commit 45c20a29e4c235f595e04cdb306bdcee8b83bbf5 Author: Greg Kroah-Hartman Date: Wed Feb 16 12:43:55 2022 +0100 Linux 4.9.302 Link: https://lore.kernel.org/r/20220214092445.946718557@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Florian Fainelli Tested-by: Slade Watkins Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Signed-off-by: Greg Kroah-Hartman commit 47e529da055fd8012dbbc322f34c9ad38c6369e1 Author: Arnd Bergmann Date: Fri Jul 28 15:18:00 2017 +0200 HID: wacom: add USB_HID dependency commit 9d14201c7444bbdf89413e88d91b73150c3de38b upstream. The driver has gained a compile-time dependency that we should express in Kconfig to avoid this link error: drivers/hid/wacom_sys.o: In function `wacom_parse_and_register': wacom_sys.c:(.text+0x2eec): undefined reference to `usb_hid_driver' Fixes: 09dc28acaec7 ("HID: wacom: Improve generic name generation") Signed-off-by: Arnd Bergmann Signed-off-by: Jiri Kosina Cc: Jason Self Signed-off-by: Greg Kroah-Hartman commit 96eef397499865c90e236cf88332f2aff49ceeb5 Author: Armin Wolf Date: Thu Oct 21 21:05:31 2021 +0200 hwmon: (dell-smm) Speed up setting of fan speed commit c0d79987a0d82671bff374c07f2201f9bdf4aaa2 upstream. When setting the fan speed, i8k_set_fan() calls i8k_get_fan_status(), causing an unnecessary SMM call since from the two users of this function, only i8k_ioctl_unlocked() needs to know the new fan status while dell_smm_write() ignores the new fan status. Since SMM calls can be very slow while also making error reporting difficult for dell_smm_write(), remove the function call from i8k_set_fan() and call it separately in i8k_ioctl_unlocked(). Tested on a Dell Inspiron 3505. Signed-off-by: Armin Wolf Reviewed-by: Pali Rohár Link: https://lore.kernel.org/r/20211021190531.17379-6-W_Armin@gmx.de Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 52ae749aa411f02f1c56d51ac4ce554b1a0a97d8 Author: Johan Hovold Date: Tue Feb 1 11:42:53 2022 +0100 USB: serial: cp210x: add CPI Bulk Coin Recycler id commit 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab upstream. Add the device id for the Crane Payment Innovation / Money Controls Bulk Coin Recycler: https://www.cranepi.com/en/system/files/Support/OM_BCR_EN_V1-04_0.pdf Reported-by: Scott Russell Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4d41176c25b6b80fc340cf23c8ec5aab3677e807 Author: Johan Hovold Date: Tue Feb 1 11:42:52 2022 +0100 USB: serial: cp210x: add NCR Retail IO box id commit b50f8f09c622297d3cf46e332e17ba8adedec9af upstream. Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane SelfServ Checkout - R6C: https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c Reported-by: Scott Russell Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 04d7abaabb5e46dcf051139cd8ddc32108cea181 Author: Stephan Brunner Date: Sat Jan 8 13:00:20 2022 +0100 USB: serial: ch341: add support for GW Instek USB2.0-Serial devices commit fa77ce201f7f2d823b07753575122d1ae5597fbe upstream. Programmable lab power supplies made by GW Instek, such as the GPP-2323, have a USB port exposing a serial port to control the device. Stringing the supplied Windows driver, references to the ch341 chip are found. Binding the existing ch341 driver to the VID/PID of the GPP-2323 ("GW Instek USB2.0-Serial" as per the USB product name) works out of the box, communication and control is now possible. This patch should work with any GPP series power supply due to similarities in the product line. Signed-off-by: Stephan Brunner Link: https://lore.kernel.org/r/4a47b864-0816-6f6a-efee-aa20e74bcdc6@stephan-brunner.net Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 000e1e34bb2e1d0598e6cc0e8bbe1e5cc2a1f5cf Author: Pawel Dembicki Date: Tue Jan 11 23:12:05 2022 +0100 USB: serial: option: add ZTE MF286D modem commit d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 upstream. Modem from ZTE MF286D is an Qualcomm MDM9250 based 3G/4G modem. T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=19d2 ProdID=1485 Rev=52.87 S: Manufacturer=ZTE,Incorporated S: Product=ZTE Technologies MSM S: SerialNumber=MF286DZTED000000 C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=896mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms Signed-off-by: Pawel Dembicki Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 8f5de7156e7c56846d305bf40eb800ff06fb3d28 Author: Cameron Williams Date: Tue Feb 1 10:12:51 2022 +0000 USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 commit fbb9b194e15a63c56c5664e76ccd0e85c6100cea upstream. This patch adds support for the Brainboxes US-159, US-235 and US-320 USB-to-Serial devices. Signed-off-by: Cameron Williams Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ff0a90739925734c91c7e39befe3f4378e0c1369 Author: Greg Kroah-Hartman Date: Wed Feb 9 16:37:53 2022 +0100 usb: gadget: rndis: check size of RNDIS_MSG_SET command commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream. Check the size of the RNDIS_MSG_SET command given to us before attempting to respond to an invalid message size. Reported-by: Szymon Heidrich Cc: stable@kernel.org Tested-by: Szymon Heidrich Signed-off-by: Greg Kroah-Hartman commit f3bcd744b0bc8dcc6cdb3ac5be20f54aecfb78a4 Author: Szymon Heidrich Date: Mon Jan 24 12:14:00 2022 +0100 USB: gadget: validate interface OS descriptor requests commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream. Stall the control endpoint in case provided index exceeds array size of MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. Signed-off-by: Szymon Heidrich Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 1187fc20f45a1b3160998105614cdffa09d8f0d8 Author: Udipto Goswami Date: Mon Feb 7 09:55:58 2022 +0530 usb: dwc3: gadget: Prevent core from processing stale TRBs commit 117b4e96c7f362eb6459543883fc07f77662472c upstream. With CPU re-ordering on write instructions, there might be a chance that the HWO is set before the TRB is updated with the new mapped buffer address. And in the case where core is processing a list of TRBs it is possible that it fetched the TRBs when the HWO is set but before the buffer address is updated. Prevent this by adding a memory barrier before the HWO is updated to ensure that the core always process the updated TRBs. Fixes: f6bafc6a1c9d ("usb: dwc3: convert TRBs into bitshifts") Cc: stable Reviewed-by: Pavankumar Kondeti Signed-off-by: Udipto Goswami Link: https://lore.kernel.org/r/1644207958-18287-1-git-send-email-quic_ugoswami@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 709557e6742f870c71f8307d9a1e178b5d009b01 Author: TATSUKAWA KOSUKE (立川 江介) Date: Wed Jan 26 23:35:02 2022 +0000 n_tty: wake up poll(POLLRDNORM) on receiving data commit c816b2e65b0e86b95011418cad334f0524fc33b8 upstream. The poll man page says POLLRDNORM is equivalent to POLLIN when used as an event. $ man poll POLLRDNORM Equivalent to POLLIN. However, in n_tty driver, POLLRDNORM does not return until timeout even if there is terminal input, whereas POLLIN returns. The following test program works until kernel-3.17, but the test stops in poll() after commit 57087d515441 ("tty: Fix spurious poll() wakeups"). [Steps to run test program] $ cc -o test-pollrdnorm test-pollrdnorm.c $ ./test-pollrdnorm foo <-- Type in something from the terminal followed by [RET]. The string should be echoed back. ------------------------< test-pollrdnorm.c >------------------------ #include #include #include #include void main(void) { int n; unsigned char buf[8]; struct pollfd fds[1] = {{ 0, POLLRDNORM, 0 }}; n = poll(fds, 1, -1); if (n < 0) perror("poll"); n = read(0, buf, 8); if (n < 0) perror("read"); if (n > 0) write(1, buf, n); } ------------------------------------------------------------------------ The attached patch fixes this problem. Many calls to wake_up_interruptible_poll() in the kernel source code already specify "POLLIN | POLLRDNORM". Fixes: 57087d515441 ("tty: Fix spurious poll() wakeups") Cc: stable@vger.kernel.org Signed-off-by: Kosuke Tatsukawa Link: https://lore.kernel.org/r/TYCPR01MB81901C0F932203D30E452B3EA5209@TYCPR01MB8190.jpnprd01.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit b6ef4bc38b57e52eaeeef2efe149113b7303e609 Author: Daniel Borkmann Date: Tue May 11 22:35:17 2021 +0200 bpf: Add kconfig knob for disabling unpriv bpf by default commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream. Add a kconfig knob which allows for unprivileged bpf to be disabled by default. If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2. This still allows a transition of 2 -> {0,1} through an admin. Similarly, this also still keeps 1 -> {1} behavior intact, so that once set to permanently disabled, it cannot be undone aside from a reboot. We've also added extra2 with max of 2 for the procfs handler, so that an admin still has a chance to toggle between 0 <-> 2. Either way, as an additional alternative, applications can make use of CAP_BPF that we added a while ago. Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net [fllinden@amazon.com: backported to 4.9] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman commit 32b0c0546025c1efe6b87095b182a0b197b82d74 Author: Jakob Koschel Date: Thu Jan 27 15:44:05 2022 +0100 vt_ioctl: add array_index_nospec to VT_ACTIVATE commit 28cb138f559f8c1a1395f5564f86b8bbee83631b upstream. in vt_setactivate an almost identical code path has been patched with array_index_nospec. In the VT_ACTIVATE path the user input is from a system call argument instead of a usercopy. For consistency both code paths should have the same mitigations applied. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. Co-developed-by: Brian Johannesmeyer Signed-off-by: Brian Johannesmeyer Signed-off-by: Jakob Koschel Link: https://lore.kernel.org/r/20220127144406.3589293-2-jakobkoschel@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 830c5aa302ec16b4ee641aec769462c37f802c90 Author: Jakob Koschel Date: Thu Jan 27 15:44:04 2022 +0100 vt_ioctl: fix array_index_nospec in vt_setactivate commit 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 upstream. array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. Co-developed-by: Brian Johannesmeyer Signed-off-by: Brian Johannesmeyer Signed-off-by: Jakob Koschel Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 9839da923ff9eaaae7cb3fc9d59bf2141cc3e15d Author: Jon Maloy Date: Tue Feb 8 22:22:37 2022 -0500 tipc: rate limit warning for received illegal binding update [ Upstream commit c7223d687758462826a20e9735305d55bb874c70 ] It would be easy to craft a message containing an illegal binding table update operation. This is handled correctly by the code, but the corresponding warning printout is not rate limited as is should be. We fix this now. Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") Signed-off-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4ac84498fbe84a00e7aef185e2bb3e40ce71eca4 Author: Antoine Tenart Date: Mon Feb 7 18:13:19 2022 +0100 net: fix a memleak when uncloning an skb dst and its metadata [ Upstream commit 9eeabdf17fa0ab75381045c867c370f4cc75a613 ] When uncloning an skb dst and its associated metadata, a new dst+metadata is allocated and later replaces the old one in the skb. This is helpful to have a non-shared dst+metadata attached to a specific skb. The issue is the uncloned dst+metadata is initialized with a refcount of 1, which is increased to 2 before attaching it to the skb. When tun_dst_unclone returns, the dst+metadata is only referenced from a single place (the skb) while its refcount is 2. Its refcount will never drop to 0 (when the skb is consumed), leading to a memory leak. Fix this by removing the call to dst_hold in tun_dst_unclone, as the dst+metadata refcount is already 1. Fixes: fc4099f17240 ("openvswitch: Fix egress tunnel info.") Cc: Pravin B Shelar Reported-by: Vlad Buslov Tested-by: Vlad Buslov Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cbb43514c830cdf0f021ea74e7375a29baf80f8f Author: Antoine Tenart Date: Mon Feb 7 18:13:18 2022 +0100 net: do not keep the dst cache when uncloning an skb dst and its metadata [ Upstream commit cfc56f85e72f5b9c5c5be26dc2b16518d36a7868 ] When uncloning an skb dst and its associated metadata a new dst+metadata is allocated and the tunnel information from the old metadata is copied over there. The issue is the tunnel metadata has references to cached dst, which are copied along the way. When a dst+metadata refcount drops to 0 the metadata is freed including the cached dst entries. As they are also referenced in the initial dst+metadata, this ends up in UaFs. In practice the above did not happen because of another issue, the dst+metadata was never freed because its refcount never dropped to 0 (this will be fixed in a subsequent patch). Fix this by initializing the dst cache after copying the tunnel information from the old metadata to also unshare the dst cache. Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") Cc: Paolo Abeni Reported-by: Vlad Buslov Tested-by: Vlad Buslov Signed-off-by: Antoine Tenart Acked-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 80c529322600dfb1f985b5e3f14c3c6f522ce154 Author: Eric Dumazet Date: Mon Feb 7 21:34:51 2022 -0800 ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path [ Upstream commit 5611a00697c8ecc5aad04392bea629e9d6a20463 ] ip[6]mr_free_table() can only be called under RTNL lock. RTNL: assertion failed at net/core/dev.c (10367) WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Modules linked in: CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4 R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000 FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509 ip6mr_free_table net/ipv6/ip6mr.c:389 [inline] ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline] ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline] ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x54f/0xbb0 net/core/net_namespace.c:331 copy_net_ns+0x318/0x760 net/core/net_namespace.c:475 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 copy_process+0x2e0c/0x7300 kernel/fork.c:2167 kernel_clone+0xe7/0xab0 kernel/fork.c:2555 __do_sys_clone+0xc8/0x110 kernel/fork.c:2672 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f4ab89f9059 Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f. RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059 RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000 RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300 R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000 R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000 Fixes: f243e5a7859a ("ipmr,ip6mr: call ip6mr_free_table() on failure path") Signed-off-by: Eric Dumazet Cc: Cong Wang Reported-by: syzbot Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 039b2b945f7470d6626a7e9cb29df4dc52adaaca Author: Mahesh Bandewar Date: Mon Feb 7 14:29:01 2022 -0800 bonding: pair enable_port with slave_arr_updates [ Upstream commit 23de0d7b6f0e3f9a6283a882594c479949da1120 ] When 803.2ad mode enables a participating port, it should update the slave-array. I have observed that the member links are participating and are part of the active aggregator while the traffic is egressing via only one member link (in a case where two links are participating). Via kprobes I discovered that slave-arr has only one link added while the other participating link wasn't part of the slave-arr. I couldn't see what caused that situation but the simple code-walk through provided me hints that the enable_port wasn't always associated with the slave-array update. Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") Signed-off-by: Mahesh Bandewar Acked-by: Jay Vosburgh Link: https://lore.kernel.org/r/20220207222901.1795287-1-maheshb@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 61a35db807aca8012d484c72d6c5e25b24296ea4 Author: Fabio Estevam Date: Sun Dec 19 19:42:15 2021 -0300 ARM: dts: imx6qdl-udoo: Properly describe the SD card detect [ Upstream commit 993d66140f8d1c1853a3b58b77b43b681eb64dee ] GPIO7_IO00 is used as SD card detect. Properly describe this in the devicetree. Fixes: 40cdaa542cf0 ("ARM: dts: imx6q-udoo: Add initial board support") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a0b1dcc362579d911ee64ca7e075fe0b8630c768 Author: Uwe Kleine-König Date: Tue Jan 18 19:13:37 2022 +0100 staging: fbtft: Fix error path in fbtft_driver_module_init() [ Upstream commit 426aca16e903b387a0b0001d62207a745c67cfd3 ] If registering the platform driver fails, the function must not return without undoing the spi driver registration first. Fixes: c296d5f9957c ("staging: fbtft: core support") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220118181338.207943-1-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8fffbfd1ccadf66ab0272d9018f14897c549d76e Author: Fabio Estevam Date: Mon Dec 27 13:14:02 2021 -0300 ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group commit 42c9b28e6862d16db82a56f5667cf4d1f6658cf6 upstream. Currently, SD card fails to mount due to the following pinctrl error: [ 11.170000] imx23-pinctrl 80018000.pinctrl: pin SSP1_DETECT already requested by 80018000.pinctrl; cannot claim for 80010000.spi [ 11.180000] imx23-pinctrl 80018000.pinctrl: pin-65 (80010000.spi) status -22 [ 11.190000] imx23-pinctrl 80018000.pinctrl: could not request pin 65 (SSP1_DETECT) from group mmc0-pins-fixup.0 on device 80018000.pinctrl [ 11.200000] mxs-mmc 80010000.spi: Error applying setting, reverse things back Fix it by removing the MX23_PAD_SSP1_DETECT pin from the hog group as it is already been used by the mmc0-pins-fixup pinctrl group. With this change the rootfs can be mounted and the imx23-evk board can boot successfully. Cc: Fixes: bc3875f1a61e ("ARM: dts: mxs: modify mx23/mx28 dts files to use pinctrl headers") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 86500a99e5a5a31855ca1210d6e8a44b6b075780 Author: Amelie Delaunay Date: Tue Dec 7 14:01:01 2021 +0100 usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend [ Upstream commit ac55d163855924aa5af9f1560977da8f346963c8 ] Calling dwc2_hsotg_ep_disable on ep0 (in/out) will lead to the following logs before returning -EINVAL: dwc2 49000000.usb-otg: dwc2_hsotg_ep_disable: called for ep0 dwc2 49000000.usb-otg: dwc2_hsotg_ep_disable: called for ep0 To avoid these two logs while suspending, start disabling the endpoint from the index 1, as done in dwc2_hsotg_udc_stop: /* all endpoints should be shutdown */ for (ep = 1; ep < hsotg->num_of_eps; ep++) { if (hsotg->eps_in[ep]) dwc2_hsotg_ep_disable_lock(&hsotg->eps_in[ep]->ep); if (hsotg->eps_out[ep]) dwc2_hsotg_ep_disable_lock(&hsotg->eps_out[ep]->ep); } Acked-by: Minas Harutyunyan Signed-off-by: Amelie Delaunay Link: https://lore.kernel.org/r/20211207130101.270314-1-amelie.delaunay@foss.st.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2953394b3129aaf5df3b61918ea2570ff878a7b8 Author: ZouMingzhe Date: Tue Jan 11 13:47:42 2022 +0800 scsi: target: iscsi: Make sure the np under each tpg is unique [ Upstream commit a861790afaa8b6369eee8a88c5d5d73f5799c0c6 ] iscsit_tpg_check_network_portal() has nested for_each loops and is supposed to return true when a match is found. However, the tpg loop will still continue after existing the tpg_np loop. If this tpg_np is not the last the match value will be changed. Break the outer loop after finding a match and make sure the np under each tpg is unique. Link: https://lore.kernel.org/r/20220111054742.19582-1-mingzhe.zou@easystack.cn Signed-off-by: ZouMingzhe Reviewed-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3df92dd98ffca9cc92fc1ed4032c7b0d2148b939 Author: Olga Kornievskaia Date: Thu Dec 9 14:53:29 2021 -0500 NFSv4 remove zero number of fs_locations entries error check [ Upstream commit 90e12a3191040bd3854d3e236c35921e4e92a044 ] Remove the check for the zero length fs_locations reply in the xdr decoding, and instead check for that in the migration code. Signed-off-by: Olga Kornievskaia Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 899460b3737dcc91107c24bdc297c177ef327bb6 Author: Xiaoke Wang Date: Fri Dec 17 01:01:33 2021 +0800 nfs: nfs4clinet: check the return value of kstrdup() [ Upstream commit fbd2057e5329d3502a27491190237b6be52a1cb6 ] kstrdup() returns NULL when some internal memory errors happen, it is better to check the return value of it so to catch the memory error in time. Signed-off-by: Xiaoke Wang Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 06f6387fe4f27ae21d1f19c5de17c6b69b8ddb83 Author: Olga Kornievskaia Date: Mon Nov 29 15:33:56 2021 -0500 NFSv4 only print the label when its queried [ Upstream commit 2c52c8376db7160a1dd8a681c61c9258405ef143 ] When the bitmask of the attributes doesn't include the security label, don't bother printing it. Since the label might not be null terminated, adjust the printing format accordingly. Signed-off-by: Olga Kornievskaia Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit a00dbd5600ffc7e2ec2fbf1982d075e6e8929b89 Author: Guillaume Bertholon Date: Fri Feb 11 14:33:01 2022 +0100 Revert "net: axienet: Wait for PhyRstCmplt after core reset" This reverts commit 9f1a3c13342b4d96b9baa337ec5fb7d453828709. The upstream commit b400c2f4f4c5 ("net: axienet: Wait for PhyRstCmplt after core reset") add new instructions in the `__axienet_device_reset` function to wait until PhyRstCmplt bit is set, and return a non zero-exit value if this exceeds a timeout. However, its backported version in 4.9 (commit 9f1a3c13342b ("net: axienet: Wait for PhyRstCmplt after core reset")) insert these instructions in `axienet_dma_bd_init` instead. Unlike upstream, the version of `__axienet_device_reset` currently present in branch stable/linux-4.9.y does not return an integer for error codes. Therefore fixing the backport cannot be as simple as moving the inserted instructions in the right place, and we simply revert it instead. Fixes: 9f1a3c13342b ("net: axienet: Wait for PhyRstCmplt after core reset") Signed-off-by: Guillaume Bertholon Signed-off-by: Greg Kroah-Hartman commit 216897eecef94fd1a897d0b8f88f01cd5f631088 Author: Guillaume Bertholon Date: Tue Feb 8 17:31:15 2022 +0100 ALSA: line6: Fix misplaced backport of "Fix wrong altsetting for LINE6_PODHD500_1" The upstream commit 70256b42caaf ("ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1") changed the .altsetting field of the LINE6_PODHD500_1 entry in podhd_properties_table from 1 to 0. However, its backported version in stable (commit ec565611f930 ("ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1")) change the .altsetting field of the LINE6_PODHD500_0 entry instead. This patch resets the altsetting of LINE6_PODHD500_0 to 1, and sets the altsetting of LINE6_PODHD500_1 to 0, as wanted by the original fix. Fixes: ec565611f930 ("ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1") Signed-off-by: Guillaume Bertholon Signed-off-by: Greg Kroah-Hartman commit 40555e6d2b43a79bb9bf1a2ebb8d1aec9c25be83 Author: Guillaume Bertholon Date: Tue Feb 8 17:33:56 2022 +0100 serial: sh-sci: Fix misplaced backport of "Fix late enablement of AUTORTS" The upstream commit 5f76895e4c71 ("serial: sh-sci: Fix late enablement of AUTORTS") inserted a new call to .set_mctrl(). However the backported version in stable (commit ad3faea03fdf ("serial: sh-sci: Fix late enablement of AUTORTS")) does not insert it at the same position. This patch moves the added instructions back to where they should be according to the upsteam patch. Fixes: ad3faea03fdf ("serial: sh-sci: Fix late enablement of AUTORTS") Signed-off-by: Guillaume Bertholon Signed-off-by: Greg Kroah-Hartman commit 29c00a3756a752f6ea24177d127767cfa24ea522 Author: Guillaume Bertholon Date: Tue Feb 8 17:33:02 2022 +0100 Input: i8042 - Fix misplaced backport of "add ASUS Zenbook Flip to noselftest list" The upstream commit b5d6e7ab7fe7 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list") inserted a new entry in the `i8042_dmi_noselftest_table` table, further patched by commit daa58c8eec0a ("Input: i8042 - fix Pegatron C15B ID entry") to insert a missing separator. However, their backported version in stable (commit e9e8b3769099 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list") and commit c551d20d487a ("Input: i8042 - fix Pegatron C15B ID entry")) inserted this entry in `i8042_dmi_forcemux_table` instead. This patch moves the entry back into `i8042_dmi_noselftest_table`. Fixes: e9e8b3769099 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list") Signed-off-by: Guillaume Bertholon Signed-off-by: Greg Kroah-Hartman commit f56ca2421c63f879d48e5dada63194c9fdcdc6d7 Author: Chuck Lever Date: Tue Jan 25 16:36:22 2022 -0500 NFSD: Clamp WRITE offsets commit 6260d9a56ab352b54891ec66ab0eced57d55abc6 upstream. Ensure that a client cannot specify a WRITE range that falls in a byte range outside what the kernel's internal types (such as loff_t, which is signed) can represent. The kiocb iterators, invoked in nfsd_vfs_write(), should properly limit write operations to within the underlying file system's s_maxbytes. Cc: stable@vger.kernel.org Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit ccc3a3fbf04f64de1f8c3219f27ff8e0dc692b3c Author: Trond Myklebust Date: Wed Feb 2 18:52:01 2022 -0500 NFS: Fix initialisation of nfs_client cl_flags field commit 468d126dab45718feeb728319be20bd869a5eaa7 upstream. For some long forgotten reason, the nfs_client cl_flags field is initialised in nfs_get_client() instead of being initialised at allocation time. This quirk was harmless until we moved the call to nfs_create_rpc_client(). Fixes: dd99e9f98fbf ("NFSv4: Initialise connection to the server in nfs4_alloc_client()") Cc: stable@vger.kernel.org # 4.8.x Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit dd842056ef7ca1dae78eb0ae1d6beaf1b767f666 Author: Stefan Berger Date: Tue Jan 25 17:46:23 2022 -0500 ima: Remove ima_policy file before directory commit f7333b9572d0559e00352a926c92f29f061b4569 upstream. The removal of ima_dir currently fails since ima_policy still exists, so remove the ima_policy file before removing the directory. Fixes: 4af4662fa4a9 ("integrity: IMA policy") Signed-off-by: Stefan Berger Cc: Acked-by: Christian Brauner Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit 9d75b8889739721b59c5731a68c06e7683e8360b Author: Xiaoke Wang Date: Sat Jan 15 09:11:11 2022 +0800 integrity: check the return value of audit_log_start() commit 83230351c523b04ff8a029a4bdf97d881ecb96fc upstream. audit_log_start() returns audit_buffer pointer on success or NULL on error, so it is better to check the return value of it. Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider") Signed-off-by: Xiaoke Wang Cc: Reviewed-by: Paul Moore Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman