--- /dev/null
+From 5ad9b4719fc9bc4715c7e19875a962095b0577e7 Mon Sep 17 00:00:00 2001
+From: pengfuyuan <pengfuyuan@kylinos.cn>
+Date: Tue, 23 May 2023 15:09:55 +0800
+Subject: btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: pengfuyuan <pengfuyuan@kylinos.cn>
+
+commit 5ad9b4719fc9bc4715c7e19875a962095b0577e7 upstream.
+
+When compiling on a MIPS 64-bit machine we get these warnings:
+
+ In file included from ./arch/mips/include/asm/cacheflush.h:13,
+ from ./include/linux/cacheflush.h:5,
+ from ./include/linux/highmem.h:8,
+ from ./include/linux/bvec.h:10,
+ from ./include/linux/blk_types.h:10,
+ from ./include/linux/blkdev.h:9,
+ from fs/btrfs/disk-io.c:7:
+ fs/btrfs/disk-io.c: In function ‘csum_tree_block’:
+ fs/btrfs/disk-io.c:100:34: error: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Werror=array-bounds]
+ 100 | kaddr = page_address(buf->pages[i]);
+ | ~~~~~~~~~~^~~
+ ./include/linux/mm.h:2135:48: note: in definition of macro ‘page_address’
+ 2135 | #define page_address(page) lowmem_page_address(page)
+ | ^~~~
+ cc1: all warnings being treated as errors
+
+We can check if i overflows to solve the problem. However, this doesn't make
+much sense, since i == 1 and num_pages == 1 doesn't execute the body of the loop.
+In addition, i < num_pages can also ensure that buf->pages[i] will not cross
+the boundary. Unfortunately, this doesn't help with the problem observed here:
+gcc still complains.
+
+To fix this add a compile-time condition for the extent buffer page
+array size limit, which would eventually lead to eliminating the whole
+for loop.
+
+CC: stable@vger.kernel.org # 5.10+
+Signed-off-by: pengfuyuan <pengfuyuan@kylinos.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -220,7 +220,7 @@ static void csum_tree_block(struct exten
+ crypto_shash_update(shash, kaddr + BTRFS_CSUM_SIZE,
+ PAGE_SIZE - BTRFS_CSUM_SIZE);
+
+- for (i = 1; i < num_pages; i++) {
++ for (i = 1; i < num_pages && INLINE_EXTENT_BUFFER_PAGES > 1; i++) {
+ kaddr = page_address(buf->pages[i]);
+ crypto_shash_update(shash, kaddr, PAGE_SIZE);
+ }
--- /dev/null
+From a99d21cefd351c8aaa20b83a3c942340e5789d45 Mon Sep 17 00:00:00 2001
+From: Deren Wu <deren.wu@mediatek.com>
+Date: Sat, 13 May 2023 22:48:15 +0800
+Subject: mmc: vub300: fix invalid response handling
+
+From: Deren Wu <deren.wu@mediatek.com>
+
+commit a99d21cefd351c8aaa20b83a3c942340e5789d45 upstream.
+
+We may get an empty response with zero length at the beginning of
+the driver start and get following UBSAN error. Since there is no
+content(SDRT_NONE) for the response, just return and skip the response
+handling to avoid this problem.
+
+Test pass : SDIO wifi throughput test with this patch
+
+[ 126.980684] UBSAN: array-index-out-of-bounds in drivers/mmc/host/vub300.c:1719:12
+[ 126.980709] index -1 is out of range for type 'u32 [4]'
+[ 126.980729] CPU: 4 PID: 9 Comm: kworker/u16:0 Tainted: G E 6.3.0-rc4-mtk-local-202304272142 #1
+[ 126.980754] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
+[ 126.980770] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
+[ 126.980833] Call Trace:
+[ 126.980845] <TASK>
+[ 126.980860] dump_stack_lvl+0x48/0x70
+[ 126.980895] dump_stack+0x10/0x20
+[ 126.980916] ubsan_epilogue+0x9/0x40
+[ 126.980944] __ubsan_handle_out_of_bounds+0x70/0x90
+[ 126.980979] vub300_cmndwork_thread+0x58e7/0x5e10 [vub300]
+[ 126.981018] ? _raw_spin_unlock+0x18/0x40
+[ 126.981042] ? finish_task_switch+0x175/0x6f0
+[ 126.981070] ? __switch_to+0x42e/0xda0
+[ 126.981089] ? __switch_to_asm+0x3a/0x80
+[ 126.981129] ? __pfx_vub300_cmndwork_thread+0x10/0x10 [vub300]
+[ 126.981174] ? __kasan_check_read+0x11/0x20
+[ 126.981204] process_one_work+0x7ee/0x13d0
+[ 126.981246] worker_thread+0x53c/0x1240
+[ 126.981291] kthread+0x2b8/0x370
+[ 126.981312] ? __pfx_worker_thread+0x10/0x10
+[ 126.981336] ? __pfx_kthread+0x10/0x10
+[ 126.981359] ret_from_fork+0x29/0x50
+[ 126.981400] </TASK>
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/048cd6972c50c33c2e8f81d5228fed928519918b.1683987673.git.deren.wu@mediatek.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/vub300.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -1715,6 +1715,9 @@ static void construct_request_response(s
+ int bytes = 3 & less_cmd;
+ int words = less_cmd >> 2;
+ u8 *r = vub300->resp.response.command_response;
++
++ if (!resp_len)
++ return;
+ if (bytes == 3) {
+ cmd->resp[words] = (r[1 + (words << 2)] << 24)
+ | (r[2 + (words << 2)] << 16)
ath6kl-use-struct_group-to-avoid-size-mismatched-casting.patch
gcc-12-disable-wdangling-pointer-warning-for-now.patch
eth-sun-cassini-remove-dead-code.patch
+mmc-vub300-fix-invalid-response-handling.patch
+tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch
+btrfs-fix-csum_tree_block-page-iteration-to-avoid-tripping-on-werror-array-bounds.patch
--- /dev/null
+From 2474e05467c00f7d51af3039b664de6886325257 Mon Sep 17 00:00:00 2001
+From: Sherry Sun <sherry.sun@nxp.com>
+Date: Fri, 19 May 2023 17:47:51 +0800
+Subject: tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+commit 2474e05467c00f7d51af3039b664de6886325257 upstream.
+
+LPUART IP now has two known bugs, one is that CTS has higher priority
+than the break signal, which causes the break signal sending through
+UARTCTRL_SBK may impacted by the CTS input if the HW flow control is
+enabled. It exists on all platforms we support in this driver.
+So we add a workaround patch for this issue: commit c4c81db5cf8b
+("tty: serial: fsl_lpuart: disable the CTS when send break signal").
+
+Another IP bug is i.MX8QM LPUART may have an additional break character
+being sent after SBK was cleared. It may need to add some delay between
+clearing SBK and re-enabling CTS to ensure that the SBK latch are
+completely cleared.
+
+But we found that during the delay period before CTS is enabled, there
+is still a risk that Bluetooth data in TX FIFO may be sent out during
+this period because of break off and CTS disabled(even if BT sets CTS
+line deasserted, data is still sent to BT).
+
+Due to this risk, we have to drop the CTS-disabling workaround for SBK
+bugs, use TXINV seems to be a better way to replace SBK feature and
+avoid above risk. Also need to disable the transmitter to prevent any
+data from being sent out during break, then invert the TX line to send
+break. Then disable the TXINV when turn off break and re-enable
+transmitter.
+
+Fixes: c4c81db5cf8b ("tty: serial: fsl_lpuart: disable the CTS when send break signal")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20230519094751.28948-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 44 ++++++++++++++++++++--------------------
+ 1 file changed, 23 insertions(+), 21 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1455,34 +1455,36 @@ static void lpuart_break_ctl(struct uart
+
+ static void lpuart32_break_ctl(struct uart_port *port, int break_state)
+ {
+- unsigned long temp, modem;
+- struct tty_struct *tty;
+- unsigned int cflag = 0;
++ unsigned long temp;
+
+- tty = tty_port_tty_get(&port->state->port);
+- if (tty) {
+- cflag = tty->termios.c_cflag;
+- tty_kref_put(tty);
+- }
+-
+- temp = lpuart32_read(port, UARTCTRL) & ~UARTCTRL_SBK;
+- modem = lpuart32_read(port, UARTMODIR);
++ temp = lpuart32_read(port, UARTCTRL);
+
++ /*
++ * LPUART IP now has two known bugs, one is CTS has higher priority than the
++ * break signal, which causes the break signal sending through UARTCTRL_SBK
++ * may impacted by the CTS input if the HW flow control is enabled. It
++ * exists on all platforms we support in this driver.
++ * Another bug is i.MX8QM LPUART may have an additional break character
++ * being sent after SBK was cleared.
++ * To avoid above two bugs, we use Transmit Data Inversion function to send
++ * the break signal instead of UARTCTRL_SBK.
++ */
+ if (break_state != 0) {
+- temp |= UARTCTRL_SBK;
+ /*
+- * LPUART CTS has higher priority than SBK, need to disable CTS before
+- * asserting SBK to avoid any interference if flow control is enabled.
++ * Disable the transmitter to prevent any data from being sent out
++ * during break, then invert the TX line to send break.
+ */
+- if (cflag & CRTSCTS && modem & UARTMODIR_TXCTSE)
+- lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR);
++ temp &= ~UARTCTRL_TE;
++ lpuart32_write(port, temp, UARTCTRL);
++ temp |= UARTCTRL_TXINV;
++ lpuart32_write(port, temp, UARTCTRL);
+ } else {
+- /* Re-enable the CTS when break off. */
+- if (cflag & CRTSCTS && !(modem & UARTMODIR_TXCTSE))
+- lpuart32_write(port, modem | UARTMODIR_TXCTSE, UARTMODIR);
++ /* Disable the TXINV to turn off break and re-enable transmitter. */
++ temp &= ~UARTCTRL_TXINV;
++ lpuart32_write(port, temp, UARTCTRL);
++ temp |= UARTCTRL_TE;
++ lpuart32_write(port, temp, UARTCTRL);
+ }
+-
+- lpuart32_write(port, temp, UARTCTRL);
+ }
+
+ static void lpuart_setup_watermark(struct lpuart_port *sport)
projects / thirdparty / kernel / stable-queue.git / commitdiff
