--- /dev/null
+From 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 22 May 2020 12:33:41 +0100
+Subject: nvmem: qfprom: remove incorrect write support
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 upstream.
+
+qfprom has different address spaces for read and write. Reads are
+always done from corrected address space, where as writes are done
+on raw address space.
+Writing to corrected address space is invalid and ignored, so it
+does not make sense to have this support in the driver which only
+supports corrected address space regions at the moment.
+
+Fixes: 4ab11996b489 ("nvmem: qfprom: Add Qualcomm QFPROM support.")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvmem/qfprom.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/drivers/nvmem/qfprom.c
++++ b/drivers/nvmem/qfprom.c
+@@ -30,19 +30,6 @@ static int qfprom_reg_read(void *context
+ return 0;
+ }
+
+-static int qfprom_reg_write(void *context,
+- unsigned int reg, void *_val, size_t bytes)
+-{
+- void __iomem *base = context;
+- u32 *val = _val;
+- int i = 0, words = bytes / 4;
+-
+- while (words--)
+- writel(*val++, base + reg + (i++ * 4));
+-
+- return 0;
+-}
+-
+ static int qfprom_remove(struct platform_device *pdev)
+ {
+ struct nvmem_device *nvmem = platform_get_drvdata(pdev);
+@@ -56,7 +43,6 @@ static struct nvmem_config econfig = {
+ .stride = 4,
+ .word_size = 1,
+ .reg_read = qfprom_reg_read,
+- .reg_write = qfprom_reg_write,
+ };
+
+ static int qfprom_probe(struct platform_device *pdev)
usb-serial-usb_wwan-do-not-resubmit-rx-urb-on-fatal-errors.patch
usb-serial-option-add-telit-le910c1-eux-compositions.patch
usb-musb-fix-runtime-pm-imbalance-on-error.patch
+vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
+tty-hvc_console-fix-crashes-on-parallel-open-close.patch
+staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
+nvmem-qfprom-remove-incorrect-write-support.patch
--- /dev/null
+From 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f Mon Sep 17 00:00:00 2001
+From: Pascal Terjan <pterjan@google.com>
+Date: Sat, 23 May 2020 22:12:47 +0100
+Subject: staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
+
+From: Pascal Terjan <pterjan@google.com>
+
+commit 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f upstream.
+
+The value in shared headers was fixed 9 years ago in commit 8d661f1e462d
+("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
+while looking at using shared headers for other duplicated constants
+I noticed this driver uses the old value.
+
+The macros are also defined twice in this file so I am deleting the
+second definition.
+
+Signed-off-by: Pascal Terjan <pterjan@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/wifi.h | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/staging/rtl8712/wifi.h
++++ b/drivers/staging/rtl8712/wifi.h
+@@ -471,7 +471,7 @@ static inline unsigned char *get_hdr_bss
+ /* block-ack parameters */
+ #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+ #define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
++#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
+ #define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+ #define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+
+@@ -565,13 +565,6 @@ struct ieee80211_ht_addt_info {
+ #define IEEE80211_HT_IE_NON_GF_STA_PRSNT 0x0004
+ #define IEEE80211_HT_IE_NON_HT_STA_PRSNT 0x0010
+
+-/* block-ack parameters */
+-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
+-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+-
+ /*
+ * A-PMDU buffer sizes
+ * According to IEEE802.11n spec size varies from 8K to 64K (in powers of 2)
--- /dev/null
+From 24eb2377f977fe06d84fca558f891f95bc28a449 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Tue, 26 May 2020 16:56:32 +0200
+Subject: tty: hvc_console, fix crashes on parallel open/close
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 24eb2377f977fe06d84fca558f891f95bc28a449 upstream.
+
+hvc_open sets tty->driver_data to NULL when open fails at some point.
+Typically, the failure happens in hp->ops->notifier_add(). If there is
+a racing process which tries to open such mangled tty, which was not
+closed yet, the process will crash in hvc_open as tty->driver_data is
+NULL.
+
+All this happens because close wants to know whether open failed or not.
+But ->open should not NULL this and other tty fields for ->close to be
+happy. ->open should call tty_port_set_initialized(true) and close
+should check by tty_port_initialized() instead. So do this properly in
+this driver.
+
+So this patch removes these from ->open:
+* tty_port_tty_set(&hp->port, NULL). This happens on last close.
+* tty->driver_data = NULL. Dtto.
+* tty_port_put(&hp->port). This happens in shutdown and until now, this
+ must have been causing a reference underflow, if I am not missing
+ something.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
+Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/hvc/hvc_console.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -358,15 +358,14 @@ static int hvc_open(struct tty_struct *t
+ * tty fields and return the kref reference.
+ */
+ if (rc) {
+- tty_port_tty_set(&hp->port, NULL);
+- tty->driver_data = NULL;
+- tty_port_put(&hp->port);
+ printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc);
+- } else
++ } else {
+ /* We are ready... raise DTR/RTS */
+ if (C_BAUD(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 1);
++ tty_port_set_initialized(&hp->port, true);
++ }
+
+ /* Force wakeup of the polling thread */
+ hvc_kick();
+@@ -376,22 +375,12 @@ static int hvc_open(struct tty_struct *t
+
+ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ {
+- struct hvc_struct *hp;
++ struct hvc_struct *hp = tty->driver_data;
+ unsigned long flags;
+
+ if (tty_hung_up_p(filp))
+ return;
+
+- /*
+- * No driver_data means that this close was issued after a failed
+- * hvc_open by the tty layer's release_dev() function and we can just
+- * exit cleanly because the kref reference wasn't made.
+- */
+- if (!tty->driver_data)
+- return;
+-
+- hp = tty->driver_data;
+-
+ spin_lock_irqsave(&hp->port.lock, flags);
+
+ if (--hp->port.count == 0) {
+@@ -399,6 +388,9 @@ static void hvc_close(struct tty_struct
+ /* We are done with the tty pointer now. */
+ tty_port_tty_set(&hp->port, NULL);
+
++ if (!tty_port_initialized(&hp->port))
++ return;
++
+ if (C_HUPCL(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 0);
+@@ -415,6 +407,7 @@ static void hvc_close(struct tty_struct
+ * waking periodically to check chars_in_buffer().
+ */
+ tty_wait_until_sent(tty, HVC_CLOSE_WAIT);
++ tty_port_set_initialized(&hp->port, false);
+ } else {
+ if (hp->port.count < 0)
+ printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
--- /dev/null
+From b86dab054059b970111b5516ae548efaae5b3aae Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 25 May 2020 16:27:40 -0700
+Subject: vt: keyboard: avoid signed integer overflow in k_ascii
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b86dab054059b970111b5516ae548efaae5b3aae upstream.
+
+When k_ascii is invoked several times in a row there is a potential for
+signed integer overflow:
+
+UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
+10 * 1111111111 cannot be represented in type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
+ handle_overflow+0xdc/0xf0 lib/ubsan.c:184
+ __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
+ k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
+ kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
+ kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
+
+While it can be worked around by using check_mul_overflow()/
+check_add_overflow(), it is better to introduce a separate flag to
+signal that number pad is being used to compose a symbol, and
+change type of the accumulator from signed to unsigned, thus
+avoiding undefined behavior when it overflows.
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/keyboard.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -125,7 +125,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
+ static bool dead_key_next;
+-static int npadch = -1; /* -1 or number assembled on pad */
++
++/* Handles a number being assembled on the number pad */
++static bool npadch_active;
++static unsigned int npadch_value;
++
+ static unsigned int diacr;
+ static char rep; /* flag telling character repeat */
+
+@@ -815,12 +819,12 @@ static void k_shift(struct vc_data *vc,
+ shift_state &= ~(1 << value);
+
+ /* kludge */
+- if (up_flag && shift_state != old_state && npadch != -1) {
++ if (up_flag && shift_state != old_state && npadch_active) {
+ if (kbd->kbdmode == VC_UNICODE)
+- to_utf8(vc, npadch);
++ to_utf8(vc, npadch_value);
+ else
+- put_queue(vc, npadch & 0xff);
+- npadch = -1;
++ put_queue(vc, npadch_value & 0xff);
++ npadch_active = false;
+ }
+ }
+
+@@ -838,7 +842,7 @@ static void k_meta(struct vc_data *vc, u
+
+ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
+ {
+- int base;
++ unsigned int base;
+
+ if (up_flag)
+ return;
+@@ -852,10 +856,12 @@ static void k_ascii(struct vc_data *vc,
+ base = 16;
+ }
+
+- if (npadch == -1)
+- npadch = value;
+- else
+- npadch = npadch * base + value;
++ if (!npadch_active) {
++ npadch_value = 0;
++ npadch_active = true;
++ }
++
++ npadch_value = npadch_value * base + value;
+ }
+
+ static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
projects / thirdparty / kernel / stable-queue.git / commitdiff
