From: Greg Kroah-Hartman Date: Mon, 8 Jun 2020 16:56:16 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v5.7.2~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=23c65de0b9ed47486359b47ac170ba869e3f2adc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: cdc-acm-heed-quirk-also-in-error-handling.patch nvmem-qfprom-remove-incorrect-write-support.patch staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch tty-hvc_console-fix-crashes-on-parallel-open-close.patch vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
---
diff --git a/queue-5.7/cdc-acm-heed-quirk-also-in-error-handling.patch b/queue-5.7/cdc-acm-heed-quirk-also-in-error-handling.patch
new file mode 100644
index 00000000000..61ac898e073
--- /dev/null
+++ b/queue-5.7/cdc-acm-heed-quirk-also-in-error-handling.patch
@@ -0,0 +1,34 @@
+From 97fe809934dd2b0b37dfef3a2fc70417f485d7af Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 26 May 2020 14:44:20 +0200
+Subject: CDC-ACM: heed quirk also in error handling
+
+From: Oliver Neukum
+
+commit 97fe809934dd2b0b37dfef3a2fc70417f485d7af upstream.
+
+If buffers are iterated over in the error case, the lower limits
+for quirky devices must be heeded.
+
+Signed-off-by: Oliver Neukum
+Reported-by: Jean Rene Dawin
+Fixes: a4e7279cd1d19 ("cdc-acm: introduce a cool down")
+Cc: stable
+Link: https://lore.kernel.org/r/20200526124420.22160-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/cdc-acm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -584,7 +584,7 @@ static void acm_softint(struct work_stru
+ }
+
+ if (test_and_clear_bit(ACM_ERROR_DELAY, &acm->flags)) {
+- for (i = 0; i < ACM_NR; i++)
++ for (i = 0; i < acm->rx_buflimit; i++)
+ if (test_and_clear_bit(i, &acm->urbs_in_error_delay))
+ acm_submit_read_urb(acm, i, GFP_NOIO);
+ }
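Review bot: The new loop bound `acm->rx_buflimit` in the ACM_ERROR_DELAY branch of acm_softint carries no comment saying why it is used instead of ACM_NR, so a later cleanup could put the constant back and reintroduce the problem. I would add `/* quirky devices have a lower read-buffer limit than ACM_NR; stay within rx_buflimit */` above the `for`. Other loops over the read URBs or the `urbs_in_error_delay` bits are outside this hunk, so whether they use the same bound is something to confirm rather than a finding. acm_softint itself starts and ends outside the hunk.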
diff --git a/queue-5.7/nvmem-qfprom-remove-incorrect-write-support.patch b/queue-5.7/nvmem-qfprom-remove-incorrect-write-support.patch
new file mode 100644
index 00000000000..f5392554c07
--- /dev/null
+++ b/queue-5.7/nvmem-qfprom-remove-incorrect-write-support.patch
@@ -0,0 +1,55 @@
+From 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla
+Date: Fri, 22 May 2020 12:33:41 +0100
+Subject: nvmem: qfprom: remove incorrect write support
+
+From: Srinivas Kandagatla
+
+commit 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 upstream.
+
+qfprom has different address spaces for read and write. Reads are
+always done from corrected address space, where as writes are done
+on raw address space.
+Writing to corrected address space is invalid and ignored, so it
+does not make sense to have this support in the driver which only
+supports corrected address space regions at the moment.
+
+Fixes: 4ab11996b489 ("nvmem: qfprom: Add Qualcomm QFPROM support.")
+Signed-off-by: Srinivas Kandagatla
+Reviewed-by: Douglas Anderson
+Cc: stable
+Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvmem/qfprom.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/drivers/nvmem/qfprom.c
++++ b/drivers/nvmem/qfprom.c
+@@ -27,25 +27,11 @@ static int qfprom_reg_read(void *context
+ return 0;
+ }
+
+-static int qfprom_reg_write(void *context,
+- unsigned int reg, void *_val, size_t bytes)
+-{
+- struct qfprom_priv *priv = context;
+- u8 *val = _val;
+- int i = 0, words = bytes;
+-
+- while (words--)
+- writeb(*val++, priv->base + reg + i++);
+-
+- return 0;
+-}
+-
+ static struct nvmem_config econfig = {
+ .name = "qfprom",
+ .stride = 1,
+ .word_size = 1,
+ .reg_read = qfprom_reg_read,
+- .reg_write = qfprom_reg_write,
+ };
+
+ static int qfprom_probe(struct platform_device *pdev)
diff --git a/queue-5.7/series b/queue-5.7/series
index ae27040df02..761b638cb7b 100644
--- a/queue-5.7/series
+++ b/queue-5.7/series
@@ -11,3 +11,8 @@ usb-musb-start-session-in-resume-for-host-port.patch
 usb-musb-fix-runtime-pm-imbalance-on-error.patch
 usb-musb-jz4740-prevent-lockup-when-config_smp-is-set.patch
 serial-8250-enable-16550a-variants-by-default-on-non-x86.patch
+vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
+tty-hvc_console-fix-crashes-on-parallel-open-close.patch
+staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
+cdc-acm-heed-quirk-also-in-error-handling.patch
+nvmem-qfprom-remove-incorrect-write-support.patch
diff --git a/queue-5.7/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch b/queue-5.7/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
new file mode 100644
index 00000000000..b3d547c8dad
--- /dev/null
+++ b/queue-5.7/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
@@ -0,0 +1,51 @@
+From 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f Mon Sep 17 00:00:00 2001
+From: Pascal Terjan
+Date: Sat, 23 May 2020 22:12:47 +0100
+Subject: staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
+
+From: Pascal Terjan
+
+commit 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f upstream.
+
+The value in shared headers was fixed 9 years ago in commit 8d661f1e462d
+("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
+while looking at using shared headers for other duplicated constants
+I noticed this driver uses the old value.
+
+The macros are also defined twice in this file so I am deleting the
+second definition.
+
+Signed-off-by: Pascal Terjan
+Cc: stable
+Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8712/wifi.h | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/staging/rtl8712/wifi.h
++++ b/drivers/staging/rtl8712/wifi.h
+@@ -440,7 +440,7 @@ static inline unsigned char *get_hdr_bss
+ /* block-ack parameters */
+ #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+ #define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
++#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
+ #define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+ #define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+
+@@ -532,13 +532,6 @@ struct ieee80211_ht_addt_info {
+ #define IEEE80211_HT_IE_NON_GF_STA_PRSNT 0x0004
+ #define IEEE80211_HT_IE_NON_HT_STA_PRSNT 0x0010
+
+-/* block-ack parameters */
+-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
+-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+-
+ /*
+ * A-PMDU buffer sizes
+ * According to IEEE802.11n spec size varies from 8K to 64K (in powers of 2)
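Review bot: `IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK` in wifi.h remains a hand-maintained copy of a constant that the shared header already defines, which is how the stale 0xFFA0 survived in this driver. The old value overlapped the TID mask at bit 5 (0x003C & 0xFFA0 = 0x0020) and left out bit 6, so any buffer size extracted with it from a received ADDBA parameter field would have been wrong. Until the driver uses the shared definitions, a layout comment beside the three ADDBA masks would make such a slip visible on review, for example `/* bit 1 = policy, bits 2-5 = TID, bits 6-15 = buffer size; masks must not overlap */`.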
diff --git a/queue-5.7/tty-hvc_console-fix-crashes-on-parallel-open-close.patch b/queue-5.7/tty-hvc_console-fix-crashes-on-parallel-open-close.patch
new file mode 100644
index 00000000000..d992bd20725
--- /dev/null
+++ b/queue-5.7/tty-hvc_console-fix-crashes-on-parallel-open-close.patch
@@ -0,0 +1,101 @@
+From 24eb2377f977fe06d84fca558f891f95bc28a449 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Tue, 26 May 2020 16:56:32 +0200
+Subject: tty: hvc_console, fix crashes on parallel open/close
+
+From: Jiri Slaby
+
+commit 24eb2377f977fe06d84fca558f891f95bc28a449 upstream.
+
+hvc_open sets tty->driver_data to NULL when open fails at some point.
+Typically, the failure happens in hp->ops->notifier_add(). If there is
+a racing process which tries to open such mangled tty, which was not
+closed yet, the process will crash in hvc_open as tty->driver_data is
+NULL.
+
+All this happens because close wants to know whether open failed or not.
+But ->open should not NULL this and other tty fields for ->close to be
+happy. ->open should call tty_port_set_initialized(true) and close
+should check by tty_port_initialized() instead. So do this properly in
+this driver.
+
+So this patch removes these from ->open:
+* tty_port_tty_set(&hp->port, NULL). This happens on last close.
+* tty->driver_data = NULL. Dtto.
+* tty_port_put(&hp->port). This happens in shutdown and until now, this
+ must have been causing a reference underflow, if I am not missing
+ something.
+
+Signed-off-by: Jiri Slaby
+Cc: stable
+Reported-and-tested-by: Raghavendra
+Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/hvc/hvc_console.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -371,15 +371,14 @@ static int hvc_open(struct tty_struct *t
+ * tty fields and return the kref reference.
+ */
+ if (rc) {
+- tty_port_tty_set(&hp->port, NULL);
+- tty->driver_data = NULL;
+- tty_port_put(&hp->port);
+ printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc);
+- } else
++ } else {
+ /* We are ready... raise DTR/RTS */
+ if (C_BAUD(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 1);
++ tty_port_set_initialized(&hp->port, true);
++ }
+
+ /* Force wakeup of the polling thread */
+ hvc_kick();
+@@ -389,22 +388,12 @@ static int hvc_open(struct tty_struct *t
+
+ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ {
+- struct hvc_struct *hp;
++ struct hvc_struct *hp = tty->driver_data;
+ unsigned long flags;
+
+ if (tty_hung_up_p(filp))
+ return;
+
+- /*
+- * No driver_data means that this close was issued after a failed
+- * hvc_open by the tty layer's release_dev() function and we can just
+- * exit cleanly because the kref reference wasn't made.
+- */
+- if (!tty->driver_data)
+- return;
+-
+- hp = tty->driver_data;
+-
+ spin_lock_irqsave(&hp->port.lock, flags);
+
+ if (--hp->port.count == 0) {
+@@ -412,6 +401,9 @@ static void hvc_close(struct tty_struct
+ /* We are done with the tty pointer now. */
+ tty_port_tty_set(&hp->port, NULL);
+
++ if (!tty_port_initialized(&hp->port))
++ return;
++
+ if (C_HUPCL(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 0);
+@@ -428,6 +420,7 @@ static void hvc_close(struct tty_struct
+ * waking periodically to check chars_in_buffer().
+ */
+ tty_wait_until_sent(tty, HVC_CLOSE_WAIT);
++ tty_port_set_initialized(&hp->port, false);
+ } else {
+ if (hp->port.count < 0)
+ printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
diff --git a/queue-5.7/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch b/queue-5.7/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
new file mode 100644
index 00000000000..45938c42647
--- /dev/null
+++ b/queue-5.7/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
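Review bot: The comment kept as context above `if (rc) {` in hvc_open still ends with "tty fields and return the kref reference", but the failure branch now only prints the error, so the comment describes cleanup that no longer happens there. It should be reworded to say that cleanup is left to hvc_close, which recognises a failed open through `tty_port_initialized()`. Separately, hvc_close now assigns `hp = tty->driver_data` and takes `hp->port.lock` with no NULL check, so it relies on no remaining path leaving driver_data NULL while close can still be called; the earlier failure paths of hvc_open are outside these hunks and are worth confirming. Both functions start or end outside the hunks shown.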
@@ -0,0 +1,101 @@
+From b86dab054059b970111b5516ae548efaae5b3aae Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 25 May 2020 16:27:40 -0700
+Subject: vt: keyboard: avoid signed integer overflow in k_ascii
+
+From: Dmitry Torokhov
+
+commit b86dab054059b970111b5516ae548efaae5b3aae upstream.
+
+When k_ascii is invoked several times in a row there is a potential for
+signed integer overflow:
+
+UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
+10 * 1111111111 cannot be represented in type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
+ handle_overflow+0xdc/0xf0 lib/ubsan.c:184
+ __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
+ k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
+ kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
+ kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
+
+While it can be worked around by using check_mul_overflow()/
+check_add_overflow(), it is better to introduce a separate flag to
+signal that number pad is being used to compose a symbol, and
+change type of the accumulator from signed to unsigned, thus
+avoiding undefined behavior when it overflows.
+
+Reported-by: Kyungtae Kim
+Signed-off-by: Dmitry Torokhov
+Cc: stable
+Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/keyboard.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -127,7 +127,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
+ static bool dead_key_next;
+-static int npadch = -1; /* -1 or number assembled on pad */
++
++/* Handles a number being assembled on the number pad */
++static bool npadch_active;
++static unsigned int npadch_value;
++
+ static unsigned int diacr;
+ static char rep; /* flag telling character repeat */
+
+@@ -845,12 +849,12 @@ static void k_shift(struct vc_data *vc,
+ shift_state &= ~(1 << value);
+
+ /* kludge */
+- if (up_flag && shift_state != old_state && npadch != -1) {
++ if (up_flag && shift_state != old_state && npadch_active) {
+ if (kbd->kbdmode == VC_UNICODE)
+- to_utf8(vc, npadch);
++ to_utf8(vc, npadch_value);
+ else
+- put_queue(vc, npadch & 0xff);
+- npadch = -1;
++ put_queue(vc, npadch_value & 0xff);
++ npadch_active = false;
+ }
+ }
+
+@@ -868,7 +872,7 @@ static void k_meta(struct vc_data *vc, u
+
+ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
+ {
+- int base;
++ unsigned int base;
+
+ if (up_flag)
+ return;
+@@ -882,10 +886,12 @@ static void k_ascii(struct vc_data *vc,
+ base = 16;
+ }
+
+- if (npadch == -1)
+- npadch = value;
+- else
+- npadch = npadch * base + value;
++ if (!npadch_active) {
++ npadch_value = 0;
++ npadch_active = true;
++ }
++
++ npadch_value = npadch_value * base + value;
+ }
+
+ static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
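Review bot: The comment added above `npadch_active` and `npadch_value` does not say that the accumulator is unsigned on purpose, so the reason for the type is recorded only in the commit message. In k_ascii, `npadch_value = npadch_value * base + value;` now wraps modulo 2^32 instead of being undefined, but the number is still unbounded, and k_shift hands whatever it wrapped to directly to `to_utf8(vc, npadch_value)`; whether to_utf8 rejects values that are not valid code points cannot be seen from these hunks and should be confirmed. I would extend the comment to something like `/* unsigned: repeated digits wrap instead of overflowing a signed int; the value is not range-checked here */`. k_shift and k_ascii both start outside the hunks.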