From: Greg Kroah-Hartman Date: Mon, 5 Jun 2023 19:54:46 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.14.317~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84823bde94770250f7d7bb6de1a14a75cc909e94;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: mmc-vub300-fix-invalid-response-handling.patch tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch --- diff --git a/queue-5.4/mmc-vub300-fix-invalid-response-handling.patch b/queue-5.4/mmc-vub300-fix-invalid-response-handling.patch new file mode 100644 index 00000000000..9687d057e39 --- /dev/null +++ b/queue-5.4/mmc-vub300-fix-invalid-response-handling.patch @@ -0,0 +1,64 @@ +From a99d21cefd351c8aaa20b83a3c942340e5789d45 Mon Sep 17 00:00:00 2001 +From: Deren Wu +Date: Sat, 13 May 2023 22:48:15 +0800 +Subject: mmc: vub300: fix invalid response handling + +From: Deren Wu + +commit a99d21cefd351c8aaa20b83a3c942340e5789d45 upstream. + +We may get an empty response with zero length at the beginning of +the driver start and get following UBSAN error. Since there is no +content(SDRT_NONE) for the response, just return and skip the response +handling to avoid this problem. + +Test pass : SDIO wifi throughput test with this patch + +[ 126.980684] UBSAN: array-index-out-of-bounds in drivers/mmc/host/vub300.c:1719:12 +[ 126.980709] index -1 is out of range for type 'u32 [4]' +[ 126.980729] CPU: 4 PID: 9 Comm: kworker/u16:0 Tainted: G E 6.3.0-rc4-mtk-local-202304272142 #1 +[ 126.980754] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020 +[ 126.980770] Workqueue: kvub300c vub300_cmndwork_thread [vub300] +[ 126.980833] Call Trace: +[ 126.980845] +[ 126.980860] dump_stack_lvl+0x48/0x70 +[ 126.980895] dump_stack+0x10/0x20 +[ 126.980916] ubsan_epilogue+0x9/0x40 +[ 126.980944] __ubsan_handle_out_of_bounds+0x70/0x90 +[ 126.980979] vub300_cmndwork_thread+0x58e7/0x5e10 [vub300] +[ 126.981018] ? _raw_spin_unlock+0x18/0x40 +[ 126.981042] ? finish_task_switch+0x175/0x6f0 +[ 126.981070] ? __switch_to+0x42e/0xda0 +[ 126.981089] ? __switch_to_asm+0x3a/0x80 +[ 126.981129] ? __pfx_vub300_cmndwork_thread+0x10/0x10 [vub300] +[ 126.981174] ? __kasan_check_read+0x11/0x20 +[ 126.981204] process_one_work+0x7ee/0x13d0 +[ 126.981246] worker_thread+0x53c/0x1240 +[ 126.981291] kthread+0x2b8/0x370 +[ 126.981312] ? __pfx_worker_thread+0x10/0x10 +[ 126.981336] ? __pfx_kthread+0x10/0x10 +[ 126.981359] ret_from_fork+0x29/0x50 +[ 126.981400] + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Signed-off-by: Deren Wu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/048cd6972c50c33c2e8f81d5228fed928519918b.1683987673.git.deren.wu@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/vub300.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -1715,6 +1715,9 @@ static void construct_request_response(s + int bytes = 3 & less_cmd; + int words = less_cmd >> 2; + u8 *r = vub300->resp.response.command_response; ++ ++ if (!resp_len) ++ return; + if (bytes == 3) { + cmd->resp[words] = (r[1 + (words << 2)] << 24) + | (r[2 + (words << 2)] << 16) diff --git a/queue-5.4/series b/queue-5.4/series index 61e9d23627b..c92bfef1f90 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -79,3 +79,5 @@ kernel-extable.c-use-address-of-operator-on-section-symbols.patch treewide-remove-uninitialized_var-usage.patch lib-dynamic_debug.c-use-address-of-operator-on-section-symbols.patch wifi-rtlwifi-remove-always-true-condition-pointed-out-by-gcc-12.patch +mmc-vub300-fix-invalid-response-handling.patch +tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch diff --git a/queue-5.4/tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch b/queue-5.4/tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch new file mode 100644 index 00000000000..2e7299d65a5 --- /dev/null +++ b/queue-5.4/tty-serial-fsl_lpuart-use-uartctrl_txinv-to-send-break-instead-of-uartctrl_sbk.patch @@ -0,0 +1,102 @@ +From 2474e05467c00f7d51af3039b664de6886325257 Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Fri, 19 May 2023 17:47:51 +0800 +Subject: tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK + +From: Sherry Sun + +commit 2474e05467c00f7d51af3039b664de6886325257 upstream. + +LPUART IP now has two known bugs, one is that CTS has higher priority +than the break signal, which causes the break signal sending through +UARTCTRL_SBK may impacted by the CTS input if the HW flow control is +enabled. It exists on all platforms we support in this driver. +So we add a workaround patch for this issue: commit c4c81db5cf8b +("tty: serial: fsl_lpuart: disable the CTS when send break signal"). + +Another IP bug is i.MX8QM LPUART may have an additional break character +being sent after SBK was cleared. It may need to add some delay between +clearing SBK and re-enabling CTS to ensure that the SBK latch are +completely cleared. + +But we found that during the delay period before CTS is enabled, there +is still a risk that Bluetooth data in TX FIFO may be sent out during +this period because of break off and CTS disabled(even if BT sets CTS +line deasserted, data is still sent to BT). + +Due to this risk, we have to drop the CTS-disabling workaround for SBK +bugs, use TXINV seems to be a better way to replace SBK feature and +avoid above risk. Also need to disable the transmitter to prevent any +data from being sent out during break, then invert the TX line to send +break. Then disable the TXINV when turn off break and re-enable +transmitter. + +Fixes: c4c81db5cf8b ("tty: serial: fsl_lpuart: disable the CTS when send break signal") +Cc: stable +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20230519094751.28948-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 44 ++++++++++++++++++++-------------------- + 1 file changed, 23 insertions(+), 21 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1376,34 +1376,36 @@ static void lpuart_break_ctl(struct uart + + static void lpuart32_break_ctl(struct uart_port *port, int break_state) + { +- unsigned long temp, modem; +- struct tty_struct *tty; +- unsigned int cflag = 0; ++ unsigned long temp; + +- tty = tty_port_tty_get(&port->state->port); +- if (tty) { +- cflag = tty->termios.c_cflag; +- tty_kref_put(tty); +- } +- +- temp = lpuart32_read(port, UARTCTRL) & ~UARTCTRL_SBK; +- modem = lpuart32_read(port, UARTMODIR); ++ temp = lpuart32_read(port, UARTCTRL); + ++ /* ++ * LPUART IP now has two known bugs, one is CTS has higher priority than the ++ * break signal, which causes the break signal sending through UARTCTRL_SBK ++ * may impacted by the CTS input if the HW flow control is enabled. It ++ * exists on all platforms we support in this driver. ++ * Another bug is i.MX8QM LPUART may have an additional break character ++ * being sent after SBK was cleared. ++ * To avoid above two bugs, we use Transmit Data Inversion function to send ++ * the break signal instead of UARTCTRL_SBK. ++ */ + if (break_state != 0) { +- temp |= UARTCTRL_SBK; + /* +- * LPUART CTS has higher priority than SBK, need to disable CTS before +- * asserting SBK to avoid any interference if flow control is enabled. ++ * Disable the transmitter to prevent any data from being sent out ++ * during break, then invert the TX line to send break. + */ +- if (cflag & CRTSCTS && modem & UARTMODIR_TXCTSE) +- lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); ++ temp &= ~UARTCTRL_TE; ++ lpuart32_write(port, temp, UARTCTRL); ++ temp |= UARTCTRL_TXINV; ++ lpuart32_write(port, temp, UARTCTRL); + } else { +- /* Re-enable the CTS when break off. */ +- if (cflag & CRTSCTS && !(modem & UARTMODIR_TXCTSE)) +- lpuart32_write(port, modem | UARTMODIR_TXCTSE, UARTMODIR); ++ /* Disable the TXINV to turn off break and re-enable transmitter. */ ++ temp &= ~UARTCTRL_TXINV; ++ lpuart32_write(port, temp, UARTCTRL); ++ temp |= UARTCTRL_TE; ++ lpuart32_write(port, temp, UARTCTRL); + } +- +- lpuart32_write(port, temp, UARTCTRL); + } + + static void lpuart_setup_watermark(struct lpuart_port *sport)