From dfe1455103ba3f6413488dfc68f31322d9c4de8f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 6 Jun 2022 17:20:38 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch
carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch
rtl818x-prevent-using-not-initialized-queues.patch
---
 ...ration-for-dsp-voice-wake-up-control.patch | 34 +++++++++
 ...ix-an-incorrect-use-of-list-iterator.patch | 44 ++++++++++++
 ...prevent-using-not-initialized-queues.patch | 70 +++++++++++++++++++
 queue-4.9/series | 3 +
 4 files changed, 151 insertions(+)
 create mode 100644 queue-4.9/asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch
 create mode 100644 queue-4.9/carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch
 create mode 100644 queue-4.9/rtl818x-prevent-using-not-initialized-queues.patch
diff --git a/queue-4.9/asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch b/queue-4.9/asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch
new file mode 100644
index 00000000000..d0b65496008
--- /dev/null
+++ b/queue-4.9/asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch
@@ -0,0 +1,34 @@
+From 4213ff556740bb45e2d9ff0f50d056c4e7dd0921 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Thu, 28 Apr 2022 17:24:44 +0100
+Subject: ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control
+
+From: Mark Brown
+
+commit 4213ff556740bb45e2d9ff0f50d056c4e7dd0921 upstream.
+
+The driver has a custom put function for "DSP Voice Wake Up" which does
+not generate event notifications on change, instead returning 0. Since we
+already exit early in the case that there is no change this can be fixed
+by unconditionally returning 1 at the end of the function.
+
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220428162444.3883147-1-broonie@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/rt5514.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/rt5514.c
++++ b/sound/soc/codecs/rt5514.c
+@@ -345,7 +345,7 @@ static int rt5514_dsp_voice_wake_up_put(
+ }
+ }
+
+- return 0;
++ return 1;
+ }
+
+ static const struct snd_kcontrol_new rt5514_snd_controls[] = {
diff --git a/queue-4.9/carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch b/queue-4.9/carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch
new file mode 100644
index 00000000000..1518dcf7ba1
--- /dev/null
+++ b/queue-4.9/carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch
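Review bot: The unconditional `return 1;` at the end of rt5514_dsp_voice_wake_up_put() is only correct if every no-change path has already returned 0, and the early exit the commit message relies on lies outside the hunk. For this 4.9 backport, confirm that the function in the 4.9 tree has the same early return; without it every write to the control would be reported as a change. A short comment at the return would also record the convention, for example `/* value changed: report it so a change notification is generated */`.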
@@ -0,0 +1,44 @@
+From 54a6f29522da3c914da30e50721dedf51046449a Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Mon, 28 Mar 2022 20:28:20 +0800
+Subject: carl9170: tx: fix an incorrect use of list iterator
+
+From: Xiaomeng Tong
+
+commit 54a6f29522da3c914da30e50721dedf51046449a upstream.
+
+If the previous list_for_each_entry_continue_rcu() don't exit early
+(no goto hit inside the loop), the iterator 'cvif' after the loop
+will be a bogus pointer to an invalid structure object containing
+the HEAD (&ar->vif_list). As a result, the use of 'cvif' after that
+will lead to a invalid memory access (i.e., 'cvif->id': the invalid
+pointer dereference when return back to/after the callsite in the
+carl9170_update_beacon()).
+
+The original intention should have been to return the valid 'cvif'
+when found in list, NULL otherwise. So just return NULL when no
+entry found, to fix this bug.
+
+Cc: stable@vger.kernel.org
+Fixes: 1f1d9654e183c ("carl9170: refactor carl9170_update_beacon")
+Signed-off-by: Xiaomeng Tong
+Acked-by: Christian Lamparter
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220328122820.1004-1-xiam0nd.tong@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/carl9170/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/ath/carl9170/tx.c
++++ b/drivers/net/wireless/ath/carl9170/tx.c
+@@ -1554,6 +1554,9 @@ static struct carl9170_vif_info *carl917
+ goto out;
+ }
+ } while (ar->beacon_enabled && i--);
++
++ /* no entry found in list */
++ return NULL;
+ }
+
+ out:
diff --git a/queue-4.9/rtl818x-prevent-using-not-initialized-queues.patch b/queue-4.9/rtl818x-prevent-using-not-initialized-queues.patch
new file mode 100644
index 00000000000..b9462ac407a
--- /dev/null
+++ b/queue-4.9/rtl818x-prevent-using-not-initialized-queues.patch
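Review bot: The added `return NULL;` in drivers/net/wireless/ath/carl9170/tx.c leaves the function (its name is cut off in the hunk header) without passing through the `out:` label, so whatever the `out:` path does is skipped when no entry is found. That code is outside the hunk and should be checked for any state update the not-found case still needs. The fix also only helps if the caller tests for NULL before use. The commit message names carl9170_update_beacon() as the place where `cvif->id` was dereferenced, so confirm that check in the 4.9 tree. The comment could state the control-flow consequence, for example `/* no entry found in list: return NULL without taking the out: path */`.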
@@ -0,0 +1,70 @@
+From 746285cf81dc19502ab238249d75f5990bd2d231 Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel
+Date: Fri, 22 Apr 2022 16:52:28 +0200
+Subject: rtl818x: Prevent using not initialized queues
+
+From: Alexander Wetzel
+
+commit 746285cf81dc19502ab238249d75f5990bd2d231 upstream.
+
+Using not existing queues can panic the kernel with rtl8180/rtl8185 cards.
+Ignore the skb priority for those cards, they only have one tx queue. Pierre
+Asselin (pa@panix.com) reported the kernel crash in the Gentoo forum:
+
+https://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html
+
+He also confirmed that this patch fixes the issue. In summary this happened:
+
+After updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a
+"divide error: 0000" when connecting to an AP. Control port tx now tries to
+use IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in
+2.10.
+
+Since only the rtl8187se part of the driver supports QoS, the priority
+of the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185
+cards.
+
+rtl8180 is then unconditionally reading out the priority and finally crashes on
+drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this
+patch:
+ idx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries
+
+"ring->entries" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got
+initialized.
+
+Cc: stable@vger.kernel.org
+Reported-by: pa@panix.com
+Tested-by: pa@panix.com
+Signed-off-by: Alexander Wetzel
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220422145228.7567-1-alexander@wetzel-home.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
++++ b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
+@@ -460,8 +460,10 @@ static void rtl8180_tx(struct ieee80211_
+ struct rtl8180_priv *priv = dev->priv;
+ struct rtl8180_tx_ring *ring;
+ struct rtl8180_tx_desc *entry;
++ unsigned int prio = 0;
+ unsigned long flags;
+- unsigned int idx, prio, hw_prio;
++ unsigned int idx, hw_prio;
++
+ dma_addr_t mapping;
+ u32 tx_flags;
+ u8 rc_flags;
+@@ -470,7 +472,9 @@ static void rtl8180_tx(struct ieee80211_
+ /* do arithmetic and then convert to le16 */
+ u16 frame_duration = 0;
+
+- prio = skb_get_queue_mapping(skb);
++ /* rtl8180/rtl8185 only has one useable tx queue */
++ if (dev->queues > IEEE80211_AC_BK)
++ prio = skb_get_queue_mapping(skb);
+ ring = &priv->tx_ring[prio];
+
+ mapping = pci_map_single(priv->pdev, skb->data,
diff --git a/queue-4.9/series b/queue-4.9/series
index 63754788482..554061160f9 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -97,3 +97,6 @@ um-fix-out-of-bounds-read-in-ldt-setup.patch
 iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch
 nodemask.h-fix-compilation-error-with-gcc12.patch
 hugetlb-fix-huge_pmd_unshare-address-update.patch
+rtl818x-prevent-using-not-initialized-queues.patch
+asoc-rt5514-fix-event-generation-for-dsp-voice-wake-up-control.patch
+carl9170-tx-fix-an-incorrect-use-of-list-iterator.patch
--
2.47.3
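Review bot: In rtl8180_tx() (drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c) the multi-queue branch still uses `skb_get_queue_mapping(skb)` unchecked as the index into `priv->tx_ring`, so the new guard protects only the single-queue cards. The commit message places the crash at a modulo by `ring->entries`, which is zero for a ring that was never initialised. That statement is outside the hunk and remains unguarded, so a check that `ring->entries` is non-zero before it, dropping the frame through the function's existing error path, would cover any other route to an unset ring. The test `dev->queues > IEEE80211_AC_BK` is also an indirect way to say "this chip has per-AC rings". Going by the commit message, the comment could spell that out, for example `/* only rtl8187se has per-AC rings; rtl8180/rtl8185 initialise tx_ring[0] only, so ignore the skb queue mapping there */`.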