From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 7 May 2023 10:58:59 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.15.111~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa9051977db229954957ed2c0b0ed3b72033291e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	clk-rockchip-rk3399-allow-clk_cifout-to-force-clk_cifout_src-to-reparent.patch
	md-raid10-fix-null-ptr-deref-in-raid10_sync_request.patch
	wifi-rtl8xxxu-rtl8192eu-always-needs-full-init.patch
---

diff --git a/queue-4.19/clk-rockchip-rk3399-allow-clk_cifout-to-force-clk_cifout_src-to-reparent.patch b/queue-4.19/clk-rockchip-rk3399-allow-clk_cifout-to-force-clk_cifout_src-to-reparent.patch
new file mode 100644
index 00000000000..7b6e26934c4
--- /dev/null
+++ b/queue-4.19/clk-rockchip-rk3399-allow-clk_cifout-to-force-clk_cifout_src-to-reparent.patch
@@ -0,0 +1,39 @@
+From 933bf364e152cd60902cf9585c2ba310d593e69f Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Date: Thu, 17 Nov 2022 13:04:31 +0100
+Subject: clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
+
+From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+
+commit 933bf364e152cd60902cf9585c2ba310d593e69f upstream.
+
+clk_cifout is derived from clk_cifout_src through an integer divider
+limited to 32. clk_cifout_src is a child of either cpll, gpll or npll
+without any possibility of a divider of any sort. The default clock
+parent is cpll.
+
+Let's allow clk_cifout to ask its parent clk_cifout_src to reparent in
+order to find the real closest possible rate for clk_cifout and not one
+derived from cpll only.
+
+Cc: stable@vger.kernel.org # 4.10+
+Fixes: fd8bc829336a ("clk: rockchip: fix the rk3399 cifout clock")
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20221117-rk3399-cifout-set-rate-parent-v1-0-432548d04081@theobroma-systems.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-rk3399.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/rockchip/clk-rk3399.c
++++ b/drivers/clk/rockchip/clk-rk3399.c
+@@ -1267,7 +1267,7 @@ static struct rockchip_clk_branch rk3399
+ 			RK3399_CLKSEL_CON(56), 6, 2, MFLAGS,
+ 			RK3399_CLKGATE_CON(10), 7, GFLAGS),
+ 
+-	COMPOSITE_NOGATE(SCLK_CIF_OUT, "clk_cifout", mux_clk_cif_p, 0,
++	COMPOSITE_NOGATE(SCLK_CIF_OUT, "clk_cifout", mux_clk_cif_p, CLK_SET_RATE_PARENT,
+ 			 RK3399_CLKSEL_CON(56), 5, 1, MFLAGS, 0, 5, DFLAGS),
+ 
+ 	/* gic */
diff --git a/queue-4.19/md-raid10-fix-null-ptr-deref-in-raid10_sync_request.patch b/queue-4.19/md-raid10-fix-null-ptr-deref-in-raid10_sync_request.patch
new file mode 100644
index 00000000000..51d58391378
--- /dev/null
+++ b/queue-4.19/md-raid10-fix-null-ptr-deref-in-raid10_sync_request.patch
@@ -0,0 +1,64 @@
+From a405c6f0229526160aa3f177f65e20c86fce84c5 Mon Sep 17 00:00:00 2001
+From: Li Nan <linan122@huawei.com>
+Date: Wed, 22 Feb 2023 12:10:00 +0800
+Subject: md/raid10: fix null-ptr-deref in raid10_sync_request
+
+From: Li Nan <linan122@huawei.com>
+
+commit a405c6f0229526160aa3f177f65e20c86fce84c5 upstream.
+
+init_resync() inits mempool and sets conf->have_replacemnt at the beginning
+of sync, close_sync() frees the mempool when sync is completed.
+
+After [1] recovery might be skipped and init_resync() is called but
+close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.
+
+The following is one way to reproduce the issue.
+
+  1) create a array, wait for resync to complete, mddev->recovery_cp is set
+     to MaxSector.
+  2) recovery is woken and it is skipped. conf->have_replacement is set to
+     0 in init_resync(). close_sync() not called.
+  3) some io errors and rdev A is set to WantReplacement.
+  4) a new device is added and set to A's replacement.
+  5) recovery is woken, A have replacement, but conf->have_replacemnt is
+     0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref
+     occurs.
+
+Fix it by not calling init_resync() if recovery skipped.
+
+[1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
+Fixes: 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Nan <linan122@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230222041000.3341651-3-linan666@huaweicloud.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2957,10 +2957,6 @@ static sector_t raid10_sync_request(stru
+ 	sector_t chunk_mask = conf->geo.chunk_mask;
+ 	int page_idx = 0;
+ 
+-	if (!mempool_initialized(&conf->r10buf_pool))
+-		if (init_resync(conf))
+-			return 0;
+-
+ 	/*
+ 	 * Allow skipping a full rebuild for incremental assembly
+ 	 * of a clean array, like RAID1 does.
+@@ -2976,6 +2972,10 @@ static sector_t raid10_sync_request(stru
+ 		return mddev->dev_sectors - sector_nr;
+ 	}
+ 
++	if (!mempool_initialized(&conf->r10buf_pool))
++		if (init_resync(conf))
++			return 0;
++
+  skipped:
+ 	max_sector = mddev->dev_sectors;
+ 	if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) ||
diff --git a/queue-4.19/series b/queue-4.19/series
index c6b903cddfb..6dd1f2e7dd1 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -126,3 +126,6 @@ dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch
 parisc-fix-argument-pointer-in-real64_call_asm.patch
 nilfs2-do-not-write-dirty-data-after-degenerating-to-read-only.patch
 nilfs2-fix-infinite-loop-in-nilfs_mdt_get_block.patch
+md-raid10-fix-null-ptr-deref-in-raid10_sync_request.patch
+wifi-rtl8xxxu-rtl8192eu-always-needs-full-init.patch
+clk-rockchip-rk3399-allow-clk_cifout-to-force-clk_cifout_src-to-reparent.patch
diff --git a/queue-4.19/wifi-rtl8xxxu-rtl8192eu-always-needs-full-init.patch b/queue-4.19/wifi-rtl8xxxu-rtl8192eu-always-needs-full-init.patch
new file mode 100644
index 00000000000..362708f7d6a
--- /dev/null
+++ b/queue-4.19/wifi-rtl8xxxu-rtl8192eu-always-needs-full-init.patch
@@ -0,0 +1,43 @@
+From d46e04ccd40457a0119b76e11ab64a2ad403e138 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Mon, 13 Mar 2023 15:42:59 +0200
+Subject: wifi: rtl8xxxu: RTL8192EU always needs full init
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit d46e04ccd40457a0119b76e11ab64a2ad403e138 upstream.
+
+Always run the entire init sequence (rtl8xxxu_init_device()) for
+RTL8192EU. It's what the vendor driver does too.
+
+This fixes a bug where the device is unable to connect after
+rebooting:
+
+wlp3s0f3u2: send auth to ... (try 1/3)
+wlp3s0f3u2: send auth to ... (try 2/3)
+wlp3s0f3u2: send auth to ... (try 3/3)
+wlp3s0f3u2: authentication with ... timed out
+
+Rebooting leaves the device powered on (partially? at least the
+firmware is still running), but not really in a working state.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Jes Sorensen <jes@trained-monkey.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/4eb111a9-d4c4-37d0-b376-4e202de7153c@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
+@@ -1710,6 +1710,7 @@ struct rtl8xxxu_fileops rtl8192eu_fops =
+ 	.rx_desc_size = sizeof(struct rtl8xxxu_rxdesc24),
+ 	.has_s0s1 = 0,
+ 	.gen2_thermal_meter = 1,
++	.needs_full_init = 1,
+ 	.adda_1t_init = 0x0fc01616,
+ 	.adda_1t_path_on = 0x0fc01616,
+ 	.adda_2t_path_on_a = 0x0fc01616,