--- /dev/null
+From 010bfbe768f7ecc876ffba92db30432de4997e2a Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 16 Apr 2021 09:42:14 +0200
+Subject: cfg80211: scan: drop entry from hidden_list on overflow
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 010bfbe768f7ecc876ffba92db30432de4997e2a upstream.
+
+If we overflow the maximum number of BSS entries and free the
+new entry, drop it from any hidden_list that it may have been
+added to in the code above or in cfg80211_combine_bsses().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20210416094212.5de7d1676ad7.Ied283b0bc5f504845e7d6ab90626bdfa68bb3dc0@changeid
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1751,6 +1751,8 @@ cfg80211_bss_update(struct cfg80211_regi
+
+ if (rdev->bss_entries >= bss_entries_limit &&
+ !cfg80211_bss_expire_oldest(rdev)) {
++ if (!list_empty(&new->hidden_list))
++ list_del(&new->hidden_list);
+ kfree(new);
+ goto drop;
+ }
--- /dev/null
+From 193ced4a79599352d63cb8c9e2f0c6043106eb6a Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 10 Mar 2021 13:03:14 +0100
+Subject: FDDI: defxx: Make MMIO the configuration default except for EISA
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 193ced4a79599352d63cb8c9e2f0c6043106eb6a upstream.
+
+Recent versions of the PCI Express specification have deprecated support
+for I/O transactions and actually some PCIe host bridges, such as Power
+Systems Host Bridge 4 (PHB4), do not implement them.
+
+The default kernel configuration choice for the defxx driver is the use
+of I/O ports rather than MMIO for PCI and EISA systems. It may have
+made sense as a conservative backwards compatible choice back when MMIO
+operation support was added to the driver as a part of TURBOchannel bus
+support. However nowadays this configuration choice makes the driver
+unusable with systems that do not implement I/O transactions for PCIe.
+
+Make DEFXX_MMIO the configuration default then, except where configured
+for EISA. This exception is because an EISA adapter can have its MMIO
+decoding disabled with ECU (EISA Configuration Utility) and therefore
+not available with the resource allocation infrastructure we implement,
+while port I/O is always readily available as it uses slot-specific
+addressing, directly mapped to the slot an option card has been placed
+in and handled with our EISA bus support core. Conversely a kernel that
+supports modern systems which may not have I/O transactions implemented
+for PCIe will usually not be expected to handle legacy EISA systems.
+
+The change of the default will make it easier for people, including but
+not limited to distribution packagers, to make a working choice for the
+driver.
+
+Update the option description accordingly and while at it replace the
+potentially ambiguous PIO acronym with IOP for "port I/O" vs "I/O ports"
+according to our nomenclature used elsewhere.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: e89a2cfb7d7b ("[TC] defxx: TURBOchannel support")
+Cc: stable@vger.kernel.org # v2.6.21+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fddi/Kconfig | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/fddi/Kconfig
++++ b/drivers/net/fddi/Kconfig
+@@ -40,17 +40,20 @@ config DEFXX
+
+ config DEFXX_MMIO
+ bool
+- prompt "Use MMIO instead of PIO" if PCI || EISA
++ prompt "Use MMIO instead of IOP" if PCI || EISA
+ depends on DEFXX
+- default n if PCI || EISA
++ default n if EISA
+ default y
+ help
+ This instructs the driver to use EISA or PCI memory-mapped I/O
+- (MMIO) as appropriate instead of programmed I/O ports (PIO).
++ (MMIO) as appropriate instead of programmed I/O ports (IOP).
+ Enabling this gives an improvement in processing time in parts
+- of the driver, but it may cause problems with EISA (DEFEA)
+- adapters. TURBOchannel does not have the concept of I/O ports,
+- so MMIO is always used for these (DEFTA) adapters.
++ of the driver, but it requires a memory window to be configured
++ for EISA (DEFEA) adapters that may not always be available.
++ Conversely some PCIe host bridges do not support IOP, so MMIO
++ may be required to access PCI (DEFPA) adapters on downstream PCI
++ buses with some systems. TURBOchannel does not have the concept
++ of I/O ports, so MMIO is always used for these (DEFTA) adapters.
+
+ If unsure, say N.
+
--- /dev/null
+From 260a9ad9446723d4063ed802989758852809714d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 14 Apr 2021 11:29:55 +0300
+Subject: ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 260a9ad9446723d4063ed802989758852809714d upstream.
+
+The "ext->key_len" is a u16 that comes from the user. If it's over
+SCM_KEY_LEN (32) that could lead to memory corruption.
+
+Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YHaoA1i+8uT4ir4h@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
++++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
+@@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libip
+ }
+
+ if (ext->alg != IW_ENCODE_ALG_NONE) {
+- memcpy(sec.keys[idx], ext->key, ext->key_len);
+- sec.key_sizes[idx] = ext->key_len;
++ int key_len = clamp_val(ext->key_len, 0, SCM_KEY_LEN);
++
++ memcpy(sec.keys[idx], ext->key, key_len);
++ sec.key_sizes[idx] = key_len;
+ sec.flags |= (1 << idx);
+ if (ext->alg == IW_ENCODE_ALG_WEP) {
+ sec.encode_alg[idx] = SEC_ALG_WEP;
--- /dev/null
+From f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e Mon Sep 17 00:00:00 2001
+From: Heming Zhao <heming.zhao@suse.com>
+Date: Thu, 8 Apr 2021 15:44:15 +0800
+Subject: md-cluster: fix use-after-free issue when removing rdev
+
+From: Heming Zhao <heming.zhao@suse.com>
+
+commit f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e upstream.
+
+md_kick_rdev_from_array will remove rdev, so we should
+use rdev_for_each_safe to search list.
+
+How to trigger:
+
+env: Two nodes on kvm-qemu x86_64 VMs (2C2G with 2 iscsi luns).
+
+```
+node2=192.168.0.3
+
+for i in {1..20}; do
+ echo ==== $i `date` ====;
+
+ mdadm -Ss && ssh ${node2} "mdadm -Ss"
+ wipefs -a /dev/sda /dev/sdb
+
+ mdadm -CR /dev/md0 -b clustered -e 1.2 -n 2 -l 1 /dev/sda \
+ /dev/sdb --assume-clean
+ ssh ${node2} "mdadm -A /dev/md0 /dev/sda /dev/sdb"
+ mdadm --wait /dev/md0
+ ssh ${node2} "mdadm --wait /dev/md0"
+
+ mdadm --manage /dev/md0 --fail /dev/sda --remove /dev/sda
+ sleep 1
+done
+```
+
+Crash stack:
+
+```
+stack segment: 0000 [#1] SMP
+... ...
+RIP: 0010:md_check_recovery+0x1e8/0x570 [md_mod]
+... ...
+RSP: 0018:ffffb149807a7d68 EFLAGS: 00010207
+RAX: 0000000000000000 RBX: ffff9d494c180800 RCX: ffff9d490fc01e50
+RDX: fffff047c0ed8308 RSI: 0000000000000246 RDI: 0000000000000246
+RBP: 6b6b6b6b6b6b6b6b R08: ffff9d490fc01e40 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
+R13: ffff9d494c180818 R14: ffff9d493399ef38 R15: ffff9d4933a1d800
+FS: 0000000000000000(0000) GS:ffff9d494f700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe68cab9010 CR3: 000000004c6be001 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ raid1d+0x5c/0xd40 [raid1]
+ ? finish_task_switch+0x75/0x2a0
+ ? lock_timer_base+0x67/0x80
+ ? try_to_del_timer_sync+0x4d/0x80
+ ? del_timer_sync+0x41/0x50
+ ? schedule_timeout+0x254/0x2d0
+ ? md_start_sync+0xe0/0xe0 [md_mod]
+ ? md_thread+0x127/0x160 [md_mod]
+ md_thread+0x127/0x160 [md_mod]
+ ? wait_woken+0x80/0x80
+ kthread+0x10d/0x130
+ ? kthread_park+0xa0/0xa0
+ ret_from_fork+0x1f/0x40
+```
+
+Fixes: dbb64f8635f5d ("md-cluster: Fix adding of new disk with new reload code")
+Fixes: 659b254fa7392 ("md-cluster: remove a disk asynchronously from cluster environment")
+Cc: stable@vger.kernel.org
+Reviewed-by: Gang He <ghe@suse.com>
+Signed-off-by: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -9251,11 +9251,11 @@ void md_check_recovery(struct mddev *mdd
+ }
+
+ if (mddev_is_clustered(mddev)) {
+- struct md_rdev *rdev;
++ struct md_rdev *rdev, *tmp;
+ /* kick the device if another node issued a
+ * remove disk.
+ */
+- rdev_for_each(rdev, mddev) {
++ rdev_for_each_safe(rdev, tmp, mddev) {
+ if (test_and_clear_bit(ClusterRemove, &rdev->flags) &&
+ rdev->raid_disk < 0)
+ md_kick_rdev_from_array(rdev);
+@@ -9569,7 +9569,7 @@ err_wq:
+ static void check_sb_changes(struct mddev *mddev, struct md_rdev *rdev)
+ {
+ struct mdp_superblock_1 *sb = page_address(rdev->sb_page);
+- struct md_rdev *rdev2;
++ struct md_rdev *rdev2, *tmp;
+ int role, ret;
+ char b[BDEVNAME_SIZE];
+
+@@ -9586,7 +9586,7 @@ static void check_sb_changes(struct mdde
+ }
+
+ /* Check for change of roles in the active devices */
+- rdev_for_each(rdev2, mddev) {
++ rdev_for_each_safe(rdev2, tmp, mddev) {
+ if (test_bit(Faulty, &rdev2->flags))
+ continue;
+
--- /dev/null
+From 8b57251f9a91f5e5a599de7549915d2d226cc3af Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sat, 3 Apr 2021 18:15:28 +0200
+Subject: md: factor out a mddev_find_locked helper from mddev_find
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 8b57251f9a91f5e5a599de7549915d2d226cc3af upstream.
+
+Factor out a self-contained helper to just lookup a mddev by the dev_t
+"unit".
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -734,6 +734,17 @@ void mddev_init(struct mddev *mddev)
+ }
+ EXPORT_SYMBOL_GPL(mddev_init);
+
++static struct mddev *mddev_find_locked(dev_t unit)
++{
++ struct mddev *mddev;
++
++ list_for_each_entry(mddev, &all_mddevs, all_mddevs)
++ if (mddev->unit == unit)
++ return mddev;
++
++ return NULL;
++}
++
+ static struct mddev *mddev_find(dev_t unit)
+ {
+ struct mddev *mddev;
+@@ -761,13 +772,13 @@ static struct mddev *mddev_find_or_alloc
+ spin_lock(&all_mddevs_lock);
+
+ if (unit) {
+- list_for_each_entry(mddev, &all_mddevs, all_mddevs)
+- if (mddev->unit == unit) {
+- mddev_get(mddev);
+- spin_unlock(&all_mddevs_lock);
+- kfree(new);
+- return mddev;
+- }
++ mddev = mddev_find_locked(unit);
++ if (mddev) {
++ mddev_get(mddev);
++ spin_unlock(&all_mddevs_lock);
++ kfree(new);
++ return mddev;
++ }
+
+ if (new) {
+ list_add(&new->all_mddevs, &all_mddevs);
+@@ -793,12 +804,7 @@ static struct mddev *mddev_find_or_alloc
+ return NULL;
+ }
+
+- is_free = 1;
+- list_for_each_entry(mddev, &all_mddevs, all_mddevs)
+- if (mddev->unit == dev) {
+- is_free = 0;
+- break;
+- }
++ is_free = !mddev_find_locked(dev);
+ }
+ new->unit = dev;
+ new->md_minor = MINOR(dev);
--- /dev/null
+From 7abfabaf5f805f5171d133ce6af9b65ab766e76a Mon Sep 17 00:00:00 2001
+From: Jan Glauber <jglauber@digitalocean.com>
+Date: Wed, 17 Mar 2021 15:04:39 +0100
+Subject: md: Fix missing unused status line of /proc/mdstat
+
+From: Jan Glauber <jglauber@digitalocean.com>
+
+commit 7abfabaf5f805f5171d133ce6af9b65ab766e76a upstream.
+
+Reading /proc/mdstat with a read buffer size that would not
+fit the unused status line in the first read will skip this
+line from the output.
+
+So 'dd if=/proc/mdstat bs=64 2>/dev/null' will not print something
+like: unused devices: <none>
+
+Don't return NULL immediately in start() for v=2 but call
+show() once to print the status line also for multiple reads.
+
+Cc: stable@vger.kernel.org
+Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface")
+Signed-off-by: Jan Glauber <jglauber@digitalocean.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8172,7 +8172,11 @@ static void *md_seq_start(struct seq_fil
+ loff_t l = *pos;
+ struct mddev *mddev;
+
+- if (l >= 0x10000)
++ if (l == 0x10000) {
++ ++*pos;
++ return (void *)2;
++ }
++ if (l > 0x10000)
+ return NULL;
+ if (!l--)
+ /* header */
--- /dev/null
+From 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 Mon Sep 17 00:00:00 2001
+From: Zhao Heming <heming.zhao@suse.com>
+Date: Sat, 3 Apr 2021 11:01:25 +0800
+Subject: md: md_open returns -EBUSY when entering racing area
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+commit 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 upstream.
+
+commit d3374825ce57 ("md: make devices disappear when they are no longer
+needed.") introduced protection between mddev creating & removing. The
+md_open shouldn't create mddev when all_mddevs list doesn't contain
+mddev. With currently code logic, there will be very easy to trigger
+soft lockup in non-preempt env.
+
+This patch changes md_open returning from -ERESTARTSYS to -EBUSY, which
+will break the infinitely retry when md_open enter racing area.
+
+This patch is partly fix soft lockup issue, full fix needs mddev_find
+is split into two functions: mddev_find & mddev_find_or_alloc. And
+md_open should call new mddev_find (it only does searching job).
+
+For more detail, please refer with Christoph's "split mddev_find" patch
+in later commits.
+
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7841,8 +7841,7 @@ static int md_open(struct block_device *
+ /* Wait until bdev->bd_disk is definitely gone */
+ if (work_pending(&mddev->del_work))
+ flush_workqueue(md_misc_wq);
+- /* Then retry the open from the top */
+- return -ERESTARTSYS;
++ return -EBUSY;
+ }
+ BUG_ON(mddev != bdev->bd_disk->private_data);
+
--- /dev/null
+From 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sat, 3 Apr 2021 18:15:29 +0200
+Subject: md: split mddev_find
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e upstream.
+
+Split mddev_find into a simple mddev_find that just finds an existing
+mddev by the unit number, and a more complicated mddev_find that deals
+with find or allocating a mddev.
+
+This turns out to fix this bug reported by Zhao Heming.
+
+----------------------------- snip ------------------------------
+commit d3374825ce57 ("md: make devices disappear when they are no longer
+needed.") introduced protection between mddev creating & removing. The
+md_open shouldn't create mddev when all_mddevs list doesn't contain
+mddev. With currently code logic, there will be very easy to trigger
+soft lockup in non-preempt env.
+
+---
+ drivers/md/md.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -736,6 +736,22 @@ EXPORT_SYMBOL_GPL(mddev_init);
+
+ static struct mddev *mddev_find(dev_t unit)
+ {
++ struct mddev *mddev;
++
++ if (MAJOR(unit) != MD_MAJOR)
++ unit &= ~((1 << MdpMinorShift) - 1);
++
++ spin_lock(&all_mddevs_lock);
++ mddev = mddev_find_locked(unit);
++ if (mddev)
++ mddev_get(mddev);
++ spin_unlock(&all_mddevs_lock);
++
++ return mddev;
++}
++
++static struct mddev *mddev_find_or_alloc(dev_t unit)
++{
+ struct mddev *mddev, *new = NULL;
+
+ if (unit && MAJOR(unit) != MD_MAJOR)
+@@ -5644,7 +5660,7 @@ static int md_alloc(dev_t dev, char *nam
+ * writing to /sys/module/md_mod/parameters/new_array.
+ */
+ static DEFINE_MUTEX(disks_mutex);
+- struct mddev *mddev = mddev_find(dev);
++ struct mddev *mddev = mddev_find_or_alloc(dev);
+ struct gendisk *disk;
+ int partitioned;
+ int shift;
+@@ -6524,11 +6540,9 @@ static void autorun_devices(int part)
+
+ md_probe(dev);
+ mddev = mddev_find(dev);
+- if (!mddev || !mddev->gendisk) {
+- if (mddev)
+- mddev_put(mddev);
++ if (!mddev)
+ break;
+- }
++
+ if (mddev_lock(mddev))
+ pr_warn("md: %s locked, cannot run\n", mdname(mddev));
+ else if (mddev->raid_disks || mddev->major_version
--- /dev/null
+From e607ff630c6053ecc67502677c0e50053d7892d4 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Fri, 9 Apr 2021 12:21:28 -0700
+Subject: MIPS: generic: Update node names to avoid unit addresses
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit e607ff630c6053ecc67502677c0e50053d7892d4 upstream.
+
+With the latest mkimage from U-Boot 2021.04, the generic defconfigs no
+longer build, failing with:
+
+/usr/bin/mkimage: verify_header failed for FIT Image support with exit code 1
+
+This is expected after the linked U-Boot commits because '@' is
+forbidden in the node names due to the way that libfdt treats nodes with
+the same prefix but different unit addresses.
+
+Switch the '@' in the node name to '-'. Drop the unit addresses from the
+hash and kernel child nodes because there is only one node so they do
+not need to have a number to differentiate them.
+
+Cc: stable@vger.kernel.org
+Link: https://source.denx.de/u-boot/u-boot/-/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
+Link: https://source.denx.de/u-boot/u-boot/-/commit/3f04db891a353f4b127ed57279279f851c6b4917
+Suggested-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Tom Rini <trini@konsulko.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/generic/board-boston.its.S | 10 +++++-----
+ arch/mips/generic/board-jaguar2.its.S | 16 ++++++++--------
+ arch/mips/generic/board-luton.its.S | 8 ++++----
+ arch/mips/generic/board-ni169445.its.S | 10 +++++-----
+ arch/mips/generic/board-ocelot.its.S | 20 ++++++++++----------
+ arch/mips/generic/board-serval.its.S | 8 ++++----
+ arch/mips/generic/board-xilfpga.its.S | 10 +++++-----
+ arch/mips/generic/vmlinux.its.S | 10 +++++-----
+ 8 files changed, 46 insertions(+), 46 deletions(-)
+
+--- a/arch/mips/generic/board-boston.its.S
++++ b/arch/mips/generic/board-boston.its.S
+@@ -1,22 +1,22 @@
+ / {
+ images {
+- fdt@boston {
++ fdt-boston {
+ description = "img,boston Device Tree";
+ data = /incbin/("boot/dts/img/boston.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+ };
+
+ configurations {
+- conf@boston {
++ conf-boston {
+ description = "Boston Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@boston";
++ kernel = "kernel";
++ fdt = "fdt-boston";
+ };
+ };
+ };
+--- a/arch/mips/generic/board-jaguar2.its.S
++++ b/arch/mips/generic/board-jaguar2.its.S
+@@ -1,23 +1,23 @@
+ /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
+ / {
+ images {
+- fdt@jaguar2_pcb110 {
++ fdt-jaguar2_pcb110 {
+ description = "MSCC Jaguar2 PCB110 Device Tree";
+ data = /incbin/("boot/dts/mscc/jaguar2_pcb110.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+- fdt@jaguar2_pcb111 {
++ fdt-jaguar2_pcb111 {
+ description = "MSCC Jaguar2 PCB111 Device Tree";
+ data = /incbin/("boot/dts/mscc/jaguar2_pcb111.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+@@ -26,14 +26,14 @@
+ configurations {
+ pcb110 {
+ description = "Jaguar2 Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@jaguar2_pcb110";
++ kernel = "kernel";
++ fdt = "fdt-jaguar2_pcb110";
+ ramdisk = "ramdisk";
+ };
+ pcb111 {
+ description = "Jaguar2 Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@jaguar2_pcb111";
++ kernel = "kernel";
++ fdt = "fdt-jaguar2_pcb111";
+ ramdisk = "ramdisk";
+ };
+ };
+--- a/arch/mips/generic/board-luton.its.S
++++ b/arch/mips/generic/board-luton.its.S
+@@ -1,13 +1,13 @@
+ /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
+ / {
+ images {
+- fdt@luton_pcb091 {
++ fdt-luton_pcb091 {
+ description = "MSCC Luton PCB091 Device Tree";
+ data = /incbin/("boot/dts/mscc/luton_pcb091.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+@@ -16,8 +16,8 @@
+ configurations {
+ pcb091 {
+ description = "Luton Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@luton_pcb091";
++ kernel = "kernel";
++ fdt = "fdt-luton_pcb091";
+ };
+ };
+ };
+--- a/arch/mips/generic/board-ni169445.its.S
++++ b/arch/mips/generic/board-ni169445.its.S
+@@ -1,22 +1,22 @@
+ / {
+ images {
+- fdt@ni169445 {
++ fdt-ni169445 {
+ description = "NI 169445 device tree";
+ data = /incbin/("boot/dts/ni/169445.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+ };
+
+ configurations {
+- conf@ni169445 {
++ conf-ni169445 {
+ description = "NI 169445 Linux Kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@ni169445";
++ kernel = "kernel";
++ fdt = "fdt-ni169445";
+ };
+ };
+ };
+--- a/arch/mips/generic/board-ocelot.its.S
++++ b/arch/mips/generic/board-ocelot.its.S
+@@ -1,40 +1,40 @@
+ /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
+ / {
+ images {
+- fdt@ocelot_pcb123 {
++ fdt-ocelot_pcb123 {
+ description = "MSCC Ocelot PCB123 Device Tree";
+ data = /incbin/("boot/dts/mscc/ocelot_pcb123.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+
+- fdt@ocelot_pcb120 {
++ fdt-ocelot_pcb120 {
+ description = "MSCC Ocelot PCB120 Device Tree";
+ data = /incbin/("boot/dts/mscc/ocelot_pcb120.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+ };
+
+ configurations {
+- conf@ocelot_pcb123 {
++ conf-ocelot_pcb123 {
+ description = "Ocelot Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@ocelot_pcb123";
++ kernel = "kernel";
++ fdt = "fdt-ocelot_pcb123";
+ };
+
+- conf@ocelot_pcb120 {
++ conf-ocelot_pcb120 {
+ description = "Ocelot Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@ocelot_pcb120";
++ kernel = "kernel";
++ fdt = "fdt-ocelot_pcb120";
+ };
+ };
+ };
+--- a/arch/mips/generic/board-serval.its.S
++++ b/arch/mips/generic/board-serval.its.S
+@@ -1,13 +1,13 @@
+ /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
+ / {
+ images {
+- fdt@serval_pcb105 {
++ fdt-serval_pcb105 {
+ description = "MSCC Serval PCB105 Device Tree";
+ data = /incbin/("boot/dts/mscc/serval_pcb105.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+@@ -16,8 +16,8 @@
+ configurations {
+ pcb105 {
+ description = "Serval Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@serval_pcb105";
++ kernel = "kernel";
++ fdt = "fdt-serval_pcb105";
+ ramdisk = "ramdisk";
+ };
+ };
+--- a/arch/mips/generic/board-xilfpga.its.S
++++ b/arch/mips/generic/board-xilfpga.its.S
+@@ -1,22 +1,22 @@
+ / {
+ images {
+- fdt@xilfpga {
++ fdt-xilfpga {
+ description = "MIPSfpga (xilfpga) Device Tree";
+ data = /incbin/("boot/dts/xilfpga/nexys4ddr.dtb");
+ type = "flat_dt";
+ arch = "mips";
+ compression = "none";
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+ };
+
+ configurations {
+- conf@xilfpga {
++ conf-xilfpga {
+ description = "MIPSfpga Linux kernel";
+- kernel = "kernel@0";
+- fdt = "fdt@xilfpga";
++ kernel = "kernel";
++ fdt = "fdt-xilfpga";
+ };
+ };
+ };
+--- a/arch/mips/generic/vmlinux.its.S
++++ b/arch/mips/generic/vmlinux.its.S
+@@ -6,7 +6,7 @@
+ #address-cells = <ADDR_CELLS>;
+
+ images {
+- kernel@0 {
++ kernel {
+ description = KERNEL_NAME;
+ data = /incbin/(VMLINUX_BINARY);
+ type = "kernel";
+@@ -15,18 +15,18 @@
+ compression = VMLINUX_COMPRESSION;
+ load = /bits/ ADDR_BITS <VMLINUX_LOAD_ADDRESS>;
+ entry = /bits/ ADDR_BITS <VMLINUX_ENTRY_ADDRESS>;
+- hash@0 {
++ hash {
+ algo = "sha1";
+ };
+ };
+ };
+
+ configurations {
+- default = "conf@default";
++ default = "conf-default";
+
+- conf@default {
++ conf-default {
+ description = "Generic Linux kernel";
+- kernel = "kernel@0";
++ kernel = "kernel";
+ };
+ };
+ };
--- /dev/null
+From c49f71f60754acbff37505e1d16ca796bf8a8140 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Tue, 20 Apr 2021 04:50:40 +0200
+Subject: MIPS: Reinstate platform `__div64_32' handler
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit c49f71f60754acbff37505e1d16ca796bf8a8140 upstream.
+
+Our current MIPS platform `__div64_32' handler is inactive, because it
+is incorrectly only enabled for 64-bit configurations, for which generic
+`do_div' code does not call it anyway.
+
+The handler is not suitable for being called from there though as it
+only calculates 32 bits of the quotient under the assumption the 64-bit
+divident has been suitably reduced. Code for such reduction used to be
+there, however it has been incorrectly removed with commit c21004cd5b4c
+("MIPS: Rewrite <asm/div64.h> to work with gcc 4.4.0."), which should
+have only updated an obsoleted constraint for an inline asm involving
+$hi and $lo register outputs, while possibly wiring the original MIPS
+variant of the `do_div' macro as `__div64_32' handler for the generic
+`do_div' implementation
+
+Correct the handler as follows then:
+
+- Revert most of the commit referred, however retaining the current
+ formatting, except for the final two instructions of the inline asm
+ sequence, which the original commit missed. Omit the original 64-bit
+ parts though.
+
+- Rename the original `do_div' macro to `__div64_32'. Use the combined
+ `x' constraint referring to the MD accumulator as a whole, replacing
+ the original individual `h' and `l' constraints used for $hi and $lo
+ registers respectively, of which `h' has been obsoleted with GCC 4.4.
+ Update surrounding code accordingly.
+
+ We have since removed support for GCC versions before 4.9, so no need
+ for a special arrangement here; GCC has supported the `x' constraint
+ since forever anyway, or at least going back to 1991.
+
+- Rename the `__base' local variable in `__div64_32' to `__radix' to
+ avoid a conflict with a local variable in `do_div'.
+
+- Actually enable this code for 32-bit rather than 64-bit configurations
+ by qualifying it with BITS_PER_LONG being 32 instead of 64. Include
+ <asm/bitsperlong.h> for this macro rather than <linux/types.h> as we
+ don't need anything else.
+
+- Finally include <asm-generic/div64.h> last rather than first.
+
+This has passed correctness verification with test_div64 and reduced the
+module's average execution time down to 1.0668s and 0.2629s from 2.1529s
+and 0.5647s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz.
+For a reference 64-bit `do_div' code where we have the DDIVU instruction
+available to do the whole calculation right away averages at 0.0660s for
+the latter CPU.
+
+Fixes: c21004cd5b4c ("MIPS: Rewrite <asm/div64.h> to work with gcc 4.4.0.")
+Reported-by: Huacai Chen <chenhuacai@kernel.org>
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.30+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/div64.h | 57 ++++++++++++++++++++++++++++++------------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+--- a/arch/mips/include/asm/div64.h
++++ b/arch/mips/include/asm/div64.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2000, 2004 Maciej W. Rozycki
++ * Copyright (C) 2000, 2004, 2021 Maciej W. Rozycki
+ * Copyright (C) 2003, 07 Ralf Baechle (ralf@linux-mips.org)
+ *
+ * This file is subject to the terms and conditions of the GNU General Public
+@@ -9,25 +9,18 @@
+ #ifndef __ASM_DIV64_H
+ #define __ASM_DIV64_H
+
+-#include <asm-generic/div64.h>
+-
+-#if BITS_PER_LONG == 64
++#include <asm/bitsperlong.h>
+
+-#include <linux/types.h>
++#if BITS_PER_LONG == 32
+
+ /*
+ * No traps on overflows for any of these...
+ */
+
+-#define __div64_32(n, base) \
+-({ \
++#define do_div64_32(res, high, low, base) ({ \
+ unsigned long __cf, __tmp, __tmp2, __i; \
+ unsigned long __quot32, __mod32; \
+- unsigned long __high, __low; \
+- unsigned long long __n; \
+ \
+- __high = *__n >> 32; \
+- __low = __n; \
+ __asm__( \
+ " .set push \n" \
+ " .set noat \n" \
+@@ -51,18 +44,50 @@
+ " subu %0, %0, %z6 \n" \
+ " addiu %2, %2, 1 \n" \
+ "3: \n" \
+- " bnez %4, 0b\n\t" \
+- " srl %5, %1, 0x1f\n\t" \
++ " bnez %4, 0b \n" \
++ " srl %5, %1, 0x1f \n" \
+ " .set pop" \
+ : "=&r" (__mod32), "=&r" (__tmp), \
+ "=&r" (__quot32), "=&r" (__cf), \
+ "=&r" (__i), "=&r" (__tmp2) \
+- : "Jr" (base), "0" (__high), "1" (__low)); \
++ : "Jr" (base), "0" (high), "1" (low)); \
+ \
+- (__n) = __quot32; \
++ (res) = __quot32; \
+ __mod32; \
+ })
+
+-#endif /* BITS_PER_LONG == 64 */
++#define __div64_32(n, base) ({ \
++ unsigned long __upper, __low, __high, __radix; \
++ unsigned long long __modquot; \
++ unsigned long long __quot; \
++ unsigned long long __div; \
++ unsigned long __mod; \
++ \
++ __div = (*n); \
++ __radix = (base); \
++ \
++ __high = __div >> 32; \
++ __low = __div; \
++ __upper = __high; \
++ \
++ if (__high) { \
++ __asm__("divu $0, %z1, %z2" \
++ : "=x" (__modquot) \
++ : "Jr" (__high), "Jr" (__radix)); \
++ __upper = __modquot >> 32; \
++ __high = __modquot; \
++ } \
++ \
++ __mod = do_div64_32(__low, __upper, __low, __radix); \
++ \
++ __quot = __high; \
++ __quot = __quot << 32 | __low; \
++ (*n) = __quot; \
++ __mod; \
++})
++
++#endif /* BITS_PER_LONG == 32 */
++
++#include <asm-generic/div64.h>
+
+ #endif /* __ASM_DIV64_H */
--- /dev/null
+From b4403cee6400c5f679e9c4a82b91d61aa961eccf Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 23 Mar 2021 22:47:37 +0100
+Subject: mt76: fix potential DMA mapping leak
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit b4403cee6400c5f679e9c4a82b91d61aa961eccf upstream.
+
+With buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap
+could potentially inherit a non-zero value from stack garbage.
+If this happens, it will cause DMA mappings for MCU command frames to not be
+unmapped after completion
+
+Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -309,7 +309,7 @@ static int
+ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, struct mt76_queue *q,
+ struct sk_buff *skb, u32 tx_info)
+ {
+- struct mt76_queue_buf buf;
++ struct mt76_queue_buf buf = {};
+ dma_addr_t addr;
+
+ if (q->queued + 1 >= q->ndesc - 1)
--- /dev/null
+From 06991d1f73a9bdbc5f234ee96737b9102705b89c Mon Sep 17 00:00:00 2001
+From: Ryder Lee <ryder.lee@mediatek.com>
+Date: Tue, 13 Apr 2021 16:00:07 +0800
+Subject: mt76: mt7615: use ieee80211_free_txskb() in mt7615_tx_token_put()
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+commit 06991d1f73a9bdbc5f234ee96737b9102705b89c upstream.
+
+We should use ieee80211_free_txskb() to report skb status avoid wrong
+aql accounting after reset.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -2000,8 +2000,12 @@ void mt7615_tx_token_put(struct mt7615_d
+ spin_lock_bh(&dev->token_lock);
+ idr_for_each_entry(&dev->token, txwi, id) {
+ mt7615_txp_skb_unmap(&dev->mt76, txwi);
+- if (txwi->skb)
+- dev_kfree_skb_any(txwi->skb);
++ if (txwi->skb) {
++ struct ieee80211_hw *hw;
++
++ hw = mt76_tx_status_get_hw(&dev->mt76, txwi->skb);
++ ieee80211_free_txskb(hw, txwi->skb);
++ }
+ mt76_put_txwi(&dev->mt76, txwi);
+ }
+ spin_unlock_bh(&dev->token_lock);
--- /dev/null
+From 46fd4471615c1bff9d87c411140807762c25667a Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 16 Apr 2021 23:55:54 -0700
+Subject: net: xilinx: drivers need/depend on HAS_IOMEM
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 46fd4471615c1bff9d87c411140807762c25667a upstream.
+
+kernel test robot reports build errors in 3 Xilinx ethernet drivers.
+They all use ioremap functions that are only available when HAS_IOMEM
+is set/enabled. If it is not enabled, they all have build errors,
+so make these 3 drivers depend on HAS_IOMEM.
+
+ld: drivers/net/ethernet/xilinx/xilinx_emaclite.o: in function `xemaclite_of_probe':
+xilinx_emaclite.c:(.text+0x9fc): undefined reference to `devm_ioremap_resource'
+
+ld: drivers/net/ethernet/xilinx/xilinx_axienet_main.o: in function `axienet_probe':
+xilinx_axienet_main.c:(.text+0x942): undefined reference to `devm_ioremap_resource'
+
+ld: drivers/net/ethernet/xilinx/ll_temac_main.o: in function `temac_probe':
+ll_temac_main.c:(.text+0x1283): undefined reference to `devm_platform_ioremap_resource_byname'
+ld: ll_temac_main.c:(.text+0x13ad): undefined reference to `devm_of_iomap'
+ld: ll_temac_main.c:(.text+0x162e): undefined reference to `devm_platform_ioremap_resource'
+
+Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Cc: Gary Guo <gary@garyguo.net>
+Cc: Zhang Changzhong <zhangchangzhong@huawei.com>
+Cc: Andre Przywara <andre.przywara@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: netdev@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/xilinx/Kconfig
++++ b/drivers/net/ethernet/xilinx/Kconfig
+@@ -18,12 +18,14 @@ if NET_VENDOR_XILINX
+
+ config XILINX_EMACLITE
+ tristate "Xilinx 10/100 Ethernet Lite support"
++ depends on HAS_IOMEM
+ select PHYLIB
+ help
+ This driver supports the 10/100 Ethernet Lite from Xilinx.
+
+ config XILINX_AXI_EMAC
+ tristate "Xilinx 10/100/1000 AXI Ethernet support"
++ depends on HAS_IOMEM
+ select PHYLINK
+ help
+ This driver supports the 10/100/1000 Ethernet from Xilinx for the
+@@ -31,6 +33,7 @@ config XILINX_AXI_EMAC
+
+ config XILINX_LL_TEMAC
+ tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
++ depends on HAS_IOMEM
+ select PHYLIB
+ help
+ This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
--- /dev/null
+From 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Thu, 1 Apr 2021 14:27:17 -0500
+Subject: rtw88: Fix array overrun in rtw_get_tx_power_params()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e upstream.
+
+Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
+following array overrun is logged:
+
+================================================================================
+UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
+index 5 is out of range for type 'u8 [5]'
+CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651
+Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014
+Workqueue: phy0 ieee80211_scan_work [mac80211]
+Call Trace:
+ dump_stack+0x64/0x7c
+ ubsan_epilogue+0x5/0x40
+ __ubsan_handle_out_of_bounds.cold+0x43/0x48
+ rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]
+ ? rtw_pci_read16+0x20/0x20 [rtw_pci]
+ ? check_hw_ready+0x50/0x90 [rtw_core]
+ rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
+ rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]
+ rtw_set_channel+0xab/0x110 [rtw_core]
+ rtw_ops_config+0x87/0xc0 [rtw_core]
+ ieee80211_hw_config+0x9d/0x130 [mac80211]
+ ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
+ ieee80211_scan_work+0x19f/0x2a0 [mac80211]
+ process_one_work+0x1dd/0x3a0
+ worker_thread+0x49/0x330
+ ? rescuer_thread+0x3a0/0x3a0
+ kthread+0x134/0x150
+ ? kthread_create_worker_on_cpu+0x70/0x70
+ ret_from_fork+0x22/0x30
+================================================================================
+
+The statement where an array is being overrun is shown in the following snippet:
+
+ if (rate <= DESC_RATE11M)
+ tx_power = pwr_idx_2g->cck_base[group];
+ else
+====> tx_power = pwr_idx_2g->bw40_base[group];
+
+The associated arrays are defined in main.h as follows:
+
+struct rtw_2g_txpwr_idx {
+ u8 cck_base[6];
+ u8 bw40_base[5];
+ struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
+ struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
+ struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
+ struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
+};
+
+The problem arises because the value of group is 5 for channel 14. The trivial
+increase in the dimension of bw40_base fails as this struct must match the layout of
+efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set
+the group for channel 14 to 4 if rate <= DESC_RATE11M.
+
+This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")
+
+Fixes: fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")
+Reported-by: Богдан Пилипенко <bogdan.pylypenko107@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210401192717.28927-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/phy.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/phy.c
++++ b/drivers/net/wireless/realtek/rtw88/phy.c
+@@ -1584,7 +1584,7 @@ void rtw_phy_load_tables(struct rtw_dev
+ }
+ EXPORT_SYMBOL(rtw_phy_load_tables);
+
+-static u8 rtw_get_channel_group(u8 channel)
++static u8 rtw_get_channel_group(u8 channel, u8 rate)
+ {
+ switch (channel) {
+ default:
+@@ -1628,6 +1628,7 @@ static u8 rtw_get_channel_group(u8 chann
+ case 106:
+ return 4;
+ case 14:
++ return rate <= DESC_RATE11M ? 5 : 4;
+ case 108:
+ case 110:
+ case 112:
+@@ -1879,7 +1880,7 @@ void rtw_get_tx_power_params(struct rtw_
+ s8 *remnant = &pwr_param->pwr_remnant;
+
+ pwr_idx = &rtwdev->efuse.txpwr_idx_table[path];
+- group = rtw_get_channel_group(ch);
++ group = rtw_get_channel_group(ch, rate);
+
+ /* base power index for 2.4G/5G */
+ if (IS_CH_2G_BAND(ch)) {
x86-sched-treat-intel-snc-topology-as-default-cod-as-exception.patch
async_xor-increase-src_offs-when-dropping-destination-page.patch
md-bitmap-wait-for-external-bitmap-writes-to-complete-during-tear-down.patch
+md-cluster-fix-use-after-free-issue-when-removing-rdev.patch
+md-split-mddev_find.patch
+md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch
+md-md_open-returns-ebusy-when-entering-racing-area.patch
+md-fix-missing-unused-status-line-of-proc-mdstat.patch
+mips-reinstate-platform-__div64_32-handler.patch
+mips-generic-update-node-names-to-avoid-unit-addresses.patch
+mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch
+ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch
+net-xilinx-drivers-need-depend-on-has_iomem.patch
+cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch
+rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch
+mt76-fix-potential-dma-mapping-leak.patch
+fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
