--- /dev/null
+From f0acf637d60ffcef3ccb6e279f743e587b3c7359 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Fri, 19 Mar 2021 12:04:57 +0100
+Subject: driver core: clear deferred probe reason on probe retry
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit f0acf637d60ffcef3ccb6e279f743e587b3c7359 upstream.
+
+When retrying a deferred probe, any old defer reason string should be
+discarded. Otherwise, if the probe is deferred again at a different spot,
+but without setting a message, the now incorrect probe reason will remain.
+
+This was observed with the i.MX I2C driver, which ultimately failed
+to probe due to lack of the GPIO driver. The probe defer for GPIO
+doesn't record a message, but a previous probe defer to clock_get did.
+This had the effect that /sys/kernel/debug/devices_deferred listed
+a misleading probe deferral reason.
+
+Cc: stable <stable@vger.kernel.org>
+Fixes: d090b70ede02 ("driver core: add deferring probe reason to devices_deferred property")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://lore.kernel.org/r/20210319110459.19966-1-a.fatoum@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/dd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -97,6 +97,9 @@ static void deferred_probe_work_func(str
+
+ get_device(dev);
+
++ kfree(dev->p->deferred_probe_reason);
++ dev->p->deferred_probe_reason = NULL;
++
+ /*
+ * Drop the mutex while probing each device; the probe path may
+ * manipulate the deferred list
--- /dev/null
+From 01faae5193d6190b7b3aa93dae43f514e866d652 Mon Sep 17 00:00:00 2001
+From: Du Cheng <ducheng2@gmail.com>
+Date: Fri, 12 Mar 2021 16:14:21 +0800
+Subject: drivers: video: fbcon: fix NULL dereference in fbcon_cursor()
+
+From: Du Cheng <ducheng2@gmail.com>
+
+commit 01faae5193d6190b7b3aa93dae43f514e866d652 upstream.
+
+add null-check on function pointer before dereference on ops->cursor
+
+Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210312081421.452405-1-ducheng2@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -1341,6 +1341,9 @@ static void fbcon_cursor(struct vc_data
+
+ ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
+
++ if (!ops->cursor)
++ return;
++
+ ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
+ get_color(vc, info, c, 0));
+ }
usb-dwc2-prevent-core-suspend-when-port-connection-flag-is-0.patch
usb-dwc3-qcom-skip-interconnect-init-for-acpi-probe.patch
usb-dwc3-gadget-clear-dep-flags-after-stop-transfers-in-ep-disable.patch
+soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch
+staging-rtl8192e-fix-incorrect-source-in-memcpy.patch
+staging-rtl8192e-change-state-information-from-u16-to-u8.patch
+driver-core-clear-deferred-probe-reason-on-probe-retry.patch
+drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch
--- /dev/null
+From 29d96eb261345c8d888e248ae79484e681be2faa Mon Sep 17 00:00:00 2001
+From: Roja Rani Yarubandi <rojay@codeaurora.org>
+Date: Wed, 24 Mar 2021 15:48:35 +0530
+Subject: soc: qcom-geni-se: Cleanup the code to remove proxy votes
+
+From: Roja Rani Yarubandi <rojay@codeaurora.org>
+
+commit 29d96eb261345c8d888e248ae79484e681be2faa upstream.
+
+This reverts commit 048eb908a1f2 ("soc: qcom-geni-se: Add interconnect
+support to fix earlycon crash")
+
+ICC core and platforms drivers supports sync_state feature, which
+ensures that the default ICC BW votes from the bootloader is not
+removed until all it's consumers are probes.
+
+The proxy votes were needed in case other QUP child drivers
+I2C, SPI probes before UART, they can turn off the QUP-CORE clock
+which is shared resources for all QUP driver, this causes unclocked
+access to HW from earlycon.
+
+Given above support from ICC there is no longer need to maintain
+proxy votes on QUP-CORE ICC node from QUP wrapper driver for early
+console usecase, the default votes won't be removed until real
+console is probed.
+
+Cc: stable@vger.kernel.org
+Fixes: 266cd33b5913 ("interconnect: qcom: Ensure that the floor bandwidth value is enforced")
+Fixes: 7d3b0b0d8184 ("interconnect: qcom: Use icc_sync_state")
+Signed-off-by: Roja Rani Yarubandi <rojay@codeaurora.org>
+Signed-off-by: Akash Asthana <akashast@codeaurora.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Link: https://lore.kernel.org/r/20210324101836.25272-2-rojay@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/qcom-geni-se.c | 74 ----------------------------------
+ drivers/tty/serial/qcom_geni_serial.c | 7 ---
+ include/linux/qcom-geni-se.h | 2
+ 3 files changed, 83 deletions(-)
+
+--- a/drivers/soc/qcom/qcom-geni-se.c
++++ b/drivers/soc/qcom/qcom-geni-se.c
+@@ -3,7 +3,6 @@
+
+ #include <linux/acpi.h>
+ #include <linux/clk.h>
+-#include <linux/console.h>
+ #include <linux/slab.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/io.h>
+@@ -92,14 +91,11 @@ struct geni_wrapper {
+ struct device *dev;
+ void __iomem *base;
+ struct clk_bulk_data ahb_clks[NUM_AHB_CLKS];
+- struct geni_icc_path to_core;
+ };
+
+ static const char * const icc_path_names[] = {"qup-core", "qup-config",
+ "qup-memory"};
+
+-static struct geni_wrapper *earlycon_wrapper;
+-
+ #define QUP_HW_VER_REG 0x4
+
+ /* Common SE registers */
+@@ -843,44 +839,11 @@ int geni_icc_disable(struct geni_se *se)
+ }
+ EXPORT_SYMBOL(geni_icc_disable);
+
+-void geni_remove_earlycon_icc_vote(void)
+-{
+- struct platform_device *pdev;
+- struct geni_wrapper *wrapper;
+- struct device_node *parent;
+- struct device_node *child;
+-
+- if (!earlycon_wrapper)
+- return;
+-
+- wrapper = earlycon_wrapper;
+- parent = of_get_next_parent(wrapper->dev->of_node);
+- for_each_child_of_node(parent, child) {
+- if (!of_device_is_compatible(child, "qcom,geni-se-qup"))
+- continue;
+-
+- pdev = of_find_device_by_node(child);
+- if (!pdev)
+- continue;
+-
+- wrapper = platform_get_drvdata(pdev);
+- icc_put(wrapper->to_core.path);
+- wrapper->to_core.path = NULL;
+-
+- }
+- of_node_put(parent);
+-
+- earlycon_wrapper = NULL;
+-}
+-EXPORT_SYMBOL(geni_remove_earlycon_icc_vote);
+-
+ static int geni_se_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct resource *res;
+ struct geni_wrapper *wrapper;
+- struct console __maybe_unused *bcon;
+- bool __maybe_unused has_earlycon = false;
+ int ret;
+
+ wrapper = devm_kzalloc(dev, sizeof(*wrapper), GFP_KERNEL);
+@@ -903,43 +866,6 @@ static int geni_se_probe(struct platform
+ }
+ }
+
+-#ifdef CONFIG_SERIAL_EARLYCON
+- for_each_console(bcon) {
+- if (!strcmp(bcon->name, "qcom_geni")) {
+- has_earlycon = true;
+- break;
+- }
+- }
+- if (!has_earlycon)
+- goto exit;
+-
+- wrapper->to_core.path = devm_of_icc_get(dev, "qup-core");
+- if (IS_ERR(wrapper->to_core.path))
+- return PTR_ERR(wrapper->to_core.path);
+- /*
+- * Put minmal BW request on core clocks on behalf of early console.
+- * The vote will be removed earlycon exit function.
+- *
+- * Note: We are putting vote on each QUP wrapper instead only to which
+- * earlycon is connected because QUP core clock of different wrapper
+- * share same voltage domain. If core1 is put to 0, then core2 will
+- * also run at 0, if not voted. Default ICC vote will be removed ASA
+- * we touch any of the core clock.
+- * core1 = core2 = max(core1, core2)
+- */
+- ret = icc_set_bw(wrapper->to_core.path, GENI_DEFAULT_BW,
+- GENI_DEFAULT_BW);
+- if (ret) {
+- dev_err(&pdev->dev, "%s: ICC BW voting failed for core: %d\n",
+- __func__, ret);
+- return ret;
+- }
+-
+- if (of_get_compatible_child(pdev->dev.of_node, "qcom,geni-debug-uart"))
+- earlycon_wrapper = wrapper;
+- of_node_put(pdev->dev.of_node);
+-exit:
+-#endif
+ dev_set_drvdata(dev, wrapper);
+ dev_dbg(dev, "GENI SE Driver probed\n");
+ return devm_of_platform_populate(dev);
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -1177,12 +1177,6 @@ static inline void qcom_geni_serial_enab
+ struct console *con) { }
+ #endif
+
+-static int qcom_geni_serial_earlycon_exit(struct console *con)
+-{
+- geni_remove_earlycon_icc_vote();
+- return 0;
+-}
+-
+ static struct qcom_geni_private_data earlycon_private_data;
+
+ static int __init qcom_geni_serial_earlycon_setup(struct earlycon_device *dev,
+@@ -1233,7 +1227,6 @@ static int __init qcom_geni_serial_early
+ writel(stop_bit_len, uport->membase + SE_UART_TX_STOP_BIT_LEN);
+
+ dev->con->write = qcom_geni_serial_earlycon_write;
+- dev->con->exit = qcom_geni_serial_earlycon_exit;
+ dev->con->setup = NULL;
+ qcom_geni_serial_enable_early_read(&se, dev->con);
+
+--- a/include/linux/qcom-geni-se.h
++++ b/include/linux/qcom-geni-se.h
+@@ -460,7 +460,5 @@ void geni_icc_set_tag(struct geni_se *se
+ int geni_icc_enable(struct geni_se *se);
+
+ int geni_icc_disable(struct geni_se *se);
+-
+-void geni_remove_earlycon_icc_vote(void);
+ #endif
+ #endif
--- /dev/null
+From e78836ae76d20f38eed8c8c67f21db97529949da Mon Sep 17 00:00:00 2001
+From: Atul Gopinathan <atulgopinathan@gmail.com>
+Date: Tue, 23 Mar 2021 17:04:14 +0530
+Subject: staging: rtl8192e: Change state information from u16 to u8
+
+From: Atul Gopinathan <atulgopinathan@gmail.com>
+
+commit e78836ae76d20f38eed8c8c67f21db97529949da upstream.
+
+The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
+bytes in total while the operations performed on this array through-out
+the code base are only 2 bytes.
+
+The "CcxRmState" field is fed only 2 bytes of data using memcpy():
+
+(In rtllib_rx.c:1972)
+ memcpy(network->CcxRmState, &info_element->data[4], 2)
+
+With "info_element->data[]" being a u8 array, if 2 bytes are written
+into "CcxRmState" (whose one element is u16 size), then the 2 u8
+elements from "data[]" gets squashed and written into the first element
+("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
+fed with any data.
+
+Same in file rtllib_rx.c:2522:
+ memcpy(dst->CcxRmState, src->CcxRmState, 2);
+
+The above line duplicates "src" data to "dst" but only writes 2 bytes
+(and not 4, which is the actual size). Again, only 1st element gets the
+value while the 2nd element remains uninitialized.
+
+This later makes operations done with CcxRmState unpredictable in the
+following lines as the 1st element is having a squashed number while the
+2nd element is having an uninitialized random number.
+
+rtllib_rx.c:1973: if (network->CcxRmState[0] != 0)
+rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07;
+
+network->MBssidMask is also of type u8 and not u16.
+
+Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
+data written into this array and read from it make sense and are not
+random values.
+
+NOTE: The wrong initialization of "CcxRmState" can be seen in the
+following commit:
+
+commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
+
+The above commit created a file `rtl8192e/ieee80211.h` which used to
+have the faulty line. The file has been deleted (or possibly renamed)
+with the contents copied in to a new file `rtl8192e/rtllib.h` along with
+additional code in the commit 94a799425eee (tagged in Fixes).
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Cc: stable@vger.kernel.org
+Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
+Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtllib.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtllib.h
++++ b/drivers/staging/rtl8192e/rtllib.h
+@@ -1105,7 +1105,7 @@ struct rtllib_network {
+ bool bWithAironetIE;
+ bool bCkipSupported;
+ bool bCcxRmEnable;
+- u16 CcxRmState[2];
++ u8 CcxRmState[2];
+ bool bMBssidValid;
+ u8 MBssidMask;
+ u8 MBssid[ETH_ALEN];
--- /dev/null
+From 72ad25fbbb78930f892b191637359ab5b94b3190 Mon Sep 17 00:00:00 2001
+From: Atul Gopinathan <atulgopinathan@gmail.com>
+Date: Tue, 23 Mar 2021 17:04:12 +0530
+Subject: staging: rtl8192e: Fix incorrect source in memcpy()
+
+From: Atul Gopinathan <atulgopinathan@gmail.com>
+
+commit 72ad25fbbb78930f892b191637359ab5b94b3190 upstream.
+
+The variable "info_element" is of the following type:
+
+ struct rtllib_info_element *info_element
+
+defined in drivers/staging/rtl8192e/rtllib.h:
+
+ struct rtllib_info_element {
+ u8 id;
+ u8 len;
+ u8 data[];
+ } __packed;
+
+The "len" field defines the size of the "data[]" array. The code is
+supposed to check if "info_element->len" is greater than 4 and later
+equal to 6. If this is satisfied then, the last two bytes (the 4th and
+5th element of u8 "data[]" array) are copied into "network->CcxRmState".
+
+Right now the code uses "memcpy()" with the source as "&info_element[4]"
+which would copy in wrong and unintended information. The struct
+"rtllib_info_element" has a size of 2 bytes for "id" and "len",
+therefore indexing will be done in interval of 2 bytes. So,
+"info_element[4]" would point to data which is beyond the memory
+allocated for this pointer (that is, at x+8, while "info_element" has
+been allocated only from x to x+7 (2 + 6 => 8 bytes)).
+
+This patch rectifies this error by using "&info_element->data[4]" which
+correctly copies the last two bytes of "data[]".
+
+NOTE: The faulty line of code came from the following commit:
+
+commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
+
+The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c`
+which had the faulty line of code. This file has been deleted (or
+possibly renamed) with the contents copied in to a new file
+`rtl8192e/rtllib_rx.c` along with additional code in the commit
+94a799425eee (tagged in Fixes).
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Cc: stable@vger.kernel.org
+Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
+Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtllib_rx.c
++++ b/drivers/staging/rtl8192e/rtllib_rx.c
+@@ -1968,7 +1968,7 @@ static void rtllib_parse_mife_generic(st
+ info_element->data[2] == 0x96 &&
+ info_element->data[3] == 0x01) {
+ if (info_element->len == 6) {
+- memcpy(network->CcxRmState, &info_element[4], 2);
++ memcpy(network->CcxRmState, &info_element->data[4], 2);
+ if (network->CcxRmState[0] != 0)
+ network->bCcxRmEnable = true;
+ else
projects / thirdparty / kernel / stable-queue.git / commitdiff
