--- /dev/null
+From 6457378fe796815c973f631a1904e147d6ee33b1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 25 Aug 2021 16:17:29 -0700
+Subject: ipv4: use siphash instead of Jenkins in fnhe_hashfun()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream.
+
+A group of security researchers brought to our attention
+the weakness of hash function used in fnhe_hashfun().
+
+Lets use siphash instead of Jenkins Hash, to considerably
+reduce security risks.
+
+Also remove the inline keyword, this really is distracting.
+
+Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[OP: adjusted context for 4.14 stable]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -640,14 +640,14 @@ static void fnhe_remove_oldest(struct fn
+ kfree_rcu(oldest, rcu);
+ }
+
+-static inline u32 fnhe_hashfun(__be32 daddr)
++static u32 fnhe_hashfun(__be32 daddr)
+ {
+- static u32 fnhe_hashrnd __read_mostly;
+- u32 hval;
++ static siphash_key_t fnhe_hash_key __read_mostly;
++ u64 hval;
+
+- net_get_random_once(&fnhe_hashrnd, sizeof(fnhe_hashrnd));
+- hval = jhash_1word((__force u32) daddr, fnhe_hashrnd);
+- return hash_32(hval, FNHE_HASH_SHIFT);
++ net_get_random_once(&fnhe_hash_key, sizeof(fnhe_hash_key));
++ hval = siphash_1u32((__force u32)daddr, &fnhe_hash_key);
++ return hash_64(hval, FNHE_HASH_SHIFT);
+ }
+
+ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
--- /dev/null
+From 697542bceae51f7620af333b065dd09d213629fb Mon Sep 17 00:00:00 2001
+From: Jaehoon Chung <jh80.chung@samsung.com>
+Date: Fri, 22 Oct 2021 17:21:06 +0900
+Subject: mmc: dw_mmc: exynos: fix the finding clock sample value
+
+From: Jaehoon Chung <jh80.chung@samsung.com>
+
+commit 697542bceae51f7620af333b065dd09d213629fb upstream.
+
+Even though there are candiates value if can't find best value, it's
+returned -EIO. It's not proper behavior.
+If there is not best value, use a first candiate value to work eMMC.
+
+Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Christian Hewitt <christianshewitt@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: c537a1c5ff63 ("mmc: dw_mmc: exynos: add variable delay tuning sequence")
+Link: https://lore.kernel.org/r/20211022082106.1557-1-jh80.chung@samsung.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc-exynos.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc-exynos.c
++++ b/drivers/mmc/host/dw_mmc-exynos.c
+@@ -437,6 +437,18 @@ static s8 dw_mci_exynos_get_best_clksmpl
+ }
+ }
+
++ /*
++ * If there is no cadiates value, then it needs to return -EIO.
++ * If there are candiates values and don't find bset clk sample value,
++ * then use a first candiates clock sample value.
++ */
++ for (i = 0; i < iter; i++) {
++ __c = ror8(candiates, i);
++ if ((__c & 0x1) == 0x1) {
++ loc = i;
++ goto out;
++ }
++ }
+ out:
+ return loc;
+ }
+@@ -467,6 +479,8 @@ static int dw_mci_exynos_execute_tuning(
+ priv->tuned_sample = found;
+ } else {
+ ret = -EIO;
++ dev_warn(&mmc->class_dev,
++ "There is no candiates value about clksmpl!\n");
+ }
+
+ return ret;
--- /dev/null
+From 9af372dc70e9fdcbb70939dac75365e7b88580b4 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Fri, 15 Oct 2021 10:00:36 +0800
+Subject: mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 9af372dc70e9fdcbb70939dac75365e7b88580b4 upstream.
+
+To reset standard tuning circuit completely, after clear ESDHC_MIX_CTRL_EXE_TUNE,
+also need to clear bit buffer_read_ready, this operation will finally clear the
+USDHC IP internal logic flag execute_tuning_with_clr_buf, make sure the following
+normal data transfer will not be impacted by standard tuning logic used before.
+
+Find this issue when do quick SD card insert/remove stress test. During standard
+tuning prodedure, if remove SD card, USDHC standard tuning logic can't clear the
+internal flag execute_tuning_with_clr_buf. Next time when insert SD card, all
+data related commands can't get any data related interrupts, include data transfer
+complete interrupt, data timeout interrupt, data CRC interrupt, data end bit interrupt.
+Always trigger software timeout issue. Even reset the USDHC through bits in register
+SYS_CTRL (0x2C, bit28 reset tuning, bit26 reset data, bit 25 reset command, bit 24
+reset all) can't recover this. From the user's point of view, USDHC stuck, SD can't
+be recognized any more.
+
+Fixes: d9370424c948 ("mmc: sdhci-esdhc-imx: reset tuning circuit when power on mmc card")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1634263236-6111-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -927,6 +927,7 @@ static void esdhc_reset_tuning(struct sd
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
+ u32 ctrl;
++ int ret;
+
+ /* Reset the tuning circuit */
+ if (esdhc_is_usdhc(imx_data)) {
+@@ -939,7 +940,22 @@ static void esdhc_reset_tuning(struct sd
+ } else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) {
+ ctrl = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS);
+ ctrl &= ~ESDHC_MIX_CTRL_SMPCLK_SEL;
++ ctrl &= ~ESDHC_MIX_CTRL_EXE_TUNE;
+ writel(ctrl, host->ioaddr + SDHCI_AUTO_CMD_STATUS);
++ /* Make sure ESDHC_MIX_CTRL_EXE_TUNE cleared */
++ ret = readl_poll_timeout(host->ioaddr + SDHCI_AUTO_CMD_STATUS,
++ ctrl, !(ctrl & ESDHC_MIX_CTRL_EXE_TUNE), 1, 50);
++ if (ret == -ETIMEDOUT)
++ dev_warn(mmc_dev(host->mmc),
++ "Warning! clear execute tuning bit failed\n");
++ /*
++ * SDHCI_INT_DATA_AVAIL is W1C bit, set this bit will clear the
++ * usdhc IP internal logic flag execute_tuning_with_clr_buf, which
++ * will finally make sure the normal data transfer logic correct.
++ */
++ ctrl = readl(host->ioaddr + SDHCI_INT_STATUS);
++ ctrl |= SDHCI_INT_DATA_AVAIL;
++ writel(ctrl, host->ioaddr + SDHCI_INT_STATUS);
+ }
+ }
+ }
--- /dev/null
+From 4217d07b9fb328751f877d3bd9550122014860a2 Mon Sep 17 00:00:00 2001
+From: Shawn Guo <shawn.guo@linaro.org>
+Date: Mon, 4 Oct 2021 10:49:35 +0800
+Subject: mmc: sdhci: Map more voltage level to SDHCI_POWER_330
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+commit 4217d07b9fb328751f877d3bd9550122014860a2 upstream.
+
+On Thundercomm TurboX CM2290, the eMMC OCR reports vdd = 23 (3.5 ~ 3.6 V),
+which is being treated as an invalid value by sdhci_set_power_noreg().
+And thus eMMC is totally broken on the platform.
+
+[ 1.436599] ------------[ cut here ]------------
+[ 1.436606] mmc0: Invalid vdd 0x17
+[ 1.436640] WARNING: CPU: 2 PID: 69 at drivers/mmc/host/sdhci.c:2048 sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436655] Modules linked in:
+[ 1.436662] CPU: 2 PID: 69 Comm: kworker/u8:1 Tainted: G W 5.15.0-rc1+ #137
+[ 1.436669] Hardware name: Thundercomm TurboX CM2290 (DT)
+[ 1.436674] Workqueue: events_unbound async_run_entry_fn
+[ 1.436685] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 1.436692] pc : sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436698] lr : sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436703] sp : ffff800010803a60
+[ 1.436705] x29: ffff800010803a60 x28: ffff6a9102465f00 x27: ffff6a9101720a70
+[ 1.436715] x26: ffff6a91014de1c0 x25: ffff6a91014de010 x24: ffff6a91016af280
+[ 1.436724] x23: ffffaf7b1b276640 x22: 0000000000000000 x21: ffff6a9101720000
+[ 1.436733] x20: ffff6a9101720370 x19: ffff6a9101720580 x18: 0000000000000020
+[ 1.436743] x17: 0000000000000000 x16: 0000000000000004 x15: ffffffffffffffff
+[ 1.436751] x14: 0000000000000000 x13: 00000000fffffffd x12: ffffaf7b1b84b0bc
+[ 1.436760] x11: ffffaf7b1b720d10 x10: 000000000000000a x9 : ffff800010803a60
+[ 1.436769] x8 : 000000000000000a x7 : 000000000000000f x6 : 00000000fffff159
+[ 1.436778] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff
+[ 1.436787] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff6a9101718d80
+[ 1.436797] Call trace:
+[ 1.436800] sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436805] sdhci_set_ios+0xa0/0x7fc
+[ 1.436811] mmc_power_up.part.0+0xc4/0x164
+[ 1.436818] mmc_start_host+0xa0/0xb0
+[ 1.436824] mmc_add_host+0x60/0x90
+[ 1.436830] __sdhci_add_host+0x174/0x330
+[ 1.436836] sdhci_msm_probe+0x7c0/0x920
+[ 1.436842] platform_probe+0x68/0xe0
+[ 1.436850] really_probe.part.0+0x9c/0x31c
+[ 1.436857] __driver_probe_device+0x98/0x144
+[ 1.436863] driver_probe_device+0xc8/0x15c
+[ 1.436869] __device_attach_driver+0xb4/0x120
+[ 1.436875] bus_for_each_drv+0x78/0xd0
+[ 1.436881] __device_attach_async_helper+0xac/0xd0
+[ 1.436888] async_run_entry_fn+0x34/0x110
+[ 1.436895] process_one_work+0x1d0/0x354
+[ 1.436903] worker_thread+0x13c/0x470
+[ 1.436910] kthread+0x150/0x160
+[ 1.436915] ret_from_fork+0x10/0x20
+[ 1.436923] ---[ end trace fcfac44cb045c3a8 ]---
+
+Fix the issue by mapping MMC_VDD_35_36 (and MMC_VDD_34_35) to
+SDHCI_POWER_330 as well.
+
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211004024935.15326-1-shawn.guo@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1500,6 +1500,12 @@ void sdhci_set_power_noreg(struct sdhci_
+ break;
+ case MMC_VDD_32_33:
+ case MMC_VDD_33_34:
++ /*
++ * 3.4 ~ 3.6V are valid only for those platforms where it's
++ * known that the voltage range is supported by hardware.
++ */
++ case MMC_VDD_34_35:
++ case MMC_VDD_35_36:
+ pwr = SDHCI_POWER_330;
+ break;
+ default:
--- /dev/null
+From 8c8171929116cc23f74743d99251eedadf62341a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:56:08 +0200
+Subject: mmc: vub300: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8c8171929116cc23f74743d99251eedadf62341a upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Cc: stable@vger.kernel.org # 3.0
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025115608.5287-1-johan@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/vub300.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -579,7 +579,7 @@ static void check_vub300_port_status(str
+ GET_SYSTEM_PORT_STATUS,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->system_port_status,
+- sizeof(vub300->system_port_status), HZ);
++ sizeof(vub300->system_port_status), 1000);
+ if (sizeof(vub300->system_port_status) == retval)
+ new_system_port_status(vub300);
+ }
+@@ -1242,7 +1242,7 @@ static void __download_offload_pseudocod
+ SET_INTERRUPT_PSEUDOCODE,
+ USB_DIR_OUT | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0x0000, 0x0000,
+- xfer_buffer, xfer_length, HZ);
++ xfer_buffer, xfer_length, 1000);
+ kfree(xfer_buffer);
+ if (retval < 0) {
+ strncpy(vub300->vub_name,
+@@ -1289,7 +1289,7 @@ static void __download_offload_pseudocod
+ SET_TRANSFER_PSEUDOCODE,
+ USB_DIR_OUT | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0x0000, 0x0000,
+- xfer_buffer, xfer_length, HZ);
++ xfer_buffer, xfer_length, 1000);
+ kfree(xfer_buffer);
+ if (retval < 0) {
+ strncpy(vub300->vub_name,
+@@ -1994,7 +1994,7 @@ static void __set_clock_speed(struct vub
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_CLOCK_SPEED,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x00, 0x00, buf, buf_array_size, HZ);
++ 0x00, 0x00, buf, buf_array_size, 1000);
+ if (retval != 8) {
+ dev_err(&vub300->udev->dev, "SET_CLOCK_SPEED"
+ " %dkHz failed with retval=%d\n", kHzClock, retval);
+@@ -2016,14 +2016,14 @@ static void vub300_mmc_set_ios(struct mm
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_SD_POWER,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0000, 0x0000, NULL, 0, HZ);
++ 0x0000, 0x0000, NULL, 0, 1000);
+ /* must wait for the VUB300 u-proc to boot up */
+ msleep(600);
+ } else if ((ios->power_mode == MMC_POWER_UP) && !vub300->card_powered) {
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_SD_POWER,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0001, 0x0000, NULL, 0, HZ);
++ 0x0001, 0x0000, NULL, 0, 1000);
+ msleep(600);
+ vub300->card_powered = 1;
+ } else if (ios->power_mode == MMC_POWER_ON) {
+@@ -2285,14 +2285,14 @@ static int vub300_probe(struct usb_inter
+ GET_HC_INF0,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->hc_info,
+- sizeof(vub300->hc_info), HZ);
++ sizeof(vub300->hc_info), 1000);
+ if (retval < 0)
+ goto error5;
+ retval =
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_ROM_WAIT_STATES,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- firmware_rom_wait_states, 0x0000, NULL, 0, HZ);
++ firmware_rom_wait_states, 0x0000, NULL, 0, 1000);
+ if (retval < 0)
+ goto error5;
+ dev_info(&vub300->udev->dev,
+@@ -2307,7 +2307,7 @@ static int vub300_probe(struct usb_inter
+ GET_SYSTEM_PORT_STATUS,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->system_port_status,
+- sizeof(vub300->system_port_status), HZ);
++ sizeof(vub300->system_port_status), 1000);
+ if (retval < 0) {
+ goto error4;
+ } else if (sizeof(vub300->system_port_status) == retval) {
--- /dev/null
+From db6c3c064f5d55fa9969f33eafca3cdbefbb3541 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 26 Oct 2021 12:36:17 +0200
+Subject: net: lan78xx: fix division by zero in send path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in lan78xx_tx_bh() in case a malicious device has
+broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: stable@vger.kernel.org # 4.3
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3615,6 +3615,12 @@ static int lan78xx_probe(struct usb_inte
+
+ dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
+
++ /* Reject broken descriptors. */
++ if (dev->maxpacket == 0) {
++ ret = -ENODEV;
++ goto out4;
++ }
++
+ /* driver requires remote-wakeup capability during autosuspend. */
+ intf->needs_remote_wakeup = 1;
+
ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
nfc-port100-fix-using-errno-as-command-type-mask.patch
revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
+ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch
+mmc-vub300-fix-control-message-timeouts.patch
+mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch
+mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch
+mmc-sdhci-esdhc-imx-clear-the-buffer_read_ready-to-reset-standard-tuning-circuit.patch
+net-lan78xx-fix-division-by-zero-in-send-path.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
