From: Greg Kroah-Hartman Date: Wed, 12 May 2021 09:34:10 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.119~76 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1acbff16b4af0a23c57b27b8f584f64825f80ac0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch md-cluster-fix-use-after-free-issue-when-removing-rdev.patch md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch md-fix-missing-unused-status-line-of-proc-mdstat.patch md-md_open-returns-ebusy-when-entering-racing-area.patch md-split-mddev_find.patch mips-reinstate-platform-__div64_32-handler.patch rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch --- diff --git a/queue-5.4/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch b/queue-5.4/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch new file mode 100644 index 00000000000..d698d003dc4 --- /dev/null +++ b/queue-5.4/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch @@ -0,0 +1,33 @@ +From 010bfbe768f7ecc876ffba92db30432de4997e2a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 16 Apr 2021 09:42:14 +0200 +Subject: cfg80211: scan: drop entry from hidden_list on overflow + +From: Johannes Berg + +commit 010bfbe768f7ecc876ffba92db30432de4997e2a upstream. + +If we overflow the maximum number of BSS entries and free the +new entry, drop it from any hidden_list that it may have been +added to in the code above or in cfg80211_combine_bsses(). + +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/r/20210416094212.5de7d1676ad7.Ied283b0bc5f504845e7d6ab90626bdfa68bb3dc0@changeid +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1257,6 +1257,8 @@ cfg80211_bss_update(struct cfg80211_regi + + if (rdev->bss_entries >= bss_entries_limit && + !cfg80211_bss_expire_oldest(rdev)) { ++ if (!list_empty(&new->hidden_list)) ++ list_del(&new->hidden_list); + kfree(new); + goto drop; + } diff --git a/queue-5.4/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch b/queue-5.4/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch new file mode 100644 index 00000000000..a6fdd2ffd77 --- /dev/null +++ b/queue-5.4/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch @@ -0,0 +1,38 @@ +From 260a9ad9446723d4063ed802989758852809714d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 14 Apr 2021 11:29:55 +0300 +Subject: ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() + +From: Dan Carpenter + +commit 260a9ad9446723d4063ed802989758852809714d upstream. + +The "ext->key_len" is a u16 that comes from the user. If it's over +SCM_KEY_LEN (32) that could lead to memory corruption. + +Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Acked-by: Stanislav Yakovlev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YHaoA1i+8uT4ir4h@mwanda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c ++++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c +@@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libip + } + + if (ext->alg != IW_ENCODE_ALG_NONE) { +- memcpy(sec.keys[idx], ext->key, ext->key_len); +- sec.key_sizes[idx] = ext->key_len; ++ int key_len = clamp_val(ext->key_len, 0, SCM_KEY_LEN); ++ ++ memcpy(sec.keys[idx], ext->key, key_len); ++ sec.key_sizes[idx] = key_len; + sec.flags |= (1 << idx); + if (ext->alg == IW_ENCODE_ALG_WEP) { + sec.encode_alg[idx] = SEC_ALG_WEP; diff --git a/queue-5.4/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch b/queue-5.4/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch new file mode 100644 index 00000000000..6b1e3b33a41 --- /dev/null +++ b/queue-5.4/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch @@ -0,0 +1,115 @@ +From f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e Mon Sep 17 00:00:00 2001 +From: Heming Zhao +Date: Thu, 8 Apr 2021 15:44:15 +0800 +Subject: md-cluster: fix use-after-free issue when removing rdev + +From: Heming Zhao + +commit f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e upstream. + +md_kick_rdev_from_array will remove rdev, so we should +use rdev_for_each_safe to search list. + +How to trigger: + +env: Two nodes on kvm-qemu x86_64 VMs (2C2G with 2 iscsi luns). + +``` +node2=192.168.0.3 + +for i in {1..20}; do + echo ==== $i `date` ====; + + mdadm -Ss && ssh ${node2} "mdadm -Ss" + wipefs -a /dev/sda /dev/sdb + + mdadm -CR /dev/md0 -b clustered -e 1.2 -n 2 -l 1 /dev/sda \ + /dev/sdb --assume-clean + ssh ${node2} "mdadm -A /dev/md0 /dev/sda /dev/sdb" + mdadm --wait /dev/md0 + ssh ${node2} "mdadm --wait /dev/md0" + + mdadm --manage /dev/md0 --fail /dev/sda --remove /dev/sda + sleep 1 +done +``` + +Crash stack: + +``` +stack segment: 0000 [#1] SMP +... ... +RIP: 0010:md_check_recovery+0x1e8/0x570 [md_mod] +... ... +RSP: 0018:ffffb149807a7d68 EFLAGS: 00010207 +RAX: 0000000000000000 RBX: ffff9d494c180800 RCX: ffff9d490fc01e50 +RDX: fffff047c0ed8308 RSI: 0000000000000246 RDI: 0000000000000246 +RBP: 6b6b6b6b6b6b6b6b R08: ffff9d490fc01e40 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 +R13: ffff9d494c180818 R14: ffff9d493399ef38 R15: ffff9d4933a1d800 +FS: 0000000000000000(0000) GS:ffff9d494f700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe68cab9010 CR3: 000000004c6be001 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + raid1d+0x5c/0xd40 [raid1] + ? finish_task_switch+0x75/0x2a0 + ? lock_timer_base+0x67/0x80 + ? try_to_del_timer_sync+0x4d/0x80 + ? del_timer_sync+0x41/0x50 + ? schedule_timeout+0x254/0x2d0 + ? md_start_sync+0xe0/0xe0 [md_mod] + ? md_thread+0x127/0x160 [md_mod] + md_thread+0x127/0x160 [md_mod] + ? wait_woken+0x80/0x80 + kthread+0x10d/0x130 + ? kthread_park+0xa0/0xa0 + ret_from_fork+0x1f/0x40 +``` + +Fixes: dbb64f8635f5d ("md-cluster: Fix adding of new disk with new reload code") +Fixes: 659b254fa7392 ("md-cluster: remove a disk asynchronously from cluster environment") +Cc: stable@vger.kernel.org +Reviewed-by: Gang He +Signed-off-by: Heming Zhao +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -9049,11 +9049,11 @@ void md_check_recovery(struct mddev *mdd + } + + if (mddev_is_clustered(mddev)) { +- struct md_rdev *rdev; ++ struct md_rdev *rdev, *tmp; + /* kick the device if another node issued a + * remove disk. + */ +- rdev_for_each(rdev, mddev) { ++ rdev_for_each_safe(rdev, tmp, mddev) { + if (test_and_clear_bit(ClusterRemove, &rdev->flags) && + rdev->raid_disk < 0) + md_kick_rdev_from_array(rdev); +@@ -9366,7 +9366,7 @@ err_wq: + static void check_sb_changes(struct mddev *mddev, struct md_rdev *rdev) + { + struct mdp_superblock_1 *sb = page_address(rdev->sb_page); +- struct md_rdev *rdev2; ++ struct md_rdev *rdev2, *tmp; + int role, ret; + char b[BDEVNAME_SIZE]; + +@@ -9383,7 +9383,7 @@ static void check_sb_changes(struct mdde + } + + /* Check for change of roles in the active devices */ +- rdev_for_each(rdev2, mddev) { ++ rdev_for_each_safe(rdev2, tmp, mddev) { + if (test_bit(Faulty, &rdev2->flags)) + continue; + diff --git a/queue-5.4/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch b/queue-5.4/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch new file mode 100644 index 00000000000..1a8dfc3ff99 --- /dev/null +++ b/queue-5.4/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch @@ -0,0 +1,76 @@ +From 8b57251f9a91f5e5a599de7549915d2d226cc3af Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sat, 3 Apr 2021 18:15:28 +0200 +Subject: md: factor out a mddev_find_locked helper from mddev_find + +From: Christoph Hellwig + +commit 8b57251f9a91f5e5a599de7549915d2d226cc3af upstream. + +Factor out a self-contained helper to just lookup a mddev by the dev_t +"unit". + +Cc: stable@vger.kernel.org +Reviewed-by: Heming Zhao +Signed-off-by: Christoph Hellwig +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -647,6 +647,17 @@ void mddev_init(struct mddev *mddev) + } + EXPORT_SYMBOL_GPL(mddev_init); + ++static struct mddev *mddev_find_locked(dev_t unit) ++{ ++ struct mddev *mddev; ++ ++ list_for_each_entry(mddev, &all_mddevs, all_mddevs) ++ if (mddev->unit == unit) ++ return mddev; ++ ++ return NULL; ++} ++ + static struct mddev *mddev_find(dev_t unit) + { + struct mddev *mddev; +@@ -674,13 +685,13 @@ static struct mddev *mddev_find_or_alloc + spin_lock(&all_mddevs_lock); + + if (unit) { +- list_for_each_entry(mddev, &all_mddevs, all_mddevs) +- if (mddev->unit == unit) { +- mddev_get(mddev); +- spin_unlock(&all_mddevs_lock); +- kfree(new); +- return mddev; +- } ++ mddev = mddev_find_locked(unit); ++ if (mddev) { ++ mddev_get(mddev); ++ spin_unlock(&all_mddevs_lock); ++ kfree(new); ++ return mddev; ++ } + + if (new) { + list_add(&new->all_mddevs, &all_mddevs); +@@ -706,12 +717,7 @@ static struct mddev *mddev_find_or_alloc + return NULL; + } + +- is_free = 1; +- list_for_each_entry(mddev, &all_mddevs, all_mddevs) +- if (mddev->unit == dev) { +- is_free = 0; +- break; +- } ++ is_free = !mddev_find_locked(dev); + } + new->unit = dev; + new->md_minor = MINOR(dev); diff --git a/queue-5.4/md-fix-missing-unused-status-line-of-proc-mdstat.patch b/queue-5.4/md-fix-missing-unused-status-line-of-proc-mdstat.patch new file mode 100644 index 00000000000..823c4bc6b54 --- /dev/null +++ b/queue-5.4/md-fix-missing-unused-status-line-of-proc-mdstat.patch @@ -0,0 +1,43 @@ +From 7abfabaf5f805f5171d133ce6af9b65ab766e76a Mon Sep 17 00:00:00 2001 +From: Jan Glauber +Date: Wed, 17 Mar 2021 15:04:39 +0100 +Subject: md: Fix missing unused status line of /proc/mdstat + +From: Jan Glauber + +commit 7abfabaf5f805f5171d133ce6af9b65ab766e76a upstream. + +Reading /proc/mdstat with a read buffer size that would not +fit the unused status line in the first read will skip this +line from the output. + +So 'dd if=/proc/mdstat bs=64 2>/dev/null' will not print something +like: unused devices: + +Don't return NULL immediately in start() for v=2 but call +show() once to print the status line also for multiple reads. + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: Jan Glauber +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7971,7 +7971,11 @@ static void *md_seq_start(struct seq_fil + loff_t l = *pos; + struct mddev *mddev; + +- if (l >= 0x10000) ++ if (l == 0x10000) { ++ ++*pos; ++ return (void *)2; ++ } ++ if (l > 0x10000) + return NULL; + if (!l--) + /* header */ diff --git a/queue-5.4/md-md_open-returns-ebusy-when-entering-racing-area.patch b/queue-5.4/md-md_open-returns-ebusy-when-entering-racing-area.patch new file mode 100644 index 00000000000..fe3f67f84c2 --- /dev/null +++ b/queue-5.4/md-md_open-returns-ebusy-when-entering-racing-area.patch @@ -0,0 +1,41 @@ +From 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Sat, 3 Apr 2021 11:01:25 +0800 +Subject: md: md_open returns -EBUSY when entering racing area + +From: Zhao Heming + +commit 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 upstream. + +commit d3374825ce57 ("md: make devices disappear when they are no longer +needed.") introduced protection between mddev creating & removing. The +md_open shouldn't create mddev when all_mddevs list doesn't contain +mddev. With currently code logic, there will be very easy to trigger +soft lockup in non-preempt env. + +This patch changes md_open returning from -ERESTARTSYS to -EBUSY, which +will break the infinitely retry when md_open enter racing area. + +This patch is partly fix soft lockup issue, full fix needs mddev_find +is split into two functions: mddev_find & mddev_find_or_alloc. And +md_open should call new mddev_find (it only does searching job). + +For more detail, please refer with Christoph's "split mddev_find" patch +in later commits. + +--- + drivers/md/md.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7638,8 +7638,7 @@ static int md_open(struct block_device * + /* Wait until bdev->bd_disk is definitely gone */ + if (work_pending(&mddev->del_work)) + flush_workqueue(md_misc_wq); +- /* Then retry the open from the top */ +- return -ERESTARTSYS; ++ return -EBUSY; + } + BUG_ON(mddev != bdev->bd_disk->private_data); + diff --git a/queue-5.4/md-split-mddev_find.patch b/queue-5.4/md-split-mddev_find.patch new file mode 100644 index 00000000000..a2a0d30e510 --- /dev/null +++ b/queue-5.4/md-split-mddev_find.patch @@ -0,0 +1,74 @@ +From 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sat, 3 Apr 2021 18:15:29 +0200 +Subject: md: split mddev_find + +From: Christoph Hellwig + +commit 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e upstream. + +Split mddev_find into a simple mddev_find that just finds an existing +mddev by the unit number, and a more complicated mddev_find that deals +with find or allocating a mddev. + +This turns out to fix this bug reported by Zhao Heming. + +----------------------------- snip ------------------------------ +commit d3374825ce57 ("md: make devices disappear when they are no longer +needed.") introduced protection between mddev creating & removing. The +md_open shouldn't create mddev when all_mddevs list doesn't contain +mddev. With currently code logic, there will be very easy to trigger +soft lockup in non-preempt env. + +--- + drivers/md/md.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -649,6 +649,22 @@ EXPORT_SYMBOL_GPL(mddev_init); + + static struct mddev *mddev_find(dev_t unit) + { ++ struct mddev *mddev; ++ ++ if (MAJOR(unit) != MD_MAJOR) ++ unit &= ~((1 << MdpMinorShift) - 1); ++ ++ spin_lock(&all_mddevs_lock); ++ mddev = mddev_find_locked(unit); ++ if (mddev) ++ mddev_get(mddev); ++ spin_unlock(&all_mddevs_lock); ++ ++ return mddev; ++} ++ ++static struct mddev *mddev_find_or_alloc(dev_t unit) ++{ + struct mddev *mddev, *new = NULL; + + if (unit && MAJOR(unit) != MD_MAJOR) +@@ -5436,7 +5452,7 @@ static int md_alloc(dev_t dev, char *nam + * writing to /sys/module/md_mod/parameters/new_array. + */ + static DEFINE_MUTEX(disks_mutex); +- struct mddev *mddev = mddev_find(dev); ++ struct mddev *mddev = mddev_find_or_alloc(dev); + struct gendisk *disk; + int partitioned; + int shift; +@@ -6312,11 +6328,9 @@ static void autorun_devices(int part) + + md_probe(dev, NULL, NULL); + mddev = mddev_find(dev); +- if (!mddev || !mddev->gendisk) { +- if (mddev) +- mddev_put(mddev); ++ if (!mddev) + break; +- } ++ + if (mddev_lock(mddev)) + pr_warn("md: %s locked, cannot run\n", mdname(mddev)); + else if (mddev->raid_disks || mddev->major_version diff --git a/queue-5.4/mips-reinstate-platform-__div64_32-handler.patch b/queue-5.4/mips-reinstate-platform-__div64_32-handler.patch new file mode 100644 index 00000000000..3a0267d6f28 --- /dev/null +++ b/queue-5.4/mips-reinstate-platform-__div64_32-handler.patch @@ -0,0 +1,161 @@ +From c49f71f60754acbff37505e1d16ca796bf8a8140 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 20 Apr 2021 04:50:40 +0200 +Subject: MIPS: Reinstate platform `__div64_32' handler + +From: Maciej W. Rozycki + +commit c49f71f60754acbff37505e1d16ca796bf8a8140 upstream. + +Our current MIPS platform `__div64_32' handler is inactive, because it +is incorrectly only enabled for 64-bit configurations, for which generic +`do_div' code does not call it anyway. + +The handler is not suitable for being called from there though as it +only calculates 32 bits of the quotient under the assumption the 64-bit +divident has been suitably reduced. Code for such reduction used to be +there, however it has been incorrectly removed with commit c21004cd5b4c +("MIPS: Rewrite to work with gcc 4.4.0."), which should +have only updated an obsoleted constraint for an inline asm involving +$hi and $lo register outputs, while possibly wiring the original MIPS +variant of the `do_div' macro as `__div64_32' handler for the generic +`do_div' implementation + +Correct the handler as follows then: + +- Revert most of the commit referred, however retaining the current + formatting, except for the final two instructions of the inline asm + sequence, which the original commit missed. Omit the original 64-bit + parts though. + +- Rename the original `do_div' macro to `__div64_32'. Use the combined + `x' constraint referring to the MD accumulator as a whole, replacing + the original individual `h' and `l' constraints used for $hi and $lo + registers respectively, of which `h' has been obsoleted with GCC 4.4. + Update surrounding code accordingly. + + We have since removed support for GCC versions before 4.9, so no need + for a special arrangement here; GCC has supported the `x' constraint + since forever anyway, or at least going back to 1991. + +- Rename the `__base' local variable in `__div64_32' to `__radix' to + avoid a conflict with a local variable in `do_div'. + +- Actually enable this code for 32-bit rather than 64-bit configurations + by qualifying it with BITS_PER_LONG being 32 instead of 64. Include + for this macro rather than as we + don't need anything else. + +- Finally include last rather than first. + +This has passed correctness verification with test_div64 and reduced the +module's average execution time down to 1.0668s and 0.2629s from 2.1529s +and 0.5647s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz. +For a reference 64-bit `do_div' code where we have the DDIVU instruction +available to do the whole calculation right away averages at 0.0660s for +the latter CPU. + +Fixes: c21004cd5b4c ("MIPS: Rewrite to work with gcc 4.4.0.") +Reported-by: Huacai Chen +Signed-off-by: Maciej W. Rozycki +Cc: stable@vger.kernel.org # v2.6.30+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/div64.h | 57 ++++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/arch/mips/include/asm/div64.h ++++ b/arch/mips/include/asm/div64.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2000, 2004 Maciej W. Rozycki ++ * Copyright (C) 2000, 2004, 2021 Maciej W. Rozycki + * Copyright (C) 2003, 07 Ralf Baechle (ralf@linux-mips.org) + * + * This file is subject to the terms and conditions of the GNU General Public +@@ -9,25 +9,18 @@ + #ifndef __ASM_DIV64_H + #define __ASM_DIV64_H + +-#include +- +-#if BITS_PER_LONG == 64 ++#include + +-#include ++#if BITS_PER_LONG == 32 + + /* + * No traps on overflows for any of these... + */ + +-#define __div64_32(n, base) \ +-({ \ ++#define do_div64_32(res, high, low, base) ({ \ + unsigned long __cf, __tmp, __tmp2, __i; \ + unsigned long __quot32, __mod32; \ +- unsigned long __high, __low; \ +- unsigned long long __n; \ + \ +- __high = *__n >> 32; \ +- __low = __n; \ + __asm__( \ + " .set push \n" \ + " .set noat \n" \ +@@ -51,18 +44,50 @@ + " subu %0, %0, %z6 \n" \ + " addiu %2, %2, 1 \n" \ + "3: \n" \ +- " bnez %4, 0b\n\t" \ +- " srl %5, %1, 0x1f\n\t" \ ++ " bnez %4, 0b \n" \ ++ " srl %5, %1, 0x1f \n" \ + " .set pop" \ + : "=&r" (__mod32), "=&r" (__tmp), \ + "=&r" (__quot32), "=&r" (__cf), \ + "=&r" (__i), "=&r" (__tmp2) \ +- : "Jr" (base), "0" (__high), "1" (__low)); \ ++ : "Jr" (base), "0" (high), "1" (low)); \ + \ +- (__n) = __quot32; \ ++ (res) = __quot32; \ + __mod32; \ + }) + +-#endif /* BITS_PER_LONG == 64 */ ++#define __div64_32(n, base) ({ \ ++ unsigned long __upper, __low, __high, __radix; \ ++ unsigned long long __modquot; \ ++ unsigned long long __quot; \ ++ unsigned long long __div; \ ++ unsigned long __mod; \ ++ \ ++ __div = (*n); \ ++ __radix = (base); \ ++ \ ++ __high = __div >> 32; \ ++ __low = __div; \ ++ __upper = __high; \ ++ \ ++ if (__high) { \ ++ __asm__("divu $0, %z1, %z2" \ ++ : "=x" (__modquot) \ ++ : "Jr" (__high), "Jr" (__radix)); \ ++ __upper = __modquot >> 32; \ ++ __high = __modquot; \ ++ } \ ++ \ ++ __mod = do_div64_32(__low, __upper, __low, __radix); \ ++ \ ++ __quot = __high; \ ++ __quot = __quot << 32 | __low; \ ++ (*n) = __quot; \ ++ __mod; \ ++}) ++ ++#endif /* BITS_PER_LONG == 32 */ ++ ++#include + + #endif /* __ASM_DIV64_H */ diff --git a/queue-5.4/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch b/queue-5.4/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch new file mode 100644 index 00000000000..d5aa1d3c063 --- /dev/null +++ b/queue-5.4/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch @@ -0,0 +1,108 @@ +From 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Thu, 1 Apr 2021 14:27:17 -0500 +Subject: rtw88: Fix array overrun in rtw_get_tx_power_params() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ping-Ke Shih + +commit 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e upstream. + +Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the +following array overrun is logged: + +================================================================================ +UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34 +index 5 is out of range for type 'u8 [5]' +CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651 +Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 +Workqueue: phy0 ieee80211_scan_work [mac80211] +Call Trace: + dump_stack+0x64/0x7c + ubsan_epilogue+0x5/0x40 + __ubsan_handle_out_of_bounds.cold+0x43/0x48 + rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core] + ? rtw_pci_read16+0x20/0x20 [rtw_pci] + ? check_hw_ready+0x50/0x90 [rtw_core] + rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core] + rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core] + rtw_set_channel+0xab/0x110 [rtw_core] + rtw_ops_config+0x87/0xc0 [rtw_core] + ieee80211_hw_config+0x9d/0x130 [mac80211] + ieee80211_scan_state_set_channel+0x81/0x170 [mac80211] + ieee80211_scan_work+0x19f/0x2a0 [mac80211] + process_one_work+0x1dd/0x3a0 + worker_thread+0x49/0x330 + ? rescuer_thread+0x3a0/0x3a0 + kthread+0x134/0x150 + ? kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x22/0x30 +================================================================================ + +The statement where an array is being overrun is shown in the following snippet: + + if (rate <= DESC_RATE11M) + tx_power = pwr_idx_2g->cck_base[group]; + else +====> tx_power = pwr_idx_2g->bw40_base[group]; + +The associated arrays are defined in main.h as follows: + +struct rtw_2g_txpwr_idx { + u8 cck_base[6]; + u8 bw40_base[5]; + struct rtw_2g_1s_pwr_idx_diff ht_1s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_2s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_3s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_4s_diff; +}; + +The problem arises because the value of group is 5 for channel 14. The trivial +increase in the dimension of bw40_base fails as this struct must match the layout of +efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set +the group for channel 14 to 4 if rate <= DESC_RATE11M. + +This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") + +Fixes: fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") +Reported-by: Богдан Пилипенко +Signed-off-by: Larry Finger +Signed-off-by: Ping-Ke Shih +Cc: Stable +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210401192717.28927-1-Larry.Finger@lwfinger.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/phy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -1451,7 +1451,7 @@ void rtw_phy_load_tables(struct rtw_dev + } + } + +-static u8 rtw_get_channel_group(u8 channel) ++static u8 rtw_get_channel_group(u8 channel, u8 rate) + { + switch (channel) { + default: +@@ -1495,6 +1495,7 @@ static u8 rtw_get_channel_group(u8 chann + case 106: + return 4; + case 14: ++ return rate <= DESC_RATE11M ? 5 : 4; + case 108: + case 110: + case 112: +@@ -1744,7 +1745,7 @@ void rtw_get_tx_power_params(struct rtw_ + s8 *limit = &pwr_param->pwr_limit; + + pwr_idx = &rtwdev->efuse.txpwr_idx_table[path]; +- group = rtw_get_channel_group(ch); ++ group = rtw_get_channel_group(ch, rate); + + /* base power index for 2.4G/5G */ + if (ch <= 14) { diff --git a/queue-5.4/series b/queue-5.4/series index 4ec6e4440e0..d593c269afe 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -27,3 +27,12 @@ misc-lis3lv02d-fix-false-positive-warn-on-various-hp-models.patch misc-vmw_vmci-explicitly-initialize-vmci_notify_bm_set_msg-struct.patch misc-vmw_vmci-explicitly-initialize-vmci_datagram-payload.patch md-bitmap-wait-for-external-bitmap-writes-to-complete-during-tear-down.patch +md-cluster-fix-use-after-free-issue-when-removing-rdev.patch +md-split-mddev_find.patch +md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch +md-md_open-returns-ebusy-when-entering-racing-area.patch +md-fix-missing-unused-status-line-of-proc-mdstat.patch +mips-reinstate-platform-__div64_32-handler.patch +ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch +cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch +rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch