From: Greg Kroah-Hartman Date: Wed, 12 May 2021 09:35:00 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.119~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c324b1da74fd705a4e96d3817a42f53bfa48d150;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch md-cluster-fix-use-after-free-issue-when-removing-rdev.patch md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch md-fix-missing-unused-status-line-of-proc-mdstat.patch md-md_open-returns-ebusy-when-entering-racing-area.patch md-split-mddev_find.patch mips-generic-update-node-names-to-avoid-unit-addresses.patch mips-reinstate-platform-__div64_32-handler.patch mt76-fix-potential-dma-mapping-leak.patch mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch net-xilinx-drivers-need-depend-on-has_iomem.patch rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch --- diff --git a/queue-5.12/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch b/queue-5.12/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch new file mode 100644 index 00000000000..e8919c9eee8 --- /dev/null +++ b/queue-5.12/cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch 
@@ -0,0 +1,33 @@ +From 010bfbe768f7ecc876ffba92db30432de4997e2a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 16 Apr 2021 09:42:14 +0200 +Subject: cfg80211: scan: drop entry from hidden_list on overflow + +From: Johannes Berg + +commit 010bfbe768f7ecc876ffba92db30432de4997e2a upstream. + +If we overflow the maximum number of BSS entries and free the +new entry, drop it from any hidden_list that it may have been +added to in the code above or in cfg80211_combine_bsses(). + +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/r/20210416094212.5de7d1676ad7.Ied283b0bc5f504845e7d6ab90626bdfa68bb3dc0@changeid +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1751,6 +1751,8 @@ cfg80211_bss_update(struct cfg80211_regi + + if (rdev->bss_entries >= bss_entries_limit && + !cfg80211_bss_expire_oldest(rdev)) { ++ if (!list_empty(&new->hidden_list)) ++ list_del(&new->hidden_list); + kfree(new); + goto drop; + } diff --git a/queue-5.12/fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch b/queue-5.12/fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch new file mode 100644 index 00000000000..4511e4e6b83 --- /dev/null +++ b/queue-5.12/fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch 
@@ -0,0 +1,76 @@ +From 193ced4a79599352d63cb8c9e2f0c6043106eb6a Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 10 Mar 2021 13:03:14 +0100 +Subject: FDDI: defxx: Make MMIO the configuration default except for EISA + +From: Maciej W. Rozycki + +commit 193ced4a79599352d63cb8c9e2f0c6043106eb6a upstream. + +Recent versions of the PCI Express specification have deprecated support +for I/O transactions and actually some PCIe host bridges, such as Power +Systems Host Bridge 4 (PHB4), do not implement them. + +The default kernel configuration choice for the defxx driver is the use +of I/O ports rather than MMIO for PCI and EISA systems. It may have +made sense as a conservative backwards compatible choice back when MMIO +operation support was added to the driver as a part of TURBOchannel bus +support. However nowadays this configuration choice makes the driver +unusable with systems that do not implement I/O transactions for PCIe. + +Make DEFXX_MMIO the configuration default then, except where configured +for EISA. This exception is because an EISA adapter can have its MMIO +decoding disabled with ECU (EISA Configuration Utility) and therefore +not available with the resource allocation infrastructure we implement, +while port I/O is always readily available as it uses slot-specific +addressing, directly mapped to the slot an option card has been placed +in and handled with our EISA bus support core. Conversely a kernel that +supports modern systems which may not have I/O transactions implemented +for PCIe will usually not be expected to handle legacy EISA systems. + +The change of the default will make it easier for people, including but +not limited to distribution packagers, to make a working choice for the +driver. + +Update the option description accordingly and while at it replace the +potentially ambiguous PIO acronym with IOP for "port I/O" vs "I/O ports" +according to our nomenclature used elsewhere. + +Signed-off-by: Maciej W. 
Rozycki +Fixes: e89a2cfb7d7b ("[TC] defxx: TURBOchannel support") +Cc: stable@vger.kernel.org # v2.6.21+ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/fddi/Kconfig | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/net/fddi/Kconfig ++++ b/drivers/net/fddi/Kconfig +@@ -40,17 +40,20 @@ config DEFXX + + config DEFXX_MMIO + bool +- prompt "Use MMIO instead of PIO" if PCI || EISA ++ prompt "Use MMIO instead of IOP" if PCI || EISA + depends on DEFXX +- default n if PCI || EISA ++ default n if EISA + default y + help + This instructs the driver to use EISA or PCI memory-mapped I/O +- (MMIO) as appropriate instead of programmed I/O ports (PIO). ++ (MMIO) as appropriate instead of programmed I/O ports (IOP). + Enabling this gives an improvement in processing time in parts +- of the driver, but it may cause problems with EISA (DEFEA) +- adapters. TURBOchannel does not have the concept of I/O ports, +- so MMIO is always used for these (DEFTA) adapters. ++ of the driver, but it requires a memory window to be configured ++ for EISA (DEFEA) adapters that may not always be available. ++ Conversely some PCIe host bridges do not support IOP, so MMIO ++ may be required to access PCI (DEFPA) adapters on downstream PCI ++ buses with some systems. TURBOchannel does not have the concept ++ of I/O ports, so MMIO is always used for these (DEFTA) adapters. + + If unsure, say N. + diff --git a/queue-5.12/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch b/queue-5.12/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch new file mode 100644 index 00000000000..a6fdd2ffd77 --- /dev/null +++ b/queue-5.12/ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch 
@@ -0,0 +1,38 @@ +From 260a9ad9446723d4063ed802989758852809714d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 14 Apr 2021 11:29:55 +0300 +Subject: ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() + +From: Dan Carpenter + +commit 260a9ad9446723d4063ed802989758852809714d upstream. + +The "ext->key_len" is a u16 that comes from the user. If it's over +SCM_KEY_LEN (32) that could lead to memory corruption. + +Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Acked-by: Stanislav Yakovlev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YHaoA1i+8uT4ir4h@mwanda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c ++++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c +@@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libip + } + + if (ext->alg != IW_ENCODE_ALG_NONE) { +- memcpy(sec.keys[idx], ext->key, ext->key_len); +- sec.key_sizes[idx] = ext->key_len; ++ int key_len = clamp_val(ext->key_len, 0, SCM_KEY_LEN); ++ ++ memcpy(sec.keys[idx], ext->key, key_len); ++ sec.key_sizes[idx] = key_len; + sec.flags |= (1 << idx); + if (ext->alg == IW_ENCODE_ALG_WEP) { + sec.encode_alg[idx] = SEC_ALG_WEP; diff --git a/queue-5.12/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch b/queue-5.12/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch new file mode 100644 index 00000000000..43652b01be5 --- /dev/null +++ b/queue-5.12/md-cluster-fix-use-after-free-issue-when-removing-rdev.patch 
@@ -0,0 +1,115 @@ +From f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e Mon Sep 17 00:00:00 2001 +From: Heming Zhao +Date: Thu, 8 Apr 2021 15:44:15 +0800 +Subject: md-cluster: fix use-after-free issue when removing rdev + +From: Heming Zhao + +commit f7c7a2f9a23e5b6e0f5251f29648d0238bb7757e upstream. + +md_kick_rdev_from_array will remove rdev, so we should +use rdev_for_each_safe to search list. + +How to trigger: + +env: Two nodes on kvm-qemu x86_64 VMs (2C2G with 2 iscsi luns). + +``` +node2=192.168.0.3 + +for i in {1..20}; do + echo ==== $i `date` ====; + + mdadm -Ss && ssh ${node2} "mdadm -Ss" + wipefs -a /dev/sda /dev/sdb + + mdadm -CR /dev/md0 -b clustered -e 1.2 -n 2 -l 1 /dev/sda \ + /dev/sdb --assume-clean + ssh ${node2} "mdadm -A /dev/md0 /dev/sda /dev/sdb" + mdadm --wait /dev/md0 + ssh ${node2} "mdadm --wait /dev/md0" + + mdadm --manage /dev/md0 --fail /dev/sda --remove /dev/sda + sleep 1 +done +``` + +Crash stack: + +``` +stack segment: 0000 [#1] SMP +... ... +RIP: 0010:md_check_recovery+0x1e8/0x570 [md_mod] +... ... +RSP: 0018:ffffb149807a7d68 EFLAGS: 00010207 +RAX: 0000000000000000 RBX: ffff9d494c180800 RCX: ffff9d490fc01e50 +RDX: fffff047c0ed8308 RSI: 0000000000000246 RDI: 0000000000000246 +RBP: 6b6b6b6b6b6b6b6b R08: ffff9d490fc01e40 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 +R13: ffff9d494c180818 R14: ffff9d493399ef38 R15: ffff9d4933a1d800 +FS: 0000000000000000(0000) GS:ffff9d494f700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe68cab9010 CR3: 000000004c6be001 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + raid1d+0x5c/0xd40 [raid1] + ? finish_task_switch+0x75/0x2a0 + ? lock_timer_base+0x67/0x80 + ? try_to_del_timer_sync+0x4d/0x80 + ? del_timer_sync+0x41/0x50 + ? schedule_timeout+0x254/0x2d0 + ? md_start_sync+0xe0/0xe0 [md_mod] + ? 
md_thread+0x127/0x160 [md_mod] + md_thread+0x127/0x160 [md_mod] + ? wait_woken+0x80/0x80 + kthread+0x10d/0x130 + ? kthread_park+0xa0/0xa0 + ret_from_fork+0x1f/0x40 +``` + +Fixes: dbb64f8635f5d ("md-cluster: Fix adding of new disk with new reload code") +Fixes: 659b254fa7392 ("md-cluster: remove a disk asynchronously from cluster environment") +Cc: stable@vger.kernel.org +Reviewed-by: Gang He +Signed-off-by: Heming Zhao +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -9251,11 +9251,11 @@ void md_check_recovery(struct mddev *mdd + } + + if (mddev_is_clustered(mddev)) { +- struct md_rdev *rdev; ++ struct md_rdev *rdev, *tmp; + /* kick the device if another node issued a + * remove disk. + */ +- rdev_for_each(rdev, mddev) { ++ rdev_for_each_safe(rdev, tmp, mddev) { + if (test_and_clear_bit(ClusterRemove, &rdev->flags) && + rdev->raid_disk < 0) + md_kick_rdev_from_array(rdev); +@@ -9569,7 +9569,7 @@ err_wq: + static void check_sb_changes(struct mddev *mddev, struct md_rdev *rdev) + { + struct mdp_superblock_1 *sb = page_address(rdev->sb_page); +- struct md_rdev *rdev2; ++ struct md_rdev *rdev2, *tmp; + int role, ret; + char b[BDEVNAME_SIZE]; + +@@ -9586,7 +9586,7 @@ static void check_sb_changes(struct mdde + } + + /* Check for change of roles in the active devices */ +- rdev_for_each(rdev2, mddev) { ++ rdev_for_each_safe(rdev2, tmp, mddev) { + if (test_bit(Faulty, &rdev2->flags)) + continue; + diff --git a/queue-5.12/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch b/queue-5.12/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch new file mode 100644 index 00000000000..93bab8cede7 --- /dev/null +++ b/queue-5.12/md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch 
@@ -0,0 +1,76 @@ +From 8b57251f9a91f5e5a599de7549915d2d226cc3af Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sat, 3 Apr 2021 18:15:28 +0200 +Subject: md: factor out a mddev_find_locked helper from mddev_find + +From: Christoph Hellwig + +commit 8b57251f9a91f5e5a599de7549915d2d226cc3af upstream. + +Factor out a self-contained helper to just lookup a mddev by the dev_t +"unit". + +Cc: stable@vger.kernel.org +Reviewed-by: Heming Zhao +Signed-off-by: Christoph Hellwig +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -734,6 +734,17 @@ void mddev_init(struct mddev *mddev) + } + EXPORT_SYMBOL_GPL(mddev_init); + ++static struct mddev *mddev_find_locked(dev_t unit) ++{ ++ struct mddev *mddev; ++ ++ list_for_each_entry(mddev, &all_mddevs, all_mddevs) ++ if (mddev->unit == unit) ++ return mddev; ++ ++ return NULL; ++} ++ + static struct mddev *mddev_find(dev_t unit) + { + struct mddev *mddev; +@@ -761,13 +772,13 @@ static struct mddev *mddev_find_or_alloc + spin_lock(&all_mddevs_lock); + + if (unit) { +- list_for_each_entry(mddev, &all_mddevs, all_mddevs) +- if (mddev->unit == unit) { +- mddev_get(mddev); +- spin_unlock(&all_mddevs_lock); +- kfree(new); +- return mddev; +- } ++ mddev = mddev_find_locked(unit); ++ if (mddev) { ++ mddev_get(mddev); ++ spin_unlock(&all_mddevs_lock); ++ kfree(new); ++ return mddev; ++ } + + if (new) { + list_add(&new->all_mddevs, &all_mddevs); +@@ -793,12 +804,7 @@ static struct mddev *mddev_find_or_alloc + return NULL; + } + +- is_free = 1; +- list_for_each_entry(mddev, &all_mddevs, all_mddevs) +- if (mddev->unit == dev) { +- is_free = 0; +- break; +- } ++ is_free = !mddev_find_locked(dev); + } + new->unit = dev; + new->md_minor = MINOR(dev); 
diff --git a/queue-5.12/md-fix-missing-unused-status-line-of-proc-mdstat.patch b/queue-5.12/md-fix-missing-unused-status-line-of-proc-mdstat.patch new file mode 100644 index 00000000000..61c3a1378d6 --- /dev/null +++ b/queue-5.12/md-fix-missing-unused-status-line-of-proc-mdstat.patch @@ -0,0 +1,43 @@ +From 7abfabaf5f805f5171d133ce6af9b65ab766e76a Mon Sep 17 00:00:00 2001 +From: Jan Glauber +Date: Wed, 17 Mar 2021 15:04:39 +0100 +Subject: md: Fix missing unused status line of /proc/mdstat + +From: Jan Glauber + +commit 7abfabaf5f805f5171d133ce6af9b65ab766e76a upstream. + +Reading /proc/mdstat with a read buffer size that would not +fit the unused status line in the first read will skip this +line from the output. + +So 'dd if=/proc/mdstat bs=64 2>/dev/null' will not print something +like: unused devices: + +Don't return NULL immediately in start() for v=2 but call +show() once to print the status line also for multiple reads. + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: Jan Glauber +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8172,7 +8172,11 @@ static void *md_seq_start(struct seq_fil + loff_t l = *pos; + struct mddev *mddev; + +- if (l >= 0x10000) ++ if (l == 0x10000) { ++ ++*pos; ++ return (void *)2; ++ } ++ if (l > 0x10000) + return NULL; + if (!l--) + /* header */ diff --git a/queue-5.12/md-md_open-returns-ebusy-when-entering-racing-area.patch b/queue-5.12/md-md_open-returns-ebusy-when-entering-racing-area.patch new file mode 100644 index 00000000000..0de59842de4 --- /dev/null +++ b/queue-5.12/md-md_open-returns-ebusy-when-entering-racing-area.patch 
@@ -0,0 +1,41 @@ +From 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Sat, 3 Apr 2021 11:01:25 +0800 +Subject: md: md_open returns -EBUSY when entering racing area + +From: Zhao Heming + +commit 6a4db2a60306eb65bfb14ccc9fde035b74a4b4e7 upstream. + +commit d3374825ce57 ("md: make devices disappear when they are no longer +needed.") introduced protection between mddev creating & removing. The +md_open shouldn't create mddev when all_mddevs list doesn't contain +mddev. With currently code logic, there will be very easy to trigger +soft lockup in non-preempt env. + +This patch changes md_open returning from -ERESTARTSYS to -EBUSY, which +will break the infinitely retry when md_open enter racing area. + +This patch is partly fix soft lockup issue, full fix needs mddev_find +is split into two functions: mddev_find & mddev_find_or_alloc. And +md_open should call new mddev_find (it only does searching job). + +For more detail, please refer with Christoph's "split mddev_find" patch +in later commits. + +--- + drivers/md/md.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7841,8 +7841,7 @@ static int md_open(struct block_device * + /* Wait until bdev->bd_disk is definitely gone */ + if (work_pending(&mddev->del_work)) + flush_workqueue(md_misc_wq); +- /* Then retry the open from the top */ +- return -ERESTARTSYS; ++ return -EBUSY; + } + BUG_ON(mddev != bdev->bd_disk->private_data); + diff --git a/queue-5.12/md-split-mddev_find.patch b/queue-5.12/md-split-mddev_find.patch new file mode 100644 index 00000000000..16c1354701a --- /dev/null +++ b/queue-5.12/md-split-mddev_find.patch 
@@ -0,0 +1,74 @@ +From 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sat, 3 Apr 2021 18:15:29 +0200 +Subject: md: split mddev_find + +From: Christoph Hellwig + +commit 65aa97c4d2bfd76677c211b9d03ef05a98c6d68e upstream. + +Split mddev_find into a simple mddev_find that just finds an existing +mddev by the unit number, and a more complicated mddev_find that deals +with find or allocating a mddev. + +This turns out to fix this bug reported by Zhao Heming. + +----------------------------- snip ------------------------------ +commit d3374825ce57 ("md: make devices disappear when they are no longer +needed.") introduced protection between mddev creating & removing. The +md_open shouldn't create mddev when all_mddevs list doesn't contain +mddev. With currently code logic, there will be very easy to trigger +soft lockup in non-preempt env. + +--- + drivers/md/md.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -736,6 +736,22 @@ EXPORT_SYMBOL_GPL(mddev_init); + + static struct mddev *mddev_find(dev_t unit) + { ++ struct mddev *mddev; ++ ++ if (MAJOR(unit) != MD_MAJOR) ++ unit &= ~((1 << MdpMinorShift) - 1); ++ ++ spin_lock(&all_mddevs_lock); ++ mddev = mddev_find_locked(unit); ++ if (mddev) ++ mddev_get(mddev); ++ spin_unlock(&all_mddevs_lock); ++ ++ return mddev; ++} ++ ++static struct mddev *mddev_find_or_alloc(dev_t unit) ++{ + struct mddev *mddev, *new = NULL; + + if (unit && MAJOR(unit) != MD_MAJOR) +@@ -5644,7 +5660,7 @@ static int md_alloc(dev_t dev, char *nam + * writing to /sys/module/md_mod/parameters/new_array. 
+ */ + static DEFINE_MUTEX(disks_mutex); +- struct mddev *mddev = mddev_find(dev); ++ struct mddev *mddev = mddev_find_or_alloc(dev); + struct gendisk *disk; + int partitioned; + int shift; +@@ -6524,11 +6540,9 @@ static void autorun_devices(int part) + + md_probe(dev); + mddev = mddev_find(dev); +- if (!mddev || !mddev->gendisk) { +- if (mddev) +- mddev_put(mddev); ++ if (!mddev) + break; +- } ++ + if (mddev_lock(mddev)) + pr_warn("md: %s locked, cannot run\n", mdname(mddev)); + else if (mddev->raid_disks || mddev->major_version diff --git a/queue-5.12/mips-generic-update-node-names-to-avoid-unit-addresses.patch b/queue-5.12/mips-generic-update-node-names-to-avoid-unit-addresses.patch new file mode 100644 index 00000000000..bba98ffc340 --- /dev/null +++ b/queue-5.12/mips-generic-update-node-names-to-avoid-unit-addresses.patch 
@@ -0,0 +1,325 @@ +From e607ff630c6053ecc67502677c0e50053d7892d4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 9 Apr 2021 12:21:28 -0700 +Subject: MIPS: generic: Update node names to avoid unit addresses + +From: Nathan Chancellor + +commit e607ff630c6053ecc67502677c0e50053d7892d4 upstream. + +With the latest mkimage from U-Boot 2021.04, the generic defconfigs no +longer build, failing with: + +/usr/bin/mkimage: verify_header failed for FIT Image support with exit code 1 + +This is expected after the linked U-Boot commits because '@' is +forbidden in the node names due to the way that libfdt treats nodes with +the same prefix but different unit addresses. + +Switch the '@' in the node name to '-'. Drop the unit addresses from the +hash and kernel child nodes because there is only one node so they do +not need to have a number to differentiate them. + +Cc: stable@vger.kernel.org +Link: https://source.denx.de/u-boot/u-boot/-/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4 +Link: https://source.denx.de/u-boot/u-boot/-/commit/3f04db891a353f4b127ed57279279f851c6b4917 +Suggested-by: Simon Glass +Signed-off-by: Nathan Chancellor +Reviewed-by: Tom Rini +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/generic/board-boston.its.S | 10 +++++----- + arch/mips/generic/board-jaguar2.its.S | 16 ++++++++-------- + arch/mips/generic/board-luton.its.S | 8 ++++---- + arch/mips/generic/board-ni169445.its.S | 10 +++++----- + arch/mips/generic/board-ocelot.its.S | 20 ++++++++++---------- + arch/mips/generic/board-serval.its.S | 8 ++++---- + arch/mips/generic/board-xilfpga.its.S | 10 +++++----- + arch/mips/generic/vmlinux.its.S | 10 +++++----- + 8 files changed, 46 insertions(+), 46 deletions(-) + +--- a/arch/mips/generic/board-boston.its.S ++++ b/arch/mips/generic/board-boston.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@boston { ++ fdt-boston { + description = "img,boston Device Tree"; + data = 
/incbin/("boot/dts/img/boston.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@boston { ++ conf-boston { + description = "Boston Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@boston"; ++ kernel = "kernel"; ++ fdt = "fdt-boston"; + }; + }; + }; +--- a/arch/mips/generic/board-jaguar2.its.S ++++ b/arch/mips/generic/board-jaguar2.its.S +@@ -1,23 +1,23 @@ + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */ + / { + images { +- fdt@jaguar2_pcb110 { ++ fdt-jaguar2_pcb110 { + description = "MSCC Jaguar2 PCB110 Device Tree"; + data = /incbin/("boot/dts/mscc/jaguar2_pcb110.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; +- fdt@jaguar2_pcb111 { ++ fdt-jaguar2_pcb111 { + description = "MSCC Jaguar2 PCB111 Device Tree"; + data = /incbin/("boot/dts/mscc/jaguar2_pcb111.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; +@@ -26,14 +26,14 @@ + configurations { + pcb110 { + description = "Jaguar2 Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@jaguar2_pcb110"; ++ kernel = "kernel"; ++ fdt = "fdt-jaguar2_pcb110"; + ramdisk = "ramdisk"; + }; + pcb111 { + description = "Jaguar2 Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@jaguar2_pcb111"; ++ kernel = "kernel"; ++ fdt = "fdt-jaguar2_pcb111"; + ramdisk = "ramdisk"; + }; + }; +--- a/arch/mips/generic/board-luton.its.S ++++ b/arch/mips/generic/board-luton.its.S +@@ -1,13 +1,13 @@ + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */ + / { + images { +- fdt@luton_pcb091 { ++ fdt-luton_pcb091 { + description = "MSCC Luton PCB091 Device Tree"; + data = /incbin/("boot/dts/mscc/luton_pcb091.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; +@@ -16,8 +16,8 @@ + configurations { + pcb091 { + description = "Luton Linux kernel"; +- 
kernel = "kernel@0"; +- fdt = "fdt@luton_pcb091"; ++ kernel = "kernel"; ++ fdt = "fdt-luton_pcb091"; + }; + }; + }; +--- a/arch/mips/generic/board-ni169445.its.S ++++ b/arch/mips/generic/board-ni169445.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@ni169445 { ++ fdt-ni169445 { + description = "NI 169445 device tree"; + data = /incbin/("boot/dts/ni/169445.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@ni169445 { ++ conf-ni169445 { + description = "NI 169445 Linux Kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ni169445"; ++ kernel = "kernel"; ++ fdt = "fdt-ni169445"; + }; + }; + }; +--- a/arch/mips/generic/board-ocelot.its.S ++++ b/arch/mips/generic/board-ocelot.its.S +@@ -1,40 +1,40 @@ + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */ + / { + images { +- fdt@ocelot_pcb123 { ++ fdt-ocelot_pcb123 { + description = "MSCC Ocelot PCB123 Device Tree"; + data = /incbin/("boot/dts/mscc/ocelot_pcb123.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + +- fdt@ocelot_pcb120 { ++ fdt-ocelot_pcb120 { + description = "MSCC Ocelot PCB120 Device Tree"; + data = /incbin/("boot/dts/mscc/ocelot_pcb120.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@ocelot_pcb123 { ++ conf-ocelot_pcb123 { + description = "Ocelot Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ocelot_pcb123"; ++ kernel = "kernel"; ++ fdt = "fdt-ocelot_pcb123"; + }; + +- conf@ocelot_pcb120 { ++ conf-ocelot_pcb120 { + description = "Ocelot Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ocelot_pcb120"; ++ kernel = "kernel"; ++ fdt = "fdt-ocelot_pcb120"; + }; + }; + }; +--- a/arch/mips/generic/board-serval.its.S ++++ b/arch/mips/generic/board-serval.its.S +@@ -1,13 +1,13 @@ + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */ + / { + images { +- 
fdt@serval_pcb105 { ++ fdt-serval_pcb105 { + description = "MSCC Serval PCB105 Device Tree"; + data = /incbin/("boot/dts/mscc/serval_pcb105.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; +@@ -16,8 +16,8 @@ + configurations { + pcb105 { + description = "Serval Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@serval_pcb105"; ++ kernel = "kernel"; ++ fdt = "fdt-serval_pcb105"; + ramdisk = "ramdisk"; + }; + }; +--- a/arch/mips/generic/board-xilfpga.its.S ++++ b/arch/mips/generic/board-xilfpga.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@xilfpga { ++ fdt-xilfpga { + description = "MIPSfpga (xilfpga) Device Tree"; + data = /incbin/("boot/dts/xilfpga/nexys4ddr.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@xilfpga { ++ conf-xilfpga { + description = "MIPSfpga Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@xilfpga"; ++ kernel = "kernel"; ++ fdt = "fdt-xilfpga"; + }; + }; + }; +--- a/arch/mips/generic/vmlinux.its.S ++++ b/arch/mips/generic/vmlinux.its.S +@@ -6,7 +6,7 @@ + #address-cells = ; + + images { +- kernel@0 { ++ kernel { + description = KERNEL_NAME; + data = /incbin/(VMLINUX_BINARY); + type = "kernel"; +@@ -15,18 +15,18 @@ + compression = VMLINUX_COMPRESSION; + load = /bits/ ADDR_BITS ; + entry = /bits/ ADDR_BITS ; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- default = "conf@default"; ++ default = "conf-default"; + +- conf@default { ++ conf-default { + description = "Generic Linux kernel"; +- kernel = "kernel@0"; ++ kernel = "kernel"; + }; + }; + }; diff --git a/queue-5.12/mips-reinstate-platform-__div64_32-handler.patch b/queue-5.12/mips-reinstate-platform-__div64_32-handler.patch new file mode 100644 index 00000000000..3a0267d6f28 --- /dev/null +++ b/queue-5.12/mips-reinstate-platform-__div64_32-handler.patch 
@@ -0,0 +1,161 @@ +From c49f71f60754acbff37505e1d16ca796bf8a8140 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 20 Apr 2021 04:50:40 +0200 +Subject: MIPS: Reinstate platform `__div64_32' handler + +From: Maciej W. Rozycki + +commit c49f71f60754acbff37505e1d16ca796bf8a8140 upstream. + +Our current MIPS platform `__div64_32' handler is inactive, because it +is incorrectly only enabled for 64-bit configurations, for which generic +`do_div' code does not call it anyway. + +The handler is not suitable for being called from there though as it +only calculates 32 bits of the quotient under the assumption the 64-bit +divident has been suitably reduced. Code for such reduction used to be +there, however it has been incorrectly removed with commit c21004cd5b4c +("MIPS: Rewrite to work with gcc 4.4.0."), which should +have only updated an obsoleted constraint for an inline asm involving +$hi and $lo register outputs, while possibly wiring the original MIPS +variant of the `do_div' macro as `__div64_32' handler for the generic +`do_div' implementation + +Correct the handler as follows then: + +- Revert most of the commit referred, however retaining the current + formatting, except for the final two instructions of the inline asm + sequence, which the original commit missed. Omit the original 64-bit + parts though. + +- Rename the original `do_div' macro to `__div64_32'. Use the combined + `x' constraint referring to the MD accumulator as a whole, replacing + the original individual `h' and `l' constraints used for $hi and $lo + registers respectively, of which `h' has been obsoleted with GCC 4.4. + Update surrounding code accordingly. + + We have since removed support for GCC versions before 4.9, so no need + for a special arrangement here; GCC has supported the `x' constraint + since forever anyway, or at least going back to 1991. + +- Rename the `__base' local variable in `__div64_32' to `__radix' to + avoid a conflict with a local variable in `do_div'. 
+ +- Actually enable this code for 32-bit rather than 64-bit configurations + by qualifying it with BITS_PER_LONG being 32 instead of 64. Include + for this macro rather than as we + don't need anything else. + +- Finally include last rather than first. + +This has passed correctness verification with test_div64 and reduced the +module's average execution time down to 1.0668s and 0.2629s from 2.1529s +and 0.5647s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz. +For a reference 64-bit `do_div' code where we have the DDIVU instruction +available to do the whole calculation right away averages at 0.0660s for +the latter CPU. + +Fixes: c21004cd5b4c ("MIPS: Rewrite to work with gcc 4.4.0.") +Reported-by: Huacai Chen +Signed-off-by: Maciej W. Rozycki +Cc: stable@vger.kernel.org # v2.6.30+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/div64.h | 57 ++++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/arch/mips/include/asm/div64.h ++++ b/arch/mips/include/asm/div64.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2000, 2004 Maciej W. Rozycki ++ * Copyright (C) 2000, 2004, 2021 Maciej W. Rozycki + * Copyright (C) 2003, 07 Ralf Baechle (ralf@linux-mips.org) + * + * This file is subject to the terms and conditions of the GNU General Public +@@ -9,25 +9,18 @@ + #ifndef __ASM_DIV64_H + #define __ASM_DIV64_H + +-#include +- +-#if BITS_PER_LONG == 64 ++#include + +-#include ++#if BITS_PER_LONG == 32 + + /* + * No traps on overflows for any of these... 
+ */ + +-#define __div64_32(n, base) \ +-({ \ ++#define do_div64_32(res, high, low, base) ({ \ + unsigned long __cf, __tmp, __tmp2, __i; \ + unsigned long __quot32, __mod32; \ +- unsigned long __high, __low; \ +- unsigned long long __n; \ + \ +- __high = *__n >> 32; \ +- __low = __n; \ + __asm__( \ + " .set push \n" \ + " .set noat \n" \ +@@ -51,18 +44,50 @@ + " subu %0, %0, %z6 \n" \ + " addiu %2, %2, 1 \n" \ + "3: \n" \ +- " bnez %4, 0b\n\t" \ +- " srl %5, %1, 0x1f\n\t" \ ++ " bnez %4, 0b \n" \ ++ " srl %5, %1, 0x1f \n" \ + " .set pop" \ + : "=&r" (__mod32), "=&r" (__tmp), \ + "=&r" (__quot32), "=&r" (__cf), \ + "=&r" (__i), "=&r" (__tmp2) \ +- : "Jr" (base), "0" (__high), "1" (__low)); \ ++ : "Jr" (base), "0" (high), "1" (low)); \ + \ +- (__n) = __quot32; \ ++ (res) = __quot32; \ + __mod32; \ + }) + +-#endif /* BITS_PER_LONG == 64 */ ++#define __div64_32(n, base) ({ \ ++ unsigned long __upper, __low, __high, __radix; \ ++ unsigned long long __modquot; \ ++ unsigned long long __quot; \ ++ unsigned long long __div; \ ++ unsigned long __mod; \ ++ \ ++ __div = (*n); \ ++ __radix = (base); \ ++ \ ++ __high = __div >> 32; \ ++ __low = __div; \ ++ __upper = __high; \ ++ \ ++ if (__high) { \ ++ __asm__("divu $0, %z1, %z2" \ ++ : "=x" (__modquot) \ ++ : "Jr" (__high), "Jr" (__radix)); \ ++ __upper = __modquot >> 32; \ ++ __high = __modquot; \ ++ } \ ++ \ ++ __mod = do_div64_32(__low, __upper, __low, __radix); \ ++ \ ++ __quot = __high; \ ++ __quot = __quot << 32 | __low; \ ++ (*n) = __quot; \ ++ __mod; \ ++}) ++ ++#endif /* BITS_PER_LONG == 32 */ ++ ++#include + + #endif /* __ASM_DIV64_H */ diff --git a/queue-5.12/mt76-fix-potential-dma-mapping-leak.patch b/queue-5.12/mt76-fix-potential-dma-mapping-leak.patch new file mode 100644 index 00000000000..6d991a50ef0 --- /dev/null +++ b/queue-5.12/mt76-fix-potential-dma-mapping-leak.patch 
@@ -0,0 +1,33 @@ +From b4403cee6400c5f679e9c4a82b91d61aa961eccf Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 23 Mar 2021 22:47:37 +0100 +Subject: mt76: fix potential DMA mapping leak + +From: Felix Fietkau + +commit b4403cee6400c5f679e9c4a82b91d61aa961eccf upstream. + +With buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap +could potentially inherit a non-zero value from stack garbage. +If this happens, it will cause DMA mappings for MCU command frames to not be +unmapped after completion + +Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -309,7 +309,7 @@ static int + mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, struct mt76_queue *q, + struct sk_buff *skb, u32 tx_info) + { +- struct mt76_queue_buf buf; ++ struct mt76_queue_buf buf = {}; + dma_addr_t addr; + + if (q->queued + 1 >= q->ndesc - 1) diff --git a/queue-5.12/mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch b/queue-5.12/mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch new file mode 100644 index 00000000000..b0fbf923ad8 --- /dev/null +++ b/queue-5.12/mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch 
@@ -0,0 +1,37 @@ +From 06991d1f73a9bdbc5f234ee96737b9102705b89c Mon Sep 17 00:00:00 2001 +From: Ryder Lee +Date: Tue, 13 Apr 2021 16:00:07 +0800 +Subject: mt76: mt7615: use ieee80211_free_txskb() in mt7615_tx_token_put() + +From: Ryder Lee + +commit 06991d1f73a9bdbc5f234ee96737b9102705b89c upstream. + +We should use ieee80211_free_txskb() to report skb status avoid wrong +aql accounting after reset. + +Cc: stable@vger.kernel.org +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -2000,8 +2000,12 @@ void mt7615_tx_token_put(struct mt7615_d + spin_lock_bh(&dev->token_lock); + idr_for_each_entry(&dev->token, txwi, id) { + mt7615_txp_skb_unmap(&dev->mt76, txwi); +- if (txwi->skb) +- dev_kfree_skb_any(txwi->skb); ++ if (txwi->skb) { ++ struct ieee80211_hw *hw; ++ ++ hw = mt76_tx_status_get_hw(&dev->mt76, txwi->skb); ++ ieee80211_free_txskb(hw, txwi->skb); ++ } + mt76_put_txwi(&dev->mt76, txwi); + } + spin_unlock_bh(&dev->token_lock); diff --git a/queue-5.12/net-xilinx-drivers-need-depend-on-has_iomem.patch b/queue-5.12/net-xilinx-drivers-need-depend-on-has_iomem.patch new file mode 100644 index 00000000000..a69c617f978 --- /dev/null +++ b/queue-5.12/net-xilinx-drivers-need-depend-on-has_iomem.patch 
@@ -0,0 +1,68 @@ +From 46fd4471615c1bff9d87c411140807762c25667a Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 16 Apr 2021 23:55:54 -0700 +Subject: net: xilinx: drivers need/depend on HAS_IOMEM + +From: Randy Dunlap + +commit 46fd4471615c1bff9d87c411140807762c25667a upstream. + +kernel test robot reports build errors in 3 Xilinx ethernet drivers. +They all use ioremap functions that are only available when HAS_IOMEM +is set/enabled. If it is not enabled, they all have build errors, +so make these 3 drivers depend on HAS_IOMEM. + +ld: drivers/net/ethernet/xilinx/xilinx_emaclite.o: in function `xemaclite_of_probe': +xilinx_emaclite.c:(.text+0x9fc): undefined reference to `devm_ioremap_resource' + +ld: drivers/net/ethernet/xilinx/xilinx_axienet_main.o: in function `axienet_probe': +xilinx_axienet_main.c:(.text+0x942): undefined reference to `devm_ioremap_resource' + +ld: drivers/net/ethernet/xilinx/ll_temac_main.o: in function `temac_probe': +ll_temac_main.c:(.text+0x1283): undefined reference to `devm_platform_ioremap_resource_byname' +ld: ll_temac_main.c:(.text+0x13ad): undefined reference to `devm_of_iomap' +ld: ll_temac_main.c:(.text+0x162e): undefined reference to `devm_platform_ioremap_resource' + +Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Radhey Shyam Pandey +Cc: Gary Guo +Cc: Zhang Changzhong +Cc: Andre Przywara +Cc: stable@vger.kernel.org +Cc: Daniel Borkmann +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: netdev@vger.kernel.org +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/xilinx/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/xilinx/Kconfig ++++ b/drivers/net/ethernet/xilinx/Kconfig +@@ -18,12 +18,14 @@ if NET_VENDOR_XILINX + + config XILINX_EMACLITE + tristate "Xilinx 10/100 Ethernet Lite support" ++ depends on HAS_IOMEM + select PHYLIB + help + This driver supports the 10/100 Ethernet Lite from Xilinx. + + config XILINX_AXI_EMAC + tristate "Xilinx 10/100/1000 AXI Ethernet support" ++ depends on HAS_IOMEM + select PHYLINK + help + This driver supports the 10/100/1000 Ethernet from Xilinx for the +@@ -31,6 +33,7 @@ config XILINX_AXI_EMAC + + config XILINX_LL_TEMAC + tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver" ++ depends on HAS_IOMEM + select PHYLIB + help + This driver supports the Xilinx 10/100/1000 LocalLink TEMAC diff --git a/queue-5.12/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch b/queue-5.12/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch new file mode 100644 index 00000000000..b94b372e8ac --- /dev/null +++ b/queue-5.12/rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch 
@@ -0,0 +1,108 @@ +From 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Thu, 1 Apr 2021 14:27:17 -0500 +Subject: rtw88: Fix array overrun in rtw_get_tx_power_params() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ping-Ke Shih + +commit 2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e upstream. + +Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the +following array overrun is logged: + +================================================================================ +UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34 +index 5 is out of range for type 'u8 [5]' +CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651 +Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 +Workqueue: phy0 ieee80211_scan_work [mac80211] +Call Trace: + dump_stack+0x64/0x7c + ubsan_epilogue+0x5/0x40 + __ubsan_handle_out_of_bounds.cold+0x43/0x48 + rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core] + ? rtw_pci_read16+0x20/0x20 [rtw_pci] + ? check_hw_ready+0x50/0x90 [rtw_core] + rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core] + rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core] + rtw_set_channel+0xab/0x110 [rtw_core] + rtw_ops_config+0x87/0xc0 [rtw_core] + ieee80211_hw_config+0x9d/0x130 [mac80211] + ieee80211_scan_state_set_channel+0x81/0x170 [mac80211] + ieee80211_scan_work+0x19f/0x2a0 [mac80211] + process_one_work+0x1dd/0x3a0 + worker_thread+0x49/0x330 + ? rescuer_thread+0x3a0/0x3a0 + kthread+0x134/0x150 + ? 
kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x22/0x30 +================================================================================ + +The statement where an array is being overrun is shown in the following snippet: + + if (rate <= DESC_RATE11M) + tx_power = pwr_idx_2g->cck_base[group]; + else +====> tx_power = pwr_idx_2g->bw40_base[group]; + +The associated arrays are defined in main.h as follows: + +struct rtw_2g_txpwr_idx { + u8 cck_base[6]; + u8 bw40_base[5]; + struct rtw_2g_1s_pwr_idx_diff ht_1s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_2s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_3s_diff; + struct rtw_2g_ns_pwr_idx_diff ht_4s_diff; +}; + +The problem arises because the value of group is 5 for channel 14. The trivial +increase in the dimension of bw40_base fails as this struct must match the layout of +efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set +the group for channel 14 to 4 if rate <= DESC_RATE11M. + +This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") + +Fixes: fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") +Reported-by: Богдан Пилипенко +Signed-off-by: Larry Finger +Signed-off-by: Ping-Ke Shih +Cc: Stable +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210401192717.28927-1-Larry.Finger@lwfinger.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/phy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -1584,7 +1584,7 @@ void rtw_phy_load_tables(struct rtw_dev + } + EXPORT_SYMBOL(rtw_phy_load_tables); + +-static u8 rtw_get_channel_group(u8 channel) ++static u8 rtw_get_channel_group(u8 channel, u8 rate) + { + switch (channel) { + default: +@@ -1628,6 +1628,7 @@ static u8 rtw_get_channel_group(u8 chann + case 106: + return 4; + case 14: ++ return rate <= DESC_RATE11M ? 
5 : 4; + case 108: + case 110: + case 112: +@@ -1879,7 +1880,7 @@ void rtw_get_tx_power_params(struct rtw_ + s8 *remnant = &pwr_param->pwr_remnant; + + pwr_idx = &rtwdev->efuse.txpwr_idx_table[path]; +- group = rtw_get_channel_group(ch); ++ group = rtw_get_channel_group(ch, rate); + + /* base power index for 2.4G/5G */ + if (IS_CH_2G_BAND(ch)) { diff --git a/queue-5.12/series b/queue-5.12/series index 2a24d7ff328..3b04611447b 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -54,3 +54,17 @@ selinux-add-proper-null-termination-to-the-secclass_map-permissions.patch x86-sched-treat-intel-snc-topology-as-default-cod-as-exception.patch async_xor-increase-src_offs-when-dropping-destination-page.patch md-bitmap-wait-for-external-bitmap-writes-to-complete-during-tear-down.patch +md-cluster-fix-use-after-free-issue-when-removing-rdev.patch +md-split-mddev_find.patch +md-factor-out-a-mddev_find_locked-helper-from-mddev_find.patch +md-md_open-returns-ebusy-when-entering-racing-area.patch +md-fix-missing-unused-status-line-of-proc-mdstat.patch +mips-reinstate-platform-__div64_32-handler.patch +mips-generic-update-node-names-to-avoid-unit-addresses.patch +mt76-mt7615-use-ieee80211_free_txskb-in-mt7615_tx_token_put.patch +ipw2x00-potential-buffer-overflow-in-libipw_wx_set_encodeext.patch +net-xilinx-drivers-need-depend-on-has_iomem.patch +cfg80211-scan-drop-entry-from-hidden_list-on-overflow.patch +rtw88-fix-array-overrun-in-rtw_get_tx_power_params.patch +mt76-fix-potential-dma-mapping-leak.patch +fddi-defxx-make-mmio-the-configuration-default-except-for-eisa.patch
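Review bot: in arch/mips/include/asm/div64.h, the new `__div64_32(n, base)` macro dereferences its argument as `(*n)` in both `__div = (*n);` and `(*n) = __quot;`, so the parentheses protect the whole expression but not the argument itself. Any caller that passes something other than a plain identifier or `&x` (for example `p + 1`) would be parsed as `*p + 1`. Writing `*(n)` in both places costs nothing. Separately, `if (__high)` issues the DIVU even when `__high < __radix`, where the quotient is known to be 0 and the remainder is `__high`. Given that the commit message is about execution time, testing `__high >= __radix` instead would skip the divide in that case.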
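Review bot: in mt76_dma_tx_queue_skb_raw(), `struct mt76_queue_buf buf = {};` fixes `skip_unmap` only implicitly, and nothing on the line records that the zeroing is required for correctness. A one-line comment naming `skip_unmap`, or an explicit assignment of that field next to the other `buf` members, would keep a later cleanup from dropping the initializer as redundant and reintroducing the stack-garbage read the commit message describes.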
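Review bot: in mt7615_tx_token_put(), the new `ieee80211_free_txskb(hw, txwi->skb)` call runs inside the `spin_lock_bh(&dev->token_lock)` section of the `idr_for_each_entry` loop. According to the commit message this call reports skb status, which is more work than the `dev_kfree_skb_any()` it replaces. Please confirm that the status path can never reach `token_lock`, or move the entries to a local list inside the loop and free them after `spin_unlock_bh()`. The commit message would also benefit from saying which reset path produced the wrong AQL accounting.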
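Review bot: in drivers/net/ethernet/xilinx/Kconfig, the hunks add `depends on HAS_IOMEM` to XILINX_EMACLITE, XILINX_AXI_EMAC and XILINX_LL_TEMAC, but the `Fixes:` tag names only the commit that added the AXI Ethernet driver. Someone backporting by that tag alone cannot tell which of the other two entries the change applies to in an older tree. Either add a Fixes line per driver or state in the message that the single tag is deliberate.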
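Review bot: in rtw_get_channel_group(), the new `case 14:` returns `rate <= DESC_RATE11M ? 5 : 4`, which is group 5 for CCK rates and group 4 otherwise, while the commit message says the fix is to "set the group for channel 14 to 4 if rate <= DESC_RATE11M". The code is the version consistent with the quoted struct (`cck_base[6]` accepts index 5, `bw40_base[5]` does not), so the message is the part that needs correcting. The case also sits between `case 106:` and `case 108:` with no explanation. A short comment stating that channel 14 uses group 5 only for the `cck_base` lookup would make the special case clear to the next reader.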