From: Greg Kroah-Hartman Date: Mon, 5 Apr 2021 08:20:32 +0000 (+0200) Subject: 5.11-stable patches X-Git-Tag: v4.4.265~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4406c9602f616b520f141a4b8e2c20770a8ecbf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.11-stable patches added patches: driver-core-clear-deferred-probe-reason-on-probe-retry.patch drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch staging-rtl8192e-change-state-information-from-u16-to-u8.patch staging-rtl8192e-fix-incorrect-source-in-memcpy.patch --- diff --git a/queue-5.11/driver-core-clear-deferred-probe-reason-on-probe-retry.patch b/queue-5.11/driver-core-clear-deferred-probe-reason-on-probe-retry.patch new file mode 100644 index 00000000000..c404af1d33b --- /dev/null +++ b/queue-5.11/driver-core-clear-deferred-probe-reason-on-probe-retry.patch 
@@ -0,0 +1,42 @@ +From f0acf637d60ffcef3ccb6e279f743e587b3c7359 Mon Sep 17 00:00:00 2001 +From: Ahmad Fatoum +Date: Fri, 19 Mar 2021 12:04:57 +0100 +Subject: driver core: clear deferred probe reason on probe retry + +From: Ahmad Fatoum + +commit f0acf637d60ffcef3ccb6e279f743e587b3c7359 upstream. + +When retrying a deferred probe, any old defer reason string should be +discarded. Otherwise, if the probe is deferred again at a different spot, +but without setting a message, the now incorrect probe reason will remain. + +This was observed with the i.MX I2C driver, which ultimately failed +to probe due to lack of the GPIO driver. The probe defer for GPIO +doesn't record a message, but a previous probe defer to clock_get did. +This had the effect that /sys/kernel/debug/devices_deferred listed +a misleading probe deferral reason. + +Cc: stable +Fixes: d090b70ede02 ("driver core: add deferring probe reason to devices_deferred property") +Reviewed-by: Andy Shevchenko +Reviewed-by: Andrzej Hajda +Signed-off-by: Ahmad Fatoum +Link: https://lore.kernel.org/r/20210319110459.19966-1-a.fatoum@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/dd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -97,6 +97,9 @@ static void deferred_probe_work_func(str + + get_device(dev); + ++ kfree(dev->p->deferred_probe_reason); ++ dev->p->deferred_probe_reason = NULL; ++ + /* + * Drop the mutex while probing each device; the probe path may + * manipulate the deferred list diff --git a/queue-5.11/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch b/queue-5.11/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch new file mode 100644 index 00000000000..b14ab1908cf --- /dev/null +++ b/queue-5.11/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch 
@@ -0,0 +1,32 @@ +From 01faae5193d6190b7b3aa93dae43f514e866d652 Mon Sep 17 00:00:00 2001 +From: Du Cheng +Date: Fri, 12 Mar 2021 16:14:21 +0800 +Subject: drivers: video: fbcon: fix NULL dereference in fbcon_cursor() + +From: Du Cheng + +commit 01faae5193d6190b7b3aa93dae43f514e866d652 upstream. + +add null-check on function pointer before dereference on ops->cursor + +Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com +Cc: stable +Signed-off-by: Du Cheng +Link: https://lore.kernel.org/r/20210312081421.452405-1-ducheng2@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1341,6 +1341,9 @@ static void fbcon_cursor(struct vc_data + + ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1; + ++ if (!ops->cursor) ++ return; ++ + ops->cursor(vc, info, mode, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + } diff --git a/queue-5.11/series b/queue-5.11/series index 7c2f2cdbe3f..baf32aaef89 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -141,3 +141,8 @@ usb-dwc2-fix-hprt0.prtsusp-bit-setting-for-hikey-960-board.patch usb-dwc2-prevent-core-suspend-when-port-connection-flag-is-0.patch usb-dwc3-qcom-skip-interconnect-init-for-acpi-probe.patch usb-dwc3-gadget-clear-dep-flags-after-stop-transfers-in-ep-disable.patch +soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch +staging-rtl8192e-fix-incorrect-source-in-memcpy.patch +staging-rtl8192e-change-state-information-from-u16-to-u8.patch +driver-core-clear-deferred-probe-reason-on-probe-retry.patch +drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch diff --git a/queue-5.11/soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch b/queue-5.11/soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch new file mode 100644 index 00000000000..8635105e96e --- /dev/null 
+++ b/queue-5.11/soc-qcom-geni-se-cleanup-the-code-to-remove-proxy-votes.patch 
@@ -0,0 +1,187 @@ +From 29d96eb261345c8d888e248ae79484e681be2faa Mon Sep 17 00:00:00 2001 +From: Roja Rani Yarubandi +Date: Wed, 24 Mar 2021 15:48:35 +0530 +Subject: soc: qcom-geni-se: Cleanup the code to remove proxy votes + +From: Roja Rani Yarubandi + +commit 29d96eb261345c8d888e248ae79484e681be2faa upstream. + +This reverts commit 048eb908a1f2 ("soc: qcom-geni-se: Add interconnect +support to fix earlycon crash") + +ICC core and platforms drivers supports sync_state feature, which +ensures that the default ICC BW votes from the bootloader is not +removed until all it's consumers are probes. + +The proxy votes were needed in case other QUP child drivers +I2C, SPI probes before UART, they can turn off the QUP-CORE clock +which is shared resources for all QUP driver, this causes unclocked +access to HW from earlycon. + +Given above support from ICC there is no longer need to maintain +proxy votes on QUP-CORE ICC node from QUP wrapper driver for early +console usecase, the default votes won't be removed until real +console is probed. 
+ +Cc: stable@vger.kernel.org +Fixes: 266cd33b5913 ("interconnect: qcom: Ensure that the floor bandwidth value is enforced") +Fixes: 7d3b0b0d8184 ("interconnect: qcom: Use icc_sync_state") +Signed-off-by: Roja Rani Yarubandi +Signed-off-by: Akash Asthana +Reviewed-by: Matthias Kaehlcke +Link: https://lore.kernel.org/r/20210324101836.25272-2-rojay@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/qcom-geni-se.c | 74 ---------------------------------- + drivers/tty/serial/qcom_geni_serial.c | 7 --- + include/linux/qcom-geni-se.h | 2 + 3 files changed, 83 deletions(-) + +--- a/drivers/soc/qcom/qcom-geni-se.c ++++ b/drivers/soc/qcom/qcom-geni-se.c +@@ -3,7 +3,6 @@ + + #include + #include +-#include + #include + #include + #include +@@ -92,14 +91,11 @@ struct geni_wrapper { + struct device *dev; + void __iomem *base; + struct clk_bulk_data ahb_clks[NUM_AHB_CLKS]; +- struct geni_icc_path to_core; + }; + + static const char * const icc_path_names[] = {"qup-core", "qup-config", + "qup-memory"}; + +-static struct geni_wrapper *earlycon_wrapper; +- + #define QUP_HW_VER_REG 0x4 + + /* Common SE registers */ +@@ -843,44 +839,11 @@ int geni_icc_disable(struct geni_se *se) + } + EXPORT_SYMBOL(geni_icc_disable); + +-void geni_remove_earlycon_icc_vote(void) +-{ +- struct platform_device *pdev; +- struct geni_wrapper *wrapper; +- struct device_node *parent; +- struct device_node *child; +- +- if (!earlycon_wrapper) +- return; +- +- wrapper = earlycon_wrapper; +- parent = of_get_next_parent(wrapper->dev->of_node); +- for_each_child_of_node(parent, child) { +- if (!of_device_is_compatible(child, "qcom,geni-se-qup")) +- continue; +- +- pdev = of_find_device_by_node(child); +- if (!pdev) +- continue; +- +- wrapper = platform_get_drvdata(pdev); +- icc_put(wrapper->to_core.path); +- wrapper->to_core.path = NULL; +- +- } +- of_node_put(parent); +- +- earlycon_wrapper = NULL; +-} +-EXPORT_SYMBOL(geni_remove_earlycon_icc_vote); +- + static int geni_se_probe(struct 
platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct resource *res; + struct geni_wrapper *wrapper; +- struct console __maybe_unused *bcon; +- bool __maybe_unused has_earlycon = false; + int ret; + + wrapper = devm_kzalloc(dev, sizeof(*wrapper), GFP_KERNEL); +@@ -903,43 +866,6 @@ static int geni_se_probe(struct platform + } + } + +-#ifdef CONFIG_SERIAL_EARLYCON +- for_each_console(bcon) { +- if (!strcmp(bcon->name, "qcom_geni")) { +- has_earlycon = true; +- break; +- } +- } +- if (!has_earlycon) +- goto exit; +- +- wrapper->to_core.path = devm_of_icc_get(dev, "qup-core"); +- if (IS_ERR(wrapper->to_core.path)) +- return PTR_ERR(wrapper->to_core.path); +- /* +- * Put minmal BW request on core clocks on behalf of early console. +- * The vote will be removed earlycon exit function. +- * +- * Note: We are putting vote on each QUP wrapper instead only to which +- * earlycon is connected because QUP core clock of different wrapper +- * share same voltage domain. If core1 is put to 0, then core2 will +- * also run at 0, if not voted. Default ICC vote will be removed ASA +- * we touch any of the core clock. 
+- * core1 = core2 = max(core1, core2) +- */ +- ret = icc_set_bw(wrapper->to_core.path, GENI_DEFAULT_BW, +- GENI_DEFAULT_BW); +- if (ret) { +- dev_err(&pdev->dev, "%s: ICC BW voting failed for core: %d\n", +- __func__, ret); +- return ret; +- } +- +- if (of_get_compatible_child(pdev->dev.of_node, "qcom,geni-debug-uart")) +- earlycon_wrapper = wrapper; +- of_node_put(pdev->dev.of_node); +-exit: +-#endif + dev_set_drvdata(dev, wrapper); + dev_dbg(dev, "GENI SE Driver probed\n"); + return devm_of_platform_populate(dev); +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -1177,12 +1177,6 @@ static inline void qcom_geni_serial_enab + struct console *con) { } + #endif + +-static int qcom_geni_serial_earlycon_exit(struct console *con) +-{ +- geni_remove_earlycon_icc_vote(); +- return 0; +-} +- + static struct qcom_geni_private_data earlycon_private_data; + + static int __init qcom_geni_serial_earlycon_setup(struct earlycon_device *dev, +@@ -1233,7 +1227,6 @@ static int __init qcom_geni_serial_early + writel(stop_bit_len, uport->membase + SE_UART_TX_STOP_BIT_LEN); + + dev->con->write = qcom_geni_serial_earlycon_write; +- dev->con->exit = qcom_geni_serial_earlycon_exit; + dev->con->setup = NULL; + qcom_geni_serial_enable_early_read(&se, dev->con); + +--- a/include/linux/qcom-geni-se.h ++++ b/include/linux/qcom-geni-se.h +@@ -460,7 +460,5 @@ void geni_icc_set_tag(struct geni_se *se + int geni_icc_enable(struct geni_se *se); + + int geni_icc_disable(struct geni_se *se); +- +-void geni_remove_earlycon_icc_vote(void); + #endif + #endif diff --git a/queue-5.11/staging-rtl8192e-change-state-information-from-u16-to-u8.patch b/queue-5.11/staging-rtl8192e-change-state-information-from-u16-to-u8.patch new file mode 100644 index 00000000000..6b222001d83 --- /dev/null +++ b/queue-5.11/staging-rtl8192e-change-state-information-from-u16-to-u8.patch 
@@ -0,0 +1,74 @@ +From e78836ae76d20f38eed8c8c67f21db97529949da Mon Sep 17 00:00:00 2001 +From: Atul Gopinathan +Date: Tue, 23 Mar 2021 17:04:14 +0530 +Subject: staging: rtl8192e: Change state information from u16 to u8 + +From: Atul Gopinathan + +commit e78836ae76d20f38eed8c8c67f21db97529949da upstream. + +The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4 +bytes in total while the operations performed on this array through-out +the code base are only 2 bytes. + +The "CcxRmState" field is fed only 2 bytes of data using memcpy(): + +(In rtllib_rx.c:1972) + memcpy(network->CcxRmState, &info_element->data[4], 2) + +With "info_element->data[]" being a u8 array, if 2 bytes are written +into "CcxRmState" (whose one element is u16 size), then the 2 u8 +elements from "data[]" gets squashed and written into the first element +("CcxRmState[0]") while the second element ("CcxRmState[1]") is never +fed with any data. + +Same in file rtllib_rx.c:2522: + memcpy(dst->CcxRmState, src->CcxRmState, 2); + +The above line duplicates "src" data to "dst" but only writes 2 bytes +(and not 4, which is the actual size). Again, only 1st element gets the +value while the 2nd element remains uninitialized. + +This later makes operations done with CcxRmState unpredictable in the +following lines as the 1st element is having a squashed number while the +2nd element is having an uninitialized random number. + +rtllib_rx.c:1973: if (network->CcxRmState[0] != 0) +rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07; + +network->MBssidMask is also of type u8 and not u16. + +Fix this by changing the type of "CcxRmState" from u16 to u8 so that the +data written into this array and read from it make sense and are not +random values. 
+ +NOTE: The wrong initialization of "CcxRmState" can be seen in the +following commit: + +commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") + +The above commit created a file `rtl8192e/ieee80211.h` which used to +have the faulty line. The file has been deleted (or possibly renamed) +with the contents copied in to a new file `rtl8192e/rtllib.h` along with +additional code in the commit 94a799425eee (tagged in Fixes). + +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Cc: stable@vger.kernel.org +Signed-off-by: Atul Gopinathan +Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192e/rtllib.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtllib.h ++++ b/drivers/staging/rtl8192e/rtllib.h +@@ -1105,7 +1105,7 @@ struct rtllib_network { + bool bWithAironetIE; + bool bCkipSupported; + bool bCcxRmEnable; +- u16 CcxRmState[2]; ++ u8 CcxRmState[2]; + bool bMBssidValid; + u8 MBssidMask; + u8 MBssid[ETH_ALEN]; diff --git a/queue-5.11/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch b/queue-5.11/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch new file mode 100644 index 00000000000..83a311814cf --- /dev/null +++ b/queue-5.11/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch 
@@ -0,0 +1,67 @@ +From 72ad25fbbb78930f892b191637359ab5b94b3190 Mon Sep 17 00:00:00 2001 +From: Atul Gopinathan +Date: Tue, 23 Mar 2021 17:04:12 +0530 +Subject: staging: rtl8192e: Fix incorrect source in memcpy() + +From: Atul Gopinathan + +commit 72ad25fbbb78930f892b191637359ab5b94b3190 upstream. + +The variable "info_element" is of the following type: + + struct rtllib_info_element *info_element + +defined in drivers/staging/rtl8192e/rtllib.h: + + struct rtllib_info_element { + u8 id; + u8 len; + u8 data[]; + } __packed; + +The "len" field defines the size of the "data[]" array. The code is +supposed to check if "info_element->len" is greater than 4 and later +equal to 6. If this is satisfied then, the last two bytes (the 4th and +5th element of u8 "data[]" array) are copied into "network->CcxRmState". + +Right now the code uses "memcpy()" with the source as "&info_element[4]" +which would copy in wrong and unintended information. The struct +"rtllib_info_element" has a size of 2 bytes for "id" and "len", +therefore indexing will be done in interval of 2 bytes. So, +"info_element[4]" would point to data which is beyond the memory +allocated for this pointer (that is, at x+8, while "info_element" has +been allocated only from x to x+7 (2 + 6 => 8 bytes)). + +This patch rectifies this error by using "&info_element->data[4]" which +correctly copies the last two bytes of "data[]". + +NOTE: The faulty line of code came from the following commit: + +commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") + +The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c` +which had the faulty line of code. This file has been deleted (or +possibly renamed) with the contents copied in to a new file +`rtl8192e/rtllib_rx.c` along with additional code in the commit +94a799425eee (tagged in Fixes). 
+ +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Cc: stable@vger.kernel.org +Signed-off-by: Atul Gopinathan +Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192e/rtllib_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtllib_rx.c ++++ b/drivers/staging/rtl8192e/rtllib_rx.c +@@ -1968,7 +1968,7 @@ static void rtllib_parse_mife_generic(st + info_element->data[2] == 0x96 && + info_element->data[3] == 0x01) { + if (info_element->len == 6) { +- memcpy(network->CcxRmState, &info_element[4], 2); ++ memcpy(network->CcxRmState, &info_element->data[4], 2); + if (network->CcxRmState[0] != 0) + network->bCcxRmEnable = true; + else
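Review bot: in the drivers/base/dd.c hunk (deferred_probe_work_func()), the new kfree() and NULL reset sit above the existing comment "Drop the mutex while probing each device", so they depend on the mutex still being held at that point, and nothing in the hunk says so. If the code that prints /sys/kernel/debug/devices_deferred reads deferred_probe_reason under the same mutex, this placement is what keeps it from seeing a freed string. A one-line comment above the kfree() stating that the reset must stay before the mutex is dropped would protect against a later reorder.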
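Review bot: in the fbcon_cursor() hunk, the new "if (!ops->cursor) return;" comes after "ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;", so cursor_flash is still updated on the path where no cursor handler is installed. If that is intended, a short comment should say so; otherwise the check belongs above the assignment. The commit message also gives no account of how ops->cursor ends up NULL here (only the syzbot report tag), so it is not possible to tell from the patch whether the silent return is the whole fix or covers for a missing initialisation elsewhere.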
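Review bot: in the qcom-geni-se.c hunks, dropping the "qup-core" icc_set_bw() proxy vote from geni_se_probe() and the earlycon exit hook is only safe on a tree where the interconnect core and platform drivers already provide sync_state, which is the justification given in the commit message and what the two Fixes: tags (266cd33b5913, 7d3b0b0d8184) point at. For a stable queue, confirm both of those commits are present in 5.11 before this is applied; without them, the removed comment's own scenario (another QUP child turning off the shared core clock before the real console probes) returns as an unclocked access from earlycon. It would help to state that dependency explicitly in the backport's commit message.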
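Review bot: in the rtllib.h hunk, changing the field to "u8 CcxRmState[2];" makes the array exactly 2 bytes, but the two memcpy() callers quoted in the commit message (rtllib_rx.c:1972 and rtllib_rx.c:2522) still hard-code the length 2. Once this type change is in, those copies should use sizeof(network->CcxRmState) and sizeof(dst->CcxRmState), so the length follows the declaration and the mismatch between copy size and field size that this patch describes cannot come back through a later type change.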
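Review bot: in the rtllib_rx.c hunk, the corrected "memcpy(network->CcxRmState, &info_element->data[4], 2);" still writes into a u16 CcxRmState[2] when this patch is applied alone, so the context line "if (network->CcxRmState[0] != 0)" tests both copied bytes packed into one element and CcxRmState[1] is never written. That is only resolved by the companion u16-to-u8 patch, which the queue-5.11/series hunk adds directly after this one. The two should be treated as a pair in any backport, and the commit message here should mention the dependency. The source bounds are fine as written, since the enclosing "info_element->len == 6" check covers data[4] and data[5].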