4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Oct 2019 17:38:49 +0000 (19:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Oct 2019 17:38:49 +0000 (19:38 +0200)
added patches:
cfg80211-initialize-on-stack-chandefs.patch
ieee802154-atusb-fix-use-after-free-at-disconnect.patch
mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch

queue-4.9/cfg80211-initialize-on-stack-chandefs.patch [new file with mode: 0644]
queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch [new file with mode: 0644]
queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch [new file with mode: 0644]

diff --git a/queue-4.9/cfg80211-initialize-on-stack-chandefs.patch b/queue-4.9/cfg80211-initialize-on-stack-chandefs.patch
new file mode 100644 (file)
index 0000000..b8d9b7d
--- /dev/null
@@ -0,0 +1,72 @@
+From f43e5210c739fe76a4b0ed851559d6902f20ceb1 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 23 Sep 2019 13:51:16 +0200
+Subject: cfg80211: initialize on-stack chandefs
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f43e5210c739fe76a4b0ed851559d6902f20ceb1 upstream.
+
+In a few places we don't properly initialize on-stack chandefs,
+resulting in EDMG data to be non-zero, which broke things.
+
+Additionally, in a few places we rely on the driver to init the
+data completely, but perhaps we shouldn't as non-EDMG drivers
+may not initialize the EDMG data, also initialize it there.
+
+Cc: stable@vger.kernel.org
+Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels")
+Reported-by: Dmitry Osipenko <digetx@gmail.com>
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/1569239475-I2dcce394ecf873376c386a78f31c2ec8b538fa25@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c     |    4 +++-
+ net/wireless/reg.c         |    2 +-
+ net/wireless/wext-compat.c |    2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2069,6 +2069,8 @@ static int nl80211_parse_chandef(struct
+       control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
++      memset(chandef, 0, sizeof(*chandef));
++
+       chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
+       chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
+       chandef->center_freq1 = control_freq;
+@@ -2538,7 +2540,7 @@ static int nl80211_send_iface(struct sk_
+       if (rdev->ops->get_channel) {
+               int ret;
+-              struct cfg80211_chan_def chandef;
++              struct cfg80211_chan_def chandef = {};
+               ret = rdev_get_channel(rdev, wdev, &chandef);
+               if (ret == 0) {
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1564,7 +1564,7 @@ static void reg_call_notifier(struct wip
+ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
+ {
+-      struct cfg80211_chan_def chandef;
++      struct cfg80211_chan_def chandef = {};
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+       enum nl80211_iftype iftype;
+--- a/net/wireless/wext-compat.c
++++ b/net/wireless/wext-compat.c
+@@ -799,7 +799,7 @@ static int cfg80211_wext_giwfreq(struct
+ {
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+-      struct cfg80211_chan_def chandef;
++      struct cfg80211_chan_def chandef = {};
+       int ret;
+       switch (wdev->iftype) {
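Review bot: The zeroing is written two different ways in this patch, `memset(chandef, 0, sizeof(*chandef));` in nl80211_parse_chandef and `= {}` at the three on-stack declarations, and no site says why it is needed. An empty-brace initializer clears the members but is not guaranteed to clear padding bytes, so the memset form is safer if any of these structs is ever compared or copied as raw bytes. Nothing in the visible lines does that, so this is a consistency point rather than a defect. I would add a short comment at the on-stack declarations, for example `/* drivers may leave fields unset; start from all-zero */`. All four functions start or end outside their inner hunks, so the remaining uses of chandef could not be checked here.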
diff --git a/queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch b/queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
new file mode 100644 (file)
index 0000000..60be12e
--- /dev/null
@@ -0,0 +1,39 @@
+From 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 14:12:34 +0200
+Subject: ieee802154: atusb: fix use-after-free at disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 upstream.
+
+The disconnect callback was accessing the hardware-descriptor private
+data after having having freed it.
+
+Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
+Cc: stable <stable@vger.kernel.org>     # 4.2
+Cc: Alexander Aring <alex.aring@gmail.com>
+Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ieee802154/atusb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -838,10 +838,11 @@ static void atusb_disconnect(struct usb_
+       ieee802154_unregister_hw(atusb->hw);
++      usb_put_dev(atusb->usb_dev);
++
+       ieee802154_free_hw(atusb->hw);
+       usb_set_intfdata(interface, NULL);
+-      usb_put_dev(atusb->usb_dev);
+       pr_debug("atusb_disconnect done\n");
+ }
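Review bot: The moved `usb_put_dev(atusb->usb_dev);` is only correct because it now precedes `ieee802154_free_hw(atusb->hw);`, and nothing in the code records that ordering constraint. According to the commit message, `atusb` is the hardware descriptor's private data, so any `atusb->` access after the free is a use-after-free. A comment directly above the free, such as `/* atusb is hw's private data and is freed with it: no atusb-> access below */`, would stop a later cleanup from moving a dereference back. The start of atusb_disconnect is outside the hunk, so the earlier teardown steps could not be checked.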
diff --git a/queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch b/queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
new file mode 100644 (file)
index 0000000..68fe7d8
--- /dev/null
@@ -0,0 +1,74 @@
+From 121bd08b029e03404c451bb237729cdff76eafed Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sun, 22 Sep 2019 11:26:58 +0100
+Subject: mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 121bd08b029e03404c451bb237729cdff76eafed upstream.
+
+We must not unconditionally set the DMA snoop bit; if the DMA API is
+assuming that the device is not DMA coherent, and the device snoops the
+CPU caches, the device can see stale cache lines brought in by
+speculative prefetch.
+
+This leads to the device seeing stale data, potentially resulting in
+corrupted data transfers.  Commonly, this results in a descriptor fetch
+error such as:
+
+mmc0: ADMA error
+mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
+mmc0: sdhci: Sys addr:  0x00000000 | Version:  0x00002202
+mmc0: sdhci: Blk size:  0x00000008 | Blk cnt:  0x00000001
+mmc0: sdhci: Argument:  0x00000000 | Trn mode: 0x00000013
+mmc0: sdhci: Present:   0x01f50008 | Host ctl: 0x00000038
+mmc0: sdhci: Power:     0x00000003 | Blk gap:  0x00000000
+mmc0: sdhci: Wake-up:   0x00000000 | Clock:    0x000040d8
+mmc0: sdhci: Timeout:   0x00000003 | Int stat: 0x00000001
+mmc0: sdhci: Int enab:  0x037f108f | Sig enab: 0x037f108b
+mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00002202
+mmc0: sdhci: Caps:      0x35fa0000 | Caps_1:   0x0000af00
+mmc0: sdhci: Cmd:       0x0000333a | Max curr: 0x00000000
+mmc0: sdhci: Resp[0]:   0x00000920 | Resp[1]:  0x001d8a33
+mmc0: sdhci: Resp[2]:   0x325b5900 | Resp[3]:  0x3f400e00
+mmc0: sdhci: Host ctl2: 0x00000000
+mmc0: sdhci: ADMA Err:  0x00000009 | ADMA Ptr: 0x000000236d43820c
+mmc0: sdhci: ============================================
+mmc0: error -5 whilst initialising SD card
+
+but can lead to other errors, and potentially direct the SDHCI
+controller to read/write data to other memory locations (e.g. if a valid
+descriptor is visible to the device in a stale cache line.)
+
+Fix this by ensuring that the DMA snoop bit corresponds with the
+behaviour of the DMA API.  Since the driver currently only supports DT,
+use of_dma_is_coherent().  Note that device_get_dma_attr() can not be
+used as that risks re-introducing this bug if/when the driver is
+converted to ACPI.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -396,7 +396,12 @@ static int esdhc_of_enable_dma(struct sd
+       u32 value;
+       value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
+-      value |= ESDHC_DMA_SNOOP;
++
++      if (of_dma_is_coherent(dev->of_node))
++              value |= ESDHC_DMA_SNOOP;
++      else
++              value &= ~ESDHC_DMA_SNOOP;
++
+       sdhci_writel(host, value, ESDHC_DMA_SYSCTL);
+       return 0;
+ }
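Review bot: `of_dma_is_coherent(dev->of_node)` uses a `dev` that is not declared anywhere in the visible hunk; the context goes straight from `u32 value;` to the `sdhci_readl()` call. The opening of esdhc_of_enable_dma is outside the hunk, so a declaration may exist above `u32 value;`, but if the 4.9 version of the function has none this backport will not build. In that case the patch needs `struct device *dev = mmc_dev(host->mmc);` added next to `u32 value;`. It is also worth confirming that the file already includes the header declaring of_dma_is_coherent(). A compile check of this file on the 4.9 tree before the queue is released would settle both questions.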
index 8fbe2949b452783f6fa5dc4e234ee1924d318431..93fa035890578b202dd9e7c410e6a88ef5a377f6 100644 (file)
@@ -9,3 +9,7 @@ can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch
 crypto-qat-silence-smp_processor_id-warning.patch
 usercopy-avoid-highmem-pfn-warning.patch
 timer-read-jiffies-once-when-forwarding-base-clk.patch
+watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
+mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
+ieee802154-atusb-fix-use-after-free-at-disconnect.patch
+cfg80211-initialize-on-stack-chandefs.patch
diff --git a/queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch b/queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
new file mode 100644 (file)
index 0000000..cc938d3
--- /dev/null
@@ -0,0 +1,53 @@
+From 144783a80cd2cbc45c6ce17db649140b65f203dd Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Mon, 12 Aug 2019 15:13:56 +0200
+Subject: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 144783a80cd2cbc45c6ce17db649140b65f203dd upstream.
+
+Converting from ms to s requires dividing by 1000, not multiplying. So
+this is currently taking the smaller of new_timeout and 1.28e8,
+i.e. effectively new_timeout.
+
+The driver knows what it set max_hw_heartbeat_ms to, so use that
+value instead of doing a division at run-time.
+
+FWIW, this can easily be tested by booting into a busybox shell and
+doing "watchdog -t 5 -T 130 /dev/watchdog" - without this patch, the
+watchdog fires after 130&127 == 2 seconds.
+
+Fixes: b07e228eee69 "watchdog: imx2_wdt: Fix set_timeout for big timeout values"
+Cc: stable@vger.kernel.org # 5.2 plus anything the above got backported to
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20190812131356.23039-1-linux@rasmusvillemoes.dk
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/imx2_wdt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/imx2_wdt.c
++++ b/drivers/watchdog/imx2_wdt.c
+@@ -58,7 +58,7 @@
+ #define IMX2_WDT_WMCR         0x08            /* Misc Register */
+-#define IMX2_WDT_MAX_TIME     128
++#define IMX2_WDT_MAX_TIME     128U
+ #define IMX2_WDT_DEFAULT_TIME 60              /* in seconds */
+ #define WDOG_SEC_TO_COUNT(s)  ((s * 2 - 1) << 8)
+@@ -183,7 +183,7 @@ static int imx2_wdt_set_timeout(struct w
+ {
+       unsigned int actual;
+-      actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000);
++      actual = min(new_timeout, IMX2_WDT_MAX_TIME);
+       __imx2_wdt_set_timeout(wdog, actual);
+       wdog->timeout = new_timeout;
+       return 0;
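Review bot: `IMX2_WDT_MAX_TIME` now carries a `U` suffix and is the clamp in imx2_wdt_set_timeout, but unlike `IMX2_WDT_DEFAULT_TIME` on the next line it has no unit comment and the reason for the suffix is not stated. I would write `#define IMX2_WDT_MAX_TIME 128U /* in seconds; unsigned so min() against new_timeout type-checks */`. The clamp also now depends on this constant staying in step with whatever the driver assigns to `max_hw_heartbeat_ms`, which is set outside the hunks shown. A one-line comment at the `min()` call saying so would keep the two from drifting apart.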