From 0c1cb669ac2d883c2b5bd1dc1c9229a554a87360 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 8 Oct 2019 19:38:49 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
cfg80211-initialize-on-stack-chandefs.patch
ieee802154-atusb-fix-use-after-free-at-disconnect.patch
mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
---
 ...fg80211-initialize-on-stack-chandefs.patch | 72 ++++++++++++++++++
 ...usb-fix-use-after-free-at-disconnect.patch | 39 ++++++++++
 ...-dma-snooping-based-on-dma-coherence.patch | 74 +++++++++++++++++++
 queue-4.9/series | 4 +
 ...-calculation-in-imx2_wdt_set_timeout.patch | 53 +++++++++++++
 5 files changed, 242 insertions(+)
 create mode 100644 queue-4.9/cfg80211-initialize-on-stack-chandefs.patch
 create mode 100644 queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
 create mode 100644 queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
 create mode 100644 queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
diff --git a/queue-4.9/cfg80211-initialize-on-stack-chandefs.patch b/queue-4.9/cfg80211-initialize-on-stack-chandefs.patch
new file mode 100644
index 00000000000..b8d9b7d1d56
--- /dev/null
+++ b/queue-4.9/cfg80211-initialize-on-stack-chandefs.patch
@@ -0,0 +1,72 @@
+From f43e5210c739fe76a4b0ed851559d6902f20ceb1 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 23 Sep 2019 13:51:16 +0200
+Subject: cfg80211: initialize on-stack chandefs
+
+From: Johannes Berg
+
+commit f43e5210c739fe76a4b0ed851559d6902f20ceb1 upstream.
+
+In a few places we don't properly initialize on-stack chandefs,
+resulting in EDMG data to be non-zero, which broke things.
+
+Additionally, in a few places we rely on the driver to init the
+data completely, but perhaps we shouldn't as non-EDMG drivers
+may not initialize the EDMG data, also initialize it there.
+
+Cc: stable@vger.kernel.org
+Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels")
+Reported-by: Dmitry Osipenko
+Tested-by: Dmitry Osipenko
+Link: https://lore.kernel.org/r/1569239475-I2dcce394ecf873376c386a78f31c2ec8b538fa25@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 4 +++-
+ net/wireless/reg.c | 2 +-
+ net/wireless/wext-compat.c | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2069,6 +2069,8 @@ static int nl80211_parse_chandef(struct
+
+ control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+
++ memset(chandef, 0, sizeof(*chandef));
++
+ chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
+ chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
+ chandef->center_freq1 = control_freq;
+@@ -2538,7 +2540,7 @@ static int nl80211_send_iface(struct sk_
+
+ if (rdev->ops->get_channel) {
+ int ret;
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+
+ ret = rdev_get_channel(rdev, wdev, &chandef);
+ if (ret == 0) {
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1564,7 +1564,7 @@ static void reg_call_notifier(struct wip
+
+ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
+ {
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+ enum nl80211_iftype iftype;
+
+--- a/net/wireless/wext-compat.c
++++ b/net/wireless/wext-compat.c
+@@ -799,7 +799,7 @@ static int cfg80211_wext_giwfreq(struct
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+ int ret;
+
+ switch (wdev->iftype) {
diff --git a/queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch b/queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
new file mode 100644
index 00000000000..60be12ee5e4
--- /dev/null
+++ b/queue-4.9/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
@@ -0,0 +1,39 @@
+From 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 19 Sep 2019 14:12:34 +0200
+Subject: ieee802154: atusb: fix use-after-free at disconnect
+
+From: Johan Hovold
+
+commit 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 upstream.
+
+The disconnect callback was accessing the hardware-descriptor private
+data after having having freed it.
+
+Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
+Cc: stable # 4.2
+Cc: Alexander Aring
+Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ieee802154/atusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -838,10 +838,11 @@ static void atusb_disconnect(struct usb_
+
+ ieee802154_unregister_hw(atusb->hw);
+
++ usb_put_dev(atusb->usb_dev);
++
+ ieee802154_free_hw(atusb->hw);
+
+ usb_set_intfdata(interface, NULL);
+- usb_put_dev(atusb->usb_dev);
+
+ pr_debug("atusb_disconnect done\n");
+ }
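Review bot: The three `struct cfg80211_chan_def chandef = {};` initialisers (nl80211_send_iface, reg_wdev_chan_valid, cfg80211_wext_giwfreq) zero the named members, but the C standard does not guarantee that they clear padding bytes, unlike the `memset(chandef, 0, sizeof(*chandef));` added in nl80211_parse_chandef. That is harmless while the struct is only read member by member, which is all the visible lines show. If any path compares chandefs bytewise or copies the whole object out, `memset(&chandef, 0, sizeof(chandef));` would be the safer and more consistent form. The page also does not show whether the commit named in Fixes: exists in the 4.9 tree, so the backport header could say if this is a fix or hardening only. All four enclosing functions start or end outside their hunks.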
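Review bot: The reordering in atusb_disconnect relies on an ordering rule that nothing in the code records. Per the commit message `atusb` is private data of the hardware descriptor, so no `atusb->` access may follow `ieee802154_free_hw(atusb->hw)`. A one-line comment above that call, for example `/* atusb is freed together with hw: no atusb-> access below this line */`, would keep a later edit from reintroducing the use-after-free. The function begins outside the hunk, so whether any earlier teardown step still needs the reference dropped by `usb_put_dev()` cannot be confirmed from the visible lines.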
diff --git a/queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch b/queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
new file mode 100644
index 00000000000..68fe7d86229
--- /dev/null
+++ b/queue-4.9/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
@@ -0,0 +1,74 @@
+From 121bd08b029e03404c451bb237729cdff76eafed Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Sun, 22 Sep 2019 11:26:58 +0100
+Subject: mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
+
+From: Russell King
+
+commit 121bd08b029e03404c451bb237729cdff76eafed upstream.
+
+We must not unconditionally set the DMA snoop bit; if the DMA API is
+assuming that the device is not DMA coherent, and the device snoops the
+CPU caches, the device can see stale cache lines brought in by
+speculative prefetch.
+
+This leads to the device seeing stale data, potentially resulting in
+corrupted data transfers. Commonly, this results in a descriptor fetch
+error such as:
+
+mmc0: ADMA error
+mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
+mmc0: sdhci: Sys addr: 0x00000000 | Version: 0x00002202
+mmc0: sdhci: Blk size: 0x00000008 | Blk cnt: 0x00000001
+mmc0: sdhci: Argument: 0x00000000 | Trn mode: 0x00000013
+mmc0: sdhci: Present: 0x01f50008 | Host ctl: 0x00000038
+mmc0: sdhci: Power: 0x00000003 | Blk gap: 0x00000000
+mmc0: sdhci: Wake-up: 0x00000000 | Clock: 0x000040d8
+mmc0: sdhci: Timeout: 0x00000003 | Int stat: 0x00000001
+mmc0: sdhci: Int enab: 0x037f108f | Sig enab: 0x037f108b
+mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00002202
+mmc0: sdhci: Caps: 0x35fa0000 | Caps_1: 0x0000af00
+mmc0: sdhci: Cmd: 0x0000333a | Max curr: 0x00000000
+mmc0: sdhci: Resp[0]: 0x00000920 | Resp[1]: 0x001d8a33
+mmc0: sdhci: Resp[2]: 0x325b5900 | Resp[3]: 0x3f400e00
+mmc0: sdhci: Host ctl2: 0x00000000
+mmc0: sdhci: ADMA Err: 0x00000009 | ADMA Ptr: 0x000000236d43820c
+mmc0: sdhci: ============================================
+mmc0: error -5 whilst initialising SD card
+
+but can lead to other errors, and potentially direct the SDHCI
+controller to read/write data to other memory locations (e.g. if a valid
+descriptor is visible to the device in a stale cache line.)
+
+Fix this by ensuring that the DMA snoop bit corresponds with the
+behaviour of the DMA API. Since the driver currently only supports DT,
+use of_dma_is_coherent(). Note that device_get_dma_attr() can not be
+used as that risks re-introducing this bug if/when the driver is
+converted to ACPI.
+
+Signed-off-by: Russell King
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -396,7 +396,12 @@ static int esdhc_of_enable_dma(struct sd
+ u32 value;
+
+ value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
+- value |= ESDHC_DMA_SNOOP;
++
++ if (of_dma_is_coherent(dev->of_node))
++ value |= ESDHC_DMA_SNOOP;
++ else
++ value &= ~ESDHC_DMA_SNOOP;
++
+ sdhci_writel(host, value, ESDHC_DMA_SYSCTL);
+ return 0;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 8fbe2949b45..93fa0358905 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -9,3 +9,7 @@ can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch
 crypto-qat-silence-smp_processor_id-warning.patch
 usercopy-avoid-highmem-pfn-warning.patch
 timer-read-jiffies-once-when-forwarding-base-clk.patch
+watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
+mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
+ieee802154-atusb-fix-use-after-free-at-disconnect.patch
+cfg80211-initialize-on-stack-chandefs.patch
diff --git a/queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch b/queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
new file mode 100644
index 00000000000..cc938d3d1b4
--- /dev/null
+++ b/queue-4.9/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
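Review bot: In the sdhci-of-esdhc patch, the added `of_dma_is_coherent(dev->of_node)` in esdhc_of_enable_dma uses a `dev` that is not declared anywhere in the visible context. The three leading context lines are `u32 value;`, a blank line and the `sdhci_readl()` call, and the function's opening lines are outside the hunk. If the 4.9 version of this function has no `struct device *dev` local, the backport will not build and the queue entry needs adjusting, for example by adding `struct device *dev = mmc_dev(host->mmc);` next to `u32 value;`. Please confirm against the 4.9 tree before release.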
@@ -0,0 +1,53 @@
+From 144783a80cd2cbc45c6ce17db649140b65f203dd Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Mon, 12 Aug 2019 15:13:56 +0200
+Subject: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
+
+From: Rasmus Villemoes
+
+commit 144783a80cd2cbc45c6ce17db649140b65f203dd upstream.
+
+Converting from ms to s requires dividing by 1000, not multiplying. So
+this is currently taking the smaller of new_timeout and 1.28e8,
+i.e. effectively new_timeout.
+
+The driver knows what it set max_hw_heartbeat_ms to, so use that
+value instead of doing a division at run-time.
+
+FWIW, this can easily be tested by booting into a busybox shell and
+doing "watchdog -t 5 -T 130 /dev/watchdog" - without this patch, the
+watchdog fires after 130&127 == 2 seconds.
+
+Fixes: b07e228eee69 "watchdog: imx2_wdt: Fix set_timeout for big timeout values"
+Cc: stable@vger.kernel.org # 5.2 plus anything the above got backported to
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20190812131356.23039-1-linux@rasmusvillemoes.dk
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/watchdog/imx2_wdt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/imx2_wdt.c
++++ b/drivers/watchdog/imx2_wdt.c
+@@ -58,7 +58,7 @@
+
+ #define IMX2_WDT_WMCR 0x08 /* Misc Register */
+
+-#define IMX2_WDT_MAX_TIME 128
++#define IMX2_WDT_MAX_TIME 128U
+ #define IMX2_WDT_DEFAULT_TIME 60 /* in seconds */
+
+ #define WDOG_SEC_TO_COUNT(s) ((s * 2 - 1) << 8)
+@@ -183,7 +183,7 @@ static int imx2_wdt_set_timeout(struct w
+ {
+ unsigned int actual;
+
+- actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000);
++ actual = min(new_timeout, IMX2_WDT_MAX_TIME);
+ __imx2_wdt_set_timeout(wdog, actual);
+ wdog->timeout = new_timeout;
+ return 0;
--
2.47.2
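Review bot: `#define IMX2_WDT_MAX_TIME 128U` changes the constant's type for every user of the macro, not only the new `min(new_timeout, IMX2_WDT_MAX_TIME)` in imx2_wdt_set_timeout, and the define carries no comment saying why. The suffix is presumably there so that both `min()` operands are unsigned, so a note such as `/* in seconds; unsigned to match the timeout type in min() */` would stop it being dropped as cosmetic. Other uses of the macro in the 4.9 file are outside the hunk and should be checked for signed/unsigned comparisons that now behave differently. `wdog->timeout = new_timeout;` still stores the unclamped request, which appears intentional but also deserves a short comment, since the hardware is programmed with `actual`. The function's signature and closing brace lie outside the hunk.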