--- /dev/null
+From 22a07038c0eaf4d1315a493ce66dcd255accba19 Mon Sep 17 00:00:00 2001
+From: Joe Moriarty <joe.moriarty@oracle.com>
+Date: Mon, 12 Feb 2018 14:51:42 -0500
+Subject: drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem
+
+From: Joe Moriarty <joe.moriarty@oracle.com>
+
+commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream.
+
+The Parfait (version 2.1.0) static code analysis tool found the
+following NULL pointer derefernce problem.
+
+- drivers/gpu/drm/drm_dp_mst_topology.c
+The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt()
+could result in a NULL pointer being returned to port->mstb due to a
+failure to allocate memory for port->mstb.
+
+Signed-off-by: Joe Moriarty <joe.moriarty@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180212195144.98323-3-joe.moriarty@oracle.com
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1036,10 +1036,12 @@ static bool drm_dp_port_setup_pdt(struct
+ lct = drm_dp_calculate_rad(port, rad);
+
+ port->mstb = drm_dp_add_mst_branch_device(lct, rad);
+- port->mstb->mgr = port->mgr;
+- port->mstb->port_parent = port;
++ if (port->mstb) {
++ port->mstb->mgr = port->mgr;
++ port->mstb->port_parent = port;
+
+- send_link = true;
++ send_link = true;
++ }
+ break;
+ }
+ return send_link;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:16 +0100
+Subject: of: fix missing kobject init for !SYSFS && OF_DYNAMIC config
+To: stable@vger.kernel.org
+Cc: Rob Herring <robh@kernel.org>, Nicolas Pitre <nico@linaro.org>, Frank Rowand <frowand.list@gmail.com>, Grant Likely <grant.likely@secretlab.ca>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-24-lee.jones@linaro.org>
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ]
+
+The ref counting is broken for OF_DYNAMIC when sysfs is disabled because
+the kobject initialization is skipped. Only the properties
+add/remove/update should be skipped for !SYSFS config.
+
+Tested-by: Nicolas Pitre <nico@linaro.org>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Acked-by: Grant Likely <grant.likely@secretlab.ca>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -167,9 +167,6 @@ int __of_attach_node_sysfs(struct device
+ struct property *pp;
+ int rc;
+
+- if (!IS_ENABLED(CONFIG_SYSFS))
+- return 0;
+-
+ if (!of_kset)
+ return 0;
+
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:07 +0100
+Subject: rtc: pm8xxx: Fix issue in RTC write path
+To: stable@vger.kernel.org
+Cc: Mohit Aggarwal <maggarwa@codeaurora.org>, Alexandre Belloni <alexandre.belloni@bootlin.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-15-lee.jones@linaro.org>
+
+From: Mohit Aggarwal <maggarwa@codeaurora.org>
+
+[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ]
+
+In order to set time in rtc, need to disable
+rtc hw before writing into rtc registers.
+
+Also fixes disabling of alarm while setting
+rtc time.
+
+Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pm8xxx.c | 49 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+--- a/drivers/rtc/rtc-pm8xxx.c
++++ b/drivers/rtc/rtc-pm8xxx.c
+@@ -74,16 +74,18 @@ struct pm8xxx_rtc {
+ /*
+ * Steps to write the RTC registers.
+ * 1. Disable alarm if enabled.
+- * 2. Write 0x00 to LSB.
+- * 3. Write Byte[1], Byte[2], Byte[3] then Byte[0].
+- * 4. Enable alarm if disabled in step 1.
++ * 2. Disable rtc if enabled.
++ * 3. Write 0x00 to LSB.
++ * 4. Write Byte[1], Byte[2], Byte[3] then Byte[0].
++ * 5. Enable rtc if disabled in step 2.
++ * 6. Enable alarm if disabled in step 1.
+ */
+ static int pm8xxx_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ {
+ int rc, i;
+ unsigned long secs, irq_flags;
+- u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0;
+- unsigned int ctrl_reg;
++ u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0, rtc_disabled = 0;
++ unsigned int ctrl_reg, rtc_ctrl_reg;
+ struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev);
+ const struct pm8xxx_rtc_regs *regs = rtc_dd->regs;
+
+@@ -92,23 +94,38 @@ static int pm8xxx_rtc_set_time(struct de
+
+ rtc_tm_to_time(tm, &secs);
+
++ dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
++
+ for (i = 0; i < NUM_8_BIT_RTC_REGS; i++) {
+ value[i] = secs & 0xFF;
+ secs >>= 8;
+ }
+
+- dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
+-
+ spin_lock_irqsave(&rtc_dd->ctrl_reg_lock, irq_flags);
+
+- rc = regmap_read(rtc_dd->regmap, regs->ctrl, &ctrl_reg);
++ rc = regmap_read(rtc_dd->regmap, regs->alarm_ctrl, &ctrl_reg);
+ if (rc)
+ goto rtc_rw_fail;
+
+ if (ctrl_reg & regs->alarm_en) {
+ alarm_enabled = 1;
+ ctrl_reg &= ~regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
++ /* Disable RTC H/w before writing on RTC register */
++ rc = regmap_read(rtc_dd->regmap, regs->ctrl, &rtc_ctrl_reg);
++ if (rc)
++ goto rtc_rw_fail;
++
++ if (rtc_ctrl_reg & PM8xxx_RTC_ENABLE) {
++ rtc_disabled = 1;
++ rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
+ if (rc) {
+ dev_err(dev, "Write to RTC control register failed\n");
+ goto rtc_rw_fail;
+@@ -137,11 +154,21 @@ static int pm8xxx_rtc_set_time(struct de
+ goto rtc_rw_fail;
+ }
+
++ /* Enable RTC H/w after writing on RTC register */
++ if (rtc_disabled) {
++ rtc_ctrl_reg |= PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
+ if (alarm_enabled) {
+ ctrl_reg |= regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
+ if (rc) {
+- dev_err(dev, "Write to RTC control register failed\n");
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
+ goto rtc_rw_fail;
+ }
+ }
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:04 +0100
+Subject: scsi: ufs: ufs-qcom: remove broken hci version quirk
+To: stable@vger.kernel.org
+Cc: Subhash Jadavani <subhashj@codeaurora.org>, Asutosh Das <asutoshd@codeaurora.org>, "Martin K . Petersen" <martin.petersen@oracle.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-12-lee.jones@linaro.org>
+
+From: Subhash Jadavani <subhashj@codeaurora.org>
+
+[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ]
+
+UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host
+controller version 2.x.y and this has been fixed from version 3.x.y
+onwards, hence this change removes this quirk for version 3.x.y onwards.
+
+[mkp: applied by hand]
+
+Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -1032,7 +1032,7 @@ static void ufs_qcom_advertise_quirks(st
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_LCC;
+ }
+
+- if (host->hw_ver.major >= 0x2) {
++ if (host->hw_ver.major == 0x2) {
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION;
+
+ if (!ufs_qcom_cap_qunipro(host))
alsa-hda-don-t-release-card-at-firmware-loading-error.patch
of-unittest-kmemleak-on-changeset-destroy.patch
video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
+drm-null-pointer-dereference-cwe-476-problem.patch
+wil6210-increase-firmware-ready-timeout.patch
+wil6210-fix-temperature-debugfs.patch
+scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch
+wil6210-rate-limit-wil_rx_refill-error.patch
+rtc-pm8xxx-fix-issue-in-rtc-write-path.patch
+wil6210-add-block-size-checks-during-fw-load.patch
+wil6210-fix-length-check-in-__wmi_send.patch
+soc-qcom-smem-use-le32_to_cpu-for-comparison.patch
+of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:15 +0100
+Subject: soc: qcom: smem: Use le32_to_cpu for comparison
+To: stable@vger.kernel.org
+Cc: Chris Lew <clew@codeaurora.org>, Bjorn Andersson <bjorn.andersson@linaro.org>, Andy Gross <andy.gross@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-23-lee.jones@linaro.org>
+
+From: Chris Lew <clew@codeaurora.org>
+
+[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ]
+
+Endianness can vary in the system, add le32_to_cpu when comparing
+partition sizes from smem.
+
+Signed-off-by: Chris Lew <clew@codeaurora.org>
+Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/smem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/smem.c
++++ b/drivers/soc/qcom/smem.c
+@@ -646,7 +646,7 @@ static int qcom_smem_enumerate_partition
+ return -EINVAL;
+ }
+
+- if (header->size != entry->size) {
++ if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) {
+ dev_err(smem->dev,
+ "Partition %d has invalid size\n", i);
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:12 +0100
+Subject: wil6210: add block size checks during FW load
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-20-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ]
+
+When loading FW from file add block size checks to ensure a
+corrupted FW file will not cause the driver to write outside
+the device memory.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/fw_inc.c | 58 +++++++++++++++++++----------
+ drivers/net/wireless/ath/wil6210/wil6210.h | 1
+ drivers/net/wireless/ath/wil6210/wmi.c | 11 +++++
+ 3 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/fw_inc.c
++++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
+@@ -26,14 +26,17 @@
+ prefix_type, rowsize, \
+ groupsize, buf, len, ascii)
+
+-#define FW_ADDR_CHECK(ioaddr, val, msg) do { \
+- ioaddr = wmi_buffer(wil, val); \
+- if (!ioaddr) { \
+- wil_err_fw(wil, "bad " msg ": 0x%08x\n", \
+- le32_to_cpu(val)); \
+- return -EINVAL; \
+- } \
+- } while (0)
++static bool wil_fw_addr_check(struct wil6210_priv *wil,
++ void __iomem **ioaddr, __le32 val,
++ u32 size, const char *msg)
++{
++ *ioaddr = wmi_buffer_block(wil, val, size);
++ if (!(*ioaddr)) {
++ wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val));
++ return false;
++ }
++ return true;
++}
+
+ /**
+ * wil_fw_verify - verify firmware file validity
+@@ -138,7 +141,8 @@ static int fw_handle_data(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+ wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr),
+ s);
+ wil_memcpy_toio_32(dst, d->data, s);
+@@ -170,7 +174,8 @@ static int fw_handle_fill(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+
+ v = le32_to_cpu(d->value);
+ wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n",
+@@ -219,7 +224,8 @@ static int fw_handle_direct_write(struct
+ u32 v = le32_to_cpu(block[i].value);
+ u32 x, y;
+
+- FW_ADDR_CHECK(dst, block[i].addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address"))
++ return -EINVAL;
+
+ x = readl(dst);
+ y = (x & m) | (v & ~m);
+@@ -285,10 +291,15 @@ static int fw_handle_gateway_data(struct
+ wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
+- FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr") ||
++ !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0,
++ "gateway_value_addr") ||
++ !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x"
+ " cmd 0x%08x ctl 0x%08x\n",
+@@ -344,12 +355,19 @@ static int fw_handle_gateway_data4(struc
+ wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr"))
++ return -EINVAL;
+ for (k = 0; k < ARRAY_SIZE(block->value); k++)
+- FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k],
+- "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_val[k],
++ d->gateway_value_addr[k],
++ 0, "gateway_value_addr"))
++ return -EINVAL;
++ if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n",
+ le32_to_cpu(d->gateway_addr_addr),
+--- a/drivers/net/wireless/ath/wil6210/wil6210.h
++++ b/drivers/net/wireless/ath/wil6210/wil6210.h
+@@ -731,6 +731,7 @@ void wil_mbox_ring_le2cpus(struct wil621
+ int wil_find_cid(struct wil6210_priv *wil, const u8 *mac);
+ void wil_set_ethtoolops(struct net_device *ndev);
+
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size);
+ void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr);
+ void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr);
+ int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr,
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -114,13 +114,15 @@ static u32 wmi_addr_remap(u32 x)
+ /**
+ * Check address validity for WMI buffer; remap if needed
+ * @ptr - internal (linker) fw/ucode address
++ * @size - if non zero, validate the block does not
++ * exceed the device memory (bar)
+ *
+ * Valid buffer should be DWORD aligned
+ *
+ * return address for accessing buffer from the host;
+ * if buffer is not valid, return NULL.
+ */
+-void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size)
+ {
+ u32 off;
+ u32 ptr = le32_to_cpu(ptr_);
+@@ -135,10 +137,17 @@ void __iomem *wmi_buffer(struct wil6210_
+ off = HOSTADDR(ptr);
+ if (off > WIL6210_MEM_SIZE - 4)
+ return NULL;
++ if (size && ((off + size > wil->bar_size) || (off + size < off)))
++ return NULL;
+
+ return wil->csr + off;
+ }
+
++void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++{
++ return wmi_buffer_block(wil, ptr_, 0);
++}
++
+ /**
+ * Check address validity
+ */
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:13 +0100
+Subject: wil6210: fix length check in __wmi_send
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-21-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]
+
+The current length check:
+sizeof(cmd) + len > r->entry_size
+will allow very large values of len (> U16_MAX - sizeof(cmd))
+and can cause a buffer overflow. Fix the check to cover this case.
+In addition, ensure the mailbox entry_size is not too small,
+since this can also bypass the above check.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 22 +++++++++++++++++++++-
+ drivers/net/wireless/ath/wil6210/wmi.c | 2 +-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -329,6 +329,25 @@ static void wil_cache_mbox_regs(struct w
+ wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx);
+ }
+
++static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
++{
++ size_t min_size = sizeof(struct wil6210_mbox_hdr) +
++ sizeof(struct wmi_cmd_hdr);
++
++ if (wil->mbox_ctl.rx.entry_size < min_size) {
++ wil_err(wil, "rx mbox entry too small (%d)\n",
++ wil->mbox_ctl.rx.entry_size);
++ return false;
++ }
++ if (wil->mbox_ctl.tx.entry_size < min_size) {
++ wil_err(wil, "tx mbox entry too small (%d)\n",
++ wil->mbox_ctl.tx.entry_size);
++ return false;
++ }
++
++ return true;
++}
++
+ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+@@ -364,7 +383,8 @@ static irqreturn_t wil6210_irq_misc(int
+ if (isr & ISR_MISC_FW_READY) {
+ wil_dbg_irq(wil, "IRQ: FW ready\n");
+ wil_cache_mbox_regs(wil);
+- set_bit(wil_status_mbox_ready, wil->status);
++ if (wil_validate_mbox_regs(wil))
++ set_bit(wil_status_mbox_ready, wil->status);
+ /**
+ * Actual FW ready indicated by the
+ * WMI_FW_READY_EVENTID
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -204,7 +204,7 @@ static int __wmi_send(struct wil6210_pri
+ void __iomem *head = wmi_addr(wil, r->head);
+ uint retry;
+
+- if (sizeof(cmd) + len > r->entry_size) {
++ if (len > r->entry_size - sizeof(cmd)) {
+ wil_err(wil, "WMI size too large: %d bytes, max is %d\n",
+ (int)(sizeof(cmd) + len), r->entry_size);
+ return -ERANGE;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:02 +0100
+Subject: wil6210: fix temperature debugfs
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-10-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ]
+
+For negative temperatures, "temp" debugfs is showing wrong values.
+Use signed types so proper calculations is done for sub zero
+temperatures.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/debugfs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/debugfs.c
++++ b/drivers/net/wireless/ath/wil6210/debugfs.c
+@@ -1088,7 +1088,7 @@ static const struct file_operations fops
+ };
+
+ /*---------temp------------*/
+-static void print_temp(struct seq_file *s, const char *prefix, u32 t)
++static void print_temp(struct seq_file *s, const char *prefix, s32 t)
+ {
+ switch (t) {
+ case 0:
+@@ -1096,7 +1096,8 @@ static void print_temp(struct seq_file *
+ seq_printf(s, "%s N/A\n", prefix);
+ break;
+ default:
+- seq_printf(s, "%s %d.%03d\n", prefix, t / 1000, t % 1000);
++ seq_printf(s, "%s %s%d.%03d\n", prefix, (t < 0 ? "-" : ""),
++ abs(t / 1000), abs(t % 1000));
+ break;
+ }
+ }
+@@ -1104,7 +1105,7 @@ static void print_temp(struct seq_file *
+ static int wil_temp_debugfs_show(struct seq_file *s, void *data)
+ {
+ struct wil6210_priv *wil = s->private;
+- u32 t_m, t_r;
++ s32 t_m, t_r;
+ int rc = wmi_get_temperature(wil, &t_m, &t_r);
+
+ if (rc) {
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:01 +0100
+Subject: wil6210: increase firmware ready timeout
+To: stable@vger.kernel.org
+Cc: Hamad Kadmany <hkadmany@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-9-lee.jones@linaro.org>
+
+From: Hamad Kadmany <hkadmany@codeaurora.org>
+
+[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ]
+
+Firmware ready event may take longer than
+current timeout in some scenarios, for example
+with multiple RFs connected where each
+requires an initial calibration.
+
+Increase the timeout to support these scenarios.
+
+Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -741,7 +741,7 @@ static void wil_bl_crash_info(struct wil
+
+ static int wil_wait_for_fw_ready(struct wil6210_priv *wil)
+ {
+- ulong to = msecs_to_jiffies(1000);
++ ulong to = msecs_to_jiffies(2000);
+ ulong left = wait_for_completion_timeout(&wil->wmi_ready, to);
+
+ if (0 == left) {
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:05 +0100
+Subject: wil6210: rate limit wil_rx_refill error
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-13-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ]
+
+wil_err inside wil_rx_refill can flood the log buffer.
+Replace it with wil_err_ratelimited.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -538,8 +538,8 @@ static int wil_rx_refill(struct wil6210_
+ v->swtail = next_tail) {
+ rc = wil_vring_alloc_skb(wil, v, v->swtail, headroom);
+ if (unlikely(rc)) {
+- wil_err(wil, "Error %d in wil_rx_refill[%d]\n",
+- rc, v->swtail);
++ wil_err_ratelimited(wil, "Error %d in rx refill[%d]\n",
++ rc, v->swtail);
+ break;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
