--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:00 +0100
+Subject: arch_topology: Fix section miss match warning due to free_raw_capacity()
+To: stable@vger.kernel.org
+Cc: Prasad Sodagudi <psodagud@codeaurora.org>, Viresh Kumar <viresh.kumar@linaro.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-8-lee.jones@linaro.org>
+
+From: Prasad Sodagudi <psodagud@codeaurora.org>
+
+[ Upstream commit 82d8ba717ccb54dd803624db044f351b2a54d000 ]
+
+Remove the __init annotation from free_raw_capacity() to avoid
+the following warning.
+
+The function init_cpu_capacity_callback() references the
+function __init free_raw_capacity().
+WARNING: vmlinux.o(.text+0x425cc0): Section mismatch in reference
+from the function init_cpu_capacity_callback() to the function
+.init.text:free_raw_capacity().
+
+Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/arch_topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/arch_topology.c
++++ b/drivers/base/arch_topology.c
+@@ -96,7 +96,7 @@ subsys_initcall(register_cpu_capacity_sy
+ static u32 capacity_scale;
+ static u32 *raw_capacity;
+
+-static int __init free_raw_capacity(void)
++static int free_raw_capacity(void)
+ {
+ kfree(raw_capacity);
+ raw_capacity = NULL;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:39:57 +0100
+Subject: arm64: perf: remove unsupported events for Cortex-A73
+To: stable@vger.kernel.org
+Cc: Xu YiPing <xuyiping@hisilicon.com>, Julien Thierry <julien.thierry@arm.com>, Will Deacon <will.deacon@arm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-5-lee.jones@linaro.org>
+
+From: Xu YiPing <xuyiping@hisilicon.com>
+
+[ Upstream commit f8ada189550984ee21f27be736042b74a7da1d68 ]
+
+bus access read/write events are not supported in A73, based on the
+Cortex-A73 TRM r0p2, section 11.9 Events (pages 11-457 to 11-460).
+
+Fixes: 5561b6c5e981 "arm64: perf: add support for Cortex-A73"
+Acked-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/perf_event.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -262,12 +262,6 @@ static const unsigned armv8_a73_perf_cac
+
+ [C(L1D)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_L1D_CACHE_RD,
+ [C(L1D)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_L1D_CACHE_WR,
+-
+- [C(NODE)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_RD,
+- [C(NODE)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_WR,
+-
+- [C(NODE)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_RD,
+- [C(NODE)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_WR,
+ };
+
+ static const unsigned armv8_thunder_perf_cache_map[PERF_COUNT_HW_CACHE_MAX]
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:39:58 +0100
+Subject: arm64: traps: Don't print stack or raw PC/LR values in backtraces
+To: stable@vger.kernel.org
+Cc: Will Deacon <will.deacon@arm.com>, Laura Abbott <labbott@redhat.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-6-lee.jones@linaro.org>
+
+From: Will Deacon <will.deacon@arm.com>
+
+[ Upstream commit a25ffd3a6302a67814280274d8f1aa4ae2ea4b59 ]
+
+Printing raw pointer values in backtraces has potential security
+implications and are of questionable value anyway.
+
+This patch follows x86's lead and removes the "Exception stack:" dump
+from kernel backtraces, as well as converting PC/LR values to symbols
+such as "sysrq_handle_crash+0x20/0x30".
+
+Tested-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/process.c | 8 ++---
+ arch/arm64/kernel/traps.c | 65 ++------------------------------------------
+ 2 files changed, 6 insertions(+), 67 deletions(-)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -186,11 +186,9 @@ void __show_regs(struct pt_regs *regs)
+ }
+
+ show_regs_print_info(KERN_DEFAULT);
+- print_symbol("PC is at %s\n", instruction_pointer(regs));
+- print_symbol("LR is at %s\n", lr);
+- printk("pc : [<%016llx>] lr : [<%016llx>] pstate: %08llx\n",
+- regs->pc, lr, regs->pstate);
+- printk("sp : %016llx\n", sp);
++ print_symbol("pc : %s\n", regs->pc);
++ print_symbol("lr : %s\n", lr);
++ printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);
+
+ i = top_reg;
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -59,55 +59,9 @@ static const char *handler[]= {
+
+ int show_unhandled_signals = 0;
+
+-/*
+- * Dump out the contents of some kernel memory nicely...
+- */
+-static void dump_mem(const char *lvl, const char *str, unsigned long bottom,
+- unsigned long top)
+-{
+- unsigned long first;
+- mm_segment_t fs;
+- int i;
+-
+- /*
+- * We need to switch to kernel mode so that we can use __get_user
+- * to safely read from kernel space.
+- */
+- fs = get_fs();
+- set_fs(KERNEL_DS);
+-
+- printk("%s%s(0x%016lx to 0x%016lx)\n", lvl, str, bottom, top);
+-
+- for (first = bottom & ~31; first < top; first += 32) {
+- unsigned long p;
+- char str[sizeof(" 12345678") * 8 + 1];
+-
+- memset(str, ' ', sizeof(str));
+- str[sizeof(str) - 1] = '\0';
+-
+- for (p = first, i = 0; i < (32 / 8)
+- && p < top; i++, p += 8) {
+- if (p >= bottom && p < top) {
+- unsigned long val;
+-
+- if (__get_user(val, (unsigned long *)p) == 0)
+- sprintf(str + i * 17, " %016lx", val);
+- else
+- sprintf(str + i * 17, " ????????????????");
+- }
+- }
+- printk("%s%04lx:%s\n", lvl, first & 0xffff, str);
+- }
+-
+- set_fs(fs);
+-}
+-
+ static void dump_backtrace_entry(unsigned long where)
+ {
+- /*
+- * Note that 'where' can have a physical address, but it's not handled.
+- */
+- print_ip_sym(where);
++ printk(" %pS\n", (void *)where);
+ }
+
+ static void __dump_instr(const char *lvl, struct pt_regs *regs)
+@@ -177,10 +131,7 @@ void dump_backtrace(struct pt_regs *regs
+ #endif
+
+ printk("Call trace:\n");
+- while (1) {
+- unsigned long stack;
+- int ret;
+-
++ do {
+ /* skip until specified stack frame */
+ if (!skip) {
+ dump_backtrace_entry(frame.pc);
+@@ -195,17 +146,7 @@ void dump_backtrace(struct pt_regs *regs
+ */
+ dump_backtrace_entry(regs->pc);
+ }
+- ret = unwind_frame(tsk, &frame);
+- if (ret < 0)
+- break;
+- if (in_entry_text(frame.pc)) {
+- stack = frame.fp - offsetof(struct pt_regs, stackframe);
+-
+- if (on_accessible_stack(tsk, stack))
+- dump_mem("", "Exception stack", stack,
+- stack + sizeof(struct pt_regs));
+- }
+- }
++ } while (!unwind_frame(tsk, &frame));
+
+ put_task_stack(tsk);
+ }
--- /dev/null
+From 4c8326d5ebb0de3191e98980c80ab644026728d0 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 3 Jan 2018 12:06:15 +0100
+Subject: clk: Fix debugfs_create_*() usage
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 4c8326d5ebb0de3191e98980c80ab644026728d0 upstream.
+
+When exposing data access through debugfs, the correct
+debugfs_create_*() functions must be used, matching the data
+types.
+
+Remove all casts from data pointers passed to debugfs_create_*()
+functions, as such casts prevent the compiler from flagging bugs.
+
+clk_core.rate and .accuracy are "unsigned long", hence casting
+their addresses to "u32 *" exposed the wrong halves on big-endian
+64-bit systems. Fix this by using debugfs_create_ulong() instead.
+
+Octal permissions are preferred, as they are easier to read than
+symbolic permissions. Hence replace "S_IRUGO" by "0444"
+throughout.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+[sboyd@codeaurora.org: Squash the octal change in too]
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2172,18 +2172,16 @@ static int clk_debug_create_one(struct c
+
+ core->dentry = d;
+
+- d = debugfs_create_u32("clk_rate", S_IRUGO, core->dentry,
+- (u32 *)&core->rate);
++ d = debugfs_create_ulong("clk_rate", 0444, core->dentry, &core->rate);
+ if (!d)
+ goto err_out;
+
+- d = debugfs_create_u32("clk_accuracy", S_IRUGO, core->dentry,
+- (u32 *)&core->accuracy);
++ d = debugfs_create_ulong("clk_accuracy", 0444, core->dentry,
++ &core->accuracy);
+ if (!d)
+ goto err_out;
+
+- d = debugfs_create_u32("clk_phase", S_IRUGO, core->dentry,
+- (u32 *)&core->phase);
++ d = debugfs_create_u32("clk_phase", 0444, core->dentry, &core->phase);
+ if (!d)
+ goto err_out;
+
+@@ -2192,23 +2190,23 @@ static int clk_debug_create_one(struct c
+ if (!d)
+ goto err_out;
+
+- d = debugfs_create_u32("clk_prepare_count", S_IRUGO, core->dentry,
+- (u32 *)&core->prepare_count);
++ d = debugfs_create_u32("clk_prepare_count", 0444, core->dentry,
++ &core->prepare_count);
+ if (!d)
+ goto err_out;
+
+- d = debugfs_create_u32("clk_enable_count", S_IRUGO, core->dentry,
+- (u32 *)&core->enable_count);
++ d = debugfs_create_u32("clk_enable_count", 0444, core->dentry,
++ &core->enable_count);
+ if (!d)
+ goto err_out;
+
+- d = debugfs_create_u32("clk_notifier_count", S_IRUGO, core->dentry,
+- (u32 *)&core->notifier_count);
++ d = debugfs_create_u32("clk_notifier_count", 0444, core->dentry,
++ &core->notifier_count);
+ if (!d)
+ goto err_out;
+
+ if (core->num_parents > 1) {
+- d = debugfs_create_file("clk_possible_parents", S_IRUGO,
++ d = debugfs_create_file("clk_possible_parents", 0444,
+ core->dentry, core, &possible_parents_fops);
+ if (!d)
+ goto err_out;
+@@ -2304,22 +2302,22 @@ static int __init clk_debug_init(void)
+ if (!rootdir)
+ return -ENOMEM;
+
+- d = debugfs_create_file("clk_summary", S_IRUGO, rootdir, &all_lists,
++ d = debugfs_create_file("clk_summary", 0444, rootdir, &all_lists,
+ &clk_summary_fops);
+ if (!d)
+ return -ENOMEM;
+
+- d = debugfs_create_file("clk_dump", S_IRUGO, rootdir, &all_lists,
++ d = debugfs_create_file("clk_dump", 0444, rootdir, &all_lists,
+ &clk_dump_fops);
+ if (!d)
+ return -ENOMEM;
+
+- d = debugfs_create_file("clk_orphan_summary", S_IRUGO, rootdir,
++ d = debugfs_create_file("clk_orphan_summary", 0444, rootdir,
+ &orphan_list, &clk_summary_fops);
+ if (!d)
+ return -ENOMEM;
+
+- d = debugfs_create_file("clk_orphan_dump", S_IRUGO, rootdir,
++ d = debugfs_create_file("clk_orphan_dump", 0444, rootdir,
+ &orphan_list, &clk_dump_fops);
+ if (!d)
+ return -ENOMEM;
--- /dev/null
+From 22a07038c0eaf4d1315a493ce66dcd255accba19 Mon Sep 17 00:00:00 2001
+From: Joe Moriarty <joe.moriarty@oracle.com>
+Date: Mon, 12 Feb 2018 14:51:42 -0500
+Subject: drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem
+
+From: Joe Moriarty <joe.moriarty@oracle.com>
+
+commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream.
+
+The Parfait (version 2.1.0) static code analysis tool found the
+following NULL pointer derefernce problem.
+
+- drivers/gpu/drm/drm_dp_mst_topology.c
+The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt()
+could result in a NULL pointer being returned to port->mstb due to a
+failure to allocate memory for port->mstb.
+
+Signed-off-by: Joe Moriarty <joe.moriarty@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180212195144.98323-3-joe.moriarty@oracle.com
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1043,10 +1043,12 @@ static bool drm_dp_port_setup_pdt(struct
+ lct = drm_dp_calculate_rad(port, rad);
+
+ port->mstb = drm_dp_add_mst_branch_device(lct, rad);
+- port->mstb->mgr = port->mgr;
+- port->mstb->port_parent = port;
++ if (port->mstb) {
++ port->mstb->mgr = port->mgr;
++ port->mstb->port_parent = port;
+
+- send_link = true;
++ send_link = true;
++ }
+ break;
+ }
+ return send_link;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:16 +0100
+Subject: of: fix missing kobject init for !SYSFS && OF_DYNAMIC config
+To: stable@vger.kernel.org
+Cc: Rob Herring <robh@kernel.org>, Nicolas Pitre <nico@linaro.org>, Frank Rowand <frowand.list@gmail.com>, Grant Likely <grant.likely@secretlab.ca>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-24-lee.jones@linaro.org>
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ]
+
+The ref counting is broken for OF_DYNAMIC when sysfs is disabled because
+the kobject initialization is skipped. Only the properties
+add/remove/update should be skipped for !SYSFS config.
+
+Tested-by: Nicolas Pitre <nico@linaro.org>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Acked-by: Grant Likely <grant.likely@secretlab.ca>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -169,9 +169,6 @@ int __of_attach_node_sysfs(struct device
+ struct property *pp;
+ int rc;
+
+- if (!IS_ENABLED(CONFIG_SYSFS))
+- return 0;
+-
+ if (!of_kset)
+ return 0;
+
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:39:56 +0100
+Subject: Revert "gpio: set up initial state from .get_direction()"
+To: stable@vger.kernel.org
+Cc: Timur Tabi <timur@codeaurora.org>, Stephen Boyd <sboyd@codeaurora.org>, Linus Walleij <linus.walleij@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-4-lee.jones@linaro.org>
+
+From: Timur Tabi <timur@codeaurora.org>
+
+[ Upstream commit 1ca2a92b2a99323f666f1b669b7484df4bda05e4 ]
+
+This reverts commit 72d3200061776264941be1b5a9bb8e926b3b30a5.
+
+We cannot blindly query the direction of all GPIOs when the pins are
+first registered. The get_direction callback normally triggers a
+read/write to hardware, but we shouldn't be touching the hardware for
+an individual GPIO until after it's been properly claimed.
+
+Signed-off-by: Timur Tabi <timur@codeaurora.org>
+Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 31 +++++++------------------------
+ 1 file changed, 7 insertions(+), 24 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1245,31 +1245,14 @@ int gpiochip_add_data(struct gpio_chip *
+ struct gpio_desc *desc = &gdev->descs[i];
+
+ desc->gdev = gdev;
+- /*
+- * REVISIT: most hardware initializes GPIOs as inputs
+- * (often with pullups enabled) so power usage is
+- * minimized. Linux code should set the gpio direction
+- * first thing; but until it does, and in case
+- * chip->get_direction is not set, we may expose the
+- * wrong direction in sysfs.
+- */
+-
+- if (chip->get_direction) {
+- /*
+- * If we have .get_direction, set up the initial
+- * direction flag from the hardware.
+- */
+- int dir = chip->get_direction(chip, i);
+
+- if (!dir)
+- set_bit(FLAG_IS_OUT, &desc->flags);
+- } else if (!chip->direction_input) {
+- /*
+- * If the chip lacks the .direction_input callback
+- * we logically assume all lines are outputs.
+- */
+- set_bit(FLAG_IS_OUT, &desc->flags);
+- }
++ /* REVISIT: most hardware initializes GPIOs as inputs (often
++ * with pullups enabled) so power usage is minimized. Linux
++ * code should set the gpio direction first thing; but until
++ * it does, and in case chip->get_direction is not set, we may
++ * expose the wrong direction in sysfs.
++ */
++ desc->flags = !chip->direction_input ? (1 << FLAG_IS_OUT) : 0;
+ }
+
+ #ifdef CONFIG_PINCTRL
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:09 +0100
+Subject: rpmsg: glink: Fix missing mutex_init() in qcom_glink_alloc_channel()
+To: stable@vger.kernel.org
+Cc: Wei Yongjun <weiyongjun1@huawei.com>, Bjorn Andersson <bjorn.andersson@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-17-lee.jones@linaro.org>
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fb416f69900773d5a6030c909114099f92d07ab9 ]
+
+qcom_glink_alloc_channel() allocates the mutex but not initialize it.
+Use mutex_init() on it to initialize it correctly.
+
+This is detected by Coccinelle semantic patch.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -221,6 +221,7 @@ static struct glink_channel *qcom_glink_
+ /* Setup glink internal glink_channel data */
+ spin_lock_init(&channel->recv_lock);
+ spin_lock_init(&channel->intent_lock);
++ mutex_init(&channel->intent_req_lock);
+
+ channel->glink = glink;
+ channel->name = kstrdup(name, GFP_KERNEL);
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:10 +0100
+Subject: rpmsg: glink: smem: Ensure ordering during tx
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>, Chris Lew <clew@codeaurora.org>, Arun Kumar Neelakantam <aneela@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-18-lee.jones@linaro.org>
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 9d32497361ff89d2fc8306407de6f04b2bfb2836 ]
+
+Ensure the ordering of the fifo write and the update of the write index,
+so that the index is not updated before the data has landed in the fifo.
+
+Acked-By: Chris Lew <clew@codeaurora.org>
+Reported-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/qcom_glink_smem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/rpmsg/qcom_glink_smem.c
++++ b/drivers/rpmsg/qcom_glink_smem.c
+@@ -181,6 +181,9 @@ static void glink_smem_tx_write(struct q
+ if (head >= pipe->native.length)
+ head -= pipe->native.length;
+
++ /* Ensure ordering of fifo and head update */
++ wmb();
++
+ *pipe->head = cpu_to_le32(head);
+ }
+
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:06 +0100
+Subject: rpmsg: glink: use put_device() if device_register fail
+To: stable@vger.kernel.org
+Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>, Bjorn Andersson <bjorn.andersson@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-14-lee.jones@linaro.org>
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit a9011726c4bb37e5d6a7279bf47fcc19cd9d3e1a ]
+
+if device_register() returned an error! Always use put_device()
+to give up the reference initialized. And unregister device for
+other return error.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/qcom_glink_smem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rpmsg/qcom_glink_smem.c
++++ b/drivers/rpmsg/qcom_glink_smem.c
+@@ -212,6 +212,7 @@ struct qcom_glink *qcom_glink_smem_regis
+ ret = device_register(dev);
+ if (ret) {
+ pr_err("failed to register glink edge\n");
++ put_device(dev);
+ return ERR_PTR(ret);
+ }
+
+@@ -294,7 +295,7 @@ struct qcom_glink *qcom_glink_smem_regis
+ return glink;
+
+ err_put_dev:
+- put_device(dev);
++ device_unregister(dev);
+
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:07 +0100
+Subject: rtc: pm8xxx: Fix issue in RTC write path
+To: stable@vger.kernel.org
+Cc: Mohit Aggarwal <maggarwa@codeaurora.org>, Alexandre Belloni <alexandre.belloni@bootlin.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-15-lee.jones@linaro.org>
+
+From: Mohit Aggarwal <maggarwa@codeaurora.org>
+
+[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ]
+
+In order to set time in rtc, need to disable
+rtc hw before writing into rtc registers.
+
+Also fixes disabling of alarm while setting
+rtc time.
+
+Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pm8xxx.c | 49 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+--- a/drivers/rtc/rtc-pm8xxx.c
++++ b/drivers/rtc/rtc-pm8xxx.c
+@@ -74,16 +74,18 @@ struct pm8xxx_rtc {
+ /*
+ * Steps to write the RTC registers.
+ * 1. Disable alarm if enabled.
+- * 2. Write 0x00 to LSB.
+- * 3. Write Byte[1], Byte[2], Byte[3] then Byte[0].
+- * 4. Enable alarm if disabled in step 1.
++ * 2. Disable rtc if enabled.
++ * 3. Write 0x00 to LSB.
++ * 4. Write Byte[1], Byte[2], Byte[3] then Byte[0].
++ * 5. Enable rtc if disabled in step 2.
++ * 6. Enable alarm if disabled in step 1.
+ */
+ static int pm8xxx_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ {
+ int rc, i;
+ unsigned long secs, irq_flags;
+- u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0;
+- unsigned int ctrl_reg;
++ u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0, rtc_disabled = 0;
++ unsigned int ctrl_reg, rtc_ctrl_reg;
+ struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev);
+ const struct pm8xxx_rtc_regs *regs = rtc_dd->regs;
+
+@@ -92,23 +94,38 @@ static int pm8xxx_rtc_set_time(struct de
+
+ rtc_tm_to_time(tm, &secs);
+
++ dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
++
+ for (i = 0; i < NUM_8_BIT_RTC_REGS; i++) {
+ value[i] = secs & 0xFF;
+ secs >>= 8;
+ }
+
+- dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
+-
+ spin_lock_irqsave(&rtc_dd->ctrl_reg_lock, irq_flags);
+
+- rc = regmap_read(rtc_dd->regmap, regs->ctrl, &ctrl_reg);
++ rc = regmap_read(rtc_dd->regmap, regs->alarm_ctrl, &ctrl_reg);
+ if (rc)
+ goto rtc_rw_fail;
+
+ if (ctrl_reg & regs->alarm_en) {
+ alarm_enabled = 1;
+ ctrl_reg &= ~regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
++ /* Disable RTC H/w before writing on RTC register */
++ rc = regmap_read(rtc_dd->regmap, regs->ctrl, &rtc_ctrl_reg);
++ if (rc)
++ goto rtc_rw_fail;
++
++ if (rtc_ctrl_reg & PM8xxx_RTC_ENABLE) {
++ rtc_disabled = 1;
++ rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
+ if (rc) {
+ dev_err(dev, "Write to RTC control register failed\n");
+ goto rtc_rw_fail;
+@@ -137,11 +154,21 @@ static int pm8xxx_rtc_set_time(struct de
+ goto rtc_rw_fail;
+ }
+
++ /* Enable RTC H/w after writing on RTC register */
++ if (rtc_disabled) {
++ rtc_ctrl_reg |= PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
+ if (alarm_enabled) {
+ ctrl_reg |= regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
+ if (rc) {
+- dev_err(dev, "Write to RTC control register failed\n");
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
+ goto rtc_rw_fail;
+ }
+ }
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:03 +0100
+Subject: scsi: ufs: make sure all interrupts are processed
+To: stable@vger.kernel.org
+Cc: Venkat Gopalakrishnan <venkatg@codeaurora.org>, Asutosh Das <asutoshd@codeaurora.org>, Subhash Jadavani <subhashj@codeaurora.org>, "Martin K . Petersen" <martin.petersen@oracle.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-11-lee.jones@linaro.org>
+
+From: Venkat Gopalakrishnan <venkatg@codeaurora.org>
+
+[ Upstream commit 7f6ba4f12e6cbfdefbb95cfd8fc67ece6c15d799 ]
+
+As multiple requests are submitted to the ufs host controller in
+parallel there could be instances where the command completion interrupt
+arrives later for a request that is already processed earlier as the
+corresponding doorbell was cleared when handling the previous
+interrupt. Read the interrupt status in a loop after processing the
+received interrupt to catch such interrupts and handle it.
+
+Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Reviewed-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5371,19 +5371,30 @@ static irqreturn_t ufshcd_intr(int irq,
+ u32 intr_status, enabled_intr_status;
+ irqreturn_t retval = IRQ_NONE;
+ struct ufs_hba *hba = __hba;
++ int retries = hba->nutrs;
+
+ spin_lock(hba->host->host_lock);
+ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
+- enabled_intr_status =
+- intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+
+- if (intr_status)
+- ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS);
++ /*
++ * There could be max of hba->nutrs reqs in flight and in worst case
++ * if the reqs get finished 1 by 1 after the interrupt status is
++ * read, make sure we handle them by checking the interrupt status
++ * again in a loop until we process all of the reqs before returning.
++ */
++ do {
++ enabled_intr_status =
++ intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
++ if (intr_status)
++ ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS);
++ if (enabled_intr_status) {
++ ufshcd_sl_intr(hba, enabled_intr_status);
++ retval = IRQ_HANDLED;
++ }
++
++ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
++ } while (intr_status && --retries);
+
+- if (enabled_intr_status) {
+- ufshcd_sl_intr(hba, enabled_intr_status);
+- retval = IRQ_HANDLED;
+- }
+ spin_unlock(hba->host->host_lock);
+ return retval;
+ }
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:04 +0100
+Subject: scsi: ufs: ufs-qcom: remove broken hci version quirk
+To: stable@vger.kernel.org
+Cc: Subhash Jadavani <subhashj@codeaurora.org>, Asutosh Das <asutoshd@codeaurora.org>, "Martin K . Petersen" <martin.petersen@oracle.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-12-lee.jones@linaro.org>
+
+From: Subhash Jadavani <subhashj@codeaurora.org>
+
+[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ]
+
+UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host
+controller version 2.x.y and this has been fixed from version 3.x.y
+onwards, hence this change removes this quirk for version 3.x.y onwards.
+
+[mkp: applied by hand]
+
+Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -1094,7 +1094,7 @@ static void ufs_qcom_advertise_quirks(st
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_LCC;
+ }
+
+- if (host->hw_ver.major >= 0x2) {
++ if (host->hw_ver.major == 0x2) {
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION;
+
+ if (!ufs_qcom_cap_qunipro(host))
of-unittest-kmemleak-on-changeset-destroy.patch
lib-raid6-use-vdupq_n_u8-to-avoid-endianness-warnings.patch
video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
+drm-null-pointer-dereference-cwe-476-problem.patch
+clk-fix-debugfs_create_-usage.patch
+revert-gpio-set-up-initial-state-from-.get_direction.patch
+arm64-perf-remove-unsupported-events-for-cortex-a73.patch
+arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch
+arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch
+wil6210-increase-firmware-ready-timeout.patch
+wil6210-fix-temperature-debugfs.patch
+scsi-ufs-make-sure-all-interrupts-are-processed.patch
+scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch
+wil6210-rate-limit-wil_rx_refill-error.patch
+rpmsg-glink-use-put_device-if-device_register-fail.patch
+rtc-pm8xxx-fix-issue-in-rtc-write-path.patch
+rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch
+rpmsg-glink-smem-ensure-ordering-during-tx.patch
+wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch
+wil6210-add-block-size-checks-during-fw-load.patch
+wil6210-fix-length-check-in-__wmi_send.patch
+wil6210-abort-properly-in-cfg-suspend.patch
+soc-qcom-smem-use-le32_to_cpu-for-comparison.patch
+of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:15 +0100
+Subject: soc: qcom: smem: Use le32_to_cpu for comparison
+To: stable@vger.kernel.org
+Cc: Chris Lew <clew@codeaurora.org>, Bjorn Andersson <bjorn.andersson@linaro.org>, Andy Gross <andy.gross@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-23-lee.jones@linaro.org>
+
+From: Chris Lew <clew@codeaurora.org>
+
+[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ]
+
+Endianness can vary in the system, add le32_to_cpu when comparing
+partition sizes from smem.
+
+Signed-off-by: Chris Lew <clew@codeaurora.org>
+Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/smem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/smem.c
++++ b/drivers/soc/qcom/smem.c
+@@ -646,7 +646,7 @@ static int qcom_smem_enumerate_partition
+ return -EINVAL;
+ }
+
+- if (header->size != entry->size) {
++ if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) {
+ dev_err(smem->dev,
+ "Partition %d has invalid size\n", i);
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:14 +0100
+Subject: wil6210: abort properly in cfg suspend
+To: stable@vger.kernel.org
+Cc: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-22-lee.jones@linaro.org>
+
+From: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
+
+[ Upstream commit 144a12a6d83f3ca34ddefce5dee4d502afd2fc5b ]
+
+On-going operations were not aborted properly
+and required locks were not taken.
+
+Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/cfg80211.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
+@@ -1735,9 +1735,12 @@ static int wil_cfg80211_suspend(struct w
+
+ wil_dbg_pm(wil, "suspending\n");
+
+- wil_p2p_stop_discovery(wil);
+-
++ mutex_lock(&wil->mutex);
++ mutex_lock(&wil->p2p_wdev_mutex);
++ wil_p2p_stop_radio_operations(wil);
+ wil_abort_scan(wil, true);
++ mutex_unlock(&wil->p2p_wdev_mutex);
++ mutex_unlock(&wil->mutex);
+
+ out:
+ return rc;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:12 +0100
+Subject: wil6210: add block size checks during FW load
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-20-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ]
+
+When loading FW from file add block size checks to ensure a
+corrupted FW file will not cause the driver to write outside
+the device memory.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/fw_inc.c | 58 +++++++++++++++++++----------
+ drivers/net/wireless/ath/wil6210/wil6210.h | 1
+ drivers/net/wireless/ath/wil6210/wmi.c | 11 +++++
+ 3 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/fw_inc.c
++++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
+@@ -26,14 +26,17 @@
+ prefix_type, rowsize, \
+ groupsize, buf, len, ascii)
+
+-#define FW_ADDR_CHECK(ioaddr, val, msg) do { \
+- ioaddr = wmi_buffer(wil, val); \
+- if (!ioaddr) { \
+- wil_err_fw(wil, "bad " msg ": 0x%08x\n", \
+- le32_to_cpu(val)); \
+- return -EINVAL; \
+- } \
+- } while (0)
++static bool wil_fw_addr_check(struct wil6210_priv *wil,
++ void __iomem **ioaddr, __le32 val,
++ u32 size, const char *msg)
++{
++ *ioaddr = wmi_buffer_block(wil, val, size);
++ if (!(*ioaddr)) {
++ wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val));
++ return false;
++ }
++ return true;
++}
+
+ /**
+ * wil_fw_verify - verify firmware file validity
+@@ -165,7 +168,8 @@ static int fw_handle_data(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+ wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr),
+ s);
+ wil_memcpy_toio_32(dst, d->data, s);
+@@ -197,7 +201,8 @@ static int fw_handle_fill(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+
+ v = le32_to_cpu(d->value);
+ wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n",
+@@ -253,7 +258,8 @@ static int fw_handle_direct_write(struct
+ u32 v = le32_to_cpu(block[i].value);
+ u32 x, y;
+
+- FW_ADDR_CHECK(dst, block[i].addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address"))
++ return -EINVAL;
+
+ x = readl(dst);
+ y = (x & m) | (v & ~m);
+@@ -319,10 +325,15 @@ static int fw_handle_gateway_data(struct
+ wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
+- FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr") ||
++ !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0,
++ "gateway_value_addr") ||
++ !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x"
+ " cmd 0x%08x ctl 0x%08x\n",
+@@ -378,12 +389,19 @@ static int fw_handle_gateway_data4(struc
+ wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr"))
++ return -EINVAL;
+ for (k = 0; k < ARRAY_SIZE(block->value); k++)
+- FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k],
+- "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_val[k],
++ d->gateway_value_addr[k],
++ 0, "gateway_value_addr"))
++ return -EINVAL;
++ if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n",
+ le32_to_cpu(d->gateway_addr_addr),
+--- a/drivers/net/wireless/ath/wil6210/wil6210.h
++++ b/drivers/net/wireless/ath/wil6210/wil6210.h
+@@ -865,6 +865,7 @@ void wil_mbox_ring_le2cpus(struct wil621
+ int wil_find_cid(struct wil6210_priv *wil, const u8 *mac);
+ void wil_set_ethtoolops(struct net_device *ndev);
+
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size);
+ void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr);
+ void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr);
+ int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr,
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -140,13 +140,15 @@ static u32 wmi_addr_remap(u32 x)
+ /**
+ * Check address validity for WMI buffer; remap if needed
+ * @ptr - internal (linker) fw/ucode address
++ * @size - if non zero, validate the block does not
++ * exceed the device memory (bar)
+ *
+ * Valid buffer should be DWORD aligned
+ *
+ * return address for accessing buffer from the host;
+ * if buffer is not valid, return NULL.
+ */
+-void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size)
+ {
+ u32 off;
+ u32 ptr = le32_to_cpu(ptr_);
+@@ -161,10 +163,17 @@ void __iomem *wmi_buffer(struct wil6210_
+ off = HOSTADDR(ptr);
+ if (off > wil->bar_size - 4)
+ return NULL;
++ if (size && ((off + size > wil->bar_size) || (off + size < off)))
++ return NULL;
+
+ return wil->csr + off;
+ }
+
++void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++{
++ return wmi_buffer_block(wil, ptr_, 0);
++}
++
+ /**
+ * Check address validity
+ */
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:13 +0100
+Subject: wil6210: fix length check in __wmi_send
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-21-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]
+
+The current length check:
+sizeof(cmd) + len > r->entry_size
+will allow very large values of len (> U16_MAX - sizeof(cmd))
+and can cause a buffer overflow. Fix the check to cover this case.
+In addition, ensure the mailbox entry_size is not too small,
+since this can also bypass the above check.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 22 +++++++++++++++++++++-
+ drivers/net/wireless/ath/wil6210/wmi.c | 2 +-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -358,6 +358,25 @@ static void wil_cache_mbox_regs(struct w
+ wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx);
+ }
+
++static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
++{
++ size_t min_size = sizeof(struct wil6210_mbox_hdr) +
++ sizeof(struct wmi_cmd_hdr);
++
++ if (wil->mbox_ctl.rx.entry_size < min_size) {
++ wil_err(wil, "rx mbox entry too small (%d)\n",
++ wil->mbox_ctl.rx.entry_size);
++ return false;
++ }
++ if (wil->mbox_ctl.tx.entry_size < min_size) {
++ wil_err(wil, "tx mbox entry too small (%d)\n",
++ wil->mbox_ctl.tx.entry_size);
++ return false;
++ }
++
++ return true;
++}
++
+ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+@@ -393,7 +412,8 @@ static irqreturn_t wil6210_irq_misc(int
+ if (isr & ISR_MISC_FW_READY) {
+ wil_dbg_irq(wil, "IRQ: FW ready\n");
+ wil_cache_mbox_regs(wil);
+- set_bit(wil_status_mbox_ready, wil->status);
++ if (wil_validate_mbox_regs(wil))
++ set_bit(wil_status_mbox_ready, wil->status);
+ /**
+ * Actual FW ready indicated by the
+ * WMI_FW_READY_EVENTID
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -231,7 +231,7 @@ static int __wmi_send(struct wil6210_pri
+ uint retry;
+ int rc = 0;
+
+- if (sizeof(cmd) + len > r->entry_size) {
++ if (len > r->entry_size - sizeof(cmd)) {
+ wil_err(wil, "WMI size too large: %d bytes, max is %d\n",
+ (int)(sizeof(cmd) + len), r->entry_size);
+ return -ERANGE;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:11 +0100
+Subject: wil6210: fix PCIe bus mastering in case of interface down
+To: stable@vger.kernel.org
+Cc: Lazar Alexei <qca_ailizaro@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-19-lee.jones@linaro.org>
+
+From: Lazar Alexei <qca_ailizaro@qca.qualcomm.com>
+
+[ Upstream commit 680c242dc25e036265793edc7d755cfc15afd231 ]
+
+In case of interface down, radio is turned off but PCIe mastering is
+not cleared.
+This can cause unexpected PCIe access to the shutdown device.
+Fix this by clearing PCIe mastering also in case interface is down
+
+Signed-off-by: Lazar Alexei <qca_ailizaro@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/pcie_bus.c | 24 +++++++++++++++---------
+ drivers/net/wireless/ath/wil6210/pm.c | 10 ++--------
+ drivers/net/wireless/ath/wil6210/wil6210.h | 4 ++--
+ 3 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/pcie_bus.c
++++ b/drivers/net/wireless/ath/wil6210/pcie_bus.c
+@@ -393,6 +393,9 @@ static int wil6210_suspend(struct device
+ int rc = 0;
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct wil6210_priv *wil = pci_get_drvdata(pdev);
++ struct net_device *ndev = wil_to_ndev(wil);
++ bool keep_radio_on = ndev->flags & IFF_UP &&
++ wil->keep_radio_on_during_sleep;
+
+ wil_dbg_pm(wil, "suspend: %s\n", is_runtime ? "runtime" : "system");
+
+@@ -400,14 +403,14 @@ static int wil6210_suspend(struct device
+ if (rc)
+ goto out;
+
+- rc = wil_suspend(wil, is_runtime);
++ rc = wil_suspend(wil, is_runtime, keep_radio_on);
+ if (!rc) {
+ wil->suspend_stats.successful_suspends++;
+
+- /* If platform device supports keep_radio_on_during_sleep
+- * it will control PCIe master
++ /* In case radio stays on, platform device will control
++ * PCIe master
+ */
+- if (!wil->keep_radio_on_during_sleep)
++ if (!keep_radio_on)
+ /* disable bus mastering */
+ pci_clear_master(pdev);
+ }
+@@ -420,20 +423,23 @@ static int wil6210_resume(struct device
+ int rc = 0;
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct wil6210_priv *wil = pci_get_drvdata(pdev);
++ struct net_device *ndev = wil_to_ndev(wil);
++ bool keep_radio_on = ndev->flags & IFF_UP &&
++ wil->keep_radio_on_during_sleep;
+
+ wil_dbg_pm(wil, "resume: %s\n", is_runtime ? "runtime" : "system");
+
+- /* If platform device supports keep_radio_on_during_sleep it will
+- * control PCIe master
++ /* In case radio stays on, platform device will control
++ * PCIe master
+ */
+- if (!wil->keep_radio_on_during_sleep)
++ if (!keep_radio_on)
+ /* allow master */
+ pci_set_master(pdev);
+- rc = wil_resume(wil, is_runtime);
++ rc = wil_resume(wil, is_runtime, keep_radio_on);
+ if (rc) {
+ wil_err(wil, "device failed to resume (%d)\n", rc);
+ wil->suspend_stats.failed_resumes++;
+- if (!wil->keep_radio_on_during_sleep)
++ if (!keep_radio_on)
+ pci_clear_master(pdev);
+ } else {
+ wil->suspend_stats.successful_resumes++;
+--- a/drivers/net/wireless/ath/wil6210/pm.c
++++ b/drivers/net/wireless/ath/wil6210/pm.c
+@@ -279,12 +279,9 @@ static int wil_resume_radio_off(struct w
+ return rc;
+ }
+
+-int wil_suspend(struct wil6210_priv *wil, bool is_runtime)
++int wil_suspend(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on)
+ {
+ int rc = 0;
+- struct net_device *ndev = wil_to_ndev(wil);
+- bool keep_radio_on = ndev->flags & IFF_UP &&
+- wil->keep_radio_on_during_sleep;
+
+ wil_dbg_pm(wil, "suspend: %s\n", is_runtime ? "runtime" : "system");
+
+@@ -307,12 +304,9 @@ int wil_suspend(struct wil6210_priv *wil
+ return rc;
+ }
+
+-int wil_resume(struct wil6210_priv *wil, bool is_runtime)
++int wil_resume(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on)
+ {
+ int rc = 0;
+- struct net_device *ndev = wil_to_ndev(wil);
+- bool keep_radio_on = ndev->flags & IFF_UP &&
+- wil->keep_radio_on_during_sleep;
+ unsigned long long suspend_time_usec = 0;
+
+ wil_dbg_pm(wil, "resume: %s\n", is_runtime ? "runtime" : "system");
+--- a/drivers/net/wireless/ath/wil6210/wil6210.h
++++ b/drivers/net/wireless/ath/wil6210/wil6210.h
+@@ -1000,8 +1000,8 @@ int wil_request_firmware(struct wil6210_
+ bool wil_fw_verify_file_exists(struct wil6210_priv *wil, const char *name);
+
+ int wil_can_suspend(struct wil6210_priv *wil, bool is_runtime);
+-int wil_suspend(struct wil6210_priv *wil, bool is_runtime);
+-int wil_resume(struct wil6210_priv *wil, bool is_runtime);
++int wil_suspend(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on);
++int wil_resume(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on);
+ bool wil_is_wmi_idle(struct wil6210_priv *wil);
+ int wmi_resume(struct wil6210_priv *wil);
+ int wmi_suspend(struct wil6210_priv *wil);
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:02 +0100
+Subject: wil6210: fix temperature debugfs
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-10-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ]
+
+For negative temperatures, "temp" debugfs is showing wrong values.
+Use signed types so proper calculations is done for sub zero
+temperatures.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/debugfs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/debugfs.c
++++ b/drivers/net/wireless/ath/wil6210/debugfs.c
+@@ -1093,7 +1093,7 @@ static const struct file_operations fops
+ };
+
+ /*---------temp------------*/
+-static void print_temp(struct seq_file *s, const char *prefix, u32 t)
++static void print_temp(struct seq_file *s, const char *prefix, s32 t)
+ {
+ switch (t) {
+ case 0:
+@@ -1101,7 +1101,8 @@ static void print_temp(struct seq_file *
+ seq_printf(s, "%s N/A\n", prefix);
+ break;
+ default:
+- seq_printf(s, "%s %d.%03d\n", prefix, t / 1000, t % 1000);
++ seq_printf(s, "%s %s%d.%03d\n", prefix, (t < 0 ? "-" : ""),
++ abs(t / 1000), abs(t % 1000));
+ break;
+ }
+ }
+@@ -1109,7 +1110,7 @@ static void print_temp(struct seq_file *
+ static int wil_temp_debugfs_show(struct seq_file *s, void *data)
+ {
+ struct wil6210_priv *wil = s->private;
+- u32 t_m, t_r;
++ s32 t_m, t_r;
+ int rc = wmi_get_temperature(wil, &t_m, &t_r);
+
+ if (rc) {
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:01 +0100
+Subject: wil6210: increase firmware ready timeout
+To: stable@vger.kernel.org
+Cc: Hamad Kadmany <hkadmany@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-9-lee.jones@linaro.org>
+
+From: Hamad Kadmany <hkadmany@codeaurora.org>
+
+[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ]
+
+Firmware ready event may take longer than
+current timeout in some scenarios, for example
+with multiple RFs connected where each
+requires an initial calibration.
+
+Increase the timeout to support these scenarios.
+
+Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -871,7 +871,7 @@ static void wil_bl_crash_info(struct wil
+
+ static int wil_wait_for_fw_ready(struct wil6210_priv *wil)
+ {
+- ulong to = msecs_to_jiffies(1000);
++ ulong to = msecs_to_jiffies(2000);
+ ulong left = wait_for_completion_timeout(&wil->wmi_ready, to);
+
+ if (0 == left) {
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:05 +0100
+Subject: wil6210: rate limit wil_rx_refill error
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-13-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ]
+
+wil_err inside wil_rx_refill can flood the log buffer.
+Replace it with wil_err_ratelimited.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -636,8 +636,8 @@ static int wil_rx_refill(struct wil6210_
+ v->swtail = next_tail) {
+ rc = wil_vring_alloc_skb(wil, v, v->swtail, headroom);
+ if (unlikely(rc)) {
+- wil_err(wil, "Error %d in wil_rx_refill[%d]\n",
+- rc, v->swtail);
++ wil_err_ratelimited(wil, "Error %d in rx refill[%d]\n",
++ rc, v->swtail);
+ break;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
