drop ath wil6210 patches that broke the 4.4 and 4.9 trees
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Apr 2020 18:29:42 +0000 (20:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Apr 2020 18:29:42 +0000 (20:29 +0200)
queue-4.4/series
queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch [deleted file]
queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch [deleted file]
queue-4.9/series
queue-4.9/wil6210-add-block-size-checks-during-fw-load.patch [deleted file]
queue-4.9/wil6210-fix-length-check-in-__wmi_send.patch

index e6082261f4909794c05ac22ed79262741de708a8..c795a318a8b94fe7250c7d01d6d412853377a902 100644 (file)
@@ -78,7 +78,5 @@ wil6210-fix-temperature-debugfs.patch
 scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch
 wil6210-rate-limit-wil_rx_refill-error.patch
 rtc-pm8xxx-fix-issue-in-rtc-write-path.patch
-wil6210-add-block-size-checks-during-fw-load.patch
-wil6210-fix-length-check-in-__wmi_send.patch
 soc-qcom-smem-use-le32_to_cpu-for-comparison.patch
 of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch
diff --git a/queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch b/queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch
deleted file mode 100644 (file)
index d8a61be..0000000
+++ /dev/null
@@ -1,177 +0,0 @@
-From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
-From: Lee Jones <lee.jones@linaro.org>
-Date: Tue, 21 Apr 2020 13:40:12 +0100
-Subject: wil6210: add block size checks during FW load
-To: stable@vger.kernel.org
-Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
-Message-ID: <20200421124017.272694-20-lee.jones@linaro.org>
-
-From: Lior David <qca_liord@qca.qualcomm.com>
-
-[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ]
-
-When loading FW from file add block size checks to ensure a
-corrupted FW file will not cause the driver to write outside
-the device memory.
-
-Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
-Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
-Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/ath/wil6210/fw_inc.c  |   58 +++++++++++++++++++----------
- drivers/net/wireless/ath/wil6210/wil6210.h |    1 
- drivers/net/wireless/ath/wil6210/wmi.c     |   11 +++++
- 3 files changed, 49 insertions(+), 21 deletions(-)
-
---- a/drivers/net/wireless/ath/wil6210/fw_inc.c
-+++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
-@@ -26,14 +26,17 @@
-                                            prefix_type, rowsize,      \
-                                            groupsize, buf, len, ascii)
--#define FW_ADDR_CHECK(ioaddr, val, msg) do { \
--              ioaddr = wmi_buffer(wil, val); \
--              if (!ioaddr) { \
--                      wil_err_fw(wil, "bad " msg ": 0x%08x\n", \
--                                 le32_to_cpu(val)); \
--                      return -EINVAL; \
--              } \
--      } while (0)
-+static bool wil_fw_addr_check(struct wil6210_priv *wil,
-+                            void __iomem **ioaddr, __le32 val,
-+                            u32 size, const char *msg)
-+{
-+      *ioaddr = wmi_buffer_block(wil, val, size);
-+      if (!(*ioaddr)) {
-+              wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val));
-+              return false;
-+      }
-+      return true;
-+}
- /**
-  * wil_fw_verify - verify firmware file validity
-@@ -138,7 +141,8 @@ static int fw_handle_data(struct wil6210
-               return -EINVAL;
-       }
--      FW_ADDR_CHECK(dst, d->addr, "address");
-+      if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr),
-                  s);
-       wil_memcpy_toio_32(dst, d->data, s);
-@@ -170,7 +174,8 @@ static int fw_handle_fill(struct wil6210
-               return -EINVAL;
-       }
--      FW_ADDR_CHECK(dst, d->addr, "address");
-+      if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
-+              return -EINVAL;
-       v = le32_to_cpu(d->value);
-       wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n",
-@@ -219,7 +224,8 @@ static int fw_handle_direct_write(struct
-               u32 v = le32_to_cpu(block[i].value);
-               u32 x, y;
--              FW_ADDR_CHECK(dst, block[i].addr, "address");
-+              if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address"))
-+                      return -EINVAL;
-               x = readl(dst);
-               y = (x & m) | (v & ~m);
-@@ -285,10 +291,15 @@ static int fw_handle_gateway_data(struct
-       wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n",
-                  n, gw_cmd);
--      FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
--      FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr");
--      FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
--      FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
-+      if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
-+                             "gateway_addr_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0,
-+                             "gateway_value_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
-+                             "gateway_cmd_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
-+                             "gateway_ctrl_address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x"
-                  " cmd 0x%08x ctl 0x%08x\n",
-@@ -344,12 +355,19 @@ static int fw_handle_gateway_data4(struc
-       wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n",
-                  n, gw_cmd);
--      FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
-+      if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
-+                             "gateway_addr_addr"))
-+              return -EINVAL;
-       for (k = 0; k < ARRAY_SIZE(block->value); k++)
--              FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k],
--                            "gateway_value_addr");
--      FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
--      FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
-+              if (!wil_fw_addr_check(wil, &gwa_val[k],
-+                                     d->gateway_value_addr[k],
-+                                     0, "gateway_value_addr"))
-+                      return -EINVAL;
-+      if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
-+                             "gateway_cmd_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
-+                             "gateway_ctrl_address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n",
-                  le32_to_cpu(d->gateway_addr_addr),
---- a/drivers/net/wireless/ath/wil6210/wil6210.h
-+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
-@@ -731,6 +731,7 @@ void wil_mbox_ring_le2cpus(struct wil621
- int wil_find_cid(struct wil6210_priv *wil, const u8 *mac);
- void wil_set_ethtoolops(struct net_device *ndev);
-+void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size);
- void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr);
- void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr);
- int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr,
---- a/drivers/net/wireless/ath/wil6210/wmi.c
-+++ b/drivers/net/wireless/ath/wil6210/wmi.c
-@@ -114,13 +114,15 @@ static u32 wmi_addr_remap(u32 x)
- /**
-  * Check address validity for WMI buffer; remap if needed
-  * @ptr - internal (linker) fw/ucode address
-+ * @size - if non zero, validate the block does not
-+ *  exceed the device memory (bar)
-  *
-  * Valid buffer should be DWORD aligned
-  *
-  * return address for accessing buffer from the host;
-  * if buffer is not valid, return NULL.
-  */
--void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
-+void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size)
- {
-       u32 off;
-       u32 ptr = le32_to_cpu(ptr_);
-@@ -135,10 +137,17 @@ void __iomem *wmi_buffer(struct wil6210_
-       off = HOSTADDR(ptr);
-       if (off > WIL6210_MEM_SIZE - 4)
-               return NULL;
-+      if (size && ((off + size > wil->bar_size) || (off + size < off)))
-+              return NULL;
-       return wil->csr + off;
- }
-+void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
-+{
-+      return wmi_buffer_block(wil, ptr_, 0);
-+}
-+
- /**
-  * Check address validity
-  */
diff --git a/queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch b/queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch
deleted file mode 100644 (file)
index 54c34ed..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST
-From: Lee Jones <lee.jones@linaro.org>
-Date: Tue, 21 Apr 2020 13:40:13 +0100
-Subject: wil6210: fix length check in __wmi_send
-To: stable@vger.kernel.org
-Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
-Message-ID: <20200421124017.272694-21-lee.jones@linaro.org>
-
-From: Lior David <qca_liord@qca.qualcomm.com>
-
-[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]
-
-The current length check:
-sizeof(cmd) + len > r->entry_size
-will allow very large values of len (> U16_MAX - sizeof(cmd))
-and can cause a buffer overflow. Fix the check to cover this case.
-In addition, ensure the mailbox entry_size is not too small,
-since this can also bypass the above check.
-
-Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
-Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
-Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/ath/wil6210/interrupt.c |   22 +++++++++++++++++++++-
- drivers/net/wireless/ath/wil6210/wmi.c       |    2 +-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
---- a/drivers/net/wireless/ath/wil6210/interrupt.c
-+++ b/drivers/net/wireless/ath/wil6210/interrupt.c
-@@ -329,6 +329,25 @@ static void wil_cache_mbox_regs(struct w
-       wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx);
- }
-+static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
-+{
-+      size_t min_size = sizeof(struct wil6210_mbox_hdr) +
-+              sizeof(struct wmi_cmd_hdr);
-+
-+      if (wil->mbox_ctl.rx.entry_size < min_size) {
-+              wil_err(wil, "rx mbox entry too small (%d)\n",
-+                      wil->mbox_ctl.rx.entry_size);
-+              return false;
-+      }
-+      if (wil->mbox_ctl.tx.entry_size < min_size) {
-+              wil_err(wil, "tx mbox entry too small (%d)\n",
-+                      wil->mbox_ctl.tx.entry_size);
-+              return false;
-+      }
-+
-+      return true;
-+}
-+
- static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
- {
-       struct wil6210_priv *wil = cookie;
-@@ -364,7 +383,8 @@ static irqreturn_t wil6210_irq_misc(int
-       if (isr & ISR_MISC_FW_READY) {
-               wil_dbg_irq(wil, "IRQ: FW ready\n");
-               wil_cache_mbox_regs(wil);
--              set_bit(wil_status_mbox_ready, wil->status);
-+              if (wil_validate_mbox_regs(wil))
-+                      set_bit(wil_status_mbox_ready, wil->status);
-               /**
-                * Actual FW ready indicated by the
-                * WMI_FW_READY_EVENTID
---- a/drivers/net/wireless/ath/wil6210/wmi.c
-+++ b/drivers/net/wireless/ath/wil6210/wmi.c
-@@ -204,7 +204,7 @@ static int __wmi_send(struct wil6210_pri
-       void __iomem *head = wmi_addr(wil, r->head);
-       uint retry;
--      if (sizeof(cmd) + len > r->entry_size) {
-+      if (len > r->entry_size - sizeof(cmd)) {
-               wil_err(wil, "WMI size too large: %d bytes, max is %d\n",
-                       (int)(sizeof(cmd) + len), r->entry_size);
-               return -ERANGE;
index 9b7fba2bdc2992407bec9fcb4cfcc201a303b2a3..01ac027211313c7249e7a21d0fa7b508d0a084b9 100644 (file)
@@ -95,7 +95,6 @@ scsi-ufs-make-sure-all-interrupts-are-processed.patch
 scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch
 wil6210-rate-limit-wil_rx_refill-error.patch
 rtc-pm8xxx-fix-issue-in-rtc-write-path.patch
-wil6210-add-block-size-checks-during-fw-load.patch
 wil6210-fix-length-check-in-__wmi_send.patch
 soc-qcom-smem-use-le32_to_cpu-for-comparison.patch
 of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch
diff --git a/queue-4.9/wil6210-add-block-size-checks-during-fw-load.patch b/queue-4.9/wil6210-add-block-size-checks-during-fw-load.patch
deleted file mode 100644 (file)
index 6b752b4..0000000
+++ /dev/null
@@ -1,177 +0,0 @@
-From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
-From: Lee Jones <lee.jones@linaro.org>
-Date: Tue, 21 Apr 2020 13:40:12 +0100
-Subject: wil6210: add block size checks during FW load
-To: stable@vger.kernel.org
-Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
-Message-ID: <20200421124017.272694-20-lee.jones@linaro.org>
-
-From: Lior David <qca_liord@qca.qualcomm.com>
-
-[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ]
-
-When loading FW from file add block size checks to ensure a
-corrupted FW file will not cause the driver to write outside
-the device memory.
-
-Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
-Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
-Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/ath/wil6210/fw_inc.c  |   58 +++++++++++++++++++----------
- drivers/net/wireless/ath/wil6210/wil6210.h |    1 
- drivers/net/wireless/ath/wil6210/wmi.c     |   11 +++++
- 3 files changed, 49 insertions(+), 21 deletions(-)
-
---- a/drivers/net/wireless/ath/wil6210/fw_inc.c
-+++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
-@@ -26,14 +26,17 @@
-                                            prefix_type, rowsize,      \
-                                            groupsize, buf, len, ascii)
--#define FW_ADDR_CHECK(ioaddr, val, msg) do { \
--              ioaddr = wmi_buffer(wil, val); \
--              if (!ioaddr) { \
--                      wil_err_fw(wil, "bad " msg ": 0x%08x\n", \
--                                 le32_to_cpu(val)); \
--                      return -EINVAL; \
--              } \
--      } while (0)
-+static bool wil_fw_addr_check(struct wil6210_priv *wil,
-+                            void __iomem **ioaddr, __le32 val,
-+                            u32 size, const char *msg)
-+{
-+      *ioaddr = wmi_buffer_block(wil, val, size);
-+      if (!(*ioaddr)) {
-+              wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val));
-+              return false;
-+      }
-+      return true;
-+}
- /**
-  * wil_fw_verify - verify firmware file validity
-@@ -165,7 +168,8 @@ static int fw_handle_data(struct wil6210
-               return -EINVAL;
-       }
--      FW_ADDR_CHECK(dst, d->addr, "address");
-+      if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr),
-                  s);
-       wil_memcpy_toio_32(dst, d->data, s);
-@@ -197,7 +201,8 @@ static int fw_handle_fill(struct wil6210
-               return -EINVAL;
-       }
--      FW_ADDR_CHECK(dst, d->addr, "address");
-+      if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
-+              return -EINVAL;
-       v = le32_to_cpu(d->value);
-       wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n",
-@@ -253,7 +258,8 @@ static int fw_handle_direct_write(struct
-               u32 v = le32_to_cpu(block[i].value);
-               u32 x, y;
--              FW_ADDR_CHECK(dst, block[i].addr, "address");
-+              if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address"))
-+                      return -EINVAL;
-               x = readl(dst);
-               y = (x & m) | (v & ~m);
-@@ -319,10 +325,15 @@ static int fw_handle_gateway_data(struct
-       wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n",
-                  n, gw_cmd);
--      FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
--      FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr");
--      FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
--      FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
-+      if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
-+                             "gateway_addr_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0,
-+                             "gateway_value_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
-+                             "gateway_cmd_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
-+                             "gateway_ctrl_address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x"
-                  " cmd 0x%08x ctl 0x%08x\n",
-@@ -378,12 +389,19 @@ static int fw_handle_gateway_data4(struc
-       wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n",
-                  n, gw_cmd);
--      FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
-+      if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
-+                             "gateway_addr_addr"))
-+              return -EINVAL;
-       for (k = 0; k < ARRAY_SIZE(block->value); k++)
--              FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k],
--                            "gateway_value_addr");
--      FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
--      FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
-+              if (!wil_fw_addr_check(wil, &gwa_val[k],
-+                                     d->gateway_value_addr[k],
-+                                     0, "gateway_value_addr"))
-+                      return -EINVAL;
-+      if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
-+                             "gateway_cmd_addr") ||
-+          !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
-+                             "gateway_ctrl_address"))
-+              return -EINVAL;
-       wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n",
-                  le32_to_cpu(d->gateway_addr_addr),
---- a/drivers/net/wireless/ath/wil6210/wil6210.h
-+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
-@@ -786,6 +786,7 @@ void wil_mbox_ring_le2cpus(struct wil621
- int wil_find_cid(struct wil6210_priv *wil, const u8 *mac);
- void wil_set_ethtoolops(struct net_device *ndev);
-+void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size);
- void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr);
- void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr);
- int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr,
---- a/drivers/net/wireless/ath/wil6210/wmi.c
-+++ b/drivers/net/wireless/ath/wil6210/wmi.c
-@@ -127,13 +127,15 @@ static u32 wmi_addr_remap(u32 x)
- /**
-  * Check address validity for WMI buffer; remap if needed
-  * @ptr - internal (linker) fw/ucode address
-+ * @size - if non zero, validate the block does not
-+ *  exceed the device memory (bar)
-  *
-  * Valid buffer should be DWORD aligned
-  *
-  * return address for accessing buffer from the host;
-  * if buffer is not valid, return NULL.
-  */
--void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
-+void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size)
- {
-       u32 off;
-       u32 ptr = le32_to_cpu(ptr_);
-@@ -148,10 +150,17 @@ void __iomem *wmi_buffer(struct wil6210_
-       off = HOSTADDR(ptr);
-       if (off > WIL6210_MEM_SIZE - 4)
-               return NULL;
-+      if (size && ((off + size > wil->bar_size) || (off + size < off)))
-+              return NULL;
-       return wil->csr + off;
- }
-+void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
-+{
-+      return wmi_buffer_block(wil, ptr_, 0);
-+}
-+
- /**
-  * Check address validity
-  */
index f777f01cfd93702a420db0aedbfa19f50d33cbe5..1bce5122a74ff219d4f9988fa744110f3bb3cc4a 100644 (file)
@@ -67,7 +67,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
                 * WMI_FW_READY_EVENTID
 --- a/drivers/net/wireless/ath/wil6210/wmi.c
 +++ b/drivers/net/wireless/ath/wil6210/wmi.c
-@@ -218,7 +218,7 @@ static int __wmi_send(struct wil6210_pri
+@@ -209,7 +209,7 @@ static int __wmi_send(struct wil6210_pri
        uint retry;
        int rc = 0;