From: Greg Kroah-Hartman Date: Tue, 21 Apr 2020 17:56:02 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.118~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=71d880424015b2597e91dfb44330d9d894200a90;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: drm-null-pointer-dereference-cwe-476-problem.patch of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch rtc-pm8xxx-fix-issue-in-rtc-write-path.patch scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch soc-qcom-smem-use-le32_to_cpu-for-comparison.patch wil6210-add-block-size-checks-during-fw-load.patch wil6210-fix-length-check-in-__wmi_send.patch wil6210-fix-temperature-debugfs.patch wil6210-increase-firmware-ready-timeout.patch wil6210-rate-limit-wil_rx_refill-error.patch --- diff --git a/queue-4.4/drm-null-pointer-dereference-cwe-476-problem.patch b/queue-4.4/drm-null-pointer-dereference-cwe-476-problem.patch new file mode 100644 index 00000000000..70f2a8d7978 --- /dev/null +++ b/queue-4.4/drm-null-pointer-dereference-cwe-476-problem.patch @@ -0,0 +1,46 @@ +From 22a07038c0eaf4d1315a493ce66dcd255accba19 Mon Sep 17 00:00:00 2001 +From: Joe Moriarty +Date: Mon, 12 Feb 2018 14:51:42 -0500 +Subject: drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem + +From: Joe Moriarty + +commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream. + +The Parfait (version 2.1.0) static code analysis tool found the +following NULL pointer derefernce problem. + +- drivers/gpu/drm/drm_dp_mst_topology.c +The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt() +could result in a NULL pointer being returned to port->mstb due to a +failure to allocate memory for port->mstb. + +Signed-off-by: Joe Moriarty +Reviewed-by: Steven Sistare +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180212195144.98323-3-joe.moriarty@oracle.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1036,10 +1036,12 @@ static bool drm_dp_port_setup_pdt(struct + lct = drm_dp_calculate_rad(port, rad); + + port->mstb = drm_dp_add_mst_branch_device(lct, rad); +- port->mstb->mgr = port->mgr; +- port->mstb->port_parent = port; ++ if (port->mstb) { ++ port->mstb->mgr = port->mgr; ++ port->mstb->port_parent = port; + +- send_link = true; ++ send_link = true; ++ } + break; + } + return send_link; diff --git a/queue-4.4/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch b/queue-4.4/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch new file mode 100644 index 00000000000..3761fa3417d --- /dev/null +++ b/queue-4.4/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:16 +0100 +Subject: of: fix missing kobject init for !SYSFS && OF_DYNAMIC config +To: stable@vger.kernel.org +Cc: Rob Herring , Nicolas Pitre , Frank Rowand , Grant Likely , Lee Jones +Message-ID: <20200421124017.272694-24-lee.jones@linaro.org> + +From: Rob Herring + +[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ] + +The ref counting is broken for OF_DYNAMIC when sysfs is disabled because +the kobject initialization is skipped. Only the properties +add/remove/update should be skipped for !SYSFS config. + +Tested-by: Nicolas Pitre +Reviewed-by: Frank Rowand +Acked-by: Grant Likely +Signed-off-by: Rob Herring +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -167,9 +167,6 @@ int __of_attach_node_sysfs(struct device + struct property *pp; + int rc; + +- if (!IS_ENABLED(CONFIG_SYSFS)) +- return 0; +- + if (!of_kset) + return 0; + diff --git a/queue-4.4/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch b/queue-4.4/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch new file mode 100644 index 00000000000..daa8d7b27af --- /dev/null +++ b/queue-4.4/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch @@ -0,0 +1,119 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:07 +0100 +Subject: rtc: pm8xxx: Fix issue in RTC write path +To: stable@vger.kernel.org +Cc: Mohit Aggarwal , Alexandre Belloni , Lee Jones +Message-ID: <20200421124017.272694-15-lee.jones@linaro.org> + +From: Mohit Aggarwal + +[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ] + +In order to set time in rtc, need to disable +rtc hw before writing into rtc registers. + +Also fixes disabling of alarm while setting +rtc time. + +Signed-off-by: Mohit Aggarwal +Signed-off-by: Alexandre Belloni +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-pm8xxx.c | 49 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +--- a/drivers/rtc/rtc-pm8xxx.c ++++ b/drivers/rtc/rtc-pm8xxx.c +@@ -74,16 +74,18 @@ struct pm8xxx_rtc { + /* + * Steps to write the RTC registers. + * 1. Disable alarm if enabled. +- * 2. Write 0x00 to LSB. +- * 3. Write Byte[1], Byte[2], Byte[3] then Byte[0]. +- * 4. Enable alarm if disabled in step 1. ++ * 2. Disable rtc if enabled. ++ * 3. Write 0x00 to LSB. ++ * 4. Write Byte[1], Byte[2], Byte[3] then Byte[0]. ++ * 5. Enable rtc if disabled in step 2. ++ * 6. Enable alarm if disabled in step 1. + */ + static int pm8xxx_rtc_set_time(struct device *dev, struct rtc_time *tm) + { + int rc, i; + unsigned long secs, irq_flags; +- u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0; +- unsigned int ctrl_reg; ++ u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0, rtc_disabled = 0; ++ unsigned int ctrl_reg, rtc_ctrl_reg; + struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev); + const struct pm8xxx_rtc_regs *regs = rtc_dd->regs; + +@@ -92,23 +94,38 @@ static int pm8xxx_rtc_set_time(struct de + + rtc_tm_to_time(tm, &secs); + ++ dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs); ++ + for (i = 0; i < NUM_8_BIT_RTC_REGS; i++) { + value[i] = secs & 0xFF; + secs >>= 8; + } + +- dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs); +- + spin_lock_irqsave(&rtc_dd->ctrl_reg_lock, irq_flags); + +- rc = regmap_read(rtc_dd->regmap, regs->ctrl, &ctrl_reg); ++ rc = regmap_read(rtc_dd->regmap, regs->alarm_ctrl, &ctrl_reg); + if (rc) + goto rtc_rw_fail; + + if (ctrl_reg & regs->alarm_en) { + alarm_enabled = 1; + ctrl_reg &= ~regs->alarm_en; +- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg); ++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg); ++ if (rc) { ++ dev_err(dev, "Write to RTC Alarm control register failed\n"); ++ goto rtc_rw_fail; ++ } ++ } ++ ++ /* Disable RTC H/w before writing on RTC register */ ++ rc = regmap_read(rtc_dd->regmap, regs->ctrl, &rtc_ctrl_reg); ++ if (rc) ++ goto rtc_rw_fail; ++ ++ if (rtc_ctrl_reg & PM8xxx_RTC_ENABLE) { ++ rtc_disabled = 1; ++ rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE; ++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg); + if (rc) { + dev_err(dev, "Write to RTC control register failed\n"); + goto rtc_rw_fail; +@@ -137,11 +154,21 @@ static int pm8xxx_rtc_set_time(struct de + goto rtc_rw_fail; + } + ++ /* Enable RTC H/w after writing on RTC register */ ++ if (rtc_disabled) { ++ rtc_ctrl_reg |= PM8xxx_RTC_ENABLE; ++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg); ++ if (rc) { ++ dev_err(dev, "Write to RTC control register failed\n"); ++ goto rtc_rw_fail; ++ } ++ } ++ + if (alarm_enabled) { + ctrl_reg |= regs->alarm_en; +- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg); ++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg); + if (rc) { +- dev_err(dev, "Write to RTC control register failed\n"); ++ dev_err(dev, "Write to RTC Alarm control register failed\n"); + goto rtc_rw_fail; + } + } diff --git a/queue-4.4/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch b/queue-4.4/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch new file mode 100644 index 00000000000..2e7c2fba54c --- /dev/null +++ b/queue-4.4/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:04 +0100 +Subject: scsi: ufs: ufs-qcom: remove broken hci version quirk +To: stable@vger.kernel.org +Cc: Subhash Jadavani , Asutosh Das , "Martin K . Petersen" , Lee Jones +Message-ID: <20200421124017.272694-12-lee.jones@linaro.org> + +From: Subhash Jadavani + +[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ] + +UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host +controller version 2.x.y and this has been fixed from version 3.x.y +onwards, hence this change removes this quirk for version 3.x.y onwards. + +[mkp: applied by hand] + +Signed-off-by: Subhash Jadavani +Signed-off-by: Asutosh Das +Signed-off-by: Martin K. Petersen +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1032,7 +1032,7 @@ static void ufs_qcom_advertise_quirks(st + hba->quirks |= UFSHCD_QUIRK_BROKEN_LCC; + } + +- if (host->hw_ver.major >= 0x2) { ++ if (host->hw_ver.major == 0x2) { + hba->quirks |= UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION; + + if (!ufs_qcom_cap_qunipro(host)) diff --git a/queue-4.4/series b/queue-4.4/series index 40c25b1743e..e6082261f49 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -72,3 +72,13 @@ scsi-sg-add-sg_remove_request-in-sg_common_write.patch alsa-hda-don-t-release-card-at-firmware-loading-error.patch of-unittest-kmemleak-on-changeset-destroy.patch video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch +drm-null-pointer-dereference-cwe-476-problem.patch +wil6210-increase-firmware-ready-timeout.patch +wil6210-fix-temperature-debugfs.patch +scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch +wil6210-rate-limit-wil_rx_refill-error.patch +rtc-pm8xxx-fix-issue-in-rtc-write-path.patch +wil6210-add-block-size-checks-during-fw-load.patch +wil6210-fix-length-check-in-__wmi_send.patch +soc-qcom-smem-use-le32_to_cpu-for-comparison.patch +of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch diff --git a/queue-4.4/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch b/queue-4.4/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch new file mode 100644 index 00000000000..a965c97413e --- /dev/null +++ b/queue-4.4/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:15 +0100 +Subject: soc: qcom: smem: Use le32_to_cpu for comparison +To: stable@vger.kernel.org +Cc: Chris Lew , Bjorn Andersson , Andy Gross , Lee Jones +Message-ID: <20200421124017.272694-23-lee.jones@linaro.org> + +From: Chris Lew + +[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ] + +Endianness can vary in the system, add le32_to_cpu when comparing +partition sizes from smem. + +Signed-off-by: Chris Lew +Acked-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/smem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/smem.c ++++ b/drivers/soc/qcom/smem.c +@@ -646,7 +646,7 @@ static int qcom_smem_enumerate_partition + return -EINVAL; + } + +- if (header->size != entry->size) { ++ if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) { + dev_err(smem->dev, + "Partition %d has invalid size\n", i); + return -EINVAL; diff --git a/queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch b/queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch new file mode 100644 index 00000000000..d8a61be082b --- /dev/null +++ b/queue-4.4/wil6210-add-block-size-checks-during-fw-load.patch @@ -0,0 +1,177 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:12 +0100 +Subject: wil6210: add block size checks during FW load +To: stable@vger.kernel.org +Cc: Lior David , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-20-lee.jones@linaro.org> + +From: Lior David + +[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ] + +When loading FW from file add block size checks to ensure a +corrupted FW file will not cause the driver to write outside +the device memory. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/fw_inc.c | 58 +++++++++++++++++++---------- + drivers/net/wireless/ath/wil6210/wil6210.h | 1 + drivers/net/wireless/ath/wil6210/wmi.c | 11 +++++ + 3 files changed, 49 insertions(+), 21 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/fw_inc.c ++++ b/drivers/net/wireless/ath/wil6210/fw_inc.c +@@ -26,14 +26,17 @@ + prefix_type, rowsize, \ + groupsize, buf, len, ascii) + +-#define FW_ADDR_CHECK(ioaddr, val, msg) do { \ +- ioaddr = wmi_buffer(wil, val); \ +- if (!ioaddr) { \ +- wil_err_fw(wil, "bad " msg ": 0x%08x\n", \ +- le32_to_cpu(val)); \ +- return -EINVAL; \ +- } \ +- } while (0) ++static bool wil_fw_addr_check(struct wil6210_priv *wil, ++ void __iomem **ioaddr, __le32 val, ++ u32 size, const char *msg) ++{ ++ *ioaddr = wmi_buffer_block(wil, val, size); ++ if (!(*ioaddr)) { ++ wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val)); ++ return false; ++ } ++ return true; ++} + + /** + * wil_fw_verify - verify firmware file validity +@@ -138,7 +141,8 @@ static int fw_handle_data(struct wil6210 + return -EINVAL; + } + +- FW_ADDR_CHECK(dst, d->addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address")) ++ return -EINVAL; + wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr), + s); + wil_memcpy_toio_32(dst, d->data, s); +@@ -170,7 +174,8 @@ static int fw_handle_fill(struct wil6210 + return -EINVAL; + } + +- FW_ADDR_CHECK(dst, d->addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address")) ++ return -EINVAL; + + v = le32_to_cpu(d->value); + wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n", +@@ -219,7 +224,8 @@ static int fw_handle_direct_write(struct + u32 v = le32_to_cpu(block[i].value); + u32 x, y; + +- FW_ADDR_CHECK(dst, block[i].addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address")) ++ return -EINVAL; + + x = readl(dst); + y = (x & m) | (v & ~m); +@@ -285,10 +291,15 @@ static int fw_handle_gateway_data(struct + wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n", + n, gw_cmd); + +- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr"); +- FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr"); +- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr"); +- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address"); ++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0, ++ "gateway_addr_addr") || ++ !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0, ++ "gateway_value_addr") || ++ !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0, ++ "gateway_cmd_addr") || ++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0, ++ "gateway_ctrl_address")) ++ return -EINVAL; + + wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x" + " cmd 0x%08x ctl 0x%08x\n", +@@ -344,12 +355,19 @@ static int fw_handle_gateway_data4(struc + wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n", + n, gw_cmd); + +- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr"); ++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0, ++ "gateway_addr_addr")) ++ return -EINVAL; + for (k = 0; k < ARRAY_SIZE(block->value); k++) +- FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k], +- "gateway_value_addr"); +- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr"); +- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address"); ++ if (!wil_fw_addr_check(wil, &gwa_val[k], ++ d->gateway_value_addr[k], ++ 0, "gateway_value_addr")) ++ return -EINVAL; ++ if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0, ++ "gateway_cmd_addr") || ++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0, ++ "gateway_ctrl_address")) ++ return -EINVAL; + + wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n", + le32_to_cpu(d->gateway_addr_addr), +--- a/drivers/net/wireless/ath/wil6210/wil6210.h ++++ b/drivers/net/wireless/ath/wil6210/wil6210.h +@@ -731,6 +731,7 @@ void wil_mbox_ring_le2cpus(struct wil621 + int wil_find_cid(struct wil6210_priv *wil, const u8 *mac); + void wil_set_ethtoolops(struct net_device *ndev); + ++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size); + void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr); + void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr); + int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr, +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -114,13 +114,15 @@ static u32 wmi_addr_remap(u32 x) + /** + * Check address validity for WMI buffer; remap if needed + * @ptr - internal (linker) fw/ucode address ++ * @size - if non zero, validate the block does not ++ * exceed the device memory (bar) + * + * Valid buffer should be DWORD aligned + * + * return address for accessing buffer from the host; + * if buffer is not valid, return NULL. + */ +-void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) ++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size) + { + u32 off; + u32 ptr = le32_to_cpu(ptr_); +@@ -135,10 +137,17 @@ void __iomem *wmi_buffer(struct wil6210_ + off = HOSTADDR(ptr); + if (off > WIL6210_MEM_SIZE - 4) + return NULL; ++ if (size && ((off + size > wil->bar_size) || (off + size < off))) ++ return NULL; + + return wil->csr + off; + } + ++void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) ++{ ++ return wmi_buffer_block(wil, ptr_, 0); ++} ++ + /** + * Check address validity + */ diff --git a/queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch b/queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch new file mode 100644 index 00000000000..54c34eda15d --- /dev/null +++ b/queue-4.4/wil6210-fix-length-check-in-__wmi_send.patch @@ -0,0 +1,78 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:13 +0100 +Subject: wil6210: fix length check in __wmi_send +To: stable@vger.kernel.org +Cc: Lior David , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-21-lee.jones@linaro.org> + +From: Lior David + +[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ] + +The current length check: +sizeof(cmd) + len > r->entry_size +will allow very large values of len (> U16_MAX - sizeof(cmd)) +and can cause a buffer overflow. Fix the check to cover this case. +In addition, ensure the mailbox entry_size is not too small, +since this can also bypass the above check. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/interrupt.c | 22 +++++++++++++++++++++- + drivers/net/wireless/ath/wil6210/wmi.c | 2 +- + 2 files changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/interrupt.c ++++ b/drivers/net/wireless/ath/wil6210/interrupt.c +@@ -329,6 +329,25 @@ static void wil_cache_mbox_regs(struct w + wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx); + } + ++static bool wil_validate_mbox_regs(struct wil6210_priv *wil) ++{ ++ size_t min_size = sizeof(struct wil6210_mbox_hdr) + ++ sizeof(struct wmi_cmd_hdr); ++ ++ if (wil->mbox_ctl.rx.entry_size < min_size) { ++ wil_err(wil, "rx mbox entry too small (%d)\n", ++ wil->mbox_ctl.rx.entry_size); ++ return false; ++ } ++ if (wil->mbox_ctl.tx.entry_size < min_size) { ++ wil_err(wil, "tx mbox entry too small (%d)\n", ++ wil->mbox_ctl.tx.entry_size); ++ return false; ++ } ++ ++ return true; ++} ++ + static irqreturn_t wil6210_irq_misc(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +@@ -364,7 +383,8 @@ static irqreturn_t wil6210_irq_misc(int + if (isr & ISR_MISC_FW_READY) { + wil_dbg_irq(wil, "IRQ: FW ready\n"); + wil_cache_mbox_regs(wil); +- set_bit(wil_status_mbox_ready, wil->status); ++ if (wil_validate_mbox_regs(wil)) ++ set_bit(wil_status_mbox_ready, wil->status); + /** + * Actual FW ready indicated by the + * WMI_FW_READY_EVENTID +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -204,7 +204,7 @@ static int __wmi_send(struct wil6210_pri + void __iomem *head = wmi_addr(wil, r->head); + uint retry; + +- if (sizeof(cmd) + len > r->entry_size) { ++ if (len > r->entry_size - sizeof(cmd)) { + wil_err(wil, "WMI size too large: %d bytes, max is %d\n", + (int)(sizeof(cmd) + len), r->entry_size); + return -ERANGE; diff --git a/queue-4.4/wil6210-fix-temperature-debugfs.patch b/queue-4.4/wil6210-fix-temperature-debugfs.patch new file mode 100644 index 00000000000..371e067cb9c --- /dev/null +++ b/queue-4.4/wil6210-fix-temperature-debugfs.patch @@ -0,0 +1,55 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:02 +0100 +Subject: wil6210: fix temperature debugfs +To: stable@vger.kernel.org +Cc: Dedy Lansky , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-10-lee.jones@linaro.org> + +From: Dedy Lansky + +[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ] + +For negative temperatures, "temp" debugfs is showing wrong values. +Use signed types so proper calculations is done for sub zero +temperatures. + +Signed-off-by: Dedy Lansky +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/debugfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/debugfs.c ++++ b/drivers/net/wireless/ath/wil6210/debugfs.c +@@ -1088,7 +1088,7 @@ static const struct file_operations fops + }; + + /*---------temp------------*/ +-static void print_temp(struct seq_file *s, const char *prefix, u32 t) ++static void print_temp(struct seq_file *s, const char *prefix, s32 t) + { + switch (t) { + case 0: +@@ -1096,7 +1096,8 @@ static void print_temp(struct seq_file * + seq_printf(s, "%s N/A\n", prefix); + break; + default: +- seq_printf(s, "%s %d.%03d\n", prefix, t / 1000, t % 1000); ++ seq_printf(s, "%s %s%d.%03d\n", prefix, (t < 0 ? "-" : ""), ++ abs(t / 1000), abs(t % 1000)); + break; + } + } +@@ -1104,7 +1105,7 @@ static void print_temp(struct seq_file * + static int wil_temp_debugfs_show(struct seq_file *s, void *data) + { + struct wil6210_priv *wil = s->private; +- u32 t_m, t_r; ++ s32 t_m, t_r; + int rc = wmi_get_temperature(wil, &t_m, &t_r); + + if (rc) { diff --git a/queue-4.4/wil6210-increase-firmware-ready-timeout.patch b/queue-4.4/wil6210-increase-firmware-ready-timeout.patch new file mode 100644 index 00000000000..555d0b65843 --- /dev/null +++ b/queue-4.4/wil6210-increase-firmware-ready-timeout.patch @@ -0,0 +1,39 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:01 +0100 +Subject: wil6210: increase firmware ready timeout +To: stable@vger.kernel.org +Cc: Hamad Kadmany , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-9-lee.jones@linaro.org> + +From: Hamad Kadmany + +[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ] + +Firmware ready event may take longer than +current timeout in some scenarios, for example +with multiple RFs connected where each +requires an initial calibration. + +Increase the timeout to support these scenarios. + +Signed-off-by: Hamad Kadmany +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/wil6210/main.c ++++ b/drivers/net/wireless/ath/wil6210/main.c +@@ -741,7 +741,7 @@ static void wil_bl_crash_info(struct wil + + static int wil_wait_for_fw_ready(struct wil6210_priv *wil) + { +- ulong to = msecs_to_jiffies(1000); ++ ulong to = msecs_to_jiffies(2000); + ulong left = wait_for_completion_timeout(&wil->wmi_ready, to); + + if (0 == left) { diff --git a/queue-4.4/wil6210-rate-limit-wil_rx_refill-error.patch b/queue-4.4/wil6210-rate-limit-wil_rx_refill-error.patch new file mode 100644 index 00000000000..1989623b546 --- /dev/null +++ b/queue-4.4/wil6210-rate-limit-wil_rx_refill-error.patch @@ -0,0 +1,37 @@ +From foo@baz Tue 21 Apr 2020 07:51:27 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:05 +0100 +Subject: wil6210: rate limit wil_rx_refill error +To: stable@vger.kernel.org +Cc: Dedy Lansky , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-13-lee.jones@linaro.org> + +From: Dedy Lansky + +[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ] + +wil_err inside wil_rx_refill can flood the log buffer. +Replace it with wil_err_ratelimited. + +Signed-off-by: Dedy Lansky +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/txrx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/txrx.c ++++ b/drivers/net/wireless/ath/wil6210/txrx.c +@@ -538,8 +538,8 @@ static int wil_rx_refill(struct wil6210_ + v->swtail = next_tail) { + rc = wil_vring_alloc_skb(wil, v, v->swtail, headroom); + if (unlikely(rc)) { +- wil_err(wil, "Error %d in wil_rx_refill[%d]\n", +- rc, v->swtail); ++ wil_err_ratelimited(wil, "Error %d in rx refill[%d]\n", ++ rc, v->swtail); + break; + } + }