From: Greg Kroah-Hartman Date: Tue, 21 Apr 2020 17:47:37 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.19.118~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a639dd4ce2ae16ff3c10a8799fe36cf3f3b390f5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch arm64-perf-remove-unsupported-events-for-cortex-a73.patch arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch clk-fix-debugfs_create_-usage.patch drm-null-pointer-dereference-cwe-476-problem.patch of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch revert-gpio-set-up-initial-state-from-.get_direction.patch rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch rpmsg-glink-smem-ensure-ordering-during-tx.patch rpmsg-glink-use-put_device-if-device_register-fail.patch rtc-pm8xxx-fix-issue-in-rtc-write-path.patch scsi-ufs-make-sure-all-interrupts-are-processed.patch scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch soc-qcom-smem-use-le32_to_cpu-for-comparison.patch wil6210-abort-properly-in-cfg-suspend.patch wil6210-add-block-size-checks-during-fw-load.patch wil6210-fix-length-check-in-__wmi_send.patch wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch wil6210-fix-temperature-debugfs.patch wil6210-increase-firmware-ready-timeout.patch wil6210-rate-limit-wil_rx_refill-error.patch --- diff --git a/queue-4.14/arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch b/queue-4.14/arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch new file mode 100644 index 00000000000..bdca1eac686 --- /dev/null +++ b/queue-4.14/arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:00 +0100 +Subject: arch_topology: Fix section miss match warning due to free_raw_capacity() +To: stable@vger.kernel.org +Cc: Prasad Sodagudi , Viresh Kumar , Greg Kroah-Hartman , Lee Jones +Message-ID: <20200421124017.272694-8-lee.jones@linaro.org> + +From: Prasad Sodagudi + +[ Upstream commit 82d8ba717ccb54dd803624db044f351b2a54d000 ] + +Remove the __init annotation from free_raw_capacity() to avoid +the following warning. + +The function init_cpu_capacity_callback() references the +function __init free_raw_capacity(). +WARNING: vmlinux.o(.text+0x425cc0): Section mismatch in reference +from the function init_cpu_capacity_callback() to the function +.init.text:free_raw_capacity(). + +Signed-off-by: Prasad Sodagudi +Acked-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/arch_topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/arch_topology.c ++++ b/drivers/base/arch_topology.c +@@ -96,7 +96,7 @@ subsys_initcall(register_cpu_capacity_sy + static u32 capacity_scale; + static u32 *raw_capacity; + +-static int __init free_raw_capacity(void) ++static int free_raw_capacity(void) + { + kfree(raw_capacity); + raw_capacity = NULL; diff --git a/queue-4.14/arm64-perf-remove-unsupported-events-for-cortex-a73.patch b/queue-4.14/arm64-perf-remove-unsupported-events-for-cortex-a73.patch new file mode 100644 index 00000000000..2a51c813bff --- /dev/null +++ b/queue-4.14/arm64-perf-remove-unsupported-events-for-cortex-a73.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:39:57 +0100 +Subject: arm64: perf: remove unsupported events for Cortex-A73 +To: stable@vger.kernel.org +Cc: Xu YiPing , Julien Thierry , Will Deacon , Lee Jones +Message-ID: <20200421124017.272694-5-lee.jones@linaro.org> + +From: Xu YiPing + +[ Upstream commit f8ada189550984ee21f27be736042b74a7da1d68 ] + +bus access read/write events are not supported in A73, based on the +Cortex-A73 TRM r0p2, section 11.9 Events (pages 11-457 to 11-460). + +Fixes: 5561b6c5e981 "arm64: perf: add support for Cortex-A73" +Acked-by: Julien Thierry +Signed-off-by: Xu YiPing +Signed-off-by: Will Deacon +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/perf_event.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -262,12 +262,6 @@ static const unsigned armv8_a73_perf_cac + + [C(L1D)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_L1D_CACHE_RD, + [C(L1D)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_L1D_CACHE_WR, +- +- [C(NODE)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_RD, +- [C(NODE)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_WR, +- +- [C(NODE)][C(OP_READ)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_RD, +- [C(NODE)][C(OP_WRITE)][C(RESULT_ACCESS)] = ARMV8_IMPDEF_PERFCTR_BUS_ACCESS_WR, + }; + + static const unsigned armv8_thunder_perf_cache_map[PERF_COUNT_HW_CACHE_MAX] diff --git a/queue-4.14/arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch b/queue-4.14/arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch new file mode 100644 index 00000000000..d99bf76566c --- /dev/null +++ b/queue-4.14/arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch @@ -0,0 +1,135 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:39:58 +0100 +Subject: arm64: traps: Don't print stack or raw PC/LR values in backtraces +To: stable@vger.kernel.org +Cc: Will Deacon , Laura Abbott , Lee Jones +Message-ID: <20200421124017.272694-6-lee.jones@linaro.org> + +From: Will Deacon + +[ Upstream commit a25ffd3a6302a67814280274d8f1aa4ae2ea4b59 ] + +Printing raw pointer values in backtraces has potential security +implications and are of questionable value anyway. + +This patch follows x86's lead and removes the "Exception stack:" dump +from kernel backtraces, as well as converting PC/LR values to symbols +such as "sysrq_handle_crash+0x20/0x30". + +Tested-by: Laura Abbott +Signed-off-by: Will Deacon +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/process.c | 8 ++--- + arch/arm64/kernel/traps.c | 65 ++------------------------------------------ + 2 files changed, 6 insertions(+), 67 deletions(-) + +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -186,11 +186,9 @@ void __show_regs(struct pt_regs *regs) + } + + show_regs_print_info(KERN_DEFAULT); +- print_symbol("PC is at %s\n", instruction_pointer(regs)); +- print_symbol("LR is at %s\n", lr); +- printk("pc : [<%016llx>] lr : [<%016llx>] pstate: %08llx\n", +- regs->pc, lr, regs->pstate); +- printk("sp : %016llx\n", sp); ++ print_symbol("pc : %s\n", regs->pc); ++ print_symbol("lr : %s\n", lr); ++ printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate); + + i = top_reg; + +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -59,55 +59,9 @@ static const char *handler[]= { + + int show_unhandled_signals = 0; + +-/* +- * Dump out the contents of some kernel memory nicely... +- */ +-static void dump_mem(const char *lvl, const char *str, unsigned long bottom, +- unsigned long top) +-{ +- unsigned long first; +- mm_segment_t fs; +- int i; +- +- /* +- * We need to switch to kernel mode so that we can use __get_user +- * to safely read from kernel space. +- */ +- fs = get_fs(); +- set_fs(KERNEL_DS); +- +- printk("%s%s(0x%016lx to 0x%016lx)\n", lvl, str, bottom, top); +- +- for (first = bottom & ~31; first < top; first += 32) { +- unsigned long p; +- char str[sizeof(" 12345678") * 8 + 1]; +- +- memset(str, ' ', sizeof(str)); +- str[sizeof(str) - 1] = '\0'; +- +- for (p = first, i = 0; i < (32 / 8) +- && p < top; i++, p += 8) { +- if (p >= bottom && p < top) { +- unsigned long val; +- +- if (__get_user(val, (unsigned long *)p) == 0) +- sprintf(str + i * 17, " %016lx", val); +- else +- sprintf(str + i * 17, " ????????????????"); +- } +- } +- printk("%s%04lx:%s\n", lvl, first & 0xffff, str); +- } +- +- set_fs(fs); +-} +- + static void dump_backtrace_entry(unsigned long where) + { +- /* +- * Note that 'where' can have a physical address, but it's not handled. +- */ +- print_ip_sym(where); ++ printk(" %pS\n", (void *)where); + } + + static void __dump_instr(const char *lvl, struct pt_regs *regs) +@@ -177,10 +131,7 @@ void dump_backtrace(struct pt_regs *regs + #endif + + printk("Call trace:\n"); +- while (1) { +- unsigned long stack; +- int ret; +- ++ do { + /* skip until specified stack frame */ + if (!skip) { + dump_backtrace_entry(frame.pc); +@@ -195,17 +146,7 @@ void dump_backtrace(struct pt_regs *regs + */ + dump_backtrace_entry(regs->pc); + } +- ret = unwind_frame(tsk, &frame); +- if (ret < 0) +- break; +- if (in_entry_text(frame.pc)) { +- stack = frame.fp - offsetof(struct pt_regs, stackframe); +- +- if (on_accessible_stack(tsk, stack)) +- dump_mem("", "Exception stack", stack, +- stack + sizeof(struct pt_regs)); +- } +- } ++ } while (!unwind_frame(tsk, &frame)); + + put_task_stack(tsk); + } diff --git a/queue-4.14/clk-fix-debugfs_create_-usage.patch b/queue-4.14/clk-fix-debugfs_create_-usage.patch new file mode 100644 index 00000000000..16d580b6e27 --- /dev/null +++ b/queue-4.14/clk-fix-debugfs_create_-usage.patch @@ -0,0 +1,116 @@ +From 4c8326d5ebb0de3191e98980c80ab644026728d0 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 3 Jan 2018 12:06:15 +0100 +Subject: clk: Fix debugfs_create_*() usage + +From: Geert Uytterhoeven + +commit 4c8326d5ebb0de3191e98980c80ab644026728d0 upstream. + +When exposing data access through debugfs, the correct +debugfs_create_*() functions must be used, matching the data +types. + +Remove all casts from data pointers passed to debugfs_create_*() +functions, as such casts prevent the compiler from flagging bugs. + +clk_core.rate and .accuracy are "unsigned long", hence casting +their addresses to "u32 *" exposed the wrong halves on big-endian +64-bit systems. Fix this by using debugfs_create_ulong() instead. + +Octal permissions are preferred, as they are easier to read than +symbolic permissions. Hence replace "S_IRUGO" by "0444" +throughout. + +Signed-off-by: Geert Uytterhoeven +[sboyd@codeaurora.org: Squash the octal change in too] +Signed-off-by: Stephen Boyd +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2172,18 +2172,16 @@ static int clk_debug_create_one(struct c + + core->dentry = d; + +- d = debugfs_create_u32("clk_rate", S_IRUGO, core->dentry, +- (u32 *)&core->rate); ++ d = debugfs_create_ulong("clk_rate", 0444, core->dentry, &core->rate); + if (!d) + goto err_out; + +- d = debugfs_create_u32("clk_accuracy", S_IRUGO, core->dentry, +- (u32 *)&core->accuracy); ++ d = debugfs_create_ulong("clk_accuracy", 0444, core->dentry, ++ &core->accuracy); + if (!d) + goto err_out; + +- d = debugfs_create_u32("clk_phase", S_IRUGO, core->dentry, +- (u32 *)&core->phase); ++ d = debugfs_create_u32("clk_phase", 0444, core->dentry, &core->phase); + if (!d) + goto err_out; + +@@ -2192,23 +2190,23 @@ static int clk_debug_create_one(struct c + if (!d) + goto err_out; + +- d = debugfs_create_u32("clk_prepare_count", S_IRUGO, core->dentry, +- (u32 *)&core->prepare_count); ++ d = debugfs_create_u32("clk_prepare_count", 0444, core->dentry, ++ &core->prepare_count); + if (!d) + goto err_out; + +- d = debugfs_create_u32("clk_enable_count", S_IRUGO, core->dentry, +- (u32 *)&core->enable_count); ++ d = debugfs_create_u32("clk_enable_count", 0444, core->dentry, ++ &core->enable_count); + if (!d) + goto err_out; + +- d = debugfs_create_u32("clk_notifier_count", S_IRUGO, core->dentry, +- (u32 *)&core->notifier_count); ++ d = debugfs_create_u32("clk_notifier_count", 0444, core->dentry, ++ &core->notifier_count); + if (!d) + goto err_out; + + if (core->num_parents > 1) { +- d = debugfs_create_file("clk_possible_parents", S_IRUGO, ++ d = debugfs_create_file("clk_possible_parents", 0444, + core->dentry, core, &possible_parents_fops); + if (!d) + goto err_out; +@@ -2304,22 +2302,22 @@ static int __init clk_debug_init(void) + if (!rootdir) + return -ENOMEM; + +- d = debugfs_create_file("clk_summary", S_IRUGO, rootdir, &all_lists, ++ d = debugfs_create_file("clk_summary", 0444, rootdir, &all_lists, + &clk_summary_fops); + if (!d) + return -ENOMEM; + +- d = debugfs_create_file("clk_dump", S_IRUGO, rootdir, &all_lists, ++ d = debugfs_create_file("clk_dump", 0444, rootdir, &all_lists, + &clk_dump_fops); + if (!d) + return -ENOMEM; + +- d = debugfs_create_file("clk_orphan_summary", S_IRUGO, rootdir, ++ d = debugfs_create_file("clk_orphan_summary", 0444, rootdir, + &orphan_list, &clk_summary_fops); + if (!d) + return -ENOMEM; + +- d = debugfs_create_file("clk_orphan_dump", S_IRUGO, rootdir, ++ d = debugfs_create_file("clk_orphan_dump", 0444, rootdir, + &orphan_list, &clk_dump_fops); + if (!d) + return -ENOMEM; diff --git a/queue-4.14/drm-null-pointer-dereference-cwe-476-problem.patch b/queue-4.14/drm-null-pointer-dereference-cwe-476-problem.patch new file mode 100644 index 00000000000..242b020462d --- /dev/null +++ b/queue-4.14/drm-null-pointer-dereference-cwe-476-problem.patch @@ -0,0 +1,46 @@ +From 22a07038c0eaf4d1315a493ce66dcd255accba19 Mon Sep 17 00:00:00 2001 +From: Joe Moriarty +Date: Mon, 12 Feb 2018 14:51:42 -0500 +Subject: drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem + +From: Joe Moriarty + +commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream. + +The Parfait (version 2.1.0) static code analysis tool found the +following NULL pointer derefernce problem. + +- drivers/gpu/drm/drm_dp_mst_topology.c +The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt() +could result in a NULL pointer being returned to port->mstb due to a +failure to allocate memory for port->mstb. + +Signed-off-by: Joe Moriarty +Reviewed-by: Steven Sistare +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180212195144.98323-3-joe.moriarty@oracle.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1043,10 +1043,12 @@ static bool drm_dp_port_setup_pdt(struct + lct = drm_dp_calculate_rad(port, rad); + + port->mstb = drm_dp_add_mst_branch_device(lct, rad); +- port->mstb->mgr = port->mgr; +- port->mstb->port_parent = port; ++ if (port->mstb) { ++ port->mstb->mgr = port->mgr; ++ port->mstb->port_parent = port; + +- send_link = true; ++ send_link = true; ++ } + break; + } + return send_link; diff --git a/queue-4.14/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch b/queue-4.14/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch new file mode 100644 index 00000000000..ad284f7205f --- /dev/null +++ b/queue-4.14/of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:16 +0100 +Subject: of: fix missing kobject init for !SYSFS && OF_DYNAMIC config +To: stable@vger.kernel.org +Cc: Rob Herring , Nicolas Pitre , Frank Rowand , Grant Likely , Lee Jones +Message-ID: <20200421124017.272694-24-lee.jones@linaro.org> + +From: Rob Herring + +[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ] + +The ref counting is broken for OF_DYNAMIC when sysfs is disabled because +the kobject initialization is skipped. Only the properties +add/remove/update should be skipped for !SYSFS config. + +Tested-by: Nicolas Pitre +Reviewed-by: Frank Rowand +Acked-by: Grant Likely +Signed-off-by: Rob Herring +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -169,9 +169,6 @@ int __of_attach_node_sysfs(struct device + struct property *pp; + int rc; + +- if (!IS_ENABLED(CONFIG_SYSFS)) +- return 0; +- + if (!of_kset) + return 0; + diff --git a/queue-4.14/revert-gpio-set-up-initial-state-from-.get_direction.patch b/queue-4.14/revert-gpio-set-up-initial-state-from-.get_direction.patch new file mode 100644 index 00000000000..e70ede6463e --- /dev/null +++ b/queue-4.14/revert-gpio-set-up-initial-state-from-.get_direction.patch @@ -0,0 +1,69 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:39:56 +0100 +Subject: Revert "gpio: set up initial state from .get_direction()" +To: stable@vger.kernel.org +Cc: Timur Tabi , Stephen Boyd , Linus Walleij , Lee Jones +Message-ID: <20200421124017.272694-4-lee.jones@linaro.org> + +From: Timur Tabi + +[ Upstream commit 1ca2a92b2a99323f666f1b669b7484df4bda05e4 ] + +This reverts commit 72d3200061776264941be1b5a9bb8e926b3b30a5. + +We cannot blindly query the direction of all GPIOs when the pins are +first registered. The get_direction callback normally triggers a +read/write to hardware, but we shouldn't be touching the hardware for +an individual GPIO until after it's been properly claimed. + +Signed-off-by: Timur Tabi +Reviewed-by: Stephen Boyd +Signed-off-by: Linus Walleij +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 31 +++++++------------------------ + 1 file changed, 7 insertions(+), 24 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1245,31 +1245,14 @@ int gpiochip_add_data(struct gpio_chip * + struct gpio_desc *desc = &gdev->descs[i]; + + desc->gdev = gdev; +- /* +- * REVISIT: most hardware initializes GPIOs as inputs +- * (often with pullups enabled) so power usage is +- * minimized. Linux code should set the gpio direction +- * first thing; but until it does, and in case +- * chip->get_direction is not set, we may expose the +- * wrong direction in sysfs. +- */ +- +- if (chip->get_direction) { +- /* +- * If we have .get_direction, set up the initial +- * direction flag from the hardware. +- */ +- int dir = chip->get_direction(chip, i); + +- if (!dir) +- set_bit(FLAG_IS_OUT, &desc->flags); +- } else if (!chip->direction_input) { +- /* +- * If the chip lacks the .direction_input callback +- * we logically assume all lines are outputs. +- */ +- set_bit(FLAG_IS_OUT, &desc->flags); +- } ++ /* REVISIT: most hardware initializes GPIOs as inputs (often ++ * with pullups enabled) so power usage is minimized. Linux ++ * code should set the gpio direction first thing; but until ++ * it does, and in case chip->get_direction is not set, we may ++ * expose the wrong direction in sysfs. ++ */ ++ desc->flags = !chip->direction_input ? (1 << FLAG_IS_OUT) : 0; + } + + #ifdef CONFIG_PINCTRL diff --git a/queue-4.14/rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch b/queue-4.14/rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch new file mode 100644 index 00000000000..78dd31f1eef --- /dev/null +++ b/queue-4.14/rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:09 +0100 +Subject: rpmsg: glink: Fix missing mutex_init() in qcom_glink_alloc_channel() +To: stable@vger.kernel.org +Cc: Wei Yongjun , Bjorn Andersson , Lee Jones +Message-ID: <20200421124017.272694-17-lee.jones@linaro.org> + +From: Wei Yongjun + +[ Upstream commit fb416f69900773d5a6030c909114099f92d07ab9 ] + +qcom_glink_alloc_channel() allocates the mutex but not initialize it. +Use mutex_init() on it to initialize it correctly. + +This is detected by Coccinelle semantic patch. + +Signed-off-by: Wei Yongjun +Signed-off-by: Bjorn Andersson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_native.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -221,6 +221,7 @@ static struct glink_channel *qcom_glink_ + /* Setup glink internal glink_channel data */ + spin_lock_init(&channel->recv_lock); + spin_lock_init(&channel->intent_lock); ++ mutex_init(&channel->intent_req_lock); + + channel->glink = glink; + channel->name = kstrdup(name, GFP_KERNEL); diff --git a/queue-4.14/rpmsg-glink-smem-ensure-ordering-during-tx.patch b/queue-4.14/rpmsg-glink-smem-ensure-ordering-during-tx.patch new file mode 100644 index 00000000000..8734d791de7 --- /dev/null +++ b/queue-4.14/rpmsg-glink-smem-ensure-ordering-during-tx.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:10 +0100 +Subject: rpmsg: glink: smem: Ensure ordering during tx +To: stable@vger.kernel.org +Cc: Bjorn Andersson , Chris Lew , Arun Kumar Neelakantam , Lee Jones +Message-ID: <20200421124017.272694-18-lee.jones@linaro.org> + +From: Bjorn Andersson + +[ Upstream commit 9d32497361ff89d2fc8306407de6f04b2bfb2836 ] + +Ensure the ordering of the fifo write and the update of the write index, +so that the index is not updated before the data has landed in the fifo. + +Acked-By: Chris Lew +Reported-by: Arun Kumar Neelakantam +Signed-off-by: Bjorn Andersson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_smem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rpmsg/qcom_glink_smem.c ++++ b/drivers/rpmsg/qcom_glink_smem.c +@@ -181,6 +181,9 @@ static void glink_smem_tx_write(struct q + if (head >= pipe->native.length) + head -= pipe->native.length; + ++ /* Ensure ordering of fifo and head update */ ++ wmb(); ++ + *pipe->head = cpu_to_le32(head); + } + diff --git a/queue-4.14/rpmsg-glink-use-put_device-if-device_register-fail.patch b/queue-4.14/rpmsg-glink-use-put_device-if-device_register-fail.patch new file mode 100644 index 00000000000..78865850807 --- /dev/null +++ b/queue-4.14/rpmsg-glink-use-put_device-if-device_register-fail.patch @@ -0,0 +1,43 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:06 +0100 +Subject: rpmsg: glink: use put_device() if device_register fail +To: stable@vger.kernel.org +Cc: Arvind Yadav , Bjorn Andersson , Lee Jones +Message-ID: <20200421124017.272694-14-lee.jones@linaro.org> + +From: Arvind Yadav + +[ Upstream commit a9011726c4bb37e5d6a7279bf47fcc19cd9d3e1a ] + +if device_register() returned an error! Always use put_device() +to give up the reference initialized. And unregister device for +other return error. + +Signed-off-by: Arvind Yadav +Signed-off-by: Bjorn Andersson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_smem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/rpmsg/qcom_glink_smem.c ++++ b/drivers/rpmsg/qcom_glink_smem.c +@@ -212,6 +212,7 @@ struct qcom_glink *qcom_glink_smem_regis + ret = device_register(dev); + if (ret) { + pr_err("failed to register glink edge\n"); ++ put_device(dev); + return ERR_PTR(ret); + } + +@@ -294,7 +295,7 @@ struct qcom_glink *qcom_glink_smem_regis + return glink; + + err_put_dev: +- put_device(dev); ++ device_unregister(dev); + + return ERR_PTR(ret); + } diff --git a/queue-4.14/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch b/queue-4.14/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch new file mode 100644 index 00000000000..1447658cb72 --- /dev/null +++ b/queue-4.14/rtc-pm8xxx-fix-issue-in-rtc-write-path.patch @@ -0,0 +1,119 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:07 +0100 +Subject: rtc: pm8xxx: Fix issue in RTC write path +To: stable@vger.kernel.org +Cc: Mohit Aggarwal , Alexandre Belloni , Lee Jones +Message-ID: <20200421124017.272694-15-lee.jones@linaro.org> + +From: Mohit Aggarwal + +[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ] + +In order to set time in rtc, need to disable +rtc hw before writing into rtc registers. + +Also fixes disabling of alarm while setting +rtc time. + +Signed-off-by: Mohit Aggarwal +Signed-off-by: Alexandre Belloni +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-pm8xxx.c | 49 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +--- a/drivers/rtc/rtc-pm8xxx.c ++++ b/drivers/rtc/rtc-pm8xxx.c +@@ -74,16 +74,18 @@ struct pm8xxx_rtc { + /* + * Steps to write the RTC registers. + * 1. Disable alarm if enabled. +- * 2. Write 0x00 to LSB. +- * 3. Write Byte[1], Byte[2], Byte[3] then Byte[0]. +- * 4. Enable alarm if disabled in step 1. ++ * 2. Disable rtc if enabled. ++ * 3. Write 0x00 to LSB. ++ * 4. Write Byte[1], Byte[2], Byte[3] then Byte[0]. ++ * 5. Enable rtc if disabled in step 2. ++ * 6. Enable alarm if disabled in step 1. + */ + static int pm8xxx_rtc_set_time(struct device *dev, struct rtc_time *tm) + { + int rc, i; + unsigned long secs, irq_flags; +- u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0; +- unsigned int ctrl_reg; ++ u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0, rtc_disabled = 0; ++ unsigned int ctrl_reg, rtc_ctrl_reg; + struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev); + const struct pm8xxx_rtc_regs *regs = rtc_dd->regs; + +@@ -92,23 +94,38 @@ static int pm8xxx_rtc_set_time(struct de + + rtc_tm_to_time(tm, &secs); + ++ dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs); ++ + for (i = 0; i < NUM_8_BIT_RTC_REGS; i++) { + value[i] = secs & 0xFF; + secs >>= 8; + } + +- dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs); +- + spin_lock_irqsave(&rtc_dd->ctrl_reg_lock, irq_flags); + +- rc = regmap_read(rtc_dd->regmap, regs->ctrl, &ctrl_reg); ++ rc = regmap_read(rtc_dd->regmap, regs->alarm_ctrl, &ctrl_reg); + if (rc) + goto rtc_rw_fail; + + if (ctrl_reg & regs->alarm_en) { + alarm_enabled = 1; + ctrl_reg &= ~regs->alarm_en; +- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg); ++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg); ++ if (rc) { ++ dev_err(dev, "Write to RTC Alarm control register failed\n"); ++ goto rtc_rw_fail; ++ } ++ } ++ ++ /* Disable RTC H/w before writing on RTC register */ ++ rc = regmap_read(rtc_dd->regmap, regs->ctrl, &rtc_ctrl_reg); ++ if (rc) ++ goto rtc_rw_fail; ++ ++ if (rtc_ctrl_reg & PM8xxx_RTC_ENABLE) { ++ rtc_disabled = 1; ++ rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE; ++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg); + if (rc) { + dev_err(dev, "Write to RTC control register failed\n"); + goto rtc_rw_fail; +@@ -137,11 +154,21 @@ static int pm8xxx_rtc_set_time(struct de + goto rtc_rw_fail; + } + ++ /* Enable RTC H/w after writing on RTC register */ ++ if (rtc_disabled) { ++ rtc_ctrl_reg |= PM8xxx_RTC_ENABLE; ++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg); ++ if (rc) { ++ dev_err(dev, "Write to RTC control register failed\n"); ++ goto rtc_rw_fail; ++ } ++ } ++ + if (alarm_enabled) { + ctrl_reg |= regs->alarm_en; +- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg); ++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg); + if (rc) { +- dev_err(dev, "Write to RTC control register failed\n"); ++ dev_err(dev, "Write to RTC Alarm control register failed\n"); + goto rtc_rw_fail; + } + } diff --git a/queue-4.14/scsi-ufs-make-sure-all-interrupts-are-processed.patch b/queue-4.14/scsi-ufs-make-sure-all-interrupts-are-processed.patch new file mode 100644 index 00000000000..5a90c172ed5 --- /dev/null +++ b/queue-4.14/scsi-ufs-make-sure-all-interrupts-are-processed.patch @@ -0,0 +1,70 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:03 +0100 +Subject: scsi: ufs: make sure all interrupts are processed +To: stable@vger.kernel.org +Cc: Venkat Gopalakrishnan , Asutosh Das , Subhash Jadavani , "Martin K . Petersen" , Lee Jones +Message-ID: <20200421124017.272694-11-lee.jones@linaro.org> + +From: Venkat Gopalakrishnan + +[ Upstream commit 7f6ba4f12e6cbfdefbb95cfd8fc67ece6c15d799 ] + +As multiple requests are submitted to the ufs host controller in +parallel there could be instances where the command completion interrupt +arrives later for a request that is already processed earlier as the +corresponding doorbell was cleared when handling the previous +interrupt. Read the interrupt status in a loop after processing the +received interrupt to catch such interrupts and handle it. + +Signed-off-by: Venkat Gopalakrishnan +Signed-off-by: Asutosh Das +Reviewed-by: Subhash Jadavani +Signed-off-by: Martin K. Petersen +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -5371,19 +5371,30 @@ static irqreturn_t ufshcd_intr(int irq, + u32 intr_status, enabled_intr_status; + irqreturn_t retval = IRQ_NONE; + struct ufs_hba *hba = __hba; ++ int retries = hba->nutrs; + + spin_lock(hba->host->host_lock); + intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS); +- enabled_intr_status = +- intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + +- if (intr_status) +- ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS); ++ /* ++ * There could be max of hba->nutrs reqs in flight and in worst case ++ * if the reqs get finished 1 by 1 after the interrupt status is ++ * read, make sure we handle them by checking the interrupt status ++ * again in a loop until we process all of the reqs before returning. ++ */ ++ do { ++ enabled_intr_status = ++ intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE); ++ if (intr_status) ++ ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS); ++ if (enabled_intr_status) { ++ ufshcd_sl_intr(hba, enabled_intr_status); ++ retval = IRQ_HANDLED; ++ } ++ ++ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS); ++ } while (intr_status && --retries); + +- if (enabled_intr_status) { +- ufshcd_sl_intr(hba, enabled_intr_status); +- retval = IRQ_HANDLED; +- } + spin_unlock(hba->host->host_lock); + return retval; + } diff --git a/queue-4.14/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch b/queue-4.14/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch new file mode 100644 index 00000000000..171132f22bb --- /dev/null +++ b/queue-4.14/scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:04 +0100 +Subject: scsi: ufs: ufs-qcom: remove broken hci version quirk +To: stable@vger.kernel.org +Cc: Subhash Jadavani , Asutosh Das , "Martin K . Petersen" , Lee Jones +Message-ID: <20200421124017.272694-12-lee.jones@linaro.org> + +From: Subhash Jadavani + +[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ] + +UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host +controller version 2.x.y and this has been fixed from version 3.x.y +onwards, hence this change removes this quirk for version 3.x.y onwards. + +[mkp: applied by hand] + +Signed-off-by: Subhash Jadavani +Signed-off-by: Asutosh Das +Signed-off-by: Martin K. Petersen +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1094,7 +1094,7 @@ static void ufs_qcom_advertise_quirks(st + hba->quirks |= UFSHCD_QUIRK_BROKEN_LCC; + } + +- if (host->hw_ver.major >= 0x2) { ++ if (host->hw_ver.major == 0x2) { + hba->quirks |= UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION; + + if (!ufs_qcom_cap_qunipro(host)) diff --git a/queue-4.14/series b/queue-4.14/series index 6bab94ea15a..d19c9864c27 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -143,3 +143,24 @@ alsa-hda-don-t-release-card-at-firmware-loading-error.patch of-unittest-kmemleak-on-changeset-destroy.patch lib-raid6-use-vdupq_n_u8-to-avoid-endianness-warnings.patch video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch +drm-null-pointer-dereference-cwe-476-problem.patch +clk-fix-debugfs_create_-usage.patch +revert-gpio-set-up-initial-state-from-.get_direction.patch +arm64-perf-remove-unsupported-events-for-cortex-a73.patch +arm64-traps-don-t-print-stack-or-raw-pc-lr-values-in-backtraces.patch +arch_topology-fix-section-miss-match-warning-due-to-free_raw_capacity.patch +wil6210-increase-firmware-ready-timeout.patch +wil6210-fix-temperature-debugfs.patch +scsi-ufs-make-sure-all-interrupts-are-processed.patch +scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch +wil6210-rate-limit-wil_rx_refill-error.patch +rpmsg-glink-use-put_device-if-device_register-fail.patch +rtc-pm8xxx-fix-issue-in-rtc-write-path.patch +rpmsg-glink-fix-missing-mutex_init-in-qcom_glink_alloc_channel.patch +rpmsg-glink-smem-ensure-ordering-during-tx.patch +wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch +wil6210-add-block-size-checks-during-fw-load.patch +wil6210-fix-length-check-in-__wmi_send.patch +wil6210-abort-properly-in-cfg-suspend.patch +soc-qcom-smem-use-le32_to_cpu-for-comparison.patch +of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch diff --git a/queue-4.14/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch b/queue-4.14/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch new file mode 100644 index 00000000000..de9b9dd4e9a --- /dev/null +++ b/queue-4.14/soc-qcom-smem-use-le32_to_cpu-for-comparison.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:15 +0100 +Subject: soc: qcom: smem: Use le32_to_cpu for comparison +To: stable@vger.kernel.org +Cc: Chris Lew , Bjorn Andersson , Andy Gross , Lee Jones +Message-ID: <20200421124017.272694-23-lee.jones@linaro.org> + +From: Chris Lew + +[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ] + +Endianness can vary in the system, add le32_to_cpu when comparing +partition sizes from smem. + +Signed-off-by: Chris Lew +Acked-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/smem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/smem.c ++++ b/drivers/soc/qcom/smem.c +@@ -646,7 +646,7 @@ static int qcom_smem_enumerate_partition + return -EINVAL; + } + +- if (header->size != entry->size) { ++ if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) { + dev_err(smem->dev, + "Partition %d has invalid size\n", i); + return -EINVAL; diff --git a/queue-4.14/wil6210-abort-properly-in-cfg-suspend.patch b/queue-4.14/wil6210-abort-properly-in-cfg-suspend.patch new file mode 100644 index 00000000000..96591345d40 --- /dev/null +++ b/queue-4.14/wil6210-abort-properly-in-cfg-suspend.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:14 +0100 +Subject: wil6210: abort properly in cfg suspend +To: stable@vger.kernel.org +Cc: Hamad Kadmany , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-22-lee.jones@linaro.org> + +From: Hamad Kadmany + +[ Upstream commit 144a12a6d83f3ca34ddefce5dee4d502afd2fc5b ] + +On-going operations were not aborted properly +and required locks were not taken. + +Signed-off-by: Hamad Kadmany +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/cfg80211.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/cfg80211.c ++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c +@@ -1735,9 +1735,12 @@ static int wil_cfg80211_suspend(struct w + + wil_dbg_pm(wil, "suspending\n"); + +- wil_p2p_stop_discovery(wil); +- ++ mutex_lock(&wil->mutex); ++ mutex_lock(&wil->p2p_wdev_mutex); ++ wil_p2p_stop_radio_operations(wil); + wil_abort_scan(wil, true); ++ mutex_unlock(&wil->p2p_wdev_mutex); ++ mutex_unlock(&wil->mutex); + + out: + return rc; diff --git a/queue-4.14/wil6210-add-block-size-checks-during-fw-load.patch b/queue-4.14/wil6210-add-block-size-checks-during-fw-load.patch new file mode 100644 index 00000000000..104f56a7dca --- /dev/null +++ b/queue-4.14/wil6210-add-block-size-checks-during-fw-load.patch @@ -0,0 +1,177 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:12 +0100 +Subject: wil6210: add block size checks during FW load +To: stable@vger.kernel.org +Cc: Lior David , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-20-lee.jones@linaro.org> + +From: Lior David + +[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ] + +When loading FW from file add block size checks to ensure a +corrupted FW file will not cause the driver to write outside +the device memory. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/fw_inc.c | 58 +++++++++++++++++++---------- + drivers/net/wireless/ath/wil6210/wil6210.h | 1 + drivers/net/wireless/ath/wil6210/wmi.c | 11 +++++ + 3 files changed, 49 insertions(+), 21 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/fw_inc.c ++++ b/drivers/net/wireless/ath/wil6210/fw_inc.c +@@ -26,14 +26,17 @@ + prefix_type, rowsize, \ + groupsize, buf, len, ascii) + +-#define FW_ADDR_CHECK(ioaddr, val, msg) do { \ +- ioaddr = wmi_buffer(wil, val); \ +- if (!ioaddr) { \ +- wil_err_fw(wil, "bad " msg ": 0x%08x\n", \ +- le32_to_cpu(val)); \ +- return -EINVAL; \ +- } \ +- } while (0) ++static bool wil_fw_addr_check(struct wil6210_priv *wil, ++ void __iomem **ioaddr, __le32 val, ++ u32 size, const char *msg) ++{ ++ *ioaddr = wmi_buffer_block(wil, val, size); ++ if (!(*ioaddr)) { ++ wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val)); ++ return false; ++ } ++ return true; ++} + + /** + * wil_fw_verify - verify firmware file validity +@@ -165,7 +168,8 @@ static int fw_handle_data(struct wil6210 + return -EINVAL; + } + +- FW_ADDR_CHECK(dst, d->addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address")) ++ return -EINVAL; + wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr), + s); + wil_memcpy_toio_32(dst, d->data, s); +@@ -197,7 +201,8 @@ static int fw_handle_fill(struct wil6210 + return -EINVAL; + } + +- FW_ADDR_CHECK(dst, d->addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address")) ++ return -EINVAL; + + v = le32_to_cpu(d->value); + wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n", +@@ -253,7 +258,8 @@ static int fw_handle_direct_write(struct + u32 v = le32_to_cpu(block[i].value); + u32 x, y; + +- FW_ADDR_CHECK(dst, block[i].addr, "address"); ++ if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address")) ++ return -EINVAL; + + x = readl(dst); + y = (x & m) | (v & ~m); +@@ -319,10 +325,15 @@ static int fw_handle_gateway_data(struct + wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n", + n, gw_cmd); + +- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr"); +- FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr"); +- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr"); +- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address"); ++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0, ++ "gateway_addr_addr") || ++ !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0, ++ "gateway_value_addr") || ++ !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0, ++ "gateway_cmd_addr") || ++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0, ++ "gateway_ctrl_address")) ++ return -EINVAL; + + wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x" + " cmd 0x%08x ctl 0x%08x\n", +@@ -378,12 +389,19 @@ static int fw_handle_gateway_data4(struc + wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n", + n, gw_cmd); + +- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr"); ++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0, ++ "gateway_addr_addr")) ++ return -EINVAL; + for (k = 0; k < ARRAY_SIZE(block->value); k++) +- FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k], +- "gateway_value_addr"); +- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr"); +- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address"); ++ if (!wil_fw_addr_check(wil, &gwa_val[k], ++ d->gateway_value_addr[k], ++ 0, "gateway_value_addr")) ++ return -EINVAL; ++ if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0, ++ "gateway_cmd_addr") || ++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0, ++ "gateway_ctrl_address")) ++ return -EINVAL; + + wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n", + le32_to_cpu(d->gateway_addr_addr), +--- a/drivers/net/wireless/ath/wil6210/wil6210.h ++++ b/drivers/net/wireless/ath/wil6210/wil6210.h +@@ -865,6 +865,7 @@ void wil_mbox_ring_le2cpus(struct wil621 + int wil_find_cid(struct wil6210_priv *wil, const u8 *mac); + void wil_set_ethtoolops(struct net_device *ndev); + ++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size); + void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr); + void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr); + int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr, +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -140,13 +140,15 @@ static u32 wmi_addr_remap(u32 x) + /** + * Check address validity for WMI buffer; remap if needed + * @ptr - internal (linker) fw/ucode address ++ * @size - if non zero, validate the block does not ++ * exceed the device memory (bar) + * + * Valid buffer should be DWORD aligned + * + * return address for accessing buffer from the host; + * if buffer is not valid, return NULL. + */ +-void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) ++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size) + { + u32 off; + u32 ptr = le32_to_cpu(ptr_); +@@ -161,10 +163,17 @@ void __iomem *wmi_buffer(struct wil6210_ + off = HOSTADDR(ptr); + if (off > wil->bar_size - 4) + return NULL; ++ if (size && ((off + size > wil->bar_size) || (off + size < off))) ++ return NULL; + + return wil->csr + off; + } + ++void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) ++{ ++ return wmi_buffer_block(wil, ptr_, 0); ++} ++ + /** + * Check address validity + */ diff --git a/queue-4.14/wil6210-fix-length-check-in-__wmi_send.patch b/queue-4.14/wil6210-fix-length-check-in-__wmi_send.patch new file mode 100644 index 00000000000..c25dd26681b --- /dev/null +++ b/queue-4.14/wil6210-fix-length-check-in-__wmi_send.patch @@ -0,0 +1,78 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:13 +0100 +Subject: wil6210: fix length check in __wmi_send +To: stable@vger.kernel.org +Cc: Lior David , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-21-lee.jones@linaro.org> + +From: Lior David + +[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ] + +The current length check: +sizeof(cmd) + len > r->entry_size +will allow very large values of len (> U16_MAX - sizeof(cmd)) +and can cause a buffer overflow. Fix the check to cover this case. +In addition, ensure the mailbox entry_size is not too small, +since this can also bypass the above check. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/interrupt.c | 22 +++++++++++++++++++++- + drivers/net/wireless/ath/wil6210/wmi.c | 2 +- + 2 files changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/interrupt.c ++++ b/drivers/net/wireless/ath/wil6210/interrupt.c +@@ -358,6 +358,25 @@ static void wil_cache_mbox_regs(struct w + wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx); + } + ++static bool wil_validate_mbox_regs(struct wil6210_priv *wil) ++{ ++ size_t min_size = sizeof(struct wil6210_mbox_hdr) + ++ sizeof(struct wmi_cmd_hdr); ++ ++ if (wil->mbox_ctl.rx.entry_size < min_size) { ++ wil_err(wil, "rx mbox entry too small (%d)\n", ++ wil->mbox_ctl.rx.entry_size); ++ return false; ++ } ++ if (wil->mbox_ctl.tx.entry_size < min_size) { ++ wil_err(wil, "tx mbox entry too small (%d)\n", ++ wil->mbox_ctl.tx.entry_size); ++ return false; ++ } ++ ++ return true; ++} ++ + static irqreturn_t wil6210_irq_misc(int irq, void *cookie) + { + struct wil6210_priv *wil = cookie; +@@ -393,7 +412,8 @@ static irqreturn_t wil6210_irq_misc(int + if (isr & ISR_MISC_FW_READY) { + wil_dbg_irq(wil, "IRQ: FW ready\n"); + wil_cache_mbox_regs(wil); +- set_bit(wil_status_mbox_ready, wil->status); ++ if (wil_validate_mbox_regs(wil)) ++ set_bit(wil_status_mbox_ready, wil->status); + /** + * Actual FW ready indicated by the + * WMI_FW_READY_EVENTID +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -231,7 +231,7 @@ static int __wmi_send(struct wil6210_pri + uint retry; + int rc = 0; + +- if (sizeof(cmd) + len > r->entry_size) { ++ if (len > r->entry_size - sizeof(cmd)) { + wil_err(wil, "WMI size too large: %d bytes, max is %d\n", + (int)(sizeof(cmd) + len), r->entry_size); + return -ERANGE; diff --git a/queue-4.14/wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch b/queue-4.14/wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch new file mode 100644 index 00000000000..db881ecb1bf --- /dev/null +++ b/queue-4.14/wil6210-fix-pcie-bus-mastering-in-case-of-interface-down.patch @@ -0,0 +1,131 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:11 +0100 +Subject: wil6210: fix PCIe bus mastering in case of interface down +To: stable@vger.kernel.org +Cc: Lazar Alexei , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-19-lee.jones@linaro.org> + +From: Lazar Alexei + +[ Upstream commit 680c242dc25e036265793edc7d755cfc15afd231 ] + +In case of interface down, radio is turned off but PCIe mastering is +not cleared. +This can cause unexpected PCIe access to the shutdown device. +Fix this by clearing PCIe mastering also in case interface is down + +Signed-off-by: Lazar Alexei +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/pcie_bus.c | 24 +++++++++++++++--------- + drivers/net/wireless/ath/wil6210/pm.c | 10 ++-------- + drivers/net/wireless/ath/wil6210/wil6210.h | 4 ++-- + 3 files changed, 19 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/pcie_bus.c ++++ b/drivers/net/wireless/ath/wil6210/pcie_bus.c +@@ -393,6 +393,9 @@ static int wil6210_suspend(struct device + int rc = 0; + struct pci_dev *pdev = to_pci_dev(dev); + struct wil6210_priv *wil = pci_get_drvdata(pdev); ++ struct net_device *ndev = wil_to_ndev(wil); ++ bool keep_radio_on = ndev->flags & IFF_UP && ++ wil->keep_radio_on_during_sleep; + + wil_dbg_pm(wil, "suspend: %s\n", is_runtime ? "runtime" : "system"); + +@@ -400,14 +403,14 @@ static int wil6210_suspend(struct device + if (rc) + goto out; + +- rc = wil_suspend(wil, is_runtime); ++ rc = wil_suspend(wil, is_runtime, keep_radio_on); + if (!rc) { + wil->suspend_stats.successful_suspends++; + +- /* If platform device supports keep_radio_on_during_sleep +- * it will control PCIe master ++ /* In case radio stays on, platform device will control ++ * PCIe master + */ +- if (!wil->keep_radio_on_during_sleep) ++ if (!keep_radio_on) + /* disable bus mastering */ + pci_clear_master(pdev); + } +@@ -420,20 +423,23 @@ static int wil6210_resume(struct device + int rc = 0; + struct pci_dev *pdev = to_pci_dev(dev); + struct wil6210_priv *wil = pci_get_drvdata(pdev); ++ struct net_device *ndev = wil_to_ndev(wil); ++ bool keep_radio_on = ndev->flags & IFF_UP && ++ wil->keep_radio_on_during_sleep; + + wil_dbg_pm(wil, "resume: %s\n", is_runtime ? "runtime" : "system"); + +- /* If platform device supports keep_radio_on_during_sleep it will +- * control PCIe master ++ /* In case radio stays on, platform device will control ++ * PCIe master + */ +- if (!wil->keep_radio_on_during_sleep) ++ if (!keep_radio_on) + /* allow master */ + pci_set_master(pdev); +- rc = wil_resume(wil, is_runtime); ++ rc = wil_resume(wil, is_runtime, keep_radio_on); + if (rc) { + wil_err(wil, "device failed to resume (%d)\n", rc); + wil->suspend_stats.failed_resumes++; +- if (!wil->keep_radio_on_during_sleep) ++ if (!keep_radio_on) + pci_clear_master(pdev); + } else { + wil->suspend_stats.successful_resumes++; +--- a/drivers/net/wireless/ath/wil6210/pm.c ++++ b/drivers/net/wireless/ath/wil6210/pm.c +@@ -279,12 +279,9 @@ static int wil_resume_radio_off(struct w + return rc; + } + +-int wil_suspend(struct wil6210_priv *wil, bool is_runtime) ++int wil_suspend(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on) + { + int rc = 0; +- struct net_device *ndev = wil_to_ndev(wil); +- bool keep_radio_on = ndev->flags & IFF_UP && +- wil->keep_radio_on_during_sleep; + + wil_dbg_pm(wil, "suspend: %s\n", is_runtime ? "runtime" : "system"); + +@@ -307,12 +304,9 @@ int wil_suspend(struct wil6210_priv *wil + return rc; + } + +-int wil_resume(struct wil6210_priv *wil, bool is_runtime) ++int wil_resume(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on) + { + int rc = 0; +- struct net_device *ndev = wil_to_ndev(wil); +- bool keep_radio_on = ndev->flags & IFF_UP && +- wil->keep_radio_on_during_sleep; + unsigned long long suspend_time_usec = 0; + + wil_dbg_pm(wil, "resume: %s\n", is_runtime ? "runtime" : "system"); +--- a/drivers/net/wireless/ath/wil6210/wil6210.h ++++ b/drivers/net/wireless/ath/wil6210/wil6210.h +@@ -1000,8 +1000,8 @@ int wil_request_firmware(struct wil6210_ + bool wil_fw_verify_file_exists(struct wil6210_priv *wil, const char *name); + + int wil_can_suspend(struct wil6210_priv *wil, bool is_runtime); +-int wil_suspend(struct wil6210_priv *wil, bool is_runtime); +-int wil_resume(struct wil6210_priv *wil, bool is_runtime); ++int wil_suspend(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on); ++int wil_resume(struct wil6210_priv *wil, bool is_runtime, bool keep_radio_on); + bool wil_is_wmi_idle(struct wil6210_priv *wil); + int wmi_resume(struct wil6210_priv *wil); + int wmi_suspend(struct wil6210_priv *wil); diff --git a/queue-4.14/wil6210-fix-temperature-debugfs.patch b/queue-4.14/wil6210-fix-temperature-debugfs.patch new file mode 100644 index 00000000000..3d926edabfe --- /dev/null +++ b/queue-4.14/wil6210-fix-temperature-debugfs.patch @@ -0,0 +1,55 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:02 +0100 +Subject: wil6210: fix temperature debugfs +To: stable@vger.kernel.org +Cc: Dedy Lansky , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-10-lee.jones@linaro.org> + +From: Dedy Lansky + +[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ] + +For negative temperatures, "temp" debugfs is showing wrong values. +Use signed types so proper calculations is done for sub zero +temperatures. + +Signed-off-by: Dedy Lansky +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/debugfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/debugfs.c ++++ b/drivers/net/wireless/ath/wil6210/debugfs.c +@@ -1093,7 +1093,7 @@ static const struct file_operations fops + }; + + /*---------temp------------*/ +-static void print_temp(struct seq_file *s, const char *prefix, u32 t) ++static void print_temp(struct seq_file *s, const char *prefix, s32 t) + { + switch (t) { + case 0: +@@ -1101,7 +1101,8 @@ static void print_temp(struct seq_file * + seq_printf(s, "%s N/A\n", prefix); + break; + default: +- seq_printf(s, "%s %d.%03d\n", prefix, t / 1000, t % 1000); ++ seq_printf(s, "%s %s%d.%03d\n", prefix, (t < 0 ? "-" : ""), ++ abs(t / 1000), abs(t % 1000)); + break; + } + } +@@ -1109,7 +1110,7 @@ static void print_temp(struct seq_file * + static int wil_temp_debugfs_show(struct seq_file *s, void *data) + { + struct wil6210_priv *wil = s->private; +- u32 t_m, t_r; ++ s32 t_m, t_r; + int rc = wmi_get_temperature(wil, &t_m, &t_r); + + if (rc) { diff --git a/queue-4.14/wil6210-increase-firmware-ready-timeout.patch b/queue-4.14/wil6210-increase-firmware-ready-timeout.patch new file mode 100644 index 00000000000..753f387f1fe --- /dev/null +++ b/queue-4.14/wil6210-increase-firmware-ready-timeout.patch @@ -0,0 +1,39 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:01 +0100 +Subject: wil6210: increase firmware ready timeout +To: stable@vger.kernel.org +Cc: Hamad Kadmany , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-9-lee.jones@linaro.org> + +From: Hamad Kadmany + +[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ] + +Firmware ready event may take longer than +current timeout in some scenarios, for example +with multiple RFs connected where each +requires an initial calibration. + +Increase the timeout to support these scenarios. + +Signed-off-by: Hamad Kadmany +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/wil6210/main.c ++++ b/drivers/net/wireless/ath/wil6210/main.c +@@ -871,7 +871,7 @@ static void wil_bl_crash_info(struct wil + + static int wil_wait_for_fw_ready(struct wil6210_priv *wil) + { +- ulong to = msecs_to_jiffies(1000); ++ ulong to = msecs_to_jiffies(2000); + ulong left = wait_for_completion_timeout(&wil->wmi_ready, to); + + if (0 == left) { diff --git a/queue-4.14/wil6210-rate-limit-wil_rx_refill-error.patch b/queue-4.14/wil6210-rate-limit-wil_rx_refill-error.patch new file mode 100644 index 00000000000..202f602bc9d --- /dev/null +++ b/queue-4.14/wil6210-rate-limit-wil_rx_refill-error.patch @@ -0,0 +1,37 @@ +From foo@baz Tue 21 Apr 2020 07:43:03 PM CEST +From: Lee Jones +Date: Tue, 21 Apr 2020 13:40:05 +0100 +Subject: wil6210: rate limit wil_rx_refill error +To: stable@vger.kernel.org +Cc: Dedy Lansky , Maya Erez , Kalle Valo , Lee Jones +Message-ID: <20200421124017.272694-13-lee.jones@linaro.org> + +From: Dedy Lansky + +[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ] + +wil_err inside wil_rx_refill can flood the log buffer. +Replace it with wil_err_ratelimited. + +Signed-off-by: Dedy Lansky +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/txrx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/txrx.c ++++ b/drivers/net/wireless/ath/wil6210/txrx.c +@@ -636,8 +636,8 @@ static int wil_rx_refill(struct wil6210_ + v->swtail = next_tail) { + rc = wil_vring_alloc_skb(wil, v, v->swtail, headroom); + if (unlikely(rc)) { +- wil_err(wil, "Error %d in wil_rx_refill[%d]\n", +- rc, v->swtail); ++ wil_err_ratelimited(wil, "Error %d in rx refill[%d]\n", ++ rc, v->swtail); + break; + } + }