--- /dev/null
+From 22a07038c0eaf4d1315a493ce66dcd255accba19 Mon Sep 17 00:00:00 2001
+From: Joe Moriarty <joe.moriarty@oracle.com>
+Date: Mon, 12 Feb 2018 14:51:42 -0500
+Subject: drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem
+
+From: Joe Moriarty <joe.moriarty@oracle.com>
+
+commit 22a07038c0eaf4d1315a493ce66dcd255accba19 upstream.
+
+The Parfait (version 2.1.0) static code analysis tool found the
+following NULL pointer dereference problem.
+
+- drivers/gpu/drm/drm_dp_mst_topology.c
+The call to drm_dp_calculate_rad() in function drm_dp_port_setup_pdt()
+could result in a NULL pointer being returned to port->mstb due to a
+failure to allocate memory for port->mstb.
+
+Signed-off-by: Joe Moriarty <joe.moriarty@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180212195144.98323-3-joe.moriarty@oracle.com
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -1041,10 +1041,12 @@ static bool drm_dp_port_setup_pdt(struct
+ lct = drm_dp_calculate_rad(port, rad);
+
+ port->mstb = drm_dp_add_mst_branch_device(lct, rad);
+- port->mstb->mgr = port->mgr;
+- port->mstb->port_parent = port;
++ if (port->mstb) {
++ port->mstb->mgr = port->mgr;
++ port->mstb->port_parent = port;
+
+- send_link = true;
++ send_link = true;
++ }
+ break;
+ }
+ return send_link;
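Review bot: When `drm_dp_add_mst_branch_device()` returns NULL, the new `if (port->mstb)` branch skips the assignments but leaves `port->mstb` NULL with no record of the failure, and the caller gets the same `false` it would get when no link-address message is needed. Any later reader of `port->mstb` for this port still has to tolerate NULL; whether they all do is not visible from this hunk. I would document that on the check, e.g. `/* allocation failed: mstb stays NULL, users must check before dereferencing */`, or return a distinct error if the callers can act on it. The body of drm_dp_port_setup_pdt() starts outside the hunk.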
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:16 +0100
+Subject: of: fix missing kobject init for !SYSFS && OF_DYNAMIC config
+To: stable@vger.kernel.org
+Cc: Rob Herring <robh@kernel.org>, Nicolas Pitre <nico@linaro.org>, Frank Rowand <frowand.list@gmail.com>, Grant Likely <grant.likely@secretlab.ca>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-24-lee.jones@linaro.org>
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit bd82bbf38cbe27f2c65660da801900d71bcc5cc8 ]
+
+The ref counting is broken for OF_DYNAMIC when sysfs is disabled because
+the kobject initialization is skipped. Only the properties
+add/remove/update should be skipped for !SYSFS config.
+
+Tested-by: Nicolas Pitre <nico@linaro.org>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Acked-by: Grant Likely <grant.likely@secretlab.ca>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -170,9 +170,6 @@ int __of_attach_node_sysfs(struct device
+ struct property *pp;
+ int rc;
+
+- if (!IS_ENABLED(CONFIG_SYSFS))
+- return 0;
+-
+ if (!of_kset)
+ return 0;
+
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:39:56 +0100
+Subject: Revert "gpio: set up initial state from .get_direction()"
+To: stable@vger.kernel.org
+Cc: Timur Tabi <timur@codeaurora.org>, Stephen Boyd <sboyd@codeaurora.org>, Linus Walleij <linus.walleij@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-4-lee.jones@linaro.org>
+
+From: Timur Tabi <timur@codeaurora.org>
+
+[ Upstream commit 1ca2a92b2a99323f666f1b669b7484df4bda05e4 ]
+
+This reverts commit 72d3200061776264941be1b5a9bb8e926b3b30a5.
+
+We cannot blindly query the direction of all GPIOs when the pins are
+first registered. The get_direction callback normally triggers a
+read/write to hardware, but we shouldn't be touching the hardware for
+an individual GPIO until after it's been properly claimed.
+
+Signed-off-by: Timur Tabi <timur@codeaurora.org>
+Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 31 +++++++------------------------
+ 1 file changed, 7 insertions(+), 24 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1232,31 +1232,14 @@ int gpiochip_add_data(struct gpio_chip *
+ struct gpio_desc *desc = &gdev->descs[i];
+
+ desc->gdev = gdev;
+- /*
+- * REVISIT: most hardware initializes GPIOs as inputs
+- * (often with pullups enabled) so power usage is
+- * minimized. Linux code should set the gpio direction
+- * first thing; but until it does, and in case
+- * chip->get_direction is not set, we may expose the
+- * wrong direction in sysfs.
+- */
+-
+- if (chip->get_direction) {
+- /*
+- * If we have .get_direction, set up the initial
+- * direction flag from the hardware.
+- */
+- int dir = chip->get_direction(chip, i);
+
+- if (!dir)
+- set_bit(FLAG_IS_OUT, &desc->flags);
+- } else if (!chip->direction_input) {
+- /*
+- * If the chip lacks the .direction_input callback
+- * we logically assume all lines are outputs.
+- */
+- set_bit(FLAG_IS_OUT, &desc->flags);
+- }
++ /* REVISIT: most hardware initializes GPIOs as inputs (often
++ * with pullups enabled) so power usage is minimized. Linux
++ * code should set the gpio direction first thing; but until
++ * it does, and in case chip->get_direction is not set, we may
++ * expose the wrong direction in sysfs.
++ */
++ desc->flags = !chip->direction_input ? (1 << FLAG_IS_OUT) : 0;
+ }
+
+ #ifdef CONFIG_PINCTRL
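Review bot: `desc->flags = !chip->direction_input ? (1 << FLAG_IS_OUT) : 0;` stores the whole flags word with a plain assignment, where the reverted code used `set_bit()` on a single bit, so any flag already set on the descriptor is cleared and the store is not atomic. That is presumably harmless during registration, before the descriptors are handed out, but the hunk does not show it. If the restored form is kept, `BIT(FLAG_IS_OUT)` avoids shifting a signed int into what the removed `set_bit(FLAG_IS_OUT, &desc->flags)` suggests is an `unsigned long` bitmap. gpiochip_add_data() starts and ends outside the hunk.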
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:07 +0100
+Subject: rtc: pm8xxx: Fix issue in RTC write path
+To: stable@vger.kernel.org
+Cc: Mohit Aggarwal <maggarwa@codeaurora.org>, Alexandre Belloni <alexandre.belloni@bootlin.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-15-lee.jones@linaro.org>
+
+From: Mohit Aggarwal <maggarwa@codeaurora.org>
+
+[ Upstream commit 83220bf38b77a830f8e62ab1a0d0408304f9b966 ]
+
+In order to set time in rtc, need to disable
+rtc hw before writing into rtc registers.
+
+Also fixes disabling of alarm while setting
+rtc time.
+
+Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pm8xxx.c | 49 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+--- a/drivers/rtc/rtc-pm8xxx.c
++++ b/drivers/rtc/rtc-pm8xxx.c
+@@ -74,16 +74,18 @@ struct pm8xxx_rtc {
+ /*
+ * Steps to write the RTC registers.
+ * 1. Disable alarm if enabled.
+- * 2. Write 0x00 to LSB.
+- * 3. Write Byte[1], Byte[2], Byte[3] then Byte[0].
+- * 4. Enable alarm if disabled in step 1.
++ * 2. Disable rtc if enabled.
++ * 3. Write 0x00 to LSB.
++ * 4. Write Byte[1], Byte[2], Byte[3] then Byte[0].
++ * 5. Enable rtc if disabled in step 2.
++ * 6. Enable alarm if disabled in step 1.
+ */
+ static int pm8xxx_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ {
+ int rc, i;
+ unsigned long secs, irq_flags;
+- u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0;
+- unsigned int ctrl_reg;
++ u8 value[NUM_8_BIT_RTC_REGS], alarm_enabled = 0, rtc_disabled = 0;
++ unsigned int ctrl_reg, rtc_ctrl_reg;
+ struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev);
+ const struct pm8xxx_rtc_regs *regs = rtc_dd->regs;
+
+@@ -92,23 +94,38 @@ static int pm8xxx_rtc_set_time(struct de
+
+ rtc_tm_to_time(tm, &secs);
+
++ dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
++
+ for (i = 0; i < NUM_8_BIT_RTC_REGS; i++) {
+ value[i] = secs & 0xFF;
+ secs >>= 8;
+ }
+
+- dev_dbg(dev, "Seconds value to be written to RTC = %lu\n", secs);
+-
+ spin_lock_irqsave(&rtc_dd->ctrl_reg_lock, irq_flags);
+
+- rc = regmap_read(rtc_dd->regmap, regs->ctrl, &ctrl_reg);
++ rc = regmap_read(rtc_dd->regmap, regs->alarm_ctrl, &ctrl_reg);
+ if (rc)
+ goto rtc_rw_fail;
+
+ if (ctrl_reg & regs->alarm_en) {
+ alarm_enabled = 1;
+ ctrl_reg &= ~regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
++ /* Disable RTC H/w before writing on RTC register */
++ rc = regmap_read(rtc_dd->regmap, regs->ctrl, &rtc_ctrl_reg);
++ if (rc)
++ goto rtc_rw_fail;
++
++ if (rtc_ctrl_reg & PM8xxx_RTC_ENABLE) {
++ rtc_disabled = 1;
++ rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
+ if (rc) {
+ dev_err(dev, "Write to RTC control register failed\n");
+ goto rtc_rw_fail;
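Review bot: Every failure after the new `rtc_ctrl_reg &= ~PM8xxx_RTC_ENABLE` write jumps to `rtc_rw_fail` with the RTC still disabled, so a single failed register write while setting the time can leave the clock stopped. The same applies in the next hunk, where a failed RTC re-enable also skips restoring the alarm. The label is outside the hunks, so I cannot see whether it restores anything, but nothing on the new side does. A best-effort restore on the error path would close this, e.g. `if (rc && rtc_disabled) regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg | PM8xxx_RTC_ENABLE);`, with the alarm enable handled the same way.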
+@@ -137,11 +154,21 @@ static int pm8xxx_rtc_set_time(struct de
+ goto rtc_rw_fail;
+ }
+
++ /* Enable RTC H/w after writing on RTC register */
++ if (rtc_disabled) {
++ rtc_ctrl_reg |= PM8xxx_RTC_ENABLE;
++ rc = regmap_write(rtc_dd->regmap, regs->ctrl, rtc_ctrl_reg);
++ if (rc) {
++ dev_err(dev, "Write to RTC control register failed\n");
++ goto rtc_rw_fail;
++ }
++ }
++
+ if (alarm_enabled) {
+ ctrl_reg |= regs->alarm_en;
+- rc = regmap_write(rtc_dd->regmap, regs->ctrl, ctrl_reg);
++ rc = regmap_write(rtc_dd->regmap, regs->alarm_ctrl, ctrl_reg);
+ if (rc) {
+- dev_err(dev, "Write to RTC control register failed\n");
++ dev_err(dev, "Write to RTC Alarm control register failed\n");
+ goto rtc_rw_fail;
+ }
+ }
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:03 +0100
+Subject: scsi: ufs: make sure all interrupts are processed
+To: stable@vger.kernel.org
+Cc: Venkat Gopalakrishnan <venkatg@codeaurora.org>, Asutosh Das <asutoshd@codeaurora.org>, Subhash Jadavani <subhashj@codeaurora.org>, "Martin K . Petersen" <martin.petersen@oracle.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-11-lee.jones@linaro.org>
+
+From: Venkat Gopalakrishnan <venkatg@codeaurora.org>
+
+[ Upstream commit 7f6ba4f12e6cbfdefbb95cfd8fc67ece6c15d799 ]
+
+As multiple requests are submitted to the ufs host controller in
+parallel there could be instances where the command completion interrupt
+arrives later for a request that is already processed earlier as the
+corresponding doorbell was cleared when handling the previous
+interrupt. Read the interrupt status in a loop after processing the
+received interrupt to catch such interrupts and handle it.
+
+Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Reviewed-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4397,19 +4397,30 @@ static irqreturn_t ufshcd_intr(int irq,
+ u32 intr_status, enabled_intr_status;
+ irqreturn_t retval = IRQ_NONE;
+ struct ufs_hba *hba = __hba;
++ int retries = hba->nutrs;
+
+ spin_lock(hba->host->host_lock);
+ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
+- enabled_intr_status =
+- intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+
+- if (intr_status)
+- ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS);
++ /*
++ * There could be max of hba->nutrs reqs in flight and in worst case
++ * if the reqs get finished 1 by 1 after the interrupt status is
++ * read, make sure we handle them by checking the interrupt status
++ * again in a loop until we process all of the reqs before returning.
++ */
++ do {
++ enabled_intr_status =
++ intr_status & ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
++ if (intr_status)
++ ufshcd_writel(hba, intr_status, REG_INTERRUPT_STATUS);
++ if (enabled_intr_status) {
++ ufshcd_sl_intr(hba, enabled_intr_status);
++ retval = IRQ_HANDLED;
++ }
++
++ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
++ } while (intr_status && --retries);
+
+- if (enabled_intr_status) {
+- ufshcd_sl_intr(hba, enabled_intr_status);
+- retval = IRQ_HANDLED;
+- }
+ spin_unlock(hba->host->host_lock);
+ return retval;
+ }
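Review bot: The loop bound `while (intr_status && --retries)` only stops on the counter when `hba->nutrs` is positive. If `retries` starts at 0 the decrement yields -1, which is true, and the handler keeps looping under `host_lock` for as long as any status bit reads back set. `nutrs` is presumably at least 1 once the host is initialised, but the hunk does not show that; `} while (intr_status && --retries > 0);` makes the bound hold regardless.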
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:04 +0100
+Subject: scsi: ufs: ufs-qcom: remove broken hci version quirk
+To: stable@vger.kernel.org
+Cc: Subhash Jadavani <subhashj@codeaurora.org>, Asutosh Das <asutoshd@codeaurora.org>, "Martin K . Petersen" <martin.petersen@oracle.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-12-lee.jones@linaro.org>
+
+From: Subhash Jadavani <subhashj@codeaurora.org>
+
+[ Upstream commit 69a6fff068567469c0ef1156ae5ac8d3d71701f0 ]
+
+UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION is only applicable for QCOM UFS host
+controller version 2.x.y and this has been fixed from version 3.x.y
+onwards, hence this change removes this quirk for version 3.x.y onwards.
+
+[mkp: applied by hand]
+
+Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -1094,7 +1094,7 @@ static void ufs_qcom_advertise_quirks(st
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_LCC;
+ }
+
+- if (host->hw_ver.major >= 0x2) {
++ if (host->hw_ver.major == 0x2) {
+ hba->quirks |= UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION;
+
+ if (!ufs_qcom_cap_qunipro(host))
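Review bot: Narrowing the test to `host->hw_ver.major == 0x2` also takes the nested `if (!ufs_qcom_cap_qunipro(host))` block away from 3.x.y controllers, while the description only mentions UFSHCD_QUIRK_BROKEN_UFS_HCI_VERSION. The body of that nested check is outside the hunk, so I cannot tell which quirks it sets, but they are now dropped for major >= 3 as a side effect. If that is intended, a comment above the condition such as `/* v2.x.y only: HCI version register and non-QUniPro quirks */` would record it; if not, the nested check should move out of the version block. ufs_qcom_advertise_quirks() continues past the hunk.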
alsa-hda-don-t-release-card-at-firmware-loading-error.patch
of-unittest-kmemleak-on-changeset-destroy.patch
video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
+drm-null-pointer-dereference-cwe-476-problem.patch
+revert-gpio-set-up-initial-state-from-.get_direction.patch
+wil6210-increase-firmware-ready-timeout.patch
+wil6210-fix-temperature-debugfs.patch
+scsi-ufs-make-sure-all-interrupts-are-processed.patch
+scsi-ufs-ufs-qcom-remove-broken-hci-version-quirk.patch
+wil6210-rate-limit-wil_rx_refill-error.patch
+rtc-pm8xxx-fix-issue-in-rtc-write-path.patch
+wil6210-add-block-size-checks-during-fw-load.patch
+wil6210-fix-length-check-in-__wmi_send.patch
+soc-qcom-smem-use-le32_to_cpu-for-comparison.patch
+of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:15 +0100
+Subject: soc: qcom: smem: Use le32_to_cpu for comparison
+To: stable@vger.kernel.org
+Cc: Chris Lew <clew@codeaurora.org>, Bjorn Andersson <bjorn.andersson@linaro.org>, Andy Gross <andy.gross@linaro.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-23-lee.jones@linaro.org>
+
+From: Chris Lew <clew@codeaurora.org>
+
+[ Upstream commit a216000f0140f415cec96129f777b5234c9d142f ]
+
+Endianness can vary in the system, add le32_to_cpu when comparing
+partition sizes from smem.
+
+Signed-off-by: Chris Lew <clew@codeaurora.org>
+Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/smem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/smem.c
++++ b/drivers/soc/qcom/smem.c
+@@ -646,7 +646,7 @@ static int qcom_smem_enumerate_partition
+ return -EINVAL;
+ }
+
+- if (header->size != entry->size) {
++ if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) {
+ dev_err(smem->dev,
+ "Partition %d has invalid size\n", i);
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:12 +0100
+Subject: wil6210: add block size checks during FW load
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-20-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 705d2fde94b23cd76efbeedde643ffa7c32fac7f ]
+
+When loading FW from file add block size checks to ensure a
+corrupted FW file will not cause the driver to write outside
+the device memory.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/fw_inc.c | 58 +++++++++++++++++++----------
+ drivers/net/wireless/ath/wil6210/wil6210.h | 1
+ drivers/net/wireless/ath/wil6210/wmi.c | 11 +++++
+ 3 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/fw_inc.c
++++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
+@@ -26,14 +26,17 @@
+ prefix_type, rowsize, \
+ groupsize, buf, len, ascii)
+
+-#define FW_ADDR_CHECK(ioaddr, val, msg) do { \
+- ioaddr = wmi_buffer(wil, val); \
+- if (!ioaddr) { \
+- wil_err_fw(wil, "bad " msg ": 0x%08x\n", \
+- le32_to_cpu(val)); \
+- return -EINVAL; \
+- } \
+- } while (0)
++static bool wil_fw_addr_check(struct wil6210_priv *wil,
++ void __iomem **ioaddr, __le32 val,
++ u32 size, const char *msg)
++{
++ *ioaddr = wmi_buffer_block(wil, val, size);
++ if (!(*ioaddr)) {
++ wil_err_fw(wil, "bad %s: 0x%08x\n", msg, le32_to_cpu(val));
++ return false;
++ }
++ return true;
++}
+
+ /**
+ * wil_fw_verify - verify firmware file validity
+@@ -165,7 +168,8 @@ static int fw_handle_data(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+ wil_dbg_fw(wil, "write [0x%08x] <== %zu bytes\n", le32_to_cpu(d->addr),
+ s);
+ wil_memcpy_toio_32(dst, d->data, s);
+@@ -197,7 +201,8 @@ static int fw_handle_fill(struct wil6210
+ return -EINVAL;
+ }
+
+- FW_ADDR_CHECK(dst, d->addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, d->addr, s, "address"))
++ return -EINVAL;
+
+ v = le32_to_cpu(d->value);
+ wil_dbg_fw(wil, "fill [0x%08x] <== 0x%08x, %zu bytes\n",
+@@ -253,7 +258,8 @@ static int fw_handle_direct_write(struct
+ u32 v = le32_to_cpu(block[i].value);
+ u32 x, y;
+
+- FW_ADDR_CHECK(dst, block[i].addr, "address");
++ if (!wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address"))
++ return -EINVAL;
+
+ x = readl(dst);
+ y = (x & m) | (v & ~m);
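Review bot: `wil_fw_addr_check(wil, &dst, block[i].addr, 0, "address")` passes a size of 0, which makes wmi_buffer_block() skip the new `bar_size` test, yet the next line does a 32-bit `readl(dst)` at that address. The direct-write path therefore gets no more validation from this commit than it had before, and the same holds for the gateway address checks in fw_handle_gateway_data() and fw_handle_gateway_data4(), which also pass 0. Passing the access width would cover them: `wil_fw_addr_check(wil, &dst, block[i].addr, sizeof(u32), "address")`. The rest of the loop body is outside the hunk.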
+@@ -319,10 +325,15 @@ static int fw_handle_gateway_data(struct
+ wil_dbg_fw(wil, "gw write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
+- FW_ADDR_CHECK(gwa_val, d->gateway_value_addr, "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr") ||
++ !wil_fw_addr_check(wil, &gwa_val, d->gateway_value_addr, 0,
++ "gateway_value_addr") ||
++ !wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw addresses: addr 0x%08x val 0x%08x"
+ " cmd 0x%08x ctl 0x%08x\n",
+@@ -378,12 +389,19 @@ static int fw_handle_gateway_data4(struc
+ wil_dbg_fw(wil, "gw4 write record [%3d] blocks, cmd 0x%08x\n",
+ n, gw_cmd);
+
+- FW_ADDR_CHECK(gwa_addr, d->gateway_addr_addr, "gateway_addr_addr");
++ if (!wil_fw_addr_check(wil, &gwa_addr, d->gateway_addr_addr, 0,
++ "gateway_addr_addr"))
++ return -EINVAL;
+ for (k = 0; k < ARRAY_SIZE(block->value); k++)
+- FW_ADDR_CHECK(gwa_val[k], d->gateway_value_addr[k],
+- "gateway_value_addr");
+- FW_ADDR_CHECK(gwa_cmd, d->gateway_cmd_addr, "gateway_cmd_addr");
+- FW_ADDR_CHECK(gwa_ctl, d->gateway_ctrl_address, "gateway_ctrl_address");
++ if (!wil_fw_addr_check(wil, &gwa_val[k],
++ d->gateway_value_addr[k],
++ 0, "gateway_value_addr"))
++ return -EINVAL;
++ if (!wil_fw_addr_check(wil, &gwa_cmd, d->gateway_cmd_addr, 0,
++ "gateway_cmd_addr") ||
++ !wil_fw_addr_check(wil, &gwa_ctl, d->gateway_ctrl_address, 0,
++ "gateway_ctrl_address"))
++ return -EINVAL;
+
+ wil_dbg_fw(wil, "gw4 addresses: addr 0x%08x cmd 0x%08x ctl 0x%08x\n",
+ le32_to_cpu(d->gateway_addr_addr),
+--- a/drivers/net/wireless/ath/wil6210/wil6210.h
++++ b/drivers/net/wireless/ath/wil6210/wil6210.h
+@@ -786,6 +786,7 @@ void wil_mbox_ring_le2cpus(struct wil621
+ int wil_find_cid(struct wil6210_priv *wil, const u8 *mac);
+ void wil_set_ethtoolops(struct net_device *ndev);
+
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr, u32 size);
+ void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr);
+ void __iomem *wmi_addr(struct wil6210_priv *wil, u32 ptr);
+ int wmi_read_hdr(struct wil6210_priv *wil, __le32 ptr,
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -127,13 +127,15 @@ static u32 wmi_addr_remap(u32 x)
+ /**
+ * Check address validity for WMI buffer; remap if needed
+ * @ptr - internal (linker) fw/ucode address
++ * @size - if non zero, validate the block does not
++ * exceed the device memory (bar)
+ *
+ * Valid buffer should be DWORD aligned
+ *
+ * return address for accessing buffer from the host;
+ * if buffer is not valid, return NULL.
+ */
+-void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size)
+ {
+ u32 off;
+ u32 ptr = le32_to_cpu(ptr_);
+@@ -148,10 +150,17 @@ void __iomem *wmi_buffer(struct wil6210_
+ off = HOSTADDR(ptr);
+ if (off > WIL6210_MEM_SIZE - 4)
+ return NULL;
++ if (size && ((off + size > wil->bar_size) || (off + size < off)))
++ return NULL;
+
+ return wil->csr + off;
+ }
+
++void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_)
++{
++ return wmi_buffer_block(wil, ptr_, 0);
++}
++
+ /**
+ * Check address validity
+ */
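Review bot: The two bounds in wmi_buffer_block() use different limits: the existing test compares `off` with the constant `WIL6210_MEM_SIZE - 4`, while the added one compares `off + size` with `wil->bar_size`. If the mapped BAR can be smaller than WIL6210_MEM_SIZE, a call with size 0 (which is what `wmi_buffer()` now does) still accepts offsets beyond the mapping; whether the two can differ is not visible here. Checking `off` against `wil->bar_size - 4` first would also let the block test be written without relying on wrap-around, `if (size > wil->bar_size - off) return NULL;`. The kernel-doc now belongs to the renamed function, so the new `wmi_buffer()` wrapper has no comment; a one-line `/* wmi_buffer_block() without a block-size check */` would do.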
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:13 +0100
+Subject: wil6210: fix length check in __wmi_send
+To: stable@vger.kernel.org
+Cc: Lior David <qca_liord@qca.qualcomm.com>, Maya Erez <qca_merez@qca.qualcomm.com>, Kalle Valo <kvalo@qca.qualcomm.com>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-21-lee.jones@linaro.org>
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+[ Upstream commit 26a6d5274865532502c682ff378ac8ebe2886238 ]
+
+The current length check:
+sizeof(cmd) + len > r->entry_size
+will allow very large values of len (> U16_MAX - sizeof(cmd))
+and can cause a buffer overflow. Fix the check to cover this case.
+In addition, ensure the mailbox entry_size is not too small,
+since this can also bypass the above check.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 22 +++++++++++++++++++++-
+ drivers/net/wireless/ath/wil6210/wmi.c | 2 +-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -356,6 +356,25 @@ static void wil_cache_mbox_regs(struct w
+ wil_mbox_ring_le2cpus(&wil->mbox_ctl.tx);
+ }
+
++static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
++{
++ size_t min_size = sizeof(struct wil6210_mbox_hdr) +
++ sizeof(struct wmi_cmd_hdr);
++
++ if (wil->mbox_ctl.rx.entry_size < min_size) {
++ wil_err(wil, "rx mbox entry too small (%d)\n",
++ wil->mbox_ctl.rx.entry_size);
++ return false;
++ }
++ if (wil->mbox_ctl.tx.entry_size < min_size) {
++ wil_err(wil, "tx mbox entry too small (%d)\n",
++ wil->mbox_ctl.tx.entry_size);
++ return false;
++ }
++
++ return true;
++}
++
+ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ {
+ struct wil6210_priv *wil = cookie;
+@@ -391,7 +410,8 @@ static irqreturn_t wil6210_irq_misc(int
+ if (isr & ISR_MISC_FW_READY) {
+ wil_dbg_irq(wil, "IRQ: FW ready\n");
+ wil_cache_mbox_regs(wil);
+- set_bit(wil_status_mbox_ready, wil->status);
++ if (wil_validate_mbox_regs(wil))
++ set_bit(wil_status_mbox_ready, wil->status);
+ /**
+ * Actual FW ready indicated by the
+ * WMI_FW_READY_EVENTID
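Review bot: When `wil_validate_mbox_regs()` fails, the handler only skips `set_bit(wil_status_mbox_ready, wil->status)`; a bit left set by an earlier FW-ready interrupt stays set, while `wil_cache_mbox_regs()` has already stored the rejected `entry_size` values. Whether the bit is cleared elsewhere before the firmware restarts is not visible in this hunk. Clearing it on the failure path keeps the cached ring and the ready flag consistent: `else clear_bit(wil_status_mbox_ready, wil->status);`. wil6210_irq_misc() starts and ends outside the hunk.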
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -218,7 +218,7 @@ static int __wmi_send(struct wil6210_pri
+ uint retry;
+ int rc = 0;
+
+- if (sizeof(cmd) + len > r->entry_size) {
++ if (len > r->entry_size - sizeof(cmd)) {
+ wil_err(wil, "WMI size too large: %d bytes, max is %d\n",
+ (int)(sizeof(cmd) + len), r->entry_size);
+ return -ERANGE;
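Review bot: The rewritten test `len > r->entry_size - sizeof(cmd)` is only correct when `r->entry_size >= sizeof(cmd)`; otherwise the subtraction wraps in `size_t` and every `len` passes. The commit relies on wil_validate_mbox_regs() in interrupt.c for that precondition, which ties a bounds check in the send path to state validated in the interrupt handler. Making the check self-contained costs one comparison: `if (r->entry_size < sizeof(cmd) || len > r->entry_size - sizeof(cmd)) {`. __wmi_send() starts and ends outside the hunk.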
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:02 +0100
+Subject: wil6210: fix temperature debugfs
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-10-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 6d9eb7ebae3d7e951bc0999235ae7028eb4cae4f ]
+
+For negative temperatures, "temp" debugfs is showing wrong values.
+Use signed types so proper calculation is done for sub zero
+temperatures.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/debugfs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/debugfs.c
++++ b/drivers/net/wireless/ath/wil6210/debugfs.c
+@@ -1091,7 +1091,7 @@ static const struct file_operations fops
+ };
+
+ /*---------temp------------*/
+-static void print_temp(struct seq_file *s, const char *prefix, u32 t)
++static void print_temp(struct seq_file *s, const char *prefix, s32 t)
+ {
+ switch (t) {
+ case 0:
+@@ -1099,7 +1099,8 @@ static void print_temp(struct seq_file *
+ seq_printf(s, "%s N/A\n", prefix);
+ break;
+ default:
+- seq_printf(s, "%s %d.%03d\n", prefix, t / 1000, t % 1000);
++ seq_printf(s, "%s %s%d.%03d\n", prefix, (t < 0 ? "-" : ""),
++ abs(t / 1000), abs(t % 1000));
+ break;
+ }
+ }
+@@ -1107,7 +1108,7 @@ static void print_temp(struct seq_file *
+ static int wil_temp_debugfs_show(struct seq_file *s, void *data)
+ {
+ struct wil6210_priv *wil = s->private;
+- u32 t_m, t_r;
++ s32 t_m, t_r;
+ int rc = wmi_get_temperature(wil, &t_m, &t_r);
+
+ if (rc) {
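Review bot: `t_m` and `t_r` are now `s32`, but they are still passed as `&t_m, &t_r` to wmi_get_temperature(), and the diffstat shows this patch touching only debugfs.c. If that function's prototype still takes `u32 *`, the call builds only because pointer-sign mismatches are not diagnosed, and the signed interpretation lives in this caller alone. Either change the prototype to `s32 *` in the same patch or note the reinterpretation at the call, e.g. `/* values are signed; wmi_get_temperature() still takes u32 * */`. wil_temp_debugfs_show() continues past the hunk.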
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:01 +0100
+Subject: wil6210: increase firmware ready timeout
+To: stable@vger.kernel.org
+Cc: Hamad Kadmany <hkadmany@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-9-lee.jones@linaro.org>
+
+From: Hamad Kadmany <hkadmany@codeaurora.org>
+
+[ Upstream commit 6ccae584014ef7074359eb4151086beef66ecfa9 ]
+
+Firmware ready event may take longer than
+current timeout in some scenarios, for example
+with multiple RFs connected where each
+requires an initial calibration.
+
+Increase the timeout to support these scenarios.
+
+Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -803,7 +803,7 @@ static void wil_bl_crash_info(struct wil
+
+ static int wil_wait_for_fw_ready(struct wil6210_priv *wil)
+ {
+- ulong to = msecs_to_jiffies(1000);
++ ulong to = msecs_to_jiffies(2000);
+ ulong left = wait_for_completion_timeout(&wil->wmi_ready, to);
+
+ if (0 == left) {
--- /dev/null
+From foo@baz Tue 21 Apr 2020 07:47:52 PM CEST
+From: Lee Jones <lee.jones@linaro.org>
+Date: Tue, 21 Apr 2020 13:40:05 +0100
+Subject: wil6210: rate limit wil_rx_refill error
+To: stable@vger.kernel.org
+Cc: Dedy Lansky <dlansky@codeaurora.org>, Maya Erez <merez@codeaurora.org>, Kalle Valo <kvalo@codeaurora.org>, Lee Jones <lee.jones@linaro.org>
+Message-ID: <20200421124017.272694-13-lee.jones@linaro.org>
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+[ Upstream commit 3d6b72729cc2933906de8d2c602ae05e920b2122 ]
+
+wil_err inside wil_rx_refill can flood the log buffer.
+Replace it with wil_err_ratelimited.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -546,8 +546,8 @@ static int wil_rx_refill(struct wil6210_
+ v->swtail = next_tail) {
+ rc = wil_vring_alloc_skb(wil, v, v->swtail, headroom);
+ if (unlikely(rc)) {
+- wil_err(wil, "Error %d in wil_rx_refill[%d]\n",
+- rc, v->swtail);
++ wil_err_ratelimited(wil, "Error %d in rx refill[%d]\n",
++ rc, v->swtail);
+ break;
+ }
+ }