Merge "cnss2: add null pointer check"
diff --git a/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts b/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts
index eb9d5d4..78970d5 100644
--- a/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts
+++ b/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts
@@ -51,6 +51,36 @@
/delete-node/ qcom,panel-supply-entry@0;
};
+&i2c_4 {
+ status = "ok";
+ tsc@24 {
+ status = "disabled";
+ };
+
+ raydium_ts@39 {
+ compatible = "raydium,raydium-ts";
+ reg = <0x39>;
+ interrupt-parent = <&tlmm>;
+ interrupts = <13 0x2008>;
+ vdd_ana-supply = <&pm660_l11>;
+ vcc_i2c-supply = <&pm660_l13>;
+ pinctrl-names = "pmx_ts_active","pmx_ts_suspend",
+ "pmx_ts_release";
+ pinctrl-0 = <&ts_int_active &ts_reset_active>;
+ pinctrl-1 = <&ts_int_suspend &ts_reset_suspend>;
+ pinctrl-2 = <&ts_release>;
+ raydium,reset-gpio = <&tlmm 64 0x00>;
+ raydium,irq-gpio = <&tlmm 65 0x00>;
+ raydium,num-max-touches = <2>;
+ raydium,soft-reset-delay-ms = <50>;
+ raydium,hard-reset-delay-ms = <100>;
+ raydium,x_max = <416>;
+ raydium,y_max = <416>;
+ raydium,display-coords= <0 0 416 416>;
+ raydium,fw_id = <0x2202>;
+ };
+};
+
&usb_otg {
HSUSB_3p3-supply = <&L16A>;
};
diff --git a/arch/arm64/boot/dts/qcom/sdm429-bg-dvt2-wtp-overlay.dts b/arch/arm64/boot/dts/qcom/sdm429-bg-dvt2-wtp-overlay.dts
index b2f9204..31d0c07b0 100644
--- a/arch/arm64/boot/dts/qcom/sdm429-bg-dvt2-wtp-overlay.dts
+++ b/arch/arm64/boot/dts/qcom/sdm429-bg-dvt2-wtp-overlay.dts
@@ -39,6 +39,36 @@
/delete-node/ qcom,panel-supply-entry@0;
};
+&i2c_4 {
+ status = "ok";
+ tsc@24 {
+ status = "disabled";
+ };
+
+ raydium_ts@39 {
+ compatible = "raydium,raydium-ts";
+ reg = <0x39>;
+ interrupt-parent = <&tlmm>;
+ interrupts = <13 0x2008>;
+ vdd_ana-supply = <&pm660_l11>;
+ vcc_i2c-supply = <&pm660_l13>;
+ pinctrl-names = "pmx_ts_active","pmx_ts_suspend",
+ "pmx_ts_release";
+ pinctrl-0 = <&ts_int_active &ts_reset_active>;
+ pinctrl-1 = <&ts_int_suspend &ts_reset_suspend>;
+ pinctrl-2 = <&ts_release>;
+ raydium,reset-gpio = <&tlmm 64 0x00>;
+ raydium,irq-gpio = <&tlmm 65 0x00>;
+ raydium,num-max-touches = <2>;
+ raydium,soft-reset-delay-ms = <50>;
+ raydium,hard-reset-delay-ms = <100>;
+ raydium,x_max = <416>;
+ raydium,y_max = <416>;
+ raydium,display-coords= <0 0 416 416>;
+ raydium,fw_id = <0x2202>;
+ };
+};
+
&usb_otg {
HSUSB_3p3-supply = <&L16A>;
};
diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c
index 1b81eb8..0dfeff0 100644
--- a/drivers/bus/mhi/core/mhi_main.c
+++ b/drivers/bus/mhi/core/mhi_main.c
@@ -1049,7 +1049,9 @@
result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ?
-EOVERFLOW : 0;
- result.bytes_xferd = xfer_len;
+
+ /* truncate to buf len if xfer_len is larger */
+ result.bytes_xferd = min_t(u16, xfer_len, buf_info->len);
result.buf_addr = buf_info->cb_buf;
result.dir = mhi_chan->dir;
@@ -1287,7 +1289,7 @@
chan = MHI_TRE_GET_EV_CHID(local_rp);
if (chan >= mhi_cntrl->max_chan) {
MHI_ERR("invalid channel id %u\n", chan);
- continue;
+ goto next_er_element;
}
mhi_chan = &mhi_cntrl->mhi_chan[chan];
@@ -1299,6 +1301,7 @@
event_quota--;
}
+next_er_element:
mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
local_rp = ev_ring->rp;
dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a0652b7..2d23442 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -720,12 +720,20 @@
{
struct fastrpc_apps *me = &gfa;
struct fastrpc_file *fl;
- int vmid;
+ int vmid, cid = -1, err = 0;
struct fastrpc_session_ctx *sess;
if (!map)
return;
fl = map->fl;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d",
+ __func__, cid, err);
+ return;
+ }
if (map->flags == ADSP_MMAP_HEAP_ADDR ||
map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
spin_lock(&me->hlock);
@@ -805,15 +813,21 @@
struct fastrpc_apps *me = &gfa;
struct fastrpc_session_ctx *sess;
struct fastrpc_apps *apps = fl->apps;
- int cid = fl->cid;
- struct fastrpc_channel_ctx *chan = &apps->channel[cid];
struct fastrpc_mmap *map = NULL;
+ struct fastrpc_channel_ctx *chan = NULL;
unsigned long attrs;
dma_addr_t region_phys = 0;
void *region_vaddr = NULL;
unsigned long flags;
- int err = 0, vmid;
+ int err = 0, vmid, cid = -1;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ chan = &apps->channel[cid];
if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))
return 0;
map = kzalloc(sizeof(*map), GFP_KERNEL);
@@ -1850,12 +1864,22 @@
{
struct smq_msg *msg = &ctx->msg;
struct fastrpc_file *fl = ctx->fl;
- struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
- int err = 0, len;
+ int err = 0, len, cid = -1;
+ struct fastrpc_channel_ctx *channel_ctx = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ channel_ctx = &fl->apps->channel[fl->cid];
VERIFY(err, NULL != channel_ctx->chan);
- if (err)
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
msg->pid = fl->tgid;
msg->tid = current->pid;
if (fl->sessionid)
@@ -1974,11 +1998,22 @@
{
struct smq_invoke_ctx *ctx = NULL;
struct fastrpc_ioctl_invoke *invoke = &inv->inv;
- int cid = fl->cid;
- int interrupted = 0;
- int err = 0;
+ int err = 0, cid = -1, interrupted = 0;
struct timespec invoket = {0};
- int64_t *perf_counter = getperfcounter(fl, PERF_COUNT);
+ int64_t *perf_counter = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ VERIFY(err, fl->sctx != NULL);
+ if (err) {
+ err = -EBADR;
+ goto bail;
+ }
+ perf_counter = getperfcounter(fl, PERF_COUNT);
if (fl->profile)
getnstimeofday(&invoket);
@@ -1992,13 +2027,6 @@
}
}
- VERIFY(err, fl->sctx != NULL);
- if (err)
- goto bail;
- VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS);
- if (err)
- goto bail;
-
if (!kernel) {
VERIFY(err, 0 == context_restore_interrupted(fl, inv,
&ctx));
@@ -3408,7 +3436,7 @@
static int fastrpc_channel_open(struct fastrpc_file *fl)
{
struct fastrpc_apps *me = &gfa;
- int cid, ii, err = 0;
+ int cid = -1, ii, err = 0;
mutex_lock(&me->smd_mutex);
@@ -3416,9 +3444,11 @@
if (err)
goto bail;
cid = fl->cid;
- VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
- if (err)
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
if (me->channel[cid].ssrcount !=
me->channel[cid].prevssrcount) {
if (!me->channel[cid].issubsystemup) {
diff --git a/drivers/input/misc/qti-haptics.c b/drivers/input/misc/qti-haptics.c
index a2c8e76..11d23e5 100644
--- a/drivers/input/misc/qti-haptics.c
+++ b/drivers/input/misc/qti-haptics.c
@@ -251,6 +251,13 @@
{REG_HAP_EN_CTL1, 0x80}, /* Enable haptics driver */
};
+static struct hap_addr_val twm_cfg[] = {
+ {REG_HAP_PLAY, 0x00}, /* Stop playing haptics waveform */
+ {REG_HAP_SEL, 0x00}, /* Configure for cmd mode */
+ {REG_HAP_EN_CTL1, 0x00}, /* Enable haptics driver */
+ {REG_HAP_PERPH_RESET_CTL3, 0x0D}, /* Disable SHUTDOWN1_RB reset */
+};
+
static int wf_repeat[8] = {1, 2, 4, 8, 16, 32, 64, 128};
static int wf_s_repeat[4] = {1, 2, 4, 8};
@@ -1058,20 +1065,30 @@
qti_haptics_config_vmax(chip, play->vmax_mv);
}
-static int qti_haptics_twm_config(struct qti_hap_chip *chip)
+static int qti_haptics_twm_config(struct qti_hap_chip *chip, bool ext_pin)
{
- int rc, i;
+ int rc = 0, i;
- for (i = 0; i < ARRAY_SIZE(twm_ext_cfg); i++) {
- rc = qti_haptics_write(chip, twm_ext_cfg[i].addr,
- &twm_ext_cfg[i].value, 1);
- if (rc < 0) {
- dev_err(chip->dev, "Haptics TWM config failed, rc=%d\n",
- rc);
- return rc;
+ if (ext_pin) {
+ for (i = 0; i < ARRAY_SIZE(twm_ext_cfg); i++) {
+ rc = qti_haptics_write(chip, twm_ext_cfg[i].addr,
+ &twm_ext_cfg[i].value, 1);
+ if (rc < 0)
+ break;
+ }
+ } else {
+ for (i = 0; i < ARRAY_SIZE(twm_cfg); i++) {
+ rc = qti_haptics_write(chip, twm_cfg[i].addr,
+ &twm_cfg[i].value, 1);
+ if (rc < 0)
+ break;
}
}
- pr_debug("Enabled haptics for TWM mode\n");
+
+ if (rc < 0)
+ pr_err("Failed to write twm_config rc=%d\n", rc);
+ else
+ pr_debug("Enabled haptics for TWM mode\n");
return 0;
}
@@ -2033,7 +2050,6 @@
{
struct qti_hap_chip *chip = dev_get_drvdata(&pdev->dev);
int rc;
- bool enable_haptics_twm;
dev_dbg(chip->dev, "Shutdown!\n");
@@ -2049,10 +2065,8 @@
chip->vdd_enabled = false;
}
- enable_haptics_twm = chip->haptics_ext_pin_twm && twm_sys_enable;
-
- if (chip->twm_state == PMIC_TWM_ENABLE && enable_haptics_twm) {
- rc = qti_haptics_twm_config(chip);
+ if (chip->twm_state == PMIC_TWM_ENABLE && twm_sys_enable) {
+ rc = qti_haptics_twm_config(chip, chip->haptics_ext_pin_twm);
if (rc < 0)
pr_err("Haptics TWM config failed rc=%d\n", rc);
}
diff --git a/drivers/soc/qcom/bgcom_spi.c b/drivers/soc/qcom/bgcom_spi.c
index a6a176a..ff07a32 100644
--- a/drivers/soc/qcom/bgcom_spi.c
+++ b/drivers/soc/qcom/bgcom_spi.c
@@ -1050,6 +1050,7 @@
{
struct bg_spi_priv *bg_spi = spi_get_drvdata(spi);
+ bg_com_drv = NULL;
mutex_destroy(&bg_spi->xfer_mutex);
devm_kfree(&spi->dev, bg_spi);
spi_set_drvdata(spi, NULL);