3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Oct 2014 19:35:33 +0000 (12:35 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Oct 2014 19:35:33 +0000 (12:35 -0700)
added patches:
i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
i2c-ismt-use-correct-length-when-copy-buffer.patch
i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch

queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch [new file with mode: 0644]
queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch [new file with mode: 0644]
queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch [new file with mode: 0644]
queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch b/queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
new file mode 100644 (file)
index 0000000..f247841
--- /dev/null
@@ -0,0 +1,87 @@
+From 75b81f339c6af43f6f4a1b3eabe0603321dade65 Mon Sep 17 00:00:00 2001
+From: Marek Roszko <mark.roszko@gmail.com>
+Date: Wed, 20 Aug 2014 21:39:41 -0400
+Subject: i2c: at91: add bound checking on SMBus block length bytes
+
+From: Marek Roszko <mark.roszko@gmail.com>
+
+commit 75b81f339c6af43f6f4a1b3eabe0603321dade65 upstream.
+
+The driver was not bound checking the received length byte to ensure it was within the
+the buffer size that is allocated for SMBus blocks. This resulted in buffer overflows
+whenever an invalid length byte was received.
+It also failed to ensure the length byte was not zero. If it received zero, it would end up
+in an infinite loop as the at91_twi_read_next_byte function returned immediately without
+allowing RHR to be read to clear the RXRDY interrupt.
+
+Tested agaisnt a SMBus compliant battery.
+
+Signed-off-by: Marek Roszko <mark.roszko@gmail.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-at91.c |   28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -101,6 +101,7 @@ struct at91_twi_dev {
+       unsigned twi_cwgr_reg;
+       struct at91_twi_pdata *pdata;
+       bool use_dma;
++      bool recv_len_abort;
+       struct at91_twi_dma dma;
+ };
+@@ -267,12 +268,24 @@ static void at91_twi_read_next_byte(stru
+       *dev->buf = at91_twi_read(dev, AT91_TWI_RHR) & 0xff;
+       --dev->buf_len;
++      /* return if aborting, we only needed to read RHR to clear RXRDY*/
++      if (dev->recv_len_abort)
++              return;
++
+       /* handle I2C_SMBUS_BLOCK_DATA */
+       if (unlikely(dev->msg->flags & I2C_M_RECV_LEN)) {
+-              dev->msg->flags &= ~I2C_M_RECV_LEN;
+-              dev->buf_len += *dev->buf;
+-              dev->msg->len = dev->buf_len + 1;
+-              dev_dbg(dev->dev, "received block length %d\n", dev->buf_len);
++              /* ensure length byte is a valid value */
++              if (*dev->buf <= I2C_SMBUS_BLOCK_MAX && *dev->buf > 0) {
++                      dev->msg->flags &= ~I2C_M_RECV_LEN;
++                      dev->buf_len += *dev->buf;
++                      dev->msg->len = dev->buf_len + 1;
++                      dev_dbg(dev->dev, "received block length %d\n",
++                                       dev->buf_len);
++              } else {
++                      /* abort and send the stop by reading one more byte */
++                      dev->recv_len_abort = true;
++                      dev->buf_len = 1;
++              }
+       }
+       /* send stop if second but last byte has been read */
+@@ -444,6 +457,12 @@ static int at91_do_twi_transfer(struct a
+               ret = -EIO;
+               goto error;
+       }
++      if (dev->recv_len_abort) {
++              dev_err(dev->dev, "invalid smbus block length recvd\n");
++              ret = -EPROTO;
++              goto error;
++      }
++
+       dev_dbg(dev->dev, "transfer complete\n");
+       return 0;
+@@ -500,6 +519,7 @@ static int at91_twi_xfer(struct i2c_adap
+       dev->buf_len = m_start->len;
+       dev->buf = m_start->buf;
+       dev->msg = m_start;
++      dev->recv_len_abort = false;
+       ret = at91_do_twi_transfer(dev);
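Review bot: The new length check in at91_twi_read_next_byte compares the device-supplied byte against the protocol constant `I2C_SMBUS_BLOCK_MAX`, not against the actual capacity of `dev->buf`. It is therefore only safe if every caller that sets `I2C_M_RECV_LEN` supplies a buffer sized for a maximum-length block; that allocation is not visible in the hunk. I would record the assumption next to the check, e.g. `/* relies on msg->buf having room for the length byte plus I2C_SMBUS_BLOCK_MAX data bytes */`. Separately, the `dev_err()` added in at91_do_twi_transfer fires on every transfer where the device returns a bad length, so a faulty device can fill the kernel log; `dev_err_ratelimited(dev->dev, "invalid smbus block length recvd\n");` would bound that. Both functions start and end outside the hunks shown.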
diff --git a/queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch b/queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
new file mode 100644 (file)
index 0000000..0ccff5c
--- /dev/null
@@ -0,0 +1,47 @@
+From 6721f28a26efd6368497abbdef5dcfc59608d899 Mon Sep 17 00:00:00 2001
+From: Simon Lindgren <simon@aqwary.com>
+Date: Tue, 26 Aug 2014 21:13:24 +0200
+Subject: i2c: at91: Fix a race condition during signal handling in at91_do_twi_xfer.
+
+From: Simon Lindgren <simon@aqwary.com>
+
+commit 6721f28a26efd6368497abbdef5dcfc59608d899 upstream.
+
+There is a race condition in at91_do_twi_xfer when signals arrive.
+If a signal is recieved while waiting for a transfer to complete
+wait_for_completion_interruptible_timeout() will return -ERESTARTSYS.
+This is not handled correctly resulting in interrupts still being
+enabled and a transfer being in flight when we return.
+
+Symptoms include a range of oopses and bus lockups. Oopses can happen
+when the transfer completes because the interrupt handler will corrupt
+the stack. If a new transfer is started before the interrupt fires
+the controller will start a new transfer in the middle of the old one,
+resulting in confused slaves and a locked bus.
+
+To avoid this, use wait_for_completion_io_timeout instead so that we
+don't have to deal with gracefully shutting down the transfer and
+disabling the interrupts.
+
+Signed-off-by: Simon Lindgren <simon@aqwary.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-at91.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -434,8 +434,8 @@ static int at91_do_twi_transfer(struct a
+               }
+       }
+-      ret = wait_for_completion_interruptible_timeout(&dev->cmd_complete,
+-                                                      dev->adapter.timeout);
++      ret = wait_for_completion_io_timeout(&dev->cmd_complete,
++                                           dev->adapter.timeout);
+       if (ret == 0) {
+               dev_err(dev->dev, "controller timed out\n");
+               at91_init_twi_bus(dev);
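Review bot: The switch to `wait_for_completion_io_timeout()` in at91_do_twi_transfer has no comment saying the wait is uninterruptible on purpose, so a later cleanup could turn it back into the interruptible variant and reintroduce the race. I would add above the call `/* Not interruptible on purpose: returning on a signal would leave interrupts enabled and a transfer in flight */`. This variant returns 0 on timeout and a positive remaining time otherwise, so any `ret < 0` handling after the wait (outside the hunk, if present) is now dead code and could be dropped in a follow-up.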
diff --git a/queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch b/queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch
new file mode 100644 (file)
index 0000000..bd1950f
--- /dev/null
@@ -0,0 +1,42 @@
+From 979bbf7b7ae75cfc06e09d09eda38009a3bdc4a4 Mon Sep 17 00:00:00 2001
+From: Fan Du <fan.du@intel.com>
+Date: Tue, 16 Sep 2014 17:21:04 +0800
+Subject: i2c: ismt: use correct length when copy buffer
+
+From: Fan Du <fan.du@intel.com>
+
+commit 979bbf7b7ae75cfc06e09d09eda38009a3bdc4a4 upstream.
+
+In block write mode, when encapsulating dma_buffer, first element is
+'command', the rest is data buffer, so only copy actual data buffer
+starting from block[1] with the size indicating by block[0].
+
+Signed-off-by: Fan Du <fan.du@intel.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -497,7 +497,7 @@ static int ismt_access(struct i2c_adapte
+                       desc->wr_len_cmd = dma_size;
+                       desc->control |= ISMT_DESC_BLK;
+                       priv->dma_buffer[0] = command;
+-                      memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
++                      memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
+               } else {
+                       /* Block Read */
+                       dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA:  READ\n");
+@@ -525,7 +525,7 @@ static int ismt_access(struct i2c_adapte
+                       desc->wr_len_cmd = dma_size;
+                       desc->control |= ISMT_DESC_I2C;
+                       priv->dma_buffer[0] = command;
+-                      memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
++                      memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
+               } else {
+                       /* i2c Block Read */
+                       dev_dbg(dev, "I2C_SMBUS_I2C_BLOCK_DATA:  READ\n");
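Review bot: Both memcpy() calls in ismt_access now copy `dma_size - 1` bytes, but nothing in either hunk bounds that length against the size of `priv->dma_buffer` or `data->block`. The commit message says the size is the one indicated by `block[0]`, which the caller supplies; the assignment of `dma_size` is outside the hunk, so if it is derived from that byte without a range check, an oversized value would still overrun the copy. A guard ahead of the write branches such as `if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) return -EINVAL;` would reject zero-length and oversized blocks before either memcpy() runs.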
diff --git a/queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch b/queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
new file mode 100644 (file)
index 0000000..13e0148
--- /dev/null
@@ -0,0 +1,46 @@
+From 0ce4bc1dbdd911ae1763e2d4ff36bd1b214a59f7 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Mon, 1 Sep 2014 22:28:13 +0800
+Subject: i2c: mv64xxx: continue probe when clock-frequency is missing
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 0ce4bc1dbdd911ae1763e2d4ff36bd1b214a59f7 upstream.
+
+The "clock-frequency" DT property is listed as optional, However,
+the current code stores the return value of of_property_read_u32 in
+the return code of mv64xxx_of_config, but then forgets to clear it
+after setting the default value of "clock-frequency". It is then
+passed out to the main probe function, resulting in a probe failure
+when "clock-frequency" is missing.
+
+This patch checks and then throws away the return value of
+of_property_read_u32, instead of storing it and having to clear it
+afterwards.
+
+This issue was discovered after the property was removed from all
+sunxi DTs.
+
+Fixes: 4c730a06c19bb ("i2c: mv64xxx: Set bus frequency to 100kHz if clock-frequency is not provided")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-mv64xxx.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -748,8 +748,7 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+       }
+       tclk = clk_get_rate(drv_data->clk);
+-      rc = of_property_read_u32(np, "clock-frequency", &bus_freq);
+-      if (rc)
++      if (of_property_read_u32(np, "clock-frequency", &bus_freq))
+               bus_freq = 100000; /* 100kHz by default */
+       if (!mv64xxx_find_baud_factors(bus_freq, tclk,
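Review bot: The new `if (of_property_read_u32(np, "clock-frequency", &bus_freq))` in mv64xxx_of_config treats every error return alike, so a property that is present but malformed now falls back to 100 kHz silently, the same as a missing one. That is probably acceptable for an optional property, but it should be stated so the next reader does not take it for an oversight: `/* optional: any read failure (missing or malformed) selects the 100kHz default */`. The function body continues outside the hunk, so I cannot tell whether `rc` is still assigned on every path that returns it.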
index 349869ac8251732736ca51a2a56d8af54fd6ffd5..54c22e75b34d4c84e96bb0625ab41aa8a88b93a4 100644 (file)
@@ -32,3 +32,7 @@ arm64-flush-tls-registers-during-exec.patch
 arm64-use-irq_set_affinity-with-force-false-when-migrating-irqs.patch
 arm-arm64-kvm-complete-wfi-wfe-instructions.patch
 arm-arm64-kvm-nuke-hyp-mode-tlbs-before-enabling-mmu.patch
+i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
+i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
+i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
+i2c-ismt-use-correct-length-when-copy-buffer.patch