From: Greg Kroah-Hartman
Date: Thu, 2 Oct 2014 19:35:33 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.16.4~82
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ac61cecba803c3e0e43b2e668c1e16e57e3aa95;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
i2c-ismt-use-correct-length-when-copy-buffer.patch
i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
---
diff --git a/queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch b/queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
new file mode 100644
index 00000000000..f2478412c28
--- /dev/null
+++ b/queue-3.14/i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
@@ -0,0 +1,87 @@
+From 75b81f339c6af43f6f4a1b3eabe0603321dade65 Mon Sep 17 00:00:00 2001
+From: Marek Roszko
+Date: Wed, 20 Aug 2014 21:39:41 -0400
+Subject: i2c: at91: add bound checking on SMBus block length bytes
+
+From: Marek Roszko
+
+commit 75b81f339c6af43f6f4a1b3eabe0603321dade65 upstream.
+
+The driver was not bound checking the received length byte to ensure it was within the
+the buffer size that is allocated for SMBus blocks. This resulted in buffer overflows
+whenever an invalid length byte was received.
+It also failed to ensure the length byte was not zero. If it received zero, it would end up
+in an infinite loop as the at91_twi_read_next_byte function returned immediately without
+allowing RHR to be read to clear the RXRDY interrupt.
+
+Tested agaisnt a SMBus compliant battery.
+
+Signed-off-by: Marek Roszko
+Acked-by: Ludovic Desroches
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-at91.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -101,6 +101,7 @@ struct at91_twi_dev {
+ unsigned twi_cwgr_reg;
+ struct at91_twi_pdata *pdata;
+ bool use_dma;
++ bool recv_len_abort;
+ struct at91_twi_dma dma;
+ };
+
+@@ -267,12 +268,24 @@ static void at91_twi_read_next_byte(stru
+ *dev->buf = at91_twi_read(dev, AT91_TWI_RHR) & 0xff;
+ --dev->buf_len;
+
++ /* return if aborting, we only needed to read RHR to clear RXRDY*/
++ if (dev->recv_len_abort)
++ return;
++
+ /* handle I2C_SMBUS_BLOCK_DATA */
+ if (unlikely(dev->msg->flags & I2C_M_RECV_LEN)) {
+- dev->msg->flags &= ~I2C_M_RECV_LEN;
+- dev->buf_len += *dev->buf;
+- dev->msg->len = dev->buf_len + 1;
+- dev_dbg(dev->dev, "received block length %d\n", dev->buf_len);
++ /* ensure length byte is a valid value */
++ if (*dev->buf <= I2C_SMBUS_BLOCK_MAX && *dev->buf > 0) {
++ dev->msg->flags &= ~I2C_M_RECV_LEN;
++ dev->buf_len += *dev->buf;
++ dev->msg->len = dev->buf_len + 1;
++ dev_dbg(dev->dev, "received block length %d\n",
++ dev->buf_len);
++ } else {
++ /* abort and send the stop by reading one more byte */
++ dev->recv_len_abort = true;
++ dev->buf_len = 1;
++ }
+ }
+
+ /* send stop if second but last byte has been read */
+@@ -444,6 +457,12 @@ static int at91_do_twi_transfer(struct a
+ ret = -EIO;
+ goto error;
+ }
++ if (dev->recv_len_abort) {
++ dev_err(dev->dev, "invalid smbus block length recvd\n");
++ ret = -EPROTO;
++ goto error;
++ }
++
+ dev_dbg(dev->dev, "transfer complete\n");
+
+ return 0;
+@@ -500,6 +519,7 @@ static int at91_twi_xfer(struct i2c_adap
+ dev->buf_len = m_start->len;
+ dev->buf = m_start->buf;
+ dev->msg = m_start;
++ dev->recv_len_abort = false;
+
+ ret = at91_do_twi_transfer(dev);
+
diff --git a/queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch b/queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
new file mode 100644
index 00000000000..0ccff5c8fe8
--- /dev/null
+++ b/queue-3.14/i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
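Review bot: The length check added to at91_twi_read_next_byte() covers only the byte-at-a-time receive path; the struct in the first nested hunk also carries `use_dma`, and nothing visible here shows whether an I2C_M_RECV_LEN message can ever be received through the DMA path, so that should be confirmed or guarded. On the abort path one more byte is still stored through `dev->buf` on the next call before the early return, which presumably stays inside the caller's buffer but deserves a comment saying so. The `-EPROTO` branch in at91_do_twi_transfer() fires as often as a device on the bus sends a bad length byte, so `dev_err_ratelimited(dev->dev, "invalid smbus block length recvd\n");` would keep a faulty or hostile peripheral from flooding the log. All three functions continue outside their hunks.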
@@ -0,0 +1,47 @@
+From 6721f28a26efd6368497abbdef5dcfc59608d899 Mon Sep 17 00:00:00 2001
+From: Simon Lindgren
+Date: Tue, 26 Aug 2014 21:13:24 +0200
+Subject: i2c: at91: Fix a race condition during signal handling in at91_do_twi_xfer.
+
+From: Simon Lindgren
+
+commit 6721f28a26efd6368497abbdef5dcfc59608d899 upstream.
+
+There is a race condition in at91_do_twi_xfer when signals arrive.
+If a signal is recieved while waiting for a transfer to complete
+wait_for_completion_interruptible_timeout() will return -ERESTARTSYS.
+This is not handled correctly resulting in interrupts still being
+enabled and a transfer being in flight when we return.
+
+Symptoms include a range of oopses and bus lockups. Oopses can happen
+when the transfer completes because the interrupt handler will corrupt
+the stack. If a new transfer is started before the interrupt fires
+the controller will start a new transfer in the middle of the old one,
+resulting in confused slaves and a locked bus.
+
+To avoid this, use wait_for_completion_io_timeout instead so that we
+don't have to deal with gracefully shutting down the transfer and
+disabling the interrupts.
+
+Signed-off-by: Simon Lindgren
+Acked-by: Ludovic Desroches
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-at91.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -434,8 +434,8 @@ static int at91_do_twi_transfer(struct a
+ }
+ }
+
+- ret = wait_for_completion_interruptible_timeout(&dev->cmd_complete,
+- dev->adapter.timeout);
++ ret = wait_for_completion_io_timeout(&dev->cmd_complete,
++ dev->adapter.timeout);
+ if (ret == 0) {
+ dev_err(dev->dev, "controller timed out\n");
+ at91_init_twi_bus(dev);
diff --git a/queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch b/queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch
new file mode 100644
index 00000000000..bd1950fdd72
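Review bot: The switch to `wait_for_completion_io_timeout()` in at91_do_twi_transfer() carries no comment, so the reason the wait must not be interruptible lives only in the commit message and a later cleanup could put the interruptible variant back. I would add above the call: `/* uninterruptible on purpose: returning on a signal would leave the IRQ enabled and the transfer in flight */`. The helper returns an unsigned long while `ret` is declared outside the hunk, presumably as int; the `ret == 0` timeout test still works, but the type is worth confirming. The function starts and ends outside the hunk.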
--- /dev/null
+++ b/queue-3.14/i2c-ismt-use-correct-length-when-copy-buffer.patch
@@ -0,0 +1,42 @@
+From 979bbf7b7ae75cfc06e09d09eda38009a3bdc4a4 Mon Sep 17 00:00:00 2001
+From: Fan Du
+Date: Tue, 16 Sep 2014 17:21:04 +0800
+Subject: i2c: ismt: use correct length when copy buffer
+
+From: Fan Du
+
+commit 979bbf7b7ae75cfc06e09d09eda38009a3bdc4a4 upstream.
+
+In block write mode, when encapsulating dma_buffer, first element is
+'command', the rest is data buffer, so only copy actual data buffer
+starting from block[1] with the size indicating by block[0].
+
+Signed-off-by: Fan Du
+Acked-by: Neil Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -497,7 +497,7 @@ static int ismt_access(struct i2c_adapte
+ desc->wr_len_cmd = dma_size;
+ desc->control |= ISMT_DESC_BLK;
+ priv->dma_buffer[0] = command;
+- memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
++ memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
+ } else {
+ /* Block Read */
+ dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: READ\n");
+@@ -525,7 +525,7 @@ static int ismt_access(struct i2c_adapte
+ desc->wr_len_cmd = dma_size;
+ desc->control |= ISMT_DESC_I2C;
+ priv->dma_buffer[0] = command;
+- memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
++ memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
+ } else {
+ /* i2c Block Read */
+ dev_dbg(dev, "I2C_SMBUS_I2C_BLOCK_DATA: READ\n");
diff --git a/queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch b/queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
new file mode 100644
index 00000000000..13e0148cf06
--- /dev/null
+++ b/queue-3.14/i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
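Review bot: Both corrected `memcpy()` calls in ismt_access() still take their length from `dma_size`, which per the commit message follows `data->block[0]`, and no range check on that byte is visible in either nested hunk. If the value is not validated before this point, a caller-supplied length above I2C_SMBUS_BLOCK_MAX could read past `data->block` and write past `priv->dma_buffer`, and a `dma_size` of 0 would make `dma_size - 1` wrap if the variable is unsigned. A guard ahead of the `dma_size` assignment, such as `if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) return -EINVAL;`, would close that. The assignment itself lies outside the hunks, so confirm the check is not already there.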
@@ -0,0 +1,46 @@
+From 0ce4bc1dbdd911ae1763e2d4ff36bd1b214a59f7 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai
+Date: Mon, 1 Sep 2014 22:28:13 +0800
+Subject: i2c: mv64xxx: continue probe when clock-frequency is missing
+
+From: Chen-Yu Tsai
+
+commit 0ce4bc1dbdd911ae1763e2d4ff36bd1b214a59f7 upstream.
+
+The "clock-frequency" DT property is listed as optional, However,
+the current code stores the return value of of_property_read_u32 in
+the return code of mv64xxx_of_config, but then forgets to clear it
+after setting the default value of "clock-frequency". It is then
+passed out to the main probe function, resulting in a probe failure
+when "clock-frequency" is missing.
+
+This patch checks and then throws away the return value of
+of_property_read_u32, instead of storing it and having to clear it
+afterwards.
+
+This issue was discovered after the property was removed from all
+sunxi DTs.
+
+Fixes: 4c730a06c19bb ("i2c: mv64xxx: Set bus frequency to 100kHz if clock-frequency is not provided")
+Signed-off-by: Chen-Yu Tsai
+Acked-by: Andrew Lunn
+Acked-by: Maxime Ripard
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-mv64xxx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -748,8 +748,7 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+ }
+ tclk = clk_get_rate(drv_data->clk);
+
+- rc = of_property_read_u32(np, "clock-frequency", &bus_freq);
+- if (rc)
++ if (of_property_read_u32(np, "clock-frequency", &bus_freq))
+ bus_freq = 100000; /* 100kHz by default */
+
+ if (!mv64xxx_find_baud_factors(bus_freq, tclk,
diff --git a/queue-3.14/series b/queue-3.14/series
index 349869ac825..54c22e75b34 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
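Review bot: In mv64xxx_of_config() every failure of `of_property_read_u32()` now selects the 100 kHz default, so a "clock-frequency" property that is present but malformed is handled exactly like an absent one and the misconfiguration goes unreported. I would keep the fallback but log a warning when the return value is anything other than the property-not-found error, so a bad device tree is visible at probe time. A value read successfully is passed to `mv64xxx_find_baud_factors()` with no range check in the visible lines; whether that helper rejects 0 cannot be seen from here and is worth confirming. The function starts and ends outside the hunk.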
@@ -32,3 +32,7 @@ arm64-flush-tls-registers-during-exec.patch
 arm64-use-irq_set_affinity-with-force-false-when-migrating-irqs.patch
 arm-arm64-kvm-complete-wfi-wfe-instructions.patch
 arm-arm64-kvm-nuke-hyp-mode-tlbs-before-enabling-mmu.patch
+i2c-mv64xxx-continue-probe-when-clock-frequency-is-missing.patch
+i2c-at91-add-bound-checking-on-smbus-block-length-bytes.patch
+i2c-at91-fix-a-race-condition-during-signal-handling-in-at91_do_twi_xfer.patch
+i2c-ismt-use-correct-length-when-copy-buffer.patch