From: Greg Kroah-Hartman Date: Mon, 20 Dec 2021 11:05:12 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.296~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5eb459aad8608a244533321ac8c114933ce2dc65;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch net-systemport-add-global-locking-for-descriptor-lifecycle.patch
---
diff --git a/queue-4.9/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch b/queue-4.9/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
new file mode 100644
index 00000000000..03d514ee241
--- /dev/null
+++ b/queue-4.9/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
@@ -0,0 +1,55 @@
+From 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Thu, 9 Dec 2021 12:04:56 +0000
+Subject: firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+From: Sudeep Holla
+
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+Reported-by: Pedro Batista
+Signed-off-by: Sudeep Holla
+Cc: stable@vger.kernel.org
+Cc: Cristian Marussi
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/scpi_pm_domain.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@ -27,7 +27,6 @@ struct scpi_pm_domain {
+ struct generic_pm_domain genpd;
+ struct scpi_ops *ops;
+ u32 domain;
+- char name[30];
+ };
+
+ /*
+@@ -121,8 +120,13 @@ static int scpi_pm_domain_probe(struct p
+
+ scpi_pd->domain = i;
+ scpi_pd->ops = scpi_ops;
+- sprintf(scpi_pd->name, "%s.%d", np->name, i);
+- scpi_pd->genpd.name = scpi_pd->name;
++ scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++ "%s.%d", np->name, i);
++ if (!scpi_pd->genpd.name) {
++ dev_err(dev, "Failed to allocate genpd name:%s.%d\n",
++ np->name, i);
++ continue;
++ }
+ scpi_pd->genpd.power_off = scpi_pd_power_off;
+ scpi_pd->genpd.power_on = scpi_pd_power_on;
+
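Review bot: The `continue` taken when devm_kasprintf fails in scpi_pm_domain_probe leaves that scpi_pd half set up: genpd.name is NULL and the power_off/power_on assignments after the check are skipped, along with whatever the rest of the loop body does outside the hunk. If the loop has already stored this genpd in the provider's table before these lines (not visible here), a consumer could later be handed a domain that was never initialised. I would either fail the probe with `return -ENOMEM;` after confirming that domains set up by earlier iterations are unwound, or keep the skip and say why it is safe, e.g. `/* domain i is left unregistered; lookups for it must fail */`.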
diff --git a/queue-4.9/net-systemport-add-global-locking-for-descriptor-lifecycle.patch b/queue-4.9/net-systemport-add-global-locking-for-descriptor-lifecycle.patch
new file mode 100644
index 00000000000..a09b5e5c229
--- /dev/null
+++ b/queue-4.9/net-systemport-add-global-locking-for-descriptor-lifecycle.patch
@@ -0,0 +1,77 @@
+From 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Wed, 15 Dec 2021 12:24:49 -0800
+Subject: net: systemport: Add global locking for descriptor lifecycle
+
+From: Florian Fainelli
+
+commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 upstream.
+
+The descriptor list is a shared resource across all of the transmit queues, and
+the locking mechanism used today only protects concurrency across a given
+transmit queue between the transmit and reclaiming. This creates an opportunity
+for the SYSTEMPORT hardware to work on corrupted descriptors if we have
+multiple producers at once which is the case when using multiple transmit
+queues.
+
+This was particularly noticeable when using multiple flows/transmit queues and
+it showed up in interesting ways in that UDP packets would get a correct UDP
+header checksum being calculated over an incorrect packet length. Similarly TCP
+packets would get an equally correct checksum computed by the hardware over an
+incorrect packet length.
+
+The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
+when the driver produces a new descriptor anytime it writes to the
+WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
+re-organize its descriptors and it is possible that concurrent TX queues
+eventually break this internal allocation scheme to the point where the
+length/status part of the descriptor gets used for an incorrect data buffer.
+
+The fix is to impose a global serialization for all TX queues in the short
+section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
+the corruption even with multiple concurrent TX queues being used.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 5 +++++
+ drivers/net/ethernet/broadcom/bcmsysport.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -90,9 +90,13 @@ static inline void tdma_port_write_desc_
+ struct dma_desc *desc,
+ unsigned int port)
+ {
++ unsigned long desc_flags;
++
+ /* Ports are latched, so write upper address first */
++ spin_lock_irqsave(&priv->desc_lock, desc_flags);
+ tdma_writel(priv, desc->addr_status_len, TDMA_WRITE_PORT_HI(port));
+ tdma_writel(priv, desc->addr_lo, TDMA_WRITE_PORT_LO(port));
++ spin_unlock_irqrestore(&priv->desc_lock, desc_flags);
+ }
+
+ /* Ethtool operations */
+@@ -1587,6 +1591,7 @@ static int bcm_sysport_open(struct net_d
+ }
+
+ /* Initialize both hardware and software ring */
++ spin_lock_init(&priv->desc_lock);
+ for (i = 0; i < dev->num_tx_queues; i++) {
+ ret = bcm_sysport_init_tx_ring(priv, i);
+ if (ret) {
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -660,6 +660,7 @@ struct bcm_sysport_priv {
+ int wol_irq;
+
+ /* Transmit rings */
++ spinlock_t desc_lock;
+ struct bcm_sysport_tx_ring tx_rings[TDMA_NUM_RINGS];
+
+ /* Receive queue */
diff --git a/queue-4.9/series b/queue-4.9/series
index a0106000857..36aa72cca42 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
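Review bot: `spin_lock_init(&priv->desc_lock)` is placed in bcm_sysport_open, so the lock is re-initialised on every open of the interface rather than once when priv is set up. That is only safe if nothing can reach tdma_port_write_desc_addr while an open is in progress, which the hunks do not show; bcm_sysport_open continues outside the hunk. Moving the init to the one-time setup of priv would remove that dependency. The new field would also benefit from a comment stating what it protects, e.g. `/* serialises TDMA_WRITE_PORT_{HI,LO} writes across all TX rings */`, and the existing "Ports are latched" comment now sits above the lock call rather than the two writes it describes.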
@@ -16,3 +16,5 @@ usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
 pci-msi-clear-pci_msix_flags_maskall-on-error.patch
 usb-serial-option-add-telit-fn990-compositions.patch
 timekeeping-really-make-sure-wall_to_monotonic-isn-t-positive.patch
+net-systemport-add-global-locking-for-descriptor-lifecycle.patch
+firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch