From: Greg Kroah-Hartman
Date: Tue, 27 Jun 2017 12:19:47 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.59~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eac43d9e6d5a66816bfaad94609166b628a3261e;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
net-phy-fix-marvell-phy-status-reading.patch
net-phy-initialize-mdio-clock-at-probe-function.patch
nvme-apply-delay_before_chk_rdy-quirk-at-probe-time-too.patch
nvme-quirk-add-a-delay-before-checking-for-adapter-readiness.patch
usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
---
diff --git a/queue-4.4/net-phy-fix-marvell-phy-status-reading.patch b/queue-4.4/net-phy-fix-marvell-phy-status-reading.patch
new file mode 100644
index 00000000000..be111ed28cf
--- /dev/null
+++ b/queue-4.4/net-phy-fix-marvell-phy-status-reading.patch
@@ -0,0 +1,40 @@
+From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 30 May 2017 16:21:51 +0100
+Subject: net: phy: fix marvell phy status reading
+
+From: Russell King
+
+commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.
+
+The Marvell driver incorrectly provides phydev->lp_advertising as the
+logical and of the link partner's advert and our advert. This is
+incorrect - this field is supposed to store the link parter's unmodified
+advertisment.
+
+This allows ethtool to report the correct link partner auto-negotiation
+status.
+
+Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
+Signed-off-by: Russell King
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/phy/marvell.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -822,8 +822,6 @@ static int marvell_read_status(struct ph
+ phydev->lp_advertising = mii_stat1000_to_ethtool_lpa_t(lpagb) |
+ mii_lpa_to_ethtool_lpa_t(lpa);
+
+- lpa &= adv;
+-
+ if (status & MII_M1011_PHY_STATUS_FULLDUPLEX)
+ phydev->duplex = DUPLEX_FULL;
+ else
diff --git a/queue-4.4/net-phy-initialize-mdio-clock-at-probe-function.patch b/queue-4.4/net-phy-initialize-mdio-clock-at-probe-function.patch
new file mode 100644
index 00000000000..bb7c4162b76
--- /dev/null
+++ b/queue-4.4/net-phy-initialize-mdio-clock-at-probe-function.patch
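Review bot: In the marvell_read_status hunk the `phydev->lp_advertising` assignment sits above the deleted `lpa &= adv;`, so in this 4.4 context that field was already built from the unmasked `lpa`, and the deletion only changes later readers of `lpa`, which are outside the hunk. The backport would be easier to audit with a bracketed changelog note saying so, e.g. `[backport: lp_advertising is already set before the mask in 4.4; this only affects later uses of lpa]`. It is also worth checking whether `adv` still has a reader after this change; if it does not, its register read is dead code. marvell_read_status starts and ends outside the hunk.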
@@ -0,0 +1,55 @@
+From bb1a619735b4660f21bce3e728b937640024b4ad Mon Sep 17 00:00:00 2001
+From: Yendapally Reddy Dhananjaya Reddy
+Date: Wed, 8 Feb 2017 17:14:26 -0500
+Subject: net: phy: Initialize mdio clock at probe function
+
+From: Yendapally Reddy Dhananjaya Reddy
+
+commit bb1a619735b4660f21bce3e728b937640024b4ad upstream.
+
+USB PHYs need the MDIO clock divisor enabled earlier to work.
+Initialize mdio clock divisor in probe function. The ext bus
+bit available in the same register will be used by mdio mux
+to enable external mdio.
+
+Signed-off-by: Yendapally Reddy Dhananjaya Reddy
+Fixes: ddc24ae1 ("net: phy: Broadcom iProc MDIO bus driver")
+Reviewed-by: Florian Fainelli
+Signed-off-by: Jon Mason
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/phy/mdio-bcm-iproc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/phy/mdio-bcm-iproc.c
++++ b/drivers/net/phy/mdio-bcm-iproc.c
+@@ -81,8 +81,6 @@ static int iproc_mdio_read(struct mii_bu
+ if (rc)
+ return rc;
+
+- iproc_mdio_config_clk(priv->base);
+-
+ /* Prepare the read operation */
+ cmd = (MII_DATA_TA_VAL << MII_DATA_TA_SHIFT) |
+ (reg << MII_DATA_RA_SHIFT) |
+@@ -112,8 +110,6 @@ static int iproc_mdio_write(struct mii_b
+ if (rc)
+ return rc;
+
+- iproc_mdio_config_clk(priv->base);
+-
+ /* Prepare the write operation */
+ cmd = (MII_DATA_TA_VAL << MII_DATA_TA_SHIFT) |
+ (reg << MII_DATA_RA_SHIFT) |
+@@ -163,6 +159,8 @@ static int iproc_mdio_probe(struct platf
+ bus->read = iproc_mdio_read;
+ bus->write = iproc_mdio_write;
+
++ iproc_mdio_config_clk(priv->base);
++
+ rc = of_mdiobus_register(bus, pdev->dev.of_node);
+ if (rc) {
+ dev_err(&pdev->dev, "MDIO bus registration failed\n");
diff --git a/queue-4.4/nvme-apply-delay_before_chk_rdy-quirk-at-probe-time-too.patch b/queue-4.4/nvme-apply-delay_before_chk_rdy-quirk-at-probe-time-too.patch
new file mode 100644
index 00000000000..c0dcea4f33d
--- /dev/null
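Review bot: After this change `iproc_mdio_config_clk(priv->base)` runs exactly once, in iproc_mdio_probe ahead of `of_mdiobus_register()`, and nothing visible in these hunks reprograms the divisor if the block later loses its register state, for example across suspend/resume or a block reset (whether the driver has such a path is not visible here). If it can lose state, the same call belongs in a resume handler, since the read and write paths no longer restore it. A short comment above the probe call, e.g. `/* program the MDIO clock divisor once, before the bus is registered */`, would record why the ordering matters. The three functions touched all start and end outside their hunks.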
+++ b/queue-4.4/nvme-apply-delay_before_chk_rdy-quirk-at-probe-time-too.patch 
@@ -0,0 +1,62 @@
+From b5a10c5f7532b7473776da87e67f8301bbc32693 Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli"
+Date: Wed, 28 Dec 2016 22:13:15 -0200
+Subject: nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too
+
+From: Guilherme G. Piccoli
+
+commit b5a10c5f7532b7473776da87e67f8301bbc32693 upstream.
+
+Commit 54adc01055b7 ("nvme/quirk: Add a delay before checking for adapter
+readiness") introduced a quirk to adapters that cannot read the bit
+NVME_CSTS_RDY right after register NVME_REG_CC is set; these adapters
+need a delay or else the action of reading the bit NVME_CSTS_RDY could
+somehow corrupt adapter's registers state and it never recovers.
+
+When this quirk was added, we checked ctrl->tagset in order to avoid
+quirking in probe time, supposing we would never require such delay
+during probe. Well, it was too optimistic; we in fact need this quirk
+at probe time in some cases, like after a kexec.
+
+In some experiments, after abnormal shutdown of machine (aka power cord
+unplug), we booted into our bootloader in Power, which is a Linux kernel,
+and kexec'ed into another distro. If this kexec is too quick, we end up
+reaching the probe of NVMe adapter in that distro when adapter is in
+bad state (not fully initialized on our bootloader). What happens next
+is that nvme_wait_ready() is unable to complete, except if the quirk is
+enabled.
+
+So, this patch removes the original ctrl->tagset verification in order
+to enable the quirk even on probe time.
+
+Fixes: 54adc01055b7 ("nvme/quirk: Add a delay before checking for adapter readiness")
+Reported-by: Andrew Byrne
+Reported-by: Jaime A. H. Gomez
+Reported-by: Zachary D. Myers
+Signed-off-by: Guilherme G. Piccoli
+Acked-by: Jeffrey Lien
+Signed-off-by: Christoph Hellwig
+[mauricfo: backport to v4.4.70 without nvme quirk handling & nvme_ctrl]
+Signed-off-by: Mauricio Faria de Oliveira
+Tested-by: Narasimhan Vaidyanathan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/pci.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1639,12 +1639,7 @@ static int nvme_disable_ctrl(struct nvme
+ dev->ctrl_config &= ~NVME_CC_ENABLE;
+ writel(dev->ctrl_config, &dev->bar->cc);
+
+- /* Checking for dev->tagset is a trick to avoid sleeping on module
+- * load, since we only need the quirk on reset_controller. Notice
+- * that the HGST device needs this delay only in firmware activation
+- * procedure; unfortunately we have no (easy) way to verify this.
+- */
+- if (pdev->vendor == 0x1c58 && pdev->device == 0x0003 && dev->tagset)
++ if (pdev->vendor == 0x1c58 && pdev->device == 0x0003)
+ msleep(NVME_QUIRK_DELAY_AMOUNT);
+
+ return nvme_wait_ready(dev, cap, false);
diff --git a/queue-4.4/nvme-quirk-add-a-delay-before-checking-for-adapter-readiness.patch b/queue-4.4/nvme-quirk-add-a-delay-before-checking-for-adapter-readiness.patch
new file mode 100644
index 00000000000..a6e0103a134
--- /dev/null
+++ b/queue-4.4/nvme-quirk-add-a-delay-before-checking-for-adapter-readiness.patch
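Review bot: With the block comment deleted, the condition `pdev->vendor == 0x1c58 && pdev->device == 0x0003` in nvme_disable_ctrl is left without any explanation, while the `msleep(NVME_QUIRK_DELAY_AMOUNT)` it guards now runs on every call for that device, probe included. The reason survives only in the changelog, so I would keep a short comment in place of the old one, e.g. `/* HGST adapter: must wait before polling CSTS.RDY, also at probe (e.g. after kexec) */`. nvme_disable_ctrl starts outside the hunk.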
@@ -0,0 +1,78 @@
+From 54adc01055b75ec8769c5a36574c7a0895c0c0b2 Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli"
+Date: Tue, 14 Jun 2016 18:22:41 -0300
+Subject: nvme/quirk: Add a delay before checking for adapter readiness
+
+From: Guilherme G. Piccoli
+
+commit 54adc01055b75ec8769c5a36574c7a0895c0c0b2 upstream.
+
+When disabling the controller, the specification says the register
+NVME_REG_CC should be written and then driver needs to wait the
+adapter to be ready, which is checked by reading another register
+bit (NVME_CSTS_RDY). There's a timeout validation in this checking,
+so in case this timeout is reached the driver gives up and removes
+the adapter from the system.
+
+After a firmware activation procedure, the PCI_DEVICE(0x1c58, 0x0003)
+(HGST adapter) end up being removed if we issue a reset_controller,
+because driver keeps verifying the NVME_REG_CSTS until the timeout is
+reached. This patch adds a necessary quirk for this adapter, by
+introducing a delay before nvme_wait_ready(), so the reset procedure
+is able to be completed. This quirk is needed because just increasing
+the timeout is not enough in case of this adapter - the driver must
+wait before start reading NVME_REG_CSTS register on this specific
+device.
+
+Signed-off-by: Guilherme G. Piccoli
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+[mauricfo: backport to v4.4.70 without nvme quirk handling & nvme_ctrl]
+Signed-off-by: Mauricio Faria de Oliveira
+Tested-by: Narasimhan Vaidyanathan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvme/host/nvme.h | 7 +++++++
+ drivers/nvme/host/pci.c | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -27,6 +27,13 @@ enum {
+ NVME_NS_LIGHTNVM = 1,
+ };
+
++/* The below value is the specific amount of delay needed before checking
++ * readiness in case of the PCI_DEVICE(0x1c58, 0x0003), which needs the
++ * NVME_QUIRK_DELAY_BEFORE_CHK_RDY quirk enabled. The value (in ms) was
++ * found empirically.
++ */
++#define NVME_QUIRK_DELAY_AMOUNT 2000
++
+ /*
+ * Represents an NVM Express device. Each nvme_dev is a PCI function.
+ */
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1633,10 +1633,20 @@ static int nvme_wait_ready(struct nvme_d
+ */
+ static int nvme_disable_ctrl(struct nvme_dev *dev, u64 cap)
+ {
++ struct pci_dev *pdev = to_pci_dev(dev->dev);
++
+ dev->ctrl_config &= ~NVME_CC_SHN_MASK;
+ dev->ctrl_config &= ~NVME_CC_ENABLE;
+ writel(dev->ctrl_config, &dev->bar->cc);
+
++ /* Checking for dev->tagset is a trick to avoid sleeping on module
++ * load, since we only need the quirk on reset_controller. Notice
++ * that the HGST device needs this delay only in firmware activation
++ * procedure; unfortunately we have no (easy) way to verify this.
++ */
++ if (pdev->vendor == 0x1c58 && pdev->device == 0x0003 && dev->tagset)
++ msleep(NVME_QUIRK_DELAY_AMOUNT);
++
+ return nvme_wait_ready(dev, cap, false);
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index cb9c8c58cd5..80fe1118c45 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -19,3 +19,8 @@ rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch
 of-add-check-to-of_scan_flat_dt-before-accessing-initial_boot_params.patch
 mtd-spi-nor-fix-spansion-quad-enable.patch
 powerpc-slb-force-a-full-slb-flush-when-we-insert-for-a-bad-ea.patch
+usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
+net-phy-initialize-mdio-clock-at-probe-function.patch
+net-phy-fix-marvell-phy-status-reading.patch
+nvme-quirk-add-a-delay-before-checking-for-adapter-readiness.patch
+nvme-apply-delay_before_chk_rdy-quirk-at-probe-time-too.patch
diff --git a/queue-4.4/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-4.4/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
new file mode 100644
index 00000000000..29b88d7733b
--- /dev/null
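Review bot: The comment added in nvme.h says the device "needs the NVME_QUIRK_DELAY_BEFORE_CHK_RDY quirk enabled", but nothing visible in this backport defines or tests a flag of that name; the pci.c hunk open-codes `pdev->vendor == 0x1c58 && pdev->device == 0x0003` instead, which matches the bracketed "without nvme quirk handling" backport note. The comment should describe what this tree actually does, e.g. `/* Delay (in ms, found empirically) before checking readiness on PCI_DEVICE(0x1c58, 0x0003); see nvme_disable_ctrl(). */`. The two ID literals would also read better as named constants next to NVME_QUIRK_DELAY_AMOUNT, so the match and its explanation stay together.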
+++ b/queue-4.4/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch 
@@ -0,0 +1,106 @@
+From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001
+From: William Wu
+Date: Tue, 25 Apr 2017 17:45:48 +0800
+Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc
+
+From: William Wu
+
+commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream.
+
+Companion descriptor is only used for SuperSpeed endpoints,
+if the endpoints are HighSpeed or FullSpeed, the Companion
+descriptor will not allocated, so we can only access it if
+gadget is SuperSpeed.
+
+I can reproduce this issue on Rockchip platform rk3368 SoC
+which supports USB 2.0, and use functionfs for ADB. Kernel
+build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
+the following BUG:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
+Read of size 1 by task swapper/0/0
+============================================================================
+BUG kmalloc-256 (Not tainted): kasan: bad access detected
+----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
+alloc_debug_processing+0x128/0x17c
+___slab_alloc.constprop.58+0x50c/0x610
+__slab_alloc.isra.55.constprop.57+0x24/0x34
+__kmalloc+0xe0/0x250
+ffs_func_bind+0x52c/0x99c
+usb_add_function+0xd8/0x1d4
+configfs_composite_bind+0x48c/0x570
+udc_bind_to_driver+0x6c/0x170
+usb_udc_attach_driver+0xa4/0xd0
+gadget_dev_desc_UDC_store+0xcc/0x118
+configfs_write_file+0x1a0/0x1f8
+__vfs_write+0x64/0x174
+vfs_write+0xe4/0x200
+SyS_write+0x68/0xc8
+el0_svc_naked+0x24/0x28
+INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
+...
+Call trace:
+[] dump_backtrace+0x0/0x230
+[] show_stack+0x14/0x1c
+[] dump_stack+0xa0/0xc8
+[] print_trailer+0x188/0x198
+[] object_err+0x3c/0x4c
+[] kasan_report+0x324/0x4dc
+[] __asan_load1+0x24/0x50
+[] ffs_func_set_alt+0x224/0x3a0
+[] composite_setup+0xdcc/0x1ac8
+[] android_setup+0x124/0x1a0
+[] _setup+0x54/0x74
+[] handle_ep0+0x3288/0x4390
+[] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
+[] dwc_otg_pcd_handle_intr+0x1ec/0x298
+[] dwc_otg_pcd_irq+0x10/0x20
+[] handle_irq_event_percpu+0x124/0x3ac
+[] handle_irq_event+0x60/0xa0
+[] handle_fasteoi_irq+0x10c/0x1d4
+[] generic_handle_irq+0x30/0x40
+[] __handle_domain_irq+0xac/0xdc
+[] gic_handle_irq+0x64/0xa4
+...
+Memory state around the buggy address:
+ ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
+ >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: William Wu
+Signed-off-by: Felipe Balbi
+Cc: Jerry Zhang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_fs.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1668,12 +1668,12 @@ static int ffs_func_eps_enable(struct ff
+ ep->ep->driver_data = ep;
+ ep->ep->desc = ds;
+
+- comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
+- USB_DT_ENDPOINT_SIZE);
+- ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+-
+- if (needs_comp_desc)
++ if (needs_comp_desc) {
++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++ USB_DT_ENDPOINT_SIZE);
++ ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+ ep->ep->comp_desc = comp_desc;
++ }
+
+ ret = usb_ep_enable(ep->ep);
+ if (likely(!ret)) {
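Review bot: Inside the new `if (needs_comp_desc)` block the companion descriptor is still located with `ds + USB_DT_ENDPOINT_SIZE`; if `ds` is declared as a typed endpoint-descriptor pointer (its declaration is outside the hunk), that addition advances by USB_DT_ENDPOINT_SIZE elements rather than bytes, and the `comp_desc->bMaxBurst` read can still land outside the allocation on a SuperSpeed gadget. The patch removes the unconditional read that KASAN reported, but it does not change how the address is computed. Worth confirming the type of `ds`; if it is not a byte pointer, take the offset in bytes, `comp_desc = (struct usb_ss_ep_comp_descriptor *)((u8 *)ds + USB_DT_ENDPOINT_SIZE);`. ffs_func_eps_enable starts and ends outside the hunk.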