From 3eb6f79cad6e7d4d1dece02d69b7b42124f0211b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 20 Dec 2021 12:05:27 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
	firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
	net-systemport-add-global-locking-for-descriptor-lifecycle.patch
---
 ...string-overflow-in-scpi-genpd-driver.patch | 55 +++++++++++++
 ...bal-locking-for-descriptor-lifecycle.patch | 77 +++++++++++++++++++
 queue-4.14/series                             |  2 +
 3 files changed, 134 insertions(+)
 create mode 100644 queue-4.14/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
 create mode 100644 queue-4.14/net-systemport-add-global-locking-for-descriptor-lifecycle.patch

diff --git a/queue-4.14/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch b/queue-4.14/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
new file mode 100644
index 00000000000..03d514ee241
--- /dev/null
+++ b/queue-4.14/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
@@ -0,0 +1,55 @@
+From 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 9 Dec 2021 12:04:56 +0000
+Subject: firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+Reported-by: Pedro Batista <pedbap.g@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/scpi_pm_domain.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@ -27,7 +27,6 @@ struct scpi_pm_domain {
+ 	struct generic_pm_domain genpd;
+ 	struct scpi_ops *ops;
+ 	u32 domain;
+-	char name[30];
+ };
+ 
+ /*
+@@ -121,8 +120,13 @@ static int scpi_pm_domain_probe(struct p
+ 
+ 		scpi_pd->domain = i;
+ 		scpi_pd->ops = scpi_ops;
+-		sprintf(scpi_pd->name, "%s.%d", np->name, i);
+-		scpi_pd->genpd.name = scpi_pd->name;
++		scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++						     "%s.%d", np->name, i);
++		if (!scpi_pd->genpd.name) {
++			dev_err(dev, "Failed to allocate genpd name:%s.%d\n",
++				np->name, i);
++			continue;
++		}
+ 		scpi_pd->genpd.power_off = scpi_pd_power_off;
+ 		scpi_pd->genpd.power_on = scpi_pd_power_on;
+ 
diff --git a/queue-4.14/net-systemport-add-global-locking-for-descriptor-lifecycle.patch b/queue-4.14/net-systemport-add-global-locking-for-descriptor-lifecycle.patch
new file mode 100644
index 00000000000..5e77a05d2bc
--- /dev/null
+++ b/queue-4.14/net-systemport-add-global-locking-for-descriptor-lifecycle.patch
@@ -0,0 +1,77 @@
+From 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 15 Dec 2021 12:24:49 -0800
+Subject: net: systemport: Add global locking for descriptor lifecycle
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 upstream.
+
+The descriptor list is a shared resource across all of the transmit queues, and
+the locking mechanism used today only protects concurrency across a given
+transmit queue between the transmit and reclaiming. This creates an opportunity
+for the SYSTEMPORT hardware to work on corrupted descriptors if we have
+multiple producers at once which is the case when using multiple transmit
+queues.
+
+This was particularly noticeable when using multiple flows/transmit queues and
+it showed up in interesting ways in that UDP packets would get a correct UDP
+header checksum being calculated over an incorrect packet length. Similarly TCP
+packets would get an equally correct checksum computed by the hardware over an
+incorrect packet length.
+
+The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
+when the driver produces a new descriptor anytime it writes to the
+WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
+re-organize its descriptors and it is possible that concurrent TX queues
+eventually break this internal allocation scheme to the point where the
+length/status part of the descriptor gets used for an incorrect data buffer.
+
+The fix is to impose a global serialization for all TX queues in the short
+section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
+the corruption even with multiple concurrent TX queues being used.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c |    5 +++++
+ drivers/net/ethernet/broadcom/bcmsysport.h |    1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -120,9 +120,13 @@ static inline void tdma_port_write_desc_
+ 					     struct dma_desc *desc,
+ 					     unsigned int port)
+ {
++	unsigned long desc_flags;
++
+ 	/* Ports are latched, so write upper address first */
++	spin_lock_irqsave(&priv->desc_lock, desc_flags);
+ 	tdma_writel(priv, desc->addr_status_len, TDMA_WRITE_PORT_HI(port));
+ 	tdma_writel(priv, desc->addr_lo, TDMA_WRITE_PORT_LO(port));
++	spin_unlock_irqrestore(&priv->desc_lock, desc_flags);
+ }
+ 
+ /* Ethtool operations */
+@@ -1880,6 +1884,7 @@ static int bcm_sysport_open(struct net_d
+ 	}
+ 
+ 	/* Initialize both hardware and software ring */
++	spin_lock_init(&priv->desc_lock);
+ 	for (i = 0; i < dev->num_tx_queues; i++) {
+ 		ret = bcm_sysport_init_tx_ring(priv, i);
+ 		if (ret) {
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -733,6 +733,7 @@ struct bcm_sysport_priv {
+ 	int			wol_irq;
+ 
+ 	/* Transmit rings */
++	spinlock_t		desc_lock;
+ 	struct bcm_sysport_tx_ring *tx_rings;
+ 
+ 	/* Receive queue */
diff --git a/queue-4.14/series b/queue-4.14/series
index 78e484b4a76..b920dc234a9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -28,3 +28,5 @@ pci-msi-mask-msi-x-vectors-only-on-success.patch
 usb-serial-option-add-telit-fn990-compositions.patch
 timekeeping-really-make-sure-wall_to_monotonic-isn-t-positive.patch
 libata-if-t_length-is-zero-dma-direction-should-be-dma_none.patch
+net-systemport-add-global-locking-for-descriptor-lifecycle.patch
+firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
-- 
2.47.3