From: Greg Kroah-Hartman Date: Fri, 24 Nov 2023 13:15:24 +0000 (+0000) Subject: 4.14-stable patches X-Git-Tag: v4.14.331~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=25a30c307fcafaca10b0a3bb1f8a6a1c721a629e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch media-sharp-fix-sharp-encoding.patch media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch --- diff --git a/queue-4.14/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch b/queue-4.14/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch new file mode 100644 index 00000000000..71be4c3e82e --- /dev/null +++ b/queue-4.14/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch @@ -0,0 +1,66 @@ +From f78ca48a8ba9cdec96e8839351e49eec3233b177 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Sat, 9 Sep 2023 22:25:06 +0200 +Subject: i2c: i801: fix potential race in i801_block_transaction_byte_by_byte + +From: Heiner Kallweit + +commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream. + +Currently we set SMBHSTCNT_LAST_BYTE only after the host has started +receiving the last byte. If we get e.g. preempted before setting +SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte +before SMBHSTCNT_LAST_BYTE is set. +Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing +SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code +is also consistent with what we do in i801_isr_byte_done(). + +Reported-by: Jean Delvare +Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/ +Cc: stable@vger.kernel.org +Acked-by: Andi Shyti +Signed-off-by: Heiner Kallweit +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-i801.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -707,15 +707,11 @@ static int i801_block_transaction_byte_b + return i801_check_post(priv, status); + } + +- for (i = 1; i <= len; i++) { +- if (i == len && read_write == I2C_SMBUS_READ) +- smbcmd |= SMBHSTCNT_LAST_BYTE; +- outb_p(smbcmd, SMBHSTCNT(priv)); +- +- if (i == 1) +- outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START, +- SMBHSTCNT(priv)); ++ if (len == 1 && read_write == I2C_SMBUS_READ) ++ smbcmd |= SMBHSTCNT_LAST_BYTE; ++ outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv)); + ++ for (i = 1; i <= len; i++) { + status = i801_wait_byte_done(priv); + if (status) + goto exit; +@@ -738,9 +734,12 @@ static int i801_block_transaction_byte_b + data->block[0] = len; + } + +- /* Retrieve/store value in SMBBLKDAT */ +- if (read_write == I2C_SMBUS_READ) ++ if (read_write == I2C_SMBUS_READ) { + data->block[i] = inb_p(SMBBLKDAT(priv)); ++ if (i == len - 1) ++ outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv)); ++ } ++ + if (read_write == I2C_SMBUS_WRITE && i+1 <= len) + outb_p(data->block[i+1], SMBBLKDAT(priv)); + diff --git a/queue-4.14/media-sharp-fix-sharp-encoding.patch b/queue-4.14/media-sharp-fix-sharp-encoding.patch new file mode 100644 index 00000000000..c883efe45bf --- /dev/null +++ b/queue-4.14/media-sharp-fix-sharp-encoding.patch @@ -0,0 +1,48 @@ +From 4f7efc71891462ab7606da7039f480d7c1584a13 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 6 Oct 2023 12:54:25 +0100 +Subject: media: sharp: fix sharp encoding + +From: Sean Young + +commit 4f7efc71891462ab7606da7039f480d7c1584a13 upstream. + +The Sharp protocol[1] encoding has incorrect timings for bit space. + +[1] https://www.sbprojects.net/knowledge/ir/sharp.php + +Fixes: d35afc5fe097 ("[media] rc: ir-sharp-decoder: Add encode capability") +Cc: stable@vger.kernel.org +Reported-by: Joe Ferner +Closes: https://sourceforge.net/p/lirc/mailman/message/38604507/ +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ir-sharp-decoder.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/media/rc/ir-sharp-decoder.c ++++ b/drivers/media/rc/ir-sharp-decoder.c +@@ -23,7 +23,9 @@ + #define SHARP_UNIT 40000 /* ns */ + #define SHARP_BIT_PULSE (8 * SHARP_UNIT) /* 320us */ + #define SHARP_BIT_0_PERIOD (25 * SHARP_UNIT) /* 1ms (680us space) */ +-#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680ms space) */ ++#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680us space) */ ++#define SHARP_BIT_0_SPACE (17 * SHARP_UNIT) /* 680us space */ ++#define SHARP_BIT_1_SPACE (42 * SHARP_UNIT) /* 1680us space */ + #define SHARP_ECHO_SPACE (1000 * SHARP_UNIT) /* 40 ms */ + #define SHARP_TRAILER_SPACE (125 * SHARP_UNIT) /* 5 ms (even longer) */ + +@@ -177,8 +179,8 @@ static const struct ir_raw_timings_pd ir + .header_pulse = 0, + .header_space = 0, + .bit_pulse = SHARP_BIT_PULSE, +- .bit_space[0] = SHARP_BIT_0_PERIOD, +- .bit_space[1] = SHARP_BIT_1_PERIOD, ++ .bit_space[0] = SHARP_BIT_0_SPACE, ++ .bit_space[1] = SHARP_BIT_1_SPACE, + .trailer_pulse = SHARP_BIT_PULSE, + .trailer_space = SHARP_ECHO_SPACE, + .msb_first = 1, diff --git a/queue-4.14/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch b/queue-4.14/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch new file mode 100644 index 00000000000..27dae3426d7 --- /dev/null +++ b/queue-4.14/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch @@ -0,0 +1,36 @@ +From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:02 +0530 +Subject: media: venus: hfi: fix the check to handle session buffer requirement + +From: Vikash Garodia + +commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream. + +Buffer requirement, for different buffer type, comes from video firmware. +While copying these requirements, there is an OOB possibility when the +payload from firmware is more than expected size. Fix the check to avoid +the OOB possibility. + +Cc: stable@vger.kernel.org +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Reviewed-by: Nathan Hebert +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -412,7 +412,7 @@ session_get_prop_buf_req(struct hfi_msg_ + memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); + idx++; + +- if (idx > HFI_BUFFER_TYPE_MAX) ++ if (idx >= HFI_BUFFER_TYPE_MAX) + return HFI_ERR_SESSION_INVALID_PARAMETER; + + req_bytes -= sizeof(struct hfi_buffer_requirements); diff --git a/queue-4.14/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch b/queue-4.14/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch new file mode 100644 index 00000000000..00796470e4c --- /dev/null +++ b/queue-4.14/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch @@ -0,0 +1,171 @@ +From 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Fri, 27 Oct 2023 08:57:38 +0200 +Subject: net: dsa: lan9303: consequently nested-lock physical MDIO + +From: Alexander Sverdlin + +commit 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 upstream. + +When LAN9303 is MDIO-connected two callchains exist into +mdio->bus->write(): + +1. switch ports 1&2 ("physical" PHYs): + +virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})-> + lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested + +2. LAN9303 virtual PHY: + +virtual MDIO bus (lan9303_phy_{read|write}) -> + lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write} + +If the latter functions just take +mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP +false-positive splat. It's false-positive because the first +mdio_lock in the second callchain above belongs to virtual MDIO bus, the +second mdio_lock belongs to physical MDIO bus. + +Consequent annotation in lan9303_mdio_{read|write} as nested lock +(similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus) +prevents the following splat: + +WARNING: possible circular locking dependency detected +5.15.71 #1 Not tainted +------------------------------------------------------ +kworker/u4:3/609 is trying to acquire lock: +ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex +but task is already holding lock: +ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +which lock already depends on the new lock. +the existing dependency chain (in reverse order) is: +-> #1 (&bus->mdio_lock){+.+.}-{3:3}: + lock_acquire + __mutex_lock + mutex_lock_nested + lan9303_mdio_read + _regmap_read + regmap_read + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}: + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +other info that might help us debug this: + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); +*** DEADLOCK *** +5 locks held by kworker/u4:3/609: + #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work + #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work + #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach + #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch + #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +stack backtrace: +CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1 +Workqueue: events_unbound deferred_probe_work_func +Call trace: + dump_backtrace + show_stack + dump_stack_lvl + dump_stack + print_circular_bug + check_noncircular + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe +... + +Cc: stable@vger.kernel.org +Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support") +Signed-off-by: Alexander Sverdlin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303_mdio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/lan9303_mdio.c ++++ b/drivers/net/dsa/lan9303_mdio.c +@@ -41,7 +41,7 @@ static int lan9303_mdio_write(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff); + lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff); + mutex_unlock(&sw_dev->device->bus->mdio_lock); +@@ -59,7 +59,7 @@ static int lan9303_mdio_read(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + *val = lan9303_mdio_real_read(sw_dev->device, reg); + *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16); + mutex_unlock(&sw_dev->device->bus->mdio_lock); diff --git a/queue-4.14/series b/queue-4.14/series index 04996ccb87a..f4a8fdc763c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -45,3 +45,7 @@ parisc-prevent-booting-64-bit-kernels-on-pa1.x-machines.patch parisc-pgtable-do-not-drop-upper-5-address-bits-of-physical-address.patch parisc-power-fix-power-soft-off-when-running-on-qemu.patch alsa-info-fix-potential-deadlock-at-disconnection.patch +net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch +i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch +media-sharp-fix-sharp-encoding.patch +media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch