From bf3b2105bcf35ac3f0ca70a75b557e58ea19e7cd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 9 Apr 2020 16:07:15 +0200 Subject: [PATCH] 4.9-stable patches added patches: net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch --- ...f2-ensure-correct-sub-node-is-parsed.patch | 48 ++++++++++++++ ...esume-before-accessing-phy-registers.patch | 63 +++++++++++++++++++ ...ut-of-bounds-mac-address-reg-setting.patch | 35 +++++++++++ queue-4.9/series | 4 ++ ...-uninitialized-stack-data-in-padding.patch | 51 +++++++++++++++ 5 files changed, 201 insertions(+) create mode 100644 queue-4.9/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch create mode 100644 queue-4.9/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch create mode 100644 queue-4.9/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch create mode 100644 queue-4.9/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch diff --git a/queue-4.9/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch b/queue-4.9/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch new file mode 100644 index 00000000000..76aafeeb37f --- /dev/null +++ b/queue-4.9/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch @@ -0,0 +1,48 @@ +From foo@baz Thu 09 Apr 2020 04:04:49 PM CEST +From: Florian Fainelli +Date: Sun, 5 Apr 2020 13:00:30 -0700 +Subject: net: dsa: bcm_sf2: Ensure correct sub-node is parsed + +From: Florian Fainelli + +[ Upstream commit afa3b592953bfaecfb4f2f335ec5f935cff56804 ] + +When the bcm_sf2 was converted into a proper platform device driver and +used the new dsa_register_switch() interface, we would still be parsing +the legacy DSA node that contained all the port information since the +platform firmware has intentionally maintained backward and forward +compatibility to client programs. Ensure that we do parse the correct +node, which is "ports" per the revised DSA binding. + +Fixes: d9338023fb8e ("net: dsa: bcm_sf2: Make it a real platform device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -976,6 +976,7 @@ static int bcm_sf2_sw_probe(struct platf + struct device_node *dn = pdev->dev.of_node; + struct b53_platform_data *pdata; + struct dsa_switch_ops *ops; ++ struct device_node *ports; + struct bcm_sf2_priv *priv; + struct b53_device *dev; + struct dsa_switch *ds; +@@ -1038,7 +1039,11 @@ static int bcm_sf2_sw_probe(struct platf + spin_lock_init(&priv->indir_lock); + mutex_init(&priv->stats_mutex); + +- bcm_sf2_identify_ports(priv, dn->child); ++ ports = of_find_node_by_name(dn, "ports"); ++ if (ports) { ++ bcm_sf2_identify_ports(priv, ports); ++ of_node_put(ports); ++ } + + priv->irq0 = irq_of_parse_and_map(dn, 0); + priv->irq1 = irq_of_parse_and_map(dn, 1); diff --git a/queue-4.9/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch b/queue-4.9/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch new file mode 100644 index 00000000000..63eb424f587 --- /dev/null +++ b/queue-4.9/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch @@ -0,0 +1,63 @@ +From foo@baz Thu 09 Apr 2020 04:04:49 PM CEST +From: Oleksij Rempel +Date: Fri, 3 Apr 2020 09:53:25 +0200 +Subject: net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers + +From: Oleksij Rempel + +[ Upstream commit 6110dff776f7fa65c35850ef65b41d3b39e2fac2 ] + +After the power-down bit is cleared, the chip internally triggers a +global reset. According to the KSZ9031 documentation, we have to wait at +least 1ms for the reset to finish. + +If the chip is accessed during reset, read will return 0xffff, while +write will be ignored. Depending on the system performance and MDIO bus +speed, we may or may not run in to this issue. + +This bug was discovered on an iMX6QP system with KSZ9031 PHY and +attached PHY interrupt line. If IRQ was used, the link status update was +lost. In polling mode, the link status update was always correct. + +The investigation showed, that during a read-modify-write access, the +read returned 0xffff (while the chip was still in reset) and +corresponding write hit the chip _after_ reset and triggered (due to the +0xffff) another reset in an undocumented bit (register 0x1f, bit 1), +resulting in the next write being lost due to the new reset cycle. + +This patch fixes the issue by adding a 1...2 ms sleep after the +genphy_resume(). + +Fixes: 836384d2501d ("net: phy: micrel: Add specific suspend") +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + /* Operation Mode Strap Override */ + #define MII_KSZPHY_OMSO 0x16 +@@ -728,6 +729,12 @@ static int kszphy_resume(struct phy_devi + { + genphy_resume(phydev); + ++ /* After switching from power-down to normal mode, an internal global ++ * reset is automatically generated. Wait a minimum of 1 ms before ++ * read/write access to the PHY registers. ++ */ ++ usleep_range(1000, 2000); ++ + /* Enable PHY Interrupts */ + if (phy_interrupt_is_valid(phydev)) { + phydev->interrupts = PHY_INTERRUPT_ENABLED; diff --git a/queue-4.9/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch b/queue-4.9/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch new file mode 100644 index 00000000000..9209b62c6ed --- /dev/null +++ b/queue-4.9/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch @@ -0,0 +1,35 @@ +From foo@baz Thu 09 Apr 2020 04:04:49 PM CEST +From: Jisheng Zhang +Date: Fri, 3 Apr 2020 10:23:29 +0800 +Subject: net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting + +From: Jisheng Zhang + +[ Upstream commit 3e1221acf6a8f8595b5ce354bab4327a69d54d18 ] + +Commit 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address +entries") cleared the unused mac address entries, but introduced an +out-of bounds mac address register programming bug -- After setting +the secondary unicast mac addresses, the "reg" value has reached +netdev_uc_count() + 1, thus we should only clear address entries +if (addr < perfect_addr_number) + +Fixes: 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address entries") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -214,7 +214,7 @@ static void dwmac1000_set_filter(struct + reg++; + } + +- while (reg <= perfect_addr_number) { ++ while (reg < perfect_addr_number) { + writel(0, ioaddr + GMAC_ADDR_HIGH(reg)); + writel(0, ioaddr + GMAC_ADDR_LOW(reg)); + reg++; diff --git a/queue-4.9/series b/queue-4.9/series index 13e54bf3071..209e478876a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -12,3 +12,7 @@ coresight-do-not-use-the-bit-macro-in-the-uapi-header.patch net-dsa-tag_brcm-fix-skb-fwd_offload_mark-location.patch padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch +net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch +net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch +slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch +net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch diff --git a/queue-4.9/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch b/queue-4.9/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch new file mode 100644 index 00000000000..78fdddfa15d --- /dev/null +++ b/queue-4.9/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch @@ -0,0 +1,51 @@ +From foo@baz Thu 09 Apr 2020 04:04:49 PM CEST +From: Richard Palethorpe +Date: Wed, 1 Apr 2020 12:06:39 +0200 +Subject: slcan: Don't transmit uninitialized stack data in padding + +From: Richard Palethorpe + +[ Upstream commit b9258a2cece4ec1f020715fe3554bc2e360f6264 ] + +struct can_frame contains some padding which is not explicitly zeroed in +slc_bump. This uninitialized data will then be transmitted if the stack +initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). + +This commit just zeroes the whole struct including the padding. + +Signed-off-by: Richard Palethorpe +Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters") +Reviewed-by: Kees Cook +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: security@kernel.org +Cc: wg@grandegger.com +Cc: mkl@pengutronix.de +Cc: davem@davemloft.net +Acked-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -147,7 +147,7 @@ static void slc_bump(struct slcan *sl) + u32 tmpid; + char *cmd = sl->rbuff; + +- cf.can_id = 0; ++ memset(&cf, 0, sizeof(cf)); + + switch (*cmd) { + case 'r': +@@ -186,8 +186,6 @@ static void slc_bump(struct slcan *sl) + else + return; + +- *(u64 *) (&cf.data) = 0; /* clear payload */ +- + /* RTR frames may have a dlc > 0 but they never have any data bytes */ + if (!(cf.can_id & CAN_RTR_FLAG)) { + for (i = 0; i < cf.can_dlc; i++) { -- 2.47.3