<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/i3c/master, branch linux-6.11.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition</title>
<updated>2024-10-17T13:26:36+00:00</updated>
<author>
<name>Kaixin Wang</name>
<email>kxwang23@m.fudan.edu.cn</email>
</author>
<published>2024-09-11T15:35:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=687016d6a1efbfacdd2af913e2108de6b75a28d5'/>
<id>687016d6a1efbfacdd2af913e2108de6b75a28d5</id>
<content type='text'>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]

In the cdns_i3c_master_probe function, &amp;master-&gt;hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master-&gt;base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                      CPU1

                                     | cdns_i3c_master_hj
cdns_i3c_master_remove               |
i3c_master_unregister(&amp;master-&gt;base) |
device_unregister(&amp;master-&gt;dev)      |
device_release                       |
//free master-&gt;base                  |
                                     | i3c_master_do_daa(&amp;master-&gt;base)
                                     | //use master-&gt;base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.

Signed-off-by: Kaixin Wang &lt;kxwang23@m.fudan.edu.cn&gt;
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]

In the cdns_i3c_master_probe function, &amp;master-&gt;hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master-&gt;base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                      CPU1

                                     | cdns_i3c_master_hj
cdns_i3c_master_remove               |
i3c_master_unregister(&amp;master-&gt;base) |
device_unregister(&amp;master-&gt;dev)      |
device_release                       |
//free master-&gt;base                  |
                                     | i3c_master_do_daa(&amp;master-&gt;base)
                                     | //use master-&gt;base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.

Signed-off-by: Kaixin Wang &lt;kxwang23@m.fudan.edu.cn&gt;
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition</title>
<updated>2024-10-10T10:03:59+00:00</updated>
<author>
<name>Kaixin Wang</name>
<email>kxwang23@m.fudan.edu.cn</email>
</author>
<published>2024-09-14T16:39:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=27b55724d3f781dd6e635e89dc6e2fd78fa81a00'/>
<id>27b55724d3f781dd6e635e89dc6e2fd78fa81a00</id>
<content type='text'>
commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream.

In the svc_i3c_master_probe function, &amp;master-&gt;hj_work is bound with
svc_i3c_master_hj_work, &amp;master-&gt;ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master-&gt;base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                         CPU1

                                    | svc_i3c_master_hj_work
svc_i3c_master_remove               |
i3c_master_unregister(&amp;master-&gt;base)|
device_unregister(&amp;master-&gt;dev)     |
device_release                      |
//free master-&gt;base                 |
                                    | i3c_master_do_daa(&amp;master-&gt;base)
                                    | //use master-&gt;base

Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.

Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void")
Cc: stable@vger.kernel.org
Signed-off-by: Kaixin Wang &lt;kxwang23@m.fudan.edu.cn&gt;
Reviewed-by: Miquel Raynal &lt;miquel.raynal@bootlin.com&gt;
Reviewed-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn
Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream.

In the svc_i3c_master_probe function, &amp;master-&gt;hj_work is bound with
svc_i3c_master_hj_work, &amp;master-&gt;ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master-&gt;base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                         CPU1

                                    | svc_i3c_master_hj_work
svc_i3c_master_remove               |
i3c_master_unregister(&amp;master-&gt;base)|
device_unregister(&amp;master-&gt;dev)     |
device_release                      |
//free master-&gt;base                 |
                                    | i3c_master_do_daa(&amp;master-&gt;base)
                                    | //use master-&gt;base

Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.

Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void")
Cc: stable@vger.kernel.org
Signed-off-by: Kaixin Wang &lt;kxwang23@m.fudan.edu.cn&gt;
Reviewed-by: Miquel Raynal &lt;miquel.raynal@bootlin.com&gt;
Reviewed-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn
Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: master: svc: Fix error code in svc_i3c_master_do_daa_locked()</title>
<updated>2024-07-26T12:21:30+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2024-07-18T18:30:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b73c983491e0a61331611d2dab1dfccd4464b060'/>
<id>b73c983491e0a61331611d2dab1dfccd4464b060</id>
<content type='text'>
This code has a typo so it returns positive EIO instead of negative -EIO.  Fix
it!

Fixes: a7809cb368b9 ("i3c: master: svc: Improve DAA STOP handle code logic")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Link: https://lore.kernel.org/r/e017edfc-da64-496b-8516-958bec27cd9a@stanley.mountain
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This code has a typo so it returns positive EIO instead of negative -EIO.  Fix
it!

Fixes: a7809cb368b9 ("i3c: master: svc: Improve DAA STOP handle code logic")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Link: https://lore.kernel.org/r/e017edfc-da64-496b-8516-958bec27cd9a@stanley.mountain
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: dw: Add power management support</title>
<updated>2024-07-26T12:21:30+00:00</updated>
<author>
<name>Aniket</name>
<email>aniketmaurya@google.com</email>
</author>
<published>2024-07-08T06:21:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=62fe9d06f5709caa1fa68055873ff279e05ade37'/>
<id>62fe9d06f5709caa1fa68055873ff279e05ade37</id>
<content type='text'>
Add support for runtime and system power management.
Handle clocks, resets, pads as part of suspend and resume.
Restore controller registers that could be lost due to suspend.
Finally add get and put calls appropriately in functions which
access controller : bus_init, do_daa, send_ccc_cmd, priv_xfers,
i2c_xfers, ibi and hot-join.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-4-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add support for runtime and system power management.
Handle clocks, resets, pads as part of suspend and resume.
Restore controller registers that could be lost due to suspend.
Finally add get and put calls appropriately in functions which
access controller : bus_init, do_daa, send_ccc_cmd, priv_xfers,
i2c_xfers, ibi and hot-join.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-4-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: dw: Add some functions for reusability</title>
<updated>2024-07-26T12:21:30+00:00</updated>
<author>
<name>Aniket</name>
<email>aniketmaurya@google.com</email>
</author>
<published>2024-07-08T06:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=effd21743c39a6535f204812006054fa172e4313'/>
<id>effd21743c39a6535f204812006054fa172e4313</id>
<content type='text'>
Separate logic for setting intr/thld registers in a func.
Also modify enable function to take care of setting all fields in DEVICE_CTRL.
These functions can be reused later for power management.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-3-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Separate logic for setting intr/thld registers in a func.
Also modify enable function to take care of setting all fields in DEVICE_CTRL.
These functions can be reused later for power management.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-3-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: dw: Save timing registers and other values</title>
<updated>2024-07-26T12:21:29+00:00</updated>
<author>
<name>Aniket</name>
<email>aniketmaurya@google.com</email>
</author>
<published>2024-07-08T06:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4e89bc48e66a9aef46a705943d3f81bffb3a2288'/>
<id>4e89bc48e66a9aef46a705943d3f81bffb3a2288</id>
<content type='text'>
Add variables to store timing registers and other values.
These variables would be later used to restore registers
during resume without recomputation.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-2-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add variables to store timing registers and other values.
These variables would be later used to restore registers
during resume without recomputation.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240708062103.3296587-2-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: master: svc: Improve DAA STOP handle code logic</title>
<updated>2024-07-26T12:21:29+00:00</updated>
<author>
<name>Frank Li</name>
<email>Frank.Li@nxp.com</email>
</author>
<published>2024-07-02T22:31:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=915d0741e0c8e5fe406f8a8369745a73e2c681ef'/>
<id>915d0741e0c8e5fe406f8a8369745a73e2c681ef</id>
<content type='text'>
The REQUEST_PROC_DAA command behaves differently from other commands.
Sometimes the hardware can auto emit STOP, but in other conditions, it
cannot.

Improves the code logic to better handle these situations.

Hardware can auto emit STOP only when the following conditions are met:
- The previous I3C device correctly returns a PID and ACKs an I3C address.
- A NACK is received when emitting 7E to try to get the next I3C device's
PID.

In all other cases, a manual STOP emission is needed.

The code is changed to emit STOP when break the while loop and 'return 0'
only when the hardware can auto emit STOP.

Signed-off-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Reviewed-by: Miquel Raynal &lt;miquel.raynal@bootlin.com&gt;
Link: https://lore.kernel.org/r/20240702223107.403057-1-Frank.Li@nxp.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The REQUEST_PROC_DAA command behaves differently from other commands.
Sometimes the hardware can auto emit STOP, but in other conditions, it
cannot.

Improves the code logic to better handle these situations.

Hardware can auto emit STOP only when the following conditions are met:
- The previous I3C device correctly returns a PID and ACKs an I3C address.
- A NACK is received when emitting 7E to try to get the next I3C device's
PID.

In all other cases, a manual STOP emission is needed.

The code is changed to emit STOP when break the while loop and 'return 0'
only when the hardware can auto emit STOP.

Signed-off-by: Frank Li &lt;Frank.Li@nxp.com&gt;
Reviewed-by: Miquel Raynal &lt;miquel.raynal@bootlin.com&gt;
Link: https://lore.kernel.org/r/20240702223107.403057-1-Frank.Li@nxp.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: dw: Add optional apb clock</title>
<updated>2024-07-26T12:21:29+00:00</updated>
<author>
<name>Aniket</name>
<email>aniketmaurya@google.com</email>
</author>
<published>2024-06-28T15:46:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a0d48ebf39cee74f3832d42126b6ddf4497fc07c'/>
<id>a0d48ebf39cee74f3832d42126b6ddf4497fc07c</id>
<content type='text'>
Besides the core clock, IP also has an apb interface clock.
Add an optional hook for the same.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240628154618.327151-1-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Besides the core clock, IP also has an apb interface clock.
Add an optional hook for the same.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240628154618.327151-1-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: dw: Use new *_enabled clk API</title>
<updated>2024-07-26T12:21:29+00:00</updated>
<author>
<name>Aniket</name>
<email>aniketmaurya@google.com</email>
</author>
<published>2024-06-28T15:46:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=54f5079e0dfcce2886178382ee9f03f35cc28325'/>
<id>54f5079e0dfcce2886178382ee9f03f35cc28325</id>
<content type='text'>
Move to "enabled" variant of clk_get API. It takes care
of enable and disable calls during the probe and remove.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240628154603.326075-1-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move to "enabled" variant of clk_get API. It takes care
of enable and disable calls during the probe and remove.

Signed-off-by: Aniket &lt;aniketmaurya@google.com&gt;
Link: https://lore.kernel.org/r/20240628154603.326075-1-aniketmaurya@google.com
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>i3c: master: svc: Convert comma to semicolon</title>
<updated>2024-07-26T12:21:29+00:00</updated>
<author>
<name>Chen Ni</name>
<email>nichen@iscas.ac.cn</email>
</author>
<published>2024-07-02T02:47:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48a6dcdafdbe7b9596ac6ecbecc347c2e2413f81'/>
<id>48a6dcdafdbe7b9596ac6ecbecc347c2e2413f81</id>
<content type='text'>
Replace a comma between expression statements by a semicolon.

Signed-off-by: Chen Ni &lt;nichen@iscas.ac.cn&gt;
Link: https://lore.kernel.org/r/20240702024758.1411569-1-nichen@iscas.ac.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace a comma between expression statements by a semicolon.

Signed-off-by: Chen Ni &lt;nichen@iscas.ac.cn&gt;
Link: https://lore.kernel.org/r/20240702024758.1411569-1-nichen@iscas.ac.cn
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
