--- /dev/null
+From 928ea98252ad75118950941683893cf904541da9 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Wed, 1 Jun 2022 19:51:59 +0900
+Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 928ea98252ad75118950941683893cf904541da9 upstream.
+
+In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to
+fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in
+fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io
+triggers KASAN use-after-free. To avoid the use-after-free, keep the
+reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to
+fsl_destroy_mc_io().
+
+This patch needs rework to apply to kernels older than v5.15.
+
+Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1236,14 +1236,14 @@ error_cleanup_mc_io:
+ static int fsl_mc_bus_remove(struct platform_device *pdev)
+ {
+ struct fsl_mc *mc = platform_get_drvdata(pdev);
++ struct fsl_mc_io *mc_io;
+
+ if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev))
+ return -EINVAL;
+
++ mc_io = mc->root_mc_bus_dev->mc_io;
+ fsl_mc_device_remove(mc->root_mc_bus_dev);
+-
+- fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io);
+- mc->root_mc_bus_dev->mc_io = NULL;
++ fsl_destroy_mc_io(mc_io);
+
+ bus_unregister_notifier(&fsl_mc_bus_type, &fsl_mc_nb);
+
--- /dev/null
+From f34fdcd4a0e7a0b92340ad7e48e7bcff9393fab5 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 8 Jun 2022 10:27:46 -0600
+Subject: md/raid5-ppl: Fix argument order in bio_alloc_bioset()
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+commit f34fdcd4a0e7a0b92340ad7e48e7bcff9393fab5 upstream.
+
+bio_alloc_bioset() takes a block device, number of vectors, the
+OP flags, the GFP mask and the bio set. However when the prototype
+was changed, the callisite in ppl_do_flush() had the OP flags and
+the GFP flags reversed. This introduced some sparse error:
+
+ drivers/md/raid5-ppl.c:632:57: warning: incorrect type in argument 3
+ (different base types)
+ drivers/md/raid5-ppl.c:632:57: expected unsigned int opf
+ drivers/md/raid5-ppl.c:632:57: got restricted gfp_t [usertype]
+ drivers/md/raid5-ppl.c:633:61: warning: incorrect type in argument 4
+ (different base types)
+ drivers/md/raid5-ppl.c:633:61: expected restricted gfp_t [usertype]
+ gfp_mask
+ drivers/md/raid5-ppl.c:633:61: got unsigned long long
+
+The sparse error introduction may not have been reported correctly by
+0day due to other work that was cleaning up other sparse errors in this
+area.
+
+Fixes: 609be1066731 ("block: pass a block_device and opf to bio_alloc_bioset")
+Cc: stable@vger.kernel.org # 5.18+
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5-ppl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid5-ppl.c
++++ b/drivers/md/raid5-ppl.c
+@@ -629,9 +629,9 @@ static void ppl_do_flush(struct ppl_io_u
+ if (bdev) {
+ struct bio *bio;
+
+- bio = bio_alloc_bioset(bdev, 0, GFP_NOIO,
++ bio = bio_alloc_bioset(bdev, 0,
+ REQ_OP_WRITE | REQ_PREFLUSH,
+- &ppl_conf->flush_bs);
++ GFP_NOIO, &ppl_conf->flush_bs);
+ bio->bi_private = io;
+ bio->bi_end_io = ppl_flush_endio;
+
--- /dev/null
+From be03b0651ffd8bab69dfd574c6818b446c0753ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Fri, 20 May 2022 13:35:41 +0300
+Subject: serial: 8250: Store to lsr_save_flags after lsr read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit be03b0651ffd8bab69dfd574c6818b446c0753ce upstream.
+
+Not all LSR register flags are preserved across reads. Therefore, LSR
+readers must store the non-preserved bits into lsr_save_flags.
+
+This fix was initially mixed into feature commit f6f586102add ("serial:
+8250: Handle UART without interrupt on TEMT using em485"). However,
+that feature change had a flaw and it was reverted to make room for
+simpler approach providing the same feature. The embedded fix got
+reverted with the feature change.
+
+Re-add the lsr_save_flags fix and properly mark it's a fix.
+
+Link: https://lore.kernel.org/all/1d6c31d-d194-9e6a-ddf9-5f29af829f3@linux.intel.com/T/#m1737eef986bd20cf19593e344cebd7b0244945fc
+Fixes: e490c9144cfa ("tty: Add software emulated RS485 support for 8250")
+Cc: stable <stable@kernel.org>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@penugtronix.de>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/f4d774be-1437-a550-8334-19d8722ab98c@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1535,6 +1535,8 @@ static inline void __stop_tx(struct uart
+
+ if (em485) {
+ unsigned char lsr = serial_in(p, UART_LSR);
++ p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS;
++
+ /*
+ * To provide required timeing and allow FIFO transfer,
+ * __stop_tx_rs485() must be called only when both FIFO and
usb-gadget-f_fs-change-ep-status-safe-in-ffs_epfile_io.patch
usb-gadget-f_fs-change-ep-ep-safe-in-ffs_epfile_io.patch
tty-n_gsm-debug-output-allocation-must-use-gfp_atomic.patch
+serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
+bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
+md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
