5.15-stable patches

added patches:
	bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
	serial-8250-store-to-lsr_save_flags-after-lsr-read.patch

diff --git a/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch b/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
new file mode 100644 (file)
index 0000000..0a033da
--- /dev/null
+++ b/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
@@ -0,0 +1,47 @@
+From 928ea98252ad75118950941683893cf904541da9 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Wed, 1 Jun 2022 19:51:59 +0900
+Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 928ea98252ad75118950941683893cf904541da9 upstream.
+
+In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to
+fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in
+fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io
+triggers KASAN use-after-free. To avoid the use-after-free, keep the
+reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to
+fsl_destroy_mc_io().
+
+This patch needs rework to apply to kernels older than v5.15.
+
+Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1236,14 +1236,14 @@ error_cleanup_mc_io:
+ static int fsl_mc_bus_remove(struct platform_device *pdev)
+ {
+       struct fsl_mc *mc = platform_get_drvdata(pdev);
++      struct fsl_mc_io *mc_io;
+ 
+       if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev))
+               return -EINVAL;
+ 
++      mc_io = mc->root_mc_bus_dev->mc_io;
+       fsl_mc_device_remove(mc->root_mc_bus_dev);
+-
+-      fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io);
+-      mc->root_mc_bus_dev->mc_io = NULL;
++      fsl_destroy_mc_io(mc_io);
+ 
+       bus_unregister_notifier(&fsl_mc_bus_type, &fsl_mc_nb);
+ 

diff --git a/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch b/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
new file mode 100644 (file)
index 0000000..7feab54
--- /dev/null
+++ b/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
@@ -0,0 +1,46 @@
+From be03b0651ffd8bab69dfd574c6818b446c0753ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Fri, 20 May 2022 13:35:41 +0300
+Subject: serial: 8250: Store to lsr_save_flags after lsr read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit be03b0651ffd8bab69dfd574c6818b446c0753ce upstream.
+
+Not all LSR register flags are preserved across reads. Therefore, LSR
+readers must store the non-preserved bits into lsr_save_flags.
+
+This fix was initially mixed into feature commit f6f586102add ("serial:
+8250: Handle UART without interrupt on TEMT using em485"). However,
+that feature change had a flaw and it was reverted to make room for
+simpler approach providing the same feature. The embedded fix got
+reverted with the feature change.
+
+Re-add the lsr_save_flags fix and properly mark it's a fix.
+
+Link: https://lore.kernel.org/all/1d6c31d-d194-9e6a-ddf9-5f29af829f3@linux.intel.com/T/#m1737eef986bd20cf19593e344cebd7b0244945fc
+Fixes: e490c9144cfa ("tty: Add software emulated RS485 support for 8250")
+Cc: stable <stable@kernel.org>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@penugtronix.de>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/f4d774be-1437-a550-8334-19d8722ab98c@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1535,6 +1535,8 @@ static inline void __stop_tx(struct uart
+ 
+       if (em485) {
+               unsigned char lsr = serial_in(p, UART_LSR);
++              p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS;
++
+               /*
+                * To provide required timeing and allow FIFO transfer,
+                * __stop_tx_rs485() must be called only when both FIFO and

diff --git a/queue-5.15/series b/queue-5.15/series
index 77a133f1759f9db525a713ce31f6c9041d16ea7b..1cad237fab132c74464a03053deb32ab96d8ce68 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -90,3 +90,5 @@ usb-gadget-lpc32xx_udc-fix-refcount-leak-in-lpc32xx_udc_probe.patch
 usb-gadget-f_fs-change-ep-status-safe-in-ffs_epfile_io.patch
 usb-gadget-f_fs-change-ep-ep-safe-in-ffs_epfile_io.patch
 tty-n_gsm-debug-output-allocation-must-use-gfp_atomic.patch
+serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
+bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch