From: Greg Kroah-Hartman Date: Mon, 24 Apr 2023 11:35:29 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.314~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b22d96b06a67214074c232cb6ca62dbe3ee6851;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: asn.1-fix-check-for-strdup-success.patch asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
---
diff --git a/queue-5.15/asn.1-fix-check-for-strdup-success.patch b/queue-5.15/asn.1-fix-check-for-strdup-success.patch
new file mode 100644
index 00000000000..5ac31d69e92
--- /dev/null
+++ b/queue-5.15/asn.1-fix-check-for-strdup-success.patch
@@ -0,0 +1,40 @@
+From 5a43001c01691dcbd396541e6faa2c0077378f48 Mon Sep 17 00:00:00 2001
+From: Ekaterina Orlova
+Date: Fri, 21 Apr 2023 15:35:39 +0100
+Subject: ASN.1: Fix check for strdup() success
+
+From: Ekaterina Orlova
+
+commit 5a43001c01691dcbd396541e6faa2c0077378f48 upstream.
+
+It seems there is a misprint in the check of strdup() return code that
+can lead to NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 4520c6a49af8 ("X.509: Add simple ASN.1 grammar compiler")
+Signed-off-by: Ekaterina Orlova
+Cc: David Woodhouse
+Cc: James Bottomley
+Cc: Jarkko Sakkinen
+Cc: keyrings@vger.kernel.org
+Cc: linux-kbuild@vger.kernel.org
+Link: https://lore.kernel.org/r/20230315172130.140-1-vorobushek.ok@gmail.com/
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/asn1_compiler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/asn1_compiler.c
++++ b/scripts/asn1_compiler.c
+@@ -625,7 +625,7 @@ int main(int argc, char **argv)
+ p = strrchr(argv[1], '/');
+ p = p ? p + 1 : argv[1];
+ grammar_name = strdup(p);
+- if (!p) {
++ if (!grammar_name) {
+ perror(NULL);
+ exit(1);
+ }
diff --git a/queue-5.15/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch b/queue-5.15/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
new file mode 100644
index 00000000000..9e5d68595d9
--- /dev/null
+++ b/queue-5.15/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
@@ -0,0 +1,54 @@
+From 86a24e99c97234f87d9f70b528a691150e145197 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Mon, 17 Apr 2023 06:32:42 -0700
+Subject: ASoC: fsl_asrc_dma: fix potential null-ptr-deref
+
+From: Nikita Zhandarovich
+
+commit 86a24e99c97234f87d9f70b528a691150e145197 upstream.
+
+dma_request_slave_channel() may return NULL which will lead to
+NULL pointer dereference error in 'tmp_chan->private'.
+
+Correct this behaviour by, first, switching from deprecated function
+dma_request_slave_channel() to dma_request_chan(). Secondly, enable
+sanity check for the resuling value of dma_request_chan().
+Also, fix description that follows the enacted changes and that
+concerns the use of dma_request_slave_channel().
+
+Fixes: 706e2c881158 ("ASoC: fsl_asrc_dma: Reuse the dma channel if available in Back-End")
+Co-developed-by: Natalia Petrova
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/20230417133242.53339-1-n.zhandarovich@fintech.ru
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/fsl/fsl_asrc_dma.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/fsl/fsl_asrc_dma.c
++++ b/sound/soc/fsl/fsl_asrc_dma.c
+@@ -208,14 +208,19 @@ static int fsl_asrc_dma_hw_params(struct
+ be_chan = soc_component_to_pcm(component_be)->chan[substream->stream];
+ tmp_chan = be_chan;
+ }
+- if (!tmp_chan)
+- tmp_chan = dma_request_slave_channel(dev_be, tx ? "tx" : "rx");
++ if (!tmp_chan) {
++ tmp_chan = dma_request_chan(dev_be, tx ? "tx" : "rx");
++ if (IS_ERR(tmp_chan)) {
++ dev_err(dev, "failed to request DMA channel for Back-End\n");
++ return -EINVAL;
++ }
++ }
+
+ /*
+ * An EDMA DEV_TO_DEV channel is fixed and bound with DMA event of each
+ * peripheral, unlike SDMA channel that is allocated dynamically. So no
+ * need to configure dma_request and dma_request2, but get dma_chan of
+- * Back-End device directly via dma_request_slave_channel.
++ * Back-End device directly via dma_request_chan.
+ */
+ if (!asrc->use_edma) {
+ /* Get DMA request of Back-End */
diff --git a/queue-5.15/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch b/queue-5.15/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
new file mode 100644
index 00000000000..e4485ba604e
--- /dev/null
+++ b/queue-5.15/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
@@ -0,0 +1,32 @@
+From 73a428b37b9b538f8f8fe61caa45e7f243bab87c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 29 Mar 2023 07:35:32 +0300
+Subject: iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
+
+From: Dan Carpenter
+
+commit 73a428b37b9b538f8f8fe61caa45e7f243bab87c upstream.
+
+The at91_adc_allocate_trigger() function is supposed to return error
+pointers. Returning a NULL will cause an Oops.
+
+Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/5d728f9d-31d1-410d-a0b3-df6a63a2c8ba@kili.mountain
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1000,7 +1000,7 @@ static struct iio_trigger *at91_adc_allo
+ trig = devm_iio_trigger_alloc(&indio->dev, "%s-dev%d-%s", indio->name,
+ iio_device_id(indio), trigger_name);
+ if (!trig)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ trig->dev.parent = indio->dev.parent;
+ iio_trigger_set_drvdata(trig, indio);
diff --git a/queue-5.15/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch b/queue-5.15/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
new file mode 100644
index 00000000000..a48334c62f8
--- /dev/null
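Review bot: In the asoc-fsl_asrc_dma patch, the new `IS_ERR(tmp_chan)` branch in fsl_asrc_dma_hw_params() returns a fixed `-EINVAL`, which throws away the error code that dma_request_chan() encoded in the pointer. Returning the encoded value keeps the real cause (for example a probe-deferral or allocation failure) visible to the caller and in logs: `return PTR_ERR(tmp_chan);`. The function body starts and ends outside the hunk, so whether anything acquired earlier in it needs releasing on this new early return cannot be confirmed from here and is worth checking.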
+++ b/queue-5.15/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch 
@@ -0,0 +1,184 @@
+From 1007843a91909a4995ee78a538f62d8665705b66 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 4 Apr 2023 23:31:58 +0900
+Subject: mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tetsuo Handa
+
+commit 1007843a91909a4995ee78a538f62d8665705b66 upstream.
+
+syzbot is reporting circular locking dependency which involves
+zonelist_update_seq seqlock [1], for this lock is checked by memory
+allocation requests which do not need to be retried.
+
+One deadlock scenario is kmalloc(GFP_ATOMIC) from an interrupt handler.
+
+ CPU0
+ ----
+ __build_all_zonelists() {
+ write_seqlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount odd
+ // e.g. timer interrupt handler runs at this moment
+ some_timer_func() {
+ kmalloc(GFP_ATOMIC) {
+ __alloc_pages_slowpath() {
+ read_seqbegin(&zonelist_update_seq) {
+ // spins forever because zonelist_update_seq.seqcount is odd
+ }
+ }
+ }
+ }
+ // e.g. timer interrupt handler finishes
+ write_sequnlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount even
+ }
+
+This deadlock scenario can be easily eliminated by not calling
+read_seqbegin(&zonelist_update_seq) from !__GFP_DIRECT_RECLAIM allocation
+requests, for retry is applicable to only __GFP_DIRECT_RECLAIM allocation
+requests. But Michal Hocko does not know whether we should go with this
+approach.
+
+Another deadlock scenario which syzbot is reporting is a race between
+kmalloc(GFP_ATOMIC) from tty_insert_flip_string_and_push_buffer() with
+port->lock held and printk() from __build_all_zonelists() with
+zonelist_update_seq held.
+
+ CPU0 CPU1
+ ---- ----
+ pty_write() {
+ tty_insert_flip_string_and_push_buffer() {
+ __build_all_zonelists() {
+ write_seqlock(&zonelist_update_seq);
+ build_zonelists() {
+ printk() {
+ vprintk() {
+ vprintk_default() {
+ vprintk_emit() {
+ console_unlock() {
+ console_flush_all() {
+ console_emit_next_record() {
+ con->write() = serial8250_console_write() {
+ spin_lock_irqsave(&port->lock, flags);
+ tty_insert_flip_string() {
+ tty_insert_flip_string_fixed_flag() {
+ __tty_buffer_request_room() {
+ tty_buffer_alloc() {
+ kmalloc(GFP_ATOMIC | __GFP_NOWARN) {
+ __alloc_pages_slowpath() {
+ zonelist_iter_begin() {
+ read_seqbegin(&zonelist_update_seq); // spins forever because zonelist_update_seq.seqcount is odd
+ spin_lock_irqsave(&port->lock, flags); // spins forever because port->lock is held
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ spin_unlock_irqrestore(&port->lock, flags);
+ // message is printed to console
+ spin_unlock_irqrestore(&port->lock, flags);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ write_sequnlock(&zonelist_update_seq);
+ }
+ }
+ }
+
+This deadlock scenario can be eliminated by
+
+ preventing interrupt context from calling kmalloc(GFP_ATOMIC)
+
+and
+
+ preventing printk() from calling console_flush_all()
+
+while zonelist_update_seq.seqcount is odd.
+
+Since Petr Mladek thinks that __build_all_zonelists() can become a
+candidate for deferring printk() [2], let's address this problem by
+
+ disabling local interrupts in order to avoid kmalloc(GFP_ATOMIC)
+
+and
+
+ disabling synchronous printk() in order to avoid console_flush_all()
+
+.
+
+As a side effect of minimizing duration of zonelist_update_seq.seqcount
+being odd by disabling synchronous printk(), latency at
+read_seqbegin(&zonelist_update_seq) for both !__GFP_DIRECT_RECLAIM and
+__GFP_DIRECT_RECLAIM allocation requests will be reduced. Although, from
+lockdep perspective, not calling read_seqbegin(&zonelist_update_seq) (i.e.
+do not record unnecessary locking dependency) from interrupt context is
+still preferable, even if we don't allow calling kmalloc(GFP_ATOMIC)
+inside
+write_seqlock(&zonelist_update_seq)/write_sequnlock(&zonelist_update_seq)
+section...
+
+Link: https://lkml.kernel.org/r/8796b95c-3da3-5885-fddd-6ef55f30e4d3@I-love.SAKURA.ne.jp
+Fixes: 3d36424b3b58 ("mm/page_alloc: fix race condition between build_all_zonelists and page allocation")
+Link: https://lkml.kernel.org/r/ZCrs+1cDqPWTDFNM@alley [2]
+Reported-by: syzbot
+ Link: https://syzkaller.appspot.com/bug?extid=223c7461c58c58a4cb10 [1]
+Signed-off-by: Tetsuo Handa
+Acked-by: Michal Hocko
+Acked-by: Mel Gorman
+Cc: Petr Mladek
+Cc: David Hildenbrand
+Cc: Ilpo Järvinen
+Cc: John Ogness
+Cc: Patrick Daly
+Cc: Sergey Senozhatsky
+Cc: Steven Rostedt
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6416,7 +6416,21 @@ static void __build_all_zonelists(void *
+ int nid;
+ int __maybe_unused cpu;
+ pg_data_t *self = data;
++ unsigned long flags;
+
++ /*
++ * Explicitly disable this CPU's interrupts before taking seqlock
++ * to prevent any IRQ handler from calling into the page allocator
++ * (e.g. GFP_ATOMIC) that could hit zonelist_iter_begin and livelock.
++ */
++ local_irq_save(flags);
++ /*
++ * Explicitly disable this CPU's synchronous printk() before taking
++ * seqlock to prevent any printk() from trying to hold port->lock, for
++ * tty_insert_flip_string_and_push_buffer() on other CPU might be
++ * calling kmalloc(GFP_ATOMIC | __GFP_NOWARN) with port->lock held.
++ */
++ printk_deferred_enter();
+ write_seqlock(&zonelist_update_seq);
+
+ #ifdef CONFIG_NUMA
+@@ -6451,6 +6465,8 @@ static void __build_all_zonelists(void *
+ }
+
+ write_sequnlock(&zonelist_update_seq);
++ printk_deferred_exit();
++ local_irq_restore(flags);
+ }
+
+ static noinline void __init
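Review bot: In __build_all_zonelists() the IRQ-off window is built from a bare `local_irq_save(flags)` that precedes `write_seqlock(&zonelist_update_seq)`, so the seqlock's internal spinlock is taken with interrupts already hard-disabled. That is harmless on a regular build but is likely a problem on PREEMPT_RT trees, where that lock may sleep. The seqlock API's own pair states the intent in one call: `write_seqlock_irqsave(&zonelist_update_seq, flags);` on entry and `write_sequnlock_irqrestore(&zonelist_update_seq, flags);` on exit. `printk_deferred_enter()` and `printk_deferred_exit()` would move just inside that pair, so printk deferral still sits within the IRQ-off window. The function body between the two inner hunks is not shown, so any printk() or allocation inside the write section should be re-checked against that ordering.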
diff --git a/queue-5.15/series b/queue-5.15/series
index 1b6414dd6b4..11bda91f718 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -64,3 +64,7 @@ pwm-meson-explicitly-set-.polarity-in-.get_state.patch
 pwm-iqs620a-explicitly-set-.polarity-in-.get_state.patch
 pwm-hibvt-explicitly-set-.polarity-in-.get_state.patch
 counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
+iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
+mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
+asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
+asn.1-fix-check-for-strdup-success.patch