From: Greg Kroah-Hartman Date: Sun, 22 Jan 2023 12:59:31 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.14.304~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8de85541d50b05e3644a0d3564b7e4cb5bd3b3c3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch cifs-do-not-include-page-data-when-checking-signature.patch mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch --- diff --git a/queue-5.10/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch b/queue-5.10/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch new file mode 100644 index 00000000000..06fc9b26165 --- /dev/null +++ b/queue-5.10/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch @@ -0,0 +1,134 @@ +From b7adbf9ada3513d2092362c8eac5cddc5b651f5c Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 12 Jan 2023 16:31:08 +0000 +Subject: btrfs: fix race between quota rescan and disable leading to NULL pointer deref + +From: Filipe Manana + +commit b7adbf9ada3513d2092362c8eac5cddc5b651f5c upstream. + +If we have one task trying to start the quota rescan worker while another +one is trying to disable quotas, we can end up hitting a race that results +in the quota rescan worker doing a NULL pointer dereference. The steps for +this are the following: + +1) Quotas are enabled; + +2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan(). + It calls qgroup_rescan_init() which returns 0 (success) and then joins a + transaction and commits it; + +3) Task B calls the quota disable ioctl and enters btrfs_quota_disable(). + It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls + btrfs_qgroup_wait_for_completion(), which returns immediately since the + rescan worker is not yet running. + Then it starts a transaction and locks fs_info->qgroup_ioctl_lock; + +4) Task A queues the rescan worker, by calling btrfs_queue_work(); + +5) The rescan worker starts, and calls rescan_should_stop() at the start + of its while loop, which results in 0 iterations of the loop, since + the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by + task B at step 3); + +6) Task B sets fs_info->quota_root to NULL; + +7) The rescan worker tries to start a transaction and uses + fs_info->quota_root as the root argument for btrfs_start_transaction(). + This results in a NULL pointer dereference down the call chain of + btrfs_start_transaction(). The stack trace is something like the one + reported in Link tag below: + + general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN + KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f] + CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + Workqueue: btrfs-qgroup-rescan btrfs_work_helper + RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564 + Code: 48 89 fb 48 (...) + RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206 + RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 + RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d + R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000 + R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402 + btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280 + process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 + worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 + kthread+0x266/0x300 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + Modules linked in: + +So fix this by having the rescan worker function not attempt to start a +transaction if it didn't do any rescan work. + +Reported-by: syzbot+96977faa68092ad382c4@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/000000000000e5454b05f065a803@google.com/ +Fixes: e804861bd4e6 ("btrfs: fix deadlock between quota disable and qgroup rescan worker") +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3296,6 +3296,7 @@ static void btrfs_qgroup_rescan_worker(s + int err = -ENOMEM; + int ret = 0; + bool stopped = false; ++ bool did_leaf_rescans = false; + + path = btrfs_alloc_path(); + if (!path) +@@ -3316,6 +3317,7 @@ static void btrfs_qgroup_rescan_worker(s + } + + err = qgroup_rescan_leaf(trans, path); ++ did_leaf_rescans = true; + + if (err > 0) + btrfs_commit_transaction(trans); +@@ -3336,16 +3338,23 @@ out: + mutex_unlock(&fs_info->qgroup_rescan_lock); + + /* +- * only update status, since the previous part has already updated the +- * qgroup info. ++ * Only update status, since the previous part has already updated the ++ * qgroup info, and only if we did any actual work. This also prevents ++ * race with a concurrent quota disable, which has already set ++ * fs_info->quota_root to NULL and cleared BTRFS_FS_QUOTA_ENABLED at ++ * btrfs_quota_disable(). + */ +- trans = btrfs_start_transaction(fs_info->quota_root, 1); +- if (IS_ERR(trans)) { +- err = PTR_ERR(trans); ++ if (did_leaf_rescans) { ++ trans = btrfs_start_transaction(fs_info->quota_root, 1); ++ if (IS_ERR(trans)) { ++ err = PTR_ERR(trans); ++ trans = NULL; ++ btrfs_err(fs_info, ++ "fail to start transaction for status update: %d", ++ err); ++ } ++ } else { + trans = NULL; +- btrfs_err(fs_info, +- "fail to start transaction for status update: %d", +- err); + } + + mutex_lock(&fs_info->qgroup_rescan_lock); diff --git a/queue-5.10/cifs-do-not-include-page-data-when-checking-signature.patch b/queue-5.10/cifs-do-not-include-page-data-when-checking-signature.patch new file mode 100644 index 00000000000..f4731be6d60 --- /dev/null +++ b/queue-5.10/cifs-do-not-include-page-data-when-checking-signature.patch @@ -0,0 +1,52 @@ +From 30b2b2196d6e4cc24cbec633535a2404f258ce69 Mon Sep 17 00:00:00 2001 +From: Enzo Matsumiya +Date: Wed, 18 Jan 2023 14:06:57 -0300 +Subject: cifs: do not include page data when checking signature + +From: Enzo Matsumiya + +commit 30b2b2196d6e4cc24cbec633535a2404f258ce69 upstream. + +On async reads, page data is allocated before sending. When the +response is received but it has no data to fill (e.g. +STATUS_END_OF_FILE), __calc_signature() will still include the pages in +its computation, leading to an invalid signature check. + +This patch fixes this by not setting the async read smb_rqst page data +(zeroed by default) if its got_bytes is 0. + +This can be reproduced/verified with xfstests generic/465. + +Cc: +Signed-off-by: Enzo Matsumiya +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3925,12 +3925,15 @@ smb2_readv_callback(struct mid_q_entry * + (struct smb2_sync_hdr *)rdata->iov[0].iov_base; + struct cifs_credits credits = { .value = 0, .instance = 0 }; + struct smb_rqst rqst = { .rq_iov = &rdata->iov[1], +- .rq_nvec = 1, +- .rq_pages = rdata->pages, +- .rq_offset = rdata->page_offset, +- .rq_npages = rdata->nr_pages, +- .rq_pagesz = rdata->pagesz, +- .rq_tailsz = rdata->tailsz }; ++ .rq_nvec = 1, }; ++ ++ if (rdata->got_bytes) { ++ rqst.rq_pages = rdata->pages; ++ rqst.rq_offset = rdata->page_offset; ++ rqst.rq_npages = rdata->nr_pages; ++ rqst.rq_pagesz = rdata->pagesz; ++ rqst.rq_tailsz = rdata->tailsz; ++ } + + WARN_ONCE(rdata->server != mid->server, + "rdata server %p != mid server %p", diff --git a/queue-5.10/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch b/queue-5.10/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch new file mode 100644 index 00000000000..97bf2802bb4 --- /dev/null +++ b/queue-5.10/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch @@ -0,0 +1,73 @@ +From 1e336aa0c0250ec84c6f16efac40c9f0138e367d Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Wed, 7 Dec 2022 19:23:15 +0800 +Subject: mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting + +From: Haibo Chen + +commit 1e336aa0c0250ec84c6f16efac40c9f0138e367d upstream. + +Current code logic may be impacted by the setting of ROM/Bootloader, +so unmask these bits first, then setting these bits accordingly. + +Fixes: 2b16cf326b70 ("mmc: sdhci-esdhc-imx: move tuning static configuration into hwinit function") +Signed-off-by: Haibo Chen +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221207112315.1812222-1-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -103,6 +103,7 @@ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 + #define ESDHC_TUNING_START_TAP_MASK 0x7f + #define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7) ++#define ESDHC_TUNING_STEP_DEFAULT 0x1 + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +@@ -1300,7 +1301,7 @@ static void sdhci_esdhc_imx_hwinit(struc + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); + struct cqhci_host *cq_host = host->mmc->cqe_private; +- int tmp; ++ u32 tmp; + + if (esdhc_is_usdhc(imx_data)) { + /* +@@ -1353,17 +1354,24 @@ static void sdhci_esdhc_imx_hwinit(struc + + if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { + tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL); +- tmp |= ESDHC_STD_TUNING_EN | +- ESDHC_TUNING_START_TAP_DEFAULT; +- if (imx_data->boarddata.tuning_start_tap) { +- tmp &= ~ESDHC_TUNING_START_TAP_MASK; ++ tmp |= ESDHC_STD_TUNING_EN; ++ ++ /* ++ * ROM code or bootloader may config the start tap ++ * and step, unmask them first. ++ */ ++ tmp &= ~(ESDHC_TUNING_START_TAP_MASK | ESDHC_TUNING_STEP_MASK); ++ if (imx_data->boarddata.tuning_start_tap) + tmp |= imx_data->boarddata.tuning_start_tap; +- } ++ else ++ tmp |= ESDHC_TUNING_START_TAP_DEFAULT; + + if (imx_data->boarddata.tuning_step) { +- tmp &= ~ESDHC_TUNING_STEP_MASK; + tmp |= imx_data->boarddata.tuning_step + << ESDHC_TUNING_STEP_SHIFT; ++ } else { ++ tmp |= ESDHC_TUNING_STEP_DEFAULT ++ << ESDHC_TUNING_STEP_SHIFT; + } + + /* Disable the CMD CRC check for tuning, if not, need to diff --git a/queue-5.10/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch b/queue-5.10/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch new file mode 100644 index 00000000000..900d666548c --- /dev/null +++ b/queue-5.10/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch @@ -0,0 +1,41 @@ +From 8509419758f2cc28dd05370385af0d91573b76b4 Mon Sep 17 00:00:00 2001 +From: Samuel Holland +Date: Tue, 9 Aug 2022 21:25:09 -0500 +Subject: mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + +From: Samuel Holland + +commit 8509419758f2cc28dd05370385af0d91573b76b4 upstream. + +If the controller is suspended by runtime PM, the clock is already +disabled, so do not try to disable it again during removal. Use +pm_runtime_disable() to flush any pending runtime PM transitions. + +Fixes: 9a8e1e8cc2c0 ("mmc: sunxi: Add runtime_pm support") +Signed-off-by: Samuel Holland +Acked-by: Jernej Skrabec +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220810022509.43743-1-samuel@sholland.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sunxi-mmc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sunxi-mmc.c ++++ b/drivers/mmc/host/sunxi-mmc.c +@@ -1459,9 +1459,11 @@ static int sunxi_mmc_remove(struct platf + struct sunxi_mmc_host *host = mmc_priv(mmc); + + mmc_remove_host(mmc); +- pm_runtime_force_suspend(&pdev->dev); +- disable_irq(host->irq); +- sunxi_mmc_disable(host); ++ pm_runtime_disable(&pdev->dev); ++ if (!pm_runtime_status_suspended(&pdev->dev)) { ++ disable_irq(host->irq); ++ sunxi_mmc_disable(host); ++ } + dma_free_coherent(&pdev->dev, PAGE_SIZE, host->sg_cpu, host->sg_dma); + mmc_free_host(mmc); + diff --git a/queue-5.10/series b/queue-5.10/series index f0faaf619ea..49dc5d7e1f0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -52,3 +52,8 @@ misc-fastrpc-don-t-remove-map-on-creater_process-and-device_release.patch misc-fastrpc-fix-use-after-free-race-condition-for-maps.patch usb-core-hub-disable-autosuspend-for-ti-tusb8041.patch comedi-adv_pci1760-fix-pwm-instruction-handling.patch +mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch +mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch +btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch +cifs-do-not-include-page-data-when-checking-signature.patch +thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch diff --git a/queue-5.10/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch b/queue-5.10/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch new file mode 100644 index 00000000000..97c0f9222e9 --- /dev/null +++ b/queue-5.10/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch @@ -0,0 +1,33 @@ +From e8ff07fb33026c5c1bb5b81293496faba5d68059 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Fri, 20 May 2022 13:35:19 +0300 +Subject: thunderbolt: Use correct function to calculate maximum USB3 link rate + +From: Mika Westerberg + +commit e8ff07fb33026c5c1bb5b81293496faba5d68059 upstream. + +We need to take minimum of both sides of the USB3 link into consideration, +not just the downstream port. Fix this by calling tb_usb3_max_link_rate() +instead. + +Fixes: 0bd680cd900c ("thunderbolt: Add USB3 bandwidth management") +Cc: stable@vger.kernel.org +Acked-by: Yehezkel Bernat +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thunderbolt/tunnel.c ++++ b/drivers/thunderbolt/tunnel.c +@@ -956,7 +956,7 @@ static void tb_usb3_reclaim_available_ba + return; + } else if (!ret) { + /* Use maximum link rate if the link valid is not set */ +- ret = usb4_usb3_port_max_link_rate(tunnel->src_port); ++ ret = tb_usb3_max_link_rate(tunnel->dst_port, tunnel->src_port); + if (ret < 0) { + tb_tunnel_warn(tunnel, "failed to read maximum link rate\n"); + return;