From: Greg Kroah-Hartman Date: Sun, 23 Jan 2022 14:07:10 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.300~144 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=908ccbf5de8e8af77aad29200c8462cafb569538;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch f2fs-fix-to-do-sanity-check-in-is_alive.patch f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch mtd-fixed-breaking-list-in-__mtd_del_partition.patch mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
---
diff --git a/queue-5.15/f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch b/queue-5.15/f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch
new file mode 100644
index 00000000000..be36437a292
--- /dev/null
+++ b/queue-5.15/f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch
@@ -0,0 +1,68 @@
+From 19bdba5265624ba6b9d9dd936a0c6ccc167cfe80 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim
+Date: Thu, 9 Dec 2021 10:25:43 -0800
+Subject: f2fs: avoid EINVAL by SBI_NEED_FSCK when pinning a file
+
+From: Jaegeuk Kim
+
+commit 19bdba5265624ba6b9d9dd936a0c6ccc167cfe80 upstream.
+
+Android OTA failed due to SBI_NEED_FSCK flag when pinning the file. Let's avoid
+it since we can do in-place-updates.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/data.c | 7 +++++--
+ fs/f2fs/file.c | 10 +++++-----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2564,6 +2564,11 @@ bool f2fs_should_update_outplace(struct
+ {
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
++ /* The below cases were checked when setting it. */
++ if (f2fs_is_pinned_file(inode))
++ return false;
++ if (fio && is_sbi_flag_set(sbi, SBI_NEED_FSCK))
++ return true;
+ if (f2fs_lfs_mode(sbi))
+ return true;
+ if (S_ISDIR(inode->i_mode))
+@@ -2572,8 +2577,6 @@ bool f2fs_should_update_outplace(struct
+ return true;
+ if (f2fs_is_atomic_file(inode))
+ return true;
+- if (is_sbi_flag_set(sbi, SBI_NEED_FSCK))
+- return true;
+
+ /* swap file is migrating in aligned write mode */
+ if (is_inode_flag_set(inode, FI_ALIGNED_WRITE))
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3143,17 +3143,17 @@ static int f2fs_ioc_set_pin_file(struct
+
+ inode_lock(inode);
+
+- if (f2fs_should_update_outplace(inode, NULL)) {
+- ret = -EINVAL;
+- goto out;
+- }
+-
+ if (!pin) {
+ clear_inode_flag(inode, FI_PIN_FILE);
+ f2fs_i_gc_failures_write(inode, 0);
+ goto done;
+ }
+
++ if (f2fs_should_update_outplace(inode, NULL)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ if (f2fs_pin_file_control(inode, false)) {
+ ret = -EAGAIN;
+ goto out;
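Review bot: The new early return on `f2fs_is_pinned_file(inode)` in f2fs_should_update_outplace sits before the `fio && is_sbi_flag_set(sbi, SBI_NEED_FSCK)` test, so an already-pinned file is answered in-place whatever the FSCK flag says, and a NULL fio (the f2fs_ioc_set_pin_file caller visible in the second hunk) skips the FSCK test entirely; the one-line comment "The below cases were checked when setting it." states neither of those consequences. Suggest replacing it with `/* Pinned files were validated against the cases below in f2fs_ioc_set_pin_file(); a NULL fio marks that caller, which deliberately ignores SBI_NEED_FSCK. */`. Both functions start and end outside their hunks, so whether other callers also pass a NULL fio cannot be seen here.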
diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-in-is_alive.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-in-is_alive.patch
new file mode 100644
index 00000000000..dab1a2df7ef
--- /dev/null
+++ b/queue-5.15/f2fs-fix-to-do-sanity-check-in-is_alive.patch
@@ -0,0 +1,34 @@
+From 77900c45ee5cd5da63bd4d818a41dbdf367e81cd Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 6 Dec 2021 22:44:21 +0800
+Subject: f2fs: fix to do sanity check in is_alive()
+
+From: Chao Yu
+
+commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
+
+In fuzzed image, SSA table may indicate that a data block belongs to
+invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
+order to avoid migrating inconsistent data in such corrupted image,
+let's do sanity check anyway before data block migration.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/gc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1023,6 +1023,9 @@ static bool is_alive(struct f2fs_sb_info
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
+
++ if (f2fs_check_nid_range(sbi, dni->ino))
++ return false;
++
+ *nofs = ofs_of_node(node_page);
+ source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
+ f2fs_put_page(node_page, 1);
diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch
new file mode 100644
index 00000000000..55a84714a5e
--- /dev/null
+++ b/queue-5.15/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch
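Review bot: The new `if (f2fs_check_nid_range(sbi, dni->ino)) return false;` in is_alive() returns before the `f2fs_put_page(node_page, 1)` that the context lines show on the normal path, so if node_page is already held at this point (the later put suggests it is; the start of is_alive is outside the hunk) the rejected-nid path leaks the page reference. The check should release the page first: `if (f2fs_check_nid_range(sbi, dni->ino)) { f2fs_put_page(node_page, 1); return false; }`, matching what the normal path does. Since this path is taken precisely on corrupted images, a leak here would be repeatable by anyone mounting such an image, which is worth a comment on the check as well.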
@@ -0,0 +1,65 @@
+From 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 6 Dec 2021 22:44:19 +0800
+Subject: f2fs: fix to do sanity check on inode type during garbage collection
+
+From: Chao Yu
+
+commit 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f upstream.
+
+As report by Wenqing Liu in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215231
+
+- Overview
+kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. mkdir mnt
+2. mount -t f2fs tmp1.img mnt
+3. touch tmp
+4. cp tmp mnt
+
+F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
+F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+ folio_mark_dirty+0x33/0x50
+ move_data_page+0x2dd/0x460 [f2fs]
+ do_garbage_collect+0xc18/0x16a0 [f2fs]
+ f2fs_gc+0x1d3/0xd90 [f2fs]
+ f2fs_balance_fs+0x13a/0x570 [f2fs]
+ f2fs_create+0x285/0x840 [f2fs]
+ path_openat+0xe6d/0x1040
+ do_filp_open+0xc5/0x140
+ do_sys_openat2+0x23a/0x310
+ do_sys_open+0x57/0x80
+
+The root cause is for special file: e.g. character, block, fifo or socket file,
+f2fs doesn't assign address space operations pointer array for mapping->a_ops field,
+so, in a fuzzed image, SSA table indicates a data block belong to special file, when
+f2fs tries to migrate that block, it causes NULL pointer access once move_data_page()
+calls a_ops->set_dirty_page().
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/gc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1454,7 +1454,8 @@ next_step:
+
+ if (phase == 3) {
+ inode = f2fs_iget(sb, dni.ino);
+- if (IS_ERR(inode) || is_bad_inode(inode))
++ if (IS_ERR(inode) || is_bad_inode(inode) ||
++ special_file(inode->i_mode))
+ continue;
+
+ if (!down_write_trylock(
diff --git a/queue-5.15/mtd-fixed-breaking-list-in-__mtd_del_partition.patch b/queue-5.15/mtd-fixed-breaking-list-in-__mtd_del_partition.patch
new file mode 100644
index 00000000000..5cbc3537655
--- /dev/null
+++ b/queue-5.15/mtd-fixed-breaking-list-in-__mtd_del_partition.patch
@@ -0,0 +1,34 @@
+From 2966daf7d253d9904b337b040dd7a43472858b8a Mon Sep 17 00:00:00 2001
+From: Andreas Oetken
+Date: Tue, 2 Nov 2021 18:26:04 +0100
+Subject: mtd: Fixed breaking list in __mtd_del_partition.
+
+From: Andreas Oetken
+
+commit 2966daf7d253d9904b337b040dd7a43472858b8a upstream.
+
+Not the child partition should be removed from the partition list
+but the partition itself. Otherwise the partition list gets broken
+and any subsequent remove operations leads to a kernel panic.
+
+Fixes: 46b5889cc2c5 ("mtd: implement proper partition handling")
+Signed-off-by: Andreas Oetken
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20211102172604.2921065-1-andreas.oetken@siemens-energy.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/mtdpart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -312,7 +312,7 @@ static int __mtd_del_partition(struct mt
+ if (err)
+ return err;
+
+- list_del(&child->part.node);
++ list_del(&mtd->part.node);
+ free_partition(mtd);
+
+ return 0;
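Review bot: Extending the `continue` condition with `special_file(inode->i_mode)` takes the skip path for an inode that `f2fs_iget()` returned successfully, and the hunk shows no `iput()` before the `continue`, so unless a release happens elsewhere in the loop (the enclosing function starts and ends outside the hunk) every skipped special-file inode keeps its reference; the pre-existing `is_bad_inode()` case has the same shape. Splitting the test so that only the `IS_ERR()` case continues without a release, and the other two call `iput()` first, closes that. The `special_file()` test dereferences `inode->i_mode` and is only safe because `IS_ERR()` is evaluated first; that ordering deserves a comment.
```c
			inode = f2fs_iget(sb, dni.ino);
			if (IS_ERR(inode))
				continue;
			/* A reference is held from here on; drop it on every skip path. */
			if (is_bad_inode(inode) || special_file(inode->i_mode)) {
				iput(inode);
				continue;
			}
			/* … unchanged: down_write_trylock() and the rest of the phase-3 body … */
```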
diff --git a/queue-5.15/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch b/queue-5.15/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
new file mode 100644
index 00000000000..e76566f305c
--- /dev/null
+++ b/queue-5.15/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
@@ -0,0 +1,103 @@
+From f53d4c109a666bf1a4883b45d546fba079258717 Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Tue, 2 Nov 2021 21:20:22 +0100
+Subject: mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
+
+From: Christian Eggers
+
+commit f53d4c109a666bf1a4883b45d546fba079258717 upstream.
+
+gpmi_io clock needs to be gated off when changing the parent/dividers of
+enfc_clk_root (i.MX6Q/i.MX6UL) respectively qspi2_clk_root (i.MX6SX).
+Otherwise this rate change can lead to an unresponsive GPMI core which
+results in DMA timeouts and failed driver probe:
+
+[ 4.072318] gpmi-nand 112000.gpmi-nand: DMA timeout, last DMA
+...
+[ 4.370355] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -110
+...
+[ 4.375988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[ 4.381524] gpmi-nand 112000.gpmi-nand: Error in ECC-based read: -22
+[ 4.387988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[ 4.393535] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+...
+
+Other than stated in i.MX 6 erratum ERR007117, it should be sufficient
+to gate only gpmi_io because all other bch/nand clocks are derived from
+different clock roots.
+
+The i.MX6 reference manuals state that changing clock muxers can cause
+glitches but are silent about changing dividers. But tests showed that
+these glitches can definitely happen on i.MX6ULL. For i.MX7D/8MM in turn,
+the manual guarantees that no glitches can happen when changing
+dividers.
+
+Co-developed-by: Stefan Riedmueller
+Signed-off-by: Stefan Riedmueller
+Signed-off-by: Christian Eggers
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-2-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -713,14 +713,32 @@ static void gpmi_nfc_compute_timings(str
+ (use_half_period ? BM_GPMI_CTRL1_HALF_PERIOD : 0);
+ }
+
+-static void gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
++static int gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
+ {
+ struct gpmi_nfc_hardware_timing *hw = &this->hw;
+ struct resources *r = &this->resources;
+ void __iomem *gpmi_regs = r->gpmi_regs;
+ unsigned int dll_wait_time_us;
++ int ret;
++
++ /* Clock dividers do NOT guarantee a clean clock signal on its output
++ * during the change of the divide factor on i.MX6Q/UL/SX. On i.MX7/8,
++ * all clock dividers provide these guarantee.
++ */
++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this))
++ clk_disable_unprepare(r->clock[0]);
++
++ ret = clk_set_rate(r->clock[0], hw->clk_rate);
++ if (ret) {
++ dev_err(this->dev, "cannot set clock rate to %lu Hz: %d\n", hw->clk_rate, ret);
++ return ret;
++ }
+
+- clk_set_rate(r->clock[0], hw->clk_rate);
++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) {
++ ret = clk_prepare_enable(r->clock[0]);
++ if (ret)
++ return ret;
++ }
+
+ writel(hw->timing0, gpmi_regs + HW_GPMI_TIMING0);
+ writel(hw->timing1, gpmi_regs + HW_GPMI_TIMING1);
+@@ -739,6 +757,8 @@ static void gpmi_nfc_apply_timings(struc
+
+ /* Wait for the DLL to settle. */
+ udelay(dll_wait_time_us);
++
++ return 0;
+ }
+
+ static int gpmi_setup_interface(struct nand_chip *chip, int chipnr,
+@@ -2280,7 +2300,9 @@ static int gpmi_nfc_exec_op(struct nand_
+ */
+ if (this->hw.must_apply_timings) {
+ this->hw.must_apply_timings = false;
+- gpmi_nfc_apply_timings(this);
++ ret = gpmi_nfc_apply_timings(this);
++ if (ret)
++ return ret;
+ }
+
+ dev_dbg(this->dev, "%s: %d instructions\n", __func__, op->ninstrs);
diff --git a/queue-5.15/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch b/queue-5.15/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
new file mode 100644
index 00000000000..6557afea4d1
--- /dev/null
+++ b/queue-5.15/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
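Review bot: In gpmi_nfc_apply_timings the `return ret;` after a failed `clk_set_rate()` leaves r->clock[0] disabled and unprepared on i.MX6Q/SX, because the `clk_disable_unprepare()` done a few lines above is not undone on that path, and gpmi_nfc_exec_op then propagates the error with the GPMI io clock still gated. Re-enabling inside the `if (ret)` block before returning, `if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) clk_prepare_enable(r->clock[0]);`, restores the state the function was entered with. In gpmi_nfc_exec_op, `this->hw.must_apply_timings = false;` is cleared before the call that can now fail, so a failed application is never retried on the next operation; moving that assignment after the `if (ret) return ret;` keeps the retry. Both functions continue outside the hunk, so any later caller-side recovery cannot be seen here.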
@@ -0,0 +1,40 @@
+From aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b Mon Sep 17 00:00:00 2001
+From: Stefan Riedmueller
+Date: Tue, 2 Nov 2021 21:20:21 +0100
+Subject: mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
+
+From: Stefan Riedmueller
+
+commit aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b upstream.
+
+There is no need to explicitly set the default gpmi clock rate during
+boot for the i.MX 6 since this is done during nand_detect anyway.
+
+Signed-off-by: Stefan Riedmueller
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-1-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -1054,15 +1054,6 @@ static int gpmi_get_clks(struct gpmi_nan
+ r->clock[i] = clk;
+ }
+
+- if (GPMI_IS_MX6(this))
+- /*
+- * Set the default value for the gpmi clock.
+- *
+- * If you want to use the ONFI nand which is in the
+- * Synchronous Mode, you should change the clock as you need.
+- */
+- clk_set_rate(r->clock[0], 22000000);
+-
+ return 0;
+
+ err_clock:
diff --git a/queue-5.15/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch b/queue-5.15/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
new file mode 100644
index 00000000000..c59f823e24a
--- /dev/null
+++ b/queue-5.15/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
@@ -0,0 +1,102 @@
+From dded08927ca3c31a5c37f8e7f95fe98770475dd4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 19 Jan 2022 08:48:16 +0100
+Subject: nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
+
+From: Krzysztof Kozlowski
+
+commit dded08927ca3c31a5c37f8e7f95fe98770475dd4 upstream.
+
+Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer
+(which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after
+a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM.
+
+KASAN report:
+
+ BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0
+ Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899
+
+ CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+ Call Trace:
+
+ dump_stack_lvl+0x45/0x59
+ ? nfc_alloc_send_skb+0x2d/0xc0
+ __kasan_report.cold+0x117/0x11c
+ ? mark_lock+0x480/0x4f0
+ ? nfc_alloc_send_skb+0x2d/0xc0
+ kasan_report+0x38/0x50
+ nfc_alloc_send_skb+0x2d/0xc0
+ nfc_llcp_send_ui_frame+0x18c/0x2a0
+ ? nfc_llcp_send_i_frame+0x230/0x230
+ ? __local_bh_enable_ip+0x86/0xe0
+ ? llcp_sock_connect+0x470/0x470
+ ? llcp_sock_connect+0x470/0x470
+ sock_sendmsg+0x8e/0xa0
+ ____sys_sendmsg+0x253/0x3f0
+ ...
+
+The issue was visible only with multiple simultaneous calls to bind() and
+sendmsg(), which resulted in most of the bind() calls to fail. The
+bind() was failing on checking if there is available WKS/SDP/SAP
+(respective bit in 'struct nfc_llcp_local' fields). When there was no
+available WKS/SDP/SAP, the bind returned error but the sendmsg() to such
+socket was able to trigger mentioned NULL pointer dereference of
+nfc_llcp_sock->dev.
+
+The code looks simply racy and currently it protects several paths
+against race with checks for (!nfc_llcp_sock->local) which is NULL-ified
+in error paths of bind(). The llcp_sock_sendmsg() did not have such
+check but called function nfc_llcp_send_ui_frame() had, although not
+protected with lock_sock().
+
+Therefore the race could look like (same socket is used all the time):
+ CPU0 CPU1
+ ==== ====
+ llcp_sock_bind()
+ - lock_sock()
+ - success
+ - release_sock()
+ - return 0
+ llcp_sock_sendmsg()
+ - lock_sock()
+ - release_sock()
+ llcp_sock_bind(), same socket
+ - lock_sock()
+ - error
+ - nfc_llcp_send_ui_frame()
+ - if (!llcp_sock->local)
+ - llcp_sock->local = NULL
+ - nfc_put_device(dev)
+ - dereference llcp_sock->dev
+ - release_sock()
+ - return -ERRNO
+
+The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the
+lock, which is racy and ineffective check. Instead, its caller
+llcp_sock_sendmsg(), should perform the check inside lock_sock().
+
+Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
+Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path")
+Cc:
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -789,6 +789,11 @@ static int llcp_sock_sendmsg(struct sock
+
+ lock_sock(sk);
+
++ if (!llcp_sock->local) {
++ release_sock(sk);
++ return -ENODEV;
++ }
++
+ if (sk->sk_type == SOCK_DGRAM) {
+ DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
+ msg->msg_name);
diff --git a/queue-5.15/series b/queue-5.15/series
index 0bd273859cf..775898c023a 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
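Review bot: The new `if (!llcp_sock->local)` test in llcp_sock_sendmsg carries no comment saying why it has to sit under `lock_sock(sk)`, which is the whole point of the fix and is the first thing a later refactor would hoist back out. Suggest placing `/* ->local is cleared under lock_sock() when bind() fails; check it here, not in nfc_llcp_send_ui_frame(), which runs without the lock. */` above the test, in the commit message's own terms. How llcp_sock is derived from sk, and the remaining error paths of the function, are outside the hunk.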
@@ -6,3 +6,10 @@ hid-wacom-reset-expected-and-received-contact-counts-at-the-same-time.patch
 hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch
 hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
 alsa-core-fix-ssid-quirk-lookup-for-subvendor-0.patch
+f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch
+f2fs-fix-to-do-sanity-check-in-is_alive.patch
+f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch
+nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
+mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
+mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
+mtd-fixed-breaking-list-in-__mtd_del_partition.patch