From: Greg Kroah-Hartman
Date: Tue, 23 Nov 2021 11:15:28 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v5.15.5~50
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a057e5293e1d376eca9de16f110a649f776ebd3c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
parisc-sticon-fix-reverse-colors.patch
---
diff --git a/queue-4.4/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch b/queue-4.4/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
new file mode 100644
index 00000000000..f2e3899f266
--- /dev/null
+++ b/queue-4.4/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
@@ -0,0 +1,86 @@
+From 45da9c1767ac31857df572f0a909fbe88fd5a7e9 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov
+Date: Tue, 2 Nov 2021 14:49:16 +0200
+Subject: btrfs: fix memory ordering between normal and ordered work functions
+
+From: Nikolay Borisov
+
+commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9 upstream.
+
+Ordered work functions aren't guaranteed to be handled by the same thread
+which executed the normal work functions. The only way execution between
+normal/ordered functions is synchronized is via the WORK_DONE_BIT,
+unfortunately the used bitops don't guarantee any ordering whatsoever.
+
+This manifested as seemingly inexplicable crashes on ARM64, where
+async_chunk::inode is seen as non-null in async_cow_submit which causes
+submit_compressed_extents to be called and crash occurs because
+async_chunk::inode suddenly became NULL. The call trace was similar to:
+
+ pc : submit_compressed_extents+0x38/0x3d0
+ lr : async_cow_submit+0x50/0xd0
+ sp : ffff800015d4bc20
+
+
+
+ Call trace:
+ submit_compressed_extents+0x38/0x3d0
+ async_cow_submit+0x50/0xd0
+ run_ordered_work+0xc8/0x280
+ btrfs_work_helper+0x98/0x250
+ process_one_work+0x1f0/0x4ac
+ worker_thread+0x188/0x504
+ kthread+0x110/0x114
+ ret_from_fork+0x10/0x18
+
+Fix this by adding respective barrier calls which ensure that all
+accesses preceding setting of WORK_DONE_BIT are strictly ordered before
+setting the flag. At the same time add a read barrier after reading of
+WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
+would be strictly ordered after reading the bit. This in turn ensures
+are all accesses before WORK_DONE_BIT are going to be strictly ordered
+before any access that can occur in ordered_func.
+
+Reported-by: Chris Murphy
+Fixes: 08a9ff326418 ("btrfs: Added btrfs_workqueue_struct implemented ordered execution based on kernel workqueue")
+CC: stable@vger.kernel.org # 4.4+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2011928
+Reviewed-by: Josef Bacik
+Tested-by: Chris Murphy
+Signed-off-by: Nikolay Borisov
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/async-thread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -261,6 +261,13 @@ static void run_ordered_work(struct __bt
+ ordered_list);
+ if (!test_bit(WORK_DONE_BIT, &work->flags))
+ break;
++ /*
++ * Orders all subsequent loads after reading WORK_DONE_BIT,
++ * paired with the smp_mb__before_atomic in btrfs_work_helper
++ * this guarantees that the ordered function will see all
++ * updates from ordinary work function.
++ */
++ smp_rmb();
+
+ /*
+ * we are going to call the ordered done function, but
+@@ -310,6 +317,13 @@ static void normal_work_helper(struct bt
+ thresh_exec_hook(wq);
+ work->func(work);
+ if (need_order) {
++ /*
++ * Ensures all memory accesses done in the work function are
++ * ordered before setting the WORK_DONE_BIT. Ensuring the thread
++ * which is going to executed the ordered work sees them.
++ * Pairs with the smp_rmb in run_ordered_work.
++ */
++ smp_mb__before_atomic();
+ set_bit(WORK_DONE_BIT, &work->flags);
+ run_ordered_work(wq);
+ }
diff --git a/queue-4.4/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch b/queue-4.4/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
new file mode 100644
index 00000000000..a1b22e2ea23
--- /dev/null
+++ b/queue-4.4/cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
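Review bot: The comment added in run_ordered_work of the btrfs patch says the barrier is paired with the smp_mb__before_atomic in `btrfs_work_helper`, but in this 4.4 backport the second hunk places that barrier in `normal_work_helper`, so the cross-reference names a function that the patched code here does not show. For this tree the line should read `* paired with the smp_mb__before_atomic in normal_work_helper`, so that each barrier can be found from the other when either side is refactored. In the second comment, `going to executed` should be `going to execute`. Both functions begin and end outside the hunks.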
@@ -0,0 +1,37 @@
+From 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Thu, 28 Oct 2021 01:37:22 +0800
+Subject: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
+
+From: Nguyen Dinh Phi
+
+commit 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 upstream.
+
+If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
+does not call the cleanup cfg80211_stop_ap(), this leads to the
+initialization of in-use data. For example, this path re-init the
+sdata->assigned_chanctx_list while it is still an element of
+assigned_vifs list, and makes that linked list corrupt.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+bbf402b783eeb6d908db@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211027173722.777287-1-phind.uet@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: ac800140c20e ("cfg80211: .stop_ap when interface is going down")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -963,6 +963,7 @@ int cfg80211_change_iface(struct cfg8021
+
+ switch (otype) {
+ case NL80211_IFTYPE_AP:
++ case NL80211_IFTYPE_P2P_GO:
+ cfg80211_stop_ap(rdev, dev, true);
+ break;
+ case NL80211_IFTYPE_ADHOC:
diff --git a/queue-4.4/parisc-sticon-fix-reverse-colors.patch b/queue-4.4/parisc-sticon-fix-reverse-colors.patch
new file mode 100644
index 00000000000..b57924bb443
--- /dev/null
+++ b/queue-4.4/parisc-sticon-fix-reverse-colors.patch
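Review bot: The added `case NL80211_IFTYPE_P2P_GO:` label in cfg80211_change_iface has no comment saying why this interface type needs the AP teardown, although the description ties it to list state being re-initialised while still linked. A line above the two labels such as `/* stop AP operation first, otherwise the type change re-initialises data that is still in use */` would keep the label from being dropped in a later cleanup. The call `cfg80211_stop_ap(rdev, dev, true);` is used as a bare statement, so if it can report failure the type change presumably still proceeds; that is worth confirming against the rest of the switch, which begins and ends outside the hunk.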
@@ -0,0 +1,45 @@
+From bec05f33ebc1006899c6d3e59a00c58881fe7626 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle
+Date: Sun, 14 Nov 2021 17:08:17 +0100
+Subject: parisc/sticon: fix reverse colors
+
+From: Sven Schnelle
+
+commit bec05f33ebc1006899c6d3e59a00c58881fe7626 upstream.
+
+sticon_build_attr() checked the reverse argument and flipped
+background and foreground color, but returned the non-reverse
+value afterwards. Fix this and also add two local variables
+for foreground and background color to make the code easier
+to read.
+
+Signed-off-by: Sven Schnelle
+Cc:
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/console/sticon.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/console/sticon.c
++++ b/drivers/video/console/sticon.c
+@@ -316,13 +316,13 @@ static unsigned long sticon_getxy(struct
+ static u8 sticon_build_attr(struct vc_data *conp, u8 color, u8 intens,
+ u8 blink, u8 underline, u8 reverse, u8 italic)
+ {
+- u8 attr = ((color & 0x70) >> 1) | ((color & 7));
++ u8 fg = color & 7;
++ u8 bg = (color & 0x70) >> 4;
+
+- if (reverse) {
+- color = ((color >> 3) & 0x7) | ((color & 0x7) << 3);
+- }
+-
+- return attr;
++ if (reverse)
++ return (fg << 3) | bg;
++ else
++ return (bg << 3) | fg;
+ }
+
+ static void sticon_invert_region(struct vc_data *conp, u16 *p, int count)
diff --git a/queue-4.4/series b/queue-4.4/series
index a4a94eaf9f9..92a3dd0862e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -141,3 +141,6 @@ perf-bench-fix-two-memory-leaks-detected-with-asan.patch
 tun-fix-bonding-active-backup-with-arp-monitoring.patch
 hexagon-export-raw-i-o-routines-for-modules.patch
 mm-kmemleak-slob-respect-slab_noleaktrace-flag.patch
+btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
+parisc-sticon-fix-reverse-colors.patch
+cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
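Review bot: In the sticon.c hunk, sticon_build_attr keeps an `else` after the first `return`, and the masks `7` and `0x70` and the `<< 3` packing are left unexplained. Kernel style drops the redundant branch: keep `if (reverse)` with `return (fg << 3) | bg;` and follow it with a plain `return (bg << 3) | fg;`. A short comment such as `/* attribute byte: background in bits 3-5, foreground in bits 0-2 */` would document the layout the function returns. The parameters `intens`, `blink`, `underline` and `italic` are unused in the visible body, which may be intended for this console but is worth stating in the same comment.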