From: Sasha Levin Date: Sat, 26 Feb 2022 02:59:32 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.9.304~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af1a98619ea5ba3c76877d9f342f3fd4f1eef325;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch b/queue-5.4/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch new file mode 100644 index 00000000000..9ce79a559ff --- /dev/null +++ b/queue-5.4/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch @@ -0,0 +1,98 @@ +From 1e4650705e6bbdfae92422c31537d37ea7869e72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 15:10:30 +0800 +Subject: configfs: fix a race in configfs_{,un}register_subsystem() + +From: ChenXiaoSong + +[ Upstream commit 84ec758fb2daa236026506868c8796b0500c047d ] + +When configfs_register_subsystem() or configfs_unregister_subsystem() +is executing link_group() or unlink_group(), +it is possible that two processes add or delete list concurrently. +Some unfortunate interleavings of them can cause kernel panic. + +One of cases is: +A --> B --> C --> D +A <-- B <-- C <-- D + + delete list_head *B | delete list_head *C +--------------------------------|----------------------------------- +configfs_unregister_subsystem | configfs_unregister_subsystem + unlink_group | unlink_group + unlink_obj | unlink_obj + list_del_init | list_del_init + __list_del_entry | __list_del_entry + __list_del | __list_del + // next == C | + next->prev = prev | + | next->prev = prev + prev->next = next | + | // prev == B + | prev->next = next + +Fix this by adding mutex when calling link_group() or unlink_group(), +but parent configfs_subsystem is NULL when config_item is root. +So I create a mutex configfs_subsystem_mutex. + +Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem") +Signed-off-by: ChenXiaoSong +Signed-off-by: Laibin Qiu +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 2992cebb78661..d73d88d9c2598 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -36,6 +36,14 @@ + */ + DEFINE_SPINLOCK(configfs_dirent_lock); + ++/* ++ * All of link_obj/unlink_obj/link_group/unlink_group require that ++ * subsys->su_mutex is held. ++ * But parent configfs_subsystem is NULL when config_item is root. ++ * Use this mutex when config_item is root. ++ */ ++static DEFINE_MUTEX(configfs_subsystem_mutex); ++ + static void configfs_d_iput(struct dentry * dentry, + struct inode * inode) + { +@@ -1884,7 +1892,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys) + group->cg_item.ci_name = group->cg_item.ci_namebuf; + + sd = root->d_fsdata; ++ mutex_lock(&configfs_subsystem_mutex); + link_group(to_config_group(sd->s_element), group); ++ mutex_unlock(&configfs_subsystem_mutex); + + inode_lock_nested(d_inode(root), I_MUTEX_PARENT); + +@@ -1909,7 +1919,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys) + inode_unlock(d_inode(root)); + + if (err) { ++ mutex_lock(&configfs_subsystem_mutex); + unlink_group(group); ++ mutex_unlock(&configfs_subsystem_mutex); + configfs_release_fs(); + } + put_fragment(frag); +@@ -1956,7 +1968,9 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys) + + dput(dentry); + ++ mutex_lock(&configfs_subsystem_mutex); + unlink_group(group); ++ mutex_unlock(&configfs_subsystem_mutex); + configfs_release_fs(); + } + +-- +2.34.1 + diff --git a/queue-5.4/rdma-ib_srp-fix-a-deadlock.patch b/queue-5.4/rdma-ib_srp-fix-a-deadlock.patch new file mode 100644 index 00000000000..4e0563319ed --- /dev/null +++ b/queue-5.4/rdma-ib_srp-fix-a-deadlock.patch @@ -0,0 +1,45 @@ +From f9570d902d48f3681194a6b2b42d9ac31e822397 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 13:05:11 -0800 +Subject: RDMA/ib_srp: Fix a deadlock + +From: Bart Van Assche + +[ Upstream commit 081bdc9fe05bb23248f5effb6f811da3da4b8252 ] + +Remove the flush_workqueue(system_long_wq) call since flushing +system_long_wq is deadlock-prone and since that call is redundant with a +preceding cancel_work_sync() + +Link: https://lore.kernel.org/r/20220215210511.28303-3-bvanassche@acm.org +Fixes: ef6c49d87c34 ("IB/srp: Eliminate state SRP_TARGET_DEAD") +Reported-by: syzbot+831661966588c802aae9@syzkaller.appspotmail.com +Signed-off-by: Bart Van Assche +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 8708ed5477e99..dac806b715afa 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -4222,9 +4222,11 @@ static void srp_remove_one(struct ib_device *device, void *client_data) + spin_unlock(&host->target_lock); + + /* +- * Wait for tl_err and target port removal tasks. ++ * srp_queue_remove_work() queues a call to ++ * srp_remove_target(). The latter function cancels ++ * target->tl_err_work so waiting for the remove works to ++ * finish is sufficient. + */ +- flush_workqueue(system_long_wq); + flush_workqueue(srp_remove_wq); + + kfree(host); +-- +2.34.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 6ed50942cc2..6b2c7c9d4cd 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -26,3 +26,6 @@ nfp-flower-fix-a-potential-leak-in-nfp_tunnel_add_shared_mac.patch netfilter-nf_tables-fix-memory-leak-during-stateful-obj-update.patch net-mlx5-fix-possible-deadlock-on-rule-deletion.patch net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch +spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch +configfs-fix-a-race-in-configfs_-un-register_subsyst.patch +rdma-ib_srp-fix-a-deadlock.patch diff --git a/queue-5.4/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch b/queue-5.4/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..c83430ce1d5 --- /dev/null +++ b/queue-5.4/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch @@ -0,0 +1,55 @@ +From 784fb931a0f4f5fca880f2cfcca103797963e3b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 01:22:53 +0800 +Subject: spi: spi-zynq-qspi: Fix a NULL pointer dereference in + zynq_qspi_exec_mem_op() + +From: Zhou Qingyang + +[ Upstream commit ab3824427b848da10e9fe2727f035bbeecae6ff4 ] + +In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(), +which could lead to a NULL pointer dereference on failure of +kzalloc(). + +Fix this bug by adding a check of tmpbuf. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller") +Signed-off-by: Zhou Qingyang +Link: https://lore.kernel.org/r/20211130172253.203700-1-zhou1615@umn.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-zynq-qspi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c +index 1ced6eb8b3303..b3588240eb39b 100644 +--- a/drivers/spi/spi-zynq-qspi.c ++++ b/drivers/spi/spi-zynq-qspi.c +@@ -558,6 +558,9 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem, + + if (op->dummy.nbytes) { + tmpbuf = kzalloc(op->dummy.nbytes, GFP_KERNEL); ++ if (!tmpbuf) ++ return -ENOMEM; ++ + memset(tmpbuf, 0xff, op->dummy.nbytes); + reinit_completion(&xqspi->data_completion); + xqspi->txbuf = tmpbuf; +-- +2.34.1 +