From: Greg Kroah-Hartman Date: Mon, 20 Jun 2022 09:42:32 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.200~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b359b814ce064dea721b35a3ba93d22b4c27116a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch serial-8250-store-to-lsr_save_flags-after-lsr-read.patch --- diff --git a/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch b/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch new file mode 100644 index 00000000000..0a033dacde7 --- /dev/null +++ b/queue-5.15/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch 
@@ -0,0 +1,47 @@ +From 928ea98252ad75118950941683893cf904541da9 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Wed, 1 Jun 2022 19:51:59 +0900 +Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove() + +From: Shin'ichiro Kawasaki + +commit 928ea98252ad75118950941683893cf904541da9 upstream. + +In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to +fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in +fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io +triggers KASAN use-after-free. To avoid the use-after-free, keep the +reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to +fsl_destroy_mc_io(). + +This patch needs rework to apply to kernels older than v5.15. + +Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -1236,14 +1236,14 @@ error_cleanup_mc_io: + static int fsl_mc_bus_remove(struct platform_device *pdev) + { + struct fsl_mc *mc = platform_get_drvdata(pdev); ++ struct fsl_mc_io *mc_io; + + if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev)) + return -EINVAL; + ++ mc_io = mc->root_mc_bus_dev->mc_io; + fsl_mc_device_remove(mc->root_mc_bus_dev); +- +- fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io); +- mc->root_mc_bus_dev->mc_io = NULL; ++ fsl_destroy_mc_io(mc_io); + + bus_unregister_notifier(&fsl_mc_bus_type, &fsl_mc_nb); + diff --git a/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch b/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch new file mode 100644 index 00000000000..7feab54cf39 --- /dev/null 
+++ b/queue-5.15/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch @@ -0,0 +1,46 @@ +From be03b0651ffd8bab69dfd574c6818b446c0753ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 20 May 2022 13:35:41 +0300 +Subject: serial: 8250: Store to lsr_save_flags after lsr read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit be03b0651ffd8bab69dfd574c6818b446c0753ce upstream. + +Not all LSR register flags are preserved across reads. Therefore, LSR +readers must store the non-preserved bits into lsr_save_flags. + +This fix was initially mixed into feature commit f6f586102add ("serial: +8250: Handle UART without interrupt on TEMT using em485"). However, +that feature change had a flaw and it was reverted to make room for +simpler approach providing the same feature. The embedded fix got +reverted with the feature change. + +Re-add the lsr_save_flags fix and properly mark it's a fix. + +Link: https://lore.kernel.org/all/1d6c31d-d194-9e6a-ddf9-5f29af829f3@linux.intel.com/T/#m1737eef986bd20cf19593e344cebd7b0244945fc +Fixes: e490c9144cfa ("tty: Add software emulated RS485 support for 8250") +Cc: stable +Acked-by: Uwe Kleine-König +Signed-off-by: Uwe Kleine-König +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/f4d774be-1437-a550-8334-19d8722ab98c@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1535,6 +1535,8 @@ static inline void __stop_tx(struct uart + + if (em485) { + unsigned char lsr = serial_in(p, UART_LSR); ++ p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS; ++ + /* + * To provide required timeing and allow FIFO transfer, + * __stop_tx_rs485() must be called only when both FIFO and diff --git a/queue-5.15/series b/queue-5.15/series index 77a133f1759..1cad237fab1 100644 
--- a/queue-5.15/series +++ b/queue-5.15/series @@ -90,3 +90,5 @@ usb-gadget-lpc32xx_udc-fix-refcount-leak-in-lpc32xx_udc_probe.patch usb-gadget-f_fs-change-ep-status-safe-in-ffs_epfile_io.patch usb-gadget-f_fs-change-ep-ep-safe-in-ffs_epfile_io.patch tty-n_gsm-debug-output-allocation-must-use-gfp_atomic.patch +serial-8250-store-to-lsr_save_flags-after-lsr-read.patch +bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
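Review bot: in the fsl_mc_bus_remove() hunk of drivers/bus/fsl-mc/fsl-mc-bus.c, mc->root_mc_bus_dev still holds the pointer to the device that, per the commit message, fsl_mc_device_remove() has already freed. The fix correctly captures mc_io before that call and drops the old write of mc->root_mc_bus_dev->mc_io = NULL, which was itself a store into freed memory, but the stale pointer stays in struct fsl_mc. If anything that runs after this point can still reach mc, consider setting mc->root_mc_bus_dev = NULL right after fsl_mc_device_remove() so a later dereference faults instead of reading freed memory. A one-line comment above "mc_io = mc->root_mc_bus_dev->mc_io;" saying it must be read before the device is removed would also keep a later cleanup from folding the local variable back into the fsl_destroy_mc_io() call.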
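Review bot: in the __stop_tx() hunk of drivers/tty/serial/8250/8250_port.c, the rule from the commit message (every LSR reader must store the non-preserved bits) is open-coded next to the read, so nothing prevents the next serial_in(p, UART_LSR) caller from forgetting it again. A small helper that reads UART_LSR and ORs lsr & LSR_SAVE_FLAGS into p->lsr_saved_flags would make the rule hard to miss. Two style points in the same hunk: the new statement follows the declaration of lsr with no blank line between them while the added blank line comes after it, so moving the blank line up would separate declaration from code; and the subject and patch file name say lsr_save_flags while the field written is lsr_saved_flags, which makes the commit harder to find when searching by field name.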