From: Sasha Levin Date: Fri, 18 Aug 2023 13:48:24 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.4.12~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8201934ff9cb888657a8eb9d03b0af424ea47d2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/series b/queue-5.10/series index c688d7018b1..25bd2893077 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -67,3 +67,5 @@ mmc-meson-gx-fix-deferred-probing.patch tracing-probes-have-process_fetch_insn-take-a-void-i.patch tracing-probes-fix-to-update-dynamic-data-counter-if.patch net-ncsi-change-from-ndo_set_mac_address-to-dev_set_.patch +virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch +virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch diff --git a/queue-5.10/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch b/queue-5.10/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch new file mode 100644 index 00000000000..35b2069235b --- /dev/null +++ b/queue-5.10/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch 
@@ -0,0 +1,60 @@ +From 7a505db58b0bbdb1c4504b96dc74fe5b94fe3029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 14:05:26 +0200 +Subject: virtio-mmio: don't break lifecycle of vm_dev + +From: Wolfram Sang + +[ Upstream commit 55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a ] + +vm_dev has a separate lifecycle because it has a 'struct device' +embedded. Thus, having a release callback for it is correct. + +Allocating the vm_dev struct with devres totally breaks this protection, +though. Instead of waiting for the vm_dev release callback, the memory +is freed when the platform_device is removed. Resulting in a +use-after-free when finally the callback is to be called. + +To easily see the problem, compile the kernel with +CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs. + +The fix is easy, don't use devres in this case. + +Found during my research about object lifetime problems. + +Fixes: 7eb781b1bbb7 ("virtio_mmio: add cleanup for virtio_mmio_probe") +Signed-off-by: Wolfram Sang +Message-Id: <20230629120526.7184-1-wsa+renesas@sang-engineering.com> +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index 844b949b45c96..136f90dbad831 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -572,9 +572,8 @@ static void virtio_mmio_release_dev(struct device *_d) + struct virtio_device *vdev = + container_of(_d, struct virtio_device, dev); + struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev); +- struct platform_device *pdev = vm_dev->pdev; + +- devm_kfree(&pdev->dev, vm_dev); ++ kfree(vm_dev); + } + + /* Platform device */ +@@ -585,7 +584,7 @@ static int virtio_mmio_probe(struct platform_device *pdev) + unsigned long magic; + int rc; + +- vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL); ++ vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL); + if (!vm_dev) + return -ENOMEM; + +-- +2.40.1 + diff --git a/queue-5.10/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch b/queue-5.10/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch new file mode 100644 index 00000000000..ff59e711983 --- /dev/null +++ b/queue-5.10/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch 
@@ -0,0 +1,38 @@ +From a975e9be942aaa84e2e627c7339fdd50b8c39097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Feb 2021 13:57:24 +0800 +Subject: virtio-mmio: Use to_virtio_mmio_device() to simply code + +From: Tang Bin + +[ Upstream commit da98b54d02981de5b07d8044b2a632bf6ba3ac45 ] + +The file virtio_mmio.c has defined the function to_virtio_mmio_device, +so use it instead of container_of() to simply code. + +Signed-off-by: Tang Bin +Link: https://lore.kernel.org/r/20210222055724.220-1-tangbin@cmss.chinamobile.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index e8ef0c66e558f..844b949b45c96 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -571,8 +571,7 @@ static void virtio_mmio_release_dev(struct device *_d) + { + struct virtio_device *vdev = + container_of(_d, struct virtio_device, dev); +- struct virtio_mmio_device *vm_dev = +- container_of(vdev, struct virtio_mmio_device, vdev); ++ struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev); + struct platform_device *pdev = vm_dev->pdev; + + devm_kfree(&pdev->dev, vm_dev); +-- +2.40.1 +
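Review bot: in the virtio_mmio_release_dev hunk of virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch, the new kfree(vm_dev) becomes the only place vm_dev is freed, and nothing in the code records why it must stay outside devres. The Fixes: tag shows the use-after-free came from an earlier cleanup patch, so a later cleanup could make the same conversion again. A short comment on the release callback or at the kzalloc() in probe would help, stating that vm_dev embeds a struct device and that its memory has to live until this callback runs. The commit message's reproduction recipe (CONFIG_DEBUG_KOBJECT_RELEASE plus a sysfs unbind) is also worth repeating on the 5.10 backport to confirm the callback no longer touches freed memory.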
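Review bot: in the virtio_mmio_probe hunk of virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch, switching devm_kzalloc() to kzalloc() leaves vm_dev without an owner if probe fails before the release callback can take over. The diffstat lists 2 insertions and 3 deletions, all accounted for by the allocation line and the release callback, so no error path gained a kfree(vm_dev). The hunk only shows the -ENOMEM return. Every later early return in probe that devres used to clean up should be checked and given an explicit kfree(vm_dev) or a shared error label. Paths where the embedded struct device has already been initialised need put_device() instead, so that virtio_mmio_release_dev does the free and the struct is not freed twice.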