From: Greg Kroah-Hartman Date: Sun, 20 Aug 2023 19:32:49 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.4.12~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5ac2b057e8beb87961ef473e7812fe950d0d259;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch fbdev-mmp-fix-value-check-in-mmphw_probe.patch i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch --- diff --git a/queue-5.10/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch b/queue-5.10/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch new file mode 100644 index 00000000000..5529bf730ae --- /dev/null +++ b/queue-5.10/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch @@ -0,0 +1,64 @@ +From 29eefa6d0d07e185f7bfe9576f91e6dba98189c2 Mon Sep 17 00:00:00 2001 +From: xiaoshoukui +Date: Tue, 15 Aug 2023 02:55:59 -0400 +Subject: btrfs: fix BUG_ON condition in btrfs_cancel_balance + +From: xiaoshoukui + +commit 29eefa6d0d07e185f7bfe9576f91e6dba98189c2 upstream. + +Pausing and canceling balance can race to interrupt balance lead to BUG_ON +panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance +does not take this race scenario into account. + +However, the race condition has no other side effects. We can fix that. + +Reproducing it with panic trace like this: + + kernel BUG at fs/btrfs/volumes.c:4618! + RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0 + Call Trace: + + ? do_nanosleep+0x60/0x120 + ? hrtimer_nanosleep+0xb7/0x1a0 + ? sched_core_clone_cookie+0x70/0x70 + btrfs_ioctl_balance_ctl+0x55/0x70 + btrfs_ioctl+0xa46/0xd20 + __x64_sys_ioctl+0x7d/0xa0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Race scenario as follows: + > mutex_unlock(&fs_info->balance_mutex); + > -------------------- + > .......issue pause and cancel req in another thread + > -------------------- + > ret = __btrfs_balance(fs_info); + > + > mutex_lock(&fs_info->balance_mutex); + > if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { + > btrfs_info(fs_info, "balance: paused"); + > btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); + > } + +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: xiaoshoukui +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4460,8 +4460,7 @@ int btrfs_cancel_balance(struct btrfs_fs + } + } + +- BUG_ON(fs_info->balance_ctl || +- test_bit(BTRFS_FS_BALANCE_RUNNING, &fs_info->flags)); ++ ASSERT(!test_bit(BTRFS_FS_BALANCE_RUNNING, &fs_info->flags)); + atomic_dec(&fs_info->balance_cancel_req); + mutex_unlock(&fs_info->balance_mutex); + return 0; diff --git a/queue-5.10/fbdev-mmp-fix-value-check-in-mmphw_probe.patch b/queue-5.10/fbdev-mmp-fix-value-check-in-mmphw_probe.patch new file mode 100644 index 00000000000..2fc88c61287 --- /dev/null +++ b/queue-5.10/fbdev-mmp-fix-value-check-in-mmphw_probe.patch @@ -0,0 +1,34 @@ +From 0872b2c0abc0e84ac82472959c8e14e35277549c Mon Sep 17 00:00:00 2001 +From: Yuanjun Gong +Date: Fri, 28 Jul 2023 01:03:18 +0800 +Subject: fbdev: mmp: fix value check in mmphw_probe() + +From: Yuanjun Gong + +commit 0872b2c0abc0e84ac82472959c8e14e35277549c upstream. + +in mmphw_probe(), check the return value of clk_prepare_enable() +and return the error code if clk_prepare_enable() returns an +unexpected value. + +Fixes: d63028c38905 ("video: mmp display controller support") +Signed-off-by: Yuanjun Gong +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/mmp/hw/mmp_ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/mmp/hw/mmp_ctrl.c ++++ b/drivers/video/fbdev/mmp/hw/mmp_ctrl.c +@@ -518,7 +518,9 @@ static int mmphw_probe(struct platform_d + ret = -ENOENT; + goto failed; + } +- clk_prepare_enable(ctrl->clk); ++ ret = clk_prepare_enable(ctrl->clk); ++ if (ret) ++ goto failed; + + /* init global regs */ + ctrl_set_default(ctrl); diff --git a/queue-5.10/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch b/queue-5.10/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch new file mode 100644 index 00000000000..c6d052866cb --- /dev/null +++ b/queue-5.10/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch @@ -0,0 +1,61 @@ +From 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 Mon Sep 17 00:00:00 2001 +From: Chengfeng Ye +Date: Fri, 7 Jul 2023 08:49:41 +0000 +Subject: i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue + +From: Chengfeng Ye + +commit 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 upstream. + +iproc_i2c_rd_reg() and iproc_i2c_wr_reg() are called from both +interrupt context (e.g. bcm_iproc_i2c_isr) and process context +(e.g. bcm_iproc_i2c_suspend). Therefore, interrupts should be +disabled to avoid potential deadlock. To prevent this scenario, +use spin_lock_irqsave(). + +Fixes: 9a1038728037 ("i2c: iproc: add NIC I2C support") +Signed-off-by: Chengfeng Ye +Acked-by: Ray Jui +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-bcm-iproc.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-bcm-iproc.c ++++ b/drivers/i2c/busses/i2c-bcm-iproc.c +@@ -242,13 +242,14 @@ static inline u32 iproc_i2c_rd_reg(struc + u32 offset) + { + u32 val; ++ unsigned long flags; + + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + val = readl(iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, flags); + } else { + val = readl(iproc_i2c->base + offset); + } +@@ -259,12 +260,14 @@ static inline u32 iproc_i2c_rd_reg(struc + static inline void iproc_i2c_wr_reg(struct bcm_iproc_i2c_dev *iproc_i2c, + u32 offset, u32 val) + { ++ unsigned long flags; ++ + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + writel(val, iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, flags); + } else { + writel(val, iproc_i2c->base + offset); + } diff --git a/queue-5.10/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch b/queue-5.10/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch new file mode 100644 index 00000000000..2c57499ac27 --- /dev/null +++ b/queue-5.10/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch @@ -0,0 +1,57 @@ +From 69f035c480d76f12bf061148ccfd578e1099e5fc Mon Sep 17 00:00:00 2001 +From: Tam Nguyen +Date: Wed, 26 Jul 2023 15:00:01 +0700 +Subject: i2c: designware: Handle invalid SMBus block data response length value + +From: Tam Nguyen + +commit 69f035c480d76f12bf061148ccfd578e1099e5fc upstream. + +In the I2C_FUNC_SMBUS_BLOCK_DATA case, the invalid length byte value +(outside of 1-32) of the SMBus block data response from the Slave device +is not correctly handled by the I2C Designware driver. + +In case IC_EMPTYFIFO_HOLD_MASTER_EN==1, which cannot be detected +from the registers, the Master can be disabled only if the STOP bit +is set. Without STOP bit set, the Master remains active, holding the bus +until receiving a block data response length. This hangs the bus and +is unrecoverable. + +Avoid this by issuing another dump read to reach the stop condition when +an invalid length byte is received. + +Cc: stable@vger.kernel.org +Signed-off-by: Tam Nguyen +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20230726080001.337353-3-tamnguyenchi@os.amperecomputing.com +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-master.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -432,8 +432,19 @@ i2c_dw_read(struct dw_i2c_dev *dev) + + regmap_read(dev->map, DW_IC_DATA_CMD, &tmp); + /* Ensure length byte is a valid value */ +- if (flags & I2C_M_RECV_LEN && +- tmp <= I2C_SMBUS_BLOCK_MAX && tmp > 0) { ++ if (flags & I2C_M_RECV_LEN) { ++ /* ++ * if IC_EMPTYFIFO_HOLD_MASTER_EN is set, which cannot be ++ * detected from the registers, the controller can be ++ * disabled if the STOP bit is set. But it is only set ++ * after receiving block data response length in ++ * I2C_FUNC_SMBUS_BLOCK_DATA case. That needs to read ++ * another byte with STOP bit set when the block data ++ * response length is invalid to complete the transaction. ++ */ ++ if (!tmp || tmp > I2C_SMBUS_BLOCK_MAX) ++ tmp = 1; ++ + len = i2c_dw_recv_len(dev, tmp); + } + *buf++ = tmp; diff --git a/queue-5.10/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch b/queue-5.10/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch new file mode 100644 index 00000000000..5f779fcaa0d --- /dev/null +++ b/queue-5.10/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch @@ -0,0 +1,68 @@ +From 4f3175979e62de3b929bfa54a0db4b87d36257a7 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 10 Aug 2023 22:37:55 -0500 +Subject: powerpc/rtas_flash: allow user copy to flash block cache objects + +From: Nathan Lynch + +commit 4f3175979e62de3b929bfa54a0db4b87d36257a7 upstream. + +With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the +/proc/powerpc/rtas/firmware_update interface to prepare a system +firmware update yields a BUG(): + + kernel BUG at mm/usercopy.c:102! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 + Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries + NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 + REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) + MSR: 8000000000029033 CR: 24002242 XER: 0000000c + CFAR: c0000000001fbd34 IRQMASK: 0 + [ ... GPRs omitted ... ] + NIP usercopy_abort+0xa0/0xb0 + LR usercopy_abort+0x9c/0xb0 + Call Trace: + usercopy_abort+0x9c/0xb0 (unreliable) + __check_heap_object+0x1b4/0x1d0 + __check_object_size+0x2d0/0x380 + rtas_flash_write+0xe4/0x250 + proc_reg_write+0xfc/0x160 + vfs_write+0xfc/0x4e0 + ksys_write+0x90/0x160 + system_call_exception+0x178/0x320 + system_call_common+0x160/0x2c4 + +The blocks of the firmware image are copied directly from user memory +to objects allocated from flash_block_cache, so flash_block_cache must +be created using kmem_cache_create_usercopy() to mark it safe for user +access. + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Signed-off-by: Nathan Lynch +Reviewed-by: Kees Cook +[mpe: Trim and indent oops] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230810-rtas-flash-vs-hardened-usercopy-v2-1-dcf63793a938@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/rtas_flash.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/rtas_flash.c ++++ b/arch/powerpc/kernel/rtas_flash.c +@@ -710,9 +710,9 @@ static int __init rtas_flash_init(void) + if (!rtas_validate_flash_data.buf) + return -ENOMEM; + +- flash_block_cache = kmem_cache_create("rtas_flash_cache", +- RTAS_BLK_SIZE, RTAS_BLK_SIZE, 0, +- NULL); ++ flash_block_cache = kmem_cache_create_usercopy("rtas_flash_cache", ++ RTAS_BLK_SIZE, RTAS_BLK_SIZE, ++ 0, 0, RTAS_BLK_SIZE, NULL); + if (!flash_block_cache) { + printk(KERN_ERR "%s: failed to create block cache\n", + __func__); diff --git a/queue-5.10/series b/queue-5.10/series index 25bd2893077..8c2d2d63636 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -69,3 +69,10 @@ tracing-probes-fix-to-update-dynamic-data-counter-if.patch net-ncsi-change-from-ndo_set_mac_address-to-dev_set_.patch virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch +i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch +fbdev-mmp-fix-value-check-in-mmphw_probe.patch +powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch +tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch +tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch +btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch +i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch diff --git a/queue-5.10/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch b/queue-5.10/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch new file mode 100644 index 00000000000..ccaa3944985 --- /dev/null +++ b/queue-5.10/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch @@ -0,0 +1,59 @@ +From 3c4f8333b582487a2d1e02171f1465531cde53e3 Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Fri, 11 Aug 2023 11:11:21 +0800 +Subject: tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux + +From: Yi Yang + +commit 3c4f8333b582487a2d1e02171f1465531cde53e3 upstream. + +In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF +problem is not completely fixed. There is a race condition in +gsm_cleanup_mux(), which caused this UAF. + +The UAF problem is triggered by the following race: +task[5046] task[5054] +----------------------- ----------------------- +gsm_cleanup_mux(); +dlci = gsm->dlci[0]; +mutex_lock(&gsm->mutex); + gsm_cleanup_mux(); + dlci = gsm->dlci[0]; //Didn't take the lock +gsm_dlci_release(gsm->dlci[i]); +gsm->dlci[i] = NULL; +mutex_unlock(&gsm->mutex); + mutex_lock(&gsm->mutex); + dlci->dead = true; //UAF + +Fix it by assigning values after mutex_lock(). + +Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000 +Cc: stable +Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux") +Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command") +Signed-off-by: Yi Yang +Co-developed-by: Qiumiao Zhang +Signed-off-by: Qiumiao Zhang +Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2159,12 +2159,13 @@ static void gsm_error(struct gsm_mux *gs + static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) + { + int i; +- struct gsm_dlci *dlci = gsm->dlci[0]; ++ struct gsm_dlci *dlci; + struct gsm_msg *txq, *ntxq; + + gsm->dead = true; + mutex_lock(&gsm->mutex); + ++ dlci = gsm->dlci[0]; + if (dlci) { + if (disc && dlci->state != DLCI_CLOSED) { + gsm_dlci_begin_close(dlci); diff --git a/queue-5.10/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch b/queue-5.10/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch new file mode 100644 index 00000000000..b69757b2a3f --- /dev/null +++ b/queue-5.10/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch @@ -0,0 +1,37 @@ +From 282069845af388b08d622ad192b831dcd0549c62 Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Tue, 1 Aug 2023 10:23:04 +0800 +Subject: tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms + +From: Sherry Sun + +commit 282069845af388b08d622ad192b831dcd0549c62 upstream. + +Do not read the data register to clear the error flags for lpuart32 +platforms, the additional read may cause the receive FIFO underflow +since the DMA has already read the data register. +Actually all lpuart32 platforms support write 1 to clear those error +bits, let's use this method to better clear the error flags. + +Fixes: 42b68768e51b ("serial: fsl_lpuart: DMA support for 32-bit variant") +Cc: stable +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20230801022304.24251-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1062,8 +1062,8 @@ static void lpuart_copy_rx_to_tty(struct + unsigned long sr = lpuart32_read(&sport->port, UARTSTAT); + + if (sr & (UARTSTAT_PE | UARTSTAT_FE)) { +- /* Read DR to clear the error flags */ +- lpuart32_read(&sport->port, UARTDATA); ++ /* Clear the error flags */ ++ lpuart32_write(&sport->port, sr, UARTSTAT); + + if (sr & UARTSTAT_PE) + sport->port.icount.parity++;