From: Greg Kroah-Hartman Date: Sat, 2 Apr 2022 09:16:33 +0000 (+0200) Subject: 5.16-stable patches X-Git-Tag: v4.14.275~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe5d79c108642e052d36ed5bdef36def9311f5a9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch alsa-hda-avoid-unsol-event-during-rpm-suspending.patch alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch cifs-do-not-skip-link-targets-when-an-i-o-fails.patch cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch io_uring-ensure-that-fsnotify-is-always-called.patch ocfs2-fix-crash-when-mount-with-quota-enabled.patch revert-input-clear-btn_right-middle-on-buttonpads.patch riscv-dts-canaan-fix-spi3-bus-width.patch riscv-fix-fill_callchain-return-value.patch riscv-increase-stack-size-under-kasan.patch rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch rtc-pl031-fix-rtc-features-null-pointer-dereference.patch --- diff --git a/queue-5.16/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-5.16/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch new file mode 100644 index 00000000000..a231a26c9f7 --- /dev/null +++ b/queue-5.16/alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch @@ -0,0 +1,57 @@ +From 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Sun, 27 Mar 2022 14:08:22 +0800 +Subject: ALSA: cs4236: fix an incorrect NULL check on list iterator + +From: Xiaomeng Tong + +commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream. + +The bug is here: + err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev); + +The list iterator value 'cdev' will *always* be set and non-NULL +by list_for_each_entry(), so it is incorrect to assume that the +iterator value will be NULL if the list is empty or no element +is found. + +To fix the bug, use a new variable 'iter' as the list iterator, +while use the original variable 'cdev' as a dedicated pointer +to point to the found element. And snd_card_cs423x_pnp() itself +has NULL check for cdev. + +Cc: stable@vger.kernel.org +Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/cs423x/cs4236.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/sound/isa/cs423x/cs4236.c ++++ b/sound/isa/cs423x/cs4236.c +@@ -494,7 +494,7 @@ static int snd_cs423x_pnpbios_detect(str + static int dev; + int err; + struct snd_card *card; +- struct pnp_dev *cdev; ++ struct pnp_dev *cdev, *iter; + char cid[PNP_ID_LEN]; + + if (pnp_device_is_isapnp(pdev)) +@@ -510,9 +510,11 @@ static int snd_cs423x_pnpbios_detect(str + strcpy(cid, pdev->id[0].id); + cid[5] = '1'; + cdev = NULL; +- list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) { +- if (!strcmp(cdev->id[0].id, cid)) ++ list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) { ++ if (!strcmp(iter->id[0].id, cid)) { ++ cdev = iter; + break; ++ } + } + err = snd_cs423x_card_new(&pdev->dev, dev, &card); + if (err < 0) diff --git a/queue-5.16/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch b/queue-5.16/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch new file mode 100644 index 00000000000..5dd98f7127b --- /dev/null +++ b/queue-5.16/alsa-hda-avoid-unsol-event-during-rpm-suspending.patch @@ -0,0 +1,70 @@ +From 6ddc2f749621d5d45ca03edc9f0616bcda136d29 Mon Sep 17 00:00:00 2001 +From: Mohan Kumar +Date: Tue, 29 Mar 2022 21:29:40 +0530 +Subject: ALSA: hda: Avoid unsol event during RPM suspending + +From: Mohan Kumar + +commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream. + +There is a corner case with unsol event handling during codec runtime +suspending state. When the codec runtime suspend call initiated, the +codec->in_pm atomic variable would be 0, currently the codec runtime +suspend function calls snd_hdac_enter_pm() which will just increments +the codec->in_pm atomic variable. Consider unsol event happened just +after this step and before snd_hdac_leave_pm() in the codec runtime +suspend function. The snd_hdac_power_up_pm() in the unsol event +flow in hdmi_present_sense_via_verbs() function would just increment +the codec->in_pm atomic variable without calling pm_runtime_get_sync +function. + +As codec runtime suspend flow is already in progress and in parallel +unsol event is also accessing the codec verbs, as soon as codec +suspend flow completes and clocks are switched off before completing +the unsol event handling as both functions doesn't wait for each other. +This will result in below errors + +[ 589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching +to polling mode: last cmd=0x505f2f57 +[ 589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5, +last cmd=0x505f2f57 +[ 589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5, +last cmd=0x505f2f57 + +To avoid this, the unsol event flow should not perform any codec verb +related operations during RPM_SUSPENDING state. + +Signed-off-by: Mohan Kumar +Cc: +Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1617,6 +1617,7 @@ static void hdmi_present_sense_via_verbs + struct hda_codec *codec = per_pin->codec; + struct hdmi_spec *spec = codec->spec; + struct hdmi_eld *eld = &spec->temp_eld; ++ struct device *dev = hda_codec_dev(codec); + hda_nid_t pin_nid = per_pin->pin_nid; + int dev_id = per_pin->dev_id; + /* +@@ -1630,8 +1631,13 @@ static void hdmi_present_sense_via_verbs + int present; + int ret; + ++#ifdef CONFIG_PM ++ if (dev->power.runtime_status == RPM_SUSPENDING) ++ return; ++#endif ++ + ret = snd_hda_power_up_pm(codec); +- if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec))) ++ if (ret < 0 && pm_runtime_suspended(dev)) + goto out; + + present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id); diff --git a/queue-5.16/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch b/queue-5.16/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch new file mode 100644 index 00000000000..ec993175d5a --- /dev/null +++ b/queue-5.16/alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch @@ -0,0 +1,45 @@ +From f30741cded62f87bb4b1cc58bc627f076abcaba8 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 30 Mar 2022 14:13:33 +0800 +Subject: ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020 + +From: Kai-Heng Feng + +commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream. + +Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording +issue") is to solve recording issue met on AL236, by matching codec +variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256. + +This match can be too broad and Mi Notebook Pro 2020 is broken by the +patch. + +Instead, use codec ID to be narrow down the scope, in order to make +ALC256 unaffected. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484 +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Cc: +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3612,8 +3612,8 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. So skip setting it for the codec alc257 + */ +- if (spec->codec_variant != ALC269_TYPE_ALC257 && +- spec->codec_variant != ALC269_TYPE_ALC256) ++ if (codec->core.vendor_id != 0x10ec0236 && ++ codec->core.vendor_id != 0x10ec0257) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) diff --git a/queue-5.16/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch b/queue-5.16/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch new file mode 100644 index 00000000000..0db292d6599 --- /dev/null +++ b/queue-5.16/alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch @@ -0,0 +1,212 @@ +From bc55cfd5718c7c23e5524582e9fa70b4d10f2433 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 30 Mar 2022 14:09:03 +0200 +Subject: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock + +From: Takashi Iwai + +commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream. + +syzbot caught a potential deadlock between the PCM +runtime->buffer_mutex and the mm->mmap_lock. It was brought by the +recent fix to cover the racy read/write and other ioctls, and in that +commit, I overlooked a (hopefully only) corner case that may take the +revert lock, namely, the OSS mmap. The OSS mmap operation +exceptionally allows to re-configure the parameters inside the OSS +mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the +copy_from/to_user calls at read/write operations also take the +mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. + +A similar problem was already seen in the past and we fixed it with a +refcount (in commit b248371628aa). The former fix covered only the +call paths with OSS read/write and OSS ioctls, while we need to cover +the concurrent access via both ALSA and OSS APIs now. + +This patch addresses the problem above by replacing the buffer_mutex +lock in the read/write operations with a refcount similar as we've +used for OSS. The new field, runtime->buffer_accessing, keeps the +number of concurrent read/write operations. Unlike the former +buffer_mutex protection, this protects only around the +copy_from/to_user() calls; the other codes are basically protected by +the PCM stream lock. The refcount can be a negative, meaning blocked +by the ioctls. If a negative value is seen, the read/write aborts +with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, +and set to a negative value for blocking unless it's already being +accessed. + +Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com +Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes") +Cc: +Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com +Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 1 + + sound/core/pcm.c | 1 + + sound/core/pcm_lib.c | 9 +++++---- + sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++------- + 4 files changed, 39 insertions(+), 11 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -399,6 +399,7 @@ struct snd_pcm_runtime { + struct fasync_struct *fasync; + bool stop_operating; /* sync_stop will be called */ + struct mutex buffer_mutex; /* protect for buffer changes */ ++ atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */ + + /* -- private section -- */ + void *private_data; +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_ + + runtime->status->state = SNDRV_PCM_STATE_OPEN; + mutex_init(&runtime->buffer_mutex); ++ atomic_set(&runtime->buffer_accessing, 0); + + substream->runtime = runtime; + substream->private_data = pcm->private_data; +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -1906,11 +1906,9 @@ static int wait_for_avail(struct snd_pcm + if (avail >= runtime->twake) + break; + snd_pcm_stream_unlock_irq(substream); +- mutex_unlock(&runtime->buffer_mutex); + + tout = schedule_timeout(wait_time); + +- mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + set_current_state(TASK_INTERRUPTIBLE); + switch (runtime->status->state) { +@@ -2204,7 +2202,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + + nonblock = !!(substream->f_flags & O_NONBLOCK); + +- mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + err = pcm_accessible_state(runtime); + if (err < 0) +@@ -2259,6 +2256,10 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + err = -EINVAL; + goto _end_unlock; + } ++ if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) { ++ err = -EBUSY; ++ goto _end_unlock; ++ } + snd_pcm_stream_unlock_irq(substream); + if (!is_playback) + snd_pcm_dma_buffer_sync(substream, SNDRV_DMA_SYNC_CPU); +@@ -2267,6 +2268,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + if (is_playback) + snd_pcm_dma_buffer_sync(substream, SNDRV_DMA_SYNC_DEVICE); + snd_pcm_stream_lock_irq(substream); ++ atomic_dec(&runtime->buffer_accessing); + if (err < 0) + goto _end_unlock; + err = pcm_accessible_state(runtime); +@@ -2296,7 +2298,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + if (xfer > 0 && err >= 0) + snd_pcm_update_state(substream, runtime); + snd_pcm_stream_unlock_irq(substream); +- mutex_unlock(&runtime->buffer_mutex); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : err; + } + EXPORT_SYMBOL(__snd_pcm_lib_xfer); +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -672,6 +672,24 @@ static int snd_pcm_hw_params_choose(stru + return 0; + } + ++/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise ++ * block the further r/w operations ++ */ ++static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime) ++{ ++ if (!atomic_dec_unless_positive(&runtime->buffer_accessing)) ++ return -EBUSY; ++ mutex_lock(&runtime->buffer_mutex); ++ return 0; /* keep buffer_mutex, unlocked by below */ ++} ++ ++/* release buffer_mutex and clear r/w access flag */ ++static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime) ++{ ++ mutex_unlock(&runtime->buffer_mutex); ++ atomic_inc(&runtime->buffer_accessing); ++} ++ + #if IS_ENABLED(CONFIG_SND_PCM_OSS) + #define is_oss_stream(substream) ((substream)->oss.oss) + #else +@@ -682,14 +700,16 @@ static int snd_pcm_hw_params(struct snd_ + struct snd_pcm_hw_params *params) + { + struct snd_pcm_runtime *runtime; +- int err = 0, usecs; ++ int err, usecs; + unsigned int bits; + snd_pcm_uframes_t frames; + + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; +- mutex_lock(&runtime->buffer_mutex); ++ err = snd_pcm_buffer_access_lock(runtime); ++ if (err < 0) ++ return err; + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_OPEN: +@@ -807,7 +827,7 @@ static int snd_pcm_hw_params(struct snd_ + snd_pcm_lib_free_pages(substream); + } + unlock: +- mutex_unlock(&runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(runtime); + return err; + } + +@@ -852,7 +872,9 @@ static int snd_pcm_hw_free(struct snd_pc + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; +- mutex_lock(&runtime->buffer_mutex); ++ result = snd_pcm_buffer_access_lock(runtime); ++ if (result < 0) ++ return result; + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_SETUP: +@@ -871,7 +893,7 @@ static int snd_pcm_hw_free(struct snd_pc + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); + cpu_latency_qos_remove_request(&substream->latency_pm_qos_req); + unlock: +- mutex_unlock(&runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(runtime); + return result; + } + +@@ -1356,12 +1378,15 @@ static int snd_pcm_action_nonatomic(cons + + /* Guarantee the group members won't change during non-atomic action */ + down_read(&snd_pcm_link_rwsem); +- mutex_lock(&substream->runtime->buffer_mutex); ++ res = snd_pcm_buffer_access_lock(substream->runtime); ++ if (res < 0) ++ goto unlock; + if (snd_pcm_stream_linked(substream)) + res = snd_pcm_action_group(ops, substream, state, false); + else + res = snd_pcm_action_single(ops, substream, state); +- mutex_unlock(&substream->runtime->buffer_mutex); ++ snd_pcm_buffer_access_unlock(substream->runtime); ++ unlock: + up_read(&snd_pcm_link_rwsem); + return res; + } diff --git a/queue-5.16/cifs-do-not-skip-link-targets-when-an-i-o-fails.patch b/queue-5.16/cifs-do-not-skip-link-targets-when-an-i-o-fails.patch new file mode 100644 index 00000000000..51ddc3c09bf --- /dev/null +++ b/queue-5.16/cifs-do-not-skip-link-targets-when-an-i-o-fails.patch @@ -0,0 +1,63 @@ +From 5d7e282541fc91b831a5c4477c5d72881c623df9 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Fri, 4 Mar 2022 13:22:15 -0300 +Subject: cifs: do not skip link targets when an I/O fails + +From: Paulo Alcantara + +commit 5d7e282541fc91b831a5c4477c5d72881c623df9 upstream. + +When I/O fails in one of the currently connected DFS targets, retry it +from other targets as specified in MS-DFSC "3.1.5.2 I/O Operation to ++Target Fails with an Error Other Than STATUS_PATH_NOT_COVERED." + +Signed-off-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3401,6 +3401,9 @@ static int connect_dfs_target(struct mou + struct cifs_sb_info *cifs_sb = mnt_ctx->cifs_sb; + char *oldmnt = cifs_sb->ctx->mount_options; + ++ cifs_dbg(FYI, "%s: full_path=%s ref_path=%s target=%s\n", __func__, full_path, ref_path, ++ dfs_cache_get_tgt_name(tit)); ++ + rc = dfs_cache_get_tgt_referral(ref_path, tit, &ref); + if (rc) + goto out; +@@ -3499,13 +3502,18 @@ static int __follow_dfs_link(struct moun + if (rc) + goto out; + +- /* Try all dfs link targets */ ++ /* Try all dfs link targets. If an I/O fails from currently connected DFS target with an ++ * error other than STATUS_PATH_NOT_COVERED (-EREMOTE), then retry it from other targets as ++ * specified in MS-DFSC "3.1.5.2 I/O Operation to Target Fails with an Error Other Than ++ * STATUS_PATH_NOT_COVERED." ++ */ + for (rc = -ENOENT, tit = dfs_cache_get_tgt_iterator(&tl); + tit; tit = dfs_cache_get_next_tgt(&tl, tit)) { + rc = connect_dfs_target(mnt_ctx, full_path, mnt_ctx->leaf_fullpath + 1, tit); + if (!rc) { + rc = is_path_remote(mnt_ctx); +- break; ++ if (!rc || rc == -EREMOTE) ++ break; + } + } + +@@ -3579,7 +3587,7 @@ int cifs_mount(struct cifs_sb_info *cifs + goto error; + + rc = is_path_remote(&mnt_ctx); +- if (rc == -EREMOTE) ++ if (rc) + rc = follow_dfs_link(&mnt_ctx); + if (rc) + goto error; diff --git a/queue-5.16/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch b/queue-5.16/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch new file mode 100644 index 00000000000..86e95503938 --- /dev/null +++ b/queue-5.16/cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch @@ -0,0 +1,329 @@ +From d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 29 Mar 2022 16:20:06 -0300 +Subject: cifs: fix NULL ptr dereference in smb2_ioctl_query_info() + +From: Paulo Alcantara + +commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream. + +When calling smb2_ioctl_query_info() with invalid +smb_query_info::flags, a NULL ptr dereference is triggered when trying +to kfree() uninitialised rqst[n].rq_iov array. + +This also fixes leaked paths that are created in SMB2_open_init() +which required SMB2_open_free() to properly free them. + +Here is a small C reproducer that triggers it + + #include + #include + #include + #include + #include + #include + + #define die(s) perror(s), exit(1) + #define QUERY_INFO 0xc018cf07 + + int main(int argc, char *argv[]) + { + int fd; + + if (argc < 2) + exit(1); + fd = open(argv[1], O_RDONLY); + if (fd == -1) + die("open"); + if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) + die("ioctl"); + close(fd); + return 0; + } + + mount.cifs //srv/share /mnt -o ... + gcc repro.c && ./a.out /mnt/f0 + + [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4 + [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2 + [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs] + [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48 + [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256 + [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d + [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0 + [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003 + [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800 + [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8 + [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000 + [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0 + [ 1832.132801] Call Trace: + [ 1832.132962] + [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs] + [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs] + [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] + [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] + [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs] + [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs] + [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs] + [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0 + [ 1832.137096] ? __up_read+0x192/0x710 + [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0 + [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0 + [ 1832.137850] __x64_sys_ioctl+0x127/0x190 + [ 1832.138103] do_syscall_64+0x3b/0x90 + [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 1832.138702] RIP: 0033:0x7fcee9a253df + [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df + [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003 + [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e + [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48 + [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000 + [ 1832.142851] + [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs] + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 124 ++++++++++++++++++++++++++++-------------------------- + 1 file changed, 65 insertions(+), 59 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1631,6 +1631,7 @@ smb2_ioctl_query_info(const unsigned int + unsigned int size[2]; + void *data[2]; + int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR; ++ void (*free_req1_func)(struct smb_rqst *r); + + vars = kzalloc(sizeof(*vars), GFP_ATOMIC); + if (vars == NULL) +@@ -1640,17 +1641,18 @@ smb2_ioctl_query_info(const unsigned int + + resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER; + +- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) +- goto e_fault; +- ++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) { ++ rc = -EFAULT; ++ goto free_vars; ++ } + if (qi.output_buffer_length > 1024) { +- kfree(vars); +- return -EINVAL; ++ rc = -EINVAL; ++ goto free_vars; + } + + if (!ses || !server) { +- kfree(vars); +- return -EIO; ++ rc = -EIO; ++ goto free_vars; + } + + if (smb3_encryption_required(tcon)) +@@ -1659,8 +1661,8 @@ smb2_ioctl_query_info(const unsigned int + if (qi.output_buffer_length) { + buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); + if (IS_ERR(buffer)) { +- kfree(vars); +- return PTR_ERR(buffer); ++ rc = PTR_ERR(buffer); ++ goto free_vars; + } + } + +@@ -1699,48 +1701,45 @@ smb2_ioctl_query_info(const unsigned int + rc = SMB2_open_init(tcon, server, + &rqst[0], &oplock, &oparms, path); + if (rc) +- goto iqinf_exit; ++ goto free_output_buffer; + smb2_set_next_command(tcon, &rqst[0]); + + /* Query */ + if (qi.flags & PASSTHRU_FSCTL) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else { +- rqst[1].rq_iov = &vars->io_iov[0]; +- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; +- +- rc = SMB2_ioctl_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- qi.info_type, true, buffer, +- qi.output_buffer_length, +- CIFSMaxBufSize - +- MAX_SMB2_CREATE_RESPONSE_SIZE - +- MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ goto free_open_req; + } ++ rqst[1].rq_iov = &vars->io_iov[0]; ++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; ++ ++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ qi.info_type, true, buffer, qi.output_buffer_length, ++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE - ++ MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ free_req1_func = SMB2_ioctl_free; + } else if (qi.flags == PASSTHRU_SET_INFO) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else if (qi.output_buffer_length < 8) ++ goto free_open_req; ++ } ++ if (qi.output_buffer_length < 8) { + rc = -EINVAL; +- else { +- rqst[1].rq_iov = &vars->si_iov[0]; +- rqst[1].rq_nvec = 1; +- +- /* MS-FSCC 2.4.13 FileEndOfFileInformation */ +- size[0] = 8; +- data[0] = buffer; +- +- rc = SMB2_set_info_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- current->tgid, +- FILE_END_OF_FILE_INFORMATION, +- SMB2_O_INFO_FILE, 0, data, size); ++ goto free_open_req; + } ++ rqst[1].rq_iov = &vars->si_iov[0]; ++ rqst[1].rq_nvec = 1; ++ ++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */ ++ size[0] = 8; ++ data[0] = buffer; ++ ++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ current->tgid, FILE_END_OF_FILE_INFORMATION, ++ SMB2_O_INFO_FILE, 0, data, size); ++ free_req1_func = SMB2_set_info_free; + } else if (qi.flags == PASSTHRU_QUERY_INFO) { + rqst[1].rq_iov = &vars->qi_iov[0]; + rqst[1].rq_nvec = 1; +@@ -1751,6 +1750,7 @@ smb2_ioctl_query_info(const unsigned int + qi.info_type, qi.additional_information, + qi.input_buffer_length, + qi.output_buffer_length, buffer); ++ free_req1_func = SMB2_query_info_free; + } else { /* unknown flags */ + cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n", + qi.flags); +@@ -1758,7 +1758,7 @@ smb2_ioctl_query_info(const unsigned int + } + + if (rc) +- goto iqinf_exit; ++ goto free_open_req; + smb2_set_next_command(tcon, &rqst[1]); + smb2_set_related(&rqst[1]); + +@@ -1769,14 +1769,14 @@ smb2_ioctl_query_info(const unsigned int + rc = SMB2_close_init(tcon, server, + &rqst[2], COMPOUND_FID, COMPOUND_FID, false); + if (rc) +- goto iqinf_exit; ++ goto free_req_1; + smb2_set_related(&rqst[2]); + + rc = compound_send_recv(xid, ses, server, + flags, 3, rqst, + resp_buftype, rsp_iov); + if (rc) +- goto iqinf_exit; ++ goto out; + + /* No need to bump num_remote_opens since handle immediately closed */ + if (qi.flags & PASSTHRU_FSCTL) { +@@ -1786,18 +1786,22 @@ smb2_ioctl_query_info(const unsigned int + qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount); + if (qi.input_buffer_length > 0 && + le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length +- > rsp_iov[1].iov_len) +- goto e_fault; ++ > rsp_iov[1].iov_len) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info), + (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset), + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } else { + pqi = (struct smb_query_info __user *)arg; + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; +@@ -1805,28 +1809,30 @@ smb2_ioctl_query_info(const unsigned int + qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength); + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(pqi + 1, qi_rsp->Buffer, + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } + +- iqinf_exit: +- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base); ++out: + free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); + free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base); +- kfree(vars); ++ SMB2_close_free(&rqst[2]); ++free_req_1: ++ free_req1_func(&rqst[1]); ++free_open_req: ++ SMB2_open_free(&rqst[0]); ++free_output_buffer: + kfree(buffer); ++free_vars: ++ kfree(vars); + return rc; +- +-e_fault: +- rc = -EFAULT; +- goto iqinf_exit; + } + + static ssize_t diff --git a/queue-5.16/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch b/queue-5.16/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch new file mode 100644 index 00000000000..0dfcf9f1022 --- /dev/null +++ b/queue-5.16/cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch @@ -0,0 +1,175 @@ +From b92e358757b91c2827af112cae9af513f26a3f34 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 29 Mar 2022 16:20:05 -0300 +Subject: cifs: prevent bad output lengths in smb2_ioctl_query_info() + +From: Paulo Alcantara + +commit b92e358757b91c2827af112cae9af513f26a3f34 upstream. + +When calling smb2_ioctl_query_info() with +smb_query_info::flags=PASSTHRU_FSCTL and +smb_query_info::output_buffer_length=0, the following would return +0x10 + + buffer = memdup_user(arg + sizeof(struct smb_query_info), + qi.output_buffer_length); + if (IS_ERR(buffer)) { + kfree(vars); + return PTR_ERR(buffer); + } + +rather than a valid pointer thus making IS_ERR() check fail. This +would then cause a NULL ptr deference in @buffer when accessing it +later in smb2_ioctl_query_ioctl(). While at it, prevent having a +@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO +FileEndOfFileInformation requests when +smb_query_info::flags=PASSTHRU_SET_INFO. + +Here is a small C reproducer which triggers a NULL ptr in @buffer when +passing an invalid smb_query_info::flags + + #include + #include + #include + #include + #include + #include + + #define die(s) perror(s), exit(1) + #define QUERY_INFO 0xc018cf07 + + int main(int argc, char *argv[]) + { + int fd; + + if (argc < 2) + exit(1); + fd = open(argv[1], O_RDONLY); + if (fd == -1) + die("open"); + if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) + die("ioctl"); + close(fd); + return 0; + } + + mount.cifs //srv/share /mnt -o ... + gcc repro.c && ./a.out /mnt/f0 + + [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1 + [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 + [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 + [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 + [ 114.146131] Call Trace: + [ 114.146291] + [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs] + [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs] + [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] + [ 114.147775] ? dentry_path_raw+0xa6/0xf0 + [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] + [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs] + [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs] + [ 114.149371] ? lock_downgrade+0x6f0/0x6f0 + [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs] + [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0 + [ 114.150562] ? __up_read+0x192/0x710 + [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0 + [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0 + [ 114.151296] __x64_sys_ioctl+0x127/0x190 + [ 114.151549] do_syscall_64+0x3b/0x90 + [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 114.152079] RIP: 0033:0x7f7aead043df + [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + [ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df + [ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003 + [ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e + [ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128 + [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000 + [ 114.156071] + [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload + [ 114.156608] ---[ end trace 0000000000000000 ]--- + [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000 + [ 114.156071] + [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload + [ 114.156608] ---[ end trace 0000000000000000 ]--- + [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] + [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 + [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 + [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d + [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 + [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 + [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 + [ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 + [ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 + [ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 + [ 114.163691] Kernel panic - not syncing: Fatal exception + [ 114.164087] Kernel Offset: disabled + [ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1656,11 +1656,12 @@ smb2_ioctl_query_info(const unsigned int + if (smb3_encryption_required(tcon)) + flags |= CIFS_TRANSFORM_REQ; + +- buffer = memdup_user(arg + sizeof(struct smb_query_info), +- qi.output_buffer_length); +- if (IS_ERR(buffer)) { +- kfree(vars); +- return PTR_ERR(buffer); ++ if (qi.output_buffer_length) { ++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); ++ if (IS_ERR(buffer)) { ++ kfree(vars); ++ return PTR_ERR(buffer); ++ } + } + + /* Open */ +@@ -1723,10 +1724,13 @@ smb2_ioctl_query_info(const unsigned int + /* Can eventually relax perm check since server enforces too */ + if (!capable(CAP_SYS_ADMIN)) + rc = -EPERM; +- else { ++ else if (qi.output_buffer_length < 8) ++ rc = -EINVAL; ++ else { + rqst[1].rq_iov = &vars->si_iov[0]; + rqst[1].rq_nvec = 1; + ++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */ + size[0] = 8; + data[0] = buffer; + diff --git a/queue-5.16/io_uring-ensure-that-fsnotify-is-always-called.patch b/queue-5.16/io_uring-ensure-that-fsnotify-is-always-called.patch new file mode 100644 index 00000000000..137cb685a26 --- /dev/null +++ b/queue-5.16/io_uring-ensure-that-fsnotify-is-always-called.patch @@ -0,0 +1,47 @@ +From f63cf5192fe3418ad5ae1a4412eba5694b145f79 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 20 Mar 2022 13:08:38 -0600 +Subject: io_uring: ensure that fsnotify is always called + +From: Jens Axboe + +commit f63cf5192fe3418ad5ae1a4412eba5694b145f79 upstream. + +Ensure that we call fsnotify_modify() if we write a file, and that we +do fsnotify_access() if we read it. This enables anyone using inotify +on the file to get notified. + +Ditto for fallocate, ensure that fsnotify_modify() is called. + +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2720,8 +2720,12 @@ static bool io_rw_should_reissue(struct + + static bool __io_complete_rw_common(struct io_kiocb *req, long res) + { +- if (req->rw.kiocb.ki_flags & IOCB_WRITE) ++ if (req->rw.kiocb.ki_flags & IOCB_WRITE) { + kiocb_end_write(req); ++ fsnotify_modify(req->file); ++ } else { ++ fsnotify_access(req->file); ++ } + if (unlikely(res != req->result)) { + if ((res == -EAGAIN || res == -EOPNOTSUPP) && + io_rw_should_reissue(req)) { +@@ -4211,6 +4215,8 @@ static int io_fallocate(struct io_kiocb + req->sync.len); + if (ret < 0) + req_set_fail(req); ++ else ++ fsnotify_modify(req->file); + io_req_complete(req, ret); + return 0; + } diff --git a/queue-5.16/ocfs2-fix-crash-when-mount-with-quota-enabled.patch b/queue-5.16/ocfs2-fix-crash-when-mount-with-quota-enabled.patch new file mode 100644 index 00000000000..1f98c625363 --- /dev/null +++ b/queue-5.16/ocfs2-fix-crash-when-mount-with-quota-enabled.patch @@ -0,0 +1,109 @@ +From de19433423c7bedabbd4f9a25f7dbc62c5e78921 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Fri, 1 Apr 2022 11:28:15 -0700 +Subject: ocfs2: fix crash when mount with quota enabled + +From: Joseph Qi + +commit de19433423c7bedabbd4f9a25f7dbc62c5e78921 upstream. + +There is a reported crash when mounting ocfs2 with quota enabled. + + RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2] + Call Trace: + ocfs2_local_read_info+0xb9/0x6f0 [ocfs2] + dquot_load_quota_sb+0x216/0x470 + dquot_load_quota_inode+0x85/0x100 + ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2] + ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2] + mount_bdev+0x185/0x1b0 + legacy_get_tree+0x27/0x40 + vfs_get_tree+0x25/0xb0 + path_mount+0x465/0xac0 + __x64_sys_mount+0x103/0x140 + +It is caused by when initializing dqi_gqlock, the corresponding dqi_type +and dqi_sb are not properly initialized. + +This issue is introduced by commit 6c85c2c72819, which wants to avoid +accessing uninitialized variables in error cases. So make global quota +info properly initialized. + +Link: https://lkml.kernel.org/r/20220323023644.40084-1-joseph.qi@linux.alibaba.com +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007141 +Fixes: 6c85c2c72819 ("ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info()") +Signed-off-by: Joseph Qi +Reported-by: Dayvison +Tested-by: Valentin Vidic +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/quota_global.c | 23 ++++++++++++----------- + fs/ocfs2/quota_local.c | 2 -- + 2 files changed, 12 insertions(+), 13 deletions(-) + +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -337,7 +337,6 @@ void ocfs2_unlock_global_qf(struct ocfs2 + /* Read information header from global quota file */ + int ocfs2_global_read_info(struct super_block *sb, int type) + { +- struct inode *gqinode = NULL; + unsigned int ino[OCFS2_MAXQUOTAS] = { USER_QUOTA_SYSTEM_INODE, + GROUP_QUOTA_SYSTEM_INODE }; + struct ocfs2_global_disk_dqinfo dinfo; +@@ -346,29 +345,31 @@ int ocfs2_global_read_info(struct super_ + u64 pcount; + int status; + ++ oinfo->dqi_gi.dqi_sb = sb; ++ oinfo->dqi_gi.dqi_type = type; ++ ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); ++ oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk); ++ oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops; ++ oinfo->dqi_gqi_bh = NULL; ++ oinfo->dqi_gqi_count = 0; ++ + /* Read global header */ +- gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type], ++ oinfo->dqi_gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type], + OCFS2_INVALID_SLOT); +- if (!gqinode) { ++ if (!oinfo->dqi_gqinode) { + mlog(ML_ERROR, "failed to get global quota inode (type=%d)\n", + type); + status = -EINVAL; + goto out_err; + } +- oinfo->dqi_gi.dqi_sb = sb; +- oinfo->dqi_gi.dqi_type = type; +- oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk); +- oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops; +- oinfo->dqi_gqi_bh = NULL; +- oinfo->dqi_gqi_count = 0; +- oinfo->dqi_gqinode = gqinode; ++ + status = ocfs2_lock_global_qf(oinfo, 0); + if (status < 0) { + mlog_errno(status); + goto out_err; + } + +- status = ocfs2_extent_map_get_blocks(gqinode, 0, &oinfo->dqi_giblk, ++ status = ocfs2_extent_map_get_blocks(oinfo->dqi_gqinode, 0, &oinfo->dqi_giblk, + &pcount, NULL); + if (status < 0) + goto out_unlock; +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -702,8 +702,6 @@ static int ocfs2_local_read_info(struct + info->dqi_priv = oinfo; + oinfo->dqi_type = type; + INIT_LIST_HEAD(&oinfo->dqi_chunk); +- oinfo->dqi_gqinode = NULL; +- ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); + oinfo->dqi_rec = NULL; + oinfo->dqi_lqi_bh = NULL; + oinfo->dqi_libh = NULL; diff --git a/queue-5.16/revert-input-clear-btn_right-middle-on-buttonpads.patch b/queue-5.16/revert-input-clear-btn_right-middle-on-buttonpads.patch new file mode 100644 index 00000000000..2cc894a66ae --- /dev/null +++ b/queue-5.16/revert-input-clear-btn_right-middle-on-buttonpads.patch @@ -0,0 +1,62 @@ +From 8b188fba75195745026e11d408e4a7e94e01d701 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Thu, 31 Mar 2022 21:15:36 -0700 +Subject: Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream. + +This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40. + +The touchpad present in the Dell Precision 7550 and 7750 laptops +reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However, +the device is not a clickpad, it is a touchpad with physical buttons. + +In order to fix this issue, a quirk for the device was introduced in +libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property: + + [Precision 7x50 Touchpad] + MatchBus=i2c + MatchUdevType=touchpad + MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50* + AttrInputPropDisable=INPUT_PROP_BUTTONPAD + +However, because of the change introduced in 37ef4c19b4 ("Input: clear +BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped +anymore breaking the device right click button and making impossible to +workaround it in user space. + +In order to avoid breakage on other present or future devices, revert +the patch causing the issue. + +Signed-off-by: José Expósito +Reviewed-by: Hans de Goede +Acked-by: Peter Hutterer +Acked-by: Benjamin Tissoires +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/input.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -2285,12 +2285,6 @@ int input_register_device(struct input_d + /* KEY_RESERVED is not supposed to be transmitted to userspace. */ + __clear_bit(KEY_RESERVED, dev->keybit); + +- /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */ +- if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) { +- __clear_bit(BTN_RIGHT, dev->keybit); +- __clear_bit(BTN_MIDDLE, dev->keybit); +- } +- + /* Make sure that bitmasks not mentioned in dev->evbit are clean. */ + input_cleanse_bitmasks(dev); + diff --git a/queue-5.16/riscv-dts-canaan-fix-spi3-bus-width.patch b/queue-5.16/riscv-dts-canaan-fix-spi3-bus-width.patch new file mode 100644 index 00000000000..7bd29b4463f --- /dev/null +++ b/queue-5.16/riscv-dts-canaan-fix-spi3-bus-width.patch @@ -0,0 +1,85 @@ +From 6846d656106add3aeefcd6eda0dc885787deaa6e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Tue, 8 Mar 2022 14:28:05 +0100 +Subject: riscv: dts: canaan: Fix SPI3 bus width + +From: Niklas Cassel + +commit 6846d656106add3aeefcd6eda0dc885787deaa6e upstream. + +According to the K210 Standalone SDK Programming guide: +https://canaan-creative.com/wp-content/uploads/2020/03/kendryte_standalone_programming_guide_20190311144158_en.pdf + +Section 15.4.3.3: +SPI0 and SPI1 supports: standard, dual, quad and octal transfers. +SPI3 supports: standard, dual and quad transfers (octal is not supported). + +In order to support quad transfers (Quad SPI), SPI3 must have four IO wires +connected to the SPI flash. + +Update the device tree to specify the correct bus width. + +Tested on maix bit, maix dock and maixduino, which all have the same +SPI flash (gd25lq128d) connected to SPI3. maix go is untested, but it +would not make sense for this k210 board to be designed differently. + +Signed-off-by: Niklas Cassel +Reviewed-by: Damien Le Moal +Fixes: 8f5b0e79f3e5 ("riscv: Add SiPeed MAIXDUINO board device tree") +Fixes: 8194f08bda18 ("riscv: Add SiPeed MAIX GO board device tree") +Fixes: a40f920964c4 ("riscv: Add SiPeed MAIX DOCK board device tree") +Fixes: 97c279bcf813 ("riscv: Add SiPeed MAIX BiT board device tree") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts | 2 ++ + arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts | 2 ++ + arch/riscv/boot/dts/canaan/sipeed_maix_go.dts | 2 ++ + arch/riscv/boot/dts/canaan/sipeed_maixduino.dts | 2 ++ + 4 files changed, 8 insertions(+) + +--- a/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts ++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts +@@ -203,6 +203,8 @@ + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <50000000>; ++ spi-tx-bus-width = <4>; ++ spi-rx-bus-width = <4>; + m25p,fast-read; + broken-flash-reset; + }; +--- a/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts ++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts +@@ -205,6 +205,8 @@ + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <50000000>; ++ spi-tx-bus-width = <4>; ++ spi-rx-bus-width = <4>; + m25p,fast-read; + broken-flash-reset; + }; +--- a/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts ++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts +@@ -213,6 +213,8 @@ + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <50000000>; ++ spi-tx-bus-width = <4>; ++ spi-rx-bus-width = <4>; + m25p,fast-read; + broken-flash-reset; + }; +--- a/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts ++++ b/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts +@@ -178,6 +178,8 @@ + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <50000000>; ++ spi-tx-bus-width = <4>; ++ spi-rx-bus-width = <4>; + m25p,fast-read; + broken-flash-reset; + }; diff --git a/queue-5.16/riscv-fix-fill_callchain-return-value.patch b/queue-5.16/riscv-fix-fill_callchain-return-value.patch new file mode 100644 index 00000000000..3418cddc357 --- /dev/null +++ b/queue-5.16/riscv-fix-fill_callchain-return-value.patch @@ -0,0 +1,32 @@ +From 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f Mon Sep 17 00:00:00 2001 +From: Nikita Shubin +Date: Fri, 11 Mar 2022 09:58:15 +0300 +Subject: riscv: Fix fill_callchain return value + +From: Nikita Shubin + +commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream. + +perf_callchain_store return 0 on success, -1 otherwise, +fix fill_callchain to return correct bool value. + +Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support") +Signed-off-by: Nikita Shubin +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/perf_callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/perf_callchain.c ++++ b/arch/riscv/kernel/perf_callchain.c +@@ -73,7 +73,7 @@ void perf_callchain_user(struct perf_cal + + static bool fill_callchain(void *entry, unsigned long pc) + { +- return perf_callchain_store(entry, pc); ++ return perf_callchain_store(entry, pc) == 0; + } + + void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, diff --git a/queue-5.16/riscv-increase-stack-size-under-kasan.patch b/queue-5.16/riscv-increase-stack-size-under-kasan.patch new file mode 100644 index 00000000000..b5b7ae361e6 --- /dev/null +++ b/queue-5.16/riscv-increase-stack-size-under-kasan.patch @@ -0,0 +1,44 @@ +From b81d591386c3a50b96dddcf663628ea0df0bf2b3 Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Mon, 14 Mar 2022 10:06:52 +0100 +Subject: riscv: Increase stack size under KASAN + +From: Dmitry Vyukov + +commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream. + +KASAN requires more stack space because of compiler instrumentation. +Increase stack size as other arches do. + +Signed-off-by: Dmitry Vyukov +Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com +Fixes: 8ad8b72721d0 ("riscv: Add KASAN support") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/thread_info.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/thread_info.h ++++ b/arch/riscv/include/asm/thread_info.h +@@ -11,11 +11,17 @@ + #include + #include + ++#ifdef CONFIG_KASAN ++#define KASAN_STACK_ORDER 1 ++#else ++#define KASAN_STACK_ORDER 0 ++#endif ++ + /* thread information allocation */ + #ifdef CONFIG_64BIT +-#define THREAD_SIZE_ORDER (2) ++#define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER) + #else +-#define THREAD_SIZE_ORDER (1) ++#define THREAD_SIZE_ORDER (1 + KASAN_STACK_ORDER) + #endif + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + diff --git a/queue-5.16/rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch b/queue-5.16/rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch new file mode 100644 index 00000000000..5f9fb110e69 --- /dev/null +++ b/queue-5.16/rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch @@ -0,0 +1,46 @@ +From 811f5559270f25c34c338d6eaa2ece2544c3d3bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= +Date: Sun, 20 Feb 2022 10:04:03 +0100 +Subject: rtc: mc146818-lib: fix locking in mc146818_set_time +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +commit 811f5559270f25c34c338d6eaa2ece2544c3d3bd upstream. + +In mc146818_set_time(), CMOS_READ(RTC_CONTROL) was performed without the +rtc_lock taken, which is required for CMOS accesses. Fix this. + +Nothing in kernel modifies RTC_DM_BINARY, so a separate critical section +is allowed here. + +Fixes: dcf257e92622 ("rtc: mc146818: Reduce spinlock section in mc146818_set_time()") +Signed-off-by: Mateusz Jończyk +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220220090403.153928-1-mat.jonczyk@o2.pl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-mc146818-lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-mc146818-lib.c ++++ b/drivers/rtc/rtc-mc146818-lib.c +@@ -176,8 +176,10 @@ int mc146818_set_time(struct rtc_time *t + if (yrs >= 100) + yrs -= 100; + +- if (!(CMOS_READ(RTC_CONTROL) & RTC_DM_BINARY) +- || RTC_ALWAYS_BCD) { ++ spin_lock_irqsave(&rtc_lock, flags); ++ save_control = CMOS_READ(RTC_CONTROL); ++ spin_unlock_irqrestore(&rtc_lock, flags); ++ if (!(save_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) { + sec = bin2bcd(sec); + min = bin2bcd(min); + hrs = bin2bcd(hrs); diff --git a/queue-5.16/rtc-pl031-fix-rtc-features-null-pointer-dereference.patch b/queue-5.16/rtc-pl031-fix-rtc-features-null-pointer-dereference.patch new file mode 100644 index 00000000000..2f5c7fc84c1 --- /dev/null +++ b/queue-5.16/rtc-pl031-fix-rtc-features-null-pointer-dereference.patch @@ -0,0 +1,49 @@ +From ea6af39f3da50c86367a71eb3cc674ade3ed244c Mon Sep 17 00:00:00 2001 +From: Ali Pouladi +Date: Fri, 25 Feb 2022 08:19:24 -0800 +Subject: rtc: pl031: fix rtc features null pointer dereference + +From: Ali Pouladi + +commit ea6af39f3da50c86367a71eb3cc674ade3ed244c upstream. + +When there is no interrupt line, rtc alarm feature is disabled. + +The clearing of the alarm feature bit was being done prior to allocations +of ldata->rtc device, resulting in a null pointer dereference. + +Clear RTC_FEATURE_ALARM after the rtc device is allocated. + +Fixes: d9b0dd54a194 ("rtc: pl031: use RTC_FEATURE_ALARM") +Cc: stable@vger.kernel.org +Signed-off-by: Ali Pouladi +Signed-off-by: Elliot Berman +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220225161924.274141-1-quic_eberman@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-pl031.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/rtc/rtc-pl031.c ++++ b/drivers/rtc/rtc-pl031.c +@@ -350,9 +350,6 @@ static int pl031_probe(struct amba_devic + } + } + +- if (!adev->irq[0]) +- clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features); +- + device_init_wakeup(&adev->dev, true); + ldata->rtc = devm_rtc_allocate_device(&adev->dev); + if (IS_ERR(ldata->rtc)) { +@@ -360,6 +357,9 @@ static int pl031_probe(struct amba_devic + goto out; + } + ++ if (!adev->irq[0]) ++ clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features); ++ + ldata->rtc->ops = ops; + ldata->rtc->range_min = vendor->range_min; + ldata->rtc->range_max = vendor->range_max; diff --git a/queue-5.16/series b/queue-5.16/series index f03d8253818..f36841df27a 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -94,3 +94,18 @@ scsi-scsi_transport_fc-fix-fpin-link-integrity-statistics-counters.patch scsi-libsas-fix-sas_ata_qc_issue-handling-of-ncq-non-data-commands.patch qed-display-vf-trust-config.patch qed-validate-and-restrict-untrusted-vfs-vlan-promisc-mode.patch +riscv-dts-canaan-fix-spi3-bus-width.patch +riscv-fix-fill_callchain-return-value.patch +riscv-increase-stack-size-under-kasan.patch +revert-input-clear-btn_right-middle-on-buttonpads.patch +cifs-do-not-skip-link-targets-when-an-i-o-fails.patch +cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch +cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch +alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch +alsa-hda-avoid-unsol-event-during-rpm-suspending.patch +alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch +alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch +rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch +rtc-pl031-fix-rtc-features-null-pointer-dereference.patch +io_uring-ensure-that-fsnotify-is-always-called.patch +ocfs2-fix-crash-when-mount-with-quota-enabled.patch