From 68c71c8eef083bf35356fc8a7c533fb78b4be26d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Jun 2022 11:42:39 +0200
Subject: [PATCH] 5.18-stable patches

added patches:
bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
---
 ...-use-after-free-in-fsl_mc_bus_remove.patch | 47 +++++++++++++++++
 ...x-argument-order-in-bio_alloc_bioset.patch | 52 +++++++++++++++++++
 ...ore-to-lsr_save_flags-after-lsr-read.patch | 46 ++++++++++++++++
 queue-5.18/series | 3 ++
 4 files changed, 148 insertions(+)
 create mode 100644 queue-5.18/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
 create mode 100644 queue-5.18/md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
 create mode 100644 queue-5.18/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
diff --git a/queue-5.18/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch b/queue-5.18/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
new file mode 100644
index 00000000000..0a033dacde7
--- /dev/null
+++ b/queue-5.18/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
@@ -0,0 +1,47 @@
+From 928ea98252ad75118950941683893cf904541da9 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki
+Date: Wed, 1 Jun 2022 19:51:59 +0900
+Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
+
+From: Shin'ichiro Kawasaki
+
+commit 928ea98252ad75118950941683893cf904541da9 upstream.
+
+In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to
+fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in
+fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io
+triggers KASAN use-after-free. To avoid the use-after-free, keep the
+reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to
+fsl_destroy_mc_io().
+
+This patch needs rework to apply to kernels older than v5.15.
+
+Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Shin'ichiro Kawasaki
+Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1236,14 +1236,14 @@ error_cleanup_mc_io:
+ static int fsl_mc_bus_remove(struct platform_device *pdev)
+ {
+ struct fsl_mc *mc = platform_get_drvdata(pdev);
++ struct fsl_mc_io *mc_io;
+
+ if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev))
+ return -EINVAL;
+
++ mc_io = mc->root_mc_bus_dev->mc_io;
+ fsl_mc_device_remove(mc->root_mc_bus_dev);
+-
+- fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io);
+- mc->root_mc_bus_dev->mc_io = NULL;
++ fsl_destroy_mc_io(mc_io);
+
+ bus_unregister_notifier(&fsl_mc_bus_type, &fsl_mc_nb);
+
diff --git a/queue-5.18/md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch b/queue-5.18/md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
new file mode 100644
index 00000000000..c4027af2945
--- /dev/null
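Review bot: After the `fsl_mc_device_remove(mc->root_mc_bus_dev);` line in the new fsl_mc_bus_remove() body, `mc->root_mc_bus_dev` is left pointing at freed memory for the rest of the function, whose body continues past the hunk; the removed `mc->root_mc_bus_dev->mc_io = NULL;` was itself a write into that freed object, and nothing now clears the pointer held in `mc`. Saving `mc_io` before the remove call is the right order, but a defensive `mc->root_mc_bus_dev = NULL;` immediately after the remove would turn any later dereference into a visible NULL fault instead of a silent read of freed memory, which is the same class of bug this patch fixes. I cannot see from the hunk whether any later statement or other path reads `mc->root_mc_bus_dev` after removal, so treat this as something to confirm rather than a certain defect.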
+++ b/queue-5.18/md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
@@ -0,0 +1,52 @@
+From f34fdcd4a0e7a0b92340ad7e48e7bcff9393fab5 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe
+Date: Wed, 8 Jun 2022 10:27:46 -0600
+Subject: md/raid5-ppl: Fix argument order in bio_alloc_bioset()
+
+From: Logan Gunthorpe
+
+commit f34fdcd4a0e7a0b92340ad7e48e7bcff9393fab5 upstream.
+
+bio_alloc_bioset() takes a block device, number of vectors, the
+OP flags, the GFP mask and the bio set. However when the prototype
+was changed, the callisite in ppl_do_flush() had the OP flags and
+the GFP flags reversed. This introduced some sparse error:
+
+ drivers/md/raid5-ppl.c:632:57: warning: incorrect type in argument 3
+ (different base types)
+ drivers/md/raid5-ppl.c:632:57: expected unsigned int opf
+ drivers/md/raid5-ppl.c:632:57: got restricted gfp_t [usertype]
+ drivers/md/raid5-ppl.c:633:61: warning: incorrect type in argument 4
+ (different base types)
+ drivers/md/raid5-ppl.c:633:61: expected restricted gfp_t [usertype]
+ gfp_mask
+ drivers/md/raid5-ppl.c:633:61: got unsigned long long
+
+The sparse error introduction may not have been reported correctly by
+0day due to other work that was cleaning up other sparse errors in this
+area.
+
+Fixes: 609be1066731 ("block: pass a block_device and opf to bio_alloc_bioset")
+Cc: stable@vger.kernel.org # 5.18+
+Signed-off-by: Logan Gunthorpe
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5-ppl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid5-ppl.c
++++ b/drivers/md/raid5-ppl.c
+@@ -629,9 +629,9 @@ static void ppl_do_flush(struct ppl_io_u
+ if (bdev) {
+ struct bio *bio;
+
+- bio = bio_alloc_bioset(bdev, 0, GFP_NOIO,
++ bio = bio_alloc_bioset(bdev, 0,
+ REQ_OP_WRITE | REQ_PREFLUSH,
+- &ppl_conf->flush_bs);
++ GFP_NOIO, &ppl_conf->flush_bs);
+ bio->bi_private = io;
+ bio->bi_end_io = ppl_flush_endio;
+
diff --git a/queue-5.18/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch b/queue-5.18/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
new file mode 100644
index 00000000000..7feab54cf39
--- /dev/null
+++ b/queue-5.18/serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
@@ -0,0 +1,46 @@
+From be03b0651ffd8bab69dfd574c6818b446c0753ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?=
+Date: Fri, 20 May 2022 13:35:41 +0300
+Subject: serial: 8250: Store to lsr_save_flags after lsr read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+commit be03b0651ffd8bab69dfd574c6818b446c0753ce upstream.
+
+Not all LSR register flags are preserved across reads. Therefore, LSR
+readers must store the non-preserved bits into lsr_save_flags.
+
+This fix was initially mixed into feature commit f6f586102add ("serial:
+8250: Handle UART without interrupt on TEMT using em485"). However,
+that feature change had a flaw and it was reverted to make room for
+simpler approach providing the same feature. The embedded fix got
+reverted with the feature change.
+
+Re-add the lsr_save_flags fix and properly mark it's a fix.
+
+Link: https://lore.kernel.org/all/1d6c31d-d194-9e6a-ddf9-5f29af829f3@linux.intel.com/T/#m1737eef986bd20cf19593e344cebd7b0244945fc
+Fixes: e490c9144cfa ("tty: Add software emulated RS485 support for 8250")
+Cc: stable
+Acked-by: Uwe Kleine-König
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/f4d774be-1437-a550-8334-19d8722ab98c@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_port.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1535,6 +1535,8 @@ static inline void __stop_tx(struct uart
+
+ if (em485) {
+ unsigned char lsr = serial_in(p, UART_LSR);
++ p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS;
++
+ /*
+ * To provide required timeing and allow FIFO transfer,
+ * __stop_tx_rs485() must be called only when both FIFO and
diff --git a/queue-5.18/series b/queue-5.18/series
index 38144b21e7f..46b4e15d483 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
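Review bot: The added `p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS;` in __stop_tx() carries no comment saying why it must follow the `serial_in(p, UART_LSR)` read, while the block comment directly below it documents only the `__stop_tx_rs485()` condition, so a later reader can take the line for a stray and drop it again, which the description says already happened once through a revert. Suggest a one-line comment above it, `/* Some LSR bits are cleared by the read; keep them for later LSR readers. */`, taken from the description's rationale. The description also states that this obligation applies to LSR readers in general; whether the other `serial_in(p, UART_LSR)` call sites in this file already do the same is outside the hunk and worth checking in the same series. __stop_tx() starts and ends outside the hunk.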
@@ -113,3 +113,6 @@ usb-gadget-lpc32xx_udc-fix-refcount-leak-in-lpc32xx_udc_probe.patch
 usb-gadget-f_fs-change-ep-status-safe-in-ffs_epfile_io.patch
 usb-gadget-f_fs-change-ep-ep-safe-in-ffs_epfile_io.patch
 tty-n_gsm-debug-output-allocation-must-use-gfp_atomic.patch
+serial-8250-store-to-lsr_save_flags-after-lsr-read.patch
+bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
+md-raid5-ppl-fix-argument-order-in-bio_alloc_bioset.patch
-- 
2.47.3