From f0985ab776c1786714855363d60deb6788ae5980 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Thu, 18 Jan 2024 11:41:46 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
 binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
 binder-fix-trivial-typo-of-binder_free_buf_locked.patch
 binder-fix-use-after-free-in-shinker-s-callback.patch
 binder-use-epollerr-from-eventpoll.h.patch
 coresight-etm4x-fix-width-of-ccitmin-field.patch
 leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
 parport-parport_serial-add-brainboxes-bar-details.patch
 parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
 pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
 revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
 uio-fix-use-after-free-in-uio_open.patch
---
 ...on-binder_alloc_new_buf-return-value.patch | 35 ++++++
 ...ivial-typo-of-binder_free_buf_locked.patch | 34 ++++++
 ...use-after-free-in-shinker-s-callback.patch | 102 ++++++++++++++++++
 ...binder-use-epollerr-from-eventpoll.h.patch | 38 +++++++
 ...ght-etm4x-fix-width-of-ccitmin-field.patch | 47 ++++++++
 ...located-ttyname-buffer-on-deactivate.patch | 44 ++++++++
 ...rt_serial-add-brainboxes-bar-details.patch | 44 ++++++++
 ...d-brainboxes-device-ids-and-geometry.patch | 95 ++++++++++++++++
 ...cs-quirk-for-more-zhaoxin-root-ports.patch | 50 +++++++++
 ...t-for-md_sb_change_pending-in-raid5d.patch | 67 ++++++++++++
 queue-5.15/series | 11 ++
 .../uio-fix-use-after-free-in-uio_open.patch | 74 +++++++++++++
 12 files changed, 641 insertions(+)
 create mode 100644 queue-5.15/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
 create mode 100644 queue-5.15/binder-fix-trivial-typo-of-binder_free_buf_locked.patch
 create mode 100644 queue-5.15/binder-fix-use-after-free-in-shinker-s-callback.patch
 create mode 100644 queue-5.15/binder-use-epollerr-from-eventpoll.h.patch
 create mode 100644 queue-5.15/coresight-etm4x-fix-width-of-ccitmin-field.patch
 create mode 100644 queue-5.15/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
 create mode 100644 queue-5.15/parport-parport_serial-add-brainboxes-bar-details.patch
 create mode 100644 queue-5.15/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
 create mode 100644 queue-5.15/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
 create mode 100644 queue-5.15/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
 create mode 100644 queue-5.15/uio-fix-use-after-free-in-uio_open.patch
diff --git a/queue-5.15/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch b/queue-5.15/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
new file mode 100644
index 00000000000..f2e4ebe16e3
--- /dev/null
+++ b/queue-5.15/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
@@ -0,0 +1,35 @@
+From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:36 +0000
+Subject: binder: fix comment on binder_alloc_new_buf() return value
+
+From: Carlos Llamas
+
+commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
+
+Update the comments of binder_alloc_new_buf() to reflect that the return
+value of the function is now ERR_PTR(-errno) on failure.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures")
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -557,7 +557,7 @@ err_alloc_buf_struct_failed:
+ * is the sum of the three given sizes (each rounded up to
+ * pointer-sized boundary)
+ *
+- * Return: The allocated buffer or %NULL if error
++ * Return: The allocated buffer or %ERR_PTR(-errno) if error
+ */
+ struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
+ size_t data_size,
diff --git a/queue-5.15/binder-fix-trivial-typo-of-binder_free_buf_locked.patch b/queue-5.15/binder-fix-trivial-typo-of-binder_free_buf_locked.patch
new file mode 100644
index 00000000000..9287304afd5
--- /dev/null
+++ b/queue-5.15/binder-fix-trivial-typo-of-binder_free_buf_locked.patch
@@ -0,0 +1,34 @@
+From 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:35 +0000
+Subject: binder: fix trivial typo of binder_free_buf_locked()
+
+From: Carlos Llamas
+
+commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream.
+
+Fix minor misspelling of the function in the comment section.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete")
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -706,7 +706,7 @@ void binder_alloc_free_buf(struct binder
+ /*
+ * We could eliminate the call to binder_alloc_clear_buf()
+ * from binder_alloc_deferred_release() by moving this to
+- * binder_alloc_free_buf_locked(). However, that could
++ * binder_free_buf_locked(). However, that could
+ * increase contention for the alloc mutex if clear_on_free
+ * is used frequently for large buffers. The mutex is not
+ * needed for correctness here.
diff --git a/queue-5.15/binder-fix-use-after-free-in-shinker-s-callback.patch b/queue-5.15/binder-fix-use-after-free-in-shinker-s-callback.patch
new file mode 100644
index 00000000000..aefa7ef9921
--- /dev/null
+++ b/queue-5.15/binder-fix-use-after-free-in-shinker-s-callback.patch
@@ -0,0 +1,102 @@
+From 3f489c2067c5824528212b0fc18b28d51332d906 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:31 +0000
+Subject: binder: fix use-after-free in shinker's callback
+
+From: Carlos Llamas
+
+commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream.
+
+The mmap read lock is used during the shrinker's callback, which means
+that using alloc->vma pointer isn't safe as it can race with munmap().
+As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
+munmap") the mmap lock is downgraded after the vma has been isolated.
+
+I was able to reproduce this issue by manually adding some delays and
+triggering page reclaiming through the shrinker's debug sysfs. The
+following KASAN report confirms the UAF:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
+ Read of size 8 at addr ffff356ed50e50f0 by task bash/478
+
+ CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ zap_page_range_single+0x470/0x4b8
+ binder_alloc_free_page+0x608/0xadc
+ __list_lru_walk_one+0x130/0x3b0
+ list_lru_walk_node+0xc4/0x22c
+ binder_shrink_scan+0x108/0x1dc
+ shrinker_debugfs_scan_write+0x2b4/0x500
+ full_proxy_write+0xd4/0x140
+ vfs_write+0x1ac/0x758
+ ksys_write+0xf0/0x1dc
+ __arm64_sys_write+0x6c/0x9c
+
+ Allocated by task 492:
+ kmem_cache_alloc+0x130/0x368
+ vm_area_alloc+0x2c/0x190
+ mmap_region+0x258/0x18bc
+ do_mmap+0x694/0xa60
+ vm_mmap_pgoff+0x170/0x29c
+ ksys_mmap_pgoff+0x290/0x3a0
+ __arm64_sys_mmap+0xcc/0x144
+
+ Freed by task 491:
+ kmem_cache_free+0x17c/0x3c8
+ vm_area_free_rcu_cb+0x74/0x98
+ rcu_core+0xa38/0x26d4
+ rcu_core_si+0x10/0x1c
+ __do_softirq+0x2fc/0xd24
+
+ Last potentially related work creation:
+ __call_rcu_common.constprop.0+0x6c/0xba0
+ call_rcu+0x10/0x1c
+ vm_area_free+0x18/0x24
+ remove_vma+0xe4/0x118
+ do_vmi_align_munmap.isra.0+0x718/0xb5c
+ do_vmi_munmap+0xdc/0x1fc
+ __vm_munmap+0x10c/0x278
+ __arm64_sys_munmap+0x58/0x7c
+
+Fix this issue by performing instead a vma_lookup() which will fail to
+find the vma that was isolated before the mmap lock downgrade. Note that
+this option has better performance than upgrading to a mmap write lock
+which would increase contention. Plus, mmap_write_trylock() has been
+recently removed anyway.
+
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Cc: stable@vger.kernel.org
+Cc: Liam Howlett
+Cc: Minchan Kim
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-3-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -1005,7 +1005,9 @@ enum lru_status binder_alloc_free_page(s
+ goto err_mmget;
+ if (!mmap_read_trylock(mm))
+ goto err_mmap_read_lock_failed;
+- vma = binder_alloc_get_vma(alloc);
++ vma = vma_lookup(mm, page_addr);
++ if (vma && vma != binder_alloc_get_vma(alloc))
++ goto err_invalid_vma;
+
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -1031,6 +1033,8 @@ enum lru_status binder_alloc_free_page(s
+ mutex_unlock(&alloc->mutex);
+ return LRU_REMOVED_RETRY;
+
++err_invalid_vma:
++ mmap_read_unlock(mm);
+ err_mmap_read_lock_failed:
+ mmput_async(mm);
+ err_mmget:
diff --git a/queue-5.15/binder-use-epollerr-from-eventpoll.h.patch b/queue-5.15/binder-use-epollerr-from-eventpoll.h.patch
new file mode 100644
index 00000000000..a4b0ac4f74a
--- /dev/null
+++ b/queue-5.15/binder-use-epollerr-from-eventpoll.h.patch
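Review bot: In binder_alloc_free_page(), the new test `if (vma && vma != binder_alloc_get_vma(alloc))` lets a NULL result from vma_lookup() continue to list_lru_isolate(), and nothing in the hunk records that this is intended. The code that later uses vma lies outside the hunk, so it is worth confirming that every use there is guarded by a NULL check. A short comment above the lookup would pin the invariant, for example `/* alloc->vma may be stale under the mmap read lock: look the vma up and use the cached pointer for comparison only */`. The new err_invalid_vma label does drop the mmap read lock before falling through to mmput_async(), which matches the lock taken by mmap_read_trylock().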
@@ -0,0 +1,38 @@
+From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:30 +0000
+Subject: binder: use EPOLLERR from eventpoll.h
+
+From: Carlos Llamas
+
+commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
+
+Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
+__poll_t type. This fixes the following sparse issue:
+
+ drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
+ drivers/android/binder.c:5030:24: expected restricted __poll_t
+ drivers/android/binder.c:5030:24: got int
+
+Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()")
+Cc: stable@vger.kernel.org
+Cc: Eric Biggers
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4836,7 +4836,7 @@ static __poll_t binder_poll(struct file
+
+ thread = binder_get_thread(proc);
+ if (!thread)
+- return POLLERR;
++ return EPOLLERR;
+
+ binder_inner_proc_lock(thread->proc);
+ thread->looper |= BINDER_LOOPER_STATE_POLL;
diff --git a/queue-5.15/coresight-etm4x-fix-width-of-ccitmin-field.patch b/queue-5.15/coresight-etm4x-fix-width-of-ccitmin-field.patch
new file mode 100644
index 00000000000..c2cb70e880d
--- /dev/null
+++ b/queue-5.15/coresight-etm4x-fix-width-of-ccitmin-field.patch
@@ -0,0 +1,47 @@
+From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001
+From: James Clark
+Date: Wed, 1 Nov 2023 11:52:06 +0000
+Subject: coresight: etm4x: Fix width of CCITMIN field
+
+From: James Clark
+
+commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream.
+
+CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16.
+This probably wasn't an issue previously because values higher than 255
+never occurred.
+
+But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN
+on errata affected cpus"), a comparison with 256 was done to enable the
+errata, generating the following W=1 build error:
+
+ coresight-etm4x-core.c:1188:24: error: result of comparison of
+ constant 256 with expression of type 'u8' (aka 'unsigned char') is
+ always false [-Werror,-Wtautological-constant-out-of-range-compare]
+
+ if (drvdata->ccitmin == 256)
+
+Cc: stable@vger.kernel.org
+Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver")
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/
+Reviewed-by: Mike Leach
+Signed-off-by: James Clark
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwtracing/coresight/coresight-etm4x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.h
++++ b/drivers/hwtracing/coresight/coresight-etm4x.h
+@@ -944,7 +944,7 @@ struct etmv4_drvdata {
+ u8 ctxid_size;
+ u8 vmid_size;
+ u8 ccsize;
+- u8 ccitmin;
++ u16 ccitmin;
+ u8 s_ex_level;
+ u8 ns_ex_level;
+ u8 q_support;
diff --git a/queue-5.15/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch b/queue-5.15/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
new file mode 100644
index 00000000000..fe92ed38025
--- /dev/null
+++ b/queue-5.15/leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
@@ -0,0 +1,44 @@
+From 25054b232681c286fca9c678854f56494d1352cc Mon Sep 17 00:00:00 2001
+From: Florian Eckert
+Date: Mon, 27 Nov 2023 09:16:21 +0100
+Subject: leds: ledtrig-tty: Free allocated ttyname buffer on deactivate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Eckert
+
+commit 25054b232681c286fca9c678854f56494d1352cc upstream.
+
+The ttyname buffer for the ledtrig_tty_data struct is allocated in the
+sysfs ttyname_store() function. This buffer must be released on trigger
+deactivation. This was missing and is thus a memory leak.
+
+While we are at it, the TTY handler in the ledtrig_tty_data struct should
+also be returned in case of the trigger deactivation call.
+
+Cc: stable@vger.kernel.org
+Fixes: fd4a641ac88f ("leds: trigger: implement a tty trigger")
+Signed-off-by: Florian Eckert
+Reviewed-by: Uwe Kleine-König
+Reviewed-by: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20231127081621.774866-1-fe@dev.tdt.de
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/trigger/ledtrig-tty.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/leds/trigger/ledtrig-tty.c
++++ b/drivers/leds/trigger/ledtrig-tty.c
+@@ -168,6 +168,10 @@ static void ledtrig_tty_deactivate(struc
+
+ cancel_delayed_work_sync(&trigger_data->dwork);
+
++ kfree(trigger_data->ttyname);
++ tty_kref_put(trigger_data->tty);
++ trigger_data->tty = NULL;
++
+ kfree(trigger_data);
+ }
+
diff --git a/queue-5.15/parport-parport_serial-add-brainboxes-bar-details.patch b/queue-5.15/parport-parport_serial-add-brainboxes-bar-details.patch
new file mode 100644
index 00000000000..147862cef05
--- /dev/null
+++ b/queue-5.15/parport-parport_serial-add-brainboxes-bar-details.patch
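Review bot: In ledtrig_tty_deactivate(), the added `trigger_data->tty = NULL;` is a dead store, because `kfree(trigger_data);` follows immediately; it can be dropped, or kept with a comment saying it is purely defensive. The two releases sit after `cancel_delayed_work_sync(&trigger_data->dwork);`, and that ordering is what keeps the delayed work (which presumably reads ttyname and tty) from touching freed memory, so a one-line comment such as `/* release only after the work is cancelled */` would protect it from later reshuffling. Whether a concurrent sysfs ttyname_store() can still run at this point cannot be judged from the hunk; the start of the function is outside it.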
@@ -0,0 +1,44 @@
+From 65fde134b0a4ffe838729f9ee11b459a2f6f2815 Mon Sep 17 00:00:00 2001
+From: Cameron Williams
+Date: Thu, 2 Nov 2023 21:07:05 +0000
+Subject: parport: parport_serial: Add Brainboxes BAR details
+
+From: Cameron Williams
+
+commit 65fde134b0a4ffe838729f9ee11b459a2f6f2815 upstream.
+
+Add BAR/enum entries for Brainboxes serial/parallel cards.
+
+Cc:
+Signed-off-by: Cameron Williams
+Acked-by: Sudip Mukherjee
+Link: https://lore.kernel.org/r/AS4PR02MB79035155C2D5C3333AE6FA52C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parport/parport_serial.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -65,6 +65,10 @@ enum parport_pc_pci_cards {
+ sunix_5069a,
+ sunix_5079a,
+ sunix_5099a,
++ brainboxes_uc257,
++ brainboxes_is300,
++ brainboxes_uc414,
++ brainboxes_px263,
+ };
+
+ /* each element directly indexed from enum list, above */
+@@ -158,6 +162,10 @@ static struct parport_pc_pci cards[] = {
+ /* sunix_5069a */ { 1, { { 1, 2 }, } },
+ /* sunix_5079a */ { 1, { { 1, 2 }, } },
+ /* sunix_5099a */ { 1, { { 1, 2 }, } },
++ /* brainboxes_uc257 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_is300 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_uc414 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_px263 */ { 1, { { 3, -1 }, } },
+ };
+
+ static struct pci_device_id parport_serial_pci_tbl[] = {
diff --git a/queue-5.15/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch b/queue-5.15/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
new file mode 100644
index 00000000000..beb476d3b5f
--- /dev/null
+++ b/queue-5.15/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
@@ -0,0 +1,95 @@
+From 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 Mon Sep 17 00:00:00 2001
+From: Cameron Williams
+Date: Thu, 2 Nov 2023 21:07:06 +0000
+Subject: parport: parport_serial: Add Brainboxes device IDs and geometry
+
+From: Cameron Williams
+
+commit 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 upstream.
+
+Add device IDs for the Brainboxes UC-203, UC-257, UC-414, UC-475,
+IS-300/IS-500 and PX-263/PX-295 and define the relevant "geometry"
+for the cards.
+This patch requires part 1 of this series.
+
+Cc:
+Signed-off-by: Cameron Williams
+Acked-by: Sudip Mukherjee
+Link: https://lore.kernel.org/r/AS4PR02MB7903A4094564BE28F1F926A6C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parport/parport_serial.c | 56 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -285,6 +285,38 @@ static struct pci_device_id parport_seri
+ { PCI_VENDOR_ID_SUNIX, PCI_DEVICE_ID_SUNIX_1999, PCI_VENDOR_ID_SUNIX,
+ 0x0104, 0, 0, sunix_5099a },
+
++ /* Brainboxes UC-203 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc1,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-257 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0861,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0862,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0863,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-414 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0e61,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc414 },
++
++ /* Brainboxes UC-475 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0981,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0982,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes IS-300/IS-500 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0da0,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_is300 },
++
++ /* Brainboxes PX-263/PX-295 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x402c,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_px263 },
++
+ { 0, } /* terminate list */
+ };
+ MODULE_DEVICE_TABLE(pci,parport_serial_pci_tbl);
+@@ -550,6 +582,30 @@ static struct pciserial_board pci_parpor
+ .base_baud = 921600,
+ .uart_offset = 0x8,
+ },
++ [brainboxes_uc257] = {
++ .flags = FL_BASE2,
++ .num_ports = 2,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_is300] = {
++ .flags = FL_BASE2,
++ .num_ports = 1,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_uc414] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_px263] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 921600,
++ .uart_offset = 8,
++ },
+ };
+
+ struct parport_serial_private {
diff --git a/queue-5.15/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch b/queue-5.15/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
new file mode 100644
index 00000000000..c94f4e549cb
--- /dev/null
+++ b/queue-5.15/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
@@ -0,0 +1,50 @@
+From e367e3c765f5477b2e79da0f1399aed49e2d1e37 Mon Sep 17 00:00:00 2001
+From: LeoLiuoc
+Date: Mon, 11 Dec 2023 17:15:43 +0800
+Subject: PCI: Add ACS quirk for more Zhaoxin Root Ports
+
+From: LeoLiuoc
+
+commit e367e3c765f5477b2e79da0f1399aed49e2d1e37 upstream.
+
+Add more Root Port Device IDs to pci_quirk_zhaoxin_pcie_ports_acs() for
+some new Zhaoxin platforms.
+
+Fixes: 299bd044a6f3 ("PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports")
+Link: https://lore.kernel.org/r/20231211091543.735903-1-LeoLiu-oc@zhaoxin.com
+Signed-off-by: LeoLiuoc
+[bhelgaas: update subject, drop changelog, add Fixes, add stable tag, fix
+whitespace, wrap code comment]
+Signed-off-by: Bjorn Helgaas
+Cc: # 5.7
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4577,17 +4577,21 @@ static int pci_quirk_xgene_acs(struct pc
+ * But the implementation could block peer-to-peer transactions between them
+ * and provide ACS-like functionality.
+ */
+-static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
++static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
+ {
+ if (!pci_is_pcie(dev) ||
+ ((pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) &&
+ (pci_pcie_type(dev) != PCI_EXP_TYPE_DOWNSTREAM)))
+ return -ENOTTY;
+
++ /*
++ * Future Zhaoxin Root Ports and Switch Downstream Ports will
++ * implement ACS capability in accordance with the PCIe Spec.
++ */
+ switch (dev->device) {
+ case 0x0710 ... 0x071e:
+ case 0x0721:
+- case 0x0723 ... 0x0732:
++ case 0x0723 ... 0x0752:
+ return pci_acs_ctrl_enabled(acs_flags,
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
diff --git a/queue-5.15/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch b/queue-5.15/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
new file mode 100644
index 00000000000..a1c9bf25cf7
--- /dev/null
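Review bot: In pci_quirk_zhaoxin_pcie_ports_acs(), widening the range to `case 0x0723 ... 0x0752:` makes the quirk report ACS-equivalent isolation for every device ID from 0x0733 through 0x0752, and the added comment does not say which of those IDs were verified. That answer is presumably used for IOMMU grouping decisions (the callers are not on this page), so an ID in the range that does not actually block peer-to-peer traffic would be treated as isolated. The commit text only says "some new Zhaoxin platforms"; I would extend the new comment with the covered parts, e.g. `* IDs 0x0733-0x0752: <platform names>, peer-to-peer blocked in hardware`. The removed and added `static int` lines look identical here and, per the maintainer's bracketed note, differ only in whitespace.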
+++ b/queue-5.15/revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
@@ -0,0 +1,67 @@
+From bed9e27baf52a09b7ba2a3714f1e24e17ced386d Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Wed, 8 Nov 2023 10:22:16 -0800
+Subject: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
+
+From: Junxiao Bi
+
+commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d upstream.
+
+This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.
+
+That commit introduced the following race and can cause system hung.
+
+ md_write_start: raid5d:
+ // mddev->in_sync == 1
+ set "MD_SB_CHANGE_PENDING"
+ // running before md_write_start wakeup it
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>>>>>>> hung
+ wakeup mddev->thread
+ ...
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>> hung, raid5d should clear this flag
+ but get hung by same flag.
+
+The issue reverted commit fixing is fixed by last patch in a new way.
+
+Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d")
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Junxiao Bi
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -36,7 +36,6 @@
+ */
+
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -6522,18 +6521,7 @@ static void raid5d(struct md_thread *thr
+ spin_unlock_irq(&conf->device_lock);
+ md_check_recovery(mddev);
+ spin_lock_irq(&conf->device_lock);
+-
+- /*
+- * Waiting on MD_SB_CHANGE_PENDING below may deadlock
+- * seeing md_check_recovery() is needed to clear
+- * the flag when using mdmon.
+- */
+- continue;
+ }
+-
+- wait_event_lock_irq(mddev->sb_wait,
+- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
+- conf->device_lock);
+ }
+ pr_debug("%d stripes handled\n", handled);
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 5495590b208..925f7d134f3 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -50,3 +50,14 @@ arm-sun9i-smp-fix-return-code-check-of-of_property_m.patch
 drm-crtc-fix-uninitialized-variable-use.patch
 acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch
 revert-asoc-atmel-remove-system-clock-tree-configuration-for-at91sam9g20ek.patch
+revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
+binder-use-epollerr-from-eventpoll.h.patch
+binder-fix-use-after-free-in-shinker-s-callback.patch
+binder-fix-trivial-typo-of-binder_free_buf_locked.patch
+binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
+uio-fix-use-after-free-in-uio_open.patch
+parport-parport_serial-add-brainboxes-bar-details.patch
+parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
+leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
+pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
+coresight-etm4x-fix-width-of-ccitmin-field.patch
diff --git a/queue-5.15/uio-fix-use-after-free-in-uio_open.patch b/queue-5.15/uio-fix-use-after-free-in-uio_open.patch
new file mode 100644
index 00000000000..18d493f7e56
--- /dev/null
+++ b/queue-5.15/uio-fix-use-after-free-in-uio_open.patch
@@ -0,0 +1,74 @@
+From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001
+From: Guanghui Feng
+Date: Thu, 21 Dec 2023 17:57:43 +0800
+Subject: uio: Fix use-after-free in uio_open
+
+From: Guanghui Feng
+
+commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
+
+core-1 core-2
+-------------------------------------------------------
+uio_unregister_device uio_open
+ idev = idr_find()
+device_unregister(&idev->dev)
+put_device(&idev->dev)
+uio_device_release
+ get_device(&idev->dev)
+kfree(idev)
+uio_free_minor(minor)
+ uio_release
+ put_device(&idev->dev)
+ kfree(idev)
+-------------------------------------------------------
+
+In the core-1 uio_unregister_device(), the device_unregister will kfree
+idev when the idev->dev kobject ref is 1. But after core-1
+device_unregister, put_device and before doing kfree, the core-2 may
+get_device. Then:
+1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
+2. When core-2 do uio_release and put_device, the idev will be double
+ freed.
+
+To address this issue, we can get idev atomic & inc idev reference with
+minor_lock.
+
+Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
+Cc: stable
+Signed-off-by: Guanghui Feng
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -464,13 +464,13 @@ static int uio_open(struct inode *inode,
+
+ mutex_lock(&minor_lock);
+ idev = idr_find(&uio_idr, iminor(inode));
+- mutex_unlock(&minor_lock);
+ if (!idev) {
+ ret = -ENODEV;
++ mutex_unlock(&minor_lock);
+ goto out;
+ }
+-
+ get_device(&idev->dev);
++ mutex_unlock(&minor_lock);
+
+ if (!try_module_get(idev->owner)) {
+ ret = -ENODEV;
+@@ -1062,9 +1062,8 @@ void uio_unregister_device(struct uio_in
+ wake_up_interruptible(&idev->wait);
+ kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
+
+- device_unregister(&idev->dev);
+-
+ uio_free_minor(minor);
++ device_unregister(&idev->dev);
+
+ return;
+ }
--
2.47.3
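Review bot: Neither changed site in drivers/uio/uio.c carries a comment stating the ordering this fix depends on: uio_open() must take its device reference while still holding minor_lock, and uio_unregister_device() must call uio_free_minor() before device_unregister(). Without that, a later cleanup that moves `mutex_unlock(&minor_lock);` back above `get_device(&idev->dev);` would quietly restore the use-after-free and double free described in the commit message. I would add `/* hold minor_lock across idr_find() and get_device() so unregister cannot free idev in between */` above the lookup and `/* remove the minor first so uio_open() can no longer find idev */` above the reordered call, assuming uio_free_minor() removes the idr entry under minor_lock, which is not shown here. The duplicated unlock could also be folded into one by writing `if (idev) get_device(&idev->dev);` followed by a single `mutex_unlock(&minor_lock);` ahead of the NULL test. Both functions extend beyond the hunks.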