--- /dev/null
+From aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 1 Apr 2020 21:10:58 -0700
+Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
+
+Using an empty (malformed) nodelist that is not caught during mount option
+parsing leads to a stack-out-of-bounds access.
+
+The option string that was used was: "mpol=prefer:,". However,
+MPOL_PREFERRED requires a single node number, which is not being provided
+here.
+
+Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
+nodeid.
+
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
+Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2768,7 +2768,9 @@ int mpol_parse_str(char *str, struct mem
+ switch (mode) {
+ case MPOL_PREFERRED:
+ /*
+- * Insist on a nodelist of one node only
++ * Insist on a nodelist of one node only, although later
++ * we use first_node(nodes) to grab a single node, so here
++ * nodelist (or nodes) cannot be empty.
+ */
+ if (nodelist) {
+ char *rest = nodelist;
+@@ -2776,6 +2778,8 @@ int mpol_parse_str(char *str, struct mem
+ rest++;
+ if (*rest)
+ goto out;
++ if (nodes_empty(nodes))
++ goto out;
+ }
+ break;
+ case MPOL_INTERLEAVE:
--- /dev/null
+From f6aa5beb45be27968a4df90176ca36dfc4363d37 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Mon, 3 Sep 2018 02:44:52 +0200
+Subject: serial: 8250: Fix clearing FIFOs in RS485 mode again
+
+From: Marek Vasut <marex@denx.de>
+
+commit f6aa5beb45be27968a4df90176ca36dfc4363d37 upstream.
+
+The 8250 FIFOs indeed need to be cleared after stopping transmission in
+RS485 mode without SER_RS485_RX_DURING_TX flag set. But there are two
+problems with the approach taken by the previous patch from Fixes tag.
+
+First, serial8250_clear_fifos() should clear fifos, but what it really
+does is it enables the FIFOs unconditionally if present, clears them
+and then sets the FCR register to zero, which effectively disables the
+FIFOs. In case the FIFO is disabled, enabling it and clearing it makes
+no sense and in fact can trigger misbehavior of the 8250 core. Moreover,
+the FCR register may contain other FIFO configuration bits which may not
+be writable unconditionally and writing them incorrectly can trigger
+misbehavior of the 8250 core too. (ie. AM335x UART swallows the first
+byte and retransmits the last byte twice because of this FCR write).
+
+Second, serial8250_clear_and_reinit_fifos() completely reloads the FCR,
+but what really has to happen at the end of the RS485 transmission is
+clearing of the FIFOs and nothing else.
+
+This patch repairs serial8250_clear_fifos() so that it really only
+clears the FIFOs by operating on FCR[2:1] bits and leaves all the
+other bits alone. It also undoes serial8250_clear_and_reinit_fifos()
+from __do_stop_tx_rs485() as serial8250_clear_fifos() is sufficient.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Fixes: 2bed8a8e7072 ("Clearing FIFOs in RS485 emulation mode causes subsequent transmits to break")
+Cc: Daniel Jedrychowski <avistel@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org> # let it bake a bit before merging
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_port.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -517,11 +517,30 @@ static unsigned int serial_icr_read(stru
+ */
+ static void serial8250_clear_fifos(struct uart_8250_port *p)
+ {
++ unsigned char fcr;
++ unsigned char clr_mask = UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT;
++
+ if (p->capabilities & UART_CAP_FIFO) {
+- serial_out(p, UART_FCR, UART_FCR_ENABLE_FIFO);
+- serial_out(p, UART_FCR, UART_FCR_ENABLE_FIFO |
+- UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT);
+- serial_out(p, UART_FCR, 0);
++ /*
++ * Make sure to avoid changing FCR[7:3] and ENABLE_FIFO bits.
++ * In case ENABLE_FIFO is not set, there is nothing to flush
++ * so just return. Furthermore, on certain implementations of
++ * the 8250 core, the FCR[7:3] bits may only be changed under
++ * specific conditions and changing them if those conditions
++ * are not met can have nasty side effects. One such core is
++ * the 8250-omap present in TI AM335x.
++ */
++ fcr = serial_in(p, UART_FCR);
++
++ /* FIFO is not enabled, there's nothing to clear. */
++ if (!(fcr & UART_FCR_ENABLE_FIFO))
++ return;
++
++ fcr |= clr_mask;
++ serial_out(p, UART_FCR, fcr);
++
++ fcr &= ~clr_mask;
++ serial_out(p, UART_FCR, fcr);
+ }
+ }
+
+@@ -1410,7 +1429,7 @@ static void __do_stop_tx_rs485(struct ua
+ * Enable previously disabled RX interrupts.
+ */
+ if (!(p->port.rs485.flags & SER_RS485_RX_DURING_TX)) {
+- serial8250_clear_and_reinit_fifos(p);
++ serial8250_clear_fifos(p);
+
+ p->ier |= UART_IER_RLSI | UART_IER_RDI;
+ serial_port_out(&p->port, UART_IER, p->ier);
projects / thirdparty / kernel / stable-queue.git / commitdiff
