From: Greg Kroah-Hartman
Date: Wed, 1 Sep 2021 09:51:06 +0000 (+0200)
Subject: 5.13-stable patches
X-Git-Tag: v4.4.283~23
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75b97f219ba0fb4c29146fc1debf7a42f8ab68b9;p=thirdparty%2Fkernel%2Fstable-queue.git
5.13-stable patches
added patches:
arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
revert-floppy-reintroduce-o_ndelay-fix.patch
---
diff --git a/queue-5.13/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch b/queue-5.13/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
new file mode 100644
index 00000000000..f30a18de301
--- /dev/null
+++ b/queue-5.13/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
@@ -0,0 +1,35 @@
+From f890f89d9a80fffbfa7ca791b78927e5b8aba869 Mon Sep 17 00:00:00 2001
+From: Petr Vorel
+Date: Thu, 15 Apr 2021 21:39:13 +0200
+Subject: arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
+
+From: Petr Vorel
+
+commit f890f89d9a80fffbfa7ca791b78927e5b8aba869 upstream.
+
+Reserve GPIO pins 85-88 as these aren't meant to be accessible from the
+application CPUs (causes reboot). Yet another fix similar to
+9134586715e3, 5f8d3ab136d0, which is needed to allow angler to boot after
+3edfb7bd76bd ("gpiolib: Show correct direction from the beginning").
+
+Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support")
+
+Signed-off-by: Petr Vorel
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20210415193913.1836153-1-petr.vorel@gmail.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
++++ b/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
+@@ -36,3 +36,7 @@
+ };
+ };
+ };
++
++&tlmm {
++ gpio-reserved-ranges = <85 4>;
++};
diff --git a/queue-5.13/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch b/queue-5.13/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
new file mode 100644
index 00000000000..27aec361cb8
--- /dev/null
+++ b/queue-5.13/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
@@ -0,0 +1,79 @@
+From e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Fri, 6 Aug 2021 18:24:15 +0800
+Subject: btrfs: fix NULL pointer dereference when deleting device by invalid id
+
+From: Qu Wenruo
+
+commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 upstream.
+
+[BUG]
+It's easy to trigger NULL pointer dereference, just by removing a
+non-existing device id:
+
+ # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
+ /dev/test/scratch2
+ # mount /dev/test/scratch1 /mnt/btrfs
+ # btrfs device remove 3 /mnt/btrfs
+
+Then we have the following kernel NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
+ btrfs_ioctl+0x18bb/0x3190 [btrfs]
+ ? lock_is_held_type+0xa5/0x120
+ ? find_held_lock.constprop.0+0x2b/0x80
+ ? do_user_addr_fault+0x201/0x6a0
+ ? lock_release+0xd2/0x2d0
+ ? __x64_sys_ioctl+0x83/0xb0
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+[CAUSE]
+Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
+btrfs_device directly") moves the "missing" device path check into
+btrfs_rm_device().
+
+But btrfs_rm_device() itself can have case where it only receives
+@devid, with NULL as @device_path.
+
+In that case, calling strcmp() on NULL will trigger the NULL pointer
+dereference.
+
+Before that commit, we handle the "missing" case inside
+btrfs_find_device_by_devspec(), which will not check @device_path at all
+if @devid is provided, thus no way to trigger the bug.
+
+[FIX]
+Before calling strcmp(), also make sure @device_path is not NULL.
+
+Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
+CC: stable@vger.kernel.org # 5.4+
+Reported-by: butt3rflyh4ck
+Reviewed-by: Anand Jain
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2137,7 +2137,7 @@ int btrfs_rm_device(struct btrfs_fs_info
+
+ if (IS_ERR(device)) {
+ if (PTR_ERR(device) == -ENOENT &&
+- strcmp(device_path, "missing") == 0)
++ device_path && strcmp(device_path, "missing") == 0)
+ ret = BTRFS_ERROR_DEV_MISSING_NOT_FOUND;
+ else
+ ret = PTR_ERR(device);
diff --git a/queue-5.13/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch b/queue-5.13/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
new file mode 100644
index 00000000000..c5407cb01d1
--- /dev/null
+++ b/queue-5.13/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
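Review bot: In the `btrfs_rm_device()` hunk of the queued btrfs patch, the added `device_path &&` guard leaves the nullable contract of `device_path` undocumented at the point of use, and the commit message shows that an earlier refactor missed exactly that contract. A one-line comment above the condition would record it, e.g. `/* device_path is NULL when the caller identifies the device by devid only */`. The trace in the commit message reaches this code through `btrfs_ioctl`, so it is worth confirming that any later use of `device_path` in the function is guarded the same way. The function body starts and ends outside the hunk.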
@@ -0,0 +1,40 @@
+From 7428022b50d0fbb4846dd0f00639ea09d36dff02 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang
+Date: Wed, 11 Aug 2021 17:50:43 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks again
+
+From: DENG Qingfang
+
+commit 7428022b50d0fbb4846dd0f00639ea09d36dff02 upstream.
+
+When a port leaves a VLAN-aware bridge, the current code does not clear
+other ports' matrix field bit. If the bridge is later set to VLAN-unaware
+mode, traffic in the bridge may leak to that port.
+
+Remove the VLAN filtering check in mt7530_port_bridge_leave.
+
+Fixes: 474a2ddaa192 ("net: dsa: mt7530: fix VLAN traffic leaks")
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang
+Reviewed-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mt7530.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1295,11 +1295,8 @@ mt7530_port_bridge_leave(struct dsa_swit
+ /* Remove this port from the port matrix of the other ports
+ * in the same bridge. If the port is disabled, port matrix
+ * is kept and not being setup until the port becomes enabled.
+- * And the other port's port matrix cannot be broken when the
+- * other port is still a VLAN-aware port.
+ */
+- if (dsa_is_user_port(ds, i) && i != port &&
+- !dsa_port_is_vlan_filtering(dsa_to_port(ds, i))) {
++ if (dsa_is_user_port(ds, i) && i != port) {
+ if (dsa_to_port(ds, i)->bridge_dev != bridge)
+ continue;
+ if (priv->ports[i].enable)
diff --git a/queue-5.13/revert-floppy-reintroduce-o_ndelay-fix.patch b/queue-5.13/revert-floppy-reintroduce-o_ndelay-fix.patch
new file mode 100644
index 00000000000..b8ca303550a
--- /dev/null
+++ b/queue-5.13/revert-floppy-reintroduce-o_ndelay-fix.patch
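Review bot: The trimmed comment above `if (dsa_is_user_port(ds, i) && i != port)` in the `mt7530_port_bridge_leave` hunk no longer says why ports that are still VLAN-aware are updated too, which is the isolation property this fix restores. Extending the comment with a line such as `* This is done regardless of VLAN filtering, so a later switch to VLAN-unaware mode cannot leak traffic to the departed port.` would keep a future cleanup from re-adding the removed `dsa_port_is_vlan_filtering()` test and reopening the leak the commit message describes. The enclosing loop and function start and end outside the hunk.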
@@ -0,0 +1,72 @@
+From c7e9d0020361f4308a70cdfd6d5335e273eb8717 Mon Sep 17 00:00:00 2001
+From: Denis Efremov
+Date: Sat, 7 Aug 2021 10:37:02 +0300
+Subject: Revert "floppy: reintroduce O_NDELAY fix"
+
+From: Denis Efremov
+
+commit c7e9d0020361f4308a70cdfd6d5335e273eb8717 upstream.
+
+The patch breaks userspace implementations (e.g. fdutils) and introduces
+regressions in behaviour. Previously, it was possible to O_NDELAY open a
+floppy device with no media inserted or with write protected media without
+an error. Some userspace tools use this particular behavior for probing.
+
+It's not the first time when we revert this patch. Previous revert is in
+commit f2791e7eadf4 (Revert "floppy: refactor open() flags handling").
+
+This reverts commit 8a0c014cd20516ade9654fc13b51345ec58e7be8.
+
+Link: https://lore.kernel.org/linux-block/de10cb47-34d1-5a88-7751-225ca380f735@compro.net/
+Reported-by: Mark Hounschell
+Cc: Jiri Kosina
+Cc: Wim Osterholt
+Cc: Kurt Garloff
+Cc:
+Signed-off-by: Denis Efremov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/floppy.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4029,23 +4029,23 @@ static int floppy_open(struct block_devi
+ if (fdc_state[FDC(drive)].rawcmd == 1)
+ fdc_state[FDC(drive)].rawcmd = 2;
+
+- if (mode & (FMODE_READ|FMODE_WRITE)) {
+- drive_state[drive].last_checked = 0;
+- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags);
+- if (bdev_check_media_change(bdev))
+- floppy_revalidate(bdev->bd_disk);
+- if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
+- goto out;
+- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++ if (!(mode & FMODE_NDELAY)) {
++ if (mode & (FMODE_READ|FMODE_WRITE)) {
++ drive_state[drive].last_checked = 0;
++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT,
++ &drive_state[drive].flags);
++ if (bdev_check_media_change(bdev))
++ floppy_revalidate(bdev->bd_disk);
++ if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
++ goto out;
++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++ goto out;
++ }
++ res = -EROFS;
++ if ((mode & FMODE_WRITE) &&
++ !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+ goto out;
+ }
+-
+- res = -EROFS;
+-
+- if ((mode & FMODE_WRITE) &&
+- !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+- goto out;
+-
+ mutex_unlock(&open_lock);
+ mutex_unlock(&floppy_mutex);
+ return 0;
diff --git a/queue-5.13/series b/queue-5.13/series
index c9879b4f41d..9925d092ecd 100644
--- a/queue-5.13/series
+++ b/queue-5.13/series
@@ -100,3 +100,7 @@ pipe-do-fasync-notifications-for-every-pipe-io-not-just-state-changes.patch
 tipc-call-tipc_wait_for_connect-only-when-dlen-is-not-0.patch
 vt_kdsetmode-extend-console-locking.patch
 bluetooth-btusb-check-conditions-before-enabling-usb-alt-3-for-wbs.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
+arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
+btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
+revert-floppy-reintroduce-o_ndelay-fix.patch
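Review bot: With the `if (!(mode & FMODE_NDELAY))` wrapper restored in the `floppy_open` hunk, an O_NDELAY open returns 0 without running the media-change, `FD_OPEN_SHOULD_FAIL_BIT` or `FD_DISK_WRITABLE_BIT` checks, and nothing in the code says this is deliberate. A comment on that line would record the ABI reason given in the commit message, e.g. `/* O_NDELAY opens skip media and write-protect checks; userspace (fdutils) probes drives this way */`. The page does not show what the reverted commit was guarding against, so it is worth confirming that the read, write and ioctl paths tolerate a drive whose state was never validated at open time. The function starts and ends outside the hunk.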