From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 14:37:33 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.61~157 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ed01c02381022bf11e074888ea80b91e69c431e8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: fuse-ioctl-translate-enosys.patch fuse-limit-nsec.patch ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch mbcache-add-functions-to-delete-entry-if-unused.patch mbcache-don-t-reclaim-used-entries.patch md-raid-destroy-the-bitmap-after-destroying-the-thread.patch md-raid10-fix-kasan-warning.patch media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch serial-mvebu-uart-uart2-error-bits-clearing.patch --- diff --git a/queue-5.15/fuse-ioctl-translate-enosys.patch b/queue-5.15/fuse-ioctl-translate-enosys.patch new file mode 100644 index 00000000000..2783df115f4 --- /dev/null +++ b/queue-5.15/fuse-ioctl-translate-enosys.patch @@ -0,0 +1,84 @@ +From 02c0cab8e7345b06f1c0838df444e2902e4138d3 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 21 Jul 2022 16:06:18 +0200 +Subject: fuse: ioctl: translate ENOSYS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miklos Szeredi + +commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 upstream. + +Overlayfs may fail to complete updates when a filesystem lacks +fileattr/xattr syscall support and responds with an ENOSYS error code, +resulting in an unexpected "Function not implemented" error. + +This bug may occur with FUSE filesystems, such as davfs2. + +Steps to reproduce: + + # install davfs2, e.g., apk add davfs2 + mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt + yes '' | mount -t davfs -o ro http://some-web-dav-server/path \ + /test/lower + mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \ + -o workdir=/test/work overlay /test/mnt + + # when "some-file" exists in the lowerdir, this fails with "Function + # not implemented", with dmesg showing "overlayfs: failed to retrieve + # lower fileattr (/some-file, err=-38)" + touch /test/mnt/some-file + +The underlying cause of this regresion is actually in FUSE, which fails to +translate the ENOSYS error code returned by userspace filesystem (which +means that the ioctl operation is not supported) to ENOTTY. + +Reported-by: Christian Kohlschütter +Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags") +Fixes: 59efec7b9039 ("fuse: implement ioctl support") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,6 +9,17 @@ + #include + #include + ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++{ ++ ssize_t ret = fuse_simple_request(fm, args); ++ ++ /* Translate ENOSYS, which shouldn't be returned from fs */ ++ if (ret == -ENOSYS) ++ ret = -ENOTTY; ++ ++ return ret; ++} ++ + /* + * CUSE servers compiled on 32bit broke on 64bit kernels because the + * ABI was defined to be 'struct iovec' which is different on 32bit +@@ -259,7 +270,7 @@ long fuse_do_ioctl(struct file *file, un + ap.args.out_pages = true; + ap.args.out_argvar = true; + +- transferred = fuse_simple_request(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args); + err = transferred; + if (transferred < 0) + goto out; +@@ -393,7 +404,7 @@ static int fuse_priv_ioctl(struct inode + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_simple_request(fm, &args); ++ err = fuse_send_ioctl(fm, &args); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/queue-5.15/fuse-limit-nsec.patch b/queue-5.15/fuse-limit-nsec.patch new file mode 100644 index 00000000000..417448ada4e --- /dev/null +++ b/queue-5.15/fuse-limit-nsec.patch @@ -0,0 +1,34 @@ +From 47912eaa061a6a81e4aa790591a1874c650733c0 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 21 Jul 2022 16:06:18 +0200 +Subject: fuse: limit nsec + +From: Miklos Szeredi + +commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream. + +Limit nanoseconds to 0..999999999. + +Fixes: d8a5ba45457e ("[PATCH] FUSE - core") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -181,6 +181,12 @@ void fuse_change_attributes_common(struc + inode->i_uid = make_kuid(fc->user_ns, attr->uid); + inode->i_gid = make_kgid(fc->user_ns, attr->gid); + inode->i_blocks = attr->blocks; ++ ++ /* Sanitize nsecs */ ++ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1); ++ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1); ++ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1); ++ + inode->i_atime.tv_sec = attr->atime; + inode->i_atime.tv_nsec = attr->atimensec; + /* mtime from server may be stale due to local buffered write */ diff --git a/queue-5.15/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch b/queue-5.15/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch new file mode 100644 index 00000000000..ad35b8d9459 --- /dev/null +++ b/queue-5.15/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch @@ -0,0 +1,44 @@ +From e5a16a5c4602c119262f350274021f90465f479d Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Fri, 24 Jun 2022 14:13:05 +0200 +Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() + +From: Alexander Lobakin + +commit e5a16a5c4602c119262f350274021f90465f479d upstream. + +test_bit(), as any other bitmap op, takes `unsigned long *` as a +second argument (pointer to the actual bitmap), as any bitmap +itself is an array of unsigned longs. However, the ia64_get_irr() +code passes a ref to `u64` as a second argument. +This works with the ia64 bitops implementation due to that they +have `void *` as the second argument and then cast it later on. +This works with the bitmap API itself due to that `unsigned long` +has the same size on ia64 as `u64` (`unsigned long long`), but +from the compiler PoV those two are different. +Define @irr as `unsigned long` to fix that. That implies no +functional changes. Has been hidden for 16 years! + +Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") +Cc: stable@vger.kernel.org # 2.6.16+ +Reported-by: kernel test robot +Signed-off-by: Alexander Lobakin +Reviewed-by: Andy Shevchenko +Reviewed-by: Yury Norov +Signed-off-by: Yury Norov +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/ia64/include/asm/processor.h ++++ b/arch/ia64/include/asm/processor.h +@@ -542,7 +542,7 @@ ia64_get_irr(unsigned int vector) + { + unsigned int reg = vector / 64; + unsigned int bit = vector % 64; +- u64 irr; ++ unsigned long irr; + + switch (reg) { + case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break; diff --git a/queue-5.15/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch b/queue-5.15/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch new file mode 100644 index 00000000000..f618b4743aa --- /dev/null +++ b/queue-5.15/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch @@ -0,0 +1,42 @@ +From aa7253c2393f6dcd6a1468b0792f6da76edad917 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 28 Jul 2022 21:56:19 +0900 +Subject: ksmbd: fix memory leak in smb2_handle_negotiate + +From: Namjae Jeon + +commit aa7253c2393f6dcd6a1468b0792f6da76edad917 upstream. + +The allocated memory didn't free under an error +path in smb2_handle_negotiate(). + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815 +Signed-off-by: Namjae Jeon +Reviewed-by: Hyunchul Lee +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1146,12 +1146,16 @@ int smb2_handle_negotiate(struct ksmbd_w + status); + rsp->hdr.Status = status; + rc = -EINVAL; ++ kfree(conn->preauth_info); ++ conn->preauth_info = NULL; + goto err_out; + } + + rc = init_smb3_11_server(conn); + if (rc < 0) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; ++ kfree(conn->preauth_info); ++ conn->preauth_info = NULL; + goto err_out; + } + diff --git a/queue-5.15/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch b/queue-5.15/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch new file mode 100644 index 00000000000..8a50ddc66cd --- /dev/null +++ b/queue-5.15/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch @@ -0,0 +1,59 @@ +From cf6531d98190fa2cf92a6d8bbc8af0a4740a223c Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 28 Jul 2022 21:57:08 +0900 +Subject: ksmbd: fix use-after-free bug in smb2_tree_disconect + +From: Namjae Jeon + +commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c upstream. + +smb2_tree_disconnect() freed the struct ksmbd_tree_connect, +but it left the dangling pointer. It can be accessed +again under compound requests. + +This bug can lead an oops looking something link: + +[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807 +... +[ 1685.468130 ] Call Trace: +[ 1685.468132 ] +[ 1685.468135 ] dump_stack_lvl+0x49/0x5f +[ 1685.468141 ] print_report.cold+0x5e/0x5cf +[ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468157 ] kasan_report+0xaa/0x120 +[ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20 +[ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd] +[ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 1685.468247 ] process_one_work+0x778/0x11c0 +[ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 1685.468289 ] worker_thread+0x544/0x1180 +[ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4 +[ 1685.468297 ] kthread+0x282/0x320 +[ 1685.468301 ] ? process_one_work+0x11c0/0x11c0 +[ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30 +[ 1685.468309 ] ret_from_fork+0x1f/0x30 + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816 +Signed-off-by: Namjae Jeon +Reviewed-by: Hyunchul Lee +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2044,6 +2044,7 @@ int smb2_tree_disconnect(struct ksmbd_wo + + ksmbd_close_tree_conn_fds(work); + ksmbd_tree_conn_disconnect(sess, tcon); ++ work->tcon = NULL; + return 0; + } + diff --git a/queue-5.15/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch b/queue-5.15/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch new file mode 100644 index 00000000000..b3e8b2c7df4 --- /dev/null +++ b/queue-5.15/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch @@ -0,0 +1,69 @@ +From 824d4f64c20093275f72fc8101394d75ff6a249e Mon Sep 17 00:00:00 2001 +From: Hyunchul Lee +Date: Thu, 28 Jul 2022 21:58:53 +0900 +Subject: ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT + +From: Hyunchul Lee + +commit 824d4f64c20093275f72fc8101394d75ff6a249e upstream. + +if Status is not 0 and PathLength is long, +smb_strndup_from_utf16 could make out of bound +read in smb2_tree_connnect. + +This bug can lead an oops looking something like: + +[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805 +... +[ 1553.882095] Call Trace: +[ 1553.882098] +[ 1553.882101] dump_stack_lvl+0x49/0x5f +[ 1553.882107] print_report.cold+0x5e/0x5cf +[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882122] kasan_report+0xaa/0x120 +[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20 +[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd] +[ 1553.882166] ? __kmalloc_node+0x185/0x430 +[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd] +[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 1553.882197] process_one_work+0x778/0x11c0 +[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 1553.882206] worker_thread+0x544/0x1180 +[ 1553.882209] ? __cpuidle_text_end+0x4/0x4 +[ 1553.882214] kthread+0x282/0x320 +[ 1553.882218] ? process_one_work+0x11c0/0x11c0 +[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30 +[ 1553.882225] ret_from_fork+0x1f/0x30 +[ 1553.882231] + +There is no need to check error request validation in server. +This check allow invalid requests not to validate message. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818 +Signed-off-by: Hyunchul Lee +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -91,11 +91,6 @@ static int smb2_get_data_area_len(unsign + *off = 0; + *len = 0; + +- /* error reqeusts do not have data area */ +- if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED && +- (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE) +- return ret; +- + /* + * Following commands have data areas so we have to get the location + * of the data buffer offset and data buffer length for the particular diff --git a/queue-5.15/mbcache-add-functions-to-delete-entry-if-unused.patch b/queue-5.15/mbcache-add-functions-to-delete-entry-if-unused.patch new file mode 100644 index 00000000000..6ba6d9afbb8 --- /dev/null +++ b/queue-5.15/mbcache-add-functions-to-delete-entry-if-unused.patch @@ -0,0 +1,148 @@ +From 3dc96bba65f53daa217f0a8f43edad145286a8f5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:21 +0200 +Subject: mbcache: add functions to delete entry if unused + +From: Jan Kara + +commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream. + +Add function mb_cache_entry_delete_or_get() to delete mbcache entry if +it is unused and also add a function to wait for entry to become unused +- mb_cache_entry_wait_unused(). We do not share code between the two +deleting function as one of them will go away soon. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++-- + include/linux/mbcache.h | 10 ++++++- + 2 files changed, 73 insertions(+), 3 deletions(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -11,7 +11,7 @@ + /* + * Mbcache is a simple key-value store. Keys need not be unique, however + * key-value pairs are expected to be unique (we use this fact in +- * mb_cache_entry_delete()). ++ * mb_cache_entry_delete_or_get()). + * + * Ext2 and ext4 use this cache for deduplication of extended attribute blocks. + * Ext4 also uses it for deduplication of xattr values stored in inodes. +@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cac + } + EXPORT_SYMBOL(__mb_cache_entry_free); + ++/* ++ * mb_cache_entry_wait_unused - wait to be the last user of the entry ++ * ++ * @entry - entry to work on ++ * ++ * Wait to be the last user of the entry. ++ */ ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry) ++{ ++ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3); ++} ++EXPORT_SYMBOL(mb_cache_entry_wait_unused); ++ + static struct mb_cache_entry *__entry_find(struct mb_cache *cache, + struct mb_cache_entry *entry, + u32 key) +@@ -217,7 +230,7 @@ out: + } + EXPORT_SYMBOL(mb_cache_entry_get); + +-/* mb_cache_entry_delete - remove a cache entry ++/* mb_cache_entry_delete - try to remove a cache entry + * @cache - cache we work with + * @key - key + * @value - value +@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cac + } + EXPORT_SYMBOL(mb_cache_entry_delete); + ++/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users ++ * @cache - cache we work with ++ * @key - key ++ * @value - value ++ * ++ * Remove entry from cache @cache with key @key and value @value. The removal ++ * happens only if the entry is unused. The function returns NULL in case the ++ * entry was successfully removed or there's no entry in cache. Otherwise the ++ * function grabs reference of the entry that we failed to delete because it ++ * still has users and return it. ++ */ ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value) ++{ ++ struct hlist_bl_node *node; ++ struct hlist_bl_head *head; ++ struct mb_cache_entry *entry; ++ ++ head = mb_cache_entry_head(cache, key); ++ hlist_bl_lock(head); ++ hlist_bl_for_each_entry(entry, node, head, e_hash_list) { ++ if (entry->e_key == key && entry->e_value == value) { ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ atomic_inc(&entry->e_refcnt); ++ hlist_bl_unlock(head); ++ return entry; ++ } ++ /* We keep hash list reference to keep entry alive */ ++ hlist_bl_del_init(&entry->e_hash_list); ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ if (!list_empty(&entry->e_list)) { ++ list_del_init(&entry->e_list); ++ if (!WARN_ONCE(cache->c_entry_count == 0, ++ "mbcache: attempt to decrement c_entry_count past zero")) ++ cache->c_entry_count--; ++ atomic_dec(&entry->e_refcnt); ++ } ++ spin_unlock(&cache->c_list_lock); ++ mb_cache_entry_put(cache, entry); ++ return NULL; ++ } ++ } ++ hlist_bl_unlock(head); ++ ++ return NULL; ++} ++EXPORT_SYMBOL(mb_cache_entry_delete_or_get); ++ + /* mb_cache_entry_touch - cache entry got used + * @cache - cache the entry belongs to + * @entry - entry that got used +--- a/include/linux/mbcache.h ++++ b/include/linux/mbcache.h +@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *c + int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, + u64 value, bool reusable); + void __mb_cache_entry_free(struct mb_cache_entry *entry); ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry); + static inline int mb_cache_entry_put(struct mb_cache *cache, + struct mb_cache_entry *entry) + { +- if (!atomic_dec_and_test(&entry->e_refcnt)) ++ unsigned int cnt = atomic_dec_return(&entry->e_refcnt); ++ ++ if (cnt > 0) { ++ if (cnt <= 3) ++ wake_up_var(&entry->e_refcnt); + return 0; ++ } + __mb_cache_entry_free(entry); + return 1; + } + ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value); + void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value); + struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, + u64 value); diff --git a/queue-5.15/mbcache-don-t-reclaim-used-entries.patch b/queue-5.15/mbcache-don-t-reclaim-used-entries.patch new file mode 100644 index 00000000000..38b35d75c32 --- /dev/null +++ b/queue-5.15/mbcache-don-t-reclaim-used-entries.patch @@ -0,0 +1,50 @@ +From 58318914186c157477b978b1739dfe2f1b9dc0fe Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:20 +0200 +Subject: mbcache: don't reclaim used entries + +From: Jan Kara + +commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream. + +Do not reclaim entries that are currently used by somebody from a +shrinker. Firstly, these entries are likely useful. Secondly, we will +need to keep such entries to protect pending increment of xattr block +refcount. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(str + while (nr_to_scan-- && !list_empty(&cache->c_list)) { + entry = list_first_entry(&cache->c_list, + struct mb_cache_entry, e_list); +- if (entry->e_referenced) { ++ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) { + entry->e_referenced = 0; + list_move_tail(&entry->e_list, &cache->c_list); + continue; +@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(str + spin_unlock(&cache->c_list_lock); + head = mb_cache_entry_head(cache, entry->e_key); + hlist_bl_lock(head); ++ /* Now a reliable check if the entry didn't get used... */ ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ list_add_tail(&entry->e_list, &cache->c_list); ++ cache->c_entry_count++; ++ continue; ++ } + if (!hlist_bl_unhashed(&entry->e_hash_list)) { + hlist_bl_del_init(&entry->e_hash_list); + atomic_dec(&entry->e_refcnt); diff --git a/queue-5.15/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch b/queue-5.15/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch new file mode 100644 index 00000000000..f815cc4bd72 --- /dev/null +++ b/queue-5.15/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch @@ -0,0 +1,129 @@ +From e151db8ecfb019b7da31d076130a794574c89f6f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:26:12 -0400 +Subject: md-raid: destroy the bitmap after destroying the thread + +From: Mikulas Patocka + +commit e151db8ecfb019b7da31d076130a794574c89f6f upstream. + +When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with +kasan, we got failure in write_page. + +The reason for the failure is that md_bitmap_destroy is called before +destroying the thread and the thread may be waiting in the function +write_page for the bio to complete. When the thread finishes waiting, it +executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which +triggers the kasan warning. + +Note that the commit 48df498daf62 that caused this bug claims that it is +neede for md-cluster, you should check md-cluster and possibly find +another bugfix for it. + +BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] +Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 + +CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? write_page+0x18d/0x680 [md_mod] + kasan_report+0xa8/0xe0 + ? write_page+0x18d/0x680 [md_mod] + kasan_check_range+0x13f/0x180 + write_page+0x18d/0x680 [md_mod] + ? super_sync+0x4d5/0x560 [dm_raid] + ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] + ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] + ? mutex_trylock+0x120/0x120 + ? preempt_count_add+0x6b/0xc0 + ? preempt_count_sub+0xf/0xc0 + md_update_sb+0x707/0xe40 [md_mod] + md_reap_sync_thread+0x1b2/0x4a0 [md_mod] + md_check_recovery+0x533/0x960 [md_mod] + raid1d+0xc8/0x2a20 [raid1] + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid1_end_read_request+0x2a0/0x2a0 [raid1] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 5522: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + md_bitmap_create+0xa8/0xe80 [md_mod] + md_run+0x777/0x1300 [md_mod] + raid_ctr+0x249c/0x4a30 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Freed by task 5680: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x40 + kasan_set_free_info+0x20/0x40 + __kasan_slab_free+0xf7/0x140 + kfree+0x80/0x240 + md_bitmap_free+0x1c3/0x280 [md_mod] + __md_stop+0x21/0x120 [md_mod] + md_stop+0x9/0x40 [md_mod] + raid_dtr+0x1b/0x40 [dm_raid] + dm_table_destroy+0x98/0x1e0 [dm_mod] + __dm_destroy+0x199/0x360 [dm_mod] + dev_remove+0x10c/0x160 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6251,11 +6251,11 @@ static void mddev_detach(struct mddev *m + static void __md_stop(struct mddev *mddev) + { + struct md_personality *pers = mddev->pers; +- md_bitmap_destroy(mddev); + mddev_detach(mddev); + /* Ensure ->event_work is done */ + if (mddev->event_work.func) + flush_workqueue(md_misc_wq); ++ md_bitmap_destroy(mddev); + spin_lock(&mddev->lock); + mddev->pers = NULL; + spin_unlock(&mddev->lock); diff --git a/queue-5.15/md-raid10-fix-kasan-warning.patch b/queue-5.15/md-raid10-fix-kasan-warning.patch new file mode 100644 index 00000000000..0167ec90f2a --- /dev/null +++ b/queue-5.15/md-raid10-fix-kasan-warning.patch @@ -0,0 +1,148 @@ +From d17f744e883b2f8d13cca252d71cfe8ace346f7d Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 26 Jul 2022 04:33:12 -0400 +Subject: md-raid10: fix KASAN warning + +From: Mikulas Patocka + +commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream. + +There's a KASAN warning in raid10_remove_disk when running the lvm +test lvconvert-raid-reshape.sh. We fix this warning by verifying that the +value "number" is valid. + +BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] +Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 + +CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + kasan_report+0xa8/0xe0 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + raid10_remove_disk+0x61/0x2a0 [raid10] +Buffer I/O error on dev dm-76, logical block 15344, async page read + ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 + remove_and_add_spares+0x367/0x8a0 [md_mod] + ? super_written+0x1c0/0x1c0 [md_mod] + ? mutex_trylock+0xac/0x120 + ? _raw_spin_lock+0x72/0xc0 + ? _raw_spin_lock_bh+0xc0/0xc0 + md_check_recovery+0x848/0x960 [md_mod] + raid10d+0xcf/0x3360 [raid10] + ? sched_clock_cpu+0x185/0x1a0 + ? rb_erase+0x4d4/0x620 + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid10_sync_request+0x36c0/0x36c0 [raid10] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? _raw_spin_unlock_irq+0x11/0x24 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 124495: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + setup_conf+0x140/0x5c0 [raid10] + raid10_run+0x4cd/0x740 [raid10] + md_run+0x6f9/0x1300 [md_mod] + raid_ctr+0x2531/0x4ac0 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 +L __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Second to last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 + __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The buggy address belongs to the object at ffff889108f3d200 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 0 bytes to the right of + 256-byte region [ffff889108f3d200, ffff889108f3d300) + +The buggy address belongs to the physical page: +page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c +head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=2) +raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 +raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2139,9 +2139,12 @@ static int raid10_remove_disk(struct mdd + int err = 0; + int number = rdev->raid_disk; + struct md_rdev **rdevp; +- struct raid10_info *p = conf->mirrors + number; ++ struct raid10_info *p; + + print_conf(conf); ++ if (unlikely(number >= mddev->raid_disks)) ++ return 0; ++ p = conf->mirrors + number; + if (rdev == p->rdev) + rdevp = &p->rdev; + else if (rdev == p->replacement) diff --git a/queue-5.15/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch b/queue-5.15/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch new file mode 100644 index 00000000000..ef88dd3d3f8 --- /dev/null +++ b/queue-5.15/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch @@ -0,0 +1,142 @@ +From 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Thu, 14 Apr 2022 05:14:15 +0100 +Subject: media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator + +From: Xiaomeng Tong + +commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 upstream. + +The three bugs are here: + __func__, s3a_buf->s3a_data->exp_id); + __func__, md_buf->metadata->exp_id); + __func__, dis_buf->dis_data->exp_id); + +The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus +position containing HEAD if the list is empty or no element is found. +This case must be checked before any use of the iterator, otherwise +it will lead to a invalid memory access. + +To fix this bug, add an check. Use a new variable '*_iter' as the +list iterator, while use the old variable '*_buf' as a dedicated +pointer to point to the found element. + +Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com +Cc: stable@vger.kernel.org +Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/atomisp/pci/atomisp_cmd.c | 57 +++++++++++++++--------- + 1 file changed, 36 insertions(+), 21 deletions(-) + +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -899,9 +899,9 @@ void atomisp_buf_done(struct atomisp_sub + int err; + unsigned long irqflags; + struct ia_css_frame *frame = NULL; +- struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp; +- struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp; +- struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp; ++ struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter; ++ struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter; ++ struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter; + enum atomisp_metadata_type md_type; + struct atomisp_device *isp = asd->isp; + struct v4l2_control ctrl; +@@ -940,60 +940,75 @@ void atomisp_buf_done(struct atomisp_sub + + switch (buf_type) { + case IA_CSS_BUFFER_TYPE_3A_STATISTICS: +- list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp, ++ list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp, + &asd->s3a_stats_in_css, list) { +- if (s3a_buf->s3a_data == ++ if (s3a_iter->s3a_data == + buffer.css_buffer.data.stats_3a) { +- list_del_init(&s3a_buf->list); +- list_add_tail(&s3a_buf->list, ++ list_del_init(&s3a_iter->list); ++ list_add_tail(&s3a_iter->list, + &asd->s3a_stats_ready); ++ s3a_buf = s3a_iter; + break; + } + } + + asd->s3a_bufs_in_css[css_pipe_id]--; + atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id); +- dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", +- __func__, s3a_buf->s3a_data->exp_id); ++ if (s3a_buf) ++ dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", ++ __func__, s3a_buf->s3a_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_METADATA: + if (error) + break; + + md_type = atomisp_get_metadata_type(asd, css_pipe_id); +- list_for_each_entry_safe(md_buf, _md_buf_tmp, ++ list_for_each_entry_safe(md_iter, _md_buf_tmp, + &asd->metadata_in_css[md_type], list) { +- if (md_buf->metadata == ++ if (md_iter->metadata == + buffer.css_buffer.data.metadata) { +- list_del_init(&md_buf->list); +- list_add_tail(&md_buf->list, ++ list_del_init(&md_iter->list); ++ list_add_tail(&md_iter->list, + &asd->metadata_ready[md_type]); ++ md_buf = md_iter; + break; + } + } + asd->metadata_bufs_in_css[stream_id][css_pipe_id]--; + atomisp_metadata_ready_event(asd, md_type); +- dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", +- __func__, md_buf->metadata->exp_id); ++ if (md_buf) ++ dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", ++ __func__, md_buf->metadata->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_DIS_STATISTICS: +- list_for_each_entry_safe(dis_buf, _dis_buf_tmp, ++ list_for_each_entry_safe(dis_iter, _dis_buf_tmp, + &asd->dis_stats_in_css, list) { +- if (dis_buf->dis_data == ++ if (dis_iter->dis_data == + buffer.css_buffer.data.stats_dvs) { + spin_lock_irqsave(&asd->dis_stats_lock, + irqflags); +- list_del_init(&dis_buf->list); +- list_add(&dis_buf->list, &asd->dis_stats); ++ list_del_init(&dis_iter->list); ++ list_add(&dis_iter->list, &asd->dis_stats); + asd->params.dis_proj_data_valid = true; + spin_unlock_irqrestore(&asd->dis_stats_lock, + irqflags); ++ dis_buf = dis_iter; + break; + } + } + asd->dis_bufs_in_css--; +- dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", +- __func__, dis_buf->dis_data->exp_id); ++ if (dis_buf) ++ dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", ++ __func__, dis_buf->dis_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME: + case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME: diff --git a/queue-5.15/serial-mvebu-uart-uart2-error-bits-clearing.patch b/queue-5.15/serial-mvebu-uart-uart2-error-bits-clearing.patch new file mode 100644 index 00000000000..995b683db33 --- /dev/null +++ b/queue-5.15/serial-mvebu-uart-uart2-error-bits-clearing.patch @@ -0,0 +1,53 @@ +From a7209541239e5dd44d981289e5f9059222d40fd1 Mon Sep 17 00:00:00 2001 +From: Narendra Hadke +Date: Tue, 26 Jul 2022 11:12:21 +0200 +Subject: serial: mvebu-uart: uart2 error bits clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Narendra Hadke + +commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream. + +For mvebu uart2, error bits are not cleared on buffer read. +This causes interrupt loop and system hang. + +Cc: stable@vger.kernel.org +Reviewed-by: Yi Guo +Reviewed-by: Nadav Haklai +Signed-off-by: Narendra Hadke +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mvebu-uart.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -237,6 +237,7 @@ static void mvebu_uart_rx_chars(struct u + struct tty_port *tport = &port->state->port; + unsigned char ch = 0; + char flag = 0; ++ int ret; + + do { + if (status & STAT_RX_RDY(port)) { +@@ -249,6 +250,16 @@ static void mvebu_uart_rx_chars(struct u + port->icount.parity++; + } + ++ /* ++ * For UART2, error bits are not cleared on buffer read. ++ * This causes interrupt loop and system hang. ++ */ ++ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) { ++ ret = readl(port->membase + UART_STAT); ++ ret |= STAT_BRK_ERR; ++ writel(ret, port->membase + UART_STAT); ++ } ++ + if (status & STAT_BRK_DET) { + port->icount.brk++; + status &= ~(STAT_FRM_ERR | STAT_PAR_ERR); diff --git a/queue-5.15/series b/queue-5.15/series index d69abfcd8ef..6deb8f1b050 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -79,3 +79,15 @@ scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch soundwire-qcom-check-device-status-before-reading-devid.patch +ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch +ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch +ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch +fuse-limit-nsec.patch +fuse-ioctl-translate-enosys.patch +serial-mvebu-uart-uart2-error-bits-clearing.patch +md-raid-destroy-the-bitmap-after-destroying-the-thread.patch +md-raid10-fix-kasan-warning.patch +mbcache-don-t-reclaim-used-entries.patch +mbcache-add-functions-to-delete-entry-if-unused.patch +media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch +ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch