From 17570819b2863bbf21f6655a6c38c20dd73025ca Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 21 Jan 2023 11:32:50 +0100 Subject: [PATCH] 5.4-stable patches added patches: add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch --- ...r-vd-in-axi_chan_handle_err-function.patch | 99 +++++++++++++++++ ...otection-fault-in-nilfs_btree_insert.patch | 102 ++++++++++++++++++ queue-5.4/series | 3 + ...ssion-for-broadcom-pcie-wifi-devices.patch | 39 +++++++ 4 files changed, 243 insertions(+) create mode 100644 queue-5.4/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch create mode 100644 queue-5.4/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch create mode 100644 queue-5.4/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
diff --git a/queue-5.4/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch b/queue-5.4/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
new file mode 100644
index 00000000000..6015c56862a
--- /dev/null
+++ b/queue-5.4/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
@@ -0,0 +1,99 @@
+From 57054fe516d59d03a7bcf1888e82479ccc244f87 Mon Sep 17 00:00:00 2001
+From: "Shawn.Shao"
+Date: Thu, 12 Jan 2023 13:58:02 +0800
+Subject: Add exception protection processing for vd in axi_chan_handle_err function
+
+From: Shawn.Shao
+
+commit 57054fe516d59d03a7bcf1888e82479ccc244f87 upstream.
+
+Since there is no protection for vd, a kernel panic will be
+triggered here in exceptional cases.
+
+You can refer to the processing of axi_chan_block_xfer_complete function
+
+The triggered kernel panic is as follows:
+
+[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+[ 67.848447] Mem abort info:
+[ 67.848449] ESR = 0x96000004
+[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 67.848454] SET = 0, FnV = 0
+[ 67.848456] EA = 0, S1PTW = 0
+[ 67.848458] Data abort info:
+[ 67.848460] ISV = 0, ISS = 0x00000004
+[ 67.848462] CM = 0, WnR = 0
+[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
+[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
+[ 67.848472] Internal error: Oops: 96000004 [#1] SMP
+[ 67.848475] Modules linked in: dmatest
+[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
+[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
+[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230
+[ 67.848491] lr : axi_chan_handle_err+0x30/0x230
+[ 67.848493] sp : ffff0803fe55ae50
+[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
+[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
+[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850
+[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000
+[ 67.848512] x21: 0000000000000080 x20: 0000000000002000
+[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000
+[ 67.848521] x17: 0000000000000000 x16: 0000000000000000
+[ 67.848525] x15: 0000000000000000 x14: 0000000000000000
+[ 67.848529] x13: 0000000000000000 x12: 0000000000000040
+[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
+[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
+[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
+[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
+[ 67.848550] x3 : dead000000000100 x2 : dead000000000122
+[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
+[ 67.848559] Call trace:
+[ 67.848562] axi_chan_handle_err+0xc4/0x230
+[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590
+[ 67.848569] __handle_irq_event_percpu+0x60/0x220
+[ 67.848573] handle_irq_event+0x64/0x120
+[ 67.848576] handle_fasteoi_irq+0xc4/0x220
+[ 67.848580] __handle_domain_irq+0x80/0xe0
+[ 67.848583] gic_handle_irq+0xc0/0x138
+[ 67.848585] el1_irq+0xc8/0x180
+[ 67.848588] arch_cpu_idle+0x14/0x2c
+[ 67.848591] default_idle_call+0x40/0x16c
+[ 67.848594] do_idle+0x1f0/0x250
+[ 67.848597] cpu_startup_entry+0x2c/0x60
+[ 67.848600] rest_init+0xc0/0xcc
+[ 67.848603] arch_call_rest_init+0x14/0x1c
+[ 67.848606] start_kernel+0x4cc/0x500
+[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
+[ 67.848613] ---[ end trace 585a97036f88203a ]---
+
+Signed-off-by: Shawn.Shao
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230112055802.1764-1-shawn.shao@jaguarmicro.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
++++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+@@ -551,6 +551,11 @@ static noinline void axi_chan_handle_err
+
+ /* The bad descriptor currently is in the head of vc list */
+ vd = vchan_next_desc(&chan->vc);
++ if (!vd) {
++ dev_err(chan2dev(chan), "BUG: %s, IRQ with no descriptors\n",
++ axi_chan_name(chan));
++ goto out;
++ }
+ /* Remove the completed descriptor from issued list */
+ list_del(&vd->node);
+
+@@ -565,6 +570,7 @@ static noinline void axi_chan_handle_err
+ /* Try to restart the controller */
+ axi_chan_start_first_queued(chan);
+
++out:
+ spin_unlock_irqrestore(&chan->vc.lock, flags);
+ }
+
diff --git a/queue-5.4/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch b/queue-5.4/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
new file mode 100644
index 00000000000..b0645fc0d4d
--- /dev/null
+++ b/queue-5.4/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
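Review bot: The new `if (!vd)` branch logs with an unthrottled `dev_err()` on the error-interrupt path (the quoted trace reaches axi_chan_handle_err from dw_axi_dma_interrupt) while `chan->vc.lock` is held with interrupts off, so a controller that keeps raising the error IRQ with an empty descriptor list would flood the kernel log. Consider `dev_err_ratelimited(chan2dev(chan), "BUG: %s, IRQ with no descriptors\n", axi_chan_name(chan));`, and, if the function's status argument is in scope here (the signature is cut off in the hunk header), adding it to the message to help triage. The `goto out` also skips axi_chan_start_first_queued(); that looks harmless with nothing queued, but the function body starts outside the hunk, so it should be confirmed that any channel state changed before this point is left consistent on the early exit.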
@@ -0,0 +1,102 @@
+From 7633355e5c7f29c049a9048e461427d1d8ed3051 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 5 Jan 2023 14:53:56 +0900
+Subject: nilfs2: fix general protection fault in nilfs_btree_insert()
+
+From: Ryusuke Konishi
+
+commit 7633355e5c7f29c049a9048e461427d1d8ed3051 upstream.
+
+If nilfs2 reads a corrupted disk image and tries to reads a b-tree node
+block by calling __nilfs_btree_get_block() against an invalid virtual
+block address, it returns -ENOENT because conversion of the virtual block
+address to a disk block address fails. However, this return value is the
+same as the internal code that b-tree lookup routines return to indicate
+that the block being searched does not exist, so functions that operate on
+that b-tree may misbehave.
+
+When nilfs_btree_insert() receives this spurious 'not found' code from
+nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
+successful and continues the insert operation using incomplete lookup path
+data, causing the following crash:
+
+ general protection fault, probably for non-canonical address
+ 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+ ...
+ RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
+ RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
+ RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
+ Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
+ ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
+ 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
+ ...
+ Call Trace:
+
+ nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
+ nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
+ nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
+ __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
+ __block_write_begin fs/buffer.c:2041 [inline]
+ block_write_begin+0x93/0x1e0 fs/buffer.c:2102
+ nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
+ generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
+ __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
+ generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
+ call_write_iter include/linux/fs.h:2186 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x7dc/0xc50 fs/read_write.c:584
+ ksys_write+0x177/0x2a0 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ ...
+
+
+This patch fixes the root cause of this problem by replacing the error
+code that __nilfs_btree_get_block() returns on block address conversion
+failure from -ENOENT to another internal code -EINVAL which means that the
+b-tree metadata is corrupted.
+
+By returning -EINVAL, it propagates without glitches, and for all relevant
+b-tree operations, functions in the upper bmap layer output an error
+message indicating corrupted b-tree metadata via
+nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
+it should be.
+
+Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com
+Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+ede796cecd5296353515@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/btree.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -480,9 +480,18 @@ static int __nilfs_btree_get_block(const
+ ret = nilfs_btnode_submit_block(btnc, ptr, 0, REQ_OP_READ, 0, &bh,
+ &submit_ptr);
+ if (ret) {
+- if (ret != -EEXIST)
+- return ret;
+- goto out_check;
++ if (likely(ret == -EEXIST))
++ goto out_check;
++ if (ret == -ENOENT) {
++ /*
++ * Block address translation failed due to invalid
++ * value of 'ptr'. In this case, return internal code
++ * -EINVAL (broken bmap) to notify bmap layer of fatal
++ * metadata corruption.
++ */
++ ret = -EINVAL;
++ }
++ return ret;
+ }
+
+ if (ra) {
diff --git a/queue-5.4/series b/queue-5.4/series
index dad3496c711..7721980af92 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -3,3 +3,6 @@ selftests-bpf-check-null-propagation-only-neither-re.patch
 net-ethtool-ioctl-return-eopnotsupp-if-we-have-no-ph.patch
 rdma-srp-move-large-values-to-a-new-enum-for-gcc13.patch
 f2fs-let-s-avoid-panic-if-extent_tree-is-not-created.patch
+wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
+add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
+nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
diff --git a/queue-5.4/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch b/queue-5.4/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
new file mode 100644
index 00000000000..ed2e37df767
--- /dev/null
+++ b/queue-5.4/wifi-brcmfmac-fix-regression-for-broadcom-pcie-wifi-devices.patch
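Review bot: The -ENOENT to -EINVAL remap in `__nilfs_btree_get_block()` is explained only inside the error branch, so the intended contract (this helper must not hand -ENOENT to its callers, because the lookup routines reserve that code for "key not found") is invisible to anyone adding a caller or another return path. I would state it in the function's header comment, e.g. `/* Does not return -ENOENT: a failed address translation of 'ptr' is reported as -EINVAL (broken bmap) so callers cannot mistake it for a lookup miss. */`. The hunk ends at `if (ra) {` and the rest of the function is not shown, so it is worth confirming that no later path (the readahead block or the `out_check` label) can still return -ENOENT from a block read. The remap also assumes that -ENOENT from nilfs_btnode_submit_block() only ever means a failed translation of `ptr`, which should be checked against that helper.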
@@ -0,0 +1,39 @@
+From ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel
+Date: Wed, 11 Jan 2023 12:24:19 +0100
+Subject: wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
+
+From: Arend van Spriel
+
+commit ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 upstream.
+
+A sanity check was introduced considering maximum flowrings above
+256 as insane and effectively aborting the device probe. This
+resulted in regression for number of users as the value turns out
+to be sane after all.
+
+Fixes: 2aca4f3734bd ("brcmfmac: return error when getting invalid max_flowrings from dongle")
+Reported-by: chainofflowers
+Link: https://lore.kernel.org/all/4781984.GXAFRqVoOG@luna/
+Reported-by: Christian Marillat
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216894
+Cc: stable@vger.kernel.org
+Signed-off-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230111112419.24185-1-arend.vanspriel@broadcom.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1109,7 +1109,7 @@ static int brcmf_pcie_init_ringbuffers(s
+ BRCMF_NROF_H2D_COMMON_MSGRINGS;
+ max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS;
+ }
+- if (max_flowrings > 256) {
++ if (max_flowrings > 512) {
+ brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings);
+ return -EIO;
+ }
-- 2.47.3
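Review bot: The limit in `if (max_flowrings > 512)` is a bare literal with no stated basis, and going by the Fixes: title the value is read from the dongle, so this check is the only bound visible here on a device-supplied count. Since the previous 256 turned out to be a guess, the new bound should be tied to what the driver actually sizes from it; a named constant carrying a comment such as `/* largest flowring count accepted from firmware; ring-id storage and allocations must cover this many */` would make that reviewable. The code that consumes max_flowrings lies outside the hunk, so it should be confirmed that every array, allocation and ring-id field derived from it holds for 512 entries. The `%d` in the brcmf_err() call assumes max_flowrings is a signed int; its declaration is not visible here.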