From 705d916f01df2e06d2dd03d7ab8b596df42c905e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 16:37:24 +0200 Subject: [PATCH] 5.10-stable patches added patches: fuse-limit-nsec.patch ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch mbcache-add-functions-to-delete-entry-if-unused.patch mbcache-don-t-reclaim-used-entries.patch md-raid-destroy-the-bitmap-after-destroying-the-thread.patch md-raid10-fix-kasan-warning.patch media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch serial-mvebu-uart-uart2-error-bits-clearing.patch --- queue-5.10/fuse-limit-nsec.patch | 34 ++++ ...atible-pointer-types-in-ia64_get_irr.patch | 44 ++++++ ...-functions-to-delete-entry-if-unused.patch | 148 ++++++++++++++++++ .../mbcache-don-t-reclaim-used-entries.patch | 50 ++++++ ...e-bitmap-after-destroying-the-thread.patch | 129 +++++++++++++++ queue-5.10/md-raid10-fix-kasan-warning.patch | 148 ++++++++++++++++++ ...hree-missing-checks-on-list-iterator.patch | 142 +++++++++++++++++ ...mvebu-uart-uart2-error-bits-clearing.patch | 53 +++++++ queue-5.10/series | 8 + 9 files changed, 756 insertions(+) create mode 100644 queue-5.10/fuse-limit-nsec.patch create mode 100644 queue-5.10/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch create mode 100644 queue-5.10/mbcache-add-functions-to-delete-entry-if-unused.patch create mode 100644 queue-5.10/mbcache-don-t-reclaim-used-entries.patch create mode 100644 queue-5.10/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch create mode 100644 queue-5.10/md-raid10-fix-kasan-warning.patch create mode 100644 queue-5.10/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch create mode 100644 queue-5.10/serial-mvebu-uart-uart2-error-bits-clearing.patch diff --git a/queue-5.10/fuse-limit-nsec.patch b/queue-5.10/fuse-limit-nsec.patch new file mode 100644 index 00000000000..c28a0d62b7e --- /dev/null +++ b/queue-5.10/fuse-limit-nsec.patch @@ -0,0 +1,34 @@ +From 47912eaa061a6a81e4aa790591a1874c650733c0 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 21 Jul 2022 16:06:18 +0200 +Subject: fuse: limit nsec + +From: Miklos Szeredi + +commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream. + +Limit nanoseconds to 0..999999999. + +Fixes: d8a5ba45457e ("[PATCH] FUSE - core") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -182,6 +182,12 @@ void fuse_change_attributes_common(struc + inode->i_uid = make_kuid(fc->user_ns, attr->uid); + inode->i_gid = make_kgid(fc->user_ns, attr->gid); + inode->i_blocks = attr->blocks; ++ ++ /* Sanitize nsecs */ ++ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1); ++ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1); ++ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1); ++ + inode->i_atime.tv_sec = attr->atime; + inode->i_atime.tv_nsec = attr->atimensec; + /* mtime from server may be stale due to local buffered write */ diff --git a/queue-5.10/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch b/queue-5.10/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch new file mode 100644 index 00000000000..ad35b8d9459 --- /dev/null +++ b/queue-5.10/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch @@ -0,0 +1,44 @@ +From e5a16a5c4602c119262f350274021f90465f479d Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Fri, 24 Jun 2022 14:13:05 +0200 +Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() + +From: Alexander Lobakin + +commit e5a16a5c4602c119262f350274021f90465f479d upstream. + +test_bit(), as any other bitmap op, takes `unsigned long *` as a +second argument (pointer to the actual bitmap), as any bitmap +itself is an array of unsigned longs. However, the ia64_get_irr() +code passes a ref to `u64` as a second argument. +This works with the ia64 bitops implementation due to that they +have `void *` as the second argument and then cast it later on. +This works with the bitmap API itself due to that `unsigned long` +has the same size on ia64 as `u64` (`unsigned long long`), but +from the compiler PoV those two are different. +Define @irr as `unsigned long` to fix that. That implies no +functional changes. Has been hidden for 16 years! + +Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") +Cc: stable@vger.kernel.org # 2.6.16+ +Reported-by: kernel test robot +Signed-off-by: Alexander Lobakin +Reviewed-by: Andy Shevchenko +Reviewed-by: Yury Norov +Signed-off-by: Yury Norov +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/ia64/include/asm/processor.h ++++ b/arch/ia64/include/asm/processor.h +@@ -542,7 +542,7 @@ ia64_get_irr(unsigned int vector) + { + unsigned int reg = vector / 64; + unsigned int bit = vector % 64; +- u64 irr; ++ unsigned long irr; + + switch (reg) { + case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break; diff --git a/queue-5.10/mbcache-add-functions-to-delete-entry-if-unused.patch b/queue-5.10/mbcache-add-functions-to-delete-entry-if-unused.patch new file mode 100644 index 00000000000..6ba6d9afbb8 --- /dev/null +++ b/queue-5.10/mbcache-add-functions-to-delete-entry-if-unused.patch @@ -0,0 +1,148 @@ +From 3dc96bba65f53daa217f0a8f43edad145286a8f5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:21 +0200 +Subject: mbcache: add functions to delete entry if unused + +From: Jan Kara + +commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream. + +Add function mb_cache_entry_delete_or_get() to delete mbcache entry if +it is unused and also add a function to wait for entry to become unused +- mb_cache_entry_wait_unused(). We do not share code between the two +deleting function as one of them will go away soon. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++-- + include/linux/mbcache.h | 10 ++++++- + 2 files changed, 73 insertions(+), 3 deletions(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -11,7 +11,7 @@ + /* + * Mbcache is a simple key-value store. Keys need not be unique, however + * key-value pairs are expected to be unique (we use this fact in +- * mb_cache_entry_delete()). ++ * mb_cache_entry_delete_or_get()). + * + * Ext2 and ext4 use this cache for deduplication of extended attribute blocks. + * Ext4 also uses it for deduplication of xattr values stored in inodes. +@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cac + } + EXPORT_SYMBOL(__mb_cache_entry_free); + ++/* ++ * mb_cache_entry_wait_unused - wait to be the last user of the entry ++ * ++ * @entry - entry to work on ++ * ++ * Wait to be the last user of the entry. ++ */ ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry) ++{ ++ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3); ++} ++EXPORT_SYMBOL(mb_cache_entry_wait_unused); ++ + static struct mb_cache_entry *__entry_find(struct mb_cache *cache, + struct mb_cache_entry *entry, + u32 key) +@@ -217,7 +230,7 @@ out: + } + EXPORT_SYMBOL(mb_cache_entry_get); + +-/* mb_cache_entry_delete - remove a cache entry ++/* mb_cache_entry_delete - try to remove a cache entry + * @cache - cache we work with + * @key - key + * @value - value +@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cac + } + EXPORT_SYMBOL(mb_cache_entry_delete); + ++/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users ++ * @cache - cache we work with ++ * @key - key ++ * @value - value ++ * ++ * Remove entry from cache @cache with key @key and value @value. The removal ++ * happens only if the entry is unused. The function returns NULL in case the ++ * entry was successfully removed or there's no entry in cache. Otherwise the ++ * function grabs reference of the entry that we failed to delete because it ++ * still has users and return it. ++ */ ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value) ++{ ++ struct hlist_bl_node *node; ++ struct hlist_bl_head *head; ++ struct mb_cache_entry *entry; ++ ++ head = mb_cache_entry_head(cache, key); ++ hlist_bl_lock(head); ++ hlist_bl_for_each_entry(entry, node, head, e_hash_list) { ++ if (entry->e_key == key && entry->e_value == value) { ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ atomic_inc(&entry->e_refcnt); ++ hlist_bl_unlock(head); ++ return entry; ++ } ++ /* We keep hash list reference to keep entry alive */ ++ hlist_bl_del_init(&entry->e_hash_list); ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ if (!list_empty(&entry->e_list)) { ++ list_del_init(&entry->e_list); ++ if (!WARN_ONCE(cache->c_entry_count == 0, ++ "mbcache: attempt to decrement c_entry_count past zero")) ++ cache->c_entry_count--; ++ atomic_dec(&entry->e_refcnt); ++ } ++ spin_unlock(&cache->c_list_lock); ++ mb_cache_entry_put(cache, entry); ++ return NULL; ++ } ++ } ++ hlist_bl_unlock(head); ++ ++ return NULL; ++} ++EXPORT_SYMBOL(mb_cache_entry_delete_or_get); ++ + /* mb_cache_entry_touch - cache entry got used + * @cache - cache the entry belongs to + * @entry - entry that got used +--- a/include/linux/mbcache.h ++++ b/include/linux/mbcache.h +@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *c + int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, + u64 value, bool reusable); + void __mb_cache_entry_free(struct mb_cache_entry *entry); ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry); + static inline int mb_cache_entry_put(struct mb_cache *cache, + struct mb_cache_entry *entry) + { +- if (!atomic_dec_and_test(&entry->e_refcnt)) ++ unsigned int cnt = atomic_dec_return(&entry->e_refcnt); ++ ++ if (cnt > 0) { ++ if (cnt <= 3) ++ wake_up_var(&entry->e_refcnt); + return 0; ++ } + __mb_cache_entry_free(entry); + return 1; + } + ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value); + void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value); + struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, + u64 value); diff --git a/queue-5.10/mbcache-don-t-reclaim-used-entries.patch b/queue-5.10/mbcache-don-t-reclaim-used-entries.patch new file mode 100644 index 00000000000..38b35d75c32 --- /dev/null +++ b/queue-5.10/mbcache-don-t-reclaim-used-entries.patch @@ -0,0 +1,50 @@ +From 58318914186c157477b978b1739dfe2f1b9dc0fe Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:20 +0200 +Subject: mbcache: don't reclaim used entries + +From: Jan Kara + +commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream. + +Do not reclaim entries that are currently used by somebody from a +shrinker. Firstly, these entries are likely useful. Secondly, we will +need to keep such entries to protect pending increment of xattr block +refcount. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(str + while (nr_to_scan-- && !list_empty(&cache->c_list)) { + entry = list_first_entry(&cache->c_list, + struct mb_cache_entry, e_list); +- if (entry->e_referenced) { ++ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) { + entry->e_referenced = 0; + list_move_tail(&entry->e_list, &cache->c_list); + continue; +@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(str + spin_unlock(&cache->c_list_lock); + head = mb_cache_entry_head(cache, entry->e_key); + hlist_bl_lock(head); ++ /* Now a reliable check if the entry didn't get used... */ ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ list_add_tail(&entry->e_list, &cache->c_list); ++ cache->c_entry_count++; ++ continue; ++ } + if (!hlist_bl_unhashed(&entry->e_hash_list)) { + hlist_bl_del_init(&entry->e_hash_list); + atomic_dec(&entry->e_refcnt); diff --git a/queue-5.10/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch b/queue-5.10/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch new file mode 100644 index 00000000000..1b99df3e28f --- /dev/null +++ b/queue-5.10/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch @@ -0,0 +1,129 @@ +From e151db8ecfb019b7da31d076130a794574c89f6f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:26:12 -0400 +Subject: md-raid: destroy the bitmap after destroying the thread + +From: Mikulas Patocka + +commit e151db8ecfb019b7da31d076130a794574c89f6f upstream. + +When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with +kasan, we got failure in write_page. + +The reason for the failure is that md_bitmap_destroy is called before +destroying the thread and the thread may be waiting in the function +write_page for the bio to complete. When the thread finishes waiting, it +executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which +triggers the kasan warning. + +Note that the commit 48df498daf62 that caused this bug claims that it is +neede for md-cluster, you should check md-cluster and possibly find +another bugfix for it. + +BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] +Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 + +CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? write_page+0x18d/0x680 [md_mod] + kasan_report+0xa8/0xe0 + ? write_page+0x18d/0x680 [md_mod] + kasan_check_range+0x13f/0x180 + write_page+0x18d/0x680 [md_mod] + ? super_sync+0x4d5/0x560 [dm_raid] + ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] + ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] + ? mutex_trylock+0x120/0x120 + ? preempt_count_add+0x6b/0xc0 + ? preempt_count_sub+0xf/0xc0 + md_update_sb+0x707/0xe40 [md_mod] + md_reap_sync_thread+0x1b2/0x4a0 [md_mod] + md_check_recovery+0x533/0x960 [md_mod] + raid1d+0xc8/0x2a20 [raid1] + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid1_end_read_request+0x2a0/0x2a0 [raid1] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 5522: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + md_bitmap_create+0xa8/0xe80 [md_mod] + md_run+0x777/0x1300 [md_mod] + raid_ctr+0x249c/0x4a30 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Freed by task 5680: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x40 + kasan_set_free_info+0x20/0x40 + __kasan_slab_free+0xf7/0x140 + kfree+0x80/0x240 + md_bitmap_free+0x1c3/0x280 [md_mod] + __md_stop+0x21/0x120 [md_mod] + md_stop+0x9/0x40 [md_mod] + raid_dtr+0x1b/0x40 [dm_raid] + dm_table_destroy+0x98/0x1e0 [dm_mod] + __dm_destroy+0x199/0x360 [dm_mod] + dev_remove+0x10c/0x160 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6278,11 +6278,11 @@ static void mddev_detach(struct mddev *m + static void __md_stop(struct mddev *mddev) + { + struct md_personality *pers = mddev->pers; +- md_bitmap_destroy(mddev); + mddev_detach(mddev); + /* Ensure ->event_work is done */ + if (mddev->event_work.func) + flush_workqueue(md_misc_wq); ++ md_bitmap_destroy(mddev); + spin_lock(&mddev->lock); + mddev->pers = NULL; + spin_unlock(&mddev->lock); diff --git a/queue-5.10/md-raid10-fix-kasan-warning.patch b/queue-5.10/md-raid10-fix-kasan-warning.patch new file mode 100644 index 00000000000..61c535467ea --- /dev/null +++ b/queue-5.10/md-raid10-fix-kasan-warning.patch @@ -0,0 +1,148 @@ +From d17f744e883b2f8d13cca252d71cfe8ace346f7d Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 26 Jul 2022 04:33:12 -0400 +Subject: md-raid10: fix KASAN warning + +From: Mikulas Patocka + +commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream. + +There's a KASAN warning in raid10_remove_disk when running the lvm +test lvconvert-raid-reshape.sh. We fix this warning by verifying that the +value "number" is valid. + +BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] +Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 + +CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + kasan_report+0xa8/0xe0 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + raid10_remove_disk+0x61/0x2a0 [raid10] +Buffer I/O error on dev dm-76, logical block 15344, async page read + ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 + remove_and_add_spares+0x367/0x8a0 [md_mod] + ? super_written+0x1c0/0x1c0 [md_mod] + ? mutex_trylock+0xac/0x120 + ? _raw_spin_lock+0x72/0xc0 + ? _raw_spin_lock_bh+0xc0/0xc0 + md_check_recovery+0x848/0x960 [md_mod] + raid10d+0xcf/0x3360 [raid10] + ? sched_clock_cpu+0x185/0x1a0 + ? rb_erase+0x4d4/0x620 + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid10_sync_request+0x36c0/0x36c0 [raid10] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? _raw_spin_unlock_irq+0x11/0x24 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 124495: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + setup_conf+0x140/0x5c0 [raid10] + raid10_run+0x4cd/0x740 [raid10] + md_run+0x6f9/0x1300 [md_mod] + raid_ctr+0x2531/0x4ac0 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 +L __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Second to last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 + __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The buggy address belongs to the object at ffff889108f3d200 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 0 bytes to the right of + 256-byte region [ffff889108f3d200, ffff889108f3d300) + +The buggy address belongs to the physical page: +page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c +head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=2) +raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 +raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1809,9 +1809,12 @@ static int raid10_remove_disk(struct mdd + int err = 0; + int number = rdev->raid_disk; + struct md_rdev **rdevp; +- struct raid10_info *p = conf->mirrors + number; ++ struct raid10_info *p; + + print_conf(conf); ++ if (unlikely(number >= mddev->raid_disks)) ++ return 0; ++ p = conf->mirrors + number; + if (rdev == p->rdev) + rdevp = &p->rdev; + else if (rdev == p->replacement) diff --git a/queue-5.10/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch b/queue-5.10/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch new file mode 100644 index 00000000000..ef88dd3d3f8 --- /dev/null +++ b/queue-5.10/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch @@ -0,0 +1,142 @@ +From 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Thu, 14 Apr 2022 05:14:15 +0100 +Subject: media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator + +From: Xiaomeng Tong + +commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 upstream. + +The three bugs are here: + __func__, s3a_buf->s3a_data->exp_id); + __func__, md_buf->metadata->exp_id); + __func__, dis_buf->dis_data->exp_id); + +The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus +position containing HEAD if the list is empty or no element is found. +This case must be checked before any use of the iterator, otherwise +it will lead to a invalid memory access. + +To fix this bug, add an check. Use a new variable '*_iter' as the +list iterator, while use the old variable '*_buf' as a dedicated +pointer to point to the found element. + +Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com +Cc: stable@vger.kernel.org +Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/atomisp/pci/atomisp_cmd.c | 57 +++++++++++++++--------- + 1 file changed, 36 insertions(+), 21 deletions(-) + +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -899,9 +899,9 @@ void atomisp_buf_done(struct atomisp_sub + int err; + unsigned long irqflags; + struct ia_css_frame *frame = NULL; +- struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp; +- struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp; +- struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp; ++ struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter; ++ struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter; ++ struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter; + enum atomisp_metadata_type md_type; + struct atomisp_device *isp = asd->isp; + struct v4l2_control ctrl; +@@ -940,60 +940,75 @@ void atomisp_buf_done(struct atomisp_sub + + switch (buf_type) { + case IA_CSS_BUFFER_TYPE_3A_STATISTICS: +- list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp, ++ list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp, + &asd->s3a_stats_in_css, list) { +- if (s3a_buf->s3a_data == ++ if (s3a_iter->s3a_data == + buffer.css_buffer.data.stats_3a) { +- list_del_init(&s3a_buf->list); +- list_add_tail(&s3a_buf->list, ++ list_del_init(&s3a_iter->list); ++ list_add_tail(&s3a_iter->list, + &asd->s3a_stats_ready); ++ s3a_buf = s3a_iter; + break; + } + } + + asd->s3a_bufs_in_css[css_pipe_id]--; + atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id); +- dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", +- __func__, s3a_buf->s3a_data->exp_id); ++ if (s3a_buf) ++ dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", ++ __func__, s3a_buf->s3a_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_METADATA: + if (error) + break; + + md_type = atomisp_get_metadata_type(asd, css_pipe_id); +- list_for_each_entry_safe(md_buf, _md_buf_tmp, ++ list_for_each_entry_safe(md_iter, _md_buf_tmp, + &asd->metadata_in_css[md_type], list) { +- if (md_buf->metadata == ++ if (md_iter->metadata == + buffer.css_buffer.data.metadata) { +- list_del_init(&md_buf->list); +- list_add_tail(&md_buf->list, ++ list_del_init(&md_iter->list); ++ list_add_tail(&md_iter->list, + &asd->metadata_ready[md_type]); ++ md_buf = md_iter; + break; + } + } + asd->metadata_bufs_in_css[stream_id][css_pipe_id]--; + atomisp_metadata_ready_event(asd, md_type); +- dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", +- __func__, md_buf->metadata->exp_id); ++ if (md_buf) ++ dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", ++ __func__, md_buf->metadata->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_DIS_STATISTICS: +- list_for_each_entry_safe(dis_buf, _dis_buf_tmp, ++ list_for_each_entry_safe(dis_iter, _dis_buf_tmp, + &asd->dis_stats_in_css, list) { +- if (dis_buf->dis_data == ++ if (dis_iter->dis_data == + buffer.css_buffer.data.stats_dvs) { + spin_lock_irqsave(&asd->dis_stats_lock, + irqflags); +- list_del_init(&dis_buf->list); +- list_add(&dis_buf->list, &asd->dis_stats); ++ list_del_init(&dis_iter->list); ++ list_add(&dis_iter->list, &asd->dis_stats); + asd->params.dis_proj_data_valid = true; + spin_unlock_irqrestore(&asd->dis_stats_lock, + irqflags); ++ dis_buf = dis_iter; + break; + } + } + asd->dis_bufs_in_css--; +- dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", +- __func__, dis_buf->dis_data->exp_id); ++ if (dis_buf) ++ dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", ++ __func__, dis_buf->dis_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME: + case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME: diff --git a/queue-5.10/serial-mvebu-uart-uart2-error-bits-clearing.patch b/queue-5.10/serial-mvebu-uart-uart2-error-bits-clearing.patch new file mode 100644 index 00000000000..4ae43416d4b --- /dev/null +++ b/queue-5.10/serial-mvebu-uart-uart2-error-bits-clearing.patch @@ -0,0 +1,53 @@ +From a7209541239e5dd44d981289e5f9059222d40fd1 Mon Sep 17 00:00:00 2001 +From: Narendra Hadke +Date: Tue, 26 Jul 2022 11:12:21 +0200 +Subject: serial: mvebu-uart: uart2 error bits clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Narendra Hadke + +commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream. + +For mvebu uart2, error bits are not cleared on buffer read. +This causes interrupt loop and system hang. + +Cc: stable@vger.kernel.org +Reviewed-by: Yi Guo +Reviewed-by: Nadav Haklai +Signed-off-by: Narendra Hadke +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mvebu-uart.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -238,6 +238,7 @@ static void mvebu_uart_rx_chars(struct u + struct tty_port *tport = &port->state->port; + unsigned char ch = 0; + char flag = 0; ++ int ret; + + do { + if (status & STAT_RX_RDY(port)) { +@@ -250,6 +251,16 @@ static void mvebu_uart_rx_chars(struct u + port->icount.parity++; + } + ++ /* ++ * For UART2, error bits are not cleared on buffer read. ++ * This causes interrupt loop and system hang. ++ */ ++ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) { ++ ret = readl(port->membase + UART_STAT); ++ ret |= STAT_BRK_ERR; ++ writel(ret, port->membase + UART_STAT); ++ } ++ + if (status & STAT_BRK_DET) { + port->icount.brk++; + status &= ~(STAT_FRM_ERR | STAT_PAR_ERR); diff --git a/queue-5.10/series b/queue-5.10/series index 0e3270d9970..a9a63cd788a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -50,3 +50,11 @@ iio-light-isl29028-fix-the-warning-in-isl29028_remove.patch scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch +fuse-limit-nsec.patch +serial-mvebu-uart-uart2-error-bits-clearing.patch +md-raid-destroy-the-bitmap-after-destroying-the-thread.patch +md-raid10-fix-kasan-warning.patch +mbcache-don-t-reclaim-used-entries.patch +mbcache-add-functions-to-delete-entry-if-unused.patch +media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch +ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch -- 2.47.3