--- /dev/null
+From 877ba3f729fd3d8ef0e29bc2a55e57cfa54b2e43 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 4 Aug 2021 14:23:55 -0400
+Subject: ext4: fix potential htree corruption when growing large_dir directories
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 877ba3f729fd3d8ef0e29bc2a55e57cfa54b2e43 upstream.
+
+Commit b5776e7524af ("ext4: fix potential htree index checksum
+corruption) removed a required restart when multiple levels of index
+nodes need to be split. Fix this to avoid directory htree corruptions
+when using the large_dir feature.
+
+Cc: stable@kernel.org # v5.11
+Cc: Благодаренко Артём <artem.blagodarenko@gmail.com>
+Fixes: b5776e7524af ("ext4: fix potential htree index checksum corruption)
+Reported-by: Denis <denis@voxelsoft.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2295,7 +2295,7 @@ again:
+ goto journal_error;
+ err = ext4_handle_dirty_dx_node(handle, dir,
+ frame->bh);
+- if (err)
++ if (restart || err)
+ goto journal_error;
+ } else {
+ struct dx_root *dxroot;
--- /dev/null
+From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Jun 2021 10:45:21 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+The driver uses a zero-length i2c-read request for type detection so
+update the control-request code to use usb_sndctrlpipe() in this case.
+
+Note that actually trying to read the i2c register in question does not
+work as the register might not exist (e.g. depending on the demodulator)
+as reported by Eero Lehtinen <debiangamer2@gmail.com>.
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Reported-by: Eero Lehtinen <debiangamer2@gmail.com>
+Tested-by: Eero Lehtinen <debiangamer2@gmail.com>
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org # 4.0
+Cc: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
+ } else {
+ /* read */
+ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
+- pipe = usb_rcvctrlpipe(d->udev, 0);
++
++ /*
++ * Zero-length transfers must use usb_sndctrlpipe() and
++ * rtl28xxu_identify_state() uses a zero-length i2c read
++ * command to determine the chip type.
++ */
++ if (req->size)
++ pipe = usb_rcvctrlpipe(d->udev, 0);
++ else
++ pipe = usb_sndctrlpipe(d->udev, 0);
+ }
+
+ ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
--- /dev/null
+From 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
+Date: Thu, 5 Aug 2021 10:40:47 -0400
+Subject: pipe: increase minimum default pipe size to 2 pages
+
+From: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+
+commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream.
+
+This program always prints 4096 and hangs before the patch, and always
+prints 8192 and exits successfully after:
+
+ int main()
+ {
+ int pipefd[2];
+ for (int i = 0; i < 1025; i++)
+ if (pipe(pipefd) == -1)
+ return 1;
+ size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
+ printf("%zd\n", bufsz);
+ char *buf = calloc(bufsz, 1);
+ write(pipefd[1], buf, bufsz);
+ read(pipefd[0], buf, bufsz-1);
+ write(pipefd[1], buf, 1);
+ }
+
+Note that you may need to increase your RLIMIT_NOFILE before running the
+program.
+
+Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
+Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/
+Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pipe.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -30,6 +30,21 @@
+ #include "internal.h"
+
+ /*
++ * New pipe buffers will be restricted to this size while the user is exceeding
++ * their pipe buffer quota. The general pipe use case needs at least two
++ * buffers: one for data yet to be read, and one for new data. If this is less
++ * than two, then a write to a non-empty pipe may block even if the pipe is not
++ * full. This can occur with GNU make jobserver or similar uses of pipes as
++ * semaphores: multiple processes may be waiting to write tokens back to the
++ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/.
++ *
++ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their
++ * own risk, namely: pipe writes to non-full pipes may block until the pipe is
++ * emptied.
++ */
++#define PIPE_MIN_DEF_BUFFERS 2
++
++/*
+ * The max size that a non-root user is allowed to grow the pipe. Can
+ * be set by root in /proc/sys/fs/pipe-max-size
+ */
+@@ -654,8 +669,8 @@ struct pipe_inode_info *alloc_pipe_info(
+ user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
+
+ if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) {
+- user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
+- pipe_bufs = 1;
++ user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS);
++ pipe_bufs = PIPE_MIN_DEF_BUFFERS;
+ }
+
+ if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user())
usb-gadget-f_hid-idle-uses-the-highest-byte-for-duration.patch
usb-otg-fsm-fix-hrtimer-list-corruption.patch
scripts-tracing-fix-the-bug-that-can-t-parse-raw_trace_func.patch
+staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
+media-rtl28xxu-fix-zero-length-control-request.patch
+pipe-increase-minimum-default-pipe-size-to-2-pages.patch
+ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
--- /dev/null
+From 990e4ad3ddcb72216caeddd6e62c5f45a21e8121 Mon Sep 17 00:00:00 2001
+From: Xiangyang Zhang <xyz.sun.ok@gmail.com>
+Date: Mon, 28 Jun 2021 23:22:39 +0800
+Subject: staging: rtl8723bs: Fix a resource leak in sd_int_dpc
+
+From: Xiangyang Zhang <xyz.sun.ok@gmail.com>
+
+commit 990e4ad3ddcb72216caeddd6e62c5f45a21e8121 upstream.
+
+The "c2h_evt" variable is not freed when function call
+"c2h_evt_read_88xx" failed
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Xiangyang Zhang <xyz.sun.ok@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210628152239.5475-1-xyz.sun.ok@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/hal/sdio_ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8723bs/hal/sdio_ops.c
++++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c
+@@ -1118,6 +1118,8 @@ void sd_int_dpc(struct adapter *padapter
+ } else {
+ rtw_c2h_wk_cmd(padapter, (u8 *)c2h_evt);
+ }
++ } else {
++ kfree(c2h_evt);
+ }
+ } else {
+ /* Error handling for malloc fail */
projects / thirdparty / kernel / stable-queue.git / commitdiff
