--- /dev/null
+From e3548aaf41a200c2af359462be23bcdd76efd795 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 17 Jan 2022 00:20:47 -0600
+Subject: cifs: free ntlmsspblob allocated in negotiate
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit e3548aaf41a200c2af359462be23bcdd76efd795 upstream.
+
+One of my previous fixes:
+cifs: send workstation name during ntlmssp session setup
+...changed the prototype of build_ntlmssp_negotiate_blob
+from being allocated by the caller to being allocated within
+the function. The caller needs to free this object too.
+While SMB2 version of the caller did it, I forgot to free
+for the SMB1 version. Fixing that here.
+
+Fixes: 49bd49f983b5 ("cifs: send workstation name during ntlmssp session setup")
+Cc: stable@vger.kernel.org # 5.16
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/sess.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -1354,7 +1354,7 @@ sess_auth_rawntlmssp_negotiate(struct se
+ &blob_len, ses,
+ sess_data->nls_cp);
+ if (rc)
+- goto out;
++ goto out_free_ntlmsspblob;
+
+ sess_data->iov[1].iov_len = blob_len;
+ sess_data->iov[1].iov_base = ntlmsspblob;
+@@ -1362,7 +1362,7 @@ sess_auth_rawntlmssp_negotiate(struct se
+
+ rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
+ if (rc)
+- goto out;
++ goto out_free_ntlmsspblob;
+
+ rc = sess_sendreceive(sess_data);
+
+@@ -1376,14 +1376,14 @@ sess_auth_rawntlmssp_negotiate(struct se
+ rc = 0;
+
+ if (rc)
+- goto out;
++ goto out_free_ntlmsspblob;
+
+ cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
+
+ if (smb_buf->WordCount != 4) {
+ rc = -EIO;
+ cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
+- goto out;
++ goto out_free_ntlmsspblob;
+ }
+
+ ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */
+@@ -1397,10 +1397,13 @@ sess_auth_rawntlmssp_negotiate(struct se
+ cifs_dbg(VFS, "bad security blob length %d\n",
+ blob_len);
+ rc = -EINVAL;
+- goto out;
++ goto out_free_ntlmsspblob;
+ }
+
+ rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
++
++out_free_ntlmsspblob:
++ kfree(ntlmsspblob);
+ out:
+ sess_free_buffer(sess_data);
+
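Review bot: The early `goto out_free_ntlmsspblob` taken when `build_ntlmssp_negotiate_blob()` fails (first hunk) now reaches `kfree(ntlmsspblob)` with whatever the failed call left in `ntlmsspblob`; that is only safe if the variable is initialised to NULL at its declaration (outside the hunk) or the callee guarantees a NULL out-pointer on failure, and kfree() on an indeterminate pointer would be an invalid free, so this is worth confirming. Any `goto out` that remains before the blob is built (also outside these hunks) correctly skips the kfree only as long as it precedes the allocation. A comment at the new label, `/* ntlmsspblob is NULL until build_ntlmssp_negotiate_blob() succeeds */`, would document the invariant. sess_auth_rawntlmssp_negotiate() begins before the first hunk.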
--- /dev/null
+From 19bdba5265624ba6b9d9dd936a0c6ccc167cfe80 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Thu, 9 Dec 2021 10:25:43 -0800
+Subject: f2fs: avoid EINVAL by SBI_NEED_FSCK when pinning a file
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 19bdba5265624ba6b9d9dd936a0c6ccc167cfe80 upstream.
+
+Android OTA failed due to SBI_NEED_FSCK flag when pinning the file. Let's avoid
+it since we can do in-place-updates.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 7 +++++--
+ fs/f2fs/file.c | 10 +++++-----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2617,6 +2617,11 @@ bool f2fs_should_update_outplace(struct
+ {
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
++ /* The below cases were checked when setting it. */
++ if (f2fs_is_pinned_file(inode))
++ return false;
++ if (fio && is_sbi_flag_set(sbi, SBI_NEED_FSCK))
++ return true;
+ if (f2fs_lfs_mode(sbi))
+ return true;
+ if (S_ISDIR(inode->i_mode))
+@@ -2625,8 +2630,6 @@ bool f2fs_should_update_outplace(struct
+ return true;
+ if (f2fs_is_atomic_file(inode))
+ return true;
+- if (is_sbi_flag_set(sbi, SBI_NEED_FSCK))
+- return true;
+
+ /* swap file is migrating in aligned write mode */
+ if (is_inode_flag_set(inode, FI_ALIGNED_WRITE))
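Review bot: The new comment `/* The below cases were checked when setting it. */` in f2fs_should_update_outplace is too terse to explain why a pinned file now bypasses every later check, including the SBI_NEED_FSCK test the commit moves below it; suggest `/* Pinned files are always updated in place: f2fs_ioc_set_pin_file() only sets FI_PIN_FILE after the checks below passed. */`. That invariant holds for files pinned through the ioctl path in the file.c hunk; if the pin flag is also restored from on-disk inode state at lookup time (outside this hunk), a crafted image could present a pinned inode that never went through those checks, which the comment should say or the code should handle. The function continues outside the hunk.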
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3143,17 +3143,17 @@ static int f2fs_ioc_set_pin_file(struct
+
+ inode_lock(inode);
+
+- if (f2fs_should_update_outplace(inode, NULL)) {
+- ret = -EINVAL;
+- goto out;
+- }
+-
+ if (!pin) {
+ clear_inode_flag(inode, FI_PIN_FILE);
+ f2fs_i_gc_failures_write(inode, 0);
+ goto done;
+ }
+
++ if (f2fs_should_update_outplace(inode, NULL)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ if (f2fs_pin_file_control(inode, false)) {
+ ret = -EAGAIN;
+ goto out;
--- /dev/null
+From 77900c45ee5cd5da63bd4d818a41dbdf367e81cd Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 6 Dec 2021 22:44:21 +0800
+Subject: f2fs: fix to do sanity check in is_alive()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
+
+In fuzzed image, SSA table may indicate that a data block belongs to
+invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
+order to avoid migrating inconsistent data in such corrupted image,
+let's do sanity check anyway before data block migration.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1026,6 +1026,9 @@ static bool is_alive(struct f2fs_sb_info
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
+
++ if (f2fs_check_nid_range(sbi, dni->ino))
++ return false;
++
+ *nofs = ofs_of_node(node_page);
+ source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
+ f2fs_put_page(node_page, 1);
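Review bot: The added `return false` runs after `node_page` has been obtained and before the `f2fs_put_page(node_page, 1)` two lines below, so on the corrupted-image path the page reference (and lock) taken for `node_page` is never dropped; the new check should release it first: `if (f2fs_check_nid_range(sbi, dni->ino)) { f2fs_put_page(node_page, 1); return false; }`. The earlier failure paths of is_alive() that handle `node_page` are outside the hunk, so confirm they follow the same put-before-return pattern. is_alive() starts before the hunk.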
--- /dev/null
+From 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 6 Dec 2021 22:44:19 +0800
+Subject: f2fs: fix to do sanity check on inode type during garbage collection
+
+From: Chao Yu <chao@kernel.org>
+
+commit 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f upstream.
+
+As report by Wenqing Liu in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215231
+
+- Overview
+kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. mkdir mnt
+2. mount -t f2fs tmp1.img mnt
+3. touch tmp
+4. cp tmp mnt
+
+F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
+F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+ folio_mark_dirty+0x33/0x50
+ move_data_page+0x2dd/0x460 [f2fs]
+ do_garbage_collect+0xc18/0x16a0 [f2fs]
+ f2fs_gc+0x1d3/0xd90 [f2fs]
+ f2fs_balance_fs+0x13a/0x570 [f2fs]
+ f2fs_create+0x285/0x840 [f2fs]
+ path_openat+0xe6d/0x1040
+ do_filp_open+0xc5/0x140
+ do_sys_openat2+0x23a/0x310
+ do_sys_open+0x57/0x80
+
+The root cause is for special file: e.g. character, block, fifo or socket file,
+f2fs doesn't assign address space operations pointer array for mapping->a_ops field,
+so, in a fuzzed image, SSA table indicates a data block belong to special file, when
+f2fs tries to migrate that block, it causes NULL pointer access once move_data_page()
+calls a_ops->set_dirty_page().
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1457,7 +1457,8 @@ next_step:
+
+ if (phase == 3) {
+ inode = f2fs_iget(sb, dni.ino);
+- if (IS_ERR(inode) || is_bad_inode(inode))
++ if (IS_ERR(inode) || is_bad_inode(inode) ||
++ special_file(inode->i_mode))
+ continue;
+
+ if (!down_write_trylock(
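Review bot: The `continue` on the new `special_file(inode->i_mode)` condition drops a successfully looked-up inode without `iput()`, leaking the reference that `f2fs_iget()` returned (assuming it follows the iget convention of returning a referenced inode on success); the pre-existing `is_bad_inode()` arm has the same shape, so the commit extends the leak rather than introducing it. Only the `IS_ERR(inode)` case may `continue` directly; the other two need an `iput(inode)` before skipping the entry. The surrounding phase-3 loop body starts and ends outside the hunk.
```c
			inode = f2fs_iget(sb, dni.ino);
			if (IS_ERR(inode))
				continue;
			if (is_bad_inode(inode) || special_file(inode->i_mode)) {
				iput(inode);
				continue;
			}
			/* … unchanged: down_write_trylock() and the rest of phase 3 … */
```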
--- /dev/null
+From 645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Sun, 12 Dec 2021 17:16:30 +0800
+Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6 upstream.
+
+As Wenqing Liu reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215235
+
+- Overview
+page fault in f2fs_setxattr() when mount and operate on corrupted image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. unzip tmp7.zip
+2. ./single.sh f2fs 7
+
+Sometimes need to run the script several times
+
+- Kernel dump
+loop0: detected capacity change from 0 to 131072
+F2FS-fs (loop0): Found nat_bits in checkpoint
+F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
+BUG: unable to handle page fault for address: ffffe47bc7123f48
+RIP: 0010:kfree+0x66/0x320
+Call Trace:
+ __f2fs_setxattr+0x2aa/0xc00 [f2fs]
+ f2fs_setxattr+0xfa/0x480 [f2fs]
+ __f2fs_set_acl+0x19b/0x330 [f2fs]
+ __vfs_removexattr+0x52/0x70
+ __vfs_removexattr_locked+0xb1/0x140
+ vfs_removexattr+0x56/0x100
+ removexattr+0x57/0x80
+ path_removexattr+0xa3/0xc0
+ __x64_sys_removexattr+0x17/0x20
+ do_syscall_64+0x37/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is in __f2fs_setxattr(), we missed to do sanity check on
+last xattr entry, result in out-of-bound memory access during updating
+inconsistent xattr data of target inode.
+
+After the fix, it can detect such xattr inconsistency as below:
+
+F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -684,8 +684,17 @@ static int __f2fs_setxattr(struct inode
+ }
+
+ last = here;
+- while (!IS_XATTR_LAST_ENTRY(last))
++ while (!IS_XATTR_LAST_ENTRY(last)) {
++ if ((void *)(last) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu",
++ inode->i_ino, ENTRY_SIZE(last));
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto exit;
++ }
+ last = XATTR_NEXT_ENTRY(last);
++ }
+
+ newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
+
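Review bot: The `sizeof(__u32)` in the new bounds check is a magic value: it is the size of the entry header (e_name_index, e_name_len, e_value_size) that `ENTRY_SIZE()`/`XATTR_NEXT_ENTRY()` read, and the reason that header must be verified in bounds before the second comparison evaluates it; a comment such as `/* the 4-byte entry header must be in bounds before ENTRY_SIZE() reads it */` would make that explicit. Note also that `>` rather than `>=` lets `last` land exactly on `last_base_addr`, where the loop condition `IS_XATTR_LAST_ENTRY(last)` then reads 4 bytes; that appears to rely on the xattr buffer carrying trailing padding past `last_base_addr` (allocated outside this hunk), which is worth confirming and stating in the same comment. __f2fs_setxattr() starts and ends outside the hunk.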
--- /dev/null
+From 2966daf7d253d9904b337b040dd7a43472858b8a Mon Sep 17 00:00:00 2001
+From: Andreas Oetken <ennoerlangen@gmail.com>
+Date: Tue, 2 Nov 2021 18:26:04 +0100
+Subject: mtd: Fixed breaking list in __mtd_del_partition.
+
+From: Andreas Oetken <ennoerlangen@gmail.com>
+
+commit 2966daf7d253d9904b337b040dd7a43472858b8a upstream.
+
+Not the child partition should be removed from the partition list
+but the partition itself. Otherwise the partition list gets broken
+and any subsequent remove operations leads to a kernel panic.
+
+Fixes: 46b5889cc2c5 ("mtd: implement proper partition handling")
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211102172604.2921065-1-andreas.oetken@siemens-energy.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdpart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -312,7 +312,7 @@ static int __mtd_del_partition(struct mt
+ if (err)
+ return err;
+
+- list_del(&child->part.node);
++ list_del(&mtd->part.node);
+ free_partition(mtd);
+
+ return 0;
--- /dev/null
+From f53d4c109a666bf1a4883b45d546fba079258717 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Tue, 2 Nov 2021 21:20:22 +0100
+Subject: mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit f53d4c109a666bf1a4883b45d546fba079258717 upstream.
+
+gpmi_io clock needs to be gated off when changing the parent/dividers of
+enfc_clk_root (i.MX6Q/i.MX6UL) respectively qspi2_clk_root (i.MX6SX).
+Otherwise this rate change can lead to an unresponsive GPMI core which
+results in DMA timeouts and failed driver probe:
+
+[ 4.072318] gpmi-nand 112000.gpmi-nand: DMA timeout, last DMA
+...
+[ 4.370355] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -110
+...
+[ 4.375988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[ 4.381524] gpmi-nand 112000.gpmi-nand: Error in ECC-based read: -22
+[ 4.387988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[ 4.393535] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+...
+
+Other than stated in i.MX 6 erratum ERR007117, it should be sufficient
+to gate only gpmi_io because all other bch/nand clocks are derived from
+different clock roots.
+
+The i.MX6 reference manuals state that changing clock muxers can cause
+glitches but are silent about changing dividers. But tests showed that
+these glitches can definitely happen on i.MX6ULL. For i.MX7D/8MM in turn,
+the manual guarantees that no glitches can happen when changing
+dividers.
+
+Co-developed-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-2-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -713,14 +713,32 @@ static void gpmi_nfc_compute_timings(str
+ (use_half_period ? BM_GPMI_CTRL1_HALF_PERIOD : 0);
+ }
+
+-static void gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
++static int gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
+ {
+ struct gpmi_nfc_hardware_timing *hw = &this->hw;
+ struct resources *r = &this->resources;
+ void __iomem *gpmi_regs = r->gpmi_regs;
+ unsigned int dll_wait_time_us;
++ int ret;
++
++ /* Clock dividers do NOT guarantee a clean clock signal on its output
++ * during the change of the divide factor on i.MX6Q/UL/SX. On i.MX7/8,
++ * all clock dividers provide these guarantee.
++ */
++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this))
++ clk_disable_unprepare(r->clock[0]);
++
++ ret = clk_set_rate(r->clock[0], hw->clk_rate);
++ if (ret) {
++ dev_err(this->dev, "cannot set clock rate to %lu Hz: %d\n", hw->clk_rate, ret);
++ return ret;
++ }
+
+- clk_set_rate(r->clock[0], hw->clk_rate);
++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) {
++ ret = clk_prepare_enable(r->clock[0]);
++ if (ret)
++ return ret;
++ }
+
+ writel(hw->timing0, gpmi_regs + HW_GPMI_TIMING0);
+ writel(hw->timing1, gpmi_regs + HW_GPMI_TIMING1);
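Review bot: When `clk_set_rate()` fails on i.MX6Q/SX the function returns from the `dev_err` path with `r->clock[0]` still gated by the preceding `clk_disable_unprepare()`, so the controller is left without its gpmi_io clock and the prepare/enable counts are unbalanced for every later call. The re-enable should run regardless of the set_rate result, returning the first error seen. Separately, in the gpmi_nfc_exec_op hunk `must_apply_timings` is cleared before `gpmi_nfc_apply_timings()` is called, so a failed attempt is never retried on the next operation; clearing it only after success would be safer. The function continues into the second hunk.
```c
	ret = clk_set_rate(r->clock[0], hw->clk_rate);
	if (ret)
		dev_err(this->dev, "cannot set clock rate to %lu Hz: %d\n", hw->clk_rate, ret);

	/* Always re-enable the gated clock on i.MX6Q/SX, even if set_rate failed */
	if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) {
		int err = clk_prepare_enable(r->clock[0]);

		if (err && !ret)
			ret = err;
	}
	if (ret)
		return ret;

	/* … unchanged: timing register writes and DLL settle wait … */
```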
+@@ -739,6 +757,8 @@ static void gpmi_nfc_apply_timings(struc
+
+ /* Wait for the DLL to settle. */
+ udelay(dll_wait_time_us);
++
++ return 0;
+ }
+
+ static int gpmi_setup_interface(struct nand_chip *chip, int chipnr,
+@@ -2278,7 +2298,9 @@ static int gpmi_nfc_exec_op(struct nand_
+ */
+ if (this->hw.must_apply_timings) {
+ this->hw.must_apply_timings = false;
+- gpmi_nfc_apply_timings(this);
++ ret = gpmi_nfc_apply_timings(this);
++ if (ret)
++ return ret;
+ }
+
+ dev_dbg(this->dev, "%s: %d instructions\n", __func__, op->ninstrs);
--- /dev/null
+From aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b Mon Sep 17 00:00:00 2001
+From: Stefan Riedmueller <s.riedmueller@phytec.de>
+Date: Tue, 2 Nov 2021 21:20:21 +0100
+Subject: mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
+
+From: Stefan Riedmueller <s.riedmueller@phytec.de>
+
+commit aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b upstream.
+
+There is no need to explicitly set the default gpmi clock rate during
+boot for the i.MX 6 since this is done during nand_detect anyway.
+
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-1-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -1052,15 +1052,6 @@ static int gpmi_get_clks(struct gpmi_nan
+ r->clock[i] = clk;
+ }
+
+- if (GPMI_IS_MX6(this))
+- /*
+- * Set the default value for the gpmi clock.
+- *
+- * If you want to use the ONFI nand which is in the
+- * Synchronous Mode, you should change the clock as you need.
+- */
+- clk_set_rate(r->clock[0], 22000000);
+-
+ return 0;
+
+ err_clock:
--- /dev/null
+From dded08927ca3c31a5c37f8e7f95fe98770475dd4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Wed, 19 Jan 2022 08:48:16 +0100
+Subject: nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit dded08927ca3c31a5c37f8e7f95fe98770475dd4 upstream.
+
+Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer
+(which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after
+a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM.
+
+KASAN report:
+
+ BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0
+ Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899
+
+ CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x45/0x59
+ ? nfc_alloc_send_skb+0x2d/0xc0
+ __kasan_report.cold+0x117/0x11c
+ ? mark_lock+0x480/0x4f0
+ ? nfc_alloc_send_skb+0x2d/0xc0
+ kasan_report+0x38/0x50
+ nfc_alloc_send_skb+0x2d/0xc0
+ nfc_llcp_send_ui_frame+0x18c/0x2a0
+ ? nfc_llcp_send_i_frame+0x230/0x230
+ ? __local_bh_enable_ip+0x86/0xe0
+ ? llcp_sock_connect+0x470/0x470
+ ? llcp_sock_connect+0x470/0x470
+ sock_sendmsg+0x8e/0xa0
+ ____sys_sendmsg+0x253/0x3f0
+ ...
+
+The issue was visible only with multiple simultaneous calls to bind() and
+sendmsg(), which resulted in most of the bind() calls to fail. The
+bind() was failing on checking if there is available WKS/SDP/SAP
+(respective bit in 'struct nfc_llcp_local' fields). When there was no
+available WKS/SDP/SAP, the bind returned error but the sendmsg() to such
+socket was able to trigger mentioned NULL pointer dereference of
+nfc_llcp_sock->dev.
+
+The code looks simply racy and currently it protects several paths
+against race with checks for (!nfc_llcp_sock->local) which is NULL-ified
+in error paths of bind(). The llcp_sock_sendmsg() did not have such
+check but called function nfc_llcp_send_ui_frame() had, although not
+protected with lock_sock().
+
+Therefore the race could look like (same socket is used all the time):
+ CPU0 CPU1
+ ==== ====
+ llcp_sock_bind()
+ - lock_sock()
+ - success
+ - release_sock()
+ - return 0
+ llcp_sock_sendmsg()
+ - lock_sock()
+ - release_sock()
+ llcp_sock_bind(), same socket
+ - lock_sock()
+ - error
+ - nfc_llcp_send_ui_frame()
+ - if (!llcp_sock->local)
+ - llcp_sock->local = NULL
+ - nfc_put_device(dev)
+ - dereference llcp_sock->dev
+ - release_sock()
+ - return -ERRNO
+
+The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the
+lock, which is racy and ineffective check. Instead, its caller
+llcp_sock_sendmsg(), should perform the check inside lock_sock().
+
+Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
+Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -789,6 +789,11 @@ static int llcp_sock_sendmsg(struct sock
+
+ lock_sock(sk);
+
++ if (!llcp_sock->local) {
++ release_sock(sk);
++ return -ENODEV;
++ }
++
+ if (sk->sk_type == SOCK_DGRAM) {
+ DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
+ msg->msg_name);
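Review bot: The new `!llcp_sock->local` check is correct but undocumented; since the whole point of the fix is that the test must happen under `lock_sock()`, a comment such as `/* ->local is cleared under lock_sock() when bind() fails; test it under the same lock */` would keep a future cleanup from hoisting it above `lock_sock(sk)`. As the description notes, the unlocked `!llcp_sock->local` test inside nfc_llcp_send_ui_frame() is now redundant; leaving it is harmless, but a follow-up could remove it so there is a single authoritative check. llcp_sock_sendmsg() starts and ends outside the hunk.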
hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch
hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
alsa-core-fix-ssid-quirk-lookup-for-subvendor-0.patch
+cifs-free-ntlmsspblob-allocated-in-negotiate.patch
+f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch
+f2fs-fix-to-do-sanity-check-in-is_alive.patch
+f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
+f2fs-avoid-einval-by-sbi_need_fsck-when-pinning-a-file.patch
+nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
+mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
+mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
+mtd-fixed-breaking-list-in-__mtd_del_partition.patch