--- /dev/null
+From 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Apr 2021 13:21:03 -0300
+Subject: Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream.
+
+When cmtp_attach_device fails, cmtp_add_connection returns the error value
+which leads to the caller to doing fput through sockfd_put. But
+cmtp_session kthread, which is stopped in this path will also call fput,
+leading to a potential refcount underflow or a use-after-free.
+
+Add a refcount before we signal the kthread to stop. The kthread will try
+to grab the cmtp_session_sem mutex before doing the fput, which is held
+when get_file is called, so there should be no races there.
+
+Reported-by: Ryota Shiga
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/cmtp/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_conn
+ if (!(session->flags & BIT(CMTP_LOOPBACK))) {
+ err = cmtp_attach_device(session);
+ if (err < 0) {
++ /* Caller will call fput in case of failure, and so
++ * will cmtp_session kthread.
++ */
++ get_file(session->sock->file);
++
+ atomic_inc(&session->terminate);
+ wake_up_interruptible(sk_sleep(session->sock->sk));
+ up_write(&cmtp_session_sem);
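Review bot: The new comment says who drops the file reference but not why `get_file()` has to sit at exactly this point, which is the part a later refactor could break. Per the commit message, the extra reference is only race-free because it is taken before `atomic_inc(&session->terminate)` and the wake-up, and while `cmtp_session_sem` is still held (the `up_write()` is the last line of this hunk). I would extend the comment to something like `/* Take the extra ref before signalling the kthread and while cmtp_session_sem is held: both the caller (sockfd_put) and the kthread will fput. */`. The body of cmtp_add_connection continues outside the hunk.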
--- /dev/null
+From 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Fri, 30 Apr 2021 10:27:44 +0200
+Subject: drm/meson: fix shutdown crash when component not probed
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 upstream.
+
+When main component is not probed, by example when the dw-hdmi module is
+not loaded yet or in probe defer, the following crash appears on shutdown:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+...
+pc : meson_drv_shutdown+0x24/0x50
+lr : platform_drv_shutdown+0x20/0x30
+...
+Call trace:
+meson_drv_shutdown+0x24/0x50
+platform_drv_shutdown+0x20/0x30
+device_shutdown+0x158/0x360
+kernel_restart_prepare+0x38/0x48
+kernel_restart+0x18/0x68
+__do_sys_reboot+0x224/0x250
+__arm64_sys_reboot+0x24/0x30
+...
+
+Simply check if the priv struct has been allocated before using it.
+
+Fixes: fa0c16caf3d7 ("drm: meson_drv add shutdown function")
+Reported-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210430082744.3638743-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -423,11 +423,12 @@ static int meson_probe_remote(struct pla
+ static void meson_drv_shutdown(struct platform_device *pdev)
+ {
+ struct meson_drm *priv = dev_get_drvdata(&pdev->dev);
+- struct drm_device *drm = priv->drm;
+
+- DRM_DEBUG_DRIVER("\n");
+- drm_kms_helper_poll_fini(drm);
+- drm_atomic_helper_shutdown(drm);
++ if (!priv)
++ return;
++
++ drm_kms_helper_poll_fini(priv->drm);
++ drm_atomic_helper_shutdown(priv->drm);
+ }
+
+ static int meson_drv_probe(struct platform_device *pdev)
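Review bot: The `if (!priv)` guard only covers the case where drvdata was never set; it does not help if the bind path stored `priv` and then failed or was unbound without clearing it. That path is not visible in this hunk, so it is worth confirming that every error and unbind path after the drvdata store resets it to NULL, otherwise shutdown would follow a stale pointer rather than a NULL one. If that invariant holds, a short comment on the check such as `/* drvdata stays NULL until the master component has bound */` would record what the guard relies on.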
--- /dev/null
+From bb002388901151fe35b6697ab116f6ed0721a9ed Mon Sep 17 00:00:00 2001
+From: zhouchuangao <zhouchuangao@vivo.com>
+Date: Sun, 9 May 2021 19:34:37 -0700
+Subject: fs/nfs: Use fatal_signal_pending instead of signal_pending
+
+From: zhouchuangao <zhouchuangao@vivo.com>
+
+commit bb002388901151fe35b6697ab116f6ed0721a9ed upstream.
+
+We set the state of the current process to TASK_KILLABLE via
+prepare_to_wait(). Should we use fatal_signal_pending() to detect
+the signal here?
+
+Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE")
+Signed-off-by: zhouchuangao <zhouchuangao@vivo.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1647,7 +1647,7 @@ static void nfs_set_open_stateid_locked(
+ rcu_read_unlock();
+ trace_nfs4_open_stateid_update_wait(state->inode, stateid, 0);
+
+- if (!signal_pending(current)) {
++ if (!fatal_signal_pending(current)) {
+ if (schedule_timeout(5*HZ) == 0)
+ status = -EAGAIN;
+ else
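Review bot: Neither call site explains why the fatal-only test is the right one, and the commit message itself is phrased as a question. According to that message the task waits in TASK_KILLABLE, so a comment such as `/* waiting TASK_KILLABLE: only a fatal signal can cut the sleep short */` above `if (!fatal_signal_pending(current))` here, and above the matching test in nfs4_refresh_open_old_stateid in the second hunk, would keep the check tied to the wait state. The prepare_to_wait() call is outside both hunks, so the state should be confirmed there before the comment is added.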
+@@ -3416,7 +3416,7 @@ static bool nfs4_refresh_open_old_statei
+ write_sequnlock(&state->seqlock);
+ trace_nfs4_close_stateid_update_wait(state->inode, dst, 0);
+
+- if (signal_pending(current))
++ if (fatal_signal_pending(current))
+ status = -EINTR;
+ else
+ if (schedule_timeout(5*HZ) != 0)
--- /dev/null
+From db825feefc6868896fed5e361787ba3bee2fd906 Mon Sep 17 00:00:00 2001
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Date: Sun, 9 May 2021 09:43:18 +0300
+Subject: net/mlx4: Fix EEPROM dump support
+
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+
+commit db825feefc6868896fed5e361787ba3bee2fd906 upstream.
+
+Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page
+number correctly. For SFP set the following params:
+- I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51.
+- Page number is zero.
+- Offset is 0-255.
+
+At the same time, QSFP* parameters are different:
+- I2C address is always 0x50.
+- Page number is not limited to zero.
+- Offset is 0-255 for page zero and 128-255 for others.
+
+To set parameters accordingly to cable used, implement function to query
+module ID and implement respective helper functions to set parameters
+correctly.
+
+Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4
+ drivers/net/ethernet/mellanox/mlx4/port.c | 107 +++++++++++++++++++++++-
+ 2 files changed, 104 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -2011,8 +2011,6 @@ static int mlx4_en_set_tunable(struct ne
+ return ret;
+ }
+
+-#define MLX4_EEPROM_PAGE_LEN 256
+-
+ static int mlx4_en_get_module_info(struct net_device *dev,
+ struct ethtool_modinfo *modinfo)
+ {
+@@ -2047,7 +2045,7 @@ static int mlx4_en_get_module_info(struc
+ break;
+ case MLX4_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+ break;
+ default:
+ return -EINVAL;
+--- a/drivers/net/ethernet/mellanox/mlx4/port.c
++++ b/drivers/net/ethernet/mellanox/mlx4/port.c
+@@ -1973,6 +1973,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_sla
+ #define I2C_ADDR_LOW 0x50
+ #define I2C_ADDR_HIGH 0x51
+ #define I2C_PAGE_SIZE 256
++#define I2C_HIGH_PAGE_SIZE 128
+
+ /* Module Info Data */
+ struct mlx4_cable_info {
+@@ -2026,6 +2027,88 @@ static inline const char *cable_info_mad
+ return "Unknown Error";
+ }
+
++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id)
++{
++ struct mlx4_cmd_mailbox *inbox, *outbox;
++ struct mlx4_mad_ifc *inmad, *outmad;
++ struct mlx4_cable_info *cable_info;
++ int ret;
++
++ inbox = mlx4_alloc_cmd_mailbox(dev);
++ if (IS_ERR(inbox))
++ return PTR_ERR(inbox);
++
++ outbox = mlx4_alloc_cmd_mailbox(dev);
++ if (IS_ERR(outbox)) {
++ mlx4_free_cmd_mailbox(dev, inbox);
++ return PTR_ERR(outbox);
++ }
++
++ inmad = (struct mlx4_mad_ifc *)(inbox->buf);
++ outmad = (struct mlx4_mad_ifc *)(outbox->buf);
++
++ inmad->method = 0x1; /* Get */
++ inmad->class_version = 0x1;
++ inmad->mgmt_class = 0x1;
++ inmad->base_version = 0x1;
++ inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info */
++
++ cable_info = (struct mlx4_cable_info *)inmad->data;
++ cable_info->dev_mem_address = 0;
++ cable_info->page_num = 0;
++ cable_info->i2c_addr = I2C_ADDR_LOW;
++ cable_info->size = cpu_to_be16(1);
++
++ ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3,
++ MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C,
++ MLX4_CMD_NATIVE);
++ if (ret)
++ goto out;
++
++ if (be16_to_cpu(outmad->status)) {
++ /* Mad returned with bad status */
++ ret = be16_to_cpu(outmad->status);
++ mlx4_warn(dev,
++ "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n",
++ 0xFF60, port, I2C_ADDR_LOW, 0, 1, ret,
++ cable_info_mad_err_str(ret));
++ ret = -ret;
++ goto out;
++ }
++ cable_info = (struct mlx4_cable_info *)outmad->data;
++ *module_id = cable_info->data[0];
++out:
++ mlx4_free_cmd_mailbox(dev, inbox);
++ mlx4_free_cmd_mailbox(dev, outbox);
++ return ret;
++}
++
++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++ *i2c_addr = I2C_ADDR_LOW;
++ *page_num = 0;
++
++ if (*offset < I2C_PAGE_SIZE)
++ return;
++
++ *i2c_addr = I2C_ADDR_HIGH;
++ *offset -= I2C_PAGE_SIZE;
++}
++
++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++ /* Offsets 0-255 belong to page 0.
++ * Offsets 256-639 belong to pages 01, 02, 03.
++ * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2
++ */
++ if (*offset < I2C_PAGE_SIZE)
++ *page_num = 0;
++ else
++ *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE;
++ *i2c_addr = I2C_ADDR_LOW;
++ *offset -= *page_num * I2C_HIGH_PAGE_SIZE;
++}
++
+ /**
+ * mlx4_get_module_info - Read cable module eeprom data
+ * @dev: mlx4_dev.
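Review bot: Both new helpers trust `*offset` to lie inside the module's EEPROM range, and nothing in this hunk enforces that. In mlx4_qsfp_eeprom_params_set the page is computed as `1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE` and stored through a `u8 *`, so a large enough offset truncates the page number and leaves `*offset` outside 128-255. In mlx4_sfp_eeprom_params_set an offset of 512 or more is still above 255 after the subtraction. The ethtool core presumably bounds the offset by the reported `eeprom_len`, but mlx4_get_module_info is not static, so I would either reject out-of-range offsets with `-EINVAL` before the MAD is built or state the caller contract in its kernel-doc. The 639 upper bound already named in the QSFP comment is the natural limit for that check.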
+@@ -2045,12 +2128,30 @@ int mlx4_get_module_info(struct mlx4_dev
+ struct mlx4_cmd_mailbox *inbox, *outbox;
+ struct mlx4_mad_ifc *inmad, *outmad;
+ struct mlx4_cable_info *cable_info;
+- u16 i2c_addr;
++ u8 module_id, i2c_addr, page_num;
+ int ret;
+
+ if (size > MODULE_INFO_MAX_READ)
+ size = MODULE_INFO_MAX_READ;
+
++ ret = mlx4_get_module_id(dev, port, &module_id);
++ if (ret)
++ return ret;
++
++ switch (module_id) {
++ case MLX4_MODULE_ID_SFP:
++ mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ case MLX4_MODULE_ID_QSFP:
++ case MLX4_MODULE_ID_QSFP_PLUS:
++ case MLX4_MODULE_ID_QSFP28:
++ mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ default:
++ mlx4_err(dev, "Module ID not recognized: %#x\n", module_id);
++ return -EINVAL;
++ }
++
+ inbox = mlx4_alloc_cmd_mailbox(dev);
+ if (IS_ERR(inbox))
+ return PTR_ERR(inbox);
+@@ -2076,11 +2177,9 @@ int mlx4_get_module_info(struct mlx4_dev
+ */
+ size -= offset + size - I2C_PAGE_SIZE;
+
+- i2c_addr = I2C_ADDR_LOW;
+-
+ cable_info = (struct mlx4_cable_info *)inmad->data;
+ cable_info->dev_mem_address = cpu_to_be16(offset);
+- cable_info->page_num = 0;
++ cable_info->page_num = page_num;
+ cable_info->i2c_addr = i2c_addr;
+ cable_info->size = cpu_to_be16(size);
+
--- /dev/null
+From 97817fcc684ed01497bd19d0cd4dea699665b9cf Mon Sep 17 00:00:00 2001
+From: Dima Chumak <dchumak@nvidia.com>
+Date: Tue, 13 Apr 2021 22:43:08 +0300
+Subject: net/mlx5e: Fix multipath lag activation
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+commit 97817fcc684ed01497bd19d0cd4dea699665b9cf upstream.
+
+When handling FIB_EVENT_ENTRY_REPLACE event for a new multipath route,
+lag activation can be missed if a stale (struct lag_mp)->mfi pointer
+exists, which was associated with an older multipath route that had been
+removed.
+
+Normally, when a route is removed, it triggers mlx5_lag_fib_event(),
+which handles FIB_EVENT_ENTRY_DEL and clears mfi pointer. But, if
+mlx5_lag_check_prereq() condition isn't met, for example when eswitch is
+in legacy mode, the fib event is skipped and mfi pointer becomes stale.
+
+Fix by resetting mfi pointer to NULL every time mlx5_lag_mp_init() is
+called.
+
+Fixes: 544fe7c2e654 ("net/mlx5e: Activate HW multipath and handle port affinity based on FIB events")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c
+@@ -307,6 +307,11 @@ int mlx5_lag_mp_init(struct mlx5_lag *ld
+ struct lag_mp *mp = &ldev->lag_mp;
+ int err;
+
++ /* always clear mfi, as it might become stale when a route delete event
++ * has been missed
++ */
++ mp->mfi = NULL;
++
+ if (mp->fib_nb.notifier_call)
+ return 0;
+
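Review bot: The store `mp->mfi = NULL` sits above the `if (mp->fib_nb.notifier_call) return 0;` early return, so it also runs when the FIB notifier is already registered and events may be in flight. No lock or flush is visible in the hunk, so it is unclear what orders this write against the event handling that reads and updates `mfi`. If the caller already serializes the two, the comment should say so, for example `/* caller holds <lock name>, so no FIB event work runs concurrently */` with the real lock filled in. mlx5_lag_mp_init continues outside the hunk.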
+@@ -328,4 +333,5 @@ void mlx5_lag_mp_cleanup(struct mlx5_lag
+
+ unregister_fib_notifier(&mp->fib_nb);
+ mp->fib_nb.notifier_call = NULL;
++ mp->mfi = NULL;
+ }
--- /dev/null
+From dca59f4a791960ec73fa15803faa0abe0f92ece2 Mon Sep 17 00:00:00 2001
+From: Dima Chumak <dchumak@nvidia.com>
+Date: Mon, 26 Apr 2021 15:16:26 +0300
+Subject: net/mlx5e: Fix nullptr in add_vlan_push_action()
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+commit dca59f4a791960ec73fa15803faa0abe0f92ece2 upstream.
+
+The result of dev_get_by_index_rcu() is not checked for NULL and then
+gets dereferenced immediately.
+
+Also, the RCU lock must be held by the caller of dev_get_by_index_rcu(),
+which isn't satisfied by the call stack.
+
+Fix by handling nullptr return value when iflink device is not found.
+Add RCU locking around dev_get_by_index_rcu() to avoid possible adverse
+effects while iterating over the net_device's hlist.
+
+It is safe not to increment reference count of the net_device pointer in
+case of a successful lookup, because it's already handled by VLAN code
+during VLAN device registration (see register_vlan_dev and
+netdev_upper_dev_link).
+
+Fixes: 278748a95aa3 ("net/mlx5e: Offload TC e-switch rules with egress VLAN device")
+Addresses-Coverity: ("Dereference null return value")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -3170,8 +3170,12 @@ static int add_vlan_push_action(struct m
+ if (err)
+ return err;
+
+- *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev),
+- dev_get_iflink(vlan_dev));
++ rcu_read_lock();
++ *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev), dev_get_iflink(vlan_dev));
++ rcu_read_unlock();
++ if (!*out_dev)
++ return -ENODEV;
++
+ if (is_vlan_dev(*out_dev))
+ err = add_vlan_push_action(priv, attr, out_dev, action);
+
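Review bot: `*out_dev` is used after `rcu_read_unlock()` without a reference being taken, and the only justification for that lives in the commit message. Both `is_vlan_dev(*out_dev)` and the recursive `add_vlan_push_action()` call touch the pointer outside the read-side section, so the lifetime argument belongs next to the code: `/* No dev_hold(): the lower device is pinned by the VLAN upper link set up at VLAN registration (register_vlan_dev). */` above the `rcu_read_lock()`. The lookup line is also longer than the rest of the hunk's lines and could keep the original two-line wrap. The function continues outside the hunk.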
--- /dev/null
+From 0d0ea309357dea0d85a82815f02157eb7fcda39f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:40:12 -0400
+Subject: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream.
+
+The value of mirror->pg_bytes_written should only be updated after a
+successful attempt to flush out the requests on the list.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1019,17 +1019,16 @@ static void nfs_pageio_doio(struct nfs_p
+ {
+ struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
+
+-
+ if (!list_empty(&mirror->pg_list)) {
+ int error = desc->pg_ops->pg_doio(desc);
+ if (error < 0)
+ desc->pg_error = error;
+- else
++ if (list_empty(&mirror->pg_list)) {
+ mirror->pg_bytes_written += mirror->pg_count;
+- }
+- if (list_empty(&mirror->pg_list)) {
+- mirror->pg_count = 0;
+- mirror->pg_base = 0;
++ mirror->pg_count = 0;
++ mirror->pg_base = 0;
++ mirror->pg_recoalesce = 0;
++ }
+ }
+ }
+
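Review bot: After this change `pg_bytes_written` advances whenever the list is empty after `pg_doio()`, including when `error < 0` has just been stored in `desc->pg_error`, because the `else` was replaced by an independent `if (list_empty(&mirror->pg_list))`. The commit message says the counter should move only after a successful flush, and whether `pg_doio()` can fail while still draining the list is not visible here. If an emptied list is the intended definition of success, a comment such as `/* an empty list, not the return code, tells us the requests were sent */` above the inner `if` would make that explicit; if not, the error case needs excluding from the byte count.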
+@@ -1123,7 +1122,6 @@ static int nfs_do_recoalesce(struct nfs_
+
+ do {
+ list_splice_init(&mirror->pg_list, &head);
+- mirror->pg_bytes_written -= mirror->pg_count;
+ mirror->pg_count = 0;
+ mirror->pg_base = 0;
+ mirror->pg_recoalesce = 0;
--- /dev/null
+From 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 11 May 2021 11:49:42 +0300
+Subject: NFS: fix an incorrect limit in filelayout_decode_layout()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.
+
+The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
+memory corruption. It should be NFS_MAXFHSIZE because that's the size
+of the ->data[] buffer.
+
+I reversed the size of the arguments to put the variable on the left.
+
+Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/filelayout/filelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -717,7 +717,7 @@ filelayout_decode_layout(struct pnfs_lay
+ if (unlikely(!p))
+ goto out_err;
+ fl->fh_array[i]->size = be32_to_cpup(p++);
+- if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) {
++ if (fl->fh_array[i]->size > NFS_MAXFHSIZE) {
+ printk(KERN_ERR "NFS: Too big fh %d received %d\n",
+ i, fl->fh_array[i]->size);
+ goto out_err;
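Review bot: The bound is now the right one, but nothing at the check says that `size` was just decoded from the wire by `be32_to_cpup(p++)` and that `NFS_MAXFHSIZE` is the capacity of the destination `data[]` array, which the commit message gives as the reason. A comment like `/* size comes from the server reply; it must fit nfs_fh.data[NFS_MAXFHSIZE] */` would stop the test from being changed back to a `sizeof`. The code that consumes `size` is outside the hunk, so confirm that every use of it runs after this check.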
--- /dev/null
+From 56517ab958b7c11030e626250c00b9b1a24b41eb Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:23:05 -0400
+Subject: NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 56517ab958b7c11030e626250c00b9b1a24b41eb upstream.
+
+Ensure that nfs_pageio_error_cleanup() resets the mirror array contents,
+so that the structure reflects the fact that it is now empty.
+Also change the test in nfs_pageio_do_add_request() to be more robust by
+checking whether or not the list is empty rather than relying on the
+value of pg_count.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -986,15 +986,16 @@ static int nfs_pageio_do_add_request(str
+
+ struct nfs_page *prev = NULL;
+
+- if (mirror->pg_count != 0) {
+- prev = nfs_list_entry(mirror->pg_list.prev);
+- } else {
++ if (list_empty(&mirror->pg_list)) {
+ if (desc->pg_ops->pg_init)
+ desc->pg_ops->pg_init(desc, req);
+ if (desc->pg_error < 0)
+ return 0;
+ mirror->pg_base = req->wb_pgbase;
+- }
++ mirror->pg_count = 0;
++ mirror->pg_recoalesce = 0;
++ } else
++ prev = nfs_list_entry(mirror->pg_list.prev);
+
+ if (desc->pg_maxretrans && req->wb_nio > desc->pg_maxretrans) {
+ if (NFS_SERVER(desc->pg_inode)->flags & NFS_MOUNT_SOFTERR)
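Review bot: The rewritten conditional ends in `} else` followed by an unbraced statement while the `if` branch is braced; kernel coding style asks for braces on both branches when either one needs them. I would write `} else {`, then `prev = nfs_list_entry(mirror->pg_list.prev);`, then `}`. The surrounding function starts and ends outside the hunk.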
--- /dev/null
+From e67afa7ee4a59584d7253e45d7f63b9528819a13 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Tue, 25 May 2021 23:32:35 -0400
+Subject: NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit e67afa7ee4a59584d7253e45d7f63b9528819a13 upstream.
+
+Since commit bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors"),
+nfs42_proc_llseek would return -EOPNOTSUPP rather than -ENOTSUPP when
+SEEK_DATA on NFSv4.0/v4.1.
+
+This will lead xfstests generic/285 not run on NFSv4.0/v4.1 when set the
+CONFIG_NFS_V4_2, rather than run failed.
+
+Fixes: bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors")
+Cc: <stable.vger.kernel.org> # 4.2
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -168,7 +168,7 @@ static loff_t nfs4_file_llseek(struct fi
+ case SEEK_HOLE:
+ case SEEK_DATA:
+ ret = nfs42_proc_llseek(filep, offset, whence);
+- if (ret != -ENOTSUPP)
++ if (ret != -EOPNOTSUPP)
+ return ret;
+ /* Fall through */
+ default:
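Review bot: With the test switched to `-EOPNOTSUPP`, any path in nfs42_proc_llseek() that still produces `-ENOTSUPP` would now be returned to the caller instead of falling through to the generic llseek. ENOTSUPP is a kernel-internal value with no userspace errno, so it should not leave this function. nfs42_proc_llseek() is not visible here; if such a path may remain, `if (ret != -EOPNOTSUPP && ret != -ENOTSUPP)` keeps the fall-through for both, and otherwise a comment naming the commit that changed the return code would explain the constant.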
--- /dev/null
+From 75016891357a628d2b8acc09e2b9b2576c18d318 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Fri, 14 May 2021 08:23:03 +0700
+Subject: Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream.
+
+This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
+Above fix is not correct and caused memory leak issue.
+
+Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Acked-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1210,7 +1210,10 @@ void tipc_sk_mcast_rcv(struct net *net,
+ spin_lock_bh(&inputq->lock);
+ if (skb_peek(arrvq) == skb) {
+ skb_queue_splice_tail_init(&tmpq, inputq);
+- __skb_dequeue(arrvq);
++ /* Decrease the skb's refcnt as increasing in the
++ * function tipc_skb_peek
++ */
++ kfree_skb(__skb_dequeue(arrvq));
+ }
+ spin_unlock_bh(&inputq->lock);
+ __skb_queue_purge(&tmpq);
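Review bot: The restored comment is hard to read and does not say which reference `kfree_skb(__skb_dequeue(arrvq))` releases; something like `/* Drop the reference taken by tipc_skb_peek() on the skb we dequeue */` would be clearer if that is the intended pairing. Since the reverted commit was about a double free and this revert is about a leak, the get/put balance deserves to be spelled out. The hunk shows this put only on the `skb_peek(arrvq) == skb` branch, and the rest of the loop is outside the hunk. Please confirm there is exactly one release per reference on both branches and note it in the comment.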
usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
net-usb-fix-memory-leak-in-smsc75xx_bind.patch
spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
+bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
+fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
+nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
+nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
+nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
+nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
+drm-meson-fix-shutdown-crash-when-component-not-probed.patch
+net-mlx5e-fix-multipath-lag-activation.patch
+net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch
+net-mlx4-fix-eeprom-dump-support.patch
+revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
+tipc-wait-and-exit-until-all-work-queues-are-done.patch
+tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
--- /dev/null
+From 680ec0549a055eb464dce6ffb4bfb736ef87236e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 9 May 2021 21:12:27 +0200
+Subject: spi: spi-fsl-dspi: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 680ec0549a055eb464dce6ffb4bfb736ef87236e upstream.
+
+'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the
+error handling path of the probe function, as already done in the remove
+function
+
+Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/d51caaac747277a1099ba8dea07acd85435b857e.1620587472.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -1142,11 +1142,13 @@ poll_mode:
+ ret = spi_register_controller(ctlr);
+ if (ret != 0) {
+ dev_err(&pdev->dev, "Problem registering DSPI ctlr\n");
+- goto out_free_irq;
++ goto out_release_dma;
+ }
+
+ return ret;
+
++out_release_dma:
++ dspi_release_dma(dspi);
+ out_free_irq:
+ if (dspi->irq)
+ free_irq(dspi->irq, dspi);
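Review bot: `out_release_dma` is reached from the `spi_register_controller()` failure, which the hunk header places after the `poll_mode:` label, so the label can apparently be taken on a probe that never called `dspi_request_dma()`. `dspi_release_dma()` is not visible here; the commit message says remove already calls it, which suggests it tolerates that case, but this should be confirmed. If it does, a comment at the label such as `/* safe when DMA was never requested */` would record that. The probe function starts outside the hunk.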
--- /dev/null
+From b7df21cf1b79ab7026f545e7bf837bd5750ac026 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 8 May 2021 03:57:03 +0800
+Subject: tipc: skb_linearize the head skb when reassembling msgs
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit b7df21cf1b79ab7026f545e7bf837bd5750ac026 upstream.
+
+It's not a good idea to append the frag skb to a skb's frag_list if
+the frag_list already has skbs from elsewhere, such as this skb was
+created by pskb_copy() where the frag_list was cloned (all the skbs
+in it were skb_get'ed) and shared by multiple skbs.
+
+However, the new appended frag skb should have been only seen by the
+current skb. Otherwise, it will cause use after free crashes as this
+appended frag skb are seen by multiple skbs but it only got skb_get
+called once.
+
+The same thing happens with a skb updated by pskb_may_pull() with a
+skb_cloned skb. Li Shuang has reported quite a few crashes caused
+by this when doing testing over macvlan devices:
+
+ [] kernel BUG at net/core/skbuff.c:1970!
+ [] Call Trace:
+ [] skb_clone+0x4d/0xb0
+ [] macvlan_broadcast+0xd8/0x160 [macvlan]
+ [] macvlan_process_broadcast+0x148/0x150 [macvlan]
+ [] process_one_work+0x1a7/0x360
+ [] worker_thread+0x30/0x390
+
+ [] kernel BUG at mm/usercopy.c:102!
+ [] Call Trace:
+ [] __check_heap_object+0xd3/0x100
+ [] __check_object_size+0xff/0x16b
+ [] simple_copy_to_iter+0x1c/0x30
+ [] __skb_datagram_iter+0x7d/0x310
+ [] __skb_datagram_iter+0x2a5/0x310
+ [] skb_copy_datagram_iter+0x3b/0x90
+ [] tipc_recvmsg+0x14a/0x3a0 [tipc]
+ [] ____sys_recvmsg+0x91/0x150
+ [] ___sys_recvmsg+0x7b/0xc0
+
+ [] kernel BUG at mm/slub.c:305!
+ [] Call Trace:
+ [] <IRQ>
+ [] kmem_cache_free+0x3ff/0x400
+ [] __netif_receive_skb_core+0x12c/0xc40
+ [] ? kmem_cache_alloc+0x12e/0x270
+ [] netif_receive_skb_internal+0x3d/0xb0
+ [] ? get_rx_page_info+0x8e/0xa0 [be2net]
+ [] be_poll+0x6ef/0xd00 [be2net]
+ [] ? irq_exit+0x4f/0x100
+ [] net_rx_action+0x149/0x3b0
+
+ ...
+
+This patch is to fix it by linearizing the head skb if it has frag_list
+set in tipc_buf_append(). Note that we choose to do this before calling
+skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can
+not just drop the frag_list either as the early time.
+
+Fixes: 45c8b7b175ce ("tipc: allow non-linear first fragment buffer")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -141,18 +141,13 @@ int tipc_buf_append(struct sk_buff **hea
+ if (unlikely(head))
+ goto err;
+ *buf = NULL;
++ if (skb_has_frag_list(frag) && __skb_linearize(frag))
++ goto err;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
+ head = *headbuf = frag;
+ TIPC_SKB_CB(head)->tail = NULL;
+- if (skb_is_nonlinear(head)) {
+- skb_walk_frags(head, tail) {
+- TIPC_SKB_CB(head)->tail = tail;
+- }
+- } else {
+- skb_frag_list_init(head);
+- }
+ return 0;
+ }
+
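Review bot: The new `goto err` after `__skb_linearize(frag)` is taken when `*buf` has already been set to NULL on the line above, so an error path that frees through `*buf` would no longer see `frag` and the buffer would leak on a linearize failure. The `err:` label is outside the hunk, so this needs checking there; `skb_unshare()` is a different case because it releases the skb itself when it fails. If the label does free via `*buf`, moving `*buf = NULL;` below the linearize check keeps ownership with the error path. A short comment on the linearize call, e.g. `/* frag_list may be shared with clones; flatten before fragments are appended */`, would also bring the commit message's reasoning into the code.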
--- /dev/null
+From 04c26faa51d1e2fe71cf13c45791f5174c37f986 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 May 2021 02:28:58 +0800
+Subject: tipc: wait and exit until all work queues are done
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream.
+
+On some host, a crash could be triggered simply by repeating these
+commands several times:
+
+ # modprobe tipc
+ # tipc bearer enable media udp name UDP1 localip 127.0.0.1
+ # rmmod tipc
+
+ [] BUG: unable to handle kernel paging request at ffffffffc096bb00
+ [] Workqueue: events 0xffffffffc096bb00
+ [] Call Trace:
+ [] ? process_one_work+0x1a7/0x360
+ [] ? worker_thread+0x30/0x390
+ [] ? create_worker+0x1a0/0x1a0
+ [] ? kthread+0x116/0x130
+ [] ? kthread_flush_work_fn+0x10/0x10
+ [] ? ret_from_fork+0x35/0x40
+
+When removing the TIPC module, the UDP tunnel sock will be delayed to
+release in a work queue as sock_release() can't be done in rtnl_lock().
+If the work queue is schedule to run after the TIPC module is removed,
+kernel will crash as the work queue function cleanup_beareri() code no
+longer exists when trying to invoke it.
+
+To fix it, this patch introduce a member wq_count in tipc_net to track
+the numbers of work queues in schedule, and wait and exit until all
+work queues are done in tipc_exit_net().
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/core.c | 3 +++
+ net/tipc/core.h | 2 ++
+ net/tipc/udp_media.c | 2 ++
+ 3 files changed, 7 insertions(+)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -107,6 +107,9 @@ static void __net_exit tipc_exit_net(str
+ tipc_bcast_stop(net);
+ tipc_nametbl_stop(net);
+ tipc_sk_rht_destroy(net);
++
++ while (atomic_read(&tn->wq_count))
++ cond_resched();
+ }
+
+ static struct pernet_operations tipc_net_ops = {
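Review bot: The wait added to tipc_exit_net is an open-ended polling loop, `while (atomic_read(&tn->wq_count)) cond_resched();`, with no sleep, no bound and no comment. If a queued work item is delayed, namespace teardown spins for as long as it takes. A comment should at least name what it waits for, for example `/* wait for cleanup_bearer() work scheduled by tipc_udp_disable() */`. The loop also assumes `wq_count` starts at zero, and its initialisation is not visible in this patch, so that should be confirmed in the net init path.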
+--- a/net/tipc/core.h
++++ b/net/tipc/core.h
+@@ -143,6 +143,8 @@ struct tipc_net {
+
+ /* Work item for net finalize */
+ struct tipc_net_work final_work;
++ /* The numbers of work queues in schedule */
++ atomic_t wq_count;
+ };
+
+ static inline struct tipc_net *tipc_net(struct net *net)
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -802,6 +802,7 @@ static void cleanup_bearer(struct work_s
+ kfree_rcu(rcast, rcu);
+ }
+
++ atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+ dst_cache_destroy(&ub->rcast.dst_cache);
+ udp_tunnel_sock_release(ub->ubsock);
+ synchronize_net();
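Review bot: The `atomic_dec()` on `wq_count` is placed before `dst_cache_destroy()`, `udp_tunnel_sock_release()` and `synchronize_net()`, so the counter can reach zero while cleanup_bearer is still executing. tipc_exit_net only waits for the counter, which means teardown can continue while this work function is still running its tail, narrowing the window from the commit message rather than closing it. The decrement presumably sits here because it reads `ub->ubsock->sk`, which is released two lines later. Caching the pointer first, `struct tipc_net *tn = tipc_net(sock_net(ub->ubsock->sk));`, and making `atomic_dec(&tn->wq_count);` the last statement of the function would avoid both problems. cleanup_bearer starts and ends outside the hunk.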
+@@ -822,6 +823,7 @@ static void tipc_udp_disable(struct tipc
+ RCU_INIT_POINTER(ub->bearer, NULL);
+
+ /* sock_release need to be done outside of rtnl lock */
++ atomic_inc(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+ INIT_WORK(&ub->work, cleanup_bearer);
+ schedule_work(&ub->work);
+ }