5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 13:51:32 +0000 (15:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 13:51:32 +0000 (15:51 +0200)
added patches:
bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
drm-meson-fix-shutdown-crash-when-component-not-probed.patch
fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch

queue-5.12/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch [new file with mode: 0644]
queue-5.12/drm-meson-fix-shutdown-crash-when-component-not-probed.patch [new file with mode: 0644]
queue-5.12/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch [new file with mode: 0644]
queue-5.12/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch [new file with mode: 0644]
queue-5.12/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch [new file with mode: 0644]
queue-5.12/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch [new file with mode: 0644]
queue-5.12/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch [new file with mode: 0644]
queue-5.12/series

diff --git a/queue-5.12/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch b/queue-5.12/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
new file mode 100644 (file)
index 0000000..8a07839
--- /dev/null
@@ -0,0 +1,40 @@
+From 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Apr 2021 13:21:03 -0300
+Subject: Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream.
+
+When cmtp_attach_device fails, cmtp_add_connection returns the error value
+which leads to the caller to doing fput through sockfd_put. But
+cmtp_session kthread, which is stopped in this path will also call fput,
+leading to a potential refcount underflow or a use-after-free.
+
+Add a refcount before we signal the kthread to stop. The kthread will try
+to grab the cmtp_session_sem mutex before doing the fput, which is held
+when get_file is called, so there should be no races there.
+
+Reported-by: Ryota Shiga
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/cmtp/core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_conn
+       if (!(session->flags & BIT(CMTP_LOOPBACK))) {
+               err = cmtp_attach_device(session);
+               if (err < 0) {
++                      /* Caller will call fput in case of failure, and so
++                       * will cmtp_session kthread.
++                       */
++                      get_file(session->sock->file);
++
+                       atomic_inc(&session->terminate);
+                       wake_up_interruptible(sk_sleep(session->sock->sk));
+                       up_write(&cmtp_session_sem);
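Review bot: The comment added above `get_file()` says that two fput() calls will follow but not why taking the reference here, before `atomic_inc(&session->terminate)` and `up_write(&cmtp_session_sem)`, is race-free; the description states that the kthread takes cmtp_session_sem before its fput, and that ordering is what makes the extra reference safe, so it belongs in the code rather than only in the log. Suggested wording: `/* Both the caller (via sockfd_put) and the cmtp_session kthread will fput() this file; take the extra ref while cmtp_session_sem is still held, since the kthread acquires it before its fput(). */`. The error return of cmtp_add_connection that pairs with the caller's fput lies outside the hunk.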
diff --git a/queue-5.12/drm-meson-fix-shutdown-crash-when-component-not-probed.patch b/queue-5.12/drm-meson-fix-shutdown-crash-when-component-not-probed.patch
new file mode 100644 (file)
index 0000000..5931eda
--- /dev/null
@@ -0,0 +1,59 @@
+From 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Fri, 30 Apr 2021 10:27:44 +0200
+Subject: drm/meson: fix shutdown crash when component not probed
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 upstream.
+
+When main component is not probed, by example when the dw-hdmi module is
+not loaded yet or in probe defer, the following crash appears on shutdown:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+...
+pc : meson_drv_shutdown+0x24/0x50
+lr : platform_drv_shutdown+0x20/0x30
+...
+Call trace:
+meson_drv_shutdown+0x24/0x50
+platform_drv_shutdown+0x20/0x30
+device_shutdown+0x158/0x360
+kernel_restart_prepare+0x38/0x48
+kernel_restart+0x18/0x68
+__do_sys_reboot+0x224/0x250
+__arm64_sys_reboot+0x24/0x30
+...
+
+Simply check if the priv struct has been allocated before using it.
+
+Fixes: fa0c16caf3d7 ("drm: meson_drv add shutdown function")
+Reported-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210430082744.3638743-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -485,11 +485,12 @@ static int meson_probe_remote(struct pla
+ static void meson_drv_shutdown(struct platform_device *pdev)
+ {
+       struct meson_drm *priv = dev_get_drvdata(&pdev->dev);
+-      struct drm_device *drm = priv->drm;
+-      DRM_DEBUG_DRIVER("\n");
+-      drm_kms_helper_poll_fini(drm);
+-      drm_atomic_helper_shutdown(drm);
++      if (!priv)
++              return;
++
++      drm_kms_helper_poll_fini(priv->drm);
++      drm_atomic_helper_shutdown(priv->drm);
+ }
+ static int meson_drv_probe(struct platform_device *pdev)
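Review bot: The new `if (!priv) return;` guards drvdata being unset, but the hunk also drops the `DRM_DEBUG_DRIVER("\n")` trace, which the description does not mention; either keep the trace after the guard or state that its removal is intentional. A why-comment on the guard would help the next reader, since the NULL case is not obvious from the function alone: `/* drvdata is unset when the main component was never probed (e.g. dw-hdmi not loaded or deferred): nothing to tear down. */`. Whether `priv->drm` is guaranteed non-NULL once drvdata is set is not visible here; if drvdata can be set before `priv->drm` is assigned, the guard should cover that as well.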
diff --git a/queue-5.12/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch b/queue-5.12/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
new file mode 100644 (file)
index 0000000..c3209d7
--- /dev/null
@@ -0,0 +1,41 @@
+From bb002388901151fe35b6697ab116f6ed0721a9ed Mon Sep 17 00:00:00 2001
+From: zhouchuangao <zhouchuangao@vivo.com>
+Date: Sun, 9 May 2021 19:34:37 -0700
+Subject: fs/nfs: Use fatal_signal_pending instead of signal_pending
+
+From: zhouchuangao <zhouchuangao@vivo.com>
+
+commit bb002388901151fe35b6697ab116f6ed0721a9ed upstream.
+
+We set the state of the current process to TASK_KILLABLE via
+prepare_to_wait(). Should we use fatal_signal_pending() to detect
+the signal here?
+
+Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE")
+Signed-off-by: zhouchuangao <zhouchuangao@vivo.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1682,7 +1682,7 @@ static void nfs_set_open_stateid_locked(
+               rcu_read_unlock();
+               trace_nfs4_open_stateid_update_wait(state->inode, stateid, 0);
+-              if (!signal_pending(current)) {
++              if (!fatal_signal_pending(current)) {
+                       if (schedule_timeout(5*HZ) == 0)
+                               status = -EAGAIN;
+                       else
+@@ -3458,7 +3458,7 @@ static bool nfs4_refresh_open_old_statei
+               write_sequnlock(&state->seqlock);
+               trace_nfs4_close_stateid_update_wait(state->inode, dst, 0);
+-              if (signal_pending(current))
++              if (fatal_signal_pending(current))
+                       status = -EINTR;
+               else
+                       if (schedule_timeout(5*HZ) != 0)
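Review bot: Both replaced checks (the `-EAGAIN` path in nfs_set_open_stateid_locked and the `-EINTR` path in nfs4_refresh_open_old_stateid) now ignore non-fatal signals, which is consistent with the TASK_KILLABLE sleep the description mentions, but nothing at either site records that coupling, and the description itself is phrased as a question rather than a justification. A one-line comment above each check would make it explicit: `/* Sleep is TASK_KILLABLE, so only a fatal signal can interrupt it. */`. The `prepare_to_wait()` call that sets TASK_KILLABLE, and both enclosing functions, lie outside the hunks.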
diff --git a/queue-5.12/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch b/queue-5.12/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
new file mode 100644 (file)
index 0000000..d49d5ef
--- /dev/null
@@ -0,0 +1,52 @@
+From 0d0ea309357dea0d85a82815f02157eb7fcda39f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:40:12 -0400
+Subject: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream.
+
+The value of mirror->pg_bytes_written should only be updated after a
+successful attempt to flush out the requests on the list.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1128,17 +1128,16 @@ static void nfs_pageio_doio(struct nfs_p
+ {
+       struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
+-
+       if (!list_empty(&mirror->pg_list)) {
+               int error = desc->pg_ops->pg_doio(desc);
+               if (error < 0)
+                       desc->pg_error = error;
+-              else
++              if (list_empty(&mirror->pg_list)) {
+                       mirror->pg_bytes_written += mirror->pg_count;
+-      }
+-      if (list_empty(&mirror->pg_list)) {
+-              mirror->pg_count = 0;
+-              mirror->pg_base = 0;
++                      mirror->pg_count = 0;
++                      mirror->pg_base = 0;
++                      mirror->pg_recoalesce = 0;
++              }
+       }
+ }
+@@ -1228,7 +1227,6 @@ static int nfs_do_recoalesce(struct nfs_
+       do {
+               list_splice_init(&mirror->pg_list, &head);
+-              mirror->pg_bytes_written -= mirror->pg_count;
+               mirror->pg_count = 0;
+               mirror->pg_base = 0;
+               mirror->pg_recoalesce = 0;
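Review bot: In nfs_pageio_doio the `pg_bytes_written += pg_count` update is now gated only on `list_empty(&mirror->pg_list)` and no longer on the old `else` of `error < 0`; if `pg_doio` can fail after moving the requests off the list, the counter is still advanced on the error path, which reads at odds with the description's "after a successful attempt to flush". Whether pg_doio empties the list on failure is not visible here; if it can, the guard should be `if (error >= 0 && list_empty(&mirror->pg_list)) {`, and if the increment is intended regardless of error, a comment saying so would stop the next reader from "fixing" it. nfs_pageio_doio's signature and the rest of nfs_do_recoalesce are outside the hunks.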
diff --git a/queue-5.12/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch b/queue-5.12/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
new file mode 100644 (file)
index 0000000..05fc89e
--- /dev/null
@@ -0,0 +1,34 @@
+From 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 11 May 2021 11:49:42 +0300
+Subject: NFS: fix an incorrect limit in filelayout_decode_layout()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.
+
+The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
+memory corruption.  It should be NFS_MAXFHSIZE because that's the size
+of the ->data[] buffer.
+
+I reversed the size of the arguments to put the variable on the left.
+
+Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/filelayout/filelayout.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -718,7 +718,7 @@ filelayout_decode_layout(struct pnfs_lay
+               if (unlikely(!p))
+                       goto out_err;
+               fl->fh_array[i]->size = be32_to_cpup(p++);
+-              if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) {
++              if (fl->fh_array[i]->size > NFS_MAXFHSIZE) {
+                       printk(KERN_ERR "NFS: Too big fh %d received %d\n",
+                              i, fl->fh_array[i]->size);
+                       goto out_err;
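Review bot: The corrected bound `fl->fh_array[i]->size > NFS_MAXFHSIZE` is right per the description, but it repeats the shape of the original mistake: a limit spelled as a separate constant rather than the buffer it protects. Tying it to the array the decoded bytes are copied into, `if (fl->fh_array[i]->size > sizeof(fl->fh_array[i]->data)) {`, keeps the check correct if the struct ever changes; the copy into `->data` happens below the hunk, so its exact form should be confirmed before switching. filelayout_decode_layout's signature is outside the hunk.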
diff --git a/queue-5.12/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch b/queue-5.12/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
new file mode 100644 (file)
index 0000000..045152e
--- /dev/null
@@ -0,0 +1,45 @@
+From 56517ab958b7c11030e626250c00b9b1a24b41eb Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:23:05 -0400
+Subject: NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 56517ab958b7c11030e626250c00b9b1a24b41eb upstream.
+
+Ensure that nfs_pageio_error_cleanup() resets the mirror array contents,
+so that the structure reflects the fact that it is now empty.
+Also change the test in nfs_pageio_do_add_request() to be more robust by
+checking whether or not the list is empty rather than relying on the
+value of pg_count.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1094,15 +1094,16 @@ nfs_pageio_do_add_request(struct nfs_pag
+       struct nfs_page *prev = NULL;
+       unsigned int size;
+-      if (mirror->pg_count != 0) {
+-              prev = nfs_list_entry(mirror->pg_list.prev);
+-      } else {
++      if (list_empty(&mirror->pg_list)) {
+               if (desc->pg_ops->pg_init)
+                       desc->pg_ops->pg_init(desc, req);
+               if (desc->pg_error < 0)
+                       return 0;
+               mirror->pg_base = req->wb_pgbase;
+-      }
++              mirror->pg_count = 0;
++              mirror->pg_recoalesce = 0;
++      } else
++              prev = nfs_list_entry(mirror->pg_list.prev);
+       if (desc->pg_maxretrans && req->wb_nio > desc->pg_maxretrans) {
+               if (NFS_SERVER(desc->pg_inode)->flags & NFS_MOUNT_SOFTERR)
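Review bot: The rewritten conditional at the end of the hunk braces the `if` branch but leaves the `else` unbraced (`} else` followed by a bare `prev = nfs_list_entry(...)`), which kernel style avoids when the other branch needs braces; write it as `} else {` / `prev = nfs_list_entry(mirror->pg_list.prev);` / `}`. The description also says nfs_pageio_error_cleanup() is changed to reset the mirror contents, yet the diffstat and the only hunk touch just nfs_pageio_do_add_request(); if the reset is meant to happen lazily here, on the next add after error cleanup has emptied the list, a comment above the `list_empty()` test saying so, e.g. `/* Empty list (fresh descriptor or after error cleanup): start a new batch. */`, would reconcile the two. The function's signature and its tail are outside the hunk.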
diff --git a/queue-5.12/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch b/queue-5.12/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
new file mode 100644 (file)
index 0000000..2949ed0
--- /dev/null
@@ -0,0 +1,36 @@
+From e67afa7ee4a59584d7253e45d7f63b9528819a13 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Tue, 25 May 2021 23:32:35 -0400
+Subject: NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit e67afa7ee4a59584d7253e45d7f63b9528819a13 upstream.
+
+Since commit bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors"),
+nfs42_proc_llseek would return -EOPNOTSUPP rather than -ENOTSUPP when
+SEEK_DATA on NFSv4.0/v4.1.
+
+This will lead xfstests generic/285 not run on NFSv4.0/v4.1 when set the
+CONFIG_NFS_V4_2, rather than run failed.
+
+Fixes: bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors")
+Cc: <stable.vger.kernel.org> # 4.2
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -211,7 +211,7 @@ static loff_t nfs4_file_llseek(struct fi
+       case SEEK_HOLE:
+       case SEEK_DATA:
+               ret = nfs42_proc_llseek(filep, offset, whence);
+-              if (ret != -ENOTSUPP)
++              if (ret != -EOPNOTSUPP)
+                       return ret;
+               fallthrough;
+       default:
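Review bot: The fallthrough after `nfs42_proc_llseek()` now triggers on `-EOPNOTSUPP`, which per the description is what the helper has returned since commit bdcc2cd14e4e, but the hunk carries no hint of why that one error falls through to `default:` while every other return value is passed up. A short comment keeps the pairing visible: `/* -EOPNOTSUPP: SEEK_DATA/SEEK_HOLE not supported on this NFS version; fall through to the default handling. */`. What `default:` does is outside the hunk, so the comment's wording should match it; whether any other caller still matches `-ENOTSUPP` from this helper is not visible here.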
index ace61adc027aea97808c54929583d47674a10a47..b746a368001b39210361e64984bc26312e197f78 100644 (file)
@@ -109,3 +109,10 @@ usb-typec-tcpm-use-le-to-cpu-conversion-when-accessing-msg-header.patch
 usb-typec-tcpm-properly-interrupt-vdm-ams.patch
 usb-typec-tcpm-respond-not_supported-if-no-snk_vdo.patch
 net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
+fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
+nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
+nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
+nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
+nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
+drm-meson-fix-shutdown-crash-when-component-not-probed.patch