5.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Sep 2021 09:51:22 +0000 (11:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Sep 2021 09:51:22 +0000 (11:51 +0200)
added patches:
btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
revert-floppy-reintroduce-o_ndelay-fix.patch

queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch [new file with mode: 0644]
queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch [new file with mode: 0644]
queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch [new file with mode: 0644]
queue-5.14/series

diff --git a/queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch b/queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
new file mode 100644 (file)
index 0000000..27aec36
--- /dev/null
@@ -0,0 +1,79 @@
+From e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 6 Aug 2021 18:24:15 +0800
+Subject: btrfs: fix NULL pointer dereference when deleting device by invalid id
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 upstream.
+
+[BUG]
+It's easy to trigger NULL pointer dereference, just by removing a
+non-existing device id:
+
+ # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
+                                    /dev/test/scratch2
+ # mount /dev/test/scratch1 /mnt/btrfs
+ # btrfs device remove 3 /mnt/btrfs
+
+Then we have the following kernel NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
+  btrfs_ioctl+0x18bb/0x3190 [btrfs]
+  ? lock_is_held_type+0xa5/0x120
+  ? find_held_lock.constprop.0+0x2b/0x80
+  ? do_user_addr_fault+0x201/0x6a0
+  ? lock_release+0xd2/0x2d0
+  ? __x64_sys_ioctl+0x83/0xb0
+  __x64_sys_ioctl+0x83/0xb0
+  do_syscall_64+0x3b/0x90
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+[CAUSE]
+Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
+btrfs_device directly") moves the "missing" device path check into
+btrfs_rm_device().
+
+But btrfs_rm_device() itself can have case where it only receives
+@devid, with NULL as @device_path.
+
+In that case, calling strcmp() on NULL will trigger the NULL pointer
+dereference.
+
+Before that commit, we handle the "missing" case inside
+btrfs_find_device_by_devspec(), which will not check @device_path at all
+if @devid is provided, thus no way to trigger the bug.
+
+[FIX]
+Before calling strcmp(), also make sure @device_path is not NULL.
+
+Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
+CC: stable@vger.kernel.org # 5.4+
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2137,7 +2137,7 @@ int btrfs_rm_device(struct btrfs_fs_info
+       if (IS_ERR(device)) {
+               if (PTR_ERR(device) == -ENOENT &&
+-                  strcmp(device_path, "missing") == 0)
++                  device_path && strcmp(device_path, "missing") == 0)
+                       ret = BTRFS_ERROR_DEV_MISSING_NOT_FOUND;
+               else
+                       ret = PTR_ERR(device);
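Review bot: The added `device_path &&` guard in front of the strcmp() on the -ENOENT branch is correct, but nothing at the site records that device_path is legitimately NULL when the caller identifies the device by devid alone, which is exactly the precondition the original strcmp() missed; a one-line comment would keep a later refactor from dropping the check again. Suggest `/* device_path is NULL when the device is identified by devid only */` immediately above the `if (IS_ERR(device))` line. btrfs_rm_device() starts and ends outside the hunk, so whether an earlier path already rejects a NULL device_path for the non-ENOENT errors cannot be seen here.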
diff --git a/queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch b/queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
new file mode 100644 (file)
index 0000000..9642c7e
--- /dev/null
@@ -0,0 +1,40 @@
+From 7428022b50d0fbb4846dd0f00639ea09d36dff02 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Wed, 11 Aug 2021 17:50:43 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks again
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+commit 7428022b50d0fbb4846dd0f00639ea09d36dff02 upstream.
+
+When a port leaves a VLAN-aware bridge, the current code does not clear
+other ports' matrix field bit. If the bridge is later set to VLAN-unaware
+mode, traffic in the bridge may leak to that port.
+
+Remove the VLAN filtering check in mt7530_port_bridge_leave.
+
+Fixes: 474a2ddaa192 ("net: dsa: mt7530: fix VLAN traffic leaks")
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1308,11 +1308,8 @@ mt7530_port_bridge_leave(struct dsa_swit
+               /* Remove this port from the port matrix of the other ports
+                * in the same bridge. If the port is disabled, port matrix
+                * is kept and not being setup until the port becomes enabled.
+-               * And the other port's port matrix cannot be broken when the
+-               * other port is still a VLAN-aware port.
+                */
+-              if (dsa_is_user_port(ds, i) && i != port &&
+-                 !dsa_port_is_vlan_filtering(dsa_to_port(ds, i))) {
++              if (dsa_is_user_port(ds, i) && i != port) {
+                       if (dsa_to_port(ds, i)->bridge_dev != bridge)
+                               continue;
+                       if (priv->ports[i].enable)
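Review bot: The rewritten condition `if (dsa_is_user_port(ds, i) && i != port) {` drops the VLAN-filtering test, but the block comment above it, which this hunk also trims, no longer says why the other port's matrix bit must be cleared regardless of its VLAN mode; the reason given in the commit message (traffic leaks to the departed port once the bridge is later switched to VLAN-unaware mode) belongs in the code next to the condition. Suggest appending to the block comment ` * The bit is cleared even while the other port is VLAN-aware; leaving it set lets bridge traffic reach this port once the bridge becomes VLAN-unaware.` The enclosing loop and mt7530_port_bridge_leave() start and end outside the hunk.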
diff --git a/queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch b/queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch
new file mode 100644 (file)
index 0000000..b8ca303
--- /dev/null
@@ -0,0 +1,72 @@
+From c7e9d0020361f4308a70cdfd6d5335e273eb8717 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Sat, 7 Aug 2021 10:37:02 +0300
+Subject: Revert "floppy: reintroduce O_NDELAY fix"
+
+From: Denis Efremov <efremov@linux.com>
+
+commit c7e9d0020361f4308a70cdfd6d5335e273eb8717 upstream.
+
+The patch breaks userspace implementations (e.g. fdutils) and introduces
+regressions in behaviour. Previously, it was possible to O_NDELAY open a
+floppy device with no media inserted or with write protected media without
+an error. Some userspace tools use this particular behavior for probing.
+
+It's not the first time when we revert this patch. Previous revert is in
+commit f2791e7eadf4 (Revert "floppy: refactor open() flags handling").
+
+This reverts commit 8a0c014cd20516ade9654fc13b51345ec58e7be8.
+
+Link: https://lore.kernel.org/linux-block/de10cb47-34d1-5a88-7751-225ca380f735@compro.net/
+Reported-by: Mark Hounschell <markh@compro.net>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Wim Osterholt <wim@djo.tudelft.nl>
+Cc: Kurt Garloff <kurt@garloff.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/floppy.c |   30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4029,23 +4029,23 @@ static int floppy_open(struct block_devi
+       if (fdc_state[FDC(drive)].rawcmd == 1)
+               fdc_state[FDC(drive)].rawcmd = 2;
+-      if (mode & (FMODE_READ|FMODE_WRITE)) {
+-              drive_state[drive].last_checked = 0;
+-              clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags);
+-              if (bdev_check_media_change(bdev))
+-                      floppy_revalidate(bdev->bd_disk);
+-              if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
+-                      goto out;
+-              if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++      if (!(mode & FMODE_NDELAY)) {
++              if (mode & (FMODE_READ|FMODE_WRITE)) {
++                      drive_state[drive].last_checked = 0;
++                      clear_bit(FD_OPEN_SHOULD_FAIL_BIT,
++                                &drive_state[drive].flags);
++                      if (bdev_check_media_change(bdev))
++                              floppy_revalidate(bdev->bd_disk);
++                      if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
++                              goto out;
++                      if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++                              goto out;
++              }
++              res = -EROFS;
++              if ((mode & FMODE_WRITE) &&
++                  !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+                       goto out;
+       }
+-
+-      res = -EROFS;
+-
+-      if ((mode & FMODE_WRITE) &&
+-                      !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+-              goto out;
+-
+       mutex_unlock(&open_lock);
+       mutex_unlock(&floppy_mutex);
+       return 0;
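Review bot: The restored `if (!(mode & FMODE_NDELAY)) {` block skips both the media-change revalidation and the -EROFS write-protect check for O_NDELAY opens, and the code gives no hint that this is deliberate; the commit message says userspace probing tools (e.g. fdutils) depend on it, and that rationale should sit on the branch so the behaviour is not changed a third time. Suggest `/* O_NDELAY opens skip the media and write-protect checks: userspace (e.g. fdutils) relies on this to probe drives without media. */` above the `if`. On the O_NDELAY path `res` keeps whatever value it held before the hunk and a write-mode open on write-protected media succeeds, so any write-protect failure presumably surfaces later at I/O time — confirm. floppy_open() starts and ends outside the hunk.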
index 28b64045b3f629e55ddc7de480bbcfe3823a002f..2dcf9595f4aa5b442587a9abb11b52300f4aa7fe 100644 (file)
@@ -1,2 +1,5 @@
 vt_kdsetmode-extend-console-locking.patch
 bluetooth-btusb-check-conditions-before-enabling-usb-alt-3-for-wbs.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
+btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
+revert-floppy-reintroduce-o_ndelay-fix.patch