--- /dev/null
+From 333ff32d54cdefc2e479892e7f15ac91e026b57d Mon Sep 17 00:00:00 2001
+From: Lars Poeschel <poeschel@lemonage.de>
+Date: Wed, 14 Jul 2021 13:02:28 +0200
+Subject: auxdisplay: hd44780: Fix oops on module unloading
+
+From: Lars Poeschel <poeschel@lemonage.de>
+
+commit 333ff32d54cdefc2e479892e7f15ac91e026b57d upstream.
+
+Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/CAHp75VfKyqy+vM0XkP9Yb+znGOTVT4zYCRY3A3nQ7C3WNUVN0g@mail.gmail.com/
+Reported-By: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Lars Poeschel <poeschel@lemonage.de>
+Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+[added Link, Fixes, Cc stable tags, edited message]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/auxdisplay/hd44780.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/auxdisplay/hd44780.c
++++ b/drivers/auxdisplay/hd44780.c
+@@ -323,8 +323,8 @@ static int hd44780_remove(struct platfor
+ {
+ struct charlcd *lcd = platform_get_drvdata(pdev);
+
+- kfree(lcd->drvdata);
+ charlcd_unregister(lcd);
++ kfree(lcd->drvdata);
+
+ kfree(lcd);
+ return 0;
--- /dev/null
+From d9cf3bd531844ffbfe94b16e417037a16efc988d Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 19 Jul 2021 11:53:00 +0100
+Subject: bio: fix page leak bio_add_hw_page failure
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit d9cf3bd531844ffbfe94b16e417037a16efc988d upstream.
+
+__bio_iov_append_get_pages() doesn't put not appended pages on
+bio_add_hw_page() failure, so potentially leaking them, fix it. Also, do
+the same for __bio_iov_iter_get_pages(), even though it looks like it
+can't be triggered by userspace in this case.
+
+Fixes: 0512a75b98f8 ("block: Introduce REQ_OP_ZONE_APPEND")
+Cc: stable@vger.kernel.org # 5.8+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/1edfa6a2ffd66d55e6345a477df5387d2c1415d0.1626653825.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -979,6 +979,14 @@ static int bio_iov_bvec_set_append(struc
+ return 0;
+ }
+
++static void bio_put_pages(struct page **pages, size_t size, size_t off)
++{
++ size_t i, nr = DIV_ROUND_UP(size + (off & ~PAGE_MASK), PAGE_SIZE);
++
++ for (i = 0; i < nr; i++)
++ put_page(pages[i]);
++}
++
+ #define PAGE_PTRS_PER_BVEC (sizeof(struct bio_vec) / sizeof(struct page *))
+
+ /**
+@@ -1023,8 +1031,10 @@ static int __bio_iov_iter_get_pages(stru
+ if (same_page)
+ put_page(page);
+ } else {
+- if (WARN_ON_ONCE(bio_full(bio, len)))
+- return -EINVAL;
++ if (WARN_ON_ONCE(bio_full(bio, len))) {
++ bio_put_pages(pages + i, left, offset);
++ return -EINVAL;
++ }
+ __bio_add_page(bio, page, len, offset);
+ }
+ offset = 0;
+@@ -1069,6 +1079,7 @@ static int __bio_iov_append_get_pages(st
+ len = min_t(size_t, PAGE_SIZE - offset, left);
+ if (bio_add_hw_page(q, bio, page, len, offset,
+ max_append_sectors, &same_page) != len) {
++ bio_put_pages(pages + i, left, offset);
+ ret = -EINVAL;
+ break;
+ }
--- /dev/null
+From 3998f0b8bc49ec784990971dc1f16bf367b19078 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 25 Aug 2021 21:16:56 +1000
+Subject: cifs: Do not leak EDEADLK to dgetents64 for STATUS_USER_SESSION_DELETED
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 3998f0b8bc49ec784990971dc1f16bf367b19078 upstream.
+
+RHBZ: 1994393
+
+If we hit a STATUS_USER_SESSION_DELETED for the Create part in the
+Create/QueryDirectory compound that starts a directory scan
+we will leak EDEADLK back to userspace and surprise glibc and the application.
+
+Pick this up initiate_cifs_search() and retry a small number of tries before we
+return an error to userspace.
+
+Cc: stable@vger.kernel.org
+Reported-by: Xiaoli Feng <xifeng@redhat.com>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/readdir.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -381,7 +381,7 @@ int get_symlink_reparse_path(char *full_
+ */
+
+ static int
+-initiate_cifs_search(const unsigned int xid, struct file *file,
++_initiate_cifs_search(const unsigned int xid, struct file *file,
+ const char *full_path)
+ {
+ __u16 search_flags;
+@@ -463,6 +463,27 @@ error_exit:
+ return rc;
+ }
+
++static int
++initiate_cifs_search(const unsigned int xid, struct file *file,
++ const char *full_path)
++{
++ int rc, retry_count = 0;
++
++ do {
++ rc = _initiate_cifs_search(xid, file, full_path);
++ /*
++ * If we don't have enough credits to start reading the
++ * directory just try again after short wait.
++ */
++ if (rc != -EDEADLK)
++ break;
++
++ usleep_range(512, 2048);
++ } while (retry_count++ < 5);
++
++ return rc;
++}
++
+ /* return length of unicode string in bytes */
+ static int cifs_unicode_bytelen(const char *str)
+ {
--- /dev/null
+From 2ae2eb9dde18979b40629dd413b9adbd6c894cdf Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 9 Sep 2021 13:56:27 +0100
+Subject: io_uring: fail links of cancelled timeouts
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 2ae2eb9dde18979b40629dd413b9adbd6c894cdf upstream.
+
+When we cancel a timeout we should mark it with REQ_F_FAIL, so
+linked requests are cancelled as well, but not queued for further
+execution.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/fff625b44eeced3a5cae79f60e6acf3fbdf8f990.1631192135.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1307,6 +1307,8 @@ static void io_kill_timeout(struct io_ki
+ struct io_timeout_data *io = req->async_data;
+
+ if (hrtimer_try_to_cancel(&io->timer) != -1) {
++ if (status)
++ req_set_fail(req);
+ atomic_set(&req->ctx->cq_timeouts,
+ atomic_read(&req->ctx->cq_timeouts) + 1);
+ list_del_init(&req->timeout.list);
--- /dev/null
+From 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 3 Sep 2021 16:55:26 -0600
+Subject: io_uring: io_uring_complete() trace should take an integer
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 upstream.
+
+It currently takes a long, and while that's normally OK, the io_uring
+limit is an int. Internally in io_uring it's an int, but sometimes it's
+passed as a long. That can yield confusing results where a completions
+seems to generate a huge result:
+
+ou-sqp-1297-1298 [001] ...1 788.056371: io_uring_complete: ring 000000000e98e046, user_data 0x0, result 4294967171, cflags 0
+
+which is due to -ECANCELED being stored in an unsigned, and then passed
+in as a long. Using the right int type, the trace looks correct:
+
+iou-sqp-338-339 [002] ...1 15.633098: io_uring_complete: ring 00000000e0ac60cf, user_data 0x0, result -125, cflags 0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/io_uring.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/trace/events/io_uring.h
++++ b/include/trace/events/io_uring.h
+@@ -295,14 +295,14 @@ TRACE_EVENT(io_uring_fail_link,
+ */
+ TRACE_EVENT(io_uring_complete,
+
+- TP_PROTO(void *ctx, u64 user_data, long res, unsigned cflags),
++ TP_PROTO(void *ctx, u64 user_data, int res, unsigned cflags),
+
+ TP_ARGS(ctx, user_data, res, cflags),
+
+ TP_STRUCT__entry (
+ __field( void *, ctx )
+ __field( u64, user_data )
+- __field( long, res )
++ __field( int, res )
+ __field( unsigned, cflags )
+ ),
+
+@@ -313,7 +313,7 @@ TRACE_EVENT(io_uring_complete,
+ __entry->cflags = cflags;
+ ),
+
+- TP_printk("ring %p, user_data 0x%llx, result %ld, cflags %x",
++ TP_printk("ring %p, user_data 0x%llx, result %d, cflags %x",
+ __entry->ctx, (unsigned long long)__entry->user_data,
+ __entry->res, __entry->cflags)
+ );
--- /dev/null
+From 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 30 Aug 2021 19:37:41 -0600
+Subject: io_uring: IORING_OP_WRITE needs hash_reg_file set
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 upstream.
+
+During some testing, it became evident that using IORING_OP_WRITE doesn't
+hash buffered writes like the other writes commands do. That's simply
+an oversight, and can cause performance regressions when doing buffered
+writes with this command.
+
+Correct that and add the flag, so that buffered writes are correctly
+hashed when using the non-iovec based write command.
+
+Cc: stable@vger.kernel.org
+Fixes: 3a6820f2bb8a ("io_uring: add non-vectored read/write commands")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -990,6 +990,7 @@ static const struct io_op_def io_op_defs
+ },
+ [IORING_OP_WRITE] = {
+ .needs_file = 1,
++ .hash_reg_file = 1,
+ .unbound_nonreg_file = 1,
+ .pollout = 1,
+ .plug = 1,
--- /dev/null
+From 3a1b8a4e843f96b636431450d8d79061605cf74b Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Fri, 20 Aug 2021 10:36:35 +0100
+Subject: io_uring: limit fixed table size by RLIMIT_NOFILE
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 3a1b8a4e843f96b636431450d8d79061605cf74b upstream.
+
+Limit the number of files in io_uring fixed tables by RLIMIT_NOFILE,
+that's the first and the simpliest restriction that we should impose.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/b2756c340aed7d6c0b302c26dab50c6c5907f4ce.1629451684.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -7669,6 +7669,8 @@ static int io_sqe_files_register(struct
+ return -EINVAL;
+ if (nr_args > IORING_MAX_FIXED_FILES)
+ return -EMFILE;
++ if (nr_args > rlimit(RLIMIT_NOFILE))
++ return -EMFILE;
+ ret = io_rsrc_node_switch_start(ctx);
+ if (ret)
+ return ret;
--- /dev/null
+From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 23 Aug 2021 11:18:45 +0100
+Subject: io_uring: reexpand under-reexpanded iters
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
+
+[ 74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
+[ 74.212778] Read of size 8 at addr ffff888025dc78b8 by task
+syz-executor.0/828
+[ 74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted
+5.14.0-rc3-next-20210730 #1
+[ 74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 74.219033] Call Trace:
+[ 74.219683] dump_stack_lvl+0x8b/0xb3
+[ 74.220706] print_address_description.constprop.0+0x1f/0x140
+[ 74.224226] kasan_report.cold+0x7f/0x11b
+[ 74.226085] iov_iter_revert+0x809/0x900
+[ 74.227960] io_write+0x57d/0xe40
+[ 74.232647] io_issue_sqe+0x4da/0x6a80
+[ 74.242578] __io_queue_sqe+0x1ac/0xe60
+[ 74.245358] io_submit_sqes+0x3f6e/0x76a0
+[ 74.248207] __do_sys_io_uring_enter+0x90c/0x1a20
+[ 74.257167] do_syscall_64+0x3b/0x90
+[ 74.257984] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+old_size = iov_iter_count();
+...
+iov_iter_revert(old_size - iov_iter_count());
+
+If iov_iter_revert() is done base on the initial size as above, and the
+iter is truncated and not reexpanded in the middle, it miscalculates
+borders causing problems. This trace is due to no one reexpanding after
+generic_write_checks().
+
+Now iters store how many bytes has been truncated, so reexpand them to
+the initial state right before reverting.
+
+Cc: stable@vger.kernel.org
+Reported-by: Palash Oswal <oswalpalash@gmail.com>
+Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -3316,6 +3316,7 @@ static int io_read(struct io_kiocb *req,
+ if (req->flags & REQ_F_NOWAIT)
+ goto done;
+ /* some cases will consume bytes even on error returns */
++ iov_iter_reexpand(iter, iter->count + iter->truncated);
+ iov_iter_revert(iter, io_size - iov_iter_count(iter));
+ ret = 0;
+ } else if (ret == -EIOCBQUEUED) {
+@@ -3455,6 +3456,7 @@ done:
+ } else {
+ copy_iov:
+ /* some cases will consume bytes even on error returns */
++ iov_iter_reexpand(iter, iter->count + iter->truncated);
+ iov_iter_revert(iter, io_size - iov_iter_count(iter));
+ ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
+ return ret ?: -EAGAIN;
--- /dev/null
+From 6607cd319b6b91bff94e90f798a61c031650b514 Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <jiangguoqing@kylinos.cn>
+Date: Tue, 24 Aug 2021 09:16:54 +0800
+Subject: raid1: ensure write behind bio has less than BIO_MAX_VECS sectors
+
+From: Guoqing Jiang <jiangguoqing@kylinos.cn>
+
+commit 6607cd319b6b91bff94e90f798a61c031650b514 upstream.
+
+We can't split write behind bio with more than BIO_MAX_VECS sectors,
+otherwise the below call trace was triggered because we could allocate
+oversized write behind bio later.
+
+[ 8.097936] bvec_alloc+0x90/0xc0
+[ 8.098934] bio_alloc_bioset+0x1b3/0x260
+[ 8.099959] raid1_make_request+0x9ce/0xc50 [raid1]
+[ 8.100988] ? __bio_clone_fast+0xa8/0xe0
+[ 8.102008] md_handle_request+0x158/0x1d0 [md_mod]
+[ 8.103050] md_submit_bio+0xcd/0x110 [md_mod]
+[ 8.104084] submit_bio_noacct+0x139/0x530
+[ 8.105127] submit_bio+0x78/0x1d0
+[ 8.106163] ext4_io_submit+0x48/0x60 [ext4]
+[ 8.107242] ext4_writepages+0x652/0x1170 [ext4]
+[ 8.108300] ? do_writepages+0x41/0x100
+[ 8.109338] ? __ext4_mark_inode_dirty+0x240/0x240 [ext4]
+[ 8.110406] do_writepages+0x41/0x100
+[ 8.111450] __filemap_fdatawrite_range+0xc5/0x100
+[ 8.112513] file_write_and_wait_range+0x61/0xb0
+[ 8.113564] ext4_sync_file+0x73/0x370 [ext4]
+[ 8.114607] __x64_sys_fsync+0x33/0x60
+[ 8.115635] do_syscall_64+0x33/0x40
+[ 8.116670] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Thanks for the comment from Christoph.
+
+[1]. https://bugs.archlinux.org/task/70992
+
+Cc: stable@vger.kernel.org # v5.12+
+Reported-by: Jens Stutte <jens@chianterastutte.eu>
+Tested-by: Jens Stutte <jens@chianterastutte.eu>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Guoqing Jiang <jiangguoqing@kylinos.cn>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid1.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1324,6 +1324,7 @@ static void raid1_write_request(struct m
+ struct raid1_plug_cb *plug = NULL;
+ int first_clone;
+ int max_sectors;
++ bool write_behind = false;
+
+ if (mddev_is_clustered(mddev) &&
+ md_cluster_ops->area_resyncing(mddev, WRITE,
+@@ -1376,6 +1377,15 @@ static void raid1_write_request(struct m
+ max_sectors = r1_bio->sectors;
+ for (i = 0; i < disks; i++) {
+ struct md_rdev *rdev = rcu_dereference(conf->mirrors[i].rdev);
++
++ /*
++ * The write-behind io is only attempted on drives marked as
++ * write-mostly, which means we could allocate write behind
++ * bio later.
++ */
++ if (rdev && test_bit(WriteMostly, &rdev->flags))
++ write_behind = true;
++
+ if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) {
+ atomic_inc(&rdev->nr_pending);
+ blocked_rdev = rdev;
+@@ -1449,6 +1459,15 @@ static void raid1_write_request(struct m
+ goto retry_write;
+ }
+
++ /*
++ * When using a bitmap, we may call alloc_behind_master_bio below.
++ * alloc_behind_master_bio allocates a copy of the data payload a page
++ * at a time and thus needs a new bio that can fit the whole payload
++ * this bio in page sized chunks.
++ */
++ if (write_behind && bitmap)
++ max_sectors = min_t(int, max_sectors,
++ BIO_MAX_VECS * (PAGE_SIZE >> 9));
+ if (max_sectors < bio_sectors(bio)) {
+ struct bio *split = bio_split(bio, max_sectors,
+ GFP_NOIO, &conf->bio_split);
asoc-rt5682-remove-unused-variable-in-rt5682_i2c_remove.patch
iwlwifi-add-support-for-ax201-in-samsung-galaxy-book-flex2-alpha.patch
f2fs-guarantee-to-write-dirty-data-when-enabling-checkpoint-back.patch
+time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
+auxdisplay-hd44780-fix-oops-on-module-unloading.patch
+io_uring-limit-fixed-table-size-by-rlimit_nofile.patch
+io_uring-ioring_op_write-needs-hash_reg_file-set.patch
+io_uring-io_uring_complete-trace-should-take-an-integer.patch
+io_uring-reexpand-under-reexpanded-iters.patch
+io_uring-fail-links-of-cancelled-timeouts.patch
+bio-fix-page-leak-bio_add_hw_page-failure.patch
+raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch
+cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch
+smb3-fix-posix-extensions-mount-option.patch
+tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
--- /dev/null
+From 7321be2663da5922343cc121f1ff04924cee2e76 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 23 Aug 2021 13:52:12 -0500
+Subject: smb3: fix posix extensions mount option
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 7321be2663da5922343cc121f1ff04924cee2e76 upstream.
+
+We were incorrectly initializing the posix extensions in the
+conversion to the new mount API.
+
+CC: <stable@vger.kernel.org> # 5.11+
+Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Suggested-by: Namjae Jeon <namjae.jeon@samsung.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/fs_context.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -1259,10 +1259,17 @@ static int smb3_fs_context_parse_param(s
+ ctx->posix_paths = 1;
+ break;
+ case Opt_unix:
+- if (result.negated)
++ if (result.negated) {
++ if (ctx->linux_ext == 1)
++ pr_warn_once("conflicting posix mount options specified\n");
+ ctx->linux_ext = 0;
+- else
+ ctx->no_linux_ext = 1;
++ } else {
++ if (ctx->no_linux_ext == 1)
++ pr_warn_once("conflicting posix mount options specified\n");
++ ctx->linux_ext = 1;
++ ctx->no_linux_ext = 0;
++ }
+ break;
+ case Opt_nocase:
+ ctx->nocase = 1;
--- /dev/null
+From 39ff83f2f6cc5cc1458dfcea9697f96338210beb Mon Sep 17 00:00:00 2001
+From: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+Date: Wed, 25 Aug 2021 10:12:43 +0000
+Subject: time: Handle negative seconds correctly in timespec64_to_ns()
+
+From: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+
+commit 39ff83f2f6cc5cc1458dfcea9697f96338210beb upstream.
+
+timespec64_ns() prevents multiplication overflows by comparing the seconds
+value of the timespec to KTIME_SEC_MAX. If the value is greater or equal it
+returns KTIME_MAX.
+
+But that check casts the signed seconds value to unsigned which makes the
+comparision true for all negative values and therefore return wrongly
+KTIME_MAX.
+
+Negative second values are perfectly valid and required in some places,
+e.g. ptp_clock_adjtime().
+
+Remove the cast and add a check for the negative boundary which is required
+to prevent undefined behaviour due to multiplication underflow.
+
+Fixes: cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")'
+Signed-off-by: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/AM6PR01MB541637BD6F336B8FFB72AF80EEC69@AM6PR01MB5416.eurprd01.prod.exchangelabs.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/time64.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/time64.h
++++ b/include/linux/time64.h
+@@ -25,7 +25,9 @@ struct itimerspec64 {
+ #define TIME64_MIN (-TIME64_MAX - 1)
+
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
++#define KTIME_MIN (-KTIME_MAX - 1)
+ #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#define KTIME_SEC_MIN (KTIME_MIN / NSEC_PER_SEC)
+
+ /*
+ * Limits for settimeofday():
+@@ -124,10 +126,13 @@ static inline bool timespec64_valid_sett
+ */
+ static inline s64 timespec64_to_ns(const struct timespec64 *ts)
+ {
+- /* Prevent multiplication overflow */
+- if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++ /* Prevent multiplication overflow / underflow */
++ if (ts->tv_sec >= KTIME_SEC_MAX)
+ return KTIME_MAX;
+
++ if (ts->tv_sec <= KTIME_SEC_MIN)
++ return KTIME_MIN;
++
+ return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec;
+ }
+
--- /dev/null
+From bb2853a6a421a052268eee00fd5d3f6b3504b2b1 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+Date: Mon, 23 Aug 2021 08:06:41 +0800
+Subject: tty: Fix data race between tiocsti() and flush_to_ldisc()
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream.
+
+The ops->receive_buf() may be accessed concurrently from these two
+functions. If the driver flushes data to the line discipline
+receive_buf() method while tiocsti() is waiting for the
+ops->receive_buf() to finish its work, the data race will happen.
+
+For example:
+tty_ioctl |tty_ldisc_receive_buf
+ ->tioctsi | ->tty_port_default_receive_buf
+ | ->tty_ldisc_receive_buf
+ ->hci_uart_tty_receive | ->hci_uart_tty_receive
+ ->h4_recv | ->h4_recv
+
+In this case, the h4 receive buffer will be overwritten by the
+latecomer, and we will lost the data.
+
+Hence, change tioctsi() function to use the exclusive lock interface
+from tty_buffer to avoid the data race.
+
+Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2294,8 +2294,6 @@ static int tty_fasync(int fd, struct fil
+ * Locking:
+ * Called functions take tty_ldiscs_lock
+ * current->signal->tty check is safe without locks
+- *
+- * FIXME: may race normal receive processing
+ */
+
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+@@ -2311,8 +2309,10 @@ static int tiocsti(struct tty_struct *tt
+ ld = tty_ldisc_ref_wait(tty);
+ if (!ld)
+ return -EIO;
++ tty_buffer_lock_exclusive(tty->port);
+ if (ld->ops->receive_buf)
+ ld->ops->receive_buf(tty, &ch, &mbz, 1);
++ tty_buffer_unlock_exclusive(tty->port);
+ tty_ldisc_deref(ld);
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
