--- /dev/null
+From a149d2a5cabbf6507a7832a1c4fd2593c55fd450 Mon Sep 17 00:00:00 2001
+From: Zhang Yi <yi.zhang@huawei.com>
+Date: Wed, 31 Mar 2021 20:15:16 +0800
+Subject: ext4: fix check to prevent false positive report of incorrect used inodes
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+commit a149d2a5cabbf6507a7832a1c4fd2593c55fd450 upstream.
+
+Commit <50122847007> ("ext4: fix check to prevent initializing reserved
+inodes") check the block group zero and prevent initializing reserved
+inodes. But in some special cases, the reserved inode may not all belong
+to the group zero, it may exist into the second group if we format
+filesystem below.
+
+ mkfs.ext4 -b 4096 -g 8192 -N 1024 -I 4096 /dev/sda
+
+So, it will end up triggering a false positive report of a corrupted
+file system. This patch fix it by avoid check reserved inodes if no free
+inode blocks will be zeroed.
+
+Cc: stable@kernel.org
+Fixes: 50122847007 ("ext4: fix check to prevent initializing reserved inodes")
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Suggested-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210331121516.2243099-1-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ialloc.c | 48 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1286,6 +1286,7 @@ int ext4_init_inode_table(struct super_b
+ handle_t *handle;
+ ext4_fsblk_t blk;
+ int num, ret = 0, used_blks = 0;
++ unsigned long used_inos = 0;
+
+ /* This should not happen, but just to be sure check this */
+ if (sb->s_flags & MS_RDONLY) {
+@@ -1316,22 +1317,37 @@ int ext4_init_inode_table(struct super_b
+ * used inodes so we need to skip blocks with used inodes in
+ * inode table.
+ */
+- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)))
+- used_blks = DIV_ROUND_UP((EXT4_INODES_PER_GROUP(sb) -
+- ext4_itable_unused_count(sb, gdp)),
+- sbi->s_inodes_per_block);
+-
+- if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) ||
+- ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) -
+- ext4_itable_unused_count(sb, gdp)) <
+- EXT4_FIRST_INO(sb)))) {
+- ext4_error(sb, "Something is wrong with group %u: "
+- "used itable blocks: %d; "
+- "itable unused count: %u",
+- group, used_blks,
+- ext4_itable_unused_count(sb, gdp));
+- ret = 1;
+- goto err_out;
++ if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) {
++ used_inos = EXT4_INODES_PER_GROUP(sb) -
++ ext4_itable_unused_count(sb, gdp);
++ used_blks = DIV_ROUND_UP(used_inos, sbi->s_inodes_per_block);
++
++ /* Bogus inode unused count? */
++ if (used_blks < 0 || used_blks > sbi->s_itb_per_group) {
++ ext4_error(sb, "Something is wrong with group %u: "
++ "used itable blocks: %d; "
++ "itable unused count: %u",
++ group, used_blks,
++ ext4_itable_unused_count(sb, gdp));
++ ret = 1;
++ goto err_out;
++ }
++
++ used_inos += group * EXT4_INODES_PER_GROUP(sb);
++ /*
++ * Are there some uninitialized inodes in the inode table
++ * before the first normal inode?
++ */
++ if ((used_blks != sbi->s_itb_per_group) &&
++ (used_inos < EXT4_FIRST_INO(sb))) {
++ ext4_error(sb, "Something is wrong with group %u: "
++ "itable unused count: %u; "
++ "itables initialized count: %ld",
++ group, ext4_itable_unused_count(sb, gdp),
++ used_inos);
++ ret = 1;
++ goto err_out;
++ }
+ }
+
+ blk = ext4_inode_table(sb, gdp) + used_blks;
--- /dev/null
+From f88f1466e2a2e5ca17dfada436d3efa1b03a3972 Mon Sep 17 00:00:00 2001
+From: Fengnan Chang <changfengnan@vivo.com>
+Date: Fri, 2 Apr 2021 18:16:31 +0800
+Subject: ext4: fix error code in ext4_commit_super
+
+From: Fengnan Chang <changfengnan@vivo.com>
+
+commit f88f1466e2a2e5ca17dfada436d3efa1b03a3972 upstream.
+
+We should set the error code when ext4_commit_super check argument failed.
+Found in code review.
+Fixes: c4be0c1dc4cdc ("filesystem freeze: add error handling of write_super_lockfs/unlockfs").
+
+Cc: stable@kernel.org
+Signed-off-by: Fengnan Chang <changfengnan@vivo.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Link: https://lore.kernel.org/r/20210402101631.561-1-changfengnan@vivo.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4678,8 +4678,10 @@ static int ext4_commit_super(struct supe
+ struct buffer_head *sbh = EXT4_SB(sb)->s_sbh;
+ int error = 0;
+
+- if (!sbh || block_device_ejected(sb))
+- return error;
++ if (!sbh)
++ return -EINVAL;
++ if (block_device_ejected(sb))
++ return -ENODEV;
+
+ /*
+ * If the file system is mounted read-only, don't update the
--- /dev/null
+From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 5 May 2021 10:38:24 -0400
+Subject: ftrace: Handle commands when closing set_ftrace_filter file
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream.
+
+ # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+will cause switch_mm to stop tracing by the traceoff command.
+
+ # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+does nothing.
+
+The reason is that the parsing in the write function only processes
+commands if it finished parsing (there is white space written after the
+command). That's to handle:
+
+ write(fd, "switch_mm:", 10);
+ write(fd, "traceoff", 8);
+
+cases, where the command is broken over multiple writes.
+
+The problem is if the file descriptor is closed, then the write call is
+not processed, and the command needs to be processed in the release code.
+The release code can handle matching of functions, but does not handle
+commands.
+
+Cc: stable@vger.kernel.org
+Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4486,8 +4486,11 @@ int ftrace_regex_release(struct inode *i
+
+ parser = &iter->parser;
+ if (trace_parser_loaded(parser)) {
++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE);
++
+ parser->buffer[parser->idx] = 0;
+- ftrace_match_records(iter->hash, parser->buffer, parser->idx);
++ ftrace_process_regex(iter->hash, parser->buffer,
++ parser->idx, enable);
+ }
+
+ trace_parser_put(parser);
--- /dev/null
+From bf9a40ae8d722f281a2721779595d6df1c33a0bf Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 11 Dec 2020 09:30:39 +0100
+Subject: media: dvbdev: Fix memory leak in dvb_media_device_free()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit bf9a40ae8d722f281a2721779595d6df1c33a0bf upstream.
+
+dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`
+before setting it to NULL, as documented in include/media/media-device.h:
+"The media_entity instance itself must be freed explicitly by the driver
+if required."
+
+Link: https://syzkaller.appspot.com/bug?id=9bbe4b842c98f0ed05c5eed77a226e9de33bf298
+
+Link: https://lore.kernel.org/linux-media/20201211083039.521617-1-yepeilin.cs@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: 0230d60e4661 ("[media] dvbdev: Add RF connector if needed")
+Reported-by: syzbot+7f09440acc069a0d38ac@syzkaller.appspotmail.com
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -216,6 +216,7 @@ static void dvb_media_device_free(struct
+
+ if (dvbdev->adapter->conn) {
+ media_device_unregister_entity(dvbdev->adapter->conn);
++ kfree(dvbdev->adapter->conn);
+ dvbdev->adapter->conn = NULL;
+ kfree(dvbdev->adapter->conn_pads);
+ dvbdev->adapter->conn_pads = NULL;
powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
jffs2-check-the-validity-of-dstlen-in-jffs2_zlib_compress.patch
revert-337f13046ff0-futex-allow-futex_clock_realtime-with-futex_wait-op.patch
+ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch
+ext4-fix-check-to-prevent-false-positive-report-of-incorrect-used-inodes.patch
+ext4-fix-error-code-in-ext4_commit_super.patch
+media-dvbdev-fix-memory-leak-in-dvb_media_device_free.patch
+usb-gadget-dummy_hcd-fix-gpf-in-gadget_setup.patch
+usb-gadget-fix-double-free-of-device-descriptor-pointers.patch
+usb-gadget-function-f_fs-string-table-fix-for-multiple-languages.patch
--- /dev/null
+From 4a5d797a9f9c4f18585544237216d7812686a71f Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 19 Apr 2021 09:07:08 +0530
+Subject: usb: gadget: dummy_hcd: fix gpf in gadget_setup
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 4a5d797a9f9c4f18585544237216d7812686a71f upstream.
+
+Fix a general protection fault reported by syzbot due to a race between
+gadget_setup() and gadget_unbind() in raw_gadget.
+
+The gadget core is supposed to guarantee that there won't be any more
+callbacks to the gadget driver once the driver's unbind routine is
+called. That guarantee is enforced in usb_gadget_remove_driver as
+follows:
+
+ usb_gadget_disconnect(udc->gadget);
+ if (udc->gadget->irq)
+ synchronize_irq(udc->gadget->irq);
+ udc->driver->unbind(udc->gadget);
+ usb_gadget_udc_stop(udc);
+
+usb_gadget_disconnect turns off the pullup resistor, telling the host
+that the gadget is no longer connected and preventing the transmission
+of any more USB packets. Any packets that have already been received
+are sure to processed by the UDC driver's interrupt handler by the time
+synchronize_irq returns.
+
+But this doesn't work with dummy_hcd, because dummy_hcd doesn't use
+interrupts; it uses a timer instead. It does have code to emulate the
+effect of synchronize_irq, but that code doesn't get invoked at the
+right time -- it currently runs in usb_gadget_udc_stop, after the unbind
+callback instead of before. Indeed, there's no way for
+usb_gadget_remove_driver to invoke this code before the unbind callback.
+
+To fix this, move the synchronize_irq() emulation code to dummy_pullup
+so that it runs before unbind. Also, add a comment explaining why it is
+necessary to have it there.
+
+Reported-by: syzbot+eb4674092e6cc8d9e0bd@syzkaller.appspotmail.com
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210419033713.3021-1-mail@anirudhrb.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -918,6 +918,21 @@ static int dummy_pullup(struct usb_gadge
+ spin_lock_irqsave(&dum->lock, flags);
+ dum->pullup = (value != 0);
+ set_link_state(dum_hcd);
++ if (value == 0) {
++ /*
++ * Emulate synchronize_irq(): wait for callbacks to finish.
++ * This seems to be the best place to emulate the call to
++ * synchronize_irq() that's in usb_gadget_remove_driver().
++ * Doing it in dummy_udc_stop() would be too late since it
++ * is called after the unbind callback and unbind shouldn't
++ * be invoked until all the other callbacks are finished.
++ */
++ while (dum->callback_usage > 0) {
++ spin_unlock_irqrestore(&dum->lock, flags);
++ usleep_range(1000, 2000);
++ spin_lock_irqsave(&dum->lock, flags);
++ }
++ }
+ spin_unlock_irqrestore(&dum->lock, flags);
+
+ usb_hcd_poll_rh_status(dummy_hcd_to_hcd(dum_hcd));
+@@ -998,14 +1013,6 @@ static int dummy_udc_stop(struct usb_gad
+ spin_lock_irq(&dum->lock);
+ dum->ints_enabled = 0;
+ stop_activity(dum);
+-
+- /* emulate synchronize_irq(): wait for callbacks to finish */
+- while (dum->callback_usage > 0) {
+- spin_unlock_irq(&dum->lock);
+- usleep_range(1000, 2000);
+- spin_lock_irq(&dum->lock);
+- }
+-
+ dum->driver = NULL;
+ spin_unlock_irq(&dum->lock);
+
--- /dev/null
+From 43c4cab006f55b6ca549dd1214e22f5965a8675f Mon Sep 17 00:00:00 2001
+From: Hemant Kumar <hemantk@codeaurora.org>
+Date: Wed, 21 Apr 2021 12:47:32 -0700
+Subject: usb: gadget: Fix double free of device descriptor pointers
+
+From: Hemant Kumar <hemantk@codeaurora.org>
+
+commit 43c4cab006f55b6ca549dd1214e22f5965a8675f upstream.
+
+Upon driver unbind usb_free_all_descriptors() function frees all
+speed descriptor pointers without setting them to NULL. In case
+gadget speed changes (i.e from super speed plus to super speed)
+after driver unbind only upto super speed descriptor pointers get
+populated. Super speed plus desc still holds the stale (already
+freed) pointer. Fix this issue by setting all descriptor pointers
+to NULL after freeing them in usb_free_all_descriptors().
+
+Fixes: f5c61225cf29 ("usb: gadget: Update function for SuperSpeedPlus")
+cc: stable@vger.kernel.org
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Link: https://lore.kernel.org/r/1619034452-17334-1-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/config.c
++++ b/drivers/usb/gadget/config.c
+@@ -198,9 +198,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors
+ void usb_free_all_descriptors(struct usb_function *f)
+ {
+ usb_free_descriptors(f->fs_descriptors);
++ f->fs_descriptors = NULL;
+ usb_free_descriptors(f->hs_descriptors);
++ f->hs_descriptors = NULL;
+ usb_free_descriptors(f->ss_descriptors);
++ f->ss_descriptors = NULL;
+ usb_free_descriptors(f->ssp_descriptors);
++ f->ssp_descriptors = NULL;
+ }
+ EXPORT_SYMBOL_GPL(usb_free_all_descriptors);
+
--- /dev/null
+From 55b74ce7d2ce0b0058f3e08cab185a0afacfe39e Mon Sep 17 00:00:00 2001
+From: Dean Anderson <dean@sensoray.com>
+Date: Wed, 17 Mar 2021 15:41:09 -0700
+Subject: usb: gadget/function/f_fs string table fix for multiple languages
+
+From: Dean Anderson <dean@sensoray.com>
+
+commit 55b74ce7d2ce0b0058f3e08cab185a0afacfe39e upstream.
+
+Fixes bug with the handling of more than one language in
+the string table in f_fs.c.
+str_count was not reset for subsequent language codes.
+str_count-- "rolls under" and processes u32 max strings on
+the processing of the second language entry.
+The existing bug can be reproduced by adding a second language table
+to the structure "strings" in tools/usb/ffs-test.c.
+
+Signed-off-by: Dean Anderson <dean@sensoray.com>
+Link: https://lore.kernel.org/r/20210317224109.21534-1-dean@sensoray.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2543,6 +2543,7 @@ static int __ffs_data_got_strings(struct
+
+ do { /* lang_count > 0 so we can use do-while */
+ unsigned needed = needed_count;
++ u32 str_per_lang = str_count;
+
+ if (unlikely(len < 3))
+ goto error_free;
+@@ -2578,7 +2579,7 @@ static int __ffs_data_got_strings(struct
+
+ data += length + 1;
+ len -= length + 1;
+- } while (--str_count);
++ } while (--str_per_lang);
+
+ s->id = 0; /* terminator */
+ s->s = NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
