--- /dev/null
+From 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Sun, 27 Mar 2022 14:08:22 +0800
+Subject: ALSA: cs4236: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream.
+
+The bug is here:
+ err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev);
+
+The list iterator value 'cdev' will *always* be set and non-NULL
+by list_for_each_entry(), so it is incorrect to assume that the
+iterator value will be NULL if the list is empty or no element
+is found.
+
+To fix the bug, use a new variable 'iter' as the list iterator,
+while use the original variable 'cdev' as a dedicated pointer
+to point to the found element. And snd_card_cs423x_pnp() itself
+has NULL check for cdev.
+
+Cc: stable@vger.kernel.org
+Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/cs423x/cs4236.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -494,7 +494,7 @@ static int snd_cs423x_pnpbios_detect(str
+ static int dev;
+ int err;
+ struct snd_card *card;
+- struct pnp_dev *cdev;
++ struct pnp_dev *cdev, *iter;
+ char cid[PNP_ID_LEN];
+
+ if (pnp_device_is_isapnp(pdev))
+@@ -510,9 +510,11 @@ static int snd_cs423x_pnpbios_detect(str
+ strcpy(cid, pdev->id[0].id);
+ cid[5] = '1';
+ cdev = NULL;
+- list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) {
+- if (!strcmp(cdev->id[0].id, cid))
++ list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) {
++ if (!strcmp(iter->id[0].id, cid)) {
++ cdev = iter;
+ break;
++ }
+ }
+ err = snd_cs423x_card_new(&pdev->dev, dev, &card);
+ if (err < 0)
--- /dev/null
+From 6ddc2f749621d5d45ca03edc9f0616bcda136d29 Mon Sep 17 00:00:00 2001
+From: Mohan Kumar <mkumard@nvidia.com>
+Date: Tue, 29 Mar 2022 21:29:40 +0530
+Subject: ALSA: hda: Avoid unsol event during RPM suspending
+
+From: Mohan Kumar <mkumard@nvidia.com>
+
+commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream.
+
+There is a corner case with unsol event handling during codec runtime
+suspending state. When the codec runtime suspend call initiated, the
+codec->in_pm atomic variable would be 0, currently the codec runtime
+suspend function calls snd_hdac_enter_pm() which will just increments
+the codec->in_pm atomic variable. Consider unsol event happened just
+after this step and before snd_hdac_leave_pm() in the codec runtime
+suspend function. The snd_hdac_power_up_pm() in the unsol event
+flow in hdmi_present_sense_via_verbs() function would just increment
+the codec->in_pm atomic variable without calling pm_runtime_get_sync
+function.
+
+As codec runtime suspend flow is already in progress and in parallel
+unsol event is also accessing the codec verbs, as soon as codec
+suspend flow completes and clocks are switched off before completing
+the unsol event handling as both functions doesn't wait for each other.
+This will result in below errors
+
+[ 589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching
+to polling mode: last cmd=0x505f2f57
+[ 589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5,
+last cmd=0x505f2f57
+[ 589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5,
+last cmd=0x505f2f57
+
+To avoid this, the unsol event flow should not perform any codec verb
+related operations during RPM_SUSPENDING state.
+
+Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1617,6 +1617,7 @@ static void hdmi_present_sense_via_verbs
+ struct hda_codec *codec = per_pin->codec;
+ struct hdmi_spec *spec = codec->spec;
+ struct hdmi_eld *eld = &spec->temp_eld;
++ struct device *dev = hda_codec_dev(codec);
+ hda_nid_t pin_nid = per_pin->pin_nid;
+ int dev_id = per_pin->dev_id;
+ /*
+@@ -1630,8 +1631,13 @@ static void hdmi_present_sense_via_verbs
+ int present;
+ int ret;
+
++#ifdef CONFIG_PM
++ if (dev->power.runtime_status == RPM_SUSPENDING)
++ return;
++#endif
++
+ ret = snd_hda_power_up_pm(codec);
+- if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec)))
++ if (ret < 0 && pm_runtime_suspended(dev))
+ goto out;
+
+ present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id);
--- /dev/null
+From f30741cded62f87bb4b1cc58bc627f076abcaba8 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 30 Mar 2022 14:13:33 +0800
+Subject: ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream.
+
+Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording
+issue") is to solve recording issue met on AL236, by matching codec
+variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256.
+
+This match can be too broad and Mi Notebook Pro 2020 is broken by the
+patch.
+
+Instead, use codec ID to be narrow down the scope, in order to make
+ALC256 unaffected.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484
+Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3612,8 +3612,8 @@ static void alc256_shutup(struct hda_cod
+ /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
+ * when booting with headset plugged. So skip setting it for the codec alc257
+ */
+- if (spec->codec_variant != ALC269_TYPE_ALC257 &&
+- spec->codec_variant != ALC269_TYPE_ALC256)
++ if (codec->core.vendor_id != 0x10ec0236 &&
++ codec->core.vendor_id != 0x10ec0257)
+ alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
+
+ if (!spec->no_shutup_pins)
--- /dev/null
+From bc55cfd5718c7c23e5524582e9fa70b4d10f2433 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Mar 2022 14:09:03 +0200
+Subject: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream.
+
+syzbot caught a potential deadlock between the PCM
+runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
+recent fix to cover the racy read/write and other ioctls, and in that
+commit, I overlooked a (hopefully only) corner case that may take the
+revert lock, namely, the OSS mmap. The OSS mmap operation
+exceptionally allows to re-configure the parameters inside the OSS
+mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
+copy_from/to_user calls at read/write operations also take the
+mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.
+
+A similar problem was already seen in the past and we fixed it with a
+refcount (in commit b248371628aa). The former fix covered only the
+call paths with OSS read/write and OSS ioctls, while we need to cover
+the concurrent access via both ALSA and OSS APIs now.
+
+This patch addresses the problem above by replacing the buffer_mutex
+lock in the read/write operations with a refcount similar as we've
+used for OSS. The new field, runtime->buffer_accessing, keeps the
+number of concurrent read/write operations. Unlike the former
+buffer_mutex protection, this protects only around the
+copy_from/to_user() calls; the other codes are basically protected by
+the PCM stream lock. The refcount can be a negative, meaning blocked
+by the ioctls. If a negative value is seen, the read/write aborts
+with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
+and set to a negative value for blocking unless it's already being
+accessed.
+
+Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com
+Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com
+Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/sound/pcm.h | 1 +
+ sound/core/pcm.c | 1 +
+ sound/core/pcm_lib.c | 9 +++++----
+ sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++-------
+ 4 files changed, 39 insertions(+), 11 deletions(-)
+
+--- a/include/sound/pcm.h
++++ b/include/sound/pcm.h
+@@ -399,6 +399,7 @@ struct snd_pcm_runtime {
+ struct fasync_struct *fasync;
+ bool stop_operating; /* sync_stop will be called */
+ struct mutex buffer_mutex; /* protect for buffer changes */
++ atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */
+
+ /* -- private section -- */
+ void *private_data;
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_
+
+ runtime->status->state = SNDRV_PCM_STATE_OPEN;
+ mutex_init(&runtime->buffer_mutex);
++ atomic_set(&runtime->buffer_accessing, 0);
+
+ substream->runtime = runtime;
+ substream->private_data = pcm->private_data;
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1905,11 +1905,9 @@ static int wait_for_avail(struct snd_pcm
+ if (avail >= runtime->twake)
+ break;
+ snd_pcm_stream_unlock_irq(substream);
+- mutex_unlock(&runtime->buffer_mutex);
+
+ tout = schedule_timeout(wait_time);
+
+- mutex_lock(&runtime->buffer_mutex);
+ snd_pcm_stream_lock_irq(substream);
+ set_current_state(TASK_INTERRUPTIBLE);
+ switch (runtime->status->state) {
+@@ -2203,7 +2201,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+
+ nonblock = !!(substream->f_flags & O_NONBLOCK);
+
+- mutex_lock(&runtime->buffer_mutex);
+ snd_pcm_stream_lock_irq(substream);
+ err = pcm_accessible_state(runtime);
+ if (err < 0)
+@@ -2258,10 +2255,15 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+ err = -EINVAL;
+ goto _end_unlock;
+ }
++ if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) {
++ err = -EBUSY;
++ goto _end_unlock;
++ }
+ snd_pcm_stream_unlock_irq(substream);
+ err = writer(substream, appl_ofs, data, offset, frames,
+ transfer);
+ snd_pcm_stream_lock_irq(substream);
++ atomic_dec(&runtime->buffer_accessing);
+ if (err < 0)
+ goto _end_unlock;
+ err = pcm_accessible_state(runtime);
+@@ -2291,7 +2293,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+ if (xfer > 0 && err >= 0)
+ snd_pcm_update_state(substream, runtime);
+ snd_pcm_stream_unlock_irq(substream);
+- mutex_unlock(&runtime->buffer_mutex);
+ return xfer > 0 ? (snd_pcm_sframes_t)xfer : err;
+ }
+ EXPORT_SYMBOL(__snd_pcm_lib_xfer);
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -672,6 +672,24 @@ static int snd_pcm_hw_params_choose(stru
+ return 0;
+ }
+
++/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise
++ * block the further r/w operations
++ */
++static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime)
++{
++ if (!atomic_dec_unless_positive(&runtime->buffer_accessing))
++ return -EBUSY;
++ mutex_lock(&runtime->buffer_mutex);
++ return 0; /* keep buffer_mutex, unlocked by below */
++}
++
++/* release buffer_mutex and clear r/w access flag */
++static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime)
++{
++ mutex_unlock(&runtime->buffer_mutex);
++ atomic_inc(&runtime->buffer_accessing);
++}
++
+ #if IS_ENABLED(CONFIG_SND_PCM_OSS)
+ #define is_oss_stream(substream) ((substream)->oss.oss)
+ #else
+@@ -682,14 +700,16 @@ static int snd_pcm_hw_params(struct snd_
+ struct snd_pcm_hw_params *params)
+ {
+ struct snd_pcm_runtime *runtime;
+- int err = 0, usecs;
++ int err, usecs;
+ unsigned int bits;
+ snd_pcm_uframes_t frames;
+
+ if (PCM_RUNTIME_CHECK(substream))
+ return -ENXIO;
+ runtime = substream->runtime;
+- mutex_lock(&runtime->buffer_mutex);
++ err = snd_pcm_buffer_access_lock(runtime);
++ if (err < 0)
++ return err;
+ snd_pcm_stream_lock_irq(substream);
+ switch (runtime->status->state) {
+ case SNDRV_PCM_STATE_OPEN:
+@@ -807,7 +827,7 @@ static int snd_pcm_hw_params(struct snd_
+ snd_pcm_lib_free_pages(substream);
+ }
+ unlock:
+- mutex_unlock(&runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(runtime);
+ return err;
+ }
+
+@@ -852,7 +872,9 @@ static int snd_pcm_hw_free(struct snd_pc
+ if (PCM_RUNTIME_CHECK(substream))
+ return -ENXIO;
+ runtime = substream->runtime;
+- mutex_lock(&runtime->buffer_mutex);
++ result = snd_pcm_buffer_access_lock(runtime);
++ if (result < 0)
++ return result;
+ snd_pcm_stream_lock_irq(substream);
+ switch (runtime->status->state) {
+ case SNDRV_PCM_STATE_SETUP:
+@@ -871,7 +893,7 @@ static int snd_pcm_hw_free(struct snd_pc
+ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
+ cpu_latency_qos_remove_request(&substream->latency_pm_qos_req);
+ unlock:
+- mutex_unlock(&runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(runtime);
+ return result;
+ }
+
+@@ -1356,12 +1378,15 @@ static int snd_pcm_action_nonatomic(cons
+
+ /* Guarantee the group members won't change during non-atomic action */
+ down_read(&snd_pcm_link_rwsem);
+- mutex_lock(&substream->runtime->buffer_mutex);
++ res = snd_pcm_buffer_access_lock(substream->runtime);
++ if (res < 0)
++ goto unlock;
+ if (snd_pcm_stream_linked(substream))
+ res = snd_pcm_action_group(ops, substream, state, false);
+ else
+ res = snd_pcm_action_single(ops, substream, state);
+- mutex_unlock(&substream->runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(substream->runtime);
++ unlock:
+ up_read(&snd_pcm_link_rwsem);
+ return res;
+ }
--- /dev/null
+From d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Tue, 29 Mar 2022 16:20:06 -0300
+Subject: cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.
+
+When calling smb2_ioctl_query_info() with invalid
+smb_query_info::flags, a NULL ptr dereference is triggered when trying
+to kfree() uninitialised rqst[n].rq_iov array.
+
+This also fixes leaked paths that are created in SMB2_open_init()
+which required SMB2_open_free() to properly free them.
+
+Here is a small C reproducer that triggers it
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ #define die(s) perror(s), exit(1)
+ #define QUERY_INFO 0xc018cf07
+
+ int main(int argc, char *argv[])
+ {
+ int fd;
+
+ if (argc < 2)
+ exit(1);
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1)
+ die("open");
+ if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
+ die("ioctl");
+ close(fd);
+ return 0;
+ }
+
+ mount.cifs //srv/share /mnt -o ...
+ gcc repro.c && ./a.out /mnt/f0
+
+ [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
+ [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
+ [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+ [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
+ [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
+ [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
+ [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
+ [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
+ [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
+ [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
+ [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
+ [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
+ [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
+ [ 1832.132801] Call Trace:
+ [ 1832.132962] <TASK>
+ [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
+ [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs]
+ [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
+ [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
+ [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs]
+ [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs]
+ [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs]
+ [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0
+ [ 1832.137096] ? __up_read+0x192/0x710
+ [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0
+ [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0
+ [ 1832.137850] __x64_sys_ioctl+0x127/0x190
+ [ 1832.138103] do_syscall_64+0x3b/0x90
+ [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 1832.138702] RIP: 0033:0x7fcee9a253df
+ [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+ [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
+ [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
+ [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
+ [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
+ [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
+ [ 1832.142851] </TASK>
+ [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 124 ++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 65 insertions(+), 59 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1631,6 +1631,7 @@ smb2_ioctl_query_info(const unsigned int
+ unsigned int size[2];
+ void *data[2];
+ int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
++ void (*free_req1_func)(struct smb_rqst *r);
+
+ vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
+ if (vars == NULL)
+@@ -1640,17 +1641,18 @@ smb2_ioctl_query_info(const unsigned int
+
+ resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+
+- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
+- goto e_fault;
+-
++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
++ rc = -EFAULT;
++ goto free_vars;
++ }
+ if (qi.output_buffer_length > 1024) {
+- kfree(vars);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto free_vars;
+ }
+
+ if (!ses || !server) {
+- kfree(vars);
+- return -EIO;
++ rc = -EIO;
++ goto free_vars;
+ }
+
+ if (smb3_encryption_required(tcon))
+@@ -1659,8 +1661,8 @@ smb2_ioctl_query_info(const unsigned int
+ if (qi.output_buffer_length) {
+ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
+ if (IS_ERR(buffer)) {
+- kfree(vars);
+- return PTR_ERR(buffer);
++ rc = PTR_ERR(buffer);
++ goto free_vars;
+ }
+ }
+
+@@ -1699,48 +1701,45 @@ smb2_ioctl_query_info(const unsigned int
+ rc = SMB2_open_init(tcon, server,
+ &rqst[0], &oplock, &oparms, path);
+ if (rc)
+- goto iqinf_exit;
++ goto free_output_buffer;
+ smb2_set_next_command(tcon, &rqst[0]);
+
+ /* Query */
+ if (qi.flags & PASSTHRU_FSCTL) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else {
+- rqst[1].rq_iov = &vars->io_iov[0];
+- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
+-
+- rc = SMB2_ioctl_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- qi.info_type, true, buffer,
+- qi.output_buffer_length,
+- CIFSMaxBufSize -
+- MAX_SMB2_CREATE_RESPONSE_SIZE -
+- MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ goto free_open_req;
+ }
++ rqst[1].rq_iov = &vars->io_iov[0];
++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
++
++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ qi.info_type, true, buffer, qi.output_buffer_length,
++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
++ MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ free_req1_func = SMB2_ioctl_free;
+ } else if (qi.flags == PASSTHRU_SET_INFO) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else if (qi.output_buffer_length < 8)
++ goto free_open_req;
++ }
++ if (qi.output_buffer_length < 8) {
+ rc = -EINVAL;
+- else {
+- rqst[1].rq_iov = &vars->si_iov[0];
+- rqst[1].rq_nvec = 1;
+-
+- /* MS-FSCC 2.4.13 FileEndOfFileInformation */
+- size[0] = 8;
+- data[0] = buffer;
+-
+- rc = SMB2_set_info_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- current->tgid,
+- FILE_END_OF_FILE_INFORMATION,
+- SMB2_O_INFO_FILE, 0, data, size);
++ goto free_open_req;
+ }
++ rqst[1].rq_iov = &vars->si_iov[0];
++ rqst[1].rq_nvec = 1;
++
++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
++ size[0] = 8;
++ data[0] = buffer;
++
++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ current->tgid, FILE_END_OF_FILE_INFORMATION,
++ SMB2_O_INFO_FILE, 0, data, size);
++ free_req1_func = SMB2_set_info_free;
+ } else if (qi.flags == PASSTHRU_QUERY_INFO) {
+ rqst[1].rq_iov = &vars->qi_iov[0];
+ rqst[1].rq_nvec = 1;
+@@ -1751,6 +1750,7 @@ smb2_ioctl_query_info(const unsigned int
+ qi.info_type, qi.additional_information,
+ qi.input_buffer_length,
+ qi.output_buffer_length, buffer);
++ free_req1_func = SMB2_query_info_free;
+ } else { /* unknown flags */
+ cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
+ qi.flags);
+@@ -1758,7 +1758,7 @@ smb2_ioctl_query_info(const unsigned int
+ }
+
+ if (rc)
+- goto iqinf_exit;
++ goto free_open_req;
+ smb2_set_next_command(tcon, &rqst[1]);
+ smb2_set_related(&rqst[1]);
+
+@@ -1769,14 +1769,14 @@ smb2_ioctl_query_info(const unsigned int
+ rc = SMB2_close_init(tcon, server,
+ &rqst[2], COMPOUND_FID, COMPOUND_FID, false);
+ if (rc)
+- goto iqinf_exit;
++ goto free_req_1;
+ smb2_set_related(&rqst[2]);
+
+ rc = compound_send_recv(xid, ses, server,
+ flags, 3, rqst,
+ resp_buftype, rsp_iov);
+ if (rc)
+- goto iqinf_exit;
++ goto out;
+
+ /* No need to bump num_remote_opens since handle immediately closed */
+ if (qi.flags & PASSTHRU_FSCTL) {
+@@ -1786,18 +1786,22 @@ smb2_ioctl_query_info(const unsigned int
+ qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+ if (qi.input_buffer_length > 0 &&
+ le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
+- > rsp_iov[1].iov_len)
+- goto e_fault;
++ > rsp_iov[1].iov_len) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+ (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ } else {
+ pqi = (struct smb_query_info __user *)arg;
+ qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
+@@ -1805,28 +1809,30 @@ smb2_ioctl_query_info(const unsigned int
+ qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(pqi + 1, qi_rsp->Buffer,
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ }
+
+- iqinf_exit:
+- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
++out:
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
+ free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
+ free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
+- kfree(vars);
++ SMB2_close_free(&rqst[2]);
++free_req_1:
++ free_req1_func(&rqst[1]);
++free_open_req:
++ SMB2_open_free(&rqst[0]);
++free_output_buffer:
+ kfree(buffer);
++free_vars:
++ kfree(vars);
+ return rc;
+-
+-e_fault:
+- rc = -EFAULT;
+- goto iqinf_exit;
+ }
+
+ static ssize_t
--- /dev/null
+From b92e358757b91c2827af112cae9af513f26a3f34 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Tue, 29 Mar 2022 16:20:05 -0300
+Subject: cifs: prevent bad output lengths in smb2_ioctl_query_info()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.
+
+When calling smb2_ioctl_query_info() with
+smb_query_info::flags=PASSTHRU_FSCTL and
+smb_query_info::output_buffer_length=0, the following would return
+0x10
+
+ buffer = memdup_user(arg + sizeof(struct smb_query_info),
+ qi.output_buffer_length);
+ if (IS_ERR(buffer)) {
+ kfree(vars);
+ return PTR_ERR(buffer);
+ }
+
+rather than a valid pointer thus making IS_ERR() check fail. This
+would then cause a NULL ptr deference in @buffer when accessing it
+later in smb2_ioctl_query_ioctl(). While at it, prevent having a
+@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
+FileEndOfFileInformation requests when
+smb_query_info::flags=PASSTHRU_SET_INFO.
+
+Here is a small C reproducer which triggers a NULL ptr in @buffer when
+passing an invalid smb_query_info::flags
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ #define die(s) perror(s), exit(1)
+ #define QUERY_INFO 0xc018cf07
+
+ int main(int argc, char *argv[])
+ {
+ int fd;
+
+ if (argc < 2)
+ exit(1);
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1)
+ die("open");
+ if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
+ die("ioctl");
+ close(fd);
+ return 0;
+ }
+
+ mount.cifs //srv/share /mnt -o ...
+ gcc repro.c && ./a.out /mnt/f0
+
+ [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
+ [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+ [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
+ [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
+ [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
+ [ 114.146131] Call Trace:
+ [ 114.146291] <TASK>
+ [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
+ [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
+ [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
+ [ 114.147775] ? dentry_path_raw+0xa6/0xf0
+ [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
+ [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
+ [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
+ [ 114.149371] ? lock_downgrade+0x6f0/0x6f0
+ [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
+ [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
+ [ 114.150562] ? __up_read+0x192/0x710
+ [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
+ [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
+ [ 114.151296] __x64_sys_ioctl+0x127/0x190
+ [ 114.151549] do_syscall_64+0x3b/0x90
+ [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 114.152079] RIP: 0033:0x7f7aead043df
+ [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+ [ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
+ [ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
+ [ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
+ [ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
+ [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
+ [ 114.156071] </TASK>
+ [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
+ [ 114.156608] ---[ end trace 0000000000000000 ]---
+ [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
+ [ 114.156071] </TASK>
+ [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
+ [ 114.156608] ---[ end trace 0000000000000000 ]---
+ [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
+ [ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
+ [ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
+ [ 114.163691] Kernel panic - not syncing: Fatal exception
+ [ 114.164087] Kernel Offset: disabled
+ [ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1656,11 +1656,12 @@ smb2_ioctl_query_info(const unsigned int
+ if (smb3_encryption_required(tcon))
+ flags |= CIFS_TRANSFORM_REQ;
+
+- buffer = memdup_user(arg + sizeof(struct smb_query_info),
+- qi.output_buffer_length);
+- if (IS_ERR(buffer)) {
+- kfree(vars);
+- return PTR_ERR(buffer);
++ if (qi.output_buffer_length) {
++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
++ if (IS_ERR(buffer)) {
++ kfree(vars);
++ return PTR_ERR(buffer);
++ }
+ }
+
+ /* Open */
+@@ -1723,10 +1724,13 @@ smb2_ioctl_query_info(const unsigned int
+ /* Can eventually relax perm check since server enforces too */
+ if (!capable(CAP_SYS_ADMIN))
+ rc = -EPERM;
+- else {
++ else if (qi.output_buffer_length < 8)
++ rc = -EINVAL;
++ else {
+ rqst[1].rq_iov = &vars->si_iov[0];
+ rqst[1].rq_nvec = 1;
+
++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
+ size[0] = 8;
+ data[0] = buffer;
+
--- /dev/null
+From de19433423c7bedabbd4f9a25f7dbc62c5e78921 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Fri, 1 Apr 2022 11:28:15 -0700
+Subject: ocfs2: fix crash when mount with quota enabled
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit de19433423c7bedabbd4f9a25f7dbc62c5e78921 upstream.
+
+There is a reported crash when mounting ocfs2 with quota enabled.
+
+ RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]
+ Call Trace:
+ ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]
+ dquot_load_quota_sb+0x216/0x470
+ dquot_load_quota_inode+0x85/0x100
+ ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]
+ ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]
+ mount_bdev+0x185/0x1b0
+ legacy_get_tree+0x27/0x40
+ vfs_get_tree+0x25/0xb0
+ path_mount+0x465/0xac0
+ __x64_sys_mount+0x103/0x140
+
+It is caused by when initializing dqi_gqlock, the corresponding dqi_type
+and dqi_sb are not properly initialized.
+
+This issue is introduced by commit 6c85c2c72819, which wants to avoid
+accessing uninitialized variables in error cases. So make global quota
+info properly initialized.
+
+Link: https://lkml.kernel.org/r/20220323023644.40084-1-joseph.qi@linux.alibaba.com
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007141
+Fixes: 6c85c2c72819 ("ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info()")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Dayvison <sathlerds@gmail.com>
+Tested-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/quota_global.c | 23 ++++++++++++-----------
+ fs/ocfs2/quota_local.c | 2 --
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -337,7 +337,6 @@ void ocfs2_unlock_global_qf(struct ocfs2
+ /* Read information header from global quota file */
+ int ocfs2_global_read_info(struct super_block *sb, int type)
+ {
+- struct inode *gqinode = NULL;
+ unsigned int ino[OCFS2_MAXQUOTAS] = { USER_QUOTA_SYSTEM_INODE,
+ GROUP_QUOTA_SYSTEM_INODE };
+ struct ocfs2_global_disk_dqinfo dinfo;
+@@ -346,29 +345,31 @@ int ocfs2_global_read_info(struct super_
+ u64 pcount;
+ int status;
+
++ oinfo->dqi_gi.dqi_sb = sb;
++ oinfo->dqi_gi.dqi_type = type;
++ ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo);
++ oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk);
++ oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops;
++ oinfo->dqi_gqi_bh = NULL;
++ oinfo->dqi_gqi_count = 0;
++
+ /* Read global header */
+- gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type],
++ oinfo->dqi_gqinode = ocfs2_get_system_file_inode(OCFS2_SB(sb), ino[type],
+ OCFS2_INVALID_SLOT);
+- if (!gqinode) {
++ if (!oinfo->dqi_gqinode) {
+ mlog(ML_ERROR, "failed to get global quota inode (type=%d)\n",
+ type);
+ status = -EINVAL;
+ goto out_err;
+ }
+- oinfo->dqi_gi.dqi_sb = sb;
+- oinfo->dqi_gi.dqi_type = type;
+- oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk);
+- oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops;
+- oinfo->dqi_gqi_bh = NULL;
+- oinfo->dqi_gqi_count = 0;
+- oinfo->dqi_gqinode = gqinode;
++
+ status = ocfs2_lock_global_qf(oinfo, 0);
+ if (status < 0) {
+ mlog_errno(status);
+ goto out_err;
+ }
+
+- status = ocfs2_extent_map_get_blocks(gqinode, 0, &oinfo->dqi_giblk,
++ status = ocfs2_extent_map_get_blocks(oinfo->dqi_gqinode, 0, &oinfo->dqi_giblk,
+ &pcount, NULL);
+ if (status < 0)
+ goto out_unlock;
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -702,8 +702,6 @@ static int ocfs2_local_read_info(struct
+ info->dqi_priv = oinfo;
+ oinfo->dqi_type = type;
+ INIT_LIST_HEAD(&oinfo->dqi_chunk);
+- oinfo->dqi_gqinode = NULL;
+- ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo);
+ oinfo->dqi_rec = NULL;
+ oinfo->dqi_lqi_bh = NULL;
+ oinfo->dqi_libh = NULL;
--- /dev/null
+From 8b188fba75195745026e11d408e4a7e94e01d701 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Thu, 31 Mar 2022 21:15:36 -0700
+Subject: Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream.
+
+This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40.
+
+The touchpad present in the Dell Precision 7550 and 7750 laptops
+reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However,
+the device is not a clickpad, it is a touchpad with physical buttons.
+
+In order to fix this issue, a quirk for the device was introduced in
+libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property:
+
+ [Precision 7x50 Touchpad]
+ MatchBus=i2c
+ MatchUdevType=touchpad
+ MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50*
+ AttrInputPropDisable=INPUT_PROP_BUTTONPAD
+
+However, because of the change introduced in 37ef4c19b4 ("Input: clear
+BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped
+anymore breaking the device right click button and making impossible to
+workaround it in user space.
+
+In order to avoid breakage on other present or future devices, revert
+the patch causing the issue.
+
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/input.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -2285,12 +2285,6 @@ int input_register_device(struct input_d
+ /* KEY_RESERVED is not supposed to be transmitted to userspace. */
+ __clear_bit(KEY_RESERVED, dev->keybit);
+
+- /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */
+- if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) {
+- __clear_bit(BTN_RIGHT, dev->keybit);
+- __clear_bit(BTN_MIDDLE, dev->keybit);
+- }
+-
+ /* Make sure that bitmasks not mentioned in dev->evbit are clean. */
+ input_cleanse_bitmasks(dev);
+
--- /dev/null
+From 6846d656106add3aeefcd6eda0dc885787deaa6e Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@wdc.com>
+Date: Tue, 8 Mar 2022 14:28:05 +0100
+Subject: riscv: dts: canaan: Fix SPI3 bus width
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+commit 6846d656106add3aeefcd6eda0dc885787deaa6e upstream.
+
+According to the K210 Standalone SDK Programming guide:
+https://canaan-creative.com/wp-content/uploads/2020/03/kendryte_standalone_programming_guide_20190311144158_en.pdf
+
+Section 15.4.3.3:
+SPI0 and SPI1 supports: standard, dual, quad and octal transfers.
+SPI3 supports: standard, dual and quad transfers (octal is not supported).
+
+In order to support quad transfers (Quad SPI), SPI3 must have four IO wires
+connected to the SPI flash.
+
+Update the device tree to specify the correct bus width.
+
+Tested on maix bit, maix dock and maixduino, which all have the same
+SPI flash (gd25lq128d) connected to SPI3. maix go is untested, but it
+would not make sense for this k210 board to be designed differently.
+
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Fixes: 8f5b0e79f3e5 ("riscv: Add SiPeed MAIXDUINO board device tree")
+Fixes: 8194f08bda18 ("riscv: Add SiPeed MAIX GO board device tree")
+Fixes: a40f920964c4 ("riscv: Add SiPeed MAIX DOCK board device tree")
+Fixes: 97c279bcf813 ("riscv: Add SiPeed MAIX BiT board device tree")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts | 2 ++
+ arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts | 2 ++
+ arch/riscv/boot/dts/canaan/sipeed_maix_go.dts | 2 ++
+ arch/riscv/boot/dts/canaan/sipeed_maixduino.dts | 2 ++
+ 4 files changed, 8 insertions(+)
+
+--- a/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts
++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_bit.dts
+@@ -203,6 +203,8 @@
+ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <50000000>;
++ spi-tx-bus-width = <4>;
++ spi-rx-bus-width = <4>;
+ m25p,fast-read;
+ broken-flash-reset;
+ };
+--- a/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts
++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_dock.dts
+@@ -205,6 +205,8 @@
+ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <50000000>;
++ spi-tx-bus-width = <4>;
++ spi-rx-bus-width = <4>;
+ m25p,fast-read;
+ broken-flash-reset;
+ };
+--- a/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts
++++ b/arch/riscv/boot/dts/canaan/sipeed_maix_go.dts
+@@ -213,6 +213,8 @@
+ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <50000000>;
++ spi-tx-bus-width = <4>;
++ spi-rx-bus-width = <4>;
+ m25p,fast-read;
+ broken-flash-reset;
+ };
+--- a/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts
++++ b/arch/riscv/boot/dts/canaan/sipeed_maixduino.dts
+@@ -178,6 +178,8 @@
+ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <50000000>;
++ spi-tx-bus-width = <4>;
++ spi-rx-bus-width = <4>;
+ m25p,fast-read;
+ broken-flash-reset;
+ };
--- /dev/null
+From 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f Mon Sep 17 00:00:00 2001
+From: Nikita Shubin <n.shubin@yadro.com>
+Date: Fri, 11 Mar 2022 09:58:15 +0300
+Subject: riscv: Fix fill_callchain return value
+
+From: Nikita Shubin <n.shubin@yadro.com>
+
+commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream.
+
+perf_callchain_store return 0 on success, -1 otherwise,
+fix fill_callchain to return correct bool value.
+
+Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
+Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/perf_callchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/perf_callchain.c
++++ b/arch/riscv/kernel/perf_callchain.c
+@@ -73,7 +73,7 @@ void perf_callchain_user(struct perf_cal
+
+ static bool fill_callchain(void *entry, unsigned long pc)
+ {
+- return perf_callchain_store(entry, pc);
++ return perf_callchain_store(entry, pc) == 0;
+ }
+
+ void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry,
--- /dev/null
+From b81d591386c3a50b96dddcf663628ea0df0bf2b3 Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Mon, 14 Mar 2022 10:06:52 +0100
+Subject: riscv: Increase stack size under KASAN
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream.
+
+KASAN requires more stack space because of compiler instrumentation.
+Increase stack size as other arches do.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com
+Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/thread_info.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/thread_info.h
++++ b/arch/riscv/include/asm/thread_info.h
+@@ -11,11 +11,17 @@
+ #include <asm/page.h>
+ #include <linux/const.h>
+
++#ifdef CONFIG_KASAN
++#define KASAN_STACK_ORDER 1
++#else
++#define KASAN_STACK_ORDER 0
++#endif
++
+ /* thread information allocation */
+ #ifdef CONFIG_64BIT
+-#define THREAD_SIZE_ORDER (2)
++#define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER)
+ #else
+-#define THREAD_SIZE_ORDER (1)
++#define THREAD_SIZE_ORDER (1 + KASAN_STACK_ORDER)
+ #endif
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+
--- /dev/null
+From 811f5559270f25c34c338d6eaa2ece2544c3d3bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
+Date: Sun, 20 Feb 2022 10:04:03 +0100
+Subject: rtc: mc146818-lib: fix locking in mc146818_set_time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk <mat.jonczyk@o2.pl>
+
+commit 811f5559270f25c34c338d6eaa2ece2544c3d3bd upstream.
+
+In mc146818_set_time(), CMOS_READ(RTC_CONTROL) was performed without the
+rtc_lock taken, which is required for CMOS accesses. Fix this.
+
+Nothing in kernel modifies RTC_DM_BINARY, so a separate critical section
+is allowed here.
+
+Fixes: dcf257e92622 ("rtc: mc146818: Reduce spinlock section in mc146818_set_time()")
+Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220220090403.153928-1-mat.jonczyk@o2.pl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-mc146818-lib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-mc146818-lib.c
++++ b/drivers/rtc/rtc-mc146818-lib.c
+@@ -176,8 +176,10 @@ int mc146818_set_time(struct rtc_time *t
+ if (yrs >= 100)
+ yrs -= 100;
+
+- if (!(CMOS_READ(RTC_CONTROL) & RTC_DM_BINARY)
+- || RTC_ALWAYS_BCD) {
++ spin_lock_irqsave(&rtc_lock, flags);
++ save_control = CMOS_READ(RTC_CONTROL);
++ spin_unlock_irqrestore(&rtc_lock, flags);
++ if (!(save_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
+ sec = bin2bcd(sec);
+ min = bin2bcd(min);
+ hrs = bin2bcd(hrs);
--- /dev/null
+From ea6af39f3da50c86367a71eb3cc674ade3ed244c Mon Sep 17 00:00:00 2001
+From: Ali Pouladi <quic_apouladi@quicinc.com>
+Date: Fri, 25 Feb 2022 08:19:24 -0800
+Subject: rtc: pl031: fix rtc features null pointer dereference
+
+From: Ali Pouladi <quic_apouladi@quicinc.com>
+
+commit ea6af39f3da50c86367a71eb3cc674ade3ed244c upstream.
+
+When there is no interrupt line, rtc alarm feature is disabled.
+
+The clearing of the alarm feature bit was being done prior to allocations
+of ldata->rtc device, resulting in a null pointer dereference.
+
+Clear RTC_FEATURE_ALARM after the rtc device is allocated.
+
+Fixes: d9b0dd54a194 ("rtc: pl031: use RTC_FEATURE_ALARM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ali Pouladi <quic_apouladi@quicinc.com>
+Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220225161924.274141-1-quic_eberman@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pl031.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/rtc/rtc-pl031.c
++++ b/drivers/rtc/rtc-pl031.c
+@@ -350,9 +350,6 @@ static int pl031_probe(struct amba_devic
+ }
+ }
+
+- if (!adev->irq[0])
+- clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features);
+-
+ device_init_wakeup(&adev->dev, true);
+ ldata->rtc = devm_rtc_allocate_device(&adev->dev);
+ if (IS_ERR(ldata->rtc)) {
+@@ -360,6 +357,9 @@ static int pl031_probe(struct amba_devic
+ goto out;
+ }
+
++ if (!adev->irq[0])
++ clear_bit(RTC_FEATURE_ALARM, ldata->rtc->features);
++
+ ldata->rtc->ops = ops;
+ ldata->rtc->range_min = vendor->range_min;
+ ldata->rtc->range_max = vendor->range_max;
scsi-libsas-fix-sas_ata_qc_issue-handling-of-ncq-non-data-commands.patch
qed-display-vf-trust-config.patch
qed-validate-and-restrict-untrusted-vfs-vlan-promisc-mode.patch
+riscv-dts-canaan-fix-spi3-bus-width.patch
+riscv-fix-fill_callchain-return-value.patch
+riscv-increase-stack-size-under-kasan.patch
+revert-input-clear-btn_right-middle-on-buttonpads.patch
+cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch
+cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch
+alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch
+alsa-hda-avoid-unsol-event-during-rpm-suspending.patch
+alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch
+alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch
+rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch
+rtc-pl031-fix-rtc-features-null-pointer-dereference.patch
+ocfs2-fix-crash-when-mount-with-quota-enabled.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
