5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Sep 2021 09:44:55 +0000 (11:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Sep 2021 09:44:55 +0000 (11:44 +0200)
added patches:
bio-fix-page-leak-bio_add_hw_page-failure.patch
io_uring-ioring_op_write-needs-hash_reg_file-set.patch
time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch

queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch [new file with mode: 0644]
queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch [new file with mode: 0644]
queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch [new file with mode: 0644]

diff --git a/queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch b/queue-5.10/bio-fix-page-leak-bio_add_hw_page-failure.patch
new file mode 100644 (file)
index 0000000..9efaa94
--- /dev/null
@@ -0,0 +1,62 @@
+From d9cf3bd531844ffbfe94b16e417037a16efc988d Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 19 Jul 2021 11:53:00 +0100
+Subject: bio: fix page leak bio_add_hw_page failure
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit d9cf3bd531844ffbfe94b16e417037a16efc988d upstream.
+
+__bio_iov_append_get_pages() doesn't put not appended pages on
+bio_add_hw_page() failure, so potentially leaking them, fix it. Also, do
+the same for __bio_iov_iter_get_pages(), even though it looks like it
+can't be triggered by userspace in this case.
+
+Fixes: 0512a75b98f8 ("block: Introduce REQ_OP_ZONE_APPEND")
+Cc: stable@vger.kernel.org # 5.8+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/1edfa6a2ffd66d55e6345a477df5387d2c1415d0.1626653825.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio.c |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -978,6 +978,14 @@ static int __bio_iov_bvec_add_pages(stru
+       return 0;
+ }
++static void bio_put_pages(struct page **pages, size_t size, size_t off)
++{
++      size_t i, nr = DIV_ROUND_UP(size + (off & ~PAGE_MASK), PAGE_SIZE);
++
++      for (i = 0; i < nr; i++)
++              put_page(pages[i]);
++}
++
+ #define PAGE_PTRS_PER_BVEC     (sizeof(struct bio_vec) / sizeof(struct page *))
+ /**
+@@ -1022,8 +1030,10 @@ static int __bio_iov_iter_get_pages(stru
+                       if (same_page)
+                               put_page(page);
+               } else {
+-                      if (WARN_ON_ONCE(bio_full(bio, len)))
+-                                return -EINVAL;
++                      if (WARN_ON_ONCE(bio_full(bio, len))) {
++                              bio_put_pages(pages + i, left, offset);
++                              return -EINVAL;
++                      }
+                       __bio_add_page(bio, page, len, offset);
+               }
+               offset = 0;
+@@ -1068,6 +1078,7 @@ static int __bio_iov_append_get_pages(st
+               len = min_t(size_t, PAGE_SIZE - offset, left);
+               if (bio_add_hw_page(q, bio, page, len, offset,
+                               max_append_sectors, &same_page) != len) {
++                      bio_put_pages(pages + i, left, offset);
+                       ret = -EINVAL;
+                       break;
+               }
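Review bot: The new `bio_put_pages()` helper in block/bio.c has no comment stating its contract, and both call sites depend on it: `pages + i`, `left` and `offset` must describe exactly the pages that still hold a reference, or the loop drops too many or too few. I would add above it `/* Drop the references on the pages that cover @size bytes starting at @off within pages[0]; for error paths where those pages were not added to the bio. */`. In `__bio_iov_iter_get_pages()` the call sits in the `else` branch, so from the visible lines it cannot run after the `same_page` `put_page(page)` for the same page, but both function bodies start and end outside the hunks and that should be confirmed against the full loop. The description implies the append path is the one that may be reachable from userspace, which makes a leaked page reference there a memory-exhaustion concern and a reason to have the count arithmetic written down.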
diff --git a/queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch b/queue-5.10/io_uring-ioring_op_write-needs-hash_reg_file-set.patch
new file mode 100644 (file)
index 0000000..ef93b0b
--- /dev/null
@@ -0,0 +1,35 @@
+From 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 30 Aug 2021 19:37:41 -0600
+Subject: io_uring: IORING_OP_WRITE needs hash_reg_file set
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 upstream.
+
+During some testing, it became evident that using IORING_OP_WRITE doesn't
+hash buffered writes like the other writes commands do. That's simply
+an oversight, and can cause performance regressions when doing buffered
+writes with this command.
+
+Correct that and add the flag, so that buffered writes are correctly
+hashed when using the non-iovec based write command.
+
+Cc: stable@vger.kernel.org
+Fixes: 3a6820f2bb8a ("io_uring: add non-vectored read/write commands")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -889,6 +889,7 @@ static const struct io_op_def io_op_defs
+       },
+       [IORING_OP_WRITE] = {
+               .needs_file             = 1,
++              .hash_reg_file          = 1,
+               .unbound_nonreg_file    = 1,
+               .pollout                = 1,
+               .async_size             = sizeof(struct io_async_rw),
index 824beeade077d0a61d74b8a1614a0aa8e792b7a6..5534409430ab9600f470e864743d16bfc414c5e8 100644 (file)
@@ -215,3 +215,7 @@ ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch
 asoc-rt5682-remove-unused-variable-in-rt5682_i2c_remove.patch
 iwlwifi-add-support-for-ax201-in-samsung-galaxy-book-flex2-alpha.patch
 f2fs-guarantee-to-write-dirty-data-when-enabling-checkpoint-back.patch
+time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
+io_uring-ioring_op_write-needs-hash_reg_file-set.patch
+bio-fix-page-leak-bio_add_hw_page-failure.patch
+tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
diff --git a/queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch b/queue-5.10/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
new file mode 100644 (file)
index 0000000..72f5b06
--- /dev/null
@@ -0,0 +1,61 @@
+From 39ff83f2f6cc5cc1458dfcea9697f96338210beb Mon Sep 17 00:00:00 2001
+From: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+Date: Wed, 25 Aug 2021 10:12:43 +0000
+Subject: time: Handle negative seconds correctly in timespec64_to_ns()
+
+From: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+
+commit 39ff83f2f6cc5cc1458dfcea9697f96338210beb upstream.
+
+timespec64_ns() prevents multiplication overflows by comparing the seconds
+value of the timespec to KTIME_SEC_MAX. If the value is greater or equal it
+returns KTIME_MAX.
+
+But that check casts the signed seconds value to unsigned which makes the
+comparision true for all negative values and therefore return wrongly
+KTIME_MAX.
+
+Negative second values are perfectly valid and required in some places,
+e.g. ptp_clock_adjtime().
+
+Remove the cast and add a check for the negative boundary which is required
+to prevent undefined behaviour due to multiplication underflow.
+
+Fixes: cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")'
+Signed-off-by: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/AM6PR01MB541637BD6F336B8FFB72AF80EEC69@AM6PR01MB5416.eurprd01.prod.exchangelabs.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/time64.h |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/time64.h
++++ b/include/linux/time64.h
+@@ -25,7 +25,9 @@ struct itimerspec64 {
+ #define TIME64_MIN                    (-TIME64_MAX - 1)
+ #define KTIME_MAX                     ((s64)~((u64)1 << 63))
++#define KTIME_MIN                     (-KTIME_MAX - 1)
+ #define KTIME_SEC_MAX                 (KTIME_MAX / NSEC_PER_SEC)
++#define KTIME_SEC_MIN                 (KTIME_MIN / NSEC_PER_SEC)
+ /*
+  * Limits for settimeofday():
+@@ -124,10 +126,13 @@ static inline bool timespec64_valid_sett
+  */
+ static inline s64 timespec64_to_ns(const struct timespec64 *ts)
+ {
+-      /* Prevent multiplication overflow */
+-      if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++      /* Prevent multiplication overflow / underflow */
++      if (ts->tv_sec >= KTIME_SEC_MAX)
+               return KTIME_MAX;
++      if (ts->tv_sec <= KTIME_SEC_MIN)
++              return KTIME_MIN;
++
+       return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec;
+ }
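Review bot: The new bounds in `timespec64_to_ns()` cover only `tv_sec`; the final `+ ts->tv_nsec` is still unchecked and relies on the caller passing a normalized timespec, which the comment `/* Prevent multiplication overflow / underflow */` does not say. Because the tests use `>=` and `<=`, a `tv_sec` equal to `KTIME_SEC_MAX` or `KTIME_SEC_MIN` saturates even though part of that second is representable; this matches the old upper-bound behaviour but is worth stating. I would extend the comment to something like `/* Saturate at KTIME_MAX/KTIME_MIN; tv_nsec is assumed to be in [0, NSEC_PER_SEC) and is not range-checked here */`. Where a caller passes values that originate in userspace (the description names ptp_clock_adjtime() as a user of negative seconds), that assumption presumably has to be enforced at the call site. The function's doc comment begins outside the hunk.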
diff --git a/queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch b/queue-5.10/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
new file mode 100644 (file)
index 0000000..8c6663c
--- /dev/null
@@ -0,0 +1,59 @@
+From bb2853a6a421a052268eee00fd5d3f6b3504b2b1 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+Date: Mon, 23 Aug 2021 08:06:41 +0800
+Subject: tty: Fix data race between tiocsti() and flush_to_ldisc()
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream.
+
+The ops->receive_buf() may be accessed concurrently from these two
+functions.  If the driver flushes data to the line discipline
+receive_buf() method while tiocsti() is waiting for the
+ops->receive_buf() to finish its work, the data race will happen.
+
+For example:
+tty_ioctl                      |tty_ldisc_receive_buf
+ ->tioctsi                     | ->tty_port_default_receive_buf
+                               |  ->tty_ldisc_receive_buf
+   ->hci_uart_tty_receive      |   ->hci_uart_tty_receive
+    ->h4_recv                   |    ->h4_recv
+
+In this case, the h4 receive buffer will be overwritten by the
+latecomer, and we will lost the data.
+
+Hence, change tioctsi() function to use the exclusive lock interface
+from tty_buffer to avoid the data race.
+
+Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2257,8 +2257,6 @@ static int tty_fasync(int fd, struct fil
+  *    Locking:
+  *            Called functions take tty_ldiscs_lock
+  *            current->signal->tty check is safe without locks
+- *
+- *    FIXME: may race normal receive processing
+  */
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+@@ -2274,8 +2272,10 @@ static int tiocsti(struct tty_struct *tt
+       ld = tty_ldisc_ref_wait(tty);
+       if (!ld)
+               return -EIO;
++      tty_buffer_lock_exclusive(tty->port);
+       if (ld->ops->receive_buf)
+               ld->ops->receive_buf(tty, &ch, &mbz, 1);
++      tty_buffer_unlock_exclusive(tty->port);
+       tty_ldisc_deref(ld);
+       return 0;
+ }
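Review bot: The `Locking:` section of the tiocsti() header comment loses its FIXME but gains no line for the lock this change introduces, so the comment now under-documents what the function takes. I would add ` *		Takes the tty port's buffer lock exclusively around receive_buf()` next to the existing `tty_ldiscs_lock` line. As a point of style, `tty_buffer_lock_exclusive(tty->port)` is taken before the `if (ld->ops->receive_buf)` test, so the lock is acquired even when there is nothing to call; putting the lock/unlock pair inside a braced `if` would limit the critical section to the call itself. The buffer lock is taken after `tty_ldisc_ref_wait()` and dropped before `tty_ldisc_deref()`, and that nesting order could be recorded in the same comment. The function body starts outside the hunk.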