--- /dev/null
+From bde545295b710bdd13a0fcd4b9fddd2383eeeb3a Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@redhat.com>
+Date: Wed, 20 Jan 2021 09:30:16 +0800
+Subject: erofs: fix shift-out-of-bounds of blkszbits
+
+From: Gao Xiang <hsiangkao@redhat.com>
+
+commit bde545295b710bdd13a0fcd4b9fddd2383eeeb3a upstream.
+
+syzbot generated a crafted bitszbits which can be shifted
+out-of-bounds[1]. So directly print unsupported blkszbits
+instead of blksize.
+
+[1] https://lore.kernel.org/r/000000000000c72ddd05b9444d2f@google.com
+
+Link: https://lore.kernel.org/r/20210120013016.14071-1-hsiangkao@aol.com
+Reported-by: syzbot+c68f467cd7c45860e8d4@syzkaller.appspotmail.com
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/erofs/super.c
++++ b/fs/erofs/super.c
+@@ -124,8 +124,8 @@ static int erofs_read_superblock(struct
+ blkszbits = dsb->blkszbits;
+ /* 9(512 bytes) + LOG_SECTORS_PER_BLOCK == LOG_BLOCK_SIZE */
+ if (blkszbits != LOG_BLOCK_SIZE) {
+- erofs_err(sb, "blksize %u isn't supported on this platform",
+- 1 << blkszbits);
++ erofs_err(sb, "blkszbits %u isn't supported on this platform",
++ blkszbits);
+ goto out;
+ }
+
--- /dev/null
+From 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 18 Dec 2020 12:17:16 -0800
+Subject: JFS: more checks for invalid superblock
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 upstream.
+
+syzbot is feeding invalid superblock data to JFS for mount testing.
+JFS does not check several of the fields -- just assumes that they
+are good since the JFS_MAGIC and version fields are good.
+
+In this case (syzbot reproducer), we have s_l2bsize == 0xda0c,
+pad == 0xf045, and s_state == 0x50, all of which are invalid IMO.
+Having s_l2bsize == 0xda0c causes this UBSAN warning:
+ UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25
+ shift exponent -9716 is negative
+
+s_l2bsize can be tested for correctness. pad can be tested for non-0
+and punted. s_state can be tested for its valid values and punted.
+
+Do those 3 tests and if any of them fails, report the superblock as
+invalid/corrupt and let fsck handle it.
+
+With this patch, chkSuper() says this when JFS_DEBUG is enabled:
+ jfs_mount: Mount Failure: superblock is corrupt!
+ Mount JFS Failure: -22
+ jfs_mount failed w/return code = -22
+
+The obvious problem with this method is that next week there could
+be another syzbot test that uses different fields for invalid values,
+this making this like a game of whack-a-mole.
+
+syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193
+
+Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com
+Reported-by: kernel test robot <lkp@intel.com> # v2
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: jfs-discussion@lists.sourceforge.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_filsys.h | 1 +
+ fs/jfs/jfs_mount.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/fs/jfs/jfs_filsys.h
++++ b/fs/jfs/jfs_filsys.h
+@@ -268,5 +268,6 @@
+ * fsck() must be run to repair
+ */
+ #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */
++#define FM_STATE_MAX 0x0000000f /* max value of s_state */
+
+ #endif /* _H_JFS_FILSYS */
+--- a/fs/jfs/jfs_mount.c
++++ b/fs/jfs/jfs_mount.c
+@@ -36,6 +36,7 @@
+
+ #include <linux/fs.h>
+ #include <linux/buffer_head.h>
++#include <linux/log2.h>
+
+ #include "jfs_incore.h"
+ #include "jfs_filsys.h"
+@@ -365,6 +366,15 @@ static int chkSuper(struct super_block *
+ sbi->bsize = bsize;
+ sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize);
+
++ /* check some fields for possible corruption */
++ if (sbi->l2bsize != ilog2((u32)bsize) ||
++ j_sb->pad != 0 ||
++ le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) {
++ rc = -EINVAL;
++ jfs_err("jfs_mount: Mount Failure: superblock is corrupt!");
++ goto out;
++ }
++
+ /*
+ * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer
+ * cache.
--- /dev/null
+From 9dec0f48a75e0dadca498002d25ef4e143e60194 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Tue, 19 Jan 2021 14:53:50 +0100
+Subject: media: mceusb: sanity check for prescaler value
+
+From: Sean Young <sean@mess.org>
+
+commit 9dec0f48a75e0dadca498002d25ef4e143e60194 upstream.
+
+prescaler larger than 8 would mean the carrier is at most 152Hz,
+which does not make sense for IR carriers.
+
+Reported-by: syzbot+6d31bf169a8265204b8d@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/mceusb.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -701,11 +701,18 @@ static void mceusb_dev_printdata(struct
+ data[0], data[1]);
+ break;
+ case MCE_RSP_EQIRCFS:
++ if (!data[0] && !data[1]) {
++ dev_dbg(dev, "%s: no carrier", inout);
++ break;
++ }
++ // prescaler should make sense
++ if (data[0] > 8)
++ break;
+ period = DIV_ROUND_CLOSEST((1U << data[0] * 2) *
+ (data[1] + 1), 10);
+ if (!period)
+ break;
+- carrier = (1000 * 1000) / period;
++ carrier = USEC_PER_SEC / period;
+ dev_dbg(dev, "%s carrier of %u Hz (period %uus)",
+ inout, carrier, period);
+ break;
--- /dev/null
+From 048c96e28674f15c0403deba2104ffba64544a06 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Wed, 20 Jan 2021 09:28:02 +0100
+Subject: media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 048c96e28674f15c0403deba2104ffba64544a06 upstream.
+
+If a menu has more than 64 items, then don't check menu_skip_mask
+for items 65 and up.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+42d8c7c3d3e594b34346@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -1795,7 +1795,8 @@ static int std_validate(const struct v4l
+ case V4L2_CTRL_TYPE_INTEGER_MENU:
+ if (ptr.p_s32[idx] < ctrl->minimum || ptr.p_s32[idx] > ctrl->maximum)
+ return -ERANGE;
+- if (ctrl->menu_skip_mask & (1ULL << ptr.p_s32[idx]))
++ if (ptr.p_s32[idx] < BITS_PER_LONG_LONG &&
++ (ctrl->menu_skip_mask & BIT_ULL(ptr.p_s32[idx])))
+ return -EINVAL;
+ if (ctrl->type == V4L2_CTRL_TYPE_MENU &&
+ ctrl->qmenu[ptr.p_s32[idx]][0] == '\0')
--- /dev/null
+From a1ba9da8f0f9a37d900ff7eff66482cf7de8015e Mon Sep 17 00:00:00 2001
+From: Li Xinhai <lixinhai.lxh@gmail.com>
+Date: Wed, 24 Feb 2021 12:06:54 -0800
+Subject: mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
+
+From: Li Xinhai <lixinhai.lxh@gmail.com>
+
+commit a1ba9da8f0f9a37d900ff7eff66482cf7de8015e upstream.
+
+The current code would unnecessarily expand the address range. Consider
+one example, (start, end) = (1G-2M, 3G+2M), and (vm_start, vm_end) =
+(1G-4M, 3G+4M), the expected adjustment should be keep (1G-2M, 3G+2M)
+without expand. But the current result will be (1G-4M, 3G+4M). Actually,
+the range (1G-4M, 1G) and (3G, 3G+4M) would never been involved in pmd
+sharing.
+
+After this patch, we will check that the vma span at least one PUD aligned
+size and the start,end range overlap the aligned range of vma.
+
+With above example, the aligned vma range is (1G, 3G), so if (start, end)
+range is within (1G-4M, 1G), or within (3G, 3G+4M), then no adjustment to
+both start and end. Otherwise, we will have chance to adjust start
+downwards or end upwards without exceeding (vm_start, vm_end).
+
+Mike:
+
+: The 'adjusted range' is used for calls to mmu notifiers and cache(tlb)
+: flushing. Since the current code unnecessarily expands the range in some
+: cases, more entries than necessary would be flushed. This would/could
+: result in performance degradation. However, this is highly dependent on
+: the user runtime. Is there a combination of vma layout and calls to
+: actually hit this issue? If the issue is hit, will those entries
+: unnecessarily flushed be used again and need to be unnecessarily reloaded?
+
+Link: https://lkml.kernel.org/r/20210104081631.2921415-1-lixinhai.lxh@gmail.com
+Fixes: 75802ca66354 ("mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible")
+Signed-off-by: Li Xinhai <lixinhai.lxh@gmail.com>
+Suggested-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4902,21 +4902,23 @@ static bool vma_shareable(struct vm_area
+ void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+ unsigned long *start, unsigned long *end)
+ {
+- unsigned long a_start, a_end;
++ unsigned long v_start = ALIGN(vma->vm_start, PUD_SIZE),
++ v_end = ALIGN_DOWN(vma->vm_end, PUD_SIZE);
+
+- if (!(vma->vm_flags & VM_MAYSHARE))
++ /*
++ * vma need span at least one aligned PUD size and the start,end range
++ * must at least partialy within it.
++ */
++ if (!(vma->vm_flags & VM_MAYSHARE) || !(v_end > v_start) ||
++ (*end <= v_start) || (*start >= v_end))
+ return;
+
+ /* Extend the range to be PUD aligned for a worst case scenario */
+- a_start = ALIGN_DOWN(*start, PUD_SIZE);
+- a_end = ALIGN(*end, PUD_SIZE);
++ if (*start > v_start)
++ *start = ALIGN_DOWN(*start, PUD_SIZE);
+
+- /*
+- * Intersect the range with the vma range, since pmd sharing won't be
+- * across vma after all
+- */
+- *start = max(vma->vm_start, a_start);
+- *end = min(vma->vm_end, a_end);
++ if (*end < v_end)
++ *end = ALIGN(*end, PUD_SIZE);
+ }
+
+ /*
--- /dev/null
+From c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 22 Feb 2021 15:09:53 -0500
+Subject: nbd: handle device refs for DESTROY_ON_DISCONNECT properly
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd upstream.
+
+There exists a race where we can be attempting to create a new nbd
+configuration while a previous configuration is going down, both
+configured with DESTROY_ON_DISCONNECT. Normally devices all have a
+reference of 1, as they won't be cleaned up until the module is torn
+down. However with DESTROY_ON_DISCONNECT we'll make sure that there is
+only 1 reference (generally) on the device for the config itself, and
+then once the config is dropped, the device is torn down.
+
+The race that exists looks like this
+
+TASK1 TASK2
+nbd_genl_connect()
+ idr_find()
+ refcount_inc_not_zero(nbd)
+ * count is 2 here ^^
+ nbd_config_put()
+ nbd_put(nbd) (count is 1)
+ setup new config
+ check DESTROY_ON_DISCONNECT
+ put_dev = true
+ if (put_dev) nbd_put(nbd)
+ * free'd here ^^
+
+In nbd_genl_connect() we assume that the nbd ref count will be 2,
+however clearly that won't be true if the nbd device had been setup as
+DESTROY_ON_DISCONNECT with its prior configuration. Fix this by getting
+rid of the runtime flag to check if we need to mess with the nbd device
+refcount, and use the device NBD_DESTROY_ON_DISCONNECT flag to check if
+we need to adjust the ref counts. This was reported by syzkaller with
+the following kasan dump
+
+BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
+BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
+BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76
+Read of size 4 at addr ffff888143bf71a0 by task systemd-udevd/8451
+
+CPU: 0 PID: 8451 Comm: systemd-udevd Not tainted 5.11.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
+ __kasan_report mm/kasan/report.c:396 [inline]
+ kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
+ check_memory_region_inline mm/kasan/generic.c:179 [inline]
+ check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
+ instrument_atomic_read include/linux/instrumented.h:71 [inline]
+ atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
+ refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76
+ refcount_dec_and_mutex_lock+0x19/0x140 lib/refcount.c:115
+ nbd_put drivers/block/nbd.c:248 [inline]
+ nbd_release+0x116/0x190 drivers/block/nbd.c:1508
+ __blkdev_put+0x548/0x800 fs/block_dev.c:1579
+ blkdev_put+0x92/0x570 fs/block_dev.c:1632
+ blkdev_close+0x8c/0xb0 fs/block_dev.c:1640
+ __fput+0x283/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x190 kernel/task_work.c:140
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
+ syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7fc1e92b5270
+Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
+RSP: 002b:00007ffe8beb2d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1e92b5270
+RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
+RBP: 00007fc1ea16f710 R08: 000000000000004a R09: 0000000000000008
+R10: 0000562f8cb0b2a8 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000562f8cb0afd0 R14: 0000000000000003 R15: 000000000000000e
+
+Allocated by task 1:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:401 [inline]
+ ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
+ kmalloc include/linux/slab.h:552 [inline]
+ kzalloc include/linux/slab.h:682 [inline]
+ nbd_dev_add+0x44/0x8e0 drivers/block/nbd.c:1673
+ nbd_init+0x250/0x271 drivers/block/nbd.c:2394
+ do_one_initcall+0x103/0x650 init/main.c:1223
+ do_initcall_level init/main.c:1296 [inline]
+ do_initcalls init/main.c:1312 [inline]
+ do_basic_setup init/main.c:1332 [inline]
+ kernel_init_freeable+0x605/0x689 init/main.c:1533
+ kernel_init+0xd/0x1b8 init/main.c:1421
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
+
+Freed by task 8451:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
+ ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ slab_free_hook mm/slub.c:1547 [inline]
+ slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
+ slab_free mm/slub.c:3143 [inline]
+ kfree+0xdb/0x3b0 mm/slub.c:4139
+ nbd_dev_remove drivers/block/nbd.c:243 [inline]
+ nbd_put.part.0+0x180/0x1d0 drivers/block/nbd.c:251
+ nbd_put drivers/block/nbd.c:295 [inline]
+ nbd_config_put+0x6dd/0x8c0 drivers/block/nbd.c:1242
+ nbd_release+0x103/0x190 drivers/block/nbd.c:1507
+ __blkdev_put+0x548/0x800 fs/block_dev.c:1579
+ blkdev_put+0x92/0x570 fs/block_dev.c:1632
+ blkdev_close+0x8c/0xb0 fs/block_dev.c:1640
+ __fput+0x283/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x190 kernel/task_work.c:140
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
+ syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff888143bf7000
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 416 bytes inside of
+ 1024-byte region [ffff888143bf7000, ffff888143bf7400)
+The buggy address belongs to the page:
+page:000000005238f4ce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143bf0
+head:000000005238f4ce order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x57ff00000010200(slab|head)
+raw: 057ff00000010200 ffffea00004b1400 0000000300000003 ffff888010c41140
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888143bf7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888143bf7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888143bf7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888143bf7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Reported-and-tested-by: syzbot+429d3f82d757c211bff3@syzkaller.appspotmail.com
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -78,8 +78,7 @@ struct link_dead_args {
+ #define NBD_RT_HAS_PID_FILE 3
+ #define NBD_RT_HAS_CONFIG_REF 4
+ #define NBD_RT_BOUND 5
+-#define NBD_RT_DESTROY_ON_DISCONNECT 6
+-#define NBD_RT_DISCONNECT_ON_CLOSE 7
++#define NBD_RT_DISCONNECT_ON_CLOSE 6
+
+ #define NBD_DESTROY_ON_DISCONNECT 0
+ #define NBD_DISCONNECT_REQUESTED 1
+@@ -1940,12 +1939,21 @@ again:
+ if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) {
+ u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]);
+ if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) {
+- set_bit(NBD_RT_DESTROY_ON_DISCONNECT,
+- &config->runtime_flags);
+- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags);
+- put_dev = true;
++ /*
++ * We have 1 ref to keep the device around, and then 1
++ * ref for our current operation here, which will be
++ * inherited by the config. If we already have
++ * DESTROY_ON_DISCONNECT set then we know we don't have
++ * that extra ref already held so we don't need the
++ * put_dev.
++ */
++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT,
++ &nbd->flags))
++ put_dev = true;
+ } else {
+- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags);
++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT,
++ &nbd->flags))
++ refcount_inc(&nbd->refs);
+ }
+ if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) {
+ set_bit(NBD_RT_DISCONNECT_ON_CLOSE,
+@@ -2116,15 +2124,13 @@ static int nbd_genl_reconfigure(struct s
+ if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) {
+ u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]);
+ if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) {
+- if (!test_and_set_bit(NBD_RT_DESTROY_ON_DISCONNECT,
+- &config->runtime_flags))
++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT,
++ &nbd->flags))
+ put_dev = true;
+- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags);
+ } else {
+- if (test_and_clear_bit(NBD_RT_DESTROY_ON_DISCONNECT,
+- &config->runtime_flags))
++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT,
++ &nbd->flags))
+ refcount_inc(&nbd->refs);
+- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags);
+ }
+
+ if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) {
--- /dev/null
+From 27e9c1de529919d8dd7d072415d3bcae77709300 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Thu, 28 Jan 2021 12:41:04 +0100
+Subject: net/af_iucv: remove WARN_ONCE on malformed RX packets
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit 27e9c1de529919d8dd7d072415d3bcae77709300 upstream.
+
+syzbot reported the following finding:
+
+AF_IUCV failed to receive skb, len=0
+WARNING: CPU: 0 PID: 522 at net/iucv/af_iucv.c:2039 afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039
+CPU: 0 PID: 522 Comm: syz-executor091 Not tainted 5.10.0-rc1-syzkaller-07082-g55027a88ec9f #0
+Hardware name: IBM 3906 M04 701 (KVM/Linux)
+Call Trace:
+ [<00000000b87ea538>] afiucv_hs_rcv+0x178/0x190 net/iucv/af_iucv.c:2039
+([<00000000b87ea534>] afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039)
+ [<00000000b796533e>] __netif_receive_skb_one_core+0x13e/0x188 net/core/dev.c:5315
+ [<00000000b79653ce>] __netif_receive_skb+0x46/0x1c0 net/core/dev.c:5429
+ [<00000000b79655fe>] netif_receive_skb_internal+0xb6/0x220 net/core/dev.c:5534
+ [<00000000b796ac3a>] netif_receive_skb+0x42/0x318 net/core/dev.c:5593
+ [<00000000b6fd45f4>] tun_rx_batched.isra.0+0x6fc/0x860 drivers/net/tun.c:1485
+ [<00000000b6fddc4e>] tun_get_user+0x1c26/0x27f0 drivers/net/tun.c:1939
+ [<00000000b6fe0f00>] tun_chr_write_iter+0x158/0x248 drivers/net/tun.c:1968
+ [<00000000b4f22bfa>] call_write_iter include/linux/fs.h:1887 [inline]
+ [<00000000b4f22bfa>] new_sync_write+0x442/0x648 fs/read_write.c:518
+ [<00000000b4f238fe>] vfs_write.part.0+0x36e/0x5d8 fs/read_write.c:605
+ [<00000000b4f2984e>] vfs_write+0x10e/0x148 fs/read_write.c:615
+ [<00000000b4f29d0e>] ksys_write+0x166/0x290 fs/read_write.c:658
+ [<00000000b8dc4ab4>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
+Last Breaking-Event-Address:
+ [<00000000b8dc64d4>] __s390_indirect_jump_r14+0x0/0xc
+
+Malformed RX packets shouldn't generate any warnings because
+debugging info already flows to dropmon via the kfree_skb().
+
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -2176,7 +2176,6 @@ static int afiucv_hs_rcv(struct sk_buff
+ char nullstring[8];
+
+ if (!pskb_may_pull(skb, sizeof(*trans_hdr))) {
+- WARN_ONCE(1, "AF_IUCV failed to receive skb, len=%u", skb->len);
+ kfree_skb(skb);
+ return NET_RX_SUCCESS;
+ }
--- /dev/null
+From 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 Mon Sep 17 00:00:00 2001
+From: Marco Elver <elver@google.com>
+Date: Mon, 1 Feb 2021 17:04:20 +0100
+Subject: net: fix up truesize of cloned skb in skb_prepare_for_shift()
+
+From: Marco Elver <elver@google.com>
+
+commit 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 upstream.
+
+Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when
+cloning an skb, save and restore truesize after pskb_expand_head(). This
+can occur if the allocator decides to service an allocation of the same
+size differently (e.g. use a different size class, or pass the
+allocation on to KFENCE).
+
+Because truesize is used for bookkeeping (such as sk_wmem_queued), a
+modified truesize of a cloned skb may result in corrupt bookkeeping and
+relevant warnings (such as in sk_stream_kill_queues()).
+
+Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com
+Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210201160420.2826895-1-elver@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3290,7 +3290,19 @@ EXPORT_SYMBOL(skb_split);
+ */
+ static int skb_prepare_for_shift(struct sk_buff *skb)
+ {
+- return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
++ int ret = 0;
++
++ if (skb_cloned(skb)) {
++ /* Save and restore truesize: pskb_expand_head() may reallocate
++ * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we
++ * cannot change truesize at this point.
++ */
++ unsigned int save_truesize = skb->truesize;
++
++ ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
++ skb->truesize = save_truesize;
++ }
++ return ret;
+ }
+
+ /**
nvme-pci-fix-error-unwind-in-nvme_map_data.patch
arm64-module-set-plt-section-addresses-to-0x0.patch
mips-vdso-use-clang_flags-instead-of-filtering-out-target.patch
+jfs-more-checks-for-invalid-superblock.patch
+udlfb-fix-memory-leak-in-dlfb_usb_probe.patch
+media-mceusb-sanity-check-for-prescaler-value.patch
+erofs-fix-shift-out-of-bounds-of-blkszbits.patch
+media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch
+xfs-fix-assert-failure-in-xfs_setattr_size.patch
+net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch
+smackfs-restrict-bytes-count-in-smackfs-write-functions.patch
+net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch
+nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch
+mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch
--- /dev/null
+From 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Thu, 28 Jan 2021 17:58:01 +0600
+Subject: smackfs: restrict bytes count in smackfs write functions
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream.
+
+syzbot found WARNINGs in several smackfs write operations where
+bytes count is passed to memdup_user_nul which exceeds
+GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE.
+
+Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO,
+smk_write_net6addr accepts any label or -DELETE. I couldn't find
+any general rule for other label lengths except SMK_LABELLEN,
+SMK_LONGLABEL, SMK_CIPSOMAX which are documented.
+
+Let's constrain, in general, smackfs label lengths for PAGE_SIZE.
+Although fuzzer crashes write to smackfs/netlabel on 0x400000 length.
+
+Here is a quick way to reproduce the WARNING:
+python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel
+
+Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/smack/smackfs.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -1163,7 +1163,7 @@ static ssize_t smk_write_net4addr(struct
+ return -EPERM;
+ if (*ppos != 0)
+ return -EINVAL;
+- if (count < SMK_NETLBLADDRMIN)
++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
+ return -EINVAL;
+
+ data = memdup_user_nul(buf, count);
+@@ -1423,7 +1423,7 @@ static ssize_t smk_write_net6addr(struct
+ return -EPERM;
+ if (*ppos != 0)
+ return -EINVAL;
+- if (count < SMK_NETLBLADDRMIN)
++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
+ return -EINVAL;
+
+ data = memdup_user_nul(buf, count);
+@@ -1830,6 +1830,10 @@ static ssize_t smk_write_ambient(struct
+ if (!smack_privileged(CAP_MAC_ADMIN))
+ return -EPERM;
+
++ /* Enough data must be present */
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
++
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+@@ -2001,6 +2005,9 @@ static ssize_t smk_write_onlycap(struct
+ if (!smack_privileged(CAP_MAC_ADMIN))
+ return -EPERM;
+
++ if (count > PAGE_SIZE)
++ return -EINVAL;
++
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+@@ -2088,6 +2095,9 @@ static ssize_t smk_write_unconfined(stru
+ if (!smack_privileged(CAP_MAC_ADMIN))
+ return -EPERM;
+
++ if (count > PAGE_SIZE)
++ return -EINVAL;
++
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+@@ -2643,6 +2653,10 @@ static ssize_t smk_write_syslog(struct f
+ if (!smack_privileged(CAP_MAC_ADMIN))
+ return -EPERM;
+
++ /* Enough data must be present */
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
++
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+@@ -2735,10 +2749,13 @@ static ssize_t smk_write_relabel_self(st
+ return -EPERM;
+
+ /*
++ * No partial write.
+ * Enough data must be present.
+ */
+ if (*ppos != 0)
+ return -EINVAL;
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
+
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
--- /dev/null
+From 5c0e4110f751934e748a66887c61f8e73805f0f9 Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang.zhang@windriver.com>
+Date: Tue, 15 Dec 2020 14:30:22 +0800
+Subject: udlfb: Fix memory leak in dlfb_usb_probe
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+commit 5c0e4110f751934e748a66887c61f8e73805f0f9 upstream.
+
+The dlfb_alloc_urb_list function is called in dlfb_usb_probe function,
+after that if an error occurs, the dlfb_free_urb_list function need to
+be called.
+
+BUG: memory leak
+unreferenced object 0xffff88810adde100 (size 32):
+ comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.520s)
+ hex dump (first 32 bytes):
+ 10 30 c3 0d 81 88 ff ff c0 fa 63 12 81 88 ff ff .0........c.....
+ 00 30 c3 0d 81 88 ff ff 80 d1 3a 08 81 88 ff ff .0........:.....
+ backtrace:
+ [<0000000019512953>] kmalloc include/linux/slab.h:552 [inline]
+ [<0000000019512953>] kzalloc include/linux/slab.h:664 [inline]
+ [<0000000019512953>] dlfb_alloc_urb_list drivers/video/fbdev/udlfb.c:1892 [inline]
+ [<0000000019512953>] dlfb_usb_probe.cold+0x289/0x988 drivers/video/fbdev/udlfb.c:1704
+ [<0000000072160152>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
+ [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
+ [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
+ [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
+ [<00000000463fbcb4>] __device_attach+0x122/0x250 drivers/base/dd.c:912
+ [<00000000b881a711>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
+ [<00000000364bbda5>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
+ [<00000000eecca418>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159
+ [<00000000edfeca2d>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+ [<000000001830872b>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
+ [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
+ [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
+ [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
+ [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
+
+Reported-by: syzbot+c9e365d7f450e8aa615d@syzkaller.appspotmail.com
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201215063022.16746-1-qiang.zhang@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1017,6 +1017,7 @@ static void dlfb_ops_destroy(struct fb_i
+ }
+ vfree(dlfb->backing_buffer);
+ kfree(dlfb->edid);
++ dlfb_free_urb_list(dlfb);
+ usb_put_dev(dlfb->udev);
+ kfree(dlfb);
+
--- /dev/null
+From 88a9e03beef22cc5fabea344f54b9a0dfe63de08 Mon Sep 17 00:00:00 2001
+From: Yumei Huang <yuhuang@redhat.com>
+Date: Fri, 22 Jan 2021 16:48:19 -0800
+Subject: xfs: Fix assert failure in xfs_setattr_size()
+
+From: Yumei Huang <yuhuang@redhat.com>
+
+commit 88a9e03beef22cc5fabea344f54b9a0dfe63de08 upstream.
+
+An assert failure is triggered by syzkaller test due to
+ATTR_KILL_PRIV is not cleared before xfs_setattr_size.
+As ATTR_KILL_PRIV is not checked/used by xfs_setattr_size,
+just remove it from the assert.
+
+Signed-off-by: Yumei Huang <yuhuang@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_iops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -839,7 +839,7 @@ xfs_setattr_size(
+ ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL));
+ ASSERT(S_ISREG(inode->i_mode));
+ ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+- ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++ ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0);
+
+ oldsize = inode->i_size;
+ newsize = iattr->ia_size;
projects / thirdparty / kernel / stable-queue.git / commitdiff
