--- /dev/null
+From c5d2b6fa26b5b8386a9cc902cdece3a46bef2bd2 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 30 May 2023 13:48:44 -0700
+Subject: Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit c5d2b6fa26b5b8386a9cc902cdece3a46bef2bd2 upstream.
+
+Similar to commit 0f7d9b31ce7a ("netfilter: nf_tables: fix use-after-free
+in nft_set_catchall_destroy()"). We can not access k after kfree_rcu()
+call.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2517,10 +2517,10 @@ int hci_remove_link_key(struct hci_dev *
+
+ int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
+ {
+- struct smp_ltk *k;
++ struct smp_ltk *k, *tmp;
+ int removed = 0;
+
+- list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
++ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
+ if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
+ continue;
+
+@@ -2536,9 +2536,9 @@ int hci_remove_ltk(struct hci_dev *hdev,
+
+ void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
+ {
+- struct smp_irk *k;
++ struct smp_irk *k, *tmp;
+
+- list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
++ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
+ if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
+ continue;
+
--- /dev/null
+From 409e873ea3c1fd3079909718bbeb06ac1ec7f38b Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Thu, 1 Jun 2023 08:59:31 +0800
+Subject: ceph: fix use-after-free bug for inodes when flushing capsnaps
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 409e873ea3c1fd3079909718bbeb06ac1ec7f38b upstream.
+
+There is a race between capsnaps flush and removing the inode from
+'mdsc->snap_flush_list' list:
+
+ == Thread A == == Thread B ==
+ceph_queue_cap_snap()
+ -> allocate 'capsnapA'
+ ->ihold('&ci->vfs_inode')
+ ->add 'capsnapA' to 'ci->i_cap_snaps'
+ ->add 'ci' to 'mdsc->snap_flush_list'
+ ...
+ == Thread C ==
+ceph_flush_snaps()
+ ->__ceph_flush_snaps()
+ ->__send_flush_snap()
+ handle_cap_flushsnap_ack()
+ ->iput('&ci->vfs_inode')
+ this also will release 'ci'
+ ...
+ == Thread D ==
+ ceph_handle_snap()
+ ->flush_snaps()
+ ->iterate 'mdsc->snap_flush_list'
+ ->get the stale 'ci'
+ ->remove 'ci' from ->ihold(&ci->vfs_inode) this
+ 'mdsc->snap_flush_list' will WARNING
+
+To fix this we will increase the inode's i_count ref when adding 'ci'
+to the 'mdsc->snap_flush_list' list.
+
+[ idryomov: need_put int -> bool ]
+
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2209299
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Milind Changire <mchangir@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/caps.c | 6 ++++++
+ fs/ceph/snap.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1554,6 +1554,7 @@ void ceph_flush_snaps(struct ceph_inode_
+ struct inode *inode = &ci->vfs_inode;
+ struct ceph_mds_client *mdsc = ceph_inode_to_client(inode)->mdsc;
+ struct ceph_mds_session *session = NULL;
++ bool need_put = false;
+ int mds;
+
+ dout("ceph_flush_snaps %p\n", inode);
+@@ -1607,8 +1608,13 @@ out:
+ }
+ /* we flushed them all; remove this inode from the queue */
+ spin_lock(&mdsc->snap_flush_lock);
++ if (!list_empty(&ci->i_snap_flush_item))
++ need_put = true;
+ list_del_init(&ci->i_snap_flush_item);
+ spin_unlock(&mdsc->snap_flush_lock);
++
++ if (need_put)
++ iput(inode);
+ }
+
+ /*
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -623,8 +623,10 @@ int __ceph_finish_cap_snap(struct ceph_i
+ capsnap->size);
+
+ spin_lock(&mdsc->snap_flush_lock);
+- if (list_empty(&ci->i_snap_flush_item))
++ if (list_empty(&ci->i_snap_flush_item)) {
++ ihold(inode);
+ list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
++ }
+ spin_unlock(&mdsc->snap_flush_lock);
+ return 1; /* caller may want to ceph_flush_snaps */
+ }
--- /dev/null
+From 5b10ff013e8a57f8845615ac2cc37edf7f6eef05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
+Date: Fri, 12 May 2023 08:49:25 +0200
+Subject: pinctrl: meson-axg: add missing GPIOA_18 gpio group
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Hundebøll <martin@geanix.com>
+
+commit 5b10ff013e8a57f8845615ac2cc37edf7f6eef05 upstream.
+
+Without this, the gpio cannot be explicitly mux'ed to its gpio function.
+
+Fixes: 83c566806a68a ("pinctrl: meson-axg: Add new pinctrl driver for Meson AXG SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Hundebøll <martin@geanix.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Dmitry Rokosov <ddrokosov@sberdevices.ru>
+Link: https://lore.kernel.org/r/20230512064925.133516-1-martin@geanix.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson-axg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson-axg.c
++++ b/drivers/pinctrl/meson/pinctrl-meson-axg.c
+@@ -400,6 +400,7 @@ static struct meson_pmx_group meson_axg_
+ GPIO_GROUP(GPIOA_15),
+ GPIO_GROUP(GPIOA_16),
+ GPIO_GROUP(GPIOA_17),
++ GPIO_GROUP(GPIOA_18),
+ GPIO_GROUP(GPIOA_19),
+ GPIO_GROUP(GPIOA_20),
+
input-xpad-delete-a-razer-deathadder-mouse-vid-pid-entry.patch
input-psmouse-fix-oob-access-in-elantech-protocol.patch
drm-amdgpu-fix-xclk-freq-on-chip_stoney.patch
+ceph-fix-use-after-free-bug-for-inodes-when-flushing-capsnaps.patch
+bluetooth-fix-use-after-free-in-hci_remove_ltk-hci_remove_irk.patch
+pinctrl-meson-axg-add-missing-gpioa_18-gpio-group.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
