--- /dev/null
+From af505cad9567f7a500d34bf183696d570d7f6810 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <nirmoy.das@amd.com>
+Date: Thu, 2 Sep 2021 12:29:17 +0200
+Subject: debugfs: debugfs_create_file_size(): use IS_ERR to check for error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+commit af505cad9567f7a500d34bf183696d570d7f6810 upstream.
+
+debugfs_create_file() returns encoded error so use IS_ERR for checking
+return value.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL")
+Cc: stable <stable@vger.kernel.org>
+References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686
+Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/debugfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -524,7 +524,7 @@ void debugfs_create_file_size(const char
+ {
+ struct dentry *de = debugfs_create_file(name, mode, parent, data, fops);
+
+- if (de)
++ if (!IS_ERR(de))
+ d_inode(de)->i_size = file_size;
+ }
+ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
--- /dev/null
+From 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 Mon Sep 17 00:00:00 2001
+From: Chen Jingwen <chenjingwen6@huawei.com>
+Date: Tue, 28 Sep 2021 20:56:57 +0800
+Subject: elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
+
+From: Chen Jingwen <chenjingwen6@huawei.com>
+
+commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream.
+
+In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf
+executable mappings") we still leave MAP_FIXED_NOREPLACE in place for
+load_elf_interp.
+
+Unfortunately, this will cause kernel to fail to start with:
+
+ 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
+ Failed to execute /init (error -17)
+
+The reason is that the elf interpreter (ld.so) has overlapping segments.
+
+ readelf -l ld-2.31.so
+ Program Headers:
+ Type Offset VirtAddr PhysAddr
+ FileSiz MemSiz Flags Align
+ LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
+ 0x000000000002c94c 0x000000000002c94c R E 0x10000
+ LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
+ 0x00000000000021e8 0x0000000000002320 RW 0x10000
+ LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
+ 0x00000000000011ac 0x0000000000001328 RW 0x10000
+
+The reason for this problem is the same as described in commit
+ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
+
+Not only executable binaries, elf interpreters (e.g. ld.so) can have
+overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
+back to MAP_FIXED in load_elf_interp.
+
+Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
+Cc: <stable@vger.kernel.org> # v4.19
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -627,7 +627,7 @@ static unsigned long load_elf_interp(str
+
+ vaddr = eppnt->p_vaddr;
+ if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
+- elf_type |= MAP_FIXED_NOREPLACE;
++ elf_type |= MAP_FIXED;
+ else if (no_base && interp_elf_ex->e_type == ET_DYN)
+ load_addr = -vaddr;
+
--- /dev/null
+From 1fd95c05d8f742abfe906620780aee4dbe1a2db0 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 2 Sep 2021 11:36:01 -0400
+Subject: ext4: add error checking to ext4_ext_replay_set_iblocks()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 1fd95c05d8f742abfe906620780aee4dbe1a2db0 upstream.
+
+If the call to ext4_map_blocks() fails due to an corrupted file
+system, ext4_ext_replay_set_iblocks() can get stuck in an infinite
+loop. This could be reproduced by running generic/526 with a file
+system that has inline_data and fast_commit enabled. The system will
+repeatedly log to the console:
+
+EXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076
+
+and the stack that it gets stuck in is:
+
+ ext4_block_to_path+0xe3/0x130
+ ext4_ind_map_blocks+0x93/0x690
+ ext4_map_blocks+0x100/0x660
+ skip_hole+0x47/0x70
+ ext4_ext_replay_set_iblocks+0x223/0x440
+ ext4_fc_replay_inode+0x29e/0x3b0
+ ext4_fc_replay+0x278/0x550
+ do_one_pass+0x646/0xc10
+ jbd2_journal_recover+0x14a/0x270
+ jbd2_journal_load+0xc4/0x150
+ ext4_load_journal+0x1f3/0x490
+ ext4_fill_super+0x22d4/0x2c00
+
+With this patch, generic/526 still fails, but system is no longer
+locking up in a tight loop. It's likely the root casue is that
+fast_commit replay is corrupting file systems with inline_data, and we
+probably need to add better error handling in the fast commit replay
+code path beyond what is done here, which essentially just breaks the
+infinite loop without reporting the to the higher levels of the code.
+
+Fixes: 8016E29F4362 ("ext4: fast commit recovery path")
+Cc: stable@kernel.org
+Cc: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5907,7 +5907,7 @@ void ext4_ext_replay_shrink_inode(struct
+ }
+
+ /* Check if *cur is a hole and if it is, skip it */
+-static void skip_hole(struct inode *inode, ext4_lblk_t *cur)
++static int skip_hole(struct inode *inode, ext4_lblk_t *cur)
+ {
+ int ret;
+ struct ext4_map_blocks map;
+@@ -5916,9 +5916,12 @@ static void skip_hole(struct inode *inod
+ map.m_len = ((inode->i_size) >> inode->i_sb->s_blocksize_bits) - *cur;
+
+ ret = ext4_map_blocks(NULL, inode, &map, 0);
++ if (ret < 0)
++ return ret;
+ if (ret != 0)
+- return;
++ return 0;
+ *cur = *cur + map.m_len;
++ return 0;
+ }
+
+ /* Count number of blocks used by this inode and update i_blocks */
+@@ -5967,7 +5970,9 @@ int ext4_ext_replay_set_iblocks(struct i
+ * iblocks by total number of differences found.
+ */
+ cur = 0;
+- skip_hole(inode, &cur);
++ ret = skip_hole(inode, &cur);
++ if (ret < 0)
++ goto out;
+ path = ext4_find_extent(inode, cur, NULL, 0);
+ if (IS_ERR(path))
+ goto out;
+@@ -5986,8 +5991,12 @@ int ext4_ext_replay_set_iblocks(struct i
+ }
+ cur = max(cur + 1, le32_to_cpu(ex->ee_block) +
+ ext4_ext_get_actual_len(ex));
+- skip_hole(inode, &cur);
+-
++ ret = skip_hole(inode, &cur);
++ if (ret < 0) {
++ ext4_ext_drop_refs(path);
++ kfree(path);
++ break;
++ }
+ path2 = ext4_find_extent(inode, cur, NULL, 0);
+ if (IS_ERR(path2)) {
+ ext4_ext_drop_refs(path);
--- /dev/null
+From 75ca6ad408f459f00b09a64f04c774559848c097 Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Sat, 5 Jun 2021 10:39:32 +0530
+Subject: ext4: fix loff_t overflow in ext4_max_bitmap_size()
+
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+
+commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream.
+
+We should use unsigned long long rather than loff_t to avoid
+overflow in ext4_max_bitmap_size() for comparison before returning.
+w/o this patch sbi->s_bitmap_maxbytes was becoming a negative
+value due to overflow of upper_limit (with has_huge_files as true)
+
+Below is a quick test to trigger it on a 64KB pagesize system.
+
+sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2
+sudo mount /dev/loop2 /mnt
+sudo echo "hello" > /mnt/hello -> This will error out with
+ "echo: write error: File too large"
+
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3194,17 +3194,17 @@ static loff_t ext4_max_size(int blkbits,
+ */
+ static loff_t ext4_max_bitmap_size(int bits, int has_huge_files)
+ {
+- loff_t res = EXT4_NDIR_BLOCKS;
++ unsigned long long upper_limit, res = EXT4_NDIR_BLOCKS;
+ int meta_blocks;
+- loff_t upper_limit;
+- /* This is calculated to be the largest file size for a dense, block
++
++ /*
++ * This is calculated to be the largest file size for a dense, block
+ * mapped file such that the file's total number of 512-byte sectors,
+ * including data and all indirect blocks, does not exceed (2^48 - 1).
+ *
+ * __u32 i_blocks_lo and _u16 i_blocks_high represent the total
+ * number of 512-byte sectors of the file.
+ */
+-
+ if (!has_huge_files) {
+ /*
+ * !has_huge_files or implies that the inode i_block field
+@@ -3247,7 +3247,7 @@ static loff_t ext4_max_bitmap_size(int b
+ if (res > MAX_LFS_FILESIZE)
+ res = MAX_LFS_FILESIZE;
+
+- return res;
++ return (loff_t)res;
+ }
+
+ static ext4_fsblk_t descriptor_loc(struct super_block *sb,
--- /dev/null
+From 42cb447410d024e9d54139ae9c21ea132a8c384c Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Tue, 14 Sep 2021 19:14:15 +0800
+Subject: ext4: fix potential infinite loop in ext4_dx_readdir()
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream.
+
+When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an
+infinite loop since if info->last_pos != ctx->pos this will reset the
+directory scan and reread the failing entry. For example:
+
+1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as
+ leaf block which own the ext4_dir_entry_2
+2. block 1 read ok and call_filldir which will fill the dirent and update
+ the ctx->pos
+3. block 2 read fail, but we has already fill some dirent, so we will
+ return back to userspace will a positive return val(see ksys_getdents64)
+4. the second ext4_dx_readdir will reset the world since info->last_pos
+ != ctx->pos, and will also init the curr_hash which pos to block 1
+5. So we will read block1 too, and once block2 still read fail, we can
+ only fill one dirent because the hash of the entry in block1(besides
+ the last one) won't greater than curr_hash
+6. this time, we forget update last_pos too since the read for block2
+ will fail, and since we has got the one entry, ksys_getdents64 can
+ return success
+7. Latter we will trapped in a loop with step 4~6
+
+Cc: stable@kernel.org
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/dir.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -534,7 +534,7 @@ static int ext4_dx_readdir(struct file *
+ struct dir_private_info *info = file->private_data;
+ struct inode *inode = file_inode(file);
+ struct fname *fname;
+- int ret;
++ int ret = 0;
+
+ if (!info) {
+ info = ext4_htree_create_dir_info(file, ctx->pos);
+@@ -582,7 +582,7 @@ static int ext4_dx_readdir(struct file *
+ info->curr_minor_hash,
+ &info->next_hash);
+ if (ret < 0)
+- return ret;
++ goto finished;
+ if (ret == 0) {
+ ctx->pos = ext4_get_htree_eof(file);
+ break;
+@@ -613,7 +613,7 @@ static int ext4_dx_readdir(struct file *
+ }
+ finished:
+ info->last_pos = ctx->pos;
+- return 0;
++ return ret < 0 ? ret : 0;
+ }
+
+ static int ext4_dir_open(struct inode * inode, struct file * filp)
--- /dev/null
+From 6fed83957f21eff11c8496e9f24253b03d2bc1dc Mon Sep 17 00:00:00 2001
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+Date: Mon, 23 Aug 2021 14:13:58 +0800
+Subject: ext4: fix reserved space counter leakage
+
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+
+commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream.
+
+When ext4_insert_delayed block receives and recovers from an error from
+ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the
+space it has reserved for that block insertion as it should. One effect
+of this bug is that s_dirtyclusters_counter is not decremented and
+remains incorrectly elevated until the file system has been unmounted.
+This can result in premature ENOSPC returns and apparent loss of free
+space.
+
+Another effect of this bug is that
+/sys/fs/ext4/<dev>/delayed_allocation_blocks can remain non-zero even
+after syncfs has been executed on the filesystem.
+
+Besides, add check for s_dirtyclusters_counter when inode is going to be
+evicted and freed. s_dirtyclusters_counter can still keep non-zero until
+inode is written back in .evict_inode(), and thus the check is delayed
+to .destroy_inode().
+
+Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree")
+Cc: stable@kernel.org
+Suggested-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 5 +++++
+ fs/ext4/super.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1641,6 +1641,7 @@ static int ext4_insert_delayed_block(str
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ int ret;
+ bool allocated = false;
++ bool reserved = false;
+
+ /*
+ * If the cluster containing lblk is shared with a delayed,
+@@ -1657,6 +1658,7 @@ static int ext4_insert_delayed_block(str
+ ret = ext4_da_reserve_space(inode);
+ if (ret != 0) /* ENOSPC */
+ goto errout;
++ reserved = true;
+ } else { /* bigalloc */
+ if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) {
+ if (!ext4_es_scan_clu(inode,
+@@ -1669,6 +1671,7 @@ static int ext4_insert_delayed_block(str
+ ret = ext4_da_reserve_space(inode);
+ if (ret != 0) /* ENOSPC */
+ goto errout;
++ reserved = true;
+ } else {
+ allocated = true;
+ }
+@@ -1679,6 +1682,8 @@ static int ext4_insert_delayed_block(str
+ }
+
+ ret = ext4_es_insert_delayed_block(inode, lblk, allocated);
++ if (ret && reserved)
++ ext4_da_release_space(inode, 1);
+
+ errout:
+ return ret;
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1356,6 +1356,12 @@ static void ext4_destroy_inode(struct in
+ true);
+ dump_stack();
+ }
++
++ if (EXT4_I(inode)->i_reserved_data_blocks)
++ ext4_msg(inode->i_sb, KERN_ERR,
++ "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
++ inode->i_ino, EXT4_I(inode),
++ EXT4_I(inode)->i_reserved_data_blocks);
+ }
+
+ static void init_once(void *foo)
--- /dev/null
+From a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Fri, 20 Aug 2021 12:45:05 +0800
+Subject: ext4: limit the number of blocks in one ADD_RANGE TLV
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 upstream.
+
+Now EXT4_FC_TAG_ADD_RANGE uses ext4_extent to track the
+newly-added blocks, but the limit on the max value of
+ee_len field is ignored, and it can lead to BUG_ON as
+shown below when running command "fallocate -l 128M file"
+on a fast_commit-enabled fs:
+
+ kernel BUG at fs/ext4/ext4_extents.h:199!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 3 PID: 624 Comm: fallocate Not tainted 5.14.0-rc6+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+ RIP: 0010:ext4_fc_write_inode_data+0x1f3/0x200
+ Call Trace:
+ ? ext4_fc_write_inode+0xf2/0x150
+ ext4_fc_commit+0x93b/0xa00
+ ? ext4_fallocate+0x1ad/0x10d0
+ ext4_sync_file+0x157/0x340
+ ? ext4_sync_file+0x157/0x340
+ vfs_fsync_range+0x49/0x80
+ do_fsync+0x3d/0x70
+ __x64_sys_fsync+0x14/0x20
+ do_syscall_64+0x3b/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Simply fixing it by limiting the number of blocks
+in one EXT4_FC_TAG_ADD_RANGE TLV.
+
+Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
+Cc: stable@kernel.org
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210820044505.474318-1-houtao1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fast_commit.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/fast_commit.c
++++ b/fs/ext4/fast_commit.c
+@@ -832,6 +832,12 @@ static int ext4_fc_write_inode_data(stru
+ sizeof(lrange), (u8 *)&lrange, crc))
+ return -ENOSPC;
+ } else {
++ unsigned int max = (map.m_flags & EXT4_MAP_UNWRITTEN) ?
++ EXT_UNWRITTEN_MAX_LEN : EXT_INIT_MAX_LEN;
++
++ /* Limit the number of blocks in one extent */
++ map.m_len = min(max, map.m_len);
++
+ fc_ext.fc_ino = cpu_to_le32(inode->i_ino);
+ ex = (struct ext4_extent *)&fc_ext.fc_ex;
+ ex->ee_block = cpu_to_le32(map.m_lblk);
--- /dev/null
+From 22d65765f211cc83186fd8b87521159f354c0da9 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Date: Thu, 16 Sep 2021 17:33:11 +0100
+Subject: HID: u2fzero: ignore incomplete packets without data
+
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+
+commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream.
+
+Since the actual_length calculation is performed unsigned, packets
+shorter than 7 bytes (e.g. packets without data or otherwise truncated)
+or non-received packets ("zero" bytes) can cause buffer overflow.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
+Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
+Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-u2fzero.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-u2fzero.c
++++ b/drivers/hid/hid-u2fzero.c
+@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng
+ }
+
+ ret = u2fzero_recv(dev, &req, &resp);
+- if (ret < 0)
++
++ /* ignore errors or packets without data */
++ if (ret < offsetof(struct u2f_hid_msg, init.data))
+ return 0;
+
+ /* only take the minimum amount of data it is safe to take */
--- /dev/null
+From 445c8132727728dc297492a7d9fc074af3e94ba3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:20 +0200
+Subject: ipack: ipoctal: fix missing allocation-failure check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream.
+
+Add the missing error handling when allocating the transmit buffer to
+avoid dereferencing a NULL pointer in write() should the allocation
+ever fail.
+
+Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
+Cc: stable@vger.kernel.org # 3.5
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -388,7 +388,9 @@ static int ipoctal_inst_slot(struct ipoc
+
+ channel = &ipoctal->channel[i];
+ tty_port_init(&channel->tty_port);
+- tty_port_alloc_xmit_buf(&channel->tty_port);
++ res = tty_port_alloc_xmit_buf(&channel->tty_port);
++ if (res)
++ continue;
+ channel->tty_port.ops = &ipoctal_tty_port_ops;
+
+ ipoctal_reset_stats(&channel->stats);
--- /dev/null
+From bb8a4fcb2136508224c596a7e665bdba1d7c3c27 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:21 +0200
+Subject: ipack: ipoctal: fix module reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream.
+
+A reference to the carrier module was taken on every open but was only
+released once when the final reference to the tty struct was dropped.
+
+Fix this by taking the module reference and initialising the tty driver
+data when installing the tty.
+
+Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod")
+Cc: stable@vger.kernel.org # 3.18
+Cc: Federico Vaga <federico.vaga@cern.ch>
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -84,22 +84,34 @@ static int ipoctal_port_activate(struct
+ return 0;
+ }
+
+-static int ipoctal_open(struct tty_struct *tty, struct file *file)
++static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty)
+ {
+ struct ipoctal_channel *channel = dev_get_drvdata(tty->dev);
+ struct ipoctal *ipoctal = chan_to_ipoctal(channel, tty->index);
+- int err;
+-
+- tty->driver_data = channel;
++ int res;
+
+ if (!ipack_get_carrier(ipoctal->dev))
+ return -EBUSY;
+
+- err = tty_port_open(&channel->tty_port, tty, file);
+- if (err)
+- ipack_put_carrier(ipoctal->dev);
++ res = tty_standard_install(driver, tty);
++ if (res)
++ goto err_put_carrier;
++
++ tty->driver_data = channel;
++
++ return 0;
++
++err_put_carrier:
++ ipack_put_carrier(ipoctal->dev);
++
++ return res;
++}
++
++static int ipoctal_open(struct tty_struct *tty, struct file *file)
++{
++ struct ipoctal_channel *channel = tty->driver_data;
+
+- return err;
++ return tty_port_open(&channel->tty_port, tty, file);
+ }
+
+ static void ipoctal_reset_stats(struct ipoctal_stats *stats)
+@@ -665,6 +677,7 @@ static void ipoctal_cleanup(struct tty_s
+
+ static const struct tty_operations ipoctal_fops = {
+ .ioctl = NULL,
++ .install = ipoctal_install,
+ .open = ipoctal_open,
+ .close = ipoctal_close,
+ .write = ipoctal_write_tty,
--- /dev/null
+From a89936cce87d60766a75732a9e7e25c51164f47c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:17 +0200
+Subject: ipack: ipoctal: fix stack information leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a89936cce87d60766a75732a9e7e25c51164f47c upstream.
+
+The tty driver name is used also after registering the driver and must
+specifically not be allocated on the stack to avoid leaking information
+to user space (or triggering an oops).
+
+Drivers should not try to encode topology information in the tty device
+name but this one snuck in through staging without anyone noticing and
+another driver has since copied this malpractice.
+
+Fixing the ABI is a separate issue, but this at least plugs the security
+hole.
+
+Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
+Cc: stable@vger.kernel.org # 3.5
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -266,7 +266,6 @@ static int ipoctal_inst_slot(struct ipoc
+ int res;
+ int i;
+ struct tty_driver *tty;
+- char name[20];
+ struct ipoctal_channel *channel;
+ struct ipack_region *region;
+ void __iomem *addr;
+@@ -357,8 +356,11 @@ static int ipoctal_inst_slot(struct ipoc
+ /* Fill struct tty_driver with ipoctal data */
+ tty->owner = THIS_MODULE;
+ tty->driver_name = KBUILD_MODNAME;
+- sprintf(name, KBUILD_MODNAME ".%d.%d.", bus_nr, slot);
+- tty->name = name;
++ tty->name = kasprintf(GFP_KERNEL, KBUILD_MODNAME ".%d.%d.", bus_nr, slot);
++ if (!tty->name) {
++ res = -ENOMEM;
++ goto err_put_driver;
++ }
+ tty->major = 0;
+
+ tty->minor_start = 0;
+@@ -374,8 +376,7 @@ static int ipoctal_inst_slot(struct ipoc
+ res = tty_register_driver(tty);
+ if (res) {
+ dev_err(&ipoctal->dev->dev, "Can't register tty driver.\n");
+- put_tty_driver(tty);
+- return res;
++ goto err_free_name;
+ }
+
+ /* Save struct tty_driver for use it when uninstalling the device */
+@@ -412,6 +413,13 @@ static int ipoctal_inst_slot(struct ipoc
+ ipoctal_irq_handler, ipoctal);
+
+ return 0;
++
++err_free_name:
++ kfree(tty->name);
++err_put_driver:
++ put_tty_driver(tty);
++
++ return res;
+ }
+
+ static inline int ipoctal_copy_write_buffer(struct ipoctal_channel *channel,
+@@ -700,6 +708,7 @@ static void __ipoctal_remove(struct ipoc
+ }
+
+ tty_unregister_driver(ipoctal->tty_drv);
++ kfree(ipoctal->tty_drv->name);
+ put_tty_driver(ipoctal->tty_drv);
+ kfree(ipoctal);
+ }
--- /dev/null
+From cd20d59291d1790dc74248476e928f57fc455189 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:19 +0200
+Subject: ipack: ipoctal: fix tty-registration error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cd20d59291d1790dc74248476e928f57fc455189 upstream.
+
+Registration of the ipoctal tty devices is unlikely to fail, but if it
+ever does, make sure not to deregister a never registered tty device
+(and dereference a NULL pointer) when the driver is later unbound.
+
+Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -35,6 +35,7 @@ struct ipoctal_channel {
+ unsigned int pointer_read;
+ unsigned int pointer_write;
+ struct tty_port tty_port;
++ bool tty_registered;
+ union scc2698_channel __iomem *regs;
+ union scc2698_block __iomem *block_regs;
+ unsigned int board_id;
+@@ -399,9 +400,11 @@ static int ipoctal_inst_slot(struct ipoc
+ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
++ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
++ channel->tty_registered = true;
+ }
+
+ /*
+@@ -702,6 +705,10 @@ static void __ipoctal_remove(struct ipoc
+
+ for (i = 0; i < NR_CHANNELS; i++) {
+ struct ipoctal_channel *channel = &ipoctal->channel[i];
++
++ if (!channel->tty_registered)
++ continue;
++
+ tty_unregister_device(ipoctal->tty_drv, i);
+ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
--- /dev/null
+From 65c001df517a7bf9be8621b53d43c89f426ce8d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:18 +0200
+Subject: ipack: ipoctal: fix tty registration race
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream.
+
+Make sure to set the tty class-device driver data before registering the
+tty to avoid having a racing open() dereference a NULL pointer.
+
+Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -395,13 +395,13 @@ static int ipoctal_inst_slot(struct ipoc
+ spin_lock_init(&channel->lock);
+ channel->pointer_read = 0;
+ channel->pointer_write = 0;
+- tty_dev = tty_port_register_device(&channel->tty_port, tty, i, NULL);
++ tty_dev = tty_port_register_device_attr(&channel->tty_port, tty,
++ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
+- dev_set_drvdata(tty_dev, channel);
+ }
+
+ /*
--- /dev/null
+From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 27 Sep 2021 17:29:24 -0700
+Subject: net: udp: annotate data race around udp_sk(sk)->corkflag
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.
+
+up->corkflag field can be read or written without any lock.
+Annotate accesses to avoid possible syzbot/KCSAN reports.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 10 +++++-----
+ net/ipv6/udp.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1035,7 +1035,7 @@ int udp_sendmsg(struct sock *sk, struct
+ __be16 dport;
+ u8 tos;
+ int err, is_udplite = IS_UDPLITE(sk);
+- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
+ int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
+ struct sk_buff *skb;
+ struct ip_options_data opt_copy;
+@@ -1343,7 +1343,7 @@ int udp_sendpage(struct sock *sk, struct
+ }
+
+ up->len += size;
+- if (!(up->corkflag || (flags&MSG_MORE)))
++ if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE)))
+ ret = udp_push_pending_frames(sk);
+ if (!ret)
+ ret = size;
+@@ -2609,9 +2609,9 @@ int udp_lib_setsockopt(struct sock *sk,
+ switch (optname) {
+ case UDP_CORK:
+ if (val != 0) {
+- up->corkflag = 1;
++ WRITE_ONCE(up->corkflag, 1);
+ } else {
+- up->corkflag = 0;
++ WRITE_ONCE(up->corkflag, 0);
+ lock_sock(sk);
+ push_pending_frames(sk);
+ release_sock(sk);
+@@ -2734,7 +2734,7 @@ int udp_lib_getsockopt(struct sock *sk,
+
+ switch (optname) {
+ case UDP_CORK:
+- val = up->corkflag;
++ val = READ_ONCE(up->corkflag);
+ break;
+
+ case UDP_ENCAP:
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1288,7 +1288,7 @@ int udpv6_sendmsg(struct sock *sk, struc
+ int addr_len = msg->msg_namelen;
+ bool connected = false;
+ int ulen = len;
+- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
+ int err;
+ int is_udplite = IS_UDPLITE(sk);
+ int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
--- /dev/null
+From a2941f6aa71a72be2c82c0a168523a492d093530 Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Mon, 27 Sep 2021 08:43:06 -0700
+Subject: nvme: add command id quirk for apple controllers
+
+From: Keith Busch <kbusch@kernel.org>
+
+commit a2941f6aa71a72be2c82c0a168523a492d093530 upstream.
+
+Some apple controllers use the command id as an index to implementation
+specific data structures and will fail if the value is out of bounds.
+The nvme driver's recently introduced command sequence number breaks
+this controller.
+
+Provide a quirk so these spec incompliant controllers can function as
+before. The driver will not have the ability to detect bad completions
+when this quirk is used, but we weren't previously checking this anyway.
+
+The quirk bit was selected so that it can readily apply to stable.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=214509
+Cc: Sven Peter <sven@svenpeter.dev>
+Reported-by: Orlando Chamberlain <redecorating@protonmail.com>
+Reported-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Sven Peter <sven@svenpeter.dev>
+Link: https://lore.kernel.org/r/20210927154306.387437-1-kbusch@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 4 +++-
+ drivers/nvme/host/nvme.h | 6 ++++++
+ drivers/nvme/host/pci.c | 3 ++-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -831,6 +831,7 @@ EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);
+ blk_status_t nvme_setup_cmd(struct nvme_ns *ns, struct request *req,
+ struct nvme_command *cmd)
+ {
++ struct nvme_ctrl *ctrl = nvme_req(req)->ctrl;
+ blk_status_t ret = BLK_STS_OK;
+
+ nvme_clear_nvme_request(req);
+@@ -877,7 +878,8 @@ blk_status_t nvme_setup_cmd(struct nvme_
+ return BLK_STS_IOERR;
+ }
+
+- nvme_req(req)->genctr++;
++ if (!(ctrl->quirks & NVME_QUIRK_SKIP_CID_GEN))
++ nvme_req(req)->genctr++;
+ cmd->common.command_id = nvme_cid(req);
+ trace_nvme_setup_cmd(req, cmd);
+ return ret;
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -144,6 +144,12 @@ enum nvme_quirks {
+ * NVMe 1.3 compliance.
+ */
+ NVME_QUIRK_NO_NS_DESC_LIST = (1 << 15),
++
++ /*
++ * The controller requires the command_id value be be limited, so skip
++ * encoding the generation sequence number.
++ */
++ NVME_QUIRK_SKIP_CID_GEN = (1 << 17),
+ };
+
+ /*
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3259,7 +3259,8 @@ static const struct pci_device_id nvme_i
+ { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005),
+ .driver_data = NVME_QUIRK_SINGLE_VECTOR |
+ NVME_QUIRK_128_BYTES_SQES |
+- NVME_QUIRK_SHARED_TAGS },
++ NVME_QUIRK_SHARED_TAGS |
++ NVME_QUIRK_SKIP_CID_GEN },
+
+ { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
+ { 0, }
af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch
perf-x86-intel-update-event-constraints-for-icx.patch
hwmon-pmbus-mp2975-add-missed-pout-attribute-for-pag.patch
+nvme-add-command-id-quirk-for-apple-controllers.patch
+elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
+debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch
+ipack-ipoctal-fix-stack-information-leak.patch
+ipack-ipoctal-fix-tty-registration-race.patch
+ipack-ipoctal-fix-tty-registration-error-handling.patch
+ipack-ipoctal-fix-missing-allocation-failure-check.patch
+ipack-ipoctal-fix-module-reference-leak.patch
+ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch
+ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch
+ext4-fix-reserved-space-counter-leakage.patch
+ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch
+ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch
+hid-u2fzero-ignore-incomplete-packets-without-data.patch
+net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
