From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 12 Dec 2021 13:25:34 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.295~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b619ef1e717eb8960cde3755d1fe129b9b54a529;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
	libata-add-horkage-for-asmedia-1092.patch
	tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
---

diff --git a/queue-4.9/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch b/queue-4.9/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
new file mode 100644
index 00000000000..c28a11e104f
--- /dev/null
+++ b/queue-4.9/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
@@ -0,0 +1,41 @@
+From 94cddf1e9227a171b27292509d59691819c458db Mon Sep 17 00:00:00 2001
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Date: Tue, 23 Nov 2021 20:16:54 +0900
+Subject: can: pch_can: pch_can_rx_normal: fix use after free
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+commit 94cddf1e9227a171b27292509d59691819c458db upstream.
+
+After calling netif_receive_skb(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is dereferenced
+just after the call netif_receive_skb(skb).
+
+Reordering the lines solves the issue.
+
+Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.")
+Link: https://lore.kernel.org/all/20211123111654.621610-1-mailhol.vincent@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/pch_can.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/pch_can.c
++++ b/drivers/net/can/pch_can.c
+@@ -703,11 +703,11 @@ static int pch_can_rx_normal(struct net_
+ 			cf->data[i + 1] = data_reg >> 8;
+ 		}
+ 
+-		netif_receive_skb(skb);
+ 		rcv_pkts++;
+ 		stats->rx_packets++;
+ 		quota--;
+ 		stats->rx_bytes += cf->can_dlc;
++		netif_receive_skb(skb);
+ 
+ 		pch_fifo_thresh(priv, obj_num);
+ 		obj_num++;
diff --git a/queue-4.9/libata-add-horkage-for-asmedia-1092.patch b/queue-4.9/libata-add-horkage-for-asmedia-1092.patch
new file mode 100644
index 00000000000..ebb5bd5b47b
--- /dev/null
+++ b/queue-4.9/libata-add-horkage-for-asmedia-1092.patch
@@ -0,0 +1,33 @@
+From a66307d473077b7aeba74e9b09c841ab3d399c2d Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Wed, 8 Dec 2021 07:58:53 +0100
+Subject: libata: add horkage for ASMedia 1092
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit a66307d473077b7aeba74e9b09c841ab3d399c2d upstream.
+
+The ASMedia 1092 has a configuration mode which will present a
+dummy device; sadly the implementation falsely claims to provide
+a device with 100M which doesn't actually exist.
+So disable this device to avoid errors during boot.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4332,6 +4332,8 @@ static const struct ata_blacklist_entry
+ 	{ "VRFDFC22048UCHC-TE*", NULL,		ATA_HORKAGE_NODMA },
+ 	/* Odd clown on sil3726/4726 PMPs */
+ 	{ "Config  Disk",	NULL,		ATA_HORKAGE_DISABLE },
++	/* Similar story with ASMedia 1092 */
++	{ "ASMT109x- Config",	NULL,		ATA_HORKAGE_DISABLE },
+ 
+ 	/* Weird ATAPI devices */
+ 	{ "TORiSAN DVD-ROM DRD-N216", NULL,	ATA_HORKAGE_MAX_SEC_128 },
diff --git a/queue-4.9/series b/queue-4.9/series
index eeacea95994..7fc887d4b34 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,6 @@ alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
 alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
 alsa-pcm-oss-limit-the-period-size-to-16mb.patch
 alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
+tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
+can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
+libata-add-horkage-for-asmedia-1092.patch
diff --git a/queue-4.9/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch b/queue-4.9/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
new file mode 100644
index 00000000000..12bbaed8478
--- /dev/null
+++ b/queue-4.9/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
@@ -0,0 +1,53 @@
+From ee7f3666995d8537dec17b1d35425f28877671a9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 8 Dec 2021 07:57:20 -0500
+Subject: tracefs: Have new files inherit the ownership of their parent
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream.
+
+If directories in tracefs have their ownership changed, then any new files
+and directories that are created under those directories should inherit
+the ownership of the director they are created in.
+
+Link: https://lkml.kernel.org/r/20211208075720.4855d180@gandalf.local.home
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Yabin Cui <yabinc@google.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: stable@vger.kernel.org
+Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
+Reported-by: Kalesh Singh <kaleshsingh@google.com>
+Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/tracefs/inode.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -411,6 +411,8 @@ struct dentry *tracefs_create_file(const
+ 	inode->i_mode = mode;
+ 	inode->i_fop = fops ? fops : &tracefs_file_operations;
+ 	inode->i_private = data;
++	inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++	inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+ 	d_instantiate(dentry, inode);
+ 	fsnotify_create(dentry->d_parent->d_inode, dentry);
+ 	return end_creating(dentry);
+@@ -433,6 +435,8 @@ static struct dentry *__create_dir(const
+ 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ 	inode->i_op = ops;
+ 	inode->i_fop = &simple_dir_operations;
++	inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++	inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+ 
+ 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
+ 	inc_nlink(inode);