From 7d7709c380b1afd278f13b6e4efdca09519f5c78 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 1 Sep 2021 11:51:22 +0200
Subject: [PATCH] 5.14-stable patches

added patches:
 btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
 net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
 revert-floppy-reintroduce-o_ndelay-fix.patch

---
 ...e-when-deleting-device-by-invalid-id.patch | 79 +++++++++++++++++++
 ...-mt7530-fix-vlan-traffic-leaks-again.patch | 40 ++++++++++
 ...vert-floppy-reintroduce-o_ndelay-fix.patch | 72 +++++++++++++++++
 queue-5.14/series | 3 +
 4 files changed, 194 insertions(+)
 create mode 100644 queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
 create mode 100644 queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
 create mode 100644 queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch

diff --git a/queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch b/queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
new file mode 100644
index 00000000000..27aec361cb8
--- /dev/null
+++ b/queue-5.14/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
@@ -0,0 +1,79 @@
+From e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Fri, 6 Aug 2021 18:24:15 +0800
+Subject: btrfs: fix NULL pointer dereference when deleting device by invalid id
+
+From: Qu Wenruo
+
+commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 upstream.
+
+[BUG]
+It's easy to trigger NULL pointer dereference, just by removing a
+non-existing device id:
+
+ # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
+ /dev/test/scratch2
+ # mount /dev/test/scratch1 /mnt/btrfs
+ # btrfs device remove 3 /mnt/btrfs
+
+Then we have the following kernel NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
+ btrfs_ioctl+0x18bb/0x3190 [btrfs]
+ ? lock_is_held_type+0xa5/0x120
+ ? find_held_lock.constprop.0+0x2b/0x80
+ ? do_user_addr_fault+0x201/0x6a0
+ ? lock_release+0xd2/0x2d0
+ ? __x64_sys_ioctl+0x83/0xb0
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+[CAUSE]
+Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
+btrfs_device directly") moves the "missing" device path check into
+btrfs_rm_device().
+
+But btrfs_rm_device() itself can have case where it only receives
+@devid, with NULL as @device_path.
+
+In that case, calling strcmp() on NULL will trigger the NULL pointer
+dereference.
+
+Before that commit, we handle the "missing" case inside
+btrfs_find_device_by_devspec(), which will not check @device_path at all
+if @devid is provided, thus no way to trigger the bug.
+
+[FIX]
+Before calling strcmp(), also make sure @device_path is not NULL.
+
+Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
+CC: stable@vger.kernel.org # 5.4+
+Reported-by: butt3rflyh4ck
+Reviewed-by: Anand Jain
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2137,7 +2137,7 @@ int btrfs_rm_device(struct btrfs_fs_info
+ 
+ if (IS_ERR(device)) {
+ if (PTR_ERR(device) == -ENOENT &&
+- strcmp(device_path, "missing") == 0)
++ device_path && strcmp(device_path, "missing") == 0)
+ ret = BTRFS_ERROR_DEV_MISSING_NOT_FOUND;
+ else
+ ret = PTR_ERR(device);
diff --git a/queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch b/queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
new file mode 100644
index 00000000000..9642c7e69e7
--- /dev/null
+++ b/queue-5.14/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
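Review bot: The new `device_path &&` guard in front of `strcmp(device_path, "missing")` in btrfs_rm_device() carries no comment saying when device_path is legitimately NULL; the inner commit message explains it (a caller that identifies the device by @devid only), but that reasoning does not survive into the code. A one-line comment above the condition, `/* device_path is NULL when the caller passed only @devid */`, would keep the invariant visible to whoever next touches this branch. btrfs_rm_device() begins before the hunk and continues after it.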
@@ -0,0 +1,40 @@
+From 7428022b50d0fbb4846dd0f00639ea09d36dff02 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang
+Date: Wed, 11 Aug 2021 17:50:43 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks again
+
+From: DENG Qingfang
+
+commit 7428022b50d0fbb4846dd0f00639ea09d36dff02 upstream.
+
+When a port leaves a VLAN-aware bridge, the current code does not clear
+other ports' matrix field bit. If the bridge is later set to VLAN-unaware
+mode, traffic in the bridge may leak to that port.
+
+Remove the VLAN filtering check in mt7530_port_bridge_leave.
+
+Fixes: 474a2ddaa192 ("net: dsa: mt7530: fix VLAN traffic leaks")
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang
+Reviewed-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mt7530.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1308,11 +1308,8 @@ mt7530_port_bridge_leave(struct dsa_swit
+ /* Remove this port from the port matrix of the other ports
+ * in the same bridge. If the port is disabled, port matrix
+ * is kept and not being setup until the port becomes enabled.
+- * And the other port's port matrix cannot be broken when the
+- * other port is still a VLAN-aware port.
+ */
+- if (dsa_is_user_port(ds, i) && i != port &&
+- !dsa_port_is_vlan_filtering(dsa_to_port(ds, i))) {
++ if (dsa_is_user_port(ds, i) && i != port) {
+ if (dsa_to_port(ds, i)->bridge_dev != bridge)
+ continue;
+ if (priv->ports[i].enable)
diff --git a/queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch b/queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch
new file mode 100644
index 00000000000..b8ca303550a
--- /dev/null
+++ b/queue-5.14/revert-floppy-reintroduce-o_ndelay-fix.patch
@@ -0,0 +1,72 @@
+From c7e9d0020361f4308a70cdfd6d5335e273eb8717 Mon Sep 17 00:00:00 2001
+From: Denis Efremov
+Date: Sat, 7 Aug 2021 10:37:02 +0300
+Subject: Revert "floppy: reintroduce O_NDELAY fix"
+
+From: Denis Efremov
+
+commit c7e9d0020361f4308a70cdfd6d5335e273eb8717 upstream.
+
+The patch breaks userspace implementations (e.g. fdutils) and introduces
+regressions in behaviour. Previously, it was possible to O_NDELAY open a
+floppy device with no media inserted or with write protected media without
+an error. Some userspace tools use this particular behavior for probing.
+
+It's not the first time when we revert this patch. Previous revert is in
+commit f2791e7eadf4 (Revert "floppy: refactor open() flags handling").
+
+This reverts commit 8a0c014cd20516ade9654fc13b51345ec58e7be8.
+
+Link: https://lore.kernel.org/linux-block/de10cb47-34d1-5a88-7751-225ca380f735@compro.net/
+Reported-by: Mark Hounschell
+Cc: Jiri Kosina
+Cc: Wim Osterholt
+Cc: Kurt Garloff
+Cc:
+Signed-off-by: Denis Efremov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/floppy.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4029,23 +4029,23 @@ static int floppy_open(struct block_devi
+ if (fdc_state[FDC(drive)].rawcmd == 1)
+ fdc_state[FDC(drive)].rawcmd = 2;
+ 
+- if (mode & (FMODE_READ|FMODE_WRITE)) {
+- drive_state[drive].last_checked = 0;
+- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags);
+- if (bdev_check_media_change(bdev))
+- floppy_revalidate(bdev->bd_disk);
+- if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
+- goto out;
+- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++ if (!(mode & FMODE_NDELAY)) {
++ if (mode & (FMODE_READ|FMODE_WRITE)) {
++ drive_state[drive].last_checked = 0;
++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT,
++ &drive_state[drive].flags);
++ if (bdev_check_media_change(bdev))
++ floppy_revalidate(bdev->bd_disk);
++ if (test_bit(FD_DISK_CHANGED_BIT, &drive_state[drive].flags))
++ goto out;
++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &drive_state[drive].flags))
++ goto out;
++ }
++ res = -EROFS;
++ if ((mode & FMODE_WRITE) &&
++ !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+ goto out;
+ }
+-
+- res = -EROFS;
+-
+- if ((mode & FMODE_WRITE) &&
+- !test_bit(FD_DISK_WRITABLE_BIT, &drive_state[drive].flags))
+- goto out;
+-
+ mutex_unlock(&open_lock);
+ mutex_unlock(&floppy_mutex);
+ return 0;
diff --git a/queue-5.14/series b/queue-5.14/series
index 28b64045b3f..2dcf9595f4a 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -1,2 +1,5 @@
 vt_kdsetmode-extend-console-locking.patch
 bluetooth-btusb-check-conditions-before-enabling-usb-alt-3-for-wbs.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
+btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
+revert-floppy-reintroduce-o_ndelay-fix.patch
-- 
2.47.3
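Review bot: The restored `if (!(mode & FMODE_NDELAY))` block in floppy_open() now skips both the media-change revalidation and the `res = -EROFS` write-protect check for O_NDELAY opens, so a write-mode open of write-protected or absent media succeeds at open() and is only rejected later; the inner commit message says this is deliberate because fdutils-style tools probe drives this way, but nothing in the code records it, and the message notes this is already the second revert of the same change. A comment on the branch, `/* O_NDELAY opens skip media/write-protect checks: userspace (fdutils) probes drives this way */`, would make the intent survive the next cleanup. floppy_open() starts before the hunk and its `out:` label lies after it.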