--- /dev/null
+From aef454b40288158b850aab13e3d2a8c406779401 Mon Sep 17 00:00:00 2001
+From: Steven Clarkson <sc@lambdal.com>
+Date: Thu, 14 Oct 2021 06:35:54 -0700
+Subject: ALSA: hda/realtek: Add quirk for Clevo PC50HS
+
+From: Steven Clarkson <sc@lambdal.com>
+
+commit aef454b40288158b850aab13e3d2a8c406779401 upstream.
+
+Apply existing PCI quirk to the Clevo PC50HS and related models to fix
+audio output on the built in speakers.
+
+Signed-off-by: Steven Clarkson <sc@lambdal.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211014133554.1326741-1-sc@lambdal.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2547,6 +2547,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1558, 0x65d2, "Clevo PB51R[CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++ SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
--- /dev/null
+From 3c414eb65c294719a91a746260085363413f91c1 Mon Sep 17 00:00:00 2001
+From: Brendan Grieve <brendan@grieve.com.au>
+Date: Fri, 15 Oct 2021 10:53:35 +0800
+Subject: ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
+
+From: Brendan Grieve <brendan@grieve.com.au>
+
+commit 3c414eb65c294719a91a746260085363413f91c1 upstream.
+
+As per discussion at: https://github.com/szszoke/sennheiser-gsp670-pulseaudio-profile/issues/13
+
+The GSP670 has 2 playback and 1 recording device that by default are
+detected in an incompatible order for alsa. This may have been done to make
+it compatible for the console by the manufacturer and only affects the
+latest firmware which uses its own ID.
+
+This quirk will resolve this by reordering the channels.
+
+Signed-off-by: Brendan Grieve <brendan@grieve.com.au>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211015025335.196592-1-brendan@grieve.com.au
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks-table.h | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3698,6 +3698,38 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++{
++ /*
++ * Sennheiser GSP670
++ * Change order of interfaces loaded
++ */
++ USB_DEVICE(0x1395, 0x0300),
++ .bInterfaceClass = USB_CLASS_PER_INTERFACE,
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = &(const struct snd_usb_audio_quirk[]) {
++ // Communication
++ {
++ .ifnum = 3,
++ .type = QUIRK_AUDIO_STANDARD_INTERFACE
++ },
++ // Recording
++ {
++ .ifnum = 4,
++ .type = QUIRK_AUDIO_STANDARD_INTERFACE
++ },
++ // Main
++ {
++ .ifnum = 1,
++ .type = QUIRK_AUDIO_STANDARD_INTERFACE
++ },
++ {
++ .ifnum = -1
++ }
++ }
++ }
++},
+
+ #undef USB_DEVICE_VENDOR_SPEC
+ #undef USB_AUDIO_DEVICE
--- /dev/null
+From 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 6 Oct 2021 16:17:12 +0200
+Subject: ASoC: DAPM: Fix missing kctl change notifications
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 upstream.
+
+The put callback of a kcontrol is supposed to return 1 when the value
+is changed, and this will be notified to user-space. However, some
+DAPM kcontrols always return 0 (except for errors), hence the
+user-space misses the update of a control value.
+
+This patch corrects the behavior by properly returning 1 when the
+value gets updated.
+
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20211006141712.2439-1-tiwai@suse.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2559,6 +2559,7 @@ static int snd_soc_dapm_set_pin(struct s
+ const char *pin, int status)
+ {
+ struct snd_soc_dapm_widget *w = dapm_find_widget(dapm, pin, true);
++ int ret = 0;
+
+ dapm_assert_locked(dapm);
+
+@@ -2571,13 +2572,14 @@ static int snd_soc_dapm_set_pin(struct s
+ dapm_mark_dirty(w, "pin configuration");
+ dapm_widget_invalidate_input_paths(w);
+ dapm_widget_invalidate_output_paths(w);
++ ret = 1;
+ }
+
+ w->connected = status;
+ if (status == 0)
+ w->force = 0;
+
+- return 0;
++ return ret;
+ }
+
+ /**
+@@ -3582,14 +3584,15 @@ int snd_soc_dapm_put_pin_switch(struct s
+ {
+ struct snd_soc_card *card = snd_kcontrol_chip(kcontrol);
+ const char *pin = (const char *)kcontrol->private_value;
++ int ret;
+
+ if (ucontrol->value.integer.value[0])
+- snd_soc_dapm_enable_pin(&card->dapm, pin);
++ ret = snd_soc_dapm_enable_pin(&card->dapm, pin);
+ else
+- snd_soc_dapm_disable_pin(&card->dapm, pin);
++ ret = snd_soc_dapm_disable_pin(&card->dapm, pin);
+
+ snd_soc_dapm_sync(&card->dapm);
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_dapm_put_pin_switch);
+
+@@ -4035,7 +4038,7 @@ static int snd_soc_dapm_dai_link_put(str
+
+ rtd->params_select = ucontrol->value.enumerated.item[0];
+
+- return 0;
++ return 1;
+ }
+
+ static void
--- /dev/null
+From 6e3ee990c90494561921c756481d0e2125d8b895 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Sat, 16 Oct 2021 15:23:50 +0800
+Subject: audit: fix possible null-pointer dereference in audit_filter_rules
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 6e3ee990c90494561921c756481d0e2125d8b895 upstream.
+
+Fix possible null-pointer dereference in audit_filter_rules.
+
+audit_filter_rules() error: we previously assumed 'ctx' could be null
+
+Cc: stable@vger.kernel.org
+Fixes: bf361231c295 ("audit: add saddr_fam filter field")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -653,7 +653,7 @@ static int audit_filter_rules(struct tas
+ result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
+ break;
+ case AUDIT_SADDR_FAM:
+- if (ctx->sockaddr)
++ if (ctx && ctx->sockaddr)
+ result = audit_comparator(ctx->sockaddr->ss_family,
+ f->op, f->val);
+ break;
--- /dev/null
+From 9acf636215a6ce9362fe618e7da4913b8bfe84c8 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Sat, 9 Oct 2021 15:40:18 +0800
+Subject: can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 9acf636215a6ce9362fe618e7da4913b8bfe84c8 upstream.
+
+Using wait_event_interruptible() to wait for complete transmission,
+but do not check the result of wait_event_interruptible() which can be
+interrupted. It will result in TX buffer has multiple accessors and
+the later process interferes with the previous process.
+
+Following is one of the problems reported by syzbot.
+
+=============================================================
+WARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+RIP: 0010:isotp_tx_timer_handler+0x2e0/0x4c0
+Call Trace:
+ <IRQ>
+ ? isotp_setsockopt+0x390/0x390
+ __hrtimer_run_queues+0xb8/0x610
+ hrtimer_run_softirq+0x91/0xd0
+ ? rcu_read_lock_sched_held+0x4d/0x80
+ __do_softirq+0xe8/0x553
+ irq_exit_rcu+0xf8/0x100
+ sysvec_apic_timer_interrupt+0x9e/0xc0
+ </IRQ>
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+
+Add result check for wait_event_interruptible() in isotp_sendmsg()
+to avoid multiple accessers for tx buffer.
+
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Link: https://lore.kernel.org/all/10ca695732c9dd267c76a3c30f37aefe1ff7e32f.1633764159.git.william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+78bab6958a614b0c80b9@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -863,7 +863,9 @@ static int isotp_sendmsg(struct socket *
+ return -EAGAIN;
+
+ /* wait for complete transmission of current pdu */
+- wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ if (err)
++ return err;
+ }
+
+ if (!size || size > MAX_MSG_LENGTH)
--- /dev/null
+From d674a8f123b4096d85955c7eaabec688f29724c9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 7 May 2021 11:18:39 +0200
+Subject: can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit d674a8f123b4096d85955c7eaabec688f29724c9 upstream.
+
+When the a large chunk of data send and the receiver does not send a
+Flow Control frame back in time, the sendmsg() does not return a error
+code, but the number of bytes sent corresponding to the size of the
+packet.
+
+If a timeout occurs the isotp_tx_timer_handler() is fired, sets
+sk->sk_err and calls the sk->sk_error_report() function. It was
+wrongly expected that the error would be propagated to user space in
+every case. For isotp_sendmsg() blocking on wait_event_interruptible()
+this is not the case.
+
+This patch fixes the problem by checking if sk->sk_err is set and
+returning the error to user space.
+
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Link: https://github.com/hartkopp/can-isotp/issues/42
+Link: https://github.com/hartkopp/can-isotp/pull/43
+Link: https://lore.kernel.org/all/20210507091839.1366379-1-mkl@pengutronix.de
+Cc: stable@vger.kernel.org
+Reported-by: Sottas Guillaume (LMB) <Guillaume.Sottas@liebherr.com>
+Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -953,6 +953,9 @@ static int isotp_sendmsg(struct socket *
+ if (wait_tx_done) {
+ /* wait for complete transmission of current pdu */
+ wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++
++ if (sk->sk_err)
++ return -sk->sk_err;
+ }
+
+ return size;
--- /dev/null
+From d9d52a3ebd284882f5562c88e55991add5d01586 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Sun, 26 Sep 2021 18:47:57 +0800
+Subject: can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit d9d52a3ebd284882f5562c88e55991add5d01586 upstream.
+
+It will trigger UAF for rx_kref of j1939_priv as following.
+
+ cpu0 cpu1
+j1939_sk_bind(socket0, ndev0, ...)
+j1939_netdev_start
+ j1939_sk_bind(socket1, ndev0, ...)
+ j1939_netdev_start
+j1939_priv_set
+ j1939_priv_get_by_ndev_locked
+j1939_jsk_add
+.....
+j1939_netdev_stop
+kref_put_lock(&priv->rx_kref, ...)
+ kref_get(&priv->rx_kref, ...)
+ REFCOUNT_WARN("addition on 0;...")
+
+====================================================
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
+RIP: 0010:refcount_warn_saturate+0x169/0x1e0
+Call Trace:
+ j1939_netdev_start+0x68b/0x920
+ j1939_sk_bind+0x426/0xeb0
+ ? security_socket_bind+0x83/0xb0
+
+The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
+protect.
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -249,11 +249,14 @@ struct j1939_priv *j1939_netdev_start(st
+ struct j1939_priv *priv, *priv_new;
+ int ret;
+
+- priv = j1939_priv_get_by_ndev(ndev);
++ spin_lock(&j1939_netdev_lock);
++ priv = j1939_priv_get_by_ndev_locked(ndev);
+ if (priv) {
+ kref_get(&priv->rx_kref);
++ spin_unlock(&j1939_netdev_lock);
+ return priv;
+ }
++ spin_unlock(&j1939_netdev_lock);
+
+ priv = j1939_priv_create(ndev);
+ if (!priv)
+@@ -269,10 +272,10 @@ struct j1939_priv *j1939_netdev_start(st
+ /* Someone was faster than us, use their priv and roll
+ * back our's.
+ */
++ kref_get(&priv_new->rx_kref);
+ spin_unlock(&j1939_netdev_lock);
+ dev_put(ndev);
+ kfree(priv);
+- kref_get(&priv_new->rx_kref);
+ return priv_new;
+ }
+ j1939_priv_set(ndev, priv);
--- /dev/null
+From b504a884f6b5a77dac7d580ffa08e482f70d1a30 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Mon, 6 Sep 2021 17:42:19 +0800
+Subject: can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit b504a884f6b5a77dac7d580ffa08e482f70d1a30 upstream.
+
+When the session state is J1939_SESSION_DONE, j1939_tp_rxtimer() will
+give an alert "rx timeout, send abort", but do nothing actually. Move
+the alert into session active judgment condition, it is more
+reasonable.
+
+One of the scenarios is that j1939_tp_rxtimer() execute followed by
+j1939_xtp_rx_abort_one(). After j1939_xtp_rx_abort_one(), the session
+state is J1939_SESSION_DONE, then j1939_tp_rxtimer() give an alert.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/20210906094219.95924-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1230,12 +1230,11 @@ static enum hrtimer_restart j1939_tp_rxt
+ session->err = -ETIME;
+ j1939_session_deactivate(session);
+ } else {
+- netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n",
+- __func__, session);
+-
+ j1939_session_list_lock(session->priv);
+ if (session->state >= J1939_SESSION_ACTIVE &&
+ session->state < J1939_SESSION_ACTIVE_MAX) {
++ netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n",
++ __func__, session);
+ j1939_session_get(session);
+ hrtimer_start(&session->rxtimer,
+ ms_to_ktime(J1939_XTP_ABORT_TIMEOUT_MS),
--- /dev/null
+From 379743985ab6cfe2cbd32067cf4ed497baca6d06 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Thu, 30 Sep 2021 11:33:20 +0800
+Subject: can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit 379743985ab6cfe2cbd32067cf4ed497baca6d06 upstream.
+
+According to SAE-J1939-21, the data length of TP.DT must be 8 bytes, so
+cancel session when receive unexpected TP.DT message.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/1632972800-45091-1-git-send-email-zhangchangzhong@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1770,6 +1770,7 @@ static void j1939_xtp_rx_dpo(struct j193
+ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ struct sk_buff *skb)
+ {
++ enum j1939_xtp_abort abort = J1939_XTP_ABORT_FAULT;
+ struct j1939_priv *priv = session->priv;
+ struct j1939_sk_buff_cb *skcb;
+ struct sk_buff *se_skb = NULL;
+@@ -1784,9 +1785,11 @@ static void j1939_xtp_rx_dat_one(struct
+
+ skcb = j1939_skb_to_cb(skb);
+ dat = skb->data;
+- if (skb->len <= 1)
++ if (skb->len != 8) {
+ /* makes no sense */
++ abort = J1939_XTP_ABORT_UNEXPECTED_DATA;
+ goto out_session_cancel;
++ }
+
+ switch (session->last_cmd) {
+ case 0xff:
+@@ -1884,7 +1887,7 @@ static void j1939_xtp_rx_dat_one(struct
+ out_session_cancel:
+ kfree_skb(se_skb);
+ j1939_session_timers_cancel(session);
+- j1939_session_cancel(session, J1939_XTP_ABORT_FAULT);
++ j1939_session_cancel(session, abort);
+ j1939_session_put(session);
+ }
+
--- /dev/null
+From a4fbe70c5cb746441d56b28cf88161d9e0e25378 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Thu, 14 Oct 2021 17:26:40 +0800
+Subject: can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit a4fbe70c5cb746441d56b28cf88161d9e0e25378 upstream.
+
+The receiver should abort TP if 'total message size' in TP.CM_RTS and
+TP.CM_BAM is less than 9 or greater than 1785 [1], but currently the
+j1939 stack only checks the upper bound and the receiver will accept
+the following broadcast message:
+
+ vcan1 18ECFF00 [8] 20 08 00 02 FF 00 23 01
+ vcan1 18EBFF00 [8] 01 00 00 00 00 00 00 00
+ vcan1 18EBFF00 [8] 02 00 FF FF FF FF FF FF
+
+This patch adds check for the lower bound and abort illegal TP.
+
+[1] SAE-J1939-82 A.3.4 Row 2 and A.3.6 Row 6.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/1634203601-3460-1-git-send-email-zhangchangzhong@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h | 1 +
+ net/can/j1939/transport.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -326,6 +326,7 @@ int j1939_session_activate(struct j1939_
+ void j1939_tp_schedule_txtimer(struct j1939_session *session, int msec);
+ void j1939_session_timers_cancel(struct j1939_session *session);
+
++#define J1939_MIN_TP_PACKET_SIZE 9
+ #define J1939_MAX_TP_PACKET_SIZE (7 * 0xff)
+ #define J1939_MAX_ETP_PACKET_SIZE (7 * 0x00ffffff)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1596,6 +1596,8 @@ j1939_session *j1939_xtp_rx_rts_session_
+ abort = J1939_XTP_ABORT_FAULT;
+ else if (len > priv->tp_max_packet_size)
+ abort = J1939_XTP_ABORT_RESOURCE;
++ else if (len < J1939_MIN_TP_PACKET_SIZE)
++ abort = J1939_XTP_ABORT_FAULT;
+ }
+
+ if (abort != J1939_XTP_NO_ABORT) {
--- /dev/null
+From 949fe9b35570361bc6ee2652f89a0561b26eec98 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Thu, 14 Oct 2021 06:28:33 +0000
+Subject: can: peak_pci: peak_pci_remove(): fix UAF
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream.
+
+When remove the module peek_pci, referencing 'chan' again after
+releasing 'dev' will cause UAF.
+
+Fix this by releasing 'dev' later.
+
+The following log reveals it:
+
+[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
+[ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
+[ 35.965513 ] Call Trace:
+[ 35.965718 ] dump_stack_lvl+0xa8/0xd1
+[ 35.966028 ] print_address_description+0x87/0x3b0
+[ 35.966420 ] kasan_report+0x172/0x1c0
+[ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170
+[ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[ 35.967945 ] __asan_report_load8_noabort+0x14/0x20
+[ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci]
+[ 35.968752 ] pci_device_remove+0xa9/0x250
+
+Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards")
+Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/sja1000/peak_pci.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/sja1000/peak_pci.c
++++ b/drivers/net/can/sja1000/peak_pci.c
+@@ -731,16 +731,15 @@ static void peak_pci_remove(struct pci_d
+ struct net_device *prev_dev = chan->prev_dev;
+
+ dev_info(&pdev->dev, "removing device %s\n", dev->name);
++ /* do that only for first channel */
++ if (!prev_dev && chan->pciec_card)
++ peak_pciec_remove(chan->pciec_card);
+ unregister_sja1000dev(dev);
+ free_sja1000dev(dev);
+ dev = prev_dev;
+
+- if (!dev) {
+- /* do that only for first channel */
+- if (chan->pciec_card)
+- peak_pciec_remove(chan->pciec_card);
++ if (!dev)
+ break;
+- }
+ priv = netdev_priv(dev);
+ chan = priv->priv;
+ }
--- /dev/null
+From 3d031abc7e7249573148871180c28ecedb5e27df Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Wed, 29 Sep 2021 16:21:10 +0200
+Subject: can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit 3d031abc7e7249573148871180c28ecedb5e27df upstream.
+
+This corrects the lack of notification of a return to ERROR_ACTIVE
+state for USB - CANFD devices from PEAK-System.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -551,11 +551,10 @@ static int pcan_usb_fd_decode_status(str
+ } else if (sm->channel_p_w_b & PUCAN_BUS_WARNING) {
+ new_state = CAN_STATE_ERROR_WARNING;
+ } else {
+- /* no error bit (so, no error skb, back to active state) */
+- dev->can.state = CAN_STATE_ERROR_ACTIVE;
++ /* back to (or still in) ERROR_ACTIVE state */
++ new_state = CAN_STATE_ERROR_ACTIVE;
+ pdev->bec.txerr = 0;
+ pdev->bec.rxerr = 0;
+- return 0;
+ }
+
+ /* state hasn't changed */
--- /dev/null
+From f7c05c3987dcfde9a4e8c2d533db013fabebca0d Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 24 Sep 2021 16:55:56 +0900
+Subject: can: rcar_can: fix suspend/resume
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream.
+
+If the driver was not opened, rcar_can_suspend() should not call
+clk_disable() because the clock was not enabled.
+
+Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
+Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Ayumi Nakamichi <ayumi.nakamichi.kf@renesas.com>
+Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_can.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_can.c
++++ b/drivers/net/can/rcar/rcar_can.c
+@@ -846,10 +846,12 @@ static int __maybe_unused rcar_can_suspe
+ struct rcar_can_priv *priv = netdev_priv(ndev);
+ u16 ctlr;
+
+- if (netif_running(ndev)) {
+- netif_stop_queue(ndev);
+- netif_device_detach(ndev);
+- }
++ if (!netif_running(ndev))
++ return 0;
++
++ netif_stop_queue(ndev);
++ netif_device_detach(ndev);
++
+ ctlr = readw(&priv->regs->ctlr);
+ ctlr |= RCAR_CAN_CTLR_CANM_HALT;
+ writew(ctlr, &priv->regs->ctlr);
+@@ -868,6 +870,9 @@ static int __maybe_unused rcar_can_resum
+ u16 ctlr;
+ int err;
+
++ if (!netif_running(ndev))
++ return 0;
++
+ err = clk_enable(priv->clk);
+ if (err) {
+ netdev_err(ndev, "clk_enable() failed, error %d\n", err);
+@@ -881,10 +886,9 @@ static int __maybe_unused rcar_can_resum
+ writew(ctlr, &priv->regs->ctlr);
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
+
+- if (netif_running(ndev)) {
+- netif_device_attach(ndev);
+- netif_start_queue(ndev);
+- }
++ netif_device_attach(ndev);
++ netif_start_queue(ndev);
++
+ return 0;
+ }
+
--- /dev/null
+From 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 7 Oct 2021 14:19:49 -0400
+Subject: ceph: fix handling of "meta" errors
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 upstream.
+
+Currently, we check the wb_err too early for directories, before all of
+the unsafe child requests have been waited on. In order to fix that we
+need to check the mapping->wb_err later nearer to the end of ceph_fsync.
+
+We also have an overly-complex method for tracking errors after
+blocklisting. The errors recorded in cleanup_session_requests go to a
+completely separate field in the inode, but we end up reporting them the
+same way we would for any other error (in fsync).
+
+There's no real benefit to tracking these errors in two different
+places, since the only reporting mechanism for them is in fsync, and
+we'd need to advance them both every time.
+
+Given that, we can just remove i_meta_err, and convert the places that
+used it to instead just use mapping->wb_err instead. That also fixes
+the original problem by ensuring that we do a check_and_advance of the
+wb_err at the end of the fsync op.
+
+Cc: stable@vger.kernel.org
+URL: https://tracker.ceph.com/issues/52864
+Reported-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/caps.c | 12 +++---------
+ fs/ceph/file.c | 1 -
+ fs/ceph/inode.c | 2 --
+ fs/ceph/mds_client.c | 17 +++++------------
+ fs/ceph/super.h | 3 ---
+ 5 files changed, 8 insertions(+), 27 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -2334,7 +2334,6 @@ static int unsafe_request_wait(struct in
+
+ int ceph_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+ {
+- struct ceph_file_info *fi = file->private_data;
+ struct inode *inode = file->f_mapping->host;
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ u64 flush_tid;
+@@ -2369,14 +2368,9 @@ int ceph_fsync(struct file *file, loff_t
+ if (err < 0)
+ ret = err;
+
+- if (errseq_check(&ci->i_meta_err, READ_ONCE(fi->meta_err))) {
+- spin_lock(&file->f_lock);
+- err = errseq_check_and_advance(&ci->i_meta_err,
+- &fi->meta_err);
+- spin_unlock(&file->f_lock);
+- if (err < 0)
+- ret = err;
+- }
++ err = file_check_and_advance_wb_err(file);
++ if (err < 0)
++ ret = err;
+ out:
+ dout("fsync %p%s result=%d\n", inode, datasync ? " datasync" : "", ret);
+ return ret;
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -233,7 +233,6 @@ static int ceph_init_file_info(struct in
+
+ spin_lock_init(&fi->rw_contexts_lock);
+ INIT_LIST_HEAD(&fi->rw_contexts);
+- fi->meta_err = errseq_sample(&ci->i_meta_err);
+ fi->filp_gen = READ_ONCE(ceph_inode_to_client(inode)->filp_gen);
+
+ return 0;
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -529,8 +529,6 @@ struct inode *ceph_alloc_inode(struct su
+
+ ceph_fscache_inode_init(ci);
+
+- ci->i_meta_err = 0;
+-
+ return &ci->vfs_inode;
+ }
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -1481,7 +1481,6 @@ static void cleanup_session_requests(str
+ {
+ struct ceph_mds_request *req;
+ struct rb_node *p;
+- struct ceph_inode_info *ci;
+
+ dout("cleanup_session_requests mds%d\n", session->s_mds);
+ mutex_lock(&mdsc->mutex);
+@@ -1490,16 +1489,10 @@ static void cleanup_session_requests(str
+ struct ceph_mds_request, r_unsafe_item);
+ pr_warn_ratelimited(" dropping unsafe request %llu\n",
+ req->r_tid);
+- if (req->r_target_inode) {
+- /* dropping unsafe change of inode's attributes */
+- ci = ceph_inode(req->r_target_inode);
+- errseq_set(&ci->i_meta_err, -EIO);
+- }
+- if (req->r_unsafe_dir) {
+- /* dropping unsafe directory operation */
+- ci = ceph_inode(req->r_unsafe_dir);
+- errseq_set(&ci->i_meta_err, -EIO);
+- }
++ if (req->r_target_inode)
++ mapping_set_error(req->r_target_inode->i_mapping, -EIO);
++ if (req->r_unsafe_dir)
++ mapping_set_error(req->r_unsafe_dir->i_mapping, -EIO);
+ __unregister_request(mdsc, req);
+ }
+ /* zero r_attempts, so kick_requests() will re-send requests */
+@@ -1668,7 +1661,7 @@ static int remove_session_caps_cb(struct
+ spin_unlock(&mdsc->cap_dirty_lock);
+
+ if (dirty_dropped) {
+- errseq_set(&ci->i_meta_err, -EIO);
++ mapping_set_error(inode->i_mapping, -EIO);
+
+ if (ci->i_wrbuffer_ref_head == 0 &&
+ ci->i_wr_ref == 0 &&
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -430,8 +430,6 @@ struct ceph_inode_info {
+ struct fscache_cookie *fscache;
+ u32 i_fscache_gen;
+ #endif
+- errseq_t i_meta_err;
+-
+ struct inode vfs_inode; /* at end */
+ };
+
+@@ -773,7 +771,6 @@ struct ceph_file_info {
+ spinlock_t rw_contexts_lock;
+ struct list_head rw_contexts;
+
+- errseq_t meta_err;
+ u32 filp_gen;
+ atomic_t num_locks;
+ };
--- /dev/null
+From 98d0a6fb7303a6f4a120b8b8ed05b86ff5db53e8 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 30 Sep 2021 08:33:13 -0400
+Subject: ceph: skip existing superblocks that are blocklisted or shut down when mounting
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 98d0a6fb7303a6f4a120b8b8ed05b86ff5db53e8 upstream.
+
+Currently when mounting, we may end up finding an existing superblock
+that corresponds to a blocklisted MDS client. This means that the new
+mount ends up being unusable.
+
+If we've found an existing superblock with a client that is already
+blocklisted, and the client is not configured to recover on its own,
+fail the match. Ditto if the superblock has been forcibly unmounted.
+
+While we're in here, also rename "other" to the more conventional "fsc".
+
+Cc: stable@vger.kernel.org
+URL: https://bugzilla.redhat.com/show_bug.cgi?id=1901499
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -997,16 +997,16 @@ static int ceph_compare_super(struct sup
+ struct ceph_fs_client *new = fc->s_fs_info;
+ struct ceph_mount_options *fsopt = new->mount_options;
+ struct ceph_options *opt = new->client->options;
+- struct ceph_fs_client *other = ceph_sb_to_client(sb);
++ struct ceph_fs_client *fsc = ceph_sb_to_client(sb);
+
+ dout("ceph_compare_super %p\n", sb);
+
+- if (compare_mount_options(fsopt, opt, other)) {
++ if (compare_mount_options(fsopt, opt, fsc)) {
+ dout("monitor(s)/mount options don't match\n");
+ return 0;
+ }
+ if ((opt->flags & CEPH_OPT_FSID) &&
+- ceph_fsid_compare(&opt->fsid, &other->client->fsid)) {
++ ceph_fsid_compare(&opt->fsid, &fsc->client->fsid)) {
+ dout("fsid doesn't match\n");
+ return 0;
+ }
+@@ -1014,6 +1014,17 @@ static int ceph_compare_super(struct sup
+ dout("flags differ\n");
+ return 0;
+ }
++
++ if (fsc->blocklisted && !ceph_test_mount_opt(fsc, CLEANRECOVER)) {
++ dout("client is blocklisted (and CLEANRECOVER is not set)\n");
++ return 0;
++ }
++
++ if (fsc->mount_state == CEPH_MOUNT_SHUTDOWN) {
++ dout("client has been forcibly unmounted\n");
++ return 0;
++ }
++
+ return 1;
+ }
+
--- /dev/null
+From b0e901280d9860a0a35055f220e8e457f300f40a Mon Sep 17 00:00:00 2001
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Date: Mon, 18 Oct 2021 15:16:09 -0700
+Subject: elfcore: correct reference to CONFIG_UML
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+commit b0e901280d9860a0a35055f220e8e457f300f40a upstream.
+
+Commit 6e7b64b9dd6d ("elfcore: fix building with clang") introduces
+special handling for two architectures, ia64 and User Mode Linux.
+However, the wrong name, i.e., CONFIG_UM, for the intended Kconfig
+symbol for User-Mode Linux was used.
+
+Although the directory for User Mode Linux is ./arch/um; the Kconfig
+symbol for this architecture is called CONFIG_UML.
+
+Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs:
+
+ UM
+ Referencing files: include/linux/elfcore.h
+ Similar symbols: UML, NUMA
+
+Correct the name of the config to the intended one.
+
+[akpm@linux-foundation.org: fix um/x86_64, per Catalin]
+ Link: https://lkml.kernel.org/r/20211006181119.2851441-1-catalin.marinas@arm.com
+ Link: https://lkml.kernel.org/r/YV6pejGzLy5ppEpt@arm.com
+
+Link: https://lkml.kernel.org/r/20211006082209.417-1-lukas.bulwahn@gmail.com
+Fixes: 6e7b64b9dd6d ("elfcore: fix building with clang")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Barret Rhoden <brho@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/elfcore.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/elfcore.h
++++ b/include/linux/elfcore.h
+@@ -104,7 +104,7 @@ static inline int elf_core_copy_task_fpr
+ #endif
+ }
+
+-#if defined(CONFIG_UM) || defined(CONFIG_IA64)
++#if (defined(CONFIG_UML) && defined(CONFIG_X86_32)) || defined(CONFIG_IA64)
+ /*
+ * These functions parameterize elf_core_dump in fs/binfmt_elf.c to write out
+ * extra segments containing the gate DSO contents. Dumping its
--- /dev/null
+From 342afce10d6f61c443c95e244f812d4766f73f53 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Sat, 16 Oct 2021 14:24:14 +0800
+Subject: net: dsa: mt7530: correct ds->num_ports
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+commit 342afce10d6f61c443c95e244f812d4766f73f53 upstream.
+
+Setting ds->num_ports to DSA_MAX_PORTS made DSA core allocate unnecessary
+dsa_port's and call mt7530_port_disable for non-existent ports.
+
+Set it to MT7530_NUM_PORTS to fix that, and dsa_is_user_port check in
+port_enable/disable is no longer required.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -981,9 +981,6 @@ mt7530_port_enable(struct dsa_switch *ds
+ {
+ struct mt7530_priv *priv = ds->priv;
+
+- if (!dsa_is_user_port(ds, port))
+- return 0;
+-
+ mutex_lock(&priv->reg_mutex);
+
+ /* Allow the user port gets connected to the cpu port and also
+@@ -1006,9 +1003,6 @@ mt7530_port_disable(struct dsa_switch *d
+ {
+ struct mt7530_priv *priv = ds->priv;
+
+- if (!dsa_is_user_port(ds, port))
+- return;
+-
+ mutex_lock(&priv->reg_mutex);
+
+ /* Clear up all port matrix which could be restored in the next
+@@ -2593,7 +2587,7 @@ mt7530_probe(struct mdio_device *mdiodev
+ return -ENOMEM;
+
+ priv->ds->dev = &mdiodev->dev;
+- priv->ds->num_ports = DSA_MAX_PORTS;
++ priv->ds->num_ports = MT7530_NUM_PORTS;
+
+ /* Use medatek,mcm property to distinguish hardware type that would
+ * casues a little bit differences on power-on sequence.
--- /dev/null
+From 5314454ea3ff6fc746eaf71b9a7ceebed52888fa Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 18 Oct 2021 15:15:39 -0700
+Subject: ocfs2: fix data corruption after conversion from inline format
+
+From: Jan Kara <jack@suse.cz>
+
+commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream.
+
+Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in
+block_write_full_page()") uncovered a latent bug in ocfs2 conversion
+from inline inode format to a normal inode format.
+
+The code in ocfs2_convert_inline_data_to_extents() attempts to zero out
+the whole cluster allocated for file data by grabbing, zeroing, and
+dirtying all pages covering this cluster. However these pages are
+beyond i_size, thus writeback code generally ignores these dirty pages
+and no blocks were ever actually zeroed on the disk.
+
+This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero
+pages past i_size.") for standard ocfs2 write path, inline conversion
+path was apparently forgotten; the commit log also has a reasoning why
+the zeroing actually is not needed.
+
+After commit 6dbf7bb55598, things became worse as writeback code stopped
+invalidating buffers on pages beyond i_size and thus these pages end up
+with clean PageDirty bit but with buffers attached to these pages being
+still dirty. So when a file is converted from inline format, then
+writeback triggers, and then the file is grown so that these pages
+become valid, the invalid dirtiness state is preserved,
+mark_buffer_dirty() does nothing on these pages (buffers are already
+dirty) but page is never written back because it is clean. So data
+written to these pages is lost once pages are reclaimed.
+
+Simple reproducer for the problem is:
+
+ xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \
+ -c "pwrite 4000 2000" ocfs2_file
+
+After unmounting and mounting the fs again, you can observe that end of
+'ocfs2_file' has lost its contents.
+
+Fix the problem by not doing the pointless zeroing during conversion
+from inline format similarly as in the standard write path.
+
+[akpm@linux-foundation.org: fix whitespace, per Joseph]
+
+Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz
+Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Acked-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: "Markov, Andrey" <Markov.Andrey@Dell.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/alloc.c | 46 ++++++++++++----------------------------------
+ 1 file changed, 12 insertions(+), 34 deletions(-)
+
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -7047,7 +7047,7 @@ void ocfs2_set_inode_data_inline(struct
+ int ocfs2_convert_inline_data_to_extents(struct inode *inode,
+ struct buffer_head *di_bh)
+ {
+- int ret, i, has_data, num_pages = 0;
++ int ret, has_data, num_pages = 0;
+ int need_free = 0;
+ u32 bit_off, num;
+ handle_t *handle;
+@@ -7056,26 +7056,17 @@ int ocfs2_convert_inline_data_to_extents
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+ struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+ struct ocfs2_alloc_context *data_ac = NULL;
+- struct page **pages = NULL;
+- loff_t end = osb->s_clustersize;
++ struct page *page = NULL;
+ struct ocfs2_extent_tree et;
+ int did_quota = 0;
+
+ has_data = i_size_read(inode) ? 1 : 0;
+
+ if (has_data) {
+- pages = kcalloc(ocfs2_pages_per_cluster(osb->sb),
+- sizeof(struct page *), GFP_NOFS);
+- if (pages == NULL) {
+- ret = -ENOMEM;
+- mlog_errno(ret);
+- return ret;
+- }
+-
+ ret = ocfs2_reserve_clusters(osb, 1, &data_ac);
+ if (ret) {
+ mlog_errno(ret);
+- goto free_pages;
++ goto out;
+ }
+ }
+
+@@ -7095,7 +7086,8 @@ int ocfs2_convert_inline_data_to_extents
+ }
+
+ if (has_data) {
+- unsigned int page_end;
++ unsigned int page_end = min_t(unsigned, PAGE_SIZE,
++ osb->s_clustersize);
+ u64 phys;
+
+ ret = dquot_alloc_space_nodirty(inode,
+@@ -7119,15 +7111,8 @@ int ocfs2_convert_inline_data_to_extents
+ */
+ block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off);
+
+- /*
+- * Non sparse file systems zero on extend, so no need
+- * to do that now.
+- */
+- if (!ocfs2_sparse_alloc(osb) &&
+- PAGE_SIZE < osb->s_clustersize)
+- end = PAGE_SIZE;
+-
+- ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages);
++ ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page,
++ &num_pages);
+ if (ret) {
+ mlog_errno(ret);
+ need_free = 1;
+@@ -7138,20 +7123,15 @@ int ocfs2_convert_inline_data_to_extents
+ * This should populate the 1st page for us and mark
+ * it up to date.
+ */
+- ret = ocfs2_read_inline_data(inode, pages[0], di_bh);
++ ret = ocfs2_read_inline_data(inode, page, di_bh);
+ if (ret) {
+ mlog_errno(ret);
+ need_free = 1;
+ goto out_unlock;
+ }
+
+- page_end = PAGE_SIZE;
+- if (PAGE_SIZE > osb->s_clustersize)
+- page_end = osb->s_clustersize;
+-
+- for (i = 0; i < num_pages; i++)
+- ocfs2_map_and_dirty_page(inode, handle, 0, page_end,
+- pages[i], i > 0, &phys);
++ ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0,
++ &phys);
+ }
+
+ spin_lock(&oi->ip_lock);
+@@ -7182,8 +7162,8 @@ int ocfs2_convert_inline_data_to_extents
+ }
+
+ out_unlock:
+- if (pages)
+- ocfs2_unlock_and_free_pages(pages, num_pages);
++ if (page)
++ ocfs2_unlock_and_free_pages(&page, num_pages);
+
+ out_commit:
+ if (ret < 0 && did_quota)
+@@ -7207,8 +7187,6 @@ out_commit:
+ out:
+ if (data_ac)
+ ocfs2_free_alloc_context(data_ac);
+-free_pages:
+- kfree(pages);
+ return ret;
+ }
+
--- /dev/null
+From b15fa9224e6e1239414525d8d556d824701849fc Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Mon, 18 Oct 2021 15:15:42 -0700
+Subject: ocfs2: mount fails with buffer overflow in strlen
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+commit b15fa9224e6e1239414525d8d556d824701849fc upstream.
+
+Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an
+ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the
+trace below. Problem seems to be that strings for cluster stack and
+cluster name are not guaranteed to be null terminated in the disk
+representation, while strlcpy assumes that the source string is always
+null terminated. This causes a read outside of the source string
+triggering the buffer overflow detection.
+
+ detected buffer overflow in strlen
+ ------------[ cut here ]------------
+ kernel BUG at lib/string.c:1149!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
+ Debian 5.14.6-2
+ RIP: 0010:fortify_panic+0xf/0x11
+ ...
+ Call Trace:
+ ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
+ ocfs2_fill_super+0x359/0x19b0 [ocfs2]
+ mount_bdev+0x185/0x1b0
+ legacy_get_tree+0x27/0x40
+ vfs_get_tree+0x25/0xb0
+ path_mount+0x454/0xa20
+ __x64_sys_mount+0x103/0x140
+ do_syscall_64+0x3b/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2171,11 +2171,17 @@ static int ocfs2_initialize_super(struct
+ }
+
+ if (ocfs2_clusterinfo_valid(osb)) {
++ /*
++ * ci_stack and ci_cluster in ocfs2_cluster_info may not be null
++ * terminated, so make sure no overflow happens here by using
++ * memcpy. Destination strings will always be null terminated
++ * because osb is allocated using kzalloc.
++ */
+ osb->osb_stackflags =
+ OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
+- strlcpy(osb->osb_cluster_stack,
++ memcpy(osb->osb_cluster_stack,
+ OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
+- OCFS2_STACK_LABEL_LEN + 1);
++ OCFS2_STACK_LABEL_LEN);
+ if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
+ mlog(ML_ERROR,
+ "couldn't mount because of an invalid "
+@@ -2184,9 +2190,9 @@ static int ocfs2_initialize_super(struct
+ status = -EINVAL;
+ goto bail;
+ }
+- strlcpy(osb->osb_cluster_name,
++ memcpy(osb->osb_cluster_name,
+ OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
+- OCFS2_CLUSTER_NAME_LEN + 1);
++ OCFS2_CLUSTER_NAME_LEN);
+ } else {
+ /* The empty string is identical with classic tools that
+ * don't know about s_cluster_info. */
ice-add-missing-e810-device-ids.patch
drm-panel-ilitek-ili9881c-fix-sync-for-feixin-k101-i.patch
net-enetc-fix-ethtool-counter-name-for-pm0_terr.patch
+can-rcar_can-fix-suspend-resume.patch
+can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
+can-peak_pci-peak_pci_remove-fix-uaf.patch
+can-isotp-isotp_sendmsg-fix-return-error-on-fc-timeout-on-tx-path.patch
+can-isotp-isotp_sendmsg-add-result-check-for-wait_event_interruptible.patch
+can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch
+can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch
+can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch
+can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch
+ceph-skip-existing-superblocks-that-are-blocklisted-or-shut-down-when-mounting.patch
+ceph-fix-handling-of-meta-errors.patch
+ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
+ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
+userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap.patch
+elfcore-correct-reference-to-config_uml.patch
+vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
+alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
+alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch
+asoc-dapm-fix-missing-kctl-change-notifications.patch
+audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch
+net-dsa-mt7530-correct-ds-num_ports.patch
--- /dev/null
+From cb185d5f1ebf900f4ae3bf84cee212e6dd035aca Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 18 Oct 2021 15:15:25 -0700
+Subject: userfaultfd: fix a race between writeprotect and exit_mmap()
+
+From: Nadav Amit <namit@vmware.com>
+
+commit cb185d5f1ebf900f4ae3bf84cee212e6dd035aca upstream.
+
+A race is possible when a process exits, its VMAs are removed by
+exit_mmap() and at the same time userfaultfd_writeprotect() is called.
+
+The race was detected by KASAN on a development kernel, but it appears
+to be possible on vanilla kernels as well.
+
+Use mmget_not_zero() to prevent the race as done in other userfaultfd
+operations.
+
+Link: https://lkml.kernel.org/r/20210921200247.25749-1-namit@vmware.com
+Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Tested-by: Li Wang <liwang@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/userfaultfd.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1794,9 +1794,15 @@ static int userfaultfd_writeprotect(stru
+ if (mode_wp && mode_dontwake)
+ return -EINVAL;
+
+- ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
+- uffdio_wp.range.len, mode_wp,
+- &ctx->mmap_changing);
++ if (mmget_not_zero(ctx->mm)) {
++ ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
++ uffdio_wp.range.len, mode_wp,
++ &ctx->mmap_changing);
++ mmput(ctx->mm);
++ } else {
++ return -ESRCH;
++ }
++
+ if (ret)
+ return ret;
+
--- /dev/null
+From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Mon, 18 Oct 2021 15:16:12 -0700
+Subject: vfs: check fd has read access in kernel_read_file_from_fd()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream.
+
+If we open a file without read access and then pass the fd to a syscall
+whose implementation calls kernel_read_file_from_fd(), we get a warning
+from __kernel_read():
+
+ if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
+
+This currently affects both finit_module() and kexec_file_load(), but it
+could affect other syscalls in the future.
+
+Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
+Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/kernel_read_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/kernel_read_file.c
++++ b/fs/kernel_read_file.c
+@@ -178,7 +178,7 @@ int kernel_read_file_from_fd(int fd, lof
+ struct fd f = fdget(fd);
+ int ret = -EBADF;
+
+- if (!f.file)
++ if (!f.file || !(f.file->f_mode & FMODE_READ))
+ goto out;
+
+ ret = kernel_read_file(f.file, offset, buf, buf_size, file_size, id);
projects / thirdparty / kernel / stable-queue.git / commitdiff
