5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Oct 2021 11:47:17 +0000 (13:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Oct 2021 11:47:17 +0000 (13:47 +0200)
added patches:
alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch
alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
asoc-dapm-fix-missing-kctl-change-notifications.patch
audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch
can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch
can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch
can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch
can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch
can-peak_pci-peak_pci_remove-fix-uaf.patch
can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
can-rcar_can-fix-suspend-resume.patch
ceph-fix-handling-of-meta-errors.patch
elfcore-correct-reference-to-config_uml.patch
ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch

17 files changed:
queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch [new file with mode: 0644]
queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch [new file with mode: 0644]
queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch [new file with mode: 0644]
queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch [new file with mode: 0644]
queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch [new file with mode: 0644]
queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch [new file with mode: 0644]
queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch [new file with mode: 0644]
queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch [new file with mode: 0644]
queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch [new file with mode: 0644]
queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch [new file with mode: 0644]
queue-5.4/can-rcar_can-fix-suspend-resume.patch [new file with mode: 0644]
queue-5.4/ceph-fix-handling-of-meta-errors.patch [new file with mode: 0644]
queue-5.4/elfcore-correct-reference-to-config_uml.patch [new file with mode: 0644]
queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch [new file with mode: 0644]
queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch
new file mode 100644 (file)
index 0000000..c7b0570
--- /dev/null
@@ -0,0 +1,31 @@
+From aef454b40288158b850aab13e3d2a8c406779401 Mon Sep 17 00:00:00 2001
+From: Steven Clarkson <sc@lambdal.com>
+Date: Thu, 14 Oct 2021 06:35:54 -0700
+Subject: ALSA: hda/realtek: Add quirk for Clevo PC50HS
+
+From: Steven Clarkson <sc@lambdal.com>
+
+commit aef454b40288158b850aab13e3d2a8c406779401 upstream.
+
+Apply existing PCI quirk to the Clevo PC50HS and related models to fix
+audio output on the built in speakers.
+
+Signed-off-by: Steven Clarkson <sc@lambdal.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211014133554.1326741-1-sc@lambdal.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2537,6 +2537,7 @@ static const struct snd_pci_quirk alc882
+       SND_PCI_QUIRK(0x1558, 0x65d2, "Clevo PB51R[CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++      SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
diff --git a/queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch b/queue-5.4/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
new file mode 100644 (file)
index 0000000..7fbf0a9
--- /dev/null
@@ -0,0 +1,67 @@
+From 3c414eb65c294719a91a746260085363413f91c1 Mon Sep 17 00:00:00 2001
+From: Brendan Grieve <brendan@grieve.com.au>
+Date: Fri, 15 Oct 2021 10:53:35 +0800
+Subject: ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
+
+From: Brendan Grieve <brendan@grieve.com.au>
+
+commit 3c414eb65c294719a91a746260085363413f91c1 upstream.
+
+As per discussion at: https://github.com/szszoke/sennheiser-gsp670-pulseaudio-profile/issues/13
+
+The GSP670 has 2 playback and 1 recording device that by default are
+detected in an incompatible order for alsa. This may have been done to make
+it compatible for the console by the manufacturer and only affects the
+latest firmware which uses its own ID.
+
+This quirk will resolve this by reordering the channels.
+
+Signed-off-by: Brendan Grieve <brendan@grieve.com.au>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211015025335.196592-1-brendan@grieve.com.au
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks-table.h |   32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3806,5 +3806,37 @@ ALC1220_VB_DESKTOP(0x26ce, 0x0a01), /* A
+               }
+       }
+ },
++{
++      /*
++       * Sennheiser GSP670
++       * Change order of interfaces loaded
++       */
++      USB_DEVICE(0x1395, 0x0300),
++      .bInterfaceClass = USB_CLASS_PER_INTERFACE,
++      .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++              .ifnum = QUIRK_ANY_INTERFACE,
++              .type = QUIRK_COMPOSITE,
++              .data = &(const struct snd_usb_audio_quirk[]) {
++                      // Communication
++                      {
++                              .ifnum = 3,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      // Recording
++                      {
++                              .ifnum = 4,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      // Main
++                      {
++                              .ifnum = 1,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      {
++                              .ifnum = -1
++                      }
++              }
++      }
++},
+ #undef USB_DEVICE_VENDOR_SPEC
diff --git a/queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch b/queue-5.4/asoc-dapm-fix-missing-kctl-change-notifications.patch
new file mode 100644 (file)
index 0000000..285edd0
--- /dev/null
@@ -0,0 +1,81 @@
+From 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 6 Oct 2021 16:17:12 +0200
+Subject: ASoC: DAPM: Fix missing kctl change notifications
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 upstream.
+
+The put callback of a kcontrol is supposed to return 1 when the value
+is changed, and this will be notified to user-space.  However, some
+DAPM kcontrols always return 0 (except for errors), hence the
+user-space misses the update of a control value.
+
+This patch corrects the behavior by properly returning 1 when the
+value gets updated.
+
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20211006141712.2439-1-tiwai@suse.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2546,6 +2546,7 @@ static int snd_soc_dapm_set_pin(struct s
+                               const char *pin, int status)
+ {
+       struct snd_soc_dapm_widget *w = dapm_find_widget(dapm, pin, true);
++      int ret = 0;
+       dapm_assert_locked(dapm);
+@@ -2558,13 +2559,14 @@ static int snd_soc_dapm_set_pin(struct s
+               dapm_mark_dirty(w, "pin configuration");
+               dapm_widget_invalidate_input_paths(w);
+               dapm_widget_invalidate_output_paths(w);
++              ret = 1;
+       }
+       w->connected = status;
+       if (status == 0)
+               w->force = 0;
+-      return 0;
++      return ret;
+ }
+ /**
+@@ -3580,14 +3582,15 @@ int snd_soc_dapm_put_pin_switch(struct s
+ {
+       struct snd_soc_card *card = snd_kcontrol_chip(kcontrol);
+       const char *pin = (const char *)kcontrol->private_value;
++      int ret;
+       if (ucontrol->value.integer.value[0])
+-              snd_soc_dapm_enable_pin(&card->dapm, pin);
++              ret = snd_soc_dapm_enable_pin(&card->dapm, pin);
+       else
+-              snd_soc_dapm_disable_pin(&card->dapm, pin);
++              ret = snd_soc_dapm_disable_pin(&card->dapm, pin);
+       snd_soc_dapm_sync(&card->dapm);
+-      return 0;
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_dapm_put_pin_switch);
+@@ -4029,7 +4032,7 @@ static int snd_soc_dapm_dai_link_put(str
+       rtd->params_select = ucontrol->value.enumerated.item[0];
+-      return 0;
++      return 1;
+ }
+ static void
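Review bot: snd_soc_dapm_set_pin now returns a meaningful value (`ret` is 0 or 1 depending on whether the status block at +2559 ran, and snd_soc_dapm_put_pin_switch forwards it straight to ALSA core as the kcontrol put result), but the function carries no comment stating that contract, and the lines between the two hunks that may produce a negative error are not shown. A short comment above it would make the new meaning explicit: `/* Returns 1 if the pin's connected status changed, 0 if it was already in the requested state; callers pass this on as the kcontrol "changed" result. */`, extended with the error case if the unshown lines return one. The same contract applies to the unconditional `return 1;` in snd_soc_dapm_dai_link_put, whose early part is outside the hunk; if it does not already return 0 when the selected item is unchanged, a no-op write would now notify user-space.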
diff --git a/queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch b/queue-5.4/audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch
new file mode 100644 (file)
index 0000000..c09bda1
--- /dev/null
@@ -0,0 +1,35 @@
+From 6e3ee990c90494561921c756481d0e2125d8b895 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Sat, 16 Oct 2021 15:23:50 +0800
+Subject: audit: fix possible null-pointer dereference in audit_filter_rules
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 6e3ee990c90494561921c756481d0e2125d8b895 upstream.
+
+Fix  possible null-pointer dereference in audit_filter_rules.
+
+audit_filter_rules() error: we previously assumed 'ctx' could be null
+
+Cc: stable@vger.kernel.org
+Fixes: bf361231c295 ("audit: add saddr_fam filter field")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -624,7 +624,7 @@ static int audit_filter_rules(struct tas
+                       result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
+                       break;
+               case AUDIT_SADDR_FAM:
+-                      if (ctx->sockaddr)
++                      if (ctx && ctx->sockaddr)
+                               result = audit_comparator(ctx->sockaddr->ss_family,
+                                                         f->op, f->val);
+                       break;
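Review bot: The guard `if (ctx && ctx->sockaddr)` covers only the AUDIT_SADDR_FAM arm; the other arms of this switch in audit_filter_rules that dereference ctx are outside the hunk, so it is worth confirming they carry the same NULL check, since the checker report quoted in the commit message says ctx can be NULL on this path. A brief comment at the new test would also help the next reader: `/* ctx may be NULL here (see Fixes: tag); never dereference it unguarded */` — the callers that pass NULL are not visible, so that wording is deliberately general. audit_filter_rules starts and ends outside the hunk.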
diff --git a/queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch b/queue-5.4/can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch
new file mode 100644 (file)
index 0000000..4c4487f
--- /dev/null
@@ -0,0 +1,79 @@
+From d9d52a3ebd284882f5562c88e55991add5d01586 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Sun, 26 Sep 2021 18:47:57 +0800
+Subject: can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit d9d52a3ebd284882f5562c88e55991add5d01586 upstream.
+
+It will trigger UAF for rx_kref of j1939_priv as following.
+
+        cpu0                                    cpu1
+j1939_sk_bind(socket0, ndev0, ...)
+j1939_netdev_start
+                                        j1939_sk_bind(socket1, ndev0, ...)
+                                        j1939_netdev_start
+j1939_priv_set
+                                        j1939_priv_get_by_ndev_locked
+j1939_jsk_add
+.....
+j1939_netdev_stop
+kref_put_lock(&priv->rx_kref, ...)
+                                        kref_get(&priv->rx_kref, ...)
+                                        REFCOUNT_WARN("addition on 0;...")
+
+====================================================
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
+RIP: 0010:refcount_warn_saturate+0x169/0x1e0
+Call Trace:
+ j1939_netdev_start+0x68b/0x920
+ j1939_sk_bind+0x426/0xeb0
+ ? security_socket_bind+0x83/0xb0
+
+The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
+protect.
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/main.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -249,11 +249,14 @@ struct j1939_priv *j1939_netdev_start(st
+       struct j1939_priv *priv, *priv_new;
+       int ret;
+-      priv = j1939_priv_get_by_ndev(ndev);
++      spin_lock(&j1939_netdev_lock);
++      priv = j1939_priv_get_by_ndev_locked(ndev);
+       if (priv) {
+               kref_get(&priv->rx_kref);
++              spin_unlock(&j1939_netdev_lock);
+               return priv;
+       }
++      spin_unlock(&j1939_netdev_lock);
+       priv = j1939_priv_create(ndev);
+       if (!priv)
+@@ -269,10 +272,10 @@ struct j1939_priv *j1939_netdev_start(st
+               /* Someone was faster than us, use their priv and roll
+                * back our's.
+                */
++              kref_get(&priv_new->rx_kref);
+               spin_unlock(&j1939_netdev_lock);
+               dev_put(ndev);
+               kfree(priv);
+-              kref_get(&priv_new->rx_kref);
+               return priv_new;
+       }
+       j1939_priv_set(ndev, priv);
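Review bot: Both `kref_get(&priv->rx_kref)` calls (+253 and the one moved above spin_unlock at +275) now sit under j1939_netdev_lock, but nothing in the code says why that placement matters; the reason — per the commit message, the paired drop in j1939_netdev_stop is a kref_put_lock under the same lock — is subtle enough that a later cleanup could move the get back outside the critical section and reintroduce the refcount-on-zero race. A comment at the first get, `/* rx_kref is dropped under j1939_netdev_lock (kref_put_lock in j1939_netdev_stop); getting it outside the lock races with the 0 -> free transition */`, pins that invariant, and the second hunk can reference it. The reference semantics of j1939_priv_get_by_ndev_locked are not visible here; if it already returns a held kref, the comment should distinguish that from rx_kref. j1939_netdev_start continues outside both hunks.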
diff --git a/queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch b/queue-5.4/can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch
new file mode 100644 (file)
index 0000000..ada71ba
--- /dev/null
@@ -0,0 +1,46 @@
+From b504a884f6b5a77dac7d580ffa08e482f70d1a30 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Mon, 6 Sep 2021 17:42:19 +0800
+Subject: can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit b504a884f6b5a77dac7d580ffa08e482f70d1a30 upstream.
+
+When the session state is J1939_SESSION_DONE, j1939_tp_rxtimer() will
+give an alert "rx timeout, send abort", but do nothing actually. Move
+the alert into session active judgment condition, it is more
+reasonable.
+
+One of the scenarios is that j1939_tp_rxtimer() execute followed by
+j1939_xtp_rx_abort_one(). After j1939_xtp_rx_abort_one(), the session
+state is J1939_SESSION_DONE, then j1939_tp_rxtimer() give an alert.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/20210906094219.95924-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1230,12 +1230,11 @@ static enum hrtimer_restart j1939_tp_rxt
+               session->err = -ETIME;
+               j1939_session_deactivate(session);
+       } else {
+-              netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n",
+-                           __func__, session);
+-
+               j1939_session_list_lock(session->priv);
+               if (session->state >= J1939_SESSION_ACTIVE &&
+                   session->state < J1939_SESSION_ACTIVE_MAX) {
++                      netdev_alert(priv->ndev, "%s: 0x%p: rx timeout, send abort\n",
++                                   __func__, session);
+                       j1939_session_get(session);
+                       hrtimer_start(&session->rxtimer,
+                                     ms_to_ktime(J1939_XTP_ABORT_TIMEOUT_MS),
diff --git a/queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch b/queue-5.4/can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch
new file mode 100644 (file)
index 0000000..313cfb8
--- /dev/null
@@ -0,0 +1,55 @@
+From 379743985ab6cfe2cbd32067cf4ed497baca6d06 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Thu, 30 Sep 2021 11:33:20 +0800
+Subject: can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit 379743985ab6cfe2cbd32067cf4ed497baca6d06 upstream.
+
+According to SAE-J1939-21, the data length of TP.DT must be 8 bytes, so
+cancel session when receive unexpected TP.DT message.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/1632972800-45091-1-git-send-email-zhangchangzhong@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1770,6 +1770,7 @@ static void j1939_xtp_rx_dpo(struct j193
+ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+                                struct sk_buff *skb)
+ {
++      enum j1939_xtp_abort abort = J1939_XTP_ABORT_FAULT;
+       struct j1939_priv *priv = session->priv;
+       struct j1939_sk_buff_cb *skcb;
+       struct sk_buff *se_skb = NULL;
+@@ -1784,9 +1785,11 @@ static void j1939_xtp_rx_dat_one(struct
+       skcb = j1939_skb_to_cb(skb);
+       dat = skb->data;
+-      if (skb->len <= 1)
++      if (skb->len != 8) {
+               /* makes no sense */
++              abort = J1939_XTP_ABORT_UNEXPECTED_DATA;
+               goto out_session_cancel;
++      }
+       switch (session->last_cmd) {
+       case 0xff:
+@@ -1884,7 +1887,7 @@ static void j1939_xtp_rx_dat_one(struct
+  out_session_cancel:
+       kfree_skb(se_skb);
+       j1939_session_timers_cancel(session);
+-      j1939_session_cancel(session, J1939_XTP_ABORT_FAULT);
++      j1939_session_cancel(session, abort);
+       j1939_session_put(session);
+ }
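Review bot: The new check `if (skb->len != 8)` hard-codes the TP.DT frame size and keeps the old `/* makes no sense */` comment, which no longer explains the stricter rule; the sibling j1939 patch in this same queue adds named size constants to j1939-priv.h, so a constant here would follow the existing convention. Suggested (constructed name): `#define J1939_TP_DT_LEN 8 /* SAE J1939-21: TP.DT frames are always 8 bytes */` in j1939-priv.h and `if (skb->len != J1939_TP_DT_LEN) { /* SAE J1939-21: TP.DT must carry exactly 8 bytes */`, leaving the UNEXPECTED_DATA abort as is. The stricter bound also matters for the data copy below the hunk (not shown), which presumably reads up to offset 7 of dat[] and was previously reachable with frames of 2 to 7 bytes. j1939_xtp_rx_dat_one's body continues outside both hunks.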
diff --git a/queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch b/queue-5.4/can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch
new file mode 100644 (file)
index 0000000..2a35b64
--- /dev/null
@@ -0,0 +1,55 @@
+From a4fbe70c5cb746441d56b28cf88161d9e0e25378 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Thu, 14 Oct 2021 17:26:40 +0800
+Subject: can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit a4fbe70c5cb746441d56b28cf88161d9e0e25378 upstream.
+
+The receiver should abort TP if 'total message size' in TP.CM_RTS and
+TP.CM_BAM is less than 9 or greater than 1785 [1], but currently the
+j1939 stack only checks the upper bound and the receiver will accept
+the following broadcast message:
+
+  vcan1  18ECFF00   [8]  20 08 00 02 FF 00 23 01
+  vcan1  18EBFF00   [8]  01 00 00 00 00 00 00 00
+  vcan1  18EBFF00   [8]  02 00 FF FF FF FF FF FF
+
+This patch adds check for the lower bound and abort illegal TP.
+
+[1] SAE-J1939-82 A.3.4 Row 2 and A.3.6 Row 6.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/1634203601-3460-1-git-send-email-zhangchangzhong@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h |    1 +
+ net/can/j1939/transport.c  |    2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -326,6 +326,7 @@ int j1939_session_activate(struct j1939_
+ void j1939_tp_schedule_txtimer(struct j1939_session *session, int msec);
+ void j1939_session_timers_cancel(struct j1939_session *session);
++#define J1939_MIN_TP_PACKET_SIZE 9
+ #define J1939_MAX_TP_PACKET_SIZE (7 * 0xff)
+ #define J1939_MAX_ETP_PACKET_SIZE (7 * 0x00ffffff)
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1596,6 +1596,8 @@ j1939_session *j1939_xtp_rx_rts_session_
+                       abort = J1939_XTP_ABORT_FAULT;
+               else if (len > priv->tp_max_packet_size)
+                       abort = J1939_XTP_ABORT_RESOURCE;
++              else if (len < J1939_MIN_TP_PACKET_SIZE)
++                      abort = J1939_XTP_ABORT_FAULT;
+       }
+       if (abort != J1939_XTP_NO_ABORT) {
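Review bot: The new `#define J1939_MIN_TP_PACKET_SIZE 9` in j1939-priv.h carries no comment, while the commit message cites the exact spec rows; a one-liner next to it, `/* SAE-J1939-82 A.3.4 Row 2 / A.3.6 Row 6: TP.CM_RTS and TP.CM_BAM total size is 9..1785 bytes */`, keeps that provenance with the code rather than in git history. The enclosing `if` of the transport.c hunk is outside the view; the lower bound only applies to classic TP, so it matters that this `else if` sits in the non-ETP branch (ETP transfers are by definition larger than J1939_MAX_TP_PACKET_SIZE), which the hunk alone cannot confirm. j1939_xtp_rx_rts_session_new continues outside the hunk.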
diff --git a/queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch b/queue-5.4/can-peak_pci-peak_pci_remove-fix-uaf.patch
new file mode 100644 (file)
index 0000000..1c4fe3e
--- /dev/null
@@ -0,0 +1,62 @@
+From 949fe9b35570361bc6ee2652f89a0561b26eec98 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Thu, 14 Oct 2021 06:28:33 +0000
+Subject: can: peak_pci: peak_pci_remove(): fix UAF
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream.
+
+When remove the module peek_pci, referencing 'chan' again after
+releasing 'dev' will cause UAF.
+
+Fix this by releasing 'dev' later.
+
+The following log reveals it:
+
+[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
+[   35.965513 ] Call Trace:
+[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
+[   35.966028 ]  print_address_description+0x87/0x3b0
+[   35.966420 ]  kasan_report+0x172/0x1c0
+[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
+[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
+[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.968752 ]  pci_device_remove+0xa9/0x250
+
+Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards")
+Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/sja1000/peak_pci.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/sja1000/peak_pci.c
++++ b/drivers/net/can/sja1000/peak_pci.c
+@@ -731,16 +731,15 @@ static void peak_pci_remove(struct pci_d
+               struct net_device *prev_dev = chan->prev_dev;
+               dev_info(&pdev->dev, "removing device %s\n", dev->name);
++              /* do that only for first channel */
++              if (!prev_dev && chan->pciec_card)
++                      peak_pciec_remove(chan->pciec_card);
+               unregister_sja1000dev(dev);
+               free_sja1000dev(dev);
+               dev = prev_dev;
+-              if (!dev) {
+-                      /* do that only for first channel */
+-                      if (chan->pciec_card)
+-                              peak_pciec_remove(chan->pciec_card);
++              if (!dev)
+                       break;
+-              }
+               priv = netdev_priv(dev);
+               chan = priv->priv;
+       }
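Review bot: The moved block at +734 reads `chan->pciec_card` before `free_sja1000dev(dev)`, which is the whole fix, but the carried-over comment `/* do that only for first channel */` still describes the old condition and says nothing about the ordering constraint, so a later reshuffle could put it back below the free. Suggest `/* do that only for first channel, and before free_sja1000dev(): chan lives in dev's private data */` — the second half is inferred from `priv = netdev_priv(dev); chan = priv->priv;` at the loop tail, so confirm it against the driver's struct layout. peak_pci_remove's loop head is outside the hunk.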
diff --git a/queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch b/queue-5.4/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
new file mode 100644 (file)
index 0000000..2b73a01
--- /dev/null
@@ -0,0 +1,38 @@
+From 3d031abc7e7249573148871180c28ecedb5e27df Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Wed, 29 Sep 2021 16:21:10 +0200
+Subject: can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit 3d031abc7e7249573148871180c28ecedb5e27df upstream.
+
+This corrects the lack of notification of a return to ERROR_ACTIVE
+state for USB - CANFD devices from PEAK-System.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -551,11 +551,10 @@ static int pcan_usb_fd_decode_status(str
+       } else if (sm->channel_p_w_b & PUCAN_BUS_WARNING) {
+               new_state = CAN_STATE_ERROR_WARNING;
+       } else {
+-              /* no error bit (so, no error skb, back to active state) */
+-              dev->can.state = CAN_STATE_ERROR_ACTIVE;
++              /* back to (or still in) ERROR_ACTIVE state */
++              new_state = CAN_STATE_ERROR_ACTIVE;
+               pdev->bec.txerr = 0;
+               pdev->bec.rxerr = 0;
+-              return 0;
+       }
+       /* state hasn't changed */
diff --git a/queue-5.4/can-rcar_can-fix-suspend-resume.patch b/queue-5.4/can-rcar_can-fix-suspend-resume.patch
new file mode 100644 (file)
index 0000000..c3cf2e3
--- /dev/null
@@ -0,0 +1,68 @@
+From f7c05c3987dcfde9a4e8c2d533db013fabebca0d Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 24 Sep 2021 16:55:56 +0900
+Subject: can: rcar_can: fix suspend/resume
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream.
+
+If the driver was not opened, rcar_can_suspend() should not call
+clk_disable() because the clock was not enabled.
+
+Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
+Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Ayumi Nakamichi <ayumi.nakamichi.kf@renesas.com>
+Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_can.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_can.c
++++ b/drivers/net/can/rcar/rcar_can.c
+@@ -848,10 +848,12 @@ static int __maybe_unused rcar_can_suspe
+       struct rcar_can_priv *priv = netdev_priv(ndev);
+       u16 ctlr;
+-      if (netif_running(ndev)) {
+-              netif_stop_queue(ndev);
+-              netif_device_detach(ndev);
+-      }
++      if (!netif_running(ndev))
++              return 0;
++
++      netif_stop_queue(ndev);
++      netif_device_detach(ndev);
++
+       ctlr = readw(&priv->regs->ctlr);
+       ctlr |= RCAR_CAN_CTLR_CANM_HALT;
+       writew(ctlr, &priv->regs->ctlr);
+@@ -870,6 +872,9 @@ static int __maybe_unused rcar_can_resum
+       u16 ctlr;
+       int err;
++      if (!netif_running(ndev))
++              return 0;
++
+       err = clk_enable(priv->clk);
+       if (err) {
+               netdev_err(ndev, "clk_enable() failed, error %d\n", err);
+@@ -883,10 +888,9 @@ static int __maybe_unused rcar_can_resum
+       writew(ctlr, &priv->regs->ctlr);
+       priv->can.state = CAN_STATE_ERROR_ACTIVE;
+-      if (netif_running(ndev)) {
+-              netif_device_attach(ndev);
+-              netif_start_queue(ndev);
+-      }
++      netif_device_attach(ndev);
++      netif_start_queue(ndev);
++
+       return 0;
+ }
diff --git a/queue-5.4/ceph-fix-handling-of-meta-errors.patch b/queue-5.4/ceph-fix-handling-of-meta-errors.patch
new file mode 100644 (file)
index 0000000..767ddf7
--- /dev/null
@@ -0,0 +1,150 @@
+From 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 7 Oct 2021 14:19:49 -0400
+Subject: ceph: fix handling of "meta" errors
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 1bd85aa65d0e7b5e4d09240f492f37c569fdd431 upstream.
+
+Currently, we check the wb_err too early for directories, before all of
+the unsafe child requests have been waited on. In order to fix that we
+need to check the mapping->wb_err later nearer to the end of ceph_fsync.
+
+We also have an overly-complex method for tracking errors after
+blocklisting. The errors recorded in cleanup_session_requests go to a
+completely separate field in the inode, but we end up reporting them the
+same way we would for any other error (in fsync).
+
+There's no real benefit to tracking these errors in two different
+places, since the only reporting mechanism for them is in fsync, and
+we'd need to advance them both every time.
+
+Given that, we can just remove i_meta_err, and convert the places that
+used it to instead just use mapping->wb_err instead. That also fixes
+the original problem by ensuring that we do a check_and_advance of the
+wb_err at the end of the fsync op.
+
+Cc: stable@vger.kernel.org
+URL: https://tracker.ceph.com/issues/52864
+Reported-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/caps.c       |   12 +++---------
+ fs/ceph/file.c       |    1 -
+ fs/ceph/inode.c      |    2 --
+ fs/ceph/mds_client.c |   17 +++++------------
+ fs/ceph/super.h      |    3 ---
+ 5 files changed, 8 insertions(+), 27 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -2249,7 +2249,6 @@ static int unsafe_request_wait(struct in
+ int ceph_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+ {
+-      struct ceph_file_info *fi = file->private_data;
+       struct inode *inode = file->f_mapping->host;
+       struct ceph_inode_info *ci = ceph_inode(inode);
+       u64 flush_tid;
+@@ -2280,14 +2279,9 @@ int ceph_fsync(struct file *file, loff_t
+       if (err < 0)
+               ret = err;
+-      if (errseq_check(&ci->i_meta_err, READ_ONCE(fi->meta_err))) {
+-              spin_lock(&file->f_lock);
+-              err = errseq_check_and_advance(&ci->i_meta_err,
+-                                             &fi->meta_err);
+-              spin_unlock(&file->f_lock);
+-              if (err < 0)
+-                      ret = err;
+-      }
++      err = file_check_and_advance_wb_err(file);
++      if (err < 0)
++              ret = err;
+ out:
+       dout("fsync %p%s result=%d\n", inode, datasync ? " datasync" : "", ret);
+       return ret;
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -234,7 +234,6 @@ static int ceph_init_file_info(struct in
+       fi->fmode = fmode;
+       spin_lock_init(&fi->rw_contexts_lock);
+       INIT_LIST_HEAD(&fi->rw_contexts);
+-      fi->meta_err = errseq_sample(&ci->i_meta_err);
+       fi->filp_gen = READ_ONCE(ceph_inode_to_client(inode)->filp_gen);
+       return 0;
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -515,8 +515,6 @@ struct inode *ceph_alloc_inode(struct su
+       ceph_fscache_inode_init(ci);
+-      ci->i_meta_err = 0;
+-
+       return &ci->vfs_inode;
+ }
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -1272,7 +1272,6 @@ static void cleanup_session_requests(str
+ {
+       struct ceph_mds_request *req;
+       struct rb_node *p;
+-      struct ceph_inode_info *ci;
+       dout("cleanup_session_requests mds%d\n", session->s_mds);
+       mutex_lock(&mdsc->mutex);
+@@ -1281,16 +1280,10 @@ static void cleanup_session_requests(str
+                                      struct ceph_mds_request, r_unsafe_item);
+               pr_warn_ratelimited(" dropping unsafe request %llu\n",
+                                   req->r_tid);
+-              if (req->r_target_inode) {
+-                      /* dropping unsafe change of inode's attributes */
+-                      ci = ceph_inode(req->r_target_inode);
+-                      errseq_set(&ci->i_meta_err, -EIO);
+-              }
+-              if (req->r_unsafe_dir) {
+-                      /* dropping unsafe directory operation */
+-                      ci = ceph_inode(req->r_unsafe_dir);
+-                      errseq_set(&ci->i_meta_err, -EIO);
+-              }
++              if (req->r_target_inode)
++                      mapping_set_error(req->r_target_inode->i_mapping, -EIO);
++              if (req->r_unsafe_dir)
++                      mapping_set_error(req->r_unsafe_dir->i_mapping, -EIO);
+               __unregister_request(mdsc, req);
+       }
+       /* zero r_attempts, so kick_requests() will re-send requests */
+@@ -1436,7 +1429,7 @@ static int remove_session_caps_cb(struct
+               spin_unlock(&mdsc->cap_dirty_lock);
+               if (dirty_dropped) {
+-                      errseq_set(&ci->i_meta_err, -EIO);
++                      mapping_set_error(inode->i_mapping, -EIO);
+                       if (ci->i_wrbuffer_ref_head == 0 &&
+                           ci->i_wr_ref == 0 &&
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -402,8 +402,6 @@ struct ceph_inode_info {
+       struct fscache_cookie *fscache;
+       u32 i_fscache_gen;
+ #endif
+-      errseq_t i_meta_err;
+-
+       struct inode vfs_inode; /* at end */
+ };
+@@ -712,7 +710,6 @@ struct ceph_file_info {
+       spinlock_t rw_contexts_lock;
+       struct list_head rw_contexts;
+-      errseq_t meta_err;
+       u32 filp_gen;
+       atomic_t num_locks;
+ };
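Review bot: The rewritten loop body in cleanup_session_requests (`if (req->r_target_inode) mapping_set_error(...)` / `if (req->r_unsafe_dir) mapping_set_error(...)`) drops the two explanatory comments the old branches carried, so a reader no longer sees why one dropped request is reported as -EIO on two different mappings. I would keep them: `/* dropping unsafe change of inode's attributes */` above the r_target_inode case and `/* dropping unsafe directory operation */` above the r_unsafe_dir case. In the ceph_fsync hunk, the new `file_check_and_advance_wb_err(file)` call is now the only place these dropped-request errors surface, and its position near the end of the function (presumably after the unsafe-request wait, which is the point of the fix) deserves a one-line comment such as `/* must run after unsafe child requests are waited on: they record -EIO in mapping->wb_err */`. The bodies of cleanup_session_requests and ceph_fsync extend outside the quoted hunks.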
diff --git a/queue-5.4/elfcore-correct-reference-to-config_uml.patch b/queue-5.4/elfcore-correct-reference-to-config_uml.patch
new file mode 100644 (file)
index 0000000..368c25f
--- /dev/null
@@ -0,0 +1,56 @@
+From b0e901280d9860a0a35055f220e8e457f300f40a Mon Sep 17 00:00:00 2001
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Date: Mon, 18 Oct 2021 15:16:09 -0700
+Subject: elfcore: correct reference to CONFIG_UML
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+commit b0e901280d9860a0a35055f220e8e457f300f40a upstream.
+
+Commit 6e7b64b9dd6d ("elfcore: fix building with clang") introduces
+special handling for two architectures, ia64 and User Mode Linux.
+However, the wrong name, i.e., CONFIG_UM, for the intended Kconfig
+symbol for User-Mode Linux was used.
+
+Although the directory for User Mode Linux is ./arch/um; the Kconfig
+symbol for this architecture is called CONFIG_UML.
+
+Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs:
+
+  UM
+  Referencing files: include/linux/elfcore.h
+  Similar symbols: UML, NUMA
+
+Correct the name of the config to the intended one.
+
+[akpm@linux-foundation.org: fix um/x86_64, per Catalin]
+  Link: https://lkml.kernel.org/r/20211006181119.2851441-1-catalin.marinas@arm.com
+  Link: https://lkml.kernel.org/r/YV6pejGzLy5ppEpt@arm.com
+
+Link: https://lkml.kernel.org/r/20211006082209.417-1-lukas.bulwahn@gmail.com
+Fixes: 6e7b64b9dd6d ("elfcore: fix building with clang")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Barret Rhoden <brho@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/elfcore.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/elfcore.h
++++ b/include/linux/elfcore.h
+@@ -58,7 +58,7 @@ static inline int elf_core_copy_task_xfp
+ }
+ #endif
+-#if defined(CONFIG_UM) || defined(CONFIG_IA64)
++#if (defined(CONFIG_UML) && defined(CONFIG_X86_32)) || defined(CONFIG_IA64)
+ /*
+  * These functions parameterize elf_core_dump in fs/binfmt_elf.c to write out
+  * extra segments containing the gate DSO contents.  Dumping its
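Review bot: The new `#if` line qualifies the UML case with `CONFIG_X86_32`, but nothing in the header explains the qualifier; the only rationale is the bracketed "fix um/x86_64, per Catalin" line in the commit log. A one-line comment above the `#if` would save the next reader a trip through git history, e.g. `/* UML: the gate-DSO dump helpers below exist only for the 32-bit x86 subarch (see commit log) */` — hedged, because the helper definitions are not visible in this hunk. Because the old CONFIG_UM spelling could never be true, this is effectively the first time the UML branch is compiled since 6e7b64b9dd6d, so a build on both UML subarches is the check I would want before this lands.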
diff --git a/queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch b/queue-5.4/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
new file mode 100644 (file)
index 0000000..bf8882c
--- /dev/null
@@ -0,0 +1,179 @@
+From 5314454ea3ff6fc746eaf71b9a7ceebed52888fa Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 18 Oct 2021 15:15:39 -0700
+Subject: ocfs2: fix data corruption after conversion from inline format
+
+From: Jan Kara <jack@suse.cz>
+
+commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream.
+
+Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in
+block_write_full_page()") uncovered a latent bug in ocfs2 conversion
+from inline inode format to a normal inode format.
+
+The code in ocfs2_convert_inline_data_to_extents() attempts to zero out
+the whole cluster allocated for file data by grabbing, zeroing, and
+dirtying all pages covering this cluster.  However these pages are
+beyond i_size, thus writeback code generally ignores these dirty pages
+and no blocks were ever actually zeroed on the disk.
+
+This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero
+pages past i_size.") for standard ocfs2 write path, inline conversion
+path was apparently forgotten; the commit log also has a reasoning why
+the zeroing actually is not needed.
+
+After commit 6dbf7bb55598, things became worse as writeback code stopped
+invalidating buffers on pages beyond i_size and thus these pages end up
+with clean PageDirty bit but with buffers attached to these pages being
+still dirty.  So when a file is converted from inline format, then
+writeback triggers, and then the file is grown so that these pages
+become valid, the invalid dirtiness state is preserved,
+mark_buffer_dirty() does nothing on these pages (buffers are already
+dirty) but page is never written back because it is clean.  So data
+written to these pages is lost once pages are reclaimed.
+
+Simple reproducer for the problem is:
+
+  xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \
+    -c "pwrite 4000 2000" ocfs2_file
+
+After unmounting and mounting the fs again, you can observe that end of
+'ocfs2_file' has lost its contents.
+
+Fix the problem by not doing the pointless zeroing during conversion
+from inline format similarly as in the standard write path.
+
+[akpm@linux-foundation.org: fix whitespace, per Joseph]
+
+Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz
+Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Acked-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: "Markov, Andrey" <Markov.Andrey@Dell.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/alloc.c |   46 ++++++++++++----------------------------------
+ 1 file changed, 12 insertions(+), 34 deletions(-)
+
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -7048,7 +7048,7 @@ void ocfs2_set_inode_data_inline(struct
+ int ocfs2_convert_inline_data_to_extents(struct inode *inode,
+                                        struct buffer_head *di_bh)
+ {
+-      int ret, i, has_data, num_pages = 0;
++      int ret, has_data, num_pages = 0;
+       int need_free = 0;
+       u32 bit_off, num;
+       handle_t *handle;
+@@ -7057,26 +7057,17 @@ int ocfs2_convert_inline_data_to_extents
+       struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+       struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+       struct ocfs2_alloc_context *data_ac = NULL;
+-      struct page **pages = NULL;
+-      loff_t end = osb->s_clustersize;
++      struct page *page = NULL;
+       struct ocfs2_extent_tree et;
+       int did_quota = 0;
+       has_data = i_size_read(inode) ? 1 : 0;
+       if (has_data) {
+-              pages = kcalloc(ocfs2_pages_per_cluster(osb->sb),
+-                              sizeof(struct page *), GFP_NOFS);
+-              if (pages == NULL) {
+-                      ret = -ENOMEM;
+-                      mlog_errno(ret);
+-                      return ret;
+-              }
+-
+               ret = ocfs2_reserve_clusters(osb, 1, &data_ac);
+               if (ret) {
+                       mlog_errno(ret);
+-                      goto free_pages;
++                      goto out;
+               }
+       }
+@@ -7096,7 +7087,8 @@ int ocfs2_convert_inline_data_to_extents
+       }
+       if (has_data) {
+-              unsigned int page_end;
++              unsigned int page_end = min_t(unsigned, PAGE_SIZE,
++                                                      osb->s_clustersize);
+               u64 phys;
+               ret = dquot_alloc_space_nodirty(inode,
+@@ -7120,15 +7112,8 @@ int ocfs2_convert_inline_data_to_extents
+                */
+               block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off);
+-              /*
+-               * Non sparse file systems zero on extend, so no need
+-               * to do that now.
+-               */
+-              if (!ocfs2_sparse_alloc(osb) &&
+-                  PAGE_SIZE < osb->s_clustersize)
+-                      end = PAGE_SIZE;
+-
+-              ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages);
++              ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page,
++                                         &num_pages);
+               if (ret) {
+                       mlog_errno(ret);
+                       need_free = 1;
+@@ -7139,20 +7124,15 @@ int ocfs2_convert_inline_data_to_extents
+                * This should populate the 1st page for us and mark
+                * it up to date.
+                */
+-              ret = ocfs2_read_inline_data(inode, pages[0], di_bh);
++              ret = ocfs2_read_inline_data(inode, page, di_bh);
+               if (ret) {
+                       mlog_errno(ret);
+                       need_free = 1;
+                       goto out_unlock;
+               }
+-              page_end = PAGE_SIZE;
+-              if (PAGE_SIZE > osb->s_clustersize)
+-                      page_end = osb->s_clustersize;
+-
+-              for (i = 0; i < num_pages; i++)
+-                      ocfs2_map_and_dirty_page(inode, handle, 0, page_end,
+-                                               pages[i], i > 0, &phys);
++              ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0,
++                                       &phys);
+       }
+       spin_lock(&oi->ip_lock);
+@@ -7183,8 +7163,8 @@ int ocfs2_convert_inline_data_to_extents
+       }
+ out_unlock:
+-      if (pages)
+-              ocfs2_unlock_and_free_pages(pages, num_pages);
++      if (page)
++              ocfs2_unlock_and_free_pages(&page, num_pages);
+ out_commit:
+       if (ret < 0 && did_quota)
+@@ -7208,8 +7188,6 @@ out_commit:
+ out:
+       if (data_ac)
+               ocfs2_free_alloc_context(data_ac);
+-free_pages:
+-      kfree(pages);
+       return ret;
+ }
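Review bot: `ocfs2_unlock_and_free_pages(&page, num_pages)` at the out_unlock label treats the single `struct page *page` as a one-element array, so correctness depends on `ocfs2_grab_eof_pages()` never filling in more than one page for a range of `page_end` bytes, where `page_end` is clamped to `PAGE_SIZE` via `min_t()` earlier in the hunk. That invariant is implicit; I would state it where `page_end` is computed, e.g. `/* page_end <= PAGE_SIZE, so ocfs2_grab_eof_pages() returns at most one page and &page is a valid one-element array */`. The body of ocfs2_convert_inline_data_to_extents extends beyond the hunks shown and ocfs2_grab_eof_pages is not visible here, so I have not confirmed the at-most-one guarantee.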
diff --git a/queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/queue-5.4/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
new file mode 100644 (file)
index 0000000..5f4b0ce
--- /dev/null
@@ -0,0 +1,87 @@
+From b15fa9224e6e1239414525d8d556d824701849fc Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Mon, 18 Oct 2021 15:15:42 -0700
+Subject: ocfs2: mount fails with buffer overflow in strlen
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+commit b15fa9224e6e1239414525d8d556d824701849fc upstream.
+
+Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an
+ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the
+trace below.  Problem seems to be that strings for cluster stack and
+cluster name are not guaranteed to be null terminated in the disk
+representation, while strlcpy assumes that the source string is always
+null terminated.  This causes a read outside of the source string
+triggering the buffer overflow detection.
+
+  detected buffer overflow in strlen
+  ------------[ cut here ]------------
+  kernel BUG at lib/string.c:1149!
+  invalid opcode: 0000 [#1] SMP PTI
+  CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
+    Debian 5.14.6-2
+  RIP: 0010:fortify_panic+0xf/0x11
+  ...
+  Call Trace:
+   ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
+   ocfs2_fill_super+0x359/0x19b0 [ocfs2]
+   mount_bdev+0x185/0x1b0
+   legacy_get_tree+0x27/0x40
+   vfs_get_tree+0x25/0xb0
+   path_mount+0x454/0xa20
+   __x64_sys_mount+0x103/0x140
+   do_syscall_64+0x3b/0xc0
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2150,11 +2150,17 @@ static int ocfs2_initialize_super(struct
+       }
+       if (ocfs2_clusterinfo_valid(osb)) {
++              /*
++               * ci_stack and ci_cluster in ocfs2_cluster_info may not be null
++               * terminated, so make sure no overflow happens here by using
++               * memcpy. Destination strings will always be null terminated
++               * because osb is allocated using kzalloc.
++               */
+               osb->osb_stackflags =
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
+-              strlcpy(osb->osb_cluster_stack,
++              memcpy(osb->osb_cluster_stack,
+                      OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
+-                     OCFS2_STACK_LABEL_LEN + 1);
++                     OCFS2_STACK_LABEL_LEN);
+               if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
+                       mlog(ML_ERROR,
+                            "couldn't mount because of an invalid "
+@@ -2163,9 +2169,9 @@ static int ocfs2_initialize_super(struct
+                       status = -EINVAL;
+                       goto bail;
+               }
+-              strlcpy(osb->osb_cluster_name,
++              memcpy(osb->osb_cluster_name,
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
+-                      OCFS2_CLUSTER_NAME_LEN + 1);
++                      OCFS2_CLUSTER_NAME_LEN);
+       } else {
+               /* The empty string is identical with classic tools that
+                * don't know about s_cluster_info. */
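Review bot: The two `memcpy()` calls copy exactly `OCFS2_STACK_LABEL_LEN` and `OCFS2_CLUSTER_NAME_LEN` bytes and, as the new comment says, rely on `kzalloc` of `osb` for the terminating NUL; that makes termination a property of the allocator and of the destination arrays being one byte longer than the copy, neither of which is checked at this site. An explicit terminator after each copy removes the dependency: `osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';` and `osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';` (the old `strlcpy` size arguments of `LEN + 1` suggest the arrays are sized for it, but their declarations are outside the hunk). The following `strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN` validation of the on-disk value then stays meaningful regardless of how `osb` was obtained. ocfs2_initialize_super begins and ends outside the hunk.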
index e7053d54af16c5c4df8063656a99b6e6c469ba4e..50abfe36c1ff3ba8b183608db751ee42bb4fbc58 100644 (file)
@@ -16,3 +16,19 @@ net-hns3-add-limit-ets-dwrr-bandwidth-cannot-be-0.patch
 net-hns3-disable-sriov-before-unload-hclge-layer.patch
 net-stmmac-fix-e2e-delay-mechanism.patch
 net-enetc-fix-ethtool-counter-name-for-pm0_terr.patch
+can-rcar_can-fix-suspend-resume.patch
+can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
+can-peak_pci-peak_pci_remove-fix-uaf.patch
+can-j1939-j1939_tp_rxtimer-fix-errant-alert-in-j1939_tp_rxtimer.patch
+can-j1939-j1939_netdev_start-fix-uaf-for-rx_kref-of-j1939_priv.patch
+can-j1939-j1939_xtp_rx_dat_one-cancel-session-if-receive-tp.dt-with-error-length.patch
+can-j1939-j1939_xtp_rx_rts_session_new-abort-tp-less-than-9-bytes.patch
+ceph-fix-handling-of-meta-errors.patch
+ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
+ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
+elfcore-correct-reference-to-config_uml.patch
+vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
+alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
+alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch
+asoc-dapm-fix-missing-kctl-change-notifications.patch
+audit-fix-possible-null-pointer-dereference-in-audit_filter_rules.patch
diff --git a/queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/queue-5.4/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
new file mode 100644 (file)
index 0000000..6f71863
--- /dev/null
@@ -0,0 +1,45 @@
+From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Mon, 18 Oct 2021 15:16:12 -0700
+Subject: vfs: check fd has read access in kernel_read_file_from_fd()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream.
+
+If we open a file without read access and then pass the fd to a syscall
+whose implementation calls kernel_read_file_from_fd(), we get a warning
+from __kernel_read():
+
+        if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
+
+This currently affects both finit_module() and kexec_file_load(), but it
+could affect other syscalls in the future.
+
+Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
+Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -988,7 +988,7 @@ int kernel_read_file_from_fd(int fd, voi
+       struct fd f = fdget(fd);
+       int ret = -EBADF;
+-      if (!f.file)
++      if (!f.file || !(f.file->f_mode & FMODE_READ))
+               goto out;
+       ret = kernel_read_file(f.file, buf, size, max_size, id);