--- /dev/null
+From 22065e4214c1196b54fc164892c2e193a743caf3 Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Wed, 28 Jun 2023 17:54:34 +0200
+Subject: ALSA: hda/realtek: Add quirk for Clevo NPx0SNx
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit 22065e4214c1196b54fc164892c2e193a743caf3 upstream.
+
+This applies a SND_PCI_QUIRK(...) to the Clevo NPx0SNx barebones fixing the
+microphone not being detected on the headset combo port.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230628155434.584159-1-wse@tuxedocomputers.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9682,6 +9682,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x971d, "Clevo N970T[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0xa500, "Clevo NL5[03]RU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0xa600, "Clevo NL50NU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0xa650, "Clevo NP[567]0SN[CD]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
--- /dev/null
+From e94f1f96f108ba96c0ed8bf3fbdd8ee6a6703880 Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Mon, 26 Jun 2023 21:03:00 +0800
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit e94f1f96f108ba96c0ed8bf3fbdd8ee6a6703880 upstream.
+
+On HP EliteBook 835/845/845W G10, the audio LEDs can be enabled by
+ALC285_FIXUP_HP_MUTE_LED. So use it accordingly.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 3e10f6ca76c4 ("ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops")
+Link: https://lore.kernel.org/r/20230626130301.301712-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9490,9 +9490,9 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b63, "HP Elite Dragonfly 13.5 inch G4", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b65, "HP ProBook 455 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+- SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2),
+- SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2),
+- SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b77, "HP ElieBook 865 G10", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 89dbb335cb6a627a4067bc42caa09c8bc3326d40 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 6 Jul 2023 17:53:57 +0200
+Subject: ALSA: jack: Fix mutex call in snd_jack_report()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 upstream.
+
+snd_jack_report() is supposed to be callable from an IRQ context, too,
+and it's indeed used in that way from virtsnd driver. The fix for
+input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev
+under mutex"), however, introduced a mutex lock in snd_jack_report(),
+and this resulted in a potential sleep-in-atomic.
+
+For addressing that problem, this patch changes the relevant code to
+use the object get/put and removes the mutex usage. That is,
+snd_jack_report(), it takes input_get_device() and leaves with
+input_put_device() for assuring the input_dev being assigned.
+
+Although the whole mutex could be reduced, we keep it because it can
+be still a protection for potential races between creation and
+deletion.
+
+Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain
+Tested-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/jack.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -654,6 +654,7 @@ void snd_jack_report(struct snd_jack *ja
+ struct snd_jack_kctl *jack_kctl;
+ unsigned int mask_bits = 0;
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
++ struct input_dev *idev;
+ int i;
+ #endif
+
+@@ -670,17 +671,15 @@ void snd_jack_report(struct snd_jack *ja
+ status & jack_kctl->mask_bits);
+
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
+- mutex_lock(&jack->input_dev_lock);
+- if (!jack->input_dev) {
+- mutex_unlock(&jack->input_dev_lock);
++ idev = input_get_device(jack->input_dev);
++ if (!idev)
+ return;
+- }
+
+ for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
+ int testbit = ((SND_JACK_BTN_0 >> i) & ~mask_bits);
+
+ if (jack->type & testbit)
+- input_report_key(jack->input_dev, jack->key[i],
++ input_report_key(idev, jack->key[i],
+ status & testbit);
+ }
+
+@@ -688,13 +687,13 @@ void snd_jack_report(struct snd_jack *ja
+ int testbit = ((1 << i) & ~mask_bits);
+
+ if (jack->type & testbit)
+- input_report_switch(jack->input_dev,
++ input_report_switch(idev,
+ jack_switch_types[i],
+ status & testbit);
+ }
+
+- input_sync(jack->input_dev);
+- mutex_unlock(&jack->input_dev_lock);
++ input_sync(idev);
++ input_put_device(idev);
+ #endif /* CONFIG_SND_JACK_INPUT_DEV */
+ }
+ EXPORT_SYMBOL(snd_jack_report);
--- /dev/null
+From bd55842ed998a622ba6611fe59b3358c9f76773d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 3 Jul 2023 13:24:30 +0200
+Subject: ALSA: pcm: Fix potential data race at PCM memory allocation helpers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bd55842ed998a622ba6611fe59b3358c9f76773d upstream.
+
+The PCM memory allocation helpers have a sanity check against too many
+buffer allocations. However, the check is performed without a proper
+lock and the allocation isn't serialized; this allows user to allocate
+more memories than predefined max size.
+
+Practically seen, this isn't really a big problem, as it's more or
+less some "soft limit" as a sanity check, and it's not possible to
+allocate unlimitedly. But it's still better to address this for more
+consistent behavior.
+
+The patch covers the size check in do_alloc_pages() with the
+card->memory_mutex, and increases the allocated size there for
+preventing the further overflow. When the actual allocation fails,
+the size is decreased accordingly.
+
+Reported-by: BassCheck <bass@buaa.edu.cn>
+Reported-by: Tuo Li <islituo@gmail.com>
+Link: https://lore.kernel.org/r/CADm8Tek6t0WedK+3Y6rbE5YEt19tML8BUL45N2ji4ZAz1KcN_A@mail.gmail.com
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230703112430.30634-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_memory.c | 44 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+--- a/sound/core/pcm_memory.c
++++ b/sound/core/pcm_memory.c
+@@ -31,15 +31,41 @@ static unsigned long max_alloc_per_card
+ module_param(max_alloc_per_card, ulong, 0644);
+ MODULE_PARM_DESC(max_alloc_per_card, "Max total allocation bytes per card.");
+
++static void __update_allocated_size(struct snd_card *card, ssize_t bytes)
++{
++ card->total_pcm_alloc_bytes += bytes;
++}
++
++static void update_allocated_size(struct snd_card *card, ssize_t bytes)
++{
++ mutex_lock(&card->memory_mutex);
++ __update_allocated_size(card, bytes);
++ mutex_unlock(&card->memory_mutex);
++}
++
++static void decrease_allocated_size(struct snd_card *card, size_t bytes)
++{
++ mutex_lock(&card->memory_mutex);
++ WARN_ON(card->total_pcm_alloc_bytes < bytes);
++ __update_allocated_size(card, -(ssize_t)bytes);
++ mutex_unlock(&card->memory_mutex);
++}
++
+ static int do_alloc_pages(struct snd_card *card, int type, struct device *dev,
+ int str, size_t size, struct snd_dma_buffer *dmab)
+ {
+ enum dma_data_direction dir;
+ int err;
+
++ /* check and reserve the requested size */
++ mutex_lock(&card->memory_mutex);
+ if (max_alloc_per_card &&
+- card->total_pcm_alloc_bytes + size > max_alloc_per_card)
++ card->total_pcm_alloc_bytes + size > max_alloc_per_card) {
++ mutex_unlock(&card->memory_mutex);
+ return -ENOMEM;
++ }
++ __update_allocated_size(card, size);
++ mutex_unlock(&card->memory_mutex);
+
+ if (str == SNDRV_PCM_STREAM_PLAYBACK)
+ dir = DMA_TO_DEVICE;
+@@ -47,9 +73,14 @@ static int do_alloc_pages(struct snd_car
+ dir = DMA_FROM_DEVICE;
+ err = snd_dma_alloc_dir_pages(type, dev, dir, size, dmab);
+ if (!err) {
+- mutex_lock(&card->memory_mutex);
+- card->total_pcm_alloc_bytes += dmab->bytes;
+- mutex_unlock(&card->memory_mutex);
++ /* the actual allocation size might be bigger than requested,
++ * and we need to correct the account
++ */
++ if (dmab->bytes != size)
++ update_allocated_size(card, dmab->bytes - size);
++ } else {
++ /* take back on allocation failure */
++ decrease_allocated_size(card, size);
+ }
+ return err;
+ }
+@@ -58,10 +89,7 @@ static void do_free_pages(struct snd_car
+ {
+ if (!dmab->area)
+ return;
+- mutex_lock(&card->memory_mutex);
+- WARN_ON(card->total_pcm_alloc_bytes < dmab->bytes);
+- card->total_pcm_alloc_bytes -= dmab->bytes;
+- mutex_unlock(&card->memory_mutex);
++ decrease_allocated_size(card, dmab->bytes);
+ snd_dma_free_pages(dmab);
+ dmab->area = NULL;
+ }
--- /dev/null
+From ec6851ae0ab4587e610e260ddda75f92f3389f91 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 15 Apr 2023 00:50:32 -0700
+Subject: apparmor: fix: kzalloc perms tables for shared dfas
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit ec6851ae0ab4587e610e260ddda75f92f3389f91 upstream.
+
+Currently the permstables of the shared dfas are not shared, and need
+to be allocated and copied. In the future this should be addressed
+with a larger rework on dfa and pdb ref counts and structure sharing.
+
+BugLink: http://bugs.launchpad.net/bugs/2017903
+Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Reviewed-by: Jon Tourville <jontourville@me.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy.c | 13 +++++++++++++
+ security/apparmor/policy_unpack.c | 26 ++++++++++++++++++++++----
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -591,7 +591,15 @@ struct aa_profile *aa_alloc_null(struct
+ profile->label.flags |= FLAG_NULL;
+ rules = list_first_entry(&profile->rules, typeof(*rules), list);
+ rules->file.dfa = aa_get_dfa(nulldfa);
++ rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
++ if (!rules->file.perms)
++ goto fail;
++ rules->file.size = 2;
+ rules->policy.dfa = aa_get_dfa(nulldfa);
++ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
++ if (!rules->policy.perms)
++ goto fail;
++ rules->policy.size = 2;
+
+ if (parent) {
+ profile->path_flags = parent->path_flags;
+@@ -602,6 +610,11 @@ struct aa_profile *aa_alloc_null(struct
+ }
+
+ return profile;
++
++fail:
++ aa_free_profile(profile);
++
++ return NULL;
+ }
+
+ /**
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -988,9 +988,14 @@ static struct aa_profile *unpack_profile
+ info = "failed to remap policydb permission table";
+ goto fail;
+ }
+- } else
++ } else {
+ rules->policy.dfa = aa_get_dfa(nulldfa);
+-
++ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
++ GFP_KERNEL);
++ if (!rules->policy.perms)
++ goto fail;
++ rules->policy.size = 2;
++ }
+ /* get file rules */
+ error = unpack_pdb(e, &rules->file, false, true, &info);
+ if (error) {
+@@ -1005,9 +1010,22 @@ static struct aa_profile *unpack_profile
+ rules->policy.start[AA_CLASS_FILE]) {
+ rules->file.dfa = aa_get_dfa(rules->policy.dfa);
+ rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
+- } else
++ rules->file.perms = kcalloc(rules->policy.size,
++ sizeof(struct aa_perms),
++ GFP_KERNEL);
++ if (!rules->file.perms)
++ goto fail;
++ memcpy(rules->file.perms, rules->policy.perms,
++ rules->policy.size * sizeof(struct aa_perms));
++ rules->file.size = rules->policy.size;
++ } else {
+ rules->file.dfa = aa_get_dfa(nulldfa);
+-
++ rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
++ GFP_KERNEL);
++ if (!rules->file.perms)
++ goto fail;
++ rules->file.size = 2;
++ }
+ error = -EPROTO;
+ if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
+ info = "out of memory";
--- /dev/null
+From b6f3f28f604ba3de4724ad82bea6adb1300c0b5f Mon Sep 17 00:00:00 2001
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Wed, 21 Jun 2023 08:17:25 +1200
+Subject: block: add overflow checks for Amiga partition support
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream.
+
+The Amiga partition parser module uses signed int for partition sector
+address and count, which will overflow for disks larger than 1 TB.
+
+Use u64 as type for sector address and size to allow using disks up to
+2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD
+format allows to specify disk sizes up to 2^128 bytes (though native
+OS limitations reduce this somewhat, to max 2^68 bytes), so check for
+u64 overflow carefully to protect against overflowing sector_t.
+
+Bail out if sector addresses overflow 32 bits on kernels without LBD
+support.
+
+This bug was reported originally in 2012, and the fix was created by
+the RDB author, Joanne Dow <jdow@earthlink.net>. A patch had been
+discussed and reviewed on linux-m68k at that time but never officially
+submitted (now resubmitted as patch 1 in this series).
+This patch adds additional error checking and warning messages.
+
+Reported-by: Martin Steigerwald <Martin@lichtvoll.de>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Message-ID: <201206192146.09327.Martin@lichtvoll.de>
+Cc: <stable@vger.kernel.org> # 5.2
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Christoph Hellwig <hch@infradead.org>
+Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 85 insertions(+), 18 deletions(-)
+
+--- a/block/partitions/amiga.c
++++ b/block/partitions/amiga.c
+@@ -11,10 +11,18 @@
+ #define pr_fmt(fmt) fmt
+
+ #include <linux/types.h>
++#include <linux/mm_types.h>
++#include <linux/overflow.h>
+ #include <linux/affs_hardblocks.h>
+
+ #include "check.h"
+
++/* magic offsets in partition DosEnvVec */
++#define NR_HD 3
++#define NR_SECT 5
++#define LO_CYL 9
++#define HI_CYL 10
++
+ static __inline__ u32
+ checksum_block(__be32 *m, int size)
+ {
+@@ -31,9 +39,12 @@ int amiga_partition(struct parsed_partit
+ unsigned char *data;
+ struct RigidDiskBlock *rdb;
+ struct PartitionBlock *pb;
+- sector_t start_sect, nr_sects;
+- int blk, part, res = 0;
+- int blksize = 1; /* Multiplier for disk block size */
++ u64 start_sect, nr_sects;
++ sector_t blk, end_sect;
++ u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */
++ u32 nr_hd, nr_sect, lo_cyl, hi_cyl;
++ int part, res = 0;
++ unsigned int blksize = 1; /* Multiplier for disk block size */
+ int slot = 1;
+
+ for (blk = 0; ; blk++, put_dev_sector(sect)) {
+@@ -41,7 +52,7 @@ int amiga_partition(struct parsed_partit
+ goto rdb_done;
+ data = read_part_sector(state, blk, §);
+ if (!data) {
+- pr_err("Dev %s: unable to read RDB block %d\n",
++ pr_err("Dev %s: unable to read RDB block %llu\n",
+ state->disk->disk_name, blk);
+ res = -1;
+ goto rdb_done;
+@@ -58,12 +69,12 @@ int amiga_partition(struct parsed_partit
+ *(__be32 *)(data+0xdc) = 0;
+ if (checksum_block((__be32 *)data,
+ be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) {
+- pr_err("Trashed word at 0xd0 in block %d ignored in checksum calculation\n",
++ pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n",
+ blk);
+ break;
+ }
+
+- pr_err("Dev %s: RDB in block %d has bad checksum\n",
++ pr_err("Dev %s: RDB in block %llu has bad checksum\n",
+ state->disk->disk_name, blk);
+ }
+
+@@ -80,10 +91,15 @@ int amiga_partition(struct parsed_partit
+ blk = be32_to_cpu(rdb->rdb_PartitionList);
+ put_dev_sector(sect);
+ for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) {
+- blk *= blksize; /* Read in terms partition table understands */
++ /* Read in terms partition table understands */
++ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) {
++ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n",
++ state->disk->disk_name, blk, part);
++ break;
++ }
+ data = read_part_sector(state, blk, §);
+ if (!data) {
+- pr_err("Dev %s: unable to read partition block %d\n",
++ pr_err("Dev %s: unable to read partition block %llu\n",
+ state->disk->disk_name, blk);
+ res = -1;
+ goto rdb_done;
+@@ -95,19 +111,70 @@ int amiga_partition(struct parsed_partit
+ if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 )
+ continue;
+
+- /* Tell Kernel about it */
++ /* RDB gives us more than enough rope to hang ourselves with,
++ * many times over (2^128 bytes if all fields max out).
++ * Some careful checks are in order, so check for potential
++ * overflows.
++ * We are multiplying four 32 bit numbers to one sector_t!
++ */
++
++ nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]);
++ nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]);
++
++ /* CylBlocks is total number of blocks per cylinder */
++ if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) {
++ pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n",
++ state->disk->disk_name, cylblk);
++ continue;
++ }
++
++ /* check for consistency with RDB defined CylBlocks */
++ if (cylblk > be32_to_cpu(rdb->rdb_CylBlocks)) {
++ pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n",
++ state->disk->disk_name, cylblk,
++ be32_to_cpu(rdb->rdb_CylBlocks));
++ }
++
++ /* RDB allows for variable logical block size -
++ * normalize to 512 byte blocks and check result.
++ */
++
++ if (check_mul_overflow(cylblk, blksize, &cylblk)) {
++ pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n",
++ state->disk->disk_name, part);
++ continue;
++ }
++
++ /* Calculate partition start and end. Limit of 32 bit on cylblk
++ * guarantees no overflow occurs if LBD support is enabled.
++ */
++
++ lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]);
++ start_sect = ((u64) lo_cyl * cylblk);
++
++ hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]);
++ nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk);
+
+- nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 -
+- be32_to_cpu(pb->pb_Environment[9])) *
+- be32_to_cpu(pb->pb_Environment[3]) *
+- be32_to_cpu(pb->pb_Environment[5]) *
+- blksize;
+ if (!nr_sects)
+ continue;
+- start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) *
+- be32_to_cpu(pb->pb_Environment[3]) *
+- be32_to_cpu(pb->pb_Environment[5]) *
+- blksize;
++
++ /* Warn user if partition end overflows u32 (AmigaDOS limit) */
++
++ if ((start_sect + nr_sects) > UINT_MAX) {
++ pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n",
++ state->disk->disk_name, part,
++ start_sect, start_sect + nr_sects);
++ }
++
++ if (check_add_overflow(start_sect, nr_sects, &end_sect)) {
++ pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n",
++ state->disk->disk_name, part,
++ start_sect, end_sect);
++ continue;
++ }
++
++ /* Tell Kernel about it */
++
+ put_partition(state,slot++,start_sect,nr_sects);
+ {
+ /* Be even more informative to aid mounting */
--- /dev/null
+From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Wed, 21 Jun 2023 08:17:24 +1200
+Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream.
+
+The Amiga partition parser module uses signed int for partition sector
+address and count, which will overflow for disks larger than 1 TB.
+
+Use u64 as type for sector address and size to allow using disks up to
+2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD
+format allows to specify disk sizes up to 2^128 bytes (though native
+OS limitations reduce this somewhat, to max 2^68 bytes), so check for
+u64 overflow carefully to protect against overflowing sector_t.
+
+This bug was reported originally in 2012, and the fix was created by
+the RDB author, Joanne Dow <jdow@earthlink.net>. A patch had been
+discussed and reviewed on linux-m68k at that time but never officially
+submitted (now resubmitted as patch 1 of this series).
+
+Patch 3 (this series) adds additional error checking and warning
+messages. One of the error checks now makes use of the previously
+unused rdb_CylBlocks field, which causes a 'sparse' warning
+(cast to restricted __be32).
+
+Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the
+on-disk format of RDB and partition blocks is always big endian.
+
+Reported-by: Martin Steigerwald <Martin@lichtvoll.de>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Message-ID: <201206192146.09327.Martin@lichtvoll.de>
+Cc: <stable@vger.kernel.org> # 5.2
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+--- a/include/uapi/linux/affs_hardblocks.h
++++ b/include/uapi/linux/affs_hardblocks.h
+@@ -7,42 +7,42 @@
+ /* Just the needed definitions for the RDB of an Amiga HD. */
+
+ struct RigidDiskBlock {
+- __u32 rdb_ID;
++ __be32 rdb_ID;
+ __be32 rdb_SummedLongs;
+- __s32 rdb_ChkSum;
+- __u32 rdb_HostID;
++ __be32 rdb_ChkSum;
++ __be32 rdb_HostID;
+ __be32 rdb_BlockBytes;
+- __u32 rdb_Flags;
+- __u32 rdb_BadBlockList;
++ __be32 rdb_Flags;
++ __be32 rdb_BadBlockList;
+ __be32 rdb_PartitionList;
+- __u32 rdb_FileSysHeaderList;
+- __u32 rdb_DriveInit;
+- __u32 rdb_Reserved1[6];
+- __u32 rdb_Cylinders;
+- __u32 rdb_Sectors;
+- __u32 rdb_Heads;
+- __u32 rdb_Interleave;
+- __u32 rdb_Park;
+- __u32 rdb_Reserved2[3];
+- __u32 rdb_WritePreComp;
+- __u32 rdb_ReducedWrite;
+- __u32 rdb_StepRate;
+- __u32 rdb_Reserved3[5];
+- __u32 rdb_RDBBlocksLo;
+- __u32 rdb_RDBBlocksHi;
+- __u32 rdb_LoCylinder;
+- __u32 rdb_HiCylinder;
+- __u32 rdb_CylBlocks;
+- __u32 rdb_AutoParkSeconds;
+- __u32 rdb_HighRDSKBlock;
+- __u32 rdb_Reserved4;
++ __be32 rdb_FileSysHeaderList;
++ __be32 rdb_DriveInit;
++ __be32 rdb_Reserved1[6];
++ __be32 rdb_Cylinders;
++ __be32 rdb_Sectors;
++ __be32 rdb_Heads;
++ __be32 rdb_Interleave;
++ __be32 rdb_Park;
++ __be32 rdb_Reserved2[3];
++ __be32 rdb_WritePreComp;
++ __be32 rdb_ReducedWrite;
++ __be32 rdb_StepRate;
++ __be32 rdb_Reserved3[5];
++ __be32 rdb_RDBBlocksLo;
++ __be32 rdb_RDBBlocksHi;
++ __be32 rdb_LoCylinder;
++ __be32 rdb_HiCylinder;
++ __be32 rdb_CylBlocks;
++ __be32 rdb_AutoParkSeconds;
++ __be32 rdb_HighRDSKBlock;
++ __be32 rdb_Reserved4;
+ char rdb_DiskVendor[8];
+ char rdb_DiskProduct[16];
+ char rdb_DiskRevision[4];
+ char rdb_ControllerVendor[8];
+ char rdb_ControllerProduct[16];
+ char rdb_ControllerRevision[4];
+- __u32 rdb_Reserved5[10];
++ __be32 rdb_Reserved5[10];
+ };
+
+ #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */
+@@ -50,16 +50,16 @@ struct RigidDiskBlock {
+ struct PartitionBlock {
+ __be32 pb_ID;
+ __be32 pb_SummedLongs;
+- __s32 pb_ChkSum;
+- __u32 pb_HostID;
++ __be32 pb_ChkSum;
++ __be32 pb_HostID;
+ __be32 pb_Next;
+- __u32 pb_Flags;
+- __u32 pb_Reserved1[2];
+- __u32 pb_DevFlags;
++ __be32 pb_Flags;
++ __be32 pb_Reserved1[2];
++ __be32 pb_DevFlags;
+ __u8 pb_DriveName[32];
+- __u32 pb_Reserved2[15];
++ __be32 pb_Reserved2[15];
+ __be32 pb_Environment[17];
+- __u32 pb_EReserved[15];
++ __be32 pb_EReserved[15];
+ };
+
+ #define IDNAME_PARTITION 0x50415254 /* "PART" */
--- /dev/null
+From fc3d092c6bb48d5865fec15ed5b333c12f36288c Mon Sep 17 00:00:00 2001
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Wed, 21 Jun 2023 08:17:23 +1200
+Subject: block: fix signed int overflow in Amiga partition support
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream.
+
+The Amiga partition parser module uses signed int for partition sector
+address and count, which will overflow for disks larger than 1 TB.
+
+Use sector_t as type for sector address and size to allow using disks
+up to 2 TB without LBD support, and disks larger than 2 TB with LBD.
+
+This bug was reported originally in 2012, and the fix was created by
+the RDB author, Joanne Dow <jdow@earthlink.net>. A patch had been
+discussed and reviewed on linux-m68k at that time but never officially
+submitted. This patch differs from Joanne's patch only in its use of
+sector_t instead of unsigned int. No checking for overflows is done
+(see patch 3 of this series for that).
+
+Reported-by: Martin Steigerwald <Martin@lichtvoll.de>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Message-ID: <201206192146.09327.Martin@lichtvoll.de>
+Cc: <stable@vger.kernel.org> # 5.2
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Martin Steigerwald <Martin@lichtvoll.de>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/amiga.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/block/partitions/amiga.c
++++ b/block/partitions/amiga.c
+@@ -31,7 +31,8 @@ int amiga_partition(struct parsed_partit
+ unsigned char *data;
+ struct RigidDiskBlock *rdb;
+ struct PartitionBlock *pb;
+- int start_sect, nr_sects, blk, part, res = 0;
++ sector_t start_sect, nr_sects;
++ int blk, part, res = 0;
+ int blksize = 1; /* Multiplier for disk block size */
+ int slot = 1;
+
+@@ -96,14 +97,14 @@ int amiga_partition(struct parsed_partit
+
+ /* Tell Kernel about it */
+
+- nr_sects = (be32_to_cpu(pb->pb_Environment[10]) + 1 -
+- be32_to_cpu(pb->pb_Environment[9])) *
++ nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 -
++ be32_to_cpu(pb->pb_Environment[9])) *
+ be32_to_cpu(pb->pb_Environment[3]) *
+ be32_to_cpu(pb->pb_Environment[5]) *
+ blksize;
+ if (!nr_sects)
+ continue;
+- start_sect = be32_to_cpu(pb->pb_Environment[9]) *
++ start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) *
+ be32_to_cpu(pb->pb_Environment[3]) *
+ be32_to_cpu(pb->pb_Environment[5]) *
+ blksize;
--- /dev/null
+From b90ecc0379eb7bbe79337b0c7289390a98752646 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Wed, 7 Jun 2023 13:08:37 -0400
+Subject: block: increment diskseq on all media change events
+
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+
+commit b90ecc0379eb7bbe79337b0c7289390a98752646 upstream.
+
+Currently, associating a loop device with a different file descriptor
+does not increment its diskseq. This allows the following race
+condition:
+
+1. Program X opens a loop device
+2. Program X gets the diskseq of the loop device.
+3. Program X associates a file with the loop device.
+4. Program X passes the loop device major, minor, and diskseq to
+ something.
+5. Program X exits.
+6. Program Y detaches the file from the loop device.
+7. Program Y attaches a different file to the loop device.
+8. The opener finally gets around to opening the loop device and checks
+ that the diskseq is what it expects it to be. Even though the
+ diskseq is the expected value, the result is that the opener is
+ accessing the wrong file.
+
+From discussions with Christoph Hellwig, it appears that
+disk_force_media_change() was supposed to call inc_diskseq(), but in
+fact it does not. Adding a Fixes: tag to indicate this. Christoph's
+Reported-by is because he stated that disk_force_media_change()
+calls inc_diskseq(), which is what led me to discover that it should but
+does not.
+
+Reported-by: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
+Fixes: e6138dc12de9 ("block: add a helper to raise a media changed event")
+Cc: stable@vger.kernel.org # 5.15+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230607170837.1559-1-demi@invisiblethingslab.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/disk-events.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/disk-events.c
++++ b/block/disk-events.c
+@@ -307,6 +307,7 @@ bool disk_force_media_change(struct gend
+ if (!(events & DISK_EVENT_MEDIA_CHANGE))
+ return false;
+
++ inc_diskseq(disk);
+ if (__invalidate_device(disk->part0, true))
+ pr_warn("VFS: busy inodes on changed media %s\n",
+ disk->disk_name);
--- /dev/null
+From 39020d8abc7ec62c4de9b260e3d10d4a1c2478ce Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 8 Jun 2023 11:27:41 +0100
+Subject: btrfs: do not BUG_ON() on tree mod log failure at balance_level()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 39020d8abc7ec62c4de9b260e3d10d4a1c2478ce upstream.
+
+At balance_level(), instead of doing a BUG_ON() in case we fail to record
+tree mod log operations, do a transaction abort and return the error to
+the callers. There's really no need for the BUG_ON() as we can release
+all resources in this context, and we have to abort because other future
+tree searches that use the tree mod log (btrfs_search_old_slot()) may get
+inconsistent results if other operations modify the tree after that
+failure and before the tree mod log based search.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -1042,7 +1042,12 @@ static noinline int balance_level(struct
+ }
+
+ ret = btrfs_tree_mod_log_insert_root(root->node, child, true);
+- BUG_ON(ret < 0);
++ if (ret < 0) {
++ btrfs_tree_unlock(child);
++ free_extent_buffer(child);
++ btrfs_abort_transaction(trans, ret);
++ goto enospc;
++ }
+ rcu_assign_pointer(root->node, child);
+
+ add_root_to_dirty_list(root);
+@@ -1130,7 +1135,10 @@ static noinline int balance_level(struct
+ btrfs_node_key(right, &right_key, 0);
+ ret = btrfs_tree_mod_log_insert_key(parent, pslot + 1,
+ BTRFS_MOD_LOG_KEY_REPLACE);
+- BUG_ON(ret < 0);
++ if (ret < 0) {
++ btrfs_abort_transaction(trans, ret);
++ goto enospc;
++ }
+ btrfs_set_node_key(parent, &right_key, pslot + 1);
+ btrfs_mark_buffer_dirty(parent);
+ }
+@@ -1176,7 +1184,10 @@ static noinline int balance_level(struct
+ btrfs_node_key(mid, &mid_key, 0);
+ ret = btrfs_tree_mod_log_insert_key(parent, pslot,
+ BTRFS_MOD_LOG_KEY_REPLACE);
+- BUG_ON(ret < 0);
++ if (ret < 0) {
++ btrfs_abort_transaction(trans, ret);
++ goto enospc;
++ }
+ btrfs_set_node_key(parent, &mid_key, pslot);
+ btrfs_mark_buffer_dirty(parent);
+ }
--- /dev/null
+From babebf023e661b90b1c78b2baa384fb03a226879 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 19 Jun 2023 17:21:48 +0100
+Subject: btrfs: fix race when deleting free space root from the dirty cow roots list
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit babebf023e661b90b1c78b2baa384fb03a226879 upstream.
+
+When deleting the free space tree we are deleting the free space root
+from the list fs_info->dirty_cowonly_roots without taking the lock that
+protects it, which is struct btrfs_fs_info::trans_lock.
+This unsynchronized list manipulation may cause chaos if there's another
+concurrent manipulation of this list, such as when adding a root to it
+with ctree.c:add_root_to_dirty_list().
+
+This can result in all sorts of weird failures caused by a race, such as
+the following crash:
+
+ [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
+ [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
+ [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+ [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
+ [337571.279928] Code: 85 38 06 00 (...)
+ [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
+ [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
+ [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
+ [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
+ [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
+ [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
+ [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
+ [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
+ [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [337571.282874] Call Trace:
+ [337571.283101] <TASK>
+ [337571.283327] ? __die_body+0x1b/0x60
+ [337571.283570] ? die_addr+0x39/0x60
+ [337571.283796] ? exc_general_protection+0x22e/0x430
+ [337571.284022] ? asm_exc_general_protection+0x22/0x30
+ [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
+ [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
+ [337571.284803] ? _raw_spin_unlock+0x15/0x30
+ [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
+ [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
+ [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
+ [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
+ [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
+ [337571.286358] ? mod_objcg_state+0xd2/0x360
+ [337571.286577] ? refill_obj_stock+0xb0/0x160
+ [337571.286798] ? seq_release+0x25/0x30
+ [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
+ [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
+ [337571.287455] ? __x64_sys_ioctl+0x88/0xc0
+ [337571.287675] __x64_sys_ioctl+0x88/0xc0
+ [337571.287901] do_syscall_64+0x38/0x90
+ [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ [337571.288352] RIP: 0033:0x7f478aaffe9b
+
+So fix this by locking struct btrfs_fs_info::trans_lock before deleting
+the free space root from that list.
+
+Fixes: a5ed91828518 ("Btrfs: implement the free space B-tree")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/free-space-tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1280,7 +1280,10 @@ int btrfs_delete_free_space_tree(struct
+ goto abort;
+
+ btrfs_global_root_delete(free_space_root);
++
++ spin_lock(&fs_info->trans_lock);
+ list_del(&free_space_root->dirty_list);
++ spin_unlock(&fs_info->trans_lock);
+
+ btrfs_tree_lock(free_space_root->node);
+ btrfs_clear_buffer_dirty(trans, free_space_root->node);
--- /dev/null
+From 568898cbc8b570311b3b94a3202b8233f4168144 Mon Sep 17 00:00:00 2001
+From: Christian Loehle <CLoehle@hyperstone.com>
+Date: Thu, 25 May 2023 09:56:04 +0000
+Subject: mmc: block: ioctl: do write error check for spi
+
+From: Christian Loehle <CLoehle@hyperstone.com>
+
+commit 568898cbc8b570311b3b94a3202b8233f4168144 upstream.
+
+SPI doesn't have the usual PROG path we can check for error bits
+after moving back to TRAN. Instead it holds the line LOW until
+completion. We can then check if the card shows any errors or
+is in IDLE state, indicating the line is no longer LOW because
+the card was reset.
+
+Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/55920f880c9742f486f64aa44e25508e@hyperstone.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -178,6 +178,7 @@ static void mmc_blk_rw_rq_prep(struct mm
+ int recovery_mode,
+ struct mmc_queue *mq);
+ static void mmc_blk_hsq_req_done(struct mmc_request *mrq);
++static int mmc_spi_err_check(struct mmc_card *card);
+
+ static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk)
+ {
+@@ -608,6 +609,11 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp)
+ return 0;
+
++ if (mmc_host_is_spi(card->host)) {
++ if (idata->ic.write_flag || r1b_resp || cmd.flags & MMC_RSP_SPI_BUSY)
++ return mmc_spi_err_check(card);
++ return err;
++ }
+ /* Ensure RPMB/R1B command has completed by polling with CMD13. */
+ if (idata->rpmb || r1b_resp)
+ err = mmc_poll_for_busy(card, busy_timeout_ms, false,
dax-introduce-alloc_dev_dax_id.patch
dax-kmem-pass-valid-argument-to-memory_group_registe.patch
hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
+alsa-hda-realtek-enable-mute-micmute-leds-and-limit-mic-boost-on-elitebook.patch
+alsa-hda-realtek-add-quirk-for-clevo-npx0snx.patch
+alsa-jack-fix-mutex-call-in-snd_jack_report.patch
+alsa-pcm-fix-potential-data-race-at-pcm-memory-allocation-helpers.patch
+apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch
+block-fix-signed-int-overflow-in-amiga-partition-support.patch
+block-add-overflow-checks-for-amiga-partition-support.patch
+block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
+block-increment-diskseq-on-all-media-change-events.patch
+mmc-block-ioctl-do-write-error-check-for-spi.patch
+btrfs-fix-race-when-deleting-free-space-root-from-the-dirty-cow-roots-list.patch
+btrfs-do-not-bug_on-on-tree-mod-log-failure-at-balance_level.patch
+sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
kbuild-fix-cfi-failures-with-gcov.patch
kbuild-disable-gcov-for-.mod.o.patch
cxl-region-move-cache-invalidation-before-region-tea.patch
--- /dev/null
+From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001
+From: Ding Hui <dinghui@sangfor.com.cn>
+Date: Mon, 15 May 2023 10:13:07 +0800
+Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream.
+
+After the listener svc_sock is freed, and before invoking svc_tcp_accept()
+for the established child sock, there is a window that the newsock
+retaining a freed listener svc_sock in sk_user_data which cloning from
+parent. In the race window, if data is received on the newsock, we will
+observe use-after-free report in svc_tcp_listen_data_ready().
+
+Reproduce by two tasks:
+
+1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
+2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
+
+KASAN report:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ Read of size 8 at addr ffff888139d96228 by task nc/102553
+ CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
+ Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+ Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x33/0x50
+ print_address_description.constprop.0+0x27/0x310
+ print_report+0x3e/0x70
+ kasan_report+0xae/0xe0
+ svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ tcp_data_queue+0x9f4/0x20e0
+ tcp_rcv_established+0x666/0x1f60
+ tcp_v4_do_rcv+0x51c/0x850
+ tcp_v4_rcv+0x23fc/0x2e80
+ ip_protocol_deliver_rcu+0x62/0x300
+ ip_local_deliver_finish+0x267/0x350
+ ip_local_deliver+0x18b/0x2d0
+ ip_rcv+0x2fb/0x370
+ __netif_receive_skb_one_core+0x166/0x1b0
+ process_backlog+0x24c/0x5e0
+ __napi_poll+0xa2/0x500
+ net_rx_action+0x854/0xc90
+ __do_softirq+0x1bb/0x5de
+ do_softirq+0xcb/0x100
+ </IRQ>
+ <TASK>
+ ...
+ </TASK>
+
+ Allocated by task 102371:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x7b/0x90
+ svc_setup_socket+0x52/0x4f0 [sunrpc]
+ svc_addsock+0x20d/0x400 [sunrpc]
+ __write_ports_addfd+0x209/0x390 [nfsd]
+ write_ports+0x239/0x2c0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+ Freed by task 102551:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x106/0x190
+ __kmem_cache_free+0x133/0x270
+ svc_xprt_free+0x1e2/0x350 [sunrpc]
+ svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
+ nfsd_put+0x125/0x240 [nfsd]
+ nfsd_svc+0x2cb/0x3c0 [nfsd]
+ write_threads+0x1ac/0x2a0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
+if state != TCP_LISTEN, that will avoid dereferencing svsk for all
+child socket.
+
+Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
+Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding")
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/svcsock.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -826,12 +826,6 @@ static void svc_tcp_listen_data_ready(st
+
+ trace_sk_data_ready(sk);
+
+- if (svsk) {
+- /* Refer to svc_setup_socket() for details. */
+- rmb();
+- svsk->sk_odata(sk);
+- }
+-
+ /*
+ * This callback may called twice when a new connection
+ * is established as a child socket inherits everything
+@@ -840,13 +834,18 @@ static void svc_tcp_listen_data_ready(st
+ * when one of child sockets become ESTABLISHED.
+ * 2) data_ready method of the child socket may be called
+ * when it receives data before the socket is accepted.
+- * In case of 2, we should ignore it silently.
++ * In case of 2, we should ignore it silently and DO NOT
++ * dereference svsk.
+ */
+- if (sk->sk_state == TCP_LISTEN) {
+- if (svsk) {
+- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
+- svc_xprt_enqueue(&svsk->sk_xprt);
+- }
++ if (sk->sk_state != TCP_LISTEN)
++ return;
++
++ if (svsk) {
++ /* Refer to svc_setup_socket() for details. */
++ rmb();
++ svsk->sk_odata(sk);
++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
++ svc_xprt_enqueue(&svsk->sk_xprt);
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
