--- /dev/null
+From 162d053e15fe985f754ef495a96eb3db970c43ed Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 28 Nov 2022 15:07:30 +0000
+Subject: btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 162d053e15fe985f754ef495a96eb3db970c43ed upstream.
+
+If we get -ENOMEM while dropping file extent items in a given range, at
+btrfs_drop_extents(), due to failure to allocate memory when attempting to
+increment the reference count for an extent or drop the reference count,
+we handle it with a BUG_ON(). This is excessive, instead we can simply
+abort the transaction and return the error to the caller. In fact most
+callers of btrfs_drop_extents(), directly or indirectly, already abort
+the transaction if btrfs_drop_extents() returns any error.
+
+Also, we already have error paths at btrfs_drop_extents() that may return
+-ENOMEM and in those cases we abort the transaction, like for example
+anything that changes the b+tree may return -ENOMEM due to a failure to
+allocate a new extent buffer when COWing an existing extent buffer, such
+as a call to btrfs_duplicate_item() for example.
+
+So replace the BUG_ON() calls with proper logic to abort the transaction
+and return the error.
+
+Reported-by: syzbot+0b1fb6b0108c27419f9f@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/00000000000089773e05ee4b9cb4@google.com/
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -880,7 +880,10 @@ next_slot:
+ args->start - extent_offset,
+ 0, false);
+ ret = btrfs_inc_extent_ref(trans, &ref);
+- BUG_ON(ret); /* -ENOMEM */
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
++ break;
++ }
+ }
+ key.offset = args->start;
+ }
+@@ -967,7 +970,10 @@ delete_extent_item:
+ key.offset - extent_offset, 0,
+ false);
+ ret = btrfs_free_extent(trans, &ref);
+- BUG_ON(ret); /* -ENOMEM */
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
++ break;
++ }
+ args->bytes_found += extent_end - key.offset;
+ }
+
--- /dev/null
+From 3c3bfb8586f848317ceba5d777e11204ba3e5758 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 6 Dec 2022 07:10:31 +0900
+Subject: fbdev: fbcon: release buffer when fbcon_do_set_font() failed
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 3c3bfb8586f848317ceba5d777e11204ba3e5758 upstream.
+
+syzbot is reporting memory leak at fbcon_do_set_font() [1], for
+commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when
+vc_resize() failed") missed that the buffer might be newly allocated
+by fbcon_set_font().
+
+Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1]
+Reported-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
+Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -2450,7 +2450,8 @@ err_out:
+
+ if (userfont) {
+ p->userfont = old_userfont;
+- REFCOUNT(data)--;
++ if (--REFCOUNT(data) == 0)
++ kfree(data - FONT_EXTRA_WORDS * sizeof(int));
+ }
+
+ vc->vc_font.width = old_width;
--- /dev/null
+From e96b95c2b7a63a454b6498e2df67aac14d046d13 Mon Sep 17 00:00:00 2001
+From: Rickard x Andersson <rickaran@axis.com>
+Date: Tue, 20 Dec 2022 11:23:18 +0100
+Subject: gcov: add support for checksum field
+
+From: Rickard x Andersson <rickaran@axis.com>
+
+commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream.
+
+In GCC version 12.1 a checksum field was added.
+
+This patch fixes a kernel crash occurring during boot when using
+gcov-kernel with GCC version 12.2. The crash occurred on a system running
+on i.MX6SX.
+
+Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com
+Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers")
+Signed-off-by: Rickard x Andersson <rickaran@axis.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Tested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Martin Liska <mliska@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/gcov/gcc_4_7.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/gcov/gcc_4_7.c
++++ b/kernel/gcov/gcc_4_7.c
+@@ -82,6 +82,7 @@ struct gcov_fn_info {
+ * @version: gcov version magic indicating the gcc version used for compilation
+ * @next: list head for a singly-linked list
+ * @stamp: uniquifying time stamp
++ * @checksum: unique object checksum
+ * @filename: name of the associated gcov data file
+ * @merge: merge functions (null for unused counter type)
+ * @n_functions: number of instrumented functions
+@@ -94,6 +95,10 @@ struct gcov_info {
+ unsigned int version;
+ struct gcov_info *next;
+ unsigned int stamp;
++ /* Since GCC 12.1 a checksum field is added. */
++#if (__GNUC__ >= 12)
++ unsigned int checksum;
++#endif
+ const char *filename;
+ void (*merge[GCOV_COUNTERS])(gcov_type *, unsigned int);
+ unsigned int n_functions;
--- /dev/null
+From 2ccc92f4effcfa1c51c4fcf1e34d769099d3cad4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 23 Nov 2022 11:33:36 +0000
+Subject: io_uring: add completion locking for iopoll
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 2ccc92f4effcfa1c51c4fcf1e34d769099d3cad4 upstream.
+
+There are pieces of code that may allow iopoll to race filling cqes,
+temporarily add spinlocking around posting events.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/84d86b5c117feda075471c5c9e65208e0dccf5d0.1669203009.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rw.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -1063,6 +1063,7 @@ int io_do_iopoll(struct io_ring_ctx *ctx
+ else if (!pos)
+ return 0;
+
++ spin_lock(&ctx->completion_lock);
+ prev = start;
+ wq_list_for_each_resume(pos, prev) {
+ struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
+@@ -1077,11 +1078,11 @@ int io_do_iopoll(struct io_ring_ctx *ctx
+ req->cqe.flags = io_put_kbuf(req, 0);
+ __io_fill_cqe_req(req->ctx, req);
+ }
+-
++ io_commit_cqring(ctx);
++ spin_unlock(&ctx->completion_lock);
+ if (unlikely(!nr_events))
+ return 0;
+
+- io_commit_cqring(ctx);
+ io_cqring_ev_posted_iopoll(ctx);
+ pos = start ? start->next : ctx->iopoll_list.first;
+ wq_list_cut(&ctx->iopoll_list, prev, start);
--- /dev/null
+From 4c979eaefa4356d385b7c7d2877dc04d7fe88969 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 7 Dec 2022 03:53:27 +0000
+Subject: io_uring: improve io_double_lock_ctx fail handling
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 4c979eaefa4356d385b7c7d2877dc04d7fe88969 upstream.
+
+msg_ring will fail the request if it can't lock rings, instead punt it
+to io-wq as was originally intended.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/4697f05afcc37df5c8f89e2fe6d9c7c19f0241f9.1670384893.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/msg_ring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/msg_ring.c
++++ b/io_uring/msg_ring.c
+@@ -164,6 +164,8 @@ int io_msg_ring(struct io_kiocb *req, un
+ }
+
+ done:
++ if (ret == -EAGAIN)
++ return -EAGAIN;
+ if (ret < 0)
+ req_set_fail(req);
+ io_req_set_res(req, ret, 0);
--- /dev/null
+From 6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 19 Dec 2022 15:11:40 +0000
+Subject: io_uring/net: fix cleanup after recycle
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 upstream.
+
+Don't access io_async_msghdr io_netmsg_recycle(), it may be reallocated.
+
+Cc: stable@vger.kernel.org
+Fixes: 9bb66906f23e5 ("io_uring: support multishot in recvmsg")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/9e326f4ad4046ddadf15bf34bf3fa58c6372f6b5.1671461985.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -772,10 +772,10 @@ retry_multishot:
+ goto retry_multishot;
+
+ if (mshot_finished) {
+- io_netmsg_recycle(req, issue_flags);
+ /* fast path, check for non-NULL to avoid function call */
+ if (kmsg->free_iov)
+ kfree(kmsg->free_iov);
++ io_netmsg_recycle(req, issue_flags);
+ req->flags &= ~REQ_F_NEED_CLEANUP;
+ }
+
--- /dev/null
+From ea011ee10231f5fa6cbb415007048ca0bb948baf Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Fri, 2 Dec 2022 17:47:22 +0000
+Subject: io_uring: protect cq_timeouts with timeout_lock
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit ea011ee10231f5fa6cbb415007048ca0bb948baf upstream.
+
+Read cq_timeouts in io_flush_timeouts() only after taking the
+timeout_lock, as it's protected by it. There are many places where we
+also grab ->completion_lock, but for instance io_timeout_fn() doesn't
+and still modifies cq_timeouts.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/9c79544dd6cf5c4018cb1bab99cf481a93ea46ef.1670002973.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/timeout.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/io_uring/timeout.c
++++ b/io_uring/timeout.c
+@@ -72,10 +72,12 @@ static bool io_kill_timeout(struct io_ki
+ __cold void io_flush_timeouts(struct io_ring_ctx *ctx)
+ __must_hold(&ctx->completion_lock)
+ {
+- u32 seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
++ u32 seq;
+ struct io_timeout *timeout, *tmp;
+
+ spin_lock_irq(&ctx->timeout_lock);
++ seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
++
+ list_for_each_entry_safe(timeout, tmp, &ctx->timeout_list, list) {
+ struct io_kiocb *req = cmd_to_io_kiocb(timeout);
+ u32 events_needed, events_got;
--- /dev/null
+From f347454d034184b4f0a2caf6e14daf7848cea01c Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Mon, 31 Oct 2022 16:25:24 +0100
+Subject: mm/gup: disallow FOLL_FORCE|FOLL_WRITE on hugetlb mappings
+
+From: David Hildenbrand <david@redhat.com>
+
+commit f347454d034184b4f0a2caf6e14daf7848cea01c upstream.
+
+hugetlb does not support fake write-faults (write faults without write
+permissions). However, we are currently able to trigger a
+FAULT_FLAG_WRITE fault on a VMA without VM_WRITE.
+
+If we'd ever want to support FOLL_FORCE|FOLL_WRITE, we'd have to teach
+hugetlb to:
+
+(1) Leave the page mapped R/O after the fake write-fault, like
+ maybe_mkwrite() does.
+(2) Allow writing to an exclusive anon page that's mapped R/O when
+ FOLL_FORCE is set, like can_follow_write_pte(). E.g.,
+ __follow_hugetlb_must_fault() needs adjustment.
+
+For now, it's not clear if that added complexity is really required.
+History tolds us that FOLL_FORCE is dangerous and that we better limit its
+use to a bare minimum.
+
+--------------------------------------------------------------------------
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <stdint.h>
+ #include <sys/mman.h>
+ #include <linux/mman.h>
+
+ int main(int argc, char **argv)
+ {
+ char *map;
+ int mem_fd;
+
+ map = mmap(NULL, 2 * 1024 * 1024u, PROT_READ,
+ MAP_PRIVATE|MAP_ANON|MAP_HUGETLB|MAP_HUGE_2MB, -1, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "mmap() failed: %d\n", errno);
+ return 1;
+ }
+
+ mem_fd = open("/proc/self/mem", O_RDWR);
+ if (mem_fd < 0) {
+ fprintf(stderr, "open(/proc/self/mem) failed: %d\n", errno);
+ return 1;
+ }
+
+ if (pwrite(mem_fd, "0", 1, (uintptr_t) map) == 1) {
+ fprintf(stderr, "write() succeeded, which is unexpected\n");
+ return 1;
+ }
+
+ printf("write() failed as expected: %d\n", errno);
+ return 0;
+ }
+--------------------------------------------------------------------------
+
+Fortunately, we have a sanity check in hugetlb_wp() in place ever since
+commit 1d8d14641fd9 ("mm/hugetlb: support write-faults in shared
+mappings"), that bails out instead of silently mapping a page writable in
+a !PROT_WRITE VMA.
+
+Consequently, above reproducer triggers a warning, similar to the one
+reported by szsbot:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 3612 at mm/hugetlb.c:5313 hugetlb_wp+0x20a/0x1af0 mm/hugetlb.c:5313
+Modules linked in:
+CPU: 1 PID: 3612 Comm: syz-executor250 Not tainted 6.1.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
+RIP: 0010:hugetlb_wp+0x20a/0x1af0 mm/hugetlb.c:5313
+Code: ea 03 80 3c 02 00 0f 85 31 14 00 00 49 8b 5f 20 31 ff 48 89 dd 83 e5 02 48 89 ee e8 70 ab b7 ff 48 85 ed 75 5b e8 76 ae b7 ff <0f> 0b 41 bd 40 00 00 00 e8 69 ae b7 ff 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc90003caf620 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000008640070 RCX: 0000000000000000
+RDX: ffff88807b963a80 RSI: ffffffff81c4ed2a RDI: 0000000000000007
+RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
+R10: 0000000000000000 R11: 000000000008c07e R12: ffff888023805800
+R13: 0000000000000000 R14: ffffffff91217f38 R15: ffff88801d4b0360
+FS: 0000555555bba300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fff7a47a1b8 CR3: 000000002378d000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ hugetlb_no_page mm/hugetlb.c:5755 [inline]
+ hugetlb_fault+0x19cc/0x2060 mm/hugetlb.c:5874
+ follow_hugetlb_page+0x3f3/0x1850 mm/hugetlb.c:6301
+ __get_user_pages+0x2cb/0xf10 mm/gup.c:1202
+ __get_user_pages_locked mm/gup.c:1434 [inline]
+ __get_user_pages_remote+0x18f/0x830 mm/gup.c:2187
+ get_user_pages_remote+0x84/0xc0 mm/gup.c:2260
+ __access_remote_vm+0x287/0x6b0 mm/memory.c:5517
+ ptrace_access_vm+0x181/0x1d0 kernel/ptrace.c:61
+ generic_ptrace_pokedata kernel/ptrace.c:1323 [inline]
+ ptrace_request+0xb46/0x10c0 kernel/ptrace.c:1046
+ arch_ptrace+0x36/0x510 arch/x86/kernel/ptrace.c:828
+ __do_sys_ptrace kernel/ptrace.c:1296 [inline]
+ __se_sys_ptrace kernel/ptrace.c:1269 [inline]
+ __x64_sys_ptrace+0x178/0x2a0 kernel/ptrace.c:1269
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[...]
+
+So let's silence that warning by teaching GUP code that FOLL_FORCE -- so
+far -- does not apply to hugetlb.
+
+Note that FOLL_FORCE for read-access seems to be working as expected. The
+assumption is that this has been broken forever, only ever since above
+commit, we actually detect the wrong handling and WARN_ON_ONCE().
+
+I assume this has been broken at least since 2014, when mm/gup.c came to
+life. I failed to come up with a suitable Fixes tag quickly.
+
+Link: https://lkml.kernel.org/r/20221031152524.173644-1-david@redhat.com
+Fixes: 1d8d14641fd9 ("mm/hugetlb: support write-faults in shared mappings")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reported-by: <syzbot+f0b97304ef90f0d0b1dc@syzkaller.appspotmail.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/gup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1058,6 +1058,9 @@ static int check_vma_flags(struct vm_are
+ if (!(vm_flags & VM_WRITE)) {
+ if (!(gup_flags & FOLL_FORCE))
+ return -EFAULT;
++ /* hugetlb does not support FOLL_FORCE|FOLL_WRITE. */
++ if (is_vm_hugetlb_page(vma))
++ return -EFAULT;
+ /*
+ * We used to let the write,force case do COW in a
+ * VM_MAYWRITE VM_SHARED !VM_WRITE vma, so ptrace could
--- /dev/null
+From 672e4268b2863d7e4978dfed29552b31c2f9bd4e Mon Sep 17 00:00:00 2001
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+Date: Mon, 28 Nov 2022 11:33:05 +0100
+Subject: ovl: fix use inode directly in rcu-walk mode
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream.
+
+ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document
+said, "in rcu-walk mode, d_parent and d_inode should not be used without
+care".
+
+Check inode here to protect access under rcu-walk mode.
+
+Fixes: bccece1ead36 ("ovl: allow remote upper")
+Reported-and-tested-by: syzbot+a4055c78774bbf3498bb@syzkaller.appspotmail.com
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Cc: <stable@vger.kernel.org> # v5.7
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/super.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -138,11 +138,16 @@ static int ovl_dentry_revalidate_common(
+ unsigned int flags, bool weak)
+ {
+ struct ovl_entry *oe = dentry->d_fsdata;
++ struct inode *inode = d_inode_rcu(dentry);
+ struct dentry *upper;
+ unsigned int i;
+ int ret = 1;
+
+- upper = ovl_dentry_upper(dentry);
++ /* Careful in RCU mode */
++ if (!inode)
++ return -ECHILD;
++
++ upper = ovl_i_dentry_upper(inode);
+ if (upper)
+ ret = ovl_revalidate_real(upper, flags, weak);
+
--- /dev/null
+From 68ad83188d782b2ecef2e41ac245d27e0710fe8e Mon Sep 17 00:00:00 2001
+From: Arun Easi <aeasi@marvell.com>
+Date: Tue, 29 Nov 2022 01:26:34 -0800
+Subject: scsi: qla2xxx: Fix crash when I/O abort times out
+
+From: Arun Easi <aeasi@marvell.com>
+
+commit 68ad83188d782b2ecef2e41ac245d27e0710fe8e upstream.
+
+While performing CPU hotplug, a crash with the following stack was seen:
+
+Call Trace:
+ qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]
+ qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]
+ qla_nvme_post_cmd+0x166/0x240 [qla2xxx]
+ nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]
+ blk_mq_dispatch_rq_list+0x17b/0x610
+ __blk_mq_sched_dispatch_requests+0xb0/0x140
+ blk_mq_sched_dispatch_requests+0x30/0x60
+ __blk_mq_run_hw_queue+0x35/0x90
+ __blk_mq_delay_run_hw_queue+0x161/0x180
+ blk_execute_rq+0xbe/0x160
+ __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]
+ nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]
+ nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]
+ nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]
+ process_one_work+0x1e8/0x3c0
+
+On abort timeout, completion was called without checking if the I/O was
+already completed.
+
+Verify that I/O and abort request are indeed outstanding before attempting
+completion.
+
+Fixes: 71c80b75ce8f ("scsi: qla2xxx: Do command completion on abort timeout")
+Reported-by: Marco Patalano <mpatalan@redhat.com>
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20221129092634.15347-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -110,6 +110,7 @@ static void qla24xx_abort_iocb_timeout(v
+ struct qla_qpair *qpair = sp->qpair;
+ u32 handle;
+ unsigned long flags;
++ int sp_found = 0, cmdsp_found = 0;
+
+ if (sp->cmd_sp)
+ ql_dbg(ql_dbg_async, sp->vha, 0x507c,
+@@ -124,18 +125,21 @@ static void qla24xx_abort_iocb_timeout(v
+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+ for (handle = 1; handle < qpair->req->num_outstanding_cmds; handle++) {
+ if (sp->cmd_sp && (qpair->req->outstanding_cmds[handle] ==
+- sp->cmd_sp))
++ sp->cmd_sp)) {
+ qpair->req->outstanding_cmds[handle] = NULL;
++ cmdsp_found = 1;
++ }
+
+ /* removing the abort */
+ if (qpair->req->outstanding_cmds[handle] == sp) {
+ qpair->req->outstanding_cmds[handle] = NULL;
++ sp_found = 1;
+ break;
+ }
+ }
+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+
+- if (sp->cmd_sp) {
++ if (cmdsp_found && sp->cmd_sp) {
+ /*
+ * This done function should take care of
+ * original command ref: INIT
+@@ -143,8 +147,10 @@ static void qla24xx_abort_iocb_timeout(v
+ sp->cmd_sp->done(sp->cmd_sp, QLA_OS_TIMER_EXPIRED);
+ }
+
+- abt->u.abt.comp_status = cpu_to_le16(CS_TIMEOUT);
+- sp->done(sp, QLA_OS_TIMER_EXPIRED);
++ if (sp_found) {
++ abt->u.abt.comp_status = cpu_to_le16(CS_TIMEOUT);
++ sp->done(sp, QLA_OS_TIMER_EXPIRED);
++ }
+ }
+
+ static void qla24xx_abort_sp_done(srb_t *sp, int res)
iio-addac-ad74413r-fix-integer-promotion-bug-in-ad74413_get_input_current_offset.patch
regulator-core-fix-deadlock-on-regulator-enable.patch
floppy-fix-memory-leak-in-do_floppy_init.patch
+gcov-add-support-for-checksum-field.patch
+fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
+ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
+btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
+mm-gup-disallow-foll_force-foll_write-on-hugetlb-mappings.patch
+scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
+io_uring-add-completion-locking-for-iopoll.patch
+io_uring-improve-io_double_lock_ctx-fail-handling.patch
+io_uring-net-fix-cleanup-after-recycle.patch
+io_uring-protect-cq_timeouts-with-timeout_lock.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
