--- /dev/null
+From b2a616676839e2a6b02c8e40be7f886f882ed194 Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Tue, 27 Jul 2021 15:13:03 +0800
+Subject: btrfs: fix rw device counting in __btrfs_free_extra_devids
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit b2a616676839e2a6b02c8e40be7f886f882ed194 upstream.
+
+When removing a writeable device in __btrfs_free_extra_devids, the rw
+device count should be decremented.
+
+This error was caught by Syzbot which reported a warning in
+close_fs_devices:
+
+ WARNING: CPU: 1 PID: 9355 at fs/btrfs/volumes.c:1168 close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168
+ Modules linked in:
+ CPU: 0 PID: 9355 Comm: syz-executor552 Not tainted 5.13.0-rc1-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168
+ RSP: 0018:ffffc9000333f2f0 EFLAGS: 00010293
+ RAX: ffffffff8365f5c3 RBX: 0000000000000001 RCX: ffff888029afd4c0
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+ RBP: ffff88802846f508 R08: ffffffff8365f525 R09: ffffed100337d128
+ R10: ffffed100337d128 R11: 0000000000000000 R12: dffffc0000000000
+ R13: ffff888019be8868 R14: 1ffff1100337d10d R15: 1ffff1100337d10a
+ FS: 00007f6f53828700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000047c410 CR3: 00000000302a6000 CR4: 00000000001506f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ btrfs_close_devices+0xc9/0x450 fs/btrfs/volumes.c:1180
+ open_ctree+0x8e1/0x3968 fs/btrfs/disk-io.c:3693
+ btrfs_fill_super fs/btrfs/super.c:1382 [inline]
+ btrfs_mount_root+0xac5/0xc60 fs/btrfs/super.c:1749
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1498
+ fc_mount fs/namespace.c:993 [inline]
+ vfs_kern_mount+0xc9/0x160 fs/namespace.c:1023
+ btrfs_mount+0x3d3/0xb50 fs/btrfs/super.c:1809
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1498
+ do_new_mount fs/namespace.c:2905 [inline]
+ path_mount+0x196f/0x2be0 fs/namespace.c:3235
+ do_mount fs/namespace.c:3248 [inline]
+ __do_sys_mount fs/namespace.c:3456 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
+ do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Because fs_devices->rw_devices was not 0 after
+closing all devices. Here is the call trace that was observed:
+
+ btrfs_mount_root():
+ btrfs_scan_one_device():
+ device_list_add(); <---------------- device added
+ btrfs_open_devices():
+ open_fs_devices():
+ btrfs_open_one_device(); <-------- writable device opened,
+ rw device count ++
+ btrfs_fill_super():
+ open_ctree():
+ btrfs_free_extra_devids():
+ __btrfs_free_extra_devids(); <--- writable device removed,
+ rw device count not decremented
+ fail_tree_roots:
+ btrfs_close_devices():
+ close_fs_devices(); <------- rw device count off by 1
+
+As a note, prior to commit cf89af146b7e ("btrfs: dev-replace: fail
+mount if we don't have replace item with target device"), rw_devices
+was decremented on removing a writable device in
+__btrfs_free_extra_devids only if the BTRFS_DEV_STATE_REPLACE_TGT bit
+was not set for the device. However, this check does not need to be
+reinstated as it is now redundant and incorrect.
+
+In __btrfs_free_extra_devids, we skip removing the device if it is the
+target for replacement. This is done by checking whether device->devid
+== BTRFS_DEV_REPLACE_DEVID. Since BTRFS_DEV_STATE_REPLACE_TGT is set
+only on the device with devid BTRFS_DEV_REPLACE_DEVID, no devices
+should have the BTRFS_DEV_STATE_REPLACE_TGT bit set after the check,
+and so it's redundant to test for that bit.
+
+Additionally, following commit 82372bc816d7 ("Btrfs: make
+the logic of source device removing more clear"), rw_devices is
+incremented whenever a writeable device is added to the alloc
+list (including the target device in btrfs_dev_replace_finishing), so
+all removals of writable devices from the alloc list should also be
+accompanied by a decrement to rw_devices.
+
+Reported-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com
+Fixes: cf89af146b7e ("btrfs: dev-replace: fail mount if we don't have replace item with target device")
+CC: stable@vger.kernel.org # 5.10+
+Tested-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1266,6 +1266,7 @@ again:
+ if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) {
+ list_del_init(&device->dev_alloc_list);
+ clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state);
++ fs_devices->rw_devices--;
+ }
+ list_del_init(&device->dev_list);
+ fs_devices->num_devices--;
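Review bot: The new `fs_devices->rw_devices--;` in the writeable branch is correct, but the line carries none of the reasoning from the commit message, and a reader who remembers the old BTRFS_DEV_STATE_REPLACE_TGT condition may be tempted to reinstate it. A one-line comment would pin the invariant the decrement depends on: `/* rw_devices was bumped when the device joined the alloc list; keep it in step */`. Whether this runs under the lock that protects rw_devices is not visible here; the enclosing loop and __btrfs_free_extra_devids start outside the hunk.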
--- /dev/null
+From 240246f6b913b0c23733cfd2def1d283f8cc9bbe Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+Date: Fri, 9 Jul 2021 11:29:22 -0500
+Subject: btrfs: mark compressed range uptodate only if all bio succeed
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+commit 240246f6b913b0c23733cfd2def1d283f8cc9bbe upstream.
+
+In compression write endio sequence, the range which the compressed_bio
+writes is marked as uptodate if the last bio of the compressed (sub)bios
+is completed successfully. There could be previous bio which may
+have failed which is recorded in cb->errors.
+
+Set the writeback range as uptodate only if cb->errors is zero, as opposed
+to checking only the last bio's status.
+
+Backporting notes: in all versions up to 4.4 the last argument is always
+replaced by "!cb->errors".
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/compression.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/compression.c
++++ b/fs/btrfs/compression.c
+@@ -273,7 +273,7 @@ static void end_compressed_bio_write(str
+ cb->compressed_pages[0]->mapping = cb->inode->i_mapping;
+ btrfs_writepage_endio_finish_ordered(cb->compressed_pages[0],
+ cb->start, cb->start + cb->len - 1,
+- bio->bi_status == BLK_STS_OK);
++ !cb->errors);
+ cb->compressed_pages[0]->mapping = NULL;
+
+ end_compressed_writeback(inode, cb);
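Review bot: The `!cb->errors` argument on the changed line only covers the final bio if that bio's own `bi_status` was folded into `cb->errors` before this point; that happens, if at all, earlier in end_compressed_bio_write, which starts outside the hunk, so it is worth confirming rather than assuming. If the fold is indeed done at the top of the endio, a short comment here keeps the next reader from re-adding a per-bio check: `/* cb->errors accumulates every sub-bio's status, this one included */`. The function continues past the hunk.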
--- /dev/null
+From 9969e3c5f40c166e3396acc36c34f9de502929f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 20:00:33 +0300
+Subject: can: ems_usb: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 9969e3c5f40c166e3396acc36c34f9de502929f6 upstream.
+
+In ems_usb_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see ems_usb_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/59aa9fbc9a8cbf9af2bbd2f61a659c480b415800.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -255,6 +255,8 @@ struct ems_usb {
+ unsigned int free_slots; /* remember number of available slots */
+
+ struct ems_cpc_msg active_params; /* active controller parameters */
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ static void ems_usb_read_interrupt_callback(struct urb *urb)
+@@ -587,6 +589,7 @@ static int ems_usb_start(struct ems_usb
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -596,7 +599,7 @@ static int ems_usb_start(struct ems_usb
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -604,6 +607,8 @@ static int ems_usb_start(struct ems_usb
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev, usb_rcvbulkpipe(dev->udev, 2),
+ buf, RX_BUFFER_SIZE,
+ ems_usb_read_bulk_callback, dev);
+@@ -619,6 +624,9 @@ static int ems_usb_start(struct ems_usb
+ break;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -684,6 +692,10 @@ static void unlink_all_urbs(struct ems_u
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&dev->tx_submitted);
+ atomic_set(&dev->active_tx_urbs, 0);
+
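Review bot: The free loop added to unlink_all_urbs frees `dev->rxbuf[i]` but leaves the pointer and `dev->rxbuf_dma[i]` in place, so a second pass through this helper would hand the same coherent buffers to usb_free_coherent() again; whether it can run twice (a close followed by a disconnect, for instance) is not visible in this hunk but is cheap to rule out. Suggest clearing the slots inside the loop body after the free: `dev->rxbuf[i] = NULL;` and `dev->rxbuf_dma[i] = 0;`. The loop also frees every slot up to MAX_RX_URBS, including ones ems_usb_start never filled when it broke out early, which is only safe if `struct ems_usb` was zero-allocated so those entries are NULL; a comment stating that assumption would help. The same applies to the esd_usb2 and usb_8dev patches below, which add identical loops.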
--- /dev/null
+From 928150fad41ba16df7fcc9f7f945747d0f56cbb6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 20:00:46 +0300
+Subject: can: esd_usb2: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 928150fad41ba16df7fcc9f7f945747d0f56cbb6 upstream.
+
+In esd_usb2_setup_rx_urbs() MAX_RX_URBS coherent buffers are allocated
+and there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see esd_usb2_setup_rx_urbs) and this flag cannot be used
+ with coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Link: https://lore.kernel.org/r/b31b096926dcb35998ad0271aac4b51770ca7cc8.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/esd_usb2.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -195,6 +195,8 @@ struct esd_usb2 {
+ int net_count;
+ u32 version;
+ int rxinitdone;
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ struct esd_usb2_net_priv {
+@@ -544,6 +546,7 @@ static int esd_usb2_setup_rx_urbs(struct
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -553,7 +556,7 @@ static int esd_usb2_setup_rx_urbs(struct
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ dev_warn(dev->udev->dev.parent,
+ "No memory left for USB buffer\n");
+@@ -561,6 +564,8 @@ static int esd_usb2_setup_rx_urbs(struct
+ goto freeurb;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev,
+ usb_rcvbulkpipe(dev->udev, 1),
+ buf, RX_BUFFER_SIZE,
+@@ -573,8 +578,12 @@ static int esd_usb2_setup_rx_urbs(struct
+ usb_unanchor_urb(urb);
+ usb_free_coherent(dev->udev, RX_BUFFER_SIZE, buf,
+ urb->transfer_dma);
++ goto freeurb;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ freeurb:
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+@@ -662,6 +671,11 @@ static void unlink_all_urbs(struct esd_u
+ int i, j;
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
++
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ for (i = 0; i < dev->net_count; i++) {
+ priv = dev->nets[i];
+ if (priv) {
--- /dev/null
+From c6eea1c8bda56737752465a298dc6ce07d6b8ce3 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Tue, 6 Jul 2021 19:00:08 +0800
+Subject: can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit c6eea1c8bda56737752465a298dc6ce07d6b8ce3 upstream.
+
+For receive side, the max time interval between two consecutive TP.DT
+should be 750ms.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/r/1625569210-47506-1-git-send-email-zhangchangzhong@huawei.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1869,7 +1869,7 @@ static void j1939_xtp_rx_dat_one(struct
+ if (!session->transmission)
+ j1939_tp_schedule_txtimer(session, 0);
+ } else {
+- j1939_tp_set_rxtimeout(session, 250);
++ j1939_tp_set_rxtimeout(session, 750);
+ }
+ session->last_cmd = 0xff;
+ consume_skb(se_skb);
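Review bot: The changed line swaps one bare literal for another, and `750` reads as arbitrary unless the reader already knows the J1939 transport timing the commit message alludes to. Name it or annotate it, e.g. `j1939_tp_set_rxtimeout(session, 750); /* max gap between consecutive TP.DT on the receive side */`. The other timeout literals in this file would benefit from the same treatment, but that is outside this hunk; j1939_xtp_rx_dat_one starts and ends outside it.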
--- /dev/null
+From fc43fb69a7af92839551f99c1a96a37b77b3ae7a Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 25 Jul 2021 13:36:30 +0300
+Subject: can: mcba_usb_start(): add missing urb->transfer_dma initialization
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit fc43fb69a7af92839551f99c1a96a37b77b3ae7a upstream.
+
+Yasushi reported, that his Microchip CAN Analyzer stopped working
+since commit 91c02557174b ("can: mcba_usb: fix memory leak in
+mcba_usb"). The problem was in missing urb->transfer_dma
+initialization.
+
+In my previous patch to this driver I refactored mcba_usb_start() code
+to avoid leaking usb coherent buffers. To archive it, I passed local
+stack variable to usb_alloc_coherent() and then saved it to private
+array to correctly free all coherent buffers on ->close() call. But I
+forgot to initialize urb->transfer_dma with variable passed to
+usb_alloc_coherent().
+
+All of this was causing device to not work, since dma addr 0 is not
+valid and following log can be found on bug report page, which points
+exactly to problem described above.
+
+| DMAR: [DMA Write] Request device [00:14.0] PASID ffffffff fault addr 0 [fault reason 05] PTE Write access is not set
+
+Fixes: 91c02557174b ("can: mcba_usb: fix memory leak in mcba_usb")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990850
+Link: https://lore.kernel.org/r/20210725103630.23864-1-paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Reported-by: Yasushi SHOJI <yasushi.shoji@gmail.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Tested-by: Yasushi SHOJI <yashi@spacecubics.com>
+[mkl: fixed typos in commit message - thanks Yasushi SHOJI]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -653,6 +653,8 @@ static int mcba_usb_start(struct mcba_pr
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
+ buf, MCBA_USB_RX_BUFF_SIZE,
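Review bot: The new `urb->transfer_dma = buf_dma;` is only honoured when the URB also carries `URB_NO_TRANSFER_DMA_MAP`; without that flag the core maps `buf` on its own and the pre-mapped coherent address is not used. The flag is not set within this hunk, so it presumably lives further down mcba_usb_start — worth confirming, given that an omission of exactly this kind is what the patch fixes. A comment on the new line would tie the two together: `/* buf came from usb_alloc_coherent(); pair with URB_NO_TRANSFER_DMA_MAP */`. The function starts and ends outside the hunk.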
--- /dev/null
+From 54f93336d000229f72c26d8a3f69dd256b744528 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Thu, 22 Jul 2021 15:08:19 +0800
+Subject: can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 54f93336d000229f72c26d8a3f69dd256b744528 upstream.
+
+We get a bug during ltp can_filter test as following.
+
+===========================================
+[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
+[60919.265443] Oops: 0000 [#1] SMP PTI
+[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G W 4.19.90+ #1
+[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200
+[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246
+[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007
+[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30
+[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001
+[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30
+[60919.350320] perf: interrupt took too long (3063 > 2500), lowering kernel.perf_event_max_sample_rate to 65000
+[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000
+[60919.361151] FS: 00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000
+[60919.400812] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0
+[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[60919.451608] PKRU: 55555554
+[60919.463622] Call Trace:
+[60919.475617] <IRQ>
+[60919.487122] ? update_load_avg+0x89/0x5d0
+[60919.498478] ? update_load_avg+0x89/0x5d0
+[60919.509822] ? account_entity_enqueue+0xc5/0xf0
+[60919.520709] security_sock_rcv_skb+0x2a/0x40
+[60919.531413] sk_filter_trim_cap+0x47/0x1b0
+[60919.542178] ? kmem_cache_alloc+0x38/0x1b0
+[60919.552444] sock_queue_rcv_skb+0x17/0x30
+[60919.562477] raw_rcv+0x110/0x190 [can_raw]
+[60919.572539] can_rcv_filter+0xbc/0x1b0 [can]
+[60919.582173] can_receive+0x6b/0xb0 [can]
+[60919.591595] can_rcv+0x31/0x70 [can]
+[60919.600783] __netif_receive_skb_one_core+0x5a/0x80
+[60919.609864] process_backlog+0x9b/0x150
+[60919.618691] net_rx_action+0x156/0x400
+[60919.627310] ? sched_clock_cpu+0xc/0xa0
+[60919.635714] __do_softirq+0xe8/0x2e9
+[60919.644161] do_softirq_own_stack+0x2a/0x40
+[60919.652154] </IRQ>
+[60919.659899] do_softirq.part.17+0x4f/0x60
+[60919.667475] __local_bh_enable_ip+0x60/0x70
+[60919.675089] __dev_queue_xmit+0x539/0x920
+[60919.682267] ? finish_wait+0x80/0x80
+[60919.689218] ? finish_wait+0x80/0x80
+[60919.695886] ? sock_alloc_send_pskb+0x211/0x230
+[60919.702395] ? can_send+0xe5/0x1f0 [can]
+[60919.708882] can_send+0xe5/0x1f0 [can]
+[60919.715037] raw_sendmsg+0x16d/0x268 [can_raw]
+
+It's because raw_setsockopt() concurrently with
+unregister_netdevice_many(). Concurrent scenario as following.
+
+ cpu0 cpu1
+raw_bind
+raw_setsockopt unregister_netdevice_many
+ unlist_netdevice
+dev_get_by_index raw_notifier
+raw_enable_filters ......
+can_rx_register
+can_rcv_list_find(..., net->can.rx_alldev_list)
+
+......
+
+sock_close
+raw_release(sock_a)
+
+......
+
+can_receive
+can_rcv_filter(net->can.rx_alldev_list, ...)
+raw_rcv(skb, sock_a)
+BUG
+
+After unlist_netdevice(), dev_get_by_index() return NULL in
+raw_setsockopt(). Function raw_enable_filters() will add sock
+and can_filter to net->can.rx_alldev_list. Then the sock is closed.
+Followed by, we sock_sendmsg() to a new vcan device use the same
+can_filter. Protocol stack match the old receiver whose sock has
+been released on net->can.rx_alldev_list in can_rcv_filter().
+Function raw_rcv() uses the freed sock. UAF BUG is triggered.
+
+We can find that the key issue is that net_device has not been
+protected in raw_setsockopt(). Use rtnl_lock to protect net_device
+in raw_setsockopt().
+
+Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol")
+Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/raw.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -548,10 +548,18 @@ static int raw_setsockopt(struct socket
+ return -EFAULT;
+ }
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ if (count > 1)
++ kfree(filter);
++ err = -ENODEV;
++ goto out_fil;
++ }
++ }
+
+ if (ro->bound) {
+ /* (try to) register the new filters */
+@@ -590,6 +598,7 @@ static int raw_setsockopt(struct socket
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
+@@ -602,10 +611,16 @@ static int raw_setsockopt(struct socket
+
+ err_mask &= CAN_ERR_MASK;
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ err = -ENODEV;
++ goto out_err;
++ }
++ }
+
+ /* remove current error mask */
+ if (ro->bound) {
+@@ -629,6 +644,7 @@ static int raw_setsockopt(struct socket
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
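Review bot: The new `goto out_fil` and `goto out_err` paths taken when dev_get_by_index() returns NULL rely on those labels sitting above the `dev_put(dev)` / `release_sock(sk)` / `rtnl_unlock()` tail, and on that `dev_put` being guarded for a NULL dev; the labels themselves are outside the hunk, so the lock/unlock pairing cannot be verified here and should be confirmed. Since the rtnl-then-socket lock order is now load-bearing for the use-after-free fix, a comment at the first `rtnl_lock();` would keep it from being simplified away later: `/* RTNL keeps the bound device from being unregistered between dev_get_by_index() and filter registration */`. raw_setsockopt starts and ends outside the hunk.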
--- /dev/null
+From 0e865f0c31928d6a313269ef624907eec55287c4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 19:59:57 +0300
+Subject: can: usb_8dev: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 0e865f0c31928d6a313269ef624907eec55287c4 upstream.
+
+In usb_8dev_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see usb_8dev_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Link: https://lore.kernel.org/r/d39b458cd425a1cf7f512f340224e6e9563b07bd.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/usb_8dev.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -137,7 +137,8 @@ struct usb_8dev_priv {
+ u8 *cmd_msg_buffer;
+
+ struct mutex usb_8dev_cmd_lock;
+-
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ /* tx frame */
+@@ -733,6 +734,7 @@ static int usb_8dev_start(struct usb_8de
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -742,7 +744,7 @@ static int usb_8dev_start(struct usb_8de
+ }
+
+ buf = usb_alloc_coherent(priv->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -750,6 +752,8 @@ static int usb_8dev_start(struct usb_8de
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev,
+ USB_8DEV_ENDP_DATA_RX),
+@@ -767,6 +771,9 @@ static int usb_8dev_start(struct usb_8de
+ break;
+ }
+
++ priv->rxbuf[i] = buf;
++ priv->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -836,6 +843,10 @@ static void unlink_all_urbs(struct usb_8
+
+ usb_kill_anchored_urbs(&priv->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(priv->udev, RX_BUFFER_SIZE,
++ priv->rxbuf[i], priv->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&priv->tx_submitted);
+ atomic_set(&priv->active_tx_urbs, 0);
+
--- /dev/null
+From 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Mon, 19 Jul 2021 13:55:28 -0700
+Subject: HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 upstream.
+
+Commit 670e90924bfe ("HID: wacom: support named keys on older devices")
+added support for sending named events from the soft buttons on the
+24HDT and 27QHDT. In the process, however, it inadvertantly disabled the
+touchscreen of the 24HDT and 27QHDT by default. The
+`wacom_set_shared_values` function would normally enable touch by default
+but because it checks the state of the non-shared `has_mute_touch_switch`
+flag and `wacom_setup_touch_input_capabilities` sets the state of the
+/shared/ version, touch ends up being disabled by default.
+
+This patch sets the non-shared flag, letting `wacom_set_shared_values`
+take care of copying the value over to the shared version and setting
+the default touch state to "on".
+
+Fixes: 670e90924bfe ("HID: wacom: support named keys on older devices")
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -3829,7 +3829,7 @@ int wacom_setup_touch_input_capabilities
+ wacom_wac->shared->touch->product == 0xF6) {
+ input_dev->evbit[0] |= BIT_MASK(EV_SW);
+ __set_bit(SW_MUTE_DEVICE, input_dev->swbit);
+- wacom_wac->shared->has_mute_touch_switch = true;
++ wacom_wac->has_mute_touch_switch = true;
+ }
+ /* fall through */
+
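Review bot: The changed line only swaps which `has_mute_touch_switch` is set, and nothing in the code explains why the non-shared field is the right target; the next maintainer is as likely to "fix" it back as the original change was to get it wrong. A comment on the new line would preserve the reasoning from the commit message: `/* non-shared flag: wacom_set_shared_values() copies it to ->shared and enables touch */`. wacom_setup_touch_input_capabilities starts and ends outside the hunk.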
--- /dev/null
+From 8750f9bbda115f3f79bfe43be85551ee5e12b6ff Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 27 Jul 2021 08:43:10 -0400
+Subject: KVM: add missing compat KVM_CLEAR_DIRTY_LOG
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 8750f9bbda115f3f79bfe43be85551ee5e12b6ff upstream.
+
+The arguments to the KVM_CLEAR_DIRTY_LOG ioctl include a pointer,
+therefore it needs a compat ioctl implementation. Otherwise,
+32-bit userspace fails to invoke it on 64-bit kernels; for x86
+it might work fine by chance if the padding is zero, but not
+on big-endian architectures.
+
+Reported-by: Thomas Sattler
+Cc: stable@vger.kernel.org
+Fixes: 2a31b9db1535 ("kvm: introduce manual dirty log reprotect")
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3570,6 +3570,16 @@ struct compat_kvm_dirty_log {
+ };
+ };
+
++struct compat_kvm_clear_dirty_log {
++ __u32 slot;
++ __u32 num_pages;
++ __u64 first_page;
++ union {
++ compat_uptr_t dirty_bitmap; /* one bit per page */
++ __u64 padding2;
++ };
++};
++
+ static long kvm_vm_compat_ioctl(struct file *filp,
+ unsigned int ioctl, unsigned long arg)
+ {
+@@ -3579,6 +3589,24 @@ static long kvm_vm_compat_ioctl(struct f
+ if (kvm->mm != current->mm)
+ return -EIO;
+ switch (ioctl) {
++#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT
++ case KVM_CLEAR_DIRTY_LOG: {
++ struct compat_kvm_clear_dirty_log compat_log;
++ struct kvm_clear_dirty_log log;
++
++ if (copy_from_user(&compat_log, (void __user *)arg,
++ sizeof(compat_log)))
++ return -EFAULT;
++ log.slot = compat_log.slot;
++ log.num_pages = compat_log.num_pages;
++ log.first_page = compat_log.first_page;
++ log.padding2 = compat_log.padding2;
++ log.dirty_bitmap = compat_ptr(compat_log.dirty_bitmap);
++
++ r = kvm_vm_ioctl_clear_dirty_log(kvm, &log);
++ break;
++ }
++#endif
+ case KVM_GET_DIRTY_LOG: {
+ struct compat_kvm_dirty_log compat_log;
+ struct kvm_dirty_log log;
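Review bot: `struct compat_kvm_clear_dirty_log` is a hand-maintained mirror of the native struct and nothing ties the two together; if a field is ever added to one, the field-by-field copy in the new `KVM_CLEAR_DIRTY_LOG` case keeps compiling against a stale layout. A comment on the struct, `/* 32-bit ABI layout of struct kvm_clear_dirty_log; keep the fields in step */`, makes the coupling visible, and a word on why the copy is per field rather than a memcpy (the pointer width differs, hence `compat_ptr()`) would help too. The `#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT` guard presumably matches the one around the native handler, which is outside the hunk. kvm_vm_compat_ioctl continues past the hunk.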
--- /dev/null
+From 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Wed, 28 Jul 2021 08:49:09 +0200
+Subject: nfc: nfcsim: fix use after free during module unload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream.
+
+There is a use after free memory corruption during module exit:
+ - nfcsim_exit()
+ - nfcsim_device_free(dev0)
+ - nfc_digital_unregister_device()
+ This iterates over command queue and frees all commands,
+ - dev->up = false
+ - nfcsim_link_shutdown()
+ - nfcsim_link_recv_wake()
+ This wakes the sleeping thread nfcsim_link_recv_skb().
+
+ - nfcsim_link_recv_skb()
+ Wake from wait_event_interruptible_timeout(),
+ call directly the deb->cb callback even though (dev->up == false),
+ - digital_send_cmd_complete()
+ Dereference of "struct digital_cmd" cmd which was freed earlier by
+ nfc_digital_unregister_device().
+
+This causes memory corruption shortly after (with unrelated stack
+trace):
+
+ nfc nfc0: NFC: nfcsim_recv_wq: Device is down
+ llcp: nfc_llcp_recv: err -19
+ nfc nfc1: NFC: nfcsim_recv_wq: Device is down
+ BUG: unable to handle page fault for address: ffffffffffffffed
+ Call Trace:
+ fsnotify+0x54b/0x5c0
+ __fsnotify_parent+0x1fe/0x300
+ ? vfs_write+0x27c/0x390
+ vfs_write+0x27c/0x390
+ ksys_write+0x63/0xe0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+KASAN report:
+
+ BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50
+ Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71
+ Workqueue: events nfcsim_recv_wq [nfcsim]
+ Call Trace:
+ dump_stack_lvl+0x45/0x59
+ print_address_description.constprop.0+0x21/0x140
+ ? digital_send_cmd_complete+0x16/0x50
+ ? digital_send_cmd_complete+0x16/0x50
+ kasan_report.cold+0x7f/0x11b
+ ? digital_send_cmd_complete+0x16/0x50
+ ? digital_dep_link_down+0x60/0x60
+ digital_send_cmd_complete+0x16/0x50
+ nfcsim_recv_wq+0x38f/0x3d5 [nfcsim]
+ ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim]
+ ? lock_is_held_type+0x98/0x110
+ ? finish_wait+0x110/0x110
+ ? rcu_read_lock_sched_held+0x9c/0xd0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? lockdep_hardirqs_on_prepare+0x12e/0x1f0
+
+This flow of calling digital_send_cmd_complete() callback on driver exit
+is specific to nfcsim which implements reading and sending work queues.
+Since the NFC digital device was unregistered, the callback should not
+be called.
+
+Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/nfcsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/nfc/nfcsim.c
++++ b/drivers/nfc/nfcsim.c
+@@ -192,8 +192,7 @@ static void nfcsim_recv_wq(struct work_s
+
+ if (!IS_ERR(skb))
+ dev_kfree_skb(skb);
+-
+- skb = ERR_PTR(-ENODEV);
++ return;
+ }
+
+ dev->cb(dev->nfc_digital_dev, dev->arg, skb);
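Review bot: The `dev->up` test that the new `return;` depends on is read with no locking visible in the hunk, and the ordering the commit message gives (commands freed in nfc_digital_unregister_device(), then `dev->up = false`, then the wake-up) still leaves a window in which a work item that already passed the check, or returned from wait_event_interruptible_timeout() on timeout, calls `dev->cb` on a freed command; whether a lock or a flush of the recv work closes that window elsewhere cannot be seen here. A comment above the early return such as `/* dev->up is cleared before nfcsim_link_shutdown() wakes us; never reach dev->cb once it is false */` would record the ordering this fix relies on. nfcsim_recv_wq starts outside the hunk.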
--- /dev/null
+From 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Fri, 23 Jul 2021 16:13:04 +0100
+Subject: NIU: fix incorrect error return, missed in previous revert
+
+From: Paul Jakma <paul@jakma.org>
+
+commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream.
+
+Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect
+change to a return value. The niu_pci_vpd_scan_props(..) == 1 case appears
+to be a normal path - treating it as an error and return -EINVAL was
+breaking VPD_SCAN and causing the driver to fail to load.
+
+Fix, so my Neptune card works again.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Shannon Nelson <shannon.lee.nelson@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"')
+Signed-off-by: Paul Jakma <paul@jakma.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sun/niu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu
+ err = niu_pci_vpd_scan_props(np, here, end);
+ if (err < 0)
+ return err;
++ /* ret == 1 is not an error */
+ if (err == 1)
+- return -EINVAL;
++ return 0;
+ }
+ return 0;
+ }
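Review bot: The added comment says `ret == 1` but the variable tested on the next line is `err`, so the comment already disagrees with the code it annotates; `/* err == 1 is not an error */` matches, and if 1 signals the end of the VPD property list (as the description's VPD_SCAN wording suggests) saying so is more useful than restating the condition. Note also that the new `return 0;` and the `return 0;` after the closing brace yield the same value, so the early return only changes behaviour if that brace closes a loop; niu_pci_vpd_fetch starts outside the hunk, so this cannot be confirmed here.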
--- /dev/null
+From f267aeb6dea5e468793e5b8eb6a9c72c0020d418 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 29 Jul 2021 14:53:38 -0700
+Subject: ocfs2: fix zero out valid data
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit f267aeb6dea5e468793e5b8eb6a9c72c0020d418 upstream.
+
+If append-dio feature is enabled, direct-io write and fallocate could
+run in parallel to extend file size, fallocate used "orig_isize" to
+record i_size before taking "ip_alloc_sem", when
+ocfs2_zeroout_partial_cluster() zeroout EOF blocks, i_size maybe already
+extended by ocfs2_dio_end_io_write(), that will cause valid data zeroed
+out.
+
+Link: https://lkml.kernel.org/r/20210722054923.24389-1-junxiao.bi@oracle.com
+Fixes: 6bba4471f0cc ("ocfs2: fix data corruption by fallocate")
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1935,7 +1935,6 @@ static int __ocfs2_change_file_space(str
+ goto out_inode_unlock;
+ }
+
+- orig_isize = i_size_read(inode);
+ switch (sr->l_whence) {
+ case 0: /*SEEK_SET*/
+ break;
+@@ -1943,7 +1942,7 @@ static int __ocfs2_change_file_space(str
+ sr->l_start += f_pos;
+ break;
+ case 2: /*SEEK_END*/
+- sr->l_start += orig_isize;
++ sr->l_start += i_size_read(inode);
+ break;
+ default:
+ ret = -EINVAL;
+@@ -1998,6 +1997,7 @@ static int __ocfs2_change_file_space(str
+ ret = -EINVAL;
+ }
+
++ orig_isize = i_size_read(inode);
+ /* zeroout eof blocks in the cluster. */
+ if (!ret && change_size && orig_isize < size) {
+ ret = ocfs2_zeroout_partial_cluster(inode, orig_isize,
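Review bot: The relocated `orig_isize = i_size_read(inode);` carries no explanation, so a later cleanup could hoist it back beside the `switch` and reintroduce the data loss this commit fixes. A comment such as `/* Read i_size only here, after ip_alloc_sem is held: ocfs2_dio_end_io_write() may have extended the file meanwhile */` would pin the reason; the description implies the lock is held at this point, but the acquisition is outside the hunk. The SEEK_END branch in the second hunk still samples i_size before that lock, presumably acceptable because it only seeds `l_start` as the old code did. __ocfs2_change_file_space starts and ends outside these hunks.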
--- /dev/null
+From 9449ad33be8480f538b11a593e2dda2fb33ca06d Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 29 Jul 2021 14:53:41 -0700
+Subject: ocfs2: issue zeroout to EOF blocks
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 9449ad33be8480f538b11a593e2dda2fb33ca06d upstream.
+
+For punch holes in EOF blocks, fallocate used buffer write to zero the
+EOF blocks in last cluster. But since ->writepage will ignore EOF
+pages, those zeros will not be flushed.
+
+This "looks" ok as commit 6bba4471f0cc ("ocfs2: fix data corruption by
+fallocate") will zero the EOF blocks when extend the file size, but it
+isn't. The problem happened on those EOF pages, before writeback, those
+pages had DIRTY flag set and all buffer_head in them also had DIRTY flag
+set, when writeback run by write_cache_pages(), DIRTY flag on the page
+was cleared, but DIRTY flag on the buffer_head not.
+
+When next write happened to those EOF pages, since buffer_head already
+had DIRTY flag set, it would not mark page DIRTY again. That made
+writeback ignore them forever. That will cause data corruption. Even
+directio write can't work because it will fail when trying to drop pages
+caches before direct io, as it found the buffer_head for those pages
+still had DIRTY flag set, then it will fall back to buffer io mode.
+
+To summarize the issue: as writeback ignores EOF pages, once any
+EOF page is generated, any write to it will only go to the page cache,
+it will never be flushed to disk even file size extends and that page is
+not EOF page any more. The fix is to avoid zero EOF blocks with buffer
+write.
+
+The following code snippet from qemu-img could trigger the corruption.
+
+ 656 open("6b3711ae-3306-4bdd-823c-cf1c0060a095.conv.2", O_RDWR|O_DIRECT|O_CLOEXEC) = 11
+ ...
+ 660 fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2275868672, 327680 <unfinished ...>
+ 660 fallocate(11, 0, 2275868672, 327680) = 0
+ 658 pwrite64(11, "
+
+Link: https://lkml.kernel.org/r/20210722054923.24389-2-junxiao.bi@oracle.com
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c | 99 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 60 insertions(+), 39 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1529,6 +1529,45 @@ static void ocfs2_truncate_cluster_pages
+ }
+ }
+
++/*
++ * zero out partial blocks of one cluster.
++ *
++ * start: file offset where zero starts, will be made upper block aligned.
++ * len: it will be trimmed to the end of current cluster if "start + len"
++ * is bigger than it.
++ */
++static int ocfs2_zeroout_partial_cluster(struct inode *inode,
++ u64 start, u64 len)
++{
++ int ret;
++ u64 start_block, end_block, nr_blocks;
++ u64 p_block, offset;
++ u32 cluster, p_cluster, nr_clusters;
++ struct super_block *sb = inode->i_sb;
++ u64 end = ocfs2_align_bytes_to_clusters(sb, start);
++
++ if (start + len < end)
++ end = start + len;
++
++ start_block = ocfs2_blocks_for_bytes(sb, start);
++ end_block = ocfs2_blocks_for_bytes(sb, end);
++ nr_blocks = end_block - start_block;
++ if (!nr_blocks)
++ return 0;
++
++ cluster = ocfs2_bytes_to_clusters(sb, start);
++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
++ &nr_clusters, NULL);
++ if (ret)
++ return ret;
++ if (!p_cluster)
++ return 0;
++
++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
++}
++
+ static int ocfs2_zero_partial_clusters(struct inode *inode,
+ u64 start, u64 len)
+ {
+@@ -1538,6 +1577,7 @@ static int ocfs2_zero_partial_clusters(s
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+ unsigned int csize = osb->s_clustersize;
+ handle_t *handle;
++ loff_t isize = i_size_read(inode);
+
+ /*
+ * The "start" and "end" values are NOT necessarily part of
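Review bot: `isize` is declared `loff_t` here, but every value it is compared with or subtracted from in the following hunk — `end > isize`, `end - isize`, `start >= isize` — is `u64`, so each expression silently converts the signed i_size to unsigned. That is harmless while i_size is non-negative, but `u64 isize = i_size_read(inode);` keeps the arithmetic in one type and matches the `u64 start, u64 len` parameters of ocfs2_zeroout_partial_cluster() that `isize` and `end - isize` are passed to. ocfs2_zero_partial_clusters's body continues outside this hunk.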
+@@ -1558,6 +1598,26 @@ static int ocfs2_zero_partial_clusters(s
+ if ((start & (csize - 1)) == 0 && (end & (csize - 1)) == 0)
+ goto out;
+
++ /* No page cache for EOF blocks, issue zero out to disk. */
++ if (end > isize) {
++ /*
++ * zeroout eof blocks in last cluster starting from
++ * "isize" even "start" > "isize" because it is
++ * complicated to zeroout just at "start" as "start"
++ * may be not aligned with block size, buffer write
++ * would be required to do that, but out of eof buffer
++ * write is not supported.
++ */
++ ret = ocfs2_zeroout_partial_cluster(inode, isize,
++ end - isize);
++ if (ret) {
++ mlog_errno(ret);
++ goto out;
++ }
++ if (start >= isize)
++ goto out;
++ end = isize;
++ }
+ handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS);
+ if (IS_ERR(handle)) {
+ ret = PTR_ERR(handle);
+@@ -1856,45 +1916,6 @@ out:
+ }
+
+ /*
+- * zero out partial blocks of one cluster.
+- *
+- * start: file offset where zero starts, will be made upper block aligned.
+- * len: it will be trimmed to the end of current cluster if "start + len"
+- * is bigger than it.
+- */
+-static int ocfs2_zeroout_partial_cluster(struct inode *inode,
+- u64 start, u64 len)
+-{
+- int ret;
+- u64 start_block, end_block, nr_blocks;
+- u64 p_block, offset;
+- u32 cluster, p_cluster, nr_clusters;
+- struct super_block *sb = inode->i_sb;
+- u64 end = ocfs2_align_bytes_to_clusters(sb, start);
+-
+- if (start + len < end)
+- end = start + len;
+-
+- start_block = ocfs2_blocks_for_bytes(sb, start);
+- end_block = ocfs2_blocks_for_bytes(sb, end);
+- nr_blocks = end_block - start_block;
+- if (!nr_blocks)
+- return 0;
+-
+- cluster = ocfs2_bytes_to_clusters(sb, start);
+- ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
+- &nr_clusters, NULL);
+- if (ret)
+- return ret;
+- if (!p_cluster)
+- return 0;
+-
+- offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
+- p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
+- return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
+-}
+-
+-/*
+ * Parts of this function taken from xfs_change_file_space()
+ */
+ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
--- /dev/null
+From e0eef3690dc66b3ecc6e0f1267f332403eb22bea Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 28 Jul 2021 23:19:58 +0800
+Subject: Revert "ACPI: resources: Add checks for ACPI IRQ override"
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit e0eef3690dc66b3ecc6e0f1267f332403eb22bea upstream.
+
+The commit 0ec4e55e9f57 ("ACPI: resources: Add checks for ACPI IRQ
+override") introduces regression on some platforms, at least it makes
+the UART unable to get a correct irq setting on two different platforms,
+and it prevents the kernel from booting on these two platforms.
+
+This reverts commit 0ec4e55e9f571f08970ed115ec0addc691eda613.
+
+Regression-discuss: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Reported-by: PGNd <pgnet.dev@gmail.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/resource.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -430,13 +430,6 @@ static void acpi_dev_get_irqresource(str
+ }
+ }
+
+-static bool irq_is_legacy(struct acpi_resource_irq *irq)
+-{
+- return irq->triggering == ACPI_EDGE_SENSITIVE &&
+- irq->polarity == ACPI_ACTIVE_HIGH &&
+- irq->shareable == ACPI_EXCLUSIVE;
+-}
+-
+ /**
+ * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information.
+ * @ares: Input ACPI resource object.
+@@ -475,7 +468,7 @@ bool acpi_dev_resource_interrupt(struct
+ }
+ acpi_dev_get_irqresource(res, irq->interrupts[index],
+ irq->triggering, irq->polarity,
+- irq->shareable, irq_is_legacy(irq));
++ irq->shareable, true);
+ break;
+ case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ ext_irq = &ares->data.extended_irq;
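Review bot: The restored call passes a bare `true` as the last argument of acpi_dev_get_irqresource(), and with the irq_is_legacy() helper removed nothing at the call site says what the literal means; judging by the removed helper's name it is presumably the legacy/override flag, but that is inferred. A short comment such as `/* always treated as legacy: the triggering/polarity/shareable check was reverted, see bugzilla 213031 */` would keep the next reader from re-adding the check without seeing the regression report. acpi_dev_resource_interrupt starts outside the hunk.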
net_sched-check-error-pointer-in-tcf_dump_walker.patch
x86-asm-ensure-asm-proto.h-can-be-included-stand-alo.patch
+btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch
+btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch
+revert-acpi-resources-add-checks-for-acpi-irq-override.patch
+x86-kvm-fix-vcpu-id-indexed-array-sizes.patch
+kvm-add-missing-compat-kvm_clear_dirty_log.patch
+ocfs2-fix-zero-out-valid-data.patch
+ocfs2-issue-zeroout-to-eof-blocks.patch
+can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch
+can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch
+can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch
+can-usb_8dev-fix-memory-leak.patch
+can-ems_usb-fix-memory-leak.patch
+can-esd_usb2-fix-memory-leak.patch
+hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch
+niu-fix-incorrect-error-return-missed-in-previous-revert.patch
+nfc-nfcsim-fix-use-after-free-during-module-unload.patch
--- /dev/null
+From 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 1 Jul 2021 17:41:00 +0200
+Subject: x86/kvm: fix vcpu-id indexed array sizes
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 upstream.
+
+KVM_MAX_VCPU_ID is the maximum vcpu-id of a guest, and not the number
+of vcpu-ids. Fix array indexed by vcpu-id to have KVM_MAX_VCPU_ID+1
+elements.
+
+Note that this is currently no real problem, as KVM_MAX_VCPU_ID is
+an odd number, resulting in always enough padding being available at
+the end of those arrays.
+
+Nevertheless this should be fixed in order to avoid rare problems in
+case someone is using an even number for KVM_MAX_VCPU_ID.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-Id: <20210701154105.23215-2-jgross@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 2 +-
+ arch/x86/kvm/ioapic.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -91,7 +91,7 @@ static unsigned long ioapic_read_indirec
+ static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
+ {
+ ioapic->rtc_status.pending_eoi = 0;
+- bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
++ bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID + 1);
+ }
+
+ static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
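Review bot: `KVM_MAX_VCPU_ID + 1` now appears as a size at three sites — the `bitmap_zero()` here and the `DECLARE_BITMAP` and `u8 vectors[]` members in the ioapic.h hunk — so the bitmap length and the array bound can drift apart again if only one is edited. A single named constant in ioapic.h, e.g. `#define KVM_MAX_VCPU_IDS (KVM_MAX_VCPU_ID + 1)` (name constructed here), used at all three sites would tie them together, and its name would document the point the description makes, that the value is a count rather than a maximum id.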
+--- a/arch/x86/kvm/ioapic.h
++++ b/arch/x86/kvm/ioapic.h
+@@ -43,13 +43,13 @@ struct kvm_vcpu;
+
+ struct dest_map {
+ /* vcpu bitmap where IRQ has been sent */
+- DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
++ DECLARE_BITMAP(map, KVM_MAX_VCPU_ID + 1);
+
+ /*
+ * Vector sent to a given vcpu, only valid when
+ * the vcpu's bit in map is set
+ */
+- u8 vectors[KVM_MAX_VCPU_ID];
++ u8 vectors[KVM_MAX_VCPU_ID + 1];
+ };
+
+