4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Oct 2021 11:43:56 +0000 (13:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Oct 2021 11:43:56 +0000 (13:43 +0200)
added patches:
alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
asoc-dapm-fix-missing-kctl-change-notifications.patch
can-peak_pci-peak_pci_remove-fix-uaf.patch
can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
can-rcar_can-fix-suspend-resume.patch
elfcore-correct-reference-to-config_uml.patch
ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch

queue-4.9/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch [new file with mode: 0644]
queue-4.9/asoc-dapm-fix-missing-kctl-change-notifications.patch [new file with mode: 0644]
queue-4.9/can-peak_pci-peak_pci_remove-fix-uaf.patch [new file with mode: 0644]
queue-4.9/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch [new file with mode: 0644]
queue-4.9/can-rcar_can-fix-suspend-resume.patch [new file with mode: 0644]
queue-4.9/elfcore-correct-reference-to-config_uml.patch [new file with mode: 0644]
queue-4.9/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch [new file with mode: 0644]
queue-4.9/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch b/queue-4.9/alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
new file mode 100644 (file)
index 0000000..a14d976
--- /dev/null
@@ -0,0 +1,67 @@
+From 3c414eb65c294719a91a746260085363413f91c1 Mon Sep 17 00:00:00 2001
+From: Brendan Grieve <brendan@grieve.com.au>
+Date: Fri, 15 Oct 2021 10:53:35 +0800
+Subject: ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
+
+From: Brendan Grieve <brendan@grieve.com.au>
+
+commit 3c414eb65c294719a91a746260085363413f91c1 upstream.
+
+As per discussion at: https://github.com/szszoke/sennheiser-gsp670-pulseaudio-profile/issues/13
+
+The GSP670 has 2 playback and 1 recording device that by default are
+detected in an incompatible order for alsa. This may have been done to make
+it compatible for the console by the manufacturer and only affects the
+latest firmware which uses its own ID.
+
+This quirk will resolve this by reordering the channels.
+
+Signed-off-by: Brendan Grieve <brendan@grieve.com.au>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211015025335.196592-1-brendan@grieve.com.au
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks-table.h |   32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3446,5 +3446,37 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+               }
+       }
+ },
++{
++      /*
++       * Sennheiser GSP670
++       * Change order of interfaces loaded
++       */
++      USB_DEVICE(0x1395, 0x0300),
++      .bInterfaceClass = USB_CLASS_PER_INTERFACE,
++      .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++              .ifnum = QUIRK_ANY_INTERFACE,
++              .type = QUIRK_COMPOSITE,
++              .data = &(const struct snd_usb_audio_quirk[]) {
++                      // Communication
++                      {
++                              .ifnum = 3,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      // Recording
++                      {
++                              .ifnum = 4,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      // Main
++                      {
++                              .ifnum = 1,
++                              .type = QUIRK_AUDIO_STANDARD_INTERFACE
++                      },
++                      {
++                              .ifnum = -1
++                      }
++              }
++      }
++},
+ #undef USB_DEVICE_VENDOR_SPEC
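Review bot: The three sub-entry comments use C99 `//` (`// Communication`, `// Recording`, `// Main`) while the entry's own header a few lines above uses the block style of the surrounding table; switching them to `/* Communication */`, `/* Recording */` and `/* Main */` keeps the table uniform. It would also help to carry the constraint stated in the commit message into the header comment, e.g. `* Interface numbers 3/4/1 match the descriptor layout of the latest firmware only`, since the hard-coded `.ifnum` values silently depend on that layout and nothing in the entry says so.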
diff --git a/queue-4.9/asoc-dapm-fix-missing-kctl-change-notifications.patch b/queue-4.9/asoc-dapm-fix-missing-kctl-change-notifications.patch
new file mode 100644 (file)
index 0000000..03c3ee2
--- /dev/null
@@ -0,0 +1,81 @@
+From 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 6 Oct 2021 16:17:12 +0200
+Subject: ASoC: DAPM: Fix missing kctl change notifications
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5af82c81b2c49cfb1cad84d9eb6eab0e3d1c4842 upstream.
+
+The put callback of a kcontrol is supposed to return 1 when the value
+is changed, and this will be notified to user-space.  However, some
+DAPM kcontrols always return 0 (except for errors), hence the
+user-space misses the update of a control value.
+
+This patch corrects the behavior by properly returning 1 when the
+value gets updated.
+
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20211006141712.2439-1-tiwai@suse.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2410,6 +2410,7 @@ static int snd_soc_dapm_set_pin(struct s
+                               const char *pin, int status)
+ {
+       struct snd_soc_dapm_widget *w = dapm_find_widget(dapm, pin, true);
++      int ret = 0;
+       dapm_assert_locked(dapm);
+@@ -2422,13 +2423,14 @@ static int snd_soc_dapm_set_pin(struct s
+               dapm_mark_dirty(w, "pin configuration");
+               dapm_widget_invalidate_input_paths(w);
+               dapm_widget_invalidate_output_paths(w);
++              ret = 1;
+       }
+       w->connected = status;
+       if (status == 0)
+               w->force = 0;
+-      return 0;
++      return ret;
+ }
+ /**
+@@ -3323,14 +3325,15 @@ int snd_soc_dapm_put_pin_switch(struct s
+ {
+       struct snd_soc_card *card = snd_kcontrol_chip(kcontrol);
+       const char *pin = (const char *)kcontrol->private_value;
++      int ret;
+       if (ucontrol->value.integer.value[0])
+-              snd_soc_dapm_enable_pin(&card->dapm, pin);
++              ret = snd_soc_dapm_enable_pin(&card->dapm, pin);
+       else
+-              snd_soc_dapm_disable_pin(&card->dapm, pin);
++              ret = snd_soc_dapm_disable_pin(&card->dapm, pin);
+       snd_soc_dapm_sync(&card->dapm);
+-      return 0;
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_dapm_put_pin_switch);
+@@ -3706,7 +3709,7 @@ static int snd_soc_dapm_dai_link_put(str
+       w->params_select = ucontrol->value.enumerated.item[0];
+-      return 0;
++      return 1;
+ }
+ int snd_soc_dapm_new_pcm(struct snd_soc_card *card,
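Review bot: `snd_soc_dapm_dai_link_put()` now returns 1 unconditionally after the assignment, which is only correct if the early `return 0` for an unchanged `params_select` earlier in the function (outside this hunk) is present in 4.9; otherwise every write would raise a spurious change event. A short comment above the return, `/* params_select differs from the written value (checked above): report the change */`, would tie the two together. Separately, `snd_soc_dapm_put_pin_switch()` now propagates the negative result of the pin lookup instead of swallowing it as 0 — correct for a put callback, but a user-visible change (writes naming an unknown pin now fail instead of succeeding silently) that the stable changelog should mention. Both functions start outside the hunk.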
diff --git a/queue-4.9/can-peak_pci-peak_pci_remove-fix-uaf.patch b/queue-4.9/can-peak_pci-peak_pci_remove-fix-uaf.patch
new file mode 100644 (file)
index 0000000..7926b0b
--- /dev/null
@@ -0,0 +1,62 @@
+From 949fe9b35570361bc6ee2652f89a0561b26eec98 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Thu, 14 Oct 2021 06:28:33 +0000
+Subject: can: peak_pci: peak_pci_remove(): fix UAF
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream.
+
+When remove the module peek_pci, referencing 'chan' again after
+releasing 'dev' will cause UAF.
+
+Fix this by releasing 'dev' later.
+
+The following log reveals it:
+
+[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
+[   35.965513 ] Call Trace:
+[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
+[   35.966028 ]  print_address_description+0x87/0x3b0
+[   35.966420 ]  kasan_report+0x172/0x1c0
+[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
+[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
+[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
+[   35.968752 ]  pci_device_remove+0xa9/0x250
+
+Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards")
+Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/sja1000/peak_pci.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/sja1000/peak_pci.c
++++ b/drivers/net/can/sja1000/peak_pci.c
+@@ -736,16 +736,15 @@ static void peak_pci_remove(struct pci_d
+               struct net_device *prev_dev = chan->prev_dev;
+               dev_info(&pdev->dev, "removing device %s\n", dev->name);
++              /* do that only for first channel */
++              if (!prev_dev && chan->pciec_card)
++                      peak_pciec_remove(chan->pciec_card);
+               unregister_sja1000dev(dev);
+               free_sja1000dev(dev);
+               dev = prev_dev;
+-              if (!dev) {
+-                      /* do that only for first channel */
+-                      if (chan->pciec_card)
+-                              peak_pciec_remove(chan->pciec_card);
++              if (!dev)
+                       break;
+-              }
+               priv = netdev_priv(dev);
+               chan = priv->priv;
+       }
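Review bot: Moving `peak_pciec_remove()` ahead of `free_sja1000dev()` closes the reported read, but it now also runs before `unregister_sja1000dev(dev)`, so for the first channel the PCIEC card is freed while its netdev is still registered and possibly up; if `peak_pciec_write_reg()` (outside the hunk) still reaches `chan->pciec_card` on the SJA1000_MOD write that sja1000_close() issues during unregister, that is a fresh use-after-free on the same card. The ordering that avoids both is to keep `unregister_sja1000dev(dev);` first, then the `if (!prev_dev && chan->pciec_card)` block, then `free_sja1000dev(dev);`, since only the free invalidates `chan`. A `/* chan lives in dev's priv: tear the card down before the netdev is freed */` comment would record the constraint. The enclosing remove loop starts outside the hunk.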
diff --git a/queue-4.9/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch b/queue-4.9/can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
new file mode 100644 (file)
index 0000000..f8eaeae
--- /dev/null
@@ -0,0 +1,38 @@
+From 3d031abc7e7249573148871180c28ecedb5e27df Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Wed, 29 Sep 2021 16:21:10 +0200
+Subject: can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit 3d031abc7e7249573148871180c28ecedb5e27df upstream.
+
+This corrects the lack of notification of a return to ERROR_ACTIVE
+state for USB - CANFD devices from PEAK-System.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -559,11 +559,10 @@ static int pcan_usb_fd_decode_status(str
+       } else if (sm->channel_p_w_b & PUCAN_BUS_WARNING) {
+               new_state = CAN_STATE_ERROR_WARNING;
+       } else {
+-              /* no error bit (so, no error skb, back to active state) */
+-              dev->can.state = CAN_STATE_ERROR_ACTIVE;
++              /* back to (or still in) ERROR_ACTIVE state */
++              new_state = CAN_STATE_ERROR_ACTIVE;
+               pdev->bec.txerr = 0;
+               pdev->bec.rxerr = 0;
+-              return 0;
+       }
+       /* state hasn't changed */
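Review bot: The else branch now falls through to the common state-change path instead of returning, so the code after the hunk must handle `new_state == CAN_STATE_ERROR_ACTIVE`; on this 4.9 backport it is worth confirming that the tail of pcan_usb_fd_decode_status() still goes through can_change_state() or otherwise knows how to emit the back-to-active error frame, since that tail was written when this value could never reach it. Because `pdev->bec.txerr`/`rxerr` are zeroed before the comparison, any error frame emitted for the transition will report 0/0 counters, which is the intended value for ERROR_ACTIVE; a comment like `/* counters are reset first so the state-change frame reports 0/0 */` would make that ordering deliberate rather than incidental. The function starts and ends outside the hunk.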
diff --git a/queue-4.9/can-rcar_can-fix-suspend-resume.patch b/queue-4.9/can-rcar_can-fix-suspend-resume.patch
new file mode 100644 (file)
index 0000000..2a6a6a5
--- /dev/null
@@ -0,0 +1,68 @@
+From f7c05c3987dcfde9a4e8c2d533db013fabebca0d Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 24 Sep 2021 16:55:56 +0900
+Subject: can: rcar_can: fix suspend/resume
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream.
+
+If the driver was not opened, rcar_can_suspend() should not call
+clk_disable() because the clock was not enabled.
+
+Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
+Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Ayumi Nakamichi <ayumi.nakamichi.kf@renesas.com>
+Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_can.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_can.c
++++ b/drivers/net/can/rcar/rcar_can.c
+@@ -858,10 +858,12 @@ static int __maybe_unused rcar_can_suspe
+       struct rcar_can_priv *priv = netdev_priv(ndev);
+       u16 ctlr;
+-      if (netif_running(ndev)) {
+-              netif_stop_queue(ndev);
+-              netif_device_detach(ndev);
+-      }
++      if (!netif_running(ndev))
++              return 0;
++
++      netif_stop_queue(ndev);
++      netif_device_detach(ndev);
++
+       ctlr = readw(&priv->regs->ctlr);
+       ctlr |= RCAR_CAN_CTLR_CANM_HALT;
+       writew(ctlr, &priv->regs->ctlr);
+@@ -880,6 +882,9 @@ static int __maybe_unused rcar_can_resum
+       u16 ctlr;
+       int err;
++      if (!netif_running(ndev))
++              return 0;
++
+       err = clk_enable(priv->clk);
+       if (err) {
+               netdev_err(ndev, "clk_enable() failed, error %d\n", err);
+@@ -893,10 +898,9 @@ static int __maybe_unused rcar_can_resum
+       writew(ctlr, &priv->regs->ctlr);
+       priv->can.state = CAN_STATE_ERROR_ACTIVE;
+-      if (netif_running(ndev)) {
+-              netif_device_attach(ndev);
+-              netif_start_queue(ndev);
+-      }
++      netif_device_attach(ndev);
++      netif_start_queue(ndev);
++
+       return 0;
+ }
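Review bot: The two early returns mirror each other on `netif_running()`, but neither says why that is the right gate; a comment in rcar_can_suspend() such as `/* clock and controller are only enabled by ndo_open; a closed device has nothing to save */` and its counterpart in rcar_can_resume() would stop the next reader from "fixing" one side only. The asymmetry that remains is in resume: if the `clk_enable()` call fails, the netdev is still detached with its queue stopped from suspend and the error branch presumably returns without re-attaching it — pre-existing, but now the only path that can leave a running device in that state, so worth a note in that branch. Both functions start outside the hunk.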
diff --git a/queue-4.9/elfcore-correct-reference-to-config_uml.patch b/queue-4.9/elfcore-correct-reference-to-config_uml.patch
new file mode 100644 (file)
index 0000000..af36801
--- /dev/null
@@ -0,0 +1,56 @@
+From b0e901280d9860a0a35055f220e8e457f300f40a Mon Sep 17 00:00:00 2001
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Date: Mon, 18 Oct 2021 15:16:09 -0700
+Subject: elfcore: correct reference to CONFIG_UML
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+commit b0e901280d9860a0a35055f220e8e457f300f40a upstream.
+
+Commit 6e7b64b9dd6d ("elfcore: fix building with clang") introduces
+special handling for two architectures, ia64 and User Mode Linux.
+However, the wrong name, i.e., CONFIG_UM, for the intended Kconfig
+symbol for User-Mode Linux was used.
+
+Although the directory for User Mode Linux is ./arch/um; the Kconfig
+symbol for this architecture is called CONFIG_UML.
+
+Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs:
+
+  UM
+  Referencing files: include/linux/elfcore.h
+  Similar symbols: UML, NUMA
+
+Correct the name of the config to the intended one.
+
+[akpm@linux-foundation.org: fix um/x86_64, per Catalin]
+  Link: https://lkml.kernel.org/r/20211006181119.2851441-1-catalin.marinas@arm.com
+  Link: https://lkml.kernel.org/r/YV6pejGzLy5ppEpt@arm.com
+
+Link: https://lkml.kernel.org/r/20211006082209.417-1-lukas.bulwahn@gmail.com
+Fixes: 6e7b64b9dd6d ("elfcore: fix building with clang")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Barret Rhoden <brho@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/elfcore.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/elfcore.h
++++ b/include/linux/elfcore.h
+@@ -55,7 +55,7 @@ static inline int elf_core_copy_task_xfp
+ }
+ #endif
+-#if defined(CONFIG_UM) || defined(CONFIG_IA64)
++#if (defined(CONFIG_UML) && defined(CONFIG_X86_32)) || defined(CONFIG_IA64)
+ /*
+  * These functions parameterize elf_core_dump in fs/binfmt_elf.c to write out
+  * extra segments containing the gate DSO contents.  Dumping its
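Review bot: The new condition encodes an arch-specific exception — UML only on x86_32 — with nothing in the header explaining it, which invites the next person to "simplify" it back to `defined(CONFIG_UML)`; a comment above the `#if`, e.g. `/* UML: only the x86_32 port provides a gate DSO to dump; um/x86_64 must take the stub path (akpm fixup, per Catalin) */`, would preserve the reasoning. The exact reason for excluding um/x86_64 is not visible in the hunk and is presumably a build failure on that target, so the wording should be confirmed against the linked discussion before landing.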
diff --git a/queue-4.9/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch b/queue-4.9/ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
new file mode 100644 (file)
index 0000000..1f7d40e
--- /dev/null
@@ -0,0 +1,179 @@
+From 5314454ea3ff6fc746eaf71b9a7ceebed52888fa Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 18 Oct 2021 15:15:39 -0700
+Subject: ocfs2: fix data corruption after conversion from inline format
+
+From: Jan Kara <jack@suse.cz>
+
+commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream.
+
+Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in
+block_write_full_page()") uncovered a latent bug in ocfs2 conversion
+from inline inode format to a normal inode format.
+
+The code in ocfs2_convert_inline_data_to_extents() attempts to zero out
+the whole cluster allocated for file data by grabbing, zeroing, and
+dirtying all pages covering this cluster.  However these pages are
+beyond i_size, thus writeback code generally ignores these dirty pages
+and no blocks were ever actually zeroed on the disk.
+
+This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero
+pages past i_size.") for standard ocfs2 write path, inline conversion
+path was apparently forgotten; the commit log also has a reasoning why
+the zeroing actually is not needed.
+
+After commit 6dbf7bb55598, things became worse as writeback code stopped
+invalidating buffers on pages beyond i_size and thus these pages end up
+with clean PageDirty bit but with buffers attached to these pages being
+still dirty.  So when a file is converted from inline format, then
+writeback triggers, and then the file is grown so that these pages
+become valid, the invalid dirtiness state is preserved,
+mark_buffer_dirty() does nothing on these pages (buffers are already
+dirty) but page is never written back because it is clean.  So data
+written to these pages is lost once pages are reclaimed.
+
+Simple reproducer for the problem is:
+
+  xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \
+    -c "pwrite 4000 2000" ocfs2_file
+
+After unmounting and mounting the fs again, you can observe that end of
+'ocfs2_file' has lost its contents.
+
+Fix the problem by not doing the pointless zeroing during conversion
+from inline format similarly as in the standard write path.
+
+[akpm@linux-foundation.org: fix whitespace, per Joseph]
+
+Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz
+Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Acked-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: "Markov, Andrey" <Markov.Andrey@Dell.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/alloc.c |   46 ++++++++++++----------------------------------
+ 1 file changed, 12 insertions(+), 34 deletions(-)
+
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -6891,7 +6891,7 @@ void ocfs2_set_inode_data_inline(struct
+ int ocfs2_convert_inline_data_to_extents(struct inode *inode,
+                                        struct buffer_head *di_bh)
+ {
+-      int ret, i, has_data, num_pages = 0;
++      int ret, has_data, num_pages = 0;
+       int need_free = 0;
+       u32 bit_off, num;
+       handle_t *handle;
+@@ -6900,26 +6900,17 @@ int ocfs2_convert_inline_data_to_extents
+       struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+       struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+       struct ocfs2_alloc_context *data_ac = NULL;
+-      struct page **pages = NULL;
+-      loff_t end = osb->s_clustersize;
++      struct page *page = NULL;
+       struct ocfs2_extent_tree et;
+       int did_quota = 0;
+       has_data = i_size_read(inode) ? 1 : 0;
+       if (has_data) {
+-              pages = kcalloc(ocfs2_pages_per_cluster(osb->sb),
+-                              sizeof(struct page *), GFP_NOFS);
+-              if (pages == NULL) {
+-                      ret = -ENOMEM;
+-                      mlog_errno(ret);
+-                      return ret;
+-              }
+-
+               ret = ocfs2_reserve_clusters(osb, 1, &data_ac);
+               if (ret) {
+                       mlog_errno(ret);
+-                      goto free_pages;
++                      goto out;
+               }
+       }
+@@ -6939,7 +6930,8 @@ int ocfs2_convert_inline_data_to_extents
+       }
+       if (has_data) {
+-              unsigned int page_end;
++              unsigned int page_end = min_t(unsigned, PAGE_SIZE,
++                                                      osb->s_clustersize);
+               u64 phys;
+               ret = dquot_alloc_space_nodirty(inode,
+@@ -6963,15 +6955,8 @@ int ocfs2_convert_inline_data_to_extents
+                */
+               block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off);
+-              /*
+-               * Non sparse file systems zero on extend, so no need
+-               * to do that now.
+-               */
+-              if (!ocfs2_sparse_alloc(osb) &&
+-                  PAGE_SIZE < osb->s_clustersize)
+-                      end = PAGE_SIZE;
+-
+-              ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages);
++              ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page,
++                                         &num_pages);
+               if (ret) {
+                       mlog_errno(ret);
+                       need_free = 1;
+@@ -6982,20 +6967,15 @@ int ocfs2_convert_inline_data_to_extents
+                * This should populate the 1st page for us and mark
+                * it up to date.
+                */
+-              ret = ocfs2_read_inline_data(inode, pages[0], di_bh);
++              ret = ocfs2_read_inline_data(inode, page, di_bh);
+               if (ret) {
+                       mlog_errno(ret);
+                       need_free = 1;
+                       goto out_unlock;
+               }
+-              page_end = PAGE_SIZE;
+-              if (PAGE_SIZE > osb->s_clustersize)
+-                      page_end = osb->s_clustersize;
+-
+-              for (i = 0; i < num_pages; i++)
+-                      ocfs2_map_and_dirty_page(inode, handle, 0, page_end,
+-                                               pages[i], i > 0, &phys);
++              ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0,
++                                       &phys);
+       }
+       spin_lock(&oi->ip_lock);
+@@ -7026,8 +7006,8 @@ int ocfs2_convert_inline_data_to_extents
+       }
+ out_unlock:
+-      if (pages)
+-              ocfs2_unlock_and_free_pages(pages, num_pages);
++      if (page)
++              ocfs2_unlock_and_free_pages(&page, num_pages);
+ out_commit:
+       if (ret < 0 && did_quota)
+@@ -7051,8 +7031,6 @@ out_commit:
+ out:
+       if (data_ac)
+               ocfs2_free_alloc_context(data_ac);
+-free_pages:
+-      kfree(pages);
+       return ret;
+ }
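Review bot: `ocfs2_grab_eof_pages(inode, 0, page_end, &page, &num_pages)` passes the address of a single `struct page *` as the output array, so correctness depends on the helper filling at most one slot, which is only true because `page_end` was clamped to `PAGE_SIZE` a few lines earlier; that coupling deserves a comment next to the call, e.g. `/* page_end <= PAGE_SIZE: [0, page_end) is one page, so &page is a one-element array */`. A defensive `WARN_ON_ONCE(num_pages > 1);` after the call would turn a future change to the clamp into a warning rather than a silent stack overwrite. The function is split across several hunks here, so the context between them is not shown.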
diff --git a/queue-4.9/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/queue-4.9/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
new file mode 100644 (file)
index 0000000..e905a28
--- /dev/null
@@ -0,0 +1,87 @@
+From b15fa9224e6e1239414525d8d556d824701849fc Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Mon, 18 Oct 2021 15:15:42 -0700
+Subject: ocfs2: mount fails with buffer overflow in strlen
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+commit b15fa9224e6e1239414525d8d556d824701849fc upstream.
+
+Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an
+ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the
+trace below.  Problem seems to be that strings for cluster stack and
+cluster name are not guaranteed to be null terminated in the disk
+representation, while strlcpy assumes that the source string is always
+null terminated.  This causes a read outside of the source string
+triggering the buffer overflow detection.
+
+  detected buffer overflow in strlen
+  ------------[ cut here ]------------
+  kernel BUG at lib/string.c:1149!
+  invalid opcode: 0000 [#1] SMP PTI
+  CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
+    Debian 5.14.6-2
+  RIP: 0010:fortify_panic+0xf/0x11
+  ...
+  Call Trace:
+   ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
+   ocfs2_fill_super+0x359/0x19b0 [ocfs2]
+   mount_bdev+0x185/0x1b0
+   legacy_get_tree+0x27/0x40
+   vfs_get_tree+0x25/0xb0
+   path_mount+0x454/0xa20
+   __x64_sys_mount+0x103/0x140
+   do_syscall_64+0x3b/0xc0
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2189,11 +2189,17 @@ static int ocfs2_initialize_super(struct
+       }
+       if (ocfs2_clusterinfo_valid(osb)) {
++              /*
++               * ci_stack and ci_cluster in ocfs2_cluster_info may not be null
++               * terminated, so make sure no overflow happens here by using
++               * memcpy. Destination strings will always be null terminated
++               * because osb is allocated using kzalloc.
++               */
+               osb->osb_stackflags =
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
+-              strlcpy(osb->osb_cluster_stack,
++              memcpy(osb->osb_cluster_stack,
+                      OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
+-                     OCFS2_STACK_LABEL_LEN + 1);
++                     OCFS2_STACK_LABEL_LEN);
+               if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
+                       mlog(ML_ERROR,
+                            "couldn't mount because of an invalid "
+@@ -2202,9 +2208,9 @@ static int ocfs2_initialize_super(struct
+                       status = -EINVAL;
+                       goto bail;
+               }
+-              strlcpy(osb->osb_cluster_name,
++              memcpy(osb->osb_cluster_name,
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
+-                      OCFS2_CLUSTER_NAME_LEN + 1);
++                      OCFS2_CLUSTER_NAME_LEN);
+       } else {
+               /* The empty string is identical with classic tools that
+                * don't know about s_cluster_info. */
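Review bot: Termination of `osb_cluster_stack` and `osb_cluster_name` now rests entirely on the comment's claim that `osb` came from kzalloc() and that both arrays are one byte longer than the copied length, neither of which is visible in this hunk; it is cheap to make it local and explicit with `osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';` after the first memcpy and `osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';` after the second, so the `strlen()` check that follows cannot walk past the buffer if the allocation or the array sizes ever change. Note that `ci_cluster` from the on-disk superblock is still copied with no content check at all, whereas `ci_stack` is at least length-validated — pre-existing and out of scope, but worth a follow-up since the superblock of a mounted image is untrusted input. ocfs2_initialize_super() starts and ends outside the hunk.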
index c954e759ba7ffa6e895ac3431cb0fd9010198b72..cfa5f96b63f2d27f76db66c57d8dc930d7962954 100644 (file)
@@ -28,3 +28,12 @@ xtensa-xtfpga-try-software-restart-before-simulating.patch
 nfsd-keep-existing-listeners-on-portlist-error.patch
 netfilter-ipvs-make-global-sysctl-readonly-in-non-in.patch
 nios2-irqflags-rename-a-redefined-register-name.patch
+can-rcar_can-fix-suspend-resume.patch
+can-peak_usb-pcan_usb_fd_decode_status-fix-back-to-error_active-state-notification.patch
+can-peak_pci-peak_pci_remove-fix-uaf.patch
+ocfs2-fix-data-corruption-after-conversion-from-inline-format.patch
+ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
+elfcore-correct-reference-to-config_uml.patch
+vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
+alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
+asoc-dapm-fix-missing-kctl-change-notifications.patch
diff --git a/queue-4.9/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch b/queue-4.9/vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch
new file mode 100644 (file)
index 0000000..834a0ed
--- /dev/null
@@ -0,0 +1,45 @@
+From 032146cda85566abcd1c4884d9d23e4e30a07e9a Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Mon, 18 Oct 2021 15:16:12 -0700
+Subject: vfs: check fd has read access in kernel_read_file_from_fd()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 032146cda85566abcd1c4884d9d23e4e30a07e9a upstream.
+
+If we open a file without read access and then pass the fd to a syscall
+whose implementation calls kernel_read_file_from_fd(), we get a warning
+from __kernel_read():
+
+        if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
+
+This currently affects both finit_module() and kexec_file_load(), but it
+could affect other syscalls in the future.
+
+Link: https://lkml.kernel.org/r/20211007220110.600005-1-willy@infradead.org
+Fixes: b844f0ecbc56 ("vfs: define kernel_copy_file_from_fd()")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -994,7 +994,7 @@ int kernel_read_file_from_fd(int fd, voi
+       struct fd f = fdget(fd);
+       int ret = -EBADF;
+-      if (!f.file)
++      if (!f.file || !(f.file->f_mode & FMODE_READ))
+               goto out;
+       ret = kernel_read_file(f.file, buf, size, max_size, id);
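Review bot: The new `FMODE_READ` gate returns -EBADF before `kernel_read_file()` runs, which matches what read(2)/vfs_read() report for a descriptor opened without read access, so finit_module() and kexec_file_load() now see a consistent error; a one-line comment would make the intent explicit: `/* mirror vfs_read(): a descriptor without read access is EBADF, not a kernel warning */`. One consequence worth stating in the changelog is that the `security_kernel_read_file()` hook inside kernel_read_file() (outside the hunk) is presumably no longer reached for such descriptors, so an LSM or IMA policy never sees the rejected attempt — benign, but a visible behaviour change. The rest of kernel_read_file_from_fd() lies outside the hunk.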