--- /dev/null
+From cf89af146b7e62af55470cf5f3ec3c56ec144a5e Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Fri, 30 Oct 2020 06:53:56 +0800
+Subject: btrfs: dev-replace: fail mount if we don't have replace item with target device
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit cf89af146b7e62af55470cf5f3ec3c56ec144a5e upstream.
+
+If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace
+item, then it means the filesystem is inconsistent state. This is either
+corruption or a crafted image. Fail the mount as this needs a closer
+look what is actually wrong.
+
+As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace
+item, in __btrfs_free_extra_devids() we determine that there is an
+extra device, and free those extra devices but continue to mount the
+device.
+However, we were wrong in keeping tack of the rw_devices so the syzbot
+testcase failed:
+
+ WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ panic+0x347/0x7c0 kernel/panic.c:231
+ __warn.cold+0x20/0x46 kernel/panic.c:600
+ report_bug+0x1bd/0x210 lib/bug.c:198
+ handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234
+ exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
+ asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
+ RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
+ RSP: 0018:ffffc900091777e0 EFLAGS: 00010246
+ RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000
+ RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007
+ RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f
+ R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130
+ R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050
+ close_fs_devices fs/btrfs/volumes.c:1193 [inline]
+ btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179
+ open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434
+ btrfs_fill_super fs/btrfs/super.c:1316 [inline]
+ btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672
+
+The fix here is, when we determine that there isn't a replace item
+then fail the mount if there is a replace target device (devid 0).
+
+CC: stable@vger.kernel.org # 4.19+
+Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/dev-replace.c | 26 ++++++++++++++++++++++++--
+ fs/btrfs/volumes.c | 26 +++++++-------------------
+ 2 files changed, 31 insertions(+), 21 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -54,6 +54,17 @@ int btrfs_init_dev_replace(struct btrfs_
+ ret = btrfs_search_slot(NULL, dev_root, &key, path, 0, 0);
+ if (ret) {
+ no_valid_dev_replace_entry_found:
++ /*
++ * We don't have a replace item or it's corrupted. If there is
++ * a replace target, fail the mount.
++ */
++ if (btrfs_find_device(fs_info->fs_devices,
++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) {
++ btrfs_err(fs_info,
++ "found replace target device without a valid replace item");
++ ret = -EUCLEAN;
++ goto out;
++ }
+ ret = 0;
+ dev_replace->replace_state =
+ BTRFS_DEV_REPLACE_ITEM_STATE_NEVER_STARTED;
+@@ -107,8 +118,19 @@ no_valid_dev_replace_entry_found:
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED:
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_FINISHED:
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED:
+- dev_replace->srcdev = NULL;
+- dev_replace->tgtdev = NULL;
++ /*
++ * We don't have an active replace item but if there is a
++ * replace target, fail the mount.
++ */
++ if (btrfs_find_device(fs_info->fs_devices,
++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) {
++ btrfs_err(fs_info,
++ "replace devid present without an active replace item");
++ ret = -EUCLEAN;
++ } else {
++ dev_replace->srcdev = NULL;
++ dev_replace->tgtdev = NULL;
++ }
+ break;
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -974,22 +974,13 @@ again:
+ continue;
+ }
+
+- if (device->devid == BTRFS_DEV_REPLACE_DEVID) {
+- /*
+- * In the first step, keep the device which has
+- * the correct fsid and the devid that is used
+- * for the dev_replace procedure.
+- * In the second step, the dev_replace state is
+- * read from the device tree and it is known
+- * whether the procedure is really active or
+- * not, which means whether this device is
+- * used or whether it should be removed.
+- */
+- if (step == 0 || test_bit(BTRFS_DEV_STATE_REPLACE_TGT,
+- &device->dev_state)) {
+- continue;
+- }
+- }
++ /*
++ * We have already validated the presence of BTRFS_DEV_REPLACE_DEVID,
++ * in btrfs_init_dev_replace() so just continue.
++ */
++ if (device->devid == BTRFS_DEV_REPLACE_DEVID)
++ continue;
++
+ if (device->bdev) {
+ blkdev_put(device->bdev, device->mode);
+ device->bdev = NULL;
+@@ -998,9 +989,6 @@ again:
+ if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) {
+ list_del_init(&device->dev_alloc_list);
+ clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state);
+- if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT,
+- &device->dev_state))
+- fs_devices->rw_devices--;
+ }
+ list_del_init(&device->dev_list);
+ fs_devices->num_devices--;
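Review bot: The second volumes.c hunk (`@@ -998,9 +989,6 @@`) deletes the conditional `fs_devices->rw_devices--;` without putting an unconditional decrement in its place, so a writeable extra device dropped by this loop no longer reduces rw_devices at all (the header's 9→6 line counts confirm nothing was added). With BTRFS_DEV_REPLACE_DEVID devices now always skipped by the `continue` added in the first volumes.c hunk, only the REPLACE_TGT test needed to go; the decrement itself is still required, otherwise rw_devices stays inflated and the `close_fs_devices` warning quoted in the commit message can fire on an ordinary mount that has extra devices. I would keep `fs_devices->rw_devices--;` directly after the `clear_bit(BTRFS_DEV_STATE_WRITEABLE, ...)` line, which I believe is what the mainline commit does. The enclosing `__btrfs_free_extra_devids()` starts and ends outside the hunk, so I cannot see whether anything else compensates; worth checking against the upstream diff before this backport is released.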
--- /dev/null
+From a1fbc6750e212c5675a4e48d7f51d44607eb8756 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Sun, 4 Oct 2020 19:04:26 +0100
+Subject: btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream.
+
+On 32-bit systems, this shift will overflow for files larger than 4GB as
+start_index is unsigned long while the calls to btrfs_delalloc_*_space
+expect u64.
+
+CC: stable@vger.kernel.org # 4.4+
+Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ define the variable instead of repeating the shift ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1239,6 +1239,7 @@ static int cluster_pages_for_defrag(stru
+ u64 page_start;
+ u64 page_end;
+ u64 page_cnt;
++ u64 start = (u64)start_index << PAGE_SHIFT;
+ int ret;
+ int i;
+ int i_done;
+@@ -1255,8 +1256,7 @@ static int cluster_pages_for_defrag(stru
+ page_cnt = min_t(u64, (u64)num_pages, (u64)file_end - start_index + 1);
+
+ ret = btrfs_delalloc_reserve_space(inode, &data_reserved,
+- start_index << PAGE_SHIFT,
+- page_cnt << PAGE_SHIFT);
++ start, page_cnt << PAGE_SHIFT);
+ if (ret)
+ return ret;
+ i_done = 0;
+@@ -1346,8 +1346,7 @@ again:
+ btrfs_mod_outstanding_extents(BTRFS_I(inode), 1);
+ spin_unlock(&BTRFS_I(inode)->lock);
+ btrfs_delalloc_release_space(inode, data_reserved,
+- start_index << PAGE_SHIFT,
+- (page_cnt - i_done) << PAGE_SHIFT, true);
++ start, (page_cnt - i_done) << PAGE_SHIFT, true);
+ }
+
+
+@@ -1374,8 +1373,7 @@ out:
+ put_page(pages[i]);
+ }
+ btrfs_delalloc_release_space(inode, data_reserved,
+- start_index << PAGE_SHIFT,
+- page_cnt << PAGE_SHIFT, true);
++ start, page_cnt << PAGE_SHIFT, true);
+ btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT);
+ extent_changeset_free(data_reserved);
+ return ret;
--- /dev/null
+From 468600c6ec28613b756193c5f780aac062f1acdf Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Wed, 21 Oct 2020 13:36:55 +0800
+Subject: btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit 468600c6ec28613b756193c5f780aac062f1acdf upstream.
+
+There is one error handling path that does not free ref, which may cause
+a minor memory leak.
+
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ref-verify.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -854,6 +854,7 @@ int btrfs_ref_tree_mod(struct btrfs_root
+ "dropping a ref for a root that doesn't have a ref on the block");
+ dump_block_entry(fs_info, be);
+ dump_ref_action(fs_info, ra);
++ kfree(ref);
+ kfree(ra);
+ goto out_unlock;
+ }
--- /dev/null
+From 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d Mon Sep 17 00:00:00 2001
+From: Kaixu Xia <kaixuxia@tencent.com>
+Date: Thu, 29 Oct 2020 23:46:36 +0800
+Subject: ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
+
+From: Kaixu Xia <kaixuxia@tencent.com>
+
+commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream.
+
+The macro MOPT_Q is used to indicates the mount option is related to
+quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is
+disabled. Normally the quota options are handled explicitly, so it
+didn't matter that the MOPT_STRING flag was missing, even though the
+usrjquota and grpjquota mount options take a string argument. It's
+important that's present in the !CONFIG_QUOTA case, since without
+MOPT_STRING, the mount option matcher will match usrjquota= followed
+by an integer, and will otherwise skip the table entry, and so "mount
+option not supported" error message is never reported.
+
+[ Fixed up the commit description to better explain why the fix
+ works. --TYT ]
+
+Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options")
+Signed-off-by: Kaixu Xia <kaixuxia@tencent.com>
+Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1748,8 +1748,8 @@ static const struct mount_opts {
+ {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA |
+ EXT4_MOUNT_GRPQUOTA | EXT4_MOUNT_PRJQUOTA),
+ MOPT_CLEAR | MOPT_Q},
+- {Opt_usrjquota, 0, MOPT_Q},
+- {Opt_grpjquota, 0, MOPT_Q},
++ {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING},
++ {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING},
+ {Opt_offusrjquota, 0, MOPT_Q},
+ {Opt_offgrpjquota, 0, MOPT_Q},
+ {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT},
--- /dev/null
+From 7067b2619017d51e71686ca9756b454de0e5826a Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Tue, 3 Nov 2020 10:29:02 +0800
+Subject: ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 7067b2619017d51e71686ca9756b454de0e5826a upstream.
+
+It takes xattr_sem to check inline data again but without unlock it
+in case not have. So unlock it before return.
+
+Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Tao Ma <boyu.mt@taobao.com>
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1921,6 +1921,7 @@ int ext4_inline_data_truncate(struct ino
+
+ ext4_write_lock_xattr(inode, &no_expand);
+ if (!ext4_has_inline_data(inode)) {
++ ext4_write_unlock_xattr(inode, &no_expand);
+ *has_inline = 0;
+ ext4_journal_stop(handle);
+ return 0;
--- /dev/null
+From 1e106aa3509b86738769775969822ffc1ec21bf4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 6 Nov 2020 11:52:05 +0300
+Subject: futex: Don't enable IRQs unconditionally in put_pi_state()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1e106aa3509b86738769775969822ffc1ec21bf4 upstream.
+
+The exit_pi_state_list() function calls put_pi_state() with IRQs disabled
+and is not expecting that IRQs will be enabled inside the function.
+
+Use the _irqsave() variant so that IRQs are restored to the original state
+instead of being enabled unconditionally.
+
+Fixes: 153fbd1226fb ("futex: Fix more put_pi_state() vs. exit_pi_state_list() races")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201106085205.GA1159983@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -856,8 +856,9 @@ static void put_pi_state(struct futex_pi
+ */
+ if (pi_state->owner) {
+ struct task_struct *owner;
++ unsigned long flags;
+
+- raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
++ raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags);
+ owner = pi_state->owner;
+ if (owner) {
+ raw_spin_lock(&owner->pi_lock);
+@@ -865,7 +866,7 @@ static void put_pi_state(struct futex_pi
+ raw_spin_unlock(&owner->pi_lock);
+ }
+ rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner);
+- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
++ raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags);
+ }
+
+ if (current->pi_state_cache) {
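Review bot: The new `raw_spin_lock_irqsave()` line deserves a one-line comment saying why the save/restore variant is used here, since the nested `raw_spin_lock(&owner->pi_lock)` right below it stays a plain lock and a reader may assume the `_irq` form was simply a typo. The reason only lives in the commit message: exit_pi_state_list() calls put_pi_state() with IRQs already disabled, so an `_irq` unlock would enable them behind the caller's back. I would add above the lock: `/* Callers such as exit_pi_state_list() may run with IRQs disabled; save/restore rather than enable them. */`. put_pi_state()'s body starts and ends outside the hunk.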
--- /dev/null
+From bcbc0b2e275f0a797de11a10eff495b4571863fc Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Thu, 29 Oct 2020 11:54:42 +0200
+Subject: mei: protect mei_cl_mtu from null dereference
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit bcbc0b2e275f0a797de11a10eff495b4571863fc upstream.
+
+A receive callback is queued while the client is still connected
+but can still be called after the client was disconnected. Upon
+disconnect cl->me_cl is set to NULL, hence we need to check
+that ME client is not-NULL in mei_cl_mtu to avoid
+null dereference.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20201029095444.957924-2-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/client.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/client.h
++++ b/drivers/misc/mei/client.h
+@@ -138,11 +138,11 @@ static inline u8 mei_cl_me_id(const stru
+ *
+ * @cl: host client
+ *
+- * Return: mtu
++ * Return: mtu or 0 if client is not connected
+ */
+ static inline size_t mei_cl_mtu(const struct mei_cl *cl)
+ {
+- return cl->me_cl->props.max_msg_length;
++ return cl->me_cl ? cl->me_cl->props.max_msg_length : 0;
+ }
+
+ /**
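Review bot: Returning 0 from mei_cl_mtu() when `cl->me_cl` is NULL removes the dereference but turns it into a silent zero that every caller must now tolerate; a caller that divides by the mtu, uses it as an allocation size or as a loop bound on the disconnected path would move from a NULL dereference to a divide-by-zero or a zero-length buffer. The callers are outside this hunk, so I can only say they should be audited for a 0 result, and the kerneldoc could make the contract explicit: ` * Return: mtu, or 0 if the client is not connected (callers must handle 0)`. The expression also reads `cl->me_cl` twice; if disconnect can clear it concurrently with the receive callback the commit message describes, a local copy such as `const struct mei_me_client *me_cl = cl->me_cl;` followed by `return me_cl ? me_cl->props.max_msg_length : 0;` would at least make the test and the use see the same pointer, though whether that race is reachable depends on locking I cannot see here.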
--- /dev/null
+From f5785283dd64867a711ca1fb1f5bb172f252ecdf Mon Sep 17 00:00:00 2001
+From: Wengang Wang <wen.gang.wang@oracle.com>
+Date: Fri, 13 Nov 2020 22:52:23 -0800
+Subject: ocfs2: initialize ip_next_orphan
+
+From: Wengang Wang <wen.gang.wang@oracle.com>
+
+commit f5785283dd64867a711ca1fb1f5bb172f252ecdf upstream.
+
+Though problem if found on a lower 4.1.12 kernel, I think upstream has
+same issue.
+
+In one node in the cluster, there is the following callback trace:
+
+ # cat /proc/21473/stack
+ __ocfs2_cluster_lock.isra.36+0x336/0x9e0 [ocfs2]
+ ocfs2_inode_lock_full_nested+0x121/0x520 [ocfs2]
+ ocfs2_evict_inode+0x152/0x820 [ocfs2]
+ evict+0xae/0x1a0
+ iput+0x1c6/0x230
+ ocfs2_orphan_filldir+0x5d/0x100 [ocfs2]
+ ocfs2_dir_foreach_blk+0x490/0x4f0 [ocfs2]
+ ocfs2_dir_foreach+0x29/0x30 [ocfs2]
+ ocfs2_recover_orphans+0x1b6/0x9a0 [ocfs2]
+ ocfs2_complete_recovery+0x1de/0x5c0 [ocfs2]
+ process_one_work+0x169/0x4a0
+ worker_thread+0x5b/0x560
+ kthread+0xcb/0xf0
+ ret_from_fork+0x61/0x90
+
+The above stack is not reasonable, the final iput shouldn't happen in
+ocfs2_orphan_filldir() function. Looking at the code,
+
+ 2067 /* Skip inodes which are already added to recover list, since dio may
+ 2068 * happen concurrently with unlink/rename */
+ 2069 if (OCFS2_I(iter)->ip_next_orphan) {
+ 2070 iput(iter);
+ 2071 return 0;
+ 2072 }
+ 2073
+
+The logic thinks the inode is already in recover list on seeing
+ip_next_orphan is non-NULL, so it skip this inode after dropping a
+reference which incremented in ocfs2_iget().
+
+While, if the inode is already in recover list, it should have another
+reference and the iput() at line 2070 should not be the final iput
+(dropping the last reference). So I don't think the inode is really in
+the recover list (no vmcore to confirm).
+
+Note that ocfs2_queue_orphans(), though not shown up in the call back
+trace, is holding cluster lock on the orphan directory when looking up
+for unlinked inodes. The on disk inode eviction could involve a lot of
+IOs which may need long time to finish. That means this node could hold
+the cluster lock for very long time, that can lead to the lock requests
+(from other nodes) to the orhpan directory hang for long time.
+
+Looking at more on ip_next_orphan, I found it's not initialized when
+allocating a new ocfs2_inode_info structure.
+
+This causes te reflink operations from some nodes hang for very long
+time waiting for the cluster lock on the orphan directory.
+
+Fix: initialize ip_next_orphan as NULL.
+
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20201109171746.27884-1-wen.gang.wang@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -1747,6 +1747,7 @@ static void ocfs2_inode_init_once(void *
+
+ oi->ip_blkno = 0ULL;
+ oi->ip_clusters = 0;
++ oi->ip_next_orphan = NULL;
+
+ ocfs2_resv_init_once(&oi->ip_la_data_resv);
+
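Review bot: `ocfs2_inode_init_once()` looks like a slab constructor (it takes a `void *` and initialises fields), and a constructor runs only when the slab object is first created, not on every inode allocation, so `oi->ip_next_orphan = NULL;` here only guarantees the field is NULL the first time the object is used. For the fix to hold across object reuse, the orphan-recovery walk must reset `ip_next_orphan` to NULL before it drops its reference, or the field must also be cleared on the per-allocation path; neither is visible in this hunk, so it is worth confirming. A short comment would also help the next reader: `/* Must be NULL whenever the inode is not on a recovery list; see ocfs2_recover_orphans() */`. The enclosing function starts and ends outside the hunk.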
of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch
cosa-add-missing-kfree-in-error-path-of-cosa_write.patch
perf-fix-get_recursion_context.patch
+ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
+ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
+btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch
+btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch
+thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch
+thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch
+uio-fix-use-after-free-in-uio_unregister_device.patch
+usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch
+xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch
+mei-protect-mei_cl_mtu-from-null-dereference.patch
+futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch
+ocfs2-initialize-ip_next_orphan.patch
+btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch
--- /dev/null
+From 7342ca34d931a357d408aaa25fadd031e46af137 Mon Sep 17 00:00:00 2001
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Date: Thu, 15 Oct 2020 16:40:53 +0800
+Subject: thunderbolt: Add the missed ida_simple_remove() in ring_request_msix()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream.
+
+ring_request_msix() misses to call ida_simple_remove() in an error path.
+Add a label 'err_ida_remove' and jump to it.
+
+Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/nhi.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -408,12 +408,23 @@ static int ring_request_msix(struct tb_r
+
+ ring->vector = ret;
+
+- ring->irq = pci_irq_vector(ring->nhi->pdev, ring->vector);
+- if (ring->irq < 0)
+- return ring->irq;
++ ret = pci_irq_vector(ring->nhi->pdev, ring->vector);
++ if (ret < 0)
++ goto err_ida_remove;
++
++ ring->irq = ret;
+
+ irqflags = no_suspend ? IRQF_NO_SUSPEND : 0;
+- return request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring);
++ ret = request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring);
++ if (ret)
++ goto err_ida_remove;
++
++ return 0;
++
++err_ida_remove:
++ ida_simple_remove(&nhi->msix_ida, ring->vector);
++
++ return ret;
+ }
+
+ static void ring_release_msix(struct tb_ring *ring)
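Review bot: On the `request_irq()` failure path `ring->irq` has already been assigned the vector's irq number and is not reset, and `ring->vector` still holds the id that `err_ida_remove` has just released. If such a ring is later handed to `ring_release_msix()` (whose definition starts right after this hunk) while `ring->irq` is still positive, it could free an irq that was never requested and remove the ida id a second time; whether any caller actually does that I cannot tell from here. Clearing both before returning makes the error state unambiguous: add `ring->vector = 0;` and `ring->irq = 0;` after the `ida_simple_remove()` call. The start of ring_request_msix(), where `nhi` is presumably taken from `ring->nhi`, is outside the hunk.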
--- /dev/null
+From a663e0df4a374b8537562a44d1cecafb472cd65b Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 7 Oct 2020 17:06:17 +0300
+Subject: thunderbolt: Fix memory leak if ida_simple_get() fails in enumerate_services()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream.
+
+The svc->key field is not released as it should be if ida_simple_get()
+fails so fix that.
+
+Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/xdomain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -774,6 +774,7 @@ static void enumerate_services(struct tb
+
+ id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL);
+ if (id < 0) {
++ kfree(svc->key);
+ kfree(svc);
+ break;
+ }
--- /dev/null
+From 092561f06702dd4fdd7fb74dd3a838f1818529b7 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Mon, 2 Nov 2020 21:28:19 +0900
+Subject: uio: Fix use-after-free in uio_unregister_device()
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream.
+
+Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed")
+triggered KASAN use-after-free failure at deletion of TCM-user
+backstores [1].
+
+In uio_unregister_device(), struct uio_device *idev is passed to
+uio_free_minor() to refer idev->minor. However, before uio_free_minor()
+call, idev is already freed by uio_device_release() during call to
+device_unregister().
+
+To avoid reference to idev->minor after idev free, keep idev->minor
+value in a local variable. Also modify uio_free_minor() argument to
+receive the value.
+
+[1]
+BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190
+Read of size 4 at addr ffff888105196508 by task targetcli/49158
+
+CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1
+Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015
+Call Trace:
+ dump_stack+0xae/0xe5
+ ? uio_unregister_device+0x166/0x190
+ print_address_description.constprop.0+0x1c/0x210
+ ? uio_unregister_device+0x166/0x190
+ ? uio_unregister_device+0x166/0x190
+ kasan_report.cold+0x37/0x7c
+ ? kobject_put+0x80/0x410
+ ? uio_unregister_device+0x166/0x190
+ uio_unregister_device+0x166/0x190
+ tcmu_destroy_device+0x1c4/0x280 [target_core_user]
+ ? tcmu_release+0x90/0x90 [target_core_user]
+ ? __mutex_unlock_slowpath+0xd6/0x5d0
+ target_free_device+0xf3/0x2e0 [target_core_mod]
+ config_item_cleanup+0xea/0x210
+ configfs_rmdir+0x651/0x860
+ ? detach_groups.isra.0+0x380/0x380
+ vfs_rmdir.part.0+0xec/0x3a0
+ ? __lookup_hash+0x20/0x150
+ do_rmdir+0x252/0x320
+ ? do_file_open_root+0x420/0x420
+ ? strncpy_from_user+0xbc/0x2f0
+ ? getname_flags.part.0+0x8e/0x450
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f9e2bfc91fb
+Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
+RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90
+RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440
+R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c
+R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780
+
+Allocated by task 34735:
+ kasan_save_stack+0x1b/0x40
+ __kasan_kmalloc.constprop.0+0xc2/0xd0
+ __uio_register_device+0xeb/0xd40
+ tcmu_configure_device+0x5a0/0xbc0 [target_core_user]
+ target_configure_device+0x12f/0x760 [target_core_mod]
+ target_dev_enable_store+0x32/0x50 [target_core_mod]
+ configfs_write_file+0x2bb/0x450
+ vfs_write+0x1ce/0x610
+ ksys_write+0xe9/0x1b0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 49158:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x1b/0x30
+ __kasan_slab_free+0x110/0x150
+ slab_free_freelist_hook+0x5a/0x170
+ kfree+0xc6/0x560
+ device_release+0x9b/0x210
+ kobject_put+0x13e/0x410
+ uio_unregister_device+0xf9/0x190
+ tcmu_destroy_device+0x1c4/0x280 [target_core_user]
+ target_free_device+0xf3/0x2e0 [target_core_mod]
+ config_item_cleanup+0xea/0x210
+ configfs_rmdir+0x651/0x860
+ vfs_rmdir.part.0+0xec/0x3a0
+ do_rmdir+0x252/0x320
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff888105196000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1288 bytes inside of
+ 2048-byte region [ffff888105196000, ffff888105196800)
+The buggy address belongs to the page:
+page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190
+head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x17ffffc0010200(slab|head)
+raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040
+raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01
+page dumped because: kasan: bad access detected
+page->mem_cgroup:ffff88810eb55c01
+
+Memory state around the buggy address:
+ ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -413,10 +413,10 @@ static int uio_get_minor(struct uio_devi
+ return retval;
+ }
+
+-static void uio_free_minor(struct uio_device *idev)
++static void uio_free_minor(unsigned long minor)
+ {
+ mutex_lock(&minor_lock);
+- idr_remove(&uio_idr, idev->minor);
++ idr_remove(&uio_idr, minor);
+ mutex_unlock(&minor_lock);
+ }
+
+@@ -988,7 +988,7 @@ err_request_irq:
+ err_uio_dev_add_attributes:
+ device_del(&idev->dev);
+ err_device_create:
+- uio_free_minor(idev);
++ uio_free_minor(idev->minor);
+ put_device(&idev->dev);
+ return ret;
+ }
+@@ -1002,11 +1002,13 @@ EXPORT_SYMBOL_GPL(__uio_register_device)
+ void uio_unregister_device(struct uio_info *info)
+ {
+ struct uio_device *idev;
++ unsigned long minor;
+
+ if (!info || !info->uio_dev)
+ return;
+
+ idev = info->uio_dev;
++ minor = idev->minor;
+
+ mutex_lock(&idev->info_lock);
+ uio_dev_del_attributes(idev);
+@@ -1019,7 +1021,7 @@ void uio_unregister_device(struct uio_in
+
+ device_unregister(&idev->dev);
+
+- uio_free_minor(idev);
++ uio_free_minor(minor);
+
+ return;
+ }
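Review bot: The reason `minor` is copied out of `idev` early in uio_unregister_device() is recorded only in the commit message; in the code it reads like a redundant local that a later cleanup could fold back into `uio_free_minor(idev->minor)` and reintroduce the use-after-free. A comment at the copy would guard against that: `minor = idev->minor; /* idev may be freed by device_unregister() below; keep a copy for uio_free_minor() */`. The same lifetime reasoning now applies to the `uio_free_minor(unsigned long minor)` signature, which depends on every caller passing a value captured while idev was still alive, and a one-line kerneldoc on it saying so would help.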
--- /dev/null
+From 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Wed, 11 Nov 2020 08:12:09 -0500
+Subject: usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream.
+
+Renesas R-Car and RZ/G SoCs have a firmware download mode over USB.
+However, on reset a banner string is transmitted out which is not expected
+to be echoed back and will corrupt the protocol.
+
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1738,6 +1738,15 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */
++ .driver_info = DISABLE_ECHO, /* Don't echo banner */
++ },
++ { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */
++ .driver_info = DISABLE_ECHO, /* Don't echo banner */
++ },
++ { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */
++ .driver_info = DISABLE_ECHO, /* Don't echo banner */
++ },
+ { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
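Review bot: The third new entry writes its product id as `0x024D` while the two entries above it and the rest of this table use lower-case hex (`0x023c`, `0x0248`, `0x0e8d`); for consistency it should read `{ USB_DEVICE(0x045b, 0x024d), /* Renesas USB Download mode */`. The three entries are otherwise identical, so the shared comment could also say what is being suppressed, e.g. `/* Don't echo the banner the device sends on reset */`, which the commit message explains but the table does not.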
--- /dev/null
+From 76255470ffa2795a44032e8b3c1ced11d81aa2db Mon Sep 17 00:00:00 2001
+From: Zhang Qilong <zhangqilong3@huawei.com>
+Date: Fri, 6 Nov 2020 20:22:21 +0800
+Subject: xhci: hisilicon: fix refercence leak in xhci_histb_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+commit 76255470ffa2795a44032e8b3c1ced11d81aa2db upstream.
+
+pm_runtime_get_sync() will increment pm usage at first and it
+will resume the device later. We should decrease the usage count
+whetever it succeeded or failed(maybe runtime of the device has
+error, or device is in inaccessible state, or other error state).
+If we do not call put operation to decrease the reference, it will
+result in reference leak in xhci_histb_probe. Moreover, this
+device cannot enter the idle state and always stay busy or other
+non-idle state later. So we fixed it by jumping to error handling
+branch.
+
+Fixes: c508f41da0788 ("xhci: hisilicon: support HiSilicon STB xHCI host controller")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20201106122221.2304528-1-zhangqilong3@huawei.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-histb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-histb.c
++++ b/drivers/usb/host/xhci-histb.c
+@@ -241,7 +241,7 @@ static int xhci_histb_probe(struct platf
+ /* Initialize dma_mask and coherent_dma_mask to 32-bits */
+ ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32));
+ if (ret)
+- return ret;
++ goto disable_pm;
+
+ hcd = usb_create_hcd(driver, dev, dev_name(dev));
+ if (!hcd) {