--- /dev/null
+From d36a1dd9f77ae1e72da48f4123ed35627848507d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 5 Jan 2021 14:43:46 -0500
+Subject: dump_common_audit_data(): fix racy accesses to ->d_name
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream.
+
+We are not guaranteed the locking environment that would prevent
+dentry getting renamed right under us. And it's possible for
+old long name to be freed after rename, leading to UAF here.
+
+Cc: stable@kernel.org # v2.6.2+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/lsm_audit.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/security/lsm_audit.c
++++ b/security/lsm_audit.c
+@@ -264,7 +264,9 @@ static void dump_common_audit_data(struc
+ struct inode *inode;
+
+ audit_log_format(ab, " name=");
++ spin_lock(&a->u.dentry->d_lock);
+ audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
++ spin_unlock(&a->u.dentry->d_lock);
+
+ inode = d_backing_inode(a->u.dentry);
+ if (inode) {
+@@ -282,8 +284,9 @@ static void dump_common_audit_data(struc
+ dentry = d_find_alias(inode);
+ if (dentry) {
+ audit_log_format(ab, " name=");
+- audit_log_untrustedstring(ab,
+- dentry->d_name.name);
++ spin_lock(&dentry->d_lock);
++ audit_log_untrustedstring(ab, dentry->d_name.name);
++ spin_unlock(&dentry->d_lock);
+ dput(dentry);
+ }
+ audit_log_format(ab, " dev=");
--- /dev/null
+From dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 16 Dec 2020 11:18:43 +0100
+Subject: ext4: fix superblock checksum failure when setting password salt
+
+From: Jan Kara <jack@suse.cz>
+
+commit dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 upstream.
+
+When setting password salt in the superblock, we forget to recompute the
+superblock checksum so it will not match until the next superblock
+modification which recomputes the checksum. Fix it.
+
+CC: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Andreas Dilger <adilger@dilger.ca>
+Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20201216101844.22917-8-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -675,7 +675,10 @@ encryption_policy_out:
+ err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+ if (err)
+ goto pwsalt_err_journal;
++ lock_buffer(sbi->s_sbh);
+ generate_random_uuid(sbi->s_es->s_encrypt_pw_salt);
++ ext4_superblock_csum_set(sb);
++ unlock_buffer(sbi->s_sbh);
+ err = ext4_handle_dirty_metadata(handle, NULL,
+ sbi->s_sbh);
+ pwsalt_err_journal:
--- /dev/null
+From e8b95728f724797f958912fd9b765a695595d3a6 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 1 Sep 2017 17:13:43 -0700
+Subject: Input: uinput - avoid FF flush when destroying device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit e8b95728f724797f958912fd9b765a695595d3a6 upstream.
+
+Normally, when input device supporting force feedback effects is being
+destroyed, we try to "flush" currently playing effects, so that the
+physical device does not continue vibrating (or executing other effects).
+Unfortunately this does not work well for uinput as flushing of the effects
+deadlocks with the destroy action:
+
+- if device is being destroyed because the file descriptor is being closed,
+ then there is noone to even service FF requests;
+
+- if device is being destroyed because userspace sent UI_DEV_DESTROY,
+ while theoretically it could be possible to service FF requests,
+ userspace is unlikely to do so (they'd need to make sure FF handling
+ happens on a separate thread) even if kernel solves the issue with FF
+ ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex.
+
+To avoid lockups like the one below, let's install a custom input device
+flush handler, and avoid trying to flush force feedback effects when we
+destroying the device, and instead rely on uinput to shut off the device
+properly.
+
+NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
+...
+ <<EOE>> [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40
+ [<ffffffff810e633d>] complete+0x1d/0x50
+ [<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput]
+ [<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput]
+ [<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput]
+ [<ffffffff815d91ad>] erase_effect+0xad/0xf0
+ [<ffffffff815d929d>] flush_effects+0x4d/0x90
+ [<ffffffff815d4cc0>] input_flush_device+0x40/0x60
+ [<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0
+ [<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60
+ [<ffffffff815d74ac>] __input_unregister_device+0xac/0x150
+ [<ffffffff815d75f7>] input_unregister_device+0x47/0x70
+ [<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput]
+ [<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput]
+ [<ffffffff811231ab>] ? do_futex+0x12b/0xad0
+ [<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput]
+ [<ffffffff81241248>] do_vfs_ioctl+0x298/0x480
+ [<ffffffff81337553>] ? security_file_ioctl+0x43/0x60
+ [<ffffffff812414a9>] SyS_ioctl+0x79/0x90
+ [<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
+
+Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Reported-by: Clément VUCHENER <clement.vuchener@gmail.com>
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/ff-core.c | 13 ++++++++++---
+ drivers/input/misc/uinput.c | 18 ++++++++++++++++++
+ include/linux/input.h | 1 +
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/ff-core.c
++++ b/drivers/input/ff-core.c
+@@ -237,9 +237,15 @@ int input_ff_erase(struct input_dev *dev
+ EXPORT_SYMBOL_GPL(input_ff_erase);
+
+ /*
+- * flush_effects - erase all effects owned by a file handle
++ * input_ff_flush - erase all effects owned by a file handle
++ * @dev: input device to erase effect from
++ * @file: purported owner of the effects
++ *
++ * This function erases all force-feedback effects associated with
++ * the given owner from specified device. Note that @file may be %NULL,
++ * in which case all effects will be erased.
+ */
+-static int flush_effects(struct input_dev *dev, struct file *file)
++int input_ff_flush(struct input_dev *dev, struct file *file)
+ {
+ struct ff_device *ff = dev->ff;
+ int i;
+@@ -255,6 +261,7 @@ static int flush_effects(struct input_de
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(input_ff_flush);
+
+ /**
+ * input_ff_event() - generic handler for force-feedback events
+@@ -343,7 +350,7 @@ int input_ff_create(struct input_dev *de
+ mutex_init(&ff->mutex);
+
+ dev->ff = ff;
+- dev->flush = flush_effects;
++ dev->flush = input_ff_flush;
+ dev->event = input_ff_event;
+ __set_bit(EV_FF, dev->evbit);
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -230,6 +230,18 @@ static int uinput_dev_erase_effect(struc
+ return uinput_request_submit(udev, &request);
+ }
+
++static int uinput_dev_flush(struct input_dev *dev, struct file *file)
++{
++ /*
++ * If we are called with file == NULL that means we are tearing
++ * down the device, and therefore we can not handle FF erase
++ * requests: either we are handling UI_DEV_DESTROY (and holding
++ * the udev->mutex), or the file descriptor is closed and there is
++ * nobody on the other side anymore.
++ */
++ return file ? input_ff_flush(dev, file) : 0;
++}
++
+ static void uinput_destroy_device(struct uinput_device *udev)
+ {
+ const char *name, *phys;
+@@ -273,6 +285,12 @@ static int uinput_create_device(struct u
+ dev->ff->playback = uinput_dev_playback;
+ dev->ff->set_gain = uinput_dev_set_gain;
+ dev->ff->set_autocenter = uinput_dev_set_autocenter;
++ /*
++ * The standard input_ff_flush() implementation does
++ * not quite work for uinput as we can't reasonably
++ * handle FF requests during device teardown.
++ */
++ dev->flush = uinput_dev_flush;
+ }
+
+ error = input_register_device(udev->dev);
+--- a/include/linux/input.h
++++ b/include/linux/input.h
+@@ -529,6 +529,7 @@ int input_ff_event(struct input_dev *dev
+
+ int input_ff_upload(struct input_dev *dev, struct ff_effect *effect, struct file *file);
+ int input_ff_erase(struct input_dev *dev, int effect_id, struct file *file);
++int input_ff_flush(struct input_dev *dev, struct file *file);
+
+ int input_ff_create_memless(struct input_dev *dev, void *data,
+ int (*play_effect)(struct input_dev *, void *, struct ff_effect *));
--- /dev/null
+From 8ff60eb052eeba95cfb3efe16b08c9199f8121cf Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 12 Jan 2021 15:49:04 -0800
+Subject: mm, slub: consider rest of partial list if acquire_slab() fails
+
+From: Jann Horn <jannh@google.com>
+
+commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream.
+
+acquire_slab() fails if there is contention on the freelist of the page
+(probably because some other CPU is concurrently freeing an object from
+the page). In that case, it might make sense to look for a different page
+(since there might be more remote frees to the page from other CPUs, and
+we don't want contention on struct page).
+
+However, the current code accidentally stops looking at the partial list
+completely in that case. Especially on kernels without CONFIG_NUMA set,
+this means that get_partial() fails and new_slab_objects() falls back to
+new_slab(), allocating new pages. This could lead to an unnecessary
+increase in memory fragmentation.
+
+Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com
+Fixes: 7ced37197196 ("slub: Acquire_slab() avoid loop")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1682,7 +1682,7 @@ static void *get_partial_node(struct kme
+
+ t = acquire_slab(s, n, page, object == NULL, &objects);
+ if (!t)
+- break;
++ continue; /* cmpxchg raced */
+
+ available += objects;
+ if (!object) {
--- /dev/null
+From 86b53fbf08f48d353a86a06aef537e78e82ba721 Mon Sep 17 00:00:00 2001
+From: "j.nixdorf@avm.de" <j.nixdorf@avm.de>
+Date: Tue, 5 Jan 2021 15:17:01 +0100
+Subject: net: sunrpc: interpret the return value of kstrtou32 correctly
+
+From: j.nixdorf@avm.de <j.nixdorf@avm.de>
+
+commit 86b53fbf08f48d353a86a06aef537e78e82ba721 upstream.
+
+A return value of 0 means success. This is documented in lib/kstrtox.c.
+
+This was found by trying to mount an NFS share from a link-local IPv6
+address with the interface specified by its index:
+
+ mount("[fe80::1%1]:/srv/nfs", "/mnt", "nfs", 0, "nolock,addr=fe80::1%1")
+
+Before this commit this failed with EINVAL and also caused the following
+message in dmesg:
+
+ [...] NFS: bad IP address specified: addr=fe80::1%1
+
+The syscall using the same address based on the interface name instead
+of its index succeeds.
+
+Credits for this patch go to my colleague Christian Speich, who traced
+the origin of this bug to this line of code.
+
+Signed-off-by: Johannes Nixdorf <j.nixdorf@avm.de>
+Fixes: 00cfaa943ec3 ("replace strict_strto calls")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/addr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/addr.c
++++ b/net/sunrpc/addr.c
+@@ -184,7 +184,7 @@ static int rpc_parse_scope_id(struct net
+ scope_id = dev->ifindex;
+ dev_put(dev);
+ } else {
+- if (kstrtou32(p, 10, &scope_id) == 0) {
++ if (kstrtou32(p, 10, &scope_id) != 0) {
+ kfree(p);
+ return 0;
+ }
--- /dev/null
+From 896567ee7f17a8a736cda8a28cc987228410a2ac Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sun, 10 Jan 2021 15:58:08 -0500
+Subject: NFS: nfs_igrab_and_active must first reference the superblock
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 896567ee7f17a8a736cda8a28cc987228410a2ac upstream.
+
+Before referencing the inode, we must ensure that the superblock can be
+referenced. Otherwise, we can end up with iput() calling superblock
+operations that are no longer valid or accessible.
+
+Fixes: ea7c38fef0b7 ("NFSv4: Ensure we reference the inode for return-on-close in delegreturn")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/internal.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -534,12 +534,14 @@ extern int nfs41_walk_client_list(struct
+
+ static inline struct inode *nfs_igrab_and_active(struct inode *inode)
+ {
+- inode = igrab(inode);
+- if (inode != NULL && !nfs_sb_active(inode->i_sb)) {
+- iput(inode);
+- inode = NULL;
++ struct super_block *sb = inode->i_sb;
++
++ if (sb && nfs_sb_active(sb)) {
++ if (igrab(inode))
++ return inode;
++ nfs_sb_deactive(sb);
+ }
+- return inode;
++ return NULL;
+ }
+
+ static inline void nfs_iput_and_deactive(struct inode *inode)
--- /dev/null
+From a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 26 Dec 2020 15:42:48 +0800
+Subject: RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 upstream.
+
+If usnic_ib_qp_grp_create() fails at the first call, dev_list
+will not be freed on error, which leads to memleak.
+
+Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
+Link: https://lore.kernel.org/r/20201226074248.2893-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+@@ -180,6 +180,7 @@ find_free_vf_and_create_qp_grp(struct us
+
+ }
+ usnic_uiom_free_dev_list(dev_list);
++ dev_list = NULL;
+ }
+
+ if (!found) {
+@@ -207,6 +208,8 @@ find_free_vf_and_create_qp_grp(struct us
+ spin_unlock(&vf->lock);
+ if (IS_ERR_OR_NULL(qp_grp)) {
+ usnic_err("Failed to allocate qp_grp\n");
++ if (usnic_ib_share_vf)
++ usnic_uiom_free_dev_list(dev_list);
+ return ERR_PTR(qp_grp ? PTR_ERR(qp_grp) : -ENOMEM);
+ }
+
net-ethernet-fs_enet-add-missing-module_license.patch
acpi-scan-add-stub-acpi_create_platform_device-for-c.patch
arm-picoxcell-fix-missing-interrupt-parent-propertie.patch
+input-uinput-avoid-ff-flush-when-destroying-device.patch
+dump_common_audit_data-fix-racy-accesses-to-d_name.patch
+nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch
+ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch
+rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch
+mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch
+net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
