5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 18:17:31 +0000 (20:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 18:17:31 +0000 (20:17 +0200)
added patches:
dm-writecache-write-at-least-4k-when-committing.patch
drm-ast-remove-reference-to-struct-drm_device.pdev.patch
ext4-fix-memory-leak-in-ext4_fill_super.patch
f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch
jfs-fix-gpf-in-difree.patch
pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch
smackfs-restrict-bytes-count-in-smk_set_cipso.patch

queue-5.10/dm-writecache-write-at-least-4k-when-committing.patch [new file with mode: 0644]
queue-5.10/drm-ast-remove-reference-to-struct-drm_device.pdev.patch [new file with mode: 0644]
queue-5.10/ext4-fix-memory-leak-in-ext4_fill_super.patch [new file with mode: 0644]
queue-5.10/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch [new file with mode: 0644]
queue-5.10/jfs-fix-gpf-in-difree.patch [new file with mode: 0644]
queue-5.10/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/smackfs-restrict-bytes-count-in-smk_set_cipso.patch [new file with mode: 0644]

diff --git a/queue-5.10/dm-writecache-write-at-least-4k-when-committing.patch b/queue-5.10/dm-writecache-write-at-least-4k-when-committing.patch
new file mode 100644 (file)
index 0000000..0822dbe
--- /dev/null
@@ -0,0 +1,36 @@
+From 867de40c4c23e6d7f89f9ce4272a5d1b1484c122 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 21 Jun 2021 14:48:29 -0400
+Subject: dm writecache: write at least 4k when committing
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 867de40c4c23e6d7f89f9ce4272a5d1b1484c122 upstream.
+
+SSDs perform badly with sub-4k writes (because they perfrorm
+read-modify-write internally), so make sure writecache writes at least
+4k when committing.
+
+Fixes: 991bd8d7bc78 ("dm writecache: commit just one block, not a full page")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-writecache.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -532,7 +532,11 @@ static void ssd_commit_superblock(struct
+       region.bdev = wc->ssd_dev->bdev;
+       region.sector = 0;
+-      region.count = wc->block_size >> SECTOR_SHIFT;
++      region.count = max(4096U, wc->block_size) >> SECTOR_SHIFT;
++
++      if (unlikely(region.sector + region.count > wc->metadata_sectors))
++              region.count = wc->metadata_sectors - region.sector;
++
+       region.sector += wc->start_sector;
+       req.bi_op = REQ_OP_WRITE;
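Review bot: The 4096U floor and the clamp of `region.count` against `wc->metadata_sectors` carry no comment, and the reason (SSDs doing read-modify-write for sub-4k writes) lives only in the commit message; a comment above the assignment, `/* SSDs read-modify-write on sub-4k writes: commit at least 4k, but never past the end of the metadata area */`, keeps the rationale with the code. The clamp runs while `region.sector` is still 0, so it effectively bounds `region.count` to `wc->metadata_sectors` before `wc->start_sector` is added on the following line. If `wc->block_size` is not declared `unsigned int`, the kernel's type-checked `max()` warns when mixed with `4096U` and `max_t(unsigned int, ...)` would be the cleaner form — worth confirming against the struct definition, which is outside the hunk. ssd_commit_superblock() continues past the hunk.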
diff --git a/queue-5.10/drm-ast-remove-reference-to-struct-drm_device.pdev.patch b/queue-5.10/drm-ast-remove-reference-to-struct-drm_device.pdev.patch
new file mode 100644 (file)
index 0000000..8323417
--- /dev/null
@@ -0,0 +1,50 @@
+From 0ecb51824e838372e01330752503ddf9c0430ef7 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Thu, 29 Apr 2021 12:50:57 +0200
+Subject: drm/ast: Remove reference to struct drm_device.pdev
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 0ecb51824e838372e01330752503ddf9c0430ef7 upstream.
+
+Using struct drm_device.pdev is deprecated. Upcast with to_pci_dev()
+from struct drm_device.dev to get the PCI device structure.
+
+v9:
+       * fix remaining pdev references
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Fixes: ba4e0339a6a3 ("drm/ast: Fixed CVE for DP501")
+Cc: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+Cc: kernel test robot <lkp@intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20210429105101.25667-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_main.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -406,7 +406,6 @@ struct ast_private *ast_device_create(st
+               return ast;
+       dev = &ast->base;
+-      dev->pdev = pdev;
+       pci_set_drvdata(pdev, dev);
+       ast->regs = pcim_iomap(pdev, 1, 0);
+@@ -448,8 +447,8 @@ struct ast_private *ast_device_create(st
+       /* map reserved buffer */
+       ast->dp501_fw_buf = NULL;
+-      if (dev->vram_mm->vram_size < pci_resource_len(dev->pdev, 0)) {
+-              ast->dp501_fw_buf = pci_iomap_range(dev->pdev, 0, dev->vram_mm->vram_size, 0);
++      if (dev->vram_mm->vram_size < pci_resource_len(pdev, 0)) {
++              ast->dp501_fw_buf = pci_iomap_range(pdev, 0, dev->vram_mm->vram_size, 0);
+               if (!ast->dp501_fw_buf)
+                       drm_info(dev, "failed to map reserved buffer!\n");
+       }
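Review bot: Dropping `dev->pdev = pdev;` in ast_device_create() leaves `dev->pdev` NULL for the device's lifetime in this tree, so any other ast source file in this stable branch that still reads `dev->pdev` (none is visible in the hunk) would now dereference NULL; if the upstream conversion of those remaining readers happened in separate commits, they need to be queued alongside this one, which should be confirmed before the patch is applied. The replaced `pci_resource_len(pdev, 0)` and `pci_iomap_range(pdev, ...)` calls are correct as written since `pdev` is the function's own parameter. ast_device_create() starts and ends outside the hunk.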
diff --git a/queue-5.10/ext4-fix-memory-leak-in-ext4_fill_super.patch b/queue-5.10/ext4-fix-memory-leak-in-ext4_fill_super.patch
new file mode 100644 (file)
index 0000000..274ebee
--- /dev/null
@@ -0,0 +1,156 @@
+From 618f003199c6188e01472b03cdbba227f1dc5f24 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 30 Apr 2021 21:50:46 +0300
+Subject: ext4: fix memory leak in ext4_fill_super
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 618f003199c6188e01472b03cdbba227f1dc5f24 upstream.
+
+static int kthread(void *_create) will return -ENOMEM
+or -EINTR in case of internal failure or
+kthread_stop() call happens before threadfn call.
+
+To prevent fancy error checking and make code
+more straightforward we moved all cleanup code out
+of kmmpd threadfn.
+
+Also, dropped struct mmpd_data at all. Now struct super_block
+is a threadfn data and struct buffer_head embedded into
+struct ext4_sb_info.
+
+Reported-by: syzbot+d9e482e303930fa4f6ff@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20210430185046.15742-1-paskripkin@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h  |    4 ++++
+ fs/ext4/mmp.c   |   28 +++++++++++++---------------
+ fs/ext4/super.c |   10 ++++------
+ 3 files changed, 21 insertions(+), 21 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1480,6 +1480,7 @@ struct ext4_sb_info {
+       struct kobject s_kobj;
+       struct completion s_kobj_unregister;
+       struct super_block *s_sb;
++      struct buffer_head *s_mmp_bh;
+       /* Journaling */
+       struct journal_s *s_journal;
+@@ -3624,6 +3625,9 @@ extern struct ext4_io_end_vec *ext4_last
+ /* mmp.c */
+ extern int ext4_multi_mount_protect(struct super_block *, ext4_fsblk_t);
++/* mmp.c */
++extern void ext4_stop_mmpd(struct ext4_sb_info *sbi);
++
+ /* verity.c */
+ extern const struct fsverity_operations ext4_verityops;
+--- a/fs/ext4/mmp.c
++++ b/fs/ext4/mmp.c
+@@ -127,9 +127,9 @@ void __dump_mmp_msg(struct super_block *
+  */
+ static int kmmpd(void *data)
+ {
+-      struct super_block *sb = ((struct mmpd_data *) data)->sb;
+-      struct buffer_head *bh = ((struct mmpd_data *) data)->bh;
++      struct super_block *sb = (struct super_block *) data;
+       struct ext4_super_block *es = EXT4_SB(sb)->s_es;
++      struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
+       struct mmp_struct *mmp;
+       ext4_fsblk_t mmp_block;
+       u32 seq = 0;
+@@ -245,12 +245,18 @@ static int kmmpd(void *data)
+       retval = write_mmp_block(sb, bh);
+ exit_thread:
+-      EXT4_SB(sb)->s_mmp_tsk = NULL;
+-      kfree(data);
+-      brelse(bh);
+       return retval;
+ }
++void ext4_stop_mmpd(struct ext4_sb_info *sbi)
++{
++      if (sbi->s_mmp_tsk) {
++              kthread_stop(sbi->s_mmp_tsk);
++              brelse(sbi->s_mmp_bh);
++              sbi->s_mmp_tsk = NULL;
++      }
++}
++
+ /*
+  * Get a random new sequence number but make sure it is not greater than
+  * EXT4_MMP_SEQ_MAX.
+@@ -275,7 +281,6 @@ int ext4_multi_mount_protect(struct supe
+       struct ext4_super_block *es = EXT4_SB(sb)->s_es;
+       struct buffer_head *bh = NULL;
+       struct mmp_struct *mmp = NULL;
+-      struct mmpd_data *mmpd_data;
+       u32 seq;
+       unsigned int mmp_check_interval = le16_to_cpu(es->s_mmp_update_interval);
+       unsigned int wait_time = 0;
+@@ -364,24 +369,17 @@ skip:
+               goto failed;
+       }
+-      mmpd_data = kmalloc(sizeof(*mmpd_data), GFP_KERNEL);
+-      if (!mmpd_data) {
+-              ext4_warning(sb, "not enough memory for mmpd_data");
+-              goto failed;
+-      }
+-      mmpd_data->sb = sb;
+-      mmpd_data->bh = bh;
++      EXT4_SB(sb)->s_mmp_bh = bh;
+       /*
+        * Start a kernel thread to update the MMP block periodically.
+        */
+-      EXT4_SB(sb)->s_mmp_tsk = kthread_run(kmmpd, mmpd_data, "kmmpd-%.*s",
++      EXT4_SB(sb)->s_mmp_tsk = kthread_run(kmmpd, sb, "kmmpd-%.*s",
+                                            (int)sizeof(mmp->mmp_bdevname),
+                                            bdevname(bh->b_bdev,
+                                                     mmp->mmp_bdevname));
+       if (IS_ERR(EXT4_SB(sb)->s_mmp_tsk)) {
+               EXT4_SB(sb)->s_mmp_tsk = NULL;
+-              kfree(mmpd_data);
+               ext4_warning(sb, "Unable to create kmmpd thread for %s.",
+                            sb->s_id);
+               goto failed;
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1260,8 +1260,8 @@ static void ext4_put_super(struct super_
+       ext4_xattr_destroy_cache(sbi->s_ea_block_cache);
+       sbi->s_ea_block_cache = NULL;
+-      if (sbi->s_mmp_tsk)
+-              kthread_stop(sbi->s_mmp_tsk);
++      ext4_stop_mmpd(sbi);
++
+       brelse(sbi->s_sbh);
+       sb->s_fs_info = NULL;
+       /*
+@@ -5173,8 +5173,7 @@ failed_mount3a:
+       ext4_es_unregister_shrinker(sbi);
+ failed_mount3:
+       del_timer_sync(&sbi->s_err_report);
+-      if (sbi->s_mmp_tsk)
+-              kthread_stop(sbi->s_mmp_tsk);
++      ext4_stop_mmpd(sbi);
+ failed_mount2:
+       rcu_read_lock();
+       group_desc = rcu_dereference(sbi->s_group_desc);
+@@ -5927,8 +5926,7 @@ static int ext4_remount(struct super_blo
+                                */
+                               ext4_mark_recovery_complete(sb, es);
+                       }
+-                      if (sbi->s_mmp_tsk)
+-                              kthread_stop(sbi->s_mmp_tsk);
++                      ext4_stop_mmpd(sbi);
+               } else {
+                       /* Make sure we can mount this feature set readwrite */
+                       if (ext4_has_feature_readonly(sb) ||
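Review bot: `ext4_stop_mmpd()` releases `sbi->s_mmp_bh` with brelse() but leaves the pointer set, so `s_mmp_bh` dangles while `s_mmp_tsk` is reset to NULL; adding `sbi->s_mmp_bh = NULL;` after the `brelse()` keeps the two fields consistent and makes an accidental later use fail on a NULL pointer rather than touch a freed buffer_head. The same applies on the `IS_ERR(EXT4_SB(sb)->s_mmp_tsk)` path in ext4_multi_mount_protect(), where `s_mmp_bh` has already been set to `bh` before thread creation fails and `bh` is presumably released at the `failed:` label outside the hunk. Separately, the ext4.h hunk adds a second `/* mmp.c */` header comment directly under the existing one; the new prototype belongs under the existing comment without the duplicate. kmmpd() and ext4_multi_mount_protect() both extend beyond the hunk.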
diff --git a/queue-5.10/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch b/queue-5.10/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch
new file mode 100644 (file)
index 0000000..5a14cbe
--- /dev/null
@@ -0,0 +1,128 @@
+From cad83c968c2ebe97905f900326988ed37146c347 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Fri, 7 May 2021 18:10:38 +0800
+Subject: f2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit cad83c968c2ebe97905f900326988ed37146c347 upstream.
+
+As syzbot reported, there is an use-after-free issue during f2fs recovery:
+
+Use-after-free write at 0xffff88823bc16040 (in kfence-#10):
+ kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486
+ f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869
+ f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945
+ mount_bdev+0x26c/0x3a0 fs/super.c:1367
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1497
+ do_new_mount fs/namespace.c:2905 [inline]
+ path_mount+0x196f/0x2be0 fs/namespace.c:3235
+ do_mount fs/namespace.c:3248 [inline]
+ __do_sys_mount fs/namespace.c:3456 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
+ do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is multi f2fs filesystem instances can race on accessing
+global fsync_entry_slab pointer, result in use-after-free issue of slab
+cache, fixes to init/destroy this slab cache only once during module
+init/destroy procedure to avoid this issue.
+
+Reported-by: syzbot+9d90dad32dd9727ed084@syzkaller.appspotmail.com
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h     |    2 ++
+ fs/f2fs/recovery.c |   23 ++++++++++++++---------
+ fs/f2fs/super.c    |    8 +++++++-
+ 3 files changed, 23 insertions(+), 10 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3462,6 +3462,8 @@ void f2fs_destroy_garbage_collection_cac
+  */
+ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only);
+ bool f2fs_space_for_roll_forward(struct f2fs_sb_info *sbi);
++int __init f2fs_create_recovery_cache(void);
++void f2fs_destroy_recovery_cache(void);
+ /*
+  * debug.c
+--- a/fs/f2fs/recovery.c
++++ b/fs/f2fs/recovery.c
+@@ -777,13 +777,6 @@ int f2fs_recover_fsync_data(struct f2fs_
+       quota_enabled = f2fs_enable_quota_files(sbi, s_flags & SB_RDONLY);
+ #endif
+-      fsync_entry_slab = f2fs_kmem_cache_create("f2fs_fsync_inode_entry",
+-                      sizeof(struct fsync_inode_entry));
+-      if (!fsync_entry_slab) {
+-              err = -ENOMEM;
+-              goto out;
+-      }
+-
+       INIT_LIST_HEAD(&inode_list);
+       INIT_LIST_HEAD(&tmp_inode_list);
+       INIT_LIST_HEAD(&dir_list);
+@@ -856,8 +849,6 @@ skip:
+               }
+       }
+-      kmem_cache_destroy(fsync_entry_slab);
+-out:
+ #ifdef CONFIG_QUOTA
+       /* Turn quotas off */
+       if (quota_enabled)
+@@ -867,3 +858,17 @@ out:
+       return ret ? ret: err;
+ }
++
++int __init f2fs_create_recovery_cache(void)
++{
++      fsync_entry_slab = f2fs_kmem_cache_create("f2fs_fsync_inode_entry",
++                                      sizeof(struct fsync_inode_entry));
++      if (!fsync_entry_slab)
++              return -ENOMEM;
++      return 0;
++}
++
++void f2fs_destroy_recovery_cache(void)
++{
++      kmem_cache_destroy(fsync_entry_slab);
++}
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4027,9 +4027,12 @@ static int __init init_f2fs_fs(void)
+       err = f2fs_create_checkpoint_caches();
+       if (err)
+               goto free_segment_manager_caches;
+-      err = f2fs_create_extent_cache();
++      err = f2fs_create_recovery_cache();
+       if (err)
+               goto free_checkpoint_caches;
++      err = f2fs_create_extent_cache();
++      if (err)
++              goto free_recovery_cache;
+       err = f2fs_create_garbage_collection_cache();
+       if (err)
+               goto free_extent_cache;
+@@ -4078,6 +4081,8 @@ free_garbage_collection_cache:
+       f2fs_destroy_garbage_collection_cache();
+ free_extent_cache:
+       f2fs_destroy_extent_cache();
++free_recovery_cache:
++      f2fs_destroy_recovery_cache();
+ free_checkpoint_caches:
+       f2fs_destroy_checkpoint_caches();
+ free_segment_manager_caches:
+@@ -4103,6 +4108,7 @@ static void __exit exit_f2fs_fs(void)
+       f2fs_exit_sysfs();
+       f2fs_destroy_garbage_collection_cache();
+       f2fs_destroy_extent_cache();
++      f2fs_destroy_recovery_cache();
+       f2fs_destroy_checkpoint_caches();
+       f2fs_destroy_segment_manager_caches();
+       f2fs_destroy_node_manager_caches();
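Review bot: Nothing in the new f2fs_create_recovery_cache()/f2fs_destroy_recovery_cache() pair records that `fsync_entry_slab` is now a module-lifetime object that must never be created or destroyed per superblock, which is the invariant this fix depends on; a comment above the create function, `/* fsync_entry_slab is shared by all f2fs instances: created once in init_f2fs_fs(), destroyed once in exit_f2fs_fs() */`, would stop the per-mount pattern from being reintroduced. The `free_recovery_cache:` label sits between `free_extent_cache:` and `free_checkpoint_caches:` so the unwind order mirrors creation, and the unconditional destroy in exit_f2fs_fs() matches the sibling caches. f2fs_recover_fsync_data(), init_f2fs_fs() and exit_f2fs_fs() all extend beyond the hunk.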
diff --git a/queue-5.10/jfs-fix-gpf-in-difree.patch b/queue-5.10/jfs-fix-gpf-in-difree.patch
new file mode 100644 (file)
index 0000000..d6fb17e
--- /dev/null
@@ -0,0 +1,46 @@
+From 9d574f985fe33efd6911f4d752de6f485a1ea732 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 6 Jun 2021 17:24:05 +0300
+Subject: jfs: fix GPF in diFree
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream.
+
+Avoid passing inode with
+JFS_SBI(inode->i_sb)->ipimap == NULL to
+diFree()[1]. GFP will appear:
+
+       struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;
+       struct inomap *imap = JFS_IP(ipimap)->i_imap;
+
+JFS_IP() will return invalid pointer when ipimap == NULL
+
+Call Trace:
+ diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]
+ jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
+ evict+0x2ed/0x750 fs/inode.c:578
+ iput_final fs/inode.c:1654 [inline]
+ iput.part.0+0x3fe/0x820 fs/inode.c:1680
+ iput+0x58/0x70 fs/inode.c:1670
+
+Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/inode.c
++++ b/fs/jfs/inode.c
+@@ -151,7 +151,8 @@ void jfs_evict_inode(struct inode *inode
+                       if (test_cflag(COMMIT_Freewmap, inode))
+                               jfs_free_zero_link(inode);
+-                      diFree(inode);
++                      if (JFS_SBI(inode->i_sb)->ipimap)
++                              diFree(inode);
+                       /*
+                        * Free the inode from the quota allocation.
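Review bot: The new `if (JFS_SBI(inode->i_sb)->ipimap)` guard around diFree() in jfs_evict_inode() silently skips releasing the inode from the inode map when ipimap is NULL, and nothing says why that is safe; a comment such as `/* ipimap is NULL only if the superblock never finished mounting, so there is no on-disk inode map to update — confirm */` would make the precondition explicit. The commit message establishes only that diFree() dereferences a NULL ipimap, not when ipimap can be NULL, so the exact condition should be verified before the comment is worded as fact. jfs_evict_inode() starts and ends outside the hunk.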
diff --git a/queue-5.10/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch b/queue-5.10/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch
new file mode 100644 (file)
index 0000000..23048ff
--- /dev/null
@@ -0,0 +1,36 @@
+From 884af72c90016cfccd5717439c86b48702cbf184 Mon Sep 17 00:00:00 2001
+From: Zou Wei <zou_wei@huawei.com>
+Date: Tue, 8 Jun 2021 14:34:08 +0800
+Subject: pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+commit 884af72c90016cfccd5717439c86b48702cbf184 upstream.
+
+Add the missing unlock before return from function mcp23s08_irq()
+in the error handling case.
+
+v1-->v2:
+   remove the "return IRQ_HANDLED" line
+
+Fixes: 897120d41e7a ("pinctrl: mcp23s08: fix race condition in irq handler")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Link: https://lore.kernel.org/r/1623134048-56051-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -353,7 +353,7 @@ static irqreturn_t mcp23s08_irq(int irq,
+       if (intf == 0) {
+               /* There is no interrupt pending */
+-              return IRQ_HANDLED;
++              goto unlock;
+       }
+       if (mcp_read(mcp, MCP_INTCAP, &intcap))
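Review bot: The `goto unlock;` now routes the no-interrupt-pending case through the `unlock:` label, whose return statement lies outside the hunk; the old code returned IRQ_HANDLED here, and if the label's exit returns anything else a spurious or shared interrupt would be reported differently to the IRQ core, so that return value should be confirmed unchanged by the backport. Keeping the braces around the single `goto` is consistent with kernel style when a comment precedes the statement. mcp23s08_irq() starts and ends outside the hunk.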
index 52ac73648bbba09bd51c76d5b9df66c084c4d146..4d4702ae0fcbb30b3be1770caa95a44c12b87ba7 100644 (file)
@@ -206,3 +206,10 @@ media-gspca-sunplus-fix-zero-length-control-requests.patch
 media-rtl28xxu-fix-zero-length-control-request.patch
 media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch
 io_uring-fix-clear-ioring_setup_r_disabled-in-wrong-function.patch
+dm-writecache-write-at-least-4k-when-committing.patch
+pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch
+drm-ast-remove-reference-to-struct-drm_device.pdev.patch
+jfs-fix-gpf-in-difree.patch
+smackfs-restrict-bytes-count-in-smk_set_cipso.patch
+ext4-fix-memory-leak-in-ext4_fill_super.patch
+f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch
diff --git a/queue-5.10/smackfs-restrict-bytes-count-in-smk_set_cipso.patch b/queue-5.10/smackfs-restrict-bytes-count-in-smk_set_cipso.patch
new file mode 100644 (file)
index 0000000..272af87
--- /dev/null
@@ -0,0 +1,39 @@
+From 49ec114a6e62d8d320037ce71c1aaf9650b3cafd Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Mon, 12 Apr 2021 22:45:50 +0900
+Subject: smackfs: restrict bytes count in smk_set_cipso()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream.
+
+Oops, I failed to update subject line.
+
+From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 12 Apr 2021 22:25:06 +0900
+Subject: smackfs: restrict bytes count in smk_set_cipso()
+
+Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write
+functions") missed that count > SMK_CIPSOMAX check applies to only
+format == SMK_FIXED24_FMT case.
+
+Reported-by: syzbot <syzbot+77c53db50c9fff774e8e@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/smack/smackfs.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file
+       if (format == SMK_FIXED24_FMT &&
+           (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
+               return -EINVAL;
++      if (count > PAGE_SIZE)
++              return -EINVAL;
+       data = memdup_user_nul(buf, count);
+       if (IS_ERR(data))
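Review bot: The new `if (count > PAGE_SIZE) return -EINVAL;` in smk_set_cipso() bounds the memdup_user_nul() allocation for every format, but it sits right after the SMK_FIXED24_FMT check that already bounds `count` to SMK_CIPSOMAX, and no comment explains that its real purpose is the format the first check does not cover; a one-line comment, `/* bound the allocation for formats the SMK_FIXED24_FMT check above does not cover */`, would make the two checks read as a pair. Whether SMK_CIPSOMAX is itself below PAGE_SIZE is not visible in the hunk, so keeping the format-specific check first and the generic bound second is the safe ordering either way. smk_set_cipso() starts and ends outside the hunk.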