From 4221166073d5028bd753d44923ba148d37bf932f Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 11:48:04 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-cirrus-support-for-imac-12-1-model.patch alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch fs-add-missing-umask-strip-in-vfs_tmpfile.patch ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch tty-vt-initialize-unicode-screen-buffer.patch usbnet-fix-linkwatch-use-after-free-on-disconnect.patch vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch --- ...a-cirrus-support-for-imac-12-1-model.patch | 34 ++++++++ ...uirk-for-lenovo-20149-notebook-model.patch | 57 +++++++++++++ ...a-quirk-for-hp-omen-15-8786-mute-led.patch | 31 +++++++ ...d-quirk-for-another-asus-k42jz-model.patch | 56 ++++++++++++ ...rfaces-to-prevent-kernel-memory-leak.patch | 84 ++++++++++++++++++ ...-scrolling-while-logo-is-still-shown.patch | 52 ++++++++++++ ...checks-for-fbcon-vc-n1-n2-parameters.patch | 54 ++++++++++++ ...opy-handling-in-copy_mc_pipe_to_iter.patch | 82 ++++++++++++++++++ ...d-missing-umask-strip-in-vfs_tmpfile.patch | 40 +++++++++ ...n_on-dentry-is-null-in-ovl_encode_fh.patch | 57 +++++++++++++ queue-5.15/series | 14 +++ ...g_device_stats_setup-error-code-path.patch | 69 +++++++++++++++ ...-vt-initialize-unicode-screen-buffer.patch | 51 +++++++++++ ...nkwatch-use-after-free-on-disconnect.patch | 85 +++++++++++++++++++ ...ate-maximum-size-in-inode_newsize_ok.patch | 68 +++++++++++++++ 15 files changed, 834 insertions(+) create mode 100644 
queue-5.15/alsa-hda-cirrus-support-for-imac-12-1-model.patch create mode 100644 queue-5.15/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch create mode 100644 queue-5.15/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch create mode 100644 queue-5.15/alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch create mode 100644 queue-5.15/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch create mode 100644 queue-5.15/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch create mode 100644 queue-5.15/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch create mode 100644 queue-5.15/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch create mode 100644 queue-5.15/fs-add-missing-umask-strip-in-vfs_tmpfile.patch create mode 100644 queue-5.15/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch create mode 100644 queue-5.15/thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch create mode 100644 queue-5.15/tty-vt-initialize-unicode-screen-buffer.patch create mode 100644 queue-5.15/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch create mode 100644 queue-5.15/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch diff --git a/queue-5.15/alsa-hda-cirrus-support-for-imac-12-1-model.patch b/queue-5.15/alsa-hda-cirrus-support-for-imac-12-1-model.patch new file mode 100644 index 00000000000..cfb912af0a1 --- /dev/null +++ b/queue-5.15/alsa-hda-cirrus-support-for-imac-12-1-model.patch 
@@ -0,0 +1,34 @@
+From 74bba640d69914cf832b87f6bbb700e5ba430672 Mon Sep 17 00:00:00 2001
+From: Allen Ballway
+Date: Wed, 10 Aug 2022 15:27:22 +0000
+Subject: ALSA: hda/cirrus - support for iMac 12,1 model
+
+From: Allen Ballway
+
+commit 74bba640d69914cf832b87f6bbb700e5ba430672 upstream.
+
+The 12,1 model requires the same configuration as the 12,2 model
+to enable headphones but has a different codec SSID. Adds
+12,1 SSID for matching quirk.
+
+[ re-sorted in SSID order by tiwai ]
+
+Signed-off-by: Allen Ballway
+Cc:
+Link: https://lore.kernel.org/r/20220810152701.1.I902c2e591bbf8de9acb649d1322fa1f291849266@changeid
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -395,6 +395,7 @@ static const struct snd_pci_quirk cs420x
+
+ /* codec SSID */
+ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
++ SND_PCI_QUIRK(0x106b, 0x0900, "iMac 12,1", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+ SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
diff --git a/queue-5.15/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch b/queue-5.15/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
new file mode 100644
index 00000000000..6700f4f6217
--- /dev/null
+++ b/queue-5.15/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
@@ -0,0 +1,57 @@ +From f83bb2592482fe94c6eea07a8121763c80f36ce5 Mon Sep 17 00:00:00 2001 +From: Meng Tang +Date: Mon, 8 Aug 2022 15:34:06 +0800 +Subject: ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model + +From: Meng Tang + +commit f83bb2592482fe94c6eea07a8121763c80f36ce5 upstream. + +There is another LENOVO 20149 (Type1Sku0) Notebook model with +CX20590, the device PCI SSID is 17aa:3977, which headphones are +not responding, that requires the quirk CXT_PINCFG_LENOVO_NOTEBOOK. +Add the corresponding entry to the quirk table. + +Signed-off-by: Meng Tang +Cc: +Link: https://lore.kernel.org/r/20220808073406.19460-1-tangmeng@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -222,6 +222,7 @@ enum { + CXT_PINCFG_LEMOTE_A1205, + CXT_PINCFG_COMPAQ_CQ60, + CXT_FIXUP_STEREO_DMIC, ++ CXT_PINCFG_LENOVO_NOTEBOOK, + CXT_FIXUP_INC_MIC_BOOST, + CXT_FIXUP_HEADPHONE_MIC_PIN, + CXT_FIXUP_HEADPHONE_MIC, +@@ -772,6 +773,14 @@ static const struct hda_fixup cxt_fixups + .type = HDA_FIXUP_FUNC, + .v.func = cxt_fixup_stereo_dmic, + }, ++ [CXT_PINCFG_LENOVO_NOTEBOOK] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1a, 0x05d71030 }, ++ { } ++ }, ++ .chain_id = CXT_FIXUP_STEREO_DMIC, ++ }, + [CXT_FIXUP_INC_MIC_BOOST] = { + .type = HDA_FIXUP_FUNC, + .v.func = cxt5066_increase_mic_boost, +@@ -971,7 +980,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), +- SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC), ++ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_PINCFG_LENOVO_NOTEBOOK), + 
SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI), diff --git a/queue-5.15/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch b/queue-5.15/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch new file mode 100644 index 00000000000..09acb5b8367 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch @@ -0,0 +1,31 @@ +From 30267718fe2d4dbea49015b022f6f1fe16ca31ab Mon Sep 17 00:00:00 2001 +From: Bedant Patnaik +Date: Tue, 9 Aug 2022 19:54:55 +0530 +Subject: ALSA: hda/realtek: Add a quirk for HP OMEN 15 (8786) mute LED + +From: Bedant Patnaik + +commit 30267718fe2d4dbea49015b022f6f1fe16ca31ab upstream. + +Board ID 8786 seems to be another variant of the Omen 15 that needs +ALC285_FIXUP_HP_MUTE_LED for working mute LED. + +Signed-off-by: Bedant Patnaik +Cc: +Link: https://lore.kernel.org/r/20220809142455.6473-1-bedant.patnaik@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8879,6 +8879,7 @@ static const struct snd_pci_quirk alc269 + ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8783, "HP ZBook Fury 15 G7 Mobile Workstation", + ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8786, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8787, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch new file mode 100644 index 00000000000..899dd8dd83e --- /dev/null 
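Review bot: The new `CXT_PINCFG_LENOVO_NOTEBOOK` entry in the queued patch_conexant.c change sets `.chain_id = CXT_FIXUP_STEREO_DMIC` but never sets `.chained`, whereas the `ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE` entry queued in the same series sets both. If the fixup code only follows `chain_id` when `chained` is true (the Realtek entry suggests so; confirm against the HDA fixup helper), SSID 17aa:3977 now gets the pin override but silently loses the stereo DMIC fixup it had before its quirk-table line was switched. The proposed change is one line, `.chained = true,` placed above `.chain_id`. As this is a stable backport, the fix should land upstream first and be queued from there.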
+++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch 
@@ -0,0 +1,56 @@ +From f882c4bef9cb914d9f7be171afb10ed26536bfa7 Mon Sep 17 00:00:00 2001 +From: Meng Tang +Date: Fri, 5 Aug 2022 15:45:34 +0800 +Subject: ALSA: hda/realtek: Add quirk for another Asus K42JZ model + +From: Meng Tang + +commit f882c4bef9cb914d9f7be171afb10ed26536bfa7 upstream. + +There is another Asus K42JZ model with the PCI SSID 1043:1313 +that requires the quirk ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE. +Add the corresponding entry to the quirk table. + +Signed-off-by: Meng Tang +Cc: +Link: https://lore.kernel.org/r/20220805074534.20003-1-tangmeng@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6721,6 +6721,7 @@ enum { + ALC269_FIXUP_LIMIT_INT_MIC_BOOST, + ALC269VB_FIXUP_ASUS_ZENBOOK, + ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A, ++ ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE, + ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED, + ALC269VB_FIXUP_ORDISSIMO_EVE2, + ALC283_FIXUP_CHROME_BOOK, +@@ -7297,6 +7298,15 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC269VB_FIXUP_ASUS_ZENBOOK, + }, ++ [ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x18, 0x01a110f0 }, /* use as headset mic */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HEADSET_MIC ++ }, + [ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_limit_int_mic_boost, +@@ -8919,6 +8929,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x12a0, "ASUS X441UV", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x12e0, "ASUS X541SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC), ++ SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 
0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), diff --git a/queue-5.15/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch b/queue-5.15/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch new file mode 100644 index 00000000000..2697cea5444 --- /dev/null +++ b/queue-5.15/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch 
@@ -0,0 +1,84 @@ +From 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae Mon Sep 17 00:00:00 2001 +From: John Allen +Date: Wed, 18 May 2022 15:31:26 +0000 +Subject: crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak + +From: John Allen + +commit 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae upstream. + +For some sev ioctl interfaces, input may be passed that is less than or +equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP +firmware returns. In this case, kmalloc will allocate memory that is the +size of the input rather than the size of the data. Since PSP firmware +doesn't fully overwrite the buffer, the sev ioctl interfaces with the +issue may return uninitialized slab memory. + +Currently, all of the ioctl interfaces in the ccp driver are safe, but +to prevent future problems, change all ioctl interfaces that allocate +memory with kmalloc to use kzalloc and memset the data buffer to zero +in sev_ioctl_do_platform_status. + +Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands") +Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") +Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") +Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command") +Cc: stable@vger.kernel.org +Reported-by: Andy Nguyen +Suggested-by: David Rientjes +Suggested-by: Peter Gonda +Signed-off-by: John Allen +Reviewed-by: Peter Gonda +Acked-by: David Rientjes +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -388,6 +388,8 @@ static int sev_ioctl_do_platform_status( + struct sev_user_data_status data; + int ret; + ++ memset(&data, 0, sizeof(data)); ++ + ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error); + if (ret) + return ret; +@@ -441,7 +443,7 @@ static int 
sev_ioctl_do_pek_csr(struct s + if (input.length > SEV_FW_BLOB_MAX_SIZE) + return -EFAULT; + +- blob = kmalloc(input.length, GFP_KERNEL); ++ blob = kzalloc(input.length, GFP_KERNEL); + if (!blob) + return -ENOMEM; + +@@ -665,7 +667,7 @@ static int sev_ioctl_do_get_id2(struct s + input_address = (void __user *)input.address; + + if (input.address && input.length) { +- id_blob = kmalloc(input.length, GFP_KERNEL); ++ id_blob = kzalloc(input.length, GFP_KERNEL); + if (!id_blob) + return -ENOMEM; + +@@ -784,14 +786,14 @@ static int sev_ioctl_do_pdh_export(struc + if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) + return -EFAULT; + +- pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL); ++ pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL); + if (!pdh_blob) + return -ENOMEM; + + data.pdh_cert_address = __psp_pa(pdh_blob); + data.pdh_cert_len = input.pdh_cert_len; + +- cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL); ++ cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL); + if (!cert_blob) { + ret = -ENOMEM; + goto e_free_pdh; diff --git a/queue-5.15/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch b/queue-5.15/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch new file mode 100644 index 00000000000..7ecf1efc19d --- /dev/null +++ b/queue-5.15/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch 
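Review bot: None of the four `kzalloc()` sites or the added `memset()` in the queued sev-dev.c change says why zeroing is required, so a later cleanup could quietly turn them back into `kmalloc()` and reintroduce the disclosure the commit message describes. I would put a short comment at each allocation, e.g. `/* zeroed: firmware may write less than the requested length and the buffer is returned to userspace */`. In `sev_ioctl_do_platform_status()` it is also worth noting that `memset()` is deliberate, `/* memset, not an initializer: padding bytes must be cleared too */`, since the struct is handed back to the caller. All four functions start and end outside their hunks.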
@@ -0,0 +1,52 @@
+From 3866cba87dcd0162fb41e9b3b653d0af68fad5ec Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Thu, 2 Jun 2022 22:08:38 +0200
+Subject: fbcon: Fix accelerated fbdev scrolling while logo is still shown
+
+From: Helge Deller
+
+commit 3866cba87dcd0162fb41e9b3b653d0af68fad5ec upstream.
+
+There is no need to directly skip over to the SCROLL_REDRAW case while
+the logo is still shown.
+
+When using DRM, this change has no effect because the code will reach
+the SCROLL_REDRAW case immediately anyway.
+
+But if you run an accelerated fbdev driver and have
+FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION enabled, console scrolling is
+slowed down by factors so that it feels as if you use a 9600 baud
+terminal.
+
+So, drop those unnecessary checks and speed up fbdev console
+acceleration during bootup.
+
+Cc: stable@vger.kernel.org # v5.10+
+Acked-by: Daniel Vetter
+Signed-off-by: Helge Deller
+Link: https://patchwork.freedesktop.org/patch/msgid/YpkYxk7wsBPx3po+@p100
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbcon.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -1706,8 +1706,6 @@ static bool fbcon_scroll(struct vc_data
+ case SM_UP:
+ if (count > vc->vc_rows) /* Maximum realistic size */
+ count = vc->vc_rows;
+- if (logo_shown >= 0)
+- goto redraw_up;
+ switch (fb_scrollmode(p)) {
+ case SCROLL_MOVE:
+ fbcon_redraw_blit(vc, info, p, t, b - t - count,
+@@ -1796,8 +1794,6 @@ static bool fbcon_scroll(struct vc_data
+ case SM_DOWN:
+ if (count > vc->vc_rows) /* Maximum realistic size */
+ count = vc->vc_rows;
+- if (logo_shown >= 0)
+- goto redraw_down;
+ switch (fb_scrollmode(p)) {
+ case SCROLL_MOVE:
+ fbcon_redraw_blit(vc, info, p, b - 1, b - t - count,
diff --git a/queue-5.15/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch b/queue-5.15/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch
new file mode 100644
index 00000000000..9376c295682
--- /dev/null
+++ b/queue-5.15/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch
@@ -0,0 +1,54 @@
+From cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Thu, 2 Jun 2022 22:06:28 +0200
+Subject: fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
+
+From: Helge Deller
+
+commit cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 upstream.
+
+The user may use the fbcon=vc:- option to tell fbcon to take
+over the given range (n1...n2) of consoles. The value for n1 and n2
+needs to be a positive number and up to (MAX_NR_CONSOLES - 1).
+The given values were not fully checked against those boundaries yet.
+
+To fix the issue, convert first_fb_vc and last_fb_vc to unsigned
+integers and check them against the upper boundary, and make sure that
+first_fb_vc is smaller than last_fb_vc.
+
+Cc: stable@vger.kernel.org # v4.19+
+Reviewed-by: Daniel Vetter
+Signed-off-by: Helge Deller
+Link: https://patchwork.freedesktop.org/patch/msgid/YpkYRMojilrtZIgM@p100
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbcon.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -115,8 +115,8 @@ static int logo_lines;
+ enums. */
+ static int logo_shown = FBCON_LOGO_CANSHOW;
+ /* console mappings */
+-static int first_fb_vc;
+-static int last_fb_vc = MAX_NR_CONSOLES - 1;
++static unsigned int first_fb_vc;
++static unsigned int last_fb_vc = MAX_NR_CONSOLES - 1;
+ static int fbcon_is_default = 1;
+ static int primary_device = -1;
+ static int fbcon_has_console_bind;
+@@ -464,10 +464,12 @@ static int __init fb_console_setup(char
+ options += 3;
+ if (*options)
+ first_fb_vc = simple_strtoul(options, &options, 10) - 1;
+- if (first_fb_vc < 0)
++ if (first_fb_vc >= MAX_NR_CONSOLES)
+ first_fb_vc = 0;
+ if (*options++ == '-')
+ last_fb_vc = simple_strtoul(options, &options, 10) - 1;
++ if (last_fb_vc < first_fb_vc || last_fb_vc >= MAX_NR_CONSOLES)
++ last_fb_vc = MAX_NR_CONSOLES - 1;
+ fbcon_is_default = 0;
+ continue;
+ }
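Review bot: In `fb_console_setup()` the range checks run only after the `simple_strtoul()` result has been narrowed into the now `unsigned int` `first_fb_vc` and `last_fb_vc`, so on a 64-bit build a value above UINT_MAX can wrap into the valid range and be accepted instead of falling back to the default. Checking the full-width value first avoids that: `unsigned long n = simple_strtoul(options, &options, 10) - 1;` followed by `first_fb_vc = n < MAX_NR_CONSOLES ? n : 0;`, and the same for `last_fb_vc`. The code also relies on `n1 == 0` wrapping to a huge value through the `- 1` and being caught by the upper-bound test, which deserves a comment such as `/* "0" wraps past MAX_NR_CONSOLES and falls back to the default */`. The function body continues outside the hunk.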
diff --git a/queue-5.15/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch b/queue-5.15/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch
new file mode 100644
index 00000000000..15d47b3ec59
--- /dev/null
+++ b/queue-5.15/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch
@@ -0,0 +1,82 @@ +From c3497fd009ef2c59eea60d21c3ac22de3585ed7d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 12 Jun 2022 19:50:29 -0400 +Subject: fix short copy handling in copy_mc_pipe_to_iter() + +From: Al Viro + +commit c3497fd009ef2c59eea60d21c3ac22de3585ed7d upstream. + +Unlike other copying operations on ITER_PIPE, copy_mc_to_iter() can +result in a short copy. In that case we need to trim the unused +buffers, as well as the length of partially filled one - it's not +enough to set ->head, ->iov_offset and ->count to reflect how +much had we copied. Not hard to fix, fortunately... + +I'd put a helper (pipe_discard_from(pipe, head)) into pipe_fs_i.h, +rather than iov_iter.c - it has nothing to do with iov_iter and +having it will allow us to avoid an ugly kludge in fs/splice.c. +We could put it into lib/iov_iter.c for now and move it later, +but I don't see the point going that way... + +Cc: stable@kernel.org # 4.19+ +Fixes: ca146f6f091e "lib/iov_iter: Fix pipe handling in _copy_to_iter_mcsafe()" +Reviewed-by: Jeff Layton +Reviewed-by: Christian Brauner (Microsoft) +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pipe_fs_i.h | 9 +++++++++ + lib/iov_iter.c | 15 +++++++++++---- + 2 files changed, 20 insertions(+), 4 deletions(-) + +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -229,6 +229,15 @@ static inline bool pipe_buf_try_steal(st + return buf->ops->try_steal(pipe, buf); + } + ++static inline void pipe_discard_from(struct pipe_inode_info *pipe, ++ unsigned int old_head) ++{ ++ unsigned int mask = pipe->ring_size - 1; ++ ++ while (pipe->head > old_head) ++ pipe_buf_release(pipe, &pipe->bufs[--pipe->head & mask]); ++} ++ + /* Differs from PIPE_BUF in that PIPE_SIZE is the length of the actual + memory allocation, whereas PIPE_BUF makes atomicity guarantees. 
*/ + #define PIPE_SIZE PAGE_SIZE +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -691,6 +691,7 @@ static size_t copy_mc_pipe_to_iter(const + struct pipe_inode_info *pipe = i->pipe; + unsigned int p_mask = pipe->ring_size - 1; + unsigned int i_head; ++ unsigned int valid = pipe->head; + size_t n, off, xfer = 0; + + if (!sanity(i)) +@@ -704,11 +705,17 @@ static size_t copy_mc_pipe_to_iter(const + rem = copy_mc_to_kernel(p + off, addr + xfer, chunk); + chunk -= rem; + kunmap_local(p); +- i->head = i_head; +- i->iov_offset = off + chunk; +- xfer += chunk; +- if (rem) ++ if (chunk) { ++ i->head = i_head; ++ i->iov_offset = off + chunk; ++ xfer += chunk; ++ valid = i_head + 1; ++ } ++ if (rem) { ++ pipe->bufs[i_head & p_mask].len -= rem; ++ pipe_discard_from(pipe, valid); + break; ++ } + n -= chunk; + off = 0; + i_head++; diff --git a/queue-5.15/fs-add-missing-umask-strip-in-vfs_tmpfile.patch b/queue-5.15/fs-add-missing-umask-strip-in-vfs_tmpfile.patch new file mode 100644 index 00000000000..170ff241812 --- /dev/null +++ b/queue-5.15/fs-add-missing-umask-strip-in-vfs_tmpfile.patch 
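Review bot: `pipe_discard_from()` tests `pipe->head > old_head` directly, which is not safe across a wrap if `head` is a free-running unsigned counter that is only masked when indexing (the `& mask` on the next line suggests it is). After a wrap the comparison is false and the buffers pushed past `old_head` would stay in the ring with stale contents rather than being released. A wrap-tolerant form would be `while ((int)(pipe->head - old_head) > 0)`. The helper also has no comment on its contract; one line saying that `old_head` must be an earlier value of `pipe->head`, and what locking the caller needs, would help the callers the commit message anticipates in fs/splice.c. Since this is a stable backport, any change should go upstream first.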
@@ -0,0 +1,40 @@
+From ac6800e279a22b28f4fc21439843025a0d5bf03e Mon Sep 17 00:00:00 2001
+From: Yang Xu
+Date: Thu, 14 Jul 2022 14:11:26 +0800
+Subject: fs: Add missing umask strip in vfs_tmpfile
+
+From: Yang Xu
+
+commit ac6800e279a22b28f4fc21439843025a0d5bf03e upstream.
+
+All creation paths except for O_TMPFILE handle umask in the vfs directly
+if the filesystem doesn't support or enable POSIX ACLs. If the filesystem
+does then umask handling is deferred until posix_acl_create().
+Because, O_TMPFILE misses umask handling in the vfs it will not honor
+umask settings. Fix this by adding the missing umask handling.
+
+Link: https://lore.kernel.org/r/1657779088-2242-2-git-send-email-xuyang2018.jy@fujitsu.com
+Fixes: 60545d0d4610 ("[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...")
+Cc: # 4.19+
+Reported-by: Christian Brauner (Microsoft)
+Reviewed-by: Darrick J. Wong
+Reviewed-and-Tested-by: Jeff Layton
+Acked-by: Christian Brauner (Microsoft)
+Signed-off-by: Yang Xu
+Signed-off-by: Christian Brauner (Microsoft)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namei.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3523,6 +3523,8 @@ struct dentry *vfs_tmpfile(struct user_n
+ child = d_alloc(dentry, &slash_name);
+ if (unlikely(!child))
+ goto out_err;
++ if (!IS_POSIXACL(dir))
++ mode &= ~current_umask();
+ error = dir->i_op->tmpfile(mnt_userns, dir, child, mode);
+ if (error)
+ goto out_err;
diff --git a/queue-5.15/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch b/queue-5.15/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch
new file mode 100644
index 00000000000..db30436661a
--- /dev/null
+++ b/queue-5.15/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch
@@ -0,0 +1,57 @@
+From dd524b7f317de8d31d638cbfdc7be4cf9b770e42 Mon Sep 17 00:00:00 2001
+From: Jiachen Zhang
+Date: Thu, 28 Jul 2022 19:49:15 +0800
+Subject: ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
+
+From: Jiachen Zhang
+
+commit dd524b7f317de8d31d638cbfdc7be4cf9b770e42 upstream.
+
+Some code paths cannot guarantee the inode have any dentry alias. So
+WARN_ON() all !dentry may flood the kernel logs.
+
+For example, when an overlayfs inode is watched by inotifywait (1), and
+someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD,
+at that time if the dentry has been reclaimed by kernel (such as
+echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The
+printed call stack would be like:
+
+ ? show_mark_fhandle+0xf0/0xf0
+ show_mark_fhandle+0x4a/0xf0
+ ? show_mark_fhandle+0xf0/0xf0
+ ? seq_vprintf+0x30/0x50
+ ? seq_printf+0x53/0x70
+ ? show_mark_fhandle+0xf0/0xf0
+ inotify_fdinfo+0x70/0x90
+ show_fdinfo.isra.4+0x53/0x70
+ seq_show+0x130/0x170
+ seq_read+0x153/0x440
+ vfs_read+0x94/0x150
+ ksys_read+0x5f/0xe0
+ do_syscall_64+0x59/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+So let's drop WARN_ON() to avoid kernel log flooding.
+
+Reported-by: Hongbo Yin
+Signed-off-by: Jiachen Zhang
+Signed-off-by: Tianci Zhang
+Fixes: 8ed5eec9d6c4 ("ovl: encode pure upper file handles")
+Cc: # v4.16
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -259,7 +259,7 @@ static int ovl_encode_fh(struct inode *i
+ return FILEID_INVALID;
+
+ dentry = d_find_any_alias(inode);
+- if (WARN_ON(!dentry))
++ if (!dentry)
+ return FILEID_INVALID;
+
+ bytes = ovl_dentry_to_fid(ofs, dentry, fid, buflen);
diff --git a/queue-5.15/series b/queue-5.15/series
index 564c3f3be1d..4035f112523 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -32,3 +32,17 @@ kvm-x86-tag-kvm_mmu_x86_module_init-with-__init.patch
 kvm-x86-do-not-report-preemption-if-the-steal-time-cache-is-stale.patch
 kvm-x86-revalidate-steal-time-cache-if-msr-value-changes.patch
 riscv-set-default-pm_power_off-to-null.patch
+alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
+alsa-hda-cirrus-support-for-imac-12-1-model.patch
+alsa-hda-realtek-add-quirk-for-another-asus-k42jz-model.patch
+alsa-hda-realtek-add-a-quirk-for-hp-omen-15-8786-mute-led.patch
+tty-vt-initialize-unicode-screen-buffer.patch
+vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
+fs-add-missing-umask-strip-in-vfs_tmpfile.patch
+thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch
+fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-parameters.patch
+fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-still-shown.patch
+usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
+fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch
+crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-prevent-kernel-memory-leak.patch
+ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch
diff --git a/queue-5.15/thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch b/queue-5.15/thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch
new file mode 100644
index 00000000000..6d2b97b0c61
--- /dev/null
+++ b/queue-5.15/thermal-sysfs-fix-cooling_device_stats_setup-error-code-path.patch
@@ -0,0 +1,69 @@ +From d5a8aa5d7d80d21ab6b266f1bed4194b61746199 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Fri, 29 Jul 2022 17:39:07 +0200 +Subject: thermal: sysfs: Fix cooling_device_stats_setup() error code path + +From: Rafael J. Wysocki + +commit d5a8aa5d7d80d21ab6b266f1bed4194b61746199 upstream. + +If cooling_device_stats_setup() fails to create the stats object, it +must clear the last slot in cooling_device_attr_groups that was +initially empty (so as to make it possible to add stats attributes to +the cooling device attribute groups). + +Failing to do so may cause the stats attributes to be created by +mistake for a device that doesn't have a stats object, because the +slot in question might be populated previously during the registration +of another cooling device. + +Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs") +Reported-by: Di Shen +Tested-by: Di Shen +Cc: 4.17+ # 4.17+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_sysfs.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/thermal/thermal_sysfs.c ++++ b/drivers/thermal/thermal_sysfs.c +@@ -813,12 +813,13 @@ static const struct attribute_group cool + + static void cooling_device_stats_setup(struct thermal_cooling_device *cdev) + { ++ const struct attribute_group *stats_attr_group = NULL; + struct cooling_dev_stats *stats; + unsigned long states; + int var; + + if (cdev->ops->get_max_state(cdev, &states)) +- return; ++ goto out; + + states++; /* Total number of states is highest state + 1 */ + +@@ -828,7 +829,7 @@ static void cooling_device_stats_setup(s + + stats = kzalloc(var, GFP_KERNEL); + if (!stats) +- return; ++ goto out; + + stats->time_in_state = (ktime_t *)(stats + 1); + stats->trans_table = (unsigned int *)(stats->time_in_state + states); +@@ -838,9 +839,12 @@ static void cooling_device_stats_setup(s + + spin_lock_init(&stats->lock); + ++ stats_attr_group = 
&cooling_device_stats_attr_group; ++ ++out: + /* Fill the empty slot left in cooling_device_attr_groups */ + var = ARRAY_SIZE(cooling_device_attr_groups) - 2; +- cooling_device_attr_groups[var] = &cooling_device_stats_attr_group; ++ cooling_device_attr_groups[var] = stats_attr_group; + } + + static void cooling_device_stats_destroy(struct thermal_cooling_device *cdev) diff --git a/queue-5.15/tty-vt-initialize-unicode-screen-buffer.patch b/queue-5.15/tty-vt-initialize-unicode-screen-buffer.patch new file mode 100644 index 00000000000..e5b8ad3cba9 --- /dev/null +++ b/queue-5.15/tty-vt-initialize-unicode-screen-buffer.patch 
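Review bot: `cooling_device_stats_setup()` now always stores into the stats slot of `cooling_device_attr_groups`, but that array is shared by every cooling-device registration (the commit message depends on exactly that), and nothing in the visible lines shows a lock covering the window between this store and the point where the groups are consumed. If two registrations can overlap, one device could still pick up the slot value written for the other, which is the same wrong-attributes outcome this change is meant to prevent. Please confirm that the caller serialises registration, and record it at the store, e.g. `/* shared by all cdevs: caller must serialise registration until the groups are consumed */`.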
@@ -0,0 +1,51 @@
+From af77c56aa35325daa2bc2bed5c2ebf169be61b86 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 19 Jul 2022 14:49:39 +0900
+Subject: tty: vt: initialize unicode screen buffer
+
+From: Tetsuo Handa
+
+commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 upstream.
+
+syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
+immediately after resize operation. Initialize buffer using kzalloc().
+
+ ----------
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, char *argv[])
+ {
+ struct fb_var_screeninfo var = { };
+ const int fb_fd = open("/dev/fb0", 3);
+ ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
+ var.yres = 0x21;
+ ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
+ return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
+ }
+ ----------
+
+Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
+Cc: stable
+Reported-by: syzbot
+Reviewed-by: Jiri Slaby
+Signed-off-by: Tetsuo Handa
+Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_allo
+ /* allocate everything in one go */
+ memsize = cols * rows * sizeof(char32_t);
+ memsize += rows * sizeof(char32_t *);
+- p = vmalloc(memsize);
++ p = vzalloc(memsize);
+ if (!p)
+ return NULL;
+
diff --git a/queue-5.15/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch b/queue-5.15/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
new file mode 100644
index 00000000000..764698e8125
--- /dev/null
+++ b/queue-5.15/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
@@ -0,0 +1,85 @@
+From a69e617e533edddf3fa3123149900f36e0a6dc74 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Thu, 23 Jun 2022 14:50:59 +0200
+Subject: usbnet: Fix linkwatch use-after-free on disconnect
+
+From: Lukas Wunner
+
+commit a69e617e533edddf3fa3123149900f36e0a6dc74 upstream.
+
+usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
+sleep. On disconnect, completion of the work was originally awaited in
+->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
+commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
+
+ https://git.kernel.org/tglx/history/c/0f138bbfd83c
+
+The change was made because back then, the kernel's workqueue
+implementation did not allow waiting for a single work. One had to wait
+for completion of *all* work by calling flush_scheduled_work(), and that
+could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
+held in ->ndo_stop().
+
+The commit solved one problem but created another: It causes a
+use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,
+ax88179_178a.c, ch9200.c and smsc75xx.c:
+
+* If the drivers receive a link change interrupt immediately before
+ disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)
+ ->status() callback and schedule usbnet_deferred_kevent().
+* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,
+ which calls netif_carrier_{on,off}().
+* That in turn schedules the work linkwatch_event().
+
+Because usbnet_deferred_kevent() is awaited after unregister_netdev(),
+netif_carrier_{on,off}() may operate on an unregistered netdev and
+linkwatch_event() may run after free_netdev(), causing a use-after-free.
+
+In 2010, usbnet was changed to only wait for a single instance of
+usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf
+("drivers/net: don't use flush_scheduled_work()").
+
+Unfortunately the commit neglected to move the wait back to
+->ndo_stop(). Rectify that omission at long last.
+
+Reported-by: Jann Horn
+Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
+Reported-by: Oleksij Rempel
+Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org
+Acked-by: Oliver Neukum
+Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -847,13 +847,11 @@ int usbnet_stop (struct net_device *net)
+
+ mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
+
+- /* deferred work (task, timer, softirq) must also stop.
+- * can't flush_scheduled_work() until we drop rtnl (later),
+- * else workers could deadlock; so make workers a NOP.
+- */
++ /* deferred work (timer, softirq, task) must also stop */
+ dev->flags = 0;
+ del_timer_sync (&dev->delay);
+ tasklet_kill (&dev->bh);
++ cancel_work_sync(&dev->kevent);
+ if (!pm)
+ usb_autopm_put_interface(dev->intf);
+
+@@ -1617,8 +1615,6 @@ void usbnet_disconnect (struct usb_inter
+ net = dev->net;
+ unregister_netdev (net);
+
+- cancel_work_sync(&dev->kevent);
+-
+ usb_scuttle_anchored_urbs(&dev->deferred);
+
+ if (dev->driver_info->unbind)
diff --git a/queue-5.15/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch b/queue-5.15/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
new file mode 100644
index 00000000000..de47bfc9bd8
--- /dev/null
+++ b/queue-5.15/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
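Review bot: In usbnet_stop() (drivers/net/usb/usbnet.c) the new `cancel_work_sync(&dev->kevent);` runs after `del_timer_sync (&dev->delay);` and `tasklet_kill (&dev->bh);`, so whatever the work item does while it is still finishing happens once the timer and tasklet have already been stopped. usbnet_deferred_kevent() is not part of this hunk; if it can schedule `dev->bh` or re-arm `dev->delay`, either could outlive the stop and run against a device that is being torn down, which is the same class of bug the patch closes for linkwatch. The call also now waits with rtnl held, which the removed comment warned about for flush_scheduled_work(), so it is worth confirming the work item never takes rtnl itself. I would state the assumption at the call: `/* kevent must not re-arm dev->delay or dev->bh, nor take rtnl */`. Both usbnet_stop() and usbnet_disconnect() continue outside the hunk.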
@@ -0,0 +1,68 @@
+From e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 8 Aug 2022 09:52:35 +0100
+Subject: vfs: Check the truncate maximum size in inode_newsize_ok()
+
+From: David Howells
+
+commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream.
+
+If something manages to set the maximum file size to MAX_OFFSET+1, this
+can cause the xfs and ext4 filesystems at least to become corrupt.
+
+Ordinarily, the kernel protects against userspace trying this by
+checking the value early in the truncate() and ftruncate() system calls
+calls - but there are at least two places that this check is bypassed:
+
+ (1) Cachefiles will round up the EOF of the backing file to DIO block
+ size so as to allow DIO on the final block - but this might push
+ the offset negative. It then calls notify_change(), but this
+ inadvertently bypasses the checking. This can be triggered if
+ someone puts an 8EiB-1 file on a server for someone else to try and
+ access by, say, nfs.
+
+ (2) ksmbd doesn't check the value it is given in set_end_of_file_info()
+ and then calls vfs_truncate() directly - which also bypasses the
+ check.
+
+In both cases, it is potentially possible for a network filesystem to
+cause a disk filesystem to be corrupted: cachefiles in the client's
+cache filesystem; ksmbd in the server's filesystem.
+
+nfsd is okay as it checks the value, but we can then remove this check
+too.
+
+Fix this by adding a check to inode_newsize_ok(), as called from
+setattr_prepare(), thereby catching the issue as filesystems set up to
+perform the truncate with minimal opportunity for bypassing the new
+check.
+
+Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
+Fixes: f44158485826 ("cifsd: add file operations")
+Signed-off-by: David Howells
+Reported-by: Jeff Layton
+Tested-by: Jeff Layton
+Reviewed-by: Namjae Jeon
+Cc: stable@kernel.org
+Acked-by: Alexander Viro
+cc: Steve French
+cc: Hyunchul Lee
+cc: Chuck Lever
+cc: Dave Wysochanski
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/attr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare);
+ */
+ int inode_newsize_ok(const struct inode *inode, loff_t offset)
+ {
++ if (offset < 0)
++ return -EINVAL;
+ if (inode->i_size < offset) {
+ unsigned long limit;
+
-- 2.47.3
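Review bot: The new `if (offset < 0) return -EINVAL;` at the top of inode_newsize_ok() (fs/attr.c) is not explained at the check and, as far as the hunk shows, not reflected in the function's kernel-doc, whose text lies above the visible lines. Since the commit message describes this as the backstop for sizes that arrive from network filesystems (cachefiles rounding, ksmbd's set_end_of_file_info()), I would add `/* loff_t is signed: a size past the maximum shows up here as negative */` above the check and mention the -EINVAL return in the kernel-doc. The check only helps on paths that reach inode_newsize_ok(), so a filesystem whose setattr does not call setattr_prepare() or this helper would still be exposed; that is not verifiable from this hunk. The function body continues past the last visible line.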