summaryrefslogtreecommitdiff
path: root/fs
AgeCommit message (Collapse)Author
2021-12-22Merge 4.4.296 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.296 nfc: fix segfault in nfc_genl_dump_devices_done parisc/agp: Annotate parisc agp init functions with __init i2c: rk3x: Handle a spurious start completion interrupt flag net: netlink: af_netlink: Prevent empty skb by adding a check on len. hwmon: (dell-smm) Fix warning on /proc/i8k creation error mac80211: send ADDBA requests using the tid/queue of the aggregation session recordmcount.pl: look for jgnop instruction as well as bcrl on s390 dm btree remove: fix use after free in rebalance_children() nfsd: fix use-after-free due to delegation race soc/tegra: fuse: Fix bitwise vs. logical OR warning igbvf: fix double free in `igbvf_probe` USB: gadget: bRequestType is a bitfield, not a enum PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error USB: serial: option: add Telit FN990 compositions timekeeping: Really make sure wall_to_monotonic isn't positive net: systemport: Add global locking for descriptor lifecycle net: lan78xx: Avoid unnecessary self assignment ARM: 8805/2: remove unneeded naked function usage Input: touchscreen - avoid bitwise vs logical OR warning xen/blkfront: harden blkfront against event channel storms xen/netfront: harden netfront against event channel storms xen/console: harden hvc_xen against event channel storms xen/netback: don't queue unlimited number of packages Linux 4.4.296 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic14e24f8aace34bee9cf82757fa4908dc5ac2c43
2021-12-22nfsd: fix use-after-free due to delegation raceJ. Bruce Fields
commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream. A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru. Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread. I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning. Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields <bfields@redhat.com> [Salvatore Bonaccorso: Backport for context changes to versions which do not have 20b7d86f29d3 ("nfsd: use boottime for lease expiry calculation")] Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-14Merge 4.4.295 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.295 HID: introduce hid_is_using_ll_driver HID: add hid_is_usb() function to make it simpler for USB detection HID: add USB_HID dependancy to hid-prodikeys HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy on some USB HID drivers HID: wacom: fix problems when device is not a valid USB device HID: check for valid USB device for many HID drivers can: sja1000: fix use after free in ems_pcmcia_add_card() nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done mm: bdi: initialize bdi_min_ratio when bdi is unregistered ALSA: ctl: Fix copy of updated id with element read/write ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() tracefs: Have new files inherit the ownership of their parent can: pch_can: pch_can_rx_normal: fix use after free libata: add horkage for ASMedia 1092 wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() tracefs: Set all files to the same group ownership as the mount option block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero net: altera: set a couple error code in probe() net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net, neigh: clear whole pneigh_entry at alloc time net/qla3xxx: fix an error code in ql_adapter_up() USB: gadget: detect too-big endpoint 0 requests USB: gadget: zero allocate endpoint 0 buffers usb: core: config: fix validation of wMaxPacketValue entries iio: stk3310: Don't return error code in interrupt handler iio: mma8452: Fix trigger reference couting iio: ltr501: Don't return error code in trigger handler iio: itg3200: Call iio_trigger_notify_done() on error iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip: nvic: Fix offset for Interrupt Priority Offsets Linux 4.4.295 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4810f7e2ebd538739fb0d62f9eade0921a9badfb
2021-12-14tracefs: Set all files to the same group ownership as the mount optionSteven Rostedt (VMware)
commit 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 upstream. As people have been asking to allow non-root processes to have access to the tracefs directory, it was considered best to only allow groups to have access to the directory, where it is easier to just set the tracefs file system to a specific group (as other would be too dangerous), and that way the admins could pick which processes would have access to tracefs. Unfortunately, this broke tooling on Android that expected the other bit to be set. For some special cases, for non-root tools to trace the system, tracefs would be mounted and change the permissions of the top level directory which gave access to all running tasks permission to the tracing directory. Even though this would be dangerous to do in a production environment, for testing environments this can be useful. Now with the new changes to not allow other (which is still the proper thing to do), it breaks the testing tooling. Now more code needs to be loaded on the system to change ownership of the tracing directory. The real solution is to have tracefs honor the gid=xxx option when mounting. That is, (tracing group tracing has value 1003) mount -t tracefs -o gid=1003 tracefs /sys/kernel/tracing should have it that all files in the tracing directory should be of the given group. Copy the logic from d_walk() from dcache.c and simplify it for the mount case of tracefs if gid is set. All the files in tracefs will be walked and their group will be set to the value passed in. Link: https://lkml.kernel.org/r/20211207171729.2a54e1b3@gandalf.local.home Cc: Ingo Molnar <mingo@kernel.org> Cc: Kees Cook <keescook@chromium.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: linux-fsdevel@vger.kernel.org Cc: Al Viro <viro@ZenIV.linux.org.uk> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reported-by: Kalesh Singh <kaleshsingh@google.com> Reported-by: Yabin Cui <yabinc@google.com> Fixes: 49d67e445742 ("tracefs: Have tracefs directories not set OTH permission bits by default") Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-14signalfd: use wake_up_pollfree()Eric Biggers
commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream. wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll and aio poll are fortunately not affected by this, but it's very fragile. Thus, the new function wake_up_pollfree() has been introduced. Convert signalfd to use wake_up_pollfree(). Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211209010455.42744-4-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-14tracefs: Have new files inherit the ownership of their parentSteven Rostedt (VMware)
commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream. If directories in tracefs have their ownership changed, then any new files and directories that are created under those directories should inherit the ownership of the director they are created in. Link: https://lkml.kernel.org/r/20211208075720.4855d180@gandalf.local.home Cc: Kees Cook <keescook@chromium.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Yabin Cui <yabinc@google.com> Cc: Christian Brauner <christian.brauner@ubuntu.com> Cc: stable@vger.kernel.org Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system") Reported-by: Kalesh Singh <kaleshsingh@google.com> Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/ Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08Merge 4.4.294 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.294 staging: ion: Prevent incorrect reference counting behavour USB: serial: option: add Telit LE910S1 0x9200 composition USB: serial: option: add Fibocom FM101-GL variants usb: hub: Fix usb enumeration issue due to address0 race usb: hub: Fix locking issues with address0_mutex binder: fix test regression due to sender_euid change ALSA: ctxfi: Fix out-of-range access staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() xen: don't continue xenstore initialization in case of errors xen: detect uninitialized xenbus in xenbus_init ARM: dts: BCM5301X: Add interrupt properties to GPIO node ASoC: topology: Add missing rwsem around snd_ctl_remove() calls net: ieee802154: handle iftypes as u32 NFSv42: Don't fail clone() unless the OP_CLONE operation failed ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE scsi: mpt3sas: Fix kernel panic during drive powercycle test tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows tracing: Check pid filtering when creating events hugetlbfs: flush TLBs correctly after huge_pmd_unshare proc/vmcore: fix clearing user buffer by properly using clear_user() NFC: add NCI_UNREG flag to eliminate the race fuse: fix page stealing fuse: release pipe buf after last use shm: extend forced shm destroy to support objects from several IPC nses xen: sync include/xen/interface/io/ring.h with Xen's newest version xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: disentangle tx_skb_freelist xen/netfront: don't trust the backend response data blindly tty: hvc: replace BUG_ON() with negative return value hugetlb: take PMD sharing into account when flushing tlb/caches net: return correct error code platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep s390/setup: avoid using memblock_enforce_memory_limit scsi: iscsi: Unblock session then wake up error handler net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() kprobes: Limit max data_size of the kretprobe instances sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl fs: add fget_many() and fput_many() fget: check that the fd still exists after getting a ref to it natsemi: xtensa: fix section mismatch warnings net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() siphash: use _unaligned version by default parisc: Fix "make install" on newer debian releases vgacon: Propagate console boot parameters before calling `vc_resize' tty: serial: msm_serial: Deactivate RX DMA for polling support serial: pl011: Add ACPI SBSA UART match id Linux 4.4.294 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id3cafc33da957a0501bcf61d000025167d552797
2021-12-08fget: check that the fd still exists after getting a ref to itLinus Torvalds
commit 054aa8d439b9185d4f5eb9a90282d1ce74772969 upstream. Jann Horn points out that there is another possible race wrt Unix domain socket garbage collection, somewhat reminiscent of the one fixed in commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK"). See the extended comment about the garbage collection requirements added to unix_peek_fds() by that commit for details. The race comes from how we can locklessly look up a file descriptor just as it is in the process of being closed, and with the right artificial timing (Jann added a few strategic 'mdelay(500)' calls to do that), the Unix domain socket garbage collector could see the reference count decrement of the close() happen before fget() took its reference to the file and the file was attached onto a new file descriptor. This is all (intentionally) correct on the 'struct file *' side, with RCU lookups and lockless reference counting very much part of the design. Getting that reference count out of order isn't a problem per se. But the garbage collector can get confused by seeing this situation of having seen a file not having any remaining external references and then seeing it being attached to an fd. In commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK") the fix was to serialize the file descriptor install with the garbage collector by taking and releasing the unix_gc_lock. That's not really an option here, but since this all happens when we are in the process of looking up a file descriptor, we can instead simply just re-check that the file hasn't been closed in the meantime, and just re-do the lookup if we raced with a concurrent close() of the same file descriptor. Reported-and-tested-by: Jann Horn <jannh@google.com> Acked-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08fs: add fget_many() and fput_many()Jens Axboe
commit 091141a42e15fe47ada737f3996b317072afcefb upstream. Some uses cases repeatedly get and put references to the same file, but the only exposed interface is doing these one at the time. As each of these entail an atomic inc or dec on a shared structure, that cost can add up. Add fget_many(), which works just like fget(), except it takes an argument for how many references to get on the file. Ditto fput_many(), which can drop an arbitrary number of references to a file. Reviewed-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08fuse: release pipe buf after last useMiklos Szeredi
commit 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 upstream. Checking buf->flags should be done before the pipe_buf_release() is called on the pipe buffer, since releasing the buffer might modify the flags. This is exactly what page_cache_pipe_buf_release() does, and which results in the same VM_BUG_ON_PAGE(PageLRU(page)) that the original patch was trying to fix. Reported-by: Justin Forbes <jmforbes@linuxtx.org> Fixes: 712a951025c0 ("fuse: fix page stealing") Cc: <stable@vger.kernel.org> # v2.6.35 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08fuse: fix page stealingMiklos Szeredi
commit 712a951025c0667ff00b25afc360f74e639dfabe upstream. It is possible to trigger a crash by splicing anon pipe bufs to the fuse device. The reason for this is that anon_pipe_buf_release() will reuse buf->page if the refcount is 1, but that page might have already been stolen and its flags modified (e.g. PG_lru added). This happens in the unlikely case of fuse_dev_splice_write() getting around to calling pipe_buf_release() after a page has been stolen, added to the page cache and removed from the page cache. Fix by calling pipe_buf_release() right after the page was inserted into the page cache. In this case the page has an elevated refcount so any release function will know that the page isn't reusable. Reported-by: Frank Dinoff <fdinoff@google.com> Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/ Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") Cc: <stable@vger.kernel.org> # v2.6.35 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08proc/vmcore: fix clearing user buffer by properly using clear_user()David Hildenbrand
commit c1e63117711977cc4295b2ce73de29dd17066c82 upstream. To clear a user buffer we cannot simply use memset, we have to use clear_user(). With a virtio-mem device that registers a vmcore_cb and has some logically unplugged memory inside an added Linux memory block, I can easily trigger a BUG by copying the vmcore via "cp": systemd[1]: Starting Kdump Vmcore Save Service... kdump[420]: Kdump is using the default log level(3). kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[465]: saving vmcore-dmesg.txt complete kdump[467]: saving vmcore BUG: unable to handle page fault for address: 00007f2374e01000 #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867 Oops: 0003 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86 Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81 RSP: 0018:ffffc9000073be08 EFLAGS: 00010212 RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000 RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008 RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50 R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000 R13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8 FS: 00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0 Call Trace: read_vmcore+0x236/0x2c0 proc_reg_read+0x55/0xa0 vfs_read+0x95/0x190 ksys_read+0x4f/0xc0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access Prevention (SMAP)", which is used to detect wrong access from the kernel to user buffers like this: SMAP triggers a permissions violation on wrong access. In the x86-64 variant of clear_user(), SMAP is properly handled via clac()+stac(). To fix, properly use clear_user() when we're dealing with a user buffer. Link: https://lkml.kernel.org/r/20211112092750.6921-1-david@redhat.com Fixes: 997c136f518c ("fs/proc/vmcore.c: add hook to read_from_oldmem() to check for non-ram pages") Signed-off-by: David Hildenbrand <david@redhat.com> Acked-by: Baoquan He <bhe@redhat.com> Cc: Dave Young <dyoung@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Philipp Rudo <prudo@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-08NFSv42: Don't fail clone() unless the OP_CLONE operation failedTrond Myklebust
[ Upstream commit d3c45824ad65aebf765fcf51366d317a29538820 ] The failure to retrieve post-op attributes has no bearing on whether or not the clone operation itself was successful. We must therefore ignore the return value of decode_getfattr() when looking at the success or failure of nfs4_xdr_dec_clone(). Fixes: 36022770de6c ("nfs42: add CLONE xdr functions") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-26Merge 4.4.293 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.293 binder: use euid from cred instead of using task binder: use cred instead of task for selinux checks xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay Input: elantench - fix misreporting trackpoint coordinates Input: i8042 - Add quirk for Fujitsu Lifebook T725 libata: fix read log timeout value ocfs2: fix data corruption on truncate mmc: dw_mmc: Dont wait for DRTO on Write RSP error parisc: Fix ptrace check on syscall return media: ite-cir: IR receiver stop working after receive overflow ALSA: ua101: fix division by zero at probe ALSA: 6fire: fix control and bulk message timeouts ALSA: line6: fix control and interrupt message timeouts ALSA: synth: missing check for possible NULL after the call to kstrdup ALSA: timer: Fix use-after-free problem ALSA: timer: Unconditionally unlink slave instances, too x86/irq: Ensure PI wakeup handler is unregistered before module unload hyperv/vmbus: include linux/bitops.h mmc: winbond: don't build on M68K xen/netfront: stop tx queues during live migration spi: spl022: fix Microwire full duplex mode vmxnet3: do not stop tx queues after netif_device_detach() btrfs: fix lost error handling when replaying directory deletes hwmon: (pmbus/lm25066) Add offset coefficients EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell mwifiex: fix division by zero in fw download path ath6kl: fix division by zero in send path ath6kl: fix control-message timeout PCI: Mark Atheros QCA6174 to avoid bus reset wcn36xx: Fix HT40 capability for 2Ghz band mwifiex: Read a PCI register after writing the TX ring write pointer signal: Remove the bogus sigkill_pending in ptrace_stop power: supply: max17042_battery: Prevent int underflow in set_soc_threshold power: supply: max17042_battery: use VFSOC for capacity when no rsns ALSA: mixer: oss: Fix racy access to slots ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume quota: check block number when reading the block in quota file quota: correct error number in free_dqentry() iio: dac: ad5446: Fix ad5622_write() return value USB: serial: keyspan: fix memleak on probe errors USB: iowarrior: fix control-message timeouts Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() Bluetooth: fix use-after-free error in lock_sock_nested() platform/x86: wmi: do not fail if disabling fails MIPS: lantiq: dma: add small delay after reset MIPS: lantiq: dma: reset correct number of channel smackfs: Fix use-after-free in netlbl_catmap_walk() x86: Increase exception stack sizes media: mt9p031: Fix corrupted frame after restarting stream media: netup_unidvb: handle interrupt properly according to the firmware media: uvcvideo: Set capability in s_param media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() media: mceusb: return without resubmitting URB in case of -EPROTO error. ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK ACPICA: Avoid evaluating methods too early during system resume media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() tracefs: Have tracefs directories not set OTH permission bits by default ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() ACPI: battery: Accept charges over the design capacity as full memstick: r592: Fix a UAF bug when removing the driver lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression lib/xz: Validate the value before assigning it to an enum variable mwl8k: Fix use-after-free in mwl8k_fw_state_machine() PM: hibernate: Get block device exclusively in swsusp_check() iwlwifi: mvm: disable RX-diversity in powersave smackfs: use __GFP_NOFAIL for smk_cipso_doi() ARM: clang: Do not rely on lr register for stacktrace ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 parisc: fix warning in flush_tlb_all parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling media: dvb-usb: fix ununit-value in az6027_rc_query media: si470x: Avoid card name truncation cpuidle: Fix kobject memory leaks in error paths ath9k: Fix potential interrupt storm on queue reset crypto: qat - detect PFVF collision after ACK b43legacy: fix a lower bounds test b43: fix a lower bounds test memstick: avoid out-of-range warning memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() drm/msm: uninitialized variable in msm_gem_import() net: stream: don't purge sk_error_queue in sk_stream_kill_queues() platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning mwifiex: Send DELBA requests according to spec smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi libertas_tf: Fix possible memory leak in probe and disconnect libertas: Fix possible memory leak in probe and disconnect crypto: pcrypt - Delay write to padata->info ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() scsi: dc395: Fix error case unwinding JFS: fix memleak in jfs_mount memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe video: fbdev: chipsfb: use memset_io() instead of memset() serial: 8250_dw: Drop wrong use of ACPI_PTR() usb: gadget: hid: fix error code in do_config() power: supply: rt5033_battery: Change voltage values to µV scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() RDMA/mlx4: Return missed an error if device doesn't support steering dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro netfilter: nfnetlink_queue: fix OOB when mac header was cleared m68k: set a default value for MEMORY_RESERVE watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT scsi: qla2xxx: Turn off target reset during issue_lip xen-pciback: Fix return in pm_ctrl_init() net: davinci_emac: Fix interrupt pacing disable bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed llc: fix out-of-bound array index in llc_sk_dev_hash() nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails vsock: prevent unnecessary refcnt inc for nonblocking connect USB: chipidea: fix interrupt deadlock ARM: 9156/1: drop cc-option fallbacks for architecture selection mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros parisc/entry: fix trace test in syscall exit path PCI/MSI: Destroy sysfs before freeing entries net: batman-adv: fix error handling scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() usb: musb: tusb6010: check return value after calling platform_get_resource() scsi: advansys: Fix kernel pointer leak ARM: dts: omap: fix gpmc,mux-add-data type usb: host: ohci-tmio: check return value after calling platform_get_resource() tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc MIPS: sni: Fix the build scsi: target: Fix ordered tag handling scsi: target: Fix alua_tg_pt_gps_count tracking powerpc/5200: dts: fix memory node unit name ALSA: gus: fix null pointer dereference on pointer block powerpc/dcr: Use cmplwi instead of 3-argument cmpli sh: check return code of request_irq maple: fix wrong return value of maple_bus_init(). sh: fix kconfig unmet dependency warning for FRAME_POINTER sh: define __BIG_ENDIAN for math-emu mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() net: bnx2x: fix variable dereferenced before check mips: bcm63xx: add support for clk_get_parent() platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' NFC: reorganize the functions in nci_request NFC: reorder the logic in nfc_{un,}register_device tun: fix bonding active backup with arp monitoring hexagon: export raw I/O routines for modules mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag btrfs: fix memory ordering between normal and ordered work functions parisc/sticon: fix reverse colors cfg80211: call cfg80211_stop_ap when switch from P2P_GO type drm/udl: fix control-message timeout drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors batman-adv: Keep fragments equally sized batman-adv: Fix multicast TT issues with bogus ROAM flags batman-adv: Prevent duplicated softif_vlan entry batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh batman-adv: set .owner to THIS_MODULE batman-adv: Consider fragmentation for needed_headroom batman-adv: Reserve needed_*room for fragments batman-adv: Don't always reallocate the fragmentation skb head batman-adv: Avoid WARN_ON timing related checks ASoC: DAPM: Cover regression by kctl change notification fix usb: max-3421: Use driver data instead of maintaining a list of bound devices Linux 4.4.293 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I233cfa7b0fe613afd388fcc316caf184005eaee9
2021-11-26btrfs: fix memory ordering between normal and ordered work functionsNikolay Borisov
commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9 upstream. Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between normal/ordered functions is synchronized is via the WORK_DONE_BIT, unfortunately the used bitops don't guarantee any ordering whatsoever. This manifested as seemingly inexplicable crashes on ARM64, where async_chunk::inode is seen as non-null in async_cow_submit which causes submit_compressed_extents to be called and crash occurs because async_chunk::inode suddenly became NULL. The call trace was similar to: pc : submit_compressed_extents+0x38/0x3d0 lr : async_cow_submit+0x50/0xd0 sp : ffff800015d4bc20 <registers omitted for brevity> Call trace: submit_compressed_extents+0x38/0x3d0 async_cow_submit+0x50/0xd0 run_ordered_work+0xc8/0x280 btrfs_work_helper+0x98/0x250 process_one_work+0x1f0/0x4ac worker_thread+0x188/0x504 kthread+0x110/0x114 ret_from_fork+0x10/0x18 Fix this by adding respective barrier calls which ensure that all accesses preceding setting of WORK_DONE_BIT are strictly ordered before setting the flag. At the same time add a read barrier after reading of WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads would be strictly ordered after reading the bit. This in turn ensures are all accesses before WORK_DONE_BIT are going to be strictly ordered before any access that can occur in ordered_func. Reported-by: Chris Murphy <lists@colorremedies.com> Fixes: 08a9ff326418 ("btrfs: Added btrfs_workqueue_struct implemented ordered execution based on kernel workqueue") CC: stable@vger.kernel.org # 4.4+ Link: https://bugzilla.redhat.com/show_bug.cgi?id=2011928 Reviewed-by: Josef Bacik <josef@toxicpanda.com> Tested-by: Chris Murphy <chris@colorremedies.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26JFS: fix memleak in jfs_mountDongliang Mu
[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ] In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However, the following code does not free ipaimap2 allocated by diReadSpecial. Fix this by refactoring the error handling code of jfs_mount. To be specific, modify the lable name and free ipaimap2 when the above error ocurrs. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-26tracefs: Have tracefs directories not set OTH permission bits by defaultSteven Rostedt (VMware)
[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ] The tracefs file system is by default mounted such that only root user can access it. But there are legitimate reasons to create a group and allow those added to the group to have access to tracing. By changing the permissions of the tracefs mount point to allow access, it will allow group access to the tracefs directory. There should not be any real reason to allow all access to the tracefs directory as it contains sensitive information. Have the default permission of directories being created not have any OTH (other) bits set, such that an admin that wants to give permission to a group has to first disable all OTH bits in the file system. Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-26quota: correct error number in free_dqentry()Zhang Yi
commit d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b upstream. Fix the error path in free_dqentry(), pass out the error number if the block to free is not correct. Fixes: 1ccd14b9c271 ("quota: Split off quota tree handling into a separate file") Link: https://lore.kernel.org/r/20211008093821.1001186-3-yi.zhang@huawei.com Signed-off-by: Zhang Yi <yi.zhang@huawei.com> Cc: stable@kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26quota: check block number when reading the block in quota fileZhang Yi
commit 9bf3d20331295b1ecb81f4ed9ef358c51699a050 upstream. The block number in the quota tree on disk should be smaller than the v2_disk_dqinfo.dqi_blocks. If the quota file was corrupted, we may be allocating an 'allocated' block and that would lead to a loop in a tree, which will probably trigger oops later. This patch adds a check for the block number in the quota tree to prevent such potential issue. Link: https://lore.kernel.org/r/20211008093821.1001186-2-yi.zhang@huawei.com Signed-off-by: Zhang Yi <yi.zhang@huawei.com> Cc: stable@kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26btrfs: fix lost error handling when replaying directory deletesFilipe Manana
commit 10adb1152d957a4d570ad630f93a88bb961616c1 upstream. At replay_dir_deletes(), if find_dir_range() returns an error we break out of the main while loop and then assign a value of 0 (success) to the 'ret' variable, resulting in completely ignoring that an error happened. Fix that by jumping to the 'out' label when find_dir_range() returns an error (negative value). CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Josef Bacik <josef@toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-26ocfs2: fix data corruption on truncateJan Kara
commit 839b63860eb3835da165642923120d305925561d upstream. Patch series "ocfs2: Truncate data corruption fix". As further testing has shown, commit 5314454ea3f ("ocfs2: fix data corruption after conversion from inline format") didn't fix all the data corruption issues the customer started observing after 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") This time I have tracked them down to two bugs in ocfs2 truncation code. One bug (truncating page cache before clearing tail cluster and setting i_size) could cause data corruption even before 6dbf7bb55598, but before that commit it needed a race with page fault, after 6dbf7bb55598 it started to be pretty deterministic. Another bug (zeroing pages beyond old i_size) used to be harmless inefficiency before commit 6dbf7bb55598. But after commit 6dbf7bb55598 in combination with the first bug it resulted in deterministic data corruption. Although fixing only the first problem is needed to stop data corruption, I've fixed both issues to make the code more robust. This patch (of 2): ocfs2_truncate_file() did unmap invalidate page cache pages before zeroing partial tail cluster and setting i_size. Thus some pages could be left (and likely have left if the cluster zeroing happened) in the page cache beyond i_size after truncate finished letting user possibly see stale data once the file was extended again. Also the tail cluster zeroing was not guaranteed to finish before truncate finished causing possible stale data exposure. The problem started to be particularly easy to hit after commit 6dbf7bb55598 "fs: Don't invalidate page buffers in block_write_full_page()" stopped invalidation of pages beyond i_size from page writeback path. Fix these problems by unmapping and invalidating pages in the page cache after the i_size is reduced and tail cluster is zeroed out. Link: https://lkml.kernel.org/r/20211025150008.29002-1-jack@suse.cz Link: https://lkml.kernel.org/r/20211025151332.11301-1-jack@suse.cz Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: Jan Kara <jack@suse.cz> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-12Merge 4.4.292 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.292 scsi: core: Put LLD module refcnt after SCSI device is released ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" net: hso: register netdev later to avoid a race condition IB/qib: Use struct_size() helper IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields usb: gadget: Mark USB_FSL_QE broken on 64-bit usb-storage: Add compatibility quirk flags for iODD 2531/2541 printk/console: Allow to disable console output by using console="" or console=null usb: hso: fix error handling code of hso_create_net_device isofs: Fix out of bound access for corrupted isofs image comedi: dt9812: fix DMA buffers on stack comedi: ni_usb6501: fix NULL-deref in command paths staging: comedi: drivers: replace le16_to_cpu() with usb_endpoint_maxp() comedi: vmk80xx: fix transfer-buffer overflows comedi: vmk80xx: fix bulk-buffer overflow comedi: vmk80xx: fix bulk and interrupt message timeouts staging: r8712u: fix control-message timeout staging: rtl8192u: fix control-message timeouts rsi: fix control-message timeout Linux 4.4.292 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If914ee57e7bf4d5993bd24826726bb4908a2f978
2021-11-12isofs: Fix out of bound access for corrupted isofs imageJan Kara
commit e96a1866b40570b5950cda8602c2819189c62a48 upstream. When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-27Merge 4.4.290 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.290 ALSA: seq: Fix a potential UAF by wrong private_free call order s390: fix strrchr() implementation xhci: Enable trust tx length quirk for Fresco FL11 USB controller cb710: avoid NULL pointer subtraction efi/cper: use stack buffer for error record decoding Input: xpad - add support for another USB ID of Nacon GC-100 USB: serial: qcserial: add EM9191 QDL support USB: serial: option: add Telit LE910Cx composition 0x1204 nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells iio: adc128s052: Fix the error handling path of 'adc128_probe()' iio: ssp_sensors: add more range checking in ssp_parse_dataframe() iio: ssp_sensors: fix error code in ssp_print_mcu_debug() net: arc: select CRC32 net: korina: select CRC32 net: encx24j600: check error in devm_regmap_init_encx24j600 ethernet: s2io: fix setting mac address during resume nfc: fix error handling of nfc_proto_register() NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() NFC: digital: fix possible memory leak in digital_in_send_sdd_req() pata_legacy: fix a couple uninitialized variable bugs drm/msm: Fix null pointer dereference on pointer edp r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 NFSD: Keep existing listeners on portlist error netfilter: ipvs: make global sysctl readonly in non-init netns NIOS2: irqflags: rename a redefined register name can: rcar_can: fix suspend/resume can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification can: peak_pci: peak_pci_remove(): fix UAF ocfs2: mount fails with buffer overflow in strlen elfcore: correct reference to CONFIG_UML ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset ASoC: DAPM: Fix missing kctl change notifications ovl: fix missing negative dentry check in ovl_rename() nfc: nci: fix the UAF of rf_conn_info object isdn: cpai: check ctr->cnr to avoid array index out of bound netfilter: Kconfig: use 'default y' instead of 'm' for bool config option ARM: dts: spear3xx: Fix gmac node isdn: mISDN: Fix sleeping function called from invalid context platform/x86: intel_scu_ipc: Update timeout value in comment ALSA: hda: avoid write to STATESTS if controller is in reset net: mdiobus: Fix memory leak in __mdiobus_register tracing: Have all levels of checks prevent recursion ARM: 9122/1: select HAVE_FUTEX_CMPXCHG Linux 4.4.290 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I97fdd4fb10f590df04407cb87713af101af36f67
2021-10-27ovl: fix missing negative dentry check in ovl_rename()Zheng Liang
commit a295aef603e109a47af355477326bd41151765b6 upstream. The following reproducer mkdir lower upper work merge touch lower/old touch lower/new mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge rm merge/new mv merge/old merge/new & unlink upper/new may result in this race: PROCESS A: rename("merge/old", "merge/new"); overwrite=true,ovl_lower_positive(old)=true, ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE PROCESS B: unlink("upper/new"); PROCESS A: lookup newdentry in new_upperdir call vfs_rename() with negative newdentry and RENAME_EXCHANGE Fix by adding the missing check for negative newdentry. Signed-off-by: Zheng Liang <zhengliang6@huawei.com> Fixes: e9be9d5e76e3 ("overlay filesystem") Cc: <stable@vger.kernel.org> # v3.18 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
2021-10-27ocfs2: mount fails with buffer overflow in strlenValentin Vidic
commit b15fa9224e6e1239414525d8d556d824701849fc upstream. Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of the source string triggering the buffer overflow detection. detected buffer overflow in strlen ------------[ cut here ]------------ kernel BUG at lib/string.c:1149! invalid opcode: 0000 [#1] SMP PTI CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2 RIP: 0010:fortify_panic+0xf/0x11 ... Call Trace: ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] ocfs2_fill_super+0x359/0x19b0 [ocfs2] mount_bdev+0x185/0x1b0 legacy_get_tree+0x27/0x40 vfs_get_tree+0x25/0xb0 path_mount+0x454/0xa20 __x64_sys_mount+0x103/0x140 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae Link: https://lkml.kernel.org/r/20210929180654.32460-1-vvidic@valentin-vidic.from.hr Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-27NFSD: Keep existing listeners on portlist errorBenjamin Coddington
[ Upstream commit c20106944eb679fa3ab7e686fe5f6ba30fbc51e5 ] If nfsd has existing listening sockets without any processes, then an error returned from svc_create_xprt() for an additional transport will remove those existing listeners. We're seeing this in practice when userspace attempts to create rpcrdma transports without having the rpcrdma modules present before creating nfsd kernel processes. Fix this by checking for existing sockets before calling nfsd_destroy(). Signed-off-by: Benjamin Coddington <bcodding@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-17Merge 4.4.289 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.289 USB: cdc-acm: fix racy tty buffer accesses USB: cdc-acm: fix break reporting nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero xtensa: call irqchip_init only when CONFIG_USE_OF is selected phy: mdio: fix memory leak net_sched: fix NULL deref in fifo_set_limit() ptp_pch: Load module automatically if ID matches ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence netlink: annotate data races around nlk->bound i40e: fix endless loop under rtnl gup: document and work around "COW can break either way" issue mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS netfilter: ip6_tables: zero-initialize fragment offset mac80211: Drop frames from invalid MAC address in ad-hoc mode scsi: ses: Fix unsigned comparison with less than zero scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" perf/x86: Reset destroy callback on event init failure Linux 4.4.289 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3a65de3023522d2c5370858c3f0e98e86ad6b7ff
2021-10-17nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zeroTrond Myklebust
commit f2e717d655040d632c9015f19aa4275f8b16e7f2 upstream. RFC3530 notes that the 'dircount' field may be zero, in which case the recommendation is to ignore it, and only enforce the 'maxcount' field. In RFC5661, this recommendation to ignore a zero valued field becomes a requirement. Fixes: aee377644146 ("nfsd4: fix rd_dircount enforcement") Cc: <stable@vger.kernel.org> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-09Merge 4.4.288 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.288 af_unix: fix races in sk_peer_pid and sk_peer_cred accesses xen-netback: correct success/error reporting for the SKB-with-fraglist case sparc64: fix pci_iounmap() when CONFIG_PCI is not set ext2: fix sleeping in atomic bugs on error scsi: sd: Free scsi_disk device via put_device() usb: testusb: Fix for showing the connection speed libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD. Linux 4.4.288 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id6d93b8ff677b720c77d0f1384141464e0aaf1e8
2021-10-09ext2: fix sleeping in atomic bugs on errorDan Carpenter
[ Upstream commit 372d1f3e1bfede719864d0d1fbf3146b1e638c88 ] The ext2_error() function syncs the filesystem so it sleeps. The caller is holding a spinlock so it's not allowed to sleep. ext2_statfs() <- disables preempt -> ext2_count_free_blocks() -> ext2_get_group_desc() Fix this by using WARN() to print an error message and a stack trace instead of using ext2_error(). Link: https://lore.kernel.org/r/20210921203233.GA16529@kili Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06Merge 4.4.286 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.286 usb: gadget: r8a66597: fix a loop in set_feature() usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() cifs: fix incorrect check for null pointer in header_assemble xen/x86: fix PV trap handling on secondary processors USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter USB: serial: mos7840: remove duplicated 0xac24 device ID USB: serial: option: add Telit LN920 compositions USB: serial: option: remove duplicate USB device ID USB: serial: option: add device id for Foxconn T99W265 net: hso: fix muxed tty registration net/mlx4_en: Don't allow aRFS for encapsulated packets scsi: iscsi: Adjust iface sysfs attr detection blktrace: Fix uaf in blk_trace access after removing by sysfs m68k: Double cast io functions to unsigned long compiler.h: Introduce absolute_pointer macro net: i825xx: Use absolute_pointer for memcpy from fixed memory location sparc: avoid stringop-overread errors qnx4: avoid stringop-overread errors parisc: Use absolute_pointer() to define PAGE0 arm64: Mark __stack_chk_guard as __ro_after_init alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile net: 6pack: Fix tx timeout and slot time spi: Fix tegra20 build with CONFIG_PM=n qnx4: work around gcc false positive warning bug tty: Fix out-of-bound vmalloc access in imageblit mac80211: fix use-after-free in CCMP/GCMP RX ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 e100: fix length calculation in e100_get_regs_len e100: fix buffer overrun in e100_get_regs ipack: ipoctal: fix stack information leak ipack: ipoctal: fix tty registration race ipack: ipoctal: fix tty-registration error handling ipack: ipoctal: fix missing allocation-failure check ipack: ipoctal: fix module reference leak ext4: fix potential infinite loop in ext4_dx_readdir() EDAC/synopsys: Fix wrong value type assignment for edac_mode arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 HID: betop: fix slab-out-of-bounds Write in betop_probe netfilter: ipset: Fix oversized kvmalloc() calls HID: usbhid: free raw_report buffers in usbhid_stop cred: allow get_cred() and put_cred() to be given NULL. Linux 4.4.286 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3180bfeaddc99c8d216f932c9f149060cc60f16e
2021-10-06ext4: fix potential infinite loop in ext4_dx_readdir()yangerkun
commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream. When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an infinite loop since if info->last_pos != ctx->pos this will reset the directory scan and reread the failing entry. For example: 1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as leaf block which own the ext4_dir_entry_2 2. block 1 read ok and call_filldir which will fill the dirent and update the ctx->pos 3. block 2 read fail, but we has already fill some dirent, so we will return back to userspace will a positive return val(see ksys_getdents64) 4. the second ext4_dx_readdir will reset the world since info->last_pos != ctx->pos, and will also init the curr_hash which pos to block 1 5. So we will read block1 too, and once block2 still read fail, we can only fill one dirent because the hash of the entry in block1(besides the last one) won't greater than curr_hash 6. this time, we forget update last_pos too since the read for block2 will fail, and since we has got the one entry, ksys_getdents64 can return success 7. Latter we will trapped in a loop with step 4~6 Cc: stable@kernel.org Signed-off-by: yangerkun <yangerkun@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-06qnx4: work around gcc false positive warning bugLinus Torvalds
commit d5f6545934c47e97c0b48a645418e877b452a992 upstream. In commit b7213ffa0e58 ("qnx4: avoid stringop-overread errors") I tried to teach gcc about how the directory entry structure can be two different things depending on a status flag. It made the code clearer, and it seemed to make gcc happy. However, Arnd points to a gcc bug, where despite using two different members of a union, gcc then gets confused, and uses the size of one of the members to decide if a string overrun happens. And not necessarily the rigth one. End result: with some configurations, gcc-11 will still complain about the source buffer size being overread: fs/qnx4/dir.c: In function 'qnx4_readdir': fs/qnx4/dir.c:76:32: error: 'strnlen' specified bound [16, 48] exceeds source size 1 [-Werror=stringop-overread] 76 | size = strnlen(name, size); | ^~~~~~~~~~~~~~~~~~~ fs/qnx4/dir.c:26:22: note: source object declared here 26 | char de_name; | ^~~~~~~ because gcc will get confused about which union member entry is actually getting accessed, even when the source code is very clear about it. Gcc internally will have combined two "redundant" pointers (pointing to different union elements that are at the same offset), and takes the size checking from one or the other - not necessarily the right one. This is clearly a gcc bug, but we can work around it fairly easily. The biggest thing here is the big honking comment about why we do what we do. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578#c6 Reported-and-tested-by: Arnd Bergmann <arnd@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-06qnx4: avoid stringop-overread errorsLinus Torvalds
[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ] The qnx4 directory entries are 64-byte blocks that have different contents depending on the a status byte that is in the last byte of the block. In particular, a directory entry can be either a "link info" entry with a 48-byte name and pointers to the real inode information, or an "inode entry" with a smaller 16-byte name and the full inode information. But the code was written to always just treat the directory name as if it was part of that "inode entry", and just extend the name to the longer case if the status byte said it was a link entry. That work just fine and gives the right results, but now that gcc is tracking data structure accesses much more, the code can trigger a compiler error about using up to 48 bytes (the long name) in a structure that only has that shorter name in it: fs/qnx4/dir.c: In function ‘qnx4_readdir’: fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread] 51 | size = strnlen(de->di_fname, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from fs/qnx4/qnx4.h:3, from fs/qnx4/dir.c:16: include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here 45 | char di_fname[QNX4_SHORT_NAME_MAX]; | ^~~~~~~~ which is because the source code doesn't really make this whole "one of two different types" explicit. Fix this by introducing a very explicit union of the two types, and basically explaining to the compiler what is really going on. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06cifs: fix incorrect check for null pointer in header_assembleSteve French
commit 9ed38fd4a15417cac83967360cf20b853bfab9b6 upstream. Although very unlikely that the tlink pointer would be null in this case, get_next_mid function can in theory return null (but not an error) so need to check for null (not for IS_ERR, which can not be returned here). Address warning: fs/smbfs_client/connect.c:2392 cifs_match_super() warn: 'tlink' isn't an ERR_PTR Pointed out by Dan Carpenter via smatch code analysis tool CC: stable@vger.kernel.org Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-09-26Merge 4.4.285 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.285 s390/bpf: Fix optimizing out zero-extensions PM / wakeirq: Fix unbalanced IRQ enable for wakeirq sctp: validate chunk size in __rcv_asconf_lookup sctp: add param size validation for SCTP_PARAM_SET_PRIMARY thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() 9p/trans_virtio: Remove sysfs file on probe failure prctl: allow to setup brk for et_dyn executables profiling: fix shift-out-of-bounds bugs dmaengine: acpi-dma: check for 64-bit MMIO address dmaengine: acpi: Avoid comparison GSI with Linux vIRQ parisc: Move pci_dev_is_behind_card_dino to where it is used dmaengine: ioat: depends on !UML ceph: lockdep annotations for try_nonblocking_invalidate nilfs2: fix memory leak in nilfs_sysfs_create_device_group nilfs2: fix NULL pointer in nilfs_##name##_attr_release nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV sctp: validate from_addr_param return Linux 4.4.285 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I10ef4f8fa6f8c53aaedfa2e6c5212b1faecad1b4
2021-09-26nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_groupNanyong Sun
[ Upstream commit 17243e1c3072b8417a5ebfc53065d0a87af7ca77 ] kobject_put() should be used to cleanup the memory associated with the kobject instead of kobject_del(). See the section "Kobject removal" of "Documentation/core-api/kobject.rst". Link: https://lkml.kernel.org/r/20210629022556.3985106-7-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-7-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_groupNanyong Sun
[ Upstream commit b2fe39c248f3fa4bbb2a20759b4fdd83504190f7 ] If kobject_init_and_add returns with error, kobject_put() is needed here to avoid memory leak, because kobject_init_and_add may return error without freeing the memory associated with the kobject it allocated. Link: https://lkml.kernel.org/r/20210629022556.3985106-6-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-6-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_groupNanyong Sun
[ Upstream commit a3e181259ddd61fd378390977a1e4e2316853afa ] The kobject_put() should be used to cleanup the memory associated with the kobject instead of kobject_del. See the section "Kobject removal" of "Documentation/core-api/kobject.rst". Link: https://lkml.kernel.org/r/20210629022556.3985106-5-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-5-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26nilfs2: fix memory leak in nilfs_sysfs_create_##name##_groupNanyong Sun
[ Upstream commit 24f8cb1ed057c840728167dab33b32e44147c86f ] If kobject_init_and_add return with error, kobject_put() is needed here to avoid memory leak, because kobject_init_and_add may return error without freeing the memory associated with the kobject it allocated. Link: https://lkml.kernel.org/r/20210629022556.3985106-4-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-4-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26nilfs2: fix NULL pointer in nilfs_##name##_attr_releaseNanyong Sun
[ Upstream commit dbc6e7d44a514f231a64d9d5676e001b660b6448 ] In nilfs_##name##_attr_release, kobj->parent should not be referenced because it is a NULL pointer. The release() method of kobject is always called in kobject_put(kobj), in the implementation of kobject_put(), the kobj->parent will be assigned as NULL before call the release() method. So just use kobj to get the subgroups, which is more efficient and can fix a NULL pointer reference problem. Link: https://lkml.kernel.org/r/20210629022556.3985106-3-sunnanyong@huawei.com Link: https://lkml.kernel.org/r/1625651306-10829-3-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26nilfs2: fix memory leak in nilfs_sysfs_create_device_groupNanyong Sun
[ Upstream commit 5f5dec07aca7067216ed4c1342e464e7307a9197 ] Patch series "nilfs2: fix incorrect usage of kobject". This patchset from Nanyong Sun fixes memory leak issues and a NULL pointer dereference issue caused by incorrect usage of kboject in nilfs2 sysfs implementation. This patch (of 6): Reported by syzkaller: BUG: memory leak unreferenced object 0xffff888100ca8988 (size 8): comm "syz-executor.1", pid 1930, jiffies 4294745569 (age 18.052s) hex dump (first 8 bytes): 6c 6f 6f 70 31 00 ff ff loop1... backtrace: kstrdup+0x36/0x70 mm/util.c:60 kstrdup_const+0x35/0x60 mm/util.c:83 kvasprintf_const+0xf1/0x180 lib/kasprintf.c:48 kobject_set_name_vargs+0x56/0x150 lib/kobject.c:289 kobject_add_varg lib/kobject.c:384 [inline] kobject_init_and_add+0xc9/0x150 lib/kobject.c:473 nilfs_sysfs_create_device_group+0x150/0x7d0 fs/nilfs2/sysfs.c:986 init_nilfs+0xa21/0xea0 fs/nilfs2/the_nilfs.c:637 nilfs_fill_super fs/nilfs2/super.c:1046 [inline] nilfs_mount+0x7b4/0xe80 fs/nilfs2/super.c:1316 legacy_get_tree+0x105/0x210 fs/fs_context.c:592 vfs_get_tree+0x8e/0x2d0 fs/super.c:1498 do_new_mount fs/namespace.c:2905 [inline] path_mount+0xf9b/0x1990 fs/namespace.c:3235 do_mount+0xea/0x100 fs/namespace.c:3248 __do_sys_mount fs/namespace.c:3456 [inline] __se_sys_mount fs/namespace.c:3433 [inline] __x64_sys_mount+0x14b/0x1f0 fs/namespace.c:3433 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae If kobject_init_and_add return with error, then the cleanup of kobject is needed because memory may be allocated in kobject_init_and_add without freeing. And the place of cleanup_dev_kobject should use kobject_put to free the memory associated with the kobject. As the section "Kobject removal" of "Documentation/core-api/kobject.rst" says, kobject_del() just makes the kobject "invisible", but it is not cleaned up. And no more cleanup will do after cleanup_dev_kobject, so kobject_put is needed here. Link: https://lkml.kernel.org/r/1625651306-10829-1-git-send-email-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/1625651306-10829-2-git-send-email-konishi.ryusuke@gmail.com Reported-by: Hulk Robot <hulkci@huawei.com> Link: https://lkml.kernel.org/r/20210629022556.3985106-2-sunnanyong@huawei.com Signed-off-by: Nanyong Sun <sunnanyong@huawei.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-26ceph: lockdep annotations for try_nonblocking_invalidateJeff Layton
[ Upstream commit 3eaf5aa1cfa8c97c72f5824e2e9263d6cc977b03 ] Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-22Merge 4.4.284 into android-4.4-pGreg Kroah-Hartman
Changes in 4.4.284 ext4: fix race writing to an inline_data file while its xattrs are changing xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG ARC: fix allnoconfig build warning qede: Fix memset corruption cryptoloop: add a deprecation warning ARM: 8918/2: only build return_address() if needed ALSA: pcm: fix divide error in snd_pcm_lib_ioctl ath: Use safer key clearing with key cache entries ath9k: Clear key cache explicitly on disabling hardware ath: Export ath_hw_keysetmac() ath: Modify ath_key_delete() to not need full key entry ath9k: Postpone key cache entry deletion for TXQ frames reference it media: stkwebcam: fix memory leak in stk_camera_probe igmp: Add ip_mc_list lock in ip_check_mc_rcu usb: phy: isp1301: Fix build warning when CONFIG_OF is disabled USB: serial: mos7720: improve OOM-handling in read_mos_reg() PM / wakeirq: Enable dedicated wakeirq for suspend tc358743: fix register i2c_rd/wr function fix ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) s390/disassembler: correct disassembly lines alignment mm/kmemleak.c: make cond_resched() rate-limiting more efficient powerpc/module64: Fix comment in R_PPC64_ENTRY handling powerpc/boot: Delete unneeded .globl _zimage_start net: ll_temac: Remove left-over debug message mm/page_alloc: speed up the iteration of max_order Revert "btrfs: compression: don't try to compress if we don't have enough pages" x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions PCI: Call Max Payload Size-related fixup quirks early crypto: mxs-dcp - Check for DMA mapping errors crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() power: supply: max17042_battery: fix typo in MAx17042_TOFF libata: fix ata_host_start() crypto: qat - do not ignore errors from enable_vf2pf_comms() crypto: qat - fix reuse of completion variable udf_get_extendedattr() had no boundary checks. m68k: emu: Fix invalid free in nfeth_cleanup() certs: Trigger creation of RSA module signing key if it's not an RSA key media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init media: dvb-usb: fix uninit-value in vp702x_read_mac_addr media: go7007: remove redundant initialization Bluetooth: sco: prevent information leak in sco_conn_defer_accept() tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos net: cipso: fix warnings in netlbl_cipsov4_add_std i2c: highlander: add IRQ check PCI: PM: Enable PME if it can be signaled from D3cold Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 Bluetooth: fix repeated calls to sco_sock_kill drm/msm/dsi: Fix some reference counted resource leaks usb: gadget: udc: at91: add IRQ check usb: phy: fsl-usb: add IRQ check usb: phy: twl6030: add IRQ checks Bluetooth: Move shutdown callback before flushing tx and rx queue usb: host: ohci-tmio: add IRQ check usb: phy: tahvo: add IRQ check usb: gadget: mv_u3d: request_irq() after initializing UDC Bluetooth: add timeout sanity check to hci_inquiry i2c: iop3xx: fix deferred probing i2c: s3c2410: fix IRQ check mmc: dw_mmc: Fix issue with uninitialized dma_slave_config mmc: moxart: Fix issue with uninitialized dma_slave_config CIFS: Fix a potencially linear read overflow i2c: mt65xx: fix IRQ check usb: ehci-orion: Handle errors of clk_prepare_enable() in probe ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() bcma: Fix memory leak for internally-handled cores ipv4: make exception cache less predictible tty: Fix data race between tiocsti() and flush_to_ldisc() KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted clk: kirkwood: Fix a clocking boot regression fbmem: don't allow too huge resolutions rtc: tps65910: Correct driver module alias PCI/MSI: Skip masking MSI-X on Xen PV xen: fix setting of max_pfn in shared_info power: supply: max17042: handle fails of reading status register VMCI: fix NULL pointer dereference when unmapping queue pair media: uvc: don't do DMA on stack media: rc-loopback: return number of emitters rather than error libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs ARM: 9105/1: atags_to_fdt: don't warn about stack size PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure openrisc: don't printk() unconditionally pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() crypto: mxs-dcp - Use sg_mapping_iter to copy data PCI: Use pci_update_current_state() in pci_enable_device_flags() iio: dac: ad5624r: Fix incorrect handling of an optional regulator. video: fbdev: kyro: fix a DoS bug by restricting user input netlink: Deal with ESRCH error in nlmsg_notify() Smack: Fix wrong semantics in smk_access_entry() usb: host: fotg210: fix the actual_length of an iso packet usb: gadget: u_ether: fix a potential null pointer dereference tty: serial: jsm: hold port lock when reporting modem line changes bpf/tests: Fix copy-and-paste error in double word test bpf/tests: Do not PASS tests without actually testing the result video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() s390/jump_label: print real address in a case of a jump label bug serial: 8250: Define RX trigger levels for OxSemi 950 devices xtensa: ISS: don't panic in rs_init hvsi: don't panic on tty_register_driver failure serial: 8250_pci: make setup_port() parameters explicitly unsigned Bluetooth: skip invalid hci_sync_conn_complete_evt gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() ARM: tegra: tamonten: Fix UART pad setting rpc: fix gss_svc_init cleanup on failure gfs2: Don't call dlm after protocol is unmounted mmc: rtsx_pci: Fix long reads when clock is prescaled cifs: fix wrong release in sess_alloc_buffer() failed path Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" parport: remove non-zero check on count ath9k: fix OOB read ar9300_eeprom_restore_internal net: fix NULL pointer reference in cipso_v4_doi_free parisc: fix crash with signals and alloca platform/chrome: cros_ec_proto: Send command again when timeout occurs bnx2x: Fix enabling network interfaces without VFs net-caif: avoid user-triggerable WARN_ON(1) ptp: dp83640: don't define PAGE0 dccp: don't duplicate ccid when cloning dccp sock net/l2tp: Fix reference count leak in l2tp_udp_recv_core r6040: Restore MDIO clock frequency after MAC reset tipc: increase timeout in tipc_sk_enqueue() net/af_unix: fix a data-race in unix_dgram_poll x86/mm: Fix kern_addr_valid() to cope with existing but not present entries dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation ethtool: Fix an error code in cxgb2.c PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' ARC: export clear_user_page() for modules qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom net: renesas: sh_eth: Fix freeing wrong tx descriptor s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant Linux 4.4.284 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Idf3220461e42648ba134a245e9670231dbd18b5c
2021-09-22cifs: fix wrong release in sess_alloc_buffer() failed pathDing Hui
[ Upstream commit d72c74197b70bc3c95152f351a568007bffa3e11 ] smb_buf is allocated by small_smb_init_no_tc(), and buf type is CIFS_SMALL_BUFFER, so we should use cifs_small_buf_release() to release it in failed path. Signed-off-by: Ding Hui <dinghui@sangfor.com.cn> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-22gfs2: Don't call dlm after protocol is unmountedBob Peterson
[ Upstream commit d1340f80f0b8066321b499a376780da00560e857 ] In the gfs2 withdraw sequence, the dlm protocol is unmounted with a call to lm_unmount. After a withdraw, users are allowed to unmount the withdrawn file system. But at that point we may still have glocks left over that we need to free via unmount's call to gfs2_gl_hash_clear. These glocks may have never been completed because of whatever problem caused the withdraw (IO errors or whatever). Before this patch, function gdlm_put_lock would still try to call into dlm to unlock these leftover glocks, which resulted in dlm returning -EINVAL because the lock space was abandoned. These glocks were never freed because there was no mechanism after that to free them. This patch adds a check to gdlm_put_lock to see if the locking protocol was inactive (DFL_UNMOUNT flag) and if so, free the glock and not make the invalid call into dlm. I could have combined this "if" with the one that follows, related to leftover glock LVBs, but I felt the code was more readable with its own if clause. Signed-off-by: Bob Peterson <rpeterso@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-22CIFS: Fix a potencially linear read overflowLen Baker
[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ] strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated. Also, the strnlen() call does not avoid the read overflow in the strlcpy function when a not NUL-terminated string is passed. So, replace this block by a call to kstrndup() that avoids this type of overflow and does the same. Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") Signed-off-by: Len Baker <len.baker@gmx.com> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-22udf_get_extendedattr() had no boundary checks.Stian Skjelstad
[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ] When parsing the ExtendedAttr data, malicous or corrupt attribute length could cause kernel hangs and buffer overruns in some special cases. Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-09-22Revert "btrfs: compression: don't try to compress if we don't have enough pages"Qu Wenruo
commit 4e9655763b82a91e4c341835bb504a2b1590f984 upstream. This reverts commit f2165627319ffd33a6217275e5690b1ab5c45763. [BUG] It's no longer possible to create compressed inline extent after commit f2165627319f ("btrfs: compression: don't try to compress if we don't have enough pages"). [CAUSE] For compression code, there are several possible reasons we have a range that needs to be compressed while it's no more than one page. - Compressed inline write The data is always smaller than one sector and the test lacks the condition to properly recognize a non-inline extent. - Compressed subpage write For the incoming subpage compressed write support, we require page alignment of the delalloc range. And for 64K page size, we can compress just one page into smaller sectors. For those reasons, the requirement for the data to be more than one page is not correct, and is already causing regression for compressed inline data writeback. The idea of skipping one page to avoid wasting CPU time could be revisited in the future. [FIX] Fix it by reverting the offending commit. Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org> Link: https://lore.kernel.org/linux-btrfs/afa2742.c084f5d6.17b6b08dffc@tnonline.net Fixes: f2165627319f ("btrfs: compression: don't try to compress if we don't have enough pages") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>