Linux 5.4.224

 
ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices [+ + +]
Author: John Veness <john-linux@pelago.org.uk>
Date:   Fri Jun 24 15:07:57 2022 +0100

    ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
    
    commit 6e2c9105e0b743c92a157389d40f00b81bdd09fe upstream.
    
    Treat the claimed 96kHz 1ch in the descriptors as 48kHz 2ch, so that
    the audio stream doesn't sound mono. Also fix initial stream
    alignment, so that left and right channels are in the correct order.
    
    Signed-off-by: John Veness <john-linux@pelago.org.uk>
    Link: https://lore.kernel.org/r/20220624140757.28758-1-john-linux@pelago.org.uk
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ata: pata_legacy: fix pdc20230_set_piomode() [+ + +]
Author: Sergey Shtylyov <s.shtylyov@omp.ru>
Date:   Sat Oct 29 00:07:06 2022 +0300

    ata: pata_legacy: fix pdc20230_set_piomode()
    
    [ Upstream commit 171a93182eccd6e6835d2c86b40787f9f832efaa ]
    
    Clang gives a warning when compiling pata_legacy.c with 'make W=1' about
    the 'rt' local variable in pdc20230_set_piomode() being set but unused.
    Quite obviously, there is an outb() call missing to write back the updated
    variable. Moreover, checking the docs by Petr Soucek revealed that bitwise
    AND should have been done with a negated timing mask and the master/slave
    timing masks were swapped while updating...
    
    Fixes: 669a5db411d8 ("[libata] Add a bunch of PATA drivers.")
    Reported-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
binder: fix UAF of alloc->vma in race with munmap() [+ + +]
Author: Carlos Llamas <cmllamas@google.com>
Date:   Fri Nov 4 17:55:33 2022 +0000

    binder: fix UAF of alloc->vma in race with munmap()
    
    In commit 720c24192404 ("ANDROID: binder: change down_write to
    down_read") binder assumed the mmap read lock is sufficient to protect
    alloc->vma inside binder_update_page_range(). This used to be accurate
    until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
    munmap"), which now downgrades the mmap_lock after detaching the vma
    from the rbtree in munmap(). Then it proceeds to teardown and free the
    vma with only the read lock held.
    
    This means that accesses to alloc->vma in binder_update_page_range() now
    will race with vm_area_free() in munmap() and can cause a UAF as shown
    in the following KASAN trace:
    
      ==================================================================
      BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0
      Read of size 8 at addr ffff16204ad00600 by task server/558
    
      CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace+0x0/0x2a0
       show_stack+0x18/0x2c
       dump_stack+0xf8/0x164
       print_address_description.constprop.0+0x9c/0x538
       kasan_report+0x120/0x200
       __asan_load8+0xa0/0xc4
       vm_insert_page+0x7c/0x1f0
       binder_update_page_range+0x278/0x50c
       binder_alloc_new_buf+0x3f0/0xba0
       binder_transaction+0x64c/0x3040
       binder_thread_write+0x924/0x2020
       binder_ioctl+0x1610/0x2e5c
       __arm64_sys_ioctl+0xd4/0x120
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0
    
      Allocated by task 559:
       kasan_save_stack+0x38/0x6c
       __kasan_kmalloc.constprop.0+0xe4/0xf0
       kasan_slab_alloc+0x18/0x2c
       kmem_cache_alloc+0x1b0/0x2d0
       vm_area_alloc+0x28/0x94
       mmap_region+0x378/0x920
       do_mmap+0x3f0/0x600
       vm_mmap_pgoff+0x150/0x17c
       ksys_mmap_pgoff+0x284/0x2dc
       __arm64_sys_mmap+0x84/0xa4
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0
    
      Freed by task 560:
       kasan_save_stack+0x38/0x6c
       kasan_set_track+0x28/0x40
       kasan_set_free_info+0x24/0x4c
       __kasan_slab_free+0x100/0x164
       kasan_slab_free+0x14/0x20
       kmem_cache_free+0xc4/0x34c
       vm_area_free+0x1c/0x2c
       remove_vma+0x7c/0x94
       __do_munmap+0x358/0x710
       __vm_munmap+0xbc/0x130
       __arm64_sys_munmap+0x4c/0x64
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0
    
      [...]
      ==================================================================
    
    To prevent the race above, revert back to taking the mmap write lock
    inside binder_update_page_range(). One might expect an increase of mmap
    lock contention. However, binder already serializes these calls via top
    level alloc->mutex. Also, there was no performance impact shown when
    running the binder benchmark tests.
    
    Note this patch is specific to stable branches 5.4 and 5.10. Since in
    newer kernel releases binder no longer caches a pointer to the vma.
    Instead, it has been refactored to use vma_lookup() which avoids the
    issue described here. This switch was introduced in commit a43cfc87caaf
    ("android: binder: stop saving a pointer to the VMA").
    
    Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
    Reported-by: Jann Horn <jannh@google.com>
    Cc: <stable@vger.kernel.org> # 5.4.x
    Cc: Minchan Kim <minchan@kernel.org>
    Cc: Yang Shi <yang.shi@linux.alibaba.com>
    Cc: Liam Howlett <liam.howlett@oracle.com>
    Signed-off-by: Carlos Llamas <cmllamas@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
block, bfq: protect 'bfqd->queued' by 'bfqd->lock' [+ + +]
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Fri May 13 10:35:06 2022 +0800

    block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
    
    commit 181490d5321806e537dc5386db5ea640b826bf78 upstream.
    
    If bfq_schedule_dispatch() is called from bfq_idle_slice_timer_body(),
    then 'bfqd->queued' is read without holding 'bfqd->lock'. This is
    wrong since it can be wrote concurrently.
    
    Fix the problem by holding 'bfqd->lock' in such case.
    
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
    Link: https://lore.kernel.org/r/20220513023507.2625717-2-yukuai3@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Cc: Khazhy Kumykov <khazhy@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Bluetooth: L2CAP: Fix attempting to access uninitialized memory [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon Oct 31 16:10:52 2022 -0700

    Bluetooth: L2CAP: Fix attempting to access uninitialized memory
    
    commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
    
    On l2cap_parse_conf_req the variable efs is only initialized if
    remote_efs has been set.
    
    CVE: CVE-2022-42895
    CC: stable@vger.kernel.org
    Reported-by: Tamás Koczka <poprdi@google.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu [+ + +]
Author: Maxim Mikityanskiy <maxtram95@gmail.com>
Date:   Wed Oct 5 00:27:18 2022 +0300

    Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
    
    [ Upstream commit 3aff8aaca4e36dc8b17eaa011684881a80238966 ]
    
    Fix the race condition between the following two flows that run in
    parallel:
    
    1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
       __sock_queue_rcv_skb.
    
    2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.
    
    An SKB can be queued by the first flow and immediately dequeued and
    freed by the second flow, therefore the callers of l2cap_reassemble_sdu
    can't use the SKB after that function returns. However, some places
    continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
    short time after l2cap_reassemble_sdu returns, leading to a
    use-after-free condition (the stack trace is below, line numbers for
    kernel 5.19.8).
    
    Fix it by keeping a local copy of struct l2cap_ctrl.
    
    BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
    Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169
    
    Workqueue: hci0 hci_rx_work [bluetooth]
    Call Trace:
     <TASK>
     dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
     print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
     ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
     kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
     ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
     l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
     l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
     ret_from_fork (arch/x86/entry/entry_64.S:306)
     </TASK>
    
    Allocated by task 43169:
     kasan_save_stack (mm/kasan/common.c:39)
     __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
     kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
     __alloc_skb (net/core/skbuff.c:414)
     l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
     l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
     hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
     process_one_work (kernel/workqueue.c:2289)
     worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
     kthread (kernel/kthread.c:376)
     ret_from_fork (arch/x86/entry/entry_64.S:306)
    
    Freed by task 27920:
     kasan_save_stack (mm/kasan/common.c:39)
     kasan_set_track (mm/kasan/common.c:45)
     kasan_set_free_info (mm/kasan/generic.c:372)
     ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
     slab_free_freelist_hook (mm/slub.c:1780)
     kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
     skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
     bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
     l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
     sock_read_iter (net/socket.c:1087)
     new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
     vfs_read (fs/read_write.c:482)
     ksys_read (fs/read_write.c:620)
     do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
    
    Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u
    Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine")
    Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier")
    Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Oct 17 15:58:13 2022 +0800

    Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
    
    [ Upstream commit 0d0e2d032811280b927650ff3c15fe5020e82533 ]
    
    When l2cap_recv_frame() is invoked to receive data, and the cid is
    L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
    However, after a channel is created, the hold operation of the channel
    is not performed. In this case, the value of channel reference counting
    is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
    invokes the close hook function of A2MP to release the channel. Then
     l2cap_chan_unlock(chan) will trigger UAF issue.
    
    The process is as follows:
    Receive data:
    l2cap_data_channel()
        a2mp_channel_create()  --->channel ref is 2
        l2cap_chan_put()       --->channel ref is 1
    
    Triger event:
        hci_error_reset()
            hci_dev_do_close()
            ...
            l2cap_disconn_cfm()
                l2cap_conn_del()
                    l2cap_chan_hold()    --->channel ref is 2
                    l2cap_chan_del()     --->channel ref is 1
                    a2mp_chan_close_cb() --->channel ref is 0, release channel
                    l2cap_chan_unlock()  --->UAF of channel
    
    The detailed Call Trace is as follows:
    BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
    Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
    Workqueue: hci0 hci_error_reset
    Call Trace:
     <TASK>
     dump_stack_lvl+0xcd/0x134
     print_report.cold+0x2ba/0x719
     kasan_report+0xb1/0x1e0
     kasan_check_range+0x140/0x190
     __mutex_unlock_slowpath+0xa6/0x5e0
     l2cap_conn_del+0x404/0x7b0
     l2cap_disconn_cfm+0x8c/0xc0
     hci_conn_hash_flush+0x11f/0x260
     hci_dev_close_sync+0x5f5/0x11f0
     hci_dev_do_close+0x2d/0x70
     hci_error_reset+0x9e/0x140
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30
     </TASK>
    
    Allocated by task 7593:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0xa9/0xd0
     l2cap_chan_create+0x40/0x930
     amp_mgr_create+0x96/0x990
     a2mp_channel_create+0x7d/0x150
     l2cap_recv_frame+0x51b8/0x9a70
     l2cap_recv_acldata+0xaa3/0xc00
     hci_rx_work+0x702/0x1220
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30
    
    Freed by task 7593:
     kasan_save_stack+0x1e/0x40
     kasan_set_track+0x21/0x30
     kasan_set_free_info+0x20/0x30
     ____kasan_slab_free+0x167/0x1c0
     slab_free_freelist_hook+0x89/0x1c0
     kfree+0xe2/0x580
     l2cap_chan_put+0x22a/0x2d0
     l2cap_conn_del+0x3fc/0x7b0
     l2cap_disconn_cfm+0x8c/0xc0
     hci_conn_hash_flush+0x11f/0x260
     hci_dev_close_sync+0x5f5/0x11f0
     hci_dev_do_close+0x2d/0x70
     hci_error_reset+0x9e/0x140
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30
    
    Last potentially related work creation:
     kasan_save_stack+0x1e/0x40
     __kasan_record_aux_stack+0xbe/0xd0
     call_rcu+0x99/0x740
     netlink_release+0xe6a/0x1cf0
     __sock_release+0xcd/0x280
     sock_close+0x18/0x20
     __fput+0x27c/0xa90
     task_work_run+0xdd/0x1a0
     exit_to_user_mode_prepare+0x23c/0x250
     syscall_exit_to_user_mode+0x19/0x50
     do_syscall_64+0x42/0x80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Second to last potentially related work creation:
     kasan_save_stack+0x1e/0x40
     __kasan_record_aux_stack+0xbe/0xd0
     call_rcu+0x99/0x740
     netlink_release+0xe6a/0x1cf0
     __sock_release+0xcd/0x280
     sock_close+0x18/0x20
     __fput+0x27c/0xa90
     task_work_run+0xdd/0x1a0
     exit_to_user_mode_prepare+0x23c/0x250
     syscall_exit_to_user_mode+0x19/0x50
     do_syscall_64+0x42/0x80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: fix inode list leak during backref walking at find_parent_nodes() [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Nov 1 16:15:38 2022 +0000

    btrfs: fix inode list leak during backref walking at find_parent_nodes()
    
    [ Upstream commit 92876eec382a0f19f33d09d2c939e9ca49038ae5 ]
    
    During backref walking, at find_parent_nodes(), if we are dealing with a
    data extent and we get an error while resolving the indirect backrefs, at
    resolve_indirect_refs(), or in the while loop that iterates over the refs
    in the direct refs rbtree, we end up leaking the inode lists attached to
    the direct refs we have in the direct refs rbtree that were not yet added
    to the refs ulist passed as argument to find_parent_nodes(). Since they
    were not yet added to the refs ulist and prelim_release() does not free
    the lists, on error the caller can only free the lists attached to the
    refs that were added to the refs ulist, all the remaining refs get their
    inode lists never freed, therefore leaking their memory.
    
    Fix this by having prelim_release() always free any attached inode list
    to each ref found in the rbtree, and have find_parent_nodes() set the
    ref's inode list to NULL once it transfers ownership of the inode list
    to a ref added to the refs ulist passed to find_parent_nodes().
    
    Fixes: 86d5f9944252 ("btrfs: convert prelimary reference tracking to use rbtrees")
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

btrfs: fix inode list leak during backref walking at resolve_indirect_refs() [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Nov 1 16:15:37 2022 +0000

    btrfs: fix inode list leak during backref walking at resolve_indirect_refs()
    
    [ Upstream commit 5614dc3a47e3310fbc77ea3b67eaadd1c6417bf1 ]
    
    During backref walking, at resolve_indirect_refs(), if we get an error
    we jump to the 'out' label and call ulist_free() on the 'parents' ulist,
    which frees all the elements in the ulist - however that does not free
    any inode lists that may be attached to elements, through the 'aux' field
    of a ulist node, so we end up leaking lists if we have any attached to
    the unodes.
    
    Fix this by calling free_leaf_list() instead of ulist_free() when we exit
    from resolve_indirect_refs(). The static function free_leaf_list() is
    moved up for this to be possible and it's slightly simplified by removing
    unnecessary code.
    
    Fixes: 3301958b7c1d ("Btrfs: add inodes before dropping the extent lock in find_all_leafs")
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

btrfs: fix type of parameter generation in btrfs_get_dentry [+ + +]
Author: David Sterba <dsterba@suse.com>
Date:   Tue Oct 18 16:05:52 2022 +0200

    btrfs: fix type of parameter generation in btrfs_get_dentry
    
    commit 2398091f9c2c8e0040f4f9928666787a3e8108a7 upstream.
    
    The type of parameter generation has been u32 since the beginning,
    however all callers pass a u64 generation, so unify the types to prevent
    potential loss.
    
    CC: stable@vger.kernel.org # 4.9+
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: fix ulist leaks in error paths of qgroup self tests [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Nov 1 16:15:39 2022 +0000

    btrfs: fix ulist leaks in error paths of qgroup self tests
    
    [ Upstream commit d37de92b38932d40e4a251e876cc388f9aee5f42 ]
    
    In the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests,
    if we fail to add the tree ref, remove the extent item or remove the
    extent ref, we are returning from the test function without freeing the
    "old_roots" ulist that was allocated by the previous calls to
    btrfs_find_all_roots(). Fix that by calling ulist_free() before returning.
    
    Fixes: 442244c96332 ("btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism.")
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
capabilities: fix potential memleak on error path from vfs_getxattr_alloc() [+ + +]
Author: Gaosheng Cui <cuigaosheng1@huawei.com>
Date:   Tue Oct 25 21:33:57 2022 +0800

    capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
    
    commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee upstream.
    
    In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
    complete the memory allocation of tmpbuf, if we have completed
    the memory allocation of tmpbuf, but failed to call handler->get(...),
    there will be a memleak in below logic:
    
      |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
        |           /* ^^^ alloc for tmpbuf */
        |-- value = krealloc(*xattr_value, error + 1, flags)
        |           /* ^^^ alloc memory */
        |-- error = handler->get(handler, ...)
        |           /* error! */
        |-- *xattr_value = value
        |           /* xattr_value is &tmpbuf (memory leak!) */
    
    So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
    
    Cc: stable@vger.kernel.org
    Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
    Acked-by: Serge Hallyn <serge@hallyn.com>
    [PM: subject line and backtrace tweaks]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/i915/sdvo: Filter out invalid outputs more sensibly [+ + +]
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Wed Oct 26 13:11:27 2022 +0300

    drm/i915/sdvo: Filter out invalid outputs more sensibly
    
    commit 3e206b6aa6df7eed4297577e0cf8403169b800a2 upstream.
    
    We try to filter out the corresponding xxx1 output
    if the xxx0 output is not present. But the way that is
    being done is pretty awkward. Make it less so.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221026101134.20865-2-ville.syrjala@linux.intel.com
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    (cherry picked from commit cc1e66394daaa7e9f005e2487a84e34a39f9308b)
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/i915/sdvo: Setup DDC fully before output init [+ + +]
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Wed Oct 26 13:11:28 2022 +0300

    drm/i915/sdvo: Setup DDC fully before output init
    
    commit e79762512120f11c51317570519a1553c70805d8 upstream.
    
    Call intel_sdvo_select_ddc_bus() before initializing any
    of the outputs. And before that is functional (assuming no VBT)
    we have to set up the controlled_outputs thing. Otherwise DDC
    won't be functional during the output init but LVDS really
    needs it for the fixed mode setup.
    
    Note that the whole multi output support still looks very
    bogus, and more work will be needed to make it correct.
    But for now this should at least fix the LVDS EDID fixed mode
    setup.
    
    Cc: stable@vger.kernel.org
    Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7301
    Fixes: aa2b88074a56 ("drm/i915/sdvo: Fix multi function encoder stuff")
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221026101134.20865-3-ville.syrjala@linux.intel.com
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    (cherry picked from commit 64b7b557dc8a96d9cfed6aedbf81de2df80c025d)
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/rockchip: dsi: Force synchronous probe [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 19 17:03:49 2022 -0700

    drm/rockchip: dsi: Force synchronous probe
    
    commit 81e592f86f7afdb76d655e7fbd7803d7b8f985d8 upstream.
    
    We can't safely probe a dual-DSI display asynchronously
    (driver_async_probe='*' or driver_async_probe='dw-mipi-dsi-rockchip'
    cmdline), because dw_mipi_dsi_rockchip_find_second() pokes one DSI
    device's drvdata from the other device without any locking.
    
    Request synchronous probe, at least until this driver learns some
    appropriate locking for dual-DSI initialization.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221019170255.2.I6b985b0ca372b7e35c6d9ea970b24bcb262d4fc1@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
efi: random: reduce seed size to 32 bytes [+ + +]
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Thu Oct 20 10:39:08 2022 +0200

    efi: random: reduce seed size to 32 bytes
    
    commit 161a438d730dade2ba2b1bf8785f0759aba4ca5f upstream.
    
    We no longer need at least 64 bytes of random seed to permit the early
    crng init to complete. The RNG is now based on Blake2s, so reduce the
    EFI seed size to the Blake2s hash size, which is sufficient for our
    purposes.
    
    While at it, drop the READ_ONCE(), which was supposed to prevent size
    from being evaluated after seed was unmapped. However, this cannot
    actually happen, so READ_ONCE() is unnecessary here.
    
    Cc: <stable@vger.kernel.org> # v4.14+
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ext4: fix BUG_ON() when directory entry has invalid rec_len [+ + +]
Author: Luís Henriques <lhenriques@suse.de>
Date:   Wed Oct 12 14:13:30 2022 +0100

    ext4: fix BUG_ON() when directory entry has invalid rec_len
    
    commit 17a0bc9bd697f75cfdf9b378d5eb2d7409c91340 upstream.
    
    The rec_len field in the directory entry has to be a multiple of 4.  A
    corrupted filesystem image can be used to hit a BUG() in
    ext4_rec_len_to_disk(), called from make_indexed_dir().
    
     ------------[ cut here ]------------
     kernel BUG at fs/ext4/ext4.h:2413!
     ...
     RIP: 0010:make_indexed_dir+0x53f/0x5f0
     ...
     Call Trace:
      <TASK>
      ? add_dirent_to_buf+0x1b2/0x200
      ext4_add_entry+0x36e/0x480
      ext4_add_nondir+0x2b/0xc0
      ext4_create+0x163/0x200
      path_openat+0x635/0xe90
      do_filp_open+0xb4/0x160
      ? __create_object.isra.0+0x1de/0x3b0
      ? _raw_spin_unlock+0x12/0x30
      do_sys_openat2+0x91/0x150
      __x64_sys_open+0x6c/0xa0
      do_syscall_64+0x3c/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
    The fix simply adds a call to ext4_check_dir_entry() to validate the
    directory entry, returning -EFSCORRUPTED if the entry is invalid.
    
    CC: stable@kernel.org
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=216540
    Signed-off-by: Luís Henriques <lhenriques@suse.de>
    Link: https://lore.kernel.org/r/20221012131330.32456-1-lhenriques@suse.de
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix warning in 'ext4_da_release_space' [+ + +]
Author: Ye Bin <yebin10@huawei.com>
Date:   Tue Oct 18 10:27:01 2022 +0800

    ext4: fix warning in 'ext4_da_release_space'
    
    commit 1b8f787ef547230a3249bcf897221ef0cc78481b upstream.
    
    Syzkaller report issue as follows:
    EXT4-fs (loop0): Free/Dirty block details
    EXT4-fs (loop0): free_blocks=0
    EXT4-fs (loop0): dirty_blocks=0
    EXT4-fs (loop0): Block reservation details
    EXT4-fs (loop0): i_reserved_data_blocks=0
    EXT4-fs warning (device loop0): ext4_da_release_space:1527: ext4_da_release_space: ino 18, to_free 1 with only 0 reserved data blocks
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 92 at fs/ext4/inode.c:1528 ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1524
    Modules linked in:
    CPU: 0 PID: 92 Comm: kworker/u4:4 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
    Workqueue: writeback wb_workfn (flush-7:0)
    RIP: 0010:ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1528
    RSP: 0018:ffffc900015f6c90 EFLAGS: 00010296
    RAX: 42215896cd52ea00 RBX: 0000000000000000 RCX: 42215896cd52ea00
    RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
    RBP: 1ffff1100e907d96 R08: ffffffff816aa79d R09: fffff520002bece5
    R10: fffff520002bece5 R11: 1ffff920002bece4 R12: ffff888021fd2000
    R13: ffff88807483ecb0 R14: 0000000000000001 R15: ffff88807483e740
    FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00005555569ba628 CR3: 000000000c88e000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     ext4_es_remove_extent+0x1ab/0x260 fs/ext4/extents_status.c:1461
     mpage_release_unused_pages+0x24d/0xef0 fs/ext4/inode.c:1589
     ext4_writepages+0x12eb/0x3be0 fs/ext4/inode.c:2852
     do_writepages+0x3c3/0x680 mm/page-writeback.c:2469
     __writeback_single_inode+0xd1/0x670 fs/fs-writeback.c:1587
     writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1870
     wb_writeback+0x41f/0x7b0 fs/fs-writeback.c:2044
     wb_do_writeback fs/fs-writeback.c:2187 [inline]
     wb_workfn+0x3cb/0xef0 fs/fs-writeback.c:2227
     process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
     worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
     kthread+0x266/0x300 kernel/kthread.c:376
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
     </TASK>
    
    Above issue may happens as follows:
    ext4_da_write_begin
      ext4_create_inline_data
        ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
        ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
    __ext4_ioctl
      ext4_ext_migrate -> will lead to eh->eh_entries not zero, and set extent flag
    ext4_da_write_begin
      ext4_da_convert_inline_data_to_extent
        ext4_da_write_inline_data_begin
          ext4_da_map_blocks
            ext4_insert_delayed_block
              if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk))
                if (!ext4_es_scan_clu(inode, &ext4_es_is_mapped, lblk))
                  ext4_clu_mapped(inode, EXT4_B2C(sbi, lblk)); -> will return 1
                   allocated = true;
              ext4_es_insert_delayed_block(inode, lblk, allocated);
    ext4_writepages
      mpage_map_and_submit_extent(handle, &mpd, &give_up_on_write); -> return -ENOSPC
      mpage_release_unused_pages(&mpd, give_up_on_write); -> give_up_on_write == 1
        ext4_es_remove_extent
          ext4_da_release_space(inode, reserved);
            if (unlikely(to_free > ei->i_reserved_data_blocks))
              -> to_free == 1  but ei->i_reserved_data_blocks == 0
              -> then trigger warning as above
    
    To solve above issue, forbid inode do migrate which has inline data.
    
    Cc: stable@kernel.org
    Reported-by: syzbot+c740bb18df70ad00952e@syzkaller.appspotmail.com
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20221018022701.683489-1-yebin10@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fuse: add file_modified() to fallocate [+ + +]
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Fri Oct 28 14:25:20 2022 +0200

    fuse: add file_modified() to fallocate
    
    commit 4a6f278d4827b59ba26ceae0ff4529ee826aa258 upstream.
    
    Add missing file_modified() call to fuse_file_fallocate().  Without this
    fallocate on fuse failed to clear privileges.
    
    Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
HID: saitek: add madcatz variant of MMO7 mouse device ID [+ + +]
Author: Samuel Bailey <samuel.bailey1@gmail.com>
Date:   Wed Oct 5 19:51:23 2022 +0100

    HID: saitek: add madcatz variant of MMO7 mouse device ID
    
    [ Upstream commit 79425b297f56bd481c6e97700a9a4e44c7bcfa35 ]
    
    The MadCatz variant of the MMO7 mouse has the ID 0738:1713 and the same
    quirks as the Saitek variant.
    
    Signed-off-by: Samuel Bailey <samuel.bailey1@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i2c: xiic: Add platform module alias [+ + +]
Author: Martin Tůma <martin.tuma@digiteqautomotive.com>
Date:   Tue Oct 18 16:03:37 2022 +0200

    i2c: xiic: Add platform module alias
    
    [ Upstream commit b8caf0a0e04583fb71e21495bef84509182227ea ]
    
    The missing "platform" alias is required for the mgb4 v4l2 driver to load
    the i2c controller driver when probing the HW.
    
    Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
    Acked-by: Michal Simek <michal.simek@amd.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
IB/hfi1: Correctly move list in sc_disable() [+ + +]
Author: Dean Luick <dean.luick@cornelisnetworks.com>
Date:   Tue Oct 18 10:27:50 2022 -0400

    IB/hfi1: Correctly move list in sc_disable()
    
    [ Upstream commit 1afac08b39d85437187bb2a92d89a741b1078f55 ]
    
    Commit 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()")
    incorrectly tries to move a list from one list head to another.  The
    result is a kernel crash.
    
    The crash is triggered when a link goes down and there are waiters for a
    send to complete.  The following signature is seen:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000030
      [...]
      Call Trace:
       sc_disable+0x1ba/0x240 [hfi1]
       pio_freeze+0x3d/0x60 [hfi1]
       handle_freeze+0x27/0x1b0 [hfi1]
       process_one_work+0x1b0/0x380
       ? process_one_work+0x380/0x380
       worker_thread+0x30/0x360
       ? process_one_work+0x380/0x380
       kthread+0xd7/0x100
       ? kthread_complete_and_exit+0x20/0x20
       ret_from_fork+0x1f/0x30
    
    The fix is to use the correct call to move the list.
    
    Fixes: 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()")
    Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Link: https://lore.kernel.org/r/166610327042.674422.6146908799669288976.stgit@awfm-02.cornelisnetworks.com
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipc: remove memcg accounting for sops objects in do_semtimedop() [+ + +]
Author: Vasily Averin <vasily.averin@linux.dev>
Date:   Sat Sep 11 10:40:08 2021 +0300

    ipc: remove memcg accounting for sops objects in do_semtimedop()
    
    commit 6a4746ba06191e23d30230738e94334b26590a8a upstream.
    
    Linus proposes to revert an accounting for sops objects in
    do_semtimedop() because it's really just a temporary buffer
    for a single semtimedop() system call.
    
    This object can consume up to 2 pages, syscall is sleeping
    one, size and duration can be controlled by user, and this
    allocation can be repeated by many thread at the same time.
    
    However Shakeel Butt pointed that there are much more popular
    objects with the same life time and similar memory
    consumption, the accounting of which was decided to be
    rejected for performance reasons.
    
    Considering at least 2 pages for task_struct and 2 pages for
    the kernel stack, a back of the envelope calculation gives a
    footprint amplification of <1.5 so this temporal buffer can be
    safely ignored.
    
    The factor would IMO be interesting if it was >> 2 (from the
    PoV of excessive (ab)use, fine-grained accounting seems to be
    currently unfeasible due to performance impact).
    
    Link: https://lore.kernel.org/lkml/90e254df-0dfe-f080-011e-b7c53ee7fd20@virtuozzo.com/
    Fixes: 18319498fdd4 ("memcg: enable accounting of ipc resources")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Acked-by: Shakeel Butt <shakeelb@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ipv6: fix WARNING in ip6_route_net_exit_late() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 2 10:06:10 2022 +0800

    ipv6: fix WARNING in ip6_route_net_exit_late()
    
    [ Upstream commit 768b3c745fe5789f2430bdab02f35a9ad1148d97 ]
    
    During the initialization of ip6_route_net_init_late(), if file
    ipv6_route or rt6_stats fails to be created, the initialization is
    successful by default. Therefore, the ipv6_route or rt6_stats file
    doesn't be found during the remove in ip6_route_net_exit_late(). It
    will cause WRNING.
    
    The following is the stack information:
    name 'rt6_stats'
    WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460
    Modules linked in:
    Workqueue: netns cleanup_net
    RIP: 0010:remove_proc_entry+0x389/0x460
    PKRU: 55555554
    Call Trace:
    <TASK>
    ops_exit_list+0xb0/0x170
    cleanup_net+0x4ea/0xb00
    process_one_work+0x9bf/0x1710
    worker_thread+0x665/0x1080
    kthread+0x2e4/0x3a0
    ret_from_fork+0x1f/0x30
    </TASK>
    
    Fixes: cdb1876192db ("[NETNS][IPV6] route6 - create route6 proc files for the namespace")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20221102020610.351330-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipvs: fix WARNING in __ip_vs_cleanup_batch() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Oct 31 20:07:04 2022 +0800

    ipvs: fix WARNING in __ip_vs_cleanup_batch()
    
    [ Upstream commit 3d00c6a0da8ddcf75213e004765e4a42acc71d5d ]
    
    During the initialization of ip_vs_conn_net_init(), if file ip_vs_conn
    or ip_vs_conn_sync fails to be created, the initialization is successful
    by default. Therefore, the ip_vs_conn or ip_vs_conn_sync file doesn't
    be found during the remove.
    
    The following is the stack information:
    name 'ip_vs_conn_sync'
    WARNING: CPU: 3 PID: 9 at fs/proc/generic.c:712
    remove_proc_entry+0x389/0x460
    Modules linked in:
    Workqueue: netns cleanup_net
    RIP: 0010:remove_proc_entry+0x389/0x460
    Call Trace:
    <TASK>
    __ip_vs_cleanup_batch+0x7d/0x120
    ops_exit_list+0x125/0x170
    cleanup_net+0x4ea/0xb00
    process_one_work+0x9bf/0x1710
    worker_thread+0x665/0x1080
    kthread+0x2e4/0x3a0
    ret_from_fork+0x1f/0x30
    </TASK>
    
    Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ipvs: fix WARNING in ip_vs_app_net_cleanup() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Oct 31 20:07:05 2022 +0800

    ipvs: fix WARNING in ip_vs_app_net_cleanup()
    
    [ Upstream commit 5663ed63adb9619c98ab7479aa4606fa9b7a548c ]
    
    During the initialization of ip_vs_app_net_init(), if file ip_vs_app
    fails to be created, the initialization is successful by default.
    Therefore, the ip_vs_app file doesn't be found during the remove in
    ip_vs_app_net_cleanup(). It will cause WRNING.
    
    The following is the stack information:
    name 'ip_vs_app'
    WARNING: CPU: 1 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460
    Modules linked in:
    Workqueue: netns cleanup_net
    RIP: 0010:remove_proc_entry+0x389/0x460
    Call Trace:
    <TASK>
    ops_exit_list+0x125/0x170
    cleanup_net+0x4ea/0xb00
    process_one_work+0x9bf/0x1710
    worker_thread+0x665/0x1080
    kthread+0x2e4/0x3a0
    ret_from_fork+0x1f/0x30
    </TASK>
    
    Fixes: 457c4cbc5a3d ("[NET]: Make /proc/net per network namespace")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ipvs: use explicitly signed chars [+ + +]
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed Oct 26 14:32:16 2022 +0200

    ipvs: use explicitly signed chars
    
    [ Upstream commit 5c26159c97b324dc5174a5713eafb8c855cf8106 ]
    
    The `char` type with no explicit sign is sometimes signed and sometimes
    unsigned. This code will break on platforms such as arm, where char is
    unsigned. So mark it here as explicitly signed, so that the
    todrop_counter decrement and subsequent comparison is correct.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
isdn: mISDN: netjet: fix wrong check of device registration [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Mon Oct 31 20:13:41 2022 +0800

    isdn: mISDN: netjet: fix wrong check of device registration
    
    [ Upstream commit bf00f5426074249058a106a6edbb89e4b25a4d79 ]
    
    The class is set in mISDN_register_device(), but if device_add() returns
    error, it will lead to delete a device without added, fix this by using
    device_is_registered() to check if the device is registered.
    
    Fixes: a900845e5661 ("mISDN: Add support for Traverse Technologies NETJet PCI cards")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kprobe: reverse kp->flags when arm_kprobe failed [+ + +]
Author: Li Qiang <liq3ea@163.com>
Date:   Fri Nov 4 08:49:31 2022 +0900

    kprobe: reverse kp->flags when arm_kprobe failed
    
    commit 4a6f316d6855a434f56dbbeba05e14c01acde8f8 upstream.
    
    In aggregate kprobe case, when arm_kprobe failed,
    we need set the kp->flags with KPROBE_FLAG_DISABLED again.
    If not, the 'kp' kprobe will been considered as enabled
    but it actually not enabled.
    
    Link: https://lore.kernel.org/all/20220902155820.34755-1-liq3ea@163.com/
    
    Fixes: 12310e343755 ("kprobes: Propagate error from arm_kprobe_ftrace()")
    Cc: stable@vger.kernel.org
    Signed-off-by: Li Qiang <liq3ea@163.com>
    Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
KVM: x86: emulator: em_sysexit should update ctxt->mode [+ + +]
Author: Maxim Levitsky <mlevitsk@redhat.com>
Date:   Tue Oct 25 15:47:28 2022 +0300

    KVM: x86: emulator: em_sysexit should update ctxt->mode
    
    commit 5015bb89b58225f97df6ac44383e7e8c8662c8c9 upstream.
    
    SYSEXIT is one of the instructions that can change the
    processor mode, thus ctxt->mode should be updated after it.
    
    Note that this is likely a benign bug, because the only problematic
    mode change is from 32 bit to 64 bit which can lead to truncation of RIP,
    and it is not possible to do with sysexit,
    since sysexit running in 32 bit mode will be limited to 32 bit version.
    
    Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
    Message-Id: <20221025124741.228045-11-mlevitsk@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: x86: emulator: introduce emulator_recalc_and_set_mode [+ + +]
Author: Maxim Levitsky <mlevitsk@redhat.com>
Date:   Tue Oct 25 15:47:29 2022 +0300

    KVM: x86: emulator: introduce emulator_recalc_and_set_mode
    
    commit d087e0f79fa0dd336a9a6b2f79ec23120f5eff73 upstream.
    
    Some instructions update the cpu execution mode, which needs to update the
    emulation mode.
    
    Extract this code, and make assign_eip_far use it.
    
    assign_eip_far now reads CS, instead of getting it via a parameter,
    which is ok, because callers always assign CS to the same value
    before calling this function.
    
    No functional change is intended.
    
    Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
    Message-Id: <20221025124741.228045-12-mlevitsk@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: x86: emulator: update the emulation mode after CR0 write [+ + +]
Author: Maxim Levitsky <mlevitsk@redhat.com>
Date:   Tue Oct 25 15:47:31 2022 +0300

    KVM: x86: emulator: update the emulation mode after CR0 write
    
    commit ad8f9e69942c7db90758d9d774157e53bce94840 upstream.
    
    Update the emulation mode when handling writes to CR0, because
    toggling CR0.PE switches between Real and Protected Mode, and toggling
    CR0.PG when EFER.LME=1 switches between Long and Protected Mode.
    
    This is likely a benign bug because there is no writeback of state,
    other than the RIP increment, and when toggling CR0.PE, the CPU has
    to execute code from a very low memory address.
    
    Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
    Message-Id: <20221025124741.228045-14-mlevitsk@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: x86: Mask off reserved bits in CPUID.80000008H [+ + +]
Author: Jim Mattson <jmattson@google.com>
Date:   Thu Sep 29 15:52:00 2022 -0700

    KVM: x86: Mask off reserved bits in CPUID.80000008H
    
    commit 7030d8530e533844e2f4b0e7476498afcd324634 upstream.
    
    KVM_GET_SUPPORTED_CPUID should only enumerate features that KVM
    actually supports. The following ranges of CPUID.80000008H are reserved
    and should be masked off:
        ECX[31:18]
        ECX[11:8]
    
    In addition, the PerfTscSize field at ECX[17:16] should also be zero
    because KVM does not set the PERFTSC bit at CPUID.80000001H.ECX[27].
    
    Fixes: 24c82e576b78 ("KVM: Sanitize cpuid")
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Message-Id: <20220929225203.2234702-3-jmattson@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: x86: Mask off reserved bits in CPUID.8000001AH [+ + +]
Author: Jim Mattson <jmattson@google.com>
Date:   Thu Sep 29 15:52:01 2022 -0700

    KVM: x86: Mask off reserved bits in CPUID.8000001AH
    
    commit 079f6889818dd07903fb36c252532ab47ebb6d48 upstream.
    
    KVM_GET_SUPPORTED_CPUID should only enumerate features that KVM
    actually supports. In the case of CPUID.8000001AH, only three bits are
    currently defined. The 125 reserved bits should be masked off.
    
    Fixes: 24c82e576b78 ("KVM: Sanitize cpuid")
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Message-Id: <20220929225203.2234702-4-jmattson@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.224 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Nov 10 17:57:58 2022 +0100

    Linux 5.4.224
    
    Link: https://lore.kernel.org/r/20221108133333.659601604@linuxfoundation.org
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Wed Aug 24 09:06:19 2022 +0200

    media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE
    
    [ Upstream commit 2dc73b48665411a08c4e5f0f823dea8510761603 ]
    
    I expect that the hardware will have limited this to 16, but just in
    case it hasn't, check for this corner case.
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvb-frontends/drxk: initialize err to 0 [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Tue Aug 30 07:59:24 2022 +0200

    media: dvb-frontends/drxk: initialize err to 0
    
    [ Upstream commit 20694e96ca089ce6693c2348f8f628ee621e4e74 ]
    
    Fix a compiler warning:
    
    drivers/media/dvb-frontends/drxk_hard.c: In function 'drxk_read_ucblocks':
    drivers/media/dvb-frontends/drxk_hard.c:6673:21: warning: 'err' may be used uninitialized [-Wmaybe-uninitialized]
     6673 |         *ucblocks = (u32) err;
          |                     ^~~~~~~~~
    drivers/media/dvb-frontends/drxk_hard.c:6663:13: note: 'err' was declared here
     6663 |         u16 err;
          |             ^~~
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: meson: vdec: fix possible refcount leak in vdec_probe() [+ + +]
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Tue Sep 6 09:46:30 2022 +0200

    media: meson: vdec: fix possible refcount leak in vdec_probe()
    
    [ Upstream commit 7718999356234d9cc6a11b4641bb773928f1390f ]
    
    v4l2_device_unregister need to be called to put the refcount got by
    v4l2_device_register when vdec_probe fails or vdec_remove is called.
    
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Wed Aug 24 09:02:42 2022 +0200

    media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
    
    [ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ]
    
    I expect that the hardware will have limited this to 16, but just in
    case it hasn't, check for this corner case.
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
memcg: enable accounting of ipc resources [+ + +]
Author: Vasily Averin <vasily.averin@linux.dev>
Date:   Thu Sep 2 14:55:31 2021 -0700

    memcg: enable accounting of ipc resources
    
    commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f upstream.
    
    When user creates IPC objects it forces kernel to allocate memory for
    these long-living objects.
    
    It makes sense to account them to restrict the host's memory consumption
    from inside the memcg-limited container.
    
    This patch enables accounting for IPC shared memory segments, messages
    semaphores and semaphore's undo lists.
    
    Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Reviewed-by: Shakeel Butt <shakeelb@google.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Cc: Andrei Vagin <avagin@gmail.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Christian Brauner <christian.brauner@ubuntu.com>
    Cc: Dmitry Safonov <0x7f454c46@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: "J. Bruce Fields" <bfields@fieldses.org>
    Cc: Jeff Layton <jlayton@kernel.org>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Jiri Slaby <jirislaby@kernel.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Roman Gushchin <guro@fb.com>
    Cc: Serge Hallyn <serge@hallyn.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
    Cc: Yutian Yang <nglaive@gmail.com>
    Cc: Zefan Li <lizefan.x@bytedance.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Luiz Capitulino <luizcap@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mISDN: fix possible memory leak in mISDN_register_device() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Mon Oct 31 20:13:40 2022 +0800

    mISDN: fix possible memory leak in mISDN_register_device()
    
    [ Upstream commit e7d1d4d9ac0dfa40be4c2c8abd0731659869b297 ]
    
    Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
    bus_id string array"), the name of device is allocated dynamically,
    add put_device() to give up the reference, so that the name can be
    freed in kobject_cleanup() when the refcount is 0.
    
    Set device class before put_device() to avoid null release() function
    WARN message in device_release().
    
    Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times [+ + +]
Author: Sascha Hauer <s.hauer@pengutronix.de>
Date:   Fri Jul 1 13:03:41 2022 +0200

    mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times
    
    commit 0fddf9ad06fd9f439f137139861556671673e31c upstream.
    
    06781a5026350 Fixes the calculation of the DEVICE_BUSY_TIMEOUT register
    value from busy_timeout_cycles. busy_timeout_cycles is calculated wrong
    though: It is calculated based on the maximum page read time, but the
    timeout is also used for page write and block erase operations which
    require orders of magnitude bigger timeouts.
    
    Fix this by calculating busy_timeout_cycles from the maximum of
    tBERS_max and tPROG_max.
    
    This is for now the easiest and most obvious way to fix the driver.
    There's room for improvements though: The NAND_OP_WAITRDY_INSTR tells us
    the desired timeout for the current operation, so we could program the
    timeout dynamically for each operation instead of setting a fixed
    timeout. Also we could wire up the interrupt handler to actually detect
    and forward timeouts occurred when waiting for the chip being ready.
    
    As a sidenote I verified that the change in 06781a5026350 is really
    correct. I wired up the interrupt handler in my tree and measured the
    time between starting the operation and the timeout interrupt handler
    coming in. The time increases 41us with each step in the timeout
    register which corresponds to 4096 clock cycles with the 99MHz clock
    that I have.
    
    Fixes: 06781a5026350 ("mtd: rawnand: gpmi: Fix setting busy timeout setting")
    Fixes: b1206122069aa ("mtd: rawniand: gpmi: use core timings instead of an empirical derivation")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
    Acked-by: Han Xu <han.xu@nxp.com>
    Tested-by: Tomasz Moń <tomasz.mon@camlingroup.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Tim Harvey <tharvey@gateworks.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net, neigh: Fix null-ptr-deref in neigh_table_clear() [+ + +]
Author: Chen Zhongjin <chenzhongjin@huawei.com>
Date:   Tue Nov 1 20:15:52 2022 +0800

    net, neigh: Fix null-ptr-deref in neigh_table_clear()
    
    [ Upstream commit f8017317cb0b279b8ab98b0f3901a2e0ac880dad ]
    
    When IPv6 module gets initialized but hits an error in the middle,
    kenel panic with:
    
    KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]
    CPU: 1 PID: 361 Comm: insmod
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370
    RSP: 0018:ffff888012677908 EFLAGS: 00000202
    ...
    Call Trace:
     <TASK>
     neigh_table_clear+0x94/0x2d0
     ndisc_cleanup+0x27/0x40 [ipv6]
     inet6_init+0x21c/0x2cb [ipv6]
     do_one_initcall+0xd3/0x4d0
     do_init_module+0x1ae/0x670
    ...
    Kernel panic - not syncing: Fatal exception
    
    When ipv6 initialization fails, it will try to cleanup and calls:
    
    neigh_table_clear()
      neigh_ifdown(tbl, NULL)
        pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL))
        # dev_net(NULL) triggers null-ptr-deref.
    
    Fix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev
    is NULL, to make kernel not panic immediately.
    
    Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop")
    Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Denis V. Lunev <den@openvz.org>
    Link: https://lore.kernel.org/r/20221101121552.21890-1-chenzhongjin@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: dsa: Fix possible memory leaks in dsa_loop_init() [+ + +]
Author: Chen Zhongjin <chenzhongjin@huawei.com>
Date:   Wed Oct 26 10:03:21 2022 +0800

    net: dsa: Fix possible memory leaks in dsa_loop_init()
    
    [ Upstream commit 633efc8b3dc96f56f5a57f2a49764853a2fa3f50 ]
    
    kmemleak reported memory leaks in dsa_loop_init():
    
    kmemleak: 12 new suspected memory leaks
    
    unreferenced object 0xffff8880138ce000 (size 2048):
      comm "modprobe", pid 390, jiffies 4295040478 (age 238.976s)
      backtrace:
        [<000000006a94f1d5>] kmalloc_trace+0x26/0x60
        [<00000000a9c44622>] phy_device_create+0x5d/0x970
        [<00000000d0ee2afc>] get_phy_device+0xf3/0x2b0
        [<00000000dca0c71f>] __fixed_phy_register.part.0+0x92/0x4e0
        [<000000008a834798>] fixed_phy_register+0x84/0xb0
        [<0000000055223fcb>] dsa_loop_init+0xa9/0x116 [dsa_loop]
        ...
    
    There are two reasons for memleak in dsa_loop_init().
    
    First, fixed_phy_register() create and register phy_device:
    
    fixed_phy_register()
      get_phy_device()
        phy_device_create() # freed by phy_device_free()
      phy_device_register() # freed by phy_device_remove()
    
    But fixed_phy_unregister() only calls phy_device_remove().
    So the memory allocated in phy_device_create() is leaked.
    
    Second, when mdio_driver_register() fail in dsa_loop_init(),
    it just returns and there is no cleanup for phydevs.
    
    Fix the problems by catching the error of mdio_driver_register()
    in dsa_loop_init(), then calling both fixed_phy_unregister() and
    phy_device_free() to release phydevs.
    Also add a function for phydevs cleanup to avoid duplacate.
    
    Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
    Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: fec: fix improper use of NETDEV_TX_BUSY [+ + +]
Author: Zhang Changzhong <zhangchangzhong@huawei.com>
Date:   Fri Oct 28 10:09:11 2022 +0800

    net: fec: fix improper use of NETDEV_TX_BUSY
    
    [ Upstream commit 06a4df5863f73af193a4ff7abf7cb04058584f06 ]
    
    The ndo_start_xmit() method must not free skb when returning
    NETDEV_TX_BUSY, since caller is going to requeue freed skb.
    
    Fix it by returning NETDEV_TX_OK in case of dma_map_single() fails.
    
    Fixes: 79f339125ea3 ("net: fec: Add software TSO support")
    Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: mdio: fix undefined behavior in bit shift for __mdiobus_register [+ + +]
Author: Gaosheng Cui <cuigaosheng1@huawei.com>
Date:   Mon Oct 31 21:26:45 2022 +0800

    net: mdio: fix undefined behavior in bit shift for __mdiobus_register
    
    [ Upstream commit 40e4eb324c59e11fcb927aa46742d28aba6ecb8a ]
    
    Shifting signed 32-bit value by 31 bits is undefined, so changing
    significant bit to unsigned. The UBSAN warning calltrace like below:
    
    UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27
    left shift of 1 by 31 places cannot be represented in type 'int'
    Call Trace:
     <TASK>
     dump_stack_lvl+0x7d/0xa5
     dump_stack+0x15/0x1b
     ubsan_epilogue+0xe/0x4e
     __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
     __mdiobus_register+0x49d/0x4e0
     fixed_mdio_bus_init+0xd8/0x12d
     do_one_initcall+0x76/0x430
     kernel_init_freeable+0x3b3/0x422
     kernel_init+0x24/0x1e0
     ret_from_fork+0x1f/0x30
     </TASK>
    
    Fixes: 4fd5f812c23c ("phylib: allow incremental scanning of an mii bus")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://lore.kernel.org/r/20221031132645.168421-1-cuigaosheng1@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: sched: Fix use after free in red_enqueue() [+ + +]
Author: Dan Carpenter <error27@gmail.com>
Date:   Fri Oct 28 18:05:00 2022 +0300

    net: sched: Fix use after free in red_enqueue()
    
    [ Upstream commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9 ]
    
    We can't use "skb" again after passing it to qdisc_enqueue().  This is
    basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
    len before calling child enqueue").
    
    Fixes: d7f4f332f082 ("sch_red: update backlog as well")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: tun: fix bugs for oversize packet when napi frags enabled [+ + +]
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date:   Sat Oct 29 17:41:01 2022 +0800

    net: tun: fix bugs for oversize packet when napi frags enabled
    
    [ Upstream commit 363a5328f4b0517e59572118ccfb7c626d81dca9 ]
    
    Recently, we got two syzkaller problems because of oversize packet
    when napi frags enabled.
    
    One of the problems is because the first seg size of the iov_iter
    from user space is very big, it is 2147479538 which is bigger than
    the threshold value for bail out early in __alloc_pages(). And
    skb->pfmemalloc is true, __kmalloc_reserve() would use pfmemalloc
    reserves without __GFP_NOWARN flag. Thus we got a warning as following:
    
    ========================================================
    WARNING: CPU: 1 PID: 17965 at mm/page_alloc.c:5295 __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295
    ...
    Call trace:
     __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295
     __alloc_pages_node include/linux/gfp.h:550 [inline]
     alloc_pages_node include/linux/gfp.h:564 [inline]
     kmalloc_large_node+0x94/0x350 mm/slub.c:4038
     __kmalloc_node_track_caller+0x620/0x8e4 mm/slub.c:4545
     __kmalloc_reserve.constprop.0+0x1e4/0x2b0 net/core/skbuff.c:151
     pskb_expand_head+0x130/0x8b0 net/core/skbuff.c:1654
     __skb_grow include/linux/skbuff.h:2779 [inline]
     tun_napi_alloc_frags+0x144/0x610 drivers/net/tun.c:1477
     tun_get_user+0x31c/0x2010 drivers/net/tun.c:1835
     tun_chr_write_iter+0x98/0x100 drivers/net/tun.c:2036
    
    The other problem is because odd IPv6 packets without NEXTHDR_NONE
    extension header and have big packet length, it is 2127925 which is
    bigger than ETH_MAX_MTU(65535). After ipv6_gso_pull_exthdrs() in
    ipv6_gro_receive(), network_header offset and transport_header offset
    are all bigger than U16_MAX. That would trigger skb->network_header
    and skb->transport_header overflow error, because they are all '__u16'
    type. Eventually, it would affect the value for __skb_push(skb, value),
    and make it be a big value. After __skb_push() in ipv6_gro_receive(),
    skb->data would less than skb->head, an out of bounds memory bug occurred.
    That would trigger the problem as following:
    
    ==================================================================
    BUG: KASAN: use-after-free in eth_type_trans+0x100/0x260
    ...
    Call trace:
     dump_backtrace+0xd8/0x130
     show_stack+0x1c/0x50
     dump_stack_lvl+0x64/0x7c
     print_address_description.constprop.0+0xbc/0x2e8
     print_report+0x100/0x1e4
     kasan_report+0x80/0x120
     __asan_load8+0x78/0xa0
     eth_type_trans+0x100/0x260
     napi_gro_frags+0x164/0x550
     tun_get_user+0xda4/0x1270
     tun_chr_write_iter+0x74/0x130
     do_iter_readv_writev+0x130/0x1ec
     do_iter_write+0xbc/0x1e0
     vfs_writev+0x13c/0x26c
    
    To fix the problems, restrict the packet size less than
    (ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN) which has considered reserved
    skb space in napi_alloc_skb() because transport_header is an offset from
    skb->head. Add len check in tun_napi_alloc_frags() simply.
    
    Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
    Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20221029094101.1653855-1-william.xuanziyang@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: nf_tables: release flow rule object from commit path [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Oct 26 09:54:45 2022 +0200

    netfilter: nf_tables: release flow rule object from commit path
    
    [ Upstream commit 26b5934ff4194e13196bedcba373cd4915071d0e ]
    
    No need to postpone this to the commit release path, since no packets
    are walking over this object, this is accessed from control plane only.
    This helped uncovered UAF triggered by races with the netlink notifier.
    
    Fixes: 9dd732e0bdf5 ("netfilter: nf_tables: memleak flow rule from commit path")
    Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() [+ + +]
Author: Shang XiaoJing <shangxiaojing@huawei.com>
Date:   Thu Oct 27 22:03:32 2022 +0800

    nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
    
    [ Upstream commit 93d904a734a74c54d945a9884b4962977f1176cd ]
    
    nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb
    should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send()
    will only free skb when i2c_master_send() return >=0, which means skb
    will memleak when i2c_master_send() failed. Free skb no matter whether
    i2c_master_send() succeeds.
    
    Fixes: b5b3e23e4cac ("NFC: nfcmrvl: add i2c driver")
    Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() [+ + +]
Author: Shang XiaoJing <shangxiaojing@huawei.com>
Date:   Thu Oct 27 22:03:31 2022 +0800

    nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
    
    [ Upstream commit 3a146b7e3099dc7cf3114f627d9b79291e2d2203 ]
    
    s3fwrn5_nci_send() will call s3fwrn5_i2c_write() or s3fwrn82_uart_write(),
    and free the skb if write() failed. However, even if the write() run
    succeeds, the skb will not be freed in write(). As the result, the skb
    will memleak. s3fwrn5_nci_send() should also free the skb when write()
    succeeds.
    
    Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip")
    Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfs4: Fix kmemleak when allocate slot failed [+ + +]
Author: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Date:   Thu Oct 20 11:20:54 2022 +0800

    nfs4: Fix kmemleak when allocate slot failed
    
    [ Upstream commit 7e8436728e22181c3f12a5dbabd35ed3a8b8c593 ]
    
    If one of the slot allocate failed, should cleanup all the other
    allocated slots, otherwise, the allocated slots will leak:
    
      unreferenced object 0xffff8881115aa100 (size 64):
        comm ""mount.nfs"", pid 679, jiffies 4294744957 (age 115.037s)
        hex dump (first 32 bytes):
          00 cc 19 73 81 88 ff ff 00 a0 5a 11 81 88 ff ff  ...s......Z.....
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000007a4c434a>] nfs4_find_or_create_slot+0x8e/0x130
          [<000000005472a39c>] nfs4_realloc_slot_table+0x23f/0x270
          [<00000000cd8ca0eb>] nfs40_init_client+0x4a/0x90
          [<00000000128486db>] nfs4_init_client+0xce/0x270
          [<000000008d2cacad>] nfs4_set_client+0x1a2/0x2b0
          [<000000000e593b52>] nfs4_create_server+0x300/0x5f0
          [<00000000e4425dd2>] nfs4_try_get_tree+0x65/0x110
          [<00000000d3a6176f>] vfs_get_tree+0x41/0xf0
          [<0000000016b5ad4c>] path_mount+0x9b3/0xdd0
          [<00000000494cae71>] __x64_sys_mount+0x190/0x1d0
          [<000000005d56bdec>] do_syscall_64+0x35/0x80
          [<00000000687c9ae4>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
    Fixes: abf79bb341bf ("NFS: Add a slot table to struct nfs_client for NFSv4.0 transport blocking")
    Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
NFSv4.1: Handle RECLAIM_COMPLETE trunking errors [+ + +]
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sun Oct 16 14:44:32 2022 -0400

    NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
    
    [ Upstream commit 5d917cba3201e5c25059df96c29252fd99c4f6a7 ]
    
    If RECLAIM_COMPLETE sets the NFS4CLNT_BIND_CONN_TO_SESSION flag, then we
    need to loop back in order to handle it.
    
    Fixes: 0048fdd06614 ("NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot [+ + +]
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sun Oct 16 14:44:33 2022 -0400

    NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
    
    [ Upstream commit e59679f2b7e522ecad99974e5636291ffd47c184 ]
    
    Currently, we are only guaranteed to send RECLAIM_COMPLETE if we have
    open state to recover. Fix the client to always send RECLAIM_COMPLETE
    after setting up the lease.
    
    Fixes: fce5c838e133 ("nfs41: RECLAIM_COMPLETE functionality")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
parisc: Avoid printing the hardware path twice [+ + +]
Author: Helge Deller <deller@gmx.de>
Date:   Fri Oct 28 18:12:49 2022 +0200

    parisc: Avoid printing the hardware path twice
    
    commit 2b6ae0962b421103feb41a80406732944b0665b3 upstream.
    
    Avoid that the hardware path is shown twice in the kernel log, and clean
    up the output of the version numbers to show up in the same order as
    they are listed in the hardware database in the hardware.c file.
    Additionally, optimize the memory footprint of the hardware database
    and mark some code as init code.
    
    Fixes: cab56b51ec0e ("parisc: Fix device names in /proc/iomem")
    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: <stable@vger.kernel.org> # v4.9+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parisc: Export iosapic_serial_irq() symbol for serial port driver [+ + +]
Author: Helge Deller <deller@gmx.de>
Date:   Thu Oct 27 09:12:05 2022 +0200

    parisc: Export iosapic_serial_irq() symbol for serial port driver
    
    commit a0c9f1f2e53b8eb2ae43987a30e547ba56b4fa18 upstream.
    
    The parisc serial port driver needs this symbol when it's compiled
    as module.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Reported-by: kernel test robot <lkp@intel.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parisc: Make 8250_gsc driver dependend on CONFIG_PARISC [+ + +]
Author: Helge Deller <deller@gmx.de>
Date:   Fri Oct 21 07:44:49 2022 +0200

    parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
    
    commit e8a18e3f00f3ee8d07c17ab1ea3ad4df4a3b6fe0 upstream.
    
    Although the name of the driver 8250_gsc.c suggests that it handles
    only serial ports on the GSC bus, it does handle serial ports listed
    in the parisc machine inventory as well, e.g. the serial ports in a
    C8000 PCI-only workstation.
    
    Change the dependency to CONFIG_PARISC, so that the driver gets included
    in the kernel even if CONFIG_GSC isn't set.
    
    Reported-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[] [+ + +]
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Mon Oct 31 08:45:50 2022 -0700

    perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
    
    commit 6f8faf471446844bb9c318e0340221049d5c19f4 upstream.
    
    The intel_pebs_isolation quirk checks both model number and stepping.
    Cooper Lake has a different stepping (11) than the other Skylake Xeon.
    It cannot benefit from the optimization in commit 9b545c04abd4f
    ("perf/x86/kvm: Avoid unnecessary work in guest filtering").
    
    Add the stepping of Cooper Lake into the isolation_ucodes[] table.
    
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20221031154550.571663-1-kan.liang@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

perf/x86/intel: Fix pebs event constraints for ICL [+ + +]
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Mon Oct 31 08:41:18 2022 -0700

    perf/x86/intel: Fix pebs event constraints for ICL
    
    commit acc5568b90c19ac6375508a93b9676cd18a92a35 upstream.
    
    According to the latest event list, update the MEM_INST_RETIRED events
    which support the DataLA facility.
    
    Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support")
    Reported-by: Jannis Klinkenberg <jannis.klinkenberg@rwth-aachen.de>
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20221031154119.571386-1-kan.liang@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RDMA/cma: Use output interface for net_dev check [+ + +]
Author: Håkon Bugge <haakon.bugge@oracle.com>
Date:   Wed Oct 12 16:15:42 2022 +0200

    RDMA/cma: Use output interface for net_dev check
    
    [ Upstream commit eb83f502adb036cd56c27e13b9ca3b2aabfa790b ]
    
    Commit 27cfde795a96 ("RDMA/cma: Fix arguments order in net device
    validation") swapped the src and dst addresses in the call to
    validate_net_dev().
    
    As a consequence, the test in validate_ipv4_net_dev() to see if the
    net_dev is the right one, is incorrect for port 1 <-> 2 communication when
    the ports are on the same sub-net. This is fixed by denoting the
    flowi4_oif as the device instead of the incoming one.
    
    The bug has not been observed using IPv6 addresses.
    
    Fixes: 27cfde795a96 ("RDMA/cma: Fix arguments order in net device validation")
    Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
    Link: https://lore.kernel.org/r/20221012141542.16925-1-haakon.bugge@oracle.com
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
RDMA/core: Fix null-ptr-deref in ib_core_cleanup() [+ + +]
Author: Chen Zhongjin <chenzhongjin@huawei.com>
Date:   Tue Oct 25 10:41:46 2022 +0800

    RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
    
    [ Upstream commit 07c0d131cc0fe1f3981a42958fc52d573d303d89 ]
    
    KASAN reported a null-ptr-deref error:
    
      KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
      CPU: 1 PID: 379
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:destroy_workqueue+0x2f/0x740
      RSP: 0018:ffff888016137df8 EFLAGS: 00000202
      ...
      Call Trace:
       ib_core_cleanup+0xa/0xa1 [ib_core]
       __do_sys_delete_module.constprop.0+0x34f/0x5b0
       do_syscall_64+0x3a/0x90
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7fa1a0d221b7
      ...
    
    It is because the fail of roce_gid_mgmt_init() is ignored:
    
     ib_core_init()
       roce_gid_mgmt_init()
         gid_cache_wq = alloc_ordered_workqueue # fail
     ...
     ib_core_cleanup()
       roce_gid_mgmt_cleanup()
         destroy_workqueue(gid_cache_wq)
         # destroy an unallocated wq
    
    Fix this by catching the fail of roce_gid_mgmt_init() in ib_core_init().
    
    Fixes: 03db3a2d81e6 ("IB/core: Add RoCE GID table management")
    Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Link: https://lore.kernel.org/r/20221025024146.109137-1-chenzhongjin@huawei.com
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() [+ + +]
Author: Dan Carpenter <error27@gmail.com>
Date:   Tue Oct 25 18:32:32 2022 +0300

    RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
    
    [ Upstream commit 7a47e077e503feb73d56e491ce89aa73b67a3972 ]
    
    Add a check for if create_singlethread_workqueue() fails and also destroy
    the work queue on failure paths.
    
    Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/Y1gBkDucQhhWj5YM@kili
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rose: Fix NULL pointer dereference in rose_send_frame() [+ + +]
Author: Zhang Qilong <zhangqilong3@huawei.com>
Date:   Sat Oct 29 00:10:49 2022 +0800

    rose: Fix NULL pointer dereference in rose_send_frame()
    
    [ Upstream commit e97c089d7a49f67027395ddf70bf327eeac2611e ]
    
    The syzkaller reported an issue:
    
    KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
    CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
    Workqueue: rcu_gp srcu_invoke_callbacks
    RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101
    Call Trace:
     <IRQ>
     rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
     rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
     rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
     call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
     expire_timers kernel/time/timer.c:1519 [inline]
     __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
     __run_timers kernel/time/timer.c:1768 [inline]
     run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
     __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
     [...]
     </IRQ>
    
    It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is
    called in the rose_send_frame(). It's the first occurrence of the
    `neigh` is in rose_loopback_timer() as `rose_loopback_neigh', and
    the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.
    
    It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf
    ("rose: Fix Null pointer dereference in rose_send_frame()") ever.
    But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8
    ("rose: check NULL rose_loopback_neigh->loopback") again.
    
    We fix it by add NULL check in rose_transmit_clear_request(). When
    the 'dev' in 'neigh' is NULL, we don't reply the request and just
    clear it.
    
    syzkaller don't provide repro, and I provide a syz repro like:
    r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
    ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201})
    r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
    bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)
    connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
    
    Fixes: 3c53cd65dece ("rose: check NULL rose_loopback_neigh->loopback")
    Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: core: Restrict legal sdev_state transitions via sysfs [+ + +]
Author: Uday Shankar <ushankar@purestorage.com>
Date:   Fri Sep 23 18:02:42 2022 -0600

    scsi: core: Restrict legal sdev_state transitions via sysfs
    
    [ Upstream commit 2331ce6126be8864b39490e705286b66e2344aac ]
    
    Userspace can currently write to sysfs to transition sdev_state to RUNNING
    or OFFLINE from any source state. This causes issues because proper
    transitioning out of some states involves steps besides just changing
    sdev_state, so allowing userspace to change sdev_state regardless of the
    source state can result in inconsistencies; e.g. with ISCSI we can end up
    with sdev_state == SDEV_RUNNING while the device queue is quiesced. Any
    task attempting I/O on the device will then hang, and in more recent
    kernels, iscsid will hang as well.
    
    More detail about this bug is provided in my first attempt:
    
    https://groups.google.com/g/open-iscsi/c/PNKca4HgPDs/m/CXaDkntOAQAJ
    
    Link: https://lore.kernel.org/r/20220924000241.2967323-1-ushankar@purestorage.com
    Signed-off-by: Uday Shankar <ushankar@purestorage.com>
    Suggested-by: Mike Christie <michael.christie@oracle.com>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp/udp: Fix memory leak in ipv6_renew_options(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Thu Oct 6 11:53:45 2022 -0700

    tcp/udp: Fix memory leak in ipv6_renew_options().
    
    commit 3c52c6bb831f6335c176a0fc7214e26f43adbd11 upstream.
    
    syzbot reported a memory leak [0] related to IPV6_ADDRFORM.
    
    The scenario is that while one thread is converting an IPv6 socket into
    IPv4 with IPV6_ADDRFORM, another thread calls do_ipv6_setsockopt() and
    allocates memory to inet6_sk(sk)->XXX after conversion.
    
    Then, the converted sk with (tcp|udp)_prot never frees the IPv6 resources,
    which inet6_destroy_sock() should have cleaned up.
    
    setsockopt(IPV6_ADDRFORM)                 setsockopt(IPV6_DSTOPTS)
    +-----------------------+                 +----------------------+
    - do_ipv6_setsockopt(sk, ...)
      - sockopt_lock_sock(sk)                 - do_ipv6_setsockopt(sk, ...)
        - lock_sock(sk)                         ^._ called via tcpv6_prot
      - WRITE_ONCE(sk->sk_prot, &tcp_prot)          before WRITE_ONCE()
      - xchg(&np->opt, NULL)
      - txopt_put(opt)
      - sockopt_release_sock(sk)
        - release_sock(sk)                      - sockopt_lock_sock(sk)
                                                  - lock_sock(sk)
                                                - ipv6_set_opt_hdr(sk, ...)
                                                  - ipv6_update_options(sk, opt)
                                                    - xchg(&inet6_sk(sk)->opt, opt)
                                                      ^._ opt is never freed.
    
                                                - sockopt_release_sock(sk)
                                                  - release_sock(sk)
    
    Since IPV6_DSTOPTS allocates options under lock_sock(), we can avoid this
    memory leak by testing whether sk_family is changed by IPV6_ADDRFORM after
    acquiring the lock.
    
    This issue exists from the initial commit between IPV6_ADDRFORM and
    IPV6_PKTOPTIONS.
    
    [0]:
    BUG: memory leak
    unreferenced object 0xffff888009ab9f80 (size 96):
      comm "syz-executor583", pid 328, jiffies 4294916198 (age 13.034s)
      hex dump (first 32 bytes):
        01 00 00 00 48 00 00 00 08 00 00 00 00 00 00 00  ....H...........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<000000002ee98ae1>] kmalloc include/linux/slab.h:605 [inline]
        [<000000002ee98ae1>] sock_kmalloc+0xb3/0x100 net/core/sock.c:2566
        [<0000000065d7b698>] ipv6_renew_options+0x21e/0x10b0 net/ipv6/exthdrs.c:1318
        [<00000000a8c756d7>] ipv6_set_opt_hdr net/ipv6/ipv6_sockglue.c:354 [inline]
        [<00000000a8c756d7>] do_ipv6_setsockopt.constprop.0+0x28b7/0x4350 net/ipv6/ipv6_sockglue.c:668
        [<000000002854d204>] ipv6_setsockopt+0xdf/0x190 net/ipv6/ipv6_sockglue.c:1021
        [<00000000e69fdcf8>] tcp_setsockopt+0x13b/0x2620 net/ipv4/tcp.c:3789
        [<0000000090da4b9b>] __sys_setsockopt+0x239/0x620 net/socket.c:2252
        [<00000000b10d192f>] __do_sys_setsockopt net/socket.c:2263 [inline]
        [<00000000b10d192f>] __se_sys_setsockopt net/socket.c:2260 [inline]
        [<00000000b10d192f>] __x64_sys_setsockopt+0xbe/0x160 net/socket.c:2260
        [<000000000a80d7aa>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        [<000000000a80d7aa>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
        [<000000004562b5c6>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp/udp: Make early_demux back namespacified. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 13 10:52:07 2022 -0700

    tcp/udp: Make early_demux back namespacified.
    
    commit 11052589cf5c0bab3b4884d423d5f60c38fcf25d upstream.
    
    Commit e21145a9871a ("ipv4: namespacify ip_early_demux sysctl knob") made
    it possible to enable/disable early_demux on a per-netns basis.  Then, we
    introduced two knobs, tcp_early_demux and udp_early_demux, to switch it for
    TCP/UDP in commit dddb64bcb346 ("net: Add sysctl to toggle early demux for
    tcp and udp").  However, the .proc_handler() was wrong and actually
    disabled us from changing the behaviour in each netns.
    
    We can execute early_demux if net.ipv4.ip_early_demux is on and each proto
    .early_demux() handler is not NULL.  When we toggle (tcp|udp)_early_demux,
    the change itself is saved in each netns variable, but the .early_demux()
    handler is a global variable, so the handler is switched based on the
    init_net's sysctl variable.  Thus, netns (tcp|udp)_early_demux knobs have
    nothing to do with the logic.  Whether we CAN execute proto .early_demux()
    is always decided by init_net's sysctl knob, and whether we DO it or not is
    by each netns ip_early_demux knob.
    
    This patch namespacifies (tcp|udp)_early_demux again.  For now, the users
    of the .early_demux() handler are TCP and UDP only, and they are called
    directly to avoid retpoline.  So, we can remove the .early_demux() handler
    from inet6?_protos and need not dereference them in ip6?_rcv_finish_core().
    If another proto needs .early_demux(), we can restore it at that time.
    
    Fixes: dddb64bcb346 ("net: Add sysctl to toggle early demux for tcp and udp")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://lore.kernel.org/r/20220713175207.7727-1-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tools/nolibc/string: Fix memcmp() implementation [+ + +]
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date:   Fri Oct 21 08:01:53 2022 +0200

    tools/nolibc/string: Fix memcmp() implementation
    
    commit b3f4f51ea68a495f8a5956064c33dce711a2df91 upstream.
    
    The C standard says that memcmp() must treat the buffers as consisting
    of "unsigned chars". If char happens to be unsigned, the casts are ok,
    but then obviously the c1 variable can never contain a negative
    value. And when char is signed, the casts are wrong, and there's still
    a problem with using an 8-bit quantity to hold the difference, because
    that can range from -255 to +255.
    
    For example, assuming char is signed, comparing two 1-byte buffers,
    one containing 0x00 and another 0x80, the current implementation would
    return -128 for both memcmp(a, b, 1) and memcmp(b, a, 1), whereas one
    of those should of course return something positive.
    
    Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Fixes: 66b6f755ad45 ("rcutorture: Import a copy of nolibc")
    Cc: stable@vger.kernel.org # v5.0+
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tracing/histogram: Update document for KEYS_MAX size [+ + +]
Author: Zheng Yejian <zhengyejian1@huawei.com>
Date:   Mon Oct 17 10:38:06 2022 +0000

    tracing/histogram: Update document for KEYS_MAX size
    
    commit a635beeacc6d56d2b71c39e6c0103f85b53d108e upstream.
    
    After commit 4f36c2d85ced ("tracing: Increase tracing map KEYS_MAX size"),
    'keys' supports up to three fields.
    
    Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
    Cc: stable@vger.kernel.org
    Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Link: https://lore.kernel.org/r/20221017103806.2479139-1-zhengyejian1@huawei.com
    Signed-off-by: Jonathan Corbet <corbet@lwn.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() [+ + +]
Author: Dokyung Song <dokyung.song@gmail.com>
Date:   Fri Oct 21 15:13:59 2022 +0900

    wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
    
    commit 6788ba8aed4e28e90f72d68a9d794e34eac17295 upstream.
    
    This patch fixes an intra-object buffer overflow in brcmfmac that occurs
    when the device provides a 'bsscfgidx' equal to or greater than the
    buffer size. The patch adds a check that leads to a safe failure if that
    is the case.
    
    This fixes CVE-2022-3628.
    
    UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
    index 52 is out of range for type 'brcmf_if *[16]'
    CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
    Workqueue: events brcmf_fweh_event_worker
    Call Trace:
     dump_stack_lvl+0x57/0x7d
     ubsan_epilogue+0x5/0x40
     __ubsan_handle_out_of_bounds+0x69/0x80
     ? memcpy+0x39/0x60
     brcmf_fweh_event_worker+0xae1/0xc00
     ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
     ? rcu_read_lock_sched_held+0xa1/0xd0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? lockdep_hardirqs_on_prepare+0x273/0x3e0
     process_one_work+0x873/0x13e0
     ? lock_release+0x640/0x640
     ? pwq_dec_nr_in_flight+0x320/0x320
     ? rwlock_bug.part.0+0x90/0x90
     worker_thread+0x8b/0xd10
     ? __kthread_parkme+0xd9/0x1d0
     ? process_one_work+0x13e0/0x13e0
     kthread+0x379/0x450
     ? _raw_spin_unlock_irq+0x24/0x30
     ? set_kthread_struct+0x100/0x100
     ret_from_fork+0x1f/0x30
    ================================================================================
    general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN
    KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff]
    CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
    Workqueue: events brcmf_fweh_event_worker
    RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
    Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
    RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
    RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
    RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
    RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
    R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
    R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
    FS:  0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     brcmf_fweh_event_worker+0x117/0xc00
     ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
     ? rcu_read_lock_sched_held+0xa1/0xd0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? lockdep_hardirqs_on_prepare+0x273/0x3e0
     process_one_work+0x873/0x13e0
     ? lock_release+0x640/0x640
     ? pwq_dec_nr_in_flight+0x320/0x320
     ? rwlock_bug.part.0+0x90/0x90
     worker_thread+0x8b/0xd10
     ? __kthread_parkme+0xd9/0x1d0
     ? process_one_work+0x13e0/0x13e0
     kthread+0x379/0x450
     ? _raw_spin_unlock_irq+0x24/0x30
     ? set_kthread_struct+0x100/0x100
     ret_from_fork+0x1f/0x30
    Modules linked in: 88XXau(O) 88x2bu(O)
    ---[ end trace 41d302138f3ff55a ]---
    RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
    Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
    RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
    RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
    RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
    RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
    R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
    R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
    FS:  0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Kernel panic - not syncing: Fatal exception
    
    Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
    Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
    Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
    Reviewed-by: Arend van Spriel <aspriel@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Dokyung Song <dokyung.song@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20221021061359.GA550858@laguna
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xfs: Add the missed xfs_perag_put() for xfs_ifree_cluster() [+ + +]
Author: Chuhong Yuan <hslester96@gmail.com>
Date:   Mon Nov 7 09:33:27 2022 +0530

    xfs: Add the missed xfs_perag_put() for xfs_ifree_cluster()
    
    commit 8cc0072469723459dc6bd7beff81b2b3149f4cf4 upstream.
    
    xfs_ifree_cluster() calls xfs_perag_get() at the beginning, but forgets to
    call xfs_perag_put() in one failed path.
    Add the missed function call to fix it.
    
    Fixes: ce92464c180b ("xfs: make xfs_trans_get_buf return an error code")
    Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xfs: don't fail unwritten extent conversion on writeback due to edquot [+ + +]
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date:   Mon Nov 7 09:33:26 2022 +0530

    xfs: don't fail unwritten extent conversion on writeback due to edquot
    
    commit 1edd2c055dff9710b1e29d4df01902abb0a55f1f upstream.
    
    During writeback, it's possible for the quota block reservation in
    xfs_iomap_write_unwritten to fail with EDQUOT because we hit the quota
    limit.  This causes writeback errors for data that was already written
    to disk, when it's not even guaranteed that the bmbt will expand to
    exceed the quota limit.  Irritatingly, this condition is reported to
    userspace as EIO by fsync, which is confusing.
    
    We wrote the data, so allow the reservation.  That might put us slightly
    above the hard limit, but it's better than losing data after a write.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xfs: don't fail verifier on empty attr3 leaf block [+ + +]
Author: Brian Foster <bfoster@redhat.com>
Date:   Mon Nov 7 09:33:22 2022 +0530

    xfs: don't fail verifier on empty attr3 leaf block
    
    commit f28cef9e4daca11337cb9f144cdebedaab69d78c upstream.
    
    The attr fork can transition from shortform to leaf format while
    empty if the first xattr doesn't fit in shortform. While this empty
    leaf block state is intended to be transient, it is technically not
    due to the transactional implementation of the xattr set operation.
    
    We historically have a couple of bandaids to work around this
    problem. The first is to hold the buffer after the format conversion
    to prevent premature writeback of the empty leaf buffer and the
    second is to bypass the xattr count check in the verifier during
    recovery. The latter assumes that the xattr set is also in the log
    and will be recovered into the buffer soon after the empty leaf
    buffer is reconstructed. This is not guaranteed, however.
    
    If the filesystem crashes after the format conversion but before the
    xattr set that induced it, only the format conversion may exist in
    the log. When recovered, this creates a latent corrupted state on
    the inode as any subsequent attempts to read the buffer fail due to
    verifier failure. This includes further attempts to set xattrs on
    the inode or attempts to destroy the attr fork, which prevents the
    inode from ever being removed from the unlinked list.
    
    To avoid this condition, accept that an empty attr leaf block is a
    valid state and remove the count check from the verifier. This means
    that on rare occasions an attr fork might exist in an unexpected
    state, but is otherwise consistent and functional. Note that we
    retain the logic to avoid racing with metadata writeback to reduce
    the window where this can occur.
    
    Signed-off-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xfs: group quota should return EDQUOT when prj quota enabled [+ + +]
Author: Eric Sandeen <sandeen@redhat.com>
Date:   Mon Nov 7 09:33:25 2022 +0530

    xfs: group quota should return EDQUOT when prj quota enabled
    
    commit c8d329f311c4d3d8f8e6dc5897ec235e37f48ae8 upstream.
    
    Long ago, group & project quota were mutually exclusive, and so
    when we turned on XFS_QMOPT_ENOSPC ("return ENOSPC if project quota
    is exceeded") when project quota was enabled, we only needed to
    disable it again for user quota.
    
    When group & project quota got separated, this got missed, and as a
    result if project quota is enabled and group quota is exceeded, the
    error code returned is incorrectly returned as ENOSPC not EDQUOT.
    
    Fix this by stripping XFS_QMOPT_ENOSPC out of flags for group
    quota when we try to reserve the space.
    
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xfs: gut error handling in xfs_trans_unreserve_and_mod_sb() [+ + +]
Author: Dave Chinner <david@fromorbit.com>
Date:   Mon Nov 7 09:33:24 2022 +0530

    xfs: gut error handling in xfs_trans_unreserve_and_mod_sb()
    
    commit dc3ffbb14060c943469d5e12900db3a60bc3fa64 upstream.
    
    The error handling in xfs_trans_unreserve_and_mod_sb() is largely
    incorrect - rolling back the changes in the transaction if only one
    counter underruns makes all the other counters incorrect. We still
    allow the change to proceed and committing the transaction, except
    now we have multiple incorrect counters instead of a single
    underflow.
    
    Further, we don't actually report the error to the caller, so this
    is completely silent except on debug kernels that will assert on
    failure before we even get to the rollback code.  Hence this error
    handling is broken, untested, and largely unnecessary complexity.
    
    Just remove it.
    
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xfs: use ordered buffers to initialize dquot buffers during quotacheck [+ + +]
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date:   Mon Nov 7 09:33:23 2022 +0530

    xfs: use ordered buffers to initialize dquot buffers during quotacheck
    
    commit 78bba5c812cc651cee51b64b786be926ab7fe2a9 upstream.
    
    While QAing the new xfs_repair quotacheck code, I uncovered a quota
    corruption bug resulting from a bad interaction between dquot buffer
    initialization and quotacheck.  The bug can be reproduced with the
    following sequence:
    
    # mkfs.xfs -f /dev/sdf
    # mount /dev/sdf /opt -o usrquota
    # su nobody -s /bin/bash -c 'touch /opt/barf'
    # sync
    # xfs_quota -x -c 'report -ahi' /opt
    User quota on /opt (/dev/sdf)
                            Inodes
    User ID      Used   Soft   Hard Warn/Grace
    ---------- ---------------------------------
    root            3      0      0  00 [------]
    nobody          1      0      0  00 [------]
    
    # xfs_io -x -c 'shutdown' /opt
    # umount /opt
    # mount /dev/sdf /opt -o usrquota
    # touch /opt/man2
    # xfs_quota -x -c 'report -ahi' /opt
    User quota on /opt (/dev/sdf)
                            Inodes
    User ID      Used   Soft   Hard Warn/Grace
    ---------- ---------------------------------
    root            1      0      0  00 [------]
    nobody          1      0      0  00 [------]
    
    # umount /opt
    
    Notice how the initial quotacheck set the root dquot icount to 3
    (rootino, rbmino, rsumino), but after shutdown -> remount -> recovery,
    xfs_quota reports that the root dquot has only 1 icount.  We haven't
    deleted anything from the filesystem, which means that quota is now
    under-counting.  This behavior is not limited to icount or the root
    dquot, but this is the shortest reproducer.
    
    I traced the cause of this discrepancy to the way that we handle ondisk
    dquot updates during quotacheck vs. regular fs activity.  Normally, when
    we allocate a disk block for a dquot, we log the buffer as a regular
    (dquot) buffer.  Subsequent updates to the dquots backed by that block
    are done via separate dquot log item updates, which means that they
    depend on the logged buffer update being written to disk before the
    dquot items.  Because individual dquots have their own LSN fields, that
    initial dquot buffer must always be recovered.
    
    However, the story changes for quotacheck, which can cause dquot block
    allocations but persists the final dquot counter values via a delwri
    list.  Because recovery doesn't gate dquot buffer replay on an LSN, this
    means that the initial dquot buffer can be replayed over the (newer)
    contents that were delwritten at the end of quotacheck.  In effect, this
    re-initializes the dquot counters after they've been updated.  If the
    log does not contain any other dquot items to recover, the obsolete
    dquot contents will not be corrected by log recovery.
    
    Because quotacheck uses a transaction to log the setting of the CHKD
    flags in the superblock, we skip quotacheck during the second mount
    call, which allows the incorrect icount to remain.
    
    Fix this by changing the ondisk dquot initialization function to use
    ordered buffers to write out fresh dquot blocks if it detects that we're
    running quotacheck.  If the system goes down before quotacheck can
    complete, the CHKD flags will not be set in the superblock and the next
    mount will run quotacheck again, which can fix uninitialized dquot
    buffers.  This requires amending the defer code to maintaine ordered
    buffer state across defer rolls for the sake of the dquot allocation
    code.
    
    For regular operations we preserve the current behavior since the dquot
    items require properly initialized ondisk dquot records.
    
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>