commit b86ee2b7ae42b6b37a918b66236608e2cc325f59
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Jan 29 10:17:07 2022 +0100

    Linux 4.14.264
    
    Link: https://lore.kernel.org/r/20220127180256.764665162@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8d092a62449dcfc73517ca43963d2b8f44d0516
Author: Mathias Krause <minipli@grsecurity.net>
Date:   Thu Jan 27 18:34:19 2022 +1000

    drm/vmwgfx: Fix stale file descriptors on failed usercopy
    
    commit a0f90c8815706981c483a652a6aefca51a5e191c upstream.
    
    A failing usercopy of the fence_rep object will lead to a stale entry in
    the file descriptor table as put_unused_fd() won't release it. This
    enables userland to refer to a dangling 'file' object through that still
    valid file descriptor, leading to all kinds of use-after-free
    exploitation scenarios.
    
    Fix this by deferring the call to fd_install() until after the usercopy
    has succeeded.
    
    Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
    Signed-off-by: Mathias Krause <minipli@grsecurity.net>
    Signed-off-by: Zack Rusin <zackr@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 632881680ba0fab07a47157e9db3a029710abbac
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date:   Sat Jan 22 18:25:06 2022 +0800

    can: bcm: fix UAF of bcm op
    
    Stopping tasklet and hrtimer rely on the active state of tasklet and
    hrtimer sequentially in bcm_remove_op(), the op object will be freed
    if they are all unactive. Assume the hrtimer timeout is short, the
    hrtimer cb has been excuted after tasklet conditional judgment which
    must be false after last round tasklet_kill() and before condition
    hrtimer_active(), it is false when execute to hrtimer_active(). Bug
    is triggerd, because the stopping action is end and the op object
    will be freed, but the tasklet is scheduled. The resources of the op
    object will occur UAF bug.
    
    Move hrtimer_cancel() behind tasklet_kill() and switch 'while () {...}'
    to 'do {...} while ()' to fix the op UAF problem.
    
    Fixes: a06393ed0316 ("can: bcm: fix hrtimer/tasklet termination in bcm op removal")
    Reported-by: syzbot+5ca851459ed04c778d1d@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eed39c1918f1803948d736c444bfacba2a482ad0
Author: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Date:   Tue Oct 19 13:27:10 2021 +0100

    drm/i915: Flush TLBs before releasing backing store
    
    commit 7938d61591d33394a21bdd7797a245b65428f44c upstream.
    
    We need to flush TLBs before releasing backing store otherwise userspace
    is able to encounter stale entries if a) it is not declaring access to
    certain buffers and b) it races with the backing store release from a
    such undeclared execution already executing on the GPU in parallel.
    
    The approach taken is to mark any buffer objects which were ever bound
    to the GPU and to trigger a serialized TLB flush when their backing
    store is released.
    
    Alternatively the flushing could be done on VMA unbind, at which point
    we would be able to ascertain whether there is potential a parallel GPU
    execution (which could race), but essentially it boils down to paying
    the cost of TLB flushes potentially needlessly at VMA unbind time (when
    the backing store is not known to be going away so not needed for
    safety), versus potentially needlessly at backing store relase time
    (since we at that point cannot tell whether there is anything executing
    on the GPU which uses that object).
    
    Thereforce simplicity of implementation has been chosen for now with
    scope to benchmark and refine later as required.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
    Reported-by: Sushma Venkatesh Reddy <sushma.venkatesh.reddy@intel.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Acked-by: Dave Airlie <airlied@redhat.com>
    Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
    Cc: Jon Bloomfield <jon.bloomfield@intel.com>
    Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Cc: Jani Nikula <jani.nikula@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>