From: Greg Kroah-Hartman Date: Sat, 26 Aug 2023 20:36:16 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.49~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26aff78f3c5c034a3ef5da02ed494076659c11d5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch batman-adv-don-t-increase-mtu-when-set-by-user.patch batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch batman-adv-trigger-events-for-auto-adjusted-mtu.patch lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch nfsd-fix-race-to-free_stateid-and-cl_revoked.patch of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch radix-tree-remove-unused-variable.patch selinux-set-next-pointer-before-attaching-to-list.patch
---
diff --git a/queue-5.10/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch b/queue-5.10/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch
new file mode 100644
index 00000000000..20128a15bf3
--- /dev/null
+++ b/queue-5.10/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch
@@ -0,0 +1,122 @@
+From eac27a41ab641de074655d2932fc7f8cdb446881 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel
+Date: Fri, 28 Jul 2023 15:38:50 +0200
+Subject: batman-adv: Do not get eth header before batadv_check_management_packet
+
+From: Remi Pommarel
+
+commit eac27a41ab641de074655d2932fc7f8cdb446881 upstream.
+
+If received skb in batadv_v_elp_packet_recv or batadv_v_ogm_packet_recv
+is either cloned or non linearized then its data buffer will be
+reallocated by batadv_check_management_packet when skb_cow or
+skb_linearize get called. Thus geting ethernet header address inside
+skb data buffer before batadv_check_management_packet had any chance to
+reallocate it could lead to the following kernel panic:
+
+ Unable to handle kernel paging request at virtual address ffffff8020ab069a
+ Mem abort info:
+ ESR = 0x96000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000007
+ CM = 0, WnR = 0
+ swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000040f45000
+ [ffffff8020ab069a] pgd=180000007fffa003, p4d=180000007fffa003, pud=180000007fffa003, pmd=180000007fefe003, pte=0068000020ab0706
+ Internal error: Oops: 96000007 [#1] SMP
+ Modules linked in: ahci_mvebu libahci_platform libahci dvb_usb_af9035 dvb_usb_dib0700 dib0070 dib7000m dibx000_common ath11k_pci ath10k_pci ath10k_core mwl8k_new nf_nat_sip nf_conntrack_sip xhci_plat_hcd xhci_hcd nf_nat_pptp nf_conntrack_pptp at24 sbsa_gwdt
+ CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.15.42-00066-g3242268d425c-dirty #550
+ Hardware name: A8k (DT)
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : batadv_is_my_mac+0x60/0xc0
+ lr : batadv_v_ogm_packet_recv+0x98/0x5d0
+ sp : ffffff8000183820
+ x29: ffffff8000183820 x28: 0000000000000001 x27: ffffff8014f9af00
+ x26: 0000000000000000 x25: 0000000000000543 x24: 0000000000000003
+ x23: ffffff8020ab0580 x22: 0000000000000110 x21:
ffffff80168ae880
+ x20: 0000000000000000 x19: ffffff800b561000 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: 00dc098924ae0032
+ x14: 0f0405433e0054b0 x13: ffffffff00000080 x12: 0000004000000001
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : 0000000000000000 x7 : ffffffc076dae000 x6 : ffffff8000183700
+ x5 : ffffffc00955e698 x4 : ffffff80168ae000 x3 : ffffff80059cf000
+ x2 : ffffff800b561000 x1 : ffffff8020ab0696 x0 : ffffff80168ae880
+ Call trace:
+ batadv_is_my_mac+0x60/0xc0
+ batadv_v_ogm_packet_recv+0x98/0x5d0
+ batadv_batman_skb_recv+0x1b8/0x244
+ __netif_receive_skb_core.isra.0+0x440/0xc74
+ __netif_receive_skb_one_core+0x14/0x20
+ netif_receive_skb+0x68/0x140
+ br_pass_frame_up+0x70/0x80
+ br_handle_frame_finish+0x108/0x284
+ br_handle_frame+0x190/0x250
+ __netif_receive_skb_core.isra.0+0x240/0xc74
+ __netif_receive_skb_list_core+0x6c/0x90
+ netif_receive_skb_list_internal+0x1f4/0x310
+ napi_complete_done+0x64/0x1d0
+ gro_cell_poll+0x7c/0xa0
+ __napi_poll+0x34/0x174
+ net_rx_action+0xf8/0x2a0
+ _stext+0x12c/0x2ac
+ run_ksoftirqd+0x4c/0x7c
+ smpboot_thread_fn+0x120/0x210
+ kthread+0x140/0x150
+ ret_from_fork+0x10/0x20
+ Code: f9403844 eb03009f 54fffee1 f94
+
+Thus ethernet header address should only be fetched after
+batadv_check_management_packet has been called.
+
+Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Remi Pommarel
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_v_elp.c | 3 ++-
+ net/batman-adv/bat_v_ogm.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -509,7 +509,7 @@ int batadv_v_elp_packet_recv(struct sk_b
+ struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+ struct batadv_elp_packet *elp_packet;
+ struct batadv_hard_iface *primary_if;
+- struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb);
++ struct ethhdr *ethhdr;
+ bool res;
+ int ret = NET_RX_DROP;
+
+@@ -517,6 +517,7 @@ int batadv_v_elp_packet_recv(struct sk_b
+ if (!res)
+ goto free_skb;
+
++ ethhdr = eth_hdr(skb);
+ if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
+ goto free_skb;
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -998,7 +998,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ {
+ struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+ struct batadv_ogm2_packet *ogm_packet;
+- struct ethhdr *ethhdr = eth_hdr(skb);
++ struct ethhdr *ethhdr;
+ int ogm_offset;
+ u8 *packet_pos;
+ int ret = NET_RX_DROP;
+@@ -1012,6 +1012,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ if (!batadv_check_management_packet(skb, if_incoming, BATADV_OGM2_HLEN))
+ goto free_skb;
+
++ ethhdr = eth_hdr(skb);
+ if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
+ goto free_skb;
+
diff --git a/queue-5.10/batman-adv-don-t-increase-mtu-when-set-by-user.patch b/queue-5.10/batman-adv-don-t-increase-mtu-when-set-by-user.patch
new file mode 100644
index 00000000000..64ea211a1ed
--- /dev/null
+++ b/queue-5.10/batman-adv-don-t-increase-mtu-when-set-by-user.patch
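Review bot: Nothing at the two new `ethhdr = eth_hdr(skb);` assignments (bat_v_elp.c and bat_v_ogm.c) records why they must sit below the validation call, so a later cleanup could fold them back into the declaration and bring the stale pointer back. A one-line comment above each would pin the ordering: `/* batadv_check_management_packet() may reallocate skb data; fetch the header only afterwards */`. Both function bodies continue outside the hunks shown.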
@@ -0,0 +1,83 @@
+From d8e42a2b0addf238be8b3b37dcd9795a5c1be459 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Wed, 19 Jul 2023 10:01:15 +0200
+Subject: batman-adv: Don't increase MTU when set by user
+
+From: Sven Eckelmann
+
+commit d8e42a2b0addf238be8b3b37dcd9795a5c1be459 upstream.
+
+If the user set an MTU value, it usually means that there are special
+requirements for the MTU. But if an interface gots activated, the MTU was
+always recalculated and then the user set value was overwritten.
+
+The only reason why this user set value has to be overwritten, is when the
+MTU has to be decreased because batman-adv is not able to transfer packets
+with the user specified size.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/hard-interface.c | 14 +++++++++++++-
+ net/batman-adv/soft-interface.c | 3 +++
+ net/batman-adv/types.h | 6 ++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -632,7 +632,19 @@ out:
+ */
+ void batadv_update_min_mtu(struct net_device *soft_iface)
+ {
+- dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface));
++ struct batadv_priv *bat_priv = netdev_priv(soft_iface);
++ int limit_mtu;
++ int mtu;
++
++ mtu = batadv_hardif_min_mtu(soft_iface);
++
++ if (bat_priv->mtu_set_by_user)
++ limit_mtu = bat_priv->mtu_set_by_user;
++ else
++ limit_mtu = ETH_DATA_LEN;
++
++ mtu = min(mtu, limit_mtu);
++ dev_set_mtu(soft_iface, mtu);
+
+ /* Check if the local translate table should be cleaned up to match a
+ * new (and smaller) MTU.
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -156,11 +156,14 @@ static int batadv_interface_set_mac_addr
+
+ static int batadv_interface_change_mtu(struct net_device *dev, int new_mtu)
+ {
++ struct batadv_priv *bat_priv = netdev_priv(dev);
++
+ /* check ranges */
+ if (new_mtu < 68 || new_mtu > batadv_hardif_min_mtu(dev))
+ return -EINVAL;
+
+ dev->mtu = new_mtu;
++ bat_priv->mtu_set_by_user = new_mtu;
+
+ return 0;
+ }
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1567,6 +1567,12 @@ struct batadv_priv {
+ struct net_device *soft_iface;
+
+ /**
++ * @mtu_set_by_user: MTU was set once by user
++ * protected by rtnl_lock
++ */
++ int mtu_set_by_user;
++
++ /**
+ * @bat_counters: mesh internal traffic statistic counters (see
+ * batadv_counters)
+ */
diff --git a/queue-5.10/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch b/queue-5.10/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch
new file mode 100644
index 00000000000..4f9cd60602a
--- /dev/null
+++ b/queue-5.10/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch
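Review bot: `bat_priv->mtu_set_by_user = new_mtu;` in batadv_interface_change_mtu() cannot tell a user request from the automatic path, because batadv_update_min_mtu() now calls `dev_set_mtu(soft_iface, mtu)` and dev_set_mtu() goes through the device's ndo_change_mtu, which is presumably this function. If so, an automatic reduction is latched as a user limit and the MTU can no longer grow back to ETH_DATA_LEN once the hard interface MTU recovers. Saving the field before the call and restoring it afterwards in batadv_update_min_mtu() would avoid that: `int user_mtu = bat_priv->mtu_set_by_user;` before and `bat_priv->mtu_set_by_user = user_mtu;` after `dev_set_mtu()`. The netdev_ops table is not in the hunk, so confirm the callback wiring first; the discarded return value of `dev_set_mtu()` is worth checking at the same time.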
@@ -0,0 +1,56 @@
+From 421d467dc2d483175bad4fb76a31b9e5a3d744cf Mon Sep 17 00:00:00 2001
+From: Remi Pommarel
+Date: Wed, 9 Aug 2023 17:29:13 +0200
+Subject: batman-adv: Fix batadv_v_ogm_aggr_send memory leak
+
+From: Remi Pommarel
+
+commit 421d467dc2d483175bad4fb76a31b9e5a3d744cf upstream.
+
+When batadv_v_ogm_aggr_send is called for an inactive interface, the skb
+is silently dropped by batadv_v_ogm_send_to_if() but never freed causing
+the following memory leak:
+
+ unreferenced object 0xffff00000c164800 (size 512):
+ comm "kworker/u8:1", pid 2648, jiffies 4295122303 (age 97.656s)
+ hex dump (first 32 bytes):
+ 00 80 af 09 00 00 ff ff e1 09 00 00 75 01 60 83 ............u.`.
+ 1f 00 00 00 b8 00 00 00 15 00 05 00 da e3 d3 64 ...............d
+ backtrace:
+ [<0000000007ad20f6>] __kmalloc_track_caller+0x1a8/0x310
+ [<00000000d1029e55>] kmalloc_reserve.constprop.0+0x70/0x13c
+ [<000000008b9d4183>] __alloc_skb+0xec/0x1fc
+ [<00000000c7af5051>] __netdev_alloc_skb+0x48/0x23c
+ [<00000000642ee5f5>] batadv_v_ogm_aggr_send+0x50/0x36c
+ [<0000000088660bd7>] batadv_v_ogm_aggr_work+0x24/0x40
+ [<0000000042fc2606>] process_one_work+0x3b0/0x610
+ [<000000002f2a0b1c>] worker_thread+0xa0/0x690
+ [<0000000059fae5d4>] kthread+0x1fc/0x210
+ [<000000000c587d3a>] ret_from_fork+0x10/0x20
+
+Free the skb in that case to fix this leak.
+
+Cc: stable@vger.kernel.org
+Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
+Signed-off-by: Remi Pommarel
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_v_ogm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -123,8 +123,10 @@ static void batadv_v_ogm_send_to_if(stru
+ {
+ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+
+- if (hard_iface->if_status != BATADV_IF_ACTIVE)
++ if (hard_iface->if_status != BATADV_IF_ACTIVE) {
++ kfree_skb(skb);
+ return;
++ }
+
+ batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_TX);
+ batadv_add_counter(bat_priv, BATADV_CNT_MGMT_TX_BYTES,
diff --git a/queue-5.10/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch b/queue-5.10/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch
new file mode 100644
index 00000000000..601a4849a99
--- /dev/null
+++ b/queue-5.10/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch
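Review bot: With the added `kfree_skb(skb);` on the inactive-interface path, batadv_v_ogm_send_to_if() appears to take ownership of the skb on every path, but that contract is not written down anywhere in the hunk. The function's kernel-doc should state it, for example `* The skb is consumed on all paths; callers must not touch it afterwards.`, so that a caller does not add its own free later and turn the leak fix into a double free. The rest of the function body lies outside the hunk, so the remaining paths should be checked before the sentence is added.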
@@ -0,0 +1,85 @@
+From d25ddb7e788d34cf27ff1738d11a87cb4b67d446 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel
+Date: Fri, 4 Aug 2023 11:39:36 +0200
+Subject: batman-adv: Fix TT global entry leak when client roamed back
+
+From: Remi Pommarel
+
+commit d25ddb7e788d34cf27ff1738d11a87cb4b67d446 upstream.
+
+When a client roamed back to a node before it got time to destroy the
+pending local entry (i.e. within the same originator interval) the old
+global one is directly removed from hash table and left as such.
+
+But because this entry had an extra reference taken at lookup (i.e using
+batadv_tt_global_hash_find) there is no way its memory will be reclaimed
+at any time causing the following memory leak:
+
+ unreferenced object 0xffff0000073c8000 (size 18560):
+ comm "softirq", pid 0, jiffies 4294907738 (age 228.644s)
+ hex dump (first 32 bytes):
+ 06 31 ac 12 c7 7a 05 00 01 00 00 00 00 00 00 00 .1...z..........
+ 2c ad be 08 00 80 ff ff 6c b6 be 08 00 80 ff ff ,.......l.......
+ backtrace:
+ [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300
+ [<000000000ff2fdbc>] batadv_tt_global_add+0x700/0xe20
+ [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790
+ [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110
+ [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10
+ [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0
+ [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4
+ [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0
+ [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90
+ [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74
+ [<000000000f39a009>] __netif_receive_skb+0x48/0xe0
+ [<00000000f2cd8888>] process_backlog+0x174/0x344
+ [<00000000507d6564>] __napi_poll+0x58/0x1f4
+ [<00000000b64ef9eb>] net_rx_action+0x504/0x590
+ [<00000000056fa5e4>] _stext+0x1b8/0x418
+ [<00000000878879d6>] run_ksoftirqd+0x74/0xa4
+ unreferenced object 0xffff00000bae1a80 (size 56):
+ comm "softirq", pid 0, jiffies 4294910888
(age 216.092s)
+ hex dump (first 32 bytes):
+ 00 78 b1 0b 00 00 ff ff 0d 50 00 00 00 00 00 00 .x.......P......
+ 00 00 00 00 00 00 00 00 50 c8 3c 07 00 00 ff ff ........P.<.....
+ backtrace:
+ [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300
+ [<00000000d9aaa49e>] batadv_tt_global_add+0x53c/0xe20
+ [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790
+ [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110
+ [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10
+ [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0
+ [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4
+ [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0
+ [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90
+ [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74
+ [<000000000f39a009>] __netif_receive_skb+0x48/0xe0
+ [<00000000f2cd8888>] process_backlog+0x174/0x344
+ [<00000000507d6564>] __napi_poll+0x58/0x1f4
+ [<00000000b64ef9eb>] net_rx_action+0x504/0x590
+ [<00000000056fa5e4>] _stext+0x1b8/0x418
+ [<00000000878879d6>] run_ksoftirqd+0x74/0xa4
+
+Releasing the extra reference from batadv_tt_global_hash_find even at
+roam back when batadv_tt_global_free is called fixes this memory leak.
+
+Cc: stable@vger.kernel.org
+Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign")
+Signed-off-by: Remi Pommarel
+Signed-off-by; Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/translation-table.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -775,7 +775,6 @@ check_roaming:
+ if (roamed_back) {
+ batadv_tt_global_free(bat_priv, tt_global,
+ "Roaming canceled");
+- tt_global = NULL;
+ } else {
+ /* The global entry has to be marked as ROAMING and
+ * has to be kept for consistency purpose
diff --git a/queue-5.10/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch b/queue-5.10/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch
new file mode 100644
index 00000000000..ccbf0ba4eff
--- /dev/null
+++ b/queue-5.10/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch
@@ -0,0 +1,45 @@
+From 987aae75fc1041072941ffb622b45ce2359a99b9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Mon, 21 Aug 2023 21:48:48 +0200
+Subject: batman-adv: Hold rtnl lock during MTU update via netlink
+
+From: Sven Eckelmann
+
+commit 987aae75fc1041072941ffb622b45ce2359a99b9 upstream.
+
+The automatic recalculation of the maximum allowed MTU is usually triggered
+by code sections which are already rtnl lock protected by callers outside
+of batman-adv. But when the fragmentation setting is changed via
+batman-adv's own batadv genl family, then the rtnl lock is not yet taken.
+
+But dev_set_mtu requires that the caller holds the rtnl lock because it
+uses netdevice notifiers. And this code will then fail the check for this
+lock:
+
+ RTNL: assertion failed at net/core/dev.c (1953)
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+f8812454d9b3ac00d282@syzkaller.appspotmail.com
+Fixes: c6a953cce8d0 ("batman-adv: Trigger events for auto adjusted MTU")
+Signed-off-by: Sven Eckelmann
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230821-batadv-missing-mtu-rtnl-lock-v1-1-1c5a7bfe861e@narfation.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -496,7 +496,10 @@ static int batadv_netlink_set_mesh(struc
+ attr = info->attrs[BATADV_ATTR_FRAGMENTATION_ENABLED];
+
+ atomic_set(&bat_priv->fragmentation, !!nla_get_u8(attr));
++
++ rtnl_lock();
+ batadv_update_min_mtu(bat_priv->soft_iface);
++ rtnl_unlock();
+ }
+
+ if (info->attrs[BATADV_ATTR_GW_BANDWIDTH_DOWN]) {
diff --git a/queue-5.10/batman-adv-trigger-events-for-auto-adjusted-mtu.patch b/queue-5.10/batman-adv-trigger-events-for-auto-adjusted-mtu.patch
new file mode 100644
index 00000000000..a80aef6647c
--- /dev/null
+++ b/queue-5.10/batman-adv-trigger-events-for-auto-adjusted-mtu.patch
@@ -0,0 +1,38 @@
+From c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Wed, 19 Jul 2023 09:29:29 +0200
+Subject: batman-adv: Trigger events for auto adjusted MTU
+
+From: Sven Eckelmann
+
+commit c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 upstream.
+
+If an interface changes the MTU, it is expected that an NETDEV_PRECHANGEMTU
+and NETDEV_CHANGEMTU notification events is triggered. This worked fine for
+.ndo_change_mtu based changes because core networking code took care of it.
+But for auto-adjustments after hard-interfaces changes, these events were
+simply missing.
+
+Due to this problem, non-batman-adv components weren't aware of MTU changes
+and thus couldn't perform their own tasks correctly.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/hard-interface.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -632,7 +632,7 @@ out:
+ */
+ void batadv_update_min_mtu(struct net_device *soft_iface)
+ {
+- soft_iface->mtu = batadv_hardif_min_mtu(soft_iface);
++ dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface));
+
+ /* Check if the local translate table should be cleaned up to match a
+ * new (and smaller) MTU.
diff --git a/queue-5.10/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch b/queue-5.10/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch
new file mode 100644
index 00000000000..be10831e130
--- /dev/null
+++ b/queue-5.10/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch 
@@ -0,0 +1,120 @@
+From 382d4cd1847517ffcb1800fd462b625db7b2ebea Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 25 Aug 2023 21:50:33 +0200
+Subject: lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels
+
+From: Helge Deller
+
+commit 382d4cd1847517ffcb1800fd462b625db7b2ebea upstream.
+
+The gcc compiler translates on some architectures the 64-bit
+__builtin_clzll() function to a call to the libgcc function __clzdi2(),
+which should take a 64-bit parameter on 32- and 64-bit platforms.
+
+But in the current kernel code, the built-in __clzdi2() function is
+defined to operate (wrongly) on 32-bit parameters if BITS_PER_LONG ==
+32, thus the return values on 32-bit kernels are in the range from
+[0..31] instead of the expected [0..63] range.
+
+This patch fixes the in-kernel functions __clzdi2() and __ctzdi2() to
+take a 64-bit parameter on 32-bit kernels as well, thus it makes the
+functions identical for 32- and 64-bit kernels.
+
+This bug went unnoticed since kernel 3.11 for over 10 years, and here
+are some possible reasons for that:
+
+ a) Some architectures have assembly instructions to count the bits and
+ which are used instead of calling __clzdi2(), e.g. on x86 the bsr
+ instruction and on ppc cntlz is used. On such architectures the
+ wrong __clzdi2() implementation isn't used and as such the bug has
+ no effect and won't be noticed.
+
+ b) Some architectures link to libgcc.a, and the in-kernel weak
+ functions get replaced by the correct 64-bit variants from libgcc.a.
+
+ c) __builtin_clzll() and __clzdi2() doesn't seem to be used in many
+ places in the kernel, and most likely only in uncritical functions,
+ e.g. when printing hex values via seq_put_hex_ll(). The wrong return
+ value will still print the correct number, but just in a wrong
+ formatting (e.g. with too many leading zeroes).
+
+ d) 32-bit kernels aren't used that much any longer, so they are less
+ tested.
+
+A trivial testcase to verify if the currently running 32-bit kernel is
+affected by the bug is to look at the output of /proc/self/maps:
+
+Here the kernel uses a correct implementation of __clzdi2():
+
+ root@debian:~# cat /proc/self/maps
+ 00010000-00019000 r-xp 00000000 08:05 787324 /usr/bin/cat
+ 00019000-0001a000 rwxp 00009000 08:05 787324 /usr/bin/cat
+ 0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
+ f7551000-f770d000 r-xp 00000000 08:05 794765 /usr/lib/hppa-linux-gnu/libc.so.6
+ ...
+
+and this kernel uses the broken implementation of __clzdi2():
+
+ root@debian:~# cat /proc/self/maps
+ 0000000010000-0000000019000 r-xp 00000000 000000008:000000005 787324 /usr/bin/cat
+ 0000000019000-000000001a000 rwxp 000000009000 000000008:000000005 787324 /usr/bin/cat
+ 000000001a000-000000003b000 rwxp 00000000 00:00 0 [heap]
+ 00000000f73d1000-00000000f758d000 r-xp 00000000 000000008:000000005 794765 /usr/lib/hppa-linux-gnu/libc.so.6
+ ...
+
+Signed-off-by: Helge Deller
+Fixes: 4df87bb7b6a22 ("lib: add weak clz/ctz functions")
+Cc: Chanho Min
+Cc: Geert Uytterhoeven
+Cc: stable@vger.kernel.org # v3.11+
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/clz_ctz.c | 32 ++++++--------------------------
+ 1 file changed, 6 insertions(+), 26 deletions(-)
+
+--- a/lib/clz_ctz.c
++++ b/lib/clz_ctz.c
+@@ -28,36 +28,16 @@ int __weak __clzsi2(int val)
+ }
+ EXPORT_SYMBOL(__clzsi2);
+
+-int __weak __clzdi2(long val);
+-int __weak __ctzdi2(long val);
+-#if BITS_PER_LONG == 32
+-
+-int __weak __clzdi2(long val)
++int __weak __clzdi2(u64 val);
++int __weak __clzdi2(u64 val)
+ {
+- return 32 - fls((int)val);
++ return 64 - fls64(val);
+ }
+ EXPORT_SYMBOL(__clzdi2);
+
+-int __weak __ctzdi2(long val)
++int __weak __ctzdi2(u64 val);
++int __weak __ctzdi2(u64 val)
+ {
+- return __ffs((u32)val);
++ return __ffs64(val);
+ }
+ EXPORT_SYMBOL(__ctzdi2);
+-
+-#elif BITS_PER_LONG == 64
+-
+-int __weak __clzdi2(long val)
+-{
+- return 64 - fls64((u64)val);
+-}
+-EXPORT_SYMBOL(__clzdi2);
+-
+-int __weak __ctzdi2(long val)
+-{
+- return __ffs64((u64)val);
+-}
+-EXPORT_SYMBOL(__ctzdi2);
+-
+-#else
+-#error BITS_PER_LONG not 32 or 64
+-#endif
diff --git a/queue-5.10/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch b/queue-5.10/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
new file mode 100644
index 00000000000..0a81a4d1de5
--- /dev/null
+++ b/queue-5.10/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
@@ -0,0 +1,37 @@
+From e7f2e65699e2290fd547ec12a17008764e5d9620 Mon Sep 17 00:00:00 2001
+From: Wei Chen
+Date: Thu, 10 Aug 2023 08:23:33 +0000
+Subject: media: vcodec: Fix potential array out-of-bounds in encoder queue_setup
+
+From: Wei Chen
+
+commit e7f2e65699e2290fd547ec12a17008764e5d9620 upstream.
+
+variable *nplanes is provided by user via system call argument. The
+possible value of q_data->fmt->num_planes is 1-3, while the value
+of *nplanes can be 1-8. The array access by index i can cause array
+out-of-bounds.
+
+Fix this bug by checking *nplanes against the array size.
+
+Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
+Signed-off-by: Wei Chen
+Cc: stable@vger.kernel.org
+Reviewed-by: Chen-Yu Tsai
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+@@ -729,6 +729,8 @@ static int vb2ops_venc_queue_setup(struc
+ return -EINVAL;
+
+ if (*nplanes) {
++ if (*nplanes != q_data->fmt->num_planes)
++ return -EINVAL;
+ for (i = 0; i < *nplanes; i++)
+ if (sizes[i] < q_data->sizeimage[i])
+ return -EINVAL;
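Review bot: In the mtk_vcodec_enc.c hunk, the new `if (*nplanes != q_data->fmt->num_planes)` test is the only thing bounding the index used for `sizes[i]` and `q_data->sizeimage[i]`, yet nothing in the code says that `*nplanes` is caller-controlled at this point. A short comment above the check would keep it from being relaxed later: `/* *nplanes is supplied by userspace here; reject it unless it matches the format before indexing */`. The body of vb2ops_venc_queue_setup() continues outside the hunk.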
diff --git a/queue-5.10/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch b/queue-5.10/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch
new file mode 100644
index 00000000000..768fd846960
--- /dev/null
+++ b/queue-5.10/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch
@@ -0,0 +1,55 @@
+From a50420c79731fc5cf27ad43719c1091e842a2606 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 9 Aug 2023 18:46:33 +0200
+Subject: mm: add a call to flush_cache_vmap() in vmap_pfn()
+
+From: Alexandre Ghiti
+
+commit a50420c79731fc5cf27ad43719c1091e842a2606 upstream.
+
+flush_cache_vmap() must be called after new vmalloc mappings are installed
+in the page table in order to allow architectures to make sure the new
+mapping is visible.
+
+It could lead to a panic since on some architectures (like powerpc),
+the page table walker could see the wrong pte value and trigger a
+spurious page fault that can not be resolved (see commit f1cb8f9beba8
+("powerpc/64s/radix: avoid ptesync after set_pte and
+ptep_set_access_flags")).
+
+But actually the patch is aiming at riscv: the riscv specification
+allows the caching of invalid entries in the TLB, and since we recently
+removed the vmalloc page fault handling, we now need to emit a tlb
+shootdown whenever a new vmalloc mapping is emitted
+(https://lore.kernel.org/linux-riscv/20230725132246.817726-1-alexghiti@rivosinc.com/).
+That's a temporary solution, there are ways to avoid that :)
+
+Link: https://lkml.kernel.org/r/20230809164633.1556126-1-alexghiti@rivosinc.com
+Fixes: 3e9a9e256b1e ("mm: add a vmap_pfn function")
+Reported-by: Dylan Jhong
+Closes: https://lore.kernel.org/linux-riscv/ZMytNY2J8iyjbPPy@atctrx.andestech.com/
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Palmer Dabbelt
+Acked-by: Palmer Dabbelt
+Reviewed-by: Dylan Jhong
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/vmalloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -2453,6 +2453,10 @@ void *vmap_pfn(unsigned long *pfns, unsi
+ free_vm_area(area);
+ return NULL;
+ }
++
++ flush_cache_vmap((unsigned long)area->addr,
++ (unsigned long)area->addr + count * PAGE_SIZE);
++
+ return area->addr;
+ }
+ EXPORT_SYMBOL_GPL(vmap_pfn);
diff --git a/queue-5.10/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch b/queue-5.10/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch
new file mode 100644
index 00000000000..efcf3cb82fd
--- /dev/null
+++ b/queue-5.10/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch
@@ -0,0 +1,65 @@
+From be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 8 Aug 2023 21:17:11 -0400
+Subject: NFS: Fix a use after free in nfs_direct_join_group()
+
+From: Trond Myklebust
+
+commit be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 upstream.
+
+Be more careful when tearing down the subrequests of an O_DIRECT write
+as part of a retransmission.
+
+Reported-by: Chris Mason
+Fixes: ed5d588fe47f ("NFS: Try to join page groups before an O_DIRECT retransmission")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/direct.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
+index 9a18c5a69ace..aaffaaa336cc 100644
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -472,20 +472,26 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter,
+ return result;
+ }
+
+-static void
+-nfs_direct_join_group(struct list_head *list, struct inode *inode)
++static void nfs_direct_join_group(struct list_head *list, struct inode *inode)
+ {
+- struct nfs_page *req, *next;
++ struct nfs_page *req, *subreq;
+
+ list_for_each_entry(req, list, wb_list) {
+- if (req->wb_head != req || req->wb_this_page == req)
++ if (req->wb_head != req)
+ continue;
+- for (next = req->wb_this_page;
+- next != req->wb_head;
+- next = next->wb_this_page) {
+- nfs_list_remove_request(next);
+- nfs_release_request(next);
+- }
++ subreq = req->wb_this_page;
++ if (subreq == req)
++ continue;
++ do {
++ /*
++ * Remove subrequests from this list before freeing
++ * them in the call to nfs_join_page_group().
++ */
++ if (!list_empty(&subreq->wb_list)) {
++ nfs_list_remove_request(subreq);
++ nfs_release_request(subreq);
++ }
++ } while ((subreq = subreq->wb_this_page) != req);
+ nfs_join_page_group(req, inode);
+ }
+ }
+--
+2.42.0
+
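Review bot: The loop condition `while ((subreq = subreq->wb_this_page) != req)` in nfs_direct_join_group() reads a field of `subreq` after `nfs_release_request(subreq)` may have dropped a reference to it. That is only safe if a page-group member stays allocated while the head request is still referenced, which these lines do not show. The existing comment inside the loop should state that assumption once it is confirmed against the page-group teardown code, for example by adding `* A subrequest is not freed by the release above; wb_this_page stays valid until nfs_join_page_group().`.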
diff --git a/queue-5.10/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch b/queue-5.10/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch
new file mode 100644
index 00000000000..c683413dde8
--- /dev/null
+++ b/queue-5.10/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch
@@ -0,0 +1,47 @@
+From 3b816601e279756e781e6c4d9b3f3bd21a72ac67 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington
+Date: Fri, 4 Aug 2023 10:52:20 -0400
+Subject: nfsd: Fix race to FREE_STATEID and cl_revoked
+
+From: Benjamin Coddington
+
+commit 3b816601e279756e781e6c4d9b3f3bd21a72ac67 upstream.
+
+We have some reports of linux NFS clients that cannot satisfy a linux knfsd
+server that always sets SEQ4_STATUS_RECALLABLE_STATE_REVOKED even though
+those clients repeatedly walk all their known state using TEST_STATEID and
+receive NFS4_OK for all.
+
+Its possible for revoke_delegation() to set NFS4_REVOKED_DELEG_STID, then
+nfsd4_free_stateid() finds the delegation and returns NFS4_OK to
+FREE_STATEID. Afterward, revoke_delegation() moves the same delegation to
+cl_revoked. This would produce the observed client/server effect.
+
+Fix this by ensuring that the setting of sc_type to NFS4_REVOKED_DELEG_STID
+and move to cl_revoked happens within the same cl_lock. This will allow
+nfsd4_free_stateid() to properly remove the delegation from cl_revoked.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2217103
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2176575
+Signed-off-by: Benjamin Coddington
+Cc: stable@vger.kernel.org # v4.17+
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1145,9 +1145,9 @@ static void revoke_delegation(struct nfs
+ WARN_ON(!list_empty(&dp->dl_recall_lru));
+
+ if (clp->cl_minorversion) {
++ spin_lock(&clp->cl_lock);
+ dp->dl_stid.sc_type = NFS4_REVOKED_DELEG_STID;
+ refcount_inc(&dp->dl_stid.sc_count);
+- spin_lock(&clp->cl_lock);
+ list_add(&dp->dl_recall_lru, &clp->cl_revoked);
+ spin_unlock(&clp->cl_lock);
+ }
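Review bot: The moved `spin_lock(&clp->cl_lock)` in revoke_delegation() is load-bearing but carries no comment, so a later cleanup could move the sc_type store back outside the critical section and reopen the race. I would add above it: `/* sc_type and cl_revoked membership change under one cl_lock hold; nfsd4_free_stateid() must not see a revoked stid that is not on the list yet */`. The fix also depends on nfsd4_free_stateid() inspecting sc_type under the same lock, which is outside this hunk and worth confirming in the 5.10 tree. revoke_delegation() begins above the hunk.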
diff --git a/queue-5.10/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch b/queue-5.10/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch
new file mode 100644
index 00000000000..0ea8b3c8850
--- /dev/null
+++ b/queue-5.10/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch
@@ -0,0 +1,114 @@
+From 914d9d831e6126a6e7a92e27fcfaa250671be42c Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Fri, 18 Aug 2023 15:40:57 -0500
+Subject: of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock
+
+From: Rob Herring
+
+commit 914d9d831e6126a6e7a92e27fcfaa250671be42c upstream.
+
+While originally it was fine to format strings using "%pOF" while
+holding devtree_lock, this now causes a deadlock. Lockdep reports:
+
+ of_get_parent from of_fwnode_get_parent+0x18/0x24
+ ^^^^^^^^^^^^^
+ of_fwnode_get_parent from fwnode_count_parents+0xc/0x28
+ fwnode_count_parents from fwnode_full_name_string+0x18/0xac
+ fwnode_full_name_string from device_node_string+0x1a0/0x404
+ device_node_string from pointer+0x3c0/0x534
+ pointer from vsnprintf+0x248/0x36c
+ vsnprintf from vprintk_store+0x130/0x3b4
+
+Fix this by moving the printing in __of_changeset_entry_apply() outside
+the lock. As the only difference in the multiple prints is the action
+name, use the existing "action_names" to refactor the prints into a
+single print.
+
+Fixes: a92eb7621b9fb2c2 ("lib/vsprintf: Make use of fwnode API to obtain node names and separators")
+Cc: stable@vger.kernel.org
+Reported-by: Geert Uytterhoeven
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230801-dt-changeset-fixes-v3-2-5f0410e007dd@kernel.org
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/dynamic.c | 31 +++++++++----------------------
+ 1 file changed, 9 insertions(+), 22 deletions(-)
+
+--- a/drivers/of/dynamic.c
++++ b/drivers/of/dynamic.c
+@@ -63,15 +63,14 @@ int of_reconfig_notifier_unregister(stru
+ }
+ EXPORT_SYMBOL_GPL(of_reconfig_notifier_unregister);
+
+-#ifdef DEBUG
+-const char *action_names[] = {
++static const char *action_names[] = {
++ [0] = "INVALID",
+ [OF_RECONFIG_ATTACH_NODE] = "ATTACH_NODE",
+ [OF_RECONFIG_DETACH_NODE] = "DETACH_NODE",
+ [OF_RECONFIG_ADD_PROPERTY] = "ADD_PROPERTY",
+ [OF_RECONFIG_REMOVE_PROPERTY] = "REMOVE_PROPERTY",
+ [OF_RECONFIG_UPDATE_PROPERTY] = "UPDATE_PROPERTY",
+ };
+-#endif
+
+ int of_reconfig_notify(unsigned long action, struct of_reconfig_data *p)
+ {
+@@ -589,21 +588,9 @@ static int __of_changeset_entry_apply(st
+ }
+
+ ret = __of_add_property(ce->np, ce->prop);
+- if (ret) {
+- pr_err("changeset: add_property failed @%pOF/%s\n",
+- ce->np,
+- ce->prop->name);
+- break;
+- }
+ break;
+ case OF_RECONFIG_REMOVE_PROPERTY:
+ ret = __of_remove_property(ce->np, ce->prop);
+- if (ret) {
+- pr_err("changeset: remove_property failed @%pOF/%s\n",
+- ce->np,
+- ce->prop->name);
+- break;
+- }
+ break;
+
+ case OF_RECONFIG_UPDATE_PROPERTY:
+@@ -617,20 +604,17 @@ static int __of_changeset_entry_apply(st
+ }
+
+ ret = __of_update_property(ce->np, ce->prop, &old_prop);
+- if (ret) {
+- pr_err("changeset: update_property failed @%pOF/%s\n",
+- ce->np,
+- ce->prop->name);
+- break;
+- }
+ break;
+ default:
+ ret = -EINVAL;
+ }
+ raw_spin_unlock_irqrestore(&devtree_lock, flags);
+
+- if (ret)
++ if (ret) {
++ pr_err("changeset: apply failed: %-15s %pOF:%s\n",
++ action_names[ce->action], ce->np, ce->prop->name);
+ return ret;
++ }
+
+ switch (ce->action) {
+ case OF_RECONFIG_ATTACH_NODE:
+@@ -913,6 +897,9 @@ int of_changeset_action(struct of_change
+ if (!ce)
+ return -ENOMEM;
+
++ if (WARN_ON(action >= ARRAY_SIZE(action_names)))
++ return -EINVAL;
++
+ /* get a reference to the node */
+ ce->action = action;
+ ce->np = of_node_get(np);
diff --git a/queue-5.10/radix-tree-remove-unused-variable.patch b/queue-5.10/radix-tree-remove-unused-variable.patch
new file mode 100644
index 00000000000..9ed6edac596
--- /dev/null
+++ b/queue-5.10/radix-tree-remove-unused-variable.patch
@@ -0,0 +1,42 @@
+From d59070d1076ec5114edb67c87658aeb1d691d381 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 11 Aug 2023 15:10:13 +0200
+Subject: radix tree: remove unused variable
+
+From: Arnd Bergmann
+
+commit d59070d1076ec5114edb67c87658aeb1d691d381 upstream.
+
+Recent versions of clang warn about an unused variable, though older
+versions saw the 'slot++' as a use and did not warn:
+
+radix-tree.c:1136:50: error: parameter 'slot' set but not used [-Werror,-Wunused-but-set-parameter]
+
+It's clearly not needed any more, so just remove it.
+
+Link: https://lkml.kernel.org/r/20230811131023.2226509-1-arnd@kernel.org
+Fixes: 3a08cd52c37c7 ("radix tree: Remove multiorder support")
+Signed-off-by: Arnd Bergmann
+Cc: Matthew Wilcox
+Cc: Nathan Chancellor
+Cc: Nick Desaulniers
+Cc: Peng Zhang
+Cc: Rong Tao
+Cc: Tom Rix
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/radix-tree.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/lib/radix-tree.c
++++ b/lib/radix-tree.c
+@@ -1133,7 +1133,6 @@ static void set_iter_tags(struct radix_t
+ void __rcu **radix_tree_iter_resume(void __rcu **slot,
+ struct radix_tree_iter *iter)
+ {
+- slot++;
+ iter->index = __radix_tree_iter_add(iter, 1);
+ iter->next_index = iter->index;
+ iter->tags = 0;
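Review bot: In the last hunk of the drivers/of/dynamic.c change, the new `if (WARN_ON(action >= ARRAY_SIZE(action_names))) return -EINVAL;` in of_changeset_action() sits after the `if (!ce) return -ENOMEM;` check, so an out-of-range action returns without releasing `ce`. The allocation itself is above the hunk, but the NULL check suggests `ce` was allocated just before. Either move the range check ahead of the allocation or free `ce` on this path, e.g. `if (WARN_ON(...)) { kfree(ce); return -EINVAL; }` if it came from a kmalloc-family call. Separately, the consolidated pr_err() in __of_changeset_entry_apply() reads `ce->prop->name` for every failing action, including the `default:` case, so it is worth confirming that `ce->prop` cannot be NULL there.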
diff --git a/queue-5.10/selinux-set-next-pointer-before-attaching-to-list.patch b/queue-5.10/selinux-set-next-pointer-before-attaching-to-list.patch
new file mode 100644
index 00000000000..cce1e5fdbc2
--- /dev/null
+++ b/queue-5.10/selinux-set-next-pointer-before-attaching-to-list.patch
@@ -0,0 +1,43 @@
+From 70d91dc9b2ac91327d0eefd86163abc3548effa6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Fri, 18 Aug 2023 17:33:58 +0200
+Subject: selinux: set next pointer before attaching to list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Göttsche
+
+commit 70d91dc9b2ac91327d0eefd86163abc3548effa6 upstream.
+
+Set the next pointer in filename_trans_read_helper() before attaching
+the new node under construction to the list, otherwise garbage would be
+dereferenced on subsequent failure during cleanup in the out goto label.
+
+Cc:
+Fixes: 430059024389 ("selinux: implement new format of filename transitions")
+Signed-off-by: Christian Göttsche
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/ss/policydb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -2011,6 +2011,7 @@ static int filename_trans_read_helper(st
+ if (!datum)
+ goto out;
+
++ datum->next = NULL;
+ *dst = datum;
+
+ /* ebitmap_read() will at least init the bitmap */
+@@ -2023,7 +2024,6 @@ static int filename_trans_read_helper(st
+ goto out;
+
+ datum->otype = le32_to_cpu(buf[0]);
+- datum->next = NULL;
+
+ dst = &datum->next;
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index 0d9bfc154b8..5f2b0a186f5 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
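Review bot: Placing `datum->next = NULL;` before `*dst = datum;` in filename_trans_read_helper() is an ordering requirement that the code itself does not state. Per the commit message, the cleanup at the `out` label dereferences the list, so a node has to be terminated before it becomes reachable through `*dst`. A one-line comment such as `/* terminate before linking: the out: cleanup follows ->next */` would keep a later reordering from reintroducing the stray pointer. If `datum` comes from a non-zeroing allocator (the allocation is above the hunk), a zeroing one would also leave the remaining fields in a defined state for that cleanup path. The function starts and ends outside both hunks.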
@@ -42,3 +42,17 @@ bonding-fix-macvlan-over-alb-bond-support.patch
 ibmveth-use-dcbf-rather-than-dcbfl.patch
 nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch
 clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch
+mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch
+nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch
+nfsd-fix-race-to-free_stateid-and-cl_revoked.patch
+selinux-set-next-pointer-before-attaching-to-list.patch
+batman-adv-trigger-events-for-auto-adjusted-mtu.patch
+batman-adv-don-t-increase-mtu-when-set-by-user.patch
+batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch
+batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch
+batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch
+batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch
+lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch
+radix-tree-remove-unused-variable.patch
+of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch
+media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch