From 2f9e146dd091eebe8cf6d05aa108f7112015ba0a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 24 Oct 2024 07:16:24 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...4-force-position-independent-veneers.patch | 113 +++++++++++ ...s-rx-macro-add-missing-cdc_rx_bcl_vb.patch | 39 ++++ ...ble-fifo-continue-on-error-fcont-bit.patch | 63 ++++++ ...-add-qrb4210-rb2-sndcard-compatible-.patch | 35 ++++ ...ocress-reference-leakage-for-bfqq-in.patch | 159 +++++++++++++++ ...place-fake-vla-at-end-of-vbva_mouse_.patch | 72 +++++++ ...on-t-warn-for-racy-path_noexec-check.patch | 100 ++++++++++ ...re-attributes-checks-in-mi_enum_attr.patch | 148 ++++++++++++++ ...l-sysman-add-support-for-alienware-p.patch | 35 ++++ queue-6.1/series | 11 ++ ...nit-value-use-in-udf_get_fileshortad.patch | 54 +++++ ...tor-udf_current_aext-to-handle-error.patch | 187 ++++++++++++++++++ 12 files changed, 1016 insertions(+) create mode 100644 queue-6.1/arm64-force-position-independent-veneers.patch create mode 100644 queue-6.1/asoc-codecs-lpass-rx-macro-add-missing-cdc_rx_bcl_vb.patch create mode 100644 queue-6.1/asoc-fsl_sai-enable-fifo-continue-on-error-fcont-bit.patch create mode 100644 queue-6.1/asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch create mode 100644 queue-6.1/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch create mode 100644 queue-6.1/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch create mode 100644 queue-6.1/exec-don-t-warn-for-racy-path_noexec-check.patch create mode 100644 queue-6.1/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch create mode 100644 queue-6.1/platform-x86-dell-sysman-add-support-for-alienware-p.patch create mode 100644 queue-6.1/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch create mode 100644 queue-6.1/udf-refactor-udf_current_aext-to-handle-error.patch 
diff --git a/queue-6.1/arm64-force-position-independent-veneers.patch b/queue-6.1/arm64-force-position-independent-veneers.patch
new file mode 100644
index 00000000000..39294b7defb
--- /dev/null
+++ b/queue-6.1/arm64-force-position-independent-veneers.patch
@@ -0,0 +1,113 @@ +From c4d0ca15076e8324024e7dd7cef628f8cef0bd00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 11:18:38 +0100 +Subject: arm64: Force position-independent veneers + +From: Mark Rutland + +[ Upstream commit 9abe390e689f4f5c23c5f507754f8678431b4f72 ] + +Certain portions of code always need to be position-independent +regardless of CONFIG_RELOCATABLE, including code which is executed in an +idmap or which is executed before relocations are applied. In some +kernel configurations the LLD linker generates position-dependent +veneers for such code, and when executed these result in early boot-time +failures. + +Marc Zyngier encountered a boot failure resulting from this when +building a (particularly cursed) configuration with LLVM, as he reported +to the list: + + https://lore.kernel.org/linux-arm-kernel/86wmjwvatn.wl-maz@kernel.org/ + +In Marc's kernel configuration, the .head.text and .rodata.text sections +end up more than 128MiB apart, requiring a veneer to branch between the +two: + +| [mark@lakrids:~/src/linux]% usekorg 14.1.0 aarch64-linux-objdump -t vmlinux | grep -w _text +| ffff800080000000 g .head.text 0000000000000000 _text +| [mark@lakrids:~/src/linux]% usekorg 14.1.0 aarch64-linux-objdump -t vmlinux | grep -w primary_entry +| ffff8000889df0e0 g .rodata.text 000000000000006c primary_entry, + +... consequently, LLD inserts a position-dependent veneer for the branch +from _stext (in .head.text) to primary_entry (in .rodata.text): + +| ffff800080000000 <_text>: +| ffff800080000000: fa405a4d ccmp x18, #0x0, #0xd, pl // pl = nfrst +| ffff800080000004: 14003fff b ffff800080010000 <__AArch64AbsLongThunk_primary_entry> +... +| ffff800080010000 <__AArch64AbsLongThunk_primary_entry>: +| ffff800080010000: 58000050 ldr x16, ffff800080010008 <__AArch64AbsLongThunk_primary_entry+0x8> +| ffff800080010004: d61f0200 br x16 +| ffff800080010008: 889df0e0 .word 0x889df0e0 +| ffff80008001000c: ffff8000 .word 0xffff8000 + +... 
and as this is executed early in boot before the kernel is mapped in +TTBR1 this results in a silent boot failure. + +Fix this by passing '--pic-veneer' to the linker, which will cause the +linker to use position-independent veneers, e.g. + +| ffff800080000000 <_text>: +| ffff800080000000: fa405a4d ccmp x18, #0x0, #0xd, pl // pl = nfrst +| ffff800080000004: 14003fff b ffff800080010000 <__AArch64ADRPThunk_primary_entry> +... +| ffff800080010000 <__AArch64ADRPThunk_primary_entry>: +| ffff800080010000: f004e3f0 adrp x16, ffff800089c8f000 <__idmap_text_start> +| ffff800080010004: 91038210 add x16, x16, #0xe0 +| ffff800080010008: d61f0200 br x16 + +I've opted to pass '--pic-veneer' unconditionally, as: + +* In addition to solving the boot failure, these sequences are generally + nicer as they require fewer instructions and don't need to perform + data accesses. + +* While the position-independent veneer sequences have a limited +/-2GiB + range, this is not a new restriction. Even kernels built with + CONFIG_RELOCATABLE=n are limited to 2GiB in size as we have several + structues using 32-bit relative offsets and PPREL32 relocations, which + are similarly limited to +/-2GiB in range. These include extable + entries, jump table entries, and alt_instr entries. + +* GNU LD defaults to using position-independent veneers, and supports + the same '--pic-veneer' option, so this change is not expected to + adversely affect GNU LD. 
+ +I've tested with GNU LD 2.30 to 2.42 inclusive and LLVM 13.0.1 to 19.1.0 +inclusive, using the kernel.org binaries from: + +* https://mirrors.edge.kernel.org/pub/tools/crosstool/ +* https://mirrors.edge.kernel.org/pub/tools/llvm/ + +Signed-off-by: Mark Rutland +Reported-by: Marc Zyngier +Cc: Ard Biesheuvel +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Will Deacon +Acked-by: Ard Biesheuvel +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20240927101838.3061054-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index c9496539c3351..85a30ebae19ff 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -10,7 +10,7 @@ + # + # Copyright (C) 1995-2001 by Russell King + +-LDFLAGS_vmlinux :=--no-undefined -X ++LDFLAGS_vmlinux :=--no-undefined -X --pic-veneer + + ifeq ($(CONFIG_RELOCATABLE), y) + # Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour +-- +2.43.0 + diff --git a/queue-6.1/asoc-codecs-lpass-rx-macro-add-missing-cdc_rx_bcl_vb.patch b/queue-6.1/asoc-codecs-lpass-rx-macro-add-missing-cdc_rx_bcl_vb.patch new file mode 100644 index 00000000000..5e991b4be41 --- /dev/null +++ b/queue-6.1/asoc-codecs-lpass-rx-macro-add-missing-cdc_rx_bcl_vb.patch 
@@ -0,0 +1,39 @@
+From 7425f5a25303e88318d59bd256a7d15b5846a653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Sep 2024 05:38:23 +0100
+Subject: ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to
+ default regs values
+
+From: Alexey Klimov
+
+[ Upstream commit e249786b2188107a7c50e7174d35f955a60988a1 ]
+
+CDC_RX_BCL_VBAT_RF_PROC1 is listed twice and its default value
+is 0x2a which is overwriten by its next occurence in rx_defaults[].
+The second one should be missing CDC_RX_BCL_VBAT_RF_PROC2 instead
+and its default value is expected 0x0.
+
+Signed-off-by: Alexey Klimov
+Link: https://patch.msgid.link/20240925043823.520218-2-alexey.klimov@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/lpass-rx-macro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/lpass-rx-macro.c b/sound/soc/codecs/lpass-rx-macro.c
+index 1639f3b66facb..aa45c472994e3 100644
+--- a/sound/soc/codecs/lpass-rx-macro.c
++++ b/sound/soc/codecs/lpass-rx-macro.c
+@@ -909,7 +909,7 @@ static const struct reg_default rx_defaults[] = {
+ { CDC_RX_BCL_VBAT_PK_EST2, 0x01 },
+ { CDC_RX_BCL_VBAT_PK_EST3, 0x40 },
+ { CDC_RX_BCL_VBAT_RF_PROC1, 0x2A },
+- { CDC_RX_BCL_VBAT_RF_PROC1, 0x00 },
++ { CDC_RX_BCL_VBAT_RF_PROC2, 0x00 },
+ { CDC_RX_BCL_VBAT_TAC1, 0x00 },
+ { CDC_RX_BCL_VBAT_TAC2, 0x18 },
+ { CDC_RX_BCL_VBAT_TAC3, 0x18 },
+--
+2.43.0
+
diff --git a/queue-6.1/asoc-fsl_sai-enable-fifo-continue-on-error-fcont-bit.patch b/queue-6.1/asoc-fsl_sai-enable-fifo-continue-on-error-fcont-bit.patch
new file mode 100644
index 00000000000..f17e2b3e395
--- /dev/null
+++ b/queue-6.1/asoc-fsl_sai-enable-fifo-continue-on-error-fcont-bit.patch
@@ -0,0 +1,63 @@ +From 1e95425206c171075a03360cc6b18db50c0319e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 14:08:28 +0800 +Subject: ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit + +From: Shengjiu Wang + +[ Upstream commit 72455e33173c1a00c0ce93d2b0198eb45d5f4195 ] + +FCONT=1 means On FIFO error, the SAI will continue from the +same word that caused the FIFO error to set after the FIFO +warning flag has been cleared. + +Set FCONT bit in control register to avoid the channel swap +issue after SAI xrun. + +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/1727676508-22830-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 5 ++++- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index cf1cd0460ad98..4b155e49cbfc5 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -604,6 +604,9 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream, + + val_cr4 |= FSL_SAI_CR4_FRSZ(slots); + ++ /* Set to avoid channel swap */ ++ val_cr4 |= FSL_SAI_CR4_FCONT; ++ + /* Set to output mode to avoid tri-stated data pins */ + if (tx) + val_cr4 |= FSL_SAI_CR4_CHMOD; +@@ -690,7 +693,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream, + + regmap_update_bits(sai->regmap, FSL_SAI_xCR4(tx, ofs), + FSL_SAI_CR4_SYWD_MASK | FSL_SAI_CR4_FRSZ_MASK | +- FSL_SAI_CR4_CHMOD_MASK, ++ FSL_SAI_CR4_CHMOD_MASK | FSL_SAI_CR4_FCONT_MASK, + val_cr4); + regmap_update_bits(sai->regmap, FSL_SAI_xCR5(tx, ofs), + FSL_SAI_CR5_WNW_MASK | FSL_SAI_CR5_W0W_MASK | +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index b4d616a44023c..e2799f39a81ed 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -137,6 +137,7 @@ + + /* SAI Transmit and Receive Configuration 4 Register */ + ++#define FSL_SAI_CR4_FCONT_MASK BIT(28) + 
#define FSL_SAI_CR4_FCONT BIT(28) + #define FSL_SAI_CR4_FCOMB_SHIFT BIT(26) + #define FSL_SAI_CR4_FCOMB_SOFT BIT(27) +-- +2.43.0 + diff --git a/queue-6.1/asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch b/queue-6.1/asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch new file mode 100644 index 00000000000..e2b307690f8 --- /dev/null +++ b/queue-6.1/asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch @@ -0,0 +1,35 @@ +From d7ebbe1845f285663c231dd0f4abaa3f04b3f2de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 03:20:10 +0100 +Subject: ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string + +From: Alexey Klimov + +[ Upstream commit b97bc0656a66f89f78098d4d72dc04fa9518ab11 ] + +Add "qcom,qrb4210-rb2-sndcard" to the list of recognizable +devices. + +Signed-off-by: Alexey Klimov +Link: https://patch.msgid.link/20241002022015.867031-3-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/sm8250.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/qcom/sm8250.c b/sound/soc/qcom/sm8250.c +index 9626a9ef78c23..41be09a07ca71 100644 +--- a/sound/soc/qcom/sm8250.c ++++ b/sound/soc/qcom/sm8250.c +@@ -153,6 +153,7 @@ static int sm8250_platform_probe(struct platform_device *pdev) + + static const struct of_device_id snd_sm8250_dt_match[] = { + {.compatible = "qcom,sm8250-sndcard"}, ++ {.compatible = "qcom,qrb4210-rb2-sndcard"}, + {.compatible = "qcom,qrb5165-rb5-sndcard"}, + {} + }; +-- +2.43.0 + diff --git a/queue-6.1/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch b/queue-6.1/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch new file mode 100644 index 00000000000..bdf179b827c --- /dev/null +++ b/queue-6.1/block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch 
@@ -0,0 +1,159 @@ +From 8a3bb5b587e5fea6226176d39c4441bd8733cd60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2024 11:39:50 +0800 +Subject: block, bfq: fix procress reference leakage for bfqq in merge chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] + +Original state: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \--------------\ \-------------\ \-------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 1 2 4 + +After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge +chain in bfq_setup_cooperator()"), if P1 issues a new IO: + +Without the patch: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \------------------------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 0 2 4 + +bfqq3 will be used to handle IO from P1, this is not expected, IO +should be redirected to bfqq4; + +With the patch: + + ------------------------------------------- + | | + Process 1 Process 2 Process 3 | Process 4 + (BIC1) (BIC2) (BIC3) | (BIC4) + | | | | + \-------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + ref 0 0 2 4 + +IO is redirected to bfqq4, however, procress reference of bfqq3 is still +2, while there is only P2 using it. + +Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge +chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify +code. 
+ +Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 37 +++++++++++++++++-------------------- + 1 file changed, 17 insertions(+), 20 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index bfce6343a5777..8e797782cfe33 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -3117,10 +3117,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq) + bfq_put_queue(bfqq); + } + +-static void +-bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, +- struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) ++static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd, ++ struct bfq_io_cq *bic, ++ struct bfq_queue *bfqq) + { ++ struct bfq_queue *new_bfqq = bfqq->new_bfqq; ++ + bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu", + (unsigned long)new_bfqq->pid); + /* Save weight raising and idle window of the merged queues */ +@@ -3214,6 +3216,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, + bfq_reassign_last_bfqq(bfqq, new_bfqq); + + bfq_release_process_ref(bfqd, bfqq); ++ ++ return new_bfqq; + } + + static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, +@@ -3249,14 +3253,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, + * fulfilled, i.e., bic can be redirected to new_bfqq + * and bfqq can be put. + */ +- bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq, +- new_bfqq); +- /* +- * If we get here, bio will be queued into new_queue, +- * so use new_bfqq to decide whether bio and rq can be +- * merged. 
+- */ +- bfqq = new_bfqq; ++ while (bfqq != new_bfqq) ++ bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq); + + /* + * Change also bqfd->bio_bfqq, as +@@ -5616,9 +5614,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq, + * state before killing it. + */ + bfqq->bic = bic; +- bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq); +- +- return new_bfqq; ++ return bfq_merge_bfqqs(bfqd, bic, bfqq); + } + + /* +@@ -6066,6 +6062,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) + bool waiting, idle_timer_disabled = false; + + if (new_bfqq) { ++ struct bfq_queue *old_bfqq = bfqq; + /* + * Release the request's reference to the old bfqq + * and make sure one is taken to the shared queue. +@@ -6081,18 +6078,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) + * then complete the merge and redirect it to + * new_bfqq. + */ +- if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) +- bfq_merge_bfqqs(bfqd, RQ_BIC(rq), +- bfqq, new_bfqq); ++ if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) { ++ while (bfqq != new_bfqq) ++ bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq); ++ } + +- bfq_clear_bfqq_just_created(bfqq); ++ bfq_clear_bfqq_just_created(old_bfqq); + /* + * rq is about to be enqueued into new_bfqq, + * release rq reference on bfqq + */ +- bfq_put_queue(bfqq); ++ bfq_put_queue(old_bfqq); + rq->elv.priv[1] = new_bfqq; +- bfqq = new_bfqq; + } + + bfq_update_io_thinktime(bfqd, bfqq); +-- +2.43.0 + diff --git a/queue-6.1/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch b/queue-6.1/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch new file mode 100644 index 00000000000..aa5b031e400 --- /dev/null +++ b/queue-6.1/drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch 
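Review bot: In the `__bfq_insert_request` hunk, `bfqq` is now advanced to `new_bfqq` only inside the `bic_to_bfqq(RQ_BIC(rq), 1) == bfqq` branch, because the unconditional `bfqq = new_bfqq;` after `rq->elv.priv[1] = new_bfqq;` was removed. When that condition is false, the following `bfq_update_io_thinktime(bfqd, bfqq)` still receives the old queue right after `bfq_put_queue(old_bfqq)` dropped the request's reference to it. Whether that can be the last reference is not visible here, so it should either be ruled out in a comment or avoided by keeping `bfqq = new_bfqq;` at the end of the `if (new_bfqq)` block. The new `while (bfqq != new_bfqq)` loops also depend on `new_bfqq` being reachable through `bfqq->new_bfqq`, which `bfq_merge_bfqqs` dereferences without a NULL check; a one-line comment stating that invariant would help. The function bodies continue outside the hunks.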
@@ -0,0 +1,72 @@ +From bd1117ada344442988f4b01925fb7c8d3437c29b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 12:45:23 +0200 +Subject: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape + with real VLA + +From: Hans de Goede + +[ Upstream commit d92b90f9a54d9300a6e883258e79f36dab53bfae ] + +Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with +a real VLA to fix a "memcpy: detected field-spanning write error" warning: + +[ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) +[ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] +[ 13.320038] Call Trace: +[ 13.320173] hgsmi_update_pointer_shape [vboxvideo] +[ 13.320184] vbox_cursor_atomic_update [vboxvideo] + +Note as mentioned in the added comment it seems the original length +calculation for the allocated and send hgsmi buffer is 4 bytes too large. +Changing this is not the goal of this patch, so this behavior is kept. 
+ +Signed-off-by: Hans de Goede +Reviewed-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20240827104523.17442-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +++++++++- + drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +--- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vboxvideo/hgsmi_base.c b/drivers/gpu/drm/vboxvideo/hgsmi_base.c +index 8c041d7ce4f1b..87dccaecc3e57 100644 +--- a/drivers/gpu/drm/vboxvideo/hgsmi_base.c ++++ b/drivers/gpu/drm/vboxvideo/hgsmi_base.c +@@ -139,7 +139,15 @@ int hgsmi_update_pointer_shape(struct gen_pool *ctx, u32 flags, + flags |= VBOX_MOUSE_POINTER_VISIBLE; + } + +- p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len, HGSMI_CH_VBVA, ++ /* ++ * The 4 extra bytes come from switching struct vbva_mouse_pointer_shape ++ * from having a 4 bytes fixed array at the end to using a proper VLA ++ * at the end. These 4 extra bytes were not subtracted from sizeof(*p) ++ * before the switch to the VLA, so this way the behavior is unchanged. ++ * Chances are these 4 extra bytes are not necessary but they are kept ++ * to avoid regressions. ++ */ ++ p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len + 4, HGSMI_CH_VBVA, + VBVA_MOUSE_POINTER_SHAPE); + if (!p) + return -ENOMEM; +diff --git a/drivers/gpu/drm/vboxvideo/vboxvideo.h b/drivers/gpu/drm/vboxvideo/vboxvideo.h +index f60d82504da02..79ec8481de0e4 100644 +--- a/drivers/gpu/drm/vboxvideo/vboxvideo.h ++++ b/drivers/gpu/drm/vboxvideo/vboxvideo.h +@@ -351,10 +351,8 @@ struct vbva_mouse_pointer_shape { + * Bytes in the gap between the AND and the XOR mask are undefined. + * XOR mask scanlines have no gap between them and size of XOR mask is: + * xor_len = width * 4 * height. +- * +- * Preallocate 4 bytes for accessing actual data as p->data. + */ +- u8 data[4]; ++ u8 data[]; + } __packed; + + /* pointer is visible */ +-- +2.43.0 + 
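Review bot: The allocation size in `hgsmi_update_pointer_shape` is still open-coded as `sizeof(*p) + pixel_len + 4`, even though `data` is now a real flexible array member. The kernel's helpers would express it as `struct_size(p, data, size_add(pixel_len, 4))`, which saturates instead of wrapping. How `pixel_len` is bounded is not visible in this hunk, so if it is derived from caller-supplied cursor dimensions, an upper limit should be confirmed before this sum. The function body starts and ends outside the hunk.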
diff --git a/queue-6.1/exec-don-t-warn-for-racy-path_noexec-check.patch b/queue-6.1/exec-don-t-warn-for-racy-path_noexec-check.patch
new file mode 100644
index 00000000000..9e126d0d865
--- /dev/null
+++ b/queue-6.1/exec-don-t-warn-for-racy-path_noexec-check.patch
@@ -0,0 +1,100 @@ +From cd6668a0a2be7cafc4417e5f1146f66fd657f6f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 15:45:25 -0300 +Subject: exec: don't WARN for racy path_noexec check + +From: Mateusz Guzik + +[ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ] + +Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact +of the previous implementation. They used to legitimately check for the +condition, but that got moved up in two commits: +633fb6ac3980 ("exec: move S_ISREG() check earlier") +0fd338b2d2cd ("exec: move path_noexec() check earlier") + +Instead of being removed said checks are WARN_ON'ed instead, which +has some debug value. + +However, the spurious path_noexec check is racy, resulting in +unwarranted warnings should someone race with setting the noexec flag. + +One can note there is more to perm-checking whether execve is allowed +and none of the conditions are guaranteed to still hold after they were +tested for. + +Additionally this does not validate whether the code path did any perm +checking to begin with -- it will pass if the inode happens to be +regular. + +Keep the redundant path_noexec() check even though it's mindless +nonsense checking for guarantee that isn't given so drop the WARN. + +Reword the commentary and do small tidy ups while here. 
+ +Signed-off-by: Mateusz Guzik +Link: https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com +[brauner: keep redundant path_noexec() check] +Signed-off-by: Christian Brauner +[cascardo: keep exit label and use it] +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Sasha Levin +--- + fs/exec.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/fs/exec.c b/fs/exec.c +index 65d3ebc24fd34..a42c9b8b070d7 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -141,13 +141,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) + goto out; + + /* +- * may_open() has already checked for this, so it should be +- * impossible to trip now. But we need to be extra cautious +- * and check again at the very end too. ++ * Check do_open_execat() for an explanation. + */ + error = -EACCES; +- if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || +- path_noexec(&file->f_path))) ++ if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || ++ path_noexec(&file->f_path)) + goto exit; + + fsnotify_open(file); +@@ -927,16 +925,16 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) + + file = do_filp_open(fd, name, &open_exec_flags); + if (IS_ERR(file)) +- goto out; ++ return file; + + /* +- * may_open() has already checked for this, so it should be +- * impossible to trip now. But we need to be extra cautious +- * and check again at the very end too. ++ * In the past the regular type check was here. It moved to may_open() in ++ * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is ++ * an invariant that all non-regular files error out before we get here. 
+ */ + err = -EACCES; +- if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || +- path_noexec(&file->f_path))) ++ if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || ++ path_noexec(&file->f_path)) + goto exit; + + err = deny_write_access(file); +@@ -946,7 +944,6 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) + if (name->name[0] != '\0') + fsnotify_open(file); + +-out: + return file; + + exit: +-- +2.43.0 + diff --git a/queue-6.1/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch b/queue-6.1/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch new file mode 100644 index 00000000000..2e230a01fd6 --- /dev/null +++ b/queue-6.1/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch 
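Review bot: The rewritten comment in `do_open_execat` documents only the `S_ISREG()` invariant, while the `path_noexec()` test that now sits outside `WARN_ON_ONCE()` has no explanation at the call site; the reasoning exists only in the commit message. I would extend the comment with something like `path_noexec() is re-checked without a WARN because the noexec flag can be set concurrently; the earlier check is not a guarantee.` so that a later cleanup neither folds it back into the WARN nor drops it. `uselib` refers readers to this comment (`Check do_open_execat() for an explanation.`), so it should cover both halves of the condition. Both function bodies extend beyond the hunks.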
@@ -0,0 +1,148 @@ +From 2679c3a8717bd87dbd3c7ed5ca474c55c49fc1c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 16:53:50 +0800 +Subject: fs/ntfs3: Add more attributes checks in mi_enum_attr() + +From: Konstantin Komarov + +[ Upstream commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 ] + +Signed-off-by: Konstantin Komarov +CVE: CVE-2023-45896 +Signed-off-by: Xiangyu Chen +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 67 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 54 insertions(+), 13 deletions(-) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index 1351fb02e1401..7ab4527105729 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -193,8 +193,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + { + const struct MFT_REC *rec = mi->mrec; + u32 used = le32_to_cpu(rec->used); +- u32 t32, off, asize; ++ u32 t32, off, asize, prev_type; + u16 t16; ++ u64 data_size, alloc_size, tot_size; + + if (!attr) { + u32 total = le32_to_cpu(rec->total); +@@ -213,6 +214,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + if (!is_rec_inuse(rec)) + return NULL; + ++ prev_type = 0; + attr = Add2Ptr(rec, off); + } else { + /* Check if input attr inside record. */ +@@ -226,6 +228,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return NULL; + } + ++ /* Overflow check. */ ++ if (off + asize < off) ++ return NULL; ++ ++ prev_type = le32_to_cpu(attr->type); + attr = Add2Ptr(attr, asize); + off += asize; + } +@@ -245,7 +252,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + + /* 0x100 is last known attribute for now. */ + t32 = le32_to_cpu(attr->type); +- if ((t32 & 0xf) || (t32 > 0x100)) ++ if (!t32 || (t32 & 0xf) || (t32 > 0x100)) ++ return NULL; ++ ++ /* attributes in record must be ordered by type */ ++ if (t32 < prev_type) + return NULL; + + /* Check overflow and boundary. 
*/ +@@ -254,16 +265,15 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + + /* Check size of attribute. */ + if (!attr->non_res) { ++ /* Check resident fields. */ + if (asize < SIZEOF_RESIDENT) + return NULL; + + t16 = le16_to_cpu(attr->res.data_off); +- + if (t16 > asize) + return NULL; + +- t32 = le32_to_cpu(attr->res.data_size); +- if (t16 + t32 > asize) ++ if (t16 + le32_to_cpu(attr->res.data_size) > asize) + return NULL; + + if (attr->name_len && +@@ -274,21 +284,52 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return attr; + } + +- /* Check some nonresident fields. */ +- if (attr->name_len && +- le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > +- le16_to_cpu(attr->nres.run_off)) { ++ /* Check nonresident fields. */ ++ if (attr->non_res != 1) + return NULL; +- } + +- if (attr->nres.svcn || !is_attr_ext(attr)) { ++ t16 = le16_to_cpu(attr->nres.run_off); ++ if (t16 > asize) ++ return NULL; ++ ++ t32 = sizeof(short) * attr->name_len; ++ if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) ++ return NULL; ++ ++ /* Check start/end vcn. 
*/ ++ if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) ++ return NULL; ++ ++ data_size = le64_to_cpu(attr->nres.data_size); ++ if (le64_to_cpu(attr->nres.valid_size) > data_size) ++ return NULL; ++ ++ alloc_size = le64_to_cpu(attr->nres.alloc_size); ++ if (data_size > alloc_size) ++ return NULL; ++ ++ t32 = mi->sbi->cluster_mask; ++ if (alloc_size & t32) ++ return NULL; ++ ++ if (!attr->nres.svcn && is_attr_ext(attr)) { ++ /* First segment of sparse/compressed attribute */ ++ if (asize + 8 < SIZEOF_NONRESIDENT_EX) ++ return NULL; ++ ++ tot_size = le64_to_cpu(attr->nres.total_size); ++ if (tot_size & t32) ++ return NULL; ++ ++ if (tot_size > alloc_size) ++ return NULL; ++ } else { + if (asize + 8 < SIZEOF_NONRESIDENT) + return NULL; + + if (attr->nres.c_unit) + return NULL; +- } else if (asize + 8 < SIZEOF_NONRESIDENT_EX) +- return NULL; ++ } + + return attr; + } +-- +2.43.0 + diff --git a/queue-6.1/platform-x86-dell-sysman-add-support-for-alienware-p.patch b/queue-6.1/platform-x86-dell-sysman-add-support-for-alienware-p.patch new file mode 100644 index 00000000000..b2a71d85cf4 --- /dev/null +++ b/queue-6.1/platform-x86-dell-sysman-add-support-for-alienware-p.patch 
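Review bot: The resident-attribute bound `if (t16 + le32_to_cpu(attr->res.data_size) > asize)` adds a `u16` offset to a 32-bit on-disk length, so the sum is computed in 32 bits and can wrap for a very large `data_size`, letting the comparison pass. Since `t16 > asize` is rejected on the line before, the check can be written without an addition as `if (le32_to_cpu(attr->res.data_size) > asize - t16)`. In the non-resident path the `nres.svcn`, `evcn`, `data_size`, `valid_size` and `alloc_size` fields are read before the `asize + 8 < SIZEOF_NONRESIDENT` test, so a short `asize` appears to be rejected only after those reads; whether an earlier bound covers this is not visible in the hunks. The body of `mi_enum_attr` starts and ends outside them.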
@@ -0,0 +1,35 @@
+From 577e198b1217e959476900a20ae9c5477640e93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Oct 2024 23:27:58 +0800
+Subject: platform/x86: dell-sysman: add support for alienware products
+
+From: Crag Wang
+
+[ Upstream commit a561509b4187a8908eb7fbb2d1bf35bbc20ec74b ]
+
+Alienware supports firmware-attributes and has its own OEM string.
+
+Signed-off-by: Crag Wang
+Link: https://lore.kernel.org/r/20241004152826.93992-1-crag_wang@dell.com
+Reviewed-by: Hans de Goede
+Signed-off-by: Hans de Goede
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index b2406a595be9a..3ef90211c51a6 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -524,6 +524,7 @@ static int __init sysman_init(void)
+ int ret = 0;
+
+ if (!dmi_find_device(DMI_DEV_TYPE_OEM_STRING, "Dell System", NULL) &&
++ !dmi_find_device(DMI_DEV_TYPE_OEM_STRING, "Alienware", NULL) &&
+ !dmi_find_device(DMI_DEV_TYPE_OEM_STRING, "www.dell.com", NULL)) {
+ pr_err("Unable to run on non-Dell system\n");
+ return -ENODEV;
+--
+2.43.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 55439245db6..9a128d62bcd 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -68,3 +68,14 @@ usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch tty-serial-make-dcd_change-uart_handle_dcd_change-st.patch serial-make-uart_handle_cts_change-status-param-bool.patch serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch +block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch +exec-don-t-warn-for-racy-path_noexec-check.patch +fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch +drm-vboxvideo-replace-fake-vla-at-end-of-vbva_mouse_.patch +asoc-codecs-lpass-rx-macro-add-missing-cdc_rx_bcl_vb.patch +asoc-fsl_sai-enable-fifo-continue-on-error-fcont-bit.patch +arm64-force-position-independent-veneers.patch +udf-refactor-udf_current_aext-to-handle-error.patch +udf-fix-uninit-value-use-in-udf_get_fileshortad.patch +asoc-qcom-sm8250-add-qrb4210-rb2-sndcard-compatible-.patch +platform-x86-dell-sysman-add-support-for-alienware-p.patch diff --git a/queue-6.1/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-6.1/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch new file mode 100644 index 00000000000..b7ba836d6e4 --- /dev/null +++ b/queue-6.1/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch 
@@ -0,0 +1,54 @@
+From 532ba98db977978ef64bc3a2e352f652763fd7e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Sep 2024 09:46:15 +0200
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+
+From: Gianfranco Trad
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara
+Signed-off-by: Gianfranco Trad
+Signed-off-by: Jan Kara
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Signed-off-by: Sasha Levin
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index fac28caca356a..d7d6ccd0af064 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2107,12 +2107,15 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
+ alen = udf_file_entry_alloc_offset(inode) +
+ iinfo->i_lenAlloc;
+ } else {
++ struct allocExtDesc *header =
++ (struct allocExtDesc *)epos->bh->b_data;
++
+ if (!epos->offset)
+ epos->offset = sizeof(struct allocExtDesc);
+ ptr = epos->bh->b_data + epos->offset;
+- alen = sizeof(struct allocExtDesc) +
+- le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+- lengthAllocDescs);
++ if (check_add_overflow(sizeof(struct allocExtDesc),
++ le32_to_cpu(header->lengthAllocDescs), &alen))
++ return -1;
+ }
+
+ switch (iinfo->i_alloc_type) {
+--
+2.43.0
+
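Review bot: The added `check_add_overflow()` in the `else` branch only rejects a `lengthAllocDescs` whose sum with `sizeof(struct allocExtDesc)` does not fit in `alen`; a value read from the on-disk descriptor that fits but is larger than the buffer behind `epos->bh->b_data` is still accepted as the limit handed to the descriptor parsers. Unless that field is validated against the block size somewhere outside this hunk, a bound such as `if (alen > epos->bh->b_size) return -EINVAL;` right after the overflow check would cover the remaining out-of-bounds read on a crafted image. The bare `return -1;` is also at odds with the refactored contract of udf_current_aext() ("-errno on error"), so `return -EINVAL;` would be more consistent. udf_current_aext() starts and ends outside the hunk.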
diff --git a/queue-6.1/udf-refactor-udf_current_aext-to-handle-error.patch b/queue-6.1/udf-refactor-udf_current_aext-to-handle-error.patch
new file mode 100644
index 00000000000..d91f8cc291b
--- /dev/null
+++ b/queue-6.1/udf-refactor-udf_current_aext-to-handle-error.patch
@@ -0,0 +1,187 @@
+From 7fd3099e2a4df1272f8a0282c064c9817ec316fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Oct 2024 19:54:23 +0800
+Subject: udf: refactor udf_current_aext() to handle error
+
+From: Zhao Mengmeng
+
+[ Upstream commit ee703a7068f95764cfb62b57db1d36e465cb9b26 ]
+
+As Jan suggested in links below, refactor udf_current_aext() to
+differentiate between error, hit EOF and success, it now takes pointer to
+etype to store the extent type, return 1 when getting etype success,
+return 0 when hitting EOF and return -errno when err.
+
+Link: https://lore.kernel.org/all/20240912111235.6nr3wuqvktecy3vh@quack3/
+Signed-off-by: Zhao Mengmeng
+Suggested-by: Jan Kara
+Signed-off-by: Jan Kara
+Link: https://patch.msgid.link/20241001115425.266556-2-zhaomzhao@126.com
+Signed-off-by: Sasha Levin
+---
+ fs/udf/inode.c | 40 ++++++++++++++++++++++++++--------------
+ fs/udf/truncate.c | 10 ++++++++--
+ fs/udf/udfdecl.h | 5 +++--
+ 3 files changed, 37 insertions(+), 18 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 77471e33ccf75..fac28caca356a 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1838,6 +1838,7 @@ int udf_setup_indirect_aext(struct inode *inode, udf_pblk_t block,
+ struct extent_position nepos;
+ struct kernel_lb_addr neloc;
+ int ver, adsize;
++ int err = 0;
+
+ if (UDF_I(inode)->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
+ adsize = sizeof(struct short_ad);
+@@ -1882,10 +1883,12 @@ int udf_setup_indirect_aext(struct inode *inode, udf_pblk_t block,
+ if (epos->offset + adsize > sb->s_blocksize) {
+ struct kernel_lb_addr cp_loc;
+ uint32_t cp_len;
+- int cp_type;
++ int8_t cp_type;
+
+ epos->offset -= adsize;
+- cp_type = udf_current_aext(inode, epos, &cp_loc, &cp_len, 0);
++ err = udf_current_aext(inode, epos, &cp_loc, &cp_len, &cp_type, 0);
++ if (err <= 0)
++ goto err_out;
+ cp_len |= ((uint32_t)cp_type) << 30;
+
+ __udf_add_aext(inode, &nepos, &cp_loc, cp_len, 1);
+@@ -1900,6 +1903,9 @@ int udf_setup_indirect_aext(struct inode *inode, udf_pblk_t block,
+ *epos = nepos;
+
+ return 0;
++err_out:
++ brelse(bh);
++ return err;
+ }
+
+ /*
+@@ -2050,9 +2056,12 @@ int8_t udf_next_aext(struct inode *inode, struct extent_position *epos,
+ {
+ int8_t etype;
+ unsigned int indirections = 0;
++ int ret = 0;
+
+- while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) ==
+- (EXT_NEXT_EXTENT_ALLOCDESCS >> 30)) {
++ while ((ret = udf_current_aext(inode, epos, eloc, elen,
++ &etype, inc)) > 0) {
++ if (etype != (EXT_NEXT_EXTENT_ALLOCDESCS >> 30))
++ break;
+ udf_pblk_t block;
+
+ if (++indirections > UDF_MAX_INDIR_EXTS) {
+@@ -2073,14 +2082,17 @@ int8_t udf_next_aext(struct inode *inode, struct extent_position *epos,
+ }
+ }
+
+- return etype;
++ return ret > 0 ? etype : -1;
+ }
+
+-int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+- struct kernel_lb_addr *eloc, uint32_t *elen, int inc)
++/*
++ * Returns 1 on success, -errno on error, 0 on hit EOF.
++ */
++int udf_current_aext(struct inode *inode, struct extent_position *epos,
++ struct kernel_lb_addr *eloc, uint32_t *elen, int8_t *etype,
++ int inc)
+ {
+ int alen;
+- int8_t etype;
+ uint8_t *ptr;
+ struct short_ad *sad;
+ struct long_ad *lad;
+@@ -2107,8 +2119,8 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+ case ICBTAG_FLAG_AD_SHORT:
+ sad = udf_get_fileshortad(ptr, alen, &epos->offset, inc);
+ if (!sad)
+- return -1;
+- etype = le32_to_cpu(sad->extLength) >> 30;
++ return 0;
++ *etype = le32_to_cpu(sad->extLength) >> 30;
+ eloc->logicalBlockNum = le32_to_cpu(sad->extPosition);
+ eloc->partitionReferenceNum =
+ iinfo->i_location.partitionReferenceNum;
+@@ -2117,17 +2129,17 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+ case ICBTAG_FLAG_AD_LONG:
+ lad = udf_get_filelongad(ptr, alen, &epos->offset, inc);
+ if (!lad)
+- return -1;
+- etype = le32_to_cpu(lad->extLength) >> 30;
++ return 0;
++ *etype = le32_to_cpu(lad->extLength) >> 30;
+ *eloc = lelb_to_cpu(lad->extLocation);
+ *elen = le32_to_cpu(lad->extLength) & UDF_EXTENT_LENGTH_MASK;
+ break;
+ default:
+ udf_debug("alloc_type = %u unsupported\n", iinfo->i_alloc_type);
+- return -1;
++ return -EINVAL;
+ }
+
+- return etype;
++ return 1;
+ }
+
+ static int udf_insert_aext(struct inode *inode, struct extent_position epos,
+diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
+index 036ebd892b852..f0de6e106ce65 100644
+--- a/fs/udf/truncate.c
++++ b/fs/udf/truncate.c
+@@ -192,6 +192,7 @@ int udf_truncate_extents(struct inode *inode)
+ loff_t byte_offset;
+ int adsize;
+ struct udf_inode_info *iinfo = UDF_I(inode);
++ int ret = 0;
+
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
+ adsize = sizeof(struct short_ad);
+@@ -221,8 +222,8 @@ int udf_truncate_extents(struct inode *inode)
+ else
+ lenalloc -= sizeof(struct allocExtDesc);
+
+- while ((etype = udf_current_aext(inode, &epos, &eloc,
+- &elen, 0)) != -1) {
++ while ((ret = udf_current_aext(inode, &epos, &eloc,
++ &elen, &etype, 0)) > 0) {
+ if (etype == (EXT_NEXT_EXTENT_ALLOCDESCS >> 30)) {
+ udf_write_aext(inode, &epos, &neloc, nelen, 0);
+ if (indirect_ext_len) {
+@@ -257,6 +258,11 @@ int udf_truncate_extents(struct inode *inode)
+ }
+ }
+
++ if (ret < 0) {
++ brelse(epos.bh);
++ return ret;
++ }
++
+ if (indirect_ext_len) {
+ BUG_ON(!epos.bh);
+ udf_free_blocks(sb, NULL, &epos.block, 0, indirect_ext_len);
+diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
+index d35aa42bb5777..1d19434d4a47c 100644
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -174,8 +174,9 @@ extern void udf_write_aext(struct inode *, struct extent_position *,
+ extern int8_t udf_delete_aext(struct inode *, struct extent_position);
+ extern int8_t udf_next_aext(struct inode *, struct extent_position *,
+ struct kernel_lb_addr *, uint32_t *, int);
+-extern int8_t udf_current_aext(struct inode *, struct extent_position *,
+- struct kernel_lb_addr *, uint32_t *, int);
++extern int udf_current_aext(struct inode *inode, struct extent_position *epos,
++ struct kernel_lb_addr *eloc, uint32_t *elen,
++ int8_t *etype, int inc);
+ extern void udf_update_extra_perms(struct inode *inode, umode_t mode);
+
+ /* misc.c */
+--
+2.43.0
+
--
2.47.2
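Review bot: In udf_setup_indirect_aext() the new `if (err <= 0) goto err_out;` routes the EOF result (0) of udf_current_aext() to `err_out`, where `brelse(bh); return err;` returns 0, the same value as the success path, although `*epos = nepos` was never executed. A caller then cannot tell that the indirect extent was not set up, which matters most on a corrupted or crafted image where the descriptor at the adjusted offset does not read back. Mapping the unexpected EOF to an error before the jump, for example `if (err == 0) err = -EIO;` (the errno is a suggestion), keeps 0 meaning success only. Separately, in udf_next_aext() the added `if (etype != ...) break;` now precedes the declaration `udf_pblk_t block;`, which may warn if the 6.1 build still passes -Wdeclaration-after-statement. Both functions are only partly visible in these hunks.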