From f0abbf0e31232b07d42c0697c2262dd8f4765d4e Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 12 Mar 2021 23:07:14 -0500
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...-race-condition-between-msdc_request.patch | 85 +++++++++++++++++++
 ...a-resource-leak-in-an-error-handling.patch | 37 ++++++++
 ...-missing-of_node_put-to-fix-referenc.patch | 66 ++++++++++++++
 ...x-race-in-installing-chained-irq-han.patch | 50 +++++++++++
 ...handling-of-unrecoverable-system-res.patch | 41 +++++++++
 ...ord-counter-overflow-always-if-sampl.patch | 80 +++++++++++++++++
 ...escan_cpus-move-cpumask-away-from-st.patch | 36 ++++++++
 ...x-iscsi_prep_scsi_cmd_pdu-error-hand.patch | 50 +++++++++++
 queue-4.14/series | 9 ++
 ...ix-silent-aed-taglocation-corruption.patch | 53 ++++++++++++
 10 files changed, 507 insertions(+)
 create mode 100644 queue-4.14/mmc-mediatek-fix-race-condition-between-msdc_request.patch
 create mode 100644 queue-4.14/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch
 create mode 100644 queue-4.14/pci-mediatek-add-missing-of_node_put-to-fix-referenc.patch
 create mode 100644 queue-4.14/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch
 create mode 100644 queue-4.14/powerpc-improve-handling-of-unrecoverable-system-res.patch
 create mode 100644 queue-4.14/powerpc-perf-record-counter-overflow-always-if-sampl.patch
 create mode 100644 queue-4.14/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch
 create mode 100644 queue-4.14/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch
 create mode 100644 queue-4.14/udf-fix-silent-aed-taglocation-corruption.patch
diff --git a/queue-4.14/mmc-mediatek-fix-race-condition-between-msdc_request.patch b/queue-4.14/mmc-mediatek-fix-race-condition-between-msdc_request.patch
new file mode 100644
index 00000000000..5e592314b29
--- /dev/null
+++ b/queue-4.14/mmc-mediatek-fix-race-condition-between-msdc_request.patch
@@ -0,0 +1,85 @@
+From ef26ed60f69af201fbfacf58e3225a1345142f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Dec 2020 15:16:11 +0800
+Subject: mmc: mediatek: fix race condition between msdc_request_timeout and
+ irq
+
+From: Chaotian Jing
+
+[ Upstream commit 0354ca6edd464a2cf332f390581977b8699ed081 ]
+
+when get request SW timeout, if CMD/DAT xfer done irq coming right now,
+then there is race between the msdc_request_timeout work and irq handler,
+and the host->cmd and host->data may set to NULL in irq handler. also,
+current flow ensure that only one path can go to msdc_request_done(), so
+no need check the return value of cancel_delayed_work().
+
+Signed-off-by: Chaotian Jing
+Link: https://lore.kernel.org/r/20201218071611.12276-1-chaotian.jing@mediatek.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/mtk-sd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 1a5d5c40324b..e51a62cff5ec 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -758,13 +758,13 @@ static void msdc_track_cmd_data(struct msdc_host *host,
+ static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq)
+ {
+ unsigned long flags;
+- bool ret;
+
+- ret = cancel_delayed_work(&host->req_timeout);
+- if (!ret) {
+- /* delay work already running */
+- return;
+- }
++ /*
++ * No need check the return value of cancel_delayed_work, as only ONE
++ * path will go here!
++ */
++ cancel_delayed_work(&host->req_timeout);
++
+ spin_lock_irqsave(&host->lock, flags);
+ host->mrq = NULL;
+ spin_unlock_irqrestore(&host->lock, flags);
+@@ -782,7 +782,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
+ bool done = false;
+ bool sbc_error;
+ unsigned long flags;
+- u32 *rsp = cmd->resp;
++ u32 *rsp;
+
+ if (mrq->sbc && cmd == mrq->cmd &&
+ (events & (MSDC_INT_ACMDRDY | MSDC_INT_ACMDCRCERR
+@@ -803,6 +803,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
+
+ if (done)
+ return true;
++ rsp = cmd->resp;
+
+ sdr_clr_bits(host->base + MSDC_INTEN, cmd_ints_mask);
+
+@@ -984,7 +985,7 @@ static void msdc_data_xfer_next(struct msdc_host *host,
+ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
+ struct mmc_request *mrq, struct mmc_data *data)
+ {
+- struct mmc_command *stop = data->stop;
++ struct mmc_command *stop;
+ unsigned long flags;
+ bool done;
+ unsigned int check_data = events &
+@@ -1000,6 +1001,7 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
+
+ if (done)
+ return true;
++ stop = data->stop;
+
+ if (check_data || (stop && stop->error)) {
+ dev_dbg(host->dev, "DMA status: 0x%8X\n",
+--
+2.30.1
+
diff --git a/queue-4.14/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch b/queue-4.14/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch
new file mode 100644
index 00000000000..ddd37c7d1e8
--- /dev/null
+++ b/queue-4.14/mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch
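Review bot: The new comment in msdc_request_done() asserts that only one path reaches it but does not say what enforces that, and cancel_delayed_work() does not wait for a timeout work item that is already executing. Judging by the commit message, the guarantee comes from the irq handler and the timeout work each claiming host->cmd / host->data before completing the request; that code is outside this hunk, so it should be confirmed there. I would name the invariant in the comment, for example `/* Only one of irq and req_timeout work claims host->cmd/host->data, so a running timeout work cannot also get here */`. The moved `rsp = cmd->resp;` and `stop = data->stop;` loads are consistent with that reading, since both now happen after the `done` check.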
@@ -0,0 +1,37 @@
+From 77671edf9657a9a157741d28225ce578ca5807f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Dec 2020 21:35:27 +0100
+Subject: mmc: mxs-mmc: Fix a resource leak in an error handling path in
+ 'mxs_mmc_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 0bb7e560f821c7770973a94e346654c4bdccd42c ]
+
+If 'mmc_of_parse()' fails, we must undo the previous 'dma_request_chan()'
+call.
+
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/20201208203527.49262-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/mxs-mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
+index add1e70195ea..7125687faf76 100644
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -659,7 +659,7 @@ static int mxs_mmc_probe(struct platform_device *pdev)
+
+ ret = mmc_of_parse(mmc);
+ if (ret)
+- goto out_clk_disable;
++ goto out_free_dma;
+
+ mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
+
+--
+2.30.1
+
diff --git a/queue-4.14/pci-mediatek-add-missing-of_node_put-to-fix-referenc.patch b/queue-4.14/pci-mediatek-add-missing-of_node_put-to-fix-referenc.patch
new file mode 100644
index 00000000000..042e583c530
--- /dev/null
+++ b/queue-4.14/pci-mediatek-add-missing-of_node_put-to-fix-referenc.patch
@@ -0,0 +1,66 @@
+From a2c83c283e918bf9f8c61cb435854c37304e7f70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jan 2021 18:48:10 +0000
+Subject: PCI: mediatek: Add missing of_node_put() to fix reference leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Wilczyński
+
+[ Upstream commit 42814c438aac79746d310f413a27d5b0b959c5de ]
+
+The for_each_available_child_of_node helper internally makes use of the
+of_get_next_available_child() which performs an of_node_get() on each
+iteration when searching for next available child node.
+
+Should an available child node be found, then it would return a device
+node pointer with reference count incremented, thus early return from
+the middle of the loop requires an explicit of_node_put() to prevent
+reference count leak.
+
+To stop the reference leak, explicitly call of_node_put() before
+returning after an error occurred.
+
+Link: https://lore.kernel.org/r/20210120184810.3068794-1-kw@linux.com
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/host/pcie-mediatek.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/host/pcie-mediatek.c b/drivers/pci/host/pcie-mediatek.c
+index c896bb9ef968..60c3110b5151 100644
+--- a/drivers/pci/host/pcie-mediatek.c
++++ b/drivers/pci/host/pcie-mediatek.c
+@@ -1042,14 +1042,14 @@ static int mtk_pcie_setup(struct mtk_pcie *pcie)
+ err = of_pci_get_devfn(child);
+ if (err < 0) {
+ dev_err(dev, "failed to parse devfn: %d\n", err);
+- return err;
++ goto error_put_node;
+ }
+
+ slot = PCI_SLOT(err);
+
+ err = mtk_pcie_parse_port(pcie, child, slot);
+ if (err)
+- return err;
++ goto error_put_node;
+ }
+
+ err = mtk_pcie_subsys_powerup(pcie);
+@@ -1065,6 +1065,9 @@ static int mtk_pcie_setup(struct mtk_pcie *pcie)
+ mtk_pcie_subsys_powerdown(pcie);
+
+ return 0;
++error_put_node:
++ of_node_put(child);
++ return err;
+ }
+
+ static int mtk_pcie_request_resources(struct mtk_pcie *pcie)
+--
+2.30.1
+
diff --git a/queue-4.14/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch b/queue-4.14/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch
new file mode 100644
index 00000000000..18a2ed50f67
--- /dev/null
+++ b/queue-4.14/pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch
@@ -0,0 +1,50 @@
+From 47f87619f87d8d8a8ae1930b90eb3c45747b2c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jan 2021 22:24:35 +0100
+Subject: PCI: xgene-msi: Fix race in installing chained irq handler
+
+From: Martin Kaiser
+
+[ Upstream commit a93c00e5f975f23592895b7e83f35de2d36b7633 ]
+
+Fix a race where a pending interrupt could be received and the handler
+called before the handler's data has been setup, by converting to
+irq_set_chained_handler_and_data().
+
+See also 2cf5a03cb29d ("PCI/keystone: Fix race in installing chained IRQ
+handler").
+
+Based on the mail discussion, it seems ok to drop the error handling.
+
+Link: https://lore.kernel.org/r/20210115212435.19940-3-martin@kaiser.cx
+Signed-off-by: Martin Kaiser
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/host/pci-xgene-msi.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pci/host/pci-xgene-msi.c b/drivers/pci/host/pci-xgene-msi.c
+index 1f42a202b021..784b3f61199e 100644
+--- a/drivers/pci/host/pci-xgene-msi.c
++++ b/drivers/pci/host/pci-xgene-msi.c
+@@ -393,13 +393,9 @@ static int xgene_msi_hwirq_alloc(unsigned int cpu)
+ if (!msi_group->gic_irq)
+ continue;
+
+- irq_set_chained_handler(msi_group->gic_irq,
+- xgene_msi_isr);
+- err = irq_set_handler_data(msi_group->gic_irq, msi_group);
+- if (err) {
+- pr_err("failed to register GIC IRQ handler\n");
+- return -EINVAL;
+- }
++ irq_set_chained_handler_and_data(msi_group->gic_irq,
++ xgene_msi_isr, msi_group);
++
+ /*
+ * Statically allocate MSI GIC IRQs to each CPU core.
+ * With 8-core X-Gene v1, 2 MSI GIC IRQs are allocated
+--
+2.30.1
+
diff --git a/queue-4.14/powerpc-improve-handling-of-unrecoverable-system-res.patch b/queue-4.14/powerpc-improve-handling-of-unrecoverable-system-res.patch
new file mode 100644
index 00000000000..3599be047c1
--- /dev/null
+++ b/queue-4.14/powerpc-improve-handling-of-unrecoverable-system-res.patch
@@ -0,0 +1,41 @@
+From 14e524121b941b10dc273619bd810e7ccd8ada35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 30 Jan 2021 23:08:35 +1000
+Subject: powerpc: improve handling of unrecoverable system reset
+
+From: Nicholas Piggin
+
+[ Upstream commit 11cb0a25f71818ca7ab4856548ecfd83c169aa4d ]
+
+If an unrecoverable system reset hits in process context, the system
+does not have to panic. Similar to machine check, call nmi_exit()
+before die().
+
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210130130852.2952424-26-npiggin@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/traps.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
+index 0f1a888c04a8..05c1aabad01c 100644
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -360,8 +360,11 @@ void system_reset_exception(struct pt_regs *regs)
+ die("Unrecoverable nested System Reset", regs, SIGABRT);
+ #endif
+ /* Must die if the interrupt is not recoverable */
+- if (!(regs->msr & MSR_RI))
++ if (!(regs->msr & MSR_RI)) {
++ /* For the reason explained in die_mce, nmi_exit before die */
++ nmi_exit();
+ die("Unrecoverable System Reset", regs, SIGABRT);
++ }
+
+ if (!nested)
+ nmi_exit();
+--
+2.30.1
+
diff --git a/queue-4.14/powerpc-perf-record-counter-overflow-always-if-sampl.patch b/queue-4.14/powerpc-perf-record-counter-overflow-always-if-sampl.patch
new file mode 100644
index 00000000000..2a5fda5249d
--- /dev/null
+++ b/queue-4.14/powerpc-perf-record-counter-overflow-always-if-sampl.patch
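Review bot: The added `nmi_exit()` in the `!(regs->msr & MSR_RI)` branch is unconditional, while the existing exit two lines below it is guarded by `if (!nested)`, so on this tree a nested entry would leave an NMI context it did not enter. The matching nmi_enter() is outside the hunk and presumably carries the same `!nested` guard; if so, the new call should read `if (!nested) nmi_exit();`. If die() can return on this path, execution also falls through to the second nmi_exit() and the NMI count is dropped twice. The new comment points at die_mce, which is not visible in this hunk, so it is worth confirming that the function exists in 4.14 or stating the reason directly in the comment.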
@@ -0,0 +1,80 @@
+From b9590c938ba8b3ff9fcf196a7994000faefcd6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Feb 2021 04:14:52 -0500
+Subject: powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
+
+From: Athira Rajeev
+
+[ Upstream commit d137845c973147a22622cc76c7b0bc16f6206323 ]
+
+While sampling for marked events, currently we record the sample only
+if the SIAR valid bit of Sampled Instruction Event Register (SIER) is
+set. SIAR_VALID bit is used for fetching the instruction address from
+Sampled Instruction Address Register(SIAR). But there are some
+usecases, where the user is interested only in the PMU stats at each
+counter overflow and the exact IP of the overflow event is not
+required. Dropping SIAR invalid samples will fail to record some of
+the counter overflows in such cases.
+
+Example of such usecase is dumping the PMU stats (event counts) after
+some regular amount of instructions/events from the userspace (ex: via
+ptrace). Here counter overflow is indicated to userspace via signal
+handler, and captured by monitoring and enabling I/O signaling on the
+event file descriptor. In these cases, we expect to get
+sample/overflow indication after each specified sample_period.
+
+Perf event attribute will not have PERF_SAMPLE_IP set in the
+sample_type if exact IP of the overflow event is not requested. So
+while profiling if SAMPLE_IP is not set, just record the counter
+overflow irrespective of SIAR_VALID check.
+
+Suggested-by: Michael Ellerman
+Signed-off-by: Athira Rajeev
+[mpe: Reflow comment and if formatting]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/1612516492-1428-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/perf/core-book3s.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index 56f16c803590..2669847434b8 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -2055,7 +2055,17 @@ static void record_and_restart(struct perf_event *event, unsigned long val,
+ left += period;
+ if (left <= 0)
+ left = period;
+- record = siar_valid(regs);
++
++ /*
++ * If address is not requested in the sample via
++ * PERF_SAMPLE_IP, just record that sample irrespective
++ * of SIAR valid check.
++ */
++ if (event->attr.sample_type & PERF_SAMPLE_IP)
++ record = siar_valid(regs);
++ else
++ record = 1;
++
+ event->hw.last_period = event->hw.sample_period;
+ }
+ if (left < 0x80000000LL)
+@@ -2073,9 +2083,10 @@ static void record_and_restart(struct perf_event *event, unsigned long val,
+ * MMCR2. Check attr.exclude_kernel and address to drop the sample in
+ * these cases.
+ */
+- if (event->attr.exclude_kernel && record)
+- if (is_kernel_addr(mfspr(SPRN_SIAR)))
+- record = 0;
++ if (event->attr.exclude_kernel &&
++ (event->attr.sample_type & PERF_SAMPLE_IP) &&
++ is_kernel_addr(mfspr(SPRN_SIAR)))
++ record = 0;
+
+ /*
+ * Finally record data if requested.
+--
+2.30.1
+
diff --git a/queue-4.14/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch b/queue-4.14/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch
new file mode 100644
index 00000000000..e30da9d9a8c
--- /dev/null
+++ b/queue-4.14/s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch
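Review bot: With this change an event that sets exclude_kernel but not PERF_SAMPLE_IP is no longer filtered by `is_kernel_addr(mfspr(SPRN_SIAR))`, so overflows taken at kernel addresses are recorded for it. That matches the stated goal of reporting every overflow, but the comment block above the check still says only "Check attr.exclude_kernel and address to drop the sample" and does not explain why skipping the filter is acceptable. I would extend that comment with a line such as `* Samples without PERF_SAMPLE_IP carry no instruction address, so the address check is skipped for them.` It is also worth confirming that no other requested sample_type field filled in later in record_and_restart(), outside this hunk, exposes kernel-side data for such events.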
@@ -0,0 +1,36 @@
+From b507bec8dea6ec3af2427cb1eac1964bb78a209a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Feb 2021 07:13:02 +0100
+Subject: s390/smp: __smp_rescan_cpus() - move cpumask away from stack
+
+From: Heiko Carstens
+
+[ Upstream commit 62c8dca9e194326802b43c60763f856d782b225c ]
+
+Avoid a potentially large stack frame and overflow by making
+"cpumask_t avail" a static variable. There is no concurrent
+access due to the existing locking.
+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index 40946c8587a5..d43b48d8f67d 100644
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -761,7 +761,7 @@ static int smp_add_core(struct sclp_core_entry *core, cpumask_t *avail,
+ static int __smp_rescan_cpus(struct sclp_core_info *info, bool early)
+ {
+ struct sclp_core_entry *core;
+- cpumask_t avail;
++ static cpumask_t avail;
+ bool configured;
+ u16 core_id;
+ int nr, i;
+--
+2.30.1
+
diff --git a/queue-4.14/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch b/queue-4.14/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch
new file mode 100644
index 00000000000..c874a8e9f10
--- /dev/null
+++ b/queue-4.14/scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch
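Review bot: Making `avail` static means its contents persist across calls and that __smp_rescan_cpus() is no longer reentrant, and neither consequence is recorded at the declaration. The commit message relies on "the existing locking", but both the lock and the place where `avail` is (re)initialised are outside this hunk. I would add a comment on the declaration such as `/* static: too large for the stack; callers serialise rescans and the mask is rebuilt on every call */` and confirm both halves of that statement against the function body and its callers, including the `early` boot path.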
@@ -0,0 +1,50 @@
+From 70eec042e0722ec23676e1eb35309afb6ddcd45b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 6 Feb 2021 22:46:00 -0600
+Subject: scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
+
+From: Mike Christie
+
+[ Upstream commit d28d48c699779973ab9a3bd0e5acfa112bd4fdef ]
+
+If iscsi_prep_scsi_cmd_pdu() fails we try to add it back to the cmdqueue,
+but we leave it partially setup. We don't have functions that can undo the
+pdu and init task setup. We only have cleanup_task which can clean up both
+parts. So this has us just fail the cmd and go through the standard cleanup
+routine and then have the SCSI midlayer retry it like is done when it fails
+in the queuecommand path.
+
+Link: https://lore.kernel.org/r/20210207044608.27585-2-michael.christie@oracle.com
+Reviewed-by: Lee Duncan
+Signed-off-by: Mike Christie
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libiscsi.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index f180d1b4553c..21efe27ebfcc 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1569,14 +1569,9 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
+ }
+ rc = iscsi_prep_scsi_cmd_pdu(conn->task);
+ if (rc) {
+- if (rc == -ENOMEM || rc == -EACCES) {
+- spin_lock_bh(&conn->taskqueuelock);
+- list_add_tail(&conn->task->running,
+- &conn->cmdqueue);
+- conn->task = NULL;
+- spin_unlock_bh(&conn->taskqueuelock);
+- goto done;
+- } else
++ if (rc == -ENOMEM || rc == -EACCES)
++ fail_scsi_task(conn->task, DID_IMM_RETRY);
++ else
+ fail_scsi_task(conn->task, DID_ABORT);
+ spin_lock_bh(&conn->taskqueuelock);
+ continue;
+--
+2.30.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 86e878b2a75..f16eee8394e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
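Review bot: The two branches in iscsi_data_xmit() now differ only in the host byte passed to fail_scsi_task(), and nothing in the code says why -ENOMEM and -EACCES are treated as retryable. A short comment above the test would keep the commit message's reasoning next to the code, for example `/* transient prep failure: fail the task and let the midlayer retry; a partially set up PDU cannot be requeued */`. The removed branch also cleared conn->task before leaving; here the stale pointer survives until the loop assigns it again, which happens outside this hunk and should be checked.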
@@ -29,3 +29,12 @@ drm-meson_drv-add-shutdown-function.patch
 s390-cio-return-efault-if-copy_to_user-fails-take-2.patch
 media-usbtv-fix-deadlock-on-suspend.patch
 net-phy-fix-save-wrong-speed-and-duplex-problem-if-a.patch
+udf-fix-silent-aed-taglocation-corruption.patch
+mmc-mxs-mmc-fix-a-resource-leak-in-an-error-handling.patch
+mmc-mediatek-fix-race-condition-between-msdc_request.patch
+powerpc-improve-handling-of-unrecoverable-system-res.patch
+powerpc-perf-record-counter-overflow-always-if-sampl.patch
+pci-xgene-msi-fix-race-in-installing-chained-irq-han.patch
+pci-mediatek-add-missing-of_node_put-to-fix-referenc.patch
+s390-smp-__smp_rescan_cpus-move-cpumask-away-from-st.patch
+scsi-libiscsi-fix-iscsi_prep_scsi_cmd_pdu-error-hand.patch
diff --git a/queue-4.14/udf-fix-silent-aed-taglocation-corruption.patch b/queue-4.14/udf-fix-silent-aed-taglocation-corruption.patch
new file mode 100644
index 00000000000..289b618e758
--- /dev/null
+++ b/queue-4.14/udf-fix-silent-aed-taglocation-corruption.patch
@@ -0,0 +1,53 @@
+From 2d9b28d222a258c8e8a209b4b38021c894b94d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Jan 2021 17:41:16 -0600
+Subject: udf: fix silent AED tagLocation corruption
+
+From: Steven J. Magnani
+
+[ Upstream commit 63c9e47a1642fc817654a1bc18a6ec4bbcc0f056 ]
+
+When extending a file, udf_do_extend_file() may enter following empty
+indirect extent. At the end of udf_do_extend_file() we revert prev_epos
+to point to the last written extent. However if we end up not adding any
+further extent in udf_do_extend_file(), the reverting points prev_epos
+into the header area of the AED and following updates of the extents
+(in udf_update_extents()) will corrupt the header.
+
+Make sure that we do not follow indirect extent if we are not going to
+add any more extents so that returning back to the last written extent
+works correctly.
+
+Link: https://lore.kernel.org/r/20210107234116.6190-2-magnani@ieee.org
+Signed-off-by: Steven J. Magnani
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index dd57bd446340..e0e2bc19c929 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -540,11 +540,14 @@ static int udf_do_extend_file(struct inode *inode,
+
+ udf_write_aext(inode, last_pos, &last_ext->extLocation,
+ last_ext->extLength, 1);
++
+ /*
+- * We've rewritten the last extent but there may be empty
+- * indirect extent after it - enter it.
++ * We've rewritten the last extent. If we are going to add
++ * more extents, we may need to enter possible following
++ * empty indirect extent.
+ */
+- udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0);
++ if (new_block_bytes || prealloc_len)
++ udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0);
+ }
+
+ /* Managed to do everything necessary? */
+--
+2.30.1
+
--
2.47.3