September 2024 - Linux-stable-mirror

[PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

by Qianqiang Liu

syzbot has found a NULL pointer dereference bug in fbcon [1]. This issue is caused by ops->putcs being a NULL pointer. We need to check the pointer before using it. [1] https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a Cc: stable(a)vger.kernel.org Reported-and-tested-by: syzbot+3d613ae53c031502687a(a)syzkaller.appspotmail.com Signed-off-by: Qianqiang Liu <qianqiang.liu(a)163.com> --- drivers/video/fbdev/core/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 3f7333dca508..96c1262cc981 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1284,7 +1284,7 @@ static void fbcon_putcs(struct vc_data *vc, const u16 *s, unsigned int count, struct fbcon_display *p = &fb_display[vc->vc_num]; struct fbcon_ops *ops = info->fbcon_par; - if (!fbcon_is_inactive(vc, info)) + if (!fbcon_is_inactive(vc, info) && ops->putcs) ops->putcs(vc, info, s, count, real_y(p, ypos), xpos, get_color(vc, info, scr_readw(s), 1), get_color(vc, info, scr_readw(s), 0)); -- 2.39.2

8 months, 2 weeks

2
2
0 0

[PATCH 5.4] bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

by Pu Lehui

From: Toke Høiland-Jørgensen <toke(a)redhat.com> [ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ] The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation. Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a(a)syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Message-ID: <20240307120340.99577-2-toke(a)redhat.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/devmap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 4b2819b0a05a..2370fc31169f 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -130,10 +130,13 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) cost = (u64) sizeof(struct list_head) * num_possible_cpus(); if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { - dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); - - if (!dtab->n_buckets) /* Overflow check */ + /* hash table size must be power of 2; roundup_pow_of_two() can + * overflow into UB on 32-bit arches, so check that first + */ + if (dtab->map.max_entries > 1UL << 31) return -EINVAL; + + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; } else { cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); -- 2.34.1

8 months, 2 weeks

1
0
0 0

[PATCH] Input: adp5588-keys - Added checking of key and key_val variables

by Denis Arefev

If the adp5588_read function returns 0, then there will be an overflow of the kpad->keycode buffer. If the adp5588_read function returns a negative value, then the logic is broken - the wrong value is used as an index of the kpad->keycode array. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/input/keyboard/adp5588-keys.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 1b0279393df4..d05387f9c11f 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -526,14 +526,17 @@ static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) int i; for (i = 0; i < ev_cnt; i++) { - int key = adp5588_read(kpad->client, KEY_EVENTA + i); - int key_val = key & KEY_EV_MASK; - int key_press = key & KEY_EV_PRESSED; + int key, key_val, key_press; + key = adp5588_read(kpad->client, KEY_EVENTA + i); + if (key < 0) + continue; + key_val = key & KEY_EV_MASK; + key_press = key & KEY_EV_PRESSED; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { /* gpio line used as IRQ source */ adp5588_gpio_irq_handle(kpad, key_val, key_press); - } else { + } else if (key_val > 0) { int row = (key_val - 1) / ADP5588_COLS_MAX; int col = (key_val - 1) % ADP5588_COLS_MAX; int code = MATRIX_SCAN_CODE(row, col, kpad->row_shift); -- 2.25.1

8 months, 2 weeks

1
0
0 0

[PATCH v7 2/4] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> Regarding the specification of MCQ: Aborts a command using SQ cleanup, The host controller will post a Completion Queue entry with OCS = ABORTED. ufshcd_abort_all forcibly aborts all on-going commands. In MCQ mode, set a variable to notify SCSI to requeue the command after receiving response with OCS_ABORTED. This approach would then be consistent with legacy SDB mode. Below is ufshcd_err_handler legacy SDB flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufshcd_intr() ufshcd_sl_intr() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done(); Below is ufshcd_err_handler MCQ flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_mcq_compl_pending_transfer() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufs_mtk_mcq_intr() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() So what we need to correct is to notify SCSI to requeue when MCQ mode receives OCS: ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 40 ++++++++++++++++++++++++--------------- include/ufs/ufshcd.h | 8 ++++++++ 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..4f9c7a632465 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->abort_initiated_by = UFS_NO_ABORT; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,10 +5405,19 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->abort_initiated_by == UFS_ERR_HANDLER) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; + dev_warn(hba->dev, + "OCS aborted from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; + dev_warn(hba->dev, + "OCS invaild from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_CMD_TABLE_ATTR: case OCS_INVALID_PRDT_ATTR: @@ -6471,26 +6481,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } @@ -7561,6 +7557,20 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) goto out; } + /* + * When the host software receives a "FUNCTION COMPLETE", set this + * variable to requeue command after receive response with OCS_ABORTED + * + * MCQ mode: Host will post to CQ with OCS_ABORTED after SQ cleanup + * + * This variable is set because error handler ufshcd_abort_all forcibly + * aborts all commands, and the host controller will automatically + * fill in the OCS field of the corresponding response with OCS_ABORTED. + * Therefore, upon receiving this response, it needs to be requeued. + */ + if (!err && hba->mcq_enabled && ufshcd_eh_in_progress(hba)) + lrbp->abort_initiated_by = UFS_ERR_HANDLER; + err = ufshcd_clear_cmd(hba, tag); if (err) dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n", diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..61a7dc489511 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -145,6 +145,11 @@ enum ufs_pm_level { UFS_PM_LVL_MAX }; +enum ufs_abort_by { + UFS_NO_ABORT, + UFS_ERR_HANDLER, +}; + struct ufs_pm_lvl_states { enum ufs_dev_pwr_mode dev_state; enum uic_link_state link_state; @@ -173,6 +178,8 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @abort_initiated_by: This variable is used to store the scenario in + * which the abort occurs */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +209,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + int abort_initiated_by; }; /** -- 2.45.2

8 months, 2 weeks

1
0
0 0

[PATCH v7 1/4] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

8 months, 2 weeks

1
0
0 0

[PATCH 5.10/5.15 0/1] tty: add the option to have a tty reject a new ldisc

by Gavrilov Ilia

Syzkaller reports a sleeping function called from invalid context in do_con_write() in the 5.10 and 5.15 stable releases. The issue has been fixed by the following upstream patch that was adapted to 5.10 and 5.15. All of the changes made to the patch in order to adapt it are described at the end of the commit message. This patch has already been backported to the following stable branches: v6.9 - https://lore.kernel.org/all/20240625085551.368621044@linuxfoundation.org/ v6.6 - https://lore.kernel.org/all/20240625085539.398852153@linuxfoundation.org/ v6.1 - https://lore.kernel.org/all/20240625085527.625846117@linuxfoundation.org/ Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. Linus Torvalds (1): tty: add the option to have a tty reject a new ldisc drivers/tty/tty_ldisc.c | 6 ++++++ drivers/tty/vt/vt.c | 10 ++++++++++ include/linux/tty_driver.h | 8 ++++++++ 3 files changed, 24 insertions(+) -- 2.39.2

8 months, 2 weeks

1
1
0 0

[PATCH v1] usb: typec: Fix arg check for usb_power_delivery_unregister_capabilities

by Amit Sunil Dhamne

usb_power_delivery_register_capabilities() returns ERR_PTR in case of failure. usb_power_delivery_unregister_capabilities() we only check argument ("cap") for NULL. A more robust check would be checking for ERR_PTR as well. Cc: stable(a)vger.kernel.org Fixes: 662a60102c12 ("usb: typec: Separate USB Power Delivery from USB Type-C") Signed-off-by: Amit Sunil Dhamne <amitsd(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/pd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/pd.c b/drivers/usb/typec/pd.c index d78c04a421bc..761fe4dddf1b 100644 --- a/drivers/usb/typec/pd.c +++ b/drivers/usb/typec/pd.c @@ -519,7 +519,7 @@ EXPORT_SYMBOL_GPL(usb_power_delivery_register_capabilities); */ void usb_power_delivery_unregister_capabilities(struct usb_power_delivery_capabilities *cap) { - if (!cap) + if (IS_ERR_OR_NULL(cap)) return; device_for_each_child(&cap->dev, NULL, remove_pdo); base-commit: 68d4209158f43a558c5553ea95ab0c8975eab18c -- 2.46.0.792.g87dc391469-goog

8 months, 3 weeks

3
4
0 0

syzbot: KASAN: slab-out-of-bounds Read in xlog_pack_data

by Andrey Kalachev

Hi, I found that the syzbot bug 'KASAN: slab-out-of-bounds Read in xlog_pack_data' [1] has been fixed in master branch since v6.4-rc6-11-gf1e1765aad7d [2]. But, it still exist in LTS kernels: 5.4, 5.10, 5.15 [3], 6.1 [4] Common c-reproducer code can be found here [5]. I've made backport f1e1765aad7d ("xfs: journal geometry is not properly bounds checked") Patch for v5.15 & v6.1 is same with original upstream code. Patches for v5.4 and v5.10 has some cosmetic variations: `xfs_has_crc(mp)` call replaced by `xfs_sb_version_hascrc(&mp->m_sb)` at most. I would be grateful for any assistance. Regards, AK [1] https://syzkaller.appspot.com/bug?extid=b7854dc75e15ffc8c2ae [2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… [3] https://syzkaller.appspot.com/bug?extid=66f256de193ab682584f [4] https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787 [5] https://syzkaller.appspot.com/text?tag=ReproC&x=152f7343280000 Reported-by: syzbot+66f256de193ab682584f(a)syzkaller.appspotmail.com Reported-by: syzbot+904ffc7f25c759741787(a)syzkaller.appspotmail.com

8 months, 3 weeks

1
3
0 0

[PATCH v2 5.10.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

Subject: [PATCH v2 5.10.y] udf: Fold udf_getblk() into udf_bread() From: Jan Kara <jack(a)suse.cz> [ Upstream commit 32f123a3f34283f9c6446de87861696f0502b02e ] udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... Changes in version 2: - mentioned the original commit. fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -458,30 +458,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1197,10 +1173,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (buffer_uptodate(bh)) return bh;

8 months, 3 weeks

1
0
0 0

[PATCH v2 6.1.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> [ Upstream commit 32f123a3f34283f9c6446de87861696f0502b02e ] udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... Changes in version 2: - mentioned the original commit. fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -459,30 +459,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1198,10 +1174,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (bh_read(bh, 0) >= 0) return bh;

8 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024