 
            This is the start of the stable review cycle for the 4.9.330 release. There are 30 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 28 Sep 2022 10:07:26 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.330-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 4.9.330-rc1
Jan Kara jack@suse.cz ext4: make directory inode spreading reflect flexbg size
Vitaly Kuznetsov vkuznets@redhat.com Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region
Stefan Haberland sth@linux.ibm.com s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup
Ilpo Järvinen ilpo.jarvinen@linux.intel.com serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting
Ilpo Järvinen ilpo.jarvinen@linux.intel.com serial: Create uart_xmit_advance()
Sean Anderson seanga2@gmail.com net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD
Adrian Hunter adrian.hunter@intel.com perf kcore_copy: Do not check /proc/modules is unchanged
Marc Kleine-Budde mkl@pengutronix.de can: gs_usb: gs_can_open(): fix race dev->can.state condition
Randy Dunlap rdunlap@infradead.org MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko
Benjamin Poirier bpoirier@nvidia.com net: team: Unsync device addresses on ndo_stop
Lu Wei luwei32@huawei.com ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
David Leadbeater dgl@dgl.cx netfilter: nf_conntrack_irc: Tighten matching on DCC message
Igor Ryzhov iryzhov@nfware.com netfilter: nf_conntrack_sip: fix ct_sip_walk_headers
Chao Yu chao.yu@oppo.com mm/slub: fix to return errno if kmalloc() fails
Kai Vehmanen kai.vehmanen@linux.intel.com ALSA: hda: add Intel 5 Series / 3400 PCI DID
Mohan Kumar mkumard@nvidia.com ALSA: hda/tegra: set depop delay for tegra
Alan Stern stern@rowland.harvard.edu USB: core: Fix RST error in hub.c
Siddh Raman Pant code@siddh.me wifi: mac80211: Fix UAF in ieee80211_scan_rx()
Liang He windhl@126.com arm: mach-spear: Add missing of_node_put() in time.c
Liang He windhl@126.com mips: lantiq: Add missing of_node_put() in irq.c
Liang He windhl@126.com mips/pic32/pic32mzda: Fix refcount leak bugs
Liang He windhl@126.com mips: lantiq: xway: Fix refcount leak bug in sysctrl
Liang He windhl@126.com mips: lantiq: falcon: Fix refcount leak bug in sysctrl
Yihao Han hanyihao@vivo.com video: fbdev: simplefb: Check before clk_put() not needed
Hyunwoo Kim imv4bel@gmail.com video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
Petr Cvek petrcvekcz@gmail.com video: fbdev: intelfb: Use aperture size from pci_resource_len
Xiang wangx wangxiang@cdjrlc.com video: fbdev: skeletonfb: Fix syntax errors in comments
Maxime Ripard maxime@cerno.tech drm/vc4: crtc: Use an union to store the page flip callback
Stefan Metzmacher metze@samba.org cifs: don't send down the destination address to sendmsg for a SOCK_STREAM
Yang Yingliang yangyingliang@huawei.com parisc: ccio-dma: Add missing iounmap in error path in ccio_probe()
-------------
Diffstat:
Makefile | 4 ++-- arch/arm/mach-spear/time.c | 8 ++++++-- arch/mips/lantiq/clk.c | 1 + arch/mips/lantiq/falcon/sysctrl.c | 6 ++++++ arch/mips/lantiq/irq.c | 1 + arch/mips/lantiq/xway/sysctrl.c | 4 ++++ arch/mips/pic32/pic32mzda/init.c | 7 ++++++- arch/mips/pic32/pic32mzda/time.c | 3 +++ drivers/gpu/drm/vc4/vc4_crtc.c | 20 +++++++++++++------ drivers/hv/vmbus_drv.c | 10 +++++++++- drivers/net/can/usb/gs_usb.c | 4 ++-- drivers/net/ethernet/sun/sunhme.c | 4 ++-- drivers/net/ipvlan/ipvlan_core.c | 6 ++++-- drivers/net/team/team.c | 24 +++++++++++++++++------ drivers/parisc/ccio-dma.c | 1 + drivers/s390/block/dasd_alias.c | 9 +++++++-- drivers/tty/serial/serial-tegra.c | 5 ++--- drivers/usb/core/hub.c | 2 +- drivers/video/fbdev/intelfb/intelfbhw.c | 12 +++++------- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- drivers/video/fbdev/simplefb.c | 3 +-- drivers/video/fbdev/skeletonfb.c | 2 +- fs/cifs/transport.c | 4 ++-- fs/ext4/ialloc.c | 2 +- include/linux/serial_core.h | 17 +++++++++++++++++ mm/slub.c | 5 ++++- net/mac80211/scan.c | 11 +++++++---- net/netfilter/nf_conntrack_irc.c | 34 +++++++++++++++++++++++++++------ net/netfilter/nf_conntrack_sip.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 ++ sound/pci/hda/patch_hdmi.c | 1 + tools/perf/util/symbol-elf.c | 7 ++----- 32 files changed, 163 insertions(+), 62 deletions(-)
 
            From: Yang Yingliang yangyingliang@huawei.com
[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ]
Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() fails.
Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") Signed-off-by: Yang Yingliang yangyingliang@huawei.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/parisc/ccio-dma.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c index 633762f8d775..84a93ddcd57a 100644 --- a/drivers/parisc/ccio-dma.c +++ b/drivers/parisc/ccio-dma.c @@ -1569,6 +1569,7 @@ static int __init ccio_probe(struct parisc_device *dev) ioc->ioc_regs = ioremap_nocache(dev->hpa.start, 4096); ccio_ioc_init(ioc); if (ccio_init_resources(ioc)) { + iounmap(ioc->ioc_regs); kfree(ioc); return -ENOMEM; }
 
            From: Stefan Metzmacher metze@samba.org
commit 17d3df38dc5f4cec9b0ac6eb79c1859b6e2693a4 upstream.
This is ignored anyway by the tcp layer.
Signed-off-by: Stefan Metzmacher metze@samba.org Cc: stable@vger.kernel.org Reviewed-by: Ronnie Sahlberg lsahlber@redhat.com Reviewed-by: Paulo Alcantara (SUSE) pc@cjr.nz Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/cifs/transport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -140,8 +140,8 @@ smb_send_kvec(struct TCP_Server_Info *se
*sent = 0;
- smb_msg->msg_name = (struct sockaddr *) &server->dstaddr; - smb_msg->msg_namelen = sizeof(struct sockaddr); + smb_msg->msg_name = NULL; + smb_msg->msg_namelen = 0; smb_msg->msg_control = NULL; smb_msg->msg_controllen = 0; if (server->noblocksnd)
 
            From: Maxime Ripard maxime@cerno.tech
[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]
We'll need to extend the vc4_async_flip_state structure to rely on another callback implementation, so let's move the current one into a union.
Reviewed-by: Melissa Wen mwen@igalia.com Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://lore.kernel.org/r/20220610115149.964394-10-maxime@cerno.tech Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/vc4/vc4_crtc.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index 51d34e7275ab..9d97f535a4d6 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -717,17 +717,17 @@ struct vc4_async_flip_state { struct drm_framebuffer *fb; struct drm_pending_vblank_event *event;
- struct vc4_seqno_cb cb; + union { + struct vc4_seqno_cb seqno; + } cb; };
/* Called when the V3D execution for the BO being flipped to is done, so that * we can actually update the plane's address to point to it. */ static void -vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) +vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state) { - struct vc4_async_flip_state *flip_state = - container_of(cb, struct vc4_async_flip_state, cb); struct drm_crtc *crtc = flip_state->crtc; struct drm_device *dev = crtc->dev; struct vc4_dev *vc4 = to_vc4_dev(dev); @@ -749,6 +749,14 @@ vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) up(&vc4->async_modeset); }
+static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb) +{ + struct vc4_async_flip_state *flip_state = + container_of(cb, struct vc4_async_flip_state, cb.seqno); + + vc4_async_page_flip_complete(flip_state); +} + /* Implements async (non-vblank-synced) page flips. * * The page flip ioctl needs to return immediately, so we grab the @@ -794,8 +802,8 @@ static int vc4_async_page_flip(struct drm_crtc *crtc, drm_atomic_set_fb_for_plane(plane->state, fb); plane->fb = fb;
- vc4_queue_seqno_cb(dev, &flip_state->cb, bo->seqno, - vc4_async_page_flip_complete); + vc4_queue_seqno_cb(dev, &flip_state->cb.seqno, bo->seqno, + vc4_async_page_flip_seqno_complete);
/* Driver takes ownership of state on successful async commit. */ return 0;
 
            Hi!
From: Maxime Ripard maxime@cerno.tech
[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]
We'll need to extend the vc4_async_flip_state structure to rely on another callback implementation, so let's move the current one into a union.
AFAICT this is preparation, not a bugfix; and I don't see patch this prepares for queued. So we should not have this one, either.
Best regards, Pavel
+++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -717,17 +717,17 @@ struct vc4_async_flip_state { struct drm_framebuffer *fb; struct drm_pending_vblank_event *event;
- struct vc4_seqno_cb cb;
- union {
struct vc4_seqno_cb seqno;- } cb;
}; /* Called when the V3D execution for the BO being flipped to is done, so that
- we can actually update the plane's address to point to it.
*/ static void -vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) +vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state) {
- struct vc4_async_flip_state *flip_state =
struct drm_crtc *crtc = flip_state->crtc; struct drm_device *dev = crtc->dev; struct vc4_dev *vc4 = to_vc4_dev(dev);
container_of(cb, struct vc4_async_flip_state, cb);@@ -749,6 +749,14 @@ vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) up(&vc4->async_modeset); } +static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb) +{
- struct vc4_async_flip_state *flip_state =
container_of(cb, struct vc4_async_flip_state, cb.seqno);- vc4_async_page_flip_complete(flip_state);
+}
/* Implements async (non-vblank-synced) page flips.
- The page flip ioctl needs to return immediately, so we grab the
@@ -794,8 +802,8 @@ static int vc4_async_page_flip(struct drm_crtc *crtc, drm_atomic_set_fb_for_plane(plane->state, fb); plane->fb = fb;
- vc4_queue_seqno_cb(dev, &flip_state->cb, bo->seqno,
vc4_async_page_flip_complete);
- vc4_queue_seqno_cb(dev, &flip_state->cb.seqno, bo->seqno,
vc4_async_page_flip_seqno_complete);/* Driver takes ownership of state on successful async commit. */ return 0;
 
            On Mon, Sep 26, 2022 at 12:38:00PM +0200, Pavel Machek wrote:
Hi!
From: Maxime Ripard maxime@cerno.tech
[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]
We'll need to extend the vc4_async_flip_state structure to rely on another callback implementation, so let's move the current one into a union.
AFAICT this is preparation, not a bugfix; and I don't see patch this prepares for queued. So we should not have this one, either.
Dropped.
For some reason we had a bunch of 4.9-only patches that were not in any other stable tree, so they shouldn't have only gone to 4.9. I'll review them all again and then push out a -rc2.
thanks,
greg k-h
 
            From: Xiang wangx wangxiang@cdjrlc.com
[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
Delete the redundant word 'its'.
Signed-off-by: Xiang wangx wangxiang@cdjrlc.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/skeletonfb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/skeletonfb.c b/drivers/video/fbdev/skeletonfb.c index f948baa16d82..254bb6e2187c 100644 --- a/drivers/video/fbdev/skeletonfb.c +++ b/drivers/video/fbdev/skeletonfb.c @@ -96,7 +96,7 @@ static struct fb_fix_screeninfo xxxfb_fix = {
/* * Modern graphical hardware not only supports pipelines but some - * also support multiple monitors where each display can have its + * also support multiple monitors where each display can have * its own unique data. In this case each display could be * represented by a separate framebuffer device thus a separate * struct fb_info. Now the struct xxx_par represents the graphics
 
            On Mon 2022-09-26 12:11:35, Greg Kroah-Hartman wrote:
From: Xiang wangx wangxiang@cdjrlc.com
[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
Delete the redundant word 'its'.
This does not belong in stable.
Best regards, Pavel
+++ b/drivers/video/fbdev/skeletonfb.c @@ -96,7 +96,7 @@ static struct fb_fix_screeninfo xxxfb_fix = { /* * Modern graphical hardware not only supports pipelines but some
* also support multiple monitors where each display can have its
* also support multiple monitors where each display can have * its own unique data. In this case each display could be * represented by a separate framebuffer device thus a separate * struct fb_info. Now the struct xxx_par represents the graphics
 
            On 9/26/22 17:28, Pavel Machek wrote:
On Mon 2022-09-26 12:11:35, Greg Kroah-Hartman wrote:
From: Xiang wangx wangxiang@cdjrlc.com
[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
Delete the redundant word 'its'.
This does not belong in stable.
Without seeing the upstream commit, the patch subject is misleading: the patch doesn't fix any syntax errors as one might get from the compiler.
Also, what I find irritating is that I have never seen reply from @cdjrlc.com people to review comments pointing flaws of their patch. I guess they don't have any other jobs here in LKML other than just throwing one-line redundant word stripping patches. The similar cause is why Jani Nikula [1] and Greg NAKed cgel.zte patches (ignoring reviews and "atypical" corporate email structure [2])
Hence NAK (agree with your verdict). However, should the upstream commit be reverted?
[1]: https://lore.kernel.org/lkml/878rn1dd8l.fsf@intel.com/ [2]: https://lore.kernel.org/lkml/Yylv5hbSBejJ58nt@kroah.com/
 
            On Mon, Sep 26, 2022 at 12:28:01PM +0200, Pavel Machek wrote:
On Mon 2022-09-26 12:11:35, Greg Kroah-Hartman wrote:
From: Xiang wangx wangxiang@cdjrlc.com
[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
Delete the redundant word 'its'.
This does not belong in stable.
Agreed, I thought I caught this before. Now dropped.
greg k-h
 
            From: Petr Cvek petrcvekcz@gmail.com
[ Upstream commit 25c9a15fb7bbfafb94dd3b4e3165c18b8e1bd039 ]
Aperture size for i9x5 variants is determined from PCI base address.
if (pci_resource_start(pdev, 2) & 0x08000000) *aperture_size = MB(128); ...
This condition is incorrect as 128 MiB address can have the address set as 0x?8000000 or 0x?0000000. Also the code can be simplified to just use pci_resource_len().
The true settings of the aperture size is in the MSAC register, which could be used instead. However the value is used only as an info message, so it doesn't matter.
Signed-off-by: Petr Cvek petrcvekcz@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/intelfb/intelfbhw.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/video/fbdev/intelfb/intelfbhw.c b/drivers/video/fbdev/intelfb/intelfbhw.c index d31ed4e2c46f..3aa93565e935 100644 --- a/drivers/video/fbdev/intelfb/intelfbhw.c +++ b/drivers/video/fbdev/intelfb/intelfbhw.c @@ -199,13 +199,11 @@ int intelfbhw_get_memory(struct pci_dev *pdev, int *aperture_size, case PCI_DEVICE_ID_INTEL_945GME: case PCI_DEVICE_ID_INTEL_965G: case PCI_DEVICE_ID_INTEL_965GM: - /* 915, 945 and 965 chipsets support a 256MB aperture. - Aperture size is determined by inspected the - base address of the aperture. */ - if (pci_resource_start(pdev, 2) & 0x08000000) - *aperture_size = MB(128); - else - *aperture_size = MB(256); + /* + * 915, 945 and 965 chipsets support 64MB, 128MB or 256MB + * aperture. Determine size from PCI resource length. + */ + *aperture_size = pci_resource_len(pdev, 2); break; default: if ((tmp & INTEL_GMCH_MEM_MASK) == INTEL_GMCH_MEM_64M)
 
            From: Hyunwoo Kim imv4bel@gmail.com
[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user().
Signed-off-by: Hyunwoo Kim imv4bel@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 184773b6b9e4..2cca4b763d8d 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -391,7 +391,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, struct pxa3xx_gcu_batch *buffer; struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
- int words = count / 4; + size_t words = count / 4;
/* Does not need to be atomic. There's a lock in user space, * but anyhow, this is just for statistics. */
 
            From: Yihao Han hanyihao@vivo.com
[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]
clk_put() already checks the clk ptr using !clk and IS_ERR() so there is no need to check it again before calling it.
Signed-off-by: Yihao Han hanyihao@vivo.com Reviewed-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/simplefb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c index 61f799a515dc..1efdbbc20f99 100644 --- a/drivers/video/fbdev/simplefb.c +++ b/drivers/video/fbdev/simplefb.c @@ -231,8 +231,7 @@ static int simplefb_clocks_init(struct simplefb_par *par, if (IS_ERR(clock)) { if (PTR_ERR(clock) == -EPROBE_DEFER) { while (--i >= 0) { - if (par->clks[i]) - clk_put(par->clks[i]); + clk_put(par->clks[i]); } kfree(par->clks); return -EPROBE_DEFER;
 
            Hi!
From: Yihao Han hanyihao@vivo.com
[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]
clk_put() already checks the clk ptr using !clk and IS_ERR() so there is no need to check it again before calling it.
This does not really fix any bug, so I'd preffer not to have it in stable.
Best regards, Pavel
+++ b/drivers/video/fbdev/simplefb.c @@ -231,8 +231,7 @@ static int simplefb_clocks_init(struct simplefb_par *par, if (IS_ERR(clock)) { if (PTR_ERR(clock) == -EPROBE_DEFER) { while (--i >= 0) {
if (par->clks[i])
clk_put(par->clks[i]);
clk_put(par->clks[i]); } kfree(par->clks); return -EPROBE_DEFER;
 
            On Mon, Sep 26, 2022 at 12:29:26PM +0200, Pavel Machek wrote:
Hi!
From: Yihao Han hanyihao@vivo.com
[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]
clk_put() already checks the clk ptr using !clk and IS_ERR() so there is no need to check it again before calling it.
This does not really fix any bug, so I'd preffer not to have it in stable.
Now dropped, thanks.
greg k-h
 
            From: Liang He windhl@126.com
[ Upstream commit 72a2af539fff975caadd9a4db3f99963569bd9c9 ]
In ltq_soc_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.
Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/falcon/sysctrl.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c index 714d92659489..665739bd4190 100644 --- a/arch/mips/lantiq/falcon/sysctrl.c +++ b/arch/mips/lantiq/falcon/sysctrl.c @@ -210,6 +210,12 @@ void __init ltq_soc_init(void) of_address_to_resource(np_sysgpe, 0, &res_sys[2])) panic("Failed to get core resources");
+ of_node_put(np_status); + of_node_put(np_ebu); + of_node_put(np_sys1); + of_node_put(np_syseth); + of_node_put(np_sysgpe); + if ((request_mem_region(res_status.start, resource_size(&res_status), res_status.name) < 0) || (request_mem_region(res_ebu.start, resource_size(&res_ebu),
 
            From: Liang He windhl@126.com
[ Upstream commit 76695592711ef1e215cc24ed3e1cd857d7fc3098 ]
In ltq_soc_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.
Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/xway/sysctrl.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c index dd7c36a193e3..6891456a7603 100644 --- a/arch/mips/lantiq/xway/sysctrl.c +++ b/arch/mips/lantiq/xway/sysctrl.c @@ -457,6 +457,10 @@ void __init ltq_soc_init(void) of_address_to_resource(np_ebu, 0, &res_ebu)) panic("Failed to get core resources");
+ of_node_put(np_pmu); + of_node_put(np_cgu); + of_node_put(np_ebu); + if (!request_mem_region(res_pmu.start, resource_size(&res_pmu), res_pmu.name) || !request_mem_region(res_cgu.start, resource_size(&res_cgu),
 
            From: Liang He windhl@126.com
[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
of_find_matching_node(), of_find_compatible_node() and of_find_node_by_path() will return node pointers with refcout incremented. We should call of_node_put() when they are not used anymore.
Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/pic32/pic32mzda/init.c | 7 ++++++- arch/mips/pic32/pic32mzda/time.c | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c index 406c6c5cec29..f8985d4573e6 100644 --- a/arch/mips/pic32/pic32mzda/init.c +++ b/arch/mips/pic32/pic32mzda/init.c @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup) np = of_find_compatible_node(NULL, NULL, lookup->compatible); if (np) { lookup->name = (char *)np->name; - if (lookup->phys_addr) + if (lookup->phys_addr) { + of_node_put(np); continue; + } if (!of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start; + of_node_put(np); } }
+ of_node_put(root); + return 0; }
diff --git a/arch/mips/pic32/pic32mzda/time.c b/arch/mips/pic32/pic32mzda/time.c index 62a0a78b6c64..bfafe241c1b5 100644 --- a/arch/mips/pic32/pic32mzda/time.c +++ b/arch/mips/pic32/pic32mzda/time.c @@ -40,6 +40,9 @@ static unsigned int pic32_xlate_core_timer_irq(void) goto default_map;
irq = irq_of_parse_and_map(node, 0); + + of_node_put(node); + if (!irq) goto default_map;
 
            Hi!
[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
of_find_matching_node(), of_find_compatible_node() and of_find_node_by_path() will return node pointers with refcout incremented. We should call of_node_put() when they are not used anymore.
True. But we absolutely should not call put when we still use the reference.
+++ b/arch/mips/pic32/pic32mzda/init.c @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup) np = of_find_compatible_node(NULL, NULL, lookup->compatible); if (np) { lookup->name = (char *)np->name;
if (lookup->phys_addr)
if (lookup->phys_addr) {
of_node_put(np); continue;
} if (!of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start;} }
of_node_put(np);
As we stored np->name in lookup, we should not be putting that node, we are still using it.
Best regards, Pavel
 
            On Mon, Sep 26, 2022 at 12:40:42PM +0200, Pavel Machek wrote:
Hi!
[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
of_find_matching_node(), of_find_compatible_node() and of_find_node_by_path() will return node pointers with refcout incremented. We should call of_node_put() when they are not used anymore.
True. But we absolutely should not call put when we still use the reference.
+++ b/arch/mips/pic32/pic32mzda/init.c @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup) np = of_find_compatible_node(NULL, NULL, lookup->compatible); if (np) { lookup->name = (char *)np->name;
if (lookup->phys_addr)
if (lookup->phys_addr) {
of_node_put(np); continue;
} if (!of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start;} }
of_node_put(np);As we stored np->name in lookup, we should not be putting that node, we are still using it.
Now dropped, thanks.
greg k-h
 
            From: Liang He windhl@126.com
[ Upstream commit 3748d2185ac4c2c6f80989672253aad909ecaf95 ]
In icu_of_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.
Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/irq.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c index e64f678ca12c..e29dc58271b2 100644 --- a/arch/mips/lantiq/irq.c +++ b/arch/mips/lantiq/irq.c @@ -460,6 +460,7 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent) if (!ltq_eiu_membase) panic("Failed to remap eiu memory"); } + of_node_put(eiu_node);
return 0; }
 
            From: Liang He windhl@126.com
[ Upstream commit 2c629dd2d14fd7f64a553f809eda6d0b3a4f615a ]
In spear_setup_of_timer(), of_find_matching_node() will return a node pointer with refcount incrementd. We should use of_node_put() in each fail path or when it is not used anymore.
Signed-off-by: Liang He windhl@126.com Acked-by: Viresh Kumar viresh.kumar@linaro.org Link: https://lore.kernel.org/r/20220616093027.3984903-1-windhl@126.com' Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/mach-spear/time.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-spear/time.c b/arch/arm/mach-spear/time.c index aaaa6781b9fe..57b77c7effa9 100644 --- a/arch/arm/mach-spear/time.c +++ b/arch/arm/mach-spear/time.c @@ -223,13 +223,13 @@ void __init spear_setup_of_timer(void) irq = irq_of_parse_and_map(np, 0); if (!irq) { pr_err("%s: No irq passed for timer via DT\n", __func__); - return; + goto err_put_np; }
gpt_base = of_iomap(np, 0); if (!gpt_base) { pr_err("%s: of iomap failed\n", __func__); - return; + goto err_put_np; }
gpt_clk = clk_get_sys("gpt0", NULL); @@ -244,6 +244,8 @@ void __init spear_setup_of_timer(void) goto err_prepare_enable_clk; }
+ of_node_put(np); + spear_clockevent_init(irq); spear_clocksource_init();
@@ -253,4 +255,6 @@ void __init spear_setup_of_timer(void) clk_put(gpt_clk); err_iomap: iounmap(gpt_base); +err_put_np: + of_node_put(np); }
 
            From: Siddh Raman Pant code@siddh.me
[ Upstream commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c ]
ieee80211_scan_rx() tries to access scan_req->flags after a null check, but a UAF is observed when the scan is completed and __ieee80211_scan_completed() executes, which then calls cfg80211_scan_done() leading to the freeing of scan_req.
Since scan_req is rcu_dereference()'d, prevent the racing in __ieee80211_scan_completed() by ensuring that from mac80211's POV it is no longer accessed from an RCU read critical section before we call cfg80211_scan_done().
Cc: stable@vger.kernel.org Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com Suggested-by: Johannes Berg johannes@sipsolutions.net Signed-off-by: Siddh Raman Pant code@siddh.me Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/scan.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 701adcb9262e..a73c362a0182 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -385,10 +385,6 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted) scan_req = rcu_dereference_protected(local->scan_req, lockdep_is_held(&local->mtx));
- if (scan_req != local->int_scan_req) { - local->scan_info.aborted = aborted; - cfg80211_scan_done(scan_req, &local->scan_info); - } RCU_INIT_POINTER(local->scan_req, NULL);
scan_sdata = rcu_dereference_protected(local->scan_sdata, @@ -398,6 +394,13 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted) local->scanning = 0; local->scan_chandef.chan = NULL;
+ synchronize_rcu(); + + if (scan_req != local->int_scan_req) { + local->scan_info.aborted = aborted; + cfg80211_scan_done(scan_req, &local->scan_info); + } + /* Set power back to normal operating levels. */ ieee80211_hw_config(local, 0);
 
            From: Alan Stern stern@rowland.harvard.edu
commit 766a96dc558385be735a370db867e302c8f22153 upstream.
A recent commit added an invalid RST expression to a kerneldoc comment in hub.c. The fix is trivial.
Fixes: 9c6d778800b9 ("USB: core: Prevent nested device-reset calls") Cc: stable@vger.kernel.org Reported-by: Stephen Rothwell sfr@canb.auug.org.au Reviewed-by: Bagas Sanjaya bagasdotme@gmail.com Signed-off-by: Alan Stern stern@rowland.harvard.edu Link: https://lore.kernel.org/r/YxDDcsLtRZ7c20pq@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/core/hub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5702,7 +5702,7 @@ re_enumerate_no_bos: * * Return: The same as for usb_reset_and_verify_device(). * However, if a reset is already in progress (for instance, if a - * driver doesn't have pre_ or post_reset() callbacks, and while + * driver doesn't have pre_reset() or post_reset() callbacks, and while * being unbound or re-bound during the ongoing reset its disconnect() * or probe() routine tries to perform a second, nested reset), the * routine returns -EINPROGRESS.
 
            From: Mohan Kumar mkumard@nvidia.com
commit 3c4d8c24fb6c44f426e447b04800b0ed61a7b5ae upstream.
Reduce the suspend time by setting depop delay to 10ms for tegra.
Signed-off-by: Mohan Kumar mkumard@nvidia.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220913053641.23299-1-mkumard@nvidia.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- sound/pci/hda/patch_hdmi.c | 1 + 1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -3247,6 +3247,7 @@ static int patch_tegra_hdmi(struct hda_c if (err) return err;
+ codec->depop_delay = 10; codec->patch_ops.build_pcms = tegra_hdmi_build_pcms; spec = codec->spec; spec->chmap.ops.chmap_cea_alloc_validate_get_type =
 
            From: Kai Vehmanen kai.vehmanen@linux.intel.com
commit 4d40ceef4745536289012670103c59264e0fb3ec upstream.
Handle 0x3b57 variant with same AZX_DCAPS_INTEL_PCH_NOPM capabilities as 0x3b56. In practise this allow use of HDMI/DP display audio via i915.
BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/2751 Signed-off-by: Kai Vehmanen kai.vehmanen@linux.intel.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220912183716.2126312-1-kai.vehmanen@linux.intel.... Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- sound/pci/hda/hda_intel.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -2316,6 +2316,8 @@ static const struct pci_device_id azx_id /* 5 Series/3400 */ { PCI_DEVICE(0x8086, 0x3b56), .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_NOPM }, + { PCI_DEVICE(0x8086, 0x3b57), + .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_NOPM }, /* Poulsbo */ { PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE },
 
            From: Chao Yu chao.yu@oppo.com
commit 7e9c323c52b379d261a72dc7bd38120a761a93cd upstream.
In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to out-of-memory, if it fails, return errno correctly rather than triggering panic via BUG_ON();
kernel BUG at mm/slub.c:5893! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Call trace: sysfs_slab_add+0x258/0x260 mm/slub.c:5973 __kmem_cache_create+0x60/0x118 mm/slub.c:4899 create_cache mm/slab_common.c:229 [inline] kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335 kmem_cache_create+0x1c/0x28 mm/slab_common.c:390 f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline] f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808 f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149 mount_bdev+0x1b8/0x210 fs/super.c:1400 f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512 legacy_get_tree+0x30/0x74 fs/fs_context.c:610 vfs_get_tree+0x40/0x140 fs/super.c:1530 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040 path_mount+0x358/0x914 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
Cc: stable@kernel.org Fixes: 81819f0fc8285 ("SLUB core") Reported-by: syzbot+81684812ea68216e08c5@syzkaller.appspotmail.com Reviewed-by: Muchun Song songmuchun@bytedance.com Reviewed-by: Hyeonggon Yoo 42.hyeyoo@gmail.com Signed-off-by: Chao Yu chao.yu@oppo.com Acked-by: David Rientjes rientjes@google.com Signed-off-by: Vlastimil Babka vbabka@suse.cz Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- mm/slub.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/mm/slub.c +++ b/mm/slub.c @@ -5601,7 +5601,8 @@ static char *create_unique_id(struct kme char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL); char *p = name;
- BUG_ON(!name); + if (!name) + return ERR_PTR(-ENOMEM);
*p++ = ':'; /* @@ -5649,6 +5650,8 @@ static int sysfs_slab_add(struct kmem_ca * for the symlinks. */ name = create_unique_id(s); + if (IS_ERR(name)) + return PTR_ERR(name); }
s->kobj.kset = cache_kset(s);
 
            From: Igor Ryzhov iryzhov@nfware.com
[ Upstream commit 39aebedeaaa95757f5c1f2ddb5f43fdddbf478ca ]
ct_sip_next_header and ct_sip_get_header return an absolute value of matchoff, not a shift from current dataoff. So dataoff should be assigned matchoff, not incremented by it.
This issue can be seen in the scenario when there are multiple Contact headers and the first one is using a hostname and other headers use IP addresses. In this case, ct_sip_walk_headers will work as follows:
The first ct_sip_get_header call to will find the first Contact header but will return -1 as the header uses a hostname. But matchoff will be changed to the offset of this header. After that, dataoff should be set to matchoff, so that the next ct_sip_get_header call find the next Contact header. But instead of assigning dataoff to matchoff, it is incremented by it, which is not correct, as matchoff is an absolute value of the offset. So on the next call to the ct_sip_get_header, dataoff will be incorrect, and the next Contact header may not be found at all.
Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper") Signed-off-by: Igor Ryzhov iryzhov@nfware.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Sasha Levin sashal@kernel.org --- net/netfilter/nf_conntrack_sip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 3a8dc39a9116..7dc23df7b4e3 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -471,7 +471,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, return ret; if (ret == 0) break; - dataoff += *matchoff; + dataoff = *matchoff; } *in_header = 0; } @@ -483,7 +483,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr, break; if (ret == 0) return ret; - dataoff += *matchoff; + dataoff = *matchoff; }
if (in_header)
 
            From: David Leadbeater dgl@dgl.cx
[ Upstream commit e8d5dfd1d8747b56077d02664a8838c71ced948e ]
CTCP messages should only be at the start of an IRC message, not anywhere within it.
While the helper only decodes packes in the ORIGINAL direction, its possible to make a client send a CTCP message back by empedding one into a PING request. As-is, thats enough to make the helper believe that it saw a CTCP message.
Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") Signed-off-by: David Leadbeater dgl@dgl.cx Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Sasha Levin sashal@kernel.org --- net/netfilter/nf_conntrack_irc.c | 34 ++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index c6a8bdc3a226..5d630288f86c 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -150,15 +150,37 @@ static int help(struct sk_buff *skb, unsigned int protoff, data = ib_ptr; data_limit = ib_ptr + skb->len - dataoff;
- /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 - * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ - while (data < data_limit - (19 + MINMATCHLEN)) { - if (memcmp(data, "\1DCC ", 5)) { + /* Skip any whitespace */ + while (data < data_limit - 10) { + if (*data == ' ' || *data == '\r' || *data == '\n') + data++; + else + break; + } + + /* strlen("PRIVMSG x ")=10 */ + if (data < data_limit - 10) { + if (strncasecmp("PRIVMSG ", data, 8)) + goto out; + data += 8; + } + + /* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26 + * 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26 + */ + while (data < data_limit - (21 + MINMATCHLEN)) { + /* Find first " :", the start of message */ + if (memcmp(data, " :", 2)) { data++; continue; } + data += 2; + + /* then check that place only for the DCC command */ + if (memcmp(data, "\1DCC ", 5)) + goto out; data += 5; - /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */ + /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */
iph = ip_hdr(skb); pr_debug("DCC found in master %pI4:%u %pI4:%u\n", @@ -174,7 +196,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, pr_debug("DCC %s detected\n", dccprotos[i]);
/* we have at least - * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid + * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid * data left (== 14/13 bytes) */ if (parse_dcc(data, data_limit, &dcc_ip, &dcc_port, &addr_beg_p, &addr_end_p)) {
 
            From: Lu Wei luwei32@huawei.com
[ Upstream commit 81225b2ea161af48e093f58e8dfee6d705b16af4 ]
If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following:
================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers()
2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()
In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs.
This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug.
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Lu Wei luwei32@huawei.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ipvlan/ipvlan_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index 6c0982a39486..7668584c3843 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -441,7 +441,6 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
static int ipvlan_process_outbound(struct sk_buff *skb) { - struct ethhdr *ethh = eth_hdr(skb); int ret = NET_XMIT_DROP;
/* The ipvlan is a pseudo-L2 device, so the packets that we receive @@ -451,6 +450,8 @@ static int ipvlan_process_outbound(struct sk_buff *skb) if (skb_mac_header_was_set(skb)) { /* In this mode we dont care about * multicast and broadcast traffic */ + struct ethhdr *ethh = eth_hdr(skb); + if (is_multicast_ether_addr(ethh->h_dest)) { pr_debug_ratelimited( "Dropped {multi|broad}cast of type=[%x]\n", @@ -520,7 +521,7 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) { const struct ipvl_dev *ipvlan = netdev_priv(dev); - struct ethhdr *eth = eth_hdr(skb); + struct ethhdr *eth = skb_eth_hdr(skb); struct ipvl_addr *addr; void *lyr3h; int addr_type; @@ -544,6 +545,7 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) return dev_forward_skb(ipvlan->phy_dev, skb);
} else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); ipvlan_skb_crossing_ns(skb, NULL); ipvlan_multicast_enqueue(ipvlan->port, skb); return NET_XMIT_SUCCESS;
 
            From: Benjamin Poirier bpoirier@nvidia.com
[ Upstream commit bd60234222b2fd5573526da7bcd422801f271f5f ]
Netdev drivers are expected to call dev_{uc,mc}_sync() in their ndo_set_rx_mode method and dev_{uc,mc}_unsync() in their ndo_stop method. This is mentioned in the kerneldoc for those dev_* functions.
The team driver calls dev_{uc,mc}_unsync() during ndo_uninit instead of ndo_stop. This is ineffective because address lists (dev->{uc,mc}) have already been emptied in unregister_netdevice_many() before ndo_uninit is called. This mistake can result in addresses being leftover on former team ports after a team device has been deleted; see test_LAG_cleanup() in the last patch in this series.
Add unsync calls at their expected location, team_close().
v3: * When adding or deleting a port, only sync/unsync addresses if the team device is up. In other cases, it is taken care of at the right time by ndo_open/ndo_set_rx_mode/ndo_stop.
Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") Signed-off-by: Benjamin Poirier bpoirier@nvidia.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/team/team.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c index 001dea7aaba3..657e12e0b5e2 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -1280,10 +1280,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev) } }
- netif_addr_lock_bh(dev); - dev_uc_sync_multiple(port_dev, dev); - dev_mc_sync_multiple(port_dev, dev); - netif_addr_unlock_bh(dev); + if (dev->flags & IFF_UP) { + netif_addr_lock_bh(dev); + dev_uc_sync_multiple(port_dev, dev); + dev_mc_sync_multiple(port_dev, dev); + netif_addr_unlock_bh(dev); + }
port->index = -1; list_add_tail_rcu(&port->list, &team->port_list); @@ -1354,8 +1356,10 @@ static int team_port_del(struct team *team, struct net_device *port_dev) netdev_rx_handler_unregister(port_dev); team_port_disable_netpoll(port); vlan_vids_del_by_dev(port_dev, dev); - dev_uc_unsync(port_dev, dev); - dev_mc_unsync(port_dev, dev); + if (dev->flags & IFF_UP) { + dev_uc_unsync(port_dev, dev); + dev_mc_unsync(port_dev, dev); + } dev_close(port_dev); team_port_leave(team, port);
@@ -1703,6 +1707,14 @@ static int team_open(struct net_device *dev)
static int team_close(struct net_device *dev) { + struct team *team = netdev_priv(dev); + struct team_port *port; + + list_for_each_entry(port, &team->port_list, list) { + dev_uc_unsync(port->dev, dev); + dev_mc_unsync(port->dev, dev); + } + return 0; }
 
            From: Randy Dunlap rdunlap@infradead.org
[ Upstream commit 502550123bee6a2ffa438409b5b9aad4d6db3a8c ]
The lantiq WDT driver uses clk_get_io(), which is not exported, so export it to fix a build error:
ERROR: modpost: "clk_get_io" [drivers/watchdog/lantiq_wdt.ko] undefined!
Fixes: 287e3f3f4e68 ("MIPS: lantiq: implement support for clkdev api") Signed-off-by: Randy Dunlap rdunlap@infradead.org Reported-by: kernel test robot lkp@intel.com Cc: Thomas Bogendoerfer tsbogend@alpha.franken.de Cc: John Crispin john@phrozen.org Cc: linux-mips@vger.kernel.org Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/clk.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c index d1de57b86683..e0835a743e41 100644 --- a/arch/mips/lantiq/clk.c +++ b/arch/mips/lantiq/clk.c @@ -52,6 +52,7 @@ struct clk *clk_get_io(void) { return &cpu_clk_generic[2]; } +EXPORT_SYMBOL_GPL(clk_get_io);
struct clk *clk_get_ppe(void) {
 
            From: Marc Kleine-Budde mkl@pengutronix.de
[ Upstream commit 5440428b3da65408dba0241985acb7a05258b85e ]
The dev->can.state is set to CAN_STATE_ERROR_ACTIVE, after the device has been started. On busy networks the CAN controller might receive CAN frame between and go into an error state before the dev->can.state is assigned.
Assign dev->can.state before starting the controller to close the race window.
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Link: https://lore.kernel.org/all/20220920195216.232481-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/usb/gs_usb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index e3dc59fffdb7..8472667ffe71 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -687,6 +687,7 @@ static int gs_can_open(struct net_device *netdev) flags |= GS_CAN_MODE_TRIPLE_SAMPLE;
/* finally start device */ + dev->can.state = CAN_STATE_ERROR_ACTIVE; dm->mode = cpu_to_le32(GS_CAN_MODE_START); dm->flags = cpu_to_le32(flags); rc = usb_control_msg(interface_to_usbdev(dev->iface), @@ -703,13 +704,12 @@ static int gs_can_open(struct net_device *netdev) if (rc < 0) { netdev_err(netdev, "Couldn't start device (err=%d)\n", rc); kfree(dm); + dev->can.state = CAN_STATE_STOPPED; return rc; }
kfree(dm);
- dev->can.state = CAN_STATE_ERROR_ACTIVE; - parent->active_channels++; if (!(dev->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)) netif_start_queue(netdev);
 
            From: Adrian Hunter adrian.hunter@intel.com
[ Upstream commit 5b427df27b94aec1312cace48a746782a0925c53 ]
/proc/kallsyms and /proc/modules are compared before and after the copy in order to ensure no changes during the copy.
However /proc/modules also might change due to reference counts changing even though that does not make any difference.
Any modules loaded or unloaded should be visible in changes to kallsyms, so it is not necessary to check /proc/modules also anyway.
Remove the comparison checking that /proc/modules is unchanged.
Fixes: fc1b691d7651d949 ("perf buildid-cache: Add ability to add kcore to the cache") Reported-by: Daniel Dao dqminh@cloudflare.com Signed-off-by: Adrian Hunter adrian.hunter@intel.com Tested-by: Daniel Dao dqminh@cloudflare.com Acked-by: Namhyung Kim namhyung@kernel.org Cc: Ian Rogers irogers@google.com Cc: Jiri Olsa jolsa@kernel.org Link: https://lore.kernel.org/r/20220914122429.8770-1-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- tools/perf/util/symbol-elf.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c index e155783c601a..0a7e1543ce8f 100644 --- a/tools/perf/util/symbol-elf.c +++ b/tools/perf/util/symbol-elf.c @@ -1694,8 +1694,8 @@ static int kcore_copy__compare_file(const char *from_dir, const char *to_dir, * unusual. One significant peculiarity is that the mapping (start -> pgoff) * is not the same for the kernel map and the modules map. That happens because * the data is copied adjacently whereas the original kcore has gaps. Finally, - * kallsyms and modules files are compared with their copies to check that - * modules have not been loaded or unloaded while the copies were taking place. + * kallsyms file is compared with its copy to check that modules have not been + * loaded or unloaded while the copies were taking place. * * Return: %0 on success, %-1 on failure. */ @@ -1758,9 +1758,6 @@ int kcore_copy(const char *from_dir, const char *to_dir) kci.modules_map.len)) goto out_extract_close;
- if (kcore_copy__compare_file(from_dir, to_dir, "modules")) - goto out_extract_close; - if (kcore_copy__compare_file(from_dir, to_dir, "kallsyms")) goto out_extract_close;
 
            From: Sean Anderson seanga2@gmail.com
[ Upstream commit 878e2405710aacfeeb19364c300f38b7a9abfe8f ]
There is a separate receive path for small packets (under 256 bytes). Instead of allocating a new dma-capable skb to be used for the next packet, this path allocates a skb and copies the data into it (reusing the existing sbk for the next packet). There are two bytes of junk data at the beginning of every packet. I believe these are inserted in order to allow aligned DMA and IP headers. We skip over them using skb_reserve. Before copying over the data, we must use a barrier to ensure we see the whole packet. The current code only synchronizes len bytes, starting from the beginning of the packet, including the junk bytes. However, this leaves off the final two bytes in the packet. Synchronize the whole packet.
To reproduce this problem, ping a HME with a payload size between 17 and 214
$ ping -s 17 <hme_address>
which will complain rather loudly about the data mismatch. Small packets (below 60 bytes on the wire) do not have this issue. I suspect this is related to the padding added to increase the minimum packet size.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Sean Anderson seanga2@gmail.com Reviewed-by: Andrew Lunn andrew@lunn.ch Link: https://lore.kernel.org/r/20220920235018.1675956-1-seanga2@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/sun/sunhme.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c index b38106a7cb5d..b421a1d44783 100644 --- a/drivers/net/ethernet/sun/sunhme.c +++ b/drivers/net/ethernet/sun/sunhme.c @@ -2064,9 +2064,9 @@ static void happy_meal_rx(struct happy_meal *hp, struct net_device *dev)
skb_reserve(copy_skb, 2); skb_put(copy_skb, len); - dma_sync_single_for_cpu(hp->dma_dev, dma_addr, len, DMA_FROM_DEVICE); + dma_sync_single_for_cpu(hp->dma_dev, dma_addr, len + 2, DMA_FROM_DEVICE); skb_copy_from_linear_data(skb, copy_skb->data, len); - dma_sync_single_for_device(hp->dma_dev, dma_addr, len, DMA_FROM_DEVICE); + dma_sync_single_for_device(hp->dma_dev, dma_addr, len + 2, DMA_FROM_DEVICE); /* Reuse original ring buffer. */ hme_write_rxd(hp, this, (RXFLAG_OWN|((RX_BUF_ALLOC_SIZE-RX_OFFSET)<<16)),
 
            From: Ilpo Järvinen ilpo.jarvinen@linux.intel.com
commit e77cab77f2cb3a1ca2ba8df4af45bb35617ac16d upstream.
A very common pattern in the drivers is to advance xmit tail index and do bookkeeping of Tx'ed characters. Create uart_xmit_advance() to handle it.
Reviewed-by: Andy Shevchenko andy.shevchenko@gmail.com Cc: stable stable@kernel.org Signed-off-by: Ilpo Järvinen ilpo.jarvinen@linux.intel.com Link: https://lore.kernel.org/r/20220901143934.8850-2-ilpo.jarvinen@linux.intel.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- include/linux/serial_core.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
--- a/include/linux/serial_core.h +++ b/include/linux/serial_core.h @@ -294,6 +294,23 @@ struct uart_state { /* number of characters left in xmit buffer before we ask for more */ #define WAKEUP_CHARS 256
+/** + * uart_xmit_advance - Advance xmit buffer and account Tx'ed chars + * @up: uart_port structure describing the port + * @chars: number of characters sent + * + * This function advances the tail of circular xmit buffer by the number of + * @chars transmitted and handles accounting of transmitted bytes (into + * @up's icount.tx). + */ +static inline void uart_xmit_advance(struct uart_port *up, unsigned int chars) +{ + struct circ_buf *xmit = &up->state->xmit; + + xmit->tail = (xmit->tail + chars) & (UART_XMIT_SIZE - 1); + up->icount.tx += chars; +} + struct module; struct tty_driver;
 
            From: Ilpo Järvinen ilpo.jarvinen@linux.intel.com
commit 754f68044c7dd6c52534ba3e0f664830285c4b15 upstream.
DMA complete & stop paths did not correctly account Tx'ed characters into icount.tx. Using uart_xmit_advance() fixes the problem.
Fixes: e9ea096dd225 ("serial: tegra: add serial driver") Cc: stable@vger.kernel.org # serial: Create uart_xmit_advance() Reviewed-by: Andy Shevchenko andy.shevchenko@gmail.com Signed-off-by: Ilpo Järvinen ilpo.jarvinen@linux.intel.com Link: https://lore.kernel.org/r/20220901143934.8850-3-ilpo.jarvinen@linux.intel.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/tty/serial/serial-tegra.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/tty/serial/serial-tegra.c +++ b/drivers/tty/serial/serial-tegra.c @@ -409,7 +409,7 @@ static void tegra_uart_tx_dma_complete(v count = tup->tx_bytes_requested - state.residue; async_tx_ack(tup->tx_dma_desc); spin_lock_irqsave(&tup->uport.lock, flags); - xmit->tail = (xmit->tail + count) & (UART_XMIT_SIZE - 1); + uart_xmit_advance(&tup->uport, count); tup->tx_in_progress = 0; if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) uart_write_wakeup(&tup->uport); @@ -493,7 +493,6 @@ static unsigned int tegra_uart_tx_empty( static void tegra_uart_stop_tx(struct uart_port *u) { struct tegra_uart_port *tup = to_tegra_uport(u); - struct circ_buf *xmit = &tup->uport.state->xmit; struct dma_tx_state state; unsigned int count;
@@ -504,7 +503,7 @@ static void tegra_uart_stop_tx(struct ua dmaengine_tx_status(tup->tx_dma_chan, tup->tx_cookie, &state); count = tup->tx_bytes_requested - state.residue; async_tx_ack(tup->tx_dma_desc); - xmit->tail = (xmit->tail + count) & (UART_XMIT_SIZE - 1); + uart_xmit_advance(&tup->uport, count); tup->tx_in_progress = 0; }
 
            From: Stefan Haberland sth@linux.ibm.com
commit db7ba07108a48c0f95b74fabbfd5d63e924f992d upstream.
Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup pointer being NULL.
The pavgroup pointer is checked on the entrance of the function but without the lcu->lock being held. Therefore there is a race window between dasd_alias_get_start_dev() and _lcu_update() which sets pavgroup to NULL with the lcu->lock held.
Fix by checking the pavgroup pointer with lcu->lock held.
Cc: stable@vger.kernel.org # 2.6.25+ Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Signed-off-by: Stefan Haberland sth@linux.ibm.com Reviewed-by: Jan Hoeppner hoeppner@linux.ibm.com Link: https://lore.kernel.org/r/20220919154931.4123002-2-sth@linux.ibm.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/s390/block/dasd_alias.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/s390/block/dasd_alias.c +++ b/drivers/s390/block/dasd_alias.c @@ -674,12 +674,12 @@ int dasd_alias_remove_device(struct dasd struct dasd_device *dasd_alias_get_start_dev(struct dasd_device *base_device) { struct dasd_eckd_private *alias_priv, *private = base_device->private; - struct alias_pav_group *group = private->pavgroup; struct alias_lcu *lcu = private->lcu; struct dasd_device *alias_device; + struct alias_pav_group *group; unsigned long flags;
- if (!group || !lcu) + if (!lcu) return NULL; if (lcu->pav == NO_PAV || lcu->flags & (NEED_UAC_UPDATE | UPDATE_PENDING)) @@ -696,6 +696,11 @@ struct dasd_device *dasd_alias_get_start }
spin_lock_irqsave(&lcu->lock, flags); + group = private->pavgroup; + if (!group) { + spin_unlock_irqrestore(&lcu->lock, flags); + return NULL; + } alias_device = group->next; if (!alias_device) { if (list_empty(&group->aliaslist)) {
 
            From: Vitaly Kuznetsov vkuznets@redhat.com
[ Upstream commit f0880e2cb7e1f8039a048fdd01ce45ab77247221 ]
Passed through PCI device sometimes misbehave on Gen1 VMs when Hyper-V DRM driver is also loaded. Looking at IOMEM assignment, we can see e.g.
$ cat /proc/iomem ... f8000000-fffbffff : PCI Bus 0000:00 f8000000-fbffffff : 0000:00:08.0 f8000000-f8001fff : bb8c4f33-2ba2-4808-9f7f-02f3b4da22fe ... fe0000000-fffffffff : PCI Bus 0000:00 fe0000000-fe07fffff : bb8c4f33-2ba2-4808-9f7f-02f3b4da22fe fe0000000-fe07fffff : 2ba2:00:02.0 fe0000000-fe07fffff : mlx4_core
the interesting part is the 'f8000000' region as it is actually the VM's framebuffer:
$ lspci -v ... 0000:00:08.0 VGA compatible controller: Microsoft Corporation Hyper-V virtual VGA (prog-if 00 [VGA controller]) Flags: bus master, fast devsel, latency 0, IRQ 11 Memory at f8000000 (32-bit, non-prefetchable) [size=64M] ...
hv_vmbus: registering driver hyperv_drm hyperv_drm 5620e0c7-8062-4dce-aeb7-520c7ef76171: [drm] Synthvid Version major 3, minor 5 hyperv_drm 0000:00:08.0: vgaarb: deactivate vga console hyperv_drm 0000:00:08.0: BAR 0: can't reserve [mem 0xf8000000-0xfbffffff] hyperv_drm 5620e0c7-8062-4dce-aeb7-520c7ef76171: [drm] Cannot request framebuffer, boot fb still active?
Note: "Cannot request framebuffer" is not a fatal error in hyperv_setup_gen1() as the code assumes there's some other framebuffer device there but we actually have some other PCI device (mlx4 in this case) config space there!
The problem appears to be that vmbus_allocate_mmio() can use dedicated framebuffer region to serve any MMIO request from any device. The semantics one might assume of a parameter named "fb_overlap_ok" aren't implemented because !fb_overlap_ok essentially has no effect. The existing semantics are really "prefer_fb_overlap". This patch implements the expected and needed semantics, which is to not allocate from the frame buffer space when !fb_overlap_ok.
Note, Gen2 VMs are usually unaffected by the issue because framebuffer region is already taken by EFI fb (in case kernel supports it) but Gen1 VMs may have this region unclaimed by the time Hyper-V PCI pass-through driver tries allocating MMIO space if Hyper-V DRM/FB drivers load after it. Devices can be brought up in any sequence so let's resolve the issue by always ignoring 'fb_mmio' region for non-FB requests, even if the region is unclaimed.
Reviewed-by: Michael Kelley mikelley@microsoft.com Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com Link: https://lore.kernel.org/r/20220827130345.1320254-4-vkuznets@redhat.com Signed-off-by: Wei Liu wei.liu@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hv/vmbus_drv.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 3248aa7a35b3..cb3e22f10d68 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1186,7 +1186,7 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, bool fb_overlap_ok) { struct resource *iter, *shadow; - resource_size_t range_min, range_max, start; + resource_size_t range_min, range_max, start, end; const char *dev_n = dev_name(&device_obj->device); int retval;
@@ -1221,6 +1221,14 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, range_max = iter->end; start = (range_min + align - 1) & ~(align - 1); for (; start + size - 1 <= range_max; start += align) { + end = start + size - 1; + + /* Skip the whole fb_mmio region if not fb_overlap_ok */ + if (!fb_overlap_ok && fb_mmio && + (((start >= fb_mmio->start) && (start <= fb_mmio->end)) || + ((end >= fb_mmio->start) && (end <= fb_mmio->end)))) + continue; + shadow = __request_region(iter, start, size, NULL, IORESOURCE_BUSY); if (!shadow)
 
            From: Jan Kara jack@suse.cz
commit 613c5a85898d1cd44e68f28d65eccf64a8ace9cf upstream.
Currently the Orlov inode allocator searches for free inodes for a directory only in flex block groups with at most inodes_per_group/16 more directory inodes than average per flex block group. However with growing size of flex block group this becomes unnecessarily strict. Scale allowed difference from average directory count per flex block group with flex block group size as we do with other metrics.
Tested-by: Stefan Wahren stefan.wahren@i2se.com Tested-by: Ojaswin Mujoo ojaswin@linux.ibm.com Cc: stable@kernel.org Link: https://lore.kernel.org/all/0d81a7c2-46b7-6010-62a4-3e6cfc1628d6@i2se.com/ Signed-off-by: Jan Kara jack@suse.cz Link: https://lore.kernel.org/r/20220908092136.11770-3-jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/ext4/ialloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -511,7 +511,7 @@ static int find_group_orlov(struct super goto fallback; }
- max_dirs = ndirs / ngroups + inodes_per_group / 16; + max_dirs = ndirs / ngroups + inodes_per_group*flex_size / 16; min_inodes = avefreei - inodes_per_group*flex_size / 4; if (min_inodes < 1) min_inodes = 1;
 
            Hi!
This is the start of the stable review cycle for the 4.9.330 release. There are 30 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4...
Bunch of issues were detected during review, I sent those in separate emails.
Tested-by: Pavel Machek (CIP) pavel@denx.de
Best regards, Pavel
 
            On 9/26/22 04:11, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.9.330 release. There are 30 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 28 Sep 2022 10:07:26 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.330-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan skhan@linuxfoundation.org
thanks, -- Shuah
linux-stable-mirror@lists.linaro.org



