-LINUX_VERSION-5.15 = .168
-LINUX_KERNEL_HASH-5.15.168 = cfbebbd57456827013b97689aa3cad1fbfbe864dd80b0ecf16bb29990b38e17a
+LINUX_VERSION-5.15 = .169
+LINUX_KERNEL_HASH-5.15.169 = e618c6d845fd1bc89477508e8d084bbe791fc88bf7623adee2deb6ecb2275370
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 20 Dec 2022 12:38:45 +0100
+Subject: udf: Allocate name buffer in directory iterator on heap
+
+commit 0aba4860b0d0216a1a300484ff536171894d49d8 upstream.
+
+Currently we allocate name buffer in directory iterators (struct
+udf_fileident_iter) on stack. These structures are relatively large
+(some 360 bytes on 64-bit architectures). For udf_rename() which needs
+to keep three of these structures in parallel the stack usage becomes
+rather heavy - 1536 bytes in total. Allocate the name buffer in the
+iterator from heap to avoid excessive stack usage.
+
+Link: https://lore.kernel.org/all/202212200558.lK9x1KW0-lkp@intel.com
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+[Add extra include linux/slab.h]
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ fs/udf/directory.c | 24 ++++++++++++++++--------
+ fs/udf/udfdecl.h | 2 +-
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+--- a/fs/udf/directory.c
++++ b/fs/udf/directory.c
+@@ -19,6 +19,7 @@
+ #include <linux/bio.h>
+ #include <linux/crc-itu-t.h>
+ #include <linux/iversion.h>
++#include <linux/slab.h>
+
+ static int udf_verify_fi(struct udf_fileident_iter *iter)
+ {
+@@ -248,9 +249,14 @@ int udf_fiiter_init(struct udf_fileident
+ iter->elen = 0;
+ iter->epos.bh = NULL;
+ iter->name = NULL;
++ iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL);
++ if (!iter->namebuf)
++ return -ENOMEM;
+
+- if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB)
+- return udf_copy_fi(iter);
++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++ err = udf_copy_fi(iter);
++ goto out;
++ }
+
+ if (inode_bmap(dir, iter->pos >> dir->i_blkbits, &iter->epos,
+ &iter->eloc, &iter->elen, &iter->loffset) !=
+@@ -260,17 +266,17 @@ int udf_fiiter_init(struct udf_fileident
+ udf_err(dir->i_sb,
+ "position %llu not allocated in directory (ino %lu)\n",
+ (unsigned long long)pos, dir->i_ino);
+- return -EFSCORRUPTED;
++ err = -EFSCORRUPTED;
++ goto out;
+ }
+ err = udf_fiiter_load_bhs(iter);
+ if (err < 0)
+- return err;
++ goto out;
+ err = udf_copy_fi(iter);
+- if (err < 0) {
++out:
++ if (err < 0)
+ udf_fiiter_release(iter);
+- return err;
+- }
+- return 0;
++ return err;
+ }
+
+ int udf_fiiter_advance(struct udf_fileident_iter *iter)
+@@ -307,6 +313,8 @@ void udf_fiiter_release(struct udf_filei
+ brelse(iter->bh[0]);
+ brelse(iter->bh[1]);
+ iter->bh[0] = iter->bh[1] = NULL;
++ kfree(iter->namebuf);
++ iter->namebuf = NULL;
+ }
+
+ static void udf_copy_to_bufs(void *buf1, int len1, void *buf2, int len2,
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -99,7 +99,7 @@ struct udf_fileident_iter {
+ struct extent_position epos; /* Position after the above extent */
+ struct fileIdentDesc fi; /* Copied directory entry */
+ uint8_t *name; /* Pointer to entry name */
+- uint8_t namebuf[UDF_NAME_LEN_CS0]; /* Storage for entry name in case
++ uint8_t *namebuf; /* Storage for entry name in case
+ * the name is split between two blocks
+ */
+ };
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 9 Feb 2023 10:33:09 +0100
+Subject: udf: Avoid directory type conversion failure due to ENOMEM
+
+commit df97f64dfa317a5485daf247b6c043a584ef95f9 upstream.
+
+When converting directory from in-ICB to normal format, the last
+iteration through the directory fixing up directory enteries can fail
+due to ENOMEM. We do not expect this iteration to fail since the
+directory is already verified to be correct and it is difficult to undo
+the conversion at this point. So just use GFP_NOFAIL to make sure the
+small allocation cannot fail.
+
+Reported-by: syzbot+111eaa994ff74f8d440f@syzkaller.appspotmail.com
+Fixes: 0aba4860b0d0 ("udf: Allocate name buffer in directory iterator on heap")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/directory.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/udf/directory.c
++++ b/fs/udf/directory.c
+@@ -249,9 +249,12 @@ int udf_fiiter_init(struct udf_fileident
+ iter->elen = 0;
+ iter->epos.bh = NULL;
+ iter->name = NULL;
+- iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL);
+- if (!iter->namebuf)
+- return -ENOMEM;
++ /*
++ * When directory is verified, we don't expect directory iteration to
++ * fail and it can be difficult to undo without corrupting filesystem.
++ * So just do not allow memory allocation failures here.
++ */
++ iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL | __GFP_NOFAIL);
+
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ err = udf_copy_fi(iter);
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
-@@ -2296,6 +2296,23 @@ struct btmtk_section_map {
+@@ -2301,6 +2301,23 @@ struct btmtk_section_map {
};
} __packed;
static void btusb_mtk_wmt_recv(struct urb *urb)
{
struct hci_dev *hdev = urb->context;
-@@ -3950,6 +3967,7 @@ static int btusb_probe(struct usb_interf
+@@ -3955,6 +3972,7 @@ static int btusb_probe(struct usb_interf
hdev->shutdown = btusb_mtk_shutdown;
hdev->manufacturer = 70;
hdev->cmd_timeout = btusb_mtk_cmd_timeout;
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
-@@ -2301,7 +2301,7 @@ static int btusb_set_bdaddr_mtk(struct h
+@@ -2306,7 +2306,7 @@ static int btusb_set_bdaddr_mtk(struct h
struct sk_buff *skb;
long ret;
#define QUECTEL_VENDOR_ID 0x2c7c
/* These Quectel products use Quectel's vendor ID */
-@@ -1158,6 +1163,11 @@ static const struct usb_device_id option
+@@ -1159,6 +1164,11 @@ static const struct usb_device_id option
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000), /* SIMCom SIM5218 */
.driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | NCTRL(3) | RSVD(4) },
/* Quectel products using Qualcomm vendor ID */
{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
-@@ -1199,6 +1209,11 @@ static const struct usb_device_id option
+@@ -1200,6 +1210,11 @@ static const struct usb_device_id option
.driver_info = ZLP },
{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96),
.driver_info = RSVD(4) },
projects / openwrt / openwrt.git / commitdiff