1. 02 Feb, 2023 24 commits
    • Zhihao Cheng's avatar
      ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed · 4d57a733
      Zhihao Cheng authored
      Following process will trigger an infinite loop in ubi_wl_put_peb():
      
      	ubifs_bgt		ubi_bgt
      ubifs_leb_unmap
        ubi_leb_unmap
          ubi_eba_unmap_leb
            ubi_wl_put_peb	wear_leveling_worker
                                e1 = rb_entry(rb_first(&ubi->used)
      			  e2 = get_peb_for_wl(ubi)
      			  ubi_io_read_vid_hdr  // return err (flash fault)
      			  out_error:
      			    ubi->move_from = ubi->move_to = NULL
      			    wl_entry_destroy(ubi, e1)
      			      ubi->lookuptbl[e->pnum] = NULL
            retry:
              e = ubi->lookuptbl[pnum];	// return NULL
      	if (e == ubi->move_from) {	// NULL == NULL gets true
      	  goto retry;			// infinite loop !!!
      
      $ top
        PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     COMMAND
        7676 root     20   0       0      0      0 R 100.0  0.0  ubifs_bgt0_0
      
      Fix it by:
       1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
          been removed from 'ubi->lookuptbl'.
       2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
          use-after-free problem for wl entry in ubi_wl_put_peb().
      
      Fetch a reproducer in [Link].
      
      Fixes: 43f9b25a ("UBI: bugfix: protect from volume removal")
      Fixes: ee59ba8b ("UBI: Fix stale pointers in ubi->lookuptbl")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4d57a733
    • Zhihao Cheng's avatar
      ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() · a240bc5c
      Zhihao Cheng authored
      Wear-leveling entry could be freed in error path, which may be accessed
      again in eraseblk_count_seq_show(), for example:
      
      __erase_worker                eraseblk_count_seq_show
                                      wl = ubi->lookuptbl[*block_number]
      				if (wl)
        wl_entry_destroy
          ubi->lookuptbl[e->pnum] = NULL
          kmem_cache_free(ubi_wl_entry_slab, e)
      		                   erase_count = wl->ec  // UAF!
      
      Wear-leveling entry updating/accessing in ubi->lookuptbl should be
      protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
      wl entry accessing between wl_entry_destroy() and
      eraseblk_count_seq_show().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
      Fixes: 7bccd12d ("ubi: Add debugfs file for tracking PEB state")
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      a240bc5c
    • Zhihao Cheng's avatar
      ubi: fastmap: Fix missed fm_anchor PEB in wear-leveling after disabling fastmap · 76f9476e
      Zhihao Cheng authored
      After disabling fastmap(ubi->fm_disabled = 1), fastmap won't be updated,
      fm_anchor PEB is missed being scheduled for erasing. Besides, fm_anchor
      PEB may have smallest erase count, it doesn't participate wear-leveling.
      The difference of erase count between fm_anchor PEB and other PEBs will
      be larger and larger later on.
      
      In which situation fastmap can be disabled? Initially, we have an UBI
      image with fastmap. Then the image will be atttached without module
      parameter 'fm_autoconvert', ubi turns to full scanning mode in one
      random attaching process(eg. bad fastmap caused by powercut), ubi
      fastmap is disabled since then.
      
      Fix it by not getting fm_anchor if fastmap is disabled in
      ubi_refill_pools().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216341
      Fixes: 4b68bf9a ("ubi: Select fastmap anchor PEBs considering ...")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      76f9476e
    • Zhihao Cheng's avatar
      ubifs: ubifs_releasepage: Remove ubifs_assert(0) to valid this process · 66f4742e
      Zhihao Cheng authored
      There are two states for ubifs writing pages:
      1. Dirty, Private
      2. Not Dirty, Not Private
      
      The normal process cannot go to ubifs_releasepage() which means there
      exists pages being private but not dirty. Reproducer[1] shows that it
      could occur (which maybe related to [2]) with following process:
      
           PA                     PB                    PC
      lock(page)[PA]
      ubifs_write_end
        attach_page_private         // set Private
        __set_page_dirty_nobuffers  // set Dirty
      unlock(page)
      
      write_cache_pages[PA]
        lock(page)
        clear_page_dirty_for_io(page)	// clear Dirty
        ubifs_writepage
      
                              do_truncation[PB]
      			  truncate_setsize
      			    i_size_write(inode, newsize) // newsize = 0
      
          i_size = i_size_read(inode)	// i_size = 0
          end_index = i_size >> PAGE_SHIFT
          if (page->index > end_index)
            goto out // jump
      out:
      unlock(page)   // Private, Not Dirty
      
      						generic_fadvise[PC]
      						  lock(page)
      						  invalidate_inode_page
      						    try_to_release_page
      						      ubifs_releasepage
      						        ubifs_assert(c, 0)
      		                                        // bad assertion!
      						  unlock(page)
      			  truncate_pagecache[PB]
      
      Then we may get following assertion failed:
        UBIFS error (ubi0:0 pid 1683): ubifs_assert_failed [ubifs]:
        UBIFS assert failed: 0, in fs/ubifs/file.c:1513
        UBIFS warning (ubi0:0 pid 1683): ubifs_ro_mode [ubifs]:
        switched to read-only mode, error -22
        CPU: 2 PID: 1683 Comm: aa Not tainted 5.16.0-rc5-00184-g0bca5994cacc-dirty #308
        Call Trace:
          dump_stack+0x13/0x1b
          ubifs_ro_mode+0x54/0x60 [ubifs]
          ubifs_assert_failed+0x4b/0x80 [ubifs]
          ubifs_releasepage+0x67/0x1d0 [ubifs]
          try_to_release_page+0x57/0xe0
          invalidate_inode_page+0xfb/0x130
          __invalidate_mapping_pages+0xb9/0x280
          invalidate_mapping_pagevec+0x12/0x20
          generic_fadvise+0x303/0x3c0
          ksys_fadvise64_64+0x4c/0xb0
      
      [1] https://bugzilla.kernel.org/show_bug.cgi?id=215373
      [2] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      66f4742e
    • Zhihao Cheng's avatar
      ubifs: ubifs_writepage: Mark page dirty after writing inode failed · fb8bc4c7
      Zhihao Cheng authored
      There are two states for ubifs writing pages:
      1. Dirty, Private
      2. Not Dirty, Not Private
      
      There is a third possibility which maybe related to [1] that page is
      private but not dirty caused by following process:
      
                PA
      lock(page)
      ubifs_write_end
        attach_page_private		// set Private
          __set_page_dirty_nobuffers	// set Dirty
      unlock(page)
      
      write_cache_pages
        lock(page)
        clear_page_dirty_for_io(page)	// clear Dirty
        ubifs_writepage
          write_inode
          // fail, goto out, following codes are not executed
          // do_writepage
          //   set_page_writeback 	// set Writeback
          //   detach_page_private	// clear Private
          //   end_page_writeback 	// clear Writeback
          out:
          unlock(page)		// Private, Not Dirty
      
                                             PB
      				ksys_fadvise64_64
      				  generic_fadvise
      				     invalidate_inode_page
      				     // page is neither Dirty nor Writeback
      				       invalidate_complete_page
      				       // page_has_private is true
      					 try_to_release_page
      					   ubifs_releasepage
      					     ubifs_assert(c, 0) !!!
      
      Then we may get following assertion failed:
        UBIFS error (ubi0:0 pid 1492): ubifs_assert_failed [ubifs]:
        UBIFS assert failed: 0, in fs/ubifs/file.c:1499
        UBIFS warning (ubi0:0 pid 1492): ubifs_ro_mode [ubifs]:
        switched to read-only mode, error -22
        CPU: 2 PID: 1492 Comm: aa Not tainted 5.16.0-rc2-00012-g7bb767dee0ba-dirty
        Call Trace:
          dump_stack+0x13/0x1b
          ubifs_ro_mode+0x54/0x60 [ubifs]
          ubifs_assert_failed+0x4b/0x80 [ubifs]
          ubifs_releasepage+0x7e/0x1e0 [ubifs]
          try_to_release_page+0x57/0xe0
          invalidate_inode_page+0xfb/0x130
          invalidate_mapping_pagevec+0x12/0x20
          generic_fadvise+0x303/0x3c0
          vfs_fadvise+0x35/0x40
          ksys_fadvise64_64+0x4c/0xb0
      
      Jump [2] to find a reproducer.
      
      [1] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
      [2] https://bugzilla.kernel.org/show_bug.cgi?id=215357
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      fb8bc4c7
    • Zhihao Cheng's avatar
      ubifs: dirty_cow_znode: Fix memleak in error handling path · 122deabf
      Zhihao Cheng authored
      Following process will cause a memleak for copied up znode:
      
      dirty_cow_znode
        zn = copy_znode(c, znode);
        err = insert_old_idx(c, zbr->lnum, zbr->offs);
        if (unlikely(err))
           return ERR_PTR(err);   // No one refers to zn.
      
      Fix it by adding copied znode back to tnc, then it will be freed
      by ubifs_destroy_tnc_subtree() while closing tnc.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216705
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      122deabf
    • Zhihao Cheng's avatar
      ubifs: Re-statistic cleaned znode count if commit failed · 944e096a
      Zhihao Cheng authored
      Dirty znodes will be written on flash in committing process with
      following states:
      
      	      process A			|  znode state
      ------------------------------------------------------
      do_commit				| DIRTY_ZNODE
        ubifs_tnc_start_commit		| DIRTY_ZNODE
         get_znodes_to_commit			| DIRTY_ZNODE | COW_ZNODE
          layout_commit			| DIRTY_ZNODE | COW_ZNODE
           fill_gap                           | 0
        write master				| 0 or OBSOLETE_ZNODE
      
      	      process B			|  znode state
      ------------------------------------------------------
      do_commit				| DIRTY_ZNODE[1]
        ubifs_tnc_start_commit		| DIRTY_ZNODE
         get_znodes_to_commit			| DIRTY_ZNODE | COW_ZNODE
        ubifs_tnc_end_commit			| DIRTY_ZNODE | COW_ZNODE
         write_index                          | 0
        write master				| 0 or OBSOLETE_ZNODE[2] or
      					| DIRTY_ZNODE[3]
      
      [1] znode is dirtied without concurrent committing process
      [2] znode is copied up (re-dirtied by other process) before cleaned
          up in committing process
      [3] znode is re-dirtied after cleaned up in committing process
      
      Currently, the clean znode count is updated in free_obsolete_znodes(),
      which is called only in normal path. If do_commit failed, clean znode
      count won't be updated, which triggers a failure ubifs assertion[4] in
      ubifs_tnc_close():
       ubifs_assert_failed [ubifs]: UBIFS assert failed: freed == n
      
      [4] Commit 380347e9 ("UBIFS: Add an assertion for clean_zn_cnt").
      
      Fix it by re-statisticing cleaned znode count in tnc_destroy_cnext().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216704
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      944e096a
    • ZhaoLong Wang's avatar
      ubi: Fix permission display of the debugfs files · 2de203d8
      ZhaoLong Wang authored
      Some interface files in debugfs support the read method
      dfs_file_read(), but their rwx permissions is shown as
      unreadable.
      
      In the user mode, the following problem can be clearly seen:
      
       # ls -l /sys/kernel/debug/ubi/ubi0/
       total 0
       --w------- 1 root root 0 Oct 22 16:26 chk_fastmap
       --w------- 1 root root 0 Oct 22 16:26 chk_gen
       --w------- 1 root root 0 Oct 22 16:26 chk_io
       -r-------- 1 root root 0 Oct 22 16:26 detailed_erase_block_info
       --w------- 1 root root 0 Oct 22 16:26 tst_disable_bgt
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_bitflips
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_io_failures
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_max
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_min
      
      It shows that these files do not have read permission 'r',
      but we can actually read their contents.
      
       # echo 1 > /sys/kernel/debug/ubi/ubi0/chk_io
       # cat /sys/kernel/debug/ubi/ubi0/chk_io
       1
      
      User's permission access is determined by capabilities.
      Of course, the root user is not restricted from reading
      these files.
      
      When reading a debugfs file, the process is as follows:
      
       ksys_read()
         vfs_read()
           if (file->f_op->read)
             file->f_op->read()
               full_proxy_open()
                 real_fops->read()
                   dfs_file_read() -- Read method of debugfs file.
           else if (file->f_op->read_iter)
             new_sync_read()
           else
             ret = -EINVAL -- Return -EINVAL if no read method.
      
      This indicates that the debugfs file can be read as long as the read
      method of the debugfs file is registered. This patch adds the read
      permission display for file that support the read method.
      Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      2de203d8
    • Yang Yingliang's avatar
      ubi: Fix possible null-ptr-deref in ubi_free_volume() · c15859bf
      Yang Yingliang authored
      It willl cause null-ptr-deref in the following case:
      
      uif_init()
        ubi_add_volume()
          cdev_add() -> if it fails, call kill_volumes()
          device_register()
      
      kill_volumes() -> if ubi_add_volume() fails call this function
        ubi_free_volume()
          cdev_del()
          device_unregister() -> trying to delete a not added device,
      			   it causes null-ptr-deref
      
      So in ubi_free_volume(), it delete devices whether they are added
      or not, it will causes null-ptr-deref.
      
      Handle the error case whlie calling ubi_add_volume() to fix this
      problem. If add volume fails, set the corresponding vol to null,
      so it can not be accessed in kill_volumes() and release the
      resource in ubi_add_volume() error path.
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Suggested-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c15859bf
    • ZhaoLong Wang's avatar
      ubi: fastmap: Add fastmap control support for module parameter · 7af73882
      ZhaoLong Wang authored
      The UBI driver can use the IOCTL to disable the fastmap after the
      mainline 669d2044 ("ubi: fastmap: Add fastmap control support
      for 'UBI_IOCATT' ioctl"). To destroy the fastmap on a old image,
      we need to reattach the device in user space.
      
      However, if the UBI driver build in kernel and the UBI volume is
      the root partition, the UBI device cannot be reattached in user
      space. To disable fastmap in this case, the UBI must provide the
      kernel cmdline parameters to disable fastmap during attach.
      
      This patch add 'enable_fm' as 5th module init parameter of mtd=xx to
      control fastmap enable or not. When the value is 0, fastmap will not
      create and existed fastmap will destroyed for the given ubi device.
      Default value is 0.
      
      To enable or disable fastmap during module loading, fm_autoconvert
      must be set to non-zero.
      
      +-----------------+---------------+---------------------------+
      |        \        |  enable_fm=0  |  enable_fm=1              |
      +-----------------+---------------+---------------------------+
      |fm_autoconvert=Y |  disable fm   |  enable fm                |
      +---------------------------------+---------------------------+
      |fm_autoconvert=N |  disable fm   | Enable fastmap if fastmap |
      |                 |               | exists on the old image   |
      +-------------------------------------------------------------+
      
      Example:
        # - Attach mtd1 to ubi1, disable fastmap, mtd2 to ubi2, enable
            fastmap.
        # modprobe ubi mtd=1,0,0,1,0 mtd=2,0,0,2,1 fm_autoconvert=1
      
        # - If 5th parameter is not specified, the value is 0, fastmap is
            disable
        # modprobe ubi mtd=1 fm_autoconvert=1
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216623Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      7af73882
    • Li Zetao's avatar
      ubifs: Fix memory leak in alloc_wbufs() · 4a1ff3c5
      Li Zetao authored
      kmemleak reported a sequence of memory leaks, and show them as following:
      
        unreferenced object 0xffff8881575f8400 (size 1024):
          comm "mount", pid 19625, jiffies 4297119604 (age 20.383s)
          hex dump (first 32 bytes):
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          backtrace:
            [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
            [<ffffffffa0406b2b>] ubifs_mount+0x307b/0x7170 [ubifs]
            [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
            [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
            [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
            [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
            [<ffffffff83c14295>] do_syscall_64+0x35/0x80
            [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
        unreferenced object 0xffff8881798a6e00 (size 512):
          comm "mount", pid 19677, jiffies 4297121912 (age 37.816s)
          hex dump (first 32 bytes):
            6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
            6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
          backtrace:
            [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
            [<ffffffffa0418342>] ubifs_wbuf_init+0x52/0x480 [ubifs]
            [<ffffffffa0406ca5>] ubifs_mount+0x31f5/0x7170 [ubifs]
            [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
            [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
            [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
            [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
            [<ffffffff83c14295>] do_syscall_64+0x35/0x80
            [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      The problem is that the ubifs_wbuf_init() returns an error in the
      loop which in the alloc_wbufs(), then the wbuf->buf and wbuf->inodes
      that were successfully alloced before are not freed.
      
      Fix it by adding error hanging path in alloc_wbufs() which frees
      the memory alloced before when ubifs_wbuf_init() returns an error.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4a1ff3c5
    • Li Zetao's avatar
      ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() · 1e591ea0
      Li Zetao authored
      There is a memory leaks problem reported by kmemleak:
      
      unreferenced object 0xffff888102007a00 (size 128):
        comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
        hex dump (first 32 bytes):
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
        backtrace:
      [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
      [<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
      [<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
      [<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
      [<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
      [<ffffffff83c142a5>] do_syscall_64+0x35/0x80
      [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      This is due to a mismatch between create and destroy interfaces, and
      in detail that "new_eba_tbl" created by ubi_eba_create_table() but
      destroyed by kfree(), while will causing "new_eba_tbl->entries" not
      freed.
      
      Fix it by replacing kfree(new_eba_tbl) with
      ubi_eba_destroy_table(new_eba_tbl)
      
      Fixes: 799dca34 ("UBI: hide EBA internals")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1e591ea0
    • Li Zetao's avatar
      ubi: Fix use-after-free when volume resizing failed · 9af31d6e
      Li Zetao authored
      There is an use-after-free problem reported by KASAN:
        ==================================================================
        BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
        Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735
      
        CPU: 2 PID: 4735 Comm: ubirsvol
        Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
        BIOS 1.14.0-1.fc33 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x34/0x44
         print_report+0x171/0x472
         kasan_report+0xad/0x130
         ubi_eba_copy_table+0x11f/0x1c0 [ubi]
         ubi_resize_volume+0x4f9/0xbc0 [ubi]
         ubi_cdev_ioctl+0x701/0x1850 [ubi]
         __x64_sys_ioctl+0x11d/0x170
         do_syscall_64+0x35/0x80
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
         </TASK>
      
      When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
      "new_eba_tbl" will be freed on error handing path, but it is holded
      by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
      of "vol->eba_tbl" and "vol" are different, so when resizing volume in
      next time, it causing an use-after-free fault.
      
      Fix it by not freeing "new_eba_tbl" after it replaced in
      ubi_eba_replace_table(), while will be freed in next volume resizing.
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      9af31d6e
    • Zhihao Cheng's avatar
      ubifs: Reserve one leb for each journal head while doing budget · e874dcde
      Zhihao Cheng authored
      UBIFS calculates available space by c->main_bytes - c->lst.total_used
      (which means non-index lebs' free and dirty space is accounted into
      total available), then index lebs and four lebs (one for gc_lnum, one
      for deletions, two for journal heads) are deducted.
      In following situation, ubifs may get -ENOSPC from make_reservation():
       LEB 84: DATAHD   free 122880 used 1920  dirty 2176  dark 6144
       LEB 110:DELETION free 126976 used 0     dirty 0     dark 6144 (empty)
       LEB 201:gc_lnum  free 126976 used 0     dirty 0     dark 6144
       LEB 272:GCHD     free 77824  used 47672 dirty 1480  dark 6144
       LEB 356:BASEHD   free 0      used 39776 dirty 87200 dark 6144
       OTHERS: index lebs, zero-available non-index lebs
      
      UBIFS calculates the available bytes is 6888 (How to calculate it:
      126976 * 5[remain main bytes] - 1920[used] - 47672[used] - 39776[used] -
      126976 * 1[deletions] - 126976 * 1[gc_lnum] - 126976 * 2[journal heads]
      - 6144 * 5[dark] = 6888) after doing budget, however UBIFS cannot use
      BASEHD's dirty space(87200), because UBIFS cannot find next BASEHD to
      reclaim current BASEHD. (c->bi.min_idx_lebs equals to c->lst.idx_lebs,
      the empty leb won't be found by ubifs_find_free_space(), and dirty index
      lebs won't be picked as gced lebs. All non-index lebs has dirty space
      less then c->dead_wm, non-index lebs won't be picked as gced lebs
      either. So new free lebs won't be produced.). See more details in Link.
      
      To fix it, reserve one leb for each journal head while doing budget.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216562
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      e874dcde
    • Zhihao Cheng's avatar
      ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 · 25fce616
      Zhihao Cheng authored
      If target inode is a special file (eg. block/char device) with nlink
      count greater than 1, the inode with ui->data will be re-written on
      disk. However, UBIFS losts target inode's data_len while doing space
      budget. Bad space budget may let make_reservation() return with -ENOSPC,
      which could turn ubifs to read-only mode in do_writepage() process.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216494
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      25fce616
    • Zhihao Cheng's avatar
      ubifs: Fix wrong dirty space budget for dirty inode · b248eaf0
      Zhihao Cheng authored
      Each dirty inode should reserve 'c->bi.inode_budget' bytes in space
      budget calculation. Currently, space budget for dirty inode reports
      more space than what UBIFS actually needs to write.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      b248eaf0
    • Zhihao Cheng's avatar
      ubifs: Add comments and debug info for ubifs_xrename() · c04cc68d
      Zhihao Cheng authored
      Just like other operations (eg. ubifs_create, do_rename), add comments
      and debug information for ubifs_xrename().
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c04cc68d
    • Zhihao Cheng's avatar
      ubifs: Rectify space budget for ubifs_xrename() · 1b2ba090
      Zhihao Cheng authored
      There is no space budget for ubifs_xrename(). It may let
      make_reservation() return with -ENOSPC, which could turn
      ubifs to read-only mode in do_writepage() process.
      Fix it by adding space budget for ubifs_xrename().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216569
      Fixes: 9ec64962 ("ubifs: Implement RENAME_EXCHANGE")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1b2ba090
    • Zhihao Cheng's avatar
      ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted · c2c36cc6
      Zhihao Cheng authored
      Fix bad space budget when symlink file is encrypted. Bad space budget
      may let make_reservation() return with -ENOSPC, which could turn ubifs
      to read-only mode in do_writepage() process.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490
      Fixes: ca7f85be ("ubifs: Add support for encrypted symlinks")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c2c36cc6
    • Mårten Lindahl's avatar
      ubi: block: Reduce warning print to info for static volumes · 6addbe91
      Mårten Lindahl authored
      If volume size is not multiple of the sector size 512 a warning is
      printed saying that the last non-sector aligned bytes will be ignored.
      
      This should be valid for resizable volumes, but when creating static
      volumes which are read only this will always be printed even if the
      unaligned data is deliberate.
      
      The message is still valid but the severity should be lowered for static
      volumes.
      Signed-off-by: default avatarMårten Lindahl <marten.lindahl@axis.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      6addbe91
    • Liu Shixin's avatar
      ubifs: Fix memory leak in ubifs_sysfs_init() · 203a55f0
      Liu Shixin authored
      When insmod ubifs.ko, a kmemleak reported as below:
      
       unreferenced object 0xffff88817fb1a780 (size 8):
         comm "insmod", pid 25265, jiffies 4295239702 (age 100.130s)
         hex dump (first 8 bytes):
           75 62 69 66 73 00 ff ff                          ubifs...
         backtrace:
           [<ffffffff81b3fc4c>] slab_post_alloc_hook+0x9c/0x3c0
           [<ffffffff81b44bf3>] __kmalloc_track_caller+0x183/0x410
           [<ffffffff8198d3da>] kstrdup+0x3a/0x80
           [<ffffffff8198d486>] kstrdup_const+0x66/0x80
           [<ffffffff83989325>] kvasprintf_const+0x155/0x190
           [<ffffffff83bf55bb>] kobject_set_name_vargs+0x5b/0x150
           [<ffffffff83bf576b>] kobject_set_name+0xbb/0xf0
           [<ffffffff8100204c>] do_one_initcall+0x14c/0x5a0
           [<ffffffff8157e380>] do_init_module+0x1f0/0x660
           [<ffffffff815857be>] load_module+0x6d7e/0x7590
           [<ffffffff8158644f>] __do_sys_finit_module+0x19f/0x230
           [<ffffffff815866b3>] __x64_sys_finit_module+0x73/0xb0
           [<ffffffff88c98e85>] do_syscall_64+0x35/0x80
           [<ffffffff88e00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      When kset_register() failed, we should call kset_put to cleanup it.
      
      Fixes: 2e3cbf42 ("ubifs: Export filesystem error counters")
      Signed-off-by: default avatarLiu Shixin <liushixin2@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      203a55f0
    • Li Hua's avatar
      ubifs: Fix build errors as symbol undefined · aa6d148e
      Li Hua authored
      With CONFIG_UBIFS_FS_AUTHENTICATION not set, the compiler can assume that
      ubifs_node_check_hash() is never true and drops the call to ubifs_bad_hash().
      Is CONFIG_CC_OPTIMIZE_FOR_SIZE enabled this optimization does not happen anymore.
      
      So When CONFIG_UBIFS_FS and CONFIG_CC_OPTIMIZE_FOR_SIZE is enabled but
      CONFIG_UBIFS_FS_AUTHENTICATION is not set, the build errors is as followd:
          ERROR: modpost: "ubifs_bad_hash" [fs/ubifs/ubifs.ko] undefined!
      
      Fix it by add no-op ubifs_bad_hash() for the CONFIG_UBIFS_FS_AUTHENTICATION=n case.
      
      Fixes: 16a26b20 ("ubifs: authentication: Add hashes to index nodes")
      Signed-off-by: default avatarLi Hua <hucool.lihua@huawei.com>
      Reviewed-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      aa6d148e
    • George Kennedy's avatar
      ubi: ensure that VID header offset + VID header size <= alloc, size · 1b42b1a3
      George Kennedy authored
      Ensure that the VID header offset + VID header size does not exceed
      the allocated area to avoid slab OOB.
      
      BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
      BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
      BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
      Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555
      
      CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G        W
      6.0.0-1868 #1
      Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
      04/01/2014
      Call Trace:
        <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
        print_address_description mm/kasan/report.c:317 [inline]
        print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
        kasan_report+0xa7/0x11b mm/kasan/report.c:495
        crc32_body lib/crc32.c:111 [inline]
        crc32_le_generic lib/crc32.c:179 [inline]
        crc32_le_base+0x58c/0x626 lib/crc32.c:197
        ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
        create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
        create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
        ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
        ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
        ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
        ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:870 [inline]
        __se_sys_ioctl fs/ioctl.c:856 [inline]
        __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x63/0x0
      RIP: 0033:0x7f96d5cf753d
      Code:
      RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
      RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
      RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
      R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
        </TASK>
      
      Allocated by task 1555:
        kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
        kasan_set_track mm/kasan/common.c:45 [inline]
        set_alloc_info mm/kasan/common.c:437 [inline]
        ____kasan_kmalloc mm/kasan/common.c:516 [inline]
        __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
        kasan_kmalloc include/linux/kasan.h:234 [inline]
        __kmalloc+0x138/0x257 mm/slub.c:4429
        kmalloc include/linux/slab.h:605 [inline]
        ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
        create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
        create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
        ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
        ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
        ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
        ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:870 [inline]
        __se_sys_ioctl fs/ioctl.c:856 [inline]
        __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x63/0x0
      
      The buggy address belongs to the object at ffff88802bb36e00
        which belongs to the cache kmalloc-256 of size 256
      The buggy address is located 0 bytes to the right of
        256-byte region [ffff88802bb36e00, ffff88802bb36f00)
      
      The buggy address belongs to the physical page:
      page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
      index:0x0 pfn:0x2bb36
      head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
      flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                          ^
        ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarGeorge Kennedy <george.kennedy@oracle.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1b42b1a3
    • Yifei Liu's avatar
      jffs2: correct logic when creating a hole in jffs2_write_begin · 23892d38
      Yifei Liu authored
      Bug description and fix:
      
      1. Write data to a file, say all 1s from offset 0 to 16.
      
      2. Truncate the file to a smaller size, say 8 bytes.
      
      3. Write new bytes (say 2s) from an offset past the original size of the
      file, say at offset 20, for 4 bytes.  This is supposed to create a "hole"
      in the file, meaning that the bytes from offset 8 (where it was truncated
      above) up to the new write at offset 20, should all be 0s (zeros).
      
      4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount
      and remount) the f/s.
      
      5. Check the content of the file.  It is wrong.  The 1s that used to be
      between bytes 9 and 16, before the truncation, have REAPPEARED (they should
      be 0s).
      
      We wrote a script and helper C program to reproduce the bug
      (reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile).  We can
      make them available to anyone.
      
      The above example is shown when writing a small file within the same first
      page.  But the bug happens for larger files, as long as steps 1, 2, and 3
      above all happen within the same page.
      
      The problem was traced to the jffs2_write_begin code, where it goes into an
      'if' statement intended to handle writes past the current EOF (i.e., writes
      that may create a hole).  The code computes a 'pageofs' that is the floor
      of the write position (pos), aligned to the page size boundary.  In other
      words, 'pageofs' will never be larger than 'pos'.  The code then sets the
      internal jffs2_raw_inode->isize to the size of max(current inode size,
      pageofs) but that is wrong: the new file size should be the 'pos', which is
      larger than both the current inode size and pageofs.
      
      Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to
      the difference between the pageofs minus current inode size; instead it
      should be the current pos minus the current inode size.  Finally,
      inode->i_size was also set incorrectly.
      
      The patch below fixes this bug.  The bug was discovered using a new tool
      for finding f/s bugs using model checking, called MCFS (Model Checking File
      Systems).
      Signed-off-by: default avatarYifei Liu <yifeliu@cs.stonybrook.edu>
      Signed-off-by: default avatarErez Zadok <ezk@cs.stonybrook.edu>
      Signed-off-by: default avatarManish Adkar <madkar@cs.stonybrook.edu>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      23892d38
  2. 22 Jan, 2023 2 commits
    • Linus Torvalds's avatar
      Linux 6.2-rc5 · 2241ab53
      Linus Torvalds authored
      2241ab53
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux · 95f184d0
      Linus Torvalds authored
      Pull another io_uring fix from Jens Axboe:
       "Just a single fix for a regression that happened in this release due
        to a poll change. Normally I would've just deferred it to next week,
        but since the original fix got picked up by stable, I think it's
        better to just send this one off separately.
      
        The issue is around the poll race fix, and how it mistakenly also got
        applied to multishot polling. Those don't need the race fix, and we
        should not be doing any reissues for that case. Exhaustive test cases
        were written and committed to the liburing regression suite for the
        reported issue, and additions for similar issues"
      
      * tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux:
        io_uring/poll: don't reissue in case of poll race on multishot request
      95f184d0
  3. 21 Jan, 2023 9 commits
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · f6714402
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc and other subsystem driver fixes for
        6.2-rc5 to resolve a few reported issues. They include:
      
         - long time pending fastrpc fixes (should have gone into 6.1, my
           fault)
      
         - mei driver/bus fixes and new device ids
      
         - interconnect driver fixes for reported problems
      
         - vmci bugfix
      
         - w1 driver bugfixes for reported problems
      
        Almost all of these have been in linux-next with no reported problems,
        the rest have all passed 0-day bot testing in my tree and on the
        mailing lists where they have sat too long due to me taking a long
        time to catch up on my pending patch queue"
      
      * tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        VMCI: Use threaded irqs instead of tasklets
        misc: fastrpc: Pass bitfield into qcom_scm_assign_mem
        gsmi: fix null-deref in gsmi_get_variable
        misc: fastrpc: Fix use-after-free race condition for maps
        misc: fastrpc: Don't remove map on creater_process and device_release
        misc: fastrpc: Fix use-after-free and race in fastrpc_map_find
        misc: fastrpc: fix error code in fastrpc_req_mmap()
        mei: me: add meteor lake point M DID
        mei: bus: fix unlink on bus in error path
        w1: fix WARNING after calling w1_process()
        w1: fix deadloop in __w1_remove_master_device()
        comedi: adv_pci1760: Fix PWM instruction handling
        interconnect: qcom: rpm: Use _optional func for provider clocks
        interconnect: qcom: msm8996: Fix regmap max_register values
        interconnect: qcom: msm8996: Provide UFS clocks to A2NoC
        dt-bindings: interconnect: Add UFS clocks to MSM8996 A2NoC
      f6714402
    • Linus Torvalds's avatar
      Merge tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · c88a3114
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here are three small driver and kernel core fixes for 6.2-rc5. They
        include:
      
         - potential gadget fixup in do_prlimit
      
         - device property refcount leak fix
      
         - test_async_probe bugfix for reported problem"
      
      * tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        prlimit: do_prlimit needs to have a speculation check
        driver core: Fix test_async_probe_init saves device in wrong array
        device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()
      c88a3114
    • Linus Torvalds's avatar
      Merge tag 'staging-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · bb86d657
      Linus Torvalds authored
      Pull staging driver fix from Greg KH:
       "Here is a single staging driver fix for 6.2-rc5. It resolves a build
        issue reported and Fixed by Arnd in the vc04_services driver. It's
        been in linux-next this week with no reported problems"
      
      * tag 'staging-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: vchiq_arm: fix enum vchiq_status return types
      bb86d657
    • Linus Torvalds's avatar
      Merge tag 'tty-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · bd5cc6ee
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty and serial driver fixes for 6.2-rc5 that
        resolve a number of tiny reported issues and some new device ids. They
        include:
      
         - new device id for the exar serial driver
      
         - speakup tty driver bugfix
      
         - atmel serial driver baudrate fixup
      
         - stm32 serial driver bugfix and then revert as the bugfix broke the
           build. That will come back in a later pull request once it is all
           worked out properly.
      
         - amba-pl011 serial driver rs486 mode bugfix
      
         - qcom_geni serial driver bugfix
      
        Most of these have been in linux-next with no reported problems (well,
        other than the build breakage which generated the revert), the new
        device id passed 0-day testing"
      
      * tag 'tty-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: exar: Add support for Sealevel 7xxxC serial cards
        Revert "serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler"
        tty: serial: qcom_geni: avoid duplicate struct member init
        serial: atmel: fix incorrect baudrate setup
        tty: fix possible null-ptr-defer in spk_ttyio_release
        serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler
        serial: amba-pl011: fix high priority character transmission in rs486 mode
        serial: pch_uart: Pass correct sg to dma_unmap_sg()
        tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer
      bd5cc6ee
    • Linus Torvalds's avatar
      Merge tag 'usb-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · e67da288
      Linus Torvalds authored
      Pull USB / Thunderbolt fixes from Greg KH:
       "Here are a number of small USB and Thunderbolt driver fixes and new
        device id changes for 6.2-rc5. Included in here are:
      
         - thunderbolt bugfixes for reported problems
      
         - new usb-serial driver ids added
      
         - onboard_hub usb driver fixes for much-reported problems
      
         - xhci bugfixes
      
         - typec bugfixes
      
         - ehci-fsl driver module alias fix
      
         - iowarrior header size fix
      
         - usb gadget driver fixes
      
        All of these, except for the iowarrior fix, have been in linux-next
        with no reported issues. The iowarrior fix passed the 0-day testing
        and is a one digit change based on a reported problem in the driver
        (which was written to a spec, not the real device that is now
        available)"
      
      * tag 'usb-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (40 commits)
        USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100
        usb: host: ehci-fsl: Fix module alias
        usb: dwc3: fix extcon dependency
        usb: core: hub: disable autosuspend for TI TUSB8041
        USB: fix misleading usb_set_intfdata() kernel doc
        usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
        USB: gadget: Add ID numbers to configfs-gadget driver names
        usb: typec: tcpm: Fix altmode re-registration causes sysfs create fail
        usb: gadget: g_webcam: Send color matching descriptor per frame
        usb: typec: altmodes/displayport: Use proper macro for pin assignment check
        usb: typec: altmodes/displayport: Fix pin assignment calculation
        usb: typec: altmodes/displayport: Add pin assignment helper
        usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
        usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
        usb: misc: onboard_hub: Move 'attach' work to the driver
        usb: misc: onboard_hub: Invert driver registration order
        usb: ucsi: Ensure connector delayed work items are flushed
        usb: musb: fix error return code in omap2430_probe()
        usb: chipidea: core: fix possible constant 0 if use IS_ERR(ci->role_switch)
        xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables
        ...
      e67da288
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.2-3' of... · 83cd5fd0
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Hide LDFLAGS_vmlinux from decompressor Makefiles to fix error
         messages when GNU Make 4.4 is used.
      
       - Fix 'make modules' build error when CONFIG_DEBUG_INFO_BTF_MODULES=y.
      
       - Fix warnings emitted by GNU Make 4.4 in scripts/kconfig/Makefile.
      
       - Support GNU Make 4.4 for scripts/jobserver-exec.
      
       - Show clearer error message when kernel/gen_kheaders.sh fails due to
         missing cpio.
      
      * tag 'kbuild-fixes-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kheaders: explicitly validate existence of cpio command
        scripts: support GNU make 4.4 in jobserver-exec
        kconfig: Update all declared targets
        scripts: rpm: make clear that mkspec script contains 4.13 feature
        init/Kconfig: fix LOCALVERSION_AUTO help text
        kbuild: fix 'make modules' error when CONFIG_DEBUG_INFO_BTF_MODULES=y
        kbuild: export top-level LDFLAGS_vmlinux only to scripts/Makefile.vmlinux
        init/version-timestamp.c: remove unneeded #include <linux/version.h>
        docs: kbuild: remove mention to dropped $(objtree) feature
      83cd5fd0
    • Linus Torvalds's avatar
      ext4: deal with legacy signed xattr name hash values · f3bbac32
      Linus Torvalds authored
      We potentially have old hashes of the xattr names generated on systems
      with signed 'char' types.  Now that everybody uses '-funsigned-char',
      those hashes will no longer match.
      
      This only happens if you use xattrs names that have the high bit set,
      which probably doesn't happen in practice, but the xfstest generic/454
      shows it.
      
      Instead of adding a new "signed xattr hash filesystem" bit and having to
      deal with all the possible combinations, just calculate the hash both
      ways if the first one fails, and always generate new hashes with the
      proper unsigned char version.
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
      Link: https://lore.kernel.org/oe-lkp/202212291509.704a11c9-oliver.sang@intel.com
      Link: https://lore.kernel.org/all/CAHk-=whUNjwqZXa-MH9KMmc_CpQpoFKFjAB9ZKHuu=TbsouT4A@mail.gmail.com/
      Exposed-by: 3bc753c0 ("kbuild: treat char as always unsigned")
      Cc: Eric Biggers <ebiggers@kernel.org>
      Cc: Andreas Dilger <adilger@dilger.ca>
      Cc: Theodore Ts'o <tytso@mit.edu>,
      Cc: Jason Donenfeld <Jason@zx2c4.com>
      Cc: Masahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f3bbac32
    • Greg Kroah-Hartman's avatar
      prlimit: do_prlimit needs to have a speculation check · 73979060
      Greg Kroah-Hartman authored
      do_prlimit() adds the user-controlled resource value to a pointer that
      will subsequently be dereferenced.  In order to help prevent this
      codepath from being used as a spectre "gadget" a barrier needs to be
      added after checking the range.
      Reported-by: default avatarJordy Zomer <jordyzomer@google.com>
      Tested-by: default avatarJordy Zomer <jordyzomer@google.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73979060
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · f883675b
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a potential race condition and always set GPIOs used as interrupt
         source to input in gpio-mxc
      
       - fix a GPIO ACPI-related issue with system suspend on Clevo NL5xRU
      
      * tag 'gpio-fixes-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xRU
        gpiolib: acpi: Allow ignoring wake capability on pins that aren't in _AEI
        gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode
        gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock
      f883675b
  4. 20 Jan, 2023 5 commits
    • Linus Torvalds's avatar
      Merge tag '6.2-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 4e31bada
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
      
       - important fix for packet signature calculation error
      
       - three fixes to correct DFS deadlock, and DFS refresh problem
      
       - remove an unused DFS function, and duplicate tcon refresh code
      
       - DFS cache lookup fix
      
       - uninitialized rc fix
      
      * tag '6.2-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: remove unused function
        cifs: do not include page data when checking signature
        cifs: fix return of uninitialized rc in dfs_cache_update_tgthint()
        cifs: handle cache lookup errors different than -ENOENT
        cifs: remove duplicate code in __refresh_tcon()
        cifs: don't take exclusive lock for updating target hints
        cifs: avoid re-lookups in dfs_cache_find()
        cifs: fix potential deadlock in cache_refresh_path()
      4e31bada
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 8440ffcd
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
      
       - Compilation fix for Sunplus sp7021
      
       - Add some missing headers after a cleanup to the Nomadik driver
      
       - Fix pull type and mux routes on Rockchip RK3568
      
      * tag 'pinctrl-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: rockchip: fix mux route data for rk3568
        pinctrl: rockchip: fix reading pull type on rk3568
        pinctrl: nomadik: Add missing header(s)
        pinctrl: sp7021: fix unused function warning
      8440ffcd
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 8974efaa
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
      
       - Several hfi1 patches fixing some long standing driver bugs
      
       - Overflow when working with sg lists with elements greater than 4G
      
       - An rxe regression with object numbering after the mrs reach their
         limit
      
       - A theoretical problem with the scatterlist merging code
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        lib/scatterlist: Fix to calculate the last_pg properly
        IB/hfi1: Remove user expected buffer invalidate race
        IB/hfi1: Immediately remove invalid memory from hardware
        IB/hfi1: Fix expected receive setup error exit issues
        IB/hfi1: Reserve user expected TIDs
        IB/hfi1: Reject a zero-length user expected buffer
        RDMA/core: Fix ib block iterator counter overflow
        RDMA/rxe: Prevent faulty rkey generation
        RDMA/rxe: Fix inaccurate constants in rxe_type_info
      8974efaa
    • Jens Axboe's avatar
      io_uring/poll: don't reissue in case of poll race on multishot request · 8caa03f1
      Jens Axboe authored
      A previous commit fixed a poll race that can occur, but it's only
      applicable for multishot requests. For a multishot request, we can safely
      ignore a spurious wakeup, as we never leave the waitqueue to begin with.
      
      A blunt reissue of a multishot armed request can cause us to leak a
      buffer, if they are ring provided. While this seems like a bug in itself,
      it's not really defined behavior to reissue a multishot request directly.
      It's less efficient to do so as well, and not required to rearm anything
      like it is for singleshot poll requests.
      
      Cc: stable@vger.kernel.org
      Fixes: 6e5aedb9 ("io_uring/poll: attempt request issue after racy poll wakeup")
      Reported-and-tested-by: default avatarOlivier Langlois <olivier@trillion01.com>
      Link: https://github.com/axboe/liburing/issues/778Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      8caa03f1
    • Linus Torvalds's avatar
      Merge tag 'block-6.2-2023-01-20' of git://git.kernel.dk/linux · edc00350
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Various little tweaks all over the place:
      
         - NVMe pull request via Christoph:
             - fix controller shutdown regression in nvme-apple (Janne Grunau)
             - fix a polling on timeout regression in nvme-pci (Keith Busch)
      
         - Fix a bug in the read request side request allocation caching
           (Pavel)
      
         - pktcdvd was brought back after we configured a NULL return on bio
           splits, make it consistent with the others (me)
      
         - BFQ refcount fix (Yu)
      
         - Block cgroup policy activation fix (Yu)
      
         - Fix for an md regression introduced in the 6.2 cycle (Adrian)"
      
      * tag 'block-6.2-2023-01-20' of git://git.kernel.dk/linux:
        nvme-pci: fix timeout request state check
        nvme-apple: only reset the controller when RTKit is running
        nvme-apple: reset controller during shutdown
        block: fix hctx checks for batch allocation
        block/rnbd-clt: fix wrong max ID in ida_alloc_max
        blk-cgroup: fix missing pd_online_fn() while activating policy
        pktcdvd: check for NULL returna fter calling bio_split_to_limits()
        block, bfq: switch 'bfqg->ref' to use atomic refcount apis
        md: fix incorrect declaration about claim_rdev in md_import_device
      edc00350