1. 12 Jul, 2024 16 commits
      ubi: block: fix null-pointer-dereference in ubiblock_create() · 4f9d406c
      Li Nan authored
      Similar to commit adbf4c49 ("ubi: block: fix memleak in
      ubiblock_create()"), 'dev->gd' is not assigned but dereferenced if
      blk_mq_alloc_tag_set() fails, leading to a null-pointer dereference.
      Fix it by using pr_err() and variable 'dev' to print the error log.
      
      Additionally, the log in the error handle path of idr_alloc() has
      been improved by using pr_err(), too. Before initializing device
      name, using dev_err() will print error log with 'null' instead of
      the actual device name, like this:
        block (null): ...
              ~~~~~~
      It is unclear. Using pr_err() can print more details of the device.
      The improved log is:
        ubiblock0_0: ...
      
      Fixes: 77567b25 ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk")
      Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: Li Nan <linan122@huawei.com>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Reviewed-by: Daniel Golle <daniel@makrotopia.org>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: fix kernel-doc warnings · 39986148
      Jeff Johnson authored
      make C=1 reports the following kernel-doc warnings:
      
      fs/ubifs/compress.c:103: warning: Function parameter or struct member 'c' not described in 'ubifs_compress'
      fs/ubifs/compress.c:155: warning: Function parameter or struct member 'c' not described in 'ubifs_decompress'
      fs/ubifs/find.c:353: warning: Excess function parameter 'data' description in 'scan_for_free_cb'
      fs/ubifs/find.c:353: warning: Function parameter or struct member 'arg' not described in 'scan_for_free_cb'
      fs/ubifs/find.c:594: warning: Excess function parameter 'data' description in 'scan_for_idx_cb'
      fs/ubifs/find.c:594: warning: Function parameter or struct member 'arg' not described in 'scan_for_idx_cb'
      fs/ubifs/find.c:786: warning: Excess function parameter 'data' description in 'scan_dirty_idx_cb'
      fs/ubifs/find.c:786: warning: Function parameter or struct member 'arg' not described in 'scan_dirty_idx_cb'
      fs/ubifs/find.c:86: warning: Excess function parameter 'data' description in 'scan_for_dirty_cb'
      fs/ubifs/find.c:86: warning: Function parameter or struct member 'arg' not described in 'scan_for_dirty_cb'
      fs/ubifs/journal.c:369: warning: expecting prototype for wake_up_reservation(). Prototype was for add_or_start_queue() instead
      fs/ubifs/lprops.c:1018: warning: Excess function parameter 'lst' description in 'scan_check_cb'
      fs/ubifs/lprops.c:1018: warning: Function parameter or struct member 'arg' not described in 'scan_check_cb'
      fs/ubifs/lpt.c:1938: warning: Function parameter or struct member 'ptr' not described in 'lpt_scan_node'
      fs/ubifs/replay.c:60: warning: Function parameter or struct member 'hash' not described in 'replay_entry'
      
      Fix them.
      Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: correct UBIFS_DFS_DIR_LEN macro definition and improve code clarity · 7037c96d
      ZhaoLong Wang authored
      The UBIFS_DFS_DIR_LEN macro, which defines the maximum length of the UBIFS
      debugfs directory name, has an incorrect formula and misleading comments.
      The current formula is (3 + 1 + 2*2 + 1), which assumes that both UBI device
      number and volume ID are limited to 2 characters. However, UBI device number
      ranges from 0 to 31 (2 characters), and volume ID ranges from 0 to 127 (up
      to 3 characters).
      
      Although the current code works due to the cancellation of mathematical
      errors (9 + 1 = 10, which matches the correct UBIFS_DFS_DIR_LEN value), it
      can lead to confusion and potential issues in the future.
      
      This patch aims to improve the code clarity and maintainability by making
      the following changes:
      
      1. Corrects the UBIFS_DFS_DIR_LEN macro definition to (3 + 1 + 2 + 3 + 1),
         accommodating the maximum lengths of both UBI device number and volume ID,
         plus the separators and null terminator.
      2. Updates the snprintf calls to use UBIFS_DFS_DIR_LEN instead of
         UBIFS_DFS_DIR_LEN + 1, removing the unnecessary +1.
      3. Modifies the error checks to compare against UBIFS_DFS_DIR_LEN using >=
         instead of >, aligning with the corrected macro definition.
      4. Removes the redundant +1 in the dfs_dir_name array definitions in ubi.h
         and debug.h.
      
      While these changes do not affect the runtime behavior, they make the code
      more readable, maintainable, and less prone to future errors.
      
      v2->v3:
      
       - Removes the duplicated UBIFS_DFS_DIR_LEN and UBIFS_DFS_DIR_NAME macro
         definitions in ubifs.h, as they are already defined in debug.h.
      Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
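An added example, not the kernel's code, of the buffer arithmetic this commit describes: the directory name is formatted with snprintf into a buffer of exactly UBIFS_DFS_DIR_LEN bytes and the result is checked with >= rather than >. The format string "ubi%d_%d" is assumed from the commit's length terms ("ubi" + "_" + 2-digit device number + 3-digit volume ID + NUL); the macro and function names below are stand-ins, not the kernel's identifiers.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example of the sizing arithmetic from the commit above; not
 * the kernel's code. The format string is assumed from the commit's length
 * terms: "ubi" (3) + "_" (1) + UBI device number (2 chars, 0..31) +
 * volume ID (3 chars, 0..127) + terminating NUL (1).
 */
#define DFS_DIR_NAME "ubi%d_%d"
#define DFS_DIR_LEN  (3 + 1 + 2 + 3 + 1)

/* Characters the name needs, excluding the NUL (a zero-size snprintf only
 * measures, it writes nothing). */
int dfs_dir_name_len(int ubi_num, int vol_id)
{
    return snprintf(NULL, 0, DFS_DIR_NAME, ubi_num, vol_id);
}

/*
 * Format the debugfs directory name into a buffer of DFS_DIR_LEN bytes.
 * Returns 0, or -EINVAL if the name would not fit together with its NUL.
 */
int make_dfs_dir_name(char *out, int ubi_num, int vol_id)
{
    int n = snprintf(out, DFS_DIR_LEN, DFS_DIR_NAME, ubi_num, vol_id);

    /*
     * snprintf reports the length it wanted to write, not counting the NUL.
     * With a DFS_DIR_LEN-byte buffer, n == DFS_DIR_LEN means the last
     * character was dropped to make room for the terminator, so the check
     * must be >=; a '>' check would silently accept that truncated name.
     */
    if (n < 0 || n >= DFS_DIR_LEN) {
        out[0] = '\0';
        return -EINVAL;
    }
    return 0;
}

/* 1 if the formatted name fits and equals expect, else 0. */
int dfs_dir_name_is(int ubi_num, int vol_id, const char *expect)
{
    char buf[DFS_DIR_LEN];

    if (make_dfs_dir_name(buf, ubi_num, vol_id) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* Status only (0 or -EINVAL), for exercising the truncation path. */
int dfs_dir_name_status(int ubi_num, int vol_id)
{
    char buf[DFS_DIR_LEN];

    return make_dfs_dir_name(buf, ubi_num, vol_id);
}
```

The largest legal name, "ubi31_127", is 9 characters and fits in the 10-byte buffer; a name one character longer is exactly what the old '>' comparison would have let through with its terminator cut off, and what the '>=' comparison rejects.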
      mtd: ubi: Restore missing cleanup on ubi_init() failure path · 72f3d3da
      Ben Hutchings authored
      We need to clean-up debugfs and ubiblock if we fail after initialising
      them.
      Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
      Fixes: 927c1452 ("mtd: ubi: attach from device tree")
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: dbg_orphan_check: Fix missed key type checking · 06776df7
      Zhihao Cheng authored
      When selinux/encryption is enabled, the xattr entry node is added into TNC
      before the host inode when creating a new file. So it is possible to find
      an xattr entry without its host inode in TNC. Orphan debug checking is called
      by ubifs_orphan_end_commit(); at that time, the commit semaphore is
      already unlocked, so the new creation won't be blocked.
      
      Fixes: d7f0b70d ("UBIFS: Add security.* XATTR support for the UBIFS")
      Fixes: d475a507 ("ubifs: Add skeleton for fscrypto")
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Fix unattached inode when powercut happens in creating · 3af2d3a8
      Zhihao Cheng authored
      For selinux or encryption scenarios, UBIFS could become inconsistent
      while creating new files in the powercut case. Encryption/selinux related
      xattrs are created before the file dentry, which makes the creation
      process non-atomic. Details are shown as follows:
      
      Encryption case:
      ubifs_create
       ubifs_new_inode
        fscrypt_set_context
         ubifs_xattr_set
          create_xattr
           ubifs_jnl_update  // Disk: xentry xinode inode(LAST_OF_NODE_GROUP)
       >> power cut <<
       ubifs_jnl_update  // Disk: dentry inode parent_inode(LAST_OF_NODE_GROUP)
      
      Selinux case:
      ubifs_create
       ubifs_new_inode
       ubifs_init_security
        security_inode_init_security
         ubifs_xattr_set
          create_xattr
           ubifs_jnl_update  // Disk: xentry xinode inode(LAST_OF_NODE_GROUP)
       >> power cut <<
       ubifs_jnl_update  // Disk: dentry inode parent_inode(LAST_OF_NODE_GROUP)
      
      Above process will make chk_fs failed in next mounting:
       UBIFS error (ubi0:0 pid 7995): dbg_check_filesystem [ubifs]: inode 66
       nlink is 1, but calculated nlink is 0
      
      Fix it by allocating an orphan inode for each non-xattr file creation, then
      removing it from the orphan list in the journal writing process, which ensures
      that the xattr and the dentry take effect atomically when a powercut happens.
      
      Fixes: d7f0b70d ("UBIFS: Add security.* XATTR support for the UBIFS")
      Fixes: d475a507 ("ubifs: Add skeleton for fscrypto")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=218309
      Suggested-by: Zhang Yi <yi.zhang@huawei.com>
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Fix space leak when powercut happens in linking tmpfile · b25e6a5f
      Zhihao Cheng authored
      There is a potential space leak problem when a powercut happens while linking
      a tmpfile, in which case the inode node (with nlink=0) and its data nodes can
      be found in the tnc (on flash), but there are no dentries related to the
      inode, so the file is invisible but takes up free space. The detailed process
      is shown as follows:
       ubifs_tmpfile
        ubifs_jnl_update // Add bud A into log area
         ubifs_add_orphan // Add inode into orphan list
      
           P1             P2
       ubifs_link
        ubifs_delete_orphan // Delete inode from orphan list, then inode won't
      		      // be written into orphan area, there is no chance
      		      // to delete inode by replaying orphan.
                      commit // bud A won't be replayed in next mounting
         >> powercut <<
        ubifs_jnl_update // Link inode to dentry
      
      The root cause is that orphan entry deletion and journal writing (for link)
      are interrupted by commit, which means the two operations are not atomic.
      Fix it by doing ubifs_delete_orphan under the protection of c->commit_sem
      within ubifs_jnl_update. This is also a preparation for supporting the
      creation of all new files by orphan inode.
      
      v1 is https://lore.kernel.org/linux-mtd/20200701093227.674945-1-chengzhihao1@huawei.com/
      
      Fixes: 32fe905c ("ubifs: Fix O_TMPFILE corner case in ubifs_link()")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=208405
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Move ui->data initialization after initializing security · 9f5ecacf
      Zhihao Cheng authored
      The host inode and its xattr will be written on disk after initializing
      security when creating a symlink or dev, then the host inode and its
      dentry will be written again in ubifs_jnl_update.
      There is no need to write inode data in the security initialization
      pass, so just move the ui->data initialization after initializing
      security.
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Fix adding orphan entry twice for the same inode · 7efc34b5
      Zhihao Cheng authored
      The tmpfile could be added into the orphan list twice: the first time at
      creation, the second time at removal after it is linked. The orphan
      entry could be added twice for a tmpfile if the following sequence is
      satisfied:
      
      ubifs_tmpfile
       ubifs_jnl_update
        ubifs_add_orphan // first time to add orphan entry
      
          P1                        P2
      ubifs_link                 do_commit
                                  ubifs_orphan_start_commit
      			     orphan->cmt = 1
       ubifs_delete_orphan
        orphan_delete
         if (orph->cmt)
          orph->del = 1; // orphan entry is not deleted from tree
          return
      ubifs_unlink
       ubifs_jnl_update
        ubifs_add_orphan
         orphan_add // found old orphan entry, second time to add orphan entry
          ubifs_err(c, "orphaned twice")
          return -EINVAL // unlink failed!
                                  ubifs_orphan_end_commit
      			     erase_deleted // delete old orphan entry
      			      rb_erase(&orphan->rb, &c->orph_tree)
      
      Fix it by removing orphan entry from orphan tree in advance, rather than
      remove it from orphan tree in committing process.
      
      Fixes: 32fe905c ("ubifs: Fix O_TMPFILE corner case in ubifs_link()")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=218672
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Remove insert_dead_orphan from replaying orphan process · 6376d750
      Zhihao Cheng authored
      UBIFS will do a commit at the end of the mounting process (rw mode); dead
      orphans (added by insert_dead_orphan while replaying orphans) are deleted
      by ubifs_orphan_end_commit(). The only reason why dead orphans are
      added into the orphan list is that old orphans may be lost when a powercut
      happens in ubifs_orphan_end_commit():
      ubifs_orphan_end_commit  // TNC(updated by orphans) is not written yet
       if (c->cmt_orphans != 0)
        commit_orphans
         consolidate // traverse orphan list
        write_orph_nodes // rewrite all orphans by ubifs_leb_change
        // If dead orphans are not in list, they will be lost when powercut
        // happens, then TNC won't be updated by old orphans in next mounting.
      Luckily, the condition 'c->cmt_orphans != 0' will never be true in the
      mounting process: there can't be new orphans added into the orphan list
      before mounting returns, but the commit will be done at the end of mounting.
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" · 7bed61a1
      Zhihao Cheng authored
      This reverts commit 6379b44c. Commit
      1e022216 ("ubifs: ubifs_symlink: Fix memleak of inode->i_link in
      error path") is applied again in commit 6379b44c ("ubifs:
      ubifs_symlink: Fix memleak of inode->i_link in error path"), which
      changed ubifs_mknod (It won't become a real problem). Just revert it.
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Don't add xattr inode into orphan area · 354c1796
      Zhihao Cheng authored
      Now, the entire inode with its xattrs is removed while replaying
      orphan nodes. There is no need to add xattr inodes into the orphan area,
      which is based on the fact that xattr entries won't be cleared from
      disk before deleting xattr inodes; in other words, the current logic
      can make sure that the xattr inode is deleted in any case even if UBIFS
      does not record the xattr inode into the orphan area.
      Let's look for possible paths that could clear xattr entries from
      disk but leave the xattr inode in the TNC:
       1. unlink/tmpfile -> ubifs_jnl_update: inode(nlink=0) is written
          into bud LEB and added into orphan list, then:
          a. powercut: ubifs_tnc_remove_ino(xattr entry/inode can be found
             from TNC and being deleted) is invoked in replaying journal.
          b. commit + powercut: inode is written into orphan area, and
             ubifs_tnc_remove_ino is invoked in replaying orphan nodes.
          c. evicting + powercut: xattr inode(nlink=0) is written on disk,
             xattr is removed from TNC, gc could clear xattr entries from
             disk. ubifs_tnc_remove_ino will apply on inode and xattr inode
             in replaying journal, so lost xattr entries will make no
             influence.
          d. evicting + commit + powercut: xattr inode/entry are removed from
             index tree(on disk) by ubifs_jnl_write_inode, xattr inode is
             cleared from orphan area by ubifs_jnl_write_inode + commit.
          e. commit + evicting + powercut: inode is written into orphan area,
             then equivalent to c.
       2. remove xattr -> ubifs_jnl_delete_xattr: xattr entry(inum=0) and
          xattr inode(nlink=0) is written into bud LEB, xattr entry/inode are
          removed from TNC, then:
          a. powercut: gc could clear xattr entries from disk, which won't
             affect deleting xattr entry from TNC. ubifs_tnc_remove_ino will
             apply on xattr inode in replaying journal, ubifs_tnc_remove_nm
             will apply on xattr entry in replaying journal.
          b. commit + powercut: xattr entry/inode are removed from index tree
             (on disk).
      Tracking the xattr inode in the orphan list was introduced by commit 988bec41
      ("ubifs: orphan: Handle xattrs like files"), which aims to fix the similar
      problem described in commit 7959cf3a ("ubifs: journal: Handle
      xattrs like files"). Actually, the problem only exists in the journal case
      but not in the orphan case. So, we can remove the orphan tracking for xattr
      inodes.
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubifs: Fix unattached xattr inode if powercut happens after deleting · 02eb1846
      Zhihao Cheng authored
      When a powercut happens after deleting a file, the xattr inode could be
      left alone in the TNC while its xattr entry cannot be found in the TNC.
      The file inode and xattr inode are added into the orphan list after deleting
      the file; the file inode's nlink is 0 but the xattr inode's nlink is not 0 (PS:
      a zero-nlink xattr inode is written on disk in the evicting process by
      ubifs_jnl_write_inode). So, the following process could happen:
       1. touch file
       2. setxattr(file)
       3. unlink file
          // inode(nlink=0), xattr inode(nlink=1) are added into orphan list
       4. commit
          // write inode inum and xattr inum into orphan area
       5. powercut
       6. mount
          do_kill_orphans
           // inode(nlink=0) is deleted from TNC by ubifs_tnc_remove_range,
           // xattr entry is deleted too.
           // xattr inode(nlink=1) is not deleted from TNC
      Finally we could see following error while debugging UBIFS:
       UBIFS error (ubi0:0 pid 1093): dbg_check_filesystem [ubifs]: inode 66
       nlink is 1, but calculated nlink is 0
       UBIFS (ubi0:0): dump of the inode 66 sitting in LEB 12:2128
         node_type      0 (inode node)
         group_type     1 (in node group)
         len            197
         key            (66, inode)
         size           37
         nlink          1
         flags          0x20
         xattr_cnt      0
         xattr_size     0
         xattr_names    0
         data len       37
      
      Fix it by removing the entire inode with its xattrs while replaying orphans,
      just replace function ubifs_tnc_remove_range by ubifs_tnc_remove_ino.
      
      Fixes: ee1438ce ("ubifs: Check link count of inodes when killing orphans.")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=218661
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      mtd: ubi: avoid expensive do_div() on 32-bit machines · 02096a0c
      Arnd Bergmann authored
      The use of do_div() in ubi_nvmem_reg_read() makes calling it on
      32-bit machines rather expensive. Since the 'from' variable is
      known to be a 32-bit quantity, it is clearly never needed and
      can be optimized into a regular division operation.
      
      Fixes: b8a77b9a ("mtd: ubi: fix NVMEM over UBI volumes on 32-bit systems")
      Fixes: 3ce48580 ("mtd: ubi: provide NVMEM layer over UBI volumes")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      mtd: ubi: make ubi_class constant · 299af26e
      Ricardo B. Marliere authored
      Since commit 43a7206b ("driver core: class: make class_register() take
      a const *"), the driver core allows for struct class to be in read-only
      memory, so move the ubi_class structure to be declared at build time
      placing it into read-only memory, instead of having to be dynamically
      allocated at boot time.
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      ubi: eba: properly rollback inside self_check_eba · 745d9f4a
      Fedor Pchelkin authored
      In case of a memory allocation failure in the volumes loop we can only
      process the already allocated scan_eba and fm_eba array elements on the
      error path - others are still uninitialized.
      
      Found by Linux Verification Center (linuxtesting.org).
      
      Fixes: 00abf304 ("UBI: Add self_check_eba()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
  2. 30 Jun, 2024 16 commits
      Linux 6.10-rc6 · 22a40d14
      Linus Torvalds authored
      Merge tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux · aca7c377
      Linus Torvalds authored
      Pull ata fixes from Niklas Cassel:
      
       - Add NOLPM quirk for all Crucial BX SSD1 models.
      
         Considering that we now have had bug reports for 3 different BX SSD1
         variants from Crucial with the same product name, make the quirk more
         inclusive, to catch more device models from the same generation.
      
       - Fix a trivial NULL pointer dereference in the error path for
         ata_host_release().
      
       - Create an ata_port_free(), so that we don't miss freeing ata_port
         struct members when freeing a struct ata_port.
      
       - Fix a trivial double free in the error path for ata_host_alloc().
      
       - Ensure that we remove the libata "remapped NVMe device count" sysfs
         entry on .probe() error.
      
      * tag 'ata-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
        ata: ahci: Clean up sysfs file on error
        ata: libata-core: Fix double free on error
        ata,scsi: libata-core: Do not leak memory for ata_port struct members
        ata: libata-core: Fix null pointer dereference on error
        ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models
      ata: ahci: Clean up sysfs file on error · eeb25a09
      Niklas Cassel authored
      .probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however,
      if probe() fails after this call, we currently never call
      sysfs_remove_file_from_group().
      
      (The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one())
      does not help, as .remove() is not called on .probe() error.)
      
      Thus, if probe() fails after the sysfs_add_file_to_group() call, the next
      time we insmod the module we will get:
      
      sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme'
      CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x5d/0x80
       sysfs_warn_dup.cold+0x17/0x23
       sysfs_add_file_mode_ns+0x11a/0x130
       sysfs_add_file_to_group+0x7e/0xc0
       ahci_init_one+0x31f/0xd40 [ahci]
      
      Fixes: 894fba7f ("ata: ahci: Add sysfs attribute to show remapped NVMe device count")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Link: https://lore.kernel.org/r/20240629124210.181537-10-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
      ata: libata-core: Fix double free on error · ab9e0c52
      Niklas Cassel authored
      If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
      to the err_out label, which will call devres_release_group().
      devres_release_group() will trigger a call to ata_host_release().
      ata_host_release() calls kfree(host), so executing the kfree(host) in
      ata_host_alloc() will lead to a double free:
      
      kernel BUG at mm/slub.c:553!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      RIP: 0010:kfree+0x2cf/0x2f0
      Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
      RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
      RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
      RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
      RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
      R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
      FS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? __die_body.cold+0x19/0x27
       ? die+0x2e/0x50
       ? do_trap+0xca/0x110
       ? do_error_trap+0x6a/0x90
       ? kfree+0x2cf/0x2f0
       ? exc_invalid_op+0x50/0x70
       ? kfree+0x2cf/0x2f0
       ? asm_exc_invalid_op+0x1a/0x20
       ? ata_host_alloc+0xf5/0x120 [libata]
       ? ata_host_alloc+0xf5/0x120 [libata]
       ? kfree+0x2cf/0x2f0
       ata_host_alloc+0xf5/0x120 [libata]
       ata_host_alloc_pinfo+0x14/0xa0 [libata]
       ahci_init_one+0x6c9/0xd20 [ahci]
      
      Ensure that we will not call kfree(host) twice, by performing the kfree()
      only if the devres_open_group() call failed.
      
      Fixes: dafd6c49 ("libata: ensure host is free'd on error exit paths")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
      ata,scsi: libata-core: Do not leak memory for ata_port struct members · f6549f53
      Niklas Cassel authored
      libsas is currently not freeing all the struct ata_port struct members,
      e.g. ncq_sense_buf for a driver supporting Command Duration Limits (CDL).
      
      Add a function, ata_port_free(), that is used to free an ata_port,
      including its struct members. It makes sense to keep the code related to
      freeing an ata_port in its own function, which will also free all the
      struct members of struct ata_port.
      
      Fixes: 18bd7718 ("scsi: ata: libata: Handle completion of CDL commands using policy 0xD")
      Reviewed-by: John Garry <john.g.garry@oracle.com>
      Link: https://lore.kernel.org/r/20240629124210.181537-8-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
      ata: libata-core: Fix null pointer dereference on error · 5d92c7c5
      Niklas Cassel authored
      If the ata_port_alloc() call in ata_host_alloc() fails,
      ata_host_release() will get called.
      
      However, the code in ata_host_release() tries to free ata_port struct
      members unconditionally, which can lead to the following:
      
      BUG: unable to handle page fault for address: 0000000000003990
      PGD 0 P4D 0
      Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
      RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
      Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
      RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
      RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
      RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
      R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
      R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
      FS:  00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? __die_body.cold+0x19/0x27
       ? page_fault_oops+0x15a/0x2f0
       ? exc_page_fault+0x7e/0x180
       ? asm_exc_page_fault+0x26/0x30
       ? ata_host_release.cold+0x2f/0x6e [libata]
       ? ata_host_release.cold+0x2f/0x6e [libata]
       release_nodes+0x35/0xb0
       devres_release_group+0x113/0x140
       ata_host_alloc+0xed/0x120 [libata]
       ata_host_alloc_pinfo+0x14/0xa0 [libata]
       ahci_init_one+0x6c9/0xd20 [ahci]
      
      Do not access ata_port struct members unconditionally.
      
      Fixes: 633273a3 ("libata-pmp: hook PMP support and enable it")
      Cc: stable@vger.kernel.org
      Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Reviewed-by: John Garry <john.g.garry@oracle.com>
      Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
      Signed-off-by: Niklas Cassel <cassel@kernel.org>
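An added example, written for this page and not libata's code, modelling the two error-path bugs in this commit and in the double-free commit above: once the devres group owns the host, a later failure must release the group and nothing else, and the release callback must tolerate port slots that were never filled. The same partial-initialisation cleanup problem underlies the ubiblock_create(), ubi_init() and self_check_eba() fixes further up the page. Objects come from fixed pools so that a second free can be counted instead of crashing; every name here (host_kzalloc, port_alloc, run_scenario and the rest) is a hypothetical stand-in, and the devres group is reduced to a single owned pointer.

```c
#include <string.h>

/* Constructed model, not libata's code, of the two error-path bugs in
 * ata_host_alloc()/ata_host_release(). A host owns up to MAX_PORTS ports, a
 * devres-like group runs one release callback, and objects come from fixed
 * pools whose in_use flag lets a double free be counted instead of crashing.
 * All names (host_kzalloc, run_scenario, ...) are hypothetical. */
#define MAX_PORTS 4

struct port { int in_use; };
struct host { int in_use; int n_ports; struct port *ports[MAX_PORTS]; };
struct devres_group { struct host *owned; };
struct outcome { int double_frees; int null_port_derefs; int live_ports; };

static struct host host_pool;
static struct port port_pool[MAX_PORTS];
static int double_frees;      /* kfree() of an already-freed object */
static int null_port_derefs;  /* release touched a port slot never filled */

static struct host *host_kzalloc(void)
{
    memset(&host_pool, 0, sizeof(host_pool));
    host_pool.in_use = 1;
    return &host_pool;
}

static void host_kfree(struct host *h)
{
    double_frees += !h->in_use;   /* what "kernel BUG at mm/slub.c" caught */
    h->in_use = 0;
}

static struct port *port_alloc(void)
{
    for (int i = 0; i < MAX_PORTS; i++) {
        if (port_pool[i].in_use)
            continue;
        port_pool[i].in_use = 1;
        return &port_pool[i];
    }
    return NULL;
}

/* Release callback run by the devres group. fixed_release: skip NULL slots. */
static void host_release(struct host *host, int fixed_release)
{
    for (int i = 0; i < host->n_ports; i++) {
        struct port *ap = host->ports[i];
        if (!ap) {
            /* Slots past the failed allocation are NULL. The original code
             * touched them unconditionally (the page fault above). */
            null_port_derefs += !fixed_release;
            continue;
        }
        ap->in_use = 0;           /* ata_port_free(): port and its members */
    }
    host_kfree(host);
}

static void devres_release_group(struct devres_group *g, int fixed_release)
{
    if (g->owned)
        host_release(g->owned, fixed_release);
    g->owned = NULL;
}

/* Allocate a host with n_ports ports, making port allocation fail at index
 * fail_port (-1: never). fixed_alloc: no second kfree() once devres owns the
 * host. fixed_release: NULL-check port slots in the release callback. */
struct outcome run_scenario(int n_ports, int fail_port, int fixed_alloc,
                            int fixed_release)
{
    struct devres_group g = { NULL };
    struct outcome o = { 0, 0, 0 };
    struct host *host;

    memset(port_pool, 0, sizeof(port_pool));
    double_frees = null_port_derefs = 0;
    host = host_kzalloc();
    g.owned = host;               /* from here on the group frees the host */
    host->n_ports = n_ports;
    for (int i = 0; i < n_ports; i++) {
        host->ports[i] = (i == fail_port) ? NULL : port_alloc();
        if (!host->ports[i])
            goto err_out;
    }
    g.owned = NULL;               /* success: the caller keeps the host */
    goto out;
err_out:
    devres_release_group(&g, fixed_release);   /* frees ports and host */
    if (!fixed_alloc)
        host_kfree(host);         /* original code: frees the host again */
out:
    o.double_frees = double_frees;
    o.null_port_derefs = null_port_derefs;
    for (int i = 0; i < MAX_PORTS; i++)
        o.live_ports += port_pool[i].in_use;
    return o;
}
```

With both fixes off and the third of four ports failing, the model records two touches of never-filled slots in the release callback and one extra free of the host; with both fixes on, it records neither, and the two ports that were allocated before the failure are freed by the release callback alone.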
      Merge tag 'kbuild-fixes-v6.10-3' of... · e0b668b0
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Remove the executable bit from installed DTB files
      
       - Escape $ in subshell execution in the debian-orig target
      
       - Fix RPM builds with CONFIG_MODULES=n
      
       - Fix xconfig with the O= option
      
       - Fix scripts_gdb with the O= option
      
      * tag 'kbuild-fixes-v6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: scripts/gdb: bring the "abspath" back
        kbuild: Use $(obj)/%.cc to fix host C++ module builds
        kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n
        kbuild: Fix build target deb-pkg: ln: failed to create hard link
        kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates
        kbuild: Install dtb files as 0644 in Makefile.dtbinst
      e0b668b0
    • x86-32: fix cmpxchg8b_emu build error with clang · 76932725
      Linus Torvalds authored
      The kernel test robot reported that clang no longer compiles the 32-bit
      x86 kernel in some configurations due to commit 95ece481
      ("locking/atomic/x86: Rewrite x86_32 arch_atomic64_{,fetch}_{and,or,xor}()
      functions").
      
      The build fails with
      
        arch/x86/include/asm/cmpxchg_32.h:149:9: error: inline assembly requires more registers than available
      
      and the reason seems to be that not only does the cmpxchg8b instruction
      need four fixed registers (EDX:EAX and ECX:EBX), with the emulation
      fallback the inline asm also wants a fifth fixed register for the
      address (it uses %esi for that, but that's just a software convention
      with cmpxchg8b_emu).
      
      Avoiding using another pointer input to the asm (and just forcing it to
      use the "0(%esi)" addressing that we end up requiring for the sw
      fallback) seems to fix the issue.

      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202406230912.F6XFIyA6-lkp@intel.com/
      Fixes: 95ece481 ("locking/atomic/x86: Rewrite x86_32 arch_atomic64_{,fetch}_{and,or,xor}() functions")
      Link: https://lore.kernel.org/all/202406230912.F6XFIyA6-lkp@intel.com/
      Suggested-by: Uros Bizjak <ubizjak@gmail.com>
      Reviewed-and-Tested-by: Uros Bizjak <ubizjak@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      76932725
    • Merge tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 84dd4373
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small driver fixes for 6.10-rc6. Included in here are:
      
         - IIO driver fixes for reported issues
      
         - Counter driver fix for a reported problem.
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'char-misc-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        counter: ti-eqep: enable clock at probe
        iio: chemical: bme680: Fix sensor data read operation
        iio: chemical: bme680: Fix overflows in compensate() functions
        iio: chemical: bme680: Fix calibration data variable
        iio: chemical: bme680: Fix pressure value output
        iio: humidity: hdc3020: fix hysteresis representation
        iio: dac: fix ad9739a random config compile error
        iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF
        iio: adc: ad7266: Fix variable checking bug
        iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask
      84dd4373
    • Merge tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 12529aa1
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are two small staging driver fixes for 6.10-rc6, both for the
        vc04_services drivers:
      
         - build fix if CONFIG_DEBUGFS was not set
      
         - initialization check fix that was much reported.
      
        Both of these have been in linux-next this week with no reported
        issues"
      
      * tag 'staging-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: vchiq_debugfs: Fix build if CONFIG_DEBUG_FS is not set
        staging: vc04_services: vchiq_arm: Fix initialisation check
      12529aa1
    • Merge tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3e334486
      Linus Torvalds authored
      Pull tty / serial / console fixes from Greg KH:
       "Here are a bunch of fixes/reverts for 6.10-rc6.  Included in here are:
      
         - revert the bunch of tty/serial/console changes that landed in -rc1
           that didn't quite work properly yet.
      
           Everyone agreed to just revert them for now and will work on making
           them better for a future release instead of trying to quick fix the
           existing changes this late in the release cycle
      
         - 8250 driver port count bugfix
      
         - Other tiny serial port bugfixes for reported issues
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'tty-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "printk: Save console options for add_preferred_console_match()"
        Revert "printk: Don't try to parse DEVNAME:0.0 console options"
        Revert "printk: Flag register_console() if console is set on command line"
        Revert "serial: core: Add support for DEVNAME:0.0 style naming for kernel console"
        Revert "serial: core: Handle serial console options"
        Revert "serial: 8250: Add preferred console in serial8250_isa_init_ports()"
        Revert "Documentation: kernel-parameters: Add DEVNAME:0.0 format for serial ports"
        Revert "serial: 8250: Fix add preferred console for serial8250_isa_init_ports()"
        Revert "serial: core: Fix ifdef for serial base console functions"
        serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()
        serial: core: introduce uart_port_tx_limited_flags()
        Revert "serial: core: only stop transmit when HW fifo is empty"
        serial: imx: set receiver level before starting uart
        tty: mcf: MCF54418 has 10 UARTS
        serial: 8250_omap: Implementation of Errata i2310
        tty: serial: 8250: Fix port count mismatch with the device
      3e334486
    • Merge tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 2c01c3d5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a handful of small USB driver fixes for 6.10-rc6 to resolve
        some reported issues. Included in here are:
      
         - typec driver bugfixes
      
         - usb gadget driver reverts for commits that were reported to have
           problems
      
         - resource leak bugfix
      
         - gadget driver bugfixes
      
         - dwc3 driver bugfixes
      
         - usb atm driver bugfix for when syzbot got loose on it
      
        All of these have been in linux-next this week with no reported issues"
      
      * tag 'usb-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: dwc3: core: Workaround for CSR read timeout
        Revert "usb: gadget: u_ether: Replace netif_stop_queue with netif_device_detach"
        Revert "usb: gadget: u_ether: Re-attach netif device to mirror detachment"
        usb: gadget: aspeed_udc: fix device address configuration
        usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock
        usb: typec: ucsi: glink: fix child node release in probe function
        usb: musb: da8xx: fix a resource leak in probe()
        usb: typec: ucsi_acpi: Add LG Gram quirk
        usb: ucsi: stm32: fix command completion handling
        usb: atm: cxacru: fix endpoint checking in cxacru_bind()
        usb: gadget: printer: fix races against disable
        usb: gadget: printer: SS+ support
      2c01c3d5
    • Merge tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3ffea9a7
      Linus Torvalds authored
      Pull smp fixes from Borislav Petkov:
      
       - Fix "nosmp" and "maxcpus=0" after the parallel CPU bringup work went
         in and broke them
      
       - Make sure CPU hotplug dynamic prepare states are actually executed
      
      * tag 'smp_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpu: Fix broken cmdline "nosmp" and "maxcpus=0"
        cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()
      3ffea9a7
    • Merge tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4e412160
      Linus Torvalds authored
      Pull irq fixes from Borislav Petkov:
      
       - Make sure multi-bridge machines get all eiointc interrupt controllers
         initialized even if the number of CPUs has been limited by a cmdline
         param
      
       - Make sure interrupt lines on liointc hw are configured properly even
         when interrupt routing changes
      
       - Avoid use-after-free in the error path of the MSI init code
      
      * tag 'irq_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        PCI/MSI: Fix UAF in msi_capability_init
        irqchip/loongson-liointc: Set different ISRs for different cores
        irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()
      4e412160
    • Merge tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 03c8b0bd
      Linus Torvalds authored
      Pull timer fix from Borislav Petkov:
      
       - Warn when an hrtimer doesn't get a callback supplied
      
      * tag 'timers_urgent_for_v6.10_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        hrtimer: Prevent queuing of hrtimer without a function callback
      03c8b0bd
    • Merge tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog · 327fceff
      Linus Torvalds authored
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - lenovo_se10_wdt: add HAS_IOPORT dependency
      
       - add missing MODULE_DESCRIPTION() macros
      
      * tag 'linux-watchdog-6.10-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: add missing MODULE_DESCRIPTION() macros
        watchdog: lenovo_se10_wdt: add HAS_IOPORT dependency
      327fceff
  3. 29 Jun, 2024 5 commits
  4. 28 Jun, 2024 3 commits
    • Merge tag 'riscv-for-linus-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · de0a9f44
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix for vector load/store instruction decoding, which could result
         in reserved vector element length encodings decoding as valid vector
         instructions.
      
       - Instruction patching now aggressively flushes the local instruction
         cache, to avoid situations where patching functions on the flush path
         results in torn instructions being fetched.
      
       - A fix to prevent the stack walker from showing up as part of traces.
      
      * tag 'riscv-for-linus-6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: stacktrace: convert arch_stack_walk() to noinstr
        riscv: patch: Flush the icache right after patching to avoid illegal insns
        RISC-V: fix vector insn load/store width mask
      de0a9f44
    • Merge tag 'hardening-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · b75f9472
      Linus Torvalds authored
      Pull hardening fixes from Kees Cook:
      
       - Remove invalid tty __counted_by annotation (Nathan Chancellor)
      
       - Add missing MODULE_DESCRIPTION()s for KUnit string tests (Jeff
         Johnson)
      
       - Remove non-functional per-arch kstack entropy filtering
      
      * tag 'hardening-v6.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        tty: mxser: Remove __counted_by from mxser_board.ports[]
        randomize_kstack: Remove non-functional per-arch entropy filtering
        string: kunit: add missing MODULE_DESCRIPTION() macros
      b75f9472
    • x86: stop playing stack games in profile_pc() · 093d9603
      Linus Torvalds authored
      The 'profile_pc()' function is used for timer-based profiling, which
      isn't really all that relevant any more to begin with, but it also ends
      up making assumptions based on the stack layout that aren't necessarily
      valid.
      
      Basically, the code tries to account the time spent in spinlocks to the
      caller rather than the spinlock, and while I support that as a concept,
      it's not worth the code complexity or the KASAN warnings when no serious
      profiling is done using timers anyway these days.
      
      And the code really does depend on stack layout that is only true in the
      simplest of cases.  We've lost the comment at some point (I think when
      the 32-bit and 64-bit code was unified), but it used to say:
      
      	Assume the lock function has either no stack frame or a copy
      	of eflags from PUSHF.
      
      which explains why it just blindly loads a word or two straight off the
      stack pointer and then takes a minimal look at the values to just check
      if they might be eflags or the return pc:
      
      	Eflags always has bits 22 and up cleared unlike kernel addresses
      
      but that basic stack layout assumption assumes that there isn't any lock
      debugging etc going on that would complicate the code and cause a stack
      frame.
      
      It causes KASAN unhappiness reported for years by syzkaller [1] and
      others [2].
      
      With no real practical reason for this any more, just remove the code.
      
      Just for historical interest, here's some background commits relating to
      this code from 2006:
      
        0cb91a22 ("i386: Account spinlocks to the caller during profiling for !FP kernels")
        31679f38 ("Simplify profile_pc on x86-64")
      
      and a code unification from 2009:
      
        ef451288 ("x86: time_32/64.c unify profile_pc")
      
      but the basics of this thing actually goes back to before the git tree.
      
      Link: https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 [1]
      Link: https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ [2]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      093d9603
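Added example, not kernel code and not part of the commit above: a user-space C model of the stack-layout guess the message describes, covering the two layouts the old comment allowed (no stack frame, or a copy of eflags from PUSHF) and a third where something has pushed a saved frame pointer first. The addresses, the saved-flags value and the function names are constructed for this illustration; the only rule taken from the message is that eflags has bits 22 and up cleared while kernel addresses do not.

```c
#include <stdint.h>

/* Constructed "kernel text" address: bits 22 and up are set, as for any real
 * kernel address, which is exactly what the heuristic keys on. */
#define CALLER_PC   0xffffffff81000000ULL
/* Constructed saved eflags value: only low bits set (IF, ZF, reserved bit 1). */
#define SAVED_FLAGS 0x246ULL
/* Constructed saved frame pointer: a stack address, which also passes the
 * "bits 22 and up set" test. */
#define SAVED_BP    0xffffc90000013e40ULL

/* The test from the message: eflags has bits 22 and up cleared, a kernel
 * address does not. */
static int looks_like_kernel_address(uint64_t v)
{
    return (v >> 22) != 0;
}

/* Model of the removed guess: take the first of sp[0], sp[1] that looks like
 * a kernel address as the caller's pc, else fall back to the sampled pc. */
uint64_t guess_caller_pc(const uint64_t *sp, uint64_t fallback_pc)
{
    if (looks_like_kernel_address(sp[0]))
        return sp[0];
    if (looks_like_kernel_address(sp[1]))
        return sp[1];
    return fallback_pc;
}

/* Layout 1: lock function has no stack frame; the return address is at sp[0]. */
uint64_t case_no_frame(void)
{
    uint64_t stack[2] = { CALLER_PC, 0 };
    return guess_caller_pc(stack, 0);
}

/* Layout 2: lock function did PUSHF; saved flags at sp[0], return address above. */
uint64_t case_pushf(void)
{
    uint64_t stack[2] = { SAVED_FLAGS, CALLER_PC };
    return guess_caller_pc(stack, 0);
}

/* Layout 3: lock debugging or instrumentation set up a frame, so a saved frame
 * pointer sits at sp[0]. It passes the kernel-address test, and the guess
 * reports the saved bp as the caller's pc: the wrong answer the message warns
 * the layout assumption produces. */
uint64_t case_frame_pushed(void)
{
    uint64_t stack[2] = { SAVED_BP, CALLER_PC };
    return guess_caller_pc(stack, 0);
}
```

The first two cases return CALLER_PC and the third returns SAVED_BP, which is the practical reason a heuristic keyed on one bit pattern cannot survive any change to what the lock path pushes.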