1. 02 Aug, 2020 6 commits
    • Zhe Li's avatar
      jffs2: fix jffs2 mounting failure · a68005a3
      Zhe Li authored
      Thanks for the advice mentioned in the email.
      This is my v3 patch for this problem.
      
      Mounting jffs2 on nand flash will get message "failed: I/O error"
      with the steps listed below.
      1.umount jffs2
      2.erase nand flash
      3.mount jffs2 on it (this mounting operation will be successful)
      4.do chown or chmod to the mount point directory
      5.umount jffs2
      6.mount jffs2 on nand flash
      After step 6, we will get message "mount ... failed: I/O error".
      
      Typical image of this problem is like:
      Empty space found from 0x00000000 to 0x008a0000
      Inode node at xx, totlen 0x00000044, #ino 1, version 1, isize 0...
      
      The reason for this mounting failure is that at the end of function
      jffs2_scan_medium(), jffs2 will check the used_size and some info
      of nr_blocks.If conditions are met, it will return -EIO.
      
      The detail is that, in the steps listed above, step 4 will write
      jffs2_raw_inode into flash without jffs2_raw_dirent, which will
      cause that there are some jffs2_raw_inode but no jffs2_raw_dirent
      on flash. This will meet the condition at the end of function
      jffs2_scan_medium() and return -EIO if we umount jffs2 and mount it
      again.
      
      We notice that jffs2 add the value of c->unchecked_size if we find
      an inode node while mounting. And jffs2 will never add the value of
      c->unchecked_size in other situations. So this patch add one more
      condition about c->unchecked_size of the judgement to fix this problem.
      Signed-off-by: default avatarZhe Li <lizhe67@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      a68005a3
    • Zhihao Cheng's avatar
      ubifs: Fix wrong orphan node deletion in ubifs_jnl_update|rename · 094b6d12
      Zhihao Cheng authored
      There a wrong orphan node deleting in error handling path in
      ubifs_jnl_update() and ubifs_jnl_rename(), which may cause
      following error msg:
      
        UBIFS error (ubi0:0 pid 1522): ubifs_delete_orphan [ubifs]:
        missing orphan ino 65
      
      Fix this by checking whether the node has been operated for
      adding to orphan list before being deleted,
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Fixes: 823838a4 ("ubifs: Add hashes to the tree node cache")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      094b6d12
    • Zhihao Cheng's avatar
      ubi: fastmap: Free fastmap next anchor peb during detach · c3fc1a39
      Zhihao Cheng authored
      ubi_wl_entry related with the fm_next_anchor PEB is not freed during
      detach, which causes a memory leak.
      Don't forget to release fm_next_anchor PEB while detaching ubi from
      mtd when CONFIG_MTD_UBI_FASTMAP is enabled.
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Fixes: 4b68bf9a ("ubi: Select fastmap anchor PEBs considering...")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c3fc1a39
    • Zhihao Cheng's avatar
      ubi: fastmap: Don't produce the initial next anchor PEB when fastmap is disabled · 3b185255
      Zhihao Cheng authored
      Following process triggers a memleak caused by forgetting to release the
      initial next anchor PEB (CONFIG_MTD_UBI_FASTMAP is disabled):
      1. attach -> __erase_worker -> produce the initial next anchor PEB
      2. detach -> ubi_fastmap_close (Do nothing, it should have released the
         initial next anchor PEB)
      
      Don't produce the initial next anchor PEB in __erase_worker() when fastmap
      is disabled.
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Suggested-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Fixes: f9c34bb5 ("ubi: Fix producing anchor PEBs")
      Reported-by: syzbot+d9aab50b1154e3d163f5@syzkaller.appspotmail.com
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      3b185255
    • Randy Dunlap's avatar
      ubifs: misc.h: delete a duplicated word · fcf44196
      Randy Dunlap authored
      Drop the repeated word "as" in a comment.
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: linux-mtd@lists.infradead.org
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      fcf44196
    • Martin Kaistra's avatar
      ubifs: add option to specify version for new file systems · a7a8f4a1
      Martin Kaistra authored
      Instead of creating ubifs file systems with UBIFS_FORMAT_VERSION
      by default, add a module parameter ubifs.default_version to allow
      the user to specify the desired version. Valid values are 4 to
      UBIFS_FORMAT_VERSION (currently 5).
      
      This way, one can for example create a file system with version 4
      on kernel 4.19 which can still be mounted rw when downgrading to
      kernel 4.9.
      Signed-off-by: default avatarMartin Kaistra <martin.kaistra@linutronix.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      a7a8f4a1
  2. 26 Jul, 2020 9 commits
  3. 25 Jul, 2020 17 commits
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.8-rc7' of... · 04300d66
      Linus Torvalds authored
      Merge tag 'riscv-for-linus-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux into master
      
      Pull RISC-V fixes from Palmer Dabbelt:
       "A few more fixes this week:
      
         - A fix to avoid using SBI calls during kasan initialization, as the
           SBI calls themselves have not been probed yet.
      
         - Three fixes related to systems with multiple memory regions"
      
      * tag 'riscv-for-linus-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Parse all memory blocks to remove unusable memory
        RISC-V: Do not rely on initrd_start/end computed during early dt parsing
        RISC-V: Set maximum number of mapped pages correctly
        riscv: kasan: use local_tlb_flush_all() to avoid uninitialized __sbi_rfence
      04300d66
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2020-07-25' of... · fbe0d451
      Linus Torvalds authored
      Merge tag 'x86-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
      
      Pull x86 fixes from Ingo Molnar:
       "Misc fixes:
      
         - Fix a section end page alignment assumption that was causing
           crashes
      
         - Fix ORC unwinding on freshly forked tasks which haven't executed
           yet and which have empty user task stacks
      
         - Fix the debug.exception-trace=1 sysctl dumping of user stacks,
           which was broken by recent maccess changes"
      
      * tag 'x86-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/dumpstack: Dump user space code correctly again
        x86/stacktrace: Fix reliable check for empty user task stacks
        x86/unwind/orc: Fix ORC for newly forked tasks
        x86, vmlinux.lds: Page-align end of ..page_aligned sections
      fbe0d451
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-07-25' of... · 78b1afe2
      Linus Torvalds authored
      Merge tag 'perf-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
      
      Pull uprobe fix from Ingo Molnar:
       "Fix an interaction/regression between uprobes based shared library
        tracing & GDB"
      
      * tag 'perf-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
      78b1afe2
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2020-07-25' of... · a7b36c2b
      Linus Torvalds authored
      Merge tag 'timers-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
      
      Pull timer fix from Ingo Molnar:
       "Fix a suspend/resume regression (crash) on TI AM3/AM4 SoC's"
      
      * tag 'timers-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource/drivers/timer-ti-dm: Fix suspend and resume for am3 and am4
      a7b36c2b
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2020-07-25' of... · 3077805e
      Linus Torvalds authored
      Merge tag 'sched-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
      
      Pull scheduler fixes from Ingo Molnar:
       "Fix a race introduced by the recent loadavg race fix, plus add a debug
        check for a hard to debug case of bogus wakeup function flags"
      
      * tag 'sched-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched: Warn if garbage is passed to default_wake_function()
        sched: Fix race against ptrace_freeze_trace()
      3077805e
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-2020-07-25' of... · 17baa442
      Linus Torvalds authored
      Merge tag 'efi-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
      
      Pull EFI fixes from Ingo Molnar:
       "Various EFI fixes:
      
         - Fix the layering violation in the use of the EFI runtime services
           availability mask in users of the 'efivars' abstraction
      
         - Revert build fix for GCC v4.8 which is no longer supported
      
         - Clean up some x86 EFI stub details, some of which are borderline
           bugs that copy around garbage into padding fields - let's fix these
           out of caution.
      
         - Fix build issues while working on RISC-V support
      
         - Avoid --whole-archive when linking the stub on arm64"
      
      * tag 'efi-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi: Revert "efi/x86: Fix build with gcc 4"
        efi/efivars: Expose RT service availability via efivars abstraction
        efi/libstub: Move the function prototypes to header file
        efi/libstub: Fix gcc error around __umoddi3 for 32 bit builds
        efi/libstub/arm64: link stub lib.a conditionally
        efi/x86: Only copy upto the end of setup_header
        efi/x86: Remove unused variables
      17baa442
    • Linus Torvalds's avatar
      Merge tag '5.8-rc6-cifs-fix' of git://git.samba.org/sfrench/cifs-2.6 into master · 7cb3a5c5
      Linus Torvalds authored
      Pull cifs fix from Steve French:
       "A fix for a recently discovered regression in rename to older servers
        caused by a recent patch"
      
      * tag '5.8-rc6-cifs-fix' of git://git.samba.org/sfrench/cifs-2.6:
        Revert "cifs: Fix the target file was deleted when rename failed."
      7cb3a5c5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net into master · 1b64b2e2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix RCU locaking in iwlwifi, from Johannes Berg.
      
       2) mt76 can access uninitialized NAPI struct, from Felix Fietkau.
      
       3) Fix race in updating pause settings in bnxt_en, from Vasundhara
          Volam.
      
       4) Propagate error return properly during unbind failures in ax88172a,
          from George Kennedy.
      
       5) Fix memleak in adf7242_probe, from Liu Jian.
      
       6) smc_drv_probe() can leak, from Wang Hai.
      
       7) Don't muck with the carrier state if register_netdevice() fails in
          the bonding driver, from Taehee Yoo.
      
       8) Fix memleak in dpaa_eth_probe, from Liu Jian.
      
       9) Need to check skb_put_padto() return value in hsr_fill_tag(), from
          Murali Karicheri.
      
      10) Don't lose ionic RSS hash settings across FW update, from Shannon
          Nelson.
      
      11) Fix clobbered SKB control block in act_ct, from Wen Xu.
      
      12) Missing newlink in "tx_timeout" sysfs output, from Xiongfeng Wang.
      
      13) IS_UDPLITE cleanup a long time ago, incorrectly handled
          transformations involving UDPLITE_RECV_CC. From Miaohe Lin.
      
      14) Unbalanced locking in netdevsim, from Taehee Yoo.
      
      15) Suppress false-positive error messages in qed driver, from Alexander
          Lobakin.
      
      16) Out of bounds read in ax25_connect and ax25_sendmsg, from Peilin Ye.
      
      17) Missing SKB release in cxgb4's uld_send(), from Navid Emamdoost.
      
      18) Uninitialized value in geneve_changelink(), from Cong Wang.
      
      19) Fix deadlock in xen-netfront, from Andera Righi.
      
      19) flush_backlog() frees skbs with IRQs disabled, so should use
          dev_kfree_skb_irq() instead of kfree_skb(). From Subash Abhinov
          Kasiviswanathan.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (111 commits)
        drivers/net/wan: lapb: Corrected the usage of skb_cow
        dev: Defer free of skbs in flush_backlog
        qrtr: orphan socket in qrtr_release()
        xen-netfront: fix potential deadlock in xennet_remove()
        flow_offload: Move rhashtable inclusion to the source file
        geneve: fix an uninitialized value in geneve_changelink()
        bonding: check return value of register_netdevice() in bond_newlink()
        tcp: allow at most one TLP probe per flight
        AX.25: Prevent integer overflows in connect and sendmsg
        cxgb4: add missing release on skb in uld_send()
        net: atlantic: fix PTP on AQC10X
        AX.25: Prevent out-of-bounds read in ax25_sendmsg()
        sctp: shrink stream outq when fails to do addstream reconf
        sctp: shrink stream outq only when new outcnt < old outcnt
        AX.25: Fix out-of-bounds read in ax25_connect()
        enetc: Remove the mdio bus on PF probe bailout
        net: ethernet: ti: add NETIF_F_HW_TC hw feature flag for taprio offload
        net: ethernet: ave: Fix error returns in ave_init
        drivers/net/wan/x25_asy: Fix to make it work
        ipvs: fix the connection sync failed in some cases
        ...
      1b64b2e2
    • Atish Patra's avatar
      riscv: Parse all memory blocks to remove unusable memory · fa5a1983
      Atish Patra authored
      Currently, maximum physical memory allowed is equal to -PAGE_OFFSET.
      That's why we remove any memory blocks spanning beyond that size. However,
      it is done only for memblock containing linux kernel which will not work
      if there are multiple memblocks.
      
      Process all memory blocks to figure out how much memory needs to be removed
      and remove at the end instead of updating the memblock list in place.
      Signed-off-by: default avatarAtish Patra <atish.patra@wdc.com>
      Signed-off-by: default avatarPalmer Dabbelt <palmerdabbelt@google.com>
      fa5a1983
    • Atish Patra's avatar
      RISC-V: Do not rely on initrd_start/end computed during early dt parsing · 4400231c
      Atish Patra authored
      Currently, initrd_start/end are computed during early_init_dt_scan
      but used during arch_setup. We will get the following panic if initrd is used
      and CONFIG_DEBUG_VIRTUAL is turned on.
      
      [    0.000000] ------------[ cut here ]------------
      [    0.000000] kernel BUG at arch/riscv/mm/physaddr.c:33!
      [    0.000000] Kernel BUG [#1]
      [    0.000000] Modules linked in:
      [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.8.0-rc4-00015-ged0b226fed02 #886
      [    0.000000] epc: ffffffe0002058d2 ra : ffffffe0000053f0 sp : ffffffe001001f40
      [    0.000000]  gp : ffffffe00106e250 tp : ffffffe001009d40 t0 : ffffffe00107ee28
      [    0.000000]  t1 : 0000000000000000 t2 : ffffffe000a2e880 s0 : ffffffe001001f50
      [    0.000000]  s1 : ffffffe0001383e8 a0 : ffffffe00c087e00 a1 : 0000000080200000
      [    0.000000]  a2 : 00000000010bf000 a3 : ffffffe00106f3c8 a4 : ffffffe0010bf000
      [    0.000000]  a5 : ffffffe000000000 a6 : 0000000000000006 a7 : 0000000000000001
      [    0.000000]  s2 : ffffffe00106f068 s3 : ffffffe00106f070 s4 : 0000000080200000
      [    0.000000]  s5 : 0000000082200000 s6 : 0000000000000000 s7 : 0000000000000000
      [    0.000000]  s8 : 0000000080011010 s9 : 0000000080012700 s10: 0000000000000000
      [    0.000000]  s11: 0000000000000000 t3 : 000000000001fe30 t4 : 000000000001fe30
      [    0.000000]  t5 : 0000000000000000 t6 : ffffffe00107c471
      [    0.000000] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
      [    0.000000] random: get_random_bytes called from print_oops_end_marker+0x22/0x46 with crng_init=0
      
      To avoid the error, initrd_start/end can be computed from phys_initrd_start/size
      in setup itself. It also improves the initrd placement by aligning the start
      and size with the page size.
      
      Fixes: 76d2a049 ("RISC-V: Init and Halt Code")
      Signed-off-by: default avatarAtish Patra <atish.patra@wdc.com>
      Signed-off-by: default avatarPalmer Dabbelt <palmerdabbelt@google.com>
      4400231c
    • Xie He's avatar
      drivers/net/wan: lapb: Corrected the usage of skb_cow · 8754e137
      Xie He authored
      This patch fixed 2 issues with the usage of skb_cow in LAPB drivers
      "lapbether" and "hdlc_x25":
      
      1) After skb_cow fails, kfree_skb should be called to drop a reference
      to the skb. But in both drivers, kfree_skb is not called.
      
      2) skb_cow should be called before skb_push so that is can ensure the
      safety of skb_push. But in "lapbether", it is incorrectly called after
      skb_push.
      
      More details about these 2 issues:
      
      1) The behavior of calling kfree_skb on failure is also the behavior of
      netif_rx, which is called by this function with "return netif_rx(skb);".
      So this function should follow this behavior, too.
      
      2) In "lapbether", skb_cow is called after skb_push. This results in 2
      logical issues:
         a) skb_push is not protected by skb_cow;
         b) An extra headroom of 1 byte is ensured after skb_push. This extra
            headroom has no use in this function. It also has no use in the
            upper-layer function that this function passes the skb to
            (x25_lapb_receive_frame in net/x25/x25_dev.c).
      So logically skb_cow should instead be called before skb_push.
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Martin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarXie He <xie.he.0141@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8754e137
    • Subash Abhinov Kasiviswanathan's avatar
      dev: Defer free of skbs in flush_backlog · 7df5cb75
      Subash Abhinov Kasiviswanathan authored
      IRQs are disabled when freeing skbs in input queue.
      Use the IRQ safe variant to free skbs here.
      
      Fixes: 145dd5f9 ("net: flush the softnet backlog in process context")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7df5cb75
    • Atish Patra's avatar
      RISC-V: Set maximum number of mapped pages correctly · d0d8aae6
      Atish Patra authored
      Currently, maximum number of mapper pages are set to the pfn calculated
      from the memblock size of the memblock containing kernel. This will work
      until that memblock spans the entire memory. However, it will be set to
      a wrong value if there are multiple memblocks defined in kernel
      (e.g. with efi runtime services).
      
      Set the the maximum value to the pfn calculated from dram size.
      Signed-off-by: default avatarAtish Patra <atish.patra@wdc.com>
      Signed-off-by: default avatarPalmer Dabbelt <palmerdabbelt@google.com>
      d0d8aae6
    • Linus Torvalds's avatar
      Merge tag 'pci-v5.8-fixes-2' of... · 23ee3e4e
      Linus Torvalds authored
      Merge tag 'pci-v5.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci into master
      
      Pull PCI fixes from Bjorn Helgaas:
      
       - Reject invalid IRQ 0 command line argument for virtio_mmio because
         IRQ 0 now generates warnings (Bjorn Helgaas)
      
       - Revert "PCI/PM: Assume ports without DLL Link Active train links in
         100 ms", which broke nouveau (Bjorn Helgaas)
      
      * tag 'pci-v5.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        Revert "PCI/PM: Assume ports without DLL Link Active train links in 100 ms"
        virtio-mmio: Reject invalid IRQ 0 command line argument
      23ee3e4e
    • Cong Wang's avatar
      qrtr: orphan socket in qrtr_release() · af9f691f
      Cong Wang authored
      We have to detach sock from socket in qrtr_release(),
      otherwise skb->sk may still reference to this socket
      when the skb is released in tun->queue, particularly
      sk->sk_wq still points to &sock->wq, which leads to
      a UAF.
      
      Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com
      Fixes: 28fb4e59 ("net: qrtr: Expose tunneling endpoint to user space")
      Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af9f691f
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-07-24' of... · 657237f5
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-07-24' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.8
      
      Second set of fixes for v5.8, and hopefully also the last. Three
      important regressions fixed.
      
      ath9k
      
      * fix a regression which broke support for all ath9k usb devices
      
      ath10k
      
      * fix a regression which broke support for all QCA4019 AHB devices
      
      iwlwifi
      
      * fix a regression which broke support for some Killer Wireless-AC 1550 cards
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      657237f5
    • Andrea Righi's avatar
      xen-netfront: fix potential deadlock in xennet_remove() · c2c63310
      Andrea Righi authored
      There's a potential race in xennet_remove(); this is what the driver is
      doing upon unregistering a network device:
      
        1. state = read bus state
        2. if state is not "Closed":
        3.    request to set state to "Closing"
        4.    wait for state to be set to "Closing"
        5.    request to set state to "Closed"
        6.    wait for state to be set to "Closed"
      
      If the state changes to "Closed" immediately after step 1 we are stuck
      forever in step 4, because the state will never go back from "Closed" to
      "Closing".
      
      Make sure to check also for state == "Closed" in step 4 to prevent the
      deadlock.
      
      Also add a 5 sec timeout any time we wait for the bus state to change,
      to avoid getting stuck forever in wait_event().
      Signed-off-by: default avatarAndrea Righi <andrea.righi@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2c63310
  4. 24 Jul, 2020 8 commits