1. 09 Dec, 2022 3 commits
    • Baokun Li's avatar
      ext4: fix bug_on in __es_tree_search caused by bad quota inode · d3238774
      Baokun Li authored
      We got a issue as fllows:
      ==================================================================
       kernel BUG at fs/ext4/extents_status.c:202!
       invalid opcode: 0000 [#1] PREEMPT SMP
       CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352
       RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0
       RSP: 0018:ffffc90001227900 EFLAGS: 00010202
       RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000
       RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8
       RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001
       R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10
       R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000
       FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        <TASK>
        ext4_es_cache_extent+0xe2/0x210
        ext4_cache_extents+0xd2/0x110
        ext4_find_extent+0x5d5/0x8c0
        ext4_ext_map_blocks+0x9c/0x1d30
        ext4_map_blocks+0x431/0xa50
        ext4_getblk+0x82/0x340
        ext4_bread+0x14/0x110
        ext4_quota_read+0xf0/0x180
        v2_read_header+0x24/0x90
        v2_check_quota_file+0x2f/0xa0
        dquot_load_quota_sb+0x26c/0x760
        dquot_load_quota_inode+0xa5/0x190
        ext4_enable_quotas+0x14c/0x300
        __ext4_fill_super+0x31cc/0x32c0
        ext4_fill_super+0x115/0x2d0
        get_tree_bdev+0x1d2/0x360
        ext4_get_tree+0x19/0x30
        vfs_get_tree+0x26/0xe0
        path_mount+0x81d/0xfc0
        do_mount+0x8d/0xc0
        __x64_sys_mount+0xc0/0x160
        do_syscall_64+0x35/0x80
        entry_SYSCALL_64_after_hwframe+0x63/0xcd
        </TASK>
      ==================================================================
      
      Above issue may happen as follows:
      -------------------------------------
      ext4_fill_super
       ext4_orphan_cleanup
        ext4_enable_quotas
         ext4_quota_enable
          ext4_iget --> get error inode <5>
           ext4_ext_check_inode --> Wrong imode makes it escape inspection
           make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode
          dquot_load_quota_inode
           vfs_setup_quota_inode --> check pass
           dquot_load_quota_sb
            v2_check_quota_file
             v2_read_header
              ext4_quota_read
               ext4_bread
                ext4_getblk
                 ext4_map_blocks
                  ext4_ext_map_blocks
                   ext4_find_extent
                    ext4_cache_extents
                     ext4_es_cache_extent
                      __es_tree_search.isra.0
                       ext4_es_end --> Wrong extents trigger BUG_ON
      
      In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains
      incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,
      the ext4_ext_check_inode check in the ext4_iget function can be bypassed,
      finally, the extents that are not checked trigger the BUG_ON in the
      __es_tree_search function. To solve this issue, check whether the inode is
      bad_inode in vfs_setup_quota_inode().
      Signed-off-by: default avatarBaokun Li <libaokun1@huawei.com>
      Reviewed-by: default avatarChaitanya Kulkarni <kch@nvidia.com>
      Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20221026042310.3839669-2-libaokun1@huawei.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      d3238774
    • Luís Henriques's avatar
      ext4: remove trailing newline from ext4_msg() message · 78742d4d
      Luís Henriques authored
      The ext4_msg() function adds a new line to the message.  Remove extra '\n'
      from call to ext4_msg() in ext4_orphan_cleanup().
      Signed-off-by: default avatarLuís Henriques <lhenriques@suse.de>
      Link: https://lore.kernel.org/r/20221011155758.15287-1-lhenriques@suse.deSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      78742d4d
    • Bixuan Cui's avatar
      jbd2: use the correct print format · d87a7b4c
      Bixuan Cui authored
      The print format error was found when using ftrace event:
          <...>-1406 [000] .... 23599442.895823: jbd2_end_commit: dev 252,8 transaction -1866216965 sync 0 head -1866217368
          <...>-1406 [000] .... 23599442.896299: jbd2_start_commit: dev 252,8 transaction -1866216964 sync 0
      
      Use the correct print format for transaction, head and tid.
      
      Fixes: 879c5e6b ('jbd2: convert instrumentation from markers to tracepoints')
      Signed-off-by: default avatarBixuan Cui <cuibixuan@linux.alibaba.com>
      Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
      Link: https://lore.kernel.org/r/1665488024-95172-1-git-send-email-cuibixuan@linux.alibaba.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      d87a7b4c
  2. 01 Dec, 2022 5 commits
  3. 29 Nov, 2022 2 commits
  4. 28 Nov, 2022 1 commit
    • Zhang Yi's avatar
      ext4: silence the warning when evicting inode with dioread_nolock · bc12ac98
      Zhang Yi authored
      When evicting an inode with default dioread_nolock, it could be raced by
      the unwritten extents converting kworker after writeback some new
      allocated dirty blocks. It convert unwritten extents to written, the
      extents could be merged to upper level and free extent blocks, so it
      could mark the inode dirty again even this inode has been marked
      I_FREEING. But the inode->i_io_list check and warning in
      ext4_evict_inode() missing this corner case. Fortunately,
      ext4_evict_inode() will wait all extents converting finished before this
      check, so it will not lead to inode use-after-free problem, every thing
      is OK besides this warning. The WARN_ON_ONCE was originally designed
      for finding inode use-after-free issues in advance, but if we add
      current dioread_nolock case in, it will become not quite useful, so fix
      this warning by just remove this check.
      
       ======
       WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
       ext4_evict_inode+0x875/0xc60
       ...
       RIP: 0010:ext4_evict_inode+0x875/0xc60
       ...
       Call Trace:
        <TASK>
        evict+0x11c/0x2b0
        iput+0x236/0x3a0
        do_unlinkat+0x1b4/0x490
        __x64_sys_unlinkat+0x4c/0xb0
        do_syscall_64+0x3b/0x90
        entry_SYSCALL_64_after_hwframe+0x46/0xb0
       RIP: 0033:0x7fa933c1115b
       ======
      
      rm                          kworker
                                  ext4_end_io_end()
      vfs_unlink()
       ext4_unlink()
                                   ext4_convert_unwritten_io_end_vec()
                                    ext4_convert_unwritten_extents()
                                     ext4_map_blocks()
                                      ext4_ext_map_blocks()
                                       ext4_ext_try_to_merge_up()
                                        __mark_inode_dirty()
                                         check !I_FREEING
                                         locked_inode_to_wb_and_lock_list()
       iput()
        iput_final()
         evict()
          ext4_evict_inode()
           truncate_inode_pages_final() //wait release io_end
                                          inode_io_list_move_locked()
                                   ext4_release_io_end()
           trigger WARN_ON_ONCE()
      
      Cc: stable@kernel.org
      Fixes: ceff86fd ("ext4: Avoid freeing inodes on dirty list")
      Signed-off-by: default avatarZhang Yi <yi.zhang@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20220629112647.4141034-1-yi.zhang@huawei.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      bc12ac98
  5. 22 Nov, 2022 1 commit
  6. 07 Nov, 2022 1 commit
    • Baokun Li's avatar
      ext4: fix use-after-free in ext4_ext_shift_extents · f6b1a1cf
      Baokun Li authored
      If the starting position of our insert range happens to be in the hole
      between the two ext4_extent_idx, because the lblk of the ext4_extent in
      the previous ext4_extent_idx is always less than the start, which leads
      to the "extent" variable access across the boundary, the following UAF is
      triggered:
      ==================================================================
      BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
      Read of size 4 at addr ffff88819807a008 by task fallocate/8010
      CPU: 3 PID: 8010 Comm: fallocate Tainted: G            E     5.10.0+ #492
      Call Trace:
       dump_stack+0x7d/0xa3
       print_address_description.constprop.0+0x1e/0x220
       kasan_report.cold+0x67/0x7f
       ext4_ext_shift_extents+0x257/0x790
       ext4_insert_range+0x5b6/0x700
       ext4_fallocate+0x39e/0x3d0
       vfs_fallocate+0x26f/0x470
       ksys_fallocate+0x3a/0x70
       __x64_sys_fallocate+0x4f/0x60
       do_syscall_64+0x33/0x40
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      ==================================================================
      
      For right shifts, we can divide them into the following situations:
      
      1. When the first ee_block of ext4_extent_idx is greater than or equal to
         start, make right shifts directly from the first ee_block.
          1) If it is greater than start, we need to continue searching in the
             previous ext4_extent_idx.
          2) If it is equal to start, we can exit the loop (iterator=NULL).
      
      2. When the first ee_block of ext4_extent_idx is less than start, then
         traverse from the last extent to find the first extent whose ee_block
         is less than start.
          1) If extent is still the last extent after traversal, it means that
             the last ee_block of ext4_extent_idx is less than start, that is,
             start is located in the hole between idx and (idx+1), so we can
             exit the loop directly (break) without right shifts.
          2) Otherwise, make right shifts at the corresponding position of the
             found extent, and then exit the loop (iterator=NULL).
      
      Fixes: 331573fe ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarBaokun Li <libaokun1@huawei.com>
      Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      f6b1a1cf
  7. 06 Nov, 2022 17 commits
    • Linus Torvalds's avatar
      Linux 6.1-rc4 · f0c4d9fc
      Linus Torvalds authored
      f0c4d9fc
    • Linus Torvalds's avatar
      Merge tag 'cxl-fixes-for-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 16c7a368
      Linus Torvalds authored
      Pull cxl fixes from Dan Williams:
       "Several fixes for CXL region creation crashes, leaks and failures.
      
        This is mainly fallout from the original implementation of dynamic CXL
        region creation (instantiate new physical memory pools) that arrived
        in v6.0-rc1.
      
        Given the theme of "failures in the presence of pass-through decoders"
        this also includes new regression test infrastructure for that case.
      
        Summary:
      
         - Fix region creation crash with pass-through decoders
      
         - Fix region creation crash when no decoder allocation fails
      
         - Fix region creation crash when scanning regions to enforce the
           increasing physical address order constraint that CXL mandates
      
         - Fix a memory leak for cxl_pmem_region objects, track 1:N instead of
           1:1 memory-device-to-region associations.
      
         - Fix a memory leak for cxl_region objects when regions with active
           targets are deleted
      
         - Fix assignment of NUMA nodes to CXL regions by CFMWS (CXL Window)
           emulated proximity domains.
      
         - Fix region creation failure for switch attached devices downstream
           of a single-port host-bridge
      
         - Fix false positive memory leak of cxl_region objects by recycling
           recently used region ids rather than freeing them
      
         - Add regression test infrastructure for a pass-through decoder
           configuration
      
         - Fix some mailbox payload handling corner cases"
      
      * tag 'cxl-fixes-for-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl/region: Recycle region ids
        cxl/region: Fix 'distance' calculation with passthrough ports
        tools/testing/cxl: Add a single-port host-bridge regression config
        tools/testing/cxl: Fix some error exits
        cxl/pmem: Fix cxl_pmem_region and cxl_memdev leak
        cxl/region: Fix cxl_region leak, cleanup targets at region delete
        cxl/region: Fix region HPA ordering validation
        cxl/pmem: Use size_add() against integer overflow
        cxl/region: Fix decoder allocation crash
        ACPI: NUMA: Add CXL CFMWS 'nodes' to the possible nodes set
        cxl/pmem: Fix failure to account for 8 byte header for writes to the device LSA.
        cxl/region: Fix null pointer dereference due to pass through decoder commit
        cxl/mbox: Add a check on input payload size
      16c7a368
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v6.1-rc4' of... · aa529949
      Linus Torvalds authored
      Merge tag 'hwmon-for-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Fix two regressions:
      
         - Commit 54cc3dbf ("hwmon: (pmbus) Add regulator supply into
           macro") resulted in regulator undercount when disabling regulators.
           Revert it.
      
         - The thermal subsystem rework caused the scmi driver to no longer
           register with the thermal subsystem because index values no longer
           match. To fix the problem, the scmi driver now directly registers
           with the thermal subsystem, no longer through the hwmon core"
      
      * tag 'hwmon-for-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        Revert "hwmon: (pmbus) Add regulator supply into macro"
        hwmon: (scmi) Register explicitly with Thermal Framework
      aa529949
    • Linus Torvalds's avatar
      Merge tag 'perf_urgent_for_v6.1_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 727ea09e
      Linus Torvalds authored
      Pull perf fixes from Borislav Petkov:
      
       - Add Cooper Lake's stepping to the PEBS guest/host events isolation
         fixed microcode revisions checking quirk
      
       - Update Icelake and Sapphire Rapids events constraints
      
       - Use the standard energy unit for Sapphire Rapids in RAPL
      
       - Fix the hw_breakpoint test to fail more graciously on !SMP configs
      
      * tag 'perf_urgent_for_v6.1_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
        perf/x86/intel: Fix pebs event constraints for SPR
        perf/x86/intel: Fix pebs event constraints for ICL
        perf/x86/rapl: Use standard Energy Unit for SPR Dram RAPL domain
        perf/hw_breakpoint: test: Skip the test if dependencies unmet
      727ea09e
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v6.1_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f6f52047
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - Add new Intel CPU models
      
       - Enforce that TDX guests are successfully loaded only on TDX hardware
         where virtualization exception (#VE) delivery on kernel memory is
         disabled because handling those in all possible cases is "essentially
         impossible"
      
       - Add the proper include to the syscall wrappers so that BTF can see
         the real pt_regs definition and not only the forward declaration
      
      * tag 'x86_urgent_for_v6.1_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Add several Intel server CPU model numbers
        x86/tdx: Panic on bad configs that #VE on "private" memory access
        x86/tdx: Prepare for using "INFO" call for a second purpose
        x86/syscall: Include asm/ptrace.h in syscall_wrapper header
      f6f52047
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.1-2' of... · 35697d81
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Use POSIX-compatible grep options
      
       - Document git-related tips for reproducible builds
      
       - Fix a typo in the modpost rule
      
       - Suppress SIGPIPE error message from gcc-ar and llvm-ar
      
       - Fix segmentation fault in the menuconfig search
      
      * tag 'kbuild-fixes-v6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig: fix segmentation fault in menuconfig search
        kbuild: fix SIGPIPE error message for AR=gcc-ar and AR=llvm-ar
        kbuild: fix typo in modpost
        Documentation: kbuild: Add description of git for reproducible builds
        kbuild: use POSIX-compatible grep option
      35697d81
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 089d1c31
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
      "ARM:
      
         - Fix the pKVM stage-1 walker erronously using the stage-2 accessor
      
         - Correctly convert vcpu->kvm to a hyp pointer when generating an
           exception in a nVHE+MTE configuration
      
         - Check that KVM_CAP_DIRTY_LOG_* are valid before enabling them
      
         - Fix SMPRI_EL1/TPIDR2_EL0 trapping on VHE
      
         - Document the boot requirements for FGT when entering the kernel at
           EL1
      
        x86:
      
         - Use SRCU to protect zap in __kvm_set_or_clear_apicv_inhibit()
      
         - Make argument order consistent for kvcalloc()
      
         - Userspace API fixes for DEBUGCTL and LBRs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix a typo about the usage of kvcalloc()
        KVM: x86: Use SRCU to protect zap in __kvm_set_or_clear_apicv_inhibit()
        KVM: VMX: Ignore guest CPUID for host userspace writes to DEBUGCTL
        KVM: VMX: Fold vmx_supported_debugctl() into vcpu_supported_debugctl()
        KVM: VMX: Advertise PMU LBRs if and only if perf supports LBRs
        arm64: booting: Document our requirements for fine grained traps with SME
        KVM: arm64: Fix SMPRI_EL1/TPIDR2_EL0 trapping on VHE
        KVM: Check KVM_CAP_DIRTY_LOG_{RING, RING_ACQ_REL} prior to enabling them
        KVM: arm64: Fix bad dereference on MTE-enabled systems
        KVM: arm64: Use correct accessor to parse stage-1 PTEs
      089d1c31
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.1-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 6e8c78d3
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "One fix for silencing a smatch warning, and a small cleanup patch"
      
      * tag 'for-linus-6.1-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: simplify sysenter and syscall setup
        x86/xen: silence smatch warning in pmu_msr_chk_emulated()
      6e8c78d3
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 9761070d
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Fix a number of bugs, including some regressions, the most serious of
        which was one which would cause online resizes to fail with file
        systems with metadata checksums enabled.
      
        Also fix a warning caused by the newly added fortify string checker,
        plus some bugs that were found using fuzzed file systems"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix fortify warning in fs/ext4/fast_commit.c:1551
        ext4: fix wrong return err in ext4_load_and_init_journal()
        ext4: fix warning in 'ext4_da_release_space'
        ext4: fix BUG_ON() when directory entry has invalid rec_len
        ext4: update the backup superblock's at the end of the online resize
      9761070d
    • Linus Torvalds's avatar
      Merge tag '6.1-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 90153f92
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "One symlink handling fix and two fixes foir multichannel issues with
        iterating channels, including for oplock breaks when leases are
        disabled"
      
      * tag '6.1-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix use-after-free on the link name
        cifs: avoid unnecessary iteration of tcp sessions
        cifs: always iterate smb sessions using primary channel
      90153f92
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 8391aa4b
      Linus Torvalds authored
      Pull `lTracing fixes for 6.1-rc3:
      
       - Fixed NULL pointer dereference in the ring buffer wait-waiters code
         for machines that have less CPUs than what nr_cpu_ids returns.
      
         The buffer array is of size nr_cpu_ids, but only the online CPUs get
         initialized.
      
       - Fixed use after free call in ftrace_shutdown.
      
       - Fix accounting of if a kprobe is enabled
      
       - Fix NULL pointer dereference on error path of fprobe rethook_alloc().
      
       - Fix unregistering of fprobe_kprobe_handler
      
       - Fix memory leak in kprobe test module
      
      * tag 'trace-v6.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()
        tracing/fprobe: Fix to check whether fprobe is registered correctly
        fprobe: Check rethook_alloc() return in rethook initialization
        kprobe: reverse kp->flags when arm_kprobe failed
        ftrace: Fix use-after-free for dynamic ftrace_ops
        ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()
      8391aa4b
    • Paolo Bonzini's avatar
      Merge tag 'kvmarm-fixes-6.1-3' of... · f4298cac
      Paolo Bonzini authored
      Merge tag 'kvmarm-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
      
      * Fix the pKVM stage-1 walker erronously using the stage-2 accessor
      
      * Correctly convert vcpu->kvm to a hyp pointer when generating
        an exception in a nVHE+MTE configuration
      
      * Check that KVM_CAP_DIRTY_LOG_* are valid before enabling them
      
      * Fix SMPRI_EL1/TPIDR2_EL0 trapping on VHE
      
      * Document the boot requirements for FGT when entering the kernel
        at EL1
      f4298cac
    • Paolo Bonzini's avatar
      Merge branch 'kvm-master' into HEAD · 14620149
      Paolo Bonzini authored
      x86:
      * Use SRCU to protect zap in __kvm_set_or_clear_apicv_inhibit()
      
      * Make argument order consistent for kvcalloc()
      
      * Userspace API fixes for DEBUGCTL and LBRs
      14620149
    • Theodore Ts'o's avatar
      ext4: fix fortify warning in fs/ext4/fast_commit.c:1551 · 0d043351
      Theodore Ts'o authored
      With the new fortify string system, rework the memcpy to avoid this
      warning:
      
      memcpy: detected field-spanning write (size 60) of single field "&raw_inode->i_generation" at fs/ext4/fast_commit.c:1551 (size 4)
      
      Cc: stable@kernel.org
      Fixes: 54d9469b ("fortify: Add run-time WARN for cross-field memcpy()")
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      0d043351
    • Jason Yan's avatar
      ext4: fix wrong return err in ext4_load_and_init_journal() · 9f2a1d9f
      Jason Yan authored
      The return value is wrong in ext4_load_and_init_journal(). The local
      variable 'err' need to be initialized before goto out. The original code
      in __ext4_fill_super() is fine because it has two return values 'ret'
      and 'err' and 'ret' is initialized as -EINVAL. After we factor out
      ext4_load_and_init_journal(), this code is broken. So fix it by directly
      returning -EINVAL in the error handler path.
      
      Cc: stable@kernel.org
      Fixes: 9c1dd22d ("ext4: factor out ext4_load_and_init_journal()")
      Signed-off-by: default avatarJason Yan <yanaijie@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20221025040206.3134773-1-yanaijie@huawei.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      9f2a1d9f
    • Ye Bin's avatar
      ext4: fix warning in 'ext4_da_release_space' · 1b8f787e
      Ye Bin authored
      Syzkaller report issue as follows:
      EXT4-fs (loop0): Free/Dirty block details
      EXT4-fs (loop0): free_blocks=0
      EXT4-fs (loop0): dirty_blocks=0
      EXT4-fs (loop0): Block reservation details
      EXT4-fs (loop0): i_reserved_data_blocks=0
      EXT4-fs warning (device loop0): ext4_da_release_space:1527: ext4_da_release_space: ino 18, to_free 1 with only 0 reserved data blocks
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 92 at fs/ext4/inode.c:1528 ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1524
      Modules linked in:
      CPU: 0 PID: 92 Comm: kworker/u4:4 Not tainted 6.0.0-syzkaller-09423-g493ffd66 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      Workqueue: writeback wb_workfn (flush-7:0)
      RIP: 0010:ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1528
      RSP: 0018:ffffc900015f6c90 EFLAGS: 00010296
      RAX: 42215896cd52ea00 RBX: 0000000000000000 RCX: 42215896cd52ea00
      RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
      RBP: 1ffff1100e907d96 R08: ffffffff816aa79d R09: fffff520002bece5
      R10: fffff520002bece5 R11: 1ffff920002bece4 R12: ffff888021fd2000
      R13: ffff88807483ecb0 R14: 0000000000000001 R15: ffff88807483e740
      FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00005555569ba628 CR3: 000000000c88e000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       ext4_es_remove_extent+0x1ab/0x260 fs/ext4/extents_status.c:1461
       mpage_release_unused_pages+0x24d/0xef0 fs/ext4/inode.c:1589
       ext4_writepages+0x12eb/0x3be0 fs/ext4/inode.c:2852
       do_writepages+0x3c3/0x680 mm/page-writeback.c:2469
       __writeback_single_inode+0xd1/0x670 fs/fs-writeback.c:1587
       writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1870
       wb_writeback+0x41f/0x7b0 fs/fs-writeback.c:2044
       wb_do_writeback fs/fs-writeback.c:2187 [inline]
       wb_workfn+0x3cb/0xef0 fs/fs-writeback.c:2227
       process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
       worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
       kthread+0x266/0x300 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
       </TASK>
      
      Above issue may happens as follows:
      ext4_da_write_begin
        ext4_create_inline_data
          ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
          ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
      __ext4_ioctl
        ext4_ext_migrate -> will lead to eh->eh_entries not zero, and set extent flag
      ext4_da_write_begin
        ext4_da_convert_inline_data_to_extent
          ext4_da_write_inline_data_begin
            ext4_da_map_blocks
              ext4_insert_delayed_block
      	  if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk))
      	    if (!ext4_es_scan_clu(inode, &ext4_es_is_mapped, lblk))
      	      ext4_clu_mapped(inode, EXT4_B2C(sbi, lblk)); -> will return 1
      	       allocated = true;
                ext4_es_insert_delayed_block(inode, lblk, allocated);
      ext4_writepages
        mpage_map_and_submit_extent(handle, &mpd, &give_up_on_write); -> return -ENOSPC
        mpage_release_unused_pages(&mpd, give_up_on_write); -> give_up_on_write == 1
          ext4_es_remove_extent
            ext4_da_release_space(inode, reserved);
              if (unlikely(to_free > ei->i_reserved_data_blocks))
      	  -> to_free == 1  but ei->i_reserved_data_blocks == 0
      	  -> then trigger warning as above
      
      To solve above issue, forbid inode do migrate which has inline data.
      
      Cc: stable@kernel.org
      Reported-by: syzbot+c740bb18df70ad00952e@syzkaller.appspotmail.com
      Signed-off-by: default avatarYe Bin <yebin10@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20221018022701.683489-1-yebin10@huawei.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      1b8f787e
    • Luís Henriques's avatar
      ext4: fix BUG_ON() when directory entry has invalid rec_len · 17a0bc9b
      Luís Henriques authored
      The rec_len field in the directory entry has to be a multiple of 4.  A
      corrupted filesystem image can be used to hit a BUG() in
      ext4_rec_len_to_disk(), called from make_indexed_dir().
      
       ------------[ cut here ]------------
       kernel BUG at fs/ext4/ext4.h:2413!
       ...
       RIP: 0010:make_indexed_dir+0x53f/0x5f0
       ...
       Call Trace:
        <TASK>
        ? add_dirent_to_buf+0x1b2/0x200
        ext4_add_entry+0x36e/0x480
        ext4_add_nondir+0x2b/0xc0
        ext4_create+0x163/0x200
        path_openat+0x635/0xe90
        do_filp_open+0xb4/0x160
        ? __create_object.isra.0+0x1de/0x3b0
        ? _raw_spin_unlock+0x12/0x30
        do_sys_openat2+0x91/0x150
        __x64_sys_open+0x6c/0xa0
        do_syscall_64+0x3c/0x80
        entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      The fix simply adds a call to ext4_check_dir_entry() to validate the
      directory entry, returning -EFSCORRUPTED if the entry is invalid.
      
      CC: stable@kernel.org
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216540Signed-off-by: default avatarLuís Henriques <lhenriques@suse.de>
      Link: https://lore.kernel.org/r/20221012131330.32456-1-lhenriques@suse.deSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      17a0bc9b
  8. 05 Nov, 2022 8 commits
    • Linus Torvalds's avatar
      Merge tag 'acpi-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 2f5065a0
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Add StorageD3Enable quirk for Dell Inspiron 16 5625 (Mario
        Limonciello)"
      
      * tag 'acpi-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: x86: Add another system to quirk list for forcing StorageD3Enable
      2f5065a0
    • Rafael J. Wysocki's avatar
      Merge branch 'acpi-x86' · 6faf4ce5
      Rafael J. Wysocki authored
      * acpi-x86:
        ACPI: x86: Add another system to quirk list for forcing StorageD3Enable
      6faf4ce5
    • Linus Torvalds's avatar
      Merge tag 'block-6.1-2022-11-05' of git://git.kernel.dk/linux · 4869f575
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Fixes for the ublk driver (Ming)
      
       - Fixes for error handling memory leaks (Chen Jun, Chen Zhongjin)
      
       - Explicitly clear the last request in a chain when the plug is
         flushed, as it may have already been issued (Al)
      
      * tag 'block-6.1-2022-11-05' of git://git.kernel.dk/linux:
        block: blk_add_rq_to_plug(): clear stale 'last' after flush
        blk-mq: Fix kmemleak in blk_mq_init_allocated_queue
        block: Fix possible memory leak for rq_wb on add_disk failure
        ublk_drv: add ublk_queue_cmd() for cleanup
        ublk_drv: avoid to touch io_uring cmd in blk_mq io path
        ublk_drv: comment on ublk_driver entry of Kconfig
        ublk_drv: return flag of UBLK_F_URING_CMD_COMP_IN_TASK in case of module
      4869f575
    • ChenXiaoSong's avatar
      cifs: fix use-after-free on the link name · 542228db
      ChenXiaoSong authored
      xfstests generic/011 reported use-after-free bug as follows:
      
        BUG: KASAN: use-after-free in __d_alloc+0x269/0x859
        Read of size 15 at addr ffff8880078933a0 by task dirstress/952
      
        CPU: 1 PID: 952 Comm: dirstress Not tainted 6.1.0-rc3+ #77
        Call Trace:
         __dump_stack+0x23/0x29
         dump_stack_lvl+0x51/0x73
         print_address_description+0x67/0x27f
         print_report+0x3e/0x5c
         kasan_report+0x7b/0xa8
         kasan_check_range+0x1b2/0x1c1
         memcpy+0x22/0x5d
         __d_alloc+0x269/0x859
         d_alloc+0x45/0x20c
         d_alloc_parallel+0xb2/0x8b2
         lookup_open+0x3b8/0x9f9
         open_last_lookups+0x63d/0xc26
         path_openat+0x11a/0x261
         do_filp_open+0xcc/0x168
         do_sys_openat2+0x13b/0x3f7
         do_sys_open+0x10f/0x146
         __se_sys_creat+0x27/0x2e
         __x64_sys_creat+0x55/0x6a
         do_syscall_64+0x40/0x96
         entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
        Allocated by task 952:
         kasan_save_stack+0x1f/0x42
         kasan_set_track+0x21/0x2a
         kasan_save_alloc_info+0x17/0x1d
         __kasan_kmalloc+0x7e/0x87
         __kmalloc_node_track_caller+0x59/0x155
         kstrndup+0x60/0xe6
         parse_mf_symlink+0x215/0x30b
         check_mf_symlink+0x260/0x36a
         cifs_get_inode_info+0x14e1/0x1690
         cifs_revalidate_dentry_attr+0x70d/0x964
         cifs_revalidate_dentry+0x36/0x62
         cifs_d_revalidate+0x162/0x446
         lookup_open+0x36f/0x9f9
         open_last_lookups+0x63d/0xc26
         path_openat+0x11a/0x261
         do_filp_open+0xcc/0x168
         do_sys_openat2+0x13b/0x3f7
         do_sys_open+0x10f/0x146
         __se_sys_creat+0x27/0x2e
         __x64_sys_creat+0x55/0x6a
         do_syscall_64+0x40/0x96
         entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
        Freed by task 950:
         kasan_save_stack+0x1f/0x42
         kasan_set_track+0x21/0x2a
         kasan_save_free_info+0x1c/0x34
         ____kasan_slab_free+0x1c1/0x1d5
         __kasan_slab_free+0xe/0x13
         __kmem_cache_free+0x29a/0x387
         kfree+0xd3/0x10e
         cifs_fattr_to_inode+0xb6a/0xc8c
         cifs_get_inode_info+0x3cb/0x1690
         cifs_revalidate_dentry_attr+0x70d/0x964
         cifs_revalidate_dentry+0x36/0x62
         cifs_d_revalidate+0x162/0x446
         lookup_open+0x36f/0x9f9
         open_last_lookups+0x63d/0xc26
         path_openat+0x11a/0x261
         do_filp_open+0xcc/0x168
         do_sys_openat2+0x13b/0x3f7
         do_sys_open+0x10f/0x146
         __se_sys_creat+0x27/0x2e
         __x64_sys_creat+0x55/0x6a
         do_syscall_64+0x40/0x96
         entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      When opened a symlink, link name is from 'inode->i_link', but it may be
      reset to a new value when revalidate the dentry. If some processes get the
      link name on the race scenario, then UAF will happen on link name.
      
      Fix this by implementing 'get_link' interface to duplicate the link name.
      
      Fixes: 76894f3e ("cifs: improve symlink handling for smb2+")
      Signed-off-by: default avatarChenXiaoSong <chenxiaosong2@huawei.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      542228db
    • Shyam Prasad N's avatar
      cifs: avoid unnecessary iteration of tcp sessions · 23d9b9b7
      Shyam Prasad N authored
      In a few places, we do unnecessary iterations of
      tcp sessions, even when the server struct is provided.
      
      The change avoids it and uses the server struct provided.
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      23d9b9b7
    • Shyam Prasad N's avatar
      cifs: always iterate smb sessions using primary channel · 8abcaeae
      Shyam Prasad N authored
      smb sessions and tcons currently hang off primary channel only.
      Secondary channels have the lists as empty. Whenever there's a
      need to iterate sessions or tcons, we should use the list in the
      corresponding primary channel.
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      8abcaeae
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · b208b9fb
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Avoid kprobe recursion when cortex_a76_erratum_1463225_debug_handler()
         is not inlined (change to __always_inline).
      
       - Fix the visibility of compat hwcaps, broken by recent changes to
         consolidate the visibility of hwcaps and the user-space view of the
         ID registers.
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: cpufeature: Fix the visibility of compat hwcaps
        arm64: entry: avoid kprobe recursion
      b208b9fb
    • Linus Torvalds's avatar
      Merge tag 'i2c-for-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 74f3f1d7
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A documentation fix and driver fixes for piix4, tegra, and i801"
      
      * tag 'i2c-for-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        Documentation: devres: add missing I2C helper
        i2c: i801: add lis3lv02d's I2C address for Vostro 5568
        i2c: tegra: Allocate DMA memory for DMA engine
        i2c: piix4: Fix adapter not be removed in piix4_remove()
      74f3f1d7
  9. 04 Nov, 2022 2 commits
    • Guenter Roeck's avatar
      Revert "hwmon: (pmbus) Add regulator supply into macro" · 1e699e17
      Guenter Roeck authored
      This reverts commit 54cc3dbf.
      
      Zev Weiss reports that the reverted patch may cause a regulator
      undercount. Here is his report:
      
      ... having regulator-dummy set as a supply on my PMBus regulators
      (instead of having them as their own top-level regulators without
      an upstream supply) leads to enable-count underflow errors when
      disabling them:
      
          # echo 0 > /sys/bus/platform/devices/efuse01/state
          [  906.094477] regulator-dummy: Underflow of regulator enable count
          [  906.100563] Failed to disable vout: -EINVAL
          [  136.992676] reg-userspace-consumer efuse01: Failed to configure state: -22
      
      Zev reports that reverting the patch fixes the problem. So let's do that
      for now.
      
      Fixes: 54cc3dbf ("hwmon: (pmbus) Add regulator supply into macro")
      Cc: Marcello Sylvester Bauer <sylv@sylv.io>
      Reported-by: default avatarZev Weiss <zev@bewilderbeest.net>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      1e699e17
    • Cristian Marussi's avatar
      hwmon: (scmi) Register explicitly with Thermal Framework · c4f68373
      Cristian Marussi authored
      Available sensors are enumerated and reported by the SCMI platform server
      using a 16bit identification number; not all such sensors are of a type
      supported by hwmon subsystem and, among the supported ones, only a subset
      could be temperature sensors that have to be registered with the Thermal
      Framework.
      Potential clashes between hwmon channels indexes and the underlying real
      sensors IDs do not play well with the hwmon<-->thermal bridge automatic
      registration routines and could need a sensible number of fake dummy
      sensors to be made up in order to keep indexes and IDs in sync.
      
      Avoid to use the hwmon<-->thermal bridge dropping the HWMON_C_REGISTER_TZ
      attribute and instead explicit register temperature sensors directly with
      the Thermal Framework.
      
      Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: linux-hwmon@vger.kernel.org
      Signed-off-by: default avatarCristian Marussi <cristian.marussi@arm.com>
      Acked-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Link: https://lore.kernel.org/r/20221031114018.59048-1-cristian.marussi@arm.comSigned-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      c4f68373