1. 17 May, 2022 6 commits
    • ext4: fix race condition between ext4_write and ext4_convert_inline_data · f87c7a4b
      Baokun Li authored
      Hulk Robot reported a BUG_ON:
       ==================================================================
       EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,
       block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters
       kernel BUG at fs/ext4/ext4_jbd2.c:53!
       invalid opcode: 0000 [#1] SMP KASAN PTI
       CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1
       RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
       RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116
       [...]
       Call Trace:
        ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795
        generic_perform_write+0x279/0x3c0 mm/filemap.c:3344
        ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270
        ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520
        do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732
        do_iter_write+0x107/0x430 fs/read_write.c:861
        vfs_writev fs/read_write.c:934 [inline]
        do_pwritev+0x1e5/0x380 fs/read_write.c:1031
       [...]
       ==================================================================
      
      The above issue may happen as follows:
                 cpu1                     cpu2
      __________________________|__________________________
      do_pwritev
       vfs_writev
        do_iter_write
         ext4_file_write_iter
          ext4_buffered_write_iter
           generic_perform_write
            ext4_da_write_begin
                                 vfs_fallocate
                                  ext4_fallocate
                                   ext4_convert_inline_data
                                    ext4_convert_inline_data_nolock
                                     ext4_destroy_inline_data_nolock
                                      clear EXT4_STATE_MAY_INLINE_DATA
                                     ext4_map_blocks
                                      ext4_ext_map_blocks
                                       ext4_mb_new_blocks
                                        ext4_mb_regular_allocator
                                         ext4_mb_good_group_nolock
                                          ext4_mb_init_group
                                           ext4_mb_init_cache
                                            ext4_mb_generate_buddy  --> error
             ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
                                      ext4_restore_inline_data
                                       set EXT4_STATE_MAY_INLINE_DATA
             ext4_block_write_begin
            ext4_da_write_end
             ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
             ext4_write_inline_data_end
              handle=NULL
              ext4_journal_stop(handle)
               __ext4_journal_stop
                ext4_put_nojournal(handle)
                 ref_cnt = (unsigned long)handle
                 BUG_ON(ref_cnt == 0)  ---> BUG_ON
      
      The lock held by ext4_convert_inline_data is xattr_sem, but the lock
      held by generic_perform_write is i_rwsem. Therefore, the two locks can
      be concurrent.
      
      To solve the above issue, we add inode_lock() for ext4_convert_inline_data().
      At the same time, move ext4_convert_inline_data() in front of
      ext4_punch_hole(), and remove similar handling from ext4_punch_hole().
      
      Fixes: 0c8d414f ("ext4: let fallocate handle inline data correctly")
      Cc: stable@vger.kernel.org
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Baokun Li <libaokun1@huawei.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20220428134031.4153381-1-libaokun1@huawei.com
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    • ext4: convert symlink external data block mapping to bdev · 6493792d
      Zhang Yi authored
      A symlink's external data block is one kind of metadata block, and now
      almost all ext4 metadata blocks' page cache (e.g. directory blocks,
      quota blocks...) belongs to the bdev backing inode, except for the
      symlink. It essentially works in data=journal mode like other regular
      files' data blocks, probably in order to make it simple for generic VFS
      code handling symlinks or for some other historical reasons, but the logic
      of creating the external data block in ext4_symlink() is complicated, and
      it also makes things confusing if the user does not want the filesystem
      to work in data=journal mode. This patch converts the final exceptional
      case and makes things clean, moving the mapping of the symlink's external
      data block to bdev like any other metadata block.
      Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
      Link: https://lore.kernel.org/r/20220424140936.1898920-3-yi.zhang@huawei.com
    • ext4: add nowait mode for ext4_getblk() · 9558cf14
      Zhang Yi authored
      The current ext4_getblk() might sleep if some resources are not valid, or
      could race with a concurrent extents modifying procedure. So we
      cannot call ext4_getblk() and ext4_map_blocks() to get map blocks in
      the atomic context in some fast path (e.g. the upcoming procedure of
      getting the symlink external block in the RCU context), even if the map
      extents have already been checked and cached.
      Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
      Link: https://lore.kernel.org/r/20220424140936.1898920-2-yi.zhang@huawei.com
    • ext4: fix journal_ioprio mount option handling · e4e58e5d
      Ojaswin Mujoo authored
      In __ext4_super() we always overwrote the user specified journal_ioprio
      value with a default value, expecting parse_apply_sb_mount_options() to
      later correctly set ctx->journal_ioprio to the user specified value.
      However, if parse_apply_sb_mount_options() returned early because of
      empty sbi->es_s->s_mount_opts, the correct journal_ioprio value was
      never set.
      
      This patch fixes __ext4_super() to only use the default value if the
      user has not specified any value for journal_ioprio.
      
      Similarly, the remount behavior was to either use journal_ioprio
      value specified during initial mount, or use the default value
      irrespective of the journal_ioprio value specified during remount.
      This patch modifies this to first check if a new value for ioprio
      has been passed during remount and apply it.  If no new value is
      passed, use the value specified during initial mount.
      Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
      Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com>
      Tested-by: Ritesh Harjani <riteshh@linux.ibm.com>
      Link: https://lore.kernel.org/r/20220418083545.45778-1-ojaswin@linux.ibm.com
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
    • ext4: mark group as trimmed only if it was fully scanned · d63c00ea
      Dmitry Monakhov authored
      Otherwise nonaligned fstrim calls will work inconveniently for iterative
      scanners, for example:
      
      // trim [0,16MB] for group-1, but mark full group as trimmed
      fstrim  -o $((1024*1024*128)) -l $((1024*1024*16)) ./m
      // handle [16MB,16MB] for group-1, do nothing because group already has the flag.
      fstrim  -o $((1024*1024*144)) -l $((1024*1024*16)) ./m
      
      [ Update function documentation for ext4_trim_all_free -- TYT ]
      Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
      Link: https://lore.kernel.org/r/1650214995-860245-1-git-send-email-dmtrmonakhov@yandex-team.ru
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
    • ext4: fix use-after-free in ext4_rename_dir_prepare · 0be698ec
      Ye Bin authored
      We got an issue as follows:
      EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
      ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
      ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
      ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
      ==================================================================
      BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
      Read of size 4 at addr ffff88810beee6ae by task rep/1895
      
      CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
      Call Trace:
       dump_stack+0xbe/0xf9
       print_address_description.constprop.0+0x1e/0x220
       kasan_report.cold+0x37/0x7f
       ext4_rename_dir_prepare+0x152/0x220
       ext4_rename+0xf44/0x1ad0
       ext4_rename2+0x11c/0x170
       vfs_rename+0xa84/0x1440
       do_renameat2+0x683/0x8f0
       __x64_sys_renameat+0x53/0x60
       do_syscall_64+0x33/0x40
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x7f45a6fc41c9
      RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
      RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
      RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
      R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
      R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
      flags: 0x200000000000000()
      raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
      raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
       ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      ==================================================================
      Disabling lock debugging due to kernel taint
      ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
      ext4_rename_dir_prepare: [3] dir=0xffff888124170140
      ext4_rename_dir_prepare: [4] ino=2
      ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872
      
      The reason is that the first directory entry's 'rec_len' is 34478, so we then
      get an illegal parent entry. Now, we do not check the directory entry after
      reading the directory block in 'ext4_get_first_dir_block'.
      To solve this issue, check the directory entry in 'ext4_get_first_dir_block'.
      
      [ Trigger an ext4_error() instead of just warning if the directory is
        missing a '.' or '..' entry.   Also make sure we return an error code
        if the file system is corrupted.  -TYT ]
      Signed-off-by: Ye Bin <yebin10@huawei.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
  2. 13 May, 2022 2 commits
  3. 11 May, 2022 5 commits
  4. 01 May, 2022 5 commits
    • Linux 5.18-rc5 · 672c0c51
      Linus Torvalds authored
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · b6b26489
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "ARM:
      
         - Take care of faults occurring between the PARange and IPA range by
           injecting an exception
      
         - Fix S2 faults taken from a host EL0 in protected mode
      
         - Work around Oops caused by a PMU access from a 32bit guest when PMU
           has been created. This is a temporary bodge until we fix it for
           good.
      
        x86:
      
         - Fix potential races when walking host page table
      
         - Fix shadow page table leak when KVM runs nested
      
         - Work around bug in userspace when KVM synthesizes leaf 0x80000021
           on older (pre-EPYC) or Intel processors
      
        Generic (but affects only RISC-V):
      
         - Fix bad user ABI for KVM_EXIT_SYSTEM_EVENT"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: work around QEMU issue with synthetic CPUID leaves
        Revert "x86/mm: Introduce lookup_address_in_mm()"
        KVM: x86/mmu: fix potential races when walking host page table
        KVM: fix bad user ABI for KVM_EXIT_SYSTEM_EVENT
        KVM: x86/mmu: Do not create SPTEs for GFNs that exceed host.MAXPHYADDR
        KVM: arm64: Inject exception on out-of-IPA-range translation fault
        KVM/arm64: Don't emulate a PMU for 32-bit guests if feature not set
        KVM: arm64: Handle host stage-2 faults from 32-bit EL0
    • Merge tag 'x86_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b2da7df5
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - A fix to disable PCI/MSI[-X] masking for XEN_HVM guests as that is
         solely controlled by the hypervisor
      
       - A build fix to make the function prototype (__warn()) as visible as
         the definition itself
      
       - A bunch of objtool annotation fixes which have accumulated over time
      
       - An ORC unwinder fix to handle bad input gracefully
      
       - Well, we thought the microcode gets loaded in time in order to
         restore the microcode-emulated MSRs but we thought wrong. So there's
         a fix for that to have the ordering done properly
      
       - Add new Intel model numbers
      
       - A spelling fix
      
      * tag 'x86_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
        bug: Have __warn() prototype defined unconditionally
        x86/Kconfig: fix the spelling of 'becoming' in X86_KERNEL_IBT config
        objtool: Use offstr() to print address of missing ENDBR
        objtool: Print data address for "!ENDBR" data warnings
        x86/xen: Add ANNOTATE_NOENDBR to startup_xen()
        x86/uaccess: Add ENDBR to __put_user_nocheck*()
        x86/retpoline: Add ANNOTATE_NOENDBR for retpolines
        x86/static_call: Add ANNOTATE_NOENDBR to static call trampoline
        objtool: Enable unreachable warnings for CLANG LTO
        x86,objtool: Explicitly mark idtentry_body()s tail REACHABLE
        x86,objtool: Mark cpu_startup_entry() __noreturn
        x86,xen,objtool: Add UNWIND hint
        lib/strn*,objtool: Enforce user_access_begin() rules
        MAINTAINERS: Add x86 unwinding entry
        x86/unwind/orc: Recheck address range after stack info was updated
        x86/cpu: Load microcode during restore_processor_state()
        x86/cpu: Add new Alderlake and Raptorlake CPU model numbers
    • Merge tag 'objtool_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b70ed23c
      Linus Torvalds authored
      Pull objtool fixes from Borislav Petkov:
       "A bunch of objtool fixes to improve unwinding, sibling call detection,
        fallthrough detection and relocation handling of weak symbols when the
        toolchain strips section symbols"
      
      * tag 'objtool_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Fix code relocs vs weak symbols
        objtool: Fix type of reloc::addend
        objtool: Fix function fallthrough detection for vmlinux
        objtool: Fix sibling call detection in alternatives
        objtool: Don't set 'jump_dest' for sibling calls
        x86/uaccess: Don't jump between functions
    • Merge tag 'irq_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d4af0c17
      Linus Torvalds authored
      Pull irq fix from Borislav Petkov:
      
       - Fix locking when accessing device MSI descriptors
      
      * tag 'irq_urgent_for_v5.18_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        bus: fsl-mc-msi: Fix MSI descriptor mutex lock for msi_first_desc()
  5. 30 Apr, 2022 5 commits
    • Merge tag 'driver-core-5.18-rc5' of... · 57ae8a49
      Linus Torvalds authored
      Merge tag 'driver-core-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here are some small driver core and kernfs fixes for some reported
        problems. They include:
      
         - kernfs regression that is causing oopses in 5.17 and newer releases
      
         - topology sysfs fixes for a few small reported problems.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'driver-core-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        kernfs: fix NULL dereferencing in kernfs_remove
        topology: Fix up build warning in topology_is_visible()
        arch_topology: Do not set llc_sibling if llc_id is invalid
        topology: make core_mask include at least cluster_siblings
        topology/sysfs: Hide PPIN on systems that do not support it.
    • Merge tag 'char-misc-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · e2e5ebec
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a small number of char/misc/other driver fixes for 5.18-rc5
      
        Nothing major in here, this is mostly IIO driver fixes along with some
        other small things:
      
         - at25 driver fix for systems without a dma-able stack
      
         - phy driver fixes for reported issues
      
         - binder driver fixes for reported issues
      
        All of these have been in linux-next without any reported problems"
      
      * tag 'char-misc-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (31 commits)
        eeprom: at25: Use DMA safe buffers
        binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
        binder: Address corner cases in deferred copy and fixup
        phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe()
        iio: imu: inv_icm42600: Fix I2C init possible nack
        iio: dac: ltc2688: fix voltage scale read
        interconnect: qcom: sdx55: Drop IP0 interconnects
        interconnect: qcom: sc7180: Drop IP0 interconnects
        phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
        phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
        phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
        bus: mhi: host: pci_generic: Flush recovery worker during freeze
        bus: mhi: host: pci_generic: Add missing poweroff() PM callback
        phy: ti: tusb1210: Fix an error handling path in tusb1210_probe()
        phy: samsung: exynos5250-sata: fix missing device put in probe error paths
        phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
        phy: ti: Fix missing of_node_put in ti_pipe3_get_sysctrl()
        phy: ti: tusb1210: Make tusb1210_chg_det_states static
        iio:dac:ad3552r: Fix an IS_ERR() vs NULL check
        iio: sx9324: Fix default precharge internal resistance register
        ...
    • Merge tag 'tty-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · a6b5c5dc
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small serial driver fixes, and a larger number of GSM
        line discipline fixes for 5.18-rc5.
      
        These include:
      
         - lots of tiny n_gsm fixes for issues to resolve a number of reported
           problems. Seems that people are starting to actually use this code
           again.
      
         - 8250 driver fixes for some devices
      
         - imx serial driver fix
      
         - amba-pl011 driver fix
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (27 commits)
        tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output()
        serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
        serial: 8250: Also set sticky MCR bits in console restoration
        tty: n_gsm: fix software flow control handling
        tty: n_gsm: fix invalid use of MSC in advanced option
        tty: n_gsm: fix broken virtual tty handling
        Revert "serial: sc16is7xx: Clear RS485 bits in the shutdown"
        tty: n_gsm: fix missing update of modem controls after DLCI open
        serial: 8250: Fix runtime PM for start_tx() for empty buffer
        serial: imx: fix overrun interrupts in DMA mode
        serial: amba-pl011: do not time out prematurely when draining tx fifo
        tty: n_gsm: fix incorrect UA handling
        tty: n_gsm: fix reset fifo race condition
        tty: n_gsm: fix missing tty wakeup in convergence layer type 2
        tty: n_gsm: fix wrong signal octets encoding in MSC
        tty: n_gsm: fix wrong command frame length field encoding
        tty: n_gsm: fix wrong command retry handling
        tty: n_gsm: fix missing explicit ldisc flush
        tty: n_gsm: fix wrong DLCI release order
        tty: n_gsm: fix insufficient txframe size
        ...
    • Merge tag 'usb-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · da1b4042
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of small USB driver fixes for 5.18-rc5 for some
        reported issues and new quirks. They include:
      
         - dwc3 driver fixes
      
         - xhci driver fixes
      
         - typec driver fixes
      
         - new usb-serial driver ids
      
         - added new USB devices to existing quirk tables
      
         - other tiny fixes
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (31 commits)
        usb: phy: generic: Get the vbus supply
        usb: dwc3: gadget: Return proper request status
        usb: dwc3: pci: add support for the Intel Meteor Lake-P
        usb: dwc3: core: Only handle soft-reset in DCTL
        usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind()
        usb: misc: eud: Fix an error handling path in eud_probe()
        usb: core: Don't hold the device lock while sleeping in do_proc_control()
        usb: dwc3: Try usb-role-switch first in dwc3_drd_init
        usb: dwc3: core: Fix tx/rx threshold settings
        usb: mtu3: fix USB 3.0 dual-role-switch from device to host
        xhci: Enable runtime PM on second Alderlake controller
        usb: dwc3: fix backwards compat with rockchip devices
        dt-bindings: usb: samsung,exynos-usb2: add missing required reg
        usb: misc: fix improper handling of refcount in uss720_probe()
        USB: Fix ehci infinite suspend-resume loop issue in zhaoxin
        usb: typec: tcpm: Fix undefined behavior due to shift overflowing the constant
        usb: typec: rt1719: Fix build error without CONFIG_POWER_SUPPLY
        usb: typec: ucsi: Fix role swapping
        usb: typec: ucsi: Fix reuse of completion structure
        usb: xhci: tegra:Fix PM usage reference leak of tegra_xusb_unpowergate_partitions
        ...
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · e9512f36
      Linus Torvalds authored
      Pull SCSI fix from James Bottomley:
       "One fix for an endless error loop with the target driver affecting
        tapes"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: target: pscsi: Set SCF_TREAT_READ_AS_NORMAL flag only if there is valid data
  6. 29 Apr, 2022 17 commits
    • Merge tag 'soc-fixes-5.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 8013d1d3
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
      
       - A fix for a regression caused by the previous set of bugfixes
         changing tegra and at91 pinctrl properties.
      
         More work is needed to figure out what this should actually be, but a
         revert makes it work for the moment.
      
       - Defconfig regression fixes for tegra after renamed symbols
      
       - Build-time warning and static checker fixes for imx, op-tee, sunxi,
         meson, at91, and omap
      
       - More at91 DT fixes for audio, regulator and spi nodes
      
       - A regression fix for Renesas Hyperflash memory probe
      
       - A stability fix for amlogic boards, modifying the allowed cpufreq
         states
      
       - Multiple fixes for system suspend on omap2+
      
       - DT fixes for various i.MX bugs
      
       - A probe error fix for imx6ull-colibri MMC
      
       - A MAINTAINERS file entry for samsung bug reports
      
      * tag 'soc-fixes-5.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (42 commits)
        Revert "arm: dts: at91: Fix boolean properties with values"
        bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
        Revert "arm64: dts: tegra: Fix boolean properties with values"
        arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
        ARM: dts: imx6ull-colibri: fix vqmmc regulator
        MAINTAINERS: add Bug entry for Samsung and memory controller drivers
        memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode
        ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
        ARM: dts: am3517-evm: Fix misc pinmuxing
        ARM: dts: am33xx-l4: Add missing touchscreen clock properties
        ARM: dts: Fix mmc order for omap3-gta04
        ARM: dts: at91: fix pinctrl phandles
        ARM: dts: at91: sama5d4_xplained: fix pinctrl phandle name
        ARM: dts: at91: Describe regulators on at91sam9g20ek
        ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
        ARM: dts: at91: Fix boolean properties with values
        ARM: dts: at91: use generic node name for dataflash
        ARM: dts: at91: align SPI NOR node name with dtschema
        ARM: dts: at91: sama7g5ek: Align the impedance of the QSPI0's HSIO and PCB lines
        ARM: dts: at91: sama7g5ek: enable pull-up on flexcom3 console lines
        ...
    • Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c0e6265e
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A semi-large pile of clk driver fixes this time around.
      
        Nothing is touching the core so these fixes are fairly well contained
        to specific devices that use these clk drivers.
      
         - Some Allwinner SoC fixes to gracefully handle errors and mark an
           RTC clk as critical so that the RTC keeps ticking.
      
         - Fix AXI bus clks and RTC clk design for Microchip PolarFire SoC
           driver introduced this cycle. This has some devicetree bits acked
           by riscv maintainers. We're fixing it now so that the prior
           bindings aren't released in a major kernel version.
      
         - Remove a reset on Microchip PolarFire SoCs that broke when enabling
           CONFIG_PM.
      
         - Set a min/max for the Qualcomm graphics clk. This got broken by the
           clk rate range patches introduced this cycle"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource()
        clk: sunxi-ng: sun6i-rtc: Mark rtc-32k as critical
        riscv: dts: microchip: reparent mpfs clocks
        clk: microchip: mpfs: add RTCREF clock control
        clk: microchip: mpfs: re-parent the configurable clocks
        dt-bindings: rtc: add refclk to mpfs-rtc
        dt-bindings: clk: mpfs: add defines for two new clocks
        dt-bindings: clk: mpfs document msspll dri registers
        riscv: dts: microchip: fix usage of fic clocks on mpfs
        clk: microchip: mpfs: mark CLK_ATHENA as critical
        clk: microchip: mpfs: fix parents for FIC clocks
        clk: qcom: clk-rcg2: fix gfx3d frequency calculation
        clk: microchip: mpfs: don't reset disabled peripherals
        clk: sunxi-ng: fix not NULL terminated coccicheck error
    • Merge tag 'block-5.18-2022-04-29' of git://git.kernel.dk/linux-block · bd3d3ade
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Revert of a patch that caused timestamp issues (Tejun)
      
       - iocost warning fix (Tejun)
      
       - bfq warning fix (Jan)
      
      * tag 'block-5.18-2022-04-29' of git://git.kernel.dk/linux-block:
        bfq: Fix warning in bfqq_request_over_limit()
        Revert "block: inherit request start time from bio for BLK_CGROUP"
        iocost: don't reset the inuse weight of under-weighted debtors
    • Merge tag 'io_uring-5.18-2022-04-29' of git://git.kernel.dk/linux-block · 63b7b3ea
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Pretty boring:
      
         - three patches just adding reserved field checks (me, Eugene)
      
         - Fixing a potential regression with IOPOLL caused by a block change
           (Joseph)"
      
      Boring is good.
      
      * tag 'io_uring-5.18-2022-04-29' of git://git.kernel.dk/linux-block:
        io_uring: check that data field is 0 in ringfd unregister
        io_uring: fix uninitialized field in rw io_kiocb
        io_uring: check reserved fields for recv/recvmsg
        io_uring: check reserved fields for send/sendmsg
    • Merge tag 'random-5.18-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · bdda8303
      Linus Torvalds authored
      Pull random number generator fixes from Jason Donenfeld:
      
       - Eric noticed that the memmove() in crng_fast_key_erasure() was bogus,
         so this has been changed to a memcpy() and the confusing situation
         clarified with a detailed comment.
      
       - [Half]SipHash documentation updates from Bagas and Eric, after Eric
         pointed out that the use of HalfSipHash in random.c made a bit of the
         text potentially misleading.
      
      * tag 'random-5.18-rc5-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        Documentation: siphash: disambiguate HalfSipHash algorithm from hsiphash functions
        Documentation: siphash: enclose HalfSipHash usage example in the literal block
        Documentation: siphash: convert danger note to warning for HalfSipHash
        random: document crng_fast_key_erasure() destination possibility
    • Merge tag 'ceph-for-5.18-rc5' of https://github.com/ceph/ceph-client · bd383b8e
      Linus Torvalds authored
      Pull ceph client fixes from Ilya Dryomov:
       "A fix for a NULL dereference that turns out to be easily triggerable
        by fsync (marked for stable) and a false positive WARN and snap_rwsem
        locking fixups"
      
      * tag 'ceph-for-5.18-rc5' of https://github.com/ceph/ceph-client:
        ceph: fix possible NULL pointer dereference for req->r_session
        ceph: remove incorrect session state check
        ceph: get snap_rwsem read lock in handle_cap_export for ceph_add_cap
        libceph: disambiguate cluster/pool full log message
    • Revert "arm: dts: at91: Fix boolean properties with values" · adee8aa2
      Arnd Bergmann authored
      This reverts commit 0dc23d1a, which caused another regression
      as the pinctrl code actually expects an integer value of 0 or 1
      rather than a simple boolean property.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    • KVM: x86: work around QEMU issue with synthetic CPUID leaves · f751d8ea
      Paolo Bonzini authored
      Synthesizing AMD leaves up to 0x80000021 caused problems with QEMU,
      which assumes the *host* CPUID[0x80000000].EAX is higher or equal
      to what KVM_GET_SUPPORTED_CPUID reports.
      
      This causes QEMU to issue bogus host CPUIDs when preparing the input
      to KVM_SET_CPUID2.  It can even get into an infinite loop, which is
      only terminated by an abort():
      
         cpuid_data is full, no space for cpuid(eax:0x8000001d,ecx:0x3e)
      
      To work around this, only synthesize those leaves if 0x8000001d exists
      on the host.  The synthetic 0x80000021 leaf is mostly useful on Zen2,
      which satisfies the condition.
      
      Fixes: f144c49e ("KVM: x86: synthesize CPUID leaf 0x80000021h if useful")
      Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge tag 'perf-tools-fixes-for-v5.18-2022-04-29' of... · 3e71713c
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v5.18-2022-04-29' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Fix Intel PT (Processor Trace) timeless decoding with perf.data
         directory.
      
       - ARM SPE (Statistical Profiling Extensions) address fixes, for
         synthesized events and for SPE events with physical addresses. Add a
         simple 'perf test' entry to make sure this doesn't regress.
      
       - Remove arch specific processing of kallsyms data to fixup symbol end
         address, fixing excessive memory consumption in the annotation code.
      
      * tag 'perf-tools-fixes-for-v5.18-2022-04-29' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf symbol: Remove arch__symbols__fixup_end()
        perf symbol: Update symbols__fixup_end()
        perf symbol: Pass is_kallsyms to symbols__fixup_end()
        perf test: Add perf_event_attr test for Arm SPE
        perf arm-spe: Fix SPE events with phys addresses
        perf arm-spe: Fix addresses of synthesized SPE events
        perf intel-pt: Fix timeless decoding with perf.data directory
    • Merge tag 'riscv-for-linus-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 2d0de93c
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix to properly ensure a single CPU is running during patch_text().
      
       - A defconfig update to include RPMSG_CTRL when RPMSG_CHAR was set,
         necessary after a recent refactoring.
      
      * tag 'riscv-for-linus-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: configs: Configs that had RPMSG_CHAR now get RPMSG_CTRL
        riscv: patch_text: Fixup last cpu should be master
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 66c2112b
      Linus Torvalds authored
      Pull arm64 fix from Will Deacon:
       "Rename and reallocate the PT_ARM_MEMTAG_MTE ELF segment type.
      
        This is a fix to the MTE ELF ABI for a bug that was added during the
        most recent merge window as part of the coredump support.
      
        The issue is that the value assigned to the new PT_ARM_MEMTAG_MTE
        segment type has already been allocated to PT_AARCH64_UNWIND by the
        ELF ABI, so we've bumped the value and changed the name of the
        identifier to be better aligned with the existing one"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        elf: Fix the arm64 MTE ELF segment name and value
    • Revert "x86/mm: Introduce lookup_address_in_mm()" · 643d95aa
      Sean Christopherson authored
      Drop lookup_address_in_mm() now that KVM is providing its own variant
      of lookup_address_in_pgd() that is safe for use with user addresses, e.g.
      guards against page tables being torn down.  A variant that provides a
      non-init mm is inherently dangerous and flawed, as the only reason to use
      an mm other than init_mm is to walk a userspace mapping, and
      lookup_address_in_pgd() does not play nice with userspace mappings, e.g.
      doesn't disable IRQs to block TLB shootdowns and doesn't use READ_ONCE()
      to ensure an upper level entry isn't converted to a huge page between
      checking the PAGE_SIZE bit and grabbing the address of the next level
      down.
      
      This reverts commit 13c72c06.
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <YmwIi3bXr/1yhYV/@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge branch 'kvm-fixes-for-5.18-rc5' into HEAD · 73331c5d
      Paolo Bonzini authored
      Fixes for (relatively) old bugs, to be merged in both the -rc and next
      development trees:
      
      * Fix potential races when walking host page table
      
      * Fix bad user ABI for KVM_EXIT_SYSTEM_EVENT
      
      * Fix shadow page table leak when KVM runs nested
    • KVM: x86/mmu: fix potential races when walking host page table · 44187235
      Mingwei Zhang authored
      KVM uses lookup_address_in_mm() to detect the hugepage size that the host
      uses to map a pfn.  The function suffers from several issues:
      
       - no usage of READ_ONCE(*). This allows multiple dereference of the same
         page table entry. The TOCTOU problem because of that may cause KVM to
         incorrectly treat a newly generated leaf entry as a nonleaf one, and
         dereference the content by using its pfn value.
      
       - the information returned does not match what KVM needs; for non-present
         entries it returns the level at which the walk was terminated, as long
         as the entry is not 'none'.  KVM needs level information of only 'present'
         entries, otherwise it may regard a non-present PXE entry as a present
         large page mapping.
      
       - the function is not safe for mappings that can be torn down, because it
         does not disable IRQs and because it returns a PTE pointer which is never
         safe to dereference after the function returns.
      
      So implement the logic for walking host page tables directly in KVM, and
      stop using lookup_address_in_mm().
      
      Cc: Sean Christopherson <seanjc@google.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Mingwei Zhang <mizhang@google.com>
      Message-Id: <20220429031757.2042406-1-mizhang@google.com>
      [Inline in host_pfn_mapping_level, ensure no semantic change for its
       callers. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: fix bad user ABI for KVM_EXIT_SYSTEM_EVENT · d495f942
      Paolo Bonzini authored
      When KVM_EXIT_SYSTEM_EVENT was introduced, it included a flags
      member that at the time was unused.  Unfortunately this extensibility
      mechanism has several issues:
      
      - x86 is not writing the member, so it would not be possible to use it
        on x86 except for new events
      
      - the member is not aligned to 64 bits, so the definition of the
        uAPI struct is incorrect for 32- on 64-bit userspace.  This is a
        problem for RISC-V, which supports CONFIG_KVM_COMPAT, but fortunately
        usage of flags was only introduced in 5.18.
      
      Since padding has to be introduced, place a new field in there
      that tells if the flags field is valid.  To allow further extensibility,
      in fact, change flags to an array of 16 values, and store how many
      of the values are valid.  The availability of the new ndata field
      is tied to a system capability; all architectures are changed to
      fill in the field.
      
      To avoid breaking compilation of userspace that was using the flags
      field, provide a userspace-only union to overlap flags with data[0].
      The new field is placed at the same offset for both 32- and 64-bit
      userspace.
      
      Cc: Will Deacon <will@kernel.org>
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Peter Gonda <pgonda@google.com>
      Cc: Sean Christopherson <seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Reported-by: kernel test robot <lkp@intel.com>
      Message-Id: <20220422103013.34832-1-pbonzini@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86/mmu: Do not create SPTEs for GFNs that exceed host.MAXPHYADDR · 86931ff7
      Sean Christopherson authored
      Disallow memslots and MMIO SPTEs whose gpa range would exceed the host's
      MAXPHYADDR, i.e. don't create SPTEs for gfns that exceed host.MAXPHYADDR.
      The TDP MMU bounds its zapping based on host.MAXPHYADDR, and so if the
      guest, possibly with help from userspace, manages to coerce KVM into
      creating a SPTE for an "impossible" gfn, KVM will leak the associated
      shadow pages (page tables):
      
        WARNING: CPU: 10 PID: 1122 at arch/x86/kvm/mmu/tdp_mmu.c:57
                                      kvm_mmu_uninit_tdp_mmu+0x4b/0x60 [kvm]
        Modules linked in: kvm_intel kvm irqbypass
        CPU: 10 PID: 1122 Comm: set_memory_regi Tainted: G        W         5.18.0-rc1+ #293
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
        RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x4b/0x60 [kvm]
        Call Trace:
         <TASK>
         kvm_arch_destroy_vm+0x130/0x1b0 [kvm]
         kvm_destroy_vm+0x162/0x2d0 [kvm]
         kvm_vm_release+0x1d/0x30 [kvm]
         __fput+0x82/0x240
         task_work_run+0x5b/0x90
         exit_to_user_mode_prepare+0xd2/0xe0
         syscall_exit_to_user_mode+0x1d/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xae
         </TASK>
      
      On bare metal, encountering an impossible gpa in the page fault path is
      well and truly impossible, barring CPU bugs, as the CPU will signal #PF
      during the gva=>gpa translation (or a similar failure when stuffing a
      physical address into e.g. the VMCS/VMCB).  But if KVM is running as a VM
      itself, the MAXPHYADDR enumerated to KVM may not be the actual MAXPHYADDR
      of the underlying hardware, in which case the hardware will not fault on
      the illegal-from-KVM's-perspective gpa.
      
      Alternatively, KVM could continue allowing the dodgy behavior and simply
      zap the max possible range.  But, for hosts with MAXPHYADDR < 52, that's
      a (minor) waste of cycles, and more importantly, KVM can't reasonably
      support impossible memslots when running on bare metal (or with an
      accurate MAXPHYADDR as a VM).  Note, limiting the overhead by checking if
      KVM is running as a guest is not a safe option as the host isn't required
      to announce itself to the guest in any way, e.g. doesn't need to set the
      HYPERVISOR CPUID bit.
      
      A second alternative to disallowing the memslot behavior would be to
      disallow creating a VM with guest.MAXPHYADDR > host.MAXPHYADDR.  That
      restriction is undesirable as there are legitimate use cases for doing
      so, e.g. using the highest host.MAXPHYADDR out of a pool of heterogeneous
      systems so that VMs can be migrated between hosts with different
      MAXPHYADDRs without running afoul of the allow_smaller_maxphyaddr mess.
      
      Note that any guest.MAXPHYADDR is valid with shadow paging, and it is
      even useful in order to test KVM with MAXPHYADDR=52 (i.e. without
      any reserved physical address bits).
      
      The now common kvm_mmu_max_gfn() is inclusive instead of exclusive.
      The memslot and TDP MMU code want an exclusive value, but the name
      implies the returned value is inclusive, and the MMIO path needs an
      inclusive check.
      
      Fixes: faaf05b0 ("kvm: x86/mmu: Support zapping SPTEs in the TDP MMU")
      Fixes: 524a1e4e ("KVM: x86/mmu: Don't leak non-leaf SPTEs when zapping all SPTEs")
      Cc: stable@vger.kernel.org
      Cc: Maxim Levitsky <mlevitsk@redhat.com>
      Cc: Ben Gardon <bgardon@google.com>
      Cc: David Matlack <dmatlack@google.com>
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <20220428233416.2446833-1-seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge tag 'kvmarm-fixes-5.18-2' of... · 484c22df
      Paolo Bonzini authored
      Merge tag 'kvmarm-fixes-5.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
      
      KVM/arm64 fixes for 5.18, take #2
      
      - Take care of faults occurring between the PARange and
        IPA range by injecting an exception
      
      - Fix S2 faults taken from a host EL0 in protected mode
      
      - Work around Oops caused by a PMU access from a 32bit
        guest when PMU has been created. This is a temporary
        bodge until we fix it for good.