1. 27 May, 2022 1 commit
  2. 25 May, 2022 1 commit
  3. 24 May, 2022 10 commits
  4. 22 May, 2022 4 commits
  5. 21 May, 2022 3 commits
  6. 20 May, 2022 3 commits
  7. 19 May, 2022 1 commit
    • Paulo Alcantara's avatar
      cifs: fix signed integer overflow when fl_end is OFFSET_MAX · d80c6984
      Paulo Alcantara authored
      This fixes the following when running xfstests generic/504:
      
      [  134.394698] CIFS: Attempting to mount \\win16.vm.test\Share
      [  134.420905] CIFS: VFS: generate_smb3signingkey: dumping generated
      AES session keys
      [  134.420911] CIFS: VFS: Session Id    05 00 00 00 00 c4 00 00
      [  134.420914] CIFS: VFS: Cipher type   1
      [  134.420917] CIFS: VFS: Session Key   ea 0b d9 22 2e af 01 69 30 1b
      15 74 bf 87 41 11
      [  134.420920] CIFS: VFS: Signing Key   59 28 43 5c f0 b6 b1 6f f5 7b
      65 f2 9f 9e 58 7d
      [  134.420923] CIFS: VFS: ServerIn Key  eb aa 58 c8 95 01 9a f7 91 98
      e4 fa bc d8 74 f1
      [  134.420926] CIFS: VFS: ServerOut Key 08 5b 21 e5 2e 4e 86 f6 05 c2
      58 e0 af 53 83 e7
      [  134.771946]
      ================================================================================
      [  134.771953] UBSAN: signed-integer-overflow in fs/cifs/file.c:1706:19
      [  134.771957] 9223372036854775807 + 1 cannot be represented in type
      'long long int'
      [  134.771960] CPU: 4 PID: 2773 Comm: flock Not tainted 5.11.22 #1
      [  134.771964] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [  134.771966] Call Trace:
      [  134.771970]  dump_stack+0x8d/0xb5
      [  134.771981]  ubsan_epilogue+0x5/0x50
      [  134.771988]  handle_overflow+0xa3/0xb0
      [  134.771997]  ? lockdep_hardirqs_on_prepare+0xe8/0x1b0
      [  134.772006]  cifs_setlk+0x63c/0x680 [cifs]
      [  134.772085]  ? _get_xid+0x5f/0xa0 [cifs]
      [  134.772085]  cifs_flock+0x131/0x400 [cifs]
      [  134.772085]  __x64_sys_flock+0xfc/0x120
      [  134.772085]  do_syscall_64+0x33/0x40
      [  134.772085]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  134.772085] RIP: 0033:0x7fea4f83b3fb
      [  134.772085] Code: ff 48 8b 15 8f 1a 0d 00 f7 d8 64 89 02 b8 ff ff
      ff ff eb da e8 16 0b 02 00 66 0f 1f 44 00 00 f3 0f 1e fa b8 49 00 00
      00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5d 1a 0d 00 f7 d8 64 89
      01 48
      Signed-off-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      d80c6984
  8. 17 May, 2022 1 commit
    • Steve French's avatar
      SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op · 0a55cf74
      Steve French authored
      There is  a race condition in smb2_compound_op:
      
      after_close:
      	num_rqst++;
      
      	if (cfile) {
      		cifsFileInfo_put(cfile); // sends SMB2_CLOSE to the server
      		cfile = NULL;
      
      This is triggered by smb2_query_path_info operation that happens during
      revalidate_dentry. In smb2_query_path_info, get_readable_path is called to
      load the cfile, increasing the reference counter. If in the meantime, this
      reference becomes the very last, this call to cifsFileInfo_put(cfile) will
      trigger a SMB2_CLOSE request sent to the server just before sending this compound
      request – and so then the compound request fails either with EBADF/EIO depending
      on the timing at the server, because the handle is already closed.
      
      In the first scenario, the race seems to be happening between smb2_query_path_info
      triggered by the rename operation, and between “cleanup” of asynchronous writes – while
      fsync(fd) likely waits for the asynchronous writes to complete, releasing the writeback
      structures can happen after the close(fd) call. So the EBADF/EIO errors will pop up if
      the timing is such that:
      1) There are still outstanding references after close(fd) in the writeback structures
      2) smb2_query_path_info successfully fetches the cfile, increasing the refcounter by 1
      3) All writeback structures release the same cfile, reducing refcounter to 1
      4) smb2_compound_op is called with that cfile
      
      In the second scenario, the race seems to be similar – here open triggers the
      smb2_query_path_info operation, and if all other threads in the meantime decrease the
      refcounter to 1 similarly to the first scenario, again SMB2_CLOSE will be sent to the
      server just before issuing the compound request. This case is harder to reproduce.
      
      See https://bugzilla.samba.org/show_bug.cgi?id=15051
      
      Cc: stable@vger.kernel.org
      Fixes: 8de9e86c ("cifs: create a helper to find a writeable handle by path name")
      Signed-off-by: default avatarOndrej Hubsch <ohubsch@purestorage.com>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      0a55cf74
  9. 16 May, 2022 1 commit
  10. 15 May, 2022 8 commits
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.18-rc7' of... · 0cdd776e
      Linus Torvalds authored
      Merge tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here is one fix, and three documentation updates for 5.18-rc7.
      
        The fix is for the firmware loader which resolves a long-reported
        problem where the credentials of the firmware loader could be set to a
        userspace process without enough permissions to actually load the
        firmware image. Many Android vendors have been reporting this for
        quite some time.
      
        The documentation updates are for the embargoed-hardware-issues.rst
        file to add a new entry, change an existing one, and sort the list to
        make changes easier in the future.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Documentation/process: Update ARM contact for embargoed hardware issues
        Documentation/process: Add embargoed HW contact for Ampere Computing
        Documentation/process: Make groups alphabetical and use tabs consistently
        firmware_loader: use kernel credentials when reading firmware
      0cdd776e
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 5becde60
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are two small driver fixes for 5.18-rc7 that resolve reported
        problems:
      
         - slimbus driver irq bugfix
      
         - interconnect sync state bugfix
      
        Both of these have been in linux-next with no reported problems"
      
      * tag 'char-misc-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        slimbus: qcom: Fix IRQ check in qcom_slim_probe
        interconnect: Restore sync state by ignoring ipa-virt in provider count
      5becde60
    • Linus Torvalds's avatar
      Merge tag 'tty-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 6811a466
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty n_gsm and serial driver fixes for 5.18-rc7
        that resolve reported problems. They include:
      
         - n_gsm fixes for reported issues
      
         - 8250_mtk driver fixes for some platforms
      
         - fsl_lpuart driver fix for reported problem.
      
         - digicolor driver fix for reported problem.
      
        All have been in linux-next for a while with no reported problems"
      
      * tag 'tty-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        fsl_lpuart: Don't enable interrupts too early
        tty: n_gsm: fix invalid gsmtty_write_room() result
        tty: n_gsm: fix mux activation issues in gsm_config()
        tty: n_gsm: fix buffer over-read in gsm_dlci_data()
        serial: 8250_mtk: Fix register address for XON/XOFF character
        serial: 8250_mtk: Make sure to select the right FEATURE_SEL
        serial: 8250_mtk: Fix UART_EFR register address
        tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
      6811a466
    • Linus Torvalds's avatar
      Merge tag 'usb-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fc49583c
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small fixes for reported issues with some USB drivers.
        They include:
      
         - xhci fixes for xhci-mtk platform driver
      
         - typec driver fixes for reported problems.
      
         - cdc-wdm read-stuck fix
      
         - gadget driver fix for reported race condition
      
         - new usb-serial driver ids
      
        All of these have been in linux-next with no reported problems"
      
      * tag 'usb-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: xhci-mtk: remove bandwidth budget table
        usb: xhci-mtk: fix fs isoc's transfer error
        usb: gadget: fix race when gadget driver register via ioctl
        usb: typec: tcpci_mt6360: Update for BMC PHY setting
        usb: gadget: uvc: allow for application to cleanly shutdown
        usb: typec: tcpci: Don't skip cleanup in .remove() on error
        usb: cdc-wdm: fix reading stuck on device close
        USB: serial: qcserial: add support for Sierra Wireless EM7590
        USB: serial: option: add Fibocom MA510 modem
        USB: serial: option: add Fibocom L610 modem
        USB: serial: pl2303: add device id for HP LM930 Display
      fc49583c
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · bc403203
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
      
       - Fix KVM PR on 32-bit, which was broken by some MMU code refactoring.
      
      Thanks to: Alexander Graf, and Matt Evans.
      
      * tag 'powerpc-5.18-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        KVM: PPC: Book3S PR: Enable MSR_DR for switch_mmu_context()
      bc403203
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 79dc4fc2
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "A single fix for the handling of unpopulated sub-pmd spaces.
      
        The copy & pasta from the corresponding s390 code screwed up the
        address calculation for marking the sub-pmd ranges via memset by
        omitting the ALIGN_DOWN() to calculate the proper start address.
      
        It's a mystery why this code is not generic and shared because there
        is nothing architecture specific in there, but that's too intrusive
        for a backportable fix"
      
      * tag 'x86-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Fix marking of unused sub-pmd ranges
      79dc4fc2
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 990e798d
      Linus Torvalds authored
      Pull scheduler fix from Thomas Gleixner:
       "The recent expansion of the sched switch tracepoint inserted a new
        argument in the middle of the arguments. This reordering broke BPF
        programs which relied on the old argument list.
      
        While tracepoints are not considered stable ABI, it's not trivial to
        make BPF cope with such a change, but it's being worked on. For now
        restore the original argument order and move the new argument to the
        end of the argument list"
      
      * tag 'sched-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/tracing: Append prev_state to tp args instead
      990e798d
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fb756280
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single fix for a recent (introduced in 5.16) regression in the core
        interrupt code.
      
        The consolidation of the interrupt handler invocation code added an
        unconditional warning when generic_handle_domain_irq() is invoked from
        outside hard interrupt context. That's overbroad as the requirement
        for invoking these handlers in hard interrupt context is only required
        for certain interrupt types. The subsequently called code already
        contains a warning which triggers conditionally for interrupt chips
        which indicate this requirement in their properties.
      
        Remove the overbroad one"
      
      * tag 'irq-urgent-2022-05-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        genirq: Remove WARN_ON_ONCE() in generic_handle_domain_irq()
      fb756280
  11. 14 May, 2022 1 commit
  12. 13 May, 2022 6 commits
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2022-05-14' of git://anongit.freedesktop.org/drm/drm · ec7f4961
      Linus Torvalds authored
      Pull more drm fixes from Dave Airlie:
       "Turns out I was right, some fixes hadn't made it to me yet. The vmwgfx
        ones also popped up later, but all seem like bad enough things to fix.
        The dma-buf, vc4 and nouveau ones are all pretty small.
      
        The fbdev fixes are a bit more complicated: a fix to cleanup fbdev
        devices properly, uncovered some use-after-free bugs in existing
        drivers. Then the fix for those bugs wasn't correct. This reverts that
        fix, and puts the proper fixes in place in the drivers to avoid the
        use-after-frees.
      
        This has had a fair number of eyes on it at this stage, and I'm
        confident enough that it puts things in the right place, and is less
        dangerous than reverting our way out of the initial change at this
        stage.
      
        fbdev:
         - revert NULL deref fix that turned into a use-after-free
         - prevent use-after-free in fbdev
         - efifb/simplefb/vesafb: fix cleanup paths to avoid use-after-frees
      
        dma-buf:
         - fix panic in stats setup
      
        vc4:
         - fix hdmi build
      
        nouveau:
         - tegra iommu present fix
         - fix leak in backlight name
      
        vmwgfx:
         - Black screen due to fences using FIFO checks on SVGA3
         - Random black screens on boot due to uninitialized drm_mode_fb_cmd2
         - Hangs on SVGA3 due to command buffers being used with gbobjects"
      
      * tag 'drm-fixes-2022-05-14' of git://anongit.freedesktop.org/drm/drm:
        drm/vmwgfx: Disable command buffers on svga3 without gbobjects
        drm/vmwgfx: Initialize drm_mode_fb_cmd2
        drm/vmwgfx: Fix fencing on SVGAv3
        drm/vc4: hdmi: Fix build error for implicit function declaration
        dma-buf: call dma_buf_stats_setup after dmabuf is in valid list
        fbdev: efifb: Fix a use-after-free due early fb_info cleanup
        drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name()
        drm/nouveau/tegra: Stop using iommu_present()
        fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove
        fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove
        fbdev: simplefb: Cleanup fb_info in .fb_destroy rather than .remove
        fbdev: Prevent possible use-after-free in fb_release()
        Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered"
      ec7f4961
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2022-05-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · eb7bac39
      Dave Airlie authored
      Multiple fixes to fbdev to address a regression at unregistration, an
      iommu detection improvement for nouveau, a memory leak fix for nouveau,
      pointer dereference fix for dma_buf_file_release(), and a build breakage
      fix for vc4
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20220513073044.ymayac7x7bzatrt7@houat
      eb7bac39
    • Dave Airlie's avatar
      Merge tag 'vmwgfx-drm-fixes-5.18-2022-05-13' of... · 30c60ba3
      Dave Airlie authored
      Merge tag 'vmwgfx-drm-fixes-5.18-2022-05-13' of https://gitlab.freedesktop.org/zack/vmwgfx into drm-fixes
      
      vmwgfx fixes for:
      - Black screen due to fences using FIFO checks on SVGA3
      - Random black screens on boot due to uninitialized drm_mode_fb_cmd2
      - Hangs on SVGA3 due to command buffers being used with gbobjects
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Zack Rusin <zackr@vmware.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/a1d32799e4c74b8540216376d7576bb783ca07ba.camel@vmware.com
      30c60ba3
    • Linus Torvalds's avatar
      Merge tag 'gfs2-v5.18-rc4-fix3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · d928e8f3
      Linus Torvalds authored
      Pull gfs2 fixes from Andreas Gruenbacher:
       "We've finally identified commit dc732906 ("gfs2: Introduce flag
        for glock holder auto-demotion") to be the other cause of the
        filesystem corruption we've been seeing. This feature isn't strictly
        necessary anymore, so we've decided to stop using it for now.
      
        With this and the gfs_iomap_end rounding fix you've already seen
        ("gfs2: Fix filesystem block deallocation for short writes" in this
        pull request), we're corruption free again now.
      
         - Fix filesystem block deallocation for short writes.
      
         - Stop using glock holder auto-demotion for now.
      
         - Get rid of buffered writes inefficiencies due to page faults being
           disabled.
      
         - Minor other cleanups"
      
      * tag 'gfs2-v5.18-rc4-fix3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: Stop using glock holder auto-demotion for now
        gfs2: buffered write prefaulting
        gfs2: Align read and write chunks to the page cache
        gfs2: Pull return value test out of should_fault_in_pages
        gfs2: Clean up use of fault_in_iov_iter_{read,write}able
        gfs2: Variable rename
        gfs2: Fix filesystem block deallocation for short writes
      d928e8f3
    • Andreas Gruenbacher's avatar
      gfs2: Stop using glock holder auto-demotion for now · e1fa9ea8
      Andreas Gruenbacher authored
      We're having unresolved issues with the glock holder auto-demotion mechanism
      introduced in commit dc732906.  This mechanism was assumed to be essential
      for avoiding frequent short reads and writes until commit 296abc0d
      ("gfs2: No short reads or writes upon glock contention").  Since then,
      when the inode glock is lost, it is simply re-acquired and the operation
      is resumed.  This means that apart from the performance penalty, we
      might as well drop the inode glock before faulting in pages, and
      re-acquire it afterwards.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      e1fa9ea8
    • Andreas Gruenbacher's avatar
      gfs2: buffered write prefaulting · fa5dfa64
      Andreas Gruenbacher authored
      In gfs2_file_buffered_write, to increase the likelihood that all the
      user memory we're trying to write will be resident in memory, carry out
      the write in chunks and fault in each chunk of user memory before trying
      to write it.  Otherwise, some workloads will trigger frequent short
      "internal" writes, causing filesystem blocks to be allocated and then
      partially deallocated again when writing into holes, which is wasteful
      and breaks reservations.
      
      Neither the chunked writes nor any of the short "internal" writes are
      user visible.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      fa5dfa64