1. 20 Jun, 2023 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-6.4-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 4b0c7a1b
      Linus Torvalds authored
      Pull btrfs fix from David Sterba:
       "One more regression fix for an assertion failure that uncovered a
        nasty problem with stripe calculations. This is caused by a u32
        overflow when there are enough devices. The fstests require 6 so this
        hasn't been caught, I was able to hit it with 8.
      
        The fix is minimal and only adds u64 casts, we'll clean that up later.
        I did various additional tests to be sure"
      
      * tag 'for-6.4-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix u32 overflows when left shifting stripe_nr
      4b0c7a1b
    • Linus Torvalds's avatar
      Merge tag '6.4-rc6-smb3-server-fixes' of git://git.samba.org/ksmbd · 99ec1ed7
      Linus Torvalds authored
      Pull smb server fixes from Steve French:
       "Four smb3 server fixes, all also for stable:
      
         - fix potential oops in parsing compounded requests
      
         - fix various paths (mkdir, create etc) where mnt_want_write was not
           checked first
      
         - fix slab out of bounds in check_message and write"
      
      * tag '6.4-rc6-smb3-server-fixes' of git://git.samba.org/ksmbd:
        ksmbd: validate session id and tree id in the compound request
        ksmbd: fix out-of-bound read in smb2_write
        ksmbd: add mnt_want_write to ksmbd vfs functions
        ksmbd: validate command payload size
      99ec1ed7
    • Qu Wenruo's avatar
      btrfs: fix u32 overflows when left shifting stripe_nr · a7299a18
      Qu Wenruo authored
      [BUG]
      David reported an ASSERT() get triggered during fio load on 8 devices
      with data/raid6 and metadata/raid1c3:
      
        fio --rw=randrw --randrepeat=1 --size=3000m \
      	  --bsrange=512b-64k --bs_unaligned \
      	  --ioengine=libaio --fsync=1024 \
      	  --name=job0 --name=job1 \
      
      The ASSERT() is from rbio_add_bio() of raid56.c:
      
      	ASSERT(orig_logical >= full_stripe_start &&
      	       orig_logical + orig_len <= full_stripe_start +
      	       rbio->nr_data * BTRFS_STRIPE_LEN);
      
      Which is checking if the target rbio is crossing the full stripe
      boundary.
      
        [100.789] assertion failed: orig_logical >= full_stripe_start && orig_logical + orig_len <= full_stripe_start + rbio->nr_data * BTRFS_STRIPE_LEN, in fs/btrfs/raid56.c:1622
        [100.795] ------------[ cut here ]------------
        [100.796] kernel BUG at fs/btrfs/raid56.c:1622!
        [100.797] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
        [100.798] CPU: 1 PID: 100 Comm: kworker/u8:4 Not tainted 6.4.0-rc6-default+ #124
        [100.799] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552-rebuilt.opensuse.org 04/01/2014
        [100.802] Workqueue: writeback wb_workfn (flush-btrfs-1)
        [100.803] RIP: 0010:rbio_add_bio+0x204/0x210 [btrfs]
        [100.806] RSP: 0018:ffff888104a8f300 EFLAGS: 00010246
        [100.808] RAX: 00000000000000a1 RBX: ffff8881075907e0 RCX: ffffed1020951e01
        [100.809] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000001
        [100.811] RBP: 0000000141d20000 R08: 0000000000000001 R09: ffff888104a8f04f
        [100.813] R10: ffffed1020951e09 R11: 0000000000000003 R12: ffff88810e87f400
        [100.815] R13: 0000000041d20000 R14: 0000000144529000 R15: ffff888101524000
        [100.817] FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
        [100.821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [100.822] CR2: 000055d54e44c270 CR3: 000000010a9a1006 CR4: 00000000003706a0
        [100.824] Call Trace:
        [100.825]  <TASK>
        [100.825]  ? die+0x32/0x80
        [100.826]  ? do_trap+0x12d/0x160
        [100.827]  ? rbio_add_bio+0x204/0x210 [btrfs]
        [100.827]  ? rbio_add_bio+0x204/0x210 [btrfs]
        [100.829]  ? do_error_trap+0x90/0x130
        [100.830]  ? rbio_add_bio+0x204/0x210 [btrfs]
        [100.831]  ? handle_invalid_op+0x2c/0x30
        [100.833]  ? rbio_add_bio+0x204/0x210 [btrfs]
        [100.835]  ? exc_invalid_op+0x29/0x40
        [100.836]  ? asm_exc_invalid_op+0x16/0x20
        [100.837]  ? rbio_add_bio+0x204/0x210 [btrfs]
        [100.837]  raid56_parity_write+0x64/0x270 [btrfs]
        [100.838]  btrfs_submit_chunk+0x26e/0x800 [btrfs]
        [100.840]  ? btrfs_bio_init+0x80/0x80 [btrfs]
        [100.841]  ? release_pages+0x503/0x6d0
        [100.842]  ? folio_unlock+0x2f/0x60
        [100.844]  ? __folio_put+0x60/0x60
        [100.845]  ? btrfs_do_readpage+0xae0/0xae0 [btrfs]
        [100.847]  btrfs_submit_bio+0x21/0x60 [btrfs]
        [100.847]  submit_one_bio+0x6a/0xb0 [btrfs]
        [100.849]  extent_write_cache_pages+0x395/0x680 [btrfs]
        [100.850]  ? __extent_writepage+0x520/0x520 [btrfs]
        [100.851]  ? mark_usage+0x190/0x190
        [100.852]  extent_writepages+0xdb/0x130 [btrfs]
        [100.853]  ? extent_write_locked_range+0x480/0x480 [btrfs]
        [100.854]  ? mark_usage+0x190/0x190
        [100.854]  ? attach_extent_buffer_page+0x220/0x220 [btrfs]
        [100.855]  ? reacquire_held_locks+0x178/0x280
        [100.856]  ? writeback_sb_inodes+0x245/0x7f0
        [100.857]  do_writepages+0x102/0x2e0
        [100.858]  ? page_writeback_cpu_online+0x10/0x10
        [100.859]  ? __lock_release.isra.0+0x14a/0x4d0
        [100.860]  ? reacquire_held_locks+0x280/0x280
        [100.861]  ? __lock_acquired+0x1e9/0x3d0
        [100.862]  ? do_raw_spin_lock+0x1b0/0x1b0
        [100.863]  __writeback_single_inode+0x94/0x450
        [100.864]  writeback_sb_inodes+0x372/0x7f0
        [100.864]  ? lock_sync+0xd0/0xd0
        [100.865]  ? do_raw_spin_unlock+0x93/0xf0
        [100.866]  ? sync_inode_metadata+0xc0/0xc0
        [100.867]  ? rwsem_optimistic_spin+0x340/0x340
        [100.868]  __writeback_inodes_wb+0x70/0x130
        [100.869]  wb_writeback+0x2d1/0x530
        [100.869]  ? __writeback_inodes_wb+0x130/0x130
        [100.870]  ? lockdep_hardirqs_on_prepare.part.0+0xf1/0x1c0
        [100.870]  wb_do_writeback+0x3eb/0x480
        [100.871]  ? wb_writeback+0x530/0x530
        [100.871]  ? mark_lock_irq+0xcd0/0xcd0
        [100.872]  wb_workfn+0xe0/0x3f0<
      
      [CAUSE]
      Commit a97699d1 ("btrfs: replace map_lookup->stripe_len by
      BTRFS_STRIPE_LEN") changes how we calculate the map length, to reduce
      u64 division.
      
      Function btrfs_max_io_len() is to get the length to the stripe boundary.
      
      It calculates the full stripe start offset (inside the chunk) by the
      following code:
      
      		*full_stripe_start =
      			rounddown(*stripe_nr, nr_data_stripes(map)) <<
      			BTRFS_STRIPE_LEN_SHIFT;
      
      The calculation itself is fine, but the value returned by rounddown() is
      dependent on both @stripe_nr (which is u32) and nr_data_stripes() (which
      returned int).
      
      Thus the result is also u32, then we do the left shift, which can
      overflow u32.
      
      If such overflow happens, @full_stripe_start will be a value way smaller
      than @offset, causing later "full_stripe_len - (offset -
      *full_stripe_start)" to underflow, thus make later length calculation to
      have no stripe boundary limit, resulting a write bio to exceed stripe
      boundary.
      
      There are some other locations like this, with a u32 @stripe_nr got left
      shift, which can lead to a similar overflow.
      
      [FIX]
      Fix all @stripe_nr with left shift with a type cast to u64 before the
      left shift.
      
      Those involved @stripe_nr or similar variables are recording the stripe
      number inside the chunk, which is small enough to be contained by u32,
      but their offset inside the chunk can not fit into u32.
      
      Thus for those specific left shifts, a type cast to u64 is necessary so
      this patch does not touch them and the code will be cleaned up in the
      future to keep the fix minimal.
      Reported-by: default avatarDavid Sterba <dsterba@suse.com>
      Fixes: a97699d1 ("btrfs: replace map_lookup->stripe_len by BTRFS_STRIPE_LEN")
      Tested-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      a7299a18
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20230619' of... · 692b7dc8
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20230619' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyperv fixes from Wei Liu:
      
       - Fix races in Hyper-V PCI controller (Dexuan Cui)
      
       - Fix handling of hyperv_pcpu_input_arg (Michael Kelley)
      
       - Fix vmbus_wait_for_unload to scan present CPUs (Michael Kelley)
      
       - Call hv_synic_free in the failure path of hv_synic_alloc (Dexuan Cui)
      
       - Add noop for real mode handlers for virtual trust level code (Saurabh
         Sengar)
      
      * tag 'hyperv-fixes-signed-20230619' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        PCI: hv: Add a per-bus mutex state_lock
        Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally"
        PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev
        PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic
        PCI: hv: Fix a race condition bug in hv_pci_query_relations()
        arm64/hyperv: Use CPUHP_AP_HYPERV_ONLINE state to fix CPU online sequencing
        x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline
        Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
        Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails
        x86/hyperv/vtl: Add noop for realmode pointers
      692b7dc8
  2. 19 Jun, 2023 3 commits
  3. 18 Jun, 2023 11 commits
  4. 17 Jun, 2023 11 commits
    • Michael Kelley's avatar
      arm64/hyperv: Use CPUHP_AP_HYPERV_ONLINE state to fix CPU online sequencing · 52ae076c
      Michael Kelley authored
      State CPUHP_AP_HYPERV_ONLINE has been introduced to correctly sequence the
      initialization of hyperv_pcpu_input_arg. Use this new state for Hyper-V
      initialization so that hyperv_pcpu_input_arg is allocated early enough.
      Signed-off-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/1684862062-51576-2-git-send-email-mikelley@microsoft.comSigned-off-by: default avatarWei Liu <wei.liu@kernel.org>
      52ae076c
    • Michael Kelley's avatar
      x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline · 9636be85
      Michael Kelley authored
      These commits
      
      a494aef2 ("PCI: hv: Replace retarget_msi_interrupt_params with hyperv_pcpu_input_arg")
      2c6ba421 ("PCI: hv: Enable PCI pass-thru devices in Confidential VMs")
      
      update the Hyper-V virtual PCI driver to use the hyperv_pcpu_input_arg
      because that memory will be correctly marked as decrypted or encrypted
      for all VM types (CoCo or normal). But problems ensue when CPUs in the
      VM go online or offline after virtual PCI devices have been configured.
      
      When a CPU is brought online, the hyperv_pcpu_input_arg for that CPU is
      initialized by hv_cpu_init() running under state CPUHP_AP_ONLINE_DYN.
      But this state occurs after state CPUHP_AP_IRQ_AFFINITY_ONLINE, which
      may call the virtual PCI driver and fault trying to use the as yet
      uninitialized hyperv_pcpu_input_arg. A similar problem occurs in a CoCo
      VM if the MMIO read and write hypercalls are used from state
      CPUHP_AP_IRQ_AFFINITY_ONLINE.
      
      When a CPU is taken offline, IRQs may be reassigned in state
      CPUHP_TEARDOWN_CPU. Again, the virtual PCI driver may fault trying to
      use the hyperv_pcpu_input_arg that has already been freed by a
      higher state.
      
      Fix the onlining problem by adding state CPUHP_AP_HYPERV_ONLINE
      immediately after CPUHP_AP_ONLINE_IDLE (similar to CPUHP_AP_KVM_ONLINE)
      and before CPUHP_AP_IRQ_AFFINITY_ONLINE. Use this new state for
      Hyper-V initialization so that hyperv_pcpu_input_arg is allocated
      early enough.
      
      Fix the offlining problem by not freeing hyperv_pcpu_input_arg when
      a CPU goes offline. Retain the allocated memory, and reuse it if
      the CPU comes back online later.
      Signed-off-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Reviewed-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Acked-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/1684862062-51576-1-git-send-email-mikelley@microsoft.comSigned-off-by: default avatarWei Liu <wei.liu@kernel.org>
      9636be85
    • Linus Torvalds's avatar
      Merge tag 'staging-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 1b29d271
      Linus Torvalds authored
      Pull staging driver fix from Greg KH:
       "Here is a single staging driver "fix" for 6.4-rc7. I've been sitting
        on it in my tree for many weeks as it is just a simple documentation
        update, with the hope that maybe some other staging driver fixes would
        need to be merged for 6.4-final, but that does not seem to be the
        case.
      
        So please, pull in this one documentation update so that Aaro doesn't
        get emails going forward that he can't do anything about"
      
      * tag 'staging-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: octeon: delete my name from TODO contact
      1b29d271
    • Linus Torvalds's avatar
      Merge tag 'usb-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 670062e7
      Linus Torvalds authored
      Pull USB / Thunderbolt fixes from Greg KH:
       "Here are some small USB and Thunderbolt driver fixes and new device
        ids for 6.4-rc7 to resolve some reported problems. Included in here
        are:
      
         - new USB serial device ids
      
         - USB gadget core fixes for long-dissussed problems
      
         - dwc3 bugfixes for reported issues.
      
         - typec driver fixes
      
         - thunderbolt driver fixes
      
        All of these have been in linux-next this week with no reported issues"
      
      * tag 'usb-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: gadget: udc: core: Prevent soft_connect_store() race
        usb: gadget: udc: core: Offload usb_udc_vbus_handler processing
        usb: typec: Fix fast_role_swap_current show function
        usb: typec: ucsi: Fix command cancellation
        USB: dwc3: fix use-after-free on core driver unbind
        USB: dwc3: qcom: fix NULL-deref on suspend
        usb: dwc3: gadget: Reset num TRBs before giving back the request
        usb: gadget: udc: renesas_usb3: Fix RZ/V2M {modprobe,bind} error
        USB: serial: option: add Quectel EM061KGL series
        thunderbolt: Mask ring interrupt on Intel hardware as well
        thunderbolt: Do not touch CL state configuration during discovery
        thunderbolt: Increase DisplayPort Connection Manager handshake timeout
        thunderbolt: dma_test: Use correct value for absent rings when creating paths
      670062e7
    • Linus Torvalds's avatar
      Merge tag 'tty-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3c0eb442
      Linus Torvalds authored
      Pull serial driver fixes from Greg KH:
       "Here are two small serial driver fixes for 6.4-rc7 that resolve some
        reported problems:
      
         - lantiq serial driver irq fix
      
         - fsl_lpuart serial driver watermark fix
      
        Both of these have been in linux-next this week with no reported issues"
      
      * tag 'tty-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A
        serial: lantiq: add missing interrupt ack
      3c0eb442
    • Ben Hutchings's avatar
      parisc: Delete redundant register definitions in <asm/assembly.h> · b5b2a02b
      Ben Hutchings authored
      We define sp and ipsw in <asm/asmregs.h> using ".reg", and when using
      current binutils (snapshot 2.40.50.20230611) the definitions in
      <asm/assembly.h> using "=" conflict with those:
      
      arch/parisc/include/asm/assembly.h: Assembler messages:
      arch/parisc/include/asm/assembly.h:93: Error: symbol `sp' is already defined
      arch/parisc/include/asm/assembly.h:95: Error: symbol `ipsw' is already defined
      
      Delete the duplicate definitions in <asm/assembly.h>.
      
      Also delete the definition of gp, which isn't used anywhere.
      Signed-off-by: default avatarBen Hutchings <benh@debian.org>
      Cc: stable@vger.kernel.org # v6.0+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      b5b2a02b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c6cf6be9
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of clk driver fixes:
      
         - Fix an OOB issue in the Mediatek mt8365 driver where arrays of clks
           are mismatched in size
      
         - Use the proper clk_ops for a few clks in the Mediatek mt8365 driver
      
         - Stop using abs() in clk_composite_determine_rate() because 64-bit
           math goes wrong on large unsigned long numbers that are subtracted
           and passed into abs()
      
         - Zero initialize a struct clk_init_data in clk-loongson2 to avoid
           stack junk confusing clk_hw_register()
      
         - Actually use a pointer to __iomem for writel() in
           pxa3xx_clk_update_accr() so we don't oops"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: pxa: fix NULL pointer dereference in pxa3xx_clk_update_accr
        clk: clk-loongson2: Zero init clk_init_data
        clk: mediatek: mt8365: Fix inverted topclk operations
        clk: composite: Fix handling of high clock rates
        clk: mediatek: mt8365: Fix index issue
      c6cf6be9
    • Namjae Jeon's avatar
      ksmbd: validate session id and tree id in the compound request · 5005bcb4
      Namjae Jeon authored
      This patch validate session id and tree id in compound request.
      If first operation in the compound is SMB2 ECHO request, ksmbd bypass
      session and tree validation. So work->sess and work->tcon could be NULL.
      If secound request in the compound access work->sess or tcon, It cause
      NULL pointer dereferecing error.
      
      Cc: stable@vger.kernel.org
      Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21165
      Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      5005bcb4
    • Namjae Jeon's avatar
      ksmbd: fix out-of-bound read in smb2_write · 5fe7f7b7
      Namjae Jeon authored
      ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If
      ->NextCommand is bigger than Offset + Length of smb2 write, It will
      allow oversized smb2 write length. It will cause OOB read in smb2_write.
      
      Cc: stable@vger.kernel.org
      Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164
      Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      5fe7f7b7
    • Namjae Jeon's avatar
      ksmbd: add mnt_want_write to ksmbd vfs functions · 40b268d3
      Namjae Jeon authored
      ksmbd is doing write access using vfs helpers. There are the cases that
      mnt_want_write() is not called in vfs helper. This patch add missing
      mnt_want_write() to ksmbd vfs functions.
      
      Cc: stable@vger.kernel.org
      Cc: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      40b268d3
    • Namjae Jeon's avatar
      ksmbd: validate command payload size · 2b9b8f3b
      Namjae Jeon authored
      ->StructureSize2 indicates command payload size. ksmbd should validate
      this size with rfc1002 length before accessing it.
      This patch remove unneeded check and add the validation for this.
      
      [    8.912583] BUG: KASAN: slab-out-of-bounds in ksmbd_smb2_check_message+0x12a/0xc50
      [    8.913051] Read of size 2 at addr ffff88800ac7d92c by task kworker/0:0/7
      ...
      [    8.914967] Call Trace:
      [    8.915126]  <TASK>
      [    8.915267]  dump_stack_lvl+0x33/0x50
      [    8.915506]  print_report+0xcc/0x620
      [    8.916558]  kasan_report+0xae/0xe0
      [    8.917080]  kasan_check_range+0x35/0x1b0
      [    8.917334]  ksmbd_smb2_check_message+0x12a/0xc50
      [    8.917935]  ksmbd_verify_smb_message+0xae/0xd0
      [    8.918223]  handle_ksmbd_work+0x192/0x820
      [    8.918478]  process_one_work+0x419/0x760
      [    8.918727]  worker_thread+0x2a2/0x6f0
      [    8.919222]  kthread+0x187/0x1d0
      [    8.919723]  ret_from_fork+0x1f/0x30
      [    8.919954]  </TASK>
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChih-Yen Chang <cc85nod@gmail.com>
      Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      2b9b8f3b
  5. 16 Jun, 2023 11 commits