1. 11 Nov, 2022 7 commits
    • Michael Zaidman's avatar
      HID: ft260: skip unexpected HID input reports · b7121e3c
      Michael Zaidman authored
      The FT260 is not supposed to generate unexpected HID reports. However,
      in theory, the unsolicited HID Input reports can be issued by a specially
      crafted malicious USB device masquerading as FT260 when the attacker has
      physical access to the USB port. In this case, the read_buf pointer points
      to the final data portion of the previous I2C Read transfer, and the memcpy
      invoked in the ft260_raw_event() will try copying the content of the
      unexpected report into the wrong location.
      
      This commit sets the Read buffer pointer to NULL on the I2C Read
      transaction completion and checks it in the ft260_raw_event() to detect
      and skip the unsolicited Input report.
      Reported-by: default avatarEnrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      b7121e3c
    • Michael Zaidman's avatar
      HID: ft260: do not populate /dev/hidraw device · 76e76e79
      Michael Zaidman authored
      Do not populate the /dev/hidraw on ft260 interfaces when the hid-ft260
      driver is loaded.
      
      $ sudo insmod hid-ft260.ko
      $ ls /dev/hidraw*
      /dev/hidraw0
      
      $ sudo rmmod hid-ft260.ko
      $ ls /dev/hidraw*
      /dev/hidraw0  /dev/hidraw1  /dev/hidraw2
      Reported-by: default avatarEnrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      76e76e79
    • Michael Zaidman's avatar
      HID: ft260: improve i2c large reads performance · 54410c14
      Michael Zaidman authored
      The patch increases the read buffer size to 180 bytes. It reduces
      the number of ft260_i2c_read() calls by three, improving the big
      reads performance.
      
      $ sudo i2ctransfer -y -f 13 w2@0x51 0x0 0x0 r180
      
      Before:
      
      [  +4.071878] ft260_i2c_write_read: off 0x0 rlen 180 wlen 2
      [  +0.000005] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.001097] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000175] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000004] ft260_i2c_read: rep 0xc2 addr 0x51 len 180 rlen 60 flag 0x3
      [  +0.008579] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000208] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000001] ft260_i2c_read: rep 0xc2 addr 0x51 len 120 rlen 60 flag 0x0
      [  +0.008794] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000181] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000002] ft260_i2c_read: rep 0xc2 addr 0x51 len 60 rlen 60 flag 0x4
      [  +0.008817] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000223] ft260_xfer_status: bus_status 0x20, clock 100
      
      After:
      
      [ +11.611642] ft260_i2c_write_read: off 0x0 rlen 180 wlen 2
      [  +0.000005] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.008001] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.000001] ft260_i2c_read: rep 0xc2 addr 0x51 len 180 rlen 180 flag 0x7
      [  +0.008994] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.007987] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.007992] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000206] ft260_xfer_status: bus_status 0x20, clock 100
      Suggested-by: default avatarEnrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      54410c14
    • Michael Zaidman's avatar
      HID: ft260: support i2c reads greater than HID report size · 0acb869f
      Michael Zaidman authored
      A random i2c read operation in EEPROM devices is implemented as a dummy
      write operation, followed by a current address read operation. The dummy
      write operation is used to load the target byte or word address (a.k.a
      offset) into the offset counter, from which the subsequent read operation
      then reads.
      
      To support longer than one HID report size random read, the ft260 driver
      issues multiple pairs of i2c write offset + read data transactions of HID
      report size so that the EEPROM device sees many i2c random read requests
      from different offsets.
      
      Two issues with the current implementation:
      - This approach suffers from extra overhead caused by writing offset
        requests.
      - Necessity to handle offset per HID report in big-endian representation
        as EEPROM devices expect. The current implementation does not do it and
        correctly handles the reads up to 60 bytes only.
      
      This patch addresses both issues by implementing more efficient approach.
      It issues a single i2c read request of up to the EEPROM page size and then
      waits for the data to arrive in multiple HID reports. For example, to read
      the 256 bytes from a 24LC512 chip, which has 128 bytes page size, the old
      method performs six ft260_i2c_write_read transactions while the new - two
      only.
      
      Before:
      
      $ sudo ./i2cperf -d 2 -o 2 -s 128 -r 0-0xff 13 0x51 -S
      
        Read block via i2ctransfer by chunks
        -------------------------------------------------------------------
        data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
        -------------------------------------------------------------------
        40803           85             256           2           128
      
      Kernel log of a single 128 bytes read request:
      
      [  +2.376308] ft260_i2c_write_read: read_off 0x0 left_len 128 len 60
      [  +0.000002] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.000707] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000173] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000001] ft260_i2c_read: rep 0xc2 addr 0x51 len 60
      [  +0.008660] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000156] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.000001] ft260_i2c_write_read: read_off 0x3c left_len 68 len 60
      [  +0.000001] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x3c
      [  +0.001034] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000191] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000001] ft260_i2c_read: rep 0xc2 addr 0x51 len 60
      [  +0.008614] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000203] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.000001] ft260_i2c_write_read: read_off 0x78 left_len 8 len 8
      [  +0.000001] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x78
      [  +0.000987] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000192] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000001] ft260_i2c_read: rep 0xc2 addr 0x51 len 8
      [  +0.002614] ft260_raw_event: i2c resp: rep 0xd1 len 8
      [  +0.000200] ft260_xfer_status: bus_status 0x20, clock 100
      
      After:
      
      $ sudo ./i2cperf -d 2 -o 2 -s 128 -r 0-0xff 13 0x51 -S
      
        Read block via i2ctransfer by chunks
        -------------------------------------------------------------------
        data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
        -------------------------------------------------------------------
        43990           85             256           2           128
      
      Kernel log of a single 128 bytes read request:
      
      [  +1.464346] ft260_i2c_write_read: off 0x0 rlen 128 wlen 2
      [  +0.000002] ft260_i2c_write: rep 0xd0 addr 0x51 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.001653] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000188] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000002] ft260_i2c_read: rep 0xc2 addr 0x51 len 128 rlen 60 flag 0x3
      [  +0.008609] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000157] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000002] ft260_i2c_read: rep 0xc2 addr 0x51 len 68 rlen 60 flag 0x0
      [  +0.008840] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.000203] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000002] ft260_i2c_read: rep 0xc2 addr 0x51 len 8 rlen 8 flag 0x4
      [  +0.002794] ft260_raw_event: i2c resp: rep 0xd1 len 8
      [  +0.000201] ft260_xfer_status: bus_status 0x20, clock 100
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Tested-by: default avatarGuillaume Champagne <champagne.guillaume.c@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      0acb869f
    • Michael Zaidman's avatar
      HID: ft260: support i2c writes larger than HID report size · 1edfae51
      Michael Zaidman authored
      To support longer than one HID report size write, the driver splits a
      single i2c message data payload into multiple i2c messages of HID report
      size. However, it does not replicate the offset bytes within the EEPROM
      chip in every consequent HID report because it is not and should not be
      aware of the EEPROM type. It breaks the i2c write message integrity and
      causes the EEPROM device not to acknowledge the second HID report keeping
      the i2c bus busy until the ft260 controller reports failure.
      
      This patch preserves the i2c write message integrity by manipulating the
      i2c flag bits across multiple HID reports to be seen by the EEPROM device
      as a single i2c write transfer.
      
      Before:
      
      $ sudo ./i2cperf -f 2 -o 2 -s 64 -r 0-0xff 13 0x51 -S
      Error: Sending messages failed: Input/output error
      
      [  +3.667741] ft260_i2c_write: rep 0xde addr 0x51 off 0 len 60 d[0] 0x0
      [  +0.007330] ft260_hid_output_report_check_status: wait 6400 usec, len 64
      [  +0.000203] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000001] ft260_i2c_write: rep 0xd1 addr 0x51 off 60 len 6 d[0] 0x0
      [  +0.002337] ft260_hid_output_report_check_status: wait 1000 usec, len 10
      [  +0.000157] ft260_xfer_status: bus_status 0x2e, clock 100
      [  +0.000241] ft260_i2c_reset: done
      [  +0.000003] ft260_i2c_write: failed to start transfer, ret -5
      
      After:
      
      $ sudo ./i2cperf -f 2 -o 2 -s 128 -r 0-0xff 13 0x51 -S
      
        Fill block with increment via i2ctransfer by chunks
        -------------------------------------------------------------------
        data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
        -------------------------------------------------------------------
        71260           86             256           2           128
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Tested-by: default avatarGuillaume Champagne <champagne.guillaume.c@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      1edfae51
    • Michael Zaidman's avatar
      HID: ft260: improve i2c write performance · 6fca5e3f
      Michael Zaidman authored
      The patch improves the I2C write performance by 20 - 30 percent by
      revising the sleep time in the ft260_hid_output_report_check_status()
      in the following ways:
      
      1. Reduce the wait time and start to poll earlier.
      
      Sending a large amount of data at a low I2C clock rate saturates the
      internal FT260 buffer and causes hiccups in status readiness, as shown
      below in the log fragment. Aligning the status check wait time to the
      worst case significantly reduces the write performance.
      
      [Oct22 10:28] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.005296] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.013460] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.003244] ft260_hid_output_report_check_status: wait 1920 usec, len 38
      [  +0.000190] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.015324] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.003491] ft260_hid_output_report_check_status: wait 1920 usec, len 38
      [  +0.000202] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.016047] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.002768] ft260_hid_output_report_check_status: wait 1920 usec, len 38
      [  +0.000150] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.011389] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.003467] ft260_hid_output_report_check_status: wait 1920 usec, len 38
      [  +0.000191] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000172] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000131] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000241] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000233] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000190] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000196] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.011314] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      [  +0.003334] ft260_hid_output_report_check_status: wait 1920 usec, len 38
      [  +0.000227] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000204] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000198] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000147] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.011060] ft260_i2c_write: rep 0xd8 addr 0x51 off 0 len 34 d[0] 0x0
      
        Before:
          $ sudo ./i2cperf -f 2 -o 2 -s 32 -r 0-0xff 13 0x51 -S
      
            Fill block with increment via i2ctransfer by chunks
            -------------------------------------------------------------------
            data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
            -------------------------------------------------------------------
            40510           80             256           8           32
      
        After:
          $ sudo ./i2cperf -f 2 -o 2 -s 32 -r 0-0xff 13 0x51 -S
      
            Fill block with increment via i2ctransfer by chunks
            -------------------------------------------------------------------
            data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
            -------------------------------------------------------------------
            52584           80             256           8           32
      
      2. Do not sleep if the estimated I2C transfer time is below 2 ms since
         the first xfer status query frequently takes around 1.5 ms, and the
         following status queries take about 200us on average. So we usually
         return from the routine after the first 1 - 3 status checks.
      
      [Oct22 11:14] ft260_i2c_write: rep 0xd4 addr 0x51 off 0 len 18 d[0] 0x0
      [  +0.004270] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.013889] ft260_i2c_write: rep 0xd4 addr 0x51 off 0 len 18 d[0] 0x0
      [  +0.000856] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000138] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.013352] ft260_i2c_write: rep 0xd4 addr 0x51 off 0 len 18 d[0] 0x0
      [  +0.001501] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000177] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.014477] ft260_i2c_write: rep 0xd4 addr 0x51 off 0 len 18 d[0] 0x0
      [  +0.001377] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000233] ft260_xfer_status: bus_status 0x41, clock 100
      [  +0.000191] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.013197] ft260_i2c_write: rep 0xd4 addr 0x51 off 0 len 18 d[0] 0x0
      
        Before:
          $ sudo ./i2cperf -f 2 -o 2 -s 16 -r 0-0xff 13 0x51 -S
      
            Fill block with increment via i2ctransfer by chunks
            -------------------------------------------------------------------
            data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
            -------------------------------------------------------------------
            28826           73             256           16          16
      
        After:
          $ sudo ./i2cperf -f 2 -o 2 -s 16 -r 0-0xff 13 0x51 -S
      
            Fill block with increment via i2ctransfer by chunks
            -------------------------------------------------------------------
            data rate(bps)  efficiency(%)  data size(B)  total IOs   IO size(B)
            -------------------------------------------------------------------
            45138           73             256           16          16
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Tested-by: default avatarGuillaume Champagne <champagne.guillaume.c@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      6fca5e3f
    • Michael Zaidman's avatar
      HID: ft260: ft260_xfer_status routine cleanup · f45d50ed
      Michael Zaidman authored
      After clarifying with FTDI's support, it turned out that the error
      condition (bit 1) in byte 1 of the i2c status HID report is a status
      bit reflecting all error conditions. When bits 2, 3, or 4 are raised
      to 1, bit 1 is set to 1 also. Since the ft260_xfer_status routine tests
      the error condition bit and exits in the case of an error, the program
      flow never reaches the conditional expressions for 2, 3, and 4 bits when
      any of them indicates an error state. Though these expressions are never
      evaluated to true, they are checked several times per IO, increasing the
      ft260_xfer_status polling cycle duration.
      
      The patch removes the conditional expressions for 2, 3, and 4 bits in
      byte 1 of the i2c status HID report.
      Signed-off-by: default avatarMichael Zaidman <michael.zaidman@gmail.com>
      Tested-by: default avatarGuillaume Champagne <champagne.guillaume.c@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      f45d50ed
  2. 22 Oct, 2022 1 commit
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2022102101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 334fe5d3
      Linus Torvalds authored
      Pull HID fixes from Benjamin Tissoires:
      
       - a 12 year old bug fix for the Apple Magic Trackpad v1 (José Expósito)
      
       - a fix for a potential crash on removal of the Playstation controllers
         (Roderick Colenbrander)
      
       - a few new device IDs and device-specific quirks, most notably support
         of the new Playstation DualSense Edge controller
      
      * tag 'for-linus-2022102101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: lenovo: Make array tp10ubkbd_led static const
        HID: saitek: add madcatz variant of MMO7 mouse device ID
        HID: playstation: support updated DualSense rumble mode.
        HID: playstation: add initial DualSense Edge controller support
        HID: playstation: stop DualSense output work on remove.
        HID: magicmouse: Do not set BTN_MOUSE on double report
      334fe5d3
  3. 21 Oct, 2022 31 commits
    • Linus Torvalds's avatar
      Merge tag '6.1-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · bd8e9634
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
      
       - memory leak fixes
      
       - fixes for directory leases, including an important one which fixes a
         problem noticed by git functional tests
      
       - fixes relating to missing free_xid calls (helpful for
         tracing/debugging of entry/exit into cifs.ko)
      
       - a multichannel fix
      
       - a small cleanup fix (use of list_move instead of list_del/list_add)
      
      * tag '6.1-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: update internal module number
        cifs: fix memory leaks in session setup
        cifs: drop the lease for cached directories on rmdir or rename
        smb3: interface count displayed incorrectly
        cifs: Fix memory leak when build ntlmssp negotiate blob failed
        cifs: set rc to -ENOENT if we can not get a dentry for the cached dir
        cifs: use LIST_HEAD() and list_move() to simplify code
        cifs: Fix xid leak in cifs_get_file_info_unix()
        cifs: Fix xid leak in cifs_ses_add_channel()
        cifs: Fix xid leak in cifs_flock()
        cifs: Fix xid leak in cifs_copy_file_range()
        cifs: Fix xid leak in cifs_create()
      bd8e9634
    • Linus Torvalds's avatar
      Merge tag 'nfsd-6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · 022c028f
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
       "Fixes for patches merged in v6.1"
      
      * tag 'nfsd-6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        nfsd: ensure we always call fh_verify_error tracepoint
        NFSD: unregister shrinker when nfsd_init_net() fails
      022c028f
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ed537795
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two small changes, one in the lpfc driver and the other in the core.
      
        The core change is an additional footgun guard which prevents users
        from writing the wrong state to sysfs and causing a hang"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: lpfc: Fix memory leak in lpfc_create_port()
        scsi: core: Restrict legal sdev_state transitions via sysfs
      ed537795
    • Linus Torvalds's avatar
      Merge tag 'block-6.1-2022-10-20' of git://git.kernel.dk/linux · d4b7332e
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Christoph:
            - fix nvme-hwmon for DMA non-cohehrent architectures (Serge Semin)
            - add a nvme-hwmong maintainer (Christoph Hellwig)
            - fix error pointer dereference in error handling (Dan Carpenter)
            - fix invalid memory reference in nvmet_subsys_attr_qid_max_show
              (Daniel Wagner)
            - don't limit the DMA segment size in nvme-apple (Russell King)
            - fix workqueue MEM_RECLAIM flushing dependency (Sagi Grimberg)
            - disable write zeroes on various Kingston SSDs (Xander Li)
      
       - fix a memory leak with block device tracing (Ye)
      
       - flexible-array fix for ublk (Yushan)
      
       - document the ublk recovery feature from this merge window
         (ZiyangZhang)
      
       - remove dead bfq variable in struct (Yuwei)
      
       - error handling rq clearing fix (Yu)
      
       - add an IRQ safety check for the cached bio freeing (Pavel)
      
       - drbd bio cloning fix (Christoph)
      
      * tag 'block-6.1-2022-10-20' of git://git.kernel.dk/linux:
        blktrace: remove unnessary stop block trace in 'blk_trace_shutdown'
        blktrace: fix possible memleak in '__blk_trace_remove'
        blktrace: introduce 'blk_trace_{start,stop}' helper
        bio: safeguard REQ_ALLOC_CACHE bio put
        block, bfq: remove unused variable for bfq_queue
        drbd: only clone bio if we have a backing device
        ublk_drv: use flexible-array member instead of zero-length array
        nvmet: fix invalid memory reference in nvmet_subsys_attr_qid_max_show
        nvmet: fix workqueue MEM_RECLAIM flushing dependency
        nvme-hwmon: kmalloc the NVME SMART log buffer
        nvme-hwmon: consistently ignore errors from nvme_hwmon_init
        nvme: add Guenther as nvme-hwmon maintainer
        nvme-apple: don't limit DMA segement size
        nvme-pci: disable write zeroes on various Kingston SSD
        nvme: fix error pointer dereference in error handling
        Documentation: document ublk user recovery feature
        blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()
      d4b7332e
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.1-2022-10-20' of git://git.kernel.dk/linux · 294e73ff
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix a potential memory leak in the error handling path of io-wq setup
         (Rafael)
      
       - Kill an errant debug statement that got added in this release (me)
      
       - Fix an oops with an invalid direct descriptor with IORING_OP_MSG_RING
         (Harshit)
      
       - Remove unneeded FFS_SCM flagging (Pavel)
      
       - Remove polling off the exit path (Pavel)
      
       - Move out direct descriptor debug check to the cleanup path (Pavel)
      
       - Use the proper helper rather than open-coding cached request get
         (Pavel)
      
      * tag 'io_uring-6.1-2022-10-20' of git://git.kernel.dk/linux:
        io-wq: Fix memory leak in worker creation
        io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
        io_uring/rw: remove leftover debug statement
        io_uring: don't iopoll from io_ring_ctx_wait_and_kill()
        io_uring: reuse io_alloc_req()
        io_uring: kill hot path fixed file bitmap debug checks
        io_uring: remove FFS_SCM
      294e73ff
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.1-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 1d61754c
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Just two fixes for the new 'virtio with grants' feature"
      
      * tag 'for-linus-6.1-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/virtio: Convert PAGE_SIZE/PAGE_SHIFT/PFN_UP to Xen counterparts
        xen/virtio: Handle cases when page offset > PAGE_SIZE properly
      1d61754c
    • Linus Torvalds's avatar
      Merge tag 'selinux-pr-20221020' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 0de0b768
      Linus Torvalds authored
      Pull selinux fix from Paul Moore:
       "A small SELinux fix for a GFP_KERNEL allocation while a spinlock is
        held.
      
        The patch, while still fairly small, is a bit larger than one might
        expect from a simple s/GFP_KERNEL/GFP_ATOMIC/ conversion because we
        added support for the function to be called with different gfp flags
        depending on the context, preserving GFP_KERNEL for those cases that
        can safely sleep"
      
      * tag 'selinux-pr-20221020' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
      0de0b768
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2022-10-20' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm · 440b7895
      Linus Torvalds authored
      Pull misc fixes from Andrew Morron:
       "Seventeen hotfixes, mainly for MM.
      
        Five are cc:stable and the remainder address post-6.0 issues"
      
      * tag 'mm-hotfixes-stable-2022-10-20' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        nouveau: fix migrate_to_ram() for faulting page
        mm/huge_memory: do not clobber swp_entry_t during THP split
        hugetlb: fix memory leak associated with vma_lock structure
        mm/page_alloc: reduce potential fragmentation in make_alloc_exact()
        mm: /proc/pid/smaps_rollup: fix maple tree search
        mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
        mm/mmap: fix MAP_FIXED address return on VMA merge
        mm/mmap.c: __vma_adjust(): suppress uninitialized var warning
        mm/mmap: undo ->mmap() when mas_preallocate() fails
        init: Kconfig: fix spelling mistake "satify" -> "satisfy"
        ocfs2: clear dinode links count in case of error
        ocfs2: fix BUG when iput after ocfs2_mknod fails
        gcov: support GCC 12.1 and newer compilers
        zsmalloc: zs_destroy_pool: add size_class NULL check
        mm/mempolicy: fix mbind_range() arguments to vma_merge()
        mailmap: update email for Qais Yousef
        mailmap: update Dan Carpenter's email address
      440b7895
    • Linus Torvalds's avatar
      Merge tag 'trace-tools-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · ce3d90a8
      Linus Torvalds authored
      Pull tracing tool update from Steven Rostedt:
      
       - Make dot2c generate monitor's automata definition static
      
      * tag 'trace-tools-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        rv/dot2c: Make automaton definition static
      ce3d90a8
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.1-rc2' of git://www.linux-watchdog.org/linux-watchdog · 4f1e0c18
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - Add tracing events for the most common watchdog events
      
      * tag 'linux-watchdog-6.1-rc2' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: Add tracing events for the most usual watchdog events
      4f1e0c18
    • Alistair Popple's avatar
      nouveau: fix migrate_to_ram() for faulting page · 97061d44
      Alistair Popple authored
      Commit 16ce101d ("mm/memory.c: fix race when faulting a device private
      page") changed the migrate_to_ram() callback to take a reference on the
      device page to ensure it can't be freed while handling the fault. 
      Unfortunately the corresponding update to Nouveau to accommodate this
      change was inadvertently dropped from that patch causing GPU to CPU
      migration to fail so add it here.
      
      Link: https://lkml.kernel.org/r/20221019122934.866205-1-apopple@nvidia.com
      Fixes: 16ce101d ("mm/memory.c: fix race when faulting a device private page")
      Signed-off-by: default avatarAlistair Popple <apopple@nvidia.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: Ralph Campbell <rcampbell@nvidia.com>
      Cc: Lyude Paul <lyude@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      97061d44
    • Mel Gorman's avatar
      mm/huge_memory: do not clobber swp_entry_t during THP split · 71e2d666
      Mel Gorman authored
      The following has been observed when running stressng mmap since commit
      b653db77 ("mm: Clear page->private when splitting or migrating a page")
      
         watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]
         CPU: 75 PID: 9546 Comm: stress-ng Tainted: G            E      6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374
         Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016
         RIP: 0010:xas_descend+0x28/0x80
         Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 <48> 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2
         RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246
         RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002
         RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0
         RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0
         R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000
         R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88
         FS:  00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0
         DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
         DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
         Call Trace:
          <TASK>
          xas_load+0x3a/0x50
          __filemap_get_folio+0x80/0x370
          ? put_swap_page+0x163/0x360
          pagecache_get_page+0x13/0x90
          __try_to_reclaim_swap+0x50/0x190
          scan_swap_map_slots+0x31e/0x670
          get_swap_pages+0x226/0x3c0
          folio_alloc_swap+0x1cc/0x240
          add_to_swap+0x14/0x70
          shrink_page_list+0x968/0xbc0
          reclaim_page_list+0x70/0xf0
          reclaim_pages+0xdd/0x120
          madvise_cold_or_pageout_pte_range+0x814/0xf30
          walk_pgd_range+0x637/0xa30
          __walk_page_range+0x142/0x170
          walk_page_range+0x146/0x170
          madvise_pageout+0xb7/0x280
          ? asm_common_interrupt+0x22/0x40
          madvise_vma_behavior+0x3b7/0xac0
          ? find_vma+0x4a/0x70
          ? find_vma+0x64/0x70
          ? madvise_vma_anon_name+0x40/0x40
          madvise_walk_vmas+0xa6/0x130
          do_madvise+0x2f4/0x360
          __x64_sys_madvise+0x26/0x30
          do_syscall_64+0x5b/0x80
          ? do_syscall_64+0x67/0x80
          ? syscall_exit_to_user_mode+0x17/0x40
          ? do_syscall_64+0x67/0x80
          ? syscall_exit_to_user_mode+0x17/0x40
          ? do_syscall_64+0x67/0x80
          ? do_syscall_64+0x67/0x80
          ? common_interrupt+0x8b/0xa0
          entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      The problem can be reproduced with the mmtests config
      config-workload-stressng-mmap.  It does not always happen and when it
      triggers is variable but it has happened on multiple machines.
      
      The intent of commit b653db77 patch was to avoid the case where
      PG_private is clear but folio->private is not-NULL.  However, THP tail
      pages uses page->private for "swp_entry_t if folio_test_swapcache()" as
      stated in the documentation for struct folio.  This patch only clobbers
      page->private for tail pages if the head page was not in swapcache and
      warns once if page->private had an unexpected value.
      
      Link: https://lkml.kernel.org/r/20221019134156.zjyyn5aownakvztf@techsingularity.net
      Fixes: b653db77 ("mm: Clear page->private when splitting or migrating a page")
      Signed-off-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Yang Shi <shy828301@gmail.com>
      Cc: Brian Foster <bfoster@redhat.com>
      Cc: Dan Streetman <ddstreet@ieee.org>
      Cc: Miaohe Lin <linmiaohe@huawei.com>
      Cc: Oleksandr Natalenko <oleksandr@natalenko.name>
      Cc: Seth Jennings <sjenning@redhat.com>
      Cc: Vitaly Wool <vitaly.wool@konsulko.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      71e2d666
    • Mike Kravetz's avatar
      hugetlb: fix memory leak associated with vma_lock structure · 612b8a31
      Mike Kravetz authored
      The hugetlb vma_lock structure hangs off the vm_private_data pointer of
      sharable hugetlb vmas.  The structure is vma specific and can not be
      shared between vmas.  At fork and various other times, vmas are duplicated
      via vm_area_dup().  When this happens, the pointer in the newly created
      vma must be cleared and the structure reallocated.  Two hugetlb specific
      routines deal with this hugetlb_dup_vma_private and hugetlb_vm_op_open. 
      Both routines are called for newly created vmas.  hugetlb_dup_vma_private
      would always clear the pointer and hugetlb_vm_op_open would allocate the
      new vms_lock structure.  This did not work in the case of this calling
      sequence pointed out in [1].
      
        move_vma
          copy_vma
            new_vma = vm_area_dup(vma);
            new_vma->vm_ops->open(new_vma); --> new_vma has its own vma lock.
          is_vm_hugetlb_page(vma)
            clear_vma_resv_huge_pages
              hugetlb_dup_vma_private --> vma->vm_private_data is set to NULL
      
      When clearing hugetlb_dup_vma_private we actually leak the associated
      vma_lock structure.
      
      The vma_lock structure contains a pointer to the associated vma.  This
      information can be used in hugetlb_dup_vma_private and hugetlb_vm_op_open
      to ensure we only clear the vm_private_data of newly created (copied)
      vmas.  In such cases, the vma->vma_lock->vma field will not point to the
      vma.
      
      Update hugetlb_dup_vma_private and hugetlb_vm_op_open to not clear
      vm_private_data if vma->vma_lock->vma == vma.  Also, log a warning if
      hugetlb_vm_op_open ever encounters the case where vma_lock has already
      been correctly allocated for the vma.
      
      [1] https://lore.kernel.org/linux-mm/5154292a-4c55-28cd-0935-82441e512fc3@huawei.com/
      
      Link: https://lkml.kernel.org/r/20221019201957.34607-1-mike.kravetz@oracle.com
      Fixes: 131a79b4 ("hugetlb: fix vma lock handling during split vma and range unmapping")
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Reviewed-by: default avatarMiaohe Lin <linmiaohe@huawei.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Axel Rasmussen <axelrasmussen@google.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: James Houghton <jthoughton@google.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Mina Almasry <almasrymina@google.com>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Cc: Naoya Horiguchi <naoya.horiguchi@linux.dev>
      Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
      Cc: Peter Xu <peterx@redhat.com>
      Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
      Cc: Sven Schnelle <svens@linux.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      612b8a31
    • Liam R. Howlett's avatar
      mm/page_alloc: reduce potential fragmentation in make_alloc_exact() · df48a5f7
      Liam R. Howlett authored
      Try to avoid using the left over split page on the next request for a page
      by calling __free_pages_ok() with FPI_TO_TAIL.  This increases the
      potential of defragmenting memory when it's used for a short period of
      time.
      
      Link: https://lkml.kernel.org/r/20220531185626.yvlmymbxyoe5vags@revolverSigned-off-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Suggested-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      df48a5f7
    • Hugh Dickins's avatar
      mm: /proc/pid/smaps_rollup: fix maple tree search · 08ac8552
      Hugh Dickins authored
      /proc/pid/smaps_rollup showed 0 kB for everything: now find first vma.
      
      Link: https://lkml.kernel.org/r/3011bee7-182-97a2-1083-d5f5b688e54b@google.com
      Fixes: c4c84f06 ("fs/proc/task_mmu: stop using linked list and highest_vm_end")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Reviewed-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      08ac8552
    • Rik van Riel's avatar
      mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages · 12df140f
      Rik van Riel authored
      The h->*_huge_pages counters are protected by the hugetlb_lock, but
      alloc_huge_page has a corner case where it can decrement the counter
      outside of the lock.
      
      This could lead to a corrupted value of h->resv_huge_pages, which we have
      observed on our systems.
      
      Take the hugetlb_lock before decrementing h->resv_huge_pages to avoid a
      potential race.
      
      Link: https://lkml.kernel.org/r/20221017202505.0e6a4fcd@imladris.surriel.com
      Fixes: a88c7695 ("mm: hugetlb: fix hugepage memory leak caused by wrong reserve count")
      Signed-off-by: default avatarRik van Riel <riel@surriel.com>
      Reviewed-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Glen McCready <gkmccready@meta.com>
      Cc: Mike Kravetz <mike.kravetz@oracle.com>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      12df140f
    • Liam Howlett's avatar
      mm/mmap: fix MAP_FIXED address return on VMA merge · a57b7051
      Liam Howlett authored
      mmap should return the start address of newly mapped area when successful.
      On a successful merge of a VMA, the return address was changed and thus
      was violating that expectation from userspace.
      
      This is a restoration of functionality provided by 309d08d9
      (mm/mmap.c: fix mmap return value when vma is merged after call_mmap()). 
      For completeness of fixing MAP_FIXED, implement the comments from the
      previous discussion to never update the address and fail if the address
      changes.  Leaving the error as a WARN_ON() to avoid crashing the kernel.
      
      Link: https://lkml.kernel.org/r/20221018191613.4133459-1-Liam.Howlett@oracle.com
      Link: https://lore.kernel.org/all/Y06yk66SKxlrwwfb@lakrids/
      Link: https://lore.kernel.org/all/20201203085350.22624-1-liuzixian4@huawei.com/
      Fixes: 4dd1b841 ("mm/mmap: use advanced maple tree API for mmap_region()")
      Signed-off-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Liu Zixian <liuzixian4@huawei.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Jason Gunthorpe <jgg@nvidia.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      a57b7051
    • Andrew Morton's avatar
      mm/mmap.c: __vma_adjust(): suppress uninitialized var warning · 1cd916d0
      Andrew Morton authored
      The code is OK, but it fools gcc.
      
      mm/mmap.c:802 __vma_adjust() error: uninitialized symbol 'next_next'.
      
      Fixes: 524e00b3 ("mm: remove rb tree.")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      1cd916d0
    • Mike Kravetz's avatar
      mm/mmap: undo ->mmap() when mas_preallocate() fails · 5789151e
      Mike Kravetz authored
      A memory leak in hugetlb_reserve_pages was reported in [1].  The root
      cause was traced to an error path in mmap_region when mas_preallocate()
      fails.  In this case, the vma is freed after a successful call to
      filesystem specific mmap.  The hugetlbfs mmap routine may allocate data
      structures pointed to by m_private_data.  These need to be cleaned up by
      the hugetlb vm_ops->close() routine.
      
      The same issue was addressed by commit deb0f656 ("mm/mmap: undo
      ->mmap() when arch_validate_flags() fails") for the arch_validate_flags()
      test.  Go to the same close_and_free_vma label if mas_preallocate() fails.
      
      [1] https://lore.kernel.org/linux-mm/CAKXUXMxf7OiCwbxib7MwfR4M1b5+b3cNTU7n5NV9Zm4967=FPQ@mail.gmail.com/
      
      Link: https://lkml.kernel.org/r/20221018024945.415036-1-mike.kravetz@oracle.com
      Fixes: d4af56c5 ("mm: start tracking VMAs with maple tree")
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Reported-by: default avatarLukas Bulwahn <lukas.bulwahn@gmail.com>
      Reviewed-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Cc: Andrii Nakryiko <andrii@kernel.org>
      Cc: Carlos Llamas <cmllamas@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      5789151e
    • Colin Ian King's avatar
      eacf96d2
    • Joseph Qi's avatar
      ocfs2: clear dinode links count in case of error · 28f4821b
      Joseph Qi authored
      In ocfs2_mknod(), if error occurs after dinode successfully allocated,
      ocfs2 i_links_count will not be 0.
      
      So even though we clear inode i_nlink before iput in error handling, it
      still won't wipe inode since we'll refresh inode from dinode during inode
      lock.  So just like clear inode i_nlink, we clear ocfs2 i_links_count as
      well.  Also do the same change for ocfs2_symlink().
      
      Link: https://lkml.kernel.org/r/20221017130227.234480-2-joseph.qi@linux.alibaba.comSigned-off-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Reported-by: default avatarYan Wang <wangyan122@huawei.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      28f4821b
    • Joseph Qi's avatar
      ocfs2: fix BUG when iput after ocfs2_mknod fails · 759a7c61
      Joseph Qi authored
      Commit b1529a41 "ocfs2: should reclaim the inode if
      '__ocfs2_mknod_locked' returns an error" tried to reclaim the claimed
      inode if __ocfs2_mknod_locked() fails later.  But this introduce a race,
      the freed bit may be reused immediately by another thread, which will
      update dinode, e.g.  i_generation.  Then iput this inode will lead to BUG:
      inode->i_generation != le32_to_cpu(fe->i_generation)
      
      We could make this inode as bad, but we did want to do operations like
      wipe in some cases.  Since the claimed inode bit can only affect that an
      dinode is missing and will return back after fsck, it seems not a big
      problem.  So just leave it as is by revert the reclaim logic.
      
      Link: https://lkml.kernel.org/r/20221017130227.234480-1-joseph.qi@linux.alibaba.com
      Fixes: b1529a41 ("ocfs2: should reclaim the inode if '__ocfs2_mknod_locked' returns an error")
      Signed-off-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Reported-by: default avatarYan Wang <wangyan122@huawei.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      759a7c61
    • Martin Liska's avatar
      gcov: support GCC 12.1 and newer compilers · 977ef30a
      Martin Liska authored
      Starting with GCC 12.1, the created .gcda format can't be read by gcov
      tool.  There are 2 significant changes to the .gcda file format that
      need to be supported:
      
      a) [gcov: Use system IO buffering]
         (23eb66d1d46a34cb28c4acbdf8a1deb80a7c5a05) changed that all sizes in
         the format are in bytes and not in words (4B)
      
      b) [gcov: make profile merging smarter]
         (72e0c742bd01f8e7e6dcca64042b9ad7e75979de) add a new checksum to the
         file header.
      
      Tested with GCC 7.5, 10.4, 12.2 and the current master.
      
      Link: https://lkml.kernel.org/r/624bda92-f307-30e9-9aaa-8cc678b2dfb2@suse.czSigned-off-by: default avatarMartin Liska <mliska@suse.cz>
      Tested-by: default avatarPeter Oberparleiter <oberpar@linux.ibm.com>
      Reviewed-by: default avatarPeter Oberparleiter <oberpar@linux.ibm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      977ef30a
    • Alexey Romanov's avatar
      zsmalloc: zs_destroy_pool: add size_class NULL check · 4249a05f
      Alexey Romanov authored
      Inside the zs_destroy_pool() function, there can still be NULL size_class
      pointers: if when the next size_class is allocated, inside
      zs_create_pool() function, kzalloc will return NULL and handling the error
      condition, zs_create_pool() will call zs_destroy_pool().
      
      Link: https://lkml.kernel.org/r/20221013112825.61869-1-avromanov@sberdevices.ru
      Fixes: f24263a5 ("zsmalloc: remove unnecessary size_class NULL check")
      Signed-off-by: default avatarAlexey Romanov <avromanov@sberdevices.ru>
      Reviewed-by: default avatarSergey Senozhatsky <senozhatsky@chromium.org>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Nitin Gupta <ngupta@vflare.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      4249a05f
    • Liam Howlett's avatar
      mm/mempolicy: fix mbind_range() arguments to vma_merge() · 7329e3eb
      Liam Howlett authored
      Fuzzing produced an invalid argument to vma_merge() which was caught by
      the newly added verification of the number of VMAs being removed on
      process exit.  Analyzing the failure eventually resulted in finding an
      issue with the search of a VMA that started at address 0, which caused an
      underflow and thus the loss of many VMAs being tracked in the tree.  Fix
      the underflow by changing the search of the maple tree to use the start
      address directly.
      
      Link: https://lkml.kernel.org/r/20221015021135.2816178-1-Liam.Howlett@oracle.com
      Fixes: 66850be5 ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
      Signed-off-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
        Link: https://lore.kernel.org/r/202210052318.5ad10912-oliver.sang@intel.com
      Cc: Yu Zhao <yuzhao@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      7329e3eb
    • Qais Yousef's avatar
      mailmap: update email for Qais Yousef · cef408e7
      Qais Yousef authored
      Update my email address for old entry and add a new entry for my
      contribution while working with arm to continue support that work.
      
      Link: https://lkml.kernel.org/r/20221014141016.539625-1-qyousef@layalina.ioSigned-off-by: default avatarQais Yousef <qyousef@layalina.io>
      Acked-by: default avatarQais Yousef <qais.yousef@arm.com>
      Acked-by: default avatarQais Yousef <qsyousef@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      cef408e7
    • Dan Carpenter's avatar
      mailmap: update Dan Carpenter's email address · 5ad15f1b
      Dan Carpenter authored
      My time at Oracle is ending at the end of the month.  Update my email
      address accordingly.
      
      Link: https://lkml.kernel.org/r/Y0a+6+5SHMdvUnpg@kiliSigned-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      5ad15f1b
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2022-10-21' of git://anongit.freedesktop.org/drm/drm · e35184f3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Usual fixes for the week.
      
        The amdgpu contains fixes for two regressions, one reported in
        response to rc1 which broke on SI GPUs, and one gfx9 APU regression.
      
        Otherwise it's mostly fixes for new IP, and some GPU reset fixes. vc4
        is just HDMI fixes, and panfrost has some mnor types fixes.
      
        Core:
         - fix connector DDC pointer
         - fix buffer overflow in format_helper_test
      
        amdgpu:
         - Mode2 reset fixes for Sienna Cichlid
         - Revert broken fan speed sensor fix
         - SMU 13.x fixes
         - GC 11.x fixes
         - RAS fixes
         - SR-IOV fixes
         - Fix BO move breakage on SI
         - Misc compiler fixes
         - Fix gfx9 APU regression caused by PCI AER fix
      
        vc4:
         - HDMI fixes
      
        panfrost:
         - compiler fixes"
      
      * tag 'drm-fixes-2022-10-21' of git://anongit.freedesktop.org/drm/drm: (35 commits)
        drm/amdgpu: fix sdma doorbell init ordering on APUs
        drm/panfrost: replace endian-specific types with native ones
        drm/panfrost: Remove type name from internal structs
        drm/connector: Set DDC pointer in drmm_connector_init
        drm: tests: Fix a buffer overflow in format_helper_test
        drm/amdgpu: use DRM_SCHED_FENCE_DONT_PIPELINE for VM updates
        drm/sched: add DRM_SCHED_FENCE_DONT_PIPELINE flag
        drm/amdgpu: Fix for BO move issue
        drm/amdgpu: dequeue mes scheduler during fini
        drm/amd/pm: enable thermal alert on smu_v13_0_10
        drm/amdgpu: Program GC registers through RLCG interface in gfx_v11/gmc_v11
        drm/amdkfd: Fix type of reset_type parameter in hqd_destroy() callback
        drm/amd/display: Increase frame size limit for display_mode_vba_util_32.o
        drm/amd/pm: add SMU IP v13.0.4 IF version define to V7
        drm/amd/pm: update SMU IP v13.0.4 driver interface version
        drm/amd/pm: Init pm_attr_list when dpm is disabled
        drm/amd/pm: disable cstate feature for gpu reset scenario
        drm/amd/pm: fulfill SMU13.0.7 cstate control interface
        drm/amd/pm: fulfill SMU13.0.0 cstate control interface
        drm/amdgpu: Add sriov vf ras support in amdgpu_ras_asic_supported
        ...
      e35184f3
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6d36c728
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - revert "net: fix cpu_max_bits_warn() usage in
           netif_attrmask_next{,_and}"
      
         - revert "net: sched: fq_codel: remove redundant resource cleanup in
           fq_codel_init()"
      
         - dsa: uninitialized variable in dsa_slave_netdevice_event()
      
         - eth: sunhme: uninitialized variable in happy_meal_init()
      
        Current release - new code bugs:
      
         - eth: octeontx2: fix resource not freed after malloc
      
        Previous releases - regressions:
      
         - sched: fix return value of qdisc ingress handling on success
      
         - sched: fix race condition in qdisc_graft()
      
         - udp: update reuse->has_conns under reuseport_lock.
      
         - tls: strp: make sure the TCP skbs do not have overlapping data
      
         - hsr: avoid possible NULL deref in skb_clone()
      
         - tipc: fix an information leak in tipc_topsrv_kern_subscr
      
         - phylink: add mac_managed_pm in phylink_config structure
      
         - eth: i40e: fix DMA mappings leak
      
         - eth: hyperv: fix a RX-path warning
      
         - eth: mtk: fix memory leaks
      
        Previous releases - always broken:
      
         - sched: cake: fix null pointer access issue when cake_init() fails"
      
      * tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (43 commits)
        net: phy: dp83822: disable MDI crossover status change interrupt
        net: sched: fix race condition in qdisc_graft()
        net: hns: fix possible memory leak in hnae_ae_register()
        wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()
        sfc: include vport_id in filter spec hash and equal()
        genetlink: fix kdoc warnings
        selftests: add selftest for chaining of tc ingress handling to egress
        net: Fix return value of qdisc ingress handling on success
        net: sched: sfb: fix null pointer access issue when sfb_init() fails
        Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()"
        net: sched: cake: fix null pointer access issue when cake_init() fails
        ethernet: marvell: octeontx2 Fix resource not freed after malloc
        netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
        netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
        ionic: catch NULL pointer issue on reconfig
        net: hsr: avoid possible NULL deref in skb_clone()
        bnxt_en: fix memory leak in bnxt_nvm_test()
        ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
        udp: Update reuse->has_conns under reuseport_lock.
        net: ethernet: mediatek: ppe: Remove the unused function mtk_foe_entry_usable()
        ...
      6d36c728
    • Linus Torvalds's avatar
      Merge tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · c7b00652
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
       "Several minor fixes:
      
         - Fix the module alias for the ahci_imx driver to get autoloading to
           work (Alexander)
      
         - Fix a potential array-index-out-of-bounds problem with the
           enclosure managment support in the ahci driver (Kai-Heng)
      
         - Several patches to fix compilation warnings thrown by clang in the
           ahci_st, sata_rcar, ahci_brcm, ahci_xgene, ahci_imx and ahci_qoriq
           drivers (me)"
      
      * tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: ahci_qoriq: Fix compilation warning
        ata: ahci_imx: Fix compilation warning
        ata: ahci_xgene: Fix compilation warning
        ata: ahci_brcm: Fix compilation warning
        ata: sata_rcar: Fix compilation warning
        ata: ahci_st: Fix compilation warning
        ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
        ata: ahci-imx: Fix MODULE_ALIAS
      c7b00652
    • Linus Torvalds's avatar
      Merge tag 'for-6.1/dm-changes-v2' of... · a3ccea6e
      Linus Torvalds authored
      Merge tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper updates from Mike Snitzer:
      
       - Fix dm-bufio to use test_bit_acquire to properly test_bit on arches
         with weaker memory ordering.
      
       - DM core replace DMWARN with DMERR or DMCRIT for fatal errors.
      
       - Enable WQ_HIGHPRI on DM verity target's verify_wq.
      
       - Add documentation for DM verity's try_verify_in_tasklet option.
      
       - Various typo and redundant word fixes in code and/or comments.
      
      * tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm clone: Fix typo in block_device format specifier
        dm: remove unnecessary assignment statement in alloc_dev()
        dm verity: Add documentation for try_verify_in_tasklet option
        dm cache: delete the redundant word 'each' in comment
        dm raid: fix typo in analyse_superblocks code comment
        dm verity: enable WQ_HIGHPRI on verify_wq
        dm raid: delete the redundant word 'that' in comment
        dm: change from DMWARN to DMERR or DMCRIT for fatal errors
        dm bufio: use the acquire memory barrier when testing for B_READING
      a3ccea6e
  4. 20 Oct, 2022 1 commit