1. 09 Jun, 2021 5 commits
    • usb: gadget: f_fs: Fix setting of device and driver data cross-references · ecfbd7b9
      Andrew Gabbasov authored
      FunctionFS device structure 'struct ffs_dev' and driver data structure
      'struct ffs_data' are bound to each other with cross-reference pointers
      'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one
      is supposed to be valid through the whole life of 'struct ffs_data'
      (and while 'struct ffs_dev' exists non-freed), the second one is cleared
      in 'ffs_closed()' (called from 'ffs_data_reset()' or the last
      'ffs_data_put()'). This can be called several times, alternating in
      different order with 'ffs_free_inst()', that, if possible, clears
      the other cross-reference.
      
      As a result, different cases of these calls order may leave stale
      cross-reference pointers, used when the pointed structure is already
      freed. Even if it occasionally doesn't cause kernel crash, this error
      is reported by KASAN-enabled kernel configuration.
      
      For example, the case [last 'ffs_data_put()' - 'ffs_free_inst()'] was
      fixed by commit cdafb6d8 ("usb: gadget: f_fs: Fix use-after-free in
      ffs_free_inst").
      
      The other case ['ffs_data_reset()' - 'ffs_free_inst()' - 'ffs_data_put()']
      now causes KASAN reported error [1], when 'ffs_data_reset()' clears
      'ffs_dev->ffs_data', then 'ffs_free_inst()' frees the 'struct ffs_dev',
      but can't clear 'ffs_data->private_data', which is then accessed
      in 'ffs_closed()' called from 'ffs_data_put()'. This happens since
      'ffs_dev->ffs_data' reference is cleared too early.
      
      Moreover, one more use case, when 'ffs_free_inst()' is called immediately
      after mounting FunctionFS device (that is before the descriptors are
      written and 'ffs_ready()' is called), and then 'ffs_data_reset()'
      or 'ffs_data_put()' is called from accessing "ep0" file or unmounting
      the device. This causes KASAN error report like [2], since
      'ffs_dev->ffs_data' is not yet set when 'ffs_free_inst()' can't properly
      clear 'ffs_data->private_data', that is later accessed to freed structure.
      
      Fix these (and maybe other) cases of stale pointers access by moving
      setting and clearing of the mentioned cross-references to the single
      places, setting both of them when 'struct ffs_data' is created and
      bound to 'struct ffs_dev', and clearing both of them when one of the
      structures is destroyed. It seems convenient to make this pointer
      initialization and structures binding in 'ffs_acquire_dev()' and
      make pointers clearing in 'ffs_release_dev()'. This required some
      changes in these functions parameters and return types.
      
      Also, 'ffs_release_dev()' calling requires some cleanup, fixing minor
      issues, like (1) 'ffs_release_dev()' is not called if 'ffs_free_inst()'
      is called without unmounting the device, and "release_dev" callback
      is not called at all, or (2) "release_dev" callback is called before
      "ffs_closed" callback on unmounting, which seems to be not correctly
      nested with "acquire_dev" and "ffs_ready" callbacks.
      Make this cleanup together with other mentioned 'ffs_release_dev()' changes.
      
      [1]
      ==================================================================
      root@rcar-gen3:~# mkdir /dev/cfs
      root@rcar-gen3:~# mkdir /dev/ffs
      root@rcar-gen3:~# modprobe libcomposite
      root@rcar-gen3:~# mount -t configfs none /dev/cfs
      root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1
      root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
      [   64.340664] file system registered
      root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs
      root@rcar-gen3:~# cd /dev/ffs
      root@rcar-gen3:/dev/ffs# /home/root/ffs-test
      ffs-test: info: ep0: writing descriptors (in v2 format)
      [   83.181442] read descriptors
      [   83.186085] read strings
      ffs-test: info: ep0: writing strings
      ffs-test: dbg:  ep1: starting
      ffs-test: dbg:  ep2: starting
      ffs-test: info: ep1: starts
      ffs-test: info: ep2: starts
      ffs-test: info: ep0: starts
      
      ^C
      root@rcar-gen3:/dev/ffs# cd /home/root/
      root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
      [   98.935061] unloading
      root@rcar-gen3:~# umount /dev/ffs
      [  102.734301] ==================================================================
      [  102.742059] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs]
      [  102.749683] Write of size 1 at addr ffff0004d46ff549 by task umount/2997
      [  102.756709]
      [  102.758311] CPU: 0 PID: 2997 Comm: umount Not tainted 5.13.0-rc4+ #8
      [  102.764971] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
      [  102.772179] Call trace:
      [  102.774779]  dump_backtrace+0x0/0x330
      [  102.778653]  show_stack+0x20/0x2c
      [  102.782152]  dump_stack+0x11c/0x1ac
      [  102.785833]  print_address_description.constprop.0+0x30/0x274
      [  102.791862]  kasan_report+0x14c/0x1c8
      [  102.795719]  __asan_report_store1_noabort+0x34/0x58
      [  102.800840]  ffs_release_dev+0x64/0xa8 [usb_f_fs]
      [  102.805801]  ffs_fs_kill_sb+0x50/0x84 [usb_f_fs]
      [  102.810663]  deactivate_locked_super+0xa0/0xf0
      [  102.815339]  deactivate_super+0x98/0xac
      [  102.819378]  cleanup_mnt+0xd0/0x1b0
      [  102.823057]  __cleanup_mnt+0x1c/0x28
      [  102.826823]  task_work_run+0x104/0x180
      [  102.830774]  do_notify_resume+0x458/0x14e0
      [  102.835083]  work_pending+0xc/0x5f8
      [  102.838762]
      [  102.840357] Allocated by task 2988:
      [  102.844032]  kasan_save_stack+0x28/0x58
      [  102.848071]  kasan_set_track+0x28/0x3c
      [  102.852016]  ____kasan_kmalloc+0x84/0x9c
      [  102.856142]  __kasan_kmalloc+0x10/0x1c
      [  102.860088]  __kmalloc+0x214/0x2f8
      [  102.863678]  kzalloc.constprop.0+0x14/0x20 [usb_f_fs]
      [  102.868990]  ffs_alloc_inst+0x8c/0x208 [usb_f_fs]
      [  102.873942]  try_get_usb_function_instance+0xf0/0x164 [libcomposite]
      [  102.880629]  usb_get_function_instance+0x64/0x68 [libcomposite]
      [  102.886858]  function_make+0x128/0x1ec [libcomposite]
      [  102.892185]  configfs_mkdir+0x330/0x590 [configfs]
      [  102.897245]  vfs_mkdir+0x12c/0x1bc
      [  102.900835]  do_mkdirat+0x180/0x1d0
      [  102.904513]  __arm64_sys_mkdirat+0x80/0x94
      [  102.908822]  invoke_syscall+0xf8/0x25c
      [  102.912772]  el0_svc_common.constprop.0+0x150/0x1a0
      [  102.917891]  do_el0_svc+0xa0/0xd4
      [  102.921386]  el0_svc+0x24/0x34
      [  102.924613]  el0_sync_handler+0xcc/0x154
      [  102.928743]  el0_sync+0x198/0x1c0
      [  102.932238]
      [  102.933832] Freed by task 2996:
      [  102.937144]  kasan_save_stack+0x28/0x58
      [  102.941181]  kasan_set_track+0x28/0x3c
      [  102.945128]  kasan_set_free_info+0x28/0x4c
      [  102.949435]  ____kasan_slab_free+0x104/0x118
      [  102.953921]  __kasan_slab_free+0x18/0x24
      [  102.958047]  slab_free_freelist_hook+0x148/0x1f0
      [  102.962897]  kfree+0x318/0x440
      [  102.966123]  ffs_free_inst+0x164/0x2d8 [usb_f_fs]
      [  102.971075]  usb_put_function_instance+0x84/0xa4 [libcomposite]
      [  102.977302]  ffs_attr_release+0x18/0x24 [usb_f_fs]
      [  102.982344]  config_item_put+0x140/0x1a4 [configfs]
      [  102.987486]  configfs_rmdir+0x3fc/0x518 [configfs]
      [  102.992535]  vfs_rmdir+0x114/0x234
      [  102.996122]  do_rmdir+0x274/0x2b0
      [  102.999617]  __arm64_sys_unlinkat+0x94/0xc8
      [  103.004015]  invoke_syscall+0xf8/0x25c
      [  103.007961]  el0_svc_common.constprop.0+0x150/0x1a0
      [  103.013080]  do_el0_svc+0xa0/0xd4
      [  103.016575]  el0_svc+0x24/0x34
      [  103.019801]  el0_sync_handler+0xcc/0x154
      [  103.023930]  el0_sync+0x198/0x1c0
      [  103.027426]
      [  103.029020] The buggy address belongs to the object at ffff0004d46ff500
      [  103.029020]  which belongs to the cache kmalloc-128 of size 128
      [  103.042079] The buggy address is located 73 bytes inside of
      [  103.042079]  128-byte region [ffff0004d46ff500, ffff0004d46ff580)
      [  103.054236] The buggy address belongs to the page:
      [  103.059262] page:0000000021aa849b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0004d46fee00 pfn:0x5146fe
      [  103.070437] head:0000000021aa849b order:1 compound_mapcount:0
      [  103.076456] flags: 0x8000000000010200(slab|head|zone=2)
      [  103.081948] raw: 8000000000010200 fffffc0013521a80 0000000d0000000d ffff0004c0002300
      [  103.090052] raw: ffff0004d46fee00 000000008020001e 00000001ffffffff 0000000000000000
      [  103.098150] page dumped because: kasan: bad access detected
      [  103.103985]
      [  103.105578] Memory state around the buggy address:
      [  103.110602]  ffff0004d46ff400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  103.118161]  ffff0004d46ff480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  103.125726] >ffff0004d46ff500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  103.133284]                                               ^
      [  103.139120]  ffff0004d46ff580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  103.146679]  ffff0004d46ff600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  103.154238] ==================================================================
      [  103.161792] Disabling lock debugging due to kernel taint
      [  103.167319] Unable to handle kernel paging request at virtual address 0037801d6000018e
      [  103.175406] Mem abort info:
      [  103.178457]   ESR = 0x96000004
      [  103.181609]   EC = 0x25: DABT (current EL), IL = 32 bits
      [  103.187020]   SET = 0, FnV = 0
      [  103.190185]   EA = 0, S1PTW = 0
      [  103.193417] Data abort info:
      [  103.196385]   ISV = 0, ISS = 0x00000004
      [  103.200315]   CM = 0, WnR = 0
      [  103.203366] [0037801d6000018e] address between user and kernel address ranges
      [  103.210611] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [  103.216231] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk sata_rc4
      [  103.259233] CPU: 0 PID: 2997 Comm: umount Tainted: G    B             5.13.0-rc4+ #8
      [  103.267031] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
      [  103.273951] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
      [  103.280001] pc : ffs_data_clear+0x138/0x370 [usb_f_fs]
      [  103.285197] lr : ffs_data_clear+0x124/0x370 [usb_f_fs]
      [  103.290385] sp : ffff800014777a80
      [  103.365766] Call trace:
      [  103.368235]  ffs_data_clear+0x138/0x370 [usb_f_fs]
      [  103.373076]  ffs_data_reset+0x20/0x304 [usb_f_fs]
      [  103.377829]  ffs_data_closed+0x1ec/0x244 [usb_f_fs]
      [  103.382755]  ffs_fs_kill_sb+0x70/0x84 [usb_f_fs]
      [  103.387420]  deactivate_locked_super+0xa0/0xf0
      [  103.391905]  deactivate_super+0x98/0xac
      [  103.395776]  cleanup_mnt+0xd0/0x1b0
      [  103.399299]  __cleanup_mnt+0x1c/0x28
      [  103.402906]  task_work_run+0x104/0x180
      [  103.406691]  do_notify_resume+0x458/0x14e0
      [  103.410823]  work_pending+0xc/0x5f8
      [  103.414351] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821)
      [  103.420490] ---[ end trace 57b43a50e8244f57 ]---
      Segmentation fault
      root@rcar-gen3:~#
      ==================================================================
      
      [2]
      ==================================================================
      root@rcar-gen3:~# mkdir /dev/ffs
      root@rcar-gen3:~# modprobe libcomposite
      root@rcar-gen3:~#
      root@rcar-gen3:~# mount -t configfs none /dev/cfs
      root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1
      root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
      [   54.766480] file system registered
      root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs
      root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
      [   63.197597] unloading
      root@rcar-gen3:~# cat /dev/ffs/ep0
      cat: read error:[   67.213506] ==================================================================
      [   67.222095] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs]
      [   67.229699] Write of size 1 at addr ffff0004c26e974a by task cat/2994
      [   67.236446]
      [   67.238045] CPU: 0 PID: 2994 Comm: cat Not tainted 5.13.0-rc4+ #8
      [   67.244431] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
      [   67.251624] Call trace:
      [   67.254212]  dump_backtrace+0x0/0x330
      [   67.258081]  show_stack+0x20/0x2c
      [   67.261579]  dump_stack+0x11c/0x1ac
      [   67.265260]  print_address_description.constprop.0+0x30/0x274
      [   67.271286]  kasan_report+0x14c/0x1c8
      [   67.275143]  __asan_report_store1_noabort+0x34/0x58
      [   67.280265]  ffs_data_clear+0x70/0x370 [usb_f_fs]
      [   67.285220]  ffs_data_reset+0x20/0x304 [usb_f_fs]
      [   67.290172]  ffs_data_closed+0x240/0x244 [usb_f_fs]
      [   67.295305]  ffs_ep0_release+0x40/0x54 [usb_f_fs]
      [   67.300256]  __fput+0x304/0x580
      [   67.303576]  ____fput+0x18/0x24
      [   67.306893]  task_work_run+0x104/0x180
      [   67.310846]  do_notify_resume+0x458/0x14e0
      [   67.315154]  work_pending+0xc/0x5f8
      [   67.318834]
      [   67.320429] Allocated by task 2988:
      [   67.324105]  kasan_save_stack+0x28/0x58
      [   67.328144]  kasan_set_track+0x28/0x3c
      [   67.332090]  ____kasan_kmalloc+0x84/0x9c
      [   67.336217]  __kasan_kmalloc+0x10/0x1c
      [   67.340163]  __kmalloc+0x214/0x2f8
      [   67.343754]  kzalloc.constprop.0+0x14/0x20 [usb_f_fs]
      [   67.349066]  ffs_alloc_inst+0x8c/0x208 [usb_f_fs]
      [   67.354017]  try_get_usb_function_instance+0xf0/0x164 [libcomposite]
      [   67.360705]  usb_get_function_instance+0x64/0x68 [libcomposite]
      [   67.366934]  function_make+0x128/0x1ec [libcomposite]
      [   67.372260]  configfs_mkdir+0x330/0x590 [configfs]
      [   67.377320]  vfs_mkdir+0x12c/0x1bc
      [   67.380911]  do_mkdirat+0x180/0x1d0
      [   67.384589]  __arm64_sys_mkdirat+0x80/0x94
      [   67.388899]  invoke_syscall+0xf8/0x25c
      [   67.392850]  el0_svc_common.constprop.0+0x150/0x1a0
      [   67.397969]  do_el0_svc+0xa0/0xd4
      [   67.401464]  el0_svc+0x24/0x34
      [   67.404691]  el0_sync_handler+0xcc/0x154
      [   67.408819]  el0_sync+0x198/0x1c0
      [   67.412315]
      [   67.413909] Freed by task 2993:
      [   67.417220]  kasan_save_stack+0x28/0x58
      [   67.421257]  kasan_set_track+0x28/0x3c
      [   67.425204]  kasan_set_free_info+0x28/0x4c
      [   67.429513]  ____kasan_slab_free+0x104/0x118
      [   67.434001]  __kasan_slab_free+0x18/0x24
      [   67.438128]  slab_free_freelist_hook+0x148/0x1f0
      [   67.442978]  kfree+0x318/0x440
      [   67.446205]  ffs_free_inst+0x164/0x2d8 [usb_f_fs]
      [   67.451156]  usb_put_function_instance+0x84/0xa4 [libcomposite]
      [   67.457385]  ffs_attr_release+0x18/0x24 [usb_f_fs]
      [   67.462428]  config_item_put+0x140/0x1a4 [configfs]
      [   67.467570]  configfs_rmdir+0x3fc/0x518 [configfs]
      [   67.472626]  vfs_rmdir+0x114/0x234
      [   67.476215]  do_rmdir+0x274/0x2b0
      [   67.479710]  __arm64_sys_unlinkat+0x94/0xc8
      [   67.484108]  invoke_syscall+0xf8/0x25c
      [   67.488055]  el0_svc_common.constprop.0+0x150/0x1a0
      [   67.493175]  do_el0_svc+0xa0/0xd4
      [   67.496671]  el0_svc+0x24/0x34
      [   67.499896]  el0_sync_handler+0xcc/0x154
      [   67.504024]  el0_sync+0x198/0x1c0
      [   67.507520]
      [   67.509114] The buggy address belongs to the object at ffff0004c26e9700
      [   67.509114]  which belongs to the cache kmalloc-128 of size 128
      [   67.522171] The buggy address is located 74 bytes inside of
      [   67.522171]  128-byte region [ffff0004c26e9700, ffff0004c26e9780)
      [   67.534328] The buggy address belongs to the page:
      [   67.539355] page:000000003177a217 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5026e8
      [   67.549175] head:000000003177a217 order:1 compound_mapcount:0
      [   67.555195] flags: 0x8000000000010200(slab|head|zone=2)
      [   67.560687] raw: 8000000000010200 fffffc0013037100 0000000c00000002 ffff0004c0002300
      [   67.568791] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      [   67.576890] page dumped because: kasan: bad access detected
      [   67.582725]
      [   67.584318] Memory state around the buggy address:
      [   67.589343]  ffff0004c26e9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   67.596903]  ffff0004c26e9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   67.604463] >ffff0004c26e9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   67.612022]                                               ^
      [   67.617860]  ffff0004c26e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   67.625421]  ffff0004c26e9800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.632981] ==================================================================
      [   67.640535] Disabling lock debugging due to kernel taint
       File descriptor[   67.646100] Unable to handle kernel paging request at virtual address fabb801d4000018d
       in bad state
      [   67.655456] Mem abort info:
      [   67.659619]   ESR = 0x96000004
      [   67.662801]   EC = 0x25: DABT (current EL), IL = 32 bits
      [   67.668225]   SET = 0, FnV = 0
      [   67.671375]   EA = 0, S1PTW = 0
      [   67.674613] Data abort info:
      [   67.677587]   ISV = 0, ISS = 0x00000004
      [   67.681522]   CM = 0, WnR = 0
      [   67.684588] [fabb801d4000018d] address between user and kernel address ranges
      [   67.691849] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [   67.697470] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha1_ce evdev sata_rcar libata xhci_plat_hcd scsi_mod xhci_hcd rene4
      [   67.740467] CPU: 0 PID: 2994 Comm: cat Tainted: G    B             5.13.0-rc4+ #8
      [   67.748005] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
      [   67.754924] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
      [   67.760974] pc : ffs_data_clear+0x138/0x370 [usb_f_fs]
      [   67.766178] lr : ffs_data_clear+0x124/0x370 [usb_f_fs]
      [   67.771365] sp : ffff800014767ad0
      [   67.846748] Call trace:
      [   67.849218]  ffs_data_clear+0x138/0x370 [usb_f_fs]
      [   67.854058]  ffs_data_reset+0x20/0x304 [usb_f_fs]
      [   67.858810]  ffs_data_closed+0x240/0x244 [usb_f_fs]
      [   67.863736]  ffs_ep0_release+0x40/0x54 [usb_f_fs]
      [   67.868488]  __fput+0x304/0x580
      [   67.871665]  ____fput+0x18/0x24
      [   67.874837]  task_work_run+0x104/0x180
      [   67.878622]  do_notify_resume+0x458/0x14e0
      [   67.882754]  work_pending+0xc/0x5f8
      [   67.886282] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821)
      [   67.892422] ---[ end trace 6d7cedf53d7abbea ]---
      Segmentation fault
      root@rcar-gen3:~#
      ==================================================================
      
      Fixes: 4b187fce ("usb: gadget: FunctionFS: add devices management code")
      Fixes: 3262ad82 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
      Fixes: cdafb6d8 ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst")
      Reported-by: Bhuvanesh Surachari <bhuvanesh_surachari@mentor.com>
      Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
      Reviewed-by: Eugeniu Rosca <erosca@de.adit-jv.com>
      Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
      Link: https://lore.kernel.org/r/20210603171507.22514-1-andrew_gabbasov@mentor.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
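The two failing call orders described in the f_fs commit message above, as a user-space C model added here for illustration (it is not the kernel code or the patch itself). The struct, step and scheme names are assumptions, and a `freed` flag stands in for `kfree()` so that a stale access is counted instead of performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for 'struct ffs_data' and 'struct ffs_dev';
 * only the two cross-reference pointers named in the commit are kept. */
struct dev_model;
struct data_model { struct dev_model *private_data; };
struct dev_model  { struct data_model *ffs_data; bool freed; };

enum scheme { OLD_SPLIT, NEW_PAIRED };   /* before / after the fix */
enum step   { MOUNT, READY, RESET, FREE_INST, LAST_PUT };

struct model {
    struct dev_model dev;
    struct data_model data;
    enum scheme scheme;
    int stale_accesses;                  /* uses of dev after it was "freed" */
};

/* Models ffs_closed(): reaches the device through data->private_data. */
static void closed(struct model *m)
{
    struct dev_model *dev = m->data.private_data;

    if (!dev)
        return;
    if (dev->freed) {                    /* what KASAN reports in the logs */
        m->stale_accesses++;
        return;
    }
    if (m->scheme == OLD_SPLIT)
        dev->ffs_data = NULL;            /* old code: cleared here, too early */
}

/* Models the reworked release: both pointers are cleared in one place. */
static void release_both(struct model *m)
{
    struct dev_model *dev = m->data.private_data;

    if (dev && !dev->freed)
        dev->ffs_data = NULL;
    m->data.private_data = NULL;
}

static void apply(struct model *m, enum step s)
{
    switch (s) {
    case MOUNT:                          /* acquire: data -> dev is set */
        m->data.private_data = &m->dev;
        if (m->scheme == NEW_PAIRED)
            m->dev.ffs_data = &m->data;  /* fix: bind both at once */
        break;
    case READY:                          /* old code set dev -> data only here */
        if (m->scheme == OLD_SPLIT)
            m->dev.ffs_data = &m->data;
        break;
    case RESET:                          /* ffs_data_reset() -> ffs_closed() */
        closed(m);
        break;
    case FREE_INST:                      /* clears the peer only if reachable */
        if (m->dev.ffs_data) {
            m->dev.ffs_data->private_data = NULL;
            m->dev.ffs_data = NULL;
        }
        m->dev.freed = true;
        break;
    case LAST_PUT:                       /* last ffs_data_put() -> ffs_closed() */
        closed(m);
        if (m->scheme == NEW_PAIRED)
            release_both(m);
        break;
    }
}

/* Replays a call order and returns how many stale accesses it produced. */
int run(enum scheme scheme, const enum step *steps, size_t n)
{
    struct model m = { .scheme = scheme };

    for (size_t i = 0; i < n; i++)
        apply(&m, steps[i]);
    return m.stale_accesses;
}

/* Constructed call orders taken from the commit message text. */
static const enum step RESET_FREE_PUT[]    = { MOUNT, READY, RESET, FREE_INST, LAST_PUT };
static const enum step FREE_BEFORE_READY[] = { MOUNT, FREE_INST, RESET };
static const enum step ORDERLY[]           = { MOUNT, READY, RESET, LAST_PUT, FREE_INST };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("case [1] old=%d new=%d\n",
           run(OLD_SPLIT, RESET_FREE_PUT, LEN(RESET_FREE_PUT)),
           run(NEW_PAIRED, RESET_FREE_PUT, LEN(RESET_FREE_PUT)));
    printf("case [2] old=%d new=%d\n",
           run(OLD_SPLIT, FREE_BEFORE_READY, LEN(FREE_BEFORE_READY)),
           run(NEW_PAIRED, FREE_BEFORE_READY, LEN(FREE_BEFORE_READY)));
    printf("orderly  old=%d new=%d\n",
           run(OLD_SPLIT, ORDERLY, LEN(ORDERLY)),
           run(NEW_PAIRED, ORDERLY, LEN(ORDERLY)));
    return 0;
}
```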
    • usb: dwc3: support 64 bit DMA in platform driver · 45d39448
      Sven Peter authored
      Currently, the dwc3 platform driver does not explicitly ask for
      a DMA mask. This makes it fall back to the default 32-bit mask which
      breaks the driver on systems that only have RAM starting above the
      first 4G like the Apple M1 SoC.
      
      Fix this by calling dma_set_mask_and_coherent with a 64bit mask.
      Reviewed-by: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Sven Peter <sven@svenpeter.dev>
      Link: https://lore.kernel.org/r/20210607061751.89752-1-sven@svenpeter.dev
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: core: Avoid WARNings for 0-length descriptor requests · 60dfe484
      Alan Stern authored
      The USB core has utility routines to retrieve various types of
      descriptors.  These routines will now provoke a WARN if they are asked
      to retrieve 0 bytes (USB "receive" requests must not have zero
      length), so avert this by checking the size argument at the start.
      
      CC: Johan Hovold <johan@kernel.org>
      Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
      Reviewed-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: dwc3: core: fix kernel panic when do reboot · 2a042767
      Peter Chen authored
      When doing a system reboot, it calls dwc3_shutdown and the whole debugfs
      for dwc3 is removed first. When the gadget tries to do deinit and
      remove debugfs for its endpoints, it hits a NULL pointer dereference
      when calling debugfs_lookup. Fix it by removing the whole dwc3
      debugfs later than dwc3_drd_exit.
      
      [ 2924.958838] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000002
      ....
      [ 2925.030994] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
      [ 2925.037005] pc : inode_permission+0x2c/0x198
      [ 2925.041281] lr : lookup_one_len_common+0xb0/0xf8
      [ 2925.045903] sp : ffff80001276ba70
      [ 2925.120671] Call trace:
      [ 2925.123119]  inode_permission+0x2c/0x198
      [ 2925.127042]  lookup_one_len_common+0xb0/0xf8
      [ 2925.131315]  lookup_one_len_unlocked+0x34/0xb0
      [ 2925.135764]  lookup_positive_unlocked+0x14/0x50
      [ 2925.140296]  debugfs_lookup+0x68/0xa0
      [ 2925.143964]  dwc3_gadget_free_endpoints+0x84/0xb0
      [ 2925.148675]  dwc3_gadget_exit+0x28/0x78
      [ 2925.152518]  dwc3_drd_exit+0x100/0x1f8
      [ 2925.156267]  dwc3_remove+0x11c/0x120
      [ 2925.159851]  dwc3_shutdown+0x14/0x20
      [ 2925.163432]  platform_shutdown+0x28/0x38
      [ 2925.167360]  device_shutdown+0x15c/0x378
      [ 2925.171291]  kernel_restart_prepare+0x3c/0x48
      [ 2925.175650]  kernel_restart+0x1c/0x68
      [ 2925.179316]  __do_sys_reboot+0x218/0x240
      [ 2925.183247]  __arm64_sys_reboot+0x28/0x30
      [ 2925.187262]  invoke_syscall+0x48/0x100
      [ 2925.191017]  el0_svc_common.constprop.0+0x48/0xc8
      [ 2925.195726]  do_el0_svc+0x28/0x88
      [ 2925.199045]  el0_svc+0x20/0x30
      [ 2925.202104]  el0_sync_handler+0xa8/0xb0
      [ 2925.205942]  el0_sync+0x148/0x180
      [ 2925.209270] Code: a9025bf5 2a0203f5 121f0056 370802b5 (79400660)
      [ 2925.215372] ---[ end trace 124254d8e485a58b ]---
      [ 2925.220012] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      [ 2925.227676] Kernel Offset: disabled
      [ 2925.231164] CPU features: 0x00001001,20000846
      [ 2925.235521] Memory Limit: none
      [ 2925.238580] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
      
      Fixes: 5ff90af9 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically")
      Cc: Jack Pham <jackp@codeaurora.org>
      Tested-by: Jack Pham <jackp@codeaurora.org>
      Signed-off-by: Peter Chen <peter.chen@kernel.org>
      Link: https://lore.kernel.org/r/20210608105656.10795-1-peter.chen@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 04 Jun, 2021 5 commits
  3. 03 Jun, 2021 8 commits
  4. 02 Jun, 2021 3 commits
  5. 31 May, 2021 1 commit
  6. 30 May, 2021 5 commits
    • Linux 5.13-rc4 · 8124c8a6
      Linus Torvalds authored
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · b90e90f4
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "This is a bit larger than usual at rc4 time. The reason is due to
        Lee's work of fixing newly reported build warnings.
      
        The rest is fixes as usual"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: (22 commits)
        MAINTAINERS: adjust to removing i2c designware platform data
        i2c: s3c2410: fix possible NULL pointer deref on read message after write
        i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset
        i2c: i801: Don't generate an interrupt on bus reset
        i2c: mpc: implement erratum A-004447 workaround
        powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
        powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
        dt-bindings: i2c: mpc: Add fsl,i2c-erratum-a004447 flag
        i2c: busses: i2c-stm32f4: Remove incorrectly placed ' ' from function name
        i2c: busses: i2c-st: Fix copy/paste function misnaming issues
        i2c: busses: i2c-pnx: Provide descriptions for 'alg_data' data structure
        i2c: busses: i2c-ocores: Place the expected function names into the documentation headers
        i2c: busses: i2c-eg20t: Fix 'bad line' issue and provide description for 'msgs' param
        i2c: busses: i2c-designware-master: Fix misnaming of 'i2c_dw_init_master()'
        i2c: busses: i2c-cadence: Fix incorrectly documented 'enum cdns_i2c_slave_mode'
        i2c: busses: i2c-ali1563: File headers are not good candidates for kernel-doc
        i2c: muxes: i2c-arb-gpio-challenge: Demote non-conformant kernel-doc headers
        i2c: busses: i2c-nomadik: Fix formatting issue pertaining to 'timeout'
        i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E
        i2c: I2C_HISI should depend on ACPI
        ...
    • Merge tag 'seccomp-fixes-v5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 9a76c0ee
      Linus Torvalds authored
      Pull seccomp fixes from Kees Cook:
       "This fixes a hard-to-hit race condition in the addfd user_notif
        feature of seccomp, visible since v5.9.
      
        And a small documentation fix"
      
      * tag 'seccomp-fixes-v5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        seccomp: Refactor notification handler to prepare for new semantics
        Documentation: seccomp: Fix user notification documentation
    • Merge tag 'riscv-for-linus-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 9d68fe84
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A handful of RISC-V related fixes:
      
         - avoid errors when the stack tracing code is tracing itself.
      
         - resurrect the memtest= kernel command line argument on RISC-V,
           which was briefly enabled during the merge window before a
           refactoring disabled it.
      
         - build fix and some warning cleanups"
      
      * tag 'riscv-for-linus-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: kexec: Fix W=1 build warnings
        riscv: kprobes: Fix build error when MMU=n
        riscv: Select ARCH_USE_MEMTEST
        riscv: stacktrace: fix the riscv stacktrace when CONFIG_FRAME_POINTER enabled
    • Merge tag 'xfs-5.13-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 75b9c727
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "This week's pile mitigates some decades-old problems in how extent
        size hints interact with realtime volumes, fixes some failures in
        online shrink, and fixes a problem where directory and symlink
        shrinking on extremely fragmented filesystems could fail.
      
        The most user-notable change here is to point users at our (new) IRC
        channel on OFTC. Freedom isn't free, it costs folks like you and me;
        and if you don't kowtow, they'll expel everyone and take over your
        channel. (Ok, ok, that didn't fit the song lyrics...)
      
        Summary:
      
         - Fix a bug where unmapping operations end earlier than expected,
           which can cause chaos on multi-block directory and symlink shrink
           operations.
      
         - Fix an erroneous assert that can trigger if we try to transition a
           bmap structure from btree format to extents format with zero
           extents. This was exposed by xfs/538"
      
      * tag 'xfs-5.13-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: bunmapi has unnecessary AG lock ordering issues
        xfs: btree format inode forks can have zero extents
        xfs: add new IRC channel to MAINTAINERS
        xfs: validate extsz hints against rt extent size when rtinherit is set
        xfs: standardize extent size hint validation
        xfs: check free AG space when making per-AG reservations
  7. 29 May, 2021 13 commits
    • seccomp: Refactor notification handler to prepare for new semantics · ddc47391
      Sargun Dhillon authored
      This refactors the user notification code to have a do / while loop around
      the completion condition. This has a small change in semantics, in that
      previously we ignored addfd calls upon wakeup if the notification had been
      responded to, but instead with the new change we check for outstanding
      addfd calls prior to returning to userspace.
      
      Rodrigo Campos also identified a bug that can result in addfd causing
      an early return, when the supervisor didn't actually handle the
      syscall [1].
      
      [1]: https://lore.kernel.org/lkml/20210413160151.3301-1-rodrigo@kinvolk.io/
      
      Fixes: 7cf97b12 ("seccomp: Introduce addfd ioctl to seccomp user notifier")
      Signed-off-by: Sargun Dhillon <sargun@sargun.me>
      Acked-by: Tycho Andersen <tycho@tycho.pizza>
      Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Tested-by: Rodrigo Campos <rodrigo@kinvolk.io>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20210517193908.3113-3-sargun@sargun.me
    • Merge tag 'thermal-v5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux · df8c66c4
      Linus Torvalds authored
      Pull thermal fixes from Daniel Lezcano:
      
       - Fix uninitialized error code value for the SPMI adc driver (Yang
         Yingliang)
      
       - Fix kernel doc warning (Yang Li)
      
       - Fix wrong read-write thermal trip point initialization (Srinivas
         Pandruvada)
      
      * tag 'thermal-v5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux:
        thermal/drivers/qcom: Fix error code in adc_tm5_get_dt_channel_data()
        thermal/ti-soc-thermal: Fix kernel-doc
        thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID
    • Merge tag 'char-misc-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · f956cb99
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some tiny char/misc driver fixes for 5.13-rc4.
      
        Nothing huge here, just some tiny fixes for reported issues:
      
         - two interconnect driver fixes
      
         - kgdb build warning fix for gcc-11
      
         - hgafb regression fix
      
         - soundwire driver fix
      
         - mei driver fix
      
        All have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        mei: request autosuspend after sending rx flow control
        kgdb: fix gcc-11 warnings harder
        video: hgafb: correctly handle card detect failure during probe
        soundwire: qcom: fix handling of qcom,ports-block-pack-mode
        interconnect: qcom: Add missing MODULE_DEVICE_TABLE
        interconnect: qcom: bcm-voter: add a missing of_node_put()
    • Merge tag 'driver-core-5.13-rc4' of... · e1a9e3db
      Linus Torvalds authored
      Merge tag 'driver-core-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here are three small driver core / debugfs fixes for 5.13-rc4:
      
         - debugfs fix for incorrect "lockdown" mode for selinux accesses
      
         - two device link changes, one bugfix and one cleanup
      
        All of these have been in linux-next for over a week with no reported
        problems"
      
      * tag 'driver-core-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        drivers: base: Reduce device link removal code duplication
        drivers: base: Fix device link removal
        debugfs: fix security_locked_down() call for SELinux
    • Merge tag 'staging-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 494b99f7
      Linus Torvalds authored
      Pull staging and IIO driver fixes from Greg KH:
       "Here are some small IIO and staging driver fixes for reported issues
        for 5.13-rc4.
      
        Nothing major here, tiny changes for reported problems, full details
        are in the shortlog if people are curious.
      
        All have been in linux-next for a while with no reported problems"
      
      * tag 'staging-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: adc: ad7793: Add missing error code in ad7793_setup()
        iio: adc: ad7923: Fix undersized rx buffer.
        iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp()
        iio: dac: ad5770r: Put fwnode in error case during ->probe()
        iio: gyro: fxas21002c: balance runtime power in error path
        staging: emxx_udc: fix loop in _nbu2ss_nuke()
        staging: iio: cdc: ad7746: avoid overwrite of num_channels
        iio: adc: ad7192: handle regulator voltage error first
        iio: adc: ad7192: Avoid disabling a clock that was never enabled.
        iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers
        iio: adc: ad7124: Fix missbalanced regulator enable / disable on error.
    • Merge tag 'tty-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3837f9a0
      Linus Torvalds authored
      Pull tty / serial driver fixes from Greg KH:
       "Here are some small fixes for reported problems for tty and serial
        drivers for 5.13-rc4.
      
        They consist of:
      
         - 8250 bugfixes and new device support
      
         - lockdown security mode fixup
      
         - syzbot found problems fixed
      
         - 8250_omap fix for interrupt storm
      
         - revert of 8250_omap driver fix as it caused a worse problem than the
           original issue
      
        All but the last patch have been in linux-next for a while, the last
        one is a revert of a problem found in linux-next with the 8250_omap
        driver change"
      
      * tag 'tty-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "serial: 8250: 8250_omap: Fix possible interrupt storm"
        serial: 8250_pci: handle FL_NOIRQ board flag
        serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
        serial: 8250_pci: Add support for new HPE serial device
        serial: 8250: 8250_omap: Fix possible interrupt storm
        serial: 8250: Use BIT(x) for UART_{CAP,BUG}_*
        serial: 8250: Add UART_BUG_TXRACE workaround for Aspeed VUART
        serial: 8250_dw: Add device HID for new AMD UART controller
        serial: sh-sci: Fix off-by-one error in FIFO threshold register setting
        serial: core: fix suspicious security_locked_down() call
        serial: tegra: Fix a mask operation that is always true
    • Merge tag 'usb-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 523d0b1e
      Linus Torvalds authored
      Pull USB / Thunderbolt fixes from Greg KH:
       "Here are a number of tiny USB and Thunderbolt driver fixes for
        5.13-rc4.
      
        They consist of:
      
         - thunderbolt fixes for some NVM bound issues
      
         - xhci fixes for reported problems
      
         - control-request fixups
      
         - documentation build warning fixes
      
         - new usb-serial driver device ids
      
         - typec bugfixes for reported issues
      
         - usbfs warning fixups (could be triggered from userspace)
      
         - other tiny fixes for reported problems.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (22 commits)
        xhci: Fix 5.12 regression of missing xHC cache clearing command after a Stall
        xhci: fix giving back URB with incorrect status regression in 5.12
        usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen()
        usb: typec: tcpm: Respond Not_Supported if no snk_vdo
        usb: typec: tcpm: Properly interrupt VDM AMS
        USB: trancevibrator: fix control-request direction
        usb: Restore the usb_header label
        usb: typec: tcpm: Use LE to CPU conversion when accessing msg->header
        usb: typec: ucsi: Clear pending after acking connector change
        usb: typec: mux: Fix matching with typec_altmode_desc
        misc/uss720: fix memory leak in uss720_probe
        usb: dwc3: gadget: Properly track pending and queued SG
        USB: usbfs: Don't WARN about excessively large memory allocations
        thunderbolt: usb4: Fix NVM read buffer bounds and offset issue
        thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue
        usb: chipidea: udc: assign interrupt number to USB gadget structure
        usb: cdnsp: Fix lack of removing request from pending list.
        usb: cdns3: Fix runtime PM imbalance on error
        USB: serial: pl2303: add device id for ADLINK ND-6530 GC
        USB: serial: ti_usb_3410_5052: add startech.com device id
        ...
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 22447828
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "ARM fixes:
      
         - Another state update on exit to userspace fix
      
         - Prevent the creation of mixed 32/64 VMs
      
         - Fix regression with irqbypass not restarting the guest on failed
           connect
      
         - Fix regression with debug register decoding resulting in
           overlapping access
      
         - Commit exception state on exit to userspace
      
         - Fix the MMU notifier return values
      
         - Add missing 'static' qualifiers in the new host stage-2 code
      
        x86 fixes:
      
         - fix guest missed wakeup with assigned devices
      
         - fix WARN reported by syzkaller
      
         - do not use BIT() in UAPI headers
      
         - make the kvm_amd.avic parameter bool
      
        PPC fixes:
      
         - make halt polling heuristics consistent with other architectures
      
        selftests:
      
         - various fixes
      
         - new performance selftest memslot_perf_test
      
         - test UFFD minor faults in demand_paging_test"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (44 commits)
        selftests: kvm: fix overlapping addresses in memslot_perf_test
        KVM: X86: Kill off ctxt->ud
        KVM: X86: Fix warning caused by stale emulation context
        KVM: X86: Use kvm_get_linear_rip() in single-step and #DB/#BP interception
        KVM: x86/mmu: Fix comment mentioning skip_4k
        KVM: VMX: update vcpu posted-interrupt descriptor when assigning device
        KVM: rename KVM_REQ_PENDING_TIMER to KVM_REQ_UNBLOCK
        KVM: x86: add start_assignment hook to kvm_x86_ops
        KVM: LAPIC: Narrow the timer latency between wait_lapic_expire and world switch
        selftests: kvm: do only 1 memslot_perf_test run by default
        KVM: X86: Use _BITUL() macro in UAPI headers
        KVM: selftests: add shared hugetlbfs backing source type
        KVM: selftests: allow using UFFD minor faults for demand paging
        KVM: selftests: create alias mappings when using shared memory
        KVM: selftests: add shmem backing source type
        KVM: selftests: refactor vm_mem_backing_src_type flags
        KVM: selftests: allow different backing source types
        KVM: selftests: compute correct demand paging size
        KVM: selftests: simplify setup_demand_paging error handling
        KVM: selftests: Print a message if /dev/kvm is missing
        ...
    • Merge tag 's390-5.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 866c4b8a
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
       "Fix races in vfio-ccw request handling"
      
      * tag 's390-5.13-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        vfio-ccw: Serialize FSM IDLE state with I/O completion
        vfio-ccw: Reset FSM state to IDLE inside FSM
        vfio-ccw: Check initialized flag in cp_init()
    • selftests: kvm: fix overlapping addresses in memslot_perf_test · 000ac429
      Paolo Bonzini authored
      vm_create allocates memory and maps it close to GPA.  This memory
      is separate from what is allocated in subsequent calls to
      vm_userspace_mem_region_add, so it is incorrect to pass the
      test memory size to vm_create_default.  Just pass a small
      fixed amount of memory which can be used later for page table,
      otherwise GPAs are already allocated at MEM_GPA and the
      test aborts.
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6799d4f2
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Ten small fixes, all in drivers"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
        scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq
        scsi: vmw_pvscsi: Set correct residual data length
        scsi: bnx2fc: Return failure if io_req is already in ABTS processing
        scsi: aic7xxx: Remove multiple definition of globals
        scsi: aic7xxx: Restore several defines for aic7xxx firmware build
        scsi: target: iblock: Fix smp_processor_id() BUG messages
        scsi: libsas: Use _safe() loop in sas_resume_port()
        scsi: target: tcmu: Fix xarray RCU warning
        scsi: target: core: Avoid smp_processor_id() in preemptible code
    • Merge tag 'block-5.13-2021-05-28' of git://git.kernel.dk/linux-block · 0217a27e
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request (Christoph):
            - fix a memory leak in nvme_cdev_add (Guoqing Jiang)
            - fix inline data size comparison in nvmet_tcp_queue_response (Hou
              Pu)
            - fix false keep-alive timeout when a controller is torn down
              (Sagi Grimberg)
            - fix a nvme-tcp Kconfig dependency (Sagi Grimberg)
            - short-circuit reconnect retries for FC (Hannes Reinecke)
            - decode host pathing error for connect (Hannes Reinecke)
      
       - MD pull request (Song):
            - Fix incorrect chunk boundary assert (Christoph)
      
       - Fix s390/dasd verification panic (Stefan)
      
      * tag 'block-5.13-2021-05-28' of git://git.kernel.dk/linux-block:
        nvmet: fix false keep-alive timeout when a controller is torn down
        nvmet-tcp: fix inline data size comparison in nvmet_tcp_queue_response
        nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME
        md/raid5: remove an incorrect assert in in_chunk_boundary
        s390/dasd: add missing discipline function
        nvme-fabrics: decode host pathing error for connect
        nvme-fc: short-circuit reconnect retries
        nvme: fix potential memory leaks in nvme_cdev_add
    • Merge tag 'io_uring-5.13-2021-05-28' of git://git.kernel.dk/linux-block · b3dbbae6
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A few minor fixes:
      
         - Fix an issue with hashed wait removal on exit (Zqiang, Pavel)
      
         - Fix a recent data race introduced in this series (Marco)"
      
      * tag 'io_uring-5.13-2021-05-28' of git://git.kernel.dk/linux-block:
        io_uring: fix data race to avoid potential NULL-deref
        io-wq: Fix UAF when wakeup wqe in hash waitqueue
        io_uring/io-wq: close io-wq full-stop gap