1. 14 Feb, 2023 1 commit
  2. 13 Feb, 2023 3 commits
  3. 05 Feb, 2023 2 commits
  4. 02 Feb, 2023 30 commits
    • Zhang Xiaoxu's avatar
      jffs2: Fix list_del corruption if compressors initialized failed · 3432e574
      Zhang Xiaoxu authored
      There is a list_del corruption when remove the jffs2 module:
      
        list_del corruption, ffffffffa0623e60->next is NULL
        WARNING: CPU: 6 PID: 6332 at lib/list_debug.c:49 __list_del_entry_valid+0x98/0x130
        Modules linked in: jffs2(-) ]
        CPU: 6 PID: 6332 Comm: rmmod Tainted: G        W          6.1.0-rc2+ #5
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
        RIP: 0010:__list_del_entry_valid+0x98/0x130
        ...
        Call Trace:
         <TASK>
         jffs2_unregister_compressor+0x3e/0xe0 [jffs2]
         jffs2_zlib_exit+0x11/0x30 [jffs2]
         jffs2_compressors_exit+0x1e/0x30 [jffs2]
         exit_jffs2_fs+0x16/0x44f [jffs2]
         __do_sys_delete_module.constprop.0+0x244/0x370
         do_syscall_64+0x35/0x80
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      If one of the compressor initialize failed, the module always insert
      success since jffs2_compressors_init() always return success, then
      something bad may happen during remove the module.
      
      For this scenario, let's insmod failed.
      Signed-off-by: default avatarZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      3432e574
    • Zhang Xiaoxu's avatar
      jffs2: Use function instead of macro when initialize compressors · d5711ae5
      Zhang Xiaoxu authored
      The initialized compressors should be released if one of them
      initialize fail, this is the pre-patch for fix the problem, use
      function instead of the macro in jffs2_compressors_init() to
      simplify the codes, no functional change intended.
      Signed-off-by: default avatarZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      d5711ae5
    • Yu Zhe's avatar
      jffs2: fix spelling mistake "neccecary"->"necessary" · 7198c9c0
      Yu Zhe authored
      There is a spelling mistake in comment. Fix it.
      Signed-off-by: default avatarYu Zhe <yuzhe@nfschina.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      7198c9c0
    • Yang Li's avatar
      ubifs: Fix kernel-doc · 42212523
      Yang Li authored
      Fix function name in fs/ubifs/io.c kernel-doc comment
      to remove some warnings found by clang(make W=1 LLVM=1).
      
      fs/ubifs/io.c:497: warning: expecting prototype for
      wbuf_timer_callback(). Prototype was for wbuf_timer_callback_nolock()
      instead
      fs/ubifs/io.c:513: warning: expecting prototype for new_wbuf_timer().
      Prototype was for new_wbuf_timer_nolock() instead
      fs/ubifs/io.c:538: warning: expecting prototype for cancel_wbuf_timer().
      Prototype was for cancel_wbuf_timer_nolock() instead
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: default avatarYang Li <yang.lee@linux.alibaba.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      42212523
    • Yang Li's avatar
      ubifs: Fix some kernel-doc comments · 415c9453
      Yang Li authored
      Remove warnings found by running scripts/kernel-doc,
      which is caused by using 'make W=1'.
      fs/ubifs/journal.c:1221: warning: Function parameter or member
      'old_inode' not described in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Function parameter or member 'old_nm'
      not described in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Function parameter or member
      'new_inode' not described in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Function parameter or member 'new_nm'
      not described in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Function parameter or member
      'whiteout' not described in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Excess function parameter 'old_dentry'
      description in 'ubifs_jnl_rename'
      fs/ubifs/journal.c:1221: warning: Excess function parameter 'new_dentry'
      description in 'ubifs_jnl_rename'
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: default avatarYang Li <yang.lee@linux.alibaba.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      415c9453
    • Jiapeng Chong's avatar
      UBI: Fastmap: Fix kernel-doc · b5dd034f
      Jiapeng Chong authored
      drivers/mtd/ubi/fastmap.c:104: warning: expecting prototype for new_fm_vhdr(). Prototype was for new_fm_vbuf() instead.
      
      Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2289Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: default avatarJiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      b5dd034f
    • Zhihao Cheng's avatar
      ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed · 4d57a733
      Zhihao Cheng authored
      Following process will trigger an infinite loop in ubi_wl_put_peb():
      
      	ubifs_bgt		ubi_bgt
      ubifs_leb_unmap
        ubi_leb_unmap
          ubi_eba_unmap_leb
            ubi_wl_put_peb	wear_leveling_worker
                                e1 = rb_entry(rb_first(&ubi->used)
      			  e2 = get_peb_for_wl(ubi)
      			  ubi_io_read_vid_hdr  // return err (flash fault)
      			  out_error:
      			    ubi->move_from = ubi->move_to = NULL
      			    wl_entry_destroy(ubi, e1)
      			      ubi->lookuptbl[e->pnum] = NULL
            retry:
              e = ubi->lookuptbl[pnum];	// return NULL
      	if (e == ubi->move_from) {	// NULL == NULL gets true
      	  goto retry;			// infinite loop !!!
      
      $ top
        PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     COMMAND
        7676 root     20   0       0      0      0 R 100.0  0.0  ubifs_bgt0_0
      
      Fix it by:
       1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
          been removed from 'ubi->lookuptbl'.
       2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
          use-after-free problem for wl entry in ubi_wl_put_peb().
      
      Fetch a reproducer in [Link].
      
      Fixes: 43f9b25a ("UBI: bugfix: protect from volume removal")
      Fixes: ee59ba8b ("UBI: Fix stale pointers in ubi->lookuptbl")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4d57a733
    • Zhihao Cheng's avatar
      ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() · a240bc5c
      Zhihao Cheng authored
      Wear-leveling entry could be freed in error path, which may be accessed
      again in eraseblk_count_seq_show(), for example:
      
      __erase_worker                eraseblk_count_seq_show
                                      wl = ubi->lookuptbl[*block_number]
      				if (wl)
        wl_entry_destroy
          ubi->lookuptbl[e->pnum] = NULL
          kmem_cache_free(ubi_wl_entry_slab, e)
      		                   erase_count = wl->ec  // UAF!
      
      Wear-leveling entry updating/accessing in ubi->lookuptbl should be
      protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
      wl entry accessing between wl_entry_destroy() and
      eraseblk_count_seq_show().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
      Fixes: 7bccd12d ("ubi: Add debugfs file for tracking PEB state")
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      a240bc5c
    • Zhihao Cheng's avatar
      ubi: fastmap: Fix missed fm_anchor PEB in wear-leveling after disabling fastmap · 76f9476e
      Zhihao Cheng authored
      After disabling fastmap(ubi->fm_disabled = 1), fastmap won't be updated,
      fm_anchor PEB is missed being scheduled for erasing. Besides, fm_anchor
      PEB may have smallest erase count, it doesn't participate wear-leveling.
      The difference of erase count between fm_anchor PEB and other PEBs will
      be larger and larger later on.
      
      In which situation fastmap can be disabled? Initially, we have an UBI
      image with fastmap. Then the image will be atttached without module
      parameter 'fm_autoconvert', ubi turns to full scanning mode in one
      random attaching process(eg. bad fastmap caused by powercut), ubi
      fastmap is disabled since then.
      
      Fix it by not getting fm_anchor if fastmap is disabled in
      ubi_refill_pools().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216341
      Fixes: 4b68bf9a ("ubi: Select fastmap anchor PEBs considering ...")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      76f9476e
    • Zhihao Cheng's avatar
      ubifs: ubifs_releasepage: Remove ubifs_assert(0) to valid this process · 66f4742e
      Zhihao Cheng authored
      There are two states for ubifs writing pages:
      1. Dirty, Private
      2. Not Dirty, Not Private
      
      The normal process cannot go to ubifs_releasepage() which means there
      exists pages being private but not dirty. Reproducer[1] shows that it
      could occur (which maybe related to [2]) with following process:
      
           PA                     PB                    PC
      lock(page)[PA]
      ubifs_write_end
        attach_page_private         // set Private
        __set_page_dirty_nobuffers  // set Dirty
      unlock(page)
      
      write_cache_pages[PA]
        lock(page)
        clear_page_dirty_for_io(page)	// clear Dirty
        ubifs_writepage
      
                              do_truncation[PB]
      			  truncate_setsize
      			    i_size_write(inode, newsize) // newsize = 0
      
          i_size = i_size_read(inode)	// i_size = 0
          end_index = i_size >> PAGE_SHIFT
          if (page->index > end_index)
            goto out // jump
      out:
      unlock(page)   // Private, Not Dirty
      
      						generic_fadvise[PC]
      						  lock(page)
      						  invalidate_inode_page
      						    try_to_release_page
      						      ubifs_releasepage
      						        ubifs_assert(c, 0)
      		                                        // bad assertion!
      						  unlock(page)
      			  truncate_pagecache[PB]
      
      Then we may get following assertion failed:
        UBIFS error (ubi0:0 pid 1683): ubifs_assert_failed [ubifs]:
        UBIFS assert failed: 0, in fs/ubifs/file.c:1513
        UBIFS warning (ubi0:0 pid 1683): ubifs_ro_mode [ubifs]:
        switched to read-only mode, error -22
        CPU: 2 PID: 1683 Comm: aa Not tainted 5.16.0-rc5-00184-g0bca5994cacc-dirty #308
        Call Trace:
          dump_stack+0x13/0x1b
          ubifs_ro_mode+0x54/0x60 [ubifs]
          ubifs_assert_failed+0x4b/0x80 [ubifs]
          ubifs_releasepage+0x67/0x1d0 [ubifs]
          try_to_release_page+0x57/0xe0
          invalidate_inode_page+0xfb/0x130
          __invalidate_mapping_pages+0xb9/0x280
          invalidate_mapping_pagevec+0x12/0x20
          generic_fadvise+0x303/0x3c0
          ksys_fadvise64_64+0x4c/0xb0
      
      [1] https://bugzilla.kernel.org/show_bug.cgi?id=215373
      [2] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      66f4742e
    • Zhihao Cheng's avatar
      ubifs: ubifs_writepage: Mark page dirty after writing inode failed · fb8bc4c7
      Zhihao Cheng authored
      There are two states for ubifs writing pages:
      1. Dirty, Private
      2. Not Dirty, Not Private
      
      There is a third possibility which maybe related to [1] that page is
      private but not dirty caused by following process:
      
                PA
      lock(page)
      ubifs_write_end
        attach_page_private		// set Private
          __set_page_dirty_nobuffers	// set Dirty
      unlock(page)
      
      write_cache_pages
        lock(page)
        clear_page_dirty_for_io(page)	// clear Dirty
        ubifs_writepage
          write_inode
          // fail, goto out, following codes are not executed
          // do_writepage
          //   set_page_writeback 	// set Writeback
          //   detach_page_private	// clear Private
          //   end_page_writeback 	// clear Writeback
          out:
          unlock(page)		// Private, Not Dirty
      
                                             PB
      				ksys_fadvise64_64
      				  generic_fadvise
      				     invalidate_inode_page
      				     // page is neither Dirty nor Writeback
      				       invalidate_complete_page
      				       // page_has_private is true
      					 try_to_release_page
      					   ubifs_releasepage
      					     ubifs_assert(c, 0) !!!
      
      Then we may get following assertion failed:
        UBIFS error (ubi0:0 pid 1492): ubifs_assert_failed [ubifs]:
        UBIFS assert failed: 0, in fs/ubifs/file.c:1499
        UBIFS warning (ubi0:0 pid 1492): ubifs_ro_mode [ubifs]:
        switched to read-only mode, error -22
        CPU: 2 PID: 1492 Comm: aa Not tainted 5.16.0-rc2-00012-g7bb767dee0ba-dirty
        Call Trace:
          dump_stack+0x13/0x1b
          ubifs_ro_mode+0x54/0x60 [ubifs]
          ubifs_assert_failed+0x4b/0x80 [ubifs]
          ubifs_releasepage+0x7e/0x1e0 [ubifs]
          try_to_release_page+0x57/0xe0
          invalidate_inode_page+0xfb/0x130
          invalidate_mapping_pagevec+0x12/0x20
          generic_fadvise+0x303/0x3c0
          vfs_fadvise+0x35/0x40
          ksys_fadvise64_64+0x4c/0xb0
      
      Jump [2] to find a reproducer.
      
      [1] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
      [2] https://bugzilla.kernel.org/show_bug.cgi?id=215357
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      fb8bc4c7
    • Zhihao Cheng's avatar
      ubifs: dirty_cow_znode: Fix memleak in error handling path · 122deabf
      Zhihao Cheng authored
      Following process will cause a memleak for copied up znode:
      
      dirty_cow_znode
        zn = copy_znode(c, znode);
        err = insert_old_idx(c, zbr->lnum, zbr->offs);
        if (unlikely(err))
           return ERR_PTR(err);   // No one refers to zn.
      
      Fix it by adding copied znode back to tnc, then it will be freed
      by ubifs_destroy_tnc_subtree() while closing tnc.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216705
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      122deabf
    • Zhihao Cheng's avatar
      ubifs: Re-statistic cleaned znode count if commit failed · 944e096a
      Zhihao Cheng authored
      Dirty znodes will be written on flash in committing process with
      following states:
      
      	      process A			|  znode state
      ------------------------------------------------------
      do_commit				| DIRTY_ZNODE
        ubifs_tnc_start_commit		| DIRTY_ZNODE
         get_znodes_to_commit			| DIRTY_ZNODE | COW_ZNODE
          layout_commit			| DIRTY_ZNODE | COW_ZNODE
           fill_gap                           | 0
        write master				| 0 or OBSOLETE_ZNODE
      
      	      process B			|  znode state
      ------------------------------------------------------
      do_commit				| DIRTY_ZNODE[1]
        ubifs_tnc_start_commit		| DIRTY_ZNODE
         get_znodes_to_commit			| DIRTY_ZNODE | COW_ZNODE
        ubifs_tnc_end_commit			| DIRTY_ZNODE | COW_ZNODE
         write_index                          | 0
        write master				| 0 or OBSOLETE_ZNODE[2] or
      					| DIRTY_ZNODE[3]
      
      [1] znode is dirtied without concurrent committing process
      [2] znode is copied up (re-dirtied by other process) before cleaned
          up in committing process
      [3] znode is re-dirtied after cleaned up in committing process
      
      Currently, the clean znode count is updated in free_obsolete_znodes(),
      which is called only in normal path. If do_commit failed, clean znode
      count won't be updated, which triggers a failure ubifs assertion[4] in
      ubifs_tnc_close():
       ubifs_assert_failed [ubifs]: UBIFS assert failed: freed == n
      
      [4] Commit 380347e9 ("UBIFS: Add an assertion for clean_zn_cnt").
      
      Fix it by re-statisticing cleaned znode count in tnc_destroy_cnext().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216704
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      944e096a
    • ZhaoLong Wang's avatar
      ubi: Fix permission display of the debugfs files · 2de203d8
      ZhaoLong Wang authored
      Some interface files in debugfs support the read method
      dfs_file_read(), but their rwx permissions is shown as
      unreadable.
      
      In the user mode, the following problem can be clearly seen:
      
       # ls -l /sys/kernel/debug/ubi/ubi0/
       total 0
       --w------- 1 root root 0 Oct 22 16:26 chk_fastmap
       --w------- 1 root root 0 Oct 22 16:26 chk_gen
       --w------- 1 root root 0 Oct 22 16:26 chk_io
       -r-------- 1 root root 0 Oct 22 16:26 detailed_erase_block_info
       --w------- 1 root root 0 Oct 22 16:26 tst_disable_bgt
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_bitflips
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_io_failures
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_max
       --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_min
      
      It shows that these files do not have read permission 'r',
      but we can actually read their contents.
      
       # echo 1 > /sys/kernel/debug/ubi/ubi0/chk_io
       # cat /sys/kernel/debug/ubi/ubi0/chk_io
       1
      
      User's permission access is determined by capabilities.
      Of course, the root user is not restricted from reading
      these files.
      
      When reading a debugfs file, the process is as follows:
      
       ksys_read()
         vfs_read()
           if (file->f_op->read)
             file->f_op->read()
               full_proxy_open()
                 real_fops->read()
                   dfs_file_read() -- Read method of debugfs file.
           else if (file->f_op->read_iter)
             new_sync_read()
           else
             ret = -EINVAL -- Return -EINVAL if no read method.
      
      This indicates that the debugfs file can be read as long as the read
      method of the debugfs file is registered. This patch adds the read
      permission display for file that support the read method.
      Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      2de203d8
    • Yang Yingliang's avatar
      ubi: Fix possible null-ptr-deref in ubi_free_volume() · c15859bf
      Yang Yingliang authored
      It willl cause null-ptr-deref in the following case:
      
      uif_init()
        ubi_add_volume()
          cdev_add() -> if it fails, call kill_volumes()
          device_register()
      
      kill_volumes() -> if ubi_add_volume() fails call this function
        ubi_free_volume()
          cdev_del()
          device_unregister() -> trying to delete a not added device,
      			   it causes null-ptr-deref
      
      So in ubi_free_volume(), it delete devices whether they are added
      or not, it will causes null-ptr-deref.
      
      Handle the error case whlie calling ubi_add_volume() to fix this
      problem. If add volume fails, set the corresponding vol to null,
      so it can not be accessed in kill_volumes() and release the
      resource in ubi_add_volume() error path.
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Suggested-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c15859bf
    • ZhaoLong Wang's avatar
      ubi: fastmap: Add fastmap control support for module parameter · 7af73882
      ZhaoLong Wang authored
      The UBI driver can use the IOCTL to disable the fastmap after the
      mainline 669d2044 ("ubi: fastmap: Add fastmap control support
      for 'UBI_IOCATT' ioctl"). To destroy the fastmap on a old image,
      we need to reattach the device in user space.
      
      However, if the UBI driver build in kernel and the UBI volume is
      the root partition, the UBI device cannot be reattached in user
      space. To disable fastmap in this case, the UBI must provide the
      kernel cmdline parameters to disable fastmap during attach.
      
      This patch add 'enable_fm' as 5th module init parameter of mtd=xx to
      control fastmap enable or not. When the value is 0, fastmap will not
      create and existed fastmap will destroyed for the given ubi device.
      Default value is 0.
      
      To enable or disable fastmap during module loading, fm_autoconvert
      must be set to non-zero.
      
      +-----------------+---------------+---------------------------+
      |        \        |  enable_fm=0  |  enable_fm=1              |
      +-----------------+---------------+---------------------------+
      |fm_autoconvert=Y |  disable fm   |  enable fm                |
      +---------------------------------+---------------------------+
      |fm_autoconvert=N |  disable fm   | Enable fastmap if fastmap |
      |                 |               | exists on the old image   |
      +-------------------------------------------------------------+
      
      Example:
        # - Attach mtd1 to ubi1, disable fastmap, mtd2 to ubi2, enable
            fastmap.
        # modprobe ubi mtd=1,0,0,1,0 mtd=2,0,0,2,1 fm_autoconvert=1
      
        # - If 5th parameter is not specified, the value is 0, fastmap is
            disable
        # modprobe ubi mtd=1 fm_autoconvert=1
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216623Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      7af73882
    • Li Zetao's avatar
      ubifs: Fix memory leak in alloc_wbufs() · 4a1ff3c5
      Li Zetao authored
      kmemleak reported a sequence of memory leaks, and show them as following:
      
        unreferenced object 0xffff8881575f8400 (size 1024):
          comm "mount", pid 19625, jiffies 4297119604 (age 20.383s)
          hex dump (first 32 bytes):
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          backtrace:
            [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
            [<ffffffffa0406b2b>] ubifs_mount+0x307b/0x7170 [ubifs]
            [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
            [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
            [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
            [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
            [<ffffffff83c14295>] do_syscall_64+0x35/0x80
            [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
        unreferenced object 0xffff8881798a6e00 (size 512):
          comm "mount", pid 19677, jiffies 4297121912 (age 37.816s)
          hex dump (first 32 bytes):
            6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
            6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
          backtrace:
            [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
            [<ffffffffa0418342>] ubifs_wbuf_init+0x52/0x480 [ubifs]
            [<ffffffffa0406ca5>] ubifs_mount+0x31f5/0x7170 [ubifs]
            [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
            [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
            [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
            [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
            [<ffffffff83c14295>] do_syscall_64+0x35/0x80
            [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      The problem is that the ubifs_wbuf_init() returns an error in the
      loop which in the alloc_wbufs(), then the wbuf->buf and wbuf->inodes
      that were successfully alloced before are not freed.
      
      Fix it by adding error hanging path in alloc_wbufs() which frees
      the memory alloced before when ubifs_wbuf_init() returns an error.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4a1ff3c5
    • Li Zetao's avatar
      ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() · 1e591ea0
      Li Zetao authored
      There is a memory leaks problem reported by kmemleak:
      
      unreferenced object 0xffff888102007a00 (size 128):
        comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
        hex dump (first 32 bytes):
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
        backtrace:
      [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
      [<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
      [<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
      [<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
      [<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
      [<ffffffff83c142a5>] do_syscall_64+0x35/0x80
      [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      This is due to a mismatch between create and destroy interfaces, and
      in detail that "new_eba_tbl" created by ubi_eba_create_table() but
      destroyed by kfree(), while will causing "new_eba_tbl->entries" not
      freed.
      
      Fix it by replacing kfree(new_eba_tbl) with
      ubi_eba_destroy_table(new_eba_tbl)
      
      Fixes: 799dca34 ("UBI: hide EBA internals")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1e591ea0
    • Li Zetao's avatar
      ubi: Fix use-after-free when volume resizing failed · 9af31d6e
      Li Zetao authored
      There is an use-after-free problem reported by KASAN:
        ==================================================================
        BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
        Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735
      
        CPU: 2 PID: 4735 Comm: ubirsvol
        Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
        BIOS 1.14.0-1.fc33 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x34/0x44
         print_report+0x171/0x472
         kasan_report+0xad/0x130
         ubi_eba_copy_table+0x11f/0x1c0 [ubi]
         ubi_resize_volume+0x4f9/0xbc0 [ubi]
         ubi_cdev_ioctl+0x701/0x1850 [ubi]
         __x64_sys_ioctl+0x11d/0x170
         do_syscall_64+0x35/0x80
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
         </TASK>
      
      When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
      "new_eba_tbl" will be freed on error handing path, but it is holded
      by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
      of "vol->eba_tbl" and "vol" are different, so when resizing volume in
      next time, it causing an use-after-free fault.
      
      Fix it by not freeing "new_eba_tbl" after it replaced in
      ubi_eba_replace_table(), while will be freed in next volume resizing.
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      9af31d6e
    • Zhihao Cheng's avatar
      ubifs: Reserve one leb for each journal head while doing budget · e874dcde
      Zhihao Cheng authored
      UBIFS calculates available space by c->main_bytes - c->lst.total_used
      (which means non-index lebs' free and dirty space is accounted into
      total available), then index lebs and four lebs (one for gc_lnum, one
      for deletions, two for journal heads) are deducted.
      In following situation, ubifs may get -ENOSPC from make_reservation():
       LEB 84: DATAHD   free 122880 used 1920  dirty 2176  dark 6144
       LEB 110:DELETION free 126976 used 0     dirty 0     dark 6144 (empty)
       LEB 201:gc_lnum  free 126976 used 0     dirty 0     dark 6144
       LEB 272:GCHD     free 77824  used 47672 dirty 1480  dark 6144
       LEB 356:BASEHD   free 0      used 39776 dirty 87200 dark 6144
       OTHERS: index lebs, zero-available non-index lebs
      
      UBIFS calculates the available bytes is 6888 (How to calculate it:
      126976 * 5[remain main bytes] - 1920[used] - 47672[used] - 39776[used] -
      126976 * 1[deletions] - 126976 * 1[gc_lnum] - 126976 * 2[journal heads]
      - 6144 * 5[dark] = 6888) after doing budget, however UBIFS cannot use
      BASEHD's dirty space(87200), because UBIFS cannot find next BASEHD to
      reclaim current BASEHD. (c->bi.min_idx_lebs equals to c->lst.idx_lebs,
      the empty leb won't be found by ubifs_find_free_space(), and dirty index
      lebs won't be picked as gced lebs. All non-index lebs has dirty space
      less then c->dead_wm, non-index lebs won't be picked as gced lebs
      either. So new free lebs won't be produced.). See more details in Link.
      
      To fix it, reserve one leb for each journal head while doing budget.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216562
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      e874dcde
    • Zhihao Cheng's avatar
      ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 · 25fce616
      Zhihao Cheng authored
      If target inode is a special file (eg. block/char device) with nlink
      count greater than 1, the inode with ui->data will be re-written on
      disk. However, UBIFS losts target inode's data_len while doing space
      budget. Bad space budget may let make_reservation() return with -ENOSPC,
      which could turn ubifs to read-only mode in do_writepage() process.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216494
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      25fce616
    • Zhihao Cheng's avatar
      ubifs: Fix wrong dirty space budget for dirty inode · b248eaf0
      Zhihao Cheng authored
      Each dirty inode should reserve 'c->bi.inode_budget' bytes in space
      budget calculation. Currently, space budget for dirty inode reports
      more space than what UBIFS actually needs to write.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      b248eaf0
    • Zhihao Cheng's avatar
      ubifs: Add comments and debug info for ubifs_xrename() · c04cc68d
      Zhihao Cheng authored
      Just like other operations (eg. ubifs_create, do_rename), add comments
      and debug information for ubifs_xrename().
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c04cc68d
    • Zhihao Cheng's avatar
      ubifs: Rectify space budget for ubifs_xrename() · 1b2ba090
      Zhihao Cheng authored
      There is no space budget for ubifs_xrename(). It may let
      make_reservation() return with -ENOSPC, which could turn
      ubifs to read-only mode in do_writepage() process.
      Fix it by adding space budget for ubifs_xrename().
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216569
      Fixes: 9ec64962 ("ubifs: Implement RENAME_EXCHANGE")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1b2ba090
    • Zhihao Cheng's avatar
      ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted · c2c36cc6
      Zhihao Cheng authored
      Fix bad space budget when symlink file is encrypted. Bad space budget
      may let make_reservation() return with -ENOSPC, which could turn ubifs
      to read-only mode in do_writepage() process.
      
      Fetch a reproducer in [Link].
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490
      Fixes: ca7f85be ("ubifs: Add support for encrypted symlinks")
      Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c2c36cc6
    • Mårten Lindahl's avatar
      ubi: block: Reduce warning print to info for static volumes · 6addbe91
      Mårten Lindahl authored
      If volume size is not multiple of the sector size 512 a warning is
      printed saying that the last non-sector aligned bytes will be ignored.
      
      This should be valid for resizable volumes, but when creating static
      volumes which are read only this will always be printed even if the
      unaligned data is deliberate.
      
      The message is still valid but the severity should be lowered for static
      volumes.
      Signed-off-by: default avatarMårten Lindahl <marten.lindahl@axis.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      6addbe91
    • Liu Shixin's avatar
      ubifs: Fix memory leak in ubifs_sysfs_init() · 203a55f0
      Liu Shixin authored
      When insmod ubifs.ko, a kmemleak reported as below:
      
       unreferenced object 0xffff88817fb1a780 (size 8):
         comm "insmod", pid 25265, jiffies 4295239702 (age 100.130s)
         hex dump (first 8 bytes):
           75 62 69 66 73 00 ff ff                          ubifs...
         backtrace:
           [<ffffffff81b3fc4c>] slab_post_alloc_hook+0x9c/0x3c0
           [<ffffffff81b44bf3>] __kmalloc_track_caller+0x183/0x410
           [<ffffffff8198d3da>] kstrdup+0x3a/0x80
           [<ffffffff8198d486>] kstrdup_const+0x66/0x80
           [<ffffffff83989325>] kvasprintf_const+0x155/0x190
           [<ffffffff83bf55bb>] kobject_set_name_vargs+0x5b/0x150
           [<ffffffff83bf576b>] kobject_set_name+0xbb/0xf0
           [<ffffffff8100204c>] do_one_initcall+0x14c/0x5a0
           [<ffffffff8157e380>] do_init_module+0x1f0/0x660
           [<ffffffff815857be>] load_module+0x6d7e/0x7590
           [<ffffffff8158644f>] __do_sys_finit_module+0x19f/0x230
           [<ffffffff815866b3>] __x64_sys_finit_module+0x73/0xb0
           [<ffffffff88c98e85>] do_syscall_64+0x35/0x80
           [<ffffffff88e00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      When kset_register() failed, we should call kset_put to cleanup it.
      
      Fixes: 2e3cbf42 ("ubifs: Export filesystem error counters")
      Signed-off-by: default avatarLiu Shixin <liushixin2@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      203a55f0
    • Li Hua's avatar
      ubifs: Fix build errors as symbol undefined · aa6d148e
      Li Hua authored
      With CONFIG_UBIFS_FS_AUTHENTICATION not set, the compiler can assume that
      ubifs_node_check_hash() is never true and drops the call to ubifs_bad_hash().
      Is CONFIG_CC_OPTIMIZE_FOR_SIZE enabled this optimization does not happen anymore.
      
      So When CONFIG_UBIFS_FS and CONFIG_CC_OPTIMIZE_FOR_SIZE is enabled but
      CONFIG_UBIFS_FS_AUTHENTICATION is not set, the build errors is as followd:
          ERROR: modpost: "ubifs_bad_hash" [fs/ubifs/ubifs.ko] undefined!
      
      Fix it by add no-op ubifs_bad_hash() for the CONFIG_UBIFS_FS_AUTHENTICATION=n case.
      
      Fixes: 16a26b20 ("ubifs: authentication: Add hashes to index nodes")
      Signed-off-by: default avatarLi Hua <hucool.lihua@huawei.com>
      Reviewed-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      aa6d148e
    • George Kennedy's avatar
      ubi: ensure that VID header offset + VID header size <= alloc, size · 1b42b1a3
      George Kennedy authored
      Ensure that the VID header offset + VID header size does not exceed
      the allocated area to avoid slab OOB.
      
      BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
      BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
      BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
      Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555
      
      CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G        W
      6.0.0-1868 #1
      Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
      04/01/2014
      Call Trace:
        <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
        print_address_description mm/kasan/report.c:317 [inline]
        print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
        kasan_report+0xa7/0x11b mm/kasan/report.c:495
        crc32_body lib/crc32.c:111 [inline]
        crc32_le_generic lib/crc32.c:179 [inline]
        crc32_le_base+0x58c/0x626 lib/crc32.c:197
        ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
        create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
        create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
        ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
        ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
        ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
        ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:870 [inline]
        __se_sys_ioctl fs/ioctl.c:856 [inline]
        __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x63/0x0
      RIP: 0033:0x7f96d5cf753d
      Code:
      RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
      RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
      RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
      R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
        </TASK>
      
      Allocated by task 1555:
        kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
        kasan_set_track mm/kasan/common.c:45 [inline]
        set_alloc_info mm/kasan/common.c:437 [inline]
        ____kasan_kmalloc mm/kasan/common.c:516 [inline]
        __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
        kasan_kmalloc include/linux/kasan.h:234 [inline]
        __kmalloc+0x138/0x257 mm/slub.c:4429
        kmalloc include/linux/slab.h:605 [inline]
        ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
        create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
        create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
        ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
        ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
        ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
        ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:870 [inline]
        __se_sys_ioctl fs/ioctl.c:856 [inline]
        __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x63/0x0
      
      The buggy address belongs to the object at ffff88802bb36e00
        which belongs to the cache kmalloc-256 of size 256
      The buggy address is located 0 bytes to the right of
        256-byte region [ffff88802bb36e00, ffff88802bb36f00)
      
      The buggy address belongs to the physical page:
      page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
      index:0x0 pfn:0x2bb36
      head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
      flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                          ^
        ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 801c135c ("UBI: Unsorted Block Images")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarGeorge Kennedy <george.kennedy@oracle.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      1b42b1a3
    • Yifei Liu's avatar
      jffs2: correct logic when creating a hole in jffs2_write_begin · 23892d38
      Yifei Liu authored
      Bug description and fix:
      
      1. Write data to a file, say all 1s from offset 0 to 16.
      
      2. Truncate the file to a smaller size, say 8 bytes.
      
      3. Write new bytes (say 2s) from an offset past the original size of the
      file, say at offset 20, for 4 bytes.  This is supposed to create a "hole"
      in the file, meaning that the bytes from offset 8 (where it was truncated
      above) up to the new write at offset 20, should all be 0s (zeros).
      
      4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount
      and remount) the f/s.
      
      5. Check the content of the file.  It is wrong.  The 1s that used to be
      between bytes 9 and 16, before the truncation, have REAPPEARED (they should
      be 0s).
      
      We wrote a script and helper C program to reproduce the bug
      (reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile).  We can
      make them available to anyone.
      
      The above example is shown when writing a small file within the same first
      page.  But the bug happens for larger files, as long as steps 1, 2, and 3
      above all happen within the same page.
      
      The problem was traced to the jffs2_write_begin code, where it goes into an
      'if' statement intended to handle writes past the current EOF (i.e., writes
      that may create a hole).  The code computes a 'pageofs' that is the floor
      of the write position (pos), aligned to the page size boundary.  In other
      words, 'pageofs' will never be larger than 'pos'.  The code then sets the
      internal jffs2_raw_inode->isize to the size of max(current inode size,
      pageofs) but that is wrong: the new file size should be the 'pos', which is
      larger than both the current inode size and pageofs.
      
      Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to
      the difference between the pageofs minus current inode size; instead it
      should be the current pos minus the current inode size.  Finally,
      inode->i_size was also set incorrectly.
      
      The patch below fixes this bug.  The bug was discovered using a new tool
      for finding f/s bugs using model checking, called MCFS (Model Checking File
      Systems).
      Signed-off-by: default avatarYifei Liu <yifeliu@cs.stonybrook.edu>
      Signed-off-by: default avatarErez Zadok <ezk@cs.stonybrook.edu>
      Signed-off-by: default avatarManish Adkar <madkar@cs.stonybrook.edu>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      23892d38
  5. 22 Jan, 2023 2 commits
    • Linus Torvalds's avatar
      Linux 6.2-rc5 · 2241ab53
      Linus Torvalds authored
      2241ab53
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux · 95f184d0
      Linus Torvalds authored
      Pull another io_uring fix from Jens Axboe:
       "Just a single fix for a regression that happened in this release due
        to a poll change. Normally I would've just deferred it to next week,
        but since the original fix got picked up by stable, I think it's
        better to just send this one off separately.
      
        The issue is around the poll race fix, and how it mistakenly also got
        applied to multishot polling. Those don't need the race fix, and we
        should not be doing any reissues for that case. Exhaustive test cases
        were written and committed to the liburing regression suite for the
        reported issue, and additions for similar issues"
      
      * tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux:
        io_uring/poll: don't reissue in case of poll race on multishot request
      95f184d0
  6. 21 Jan, 2023 2 commits
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · f6714402
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc and other subsystem driver fixes for
        6.2-rc5 to resolve a few reported issues. They include:
      
         - long time pending fastrpc fixes (should have gone into 6.1, my
           fault)
      
         - mei driver/bus fixes and new device ids
      
         - interconnect driver fixes for reported problems
      
         - vmci bugfix
      
         - w1 driver bugfixes for reported problems
      
        Almost all of these have been in linux-next with no reported problems,
        the rest have all passed 0-day bot testing in my tree and on the
        mailing lists where they have sat too long due to me taking a long
        time to catch up on my pending patch queue"
      
      * tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        VMCI: Use threaded irqs instead of tasklets
        misc: fastrpc: Pass bitfield into qcom_scm_assign_mem
        gsmi: fix null-deref in gsmi_get_variable
        misc: fastrpc: Fix use-after-free race condition for maps
        misc: fastrpc: Don't remove map on creater_process and device_release
        misc: fastrpc: Fix use-after-free and race in fastrpc_map_find
        misc: fastrpc: fix error code in fastrpc_req_mmap()
        mei: me: add meteor lake point M DID
        mei: bus: fix unlink on bus in error path
        w1: fix WARNING after calling w1_process()
        w1: fix deadloop in __w1_remove_master_device()
        comedi: adv_pci1760: Fix PWM instruction handling
        interconnect: qcom: rpm: Use _optional func for provider clocks
        interconnect: qcom: msm8996: Fix regmap max_register values
        interconnect: qcom: msm8996: Provide UFS clocks to A2NoC
        dt-bindings: interconnect: Add UFS clocks to MSM8996 A2NoC
      f6714402
    • Linus Torvalds's avatar
      Merge tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · c88a3114
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here are three small driver and kernel core fixes for 6.2-rc5. They
        include:
      
         - potential gadget fixup in do_prlimit
      
         - device property refcount leak fix
      
         - test_async_probe bugfix for reported problem"
      
      * tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        prlimit: do_prlimit needs to have a speculation check
        driver core: Fix test_async_probe_init saves device in wrong array
        device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()
      c88a3114