1. 20 Nov, 2022 1 commit
  2. 18 Nov, 2022 2 commits
  3. 17 Nov, 2022 8 commits
    • tracing: Fix wild-memory-access in register_synth_event() · 1b5f1c34
      Shang XiaoJing authored
      In register_synth_event(), if set_synth_event_print_fmt() failed, then
      both trace_remove_event_call() and unregister_trace_event() will be
      called, which means the trace_event_call will call
      __unregister_trace_event() twice. As a result, the second unregister
      will cause the wild-memory-access.
      
      register_synth_event
          set_synth_event_print_fmt failed
          trace_remove_event_call
              event_remove
                  if call->event.funcs then
                  __unregister_trace_event (first call)
          unregister_trace_event
              __unregister_trace_event (second call)
      
      Fix the bug by avoiding the second call to __unregister_trace_event() by
      checking if the first one is called.
      
      general protection fault, probably for non-canonical address
      	0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
      KASAN: maybe wild-memory-access in range
      [0xdead000000000120-0xdead000000000127]
      CPU: 0 PID: 3807 Comm: modprobe Not tainted
      6.1.0-rc1-00186-g76f33a7eedb4 #299
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
      RIP: 0010:unregister_trace_event+0x6e/0x280
      Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48
      b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02
      00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b
      RSP: 0018:ffff88810413f370 EFLAGS: 00010a06
      RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000
      RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20
      RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481
      R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122
      R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028
      FS:  00007f7823e8d540(0000) GS:ffff888119e00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       __create_synth_event+0x1e37/0x1eb0
       create_or_delete_synth_event+0x110/0x250
       synth_event_run_command+0x2f/0x110
       test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]
       synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]
       do_one_initcall+0xdb/0x480
       do_init_module+0x1cf/0x680
       load_module+0x6a50/0x70a0
       __do_sys_finit_module+0x12f/0x1c0
       do_syscall_64+0x3f/0x90
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Link: https://lkml.kernel.org/r/20221117012346.22647-3-shangxiaojing@huawei.com
      
      Fixes: 4b147936 ("tracing: Add support for 'synthetic' events")
      Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
      Cc: stable@vger.kernel.org
      Cc: <mhiramat@kernel.org>
      Cc: <zanussi@kernel.org>
      Cc: <fengguang.wu@intel.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event() · a4527fef
      Shang XiaoJing authored
      test_gen_synth_cmd() only frees buf in the fail path, hence buf will leak
      when there is no failure. Add kfree(buf) to prevent the memleak. The
      same reason and solution apply to test_empty_synth_event().
      
      unreferenced object 0xffff8881127de000 (size 2048):
        comm "modprobe", pid 247, jiffies 4294972316 (age 78.756s)
        hex dump (first 32 bytes):
          20 67 65 6e 5f 73 79 6e 74 68 5f 74 65 73 74 20   gen_synth_test
          20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 64 5f   pid_t next_pid_
        backtrace:
          [<000000004254801a>] kmalloc_trace+0x26/0x100
          [<0000000039eb1cf5>] 0xffffffffa00083cd
          [<000000000e8c3bc8>] 0xffffffffa00086ba
          [<00000000c293d1ea>] do_one_initcall+0xdb/0x480
          [<00000000aa189e6d>] do_init_module+0x1cf/0x680
          [<00000000d513222b>] load_module+0x6a50/0x70a0
          [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0
          [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90
          [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      unreferenced object 0xffff8881127df000 (size 2048):
        comm "modprobe", pid 247, jiffies 4294972324 (age 78.728s)
        hex dump (first 32 bytes):
          20 65 6d 70 74 79 5f 73 79 6e 74 68 5f 74 65 73   empty_synth_tes
          74 20 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69  t  pid_t next_pi
        backtrace:
          [<000000004254801a>] kmalloc_trace+0x26/0x100
          [<00000000d4db9a3d>] 0xffffffffa0008071
          [<00000000c31354a5>] 0xffffffffa00086ce
          [<00000000c293d1ea>] do_one_initcall+0xdb/0x480
          [<00000000aa189e6d>] do_init_module+0x1cf/0x680
          [<00000000d513222b>] load_module+0x6a50/0x70a0
          [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0
          [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90
          [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Link: https://lkml.kernel.org/r/20221117012346.22647-2-shangxiaojing@huawei.com
      
      Cc: <mhiramat@kernel.org>
      Cc: <zanussi@kernel.org>
      Cc: <fengguang.wu@intel.com>
      Cc: stable@vger.kernel.org
      Fixes: 9fe41efa ("tracing: Add synth event generation test module")
      Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • ftrace: Fix null pointer dereference in ftrace_add_mod() · 19ba6c8a
      Xiu Jianfeng authored
      The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next}
      of @ftrace_mod->list are NULL; it's not a valid state to call list_del().
      If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free
      tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del()
      will write prev->next and next->prev, where null pointer dereference
      happens.
      
      BUG: kernel NULL pointer dereference, address: 0000000000000008
      Oops: 0002 [#1] PREEMPT SMP NOPTI
      Call Trace:
       <TASK>
       ftrace_mod_callback+0x20d/0x220
       ? do_filp_open+0xd9/0x140
       ftrace_process_regex.isra.51+0xbf/0x130
       ftrace_regex_write.isra.52.part.53+0x6e/0x90
       vfs_write+0xee/0x3a0
       ? __audit_filter_op+0xb1/0x100
       ? auditd_test_task+0x38/0x50
       ksys_write+0xa5/0xe0
       do_syscall_64+0x3a/0x90
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      Kernel panic - not syncing: Fatal exception
      
      So call INIT_LIST_HEAD() to initialize the list member to fix this issue.
      
      Link: https://lkml.kernel.org/r/20221116015207.30858-1-xiujianfeng@huawei.com
      
      Cc: stable@vger.kernel.org
      Fixes: 673feb9d ("ftrace: Add :mod: caching infrastructure to trace_array")
      Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
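The two list-state bugs described above (the second unregister in register_synth_event() and list_del() on the kzalloc()'d @ftrace_mod), shown in a user-space C model. This is an added example, not code from these commits or from the kernel: struct mod_entry and the helpers classify(), first_store_target(), checked_list_del(), teardown_zeroed() and remove_n_times() are hypothetical. Only the two poison constants mirror the kernel's x86_64 values, which are the dead000000000100 / dead000000000122 values visible in RBP and R12 of the first report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model of the kernel's circular doubly linked list node. */
struct list_head { struct list_head *next, *prev; };

/* Values a deleted node is poisoned with (the kernel's x86_64 constants). */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)

enum node_state { NODE_ZEROED, NODE_POISONED, NODE_EMPTY, NODE_LINKED };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static enum node_state classify(const struct list_head *n)
{
    if (!n->next || !n->prev)
        return NODE_ZEROED;    /* zero-filled allocation, never initialised */
    if (n->next == LIST_POISON1 || n->prev == LIST_POISON2)
        return NODE_POISONED;  /* already deleted once */
    if (n->next == n && n->prev == n)
        return NODE_EMPTY;     /* initialised, but on no list */
    return NODE_LINKED;
}

/* Address hit by the first store of an unchecked delete (next->prev = prev). */
static uintptr_t first_store_target(const struct list_head *n)
{
    return (uintptr_t)n->next + offsetof(struct list_head, prev);
}

/* Delete that refuses nodes an unchecked delete would fault on.
 * Returns 0 when the node was unlinked and poisoned, -1 when refused. */
static int checked_list_del(struct list_head *n)
{
    enum node_state s = classify(n);

    if (s == NODE_ZEROED || s == NODE_POISONED)
        return -1;
    n->next->prev = n->prev;
    n->prev->next = n->next;
    n->next = LIST_POISON1;
    n->prev = LIST_POISON2;
    return 0;
}

/* Hypothetical stand-in for an object that embeds a list node. */
struct mod_entry { struct list_head list; char *func; char *module; };

/* Error path right after a zeroing allocation: the object is torn down
 * before it was ever added to a list. init_first selects the fixed variant. */
static int teardown_zeroed(int init_first, uintptr_t *store_target)
{
    struct mod_entry *m = calloc(1, sizeof(*m));
    int ret;

    if (!m)
        return -2;
    if (init_first)
        init_list_head(&m->list);
    *store_target = first_store_target(&m->list);
    ret = checked_list_del(&m->list);
    free(m);
    return ret;
}

/* Add one node, delete it n times; returns the result of the last delete. */
static int remove_n_times(int n)
{
    struct list_head head, node;
    int ret = 0;

    init_list_head(&head);
    list_add(&node, &head);
    for (int i = 0; i < n; i++)
        ret = checked_list_del(&node);
    return ret;
}

int main(void)
{
    uintptr_t target = 0;
    int ret = teardown_zeroed(0, &target);

    printf("zeroed, no init  : %d (unchecked store at 0x%llx)\n",
           ret, (unsigned long long)target);
    printf("zeroed, init     : %d\n", teardown_zeroed(1, &target));
    printf("delete once/twice: %d / %d\n", remove_n_times(1), remove_n_times(2));
    return 0;
}
```

On a 64-bit build the store target reported for the zeroed node is 0x8, the offset of prev in the node, which is the address in the NULL pointer dereference report above.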
    • ring_buffer: Do not deactivate non-existant pages · 56f4ca0a
      Daniil Tatianin authored
      rb_head_page_deactivate() expects cpu_buffer to contain a valid list of
      ->pages, so verify that the list is actually present before calling it.
      
      Found by Linux Verification Center (linuxtesting.org) with the SVACE
      static analysis tool.
      
      Link: https://lkml.kernel.org/r/20221114143129.3534443-1-d-tatianin@yandex-team.ru
      
      Cc: stable@vger.kernel.org
      Fixes: 77ae365e ("ring-buffer: make lockless")
      Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • ftrace: Optimize the allocation for mcount entries · bcea02b0
      Wang Wensheng authored
      If we can't allocate this size, try something smaller with half of the
      size. Its order should be decreased by one instead of divided by two.
      
      Link: https://lkml.kernel.org/r/20221109094434.84046-3-wangwensheng4@huawei.com
      
      Cc: <mhiramat@kernel.org>
      Cc: <mark.rutland@arm.com>
      Cc: stable@vger.kernel.org
      Fixes: a7900875 ("ftrace: Allocate the mcount record pages as groups")
      Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • ftrace: Fix the possible incorrect kernel message · 08948cae
      Wang Wensheng authored
      If the number of mcount entries is an integer multiple of
      ENTRIES_PER_PAGE, the page count showing on the console would be wrong.
      
      Link: https://lkml.kernel.org/r/20221109094434.84046-2-wangwensheng4@huawei.com
      
      Cc: <mhiramat@kernel.org>
      Cc: <mark.rutland@arm.com>
      Cc: stable@vger.kernel.org
      Fixes: 5821e1b7 ("function tracing: fix wrong pos computing when read buffer has been fulfilled")
      Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • tracing: Fix warning on variable 'struct trace_array' · bedf0683
      Aashish Sharma authored
      Move the declaration of 'struct trace_array' out of #ifdef
      CONFIG_TRACING block, to fix the following warning when CONFIG_TRACING
      is not set:
      
      >> include/linux/trace.h:63:45: warning: 'struct trace_array' declared
      inside parameter list will not be visible outside of this definition or
      declaration
      
      Link: https://lkml.kernel.org/r/20221107160556.2139463-1-shraash@google.com
      
      Fixes: 1a77dd1c ("scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled")
      Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
      Cc: Arun Easi <aeasi@marvell.com>
      Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Aashish Sharma <shraash@google.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • tracing: Fix memory leak in tracing_read_pipe() · 649e7207
      Wang Yufen authored
      kmemleak reports this issue:
      
      unreferenced object 0xffff888105a18900 (size 128):
        comm "test_progs", pid 18933, jiffies 4336275356 (age 22801.766s)
        hex dump (first 32 bytes):
          25 73 00 90 81 88 ff ff 26 05 00 00 42 01 58 04  %s......&...B.X.
          03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000560143a1>] __kmalloc_node_track_caller+0x4a/0x140
          [<000000006af00822>] krealloc+0x8d/0xf0
          [<00000000c309be6a>] trace_iter_expand_format+0x99/0x150
          [<000000005a53bdb6>] trace_check_vprintf+0x1e0/0x11d0
          [<0000000065629d9d>] trace_event_printf+0xb6/0xf0
          [<000000009a690dc7>] trace_raw_output_bpf_trace_printk+0x89/0xc0
          [<00000000d22db172>] print_trace_line+0x73c/0x1480
          [<00000000cdba76ba>] tracing_read_pipe+0x45c/0x9f0
          [<0000000015b58459>] vfs_read+0x17b/0x7c0
          [<000000004aeee8ed>] ksys_read+0xed/0x1c0
          [<0000000063d3d898>] do_syscall_64+0x3b/0x90
          [<00000000a06dda7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      iter->fmt alloced in
        tracing_read_pipe() -> .. ->trace_iter_expand_format(), but not
      freed, to fix, add free in tracing_release_pipe()
      
      Link: https://lkml.kernel.org/r/1667819090-4643-1-git-send-email-wangyufen@huawei.com
      
      Cc: stable@vger.kernel.org
      Fixes: efbbdaa2 ("tracing: Show real address for trace event arguments")
      Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
      Signed-off-by: Wang Yufen <wangyufen@huawei.com>
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
  4. 16 Nov, 2022 2 commits
    • ring-buffer: Include dropped pages in counting dirty patches · 31029a8b
      Steven Rostedt (Google) authored
      The function ring_buffer_nr_dirty_pages() was created to find out how many
      pages are filled in the ring buffer. There's two running counters. One is
      incremented whenever a new page is touched (pages_touched) and the other
      is whenever a page is read (pages_read). The dirty count is the number
      touched minus the number read. This is used to determine if a blocked task
      should be woken up if the percentage of the ring buffer it is waiting for
      is hit.
      
      The problem is that it does not take into account dropped pages (when the
      new writes overwrite pages that were not read). And then the dirty pages
      will always be greater than the percentage.
      
      This makes the "buffer_percent" file inaccurate, as the number of dirty
      pages ends up always being larger than the percentage, even when it's not,
      and this causes user space to be woken up more than it wants to be.
      
      Add a new counter to keep track of lost pages, and include that in the
      accounting of dirty pages so that it is actually accurate.
      
      Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home
      
      Fixes: 2c2b0a78 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
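The dirty-page accounting described above, as a small user-space C model. This is an added example, not the kernel's code: struct rb_model, its helpers, the 10-page ring and the threshold comparison in watermark_hit() are assumptions, and pages_lost is the name chosen here for the new counter.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_PAGES 10  /* constructed ring size for this model */

struct rb_model {
    size_t pages_touched;  /* writer moved onto a new page */
    size_t pages_read;     /* reader consumed a page */
    size_t pages_lost;     /* writer overwrote a page that was never read */
    size_t unread;         /* ground truth: pages holding unread data now */
};

static void writer_fills_page(struct rb_model *rb)
{
    rb->pages_touched++;
    if (rb->unread == NR_PAGES)
        rb->pages_lost++;  /* ring full: the oldest unread page is dropped */
    else
        rb->unread++;
}

static void reader_takes_page(struct rb_model *rb)
{
    if (rb->unread == 0)
        return;
    rb->unread--;
    rb->pages_read++;
}

/* Accounting before the change: touched minus read. */
static size_t dirty_without_lost(const struct rb_model *rb)
{
    return rb->pages_touched - rb->pages_read;
}

/* Accounting with dropped pages included. */
static size_t dirty_with_lost(const struct rb_model *rb)
{
    return rb->pages_touched - rb->pages_lost - rb->pages_read;
}

/* Assumed wake-up rule: wake when more than `percent` of the ring is dirty. */
static int watermark_hit(size_t dirty, unsigned int percent)
{
    return dirty * 100 > (size_t)percent * NR_PAGES;
}

/* Writer produces `written` pages with no reader, then `read` pages are read. */
static struct rb_model run(size_t written, size_t read)
{
    struct rb_model rb = {0};

    for (size_t i = 0; i < written; i++)
        writer_fills_page(&rb);
    for (size_t i = 0; i < read; i++)
        reader_takes_page(&rb);
    return rb;
}

int main(void)
{
    struct rb_model rb = run(25, 8);  /* writer laps the ring, then 8 reads */

    printf("actual unread pages   : %zu\n", rb.unread);
    printf("dirty, touched - read : %zu (wake at 50%%: %d)\n",
           dirty_without_lost(&rb), watermark_hit(dirty_without_lost(&rb), 50));
    printf("dirty, lost included  : %zu (wake at 50%%: %d)\n",
           dirty_with_lost(&rb), watermark_hit(dirty_with_lost(&rb), 50));
    return 0;
}
```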
    • tracing/ring-buffer: Have polling block on watermark · 42fb0a1e
      Steven Rostedt (Google) authored
      Currently the way polling works on the ring buffer is broken. It will
      return immediately if there's any data in the ring buffer whereas a read
      will block until the watermark (defined by the tracefs buffer_percent file)
      is hit.
      
      That is, a select() or poll() will return as if there's data available,
      but then the following read will block. This is broken for the way
      select()s and poll()s are supposed to work.
      
      Have the polling on the ring buffer also block the same way reads and
      splice does on the ring buffer.
      
      Link: https://lkml.kernel.org/r/20221020231427.41be3f26@gandalf.local.home
      
      Cc: Linux Trace Kernel <linux-trace-kernel@vger.kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Primiano Tucci <primiano@google.com>
      Cc: stable@vger.kernel.org
      Fixes: 1e0d6714 ("ring-buffer: Do not wake up a splice waiter when page is not full")
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
  5. 13 Nov, 2022 3 commits
  6. 12 Nov, 2022 6 commits
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · fef7fd48
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Three small fixes, all in drivers.
      
        The sas one is in an unlikely error leg, the debug one is to make it
        more standards conformant and the ibmvfc one is to fix a user visible
        bug where a failover could lose all paths to the device"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: scsi_debug: Make the READ CAPACITY response compliant with ZBC
        scsi: scsi_transport_sas: Fix error handling in sas_phy_add()
        scsi: ibmvfc: Avoid path failures during live migration
    • Merge tag 'sound-fix-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · f95077ac
      Linus Torvalds authored
      Pull additional sound fix from Takashi Iwai:
       "A regression fix for the latest memalloc helper change"
      
      * tag 'sound-fix-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: memalloc: Try dma_alloc_noncontiguous() at first
    • ALSA: memalloc: Try dma_alloc_noncontiguous() at first · 9d8e536d
      Takashi Iwai authored
      The latest fix for the non-contiguous memalloc helper changed the
      allocation method for a non-IOMMU system to use only the fallback
      allocator.  This should have worked, but it caused a problem sometimes
      when too many non-contiguous pages are allocated that can't be treated
      by HD-audio controller.
      
      As a quirk workaround, go back to the original strategy: use
      dma_alloc_noncontiguous() at first, and apply the fallback only when
      it fails, but only for non-IOMMU case.
      
      We'll need a better fix in the fallback code as well, but this
      workaround should paper over most cases.
      
      Fixes: 9736a325 ("ALSA: memalloc: Don't fall back for SG-buffer with IOMMU")
      Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
      Link: https://lore.kernel.org/r/CAHk-=wgSH5ubdvt76gNwa004ooZAEJL_1Q-Fyw5M2FDdqL==dg@mail.gmail.com
      Link: https://lore.kernel.org/r/20221112084718.3305-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • Merge tag 'ata-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 8f2975c2
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
       "Several libata generic code fixes for rc5:
      
         - Add missing translation of the SYNCHRONIZE CACHE 16 scsi command as
           this command is mandatory for host-managed ZBC drives.
      
           The lack of support for it in libata-scsi was causing issues with
           some passthrough applications using ZBC drives (from Shin'ichiro).
      
         - Fix the error path of libata-transport host, port, link and device
           attributes initialization (from Yingliang).
      
         - Prevent issuing new commands to a drive that is in the NCQ error
           state and undergoing recovery (From Niklas).
      
           This bug went unnoticed for a long time as commands issued to a
           drive in error state are aborted immediately and retried by the
           scsi layer, hiding the useless abort-and-retry sequence"
      
      * tag 'ata-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: libata-core: do not issue non-internal commands once EH is pending
        ata: libata-transport: fix error handling in ata_tdev_add()
        ata: libata-transport: fix error handling in ata_tlink_add()
        ata: libata-transport: fix error handling in ata_tport_add()
        ata: libata-transport: fix double ata_host_put() in ata_tport_add()
        ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure
    • Merge tag 'mm-hotfixes-stable-2022-11-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm · d7c2b1f6
      Linus Torvalds authored
      Pull misc hotfixes from Andrew Morton:
       "22 hotfixes.
      
        Eight are cc:stable and the remainder address issues which were
        introduced post-6.0 or which aren't considered serious enough to
        justify a -stable backport"
      
      * tag 'mm-hotfixes-stable-2022-11-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (22 commits)
        docs: kmsan: fix formatting of "Example report"
        mm/damon/dbgfs: check if rm_contexts input is for a real context
        maple_tree: don't set a new maximum on the node when not reusing nodes
        maple_tree: fix depth tracking in maple_state
        arch/x86/mm/hugetlbpage.c: pud_huge() returns 0 when using 2-level paging
        fs: fix leaked psi pressure state
        nilfs2: fix use-after-free bug of ns_writer on remount
        x86/traps: avoid KMSAN bugs originating from handle_bug()
        kmsan: make sure PREEMPT_RT is off
        Kconfig.debug: ensure early check for KMSAN in CONFIG_KMSAN_WARN
        x86/uaccess: instrument copy_from_user_nmi()
        kmsan: core: kmsan_in_runtime() should return true in NMI context
        mm: hugetlb_vmemmap: include missing linux/moduleparam.h
        mm/shmem: use page_mapping() to detect page cache for uffd continue
        mm/memremap.c: map FS_DAX device memory as decrypted
        Partly revert "mm/thp: carry over dirty bit when thp splits on pmd"
        nilfs2: fix deadlock in nilfs_count_free_blocks()
        mm/mmap: fix memory leak in mmap_region()
        hugetlbfs: don't delete error page from pagecache
        maple_tree: reorganize testing to restore module testing
        ...
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 5ad6e7ba
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Another fix for rodata=full. Since rodata= is not a simple boolean on
         arm64 (accepting 'full' as well), it got inadvertently broken by
         changes in the core code. If rodata=on is the default and rodata=off
         is passed on the kernel command line, rodata_full is never disabled
      
       - Fix gcc compiler warning of shifting 0xc0 into bits 31:24 without an
         explicit conversion to u32 (triggered by the AMPERE1 MIDR definition)
      
       - Include asm/ptrace.h in asm/syscall_wrapper.h to fix an incomplete
         struct pt_regs type causing the BPF verifier to refuse to load a
         tracing program which accesses pt_regs
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/syscall: Include asm/ptrace.h in syscall_wrapper header.
        arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro
        arm64: fix rodata=full again
  7. 11 Nov, 2022 18 commits
    • ata: libata-core: do not issue non-internal commands once EH is pending · e20e81a2
      Niklas Cassel authored
      While the ATA specification states that a device should return command
      aborted for all commands queued after the device has entered error state,
      since ATA only keeps the sense data for the latest command (in non-NCQ
      case), we really don't want to send block layer commands to the device
      after it has entered error state. (Only ATA EH commands should be sent,
      to read the sense data etc.)
      
      Currently, scsi_queue_rq() will check if scsi_host_in_recovery()
      (state is SHOST_RECOVERY), and if so, it will _not_ issue a command via:
      scsi_dispatch_cmd() -> host->hostt->queuecommand() (ata_scsi_queuecmd())
      -> __ata_scsi_queuecmd() -> ata_scsi_translate() -> ata_qc_issue()
      
      Before commit e494f6a7 ("[SCSI] improved eh timeout handler"),
      when receiving a TFES error IRQ, the call chain looked like this:
      ahci_error_intr() -> ata_port_abort() -> ata_do_link_abort() ->
      ata_qc_complete() -> ata_qc_schedule_eh() -> blk_abort_request() ->
      blk_rq_timed_out() -> q->rq_timed_out_fn() (scsi_times_out()) ->
      scsi_eh_scmd_add() -> scsi_host_set_state(shost, SHOST_RECOVERY)
      
      Which meant that as soon as an error IRQ was serviced, SHOST_RECOVERY
      would be set.
      
      However, after commit e494f6a7 ("[SCSI] improved eh timeout handler"),
      scsi_times_out() will instead call scsi_abort_command() which will queue
      delayed work, and the worker function scmd_eh_abort_handler() will call
      scsi_eh_scmd_add(), which calls scsi_host_set_state(shost, SHOST_RECOVERY).
      
      So now, after the TFES error IRQ has been serviced, we need to wait for
      the SCSI workqueue to run its work before SHOST_RECOVERY gets set.
      
      It is worth noting that, even before commit e494f6a7 ("[SCSI] improved
      eh timeout handler"), we could receive an error IRQ from the time when
      scsi_queue_rq() checks scsi_host_in_recovery(), to the time when
      ata_scsi_queuecmd() is actually called.
      
      In order to handle both the delayed setting of SHOST_RECOVERY and the
      window where we can receive an error IRQ, add a check against
      ATA_PFLAG_EH_PENDING (which gets set when servicing the error IRQ),
      inside ata_scsi_queuecmd() itself, while holding the ap->lock.
      (Since the ap->lock is held while servicing IRQs.)
      
      Fixes: e494f6a7 ("[SCSI] improved eh timeout handler")
      Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
      Tested-by: John Garry <john.g.garry@oracle.com>
      Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    • Merge tag 'block-6.1-2022-11-11' of git://git.kernel.dk/linux · b0b6e2c9
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Christoph:
              - Quiet user passthrough command errors (Keith Busch)
              - Fix memory leak in nvmet_subsys_attr_model_store_locked
              - Fix a memory leak in nvmet-auth (Sagi Grimberg)
      
       - Fix a potential NULL point deref in bfq (Yu)
      
       - Allocate command/response buffers separately for DMA for sed-opal,
         rather than rely on embedded alignment (Serge)
      
      * tag 'block-6.1-2022-11-11' of git://git.kernel.dk/linux:
        nvmet: fix a memory leak
        nvmet: fix memory leak in nvmet_subsys_attr_model_store_locked
        nvme: quiet user passthrough command errors
        block: sed-opal: kmalloc the cmd/resp buffers
        block, bfq: fix null pointer dereference in bfq_bio_bfqg()
    • Merge tag 'io_uring-6.1-2022-11-11' of git://git.kernel.dk/linux · 4e6b2b2e
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Nothing major, just a few minor tweaks:
      
         - Tweak for the TCP zero-copy io_uring self test (Pavel)
      
         - Rather than use our internal cached value of number of CQ events
           available, use what the user can see (Dylan)
      
         - Fix a typo in a comment, added in this release (me)
      
         - Don't allow wrapping while adding provided buffers (me)
      
         - Fix a double poll race, and add a lockdep assertion for it too
           (Pavel)"
      
      * tag 'io_uring-6.1-2022-11-11' of git://git.kernel.dk/linux:
        io_uring/poll: lockdep annote io_poll_req_insert_locked
        io_uring/poll: fix double poll req->flags races
        io_uring: check for rollover of buffer ID when providing buffers
        io_uring: calculate CQEs from the user visible value
        io_uring: fix typo in io_uring.h comment
        selftests/net: don't tests batched TCP io_uring zc
    • Merge tag 's390-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · f5020a08
      Linus Torvalds authored
      Pull s390 fixes from Alexander Gordeev:
      
       - fix memcpy warning about field-spanning write in zcrypt driver
      
       - minor updates to defconfigs
      
       - remove CONFIG_DEBUG_INFO_BTF from all defconfigs and add btf.config
         addon config file. It significantly decreases compile time and allows
         quickly enabling that option into the current kernel config
      
       - add kasan.config addon config file which allows to easily enable
         KASAN into the current kernel config
      
       - binutils commit 906f69cf65da ("IBM zSystems: Issue error for *DBL
         relocs on misaligned symbols") caused several link errors. Always
         build relocatable kernel to avoid this problem
      
       - raise the minimum clang version to 15.0.0 to avoid silent generation
         of a corrupted code
      
      * tag 's390-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        scripts/min-tool-version.sh: raise minimum clang version to 15.0.0 for s390
        s390: always build relocatable kernel
        s390/configs: add kasan.config addon config file
        s390/configs: move CONFIG_DEBUG_INFO_BTF into btf.config addon config
        s390: update defconfigs
        s390/zcrypt: fix warning about field-spanning write
    • Merge tag 'hardening-v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · df65494f
      Linus Torvalds authored
      Pull kernel hardening fix from Kees Cook:
      
       - Fix !SMP placement of '.data..decrypted' section (Nathan Chancellor)
      
      * tag 'hardening-v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        vmlinux.lds.h: Fix placement of '.data..decrypted' section
    • Merge tag 'nfsd-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · f9bbe0c9
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
      
       - Fix an export leak
      
       - Fix a potential tracepoint crash
      
      * tag 'nfsd-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        nfsd: put the export reference in nfsd4_verify_deleg_dentry
        nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
    • Merge tag 'fixes_for_v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · e2559b79
      Linus Torvalds authored
      Pull UDF fix from Jan Kara:
       "Fix a possible memory corruption with UDF"
      
      * tag 'fixes_for_v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
    • Merge tag 'perf-tools-fixes-for-v6.1-2-2022-11-10' of... · eb037f16
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v6.1-2-2022-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Fix 'perf stat' crash with --per-node --metric-only in CSV mode, due
         to the AGGR_NODE slot in the 'aggr_header_csv' array not being set.
      
       - Fix printing prefix in CSV output of 'perf stat' metrics in interval
         mode (-I), where an extra separator was being added to the start of
         some lines.
      
       - Fix skipping branch stack sampling 'perf test' entry, that was using
         both --branch-any and --branch-filter, which can't be used together.
      
      * tag 'perf-tools-fixes-for-v6.1-2-2022-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf tools: Add the include/perf/ directory to .gitignore
        perf test: Fix skipping branch stack sampling test
        perf stat: Fix printing os->prefix in CSV metrics output
        perf stat: Fix crash with --per-node --metric-only in CSV mode
    • Merge tag 'riscv-for-linus-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 991f173c
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix to add the missing PWM LEDs into the SiFive HiFive Unleashed
         device tree.
      
       - A fix to fully clear a task's registers on creation, as they end up
         in userspace and thus leak kernel memory.
      
       - A pair of VDSO-related build fixes that manifest on recent LLVM-based
         toolchains.
      
       - A fix to our early init to ensure the DT is adequately processed
         before reserved memory nodes are processed.
      
      * tag 'riscv-for-linus-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: vdso: Do not add missing symbols to version section in linker script
        riscv: fix reserved memory setup
        riscv: vdso: fix build with llvm
        riscv: process: fix kernel info leakage
        riscv: dts: sifive unleashed: Add PWM controlled LEDs
      991f173c
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 74bd160f
      Linus Torvalds authored
      Pull kvm
       "This is a pretty large diffstat for this time of the release. The main
        culprit is a reorganization of the AMD assembly trampoline, allowing
        percpu variables to be accessed early.
      
        This is needed for the return stack depth tracking retbleed mitigation
        that will be in 6.2, but it also makes it possible to tighten the IBRS
        restore on vmexit. The latter change is a long tail of the
        spectrev2/retbleed patches (the corresponding Intel change was simpler
        and went in already last June), which is why I am including it right
        now instead of sharing a topic branch with tip.
      
        Being assembly and being rich in comments makes the line count balloon
        a bit, but I am pretty confident in the change (famous last words)
        because the reorganization actually makes everything simpler and more
        understandable than before. It has also had external review and has
        been tested on the aforementioned 6.2 changes, which explode quite
        brutally without the fix.
      
        Apart from this, things are pretty normal.
      
        s390:
      
         - PCI fix
      
         - PV clock fix
      
        x86:
      
         - Fix clash between PMU MSRs and other MSRs
      
         - Prepare SVM assembly trampoline for 6.2 retbleed mitigation and
           for...
      
         - ... tightening IBRS restore on vmexit, moving it before the first
           RET or indirect branch
      
         - Fix log level for VMSA dump
      
         - Block all page faults during kvm_zap_gfn_range()
      
        Tools:
      
         - kvm_stat: fix incorrect detection of debugfs
      
         - kvm_stat: update vmexit definitions"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86/mmu: Block all page faults during kvm_zap_gfn_range()
        KVM: x86/pmu: Limit the maximum number of supported AMD GP counters
        KVM: x86/pmu: Limit the maximum number of supported Intel GP counters
        KVM: x86/pmu: Do not speculatively query Intel GP PMCs that don't exist yet
        KVM: SVM: Only dump VMSA to klog at KERN_DEBUG level
        tools/kvm_stat: update exit reasons for vmx/svm/aarch64/userspace
        tools/kvm_stat: fix incorrect detection of debugfs
        x86, KVM: remove unnecessary argument to x86_virt_spec_ctrl and callers
        KVM: SVM: move MSR_IA32_SPEC_CTRL save/restore to assembly
        KVM: SVM: restore host save area from assembly
        KVM: SVM: move guest vmsave/vmload back to assembly
        KVM: SVM: do not allocate struct svm_cpu_data dynamically
        KVM: SVM: remove dead field from struct svm_cpu_data
        KVM: SVM: remove unused field from struct vcpu_svm
        KVM: SVM: retrieve VMCB from assembly
        KVM: SVM: adjust register allocation for __svm_vcpu_run()
        KVM: SVM: replace regs argument of __svm_vcpu_run() with vcpu_svm
        KVM: x86: use a separate asm-offsets.c file
        KVM: s390: pci: Fix allocation size of aift kzdev elements
        KVM: s390: pv: don't allow userspace to set the clock under PV
      74bd160f
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20221110' of... · 5be07b3f
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20221110' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyperv fixes from Wei Liu:
      
       - Fix TSC MSR write for root partition (Anirudh Rayabharam)
      
       - Fix definition of vector in pci-hyperv driver (Dexuan Cui)
      
       - A few other misc patches
      
      * tag 'hyperv-fixes-signed-20221110' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        PCI: hv: Fix the definition of vector in hv_compose_msi_msg()
        MAINTAINERS: remove sthemmin
        x86/hyperv: fix invalid writes to MSRs during root partition kexec
        clocksource/drivers/hyperv: add data structure for reference TSC MSR
        Drivers: hv: fix repeated words in comments
        x86/hyperv: Remove BUG_ON() for kmap_local_page()
      5be07b3f
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · 91c77a6e
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "Misc minor driver fixes and a big pile of at_hdmac driver fixes. More
        work on this driver is done and sitting in next:
      
         - Pile of at_hdmac driver rework which fixes many long standing
           issues for this driver.
      
         - couple of stm32 driver fixes for clearing structure and race fix
      
         - idxd fixes for RO device state and batch size
      
         - ti driver mem leak fix
      
         - apple fix for grabbing channels in xlate
      
         - resource leak fix in mv xor"
      
      * tag 'dmaengine-fix-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: (24 commits)
        dmaengine: at_hdmac: Check return code of dma_async_device_register
        dmaengine: at_hdmac: Fix impossible condition
        dmaengine: at_hdmac: Don't allow CPU to reorder channel enable
        dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors
        dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware
        dmaengine: at_hdmac: Fix concurrency over the active list
        dmaengine: at_hdmac: Free the memset buf without holding the chan lock
        dmaengine: at_hdmac: Fix concurrency over descriptor
        dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all()
        dmaengine: at_hdmac: Protect atchan->status with the channel lock
        dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all
        dmaengine: at_hdmac: Fix premature completion of desc in issue_pending
        dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending
        dmaengine: at_hdmac: Don't start transactions at tx_submit level
        dmaengine: at_hdmac: Fix at_lli struct definition
        dmaengine: stm32-dma: fix potential race between pause and resume
        dmaengine: ti: k3-udma-glue: fix memory leak when register device fail
        dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
        dmaengine: apple-admac: Fix grabbing of channels in of_xlate
        dmaengine: idxd: fix RO device state error after been disabled/reset
        ...
      91c77a6e
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · a83e18cc
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A relatively large batch of fixes here but all device specific, plus
        an update to MAINTAINERS.
      
        The summary print change to the STM32 driver is fixing an issue where
        the driver could easily end up spamming the logs with something that
        should be a debug message"
      
      * tag 'spi-fix-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: amd: Fix SPI_SPD7 value
        spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run
        spi: meson-spicc: fix do_div build error on non-arm64
        spi: intel: Use correct mask for flash and protected regions
        spi: mediatek: Fix package division error
        spi: tegra210-quad: Don't initialise DMA if not supported
        MAINTAINERS: Update HiSilicon SFC Driver maintainer
        spi: meson-spicc: move wait completion in driver to take bursts delay in account
        spi: stm32: Print summary 'callbacks suppressed' message
      a83e18cc
    • Linus Torvalds's avatar
      Merge tag 'mmc-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 7c42d6f5
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
      
       - Provide helper for resetting both SDHCI and CQHCI
      
       - Fix reset for CQHCI (am654, brcmstb, esdhc-imx, of-arasan, tegra)
      
       - Fixup support for MMC_CAP_8_BIT_DATA (esdhc-imx)
      
      * tag 'mmc-v6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-esdhc-imx: use the correct host caps for MMC_CAP_8_BIT_DATA
        mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI
        mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI
        mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI
        mmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCI
        mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI
        mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI
      7c42d6f5
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2022111101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 9c730fe1
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for memory leak (on error path) in Hyper-V driver (Yang
         Yingliang)
      
       - regression fix for handling 3rd barrel switch emulation in Wacom
         driver (Jason Gerecke)
      
      * tag 'for-linus-2022111101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: wacom: Fix logic used for 3rd barrel switch emulation
        HID: hyperv: fix possible memory leak in mousevsc_probe()
        HID: asus: Remove unused variable in asus_report_tool_width()
      9c730fe1
    • Pavel Begunkov's avatar
      io_uring/poll: fix double poll req->flags races · 30a33669
      Pavel Begunkov authored
      io_poll_double_prepare()            | io_poll_wake()
                                          | poll->head = NULL
      smp_load(&poll->head); /* NULL */   |
      flags = req->flags;                 |
                                          | req->flags &= ~SINGLE_POLL;
      req->flags = flags | DOUBLE_POLL    |
      
      The idea behind io_poll_double_prepare() is to serialise with the
      first poll entry by taking the wq lock. However, it's not safe to assume
      that io_poll_wake() is not running when we can't grab the lock and so we
      may race modifying req->flags.
      
      Skip double poll setup if that happens. It's ok because the first poll
      entry will only be removed when it's definitely completing, e.g.
      pollfree or oneshot with a valid mask.
      
      Fixes: 49f1c68e ("io_uring: optimise submission side poll_refs")
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/b7fab2d502f6121a7d7b199fe4d914a43ca9cdfd.1668184658.git.asml.silence@gmail.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      30a33669
    • Linus Torvalds's avatar
      Merge tag 'sound-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 64b4aef1
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Things look calming down, as this contains only a few small fixes:
      
         - Fix for a corner-case bug with SG-buffer page allocation helper
      
         - A regression fix for Roland USB-audio device probe
      
         - A potential memory leak fix at the error path
      
         - Handful quirks and device-specific fixes for HD- and USB-audio"
      
      * tag 'sound-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda: fix potential memleak in 'add_widget_node'
        ALSA: memalloc: Don't fall back for SG-buffer with IOMMU
        ALSA: usb-audio: add quirk to fix Hamedal C20 disconnect issue
        ALSA: hda/realtek: Add Positivo C6300 model quirk
        ALSA: usb-audio: Add DSD support for Accuphase DAC-60
        ALSA: usb-audio: Add quirk entry for M-Audio Micro
        ALSA: hda/hdmi - enable runtime pm for more AMD display audio
        ALSA: usb-audio: Remove redundant workaround for Roland quirk
        ALSA: usb-audio: Yet more regression for for the delayed card registration
        ALSA: hda/ca0132: add quirk for EVGA Z390 DARK
        ALSA: hda: clarify comments on SCF changes
        ALSA: arm: pxa: pxa2xx-ac97-lib: fix return value check of platform_get_irq()
        ALSA: hda/realtek: Add quirk for ASUS Zenbook using CS35L41
      64b4aef1