1. 27 Mar, 2023 19 commits
    • fs/ntfs3: Use bh_read to simplify code · c20bc9c6
      Konstantin Komarov authored
      The duplicated code is replaced by the generic function bh_read().
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() · ec275bf9
      Jia-Ju Bai authored
      In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode()
      could be NULL, and thus a NULL check is added for this variable.
      
      However, in the same call stack, ni->mi.mrec can be also dereferenced
      in ni_clear():
      
      ntfs_evict_inode(inode)
        ni_write_inode(inode, ...)
          ni = ntfs_i(inode);
          is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit
        ni_clear(ntfs_i(inode))
          is_rec_inuse(ni->mi.mrec) -> No check
      
      Thus, a possible null-pointer dereference may exist in ni_clear().
      To fix it, a NULL check is added in this function.
      Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
      Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Refactoring of various minor issues · 6827d50b
      Konstantin Komarov authored
      Removed unused macro.
      Changed null pointer checking.
      Fixed inconsistent indenting.
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Restore overflow checking for attr size in mi_enum_attr · 30200ef8
      Konstantin Komarov authored
      Fixed comment.
      Removed explicit initialization for INDEX_ROOT.
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Check for extremely large size of $AttrDef · 318d016e
      Konstantin Komarov authored
      Added additional checking for size of $AttrDef.
      Added comment.
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Improved checking of attribute's name length · 0addfb1c
      Konstantin Komarov authored
      Added comment, added null pointer checking.
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Add null pointer checks · fc499245
      Konstantin Komarov authored
      Added null pointer checks in function ntfs_security_init.
      Also added le32_to_cpu in functions ntfs_security_init and indx_read.
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: fix spelling mistake "attibute" -> "attribute" · e479f0a6
      Yu Zhe authored
      There is a spelling mistake in a comment. Fix it.
      Signed-off-by: Yu Zhe <yuzhe@nfschina.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Add length check in indx_get_root · 08e8cf5f
      Edward Lo authored
      This adds a length check to guarantee the retrieved index root is legit.
      
      [  162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320
      [  162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243
      [  162.460851]
      [  162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42
      [  162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      [  162.462609] Call Trace:
      [  162.462954]  <TASK>
      [  162.463276]  dump_stack_lvl+0x49/0x63
      [  162.463822]  print_report.cold+0xf5/0x689
      [  162.464608]  ? unwind_get_return_address+0x3a/0x60
      [  162.465766]  ? hdr_find_e.isra.0+0x10c/0x320
      [  162.466975]  kasan_report+0xa7/0x130
      [  162.467506]  ? _raw_spin_lock_irq+0xc0/0xf0
      [  162.467998]  ? hdr_find_e.isra.0+0x10c/0x320
      [  162.468536]  __asan_load2+0x68/0x90
      [  162.468923]  hdr_find_e.isra.0+0x10c/0x320
      [  162.469282]  ? cmp_uints+0xe0/0xe0
      [  162.469557]  ? cmp_sdh+0x90/0x90
      [  162.469864]  ? ni_find_attr+0x214/0x300
      [  162.470217]  ? ni_load_mi+0x80/0x80
      [  162.470479]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [  162.470931]  ? ntfs_bread_run+0x190/0x190
      [  162.471307]  ? indx_get_root+0xe4/0x190
      [  162.471556]  ? indx_get_root+0x140/0x190
      [  162.471833]  ? indx_init+0x1e0/0x1e0
      [  162.472069]  ? fnd_clear+0x115/0x140
      [  162.472363]  ? _raw_spin_lock_irqsave+0x100/0x100
      [  162.472731]  indx_find+0x184/0x470
      [  162.473461]  ? sysvec_apic_timer_interrupt+0x57/0xc0
      [  162.474429]  ? indx_find_buffer+0x2d0/0x2d0
      [  162.474704]  ? do_syscall_64+0x3b/0x90
      [  162.474962]  dir_search_u+0x196/0x2f0
      [  162.475381]  ? ntfs_nls_to_utf16+0x450/0x450
      [  162.475661]  ? ntfs_security_init+0x3d6/0x440
      [  162.475906]  ? is_sd_valid+0x180/0x180
      [  162.476191]  ntfs_extend_init+0x13f/0x2c0
      [  162.476496]  ? ntfs_fix_post_read+0x130/0x130
      [  162.476861]  ? iput.part.0+0x286/0x320
      [  162.477325]  ntfs_fill_super+0x11e0/0x1b50
      [  162.477709]  ? put_ntfs+0x1d0/0x1d0
      [  162.477970]  ? vsprintf+0x20/0x20
      [  162.478258]  ? set_blocksize+0x95/0x150
      [  162.478538]  get_tree_bdev+0x232/0x370
      [  162.478789]  ? put_ntfs+0x1d0/0x1d0
      [  162.479038]  ntfs_fs_get_tree+0x15/0x20
      [  162.479374]  vfs_get_tree+0x4c/0x130
      [  162.479729]  path_mount+0x654/0xfe0
      [  162.480124]  ? putname+0x80/0xa0
      [  162.480484]  ? finish_automount+0x2e0/0x2e0
      [  162.480894]  ? putname+0x80/0xa0
      [  162.481467]  ? kmem_cache_free+0x1c4/0x440
      [  162.482280]  ? putname+0x80/0xa0
      [  162.482714]  do_mount+0xd6/0xf0
      [  162.483264]  ? path_mount+0xfe0/0xfe0
      [  162.484782]  ? __kasan_check_write+0x14/0x20
      [  162.485593]  __x64_sys_mount+0xca/0x110
      [  162.486024]  do_syscall_64+0x3b/0x90
      [  162.486543]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [  162.487141] RIP: 0033:0x7f9d374e948a
      [  162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
      [  162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a
      [  162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0
      [  162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020
      [  162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0
      [  162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff
      [  162.493644]  </TASK>
      [  162.493908]
      [  162.494214] The buggy address belongs to the physical page:
      [  162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc
      [  162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
      [  162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000
      [  162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
      [  162.500542] page dumped because: kasan: bad access detected
      [  162.501057]
      [  162.501242] Memory state around the buggy address:
      [  162.502230]  ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  162.502977]  ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  162.503963]                             ^
      [  162.504370]  ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  162.504766]  ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de() · ab84eee4
      Zeng Heng authored
      Here is a BUG report from syzbot:
      
      BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
      Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631
      
      Call Trace:
       memmove+0x25/0x60 mm/kasan/shadow.c:54
       hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
       indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193
       ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910
       ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712
       ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276
      
      Before using the meta-data in struct INDEX_HDR, we need to
      check whether the index header is valid or not. Otherwise, a corrupted
      (or malicious) fs image can cause an out-of-bounds access which
      could make the kernel panic.
      
      Fixes: 82cae269 ("fs/ntfs3: Add initialization of super block")
      Reported-by: syzbot+9c2811fd56591639ff5f@syzkaller.appspotmail.com
      Signed-off-by: Zeng Heng <zengheng4@huawei.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Validate MFT flags before replaying logs · 98bea253
      Edward Lo authored
      Log load and replay is part of the metadata handle flow during mount
      operation. The $MFT record will be loaded and used while replaying logs.
      However, a malformed $MFT record, say one that has the RECORD_FLAG_DIR flag
      set and contains an ATTR_ROOT attribute, will misguide the kernel into
      treating it as a directory and trying to free the allocated resources when
      the corresponding inode is freed, which will cause an invalid kfree because
      the memory hasn't actually been allocated.
      
      [  101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40
      [  101.369457]
      [  101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5
      [  101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      [  101.371362] Call Trace:
      [  101.371795]  <TASK>
      [  101.372157]  dump_stack_lvl+0x49/0x63
      [  101.372658]  print_report.cold+0xf5/0x689
      [  101.373022]  ? ni_write_inode+0x754/0xd90
      [  101.373378]  ? kvfree+0x2c/0x40
      [  101.373698]  kasan_report_invalid_free+0x77/0xf0
      [  101.374058]  ? kvfree+0x2c/0x40
      [  101.374352]  ? kvfree+0x2c/0x40
      [  101.374668]  __kasan_slab_free+0x189/0x1b0
      [  101.374992]  ? kvfree+0x2c/0x40
      [  101.375271]  kfree+0x168/0x3b0
      [  101.375717]  kvfree+0x2c/0x40
      [  101.376002]  indx_clear+0x26/0x60
      [  101.376316]  ni_clear+0xc5/0x290
      [  101.376661]  ntfs_evict_inode+0x45/0x70
      [  101.377001]  evict+0x199/0x280
      [  101.377432]  iput.part.0+0x286/0x320
      [  101.377819]  iput+0x32/0x50
      [  101.378166]  ntfs_loadlog_and_replay+0x143/0x320
      [  101.378656]  ? ntfs_bio_fill_1+0x510/0x510
      [  101.378968]  ? iput.part.0+0x286/0x320
      [  101.379367]  ntfs_fill_super+0xecb/0x1ba0
      [  101.379729]  ? put_ntfs+0x1d0/0x1d0
      [  101.380046]  ? vsprintf+0x20/0x20
      [  101.380542]  ? mutex_unlock+0x81/0xd0
      [  101.380914]  ? set_blocksize+0x95/0x150
      [  101.381597]  get_tree_bdev+0x232/0x370
      [  101.382254]  ? put_ntfs+0x1d0/0x1d0
      [  101.382699]  ntfs_fs_get_tree+0x15/0x20
      [  101.383094]  vfs_get_tree+0x4c/0x130
      [  101.383675]  path_mount+0x654/0xfe0
      [  101.384203]  ? putname+0x80/0xa0
      [  101.384540]  ? finish_automount+0x2e0/0x2e0
      [  101.384943]  ? putname+0x80/0xa0
      [  101.385362]  ? kmem_cache_free+0x1c4/0x440
      [  101.385968]  ? putname+0x80/0xa0
      [  101.386666]  do_mount+0xd6/0xf0
      [  101.387228]  ? path_mount+0xfe0/0xfe0
      [  101.387585]  ? __kasan_check_write+0x14/0x20
      [  101.387979]  __x64_sys_mount+0xca/0x110
      [  101.388436]  do_syscall_64+0x3b/0x90
      [  101.388757]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [  101.389289] RIP: 0033:0x7fa0f70e948a
      [  101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
      [  101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a
      [  101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0
      [  101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020
      [  101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0
      [  101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff
      [  101.394747]  </TASK>
      [  101.395402]
      [  101.396047] Allocated by task 198:
      [  101.396724]  kasan_save_stack+0x26/0x50
      [  101.397400]  __kasan_slab_alloc+0x6d/0x90
      [  101.397974]  kmem_cache_alloc_lru+0x192/0x5a0
      [  101.398524]  ntfs_alloc_inode+0x23/0x70
      [  101.399137]  alloc_inode+0x3b/0xf0
      [  101.399534]  iget5_locked+0x54/0xa0
      [  101.400026]  ntfs_iget5+0xaf/0x1780
      [  101.400414]  ntfs_loadlog_and_replay+0xe5/0x320
      [  101.400883]  ntfs_fill_super+0xecb/0x1ba0
      [  101.401313]  get_tree_bdev+0x232/0x370
      [  101.401774]  ntfs_fs_get_tree+0x15/0x20
      [  101.402224]  vfs_get_tree+0x4c/0x130
      [  101.402673]  path_mount+0x654/0xfe0
      [  101.403160]  do_mount+0xd6/0xf0
      [  101.403537]  __x64_sys_mount+0xca/0x110
      [  101.404058]  do_syscall_64+0x3b/0x90
      [  101.404333]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [  101.404816]
      [  101.405067] The buggy address belongs to the object at ffff888008cc9ea0
      [  101.405067]  which belongs to the cache ntfs_inode_cache of size 992
      [  101.406171] The buggy address is located 232 bytes inside of
      [  101.406171]  992-byte region [ffff888008cc9ea0, ffff888008cca280)
      [  101.406995]
      [  101.408559] The buggy address belongs to the physical page:
      [  101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8
      [  101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0
      [  101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      [  101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140
      [  101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
      [  101.413799] page dumped because: kasan: bad access detected
      [  101.414213]
      [  101.414427] Memory state around the buggy address:
      [  101.414991]  ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
      [  101.415785]  ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  101.417857]                       ^
      [  101.418566]  ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  101.419704]  ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix NULL dereference in ni_write_inode · 8dae4f63
      Abdun Nihaal authored
      Syzbot reports a NULL dereference in ni_write_inode.
      When creating a new inode, if allocation fails in mi_init function
      (called in mi_format_new function), mi->mrec is set to NULL.
      In the error path of this inode creation, mi->mrec is later
      dereferenced in ni_write_inode.
      
      Add a NULL check to prevent NULL dereference.
      
      Link: https://syzkaller.appspot.com/bug?extid=f45957555ed4a808cc7a
      Reported-and-tested-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com
      Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Enhance the attribute size check · 4f082a75
      Edward Lo authored
      This combines the overflow and boundary checks so that all attribute sizes
      will be properly examined while enumerating them.
      
      [  169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570
      [  169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247
      [  169.184046]
      [  169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3
      [  169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      [  169.187066] Call Trace:
      [  169.187492]  <TASK>
      [  169.188049]  dump_stack_lvl+0x49/0x63
      [  169.188495]  print_report.cold+0xf5/0x689
      [  169.188964]  ? run_unpack+0x2e3/0x570
      [  169.189331]  kasan_report+0xa7/0x130
      [  169.189714]  ? run_unpack+0x2e3/0x570
      [  169.190079]  __asan_load1+0x51/0x60
      [  169.190634]  run_unpack+0x2e3/0x570
      [  169.191290]  ? run_pack+0x840/0x840
      [  169.191569]  ? run_lookup_entry+0xb3/0x1f0
      [  169.192443]  ? mi_enum_attr+0x20a/0x230
      [  169.192886]  run_unpack_ex+0xad/0x3e0
      [  169.193276]  ? run_unpack+0x570/0x570
      [  169.193557]  ? ni_load_mi+0x80/0x80
      [  169.193889]  ? debug_smp_processor_id+0x17/0x20
      [  169.194236]  ? mi_init+0x4a/0x70
      [  169.194496]  attr_load_runs_vcn+0x166/0x1c0
      [  169.194851]  ? attr_data_write_resident+0x250/0x250
      [  169.195188]  mi_read+0x133/0x2c0
      [  169.195481]  ntfs_iget5+0x277/0x1780
      [  169.196017]  ? call_rcu+0x1c7/0x330
      [  169.196392]  ? ntfs_get_block_bmap+0x70/0x70
      [  169.196708]  ? evict+0x223/0x280
      [  169.197014]  ? __kmalloc+0x33/0x540
      [  169.197305]  ? wnd_init+0x15b/0x1b0
      [  169.197599]  ntfs_fill_super+0x1026/0x1ba0
      [  169.197994]  ? put_ntfs+0x1d0/0x1d0
      [  169.198299]  ? vsprintf+0x20/0x20
      [  169.198583]  ? mutex_unlock+0x81/0xd0
      [  169.198930]  ? set_blocksize+0x95/0x150
      [  169.199269]  get_tree_bdev+0x232/0x370
      [  169.199750]  ? put_ntfs+0x1d0/0x1d0
      [  169.200094]  ntfs_fs_get_tree+0x15/0x20
      [  169.200431]  vfs_get_tree+0x4c/0x130
      [  169.200714]  path_mount+0x654/0xfe0
      [  169.201067]  ? putname+0x80/0xa0
      [  169.201358]  ? finish_automount+0x2e0/0x2e0
      [  169.201965]  ? putname+0x80/0xa0
      [  169.202445]  ? kmem_cache_free+0x1c4/0x440
      [  169.203075]  ? putname+0x80/0xa0
      [  169.203414]  do_mount+0xd6/0xf0
      [  169.203719]  ? path_mount+0xfe0/0xfe0
      [  169.203977]  ? __kasan_check_write+0x14/0x20
      [  169.204382]  __x64_sys_mount+0xca/0x110
      [  169.204711]  do_syscall_64+0x3b/0x90
      [  169.205059]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [  169.205571] RIP: 0033:0x7f67a80e948a
      [  169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
      [  169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a
      [  169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0
      [  169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020
      [  169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0
      [  169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff
      [  169.211913]  </TASK>
      [  169.212304]
      [  169.212680] Allocated by task 0:
      [  169.212963] (stack is not available)
      [  169.213200]
      [  169.213472] The buggy address belongs to the object at ffff8880094b5e00
      [  169.213472]  which belongs to the cache UDP of size 1152
      [  169.214095] The buggy address is located 1088 bytes inside of
      [  169.214095]  1152-byte region [ffff8880094b5e00, ffff8880094b6280)
      [  169.214639]
      [  169.215004] The buggy address belongs to the physical page:
      [  169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4
      [  169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0
      [  169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      [  169.220272] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888002409b40
      [  169.221006] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
      [  169.222320] page dumped because: kasan: bad access detected
      [  169.222922]
      [  169.223119] Memory state around the buggy address:
      [  169.224056]  ffff8880094b6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  169.224908]  ffff8880094b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  169.225677] >ffff8880094b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  169.226445]                                            ^
      [  169.227055]  ffff8880094b6280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  169.227638]  ffff8880094b6300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix OOB read in indx_insert_into_buffer · b8c44949
      ZhangPeng authored
      Syzbot reported an OOB read bug:
      
      BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0
      fs/ntfs3/index.c:1755
      Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630
      
      Call Trace:
       <TASK>
       memmove+0x25/0x60 mm/kasan/shadow.c:54
       indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
       indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863
       ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548
       ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100
       lookup_open fs/namei.c:3413 [inline]
      
      If the member struct INDEX_BUFFER *index of struct indx_node is
      incorrect, that is, the value of __le32 used is greater than the value
      of __le32 total in struct INDEX_HDR, an OOB read occurs when
      memmove is called in indx_insert_into_buffer().
      Fix this by adding a check in hdr_find_e().
      
      Fixes: 82cae269 ("fs/ntfs3: Add initialization of super block")
      Reported-by: syzbot+d882d57193079e379309@syzkaller.appspotmail.com
      Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
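The two syzbot reports above (ab84eee4 for hdr_delete_de() and b8c44949 for indx_insert_into_buffer()) share one root cause: a memmove length was derived from an INDEX_HDR whose `used` field exceeded its `total` field, so a crafted image controlled how far past the buffer the copy ran. The following user-space C model is added here as an illustration and is not code from fs/ntfs3: it shows the header validation that must run before any offset taken from the header is trusted, and an entry removal whose length arithmetic cannot wrap. The `used` and `total` field names come from the commit messages; `de_off`, the 16-byte header size, `HDR_SIZE`, `index_hdr_valid`, `hdr_delete_entry` and the constructed 64-byte sample block are assumptions made for this example.

```c
/* Added example (not the kernel's code): validating an NTFS-style index
 * header before using it, modelled on the used > total bugs fixed in
 * ab84eee4 and b8c44949. Field layout is an assumption for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 16u  /* assumed: de_off, used, total (3 x u32) + 4 bytes flags/reserved */

struct index_hdr {
    uint32_t de_off; /* offset of the first entry, relative to the header */
    uint32_t used;   /* bytes in use, header included */
    uint32_t total;  /* bytes allocated for header + entries */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse the header at the start of buf and check every field against the
 * memory actually backing it. A corrupted "used" larger than "total" (the
 * syzbot case) is rejected here, before any memmove length is derived. */
bool index_hdr_valid(const uint8_t *buf, size_t buf_len, struct index_hdr *out)
{
    if (buf_len < HDR_SIZE)
        return false;
    out->de_off = get_le32(buf);
    out->used = get_le32(buf + 4);
    out->total = get_le32(buf + 8);
    if (out->total > buf_len)           /* header claims more than we hold */
        return false;
    if (out->used > out->total)         /* in-use region exceeds allocation */
        return false;
    if (out->de_off < HDR_SIZE || out->de_off > out->used)
        return false;                   /* entries must sit inside the used region */
    return true;
}

/* Remove the e_size-byte entry at e_off by shifting the tail down. The size
 * check compares e_size against the bytes remaining after e_off instead of
 * computing e_off + e_size, so it cannot wrap on hostile input. */
bool hdr_delete_entry(uint8_t *buf, size_t buf_len, uint32_t e_off, uint32_t e_size)
{
    struct index_hdr h;
    if (!index_hdr_valid(buf, buf_len, &h))
        return false;
    if (e_off < h.de_off || e_off > h.used)
        return false;
    if (e_size == 0 || e_size > h.used - e_off)
        return false;
    memmove(buf + e_off, buf + e_off + e_size, h.used - e_off - e_size);
    put_le32(buf + 4, h.used - e_size);
    return true;
}

/* Constructed sample: a 64-byte index block holding two 16-byte entries,
 * the first filled with 0xAA and the second with 0xBB. */
static void build_sample(uint8_t *buf, uint32_t used, uint32_t total)
{
    memset(buf, 0, 64);
    put_le32(buf, HDR_SIZE);
    put_le32(buf + 4, used);
    put_le32(buf + 8, total);
    for (int i = 0; i < 32; i++)
        buf[HDR_SIZE + i] = (uint8_t)(i < 16 ? 0xAA : 0xBB);
}

/* Well-formed header: returns the new "used" after deleting the first entry
 * (0 if the delete was rejected or the second entry did not move down). */
uint32_t demo_delete_first_entry(void)
{
    uint8_t buf[64];
    build_sample(buf, 48, 64);
    if (!hdr_delete_entry(buf, sizeof buf, HDR_SIZE, 16))
        return 0;
    if (buf[HDR_SIZE] != 0xBB)
        return 0;
    return get_le32(buf + 4);
}

/* Corrupted header with used far larger than total: returns true if rejected. */
bool demo_rejects_corrupt_used(void)
{
    uint8_t buf[64];
    build_sample(buf, 0x10100D0u, 64);
    return !hdr_delete_entry(buf, sizeof buf, HDR_SIZE, 16);
}

int main(void)
{
    printf("used after delete: %u\n", demo_delete_first_entry());
    printf("corrupt header rejected: %s\n", demo_rejects_corrupt_used() ? "yes" : "no");
    return 0;
}
```

The same pattern (validate a length field against the region that really backs it, then bound every derived offset without computing `offset + size`) is what the attribute-size check in 4f082a75 applies while enumerating MFT attributes.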
    • fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' · db2a3cc6
      Ye Bin authored
      Syzbot found the following issue:
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016
      Mem abort info:
        ESR = 0x0000000096000006
        EC = 0x25: DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
        FSC = 0x06: level 2 translation fault
      Data abort info:
        ISV = 0, ISS = 0x00000006
        CM = 0, WnR = 0
      user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000
      [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000
      Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
      pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
      pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
      lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226
      sp : ffff8000126c3800
      x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000
      x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000
      x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000
      x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0
      x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500
      x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500
      x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500
      x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000
      x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
      x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
      Call trace:
       is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
       ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
       ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744
       evict+0xec/0x334 fs/inode.c:665
       iput_final fs/inode.c:1748 [inline]
       iput+0x2c4/0x324 fs/inode.c:1774
       ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660
       ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278
       ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100
       lookup_open fs/namei.c:3413 [inline]
       open_last_lookups fs/namei.c:3481 [inline]
       path_openat+0x804/0x11c4 fs/namei.c:3688
       do_filp_open+0xdc/0x1b8 fs/namei.c:3718
       do_sys_openat2+0xb8/0x22c fs/open.c:1311
       do_sys_open fs/open.c:1327 [inline]
       __do_sys_openat fs/open.c:1343 [inline]
       __se_sys_openat fs/open.c:1338 [inline]
       __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
       do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
       el0t_64_sync+0x18c/0x190
      Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)
      ---[ end trace 0000000000000000 ]---
      
      The above issue may happen as follows:
      ntfs_new_inode
        mi_init
          mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory
            if (!mi->mrec)
              return -ENOMEM;
      iput
        iput_final
          evict
            ntfs_evict_inode
              ni_write_inode
                is_rec_inuse(ni->mi.mrec) -> As 'ni->mi.mrec' is NULL, trigger NULL-ptr-deref
      
      To solve the above issue, if creating a new inode fails, make the inode bad
      before calling 'iput()' in 'ntfs_new_inode()'.
      
      Reported-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com
      Signed-off-by: Ye Bin <yebin10@huawei.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup() · 254e69f2
      ZhangPeng authored
      Syzbot reported a null-ptr-deref bug:
      
      ntfs3: loop0: Different NTFS' sector size (1024) and media sector size
      (512)
      ntfs3: loop0: Mark volume as dirty due to NTFS errors
      general protection fault, probably for non-canonical address
      0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]
      RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796
      Call Trace:
       <TASK>
       d_splice_alias+0x122/0x3b0 fs/dcache.c:3191
       lookup_open fs/namei.c:3391 [inline]
       open_last_lookups fs/namei.c:3481 [inline]
       path_openat+0x10e6/0x2df0 fs/namei.c:3688
       do_filp_open+0x264/0x4f0 fs/namei.c:3718
       do_sys_openat2+0x124/0x4e0 fs/open.c:1310
       do_sys_open fs/open.c:1326 [inline]
       __do_sys_open fs/open.c:1334 [inline]
       __se_sys_open fs/open.c:1330 [inline]
       __x64_sys_open+0x221/0x270 fs/open.c:1330
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      If the MFT record of ntfs inode is not a base record, inode->i_op can be
      NULL. And a null-ptr-deref may happen:
      
      ntfs_lookup()
          dir_search_u() # inode->i_op is set to NULL
          d_splice_alias()
              __d_add()
                  d_flags_for_inode() # inode->i_op->get_link null-ptr-deref
      
      Fix this by adding a check on inode->i_op before calling the
      d_splice_alias() function.
      
      Fixes: 4342306f ("fs/ntfs3: Add file operations and implementation")
      Reported-by: syzbot+a8f26a403c169b7593fe@syzkaller.appspotmail.com
      Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Add check for kmemdup · e6c3cef2
      Jiasheng Jiang authored
      Since kmemdup may return a NULL pointer,
      it is better to add a check for the return value
      in order to avoid a NULL pointer dereference.
      
      Fixes: b46acd6a ("fs/ntfs3: Add NTFS journal")
      Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix memory leak if ntfs_read_mft failed · bfa434c6
      Chen Zhongjin authored
      Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and
      ni->ni_flags |= NI_FLAG_DIR, then the next attr will go to label ATTR_ALLOC
      and alloc ni->dir.alloc_run. However, the two states are not always
      consistent and can cause a memory leak.
      
       1) attr_name in ATTR_ROOT does not fit the condition; it will set
       is_root = true but NI_FLAG_DIR is not set.
       2) The next attr_name in ATTR_ALLOC fits the condition and allocs
       ni->dir.alloc_run.
       3) In the cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees
       ni->dir.alloc_run; otherwise it frees ni->file.run.
       4) Because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is
       leaked, as kmemleak reported:
      
      unreferenced object 0xffff888003bc5480 (size 64):
        backtrace:
          [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0
          [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0
          [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3]
          [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3]
          [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3]
          [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3]
          [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3]
          [<00000000b9170608>] get_tree_bdev+0x3fb/0x710
          [<000000004833798a>] vfs_get_tree+0x8e/0x280
          [<000000006e20b8e6>] path_mount+0xf3c/0x1930
          [<000000007bf15a5f>] do_mount+0xf3/0x110
          ...
      
      Fix this by always setting is_root and NI_FLAG_DIR together.
      
      Fixes: 82cae269 ("fs/ntfs3: Add initialization of super block")
      Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    • fs/ntfs3: Fix wrong cast in xattr.c · 0203471d
      Daniel Pinto authored
      cpu_to_be32 and be32_to_cpu respectively return and receive
      __be32; change the casts to the correct types.
      
      Fixes the following sparse warnings:
      fs/ntfs3/xattr.c:811:48: sparse: sparse: incorrect type in
                               assignment (different base types)
      fs/ntfs3/xattr.c:901:34: sparse: sparse: cast to restricted __be32
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Daniel Pinto <danielpinto52@gmail.com>
      Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
  2. 26 Mar, 2023 7 commits
    • Linux 6.3-rc4 · 197b6b60
      Linus Torvalds authored
    • Merge tag 'usb-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 0ec57cfa
      Linus Torvalds authored
      Pull USB / Thunderbolt driver fixes from Greg KH:
       "Here is a small set of USB and Thunderbolt driver fixes for reported
        problems and a documentation update, for 6.3-rc4.
      
        Included in here are:
      
         - documentation update for uvc gadget driver
      
         - small thunderbolt driver fixes
      
         - cdns3 driver fixes
      
         - dwc3 driver fixes
      
         - dwc2 driver fixes
      
         - chipidea driver fixes
      
         - typec driver fixes
      
         - onboard_usb_hub device id updates
      
         - quirk updates
      
        All of these have been in linux-next with no reported problems"
      
      * tag 'usb-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (30 commits)
        usb: dwc2: fix a race, don't power off/on phy for dual-role mode
        usb: dwc2: fix a devres leak in hw_enable upon suspend resume
        usb: chipidea: core: fix possible concurrent when switch role
        usb: chipdea: core: fix return -EINVAL if request role is the same with current role
        thunderbolt: Rename shadowed variables bit to interrupt_bit and auto_clear_bit
        thunderbolt: Disable interrupt auto clear for rings
        thunderbolt: Use const qualifier for `ring_interrupt_index`
        usb: gadget: Use correct endianness of the wLength field for WebUSB
        uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
        usb: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver
        usb: cdns3: Fix issue with using incorrect PCI device function
        usb: cdnsp: Fixes issue with redundant Status Stage
        MAINTAINERS: make me a reviewer of USB/IP
        thunderbolt: Use scale field when allocating USB3 bandwidth
        thunderbolt: Limit USB3 bandwidth of certain Intel USB4 host routers
        thunderbolt: Call tb_check_quirks() after initializing adapters
        thunderbolt: Add missing UNSET_INBOUND_SBTX for retimer access
        thunderbolt: Fix memory leak in margining
        usb: dwc2: drd: fix inconsistent mode if role-switch-default-mode="host"
        docs: usb: Add documentation for the UVC Gadget
        ...
    • Merge tag 'sched_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 18940c88
      Linus Torvalds authored
      Pull scheduler fix from Borislav Petkov:
      
       - Fix a corner case where vruntime of a task is not being sanitized
      
      * tag 'sched_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/fair: Sanitize vruntime of entity being migrated
    • Merge tag 'perf_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 974fc943
      Linus Torvalds authored
      Pull perf fix from Borislav Petkov:
      
       - Properly clear perf event status tracking in the AMD perf event
         overflow handler
      
      * tag 'perf_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/amd/core: Always clear status for idx
    • Merge tag 'core_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f6cdaeb0
      Linus Torvalds authored
      Pull core fixes from Borislav Petkov:
      
       - Do the delayed RCU wakeup for kthreads in the proper order so that
         the former doesn't get ignored
      
       - A noinstr warning fix
      
      * tag 'core_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        entry/rcu: Check TIF_RESCHED _after_ delayed RCU wake-up
        entry: Fix noinstr warning in __enter_from_user_mode()
    • Merge tag 'x86_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 986c6374
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - Add an AMX ptrace self test
      
       - Prevent a false-positive warning when retrieving the (invalid)
         address of dynamic FPU features in their init state which are not
         saved in init_fpstate at all
      
       - Randomize per-CPU entry areas only when KASLR is enabled
      
      * tag 'x86_urgent_for_v6.3_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        selftests/x86/amx: Add a ptrace test
        x86/fpu/xstate: Prevent false-positive warning in __copy_xstate_uabi_buf()
        x86/mm: Do not shuffle CPU entry areas without KASLR
    • Merge tag 'smb3-client-fixes-6.3-rc3' of git://git.samba.org/sfrench/cifs-2.6 · 6485ac65
      Linus Torvalds authored
      Pull cifs client fixes from Steve French:
       "Twelve cifs/smb3 client fixes (most also for stable)
      
         - forced umount fix
      
         - fix for two perf regressions
      
         - reconnect fixes
      
         - small debugging improvements
      
         - multichannel fixes"
      
      * tag 'smb3-client-fixes-6.3-rc3' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: fix unusable share after force unmount failure
        cifs: fix dentry lookups in directory handle cache
        smb3: lower default deferred close timeout to address perf regression
        cifs: fix missing unload_nls() in smb2_reconnect()
        cifs: avoid race conditions with parallel reconnects
        cifs: append path to open_enter trace event
        cifs: print session id while listing open files
        cifs: dump pending mids for all channels in DebugData
        cifs: empty interface list when server doesn't support query interfaces
        cifs: do not poll server interfaces too regularly
        cifs: lock chan_lock outside match_session
        cifs: check only tcon status on tcon related functions
  3. 25 Mar, 2023 7 commits
    • Merge tag 'nfsd-6.3-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · da8e7da1
      Linus Torvalds authored
      Pull nfsd fix from Chuck Lever:
      
       - Fix a crash when using NFS with krb5p
      
      * tag 'nfsd-6.3-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        SUNRPC: Fix a crash in gss_krb5_checksum()
    • Merge tag 'xfs-6.3-fixes-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 5b9ff397
      Linus Torvalds authored
      Pull yet more xfs bug fixes from Darrick Wong:
       "The first bugfix addresses a longstanding problem where we use the
        wrong file mapping cursors when trying to compute the speculative
        preallocation quantity. This has been causing sporadic crashes when
        alwayscow mode is engaged.
      
        The other two fixes correct minor problems in more recent changes.
      
         - Fix the new allocator tracepoints because git am mismerged the
           changes such that the trace_XXX got rebased to be in function YYY
           instead of XXX
      
         - Ensure that the perag AGFL_RESET state is consistent with whatever
           we've just read off the disk
      
         - Fix a bug where we used the wrong iext cursor during a write begin"
      
      * tag 'xfs-6.3-fixes-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix mismerged tracepoints
        xfs: clear incore AGFL_RESET state if it's not needed
        xfs: pass the correct cursor to xfs_iomap_prealloc_size
    • Merge tag 'xfs-6.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · f768b35a
      Linus Torvalds authored
      Pull xfs percpu counter fixes from Darrick Wong:
       "We discovered a filesystem summary counter corruption problem that was
        traced to cpu hot-remove racing with the call to percpu_counter_sum
        that sets the free block count in the superblock when writing it to
        disk. The root cause is that percpu_counter_sum doesn't cull from
        dying cpus and hence misses those counter values if the cpu shutdown
        hooks have not yet run to merge the values.
      
        I'm hoping this is a fairly painless fix to the problem, since the
        dying cpu mask should generally be empty. It's been in for-next for a
        week without any complaints from the bots.
      
         - Fix a race in the percpu counters summation code where the
           summation failed to add in the values for any CPUs that were dying
           but not yet dead. This fixes some minor discrepancies and incorrect
           assertions when running generic/650"
      
      * tag 'xfs-6.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        pcpcntr: remove percpu_counter_sum_all()
        fork: remove use of percpu_counter_sum_all
        pcpcntrs: fix dying cpu summation race
        cpumask: introduce for_each_cpu_or
    • Merge tag 'xfs-6.3-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · d7044263
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "This batch started with some debugging enhancements to the new
        allocator refactoring that we put in 6.3-rc1 to assist developers in
        rebasing their dev branches.
      
        As for more serious code changes -- there's a bug fix to make the
        lockless allocator scan the whole filesystem before resorting to the
        locking allocator. We're also adding a selftest for the venerable
        directory/xattr hash function to make sure that it produces consistent
        results so that we can address any fallout as soon as possible.
      
         - Add a few debugging assertions so that people (me) trying to port
           code to the new allocator functions don't mess up the caller
           requirements
      
         - Relax some overly cautious lock ordering enforcement in the new
           allocator code, which means that file allocations will locklessly
           scan for the best space they can get before backing off to the
           traditional lock-and-really-get-it behavior
      
         - Add tracepoints to make it easier to trace the xfs allocator
           behavior
      
         - Actually test the dir/xattr hash algorithm to make sure it produces
           consistent results across all the platforms XFS supports"
      
      * tag 'xfs-6.3-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: test dir/attr hash when loading module
        xfs: add tracepoints for each of the externally visible allocators
        xfs: walk all AGs if TRYLOCK passed to xfs_alloc_vextent_iterate_ags
        xfs: try to idiot-proof the allocators
    • Merge tag 'hwmon-for-v6.3-rc4' of... · 4bdec23f
      Linus Torvalds authored
      Merge tag 'hwmon-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - it87: Fix voltage scaling for chips with 10.9mV ADCs
      
       - xgene: Fix ioremap and memremap leak
      
       - peci/cputemp: Fix miscalculated DTS temperature for SKX
      
       - hwmon core: fix potential sensor registration failure with thermal
         subsystem if of_node is missing
      
      * tag 'hwmon-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon (it87): Fix voltage scaling for chips with 10.9mV  ADCs
        hwmon: (xgene) Fix ioremap and memremap leak
        hwmon: fix potential sensor registration fail if of_node is missing
        hwmon: (peci/cputemp) Fix miscalculated DTS for SKX
    • Merge tag 'mm-hotfixes-stable-2023-03-24-17-09' of... · 65aca32e
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2023-03-24-17-09' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "21 hotfixes, 8 of which are cc:stable. 11 are for MM, the remainder
        are for other subsystems"
      
      * tag 'mm-hotfixes-stable-2023-03-24-17-09' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (21 commits)
        mm: mmap: remove newline at the end of the trace
        mailmap: add entries for Richard Leitner
        kcsan: avoid passing -g for test
        kfence: avoid passing -g for test
        mm: kfence: fix using kfence_metadata without initialization in show_object()
        lib: dhry: fix unstable smp_processor_id(_) usage
        mailmap: add entry for Enric Balletbo i Serra
        mailmap: map Sai Prakash Ranjan's old address to his current one
        mailmap: map Rajendra Nayak's old address to his current one
        Revert "kasan: drop skip_kasan_poison variable in free_pages_prepare"
        mailmap: add entry for Tobias Klauser
        kasan, powerpc: don't rename memintrinsics if compiler adds prefixes
        mm/ksm: fix race with VMA iteration and mm_struct teardown
        kselftest: vm: fix unused variable warning
        mm: fix error handling for map_deny_write_exec
        mm: deduplicate error handling for map_deny_write_exec
        checksyscalls: ignore fstat to silence build warning on LoongArch
        nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
        test_maple_tree: add more testing for mas_empty_area()
        maple_tree: fix mas_skip_node() end slot detection
        ...
    • Merge tag '6.3-rc3-ksmbd-smb3-server-fixes' of git://git.samba.org/ksmbd · 90c8ce31
      Linus Torvalds authored
      Pull ksmbd server fixes from Steve French:
      
       - return less confusing messages on unsupported dialects
         (STATUS_NOT_SUPPORTED instead of I/O error)
      
       - fix for overly frequent inactive session termination
      
       - fix refcount leak
      
       - fix bounds check problems found by static checkers
      
       - fix to advertise named stream support correctly
      
       - Fix AES256 signing bug when connected to from MacOS
      
      * tag '6.3-rc3-ksmbd-smb3-server-fixes' of git://git.samba.org/ksmbd:
        ksmbd: return unsupported error on smb1 mount
        ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect
        ksmbd: don't terminate inactive sessions after a few seconds
        ksmbd: fix possible refcount leak in smb2_open()
        ksmbd: add low bound validation to FSCTL_QUERY_ALLOCATED_RANGES
        ksmbd: add low bound validation to FSCTL_SET_ZERO_DATA
        ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION
        ksmbd: fix wrong signingkey creation when encryption is AES256
  4. 24 Mar, 2023 7 commits
    • Merge tag 'arm-fixes-6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · e76db6e5
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "As usual, most of the bug fixes address issues in the devicetree
        files, and out of these, most are for the Qualcomm and NXP platforms,
        including:
      
         - A missing 'reserved-memory' property on LG G Watch R that is needed
           to prevent clashing with firmware
      
         - Annotations for cache coherency on multiple machines
      
         - Corrections for pinctrl, regulator, clock, iommu and power domain
           properties for i.MX and Qualcomm to correctly reflect the hardware
           settings
      
         - Firmware file names on multiple machines SA8540P Ride board
      
         - An incompatible change to the qcom vadc driver requires adding
           individual labels
      
         - Fix EQoS PHY reset GPIO by dropping the deprecated/wrong property
           and switch to the new bindings.
      
         - A fix for PCI bus address translation on Tegra194 and Tegra234.
      
        There are also a couple of device driver fixes, addressing:
      
         - A race condition in the amdtee driver
      
         - A performance regression in the Qualcomm 'llcc' driver
      
         - An uninitialized variable use in the NXP i.MX 'weim' driver
      
         - Error handling issues in Qualcomm 'rmtfs', and 'scm' drivers and
           the Arm scmi firmware driver"
      
      * tag 'arm-fixes-6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (48 commits)
        arm64: dts: qcom: sc8280xp-x13s: mark bob regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s12b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s10b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s11b regulator as always-on
        arm64: dts: imx93: add missing #address-cells and #size-cells to i2c nodes
        bus: imx-weim: fix branch condition evaluates to a garbage value
        arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes
        ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl
        ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl
        ARM: dts: imx6sll: e70k02: fix usbotg1 pinctrl
        arm64: dts: imx93: Fix eqos properties
        arm64: dts: imx8mp: Fix LCDIF2 node clock order
        arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name
        arm64: dts: imx8dxl-evk: Fix eqos phy reset gpio
        firmware: qcom: scm: fix bogus irq error at probe
        arm64: dts: qcom: sm8550: Mark UFS controller as cache coherent
        arm64: dts: qcom: sa8540p-ride: correct name of remoteproc_nsp0 firmware
        arm64: dts: qcom: sm8450: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8550: fix LPASS pinctrl slew base address
        ...
    • Merge tag 'for-v6.3-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply · d7b5c942
      Linus Torvalds authored
      Pull power supply fixes from Sebastian Reichel:
      
       - rk817: Fix compiler warning
      
       - cros_usbpd-charger: Fix excessive error printing
      
       - axp288_fuel_gauge: handle platform_get_irq error
      
       - bq24190 and da9150: Fix race condition in remove path
      
      * tag 'for-v6.3-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply:
        power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
        power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition
        power: supply: axp288_fuel_gauge: Added check for negative values
        power: supply: cros_usbpd: reclassify "default case!" as debug
        power: supply: rk817: Fix unsigned comparison with less than zero
    • Merge tag 'drm-fixes-2023-03-24' of git://anongit.freedesktop.org/drm/drm · 37154c19
      Linus Torvalds authored
      Pull drm fixes from Daniel Vetter:
      
       - usual pile of fixes for amdgpu & i915
      
       - probe error handling fixes for meson, lt8912b bridge
      
       - the host1x patch from Arnd
      
       - panel-orientation fix for Lenovo Book X90F
      
      * tag 'drm-fixes-2023-03-24' of git://anongit.freedesktop.org/drm/drm: (23 commits)
        gpu: host1x: fix uninitialized variable use
        drm/amd/display: Set dcn32 caps.seamless_odm
        drm/amd/display: fix wrong index used in dccg32_set_dpstreamclk
        drm/amdgpu/nv: Apply ASPM quirk on Intel ADL + AMD Navi
        drm/amd/display: remove outdated 8bpc comments
        drm/amdgpu/gfx: set cg flags to enter/exit safe mode
        drm/amdgpu: Force signal hw_fences that are embedded in non-sched jobs
        drm/amdgpu: add mes resume when do gfx post soft reset
        drm/amdgpu: skip ASIC reset for APUs when go to S4
        drm/amdgpu: reposition the gpu reset checking for reuse
        drm/bridge: lt8912b: return EPROBE_DEFER if bridge is not found
        drm/meson: fix missing component unbind on bind errors
        drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
        Revert "drm/i915/hwmon: Enable PL1 power limit"
        drm/i915: Update vblank timestamping stuff on seamless M/N change
        drm/i915: Fix format for perf_limit_reasons
        drm/i915/gt: perform uc late init after probe error injection
        drm/i915/active: Fix missing debug object activation
        drm/i915/guc: Fix missing ecodes
        drm/i915/mtl: Disable MC6 for MTL A step
        ...
    • Merge tag 'for-6.3/dm-fixes' of... · 5ad4fe96
      Linus Torvalds authored
      Merge tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix DM thin to work as a swap device by using 'limit_swap_bios' DM
         target flag (initially added to allow swap to dm-crypt) to throttle
         the amount of outstanding swap bios.
      
       - Fix DM crypt soft lockup warnings by calling cond_resched() from the
         cpu intensive loop in dmcrypt_write().
      
       - Fix DM crypt to not access an uninitialized tasklet. This fix allows
         for consistent handling of IO completion, by _not_ needlessly punting
         to a workqueue when tasklets are not needed.
      
       - Fix DM core's alloc_dev() initialization for DM stats to check for
         and propagate alloc_percpu() failure.
      
      * tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm stats: check for and propagate alloc_percpu failure
        dm crypt: avoid accessing uninitialized tasklet
        dm crypt: add cond_resched() to dmcrypt_write()
        dm thin: fix deadlock when swapping to thin device
    • Merge tag 'block-6.3-2023-03-24' of git://git.kernel.dk/linux · 83511470
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Christoph:
           - Send Identify with CNS 06h only to I/O controllers (Martin
             George)
           - Fix nvme_tcp_term_pdu to match spec (Caleb Sander)
      
       - Pass in issue_flags for uring_cmd, so the end_io handlers don't need
         to assume what the right context is (me)
      
       - Fix for ublk, marking it as LIVE before adding it to avoid races on
         the initial IO (Ming)
      
      * tag 'block-6.3-2023-03-24' of git://git.kernel.dk/linux:
        nvme-tcp: fix nvme_tcp_term_pdu to match spec
        nvme: send Identify with CNS 06h only to I/O controllers
        block/io_uring: pass in issue_flags for uring_cmd task_work handling
        block: ublk_drv: mark device as LIVE before adding disk
    • Merge tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux · e344eb7b
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix an issue with repeated -ECONNREFUSED on a socket (me)
      
       - Fix a NULL pointer dereference due to a stale lookup cache for
         allocating direct descriptors (Savino)
      
      * tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux:
        io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
        io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
    • Merge tag 'thermal-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · fd3d06ff
      Linus Torvalds authored
      Pull thermal control fixes from Rafael Wysocki:
       "These address two recent regressions related to thermal control.
      
        Specifics:
      
         - Restore the thermal core behavior regarding zero-temperature trip
           points to avoid a driver regression (Ido Schimmel)
      
         - Fix a recent regression in the ACPI processor driver preventing it
           from changing the number of CPU cooling device states exposed via
           sysfs after the given CPU cooling device has been registered
           (Rafael Wysocki)"
      
      * tag 'thermal-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thermal: core: Restore behavior regarding invalid trip points
        ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes
        thermal: core: Introduce thermal_cooling_device_update()
        thermal: core: Introduce thermal_cooling_device_present()
        ACPI: processor: Reorder acpi_processor_driver_init()