linux-stable.git/drivers/mtd, branch v6.7.2 Linux kernel stable tree mtd: Fix gluebi NULL pointer dereference caused by ftl notifier 2024-01-25T23:44:40+00:00 ZhaoLong Wang wangzhaolong1@huawei.com 2023-12-20T02:46:19+00:00 b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc [ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ] If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module") Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1] Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2] Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com> Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> Acked-by: Richard Weinberger <richard@nod.at> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ]

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify    nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add   not->add()
                    ftl_add_mtd         tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read   mtd->read()
                                gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.

Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response 2024-01-25T23:44:39+00:00 Ronald Monthero debug.penguin32@gmail.com 2023-11-18T08:31:51+00:00 dfdcc0502f371c53ce4ff04db88e3cd3ab33ff18 [ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ] Under heavy load it is likely that the controller is done with its own task but the thread unlocking the wait is not scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the controller to respond within allowable timeslice of 1 sec. fsl,ifc-nand 7e800000.nand: Controller is not responding [<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a) [<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c) [<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c) [<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0) Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller") Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ]

Under heavy load it is likely that the controller is done
with its own task but the thread unlocking the wait is not
scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the
controller to respond within allowable timeslice of 1 sec.

fsl,ifc-nand 7e800000.nand: Controller is not responding

[<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a)
[<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c)
[<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c)
[<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0)

Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller")
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Merge tag 'mips_6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux 2023-11-10T17:19:46+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-11-10T17:19:46+00:00 656d88c3b654c0ccc0ff63aa75101c6c9f0a5300 Pull MIPS updates from Thomas Bogendoerfer: - removed AR7 platform support - cleanups and fixes * tag 'mips_6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: AR7: remove platform watchdog: ar7_wdt: remove driver to prepare for platform removal vlynq: remove bus driver mtd: parsers: ar7: remove support serial: 8250: remove AR7 support arch: mips: remove ReiserFS from defconfig MIPS: lantiq: Remove unnecessary include of <linux/of_irq.h> MIPS: lantiq: Fix pcibios_plat_dev_init() "no previous prototype" warning MIPS: KVM: Fix a build warning about variable set but not used MIPS: Remove dead code in relocate_new_kernel mips: dts: ralink: mt7621: rename to GnuBee GB-PC1 and GnuBee GB-PC2 mips: dts: ralink: mt7621: define each reset as an item mips: dts: ingenic: Remove unneeded probe-type properties MIPS: loongson32: Remove dma.h and nand.h 
Pull MIPS updates from Thomas Bogendoerfer:

 - removed AR7 platform support

 - cleanups and fixes

* tag 'mips_6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
  MIPS: AR7: remove platform
  watchdog: ar7_wdt: remove driver to prepare for platform removal
  vlynq: remove bus driver
  mtd: parsers: ar7: remove support
  serial: 8250: remove AR7 support
  arch: mips: remove ReiserFS from defconfig
  MIPS: lantiq: Remove unnecessary include of <linux/of_irq.h>
  MIPS: lantiq: Fix pcibios_plat_dev_init() "no previous prototype" warning
  MIPS: KVM: Fix a build warning about variable set but not used
  MIPS: Remove dead code in relocate_new_kernel
  mips: dts: ralink: mt7621: rename to GnuBee GB-PC1 and GnuBee GB-PC2
  mips: dts: ralink: mt7621: define each reset as an item
  mips: dts: ingenic: Remove unneeded probe-type properties
  MIPS: loongson32: Remove dma.h and nand.h
Merge tag 'ubifs-for-linus-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs 2023-11-05T18:28:32+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-11-05T18:28:32+00:00 2153fc3d68170bb67be8e389c2f6e0f4a9eb7cd3 Pull UBI and UBIFS updates from Richard Weinberger: - UBI Fastmap improvements - Minor issues found by static analysis bots in both UBI and UBIFS - Fix for wrong dentry length UBIFS in fscrypt mode * tag 'ubifs-for-linus-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted ubi: block: Fix use-after-free in ubiblock_cleanup ubifs: fix possible dereference after free ubi: fastmap: Add control in 'UBI_IOCATT' ioctl to reserve PEBs for filling pools ubi: fastmap: Add module parameter to control reserving filling pool PEBs ubi: fastmap: Fix lapsed wear leveling for first 64 PEBs ubi: fastmap: Get wl PEB even ec beyonds the 'max' if free PEBs are run out ubi: fastmap: may_reserve_for_fm: Don't reserve PEB if fm_anchor exists ubi: fastmap: Remove unneeded break condition while filling pools ubi: fastmap: Wait until there are enough free PEBs before filling pools ubi: fastmap: Use free pebs reserved for bad block handling ubi: Replace erase_block() with sync_erase() ubi: fastmap: Allocate memory with GFP_NOFS in ubi_update_fastmap ubi: fastmap: erase_block: Get erase counter from wl_entry rather than flash ubi: fastmap: Fix missed ec updating after erasing old fastmap data block ubifs: Fix missing error code err ubifs: Fix memory leak of bud->log_hash ubifs: Fix some kernel-doc comments 
Pull UBI and UBIFS updates from Richard Weinberger:

 - UBI Fastmap improvements

 - Minor issues found by static analysis bots in both UBI and UBIFS

 - Fix for wrong dentry length UBIFS in fscrypt mode

* tag 'ubifs-for-linus-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted
  ubi: block: Fix use-after-free in ubiblock_cleanup
  ubifs: fix possible dereference after free
  ubi: fastmap: Add control in 'UBI_IOCATT' ioctl to reserve PEBs for filling pools
  ubi: fastmap: Add module parameter to control reserving filling pool PEBs
  ubi: fastmap: Fix lapsed wear leveling for first 64 PEBs
  ubi: fastmap: Get wl PEB even ec beyonds the 'max' if free PEBs are run out
  ubi: fastmap: may_reserve_for_fm: Don't reserve PEB if fm_anchor exists
  ubi: fastmap: Remove unneeded break condition while filling pools
  ubi: fastmap: Wait until there are enough free PEBs before filling pools
  ubi: fastmap: Use free pebs reserved for bad block handling
  ubi: Replace erase_block() with sync_erase()
  ubi: fastmap: Allocate memory with GFP_NOFS in ubi_update_fastmap
  ubi: fastmap: erase_block: Get erase counter from wl_entry rather than flash
  ubi: fastmap: Fix missed ec updating after erasing old fastmap data block
  ubifs: Fix missing error code err
  ubifs: Fix memory leak of bud->log_hash
  ubifs: Fix some kernel-doc comments
Merge tag 'mtd/for-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux 2023-11-04T21:04:30+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-11-04T21:04:30+00:00 b1dfbda8636b54cde21f9f5d352fd25c4deff584 Pull mtd updates from Miquel Raynal: "The main set of changes is related to Uwe's work converting platform remove callbacks to return void. Comes next (in number of changes) Kees' additional structures annotations to improve the sanitizers. The usual amount of cleanups apply. About the more substancial contribution, one main function of the partitions core could return an error which was not checked, this is now fixed. On the bindings side, fixed partitions can now have a compression property. Finally, an erroneous situation is now always avoided in the MAP RAM driver. CFI: - A several years old byte swap has been fixed. NAND: - The subsystem has, as usual, seen a bit of cleanup being done this cycle, typically return values of platform_get_irq() and devm_kasprintf(). There is also a better ECC check in the Arasan driver. This comes with smaller misc changes. - In the SPI-NAND world there is now support for Foresee F35SQA002G, Winbond W25N and XTX XT26 chips. SPI NOR: - For SPI NOR we cleaned the flash info entries in order to have them slimmer and self explanatory. In order to make the entries as slim as possible, we introduced sane default values so that the actual flash entries don't need to specify them. We now use a flexible macro to specify the flash ID instead of the previous INFOx() macros that had hardcoded ID lengths. Instead of: { "w25q512nwm", INFO(0xef8020, 0, 64 * 1024, 0) OTP_INFO(256, 3, 0x1000, 0x1000) }, We now use: .id = SNOR_ID(0xef, 0x80, 0x20), .name = "w25q512nwm", .otp = SNOR_OTP(256, 3, 0x1000, 0x1000), - We also removed some flash entries: the very old Catalyst SPI EEPROMs that were introduced once with the SPI-NOR subsystem, and a Fujitsu MRAM. Both should use the at25 EEPROM driver. The latter even has device tree bindings for the at25 driver. - We made sure that the conversion didn't introduce any unwanted changes by comparing the .rodata segment before and after the conversion. The patches landed in linux-next immediately after v6.6-rc2, we haven't seen any regressions yet. - Apart of the autumn cleaning we introduced a new flash entry, at25ff321a, and added block protection support for mt25qu512a" * tag 'mtd/for-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (91 commits) mtd: cfi_cmdset_0001: Byte swap OTP info mtd: rawnand: meson: check return value of devm_kasprintf() mtd: rawnand: intel: check return value of devm_kasprintf() mtd: rawnand: sh_flctl: Convert to module_platform_driver() mtd: spi-nor: micron-st: use SFDP table for mt25qu512a mtd: spi-nor: micron-st: enable lock/unlock for mt25qu512a mtd: rawnand: Remove unused of_gpio.h inclusion mtd: spinand: Add support for XTX XT26xxxDxxxxx mtd: spinand: winbond: add support for serial NAND flash mtd: rawnand: cadence: Annotate struct cdns_nand_chip with __counted_by mtd: rawnand: Annotate struct mtk_nfc_nand_chip with __counted_by mtd: spinand: add support for FORESEE F35SQA002G mtd: rawnand: rockchip: Use struct_size() mtd: rawnand: arasan: Include ECC syndrome along with in-band data while checking for ECC failure mtd: Use device_get_match_data() mtd: spi-nor: nxp-spifi: Convert to platform remove callback returning void mtd: spi-nor: hisi-sfc: Convert to platform remove callback returning void mtd: maps: sun_uflash: Convert to platform remove callback returning void mtd: maps: sa1100-flash: Convert to platform remove callback returning void mtd: maps: pxa2xx-flash: Convert to platform remove callback returning void ... 
Pull mtd updates from Miquel Raynal:
 "The main set of changes is related to Uwe's work converting platform
  remove callbacks to return void. Comes next (in number of changes)
  Kees' additional structures annotations to improve the sanitizers. The
  usual amount of cleanups apply.

  About the more substancial contribution, one main function of the
  partitions core could return an error which was not checked, this is
  now fixed. On the bindings side, fixed partitions can now have a
  compression property. Finally, an erroneous situation is now always
  avoided in the MAP RAM driver.

  CFI:

   - A several years old byte swap has been fixed.

  NAND:

   - The subsystem has, as usual, seen a bit of cleanup being done this
     cycle, typically return values of platform_get_irq() and
     devm_kasprintf(). There is also a better ECC check in the Arasan
     driver. This comes with smaller misc changes.

   - In the SPI-NAND world there is now support for Foresee F35SQA002G,
     Winbond W25N and XTX XT26 chips.

  SPI NOR:

   - For SPI NOR we cleaned the flash info entries in order to have them
     slimmer and self explanatory. In order to make the entries as slim
     as possible, we introduced sane default values so that the actual
     flash entries don't need to specify them. We now use a flexible
     macro to specify the flash ID instead of the previous INFOx()
     macros that had hardcoded ID lengths.

     Instead of:

         { "w25q512nwm", INFO(0xef8020, 0, 64 * 1024, 0)
                 OTP_INFO(256, 3, 0x1000, 0x1000) },

     We now use:

         .id = SNOR_ID(0xef, 0x80, 0x20),
         .name = "w25q512nwm",
         .otp = SNOR_OTP(256, 3, 0x1000, 0x1000),

   - We also removed some flash entries: the very old Catalyst SPI
     EEPROMs that were introduced once with the SPI-NOR subsystem, and a
     Fujitsu MRAM. Both should use the at25 EEPROM driver. The latter
     even has device tree bindings for the at25 driver.

   - We made sure that the conversion didn't introduce any unwanted
     changes by comparing the .rodata segment before and after the
     conversion. The patches landed in linux-next immediately after
     v6.6-rc2, we haven't seen any regressions yet.

   - Apart of the autumn cleaning we introduced a new flash entry,
     at25ff321a, and added block protection support for mt25qu512a"

* tag 'mtd/for-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (91 commits)
  mtd: cfi_cmdset_0001: Byte swap OTP info
  mtd: rawnand: meson: check return value of devm_kasprintf()
  mtd: rawnand: intel: check return value of devm_kasprintf()
  mtd: rawnand: sh_flctl: Convert to module_platform_driver()
  mtd: spi-nor: micron-st: use SFDP table for mt25qu512a
  mtd: spi-nor: micron-st: enable lock/unlock for mt25qu512a
  mtd: rawnand: Remove unused of_gpio.h inclusion
  mtd: spinand: Add support for XTX XT26xxxDxxxxx
  mtd: spinand: winbond: add support for serial NAND flash
  mtd: rawnand: cadence: Annotate struct cdns_nand_chip with __counted_by
  mtd: rawnand: Annotate struct mtk_nfc_nand_chip with __counted_by
  mtd: spinand: add support for FORESEE F35SQA002G
  mtd: rawnand: rockchip: Use struct_size()
  mtd: rawnand: arasan: Include ECC syndrome along with in-band data while checking for ECC failure
  mtd: Use device_get_match_data()
  mtd: spi-nor: nxp-spifi: Convert to platform remove callback returning void
  mtd: spi-nor: hisi-sfc: Convert to platform remove callback returning void
  mtd: maps: sun_uflash: Convert to platform remove callback returning void
  mtd: maps: sa1100-flash: Convert to platform remove callback returning void
  mtd: maps: pxa2xx-flash: Convert to platform remove callback returning void
  ...
Merge tag 'nand/for-6.7' into mtd/next 2023-11-04T10:50:34+00:00 Miquel Raynal miquel.raynal@bootlin.com 2023-11-04T10:50:22+00:00 6d55d31e927eec68ba6db344688044ed253223e9 The raw NAND subsystem has, as usual, seen a bit of cleanup being done this cycle, typically return values of platform_get_irq() and devm_kasprintf(), plus structure annotations for sanitizers. There is also a better ECC check in the Arasan driver. This comes with smaller misc changes. In the SPI-NAND world there is now support for Foresee F35SQA002G, Winbond W25N and XTX XT26 chips. Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> 
The raw NAND subsystem has, as usual, seen a bit of cleanup being done
this cycle, typically return values of platform_get_irq() and
devm_kasprintf(), plus structure annotations for sanitizers. There is
also a better ECC check in the Arasan driver. This comes with smaller
misc changes.

In the SPI-NAND world there is now support for Foresee F35SQA002G,
Winbond W25N and XTX XT26 chips.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Merge tag 'spi-nor/for-6.7' into mtd/next 2023-11-04T10:50:13+00:00 Miquel Raynal miquel.raynal@bootlin.com 2023-11-04T10:49:52+00:00 3a8ab4a13d17f2a16cd4f125e5238096c1c55149 For SPI NOR we cleaned the flash info entries in order to have them slimmer and self explanatory. In order to make the entries as slim as possible, we introduced sane default values so that the actual flash entries don't need to specify them. We now use a flexible macro to specify the flash ID instead of the previous INFOx() macros that had hardcoded ID lengths. Instead of: - { "w25q512nwm", INFO(0xef8020, 0, 64 * 1024, 0) - OTP_INFO(256, 3, 0x1000, 0x1000) }, We now use: + .id = SNOR_ID(0xef, 0x80, 0x20), + .name = "w25q512nwm", + .otp = SNOR_OTP(256, 3, 0x1000, 0x1000), We also removed some flash entries: the very old Catalyst SPI EEPROMs that were introduced once with the SPI-NOR subsystem, and a Fujitsu MRAM. Both should use the at25 EEPROM driver. The latter even has device tree bindings for the at25 driver. We made sure that the conversion didn't introduce any unwanted changes by comparing the .rodata segment before and after the conversion. The patches landed in linux-next immediately after v6.6-rc2, we haven't seen any regressions yet. Apart of the autumn cleaning we introduced a new flash entry, at25ff321a, and added block protection support for mt25qu512a. Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> 
For SPI NOR we cleaned the flash info entries in order to have
them slimmer and self explanatory. In order to make the entries
as slim as possible, we introduced sane default values so that
the actual flash entries don't need to specify them. We now use
a flexible macro to specify the flash ID instead of the previous
INFOx() macros that had hardcoded ID lengths.

Instead of:
-       { "w25q512nwm", INFO(0xef8020, 0, 64 * 1024, 0)
-               OTP_INFO(256, 3, 0x1000, 0x1000) },

We now use:
+               .id = SNOR_ID(0xef, 0x80, 0x20),
+               .name = "w25q512nwm",
+               .otp = SNOR_OTP(256, 3, 0x1000, 0x1000),

We also removed some flash entries: the very old Catalyst
SPI EEPROMs that were introduced once with the SPI-NOR subsystem,
and a Fujitsu MRAM. Both should use the at25 EEPROM driver.
The latter even has device tree bindings for the at25 driver.

We made sure that the conversion didn't introduce any unwanted
changes by comparing the .rodata segment before and after the
conversion. The patches landed in linux-next immediately after
v6.6-rc2, we haven't seen any regressions yet.

Apart of the autumn cleaning we introduced a new flash entry,
at25ff321a, and added block protection support for mt25qu512a.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Merge tag 'char-misc-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2023-11-04T00:51:08+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-11-04T00:51:08+00:00 d99b91a99be430be45413052bb428107c435918b Pull char/misc updates from Greg KH: "Here is the big set of char/misc and other small driver subsystem changes for 6.7-rc1. Included in here are: - IIO subsystem driver updates and additions (largest part of this pull request) - FPGA subsystem driver updates - Counter subsystem driver updates - ICC subsystem driver updates - extcon subsystem driver updates - mei driver updates and additions - nvmem subsystem driver updates and additions - comedi subsystem dependency fixes - parport driver fixups - cdx subsystem driver and core updates - splice support for /dev/zero and /dev/full - other smaller driver cleanups All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (326 commits) cdx: add sysfs for subsystem, class and revision cdx: add sysfs for bus reset cdx: add support for bus enable and disable cdx: Register cdx bus as a device on cdx subsystem cdx: Create symbol namespaces for cdx subsystem cdx: Introduce lock to protect controller ops cdx: Remove cdx controller list from cdx bus system dts: ti: k3-am625-beagleplay: Add beaglecc1352 greybus: Add BeaglePlay Linux Driver dt-bindings: net: Add ti,cc1352p7 dt-bindings: eeprom: at24: allow NVMEM cells based on old syntax dt-bindings: nvmem: SID: allow NVMEM cells based on old syntax Revert "nvmem: add new config option" MAINTAINERS: coresight: Add missing Coresight files misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support firmware: xilinx: Move EXPORT_SYMBOL_GPL next to zynqmp_pm_feature definition uacce: make uacce_class constant ocxl: make ocxl_class constant cxl: make cxl_class constant misc: phantom: make phantom_class constant ... 
Pull char/misc updates from Greg KH:
 "Here is the big set of char/misc and other small driver subsystem
  changes for 6.7-rc1. Included in here are:

   - IIO subsystem driver updates and additions (largest part of this
     pull request)

   - FPGA subsystem driver updates

   - Counter subsystem driver updates

   - ICC subsystem driver updates

   - extcon subsystem driver updates

   - mei driver updates and additions

   - nvmem subsystem driver updates and additions

   - comedi subsystem dependency fixes

   - parport driver fixups

   - cdx subsystem driver and core updates

   - splice support for /dev/zero and /dev/full

   - other smaller driver cleanups

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (326 commits)
  cdx: add sysfs for subsystem, class and revision
  cdx: add sysfs for bus reset
  cdx: add support for bus enable and disable
  cdx: Register cdx bus as a device on cdx subsystem
  cdx: Create symbol namespaces for cdx subsystem
  cdx: Introduce lock to protect controller ops
  cdx: Remove cdx controller list from cdx bus system
  dts: ti: k3-am625-beagleplay: Add beaglecc1352
  greybus: Add BeaglePlay Linux Driver
  dt-bindings: net: Add ti,cc1352p7
  dt-bindings: eeprom: at24: allow NVMEM cells based on old syntax
  dt-bindings: nvmem: SID: allow NVMEM cells based on old syntax
  Revert "nvmem: add new config option"
  MAINTAINERS: coresight: Add missing Coresight files
  misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
  firmware: xilinx: Move EXPORT_SYMBOL_GPL next to zynqmp_pm_feature definition
  uacce: make uacce_class constant
  ocxl: make ocxl_class constant
  cxl: make cxl_class constant
  misc: phantom: make phantom_class constant
  ...
Merge tag 'gpio-updates-for-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux 2023-11-01T03:21:54+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-11-01T03:21:54+00:00 b05ddad00903b24931cb4b45516f1bc1b5c288f2 Pull gpio updates from Bartosz Golaszewski: "We don't have any new drivers. The loongson driver is getting extended with support for new models. There's a big refactor of gpio-pca953x and many small improvements to others. The GPIO code in the kernel has acquired a lot of cruft over the years as well as many abusers of the API across the kernel tree. This release cycle we have started a major cleanup and improvement effort that will most likely span several releases. We have started by converting external users of struct gpio_chip to accessing the wrapper around it - struct gpio_device. This is because the latter is reference counted while the former is removed when the provider is unbound. We also removed several instances of drivers accessing private GPIOLIB structures and including the private header from drivers/gpio/. To that end you'll see several commits aimed at different subsystems (acked by relevant maintainers) as well as two merges from the x86/platform tree. We'll then rework the locking in GPIOLIB which currently uses a big spinlock for many different things and could use becoming more fine-grained, especially as it doesn't even get the locking right. We'll also use SRCU for protecting the gpio_chip pointer against in-kernel hot-unplug crashes similar to what we saw triggered from user-space and fixed with semaphores in gpiolib-cdev. The core GPIOLIB is still vulnerable to these use-cases. I'm just mentioning the plans here, this is not part of this PR. You'll see some new instances of using __free(). We've added a gpio_device_put cleanup helper similar to the put_device one introduced by Peter Zijlstra and used it according to the preferred pattern except where it didn't make sense. GPIOLIB core: - provide interfaces allowing users to retrieve, manage and query the reference counted GPIO device instead of accessing the private gpio_chip structure - replace gpiochip_find() with gpio_device_find() - remove unused acpi_get_and_request_gpiod() - improve the ignore_interrupt functionality in GPIO ACPI - correct notifier return codes in gpiolib-of - unexport gpiod_set_transitory() as it's unused outside of core GPIO code - while there are still external users accessing struct gpio_chip, let's make gpiochip_get_desc() public so that they at least use the preferred helper - improve locking for lookup tables - annotate struct linereq with __counted_by - improve GPIOLIB docs - add an OF quirk for LED trigger sources Driver improvements: - convert all GPIO drivers with .remove() callbacks to using the new variant returning void instead of int - stop accessing the GPIOLIB private structures in gpio-mockup, i2c-mux-gpio, hte-tegra194, gpio-sim - use the recommended pattern for autofree variables in gpio-sim - add support for more models to gpio-loongson - use a notifier chain to notify other blocks about interrupts in gpio-eic-sprd instead of looking up GPIO devices on every interrupt - convert gpio-pca953x and gpio-fx6408 to using the maple tree regmap cache - don't include GPIOLIB internal headers in drivers which don't need them - move the ingenic NAND quirk into gpiolib-of - add an ignore interrupt quirk for Peaq C1010 - drop static GPIO base from gpio-omap, gpio-f7188x - use the preferred device_get_match_data() function in drivers that still don't - refactor gpio-pca953x: switch to using DEFINE_SIMPLE_DEV_PM_OPS(), use cleanup helpers, use dev_err_probe() where it makes sense, fully convert to using devres and some other minor tweaks DT bindings: - add support for a new model to gpio-vf610 and update existing properties - add support for more loongson models - add missing support for imx models that are used but undocumented - convert bindings for Intel IXP4xx to schema Minor stuff: - deprecate gpio-mockup in favor of gpio-sim - include missing headers here and there - stop using gpiochip_find() in OMAP1 board files - minor tweaks in gpio-vf610, gpio-hisi - remove unneeded 'extern' specifiers from headers" * tag 'gpio-updates-for-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (108 commits) hte: tegra194: add GPIOLIB dependency hte: tegra194: don't access struct gpio_chip gpiolib: provide gpio_device_get_base() i2c: mux: gpio: don't fiddle with GPIOLIB internals gpiolib: provide gpiod_to_gpio_device() gpiolib: provide gpio_device_to_device() gpio: hisi: Fix format specifier gpiolib: provide gpio_device_find_by_fwnode() gpio: acpi: remove acpi_get_and_request_gpiod() gpio: Use device_get_match_data() gpio: vf610: update comment for i.MX8ULP and i.MX93 legacy compatibles platform/x86: int3472: Switch to devm_get_gpiod() platform/x86: int3472: Stop using gpiod_toggle_active_low() platform/x86: int3472: Add new skl_int3472_gpiod_get_from_temp_lookup() helper platform/x86: int3472: Add new skl_int3472_fill_gpiod_lookup() helper gpio: vf610: simplify code by dropping data check gpio: vf610: add i.MX8ULP of_device_id entry dt-bindings: gpio: vf610: add i.MX95 compatible dt-bindings: gpio: vf610: correct i.MX8ULP and i.MX93 dt-bindings: gpio: vf610: update gpio-ranges ... 
Pull gpio updates from Bartosz Golaszewski:
 "We don't have any new drivers. The loongson driver is getting extended
  with support for new models. There's a big refactor of gpio-pca953x
  and many small improvements to others.

  The GPIO code in the kernel has acquired a lot of cruft over the years
  as well as many abusers of the API across the kernel tree. This
  release cycle we have started a major cleanup and improvement effort
  that will most likely span several releases. We have started by
  converting external users of struct gpio_chip to accessing the wrapper
  around it - struct gpio_device. This is because the latter is
  reference counted while the former is removed when the provider is
  unbound. We also removed several instances of drivers accessing
  private GPIOLIB structures and including the private header from
  drivers/gpio/.

  To that end you'll see several commits aimed at different subsystems
  (acked by relevant maintainers) as well as two merges from the
  x86/platform tree.

  We'll then rework the locking in GPIOLIB which currently uses a big
  spinlock for many different things and could use becoming more
  fine-grained, especially as it doesn't even get the locking right.
  We'll also use SRCU for protecting the gpio_chip pointer against
  in-kernel hot-unplug crashes similar to what we saw triggered from
  user-space and fixed with semaphores in gpiolib-cdev. The core GPIOLIB
  is still vulnerable to these use-cases. I'm just mentioning the plans
  here, this is not part of this PR.

  You'll see some new instances of using __free(). We've added a
  gpio_device_put cleanup helper similar to the put_device one
  introduced by Peter Zijlstra and used it according to the preferred
  pattern except where it didn't make sense.

  GPIOLIB core:
   - provide interfaces allowing users to retrieve, manage and query the
     reference counted GPIO device instead of accessing the private
     gpio_chip structure
   - replace gpiochip_find() with gpio_device_find()
   - remove unused acpi_get_and_request_gpiod()
   - improve the ignore_interrupt functionality in GPIO ACPI
   - correct notifier return codes in gpiolib-of
   - unexport gpiod_set_transitory() as it's unused outside of core GPIO
     code
   - while there are still external users accessing struct gpio_chip,
     let's make gpiochip_get_desc() public so that they at least use the
     preferred helper
   - improve locking for lookup tables
   - annotate struct linereq with __counted_by
   - improve GPIOLIB docs
   - add an OF quirk for LED trigger sources

  Driver improvements:
   - convert all GPIO drivers with .remove() callbacks to using the new
     variant returning void instead of int
   - stop accessing the GPIOLIB private structures in gpio-mockup,
     i2c-mux-gpio, hte-tegra194, gpio-sim
   - use the recommended pattern for autofree variables in gpio-sim
   - add support for more models to gpio-loongson
   - use a notifier chain to notify other blocks about interrupts in
     gpio-eic-sprd instead of looking up GPIO devices on every interrupt
   - convert gpio-pca953x and gpio-fx6408 to using the maple tree regmap
     cache
   - don't include GPIOLIB internal headers in drivers which don't need
     them
   - move the ingenic NAND quirk into gpiolib-of
   - add an ignore interrupt quirk for Peaq C1010
   - drop static GPIO base from gpio-omap, gpio-f7188x
   - use the preferred device_get_match_data() function in drivers that
     still don't
   - refactor gpio-pca953x: switch to using DEFINE_SIMPLE_DEV_PM_OPS(),
     use cleanup helpers, use dev_err_probe() where it makes sense,
     fully convert to using devres and some other minor tweaks

  DT bindings:
   - add support for a new model to gpio-vf610 and update existing
     properties
   - add support for more loongson models
   - add missing support for imx models that are used but undocumented
   - convert bindings for Intel IXP4xx to schema

  Minor stuff:
   - deprecate gpio-mockup in favor of gpio-sim
   - include missing headers here and there
   - stop using gpiochip_find() in OMAP1 board files
   - minor tweaks in gpio-vf610, gpio-hisi
   - remove unneeded 'extern' specifiers from headers"

* tag 'gpio-updates-for-v6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (108 commits)
  hte: tegra194: add GPIOLIB dependency
  hte: tegra194: don't access struct gpio_chip
  gpiolib: provide gpio_device_get_base()
  i2c: mux: gpio: don't fiddle with GPIOLIB internals
  gpiolib: provide gpiod_to_gpio_device()
  gpiolib: provide gpio_device_to_device()
  gpio: hisi: Fix format specifier
  gpiolib: provide gpio_device_find_by_fwnode()
  gpio: acpi: remove acpi_get_and_request_gpiod()
  gpio: Use device_get_match_data()
  gpio: vf610: update comment for i.MX8ULP and i.MX93 legacy compatibles
  platform/x86: int3472: Switch to devm_get_gpiod()
  platform/x86: int3472: Stop using gpiod_toggle_active_low()
  platform/x86: int3472: Add new skl_int3472_gpiod_get_from_temp_lookup() helper
  platform/x86: int3472: Add new skl_int3472_fill_gpiod_lookup() helper
  gpio: vf610: simplify code by dropping data check
  gpio: vf610: add i.MX8ULP of_device_id entry
  dt-bindings: gpio: vf610: add i.MX95 compatible
  dt-bindings: gpio: vf610: correct i.MX8ULP and i.MX93
  dt-bindings: gpio: vf610: update gpio-ranges
  ...
ubi: block: Fix use-after-free in ubiblock_cleanup 2023-10-28T21:18:39+00:00 ZhaoLong Wang wangzhaolong1@huawei.com 2023-09-21T02:01:42+00:00 d07cec9c238ae8fc6c1a9f3f5d30a2f8ec6cdc71 The following BUG is reported when a ubiblock is removed: ================================================================== BUG: KASAN: slab-use-after-free in ubiblock_cleanup+0x88/0xa0 [ubi] Read of size 4 at addr ffff88810c8f3804 by task ubiblock/1716 CPU: 5 PID: 1716 Comm: ubiblock Not tainted 6.6.0-rc2+ #135 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x37/0x50 print_report+0xd0/0x620 kasan_report+0xb6/0xf0 ubiblock_cleanup+0x88/0xa0 [ubi] ubiblock_remove+0x121/0x190 [ubi] vol_cdev_ioctl+0x355/0x630 [ubi] __x64_sys_ioctl+0xc7/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f08d7445577 Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 8 RSP: 002b:00007ffde05a3018 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f08d7445577 RDX: 0000000000000000 RSI: 0000000000004f08 RDI: 0000000000000003 RBP: 0000000000816010 R08: 00000000008163a7 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000000003 R13: 00007ffde05a3130 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 1715: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x7f/0x90 __alloc_disk_node+0x40/0x2b0 __blk_mq_alloc_disk+0x3e/0xb0 ubiblock_create+0x2ba/0x620 [ubi] vol_cdev_ioctl+0x581/0x630 [ubi] __x64_sys_ioctl+0xc7/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 0: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10e/0x190 __kmem_cache_free+0x96/0x220 bdev_free_inode+0xa4/0xf0 rcu_core+0x496/0xec0 __do_softirq+0xeb/0x384 The buggy address belongs to the object at ffff88810c8f3800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 4 bytes inside of freed 1024-byte region [ffff88810c8f3800, ffff88810c8f3c00) The buggy address belongs to the physical page: page:00000000d03de848 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c8f0 head:00000000d03de848 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000000840(slab|head|node=0|zone=2) page_type: 0xffffffff() raw: 0200000000000840 ffff888100042dc0 ffffea0004244400 dead000000000002 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88810c8f3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88810c8f3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88810c8f3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88810c8f3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88810c8f3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fix it by using a local variable to record the gendisk ID. Fixes: 77567b25ab9f ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk") Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com> Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> Signed-off-by: Richard Weinberger <richard@nod.at> 
The following BUG is reported when a ubiblock is removed:

 ==================================================================
 BUG: KASAN: slab-use-after-free in ubiblock_cleanup+0x88/0xa0 [ubi]
 Read of size 4 at addr ffff88810c8f3804 by task ubiblock/1716

 CPU: 5 PID: 1716 Comm: ubiblock Not tainted 6.6.0-rc2+ #135
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x37/0x50
  print_report+0xd0/0x620
  kasan_report+0xb6/0xf0
  ubiblock_cleanup+0x88/0xa0 [ubi]
  ubiblock_remove+0x121/0x190 [ubi]
  vol_cdev_ioctl+0x355/0x630 [ubi]
  __x64_sys_ioctl+0xc7/0x100
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
 RIP: 0033:0x7f08d7445577
 Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 8
 RSP: 002b:00007ffde05a3018 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f08d7445577
 RDX: 0000000000000000 RSI: 0000000000004f08 RDI: 0000000000000003
 RBP: 0000000000816010 R08: 00000000008163a7 R09: 0000000000000000
 R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000000003
 R13: 00007ffde05a3130 R14: 0000000000000000 R15: 0000000000000000
  </TASK>

 Allocated by task 1715:
  kasan_save_stack+0x22/0x50
  kasan_set_track+0x25/0x30
  __kasan_kmalloc+0x7f/0x90
  __alloc_disk_node+0x40/0x2b0
  __blk_mq_alloc_disk+0x3e/0xb0
  ubiblock_create+0x2ba/0x620 [ubi]
  vol_cdev_ioctl+0x581/0x630 [ubi]
  __x64_sys_ioctl+0xc7/0x100
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

 Freed by task 0:
  kasan_save_stack+0x22/0x50
  kasan_set_track+0x25/0x30
  kasan_save_free_info+0x2b/0x50
  __kasan_slab_free+0x10e/0x190
  __kmem_cache_free+0x96/0x220
  bdev_free_inode+0xa4/0xf0
  rcu_core+0x496/0xec0
  __do_softirq+0xeb/0x384

 The buggy address belongs to the object at ffff88810c8f3800
  which belongs to the cache kmalloc-1k of size 1024
 The buggy address is located 4 bytes inside of
  freed 1024-byte region [ffff88810c8f3800, ffff88810c8f3c00)

 The buggy address belongs to the physical page:
 page:00000000d03de848 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c8f0
 head:00000000d03de848 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 flags: 0x200000000000840(slab|head|node=0|zone=2)
 page_type: 0xffffffff()
 raw: 0200000000000840 ffff888100042dc0 ffffea0004244400 dead000000000002
 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff88810c8f3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88810c8f3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff88810c8f3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                    ^
  ffff88810c8f3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88810c8f3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Fix it by using a local variable to record the gendisk ID.

Fixes: 77567b25ab9f ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk")
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>