Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-6.0.y 2022-01-09T20:13:28+00:00 2022-01-09T20:13:28+00:00 Baokun Li libaokun1@huawei.com 2021-11-05T09:30:22+00:00 urn:sha1:3cbf0e392f173ba0ce425968c8374a6aa3e90f2e Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain Fixes: 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Baokun Li <libaokun1@huawei.com> Signed-off-by: Richard Weinberger <richard@nod.at> 2021-04-15T20:00:43+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2021-03-05T08:28:32+00:00 urn:sha1:8aa058d79b6d491778836626ba94a5165589acaf In preparation to enable -Wimplicit-fallthrough for Clang, fix a warning by explicitly adding a break statement instead of letting the code fall through to the next case. Link: https://github.com/KSPP/linux/issues/115 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Richard Weinberger <richard@nod.at> 2020-12-18T01:46:34+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-12-18T01:46:34+00:00 urn:sha1:787fec8ac15cc693b9a7bc1b4a338b92483d993c Pull jffs2, ubi and ubifs updates from Richard Weinberger: "JFFS2: - Fix for a remount regression - Fix for an abnormal GC exit - Fix for a possible NULL pointer issue while mounting UBI: - Add support ECC-ed NOR flash - Removal of dead code UBIFS: - Make node dumping debug code more reliable - Various cleanups: less ifdefs, less typos - Fix for an info leak" * tag 'for-linus-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: ubifs: ubifs_dump_node: Dump all branches of the index node ubifs: ubifs_dump_sleb: Remove unused function ubifs: Pass node length in all node dumping callers Revert "ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len" ubifs: Limit dumping length by size of memory which is allocated for the node ubifs: Remove the redundant return in dbg_check_nondata_nodes_order jffs2: Fix NULL pointer dereference in rp_size fs option parsing ubifs: Fixed print foramt mismatch in ubifs ubi: Do not zero out EC and VID on ECC-ed NOR flashes jffs2: remove trailing semicolon in macro definition ubifs: Fix error return code in ubifs_init_authentication() ubifs: wbuf: Don't leak kernel memory to flash ubi: Remove useless code in bytes_str_to_int ubifs: Fix the printing type of c->big_lpt jffs2: Allow setting rp_size to zero during remounting jffs2: Fix ignoring mounting options problem during remounting jffs2: Fix GC exit abnormally ubifs: Code cleanup by removing ifdef macro surrounding jffs2: Fix if/else empty body warnings ubifs: Delete duplicated words + other fixes 2020-12-13T20:57:21+00:00 Pratyush Yadav p.yadav@ti.com 2020-12-01T10:27:09+00:00 urn:sha1:f669e74be820386244290d5824938969d397b8fb For NOR flashes EC and VID are zeroed out before an erase is issued to make sure UBI does not mistakenly treat the PEB as used and associate it with an LEB. But on some flashes, like the Cypress Semper S28 SPI NOR flash family, multi-pass page programming is not allowed on the default ECC scheme. This means zeroing out these magic numbers will result in the flash throwing a page programming error. Do not zero out EC and VID for such flashes. A writesize > 1 is an indication of an ECC-ed flash. Signed-off-by: Pratyush Yadav <p.yadav@ti.com> Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com> Signed-off-by: Richard Weinberger <richard@nod.at> 2020-12-13T20:57:10+00:00 k00524021 kechengsong@huawei.com 2020-11-03T11:56:45+00:00 urn:sha1:619ea229e9b54e65955f8746a31ae15797d297fc As a local variable, "endp" is neither refered nor returned after this line "endp += 2", it looks like a useless code, suggest to remove it. Signed-off-by: Chengsong Ke <kechengsong@huawei.com> Signed-off-by: Richard Weinberger <richard@nod.at> 2020-11-20T11:37:30+00:00 Lee Jones lee.jones@linaro.org 2020-11-09T18:21:51+00:00 urn:sha1:9efbb507b7e66137dc0814c7fb9517dbdd410cc0 Fixes the following W=1 kernel build warning(s): drivers/mtd/ubi/build.c:61: warning: Function parameter or member 'ubi_num' not described in 'mtd_dev_param' Cc: Richard Weinberger <richard@nod.at> Cc: Miquel Raynal <miquel.raynal@bootlin.com> Cc: Vignesh Raghavendra <vigneshr@ti.com> Cc: linux-mtd@lists.infradead.org Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20201109182206.3037326-9-lee.jones@linaro.org 2020-05-11T07:51:42+00:00 Boris Brezillon bbrezillon@kernel.org 2020-05-03T15:53:41+00:00 urn:sha1:66aaba3a07cb8e53878bbeabe54660a646b55a34 The MTD layer provides an SLC mode (purely software emulation of SLC behavior) addressing the paired-pages corruption issue, which was the main reason for refusing attaching MLC NANDs to UBI. Relax this rule and allow partitions that have the MTD_EMULATE_SLC_ON_MLC flag set to be attached. Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Acked-by: Richard Weinberger <richard@nod.at> Link: https://lore.kernel.org/linux-mtd/20200503155341.16712-9-miquel.raynal@bootlin.com 2020-03-30T08:14:54+00:00 Miquel Raynal miquel.raynal@bootlin.com 2020-03-25T21:21:15+00:00 urn:sha1:025a06c1104cd8995646b761d117816b5f28c873 Use Joe Perches cvt_fallthrough.pl script to convert /* fallthrough */ comments (and its derivatives) into a fallthrough; statement. This automatically drops useless ones. Do it MTD-wide. Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Acked-by: Vignesh Raghavendra <vigneshr@ti.com> Acked-by: Tudor Ambarus <tudor.ambarus@microchip.com> Acked-by: Richard Weinberger <richard@nod.at> Link: https://lore.kernel.org/linux-mtd/20200325212115.14170-1-miquel.raynal@bootlin.com 2020-02-04T03:05:27+00:00 Masahiro Yamada masahiroy@kernel.org 2020-02-04T01:37:45+00:00 urn:sha1:45586c7078d42b932c5399953d21746800083691 'PTR_ERR(p) == -E*' is a stronger condition than IS_ERR(p). Hence, IS_ERR(p) is unneeded. The semantic patch that generates this commit is as follows: // <smpl> @@ expression ptr; constant error_code; @@ -IS_ERR(ptr) && (PTR_ERR(ptr) == - error_code) +PTR_ERR(ptr) == - error_code // </smpl> Link: http://lkml.kernel.org/r/20200106045833.1725-1-masahiroy@kernel.org Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Cc: Julia Lawall <julia.lawall@lip6.fr> Acked-by: Stephen Boyd <sboyd@kernel.org> [drivers/clk/clk.c] Acked-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> [GPIO] Acked-by: Wolfram Sang <wsa@the-dreams.de> [drivers/i2c] Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> [acpi/scan.c] Acked-by: Rob Herring <robh@kernel.org> Cc: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-01-16T22:35:59+00:00 Hou Tao houtao1@huawei.com 2019-11-30T09:48:25+00:00 urn:sha1:fc55dacf7fea793e70c9c75a1acff47a4fb02017 The allocated normal volumes saved in ubi->volumes are not freed in the error paths in ubi_attach_mtd_dev() and its callees (e.g. ubi_attach() and ubi_read_volume_table()). These normal volumes should be freed through kill_volumes() and vol_release(), but ubi_attach_mtd_dev() may fail before calling uif_init(), and there will be memory leaks. So adding a new helper ubi_free_all_volumes() to free the normal and the internal volumes. And in order to prevent double-free of volume, reset ubi->volumes[i] to NULL after freeing. Signed-off-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Richard Weinberger <richard@nod.at>