Commit Graph

9082 Commits

Author SHA1 Message Date
Linus Torvalds bc88aa51a6 This pull request contains the following bug fixes for UBI and UBIFS:
- Fix for a stable patch: Fix failure attaching when vid_hdr offset equals to (sub)page size
 - Fix for a deadlock in UBI's worker thread
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCAA0FiEEdgfidid8lnn52cLTZvlZhesYu8EFAmQ66wwWHHJpY2hhcmRA
 c2lnbWEtc3Rhci5hdAAKCRBm+VmF6xi7wUEdD/4j9N9vWsufIixVezlFZM60XAFK
 JmJZ+407gPlbDsmrBAu7u99UF9I6CYEthyKPeVIDwoMis+bR1f189WGGgWz7ImT5
 my3Uuq1WCklzJRdYxjCznaHa6XPCu/RnXYvbqPBFvgIK4fu2Lkem01uhw+7gaw/S
 tU8rwGfTfM8pNhv3LnwyJ8uAZ41uRv1Yaa3irfTZYbapmnCZeQ+XrXPntdOXfOyg
 nR2EdLP7JcnXM7Xemd47gx1AxsJk6Lzl/RTeA7zO+1JWLcz5Lprk0o/5aokz5HUO
 JXUaejhcvrtnDlXAWKhw4FGddGsJRmH3iM536J9It1UZgX5/XNHfYq9MtXhWdhjj
 pDlyEszrYn8LJR3f+uL/jjtc8CjUD0vqGfgCh//6yL3K7OoPRzC6oAxYob5Zxp7D
 xZv+FzWcgXbtqyirQivcY8Z82VAVoIDRPRkjPHzaMg4+8+0gCJ/fvT5nxD/t0t12
 UR9+7VHJ376KCWvYbAXKopOTe93sfWBdezX4z7sOcGRE9UnP35zwB/2cSQgkAXtq
 wtV5fJBTKxFXzG5LvnZVFdQJxe1cAtMBl+ochcRsGIbLy9sTZ7rVggiiGLmeYGEX
 NOxbVuupQHlffVYQ+XTXSQ6C/PCU4NmLmQap/rD5N+PjSMKfiPhnuklt9IWoKfzH
 HW6gFDuAMVUu/aWQmg==
 =s5M1
 -----END PGP SIGNATURE-----

Merge tag 'ubifs-for-linus-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull UBI fixes from Richard Weinberger:

 - Fix failure to attach when vid_hdr offset equals the (sub)page size

 - Fix for a deadlock in UBI's worker thread

* tag 'ubifs-for-linus-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
  ubi: Fix deadlock caused by recursively holding work_sem
2023-04-15 16:55:09 -07:00
Arseniy Krasnov 93942b7046 mtd: rawnand: meson: fix bitmask for length in command word
Valid mask is 0x3FFF, without this patch the following problems were
found:

1) [    0.938914] Could not find a valid ONFI parameter page, trying
                  bit-wise majority to recover it
   [    0.947384] ONFI parameter recovery failed, aborting

2) Read with disabled ECC mode was broken.

Fixes: 8fae856c53 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/3794ffbf-dfea-e96f-1f97-fe235b005e19@sberdevices.ru
2023-04-03 17:58:01 +02:00
Bang Li 0c3089601f mtdblock: tolerate corrected bit-flips
mtd_read() may return -EUCLEAN in case of corrected bit-flips.This
particular condition should not be treated like an error.

Signed-off-by: Bang Li <libang.linuxer@gmail.com>
Fixes: e47f68587b ("mtd: check for max_bitflips in mtd_read_oob()")
Cc: <stable@vger.kernel.org> # v3.7
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230328163012.4264-1-libang.linuxer@gmail.com
2023-04-03 17:57:59 +02:00
Christophe Kerello ddbb664b6a mtd: rawnand: stm32_fmc2: use timings.mode instead of checking tRC_min
Use timings.mode value instead of checking tRC_min timing
for EDO mode support.

Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
Fixes: 2cd457f328 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver")
Cc: stable@vger.kernel.org #v5.10+
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230328155819.225521-3-christophe.kerello@foss.st.com
2023-04-03 17:57:57 +02:00
Christophe Kerello f71e0e329c mtd: rawnand: stm32_fmc2: remove unsupported EDO mode
Remove the EDO mode support from as the FMC2 controller does not
support the feature.

Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
Fixes: 2cd457f328 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver")
Cc: stable@vger.kernel.org #v5.4+
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230328155819.225521-2-christophe.kerello@foss.st.com
2023-04-03 17:57:56 +02:00
Linus Torvalds a10ca0950a Driver core fixes for 6.3-rc5
Here are 3 small changes for 6.3-rc5 semi-related to driver core stuff:
   - documentation update where we move the security_bugs file to a more
     relevant location.
   - mdt/spi-nor debugfs memory leak fix that's been floating around for
     a long time and acked by the maintainer
   - cacheinfo bugfix for a regression in 6.3-rc1
 
 All have been in linux-next with no reported problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZCmVyg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ylq2ACgl6+JkJU4g8mZb1wUel8w8n9u8J8AmQE+DhVz
 ER9zOe+7njI+ZAsyUVZl
 =d5f4
 -----END PGP SIGNATURE-----

Merge tag 'driver-core-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fixes from Greg KH:
 "Here are three small changes for 6.3-rc5 semi-related to driver core
  stuff:

   - documentation update where we move the security_bugs file to a more
     relevant location.

   - mdt/spi-nor debugfs memory leak fix that's been floating around for
     a long time and acked by the maintainer

   - cacheinfo bugfix for a regression in 6.3-rc1

  All have been in linux-next with no reported problems"

* tag 'driver-core-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  cacheinfo: Fix LLC is not exported through sysfs
  Documentation/security-bugs: move from admin-guide/ to process/
  mtd: spi-nor: fix memory leak when using debugfs_lookup()
2023-04-02 10:10:16 -07:00
Zhihao Cheng 1e020e1b96 ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
Following process will make ubi attaching failed since commit
1b42b1a36f ("ubi: ensure that VID header offset ... size"):

ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
modprobe nandsim id_bytes=$ID
flash_eraseall /dev/mtd0
modprobe ubi mtd="0,2048"  # set vid_hdr offset as 2048 (one page)
(dmesg):
  ubi0 error: ubi_attach_mtd_dev [ubi]: VID header offset 2048 too large.
  UBI error: cannot attach mtd0
  UBI error: cannot initialize UBI, error -22

Rework original solution, the key point is making sure
'vid_hdr_shift + UBI_VID_HDR_SIZE < ubi->vid_hdr_alsize',
so we should check vid_hdr_shift rather not vid_hdr_offset.
Then, ubi still support (sub)page aligined VID header offset.

Fixes: 1b42b1a36f ("ubi: ensure that VID header offset ... size")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Tested-by: Nicolas Schichan <nschichan@freebox.fr>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com> # v5.10, v4.19
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-03-29 23:32:57 +02:00
Linus Torvalds fc5d1a9233 Raw NAND controller driver fixes:
* meson:
   - Invalidate cache on polling ECC bit
   - Initialize struct with zeroes
 * nandsim: Artificially prevent sequential page reads
 
 ECC engine driver fixes:
 * mxic-ecc: Fix mxic_ecc_data_xfer_wait_for_completion() when irq is used
 
 Binging fixes:
 * jedec,spi-nor: Document CPOL/CPHA support
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmQhTz0ACgkQJWrqGEe9
 VoQ4pQf/RFWoA3FVAWZAakknPFDlCw7si1zmtvLzRDEJ9vqWpYpcs0jCeY0nFryV
 FgeCZC67BeEIYO/o2Wb/6iZtlWQV0CIsOpdj9Nx7TfUBJC3ZheU0bU3uZnSC6m96
 rwJ55QFrA1JIbH0OBYEjq3Spkf3A4WnYTOEc+JxV1JjYD4JcWa82UgP2qHQc7pIr
 tTgjvgWNvDYxCeHk2a79cwMbS5roKi8FKHnGHtAfjDoFvYYGeSM9M0XTUfpneHRC
 PlpVnNwzwy+eEqo9tlvFCAOgyiZL/+Rqc/AE5/CxM7C8BTjccCFn8Hw2eVh7kkf1
 PhigYZtLJOFFfNrOFdUeOlE2i8E3Bw==
 =l91F
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull MTD fixes from Miquel Raynal:
 "Raw NAND controller driver fixes:

   - meson:
      - Invalidate cache on polling ECC bit
      - Initialize struct with zeroes

   - nandsim: Artificially prevent sequential page reads

  ECC engine driver fixes:

   - mxic-ecc: Fix mxic_ecc_data_xfer_wait_for_completion() when irq is
     used

  Binging fixes:

   - jedec,spi-nor: Document CPOL/CPHA support"

* tag 'mtd/fixes-for-6.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: rawnand: meson: invalidate cache on polling ECC bit
  mtd: rawnand: nandsim: Artificially prevent sequential page reads
  dt-bindings: mtd: jedec,spi-nor: Document CPOL/CPHA support
  mtd: nand: mxic-ecc: Fix mxic_ecc_data_xfer_wait_for_completion() when irq is used
  mtd: rawnand: meson: initialize struct with zeroes
2023-03-27 09:41:17 -07:00
Arseniy Krasnov e732e39ed9 mtd: rawnand: meson: invalidate cache on polling ECC bit
'info_buf' memory is cached and driver polls ECC bit in it. This bit
is set by the NAND controller. If 'usleep_range()' returns before device
sets this bit, 'info_buf' will be cached and driver won't see update of
this bit and will loop forever.

Fixes: 8fae856c53 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/d4ef0bd6-816e-f6fa-9385-f05f775f0ae2@sberdevices.ru
2023-03-22 16:59:29 +01:00
Miquel Raynal 9b043c6490 mtd: rawnand: nandsim: Artificially prevent sequential page reads
The continuous read support added recently makes nandsim
unhappy. Indeed, all the supported commands should be re-encoded into
internal commands, so of course there is currently no support for the
commands and patterns needed for continuous reads to work.

I tried to add support for them but nandsim (which is more a tool to
develop/debug upper layers rather than the raw NAND core) suffers from a
big limitation: it's internal parser needs to know what exact operation
is happening when the address cycles are performed. The research is then
sequential from the start up to the address cycles, but does not check
what's coming next even though the information is available. This is a
limitation which is related to the old API used by the core which kind
of forced the controllers to guess what operation was being performed
rather early. Today the core uses a more transparent API called
->exec_op() which no longer requires controller drivers to do any more
guessing, but despite being updated to ->exec_op(), nandsim is still a
bit constrained on this regard and thus cannot handle sequential page
reads because the start sequence beginning is identical to a regular
page read.

If the internal algorithm is updated some day, it should be possible to
make it support sequential page reads by adding something like:

       /* Large page devices continuous read page start */
       {OPT_LARGEPAGE, {STATE_CMD_READ0, STATE_ADDR_PAGE, STATE_CMD_READSTART,
                        STATE_CMD_READCACHESEQ | ACTION_CPY, STATE_DATAOUT,
                        STATE_READY}},
       /* Large page devices continuous read page continue */
       {OPT_LARGEPAGE, {STATE_CMD_READCACHESEQ | ACTION_CPY_NEXT, STATE_DATAOUT,
                        STATE_READY}},
       /* Large page devices continuous read page end */
       {OPT_LARGEPAGE, {STATE_CMD_READCACHEEND | ACTION_CPY_NEXT, STATE_DATAOUT,
                        STATE_READY}},

For now, we just return -EOPNOTSUPP when the core asks controller
drivers if they support the feature in order to prevent any further use
of these opcodes.

Note: This is a hack, ->exec_op() is not supposed to check against the
COMMAND opcodes unless _really_ needed.

Fixes: 003fe4b954 ("mtd: rawnand: Support for sequential cache reads")
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/linux-mtd/fd34fe55-7f4a-030d-8653-9bb9cf08410d@huawei.com/
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Zhihao Cheng <chengzhihao1@huawei.com>
Acked-by: Richard Weinberger <richard@nod.at>
Link: https://lore.kernel.org/linux-mtd/20230310085452.1368716-1-miquel.raynal@bootlin.com
2023-03-22 16:59:29 +01:00
Linus Torvalds 81ff855485 * regression fix for the notifier handling of the I2C core
* final coversions of drivers away from deprecated .probe
 * make .probe_new the standard probe and convert I2C core to use it
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEOZGx6rniZ1Gk92RdFA3kzBSgKbYFAmQMKqcACgkQFA3kzBSg
 KbYXLg/9GuZdcLgodr+h1xckLPYLP8+AL4RKr0O7Cm9M4z4h8eIAkFIumuDaL5sd
 fe/zEbvA9ldP2t0tAp5JPsrYJNOr4RAoYyeOz05Ijdy5cLgWrldwD9JFVtsDECyU
 sKHQZyrhTmQUUOmgleu5WKFnlDJLGe/HGv3XPsuKldXCyBii2yKZ4FG3Z0h25lPX
 /SPWYS3VXGNBDIYv6U63dm/Hd2YiuDR6r+4+DyuoDkI3Wmg97X+N4nwzOBO7iJLe
 PXNX9oN3hbZipTrXut3fm13+PL3XBauqtdr3i/Fkm5UO45rTW21vK+6NO1relylh
 TvaV2wcE9Wobrua1CS7f1BJ9C7PdQ6wphhSE3EQav6oBWTYHsFbkrbsKoOpBJjyW
 DxyC+y8DhwQDfQksQH+ifF4tVNNF6MXLehXGQtAMjTKa+tRTnQbC4WhPVXVFi2PK
 8eloIH3xuSxBB24n6O7TThqGOV/IY3mIIhEJtKanDKT5s7MXuvx4B6ehYtPy2JrS
 W5M8Swe5syWlPkJLC/gCZdID89YPhLd0UaJ1i0HuLZt6ZOgr7mYkFu8EPaEHPoLz
 mxa0Qm+TGpfwCIj+t0mksXfnoDiSOpMjB1wEpBo4D14AKcbyJGHDN5OVw3I3OOHj
 1wr5x31HOBUobpcUt8wWKMF+7nw7l4O4LJ0oNLFzsnmZ23mEKJQ=
 =jm/G
 -----END PGP SIGNATURE-----

Merge tag 'i2c-for-6.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c updates from Wolfram Sang:
 "This marks the end of a transition to let I2C have the same probe
  semantics as other subsystems. Uwe took care that no drivers in the
  current tree nor in -next use the deprecated .probe call. So, it is a
  good time to switch to the new, standard semantics now.

  There is also a regression fix:

   - regression fix for the notifier handling of the I2C core

   - final coversions of drivers away from deprecated .probe

   - make .probe_new the standard probe and convert I2C core to use it

* tag 'i2c-for-6.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: dev: Fix bus callback return values
  i2c: Convert drivers to new .probe() callback
  i2c: mux: Convert all drivers to new .probe() callback
  i2c: Switch .probe() to not take an id parameter
  media: i2c: ov2685: convert to i2c's .probe_new()
  media: i2c: ov5695: convert to i2c's .probe_new()
  w1: ds2482: Convert to i2c's .probe_new()
  serial: sc16is7xx: Convert to i2c's .probe_new()
  mtd: maps: pismo: Convert to i2c's .probe_new()
  misc: ad525x_dpot-i2c: Convert to i2c's .probe_new()
2023-03-11 09:24:05 -08:00
Richard Weinberger e25c54d179 ubi: block: Fix missing blk_mq_end_request
Switching to BLK_MQ_F_BLOCKING wrongly removed the call to
blk_mq_end_request(). Add it back to have our IOs finished

Fixes: 91cc8fbcc8 ("ubi: block: set BLK_MQ_F_BLOCKING")
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Daniel Palmer <daniel@0x0f.com>
Link: https://lore.kernel.org/linux-mtd/CAHk-=wi29bbBNh3RqJKu3PxzpjDN5D5K17gEVtXrb7-6bfrnMQ@mail.gmail.com/
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Daniel Palmer <daniel@0x0f.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2023-03-11 09:00:25 -08:00
Uwe Kleine-König 0b79d5d1e5 mtd: maps: pismo: Convert to i2c's .probe_new()
The probe function doesn't make use of the i2c_device_id * parameter so it
can be trivially converted.

Acked-by: Richard Weinberger <richard@nod.at>
Link: https://lore.kernel.org/lkml/20221118224540.619276-497-uwe@kleine-koenig.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2023-03-09 21:58:49 +01:00
Christophe JAILLET 75dce6a941 mtd: nand: mxic-ecc: Fix mxic_ecc_data_xfer_wait_for_completion() when irq is used
wait_for_completion_timeout() and readl_poll_timeout() don't handle their
return value the same way.

wait_for_completion_timeout() returns 0 on time out (and >0 in all other
cases)
readl_poll_timeout() returns 0 on success and -ETIMEDOUT upon a timeout.

In order for the error handling path to work in both cases, the logic
against wait_for_completion_timeout() needs to be inverted.

Fixes: 48e6633a9f ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/beddbc374557e44ceec897e68c4a5d12764ddbb9.1676459308.git.christophe.jaillet@wanadoo.fr
2023-03-06 16:30:25 +01:00
Arseniy Krasnov 4ce341de6c mtd: rawnand: meson: initialize struct with zeroes
This structure must be zeroed, because it's field 'hw->core' is used as
'parent' in 'clk_core_fill_parent_index()', but it will be uninitialized.
This happens, because when this struct is not zeroed, pointer 'hw' is
"initialized" by garbage, which is valid pointer, but points to some
garbage. So 'hw' will be dereferenced, but 'core' contains some random
data which will be interpreted as a pointer. The following backtrace is
result of dereference of such pointer:

[    1.081319]  __clk_register+0x414/0x820
[    1.085113]  devm_clk_register+0x64/0xd0
[    1.088995]  meson_nfc_probe+0x258/0x6ec
[    1.092875]  platform_probe+0x70/0xf0
[    1.096498]  really_probe+0xc8/0x3e0
[    1.100034]  __driver_probe_device+0x84/0x190
[    1.104346]  driver_probe_device+0x44/0x120
[    1.108487]  __driver_attach+0xb4/0x220
[    1.112282]  bus_for_each_dev+0x78/0xd0
[    1.116077]  driver_attach+0x2c/0x40
[    1.119613]  bus_add_driver+0x184/0x240
[    1.123408]  driver_register+0x80/0x140
[    1.127203]  __platform_driver_register+0x30/0x40
[    1.131860]  meson_nfc_driver_init+0x24/0x30

Fixes: 1e4d3ba668 ("mtd: rawnand: meson: fix the clock")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230227102425.793841-1-AVKrasnov@sberdevices.ru
2023-03-06 16:30:25 +01:00
Greg Kroah-Hartman ec738ca127 mtd: spi-nor: fix memory leak when using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time.  To solve this, remove the
lookup and create the directory on the first device found, and then
remove it when the module is unloaded.

Cc: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: Pratyush Yadav <pratyush@kernel.org>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: linux-mtd@lists.infradead.org
Reviewed-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/20230208160230.2179905-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-03-06 07:52:03 +01:00
ZhaoLong Wang f773f0a331 ubi: Fix deadlock caused by recursively holding work_sem
During the processing of the bgt, if the sync_erase() return -EBUSY
or some other error code in __erase_worker(),schedule_erase() called
again lead to the down_read(ubi->work_sem) hold twice and may get
block by down_write(ubi->work_sem) in ubi_update_fastmap(),
which cause deadlock.

          ubi bgt                        other task
 do_work
  down_read(&ubi->work_sem)          ubi_update_fastmap
  erase_worker                         # Blocked by down_read
   __erase_worker                      down_write(&ubi->work_sem)
    schedule_erase
     schedule_ubi_work
      down_read(&ubi->work_sem)

Fix this by changing input parameter @nested of the schedule_erase() to
'true' to avoid recursively acquiring the down_read(&ubi->work_sem).

Also, fix the incorrect comment about @nested parameter of the
schedule_erase() because when down_write(ubi->work_sem) is held, the
@nested is also need be true.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=217093
Fixes: 2e8f08deab ("ubi: Fix races around ubi_refill_pools()")
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-03-04 17:59:12 +01:00
Linus Torvalds e31b283a58 This pull request contains updates for JFFS2, UBI and UBIFS
JFFS2:
 	- Fix memory corruption in error path
 	- Spelling and coding style fixes
 
 UBI:
 	- Switch to BLK_MQ_F_BLOCKING in ubiblock
 	- Wire up partent device (for sysfs)
 	- Multiple UAF bugfixes
 	- Fix for an infinite loop in WL error path
 
 UBIFS:
 	- Fix for multiple memory leaks in error paths
 	- Fixes for wrong space accounting
 	- Minor cleanups
 	- Spelling and coding style fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCAA0FiEEdgfidid8lnn52cLTZvlZhesYu8EFAmP/BSMWHHJpY2hhcmRA
 c2lnbWEtc3Rhci5hdAAKCRBm+VmF6xi7wX5QEADnPsAW87AIi44UlkbAsJEjkEqU
 yQrI9UPsdqfE7K5OR7Vb2tOti3MLfaiJ5MTG64xNaTEgmrbcqo4GgENk4Pe6zJ9q
 azO/xWTr6r8G4aE70KhsUBc9Vc/99Ok48rxLHJS+u7s+FvOJ//WirGXjyNZEVDyx
 TgvH80rhUlfj1ExqEXLcUfQ53WUnR3PefOw+zIi29ldtgaI/TFmnWObl2A/XtsGr
 0ExIdqDnoTfSsYecfGP71jVbYH8u2mLFe2zNOYW1pvrHYhcet6Q6e+69fgnyNRf9
 5s5dbDPmmWN2Qdz63AWwHfC4mncoQdc7HbnnKIk6bTm3v6gqXQSrgy/hZEX3LmWr
 G41j7RLhBMZ2mljRfFQH97V71n9TL010T6jZ5zurvqErXtVdFImmInGmqY3AR13I
 fzUWnJf81xKgcMv6My2/nEVGDtrGLFdILoT8j6VIXQO6teqtF7Vip7UfamrwL399
 57fy0Iwbx2aume/IdwI3TZYacBQ2d8GvQxTZshJ+qx+gCvhb6EyiSIn3AOgtrbAo
 srXMy+6xXJecKNHR7Bl1C5BLei/25HDIYjk/yiAH/IhhV20c5eiySSvA+q720Gcz
 reBLFh7EtcP51B2GXMdSCOgYY8wGaMl5zlbiLYzY79ptgnnBJ7luuYjc3c02MGB9
 25qVLnpvC/ZREzZqLg==
 =fTYq
 -----END PGP SIGNATURE-----

Merge tag 'ubifs-for-linus-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull jffs2, ubi and ubifs updates from Richard Weinberger:
 "JFFS2:
   - Fix memory corruption in error path
   - Spelling and coding style fixes

  UBI:
   - Switch to BLK_MQ_F_BLOCKING in ubiblock
   - Wire up partent device (for sysfs)
   - Multiple UAF bugfixes
   - Fix for an infinite loop in WL error path

  UBIFS:
   - Fix for multiple memory leaks in error paths
   - Fixes for wrong space accounting
   - Minor cleanups
   - Spelling and coding style fixes"

* tag 'ubifs-for-linus-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: (36 commits)
  ubi: block: Fix a possible use-after-free bug in ubiblock_create()
  ubifs: make kobj_type structures constant
  mtd: ubi: block: wire-up device parent
  mtd: ubi: wire-up parent MTD device
  ubi: use correct names in function kernel-doc comments
  ubi: block: set BLK_MQ_F_BLOCKING
  jffs2: Fix list_del corruption if compressors initialized failed
  jffs2: Use function instead of macro when initialize compressors
  jffs2: fix spelling mistake "neccecary"->"necessary"
  ubifs: Fix kernel-doc
  ubifs: Fix some kernel-doc comments
  UBI: Fastmap: Fix kernel-doc
  ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
  ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
  ubi: fastmap: Fix missed fm_anchor PEB in wear-leveling after disabling fastmap
  ubifs: ubifs_releasepage: Remove ubifs_assert(0) to valid this process
  ubifs: ubifs_writepage: Mark page dirty after writing inode failed
  ubifs: dirty_cow_znode: Fix memleak in error handling path
  ubifs: Re-statistic cleaned znode count if commit failed
  ubi: Fix permission display of the debugfs files
  ...
2023-03-01 09:06:51 -08:00
Linus Torvalds 11c7052998 ARM: SoC drivers for 6.3
As usual, there are lots of minor driver changes across SoC platforms
 from  NXP, Amlogic, AMD Zynq, Mediatek, Qualcomm, Apple and Samsung.
 These usually add support for additional chip variations in existing
 drivers, but also add features or bugfixes.
 
 The SCMI firmware subsystem gains a unified raw userspace interface
 through debugfs, which can be used for validation purposes.
 
 Newly added drivers include:
 
  - New power management drivers for StarFive JH7110, Allwinner D1 and
    Renesas RZ/V2M
 
  - A driver for Qualcomm battery and power supply status
 
  - A SoC device driver for identifying Nuvoton WPCM450 chips
 
  - A regulator coupler driver for Mediatek MT81xxv
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmPtSN8ACgkQmmx57+YA
 GNkOSw/+JS5tElm/ZP7c3uWYp6uwvcb0jUlKW/U3aCtPiPEcYDLEqIEXwcNdaDMh
 m4rW3GYlW0IRL3FsyuYkSLx+EIIUIfs40wldYXJOqRDj0XasndiloIwltOQJGfd9
 C/UVM0FpJdxMJrcBMFgwLLQCIbAVnhHP34i6ppDRgxW/MfTeiCaaG6fnS70iv6mC
 oh2N7FoZSKDtTrFtlR5TqFiK5v/W1CgNJVuglkFB0ceFpjyBpp/8AT0FGS887xCz
 IYSTqm4Q/79vaZXI1Y2oog257cgdwsVqgPrnK5CuSFhTnAcJMCekiFelHq8Yhyuk
 Rw7j/B3KO3AOaxmR75c6SZdeZ+VHgUMRC/RKe3fay0sm3Zea2kAIPXA6Zn+r/cxb
 8M94V59qBz+f8XmpXRTK1UR3s3EbwFIuNyuDIkeorMtpSKtvqJXmZxGDwNIfXr2F
 /voo++MKjzdtdxdW/D/5Tc9DC0Pyb4HLi0EYj2QCzA03njmfLDF1w73NfzMec+GD
 R1zAd3FEbiJQx8Hin0PSPjYXpfMnkjkGAEcE9N9Ralg4ewNWAxfOFsAhHKTZNssL
 pitTAvHR/+dXtvkX7FUi2l/6fqn8nJUrg/xRazPPp3scRbpuk8m6P4MNr3/lsaHk
 HTQ/hYwDdecWLvKXjw5y9yIr3yhLmPPcloTVIIFFjsM0t8b+d9E=
 =p6Xp
 -----END PGP SIGNATURE-----

Merge tag 'soc-drivers-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC driver updates from Arnd Bergmann:
 "As usual, there are lots of minor driver changes across SoC platforms
  from NXP, Amlogic, AMD Zynq, Mediatek, Qualcomm, Apple and Samsung.
  These usually add support for additional chip variations in existing
  drivers, but also add features or bugfixes.

  The SCMI firmware subsystem gains a unified raw userspace interface
  through debugfs, which can be used for validation purposes.

  Newly added drivers include:

   - New power management drivers for StarFive JH7110, Allwinner D1 and
     Renesas RZ/V2M

   - A driver for Qualcomm battery and power supply status

   - A SoC device driver for identifying Nuvoton WPCM450 chips

   - A regulator coupler driver for Mediatek MT81xxv"

* tag 'soc-drivers-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (165 commits)
  power: supply: Introduce Qualcomm PMIC GLINK power supply
  soc: apple: rtkit: Do not copy the reg state structure to the stack
  soc: sunxi: SUN20I_PPU should depend on PM
  memory: renesas-rpc-if: Remove redundant division of dummy
  soc: qcom: socinfo: Add IDs for IPQ5332 and its variant
  dt-bindings: arm: qcom,ids: Add IDs for IPQ5332 and its variant
  dt-bindings: power: qcom,rpmpd: add RPMH_REGULATOR_LEVEL_LOW_SVS_L1
  firmware: qcom_scm: Move qcom_scm.h to include/linux/firmware/qcom/
  MAINTAINERS: Update qcom CPR maintainer entry
  dt-bindings: firmware: document Qualcomm SM8550 SCM
  dt-bindings: firmware: qcom,scm: add qcom,scm-sa8775p compatible
  soc: qcom: socinfo: Add Soc IDs for IPQ8064 and variants
  dt-bindings: arm: qcom,ids: Add Soc IDs for IPQ8064 and variants
  soc: qcom: socinfo: Add support for new field in revision 17
  soc: qcom: smd-rpm: Add IPQ9574 compatible
  soc: qcom: pmic_glink: remove redundant calculation of svid
  soc: qcom: stats: Populate all subsystem debugfs files
  dt-bindings: soc: qcom,rpmh-rsc: Update to allow for generic nodes
  soc: qcom: pmic_glink: add CONFIG_NET/CONFIG_OF dependencies
  soc: qcom: pmic_glink: Introduce altmode support
  ...
2023-02-27 10:04:49 -08:00
Linus Torvalds 2e3036a264 MTD changes:
* parsers: ofpart: add workaround for #size-cells 0
 * dt-bindings: partitions: Fix partition node name pattern
 * dataflash: remove duplicate SPI ID table
 
 Raw NAND core changes:
 * Check the data only read pattern only once
 * Prepare the late addition of supported operation checks
 * Support for sequential cache reads
 * Fix nand_chip kdoc
 
 Raw NAND driver changes:
 * Fsl_elbc: Propagate HW ECC settings to HW
 * Marvell: Add missing layouts
 * Pasemi: Don't use static data to track per-device state
 * Sunxi:
   - Fix the size of the last OOB region
   - Remove an unnecessary check
   - Remove an unnecessary check
   - Clean up chips after failed init
   - Precompute the ECC_CTL register value
   - Embed sunxi_nand_hw_ecc by value
   - Update OOB layout to match hardware
 * tmio_nand: Remove driver
 * vf610_nfc: Use regular comments for functions
 
 SPI-NAND driver changes:
 * Add support for AllianceMemory AS5F34G04SND
 * Macronix: use scratch buffer for DMA operation
 
 NAND ECC changes:
 * Mediatek:
   - Add ECC support fot MT7986 IC
   - Add compatible for MT7986
   - dt-bindings: Split ECC engine with rawnand controller
 
 SPI NOR changes:
 * Misc core fixes
 
 SPI NOR driver changes:
 * Spansion: Minor fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmP3MqwACgkQJWrqGEe9
 VoTnsQf/bfzBqf0LbMBU7c+2VUjnE2dgLRssf0WqJB2INvDIAHQ8HKE2rqF6j1G0
 wBnJOMf9fRpH6M3k45siNL37HPnacUq8QFZE3B3A3pUewWNtx5ldFrzT1awlsTu8
 zIG37pnd2rJ+W3wfDDnNjTqQUfm3sLI7k/B3S8aqJA8i63DFLqih7ju0mgPVT7TX
 C1X0VAx8gNMHQ6WqTX53SRZ4Ef9dJAcVwcFhkjHY09Q9VEW56ZlQ7uxyhwYqXjiJ
 zDDGfPFhAsfwcykdFI3DtvNRT2bVbJl7N4GvTD8N4Rf+GIuMhVJnUjp5yTkAeEHx
 HjXqBSI3ykHimsW7BRtE3HLR4775bA==
 =FLt2
 -----END PGP SIGNATURE-----

Merge tag 'mtd/for-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull MTD updates from Miquel Raynal:
 "MTD changes:

   - parsers: ofpart: add workaround for #size-cells 0

   - dt-bindings: partitions: Fix partition node name pattern

   - dataflash: remove duplicate SPI ID table

  Raw NAND core changes:

   - Check the data only read pattern only once

   - Prepare the late addition of supported operation checks

   - Support for sequential cache reads

   - Fix nand_chip kdoc

  Raw NAND driver changes:

   - Fsl_elbc: Propagate HW ECC settings to HW

   - Marvell: Add missing layouts

   - Pasemi: Don't use static data to track per-device state

   - Sunxi:
      - Fix the size of the last OOB region
      - Remove an unnecessary check
      - Remove an unnecessary check
      - Clean up chips after failed init
      - Precompute the ECC_CTL register value
      - Embed sunxi_nand_hw_ecc by value
      - Update OOB layout to match hardware

   - tmio_nand: Remove driver

   - vf610_nfc: Use regular comments for functions

  SPI-NAND driver changes:

   - Add support for AllianceMemory AS5F34G04SND

   - Macronix: use scratch buffer for DMA operation

  NAND ECC changes:

   - Mediatek:
      - Add ECC support fot MT7986 IC
      - Add compatible for MT7986
      - dt-bindings: Split ECC engine with rawnand controller

  SPI NOR changes:

   - Misc core fixes

  SPI NOR driver changes:

   - Spansion: Minor fixes"

* tag 'mtd/for-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: (33 commits)
  mtd: parsers: ofpart: add workaround for #size-cells 0
  mtd: rawnand: sunxi: Precompute the ECC_CTL register value
  mtd: rawnand: sunxi: Embed sunxi_nand_hw_ecc by value
  mtd: rawnand: sunxi: Update OOB layout to match hardware
  mtd: spi-nor: Sort headers alphabetically
  mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
  mtd: nand: ecc-mtk: Add ECC support fot MT7986 IC
  dt-bindings: mtd: mediatek,nand-ecc-engine: Add compatible for MT7986
  dt-bindings: mtd: Split ECC engine with rawnand controller
  mtd: rawnand: fsl_elbc: Propagate HW ECC settings to HW
  mtd: spinand: Add support for AllianceMemory AS5F34G04SND
  dt-bindings: mtd: partitions: Fix partition node name pattern
  mtd: spi-nor: Create macros to define chip IDs and geometries
  mtd: spi-nor: spansion: Make CFRx reg fields generic
  mtd: spi-nor: spansion: Consider reserved bits in CFR5 register
  mtd: spi-nor: core: fix implicit declaration warning
  mtd: spinand: macronix: use scratch buffer for DMA operation
  mtd: rawnand: Fix nand_chip kdoc
  mtd: rawnand: vf610_nfc: use regular comments for functions
  mtd: rawnand: Support for sequential cache reads
  ...
2023-02-25 15:05:08 -08:00
Linus Torvalds a93e884edf Driver core changes for 6.3-rc1
Here is the large set of driver core changes for 6.3-rc1.
 
 There's a lot of changes this development cycle, most of the work falls
 into two different categories:
   - fw_devlink fixes and updates.  This has gone through numerous review
     cycles and lots of review and testing by lots of different devices.
     Hopefully all should be good now, and Saravana will be keeping a
     watch for any potential regression on odd embedded systems.
   - driver core changes to work to make struct bus_type able to be moved
     into read-only memory (i.e. const)  The recent work with Rust has
     pointed out a number of areas in the driver core where we are
     passing around and working with structures that really do not have
     to be dynamic at all, and they should be able to be read-only making
     things safer overall.  This is the contuation of that work (started
     last release with kobject changes) in moving struct bus_type to be
     constant.  We didn't quite make it for this release, but the
     remaining patches will be finished up for the release after this
     one, but the groundwork has been laid for this effort.
 
 Other than that we have in here:
   - debugfs memory leak fixes in some subsystems
   - error path cleanups and fixes for some never-able-to-be-hit
     codepaths.
   - cacheinfo rework and fixes
   - Other tiny fixes, full details are in the shortlog
 
 All of these have been in linux-next for a while with no reported
 problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCY/ipdg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ynL3gCgwzbcWu0So3piZyLiJKxsVo9C2EsAn3sZ9gN6
 6oeFOjD3JDju3cQsfGgd
 =Su6W
 -----END PGP SIGNATURE-----

Merge tag 'driver-core-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core updates from Greg KH:
 "Here is the large set of driver core changes for 6.3-rc1.

  There's a lot of changes this development cycle, most of the work
  falls into two different categories:

   - fw_devlink fixes and updates. This has gone through numerous review
     cycles and lots of review and testing by lots of different devices.
     Hopefully all should be good now, and Saravana will be keeping a
     watch for any potential regression on odd embedded systems.

   - driver core changes to work to make struct bus_type able to be
     moved into read-only memory (i.e. const) The recent work with Rust
     has pointed out a number of areas in the driver core where we are
     passing around and working with structures that really do not have
     to be dynamic at all, and they should be able to be read-only
     making things safer overall. This is the contuation of that work
     (started last release with kobject changes) in moving struct
     bus_type to be constant. We didn't quite make it for this release,
     but the remaining patches will be finished up for the release after
     this one, but the groundwork has been laid for this effort.

  Other than that we have in here:

   - debugfs memory leak fixes in some subsystems

   - error path cleanups and fixes for some never-able-to-be-hit
     codepaths.

   - cacheinfo rework and fixes

   - Other tiny fixes, full details are in the shortlog

  All of these have been in linux-next for a while with no reported
  problems"

[ Geert Uytterhoeven points out that that last sentence isn't true, and
  that there's a pending report that has a fix that is queued up - Linus ]

* tag 'driver-core-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (124 commits)
  debugfs: drop inline constant formatting for ERR_PTR(-ERROR)
  OPP: fix error checking in opp_migrate_dentry()
  debugfs: update comment of debugfs_rename()
  i3c: fix device.h kernel-doc warnings
  dma-mapping: no need to pass a bus_type into get_arch_dma_ops()
  driver core: class: move EXPORT_SYMBOL_GPL() lines to the correct place
  Revert "driver core: add error handling for devtmpfs_create_node()"
  Revert "devtmpfs: add debug info to handle()"
  Revert "devtmpfs: remove return value of devtmpfs_delete_node()"
  driver core: cpu: don't hand-override the uevent bus_type callback.
  devtmpfs: remove return value of devtmpfs_delete_node()
  devtmpfs: add debug info to handle()
  driver core: add error handling for devtmpfs_create_node()
  driver core: bus: update my copyright notice
  driver core: bus: add bus_get_dev_root() function
  driver core: bus: constify bus_unregister()
  driver core: bus: constify some internal functions
  driver core: bus: constify bus_get_kset()
  driver core: bus: constify bus_register/unregister_notifier()
  driver core: remove private pointer from struct bus_type
  ...
2023-02-24 12:58:55 -08:00
Miquel Raynal f4440abc08 NAND core changes:
* Check the data only read pattern only once
 * Prepare the late addition of supported operation checks
 * Support for sequential cache reads
 * Fix nand_chip kdoc
 
 Raw NAND changes:
 * Fsl_elbc: Propagate HW ECC settings to HW
 * Marvell: Add missing layouts
 * Pasemi: Don't use static data to track per-device state
 * Sunxi:
   - Fix the size of the last OOB region
   - Remove an unnecessary check
   - Remove an unnecessary check
   - Clean up chips after failed init
   - Precompute the ECC_CTL register value
   - Embed sunxi_nand_hw_ecc by value
   - Update OOB layout to match hardware
 * tmio_nand: Remove driver
 * vf610_nfc: Use regular comments for functions
 
 SPI-NAND changes:
 * Add support for AllianceMemory AS5F34G04SND
 * Macronix: use scratch buffer for DMA operation
 
 NAND ECC changes:
 * Mediatek:
   - Add ECC support fot MT7986 IC
   - Add compatible for MT7986
   - dt-bindings: Split ECC engine with rawnand controller
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmP3L4MACgkQJWrqGEe9
 VoSVKgf+PUOBlR6U/QaNlzavYsTOz1Hgc9MjuC32CtStED8/uKfEG9odBRw1Fp+I
 fNpgVnaWrU7KpW9yzsMTLQy//6lI/Hjn4KUMqKcsBmN3dOvzca60YrbehWLlrARb
 exRDFvwuw6qZ0jRYMsKC9jsKhvU69TXnAWCdC+TSWRwfXci5dfjm3HxMNpRvT+PQ
 q3sWqFMGj+omLOr/R+sBzhSV0WU1FpQsG9NB6I0VbFiJGy9YMMaI2tr/TKJyYeqM
 CM0T3tccjKAajJ9i9qKIPZnRYWQYx/FyJ5Uyg6DRxjeoVjsFhGom1pQbH/2eHVs6
 iND3n1yQCsnPaR/D7yRZgiTERQzqdw==
 =psZR
 -----END PGP SIGNATURE-----

Merge tag 'nand/for-6.3' into mtd/next

NAND core changes:
* Check the data only read pattern only once
* Prepare the late addition of supported operation checks
* Support for sequential cache reads
* Fix nand_chip kdoc

Raw NAND changes:
* Fsl_elbc: Propagate HW ECC settings to HW
* Marvell: Add missing layouts
* Pasemi: Don't use static data to track per-device state
* Sunxi:
  - Fix the size of the last OOB region
  - Remove an unnecessary check
  - Remove an unnecessary check
  - Clean up chips after failed init
  - Precompute the ECC_CTL register value
  - Embed sunxi_nand_hw_ecc by value
  - Update OOB layout to match hardware
* tmio_nand: Remove driver
* vf610_nfc: Use regular comments for functions

SPI-NAND changes:
* Add support for AllianceMemory AS5F34G04SND
* Macronix: use scratch buffer for DMA operation

NAND ECC changes:
* Mediatek:
  - Add ECC support fot MT7986 IC
  - Add compatible for MT7986
  - dt-bindings: Split ECC engine with rawnand controller
2023-02-23 10:28:29 +01:00
Miquel Raynal 27121864ab SPI NOR changes:
* small fixes on core and spansion driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEHUIqys8OyG1eHf7fS1VPR6WNFOkFAmPgyGUACgkQS1VPR6WN
 FOkv+AgAmqp68REEM7SicPy2dIy6fdLFOLjma9CSiWwGTMEJRM60ZBNFCJcAuUjD
 1Sf+TCZEkBHc2crYCun5SqBErOA9oQCxI4nVtKZEQ9RyBklz/e5DsLONsVlLKrJU
 lwemyeZ2tAV8023iBdjCi1nJ831eRmYipQMIEvr2xbOP/G95Ccc/wG6vKeMDi2QR
 BxWdPD4XXvIVRY923nvnz9kK65QiqEQASJ8Rpf/AIYw+C/oukQFql8J3SMMs9kLH
 DLagTnyhTx8qMd0V7Z6OVA3Ljf+bMd5gI7Z2fFQhErKo1mvT1Jw13sDQwxGGs+XS
 9yxomEDKX+d/LdWEoZaSWFYwHVEixQ==
 =fazc
 -----END PGP SIGNATURE-----

Merge tag 'spi-nor/for-6.3' into mtd/next

SPI NOR changes:
* small fixes on core and spansion driver.
2023-02-23 10:27:32 +01:00
Linus Torvalds ff0c7e1862 ARM: unused boardfile removal for 6.3
This is a follow-up to the deprecation of most of the old-style board
 files that was merged in linux-6.0, removing them for good.
 
 This branch is almost exclusively dead code removal based on those
 annotations. Some device driver removals went through separate subsystem
 trees, but the majority is in the same branch, in order to better handle
 dependencies between the patches and avoid breaking bisection.
 
 Unfortunately that leads to merge conflicts against other changes in the
 subsystem trees, but they should all be trivial to resolve by removing
 the files.
 
 See commit 7d0d3fa733 ("Merge tag 'arm-boardfiles-6.0' of
 git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc") for the
 description of which machines were marked unused and are now removed. The
 only removals that got postponed are Terastation WXL (mv78xx0) and
 Jornada720 (StrongARM1100), which turned out to still have potential
 users.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmPvuCEACgkQmmx57+YA
 GNm04Q//Q1W+qDOpK09BPskn7sFrpo1OOt9C+qRmAOmqZ/qY8JNfoqOLWLjS12st
 qaTcODuSooGfFclWHsN5gNqT6yNfs3d2rRQEAd5ka+vt2dgV3OignNu1iEvjJmtG
 sDxLHu1XYlHETz3k3pBGVv22SyuZTRowj1bdlerEBfOXgvJsxg1LkZowU+ffEau5
 7LJeHwEGoi3LdfW/pVeNRU6iLwiBThVIXq94ZrOXsw1WNy4Bz6kmHfhlMis7hbhk
 6X3JJCpDbtJp/4jccZFC/+Cc5DxYc1nnvkWGdUSpZWq3liWaNI0AoKm40p0vwdKa
 ozflhYjM9PpB3JibwdkvkOrPj4GWOEHojKP1agN0fPBxEaWppmDpi7rbDU8Jvfxj
 AwBM60fblqn6E+1HbckNpgyFx7rldcipmgQLPo5/ZhUnvad8Os0GLxmrH8Nqcycx
 LktPcwOPJxd0mtaboHWc9qfeb5jeKqyEfQdhIN7H+u5HDEYA7EbcrhYAdMdmkduw
 9C8sfTXQaD9/3/XBaq3elvTEVqNF1iOVwkXpbFUPjBNq9gQ2jHe5gxMuyoZ6lFz2
 SnYMBo8DF+3EP5+UR6MgpbVn4zntk6o5hwbb6CZZGp9KXXic4kohh58nv8aQOOvx
 Iy0Xxr38eXINAn4vsro89pFDmulpP1m7MKC1Cfw/9RZl4s/r0hg=
 =WejQ
 -----END PGP SIGNATURE-----

Merge tag 'arm-boardfile-remove-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC boardfile updates from Arnd Bergmann
 "Unused boardfile removal for 6.3

  This is a follow-up to the deprecation of most of the old-style board
  files that was merged in linux-6.0, removing them for good.

  This branch is almost exclusively dead code removal based on those
  annotations. Some device driver removals went through separate
  subsystem trees, but the majority is in the same branch, in order to
  better handle dependencies between the patches and avoid breaking
  bisection.

  Unfortunately that leads to merge conflicts against other changes in
  the subsystem trees, but they should all be trivial to resolve by
  removing the files.

  See commit 7d0d3fa733 ("Merge tag 'arm-boardfiles-6.0' of
  git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc") for the
  description of which machines were marked unused and are now removed.

  The only removals that got postponed are Terastation WXL (mv78xx0) and
  Jornada720 (StrongARM1100), which turned out to still have potential
  users"

* tag 'arm-boardfile-remove-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (91 commits)
  mmc: omap: drop TPS65010 dependency
  ARM: pxa: restore mfp-pxa320.h
  usb: ohci-omap: avoid unused-variable warning
  ARM: debug: remove references in DEBUG_UART_8250_SHIFT to removed configs
  ARM: s3c: remove obsolete s3c-cpu-freq header
  MAINTAINERS: adjust SAMSUNG SOC CLOCK DRIVERS after s3c24xx support removal
  MAINTAINERS: update file entries after arm multi-platform rework and mach-pxa removal
  ARM: remove CONFIG_UNUSED_BOARD_FILES
  mfd: remove htc-pasic3 driver
  w1: remove ds1wm driver
  usb: remove ohci-tmio driver
  fbdev: remove w100fb driver
  fbdev: remove tmiofb driver
  mmc: remove tmio_mmc driver
  mfd: remove ucb1400 support
  mfd: remove toshiba tmio drivers
  rtc: remove v3020 driver
  power: remove pda_power supply driver
  ASoC: pxa: remove unused board support
  pcmcia: remove unused pxa/sa1100 drivers
  ...
2023-02-20 15:28:57 -08:00
Harshit Mogalapalli 8fcf2d012c ubi: block: Fix a possible use-after-free bug in ubiblock_create()
Smatch warns:
	drivers/mtd/ubi/block.c:438 ubiblock_create()
	warn: '&dev->list' not removed from list

'dev' is freed in 'out_free_dev:, but it is still on the list.

To fix this, delete the list item before freeing.

Fixes: 91cc8fbcc8 ("ubi: block: set BLK_MQ_F_BLOCKING")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-14 15:17:55 +01:00
Daniel Golle 05b8773ca3 mtd: ubi: block: wire-up device parent
ubiblock devices were previously only identifyable by their name, but
not connected to their parent UBI volume device e.g. in sysfs.
Properly parent ubiblock device as descendant of a UBI volume device
to reflect device model hierachy.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-13 22:24:10 +01:00
Daniel Golle 1ecf9e3904 mtd: ubi: wire-up parent MTD device
Wire up the device parent pointer of UBI devices to their lower MTD
device, typically an MTD partition or whole-chip device.

The most noticeable change is that in sysfs, previously ubi devices
would be could in /sys/devices/virtual/ubi while after this change they
would be correctly attached to their parent MTD device, e.g.

/sys/devices/platform/1100d000.spi/spi_master/spi1/spi1.0/mtd/mtd2/ubi0.

Locating UBI devices using /sys/class/ubi/ of course still works as
well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-13 22:23:03 +01:00
Saravana Kannan fb42378dcc mtd: mtdpart: Don't create platform device that'll never probe
These "nvmem-cells" platform devices never get probed because there's no
platform driver for it and it's never used anywhere else. So it's a
waste of memory. These devices also cause fw_devlink to block nvmem
consumers of "nvmem-cells" partition from probing because the supplier
device never probes.

So stop creating platform devices for nvmem-cells partitions to avoid
wasting memory and to avoid blocking probing of consumers.

Reported-by: Maxim Kiselev <bigunclemax@gmail.com>
Fixes: bcdf0315a6 ("mtd: call of_platform_populate() for MTD partitions")
Signed-off-by: Saravana Kannan <saravanak@google.com>
Tested-by: Maksim Kiselev <bigunclemax@gmail.com>
Tested-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Luca Weiss <luca.weiss@fairphone.com> # qcom/sm7225-fairphone-fp4
Link: https://lore.kernel.org/r/20230207014207.1678715-13-saravanak@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-08 13:37:55 +01:00
Francesco Dolcini 84549c816d mtd: parsers: ofpart: add workaround for #size-cells 0
Add a mechanism to handle the case in which partitions are present as
direct child of the nand controller node and #size-cells is set to <0>.

This could happen if the nand-controller node in the DTS is supposed to
have #size-cells set to 0, but for some historical reason/bug it was set
to 1 in the past, and the firmware (e.g. U-Boot) is adding the partition
as direct children of the nand-controller defaulting to #size-cells
being to 1.

This prevents a real boot failure on colibri-imx7 that happened during v6.1
development cycles.

Link: https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/
Link: https://lore.kernel.org/all/20221202071900.1143950-1-francesco@dolcini.it/
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230124104444.330913-1-francesco@dolcini.it
2023-02-06 12:54:23 +01:00
Samuel Holland ef3e6327ff mtd: rawnand: sunxi: Precompute the ECC_CTL register value
The value computed by this function never changes for a given chip.
Compute the whole register value once up front, instead of every time
the ECC engine is enabled.

Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230204143520.9682-4-samuel@sholland.org
2023-02-06 12:53:08 +01:00
Samuel Holland ac1c7072e3 mtd: rawnand: sunxi: Embed sunxi_nand_hw_ecc by value
The sunxi_nand_hw_ecc object is not shared, and it has the same lifetime
as the sunxi_nand_chip which points to it, so we can embed it in the
outer structure instead of using a pointer. This removes an unnecessary
memory allocation and simplifies the error handling code.

Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230204143520.9682-3-samuel@sholland.org
2023-02-06 12:53:07 +01:00
Samuel Holland 3998a4611e mtd: rawnand: sunxi: Update OOB layout to match hardware
When using the hardware ECC engine, the OOB data is made available in
the NFC_REG_USER_DATA registers, as one 32-bit word per ECC step. Any
additional bytes are only accessible through raw reads and software
descrambling. For efficiency, and to match the vendor driver, ignore
these extra bytes when using hardware ECC.

Note that until commit 34569d8695 ("mtd: rawnand: sunxi: Fix the size
of the last OOB region"), this extra free area was reported with length
zero, so this is not a functional change for any stable kernel user.

Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230204143520.9682-2-samuel@sholland.org
2023-02-06 12:53:06 +01:00
Tudor Ambarus f047382519 MTD changes:
* cfi: Allow building spi-intel standalone to avoid build issues
 * parsers: scpart: Fix __udivdi3 undefined on mips
 * parsers: tplink_safeloader: Fix potential memory leak during parsing
 
 MAINTAINERS change:
 * Update email of Tudor Ambarus
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmO/1kYACgkQJWrqGEe9
 VoTnewgAoLj1jxAaRQm7Qg9tk2wGfWVp+WGJ+nsqhZyXo5ohW99sp2vWbvYmr9ZI
 g2KKdiYR/pmRNtwBkWQFNPGpztp5CYkijWVfYl7uEYvJRRHnn8mRhZbd5vQmdV+V
 kFManEZucajNGSn5PsqaJEh28dY2Hw4WhAIVgWIcqMV8hD3CKD7Bn+pDHjPSpcXK
 AkkPthBSJdhmuv2CzQ8ZFboI1dy+FH8rriPI9U5Xqm65bfMcrgh1zGQ1FbyYulBn
 26dinpl72iSdzBUXvkNSOUbKxUwP4gBmXW6bz6U5NAa2t9YJD/VKAjR+D5gRVppo
 cKIA6plbPMJRdqVMyyfJNKGRTZv5FQ==
 =WxrV
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEHUIqys8OyG1eHf7fS1VPR6WNFOkFAmPgx3MACgkQS1VPR6WN
 FOkc6wgApxgN/y09cVW/Nbm6zdNSeWDIAyjmn4mUnnDAHEO2DKcuSddwcxIL8dX+
 ++sB2ew5PGXJurewGFmBt12vI9joejmSh9QcVPjX8WWLM1G2f0aFZoZllImg7VOp
 4dA+nTSDqtTgM1bBgPjjrH1Z+wj8Q3aVOhOSbU8SfrirZ+BECDygFpwawmJQlXnH
 fHS7abFkPpX2go5Z0KtVRQJJbayNP0Zckzax965UxyAhGZ0huHbCaXubhvFFzZHK
 OGDp0KoIRsH3KDwk1regGkOfFK4aHhbe3cJJmbQGnyabGqsco97hDpGthFkqYWG8
 ITNx5VM3Eyrv0+J+UwxMqnFkTGYYVA==
 =dOT3
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-6.2-rc4' into spi-nor/next

Merge 'mtd/fixes-for-6.2-rc4' into spi-nor/next to fix conflict on
include headers in drivers/mtd/spi-nor/core.c.

Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
2023-02-06 11:23:34 +02:00
Tudor Ambarus 893fd950c8
mtd: spi-nor: Sort headers alphabetically
Sort headers alphabetically - it helps locating duplicates, and makes it
easier to figure out where to insert new headers. Alphabetic order should
also prove that each header is self-contained, i.e. can be included without
prerequisites.

Link: https://lore.kernel.org/r/20230202144628.14443-1-tudor.ambarus@linaro.org
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
2023-02-06 10:37:03 +02:00
Louis Rannou f0f0cfdc3a
mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
spi_nor_set_erase_type() was used either to set or to mask out an erase
type. When we used it to mask out an erase type a shift-out-of-bounds
was hit:
UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24
shift exponent 4294967295 is too large for 32-bit type 'int'

The setting of the size_{shift, mask} and of the opcode are unnecessary
when the erase size is zero, as throughout the code just the erase size
is considered to determine whether an erase type is supported or not.
Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF
is an unused opcode. Thus when masking out an erase type, just set the
erase size to zero. This will fix the shift-out-of-bounds.

Fixes: 5390a8df76 ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories")
Cc: stable@vger.kernel.org
Reported-by: Alexander Stein <Alexander.Stein@tq-group.com>
Signed-off-by: Louis Rannou <lrannou@baylibre.com>
Tested-by: Alexander Stein <Alexander.Stein@tq-group.com>
Link: https://lore.kernel.org/r/20230203070754.50677-1-tudor.ambarus@linaro.org
[ta: refine changes, new commit message, fix compilation error]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
2023-02-06 10:36:18 +02:00
Randy Dunlap 0b3bc49c93 ubi: use correct names in function kernel-doc comments
Fix kernel-doc warnings by using the correct function names in
their kernel-doc notation:

drivers/mtd/ubi/eba.c:72: warning: expecting prototype for next_sqnum(). Prototype was for ubi_next_sqnum() instead
drivers/mtd/ubi/wl.c:176: warning: expecting prototype for wl_tree_destroy(). Prototype was for wl_entry_destroy() instead
drivers/mtd/ubi/misc.c:24: warning: expecting prototype for calc_data_len(). Prototype was for ubi_calc_data_len() instead

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-05 22:36:39 +01:00
Christoph Hellwig 91cc8fbcc8 ubi: block: set BLK_MQ_F_BLOCKING
Set BLK_MQ_F_BLOCKING so that the block layer always calls ->queue_rq
from process context and drop the driver internal workqueue.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-05 22:36:12 +01:00
Xiangsheng Hou 4d21176f48 mtd: nand: ecc-mtk: Add ECC support fot MT7986 IC
Add ECC support fot MT7986 IC, and change err_mask value with
GENMASK macro.

Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230201021500.26769-6-xiangsheng.hou@mediatek.com
2023-02-03 19:09:44 +01:00
Jiapeng Chong b5dd034f8f UBI: Fastmap: Fix kernel-doc
drivers/mtd/ubi/fastmap.c:104: warning: expecting prototype for new_fm_vhdr(). Prototype was for new_fm_vbuf() instead.

Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2289
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:51 +01:00
Zhihao Cheng 4d57a7333e ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
Following process will trigger an infinite loop in ubi_wl_put_peb():

	ubifs_bgt		ubi_bgt
ubifs_leb_unmap
  ubi_leb_unmap
    ubi_eba_unmap_leb
      ubi_wl_put_peb	wear_leveling_worker
                          e1 = rb_entry(rb_first(&ubi->used)
			  e2 = get_peb_for_wl(ubi)
			  ubi_io_read_vid_hdr  // return err (flash fault)
			  out_error:
			    ubi->move_from = ubi->move_to = NULL
			    wl_entry_destroy(ubi, e1)
			      ubi->lookuptbl[e->pnum] = NULL
      retry:
        e = ubi->lookuptbl[pnum];	// return NULL
	if (e == ubi->move_from) {	// NULL == NULL gets true
	  goto retry;			// infinite loop !!!

$ top
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     COMMAND
  7676 root     20   0       0      0      0 R 100.0  0.0  ubifs_bgt0_0

Fix it by:
 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
    been removed from 'ubi->lookuptbl'.
 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
    use-after-free problem for wl entry in ubi_wl_put_peb().

Fetch a reproducer in [Link].

Fixes: 43f9b25a9c ("UBI: bugfix: protect from volume removal")
Fixes: ee59ba8b06 ("UBI: Fix stale pointers in ubi->lookuptbl")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:50 +01:00
Zhihao Cheng a240bc5c43 ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
Wear-leveling entry could be freed in error path, which may be accessed
again in eraseblk_count_seq_show(), for example:

__erase_worker                eraseblk_count_seq_show
                                wl = ubi->lookuptbl[*block_number]
				if (wl)
  wl_entry_destroy
    ubi->lookuptbl[e->pnum] = NULL
    kmem_cache_free(ubi_wl_entry_slab, e)
		                   erase_count = wl->ec  // UAF!

Wear-leveling entry updating/accessing in ubi->lookuptbl should be
protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
wl entry accessing between wl_entry_destroy() and
eraseblk_count_seq_show().

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
Fixes: 7bccd12d27 ("ubi: Add debugfs file for tracking PEB state")
Fixes: 801c135ce7 ("UBI: Unsorted Block Images")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:50 +01:00
Zhihao Cheng 76f9476ece ubi: fastmap: Fix missed fm_anchor PEB in wear-leveling after disabling fastmap
After disabling fastmap(ubi->fm_disabled = 1), fastmap won't be updated,
fm_anchor PEB is missed being scheduled for erasing. Besides, fm_anchor
PEB may have smallest erase count, it doesn't participate wear-leveling.
The difference of erase count between fm_anchor PEB and other PEBs will
be larger and larger later on.

In which situation fastmap can be disabled? Initially, we have an UBI
image with fastmap. Then the image will be atttached without module
parameter 'fm_autoconvert', ubi turns to full scanning mode in one
random attaching process(eg. bad fastmap caused by powercut), ubi
fastmap is disabled since then.

Fix it by not getting fm_anchor if fastmap is disabled in
ubi_refill_pools().

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216341
Fixes: 4b68bf9a69 ("ubi: Select fastmap anchor PEBs considering ...")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:49 +01:00
ZhaoLong Wang 2de203d8ab ubi: Fix permission display of the debugfs files
Some interface files in debugfs support the read method
dfs_file_read(), but their rwx permissions is shown as
unreadable.

In the user mode, the following problem can be clearly seen:

 # ls -l /sys/kernel/debug/ubi/ubi0/
 total 0
 --w------- 1 root root 0 Oct 22 16:26 chk_fastmap
 --w------- 1 root root 0 Oct 22 16:26 chk_gen
 --w------- 1 root root 0 Oct 22 16:26 chk_io
 -r-------- 1 root root 0 Oct 22 16:26 detailed_erase_block_info
 --w------- 1 root root 0 Oct 22 16:26 tst_disable_bgt
 --w------- 1 root root 0 Oct 22 16:26 tst_emulate_bitflips
 --w------- 1 root root 0 Oct 22 16:26 tst_emulate_io_failures
 --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut
 --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_max
 --w------- 1 root root 0 Oct 22 16:26 tst_emulate_power_cut_min

It shows that these files do not have read permission 'r',
but we can actually read their contents.

 # echo 1 > /sys/kernel/debug/ubi/ubi0/chk_io
 # cat /sys/kernel/debug/ubi/ubi0/chk_io
 1

User's permission access is determined by capabilities.
Of course, the root user is not restricted from reading
these files.

When reading a debugfs file, the process is as follows:

 ksys_read()
   vfs_read()
     if (file->f_op->read)
       file->f_op->read()
         full_proxy_open()
           real_fops->read()
             dfs_file_read() -- Read method of debugfs file.
     else if (file->f_op->read_iter)
       new_sync_read()
     else
       ret = -EINVAL -- Return -EINVAL if no read method.

This indicates that the debugfs file can be read as long as the read
method of the debugfs file is registered. This patch adds the read
permission display for file that support the read method.

Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:45 +01:00
Yang Yingliang c15859bfd3 ubi: Fix possible null-ptr-deref in ubi_free_volume()
It willl cause null-ptr-deref in the following case:

uif_init()
  ubi_add_volume()
    cdev_add() -> if it fails, call kill_volumes()
    device_register()

kill_volumes() -> if ubi_add_volume() fails call this function
  ubi_free_volume()
    cdev_del()
    device_unregister() -> trying to delete a not added device,
			   it causes null-ptr-deref

So in ubi_free_volume(), it delete devices whether they are added
or not, it will causes null-ptr-deref.

Handle the error case whlie calling ubi_add_volume() to fix this
problem. If add volume fails, set the corresponding vol to null,
so it can not be accessed in kill_volumes() and release the
resource in ubi_add_volume() error path.

Fixes: 801c135ce7 ("UBI: Unsorted Block Images")
Suggested-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:44 +01:00
ZhaoLong Wang 7af73882dd ubi: fastmap: Add fastmap control support for module parameter
The UBI driver can use the IOCTL to disable the fastmap after the
mainline 669d204469 ("ubi: fastmap: Add fastmap control support
for 'UBI_IOCATT' ioctl"). To destroy the fastmap on a old image,
we need to reattach the device in user space.

However, if the UBI driver build in kernel and the UBI volume is
the root partition, the UBI device cannot be reattached in user
space. To disable fastmap in this case, the UBI must provide the
kernel cmdline parameters to disable fastmap during attach.

This patch add 'enable_fm' as 5th module init parameter of mtd=xx to
control fastmap enable or not. When the value is 0, fastmap will not
create and existed fastmap will destroyed for the given ubi device.
Default value is 0.

To enable or disable fastmap during module loading, fm_autoconvert
must be set to non-zero.

+-----------------+---------------+---------------------------+
|        \        |  enable_fm=0  |  enable_fm=1              |
+-----------------+---------------+---------------------------+
|fm_autoconvert=Y |  disable fm   |  enable fm                |
+---------------------------------+---------------------------+
|fm_autoconvert=N |  disable fm   | Enable fastmap if fastmap |
|                 |               | exists on the old image   |
+-------------------------------------------------------------+

Example:
  # - Attach mtd1 to ubi1, disable fastmap, mtd2 to ubi2, enable
      fastmap.
  # modprobe ubi mtd=1,0,0,1,0 mtd=2,0,0,2,1 fm_autoconvert=1

  # - If 5th parameter is not specified, the value is 0, fastmap is
      disable
  # modprobe ubi mtd=1 fm_autoconvert=1

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216623
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:43 +01:00
Li Zetao 1e591ea072 ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
There is a memory leaks problem reported by kmemleak:

unreferenced object 0xffff888102007a00 (size 128):
  comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
  hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
[<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
[<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
[<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
[<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
[<ffffffff83c142a5>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

This is due to a mismatch between create and destroy interfaces, and
in detail that "new_eba_tbl" created by ubi_eba_create_table() but
destroyed by kfree(), while will causing "new_eba_tbl->entries" not
freed.

Fix it by replacing kfree(new_eba_tbl) with
ubi_eba_destroy_table(new_eba_tbl)

Fixes: 799dca34ac ("UBI: hide EBA internals")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:42 +01:00
Li Zetao 9af31d6ec1 ubi: Fix use-after-free when volume resizing failed
There is an use-after-free problem reported by KASAN:
  ==================================================================
  BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
  Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735

  CPU: 2 PID: 4735 Comm: ubirsvol
  Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   ubi_eba_copy_table+0x11f/0x1c0 [ubi]
   ubi_resize_volume+0x4f9/0xbc0 [ubi]
   ubi_cdev_ioctl+0x701/0x1850 [ubi]
   __x64_sys_ioctl+0x11d/0x170
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
   </TASK>

When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
"new_eba_tbl" will be freed on error handing path, but it is holded
by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
of "vol->eba_tbl" and "vol" are different, so when resizing volume in
next time, it causing an use-after-free fault.

Fix it by not freeing "new_eba_tbl" after it replaced in
ubi_eba_replace_table(), while will be freed in next volume resizing.

Fixes: 801c135ce7 ("UBI: Unsorted Block Images")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:41 +01:00
Mårten Lindahl 6addbe91fc ubi: block: Reduce warning print to info for static volumes
If volume size is not multiple of the sector size 512 a warning is
printed saying that the last non-sector aligned bytes will be ignored.

This should be valid for resizable volumes, but when creating static
volumes which are read only this will always be printed even if the
unaligned data is deliberate.

The message is still valid but the severity should be lowered for static
volumes.

Signed-off-by: Mårten Lindahl <marten.lindahl@axis.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:35 +01:00
George Kennedy 1b42b1a36f ubi: ensure that VID header offset + VID header size <= alloc, size
Ensure that the VID header offset + VID header size does not exceed
the allocated area to avoid slab OOB.

BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555

CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G        W
6.0.0-1868 #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
04/01/2014
Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
  print_address_description mm/kasan/report.c:317 [inline]
  print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
  kasan_report+0xa7/0x11b mm/kasan/report.c:495
  crc32_body lib/crc32.c:111 [inline]
  crc32_le_generic lib/crc32.c:179 [inline]
  crc32_le_base+0x58c/0x626 lib/crc32.c:197
  ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
  create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:870 [inline]
  __se_sys_ioctl fs/ioctl.c:856 [inline]
  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0x0
RIP: 0033:0x7f96d5cf753d
Code:
RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
  </TASK>

Allocated by task 1555:
  kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
  kasan_set_track mm/kasan/common.c:45 [inline]
  set_alloc_info mm/kasan/common.c:437 [inline]
  ____kasan_kmalloc mm/kasan/common.c:516 [inline]
  __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
  kasan_kmalloc include/linux/kasan.h:234 [inline]
  __kmalloc+0x138/0x257 mm/slub.c:4429
  kmalloc include/linux/slab.h:605 [inline]
  ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
  create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:870 [inline]
  __se_sys_ioctl fs/ioctl.c:856 [inline]
  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0x0

The buggy address belongs to the object at ffff88802bb36e00
  which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
  256-byte region [ffff88802bb36e00, ffff88802bb36f00)

The buggy address belongs to the physical page:
page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x2bb36
head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 801c135ce7 ("UBI: Unsorted Block Images")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2023-02-02 21:13:33 +01:00
Pali Rohár b56265257d mtd: rawnand: fsl_elbc: Propagate HW ECC settings to HW
It is possible that current chip->ecc.engine_type value does not match to
configured HW value (if HW ECC checking and generating is enabled or not).

This can happen with old U-Boot bootloader version which either does not
initialize NAND (and let it in some default unusable state) or initialize
NAND with different parameters than what is specified in kernel DTS file.

So if kernel chose to use some chip->ecc.engine_type settings (e.g. from
DTS file) then do not depend on bootloader HW configuration and configures
HW ECC settings according to chip->ecc.engine_type value.

BR_DECC must be set to BR_DECC_CHK_GEN when HW is doing ECC (both
generating and checking), or to BR_DECC_OFF when HW is not doing ECC.

This change fixes usage of SW ECC support in case bootloader explicitly
enabled HW ECC support and kernel DTS file has specified to use SW ECC.
(Of course this works only in case when NAND is not a boot device and both
bootloader and kernel are loaded from different location, e.g. FLASH NOR.)

Fixes: f6424c22aa ("mtd: rawnand: fsl_elbc: Make SW ECC work")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230128134111.32559-1-pali@kernel.org
2023-01-30 17:17:42 +01:00