  1. Mar 13, 2025
    • xiaoxiang.xiong's avatar
      ANDROID: GKI: Update symbol list for transsion · 4f394d09
      xiaoxiang.xiong authored
      
      75 function symbol(s) added
        'u64 __blkg_prfill_rwstat(struct seq_file*, struct blkg_policy_data*, const struct blkg_rwstat_sample*)'
        'int __percpu_counter_init_many(struct percpu_counter*, s64, gfp_t, u32, struct lock_class_key*)'
        's64 __percpu_counter_sum(struct percpu_counter*)'
        'int _atomic_dec_and_lock_irqsave(atomic_t*, spinlock_t*, unsigned long*)'
        'void add_disk_randomness(struct gendisk*)'
        'ssize_t badblocks_show(struct badblocks*, char*, int)'
        'void bdev_end_io_acct(struct block_device*, enum req_op, unsigned int, unsigned long)'
        'unsigned long bdev_start_io_acct(struct block_device*, enum req_op, unsigned long)'
        'const char* bdi_dev_name(struct backing_dev_info*)'
        'void bio_associate_blkg_from_css(struct bio*, struct cgroup_subsys_state*)'
        'struct bio* bio_split(struct bio*, int, gfp_t, struct bio_set*)'
        'void bio_uninit(struct bio*)'
        'struct gendisk* blk_mq_alloc_disk_for_queue(struct request_queue*, struct lock_class_key*)'
        'void blk_queue_required_elevator_features(struct request_queue*, unsigned int)'
        'void blkcg_print_blkgs(struct seq_file*, struct blkcg*, u64(*)(struct seq_file*, struct blkg_policy_data*, int), const struct blkcg_policy*, int, bool)'
        'int blkg_conf_prep(struct blkcg*, const struct blkcg_policy*, struct blkg_conf_ctx*)'
        'u64 blkg_prfill_rwstat(struct seq_file*, struct blkg_policy_data*, int)'
        'void blkg_rwstat_exit(struct blkg_rwstat*)'
        'int blkg_rwstat_init(struct blkg_rwstat*, gfp_t)'
        'void blkg_rwstat_recursive_sum(struct blkcg_gq*, struct blkcg_policy*, int, struct blkg_rwstat_sample*)'
        'enum scsi_pr_type block_pr_type_to_scsi(enum pr_type)'
        'int block_read_full_folio(struct folio*, get_block_t*)'
        'struct bsg_device* bsg_register_queue(struct request_queue*, struct device*, const char*, bsg_sg_io_fn*)'
        'void bsg_unregister_queue(struct bsg_device*)'
        'void call_rcu_hurry(struct callback_head*, rcu_callback_t)'
        'unsigned long clock_t_to_jiffies(unsigned long)'
        'int devcgroup_check_permission(short, u32, u32, short)'
        'bool disk_check_media_change(struct gendisk*)'
        'struct device_driver* driver_find(const char*, const struct bus_type*)'
        'blk_status_t errno_to_blk_status(int)'
        'bool folio_mark_dirty(struct folio*)'
        'struct cpumask* group_cpus_evenly(unsigned int)'
        'struct io_cq* ioc_find_get_icq(struct request_queue*)'
        'struct io_cq* ioc_lookup_icq(struct request_queue*)'
        'void* kmem_cache_alloc_node(struct kmem_cache*, gfp_t, int)'
        'void* mempool_alloc_pages(gfp_t, void*)'
        'void mempool_free_pages(void*, void*)'
        'unsigned int mmc_calc_max_discard(struct mmc_card*)'
        'int mmc_card_alternative_gpt_sector(struct mmc_card*, sector_t*)'
        'int mmc_cqe_recovery(struct mmc_host*)'
        'int mmc_cqe_start_req(struct mmc_host*, struct mmc_request*)'
        'void mmc_crypto_prepare_req(struct mmc_queue_req*)'
        'int mmc_detect_card_removed(struct mmc_host*)'
        'int mmc_erase(struct mmc_card*, unsigned int, unsigned int, unsigned int)'
        'int mmc_poll_for_busy(struct mmc_card*, unsigned int, bool, enum mmc_busy_cmd)'
        'int mmc_register_driver(struct mmc_driver*)'
        'void mmc_retune_pause(struct mmc_host*)'
        'void mmc_retune_unpause(struct mmc_host*)'
        'void mmc_run_bkops(struct mmc_card*)'
        'int mmc_sanitize(struct mmc_card*, unsigned int)'
        'int mmc_start_request(struct mmc_host*, struct mmc_request*)'
        'void mmc_unregister_driver(struct mmc_driver*)'
        'void percpu_counter_destroy_many(struct percpu_counter*, u32)'
        'bool percpu_ref_is_zero(struct percpu_ref*)'
        'void percpu_ref_kill_and_confirm(struct percpu_ref*, percpu_ref_func_t*)'
        'void percpu_ref_resurrect(struct percpu_ref*)'
        'void percpu_ref_switch_to_atomic_sync(struct percpu_ref*)'
        'void percpu_ref_switch_to_percpu(struct percpu_ref*)'
        'void put_io_context(struct io_context*)'
        'int radix_tree_preload(gfp_t)'
        'struct folio* read_cache_folio(struct address_space*, unsigned long, filler_t*, struct file*)'
        'enum scsi_disposition scsi_check_sense(struct scsi_cmnd*)'
        'int scsi_device_set_state(struct scsi_device*, enum scsi_device_state)'
        'void scsi_eh_finish_cmd(struct scsi_cmnd*, struct list_head*)'
        'enum pr_type scsi_pr_type_to_block(enum scsi_pr_type)'
        'int scsi_rescan_device(struct scsi_device*)'
        'const u8* scsi_sense_desc_find(const u8*, int, int)'
        'void sdev_evt_send_simple(struct scsi_device*, enum scsi_device_event, gfp_t)'
        'int thaw_super(struct super_block*, enum freeze_holder)'
        'void trace_seq_puts(struct trace_seq*, const char*)'
        'int transport_add_device(struct device*)'
        'void transport_configure_device(struct device*)'
        'void transport_destroy_device(struct device*)'
        'void transport_remove_device(struct device*)'
        'void transport_setup_device(struct device*)'
      
      2 variable symbol(s) added
        'struct cgroup_subsys io_cgrp_subsys'
        'struct static_key_true io_cgrp_subsys_on_dfl_key'
      
      Bug: 400475995
      Bug: 403204595
      Change-Id: I959e7f45641df674096da689089096bd14e4ed65
      Signed-off-by: default avatarxiaoxiang.xiong <xiaoxiang.xiong@transsion.com>
      (cherry picked from commit ca0752ee)
  2. Mar 11, 2025
    • Yang Yang's avatar
      ANDROID: Fixed the KMI corruption issue caused by the patch of 72d04bdc. · e85affb0
      Yang Yang authored
      
      Because 72d04bdc ("sbitmap: fix io hung due to race on sbitmap_word
      ::cleared") added spinlock_t swap_lock directly to struct sbitmap_word
      in sbitmap.h, the KMI was broken. To get the same functionality without
      breaking the KMI, we can only allocate a block of memory with a size of
      map_nr * (sizeof(*sb->map) + sizeof(spinlock_t)) to ensure that each
      struct sbitmap_word is protected by a spinlock.
      The actual memory distribution used is as follows:
      ----------------------
      struct sbitmap_word[0]
      ......................
      struct sbitmap_word[n]
      -----------------------
      spinlock_t swap_lock[0]
      .......................
      spinlock_t swap_lock[n]
      ----------------------
      sbitmap_word[0] corresponds to swap_lock[0], and sbitmap_word[n]
      corresponds to swap_lock[n], and so on.
      
      Fixes: ea86ea2c ("sbitmap: ammortize cost of clearing bits")
      Signed-off-by: default avatarYang Yang <yang.yang@vivo.com>
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      
      Bug: 382398521
      Link: https://lore.kernel.org/r/20240716082644.659566-1-yang.yang@vivo.com
      
      
      Change-Id: Idcab0dd5fd7c3147efd05dd6cc51757c2b0464f6
      Signed-off-by: default avatarliuyu <liuyu@allwinnertech.com>
      Bug: 401681610
    • Yang Yang's avatar
      UPSTREAM: sbitmap: fix io hung due to race on sbitmap_word::cleared · 89371240
      Yang Yang authored
      
      Configuration for sbq:
        depth=64, wake_batch=6, shift=6, map_nr=1
      
      1. There are 64 requests in progress:
        map->word = 0xFFFFFFFFFFFFFFFF
      2. After all the 64 requests complete, and no more requests come:
        map->word = 0xFFFFFFFFFFFFFFFF, map->cleared = 0xFFFFFFFFFFFFFFFF
      3. Now two tasks try to allocate requests:
        T1:                                       T2:
        __blk_mq_get_tag                          .
        __sbitmap_queue_get                       .
        sbitmap_get                               .
        sbitmap_find_bit                          .
        sbitmap_find_bit_in_word                  .
        __sbitmap_get_word  -> nr=-1              __blk_mq_get_tag
        sbitmap_deferred_clear                    __sbitmap_queue_get
        /* map->cleared=0xFFFFFFFFFFFFFFFF */     sbitmap_find_bit
          if (!READ_ONCE(map->cleared))           sbitmap_find_bit_in_word
            return false;                         __sbitmap_get_word -> nr=-1
          mask = xchg(&map->cleared, 0)           sbitmap_deferred_clear
          atomic_long_andnot()                    /* map->cleared=0 */
                                                    if (!(map->cleared))
                                                      return false;
                                           /*
                                            * map->cleared is cleared by T1
                                            * T2 fail to acquire the tag
                                            */
      
      4. T2 is the sole tag waiter. When T1 puts the tag, T2 cannot be woken
      up due to the wake_batch being set at 6. If no more requests come, T1
      will wait here indefinitely.
      
      This patch achieves two purposes:
      1. Check on ->cleared and update on both ->cleared and ->word need to
      be done atomically, and using spinlock could be the simplest solution.
      2. Add extra check in sbitmap_deferred_clear(), to identify whether
      ->word has free bits.
      
      Fixes: ea86ea2c ("sbitmap: ammortize cost of clearing bits")
      Signed-off-by: default avatarYang Yang <yang.yang@vivo.com>
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Link: https://lore.kernel.org/r/20240716082644.659566-1-yang.yang@vivo.com
      
      
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      (cherry picked from commit 72d04bdc)
      Signed-off-by: default avatarliuyu <liuyu@allwinnertech.com>
      Change-Id: Ibab11ef6a94d4db33fae5c4b314b119abc1cabc8
      Bug: 401681610
  3. Mar 08, 2025
  4. Mar 01, 2025
  5. Feb 25, 2025
    • Seiya Wang's avatar
      ANDROID: GKI: Update symbol list for mtk · dc1659ef
      Seiya Wang authored
      
      6 function symbol(s) added
        'struct config_item* config_group_find_item(struct config_group*, const char*)'
        'int usb_function_activate(struct usb_function*)'
        'int usb_function_deactivate(struct usb_function*)'
        'int usb_gadget_frame_number(struct usb_gadget*)'
        'const struct uvc_format_desc* uvc_format_by_guid(const u8*)'
        'void v4l2_simplify_fraction(u32*, u32*, unsigned int, unsigned int)'
      
      Bug: 397526098
      Bug: 398754601
      Signed-off-by: default avatarSeiya Wang <seiya.wang@mediatek.com>
      Change-Id: Ia49ebfd566ebc0d408be6702d599fd39529bfd54
      (cherry picked from commit a5fde818)
    • Seiya Wang's avatar
      ANDROID: GKI: Update symbol list for mtk · c358ec58
      Seiya Wang authored
      
      ABI impact
      
      3 function symbol(s) added
        'u16 cec_get_edid_phys_addr(const u8*, unsigned int, unsigned int*)'
        'bool v4l2_find_dv_timings_cap(struct v4l2_dv_timings*, const struct v4l2_dv_timings_cap*, unsigned int, v4l2_check_dv_timings_fnc*, void*)'
        'void v4l2_print_dv_timings(const char*, const char*, const struct v4l2_dv_timings*, bool)'
      
      Symbols added
      
      cec_get_edid_phys_addr
      dentry_open
      device_get_named_child_node
      __folio_lock
      full_name_hash
      hci_alloc_dev_priv
      hci_free_dev
      hci_recv_frame
      hci_register_dev
      hci_unregister_dev
      of_machine_compatible_match
      ptp_clock_event
      ptp_clock_index
      ptp_clock_register
      ptp_clock_unregister
      rebuild_sched_domains
      v4l2_enum_dv_timings_cap
      v4l2_fh_release
      v4l2_find_dv_timings_cap
      v4l2_match_dv_timings
      v4l2_print_dv_timings
      v4l2_src_change_event_subdev_subscribe
      v4l2_valid_dv_timings
      
      Bug: 391957747
      Bug: 398754601
      Signed-off-by: default avatarSeiya Wang <seiya.wang@mediatek.com>
      Change-Id: I01afe6e002458fdf1390fc4337cb28d15e8a2579
      (cherry picked from commit bec9b9a8)
  6. Feb 19, 2025
    • Konstantin Komarov's avatar
      ANDROID: GKI: Add Paragon symbol list · 5368d20b
      Konstantin Komarov authored
      
      This list contains symbols for the Paragon UFSD driver for the NTFS and exFAT file systems.
      
      18 function symbol(s) added
        'int __cond_resched_lock(spinlock_t*)'
        'struct buffer_head* __find_get_block(struct block_device*, sector_t, unsigned int)'
        'int __posix_acl_create(struct posix_acl**, gfp_t, umode_t*)'
        'int add_to_page_cache_lru(struct page*, struct address_space*, unsigned long, gfp_t)'
        'struct buffer_head* alloc_buffer_head(gfp_t)'
        'void d_rehash(struct dentry*)'
        'int filemap_fdatawrite_wbc(struct address_space*, struct writeback_control*)'
        'void free_buffer_head(struct buffer_head*)'
        'int posix_acl_equiv_mode(const struct posix_acl*, umode_t*)'
        'struct posix_acl* posix_acl_from_xattr(struct user_namespace*, const void*, size_t)'
        'int posix_acl_to_xattr(struct user_namespace*, const struct posix_acl*, void*, size_t)'
        'int posix_acl_valid(struct user_namespace*, const struct posix_acl*)'
        'void set_cached_acl(struct inode*, int, struct posix_acl*)'
        'void shrink_dcache_sb(struct super_block*)'
        'void sync_inodes_sb(struct super_block*)'
        'void wait_for_completion_io(struct completion*)'
        'void write_dirty_buffer(struct buffer_head*, blk_opf_t)'
        'void yield()'
      
      Bug: 393994588
      Bug: 396588892
      Signed-off-by: default avatarKonstantin Komarov <Konstantin.Komarov.GKI@paragon-software.com>
      Change-Id: I817b3e0c7ad779c72333cf0e7973eb02873f1cee
      (cherry picked from commit fe75a290)
  7. Feb 14, 2025
  8. Feb 04, 2025
  9. Jan 31, 2025
    • Hrishabh Rajput's avatar
      ANDROID: virt: gunyah: Update compatible strings for hypervisor driver · 807ce3b4
      Hrishabh Rajput authored
      
      Append the compatible string "qcom,gunyah-hypervisor" to match the
      driver with an additional Gunyah Hypervisor version and extend support
      to it. This ensures proper identification and functionality of the
      Gunyah Hypervisor driver across multiple versions of Gunyah.
      
      Bug: 393501838
      Change-Id: Ic394de301352f84d2735537cb28b304bfe592015
      Signed-off-by: default avatarHrishabh Rajput <quic_hrishabh@quicinc.com>
    • Kalesh Singh's avatar
      ANDROID: 16K: Disable kernel APIs indexed by PFNs · 3feaf4d5
      Kalesh Singh authored
      
      When emulating the userspace page size, /proc/*/pagemap
      doesn't support PFNs since it is not guaranteed that
      the PFNs of the virtually contiguous pages are also
      contiguous physically and therefore cannot be collapsed
      for purposes of the page size emulation.
      
      On x86_64 16K devices, the PFN bits of pagemap entries are
      always zero; hence, disable the APIs that consume PFNs
      from pagemap:
        - /proc/kpagecount
        - /proc/kpageflags
        - /proc/kpagecgroup
        - /sys/kernel/mm/page_idle/bitmap
      
      Bug: 385167611
      Test: atest vts_ltp_test_x86_64:syscalls.msync04_64bit#syscalls.msync04_64bit
      Test: atest vts_ltp_test_x86_64:syscalls.mmap12_64bit#syscalls.mmap12_64bit
      Test: atest libmeminfo_test
      Test: atest bionic-unit-tests:DlExtRelroSharingTest#VerifyMemorySaving
      Note: bionic-unit-tests must be run as root (add require_root: true)
      Change-Id: I214c8737c6f7385346436769f144c5ecd429a5b7
      Signed-off-by: default avatarKalesh Singh <kaleshsingh@google.com>
    • Kalesh Singh's avatar
      ANDROID: 16K: Emulate pread() for pagemap · baad4c95
      Kalesh Singh authored
      
      pread() can read from a specified offset of the file without
      changing the file's offset position.

      When reading /proc/*/pagemap with pread() on an emulated
      16KB x86_64 device, userspace believes the pages are larger than
      they actually are; we adjust the start offset of the pread to emulate
      reading the correct page map entries. Adjustment of the count is
      handled by .pagemap_read() which will be called by the VFS layer.

      This is effectively a no-op if the page size isn't being emulated.
      
      Bug: 385167611
      Test: atest vts_ltp_test_x86_64:syscalls.msync04_64bit#syscalls.msync04_64bit
      Test: atest vts_ltp_test_x86_64:syscalls.mmap12_64bit#syscalls.mmap12_64bit
      Test: atest libmeminfo_test
      Test: atest bionic-unit-tests:DlExtRelroSharingTest#VerifyMemorySaving
      Note: bionic-unit-tests must be run as root (add require_root: true)
      Change-Id: I139d510d7fdb7040236e01a2dc9ee9d5c9c207fd
      Signed-off-by: default avatarKalesh Singh <kaleshsingh@google.com>
    • Kalesh Singh's avatar
      ANDROID: 16K: Emulate /proc/pid/pagemap · 0715c0e2
      Kalesh Singh authored
      Collapse X kernelpage pagemap entries into a single emulated pagemap
      entry.
      
      PM_PFRAME_BITS are zeroed since there is no guarantee these are
      contiguous in physical memory.
      
      Swap-related bits are also zeroed since there is no guarantee that swap
      offsets are contiguous.
      
      UFFD WP bit is zeroed as it is not supported for x86_64 16K [1].
      
      All other bits are set if any of the subpages' bits are set.
      
      Also introduce __pagemap_lseek(), to adjust the file offset to compensate
      for the fact that userspace believes the page size is larger than it
      actually is.
      
      [1] https://r.android.com/3424862
      
      
      
      Bug: 385167611
      Test: atest vts_ltp_test_x86_64:syscalls.msync04_64bit#syscalls.msync04_64bit
      Test: atest vts_ltp_test_x86_64:syscalls.mmap12_64bit#syscalls.mmap12_64bit
      Test: atest libmeminfo_test
      Test: atest bionic-unit-tests:DlExtRelroSharingTest#VerifyMemorySaving
      Note: bionic-unit-tests must be run as root (add require_root: true)
      Change-Id: Ifc159f63f4b18dc43799b104d6be7d3dcb4fca49
      Signed-off-by: default avatarKalesh Singh <kaleshsingh@google.com>
  10. Jan 30, 2025
    • Jianan Huang's avatar
      UPSTREAM: f2fs: fix inconsistent dirty state of atomic file · 0e0c5304
      Jianan Huang authored
      
      When testing the atomic write fix patches, the f2fs_bug_on was
      triggered as below:
      
      ------------[ cut here ]------------
      kernel BUG at fs/f2fs/inode.c:935!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
      CPU: 3 UID: 0 PID: 257 Comm: bash Not tainted 6.13.0-rc1-00033-gc283a70d3497 #5
      RIP: 0010:f2fs_evict_inode+0x50f/0x520
      Call Trace:
       <TASK>
       ? __die_body+0x65/0xb0
       ? die+0x9f/0xc0
       ? do_trap+0xa1/0x170
       ? f2fs_evict_inode+0x50f/0x520
       ? f2fs_evict_inode+0x50f/0x520
       ? handle_invalid_op+0x65/0x80
       ? f2fs_evict_inode+0x50f/0x520
       ? exc_invalid_op+0x39/0x50
       ? asm_exc_invalid_op+0x1a/0x20
       ? __pfx_f2fs_get_dquots+0x10/0x10
       ? f2fs_evict_inode+0x50f/0x520
       ? f2fs_evict_inode+0x2e5/0x520
       evict+0x186/0x2f0
       prune_icache_sb+0x75/0xb0
       super_cache_scan+0x1a8/0x200
       do_shrink_slab+0x163/0x320
       shrink_slab+0x2fc/0x470
       drop_slab+0x82/0xf0
       drop_caches_sysctl_handler+0x4e/0xb0
       proc_sys_call_handler+0x183/0x280
       vfs_write+0x36d/0x450
       ksys_write+0x68/0xd0
       do_syscall_64+0xc8/0x1a0
       ? arch_exit_to_user_mode_prepare+0x11/0x60
       ? irqentry_exit_to_user_mode+0x7e/0xa0
      
      The root cause is: f2fs uses FI_ATOMIC_DIRTIED to indicate dirty
      atomic files during commit. If the inode is dirtied during commit,
      such as by f2fs_i_pino_write, the vfs inode stays clean and the
      f2fs inode is set to FI_DIRTY_INODE. The FI_DIRTY_INODE flag can't
      be cleared by write_inode later because the vfs inode is clean. Finally,
      f2fs_bug_on is triggered by this inconsistent state at eviction.
      
      To reproduce this situation:
      - fd = open("/mnt/test.db", O_WRONLY)
      - ioctl(fd, F2FS_IOC_START_ATOMIC_WRITE)
      - mv /mnt/test.db /mnt/test1.db
      - ioctl(fd, F2FS_IOC_COMMIT_ATOMIC_WRITE)
      - echo 3 > /proc/sys/vm/drop_caches
      
      To fix this problem, clear FI_DIRTY_INODE after commit, then
      f2fs_mark_inode_dirty_sync will ensure a consistent dirty state.
      
      Fixes: fccaa81d ("f2fs: prevent atomic file from being dirtied before commit")
      Change-Id: I2c637b4bc544453b07ab124527efb694da9b757f
      Signed-off-by: default avatarYunlei He <heyunlei@xiaomi.com>
      Signed-off-by: default avatarJianan Huang <huangjianan@xiaomi.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 03511e93)
    • Zhiguo Niu's avatar
      UPSTREAM: f2fs: fix to avoid changing 'check only' behaior of recovery · 55c9bb68
      Zhiguo Niu authored
      
      The following two 'check only recovery' processes depend heavily on
      the return value of f2fs_recover_fsync_data, especially when the return
      value is greater than 0.
      1. when the device is in readonly mode, as shown in commit
      23738e74 ("f2fs: fix to restrict mount condition on readonly block device")
      2. when mount option NORECOVERY or DISABLE_ROLL_FORWARD is set, as shown in commit
      6781eabb ("f2fs: give -EINVAL for norecovery and rw mount")

      However, commit c426d991 ("f2fs: Check write pointer consistency of open zones")
      changes the return value unexpectedly, thereby changing the caller's behavior.

      This patch lets f2fs_recover_fsync_data return the correct value, and skips
      f2fs_check_and_fix_write_pointer when the device is read-only.
      
      Fixes: c426d991 ("f2fs: Check write pointer consistency of open zones")
      Change-Id: I9d426257e2900b8558c78cc4e5dc8da56fd3cb30
      Signed-off-by: default avatarZhiguo Niu <zhiguo.niu@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit edf3c086)
    • Yi Sun's avatar
      UPSTREAM: f2fs: Clean up the loop outside of f2fs_invalidate_blocks() · 2467ba65
      Yi Sun authored
      
      Now f2fs_invalidate_blocks() supports a continuous range of addresses,
      so the for loop can be omitted.
      
      Change-Id: I6a1f01c9701ba55940ef2207242b60f26f26b2de
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Signed-off-by: default avatarZhiguo Niu <zhiguo.niu@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 6d4008dc)
    • Chao Yu's avatar
      UPSTREAM: f2fs: procfs: show mtime in segment_bits · 1c517f62
      Chao Yu authored
      
      Show mtime in segment_bits for debug.
      
      cat /proc/fs//f2fs/loop0/segment_bits
      format: segment_type|valid_blocks|bitmaps|mtime
      segment_type(0:HD, 1:WD, 2:CD, 3:HN, 4:WN, 5:CN)
      0         3|1  | 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00| ffffffffffffffff
      1         4|3  | 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00| ffffffffffffffff
      2         5|0  | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00| ffffffffffffffff
      3         0|1  | 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00| ffffffffffffffff
      
      Change-Id: I7399a15f119a520f4f4b5db8623c223f94bac997
      Signed-off-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit f6370a36)
    • Chao Yu's avatar
      UPSTREAM: f2fs: fix to avoid return invalid mtime from f2fs_get_section_mtime() · e16be50c
      Chao Yu authored
      
      syzbot reported a f2fs bug as below:
      
      ------------[ cut here ]------------
      kernel BUG at fs/f2fs/gc.c:373!
      CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted 6.13.0-rc3-syzkaller-00044-gaef25be35d23 #0
      RIP: 0010:get_cb_cost fs/f2fs/gc.c:373 [inline]
      RIP: 0010:get_gc_cost fs/f2fs/gc.c:406 [inline]
      RIP: 0010:f2fs_get_victim+0x68b1/0x6aa0 fs/f2fs/gc.c:912
      Call Trace:
       <TASK>
       __get_victim fs/f2fs/gc.c:1707 [inline]
       f2fs_gc+0xc89/0x2f60 fs/f2fs/gc.c:1915
       f2fs_ioc_gc fs/f2fs/file.c:2624 [inline]
       __f2fs_ioctl+0x4cc9/0xb8b0 fs/f2fs/file.c:4482
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:906 [inline]
       __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      w/ below testcase, it can reproduce directly:
      - dd if=/dev/zero of=/tmp/file bs=1M count=64
      - mkfs.f2fs /tmp/file
      - mount -t f2fs -o loop,mode=fragment:block /tmp/file /mnt/f2fs
      - echo 0 >  /sys/fs/f2fs/loop0/min_ssr_sections
      - dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=5
      - umount /mnt/f2fs
      - for((i=4096;i<16384;i+=512)) do inject.f2fs --sit 0 --blk $i --mb mtime --val -1 /tmp/file; done
      - mount -o loop /tmp/file /mnt/f2fs
      - f2fs_io gc 0 /mnt/f2fs/file
      
      static unsigned int get_cb_cost()
      {
      	...
      	mtime = f2fs_get_section_mtime(sbi, segno);
      	f2fs_bug_on(sbi, mtime == INVALID_MTIME);
      	...
      }
      
      The root cause is: mtime in f2fs_sit_entry can be fuzzed to INVALID_MTIME,
      then it will trigger BUG_ON in get_cb_cost() during GC.
      
      Let's change behavior of f2fs_get_section_mtime() as below for fix:
      - return INVALID_MTIME only if total valid blocks is zero.
      - return INVALID_MTIME - 1 if average mtime calculated is
      INVALID_MTIME.
      
      Fixes: b19ee727 ("f2fs: introduce f2fs_get_section_mtime")
      Reported-by: default avatar <syzbot+b9972806adbe20a910eb@syzkaller.appspotmail.com>
      Closes: https://lore.kernel.org/linux-f2fs-devel/6768c82e.050a0220.226966.0035.GAE@google.com
      
      
      Cc: liuderong <liuderong@oppo.com>
      Change-Id: Ic98e6b11a5e1a12055c8e951c3ace7642bee85c5
      Signed-off-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 207764e5)
    • Nathan Chancellor's avatar
      UPSTREAM: f2fs: Fix format specifier in sanity_check_inode() · 8b003bb3
      Nathan Chancellor authored
      
      When building for 32-bit platforms, for which 'size_t' is 'unsigned int',
      there is a warning due to an incorrect format specifier:
      
        fs/f2fs/inode.c:320:6: error: format specifies type 'unsigned long' but the argument has type 'unsigned int' [-Werror,-Wformat]
          318 |                 f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %lu, max: %lu",
              |                                                                                                 ~~~
              |                                                                                                 %u
          319 |                           __func__, inode->i_ino, fi->i_inline_xattr_size,
          320 |                           MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE);
              |                           ^~~~~~~~~~~~~~~~~~~~~
        fs/f2fs/f2fs.h:1855:46: note: expanded from macro 'f2fs_warn'
         1855 |         f2fs_printk(sbi, false, KERN_WARNING fmt, ##__VA_ARGS__)
              |                                              ~~~    ^~~~~~~~~~~
        fs/f2fs/xattr.h:86:31: note: expanded from macro 'MIN_INLINE_XATTR_SIZE'
           86 | #define MIN_INLINE_XATTR_SIZE (sizeof(struct f2fs_xattr_header) / sizeof(__le32))
              |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Use the format specifier for 'size_t', '%zu', to resolve the warning.
      
      Fixes: 5c1768b6 ("f2fs: fix to do sanity check correctly on i_inline_xattr_size")
      Change-Id: Ifd7e25295b312b3b6943848ce34fede6fd7b2a6c
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit a68905d4)
    • Jaegeuk Kim's avatar
      UPSTREAM: f2fs: avoid trying to get invalid block address · 444939d3
      Jaegeuk Kim authored
      
      In f2fs_new_inode(), if we fail to get a new inode, we go iput(), followed by
      f2fs_evict_inode(). If the inode is not marked as bad, it'll try to call
      f2fs_remove_inode_page() which tries to read the inode block given node id.
      But, there's no block address allocated yet, which gives a chance to access
      a wrong block address, if the block device has some garbage data in NAT table.
      
      We need to make sure NAT table should have zero data for all the unallocated
      node ids, but also would be better to take this unnecessary path as well.
      Let's mark the failed inode as bad.
      
      Fixes: 0abd675e ("f2fs: support plain user/group quota")
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Change-Id: I37bfd94f0612e1521ae43fe529fd186954f3dece
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit e0293861)
    • Chao Yu's avatar
      UPSTREAM: f2fs: fix to do sanity check correctly on i_inline_xattr_size · 1ebc516c
      Chao Yu authored
      syzbot reported an out-of-range access issue as below:
      
      UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19
      index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]')
      CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:94 [inline]
       dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
       ubsan_epilogue lib/ubsan.c:231 [inline]
       __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
       read_inline_xattr+0x273/0x280
       lookup_all_xattrs fs/f2fs/xattr.c:341 [inline]
       f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533
       vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393
       ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229
       process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353
       ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572
       security_file_post_open+0xb9/0x280 security/security.c:3121
       do_open fs/namei.c:3830 [inline]
       path_openat+0x2ccd/0x3590 fs/namei.c:3987
       do_file_open_root+0x3a7/0x720 fs/namei.c:4039
       file_open_root+0x247/0x2a0 fs/open.c:1382
       do_handle_open+0x85b/0x9d0 fs/fhandle.c:414
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      index: 18446744073709550491 (decimal, unsigned long long)
      = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long)
      UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125].
      
      w/ below testcase, it can reproduce this bug easily:
      - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb
      - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs
      - touch /mnt/f2fs/file
      - umount /mnt/f2fs
      - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb
      - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb
      - mount /dev/sdb /mnt/f2fs
      - getfattr /mnt/f2fs/file
      
      The root cause is if metadata of filesystem and inode were fuzzed as below:
      - extra_attr feature is enabled
      - flexible_inline_xattr feature is enabled
      - ri.i_inline_xattr_size = 2048
      - F2FS_EXTRA_ATTR bit in ri.i_inline was not set
      
      sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size,
      resulting in an invalid inline_xattr_size being used later, fix it.
      
      Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/
      MIN_INLINE_XATTR_SIZE like we did in parse_options().
      
      There is a related issue reported by syzbot, Qasim Ijaz has analyzed and
      fixed it w/ very similar way [1], as discussed, we all agree that it will
      be better to do sanity check in sanity_check_inode() for fix, so finally,
      let's fix these two related bugs w/ current patch.
      
      Including commit message from Qasim's patch as below, thanks a lot for
      his contribution.
      
      "In f2fs_getxattr(), the function lookup_all_xattrs() allocates a 12-byte
      (base_size) buffer for an inline extended attribute. However, when
      __find_inline_xattr() calls __find_xattr(), it uses the macro
      "list_for_each_xattr(entry, addr)", which starts by calling
      XATTR_FIRST_ENTRY(addr). This skips a 24-byte struct f2fs_xattr_header
      at the beginning of the buffer, causing an immediate out-of-bounds read
      in a 12-byte allocation. The subsequent !IS_XATTR_LAST_ENTRY(entry)
      check then dereferences memory outside the allocated region, triggering
      the slab-out-of bounds read.
      
      This patch prevents the out-of-bounds read by adding a check to bail
      out early if inline_size is too small and does not account for the
      header plus the 4-byte value that IS_XATTR_LAST_ENTRY reads."
      
      [1]: https://lore.kernel.org/linux-f2fs-devel/Z32y1rfBY9Qb5ZjM@qasdev.system/
      
      
      
      Fixes: 6afc662e ("f2fs: support flexible inline xattr size")
      Reported-by: default avatar <syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com>
      Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com
      
      
      Reported-by: default avatarsyzbot <syzbot+f5e74075e096e757bdbf@syzkaller.appspotmail.com>
      Closes: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
      
      
      Tested-by: default avatarsyzbot <syzbot+f5e74075e096e757bdbf@syzkaller.appspotmail.com>
      Tested-by: default avatarQasim Ijaz <qasdev00@gmail.com>
      Change-Id: I7a2668aa5740c793b45713d4708d75aedabd284f
      Signed-off-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 5c1768b6)
      1ebc516c
    • Jaegeuk Kim's avatar
      UPSTREAM: f2fs: remove blk_finish_plug · e2a1d262
      Jaegeuk Kim authored
      
      Let's remove unclear blk_finish_plug.
      
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Change-Id: Ib79024198878acb791aa204ad29a888f90ff9362
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 4811fee8)
      e2a1d262
    • Yi Sun's avatar
      UPSTREAM: f2fs: Optimize f2fs_truncate_data_blocks_range() · d5e963f2
      Yi Sun authored
      
      Function f2fs_invalidate_blocks() can process consecutive
      blocks at a time, so f2fs_truncate_data_blocks_range() is
      optimized to use the new functionality of
      f2fs_invalidate_blocks().
      
      Add two variables @blkstart and @blklen, @blkstart records
      the first address of the consecutive blocks, and @blklen
      records the number of consecutive blocks.
      
      Change-Id: I219866b6c60a8f23f92aee64429064a04e7282d2
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 120ac1dc)
      d5e963f2
    • zangyangyang1's avatar
      UPSTREAM: f2fs: fix using wrong 'submitted' value in f2fs_write_cache_pages · 1b1a8523
      zangyangyang1 authored
      
      When f2fs_write_single_data_page fails, f2fs_write_cache_pages
      will use the last 'submitted' value incorrectly, which will cause
      'nwritten' and 'wbc->nr_to_write' calculation errors
      
      Change-Id: I8818719f99cef08d73b08188c6d6dbbebeea019a
      Signed-off-by: default avatarzangyangyang1 <zangyangyang1@xiaomi.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit c84c2424)
      1b1a8523
    • Yi Sun's avatar
      UPSTREAM: f2fs: add parameter @len to f2fs_invalidate_blocks() · 54d214db
      Yi Sun authored
      
      New function can process some consecutive blocks at a time.
      
      Function f2fs_invalidate_blocks()->down_write() and up_write()
      are very time-consuming, so if f2fs_invalidate_blocks() can
      process consecutive blocks at one time, it will save a lot of time.
      
      Change-Id: I6600c5be55f0261b142285fc45212921da8121fb
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit e53c568f)
      54d214db
    • Yi Sun's avatar
      UPSTREAM: f2fs: update_sit_entry_for_release() supports consecutive blocks. · 7905684a
      Yi Sun authored
      
      This function can process some consecutive blocks at a time.
      
      When using update_sit_entry() to release consecutive blocks,
      ensure that the consecutive blocks belong to the same segment.
      Because after update_sit_entry_for_release(), @segno is still
      in use in update_sit_entry().
      
      Change-Id: Ia6be213c3838351292d1000a52bd54a1090f1137
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 81ffbd22)
      7905684a
    • Yi Sun's avatar
      UPSTREAM: f2fs: introduce update_sit_entry_for_release/alloc() · e0c60329
      Yi Sun authored
      
      No logical changes, just for cleanliness.
      
      Change-Id: I4dddab6be974476879af46cda814dee2223ed21d
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 66baee2b)
      e0c60329
    • Jaegeuk Kim's avatar
      UPSTREAM: f2fs: don't call block truncation for aliased file · 29e43c61
      Jaegeuk Kim authored
      
      This patch should avoid the below warning which does not corrupt the metadata
      tho.
      
      [   51.508120][  T253] F2FS-fs (dm-59): access invalid blkaddr:36
      [   51.508156][  T253]  __f2fs_is_valid_blkaddr+0x330/0x384
      [   51.508162][  T253]  f2fs_is_valid_blkaddr_raw+0x10/0x24
      [   51.508163][  T253]  f2fs_truncate_data_blocks_range+0x1ec/0x438
      [   51.508177][  T253]  f2fs_remove_inode_page+0x8c/0x148
      [   51.508194][  T253]  f2fs_evict_inode+0x230/0x76c
      
      Fixes: 128d333f ("f2fs: introduce device aliasing file")
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Change-Id: I52340d7ccd1015c7bfe96ec52db21e0a4d5e961f
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit cf5817ce)
      29e43c61
    • Daniel Lee's avatar
      UPSTREAM: f2fs: Introduce linear search for dentries · 1a9c9a23
      Daniel Lee authored
      This patch addresses an issue where some files in case-insensitive
      directories become inaccessible due to changes in how the kernel function,
      utf8_casefold(), generates case-folded strings from the commit 5c26d2f1
      ("unicode: Don't special case ignorable code points").
      
      F2FS uses these case-folded names to calculate hash values for locating
      dentries and stores them on disk. Since utf8_casefold() can produce
      different output across kernel versions, stored hash values and newly
      calculated hash values may differ. This results in affected files no
      longer being found via the hash-based lookup.
      
      To resolve this, the patch introduces a linear search fallback.
      If the initial hash-based search fails, F2FS will sequentially scan the
      directory entries.
      
      Fixes: 5c26d2f1 ("unicode: Don't special case ignorable code points")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=219586
      
      
      Change-Id: I132991d663432792c73ad939f8450df82bbfeeb0
      Signed-off-by: default avatarDaniel Lee <chullee@google.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 91b587ba)
      1a9c9a23
    • Yi Sun's avatar
      UPSTREAM: f2fs: add parameter @len to f2fs_invalidate_internal_cache() · d754af9a
      Yi Sun authored
      
      New function can process some consecutive blocks at a time.
      
      Change-Id: I6741915ec3fba137ae6295688b6c4f8474411177
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit d217b5ce)
      d754af9a
    • Yi Sun's avatar
      UPSTREAM: f2fs: expand f2fs_invalidate_compress_page() to f2fs_invalidate_compress_pages_range() · 6c18af5c
      Yi Sun authored
      
      New function f2fs_invalidate_compress_pages_range() adds the @len
      parameter. So it can process some consecutive blocks at a time.
      
      Change-Id: I3b30396567771e1d3608395fa0b7e5e379ddc805
      Signed-off-by: default avatarYi Sun <yi.sun@unisoc.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 3d56fbb1)
      6c18af5c
    • Dmitry Antipov's avatar
      UPSTREAM: f2fs: ensure that node info flags are always initialized · 7914c5db
      Dmitry Antipov authored
      
      Syzbot has reported the following KMSAN splat:
      
      BUG: KMSAN: uninit-value in f2fs_new_node_page+0x1494/0x1630
       f2fs_new_node_page+0x1494/0x1630
       f2fs_new_inode_page+0xb9/0x100
       f2fs_init_inode_metadata+0x176/0x1e90
       f2fs_add_inline_entry+0x723/0xc90
       f2fs_do_add_link+0x48f/0xa70
       f2fs_symlink+0x6af/0xfc0
       vfs_symlink+0x1f1/0x470
       do_symlinkat+0x471/0xbc0
       __x64_sys_symlink+0xcf/0x140
       x64_sys_call+0x2fcc/0x3d90
       do_syscall_64+0xd9/0x1b0
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Local variable new_ni created at:
       f2fs_new_node_page+0x9d/0x1630
       f2fs_new_inode_page+0xb9/0x100
      
      So adjust 'f2fs_get_node_info()' to ensure that 'flag'
      field of 'struct node_info' is always initialized.
      
      Reported-by: default avatar <syzbot+5141f6db57a2f7614352@syzkaller.appspotmail.com>
      Closes: https://syzkaller.appspot.com/bug?extid=5141f6db57a2f7614352
      
      
      Fixes: e05df3b1 ("f2fs: add node operations")
      Suggested-by: default avatarChao Yu <chao@kernel.org>
      Change-Id: I280a1e4b8be3232b8c52cf2a04448b4f00f32733
      Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 76f01376)
      7914c5db
    • Yongpeng Yang's avatar
      UPSTREAM: f2fs: The GC triggered by ioctl also needs to mark the segno as victim · 59367f36
      Yongpeng Yang authored
      
      In SSR mode, the segment selected for allocation might be the same as
      the target segment of the GC triggered by ioctl, resulting in the GC
      moving the CURSEG_I(sbi, type)->segno.
      Thread A				Thread B or Thread A
      - f2fs_ioc_gc_range
       - __f2fs_ioc_gc_range(.victim_segno=segno#N)
        - f2fs_gc
         - __get_victim
          - f2fs_get_victim
          : segno#N is valid, return segno#N as source segment of GC
      					- f2fs_allocate_data_block
      						- need_new_seg
      						- get_ssr_segment
      						- f2fs_get_victim
      						: get segno #N as destination segment
      						- change_curseg
      
      Fixes: e066b83c ("f2fs: add ioctl to flush data from faster device to cold area")
      Change-Id: I715be25c6e8c59469f8ad6e0d8f49c8b8655d5b3
      Signed-off-by: default avatarYongpeng Yang <yangyongpeng1@oppo.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit e9a844f6)
      59367f36
    • zangyangyang1's avatar
      UPSTREAM: f2fs: cache more dentry pages · d01006bd
      zangyangyang1 authored
      
      While traversing dir entries in dentry page, it's better to refresh current
      accessed page in lru list by using FGP_ACCESSED flag, otherwise, such page
      may have less chance to survive during memory reclaim, resulting in
      additional IO when revisiting dentry page.
      
      Change-Id: Ia97da0427de95fe7e4a6f65985b3adecac94c85a
      Signed-off-by: default avatarzangyangyang1 <zangyangyang1@xiaomi.com>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 5f659454)
      d01006bd
    • Matthew Wilcox (Oracle)'s avatar
      UPSTREAM: f2fs: Remove calls to folio_file_mapping() · d149cd37
      Matthew Wilcox (Oracle) authored
      
      All folios that f2fs sees belong to f2fs and not to the swapcache
      so it can dereference folio->mapping directly like all other
      filesystems do.
      
      Change-Id: I7c2861340cd368439d132bff1fc7dcc63542f904
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit c910a64b)
      d149cd37
    • Matthew Wilcox (Oracle)'s avatar
      UPSTREAM: f2fs: Convert __read_io_type() to take a folio · 9b0089ba
      Matthew Wilcox (Oracle) authored
      
      Remove the last call to page_file_mapping() as both callers can now pass
      in a folio.
      
      Change-Id: I28819fd1773700ec234595470343466964c75afb
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 19bbd306)
      9b0089ba
    • Matthew Wilcox (Oracle)'s avatar
      UPSTREAM: f2fs: Use a data folio in f2fs_submit_page_bio() · 19331916
      Matthew Wilcox (Oracle) authored
      
      Remove a call to compound_head().  We can call bio_add_folio_nofail()
      here because we just allocated the bio, so we know it can't fail and
      thus the error path can never be taken.
      
      Change-Id: I877933550970e7ebe30152e579f08ae7030bcd84
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Reviewed-by: default avatarChao Yu <chao@kernel.org>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit f58d8645)
      19331916