Commit Graph

1200849 Commits

Author SHA1 Message Date
Linus Torvalds
2b17e90d3f Hi,
I picked three small scale updates from my 'master' branch, which I think
 would improve the quality of the release.
 
 BR, Jarkko
 -----BEGIN PGP SIGNATURE-----
 
 iIgEABYIADAWIQRE6pSOnaBC00OEHEIaerohdGur0gUCZMQGvhIcamFya2tvQGtl
 cm5lbC5vcmcACgkQGnq6IXRrq9IUqQEA9JdRSB36fPdVLYu0NRmkE5lY9hG6YPw1
 lo0Z4738DD8A/iEewsym1k7Hvtae6Dh/kSNeljKAENDDWhMLzoV2zbkF
 =cX64
 -----END PGP SIGNATURE-----

Merge tag 'tpmdd-v6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd

Pull tpm fixes from Jarkko Sakkinen:
 "I picked up three small scale updates that I think would improve the
  quality of the release"

* tag 'tpmdd-v6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  tpm_tis: Explicitly check for error code
  tpm: Switch i2c drivers back to use .probe()
  security: keys: perform capable check only on privileged operations
2023-07-28 16:44:32 -07:00
Zheng Yejian
2d093282b0 ring-buffer: Fix wrong stat of cpu_buffer->read
When pages are removed in rb_remove_pages(), 'cpu_buffer->read' is set
to 0 in order to make sure any read iterators reset themselves. However,
this will mess 'entries' stating, see following steps:

  # cd /sys/kernel/tracing/
  # 1. Enlarge ring buffer prepare for later reducing:
  # echo 20 > per_cpu/cpu0/buffer_size_kb
  # 2. Write a log into ring buffer of cpu0:
  # taskset -c 0 echo "hello1" > trace_marker
  # 3. Read the log:
  # cat per_cpu/cpu0/trace_pipe
       <...>-332     [000] .....    62.406844: tracing_mark_write: hello1
  # 4. Stop reading and see the stats, now 0 entries, and 1 event readed:
  # cat per_cpu/cpu0/stats
   entries: 0
   [...]
   read events: 1
  # 5. Reduce the ring buffer
  # echo 7 > per_cpu/cpu0/buffer_size_kb
  # 6. Now entries became unexpected 1 because actually no entries!!!
  # cat per_cpu/cpu0/stats
   entries: 1
   [...]
   read events: 0

To fix it, introduce 'page_removed' field to count total removed pages
since last reset, then use it to let read iterators reset themselves
instead of changing the 'read' pointer.

Link: https://lore.kernel.org/linux-trace-kernel/20230724054040.3489499-1-zhengyejian1@huawei.com

Cc: <mhiramat@kernel.org>
Cc: <vnagarnaik@google.com>
Fixes: 83f40318da ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2023-07-28 19:16:23 -04:00
Linus Torvalds
f837f0a3c9 A couple of SME updates for recent fixes (one of which went to stable):
reverting the flushing of the SME hardware state along with the thread
 flushing and making sure we have the correct vector length before
 reallocating.
 
 An ACPI/IORT fix to avoid skipping ID mappings whose "number of IDs" is
 0 (the spec reports the number of IDs in the mapping range minus 1).
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE5RElWfyWxS+3PLO2a9axLQDIXvEFAmTD40YACgkQa9axLQDI
 XvGmrw/+LSbXPWdBR4d4NnEOuw2YpD7jZ9DosfrtTUm5ca+gnQzLr+6Z9ysVOMX1
 jzEEVMacFHidpY3cSl9waakl/SKHyu6yPFVkKONWz0iFGbqY9w1RWvCQb7APHWUe
 +aaav0GQU/WfnaOGfipuw5mcMpZT4NUTQK3EPZ4C++YvaN4uQiEzivNLmaHkQTqV
 DwY/tUf3AgbEslfV5SO97eXjuZ+TO1DANaI+wdVrHd1k5Zcq+XYIyw+sbTEdUJOx
 KBuK5SjfovNU8x7sg5i1aTBFVR3/sPlPrc0ueGYZsSn3/mWNQHOu/Iy3HYIdFPVM
 P16udTKruXFZsJCLUeykf9DD4d/WnV7wmKZOZgtDTmHUu45CKsZawYC+cVIkNAIx
 kUnEZM+GcLdMY7Ry2oyeeb/deFK6QEt8GfbKfqNubYn/MKvNabTGimKze2gk1cQR
 w7s/WWDN0finRJVy9SZrKvB3NbTw28aUZ+zDd1MzbSQncRtn0mZ2O06muxAbrP+C
 OqgtG1VEmwc0mWs8A79GQ9UBY4NCVCdl49bFTRBlot3eyLWu8nZyDzS6XELqB9/n
 Q5j7SOmj4CiOLfJGeTKNKs5cGf1mm2NUs8hpdEOaCEa0+rkAgfLsUnwDtMmHwQZ8
 sHSsRwf4BR1KexfCpehqoic8XhOA9IjrDMQAx710cbQeLYiJ5iA=
 =qoWG
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:

 - A couple of SME updates for recent fixes (one of which went to
   stable): reverting the flushing of the SME hardware state along with
   the thread flushing and making sure we have the correct vector length
   before reallocating.

 - An ACPI/IORT fix to avoid skipping ID mappings whose "number of IDs"
   is 0 (the spec reports the number of IDs in the mapping range minus
   1).

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  ACPI/IORT: Remove erroneous id_count check in iort_node_get_rmr_info()
  arm64/sme: Set new vector length before reallocating
  arm64/fpsimd: Don't flush SME register hardware state along with thread
2023-07-28 11:21:57 -07:00
Linus Torvalds
81eef8909d xen: branch for v6.5-rc4
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQRTLbB6QfY48x44uB6AXGG7T9hjvgUCZMO5BAAKCRCAXGG7T9hj
 vnPZAP9KjUky9BViliBYKbUx5NGsU99z3vyKXgOY5M94+wDIkgD+KEowrcCmS4iY
 +eNt2G+CXDM1u9w3YtnuS1FM8hXIhQ4=
 =jn6A
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-6.5a-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:

 - A fix for a performance problem in QubesOS, adding a way to drain the
   queue of grants experiencing delayed unmaps faster

 - A patch enabling the use of static event channels from user mode,
   which was omitted when introducing supporting static event channels

 - A fix for a problem where Xen related code didn't check properly for
   running in a Xen environment, resulting in a WARN splat

* tag 'for-linus-6.5a-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen: speed up grant-table reclaim
  xen/evtchn: Introduce new IOCTL to bind static evtchn
  xenbus: check xen_domain in xenbus_probe_initcall
2023-07-28 11:17:30 -07:00
Alexander Steffen
513253f8c2 tpm_tis: Explicitly check for error code
recv_data either returns the number of received bytes, or a negative value
representing an error code. Adding the return value directly to the total
number of received bytes therefore looks a little weird, since it might add
a negative error code to a sum of bytes.

The following check for size < expected usually makes the function return
ETIME in that case, so it does not cause too many problems in practice. But
to make the code look cleaner and because the caller might still be
interested in the original error code, explicitly check for the presence of
an error code and pass that through.

Cc: stable@vger.kernel.org
Fixes: cb5354253a ("[PATCH] tpm: spacing cleanups 2")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-07-28 18:13:39 +00:00
Uwe Kleine-König
be6f48a7c8 tpm: Switch i2c drivers back to use .probe()
After commit b8a1a4cd5a ("i2c: Provide a temporary .probe_new()
call-back type"), all drivers being converted to .probe_new() and then
03c835f498 ("i2c: Switch .probe() to not take an id parameter")
convert back to (the new) .probe() to be able to eventually drop
.probe_new() from struct i2c_driver.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-07-28 18:12:40 +00:00
Christian Göttsche
2d7f105edb security: keys: perform capable check only on privileged operations
If the current task fails the check for the queried capability via
`capable(CAP_SYS_ADMIN)` LSMs like SELinux generate a denial message.
Issuing such denial messages unnecessarily can lead to a policy author
granting more privileges to a subject than needed to silence them.

Reorder CAP_SYS_ADMIN checks after the check whether the operation is
actually privileged.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-07-28 18:07:41 +00:00
Linus Torvalds
e62e26d3e9 A patch to reduce the potential for erroneous RBD exclusive lock
blocklisting (fencing) with a couple of prerequisites and a fixup to
 prevent metrics from being sent to the MDS even just once after that
 has been disabled by the user.  All marked for stable.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAmTD7MgTHGlkcnlvbW92
 QGdtYWlsLmNvbQAKCRBKf944AhHzi3SBB/4nHdfSQwy0z2+PM766sUKxSlmaRw8X
 4AJyGAIGj5BnHHhtluwLpEYfrh3wfyCRaNYgS64jdsudbUBxPKIIWn2lEFxtyWbC
 w0R2uEc+NGJLJOYfJ+lBP06Q2r6qk7N6OGNy6qLaN+v6xJ8WPw7H3fJBLVhnPgMq
 7lkACRN+0P5Xt6ZJ57kbWWiFQ+vjv7bbDa0P9zMl6uCgoYsIpvrskqygx+gHbdsq
 IcnpsHu3F0ycYAJT5eJ5GcCcThvwbNjWdbJy1fERah7U/LNcX/S3To9V5LPmydOQ
 tYAWMlC/1a99fr+jTYF0Pu5GLUdK0UMKeX04ZN3SKON4pORurpypw3n8
 =rw72
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-6.5-rc4' of https://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "A patch to reduce the potential for erroneous RBD exclusive lock
  blocklisting (fencing) with a couple of prerequisites and a fixup to
  prevent metrics from being sent to the MDS even just once after that
  has been disabled by the user. All marked for stable"

* tag 'ceph-for-6.5-rc4' of https://github.com/ceph/ceph-client:
  rbd: retrieve and check lock owner twice before blocklisting
  rbd: harden get_lock_owner_info() a bit
  rbd: make get_lock_owner_info() return a single locker or NULL
  ceph: never send metrics if disable_send_metrics is set
2023-07-28 10:47:24 -07:00
Linus Torvalds
28d79b746c Misc set of fixes for 9p in 6.5
Most of these clean up warnings we've gotten out of compilation tools, but
 several of them were from inspection while hunting down a couple of
 regressions.
 
 The most important one to pull is 75b396821c
 (fs/9p: remove unnecessary and overrestrictive check)
 which caused a regression for some folks by restricting mmap
 in any case where writeback caches weren't enabled.
 
 Most of the other bugs caught via inspection were type mismatches.
 
 Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElpbw0ZalkJikytFRiP/V+0pf/5gFAmTDH8cACgkQiP/V+0pf
 /5hSJQ//b59cDliC7Knf9B2Of1UsLJ2wYIbxWVYKLwYarKFn3tmtO5dPtWZrQzjB
 Kz6fif5z1c0WdjNFLifs/XNqUq5znX/TY8bV/NmOg8VlaoJqmUQSSYnNQOWZCFKT
 zwxC6BO6gPNNIkJN2xQ8oOq11Qon/nbZbuN9P2VDcT5Yr2KmFx6FHRcrBNRYAm3E
 UzFdjkLrLef3VrvegJNGM3Wv2HqyNBA6QhifZBjDkydtDPMd9fRNns7Q60AARR9K
 aqXV6SihE/Ox7sSmVNjTzYF67eq5Xjt+sSzo2SdfOaZxVIa6wf0UXQuFqmHts6Zs
 QUCdXS5YbQAwQfdkm22rnTIxAwsbEpFOGGweUvMBXzZbl/sq/PK4Nt6DpCS8ZFi3
 81Z5Ey+Q4yaxwdirP521M4ao2Ae2Fzg12bqDTNssZdOYGcXBqBfWiR5IfMbbkgWq
 WzCVI3V/LshQ75pXQyS4BtW/29C2nN7g3jLrF3Q5OTe7XmHMCZFvtP4lKvY0piQy
 ++XoDs1LCJWSZebfkNa05L5nhQ1mYhwiZutHTtF3ejTTiJvcJXQ4xHYLzjOON+4i
 blLTpgWLO0rIRAmX0I8GwPi6q0xL4rFP4XGGz/LDppRQkRa13vtzFtMvuldPyEq7
 g4pcLkI3SPbL982qYbg8UO+GjO/Q9M/DafXQVlUyDw04TQbT8Jg=
 =TAC1
 -----END PGP SIGNATURE-----

Merge tag '9p-fixes-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs

Pull 9p fixes from Eric Van Hensbergen:
 "Misc set of fixes for 9p.

  Most of these clean up warnings we've gotten out of compilation tools,
  but several of them were from inspection while hunting down a couple
  of regressions.

  The most important one is 75b396821c ("fs/9p: remove unnecessary and
  overrestrictive check") which caused a regression for some folks by
  restricting mmap in any case where writeback caches weren't enabled.

  Most of the other bugs caught via inspection were type mismatches"

* tag '9p-fixes-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
  fs/9p: Remove unused extern declaration
  9p: remove dead stores (variable set again without being read)
  9p: virtio: skip incrementing unused variable
  9p: virtio: make sure 'offs' is initialized in zc_request
  9p: virtio: fix unlikely null pointer deref in handle_rerror
  9p: fix ignored return value in v9fs_dir_release
  fs/9p: remove unnecessary invalidate_inode_pages2
  fs/9p: fix type mismatch in file cache mode helper
  fs/9p: fix typo in comparison logic for cache mode
  fs/9p: remove unnecessary and overrestrictive check
  fs/9p: Fix a datatype used with V9FS_DIRECT_IO
2023-07-28 10:43:16 -07:00
Linus Torvalds
818680d154 block-6.5-2023-07-28
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmTD2VcQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpqzgEADT9lc0fr8wnp2fu/7NhkdsaPtuoUKiH7ju
 qxWExXIzxxKYM6OdCdYho9SvIjtdblraZOGqrEni8KMcKnR6vDd8BjGzPJ2BJQe2
 GhU0VLVqAw2uoaLhWIZ3m+CyKn7rggoCwpTAUFQG7vL6vSW+ExkWs6g4XcrWhq5V
 XCPJnNRc2o6OdFnv1xBNy1YRrP2ME+HaghJdDNxVM4R9hOv4PVvYrW7P2fK1gurD
 o3JgTAQg6//16ZBAMcZDkwuGGFVdvG16EiE/0z3QdP4WeDqSFqqxYtk8m/LqAx31
 FswUI+YDmKJHSfbLCh6pW4j81xH+svVi0LiANdlxCMGg3zouft+wh/KGdQJC/rcb
 ocFgUCOL4P4208wXkuUjtcAI0zmEMPAIoRQirOzDExja0bI4LJrp3GKJ78U4MbDo
 iBM5qgkH+MqwD/jXMOY5MnEEBzqceW7Q5Al6emE093kRenIYulEL6ZFy05vfqG1+
 NuQcvSJ9f0mgTDUGr0bXytshTG4vSHtKZ9UfAgh5FzPBnPYpwRbxlq6i/7+DxU6k
 33FTzNLuRwDSEo33Uj75KwK1glizofYj6lrqYxVw/9jkVAEEzpjr6H8Su1+dTt8L
 ZbXSQKdxsAxGdbIMeA1lUfUmqQHi1ouTLsBzwkceKCeN3UXmzGOnNBXmvoVXSv0A
 v4RNV+WHCA==
 =TD54
 -----END PGP SIGNATURE-----

Merge tag 'block-6.5-2023-07-28' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:
 "A few fixes that should go into the current kernel release, mainly:

   - Set of fixes for dasd (Stefan)

   - Handle interruptible waits returning because of a signal for ublk
     (Ming)"

* tag 'block-6.5-2023-07-28' of git://git.kernel.dk/linux:
  ublk: return -EINTR if breaking from waiting for existed users in DEL_DEV
  ublk: fail to recover device if queue setup is interrupted
  ublk: fail to start device if queue setup is interrupted
  block: Fix a source code comment in include/uapi/linux/blkzoned.h
  s390/dasd: print copy pair message only for the correct error
  s390/dasd: fix hanging device after request requeue
  s390/dasd: use correct number of retries for ERP requests
  s390/dasd: fix hanging device after quiesce/resume
2023-07-28 10:23:41 -07:00
Linus Torvalds
9c65505826 io_uring-6.5-2023-07-28
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmTD2W8QHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgprV3EADCRTtNrDWDbOFjAgfpfzzdRvumc4ANjFZ9
 h8xM9SIt9JBKvD6Lt8w825nYpBvGiK39qmnHssSgKz2Wna0gLM46ocKNQ6ilGWY1
 jP2rIazBpoEHPrR/yecpt4apWhv96c73hh25SISab2B1BBDYpI+WuUp5Hmwfe9Ya
 qAUSxwvlDtw5N4/tgJNNcu25nxWur3ACplMG5zUzp+ruVaJCHQlKsuXgTO5Ae8Nw
 rxkEUb3g+hPAcExofEgvPZjvQFr7k7jFexHC74XgZZznqrUZFnEtIXHwF+44iFb1
 /HgYZrcmQ8Wb2G3mD42fpuu5aMaQlghgJT13tEVZ8sQsqt965wIN5tkxp0CQHjPM
 P1bBEHa3g1I7U80CshKwNoawP0T8teRSKjHj4o62QvFKoH4VH58bImCVby5MwTs1
 eSB3DN3121rfwUY7gNzpdCnFIlpp3jSrSLMkMGmoV5iJuTRkIgpGJ3+uty5lesYs
 DmTkrzguRiuUK8NP5CUvsL7FPZmcTjWU4BXujbC4WCt0Uc4pXZUBIIUWB7AwOBTC
 FHy0W0A3H9pY5yyKyHfKUlDe7CnIgLXDstdznArtbn374R+j7R04dSWlntlg2bIk
 ZDl9wZ0MmQPMXCKXXk8Pc0EcamXt8Tp12Xb0VtF6ETPbDF0Xn6oSSkIIYda7z0WP
 PXjhTzIssQ==
 =+ctz
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-6.5-2023-07-28' of git://git.kernel.dk/linux

Pull io_uring fix from Jens Axboe:
 "Just a single tweak to a patch from last week, to avoid having idle
  cqring waits be attributed as iowait"

* tag 'io_uring-6.5-2023-07-28' of git://git.kernel.dk/linux:
  io_uring: gate iowait schedule on having pending requests
2023-07-28 10:19:44 -07:00
Linus Torvalds
0299a13af0 iommufd for 6.5 rc
Two user triggerable problems:
 
 - Syzkaller found a way to trigger a WARN_ON and leak memory by racing
   destroy with other actions
 
 - There is still a bug in the "batch carry" stuff that gets invoked for
   complex cases with accesses and unmapping of huge pages. The test suite
   found this (triggers rarely)
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQRRRCHOFoQz/8F5bUaFwuHvBreFYQUCZMO+5wAKCRCFwuHvBreF
 YR+YAP446OXo05z243Y6CUIL1qacwS08QfXnfzKjDHIDXqzEuQEAsQf9hbb2BhP/
 +4/rrMgMVHrmeUDfzmCL2poOP+Kvtgc=
 =a/mr
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd

Pull iommufd fixes from Jason Gunthorpe:
 "Two user triggerable problems:

   - Syzkaller found a way to trigger a WARN_ON and leak memory by
     racing destroy with other actions

   - There is still a bug in the "batch carry" stuff that gets invoked
     for complex cases with accesses and unmapping of huge pages. The
     test suite found this (triggers rarely)"

* tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd:
  iommufd: Set end correctly when doing batch carry
  iommufd: IOMMUFD_DESTROY should not increase the refcount
2023-07-28 10:15:44 -07:00
Linus Torvalds
c75981a1be - Fix double free on memory allocation failure in DM integrity
target's integrity_recalc()
 
 - Fix locking in DM raid target's raid_ctr() and around call to
   md_stop()
 
 - Fix DM cache target's cleaner policy to always allow work to be
   queued for writeback; even if cache isn't idle.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEJfWUX4UqZ4x1O2wixSPxCi2dA1oFAmTC1UoACgkQxSPxCi2d
 A1pIGAgAhQjlNQ83DexvmMUoNDRGFxOBiOcL9DnVtiXsLd/wTXZTEDIDXJaH9hCq
 MAj7aqadBeHlWT+vNMOYH9ePPtySEKGs8VM/4/fwNtT6wMyqxZZk4JyN7z+YBVJV
 d/9lryVZYRWK7ICgRenR/VSxv8/JgVTBGZZqyl20SXhtlYxndxGcLeV0X8fP3G1Q
 pxdsNuE7TBclB8qrXiPIOlIK0HcSikz6CfQIar3zgip6fO+Wwb92CZ1DOGGi1RJz
 bsTmZXn08l3d1tMJ+y4umZm+Izq8gvWSgDBywRdWq/D6Ao1ScVqY4TExFSSkjDk0
 PUY49vMF/FsKfNt5/VK0/i2U7QAKDQ==
 =92HI
 -----END PGP SIGNATURE-----

Merge tag 'for-6.5/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix double free on memory allocation failure in DM integrity target's
   integrity_recalc()

 - Fix locking in DM raid target's raid_ctr() and around call to
   md_stop()

 - Fix DM cache target's cleaner policy to always allow work to be
   queued for writeback; even if cache isn't idle.

* tag 'for-6.5/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
  dm raid: protect md_stop() with 'reconfig_mutex'
  dm raid: clean up four equivalent goto tags in raid_ctr()
  dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
  dm integrity: fix double free on memory allocation failure
2023-07-28 10:08:49 -07:00
Linus Torvalds
6fb9f7f839 sound fixes for 6.5-rc4
A collection of device-specific small fixes such as ASoC Realtek
 codec fixes for PM issues, ASoC nau8821 quirk additions, and usual
 HD- and USB-audio quirks.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmTDriAOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE9oew//d8mUKTQtOC7kY1lWm5IElO3xIP25vg4Ct3jU
 giBZoZOPmuw2idEUvGn2cE7WsbdyXytflZMkRZi4sf5nCnVf4cuwprtKyibnO1Ld
 hCPyVYDNOjv23mLBoNRJNiZPvC7+tU36eg9Li+wcxSk17recxfj8LoP4MoQ3qsiI
 kgpR++BwO5tKJnIjA9/vM/Ksj2OYRHLW6/XNki/o9Y8X1bREU6uNwgAeghrxyKXh
 tnpadV5cgiAC5rhlUcbnqaPWmDrwIXWzNHkrJ7XHf/8cEMrpKRBBhLcQRPFG15Kd
 ZNV8gCcrcthy0drRN8E01QFYvyqmuP5sVvN/4VZNrdOZBYKZWVwHFowlB5KOEnB0
 /8pkjsFMSvGMLmsNJWWAYJFZ7BIp3b5Hghyvujl2FJhy2ClJkj4qZUA1jlo/uoT/
 nj3VRp9RyMelYKZAVemfyLDIowPznmKPkp1nisXsWP21xydYYbdXV5FrY/lgQUtX
 GUf+N0spqAzcRbHc7FKDFqGc1zMJAln30nyICGlyiLdwHZn8ZXXmXwfH5jqUyqGL
 zXw8lVhfeyq6g74wMRbaaNFwdZqkco4+DV7cKzs/0kDwOu4rD5tia6vumZHS0C/O
 oqoi0PBXU2b235u5CyFVD/ZpYda2GlK23TXpDNZT7uihbMwAmjyIx0r2Xh3219UW
 MNLjW9A=
 =XrNX
 -----END PGP SIGNATURE-----

Merge tag 'sound-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A collection of device-specific small fixes such as ASoC Realtek codec
  fixes for PM issues, ASoC nau8821 quirk additions, and usual HD- and
  USB-audio quirks"

* tag 'sound-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/realtek: Support ASUS G713PV laptop
  ALSA: usb-audio: Update for native DSD support quirks
  ALSA: usb-audio: Add quirk for Microsoft Modern Wireless Headset
  ALSA: hda/relatek: Enable Mute LED on HP 250 G8
  ASoC: atmel: Fix the 8K sample parameter in I2SC master
  ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0
  ASoC: rt711: fix for JD event handling in ClockStop Mode0
  ASoC: rt722-sdca: fix for JD event handling in ClockStop Mode0
  ASoC: rt712-sdca: fix for JD event handling in ClockStop Mode0
  ASoc: codecs: ES8316: Fix DMIC config
  ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0
  ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
  ASoC: nau8821: Add DMI quirk mechanism for active-high jack-detect
  ASoC: da7219: Check for failure reading AAD IRQ events
  ASoC: da7219: Flush pending AAD IRQ when suspending
  ALSA: seq: remove redundant unsigned comparison to zero
  ASoC: fsl_spdif: Silence output on stop
2023-07-28 10:04:40 -07:00
Linus Torvalds
17bf3df9af drm fixes for 6.5-rc4
fbdev:
 - remove unused function
 
 amdgpu:
 - gfxhub partition fix
 - Fix error handling in psp_sw_init()
 - SMU13 fix
 - DCN 3.1 fix
 - DCN 3.2 fix
 - Fix for display PHY programming sequence
 - DP MST error handling fix
 - GFX 9.4.3 fix
 
 amdkfd:
 - GFX11 trap handling fix
 
 i915:
 - Use shmem for dpt objects
 - Fix an error handling path in igt_write_huge()
 
 msm:
 - display:
 - Fix to correct the UBWC programming for decoder version 4.3 seen
   on SM8550
 - Add the missing flush and fetch bits for DMA4 and DMA5 SSPPs.
 - Fix to drop the unused dpu_core_perf_data_bus_id enum from the code
 - Drop the unused dsi_phy_14nm_17mA_regulators from QCM 2290 DSI cfg.
 - gpu:
 - Fix warn splat for newer devices without revn
 - Remove name/revn for a690.. we shouldn't be populating these for
   newer devices, for consistency, but it slipped through review
 - Fix a6xx gpu snapshot BINDLESS_DATA size (was listed in bytes
   instead of dwords, causing AHB faults on a6xx gen4/a660-family)
 - Disallow submit with fence id 0
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmTDJSoACgkQDHTzWXnE
 hr5wRA//X87lJG15oNFgmJnUmfCPZ3o1WaNdcj4F1UxhS9n30MP8fDvIpjyQjyOC
 xZ99q8f8XJWzGw7OuP9mjJroRZ+KncFVBv8GN1bts6aTTDRAOQdajBzrDqJrVS/7
 frhoDSJtoAF4ISZEpI3dc0ChPMCYKq7mtJ5IIeacq+Fm7dimBZPGyhtBl3FifRju
 8Ken2OkSlRlbO3KK6r7dZMninxSvYQgs7Cq66M4Wl4UQ9lMCprCC6YlZb09z60sV
 SwV0QY46lgC5GH1THaMtXeKIPKReDwc1AgvQpppMUBCWKU7DPKJwFyB+z1Eeg+NO
 0N92WqLrymqnPCfM2X15rVAH2c8ZQ6T9kbQRjp096ksrT+u71mgDgcZmIEaDCtqd
 tb0f6DK5HYdajFTCL4RAGBYWJeJ12ftfqonbPqiX9+qPplb5jOBnYgBh6czLwDzg
 A246AglZXQHHOIc64A0cRQ7xyeJZBapEVXJdAzvGCWSooIIHMkkx71w2RaRJ4d97
 tCR1TLjpp2NX5vGVL+s2MsFaJEdRN1yE5qIzpX+2kB9+haqKA6BNh6nW3eXhqBmd
 lpDCcCSkFKuKIIkSEfREr71kntlSqZBru9thQKUxdMbdSEfesSaaBzdaq9isVw0F
 kQkbX6dbe97pA+nHl4tum3xzjaA8+tCreYlNv7SZHbeazwKsltc=
 =Hd+m
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2023-07-28' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Regular scheduled fixes, msm and amdgpu leading the way, with some
  i915 and a single misc fbdev, all seems fine.

  fbdev:
   - remove unused function

  amdgpu:
   - gfxhub partition fix
   - Fix error handling in psp_sw_init()
   - SMU13 fix
   - DCN 3.1 fix
   - DCN 3.2 fix
   - Fix for display PHY programming sequence
   - DP MST error handling fix
   - GFX 9.4.3 fix

  amdkfd:
   - GFX11 trap handling fix

  i915:
   - Use shmem for dpt objects
   - Fix an error handling path in igt_write_huge()

  msm:
   - display:
      - Fix to correct the UBWC programming for decoder version 4.3 seen
        on SM8550
      - Add the missing flush and fetch bits for DMA4 and DMA5 SSPPs.
      - Fix to drop the unused dpu_core_perf_data_bus_id enum from the
        code
      - Drop the unused dsi_phy_14nm_17mA_regulators from QCM 2290 DSI
        cfg.
   - gpu:
      - Fix warn splat for newer devices without revn
      - Remove name/revn for a690.. we shouldn't be populating these for
        newer devices, for consistency, but it slipped through review
      - Fix a6xx gpu snapshot BINDLESS_DATA size (was listed in bytes
        instead of dwords, causing AHB faults on a6xx gen4/a660-family)
      - Disallow submit with fence id 0"

* tag 'drm-fixes-2023-07-28' of git://anongit.freedesktop.org/drm/drm: (22 commits)
  drm/msm: Disallow submit with fence id 0
  drm/amdgpu: Restore HQD persistent state register
  drm/amd/display: Unlock on error path in dm_handle_mst_sideband_msg_ready_event()
  drm/amd/display: Exit idle optimizations before attempt to access PHY
  drm/amd/display: Don't apply FIFO resync W/A if rdivider = 0
  drm/amd/display: Guard DCN31 PHYD32CLK logic against chip family
  drm/amd/smu: use AverageGfxclkFrequency* to replace previous GFX Curr Clock
  drm/amd: Fix an error handling mistake in psp_sw_init()
  drm/amdgpu: Fix infinite loop in gfxhub_v1_2_xcc_gart_enable (v2)
  drm/amdkfd: fix trap handling work around for debugging
  drm/fb-helper: Remove unused inline function drm_fb_helper_defio_init()
  drm/i915: Fix an error handling path in igt_write_huge()
  drm/i915/dpt: Use shmem for dpt objects
  drm/msm: Fix hw_fence error path cleanup
  drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
  drm/msm/adreno: Fix snapshot BINDLESS_DATA size
  drm/msm/a690: Remove revn and name
  drm/msm/adreno: Fix warn splat for devices without revn
  drm/msm/dsi: Drop unused regulators from QCM2290 14nm DSI PHY config
  drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
  ...
2023-07-28 09:59:39 -07:00
Linus Torvalds
f24767ca4f cxl fixes for v6.5-rc4
- Update MAINTAINERS for cxl
 
 - A few static analysis fixes
 
 - Fix a Kconfig dependency for CONFIG_FW_LOADER
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQT9vPEBxh63bwxRYEEPzq5USduLdgUCZMLhQgAKCRAPzq5USduL
 dliOAPwOV7ieakz6HYV8XlPwwOVob4gFQDdKNKaHXep1T30GlAD9HKieQ2X5gDev
 FR8PjPO7K0sZJ0Bu9NuxK5hINu88FwY=
 =objF
 -----END PGP SIGNATURE-----

Merge tag 'cxl-fixes-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl

Pull cxl fixes from Vishal Verma:

 - Update MAINTAINERS for cxl

 - A few static analysis fixes

 - Fix a Kconfig dependency for CONFIG_FW_LOADER

* tag 'cxl-fixes-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
  tools/testing/cxl: Remove unused SZ_512G macro
  cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws()
  cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
  cxl: Update MAINTAINERS
  cxl/mem: Fix a double shift bug
  cxl: fix CONFIG_FW_LOADER dependency
2023-07-28 09:50:04 -07:00
Mike Rapoport (IBM)
c442a957b2 Revert "mm,memblock: reset memblock.reserved to system init state to prevent UAF"
This reverts commit 9e46e4dcd9.

kbuild reports a warning in memblock_remove_region() because of a false
positive caused by partial reset of the memblock state.

Doing the full reset will remove the false positives, but will allow
late use of memblock_free() to go unnoticed, so it is better to revert
the offending commit.

   WARNING: CPU: 0 PID: 1 at mm/memblock.c:352 memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
   Modules linked in:
   CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc3-00001-g9e46e4dcd9d6 #2
   RIP: 0010:memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
   Call Trace:
     memblock_discard (kbuild/src/x86_64/mm/memblock.c:383)
     page_alloc_init_late (kbuild/src/x86_64/include/linux/find.h:208 kbuild/src/x86_64/include/linux/nodemask.h:266 kbuild/src/x86_64/mm/mm_init.c:2405)
     kernel_init_freeable (kbuild/src/x86_64/init/main.c:1325 kbuild/src/x86_64/init/main.c:1546)
     kernel_init (kbuild/src/x86_64/init/main.c:1439)
     ret_from_fork (kbuild/src/x86_64/arch/x86/kernel/process.c:145)
     ret_from_fork_asm (kbuild/src/x86_64/arch/x86/entry/entry_64.S:298)

Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202307271656.447aa17e-oliver.sang@intel.com
Signed-off-by: "Mike Rapoport (IBM)" <rppt@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2023-07-28 09:47:06 -07:00
Jann Horn
6c21e066f9 mm/mempolicy: Take VMA lock before replacing policy
mbind() calls down into vma_replace_policy() without taking the per-VMA
locks, replaces the VMA's vma->vm_policy pointer, and frees the old
policy.  That's bad; a concurrent page fault might still be using the
old policy (in vma_alloc_folio()), resulting in use-after-free.

Normally this will manifest as a use-after-free read first, but it can
result in memory corruption, including because vma_alloc_folio() can
call mpol_cond_put() on the freed policy, which conditionally changes
the policy's refcount member.

This bug is specific to CONFIG_NUMA, but it does also affect non-NUMA
systems as long as the kernel was built with CONFIG_NUMA.

Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Fixes: 5e31275cc9 ("mm: add per-VMA lock and helper functions to control it")
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2023-07-28 09:44:06 -07:00
Guanghui Feng
003e6b56d7 ACPI/IORT: Remove erroneous id_count check in iort_node_get_rmr_info()
According to the ARM IORT specifications DEN 0049 issue E,
the "Number of IDs" field in the ID mapping format reports
the number of IDs in the mapping range minus one.

In iort_node_get_rmr_info(), we erroneously skip ID mappings
whose "Number of IDs" equal to 0, resulting in valid mapping
nodes with a single ID to map being skipped, which is wrong.

Fix iort_node_get_rmr_info() by removing the bogus id_count
check.

Fixes: 491cf4a673 ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions")
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # 6.0.x
Acked-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Link: https://lore.kernel.org/r/1689593625-45213-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2023-07-28 14:50:50 +01:00
Huacai Chen
1e74ae3280 LoongArch: Cleanup __builtin_constant_p() checking for cpu_has_*
In the current configuration, cpu_has_lsx and cpu_has_lasx cannot be
constants. So cleanup the __builtin_constant_p() checking to reduce the
complexity.

Reviewed-by: WANG Xuerui <git@xen0n.name>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Tiezhu Yang
4eece7e6de LoongArch: BPF: Fix check condition to call lu32id in move_imm()
As the code comment says, the initial aim is to reduce one instruction
in some corner cases, if bit[51:31] is all 0 or all 1, no need to call
lu32id. That is to say, it should call lu32id only if bit[51:31] is not
all 0 and not all 1. The current code always call lu32id, the result is
right but the logic is unexpected and wrong, fix it.

Cc: stable@vger.kernel.org # 6.1
Fixes: 5dc615520c ("LoongArch: Add BPF JIT support")
Reported-by: Colin King (gmail) <colin.i.king@gmail.com>
Closes: https://lore.kernel.org/all/bcf97046-e336-712a-ac68-7fd194f2953e@gmail.com/
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Chenguang Zhao
de0e30bee8 LoongArch: BPF: Enable bpf_probe_read{, str}() on LoongArch
Currently nettrace does not work on LoongArch due to missing
bpf_probe_read{,str}() support, with the error message:

     ERROR: failed to load kprobe-based eBPF
     ERROR: failed to load kprobe-based bpf

According to commit 0ebeea8ca8 ("bpf: Restrict bpf_probe_read{,
str}() only to archs where they work"), we only need to select
CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE to add said support,
because LoongArch does have non-overlapping address ranges for kernel
and userspace.

Cc: stable@vger.kernel.org # 6.1
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
WANG Rui
e66d511fc9 LoongArch: Fix return value underflow in exception path
This patch fixes an underflow issue in the return value within the
exception path, specifically at .Llt8 when the remaining length is less
than 8 bytes.

Cc: stable@vger.kernel.org
Fixes: 8941e93ca5 ("LoongArch: Optimize memory ops (memset/memcpy/memmove)")
Reported-by: Weihao Li <liweihao@loongson.cn>
Signed-off-by: WANG Rui <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Zhihong Dong
83da30d73b LoongArch: Fix CMDLINE_EXTEND and CMDLINE_BOOTLOADER handling
On FDT systems these command line processing are already taken care of
by early_init_dt_scan_chosen(). Add similar handling to the ACPI (non-
FDT) code path to allow these config options to work for ACPI (non-FDT)
systems too.

Signed-off-by: Zhihong Dong <donmor3000@hotmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Huacai Chen
03c53eb90c LoongArch: Fix module relocation error with binutils 2.41
Binutils 2.41 enables linker relaxation by default, but the kernel
module loader doesn't support that, so just disable it. Otherwise we
get such an error when loading modules:

"Unknown relocation type 102"

As an alternative, we could add linker relaxation support in the kernel
module loader. But it is relatively large complexity that may or may not
bring a similar gain, and we don't really want to include this linker
pass in the kernel.

Reviewed-by: WANG Xuerui <git@xen0n.name>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Huacai Chen
54c2c9df08 LoongArch: Only fiddle with CHECKFLAGS if `need-compiler'
This is a port of commit 4fe4a6374c ("MIPS: Only fiddle with
CHECKFLAGS if `need-compiler'") to LoongArch.

We have originally guarded fiddling with CHECKFLAGS in our arch Makefile
by checking for the CONFIG_LOONGARCH variable, not set for targets such
as `distclean', etc. that neither include `.config' nor use the compiler.

Starting from commit 805b2e1d42 ("kbuild: include Makefile.compiler
only when compiler is needed") we have had a generic `need-compiler'
variable explicitly telling us if the compiler will be used and thus its
capabilities need to be checked and expressed in the form of compilation
flags.  If this variable is not set, then `make' functions such as
`cc-option' are undefined, causing all kinds of weirdness to happen if
we expect specific results to be returned.

It doesn't cause problems on LoongArch now. But as a guard we replace
the check for CONFIG_LOONGARCH with one for `need-compiler' instead, so
as to prevent the compiler from being ever called for CHECKFLAGS when
not needed.

Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2023-07-28 10:30:42 +08:00
Niklas Cassel
3ac873c76d ata: libata-core: fix when to fetch sense data for successful commands
The condition to fetch sense data was supposed to be:
ATA_SENSE set AND either
1) Command was NCQ and ATA_DFLAG_CDL_ENABLED flag set (flag
   ATA_DFLAG_CDL_ENABLED will only be set if the Successful NCQ command
   sense data supported bit is set); or
2) Command was non-NCQ and regular sense data reporting is enabled.

However the check in 2) accidentally had the negation at the wrong place,
causing it to try to fetch sense data if it was a non-NCQ command _or_
if regular sense data reporting was _not_ enabled.

Fix this by removing the extra parentheses that should not be there,
such that only the correct return (ata_is_ncq()) is negated.

Fixes: 18bd7718b5 ("scsi: ata: libata: Handle completion of CDL commands using policy 0xD")
Reported-by: Borislav Petkov <bp@alien8.de>
Closes: https://lore.kernel.org/linux-ide/20230722155621.GIZLv8JbURKzHtKvQE@fat_crate.local/
Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2023-07-28 11:30:34 +09:00
Dave Airlie
9a767faa94 Merge tag 'drm-msm-fixes-2023-07-27' of https://gitlab.freedesktop.org/drm/msm into drm-fixes
Fixes for v6.5-rc4

Display:
+ Fix to correct the UBWC programming for decoder version 4.3 seen
  on SM8550
+ Add the missing flush and fetch bits for DMA4 and DMA5 SSPPs.
+ Fix to drop the unused dpu_core_perf_data_bus_id enum from the code
+ Drop the unused dsi_phy_14nm_17mA_regulators from QCM 2290 DSI cfg.

GPU:
+ Fix warn splat for newer devices without revn
+ Remove name/revn for a690.. we shouldn't be populating these for
  newer devices, for consistency, but it slipped through review
+ Fix a6xx gpu snapshot BINDLESS_DATA size (was listed in bytes
  instead of dwords, causing AHB faults on a6xx gen4/a660-family)
+ Disallow submit with fence id 0

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Rob Clark <robdclark@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGs9MwCSfiyv8i7yWAsJKYEzCDyzaTx=ujX80Y23rZd9RA@mail.gmail.com
2023-07-28 11:59:14 +10:00
Dave Airlie
0dd9c514d2 amd-drm-fixes-6.5-2023-07-26:
amdgpu:
 - gfxhub partition fix
 - Fix error handling in psp_sw_init()
 - SMU13 fix
 - DCN 3.1 fix
 - DCN 3.2 fix
 - Fix for display PHY programming sequence
 - DP MST error handling fix
 - GFX 9.4.3 fix
 
 amdkfd:
 - GFX11 trap handling fix
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQQgO5Idg2tXNTSZAr293/aFa7yZ2AUCZMFpxwAKCRC93/aFa7yZ
 2BgxAQDI1hcwi2rb4rj2e1G5eU9KLjMPl0ybsEKmpllXWye2nwEAnmP0CFxtMpoR
 hzPkDpPG/kdNXIy0ekxwPqnkeCca9Ak=
 =RojP
 -----END PGP SIGNATURE-----

Merge tag 'amd-drm-fixes-6.5-2023-07-26' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-6.5-2023-07-26:

amdgpu:
- gfxhub partition fix
- Fix error handling in psp_sw_init()
- SMU13 fix
- DCN 3.1 fix
- DCN 3.2 fix
- Fix for display PHY programming sequence
- DP MST error handling fix
- GFX 9.4.3 fix

amdkfd:
- GFX11 trap handling fix

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230726184936.7812-1-alexander.deucher@amd.com
2023-07-28 11:55:32 +10:00
Dave Airlie
75da46c1fa Merge tag 'drm-intel-fixes-2023-07-27' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
- Use shmem for dpt objects [dpt] (Radhakrishna Sripada)
- Fix an error handling path in igt_write_huge() (Christophe JAILLET)

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZMI4Mtom7pDhLB7M@tursulin-desk
2023-07-28 11:53:27 +10:00
Dave Airlie
8e4bc0284c A single patch to remove an unused function.
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRcEzekXsqa64kGDp7j7w1vZxhRxQUCZMIWgwAKCRDj7w1vZxhR
 xcnUAPoDFKdMAqGonOSJUKllNbRDsx86O3uuns2HvgdCAOQiFAD/Q6ZU+5p5+1JN
 zA1Phv1e61GR4mkNYjmAhzgCsuJO1gU=
 =QRfO
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2023-07-27' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

A single patch to remove an unused function.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <mripard@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/dqvxednqyab5t7gvwvcq72x6yu7ug5gusmhpgs3kq6z7pf3co6@ofr6s7547gbe
2023-07-28 11:46:32 +10:00
Arnd Bergmann
3fc2febb0f ata: pata_ns87415: mark ns87560_tf_read static
The global function triggers a warning because of the missing prototype

drivers/ata/pata_ns87415.c:263:6: warning: no previous prototype for 'ns87560_tf_read' [-Wmissing-prototypes]
  263 | void ns87560_tf_read(struct ata_port *ap, struct ata_taskfile *tf)

There are no other references to this, so just make it static.

Fixes: c4b5b7b6c4 ("pata_ns87415: Initial cut at 87415/87560 IDE support")
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
2023-07-28 08:52:42 +09:00
Sidhartha Kumar
6c54312f96 mm/memory-failure: fix hardware poison check in unpoison_memory()
It was pointed out[1] that using folio_test_hwpoison() is wrong as we need
to check the indiviual page that has poison.  folio_test_hwpoison() only
checks the head page so go back to using PageHWPoison().

User-visible effects include existing hwpoison-inject tests possibly
failing as unpoisoning a single subpage could lead to unpoisoning an
entire folio.  Memory unpoisoning could also not work as expected as
the function will break early due to only checking the head page and
not the actually poisoned subpage.

[1]: https://lore.kernel.org/lkml/ZLIbZygG7LqSI9xe@casper.infradead.org/

Link: https://lkml.kernel.org/r/20230717181812.167757-1-sidhartha.kumar@oracle.com
Fixes: a6fddef49e ("mm/memory-failure: convert unpoison_memory() to folios")
Signed-off-by: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:05 -07:00
Dan Carpenter
641db40f3a proc/vmcore: fix signedness bug in read_from_oldmem()
The bug is the error handling:

	if (tmp < nr_bytes) {

"tmp" can hold negative error codes but because "nr_bytes" is type size_t
the negative error codes are treated as very high positive values
(success).  Fix this by changing "nr_bytes" to type ssize_t.  The
"nr_bytes" variable is used to store values between 1 and PAGE_SIZE and
they can fit in ssize_t without any issue.

Link: https://lkml.kernel.org/r/b55f7eed-1c65-4adc-95d1-6c7c65a54a6e@moroto.mountain
Fixes: 5d8de293c2 ("vmcore: convert copy_oldmem_page() to take an iov_iter")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:05 -07:00
Bjorn Andersson
286812b041 mailmap: update remaining active codeaurora.org email addresses
The lack of mailmap updates for @codeaurora.org addresses reduces the
usefulness of tools such as get_maintainer.pl.  Some recent (and welcome!)
additions has been made to improve the situation, this concludes the
effort.

Link: https://lkml.kernel.org/r/20230720210256.1296567-1-quic_bjorande@quicinc.com
Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:05 -07:00
Jann Horn
d8ab9f7b64 mm: lock VMA in dup_anon_vma() before setting ->anon_vma
When VMAs are merged, dup_anon_vma() is called with `dst` pointing to the
VMA that is being expanded to cover the area previously occupied by
another VMA.  This currently happens while `dst` is not write-locked.

This means that, in the `src->anon_vma && !dst->anon_vma` case, as soon as
the assignment `dst->anon_vma = src->anon_vma` has happened, concurrent
page faults can happen on `dst` under the per-VMA lock.  This is already
icky in itself, since such page faults can now install pages into `dst`
that are attached to an `anon_vma` that is not yet tied back to the
`anon_vma` with an `anon_vma_chain`.  But if `anon_vma_clone()` fails due
to an out-of-memory error, things get much worse: `anon_vma_clone()` then
reverts `dst->anon_vma` back to NULL, and `dst` remains completely
unconnected to the `anon_vma`, even though we can have pages in the area
covered by `dst` that point to the `anon_vma`.

This means the `anon_vma` of such pages can be freed while the pages are
still mapped into userspace, which leads to UAF when a helper like
folio_lock_anon_vma_read() tries to look up the anon_vma of such a page.

This theoretically is a security bug, but I believe it is really hard to
actually trigger as an unprivileged user because it requires that you can
make an order-0 GFP_KERNEL allocation fail, and the page allocator tries
pretty hard to prevent that.

I think doing the vma_start_write() call inside dup_anon_vma() is the most
straightforward fix for now.

For a kernel-assisted reproducer, see the notes section of the patch mail.

Link: https://lkml.kernel.org/r/20230721034643.616851-1-jannh@google.com
Fixes: 5e31275cc9 ("mm: add per-VMA lock and helper functions to control it")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:04 -07:00
Jann Horn
b1f02b9575 mm: fix memory ordering for mm_lock_seq and vm_lock_seq
mm->mm_lock_seq effectively functions as a read/write lock; therefore it
must be used with acquire/release semantics.

A specific example is the interaction between userfaultfd_register() and
lock_vma_under_rcu().

userfaultfd_register() does the following from the point where it changes
a VMA's flags to the point where concurrent readers are permitted again
(in a simple scenario where only a single private VMA is accessed and no
merging/splitting is involved):

userfaultfd_register
  userfaultfd_set_vm_flags
    vm_flags_reset
      vma_start_write
        down_write(&vma->vm_lock->lock)
        vma->vm_lock_seq = mm_lock_seq [marks VMA as busy]
        up_write(&vma->vm_lock->lock)
      vm_flags_init
        [sets VM_UFFD_* in __vm_flags]
  vma->vm_userfaultfd_ctx.ctx = ctx
  mmap_write_unlock
    vma_end_write_all
      WRITE_ONCE(mm->mm_lock_seq, mm->mm_lock_seq + 1) [unlocks VMA]

There are no memory barriers in between the __vm_flags update and the
mm->mm_lock_seq update that unlocks the VMA, so the unlock can be
reordered to above the `vm_flags_init()` call, which means from the
perspective of a concurrent reader, a VMA can be marked as a userfaultfd
VMA while it is not VMA-locked.  That's bad, we definitely need a
store-release for the unlock operation.

The non-atomic write to vma->vm_lock_seq in vma_start_write() is mostly
fine because all accesses to vma->vm_lock_seq that matter are always
protected by the VMA lock.  There is a racy read in vma_start_read()
though that can tolerate false-positives, so we should be using
WRITE_ONCE() to keep things tidy and data-race-free (including for KCSAN).

On the other side, lock_vma_under_rcu() works as follows in the relevant
region for locking and userfaultfd check:

lock_vma_under_rcu
  vma_start_read
    vma->vm_lock_seq == READ_ONCE(vma->vm_mm->mm_lock_seq) [early bailout]
    down_read_trylock(&vma->vm_lock->lock)
    vma->vm_lock_seq == READ_ONCE(vma->vm_mm->mm_lock_seq) [main check]
  userfaultfd_armed
    checks vma->vm_flags & __VM_UFFD_FLAGS

Here, the interesting aspect is how far down the mm->mm_lock_seq read can
be reordered - if this read is reordered down below the vma->vm_flags
access, this could cause lock_vma_under_rcu() to partly operate on
information that was read while the VMA was supposed to be locked.  To
prevent this kind of downwards bleeding of the mm->mm_lock_seq read, we
need to read it with a load-acquire.

Some of the comment wording is based on suggestions by Suren.

BACKPORT WARNING: One of the functions changed by this patch (which I've
written against Linus' tree) is vma_try_start_write(), but this function
no longer exists in mm/mm-everything.  I don't know whether the merged
version of this patch will be ordered before or after the patch that
removes vma_try_start_write().  If you're backporting this patch to a tree
with vma_try_start_write(), make sure this patch changes that function.

Link: https://lkml.kernel.org/r/20230721225107.942336-1-jannh@google.com
Fixes: 5e31275cc9 ("mm: add per-VMA lock and helper functions to control it")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:04 -07:00
Drew Fustini
15571273db scripts/spelling.txt: remove 'thead' as a typo
T-Head is a vendor of processor core IP, and they have recently introduced
the RISC-V TH1520 SoC.  Remove 'thead' as a typo of 'thread' to avoid
checkpatch incorrectly warning that 'thead' is typo in patches that add
support for T-Head designs in the kernel.

Link: https://lkml.kernel.org/r/20230723010329.674186-1-dfustini@baylibre.com
Link: https://www.t-head.cn/
Signed-off-by: Drew Fustini <dfustini@baylibre.com>
Acked-by: Guo Ren <guoren@kernel.org>
Cc: Conor Dooley <conor@kernel.org>
Cc: Jisheng Zhang <jszhang@kernel.org>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Diederik de Haas <didi.debian@cknow.org>
Cc: Ian Rogers <irogers@google.com>
Cc: Luca Ceresoli <luca.ceresoli@bootlin.com> # versaclock5
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:04 -07:00
Hugh Dickins
8b1cb4a2e8 mm/pagewalk: fix EFI_PGT_DUMP of espfix area
Booting x86_64 with CONFIG_EFI_PGT_DUMP=y shows messages of the form
"mm/pgtable-generic.c:53: bad pmd (____ptrval____)(8000000100077061)".

EFI_PGT_DUMP dumps all of efi_mm, including the espfix area, which is set
up with pmd entries which fit the pmd_bad() check: so 0d940a9b27 warns
and clears those entries, which would ruin running Win16 binaries.

The failing pte_offset_map() stopped such a kernel from even booting,
until a few commits later be872f83bf changed the pagewalk to tolerate
that: but it needs to be even more careful, to not spoil those entries.

I might have preferred to change init_espfix_ap() not to use "bad" pmd
entries; or to leave them out of the efi_mm dump.  But there is great
value in staying away from there, and a pagewalk check of address against
TASK_SIZE may protect from other such aberrations too.

Link: https://lkml.kernel.org/r/22bca736-4cab-9ee5-6a52-73a3b2bbe865@google.com
Closes: https://lore.kernel.org/linux-mm/CABXGCsN3JqXckWO=V7p=FhPU1tK03RE1w9UE6xL5Y86SMk209w@mail.gmail.com/
Fixes: 0d940a9b27 ("mm/pgtable: allow pte_offset_map[_lock]() to fail")
Fixes: be872f83bf ("mm/pagewalk: walk_pte_range() allow for pte_offset_map()")
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Cc: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:04 -07:00
Hugh Dickins
fa598952fa shmem: minor fixes to splice-read implementation
HWPoison: my reading of folio_test_hwpoison() is that it only tests the
head page of a large folio, whereas splice_folio_into_pipe() will splice
as much of the folio as it can: so for safety we should also check the
has_hwpoisoned flag, set if any of the folio's pages are hwpoisoned. 
(Perhaps that ugliness can be improved at the mm end later.)

The call to splice_zeropage_into_pipe() risked overrunning past EOF: ask
it for "part" not "len".

Link: https://lkml.kernel.org/r/32c72c9c-72a8-115f-407d-f0148f368@google.com
Fixes: bd194b1871 ("shmem: Implement splice-read")
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:03 -07:00
Hugh Dickins
253e5df8b8 tmpfs: fix Documentation of noswap and huge mount options
The noswap mount option is surely not one of the three options for sizing:
move its description down.

The huge= mount option does not accept numeric values: those are just in
an internal enum.  Delete those numbers, and follow the manpage text more
closely (but there's not yet any fadvise() or fcntl() which applies here).

/sys/kernel/mm/transparent_hugepage/shmem_enabled is hard to describe, and
barely relevant to mounting a tmpfs: just refer to transhuge.rst (while
still using the words deny and force, to help as informal reminders).

[rdunlap@infradead.org: fixup Docs table for huge mount options]
  Link: https://lkml.kernel.org/r/20230725052333.26857-1-rdunlap@infradead.org
Link: https://lkml.kernel.org/r/986cb0bf-9780-354-9bb-4bf57aadbab@google.com
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Fixes: d0f5a85442 ("shmem: update documentation")
Fixes: 2c6efe9cf2 ("shmem: add support to ignore swap")
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> 
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:03 -07:00
Andy Shevchenko
dddfa05eb5 Revert "um: Use swap() to make code cleaner"
This reverts commit 9b0da3f223.

The sigio.c is clearly user space code which is handled by
arch/um/scripts/Makefile.rules (see USER_OBJS rule).

The above mentioned commit simply broke this agreement,
we may not use Linux kernel internal headers in them without
thorough thinking.

Hence, revert the wrong commit.

Link: https://lkml.kernel.org/r/20230724143131.30090-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202307212304.cH79zJp1-lkp@intel.com/
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Herve Codina <herve.codina@bootlin.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Richard Weinberger <richard@nod.at>
Cc: Yang Guang <yang.guang5@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:03 -07:00
Feng Tang
d1836a3b2a mm/damon/core-test: initialise context before test in damon_test_set_attrs()
Running kunit test for 6.5-rc1 hits one bug:

        ok 10 damon_test_update_monitoring_result
    general protection fault, probably for non-canonical address 0x1bffa5c419cfb81: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 1 PID: 110 Comm: kunit_try_catch Tainted: G                 N 6.5.0-rc2 #15
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    RIP: 0010:damon_set_attrs+0xb9/0x120
    Code: f8 00 00 00 4c 8d 58 e0 48 39 c3 74 ba 41 ba 59 17 b7 d1 49 8b 43 10 4d
    8d 4b 10 48 8d 70 e0 49 39 c1 74 50 49 8b 40 08 31 d2 <69> 4e 18 10 27 00 00
    49 f7 30 31 d2 48 89 c5 89 c8 f7 f5 31 d2 89
    RSP: 0000:ffffc900005bfd40 EFLAGS: 00010246
    RAX: ffffffff81159fc0 RBX: ffffc900005bfeb8 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 01bffa5c419cfb69 RDI: ffffc900005bfd70
    RBP: ffffc90000013c10 R08: ffffc900005bfdc0 R09: ffffffff81ff10ed
    R10: 00000000d1b71759 R11: ffffffff81ff10dd R12: ffffc90000013a78
    R13: ffff88810eb78180 R14: ffffffff818297c0 R15: ffffc90000013c28
    FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 0000000002a1c001 CR4: 0000000000370ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     damon_test_set_attrs+0x63/0x1f0
     kunit_generic_run_threadfn_adapter+0x17/0x30
     kthread+0xfd/0x130

The problem seems to be related with the damon_ctx was used without
being initialized. Fix it by adding the initialization.

Link: https://lkml.kernel.org/r/20230718052811.1065173-1-feng.tang@intel.com
Fixes: aa13779be6 ("mm/damon/core-test: add a test for damon_set_attrs()")
Signed-off-by: Feng Tang <feng.tang@intel.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-07-27 13:07:03 -07:00
Linus Torvalds
57012c5753 Networking fixes for 6.5-rc4, including fixes from can, netfilter
Current release - regressions:
 
   - core: fix splice_to_socket() for O_NONBLOCK socket
 
   - af_unix: fix fortify_panic() in unix_bind_bsd().
 
   - can: raw: fix lockdep issue in raw_release()
 
 Previous releases - regressions:
 
   - tcp: reduce chance of collisions in inet6_hashfn().
 
   - netfilter: skip immediate deactivate in _PREPARE_ERROR
 
   - tipc: stop tipc crypto on failure in tipc_node_create
 
   - eth: igc: fix kernel panic during ndo_tx_timeout callback
 
   - eth: iavf: fix potential deadlock on allocation failure
 
 Previous releases - always broken:
 
   - ipv6: fix bug where deleting a mngtmpaddr can create a new temporary address
 
   - eth: ice: fix memory management in ice_ethtool_fdir.c
 
   - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue
 
   - eth: vxlan: calculate correct header length for GPE
 
   - eth: stmmac: apply redundant write work around on 4.xx too
 
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEEg1AjqC77wbdLX2LbKSR5jcyPE6QFAmTCbIwSHHBhYmVuaUBy
 ZWRoYXQuY29tAAoJECkkeY3MjxOkbGIP/RBALM+vg1ZpPWMUXRtjcdvuBqWFB2jB
 GsAfOj1PpHhusHx/CCyxl80oCtkmnLW3dE9HdoZJ6FYwxTYfhfwDhoPy02QOJ0OQ
 yy4xbtrczFekBoQECEzUHT+0oBTZXoU7eR+3LOhx5IGNnP2zMX8rQkbnjU21dahq
 Kkqo0Ir2L7VxGck67WDOaMAxJukO/WFB97KFsTJATwkbiQxhpw07NJi1fV4SzeFQ
 WXKfe7MiXBXmq53QWLScbUxRAcq3kduDNl0UCpz+L9ks5kayVJ3MOHkEfnJ5LIAQ
 dL4IJO6ugNj2FSZb9ulw6Kj3ZAjKXbrSWE0gHzU3vO8g6uqs4/yjz0uzbFSffiNs
 mbwASGxYRb48JO22Hn92xHNz9Wjpc1TXzLABp5dA2ykEqzw+XJ39qP0LUndVLlAW
 UBAKNK9w5+8UprN6HQpFq4pTlXN3Tr/WCGzRsB1x4rNVIoYHn5Y1VMtM8IZRODf3
 VcEenHg7k8SP8q4aFknmCueHdXWI4Rc66W4pUbcmyqDfH/+Xl4Q9qXxnH0a/SUx8
 3gxAfKCjFhnCqsXvlvHxwexY4TSN05jE+y5ZjQH0xSKkOFZsr5Qch1h75q5IGo2b
 /d87HwCP5eWPArR8eIl8WiONA94wbjWma04y65KsnoLtRz2iKZHXsei2jP0UtCHn
 zK3gbyXHq+iW
 =rx5z
 -----END PGP SIGNATURE-----

Merge tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from can, netfilter.

  Current release - regressions:

   - core: fix splice_to_socket() for O_NONBLOCK socket

   - af_unix: fix fortify_panic() in unix_bind_bsd().

   - can: raw: fix lockdep issue in raw_release()

  Previous releases - regressions:

   - tcp: reduce chance of collisions in inet6_hashfn().

   - netfilter: skip immediate deactivate in _PREPARE_ERROR

   - tipc: stop tipc crypto on failure in tipc_node_create

   - eth: igc: fix kernel panic during ndo_tx_timeout callback

   - eth: iavf: fix potential deadlock on allocation failure

  Previous releases - always broken:

   - ipv6: fix bug where deleting a mngtmpaddr can create a new
     temporary address

   - eth: ice: fix memory management in ice_ethtool_fdir.c

   - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue

   - eth: vxlan: calculate correct header length for GPE

   - eth: stmmac: apply redundant write work around on 4.xx too"

* tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
  tipc: stop tipc crypto on failure in tipc_node_create
  af_unix: Terminate sun_path when bind()ing pathname socket.
  tipc: check return value of pskb_trim()
  benet: fix return value check in be_lancer_xmit_workarounds()
  virtio-net: fix race between set queues and probe
  net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
  splice, net: Fix splice_to_socket() for O_NONBLOCK socket
  net: fec: tx processing does not call XDP APIs if budget is 0
  mptcp: more accurate NL event generation
  selftests: mptcp: join: only check for ip6tables if needed
  tools: ynl-gen: fix parse multi-attr enum attribute
  tools: ynl-gen: fix enum index in _decode_enum(..)
  netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
  netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
  netfilter: nft_set_rbtree: fix overlap expiration walk
  igc: Fix Kernel Panic during ndo_tx_timeout callback
  net: dsa: qca8k: fix mdb add/del case with 0 VID
  net: dsa: qca8k: fix broken search_and_del
  net: dsa: qca8k: fix search_and_insert wrong handling of new rule
  net: dsa: qca8k: enable use_single_write for qca8xxx
  ...
2023-07-27 12:27:37 -07:00
Linus Torvalds
bc168790de soundwire fixes for 6.4
- Core fix for enumeration completion
  - Qualcomm driver fix to update status
  - AMD driver fix for probe error check
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+vs47OPLdNbVcHzyfBQHDyUjg0cFAmTCWH4ACgkQfBQHDyUj
 g0cfjA//Q8QwotUsvQmTCmY5wSlfp/Rbh2onqOKU9OMszwlKOmS7nK8E7Yj8SXSH
 XmMDJ2GpB/TuVRMlNxJ0tz5gD8kp61411diDXA27qcKaVCmoFE7cC5jfqwTHobFD
 Rk8+2K8QSBksEM7MFSxBhs+E2Fdv9qurtKx2qxkzCRrPv7jVgP4bRvZKln/MXi5r
 5Y4zGaY0TeZmwy6sv1xtCNqfw69yc5DWtrFrVhuSTnXOY6T+yPQiPblWUFdi4877
 cwE9utQqv73GPOdAw7WUUsixhp1aiwdB/MZVPLcr3JAmFtiYGO3/NDwidwTHnjG1
 raOsynFOATybqxL0152e51TdOflYWXrun+IYBvh33iJnoRuKvNZqZ0jUhRXmwNi2
 4KOr3t6UuCN4tAedT0hjwfpjna8uQaWEqd90yZG6ZNKHK5VXlacqa9dF62+dtrsT
 EGEonXZ+A0uvNyWq+zMWGknle8gxNe1uxCs8cIkDnLFB1tcuE+ejMbJscQt6NVOe
 X7pR8qUAePZLyaNBApmE54BItIve00GTDrTHcdchZSVVYX/mSCalywuzKB2k1Bl/
 N8Dhws+IzbnnDUsr8jYY9TJDUg+TNqn1+KAIRjTzoMnno75Dh1zJm/t3ARw+xvkZ
 EDyf9LtMaKMoZuhVhrk/yFuTznLGJvVo6Z5GEVDe5NIDEmBGG5g=
 =+KVr
 -----END PGP SIGNATURE-----

Merge tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire

Pull soundwire fixes from Vinod Koul:

 - Core fix for enumeration completion

 - Qualcomm driver fix to update status

 - AMD driver fix for probe error check

* tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
  soundwire: amd: Fix a check for errors in probe()
  soundwire: qcom: update status correctly with mask
  soundwire: fix enumeration completion
2023-07-27 12:07:41 -07:00
Linus Torvalds
53c8621b9e phy fixes for 6.5
- Driver fixes for
    - Out of bound fix for hisilicon phy
    - Qualcomm synopsis femto phy for keeping clock enabled during suspend
      and enabling ref clocks
    - Mediatek driver fixes for upper limit test and error code
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+vs47OPLdNbVcHzyfBQHDyUjg0cFAmTCVkUACgkQfBQHDyUj
 g0cwAg/+KSYSB1//gIqKQDEzCztwGOeyXPBedF7x/hsxmd0PgJKTJjPKhVMvwDhs
 7Nfk/TR5LcEfZvVUrwQ2kykZTCR03Kqn7egSOq+W+vx57zVyLpQqxV0Gm79LEPPk
 w7ncXf//b2pQ5yRI164skzCWcB6BkpyTaUlH/jZdWXB8FXGkxbdMLDhwmU2Xd5YU
 49Jv3fH5Poym92RRALGZoFJg/jZxmniX/sV8NXqNVkND2mwKuz9psH/iCWh2+ofU
 1TZYyvwfdODCdR3+kYDXY46uUttPy/xeh2vEHCKYlfr/Zp0pbnLM0/jBD3o/1x2C
 /Dgk1eQjMoZNNUgLtaIv2FjSdQRNPX0u8Ml9iLvoFNgQR5LB1gzTHDmtwIRtOHpN
 BInIWWkoGgEgOjxybzPkRTCXhWS/eErAK1K4ZXh24xQfkivBH3YGiDiMpG3eR4Wy
 4rurv/UxDKqqvCdNkweiYCI41N4ThyzG6qr8fcat2a9ZZmdqlvc9lBFlCVXdxmQj
 1p4ZAwriGmo4zFP1/jxTKk1wU/peEh7hzBa8dsyTP77LYO9adcFi+OVnkNM24CJh
 w9cO4EqDl01rZ30vHbh1J1b1yRX3Cwa1+JGHMnGg96g1dJb+mC+1xU6nZ60sMcew
 NKnFeANY94SGEeN2Bn4BDaIcFCZ1UBfcxs0PHeaGO+81s7tj5j8=
 =nyhr
 -----END PGP SIGNATURE-----

Merge tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy

Pull phy fixes from Vinod Koul:

 - Out of bound fix for hisilicon phy

 - Qualcomm synopsis femto phy for keeping clock enabled during suspend
   and enabling ref clocks

 - Mediatek driver fixes for upper limit test and error code

* tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
  phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
  phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
  phy: qcom-snps-femto-v2: properly enable ref clock
  phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
  phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test
  phy: phy-mtk-dp: Fix an error code in probe()
2023-07-27 11:52:41 -07:00
Linus Torvalds
64de76ce8e for-6.5-rc3-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAmTCTAsACgkQxWXV+ddt
 WDvhYhAAluWrfM2ZzhY/tdDeKUNpf0NIAFGZIV4QP/2E43yIPC2+xMPqW/AnBnIP
 k28gOhgoH7LBP/cr0IrFHMz8Glges3cHz1UxFjJZgjiU3mAA0mgkIttPpzms7vqi
 3SVUxL2bJkebJy53nOpZcHlrcWveg+q0hTUslquCYBb3dA4gb61HBwzA2e0wKFeB
 wYw/gQtEy3TkHQPAxVjUF28ASoaroNKsE9QjfLZV0FDn0u0zBFxqpqj7bFUay++i
 sG3nPVZsqKcgIX7sUSwrpv4XAFu8fHz+GAQqCNqTxKCJ0ZZzsgzJtKs+12rv7dZC
 EvRt0jEt+DgwvmEy7j250TEbcI9rMaQuny8yt2j9sNKH/m9bW0BjptCtwghDoL89
 0D6qqicHbA+dJNq8/kDyxV6xC2Git2Ck0fpOfiU7YzhAFECZc/DkidvXa1keMUay
 usspO+YHOjDtlq0zJ0xixbxCseJfrj4habieVKZ/CnAvb84082ZiLcMxFqop/ewB
 WHKNB0O2+P78xoa7/Be6tp/w1HaaW8ZHvkPicD9d4khKJrXAKLNc/Xny4OqRT14z
 sWWaFuNjC7kIUT15EAQNj0wgymA7XcTL9gM1uuSO95PN+M3j4CleApzEvR3dn9FX
 gmoxuwVfVsJKKcwo6WFByqzu03kuSladEFasSHQAJbh3jyU9LUY=
 =Y/po
 -----END PGP SIGNATURE-----

Merge tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:

 - fix accounting of global block reserve size when block group tree is
   enabled

 - the async discard has been enabled in 6.2 unconditionally, but for
   zoned mode it does not make that much sense to do it asynchronously
   as the zones are reset as needed

 - error handling and proper error value propagation fixes

* tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: check for commit error at btrfs_attach_transaction_barrier()
  btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
  btrfs: remove BUG_ON()'s in add_new_free_space()
  btrfs: account block group tree when calculating global reserve size
  btrfs: zoned: do not enable async discard
2023-07-27 11:44:08 -07:00
Linus Torvalds
379e66711b memblock: reset memblock.reserved to system init state to prevent UAF
A call to memblock_free() or memblock_phys_free() issued after memblock
 data is discarded will result in use after free in
 memblock_isolate_range().
 
 When CONFIG_KASAN is enabled, this will cause a panic early in boot.
 Without CONFIG_KASAN, there is a chance that memblock_isolate_range() might
 scribble on memory that is now in use by somebody else.
 
 Avoid those issues by making sure that memblock_discard points
 memblock.reserved.regions back at the static buffer.
 
 If memblock_free() or memblock_phys_free() is called after memblock memory
 is discarded, that will print a warning in memblock_remove_region().
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEeOVYVaWZL5900a/pOQOGJssO/ZEFAmTB94cQHHJwcHRAa2Vy
 bmVsLm9yZwAKCRA5A4Ymyw79kesHB/4rNvGFGEI8LFxooARLt8glcv0Hn7oJ+z3L
 Xyczw1ZkglT3DEYsoY78bSriddWPqrV3wWkr+p2NYXPBJWgQZ6t3DRZviqzXcj2l
 Ew2XwLAfT6Vay1eqEFfJJvkGg27QLhnmJPnjDzCWweiXUaR5xOESwKCBmZBWeXUU
 t5EFJMIXLVEoBDLGW5kk+Q4RZDqhU/sJWDqf4ciWQ5vDS8OFTr56hfth7T8XoMxm
 BPlC21+cEJUWrbb1gAJUMbIERTzvYg8odZqSAESlHyNyDEtYjyLce5W6HA6zHK+H
 2gqiti+Pd1OyHbJUc1lN7iRTE8FJ7DQcBr6H9sk81Po5af02Ky7m
 =FRx8
 -----END PGP SIGNATURE-----

Merge tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock

Pull memblock fix from Mike Rapoport:
 "A call to memblock_free() or memblock_phys_free() issued after
  memblock data is discarded will result in use after free in
  memblock_isolate_range().

  Avoid those issues by making sure that memblock_discard points
  memblock.reserved.regions back at the static buffer"

* tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
  mm,memblock: reset memblock.reserved to system init state to prevent UAF
2023-07-27 11:37:34 -07:00
Jann Horn
657b514695 mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock
lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
be called in the VMA-locked page fault path by ensuring that
vma->anon_vma is set.

However, this check happens before the VMA is locked, which means a
concurrent move_vma() can concurrently call unlink_anon_vmas(), which
disassociates the VMA's anon_vma.

This means we can get UAF in the following scenario:

  THREAD 1                   THREAD 2
  ========                   ========
  <page fault>
    lock_vma_under_rcu()
      rcu_read_lock()
      mas_walk()
      check vma->anon_vma

                             mremap() syscall
                               move_vma()
                                vma_start_write()
                                 unlink_anon_vmas()
                             <syscall end>

    handle_mm_fault()
      __handle_mm_fault()
        handle_pte_fault()
          do_pte_missing()
            do_anonymous_page()
              anon_vma_prepare()
                __anon_vma_prepare()
                  find_mergeable_anon_vma()
                    mas_walk() [looks up VMA X]

                             munmap() syscall (deletes VMA X)

                    reusable_anon_vma() [called on freed VMA X]

This is a security bug if you can hit it, although an attacker would
have to win two races at once where the first race window is only a few
instructions wide.

This patch is based on some previous discussion with Linus Torvalds on
the security list.

Cc: stable@vger.kernel.org
Fixes: 5e31275cc9 ("mm: add per-VMA lock and helper functions to control it")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2023-07-27 11:13:22 -07:00
Baskaran Kannan
e146503ac6 hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature
Industrial processor i3255 supports temperatures -40 deg celcius
to 105 deg Celcius. The current implementation of k10temp_read_temp
rounds off any negative temperatures to '0'. To fix this,
the following changes have been made.

A flag 'disp_negative' is added to struct k10temp_data to support
AMD i3255 processors. Flag 'disp_negative' is set if 3255 processor
is found during k10temp_probe.  Flag 'disp_negative' is used to
determine whether to round off negative temperatures to '0' in
k10temp_read_temp.

Signed-off-by: Baskaran Kannan <Baski.Kannan@amd.com>
Link: https://lore.kernel.org/r/20230727162159.1056136-1-Baski.Kannan@amd.com
Fixes: aef17ca127 ("hwmon: (k10temp) Only apply temperature offset if result is positive")
Cc: stable@vger.kernel.org
[groeck: Fixed multi-line comment]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2023-07-27 09:41:07 -07:00