1. 13 Aug, 2024 3 commits
    • Squashfs: sanity check symbolic link size · 810ee43d
      Phillip Lougher authored
      Syzkaller reports a "KMSAN: uninit-value in pick_link" bug.
      
      This is caused by an uninitialised page, which is ultimately caused
      by a corrupted symbolic link size read from disk.
      
      The reason why the corrupted symlink size causes an uninitialised
      page is due to the following sequence of events:
      
      1. squashfs_read_inode() is called to read the symbolic
         link from disk.  This assigns the corrupted value
         3875536935 to inode->i_size.
      
      2. Later squashfs_symlink_read_folio() is called, which assigns
         this corrupted value to the length variable, which being a
         signed int, overflows producing a negative number.
      
      3. The following loop that fills in the page contents checks that
         the copied bytes is less than length, which being negative means
         the loop is skipped, producing an uninitialised page.
      
      This patch adds a sanity check which checks that the symbolic
      link size is not larger than expected.
      
      --
      Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
      Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk
      Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
      Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/
      V2: fix spelling mistake.
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      810ee43d
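The three steps in the Squashfs commit message above, as a user-space C model added here for illustration (not the kernel code and not part of the patch). The function names, the 4096-byte page, the tail zeroing on a completed copy and the "larger than one page" bound are assumptions of the model; the commit message only says the size must not be larger than expected.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096  /* assumption: 4 KiB page */
#define POISON 0xAA           /* marks bytes the read path never wrote */

static unsigned char page[MODEL_PAGE_SIZE];

/* Step 2: the size read from disk ends up in a signed int. The narrowing is
 * implementation-defined in C; gcc and clang wrap modulo 2^32, so the
 * corrupted value 3875536935 becomes negative. */
int symlink_length(int64_t i_size)
{
    int length = (int)i_size;
    return length < MODEL_PAGE_SIZE ? length : MODEL_PAGE_SIZE;
}

/* Step 3: the fill loop. With a negative length the condition is false on
 * entry, so nothing is written. Model assumption: a completed copy also
 * zeroes the rest of the page. */
static int fill_page(const char *target, int length)
{
    size_t avail = strlen(target);
    int bytes;

    for (bytes = 0; bytes < length; bytes++) {
        page[bytes] = (size_t)bytes < avail ? (unsigned char)target[bytes] : 0;
        if (bytes == length - 1)
            memset(page + length, 0, (size_t)(MODEL_PAGE_SIZE - length));
    }
    return bytes;
}

static int count_poison(void)
{
    int n = 0;
    for (int i = 0; i < MODEL_PAGE_SIZE; i++)
        n += page[i] == POISON;
    return n;
}

/* Unchecked path: returns how many page bytes are still uninitialised. */
int uninit_after_unchecked_read(uint32_t disk_size, const char *target)
{
    int64_t i_size = disk_size;              /* step 1: size taken from disk */

    memset(page, POISON, sizeof(page));      /* stale page contents */
    fill_page(target, symlink_length(i_size));
    return count_poison();
}

/* Checked path: reject an implausible size when the inode is read.
 * Returns -EINVAL, or the number of bytes copied. */
int checked_read(uint32_t disk_size, const char *target)
{
    if (disk_size > MODEL_PAGE_SIZE)
        return -EINVAL;
    memset(page, POISON, sizeof(page));
    return fill_page(target, symlink_length(disk_size));
}

int main(void)
{
    /* Constructed inputs: one sane link, one with the size from the report. */
    printf("length for 3875536935: %d\n", symlink_length(3875536935LL));
    printf("uninitialised bytes, sane size:      %d\n",
           uninit_after_unchecked_read(6, "target"));
    printf("uninitialised bytes, corrupted size: %d\n",
           uninit_after_unchecked_read(3875536935u, "target"));
    printf("checked read, corrupted size:        %d\n",
           checked_read(3875536935u, "target"));
    return 0;
}
```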
    • 9p: Fix DIO read through netfs · e3786b29
      Dominique Martinet authored
      If a program is watching a file on a 9p mount, it won't see any change in
      size if the file being exported by the server is changed directly in the
      source filesystem, presumably because 9p doesn't have change notifications,
      and because netfs skips the reads if the file is empty.
      
      Fix this by attempting to read the full size specified when a DIO read is
      requested (such as when 9p is operating in unbuffered mode) and dealing
      with a short read if the EOF was less than the expected read.
      
      To make this work, filesystems using netfslib must not set
      NETFS_SREQ_CLEAR_TAIL if performing a DIO read where that read hit the EOF.
      I don't want to mandatorily clear this flag in netfslib for DIO because,
      say, ceph might make a read from an object that is not completely filled,
      but does not reside at the end of file - and so we need to clear the
      excess.
      
      This can be tested by watching an empty file over 9p within a VM (such as
      in the ktest framework):
      
              while true; do read content; if [ -n "$content" ]; then echo $content; break; fi; done < /host/tmp/foo
      
      then writing something into the empty file.  The watcher should immediately
      display the file content and break out of the loop.  Without this fix, it
      remains in the loop indefinitely.
      
      Fixes: 80105ed2 ("9p: Use netfslib read/write_iter")
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218916
      Signed-off-by: David Howells <dhowells@redhat.com>
      Link: https://lore.kernel.org/r/1229195.1723211769@warthog.procyon.org.uk
      cc: Eric Van Hensbergen <ericvh@kernel.org>
      cc: Latchesar Ionkov <lucho@ionkov.net>
      cc: Christian Schoenebeck <linux_oss@crudebyte.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: Ilya Dryomov <idryomov@gmail.com>
      cc: Steve French <sfrench@samba.org>
      cc: Paulo Alcantara <pc@manguebit.com>
      cc: Trond Myklebust <trond.myklebust@hammerspace.com>
      cc: v9fs@lists.linux.dev
      cc: linux-afs@lists.infradead.org
      cc: ceph-devel@vger.kernel.org
      cc: linux-cifs@vger.kernel.org
      cc: linux-nfs@vger.kernel.org
      cc: netfs@lists.linux.dev
      cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      e3786b29
    • vfs: Don't evict inode under the inode lru traversing context · 2a062983
      Zhihao Cheng authored
      The inode reclaiming process (see function prune_icache_sb) first
      collects all reclaimable inodes and marks them with the I_FREEING flag;
      at that time, other processes will be stuck if they try to get these
      inodes (see function find_inode_fast). The reclaiming process then
      destroys the inodes via dispose_list(). Some filesystems (e.g. ext4 with
      the ea_inode feature, ubifs with xattr) may do an inode lookup in the
      inode evicting callback function; if the inode lookup is performed under
      the inode lru traversing context, deadlock problems may happen.
      
      Case 1: In function ext4_evict_inode(), the ea inode lookup could happen
              if the ea_inode feature is enabled; the lookup process will be
              stuck under the evicting context like this:
      
       1. File A has inode i_reg and an ea inode i_ea
       2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea
       3. Then, following three processes running like this:
      
          PA                              PB
       echo 2 > /proc/sys/vm/drop_caches
        shrink_slab
         prune_dcache_sb
         // i_reg is added into lru, lru->i_ea->i_reg
         prune_icache_sb
          list_lru_walk_one
           inode_lru_isolate
            i_ea->i_state |= I_FREEING // set inode state
           inode_lru_isolate
            __iget(i_reg)
            spin_unlock(&i_reg->i_lock)
            spin_unlock(lru_lock)
                                           rm file A
                                            i_reg->nlink = 0
            iput(i_reg) // i_reg->nlink is 0, do evict
             ext4_evict_inode
              ext4_xattr_delete_inode
               ext4_xattr_inode_dec_ref_all
                ext4_xattr_inode_iget
                 ext4_iget(i_ea->i_ino)
                  iget_locked
                   find_inode_fast
                    __wait_on_freeing_inode(i_ea) ----→ AA deadlock
          dispose_list // cannot be executed by prune_icache_sb
           wake_up_bit(&i_ea->i_state)
      
      Case 2: In the deleted inode writing function ubifs_jnl_write_inode(), the
              file deleting process holds BASEHD's wbuf->io_mutex while getting
              the xattr inode, which could race with the inode reclaiming
              process (the reclaiming process could try locking BASEHD's
              wbuf->io_mutex in the inode evicting function); an ABBA deadlock
              problem would then happen as follows:
      
       1. File A has inode ia and a xattr(with inode ixa), regular file B has
          inode ib and a xattr.
       2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa
       3. Then, following three processes running like this:
      
              PA                PB                        PC
                      echo 2 > /proc/sys/vm/drop_caches
                       shrink_slab
                        prune_dcache_sb
                        // ib and ia are added into lru, lru->ixa->ib->ia
                        prune_icache_sb
                         list_lru_walk_one
                          inode_lru_isolate
                           ixa->i_state |= I_FREEING // set inode state
                          inode_lru_isolate
                           __iget(ib)
                           spin_unlock(&ib->i_lock)
                           spin_unlock(lru_lock)
                                                         rm file B
                                                          ib->nlink = 0
       rm file A
        iput(ia)
         ubifs_evict_inode(ia)
          ubifs_jnl_delete_inode(ia)
           ubifs_jnl_write_inode(ia)
            make_reservation(BASEHD) // Lock wbuf->io_mutex
            ubifs_iget(ixa->i_ino)
             iget_locked
              find_inode_fast
               __wait_on_freeing_inode(ixa)
                |          iput(ib) // ib->nlink is 0, do evict
                |           ubifs_evict_inode
                |            ubifs_jnl_delete_inode(ib)
                ↓             ubifs_jnl_write_inode
           ABBA deadlock ←-----make_reservation(BASEHD)
                         dispose_list // cannot be executed by prune_icache_sb
                          wake_up_bit(&ixa->i_state)
      
      Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING
      to pin the inode in memory while inode_lru_isolate() reclaims its pages
      instead of using ordinary inode reference. This way inode deletion
      cannot be triggered from inode_lru_isolate() thus avoiding the deadlock.
      evict() is made to wait for I_LRU_ISOLATING to be cleared before
      proceeding with inode cleanup.
      
      Link: https://lore.kernel.org/all/37c29c42-7685-d1f0-067d-63582ffac405@huaweicloud.com/
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=219022
      Fixes: e50e5129 ("ext4: xattr-in-inode support")
      Fixes: 7959cf3a ("ubifs: journal: Handle xattrs like files")
      Cc: stable@vger.kernel.org
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Link: https://lore.kernel.org/r/20240809031628.1069873-1-chengzhihao@huaweicloud.com
      Reviewed-by: Jan Kara <jack@suse.cz>
      Suggested-by: Jan Kara <jack@suse.cz>
      Suggested-by: Mateusz Guzik <mjguzik@gmail.com>
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      2a062983
  2. 12 Aug, 2024 10 commits
    • netfs: Fix handling of USE_PGPRIV2 and WRITE_TO_CACHE flags · 7b589a9b
      David Howells authored
      The NETFS_RREQ_USE_PGPRIV2 and NETFS_RREQ_WRITE_TO_CACHE flags aren't used
      correctly.  The problem is that we try to set them up in the request
      initialisation, but the cache may be in the process of setting up still,
      and so the state may not be correct.  Further, we secondarily sample the
      cache state and make contradictory decisions later.
      
      The issue arises because we set up the cache resources, which allows the
      cache's ->prepare_read() to switch on NETFS_SREQ_COPY_TO_CACHE - which
      triggers cache writing even if we didn't set the flags when allocating.
      
      Fix this in the following way:
      
       (1) Drop NETFS_ICTX_USE_PGPRIV2 and instead set NETFS_RREQ_USE_PGPRIV2 in
           ->init_request() rather than trying to juggle that in
           netfs_alloc_request().
      
       (2) Repurpose NETFS_RREQ_USE_PGPRIV2 to merely indicate that if caching is
           to be done, then PG_private_2 is to be used rather than only setting
           it if we decide to cache and then having netfs_rreq_unlock_folios()
           set the non-PG_private_2 writeback-to-cache if it wasn't set.
      
       (3) Split netfs_rreq_unlock_folios() into two functions, one of which
           contains the deprecated code for using PG_private_2 to avoid
           accidentally doing the writeback path - and always use it if
           USE_PGPRIV2 is set.
      
       (4) As NETFS_ICTX_USE_PGPRIV2 is removed, make netfs_write_begin() always
           wait for PG_private_2.  This function is deprecated and only used by
           ceph anyway, and so label it so.
      
       (5) Drop the NETFS_RREQ_WRITE_TO_CACHE flag and use
           fscache_operation_valid() on the cache_resources instead.  This has
           the advantage of picking up the result of netfs_begin_cache_read() and
           fscache_begin_write_operation() - which are called after the object is
           initialised and will wait for the cache to come to a usable state.
      
      Just reverting ae678317[1] isn't a sufficient fix, so this needs to be
      applied on top of that.  Without this as well, things like:
      
       rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: {
      
      and:
      
       WARNING: CPU: 13 PID: 3621 at fs/ceph/caps.c:3386
      
      may happen, along with some UAFs due to PG_private_2 not getting used to
      wait on writeback completion.
      
      Fixes: 2ff1e975 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
      Reported-by: Max Kellermann <max.kellermann@ionos.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Ilya Dryomov <idryomov@gmail.com>
      cc: Xiubo Li <xiubli@redhat.com>
      cc: Hristo Venev <hristo@venev.name>
      cc: Jeff Layton <jlayton@kernel.org>
      cc: Matthew Wilcox <willy@infradead.org>
      cc: ceph-devel@vger.kernel.org
      cc: netfs@lists.linux.dev
      cc: linux-fsdevel@vger.kernel.org
      cc: linux-mm@kvack.org
      Link: https://lore.kernel.org/r/3575457.1722355300@warthog.procyon.org.uk/ [1]
      Link: https://lore.kernel.org/r/1173209.1723152682@warthog.procyon.org.uk
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      7b589a9b
    • netfs, ceph: Revert "netfs: Remove deprecated use of PG_private_2 as a second writeback flag" · 8e5ced78
      David Howells authored
      This reverts commit ae678317.
      
      Revert the patch that removes the deprecated use of PG_private_2 in
      netfslib for the moment as Ceph is actually still using this to track
      data copied to the cache.
      
      Fixes: ae678317 ("netfs: Remove deprecated use of PG_private_2 as a second writeback flag")
      Reported-by: Max Kellermann <max.kellermann@ionos.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Ilya Dryomov <idryomov@gmail.com>
      cc: Xiubo Li <xiubli@redhat.com>
      cc: Jeff Layton <jlayton@kernel.org>
      cc: Matthew Wilcox <willy@infradead.org>
      cc: ceph-devel@vger.kernel.org
      cc: netfs@lists.linux.dev
      cc: linux-fsdevel@vger.kernel.org
      cc: linux-mm@kvack.org
      https://lore.kernel.org/r/3575457.1722355300@warthog.procyon.org.uk
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      8e5ced78
    • file: fix typo in take_fd() comment · 86509e38
      Mathias Krause authored
      The explanatory comment above take_fd() contains a typo, fix that to not
      confuse readers.
      Signed-off-by: Mathias Krause <minipli@grsecurity.net>
      Link: https://lore.kernel.org/r/20240809135035.748109-1-minipli@grsecurity.net
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      86509e38
    • pidfd: prevent creation of pidfds for kthreads · 3b5bbe79
      Christian Brauner authored
      It's currently possible to create pidfds for kthreads but it is unclear
      what that is supposed to mean. Until we have use-cases for it and we
      have figured out what behavior we want, block the creation of pidfds
      for kthreads.
      
      Link: https://lore.kernel.org/r/20240731-gleis-mehreinnahmen-6bbadd128383@brauner
      Fixes: 32fcb426 ("pid: add pidfd_open()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      3b5bbe79
    • netfs: clean up after renaming FSCACHE_DEBUG config · 889ced4c
      Lukas Bulwahn authored
      Commit 6b8e61472529 ("netfs: Rename CONFIG_FSCACHE_DEBUG to
      CONFIG_NETFS_DEBUG") renames the config, but introduces two issues: First,
      NETFS_DEBUG mistakenly depends on the non-existing config NETFS, whereas
      the actual intended config is called NETFS_SUPPORT. Second, the config
      renaming fails to adjust the documentation of the functionality of this
      config.
      
      Clean up those two points.
      Signed-off-by: Lukas Bulwahn <lukas.bulwahn@redhat.com>
      Link: https://lore.kernel.org/r/20240731073902.69262-1-lukas.bulwahn@redhat.com
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      889ced4c
    • libfs: fix infinite directory reads for offset dir · 64a7ce76
      yangerkun authored
      After we switched tmpfs dir operations from simple_dir_operations to
      simple_offset_dir_operations, every rename fills a new dentry into the
      dest dir's maple tree (&SHMEM_I(inode)->dir_offsets->mt) with a free
      key starting with octx->newx_offset, and then sets newx_offset equal to
      free key + 1. This leads to infinite readdir when combined with renames
      happening at the same time, which fails generic/736 in xfstests (details
      shown below).

      1. create 5000 files (1 2 3...) under one dir
      2. call readdir (man 3 readdir) once, and get one entry
      3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)
      4. loop 2~3, until readdir returns nothing or we loop too many
         times (tmpfs breaks the test with the second condition)

      We choose the same logic as commit 9b378f6a ("btrfs: fix infinite
      directory reads") to fix it: record the last_index when we open the dir,
      and do not emit entries whose index >= last_index. The file->private_data
      now used in offset dir can be used directly to do this, and we also
      update the last_index when we llseek the dir file.
      
      Fixes: a2e45955 ("shmem: stable directory offsets")
      Signed-off-by: yangerkun <yangerkun@huawei.com>
      Link: https://lore.kernel.org/r/20240731043835.1828697-1-yangerkun@huawei.com
      Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
      [brauner: only update last_index after seek when offset is zero like Jan suggested]
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      64a7ce76
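The readdir/rename loop from the libfs commit message above, as a small user-space C model added here for illustration (not kernel code and not taken from the patch). `struct offset_dir`, `next_key`, the 50-file directory and the loop cap are assumptions of the model; it shows why a reader that never stops is possible and how the `last_index` snapshot bounds it.

```c
#include <limits.h>
#include <stdio.h>

#define NFILES    50       /* the xfstests case uses 5000; smaller here */
#define MAX_LOOPS 100000   /* "we loop too many times" cut-off */

struct offset_dir {
    long offset[NFILES];   /* offset key currently held by file i */
    long next_key;         /* next free key handed out by a rename */
};

struct dir_file {
    long pos;              /* readdir cursor */
    long last_index;       /* snapshot taken at open; LONG_MAX = no bound */
};

static void dir_init(struct offset_dir *d)
{
    for (int i = 0; i < NFILES; i++)
        d->offset[i] = i + 1;
    d->next_key = NFILES + 1;
}

/* Each rename re-inserts the dentry under a fresh key at the tail. */
static void dir_rename(struct offset_dir *d, int i)
{
    d->offset[i] = d->next_key++;
}

/* Return the entry with the smallest key in [pos, last_index), or -1. */
static int dir_read_one(const struct offset_dir *d, struct dir_file *f)
{
    int best = -1;

    for (int i = 0; i < NFILES; i++) {
        long o = d->offset[i];
        if (o >= f->pos && o < f->last_index &&
            (best < 0 || o < d->offset[best]))
            best = i;
    }
    if (best >= 0)
        f->pos = d->offset[best] + 1;
    return best;
}

/* Steps 2-4 of the reproducer. Returns how many entries readdir emitted
 * before it reported end-of-directory or the cut-off was reached. */
long readdir_rename_loop(int snapshot_last_index)
{
    struct offset_dir d;
    struct dir_file f;
    long loops = 0;

    dir_init(&d);
    f.pos = 0;
    f.last_index = snapshot_last_index ? d.next_key : LONG_MAX;

    while (loops < MAX_LOOPS) {
        int i = dir_read_one(&d, &f);
        if (i < 0)
            break;             /* readdir returned nothing */
        loops++;
        dir_rename(&d, i);     /* rename(entry, "TEMPFILE") */
        dir_rename(&d, i);     /* rename("TEMPFILE", entry) */
    }
    return loops;
}

int main(void)
{
    printf("without last_index: %ld entries (cut-off %d)\n",
           readdir_rename_loop(0), MAX_LOOPS);
    printf("with last_index:    %ld entries\n", readdir_rename_loop(1));
    return 0;
}
```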
    • nsfs: fix ioctl declaration · 42b0f8da
      Christian Brauner authored
      The kernel is writing an object of type __u64, so the ioctl has to be
      defined to _IOR(NSIO, 0x5, __u64) instead of _IO(NSIO, 0x5).
      Reported-by: Dmitry V. Levin <ldv@strace.io>
      Link: https://lore.kernel.org/r/20240730164554.GA18486@altlinux.org
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      42b0f8da
    • fs/netfs/fscache_cookie: add missing "n_accesses" check · f71aa063
      Max Kellermann authored
      This fixes a NULL pointer dereference bug due to a data race which
      looks like this:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000008
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP PTI
        CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
        Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
        Workqueue: events_unbound netfs_rreq_write_to_cache_work
        RIP: 0010:cachefiles_prepare_write+0x30/0xa0
        Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10
        RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286
        RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000
        RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438
        RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001
        R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68
        R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00
        FS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0
        Call Trace:
         <TASK>
         ? __die+0x1f/0x70
         ? page_fault_oops+0x15d/0x440
         ? search_module_extables+0xe/0x40
         ? fixup_exception+0x22/0x2f0
         ? exc_page_fault+0x5f/0x100
         ? asm_exc_page_fault+0x22/0x30
         ? cachefiles_prepare_write+0x30/0xa0
         netfs_rreq_write_to_cache_work+0x135/0x2e0
         process_one_work+0x137/0x2c0
         worker_thread+0x2e9/0x400
         ? __pfx_worker_thread+0x10/0x10
         kthread+0xcc/0x100
         ? __pfx_kthread+0x10/0x10
         ret_from_fork+0x30/0x50
         ? __pfx_kthread+0x10/0x10
         ret_from_fork_asm+0x1b/0x30
         </TASK>
        Modules linked in:
        CR2: 0000000000000008
        ---[ end trace 0000000000000000 ]---
      
      This happened because fscache_cookie_state_machine() was slow and was
      still running while another process invoked fscache_unuse_cookie();
      this led to a fscache_cookie_lru_do_one() call, setting the
      FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by
      fscache_cookie_state_machine(), withdrawing the cookie via
      cachefiles_withdraw_cookie(), clearing cookie->cache_priv.
      
      At the same time, yet another process invoked
      cachefiles_prepare_write(), which found a NULL pointer in this code
      line:
      
        struct cachefiles_object *object = cachefiles_cres_object(cres);
      
      The next line crashes, obviously:
      
        struct cachefiles_cache *cache = object->volume->cache;
      
      During cachefiles_prepare_write(), the "n_accesses" counter is
      non-zero (via fscache_begin_operation()).  The cookie must not be
      withdrawn until it drops to zero.
      
      The counter is checked by fscache_cookie_state_machine() before
      switching to FSCACHE_COOKIE_STATE_RELINQUISHING and
      FSCACHE_COOKIE_STATE_WITHDRAWING (in "case
      FSCACHE_COOKIE_STATE_FAILED"), but not for
      FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case
      FSCACHE_COOKIE_STATE_ACTIVE").
      
      This patch adds the missing check.  With a non-zero access counter,
      the function returns and the next fscache_end_cookie_access() call
      will queue another fscache_cookie_state_machine() call to handle the
      still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.
      
      Fixes: 12bb21a2 ("fscache: Implement cookie user counting and resource pinning")
      Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Link: https://lore.kernel.org/r/20240729162002.3436763-2-dhowells@redhat.com
      cc: Jeff Layton <jlayton@kernel.org>
      cc: netfs@lists.linux.dev
      cc: linux-fsdevel@vger.kernel.org
      cc: stable@vger.kernel.org
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      f71aa063
    • filelock: fix name of file_lease slab cache · 3f65f3c0
      Omar Sandoval authored
      When struct file_lease was split out from struct file_lock, the name of
      the file_lock slab cache was copied to the new slab cache for
      file_lease. This name conflict causes confusion in /proc/slabinfo and
      /sys/kernel/slab. In particular, it caused failures in drgn's test case
      for slab cache merging.
      
      Link: https://github.com/osandov/drgn/blob/9ad29fd86499eb32847473e928b6540872d3d59a/tests/linux_kernel/helpers/test_slab.py#L81
      Fixes: c69ff407 ("filelock: split leases out of struct file_lock")
      Signed-off-by: Omar Sandoval <osandov@fb.com>
      Link: https://lore.kernel.org/r/2d1d053da1cafb3e7940c4f25952da4f0af34e38.1722293276.git.osandov@fb.com
      Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      3f65f3c0
    • netfs: Fault in smaller chunks for non-large folio mappings · 98055bc3
      Matthew Wilcox (Oracle) authored
      As in commit 4e527d58 ("iomap: fault in smaller chunks for non-large
      folio mappings"), we can see a performance loss for filesystems
      which have not yet been converted to large folios.
      
      Fixes: c38f4e96 ("netfs: Provide func to copy data to pagecache for buffered write")
      Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      Link: https://lore.kernel.org/r/20240527201735.1898381-1-willy@infradead.org
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Christian Brauner <brauner@kernel.org>
      98055bc3
  3. 28 Jul, 2024 12 commits
    • Linux 6.11-rc1 · 8400291e
      Linus Torvalds authored
      8400291e
    • Merge tag 'kbuild-fixes-v6.11' of... · a0c04bd5
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix RPM package build error caused by an incorrect locale setup
      
       - Mark modules.weakdep as ghost in RPM package
      
       - Fix the odd combination of -S and -c in stack protector scripts,
         which is an error with the latest Clang
      
      * tag 'kbuild-fixes-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: Fix '-S -c' in x86 stack protector scripts
        kbuild: rpm-pkg: ghost modules.weakdep file
        kbuild: rpm-pkg: Fix C locale setup
      a0c04bd5
    • minmax: simplify and clarify min_t()/max_t() implementation · 017fa3e8
      Linus Torvalds authored
      This simplifies the min_t() and max_t() macros by no longer making them
      work in the context of a C constant expression.
      
      That means that you can no longer use them for static initializers or
      for array sizes in type definitions, but there were only a couple of
      such uses, and all of them were converted (famous last words) to use
      MIN_T/MAX_T instead.
      
      Cc: David Laight <David.Laight@aculab.com>
      Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      017fa3e8
    • minmax: add a few more MIN_T/MAX_T users · 4477b39c
      Linus Torvalds authored
      Commit 3a7e02c0 ("minmax: avoid overly complicated constant
      expressions in VM code") added the simpler MIN_T/MAX_T macros in order
      to avoid some excessive expansion from the rather complicated regular
      min/max macros.
      
      The complexity of those macros stems from two issues:
      
       (a) trying to use them in situations that require a C constant
           expression (in static initializers and for array sizes)
      
       (b) the type sanity checking
      
      and MIN_T/MAX_T avoids both of these issues.
      
      Now, in the whole (long) discussion about all this, it was pointed out
      that the whole type sanity checking is entirely unnecessary for
      min_t/max_t which get a fixed type that the comparison is done in.
      
      But that still leaves min_t/max_t unnecessarily complicated due to
      worries about the C constant expression case.
      
      However, it turns out that there really aren't very many cases that use
      min_t/max_t for this, and we can just force-convert those.
      
      This does exactly that.
      
      Which in turn will then allow for much simpler implementations of
      min_t()/max_t().  All the usual "macros in all upper case will evaluate
      the arguments multiple times" rules apply.
      
      We should do all the same things for the regular min/max() vs MIN/MAX()
      cases, but that has the added complexity of various drivers defining
      their own local versions of MIN/MAX, so that needs another level of
      fixes first.
      
      Link: https://lore.kernel.org/all/b47fad1d0cf8449886ad148f8c013dae@AcuMS.aculab.com/
      Cc: David Laight <David.Laight@aculab.com>
      Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      4477b39c
    • Merge tag 'ubifs-for-linus-6.11-rc1-take2' of... · 7e2d0ba7
      Linus Torvalds authored
      Merge tag 'ubifs-for-linus-6.11-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
      
      Pull UBI and UBIFS updates from Richard Weinberger:
      
       - Many fixes for power-cut issues by Zhihao Cheng
      
       - Another ubiblock error path fix
      
       - ubiblock section mismatch fix
      
       - Misc fixes all over the place
      
      * tag 'ubifs-for-linus-6.11-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
        ubi: Fix ubi_init() ubiblock_exit() section mismatch
        ubifs: add check for crypto_shash_tfm_digest
        ubifs: Fix inconsistent inode size when powercut happens during appendant writing
        ubi: block: fix null-pointer-dereference in ubiblock_create()
        ubifs: fix kernel-doc warnings
        ubifs: correct UBIFS_DFS_DIR_LEN macro definition and improve code clarity
        mtd: ubi: Restore missing cleanup on ubi_init() failure path
        ubifs: dbg_orphan_check: Fix missed key type checking
        ubifs: Fix unattached inode when powercut happens in creating
        ubifs: Fix space leak when powercut happens in linking tmpfile
        ubifs: Move ui->data initialization after initializing security
        ubifs: Fix adding orphan entry twice for the same inode
        ubifs: Remove insert_dead_orphan from replaying orphan process
        Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path"
        ubifs: Don't add xattr inode into orphan area
        ubifs: Fix unattached xattr inode if powercut happens after deleting
        mtd: ubi: avoid expensive do_div() on 32-bit machines
        mtd: ubi: make ubi_class constant
        ubi: eba: properly rollback inside self_check_eba
      7e2d0ba7
    • kbuild: Fix '-S -c' in x86 stack protector scripts · 3415b10a
      Nathan Chancellor authored
      After a recent change in clang to stop consuming all instances of '-S'
      and '-c' [1], the stack protector scripts break due to the kernel's use
      of -Werror=unused-command-line-argument to catch cases where flags are
      not being properly consumed by the compiler driver:
      
        $ echo | clang -o - -x c - -S -c -Werror=unused-command-line-argument
        clang: error: argument unused during compilation: '-c' [-Werror,-Wunused-command-line-argument]
      
      This results in CONFIG_STACKPROTECTOR getting disabled because
      CONFIG_CC_HAS_SANE_STACKPROTECTOR is no longer set.
      
      '-c' and '-S' both instruct the compiler to stop at different stages of
      the pipeline ('-S' after compiling, '-c' after assembling), so having
      them present together in the same command makes little sense. In this
      case, the test wants to stop before assembling because it is looking at
      the textual assembly output of the compiler for either '%fs' or '%gs',
      so remove '-c' from the list of arguments to resolve the error.
      
      All versions of GCC continue to work after this change, along with
      versions of clang that do or do not contain the change mentioned above.
      
      Cc: stable@vger.kernel.org
      Fixes: 4f7fd4d7 ("[PATCH] Add the -fstack-protector option to the CFLAGS")
      Fixes: 60a5317f ("x86: implement x86_32 stack protector")
      Link: https://github.com/llvm/llvm-project/commit/6461e537815f7fa68cef06842505353cf5600e9c [1]
      Signed-off-by: Nathan Chancellor <nathan@kernel.org>
      Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    • ubi: Fix ubi_init() ubiblock_exit() section mismatch · 92a286e9
      Richard Weinberger authored
      Since ubiblock_exit() is now called from an init function,
      the __exit section no longer makes sense.
      
      Cc: Ben Hutchings <bwh@kernel.org>
      Reported-by: kernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202407131403.wZJpd8n2-lkp@intel.com/
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
    • Merge tag 'v6.11-merge' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux · e172f1e9
      Linus Torvalds authored
      Pull turbostat updates from Len Brown:
      
       - Enable turbostat extensions to add both perf and PMT (Intel
         Platform Monitoring Technology) counters via the cmdline
      
       - Demonstrate PMT access with built-in support for Meteor Lake's
         Die C6 counter
      
      * tag 'v6.11-merge' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
        tools/power turbostat: version 2024.07.26
        tools/power turbostat: Include umask=%x in perf counter's config
        tools/power turbostat: Document PMT in turbostat.8
        tools/power turbostat: Add MTL's PMT DC6 builtin counter
        tools/power turbostat: Add early support for PMT counters
        tools/power turbostat: Add selftests for added perf counters
        tools/power turbostat: Add selftests for SMI, APERF and MPERF counters
        tools/power turbostat: Move verbose counter messages to level 2
        tools/power turbostat: Move debug prints from stdout to stderr
        tools/power turbostat: Fix typo in turbostat.8
        tools/power turbostat: Add perf added counter example to turbostat.8
        tools/power turbostat: Fix formatting in turbostat.8
        tools/power turbostat: Extend --add option with perf counters
        tools/power turbostat: Group SMI counter with APERF and MPERF
        tools/power turbostat: Add ZERO_ARRAY for zero initializing builtin array
        tools/power turbostat: Replace enum rapl_source and cstate_source with counter_source
        tools/power turbostat: Remove anonymous union from rapl_counter_info_t
        tools/power/turbostat: Switch to new Intel CPU model defines
    • Merge tag 'cxl-for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · e62f81bb
      Linus Torvalds authored
      Pull CXL updates from Dave Jiang:
       "Core:
      
         - A CXL maturity map has been added to the documentation to detail
           the current state of CXL enabling.
      
           It provides the status of the current state of various CXL features
           to inform current and future contributors of where things are and
           which areas need contribution.
      
         - A notifier handler has been added in order for a newly created CXL
           memory region to trigger the abstract distance metrics calculation.
      
           This should bring parity for CXL memory to the same level vs
           hotplugged DRAM for NUMA abstract distance calculation. The
           abstract distance reflects relative performance used for memory
           tiering handling.
      
         - An addition for XOR math has been added to address the CXL DPA to
           SPA translation.
      
           CXL address translation did not support address interleave math
           with XOR prior to this change.
      
        Fixes:
      
         - Fix to address race condition in the CXL memory hotplug notifier
      
         - Add missing MODULE_DESCRIPTION() for CXL modules
      
         - Fix incorrect vendor debug UUID define
      
        Misc:
      
         - A warning has been added to inform users of an unsupported
           configuration when mixing CXL VH and RCH/RCD hierarchies
      
         - The ENXIO error code has been replaced with EBUSY for inject poison
           limit reached via debugfs and cxl-test support
      
         - Moving the PCI config read in cxl_dvsec_rr_decode() to avoid
           unnecessary PCI config reads
      
         - A refactor to a common struct for DRAM and general media CXL
           events"
      
      * tag 'cxl-for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl/core/pci: Move reading of control register to immediately before usage
        cxl: Remove defunct code calculating host bridge target positions
        cxl/region: Verify target positions using the ordered target list
        cxl: Restore XOR'd position bits during address translation
        cxl/core: Fold cxl_trace_hpa() into cxl_dpa_to_hpa()
        cxl/test: Replace ENXIO with EBUSY for inject poison limit reached
        cxl/memdev: Replace ENXIO with EBUSY for inject poison limit reached
        cxl/acpi: Warn on mixed CXL VH and RCH/RCD Hierarchy
        cxl/core: Fix incorrect vendor debug UUID define
        Documentation: CXL Maturity Map
        cxl/region: Simplify cxl_region_nid()
        cxl/region: Support to calculate memory tier abstract distance
        cxl/region: Fix a race condition in memory hotplug notifier
        cxl: add missing MODULE_DESCRIPTION() macros
        cxl/events: Use a common struct for DRAM and General Media events
    • Merge tag 'unicode-next-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode · 7b5d4818
      Linus Torvalds authored
      Pull unicode update from Gabriel Krisman Bertazi:
       "Two small fixes to silence the compiler and static analyzer tools
        from Ben Dooks and Jeff Johnson"
      
      * tag 'unicode-next-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode:
        unicode: add MODULE_DESCRIPTION() macros
        unicode: make utf8 test count static
    • kbuild: rpm-pkg: ghost modules.weakdep file · d01c1407
      Jose Ignacio Tornos Martinez authored
      In the same way as for other similar files, mark as ghost the new file
      generated by depmod for configured weak dependencies for modules,
      modules.weakdep, so that, although it is not included in the package,
      the package claims ownership of it.
      Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
      Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    • Merge tag '6.11-rc-smb-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · 5437f30d
      Linus Torvalds authored
      Pull more smb client updates from Steve French:
      
       - fix for potential null pointer use in init cifs
      
       - additional dynamic trace points to improve debugging of some common
         scenarios
      
       - two SMB1 fixes (one addressing reconnect with POSIX extensions, one a
         mount parsing error)
      
      * tag '6.11-rc-smb-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: add dynamic trace point for session setup key expired failures
        smb3: add four dynamic tracepoints for copy_file_range and reflink
        smb3: add dynamic tracepoint for reflink errors
        cifs: mount with "unix" mount option for SMB1 incorrectly handled
        cifs: fix reconnect with SMB1 UNIX Extensions
        cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path
  4. 27 Jul, 2024 15 commits
    • Merge tag 'block-6.11-20240726' of git://git.kernel.dk/linux · 6342649c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Keith:
           - Fix request without payloads cleanup  (Leon)
           - Use new protection information format (Francis)
           - Improved debug message for lost pci link (Bart)
           - Another apst quirk (Wang)
           - Use appropriate sysfs api for printing chars (Markus)
      
       - ublk async device deletion fix (Ming)
      
       - drbd kerneldoc fixups (Simon)
      
       - Fix deadlock between sd removal and release (Yang)
      
      * tag 'block-6.11-20240726' of git://git.kernel.dk/linux:
        nvme-pci: add missing condition check for existence of mapped data
        ublk: fix UBLK_CMD_DEL_DEV_ASYNC handling
        block: fix deadlock between sd_remove & sd_release
        drbd: Add peer_device to Kernel doc
        nvme-core: choose PIF from QPIF if QPIFS supports and PIF is QTYPE
        nvme-pci: Fix the instructions for disabling power management
        nvme: remove redundant bdev local variable
        nvme-fabrics: Use seq_putc() in __nvmf_concat_opt_tokens()
        nvme/pci: Add APST quirk for Lenovo N60z laptop
    • Merge tag 'io_uring-6.11-20240726' of git://git.kernel.dk/linux · 8c930747
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix a syzbot issue for the msg ring cache added in this release. No
         ill effects from this one, but it did make KMSAN unhappy (me)
      
       - Sanitize the NAPI timeout handling, by unifying the value handling
         into all ktime_t rather than converting back and forth (Pavel)
      
       - Fail NAPI registration for IOPOLL rings, it's not supported (Pavel)
      
       - Fix a theoretical issue with ring polling and cancelations (Pavel)
      
       - Various little cleanups and fixes (Pavel)
      
      * tag 'io_uring-6.11-20240726' of git://git.kernel.dk/linux:
        io_uring/napi: pass ktime to io_napi_adjust_timeout
        io_uring/napi: use ktime in busy polling
        io_uring/msg_ring: fix uninitialized use of target_req->flags
        io_uring: align iowq and task request error handling
        io_uring: kill REQ_F_CANCEL_SEQ
        io_uring: simplify io_uring_cmd return
        io_uring: fix io_match_task must_hold
        io_uring: don't allow netpolling with SETUP_IOPOLL
        io_uring: tighten task exit cancellations
    • Merge tag 'vfs-6.11-rc1.fixes.3' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · bc4eee85
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "This contains two fixes for this merge window:
      
        VFS:
      
         - I noticed that it is possible for a privileged user to mount most
           filesystems with a non-initial user namespace in sb->s_user_ns.
      
           When fsopen() is called in a non-init namespace the caller's
           namespace is recorded in fs_context->user_ns. If the returned file
           descriptor is then passed to a process privileged in init_user_ns,
           that process can call fsconfig(fd_fs, FSCONFIG_CMD_CREATE*),
           creating a new superblock with sb->s_user_ns set to the namespace
           of the process which called fsopen().
      
           This is problematic as only filesystems that raise FS_USERNS_MOUNT
           are known to be able to support a non-initial s_user_ns. Others may
           suffer security issues, on-disk corruption or outright crash the
           kernel. Prevent that by restricting such delegation to filesystems
           that allow FS_USERNS_MOUNT.
      
           Note, that this delegation requires a privileged process to
           actually create the superblock so either the privileged process is
           cooperating or someone must have tricked a privileged process into
           operating on a fscontext file descriptor whose origin it doesn't
           know (a stupid idea).
      
           The bug dates back to about 5 years afaict.
      
        Misc:
      
         - Fix hostfs parsing when the mount request comes in via the legacy
           mount api.
      
           In the legacy mount api hostfs allows to specify the host directory
           mount without any key.
      
           Restore that behavior"
      
      * tag 'vfs-6.11-rc1.fixes.3' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        hostfs: fix the host directory parse when mounting.
        fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
    • Merge tag 'rust-6.11' of https://github.com/Rust-for-Linux/linux · 910bfc26
      Linus Torvalds authored
      Pull Rust updates from Miguel Ojeda:
       "The highlight is the establishment of a minimum version for the Rust
        toolchain, including 'rustc' (and bundled tools) and 'bindgen'.
      
        The initial minimum will be the pinned version we currently have, i.e.
        we are just widening the allowed versions. That covers three stable
        Rust releases: 1.78.0, 1.79.0, 1.80.0 (getting released tomorrow),
        plus beta, plus nightly.
      
        This should already be enough for kernel developers in distributions
        that provide recent Rust compiler versions routinely, such as Arch
        Linux, Debian Unstable (outside the freeze period), Fedora Linux,
        Gentoo Linux (especially the testing channel), Nix (unstable) and
        openSUSE Slowroll and Tumbleweed.
      
        In addition, the kernel is now being built-tested by Rust's pre-merge
        CI. That is, every change that is attempting to land into the Rust
        compiler is tested against the kernel, and it is merged only if it
        passes. Similarly, the bindgen tool has agreed to build the kernel in
        their CI too.
      
        Thus, with the pre-merge CI in place, both projects hope to avoid
        unintentional changes to Rust that break the kernel. This means that,
        in general, apart from intentional changes on their side (that we will
        need to work around conditionally on our side), the upcoming Rust
        compiler versions should generally work.
      
        In addition, the Rust project has proposed getting the kernel into
        stable Rust (at least solving the main blockers) as one of its three
        flagship goals for 2024H2 [1].
      
        I would like to thank Niko, Sid, Emilio et al. for their help
        promoting the collaboration between Rust and the kernel.
      
        Toolchain and infrastructure:
      
         - Support several Rust toolchain versions.
      
         - Support several bindgen versions.
      
         - Remove 'cargo' requirement and simplify 'rusttest', thanks to
           'alloc' having been dropped last cycle.
      
         - Provide proper error reporting for the 'rust-analyzer' target.
      
        'kernel' crate:
      
         - Add 'uaccess' module with a safe userspace pointers abstraction.
      
         - Add 'page' module with a 'struct page' abstraction.
      
         - Support more complex generics in workqueue's 'impl_has_work!'
           macro.
      
        'macros' crate:
      
         - Add 'firmware' field support to the 'module!' macro.
      
         - Improve 'module!' macro documentation.
      
        Documentation:
      
         - Provide instructions on what packages should be installed to build
           the kernel in some popular Linux distributions.
      
         - Introduce the new kernel.org LLVM+Rust toolchains.
      
         - Explain '#[no_std]'.
      
        And a few other small bits"
      
      Link: https://rust-lang.github.io/rust-project-goals/2024h2/index.html#flagship-goals [1]
      
      * tag 'rust-6.11' of https://github.com/Rust-for-Linux/linux: (26 commits)
        docs: rust: quick-start: add section on Linux distributions
        rust: warn about `bindgen` versions 0.66.0 and 0.66.1
        rust: start supporting several `bindgen` versions
        rust: work around `bindgen` 0.69.0 issue
        rust: avoid assuming a particular `bindgen` build
        rust: start supporting several compiler versions
        rust: simplify Clippy warning flags set
        rust: relax most deny-level lints to warnings
        rust: allow `dead_code` for never constructed bindings
        rust: init: simplify from `map_err` to `inspect_err`
        rust: macros: indent list item in `paste!`'s docs
        rust: add abstraction for `struct page`
        rust: uaccess: add typed accessors for userspace pointers
        uaccess: always export _copy_[from|to]_user with CONFIG_RUST
        rust: uaccess: add userspace pointers
        kbuild: rust-analyzer: improve comment documentation
        kbuild: rust-analyzer: better error handling
        docs: rust: no_std is used
        rust: alloc: add __GFP_HIGHMEM flag
        rust: alloc: fix typo in docs for GFP_NOWAIT
        ...
    • Merge tag 'apparmor-pr-2024-07-25' of... · ff305644
      Linus Torvalds authored
      Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
      
      Pull apparmor updates from John Johansen:
       "Cleanups
         - optimization: try to avoid refing the label in apparmor_file_open
         - remove useless static inline function is_deleted
         - use kvfree_sensitive to free data->data
         - fix typo in kernel doc
      
        Bug fixes:
         - unpack transition table if dfa is not present
         - test: add MODULE_DESCRIPTION()
         - take nosymfollow flag into account
         - fix possible NULL pointer dereference
         - fix null pointer deref when receiving skb during sock creation"
      
      * tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
        apparmor: unpack transition table if dfa is not present
        apparmor: try to avoid refing the label in apparmor_file_open
        apparmor: test: add MODULE_DESCRIPTION()
        apparmor: take nosymfollow flag into account
        apparmor: fix possible NULL pointer dereference
        apparmor: fix typo in kernel doc
        apparmor: remove useless static inline function is_deleted
        apparmor: use kvfree_sensitive to free data->data
        apparmor: Fix null pointer deref when receiving skb during sock creation
    • Merge tag 'landlock-6.11-rc1-houdini-fix' of... · 86b405ad
      Linus Torvalds authored
      Merge tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
      
      Pull landlock fix from Mickaël Salaün:
       "Jann Horn reported a sandbox bypass for Landlock. This includes the
        fix and new tests. This should be backported"
      
      * tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
        selftests/landlock: Add cred_transfer test
        landlock: Don't lose track of restrictions on cred_transfer
    • Merge tag 'gpio-fixes-for-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 8e333791
      Linus Torvalds authored
      Pull gpio fix from Bartosz Golaszewski:
      
       - don't use sprintf() with non-constant format string
      
      * tag 'gpio-fixes-for-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: virtuser: avoid non-constant format string
    • Merge tag 'devicetree-fixes-for-6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · bf80f139
      Linus Torvalds authored
      Pull more devicetree updates from Rob Herring:
       "Most of this is a treewide change to of_property_for_each_u32() which
        was small enough to do in one go before rc1 and avoids the need to
        create of_property_for_each_u32_some_new_name().
      
         - Treewide conversion of of_property_for_each_u32() to drop internal
           arguments making struct property opaque
      
         - Add binding for Amlogic A4 SoC watchdog
      
         - Fix constraints for AD7192 'single-channel' property"
      
      * tag 'devicetree-fixes-for-6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: iio: adc: ad7192: Fix 'single-channel' constraints
        of: remove internal arguments from of_property_for_each_u32()
        dt-bindings: watchdog: add support for Amlogic A4 SoCs
    • Merge tag 'iommu-fixes-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux · b465ed28
      Linus Torvalds authored
      Pull iommu fixes from Will Deacon:
       "We're still resolving a regression with the handling of unexpected
        page faults on SMMUv3, but we're not quite there with a fix yet.
      
         - Fix NULL dereference when freeing domain in Unisoc SPRD driver
      
         - Separate assignment statements with semicolons in AMD page-table
           code
      
         - Fix Tegra erratum workaround when the CPU is using 16KiB pages"
      
      * tag 'iommu-fixes-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
        iommu: arm-smmu: Fix Tegra workaround for PAGE_SIZE mappings
        iommu/amd: Convert comma to semicolon
        iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en
    • Merge tag 'firewire-fixes-6.11-rc1' of... · 04216211
      Linus Torvalds authored
      Merge tag 'firewire-fixes-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
      
      Pull firewire fixes from Takashi Sakamoto:
       "The recent integration of compiler collections introduced the
        technology to check flexible array length at runtime by providing
        proper annotations. In v6.10 kernel, a patch was merged into firewire
        subsystem to utilize it, however the annotation was inadequate.
      
        There is also the related change for the flexible array in sound
        subsystem, but it causes a regression where the data in the payload of
        isochronous packet is incorrect for some devices. These bugs are now
        fixed"
      
      * tag 'firewire-fixes-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
        ALSA: firewire-lib: fix wrong value as length of header for CIP_NO_HEADER case
        Revert "firewire: Annotate struct fw_iso_packet with __counted_by()"
    • Merge tag 'spi-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · ab11658f
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "The bulk of this is a series of fixes for the microchip-core driver
        mostly originating from one of their customers, I also applied an
        additional patch adding support for controlling the word size which
        came along with it since it's still the merge window and clearly had a
        bunch of fairly thorough testing.
      
        We also have a fix for the compatible used to bind spidev to the
        BH2228FV"
      
      * tag 'spi-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: spidev: add correct compatible for Rohm BH2228FV
        dt-bindings: trivial-devices: fix Rohm BH2228FV compatible string
        spi: microchip-core: add support for word sizes of 1 to 32 bits
        spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer
        spi: microchip-core: fix init function not setting the master and motorola modes
        spi: microchip-core: only disable SPI controller when register value change requires it
        spi: microchip-core: defer asserting chip select until just before write to TX FIFO
        spi: microchip-core: fix the issues in the isr
    • Merge tag 'regulator-fix-v6.11-merge-window' of... · 560e8050
      Linus Torvalds authored
      Merge tag 'regulator-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "These two commits clean up the excessively loose dependencies for the
        RZG2L USB VBCTRL regulator driver, ensuring it shouldn't prompt for
        people who can't use it"
      
      * tag 'regulator-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: Further restrict RZG2L USB VBCTRL regulator dependencies
        regulator: renesas-usb-vbus-regulator: Update the default
    • Merge tag 'regmap-fix-v6.11-merge-window' of... · 8f3f7598
      Linus Torvalds authored
      Merge tag 'regmap-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
      
      Pull regmap fix from Mark Brown:
       "Arnd sent a workaround for a false positive warning which was showing
        up with GCC 14.1"
      
      * tag 'regmap-fix-v6.11-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap: maple: work around gcc-14.1 false-positive warning
    • Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · de5f4fbe
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A few clk driver fixes for the merge window to fix the build and boot
        on some SoCs.
      
         - Initialize struct clk_init_data in the TI da8xx-cfgchip driver so
           that stack contents aren't used for things like clk flags leading
           to unexpected behavior
      
         - Don't leak stack contents in a debug print in the new Sophgo clk
           driver
      
         - Disable the new T-Head clk driver on 32-bit targets to fix the
           build due to a division
      
         - Fix Samsung Exynos4 fin_pll wreckage from the clkdev rework done
           last cycle by using a struct clk_hw directly instead of a struct
           clk consumer"
      
      * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: samsung: fix getting Exynos4 fin_pll rate from external clocks
        clk: T-Head: Disable on 32-bit Targets
        clk: sophgo: clk-sg2042-pll: Fix uninitialized variable in debug output
        clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
    • Merge tag 'i3c/for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux · c85e1497
      Linus Torvalds authored
      Pull i3c updates from Alexandre Belloni:
       "This cycle, there are new features for the Designware controller and
        fixes for the other IPs:
      
         - dw: optional apb clock and power management support, IBI handling
           fixes
      
         - mipi-i3c-hci: IBI handling fixes
      
         - svc: a few fixes"
      
      * tag 'i3c/for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux:
        dt-bindings: i3c: add header for generic I3C flags
        i3c: master: svc: Fix error code in svc_i3c_master_do_daa_locked()
        i3c: master: Enhance i3c_bus_type visibility for device searching & event monitoring
        i3c: dw: Add power management support
        i3c: dw: Add some functions for reusability
        i3c: dw: Save timing registers and other values
        i3c: master: svc: Improve DAA STOP handle code logic
        i3c: dw: Add optional apb clock
        i3c: dw: Use new *_enabled clk API
        dt-bindings: i3c: dw: Add apb clock binding
        i3c: master: svc: Convert comma to semicolon
        i3c: mipi-i3c-hci: Round IBI data chunk size to HW supported value
        i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup
        i3c: mipi-i3c-hci: Set IBI Status and Data Ring base addresses
        i3c: mipi-i3c-hci: Switch to lower_32_bits()/upper_32_bits() helpers
        i3c: dw: Remove ibi_capable property
        i3c: dw: Fix IBI intr programming
        i3c: dw: Fix clearing queue thld
        i3c: mipi-i3c-hci: Fix number of DAT/DCT entries for HCI versions < 1.1
        i3c: master: svc: resend target address when get NACK