1. 25 Oct, 2021 10 commits
  2. 24 Oct, 2021 7 commits
    • Zheyu Ma's avatar
      ata: sata_mv: Fix the error handling of mv_chip_id() · a0023bb9
      Zheyu Ma authored
      mv_init_host() propagates the value returned by mv_chip_id() which in turn
      gets propagated by mv_pci_init_one() and hits local_pci_probe().
      
      During the process of driver probing, the probe function should return < 0
      for failure, otherwise, the kernel will treat value > 0 as success.
      
      Since this is a bug rather than a recoverable runtime error we should
      use dev_alert() instead of dev_err().
      Signed-off-by: default avatarZheyu Ma <zheyuma97@gmail.com>
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@opensource.wdc.com>
      a0023bb9
    • Linus Torvalds's avatar
      Revert "mm/secretmem: use refcount_t instead of atomic_t" · 87066fdd
      Linus Torvalds authored
      This reverts commit 11086054.
      
      Converting the "secretmem_users" counter to a refcount is incorrect,
      because a refcount is special in zero and can't just be incremented (but
      a count of users is not, and "no users" is actually perfectly valid and
      not a sign of a free'd resource).
      
      Reported-by: syzbot+75639e6a0331cd61d3e2@syzkaller.appspotmail.com
      Cc: Jordy Zomer <jordy@pwning.systems>
      Cc: Kees Cook <keescook@chromium.org>,
      Cc: Jordy Zomer <jordy@jordyzomer.github.io>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: Mike Rapoport <rppt@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      87066fdd
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b20078fd
      Linus Torvalds authored
      Pull autofs fix from Al Viro:
       "Fix for a braino of mine (in getting rid of open-coded
        dentry_path_raw() in autofs a couple of cycles ago).
      
        Mea culpa...  Obvious -stable fodder"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        autofs: fix wait name hash calculation in autofs_wait()
      b20078fd
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6c62666d
      Linus Torvalds authored
      Pull scheduler fix from Borislav Petkov:
       "Reset clang's Shadow Call Stack on hotplug to prevent it from
        overflowing"
      
      * tag 'sched_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/scs: Reset the shadow stack when idle_task_exit
      6c62666d
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 16bc1776
      Linus Torvalds authored
      Pull x86 fix from Borislav Petkov:
       "A single change adding Dave Hansen to our maintainers team"
      
      * tag 'x86_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Add Dave Hansen to the x86 maintainer team
      16bc1776
    • Linus Torvalds's avatar
      Merge tag '5.15-rc6-ksmbd-fixes' of git://git.samba.org/ksmbd · c460e789
      Linus Torvalds authored
      Pull ksmbd fixes from Steve French:
       "Ten fixes for the ksmbd kernel server, for improved security and
        additional buffer overflow checks:
      
         - a security improvement to session establishment to reduce the
           possibility of dictionary attacks
      
         - fix to ensure that maximum i/o size negotiated in the protocol is
           not less than 64K and not more than 8MB to better match expected
           behavior
      
         - fix for crediting (flow control) important to properly verify that
           sufficient credits are available for the requested operation
      
         - seven additional buffer overflow, buffer validation checks"
      
      * tag '5.15-rc6-ksmbd-fixes' of git://git.samba.org/ksmbd:
        ksmbd: add buffer validation in session setup
        ksmbd: throttle session setup failures to avoid dictionary attacks
        ksmbd: validate OutputBufferLength of QUERY_DIR, QUERY_INFO, IOCTL requests
        ksmbd: validate credit charge after validating SMB2 PDU body size
        ksmbd: add buffer validation for smb direct
        ksmbd: limit read/write/trans buffer size not to exceed 8MB
        ksmbd: validate compound response buffer
        ksmbd: fix potencial 32bit overflow from data area check in smb2_write
        ksmbd: improve credits management
        ksmbd: add validation in smb2_ioctl
      c460e789
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 0f386a60
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Ten fixes, seven of which are in drivers.
      
        The core fixes are one to fix a potential crash on resume, one to sort
        out our reference count releases to avoid releasing in-use modules and
        one to adjust the cmd per lun calculation to avoid an overflow in
        hyper-v"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ufs: ufs-pci: Force a full restore after suspend-to-disk
        scsi: qla2xxx: Fix unmap of already freed sgl
        scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()
        scsi: qla2xxx: Return -ENOMEM if kzalloc() fails
        scsi: sd: Fix crashes in sd_resume_runtime()
        scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs
        scsi: core: Put LLD module refcnt after SCSI device is released
        scsi: storvsc: Fix validation for unsolicited incoming packets
        scsi: iscsi: Fix set_param() handling
        scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
      0f386a60
  3. 23 Oct, 2021 2 commits
  4. 22 Oct, 2021 19 commits
    • Linus Torvalds's avatar
      Merge tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · 5ab2ed0a
      Linus Torvalds authored
      Pull fuse fixes from Miklos Szeredi:
       "Syzbot discovered a race in case of reusing the fuse sb (introduced in
        this cycle).
      
        Fix it by doing the s_fs_info initialization at the proper place"
      
      * tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: clean up error exits in fuse_fill_super()
        fuse: always initialize sb->s_fs_info
        fuse: clean up fuse_mount destruction
        fuse: get rid of fuse_put_super()
        fuse: check s_root when destroying sb
      5ab2ed0a
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20211022' of... · 477b4e80
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20211022' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyper-v fix from Wei Liu:
      
       - Fix vmbus ARM64 build (Arnd Bergmann)
      
      * tag 'hyperv-fixes-signed-20211022' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        hyperv/vmbus: include linux/bitops.h
      477b4e80
    • Arnd Bergmann's avatar
      hyperv/vmbus: include linux/bitops.h · 8017c996
      Arnd Bergmann authored
      On arm64 randconfig builds, hyperv sometimes fails with this
      error:
      
      In file included from drivers/hv/hv_trace.c:3:
      In file included from drivers/hv/hyperv_vmbus.h:16:
      In file included from arch/arm64/include/asm/sync_bitops.h:5:
      arch/arm64/include/asm/bitops.h:11:2: error: only <linux/bitops.h> can be included directly
      In file included from include/asm-generic/bitops/hweight.h:5:
      include/asm-generic/bitops/arch_hweight.h:9:9: error: implicit declaration of function '__sw_hweight32' [-Werror,-Wimplicit-function-declaration]
      include/asm-generic/bitops/atomic.h:17:7: error: implicit declaration of function 'BIT_WORD' [-Werror,-Wimplicit-function-declaration]
      
      Include the correct header first.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20211018131929.2260087-1-arnd@kernel.orgSigned-off-by: default avatarWei Liu <wei.liu@kernel.org>
      8017c996
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 1d4590f5
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix two regressions, one related to ACPI power resources
        management and one that broke ACPI tools compilation.
      
        Specifics:
      
         - Stop turning off unused ACPI power resources in an unknown state to
           address a regression introduced during the 5.14 cycle (Rafael
           Wysocki).
      
         - Fix an ACPI tools build issue introduced recently when the minimal
           stdarg.h was added (Miguel Bernal Marin)"
      
      * tag 'acpi-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: PM: Do not turn off power resources in unknown state
        ACPI: tools: fix compilation error
      1d4590f5
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · cd82c4a7
      Linus Torvalds authored
      Pull more x86 kvm fixes from Paolo Bonzini:
      
       - Cache coherency fix for SEV live migration
      
       - Fix for instruction emulation with PKU
      
       - fixes for rare delaying of interrupt delivery
      
       - fix for SEV-ES buffer overflow
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed
        KVM: SEV-ES: keep INS functions together
        KVM: x86: remove unnecessary arguments from complete_emulator_pio_in
        KVM: x86: split the two parts of emulator_pio_in
        KVM: SEV-ES: clean up kvm_sev_es_ins/outs
        KVM: x86: leave vcpu->arch.pio.count alone in emulator_pio_in_out
        KVM: SEV-ES: rename guest_ins_data to sev_pio_data
        KVM: SEV: Flush cache on non-coherent systems before RECEIVE_UPDATE_DATA
        KVM: MMU: Reset mmu->pkru_mask to avoid stale data
        KVM: nVMX: promptly process interrupts delivered while in guest mode
        KVM: x86: check for interrupts before deciding whether to exit the fast path
      cd82c4a7
    • Rafael J. Wysocki's avatar
      Merge branch 'acpi-tools' · 7a748900
      Rafael J. Wysocki authored
      Merge a fix for a recent ACPI tools bild regresson.
      
      * acpi-tools:
        ACPI: tools: fix compilation error
      7a748900
    • Paolo Bonzini's avatar
      KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed · 95e16b47
      Paolo Bonzini authored
      The PIO scratch buffer is larger than a single page, and therefore
      it is not possible to copy it in a single step to vcpu->arch/pio_data.
      Bound each call to emulator_pio_in/out to a single page; keep
      track of how many I/O operations are left in vcpu->arch.sev_pio_count,
      so that the operation can be restarted in the complete_userspace_io
      callback.
      
      For OUT, this means that the previous kvm_sev_es_outs implementation
      becomes an iterator of the loop, and we can consume the sev_pio_data
      buffer before leaving to userspace.
      
      For IN, instead, consuming the buffer and decreasing sev_pio_count
      is always done in the complete_userspace_io callback, because that
      is when the memcpy is done into sev_pio_data.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reported-by: default avatarFelix Wilhelm <fwilhelm@google.com>
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      95e16b47
    • Paolo Bonzini's avatar
      KVM: SEV-ES: keep INS functions together · 4fa4b38d
      Paolo Bonzini authored
      Make the diff a little nicer when we actually get to fixing
      the bug.  No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      4fa4b38d
    • Paolo Bonzini's avatar
      KVM: x86: remove unnecessary arguments from complete_emulator_pio_in · 6b5efc93
      Paolo Bonzini authored
      complete_emulator_pio_in can expect that vcpu->arch.pio has been filled in,
      and therefore does not need the size and count arguments.  This makes things
      nicer when the function is called directly from a complete_userspace_io
      callback.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      6b5efc93
    • Paolo Bonzini's avatar
      KVM: x86: split the two parts of emulator_pio_in · 3b27de27
      Paolo Bonzini authored
      emulator_pio_in handles both the case where the data is pending in
      vcpu->arch.pio.count, and the case where I/O has to be done via either
      an in-kernel device or a userspace exit.  For SEV-ES we would like
      to split these, to identify clearly the moment at which the
      sev_pio_data is consumed.  To this end, create two different
      functions: __emulator_pio_in fills in vcpu->arch.pio.count, while
      complete_emulator_pio_in clears it and releases vcpu->arch.pio.data.
      
      Because this patch has to be backported, things are left a bit messy.
      kernel_pio() operates on vcpu->arch.pio, which leads to emulator_pio_in()
      having with two calls to complete_emulator_pio_in().  It will be fixed
      in the next release.
      
      While at it, remove the unused void* val argument of emulator_pio_in_out.
      The function currently hardcodes vcpu->arch.pio_data as the
      source/destination buffer, which sucks but will be fixed after the more
      severe SEV-ES buffer overflow.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      3b27de27
    • Paolo Bonzini's avatar
      KVM: SEV-ES: clean up kvm_sev_es_ins/outs · ea724ea4
      Paolo Bonzini authored
      A few very small cleanups to the functions, smushed together because
      the patch is already very small like this:
      
      - inline emulator_pio_in_emulated and emulator_pio_out_emulated,
        since we already have the vCPU
      
      - remove the data argument and pull setting vcpu->arch.sev_pio_data into
        the caller
      
      - remove unnecessary clearing of vcpu->arch.pio.count when
        emulation is done by the kernel (and therefore vcpu->arch.pio.count
        is already clear on exit from emulator_pio_in and emulator_pio_out).
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      ea724ea4
    • Paolo Bonzini's avatar
      KVM: x86: leave vcpu->arch.pio.count alone in emulator_pio_in_out · 0d33b1ba
      Paolo Bonzini authored
      Currently emulator_pio_in clears vcpu->arch.pio.count twice if
      emulator_pio_in_out performs kernel PIO.  Move the clear into
      emulator_pio_out where it is actually necessary.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      0d33b1ba
    • Paolo Bonzini's avatar
      KVM: SEV-ES: rename guest_ins_data to sev_pio_data · b5998402
      Paolo Bonzini authored
      We will be using this field for OUTS emulation as well, in case the
      data that is pushed via OUTS spans more than one page.  In that case,
      there will be a need to save the data pointer across exits to userspace.
      
      So, change the name to something that refers to any kind of PIO.
      Also spell out what it is used for, namely SEV-ES.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b5998402
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm · 64222515
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Nothing too crazy at the end of the cycle, the kmb modesetting fixes
        are probably a bit large but it's not a major driver, and its fixing
        monitor doesn't turn on type problems.
      
        Otherwise it's just a few minor patches, one ast regression revert, an
        msm power stability fix.
      
        ast:
         - fix regression with connector detect
      
        msm:
         - fix power stability issue
      
        msxfb:
         - fix crash on unload
      
        panel:
         - sync fix
      
        kmb:
         - modesetting fixes"
      
      * tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm:
        Revert "drm/ast: Add detect function support"
        drm/kmb: Enable ADV bridge after modeset
        drm/kmb: Corrected typo in handle_lcd_irq
        drm/kmb: Disable change of plane parameters
        drm/kmb: Remove clearing DPHY regs
        drm/kmb: Limit supported mode to 1080p
        drm/kmb: Work around for higher system clock
        drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel
        drm: mxsfb: Fix NULL pointer dereference crash on unload
        drm/msm/devfreq: Restrict idle clamping to a618 for now
      64222515
    • Mike Rapoport's avatar
      memblock: exclude MEMBLOCK_NOMAP regions from kmemleak · 658aafc8
      Mike Rapoport authored
      Vladimir Zapolskiy reports:
      
      Commit a7259df7 ("memblock: make memblock_find_in_range method
      private") invokes a kernel panic while running kmemleak on OF platforms
      with nomaped regions:
      
        Unable to handle kernel paging request at virtual address fff000021e00000
        [...]
          scan_block+0x64/0x170
          scan_gray_list+0xe8/0x17c
          kmemleak_scan+0x270/0x514
          kmemleak_write+0x34c/0x4ac
      
      The memory allocated from memblock is registered with kmemleak, but if
      it is marked MEMBLOCK_NOMAP it won't have linear map entries so an
      attempt to scan such areas will fault.
      
      Ideally, memblock_mark_nomap() would inform kmemleak to ignore
      MEMBLOCK_NOMAP memory, but it can be called before kmemleak interfaces
      operating on physical addresses can use __va() conversion.
      
      Make sure that functions that mark allocated memory as MEMBLOCK_NOMAP
      take care of informing kmemleak to ignore such memory.
      
      Link: https://lore.kernel.org/all/8ade5174-b143-d621-8c8e-dc6a1898c6fb@linaro.org
      Link: https://lore.kernel.org/all/c30ff0a2-d196-c50d-22f0-bd50696b1205@quicinc.com
      Fixes: a7259df7 ("memblock: make memblock_find_in_range method private")
      Reported-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarVladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
      Tested-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      658aafc8
    • Mike Rapoport's avatar
      Revert "memblock: exclude NOMAP regions from kmemleak" · 6c9a5455
      Mike Rapoport authored
      Commit 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak")
      breaks boot on EFI systems with kmemleak and VM_DEBUG enabled:
      
        efi: Processing EFI memory map:
        efi:   0x000090000000-0x000091ffffff [Conventional|   |  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        efi:   0x000092000000-0x0000928fffff [Runtime Data|RUN|  |  |  |  |  |  |  |  |   |WB|WT|WC|UC]
        ------------[ cut here ]------------
        kernel BUG at mm/kmemleak.c:1140!
        Internal error: Oops - BUG: 0 [#1] SMP
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc6-next-20211019+ #104
        pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
        pc : kmemleak_free_part_phys+0x64/0x8c
        lr : kmemleak_free_part_phys+0x38/0x8c
        sp : ffff800011eafbc0
        x29: ffff800011eafbc0 x28: 1fffff7fffb41c0d x27: fffffbfffda0e068
        x26: 0000000092000000 x25: 1ffff000023d5f94 x24: ffff800011ed84d0
        x23: ffff800011ed84c0 x22: ffff800011ed83d8 x21: 0000000000900000
        x20: ffff800011782000 x19: 0000000092000000 x18: ffff800011ee0730
        x17: 0000000000000000 x16: 0000000000000000 x15: 1ffff0000233252c
        x14: ffff800019a905a0 x13: 0000000000000001 x12: ffff7000023d5ed7
        x11: 1ffff000023d5ed6 x10: ffff7000023d5ed6 x9 : dfff800000000000
        x8 : ffff800011eaf6b7 x7 : 0000000000000001 x6 : ffff800011eaf6b0
        x5 : 00008ffffdc2a12a x4 : ffff7000023d5ed7 x3 : 1ffff000023dbf99
        x2 : 1ffff000022f0463 x1 : 0000000000000000 x0 : ffffffffffffffff
        Call trace:
         kmemleak_free_part_phys+0x64/0x8c
         memblock_mark_nomap+0x5c/0x78
         reserve_regions+0x294/0x33c
         efi_init+0x2d0/0x490
         setup_arch+0x80/0x138
         start_kernel+0xa0/0x3ec
         __primary_switched+0xc0/0xc8
        Code: 34000041 97d526e7 f9418e80 36000040 (d4210000)
        random: get_random_bytes called from print_oops_end_marker+0x34/0x80 with crng_init=0
        ---[ end trace 0000000000000000 ]---
      
      The crash happens because kmemleak_free_part_phys() tries to use __va()
      before memstart_addr is initialized and this triggers a VM_BUG_ON() in
      arch/arm64/include/asm/memory.h:
      
      Revert 6e44bd6d ("memblock: exclude NOMAP regions from kmemleak"),
      the issue it is fixing will be fixed differently.
      Reported-by: default avatarQian Cai <quic_qiancai@quicinc.com>
      Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c9a5455
    • Linus Torvalds's avatar
      Merge branch 'ucount-fixes-for-v5.15' of... · 9d235ac0
      Linus Torvalds authored
      Merge branch 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull ucounts fixes from Eric Biederman:
       "There has been one very hard to track down bug in the ucount code that
        we have been tracking since roughly v5.14 was released. Alex managed
        to find a reliable reproducer a few days ago and then I was able to
        instrument the code and figure out what the issue was.
      
        It turns out the sigqueue_alloc single atomic operation optimization
        did not play nicely with ucounts multiple level rlimits. It turned out
        that either sigqueue_alloc or sigqueue_free could be operating on
        multiple levels and trigger the conditions for the optimization on
        more than one level at the same time.
      
        To deal with that situation I have introduced inc_rlimit_get_ucounts
        and dec_rlimit_put_ucounts that just focuses on the optimization and
        the rlimit and ucount changes.
      
        While looking into the big bug I found I couple of other little issues
        so I am including those fixes here as well.
      
        When I have time I would very much like to dig into process ownership
        of the shared signal queue and see if we could pick a single owner for
        the entire queue so that all of the rlimits can count to that owner.
        That should entirely remove the need to call get_ucounts and
        put_ucounts in sigqueue_alloc and sigqueue_free. It is difficult
        because Linux unlike POSIX supports setuid that works on a single
        thread"
      
      * 'ucount-fixes-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring
        ucounts: Proper error handling in set_cred_ucounts
        ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds
        ucounts: Fix signal ucount refcounting
      9d235ac0
    • Linus Torvalds's avatar
      Merge tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6c2c7127
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and can.
      
        We'll have one more fix for a socket accounting regression, it's still
        getting polished. Otherwise things look fine.
      
        Current release - regressions:
      
         - revert "vrf: reset skb conntrack connection on VRF rcv", there are
           valid uses for previous behavior
      
         - can: m_can: fix iomap_read_fifo() and iomap_write_fifo()
      
        Current release - new code bugs:
      
         - mlx5: e-switch, return correct error code on group creation failure
      
        Previous releases - regressions:
      
         - sctp: fix transport encap_port update in sctp_vtag_verify
      
         - stmmac: fix E2E delay mechanism (in PTP timestamping)
      
        Previous releases - always broken:
      
         - netfilter: ip6t_rt: fix out-of-bounds read of ipv6_rt_hdr
      
         - netfilter: xt_IDLETIMER: fix out-of-bound read caused by lack of
           init
      
         - netfilter: ipvs: make global sysctl read-only in non-init netns
      
         - tcp: md5: fix selection between vrf and non-vrf keys
      
         - ipv6: count rx stats on the orig netdev when forwarding
      
         - bridge: mcast: use multicast_membership_interval for IGMPv3
      
         - can:
            - j1939: fix UAF for rx_kref of j1939_priv abort sessions on
              receiving bad messages
      
            - isotp: fix TX buffer concurrent access in isotp_sendmsg() fix
              return error on FC timeout on TX path
      
         - ice: fix re-init of RDMA Tx queues and crash if RDMA was not inited
      
         - hns3: schedule the polling again when allocation fails, prevent
           stalls
      
         - drivers: add missing of_node_put() when aborting
           for_each_available_child_of_node()
      
         - ptp: fix possible memory leak and UAF in ptp_clock_register()
      
         - e1000e: fix packet loss in burst mode on Tiger Lake and later
      
         - mlx5e: ipsec: fix more checksum offload issues"
      
      * tag 'net-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (75 commits)
        usbnet: sanity check for maxpacket
        net: enetc: make sure all traffic classes can send large frames
        net: enetc: fix ethtool counter name for PM0_TERR
        ptp: free 'vclock_index' in ptp_clock_release()
        sfc: Don't use netif_info before net_device setup
        sfc: Export fibre-specific supported link modes
        net/mlx5e: IPsec: Fix work queue entry ethernet segment checksum flags
        net/mlx5e: IPsec: Fix a misuse of the software parser's fields
        net/mlx5e: Fix vlan data lost during suspend flow
        net/mlx5: E-switch, Return correct error code on group creation failure
        net/mlx5: Lag, change multipath and bonding to be mutually exclusive
        ice: Add missing E810 device ids
        igc: Update I226_K device ID
        e1000e: Fix packet loss on Tiger Lake and later
        e1000e: Separate TGP board type from SPT
        ptp: Fix possible memory leak in ptp_clock_register()
        net: stmmac: Fix E2E delay mechanism
        nfc: st95hf: Make spi remove() callback return zero
        net: hns3: disable sriov before unload hclge layer
        net: hns3: fix vf reset workqueue cannot exit
        ...
      6c2c7127
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0a3221b6
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix a bug exposed by a previous fix, where running guests with
         certain SMT topologies could crash the host on Power8.
      
       - Fix atomic sleep warnings when re-onlining CPUs, when PREEMPT is
         enabled.
      
      Thanks to Nathan Lynch, Srikar Dronamraju, and Valentin Schneider.
      
      * tag 'powerpc-5.15-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/smp: do not decrement idle task preempt count in CPU offline
        powerpc/idle: Don't corrupt back chain when going idle
      0a3221b6
  5. 21 Oct, 2021 2 commits
    • Kim Phillips's avatar
      Revert "drm/ast: Add detect function support" · 595cb5e0
      Kim Phillips authored
      This reverts commit aae74ff9,
      since it prevents my AMD Milan system from booting, with:
      
      [   27.189558] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [   27.197506] #PF: supervisor write access in kernel mode
      [   27.203333] #PF: error_code(0x0002) - not-present page
      [   27.209064] PGD 0 P4D 0
      [   27.211885] Oops: 0002 [#1] PREEMPT SMP NOPTI
      [   27.216744] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc6+ #15
      [   27.223928] Hardware name: AMD Corporation ETHANOL_X/ETHANOL_X, BIOS RXM1006B 08/20/2021
      [   27.232955] RIP: 0010:run_timer_softirq+0x38b/0x4a0
      [   27.238397] Code: 4c 89 f7 e8 37 27 ac 00 49 c7 46 08 00 00 00 00 49 8b 04 24 48 85 c0 74 71 4d 8b 3c 24 4d 89 7e 08 66 90 49 8b 07 49 8b 57 08 <48> 89 02 48 85 c0 74 04 48 89 50 08 49 8b 77 18 41 f6 47 22 20 4c
      [   27.259350] RSP: 0018:ffffc42d00003ee8 EFLAGS: 00010086
      [   27.265176] RAX: dead000000000122 RBX: 0000000000000000 RCX: 0000000000000101
      [   27.273134] RDX: 0000000000000000 RSI: 0000000000000087 RDI: 0000000000000001
      [   27.281084] RBP: ffffc42d00003f70 R08: 0000000000000000 R09: 00000000000003eb
      [   27.289043] R10: ffffa0860cb300d0 R11: ffffa0c44de290b0 R12: ffffc42d00003ef8
      [   27.297002] R13: 00000000fffef200 R14: ffffa0c44de18dc0 R15: ffffa0867a882350
      [   27.304961] FS:  0000000000000000(0000) GS:ffffa0c44de00000(0000) knlGS:0000000000000000
      [   27.313988] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   27.320396] CR2: 0000000000000000 CR3: 000000014569c001 CR4: 0000000000770ef0
      [   27.328346] PKRU: 55555554
      [   27.331359] Call Trace:
      [   27.334073]  <IRQ>
      [   27.336314]  ? __queue_work+0x420/0x420
      [   27.340589]  ? lapic_next_event+0x21/0x30
      [   27.345060]  ? clockevents_program_event+0x8f/0xe0
      [   27.350402]  __do_softirq+0xfb/0x2db
      [   27.354388]  irq_exit_rcu+0x98/0xd0
      [   27.358275]  sysvec_apic_timer_interrupt+0xac/0xd0
      [   27.363620]  </IRQ>
      [   27.365955]  asm_sysvec_apic_timer_interrupt+0x12/0x20
      [   27.371685] RIP: 0010:cpuidle_enter_state+0xcc/0x390
      [   27.377292] Code: 3d 01 79 0a 50 e8 44 ed 77 ff 49 89 c6 0f 1f 44 00 00 31 ff e8 f5 f8 77 ff 80 7d d7 00 0f 85 e6 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 ff 0f 88 17 01 00 00 49 63 c7 4c 2b 75 c8 48 8d 14 40 48 8d
      [   27.398243] RSP: 0018:ffffffffb0e03dc8 EFLAGS: 00000246
      [   27.404069] RAX: ffffa0c44de00000 RBX: 0000000000000001 RCX: 000000000000001f
      [   27.412028] RDX: 0000000000000000 RSI: ffffffffb0bafc1f RDI: ffffffffb0bbdb81
      [   27.419986] RBP: ffffffffb0e03e00 R08: 00000006549f8f3f R09: ffffffffb1065200
      [   27.427935] R10: ffffa0c44de27ae4 R11: ffffa0c44de27ac4 R12: ffffa0c5634cb000
      [   27.435894] R13: ffffffffb1065200 R14: 00000006549f8f3f R15: 0000000000000001
      [   27.443854]  ? cpuidle_enter_state+0xbb/0x390
      [   27.448712]  cpuidle_enter+0x2e/0x40
      [   27.452695]  call_cpuidle+0x23/0x40
      [   27.456584]  do_idle+0x1f0/0x270
      [   27.460181]  cpu_startup_entry+0x20/0x30
      [   27.464553]  rest_init+0xd4/0xe0
      [   27.468149]  arch_call_rest_init+0xe/0x1b
      [   27.472619]  start_kernel+0x6bc/0x6e2
      [   27.476764]  x86_64_start_reservations+0x24/0x26
      [   27.481912]  x86_64_start_kernel+0x75/0x79
      [   27.486477]  secondary_startup_64_no_verify+0xb0/0xbb
      [   27.492111] Modules linked in: kvm_amd(+) kvm ipmi_si(+) ipmi_devintf rapl wmi_bmof ipmi_msghandler input_leds ccp k10temp mac_hid sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear ast i2c_algo_bit drm_vram_helper drm_ttm_helper ttm drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel syscopyarea aesni_intel sysfillrect crypto_simd sysimgblt fb_sys_fops cryptd hid_generic cec nvme ahci usbhid drm e1000e nvme_core hid libahci i2c_piix4 wmi
      [   27.551789] CR2: 0000000000000000
      [   27.555482] ---[ end trace 897987dfe93dccc6 ]---
      [   27.560630] RIP: 0010:run_timer_softirq+0x38b/0x4a0
      [   27.566069] Code: 4c 89 f7 e8 37 27 ac 00 49 c7 46 08 00 00 00 00 49 8b 04 24 48 85 c0 74 71 4d 8b 3c 24 4d 89 7e 08 66 90 49 8b 07 49 8b 57 08 <48> 89 02 48 85 c0 74 04 48 89 50 08 49 8b 77 18 41 f6 47 22 20 4c
      [   27.587021] RSP: 0018:ffffc42d00003ee8 EFLAGS: 00010086
      [   27.592848] RAX: dead000000000122 RBX: 0000000000000000 RCX: 0000000000000101
      [   27.600808] RDX: 0000000000000000 RSI: 0000000000000087 RDI: 0000000000000001
      [   27.608765] RBP: ffffc42d00003f70 R08: 0000000000000000 R09: 00000000000003eb
      [   27.616716] R10: ffffa0860cb300d0 R11: ffffa0c44de290b0 R12: ffffc42d00003ef8
      [   27.624673] R13: 00000000fffef200 R14: ffffa0c44de18dc0 R15: ffffa0867a882350
      [   27.632624] FS:  0000000000000000(0000) GS:ffffa0c44de00000(0000) knlGS:0000000000000000
      [   27.641650] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   27.648159] CR2: 0000000000000000 CR3: 000000014569c001 CR4: 0000000000770ef0
      [   27.656119] PKRU: 55555554
      [   27.659133] Kernel panic - not syncing: Fatal exception in interrupt
      [   29.030411] Shutting down cpus with NMI
      [   29.034699] Kernel Offset: 0x2e600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [   29.046790] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Since unreliable, found by bisecting for KASAN's use-after-free in
      enqueue_timer+0x4f/0x1e0, where the timer callback is called.
      Reported-by: default avatarKim Phillips <kim.phillips@amd.com>
      Signed-off-by: default avatarKim Phillips <kim.phillips@amd.com>
      Fixes: aae74ff9 ("drm/ast: Add detect function support")
      Link: https://lore.kernel.org/lkml/0f7871be-9ca6-5ae4-3a40-5db9a8fb2365@amd.com/
      Cc: Ainux <ainux.wang@gmail.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: David Airlie <airlied@redhat.com>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: sterlingteng@gmail.com
      Cc: chenhuacai@kernel.org
      Cc: Chuck Lever III <chuck.lever@oracle.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Jon Grimm <jon.grimm@amd.com>
      Cc: dri-devel <dri-devel@lists.freedesktop.org>
      Cc: linux-kernel <linux-kernel@vger.kernel.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211021153006.92983-1-kim.phillips@amd.com
      595cb5e0
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2021-10-21-1' of... · 7e1c5440
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2021-10-21-1' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
      
      drm-misc-fixes for v5.15-rc7:
      - Rebased, to remove vc4 patches.
      - Fix mxsfb crash on unload.
      - Use correct sync parameters for Feixin K101-IM2BYL02.
      - Assorted kmb modeset/atomic fixes.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/e66eaf89-b9b9-41f5-d0d2-dad7e59fabb5@linux.intel.com
      7e1c5440