1. 10 Mar, 2022 8 commits
  2. 09 Mar, 2022 7 commits
  3. 08 Mar, 2022 12 commits
  4. 07 Mar, 2022 13 commits
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · ea4424be
      Linus Torvalds authored
      Pull MTD fix from Miquel Raynal:
       "As part of a previous changeset introducing support for the K3
        architecture, the OMAP_GPMC (a non visible symbol) got selected by the
        selection of MTD_NAND_OMAP2 instead of doing so from the architecture
        directly (like for the other users of these two drivers). Indeed, from
        a hardware perspective, the OMAP NAND controller needs the GPMC to
        work.
      
        This led to a robot error which got addressed in fix merge into -rc4.
        Unfortunately, the approach at this time still used "select" and lead
        to further build error reports (sparc64:allmodconfig).
      
        This time we switch to 'depends on' in order to prevent random
        misconfigurations. The different dependencies will however need a
        future cleanup"
      
      * tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: omap2: Actually prevent invalid configuration and build error
      ea4424be
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 06be3029
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "Some last minute fixes that took a while to get ready. Not
        regressions, but they look safe and seem to be worth to have"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        tools/virtio: handle fallout from folio work
        tools/virtio: fix virtio_test execution
        vhost: remove avail_event arg from vhost_update_avail_event()
        virtio: drop default for virtio-mem
        vdpa: fix use-after-free on vp_vdpa_remove
        virtio-blk: Remove BUG_ON() in virtio_queue_rq()
        virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero
        vhost: fix hung thread due to erroneous iotlb entries
        vduse: Fix returning wrong type in vduse_domain_alloc_iova()
        vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command
        vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
        vdpa: factor out vdpa_set_features_unlocked for vdpa internal use
        virtio_console: break out of buf poll on remove
        virtio: document virtio_reset_device
        virtio: acknowledge all features before access
        virtio: unexport virtio_finalize_features
      06be3029
    • Halil Pasic's avatar
      swiotlb: rework "fix info leak with DMA_FROM_DEVICE" · aa6f8dcb
      Halil Pasic authored
      Unfortunately, we ended up merging an old version of the patch "fix info
      leak with DMA_FROM_DEVICE" instead of merging the latest one. Christoph
      (the swiotlb maintainer), he asked me to create an incremental fix
      (after I have pointed this out the mix up, and asked him for guidance).
      So here we go.
      
      The main differences between what we got and what was agreed are:
      * swiotlb_sync_single_for_device is also required to do an extra bounce
      * We decided not to introduce DMA_ATTR_OVERWRITE until we have exploiters
      * The implantation of DMA_ATTR_OVERWRITE is flawed: DMA_ATTR_OVERWRITE
        must take precedence over DMA_ATTR_SKIP_CPU_SYNC
      
      Thus this patch removes DMA_ATTR_OVERWRITE, and makes
      swiotlb_sync_single_for_device() bounce unconditionally (that is, also
      when dir == DMA_TO_DEVICE) in order do avoid synchronising back stale
      data from the swiotlb buffer.
      
      Let me note, that if the size used with dma_sync_* API is less than the
      size used with dma_[un]map_*, under certain circumstances we may still
      end up with swiotlb not being transparent. In that sense, this is no
      perfect fix either.
      
      To get this bullet proof, we would have to bounce the entire
      mapping/bounce buffer. For that we would have to figure out the starting
      address, and the size of the mapping in
      swiotlb_sync_single_for_device(). While this does seem possible, there
      seems to be no firm consensus on how things are supposed to work.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Fixes: ddbd89de ("swiotlb: fix info leak with DMA_FROM_DEVICE")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      aa6f8dcb
    • James Morse's avatar
      arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting · 58c9a506
      James Morse authored
      The mitigations for Spectre-BHB are only applied when an exception is
      taken from user-space. The mitigation status is reported via the spectre_v2
      sysfs vulnerabilities file.
      
      When unprivileged eBPF is enabled the mitigation in the exception vectors
      can be avoided by an eBPF program.
      
      When unprivileged eBPF is enabled, print a warning and report vulnerable
      via the sysfs vulnerabilities file.
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      58c9a506
    • Roger Quadros's avatar
      mtd: rawnand: omap2: Actually prevent invalid configuration and build error · 42da5a4b
      Roger Quadros authored
      The root of the problem is that we are selecting symbols that have
      dependencies. This can cause random configurations that can fail.
      The cleanest solution is to avoid using select.
      
      This driver uses interfaces from the OMAP_GPMC driver so we have to
      depend on it instead.
      
      Fixes: 4cd335da ("mtd: rawnand: omap2: Prevent invalid configuration and build error")
      Signed-off-by: default avatarRoger Quadros <rogerq@kernel.org>
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Tested-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Link: https://lore.kernel.org/linux-mtd/20220219193600.24892-1-rogerq@kernel.org
      42da5a4b
    • Miklos Szeredi's avatar
      fuse: fix pipe buffer lifetime for direct_io · 0c4bcfde
      Miklos Szeredi authored
      In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
      fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
      imports the write buffer with fuse_get_user_pages(), which uses
      iov_iter_get_pages() to grab references to userspace pages instead of
      actually copying memory.
      
      On the filesystem device side, these pages can then either be read to
      userspace (via fuse_dev_read()), or splice()d over into a pipe using
      fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.
      
      This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
      the userspace filesystem can mark the request as completed, causing write()
      to return. At that point, the userspace filesystem should no longer have
      access to the pipe buffer.
      
      Fix by copying pages coming from the user address space to new pipe
      buffers.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: c3021629 ("fuse: support splice() reading from fuse device")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      0c4bcfde
    • Andy Shevchenko's avatar
      gpiolib: acpi: Convert ACPI value of debounce to microseconds · 660c619b
      Andy Shevchenko authored
      It appears that GPIO ACPI library uses ACPI debounce values directly.
      However, the GPIO library APIs expect the debounce timeout to be in
      microseconds.
      
      Convert ACPI value of debounce to microseconds.
      
      While at it, document this detail where it is appropriate.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215664Reported-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Fixes: 8dcb7a15 ("gpiolib: acpi: Take into account debounce settings")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Tested-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      660c619b
    • Marcelo Roberto Jimenez's avatar
      gpio: Revert regression in sysfs-gpio (gpiolib.c) · fc328a7d
      Marcelo Roberto Jimenez authored
      Some GPIO lines have stopped working after the patch
      commit 2ab73c6d ("gpio: Support GPIO controllers without pin-ranges")
      
      And this has supposedly been fixed in the following patches
      commit 89ad556b ("gpio: Avoid using pin ranges with !PINCTRL")
      commit 6dbbf846 ("gpiolib: Don't free if pin ranges are not defined")
      
      But an erratic behavior where some GPIO lines work while others do not work
      has been introduced.
      
      This patch reverts those changes so that the sysfs-gpio interface works
      properly again.
      Signed-off-by: default avatarMarcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      fc328a7d
    • Akhil R's avatar
      gpio: tegra186: Add IRQ per bank for Tegra241 · 5f84e73f
      Akhil R authored
      Add the number of interrupts per bank for Tegra241 (Grace) to
      fix the probe failure.
      
      Fixes: d1056b77 ("gpio: tegra186: Add support for Tegra241")
      Signed-off-by: default avatarAkhil R <akhilrajeev@nvidia.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      5f84e73f
    • Juergen Gross's avatar
      xen/netfront: react properly to failing gnttab_end_foreign_access_ref() · 66e3531b
      Juergen Gross authored
      When calling gnttab_end_foreign_access_ref() the returned value must
      be tested and the reaction to that value should be appropriate.
      
      In case of failure in xennet_get_responses() the reaction should not be
      to crash the system, but to disable the network device.
      
      The calls in setup_netfront() can be replaced by calls of
      gnttab_end_foreign_access(). While at it avoid double free of ring
      pages and grant references via xennet_disconnect_backend() in this case.
      
      This is CVE-2022-23042 / part of XSA-396.
      Reported-by: default avatarDemi Marie Obenour <demi@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V2:
      - avoid double free
      V3:
      - remove pointless initializer (Jan Beulich)
      66e3531b
    • Juergen Gross's avatar
      xen/gnttab: fix gnttab_end_foreign_access() without page specified · 42baefac
      Juergen Gross authored
      gnttab_end_foreign_access() is used to free a grant reference and
      optionally to free the associated page. In case the grant is still in
      use by the other side processing is being deferred. This leads to a
      problem in case no page to be freed is specified by the caller: the
      caller doesn't know that the page is still mapped by the other side
      and thus should not be used for other purposes.
      
      The correct way to handle this situation is to take an additional
      reference to the granted page in case handling is being deferred and
      to drop that reference when the grant reference could be freed
      finally.
      
      This requires that there are no users of gnttab_end_foreign_access()
      left directly repurposing the granted page after the call, as this
      might result in clobbered data or information leaks via the not yet
      freed grant reference.
      
      This is part of CVE-2022-23041 / XSA-396.
      Reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V4:
      - expand comment in header
      V5:
      - get page ref in case of kmalloc() failure, too
      42baefac
    • Juergen Gross's avatar
      xen/pvcalls: use alloc/free_pages_exact() · b0576cc9
      Juergen Gross authored
      Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
      and free_pages_exact(). This is in preparation of a change of
      gnttab_end_foreign_access() which will prohibit use of high-order
      pages.
      
      This is part of CVE-2022-23041 / XSA-396.
      Reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V4:
      - new patch
      b0576cc9
    • Juergen Gross's avatar
      xen/9p: use alloc/free_pages_exact() · 5cadd4bb
      Juergen Gross authored
      Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
      and free_pages_exact(). This is in preparation of a change of
      gnttab_end_foreign_access() which will prohibit use of high-order
      pages.
      
      By using the local variable "order" instead of ring->intf->ring_order
      in the error path of xen_9pfs_front_alloc_dataring() another bug is
      fixed, as the error path can be entered before ring->intf->ring_order
      is being set.
      
      By using alloc_pages_exact() the size in bytes is specified for the
      allocation, which fixes another bug for the case of
      order < (PAGE_SHIFT - XEN_PAGE_SHIFT).
      
      This is part of CVE-2022-23041 / XSA-396.
      Reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V4:
      - new patch
      5cadd4bb