1. 08 Apr, 2021 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · d381b05e
      Linus Torvalds authored
      Pull kvm fix from Paolo Bonzini:
       "A lone x86 patch, for a bug found while developing a backport to
        stable versions"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86/mmu: preserve pending TLB flush across calls to kvm_tdp_mmu_zap_sp
      d381b05e
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2021-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · 4ea51e0e
      Linus Torvalds authored
      Pull close_range() fix from Christian Brauner:
       "Syzbot reported a bug in close_range.
      
        Debugging this showed we didn't recalculate the current maximum fd
        number for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC after we unshared
        the file descriptors table. As a result, max_fd could exceed the
        current fdtable maximum causing us to set excessive bits.
      
        As a concrete example, let's say the user requested everything from fd
        4 to ~0UL to be closed and their current fdtable size is 256 with
        their highest open fd being 4. With CLOSE_RANGE_UNSHARE the caller
        will end up with a new fdtable which has room for 64 file descriptors
        since that is the lowest fdtable size we accept. But now max_fd will
        still point to 255 and needs to be adjusted. Fix this by retrieving
        the correct maximum fd value in __range_cloexec().
      
        I've carried this fix for a little while but since there was no
        linux-next release over easter I waited until now.
      
        With this change close_range() can be further simplified but imho we
        are in no hurry to do that and so I'll defer this for the 5.13 merge
        window"
      
      * tag 'for-linus-2021-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        file: fix close_range() for unshare+cloexec
      4ea51e0e
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 035d8069
      Linus Torvalds authored
      Pull umount fix from Al Viro:
       "Brown paperbag time: dumb braino in the series that went into 5.7
        broke the 'don't step into ->d_weak_revalidate() when umount(2) looks
        the victim up' behaviour.
      
        Spotted only now - saw
      
              if (!err && unlikely(nd->flags & LOOKUP_MOUNTPOINT)) {
                      err = handle_lookup_down(nd);
                      nd->flags &= ~LOOKUP_JUMPED; // no d_weak_revalidate(), please...
              }
      
        and went "why do we clear that flag here - nothing below that point is
        going to check it anyway" / "wait a minute, what is it doing *after*
        complete_walk() (which is where we check that flag and call
        ->d_weak_revalidate())" / "how could that possibly _not_ break?",
        followed by reproducing the breakage and verifying that the obvious
        fix of that braino does, indeed, fix it.
      
        The reproducer is (assuming that $DIR exists and is exported r/w to
        localhost)
      
            mkdir $DIR/a
            mkdir /tmp/foo
            mount --bind /tmp/foo /tmp/foo
            mkdir /tmp/foo/a
            mkdir /tmp/foo/b
            mount -t nfs4 localhost:$DIR/a /tmp/foo/a
            mount -t nfs4 localhost:$DIR /tmp/foo/b
            rmdir /tmp/foo/b/a
            umount /tmp/foo/b
            umount /tmp/foo/a
            umount -l /tmp/foo      # will get everything under /tmp/foo, no matter what
      
        Correct behaviour is successful umount; broken kernels (5.7-rc1 and
        later) get
      
            umount.nfs4: /tmp/foo/a: Stale file handle
      
        Note that bind mount is there to be able to recover - on broken
        kernels we'd get stuck with impossible-to-umount filesystem if not for
        that.
      
        FWIW, that braino had been posted for review back then, at least
        twice. Unfortunately, the call of complete_walk() was outside of diff
        context, so the bogosity hadn't been immediately obvious from the
        patch alone ;-/"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        LOOKUP_MOUNTPOINT: we are cleaning "jumped" flag too late
      035d8069
    • Paolo Bonzini's avatar
      KVM: x86/mmu: preserve pending TLB flush across calls to kvm_tdp_mmu_zap_sp · 315f02c6
      Paolo Bonzini authored
      Right now, if a call to kvm_tdp_mmu_zap_sp returns false, the caller
      will skip the TLB flush, which is wrong.  There are two ways to fix
      it:
      
      - since kvm_tdp_mmu_zap_sp will not yield and therefore will not flush
        the TLB itself, we could change the call to kvm_tdp_mmu_zap_sp to
        use "flush |= ..."
      
      - or we can chain the flush argument through kvm_tdp_mmu_zap_sp down
        to __kvm_tdp_mmu_zap_gfn_range.  Note that kvm_tdp_mmu_zap_sp will
        neither yield nor flush, so flush would never go from true to
        false.
      
      This patch does the former to simplify application to stable kernels,
      and to make it further clearer that kvm_tdp_mmu_zap_sp will not flush.
      
      Cc: seanjc@google.com
      Fixes: 048f4980 ("KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping")
      Cc: <stable@vger.kernel.org> # 5.10.x: 048f4980: KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping
      Cc: <stable@vger.kernel.org> # 5.10.x: 33a31641: KVM: x86/mmu: Don't allow TDP MMU to yield when recovering NX pages
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarSean Christopherson <seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      315f02c6
  2. 07 Apr, 2021 6 commits
    • Linus Torvalds's avatar
      Merge tag 'arc-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 454859c5
      Linus Torvalds authored
      Pull ARC fixlets from Vineet Gupta:
       "A few straggler fixes for ARC"
      
      * tag 'arc-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: treewide: avoid the pointer addition with NULL pointer
        arc: kernel: Return -EFAULT if copy_to_user() fails
        ARC: haps: bump memory to 1 GB
      454859c5
    • Linus Torvalds's avatar
      Merge tag 'arm-fixes-5.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 3a229812
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Most of the changes again are devicetree fixes, but there are also
        five trivial build fixes for issues I found when test building with
        gcc-11 or when running 'make W=1', and some OMAP platform specific
        code fixups.
      
        Broadcom:
         - One revert for a Raspberry pi interrupt controller change that
           caused a regression.
      
        TI OMAP:
         - Remove unused duplicate sha2md5_fck clock node that can race with
           the OMAP4_SHA2MD5_CLKCTRL clock node for disable for unused clocks
      
         - Add aliases for omap4/5 mmc to put the slots back into the right
           order again
      
         - Fix typo for bionic voltage controllers that accidentally use mpu
           for all instances instead of mpu, core and iva
      
         - Fix random hangs for droid4 caused by missing fix from TI Android
           kernel tree to do a dummy smc call on cpuidle wakeup path
      
        NXP i.MX:
         - Fix a system failure on imx6qdl-phytec-pfla02 board when booting
           from SD, by adding missing vmmc supply for SD interfaces.
      
         - Fix address typo in i.MX8MM/Q IOMUXC_SD1_DATA0_GPIO2_IO2
           definition.
      
        Marvell mvebu:
         - Fix storm interrupt on Turris Omnia
      
         - Enable hardware buffer management as it should be
      
        ... and build fixes for PXA, Freescale, Marvell, OMAP1 and Keystone"
      
      * tag 'arm-fixes-5.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin
        ARM: dts: turris-omnia: fix hardware buffer management
        Revert "arm64: dts: marvell: armada-cp110: Switch to per-port SATA interrupts"
        ARM: mvebu: avoid clang -Wtautological-constant warning
        ARM: pxa: mainstone: avoid -Woverride-init warning
        ARM: omap1: fix building with clang IAS
        soc/fsl: qbman: fix conflicting alignment attributes
        ARM: keystone: fix integer overflow warning
        ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces
        arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0
        ARM: OMAP4: PM: update ROM return address for OSWR and OFF
        ARM: OMAP4: Fix PMIC voltage domains for bionic
        ARM: dts: Fix moving mmc devices with aliases for omap4 & 5
        ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race
        Revert "ARM: dts: bcm2711: Add the BSC interrupt controller"
      3a229812
    • Linus Torvalds's avatar
      Merge branch 'parisc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · dbaa5d1c
      Linus Torvalds authored
      Pull parisc fixes from Helge Deller:
       "One link error fix found by the kernel test robot, one sparse warning
        fix, remove a duplicate declaration and some spelling fixes"
      
      * 'parisc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: math-emu: Few spelling fixes in the file fpu.h
        parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers
        parisc: parisc-agp requires SBA IOMMU driver
        parisc: Remove duplicate struct task_struct declaration
      dbaa5d1c
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v5.12-3' of... · 5ba091db
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fix from Hans de Goede:
       "A single bugfix to fix spurious wakeups from suspend caused by recent
        intel-hid driver changes"
      
      * tag 'platform-drivers-x86-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: intel-hid: Fix spurious wakeups caused by tablet-mode events during suspend
      5ba091db
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v5.12-rc6' of... · e3bb2f4f
      Linus Torvalds authored
      Merge tag 'regulator-fix-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "bd9571mwv regulator fixes for v5.12.
      
        A set of driver specific fixes here, the main one is a fix to not try
        to set unsupported voltages on this device. The other two patches
        clean up the error handling and eliminate the possibility that we
        could overflow the page when writing sysfs output (which AFAICT wasn't
        an issue but better to be sure)"
      
      * tag 'regulator-fix-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: bd9571mwv: Convert device attribute to sysfs_emit()
        regulator: bd9571mwv: Fix regulator name printed on registration failure
        regulator: bd9571mwv: Fix AVS and DVFS voltage range
      e3bb2f4f
    • Al Viro's avatar
      LOOKUP_MOUNTPOINT: we are cleaning "jumped" flag too late · 4f0ed93f
      Al Viro authored
      That (and traversals in case of umount .) should be done before
      complete_walk().  Either a braino or mismerge damage on queue
      reorders - either way, I should've spotted that much earlier.
      Fucked-up-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      X-Paperbag: Brown
      Fixes: 161aff1d "LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat()"
      Cc: stable@vger.kernel.org # v5.7+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      4f0ed93f
  3. 06 Apr, 2021 8 commits
  4. 05 Apr, 2021 1 commit
  5. 04 Apr, 2021 4 commits
    • Linus Torvalds's avatar
      Linux 5.12-rc6 · e49d033b
      Linus Torvalds authored
      e49d033b
    • Zheyu Ma's avatar
      firewire: nosy: Fix a use-after-free bug in nosy_ioctl() · 829933ef
      Zheyu Ma authored
      For each device, the nosy driver allocates a pcilynx structure.
      A use-after-free might happen in the following scenario:
      
       1. Open nosy device for the first time and call ioctl with command
          NOSY_IOC_START, then a new client A will be malloced and added to
          doubly linked list.
       2. Open nosy device for the second time and call ioctl with command
          NOSY_IOC_START, then a new client B will be malloced and added to
          doubly linked list.
       3. Call ioctl with command NOSY_IOC_START for client A, then client A
          will be readded to the doubly linked list. Now the doubly linked
          list is messed up.
       4. Close the first nosy device and nosy_release will be called. In
          nosy_release, client A will be unlinked and freed.
       5. Close the second nosy device, and client A will be referenced,
          resulting in UAF.
      
      The root cause of this bug is that the element in the doubly linked list
      is reentered into the list.
      
      Fix this bug by adding a check before inserting a client.  If a client
      is already in the linked list, don't insert it.
      
      The following KASAN report reveals it:
      
         BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
         Write of size 8 at addr ffff888102ad7360 by task poc
         CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
         Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
         Call Trace:
           nosy_release+0x1ea/0x210
           __fput+0x1e2/0x840
           task_work_run+0xe8/0x180
           exit_to_user_mode_prepare+0x114/0x120
           syscall_exit_to_user_mode+0x1d/0x40
           entry_SYSCALL_64_after_hwframe+0x44/0xae
      
         Allocated by task 337:
           nosy_open+0x154/0x4d0
           misc_open+0x2ec/0x410
           chrdev_open+0x20d/0x5a0
           do_dentry_open+0x40f/0xe80
           path_openat+0x1cf9/0x37b0
           do_filp_open+0x16d/0x390
           do_sys_openat2+0x11d/0x360
           __x64_sys_open+0xfd/0x1a0
           do_syscall_64+0x33/0x40
           entry_SYSCALL_64_after_hwframe+0x44/0xae
      
         Freed by task 337:
           kfree+0x8f/0x210
           nosy_release+0x158/0x210
           __fput+0x1e2/0x840
           task_work_run+0xe8/0x180
           exit_to_user_mode_prepare+0x114/0x120
           syscall_exit_to_user_mode+0x1d/0x40
           entry_SYSCALL_64_after_hwframe+0x44/0xae
      
         The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
         The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)
      
      [ Modified to use 'list_empty()' inside proper lock  - Linus ]
      
      Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/Reported-and-tested-by: default avatar马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
      Signed-off-by: default avatarZheyu Ma <zheyuma97@gmail.com>
      Cc: Greg Kroah-Hartman <greg@kroah.com>
      Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      829933ef
    • Wang Qing's avatar
      workqueue/watchdog: Make unbound workqueues aware of touch_softlockup_watchdog() · 89e28ce6
      Wang Qing authored
      84;0;0c84;0;0c
      There are two workqueue-specific watchdog timestamps:
      
          + @wq_watchdog_touched_cpu (per-CPU) updated by
            touch_softlockup_watchdog()
      
          + @wq_watchdog_touched (global) updated by
            touch_all_softlockup_watchdogs()
      
      watchdog_timer_fn() checks only the global @wq_watchdog_touched for
      unbound workqueues. As a result, unbound workqueues are not aware
      of touch_softlockup_watchdog(). The watchdog might report a stall
      even when the unbound workqueues are blocked by a known slow code.
      
      Solution:
      touch_softlockup_watchdog() must touch also the global @wq_watchdog_touched
      timestamp.
      
      The global timestamp can no longer be used for bound workqueues because
      it is now updated from all CPUs. Instead, bound workqueues have to check
      only @wq_watchdog_touched_cpu and these timestamps have to be updated for
      all CPUs in touch_all_softlockup_watchdogs().
      
      Beware:
      The change might cause the opposite problem. An unbound workqueue
      might get blocked on CPU A because of a real softlockup. The workqueue
      watchdog would miss it when the timestamp got touched on CPU B.
      
      It is acceptable because softlockups are detected by softlockup
      watchdog. The workqueue watchdog is there to detect stalls where
      a work never finishes, for example, because of dependencies of works
      queued into the same workqueue.
      
      V3:
      - Modify the commit message clearly according to Petr's suggestion.
      Signed-off-by: default avatarWang Qing <wangqing@vivo.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      89e28ce6
    • Zqiang's avatar
      workqueue: Move the position of debug_work_activate() in __queue_work() · 0687c66b
      Zqiang authored
      The debug_work_activate() is called on the premise that
      the work can be inserted, because if wq be in WQ_DRAINING
      status, insert work may be failed.
      
      Fixes: e41e704b ("workqueue: improve destroy_workqueue() debuggability")
      Signed-off-by: default avatarZqiang <qiang.zhang@windriver.com>
      Reviewed-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      0687c66b
  6. 03 Apr, 2021 14 commits
  7. 02 Apr, 2021 3 commits
    • Linus Torvalds's avatar
      Merge tag 'block-5.12-2021-04-02' of git://git.kernel.dk/linux-block · d93a0d43
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Remove comment that never came to fruition in 22 years of development
         (Christoph)
      
       - Remove unused request flag (Christoph)
      
       - Fix for null_blk fake timeout handling (Damien)
      
       - Fix for IOCB_NOWAIT being ignored for O_DIRECT on raw bdevs (Pavel)
      
       - Error propagation fix for multiple split bios (Yufen)
      
      * tag 'block-5.12-2021-04-02' of git://git.kernel.dk/linux-block:
        block: remove the unused RQF_ALLOCED flag
        block: update a few comments in uapi/linux/blkpg.h
        block: don't ignore REQ_NOWAIT for direct IO
        null_blk: fix command timeout completion handling
        block: only update parent bi_status when bio fail
      d93a0d43
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.12-2021-04-02' of git://git.kernel.dk/linux-block · 1faccb63
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Nothing really major in here, and finally nothing really related to
        signals. A few minor fixups related to the threading changes, and some
        general fixes, that's it.
      
        There's the pending gdb-get-confused-about-arch, but that's more of a
        cosmetic issue, nothing that hinder use of it. And given that other
        archs will likely be affected by that oddity too, better to postpone
        any changes there until 5.13 imho"
      
      * tag 'io_uring-5.12-2021-04-02' of git://git.kernel.dk/linux-block:
        io_uring: move reissue into regular IO path
        io_uring: fix EIOCBQUEUED iter revert
        io_uring/io-wq: protect against sprintf overflow
        io_uring: don't mark S_ISBLK async work as unbounded
        io_uring: drop sqd lock before handling signals for SQPOLL
        io_uring: handle setup-failed ctx in kill_timeouts
        io_uring: always go for cancellation spin on exec
      1faccb63
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 0a84c2e4
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix an ACPI tables management issue, an issue related to the
        ACPI enumeration of devices and CPU wakeup in the ACPI processor
        driver.
      
        Specifics:
      
         - Ensure that the memory occupied by ACPI tables on x86 will always
           be reserved to prevent it from being allocated for other purposes
           which was possible in some cases (Rafael Wysocki).
      
         - Fix the ACPI device enumeration code to prevent it from attempting
           to evaluate the _STA control method for devices with unmet
           dependencies which is likely to fail (Hans de Goede).
      
         - Fix the handling of CPU0 wakeup in the ACPI processor driver to
           prevent CPU0 online failures from occurring (Vitaly Kuznetsov)"
      
      * tag 'acpi-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead()
        ACPI: scan: Fix _STA getting called on devices with unmet dependencies
        ACPI: tables: x86: Reserve memory occupied by ACPI tables
      0a84c2e4