Commit Graph

1138429 Commits

Author SHA1 Message Date
Hawkins Jiawei
5559405df6 nfs: fix possible null-ptr-deref when parsing param
According to commit "vfs: parse: deal with zero length string value",
kernel will set the param->string to null pointer in vfs_parse_fs_string()
if fs string has zero length.

Yet the problem is that, nfs_fs_context_parse_param() will dereferences the
param->string, without checking whether it is a null pointer, which may
trigger a null-ptr-deref bug.

This patch solves it by adding sanity check on param->string
in nfs_fs_context_parse_param().

Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-12-06 10:43:24 -05:00
ChenXiaoSong
d564d2c4c2 NFSv4: check FMODE_EXEC from open context mode in nfs4_opendata_access()
After converting file f_flags to open context mode by flags_to_mode(), open
context mode will have FMODE_EXEC when file open for exec, so we check
FMODE_EXEC from open context mode.

No functional change, just simplify the code.

Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-12-06 10:39:17 -05:00
ChenXiaoSong
6f1c1d95dc NFS: make sure open context mode have FMODE_EXEC when file open for exec
Because file f_mode never have FMODE_EXEC, open context mode won't get
FMODE_EXEC from file f_mode. Open context mode only care about FMODE_READ/
FMODE_WRITE/FMODE_EXEC, and all info about open context mode can be convert
from file f_flags, so convert file f_flags to open context mode by
flags_to_mode().

Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-12-06 10:38:38 -05:00
Trond Myklebust
d01c6ed6db NFS4.x/pnfs: Fix up logging of layout stateids
If the layout is invalid, then just log a '0' value.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-12-05 14:27:05 -05:00
Trond Myklebust
5776a9cd2a NFS: Fix a race in nfs_call_unlink()
We should check that the filehandles match before transferring the
sillyrename data to the newly looked-up dentry in case the name was
reused on the server.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:10:00 -05:00
Trond Myklebust
35e3b6ae84 NFS: Fix an Oops in nfs_d_automount()
When mounting from a NFSv4 referral, path->dentry can end up being a
negative dentry, so derive the struct nfs_server from the dentry
itself instead.

Fixes: 2b0143b5c9 ("VFS: normal filesystems (and lustre): d_inode() annotations")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:10:00 -05:00
Trond Myklebust
51069e4aef NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
If we're asked to recover open state while a delegation return is
outstanding, then the state manager thread cannot use a cached open, so
if the server returns a delegation, we can end up deadlocked behind the
pending delegreturn.
To avoid this problem, let's just ask the server not to give us a
delegation unless we're explicitly reclaiming one.

Fixes: be36e185bd ("NFSv4: nfs4_open_recover_helper() must set share access")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
e83458fce0 NFSv4: Fix a credential leak in _nfs4_discover_trunking()
Fixes: 4f40a5b554 ("NFSv4: Add an fattr allocation to _nfs4_discover_trunking()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Benjamin Coddington
85aa8ddc38 NFS: Trigger the "ls -l" readdir heuristic sooner
Since commit 1a34c8c9a4 ("NFS: Support larger readdir buffers") has
updated dtsize, and with recent improvements to the READDIRPLUS helper
heuristic, the heuristic may not trigger until many dentries are emitted
to userspace.   This will cause many thousands of GETATTR calls for "ls
-l" when the directory's pagecache has already been populated.  This
manifests as poor performance for long directory listings after an
initially fast "ls -l".

Fix this by emitting only 17 entries for any first pass through the NFS
directory's ->iterate_shared(), which allows userpace to prime the
counters for the heuristic.

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
c528f70f50 NFSv4.2: Fix initialisation of struct nfs4_label
The call to nfs4_label_init_security() should return a fully initialised
label.

Fixes: aa9c266962 ("NFS: Client implementation of Labeled-NFS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
43c1031f71 NFSv4.2: Fix a memory stomp in decode_attr_security_label
We must not change the value of label->len if it is zero, since that
indicates we stored a label.

Fixes: b4487b9354 ("nfs: Fix getxattr kernel panic and memory overflow")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
c8a62f4402 NFSv4.2: Always decode the security label
If the server returns a reply that includes a security label, then we
must decode it whether or not we can store the results.

Fixes: 1e2f67da89 ("NFS: Remove the nfs4_label argument from decode_getattr_*() functions")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
eef7314caf NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
We need to clear the FATTR4_WORD2_SECURITY_LABEL bitmap flag
irrespective of whether or not the label is too long.

Fixes: aa9c266962 ("NFS: Client implementation of Labeled-NFS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Trond Myklebust
0eb43812c0 NFS: Clear the file access cache upon login
POSIX typically only refreshes the user's supplementary group
information upon login. Since NFS servers may often refresh their
concept of the user supplementary group membership at their own cadence,
it is possible for the NFS client's access cache to become stale due to
the user's group membership changing on the server after the user has
already logged in on the client.
While it is reasonable to expect that such group membership changes are
rare, and that we do not want to optimise the cache to accommodate them,
it is also not unreasonable for the user to expect that if they log out
and log back in again, that the staleness would clear up.

Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2022-11-27 22:09:59 -05:00
Linus Torvalds
b7b275e60b Linux 6.1-rc7 2022-11-27 13:31:48 -08:00
Linus Torvalds
cf562a45a0 Amir's copy_file_range() fix
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCY4OtEwAKCRBZ7Krx/gZQ
 66LvAP9tMMKsXoZY5dNjkAeQo/I5PHx81iLYu5GyigqTsf0g8gD+MeM2qxQE9QTt
 6gngWpnNif7Pe5Jj5yuwl4IGbjDG9AQ=
 =Tx7P
 -----END PGP SIGNATURE-----

Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull vfs fix from Al Viro:
 "Amir's copy_file_range() fix"

* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  vfs: fix copy_file_range() averts filesystem freeze protection
2022-11-27 12:40:06 -08:00
Linus Torvalds
9066e15186 USB fixes for 6.1-rc7
Here are some small USB fixes for 6.1-rc7 that resolve some reported
 problems:
 	- cdnsp driver fixes for reported problems
 	- dwc3 fixes for some small reported problems
 	- uvc gadget driver fix for reported regression due to changes
 	  in 6.1-rc1.
 
 All of these have been in linux-next with no reported problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCY4NttA8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ynf/gCgrBbxZPNyta4Z9ufj5bDTJafRQGkAoNKnZzY+
 6QzcyjQzNn5phzFGn7Yu
 =/qTO
 -----END PGP SIGNATURE-----

Merge tag 'usb-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small USB fixes for 6.1-rc7 that resolve some reported
  problems:

   - cdnsp driver fixes for reported problems

   - dwc3 fixes for some small reported problems

   - uvc gadget driver fix for reported regression

  All of these have been in linux-next with no reported problems"

* tag 'usb-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1
  usb: dwc3: gadget: Clear ep descriptor last
  usb: dwc3: exynos: Fix remove() function
  usb: cdnsp: Fix issue with Clear Feature Halt Endpoint
  usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End Transfer
  usb: gadget: uvc: also use try_format in set_format
2022-11-27 12:30:57 -08:00
Linus Torvalds
db3182484f Char/Misc driver fixes for 6.1-rc7
Here are some small driver fixes for 6.1-rc7, they include:
 	- build warning fix for the vdso when using new versions of grep
 	- iio driver fixes for reported issues
 	- small nvmem driver fixes
 	- fpga Kconfig fix
 	- interconnect dt binding fix
 
 All of these have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCY4NssA8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ynIiwCeKIuEGSNjFeyHe/GFRGD3tH/BjjIAn2kAGgJy
 CaZ5u/MpUd2ZEnsaNvV3
 =oNVq
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are some small driver fixes for 6.1-rc7, they include:

   - build warning fix for the vdso when using new versions of grep

   - iio driver fixes for reported issues

   - small nvmem driver fixes

   - fpga Kconfig fix

   - interconnect dt binding fix

  All of these have been in linux-next with no reported issues"

* tag 'char-misc-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  lib/vdso: use "grep -E" instead of "egrep"
  nvmem: lan9662-otp: Change return type of lan9662_otp_wait_flag_clear()
  nvmem: rmem: Fix return value check in rmem_read()
  fpga: m10bmc-sec: Fix kconfig dependencies
  dt-bindings: iio: adc: Remove the property "aspeed,trim-data-valid"
  iio: adc: aspeed: Remove the trim valid dts property.
  iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails
  iio: accel: bma400: Fix memory leak in bma400_get_steps_reg()
  iio: light: rpr0521: add missing Kconfig dependencies
  iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
  iio: health: afe4403: Fix oob read in afe4403_read_raw
  iio: light: apds9960: fix wrong register for gesture gain
  dt-bindings: interconnect: qcom,msm8998-bwmon: Correct SC7280 CPU compatible
2022-11-27 12:17:10 -08:00
Linus Torvalds
715d2d9608 - Return the proper timer register width (31 bits) for a 32-bit signed
register in order to avoid a timer interrupt storm on ARM XGene-1
 hardware running in NO_HZ mode
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmODSS0ACgkQEsHwGGHe
 VUrsvhAAhRdjf9obB82fGsx8mpBH2kCCD89yHqUEuuw/lRDyEeAQ8Xz/+OQkNMUN
 d+dgS6Dza3ZxM2SKkdE6QFMDF5d5Aj8qukB2QqJX3WfAv94SopSOKMo9r9ssGh4O
 HQPhhOqcR8ejCkO5OESzA2AtRFIqWNqOjl1eL666dtc6Oof+34ZdJX5JLEYAwEVq
 ECMJnmR5hAcjai/F/GqyMMQCL/xhMApu8CoUAMWJrJmIrwf0o32/UxM3A/xjxCGj
 9RQnjX7oSXHoGbK6nzbDrABExbWginL3/Pn2MGKxDBjfikeu1/wdtO6Tm+YeXdnm
 sNfBvrFBEJ6qugNbwSLyrmemhgw1HCa690ZoygM4TVF2ITFMIaYPN+OJCHHc3Vtn
 x5ZcD73gDo+ErfwDnLUxY8ovG2i6wRwUp7T+MRcZv88/G4+gAxinR7fshar+dJRv
 Hp7WeZb1WVTOpTzS7m04kWU5RXhfE6Oezqhhzba7kFIrhUyhp+omFun8VfhubHH4
 1jbLURWIu4x85I84XKjLJgy4YyldPGpH0ROVX9aXJ4dtHB4nVZpDLPfNv1OmLSQN
 NJtJ5lAXwdYOTOlgmUr9/ro6TzXJM/Kcd+3JW+N5JGbNRMfYhNEloRD0msmdzhFj
 sB/z1oTTxFj5ai85LNKv7olHR1gCYKnKFDsBVYIZSBv2i33tQR0=
 =PDBt
 -----END PGP SIGNATURE-----

Merge tag 'timers_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Borislav Petkov:

 - Return the proper timer register width (31 bits) for a 32-bit signed
   register in order to avoid a timer interrupt storm on ARM XGene-1
   hardware running in NO_HZ mode

* tag 'timers_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clocksource/drivers/arm_arch_timer: Fix XGene-1 TVAL register math error
2022-11-27 12:11:00 -08:00
Linus Torvalds
b465cf1773 - Handle different output of readelf on different distros running
ppc64le which confuses faddr2line's function offsets conversion
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmODSCEACgkQEsHwGGHe
 VUoN7BAAscJobTTygbwyPI4UYE49jMxDH49ZNCTskcrifkA3CExBhN8uN0Lqb3Wq
 HFYHd0mS7KZa5Fg8CqNQClqwJ6Soo33jgBKy85AsZXZbH5yUa7V0GgdV4UNk62GF
 ldF2CK/B49RnuQHS339/BeQgU5xdVvuKlZUswc2pxRIW5wgHGP37TA2rh4GimPbs
 px194cTceYpmKMfHeU7COM5NiIWMqGhwn3JEkKCOVaWabLVglVolmcBDlDHCz0Ge
 wZWkyurk80r5e7qo+UnTbKTuKFOOOBd5KY3MhDRexRPFQKytVgzuoy74OlUfl+md
 SQWr6rcEo5goFHoudMTPsqy9i2+CLPwAg/9biVHsgwQiqhRBnNs/YfWT+JTfaZpZ
 EvMlN8NsPsMpmNK/AW32fr8S8gB4noXCztOmiKX8xh//eEEZ+lL2ExQcNrJ5XKBJ
 8/CvbttSERXHjp7raomowxh4WQNA7q9Kx87fP2FI75pkC28pMaOPa+r04sTtiJQj
 E9hc/3J/a6rb2iZb+obFf/lpHDXY6KfrH1sYrlsOTDl4DAOt22bocuvgiOluJMTj
 7/XwKu7gUF7pJ2lkFVEjloRLfRdNFDWthnDqxo3Ryf259fECOxTzo2QS+li2vNmP
 /PcluaoJokB+yh27YeULzq1NFz51ufMw+KgKbcVZOxhgTAgIAb0=
 =HslR
 -----END PGP SIGNATURE-----

Merge tag 'objtool_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull objtool fix from Borislav Petkov:

 - Handle different output of readelf on different distros running
   ppc64le which confuses faddr2line's function offsets conversion

* tag 'objtool_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  scripts/faddr2line: Fix regression in name resolution on ppc64le
2022-11-27 12:08:17 -08:00
Linus Torvalds
08b0644126 - ioremap: mask out the bits which are not part of the physical address
*after* the size computation is done to prevent and hypothetical ioremap
 failures
 
 - Change the MSR save/restore functionality during suspend to rely on
 flags denoting that the related MSRs are actually supported vs reading
 them and assuming they are (an Atom one allows reading but not writing,
 thus breaking this scheme at resume time.)
 
 - prevent IV reuse in the AES-GCM communication scheme between SNP
 guests and the AMD secure processor
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmODRegACgkQEsHwGGHe
 VUr3Fw//dZr1BpLA2PoHBWRKw+tJA7NZ5QgYPwYgpZysI3LiSd3wHiYx12AMYl/1
 rvG0ELCwR5MUt3s0owqm4XlzmNbFG/ISsaR3d2mUlqgPrztYKZTHUP14LjzbCgdx
 53FSWqxeK5+NkQcUXF/GsR5flbHHG40wM9PK6UDm+xZPvoTKkBlCNcId+5yMtq0J
 ZvemhZ9rMGoA6bRWvRIhzKdzz9+MRcKMMjcAULNtngIlE/CfdkkIGios0JmPshSB
 h10/CmYRz38U90sqFXF/9DJPo6oFB9DOxIZmyb6cTmJCasSwfuU4uEtTiIuNMw0Y
 zflc1vNnOkpdPvn8nXWwo/OWdjg9oh/TJOzthjyxjlVs4DYjBRnXykdO6lUQWjVI
 XWE4sP8lt2J4wsiURzcaroqfqpQu1Y/hlh/io5xp8vE2qZaOjgADYV1ZHgB/Y20I
 Opm4ICsMYN4ZQqejKfhq/Fu15Y6qqGIl0pNBjOJK0rdaDPthFd4+UEJGvd57RdNl
 RCWC8EvsI8LGWDkGJeR1sytVJT7adWsfy6bYg98BQ2rId4oj89kZYZNqJROf/hv5
 aU7i9AMh8WodZTGh2bfwq+dLvACccc2rqbYh0Q7Uwm3IjaPTWiPHanqsvSo6+GrO
 aO4IUoUidXheVPJu3qfiNTJ4GtTUnqDiatpbfA+Do+Rva2wWBFw=
 =xYpH
 -----END PGP SIGNATURE-----

Merge tag 'x86_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Borislav Petkov:

 - ioremap: mask out the bits which are not part of the physical address
   *after* the size computation is done to prevent any hypothetical
   ioremap failures

 - Change the MSR save/restore functionality during suspend to rely on
   flags denoting that the related MSRs are actually supported vs
   reading them and assuming they are (an Atom one allows reading but
   not writing, thus breaking this scheme at resume time)

 - prevent IV reuse in the AES-GCM communication scheme between SNP
   guests and the AMD secure processor

* tag 'x86_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/ioremap: Fix page aligned size calculation in __ioremap_caller()
  x86/pm: Add enumeration check before spec MSRs save/restore setup
  x86/tsx: Add a feature bit for TSX control MSR support
  virt/sev-guest: Prevent IV reuse in the SNP guest driver
2022-11-27 11:59:14 -08:00
Linus Torvalds
5afcab2217 - Two more fixes to the perf sigtrap handling:
- output the address in the sample only when it has been requested
  - handle the case where user-only events can hit in kernel and thus
    upset the sigtrap sanity checking
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmODP5wACgkQEsHwGGHe
 VUqmBhAAnxQTCg4agqtKQyHAnFGZb09dE6pYghcpJzF2sOh9sffCYl9XYd53AGVS
 z7nTGagPmT0AxdtjbFvDnxXuvpPVfcS9rIKG6oBzPUcXSVKr9PsqzZJJiAibg+uP
 OSkC75tqNgBTnyDSGc+C5yd7LmWV98Y66t0fhwGUTHpAPY+vkbvYvi8yJYfVqZsA
 Fc/6j+MJMFO1/52GoP42HVs2F7oyuXceJAAVhyYkYitC23mvrK2BRTZAkKsfRKBk
 Un5gFMo+iFUTrOMo48f8BMNEtgfC5iAPPK2ZlFGwTEbDQ98+inf461s8jZq/Yeg7
 KcdHw0Tk1rynBrFlbbUQArDEPyqzmj10FMVZ5VgUNdMneGEy+EUdpcoilX0ZccaA
 NMnNDMPpU4S0cbuGn43Y2Jlv4QA9oECHqZ8NndAoJ5domR9g12WyVibD5W/bYBYQ
 4Z2lv6luOCfWd2xQgT4s0tfMjwQb7NKmTrT4No9je7/IBDS5YjzBjPriAd4kbhFj
 MUt6KKLK0fN4ASmxajXp6iYRALL2nvgJ2w1gzO0pcjMGCJ1WZBKDdfbNLbgulCwq
 GJHNc55F7lWmkMNFLbWb28YLHjXGskQj4J/RARFszQq9khQnPEFj4X69StQfrghT
 77rJF9CrS3KnxG4gCNWe5qvfQb9+Fi7IhwyWDI9VR0DITxGogvY=
 =9CQa
 -----END PGP SIGNATURE-----

Merge tag 'perf_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf fixes from Borislav Petkov:
 "Two more fixes to the perf sigtrap handling:

   - output the address in the sample only when it has been requested

   - handle the case where user-only events can hit in kernel and thus
     upset the sigtrap sanity checking"

* tag 'perf_urgent_for_v6.1_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf: Consider OS filter fail
  perf: Fixup SIGTRAP and sample_flags interaction
2022-11-27 11:53:41 -08:00
Linus Torvalds
bf82d38c91 x86:
* Fixes for Xen emulation.  While nobody should be enabling it in
   the kernel (the only public users of the feature are the selftests),
   the bug effectively allows userspace to read arbitrary memory.
 
 * Correctness fixes for nested hypervisors that do not intercept INIT
   or SHUTDOWN on AMD; the subsequent CPU reset can cause a use-after-free
   when it disables virtualization extensions.  While downgrading the panic
   to a WARN is quite easy, the full fix is a bit more laborious; there
   are also tests.  This is the bulk of the pull request.
 
 * Fix race condition due to incorrect mmu_lock use around
   make_mmu_pages_available().
 
 Generic:
 
 * Obey changes to the kvm.halt_poll_ns module parameter in VMs
   not using KVM_CAP_HALT_POLL, restoring behavior from before
   the introduction of the capability
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmODI84UHHBib256aW5p
 QHJlZGhhdC5jb20ACgkQv/vSX3jHroPVJwgAombWOBf549JiHGPtwejuQO20nTSj
 Om9pzWQ9dR182P+ju/FdqSPXt/Lc8i+z5zSXDrV3HQ6/a3zIItA+bOAUiMFvHNAQ
 w/7pEb1MzVOsEg2SXGOjZvW3WouB4Z4R0PosInYjrFrRGRAaw5iaTOZHGezE44t2
 WBWk1PpdMap7J/8sjNT1ble72ig9JdSW4qeJUQ1GWxHCigI5sESCQVqF446KM0jF
 gTYPGX5TqpbWiIejF0yNew9yNKMi/yO4Pz8I5j3vtopeHx24DCIqUAGaEg6ykErX
 vnzYbVP7NaFrqtje49PsK6i1cu2u7uFPArj0dxo3DviQVZVHV1q6tNmI4A==
 =Qgei
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "x86:

   - Fixes for Xen emulation. While nobody should be enabling it in the
     kernel (the only public users of the feature are the selftests),
     the bug effectively allows userspace to read arbitrary memory.

   - Correctness fixes for nested hypervisors that do not intercept INIT
     or SHUTDOWN on AMD; the subsequent CPU reset can cause a
     use-after-free when it disables virtualization extensions. While
     downgrading the panic to a WARN is quite easy, the full fix is a
     bit more laborious; there are also tests. This is the bulk of the
     pull request.

   - Fix race condition due to incorrect mmu_lock use around
     make_mmu_pages_available().

  Generic:

   - Obey changes to the kvm.halt_poll_ns module parameter in VMs not
     using KVM_CAP_HALT_POLL, restoring behavior from before the
     introduction of the capability"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Update gfn_to_pfn_cache khva when it moves within the same page
  KVM: x86/xen: Only do in-kernel acceleration of hypercalls for guest CPL0
  KVM: x86/xen: Validate port number in SCHEDOP_poll
  KVM: x86/mmu: Fix race condition in direct_page_fault
  KVM: x86: remove exit_int_info warning in svm_handle_exit
  KVM: selftests: add svm part to triple_fault_test
  KVM: x86: allow L1 to not intercept triple fault
  kvm: selftests: add svm nested shutdown test
  KVM: selftests: move idt_entry to header
  KVM: x86: forcibly leave nested mode on vCPU reset
  KVM: x86: add kvm_leave_nested
  KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
  KVM: x86: nSVM: leave nested mode on vCPU free
  KVM: Obey kvm.halt_poll_ns in VMs not using KVM_CAP_HALT_POLL
  KVM: Avoid re-reading kvm->max_halt_poll_ns during halt-polling
  KVM: Cap vcpu->halt_poll_ns before halting rather than after
2022-11-27 09:08:40 -08:00
Linus Torvalds
30a853c1bd Two small cifs/smb3 client fixes
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmOC6QYACgkQiiy9cAdy
 T1EaUgv/eEFpIzkRXuJHuPBlxWM7Gz6DiFkWd83ADcB15+4ADzPVdc1HqbnSw0/0
 yPsxfhn95Ydo+zORPJ5puGUpveqNIen8xPeGaORGCCEMCYw5A58K2I8bkSYcMJUd
 63hiLmw9ZpaXxkLXX/Y04hSYBwPIhwLSrT1kfPy7jru78DjvmOya1WHaBzQZQ0ej
 374cDrG9yhWl+udFWJi1HxQt+fnJecaMNJy51BDeOeN3mM4j/kqHgYw2q5GfcbhL
 nyr56UTxHvBpyciguKzqNIUVcFiANr7Il5Yz++NSjRcFUnhgoxPZ+eHMU1X6fpFB
 fgLhcDsbBeWhPZnOAsb4X3HEhb41f61i5s2pYzwU7bhXYla0UrqEIS9RNjh3dgPx
 WnRErVPiOwPP6mRl+064KITWcv3riDb8QbwEtqJQQT1TUPXM0b190wq59lHqIpJk
 rV41bV7s3z839CulF+2Y9fuQVe5SL90kDSxF3gOue4SCzBfbl0Tww5gn3IIHvo+5
 cyZZ3wQU
 =89M+
 -----END PGP SIGNATURE-----

Merge tag '6.1-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Two small cifs/smb3 client fixes:

   - an unlock missing in an error path in copychunk_range found by
     xfstest 476

   - a fix for a use after free in a debug code path"

* tag '6.1-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: fix missing unlock in cifs_file_copychunk_range()
  cifs: Use after free in debug code
2022-11-27 08:48:26 -08:00
Linus Torvalds
faf68e3523 Kbuild fixes for v6.1 (4th)
- Fix CC_HAS_ASM_GOTO_TIED_OUTPUT test in Kconfig
 
  - Fix noisy "No such file or directory" message when KBUILD_BUILD_VERSION
    is passed
 
  - Include rust/ in source tarballs
 
  - Fix missing FORCE for ARCH=nios2 builds
 -----BEGIN PGP SIGNATURE-----
 
 iQJJBAABCgAzFiEEbmPs18K1szRHjPqEPYsBB53g2wYFAmOCoa0VHG1hc2FoaXJv
 eUBrZXJuZWwub3JnAAoJED2LAQed4NsGPfsP/j8YoPvEzI4GrI/htAHw1qdlSdns
 xuGnRFItyRpAZaEnKENG4qBQVCxs+FhQy7B4Omtrer4Jjm6V75zVGGgv883Tlpoe
 9y8K0nXKmA2BVIu+o0rgQZAX9BXWryWaoaWE5/Jt3bX4xdUaCOb0kyay5ix3/jw0
 8eTtYFXZEy108IEqMlDoe2jzXjYdZ2SqCoTMwtQIhghxha7cGEN1APXFtauouvED
 MH3KsqzzJv7tsfsHPE3tPQM3T3o9Cp22B0a6lZq1eXoARvOB8U0o5ykdk09MPC+u
 SSShqkVYIhNnyfd+bmHb1qAizOtdISa24wEpgGQNKBEgmfXu/FYtRkUHKfnQF4iq
 1ugpvVdDsB2o5OoQEZop4kKWGmFYX6aA6DZQflplJwT233TVknTrqxZShJ/IhWz3
 hOgzMe+nf2ySm5Sd0E7hJbHmeE5r3ZQHeKAO4nv0flw6sCUmzMlcxitVXwMgPDFH
 b9bpZHNMx8NXuuQfRVjTJmxg5RPMX5cvdzxGF/g1LwNwR5c5FcYvLvjhHtctKL1W
 VcikG1w7Ovs0YKliCbsLAwatXu+cjiTErnX3pNARG0H92qC5m3cEvw+m9eVoW4zW
 W1NlKzWAVNW9tRFe7Fw5VvA+0Qu3RzfRT/EMaSj0l2nSwSl2wHYas6bhriY1Y1fl
 z50jQCkoHOOMfni0
 =r9W4
 -----END PGP SIGNATURE-----

Merge tag 'kbuild-fixes-v6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - Fix CC_HAS_ASM_GOTO_TIED_OUTPUT test in Kconfig

 - Fix noisy "No such file or directory" message when
   KBUILD_BUILD_VERSION is passed

 - Include rust/ in source tarballs

 - Fix missing FORCE for ARCH=nios2 builds

* tag 'kbuild-fixes-v6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  nios2: add FORCE for vmlinuz.gz
  scripts: add rust in scripts/Makefile.package
  kbuild: fix "cat: .version: No such file or directory"
  init/Kconfig: fix CC_HAS_ASM_GOTO_TIED_OUTPUT test with dash
2022-11-26 16:38:56 -08:00
Randy Dunlap
869e4ae4cd nios2: add FORCE for vmlinuz.gz
Add FORCE to placate a warning from make:

arch/nios2/boot/Makefile:24: FORCE prerequisite is missing

Fixes: 2fc8483fdc ("nios2: Build infrastructure")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
2022-11-27 08:28:41 +09:00
Linus Torvalds
e5f3ec38c8 Fixes:
- Fix rare data corruption on READ operations
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmOCPhcACgkQM2qzM29m
 f5ewTRAAuAjJvtnsRxZBILs76U3KpAnn3ghtYKtzCmanq1UEJAlTz5vLLCqJRTXw
 OajN4f/T/kD3bY5XxYcsbSMhVJhgd7JMx/DyPjp3rY+nS1cS/CB+TxN3VqhOZJDl
 MfEJTN0MxWrq0pXKYxuPECmwk/C7jAU4vjWU+sDWhu4Anig564fdPxGGWw9vRfh5
 YP8U8cuM5LIFCM2ZSjPsqWEXgd7pbYpYdOx6JPA74ftia8RBU1YVbIqZ6uFXiTnV
 tpKAuQYem2ixV6UfsrVbeHDfsSkQcX2iaTGlcLB5y12nprV0wTOQM6lONTD878vh
 37oc8zG9cdpWfcRzkyB8a58jHfSk74pMkV300C38CeV1KtajFVoRkoTvLYJdxbf8
 WPcRcbsXbotb4+A1D2H6QvPKUbrlK+HIHe8POU67tKq5BI8xRw+ojTsJ2ANYr9Jt
 OviLUraUnKFvCK2LN03+Op4l+UBTIdOGzGMqveILfxPD6zlTYJbQQ64Nih4JLfJG
 uDN2892H4He3he5oD9Dzoh2xSWfLV5PJEAaN9wW7pyv8D5HfYBXWPan6JeaMHnfW
 +NcoFQ3cSewyMZ1Rw0aCsKfXRGwikJrbAsrlvNe+uFRD6ueeWULp5fnTlOn+0tW1
 tp+EzLOMoNkL9NW/rLeCIPN1MNXzgabgd4Diq8U3iTDRxf0FahU=
 =zxjk
 -----END PGP SIGNATURE-----

Merge tag 'nfsd-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux

Pull nfsd fix from Chuck Lever:

 - Fix rare data corruption on READ operations

* tag 'nfsd-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
  NFSD: Fix reads with a non-zero offset that don't end on a page boundary
2022-11-26 12:25:49 -08:00
Linus Torvalds
644e952438 Power Supply Fixes for 6.1 cycle
Fixes for the 6.1 cycle:
  * rk817: Two error handling fixes
  * ip5xxx: fix inter overflow in current calculation
  * ab8500: fix thermal zone probing
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE72YNB0Y/i3JqeVQT2O7X88g7+poFAmOBZXQACgkQ2O7X88g7
 +pqq8hAAod1RmFosXcbIoAxGkblosmq9PYCCYp2eBbbqUSbawjCEH4NzOGTIQZlK
 xc6kJPOX0/2Z56pCWr9sfbj/cPbM0wTS067RyxA9Lh7e2bmPsHe19VXEKYfQf+xC
 D8q0IFZVdQSxtJMbMK2WhutH38y2vDN35h/HpG1Tkial6ZEMJMBpuZEB8GkVddgr
 mm7o+218U4WViMKcFUtLk/4ZTKiMRoHy89p3COe8Z9Cl9FdumIF2LHULDcqbXkOs
 ytQ8kKGgd9SANJ8YXWAxPW9Y9v5rl6+0A8KRNltnBpqXkXOtnTI7IltXODuLdfPm
 k6veoy+SLR0l1gtEMczZiw+833kmJWSFj3oIzdslQpZjJJrsRBStJsiukmkgzQCq
 7fb3EmUDUR5dwfUKryWu/qbHXVnJ67zHodUT4xZmqsC6NS4UdDjJ4LNVx44rCUTa
 FP+4+vHumY1rQWE6fcX2Nt6TjCO8RTVDp6uTCxjvkyVUsu/CTST0/COIu67anbJP
 0L2rICgb0v7Nadc1AOWasx+PeCw92jUNCO/Q0s2dEnSzpo+HmSy3PqXwU07FNApv
 f4Y+bwD041q0I+/TrSUVbJjFc4bOyShXTfPxUM8cLV+dhBZy1DM/CeVwRsaa05JK
 oPSkHldAeKO/bEmaMvnfI3IH+YAp40kFv494kEfSi+665LWLE9o=
 =Iplg
 -----END PGP SIGNATURE-----

Merge tag 'for-v6.1-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply

Pull power supply fixes from Sebastian Reichel:

 - rk817: Two error handling fixes

 - ip5xxx: fix inter overflow in current calculation

 - ab8500: fix thermal zone probing

* tag 'for-v6.1-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply:
  power: supply: ab8500: Defer thermal zone probe
  power: supply: ip5xxx: Fix integer overflow in current_now calculation
  power: supply: rk817: Change rk817_chg_cur_to_reg to int
  power: supply: rk817: check correct variable
2022-11-25 18:02:49 -08:00
Linus Torvalds
990f320031 block-6.1-2022-11-25
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmOBLEoQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgponRD/90Nx2W6P8iN21w3ZtzhtYiG9WVBhUtQqhK
 IFCUuaq7Meh8Iz6dpoOhEBHZ3alxZRptYLVVKMGUxkOUjzJPKljermvcb/If288G
 5yaRrBtwkL+opZuDTwTiDFrUFGAY8+Uk/cmse8iqLkmQ+eJxmpr28tTrkOEToinS
 D8JEnXG0YTRNe7o52wBC0rD2zJURHidAqyHuKdXP9DnPntSKfWQNZHK6kWwiJ20W
 UQDgk3sycbmv8WXQ2nsDvrGf1s9FeQzS+gu5gWiA1sbQ5yhBvnGpT/U9E8WOeCZR
 wszfWlsjOfv6N095o6plNeVo3Ti/QgliGiJvuBhkEhU6M9kOCEKzTh0W5DNyDpyo
 DVB4/FmSyBKf1Aif9eo3gUqBdaaKaNn5b2vmgwuY/P5ALjanrL8izsnzdMfxOyRf
 wNFgiYlD3VOksWxHUnPLx9nMtM9uDjkdE8IeRr/4bfP46qxSOpC1dZWvu6Ot1vPr
 bfYo0QM+wUis4tfdxW9MIIi8oDAV0jbPN3zC2/c1end0KfZzlBiRh/1aernWweAj
 NgVJC+9GhzR0RV0T74vH1JY5Xa5PF3VREbNeCYhzLPH/QtI/dCNIVhAv13p06+6x
 zkeyMKUo8oLNl7WJRDb5WU/k2gr1msbwxvS/IdE1PuopqTefU9zdDlP/bYab0xla
 E6DHJ2aHlw==
 =41zr
 -----END PGP SIGNATURE-----

Merge tag 'block-6.1-2022-11-25' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:

 - A few fixes for s390 sads (Stefan, Colin)

 - Ensure that ublk doesn't reorder requests, as that can be problematic
   on devices that need specific ordering (Ming)

 - Fix a queue reference leak in disk allocation handling (Christoph)

* tag 'block-6.1-2022-11-25' of git://git.kernel.dk/linux:
  ublk_drv: don't forward io commands in reserve order
  s390/dasd: fix possible buffer overflow in copy_pair_show
  s390/dasd: fix no record found for raw_track_access
  s390/dasd: increase printing of debug data payload
  s390/dasd: Fix spelling mistake "Ivalid" -> "Invalid"
  blk-mq: fix queue reference leak on blk_mq_alloc_disk_for_queue failure
2022-11-25 17:50:57 -08:00
Linus Torvalds
364eb61834 io_uring-6.1-2022-11-25
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmOBLDcQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgptRwD/0bExcw6CCDp/Lseux/77lUuxO58GdSQqWL
 I6LA11rY1wcQvvcPfDG4e1JEiMHsmbvLNtv2/ZyVcLT8vJwf+FBZuzLeKrZAv24K
 8XTKmWrHhqEGJqyKctbHQuS79XZt2tOcb+y5S5Ny3lzArql2CAiQrDyNZsQx5eFf
 PIUJ0stqu4bp9ag/4q/DxJLXdX0CEvv+06xb8PaeqaN67iWwp95GTqkyKop7D+Vj
 Qs626dqK3jp1HWpkn46uF90b4MOl1IU52r1uVEKH0yf1Iu37WajAP/w0G6krRq2P
 57+HOsfrHiih22stjKCF9SzTncSCzQPgtF7we0w5dtz6TfOkHpPbXu1t6dIcmeXV
 nT+oQ4kfeAGRNpW0B0gwbuxyVZys8C4RmZ7nMDj+u6Z6cBCxjBAHLlUbjp/dejXn
 PcRdumeGq+1zzK9oRUiMiQEPft3BWWiizGztOzYeonN9G8LkCI4187UpzlTb1mmN
 9CnRoCnx8v9zjqNF4TjH08atmJxjqWf+0AzH81dTxbJO60RX9ByvEJNwpV6BwxQ7
 XAiA00h3s6MeX77RkazdoEsA9GCZd1C2gyCHpwH0cG5vgobMOn0M3M8F/OPfxI9e
 v8AVJgp2x8cMUXzt0PRJyxjXfOV8yRfuiVFpZ1ArIBKlCF1/6JfF0MDWSE6+zkXj
 9KgZQ1poVQ==
 =SpdW
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-6.1-2022-11-25' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:

 - A few poll related fixes. One fixing a race condition between poll
   cancelation and trigger, and one making the overflow handling a bit
   more robust (Lin, Pavel)

 - Fix an fput() for error handling in the direct file table (Lin)

 - Fix for a regression introduced in this cycle, where we don't always
   get TIF_NOTIFY_SIGNAL cleared appropriately (me)

* tag 'io_uring-6.1-2022-11-25' of git://git.kernel.dk/linux:
  io_uring: clear TIF_NOTIFY_SIGNAL if set and task_work not available
  io_uring/poll: fix poll_refs race with cancelation
  io_uring/filetable: fix file reference underflow
  io_uring: make poll refs more robust
  io_uring: cmpxchg for poll arm refs release
2022-11-25 17:46:04 -08:00
Linus Torvalds
3e0d88f911 zonefs fixes for 6.1-rc7
- Fix a race between zonefs module initialization of sysfs attribute
    directory and mounting a drive (from Xiaoxu).
 
  - Fix active zone accounting in the rare case of an IO error due to a
    zone transition to offline or read-only state (from me).
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQSRPv8tYSvhwAzJdzjdoc3SxdoYdgUCY4FHbQAKCRDdoc3SxdoY
 dtVJAQDQPKQW7GlxgmfsxNZz4bR9CT2DHqoprN1g1bbKM9hYKwEApq0xtpBjyqX2
 EaePIFvlYa67f5kWnW4XEd5vetbh0AI=
 =imdG
 -----END PGP SIGNATURE-----

Merge tag 'zonefs-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs

Pull zonefs fixes from Damien Le Moal:

 - Fix a race between zonefs module initialization of sysfs attribute
   directory and mounting a drive (from Xiaoxu).

 - Fix active zone accounting in the rare case of an IO error due to a
   zone transition to offline or read-only state (from me).

* tag 'zonefs-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs:
  zonefs: Fix active zone accounting
  zonefs: Fix race between modprobe and mount
2022-11-25 16:34:39 -08:00
Linus Torvalds
f10b439638 regulator: Late fixes for v6.1
This is more changes than I'd like this late although the diffstat is
 still fairly small, I kept on holding off as new fixes came in to give
 things time to soak in -next but should probably have tagged and sent an
 additional pull request earlier.
 
 There's some relatively large fixes to the twl6030 driver to fix issues
 with the TWL6032 variant which resulted from some work on the core
 TWL6030 driver, a couple of fixes for error handling paths (mostly in
 the core), and a nice stability fix for the sgl51000 driver that's been
 pulled out of a BSP.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmOBOHkACgkQJNaLcl1U
 h9DSNwf+KFunln/2mpx6UrLa5kl5QQGDtBruEcEBkKnUAx/YZlZ2nFT08bV4V1D0
 /STa4PZdThem89VBRClQvxdyPE4qKIUvWsLmTUXF9P48m11bI+PMGCBMoKgjs4ZL
 jMTZi/JD+4oZcJcOG5Qu3rihdBxotrsvlk2QUMs+PaPx2JPyr1CpBXAseMkVcqrD
 QzyRWUgCjS2bfnc9Xd7gll1MXeSIcN2oD14ec//5Wv0KItGs2i0cOCUY+U4Dffus
 b+75g7sU4znCD6bcycKdTJEqcqrotrZycGnq3K36ycrAGulQrH4SwohEc2PUlnUa
 ZrKBjC6iFkSutk0dYlSz4k7AfRzjrw==
 =kf38
 -----END PGP SIGNATURE-----

Merge tag 'regulator-fix-v6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "This is more changes than I'd like this late although the diffstat is
  still fairly small, I kept on holding off as new fixes came in to give
  things time to soak in -next but should probably have tagged and sent
  an additional pull request earlier.

  There's some relatively large fixes to the twl6030 driver to fix
  issues with the TWL6032 variant which resulted from some work on the
  core TWL6030 driver, a couple of fixes for error handling paths
  (mostly in the core), and a nice stability fix for the sgl51000 driver
  that's been pulled out of a BSP"

* tag 'regulator-fix-v6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: twl6030: fix get status of twl6032 regulators
  regulator: twl6030: re-add TWL6032_SUBCLASS
  regulator: slg51000: Wait after asserting CS pin
  regulator: core: fix UAF in destroy_regulator()
  regulator: rt5759: fix OOB in validate_desc()
  regulator: core: fix kobject release warning and memory leak in regulator_register()
2022-11-25 13:54:48 -08:00
Linus Torvalds
3eaea0db25 for-6.1-rc6-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAmOBCJEACgkQxWXV+ddt
 WDu5Nw/+P59ARfAm/4HRId4iL6UKozSMc+blWLeP9KkjcytdAfek0oGe3gZ7NJVK
 8VYa93yNneCTkNFLIEpqEduGQjN04dr0odRUXD/kIR8EEtjbgDrH9ZmL47An5wVH
 qE8ILlh2+DXk/QLTpjo8n4mm+MJDJYzfz/jVV9vl8ehMahjj1M0/KmO/vNvDbP2s
 owWU1FBjX7TV6kHa+SQGqd1HfXS1YUx203I4SDmPj8vSXtysvSOWClT3HO6i6O5S
 MSS3Me+rx9eMFMISNghL8I466+lPlGxK14DmLUE4l0kfoKyd4eHQw+ft76D6Twuz
 JqjegAGA1nzqDO0XDXb4WPjrPKG8r8Ven2eInF3kncku9GyeEafL+L+nmj7PHsE7
 dixWo2TQ9z1Wm/n1NWlU02ZSLdbetUtYTvZczUhevtNzuYUtILihcFZO3+Cp7V4p
 R2WwJ5XXdfS8g8Q9kJCOuVd9fZ+3hQvEF1IwWCP9ZZfmIC6/4/uGGFB6TJu7HmZC
 trpQYn9l5aP9L9Uq8t+9j+XoDEzQW0tZGpiYI9ypAa5Q5xbw3Ez2JNTbF7YVqQE2
 iFDwuuy/X1iNvifniQgdodKVQLK/PcNrlcNb/gPG6cGCWjlTj3SKT9SlrwAgSDZW
 pFWFb9NtN3ORjLeCiONo/ZGpZzM9/XQplub+4WuXQXGNJasRIoE=
 =Q4JA
 -----END PGP SIGNATURE-----

Merge tag 'for-6.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:

 - fix a regression in nowait + buffered write

 - in zoned mode fix endianness when comparing super block generation

 - locking and lockdep fixes:
     - fix potential sleeping under spinlock when setting qgroup limit
     - lockdep warning fixes when btrfs_path is freed after copy_to_user
     - do not modify log tree while holding a leaf from fs tree locked

 - fix freeing of sysfs files of static features on error

 - use kv.alloc for zone map allocation as a fallback to avoid warnings
   due to high order allocation

 - send, avoid unaligned encoded writes when attempting to clone range

* tag 'for-6.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs()
  btrfs: do not modify log tree while holding a leaf from fs tree locked
  btrfs: use kvcalloc in btrfs_get_dev_zone_info
  btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
  btrfs: send: avoid unaligned encoded writes when attempting to clone range
  btrfs: zoned: fix missing endianness conversion in sb_write_pointer
  btrfs: free btrfs_path before copying subvol info to userspace
  btrfs: free btrfs_path before copying fspath to userspace
  btrfs: free btrfs_path before copying inodes to userspace
  btrfs: free btrfs_path before copying root refs to userspace
  btrfs: fix assertion failure and blocking during nowait buffered write
2022-11-25 13:24:05 -08:00
Linus Torvalds
88817acb8b Power management fixes for 6.1-rc7
- Revert a recent schedutil cpufreq governor change that introduced
    a performace regression on Pixel 6 (Sam Wu).
 
  - Fix amd-pstate driver initialization after running the kernel via
    kexec (Wyes Karny).
 
  - Turn amd-pstate into a built-in driver which allows it to take
    precedence over acpi-cpufreq by default on supported systems and
    amend it with a mechanism to disable this behavior (Perry Yuan).
 
  - Update amd-pstate documentation in accordance with the other changes
    made to it (Perry Yuan).
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmOA9bgSHHJqd0Byand5
 c29ja2kubmV0AAoJEILEb/54YlRxfpsP/j1JTOy3tPCsvPgI+b/RCWq33sm5PpaU
 iFYpfxE9uexy2FyGgsZSqp4fMpMw9fCjiCpv/yfxtLmKccmOyW2kG7IYnNuV5QuN
 FnN6B9WfsLohbuk87H07GpuGZTy4OISjmEGE/gTHXhY6n0eQ9utiX9b8zQuRdhsO
 Gz7N0GaYrDh1lo9HeHNXiXbgIuVSj8iRyzWjJwdeha8NhZxwzQ3tZz5zNcBlCeJ+
 sFtopCWqDZ5DbmKQy4rYXRuW8zC6UUQ4opqcpG5+0e5e51aa0lexJtUqxcyuKqHd
 8plSZEEofCd7XecsvdXGzxhN29FFFIPkHZHic6/GQQou0gC8uGdp/LQMCoiZ3sJ1
 3YblYJkYXMCsi9COjCAesMwy6PENL98XLfQYVmfT/EEHPgyxG1hD0a/xf0UvXzsf
 V2h/gX+gfnDspCtStkrprapQb1WTCgA8d4tOB6x47EpCfY+H3HrNPFNIpJ93ErQJ
 rAe8jAARh1qAbOEWYipc0XmnJLV4aDBAkR+6uE7GHXu6ESOUfvOzpVrQ5d3x4Ohk
 a+vyupwiRGxRRoBjuGFyf/v15g6/UeLi5A/4Qi5SpCM7Uet7RnE/ltxjbgZJZgfG
 gtBJvNaFExWJI5hFZIpz4hubsWvFMaF6SwlXnVMdYGuKZl0w119wAHFLkyO4EmHk
 5RacLxDHEJ4q
 =+qZV
 -----END PGP SIGNATURE-----

Merge tag 'pm-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These revert a recent change in the schedutil cpufreq governor that
  had not been expected to make any functional difference, but turned
  out to introduce a performance regression, fix an initialization issue
  in the amd-pstate driver and make it actually replace the venerable
  ACPI cpufreq driver on the supported systems by default.

  Specifics:

   - Revert a recent schedutil cpufreq governor change that introduced a
     performace regression on Pixel 6 (Sam Wu)

   - Fix amd-pstate driver initialization after running the kernel via
     kexec (Wyes Karny)

   - Turn amd-pstate into a built-in driver which allows it to take
     precedence over acpi-cpufreq by default on supported systems and
     amend it with a mechanism to disable this behavior (Perry Yuan)

   - Update amd-pstate documentation in accordance with the other
     changes made to it (Perry Yuan)"

* tag 'pm-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  Documentation: add amd-pstate kernel command line options
  Documentation: amd-pstate: add driver working mode introduction
  cpufreq: amd-pstate: add amd-pstate driver parameter for mode selection
  cpufreq: amd-pstate: change amd-pstate driver to be built-in type
  cpufreq: amd-pstate: cpufreq: amd-pstate: reset MSR_AMD_PERF_CTL register at init
  Revert "cpufreq: schedutil: Move max CPU capacity to sugov_policy"
2022-11-25 12:43:33 -08:00
Linus Torvalds
e3ebac80b6 s390 updates for 6.1-rc7
- Fix size of incorrectly increased from four to eight bytes
   TOD field of crash dump save area. As result in case of
   kdump NT_S390_TODPREG ELF notes section contains correct
   value and "detected read beyond size of field" compiler
   warning goes away.
 
 - Fix memory leak in cryptographic Adjunct Processors (AP)
   module on initialization failure path.
 
 - Add Gerald Schaefer <gerald.schaefer@linux.ibm.com> and
   Alexander Gordeev <agordeev@linux.ibm.com> as S390 memory
   management maintainers. Also rename the S390 section to
   S390 ARCHITECTURE to be a bit more precise.
 -----BEGIN PGP SIGNATURE-----
 
 iI0EABYIADUWIQQrtrZiYVkVzKQcYivNdxKlNrRb8AUCY4DkjxccYWdvcmRlZXZA
 bGludXguaWJtLmNvbQAKCRDNdxKlNrRb8JrmAP928nAXDg4Gfctxka3tANgqu6uZ
 SLQ79G717Hq+OHyYjwD9GHFrKjfaimYocAsyf9jPyKnnac4jVydA42CLdLbV2AI=
 =Vl1I
 -----END PGP SIGNATURE-----

Merge tag 's390-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 updates from Alexander Gordeev:

 - Fix size of incorrectly increased from four to eight bytes TOD field
   of crash dump save area. As result in case of kdump NT_S390_TODPREG
   ELF notes section contains correct value and "detected read beyond
   size of field" compiler warning goes away.

 - Fix memory leak in cryptographic Adjunct Processors (AP) module on
   initialization failure path.

 - Add Gerald Schaefer <gerald.schaefer@linux.ibm.com> and Alexander
   Gordeev <agordeev@linux.ibm.com> as S390 memory management
   maintainers. Also rename the S390 section to S390 ARCHITECTURE to be
   a bit more precise.

* tag 's390-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  MAINTAINERS: add S390 MM section
  s390/crashdump: fix TOD programmable field size
  s390/ap: fix memory leak in ap_init_qci_info()
2022-11-25 12:37:24 -08:00
Linus Torvalds
081f359ef5 hyperv-fixes for 6.1-rc7
-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEIbPD0id6easf0xsudhRwX5BBoF4FAmOA1C0THHdlaS5saXVA
 a2VybmVsLm9yZwAKCRB2FHBfkEGgXoofCADVaWCNcmktsiMxeNuMGJULbib5Jf/q
 69axU1totvczkff0Cg9NuDQoqXIJKF9NB4HbO0atqI4VXwInk6Y8xxNFY/EzGAat
 6Dr+y6lT2OL+qzjkk8yMB8CQM67XTfDNOVeo8tVSpTOnCohHyQw4QSJmlh/cO60l
 h33UbvWwzTkxuZCGJxULGOEsydw1ktoEUC/TS0hqWVG/vmqfPBGiEb2oWU+lPE/0
 cARhsV+VpLQ4bX960pcrbRvkEgydEtJHCvkU5k8C5ZoPaStNPvY/6we96eB+r4i+
 htb4LDN8n7M9EZS30/xm/DLmemawKk57bv5fZtVv+98srtQhgO3kc2iu
 =mp04
 -----END PGP SIGNATURE-----

Merge tag 'hyperv-fixes-signed-20221125' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux

Pull hyperv fixes from Wei Liu:

 - Fix IRTE allocation in Hyper-V PCI controller (Dexuan Cui)

 - Fix handling of SCSI srb_status and capacity change events (Michael
   Kelley)

 - Restore VP assist page after CPU offlining and onlining (Vitaly
   Kuznetsov)

 - Fix some memory leak issues in VMBus (Yang Yingliang)

* tag 'hyperv-fixes-signed-20221125' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register()
  Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work()
  PCI: hv: Only reuse existing IRTE allocation for Multi-MSI
  scsi: storvsc: Fix handling of srb_status and capacity change events
  x86/hyperv: Restore VP assist page after cpu offlining/onlining
2022-11-25 12:32:42 -08:00
Linus Torvalds
0b1dcc2cf5 24 hotfixes. 8 marked cc:stable and 16 for post-6.0 issues.
There have been a lot of hotfixes this cycle, and this is quite a large
 batch given how far we are into the -rc cycle.  Presumably a reflection of
 the unusually large amount of MM material which went into 6.1-rc1.
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQTTMBEPP41GrTpTJgfdBJ7gKXxAjgUCY4Bd6gAKCRDdBJ7gKXxA
 jvX6AQCsG1ld24kMpdD+70XXUyC29g/6/jribgtZApHyDYjxSwD/WmLNpPlUPRax
 WB071Y5w65vjSTUKvwU0OLGbHwyxgAw=
 =swD5
 -----END PGP SIGNATURE-----

Merge tag 'mm-hotfixes-stable-2022-11-24' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull hotfixes from Andrew Morton:
 "24 MM and non-MM hotfixes. 8 marked cc:stable and 16 for post-6.0
  issues.

  There have been a lot of hotfixes this cycle, and this is quite a
  large batch given how far we are into the -rc cycle. Presumably a
  reflection of the unusually large amount of MM material which went
  into 6.1-rc1"

* tag 'mm-hotfixes-stable-2022-11-24' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (24 commits)
  test_kprobes: fix implicit declaration error of test_kprobes
  nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty
  mm/cgroup/reclaim: fix dirty pages throttling on cgroup v1
  mm: fix unexpected changes to {failslab|fail_page_alloc}.attr
  swapfile: fix soft lockup in scan_swap_map_slots
  hugetlb: fix __prep_compound_gigantic_page page flag setting
  kfence: fix stack trace pruning
  proc/meminfo: fix spacing in SecPageTables
  mm: multi-gen LRU: retry folios written back while isolated
  mailmap: update email address for Satya Priya
  mm/migrate_device: return number of migrating pages in args->cpages
  kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible
  MAINTAINERS: update Alex Hung's email address
  mailmap: update Alex Hung's email address
  mm: mmap: fix documentation for vma_mas_szero
  mm/damon/sysfs-schemes: skip stats update if the scheme directory is removed
  mm/memory: return vm_fault_t result from migrate_to_ram() callback
  mm: correctly charge compressed memory to its memcg
  ipc/shm: call underlying open/close vm_ops
  gcov: clang: fix the buffer overflow issue
  ...
2022-11-25 10:18:25 -08:00
Linus Torvalds
b308570957 a couple of fixes, one of them for this cycle regression...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCY4A7qAAKCRBZ7Krx/gZQ
 61SoAP9bWYuW44RNEkitOIPCi/bmWy5D9alVEjWinmxzsT94NgEA5rfc4uuSCLp1
 se+Qgcu5iNKpHTXIOAOX7ozCCQJzQgo=
 =GK/t
 -----END PGP SIGNATURE-----

Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull vfs fixes from Al Viro:
 "A couple of fixes, one of them for this cycle regression..."

* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  vfs: vfs_tmpfile: ensure O_EXCL flag is enforced
  fs: use acquire ordering in __fget_light()
2022-11-25 10:12:43 -08:00
Jens Axboe
7cfe7a0948 io_uring: clear TIF_NOTIFY_SIGNAL if set and task_work not available
With how task_work is added and signaled, we can have TIF_NOTIFY_SIGNAL
set and no task_work pending as it got run in a previous loop. Treat
TIF_NOTIFY_SIGNAL like get_signal(), always clear it if set regardless
of whether or not task_work is pending to run.

Cc: stable@vger.kernel.org
Fixes: 46a525e199 ("io_uring: don't gate task_work run on TIF_NOTIFY_SIGNAL")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-11-25 10:55:08 -07:00
Linus Torvalds
ca66e58001 sound fixes for 6.1-rc7
A few more last-minute fixes for 6.1 that have been gathered in the
 last week; nothing looks too worrisome, mostly device-specific small
 fixes, including the ABI fix for ASoC SOF.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmN/muAOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE/mpRAAlNct2PsBa+zCqY0GRtrCsRKylM1+jQlqHUZ7
 1dibJFA7tJJhgRB8cWnEDpNW8zKcsYiatYKJFIE8HFtECBZ3eMHgeSOaOmGdKLpN
 EG+zaF5X6j37w7YTywTqU/cmZXRkLcDRK+bCcnz6d+TdhZj9DZuBtaWD8yFGQMTz
 aUueasZ5N1Vs64hVLXG1vQWlIlYpzP32yF5MUHZp9Ie0siJqW0cwrghSBO4bZRNv
 qnKIPpryDBZEIcqKv2/VumuYO88X4bDw9F4y2OPAjC4yS/9pxvFe2qIHQs70Zqbg
 Tkv904OcaqcD0krY1Ux43Td7Hk6sBGYMc1knCoBvQlj9UTkjJ3UKugp9Evwscc3h
 eAZABjFuAxzeODAAjYqFRqcP/9aVUEW5YkoBIjfpiSxYhikJaklaxYS2BoA6pmrj
 wUF3EZOq3cOJw1sVu9UgmCtjJk9CojE18zVTQXU4oIPel1G8dA/FNbci+ux7rmQ1
 J7lnySiVDfNtkpUXSJBcj0VC/BXWAFtjuaOEn0uoZDwJfdgYhjRptgeuX8WMB7xT
 lDH30NyZ+YTbQNU+XK/+DtWnz3htjATKmNJGAodtynLhX+8i8Nkfsf7B5jAXsQZ4
 RIkp8086ADD2ALhO82kUmba062xUwpra3VmwdLo7InBTuD9j7eXizd7nmiPt3G+/
 77Oc2ug=
 =5fKR
 -----END PGP SIGNATURE-----

Merge tag 'sound-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "A few more last-minute fixes for 6.1 that have been gathered in the
  last week; nothing looks too worrisome, mostly device-specific small
  fixes, including the ABI fix for ASoC SOF"

* tag 'sound-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: soc-pcm: Add NULL check in BE reparenting
  ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event
  ASoC: SOF: dai: move AMD_HS to end of list to restore backwards-compatibility
  ASoC: max98373: Add checks for devm_kcalloc
  ASoC: rt711-sdca: fix the latency time of clock stop prepare state machine transitions
  ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open()
  ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove
  ASoC: hdac_hda: fix hda pcm buffer overflow issue
  ASoC: stm32: i2s: remove irqf_oneshot flag
  ASoC: wm8962: Wait for updated value of WM8962_CLOCKING1 register
2022-11-25 09:26:18 -08:00
Linus Torvalds
6fe0e074e7 drm fixes for 6.1-rc7
amdgpu:
 - amdgpu gang submit fix.
 - DCN 3.1.4 fixes
 - DP MST DSC deadlock fixes
 - HMM userptr fixes
 - Fix Aldebaran CU occupancy reporting
 - GFX11 fixes
 - PSP suspend/resume fix
 - DCE12 KASAN fix
 - DCN 3.2.x fixes
 - Rotated cursor fix
 - SMU 13.x fix
 - DELL platform suspend/resume fixes
 - VCN4 SR-IOV fix
 - Display regression fix for polled connectors
 
 i915:
 - Fix GVT KVM reference count handling
 - Never purge busy TTM objects
 - Fix warn in intel_display_power_*_domain() functions
 
 dma-buf:
 - Use dma_fence_unwrap_for_each when importing sync files.
 - Fix race in dma_heap_add().
 
 fbcon:
 - Fix use of uninitialized memory in logo.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmOANPQACgkQDHTzWXnE
 hr4a/A/+JuYIIC0ZtGeY3mcmHIcNQIIeCDmf+/8BGZCp6Dr2Uz62jBhyylbrZ9MQ
 lHHmV3HI1khC3S5v351zeEzFCfK9JKWs64I3sBuBF04yi49PvCD5+8MpgUPRgPWb
 N6t319GlIw1X0ktA2tgzekGVJCSaCyZNUD4kvO9PwrLFTpVeqEoCUoYwmqLCt392
 u0r9FYrAQLmH208/6DG5PnKHLXO5/VspJT09xz3faZdVAJtLc6Pr+npO2kUsx8Y0
 quGtdh0OxhdsExhXWZGSm3DDEMmxqC0e14QX0dXuzOkTfIYRkUzkXLjph99nMEir
 rpszx0wJrdjbWiL98nXi520KlcNZeeCM6s1WbXXBplgJHAhEXrcBuvNEH9s/SedL
 qRBdqKtmxpeJkkimAfpqPvKkSmwyfNIZ01Yekrtm9ovmD2T6uO3zjX5411d4iHJ7
 JiSwkcnaqR75Tbvq7aoOubQUB3S4JXIqqxuVgQicu7H/wcuImbcaaaaWmxPwIYRi
 tn0Dwt+GY84bYi47g9DzcslpxFXV36c5aQv2HwdDfUu8/oqOZakgzYiZoxPIlT5K
 y5TFvInNEhuNExezVRzbxp5asgPy3izEaUrrQIFJ8XchP4N6jr+17x174ix4O019
 T4H9PhNybHGSVGWAkuy9+KTIOGbP5vbY1zzmEGjPlkKmv0BFDfM=
 =o133
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2022-11-25' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Weekly fixes, amdgpu has not quite settled down.

  Most of the changes are small, and the non-amdgpu ones are all fine.
  There are a bunch of DP MST DSC fixes that fix some issues introduced
  in a previous larger MST rework.

  The biggest one is mainly propagating some error values properly
  instead of bool returns, and I think it just looks large but doesn't
  really change anything too much, except propagating errors that are
  required to avoid deadlocks. I've gone over it and a few others and
  they've had some decent testing over the last few weeks.

  Summary:

  amdgpu:
   - amdgpu gang submit fix
   - DCN 3.1.4 fixes
   - DP MST DSC deadlock fixes
   - HMM userptr fixes
   - Fix Aldebaran CU occupancy reporting
   - GFX11 fixes
   - PSP suspend/resume fix
   - DCE12 KASAN fix
   - DCN 3.2.x fixes
   - Rotated cursor fix
   - SMU 13.x fix
   - DELL platform suspend/resume fixes
   - VCN4 SR-IOV fix
   - Display regression fix for polled connectors

  i915:
   - Fix GVT KVM reference count handling
   - Never purge busy TTM objects
   - Fix warn in intel_display_power_*_domain() functions

  dma-buf:
   - Use dma_fence_unwrap_for_each when importing sync files
   - Fix race in dma_heap_add()

  fbcon:
   - Fix use of uninitialized memory in logo"

* tag 'drm-fixes-2022-11-25' of git://anongit.freedesktop.org/drm/drm: (30 commits)
  drm/amdgpu/vcn: re-use original vcn0 doorbell value
  drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"
  drm/amd/display: No display after resume from WB/CB
  drm/amdgpu: fix use-after-free during gpu recovery
  drm/amd/pm: update driver if header for smu_13_0_7
  drm/amd/display: Fix rotated cursor offset calculation
  drm/amd/display: Use new num clk levels struct for max mclk index
  drm/amd/display: Avoid setting pixel rate divider to N/A
  drm/amd/display: Use viewport height for subvp mall allocation size
  drm/amd/display: Update soc bounding box for dcn32/dcn321
  drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASAN
  drm/amdgpu/psp: don't free PSP buffers on suspend
  fbcon: Use kzalloc() in fbcon_prepare_logo()
  dma-buf: fix racing conflict of dma_heap_add()
  drm/amd/amdgpu: reserve vm invalidation engine for firmware
  drm/amdgpu: Enable Aldebaran devices to report CU Occupancy
  drm/amdgpu: fix userptr HMM range handling v2
  drm/amdgpu: always register an MMU notifier for userptr
  drm/amdgpu/dm/mst: Fix uninitialized var in pre_compute_mst_dsc_configs_for_state()
  drm/amdgpu/dm/dp_mst: Don't grab mst_mgr->lock when computing DSC state
  ...
2022-11-25 09:20:42 -08:00
Lin Ma
12ad3d2d6c io_uring/poll: fix poll_refs race with cancelation
There is an interesting race condition of poll_refs which could result
in a NULL pointer dereference. The crash trace is like:

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 30781 Comm: syz-executor.2 Not tainted 6.0.0-g493ffd6605b2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:io_poll_remove_entry io_uring/poll.c:154 [inline]
RIP: 0010:io_poll_remove_entries+0x171/0x5b4 io_uring/poll.c:190
Code: ...
RSP: 0018:ffff88810dfefba0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc900030c4000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 0000000000000008 R08: ffffffff9764d3dd R09: fffffbfff3836781
R10: fffffbfff3836781 R11: 0000000000000000 R12: 1ffff11003422d60
R13: ffff88801a116b04 R14: ffff88801a116ac0 R15: dffffc0000000000
FS:  00007f9c07497700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffb5c00ea98 CR3: 0000000105680005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 io_apoll_task_func+0x3f/0xa0 io_uring/poll.c:299
 handle_tw_list io_uring/io_uring.c:1037 [inline]
 tctx_task_work+0x37e/0x4f0 io_uring/io_uring.c:1090
 task_work_run+0x13a/0x1b0 kernel/task_work.c:177
 get_signal+0x2402/0x25a0 kernel/signal.c:2635
 arch_do_signal_or_restart+0x3b/0x660 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0xc2/0x160 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x58/0x160 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause for this is a tiny overlooking in
io_poll_check_events() when cocurrently run with poll cancel routine
io_poll_cancel_req().

The interleaving to trigger use-after-free:

CPU0                                       |  CPU1
                                           |
io_apoll_task_func()                       |  io_poll_cancel_req()
 io_poll_check_events()                    |
  // do while first loop                   |
  v = atomic_read(...)                     |
  // v = poll_refs = 1                     |
  ...                                      |  io_poll_mark_cancelled()
                                           |   atomic_or()
                                           |   // poll_refs =
IO_POLL_CANCEL_FLAG | 1
                                           |
  atomic_sub_return(...)                   |
  // poll_refs = IO_POLL_CANCEL_FLAG       |
  // loop continue                         |
                                           |
                                           |  io_poll_execute()
                                           |   io_poll_get_ownership()
                                           |   // poll_refs =
IO_POLL_CANCEL_FLAG | 1
                                           |   // gets the ownership
  v = atomic_read(...)                     |
  // poll_refs not change                  |
                                           |
  if (v & IO_POLL_CANCEL_FLAG)             |
   return -ECANCELED;                      |
  // io_poll_check_events return           |
  // will go into                          |
  // io_req_complete_failed() free req     |
                                           |
                                           |  io_apoll_task_func()
                                           |  // also go into
io_req_complete_failed()

And the interleaving to trigger the kernel WARNING:

CPU0                                       |  CPU1
                                           |
io_apoll_task_func()                       |  io_poll_cancel_req()
 io_poll_check_events()                    |
  // do while first loop                   |
  v = atomic_read(...)                     |
  // v = poll_refs = 1                     |
  ...                                      |  io_poll_mark_cancelled()
                                           |   atomic_or()
                                           |   // poll_refs =
IO_POLL_CANCEL_FLAG | 1
                                           |
  atomic_sub_return(...)                   |
  // poll_refs = IO_POLL_CANCEL_FLAG       |
  // loop continue                         |
                                           |
  v = atomic_read(...)                     |
  // v = IO_POLL_CANCEL_FLAG               |
                                           |  io_poll_execute()
                                           |   io_poll_get_ownership()
                                           |   // poll_refs =
IO_POLL_CANCEL_FLAG | 1
                                           |   // gets the ownership
                                           |
  WARN_ON_ONCE(!(v & IO_POLL_REF_MASK)))   |
  // v & IO_POLL_REF_MASK = 0 WARN         |
                                           |
                                           |  io_apoll_task_func()
                                           |  // also go into
io_req_complete_failed()

By looking up the source code and communicating with Pavel, the
implementation of this atomic poll refs should continue the loop of
io_poll_check_events() just to avoid somewhere else to grab the
ownership. Therefore, this patch simply adds another AND operation to
make sure the loop will stop if it finds the poll_refs is exactly equal
to IO_POLL_CANCEL_FLAG. Since io_poll_cancel_req() grabs ownership and
will finally make its way to io_req_complete_failed(), the req will
be reclaimed as expected.

Fixes: aa43477b04 ("io_uring: poll rework")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
[axboe: tweak description and code style]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-11-25 07:17:33 -07:00
Lin Ma
9d94c04c0d io_uring/filetable: fix file reference underflow
There is an interesting reference bug when -ENOMEM occurs in calling of
io_install_fixed_file(). KASan report like below:

[   14.057131] ==================================================================
[   14.059161] BUG: KASAN: use-after-free in unix_get_socket+0x10/0x90
[   14.060975] Read of size 8 at addr ffff88800b09cf20 by task kworker/u8:2/45
[   14.062684]
[   14.062768] CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted 6.1.0-rc4 #1
[   14.063099] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   14.063666] Workqueue: events_unbound io_ring_exit_work
[   14.063936] Call Trace:
[   14.064065]  <TASK>
[   14.064175]  dump_stack_lvl+0x34/0x48
[   14.064360]  print_report+0x172/0x475
[   14.064547]  ? _raw_spin_lock_irq+0x83/0xe0
[   14.064758]  ? __virt_addr_valid+0xef/0x170
[   14.064975]  ? unix_get_socket+0x10/0x90
[   14.065167]  kasan_report+0xad/0x130
[   14.065353]  ? unix_get_socket+0x10/0x90
[   14.065553]  unix_get_socket+0x10/0x90
[   14.065744]  __io_sqe_files_unregister+0x87/0x1e0
[   14.065989]  ? io_rsrc_refs_drop+0x1c/0xd0
[   14.066199]  io_ring_exit_work+0x388/0x6a5
[   14.066410]  ? io_uring_try_cancel_requests+0x5bf/0x5bf
[   14.066674]  ? try_to_wake_up+0xdb/0x910
[   14.066873]  ? virt_to_head_page+0xbe/0xbe
[   14.067080]  ? __schedule+0x574/0xd20
[   14.067273]  ? read_word_at_a_time+0xe/0x20
[   14.067492]  ? strscpy+0xb5/0x190
[   14.067665]  process_one_work+0x423/0x710
[   14.067879]  worker_thread+0x2a2/0x6f0
[   14.068073]  ? process_one_work+0x710/0x710
[   14.068284]  kthread+0x163/0x1a0
[   14.068454]  ? kthread_complete_and_exit+0x20/0x20
[   14.068697]  ret_from_fork+0x22/0x30
[   14.068886]  </TASK>
[   14.069000]
[   14.069088] Allocated by task 289:
[   14.069269]  kasan_save_stack+0x1e/0x40
[   14.069463]  kasan_set_track+0x21/0x30
[   14.069652]  __kasan_slab_alloc+0x58/0x70
[   14.069899]  kmem_cache_alloc+0xc5/0x200
[   14.070100]  __alloc_file+0x20/0x160
[   14.070283]  alloc_empty_file+0x3b/0xc0
[   14.070479]  path_openat+0xc3/0x1770
[   14.070689]  do_filp_open+0x150/0x270
[   14.070888]  do_sys_openat2+0x113/0x270
[   14.071081]  __x64_sys_openat+0xc8/0x140
[   14.071283]  do_syscall_64+0x3b/0x90
[   14.071466]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   14.071791]
[   14.071874] Freed by task 0:
[   14.072027]  kasan_save_stack+0x1e/0x40
[   14.072224]  kasan_set_track+0x21/0x30
[   14.072415]  kasan_save_free_info+0x2a/0x50
[   14.072627]  __kasan_slab_free+0x106/0x190
[   14.072858]  kmem_cache_free+0x98/0x340
[   14.073075]  rcu_core+0x427/0xe50
[   14.073249]  __do_softirq+0x110/0x3cd
[   14.073440]
[   14.073523] Last potentially related work creation:
[   14.073801]  kasan_save_stack+0x1e/0x40
[   14.074017]  __kasan_record_aux_stack+0x97/0xb0
[   14.074264]  call_rcu+0x41/0x550
[   14.074436]  task_work_run+0xf4/0x170
[   14.074619]  exit_to_user_mode_prepare+0x113/0x120
[   14.074858]  syscall_exit_to_user_mode+0x1d/0x40
[   14.075092]  do_syscall_64+0x48/0x90
[   14.075272]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   14.075529]
[   14.075612] Second to last potentially related work creation:
[   14.075900]  kasan_save_stack+0x1e/0x40
[   14.076098]  __kasan_record_aux_stack+0x97/0xb0
[   14.076325]  task_work_add+0x72/0x1b0
[   14.076512]  fput+0x65/0xc0
[   14.076657]  filp_close+0x8e/0xa0
[   14.076825]  __x64_sys_close+0x15/0x50
[   14.077019]  do_syscall_64+0x3b/0x90
[   14.077199]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   14.077448]
[   14.077530] The buggy address belongs to the object at ffff88800b09cf00
[   14.077530]  which belongs to the cache filp of size 232
[   14.078105] The buggy address is located 32 bytes inside of
[   14.078105]  232-byte region [ffff88800b09cf00, ffff88800b09cfe8)
[   14.078685]
[   14.078771] The buggy address belongs to the physical page:
[   14.079046] page:000000001bd520e7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800b09de00 pfn:0xb09c
[   14.079575] head:000000001bd520e7 order:1 compound_mapcount:0 compound_pincount:0
[   14.079946] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   14.080244] raw: 0100000000010200 0000000000000000 dead000000000001 ffff88800493cc80
[   14.080629] raw: ffff88800b09de00 0000000080190018 00000001ffffffff 0000000000000000
[   14.081016] page dumped because: kasan: bad access detected
[   14.081293]
[   14.081376] Memory state around the buggy address:
[   14.081618]  ffff88800b09ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   14.081974]  ffff88800b09ce80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   14.082336] >ffff88800b09cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.082690]                                ^
[   14.082909]  ffff88800b09cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   14.083266]  ffff88800b09d000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   14.083622] ==================================================================

The actual tracing of this bug is shown below:

commit 8c71fe7502 ("io_uring: ensure fput() called correspondingly
when direct install fails") adds an additional fput() in
io_fixed_fd_install() when io_file_bitmap_get() returns error values. In
that case, the routine will never make it to io_install_fixed_file() due
to an early return.

static int io_fixed_fd_install(...)
{
  if (alloc_slot) {
    ...
    ret = io_file_bitmap_get(ctx);
    if (unlikely(ret < 0)) {
      io_ring_submit_unlock(ctx, issue_flags);
      fput(file);
      return ret;
    }
    ...
  }
  ...
  ret = io_install_fixed_file(req, file, issue_flags, file_slot);
  ...
}

In the above scenario, the reference is okay as io_fixed_fd_install()
ensures the fput() is called when something bad happens, either via
bitmap or via inner io_install_fixed_file().

However, the commit 61c1b44a21 ("io_uring: fix deadlock on iowq file
slot alloc") breaks the balance because it places fput() into the common
path for both io_file_bitmap_get() and io_install_fixed_file(). Since
io_install_fixed_file() handles the fput() itself, the reference
underflow come across then.

There are some extra commits make the current code into
io_fixed_fd_install() -> __io_fixed_fd_install() ->
io_install_fixed_file()

However, the fact that there is an extra fput() is called if
io_install_fixed_file() calls fput(). Traversing through the code, I
find that the existing two callers to __io_fixed_fd_install():
io_fixed_fd_install() and io_msg_send_fd() have fput() when handling
error return, this patch simply removes the fput() in
io_install_fixed_file() to fix the bug.

Fixes: 61c1b44a21 ("io_uring: fix deadlock on iowq file slot alloc")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/be4ba4b.5d44.184a0a406a4.Coremail.linma@zju.edu.cn
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-11-25 06:54:46 -07:00
Pavel Begunkov
a26a35e901 io_uring: make poll refs more robust
poll_refs carry two functions, the first is ownership over the request.
The second is notifying the io_poll_check_events() that there was an
event but wake up couldn't grab the ownership, so io_poll_check_events()
should retry.

We want to make poll_refs more robust against overflows. Instead of
always incrementing it, which covers two purposes with one atomic, check
if poll_refs is elevated enough and if so set a retry flag without
attempts to grab ownership. The gap between the bias check and following
atomics may seem racy, but we don't need it to be strict. Moreover there
might only be maximum 4 parallel updates: by the first and the second
poll entries, __io_arm_poll_handler() and cancellation. From those four,
only poll wake ups may be executed multiple times, but they're protected
by a spin.

Cc: stable@vger.kernel.org
Reported-by: Lin Ma <linma@zju.edu.cn>
Fixes: aa43477b04 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c762bc31f8683b3270f3587691348a7119ef9c9d.1668963050.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-11-25 06:54:46 -07:00
Pavel Begunkov
2f3893437a io_uring: cmpxchg for poll arm refs release
Replace atomically substracting the ownership reference at the end of
arming a poll with a cmpxchg. We try to release ownership by setting 0
assuming that poll_refs didn't change while we were arming. If it did
change, we keep the ownership and use it to queue a tw, which is fully
capable to process all events and (even tolerates spurious wake ups).

It's a bit more elegant as we reduce races b/w setting the cancellation
flag and getting refs with this release, and with that we don't have to
worry about any kinds of underflows. It's not the fastest path for
polling. The performance difference b/w cmpxchg and atomic dec is
usually negligible and it's not the fastest path.

Cc: stable@vger.kernel.org
Fixes: aa43477b04 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/0c95251624397ea6def568ff040cad2d7926fd51.1668963050.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-11-25 06:54:16 -07:00
Damien Le Moal
db58653ce0 zonefs: Fix active zone accounting
If a file zone transitions to the offline or readonly state from an
active state, we must clear the zone active flag and decrement the
active seq file counter. Do so in zonefs_account_active() using the new
zonefs inode flags ZONEFS_ZONE_OFFLINE and ZONEFS_ZONE_READONLY. These
flags are set if necessary in zonefs_check_zone_condition() based on the
result of report zones operation after an IO error.

Fixes: 87c9ce3ffe ("zonefs: Add active seq file accounting")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
2022-11-25 17:01:22 +09:00
Amir Goldstein
10bc8e4af6 vfs: fix copy_file_range() averts filesystem freeze protection
Commit 868f9f2f8e ("vfs: fix copy_file_range() regression in cross-fs
copies") removed fallback to generic_copy_file_range() for cross-fs
cases inside vfs_copy_file_range().

To preserve behavior of nfsd and ksmbd server-side-copy, the fallback to
generic_copy_file_range() was added in nfsd and ksmbd code, but that
call is missing sb_start_write(), fsnotify hooks and more.

Ideally, nfsd and ksmbd would pass a flag to vfs_copy_file_range() that
will take care of the fallback, but that code would be subtle and we got
vfs_copy_file_range() logic wrong too many times already.

Instead, add a flag to explicitly request vfs_copy_file_range() to
perform only generic_copy_file_range() and let nfsd and ksmbd use this
flag only in the fallback path.

This choise keeps the logic changes to minimum in the non-nfsd/ksmbd code
paths to reduce the risk of further regressions.

Fixes: 868f9f2f8e ("vfs: fix copy_file_range() regression in cross-fs copies")
Tested-by: Namjae Jeon <linkinjeon@kernel.org>
Tested-by: Luis Henriques <lhenriques@suse.de>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2022-11-25 00:52:28 -05:00
Dave Airlie
e57702069b Merge tag 'amd-drm-fixes-6.1-2022-11-23' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-6.1-2022-11-23:

amdgpu:
- DCN 3.1.4 fixes
- DP MST DSC deadlock fixes
- HMM userptr fixes
- Fix Aldebaran CU occupancy reporting
- GFX11 fixes
- PSP suspend/resume fix
- DCE12 KASAN fix
- DCN 3.2.x fixes
- Rotated cursor fix
- SMU 13.x fix
- DELL platform suspend/resume fixes
- VCN4 SR-IOV fix
- Display regression fix for polled connectors

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221123143453.8977-1-alexander.deucher@amd.com
2022-11-25 10:55:23 +10:00
Dave Airlie
b65a648865 Merge tag 'drm-intel-fixes-2022-11-24' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
- Fix GVT KVM reference count handling (Sean Christopherson)
- Never purge busy TTM objects (Matthew Auld)
- Fix warn in intel_display_power_*_domain() functions (Imre Deak)

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/Y38u44hb1LZfZC+M@tursulin-desk
2022-11-25 09:42:02 +10:00
Dave Airlie
9e2c5c651a Merge tag 'drm-misc-fixes-2022-11-24' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
drm-misc-fixes for v6.1-rc7:
- Another amdgpu gang submit fix.
- Use dma_fence_unwrap_for_each when importing sync files.
- Fix race in dma_heap_add().
- Fix use of uninitialized memory in logo.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/a5721505-4823-98ef-7d6f-0ea478221391@linux.intel.com
2022-11-25 09:21:11 +10:00