Commit graph

1059914 commits

Author SHA1 Message Date
Adrian Hunter
0c8e32fe48 perf inject: Fix segfault due to close without open
The fixed commit attempts to close inject.output even if it was never
opened e.g.

  $ perf record uname
  Linux
  [ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
  $ perf inject -i perf.data --vm-time-correlation=dry-run
  Segmentation fault (core dumped)
  $ gdb --quiet perf
  Reading symbols from perf...
  (gdb) r inject -i perf.data --vm-time-correlation=dry-run
  Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
  48      iofclose.c: No such file or directory.
  (gdb) bt
  #0  0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
  #1  0x0000557fc7b74f92 in perf_data__close (data=data@entry=0x7ffcdafa6578) at util/data.c:376
  #2  0x0000557fc7a6b807 in cmd_inject (argc=<optimized out>, argv=<optimized out>) at builtin-inject.c:1085
  #3  0x0000557fc7ac4783 in run_builtin (p=0x557fc8074878 <commands+600>, argc=4, argv=0x7ffcdafb6a60) at perf.c:313
  #4  0x0000557fc7a25d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
  #5  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
  #6  main (argc=4, argv=0x7ffcdafb6a60) at perf.c:539
  (gdb)

Fixes: 02e6246f53 ("perf inject: Close inject.output on exit")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Riccardo Mancini <rickyman7@gmail.com>
Cc: stable@vger.kernel.org
Link: http://lore.kernel.org/lkml/20211213084829.114772-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2021-12-18 08:31:14 -03:00
Miaoqian Lin
0a515a06c5 perf expr: Fix missing check for return value of hashmap__new()
The hashmap__new() function may return ERR_PTR(-ENOMEM) when malloc()
fails, add IS_ERR() checking for ctx->ids.

Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20211212062504.25841-1-linmq006@gmail.com
[ s/kfree()/free()/ and add missing linux/err.h include ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2021-12-18 08:31:14 -03:00
Zqiang
8f556a326c locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner()
Optimistic spinning needs to be terminated when the spinning waiter is not
longer the top waiter on the lock, but the condition is negated. It
terminates if the waiter is the top waiter, which is defeating the whole
purpose.

Fixes: c3123c4314 ("locking/rtmutex: Dont dereference waiter lockless")
Signed-off-by: Zqiang <qiang1.zhang@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211217074207.77425-1-qiang1.zhang@intel.com
2021-12-18 10:55:51 +01:00
Linus Torvalds
9eaa88c703 libata fixes for 5.16-rc6
A single fix for this cycle:
 * Check that ATA16 passthrough commands that do not transfer any data
   have a DMA direction set to DMA_NONE (From George).
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSRPv8tYSvhwAzJdzjdoc3SxdoYdgUCYb0jqgAKCRDdoc3SxdoY
 dp0wAP9f94IpD34NWE1xpEup9jX4mKWREy6fkBoGdEVkNrBNsQD/dFymgWy3ajec
 bZQACZ4V2aOnIrrjaGGdP6zjyHfrrwY=
 =ZCMn
 -----END PGP SIGNATURE-----

Merge tag 'libata-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata

Pull libata fix from Damien Le Moal:
 "A single fix for this cycle:

   - Check that ATA16 passthrough commands that do not transfer any data
     have a DMA direction set to DMA_NONE (From George)"

* tag 'libata-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
  libata: if T_LENGTH is zero, dma direction should be DMA_NONE
2021-12-17 17:24:53 -08:00
Linus Torvalds
1887bf5cc4 zonefs fixes for 5.16-rc6
One fix and one trivial update for rc6:
 * Add MODULE_ALIAS_FS to get automatic module loading on mount (from
   Naohiro)
 * Update Damien's email address in the MAINTAINERS file (from me).
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSRPv8tYSvhwAzJdzjdoc3SxdoYdgUCYb0hkgAKCRDdoc3SxdoY
 dlciAP4lGpsiFcO7TdLY2W64EHgIkcstGx1UitsqBTR5iZnp6QD/bAfaHOaTNQDG
 Nr8GznsB3di4WRbFoV7BhBsKFcC4cgA=
 =GWY0
 -----END PGP SIGNATURE-----

Merge tag 'zonefs-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs

Pull zonefs fixes from Damien Le Moal:
 "One fix and one trivial update for rc6:

   - Add MODULE_ALIAS_FS to get automatic module loading on mount
     (Naohiro)

   - Update Damien's email address in the MAINTAINERS file (me)"

* tag 'zonefs-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs:
  MAITAINERS: Change zonefs maintainer email address
  zonefs: add MODULE_ALIAS_FS
2021-12-17 17:19:51 -08:00
Thiago Rafael Becker
a31080899d cifs: sanitize multiple delimiters in prepath
mount.cifs can pass a device with multiple delimiters in it. This will
cause rename(2) to fail with ENOENT.

V2:
  - Make sanitize_path more readable.
  - Fix multiple delimiters between UNC and prepath.
  - Avoid a memory leak if a bad user starts putting a lot of delimiters
    in the path on purpose.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2031200
Fixes: 24e0a1eff9 ("cifs: switch to new mount api")
Cc: stable@vger.kernel.org # 5.11+
Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Thiago Rafael Becker <trbecker@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2021-12-17 19:16:49 -06:00
Shyam Prasad N
b774302e88 cifs: ignore resource_id while getting fscache super cookie
We have a cyclic dependency between fscache super cookie
and root inode cookie. The super cookie relies on
tcon->resource_id, which gets populated from the root inode
number. However, fetching the root inode initializes inode
cookie as a child of super cookie, which is yet to be populated.

resource_id is only used as auxdata to check the validity of
super cookie. We can completely avoid setting resource_id to
remove the circular dependency. Since vol creation time and
vol serial numbers are used for auxdata, we should be fine.
Additionally, there will be auxiliary data check for each
inode cookie as well.

Fixes: 5bf91ef03d ("cifs: wait for tcon resource_id before getting fscache super")
CC: David Howells <dhowells@redhat.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2021-12-17 19:09:06 -06:00
Yu Liao
4e8c11b6b3 timekeeping: Really make sure wall_to_monotonic isn't positive
Even after commit e1d7ba8735 ("time: Always make sure wall_to_monotonic
isn't positive") it is still possible to make wall_to_monotonic positive
by running the following code:

    int main(void)
    {
        struct timespec time;

        clock_gettime(CLOCK_MONOTONIC, &time);
        time.tv_nsec = 0;
        clock_settime(CLOCK_REALTIME, &time);
        return 0;
    }

The reason is that the second parameter of timespec64_compare(), ts_delta,
may be unnormalized because the delta is calculated with an open coded
substraction which causes the comparison of tv_sec to yield the wrong
result:

  wall_to_monotonic = { .tv_sec = -10, .tv_nsec =  900000000 }
  ts_delta 	    = { .tv_sec =  -9, .tv_nsec = -900000000 }

That makes timespec64_compare() claim that wall_to_monotonic < ts_delta,
but actually the result should be wall_to_monotonic > ts_delta.

After normalization, the result of timespec64_compare() is correct because
the tv_sec comparison is not longer misleading:

  wall_to_monotonic = { .tv_sec = -10, .tv_nsec =  900000000 }
  ts_delta 	    = { .tv_sec = -10, .tv_nsec =  100000000 }

Use timespec64_sub() to ensure that ts_delta is normalized, which fixes the
issue.

Fixes: e1d7ba8735 ("time: Always make sure wall_to_monotonic isn't positive")
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211213135727.1656662-1-liaoyu15@huawei.com
2021-12-17 23:06:22 +01:00
Linus Torvalds
5d65f6f3df SCSI fixes on 20211217
One driver fix: the pm8001 has never actually worked on a system with
 an IOMMU and this fixes that use case.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCYb0E6yYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishSNgAPsFHTM+
 5uvAtK7W5pNQHnG3DaBPwED7LuklKmNfxH0c2AEA2BE7ijAda1DOrYC61BKQJtGm
 8W+shJ/O0/mJSYqcCbQ=
 =J2/2
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fix from James Bottomley:
 "One driver fix: the pm8001 has never actually worked on a system with
  an IOMMU and this fixes that use case"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: pm8001: Fix phys_to_virt() usage on dma_addr_t
2021-12-17 13:55:03 -08:00
Linus Torvalds
9609134186 for-5.16-rc5-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAmG8+tEACgkQxWXV+ddt
 WDuuGA/9E75ZMqsMLW5az7z8Rt5voBjPeweyRHmGCLZKpgfaj0QjrJRvu0CTKU/W
 zCSQf+ShTTY2D3cmh1eEwKyX/waKQ71qBrMX/SgIeA0OjmlhK1UGB18MF5sAVGCB
 mymVYJh7IntYJE7S7OiMUL/yILmIWZYrYT+iaPZlIc9M6h0b1gjMIsE0VEmxJMCN
 X8RAQ4CfL9bpTTKItNehSyXx+J7TB5yamh5AspaiB/ivyN1DcUcsFf3AoaWXeh2D
 YIBzq4WbGnDMfUdWXKE2rqDfQgaTXtN9ffGUvphJnegg8Tqfp29LyLZ1GU0qGSXc
 /K8g5QNmM3nhubXq2MG5zfbHPJ1H2CgnvkDqiCcyeop+09yj/ugxTt+ULaIbJL76
 pKSpcuIFXTmoW2Z7ZwijIEX4H5Dgk2l2DbE8SkJT4LjJybgpHfBT1KDQrj5iQdx+
 XgmG/CbRELuGGltJNuldp0SqIyMNRgDuv6Rheg9N9H73m9epwfH5oiM0Fj/FYyQ6
 lfgle6DQCP4xaDmk1zA9zrJHTUqi8Caeyg+tQYT6AbkoeCoXnvEAPgv9OOGe1M+C
 Ks7zeAseWs3A/j/+wCdiCKombOfR+AY3RGkPzlodUJj4YYOTyXrigtb5yhTz6Zdv
 ozVBZ71LUMMOf0NV45mGtqsiLqyfe3cnlqj1XtHQKaajyjgHvW8=
 =G7CE
 -----END PGP SIGNATURE-----

Merge tag 'for-5.16-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "A few more fixes, almost all error handling one-liners and for stable.

   - regression fix in directory logging items

   - regression fix of extent buffer status bits handling after an error

   - fix memory leak in error handling path in tree-log

   - fix freeing invalid anon device number when handling errors during
     subvolume creation

   - fix warning when freeing leaf after subvolume creation failure

   - fix missing blkdev put in device scan error handling

   - fix invalid delayed ref after subvolume creation failure"

* tag 'for-5.16-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: fix missing blkdev_put() call in btrfs_scan_one_device()
  btrfs: fix warning when freeing leaf after subvolume creation failure
  btrfs: fix invalid delayed ref after subvolume creation failure
  btrfs: check WRITE_ERR when trying to read an extent buffer
  btrfs: fix missing last dir item offset update when logging directory
  btrfs: fix double free of anon_dev after failure to create subvolume
  btrfs: fix memory leak in __add_inode_ref()
2021-12-17 13:50:58 -08:00
Linus Torvalds
f1f05ef383 selinux/stable-5.16 PR 20211217
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmG86EcUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXNtWxAAmjRflVuJNyVC23KUTGpKNSl+zFPN
 O526Mizwouv8ZO4PWo6jHr0M+UtcEAc9Tn3XFPznskOEmFWycqHSlaNXL2RiFhwR
 qSfwZEqQwZoKGb7fiD2XcHbY+OPQxixARVMQQHu77kCmY3sfz/Mjz3IAaihaEUnU
 nmZ6qpndyg2vbnOmkKJGH1WWNWEq+zKFrc/w6EeMCdOAZ455qTCMXLz0lsxDF6G5
 mYHnFlYgz4jnmU96BaN2GjWlG0/9Nrv52MAiSJzTnvBRbmhARaxQdAWaD+6vBQP6
 F/KJwwynU6ojfgKGaKBVf7pcRXkRh+c6Y0d5uA9/Xd4noEDYKlD5Vf/yyUytiuYo
 u9sUVBME+Vjk5vqPF3fZneMVx43IN73Bspii2DI/sAwllTCgayUXwB0apN3ZH1GR
 xvjHbnsuSc+WNZBRTEr3FOvM0uax2N4TcjgjIiLbmZTPjpiol0sqARKRW7vY8Ld/
 1/GSHlHvxz7ZT37ICbZreYnldXjpvdp+k4DirNb03Rc71x6+w3xInFI/jCfMXtzS
 8VuA33m1q420DRCFgdY4KxYjl5dAbcFZDpU2FILH3NvduuYGN8Qbh24BbToNBwUZ
 U7Hojk8EAWO7+YpGpEOYZc9hcGH2GemvyPLt2m7AO9T4a81f8IHBBvRTMGi/R/lN
 r1PyoZR3GMkpHko=
 =1nOw
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20211217' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux fix from Paul Moore:
 "Another small SELinux fix for v5.16 to ensure that we don't block on
  memory allocations while holding a spinlock.

  This passes all our tests without problem"

* tag 'selinux-pr-20211217' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix sleeping function called from invalid context
2021-12-17 12:03:14 -08:00
Linus Torvalds
0bb43aec33 RISC-V Fixes for 5.16-rc6
* A handful of DT updates for the SiFive HiFive Unmatched, that fix the
   regulator handling.  These should stop some warning spew.
 * A pair of fixes for both the SiFive Hifive Unleashed and Unmatched,
   that correctly hook up the MMC card detect signal.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEKzw3R0RoQ7JKlDp6LhMZ81+7GIkFAmG81C0THHBhbG1lckBk
 YWJiZWx0LmNvbQAKCRAuExnzX7sYifPXEACTBo8Tp9vz6ikWcLd/TOOP6JSaCYaq
 0Y6aZgQ8kMdUBex9F9o0EwezD28EMgLl4rYNODfwHTp+h4IXMTYrVIvWaGrsbiDU
 HqGT/uxBwyzHZlchppdh8y2nCSoDsWdE8joUWVQEDg1sKzTQNcvOfy9OhY9DBpwN
 ZAGZpjesf6W53NnmmJOqFRY8+lQuEKRqUPZRUor9n5fCZRxlfuYRUHkNQ7Wsq2vH
 +fyfNm+ejhon/TVZ28L265JniINDllMCoz3MXdp4pXLB6MqvbnbibTvwjdOD9TN6
 6wD0NYBJcS2gJzvt2KFN//GSFs1emlYE5kt8z+Y7Mo9KHBozj2Vk2Tw42gPM9p5n
 fbAClH+CRjCGNcGhylDo3GJ2lf0OU7T7Oq0j7FmDmK7Af355lNAe18V4zfD8rTjS
 tfbVzQaUj/ts43KQ0R8hJKC2tZtjjCjy95dwwYchJqXXyPp4MS0IMZooTMobxaqg
 XF213otwb59xvxjhWEMu/XIIGPmFA8FcBCDuwSGxl7WG7UsdrKkY7aRLUAPXJnkA
 kOK7SfeiXD3TE6wY1GTqdFWB2Q0yXBZMJtLEtfISVD8EEQN1DVePugaBANGAjsYd
 lfszduR/zxSrYM2SB+HiFPb++QvYLqDX7bs/ViH2ojEvulpZkQJusdIpQOYUJbyD
 uOoqHwcqCfmrBg==
 =P1aR
 -----END PGP SIGNATURE-----

Merge tag 'riscv-for-linus-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Palmer Dabbelt:

 - A handful of DT updates for the SiFive HiFive Unmatched, that fix the
   regulator handling. These should stop some warning spew.

 - A pair of fixes for both the SiFive Hifive Unleashed and Unmatched,
   that correctly hook up the MMC card detect signal.

* tag 'riscv-for-linus-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: dts: sifive unmatched: Link the tmp451 with its power supply
  riscv: dts: sifive unmatched: Fix regulator for board rev3
  riscv: dts: sifive unmatched: Expose the PMIC sub-functions
  riscv: dts: sifive unmatched: Expose the board ID eeprom
  riscv: dts: sifive unmatched: Name gpio lines
  riscv: dts: unmatched: Add gpio card detect to mmc-spi-slot
  riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot
2021-12-17 11:55:35 -08:00
Linus Torvalds
fa09ca5ebc block-5.16-2021-12-17
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmG8wJ4QHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpp+aD/9C6yo/8I2rbP0iJqIWKaADKoU9WGo4E4Q5
 NFPsEF17IY2mxZGfvpjMMx2fWPbgfvMuXnWPyfHnFv/00Bm3sr79eQ4Y7Ak8pZWQ
 r0YzNz1lbgHn8S+EsqWGxWbDZisptaYN2d0skT81dTE62s2dcZc7WYHBJnCW5JZb
 OTwx68e5QoHrWnoHVnCx8toUszFr0OMiQVRVwbrRtJKVh+2rQODIKz2qs2ajceHo
 IN2Bk35W1xsv6TWGLKCK4zk9k+/Nz5Cqx+FF59bKAIs3kPy3dt10PDjN30jQGR17
 DuGZe08wZ+lCMQGXd1XNcjz3GS9qWlc+mbzVpqUATNMQSGbqwW8JyheiNZwfNClw
 SzWasQD0KipdBiU0hOxBbDko2n4TVFHbnISfBwz0vHEz54HHHtltNd4iBowJuaq4
 VG/zuD2CyWaj7p9Xpymrir1xMonVNTRFRL3mkkU8feTxqTEhy2zIix9CbKdGkU5e
 rEhAAb5i1+/58A8dcCh9X+zULvXjFL6FfbnCGSMrLEq0ymyysc/+w0BPNzq93Jva
 F8qSx2nUGq0250u+Boc+wL9uB7AXWwR8addyWWlwaAZ52nqVhciWus4gh1jn8CAV
 EhO+NFbx/9K1rmPkvbJau1/fgnz4+gJS8iBC0pxlyhvt6rNzMFCJB719jcdr05tG
 JO0131r51g==
 =Huz8
 -----END PGP SIGNATURE-----

Merge tag 'block-5.16-2021-12-17' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:

 - Fix for hammering on the delayed run queue timer (me)

 - bcache regression fix for this merge window (Lin)

 - Fix a divide-by-zero in the blk-iocost code (Tejun)

* tag 'block-5.16-2021-12-17' of git://git.kernel.dk/linux-block:
  bcache: fix NULL pointer reference in cached_dev_detach_finish
  block: reduce kblockd_mod_delayed_work_on() CPU consumption
  iocost: Fix divide-by-zero on donation from low hweight cgroup
2021-12-17 11:46:07 -08:00
Linus Torvalds
cb29eee3b2 io_uring-5.16-2021-12-17
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmG8wLIQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpncuD/wI9UnDapmyWodpXCw+f/GN0ZfuGzKAblkR
 yYJcA3spTIYHHZiR4KCKke1vM+j8PoPBTGwCuDX9EhHFq9EIEAAAFqQwbta85Rcu
 c3iKhb7qWGN2VQwqdmQDZtegdblM5usNsY3fNUA3iaGeQy+7qvYEyk0u5CDSIKCQ
 oR0NQpE/cHYlyoqUbITlCvOwD32QvcuHK2oCBnGW02FYiKq3gddJ3EPxnBkLcTUI
 zeHRCtslZTFrZexapQ/w4rAJ0O6bMR/08TYjtRDxLB4bTpYR34Hx23tvEsZk4jqE
 olpUlJDwV2B+vZ1aAKqCrabbkNQpiws7Y1EMSwM1pqqZYaPhpVeEmcqkpDNsSgY2
 s764iXPKjJnKB6XWUuuShobOjiwwk0rAyNdWKVdvzNVkEnhpNnFVmfllChOiphqM
 jHua88LHpRJpmHSDdfJMO9qT1uffixv1AIfhEoc0hBCddwp9RwqhijelbJDYIjou
 KKE7aip0rzwK90tOTFGP9lD7cUl3aFig3yQNLaJpXybm2Qa+xE//hdUk4lm1i57c
 ciEYtz8S827lCx/CzhpWoTszG11cpT249IMXyxtspoZZh44VTXYC83EeYI2cyG24
 q8zfmgMLNMYn6dc4dP5oAA/d0r7s9AY9GvyblhwmLGpjO5mANqJPZAtl2PpSYWg6
 jVh1NDEyKw==
 =IY1e
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-5.16-2021-12-17' of git://git.kernel.dk/linux-block

Pull io_uring fix from Jens Axboe:
 "Just a single fix, fixing an issue with the worker creation change
  that was merged last week"

* tag 'io_uring-5.16-2021-12-17' of git://git.kernel.dk/linux-block:
  io-wq: drop wqe lock before creating new worker
2021-12-17 11:31:46 -08:00
Linus Torvalds
43d1c6a639 dmaengine fixes for v5.16
Bunch of driver fixes, notably:
  - uninit variable fix for dw-axi-dmac driver
  - return value check dw-edma driver
  - calling wq quiesce inside spinlock and missed completion for idxd driver
  - mod alias fix for st_fdma driver
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+vs47OPLdNbVcHzyfBQHDyUjg0cFAmG8I7IACgkQfBQHDyUj
 g0ezKA//bKmv7YKYIh1ZeyBRY7jLGqdREEQ970JEmvvWALDHAVuC+MCBiKxO9Liv
 CeIVJ9Q8v2mnNb0pY0AQH7NS8sYThTNseqbwzBHDX/izJO/SjL3BdEEGXgSdTWa9
 LkEHi9GEGJwcNzAiLIxY1JM/r0rYf0bG1yzvEXwxxUi/lieFPoek6J/jNI+ivtsa
 xk0CF12fxXbLUOyvgUj3Q2/40E1KnTzE1G7G9XfDJeSzDXglzKe/0kjiMrvQQc90
 0EL8sP+u8ZCk2UhXpCb102o0ubQcKxqm57V+pu1OaLQu9+TxzZUvksC2uvb66BMa
 pHYRDsh0Djtof7xTTKbOW745wJjNZD25AgW5xf+rKdH3OGURxP/6yusZ9LQdn1eH
 A08Rdi/3TzbSnQrrAgpNWH137drd4f4ZI4m1sX90ybd0Sc0fYbum3AVyE4Zqg9YX
 dAz9q6CtgS3E3w7PF7ZhZjG20bEKaJPlvxtQr1MipE39zVBSjzSO/vKO22MHQ6fD
 v02E9n/gs1oC+YTzpap16SiE9cI1NDATHkhbFiU8039/TVJOXFFPsImb7myIrHG7
 7JiPf6WdVaOQ2HZuKdUjhT2i5cFX5g7GUu+INmKwsArmnm8EltlljIT2OMwFgfto
 AkPaEaAwn3wrfwUGWl9z4NMPiNKKlrw263xxH/IUbet6yeYpwQ8=
 =6Sd2
 -----END PGP SIGNATURE-----

Merge tag 'dmaengine-fix-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine

Pull dmaengine fixes from Vinod Koul:
 "A bunch of driver fixes, notably:

   - uninit variable fix for dw-axi-dmac driver

   - return value check dw-edma driver

   - calling wq quiesce inside spinlock and missed completion for idxd
     driver

   - mod alias fix for st_fdma driver"

* tag 'dmaengine-fix-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
  dmaengine: st_fdma: fix MODULE_ALIAS
  dmaengine: idxd: fix missed completion on abort path
  dmaengine: ti: k3-udma: Fix smatch warnings
  dmaengine: idxd: fix calling wq quiesce inside spinlock
  dmaengine: dw-edma: Fix return value check for dma_set_mask_and_coherent()
  dmaengine: dw-axi-dmac: Fix uninitialized variable in axi_chan_block_xfer_start()
2021-12-17 11:25:50 -08:00
Linus Torvalds
4f549bf33e drm fixes for 5.16-rc6
i915:
 - Fix a bound check in the DMC fw load.
 
 ast:
 - NULL ptr deref fix
 
 simpledrm:
 - pixel clock units fix
 
 fb-helper:
 - userspace regression revert
 
 amdgpu:
 - Fix RLC register offset
 - GMC fix
 - Properly cache SMU FW version on Yellow Carp
 - Fix missing callback on DCN3.1
 - Reset DMCUB before HW init
 - Fix for GMC powergating on PCO
 - Fix a possible memory leak in GPU metrics table handling on RN
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmG8IyoACgkQDHTzWXnE
 hr6lsQ/+NZofDFJQUEc5Qk/VTfM7FGBa70IVxG7H8T6wDtkA8eTpiZxw2dgYwTcO
 gAMjI4o4ctmps8BAbs0kYjMu+31G+kK4WXJFtSHhKVNSBfARTBa4WnNJT2lQcKRq
 jYbovRmaNuaIS9nD9NkqO+z14PCSozj4fbCY61j4l67jW+bpRW8UUBsk0zzEoLSJ
 CruVBvgvvzsQYc33WrU/3G+mjCWADZXQGHxLVmMn3oGscarWK87JHAuyEhW1vbzf
 FffZcf85aW7CV+3qqtBxxtXE0DBHMo+IMS5N1XRs7YrgUkMmP3VheCIQ9D4EupqZ
 ezd5FZ9Rs3/Mzdfzftzyzr4CZOR5MzSjT6IHZ2NMo0VpM2rgI4FMyq/lf/Jnjx+K
 KZT6sN/SGNy+ZxOunkmySK7j7k3OtFo6q6vVMu+5bPeMj24/+Yv1JQjfOP+Dnoxx
 3EhaI7i37QJBr9lUAlu+B6ywRX1PAPyYhuaTVb4WMOOvIKjzb7FoeaAAURiSlQqL
 4DXtROtoinYMgAZqlbZMFJ6ZTWpy4Yj8s2HIOUMfSTZaztos17oAAskQ5/o+rhMQ
 /WDsXcSUaEaOTK1Df8B51Ol6LC6U50yhkFEHvUPw5fzqyprd5XD/FajMYG02ID3C
 KNJdMnq5AoyTdUiRsjQLC9G3TrXH2x2qqBcF3eo9PNc8PG/Q5ZM=
 =rNVA
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2021-12-17-1' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Mostly amdgpu fixes this week scattered around the driver, otherwise
  one i915, one ast, one simpledrm. There is a revert in the fb-helper
  for places userspace was using a string that we tried to change.

  i915:
   - Fix a bound check in the DMC fw load.

  ast:
   - NULL ptr deref fix

  simpledrm:
   - pixel clock units fix

  fb-helper:
   - userspace regression revert

  amdgpu:
   - Fix RLC register offset
   - GMC fix
   - Properly cache SMU FW version on Yellow Carp
   - Fix missing callback on DCN3.1
   - Reset DMCUB before HW init
   - Fix for GMC powergating on PCO
   - Fix a possible memory leak in GPU metrics table handling on RN"

* tag 'drm-fixes-2021-12-17-1' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/pm: fix a potential gpu_metrics_table memory leak
  drm/amdgpu: correct the wrong cached state for GMC on PICASSO
  drm/amd/display: Reset DMCUB before HW init
  drm/amd/display: Set exit_optimized_pwr_state for DCN31
  drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC
  drm/amdgpu: don't override default ECO_BITs setting
  drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
  drm/i915/display: Fix an unsigned subtraction which can never be negative.
  drm/ast: potential dereference of null pointer
  drm: simpledrm: fix wrong unit with pixel clock
  Revert "drm/fb-helper: improve DRM fbdev emulation device names"
2021-12-17 11:07:13 -08:00
Greg Kroah-Hartman
c4d936efa4 Revert "usb: early: convert to readl_poll_timeout_atomic()"
This reverts commit 796eed4b23.

This change causes boot lockups when using "arlyprintk=xdbc" because
ktime can not be used at this point in time in the boot process.  Also,
it is not needed for very small delays like this.

Reported-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Cc: Jann Horn <jannh@google.com>
Cc: Chunfeng Yun <chunfeng.yun@mediatek.com>
Fixes: 796eed4b23 ("usb: early: convert to readl_poll_timeout_atomic()")
Link: https://lore.kernel.org/r/c2b5c9bb-1b75-bf56-3754-b5b18812d65e@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-17 16:29:11 +01:00
Greg Kroah-Hartman
a0b24a5662 USB-serial fixes for 5.16-rc6
Here's a fix for a reported problem in the cp210x gpio-registration code
 and some more modem device ids.
 
 All have been in linux-next with no reported issues.
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQHbPq+cpGvN/peuzMLxc3C7H1lCAUCYbxXXwAKCRALxc3C7H1l
 CPNXAP9Hnq8QjObNmWmZw81TRpCZJgglKoOoNtNT8MhC/A/ThwD9E7EXq1LS0pmm
 th7tA25gUtpg4T1w3lW2ILVdl7RDKAc=
 =tHPt
 -----END PGP SIGNATURE-----

Merge tag 'usb-serial-5.16-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB-serial fixes for 5.16-rc6

Here's a fix for a reported problem in the cp210x gpio-registration code
and some more modem device ids.

All have been in linux-next with no reported issues.

* tag 'usb-serial-5.16-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: option: add Telit FN990 compositions
  USB: serial: cp210x: fix CP2105 GPIO registration
2021-12-17 10:37:02 +01:00
Damien Le Moal
bce472f909 MAITAINERS: Change zonefs maintainer email address
Update my email address from damien.lemoal@wdc.com to
damien.lemoal@opensource.wdc.com.

Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
2021-12-17 16:56:49 +09:00
Naohiro Aota
8ffea2599f zonefs: add MODULE_ALIAS_FS
Add MODULE_ALIAS_FS() to load the module automatically when you do "mount
-t zonefs".

Fixes: 8dcc1a9d90 ("fs: New zonefs file system")
Cc: stable <stable@vger.kernel.org> # 5.6+
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Johannes Thumshirn <jth@kernel.org>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
2021-12-17 16:56:35 +09:00
Vincent Pelletier
f6f7fbb89b
riscv: dts: sifive unmatched: Link the tmp451 with its power supply
Fixes the following probe warning:
  lm90 0-004c: Looking up vcc-supply from device tree
  lm90 0-004c: Looking up vcc-supply property in node /soc/i2c@10030000/temperature-sensor@4c failed
  lm90 0-004c: supply vcc not found, using dummy regulator

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2021-12-16 21:27:45 -08:00
Vincent Pelletier
ad931d9b3b
riscv: dts: sifive unmatched: Fix regulator for board rev3
The existing values are rejected by the da9063 regulator driver, as they
are unachievable with the declared chip setup (non-merged vcore and bmem
are unable to provide the declared curent).

Fix voltages to match rev3 schematics, which also matches their boot-up
configuration within the chip's available precision.
Declare bcore1/bcore2 and bmem/bio as merged.
Set ldo09 and ldo10 as always-on as their consumers are not declared but
exist.
Drop ldo current limits as there is no current limit feature for these
regulators in the DA9063. Fixes warnings like:
  DA9063_LDO3: Operation of current configuration missing

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2021-12-16 21:27:36 -08:00
Vincent Pelletier
cd29cc8ad2
riscv: dts: sifive unmatched: Expose the PMIC sub-functions
These sub-functions are available in the chip revision on this board, so
expose them.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2021-12-16 21:27:29 -08:00
Vincent Pelletier
8120393b74
riscv: dts: sifive unmatched: Expose the board ID eeprom
Mark it as read-only as it is factory-programmed with identifying
information, and no executable nor configuration:
- eth MAC address
- board model (PCB version, BoM version)
- board serial number
Accidental modification would cause misidentification which could brick
the board, so marking read-only seem like both a safe and non-constraining
choice.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2021-12-16 21:27:21 -08:00
Vincent Pelletier
ea81b91e4e
riscv: dts: sifive unmatched: Name gpio lines
Follow the pin descriptions given in the version 3 of the board schematics.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2021-12-16 21:27:14 -08:00
Dave Airlie
a2fbfd5171 Merge tag 'amd-drm-fixes-5.16-2021-12-15' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-5.16-2021-12-15:

amdgpu:
- Fix RLC register offset
- GMC fix
- Properly cache SMU FW version on Yellow Carp
- Fix missing callback on DCN3.1
- Reset DMCUB before HW init
- Fix for GMC powergating on PCO
- Fix a possible memory leak in GPU metrics table handling on RN

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211216035239.5787-1-alexander.deucher@amd.com
2021-12-17 15:01:01 +10:00
Dave Airlie
78fed39af1 One null pointer dereference fix for ast, a pixel clock unit fix for
simpledrm and a user-space regression revert for fb-helper
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRcEzekXsqa64kGDp7j7w1vZxhRxQUCYbr2+QAKCRDj7w1vZxhR
 xaI/AQDw8wCws8TXFMiU/5RHkYPVRXN1NSzHt8C/Pf44Yu6ZWwEAiuzP1OpnNyxP
 WmQIC4vJ0NX4s63enEgQJ8gVznYkOwk=
 =fTbn
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2021-12-16-1' of ssh://git.freedesktop.org/git/drm/drm-misc into drm-fixes

One null pointer dereference fix for ast, a pixel clock unit fix for
simpledrm and a user-space regression revert for fb-helper

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20211216082603.pm6yzlckmxvwnqyv@houat
2021-12-17 14:17:19 +10:00
George Kennedy
5da5231bb4 libata: if T_LENGTH is zero, dma direction should be DMA_NONE
Avoid data corruption by rejecting pass-through commands where
T_LENGTH is zero (No data is transferred) and the dma direction
is not DMA_NONE.

Cc: <stable@vger.kernel.org>
Reported-by: syzkaller<syzkaller@googlegroups.com>
Signed-off-by: George Kennedy<george.kennedy@oracle.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
2021-12-17 09:32:13 +09:00
Linus Torvalds
6441998e2e audit/stable-5.16 PR 20211216
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmG7vm8UHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOCYw//Z7N53pFP1Ci1ToZWTgjdwBAV1lM/
 52uG1aEg/TxAVHt/3STNXEmsUc3BaxpYQxBIevjkGYbxe3MRvE9ZJlSQdFpyjXOs
 DrXxCC38TrcJ2wJpOPUidbokMSoyyJSX3dfSOwD566q1RCK1z9O7G544eh1DW651
 ewYLVClOFuoyxiQiBQwSPPjaOV8vTmFWl+omsoZS74CcshPglAngqqZcLRNJ14RV
 6TpnKZ1q4az7GQY1lqad1YmEwmMEgH32qfz/pFUvQ3s8omi3JhC1+IBggW2iE76G
 Ssdw62sqrn3dEoSG5TADc8NxDH+MFLauF2XgRP9ct3eKFG3X3Z605eWEpDFJ1i8S
 1FhOyherjQ1uSc6EOMMKfoyo7thrhoQ92wyCQBt4EkZxW8hULVuhqSX8KDs2p1+l
 0epQmlpCrzAzbPSMHlC5LATga8zzaUbyoVj03AcDAb+I+29v5fNRmzAbJrKZruwM
 dJosdAsJ9tlVE6GqyCIBLeC3PQxJ5Xjw3jpsrutD/aoFYkgKASve+Y927OWIj24r
 KpFqjdLOS3dTKmxEQr97iF5w1IaW80lGykaQAjW2JZVp2CWOCUxQOtqTaUQYzQAp
 H4D2aYzy9RJVHxvK0HYceT+FhrB+yIPKBMOaLz+UjDWopIkYzuJZ3AbaxLGVdGIh
 pEMYpVR3XXm87z0=
 =jWtt
 -----END PGP SIGNATURE-----

Merge tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit fix from Paul Moore:
 "A single patch to fix a problem where the audit queue could grow
  unbounded when the audit daemon is forcibly stopped"

* tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: improve robustness of the audit queue handling
2021-12-16 15:24:46 -08:00
Linus Torvalds
180f3bcfe3 Networking fixes for 5.16-rc6, including fixes from mac80211, wifi, bpf.
Current release - regressions:
 
  - dpaa2-eth: fix buffer overrun when reporting ethtool statistics
 
 Current release - new code bugs:
 
  - bpf: fix incorrect state pruning for <8B spill/fill
 
  - iavf:
      - add missing unlocks in iavf_watchdog_task()
      - do not override the adapter state in the watchdog task (again)
 
  - mlxsw: spectrum_router: consolidate MAC profiles when possible
 
 Previous releases - regressions:
 
  - mac80211, fix:
      - rate control, avoid driver crash for retransmitted frames
      - regression in SSN handling of addba tx
      - a memory leak where sta_info is not freed
      - marking TX-during-stop for TX in in_reconfig, prevent stall
 
  - cfg80211: acquire wiphy mutex on regulatory work
 
  - wifi drivers: fix build regressions and LED config dependency
 
  - virtio_net: fix rx_drops stat for small pkts
 
  - dsa: mv88e6xxx: unforce speed & duplex in mac_link_down()
 
 Previous releases - always broken:
 
  - bpf, fix:
     - kernel address leakage in atomic fetch
     - kernel address leakage in atomic cmpxchg's r0 aux reg
     - signed bounds propagation after mov32
     - extable fixup offset
     - extable address check
 
  - mac80211:
      - fix the size used for building probe request
      - send ADDBA requests using the tid/queue of the aggregation
        session
      - agg-tx: don't schedule_and_wake_txq() under sta->lock,
        avoid deadlocks
      - validate extended element ID is present
 
  - mptcp:
      - never allow the PM to close a listener subflow (null-defer)
      - clear 'kern' flag from fallback sockets, prevent crash
      - fix deadlock in __mptcp_push_pending()
 
  - inet_diag: fix kernel-infoleak for UDP sockets
 
  - xsk: do not sleep in poll() when need_wakeup set
 
  - smc: avoid very long waits in smc_release()
 
  - sch_ets: don't remove idle classes from the round-robin list
 
  - netdevsim:
      - zero-initialize memory for bpf map's value, prevent info leak
      - don't let user space overwrite read only (max) ethtool parms
 
  - ixgbe: set X550 MDIO speed before talking to PHY
 
  - stmmac:
      - fix null-deref in flower deletion w/ VLAN prio Rx steering
      - dwmac-rk: fix oob read in rk_gmac_setup
 
  - ice: time stamping fixes
 
  - systemport: add global locking for descriptor life cycle
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmG7rdUACgkQMUZtbf5S
 IrtRvw//etsgeg2+zxe+fBSbe7ZihcCB4yzWUoRDdNzPrLNLsnWxKT1wYblDcZft
 b1f/SpTy9ycfg+fspn2qET8gzydn4m9xHkjmlQPzmXB9tdIDF6mECFTAXYlar1hQ
 RQIijpfZYyrZeGdgHpsyq72YC4dpNdbZrxmQFVdpMr3cK8P2N0Dn32bBVa//+jb+
 LCv3Uw9C0yNbqhtRIiukkWIE20+/pXtKm0uErDVmvonqFMWPo6mYD0C2PwC20PwR
 Kv5ok6jH+44fCSwDoLChbB+Wes0AtrIQdUvUwXGXaF3MDfZl+24oLkX5xJl3EHWT
 90Mh0k0NhRORgBZ3NItwK7OliohrRHCYxlAXPjg1Dicxl+kxl0wPlva8v64eAA+u
 ZhwXwaQpCrZNdKoxHJw9kQ/CmbggtxcWkVolbZp3TzDjYY1E7qxuwg51YMhGmGT1
 FPjradYGvHKi+thizJiEdiZaMKRc8bpaL0hbpROxFQvfjNwFOwREQhtnXYP3W5Kd
 lK88fWaH86dxqL+ABvbrMnSZKuNlSL8R/CROWpZuF+vyLRXaxhAvYRrL79bgmkKq
 zvImnh1mFovdyKGJhibFMdy92X14z8FzoyX3VQuFcl9EB+2NQXnNZ6abDLJlufZX
 A0jQ5r46Ce/yyaXXmS61PrP7Pf5sxhs/69fqAIDQfSSzpyUKHd4=
 =VIbd
 -----END PGP SIGNATURE-----

Merge tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Networking fixes, including fixes from mac80211, wifi, bpf.

  Relatively large batches of fixes from BPF and the WiFi stack, calm in
  general networking.

  Current release - regressions:

   - dpaa2-eth: fix buffer overrun when reporting ethtool statistics

  Current release - new code bugs:

   - bpf: fix incorrect state pruning for <8B spill/fill

   - iavf:
       - add missing unlocks in iavf_watchdog_task()
       - do not override the adapter state in the watchdog task (again)

   - mlxsw: spectrum_router: consolidate MAC profiles when possible

  Previous releases - regressions:

   - mac80211 fixes:
       - rate control, avoid driver crash for retransmitted frames
       - regression in SSN handling of addba tx
       - a memory leak where sta_info is not freed
       - marking TX-during-stop for TX in in_reconfig, prevent stall

   - cfg80211: acquire wiphy mutex on regulatory work

   - wifi drivers: fix build regressions and LED config dependency

   - virtio_net: fix rx_drops stat for small pkts

   - dsa: mv88e6xxx: unforce speed & duplex in mac_link_down()

  Previous releases - always broken:

   - bpf fixes:
       - kernel address leakage in atomic fetch
       - kernel address leakage in atomic cmpxchg's r0 aux reg
       - signed bounds propagation after mov32
       - extable fixup offset
       - extable address check

   - mac80211:
       - fix the size used for building probe request
       - send ADDBA requests using the tid/queue of the aggregation
         session
       - agg-tx: don't schedule_and_wake_txq() under sta->lock, avoid
         deadlocks
       - validate extended element ID is present

   - mptcp:
       - never allow the PM to close a listener subflow (null-defer)
       - clear 'kern' flag from fallback sockets, prevent crash
       - fix deadlock in __mptcp_push_pending()

   - inet_diag: fix kernel-infoleak for UDP sockets

   - xsk: do not sleep in poll() when need_wakeup set

   - smc: avoid very long waits in smc_release()

   - sch_ets: don't remove idle classes from the round-robin list

   - netdevsim:
       - zero-initialize memory for bpf map's value, prevent info leak
       - don't let user space overwrite read only (max) ethtool parms

   - ixgbe: set X550 MDIO speed before talking to PHY

   - stmmac:
       - fix null-deref in flower deletion w/ VLAN prio Rx steering
       - dwmac-rk: fix oob read in rk_gmac_setup

   - ice: time stamping fixes

   - systemport: add global locking for descriptor life cycle"

* tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (89 commits)
  bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
  selftest/bpf: Add a test that reads various addresses.
  bpf: Fix extable address check.
  bpf: Fix extable fixup offset.
  bpf, selftests: Add test case trying to taint map value pointer
  bpf: Make 32->64 bounds propagation slightly more robust
  bpf: Fix signed bounds propagation after mov32
  sit: do not call ipip6_dev_free() from sit_init_net()
  net: systemport: Add global locking for descriptor lifecycle
  net/smc: Prevent smc_release() from long blocking
  net: Fix double 0x prefix print in SKB dump
  virtio_net: fix rx_drops stat for small pkts
  dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED
  sfc_ef100: potential dereference of null pointer
  net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup
  net: usb: lan78xx: add Allied Telesis AT29M2-AF
  net/packet: rx_owner_map depends on pg_vec
  netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
  dpaa2-eth: fix ethtool statistics
  ixgbe: set X550 MDIO speed before talking to PHY
  ...
2021-12-16 15:02:14 -08:00
Linus Torvalds
93db8300f6 ARM: SoC fixes for v5.16, part 3
There are a number of DT fixes, mostly for mistakes found through
 static checking of the dts files again, as well as a couple of
 minor changes to address incorrect DT settings.
 
 For i.MX, there is yet another series of devitree changes to update
 RGMII delay settings for ethernet, which is an ongoing problem after
 some driver changes.
 
 For SoC specific device drivers, a number of smaller fixes came up:
 
  - i.MX SoC identification was incorrectly registered non-i.MX
    machines when the driver is built-in
 
  - One fix on imx8m-blk-ctrl driver to get i.MX8MM MIPI reset work
    properly
 
  - a few compile fixes for warnings that get in the way of -Werror
 
  - a string overflow in the scpi firmware driver
 
  - a boot failure with FORTIFY_SOURCE on Rockchips machines
 
  - broken error handling in the AMD TEE driver
 
  - a revert for a tegra reset driver commit that broke HDA
 
 Signed-off-by: Arnd Bergmann <arnd@arndb.de>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmG7TYMACgkQmmx57+YA
 GNm47Q//VP+oHAELnCVZ5WGcwz/0uMBgxLfzCxzSOHwKZpbd1W91aJn5OzwW6YWu
 r6AMZdRNBMA6jv9lCx2DsVSCiuFjiSgHfqbPrL8F8xb4plwTs7pZw2b37bXgD0G6
 fJwN0/lIP0tMJBLHzNWB3BveOJOOpqWsggIEtNW9we+jnhHMDCY7YKgTuzSvt3rR
 I1mZZk5ZECILCziVBaY+IPEV4MMcm0z9IHCbckbnBsYPMP6Mf75guQvpdPQZHaJl
 gTivB1/HLaYCbyJV1i/UyVTe06sKqeVNP8Bj3JMSrR755V6PqwkWhJOFKNtHMkhu
 7sY5/Ie4hbpB5sx/0wXCRbOpSPnuEK3mYBKzBkh6ARBFXEDbLmTtCKKNaOLXiOtj
 XEmgqGj3qCkidUDeR/yePpEuVkFeNrtT6G1C64IQWmM8OHYMYoGSC29nViwtNv3O
 XjSRESvZeQVKr9WmGuF6SnvGrPh6Olovw7MedrT8iY7PB7YDTju8PBqh6/bTfTIN
 SchIP/umYEwduuIYdb2arNNPJ4MwmgDdlsxx8A0UEBhIRGXekNrwPTG9YpdJve5P
 Tiu+m3ubdQ6bkFHyx14jZtqC37vazlZjiCY3kiB0VqMFvYZ1e+JG9zwjofAqU7rG
 18I5Vq8AtPcpBcyFItW5oqcDiv0GYggxkjRihJzt13gB0L+iTsE=
 =04HK
 -----END PGP SIGNATURE-----

Merge tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Arnd Bergmann:
 "There are a number of DT fixes, mostly for mistakes found through
  static checking of the dts files again, as well as a couple of minor
  changes to address incorrect DT settings.

  For i.MX, there is yet another series of devitree changes to update
  RGMII delay settings for ethernet, which is an ongoing problem after
  some driver changes.

  For SoC specific device drivers, a number of smaller fixes came up:

   - i.MX SoC identification was incorrectly registered non-i.MX
     machines when the driver is built-in

   - One fix on imx8m-blk-ctrl driver to get i.MX8MM MIPI reset work
     properly

   - a few compile fixes for warnings that get in the way of -Werror

   - a string overflow in the scpi firmware driver

   - a boot failure with FORTIFY_SOURCE on Rockchips machines

   - broken error handling in the AMD TEE driver

   - a revert for a tegra reset driver commit that broke HDA"

* tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (25 commits)
  soc/tegra: fuse: Fix bitwise vs. logical OR warning
  firmware: arm_scpi: Fix string overflow in SCPI genpd driver
  soc: imx: Register SoC device only on i.MX boards
  soc: imx: imx8m-blk-ctrl: Fix imx8mm mipi reset
  ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
  arm64: dts: imx8mq: remove interconnect property from lcdif
  ARM: socfpga: dts: fix qspi node compatible
  arm64: dts: apple: add #interrupt-cells property to pinctrl nodes
  dt-bindings: i2c: apple,i2c: allow multiple compatibles
  arm64: meson: remove COMMON_CLK
  arm64: meson: fix dts for JetHub D1
  tee: amdtee: fix an IS_ERR() vs NULL bug
  arm64: dts: apple: change ethernet0 device type to ethernet
  arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys
  arm64: dts: rockchip: fix poweroff on helios64
  arm64: dts: rockchip: fix audio-supply for Rock Pi 4
  arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
  arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
  arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
  ARM: rockchip: Use memcpy_toio instead of memcpy on smp bring-up
  ...
2021-12-16 14:48:57 -08:00
Scott Mayhew
cc274ae776 selinux: fix sleeping function called from invalid context
selinux_sb_mnt_opts_compat() is called via sget_fc() under the sb_lock
spinlock, so it can't use GFP_KERNEL allocations:

[  868.565200] BUG: sleeping function called from invalid context at
               include/linux/sched/mm.h:230
[  868.568246] in_atomic(): 1, irqs_disabled(): 0,
               non_block: 0, pid: 4914, name: mount.nfs
[  868.569626] preempt_count: 1, expected: 0
[  868.570215] RCU nest depth: 0, expected: 0
[  868.570809] Preemption disabled at:
[  868.570810] [<0000000000000000>] 0x0
[  868.571848] CPU: 1 PID: 4914 Comm: mount.nfs Kdump: loaded
               Tainted: G        W         5.16.0-rc5.2585cf9dfa #1
[  868.573273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
               BIOS 1.14.0-4.fc34 04/01/2014
[  868.574478] Call Trace:
[  868.574844]  <TASK>
[  868.575156]  dump_stack_lvl+0x34/0x44
[  868.575692]  __might_resched.cold+0xd6/0x10f
[  868.576308]  slab_pre_alloc_hook.constprop.0+0x89/0xf0
[  868.577046]  __kmalloc_track_caller+0x72/0x420
[  868.577684]  ? security_context_to_sid_core+0x48/0x2b0
[  868.578569]  kmemdup_nul+0x22/0x50
[  868.579108]  security_context_to_sid_core+0x48/0x2b0
[  868.579854]  ? _nfs4_proc_pathconf+0xff/0x110 [nfsv4]
[  868.580742]  ? nfs_reconfigure+0x80/0x80 [nfs]
[  868.581355]  security_context_str_to_sid+0x36/0x40
[  868.581960]  selinux_sb_mnt_opts_compat+0xb5/0x1e0
[  868.582550]  ? nfs_reconfigure+0x80/0x80 [nfs]
[  868.583098]  security_sb_mnt_opts_compat+0x2a/0x40
[  868.583676]  nfs_compare_super+0x113/0x220 [nfs]
[  868.584249]  ? nfs_try_mount_request+0x210/0x210 [nfs]
[  868.584879]  sget_fc+0xb5/0x2f0
[  868.585267]  nfs_get_tree_common+0x91/0x4a0 [nfs]
[  868.585834]  vfs_get_tree+0x25/0xb0
[  868.586241]  fc_mount+0xe/0x30
[  868.586605]  do_nfs4_mount+0x130/0x380 [nfsv4]
[  868.587160]  nfs4_try_get_tree+0x47/0xb0 [nfsv4]
[  868.587724]  vfs_get_tree+0x25/0xb0
[  868.588193]  do_new_mount+0x176/0x310
[  868.588782]  __x64_sys_mount+0x103/0x140
[  868.589388]  do_syscall_64+0x3b/0x90
[  868.589935]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  868.590699] RIP: 0033:0x7f2b371c6c4e
[  868.591239] Code: 48 8b 0d dd 71 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
                     0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00
                     00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d aa 71
                     0e 00 f7 d8 64 89 01 48
[  868.593810] RSP: 002b:00007ffc83775d88 EFLAGS: 00000246
               ORIG_RAX: 00000000000000a5
[  868.594691] RAX: ffffffffffffffda RBX: 00007ffc83775f10 RCX: 00007f2b371c6c4e
[  868.595504] RDX: 0000555d517247a0 RSI: 0000555d51724700 RDI: 0000555d51724540
[  868.596317] RBP: 00007ffc83775f10 R08: 0000555d51726890 R09: 0000555d51726890
[  868.597162] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555d51726890
[  868.598005] R13: 0000000000000003 R14: 0000555d517246e0 R15: 0000555d511ac925
[  868.598826]  </TASK>

Cc: stable@vger.kernel.org
Fixes: 69c4a42d72 ("lsm,selinux: add new hook to compare new mount to an existing mount")
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
[PM: cleanup/line-wrap the backtrace]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2021-12-16 17:47:39 -05:00
Jakub Kicinski
0c3e247460 Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:

====================
pull-request: bpf 2021-12-16

We've added 15 non-merge commits during the last 7 day(s) which contain
a total of 12 files changed, 434 insertions(+), 30 deletions(-).

The main changes are:

1) Fix incorrect verifier state pruning behavior for <8B register spill/fill,
   from Paul Chaignon.

2) Fix x86-64 JIT's extable handling for fentry/fexit when return pointer
   is an ERR_PTR(), from Alexei Starovoitov.

3) Fix 3 different possibilities that BPF verifier missed where unprivileged
   could leak kernel addresses, from Daniel Borkmann.

4) Fix xsk's poll behavior under need_wakeup flag, from Magnus Karlsson.

5) Fix an oob-write in test_verifier due to a missed MAX_NR_MAPS bump,
   from Kumar Kartikeya Dwivedi.

6) Fix a race in test_btf_skc_cls_ingress selftest, from Martin KaFai Lau.

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
  selftest/bpf: Add a test that reads various addresses.
  bpf: Fix extable address check.
  bpf: Fix extable fixup offset.
  bpf, selftests: Add test case trying to taint map value pointer
  bpf: Make 32->64 bounds propagation slightly more robust
  bpf: Fix signed bounds propagation after mov32
  bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer
  bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
  bpf, selftests: Add test case for atomic fetch on spilled pointer
  bpf: Fix kernel address leakage in atomic fetch
  selftests/bpf: Fix OOB write in test_verifier
  xsk: Do not sleep in poll() when need_wakeup set
  selftests/bpf: Tests for state pruning with u32 spill/fill
  bpf: Fix incorrect state pruning for <8B spill/fill
====================

Link: https://lore.kernel.org/r/20211216210005.13815-1-daniel@iogearbox.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-16 13:06:49 -08:00
Martin KaFai Lau
c2fcbf81c3 bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
The libbpf CI reported occasional failure in btf_skc_cls_ingress:

  test_syncookie:FAIL:Unexpected syncookie states gen_cookie:80326634 recv_cookie:0
  bpf prog error at line 97

"error at line 97" means the bpf prog cannot find the listening socket
when the final ack is received.  It then skipped processing
the syncookie in the final ack which then led to "recv_cookie:0".

The problem is the userspace program did not do accept() and went
ahead to close(listen_fd) before the kernel (and the bpf prog) had
a chance to process the final ack.

The fix is to add accept() call so that the userspace will wait for
the kernel to finish processing the final ack first before close()-ing
everything.

Fixes: 9a856cae22 ("bpf: selftest: Add test_btf_skc_cls_ingress")
Reported-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211216191630.466151-1-kafai@fb.com
2021-12-16 21:41:18 +01:00
Alexei Starovoitov
7edc3fcbf9 selftest/bpf: Add a test that reads various addresses.
Add a function to bpf_testmod that returns invalid kernel and user addresses.
Then attach an fexit program to that function that tries to read
memory through these addresses.

This logic checks that bpf_probe_read_kernel and BPF_PROBE_MEM logic is sane.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2021-12-16 21:41:13 +01:00
Alexei Starovoitov
588a25e924 bpf: Fix extable address check.
The verifier checks that PTR_TO_BTF_ID pointer is either valid or NULL,
but it cannot distinguish IS_ERR pointer from valid one.

When offset is added to IS_ERR pointer it may become small positive
value which is a user address that is not handled by extable logic
and has to be checked for at the runtime.

Tighten BPF_PROBE_MEM pointer check code to prevent this case.

Fixes: 4c5de12759 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
Reported-by: Lorenzo Fontana <lorenzo.fontana@elastic.co>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2021-12-16 21:41:04 +01:00
Alexei Starovoitov
433956e912 bpf: Fix extable fixup offset.
The prog - start_of_ldx is the offset before the faulting ldx to the location
after it, so this will be used to adjust pt_regs->ip for jumping over it and
continuing, and with old temp it would have been fixed up to the wrong offset,
causing crash.

Fixes: 4c5de12759 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2021-12-16 21:18:26 +01:00
Linus Torvalds
a52a8e9eaf A single fix for the clk framework that needed some more bake time in
linux-next. The problem is that two clks being registered at the same
 time can lead to a busted clk tree if the parent isn't fully registered
 by the time the child finds the parent. We rejigger the place where we
 mark the parent as fully registered so that the child can't find the
 parent until things are proper.
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAmG7kWERHHNib3lkQGtl
 cm5lbC5vcmcACgkQrQKIl8bklSVx+w//fOqrqTa7GmF8sJ8NCupsguITAOjwfZYr
 5Gifw9yRwTOUGpgPX2mrvFrOLhQTdnQ+WzPzve0WNa1IE/KmuxDrt2FaAhRZ6VKy
 w2Ix0xm2oJhECnvVFTUZSrRNSCKQbB1IBph0Zj8hJaFc02ZPftC1alTmSAW2hcAr
 dvx7PB+hhVIsmgJp//7CfXAR0rJI6cEiIpr5sOyoTNTV1Rp0KK0ZqgLuyq1ibUj8
 JEyi1OZsKN/+sXV4xaTGK8ECLwhx16KCKWYQYaUZfd7yL79hbRz3vwCFcEOAK6tg
 HG6MW1ZxaY4GT0dH06XVjBu2JmIeqbmFeXf4UWeIilctKflANikKZlWdkoJrOO2e
 t7aYIVxu1SOkv6WmskugrV5ZM4CmIjs7qGx5q73Iu0bUeXjY0bI3NazfBlVJmV9K
 fTIEex3zFfnjDWCkoloVnCHDjBTUjOJ6CKPWpTH7qlJlT8z3iv4rJWnmZzpIS5Kg
 4tP2xa+mMkmsluhhjGjQk4ofgaK53iQbik+cApdkmZSga/nJTo56cWnaKgUyONAR
 AcWi9QWwVwg0NeeSd8ZyUu+lGb4l+fv91DINeVv+04JmaCKggSdE64v+zrt2hE1n
 zZAHifaGfrebZe9w6Ugr0Ex/81E6Ev7ud8HGPw6MMZyoSScDESwXPHja/zJtnNns
 sClDnXFlJ3g=
 =UA+0
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fix from Stephen Boyd:
 "A single fix for the clk framework that needed some more bake time in
  linux-next.

  The problem is that two clks being registered at the same time can
  lead to a busted clk tree if the parent isn't fully registered by the
  time the child finds the parent. We rejigger the place where we mark
  the parent as fully registered so that the child can't find the parent
  until things are proper"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: Don't parent clks until the parent is fully registered
2021-12-16 11:48:59 -08:00
Daniel Borkmann
b1a7288ded bpf, selftests: Add test case trying to taint map value pointer
Add a test case which tries to taint map value pointer arithmetic into a
unknown scalar with subsequent export through the map.

Before fix:

  # ./test_verifier 1186
  #1186/u map access: trying to leak tained dst reg FAIL
  Unexpected success to load!
  verification time 24 usec
  stack depth 8
  processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
  #1186/p map access: trying to leak tained dst reg FAIL
  Unexpected success to load!
  verification time 8 usec
  stack depth 8
  processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
  Summary: 0 PASSED, 0 SKIPPED, 2 FAILED

After fix:

  # ./test_verifier 1186
  #1186/u map access: trying to leak tained dst reg OK
  #1186/p map access: trying to leak tained dst reg OK
  Summary: 2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:46:06 +01:00
Daniel Borkmann
e572ff80f0 bpf: Make 32->64 bounds propagation slightly more robust
Make the bounds propagation in __reg_assign_32_into_64() slightly more
robust and readable by aligning it similarly as we did back in the
__reg_combine_64_into_32() counterpart. Meaning, only propagate or
pessimize them as a smin/smax pair.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:45:56 +01:00
Daniel Borkmann
3cf2b61eb0 bpf: Fix signed bounds propagation after mov32
For the case where both s32_{min,max}_value bounds are positive, the
__reg_assign_32_into_64() directly propagates them to their 64 bit
counterparts, otherwise it pessimises them into [0,u32_max] universe and
tries to refine them later on by learning through the tnum as per comment
in mentioned function. However, that does not always happen, for example,
in mov32 operation we call zext_32_to_64(dst_reg) which invokes the
__reg_assign_32_into_64() as is without subsequent bounds update as
elsewhere thus no refinement based on tnum takes place.

Thus, not calling into the __update_reg_bounds() / __reg_deduce_bounds() /
__reg_bound_offset() triplet as we do, for example, in case of ALU ops via
adjust_scalar_min_max_vals(), will lead to more pessimistic bounds when
dumping the full register state:

Before fix:

  0: (b4) w0 = -1
  1: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

  1: (bc) w0 = w0
  2: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=0,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

Technically, the smin_value=0 and smax_value=4294967295 bounds are not
incorrect, but given the register is still a constant, they break assumptions
about const scalars that smin_value == smax_value and umin_value == umax_value.

After fix:

  0: (b4) w0 = -1
  1: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

  1: (bc) w0 = w0
  2: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

Without the smin_value == smax_value and umin_value == umax_value invariant
being intact for const scalars, it is possible to leak out kernel pointers
from unprivileged user space if the latter is enabled. For example, when such
registers are involved in pointer arithmtics, then adjust_ptr_min_max_vals()
will taint the destination register into an unknown scalar, and the latter
can be exported and stored e.g. into a BPF map value.

Fixes: 3f50f132d8 ("bpf: Verifier, do explicit ALU32 bounds tracking")
Reported-by: Kuee K1r0a <liulin063@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:45:46 +01:00
Linus Torvalds
fa36bbe6d4 Fix missing error code on kexec failure path.
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE5RElWfyWxS+3PLO2a9axLQDIXvEFAmG7e6kACgkQa9axLQDI
 XvFceRAAmASJyWDKrl5xTO7U7hzTyIQrV8p4Nrof6E3J+00JDUwoVHQZLSeL17t2
 hB17U8jAIQNLUf42XKH0+JFLCgG/B9Sas3Dgy9HQ29Fm1RhPKOr538ZAiQ8OEKQs
 C4sDC6EvkzI7WXzZm4ZDcdf9CcXNF3g6/Bq89cxtY+Qh3ZfGuQtF/jlNbzKS6aCH
 OO4aeSV9KioznBJ/YvSd1pqbQfHB1g+pOzaFpGIW6O0oJXhUV+kysbrzf1wQmzIK
 s1amQY5x+I/UfUF3liriIoxl843Vo/sYE5KHfBQ+Z8NBmOqLPJKbSDra1DzqDub8
 BJXNjw4R1dY9WSDT1g7ei5a5Qat6m6IMu+zr+4pTC9ehluL240EbLW7e7QUtwGIr
 a5lyFHJ+YaH5qyDIUNezAFOk0FoPDIiz3PrC4se2Bbb44q24pdBRJWhM82Ity9zG
 WySfVsopVcGFv1ebSeJTliiWtI4Vm9xb/MyRrvbPBS6DH22DzIm17bw9KYh1fm5A
 Zi04Giu6geKoyidewYa52ydyHn6EQhr6gODtsbECkRASnQsmyz+gtCkVDnxqdAfX
 IKA13ocJy6kUQ0WijXwgOkpsGZnusao33I5vkb5dTCmxRt7ZSs4a2plfFXUDy1V+
 k7J7DOBEz9QDiDvgXabNlRvlMgOJ3t+FZRLtegSrgXHLMzQqXL4=
 =ZN7K
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fix from Catalin Marinas:
 "Fix missing error code on kexec failure path"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: kexec: Fix missing error code 'ret' warning in load_other_segments()
2021-12-16 10:44:20 -08:00
Linus Torvalds
81eebd5405 - Fix use after free in DM btree remove's rebalance_children().
- Fix DM integrity data corruption, introduced during 5.16 merge, due
   to improper use of bvec_kmap_local().
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEJfWUX4UqZ4x1O2wixSPxCi2dA1oFAmG7cKcACgkQxSPxCi2d
 A1qgxggAn4k9cGzxLTT+xgkufQKwsc+WvegR7Amwb/jzKh5XE9KaXDnMkcyz/4GX
 nHCfynHRgWjPU6V3cESRz/MApG/7sQ6UGtLgIXkZGbeSHIE4aRYf3AECUhpD/uB+
 XPX4kTFz0ZvIHYpk4HielOHVA31DQl+GkYXddDXCijXYmG80rpUgUg2fm0+O+TtQ
 eCQjbQV173KSbi4vlzeDyK9cp2rIGvk/UfmY9cIw1b3Gd5vpCVStW9r+P8MEpSNA
 ar5exvN9c3AR/VIVfBS/9rw0T+l56M8L0efPrSXEV9/pdiXHFzEx+sGEnDUE5F3o
 g9K2VwkLtuk3kubiSV/kjNBIB4cZyA==
 =razj
 -----END PGP SIGNATURE-----

Merge tag 'for-5.16/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix use after free in DM btree remove's rebalance_children()

 - Fix DM integrity data corruption, introduced during 5.16 merge, due
   to improper use of bvec_kmap_local()

* tag 'for-5.16/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm integrity: fix data corruption due to improper use of bvec_kmap_local
  dm btree remove: fix use after free in rebalance_children()
2021-12-16 10:05:49 -08:00
Lakshmi Ramasubramanian
9c5d89bc10 arm64: kexec: Fix missing error code 'ret' warning in load_other_segments()
Since commit ac10be5cdb ("arm64: Use common
of_kexec_alloc_and_setup_fdt()"), smatch reports the following warning:

  arch/arm64/kernel/machine_kexec_file.c:152 load_other_segments()
  warn: missing error code 'ret'

Return code is not set to an error code in load_other_segments() when
of_kexec_alloc_and_setup_fdt() call returns a NULL dtb. This results
in status success (return code set to 0) being returned from
load_other_segments().

Set return code to -EINVAL if of_kexec_alloc_and_setup_fdt() returns
NULL dtb.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: ac10be5cdb ("arm64: Use common of_kexec_alloc_and_setup_fdt()")
Link: https://lore.kernel.org/r/20211210010121.101823-1-nramas@linux.microsoft.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2021-12-16 17:44:58 +00:00
David Howells
1744a22ae9 afs: Fix mmap
Fix afs_add_open_map() to check that the vnode isn't already on the list
when it adds it.  It's possible that afs_drop_open_mmap() decremented
the cb_nr_mmap counter, but hadn't yet got into the locked section to
remove it.

Also vnode->cb_mmap_link should be initialised, so fix that too.

Fixes: 6e0e99d58a ("afs: Fix mmap coherency vs 3rd-party changes")
Reported-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
Suggested-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/686465.1639435380@warthog.procyon.org.uk/ # v1
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-12-16 09:10:13 -08:00
Eric Dumazet
e28587cc49 sit: do not call ipip6_dev_free() from sit_init_net()
ipip6_dev_free is sit dev->priv_destructor, already called
by register_netdevice() if something goes wrong.

Alternative would be to make ipip6_dev_free() robust against
multiple invocations, but other drivers do not implement this
strategy.

syzbot reported:

dst_release underflow
WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173
Modules linked in:
CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173
Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48
RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246
RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000
RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c
R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358
R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000
FS:  00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160
 ipip6_dev_free net/ipv6/sit.c:1414 [inline]
 sit_init_net+0x229/0x550 net/ipv6/sit.c:1936
 ops_init+0x313/0x430 net/core/net_namespace.c:140
 setup_net+0x35b/0x9d0 net/core/net_namespace.c:326
 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470
 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226
 ksys_unshare+0x57d/0xb50 kernel/fork.c:3075
 __do_sys_unshare kernel/fork.c:3146 [inline]
 __se_sys_unshare kernel/fork.c:3144 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f66c882ce99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200
RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000
 </TASK>

Fixes: cf124db566 ("net: Fix inconsistent teardown and release of private netdev state.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20211216111741.1387540-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-16 08:38:10 -08:00
Florian Fainelli
8b8e6e7824 net: systemport: Add global locking for descriptor lifecycle
The descriptor list is a shared resource across all of the transmit queues, and
the locking mechanism used today only protects concurrency across a given
transmit queue between the transmit and reclaiming. This creates an opportunity
for the SYSTEMPORT hardware to work on corrupted descriptors if we have
multiple producers at once which is the case when using multiple transmit
queues.

This was particularly noticeable when using multiple flows/transmit queues and
it showed up in interesting ways in that UDP packets would get a correct UDP
header checksum being calculated over an incorrect packet length. Similarly TCP
packets would get an equally correct checksum computed by the hardware over an
incorrect packet length.

The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
when the driver produces a new descriptor anytime it writes to the
WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
re-organize its descriptors and it is possible that concurrent TX queues
eventually break this internal allocation scheme to the point where the
length/status part of the descriptor gets used for an incorrect data buffer.

The fix is to impose a global serialization for all TX queues in the short
section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
the corruption even with multiple concurrent TX queues being used.

Fixes: 80105befdb ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-16 08:15:31 -08:00
D. Wythe
5c15b3123f net/smc: Prevent smc_release() from long blocking
In nginx/wrk benchmark, there's a hung problem with high probability
on case likes that: (client will last several minutes to exit)

server: smc_run nginx

client: smc_run wrk -c 10000 -t 1 http://server

Client hangs with the following backtrace:

0 [ffffa7ce8Of3bbf8] __schedule at ffffffff9f9eOd5f
1 [ffffa7ce8Of3bc88] schedule at ffffffff9f9eløe6
2 [ffffa7ce8Of3bcaO] schedule_timeout at ffffffff9f9e3f3c
3 [ffffa7ce8Of3bd2O] wait_for_common at ffffffff9f9el9de
4 [ffffa7ce8Of3bd8O] __flush_work at ffffffff9fOfeOl3
5 [ffffa7ce8øf3bdfO] smc_release at ffffffffcO697d24 [smc]
6 [ffffa7ce8Of3be2O] __sock_release at ffffffff9f8O2e2d
7 [ffffa7ce8Of3be4ø] sock_close at ffffffff9f8ø2ebl
8 [ffffa7ce8øf3be48] __fput at ffffffff9f334f93
9 [ffffa7ce8Of3be78] task_work_run at ffffffff9flOlff5
10 [ffffa7ce8Of3beaO] do_exit at ffffffff9fOe5Ol2
11 [ffffa7ce8Of3bflO] do_group_exit at ffffffff9fOe592a
12 [ffffa7ce8Of3bf38] __x64_sys_exit_group at ffffffff9fOe5994
13 [ffffa7ce8Of3bf4O] do_syscall_64 at ffffffff9f9d4373
14 [ffffa7ce8Of3bfsO] entry_SYSCALL_64_after_hwframe at ffffffff9fa0007c

This issue dues to flush_work(), which is used to wait for
smc_connect_work() to finish in smc_release(). Once lots of
smc_connect_work() was pending or all executing work dangling,
smc_release() has to block until one worker comes to free, which
is equivalent to wait another smc_connnect_work() to finish.

In order to fix this, There are two changes:

1. For those idle smc_connect_work(), cancel it from the workqueue; for
   executing smc_connect_work(), waiting for it to finish. For that
   purpose, replace flush_work() with cancel_work_sync().

2. Since smc_connect() hold a reference for passive closing, if
   smc_connect_work() has been cancelled, release the reference.

Fixes: 24ac3a08e6 ("net/smc: rebuild nonblocking connect")
Reported-by: Tony Lu <tonylu@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
Acked-by: Karsten Graul <kgraul@linux.ibm.com>
Link: https://lore.kernel.org/r/1639571361-101128-1-git-send-email-alibuda@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-16 08:11:05 -08:00
Arnd Bergmann
4bc73b7d48 soc/tegra: Fixes for v5.16-rc6
This contains a single build fix without which ARM allmodconfig builds
 are broken if -Werror is enabled.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEiOrDCAFJzPfAjcif3SOs138+s6EFAmG6FjoTHHRyZWRpbmdA
 bnZpZGlhLmNvbQAKCRDdI6zXfz6zoZm3D/4+KE1PLGuttpYScsRPfir5MYzf3MTG
 Xl3ihkHWKGcoCpBE0vHGqYZXkQGorahsi3CckZy84yvqKFo15HjYxDS8Tn5liTEc
 YmaEvHt5wlmv9VfhCssEFLM6vSE/5n4p0f+y+pzg0HLK+1E1iMGE+gCGDUPrUY4x
 L+WIVaosCXwYZgqt/+tYKE4wUyul1aZBUDsuuTg70uxPKtHGomI/U+Q8mAs4jW+S
 kAVkSrJijaXsMpUX0s6GMaKcu8yNUabcOYUE62w5jm38F2QIdGrM+00soBIEMh68
 4dRH1qEX5G77nh1BFwE9xQ0FOAWErdE8kiYfUp11GWT00fKlIe+vA5ikNcAby6sU
 1p+Y59ocLCzGxSJzyigcXr2xLKh50NR17qTh87oGCI4yyEDGxzuzt4sCMIW0AbMW
 hChBv2njnsPK8eqnmD97J8S3uYSazkewkiplhvP9jA6qSIQcqdKRbeOPAAnQCQ/3
 Lle0UpEAbH9oKEUU6eHroHs4bxYyxuK1xBLLZu7x7mPuTeHPtVsdeDMOxbPRQRe5
 edDRSkKsM3sguAhAqMjgE1aHH9xwm1vpSsECqnXvfwNCjiup1ulKHG1AYYZEcqcb
 h2Njv6CBv4gyS+g9AoGVcUZsu7XJf9xfka2A8FEiY/2UhUnSJcYxE1RkiKrya6uT
 B7rZ5J1sgzhqtg==
 =bWVy
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmG7RvIACgkQmmx57+YA
 GNmhNBAAtueP175g6Wwp/UQLOXaw9CoP6GfD/TkfSTGaYPomE/RAQILpblDuQabS
 7UZZe7Zz1g1CfZd5ABvFuxtppNB+W4yzNW7kWhNbr6FSm+rXxvSnGicPLo5cU6zx
 OmnK4LEp6OdXOdPoQR26ogQTsfIEcQun/1FrFJYgW0mhMhPYfi1MfnKZWDUEIArH
 eZ5XbE4429C/neeEi3OTS3PK5FIj2wUTkceBTNreZe/nhQILVCTPFSwrK4V8FMsK
 bq6OJzkbCVQlSXiHJsF7TrF+CezOR0Mu0gsK3Iygcqw8FgWdrtVqotnr04+LXyzD
 nOo3WWtHNx88hGLt3/LEQ40hQuAKQ0/bFcHj+RGcurQbm03LLjcGoMwGA0WYu4GF
 novIV6xHwCS3MWS1nvcaEh76t8qzcGnlboKVdpOa5wWbWPlGtJ3pM/fbLVGFOi/f
 M6zat3f+FCfY9SBIGOpw4xni/a7vEmzRKJ4C1eFbtndT2pphBxr5iHSQF5ozVfjZ
 Z8MxDeUxEjQYmbTPjDHvLqp4eXsNhbXtZ9LVYST1Vg2sP/VnT1CbGL7KiPu20E3w
 oHxbTBaEuH44axK8sSBvBMvmb4uJgpa/uI+LrIddIIigej8ZE0s1fN8wn/sT7c4y
 ufkR/l7Ik6snylHvUW3OWSsKZmvGzqvlhOOL8+tLApjNqNEOT6Y=
 =2ABQ
 -----END PGP SIGNATURE-----

Merge tag 'tegra-for-5.16-soc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into arm/fixes

soc/tegra: Fixes for v5.16-rc6

This contains a single build fix without which ARM allmodconfig builds
are broken if -Werror is enabled.

* tag 'tegra-for-5.16-soc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux:
  soc/tegra: fuse: Fix bitwise vs. logical OR warning

Link: https://lore.kernel.org/r/20211215162618.3568474-1-thierry.reding@gmail.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2021-12-16 15:02:26 +01:00
Gal Pressman
8a03ef676a net: Fix double 0x prefix print in SKB dump
When printing netdev features %pNF already takes care of the 0x prefix,
remove the explicit one.

Fixes: 6413139dfc ("skbuff: increase verbosity when dumping skb data")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-12-16 11:08:15 +00:00