1. 06 Jul, 2022 1 commit
  2. 05 Jul, 2022 1 commit
    • Linus Torvalds's avatar
      Merge tag 'xsa-5.19-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · e35e5b6f
      Linus Torvalds authored
      Pull xen security fixes from Juergen Gross:
      
       - XSA-403 (4 patches for blkfront and netfront drivers):
      
         Linux Block and Network PV device frontends don't zero memory regions
         before sharing them with the backend (CVE-2022-26365,
         CVE-2022-33740). Additionally the granularity of the grant table
         doesn't allow sharing less than a 4K page, leading to unrelated data
         residing in the same 4K page as data shared with a backend being
         accessible by such backend (CVE-2022-33741, CVE-2022-33742).
      
       - XSA-405 (1 patch for netfront driver, only 5.10 and newer):
      
         While adding logic to support XDP (eXpress Data Path), a code label
         was moved in a way allowing for SKBs having references (pointers)
         retained for further processing to nevertheless be freed.
      
       - XSA-406 (1 patch for Arm specific dom0 code):
      
         When mapping pages of guests on Arm, dom0 is using an rbtree to keep
         track of the foreign mappings.
      
         Updating of that rbtree is not always done completely with the
         related lock held, resulting in a small race window, which can be
         used by unprivileged guests via PV devices to cause inconsistencies
         of the rbtree. These inconsistencies can lead to Denial of Service
         (DoS) of dom0, e.g. by causing crashes or the inability to perform
         further mappings of other guests' memory pages.
      
      * tag 'xsa-5.19-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/arm: Fix race in RB-tree based P2M accounting
        xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
        xen/blkfront: force data bouncing when backend is untrusted
        xen/netfront: force data bouncing when backend is untrusted
        xen/netfront: fix leaking data in shared pages
        xen/blkfront: fix leaking data in shared pages
      e35e5b6f
  3. 04 Jul, 2022 8 commits
  4. 03 Jul, 2022 5 commits
    • Linus Torvalds's avatar
      Linux 5.19-rc5 · 88084a3d
      Linus Torvalds authored
      88084a3d
    • Linus Torvalds's avatar
      lockref: remove unused 'lockref_get_or_lock()' function · b8d5109f
      Linus Torvalds authored
      Looking at the conditional lock acquire functions in the kernel due to
      the new sparse support (see commit 4a557a5d "sparse: introduce
      conditional lock acquire function attribute"), it became obvious that
      the lockref code has a couple of them, but they don't match the usual
      naming convention for the other ones, and their return value logic is
      also reversed.
      
      In the other very similar places, the naming pattern is '*_and_lock()'
      (eg 'atomic_put_and_lock()' and 'refcount_dec_and_lock()'), and the
      function returns true when the lock is taken.
      
      The lockref code is superficially very similar to the refcount code,
      only with the special "atomic wrt the embedded lock" semantics.  But
      instead of the '*_and_lock()' naming it uses '*_or_lock()'.
      
      And instead of returning true in case it took the lock, it returns true
      if it *didn't* take the lock.
      
      Now, arguably the reflock code is quite logical: it really is a "either
      decrement _or_ lock" kind of situation - and the return value is about
      whether the operation succeeded without any special care needed.
      
      So despite the similarities, the differences do make some sense, and
      maybe it's not worth trying to unify the different conditional locking
      primitives in this area.
      
      But while looking at this all, it did become obvious that the
      'lockref_get_or_lock()' function hasn't actually had any users for
      almost a decade.
      
      The only user it ever had was the shortlived 'd_rcu_to_refcount()'
      function, and it got removed and replaced with 'lockref_get_not_dead()'
      back in 2013 in commits 0d98439e ("vfs: use lockred 'dead' flag to
      mark unrecoverably dead dentries") and e5c832d5 ("vfs: fix dentry
      RCU to refcounting possibly sleeping dput()")
      
      In fact, that single use was removed less than a week after the whole
      function was introduced in commit b3abd802 ("lockref: add
      'lockref_get_or_lock() helper") so this function has been around for a
      decade, but only had a user for six days.
      
      Let's just put this mis-designed and unused function out of its misery.
      
      We can think about the naming and semantic oddities of the remaining
      'lockref_put_or_lock()' later, but at least that function has users.
      
      And while the naming is different and the return value doesn't match,
      that function matches the whole '{atomic,refcount}_dec_and_test()'
      pattern much better (ie the magic happens when the count goes down to
      zero, not when it is incremented from zero).
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b8d5109f
    • Arnd Bergmann's avatar
      Merge tag 'qcom-arm64-fixes-for-5.19' of... · 7ecd8a7a
      Arnd Bergmann authored
      Merge tag 'qcom-arm64-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes
      
      Qualcomm ARM64 DT fixes for v5.19
      
      This removes duplicate includes in the sc7180-trogdor files, which
      accidentally ended up disabling nodes intended to be enabled.
      
      It corrects identifiers for CPU6/7 on MSM8994. On SM8450 the UFS node's
      interconnects property is updated to match the #interconnect-cells,
      avoiding sync_state issues and the GIC ITS is defined, to correct the
      references from the PCIe nodes. On SDM845 the display subsystem's AHB
      clock is corrected and on msm8992 devices, the supplies for lvs 1 and 2
      are correctly specified.
      
      Lastly, a welcome addition of Konrad as reviewer for the Qualcomm SoC.
      
      * tag 'qcom-arm64-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux:
        arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo
        MAINTAINERS: Add myself as a reviewer for Qualcomm ARM/64 support
        arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node
        arm64: dts: qcom: sm8450 add ITS device tree node
        arm64: dts: qcom: msm8994: Fix CPU6/7 reg values
        arm64: dts: qcom: sm8450: fix interconnects property of UFS node
        arm64: dts: qcom: Remove duplicate sc7180-trogdor include on lazor/homestar
      
      Link: https://lore.kernel.org/r/20220703030208.408109-1-bjorn.andersson@linaro.orgSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      7ecd8a7a
    • Linus Torvalds's avatar
      sparse: introduce conditional lock acquire function attribute · 4a557a5d
      Linus Torvalds authored
      The kernel tends to try to avoid conditional locking semantics because
      it makes it harder to think about and statically check locking rules,
      but we do have a few fundamental locking primitives that take locks
      conditionally - most obviously the 'trylock' functions.
      
      That has always been a problem for 'sparse' checking for locking
      imbalance, and we've had a special '__cond_lock()' macro that we've used
      to let sparse know how the locking works:
      
          # define __cond_lock(x,c)        ((c) ? ({ __acquire(x); 1; }) : 0)
      
      so that you can then use this to tell sparse that (for example) the
      spinlock trylock macro ends up acquiring the lock when it succeeds, but
      not when it fails:
      
          #define raw_spin_trylock(lock)  __cond_lock(lock, _raw_spin_trylock(lock))
      
      and then sparse can follow along the locking rules when you have code like
      
              if (!spin_trylock(&dentry->d_lock))
                      return LRU_SKIP;
      	.. sparse sees that the lock is held here..
              spin_unlock(&dentry->d_lock);
      
      and sparse ends up happy about the lock contexts.
      
      However, this '__cond_lock()' use does result in very ugly header files,
      and requires you to basically wrap the real function with that macro
      that uses '__cond_lock'.  Which has made PeterZ NAK things that try to
      fix sparse warnings over the years [1].
      
      To solve this, there is now a very experimental patch to sparse that
      basically does the exact same thing as '__cond_lock()' did, but using a
      function attribute instead.  That seems to make PeterZ happy [2].
      
      Note that this does not replace existing use of '__cond_lock()', but
      only exposes the new proposed attribute and uses it for the previously
      unannotated 'refcount_dec_and_lock()' family of functions.
      
      For existing sparse installations, this will make no difference (a
      negative output context was ignored), but if you have the experimental
      sparse patch it will make sparse now understand code that uses those
      functions, the same way '__cond_lock()' makes sparse understand the very
      similar 'atomic_dec_and_lock()' uses that have the old '__cond_lock()'
      annotations.
      
      Note that in some cases this will silence existing context imbalance
      warnings.  But in other cases it may end up exposing new sparse warnings
      for code that sparse just didn't see the locking for at all before.
      
      This is a trial, in other words.  I'd expect that if it ends up being
      successful, and new sparse releases end up having this new attribute,
      we'll migrate the old-style '__cond_lock()' users to use the new-style
      '__cond_acquires' function attribute.
      
      The actual experimental sparse patch was posted in [3].
      
      Link: https://lore.kernel.org/all/20130930134434.GC12926@twins.programming.kicks-ass.net/ [1]
      Link: https://lore.kernel.org/all/Yr60tWxN4P568x3W@worktop.programming.kicks-ass.net/ [2]
      Link: https://lore.kernel.org/all/CAHk-=wjZfO9hGqJ2_hGQG3U_XzSh9_XaXze=HgPdvJbgrvASfA@mail.gmail.com/ [3]
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Cc: Alexander Aring <aahringo@redhat.com>
      Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4a557a5d
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.19-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 20855e4c
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "This fixes some stalling problems and corrects the last of the
        problems (I hope) observed during testing of the new atomic xattr
        update feature.
      
         - Fix statfs blocking on background inode gc workers
      
         - Fix some broken inode lock assertion code
      
         - Fix xattr leaf buffer leaks when cancelling a deferred xattr update
           operation
      
         - Clean up xattr recovery to make it easier to understand.
      
         - Fix xattr leaf block verifiers tripping over empty blocks.
      
         - Remove complicated and error prone xattr leaf block bholding mess.
      
         - Fix a bug where an rt extent crossing EOF was treated as "posteof"
           blocks and cleaned unnecessarily.
      
         - Fix a UAF when log shutdown races with unmount"
      
      * tag 'xfs-5.19-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: prevent a UAF when log IO errors race with unmount
        xfs: dont treat rt extents beyond EOF as eofblocks to be cleared
        xfs: don't hold xattr leaf buffers across transaction rolls
        xfs: empty xattr leaf header blocks are not corruption
        xfs: clean up the end of xfs_attri_item_recover
        xfs: always free xattri_leaf_bp when cancelling a deferred op
        xfs: use invalidate_lock to check the state of mmap_lock
        xfs: factor out the common lock flags assert
        xfs: introduce xfs_inodegc_push()
        xfs: bound maximum wait time for inodegc work
      20855e4c
  5. 02 Jul, 2022 8 commits
  6. 01 Jul, 2022 17 commits