1. 02 Dec, 2020 14 commits
    • Mark Rutland's avatar
      arm64: uaccess: remove addr_limit_user_check() · b5a5a01d
      Mark Rutland authored
      Now that set_fs() is gone, addr_limit_user_check() is redundant. Remove
      the checks and associated thread flag.
      
      To ensure that _TIF_WORK_MASK can be used as an immediate value in an
      AND instruction (as it is in `ret_to_user`), TIF_MTE_ASYNC_FAULT is
      renumbered to keep the constituent bits of _TIF_WORK_MASK contiguous.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-11-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      b5a5a01d
    • Mark Rutland's avatar
      arm64: uaccess: remove set_fs() · 3d2403fd
      Mark Rutland authored
      Now that the uaccess primitives dont take addr_limit into account, we
      have no need to manipulate this via set_fs() and get_fs(). Remove
      support for these, along with some infrastructure this renders
      redundant.
      
      We no longer need to flip UAO to access kernel memory under KERNEL_DS,
      and head.S unconditionally clears UAO for all kernel configurations via
      an ERET in init_kernel_el. Thus, we don't need to dynamically flip UAO,
      nor do we need to context-switch it. However, we still need to adjust
      PAN during SDEI entry.
      
      Masking of __user pointers no longer needs to use the dynamic value of
      addr_limit, and can use a constant derived from the maximum possible
      userspace task size. A new TASK_SIZE_MAX constant is introduced for
      this, which is also used by core code. In configurations supporting
      52-bit VAs, this may include a region of unusable VA space above a
      48-bit TTBR0 limit, but never includes any portion of TTBR1.
      
      Note that TASK_SIZE_MAX is an exclusive limit, while USER_DS and
      KERNEL_DS were inclusive limits, and is converted to a mask by
      subtracting one.
      
      As the SDEI entry code repurposes the otherwise unnecessary
      pt_regs::orig_addr_limit field to store the TTBR1 of the interrupted
      context, for now we rename that to pt_regs::sdei_ttbr1. In future we can
      consider factoring that out.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Acked-by: default avatarJames Morse <james.morse@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-10-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      3d2403fd
    • Mark Rutland's avatar
      arm64: uaccess cleanup macro naming · 7b90dc40
      Mark Rutland authored
      Now the uaccess primitives use LDTR/STTR unconditionally, the
      uao_{ldp,stp,user_alternative} asm macros are misnamed, and have a
      redundant argument. Let's remove the redundant argument and rename these
      to user_{ldp,stp,ldst} respectively to clean this up.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarRobin Murohy <robin.murphy@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-9-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      7b90dc40
    • Mark Rutland's avatar
      arm64: uaccess: split user/kernel routines · fc703d80
      Mark Rutland authored
      This patch separates arm64's user and kernel memory access primitives
      into distinct routines, adding new __{get,put}_kernel_nofault() helpers
      to access kernel memory, upon which core code builds larger copy
      routines.
      
      The kernel access routines (using LDR/STR) are not affected by PAN (when
      legitimately accessing kernel memory), nor are they affected by UAO.
      Switching to KERNEL_DS may set UAO, but this does not adversely affect
      the kernel access routines.
      
      The user access routines (using LDTR/STTR) are not affected by PAN (when
      legitimately accessing user memory), but are affected by UAO. As these
      are only legitimate to use under USER_DS with UAO clear, this should not
      be problematic.
      
      Routines performing atomics to user memory (futex and deprecated
      instruction emulation) still need to transiently clear PAN, and these
      are left as-is. These are never used on kernel memory.
      
      Subsequent patches will refactor the uaccess helpers to remove redundant
      code, and will also remove the redundant PAN/UAO manipulation.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-8-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      fc703d80
    • Mark Rutland's avatar
      arm64: uaccess: refactor __{get,put}_user · f253d827
      Mark Rutland authored
      As a step towards implementing __{get,put}_kernel_nofault(), this patch
      splits most user-memory specific logic out of __{get,put}_user(), with
      the memory access and fault handling in new __{raw_get,put}_mem()
      helpers.
      
      For now the LDR/LDTR patching is left within the *get_mem() helpers, and
      will be removed in a subsequent patch.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-7-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      f253d827
    • Mark Rutland's avatar
      arm64: uaccess: simplify __copy_user_flushcache() · 9e94fdad
      Mark Rutland authored
      Currently __copy_user_flushcache() open-codes raw_copy_from_user(), and
      doesn't use uaccess_mask_ptr() on the user address. Let's have it call
      raw_copy_from_user(), which is both a simplification and ensures that
      user pointers are masked under speculation.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-6-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      9e94fdad
    • Mark Rutland's avatar
      arm64: uaccess: rename privileged uaccess routines · 923e1e7d
      Mark Rutland authored
      We currently have many uaccess_*{enable,disable}*() variants, which
      subsequent patches will cut down as part of removing set_fs() and
      friends. Once this simplification is made, most uaccess routines will
      only need to ensure that the user page tables are mapped in TTBR0, as is
      currently dealt with by uaccess_ttbr0_{enable,disable}().
      
      The existing uaccess_{enable,disable}() routines ensure that user page
      tables are mapped in TTBR0, and also disable PAN protections, which is
      necessary to be able to use atomics on user memory, but also permit
      unrelated privileged accesses to access user memory.
      
      As preparatory step, let's rename uaccess_{enable,disable}() to
      uaccess_{enable,disable}_privileged(), highlighting this caveat and
      discouraging wider misuse. Subsequent patches can reuse the
      uaccess_{enable,disable}() naming for the common case of ensuring the
      user page tables are mapped in TTBR0.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-5-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      923e1e7d
    • Mark Rutland's avatar
      arm64: sdei: explicitly simulate PAN/UAO entry · 2376e75c
      Mark Rutland authored
      In preparation for removing addr_limit and set_fs() we must decouple the
      SDEI PAN/UAO manipulation from the uaccess code, and explicitly
      reinitialize these as required.
      
      SDEI enters the kernel with a non-architectural exception, and prior to
      the most recent revision of the specification (ARM DEN 0054B), PSTATE
      bits (e.g. PAN, UAO) are not manipulated in the same way as for
      architectural exceptions. Notably, older versions of the spec can be
      read ambiguously as to whether PSTATE bits are inherited unchanged from
      the interrupted context or whether they are generated from scratch, with
      TF-A doing the latter.
      
      We have three cases to consider:
      
      1) The existing TF-A implementation of SDEI will clear PAN and clear UAO
         (along with other bits in PSTATE) when delivering an SDEI exception.
      
      2) In theory, implementations of SDEI prior to revision B could inherit
         PAN and UAO (along with other bits in PSTATE) unchanged from the
         interrupted context. However, in practice such implementations do not
         exist.
      
      3) Going forward, new implementations of SDEI must clear UAO, and
         depending on SCTLR_ELx.SPAN must either inherit or set PAN.
      
      As we can ignore (2) we can assume that upon SDEI entry, UAO is always
      clear, though PAN may be clear, inherited, or set per SCTLR_ELx.SPAN.
      Therefore, we must explicitly initialize PAN, but do not need to do
      anything for UAO.
      
      Considering what we need to do:
      
      * When set_fs() is removed, force_uaccess_begin() will have no HW
        side-effects. As this only clears UAO, which we can assume has already
        been cleared upon entry, this is not a problem. We do not need to add
        code to manipulate UAO explicitly.
      
      * PAN may be cleared upon entry (in case 1 above), so where a kernel is
        built to use PAN and this is supported by all CPUs, the kernel must
        set PAN upon entry to ensure expected behaviour.
      
      * PAN may be inherited from the interrupted context (in case 3 above),
        and so where a kernel is not built to use PAN or where PAN support is
        not uniform across CPUs, the kernel must clear PAN to ensure expected
        behaviour.
      
      This patch reworks the SDEI code accordingly, explicitly setting PAN to
      the expected state in all cases. To cater for the cases where the kernel
      does not use PAN or this is not uniformly supported by hardware we add a
      new cpu_has_pan() helper which can be used regardless of whether the
      kernel is built to use PAN.
      
      The existing system_uses_ttbr0_pan() is redefined in terms of
      system_uses_hw_pan() both for clarity and as a minor optimization when
      HW PAN is not selected.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarJames Morse <james.morse@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-3-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      2376e75c
    • Mark Rutland's avatar
      arm64: sdei: move uaccess logic to arch/arm64/ · a0ccf2ba
      Mark Rutland authored
      The SDEI support code is split across arch/arm64/ and drivers/firmware/,
      largley this is split so that the arch-specific portions are under
      arch/arm64, and the management logic is under drivers/firmware/.
      However, exception entry fixups are currently under drivers/firmware.
      
      Let's move the exception entry fixups under arch/arm64/. This
      de-clutters the management logic, and puts all the arch-specific
      portions in one place. Doing this also allows the fixups to be applied
      earlier, so things like PAN and UAO will be in a known good state before
      we run other logic. This will also make subsequent refactoring easier.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarJames Morse <james.morse@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201202131558.39270-2-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      a0ccf2ba
    • Mark Rutland's avatar
      arm64: head.S: always initialize PSTATE · d87a8e65
      Mark Rutland authored
      As with SCTLR_ELx and other control registers, some PSTATE bits are
      UNKNOWN out-of-reset, and we may not be able to rely on hardware or
      firmware to initialize them to our liking prior to entry to the kernel,
      e.g. in the primary/secondary boot paths and return from idle/suspend.
      
      It would be more robust (and easier to reason about) if we consistently
      initialized PSTATE to a default value, as we do with control registers.
      This will ensure that the kernel is not adversely affected by bits it is
      not aware of, e.g. when support for a feature such as PAN/UAO is
      disabled.
      
      This patch ensures that PSTATE is consistently initialized at boot time
      via an ERET. This is not intended to relax the existing requirements
      (e.g. DAIF bits must still be set prior to entering the kernel). For
      features detected dynamically (which may require system-wide support),
      it is still necessary to subsequently modify PSTATE.
      
      As ERET is not always a Context Synchronization Event, an ISB is placed
      before each exception return to ensure updates to control registers have
      taken effect. This handles the kernel being entered with SCTLR_ELx.EOS
      clear (or any future control bits being in an UNKNOWN state).
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201113124937.20574-6-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      d87a8e65
    • Mark Rutland's avatar
      arm64: head.S: cleanup SCTLR_ELx initialization · 2ffac9e3
      Mark Rutland authored
      Let's make SCTLR_ELx initialization a bit clearer by using meaningful
      names for the initialization values, following the same scheme for
      SCTLR_EL1 and SCTLR_EL2.
      
      These definitions will be used more widely in subsequent patches.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201113124937.20574-5-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      2ffac9e3
    • Mark Rutland's avatar
      arm64: head.S: rename el2_setup -> init_kernel_el · ecbb11ab
      Mark Rutland authored
      For a while now el2_setup has performed some basic initialization of EL1
      even when the kernel is booted at EL1, so the name is a little
      misleading. Further, some comments are stale as with VHE it doesn't drop
      the CPU to EL1.
      
      To clarify things, rename el2_setup to init_kernel_el, and update
      comments to be clearer as to the function's purpose.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201113124937.20574-4-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      ecbb11ab
    • Mark Rutland's avatar
      arm64: add C wrappers for SET_PSTATE_*() · 515d5c8a
      Mark Rutland authored
      To make callsites easier to read, add trivial C wrappers for the
      SET_PSTATE_*() helpers, and convert trivial uses over to these. The new
      wrappers will be used further in subsequent patches.
      
      There should be no functional change as a result of this patch.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201113124937.20574-3-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      515d5c8a
    • Mark Rutland's avatar
      arm64: ensure ERET from kthread is illegal · f80d0340
      Mark Rutland authored
      For consistency, all tasks have a pt_regs reserved at the highest
      portion of their task stack. Among other things, this ensures that a
      task's SP is always pointing within its stack rather than pointing
      immediately past the end.
      
      While it is never legitimate to ERET from a kthread, we take pains to
      initialize pt_regs for kthreads as if this were legitimate. As this is
      never legitimate, the effects of an erroneous return are rarely tested.
      
      Let's simplify things by initializing a kthread's pt_regs such that an
      ERET is caught as an illegal exception return, and removing the explicit
      initialization of other exception context. Note that as
      spectre_v4_enable_task_mitigation() only manipulates the PSTATE within
      the unused regs this is safe to remove.
      
      As user tasks will have their exception context initialized via
      start_thread() or start_compat_thread(), this should only impact cases
      where something has gone very wrong and we'd like that to be clearly
      indicated.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: James Morse <james.morse@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20201113124937.20574-2-mark.rutland@arm.comSigned-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      f80d0340
  2. 09 Nov, 2020 6 commits
  3. 08 Nov, 2020 13 commits
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.10-rc3' of... · 15f5d201
      Linus Torvalds authored
      Merge tag 'driver-core-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core documentation fixes from Greg KH:
       "Some small Documentation fixes that were fallout from the larger
        documentation update we did in 5.10-rc2.
      
        Nothing major here at all, but all of these have been in linux-next
        and resolve build warnings when building the documentation files"
      
      * tag 'driver-core-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Documentation: remove mic/index from misc-devices/index.rst
        scripts: get_api.pl: Add sub-titles to ABI output
        scripts: get_abi.pl: Don't let ABI files to create subtitles
        docs: leds: index.rst: add a missing file
        docs: ABI: sysfs-class-net: fix a typo
        docs: ABI: sysfs-driver-dma-ioatdma: what starts with /sys
      15f5d201
    • Linus Torvalds's avatar
      Merge tag 'tty-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · bbc82184
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are a small number of small tty and serial fixes for some
        reported problems for the tty core, vt code, and some serial drivers.
      
        They include fixes for:
      
         - a buggy and obsolete vt font ioctl removal
      
         - 8250_mtk serial baudrate runtime warnings
      
         - imx serial earlycon build configuration fix
      
         - txx9 serial driver error path cleanup issues
      
         - tty core fix in release_tty that can be triggered by trying to bind
           an invalid serial port name to a speakup console device
      
        Almost all of these have been in linux-next without any problems, the
        only one that hasn't, just deletes code :)"
      
      * tag 'tty-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vt: Disable KD_FONT_OP_COPY
        tty: fix crash in release_tty if tty->port is not set
        serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init
        tty: serial: imx: enable earlycon by default if IMX_SERIAL_CONSOLE is enabled
        serial: 8250_mtk: Fix uart_get_baud_rate warning
      bbc82184
    • Linus Torvalds's avatar
      Merge tag 'usb-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · df53b815
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes and new device ids:
      
         - USB gadget fixes for some reported issues
      
         - Fixes for the ever-troublesome apple fastcharge driver, hopefully
           we finally have it right.
      
         - More USB core quirks for odd devices
      
         - USB serial driver fixes for some long-standing issues that were
           recently found
      
         - some new USB serial driver device ids
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: apple-mfi-fastcharge: fix reference leak in apple_mfi_fc_set_property
        usb: mtu3: fix panic in mtu3_gadget_stop()
        USB: serial: option: add Telit FN980 composition 0x1055
        USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
        USB: serial: cyberjack: fix write-URB completion race
        USB: Add NO_LPM quirk for Kingston flash drive
        USB: serial: option: add Quectel EC200T module support
        usb: raw-gadget: fix memory leak in gadget_setup
        usb: dwc2: Avoid leaving the error_debugfs label unused
        usb: dwc3: ep0: Fix delay status handling
        usb: gadget: fsl: fix null pointer checking
        usb: gadget: goku_udc: fix potential crashes in probe
        usb: dwc3: pci: add support for the Intel Alder Lake-S
      df53b815
    • Eddy Wu's avatar
      fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent · b4e00444
      Eddy Wu authored
      current->group_leader->exit_signal may change during copy_process() if
      current->real_parent exits.
      
      Move the assignment inside tasklist_lock to avoid the race.
      Signed-off-by: default avatarEddy Wu <eddy_wu@trendmicro.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b4e00444
    • Daniel Vetter's avatar
      vt: Disable KD_FONT_OP_COPY · 3c4e0dff
      Daniel Vetter authored
      It's buggy:
      
      On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
      > We recently discovered a slab-out-of-bounds read in fbcon in the latest
      > kernel ( v5.10-rc2 for now ).  The root cause of this vulnerability is that
      > "fbcon_do_set_font" did not handle "vc->vc_font.data" and
      > "vc->vc_font.height" correctly, and the patch
      > <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
      > issue.
      >
      > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
      > use  KD_FONT_OP_SET again to set a large font.height for tty1. After that,
      > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
      > in "fbcon_do_set_font", while tty1 retains the original larger
      > height. Obviously, this will cause an out-of-bounds read, because we can
      > access a smaller vc_font.data with a larger vc_font.height.
      
      Further there was only one user ever.
      - Android's loadfont, busybox and console-tools only ever use OP_GET
        and OP_SET
      - fbset documentation only mentions the kernel cmdline font: option,
        not anything else.
      - systemd used OP_COPY before release 232 published in Nov 2016
      
      Now unfortunately the crucial report seems to have gone down with
      gmane, and the commit message doesn't say much. But the pull request
      hints at OP_COPY being broken
      
      https://github.com/systemd/systemd/pull/3651
      
      So in other words, this never worked, and the only project which
      foolishly every tried to use it, realized that rather quickly too.
      
      Instead of trying to fix security issues here on dead code by adding
      missing checks, fix the entire thing by removing the functionality.
      
      Note that systemd code using the OP_COPY function ignored the return
      value, so it doesn't matter what we're doing here really - just in
      case a lone server somewhere happens to be extremely unlucky and
      running an affected old version of systemd. The relevant code from
      font_copy_to_all_vcs() in systemd was:
      
      	/* copy font from active VT, where the font was uploaded to */
      	cfo.op = KD_FONT_OP_COPY;
      	cfo.height = vcs.v_active-1; /* tty1 == index 0 */
      	(void) ioctl(vcfd, KDFONTOP, &cfo);
      
      Note this just disables the ioctl, garbage collecting the now unused
      callbacks is left for -next.
      
      v2: Tetsuo found the old mail, which allowed me to find it on another
      archive. Add the link too.
      Acked-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Reported-by: default avatarMinh Yuan <yuanmingbuaa@gmail.com>
      References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
      References: https://github.com/systemd/systemd/pull/3651
      Cc: Greg KH <greg@kroah.com>
      Cc: Peilin Ye <yepeilin.cs@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.chSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c4e0dff
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.10-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 9dbc1c03
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
      
       - Fix an uninitialized struct problem
      
       - Fix an iomap problem zeroing unwritten EOF blocks
      
       - Fix some clumsy error handling when writeback fails on filesystems
         with blocksize < pagesize
      
       - Fix a retry loop not resetting loop variables properly
      
       - Fix scrub flagging rtinherit inodes on a non-rt fs, since the kernel
         actually does permit that combination
      
       - Fix excessive page cache flushing when unsharing part of a file
      
      * tag 'xfs-5.10-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: only flush the unshared range in xfs_reflink_unshare
        xfs: fix scrub flagging rtinherit even if there is no rt device
        xfs: fix missing CoW blocks writeback conversion retry
        iomap: clean up writeback state logic on writepage error
        iomap: support partial page discard on writeback block mapping failure
        xfs: flush new eof page on truncate to avoid post-eof corruption
        xfs: set xefi_discard when creating a deferred agfl free log intent item
      9dbc1c03
    • Linus Torvalds's avatar
      Merge branch 'hch' (patches from Christoph) · 6b2c4d52
      Linus Torvalds authored
      Merge procfs splice read fixes from Christoph Hellwig:
       "Greg reported a problem due to the fact that Android tests use procfs
        files to test splice, which stopped working with the changes for
        set_fs() removal.
      
        This series adds read_iter support for seq_file, and uses those for
        various proc files using seq_file to restore splice read support"
      
      [ Side note: Christoph initially had a scripted "move everything over"
        patch, which looks fine, but I personally would prefer us to actively
        discourage splice() on random files.  So this does just the minimal
        basic core set of proc file op conversions.
      
        For completeness, and in case people care, that script was
      
           sed -i -e 's/\.proc_read\(\s*=\s*\)seq_read/\.proc_read_iter\1seq_read_iter/g'
      
        but I'll wait and see if somebody has a strong argument for using
        splice on random small /proc files before I'd run it on the whole
        kernel.   - Linus ]
      
      * emailed patches from Christoph Hellwig <hch@lst.de>:
        proc "seq files": switch to ->read_iter
        proc "single files": switch to ->read_iter
        proc/stat: switch to ->read_iter
        proc/cpuinfo: switch to ->read_iter
        proc: wire up generic_file_splice_read for iter ops
        seq_file: add seq_read_iter
      6b2c4d52
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 40be821d
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of x86 fixes:
      
         - Use SYM_FUNC_START_WEAK in the mem* ASM functions instead of a
           combination of .weak and SYM_FUNC_START_LOCAL which makes LLVMs
           integrated assembler upset
      
         - Correct the mitigation selection logic which prevented the related
           prctl to work correctly
      
         - Make the UV5 hubless system work correctly by fixing up the
           malformed table entries and adding the missing ones"
      
      * tag 'x86-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/platform/uv: Recognize UV5 hubless system identifier
        x86/platform/uv: Remove spaces from OEM IDs
        x86/platform/uv: Fix missing OEM_TABLE_ID
        x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP
        x86/lib: Change .weak to SYM_FUNC_START_WEAK for arch/x86/lib/mem*_64.S
      40be821d
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 100e3891
      Linus Torvalds authored
      Pull perf fix from Thomas Gleixner:
       "A single fix for the perf core plugging a memory leak in the address
        filter parser"
      
      * tag 'perf-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Fix a memory leak in perf_event_parse_addr_filter()
      100e3891
    • Linus Torvalds's avatar
      Merge tag 'locking-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · aaaaa7ec
      Linus Torvalds authored
      Pull futex fix from Thomas Gleixner:
       "A single fix for the futex code where an intermediate state in the
        underlying RT mutex was not handled correctly and triggering a BUG()
        instead of treating it as another variant of retry condition"
      
      * tag 'locking-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        futex: Handle transient "ownerless" rtmutex state correctly
      aaaaa7ec
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 15a98444
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A set of fixes for interrupt chip drivers:
      
         - Fix the fallout of the IPI as interrupt conversion in Kconfig and
           the BCM2836 interrupt chip driver
      
         - Fixes for interrupt affinity setting and the handling of
           hierarchical irq domains in the SiFive PLIC driver
      
         - Make the unmapped event handling in the TI SCI driver work
           correctly
      
         - A few minor fixes and cleanups in various chip drivers and Kconfig"
      
      * tag 'irq-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        dt-bindings: irqchip: ti, sci-inta: Fix diagram indentation for unmapped events
        irqchip/ti-sci-inta: Add support for unmapped event handling
        dt-bindings: irqchip: ti, sci-inta: Update for unmapped event handling
        irqchip/renesas-intc-irqpin: Merge irlm_bit and needs_irlm
        irqchip/sifive-plic: Fix chip_data access within a hierarchy
        irqchip/sifive-plic: Fix broken irq_set_affinity() callback
        irqchip/stm32-exti: Add all LP timer exti direct events support
        irqchip/bcm2836: Fix missing __init annotation
        irqchip/mips: Drop selection of IRQ_DOMAIN_HIERARCHY
        irqchip/mst: Make mst_intc_of_init static
        irqchip/mst: MST_IRQ should depend on ARCH_MEDIATEK or ARCH_MSTARV7
        genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
      15a98444
    • Linus Torvalds's avatar
      Merge tag 'core-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6a8d0d28
      Linus Torvalds authored
      Pull entry code fix from Thomas Gleixner:
       "A single fix for the generic entry code to correct the wrong
        assumption that the lockdep interrupt state needs not to be
        established before calling the RCU check"
      
      * tag 'core-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        entry: Fix the incorrect ordering of lockdep and RCU check
      6a8d0d28
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · e942d752
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - fix miscompilation with GCC 4.9 by using asm_goto_volatile for put_user()
      
       - fix for an RCU splat at boot caused by a recent lockdep change
      
       - fix for a possible deadlock in our EEH debugfs code
      
       - several fixes for handling of _PAGE_ACCESSED on 32-bit platforms
      
       - build fix when CONFIG_NUMA=n
      
      Thanks to Andreas Schwab, Christophe Leroy, Oliver O'Halloran, Qian Cai,
      and Scott Cheloha.
      
      * tag 'powerpc-5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/numa: Fix build when CONFIG_NUMA=n
        powerpc/8xx: Manage _PAGE_ACCESSED through APG bits in L1 entry
        powerpc/8xx: Always fault when _PAGE_ACCESSED is not set
        powerpc/40x: Always fault when _PAGE_ACCESSED is not set
        powerpc/603: Always fault when _PAGE_ACCESSED is not set
        powerpc: Use asm_goto_volatile for put_user()
        powerpc/smp: Call rcu_cpu_starting() earlier
        powerpc/eeh_cache: Fix a possible debugfs deadlock
      e942d752
  4. 07 Nov, 2020 7 commits
    • Linus Torvalds's avatar
      Merge tag 'block-5.10-2020-11-07' of git://git.kernel.dk/linux-block · 4429f14a
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request from Christoph:
          - revert a nvme_queue size optimization (Keith Bush)
          - fabrics timeout races fixes (Chao Leng and Sagi Grimberg)"
      
       - null_blk zone locking fix (Damien)
      
      * tag 'block-5.10-2020-11-07' of git://git.kernel.dk/linux-block:
        null_blk: Fix scheduling in atomic with zoned mode
        nvme-tcp: avoid repeated request completion
        nvme-rdma: avoid repeated request completion
        nvme-tcp: avoid race between time out and tear down
        nvme-rdma: avoid race between time out and tear down
        nvme: introduce nvme_sync_io_queues
        Revert "nvme-pci: remove last_sq_tail"
      4429f14a
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.10-2020-11-07' of git://git.kernel.dk/linux-block · e9c02d68
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A set of fixes for io_uring:
      
         - SQPOLL cancelation fixes
      
         - Two fixes for the io_identity COW
      
         - Cancelation overflow fix (Pavel)
      
         - Drain request cancelation fix (Pavel)
      
         - Link timeout race fix (Pavel)"
      
      * tag 'io_uring-5.10-2020-11-07' of git://git.kernel.dk/linux-block:
        io_uring: fix link lookup racing with link timeout
        io_uring: use correct pointer for io_uring_show_cred()
        io_uring: don't forget to task-cancel drained reqs
        io_uring: fix overflowed cancel w/ linked ->files
        io_uring: drop req/tctx io_identity separately
        io_uring: ensure consistent view of original task ->mm from SQPOLL
        io_uring: properly handle SQPOLL request cancelations
        io-wq: cancel request if it's asking for files and we don't have them
      e9c02d68
    • Mike Galbraith's avatar
      futex: Handle transient "ownerless" rtmutex state correctly · 9f5d1c33
      Mike Galbraith authored
      Gratian managed to trigger the BUG_ON(!newowner) in fixup_pi_state_owner().
      This is one possible chain of events leading to this:
      
      Task Prio       Operation
      T1   120	lock(F)
      T2   120	lock(F)   -> blocks (top waiter)
      T3   50 (RT)	lock(F)   -> boosts T1 and blocks (new top waiter)
      XX   		timeout/  -> wakes T2
      		signal
      T1   50		unlock(F) -> wakes T3 (rtmutex->owner == NULL, waiter bit is set)
      T2   120	cleanup   -> try_to_take_mutex() fails because T3 is the top waiter
           			     and the lower priority T2 cannot steal the lock.
           			  -> fixup_pi_state_owner() sees newowner == NULL -> BUG_ON()
      
      The comment states that this is invalid and rt_mutex_real_owner() must
      return a non NULL owner when the trylock failed, but in case of a queued
      and woken up waiter rt_mutex_real_owner() == NULL is a valid transient
      state. The higher priority waiter has simply not yet managed to take over
      the rtmutex.
      
      The BUG_ON() is therefore wrong and this is just another retry condition in
      fixup_pi_state_owner().
      
      Drop the locks, so that T3 can make progress, and then try the fixup again.
      
      Gratian provided a great analysis, traces and a reproducer. The analysis is
      to the point, but it confused the hell out of that tglx dude who had to
      page in all the futex horrors again. Condensed version is above.
      
      [ tglx: Wrote comment and changelog ]
      
      Fixes: c1e2f0ea ("futex: Avoid violating the 10th rule of futex")
      Reported-by: default avatarGratian Crisan <gratian.crisan@ni.com>
      Signed-off-by: default avatarMike Galbraith <efault@gmx.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/87a6w6x7bb.fsf@ni.com
      Link: https://lore.kernel.org/r/87sg9pkvf7.fsf@nanos.tec.linutronix.de
      9f5d1c33
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · af6e7de0
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Driver bugfixes for I2C.
      
        Most of them are for the new mlxbf driver which got more exposure
        after rc1. The sh_mobile patch should already have reached you during
        the merge window, but I accidently dropped it. However, since it fixes
        a problem with rebooting, it is still fine for rc3"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: designware: slave should do WRITE_REQUESTED before WRITE_RECEIVED
        i2c: designware: call i2c_dw_read_clear_intrbits_slave() once
        i2c: mlxbf: I2C_MLXBF should depend on MELLANOX_PLATFORM
        i2c: mlxbf: Update author and maintainer email info
        i2c: mlxbf: Update reference clock frequency
        i2c: mlxbf: Remove unecessary wrapper functions
        i2c: mlxbf: Fix resrticted cast warning of sparse
        i2c: mlxbf: Add CONFIG_ACPI to guard ACPI function call
        i2c: sh_mobile: implement atomic transfers
        i2c: mediatek: move dma reset before i2c reset
      af6e7de0
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 4b1d362d
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - SPDX comment style fix
      
       - ignore memory that is unusable
      
       - avoid setting a kernel text offset for the !MMU kernels, where
         skipping the first page of memory is both unnecessary and costly
      
       - avoid passing the flag bits in satp to pfn_to_virt()
      
       - fix __put_kernel_nofault, where we had the arguments to
         __put_user_nocheck reversed
      
       - workaround for a bug in the FU540 to avoid triggering PMP issues
         during early boot
      
       - change to how we pull symbols out of the vDSO. The old mechanism was
         removed from binutils-2.35 (and has been backported to Debian's 2.34)
      
      * tag 'riscv-for-linus-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: Fix the VDSO symbol generaton for binutils-2.35+
        RISC-V: Use non-PGD mappings for early DTB access
        riscv: uaccess: fix __put_kernel_nofault()
        riscv: fix pfn_to_virt err in do_page_fault().
        riscv: Set text_offset correctly for M-Mode
        RISC-V: Remove any memblock representing unusable memory area
        risc-v: kernel: ftrace: Fixes improper SPDX comment style
      4b1d362d
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-serial-5.10-rc3' of... · db388a6c
      Greg Kroah-Hartman authored
      Merge tag 'usb-serial-5.10-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
      
      Johan writes:
      
      USB-serial fixes for 5.10-rc3
      
      Here's a fix for a long-standing issue with the cyberjack driver and
      some new device ids.
      
      All have been in linux-next with no reported issues.
      
      * tag 'usb-serial-5.10-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
        USB: serial: option: add Telit FN980 composition 0x1055
        USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
        USB: serial: cyberjack: fix write-URB completion race
        USB: serial: option: add Quectel EC200T module support
      db388a6c
    • kiyin(尹亮)'s avatar
      perf/core: Fix a memory leak in perf_event_parse_addr_filter() · 7bdb157c
      kiyin(尹亮) authored
      As shown through runtime testing, the "filename" allocation is not
      always freed in perf_event_parse_addr_filter().
      
      There are three possible ways that this could happen:
      
       - It could be allocated twice on subsequent iterations through the loop,
       - or leaked on the success path,
       - or on the failure path.
      
      Clean up the code flow to make it obvious that 'filename' is always
      freed in the reallocation path and in the two return paths as well.
      
      We rely on the fact that kfree(NULL) is NOP and filename is initialized
      with NULL.
      
      This fixes the leak. No other side effects expected.
      
      [ Dan Carpenter: cleaned up the code flow & added a changelog. ]
      [ Ingo Molnar: updated the changelog some more. ]
      
      Fixes: 375637bc ("perf/core: Introduce address range filtering")
      Signed-off-by: default avatar"kiyin(尹亮)" <kiyin@tencent.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
      Cc: Anthony Liguori <aliguori@amazon.com>
      --
       kernel/events/core.c | 12 +++++-------
       1 file changed, 5 insertions(+), 7 deletions(-)
      7bdb157c