1. 21 Feb, 2022 3 commits
    • Jason A. Donenfeld's avatar
      random: use linear min-entropy accumulation crediting · c5704490
      Jason A. Donenfeld authored
      30e37ec5 ("random: account for entropy loss due to overwrites")
      assumed that adding new entropy to the LFSR pool probabilistically
      cancelled out old entropy there, so entropy was credited asymptotically,
      approximating Shannon entropy of independent sources (rather than a
      stronger min-entropy notion) using 1/8th fractional bits and replacing
      a constant 2-2/√𝑒 term (~0.786938) with 3/4 (0.75) to slightly
      underestimate it. This wasn't superb, but it was perhaps better than
      nothing, so that's what was done. Which entropy specifically was being
      cancelled out and how much precisely each time is hard to tell, though
      as I showed with the attack code in my previous commit, a motivated
      adversary with sufficient information can actually cancel out
      everything.
      
      Since we're no longer using an LFSR for entropy accumulation, this
      probabilistic cancellation is no longer relevant. Rather, we're now
      using a computational hash function as the accumulator and we've
      switched to working in the random oracle model, from which we can now
      revisit the question of min-entropy accumulation, which is done in
      detail in <https://eprint.iacr.org/2019/198>.
      
      Consider a long input bit string that is built by concatenating various
      smaller independent input bit strings. Each one of these inputs has a
      designated min-entropy, which is what we're passing to
      credit_entropy_bits(h). When we pass the concatenation of these to a
      random oracle, it means that an adversary trying to receive back the
      same reply as us would need to become certain about each part of the
      concatenated bit string we passed in, which means becoming certain about
      all of those h values. That means we can estimate the accumulation by
      simply adding up the h values in calls to credit_entropy_bits(h);
      there's no probabilistic cancellation at play like there was said to be
      for the LFSR. Incidentally, this is also what other entropy accumulators
      based on computational hash functions do as well.
      
      So this commit replaces credit_entropy_bits(h) with essentially `total =
      min(POOL_BITS, total + h)`, done with a cmpxchg loop as before.
      
      What if we're wrong and the above is nonsense? It's not, but let's
      assume we don't want the actual _behavior_ of the code to change much.
      Currently that behavior is not extracting from the input pool until it
      has 128 bits of entropy in it. With the old algorithm, we'd hit that
      magic 128 number after roughly 256 calls to credit_entropy_bits(1). So,
      we can retain more or less the old behavior by waiting to extract from
      the input pool until it hits 256 bits of entropy using the new code. For
      people concerned about this change, it means that there's not that much
      practical behavioral change. And for folks actually trying to model
      the behavior rigorously, it means that we have an even higher margin
      against attacks.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarJean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      c5704490
    • Jason A. Donenfeld's avatar
      random: simplify entropy debiting · 9c07f578
      Jason A. Donenfeld authored
      Our pool is 256 bits, and we only ever use all of it or don't use it at
      all, which is decided by whether or not it has at least 128 bits in it.
      So we can drastically simplify the accounting and cmpxchg loop to do
      exactly this.  While we're at it, we move the minimum bit size into a
      constant so it can be shared between the two places where it matters.
      
      The reason we want any of this is for the case in which an attacker has
      compromised the current state, and then bruteforces small amounts of
      entropy added to it. By demanding a particular minimum amount of entropy
      be present before reseeding, we make that bruteforcing difficult.
      
      Note that this rationale no longer includes anything about /dev/random
      blocking at the right moment, since /dev/random no longer blocks (except
      for at ~boot), but rather uses the crng. In a former life, /dev/random
      was different and therefore required a more nuanced account(), but this
      is no longer.
      
      Behaviorally, nothing changes here. This is just a simplification of
      the code.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      9c07f578
    • Jason A. Donenfeld's avatar
      random: use computational hash for entropy extraction · 6e8ec255
      Jason A. Donenfeld authored
      The current 4096-bit LFSR used for entropy collection had a few
      desirable attributes for the context in which it was created. For
      example, the state was huge, which meant that /dev/random would be able
      to output quite a bit of accumulated entropy before blocking. It was
      also, in its time, quite fast at accumulating entropy byte-by-byte,
      which matters given the varying contexts in which mix_pool_bytes() is
      called. And its diffusion was relatively high, which meant that changes
      would ripple across several words of state rather quickly.
      
      However, it also suffers from a few security vulnerabilities. In
      particular, inputs learned by an attacker can be undone, but moreover,
      if the state of the pool leaks, its contents can be controlled and
      entirely zeroed out. I've demonstrated this attack with this SMT2
      script, <https://xn--4db.cc/5o9xO8pb>, which Boolector/CaDiCal solves in
      a matter of seconds on a single core of my laptop, resulting in little
      proof of concept C demonstrators such as <https://xn--4db.cc/jCkvvIaH/c>.
      
      For basically all recent formal models of RNGs, these attacks represent
      a significant cryptographic flaw. But how does this manifest
      practically? If an attacker has access to the system to such a degree
      that he can learn the internal state of the RNG, arguably there are
      other lower hanging vulnerabilities -- side-channel, infoleak, or
      otherwise -- that might have higher priority. On the other hand, seed
      files are frequently used on systems that have a hard time generating
      much entropy on their own, and these seed files, being files, often leak
      or are duplicated and distributed accidentally, or are even seeded over
      the Internet intentionally, where their contents might be recorded or
      tampered with. Seen this way, an otherwise quasi-implausible
      vulnerability is a bit more practical than initially thought.
      
      Another aspect of the current mix_pool_bytes() function is that, while
      its performance was arguably competitive for the time in which it was
      created, it's no longer considered so. This patch improves performance
      significantly: on a high-end CPU, an i7-11850H, it improves performance
      of mix_pool_bytes() by 225%, and on a low-end CPU, a Cortex-A7, it
      improves performance by 103%.
      
      This commit replaces the LFSR of mix_pool_bytes() with a straight-
      forward cryptographic hash function, BLAKE2s, which is already in use
      for pool extraction. Universal hashing with a secret seed was considered
      too, something along the lines of <https://eprint.iacr.org/2013/338>,
      but the requirement for a secret seed makes for a chicken & egg problem.
      Instead we go with a formally proven scheme using a computational hash
      function, described in sections 5.1, 6.4, and B.1.8 of
      <https://eprint.iacr.org/2019/198>.
      
      BLAKE2s outputs 256 bits, which should give us an appropriate amount of
      min-entropy accumulation, and a wide enough margin of collision
      resistance against active attacks. mix_pool_bytes() becomes a simple
      call to blake2s_update(), for accumulation, while the extraction step
      becomes a blake2s_final() to generate a seed, with which we can then do
      a HKDF-like or BLAKE2X-like expansion, the first part of which we fold
      back as an init key for subsequent blake2s_update()s, and the rest we
      produce to the caller. This then is provided to our CRNG like usual. In
      that expansion step, we make opportunistic use of 32 bytes of RDRAND
      output, just as before. We also always reseed the crng with 32 bytes,
      unconditionally, or not at all, rather than sometimes with 16 as before,
      as we don't win anything by limiting beyond the 16 byte threshold.
      
      Going for a hash function as an entropy collector is a conservative,
      proven approach. The result of all this is a much simpler and much less
      bespoke construction than what's there now, which not only plugs a
      vulnerability but also improves performance considerably.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: default avatarJean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      6e8ec255
  2. 20 Feb, 2022 13 commits
  3. 19 Feb, 2022 5 commits
  4. 18 Feb, 2022 10 commits
    • Dmitry Torokhov's avatar
      Input: psmouse - set up dependency between PS/2 and SMBus companions · 7b1f781f
      Dmitry Torokhov authored
      When we switch from emulated PS/2 to native (RMI4 or Elan) protocols, we
      create SMBus companion devices that are attached to I2C/SMBus controllers.
      However, when suspending and resuming, we also need to make sure that we
      take into account the PS/2 device they are associated with, so that PS/2
      device is suspended after the companion and resumed before it, otherwise
      companions will not work properly. Before I2C devices were marked for
      asynchronous suspend/resume, this ordering happened naturally, but now we
      need to enforce it by establishing device links, with PS/2 devices being
      suppliers and SMBus companions being consumers.
      
      Fixes: 172d9319 ("i2c: enable async suspend/resume on i2c client devices")
      Reported-and-tested-by: default avatarHugh Dickins <hughd@google.com>
      Tested-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Link: https://lore.kernel.org/r/89456fcd-a113-4c82-4b10-a9bcaefac68f@google.com
      Link: https://lore.kernel.org/r/YgwQN8ynO88CPMju@google.comSigned-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      7b1f781f
    • Rafael J. Wysocki's avatar
      Merge branch 'acpi-processor' · 82926564
      Rafael J. Wysocki authored
      Merge fix for a recent boot lockup regression on 32-bit ThinkPad T40.
      
      * acpi-processor:
        ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40
      82926564
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 7993e65f
      Linus Torvalds authored
      Pull MTD fixes from Miquel Raynal:
       "MTD changes:
      
         - Qcom:
            - Don't print error message on -EPROBE_DEFER
            - Fix kernel panic on skipped partition
            - Fix missing free for pparts in cleanup
      
         - phram: Prevent divide by zero bug in phram_setup()
      
        Raw NAND controller changes:
      
         - ingenic: Fix missing put_device in ingenic_ecc_get
      
         - qcom: Fix clock sequencing in qcom_nandc_probe()
      
         - omap2: Prevent invalid configuration and build error
      
         - gpmi: Don't leak PM reference in error path
      
         - brcmnand: Fix incorrect sub-page ECC status"
      
      * tag 'mtd/fixes-for-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status
        mtd: rawnand: gpmi: don't leak PM reference in error path
        mtd: phram: Prevent divide by zero bug in phram_setup()
        mtd: rawnand: omap2: Prevent invalid configuration and build error
        mtd: parsers: qcom: Fix missing free for pparts in cleanup
        mtd: parsers: qcom: Fix kernel panic on skipped partition
        mtd: parsers: qcom: Don't print error message on -EPROBE_DEFER
        mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe()
        mtd: rawnand: ingenic: Fix missing put_device in ingenic_ecc_get
      7993e65f
    • Linus Torvalds's avatar
      Merge tag 'block-5.17-2022-02-17' of git://git.kernel.dk/linux-block · b9889768
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Surprise removal fix (Christoph)
      
       - Ensure that pages are zeroed before submitted for userspace IO
         (Haimin)
      
       - Fix blk-wbt accounting issue with BFQ (Laibin)
      
       - Use bsize for discard granularity in loop (Ming)
      
       - Fix missing zone handling in blk_complete_request() (Pankaj)
      
      * tag 'block-5.17-2022-02-17' of git://git.kernel.dk/linux-block:
        block/wbt: fix negative inflight counter when remove scsi device
        block: fix surprise removal for drivers calling blk_set_queue_dying
        block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
        block: loop:use kstatfs.f_bsize of backing file to set discard granularity
        block: Add handling for zone append command in blk_complete_request
      b9889768
    • Linus Torvalds's avatar
      Merge tag 'sound-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 2848551b
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small patches, mostly for old and new regressions and
        device-specific fixes.
      
         - Regression fixes regarding ALSA core SG-buffer helpers
      
         - Regression fix for Realtek HD-audio mutex deadlock
      
         - Regression fix for USB-audio PM resume error
      
         - More coverage of ASoC core control API notification fixes
      
         - Old regression fixes for HD-audio probe mask
      
         - Fixes for ASoC Realtek codec work handling
      
         - Other device-specific quirks / fixes"
      
      * tag 'sound-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (24 commits)
        ASoC: intel: skylake: Set max DMA segment size
        ASoC: SOF: hda: Set max DMA segment size
        ALSA: hda: Set max DMA segment size
        ALSA: hda/realtek: Fix deadlock by COEF mutex
        ALSA: usb-audio: Don't abort resume upon errors
        ALSA: hda: Fix missing codec probe on Shenker Dock 15
        ALSA: hda: Fix regression on forced probe mask option
        ALSA: hda/realtek: Add quirk for Legion Y9000X 2019
        ALSA: usb-audio: revert to IMPLICIT_FB_FIXED_DEV for M-Audio FastTrack Ultra
        ASoC: wm_adsp: Correct control read size when parsing compressed buffer
        ASoC: qcom: Actually clear DMA interrupt register for HDMI
        ALSA: memalloc: invalidate SG pages before sync
        ALSA: memalloc: Fix dma_need_sync() checks
        MAINTAINERS: update cros_ec_codec maintainers
        ASoC: rt5682: do not block workqueue if card is unbound
        ASoC: rt5668: do not block workqueue if card is unbound
        ASoC: rt5682s: do not block workqueue if card is unbound
        ASoC: tas2770: Insert post reset delay
        ASoC: Revert "ASoC: mediatek: Check for error clk pointer"
        ASoC: amd: acp: Set gpio_spkr_en to None for max speaker amplifer in machine driver
        ...
      2848551b
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 45a98a71
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix wrong branch label in the EL2 GICv3 initialisation code"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Correct wrong label in macro __init_el2_gicv3
      45a98a71
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ea4b3d29
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix boot failure on 603 with DEBUG_PAGEALLOC and KFENCE
      
       - Fix 32-build with newer binutils that rejects 'ptesync' etc
      
      Thanks to Anders Roxell, Christophe Leroy, and Maxime Bizon.
      
      * tag 'powerpc-5.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/lib/sstep: fix 'ptesync' build error
        powerpc/603: Fix boot failure with DEBUG_PAGEALLOC and KFENCE
      ea4b3d29
    • Linus Torvalds's avatar
      Merge tag '5.17-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 7476b043
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Six small smb3 client fixes, three for stable:
      
         - fix for snapshot mount option
      
         - two ACL related fixes
      
         - use after free race fix
      
         - fix for confusing warning message logged with older dialects"
      
      * tag '5.17-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix confusing unneeded warning message on smb2.1 and earlier
        cifs: modefromsids must add an ACE for authenticated users
        cifs: fix double free race when mount fails in cifs_get_root()
        cifs: do not use uninitialized data in the owner/group sid
        cifs: fix set of group SID via NTSD xattrs
        smb3: fix snapshot mount option
      7476b043
    • Andy Lutomirski's avatar
      x86/ptrace: Fix xfpregs_set()'s incorrect xmm clearing · 44cad52c
      Andy Lutomirski authored
      xfpregs_set() handles 32-bit REGSET_XFP and 64-bit REGSET_FP. The actual
      code treats these regsets as modern FX state (i.e. the beginning part of
      XSTATE). The declarations of the regsets thought they were the legacy
      i387 format. The code thought they were the 32-bit (no xmm8..15) variant
      of XSTATE and, for good measure, made the high bits disappear by zeroing
      the wrong part of the buffer. The latter broke ptrace, and everything
      else confused anyone trying to understand the code. In particular, the
      nonsense definitions of the regsets confused me when I wrote this code.
      
      Clean this all up. Change the declarations to match reality (which
      shouldn't change the generated code, let alone the ABI) and fix
      xfpregs_set() to clear the correct bits and to only do so for 32-bit
      callers.
      
      Fixes: 6164331d ("x86/fpu: Rewrite xfpregs_set()")
      Reported-by: default avatarLuís Ferreira <contact@lsferreira.net>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: <stable@vger.kernel.org>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=215524
      Link: https://lore.kernel.org/r/YgpFnZpF01WwR8wU@zn.tnic
      44cad52c
    • Rafał Miłecki's avatar
      i2c: brcmstb: fix support for DSL and CM variants · 834cea3a
      Rafał Miłecki authored
      DSL and CM (Cable Modem) support 8 B max transfer size and have a custom
      DT binding for that reason. This driver was checking for a wrong
      "compatible" however which resulted in an incorrect setup.
      
      Fixes: e2e5a2c6 ("i2c: brcmstb: Adding support for CM and DSL SoCs")
      Signed-off-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      834cea3a
  5. 17 Feb, 2022 9 commits
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-fixes-5.17-rc5' of... · 9195e5e0
      Linus Torvalds authored
      Merge tag 'linux-kselftest-fixes-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull Kselftest fixes from Shuah Khan:
       "Fixes to ftrace, exec, and seccomp tests build, run-time and install
        bugs. These bugs are in the way of running the tests"
      
      * tag 'linux-kselftest-fixes-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT
        selftests/seccomp: Fix seccomp failure by adding missing headers
        selftests/exec: Add non-regular to TEST_GEN_PROGS
      9195e5e0
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2022-02-18' of git://anongit.freedesktop.org/drm/drm · b3d971ec
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular fixes for rc5, nothing really stands out, mostly some amdgpu
        and i915 fixes with mediatek, radeon and some misc fixes.
      
        cma-helper:
         - set VM_DONTEXPAND
      
        atomic:
         - error handling fix
      
        mediatek:
         - fix probe defer loop with external bridge
      
        amdgpu:
         - Stable pstate clock fixes for Dimgrey Cavefish and Beige Goby
         - S0ix SDMA fix
         - Yellow Carp GPU reset fix
      
        radeon:
         - Backlight fix for iMac 12,1
      
        i915:
         - GVT kerneldoc cleanup.
         - GVT Kconfig should depend on X86
         - Prevent out of range access in SWSCI display code
         - Fix mbus join and dbuf slice config lookup
         - Fix inverted priority selection in the TTM backend
         - Fix FBC plane end Y offset check"
      
      * tag 'drm-fixes-2022-02-18' of git://anongit.freedesktop.org/drm/drm:
        drm/atomic: Don't pollute crtc_state->mode_blob with error pointers
        drm/radeon: Fix backlight control on iMac 12,1
        drm/amd/pm: correct the sequence of sending gpu reset msg
        drm/amdgpu: skipping SDMA hw_init and hw_fini for S0ix.
        drm/amd/pm: correct UMD pstate clocks for Dimgrey Cavefish and Beige Goby
        drm/i915/fbc: Fix the plane end Y offset check
        drm/i915/opregion: check port number bounds for SWSCI display power state
        drm/i915/ttm: tweak priority hint selection
        drm/i915: Fix mbus join config lookup
        drm/i915: Fix dbuf slice config lookup
        drm/cma-helper: Set VM_DONTEXPAND for mmap
        drm/mediatek: mtk_dsi: Avoid EPROBE_DEFER loop with external bridge
        drm/i915/gvt: Make DRM_I915_GVT depend on X86
        drm/i915/gvt: clean up kernel-doc in gtt.c
      b3d971ec
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2022-02-17' of... · 5666b610
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2022-02-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - GVT kerneldoc cleanup. (Randy Dunlap)
      - GVT Kconfig should depend on X86. (Siva Mullati)
      - Prevent out of range access in SWSCI display code. (Jani Nikula)
      - Fix mbus join and dbuf slice config lookup. (Ville Syrjälä)
      - Fix inverted priority selection in the TTM backend. (Matthew Auld)
      - Fix FBC plane end Y offset check. (Ville Syrjälä)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Yg4lA6k8+xp8u3aB@tursulin-mobl2
      5666b610
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2022-02-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · babb1fc3
      Dave Airlie authored
       * drm/cma-helper: Set VM_DONTEXPAND
       * drm/atomic: Fix error handling in drm_atomic_set_mode_for_crtc()
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/Yg4mzQALMX69UmA3@linux-uq9g
      babb1fc3
    • Linus Torvalds's avatar
      Merge tag 'net-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 8b97cae3
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from wireless and netfilter.
      
        Current release - regressions:
      
         - dsa: lantiq_gswip: fix use after free in gswip_remove()
      
         - smc: avoid overwriting the copies of clcsock callback functions
      
        Current release - new code bugs:
      
         - iwlwifi:
            - fix use-after-free when no FW is present
            - mei: fix the pskb_may_pull check in ipv4
            - mei: retry mapping the shared area
            - mvm: don't feed the hardware RFKILL into iwlmei
      
        Previous releases - regressions:
      
         - ipv6: mcast: use rcu-safe version of ipv6_get_lladdr()
      
         - tipc: fix wrong publisher node address in link publications
      
         - iwlwifi: mvm: don't send SAR GEO command for 3160 devices, avoid FW
           assertion
      
         - bgmac: make idm and nicpm resource optional again
      
         - atl1c: fix tx timeout after link flap
      
        Previous releases - always broken:
      
         - vsock: remove vsock from connected table when connect is
           interrupted by a signal
      
         - ping: change destination interface checks to match raw sockets
      
         - crypto: af_alg - get rid of alg_memory_allocated to avoid confusing
           semantics (and null-deref) after SO_RESERVE_MEM was added
      
         - ipv6: make exclusive flowlabel checks per-netns
      
         - bonding: force carrier update when releasing slave
      
         - sched: limit TC_ACT_REPEAT loops
      
         - bridge: multicast: notify switchdev driver whenever MC processing
           gets disabled because of max entries reached
      
         - wifi: brcmfmac: fix crash in brcm_alt_fw_path when WLAN not found
      
         - iwlwifi: fix locking when "HW not ready"
      
         - phy: mediatek: remove PHY mode check on MT7531
      
         - dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN
      
         - dsa: lan9303:
            - fix polarity of reset during probe
            - fix accelerated VLAN handling"
      
      * tag 'net-5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (65 commits)
        bonding: force carrier update when releasing slave
        nfp: flower: netdev offload check for ip6gretap
        ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt
        ipv4: fix data races in fib_alias_hw_flags_set
        net: dsa: lan9303: add VLAN IDs to master device
        net: dsa: lan9303: handle hwaccel VLAN tags
        vsock: remove vsock from connected table when connect is interrupted by a signal
        Revert "net: ethernet: bgmac: Use devm_platform_ioremap_resource_byname"
        ping: fix the dif and sdif check in ping_lookup
        net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
        net: sched: limit TC_ACT_REPEAT loops
        tipc: fix wrong notification node addresses
        net: dsa: lantiq_gswip: fix use after free in gswip_remove()
        ipv6: per-netns exclusive flowlabel checks
        net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled
        CDC-NCM: avoid overflow in sanity checking
        mctp: fix use after free
        net: mscc: ocelot: fix use-after-free in ocelot_vlan_del()
        bonding: fix data-races around agg_select_timer
        dpaa2-eth: Initialize mutex used in one step timestamping path
        ...
      8b97cae3
    • Zhang Changzhong's avatar
      bonding: force carrier update when releasing slave · a6ab75ce
      Zhang Changzhong authored
      In __bond_release_one(), bond_set_carrier() is only called when bond
      device has no slave. Therefore, if we remove the up slave from a master
      with two slaves and keep the down slave, the master will remain up.
      
      Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond))
      statement.
      
      Reproducer:
      $ insmod bonding.ko mode=0 miimon=100 max_bonds=2
      $ ifconfig bond0 up
      $ ifenslave bond0 eth0 eth1
      $ ifconfig eth0 down
      $ ifenslave -d bond0 eth1
      $ cat /proc/net/bonding/bond0
      
      Fixes: ff59c456 ("[PATCH] bonding: support carrier state for master")
      Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a6ab75ce
    • Reinette Chatre's avatar
      x86/sgx: Fix missing poison handling in reclaimer · e5733d8c
      Reinette Chatre authored
      The SGX reclaimer code lacks page poison handling in its main
      free path. This can lead to avoidable machine checks if a
      poisoned page is freed and reallocated instead of being
      isolated.
      
      A troublesome scenario is:
       1. Machine check (#MC) occurs (asynchronous, !MF_ACTION_REQUIRED)
       2. arch_memory_failure() is eventually called
       3. (SGX) page->poison set to 1
       4. Page is reclaimed
       5. Page added to normal free lists by sgx_reclaim_pages()
          ^ This is the bug (poison pages should be isolated on the
          sgx_poison_page_list instead)
       6. Page is reallocated by some innocent enclave, a second (synchronous)
          in-kernel #MC is induced, probably during EADD instruction.
          ^ This is the fallout from the bug
      
      (6) is unfortunate and can be avoided by replacing the open coded
      enclave page freeing code in the reclaimer with sgx_free_epc_page()
      to obtain support for poison page handling that includes placing the
      poisoned page on the correct list.
      
      Fixes: d6d261bd ("x86/sgx: Add new sgx_epc_page flag bit to mark free pages")
      Fixes: 992801ae ("x86/sgx: Initial poison handling for dirty and free pages")
      Signed-off-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      Link: https://lkml.kernel.org/r/dcc95eb2aaefb042527ac50d0a50738c7c160dac.1643830353.git.reinette.chatre@intel.com
      e5733d8c
    • Luis Chamberlain's avatar
      fs/file_table: fix adding missing kmemleak_not_leak() · a3580ac9
      Luis Chamberlain authored
      Commit b42bc9a3 ("Fix regression due to "fs: move binfmt_misc sysctl
      to its own file") fixed a regression, however it failed to add a
      kmemleak_not_leak().
      
      Fixes: b42bc9a3 ("Fix regression due to "fs: move binfmt_misc sysctl to its own file")
      Reported-by: default avatarTong Zhang <ztong0001@gmail.com>
      Cc: Tong Zhang <ztong0001@gmail.com>
      Signed-off-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a3580ac9
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-fixes-for-v5.17-2022-02-17' of... · 2dd3a8a1
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v5.17-2022-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Fix corrupt inject files when only last branch option is enabled with
         ARM CoreSight ETM
      
       - Fix use-after-free for realloc(..., 0) in libsubcmd, found by gcc 12
      
       - Defer freeing string after possible strlen() on it in the BPF loader,
         found by gcc 12
      
       - Avoid early exit in 'perf trace' due SIGCHLD from non-workload
         processes
      
       - Fix arm64 perf_event_attr 'perf test's wrt --call-graph
         initialization
      
       - Fix libperf 32-bit build for 'perf test' wrt uint64_t printf
      
       - Fix perf_cpu_map__for_each_cpu macro in libperf, providing access to
         the CPU iterator
      
       - Sync linux/perf_event.h UAPI with the kernel sources
      
       - Update Jiri Olsa's email address in MAINTAINERS
      
      * tag 'perf-tools-fixes-for-v5.17-2022-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf bpf: Defer freeing string after possible strlen() on it
        perf test: Fix arm64 perf_event_attr tests wrt --call-graph initialization
        libsubcmd: Fix use-after-free for realloc(..., 0)
        libperf: Fix perf_cpu_map__for_each_cpu macro
        perf cs-etm: Fix corrupt inject files when only last branch option is enabled
        perf cs-etm: No-op refactor of synth opt usage
        libperf: Fix 32-bit build for tests uint64_t printf
        tools headers UAPI: Sync linux/perf_event.h with the kernel sources
        perf trace: Avoid early exit due SIGCHLD from non-workload processes
        MAINTAINERS: Update Jiri's email address
      2dd3a8a1