1. 20 Aug, 2024 9 commits
    • Deven Bowers's avatar
      audit,ipe: add IPE auditing support · f44554b5
      Deven Bowers authored
      Users of IPE require a way to identify when and why an operation fails,
      allowing them to both respond to violations of policy and be notified
      of potentially malicious actions on their systems with respect to IPE
      itself.
      
      This patch introduces 3 new audit events.
      
      AUDIT_IPE_ACCESS(1420) indicates the result of an IPE policy evaluation
      of a resource.
      AUDIT_IPE_CONFIG_CHANGE(1421) indicates the current active IPE policy
      has been changed to another loaded policy.
      AUDIT_IPE_POLICY_LOAD(1422) indicates a new IPE policy has been loaded
      into the kernel.
      
      This patch also adds support for success auditing, allowing users to
      identify why an allow decision was made for a resource. However, it is
      recommended to use this option with caution, as it is quite noisy.
      
      Here are some examples of the new audit record types:
      
      AUDIT_IPE_ACCESS(1420):
      
          audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1
            pid=297 comm="sh" path="/root/vol/bin/hello" dev="tmpfs"
            ino=3897 rule="op=EXECUTE boot_verified=TRUE action=ALLOW"
      
          audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1
            pid=299 comm="sh" path="/mnt/ipe/bin/hello" dev="dm-0"
            ino=2 rule="DEFAULT action=DENY"
      
          audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1
           pid=300 path="/tmp/tmpdp2h1lub/deny/bin/hello" dev="tmpfs"
            ino=131 rule="DEFAULT action=DENY"
      
      The above three records were generated when the active IPE policy only
      allows binaries from the initramfs to run. The three identical `hello`
      binary were placed at different locations, only the first hello from
      the rootfs(initramfs) was allowed.
      
      Field ipe_op followed by the IPE operation name associated with the log.
      
      Field ipe_hook followed by the name of the LSM hook that triggered the IPE
      event.
      
      Field enforcing followed by the enforcement state of IPE. (it will be
      introduced in the next commit)
      
      Field pid followed by the pid of the process that triggered the IPE
      event.
      
      Field comm followed by the command line program name of the process that
      triggered the IPE event.
      
      Field path followed by the file's path name.
      
      Field dev followed by the device name as found in /dev where the file is
      from.
      Note that for device mappers it will use the name `dm-X` instead of
      the name in /dev/mapper.
      For a file in a temp file system, which is not from a device, it will use
      `tmpfs` for the field.
      The implementation of this part is following another existing use case
      LSM_AUDIT_DATA_INODE in security/lsm_audit.c
      
      Field ino followed by the file's inode number.
      
      Field rule followed by the IPE rule made the access decision. The whole
      rule must be audited because the decision is based on the combination of
      all property conditions in the rule.
      
      Along with the syscall audit event, user can know why a blocked
      happened. For example:
      
          audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1
            pid=2138 comm="bash" path="/mnt/ipe/bin/hello" dev="dm-0"
            ino=2 rule="DEFAULT action=DENY"
          audit[1956]: SYSCALL arch=c000003e syscall=59
            success=no exit=-13 a0=556790138df0 a1=556790135390 a2=5567901338b0
            a3=ab2a41a67f4f1f4e items=1 ppid=147 pid=1956 auid=4294967295 uid=0
            gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
            ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
      
      The above two records showed bash used execve to run "hello" and got
      blocked by IPE. Note that the IPE records are always prior to a SYSCALL
      record.
      
      AUDIT_IPE_CONFIG_CHANGE(1421):
      
          audit: AUDIT1421
            old_active_pol_name="Allow_All" old_active_pol_version=0.0.0
            old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649
            new_active_pol_name="boot_verified" new_active_pol_version=0.0.0
            new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F
            auid=4294967295 ses=4294967295 lsm=ipe res=1
      
      The above record showed the current IPE active policy switch from
      `Allow_All` to `boot_verified` along with the version and the hash
      digest of the two policies. Note IPE can only have one policy active
      at a time, all access decision evaluation is based on the current active
      policy.
      The normal procedure to deploy a policy is loading the policy to deploy
      into the kernel first, then switch the active policy to it.
      
      AUDIT_IPE_POLICY_LOAD(1422):
      
          audit: AUDIT1422 policy_name="boot_verified" policy_version=0.0.0
            policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F2676
            auid=4294967295 ses=4294967295 lsm=ipe res=1
      
      The above record showed a new policy has been loaded into the kernel
      with the policy name, policy version and policy hash.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      [PM: subject line tweak]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      f44554b5
    • Deven Bowers's avatar
      ipe: add userspace interface · 2261306f
      Deven Bowers authored
      As is typical with LSMs, IPE uses securityfs as its interface with
      userspace. for a complete list of the interfaces and the respective
      inputs/outputs, please see the documentation under
      admin-guide/LSM/ipe.rst
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      2261306f
    • Fan Wu's avatar
      lsm: add new securityfs delete function · 7138679f
      Fan Wu authored
      When deleting a directory in the security file system, the existing
      securityfs_remove requires the directory to be empty, otherwise
      it will do nothing. This leads to a potential risk that the security
      file system might be in an unclean state when the intended deletion
      did not happen.
      
      This commit introduces a new function securityfs_recursive_remove
      to recursively delete a directory without leaving an unclean state.
      Co-developed-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      [PM: subject line tweak]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      7138679f
    • Fan Wu's avatar
      ipe: introduce 'boot_verified' as a trust provider · a8a74df1
      Fan Wu authored
      IPE is designed to provide system level trust guarantees, this usually
      implies that trust starts from bootup with a hardware root of trust,
      which validates the bootloader. After this, the bootloader verifies
      the kernel and the initramfs.
      
      As there's no currently supported integrity method for initramfs, and
      it's typically already verified by the bootloader. This patch introduces
      a new IPE property `boot_verified` which allows author of IPE policy to
      indicate trust for files from initramfs.
      
      The implementation of this feature utilizes the newly added
      `initramfs_populated` hook. This hook marks the superblock of the rootfs
      after the initramfs has been unpacked into it.
      
      Before mounting the real rootfs on top of the initramfs, initramfs
      script will recursively remove all files and directories on the
      initramfs. This is typically implemented by using switch_root(8)
      (https://man7.org/linux/man-pages/man8/switch_root.8.html).
      Therefore the initramfs will be empty and not accessible after the real
      rootfs takes over. It is advised to switch to a different policy
      that doesn't rely on the `boot_verified` property after this point.
      This ensures that the trust policies remain relevant and effective
      throughout the system's operation.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      a8a74df1
    • Fan Wu's avatar
      initramfs,lsm: add a security hook to do_populate_rootfs() · 2fea0c26
      Fan Wu authored
      This patch introduces a new hook to notify security system that the
      content of initramfs has been unpacked into the rootfs.
      
      Upon receiving this notification, the security system can activate
      a policy to allow only files that originated from the initramfs to
      execute or load into kernel during the early stages of booting.
      
      This approach is crucial for minimizing the attack surface by
      ensuring that only trusted files from the initramfs are operational
      in the critical boot phase.
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      [PM: subject line tweak]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      2fea0c26
    • Deven Bowers's avatar
      ipe: add LSM hooks on execution and kernel read · 52443cb6
      Deven Bowers authored
      IPE's initial goal is to control both execution and the loading of
      kernel modules based on the system's definition of trust. It
      accomplishes this by plugging into the security hooks for
      bprm_check_security, file_mprotect, mmap_file, kernel_load_data,
      and kernel_read_data.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      52443cb6
    • Deven Bowers's avatar
      ipe: add evaluation loop · 05a35163
      Deven Bowers authored
      Introduce a core evaluation function in IPE that will be triggered by
      various security hooks (e.g., mmap, bprm_check, kexec). This function
      systematically assesses actions against the defined IPE policy, by
      iterating over rules specific to the action being taken. This critical
      addition enables IPE to enforce its security policies effectively,
      ensuring that actions intercepted by these hooks are scrutinized for policy
      compliance before they are allowed to proceed.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      05a35163
    • Deven Bowers's avatar
      ipe: add policy parser · 54a88cd2
      Deven Bowers authored
      IPE's interpretation of the what the user trusts is accomplished through
      its policy. IPE's design is to not provide support for a single trust
      provider, but to support multiple providers to enable the end-user to
      choose the best one to seek their needs.
      
      This requires the policy to be rather flexible and modular so that
      integrity providers, like fs-verity, dm-verity, or some other system,
      can plug into the policy with minimal code changes.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      [PM: added NULL check in parse_rule() as discussed]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      54a88cd2
    • Deven Bowers's avatar
      lsm: add IPE lsm · 03115077
      Deven Bowers authored
      Integrity Policy Enforcement (IPE) is an LSM that provides an
      complimentary approach to Mandatory Access Control than existing LSMs
      today.
      
      Existing LSMs have centered around the concept of access to a resource
      should be controlled by the current user's credentials. IPE's approach,
      is that access to a resource should be controlled by the system's trust
      of a current resource.
      
      The basis of this approach is defining a global policy to specify which
      resource can be trusted.
      Signed-off-by: default avatarDeven Bowers <deven.desai@linux.microsoft.com>
      Signed-off-by: default avatarFan Wu <wufan@linux.microsoft.com>
      [PM: subject line tweak]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      03115077
  2. 15 Aug, 2024 1 commit
  3. 12 Aug, 2024 2 commits
    • Paul Moore's avatar
      lsm: add the inode_free_security_rcu() LSM implementation hook · 63dff3e4
      Paul Moore authored
      The LSM framework has an existing inode_free_security() hook which
      is used by LSMs that manage state associated with an inode, but
      due to the use of RCU to protect the inode, special care must be
      taken to ensure that the LSMs do not fully release the inode state
      until it is safe from a RCU perspective.
      
      This patch implements a new inode_free_security_rcu() implementation
      hook which is called when it is safe to free the LSM's internal inode
      state.  Unfortunately, this new hook does not have access to the inode
      itself as it may already be released, so the existing
      inode_free_security() hook is retained for those LSMs which require
      access to the inode.
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/r/00000000000076ba3b0617f65cc8@google.comSigned-off-by: default avatarPaul Moore <paul@paul-moore.com>
      63dff3e4
    • Paul Moore's avatar
      lsm: cleanup lsm_hooks.h · 711f5c5c
      Paul Moore authored
      Some cleanup and style corrections for lsm_hooks.h.
      
       * Drop the lsm_inode_alloc() extern declaration, it is not needed.
       * Relocate lsm_get_xattr_slot() and extern variables in the file to
         improve grouping of related objects.
       * Don't use tabs to needlessly align structure fields.
      Reviewed-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      711f5c5c
  4. 31 Jul, 2024 2 commits
  5. 29 Jul, 2024 6 commits
  6. 28 Jul, 2024 12 commits
    • Linus Torvalds's avatar
      Linux 6.11-rc1 · 8400291e
      Linus Torvalds authored
      8400291e
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.11' of... · a0c04bd5
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix RPM package build error caused by an incorrect locale setup
      
       - Mark modules.weakdep as ghost in RPM package
      
       - Fix the odd combination of -S and -c in stack protector scripts,
         which is an error with the latest Clang
      
      * tag 'kbuild-fixes-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: Fix '-S -c' in x86 stack protector scripts
        kbuild: rpm-pkg: ghost modules.weakdep file
        kbuild: rpm-pkg: Fix C locale setup
      a0c04bd5
    • Linus Torvalds's avatar
      minmax: simplify and clarify min_t()/max_t() implementation · 017fa3e8
      Linus Torvalds authored
      This simplifies the min_t() and max_t() macros by no longer making them
      work in the context of a C constant expression.
      
      That means that you can no longer use them for static initializers or
      for array sizes in type definitions, but there were only a couple of
      such uses, and all of them were converted (famous last words) to use
      MIN_T/MAX_T instead.
      
      Cc: David Laight <David.Laight@aculab.com>
      Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      017fa3e8
    • Linus Torvalds's avatar
      minmax: add a few more MIN_T/MAX_T users · 4477b39c
      Linus Torvalds authored
      Commit 3a7e02c0 ("minmax: avoid overly complicated constant
      expressions in VM code") added the simpler MIN_T/MAX_T macros in order
      to avoid some excessive expansion from the rather complicated regular
      min/max macros.
      
      The complexity of those macros stems from two issues:
      
       (a) trying to use them in situations that require a C constant
           expression (in static initializers and for array sizes)
      
       (b) the type sanity checking
      
      and MIN_T/MAX_T avoids both of these issues.
      
      Now, in the whole (long) discussion about all this, it was pointed out
      that the whole type sanity checking is entirely unnecessary for
      min_t/max_t which get a fixed type that the comparison is done in.
      
      But that still leaves min_t/max_t unnecessarily complicated due to
      worries about the C constant expression case.
      
      However, it turns out that there really aren't very many cases that use
      min_t/max_t for this, and we can just force-convert those.
      
      This does exactly that.
      
      Which in turn will then allow for much simpler implementations of
      min_t()/max_t().  All the usual "macros in all upper case will evaluate
      the arguments multiple times" rules apply.
      
      We should do all the same things for the regular min/max() vs MIN/MAX()
      cases, but that has the added complexity of various drivers defining
      their own local versions of MIN/MAX, so that needs another level of
      fixes first.
      
      Link: https://lore.kernel.org/all/b47fad1d0cf8449886ad148f8c013dae@AcuMS.aculab.com/
      Cc: David Laight <David.Laight@aculab.com>
      Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4477b39c
    • Linus Torvalds's avatar
      Merge tag 'ubifs-for-linus-6.11-rc1-take2' of... · 7e2d0ba7
      Linus Torvalds authored
      Merge tag 'ubifs-for-linus-6.11-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
      
      Pull UBI and UBIFS updates from Richard Weinberger:
      
       - Many fixes for power-cut issues by Zhihao Cheng
      
       - Another ubiblock error path fix
      
       - ubiblock section mismatch fix
      
       - Misc fixes all over the place
      
      * tag 'ubifs-for-linus-6.11-rc1-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
        ubi: Fix ubi_init() ubiblock_exit() section mismatch
        ubifs: add check for crypto_shash_tfm_digest
        ubifs: Fix inconsistent inode size when powercut happens during appendant writing
        ubi: block: fix null-pointer-dereference in ubiblock_create()
        ubifs: fix kernel-doc warnings
        ubifs: correct UBIFS_DFS_DIR_LEN macro definition and improve code clarity
        mtd: ubi: Restore missing cleanup on ubi_init() failure path
        ubifs: dbg_orphan_check: Fix missed key type checking
        ubifs: Fix unattached inode when powercut happens in creating
        ubifs: Fix space leak when powercut happens in linking tmpfile
        ubifs: Move ui->data initialization after initializing security
        ubifs: Fix adding orphan entry twice for the same inode
        ubifs: Remove insert_dead_orphan from replaying orphan process
        Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path"
        ubifs: Don't add xattr inode into orphan area
        ubifs: Fix unattached xattr inode if powercut happens after deleting
        mtd: ubi: avoid expensive do_div() on 32-bit machines
        mtd: ubi: make ubi_class constant
        ubi: eba: properly rollback inside self_check_eba
      7e2d0ba7
    • Nathan Chancellor's avatar
      kbuild: Fix '-S -c' in x86 stack protector scripts · 3415b10a
      Nathan Chancellor authored
      After a recent change in clang to stop consuming all instances of '-S'
      and '-c' [1], the stack protector scripts break due to the kernel's use
      of -Werror=unused-command-line-argument to catch cases where flags are
      not being properly consumed by the compiler driver:
      
        $ echo | clang -o - -x c - -S -c -Werror=unused-command-line-argument
        clang: error: argument unused during compilation: '-c' [-Werror,-Wunused-command-line-argument]
      
      This results in CONFIG_STACKPROTECTOR getting disabled because
      CONFIG_CC_HAS_SANE_STACKPROTECTOR is no longer set.
      
      '-c' and '-S' both instruct the compiler to stop at different stages of
      the pipeline ('-S' after compiling, '-c' after assembling), so having
      them present together in the same command makes little sense. In this
      case, the test wants to stop before assembling because it is looking at
      the textual assembly output of the compiler for either '%fs' or '%gs',
      so remove '-c' from the list of arguments to resolve the error.
      
      All versions of GCC continue to work after this change, along with
      versions of clang that do or do not contain the change mentioned above.
      
      Cc: stable@vger.kernel.org
      Fixes: 4f7fd4d7 ("[PATCH] Add the -fstack-protector option to the CFLAGS")
      Fixes: 60a5317f ("x86: implement x86_32 stack protector")
      Link: https://github.com/llvm/llvm-project/commit/6461e537815f7fa68cef06842505353cf5600e9c [1]
      Signed-off-by: default avatarNathan Chancellor <nathan@kernel.org>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      3415b10a
    • Richard Weinberger's avatar
      ubi: Fix ubi_init() ubiblock_exit() section mismatch · 92a286e9
      Richard Weinberger authored
      Since ubiblock_exit() is now called from an init function,
      the __exit section no longer makes sense.
      
      Cc: Ben Hutchings <bwh@kernel.org>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202407131403.wZJpd8n2-lkp@intel.com/Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
      92a286e9
    • Linus Torvalds's avatar
      Merge tag 'v6.11-merge' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux · e172f1e9
      Linus Torvalds authored
      Pull turbostat updates from Len Brown:
      
       - Enable turbostat extensions to add both perf and PMT (Intel
         Platform Monitoring Technology) counters via the cmdline
      
       - Demonstrate PMT access with built-in support for Meteor Lake's
         Die C6 counter
      
      * tag 'v6.11-merge' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
        tools/power turbostat: version 2024.07.26
        tools/power turbostat: Include umask=%x in perf counter's config
        tools/power turbostat: Document PMT in turbostat.8
        tools/power turbostat: Add MTL's PMT DC6 builtin counter
        tools/power turbostat: Add early support for PMT counters
        tools/power turbostat: Add selftests for added perf counters
        tools/power turbostat: Add selftests for SMI, APERF and MPERF counters
        tools/power turbostat: Move verbose counter messages to level 2
        tools/power turbostat: Move debug prints from stdout to stderr
        tools/power turbostat: Fix typo in turbostat.8
        tools/power turbostat: Add perf added counter example to turbostat.8
        tools/power turbostat: Fix formatting in turbostat.8
        tools/power turbostat: Extend --add option with perf counters
        tools/power turbostat: Group SMI counter with APERF and MPERF
        tools/power turbostat: Add ZERO_ARRAY for zero initializing builtin array
        tools/power turbostat: Replace enum rapl_source and cstate_source with counter_source
        tools/power turbostat: Remove anonymous union from rapl_counter_info_t
        tools/power/turbostat: Switch to new Intel CPU model defines
      e172f1e9
    • Linus Torvalds's avatar
      Merge tag 'cxl-for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · e62f81bb
      Linus Torvalds authored
      Pull CXL updates from Dave Jiang:
       "Core:
      
         - A CXL maturity map has been added to the documentation to detail
           the current state of CXL enabling.
      
           It provides the status of the current state of various CXL features
           to inform current and future contributors of where things are and
           which areas need contribution.
      
         - A notifier handler has been added in order for a newly created CXL
           memory region to trigger the abstract distance metrics calculation.
      
           This should bring parity for CXL memory to the same level vs
           hotplugged DRAM for NUMA abstract distance calculation. The
           abstract distance reflects relative performance used for memory
           tiering handling.
      
         - An addition for XOR math has been added to address the CXL DPA to
           SPA translation.
      
           CXL address translation did not support address interleave math
           with XOR prior to this change.
      
        Fixes:
      
         - Fix to address race condition in the CXL memory hotplug notifier
      
         - Add missing MODULE_DESCRIPTION() for CXL modules
      
         - Fix incorrect vendor debug UUID define
      
        Misc:
      
         - A warning has been added to inform users of an unsupported
           configuration when mixing CXL VH and RCH/RCD hierarchies
      
         - The ENXIO error code has been replaced with EBUSY for inject poison
           limit reached via debugfs and cxl-test support
      
         - Moving the PCI config read in cxl_dvsec_rr_decode() to avoid
           unnecessary PCI config reads
      
         - A refactor to a common struct for DRAM and general media CXL
           events"
      
      * tag 'cxl-for-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl/core/pci: Move reading of control register to immediately before usage
        cxl: Remove defunct code calculating host bridge target positions
        cxl/region: Verify target positions using the ordered target list
        cxl: Restore XOR'd position bits during address translation
        cxl/core: Fold cxl_trace_hpa() into cxl_dpa_to_hpa()
        cxl/test: Replace ENXIO with EBUSY for inject poison limit reached
        cxl/memdev: Replace ENXIO with EBUSY for inject poison limit reached
        cxl/acpi: Warn on mixed CXL VH and RCH/RCD Hierarchy
        cxl/core: Fix incorrect vendor debug UUID define
        Documentation: CXL Maturity Map
        cxl/region: Simplify cxl_region_nid()
        cxl/region: Support to calculate memory tier abstract distance
        cxl/region: Fix a race condition in memory hotplug notifier
        cxl: add missing MODULE_DESCRIPTION() macros
        cxl/events: Use a common struct for DRAM and General Media events
      e62f81bb
    • Linus Torvalds's avatar
      Merge tag 'unicode-next-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode · 7b5d4818
      Linus Torvalds authored
      Pull unicode update from Gabriel Krisman Bertazi:
       "Two small fixes to silence the compiler and static analyzers tools
        from Ben Dooks and Jeff Johnson"
      
      * tag 'unicode-next-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/krisman/unicode:
        unicode: add MODULE_DESCRIPTION() macros
        unicode: make utf8 test count static
      7b5d4818
    • Jose Ignacio Tornos Martinez's avatar
      kbuild: rpm-pkg: ghost modules.weakdep file · d01c1407
      Jose Ignacio Tornos Martinez authored
      In the same way as for other similar files, mark as ghost the new file
      generated by depmod for configured weak dependencies for modules,
      modules.weakdep, so that although it is not included in the package,
      claim the ownership on it.
      Signed-off-by: default avatarJose Ignacio Tornos Martinez <jtornosm@redhat.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      d01c1407
    • Linus Torvalds's avatar
      Merge tag '6.11-rc-smb-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · 5437f30d
      Linus Torvalds authored
      Pull more smb client updates from Steve French:
      
       - fix for potential null pointer use in init cifs
      
       - additional dynamic trace points to improve debugging of some common
         scenarios
      
       - two SMB1 fixes (one addressing reconnect with POSIX extensions, one a
         mount parsing error)
      
      * tag '6.11-rc-smb-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: add dynamic trace point for session setup key expired failures
        smb3: add four dynamic tracepoints for copy_file_range and reflink
        smb3: add dynamic tracepoint for reflink errors
        cifs: mount with "unix" mount option for SMB1 incorrectly handled
        cifs: fix reconnect with SMB1 UNIX Extensions
        cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path
      5437f30d
  7. 27 Jul, 2024 8 commits
    • Linus Torvalds's avatar
      Merge tag 'block-6.11-20240726' of git://git.kernel.dk/linux · 6342649c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Keith:
           - Fix request without payloads cleanup  (Leon)
           - Use new protection information format (Francis)
           - Improved debug message for lost pci link (Bart)
           - Another apst quirk (Wang)
           - Use appropriate sysfs api for printing chars (Markus)
      
       - ublk async device deletion fix (Ming)
      
       - drbd kerneldoc fixups (Simon)
      
       - Fix deadlock between sd removal and release (Yang)
      
      * tag 'block-6.11-20240726' of git://git.kernel.dk/linux:
        nvme-pci: add missing condition check for existence of mapped data
        ublk: fix UBLK_CMD_DEL_DEV_ASYNC handling
        block: fix deadlock between sd_remove & sd_release
        drbd: Add peer_device to Kernel doc
        nvme-core: choose PIF from QPIF if QPIFS supports and PIF is QTYPE
        nvme-pci: Fix the instructions for disabling power management
        nvme: remove redundant bdev local variable
        nvme-fabrics: Use seq_putc() in __nvmf_concat_opt_tokens()
        nvme/pci: Add APST quirk for Lenovo N60z laptop
      6342649c
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.11-20240726' of git://git.kernel.dk/linux · 8c930747
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix a syzbot issue for the msg ring cache added in this release. No
         ill effects from this one, but it did make KMSAN unhappy (me)
      
       - Sanitize the NAPI timeout handling, by unifying the value handling
         into all ktime_t rather than converting back and forth (Pavel)
      
       - Fail NAPI registration for IOPOLL rings, it's not supported (Pavel)
      
       - Fix a theoretical issue with ring polling and cancelations (Pavel)
      
       - Various little cleanups and fixes (Pavel)
      
      * tag 'io_uring-6.11-20240726' of git://git.kernel.dk/linux:
        io_uring/napi: pass ktime to io_napi_adjust_timeout
        io_uring/napi: use ktime in busy polling
        io_uring/msg_ring: fix uninitialized use of target_req->flags
        io_uring: align iowq and task request error handling
        io_uring: kill REQ_F_CANCEL_SEQ
        io_uring: simplify io_uring_cmd return
        io_uring: fix io_match_task must_hold
        io_uring: don't allow netpolling with SETUP_IOPOLL
        io_uring: tighten task exit cancellations
      8c930747
    • Linus Torvalds's avatar
      Merge tag 'vfs-6.11-rc1.fixes.3' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · bc4eee85
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "This contains two fixes for this merge window:
      
        VFS:
      
         - I noticed that it is possible for a privileged user to mount most
           filesystems with a non-initial user namespace in sb->s_user_ns.
      
           When fsopen() is called in a non-init namespace the caller's
           namespace is recorded in fs_context->user_ns. If the returned file
           descriptor is then passed to a process privileged in init_user_ns,
           that process can call fsconfig(fd_fs, FSCONFIG_CMD_CREATE*),
           creating a new superblock with sb->s_user_ns set to the namespace
           of the process which called fsopen().
      
           This is problematic as only filesystems that raise FS_USERNS_MOUNT
           are known to be able to support a non-initial s_user_ns. Others may
           suffer security issues, on-disk corruption or outright crash the
           kernel. Prevent that by restricting such delegation to filesystems
           that allow FS_USERNS_MOUNT.
      
           Note, that this delegation requires a privileged process to
           actually create the superblock so either the privileged process is
           cooperaing or someone must have tricked a privileged process into
           operating on a fscontext file descriptor whose origin it doesn't
           know (a stupid idea).
      
           The bug dates back to about 5 years afaict.
      
        Misc:
      
         - Fix hostfs parsing when the mount request comes in via the legacy
           mount api.
      
           In the legacy mount api hostfs allows to specify the host directory
           mount without any key.
      
           Restore that behavior"
      
      * tag 'vfs-6.11-rc1.fixes.3' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        hostfs: fix the host directory parse when mounting.
        fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
      bc4eee85
    • Linus Torvalds's avatar
      Merge tag 'rust-6.11' of https://github.com/Rust-for-Linux/linux · 910bfc26
      Linus Torvalds authored
      Pull Rust updates from Miguel Ojeda:
       "The highlight is the establishment of a minimum version for the Rust
        toolchain, including 'rustc' (and bundled tools) and 'bindgen'.
      
        The initial minimum will be the pinned version we currently have, i.e.
        we are just widening the allowed versions. That covers three stable
        Rust releases: 1.78.0, 1.79.0, 1.80.0 (getting released tomorrow),
        plus beta, plus nightly.
      
        This should already be enough for kernel developers in distributions
        that provide recent Rust compiler versions routinely, such as Arch
        Linux, Debian Unstable (outside the freeze period), Fedora Linux,
        Gentoo Linux (especially the testing channel), Nix (unstable) and
        openSUSE Slowroll and Tumbleweed.
      
        In addition, the kernel is now being built-tested by Rust's pre-merge
        CI. That is, every change that is attempting to land into the Rust
        compiler is tested against the kernel, and it is merged only if it
        passes. Similarly, the bindgen tool has agreed to build the kernel in
        their CI too.
      
        Thus, with the pre-merge CI in place, both projects hope to avoid
        unintentional changes to Rust that break the kernel. This means that,
        in general, apart from intentional changes on their side (that we will
        need to workaround conditionally on our side), the upcoming Rust
        compiler versions should generally work.
      
        In addition, the Rust project has proposed getting the kernel into
        stable Rust (at least solving the main blockers) as one of its three
        flagship goals for 2024H2 [1].
      
        I would like to thank Niko, Sid, Emilio et al. for their help
        promoting the collaboration between Rust and the kernel.
      
        Toolchain and infrastructure:
      
         - Support several Rust toolchain versions.
      
         - Support several bindgen versions.
      
         - Remove 'cargo' requirement and simplify 'rusttest', thanks to
           'alloc' having been dropped last cycle.
      
         - Provide proper error reporting for the 'rust-analyzer' target.
      
        'kernel' crate:
      
         - Add 'uaccess' module with a safe userspace pointers abstraction.
      
         - Add 'page' module with a 'struct page' abstraction.
      
         - Support more complex generics in workqueue's 'impl_has_work!'
           macro.
      
        'macros' crate:
      
         - Add 'firmware' field support to the 'module!' macro.
      
         - Improve 'module!' macro documentation.
      
        Documentation:
      
         - Provide instructions on what packages should be installed to build
           the kernel in some popular Linux distributions.
      
         - Introduce the new kernel.org LLVM+Rust toolchains.
      
         - Explain '#[no_std]'.
      
        And a few other small bits"
      
      Link: https://rust-lang.github.io/rust-project-goals/2024h2/index.html#flagship-goals [1]
      
      * tag 'rust-6.11' of https://github.com/Rust-for-Linux/linux: (26 commits)
        docs: rust: quick-start: add section on Linux distributions
        rust: warn about `bindgen` versions 0.66.0 and 0.66.1
        rust: start supporting several `bindgen` versions
        rust: work around `bindgen` 0.69.0 issue
        rust: avoid assuming a particular `bindgen` build
        rust: start supporting several compiler versions
        rust: simplify Clippy warning flags set
        rust: relax most deny-level lints to warnings
        rust: allow `dead_code` for never constructed bindings
        rust: init: simplify from `map_err` to `inspect_err`
        rust: macros: indent list item in `paste!`'s docs
        rust: add abstraction for `struct page`
        rust: uaccess: add typed accessors for userspace pointers
        uaccess: always export _copy_[from|to]_user with CONFIG_RUST
        rust: uaccess: add userspace pointers
        kbuild: rust-analyzer: improve comment documentation
        kbuild: rust-analyzer: better error handling
        docs: rust: no_std is used
        rust: alloc: add __GFP_HIGHMEM flag
        rust: alloc: fix typo in docs for GFP_NOWAIT
        ...
      910bfc26
    • Linus Torvalds's avatar
      Merge tag 'apparmor-pr-2024-07-25' of... · ff305644
      Linus Torvalds authored
      Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
      
      Pull apparmor updates from John Johansen:
       "Cleanups
         - optimization: try to avoid refing the label in apparmor_file_open
         - remove useless static inline function is_deleted
         - use kvfree_sensitive to free data->data
         - fix typo in kernel doc
      
        Bug fixes:
         - unpack transition table if dfa is not present
         - test: add MODULE_DESCRIPTION()
         - take nosymfollow flag into account
         - fix possible NULL pointer dereference
         - fix null pointer deref when receiving skb during sock creation"
      
      * tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
        apparmor: unpack transition table if dfa is not present
        apparmor: try to avoid refing the label in apparmor_file_open
        apparmor: test: add MODULE_DESCRIPTION()
        apparmor: take nosymfollow flag into account
        apparmor: fix possible NULL pointer dereference
        apparmor: fix typo in kernel doc
        apparmor: remove useless static inline function is_deleted
        apparmor: use kvfree_sensitive to free data->data
        apparmor: Fix null pointer deref when receiving skb during sock creation
      ff305644
    • Linus Torvalds's avatar
      Merge tag 'landlock-6.11-rc1-houdini-fix' of... · 86b405ad
      Linus Torvalds authored
      Merge tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
      
      Pull landlock fix from Mickaël Salaün:
       "Jann Horn reported a sandbox bypass for Landlock. This includes the
        fix and new tests. This should be backported"
      
      * tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
        selftests/landlock: Add cred_transfer test
        landlock: Don't lose track of restrictions on cred_transfer
      86b405ad
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 8e333791
      Linus Torvalds authored
      Pull gpio fix from Bartosz Golaszewski:
      
       - don't use sprintf() with non-constant format string
      
      * tag 'gpio-fixes-for-v6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: virtuser: avoid non-constant format string
      8e333791
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · bf80f139
      Linus Torvalds authored
      Pull more devicetree updates from Rob Herring:
       "Most of this is a treewide change to of_property_for_each_u32() which
        was small enough to do in one go before rc1 and avoids the need to
        create of_property_for_each_u32_some_new_name().
      
         - Treewide conversion of of_property_for_each_u32() to drop internal
           arguments making struct property opaque
      
         - Add binding for Amlogic A4 SoC watchdog
      
         - Fix constraints for AD7192 'single-channel' property"
      
      * tag 'devicetree-fixes-for-6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: iio: adc: ad7192: Fix 'single-channel' constraints
        of: remove internal arguments from of_property_for_each_u32()
        dt-bindings: watchdog: add support for Amlogic A4 SoCs
      bf80f139