1. 18 May, 2020 3 commits
    • Alex Williamson's avatar
      vfio-pci: Invalidate mmaps and block MMIO access on disabled memory · abafbc55
      Alex Williamson authored
      Accessing the disabled memory space of a PCI device would typically
      result in a master abort response on conventional PCI, or an
      unsupported request on PCI express.  The user would generally see
      these as a -1 response for the read return data and the write would be
      silently discarded, possibly with an uncorrected, non-fatal AER error
      triggered on the host.  Some systems however take it upon themselves
      to bring down the entire system when they see something that might
      indicate a loss of data, such as this discarded write to a disabled
      memory space.
      
      To avoid this, we want to try to block the user from accessing memory
      spaces while they're disabled.  We start with a semaphore around the
      memory enable bit, where writers modify the memory enable state and
      must be serialized, while readers make use of the memory region and
      can access in parallel.  Writers include both direct manipulation via
      the command register, as well as any reset path where the internal
      mechanics of the reset may both explicitly and implicitly disable
      memory access, and manipulation of the MSI-X configuration, where the
      MSI-X vector table resides in MMIO space of the device.  Readers
      include the read and write file ops to access the vfio device fd
      offsets as well as memory mapped access.  In the latter case, we make
      use of our new vma list support to zap, or invalidate, those memory
      mappings in order to force them to be faulted back in on access.
      
      Our semaphore usage will stall user access to MMIO spaces across
      internal operations like reset, but the user might experience new
      behavior when trying to access the MMIO space while disabled via the
      PCI command register.  Access via read or write while disabled will
      return -EIO and access via memory maps will result in a SIGBUS.  This
      is expected to be compatible with known use cases and potentially
      provides better error handling capabilities than present in the
      hardware, while avoiding the more readily accessible and severe
      platform error responses that might otherwise occur.
      
      Fixes: CVE-2020-12888
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      abafbc55
    • Alex Williamson's avatar
      vfio-pci: Fault mmaps to enable vma tracking · 11c4cd07
      Alex Williamson authored
      Rather than calling remap_pfn_range() when a region is mmap'd, setup
      a vm_ops handler to support dynamic faulting of the range on access.
      This allows us to manage a list of vmas actively mapping the area that
      we can later use to invalidate those mappings.  The open callback
      invalidates the vma range so that all tracking is inserted in the
      fault handler and removed in the close handler.
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      11c4cd07
    • Alex Williamson's avatar
      vfio/type1: Support faulting PFNMAP vmas · 41311242
      Alex Williamson authored
      With conversion to follow_pfn(), DMA mapping a PFNMAP range depends on
      the range being faulted into the vma.  Add support to manually provide
      that, in the same way as done on KVM with hva_to_pfn_remapped().
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      41311242
  2. 17 May, 2020 9 commits
    • Linus Torvalds's avatar
      Linux 5.7-rc6 · b9bbe6ed
      Linus Torvalds authored
      b9bbe6ed
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi · 8feea623
      Linus Torvalds authored
      Pull IPMI update from Corey Minyard:
       "Convert i2c_new_device() to i2c_new_client_device()
      
        Wolfram Sang has asked to have this included in 5.7 so the deprecated
        API can be removed next release. There should be no functional
        difference.
      
        I think that entire this section of code can be removed; it is
        leftover from other things that have since changed, but this is the
        safer thing to do for now. The full removal can happen next release"
      
      * tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi:
        char: ipmi: convert to use i2c_new_client_device()
      8feea623
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 9b1f2cbd
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "Some more clk driver fixes and one core framework fix:
      
         - A handful of TI driver fixes for bad of_node_put() and incorrect
           parent names
      
         - Rockchip rk3228 aclk_gpu* creation was interfering with lima GPU
           work so we use a composite clk now
      
         - Resuming from suspend on Tegra Jetson TK1 was broken because an
           audio PLL calculated an incorrect rate
      
         - A fix for devicetree probing on IM-PD1 by actually specifying a clk
           name which is required to pass clk registration
      
         - Avoid list corruption if registration fails for a critical clk"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: ti: clkctrl: convert subclocks to use proper names also
        clk: ti: am33xx: fix RTC clock parent
        clk: ti: clkctrl: Fix Bad of_node_put within clkctrl_get_name
        clk: tegra: Fix initial rate for pll_a on Tegra124
        clk: impd1: Look up clock-output-names
        clk: Unlink clock if failed to prepare or enable
        clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks
      9b1f2cbd
    • Linus Torvalds's avatar
      Merge tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fb27bc03
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of USB fixes for 5.7-rc6
      
        The "largest" in here is a bunch of raw-gadget fixes and api changes
        as the driver just showed up in -rc1 and work has been done to fix up
        some uapi issues found with the original submission, before it shows
        up in a -final release.
      
        Other than that, a bunch of other small USB gadget fixes, xhci fixes,
        some quirks, andother tiny fixes for reported issues.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
        USB: gadget: fix illegal array access in binding with UDC
        usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B
        USB: usbfs: fix mmap dma mismatch
        usb: host: xhci-plat: keep runtime active when removing host
        usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
        usb: cdns3: gadget: make a bunch of functions static
        usb: mtu3: constify struct debugfs_reg32
        usb: gadget: udc: atmel: Make some symbols static
        usb: raw-gadget: fix null-ptr-deref when reenabling endpoints
        usb: raw-gadget: documentation updates
        usb: raw-gadget: support stalling/halting/wedging endpoints
        usb: raw-gadget: fix gadget endpoint selection
        usb: raw-gadget: improve uapi headers comments
        usb: typec: mux: intel: Fix DP_HPD_LVL bit field
        usb: raw-gadget: fix return value of ep read ioctls
        usb: dwc3: select USB_ROLE_SWITCH
        usb: gadget: legacy: fix error return code in gncm_bind()
        usb: gadget: legacy: fix error return code in cdc_bind()
        usb: gadget: legacy: fix redundant initialization warnings
        usb: gadget: tegra-xudc: Fix idle suspend/resume
        ...
      fb27bc03
    • Linus Torvalds's avatar
      Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · b48397cb
      Linus Torvalds authored
      Pull execve fix from Eric Biederman:
       "While working on my exec cleanups I found a bug in exec that I
        introduced by accident a couple of years ago. I apparently missed the
        fact that bprm->file can change.
      
        Now I have a very personal motive to clean up exec and make it more
        approachable.
      
        The change is just moving woud_dump to where it acts on the final
        bprm->file not the initial bprm->file. I have been careful and tested
        and verify this fix works"
      
      * 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        exec: Move would_dump into flush_old_exec
      b48397cb
    • Linus Torvalds's avatar
      Merge tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ef0d5b91
      Linus Torvalds authored
      Pull x86 stack unwinding fix from Thomas Gleixner:
       "A single bugfix for the ORC unwinder to ensure that the error flag
        which tells the unwinding code whether a stack trace can be trusted or
        not is always set correctly.
      
        This was messed up by a couple of changes in the recent past"
      
      * tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/unwind/orc: Fix error handling in __unwind_start()
      ef0d5b91
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 43567139
      Linus Torvalds authored
      Pull x86 fix from Borislav Petkov:
       "A single fix for early boot crashes of kernels built with gcc10 and
        stack protector enabled"
      
      * tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86: Fix early boot crash on gcc-10, third try
      43567139
    • Eric W. Biederman's avatar
      exec: Move would_dump into flush_old_exec · f87d1c95
      Eric W. Biederman authored
      I goofed when I added mm->user_ns support to would_dump.  I missed the
      fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and
      binfmt_script bprm->file is reassigned.  Which made the move of
      would_dump from setup_new_exec to __do_execve_file before exec_binprm
      incorrect as it can result in would_dump running on the script instead
      of the interpreter of the script.
      
      The net result is that the code stopped making unreadable interpreters
      undumpable.  Which allows them to be ptraced and written to disk
      without special permissions.  Oops.
      
      The move was necessary because the call in set_new_exec was after
      bprm->mm was no longer valid.
      
      To correct this mistake move the misplaced would_dump from
      __do_execve_file into flos_old_exec, before exec_mmap is called.
      
      I tested and confirmed that without this fix I can attach with gdb to
      a script with an unreadable interpreter, and with this fix I can not.
      
      Cc: stable@vger.kernel.org
      Fixes: f84df2a6 ("exec: Ensure mm->user_ns contains the execed files")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      f87d1c95
    • Linus Torvalds's avatar
      Merge tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 5a9ffb95
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Three small cifs/smb3 fixes, one for stable"
      
      * tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix leaked reference on requeued write
        cifs: Fix null pointer check in cifs_read
        CIFS: Spelling s/EACCESS/EACCES/
      5a9ffb95
  3. 16 May, 2020 8 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 5d438e07
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "A new testcase for guest debugging (gdbstub) that exposed a bunch of
        bugs, mostly for AMD processors. And a few other x86 fixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
        KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c
        KVM: SVM: Disable AVIC before setting V_IRQ
        KVM: Introduce kvm_make_all_cpus_request_except()
        KVM: VMX: pass correct DR6 for GD userspace exit
        KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6
        KVM: SVM: keep DR6 synchronized with vcpu->arch.dr6
        KVM: nSVM: trap #DB and #BP to userspace if guest debugging is on
        KVM: selftests: Add KVM_SET_GUEST_DEBUG test
        KVM: X86: Fix single-step with KVM_SET_GUEST_DEBUG
        KVM: X86: Set RTM for DB_VECTOR too for KVM_EXIT_DEBUG
        KVM: x86: fix DR6 delivery for various cases of #DB injection
        KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly
      5d438e07
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · befc42e5
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - A fix for unrecoverable SLB faults in the interrupt exit path,
         introduced by the recent rewrite of interrupt exit in C.
      
       - Four fixes for our KUAP (Kernel Userspace Access Prevention) support
         on 64-bit. These are all fairly minor with the exception of the
         change to evaluate the get/put_user() arguments before we enable user
         access, which reduces the amount of code we run with user access
         enabled.
      
       - A fix for our secure boot IMA rules, if enforcement of module
         signatures is enabled at runtime rather than build time.
      
       - A fix to our 32-bit VDSO clock_getres() which wasn't falling back to
         the syscall for unknown clocks.
      
       - A build fix for CONFIG_PPC_KUAP_DEBUG on 32-bit BookS, and another
         for 40x.
      
      Thanks to: Christophe Leroy, Hugh Dickins, Nicholas Piggin, Aurelien
      Jarno, Mimi Zohar, Nayna Jain.
      
      * tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/40x: Make more space for system call exception
        powerpc/vdso32: Fallback on getres syscall when clock is unknown
        powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG
        powerpc/ima: Fix secure boot rules in ima arch policy
        powerpc/64s/kuap: Restore AMR in fast_interrupt_return
        powerpc/64s/kuap: Restore AMR in system reset exception
        powerpc/64/kuap: Move kuap checks out of MSR[RI]=0 regions of exit code
        powerpc/64s: Fix unrecoverable SLB crashes due to preemption check
        powerpc/uaccess: Evaluate macro arguments once, before user access is allowed
      befc42e5
    • Linus Torvalds's avatar
      Merge tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux · 26b089a7
      Linus Torvalds authored
      Pull csky updates from Guo Ren:
      
       - fix for copy_from/to_user (a hard-to-find bug, thx Viro)
      
       - fix for calltrace panic without FRAME_POINT
      
       - two fixes for perf
      
       - two build fixes
      
       - four fixes for non-fatal bugs (msa, rm dis_irq, cleanup psr,
         gdbmacros.txt)
      
      * tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux:
        csky: Fixup raw_copy_from_user()
        csky: Fixup gdbmacros.txt with name sp in thread_struct
        csky: Fixup remove unnecessary save/restore PSR code
        csky: Fixup remove duplicate irq_disable
        csky: Fixup calltrace panic
        csky: Fixup perf callchain unwind
        csky: Fixup msa highest 3 bits mask
        csky: Fixup perf probe -x hungup
        csky: Fixup compile error for abiv1 entry.S
        csky/ftrace: Fixup error when disable CONFIG_DYNAMIC_FTRACE
      26b089a7
    • Linus Torvalds's avatar
      Merge tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 5c33696f
      Linus Torvalds authored
      Pull ARM SoC/dt fixes from Arnd Bergmann:
       "This round of fixes is almost exclusively device tree changes, with
        trivial defconfig fixes and one compiler warning fix added in.
      
        A number of patches are to fix dtc warnings, in particular on Amlogic,
        i.MX and Rockchips.
      
        Other notable changes include:
      
        Renesas:
         - Fix a wrong clock configuration on R-Mobile A1
         - Fix IOMMU support on R-Car V3H
      
        Allwinner
         - Multiple audio fixes
      
        Qualcomm
         - Use a safe CPU voltage on MSM8996
         - Fixes to match a late audio driver change
      
        Rockchip:
         - Some fixes for the newly added Pinebook Pro
      
        NXP i.MX:
         - Fix I2C1 pinctrl configuration for i.MX27 phytec-phycard board
         - Fix imx6dl-yapp4-ursa board Ethernet connection
      
        OMAP:
         - A regression fix for non-existing can device on am534x-idk
         - Fix flakey wlan on droid4 where some devices would not connect at
           all because of internal pull being used with an external pull
         - Fix occasional missed wake-up events on droid4 modem uart"
      
      * tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (51 commits)
        ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39
        ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: defconfig: add MEDIA_PLATFORM_SUPPORT
        arm64: defconfig: ARCH_R8A7795: follow changed config symbol name
        arm64: defconfig: add DRM_DISPLAY_CONNECTOR
        arm64: defconfig: DRM_DUMB_VGA_DAC: follow changed config symbol name
        ARM: oxnas: make ox820_boot_secondary static
        ARM: dts: r8a7740: Add missing extal2 to CPG node
        ARM: dts: omap4-droid4: Fix occasional lost wakeirq for uart1
        ARM: dts: omap4-droid4: Fix flakey wlan by disabling internal pull for gpio
        arm64: dts: allwinner: a64: Remove unused SPDIF sound card
        arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name
        arm64: dts: meson-g12: remove spurious blank line
        arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property
        arm64: dts: meson-g12-common: fix dwc2 clock names
        arm64: dts: meson-g12b-ugoos-am6: fix usb vbus-supply
        arm64: dts: freescale: imx8mp: update input_val for AUDIOMIX_BIT_STREAM
        ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes
        ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
        ...
      5c33696f
    • Linus Torvalds's avatar
      Merge tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block · 3d1c1e59
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single NVMe pull in here, with a single fix for a missing DMA
        read memory barrier for completions"
      
      * tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block:
        nvme-pci: dma read memory barrier for completions
      3d1c1e59
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · cf0ca701
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "A bunch of pin control fixes, some a bit overly ripe, sorry about
        that. We have important systems like Intel laptops and Qualcomm mobile
        chips covered.
      
         - Pad lock register on Intel Sunrisepoint had the wrong offset
      
         - Fix pin config setting for the Baytrail GPIO chip
      
         - Fix a compilation warning in the Mediatek driver
      
         - Fix a function group name in the Actions driver
      
         - Fix a behaviour bug in the edge polarity code in the Qualcomm
           driver
      
         - Add a missing spinlock in the Intel Cherryview driver
      
         - Add affinity callbacks to the Qualcomm MSMGPIO chip"
      
      * tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip
        pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler
        pinctrl: qcom: fix wrong write in update_dual_edge
        pinctrl: actions: fix function group name for i2c0_group
        pinctrl: mediatek: remove shadow variable declaration
        pinctrl: baytrail: Enable pin configuration setting for GPIO chip
        pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H
      cf0ca701
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block · 18e70f3a
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Two small fixes that should go into this release:
      
         - Check and handle zero length splice (Pavel)
      
         - Fix a regression in this merge window for fixed files used with
           polled block IO"
      
      * tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block:
        io_uring: polled fixed file must go through free iteration
        io_uring: fix zero len do_splice()
      18e70f3a
    • Jens Axboe's avatar
      Merge branch 'nvme-5.7' of git://git.infradead.org/nvme into block-5.7 · 39489553
      Jens Axboe authored
      Pull NVMe fix from Christoph.
      
      * 'nvme-5.7' of git://git.infradead.org/nvme:
        nvme-pci: dma read memory barrier for completions
      39489553
  4. 15 May, 2020 20 commits
    • Arnd Bergmann's avatar
      Merge tag 'renesas-fixes-for-v5.7-tag2' of... · d5fef88c
      Arnd Bergmann authored
      Merge tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into arm/fixes
      
      Renesas fixes for v5.7 (take two)
      
        - Fix a wrong clock configuration on R-Mobile A1,
        - Minor fixes that are fast-tracked to avoid introducing regressions
          during conversion of DT bindings to json-schema.
      
      * tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel:
        ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39
        ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        ARM: dts: r8a7740: Add missing extal2 to CPG node
      
      Link: https://lore.kernel.org/r/20200515125043.22811-1-geert+renesas@glider.beSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      d5fef88c
    • Arnd Bergmann's avatar
      Merge tag 'sunxi-fixes-for-5.7-1' of... · 495e1356
      Arnd Bergmann authored
      Merge tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes
      
      Two fixes for the Allwinner SoCs, one to remove some inexistant sound card on
      the A64, and one to fix the audio codec regulator on the pinetab.
      
      * tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        arm64: dts: allwinner: a64: Remove unused SPDIF sound card
        arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name
      
      Link: https://lore.kernel.org/r/f7a98a47-316d-4b1a-b5a5-0e1e330d5f52.lettre@localhostSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      495e1356
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 12bf0b63
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable fixes:
         - nfs: fix NULL deference in nfs4_get_valid_delegation
      
        Bugfixes:
         - Fix corruption of the return value in cachefiles_read_or_alloc_pages()
         - Fix several fscache cookie issues
         - Fix a fscache queuing race that can trigger a BUG_ON
         - NFS: Fix two use-after-free regressions due to the RPC_TASK_CRED_NOREF flag
         - SUNRPC: Fix a use-after-free regression in rpc_free_client_work()
         - SUNRPC: Fix a race when tearing down the rpc client debugfs directory
         - SUNRPC: Signalled ASYNC tasks need to exit
         - NFSv3: fix rpc receive buffer size for MOUNT call"
      
      * tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv3: fix rpc receive buffer size for MOUNT call
        SUNRPC: 'Directory with parent 'rpc_clnt' already present!'
        NFS/pnfs: Don't use RPC_TASK_CRED_NOREF with pnfs
        NFS: Don't use RPC_TASK_CRED_NOREF with delegreturn
        SUNRPC: Signalled ASYNC tasks need to exit
        nfs: fix NULL deference in nfs4_get_valid_delegation
        SUNRPC: fix use-after-free in rpc_free_client_work()
        cachefiles: Fix race between read_waiter and read_copier involving op->to_do
        NFSv4: Fix fscache cookie aux_data to ensure change_attr is included
        NFS: Fix fscache super_cookie allocation
        NFS: Fix fscache super_cookie index_key from changing after umount
        cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages()
      12bf0b63
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f85c1598
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix sk_psock reference count leak on receive, from Xiyu Yang.
      
       2) CONFIG_HNS should be invisible, from Geert Uytterhoeven.
      
       3) Don't allow locking route MTUs in ipv6, RFCs actually forbid this,
          from Maciej Żenczykowski.
      
       4) ipv4 route redirect backoff wasn't actually enforced, from Paolo
          Abeni.
      
       5) Fix netprio cgroup v2 leak, from Zefan Li.
      
       6) Fix infinite loop on rmmod in conntrack, from Florian Westphal.
      
       7) Fix tcp SO_RCVLOWAT hangs, from Eric Dumazet.
      
       8) Various bpf probe handling fixes, from Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits)
        selftests: mptcp: pm: rm the right tmp file
        dpaa2-eth: properly handle buffer size restrictions
        bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier
        bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range
        bpf: Restrict bpf_probe_read{, str}() only to archs where they work
        MAINTAINERS: Mark networking drivers as Maintained.
        ipmr: Add lockdep expression to ipmr_for_each_table macro
        ipmr: Fix RCU list debugging warning
        drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
        net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810
        tcp: fix error recovery in tcp_zerocopy_receive()
        MAINTAINERS: Add Jakub to networking drivers.
        MAINTAINERS: another add of Karsten Graul for S390 networking
        drivers: ipa: fix typos for ipa_smp2p structure doc
        pppoe: only process PADT targeted at local interfaces
        selftests/bpf: Enforce returning 0 for fentry/fexit programs
        bpf: Enforce returning 0 for fentry/fexit progs
        net: stmmac: fix num_por initialization
        security: Fix the default value of secid_to_secctx hook
        libbpf: Fix register naming in PT_REGS s390 macros
        ...
      f85c1598
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d5dfe4f1
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "A few minor bug fixes for user visible defects, and one regression:
      
         - Various bugs from static checkers and syzkaller
      
         - Add missing error checking in mlx4
      
         - Prevent RTNL lock recursion in i40iw
      
         - Fix segfault in cxgb4 in peer abort cases
      
         - Fix a regression added in 5.7 where the IB_EVENT_DEVICE_FATAL could
           be lost, and wasn't delivered to all the FDs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj
        RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event
        RDMA/iw_cxgb4: Fix incorrect function parameters
        RDMA/core: Fix double put of resource
        IB/core: Fix potential NULL pointer dereference in pkey cache
        IB/hfi1: Fix another case where pq is left on waitlist
        IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
        IB/mlx4: Test return value of calls to ib_get_cached_pkey
        RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info()
        i40iw: Fix error handling in i40iw_manage_arp_cache()
      d5dfe4f1
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.7-rc6' of... · ce247296
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - lkdtm runner fixes to prevent dmesg clearing and shellcheck errors
      
       - ftrace test handling when test module doesn't exist
      
       - nsfs test fix to replace zero-length array with flexible-array
      
       - dmabuf-heaps test fix to return clear error value
      
      * tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/lkdtm: Use grep -E instead of egrep
        selftests/lkdtm: Don't clear dmesg when running tests
        selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist
        tools/testing: Replace zero-length array with flexible-array
        kselftests: dmabuf-heaps: Fix confused return value on expected error testing
      ce247296
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 67e45621
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A handful of build fixes, all found by Huawei's autobuilder.
      
        None of these patches should have any functional impact on kernels
        that build, and they're mostly related to various features
        intermingling with !MMU.
      
        While some of these might be better hoisted to generic code, it seems
        better to have the simple fixes in the meanwhile.
      
        As far as I know these are the only outstanding patches for 5.7"
      
      * tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id'
        riscv: pgtable: Fix __kernel_map_pages build error if NOMMU
        riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU
        riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU
        riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU
        riscv: stacktrace: Fix undefined reference to `walk_stackframe'
        riscv: Fix unmet direct dependencies built based on SOC_VIRT
        riscv: perf: RISCV_BASE_PMU should be independent
        riscv: perf_event: Make some funciton static
      67e45621
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 01d8a748
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix flush_icache_range() second argument in machine_kexec() to be an
        address rather than size"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix the flush_icache_range arguments in machine_kexec
      01d8a748
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e138104
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-05-15
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 9 non-merge commits during the last 2 day(s) which contain
      a total of 14 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) Fix secid_to_secctx LSM hook default value, from Anders.
      
      2) Fix bug in mmap of bpf array, from Andrii.
      
      3) Restrict bpf_probe_read to archs where they work, from Daniel.
      
      4) Enforce returning 0 for fentry/fexit progs, from Yonghong.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e138104
    • Jim Mattson's avatar
      KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce · c4e0e4ab
      Jim Mattson authored
      Bank_num is a one-based count of banks, not a zero-based index. It
      overflows the allocated space only when strictly greater than
      KVM_MAX_MCE_BANKS.
      
      Fixes: a9e38c3e ("KVM: x86: Catch potential overrun in MCE setup")
      Signed-off-by: default avatarJue Wang <juew@google.com>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Reviewed-by: default avatarPeter Shier <pshier@google.com>
      Message-Id: <20200511225616.19557-1-jmattson@google.com>
      Reviewed-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      c4e0e4ab
    • Paolo Bonzini's avatar
      Merge branch 'kvm-amd-fixes' into HEAD · f6bfd9c8
      Paolo Bonzini authored
      This topic branch will be included in both kvm/master and kvm/next
      (for 5.8) in order to simplify testing of kvm/next.
      f6bfd9c8
    • Matthieu Baerts's avatar
      selftests: mptcp: pm: rm the right tmp file · 9a2dbb59
      Matthieu Baerts authored
      "$err" is a variable pointing to a temp file. "$out" is not: only used
      as a local variable in "check()" and representing the output of a
      command line.
      
      Fixes: eedbc685 (selftests: add PM netlink functional tests)
      Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a2dbb59
    • Ioana Ciornei's avatar
      dpaa2-eth: properly handle buffer size restrictions · efa6a7d0
      Ioana Ciornei authored
      Depending on the WRIOP version, the buffer size on the RX path must by a
      multiple of 64 or 256. Handle this restriction properly by aligning down
      the buffer size to the necessary value. Also, use the new buffer size
      dynamically computed instead of the compile time one.
      
      Fixes: 27c87486 ("dpaa2-eth: Use a single page per Rx buffer")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efa6a7d0
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.7-rc6' of... · 051e6b7e
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - Fix ADC access synchronization problem with da9052 driver
      
       - Fix temperature limit and status reporting in nct7904 driver
      
       - Fix drivetemp temperature reporting if SCT is supported but SCT data
         tables are not.
      
      * tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (da9052) Synchronize access with mfd
        hwmon: (nct7904) Fix incorrect range of temperature limit registers
        hwmon: (nct7904) Read all SMI status registers in probe function
        hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported
      051e6b7e
    • Linus Torvalds's avatar
      Merge tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1742bcd0
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Things look good and calming down; the only change to ALSA core is the
        fix for racy rawmidi buffer accesses spotted by syzkaller, and the
        rest are all small device-specific quirks for HD-audio and USB-audio
        devices"
      
      * tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
        ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA
        ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295
        ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295
        ALSA: hda/realtek: Add quirk for Samsung Notebook
        ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
        ALSA: usb-audio: add mapping for ASRock TRX40 Creator
        ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse
        Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
        ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format
        ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
      1742bcd0
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm · e7cea790
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "As mentioned last week an i915 PR came in late, but I left it, so the
        i915 bits of this cover 2 weeks, which is why it's likely a bit larger
        than usual.
      
        Otherwise it's mostly amdgpu fixes, one tegra fix, one meson fix.
      
        i915:
         - Handle idling during i915_gem_evict_something busy loops (Chris)
         - Mark current submissions with a weak-dependency (Chris)
         - Propagate error from completed fences (Chris)
         - Fixes on execlist to avoid GPU hang situation (Chris)
         - Fixes couple deadlocks (Chris)
         - Timeslice preemption fixes (Chris)
         - Fix Display Port interrupt handling on Tiger Lake (Imre)
         - Reduce debug noise around Frame Buffer Compression (Peter)
         - Fix logic around IPC W/a for Coffee Lake and Kaby Lake (Sultan)
         - Avoid dereferencing a dead context (Chris)
      
        tegra:
         - tegra120/4 smmu fixes
      
        amdgpu:
         - Clockgating fixes
         - Fix fbdev with scatter/gather display
         - S4 fix for navi
         - Soft recovery for gfx10
         - Freesync fixes
         - Atomic check cursor fix
         - Add a gfxoff quirk
         - MST fix
      
        amdkfd:
         - Fix GEM reference counting
      
        meson:
         - error code propogation fix"
      
      * tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm: (29 commits)
        drm/i915: Handle idling during i915_gem_evict_something busy loops
        drm/meson: pm resume add return errno branch
        drm/amd/amdgpu: Update update_config() logic
        drm/amd/amdgpu: add raven1 part to the gfxoff quirk list
        drm/i915: Mark concurrent submissions with a weak-dependency
        drm/i915: Propagate error from completed fences
        drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest
        drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
        drm/amd/display: add basic atomic check for cursor plane
        drm/amd/display: Fix vblank and pageflip event handling for FreeSync
        drm/amdgpu: implement soft_recovery for gfx10
        drm/amdgpu: enable hibernate support on Navi1X
        drm/amdgpu: Use GEM obj reference for KFD BOs
        drm/amdgpu: force fbdev into vram
        drm/amd/powerplay: perform PG ungate prior to CG ungate
        drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
        drm/amdgpu: disable MGCG/MGLS also on gfx CG ungate
        drm/i915/execlists: Track inflight CCID
        drm/i915/execlists: Avoid reusing the same logical CCID
        drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane
        ...
      e7cea790
    • Alexei Starovoitov's avatar
      Merge branch 'restrict-bpf_probe_read' · 59df9f1f
      Alexei Starovoitov authored
      Daniel Borkmann says:
      
      ====================
      Small set of fixes in order to restrict BPF helpers for tracing which are
      broken on archs with overlapping address ranges as per discussion in [0].
      I've targetted this for -bpf tree so they can be routed as fixes. Thanks!
      
      v1 -> v2:
        - switch to reusable %pks, %pus format specifiers (Yonghong)
          - fixate %s on kernel_ds probing for archs with overlapping addr space
      
            [0] https://lore.kernel.org/bpf/CAHk-=wjJKo0GVixYLmqPn-Q22WFu0xHaBSjKEo7e7Yw72y5SPQ@mail.gmail.com/T/
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      59df9f1f
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier · b2a5212f
      Daniel Borkmann authored
      Usage of plain %s conversion specifier in bpf_trace_printk() suffers from the
      very same issue as bpf_probe_read{,str}() helpers, that is, it is broken on
      archs with overlapping address ranges.
      
      While the helpers have been addressed through work in 6ae08ae3 ("bpf: Add
      probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers"), we need
      an option for bpf_trace_printk() as well to fix it.
      
      Similarly as with the helpers, force users to make an explicit choice by adding
      %pks and %pus specifier to bpf_trace_printk() which will then pick the corresponding
      strncpy_from_unsafe*() variant to perform the access under KERNEL_DS or USER_DS.
      The %pk* (kernel specifier) and %pu* (user specifier) can later also be extended
      for other objects aside strings that are probed and printed under tracing, and
      reused out of other facilities like bpf_seq_printf() or BTF based type printing.
      
      Existing behavior of %s for current users is still kept working for archs where it
      is not broken and therefore gated through CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
      For archs not having this property we fall-back to pick probing under KERNEL_DS as
      a sensible default.
      
      Fixes: 8d3b7dce ("bpf: add support for %s specifier to bpf_trace_printk()")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-4-daniel@iogearbox.net
      b2a5212f
    • Daniel Borkmann's avatar
      bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range · 47cc0ed5
      Daniel Borkmann authored
      Given bpf_probe_read{,str}() BPF helpers are now only available under
      CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, we need to add the drop-in
      replacements of bpf_probe_read_{kernel,user}_str() to do_refine_retval_range()
      as well to avoid hitting the same issue as in 849fa506 ("bpf/verifier:
      refine retval R0 state for bpf_get_stack helper").
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-3-daniel@iogearbox.net
      47cc0ed5
    • Daniel Borkmann's avatar
      bpf: Restrict bpf_probe_read{, str}() only to archs where they work · 0ebeea8c
      Daniel Borkmann authored
      Given the legacy bpf_probe_read{,str}() BPF helpers are broken on archs
      with overlapping address ranges, we should really take the next step to
      disable them from BPF use there.
      
      To generally fix the situation, we've recently added new helper variants
      bpf_probe_read_{user,kernel}() and bpf_probe_read_{user,kernel}_str().
      For details on them, see 6ae08ae3 ("bpf: Add probe_read_{user, kernel}
      and probe_read_{user,kernel}_str helpers").
      
      Given bpf_probe_read{,str}() have been around for ~5 years by now, there
      are plenty of users at least on x86 still relying on them today, so we
      cannot remove them entirely w/o breaking the BPF tracing ecosystem.
      
      However, their use should be restricted to archs with non-overlapping
      address ranges where they are working in their current form. Therefore,
      move this behind a CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE and
      have x86, arm64, arm select it (other archs supporting it can follow-up
      on it as well).
      
      For the remaining archs, they can workaround easily by relying on the
      feature probe from bpftool which spills out defines that can be used out
      of BPF C code to implement the drop-in replacement for old/new kernels
      via: bpftool feature probe macro
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/bpf/20200515101118.6508-2-daniel@iogearbox.net
      0ebeea8c