1. 19 May, 2020 12 commits
    • David Howells's avatar
      smack: Implement the watch_key and post_notification hooks · a8478a60
      David Howells authored
      Implement the watch_key security hook in Smack to make sure that a key
      grants the caller Read permission in order to set a watch on a key.
      
      Also implement the post_notification security hook to make sure that the
      notification source is granted Write permission by the watch queue.
      
      For the moment, the watch_devices security hook is left unimplemented as
      it's not obvious what the object should be since the queue is global and
      didn't previously exist.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      a8478a60
    • David Howells's avatar
      selinux: Implement the watch_key security hook · 3e412ccc
      David Howells authored
      Implement the watch_key security hook to make sure that a key grants the
      caller View permission in order to set a watch on a key.
      
      For the moment, the watch_devices security hook is left unimplemented as
      it's not obvious what the object should be since the queue is global and
      didn't previously exist.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Reviewed-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      3e412ccc
    • David Howells's avatar
      keys: Make the KEY_NEED_* perms an enum rather than a mask · 8c0637e9
      David Howells authored
      Since the meaning of combining the KEY_NEED_* constants is undefined, make
      it so that you can't do that by turning them into an enum.
      
      The enum is also given some extra values to represent special
      circumstances, such as:
      
       (1) The '0' value is reserved and causes a warning to trap the parameter
           being unset.
      
       (2) The key is to be unlinked and we require no permissions on it, only
           the keyring, (this replaces the KEY_LOOKUP_FOR_UNLINK flag).
      
       (3) An override due to CAP_SYS_ADMIN.
      
       (4) An override due to an instantiation token being present.
      
       (5) The permissions check is being deferred to later key_permission()
           calls.
      
      The extra values give the opportunity for LSMs to audit these situations.
      
      [Note: This really needs overhauling so that lookup_user_key() tells
       key_task_permission() and the LSM what operation is being done and leaves
       it to those functions to decide how to map that onto the available
       permits.  However, I don't really want to make these change in the middle
       of the notifications patchset.]
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      cc: Paul Moore <paul@paul-moore.com>
      cc: Stephen Smalley <stephen.smalley.work@gmail.com>
      cc: Casey Schaufler <casey@schaufler-ca.com>
      cc: keyrings@vger.kernel.org
      cc: selinux@vger.kernel.org
      8c0637e9
    • David Howells's avatar
      pipe: Add notification lossage handling · e7d553d6
      David Howells authored
      Add handling for loss of notifications by having read() insert a
      loss-notification message after it has read the pipe buffer that was last
      in the ring when the loss occurred.
      
      Lossage can come about either by running out of notification descriptors or
      by running out of space in the pipe ring.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      e7d553d6
    • David Howells's avatar
      pipe: Allow buffers to be marked read-whole-or-error for notifications · 8cfba763
      David Howells authored
      Allow a buffer to be marked such that read() must return the entire buffer
      in one go or return ENOBUFS.  Multiple buffers can be amalgamated into a
      single read, but a short read will occur if the next "whole" buffer won't
      fit.
      
      This is useful for watch queue notifications to make sure we don't split a
      notification across multiple reads, especially given that we need to
      fabricate an overrun record under some circumstances - and that isn't in
      the buffers.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      8cfba763
    • David Howells's avatar
      Add sample notification program · f5b5a164
      David Howells authored
      The sample program is run like:
      
      	./samples/watch_queue/watch_test
      
      and watches "/" for mount changes and the current session keyring for key
      changes:
      
      	# keyctl add user a a @s
      	1035096409
      	# keyctl unlink 1035096409 @s
      
      producing:
      
      	# ./watch_test
      	read() = 16
      	NOTIFY[000]: ty=000001 sy=02 i=00000110
      	KEY 2ffc2e5d change=2[linked] aux=1035096409
      	read() = 16
      	NOTIFY[000]: ty=000001 sy=02 i=00000110
      	KEY 2ffc2e5d change=3[unlinked] aux=1035096409
      
      Other events may be produced, such as with a failing disk:
      
      	read() = 22
      	NOTIFY[000]: ty=000003 sy=02 i=00000416
      	USB 3-7.7 dev-reset e=0 r=0
      	read() = 24
      	NOTIFY[000]: ty=000002 sy=06 i=00000418
      	BLOCK 00800050 e=6[critical medium] s=64000ef8
      
      This corresponds to:
      
      	blk_update_request: critical medium error, dev sdf, sector 1677725432 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
      
      in dmesg.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f5b5a164
    • David Howells's avatar
      watch_queue: Add a key/keyring notification facility · f7e47677
      David Howells authored
      Add a key/keyring change notification facility whereby notifications about
      changes in key and keyring content and attributes can be received.
      
      Firstly, an event queue needs to be created:
      
      	pipe2(fds, O_NOTIFICATION_PIPE);
      	ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, 256);
      
      then a notification can be set up to report notifications via that queue:
      
      	struct watch_notification_filter filter = {
      		.nr_filters = 1,
      		.filters = {
      			[0] = {
      				.type = WATCH_TYPE_KEY_NOTIFY,
      				.subtype_filter[0] = UINT_MAX,
      			},
      		},
      	};
      	ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter);
      	keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fds[1], 0x01);
      
      After that, records will be placed into the queue when events occur in
      which keys are changed in some way.  Records are of the following format:
      
      	struct key_notification {
      		struct watch_notification watch;
      		__u32	key_id;
      		__u32	aux;
      	} *n;
      
      Where:
      
      	n->watch.type will be WATCH_TYPE_KEY_NOTIFY.
      
      	n->watch.subtype will indicate the type of event, such as
      	NOTIFY_KEY_REVOKED.
      
      	n->watch.info & WATCH_INFO_LENGTH will indicate the length of the
      	record.
      
      	n->watch.info & WATCH_INFO_ID will be the second argument to
      	keyctl_watch_key(), shifted.
      
      	n->key will be the ID of the affected key.
      
      	n->aux will hold subtype-dependent information, such as the key
      	being linked into the keyring specified by n->key in the case of
      	NOTIFY_KEY_LINKED.
      
      Note that it is permissible for event records to be of variable length -
      or, at least, the length may be dependent on the subtype.  Note also that
      the queue can be shared between multiple notifications of various types.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      f7e47677
    • David Howells's avatar
      security: Add hooks to rule on setting a watch · 998f5040
      David Howells authored
      Add security hooks that will allow an LSM to rule on whether or not a watch
      may be set.  More than one hook is required as the watches watch different
      types of object.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      cc: Casey Schaufler <casey@schaufler-ca.com>
      cc: Stephen Smalley <sds@tycho.nsa.gov>
      cc: linux-security-module@vger.kernel.org
      998f5040
    • David Howells's avatar
      pipe: Add general notification queue support · c73be61c
      David Howells authored
      Make it possible to have a general notification queue built on top of a
      standard pipe.  Notifications are 'spliced' into the pipe and then read
      out.  splice(), vmsplice() and sendfile() are forbidden on pipes used for
      notifications as post_one_notification() cannot take pipe->mutex.  This
      means that notifications could be posted in between individual pipe
      buffers, making iov_iter_revert() difficult to effect.
      
      The way the notification queue is used is:
      
       (1) An application opens a pipe with a special flag and indicates the
           number of messages it wishes to be able to queue at once (this can
           only be set once):
      
      	pipe2(fds, O_NOTIFICATION_PIPE);
      	ioctl(fds[0], IOC_WATCH_QUEUE_SET_SIZE, queue_depth);
      
       (2) The application then uses poll() and read() as normal to extract data
           from the pipe.  read() will return multiple notifications if the
           buffer is big enough, but it will not split a notification across
           buffers - rather it will return a short read or EMSGSIZE.
      
           Notification messages include a length in the header so that the
           caller can split them up.
      
      Each message has a header that describes it:
      
      	struct watch_notification {
      		__u32	type:24;
      		__u32	subtype:8;
      		__u32	info;
      	};
      
      The type indicates the source (eg. mount tree changes, superblock events,
      keyring changes, block layer events) and the subtype indicates the event
      type (eg. mount, unmount; EIO, EDQUOT; link, unlink).  The info field
      indicates a number of things, including the entry length, an ID assigned to
      a watchpoint contributing to this buffer and type-specific flags.
      
      Supplementary data, such as the key ID that generated an event, can be
      attached in additional slots.  The maximum message size is 127 bytes.
      Messages may not be padded or aligned, so there is no guarantee, for
      example, that the notification type will be on a 4-byte bounary.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      c73be61c
    • David Howells's avatar
      pipe: Add O_NOTIFICATION_PIPE · b580b936
      David Howells authored
      Add an O_NOTIFICATION_PIPE flag that can be passed to pipe2() to indicate
      that the pipe being created is going to be used for notifications.  This
      suppresses the use of splice(), vmsplice(), tee() and sendfile() on the
      pipe as calling iov_iter_revert() on a pipe when a kernel notification
      message has been inserted into the middle of a multi-buffer splice will be
      messy.
      
      The flag is given the same value as O_EXCL as it seems unlikely that
      this flag will ever be applicable to pipes and I don't want to use up
      another O_* bit unnecessarily.  An alternative could be to add a pipe3()
      system call.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      b580b936
    • David Howells's avatar
      security: Add a hook for the point of notification insertion · 344fa64e
      David Howells authored
      Add a security hook that allows an LSM to rule on whether a notification
      message is allowed to be inserted into a particular watch queue.
      
      The hook is given the following information:
      
       (1) The credentials of the triggerer (which may be init_cred for a system
           notification, eg. a hardware error).
      
       (2) The credentials of the whoever set the watch.
      
       (3) The notification message.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
      cc: Casey Schaufler <casey@schaufler-ca.com>
      cc: Stephen Smalley <sds@tycho.nsa.gov>
      cc: linux-security-module@vger.kernel.org
      344fa64e
    • David Howells's avatar
      uapi: General notification queue definitions · 0858caa4
      David Howells authored
      Add UAPI definitions for the general notification queue, including the
      following pieces:
      
       (*) struct watch_notification.
      
           This is the metadata header for notification messages.  It includes a
           type and subtype that indicate the source of the message
           (eg. WATCH_TYPE_MOUNT_NOTIFY) and the kind of the message
           (eg. NOTIFY_MOUNT_NEW_MOUNT).
      
           The header also contains an information field that conveys the
           following information:
      
      	- WATCH_INFO_LENGTH.  The size of the entry (entries are variable
                length).
      
      	- WATCH_INFO_ID.  The watch ID specified when the watchpoint was
                set.
      
      	- WATCH_INFO_TYPE_INFO.  (Sub)type-specific information.
      
      	- WATCH_INFO_FLAG_*.  Flag bits overlain on the type-specific
                information.  For use by the type.
      
           All the information in the header can be used in filtering messages at
           the point of writing into the buffer.
      
       (*) struct watch_notification_removal
      
           This is an extended watch-removal notification record that includes an
           'id' field that can indicate the identifier of the object being
           removed if available (for instance, a keyring serial number).
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      0858caa4
  2. 17 May, 2020 9 commits
    • Linus Torvalds's avatar
      Linux 5.7-rc6 · b9bbe6ed
      Linus Torvalds authored
      b9bbe6ed
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi · 8feea623
      Linus Torvalds authored
      Pull IPMI update from Corey Minyard:
       "Convert i2c_new_device() to i2c_new_client_device()
      
        Wolfram Sang has asked to have this included in 5.7 so the deprecated
        API can be removed next release. There should be no functional
        difference.
      
        I think that entire this section of code can be removed; it is
        leftover from other things that have since changed, but this is the
        safer thing to do for now. The full removal can happen next release"
      
      * tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi:
        char: ipmi: convert to use i2c_new_client_device()
      8feea623
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 9b1f2cbd
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "Some more clk driver fixes and one core framework fix:
      
         - A handful of TI driver fixes for bad of_node_put() and incorrect
           parent names
      
         - Rockchip rk3228 aclk_gpu* creation was interfering with lima GPU
           work so we use a composite clk now
      
         - Resuming from suspend on Tegra Jetson TK1 was broken because an
           audio PLL calculated an incorrect rate
      
         - A fix for devicetree probing on IM-PD1 by actually specifying a clk
           name which is required to pass clk registration
      
         - Avoid list corruption if registration fails for a critical clk"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: ti: clkctrl: convert subclocks to use proper names also
        clk: ti: am33xx: fix RTC clock parent
        clk: ti: clkctrl: Fix Bad of_node_put within clkctrl_get_name
        clk: tegra: Fix initial rate for pll_a on Tegra124
        clk: impd1: Look up clock-output-names
        clk: Unlink clock if failed to prepare or enable
        clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks
      9b1f2cbd
    • Linus Torvalds's avatar
      Merge tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fb27bc03
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of USB fixes for 5.7-rc6
      
        The "largest" in here is a bunch of raw-gadget fixes and api changes
        as the driver just showed up in -rc1 and work has been done to fix up
        some uapi issues found with the original submission, before it shows
        up in a -final release.
      
        Other than that, a bunch of other small USB gadget fixes, xhci fixes,
        some quirks, andother tiny fixes for reported issues.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
        USB: gadget: fix illegal array access in binding with UDC
        usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B
        USB: usbfs: fix mmap dma mismatch
        usb: host: xhci-plat: keep runtime active when removing host
        usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
        usb: cdns3: gadget: make a bunch of functions static
        usb: mtu3: constify struct debugfs_reg32
        usb: gadget: udc: atmel: Make some symbols static
        usb: raw-gadget: fix null-ptr-deref when reenabling endpoints
        usb: raw-gadget: documentation updates
        usb: raw-gadget: support stalling/halting/wedging endpoints
        usb: raw-gadget: fix gadget endpoint selection
        usb: raw-gadget: improve uapi headers comments
        usb: typec: mux: intel: Fix DP_HPD_LVL bit field
        usb: raw-gadget: fix return value of ep read ioctls
        usb: dwc3: select USB_ROLE_SWITCH
        usb: gadget: legacy: fix error return code in gncm_bind()
        usb: gadget: legacy: fix error return code in cdc_bind()
        usb: gadget: legacy: fix redundant initialization warnings
        usb: gadget: tegra-xudc: Fix idle suspend/resume
        ...
      fb27bc03
    • Linus Torvalds's avatar
      Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · b48397cb
      Linus Torvalds authored
      Pull execve fix from Eric Biederman:
       "While working on my exec cleanups I found a bug in exec that I
        introduced by accident a couple of years ago. I apparently missed the
        fact that bprm->file can change.
      
        Now I have a very personal motive to clean up exec and make it more
        approachable.
      
        The change is just moving woud_dump to where it acts on the final
        bprm->file not the initial bprm->file. I have been careful and tested
        and verify this fix works"
      
      * 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        exec: Move would_dump into flush_old_exec
      b48397cb
    • Linus Torvalds's avatar
      Merge tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ef0d5b91
      Linus Torvalds authored
      Pull x86 stack unwinding fix from Thomas Gleixner:
       "A single bugfix for the ORC unwinder to ensure that the error flag
        which tells the unwinding code whether a stack trace can be trusted or
        not is always set correctly.
      
        This was messed up by a couple of changes in the recent past"
      
      * tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/unwind/orc: Fix error handling in __unwind_start()
      ef0d5b91
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 43567139
      Linus Torvalds authored
      Pull x86 fix from Borislav Petkov:
       "A single fix for early boot crashes of kernels built with gcc10 and
        stack protector enabled"
      
      * tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86: Fix early boot crash on gcc-10, third try
      43567139
    • Eric W. Biederman's avatar
      exec: Move would_dump into flush_old_exec · f87d1c95
      Eric W. Biederman authored
      I goofed when I added mm->user_ns support to would_dump.  I missed the
      fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and
      binfmt_script bprm->file is reassigned.  Which made the move of
      would_dump from setup_new_exec to __do_execve_file before exec_binprm
      incorrect as it can result in would_dump running on the script instead
      of the interpreter of the script.
      
      The net result is that the code stopped making unreadable interpreters
      undumpable.  Which allows them to be ptraced and written to disk
      without special permissions.  Oops.
      
      The move was necessary because the call in set_new_exec was after
      bprm->mm was no longer valid.
      
      To correct this mistake move the misplaced would_dump from
      __do_execve_file into flos_old_exec, before exec_mmap is called.
      
      I tested and confirmed that without this fix I can attach with gdb to
      a script with an unreadable interpreter, and with this fix I can not.
      
      Cc: stable@vger.kernel.org
      Fixes: f84df2a6 ("exec: Ensure mm->user_ns contains the execed files")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      f87d1c95
    • Linus Torvalds's avatar
      Merge tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 5a9ffb95
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Three small cifs/smb3 fixes, one for stable"
      
      * tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix leaked reference on requeued write
        cifs: Fix null pointer check in cifs_read
        CIFS: Spelling s/EACCESS/EACCES/
      5a9ffb95
  3. 16 May, 2020 8 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 5d438e07
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "A new testcase for guest debugging (gdbstub) that exposed a bunch of
        bugs, mostly for AMD processors. And a few other x86 fixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
        KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c
        KVM: SVM: Disable AVIC before setting V_IRQ
        KVM: Introduce kvm_make_all_cpus_request_except()
        KVM: VMX: pass correct DR6 for GD userspace exit
        KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6
        KVM: SVM: keep DR6 synchronized with vcpu->arch.dr6
        KVM: nSVM: trap #DB and #BP to userspace if guest debugging is on
        KVM: selftests: Add KVM_SET_GUEST_DEBUG test
        KVM: X86: Fix single-step with KVM_SET_GUEST_DEBUG
        KVM: X86: Set RTM for DB_VECTOR too for KVM_EXIT_DEBUG
        KVM: x86: fix DR6 delivery for various cases of #DB injection
        KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly
      5d438e07
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · befc42e5
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - A fix for unrecoverable SLB faults in the interrupt exit path,
         introduced by the recent rewrite of interrupt exit in C.
      
       - Four fixes for our KUAP (Kernel Userspace Access Prevention) support
         on 64-bit. These are all fairly minor with the exception of the
         change to evaluate the get/put_user() arguments before we enable user
         access, which reduces the amount of code we run with user access
         enabled.
      
       - A fix for our secure boot IMA rules, if enforcement of module
         signatures is enabled at runtime rather than build time.
      
       - A fix to our 32-bit VDSO clock_getres() which wasn't falling back to
         the syscall for unknown clocks.
      
       - A build fix for CONFIG_PPC_KUAP_DEBUG on 32-bit BookS, and another
         for 40x.
      
      Thanks to: Christophe Leroy, Hugh Dickins, Nicholas Piggin, Aurelien
      Jarno, Mimi Zohar, Nayna Jain.
      
      * tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/40x: Make more space for system call exception
        powerpc/vdso32: Fallback on getres syscall when clock is unknown
        powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG
        powerpc/ima: Fix secure boot rules in ima arch policy
        powerpc/64s/kuap: Restore AMR in fast_interrupt_return
        powerpc/64s/kuap: Restore AMR in system reset exception
        powerpc/64/kuap: Move kuap checks out of MSR[RI]=0 regions of exit code
        powerpc/64s: Fix unrecoverable SLB crashes due to preemption check
        powerpc/uaccess: Evaluate macro arguments once, before user access is allowed
      befc42e5
    • Linus Torvalds's avatar
      Merge tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux · 26b089a7
      Linus Torvalds authored
      Pull csky updates from Guo Ren:
      
       - fix for copy_from/to_user (a hard-to-find bug, thx Viro)
      
       - fix for calltrace panic without FRAME_POINT
      
       - two fixes for perf
      
       - two build fixes
      
       - four fixes for non-fatal bugs (msa, rm dis_irq, cleanup psr,
         gdbmacros.txt)
      
      * tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux:
        csky: Fixup raw_copy_from_user()
        csky: Fixup gdbmacros.txt with name sp in thread_struct
        csky: Fixup remove unnecessary save/restore PSR code
        csky: Fixup remove duplicate irq_disable
        csky: Fixup calltrace panic
        csky: Fixup perf callchain unwind
        csky: Fixup msa highest 3 bits mask
        csky: Fixup perf probe -x hungup
        csky: Fixup compile error for abiv1 entry.S
        csky/ftrace: Fixup error when disable CONFIG_DYNAMIC_FTRACE
      26b089a7
    • Linus Torvalds's avatar
      Merge tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 5c33696f
      Linus Torvalds authored
      Pull ARM SoC/dt fixes from Arnd Bergmann:
       "This round of fixes is almost exclusively device tree changes, with
        trivial defconfig fixes and one compiler warning fix added in.
      
        A number of patches are to fix dtc warnings, in particular on Amlogic,
        i.MX and Rockchips.
      
        Other notable changes include:
      
        Renesas:
         - Fix a wrong clock configuration on R-Mobile A1
         - Fix IOMMU support on R-Car V3H
      
        Allwinner
         - Multiple audio fixes
      
        Qualcomm
         - Use a safe CPU voltage on MSM8996
         - Fixes to match a late audio driver change
      
        Rockchip:
         - Some fixes for the newly added Pinebook Pro
      
        NXP i.MX:
         - Fix I2C1 pinctrl configuration for i.MX27 phytec-phycard board
         - Fix imx6dl-yapp4-ursa board Ethernet connection
      
        OMAP:
         - A regression fix for non-existing can device on am534x-idk
         - Fix flakey wlan on droid4 where some devices would not connect at
           all because of internal pull being used with an external pull
         - Fix occasional missed wake-up events on droid4 modem uart"
      
      * tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (51 commits)
        ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39
        ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: defconfig: add MEDIA_PLATFORM_SUPPORT
        arm64: defconfig: ARCH_R8A7795: follow changed config symbol name
        arm64: defconfig: add DRM_DISPLAY_CONNECTOR
        arm64: defconfig: DRM_DUMB_VGA_DAC: follow changed config symbol name
        ARM: oxnas: make ox820_boot_secondary static
        ARM: dts: r8a7740: Add missing extal2 to CPG node
        ARM: dts: omap4-droid4: Fix occasional lost wakeirq for uart1
        ARM: dts: omap4-droid4: Fix flakey wlan by disabling internal pull for gpio
        arm64: dts: allwinner: a64: Remove unused SPDIF sound card
        arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name
        arm64: dts: meson-g12: remove spurious blank line
        arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property
        arm64: dts: meson-g12-common: fix dwc2 clock names
        arm64: dts: meson-g12b-ugoos-am6: fix usb vbus-supply
        arm64: dts: freescale: imx8mp: update input_val for AUDIOMIX_BIT_STREAM
        ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes
        ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
        ...
      5c33696f
    • Linus Torvalds's avatar
      Merge tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block · 3d1c1e59
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single NVMe pull in here, with a single fix for a missing DMA
        read memory barrier for completions"
      
      * tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block:
        nvme-pci: dma read memory barrier for completions
      3d1c1e59
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · cf0ca701
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "A bunch of pin control fixes, some a bit overly ripe, sorry about
        that. We have important systems like Intel laptops and Qualcomm mobile
        chips covered.
      
         - Pad lock register on Intel Sunrisepoint had the wrong offset
      
         - Fix pin config setting for the Baytrail GPIO chip
      
         - Fix a compilation warning in the Mediatek driver
      
         - Fix a function group name in the Actions driver
      
         - Fix a behaviour bug in the edge polarity code in the Qualcomm
           driver
      
         - Add a missing spinlock in the Intel Cherryview driver
      
         - Add affinity callbacks to the Qualcomm MSMGPIO chip"
      
      * tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip
        pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler
        pinctrl: qcom: fix wrong write in update_dual_edge
        pinctrl: actions: fix function group name for i2c0_group
        pinctrl: mediatek: remove shadow variable declaration
        pinctrl: baytrail: Enable pin configuration setting for GPIO chip
        pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H
      cf0ca701
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block · 18e70f3a
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Two small fixes that should go into this release:
      
         - Check and handle zero length splice (Pavel)
      
         - Fix a regression in this merge window for fixed files used with
           polled block IO"
      
      * tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block:
        io_uring: polled fixed file must go through free iteration
        io_uring: fix zero len do_splice()
      18e70f3a
    • Jens Axboe's avatar
      Merge branch 'nvme-5.7' of git://git.infradead.org/nvme into block-5.7 · 39489553
      Jens Axboe authored
      Pull NVMe fix from Christoph.
      
      * 'nvme-5.7' of git://git.infradead.org/nvme:
        nvme-pci: dma read memory barrier for completions
      39489553
  4. 15 May, 2020 11 commits
    • Arnd Bergmann's avatar
      Merge tag 'renesas-fixes-for-v5.7-tag2' of... · d5fef88c
      Arnd Bergmann authored
      Merge tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into arm/fixes
      
      Renesas fixes for v5.7 (take two)
      
        - Fix a wrong clock configuration on R-Mobile A1,
        - Minor fixes that are fast-tracked to avoid introducing regressions
          during conversion of DT bindings to json-schema.
      
      * tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel:
        ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39
        ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings
        ARM: dts: r8a7740: Add missing extal2 to CPG node
      
      Link: https://lore.kernel.org/r/20200515125043.22811-1-geert+renesas@glider.beSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      d5fef88c
    • Arnd Bergmann's avatar
      Merge tag 'sunxi-fixes-for-5.7-1' of... · 495e1356
      Arnd Bergmann authored
      Merge tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes
      
      Two fixes for the Allwinner SoCs, one to remove some inexistant sound card on
      the A64, and one to fix the audio codec regulator on the pinetab.
      
      * tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        arm64: dts: allwinner: a64: Remove unused SPDIF sound card
        arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name
      
      Link: https://lore.kernel.org/r/f7a98a47-316d-4b1a-b5a5-0e1e330d5f52.lettre@localhostSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      495e1356
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 12bf0b63
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable fixes:
         - nfs: fix NULL deference in nfs4_get_valid_delegation
      
        Bugfixes:
         - Fix corruption of the return value in cachefiles_read_or_alloc_pages()
         - Fix several fscache cookie issues
         - Fix a fscache queuing race that can trigger a BUG_ON
         - NFS: Fix two use-after-free regressions due to the RPC_TASK_CRED_NOREF flag
         - SUNRPC: Fix a use-after-free regression in rpc_free_client_work()
         - SUNRPC: Fix a race when tearing down the rpc client debugfs directory
         - SUNRPC: Signalled ASYNC tasks need to exit
         - NFSv3: fix rpc receive buffer size for MOUNT call"
      
      * tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv3: fix rpc receive buffer size for MOUNT call
        SUNRPC: 'Directory with parent 'rpc_clnt' already present!'
        NFS/pnfs: Don't use RPC_TASK_CRED_NOREF with pnfs
        NFS: Don't use RPC_TASK_CRED_NOREF with delegreturn
        SUNRPC: Signalled ASYNC tasks need to exit
        nfs: fix NULL deference in nfs4_get_valid_delegation
        SUNRPC: fix use-after-free in rpc_free_client_work()
        cachefiles: Fix race between read_waiter and read_copier involving op->to_do
        NFSv4: Fix fscache cookie aux_data to ensure change_attr is included
        NFS: Fix fscache super_cookie allocation
        NFS: Fix fscache super_cookie index_key from changing after umount
        cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages()
      12bf0b63
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f85c1598
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix sk_psock reference count leak on receive, from Xiyu Yang.
      
       2) CONFIG_HNS should be invisible, from Geert Uytterhoeven.
      
       3) Don't allow locking route MTUs in ipv6, RFCs actually forbid this,
          from Maciej Żenczykowski.
      
       4) ipv4 route redirect backoff wasn't actually enforced, from Paolo
          Abeni.
      
       5) Fix netprio cgroup v2 leak, from Zefan Li.
      
       6) Fix infinite loop on rmmod in conntrack, from Florian Westphal.
      
       7) Fix tcp SO_RCVLOWAT hangs, from Eric Dumazet.
      
       8) Various bpf probe handling fixes, from Daniel Borkmann.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits)
        selftests: mptcp: pm: rm the right tmp file
        dpaa2-eth: properly handle buffer size restrictions
        bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier
        bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range
        bpf: Restrict bpf_probe_read{, str}() only to archs where they work
        MAINTAINERS: Mark networking drivers as Maintained.
        ipmr: Add lockdep expression to ipmr_for_each_table macro
        ipmr: Fix RCU list debugging warning
        drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
        net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810
        tcp: fix error recovery in tcp_zerocopy_receive()
        MAINTAINERS: Add Jakub to networking drivers.
        MAINTAINERS: another add of Karsten Graul for S390 networking
        drivers: ipa: fix typos for ipa_smp2p structure doc
        pppoe: only process PADT targeted at local interfaces
        selftests/bpf: Enforce returning 0 for fentry/fexit programs
        bpf: Enforce returning 0 for fentry/fexit progs
        net: stmmac: fix num_por initialization
        security: Fix the default value of secid_to_secctx hook
        libbpf: Fix register naming in PT_REGS s390 macros
        ...
      f85c1598
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d5dfe4f1
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "A few minor bug fixes for user visible defects, and one regression:
      
         - Various bugs from static checkers and syzkaller
      
         - Add missing error checking in mlx4
      
         - Prevent RTNL lock recursion in i40iw
      
         - Fix segfault in cxgb4 in peer abort cases
      
         - Fix a regression added in 5.7 where the IB_EVENT_DEVICE_FATAL could
           be lost, and wasn't delivered to all the FDs"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj
        RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event
        RDMA/iw_cxgb4: Fix incorrect function parameters
        RDMA/core: Fix double put of resource
        IB/core: Fix potential NULL pointer dereference in pkey cache
        IB/hfi1: Fix another case where pq is left on waitlist
        IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
        IB/mlx4: Test return value of calls to ib_get_cached_pkey
        RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info()
        i40iw: Fix error handling in i40iw_manage_arp_cache()
      d5dfe4f1
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.7-rc6' of... · ce247296
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - lkdtm runner fixes to prevent dmesg clearing and shellcheck errors
      
       - ftrace test handling when test module doesn't exist
      
       - nsfs test fix to replace zero-length array with flexible-array
      
       - dmabuf-heaps test fix to return clear error value
      
      * tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/lkdtm: Use grep -E instead of egrep
        selftests/lkdtm: Don't clear dmesg when running tests
        selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist
        tools/testing: Replace zero-length array with flexible-array
        kselftests: dmabuf-heaps: Fix confused return value on expected error testing
      ce247296
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 67e45621
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "A handful of build fixes, all found by Huawei's autobuilder.
      
        None of these patches should have any functional impact on kernels
        that build, and they're mostly related to various features
        intermingling with !MMU.
      
        While some of these might be better hoisted to generic code, it seems
        better to have the simple fixes in the meanwhile.
      
        As far as I know these are the only outstanding patches for 5.7"
      
      * tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id'
        riscv: pgtable: Fix __kernel_map_pages build error if NOMMU
        riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU
        riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU
        riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU
        riscv: stacktrace: Fix undefined reference to `walk_stackframe'
        riscv: Fix unmet direct dependencies built based on SOC_VIRT
        riscv: perf: RISCV_BASE_PMU should be independent
        riscv: perf_event: Make some funciton static
      67e45621
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 01d8a748
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix flush_icache_range() second argument in machine_kexec() to be an
        address rather than size"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix the flush_icache_range arguments in machine_kexec
      01d8a748
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e138104
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-05-15
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 9 non-merge commits during the last 2 day(s) which contain
      a total of 14 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) Fix secid_to_secctx LSM hook default value, from Anders.
      
      2) Fix bug in mmap of bpf array, from Andrii.
      
      3) Restrict bpf_probe_read to archs where they work, from Daniel.
      
      4) Enforce returning 0 for fentry/fexit progs, from Yonghong.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e138104
    • Jim Mattson's avatar
      KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce · c4e0e4ab
      Jim Mattson authored
      Bank_num is a one-based count of banks, not a zero-based index. It
      overflows the allocated space only when strictly greater than
      KVM_MAX_MCE_BANKS.
      
      Fixes: a9e38c3e ("KVM: x86: Catch potential overrun in MCE setup")
      Signed-off-by: default avatarJue Wang <juew@google.com>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Reviewed-by: default avatarPeter Shier <pshier@google.com>
      Message-Id: <20200511225616.19557-1-jmattson@google.com>
      Reviewed-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      c4e0e4ab
    • Paolo Bonzini's avatar
      Merge branch 'kvm-amd-fixes' into HEAD · f6bfd9c8
      Paolo Bonzini authored
      This topic branch will be included in both kvm/master and kvm/next
      (for 5.8) in order to simplify testing of kvm/next.
      f6bfd9c8