1. 10 Mar, 2022 9 commits
    • Dongli Zhang's avatar
      xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 · eed05744
      Dongli Zhang authored
      The sched_clock() can be used very early since commit 857baa87
      ("sched/clock: Enable sched clock early"). In addition, with commit
      38669ba2 ("x86/xen/time: Output xen sched_clock time from 0"), kdump
      kernel in Xen HVM guest may panic at very early stage when accessing
      &__this_cpu_read(xen_vcpu)->time as in below:
      
      setup_arch()
       -> init_hypervisor_platform()
           -> x86_init.hyper.init_platform = xen_hvm_guest_init()
               -> xen_hvm_init_time_ops()
                   -> xen_clocksource_read()
                       -> src = &__this_cpu_read(xen_vcpu)->time;
      
      This is because Xen HVM supports at most MAX_VIRT_CPUS=32 'vcpu_info'
      embedded inside 'shared_info' during early stage until xen_vcpu_setup() is
      used to allocate/relocate 'vcpu_info' for boot cpu at arbitrary address.
      
      However, when Xen HVM guest panic on vcpu >= 32, since
      xen_vcpu_info_reset(0) would set per_cpu(xen_vcpu, cpu) = NULL when
      vcpu >= 32, xen_clocksource_read() on vcpu >= 32 would panic.
      
      This patch calls xen_hvm_init_time_ops() again later in
      xen_hvm_smp_prepare_boot_cpu() after the 'vcpu_info' for boot vcpu is
      registered when the boot vcpu is >= 32.
      
      This issue can be reproduced on purpose via below command at the guest
      side when kdump/kexec is enabled:
      
      "taskset -c 33 echo c > /proc/sysrq-trigger"
      
      The bugfix for PVM is not implemented due to the lack of testing
      environment.
      
      [boris: xen_hvm_init_time_ops() returns on errors instead of jumping to end]
      
      Cc: Joe Jin <joe.jin@oracle.com>
      Signed-off-by: default avatarDongli Zhang <dongli.zhang@oracle.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Link: https://lore.kernel.org/r/20220302164032.14569-3-dongli.zhang@oracle.comSigned-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      eed05744
    • Wang Qing's avatar
      xen: use time_is_before_eq_jiffies() instead of open coding it · b537bf42
      Wang Qing authored
      Use the helper function time_is_{before,after}_jiffies() to improve
      code readability.
      Signed-off-by: default avatarWang Qing <wangqing@vivo.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Link: https://lore.kernel.org/r/1646018104-61415-1-git-send-email-wangqing@vivo.comSigned-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      b537bf42
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v5.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 1db333d9
      Linus Torvalds authored
      Pull spi fix from Mark Brown:
       "One fix for type conversion issues when working out maximum
        scatter/gather segment sizes.
      
        It caused problems for some systems where the limits overflow
        due to the type conversion"
      
      * tag 'spi-fix-v5.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: Fix invalid sgs value
      1db333d9
    • Russell King (Oracle)'s avatar
      ARM: fix build warning in proc-v7-bugs.c · b1a384d2
      Russell King (Oracle) authored
      The kernel test robot discovered that building without
      HARDEN_BRANCH_PREDICTOR issues a warning due to a missing
      argument to pr_info().
      
      Add the missing argument.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: 9dd78194 ("ARM: report Spectre v2 status through sysfs")
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b1a384d2
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · cef06913
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a probe failure for Tegra241 GPIO controller in gpio-tegra186
      
       - revert changes that caused a regression in the sysfs user-space
         interface
      
       - correct the debounce time conversion in GPIO ACPI
      
       - statify a struct in gpio-sim and fix a typo
      
       - update registers in correct order (hardware quirk) in gpio-ts4900
      
      * tag 'gpio-fixes-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpio: sim: fix a typo
        gpio: ts4900: Do not set DAT and OE together
        gpio: sim: Declare gpio_sim_hog_config_item_ops static
        gpiolib: acpi: Convert ACPI value of debounce to microseconds
        gpio: Revert regression in sysfs-gpio (gpiolib.c)
        gpio: tegra186: Add IRQ per bank for Tegra241
      cef06913
    • Bartosz Golaszewski's avatar
      gpio: sim: fix a typo · 55d01c98
      Bartosz Golaszewski authored
      Just noticed this when applying Andy's patch. s/childred/children/
      
      Fixes: cb8c474e ("gpio: sim: new testing module")
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      55d01c98
    • Mark Featherston's avatar
      gpio: ts4900: Do not set DAT and OE together · 03fe0035
      Mark Featherston authored
      This works around an issue with the hardware where both OE and
      DAT are exposed in the same register. If both are updated
      simultaneously, the harware makes no guarantees that OE or DAT
      will actually change in any given order and may result in a
      glitch of a few ns on a GPIO pin when changing direction and value
      in a single write.
      
      Setting direction to input now only affects OE bit. Setting
      direction to output updates DAT first, then OE.
      
      Fixes: 9c668632 ("gpio: add Technologic I2C-FPGA gpio support")
      Signed-off-by: default avatarMark Featherston <mark@embeddedTS.com>
      Signed-off-by: default avatarKris Bahnsen <kris@embeddedTS.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      03fe0035
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 9c674947
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "One more small batch of clk driver fixes:
      
         - A fix for the Qualcomm GDSC power domain delays that avoids black
           screens at boot on some more recent SoCs that use a different delay
           than the hard-coded delays in the driver.
      
         - A build fix LAN966X clk driver that let it be built on
           architectures that didn't have IOMEM"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: lan966x: Fix linking error
        clk: qcom: dispcc: Update the transition delay for MDSS GDSC
        clk: qcom: gdsc: Add support to update GDSC transition delay
      9c674947
    • Linus Torvalds's avatar
      Merge tag 'xsa396-5.17-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · b5521fe9
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Several Linux PV device frontends are using the grant table interfaces
        for removing access rights of the backends in ways being subject to
        race conditions, resulting in potential data leaks, data corruption by
        malicious backends, and denial of service triggered by malicious
        backends:
      
         - blkfront, netfront, scsifront and the gntalloc driver are testing
           whether a grant reference is still in use. If this is not the case,
           they assume that a following removal of the granted access will
           always succeed, which is not true in case the backend has mapped
           the granted page between those two operations.
      
           As a result the backend can keep access to the memory page of the
           guest no matter how the page will be used after the frontend I/O
           has finished. The xenbus driver has a similar problem, as it
           doesn't check the success of removing the granted access of a
           shared ring buffer.
      
         - blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p,
           kbdfront, and pvcalls are using a functionality to delay freeing a
           grant reference until it is no longer in use, but the freeing of
           the related data page is not synchronized with dropping the granted
           access.
      
           As a result the backend can keep access to the memory page even
           after it has been freed and then re-used for a different purpose.
      
         - netfront will fail a BUG_ON() assertion if it fails to revoke
           access in the rx path.
      
           This will result in a Denial of Service (DoS) situation of the
           guest which can be triggered by the backend"
      
      * tag 'xsa396-5.17-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/netfront: react properly to failing gnttab_end_foreign_access_ref()
        xen/gnttab: fix gnttab_end_foreign_access() without page specified
        xen/pvcalls: use alloc/free_pages_exact()
        xen/9p: use alloc/free_pages_exact()
        xen/usb: don't use gnttab_end_foreign_access() in xenhcd_gnttab_done()
        xen: remove gnttab_query_foreign_access()
        xen/gntalloc: don't use gnttab_query_foreign_access()
        xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
        xen/netfront: don't use gnttab_query_foreign_access() for mapped status
        xen/blkfront: don't use gnttab_query_foreign_access() for mapped status
        xen/grant-table: add gnttab_try_end_foreign_access()
        xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
      b5521fe9
  2. 09 Mar, 2022 7 commits
  3. 08 Mar, 2022 12 commits
  4. 07 Mar, 2022 12 commits
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · ea4424be
      Linus Torvalds authored
      Pull MTD fix from Miquel Raynal:
       "As part of a previous changeset introducing support for the K3
        architecture, the OMAP_GPMC (a non visible symbol) got selected by the
        selection of MTD_NAND_OMAP2 instead of doing so from the architecture
        directly (like for the other users of these two drivers). Indeed, from
        a hardware perspective, the OMAP NAND controller needs the GPMC to
        work.
      
        This led to a robot error which got addressed in fix merge into -rc4.
        Unfortunately, the approach at this time still used "select" and lead
        to further build error reports (sparc64:allmodconfig).
      
        This time we switch to 'depends on' in order to prevent random
        misconfigurations. The different dependencies will however need a
        future cleanup"
      
      * tag 'mtd/fixes-for-5.17-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: omap2: Actually prevent invalid configuration and build error
      ea4424be
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 06be3029
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "Some last minute fixes that took a while to get ready. Not
        regressions, but they look safe and seem to be worth to have"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        tools/virtio: handle fallout from folio work
        tools/virtio: fix virtio_test execution
        vhost: remove avail_event arg from vhost_update_avail_event()
        virtio: drop default for virtio-mem
        vdpa: fix use-after-free on vp_vdpa_remove
        virtio-blk: Remove BUG_ON() in virtio_queue_rq()
        virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero
        vhost: fix hung thread due to erroneous iotlb entries
        vduse: Fix returning wrong type in vduse_domain_alloc_iova()
        vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command
        vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
        vdpa: factor out vdpa_set_features_unlocked for vdpa internal use
        virtio_console: break out of buf poll on remove
        virtio: document virtio_reset_device
        virtio: acknowledge all features before access
        virtio: unexport virtio_finalize_features
      06be3029
    • Halil Pasic's avatar
      swiotlb: rework "fix info leak with DMA_FROM_DEVICE" · aa6f8dcb
      Halil Pasic authored
      Unfortunately, we ended up merging an old version of the patch "fix info
      leak with DMA_FROM_DEVICE" instead of merging the latest one. Christoph
      (the swiotlb maintainer), he asked me to create an incremental fix
      (after I have pointed this out the mix up, and asked him for guidance).
      So here we go.
      
      The main differences between what we got and what was agreed are:
      * swiotlb_sync_single_for_device is also required to do an extra bounce
      * We decided not to introduce DMA_ATTR_OVERWRITE until we have exploiters
      * The implantation of DMA_ATTR_OVERWRITE is flawed: DMA_ATTR_OVERWRITE
        must take precedence over DMA_ATTR_SKIP_CPU_SYNC
      
      Thus this patch removes DMA_ATTR_OVERWRITE, and makes
      swiotlb_sync_single_for_device() bounce unconditionally (that is, also
      when dir == DMA_TO_DEVICE) in order do avoid synchronising back stale
      data from the swiotlb buffer.
      
      Let me note, that if the size used with dma_sync_* API is less than the
      size used with dma_[un]map_*, under certain circumstances we may still
      end up with swiotlb not being transparent. In that sense, this is no
      perfect fix either.
      
      To get this bullet proof, we would have to bounce the entire
      mapping/bounce buffer. For that we would have to figure out the starting
      address, and the size of the mapping in
      swiotlb_sync_single_for_device(). While this does seem possible, there
      seems to be no firm consensus on how things are supposed to work.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Fixes: ddbd89de ("swiotlb: fix info leak with DMA_FROM_DEVICE")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      aa6f8dcb
    • James Morse's avatar
      arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting · 58c9a506
      James Morse authored
      The mitigations for Spectre-BHB are only applied when an exception is
      taken from user-space. The mitigation status is reported via the spectre_v2
      sysfs vulnerabilities file.
      
      When unprivileged eBPF is enabled the mitigation in the exception vectors
      can be avoided by an eBPF program.
      
      When unprivileged eBPF is enabled, print a warning and report vulnerable
      via the sysfs vulnerabilities file.
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      58c9a506
    • Roger Quadros's avatar
      mtd: rawnand: omap2: Actually prevent invalid configuration and build error · 42da5a4b
      Roger Quadros authored
      The root of the problem is that we are selecting symbols that have
      dependencies. This can cause random configurations that can fail.
      The cleanest solution is to avoid using select.
      
      This driver uses interfaces from the OMAP_GPMC driver so we have to
      depend on it instead.
      
      Fixes: 4cd335da ("mtd: rawnand: omap2: Prevent invalid configuration and build error")
      Signed-off-by: default avatarRoger Quadros <rogerq@kernel.org>
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Tested-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Link: https://lore.kernel.org/linux-mtd/20220219193600.24892-1-rogerq@kernel.org
      42da5a4b
    • Miklos Szeredi's avatar
      fuse: fix pipe buffer lifetime for direct_io · 0c4bcfde
      Miklos Szeredi authored
      In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
      fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
      imports the write buffer with fuse_get_user_pages(), which uses
      iov_iter_get_pages() to grab references to userspace pages instead of
      actually copying memory.
      
      On the filesystem device side, these pages can then either be read to
      userspace (via fuse_dev_read()), or splice()d over into a pipe using
      fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.
      
      This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
      the userspace filesystem can mark the request as completed, causing write()
      to return. At that point, the userspace filesystem should no longer have
      access to the pipe buffer.
      
      Fix by copying pages coming from the user address space to new pipe
      buffers.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: c3021629 ("fuse: support splice() reading from fuse device")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      0c4bcfde
    • Andy Shevchenko's avatar
      gpiolib: acpi: Convert ACPI value of debounce to microseconds · 660c619b
      Andy Shevchenko authored
      It appears that GPIO ACPI library uses ACPI debounce values directly.
      However, the GPIO library APIs expect the debounce timeout to be in
      microseconds.
      
      Convert ACPI value of debounce to microseconds.
      
      While at it, document this detail where it is appropriate.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215664Reported-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Fixes: 8dcb7a15 ("gpiolib: acpi: Take into account debounce settings")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Tested-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      660c619b
    • Marcelo Roberto Jimenez's avatar
      gpio: Revert regression in sysfs-gpio (gpiolib.c) · fc328a7d
      Marcelo Roberto Jimenez authored
      Some GPIO lines have stopped working after the patch
      commit 2ab73c6d ("gpio: Support GPIO controllers without pin-ranges")
      
      And this has supposedly been fixed in the following patches
      commit 89ad556b ("gpio: Avoid using pin ranges with !PINCTRL")
      commit 6dbbf846 ("gpiolib: Don't free if pin ranges are not defined")
      
      But an erratic behavior where some GPIO lines work while others do not work
      has been introduced.
      
      This patch reverts those changes so that the sysfs-gpio interface works
      properly again.
      Signed-off-by: default avatarMarcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      fc328a7d
    • Akhil R's avatar
      gpio: tegra186: Add IRQ per bank for Tegra241 · 5f84e73f
      Akhil R authored
      Add the number of interrupts per bank for Tegra241 (Grace) to
      fix the probe failure.
      
      Fixes: d1056b77 ("gpio: tegra186: Add support for Tegra241")
      Signed-off-by: default avatarAkhil R <akhilrajeev@nvidia.com>
      Signed-off-by: default avatarBartosz Golaszewski <brgl@bgdev.pl>
      5f84e73f
    • Juergen Gross's avatar
      xen/netfront: react properly to failing gnttab_end_foreign_access_ref() · 66e3531b
      Juergen Gross authored
      When calling gnttab_end_foreign_access_ref() the returned value must
      be tested and the reaction to that value should be appropriate.
      
      In case of failure in xennet_get_responses() the reaction should not be
      to crash the system, but to disable the network device.
      
      The calls in setup_netfront() can be replaced by calls of
      gnttab_end_foreign_access(). While at it avoid double free of ring
      pages and grant references via xennet_disconnect_backend() in this case.
      
      This is CVE-2022-23042 / part of XSA-396.
      Reported-by: default avatarDemi Marie Obenour <demi@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V2:
      - avoid double free
      V3:
      - remove pointless initializer (Jan Beulich)
      66e3531b
    • Juergen Gross's avatar
      xen/gnttab: fix gnttab_end_foreign_access() without page specified · 42baefac
      Juergen Gross authored
      gnttab_end_foreign_access() is used to free a grant reference and
      optionally to free the associated page. In case the grant is still in
      use by the other side processing is being deferred. This leads to a
      problem in case no page to be freed is specified by the caller: the
      caller doesn't know that the page is still mapped by the other side
      and thus should not be used for other purposes.
      
      The correct way to handle this situation is to take an additional
      reference to the granted page in case handling is being deferred and
      to drop that reference when the grant reference could be freed
      finally.
      
      This requires that there are no users of gnttab_end_foreign_access()
      left directly repurposing the granted page after the call, as this
      might result in clobbered data or information leaks via the not yet
      freed grant reference.
      
      This is part of CVE-2022-23041 / XSA-396.
      Reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V4:
      - expand comment in header
      V5:
      - get page ref in case of kmalloc() failure, too
      42baefac
    • Juergen Gross's avatar
      xen/pvcalls: use alloc/free_pages_exact() · b0576cc9
      Juergen Gross authored
      Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
      and free_pages_exact(). This is in preparation of a change of
      gnttab_end_foreign_access() which will prohibit use of high-order
      pages.
      
      This is part of CVE-2022-23041 / XSA-396.
      Reported-by: default avatarSimon Gaiser <simon@invisiblethingslab.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      ---
      V4:
      - new patch
      b0576cc9