1. 22 Jan, 2022 1 commit
    • Alistair Popple's avatar
      mm/migrate.c: rework migration_entry_wait() to not take a pageref · ffa65753
      Alistair Popple authored
      This fixes the FIXME in migrate_vma_check_page().
      
      Before migrating a page migration code will take a reference and check
      there are no unexpected page references, failing the migration if there
      are.  When a thread faults on a migration entry it will take a temporary
      reference to the page to wait for the page to become unlocked signifying
      the migration entry has been removed.
      
      This reference is dropped just prior to waiting on the page lock,
      however the extra reference can cause migration failures so it is
      desirable to avoid taking it.
      
      As migration code already has a reference to the migrating page an extra
      reference to wait on PG_locked is unnecessary so long as the reference
      can't be dropped whilst setting up the wait.
      
      When faulting on a migration entry the ptl is taken to check the
      migration entry.  Removing a migration entry also requires the ptl, and
      migration code won't drop its page reference until after the migration
      entry has been removed.  Therefore retaining the ptl of a migration
      entry is sufficient to ensure the page has a reference.  Reworking
      migration_entry_wait() to hold the ptl until the wait setup is complete
      means the extra page reference is no longer needed.
      
      [apopple@nvidia.com: v5]
        Link: https://lkml.kernel.org/r/20211213033848.1973946-1-apopple@nvidia.com
      
      Link: https://lkml.kernel.org/r/20211118020754.954425-1-apopple@nvidia.comSigned-off-by: default avatarAlistair Popple <apopple@nvidia.com>
      Acked-by: default avatarDavid Hildenbrand <david@redhat.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Jason Gunthorpe <jgg@nvidia.com>
      Cc: Jerome Glisse <jglisse@redhat.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Ralph Campbell <rcampbell@nvidia.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ffa65753
  2. 21 Jan, 2022 15 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 9b57f458
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for race condition that could lead to NULL pointer dereferences
         or UAF during uhid device destruction (Jann Horn)
      
       - contact count handling regression fixes for Wacom devices (Jason
         Gerecke)
      
       - fix for handling unnumbered HID reports handling in Google Vivaldi
         driver (Dmitry Torokhov)
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: wacom: Avoid using stale array indicies to read contact count
        HID: wacom: Ignore the confidence flag when a touch is removed
        HID: wacom: Reset expected and received contact counts at the same time
        HID: uhid: Use READ_ONCE()/WRITE_ONCE() for ->running
        HID: uhid: Fix worker destroying device without any protection
        HID: vivaldi: Minor cleanups
        HID: vivaldi: fix handling devices not using numbered reports
        HID: Ignore battery for Elan touchscreen on HP Envy X360 15t-dr100
      9b57f458
    • Linus Torvalds's avatar
      Merge tag 'block-5.17-2022-01-21' of git://git.kernel.dk/linux-block · 3c7c2503
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Various little minor fixes that should go into this release:
      
         - Fix issue with cloned bios and IO accounting (Christoph)
      
         - Remove redundant assignments (Colin, GuoYong)
      
         - Fix an issue with the mq-deadline async_depth sysfs interface (me)
      
         - Fix brd module loading race (Tetsuo)
      
         - Shared tag map wakeup fix (Laibin)
      
         - End of bdev read fix (OGAWA)
      
         - srcu leak fix (Ming)"
      
      * tag 'block-5.17-2022-01-21' of git://git.kernel.dk/linux-block:
        block: fix async_depth sysfs interface for mq-deadline
        block: Fix wrong offset in bio_truncate()
        block: assign bi_bdev for cloned bios in blk_rq_prep_clone
        block: cleanup q->srcu
        block: Remove unnecessary variable assignment
        brd: remove brd_devices_mutex mutex
        aoe: remove redundant assignment on variable n
        loop: remove redundant initialization of pointer node
        blk-mq: fix tag_get wait task can't be awakened
      3c7c2503
    • Jason Gerecke's avatar
      HID: wacom: Avoid using stale array indicies to read contact count · 20f3cf5f
      Jason Gerecke authored
      If we ever see a touch report with contact count data we initialize
      several variables used to read the contact count in the pre-report
      phase. These variables are never reset if we process a report which
      doesn't contain a contact count, however. This can cause the pre-
      report function to trigger a read of arbitrary memory (e.g. NULL
      if we're lucky) and potentially crash the driver.
      
      This commit restores resetting of the variables back to default
      "none" values that were used prior to the commit mentioned
      below.
      
      Link: https://github.com/linuxwacom/input-wacom/issues/276
      Fixes: 003f50ab (HID: wacom: Update last_slot_field during pre_report phase)
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: default avatarPing Cheng <ping.cheng@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      20f3cf5f
    • Jason Gerecke's avatar
      HID: wacom: Ignore the confidence flag when a touch is removed · df03e9bd
      Jason Gerecke authored
      AES hardware may internally re-classify a contact that it thought was
      intentional as a palm. Intentional contacts are reported as "down" with
      the confidence bit set. When this re-classification occurs, however, the
      state transitions to "up" with the confidence bit cleared. This kind of
      transition appears to be legal according to Microsoft docs, but we do
      not handle it correctly. Because the confidence bit is clear, we don't
      call `wacom_wac_finger_slot` and update userspace. This causes hung
      touches that confuse userspace and interfere with pen arbitration.
      
      This commit adds a special case to ignore the confidence flag if a contact
      is reported as removed. This ensures we do not leave a hung touch if one
      of these re-classification events occured. Ideally we'd have some way to
      also let userspace know that the touch has been re-classified as a palm
      and needs to be canceled, but that's not possible right now :)
      
      Link: https://github.com/linuxwacom/input-wacom/issues/288
      Fixes: 7fb0413b (HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts)
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: default avatarPing Cheng <ping.cheng@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      df03e9bd
    • Jason Gerecke's avatar
      HID: wacom: Reset expected and received contact counts at the same time · 546e41ac
      Jason Gerecke authored
      These two values go hand-in-hand and must be valid for the driver to
      behave correctly. We are currently lazy about updating the values and
      rely on the "expected" code flow to take care of making sure they're
      valid at the point they're needed. The "expected" flow changed somewhat
      with commit f8b6a747 ("HID: wacom: generic: Support multiple tools
      per report"), however. This led to problems with the DTH-2452 due (in
      part) to *all* contacts being fully processed -- even those past the
      expected contact count. Specifically, the received count gets reset to
      0 once all expected fingers are processed, but not the expected count.
      The rest of the contacts in the report are then *also* processed since
      now the driver thinks we've only processed 0 of N expected contacts.
      
      Later commits such as 7fb0413b (HID: wacom: Use "Confidence" flag to
      prevent reporting invalid contacts) worked around the DTH-2452 issue by
      skipping the invalid contacts at the end of the report, but this is not
      a complete fix. The confidence flag cannot be relied on when a contact
      is removed (see the following patch), and dealing with that condition
      re-introduces the DTH-2452 issue unless we also address this contact
      count laziness. By resetting expected and received counts at the same
      time we ensure the driver understands that there are 0 more contacts
      expected in the report. Similarly, we also make sure to reset the
      received count if for some reason we're out of sync in the pre-report
      phase.
      
      Link: https://github.com/linuxwacom/input-wacom/issues/288
      Fixes: f8b6a747 ("HID: wacom: generic: Support multiple tools per report")
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: default avatarPing Cheng <ping.cheng@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      546e41ac
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.17-2022-01-21' of git://git.kernel.dk/linux-block · f3a78227
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix the io_uring POLLFREE handling, similarly to how it was done for
         aio (Pavel)
      
       - Remove (now) unused function (Jiapeng)
      
       - Small series fixing an issue with work cancelations. A window exists
         where work isn't locatable in the pending list, and isn't active in a
         worker yet either. (me)
      
      * tag 'io_uring-5.17-2022-01-21' of git://git.kernel.dk/linux-block:
        io-wq: delete dead lock shuffling code
        io_uring: perform poll removal even if async work removal is successful
        io-wq: add intermediate work step between pending list and active work
        io-wq: perform both unstarted and started work cancelations in one go
        io-wq: invoke work cancelation with wqe->lock held
        io-wq: make io_worker lock a raw spinlock
        io-wq: remove useless 'work' argument to __io_worker_busy()
        io_uring: fix UAF due to missing POLLFREE handling
        io_uring: Remove unused function req_ref_put
      f3a78227
    • Linus Torvalds's avatar
      Merge tag 'sound-fix-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1f40caa0
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A small set of HD-audio and USB-audio fixes as well as a couple of
        ALSA core fixes. Most of them are fix-ups for the newly added CS35L41
        codec"
      
      * tag 'sound-fix-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/cs8409: Add new Warlock SKUs to patch_cs8409
        ALSA: core: Simplify snd_power_ref_and_wait() with the standard macro
        ALSA: hda: cs35l41: Make cs35l41_hda_remove() return void
        ALSA: hda: cs35l41: Tidyup code
        ALSA: hda: cs35l41: Make use of the helper function dev_err_probe()
        ALSA: hda: cs35l41: Add missing default cases
        ALSA: hda: cs35l41: Move cs35l41* calls to its own symbol namespace
        ALSA: hda: cs35l41: Add calls to newly added test key function
        ALSA: hda: cs35l41: Avoid overwriting register patch
        ALSA: core: Fix SSID quirk lookup for subvendor=0
        ALSA: usb-audio: add mapping for MSI MPG X570S Carbon Max Wifi.
        ALSA: hda/realtek: fix speakers and micmute on HP 855 G8
      1f40caa0
    • Linus Torvalds's avatar
      Merge tag 'rtc-5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · 75242f31
      Linus Torvalds authored
      Pull RTC updates from Alexandre Belloni:
       "Two new drivers this cycle and a significant rework of the CMOS driver
        make the bulk of the changes.
      
        I also carry powerpc changes with the agreement of Michael.
      
        New drivers:
         - Sunplus SP7021 RTC
         - Nintendo GameCube, Wii and Wii U RTC
      
        Driver updates:
         - cmos: refactor UIP handling and presence check, fix century
         - rs5c372: offset correction support, report low voltage
         - rv8803: Epson RX8804 support"
      
      * tag 'rtc-5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (33 commits)
        rtc: sunplus: fix return value in sp_rtc_probe()
        rtc: cmos: Evaluate century appropriate
        rtc: gamecube: Fix an IS_ERR() vs NULL check
        rtc: mc146818-lib: fix signedness bug in mc146818_get_time()
        dt-bindings: rtc: qcom-pm8xxx-rtc: update register numbers
        rtc: pxa: fix null pointer dereference
        rtc: ftrtc010: Use platform_get_irq() to get the interrupt
        rtc: Move variable into switch case statement
        rtc: pcf2127: Fix typo in comment
        dt-bindings: rtc: Add Sunplus RTC json-schema
        rtc: Add driver for RTC in Sunplus SP7021
        rtc: rs5c372: fix incorrect oscillation value on r2221tl
        rtc: rs5c372: add offset correction support
        rtc: cmos: avoid UIP when writing alarm time
        rtc: cmos: avoid UIP when reading alarm time
        rtc: mc146818-lib: refactor mc146818_does_rtc_work
        rtc: mc146818-lib: refactor mc146818_get_time
        rtc: mc146818-lib: extract mc146818_avoid_UIP
        rtc: mc146818-lib: fix RTC presence check
        rtc: Check return value from mc146818_get_time()
        ...
      75242f31
    • Linus Torvalds's avatar
      Merge tag 'drm-next-2022-01-21' of git://anongit.freedesktop.org/drm/drm · c2c94b3b
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Thanks to Daniel for taking care of things while I was out, just a set
        of merge window fixes that came in this week, two i915 display fixes
        and a bunch of misc amdgpu, along with a radeon regression fix.
      
        amdgpu:
         - SR-IOV fix
         - VCN harvest fix
         - Suspend/resume fixes
         - Tahiti fix
         - Enable GPU recovery on yellow carp
      
        radeon:
         - Fix error handling regression in radeon_driver_open_kms
      
        i915:
         - Update EHL display voltage swing table
         - Fix programming the ADL-P display TC voltage swing"
      
      * tag 'drm-next-2022-01-21' of git://anongit.freedesktop.org/drm/drm:
        drm/radeon: fix error handling in radeon_driver_open_kms
        drm/amd/amdgpu: fixing read wrong pf2vf data in SRIOV
        drm/amdgpu: apply vcn harvest quirk
        drm/i915/display/adlp: Implement new step in the TC voltage swing prog sequence
        drm/i915/display/ehl: Update voltage swing table
        drm/amd/display: Revert W/A for hard hangs on DCN20/DCN21
        drm/amdgpu: drop flags check for CHIP_IP_DISCOVERY
        drm/amdgpu: Fix rejecting Tahiti GPUs
        drm/amdgpu: don't do resets on APUs which don't support it
        drm/amdgpu: invert the logic in amdgpu_device_should_recover_gpu()
        drm/amdgpu: Enable recovery on yellow carp
      c2c94b3b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 39e77c48
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "Some hot fixes for clk driver patches merged last week and one oops
        fix:
      
         - Fix license on recent MediaTek drivers
      
         - Initialize a variable before use in the new Visconti driver
      
         - Avoid an oops by unregistering the clk provider in si5341"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: mediatek: relicense mt7986 clock driver to GPL-2.0
        clk: visconti: Fix uninitialized variable in printk
        clk: si5341: Fix clock HW provider cleanup
      39e77c48
    • Linus Torvalds's avatar
      Merge tag 'pci-v5.17-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 4141a5e6
      Linus Torvalds authored
      Pull pci fix from Bjorn Helgaas:
      
       - Reserve "stolen memory" for integrated Intel GPU, even if it's not
         the first GPU to be enumerated (Lucas De Marchi)
      
      * tag 'pci-v5.17-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        x86/gpu: Reserve stolen memory for first integrated Intel GPU
      4141a5e6
    • Linus Torvalds's avatar
      Merge tag 's390-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 85e67d56
      Linus Torvalds authored
      Pull more s390 updates from Heiko Carstens:
      
       - add Sven Schnelle as reviewer for s390 code
      
       - make uaccess code more readable
      
       - change cpu measurement facility code to also support counter second
         version number 7, and add discard support for limited samples
      
      * tag 's390-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: add Sven Schnelle as reviewer
        s390/uaccess: introduce bit field for OAC specifier
        s390/cpumf: Support for CPU Measurement Sampling Facility LS bit
        s390/cpumf: Support for CPU Measurement Facility CSVN 7
      85e67d56
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.17-merge-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 31d94978
      Linus Torvalds authored
      Pull more xfs irix ioctl housecleaning from Darrick Wong:
       "Withdraw the XFS_IOC_ALLOCSP* and XFS_IOC_FREESP* ioctl definitions.
      
        This is the third and final of a series of small pull requests that
        perform some long overdue housecleaning of XFS ioctls. This time,
        we're withdrawing all variants of the ALLOCSP and FREESP ioctls from
        XFS' userspace API. This might be a little premature since we've only
        just removed the functionality, but as I pointed out in the last pull
        request, nobody (including fstests) noticed that it was broken for 20
        years.
      
        In response to the patch, we received a single comment from someone
        who stated that they 'augment' the ioctl for their own purposes, but
        otherwise acquiesced to the withdrawal. I still want to try to clobber
        these old ioctl definitions in 5.17.
      
        So remove the header definitions for these ioctls. The just-removed
        implementation has allowed callers to read stale disk contents for
        more than **21 years** and nobody noticed or complained, which implies
        a lack of users aside from exploit programs"
      
      * tag 'xfs-5.17-merge-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: remove the XFS_IOC_{ALLOC,FREE}SP* definitions
      31d94978
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.17-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · d701a8cc
      Linus Torvalds authored
      Pull xfs irix ioctl housecleaning from Darrick Wong:
       "Remove the XFS_IOC_ALLOCSP* and XFS_IOC_FREESP* ioctl families.
      
        This is the second of a series of small pull requests that perform
        some long overdue housecleaning of XFS ioctls. This time, we're
        vacating the implementation of all variants of the ALLOCSP and FREESP
        ioctls, which are holdovers from EFS in Irix, circa 1993. Roughly
        equivalent functionality have been available for both ioctls since
        2.6.25 (April 2008):
      
         - XFS_IOC_FREESP ftruncates a file.
      
         - XFS_IOC_ALLOCSP is the equivalent of fallocate.
      
        As noted in the fix patch for CVE 2021-4155, the ALLOCSP ioctl has
        been serving up stale disk blocks since 2000, and in 21 years
        **nobody** noticed. On those grounds I think it's safe to vacate the
        implementation.
      
        Note that we lose the ability to preallocate and truncate relative to
        the current file position, but as nobody's ever implemented that for
        the VFS, I conclude that it's not in high demand.
      
        Linux has always used fallocate as the space management system call,
        whereas these Irix legacy ioctls only ever worked on XFS, and have
        been the cause of recent stale data disclosure vulnerabilities. As
        equivalent functionality is available elsewhere, remove the code"
      
      * tag 'xfs-5.17-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: kill the XFS_IOC_{ALLOC,FREE}SP* ioctls
      d701a8cc
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.17-merge-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 12a8fb20
      Linus Torvalds authored
      Pull xfs ioctl housecleaning from Darrick Wong:
       "This is the first of a series of small pull requests that perform some
        long overdue housecleaning of XFS ioctls. This first pull request
        removes the FSSETDM ioctl, which was used to set DMAPI event
        attributes on XFS files. The DMAPI support has never been merged
        upstream and the implementation of FSSETDM itself was removed two
        years ago, so let's withdraw it completely.
      
         - Withdraw the ioctl definition for the FSSETDM ioctl"
      
      * tag 'xfs-5.17-merge-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: remove the XFS_IOC_FSSETDM definitions
      12a8fb20
  3. 20 Jan, 2022 24 commits