1. 17 Jun, 2020 2 commits
    • Jan Kara's avatar
      blktrace: Avoid sparse warnings when assigning q->blk_trace · c3dbe541
      Jan Kara authored
      Mostly for historical reasons, q->blk_trace is assigned through xchg()
      and cmpxchg() atomic operations. Although this is correct, sparse
      complains about this because it violates rcu annotations since commit
      c780e86d ("blktrace: Protect q->blk_trace with RCU") which started
      to use rcu for accessing q->blk_trace. Furthermore there's no real need
      for atomic operations anymore since all changes to q->blk_trace happen
      under q->blk_trace_mutex and since it also makes more sense to check if
      q->blk_trace is set with the mutex held earlier.
      
      So let's just replace xchg() with rcu_replace_pointer() and cmpxchg()
      with explicit check and rcu_assign_pointer(). This makes the code more
      efficient and sparse happy.
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      c3dbe541
    • Luis Chamberlain's avatar
      blktrace: break out of blktrace setup on concurrent calls · 1b0b2836
      Luis Chamberlain authored
      We use one blktrace per request_queue, that means one per the entire
      disk.  So we cannot run one blktrace on say /dev/vda and then /dev/vda1,
      or just two calls on /dev/vda.
      
      We check for concurrent setup only at the very end of the blktrace setup though.
      
      If we try to run two concurrent blktraces on the same block device the
      second one will fail, and the first one seems to go on. However when
      one tries to kill the first one one will see things like this:
      
      The kernel will show these:
      
      ```
      debugfs: File 'dropped' in directory 'nvme1n1' already present!
      debugfs: File 'msg' in directory 'nvme1n1' already present!
      debugfs: File 'trace0' in directory 'nvme1n1' already present!
      ``
      
      And userspace just sees this error message for the second call:
      
      ```
      blktrace /dev/nvme1n1
      BLKTRACESETUP(2) /dev/nvme1n1 failed: 5/Input/output error
      ```
      
      The first userspace process #1 will also claim that the files
      were taken underneath their nose as well. The files are taken
      away form the first process given that when the second blktrace
      fails, it will follow up with a BLKTRACESTOP and BLKTRACETEARDOWN.
      This means that even if go-happy process #1 is waiting for blktrace
      data, we *have* been asked to take teardown the blktrace.
      
      This can easily be reproduced with break-blktrace [0] run_0005.sh test.
      
      Just break out early if we know we're already going to fail, this will
      prevent trying to create the files all over again, which we know still
      exist.
      
      [0] https://github.com/mcgrof/break-blktraceSigned-off-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      1b0b2836
  2. 16 Jun, 2020 1 commit
    • Jason Yan's avatar
      block: Fix use-after-free in blkdev_get() · 2d3a8e2d
      Jason Yan authored
      In blkdev_get() we call __blkdev_get() to do some internal jobs and if
      there is some errors in __blkdev_get(), the bdput() is called which
      means we have released the refcount of the bdev (actually the refcount of
      the bdev inode). This means we cannot access bdev after that point. But
      acctually bdev is still accessed in blkdev_get() after calling
      __blkdev_get(). This results in use-after-free if the refcount is the
      last one we released in __blkdev_get(). Let's take a look at the
      following scenerio:
      
        CPU0            CPU1                    CPU2
      blkdev_open     blkdev_open           Remove disk
                        bd_acquire
      		  blkdev_get
      		    __blkdev_get      del_gendisk
      					bdev_unhash_inode
        bd_acquire          bdev_get_gendisk
          bd_forget           failed because of unhashed
      	  bdput
      	              bdput (the last one)
      		        bdev_evict_inode
      
      	  	    access bdev => use after free
      
      [  459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0
      [  459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132
      [  459.352347]
      [  459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2
      [  459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [  459.354947] Call Trace:
      [  459.355337]  dump_stack+0x111/0x19e
      [  459.355879]  ? __lock_acquire+0x24c1/0x31b0
      [  459.356523]  print_address_description+0x60/0x223
      [  459.357248]  ? __lock_acquire+0x24c1/0x31b0
      [  459.357887]  kasan_report.cold+0xae/0x2d8
      [  459.358503]  __lock_acquire+0x24c1/0x31b0
      [  459.359120]  ? _raw_spin_unlock_irq+0x24/0x40
      [  459.359784]  ? lockdep_hardirqs_on+0x37b/0x580
      [  459.360465]  ? _raw_spin_unlock_irq+0x24/0x40
      [  459.361123]  ? finish_task_switch+0x125/0x600
      [  459.361812]  ? finish_task_switch+0xee/0x600
      [  459.362471]  ? mark_held_locks+0xf0/0xf0
      [  459.363108]  ? __schedule+0x96f/0x21d0
      [  459.363716]  lock_acquire+0x111/0x320
      [  459.364285]  ? blkdev_get+0xce/0xbe0
      [  459.364846]  ? blkdev_get+0xce/0xbe0
      [  459.365390]  __mutex_lock+0xf9/0x12a0
      [  459.365948]  ? blkdev_get+0xce/0xbe0
      [  459.366493]  ? bdev_evict_inode+0x1f0/0x1f0
      [  459.367130]  ? blkdev_get+0xce/0xbe0
      [  459.367678]  ? destroy_inode+0xbc/0x110
      [  459.368261]  ? mutex_trylock+0x1a0/0x1a0
      [  459.368867]  ? __blkdev_get+0x3e6/0x1280
      [  459.369463]  ? bdev_disk_changed+0x1d0/0x1d0
      [  459.370114]  ? blkdev_get+0xce/0xbe0
      [  459.370656]  blkdev_get+0xce/0xbe0
      [  459.371178]  ? find_held_lock+0x2c/0x110
      [  459.371774]  ? __blkdev_get+0x1280/0x1280
      [  459.372383]  ? lock_downgrade+0x680/0x680
      [  459.373002]  ? lock_acquire+0x111/0x320
      [  459.373587]  ? bd_acquire+0x21/0x2c0
      [  459.374134]  ? do_raw_spin_unlock+0x4f/0x250
      [  459.374780]  blkdev_open+0x202/0x290
      [  459.375325]  do_dentry_open+0x49e/0x1050
      [  459.375924]  ? blkdev_get_by_dev+0x70/0x70
      [  459.376543]  ? __x64_sys_fchdir+0x1f0/0x1f0
      [  459.377192]  ? inode_permission+0xbe/0x3a0
      [  459.377818]  path_openat+0x148c/0x3f50
      [  459.378392]  ? kmem_cache_alloc+0xd5/0x280
      [  459.379016]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  459.379802]  ? path_lookupat.isra.0+0x900/0x900
      [  459.380489]  ? __lock_is_held+0xad/0x140
      [  459.381093]  do_filp_open+0x1a1/0x280
      [  459.381654]  ? may_open_dev+0xf0/0xf0
      [  459.382214]  ? find_held_lock+0x2c/0x110
      [  459.382816]  ? lock_downgrade+0x680/0x680
      [  459.383425]  ? __lock_is_held+0xad/0x140
      [  459.384024]  ? do_raw_spin_unlock+0x4f/0x250
      [  459.384668]  ? _raw_spin_unlock+0x1f/0x30
      [  459.385280]  ? __alloc_fd+0x448/0x560
      [  459.385841]  do_sys_open+0x3c3/0x500
      [  459.386386]  ? filp_open+0x70/0x70
      [  459.386911]  ? trace_hardirqs_on_thunk+0x1a/0x1c
      [  459.387610]  ? trace_hardirqs_off_caller+0x55/0x1c0
      [  459.388342]  ? do_syscall_64+0x1a/0x520
      [  459.388930]  do_syscall_64+0xc3/0x520
      [  459.389490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  459.390248] RIP: 0033:0x416211
      [  459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83
      04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f
         05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d
            01
      [  459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
      [  459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211
      [  459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00
      [  459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a
      [  459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff
      [  459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c
      [  459.400168]
      [  459.400430] Allocated by task 20132:
      [  459.401038]  kasan_kmalloc+0xbf/0xe0
      [  459.401652]  kmem_cache_alloc+0xd5/0x280
      [  459.402330]  bdev_alloc_inode+0x18/0x40
      [  459.402970]  alloc_inode+0x5f/0x180
      [  459.403510]  iget5_locked+0x57/0xd0
      [  459.404095]  bdget+0x94/0x4e0
      [  459.404607]  bd_acquire+0xfa/0x2c0
      [  459.405113]  blkdev_open+0x110/0x290
      [  459.405702]  do_dentry_open+0x49e/0x1050
      [  459.406340]  path_openat+0x148c/0x3f50
      [  459.406926]  do_filp_open+0x1a1/0x280
      [  459.407471]  do_sys_open+0x3c3/0x500
      [  459.408010]  do_syscall_64+0xc3/0x520
      [  459.408572]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  459.409415]
      [  459.409679] Freed by task 1262:
      [  459.410212]  __kasan_slab_free+0x129/0x170
      [  459.410919]  kmem_cache_free+0xb2/0x2a0
      [  459.411564]  rcu_process_callbacks+0xbb2/0x2320
      [  459.412318]  __do_softirq+0x225/0x8ac
      
      Fix this by delaying bdput() to the end of blkdev_get() which means we
      have finished accessing bdev.
      
      Fixes: 77ea887e ("implement in-kernel gendisk events handling")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarJason Yan <yanaijie@huawei.com>
      Tested-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      2d3a8e2d
  3. 15 Jun, 2020 2 commits
  4. 14 Jun, 2020 8 commits
    • Coly Li's avatar
      bcache: pr_info() format clean up in bcache_device_init() · 4b25bbf5
      Coly Li authored
      scripts/checkpatch.pl reports following warning for patch
      ("bcache: check and adjust logical block size for backing devices"),
          WARNING: quoted string split across lines
          #146: FILE: drivers/md/bcache/super.c:896:
          +  pr_info("%s: sb/logical block size (%u) greater than page size "
          +	       "(%lu) falling back to device logical block size (%u)",
      
      There are two things to fix up,
      - The kernel message print should be in a single line.
      - pr_info() won't automatically add new line since v5.8, a '\n' should
        be added.
      
      This patch just does the above cleanup in bcache_device_init().
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      4b25bbf5
    • Coly Li's avatar
      bcache: use delayed kworker fo asynchronous devices registration · ee4a36f4
      Coly Li authored
      This patch changes the asynchronous registration kworker to a delayed
      kworker. There is probability queue_work() queues the async registration
      kworker to the same CPU (even though very little), then the process
      which writing sysfs interface to reigster bcache device may won't return
      immeidately. queue_delayed_work() in this patch will delay 10 jiffies
      before insert the kworker to run queue, which makes sure the registering
      process may always returns to user space in time.
      
      Fixes: 9e23ccf8 ("bcache: asynchronous devices registration")
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      ee4a36f4
    • Mauricio Faria de Oliveira's avatar
      bcache: check and adjust logical block size for backing devices · dcacbc12
      Mauricio Faria de Oliveira authored
      It's possible for a block driver to set logical block size to
      a value greater than page size incorrectly; e.g. bcache takes
      the value from the superblock, set by the user w/ make-bcache.
      
      This causes a BUG/NULL pointer dereference in the path:
      
        __blkdev_get()
        -> set_init_blocksize() // set i_blkbits based on ...
           -> bdev_logical_block_size()
              -> queue_logical_block_size() // ... this value
        -> bdev_disk_changed()
           ...
           -> blkdev_readpage()
              -> block_read_full_page()
                 -> create_page_buffers() // size = 1 << i_blkbits
                    -> create_empty_buffers() // give size/take pointer
                       -> alloc_page_buffers() // return NULL
                       .. BUG!
      
      Because alloc_page_buffers() is called with size > PAGE_SIZE,
      thus it initializes head = NULL, skips the loop, return head;
      then create_empty_buffers() gets (and uses) the NULL pointer.
      
      This has been around longer than commit ad6bf88a ("block:
      fix an integer overflow in logical block size"); however, it
      increased the range of values that can trigger the issue.
      
      Previously only 8k/16k/32k (on x86/4k page size) would do it,
      as greater values overflow unsigned short to zero, and queue_
      logical_block_size() would then use the default of 512.
      
      Now the range with unsigned int is much larger, and users w/
      the 512k value, which happened to be zero'ed previously and
      work fine, started to hit this issue -- as the zero is gone,
      and queue_logical_block_size() does return 512k (>PAGE_SIZE.)
      
      Fix this by checking the bcache device's logical block size,
      and if it's greater than page size, fallback to the backing/
      cached device's logical page size.
      
      This doesn't affect cache devices as those are still checked
      for block/page size in read_super(); only the backing/cached
      devices are not.
      
      Apparently it's a regression from commit 2903381f ("bcache:
      Take data offset from the bdev superblock."), moving the check
      into BCACHE_SB_VERSION_CDEV only. Now that we have superblocks
      of backing devices out there with this larger value, we cannot
      refuse to load them (i.e., have a similar check in _BDEV.)
      
      Ideally perhaps bcache should use all values from the backing
      device (physical/logical/io_min block size)? But for now just
      fix the problematic case.
      
      Test-case:
      
          # IMG=/root/disk.img
          # dd if=/dev/zero of=$IMG bs=1 count=0 seek=1G
          # DEV=$(losetup --find --show $IMG)
          # make-bcache --bdev $DEV --block 8k
            < see dmesg >
      
      Before:
      
          # uname -r
          5.7.0-rc7
      
          [   55.944046] BUG: kernel NULL pointer dereference, address: 0000000000000000
          ...
          [   55.949742] CPU: 3 PID: 610 Comm: bcache-register Not tainted 5.7.0-rc7 #4
          ...
          [   55.952281] RIP: 0010:create_empty_buffers+0x1a/0x100
          ...
          [   55.966434] Call Trace:
          [   55.967021]  create_page_buffers+0x48/0x50
          [   55.967834]  block_read_full_page+0x49/0x380
          [   55.972181]  do_read_cache_page+0x494/0x610
          [   55.974780]  read_part_sector+0x2d/0xaa
          [   55.975558]  read_lba+0x10e/0x1e0
          [   55.977904]  efi_partition+0x120/0x5a6
          [   55.980227]  blk_add_partitions+0x161/0x390
          [   55.982177]  bdev_disk_changed+0x61/0xd0
          [   55.982961]  __blkdev_get+0x350/0x490
          [   55.983715]  __device_add_disk+0x318/0x480
          [   55.984539]  bch_cached_dev_run+0xc5/0x270
          [   55.986010]  register_bcache.cold+0x122/0x179
          [   55.987628]  kernfs_fop_write+0xbc/0x1a0
          [   55.988416]  vfs_write+0xb1/0x1a0
          [   55.989134]  ksys_write+0x5a/0xd0
          [   55.989825]  do_syscall_64+0x43/0x140
          [   55.990563]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [   55.991519] RIP: 0033:0x7f7d60ba3154
          ...
      
      After:
      
          # uname -r
          5.7.0.bcachelbspgsz
      
          [   31.672460] bcache: bcache_device_init() bcache0: sb/logical block size (8192) greater than page size (4096) falling back to device logical block size (512)
          [   31.675133] bcache: register_bdev() registered backing device loop0
      
          # grep ^ /sys/block/bcache0/queue/*_block_size
          /sys/block/bcache0/queue/logical_block_size:512
          /sys/block/bcache0/queue/physical_block_size:8192
      Reported-by: default avatarRyan Finnie <ryan@finnie.org>
      Reported-by: default avatarSebastian Marsching <sebastian@marsching.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      dcacbc12
    • Zhiqiang Liu's avatar
      bcache: fix potential deadlock problem in btree_gc_coalesce · be23e837
      Zhiqiang Liu authored
      coccicheck reports:
        drivers/md//bcache/btree.c:1538:1-7: preceding lock on line 1417
      
      In btree_gc_coalesce func, if the coalescing process fails, we will goto
      to out_nocoalesce tag directly without releasing new_nodes[i]->write_lock.
      Then, it will cause a deadlock when trying to acquire new_nodes[i]->
      write_lock for freeing new_nodes[i] before return.
      
      btree_gc_coalesce func details as follows:
      	if alloc new_nodes[i] fails:
      		goto out_nocoalesce;
      	// obtain new_nodes[i]->write_lock
      	mutex_lock(&new_nodes[i]->write_lock)
      	// main coalescing process
      	for (i = nodes - 1; i > 0; --i)
      		[snipped]
      		if coalescing process fails:
      			// Here, directly goto out_nocoalesce
      			 // tag will cause a deadlock
      			goto out_nocoalesce;
      		[snipped]
      	// release new_nodes[i]->write_lock
      	mutex_unlock(&new_nodes[i]->write_lock)
      	// coalesing succ, return
      	return;
      out_nocoalesce:
      	btree_node_free(new_nodes[i])	// free new_nodes[i]
      	// obtain new_nodes[i]->write_lock
      	mutex_lock(&new_nodes[i]->write_lock);
      	// set flag for reuse
      	clear_bit(BTREE_NODE_dirty, &ew_nodes[i]->flags);
      	// release new_nodes[i]->write_lock
      	mutex_unlock(&new_nodes[i]->write_lock);
      
      To fix the problem, we add a new tag 'out_unlock_nocoalesce' for
      releasing new_nodes[i]->write_lock before out_nocoalesce tag. If
      coalescing process fails, we will go to out_unlock_nocoalesce tag
      for releasing new_nodes[i]->write_lock before free new_nodes[i] in
      out_nocoalesce tag.
      
      (Coly Li helps to clean up commit log format.)
      
      Fixes: 2a285686 ("bcache: btree locking rework")
      Signed-off-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      be23e837
    • Linus Torvalds's avatar
      Linux 5.8-rc1 · b3a9e3b9
      Linus Torvalds authored
      b3a9e3b9
    • Linus Torvalds's avatar
      Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux · 4a87b197
      Linus Torvalds authored
      Pull SafeSetID update from Micah Morton:
       "Add additional LSM hooks for SafeSetID
      
        SafeSetID is capable of making allow/deny decisions for set*uid calls
        on a system, and we want to add similar functionality for set*gid
        calls.
      
        The work to do that is not yet complete, so probably won't make it in
        for v5.8, but we are looking to get this simple patch in for v5.8
        since we have it ready.
      
        We are planning on the rest of the work for extending the SafeSetID
        LSM being merged during the v5.9 merge window"
      
      * tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux:
        security: Add LSM hooks to set*gid syscalls
      4a87b197
    • Thomas Cedeno's avatar
      security: Add LSM hooks to set*gid syscalls · 39030e13
      Thomas Cedeno authored
      The SafeSetID LSM uses the security_task_fix_setuid hook to filter
      set*uid() syscalls according to its configured security policy. In
      preparation for adding analagous support in the LSM for set*gid()
      syscalls, we add the requisite hook here. Tested by putting print
      statements in the security_task_fix_setgid hook and seeing them get hit
      during kernel boot.
      Signed-off-by: default avatarThomas Cedeno <thomascedeno@google.com>
      Signed-off-by: default avatarMicah Morton <mortonm@chromium.org>
      39030e13
    • Linus Torvalds's avatar
      Merge tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 9d645db8
      Linus Torvalds authored
      Pull btrfs updates from David Sterba:
       "This reverts the direct io port to iomap infrastructure of btrfs
        merged in the first pull request. We found problems in invalidate page
        that don't seem to be fixable as regressions or without changing iomap
        code that would not affect other filesystems.
      
        There are four reverts in total, but three of them are followup
        cleanups needed to revert a43a67a2 cleanly. The result is the
        buffer head based implementation of direct io.
      
        Reverts are not great, but under current circumstances I don't see
        better options"
      
      * tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Revert "btrfs: switch to iomap_dio_rw() for dio"
        Revert "fs: remove dio_end_io()"
        Revert "btrfs: remove BTRFS_INODE_READDIO_NEED_LOCK"
        Revert "btrfs: split btrfs_direct_IO to read and write part"
      9d645db8
  5. 13 Jun, 2020 27 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 96144c58
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix cfg80211 deadlock, from Johannes Berg.
      
       2) RXRPC fails to send norigications, from David Howells.
      
       3) MPTCP RM_ADDR parsing has an off by one pointer error, fix from
          Geliang Tang.
      
       4) Fix crash when using MSG_PEEK with sockmap, from Anny Hu.
      
       5) The ucc_geth driver needs __netdev_watchdog_up exported, from
          Valentin Longchamp.
      
       6) Fix hashtable memory leak in dccp, from Wang Hai.
      
       7) Fix how nexthops are marked as FDB nexthops, from David Ahern.
      
       8) Fix mptcp races between shutdown and recvmsg, from Paolo Abeni.
      
       9) Fix crashes in tipc_disc_rcv(), from Tuong Lien.
      
      10) Fix link speed reporting in iavf driver, from Brett Creeley.
      
      11) When a channel is used for XSK and then reused again later for XSK,
          we forget to clear out the relevant data structures in mlx5 which
          causes all kinds of problems. Fix from Maxim Mikityanskiy.
      
      12) Fix memory leak in genetlink, from Cong Wang.
      
      13) Disallow sockmap attachments to UDP sockets, it simply won't work.
          From Lorenz Bauer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (83 commits)
        net: ethernet: ti: ale: fix allmulti for nu type ale
        net: ethernet: ti: am65-cpsw-nuss: fix ale parameters init
        net: atm: Remove the error message according to the atomic context
        bpf: Undo internal BPF_PROBE_MEM in BPF insns dump
        libbpf: Support pre-initializing .bss global variables
        tools/bpftool: Fix skeleton codegen
        bpf: Fix memlock accounting for sock_hash
        bpf: sockmap: Don't attach programs to UDP sockets
        bpf: tcp: Recv() should return 0 when the peer socket is closed
        ibmvnic: Flush existing work items before device removal
        genetlink: clean up family attributes allocations
        net: ipa: header pad field only valid for AP->modem endpoint
        net: ipa: program upper nibbles of sequencer type
        net: ipa: fix modem LAN RX endpoint id
        net: ipa: program metadata mask differently
        ionic: add pcie_print_link_status
        rxrpc: Fix race between incoming ACK parser and retransmitter
        net/mlx5: E-Switch, Fix some error pointer dereferences
        net/mlx5: Don't fail driver on failure to create debugfs
        net/mlx5e: CT: Fix ipv6 nat header rewrite actions
        ...
      96144c58
    • David Sterba's avatar
      Revert "btrfs: switch to iomap_dio_rw() for dio" · 55e20bd1
      David Sterba authored
      This reverts commit a43a67a2.
      
      This patch reverts the main part of switching direct io implementation
      to iomap infrastructure. There's a problem in invalidate page that
      couldn't be solved as regression in this development cycle.
      
      The problem occurs when buffered and direct io are mixed, and the ranges
      overlap. Although this is not recommended, filesystems implement
      measures or fallbacks to make it somehow work. In this case, fallback to
      buffered IO would be an option for btrfs (this already happens when
      direct io is done on compressed data), but the change would be needed in
      the iomap code, bringing new semantics to other filesystems.
      
      Another problem arises when again the buffered and direct ios are mixed,
      invalidation fails, then -EIO is set on the mapping and fsync will fail,
      though there's no real error.
      
      There have been discussions how to fix that, but revert seems to be the
      least intrusive option.
      
      Link: https://lore.kernel.org/linux-btrfs/20200528192103.xm45qoxqmkw7i5yl@fiona/Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      55e20bd1
    • Grygorii Strashko's avatar
      net: ethernet: ti: ale: fix allmulti for nu type ale · bc139119
      Grygorii Strashko authored
      On AM65xx MCU CPSW2G NUSS and 66AK2E/L NUSS allmulti setting does not allow
      unregistered mcast packets to pass.
      
      This happens, because ALE VLAN entries on these SoCs do not contain port
      masks for reg/unreg mcast packets, but instead store indexes of
      ALE_VLAN_MASK_MUXx_REG registers which intended for store port masks for
      reg/unreg mcast packets.
      This path was missed by commit 9d1f6447 ("net: ethernet: ti: ale: fix
      seeing unreg mcast packets with promisc and allmulti disabled").
      
      Hence, fix it by taking into account ALE type in cpsw_ale_set_allmulti().
      
      Fixes: 9d1f6447 ("net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc139119
    • Grygorii Strashko's avatar
      net: ethernet: ti: am65-cpsw-nuss: fix ale parameters init · 2074f9ea
      Grygorii Strashko authored
      The ALE parameters structure is created on stack, so it has to be reset
      before passing to cpsw_ale_create() to avoid garbage values.
      
      Fixes: 93a76530 ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2074f9ea
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · fa7566a0
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-06-12
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 26 non-merge commits during the last 10 day(s) which contain
      a total of 27 files changed, 348 insertions(+), 93 deletions(-).
      
      The main changes are:
      
      1) sock_hash accounting fix, from Andrey.
      
      2) libbpf fix and probe_mem sanitizing, from Andrii.
      
      3) sock_hash fixes, from Jakub.
      
      4) devmap_val fix, from Jesper.
      
      5) load_bytes_relative fix, from YiFei.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa7566a0
    • Liao Pingfang's avatar
      net: atm: Remove the error message according to the atomic context · bf97bac9
      Liao Pingfang authored
      Looking into the context (atomic!) and the error message should be dropped.
      Signed-off-by: default avatarLiao Pingfang <liao.pingfang@zte.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf97bac9
    • Linus Torvalds's avatar
      Merge tag '5.8-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · f82e7b57
      Linus Torvalds authored
      Pull more cifs updates from Steve French:
       "12 cifs/smb3 fixes, 2 for stable.
      
         - add support for idsfromsid on create and chgrp/chown allowing
           ability to save owner information more naturally for some workloads
      
         - improve query info (getattr) when SMB3.1.1 posix extensions are
           negotiated by using new query info level"
      
      * tag '5.8-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: Add debug message for new file creation with idsfromsid mount option
        cifs: fix chown and chgrp when idsfromsid mount option enabled
        smb3: allow uid and gid owners to be set on create with idsfromsid mount option
        smb311: Add tracepoints for new compound posix query info
        smb311: add support for using info level for posix extensions query
        smb311: Add support for lookup with posix extensions query info
        smb311: Add support for SMB311 query info (non-compounded)
        SMB311: Add support for query info using posix extensions (level 100)
        smb3: add indatalen that can be a non-zero value to calculation of credit charge in smb2 ioctl
        smb3: fix typo in mount options displayed in /proc/mounts
        cifs: Add get_security_type_str function to return sec type.
        smb3: extend fscache mount volume coherency check
      f82e7b57
    • Linus Torvalds's avatar
      binderfs: add gitignore for generated sample program · 4f9b3a37
      Linus Torvalds authored
      Let's keep "git status" happy and quiet.
      
      Fixes: 9762dc14 ("samples: add binderfs sample program
      Fixes: fca5e949 ("samples: binderfs: really compile this sample and fix build issues")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4f9b3a37
    • Linus Torvalds's avatar
      doc: don't use deprecated "---help---" markers in target docs · 3e1ad405
      Linus Torvalds authored
      I'm not convinced the script makes useful automaed help lines anyway,
      but since we're trying to deprecate the use of "---help---" in Kconfig
      files, let's fix the doc example code too.
      
      See commit a7f7f624 ("treewide: replace '---help---' in Kconfig
      files with 'help'")
      
      Cc: Masahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3e1ad405
    • Linus Torvalds's avatar
      Merge tag 'kbuild-v5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild · 6adc19fd
      Linus Torvalds authored
      Pull more Kbuild updates from Masahiro Yamada:
      
       - fix build rules in binderfs sample
      
       - fix build errors when Kbuild recurses to the top Makefile
      
       - covert '---help---' in Kconfig to 'help'
      
      * tag 'kbuild-v5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        treewide: replace '---help---' in Kconfig files with 'help'
        kbuild: fix broken builds because of GZIP,BZIP2,LZOP variables
        samples: binderfs: really compile this sample and fix build issues
      6adc19fd
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 3df83e16
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "This is the set of changes collected since just before the merge
        window opened. It's mostly minor fixes in drivers.
      
        The one non-driver set is the three optical disk (sr) changes where
        two are error path fixes and one is a helper conversion.
      
        The big driver change is the hpsa compat_alloc_userspace rework by Al
        so he can kill the remaining user. This has been tested and acked by
        the maintainer"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (21 commits)
        scsi: acornscsi: Fix an error handling path in acornscsi_probe()
        scsi: storvsc: Remove memset before memory freeing in storvsc_suspend()
        scsi: cxlflash: Remove an unnecessary NULL check
        scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
        scsi: sr: Fix sr_probe() missing deallocate of device minor
        scsi: sr: Fix sr_probe() missing mutex_destroy
        scsi: st: Convert convert get_user_pages() --> pin_user_pages()
        scsi: target: Rename target_setup_cmd_from_cdb() to target_cmd_parse_cdb()
        scsi: target: Fix NULL pointer dereference
        scsi: target: Initialize LUN in transport_init_se_cmd()
        scsi: target: Factor out a new helper, target_cmd_init_cdb()
        scsi: hpsa: hpsa_ioctl(): Tidy up a bit
        scsi: hpsa: Get rid of compat_alloc_user_space()
        scsi: hpsa: Don't bother with vmalloc for BIG_IOCTL_Command_struct
        scsi: hpsa: Lift {BIG_,}IOCTL_Command_struct copy{in,out} into hpsa_ioctl()
        scsi: ufs: Remove redundant urgent_bkop_lvl initialization
        scsi: ufs: Don't update urgent bkops level when toggling auto bkops
        scsi: qedf: Remove redundant initialization of variable rc
        scsi: mpt3sas: Fix memset() in non-RDPQ mode
        scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
        ...
      3df83e16
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 91fa5884
      Linus Torvalds authored
      Pull i2c updates from Wolfram Sang:
       "I2C has quite some patches for you this time. I hope it is the move to
        per-driver-maintainers which is now showing results. We will see.
      
        The big news is two new drivers (Nuvoton NPCM and Qualcomm CCI),
        larger refactoring of the Designware, Tegra, and PXA drivers, the
        Cadence driver supports being a slave now, and there is support to
        instanciate SPD eeproms for well-known cases (which will be
        user-visible because the i801 driver supports it), and some
        devm_platform_ioremap_resource() conversions which blow up the
        diffstat.
      
        Note that I applied the Nuvoton driver quite late, so some minor fixup
        patches arrived during the merge window. I chose to apply them right
        away because they were trivial"
      
      * 'i2c/for-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: (109 commits)
        i2c: Drop stray comma in MODULE_AUTHOR statements
        i2c: npcm7xx: npcm_i2caddr[] can be static
        MAINTAINERS: npcm7xx: Add maintainer for Nuvoton NPCM BMC
        i2c: npcm7xx: Fix a couple of error codes in probe
        i2c: icy: Fix build with CONFIG_AMIGA_PCMCIA=n
        i2c: npcm7xx: Remove unnecessary parentheses
        i2c: npcm7xx: Add support for slave mode for Nuvoton
        i2c: npcm7xx: Add Nuvoton NPCM I2C controller driver
        dt-bindings: i2c: npcm7xx: add NPCM I2C controller
        i2c: pxa: don't error out if there's no pinctrl
        i2c: add 'single-master' property to generic bindings
        i2c: designware: Add Baikal-T1 System I2C support
        i2c: designware: Move reg-space remapping into a dedicated function
        i2c: designware: Retrieve quirk flags as early as possible
        i2c: designware: Convert driver to using regmap API
        i2c: designware: Discard Cherry Trail model flag
        i2c: designware: Add Baytrail sem config DW I2C platform dependency
        i2c: designware: slave: Set DW I2C core module dependency
        i2c: designware: Use `-y` to build multi-object modules
        dt-bindings: i2c: dw: Add Baikal-T1 SoC I2C controller
        ...
      91fa5884
    • Linus Torvalds's avatar
      Merge tag 'media/v5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · ac911b31
      Linus Torvalds authored
      Pull more media updates from Mauro Carvalho Chehab:
      
       - a set of atomisp patches. They remove several abstraction layers, and
         fixes clang and gcc warnings (that were hidden via some macros that
         were disabling 4 or 5 types of warnings there). There are also some
         important fixes and sensor auto-detection on newer BIOSes via ACPI
         _DCM tables.
      
       - some fixes
      
      * tag 'media/v5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (95 commits)
        media: rkvdec: Fix H264 scaling list order
        media: v4l2-ctrls: Unset correct HEVC loop filter flag
        media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size
        media: v4l2-subdev.rst: correct information about v4l2 events
        media: s5p-mfc: Properly handle dma_parms for the allocated devices
        media: medium: cec: Make MEDIA_CEC_SUPPORT default to n if !MEDIA_SUPPORT
        media: cedrus: Implement runtime PM
        media: cedrus: Program output format during each run
        media: atomisp: improve ACPI/DMI detection logs
        media: Revert "media: atomisp: add Asus Transform T101HA ACPI vars"
        media: Revert "media: atomisp: Add some ACPI detection info"
        media: atomisp: improve sensor detection code to use _DSM table
        media: atomisp: get rid of an iomem abstraction layer
        media: atomisp: get rid of a string_support.h abstraction layer
        media: atomisp: use strscpy() instead of less secure variants
        media: atomisp: set DFS to MAX if sensor doesn't report fps
        media: atomisp: use different dfs failed messages
        media: atomisp: change the detection of ISP2401 at runtime
        media: atomisp: use macros from intel-family.h
        media: atomisp: don't set hpll_freq twice with different values
        ...
      ac911b31
    • Linus Torvalds's avatar
      Merge tag 'libnvdimm-for-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · d74b15db
      Linus Torvalds authored
      Pull libnvdimm updates from Dan Williams:
       "Small collection of cleanups to rework usage of ->queuedata and the
        GUID api"
      
      * tag 'libnvdimm-for-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        nvdimm/pmem: stop using ->queuedata
        nvdimm/btt: stop using ->queuedata
        nvdimm/blk: stop using ->queuedata
        libnvdimm: Replace guid_copy() with import_guid() where it makes sense
      d74b15db
    • Linus Torvalds's avatar
      watch_queue: add gitignore for generated sample program · 298ce0fd
      Linus Torvalds authored
      Let's keep "git status" happy and quiet.
      
      Fixes: f5b5a164 ("Add sample notification program")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      298ce0fd
    • Linus Torvalds's avatar
      Merge tag 'iomap-5.8-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 593bd5e5
      Linus Torvalds authored
      Pull iomap fix from Darrick Wong:
       "A single iomap bug fix for a variable type mistake on 32-bit
        architectures, fixing an integer overflow problem in the unshare
        actor"
      
      * tag 'iomap-5.8-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        iomap: Fix unsharing of an extent >2GB on a 32-bit machine
      593bd5e5
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.8-merge-9' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · c5557227
      Linus Torvalds authored
      Pull xfs fix from Darrick Wong:
       "We've settled down into the bugfix phase; this one fixes a resource
        leak on an error bailout path"
      
      * tag 'xfs-5.8-merge-9' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: Add the missed xfs_perag_put() for xfs_ifree_cluster()
      c5557227
    • Linus Torvalds's avatar
      Merge tag '9p-for-5.8' of git://github.com/martinetd/linux · 61f3e825
      Linus Torvalds authored
      Pull 9p update from Dominique Martinet:
       "Another very quiet cycle... Only one commit: increase the size of the
        ring used for xen transport"
      
      * tag '9p-for-5.8' of git://github.com/martinetd/linux:
        9p/xen: increase XEN_9PFS_RING_ORDER
      61f3e825
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 08bf1a27
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
       "One fix for a recent change which broke nested KVM guests on Power9.
      
        Thanks to Alexey Kardashevskiy"
      
      * tag 'powerpc-5.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        KVM: PPC: Fix nested guest RC bits update
      08bf1a27
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · cfd230b3
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - fix for "hex" Kconfig default to use 0x0 rather than 0 to allow these
         to be removed from defconfigs
      
       - fix from Ard Biesheuvel for EFI HYP mode booting
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8985/1: efi/decompressor: deal with HYP mode boot gracefully
        ARM: 8984/1: Kconfig: set default ZBOOT_ROM_TEXT/BSS value to 0x0
      cfd230b3
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://github.com/openrisc/linux · 56192707
      Linus Torvalds authored
      Pull OpenRISC update from Stafford Horne:
       "One patch found wile I was getting the glibc port ready: fix issue
        with clone TLS arg getting overwritten"
      
      * tag 'for-linus' of git://github.com/openrisc/linux:
        openrisc: Fix issue with argument clobbering for clone/fork
      56192707
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha · 66125d93
      Linus Torvalds authored
      Pull alpha updates from Matt Turner:
       "A few changes for alpha. They're mostly small janitorial fixes but
        there's also a build fix and most notably a patch from Mikulas that
        fixes a hang on boot on the Avanti platform, which required quite a
        bit of work and review"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha:
        alpha: Fix build around srm_sysrq_reboot_op
        alpha: c_next should increase position index
        alpha: Replace sg++ with sg = sg_next(sg)
        alpha: fix memory barriers so that they conform to the specification
        alpha: remove unneeded semicolon in sys_eiger.c
        alpha: remove unneeded semicolon in osf_sys.c
        alpha: Replace strncmp with str_has_prefix
        alpha: fix rtc port ranges
        alpha: Kconfig: pedantic formatting
      66125d93
    • Linus Torvalds's avatar
      Merge tag 'ras-core-2020-06-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a9429089
      Linus Torvalds authored
      Pull x86 RAS updates from Thomas Gleixner:
       "RAS updates from Borislav Petkov:
      
         - Unmap a whole guest page if an MCE is encountered in it to avoid
           follow-on MCEs leading to the guest crashing, by Tony Luck.
      
           This change collided with the entry changes and the merge
           resolution would have been rather unpleasant. To avoid that the
           entry branch was merged in before applying this. The resulting code
           did not change over the rebase.
      
         - AMD MCE error thresholding machinery cleanup and hotplug
           sanitization, by Thomas Gleixner.
      
         - Change the MCE notifiers to denote whether they have handled the
           error and not break the chain early by returning NOTIFY_STOP, thus
           giving the opportunity for the later handlers in the chain to see
           it. By Tony Luck.
      
         - Add AMD family 0x17, models 0x60-6f support, by Alexander Monakov.
      
         - Last but not least, the usual round of fixes and improvements"
      
      * tag 'ras-core-2020-06-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (23 commits)
        x86/mce/dev-mcelog: Fix -Wstringop-truncation warning about strncpy()
        x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned
        EDAC/amd64: Add AMD family 17h model 60h PCI IDs
        hwmon: (k10temp) Add AMD family 17h model 60h PCI match
        x86/amd_nb: Add AMD family 17h model 60h PCI IDs
        x86/mcelog: Add compat_ioctl for 32-bit mcelog support
        x86/mce: Drop bogus comment about mce.kflags
        x86/mce: Fixup exception only for the correct MCEs
        EDAC: Drop the EDAC report status checks
        x86/mce: Add mce=print_all option
        x86/mce: Change default MCE logger to check mce->kflags
        x86/mce: Fix all mce notifiers to update the mce->kflags bitmask
        x86/mce: Add a struct mce.kflags field
        x86/mce: Convert the CEC to use the MCE notifier
        x86/mce: Rename "first" function as "early"
        x86/mce/amd, edac: Remove report_gart_errors
        x86/mce/amd: Make threshold bank setting hotplug robust
        x86/mce/amd: Cleanup threshold device remove path
        x86/mce/amd: Straighten CPU hotplug path
        x86/mce/amd: Sanitize thresholding device creation hotplug path
        ...
      a9429089
    • Linus Torvalds's avatar
      Merge tag 'x86-entry-2020-06-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 076f14be
      Linus Torvalds authored
      Pull x86 entry updates from Thomas Gleixner:
       "The x86 entry, exception and interrupt code rework
      
        This all started about 6 month ago with the attempt to move the Posix
        CPU timer heavy lifting out of the timer interrupt code and just have
        lockless quick checks in that code path. Trivial 5 patches.
      
        This unearthed an inconsistency in the KVM handling of task work and
        the review requested to move all of this into generic code so other
        architectures can share.
      
        Valid request and solved with another 25 patches but those unearthed
        inconsistencies vs. RCU and instrumentation.
      
        Digging into this made it obvious that there are quite some
        inconsistencies vs. instrumentation in general. The int3 text poke
        handling in particular was completely unprotected and with the batched
        update of trace events even more likely to expose to endless int3
        recursion.
      
        In parallel the RCU implications of instrumenting fragile entry code
        came up in several discussions.
      
        The conclusion of the x86 maintainer team was to go all the way and
        make the protection against any form of instrumentation of fragile and
        dangerous code pathes enforcable and verifiable by tooling.
      
        A first batch of preparatory work hit mainline with commit
        d5f744f9 ("Pull x86 entry code updates from Thomas Gleixner")
      
        That (almost) full solution introduced a new code section
        '.noinstr.text' into which all code which needs to be protected from
        instrumentation of all sorts goes into. Any call into instrumentable
        code out of this section has to be annotated. objtool has support to
        validate this.
      
        Kprobes now excludes this section fully which also prevents BPF from
        fiddling with it and all 'noinstr' annotated functions also keep
        ftrace off. The section, kprobes and objtool changes are already
        merged.
      
        The major changes coming with this are:
      
          - Preparatory cleanups
      
          - Annotating of relevant functions to move them into the
            noinstr.text section or enforcing inlining by marking them
            __always_inline so the compiler cannot misplace or instrument
            them.
      
          - Splitting and simplifying the idtentry macro maze so that it is
            now clearly separated into simple exception entries and the more
            interesting ones which use interrupt stacks and have the paranoid
            handling vs. CR3 and GS.
      
          - Move quite some of the low level ASM functionality into C code:
      
             - enter_from and exit to user space handling. The ASM code now
               calls into C after doing the really necessary ASM handling and
               the return path goes back out without bells and whistels in
               ASM.
      
             - exception entry/exit got the equivivalent treatment
      
             - move all IRQ tracepoints from ASM to C so they can be placed as
               appropriate which is especially important for the int3
               recursion issue.
      
          - Consolidate the declaration and definition of entry points between
            32 and 64 bit. They share a common header and macros now.
      
          - Remove the extra device interrupt entry maze and just use the
            regular exception entry code.
      
          - All ASM entry points except NMI are now generated from the shared
            header file and the corresponding macros in the 32 and 64 bit
            entry ASM.
      
          - The C code entry points are consolidated as well with the help of
            DEFINE_IDTENTRY*() macros. This allows to ensure at one central
            point that all corresponding entry points share the same
            semantics. The actual function body for most entry points is in an
            instrumentable and sane state.
      
            There are special macros for the more sensitive entry points, e.g.
            INT3 and of course the nasty paranoid #NMI, #MCE, #DB and #DF.
            They allow to put the whole entry instrumentation and RCU handling
            into safe places instead of the previous pray that it is correct
            approach.
      
          - The INT3 text poke handling is now completely isolated and the
            recursion issue banned. Aside of the entry rework this required
            other isolation work, e.g. the ability to force inline bsearch.
      
          - Prevent #DB on fragile entry code, entry relevant memory and
            disable it on NMI, #MC entry, which allowed to get rid of the
            nested #DB IST stack shifting hackery.
      
          - A few other cleanups and enhancements which have been made
            possible through this and already merged changes, e.g.
            consolidating and further restricting the IDT code so the IDT
            table becomes RO after init which removes yet another popular
            attack vector
      
          - About 680 lines of ASM maze are gone.
      
        There are a few open issues:
      
         - An escape out of the noinstr section in the MCE handler which needs
           some more thought but under the aspect that MCE is a complete
           trainwreck by design and the propability to survive it is low, this
           was not high on the priority list.
      
         - Paravirtualization
      
           When PV is enabled then objtool complains about a bunch of indirect
           calls out of the noinstr section. There are a few straight forward
           ways to fix this, but the other issues vs. general correctness were
           more pressing than parawitz.
      
         - KVM
      
           KVM is inconsistent as well. Patches have been posted, but they
           have not yet been commented on or picked up by the KVM folks.
      
         - IDLE
      
           Pretty much the same problems can be found in the low level idle
           code especially the parts where RCU stopped watching. This was
           beyond the scope of the more obvious and exposable problems and is
           on the todo list.
      
        The lesson learned from this brain melting exercise to morph the
        evolved code base into something which can be validated and understood
        is that once again the violation of the most important engineering
        principle "correctness first" has caused quite a few people to spend
        valuable time on problems which could have been avoided in the first
        place. The "features first" tinkering mindset really has to stop.
      
        With that I want to say thanks to everyone involved in contributing to
        this effort. Special thanks go to the following people (alphabetical
        order): Alexandre Chartre, Andy Lutomirski, Borislav Petkov, Brian
        Gerst, Frederic Weisbecker, Josh Poimboeuf, Juergen Gross, Lai
        Jiangshan, Macro Elver, Paolo Bonzin,i Paul McKenney, Peter Zijlstra,
        Vitaly Kuznetsov, and Will Deacon"
      
      * tag 'x86-entry-2020-06-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (142 commits)
        x86/entry: Force rcu_irq_enter() when in idle task
        x86/entry: Make NMI use IDTENTRY_RAW
        x86/entry: Treat BUG/WARN as NMI-like entries
        x86/entry: Unbreak __irqentry_text_start/end magic
        x86/entry: __always_inline CR2 for noinstr
        lockdep: __always_inline more for noinstr
        x86/entry: Re-order #DB handler to avoid *SAN instrumentation
        x86/entry: __always_inline arch_atomic_* for noinstr
        x86/entry: __always_inline irqflags for noinstr
        x86/entry: __always_inline debugreg for noinstr
        x86/idt: Consolidate idt functionality
        x86/idt: Cleanup trap_init()
        x86/idt: Use proper constants for table size
        x86/idt: Add comments about early #PF handling
        x86/idt: Mark init only functions __init
        x86/entry: Rename trace_hardirqs_off_prepare()
        x86/entry: Clarify irq_{enter,exit}_rcu()
        x86/entry: Remove DBn stacks
        x86/entry: Remove debug IDT frobbing
        x86/entry: Optimize local_db_save() for virt
        ...
      076f14be
    • Masahiro Yamada's avatar
      treewide: replace '---help---' in Kconfig files with 'help' · a7f7f624
      Masahiro Yamada authored
      Since commit 84af7a61 ("checkpatch: kconfig: prefer 'help' over
      '---help---'"), the number of '---help---' has been gradually
      decreasing, but there are still more than 2400 instances.
      
      This commit finishes the conversion. While I touched the lines,
      I also fixed the indentation.
      
      There are a variety of indentation styles found.
      
        a) 4 spaces + '---help---'
        b) 7 spaces + '---help---'
        c) 8 spaces + '---help---'
        d) 1 space + 1 tab + '---help---'
        e) 1 tab + '---help---'    (correct indentation)
        f) 1 tab + 1 space + '---help---'
        g) 1 tab + 2 spaces + '---help---'
      
      In order to convert all of them to 1 tab + 'help', I ran the
      following commend:
      
        $ find . -name 'Kconfig*' | xargs sed -i 's/^[[:space:]]*---help---/\thelp/'
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      a7f7f624
    • Linus Torvalds's avatar
      Merge tag 'notifications-20200601' of... · 6c329784
      Linus Torvalds authored
      Merge tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
      
      Pull notification queue from David Howells:
       "This adds a general notification queue concept and adds an event
        source for keys/keyrings, such as linking and unlinking keys and
        changing their attributes.
      
        Thanks to Debarshi Ray, we do have a pull request to use this to fix a
        problem with gnome-online-accounts - as mentioned last time:
      
           https://gitlab.gnome.org/GNOME/gnome-online-accounts/merge_requests/47
      
        Without this, g-o-a has to constantly poll a keyring-based kerberos
        cache to find out if kinit has changed anything.
      
        [ There are other notification pending: mount/sb fsinfo notifications
          for libmount that Karel Zak and Ian Kent have been working on, and
          Christian Brauner would like to use them in lxc, but let's see how
          this one works first ]
      
        LSM hooks are included:
      
         - A set of hooks are provided that allow an LSM to rule on whether or
           not a watch may be set. Each of these hooks takes a different
           "watched object" parameter, so they're not really shareable. The
           LSM should use current's credentials. [Wanted by SELinux & Smack]
      
         - A hook is provided to allow an LSM to rule on whether or not a
           particular message may be posted to a particular queue. This is
           given the credentials from the event generator (which may be the
           system) and the watch setter. [Wanted by Smack]
      
        I've provided SELinux and Smack with implementations of some of these
        hooks.
      
        WHY
        ===
      
        Key/keyring notifications are desirable because if you have your
        kerberos tickets in a file/directory, your Gnome desktop will monitor
        that using something like fanotify and tell you if your credentials
        cache changes.
      
        However, we also have the ability to cache your kerberos tickets in
        the session, user or persistent keyring so that it isn't left around
        on disk across a reboot or logout. Keyrings, however, cannot currently
        be monitored asynchronously, so the desktop has to poll for it - not
        so good on a laptop. This facility will allow the desktop to avoid the
        need to poll.
      
        DESIGN DECISIONS
        ================
      
         - The notification queue is built on top of a standard pipe. Messages
           are effectively spliced in. The pipe is opened with a special flag:
      
              pipe2(fds, O_NOTIFICATION_PIPE);
      
           The special flag has the same value as O_EXCL (which doesn't seem
           like it will ever be applicable in this context)[?]. It is given up
           front to make it a lot easier to prohibit splice&co from accessing
           the pipe.
      
           [?] Should this be done some other way?  I'd rather not use up a new
               O_* flag if I can avoid it - should I add a pipe3() system call
               instead?
      
           The pipe is then configured::
      
              ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, queue_depth);
              ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter);
      
           Messages are then read out of the pipe using read().
      
         - It should be possible to allow write() to insert data into the
           notification pipes too, but this is currently disabled as the
           kernel has to be able to insert messages into the pipe *without*
           holding pipe->mutex and the code to make this work needs careful
           auditing.
      
         - sendfile(), splice() and vmsplice() are disabled on notification
           pipes because of the pipe->mutex issue and also because they
           sometimes want to revert what they just did - but one or more
           notification messages might've been interleaved in the ring.
      
         - The kernel inserts messages with the wait queue spinlock held. This
           means that pipe_read() and pipe_write() have to take the spinlock
           to update the queue pointers.
      
         - Records in the buffer are binary, typed and have a length so that
           they can be of varying size.
      
           This allows multiple heterogeneous sources to share a common
           buffer; there are 16 million types available, of which I've used
           just a few, so there is scope for others to be used. Tags may be
           specified when a watchpoint is created to help distinguish the
           sources.
      
         - Records are filterable as types have up to 256 subtypes that can be
           individually filtered. Other filtration is also available.
      
         - Notification pipes don't interfere with each other; each may be
           bound to a different set of watches. Any particular notification
           will be copied to all the queues that are currently watching for it
           - and only those that are watching for it.
      
         - When recording a notification, the kernel will not sleep, but will
           rather mark a queue as having lost a message if there's
           insufficient space. read() will fabricate a loss notification
           message at an appropriate point later.
      
         - The notification pipe is created and then watchpoints are attached
           to it, using one of:
      
              keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fds[1], 0x01);
              watch_mount(AT_FDCWD, "/", 0, fd, 0x02);
              watch_sb(AT_FDCWD, "/mnt", 0, fd, 0x03);
      
           where in both cases, fd indicates the queue and the number after is
           a tag between 0 and 255.
      
         - Watches are removed if either the notification pipe is destroyed or
           the watched object is destroyed. In the latter case, a message will
           be generated indicating the enforced watch removal.
      
        Things I want to avoid:
      
         - Introducing features that make the core VFS dependent on the
           network stack or networking namespaces (ie. usage of netlink).
      
         - Dumping all this stuff into dmesg and having a daemon that sits
           there parsing the output and distributing it as this then puts the
           responsibility for security into userspace and makes handling
           namespaces tricky. Further, dmesg might not exist or might be
           inaccessible inside a container.
      
         - Letting users see events they shouldn't be able to see.
      
        TESTING AND MANPAGES
        ====================
      
         - The keyutils tree has a pipe-watch branch that has keyctl commands
           for making use of notifications. Proposed manual pages can also be
           found on this branch, though a couple of them really need to go to
           the main manpages repository instead.
      
           If the kernel supports the watching of keys, then running "make
           test" on that branch will cause the testing infrastructure to spawn
           a monitoring process on the side that monitors a notifications pipe
           for all the key/keyring changes induced by the tests and they'll
           all be checked off to make sure they happened.
      
              https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=pipe-watch
      
         - A test program is provided (samples/watch_queue/watch_test) that
           can be used to monitor for keyrings, mount and superblock events.
           Information on the notifications is simply logged to stdout"
      
      * tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        smack: Implement the watch_key and post_notification hooks
        selinux: Implement the watch_key security hook
        keys: Make the KEY_NEED_* perms an enum rather than a mask
        pipe: Add notification lossage handling
        pipe: Allow buffers to be marked read-whole-or-error for notifications
        Add sample notification program
        watch_queue: Add a key/keyring notification facility
        security: Add hooks to rule on setting a watch
        pipe: Add general notification queue support
        pipe: Add O_NOTIFICATION_PIPE
        security: Add a hook for the point of notification insertion
        uapi: General notification queue definitions
      6c329784
    • Ard Biesheuvel's avatar
      ARM: 8985/1: efi/decompressor: deal with HYP mode boot gracefully · db227c19
      Ard Biesheuvel authored
      EFI on ARM only supports short descriptors, and given that it mandates
      that the MMU and caches are on, it is implied that booting in HYP mode
      is not supported.
      
      However, implementations of EFI exist (i.e., U-Boot) that ignore this
      requirement, which is not entirely unreasonable, given that it makes
      HYP mode inaccessible to the operating system.
      
      So let's make sure that we can deal with this condition gracefully.
      We already tolerate booting the EFI stub with the caches off (even
      though this violates the EFI spec as well), and so we should deal
      with HYP mode boot with MMU and caches either on or off.
      
      - When the MMU and caches are on, we can ignore the HYP stub altogether,
        since we can carry on executing at HYP. We do need to ensure that we
        disable the MMU at HYP before entering the kernel proper.
      
      - When the MMU and caches are off, we have to drop to SVC mode so that
        we can set up the page tables using short descriptors. In this case,
        we need to install the HYP stub as usual, so that we can return to HYP
        mode before handing over to the kernel proper.
      Tested-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      db227c19