* refs/heads/tmp-9cdc723:
Revert "usb: dwc3: gadget: Fix logical condition"
Revert "FROMLIST: scsi: ufs-qcom: Adjust bus bandwidth voting and unvoting"
Linux 5.4.5
r8169: add missing RX enabling for WoL on RTL8125
net: mscc: ocelot: unregister the PTP clock on deinit
ionic: keep users rss hash across lif reset
xdp: obtain the mem_id mutex before trying to remove an entry.
page_pool: do not release pool until inflight == 0.
net/mlx5e: ethtool, Fix analysis of speed setting
net/mlx5e: Fix translation of link mode into speed
net/mlx5e: Fix freeing flow with kfree() and not kvfree()
net/mlx5e: Fix SFF 8472 eeprom length
act_ct: support asymmetric conntrack
net/mlx5e: Fix TXQ indices to be sequential
net: Fixed updating of ethertype in skb_mpls_push()
hsr: fix a NULL pointer dereference in hsr_dev_xmit()
Fixed updating of ethertype in function skb_mpls_pop
gre: refetch erspan header from skb->data after pskb_may_pull()
cls_flower: Fix the behavior using port ranges with hw-offload
net: sched: allow indirect blocks to bind to clsact in TC
net: core: rename indirect block ingress cb function
tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
tcp: tighten acceptance of ACKs not matching a child socket
tcp: fix rejected syncookies due to stale timestamps
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
net: ipv6: add net argument to ip6_dst_lookup_flow
net/mlx5e: Query global pause state before setting prio2buffer
tipc: fix ordering of tipc module init and exit routine
tcp: md5: fix potential overestimation of TCP option space
openvswitch: support asymmetric conntrack
net/tls: Fix return values to avoid ENOTSUPP
net: thunderx: start phy before starting autonegotiation
net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues
net: ethernet: ti: cpsw: fix extra rx interrupt
net: dsa: fix flow dissection on Tx path
net: bridge: deny dev_set_mac_address() when unregistering
mqprio: Fix out-of-bounds access in mqprio_dump
inet: protect against too small mtu values.
ANDROID: add initial ABI whitelist for android-5.4
ANDROID: abi update for 5.4.4
ANDROID: mm: Throttle rss_stat tracepoint
FROMLIST: vsprintf: Inline call to ptr_to_hashval
UPSTREAM: rss_stat: Add support to detect RSS updates of external mm
UPSTREAM: mm: emit tracepoint when RSS changes
Linux 5.4.4
EDAC/ghes: Do not warn when incrementing refcount on 0
r8169: fix rtl_hw_jumbo_disable for RTL8168evl
workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
blk-mq: make sure that line break can be printed
ext4: fix leak of quota reservations
ext4: fix a bug in ext4_wait_for_tail_page_commit
splice: only read in as much information as there is pipe buffer space
rtc: disable uie before setting time and enable after
USB: dummy-hcd: increase max number of devices to 32
powerpc: Define arch_is_kernel_initmem_freed() for lockdep
mm/shmem.c: cast the type of unmap_start to u64
s390/kaslr: store KASLR offset for early dumps
s390/smp,vdso: fix ASCE handling
firmware: qcom: scm: Ensure 'a0' status code is treated as signed
ext4: work around deleting a file with i_nlink == 0 safely
mm: memcg/slab: wait for !root kmem_cache refcnt killing on root kmem_cache destruction
mfd: rk808: Fix RK818 ID template
mm, memfd: fix COW issue on MAP_PRIVATE and F_SEAL_FUTURE_WRITE mappings
powerpc: Fix vDSO clock_getres()
powerpc: Avoid clang warnings around setjmp and longjmp
omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251
omap: pdata-quirks: revert pandora specific gpiod additions
iio: ad7949: fix channels mixups
iio: ad7949: kill pointless "readback"-handling code
Revert "scsi: qla2xxx: Fix memory leak when sending I/O fails"
scsi: qla2xxx: Fix a dma_pool_free() call
scsi: qla2xxx: Fix SRB leak on switch command timeout
reiserfs: fix extended attributes on the root directory
ext4: Fix credit estimate for final inode freeing
quota: fix livelock in dquot_writeback_dquots
seccomp: avoid overflow in implicit constant conversion
ext2: check err when partial != NULL
quota: Check that quota is not dirty before release
video/hdmi: Fix AVI bar unpack
powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts
powerpc: Allow flush_icache_range to work across ranges >4GB
powerpc/xive: Prevent page fault issues in the machine crash handler
powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
coresight: Serialize enabling/disabling a link device.
stm class: Lose the protocol driver when dropping its reference
ppdev: fix PPGETTIME/PPSETTIME ioctls
RDMA/core: Fix ib_dma_max_seg_size()
ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity
mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card
pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
pinctrl: samsung: Fix device node refcount leaks in init code
pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
pinctrl: samsung: Fix device node refcount leaks in Exynos wakeup controller init
pinctrl: samsung: Add of_node_put() before return in error path
pinctrl: armada-37xx: Fix irq mask access in armada_37xx_irq_set_type()
pinctrl: rza2: Fix gpio name typos
ACPI: PM: Avoid attaching ACPI PM domain to certain devices
ACPI: EC: Rework flushing of pending work
ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
ACPI: OSL: only free map once in osl.c
ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge
ACPI: LPSS: Add dmi quirk for skipping _DEP check for some device-links
ACPI: LPSS: Add LNXVIDEO -> BYT I2C1 to lpss_device_links
ACPI: LPSS: Add LNXVIDEO -> BYT I2C7 to lpss_device_links
ACPI / utils: Move acpi_dev_get_first_match_dev() under CONFIG_ACPI
ALSA: hda/realtek - Line-out jack doesn't work on a Dell AIO
ALSA: oxfw: fix return value in error path of isochronous resources reservation
ALSA: fireface: fix return value in error path of isochronous resources reservation
cpufreq: powernv: fix stack bloat and hard limit on number of CPUs
PM / devfreq: Lock devfreq in trans_stat_show
intel_th: pci: Add Tiger Lake CPU support
intel_th: pci: Add Ice Lake CPU support
intel_th: Fix a double put_device() in error path
powerpc/perf: Disable trace_imc pmu
drm/panfrost: Open/close the perfcnt BO
perf tests: Fix out of bounds memory access
erofs: zero out when listxattr is called with no xattr
cpuidle: use first valid target residency as poll time
cpuidle: teo: Fix "early hits" handling for disabled idle states
cpuidle: teo: Consider hits and misses metrics of disabled states
cpuidle: teo: Rename local variable in teo_select()
cpuidle: teo: Ignore disabled idle states that are too deep
cpuidle: Do not unset the driver if it is there already
media: cec.h: CEC_OP_REC_FLAG_ values were swapped
media: radio: wl1273: fix interrupt masking on release
media: bdisp: fix memleak on release
media: vimc: sen: remove unused kthread_sen field
media: hantro: Fix picture order count table enable
media: hantro: Fix motion vectors usage condition
media: hantro: Fix s_fmt for dynamic resolution changes
s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported
ar5523: check NULL before memcpy() in ar5523_cmd()
wil6210: check len before memcpy() calls
cgroup: pids: use atomic64_t for pids->limit
blk-mq: avoid sysfs buffer overflow with too many CPU cores
md: improve handling of bio with REQ_PREFLUSH in md_flush_request()
ASoC: fsl_audmix: Add spin lock to protect tdms
ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
ASoC: rt5645: Fixed typo for buddy jack support.
ASoC: rt5645: Fixed buddy jack support.
workqueue: Fix pwq ref leak in rescuer_thread()
workqueue: Fix spurious sanity check failures in destroy_workqueue()
dm zoned: reduce overhead of backing device checks
dm writecache: handle REQ_FUA
hwrng: omap - Fix RNG wait loop timeout
ovl: relax WARN_ON() on rename to self
ovl: fix corner case of non-unique st_dev;st_ino
ovl: fix lookup failure on multi lower squashfs
lib: raid6: fix awk build warnings
rtlwifi: rtl8192de: Fix missing enable interrupt flag
rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address
btrfs: record all roots for rename exchange on a subvol
Btrfs: send, skip backreference walking for extents with many references
btrfs: Remove btrfs_bio::flags member
btrfs: Avoid getting stuck during cyclic writebacks
Btrfs: fix negative subv_writers counter and data space leak after buffered write
Btrfs: fix metadata space leak on fixup worker failure to set range as delalloc
btrfs: use refcount_inc_not_zero in kill_all_nodes
btrfs: use btrfs_block_group_cache_done in update_block_group
btrfs: check page->mapping when loading free space cache
iwlwifi: pcie: fix support for transmitting SKBs with fraglist
usb: typec: fix use after free in typec_register_port()
phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role"
usb: dwc3: ep0: Clear started flag on completion
usb: dwc3: gadget: Clear started flag for non-IOC
usb: dwc3: gadget: Fix logical condition
usb: dwc3: pci: add ID for the Intel Comet Lake -H variant
virtio-balloon: fix managed page counts when migrating pages between zones
virt_wifi: fix use-after-free in virt_wifi_newlink()
mtd: rawnand: Change calculating of position page containing BBM
mtd: spear_smi: Fix Write Burst mode
brcmfmac: disable PCIe interrupts before bus reset
EDAC/altera: Use fast register IO for S10 IRQs
tpm: Switch to platform_get_irq_optional()
tpm: add check after commands attribs tab allocation
usb: mon: Fix a deadlock in usbmon between mmap and read
usb: core: urb: fix URB structure initialization function
USB: adutux: fix interface sanity check
usb: roles: fix a potential use after free
USB: serial: io_edgeport: fix epic endpoint lookup
USB: idmouse: fix interface sanity checks
USB: atm: ueagle-atm: add missing endpoint check
iio: adc: ad7124: Enable internal reference
iio: adc: ad7606: fix reading unnecessary data from device
iio: imu: inv_mpu6050: fix temperature reporting using bad unit
iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
iio: adis16480: Fix scales factors
iio: imu: st_lsm6dsx: fix ODR check in st_lsm6dsx_write_raw
iio: adis16480: Add debugfs_reg_access entry
ARM: dts: pandora-common: define wl1251 as child node of mmc3
usb: common: usb-conn-gpio: Don't log an error on probe deferral
interconnect: qcom: qcs404: Walk the list safely on node removal
interconnect: qcom: sdm845: Walk the list safely on node removal
xhci: make sure interrupts are restored to correct state
xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
xhci: Increase STS_HALT timeout in xhci_suspend()
xhci: fix USB3 device initiated resume race with roothub autosuspend
xhci: Fix memory leak in xhci_add_in_port()
usb: xhci: only set D3hot for pci device
staging: gigaset: add endpoint-type sanity check
staging: gigaset: fix illegal free on probe errors
staging: gigaset: fix general protection fault on probe
staging: vchiq: call unregister_chrdev_region() when driver registration fails
staging: rtl8712: fix interface sanity check
staging: rtl8188eu: fix interface sanity check
staging: exfat: fix multiple definition error of `rename_file'
binder: fix incorrect calculation for num_valid
usb: host: xhci-tegra: Correct phy enable sequence
usb: Allow USB device to be warm reset in suspended state
USB: documentation: flags on usb-storage versus UAS
USB: uas: heed CAPACITY_HEURISTICS
USB: uas: honor flag to avoid CAPACITY16
media: venus: remove invalid compat_ioctl32 handler
ceph: fix compat_ioctl for ceph_dir_operations
compat_ioctl: add compat_ptr_ioctl()
scsi: qla2xxx: Fix memory leak when sending I/O fails
scsi: qla2xxx: Fix double scsi_done for abort path
scsi: qla2xxx: Fix driver unload hang
scsi: qla2xxx: Do command completion on abort timeout
scsi: zfcp: trace channel log even for FCP command responses
scsi: lpfc: Fix bad ndlp ptr in xri aborted handling
Revert "nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T"
nvme: Namepace identification descriptor list is optional
usb: gadget: pch_udc: fix use after free
usb: gadget: configfs: Fix missing spin_lock_init()
BACKPORT: FROMLIST: scsi: ufs: Export query request interfaces
ANDROID: update abi with unbindable_ports sysctl
BACKPORT: FROMLIST: net: introduce ip_local_unbindable_ports sysctl
ANDROID: update abi for 5.4.3 merge
ANDROID: update abi_gki_aarch64.xml for ion, drm changes
ANDROID: drivers: gpu: drm: export drm_mode_convert_umode symbol
ANDROID: ion: flush cache before exporting non-cached buffers
Linux 5.4.3
kselftest: Fix NULL INSTALL_PATH for TARGETS runlist
perf script: Fix invalid LBR/binary mismatch error
EDAC/ghes: Fix locking and memory barrier issues
watchdog: aspeed: Fix clock behaviour for ast2600
drm/mcde: Fix an error handling path in 'mcde_probe()'
md/raid0: Fix an error message in raid0_make_request()
cpufreq: imx-cpufreq-dt: Correct i.MX8MN's default speed grade value
ALSA: hda - Fix pending unsol events at shutdown
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
binder: Handle start==NULL in binder_update_page_range()
binder: Prevent repeated use of ->mmap() via NULL mapping
binder: Fix race between mmap() and binder_alloc_print_pages()
Revert "serial/8250: Add support for NI-Serial PXI/PXIe+485 devices"
vcs: prevent write access to vcsu devices
thermal: Fix deadlock in thermal thermal_zone_device_check
iomap: Fix pipe page leakage during splicing
bdev: Refresh bdev size for disks without partitioning
bdev: Factor out bdev revalidation into a common helper
rfkill: allocate static minor
RDMA/qib: Validate ->show()/store() callbacks before calling them
can: ucan: fix non-atomic allocation in completion handler
spi: Fix NULL pointer when setting SPI_CS_HIGH for GPIO CS
spi: Fix SPI_CS_HIGH setting when using native and GPIO CS
spi: atmel: Fix CS high support
spi: stm32-qspi: Fix kernel oops when unbinding driver
spi: spi-fsl-qspi: Clear TDH bits in FLSHCR register
crypto: user - fix memory leak in crypto_reportstat
crypto: user - fix memory leak in crypto_report
crypto: ecdh - fix big endian bug in ECC library
crypto: ccp - fix uninitialized list head
crypto: geode-aes - switch to skcipher for cbc(aes) fallback
crypto: af_alg - cast ki_complete ternary op to int
crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
KVM: x86: Grab KVM's srcu lock when setting nested state
KVM: x86: Remove a spurious export of a static function
KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
KVM: x86: do not modify masked bits of shared MSRs
KVM: arm/arm64: vgic: Don't rely on the wrong pending table
KVM: nVMX: Always write vmcs02.GUEST_CR3 during nested VM-Enter
KVM: PPC: Book3S HV: XIVE: Set kvm->arch.xive when VPs are allocated
KVM: PPC: Book3S HV: XIVE: Fix potential page leak on error path
KVM: PPC: Book3S HV: XIVE: Free previous EQ page when setting up a new one
arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
arm64: Validate tagged addresses in access_ok() called from kernel threads
drm/i810: Prevent underflow in ioctl
drm: damage_helper: Fix race checking plane->state->fb
drm/msm: fix memleak on release
jbd2: Fix possible overflow in jbd2_log_space_left()
kernfs: fix ino wrap-around detection
nfsd: restore NFSv3 ACL support
nfsd: Ensure CLONE persists data and metadata changes to the target file
can: slcan: Fix use-after-free Read in slcan_open
tty: vt: keyboard: reject invalid keycodes
CIFS: Fix SMB2 oplock break processing
CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
media: rc: mark input device as pointing stick
Input: Fix memory leak in psxpad_spi_probe
coresight: etm4x: Fix input validation for sysfs.
Input: goodix - add upside-down quirk for Teclast X89 tablet
Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
soc: mediatek: cmdq: fixup wrong input order of write api
ALSA: hda: Modify stream stripe mask only when needed
ALSA: hda - Add mute led support for HP ProBook 645 G4
ALSA: pcm: oss: Avoid potential buffer overflows
ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
SUNRPC: Avoid RPC delays when exiting suspend
io_uring: ensure req->submit is copied when req is deferred
io_uring: fix missing kmap() declaration on powerpc
fuse: verify attributes
fuse: verify write return
fuse: verify nlink
fuse: fix leak of fuse_io_priv
io_uring: transform send/recvmsg() -ERESTARTSYS to -EINTR
io_uring: fix dead-hung for non-iter fixed rw
mwifiex: Re-work support for SDIO HW reset
serial: ifx6x60: add missed pm_runtime_disable
serial: 8250_dw: Avoid double error messaging when IRQ absent
serial: stm32: fix clearing interrupt error flags
serial: serial_core: Perform NULL checks for break_ctl ops
serial: pl011: Fix DMA ->flush_buffer()
tty: serial: msm_serial: Fix flow control
tty: serial: fsl_lpuart: use the sg count from dma_map_sg
serial: 8250-mtk: Use platform_get_irq_optional() for optional irq
usb: gadget: u_serial: add missing port entry locking
staging/octeon: Use stubs for MIPS && !CAVIUM_OCTEON_SOC
mailbox: tegra: Fix superfluous IRQ error message
time: Zero the upper 32-bits in __kernel_timespec on 32-bit
lp: fix sparc64 LPSETTIMEOUT ioctl
sparc64: implement ioremap_uc
perf scripts python: exported-sql-viewer.py: Fix use of TRUE with SQLite
arm64: tegra: Fix 'active-low' warning for Jetson Xavier regulator
arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
rsi: release skb if rsi_prepare_beacon fails
FROMLIST: scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic
FROMLIST: scsi: ufs: Add dev ref clock gating wait time support
FROMLIST: scsi: ufs-qcom: Adjust bus bandwidth voting and unvoting
FROMLIST: scsi: ufs: Remove the check before call setup clock notify vops
FROMLIST: scsi: ufs: set load before setting voltage in regulators
FROMLIST: scsi: ufs: Flush exception event before suspend
FROMLIST: scsi: ufs: Do not rely on prefetched data
FROMLIST: scsi: ufs: Fix up clock scaling
FROMGIT: scsi: ufs: Do not free irq in suspend
FROMGIT: scsi: ufs: Do not clear the DL layer timers
FROMGIT: scsi: ufs: Release clock if DMA map fails
FROMGIT: scsi: ufs: Use DBD setting in mode sense
FROMGIT: scsi: core: Adjust DBD setting in MODE SENSE for caching mode page per LLD
FROMGIT: scsi: ufs: Complete pending requests in host reset and restore path
FROMGIT: scsi: ufs: Avoid messing up the compl_time_stamp of lrbs
FROMGIT: scsi: ufs: Update VCCQ2 and VCCQ min/max voltage hard codes
FROMGIT: scsi: ufs: Recheck bkops level if bkops is disabled
ANDROID: update abi_gki_aarch64.xml for LTO, CFI, and SCS
ANDROID: gki_defconfig: enable LTO, CFI, and SCS
ANDROID: update abi_gki_aarch64.xml for CONFIG_GNSS
ANDROID: cuttlefish_defconfig: Enable CONFIG_GNSS
ANDROID: gki_defconfig: enable HID configs
UPSTREAM: arm64: Validate tagged addresses in access_ok() called from kernel threads
ANDROID: kbuild: limit LTO inlining
ANDROID: kbuild: merge module sections with LTO
ANDROID: f2fs: fix possible merge of unencrypted with encrypted I/O
ANDROID: gki_defconfig: Enable UCLAMP by default
ANDROID: make sure proc mount options are applied
ANDROID: sound: usb: Add helper APIs to enable audio stream
ANDROID: Update ABI representation
ANDROID: Don't base allmodconfig on gki_defconfig
ANDROID: Disable UNWINDER_ORC for allmodconfig
ANDROID: ASoC: Fix 'allmodconfig' build break
Linux 5.4.2
platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
HID: core: check whether Usage Page item is after Usage ID items
crypto: talitos - Fix build error by selecting LIB_DES
Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
ext4: add more paranoia checking in ext4_expand_extra_isize handling
r8169: fix resume on cable plug-in
r8169: fix jumbo configuration for RTL8168evl
selftests: pmtu: use -oneline for ip route list cache
tipc: fix link name length check
selftests: bpf: correct perror strings
selftests: bpf: test_sockmap: handle file creation failures gracefully
net/tls: use sg_next() to walk sg entries
net/tls: remove the dead inplace_crypto code
selftests/tls: add a test for fragmented messages
net: skmsg: fix TLS 1.3 crash with full sk_msg
net/tls: free the record on encryption error
net/tls: take into account that bpf_exec_tx_verdict() may free the record
openvswitch: remove another BUG_ON()
openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
sctp: cache netns in sctp_ep_common
slip: Fix use-after-free Read in slip_open
sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
openvswitch: fix flow command message size
net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
net: psample: fix skb_over_panic
net: macb: add missed tasklet_kill
net: dsa: sja1105: fix sja1105_parse_rgmii_delays()
mdio_bus: don't use managed reset-controller
macvlan: schedule bc_work even if error
gve: Fix the queue page list allocated pages count
x86/fpu: Don't cache access to fpu_fpregs_owner_ctx
thunderbolt: Power cycle the router if NVM authentication fails
mei: me: add comet point V device id
mei: bus: prefix device names on bus with the bus name
USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
staging: rtl8723bs: Drop ACPI device ids
staging: rtl8192e: fix potential use after free
staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param()
usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
driver core: platform: use the correct callback type for bus_find_device
crypto: inside-secure - Fix stability issue with Macchiatobin
net: disallow ancillary data for __sys_{send,recv}msg_file()
net: separate out the msghdr copy from ___sys_{send,recv}msg()
io_uring: async workers should inherit the user creds
ANDROID: Update ABI representation
UPSTREAM: of: property: Add device link support for interrupt-parent, dmas and -gpio(s)
UPSTREAM: of: property: Fix the semantics of of_is_ancestor_of()
UPSTREAM: i2c: of: Populate fwnode in of_i2c_get_board_info()
UPSTREAM: regulator: core: Don't try to remove device links if add failed
UPSTREAM: driver core: Clarify documentation for fwnode_operations.add_links()
ANDROID: Update ABI representation
ANDROID: gki_defconfig: IIO=y
ANDROID: Update ABI representation
ANDROID: ASoC: core - add hostless DAI support
ANDROID: gki_defconfig: =m's applied for virtio configs in arm64
ANDROID: Update ABI representation after 5.4.1 merge
Linux 5.4.1
KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
powerpc/book3s64: Fix link stack flush on context switch
staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
USB: serial: option: add support for Foxconn T77W968 LTE modules
USB: serial: option: add support for DW5821e with eSIM support
USB: serial: mos7840: fix remote wakeup
USB: serial: mos7720: fix remote wakeup
USB: serial: mos7840: add USB ID to support Moxa UPort 2210
appledisplay: fix error handling in the scheduled work
USB: chaoskey: fix error case of a timeout
usb-serial: cp201x: support Mark-10 digital force gauge
usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()
usbip: tools: fix fd leakage in the function of read_attr_usbip_status
USBIP: add config dependency for SGL_ALLOC
ALSA: hda - Disable audio component for legacy Nvidia HDMI codecs
media: mceusb: fix out of bounds read in MCE receiver buffer
media: imon: invalid dereference in imon_touch_event
media: cxusb: detect cxusb_ctrl_msg error in query
media: b2c2-flexcop-usb: add sanity checking
media: uvcvideo: Fix error path in control parsing failure
futex: Prevent exit livelock
futex: Provide distinct return value when owner is exiting
futex: Add mutex around futex exit
futex: Provide state handling for exec() as well
futex: Sanitize exit state handling
futex: Mark the begin of futex exit explicitly
futex: Set task::futex_state to DEAD right after handling futex exit
futex: Split futex_mm_release() for exit/exec
exit/exec: Seperate mm_release()
futex: Replace PF_EXITPIDONE with a state
futex: Move futex exit handling into futex code
cpufreq: Add NULL checks to show() and store() methods of cpufreq
media: usbvision: Fix races among open, close, and disconnect
media: usbvision: Fix invalid accesses after device disconnect
media: vivid: Fix wrong locking that causes race conditions on streaming stop
media: vivid: Set vid_cap_streaming and vid_out_streaming to true
ALSA: usb-audio: Fix Scarlett 6i6 Gen 2 port data
ALSA: usb-audio: Fix NULL dereference at parsing BADD
futex: Prevent robust futex exit race
x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3
x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise
selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel
selftests/x86/mov_ss_trap: Fix the SYSENTER test
x86/entry/32: Fix NMI vs ESPFIX
x86/entry/32: Unwind the ESPFIX stack earlier on exception entry
x86/entry/32: Move FIXUP_FRAME after pushing %fs in SAVE_ALL
x86/entry/32: Use %ss segment where required
x86/entry/32: Fix IRET exception
x86/cpu_entry_area: Add guard page for entry stack on 32bit
x86/pti/32: Size initial_page_table correctly
x86/doublefault/32: Fix stack canaries in the double fault handler
x86/xen/32: Simplify ring check in xen_iret_crit_fixup()
x86/xen/32: Make xen_iret_crit_fixup() independent of frame layout
x86/stackframe/32: Repair 32-bit Xen PV
nbd: prevent memory leak
x86/speculation: Fix redundant MDS mitigation message
x86/speculation: Fix incorrect MDS/TAA mitigation status
x86/insn: Fix awk regexp warnings
md/raid10: prevent access of uninitialized resync_pages offset
Revert "dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues"
Revert "Bluetooth: hci_ll: set operational frequency earlier"
ath10k: restore QCA9880-AR1A (v1) detection
ath10k: Fix HOST capability QMI incompatibility
ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
ath9k_hw: fix uninitialized variable data
Bluetooth: Fix invalid-free in bcsp_close()
ANDROID: gki_defconfig: enable CONFIG_REGULATOR_FIXED_VOLTAGE
FROMLIST: crypto: arm64/sha: fix function types
ANDROID: arm64: kvm: disable CFI
ANDROID: arm64: add __nocfi to __apply_alternatives
ANDROID: arm64: add __pa_function
ANDROID: arm64: add __nocfi to functions that jump to a physical address
ANDROID: arm64: bpf: implement arch_bpf_jit_check_func
ANDROID: bpf: validate bpf_func when BPF_JIT is enabled with CFI
ANDROID: add support for Clang's Control Flow Integrity (CFI)
ANDROID: arm64: allow LTO_CLANG and THINLTO to be selected
FROMLIST: arm64: fix alternatives with LLVM's integrated assembler
FROMLIST: arm64: lse: fix LSE atomics with LLVM's integrated assembler
ANDROID: arm64: disable HAVE_ARCH_PREL32_RELOCATIONS with LTO_CLANG
ANDROID: arm64: vdso: disable LTO
ANDROID: irqchip/gic-v3: rename gic_of_init to work around a ThinLTO+CFI bug
ANDROID: soc/tegra: disable ARCH_TEGRA_210_SOC with LTO
ANDROID: init: ensure initcall ordering with LTO
ANDROID: drivers/misc/lkdtm: disable LTO for rodata.o
ANDROID: efi/libstub: disable LTO
ANDROID: scripts/mod: disable LTO for empty.c
ANDROID: kbuild: fix dynamic ftrace with clang LTO
ANDROID: kbuild: add support for Clang LTO
ANDROID: kbuild: add CONFIG_LD_IS_LLD
FROMGIT: driver core: platform: use the correct callback type for bus_find_device
FROMLIST: arm64: implement Shadow Call Stack
FROMLIST: arm64: disable SCS for hypervisor code
FROMLIST: arm64: vdso: disable Shadow Call Stack
FROMLIST: arm64: efi: restore x18 if it was corrupted
FROMLIST: arm64: preserve x18 when CPU is suspended
FROMLIST: arm64: reserve x18 from general allocation with SCS
FROMLIST: arm64: disable function graph tracing with SCS
FROMLIST: scs: add support for stack usage debugging
FROMLIST: scs: add accounting
FROMLIST: add support for Clang's Shadow Call Stack (SCS)
FROMLIST: arm64: kernel: avoid x18 in __cpu_soft_restart
FROMLIST: arm64: kvm: stop treating register x18 as caller save
FROMLIST: arm64/lib: copy_page: avoid x18 register in assembler code
FROMLIST: arm64: mm: avoid x18 in idmap_kpti_install_ng_mappings
ANDROID: clang: update to 10.0.1
ANDROID: update ABI representation
Conflicts:
Documentation/devicetree/bindings
Documentation/devicetree/bindings/net/wireless/qcom,ath10k.txt
arch/arm64/Kconfig
drivers/firmware/qcom_scm-64.c
drivers/hwtracing/coresight/coresight.c
drivers/scsi/ufs/ufs.h
drivers/scsi/ufs/ufshcd.c
drivers/scsi/ufs/ufshcd.h
drivers/scsi/ufs/unipro.h
drivers/staging/android/ion/heaps/ion_cma_heap.c
drivers/staging/android/ion/heaps/ion_system_heap.c
drivers/usb/dwc3/ep0.c
drivers/usb/dwc3/gadget.c
include/sound/pcm.h
include/sound/soc.h
kernel/exit.c
kernel/sched/core.c
Change-Id: I66ea973ddcafd352ba999a1dc98e04df33397e3b
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
This snapshot is taken from msm-4.19 as of commit 5debecbe7195
("trace: filter out spurious preemption and IRQs disable traces").
Change-Id: I8fab4084971baadcaa037f40ab549fc073a4b1ea
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
commit 18f694385c upstream.
Instead of relying on PF_EXITING use an explicit state for the futex exit
and set it in the futex exit function. This moves the smp barrier and the
lock/unlock serialization into the futex code.
As with the DEAD state this is restricted to the exit path as exec
continues to use the same task struct.
This allows to simplify that logic in a next step.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20191106224556.539409004@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4610ba7ad8 upstream.
mm_release() contains the futex exit handling. mm_release() is called from
do_exit()->exit_mm() and from exec()->exec_mm().
In the exit_mm() case PF_EXITING and the futex state is updated. In the
exec_mm() case these states are not touched.
As the futex exit code needs further protections against exit races, this
needs to be split into two functions.
Preparatory only, no functional change.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20191106224556.240518241@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3d4775df0a upstream.
The futex exit handling relies on PF_ flags. That's suboptimal as it
requires a smp_mb() and an ugly lock/unlock of the exiting tasks pi_lock in
the middle of do_exit() to enforce the observability of PF_EXITING in the
futex code.
Add a futex_state member to task_struct and convert the PF_EXITPIDONE logic
over to the new state. The PF_EXITING dependency will be cleaned up in a
later step.
This prepares for handling various futex exit issues later.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20191106224556.149449274@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove workarounds that were written before there was a grace period
after tasks left the runqueue in finish_task_switch().
In particular now that tasks exiting the runqueue experience
a RCU grace period none of the work performed by task_rcu_dereference()
except the rcu_dereference() is necessary so replace task_rcu_dereference()
with rcu_dereference().
Remove the code in rcuwait_wait_event() that checks to ensure the current
task has not exited. It is no longer necessary as it is guaranteed
that any running task will experience a RCU grace period after it
leaves the run queue.
Remove the comment in rcuwait_wake_up() as it is no longer relevant.
Ref: 8f95c90ceb ("sched/wait, RCU: Introduce rcuwait machinery")
Ref: 150593bf86 ("sched/api: Introduce task_rcu_dereference() and try_get_task_struct()")
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Kirill Tkhai <tkhai@yandex.ru>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russell King - ARM Linux admin <linux@armlinux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/87lfurdpk9.fsf_-_@x220.int.ebiederm.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Pull pidfd/waitid updates from Christian Brauner:
"This contains two features and various tests.
First, it adds support for waiting on process through pidfds by adding
the P_PIDFD type to the waitid() syscall. This completes the basic
functionality of the pidfd api (cf. [1]). In the meantime we also have
a new addition to the userspace projects that make use of the pidfd
api. The qt project was nice enough to send a mail pointing out that
they have a pr up to switch to the pidfd api (cf. [2]).
Second, this tag contains an extension to the waitid() syscall to make
it possible to wait on the current process group in a race free manner
(even though the actual problem is very unlikely) by specifying 0
together with the P_PGID type. This extension traces back to a
discussion on the glibc development mailing list.
There are also a range of tests for the features above. Additionally,
the test-suite which detected the pidfd-polling race we fixed in [3]
is included in this tag"
[1] https://lwn.net/Articles/794707/
[2] https://codereview.qt-project.org/c/qt/qtbase/+/108456
[3] commit b191d6491b ("pidfd: fix a poll race when setting exit_state")
* tag 'core-process-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
waitid: Add support for waiting for the current process group
tests: add pidfd poll tests
tests: move common definitions and functions into pidfd.h
pidfd: add pidfd_wait tests
pidfd: add P_PIDFD to waitid()
It was recently discovered that the linux version of waitid is not a
superset of the other wait functions because it does not include support
for waiting for the current process group. This has two downsides:
1. An extra system call is needed to get the current process group.
2. After the current process group is received and before it is passed
to waitid a signal could arrive causing the current process group to change.
Inherent race-conditions as these make it impossible for userspace to
emulate this functionality and thus violate async-signal safety
requirements for waitpid.
Arguments can be made for using a different choice of idtype and id
for this case but the BSDs already use this P_PGID and 0 to indicate
waiting for the current process's process group. So be nice to user
space programmers and don't introduce an unnecessary incompatibility.
Some people have noted that the posix description is that
waitpid will wait for the current process group, and that in
the presence of pthreads that process group can change. To get
clarity on this issue I looked at XNU, FreeBSD, and Luminos. All of
those flavors of unix waited for the current process group at the
time of call and as written could not adapt to the process group
changing after the call.
At one point Linux did adapt to the current process group changing but
that stopped in 161550d74c ("pid: sys_wait... fixes"). It has been
over 11 years since Linux has that behavior, no programs that fail
with the change in behavior have been reported, and I could not
find any other unix that does this. So I think it is safe to clarify
the definition of current process group, to current process group
at the time of the wait function.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Palmer Dabbelt <palmer@sifive.com>
Cc: Rich Felker <dalias@libc.org>
Cc: Alistair Francis <alistair23@gmail.com>
Cc: Zong Li <zongbox@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: GNU C Library <libc-alpha@sourceware.org>
Link: https://lore.kernel.org/r/20190814154400.6371-2-christian.brauner@ubuntu.com
This adds the P_PIDFD type to waitid().
One of the last remaining bits for the pidfd api is to make it possible
to wait on pidfds. With P_PIDFD added to waitid() the parts of userspace
that want to use the pidfd api to exclusively manage processes can do so
now.
One of the things this will unblock in the future is the ability to make
it possible to retrieve the exit status via waitid(P_PIDFD) for
non-parent processes if handed a _suitable_ pidfd that has this feature
set. This is similar to what you can do on FreeBSD with kqueue(). It
might even end up being possible to wait on a process as a non-parent if
an appropriate property is enabled on the pidfd.
With P_PIDFD no scoping of the process identified by the pidfd is
possible, i.e. it explicitly blocks things such as wait4(-1), wait4(0),
waitid(P_ALL), waitid(P_PGID) etc. It only allows for semantics
equivalent to wait4(pid), waitid(P_PID). Users that need scoping should
rely on pid-based wait*() syscalls for now.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/r/20190727222229.6516-2-christian@brauner.io
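The waitid(P_PIDFD) semantics described above, as an added user-space example (not code from the kernel tree or its selftests): waiting on one child's pidfd reaps exactly that child, even when a sibling has already exited. `struct child`, `spawn()`, `reap_child()`, `demo_targeted_reap()` and `EX_P_PIDFD` are hypothetical names; the syscall number 434 and the P_PIDFD value 3 are supplied locally as assumptions for libcs that predate them, and the code falls back to waitid(P_PID) on kernels without pidfd support.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434   /* assumption: generic syscall table (x86-64, arm64, ...) */
#endif
#define EX_P_PIDFD 3         /* value of P_PIDFD in the Linux UAPI; older libcs lack the name */

struct child {
    pid_t pid;
    int   pidfd;             /* -1 when pidfd_open() is unavailable */
};

/* Fork a child that sleeps delay_ms and exits with exit_code, and take a
 * pidfd on it. The pidfd keeps referring to this process, not to the number. */
static struct child spawn(int exit_code, unsigned delay_ms)
{
    struct child c = { .pid = fork(), .pidfd = -1 };

    if (c.pid == 0) {
        usleep(delay_ms * 1000);
        _exit(exit_code);
    }
    if (c.pid > 0)
        c.pidfd = (int)syscall(SYS_pidfd_open, c.pid, 0);
    return c;
}

/* Reap exactly the child described by c. Returns its exit status (0..255)
 * or -1 on error. *used_pidfd is set to 1 when P_PIDFD did the work. */
int reap_child(struct child *c, int *used_pidfd)
{
    siginfo_t info;
    int r = -1;

    *used_pidfd = 0;
    if (c->pid <= 0)
        return -1;
    memset(&info, 0, sizeof(info));

    if (c->pidfd >= 0) {
        do {
            r = waitid((idtype_t)EX_P_PIDFD, (id_t)c->pidfd, &info, WEXITED);
        } while (r < 0 && errno == EINTR);
        if (r == 0)
            *used_pidfd = 1;
        close(c->pidfd);
        c->pidfd = -1;
    }
    if (r < 0) {
        /* Kernel without pidfd_open() or P_PIDFD: pid-based equivalent. */
        do {
            r = waitid(P_PID, (id_t)c->pid, &info, WEXITED);
        } while (r < 0 && errno == EINTR);
    }
    if (r < 0 || info.si_pid != c->pid || info.si_code != CLD_EXITED)
        return -1;
    return info.si_status;
}

/* "fast" exits at once, "slow" about 100 ms later. Waiting on slow's pidfd
 * must return slow, although fast is already a zombie at that point.
 * Returns slow_status * 1000 + fast_status, or -1 on error. */
int demo_targeted_reap(void)
{
    int via_slow, via_fast, s, f;
    struct child fast, slow;

    signal(SIGCHLD, SIG_DFL);        /* make sure children are not auto-reaped */
    fast = spawn(11, 0);
    slow = spawn(42, 100);
    s = reap_child(&slow, &via_slow);
    f = reap_child(&fast, &via_fast);
    if (s < 0 || f < 0)
        return -1;
    return s * 1000 + f;
}

int main(void)
{
    printf("combined status: %d\n", demo_targeted_reap());
    return 0;
}
```

Because the wait is keyed on a file descriptor that refers to one specific process, a recycled PID number cannot redirect it to an unrelated process.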
Since commit b191d6491b ("pidfd: fix a poll race when setting exit_state")
we unconditionally set exit_state to EXIT_ZOMBIE before calling into
do_notify_parent(). This was done to eliminate a race when querying
exit_state in do_notify_pidfd().
Back then we decided to do the absolute minimal thing to fix this and
not touch the rest of the exit_notify() function where exit_state is
set.
Since this fix has not caused any issues change the setting of
exit_state to EXIT_DEAD in the autoreap case to account for the fact that
exit_state is set to EXIT_ZOMBIE unconditionally. This fix was planned
but also explicitly requested in [1] and makes the whole code more
consistent.
/* References */
[1]: https://lore.kernel.org/lkml/CAHk-=wigcxGFR2szue4wavJtH5cYTTeNES=toUBVGsmX0rzX+g@mail.gmail.com
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
There is a race between reading task->exit_state in pidfd_poll and
writing it after do_notify_parent calls do_notify_pidfd. Expected
sequence of events is:
CPU 0                            CPU 1
------------------------------------------------
exit_notify
  do_notify_parent
    do_notify_pidfd
  tsk->exit_state = EXIT_DEAD
                                 pidfd_poll
                                   if (tsk->exit_state)
However nothing prevents the following sequence:
CPU 0                            CPU 1
------------------------------------------------
exit_notify
  do_notify_parent
    do_notify_pidfd
                                 pidfd_poll
                                   if (tsk->exit_state)
  tsk->exit_state = EXIT_DEAD
This causes a polling task to wait forever, since poll blocks because
exit_state is 0 and the waiting task is not notified again. A stress
test continuously doing pidfd poll and process exits uncovered this bug.
To fix it, we make sure that the task's exit_state is always set before
calling do_notify_pidfd.
Fixes: b53b0b9d9a ("pidfd: add polling support")
Cc: kernel-team@android.com
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Link: https://lore.kernel.org/r/20190717172100.261204-1-joel@joelfernandes.org
[christian@brauner.io: adapt commit message and drop unneeded changes from wait_task_zombie]
Signed-off-by: Christian Brauner <christian@brauner.io>
cgroup_release() calls cgroup_subsys->release() which is used by the
pids controller to uncharge its pid. We want to use it to manage
iteration of dying tasks which requires putting it before
__unhash_process(). Move cgroup_release() above __exit_signal().
While this makes it uncharge before the pid is freed, pid is RCU freed
anyway and the window is very narrow.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Add SPDX license identifiers to all files which:
- Have no license information of any form
- Have EXPORT_.*_SYMBOL_GPL inside which was used in the
initial scan/conversion to ignore the file
These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:
GPL-2.0-only
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently, exit_ptrace() adds all ptraced tasks in a dead list, then
zap_pid_ns_processes() waits on all tasks in a current pidns, and only
then are tasks from the dead list released.
zap_pid_ns_processes() can get stuck on waiting tasks from the dead
list. In this case, we will have one unkillable process with one or
more dead children.
Thanks to Oleg for the advice to release tasks in find_child_reaper().
Link: http://lkml.kernel.org/r/20190110175200.12442-1-avagin@gmail.com
Fixes: 7c8bd2322c ("exit: ptrace: shift "reap dead" code from exit_ptrace() to forget_original_parent()")
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The only user of cgroup_subsys->free() callback is pids_cgrp_subsys which
needs pids_free() to uncharge the pid.
However, ->free() is called from __put_task_struct()->cgroup_free() and this
is too late. Even the trivial program which does
	for (;;) {
		int pid = fork();
		assert(pid >= 0);
		if (pid)
			wait(NULL);
		else
			exit(0);
	}
can run out of limits because release_task()->call_rcu(delayed_put_task_struct)
implies an RCU gp after the task/pid goes away and before the final put().
Test-case:
	mkdir -p /tmp/CG
	mount -t cgroup2 none /tmp/CG
	echo '+pids' > /tmp/CG/cgroup.subtree_control
	mkdir /tmp/CG/PID
	echo 2 > /tmp/CG/PID/pids.max
	perl -e 'while ($p = fork) { wait; } $p // die "fork failed: $!\n"' &
	echo $! > /tmp/CG/PID/cgroup.procs
Without this patch the forking process fails soon after migration.
Rename cgroup_subsys->free() to cgroup_subsys->release() and move the callsite
into the new helper, cgroup_release(), called by release_task() which actually
frees the pid(s).
Reported-by: Herton R. Krzesinski <hkrzesin@redhat.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
For some peculiar reason rcuwait_wake_up() has the right barrier in
the comment, but not in the code.
This mistake has been observed to cause a deadlock in the following
situation:
P1                                      P2

percpu_up_read()                        percpu_down_write()
  rcu_sync_is_idle() // false
                                          rcu_sync_enter()
                                          ...
  __percpu_up_read()

[S] ,- __this_cpu_dec(*sem->read_count)
    |  smp_rmb();
[L] |  task = rcu_dereference(w->task) // NULL
    |
    |                                   [S] w->task = current
    |                                       smp_mb();
    |                                   [L] readers_active_check() // fail
    `-> <store happens here>
Where the smp_rmb() (obviously) fails to constrain the store.
[ peterz: Added changelog. ]
Signed-off-by: Prateek Sood <prsood@codeaurora.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Acked-by: Davidlohr Bueso <dbueso@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 8f95c90ceb ("sched/wait, RCU: Introduce rcuwait machinery")
Link: https://lkml.kernel.org/r/1543590656-7157-1-git-send-email-prsood@codeaurora.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Pull networking fixes from David Miller:
1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
Gautier.
2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.
3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
Brivio.
4) Use after free in hns driver, from Yonglong Liu.
5) icmp6_send() needs to handle the case of NULL skb, from Eric
Dumazet.
6) Missing rcu read lock in __inet6_bind() when operating on mapped
addresses, from David Ahern.
7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.
8) Fix PHY vs r8169 module loading ordering issues, from Heiner
Kallweit.
9) Fix bridge vlan memory leak, from Ido Schimmel.
10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.
11) Infoleak in ipv6_local_error(), flow label isn't completely
initialized. From Eric Dumazet.
12) Handle mv88e6390 errata, from Andrew Lunn.
13) Making vhost/vsock CID hashing consistent, from Zha Bin.
14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.
15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
bnxt_en: Fix context memory allocation.
bnxt_en: Fix ring checking logic on 57500 chips.
mISDN: hfcsusb: Use struct_size() in kzalloc()
net: clear skb->tstamp in bridge forwarding path
net: bpfilter: disallow to remove bpfilter module while being used
net: bpfilter: restart bpfilter_umh when error occurred
net: bpfilter: use cleanup callback to release umh_info
umh: add exit routine for UMH process
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
vhost/vsock: fix vhost vsock cid hashing inconsistent
net: stmmac: Prevent RX starvation in stmmac_napi_poll()
net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
net: stmmac: Check if CBS is supported before configuring
net: stmmac: dwxgmac2: Only clear interrupts that are active
net: stmmac: Fix PCI module removal leak
tools/bpf: fix bpftool map dump with bitfields
tools/bpf: test btf bitfield with >=256 struct member offset
bpf: fix bpffs bitfield pretty print
net: ethernet: mediatek: fix warning in phy_start_aneg
tcp: change txhash on SYN-data timeout
...
A UMH process which is created by the fork_usermode_blob() such as
bpfilter needs to release members of the umh_info when process is
terminated.
But the do_exit() does not release members of the umh_info. Hence module
which uses UMH needs own code to detect whether UMH process is
terminated or not.
But this implementation needs extra code for checking the status of
UMH process. It eventually makes the code more complex.
The new PF_UMH flag is added and it is used to identify UMH processes.
The exit_umh() does not release members of the umh_info.
Hence umh_info->cleanup callback should release both members of the
umh_info and the private data.
Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Originally, the rule used to be that you'd have to do access_ok()
separately, and then user_access_begin() before actually doing the
direct (optimized) user access.
But experience has shown that people then decide not to do access_ok()
at all, and instead rely on it being implied by other operations or
similar. Which makes it very hard to verify that the access has
actually been range-checked.
If you use the unsafe direct user accesses, hardware features (either
SMAP - Supervisor Mode Access Protection - on x86, or PAN - Privileged
Access Never - on ARM) do force you to use user_access_begin(). But
nothing really forces the range check.
By putting the range check into user_access_begin(), we actually force
people to do the right thing (tm), and the range check will be visible
near the actual accesses. We have way too long a history of people
trying to avoid them.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted in this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This passes the information we already have at the call site
into group_send_sig_info. Ultimately allowing for better handling of
signals sent to a group of processes.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Everywhere except in the pid array we distinguish between a task's pid and
a task's tgid (thread group id). Even in the enumeration we want that
distinction sometimes so we have added __PIDTYPE_TGID. With leader_pid
we almost have an implementation of PIDTYPE_TGID in struct signal_struct.
Add PIDTYPE_TGID as a first class member of the pid_type enumeration and
into the pids array. Then remove the __PIDTYPE_TGID special case and the
leader_pid in signal_struct.
The net size increase is just an extra pointer added to struct pid and
an extra pair of pointers of an hlist_node added to task_struct.
The effect on code maintenance is the removal of a number of special
cases today and the potential to remove many more special cases as
PIDTYPE_TGID gets used to its fullest. The long term potential
is allowing zombie thread group leaders to exit, which will remove
a lot more special cases in the code.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
gcc toggle -fisolate-erroneous-paths-dereference (default at -O2
onwards) isolates faulty code paths such as null pointer access, divide
by zero etc. If gcc port doesn't implement __builtin_trap, an abort() is
generated which causes kernel link error.
In this case, gcc is generating abort due to 'divide by zero' in
lib/mpi/mpih-div.c.
Currently 'frv' and 'arc' are failing. Previously other arch was also
broken like m32r was fixed by commit d22e3d69ee ("m32r: fix build
failure").
Let's define this weak function which is common for all arch and fix the
problem permanently. We can even remove the arch specific 'abort' after
this is done.
Link: http://lkml.kernel.org/r/1513118956-8718-1-git-send-email-sudipm.mukherjee@gmail.com
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Please do not apply this to mainline directly, instead please re-run the
coccinelle script shown below and apply its output.
For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
preference to ACCESS_ONCE(), and new code is expected to use one of the
former. So far, there's been no reason to change most existing uses of
ACCESS_ONCE(), as these aren't harmful, and changing them results in
churn.
However, for some features, the read/write distinction is critical to
correct operation. To distinguish these cases, separate read/write
accessors must be used. This patch migrates (most) remaining
ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
coccinelle script:
----
// Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
// WRITE_ONCE()
// $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch
virtual patch
@ depends on patch @
expression E1, E2;
@@
- ACCESS_ONCE(E1) = E2
+ WRITE_ONCE(E1, E2)
@ depends on patch @
expression E;
@@
- ACCESS_ONCE(E)
+ READ_ONCE(E)
----
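Review bot: The second rule's `- ACCESS_ONCE(E)` matches every use the first rule leaves behind, including write-side uses that are not a plain `=` assignment (compound assignment, increment or decrement, `&ACCESS_ONCE(x)`), and rewrites them to READ_ONCE(E), which is not an lvalue. Those sites will fail to build after the conversion, so the changelog should say they need manual conversion, or the script should carry rules for them ahead of the catch-all; the message itself notes that the read/write distinction is critical for some features.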
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: davem@davemloft.net
Cc: linux-arch@vger.kernel.org
Cc: mpe@ellerman.id.au
Cc: shuah@kernel.org
Cc: snitzer@redhat.com
Cc: thor.thayer@linux.intel.com
Cc: tj@kernel.org
Cc: viro@zeniv.linux.org.uk
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
As pointed out by Linus and David, the earlier waitid() fix resulted in
a (currently harmless) unbalanced user_access_end() call. This fixes it
to just directly return EFAULT on access_ok() failure.
Fixes: 96ca579a1e ("waitid(): Add missing access_ok() checks")
Acked-by: David Daney <david.daney@cavium.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error. Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.
Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa7 ("wait4(2)/waitid(2): separate copying rusage to userland")
Cc: stable@vger.kernel.org # v4.13
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Pull namespace updates from Eric Biederman:
"Life has been busy and I have not gotten half as much done this round
as I would have liked. I delayed it so that a minor conflict
resolution with the mips tree could spend a little time in linux-next
before I sent this pull request.
This includes two long delayed user namespace changes from Kirill
Tkhai. It also includes a very useful change from Serge Hallyn that
allows the security capability attribute to be used inside of user
namespaces. The practical effect of this is people can now untar
tarballs and install rpms in user namespaces. It had been suggested to
generalize this and encode some of the namespace information
in the xattr name. Upon close inspection that makes the
things that should be hard easy and the things that should be easy
more expensive.
Then there is my bugfix/cleanup for signal injection that removes the
magic encoding of the siginfo union member from the kernel internal
si_code. The mips folks reported the case where I had used FPE_FIXME
is impossible so I have removed FPE_FIXME from mips, while at the
same time including a return statement in that case to keep gcc from
complaining about uninitialized variables.
I almost finished the work to get make copy_siginfo_to_user a trivial
copy to user. The code is available at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git neuter-copy_siginfo_to_user-v3
But I did not have time/energy to get the code posted and reviewed
before the merge window opened.
I was able to see that the security excuse for just copying fields
that we know are initialized doesn't work in practice there are buggy
initializations that don't initialize the proper fields in siginfo. So
we still sometimes copy uninitialized data to userspace"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
Introduce v3 namespaced file capabilities
mips/signal: In force_fcr31_sig return in the impossible case
signal: Remove kernel interal si_code magic
fcntl: Don't use ambiguous SIG_POLL si_codes
prctl: Allow local CAP_SYS_ADMIN changing exe_file
security: Use user_namespace::level to avoid redundant iterations in cap_capable()
userns,pidns: Verify the userns for new pid namespaces
signal/testing: Don't look for __SI_FAULT in userspace
signal/mips: Document a conflict with SI_USER with SIGFPE
signal/sparc: Document a conflict with SI_USER with SIGFPE
signal/ia64: Document a conflict with SI_USER with SIGFPE
signal/alpha: Document a conflict with SI_USER for SIGTRAP
Pull locking updates from Ingo Molnar:
- Add 'cross-release' support to lockdep, which allows APIs like
completions, where it's not the 'owner' who releases the lock, to be
tracked. It's all activated automatically under
CONFIG_PROVE_LOCKING=y.
- Clean up (restructure) the x86 atomics op implementation to be more
readable, in preparation of KASAN annotations. (Dmitry Vyukov)
- Fix static keys (Paolo Bonzini)
- Add killable versions of down_read() et al (Kirill Tkhai)
- Rework and fix jump_label locking (Marc Zyngier, Paolo Bonzini)
- Rework (and fix) tlb_flush_pending() barriers (Peter Zijlstra)
- Remove smp_mb__before_spinlock() and convert its usages, introduce
smp_mb__after_spinlock() (Peter Zijlstra)
* 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (56 commits)
locking/lockdep/selftests: Fix mixed read-write ABBA tests
sched/completion: Avoid unnecessary stack allocation for COMPLETION_INITIALIZER_ONSTACK()
acpi/nfit: Fix COMPLETION_INITIALIZER_ONSTACK() abuse
locking/pvqspinlock: Relax cmpxchg's to improve performance on some architectures
smp: Avoid using two cache lines for struct call_single_data
locking/lockdep: Untangle xhlock history save/restore from task independence
locking/refcounts, x86/asm: Disable CONFIG_ARCH_HAS_REFCOUNT for the time being
futex: Remove duplicated code and fix undefined behaviour
Documentation/locking/atomic: Finish the document...
locking/lockdep: Fix workqueue crossrelease annotation
workqueue/lockdep: 'Fix' flush_work() annotation
locking/lockdep/selftests: Add mixed read-write ABBA tests
mm, locking/barriers: Clarify tlb_flush_pending() barriers
locking/lockdep: Make CONFIG_LOCKDEP_CROSSRELEASE and CONFIG_LOCKDEP_COMPLETIONS truly non-interactive
locking/lockdep: Explicitly initialize wq_barrier::done::map
locking/lockdep: Rename CONFIG_LOCKDEP_COMPLETE to CONFIG_LOCKDEP_COMPLETIONS
locking/lockdep: Reword title of LOCKDEP_CROSSRELEASE config
locking/lockdep: Make CONFIG_LOCKDEP_CROSSRELEASE part of CONFIG_PROVE_LOCKING
locking/refcounts, x86/asm: Implement fast refcount overflow protection
locking/lockdep: Fix the rollback and overwrite detection logic in crossrelease
...
There is no agreed-upon definition of spin_unlock_wait()'s semantics, and
it appears that all callers could do just as well with a lock/unlock pair.
This commit therefore replaces the spin_unlock_wait() call in do_exit()
with spin_lock() followed immediately by spin_unlock(). This should be
safe from a performance perspective because the lock is a per-task lock,
and this is happening only at task-exit time.
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrea Parri <parri.andrea@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Currently, the exit-time support for TASKS_RCU is open-coded in do_exit().
This commit creates exit_tasks_rcu_start() and exit_tasks_rcu_finish()
APIs for do_exit() use. This has the benefit of confining the use of the
tasks_rcu_exit_srcu variable to one file, allowing it to become static.
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
struct siginfo is a union and the kernel since 2.4 has been hiding a union
tag in the high 16bits of si_code using the values:
__SI_KILL
__SI_TIMER
__SI_POLL
__SI_FAULT
__SI_CHLD
__SI_RT
__SI_MESGQ
__SI_SYS
While this looks plausible on the surface, in practice this situation has
not worked well.
- Injected positive signals are not copied to user space properly
unless they have these magic high bits set.
- Injected positive signals are not reported properly by signalfd
unless they have these magic high bits set.
- These kernel internal values leaked to userspace via ptrace_peek_siginfo
- It was possible to inject these kernel internal values and cause the
kernel to misbehave.
- Kernel developers got confused and expected these kernel internal values
in userspace in kernel self tests.
- Kernel developers got confused and set si_code to __SI_FAULT which
is SI_USER in userspace which causes userspace to think an ordinary user
sent the signal and that it was not kernel generated.
- The values make it impossible to reorganize the code to transform
siginfo_copy_to_user into a plain copy_to_user. As si_code must
be massaged before being passed to userspace.
So remove these kernel internal si codes and make the kernel code simpler
and more maintainable.
To replace these kernel internal magic si_codes introduce the helper
function siginfo_layout, that takes a signal number and an si_code and
computes which union member of siginfo is being used. Have
siginfo_layout return an enumeration so that gcc will have enough
information to warn if a switch statement does not handle all of union
members.
A couple of architectures have a messed up ABI that defines signal
specific duplications of SI_USER which causes more special cases in
siginfo_layout than I would like. The good news is only problem
architectures pay the cost.
Update all of the code that used the previous magic __SI_ values to
use the new SIL_ values and to call siginfo_layout to get those
values. Escept where not all of the cases are handled remove the
defaults in the switch statements so that if a new case is missed in
the future the lack will show up at compile time.
Modify the code that copies siginfo si_code to userspace to just copy
the value and not cast si_code to a short first. The high bits are no
longer used to hold a magic union member.
Fixup the siginfo header files to stop including the __SI_ values in
their constants and for the headers that were missing it to properly
update the number of si_codes for each signal type.
The fixes to copy_siginfo_from_user32 implementations have the
interesting property that several of them previously should never have
worked as the __SI_ values they depended upon were kernel internal.
With that dependency gone those implementations should work much
better.
The idea of not passing the __SI_ values out to userspace and then
not reinserting them has been tested with criu and criu worked without
changes.
Ref: 2.4.0-test1
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
We lose the distinction between "found a PID" and "nothing, but that's not
an error" a bit too early in waitid(). Easily fixed, fortunately...
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Fixes: 67d7ddded3 ("waitid(2): leave copyout of siginfo to syscall itself")
Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Pull wait syscall updates from Al Viro:
"Consolidating sys_wait* and compat counterparts.
Gets rid of set_fs()/double-copy mess, simplifies the whole thing
(lifting the copyouts to the syscalls means less headache in the part
that does actual work - fewer failure exits, to start with), gets rid
of the overhead of field-by-field __put_user()"
* 'work.sys_wait' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
osf_wait4: switch to kernel_wait4()
waitid(): switch copyout of siginfo to unsafe_put_user()
wait_task_zombie: consolidate info logics
kill wait_noreap_copyout()
lift getrusage() from wait_noreap_copyout()
waitid(2): leave copyout of siginfo to syscall itself
kernel_wait4()/kernel_waitid(): delay copying status to userland
wait4(2)/waitid(2): separate copying rusage to userland
move compat wait4 and waitid next to native variants
Rename:
wait_queue_t => wait_queue_entry_t
'wait_queue_t' was always a slight misnomer: its name implies that it's a "queue",
but in reality it's a queue *entry*. The 'real' queue is the wait queue head,
which had to carry the name.
Start sorting this out by renaming it to 'wait_queue_entry_t'.
This also allows the real structure name 'struct __wait_queue' to
lose its double underscore and become 'struct wait_queue_entry',
which is the more canonical nomenclature for such data types.
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>