asm/unaligned.h is always an include of asm-generic/unaligned.h;
might as well move that thing to linux/unaligned.h and include
that - there's nothing arch-specific in that header.
auto-generated by the following:
for i in `git grep -l -w asm/unaligned.h`; do
sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i
done
for i in `git grep -l -w asm-generic/unaligned.h`; do
sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i
done
git mv include/asm-generic/unaligned.h include/linux/unaligned.h
git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h
sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild
sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h
no_llseek had been defined to NULL two years ago, in commit 868941b144
("fs: remove no_llseek")
To quote that commit,
At -rc1 we'll need do a mechanical removal of no_llseek -
git grep -l -w no_llseek | grep -v porting.rst | while read i; do
sed -i '/\<no_llseek\>/d' $i
done
would do it.
Unfortunately, that hadn't been done. Linus, could you do that now, so
that we could finally put that thing to rest? All instances are of the
form
.llseek = no_llseek,
so it's obviously safe.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Pull char / misc driver updates from Greg KH:
"Here is the "big" set of char/misc and other driver subsystem changes
for 6.12-rc1.
Lots of changes in here, primarily dominated by the usual IIO driver
updates and additions, but there are also small driver subsystem
updates all over the place. Included in here are:
- lots and lots of new IIO drivers and updates to existing ones
- interconnect subsystem updates and new drivers
- nvmem subsystem updates and new drivers
- mhi driver updates
- power supply subsystem updates
- kobj_type const work for many different small subsystems
- comedi driver fix
- coresight subsystem and driver updates
- fpga subsystem improvements
- slimbus fixups
- binder new feature addition for "frozen" notifications
- lots and lots of other small driver updates and cleanups
All of these have been in linux-next for a long time with no reported
problems"
* tag 'char-misc-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (354 commits)
greybus: gb-beagleplay: Add firmware upload API
arm64: dts: ti: k3-am625-beagleplay: Add bootloader-backdoor-gpios to cc1352p7
dt-bindings: net: ti,cc1352p7: Add bootloader-backdoor-gpios
MAINTAINERS: Update path for U-Boot environment variables YAML
nvmem: layouts: add U-Boot env layout
comedi: ni_routing: tools: Check when the file could not be opened
ocxl: Remove the unused declarations in headr file
hpet: Fix the wrong format specifier
uio: Constify struct kobj_type
cxl: Constify struct kobj_type
binder: modify the comment for binder_proc_unlock
iio: adc: axp20x_adc: add support for AXP717 ADC
dt-bindings: iio: adc: Add AXP717 compatible
iio: adc: axp20x_adc: Add adc_en1 and adc_en2 to axp_data
w1: ds2482: Drop explicit initialization of struct i2c_device_id::driver_data to 0
tools: iio: rm .*.cmd when make clean
iio: adc: standardize on formatting for id match tables
iio: proximity: aw96103: Add support for aw96103/aw96105 proximity sensor
bus: mhi: host: pci_generic: Enable EDL trigger for Foxconn modems
bus: mhi: host: pci_generic: Update EDL firmware path for Foxconn modems
...
Pull non-MM updates from Andrew Morton:
"Many singleton patches - please see the various changelogs for
details.
Quite a lot of nilfs2 work this time around.
Notable patch series in this pull request are:
- "mul_u64_u64_div_u64: new implementation" by Nicolas Pitre, with
assistance from Uwe Kleine-König. Reimplement mul_u64_u64_div_u64()
to provide (much) more accurate results. The current implementation
was causing Uwe some issues in the PWM drivers.
- "xz: Updates to license, filters, and compression options" from
Lasse Collin. Miscellaneous maintenance and kinor feature work to
the xz decompressor.
- "Fix some GDB command error and add some GDB commands" from
Kuan-Ying Lee. Fixes and enhancements to the gdb scripts.
- "treewide: add missing MODULE_DESCRIPTION() macros" from Jeff
Johnson. Adds lots of MODULE_DESCRIPTIONs, thus fixing lots of
warnings about this.
- "nilfs2: add support for some common ioctls" from Ryusuke Konishi.
Adds various commonly-available ioctls to nilfs2.
- "This series fixes a number of formatting issues in kernel doc
comments" from Ryusuke Konishi does that.
- "nilfs2: prevent unexpected ENOENT propagation" from Ryusuke
Konishi. Fix issues where -ENOENT was being unintentionally and
inappropriately returned to userspace.
- "nilfs2: assorted cleanups" from Huang Xiaojia.
- "nilfs2: fix potential issues with empty b-tree nodes" from Ryusuke
Konishi fixes some issues which can occur on corrupted nilfs2
filesystems.
- "scripts/decode_stacktrace.sh: improve error reporting and
usability" from Luca Ceresoli does those things"
* tag 'mm-nonmm-stable-2024-09-21-07-52' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (103 commits)
list: test: increase coverage of list_test_list_replace*()
list: test: fix tests for list_cut_position()
proc: use __auto_type more
treewide: correct the typo 'retun'
ocfs2: cleanup return value and mlog in ocfs2_global_read_info()
nilfs2: remove duplicate 'unlikely()' usage
nilfs2: fix potential oob read in nilfs_btree_check_delete()
nilfs2: determine empty node blocks as corrupted
nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
user_namespace: use kmemdup_array() instead of kmemdup() for multiple allocation
tools/mm: rm thp_swap_allocator_test when make clean
squashfs: fix percpu address space issues in decompressor_multi_percpu.c
lib: glob.c: added null check for character class
nilfs2: refactor nilfs_segctor_thread()
nilfs2: use kthread_create and kthread_stop for the log writer thread
nilfs2: remove sc_timer_task
nilfs2: do not repair reserved inode bitmap in nilfs_new_inode()
nilfs2: eliminate the shared counter and spinlock for i_generation
nilfs2: separate inode type information from i_state field
nilfs2: use the BITS_PER_LONG macro
...
Pull MMC updates from Ulf Hansson:
"MMC core:
- Add documentation for the mmc-test driver
- Register the eMMC RPMB partition with the RPMB subsystem
- Some various cleanups
MMC host:
- dw_mmc-rockchip: Add support for the RK3576 variant
- renesas_sdhi: Add support for the RZ/V2H(P) variant
- sdhci_am654: Add a retry mechanism for tuning
- sdhci-atmel: Convert DT bindings to json schema
- sdhci-of-dwcmshc:
- Add eMMC HW reset support for BlueField-3 SoC
- Add support for the RK3576 variant
- Add support for the Sophgo SG2042 variant
- sdhci-of-ma35d1: Add new driver for the Nuvoton MA35D1 SDHCI
Misc/Tee:
- Add Replay Protected Memory Block (RPMB) subsystem
- Let optee probe RPMB device using RPMB subsystem"
* tag 'mmc-v6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (41 commits)
mmc: core: Use dev_err_probe for deferred regulators
optee: Fix a NULL vs IS_ERR() check
mmc: sdhci_am654: Add prints to tuning algorithm
mmc: sdhci_am654: Add retry tuning
dt-bindings: mmc: Add support for rk3576 eMMC
Documentation: mmc: Add mmc-test doc
rpmb: fix error path in rpmb_dev_register()
optee: add RPMB dependency
mmc: block: add RPMB dependency
mmc: core Convert UNSTUFF_BITS macro to inline function
dt-bindings: mmc: sdhci-atmel: Convert to json schema
mmc: core: Convert simple_stroul to kstroul
mmc: core: Calculate size from pointer
mmc: cqhci: Make use of cqhci_halted() routine
mmc: core: Replace the argument of mmc_sd_switch() with defines
mmc: dw_mmc-rockchip: Add support for rk3576 SoCs
mmc: dw_mmc-rockchip: Add internal phase support
dt-bindings: mmc: Add support for rk3576 dw-mshc
mmc: sdhci-of-dwcmshc: Add hw_reset() support for BlueField-3 SoC
mmc: core: remove left-over data structure declarations
...
Until this patch was rpmb_dev_register() always freeing rdev in the error
path. However, past device_register() it must not do that since the memory
is now managed by the device even if it failed to register properly. So fix
this by doing a put_device() before returning the error code.
Fixes the smatch warning:
drivers/misc/rpmb-core.c:204 rpmb_dev_register()
warn: freeing device managed memory (leak): 'rdev'
Fixes: 1e9046e3a1 ("rpmb: add Replay Protected Memory Block (RPMB) subsystem")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Link: https://lore.kernel.org/r/20240902105803.2885544-1-jens.wiklander@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.
It is possible though to create two resources with different types
but same handle (same context and resource fields).
When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.
BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0
This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
Fixes: bc63dedb7d ("VMCI: resource object implementation.")
Cc: stable@vger.kernel.org
Reported-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@oracle.com>
Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A number of storage technologies support a specialised hardware
partition designed to be resistant to replay attacks. The underlying
HW protocols differ but the operations are common. The RPMB partition
cannot be accessed via standard block layer, but by a set of specific
RPMB commands. Such a partition provides authenticated and replay
protected access, hence suitable as a secure storage.
The initial aim of this patch is to provide a simple RPMB driver
interface which can be accessed by the optee driver to facilitate early
RPMB access to OP-TEE OS (secure OS) during the boot time.
A TEE device driver can claim the RPMB interface, for example, via
rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
provides a callback to route RPMB frames to the RPMB device accessible
via rpmb_route_frames().
The detailed operation of implementing the access is left to the TEE
device driver itself.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Shyam Saini <shyamsaini@linux.microsoft.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Tested-by: Manuel Traut <manut@mecka.net>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20240814153558.708365-2-jens.wiklander@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Pull char / misc fixes from Greg KH:
"Here are some small char/misc fixes for 6.11-rc4 to resolve reported
problems. Included in here are:
- fastrpc revert of a change that broke userspace
- xillybus fixes for reported issues
Half of these have been in linux-next this week with no reported
problems, I don't know if the last bit of xillybus driver changes made
it in, but they are 'obviously correct' so will be safe :)"
* tag 'char-misc-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
char: xillybus: Check USB endpoints when probing device
char: xillybus: Refine workqueue handling
Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD"
char: xillybus: Don't destroy workqueue from work item running on it
Pull hardening fixes from Kees Cook:
- gcc-plugins: randstruct: Remove GCC 4.7 or newer requirement
(Thorsten Blum)
- kallsyms: Clean up interaction with LTO suffixes (Song Liu)
- refcount: Report UAF for refcount_sub_and_test(0) when counter==0
(Petr Pavlu)
- kunit/overflow: Avoid misallocation of driver name (Ivan Orlov)
* tag 'hardening-v6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
kallsyms: Do not cleanup .llvm.<hash> suffix before sorting symbols
kunit/overflow: Fix UB in overflow_allocation_test
gcc-plugins: randstruct: Remove GCC 4.7 or newer requirement
refcount: Report UAF for refcount_sub_and_test(0) when counter==0
The test for access watchpoints (hw_access_break_test) was broken
(always failed) because the compiler optimized out the write to the
static helper variable (hw_break_val2), as it is never read anywhere.
This resulted in the target variable (hw_break_val) not being accessed
and thus the breakpoint not being triggered.
Remove the helper variable (hw_break_val2), and use READ_ONCE to force
reading the target variable (hw_break_val).
Signed-off-by: Florian Rommel <mail@florommel.de>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20240812085459.291741-1-mail@florommel.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When a reference counter is at zero and refcount_sub_and_test() is invoked
to subtract zero, the function accepts this request without any warning and
returns true. This behavior does not seem ideal because the counter being
already at zero indicates a use-after-free. Furthermore, returning true by
refcount_sub_and_test() in this case potentially results in a double-free
done by its caller.
Modify the underlying function __refcount_sub_and_test() to warn about this
case as a use-after-free and have it return false to avoid the potential
double-free.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20240717130023.5675-1-petr.pavlu@suse.com
Signed-off-by: Kees Cook <kees@kernel.org>
The CXL driver has its own custom implementations of typed DT property
accessors. Replace the custom property accessor functions with the
common DT property functions.
This clean-up is part of a larger effort to remove of_get_property() and
other DT functions which leak pointers to DT node and property data.
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Link: https://lore.kernel.org/r/20240729-dt-cxl-cleanup-v1-2-a75eea80d231@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
