Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.9.1 2024-05-17T10:18:09+00:00 2024-05-17T10:18:09+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-05-17T10:18:09+00:00 urn:sha1:b019fcc08127f9f9a50d19fe1ea1869607652838 Link: https://lore.kernel.org/r/20240515082345.213796290@linuxfoundation.org Tested-by: Ron Economos <re@w6rz.net> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Bagas Sanjaya <bagasdotme@gmail.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:18:09+00:00 Ben Greear greearb@candelatech.com 2024-03-27T00:11:31+00:00 urn:sha1:ddb02739a2be54ed922bce3cb57d5f901590ee70 commit 2f7cf3b61d85228ae749b6cb8eda1e1df9d4926f upstream. Looks like this was missed in the initial patch that made the conversion to the emulated chanctx drivers. Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") Tested-by: James Courtier-Dutton <james.dutton@gmail.com> Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:18:09+00:00 Silvio Gissi sifonsec@amazon.com 2024-03-15T19:05:39+00:00 urn:sha1:cc219cb8afbc40ec100c0de941047bb29373126a commit 9da27fb65a14c18efd4473e2e82b76b53ba60252 upstream. The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set by user-space is overwritten to TIME64_MAX, disabling further DNS updates. Fix this by restoring the condition that key_set_expiry is only called when the pre-parser sets a specific expiry. Fixes: 39299bdd2546 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry") Signed-off-by: Silvio Gissi <sifonsec@amazon.com> cc: David Howells <dhowells@redhat.com> cc: Hazem Mohamed Abuelfotoh <abuehaze@amazon.com> cc: linux-afs@lists.infradead.org cc: linux-cifs@vger.kernel.org cc: keyrings@vger.kernel.org cc: netdev@vger.kernel.org cc: stable@vger.kernel.org Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:18:09+00:00 Nikhil Rao nikhil.rao@intel.com 2024-04-24T15:16:12+00:00 urn:sha1:21a8f1ce35d3da4a830250f4e10a81b379807e39 commit 6827738dc684a87ad54ebba3ae7f3d7c977698eb upstream. After the patch to restrict the use of mmap() to CAP_SYS_RAWIO for the currently existing devices, most applications can no longer make use of the accelerators as in production "you don't run things as root". To keep the DSA and IAA accelerators usable, hook up a write() method so that applications can still submit work. In the write method, sufficient input validation is performed to avoid the security issue that required the mmap CAP_SYS_RAWIO check. One complication is that the DSA device allows for indirect ("batched") descriptors. There is no reasonable way to do the input validation on these indirect descriptors so the write() method will not allow these to be submitted to the hardware on affected hardware, and the sysfs enumeration of support for the opcode is also removed. Early performance data shows that the performance delta for most common cases is within the noise. Signed-off-by: Nikhil Rao <nikhil.rao@intel.com> Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:18:09+00:00 Arjan van de Ven arjan@linux.intel.com 2024-04-24T14:43:22+00:00 urn:sha1:8da3a84ebb9260b70b9127c4850c9a118f1eac12 commit e11452eb071b2a8e6ba52892b2e270bbdaa6640d upstream. On Sapphire Rapids and related platforms, the DSA and IAA devices have an erratum that causes direct access (for example, by using the ENQCMD or MOVDIR64 instructions) from untrusted applications to be a security problem. To solve this, add a flag to the PCI device enumeration and device structures to indicate the presence/absence of this security exposure. In the mmap() method of the device, this flag is then used to enforce that the user has the CAP_SYS_RAWIO capability. In a future patch, a write() based method will be added that allows untrusted applications submit work to the accelerator, where the kernel can do sanity checking on the user input to ensure secure operation of the accelerator. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-17T10:18:09+00:00 Arjan van de Ven arjan@linux.intel.com 2024-03-21T19:44:07+00:00 urn:sha1:fa20fd0f9cd9748490175f58091e7d695ef675a0 commit 95feb3160eef0caa6018e175a5560b816aee8e79 upstream. Due to an erratum with the SPR_DSA and SPR_IAX devices, it is not secure to assign these devices to virtual machines. Add the PCI IDs of these devices to the VFIO denylist to ensure that this is handled appropriately by the VFIO subsystem. The SPR_DSA and SPR_IAX devices are on-SOC devices for the Sapphire Rapids (and related) family of products that perform data movement and compression. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-12T21:12:29+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-05-12T21:12:29+00:00 urn:sha1:a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 2024-05-12T20:01:59+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-05-12T20:01:59+00:00 urn:sha1:af300a3959290b005f27ab5858bfebcb4840cd66 Pull Kselftest fixes from Mickaël Salaün: "Fix Kselftest's vfork() side effects. As reported by Kernel Test Robot and Sean Christopherson, some tests fail since v6.9-rc1 . This is due to the use of vfork() which introduced some side effects. Similarly, while making it more generic, a previous commit made some Landlock file system tests flaky, and subject to the host's file system mount configuration. This fixes all these side effects by replacing vfork() with clone3() and CLONE_VFORK, which is cleaner (no arbitrary shared memory) and makes the Kselftest framework more robust" Link: https://lore.kernel.org/oe-lkp/202403291015.1fcfa957-oliver.sang@intel.com Link: https://lore.kernel.org/r/ZjPelW6-AbtYvslu@google.com Link: https://lore.kernel.org/r/20240511171445.904356-1-mic@digikod.net * tag 'kselftest-fix-vfork-2024-05-12' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: selftests/harness: Handle TEST_F()'s explicit exit codes selftests/harness: Fix vfork() side effects selftests/harness: Share _metadata between forked processes selftests/pidfd: Fix wrong expectation selftests/harness: Constify fixture variants selftests/landlock: Do not allocate memory in fixture data selftests/harness: Fix interleaved scheduling leading to race conditions selftests/harness: Fix fixture teardown selftests/landlock: Fix FS tests when run on a private mount point selftests/pidfd: Fix config for pidfd_setns_test 2024-05-12T19:15:39+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-05-12T19:15:39+00:00 urn:sha1:2842076beb698b8b5f76aa9c987f4aa95b0e74d7 Pull kvm fix from Paolo Bonzini: - Fix NULL pointer read on s390 in ioctl(KVM_CHECK_EXTENSION) for /dev/kvm * tag 'for-linus-6.9' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M 2024-05-12T16:09:27+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-05-12T16:09:27+00:00 urn:sha1:ba16c1cf11c9f264b5455cb7d57267b39925409a Pull EDAC fix from Borislav Petkov: - Fix a race condition when clearing error count bits and toggling the error interrupt throug the same register, in synopsys_edac * tag 'edac_urgent_for_v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/synopsys: Fix ECC status and IRQ control race condition