1. 25 Oct, 2023 1 commit
    • Aneesh Kumar K.V's avatar
      powerpc/mm: Avoid calling arch_enter/leave_lazy_mmu() in set_ptes · 47b8def9
      Aneesh Kumar K.V authored
      With commit 9fee28ba ("powerpc: implement the new page table range
      API") we added set_ptes to powerpc architecture. The implementation
      included calling arch_enter/leave_lazy_mmu() calls.
      
      The patch removes the usage of arch_enter/leave_lazy_mmu() because
      set_pte is not supposed to be used when updating a pte entry. Powerpc
      architecture uses this rule to skip the expensive tlb invalidate which
      is not needed when you are setting up the pte for the first time. See
      commit 56eecdb9 ("mm: Use ptep/pmdp_set_numa() for updating
      _PAGE_NUMA bit") for more details
      
      The patch also makes sure we are not using the interface to update a
      valid/present pte entry by adding VM_WARN_ON check all the ptes we
      are setting up. Furthermore, we add a comment to set_pte_filter to
      clarify it can only update folio-related flags and cannot filter
      pfn specific details in pte filtering.
      
      Removal of arch_enter/leave_lazy_mmu() also will avoid nesting of
      these functions that are not supported. For ex:
      
      remap_pte_range()
        -> arch_enter_lazy_mmu()
        -> set_ptes()
            -> arch_enter_lazy_mmu()
            -> arch_leave_lazy_mmu()
        -> arch_leave_lazy_mmu()
      
      Fixes: 9fee28ba ("powerpc: implement the new page table range API")
      Signed-off-by: default avatar"Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20231024143604.16749-1-aneesh.kumar@linux.ibm.com
      47b8def9
  2. 23 Oct, 2023 1 commit
    • Michael Ellerman's avatar
      powerpc/mm: Fix boot crash with FLATMEM · daa9ada2
      Michael Ellerman authored
      Erhard reported that his G5 was crashing with v6.6-rc kernels:
      
        mpic: Setting up HT PICs workarounds for U3/U4
        BUG: Unable to handle kernel data access at 0xfeffbb62ffec65fe
        Faulting instruction address: 0xc00000000005dc40
        Oops: Kernel access of bad area, sig: 11 [#1]
        BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper/0 Tainted: G                T  6.6.0-rc3-PMacGS #1
        Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac
        NIP:  c00000000005dc40 LR: c000000000066660 CTR: c000000000007730
        REGS: c0000000022bf510 TRAP: 0380   Tainted: G                T (6.6.0-rc3-PMacGS)
        MSR:  9000000000001032 <SF,HV,ME,IR,DR,RI>  CR: 44004242  XER: 00000000
        IRQMASK: 3
        GPR00: 0000000000000000 c0000000022bf7b0 c0000000010c0b00 00000000000001ac
        GPR04: 0000000003c80000 0000000000000300 c0000000f20001ae 0000000000000300
        GPR08: 0000000000000006 feffbb62ffec65ff 0000000000000001 0000000000000000
        GPR12: 9000000000001032 c000000002362000 c000000000f76b80 000000000349ecd8
        GPR16: 0000000002367ba8 0000000002367f08 0000000000000006 0000000000000000
        GPR20: 00000000000001ac c000000000f6f920 c0000000022cd985 000000000000000c
        GPR24: 0000000000000300 00000003b0a3691d c0003e008030000e 0000000000000000
        GPR28: c00000000000000c c0000000f20001ee feffbb62ffec65fe 00000000000001ac
        NIP hash_page_do_lazy_icache+0x50/0x100
        LR  __hash_page_4K+0x420/0x590
        Call Trace:
          hash_page_mm+0x364/0x6f0
          do_hash_fault+0x114/0x2b0
          data_access_common_virt+0x198/0x1f0
        --- interrupt: 300 at mpic_init+0x4bc/0x10c4
        NIP:  c000000002020a5c LR: c000000002020a04 CTR: 0000000000000000
        REGS: c0000000022bf9f0 TRAP: 0300   Tainted: G                T (6.6.0-rc3-PMacGS)
        MSR:  9000000000001032 <SF,HV,ME,IR,DR,RI>  CR: 24004248  XER: 00000000
        DAR: c0003e008030000e DSISR: 40000000 IRQMASK: 1
        ...
        NIP mpic_init+0x4bc/0x10c4
        LR  mpic_init+0x464/0x10c4
        --- interrupt: 300
          pmac_setup_one_mpic+0x258/0x2dc
          pmac_pic_init+0x28c/0x3d8
          init_IRQ+0x90/0x140
          start_kernel+0x57c/0x78c
          start_here_common+0x1c/0x20
      
      A bisect pointed to the breakage beginning with commit 9fee28ba ("powerpc:
      implement the new page table range API").
      
      Analysis of the oops pointed to a struct page with a corrupted
      compound_head being loaded via page_folio() -> _compound_head() in
      hash_page_do_lazy_icache().
      
      The access by the mpic code is to an MMIO address, so the expectation
      is that the struct page for that address would be initialised by
      init_unavailable_range(), as pointed out by Aneesh.
      
      Instrumentation showed that was not the case, which eventually lead to
      the realisation that pfn_valid() was returning false for that address,
      causing the struct page to not be initialised.
      
      Because the system is using FLATMEM, the version of pfn_valid() in
      memory_model.h is used:
      
      static inline int pfn_valid(unsigned long pfn)
      {
      	...
      	return pfn >= pfn_offset && (pfn - pfn_offset) < max_mapnr;
      }
      
      Which relies on max_mapnr being initialised. Early in boot max_mapnr is
      zero meaning no PFNs are valid.
      
      max_mapnr is initialised in mem_init() called via:
      
        start_kernel()
          mm_core_init()  # init/main.c:928
            mem_init()
      
      But that is too late for the usage in init_unavailable_range() called via:
      
        start_kernel()
          setup_arch()    # init/main.c:893
            paging_init()
              free_area_init()
                init_unavailable_range()
      
      Although max_mapnr is currently set in mem_init(), the value is actually
      already available much earlier, as soon as mem_topology_setup() has
      completed, which is also before paging_init() is called. So move the
      initialisation there, which causes paging_init() to correctly initialise
      the struct page and fixes the bug.
      
      This bug seems to have been lurking for years, but went unnoticed
      because the pre-folio code was inspecting the uninitialised page->flags
      but not dereferencing it.
      
      Thanks to Erhard and Aneesh for help debugging.
      Reported-by: default avatarErhard Furtner <erhard_f@mailbox.org>
      Closes: https://lore.kernel.org/all/20230929132750.3cd98452@yea/Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20231023112500.1550208-1-mpe@ellerman.id.au
      daa9ada2
  3. 18 Oct, 2023 1 commit
  4. 17 Oct, 2023 1 commit
    • Michael Ellerman's avatar
      powerpc/64s/radix: Don't warn on copros in radix__tlb_flush() · 20045f01
      Michael Ellerman authored
      Sachin reported a warning when running the inject-ra-err selftest:
      
        # selftests: powerpc/mce: inject-ra-err
        Disabling lock debugging due to kernel taint
        MCE: CPU19: machine check (Severe)  Real address Load/Store (foreign/control memory) [Not recovered]
        MCE: CPU19: PID: 5254 Comm: inject-ra-err NIP: [0000000010000e48]
        MCE: CPU19: Initiator CPU
        MCE: CPU19: Unknown
        ------------[ cut here ]------------
        WARNING: CPU: 19 PID: 5254 at arch/powerpc/mm/book3s64/radix_tlb.c:1221 radix__tlb_flush+0x160/0x180
        CPU: 19 PID: 5254 Comm: inject-ra-err Kdump: loaded Tainted: G   M        E      6.6.0-rc3-00055-g9ed22ae6 #4
        Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1030.20 (NH1030_058) hv:phyp pSeries
        ...
        NIP radix__tlb_flush+0x160/0x180
        LR  radix__tlb_flush+0x104/0x180
        Call Trace:
          radix__tlb_flush+0xf4/0x180 (unreliable)
          tlb_finish_mmu+0x15c/0x1e0
          exit_mmap+0x1a0/0x510
          __mmput+0x60/0x1e0
          exit_mm+0xdc/0x170
          do_exit+0x2bc/0x5a0
          do_group_exit+0x4c/0xc0
          sys_exit_group+0x28/0x30
          system_call_exception+0x138/0x330
          system_call_vectored_common+0x15c/0x2ec
      
      And bisected it to commit e43c0a0c ("powerpc/64s/radix: combine
      final TLB flush and lazy tlb mm shootdown IPIs"), which added a warning
      in radix__tlb_flush() if mm->context.copros is still elevated.
      
      However it's possible for the copros count to be elevated if a process
      exits without first closing file descriptors that are associated with a
      copro, eg. VAS.
      
      If the process exits with a VAS file still open, the release callback
      is queued up for exit_task_work() via:
        exit_files()
          put_files_struct()
            close_files()
              filp_close()
                fput()
      
      And called via:
        exit_task_work()
          ____fput()
            __fput()
              file->f_op->release(inode, file)
                coproc_release()
                  vas_user_win_ops->close_win()
                    vas_deallocate_window()
                      mm_context_remove_vas_window()
                        mm_context_remove_copro()
      
      But that is after exit_mm() has been called from do_exit() and triggered
      the warning.
      
      Fix it by dropping the warning, and always calling __flush_all_mm().
      
      In the normal case of no copros, that will result in a call to
      _tlbiel_pid(mm->context.id, RIC_FLUSH_ALL) just as the current code
      does.
      
      If the copros count is elevated then it will cause a global flush, which
      should flush translations from any copros. Note that the process table
      entry was cleared in arch_exit_mmap(), so copros should not be able to
      fetch any new translations.
      
      Fixes: e43c0a0c ("powerpc/64s/radix: combine final TLB flush and lazy tlb mm shootdown IPIs")
      Reported-by: default avatarSachin Sant <sachinp@linux.ibm.com>
      Closes: https://lore.kernel.org/all/A8E52547-4BF1-47CE-8AEA-BC5A9D7E3567@linux.ibm.com/Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Tested-by: default avatarSachin Sant <sachinp@linux.ibm.com>
      Link: https://msgid.link/20231017121527.1574104-1-mpe@ellerman.id.au
      20045f01
  5. 15 Oct, 2023 1 commit
  6. 10 Oct, 2023 2 commits
    • Michael Ellerman's avatar
      powerpc/47x: Fix 47x syscall return crash · f0eee815
      Michael Ellerman authored
      Eddie reported that newer kernels were crashing during boot on his 476
      FSP2 system:
      
        kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
        BUG: Unable to handle kernel instruction fetch
        Faulting instruction address: 0xb7ee2000
        Oops: Kernel access of bad area, sig: 11 [#1]
        BE PAGE_SIZE=4K FSP-2
        Modules linked in:
        CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
        Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
        NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
        REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2)
        MSR:  00000030 <IR,DR>  CR: 00001000  XER: 20000000
        GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
        GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
        GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
        GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
        NIP [b7ee2000] 0xb7ee2000
        LR [8c008000] 0x8c008000
        Call Trace:
        Instruction dump:
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        ---[ end trace 0000000000000000 ]---
      
      The problem is in ret_from_syscall where the check for
      icache_44x_need_flush is done. When the flush is needed the code jumps
      out-of-line to do the flush, and then intends to jump back to continue
      the syscall return.
      
      However the branch back to label 1b doesn't return to the correct
      location, instead branching back just prior to the return to userspace,
      causing bogus register values to be used by the rfi.
      
      The breakage was introduced by commit 6f76a011
      ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which
      inadvertently removed the "1" label and reused it elsewhere.
      
      Fix it by adding named local labels in the correct locations. Note that
      the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n
      compiles.
      
      Fixes: 6f76a011 ("powerpc/syscall: implement system call entry/exit logic in C for PPC32")
      Cc: stable@vger.kernel.org # v5.12+
      Reported-by: default avatarEddie James <eajames@linux.ibm.com>
      Tested-by: default avatarEddie James <eajames@linux.ibm.com>
      Link: https://lore.kernel.org/linuxppc-dev/fdaadc46-7476-9237-e104-1d2168526e72@linux.ibm.com/Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
      Link: https://msgid.link/20231010114750.847794-1-mpe@ellerman.id.au
      f0eee815
    • Christophe Leroy's avatar
      powerpc/85xx: Fix math emulation exception · 8e8a12ec
      Christophe Leroy authored
      Booting mpc85xx_defconfig kernel on QEMU leads to:
      
      Bad trap at PC: fe9bab0, SR: 2d000, vector=800
      awk[82]: unhandled trap (5) at 0 nip fe9bab0 lr fe9e01c code 5 in libc-2.27.so[fe5a000+17a000]
      awk[82]: code: 3aa00000 3a800010 4bffe03c 9421fff0 7ca62b78 38a00000 93c10008 83c10008
      awk[82]: code: 38210010 4bffdec8 9421ffc0 7c0802a6 <fc00048e> d8010008 4815190d 93810030
      Trace/breakpoint trap
      WARNING: no useful console
      
      This is because allthough CONFIG_MATH_EMULATION is selected,
      Exception 800 calls unknown_exception().
      
      Call emulation_assist_interrupt() instead.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/066caa6d9480365da9b8ed83692d7101e10ac5f8.1695657339.git.christophe.leroy@csgroup.eu
      8e8a12ec
  7. 09 Oct, 2023 2 commits
  8. 30 Sep, 2023 2 commits
    • Athira Rajeev's avatar
      powerpc/pseries: Remove unused r0 in the hcall tracing code · dfb5f8cb
      Athira Rajeev authored
      In the plpar_hcall trace code, currently we use r0
      to store the value of r4. But this value is not
      used subsequently in the code. Hence remove this unused
      save to r0 in plpar_hcall and plpar_hcall9
      Suggested-by: default avatarNaveen N Rao <naveen@kernel.org>
      Signed-off-by: default avatarAthira Rajeev <atrajeev@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20230929172337.7906-2-atrajeev@linux.vnet.ibm.com
      dfb5f8cb
    • Athira Rajeev's avatar
      powerpc/pseries: Fix STK_PARAM access in the hcall tracing code · 3b678768
      Athira Rajeev authored
      In powerpc pseries system, below behaviour is observed while
      enabling tracing on hcall:
        # cd /sys/kernel/debug/tracing/
        # cat events/powerpc/hcall_exit/enable
        0
        # echo 1 > events/powerpc/hcall_exit/enable
      
        # ls
        -bash: fork: Bad address
      
      Above is from power9 lpar with latest kernel. Past this, softlockup
      is observed. Initially while attempting via perf_event_open to
      use "PERF_TYPE_TRACEPOINT", kernel panic was observed.
      
      perf config used:
      ================
        memset(&pe[1],0,sizeof(struct perf_event_attr));
        pe[1].type=PERF_TYPE_TRACEPOINT;
        pe[1].size=96;
        pe[1].config=0x26ULL; /* 38 raw_syscalls/sys_exit */
        pe[1].sample_type=0; /* 0 */
        pe[1].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP|0x10ULL; /* 1f */
        pe[1].inherit=1;
        pe[1].precise_ip=0; /* arbitrary skid */
        pe[1].wakeup_events=0;
        pe[1].bp_type=HW_BREAKPOINT_EMPTY;
        pe[1].config1=0x1ULL;
      
      Kernel panic logs:
      ==================
      
        Kernel attempted to read user page (8) - exploit attempt? (uid: 0)
        BUG: Kernel NULL pointer dereference on read at 0x00000008
        Faulting instruction address: 0xc0000000004c2814
        Oops: Kernel access of bad area, sig: 11 [#1]
        LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
        Modules linked in: nfnetlink bonding tls rfkill sunrpc dm_service_time dm_multipath pseries_rng xts vmx_crypto xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ibmvfc scsi_transport_fc ibmveth dm_mirror dm_region_hash dm_log dm_mod fuse
        CPU: 0 PID: 1431 Comm: login Not tainted 6.4.0+ #1
        Hardware name: IBM,8375-42A POWER9 (raw) 0x4e0202 0xf000005 of:IBM,FW950.30 (VL950_892) hv:phyp pSeries
        NIP page_remove_rmap+0x44/0x320
        LR  wp_page_copy+0x384/0xec0
        Call Trace:
          0xc00000001416e400 (unreliable)
          wp_page_copy+0x384/0xec0
          __handle_mm_fault+0x9d4/0xfb0
          handle_mm_fault+0xf0/0x350
          ___do_page_fault+0x48c/0xc90
          hash__do_page_fault+0x30/0x70
          do_hash_fault+0x1a4/0x330
          data_access_common_virt+0x198/0x1f0
         --- interrupt: 300 at 0x7fffae971abc
      
      git bisect tracked this down to below commit:
      'commit baa49d81 ("powerpc/pseries: hvcall stack frame overhead")'
      
      This commit changed STACK_FRAME_OVERHEAD (112 ) to
      STACK_FRAME_MIN_SIZE (32 ) since 32 bytes is the minimum size
      for ELFv2 stack. With the latest kernel, when running on ELFv2,
      STACK_FRAME_MIN_SIZE is used to allocate stack size.
      
      During plpar_hcall_trace, first call is made to HCALL_INST_PRECALL
      which saves the registers and allocates new stack frame. In the
      plpar_hcall_trace code, STK_PARAM is accessed at two places.
        1. To save r4: std     r4,STK_PARAM(R4)(r1)
        2. To access r4 back: ld      r12,STK_PARAM(R4)(r1)
      
      HCALL_INST_PRECALL precall allocates a new stack frame. So all
      the stack parameter access after the precall, needs to be accessed
      with +STACK_FRAME_MIN_SIZE. So the store instruction should be:
        std     r4,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1)
      
      If the "std" is not updated with STACK_FRAME_MIN_SIZE, we will
      end up with overwriting stack contents and cause corruption.
      But instead of updating 'std', we can instead remove it since
      HCALL_INST_PRECALL already saves it to the correct location.
      
      similarly load instruction should be:
        ld      r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1)
      
      Fix the load instruction to correctly access the stack parameter
      with +STACK_FRAME_MIN_SIZE and remove the store of r4 since the
      precall saves it correctly.
      
      Cc: stable@vger.kernel.org # v6.2+
      Fixes: baa49d81 ("powerpc/pseries: hvcall stack frame overhead")
      Co-developed-by: default avatarNaveen N Rao <naveen@kernel.org>
      Signed-off-by: default avatarNaveen N Rao <naveen@kernel.org>
      Signed-off-by: default avatarAthira Rajeev <atrajeev@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20230929172337.7906-1-atrajeev@linux.vnet.ibm.com
      3b678768
  9. 22 Sep, 2023 2 commits
  10. 18 Sep, 2023 7 commits
  11. 17 Sep, 2023 11 commits
  12. 16 Sep, 2023 9 commits
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v6.6' of... · f0b0d403
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix kernel-devel RPM and linux-headers Deb package
      
       - Fix too long argument list error in 'make modules_install'
      
      * tag 'kbuild-fixes-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: avoid long argument lists in make modules_install
        kbuild: fix kernel-devel RPM package and linux-headers Deb package
      f0b0d403
    • Linus Torvalds's avatar
      vm: fix move_vma() memory accounting being off · 3cec5049
      Linus Torvalds authored
      Commit 408579cd ("mm: Update do_vmi_align_munmap() return
      semantics") seems to have updated one of the callers of do_vmi_munmap()
      incorrectly: it used to check for the error case (which didn't
      change: negative means error).
      
      That commit changed the check to the success case (which did change:
      before that commit, 0 was success, and 1 was "success and lock
      downgraded".  After the change, it's always 0 for success, and the lock
      will have been released if requested).
      
      This didn't change any actual VM behavior _except_ for memory accounting
      when 'VM_ACCOUNT' was set on the vma.  Which made the wrong return value
      test fairly subtle, since everything continues to work.
      
      Or rather - it continues to work but the "Committed memory" accounting
      goes all wonky (Committed_AS value in /proc/meminfo), and depending on
      settings that then causes problems much much later as the VM relies on
      bogus statistics for its heuristics.
      
      Revert that one line of the change back to the original logic.
      
      Fixes: 408579cd ("mm: Update do_vmi_align_munmap() return semantics")
      Reported-by: default avatarChristoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
      Reported-bisected-and-tested-by: default avatarMichael Labiuk <michael.labiuk@virtuozzo.com>
      Cc: Bagas Sanjaya <bagasdotme@gmail.com>
      Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
      Link: https://lore.kernel.org/all/1694366957@msgid.manchmal.in-ulm.de/Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3cec5049
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ad8a69f3
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "16 small(ish) fixes all in drivers.
      
        The major fixes are in pm8001 (fixes MSI-X issue going back to its
        origin), the qla2xxx endianness fix, which fixes a bug on big endian
        and the lpfc ones which can cause an oops on module removal without
        them"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
        scsi: lpfc: Early return after marking final NLP_DROPPED flag in dev_loss_tmo
        scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
        scsi: target: core: Fix target_cmd_counter leak
        scsi: pm8001: Setup IRQs on resume
        scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command
        scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command
        scsi: ufs: core: Poll HCS.UCRDY before issuing a UIC command
        scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock
        scsi: qedf: Add synchronization between I/O completions and abort
        scsi: target: Replace strlcpy() with strscpy()
        scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
        scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
        scsi: qla2xxx: Correct endianness for rqstlen and rsplen
        scsi: ppa: Fix accidentally reversed conditions for 16-bit and 32-bit EPP
        scsi: megaraid_sas: Fix deadlock on firmware crashdump
      ad8a69f3
    • Linus Torvalds's avatar
      Merge tag 'ata-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · cc3e5afc
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
      
       - Fix link power management transitions to disallow unsupported states
         (Niklas)
      
       - A small string handling fix for the sata_mv driver (Christophe)
      
       - Clear port pending interrupts before reset, as per AHCI
         specifications (Szuying).
      
         Followup fixes for this one are to not clear ATA_PFLAG_EH_PENDING in
         ata_eh_reset() to allow EH to continue on with other actions recorded
         with error interrupts triggered before EH completes. And an
         additional fix to avoid thawing a port twice in EH (Niklas)
      
       - Small code style fixes in the pata_parport driver to silence the
         build bot as it keeps complaining about bad indentation (me)
      
       - A fix for the recent CDL code to avoid fetching sense data for
         successful commands when not necessary for correct operation (Niklas)
      
      * tag 'ata-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: libata-core: fetch sense data for successful commands iff CDL enabled
        ata: libata-eh: do not thaw the port twice in ata_eh_reset()
        ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
        ata: pata_parport: Fix code style issues
        ata: libahci: clear pending interrupt status
        ata: sata_mv: Fix incorrect string length computation in mv_dump_mem()
        ata: libata: disallow dev-initiated LPM transitions to unsupported states
      cc3e5afc
    • Linus Torvalds's avatar
      Merge tag 'usb-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · cce67b6b
      Linus Torvalds authored
      Pull USB fix from Greg KH:
       "Here is a single USB fix for a much-reported regression for 6.6-rc1.
      
        It resolves a crash in the typec debugfs code for many systems. It's
        been in linux-next with no reported issues, and many people have
        reported it resolving their problem with 6.6-rc1"
      
      * tag 'usb-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: ucsi: Fix NULL pointer dereference
      cce67b6b
    • Linus Torvalds's avatar
      Merge tag 'driver-core-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 205d0494
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here is a single driver core fix for a much-reported-by-sysbot issue
        that showed up in 6.6-rc1. It's been submitted by many people, all in
        the same way, so it obviously fixes things for them all.
      
        Also in here is a single documentation update adding riscv to the
        embargoed hardware document in case there are any future issues with
        that processor family.
      
        Both of these have been in linux-next with no reported problems"
      
      * tag 'driver-core-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Documentation: embargoed-hardware-issues.rst: Add myself for RISC-V
        driver core: return an error when dev_set_name() hasn't happened
      205d0494
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · fd455e77
      Linus Torvalds authored
      Pull char/misc fix from Greg KH:
       "Here is a single patch for 6.6-rc2 that reverts a 6.5 change for the
        comedi subsystem that has ended up being incorrect and caused drivers
        that were working for people to be unable to be able to be selected to
        build at all.
      
        To fix this, the Kconfig change needs to be reverted and a future set
        of fixes for the ioport dependancies will show up in 6.7-rc1 (there's
        no rush for them.)
      
        This has been in linux-next with no reported issues"
      
      * tag 'char-misc-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        Revert "comedi: add HAS_IOPORT dependencies"
      fd455e77
    • Linus Torvalds's avatar
      Merge tag 'i2c-for-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · c37f8efc
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "The main thing is the removal of 'probe_new' because all i2c client
        drivers are converted now. Thanks Uwe, this marks the end of a long
        conversion process.
      
        Other than that, we have a few Kconfig updates and driver bugfixes"
      
      * tag 'i2c-for-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: cadence: Fix the kernel-doc warnings
        i2c: aspeed: Reset the i2c controller when timeout occurs
        i2c: I2C_MLXCPLD on ARM64 should depend on ACPI
        i2c: Make I2C_ATR invisible
        i2c: Drop legacy callback .probe_new()
        w1: ds2482: Switch back to use struct i2c_driver's .probe()
      c37f8efc
    • Niklas Cassel's avatar
      ata: libata-core: fetch sense data for successful commands iff CDL enabled · 5e35a9ac
      Niklas Cassel authored
      Currently, we fetch sense data for a _successful_ command if either:
      1) Command was NCQ and ATA_DFLAG_CDL_ENABLED flag set (flag
         ATA_DFLAG_CDL_ENABLED will only be set if the Successful NCQ command
         sense data supported bit is set); or
      2) Command was non-NCQ and regular sense data reporting is enabled.
      
      This means that case 2) will trigger for a non-NCQ command which has
      ATA_SENSE bit set, regardless if CDL is enabled or not.
      
      This decision was by design. If the device reports that it has sense data
      available, it makes sense to fetch that sense data, since the sk/asc/ascq
      could be important information regardless if CDL is enabled or not.
      
      However, the fetching of sense data for a successful command is done via
      ATA EH. Considering how intricate the ATA EH is, we really do not want to
      invoke ATA EH unless absolutely needed.
      
      Before commit 18bd7718 ("scsi: ata: libata: Handle completion of CDL
      commands using policy 0xD") we never fetched sense data for successful
      commands.
      
      In order to not invoke the ATA EH unless absolutely necessary, even if the
      device claims support for sense data reporting, only fetch sense data for
      successful (NCQ and non-NCQ commands) commands that are using CDL.
      
      [Damien] Modified the check to test the qc flag ATA_QCFLAG_HAS_CDL
      instead of the device support for CDL, which is implied for commands
      using CDL.
      
      Fixes: 3ac873c7 ("ata: libata-core: fix when to fetch sense data for successful commands")
      Signed-off-by: default avatarNiklas Cassel <niklas.cassel@wdc.com>
      Signed-off-by: default avatarDamien Le Moal <dlemoal@kernel.org>
      5e35a9ac