1. 01 Apr, 2021 2 commits
    • powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO · acca5721
      Christophe Leroy authored
      PPC32 encounters a KUAP fault when trying to handle a signal with
      VDSO unmapped.
      
      	Kernel attempted to read user page (7fc07ec0) - exploit attempt? (uid: 0)
      	BUG: Unable to handle kernel data access on read at 0x7fc07ec0
      	Faulting instruction address: 0xc00111d4
      	Oops: Kernel access of bad area, sig: 11 [#1]
      	BE PAGE_SIZE=16K PREEMPT CMPC885
      	CPU: 0 PID: 353 Comm: sigreturn_vdso Not tainted 5.12.0-rc4-s3k-dev-01553-gb30c310ea220 #4814
      	NIP:  c00111d4 LR: c0005a28 CTR: 00000000
      	REGS: cadb3dd0 TRAP: 0300   Not tainted  (5.12.0-rc4-s3k-dev-01553-gb30c310ea220)
      	MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 48000884  XER: 20000000
      	DAR: 7fc07ec0 DSISR: 88000000
      	GPR00: c0007788 cadb3e90 c28d4a40 7fc07ec0 7fc07ed0 000004e0 7fc07ce0 00000000
      	GPR08: 00000001 00000001 7fc07ec0 00000000 28000282 1001b828 100a0920 00000000
      	GPR16: 100cac0c 100b0000 105c43a4 105c5685 100d0000 100d0000 100d0000 100b2e9e
      	GPR24: ffffffff 105c43c8 00000000 7fc07ec8 cadb3f40 cadb3ec8 c28d4a40 00000000
      	NIP [c00111d4] flush_icache_range+0x90/0xb4
      	LR [c0005a28] handle_signal32+0x1bc/0x1c4
      	Call Trace:
      	[cadb3e90] [100d0000] 0x100d0000 (unreliable)
      	[cadb3ec0] [c0007788] do_notify_resume+0x260/0x314
      	[cadb3f20] [c000c764] syscall_exit_prepare+0x120/0x184
      	[cadb3f30] [c00100b4] ret_from_syscall+0xc/0x28
      	--- interrupt: c00 at 0xfe807f8
      	NIP:  0fe807f8 LR: 10001060 CTR: c0139378
      	REGS: cadb3f40 TRAP: 0c00   Not tainted  (5.12.0-rc4-s3k-dev-01553-gb30c310ea220)
      	MSR:  0000d032 <EE,PR,ME,IR,DR,RI>  CR: 28000482  XER: 20000000
      
      	GPR00: 00000025 7fc081c0 77bb1690 00000000 0000000a 28000482 00000001 0ff03a38
      	GPR08: 0000d032 00006de5 c28d4a40 00000009 88000482 1001b828 100a0920 00000000
      	GPR16: 100cac0c 100b0000 105c43a4 105c5685 100d0000 100d0000 100d0000 100b2e9e
      	GPR24: ffffffff 105c43c8 00000000 77ba7628 10002398 10010000 10002124 00024000
      	NIP [0fe807f8] 0xfe807f8
      	LR [10001060] 0x10001060
      	--- interrupt: c00
      	Instruction dump:
      	38630010 7c001fac 38630010 4200fff0 7c0004ac 4c00012c 4e800020 7c001fac
      	2c0a0000 38630010 4082ffcc 4bffffe4 <7c00186c> 2c070000 39430010 4082ff8c
      	---[ end trace 3973fb72b049cb06 ]---
      
      This is because flush_icache_range() is called on user addresses.
      
      The same problem was detected some time ago on PPC64. It was fixed by
      enabling KUAP in commit 59bee45b ("powerpc/mm: Fix missing KUAP
      disable in flush_coherent_icache()").
      
      PPC32 doesn't use flush_coherent_icache() and falls back on
      clean_dcache_range() and invalidate_icache_range().
      
      We could fix it similarly by enabling user access in those functions,
      but this is overkill for just flushing two instructions.
      
      The two instructions are 8 bytes aligned, so a single dcbst/icbi is
      enough to flush them. Do like __patch_instruction() and inline
      a dcbst followed by an icbi just after the write of the instructions,
      while user access is still allowed. The isync is not required because
      rfi will be used to return to user.
      
      icbi() is handled as a read so read-write user access is needed.
      Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/bde9154e5351a5ac7bca3d59cdb5a5e8edacbb79.1617199569.git.christophe.leroy@csgroup.eu
    • powerpc/ptrace: Don't return error when getting/setting FP regs without CONFIG_PPC_FPU_REGS · 3618250c
      Christophe Leroy authored
      An #ifdef CONFIG_PPC_FPU_REGS is missing in arch_ptrace() leading
      to the following Oops because [REGSET_FPR] entry is not initialised in
      native_regsets[].
      
      [   41.917608] BUG: Unable to handle kernel instruction fetch
      [   41.922849] Faulting instruction address: 0xff8fd228
      [   41.927760] Oops: Kernel access of bad area, sig: 11 [#1]
      [   41.933089] BE PAGE_SIZE=4K PREEMPT CMPC885
      [   41.940753] Modules linked in:
      [   41.943768] CPU: 0 PID: 366 Comm: gdb Not tainted 5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty #4835
      [   41.952800] NIP:  ff8fd228 LR: c004d9e0 CTR: ff8fd228
      [   41.957790] REGS: caae9df0 TRAP: 0400   Not tainted  (5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty)
      [   41.966741] MSR:  40009032 <EE,ME,IR,DR,RI>  CR: 82004248  XER: 20000000
      [   41.973540]
      [   41.973540] GPR00: c004d9b4 caae9eb0 c1b64f60 c1b64520 c0713cd4 caae9eb8 c1bacdfc 00000004
      [   41.973540] GPR08: 00000200 ff8fd228 c1bac700 00001032 28004242 1061aaf4 00000001 106d64a0
      [   41.973540] GPR16: 00000000 00000000 7fa0a774 10610000 7fa0aef9 00000000 10610000 7fa0a538
      [   41.973540] GPR24: 7fa0a580 7fa0a570 c1bacc00 c1b64520 c1bacc00 caae9ee8 00000108 c0713cd4
      [   42.009685] NIP [ff8fd228] 0xff8fd228
      [   42.013300] LR [c004d9e0] __regset_get+0x100/0x124
      [   42.018036] Call Trace:
      [   42.020443] [caae9eb0] [c004d9b4] __regset_get+0xd4/0x124 (unreliable)
      [   42.026899] [caae9ee0] [c004da94] copy_regset_to_user+0x5c/0xb0
      [   42.032751] [caae9f10] [c002f640] sys_ptrace+0xe4/0x588
      [   42.037915] [caae9f30] [c0011010] ret_from_syscall+0x0/0x28
      [   42.043422] --- interrupt: c00 at 0xfd1f8e4
      [   42.047553] NIP:  0fd1f8e4 LR: 1004a688 CTR: 00000000
      [   42.052544] REGS: caae9f40 TRAP: 0c00   Not tainted  (5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty)
      [   42.061494] MSR:  0000d032 <EE,PR,ME,IR,DR,RI>  CR: 48004442  XER: 00000000
      [   42.068551]
      [   42.068551] GPR00: 0000001a 7fa0a040 77dad7e0 0000000e 00000170 00000000 7fa0a078 00000004
      [   42.068551] GPR08: 00000000 108deb88 108dda40 106d6010 44004442 1061aaf4 00000001 106d64a0
      [   42.068551] GPR16: 00000000 00000000 7fa0a774 10610000 7fa0aef9 00000000 10610000 7fa0a538
      [   42.068551] GPR24: 7fa0a580 7fa0a570 1078fe00 1078fd70 1078fd70 00000170 0fdd3244 0000000d
      [   42.104696] NIP [0fd1f8e4] 0xfd1f8e4
      [   42.108225] LR [1004a688] 0x1004a688
      [   42.111753] --- interrupt: c00
      [   42.114768] Instruction dump:
      [   42.117698] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      [   42.125443] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      [   42.133195] ---[ end trace d35616f22ab2100c ]---
      
      Adding the missing #ifdef is not good because gdb doesn't like getting
      an error when getting registers.
      
      Instead, make ptrace return 0s when CONFIG_PPC_FPU_REGS is not set.
      
      Fixes: b6254ced ("powerpc/signal: Don't manage floating point regs when no FPU")
      Cc: stable@vger.kernel.org
      Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/9121a44a2d50ba1af18d8aa5ada06c9a3bea8afd.1617200085.git.christophe.leroy@csgroup.eu
  2. 26 Mar, 2021 1 commit
    • powerpc/mm/book3s64: Use the correct storage key value when calling H_PROTECT · 53f1d317
      Aneesh Kumar K.V authored
      H_PROTECT expects the flag value to include flags:
        AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags
      
      This patch updates hpte_updatepp() to fetch the storage key value from
      the linux page table and use the same in H_PROTECT hcall.
      
      native_hpte_updatepp() is not updated because the kernel doesn't clear
      the existing storage key value there. The kernel also doesn't use
      hpte_updatepp() callback for updating storage keys.
      
      This fixes the below kernel crash observed with KUAP enabled.
      
        BUG: Unable to handle kernel data access on write at 0xc009fffffc440000
        Faulting instruction address: 0xc0000000000b7030
        Key fault AMR: 0xfcffffffffffffff IAMR: 0xc0000077bc498100
        Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
        Oops: Kernel access of bad area, sig: 11 [#1]
        LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
        ...
        CFAR: c000000000010100 DAR: c009fffffc440000 DSISR: 02200000 IRQMASK: 0
        ...
        NIP memset+0x68/0x104
        LR  pcpu_alloc+0x54c/0xb50
        Call Trace:
          pcpu_alloc+0x55c/0xb50 (unreliable)
          blk_stat_alloc_callback+0x94/0x150
          blk_mq_init_allocated_queue+0x64/0x560
          blk_mq_init_queue+0x54/0xb0
          scsi_mq_alloc_queue+0x30/0xa0
          scsi_alloc_sdev+0x1cc/0x300
          scsi_probe_and_add_lun+0xb50/0x1020
          __scsi_scan_target+0x17c/0x790
          scsi_scan_channel+0x90/0xe0
          scsi_scan_host_selected+0x148/0x1f0
          do_scan_async+0x2c/0x2a0
          async_run_entry_fn+0x78/0x220
          process_one_work+0x264/0x540
          worker_thread+0xa8/0x600
          kthread+0x190/0x1a0
          ret_from_kernel_thread+0x5c/0x6c
      
      With KUAP enabled the kernel uses storage key 3 for all its
      translations. But as shown by the debug print, in this specific case we
      have the hash page table entry created with key value 0.
      
        Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
      
      and DSISR indicates a key fault.
      
      This can happen due to parallel fault on the same EA by different CPUs:
      
        CPU 0					CPU 1
        fault on X
      
        H_PAGE_BUSY set
        					fault on X
      
        finish fault handling and
        clear H_PAGE_BUSY
        					check for H_PAGE_BUSY
        					continue with fault handling.
      
      This implies CPU1 will end up calling hpte_updatepp for address X and
      the kernel updated the hash pte entry with key 0
      
      Fixes: d94b827e ("powerpc/book3s64/kuap: Use Key 3 for kernel mapping with hash translation")
      Reported-by: Murilo Opsfelder Araujo <muriloo@linux.ibm.com>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Debugged-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20210326070755.304625-1-aneesh.kumar@linux.ibm.com
  3. 22 Mar, 2021 2 commits
  4. 17 Mar, 2021 1 commit
    • PCI: rpadlpar: Fix potential drc_name corruption in store functions · cc7a0bb0
      Tyrel Datwyler authored
      Both add_slot_store() and remove_slot_store() try to fix up the
      drc_name copied from the store buffer by placing a NUL terminator at
      nbyte + 1 or in place of a '\n' if present. However, the static buffer
      that we copy the drc_name data into is not zeroed and can contain
      anything past the n-th byte.
      
      This is problematic if a '\n' byte appears in that buffer after nbytes
      and the string copied into the store buffer was not NUL terminated to
      start with as the strchr() search for a '\n' byte will mark this
      incorrectly as the end of the drc_name string resulting in a drc_name
      string that contains garbage data after the n-th byte.
      
      Additionally it will cause us to overwrite that '\n' byte on the stack
      with NUL, potentially corrupting data on the stack.
      
      The following debugging shows an example of the drmgr utility writing
      "PHB 4543" to the add_slot sysfs attribute, but add_slot_store()
      logging a corrupted string value.
      
        drmgr: drmgr: -c phb -a -s PHB 4543 -d 1
        add_slot_store: drc_name = PHB 4543°|<82>!, rc = -19
      
      Fix this by using strscpy() instead of memcpy() to ensure the string
      is NUL terminated when copied into the static drc_name buffer.
      Further, since the string is now NUL terminated the code only needs to
      change '\n' to '\0' when present.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
      [mpe: Reformat change log and add mention of possible stack corruption]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20210315214821.452959-1-tyreld@linux.ibm.com
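A userspace model of the fix-up described in the rpadlpar commit above, added here as an illustration; it is not the driver's code. `DRC_NAME_LEN`, `fill_stale()`, `store_before()`, `store_after()` and `bounded_copy()` (a stand-in for the kernel's strscpy()) are assumptions, and the stale buffer contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DRC_NAME_LEN 64	/* constructed size for this model */

/* Simulate a reused stack slot: stale bytes, including a '\n', already sit
 * in the name buffer before the store handler runs (constructed contents). */
static void fill_stale(char *name)
{
	memset(name, 'Z', DRC_NAME_LEN - 1);
	name[DRC_NAME_LEN - 1] = '\0';	/* keeps the model itself in bounds */
	memcpy(name + 8, "#@!\n", 4);	/* stale garbage ending in '\n' */
}

/* Behaviour before the fix, as the commit message describes it: raw
 * memcpy(), then terminate at the first '\n' found anywhere in the buffer,
 * or at nbytes when none is found. */
static size_t store_before(char *name, const char *buf, size_t nbytes)
{
	char *end;

	if (nbytes >= DRC_NAME_LEN)
		return 0;
	memcpy(name, buf, nbytes);	/* writes no terminator */
	end = strchr(name, '\n');	/* can match a stale byte past nbytes */
	if (!end)
		end = &name[nbytes];
	*end = '\0';			/* NUL may land outside the copied data */
	return strlen(name);
}

/* Userspace stand-in for strscpy(): copy at most size - 1 bytes, stop at a
 * NUL in src, always terminate dst. Returns the number of bytes copied. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t i = 0;

	if (size == 0)
		return 0;
	while (i < size - 1 && src[i] != '\0') {
		dst[i] = src[i];
		i++;
	}
	dst[i] = '\0';
	return i;
}

/* Behaviour after the fix: the copy itself terminates the string, so the
 * '\n' search cannot run into stale bytes. */
static size_t store_after(char *name, const char *buf, size_t nbytes)
{
	char *end;

	if (nbytes >= DRC_NAME_LEN)
		return 0;
	bounded_copy(name, buf, nbytes + 1);
	end = strchr(name, '\n');
	if (end)
		*end = '\0';
	return strlen(name);
}

int main(void)
{
	/* 8 bytes, no NUL and no '\n', like the write the commit describes */
	static const char raw[8] = { 'P', 'H', 'B', ' ', '4', '5', '4', '3' };
	char name[DRC_NAME_LEN];

	fill_stale(name);
	store_before(name, raw, sizeof(raw));
	printf("before: \"%s\"\n", name);

	fill_stale(name);
	store_after(name, raw, sizeof(raw));
	printf("after:  \"%s\"\n", name);
	return 0;
}
```

In the model the stray '\n' sits inside the same array; in the case the commit message describes, the byte overwritten with NUL can belong to other data on the stack.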
  5. 14 Mar, 2021 2 commits
  6. 12 Mar, 2021 1 commit
  7. 10 Mar, 2021 1 commit
    • powerpc: Fix missing declaration of [en/dis]able_kernel_vsx() · bd737588
      Christophe Leroy authored
      Add stub instances of enable_kernel_vsx() and disable_kernel_vsx()
      when CONFIG_VSX is not set, to avoid following build failure.
      
        CC [M]  drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.o
        In file included from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dm_services_types.h:29,
                         from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dm_services.h:37,
                         from drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.c:27:
        drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.c: In function 'dcn_bw_apply_registry_override':
        ./drivers/gpu/drm/amd/amdgpu/../display/dc/os_types.h:64:3: error: implicit declaration of function 'enable_kernel_vsx'; did you mean 'enable_kernel_fp'? [-Werror=implicit-function-declaration]
           64 |   enable_kernel_vsx(); \
              |   ^~~~~~~~~~~~~~~~~
        drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.c:640:2: note: in expansion of macro 'DC_FP_START'
          640 |  DC_FP_START();
              |  ^~~~~~~~~~~
        ./drivers/gpu/drm/amd/amdgpu/../display/dc/os_types.h:75:3: error: implicit declaration of function 'disable_kernel_vsx'; did you mean 'disable_kernel_fp'? [-Werror=implicit-function-declaration]
           75 |   disable_kernel_vsx(); \
              |   ^~~~~~~~~~~~~~~~~~
        drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.c:676:2: note: in expansion of macro 'DC_FP_END'
          676 |  DC_FP_END();
              |  ^~~~~~~~~
        cc1: some warnings being treated as errors
        make[5]: *** [drivers/gpu/drm/amd/amdgpu/../display/dc/calcs/dcn_calcs.o] Error 1
      
      This works because the caller is checking if VSX is available using
      cpu_has_feature():
      
        #define DC_FP_START() { \
        	if (cpu_has_feature(CPU_FTR_VSX_COMP)) { \
        		preempt_disable(); \
        		enable_kernel_vsx(); \
        	} else if (cpu_has_feature(CPU_FTR_ALTIVEC_COMP)) { \
        		preempt_disable(); \
        		enable_kernel_altivec(); \
        	} else if (!cpu_has_feature(CPU_FTR_FPU_UNAVAILABLE)) { \
        		preempt_disable(); \
        		enable_kernel_fp(); \
        	} \
      
      When CONFIG_VSX is not selected, cpu_has_feature(CPU_FTR_VSX_COMP)
      constant folds to 'false' so the call to enable_kernel_vsx() is
      discarded and the build succeeds.
      
      Fixes: 16a9dea1 ("amdgpu: Enable initial DCN support on POWER")
      Cc: stable@vger.kernel.org # v5.6+
      Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
      [mpe: Incorporate some discussion comments into the change log]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/8d7d285a027e9d21f5ff7f850fa71a2655b0c4af.1615279170.git.christophe.leroy@csgroup.eu
  8. 09 Mar, 2021 4 commits
  9. 07 Mar, 2021 2 commits
    • Merge tag 'powerpc-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · fbda7904
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "One non-fix, the conversion of vio_driver->remove() to return void,
        which touches various powerpc specific drivers.
      
        Fix the privilege checks we do in our perf handling, which could cause
        soft/hard lockups in some configurations.
      
        Fix a bug with IRQ affinity seen on kdump kernels when CPU 0 is
        offline in the second kernel.
      
        Fix missed page faults after mprotect(..., PROT_NONE) on 603 (32-bit).
      
        Fix a bug in our VSX (vector) instruction emulation, which should only
        be seen when doing VSX ops to cache inhibited mappings.
      
        Three commits fixing various build issues with obscure configurations.
      
        Thanks to Athira Rajeev, Cédric Le Goater, Christophe Leroy, Christoph
        Plattner, Greg Kurz, Jordan Niethe, Laurent Vivier, Ravi Bangoria,
        Tyrel Datwyler, and Uwe Kleine-König"
      
      * tag 'powerpc-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/sstep: Fix VSX instruction emulation
        powerpc/perf: Fix handling of privilege level checks in perf interrupt context
        powerpc: Force inlining of mmu_has_feature to fix build failure
        vio: make remove callback return void
        powerpc/syscall: Force inlining of __prep_irq_for_enabled_exit()
        powerpc/603: Fix protection of user pages mapped with PROT_NONE
        powerpc/pseries: Don't enforce MSI affinity with kdump
        powerpc/4xx: Fix build errors from mfdcr()
    • Merge tag 'm68k-for-v5.12-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · dac51870
      Linus Torvalds authored
      Pull m68k fix from Geert Uytterhoeven:
       "Fix virt_addr_valid() W=1 compiler warnings.
      
        This is a single non-critical fix. As the build bots are now testing
        all new code with W=1, these warnings are popping up everywhere,
        confusing people. Hence I think it makes sense to silence it as soon
        as possible"
      
      * tag 'm68k-for-v5.12-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        m68k: Fix virt_addr_valid() W=1 compiler warnings
  10. 06 Mar, 2021 5 commits
  11. 05 Mar, 2021 19 commits
    • Merge tag 'for-5.12/dm-fixes' of... · 63dcd69d
      Linus Torvalds authored
      Merge tag 'for-5.12/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
       "Fix DM verity target's optional Forward Error Correction (FEC) for
        Reed-Solomon roots that are unaligned to block size"
      
      * tag 'for-5.12/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm verity: fix FEC for RS roots unaligned to block size
        dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size
    • Merge tag 'block-5.12-2021-03-05' of git://git.kernel.dk/linux-block · 47454caf
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe fixes:
            - more device quirks (Julian Einwag, Zoltán Böszörményi, Pascal
              Terjan)
            - fix a hwmon error return (Daniel Wagner)
            - fix the keep alive timeout initialization (Martin George)
            - ensure the model_number can't be changed on a used subsystem
              (Max Gurtovoy)
      
       - rsxx missing -EFAULT on copy_to_user() failure (Dan)
      
       - rsxx remove unused linux.h include (Tian)
      
       - kill unused RQF_SORTED (Jean)
      
       - updated outdated BFQ comments (Joseph)
      
       - revert work-around commit for bd_size_lock, since we removed the
         offending user in this merge window (Damien)
      
      * tag 'block-5.12-2021-03-05' of git://git.kernel.dk/linux-block:
        nvmet: model_number must be immutable once set
        nvme-fabrics: fix kato initialization
        nvme-hwmon: Return error code when registration fails
        nvme-pci: add quirks for Lexar 256GB SSD
        nvme-pci: mark Kingston SKC2000 as not supporting the deepest power state
        nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST.
        rsxx: Return -EFAULT if copy_to_user() fails
        block/bfq: update comments and default value in docs for fifo_expire
        rsxx: remove unused including <linux/version.h>
        block: Drop leftover references to RQF_SORTED
        block: revert "block: fix bd_size_lock use"
    • Merge tag 'io_uring-5.12-2021-03-05' of git://git.kernel.dk/linux-block · f292e873
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A bit of a mix between fallout from the worker change, cleanups and
        reductions now possible from that change, and fixes in general. In
        detail:
      
         - Fully serialize manager and worker creation, fixing races due to
           that.
      
         - Clean up some naming that had gone stale.
      
         - SQPOLL fixes.
      
         - Fix race condition around task_work rework that went into this
           merge window.
      
         - Implement unshare. Used for when the original task does unshare(2)
           or setuid/seteuid and friends, drops the original workers and forks
           new ones.
      
         - Drop the only remaining piece of state shuffling we had left, which
           was cred. Move it into issue instead, and we can drop all of that
           code too.
      
         - Kill f_op->flush() usage. That was such a nasty hack that we had
           out of necessity, we no longer need it.
      
         - Following from ->flush() removal, we can also drop various bits of
           ctx state related to SQPOLL and cancelations.
      
         - Fix an issue with IOPOLL retry, which originally was fallout from a
           filemap change (removing iov_iter_revert()), but uncovered an issue
           with iovec re-import too late.
      
         - Fix an issue with system suspend.
      
         - Use xchg() for fallback work, instead of cmpxchg().
      
         - Properly destroy io-wq on exec.
      
         - Add create_io_thread() core helper, and use that in io-wq and
           io_uring. This allows us to remove various silly completion events
           related to thread setup.
      
         - A few error handling fixes.
      
        This should be the grunt of fixes necessary for the new workers, next
        week should be quieter. We've got a pending series from Pavel on
        cancelations, and how tasks and rings are indexed. Outside of that,
        should just be minor fixes. Even with these fixes, we're still killing
        a net ~80 lines"
      
      * tag 'io_uring-5.12-2021-03-05' of git://git.kernel.dk/linux-block: (41 commits)
        io_uring: don't restrict issue_flags for io_openat
        io_uring: make SQPOLL thread parking saner
        io-wq: kill hashed waitqueue before manager exits
        io_uring: clear IOCB_WAITQ for non -EIOCBQUEUED return
        io_uring: don't keep looping for more events if we can't flush overflow
        io_uring: move to using create_io_thread()
        kernel: provide create_io_thread() helper
        io_uring: reliably cancel linked timeouts
        io_uring: cancel-match based on flags
        io-wq: ensure all pending work is canceled on exit
        io_uring: ensure that threads freeze on suspend
        io_uring: remove extra in_idle wake up
        io_uring: inline __io_queue_async_work()
        io_uring: inline io_req_clean_work()
        io_uring: choose right tctx->io_wq for try cancel
        io_uring: fix -EAGAIN retry with IOPOLL
        io-wq: fix error path leak of buffered write hash map
        io_uring: remove sqo_task
        io_uring: kill sqo_dead and sqo submission halting
        io_uring: ignore double poll add on the same waitqueue head
        ...
    • Merge tag 'pm-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 6d47254c
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix the usage of device links in the runtime PM core code and
        update the DTPM (Dynamic Thermal Power Management) feature added
        recently.
      
        Specifics:
      
         - Make the runtime PM core code avoid attempting to suspend supplier
           devices before updating the PM-runtime status of a consumer to
           'suspended' (Rafael Wysocki).
      
         - Fix DTPM (Dynamic Thermal Power Management) root node
           initialization and label that feature as EXPERIMENTAL in Kconfig
           (Daniel Lezcano)"
      
      * tag 'pm-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        powercap/drivers/dtpm: Add the experimental label to the option description
        powercap/drivers/dtpm: Fix root node initialization
        PM: runtime: Update device status before letting suppliers suspend
    • Merge tag 'acpi-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · ea6be461
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Make the empty stubs of some helper functions used when CONFIG_ACPI is
        not set actually match those functions (Andy Shevchenko)"
      
      * tag 'acpi-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: bus: Constify is_acpi_node() and friends (part 2)
    • Merge tag 'iommu-fixes-v5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · fc2c8d0a
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - Fix a sleeping-while-atomic issue in the AMD IOMMU code
      
       - Disable lazy IOTLB flush for untrusted devices in the Intel VT-d
         driver
      
       - Fix status code definitions for Intel VT-d
      
       - Fix IO Page Fault issue in Tegra IOMMU driver
      
      * tag 'iommu-fixes-v5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Fix status code for Allocate/Free PASID command
        iommu: Don't use lazy flush for untrusted device
        iommu/tegra-smmu: Fix mc errors on tegra124-nyan
        iommu/amd: Fix sleeping in atomic in increase_address_space()
    • Merge tag 'for-5.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · f09b04cc
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "More regression fixes and stabilization.
      
        Regressions:
      
         - zoned mode
            - count zone sizes in wider int types
            - fix space accounting for read-only block groups
      
         - subpage: fix page tail zeroing
      
        Fixes:
      
         - fix spurious warning when remounting with free space tree
      
         - fix warning when creating a directory with smack enabled
      
         - ioctl checks for qgroup inheritance when creating a snapshot
      
         - qgroup
            - fix missing unlock on error path in zero range
            - fix amount of released reservation on error
            - fix flushing from unsafe context with open transaction,
              potentially deadlocking
      
         - minor build warning fixes"
      
      * tag 'for-5.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: zoned: do not account freed region of read-only block group as zone_unusable
        btrfs: zoned: use sector_t for zone sectors
        btrfs: subpage: fix the false data csum mismatch error
        btrfs: fix warning when creating a directory with smack enabled
        btrfs: don't flush from btrfs_delayed_inode_reserve_metadata
        btrfs: export and rename qgroup_reserve_meta
        btrfs: free correct amount of space in btrfs_delayed_inode_reserve_metadata
        btrfs: fix spurious free_space_tree remount warning
        btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl
        btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors
        btrfs: ref-verify: use 'inline void' keyword ordering
    • Merge tag 'devicetree-fixes-for-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 6bf331d5
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
      
       - Another batch of graph and video-interfaces schema conversions
      
       - Drop DT header symlink for dropped C6X arch
      
       - Fix bcm2711-hdmi schema error
      
      * tag 'devicetree-fixes-for-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: media: Use graph and video-interfaces schemas, round 2
        dts: drop dangling c6x symlink
        dt-bindings: bcm2711-hdmi: Fix broken schema
    • Merge tag 'trace-v5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 54663cf3
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Functional fixes:
      
         - Fix big endian conversion for arm64 in recordmcount processing
      
         - Fix timestamp corruption in ring buffer on discarding events
      
         - Fix memory leak in __create_synth_event()
      
         - Skip selftests if tracing is disabled as it will cause them to
           fail.
      
        Non-functional fixes:
      
         - Fix help text in Kconfig
      
         - Remove duplicate prototype for trace_empty()
      
         - Fix stale comment about the trace_event_call flags.
      
        Self test update:
      
         - Add more information to the validation output of when a corrupt
           timestamp is found in the ring buffer, and also trigger a warning
           to make sure that tests catch it"
      
      * tag 'trace-v5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix comment about the trace_event_call flags
        tracing: Skip selftests if tracing is disabled
        tracing: Fix memory leak in __create_synth_event()
        ring-buffer: Add a little more information and a WARN when time stamp going backwards is detected
        ring-buffer: Force before_stamp and write_stamp to be different on discard
        tracing: Fix help text of TRACEPOINT_BENCHMARK in Kconfig
        tracing: Remove duplicate declaration from trace.h
        ftrace: Have recordmcount use w8 to read relp->r_info in arm64_is_fake_mcount
    • RDMA/rxe: Fix errant WARN_ONCE in rxe_completer() · 545c4ab4
      Bob Pearson authored
      In rxe_comp.c in rxe_completer() the function free_pkt() did not clear skb
      which triggered a warning at 'done:' and could possibly at 'exit:'. The
      WARN_ONCE() calls are not actually needed.  The call to free_pkt() is
      moved to the end to clearly show that all skbs are freed.
      
      Fixes: 899aba89 ("RDMA/rxe: Fix FIXME in rxe_udp_encap_recv()")
      Link: https://lore.kernel.org/r/20210304192048.2958-1-rpearson@hpe.com
      Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    • RDMA/rxe: Fix extra deref in rxe_rcv_mcast_pkt() · 5e4a7ccc
      Bob Pearson authored
      rxe_rcv_mcast_pkt() dropped a reference to ib_device when no error
      occurred causing an underflow on the reference counter.  This code is
      cleaned up to be clearer and easier to read.
      
      Fixes: 899aba89 ("RDMA/rxe: Fix FIXME in rxe_udp_encap_recv()")
      Link: https://lore.kernel.org/r/20210304192048.2958-1-rpearson@hpe.com
      Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
      5e4a7ccc
    • RDMA/rxe: Fix missed IB reference counting in loopback · 21e27ac8
      Bob Pearson authored
      When the noted patch below extended the reference taken by
      rxe_get_dev_from_net() in rxe_udp_encap_recv() until each skb is freed, it
      was not matched by a reference in the loopback path, resulting in
      underflows.
      
      Fixes: 899aba89 ("RDMA/rxe: Fix FIXME in rxe_udp_encap_recv()")
      Link: https://lore.kernel.org/r/20210304192048.2958-1-rpearson@hpe.com
      Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
      21e27ac8
    • io_uring: don't restrict issue_flags for io_openat · e45cff58
      Pavel Begunkov authored
      45d189c6 ("io_uring: replace force_nonblock with flags") did
      something strange for io_openat() slicing all issue_flags but
      IO_URING_F_NONBLOCK. Not a bug for now, but better to just forward the
      flags.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      e45cff58
    • Merge tag 'nvme-5.12-2021-03-05' of git://git.infradead.org/nvme into block-5.12 · a2b658e4
      Jens Axboe authored
      Pull NVMe fixes from Christoph:
      
      "nvme fixes for 5.12:
      
       - more device quirks (Julian Einwag, Zoltán Böszörményi, Pascal Terjan)
       - fix a hwmon error return (Daniel Wagner)
       - fix the keep alive timeout initialization (Martin George)
       - ensure the model_number can't be changed on a used subsystem
         (Max Gurtovoy)"
      
      * tag 'nvme-5.12-2021-03-05' of git://git.infradead.org/nvme:
        nvmet: model_number must be immutable once set
        nvme-fabrics: fix kato initialization
        nvme-hwmon: Return error code when registration fails
        nvme-pci: add quirks for Lexar 256GB SSD
        nvme-pci: mark Kingston SKC2000 as not supporting the deepest power state
        nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST.
      a2b658e4
    • io_uring: make SQPOLL thread parking saner · 86e0d676
      Jens Axboe authored
      We have this weird true/false return from parking, and then some of the
      callers decide to look at that. It can lead to unbalanced parks and
      sqd locking. Have the callers check the thread status once it's parked.
      We know we have the lock at that point, so it's either valid or it's NULL.
      
      Fix race with parking on thread exit. We need to be careful here with
      ordering of the sqd->lock and the IO_SQ_THREAD_SHOULD_PARK bit.
      
      Rename sqd->completion to sqd->parked to reflect that this is the only
      thing this completion event does.
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      86e0d676
    • io-wq: kill hashed waitqueue before manager exits · 09ca6c40
      Jens Axboe authored
      If we race with shutting down the io-wq context and someone queueing
      a hashed entry, then we can exit the manager with it armed. If it then
      triggers after the manager has exited, we can have a use-after-free where
      io_wqe_hash_wake() attempts to wake a now gone manager process.
      
      Move the killing of the hashed write queue into the manager itself, so
      that we know we've killed it before the task exits.
      
      Fixes: e941894e ("io-wq: make buffered file write hashed work map per-ctx")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      09ca6c40
    • io_uring: clear IOCB_WAITQ for non -EIOCBQUEUED return · b5b0ecb7
      Jens Axboe authored
      The callback can only be armed, if we get -EIOCBQUEUED returned. It's
      important that we clear the WAITQ bit for other cases, otherwise we can
      queue for async retry and filemap will assume that we're armed and
      return -EAGAIN instead of just blocking for the IO.
      
      Cc: stable@vger.kernel.org # 5.9+
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      b5b0ecb7
    • io_uring: don't keep looping for more events if we can't flush overflow · ca0a2651
      Jens Axboe authored
      It doesn't make sense to wait for more events to come in, if we can't
      even flush the overflow we already have to the ring. Return -EBUSY for
      that condition, just like we do for attempts to submit with overflow
      pending.
      
      Cc: stable@vger.kernel.org # 5.11
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      ca0a2651
    • io_uring: move to using create_io_thread() · 46fe18b1
      Jens Axboe authored
      This allows us to do task creation and setup without needing to use
      completions to try and synchronize with the starting thread. Get rid of
      the old io_wq_fork_thread() wrapper, and the 'wq' and 'worker' startup
      completion events - we can now do setup before the task is running.
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      46fe18b1