1. 12 Mar, 2021 29 commits
    • Merge tag 'block-5.12-2021-03-12-v2' of git://git.kernel.dk/linux-block · ce307084
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Mostly just random fixes all over the map.
      
        The only odd-one-out change is finally getting the rename of
        BIO_MAX_PAGES to BIO_MAX_VECS done. This should've been done with the
        multipage bvec change, but it's been left.
      
        Do it now to avoid hassles around changes piling up for the next merge
        window.
      
        Summary:
      
         - NVMe pull request:
            - one more quirk (Dmitry Monakhov)
            - fix max_zone_append_sectors initialization (Chaitanya Kulkarni)
            - nvme-fc reset/create race fix (James Smart)
            - fix status code on aborts/resets (Hannes Reinecke)
            - fix the CSS check for ZNS namespaces (Chaitanya Kulkarni)
            - fix a use after free in a debug printk in nvme-rdma (Lv Yunlong)
      
         - Follow-up NVMe error fix for NULL 'id' (Christoph)
      
         - Fixup for the bd_size_lock being IRQ safe, now that the offending
           driver has been dropped (Damien).
      
         - rsxx probe failure error return (Jia-Ju)
      
         - umem probe failure error return (Wei)
      
         - s390/dasd unbind fixes (Stefan)
      
         - blk-cgroup stats summing fix (Xunlei)
      
         - zone reset handling fix (Damien)
      
         - Rename BIO_MAX_PAGES to BIO_MAX_VECS (Christoph)
      
         - Suppress uevent trigger for hidden devices (Daniel)
      
         - Fix handling of discard on busy device (Jan)
      
         - Fix stale cache issue with zone reset (Shin'ichiro)"
      
      * tag 'block-5.12-2021-03-12-v2' of git://git.kernel.dk/linux-block:
        nvme: fix the nsid value to print in nvme_validate_or_alloc_ns
        block: Discard page cache of zone reset target range
        block: Suppress uevent for hidden device when removed
        block: rename BIO_MAX_PAGES to BIO_MAX_VECS
        nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a
        nvme-rdma: Fix a use after free in nvmet_rdma_write_data_done
        nvme-core: check ctrl css before setting up zns
        nvme-fc: fix racing controller reset and create association
        nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted
        nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange()
        nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request()
        nvme: simplify error logic in nvme_validate_ns()
        nvme: set max_zone_append_sectors nvme_revalidate_zones
        block: rsxx: fix error return code of rsxx_pci_probe()
        block: Fix REQ_OP_ZONE_RESET_ALL handling
        umem: fix error return code in mm_pci_probe()
        blk-cgroup: Fix the recursive blkg rwstat
        s390/dasd: fix hanging IO request during DASD driver unbind
        s390/dasd: fix hanging DASD driver unbind
        block: Try to handle busy underlying device on discard
    • Merge tag 'io_uring-5.12-2021-03-12' of git://git.kernel.dk/linux-block · 9278be92
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Not quite as small this week as I had hoped, but at least this should
        be the end of it. All the little known issues have been ironed out -
        most of it little stuff, but cancelations being the bigger part. Only
        minor tweaks and/or regular fixes expected beyond this point.
      
         - Fix the creds tracking for async (io-wq and SQPOLL)
      
         - Various SQPOLL fixes related to parking, sharing, forking, IOPOLL,
           completions, and life times. Much simpler now.
      
         - Make IO threads unfreezable by default, on account of a bug report
           that had them spinning on resume. Honestly not quite sure why
           thawing leaves us with a perpetual signal pending (causing the
           spin), but for now make them unfreezable like they were in 5.11
           and prior.
      
         - Move personality_idr to xarray, solving a use-after-free related to
           removing an entry from the iterator callback. Buffer idr needs the
           same treatment.
      
         - Re-org around and task vs context tracking, enabling the fixing of
           cancelations, and then cancelation fixes on top.
      
         - Various little bits of cleanups and hardening, and removal of now
           dead parts"
      
      * tag 'io_uring-5.12-2021-03-12' of git://git.kernel.dk/linux-block: (34 commits)
        io_uring: fix OP_ASYNC_CANCEL across tasks
        io_uring: cancel sqpoll via task_work
        io_uring: prevent racy sqd->thread checks
        io_uring: remove useless ->startup completion
        io_uring: cancel deferred requests in try_cancel
        io_uring: perform IOPOLL reaping if canceler is thread itself
        io_uring: force creation of separate context for ATTACH_WQ and non-threads
        io_uring: remove indirect ctx into sqo injection
        io_uring: fix invalid ctx->sq_thread_idle
        kernel: make IO threads unfreezable by default
        io_uring: always wait for sqd exited when stopping SQPOLL thread
        io_uring: remove unneeded variable 'ret'
        io_uring: move all io_kiocb init early in io_init_req()
        io-wq: fix ref leak for req in case of exit cancelations
        io_uring: fix complete_post races for linked req
        io_uring: add io_disarm_next() helper
        io_uring: fix io_sq_offload_create error handling
        io-wq: remove unused 'user' member of io_wq
        io_uring: Convert personality_idr to XArray
        io_uring: clean R_DISABLED startup mess
        ...
    • Merge tag 'devprop-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 26141008
      Linus Torvalds authored
      Pull device properties framework fixes from Rafael Wysocki:
       "Prevent software nodes from being registered before their parents and
        fix a recent mistake causing already registered software nodes to be
        registered again in some cases (Heikki Krogerus)"
      
      * tag 'devprop-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        software node: Fix device_add_software_node()
        software node: Fix node registration
    • Merge tag 'pm-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3077f027
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix an operating performance point (OPP) reference counting
        issue and three issues in ARM cpufreq drivers.
      
        Specifics:
      
         - Add a flag to mark OPPs that are not referenced by the OPP core any
           more to prevent OPPs from being freed prematurely by mistake (Beata
           Michalska).
      
         - Add ARM Vexpress platforms to the cpufreq-dt-platdev blacklist
           since the actual scaling of them is handled elsewhere (Sudeep
           Holla).
      
         - Fix a function return value check and a possible use-after-free in
           the qcom-hw cpufreq driver (Shawn Guo, Wei Yongjun)"
      
      * tag 'pm-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        opp: Don't drop extra references to OPPs accidentally
        cpufreq: blacklist Arm Vexpress platforms in cpufreq-dt-platdev
        cpufreq: qcom-hw: Fix return value check in qcom_cpufreq_hw_cpu_init()
        cpufreq: qcom-hw: fix dereferencing freed memory 'data'
    • nvme: fix the nsid value to print in nvme_validate_or_alloc_ns · f4f9fc29
      Christoph Hellwig authored
      ns can be NULL at this point, and my move of the check from
      the original patch by Chaitanya broke this.
      
      Fixes: 0ec84df4 ("nvme-core: check ctrl css before setting up zns")
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge tag 'sound-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 34417833
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "No surprise here, only a collection of device-specific fixes for
        USB-audio and HD-audio at this time"
      
      * tag 'sound-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/hdmi: Cancel pending works before suspend
        ALSA: hda: Avoid spurious unsol event handling during S3/S4
        ALSA: hda: Flush pending unsolicited events before suspend
        ALSA: usb-audio: fix use after free in usb_audio_disconnect
        ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe
        ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support
        ALSA: hda: Drop the BATCH workaround for AMD controllers
        ALSA: hda/conexant: Add quirk for mute LED control on HP ZBook G5
        ALSA: usb-audio: Apply the control quirk to Plantronics headsets
        ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
        ALSA: hda: ignore invalid NHLT table
        ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend()
        ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk
    • Merge tag 'mmc-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 568099a7
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
      
         - Fix partition switch time for eMMC
      
        MMC host:
      
         - mmci: Enforce R1B response to fix busy detection for
           the stm32 variants
      
         - cqhci: Fix crash when removing mmc module/card"
      
      * tag 'mmc-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: cqhci: Fix random crash when remove mmc module/card
        mmc: core: Fix partition switch time for eMMC
        mmc: mmci: Add MMC_CAP_NEED_RSP_BUSY for the stm32 variants
    • Merge tag 'regulator-fix-v5.12-rc2' of... · 270c0551
      Linus Torvalds authored
      Merge tag 'regulator-fix-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "A small collection of driver specific fixes that have arrived since
        the merge window"
      
      * tag 'regulator-fix-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: mt6315: Fix off-by-one for .n_voltages
        regulator: rt4831: Fix return value check in rt4831_regulator_probe()
        regulator: pca9450: Clear PRESET_EN bit to fix BUCK1/2/3 voltage setting
        regulator: qcom-rpmh: Use correct buck for S1C regulator
        regulator: qcom-rpmh: Correct the pmic5_hfsmps515 buck
        regulator: pca9450: Fix return value when failing to get sd-vsel GPIO
        regulator: mt6315: Return REGULATOR_MODE_INVALID for invalid mode
    • Merge tag 'configfs-for-5.12' of git://git.infradead.org/users/hch/configfs · 8d9d53de
      Linus Torvalds authored
      Pull configfs fix from Christoph Hellwig:
      
       - fix a use-after-free in __configfs_open_file (Daiyue Zhang)
      
      * tag 'configfs-for-5.12' of git://git.infradead.org/users/hch/configfs:
        configfs: fix a use-after-free in __configfs_open_file
    • Merge tag 'gfs2-v5.12-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · b77b5fdd
      Linus Torvalds authored
      Pull gfs2 fixes from Andreas Gruenbacher:
       "Various gfs2 fixes"
      
      * tag 'gfs2-v5.12-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: bypass log flush if the journal is not live
        gfs2: bypass signal_our_withdraw if no journal
        gfs2: fix use-after-free in trans_drain
        gfs2: make function gfs2_make_fs_ro() to void type
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 17f8fc19
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "We've got a smattering of changes all over the place which we've
        accrued since -rc1. To my knowledge, there aren't any pending issues at
        the moment, but there's still plenty of time for something else to
        crop up...
      
        Summary:
      
         - Fix booting a 52-bit-VA-aware kernel on Qualcomm Amberwing
      
         - Fix pfn_valid() not to reject all ZONE_DEVICE memory
      
         - Fix memory tagging setup for hotplugged memory regions
      
         - Fix KASAN tagging in page_alloc() when DEBUG_VIRTUAL is enabled
      
         - Fix accidental truncation of CPU PMU event counters
      
         - Fix error code initialisation when failing probe of DMC620 PMU
      
         - Fix return value initialisation for sve-ptrace selftest
      
         - Drop broken support for CMDLINE_EXTEND"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe()
        arm64: mm: remove unused __cpu_uses_extended_idmap[_level()]
        arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds
        arm64: perf: Fix 64-bit event counter read truncation
        arm64/mm: Fix __enable_mmu() for new TGRAN range values
        kselftest: arm64: Fix exit code of sve-ptrace
        arm64: mte: Map hotplugged memory as Normal Tagged
        arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL
        arm64/mm: Reorganize pfn_valid()
        arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory
        arm64/mm: Drop THP conditionality from FORCE_MAX_ZONEORDER
        arm64/mm: Drop redundant ARCH_WANT_HUGE_PMD_SHARE
        arm64: Drop support for CMDLINE_EXTEND
        arm64: cpufeatures: Fix handling of CONFIG_CMDLINE for idreg overrides
    • Merge tag 'for-linus-5.12b-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 6bf8819f
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Two fix series and a single cleanup:
      
         - a small cleanup patch to remove unneeded symbol exports
      
         - a series to cleanup Xen grant handling (avoiding allocations in
           some cases, and using common defines for "invalid" values)
      
         - a series to address a race issue in Xen event channel handling"
      
      * tag 'for-linus-5.12b-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        Xen/gntdev: don't needlessly use kvcalloc()
        Xen/gnttab: introduce common INVALID_GRANT_{HANDLE,REF}
        Xen/gntdev: don't needlessly allocate k{,un}map_ops[]
        Xen: drop exports of {set,clear}_foreign_p2m_mapping()
        xen/events: avoid handling the same event on two cpus at the same time
        xen/events: don't unmask an event channel when an eoi is pending
        xen/events: reset affinity of 2-level event when tearing it down
    • Merge branch 'pm-opp' · 71803232
      Rafael J. Wysocki authored
      * pm-opp:
        opp: Don't drop extra references to OPPs accidentally
    • Merge branch 'opp/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm · bee7359f
      Rafael J. Wysocki authored
      Pull an operating performance points (OPP) framework fix for 5.12
      from Viresh Kumar:
      
      "Fix OPP refcount issue noticed by Beata."
      
      * 'opp/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm:
        opp: Don't drop extra references to OPPs accidentally
    • io_uring: fix OP_ASYNC_CANCEL across tasks · 58f99373
      Pavel Begunkov authored
      IORING_OP_ASYNC_CANCEL tries io-wq cancellation only for current task.
      If it fails go over tctx_list and try it out for every single tctx.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: cancel sqpoll via task_work · 521d6a73
      Pavel Begunkov authored
      1) The first problem is io_uring_cancel_sqpoll() ->
      io_uring_cancel_task_requests() basically doing park(); park(); and so
      hanging.
      
      2) Another one is more subtle, when the master task is doing cancellations,
      but SQPOLL task submits in-between the end of the cancellation but
      before finish() requests taking a ref to the ctx, and so eternally
      locking it up.
      
      3) Yet another is a dying SQPOLL task doing io_uring_cancel_sqpoll() and
      same io_uring_cancel_sqpoll() from the owner task, they race for
      tctx->wait events. And there are probably more of them.
      
      Instead do SQPOLL cancellations from within SQPOLL task context via
      task_work, see io_sqpoll_cancel_sync(). With that we don't need temporal
      park()/unpark() during cancellation, which is ugly, subtle and anyway
      doesn't allow to do io_run_task_work() properly.
      
      io_uring_cancel_sqpoll() is called only from SQPOLL task context and
      under sqd locking, so all parking is removed from there. And so,
      io_sq_thread_[un]park() and io_sq_thread_stop() are not used now by
      SQPOLL task, and that spares us from some headache.
      
      Also remove ctx->sqd_list early to avoid 2). And kill tctx->sqpoll,
      which is not used anymore.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: prevent racy sqd->thread checks · 26984fbf
      Pavel Begunkov authored
      SQPOLL thread to which we're trying to attach may be going away, it's
      not nice but a more serious problem is if io_sq_offload_create() sees
      sqd->thread==NULL, and tries to init it with a new thread. There are
      tons of ways it can be exploited or fail.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • gfs2: bypass log flush if the journal is not live · 0efc4976
      Bob Peterson authored
      Patch fe3e3976 ("gfs2: Rework the log space allocation logic")
      changed gfs2_log_flush to reserve a set of journal blocks in case no
      transaction is active.  However, gfs2_log_flush also gets called in
      cases where we don't have an active journal, for example, for spectator
      mounts.  In that case, trying to reserve blocks would sleep forever, but
      we want gfs2_log_flush to be a no-op instead.
      
      Fixes: fe3e3976 ("gfs2: Rework the log space allocation logic")
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • io_uring: remove useless ->startup completion · 0df8ea60
      Pavel Begunkov authored
      We always do complete(&sqd->startup) almost right after sqd->thread
      creation, either in the success path or in io_sq_thread_finish(). It's
      specifically created not started for us to be able to set some stuff
      like sqd->thread and io_uring_alloc_task_context() before following
      right after wake_up_new_task().
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: cancel deferred requests in try_cancel · e1915f76
      Pavel Begunkov authored
      As io_uring_cancel_files() and others let SQO to run between
      io_uring_try_cancel_requests(), SQO may generate new deferred requests,
      so it's safer to try to cancel them in it.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge tag 'nvme-5.12-2021-03-12' of git://git.infradead.org/nvme into block-5.12 · d4b64fd7
      Jens Axboe authored
      Pull NVMe fixes from Christoph:
      
      "nvme fixes for 5.12:
      
       - one more quirk (Dmitry Monakhov)
       - fix max_zone_append_sectors initialization (Chaitanya Kulkarni)
       - nvme-fc reset/create race fix (James Smart)
       - fix status code on aborts/resets (Hannes Reinecke)
       - fix the CSS check for ZNS namespaces (Chaitanya Kulkarni)
       - fix a use after free in a debug printk in nvme-rdma (Lv Yunlong)"
      
      * tag 'nvme-5.12-2021-03-12' of git://git.infradead.org/nvme:
        nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a
        nvme-rdma: Fix a use after free in nvmet_rdma_write_data_done
        nvme-core: check ctrl css before setting up zns
        nvme-fc: fix racing controller reset and create association
        nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted
        nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange()
        nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request()
        nvme: simplify error logic in nvme_validate_ns()
        nvme: set max_zone_append_sectors nvme_revalidate_zones
    • gfs2: bypass signal_our_withdraw if no journal · d5bf630f
      Bob Peterson authored
      Before this patch, function signal_our_withdraw referenced the journal
      inode immediately. But corrupt file systems may have some invalid
      journals, in which case our attempt to read it in will withdraw and the
      resulting signal_our_withdraw would dereference the NULL value.
      
      This patch adds a check to signal_our_withdraw so that if the journal
      has not yet been initialized, it simply returns and does the old-style
      withdraw.
      
      Thanks, Andy Price, for his analysis.
      
      Reported-by: syzbot+50a8a9cf8127f2c6f5df@syzkaller.appspotmail.com
      Fixes: 601ef0d5 ("gfs2: Force withdraw to replay journals and wait for it to finish")
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe() · c8e38668
      Wei Yongjun authored
      Fix to return negative error code -ENOMEM from the error handling
      case instead of 0, as done elsewhere in this function.
      
      Fixes: 53c218da ("driver/perf: Add PMU driver for the ARM DMC-620 memory controller")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Link: https://lore.kernel.org/r/20210312080421.277562-1-weiyongjun1@huawei.com
      Signed-off-by: Will Deacon <will@kernel.org>
    • opp: Don't drop extra references to OPPs accidentally · 606a5d42
      Beata Michalska authored
      We are required to call dev_pm_opp_put() from outside of the
      opp_table->lock as debugfs removal needs to happen lock-less to avoid
      circular dependency issues.
      
      commit cf1fac94 ("opp: Reduce the size of critical section in
      _opp_kref_release()") tried to fix that introducing a new routine
      _opp_get_next() which keeps returning OPPs that can be freed by the
      callers and this routine shall be called without holding the
      opp_table->lock.
      
      Though the commit overlooked the fact that the OPPs can be referenced by
      other users as well and this routine will end up dropping references
      which were taken by other users and hence freeing the OPPs prematurely.
      
      In effect, other users of the OPPs will end up having invalid pointers
      at hand. We didn't see any crash reports earlier as the exact situation
      never happened, though it is certainly possible.
      
      We need a way to mark which OPPs are no longer referenced by the OPP
      core, so we don't drop extra references to them accidentally.
      
      This commit adds another OPP flag, "removed", which is used to track
      this. And now we should never end up dropping extra references to the
      OPPs.
      
      Cc: v5.11+ <stable@vger.kernel.org> # v5.11+
      Fixes: cf1fac94 ("opp: Reduce the size of critical section in _opp_kref_release()")
      Signed-off-by: Beata Michalska <beata.michalska@arm.com>
      [ Viresh: Almost rewrote entire patch, added new "removed" field,
      	  rewrote commit log and added the correct Fixes tag. ]
      Co-developed-by: Viresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
    • Merge tag 'drm-fixes-2021-03-12-1' of git://anongit.freedesktop.org/drm/drm · f78d76e7
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular fixes for rc3. The i915 pull was based on the rc1 tag so I
        just cherry-picked the single fix from there to avoid it. The misc and
        amd trees seem to be on okay bases.
      
        It's a bunch of fixes across the tree, amdgpu has most of them a few
        ttm fixes around qxl, and nouveau.
      
        core:
         - Clear holes when converting compat ioctl's between 32-bits and
           64-bits.
      
        docs:
         - Use gitlab for drm bugzilla now.
      
        ttm:
         - Fix ttm page pool accounting.
      
        fbdev:
         - Fix oops in drm_fbdev_cleanup()
      
        shmem:
         - Assorted fixes for shmem helpers.
      
        qxl:
         - unpin qxl bos created as pinned when freeing them, and make ttm
           only warn once on this behavior.
         - Zero head.surface_id correctly in qxl.
      
        atyfb:
         - Use LCD management for atyfb on PPC_MAC.
      
        meson:
         - Shutdown kms poll helper in meson correctly.
      
        nouveau:
         - fix regression in bo syncing
      
        i915:
         - Wedge the GPU if command parser setup fails
      
        amdgpu:
         - Fix aux backlight control
         - Add a backlight override parameter
         - Various display fixes
         - PCIe DPM fix for vega
         - Polaris watermark fixes
         - Additional S0ix fix
      
        radeon:
         - Fix GEM regression
         - Fix AGP dependency handling"
      
      * tag 'drm-fixes-2021-03-12-1' of git://anongit.freedesktop.org/drm/drm: (33 commits)
        drm/nouveau: fix dma syncing for loops (v2)
        drm/i915: Wedge the GPU if command parser setup fails
        drm/compat: Clear bounce structures
        drm/shmem-helpers: vunmap: Don't put pages for dma-buf
        drm: meson_drv add shutdown function
        drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff
        drm/shmem-helper: Check for purged buffers in fault handler
        qxl: Fix uninitialised struct field head.surface_id
        drm/ttm: Fix TTM page pool accounting
        drm/ttm: soften TTM warnings
        drm: Use USB controller's DMA mask when importing dmabufs
        MAINTAINERS: update drm bug reporting URL
        fbdev: atyfb: use LCD management functions for PPC_PMAC also
        fbdev: atyfb: always declare aty_{ld,st}_lcd()
        drm/qxl: fix lockdep issue in qxl_alloc_release_reserved
        drm/qxl: unpin release objects
        drm/fb-helper: only unmap if buffer not null
        drm/amdgpu: fix S0ix handling when the CONFIG_AMD_PMC=m
        drm/radeon: fix AGP dependency
        drm/radeon: also init GEM funcs in radeon_gem_prime_import_sg_table
        ...
    • drm/nouveau: fix dma syncing for loops (v2) · 4042160c
      Dave Airlie authored
      The index variable should only be increased in one place.
      
      Noticed this while trying to track down another oops.
      
      v2: use while loop.
      
      Fixes: f295c8cf ("drm/nouveau: fix dma syncing warning with debugging on.")
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210311043527.5376-1-airlied@gmail.com
    • drm/i915: Wedge the GPU if command parser setup fails · a829f033
      Tvrtko Ursulin authored
      Commit 311a50e7 ("drm/i915: Add support for mandatory cmdparsing")
      introduced mandatory command parsing but setup failures were not
      translated into wedging the GPU which was probably the intent.
      
      Possible errors come in two categories. Either the sanity check on
      internal tables has failed, which should be caught in CI unless an
      affected platform would be missed in testing; or memory allocation failure
      happened during driver load, which should be extremely unlikely but for
      correctness should still be handled.
      
      v2:
       * Tidy coding style. (Chris)
      
      [airlied: cherry-picked to avoid rc1 base]
      Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Fixes: 311a50e7 ("drm/i915: Add support for mandatory cmdparsing")
      Cc: Jon Bloomfield <jon.bloomfield@intel.com>
      Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: Chris Wilson <chris.p.wilson@intel.com>
      Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210302114213.1102223-1-tvrtko.ursulin@linux.intel.com
      (cherry picked from commit 5a1a659762d35a6dc51047c9127c011303c77b7f)
      Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
    • Merge tag 'amd-drm-fixes-5.12-2021-03-10' of... · fb198483
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.12-2021-03-10' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.12-2021-03-10:
      
      amdgpu:
      - Fix aux backlight control
      - Add a backlight override parameter
      - Various display fixes
      - PCIe DPM fix for vega
      - Polaris watermark fixes
      - Additional S0ix fix
      
      radeon:
      - Fix GEM regression
      - Fix AGP dependency handling
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210310221141.3974-1-alexander.deucher@amd.com
    • Merge tag 'drm-misc-fixes-2021-03-11' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · e0da9686
      Dave Airlie authored
      drm-misc-fixes for rc3, rebased on rc2:
      - Fix oops in drm_fbdev_cleanup()
      - unpin qxl bos created as pinned when freeing them,
        and make ttm only warn once on this behavior.
      - Use LCD management for atyfb on PPC_MAC.
      - Use gitlab for drm bugzilla now.
      - Fix ttm page pool accounting.
      - Zero head.surface_id correctly in qxl.
      - Assorted fixes for shmem helpers.
      - Shutdown kms poll helper in meson correctly.
      - Clear holes when converting compat ioctl's between 32-bits and 64-bits.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/4606f08e-d0e8-c543-5e96-cee2fd728a41@linux.intel.com
      e0da9686
  2. 11 Mar, 2021 11 commits
    • block: Discard page cache of zone reset target range · e5113505
      Shin'ichiro Kawasaki authored
      When zone reset ioctl and data read race for the same zone on zoned block
      devices, the data read leaves stale page cache even though the zone
      reset ioctl zero clears all the zone data on the device. To avoid
      non-zero data read from the stale page cache after zone reset, discard
      page cache of reset target zones in blkdev_zone_mgmt_ioctl(). Introduce
      the helper function blkdev_truncate_zone_range() to discard the page
      cache. Ensure the page cache is discarded by calling the helper function
      before and after zone reset in the same manner as fallocate does.
      
      This patch can be applied back to the stable kernel version v5.10.y.
      Rework is needed for older stable kernels.
      Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
      Fixes: 3ed05a98 ("blk-zoned: implement ioctls")
      Cc: <stable@vger.kernel.org> # 5.10+
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
      Link: https://lore.kernel.org/r/20210311072546.678999-1-shinichiro.kawasaki@wdc.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      e5113505
    • block: Suppress uevent for hidden device when removed · 9ec49144
      Daniel Wagner authored
      register_disk() suppresses uevents for devices with the GENHD_FL_HIDDEN
      but enables uevents at the end again in order to announce disk after
      possible partitions are created.
      
      When the device is removed the uevents are still on and user land sees
      'remove' messages for devices which were never 'add'ed to the system.
      
        KERNEL[95481.571887] remove   /devices/virtual/nvme-fabrics/ctl/nvme5/nvme0c5n1 (block)
      
      Let's suppress the uevents for GENHD_FL_HIDDEN by not enabling the
      uevents at all.
      Signed-off-by: Daniel Wagner <dwagner@suse.de>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Martin Wilck <mwilck@suse.com>
      Link: https://lore.kernel.org/r/20210311151917.136091-1-dwagner@suse.de
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      9ec49144
    • Merge tag 'media/v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 28806e4d
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "A couple of fixes:
      
         - fix a build issue with CEC
      
         - fix a deadlock at usbtv driver
      
         - fix some null pointer address issues at vsp1 driver
      
         - fix a wrong bitmap setting at rkisp1 driver"
      
      * tag 'media/v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: rkisp1: params: fix wrong bits settings
        media: v4l: vsp1: Fix uif null pointer access
        media: v4l: vsp1: Fix bru null pointer access
        media: usbtv: Fix deadlock on suspend
        media: rc: compile rc-cec.c into rc-core
      28806e4d
    • io_uring: perform IOPOLL reaping if canceler is thread itself · d052d1d6
      Jens Axboe authored
      We bypass IOPOLL completion polling (and reaping) for the SQPOLL thread,
      but if it's the thread itself invoking cancelations, then we still need
      to perform it or no one will.
      
      Fixes: 9936c7c2 ("io_uring: deduplicate core cancellations sequence")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      d052d1d6
    • io_uring: force creation of separate context for ATTACH_WQ and non-threads · 5c2469e0
      Jens Axboe authored
      Earlier kernels had SQPOLL threads that could share across anything, as
      we grabbed the context we needed on a per-ring basis. This is no longer
      the case, so only allow attaching directly if we're in the same thread
      group. That is the common use case. For non-group tasks, just setup a
      new context and thread as we would've done if sharing wasn't set. This
      isn't 100% ideal in terms of CPU utilization for the forked and share
      case, but hopefully that isn't much of a concern. If it is, there are
      plans in motion for how to improve that. Most importantly, we want to
      avoid app side regressions where sharing worked before and now doesn't.
      With this patch, functionality is equivalent to previous kernels that
      supported IORING_SETUP_ATTACH_WQ with SQPOLL.
      Reported-by: Stefan Metzmacher <metze@samba.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      5c2469e0
    • block: rename BIO_MAX_PAGES to BIO_MAX_VECS · a8affc03
      Christoph Hellwig authored
      Ever since the addition of multipage bio_vecs BIO_MAX_PAGES has been
      horribly confusingly misnamed.  Rename it to BIO_MAX_VECS to stop
      confusing users of the bio API.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
      Link: https://lore.kernel.org/r/20210311110137.1132391-2-hch@lst.de
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      a8affc03
    • regulator: mt6315: Fix off-by-one for .n_voltages · d450293c
      Axel Lin authored
      The valid selector is 0 ~ 0xbf, so the .n_voltages should be 0xc0.
      Signed-off-by: Axel Lin <axel.lin@ingics.com>
      Link: https://lore.kernel.org/r/20210311020558.579597-1-axel.lin@ingics.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
      d450293c
    • arm64: mm: remove unused __cpu_uses_extended_idmap[_level()] · 30b26757
      Ard Biesheuvel authored
      These routines lost all existing users during the latest merge window so
      we can remove them. This avoids the need to fix them in the context of
      fixing a regression related to the ID map on 52-bit VA kernels.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Link: https://lore.kernel.org/r/20210310171515.416643-3-ardb@kernel.org
      Signed-off-by: Will Deacon <will@kernel.org>
      30b26757
    • arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds · 7ba8f2b2
      Ard Biesheuvel authored
      52-bit VA kernels can run on hardware that is only 48-bit capable, but
      configure the ID map as 52-bit by default. This was not a problem until
      recently, because the special T0SZ value for a 52-bit VA space was never
      programmed into the TCR register anyway, and because a 52-bit ID map
      happens to use the same number of translation levels as a 48-bit one.
      
      This behavior was changed by commit 1401bef7 ("arm64: mm: Always update
      TCR_EL1 from __cpu_set_tcr_t0sz()"), which causes the unsupported T0SZ
      value for a 52-bit VA to be programmed into TCR_EL1. While some hardware
      simply ignores this, Mark reports that Amberwing systems choke on this,
      resulting in a broken boot. But even before that commit, the unsupported
      idmap_t0sz value was exposed to KVM and used to program TCR_EL2 incorrectly
      as well.
      
      Given that we already have to deal with address spaces being either 48-bit
      or 52-bit in size, the cleanest approach seems to be to simply default to
      a 48-bit VA ID map, and only switch to a 52-bit one if the placement of the
      kernel in DRAM requires it. This is guaranteed not to happen unless the
      system is actually 52-bit VA capable.
      
      Fixes: 90ec95cd ("arm64: mm: Introduce VA_BITS_MIN")
      Reported-by: Mark Salter <msalter@redhat.com>
      Link: http://lore.kernel.org/r/20210310003216.410037-1-msalter@redhat.com
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Link: https://lore.kernel.org/r/20210310171515.416643-2-ardb@kernel.org
      Signed-off-by: Will Deacon <will@kernel.org>
      7ba8f2b2
    • configfs: fix a use-after-free in __configfs_open_file · 14fbbc82
      Daiyue Zhang authored
      Commit b0841eef ("configfs: provide exclusion between IO and removals")
      uses ->frag_dead to mark the fragment state, thus no bothering with extra
      refcount on config_item when opening a file. The configfs_get_config_item
      was removed in __configfs_open_file, but not with config_item_put. So the
      refcount on config_item will lose its balance, causing use-after-free
      issues in some occasions like this:
      
      Test:
      1. Mount configfs on /config with read-only items:
      drwxrwx--- 289 root   root            0 2021-04-01 11:55 /config
      drwxr-xr-x   2 root   root            0 2021-04-01 11:54 /config/a
      --w--w--w-   1 root   root         4096 2021-04-01 11:53 /config/a/1.txt
      ......
      
      2. Then run:
      for file in /config
      do
      echo $file
      grep -R 'key' $file
      done
      
      3. __configfs_open_file will be called in parallel, the first one
      got called will do:
      if (file->f_mode & FMODE_READ) {
      	if (!(inode->i_mode & S_IRUGO))
      		goto out_put_module;
      			config_item_put(buffer->item);
      				kref_put()
      					package_details_release()
      						kfree()
      
      the other one will run into use-after-free issues like this:
      BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0
      Read of size 8 at addr fffffff155f02480 by task grep/13096
      CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G        W       4.14.116-kasan #1
      TGID: 13096 Comm: grep
      Call trace:
      dump_stack+0x118/0x160
      kasan_report+0x22c/0x294
      __asan_load8+0x80/0x88
      __configfs_open_file+0x1bc/0x3b0
      configfs_open_file+0x28/0x34
      do_dentry_open+0x2cc/0x5c0
      vfs_open+0x80/0xe0
      path_openat+0xd8c/0x2988
      do_filp_open+0x1c4/0x2fc
      do_sys_open+0x23c/0x404
      SyS_openat+0x38/0x48
      
      Allocated by task 2138:
      kasan_kmalloc+0xe0/0x1ac
      kmem_cache_alloc_trace+0x334/0x394
      packages_make_item+0x4c/0x180
      configfs_mkdir+0x358/0x740
      vfs_mkdir2+0x1bc/0x2e8
      SyS_mkdirat+0x154/0x23c
      el0_svc_naked+0x34/0x38
      
      Freed by task 13096:
      kasan_slab_free+0xb8/0x194
      kfree+0x13c/0x910
      package_details_release+0x524/0x56c
      kref_put+0xc4/0x104
      config_item_put+0x24/0x34
      __configfs_open_file+0x35c/0x3b0
      configfs_open_file+0x28/0x34
      do_dentry_open+0x2cc/0x5c0
      vfs_open+0x80/0xe0
      path_openat+0xd8c/0x2988
      do_filp_open+0x1c4/0x2fc
      do_sys_open+0x23c/0x404
      SyS_openat+0x38/0x48
      el0_svc_naked+0x34/0x38
      
      To fix this issue, remove the config_item_put in
      __configfs_open_file to balance the refcount of config_item.
      
      Fixes: b0841eef ("configfs: provide exclusion between IO and removals")
      Signed-off-by: Daiyue Zhang <zhangdaiyue1@huawei.com>
      Signed-off-by: Yi Chen <chenyi77@huawei.com>
      Signed-off-by: Ge Qiu <qiuge@huawei.com>
      Reviewed-by: Chao Yu <yuchao0@huawei.com>
      Acked-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      14fbbc82
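The refcount imbalance described in the configfs commit above, as an added toy model in user-space C (not kernel code and not part of the commit). The struct, enum and function names are assumptions, the release is recorded in a flag instead of freeing memory, and the opens run one after another here rather than racing in parallel as in the commit's trace.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model of a refcounted config_item; all names are illustrative. */
struct item {
    int  refs;      /* references currently held */
    bool released;  /* set where the kernel's release callback would kfree() */
};

enum variant {
    ORIGINAL, /* before b0841eef: open takes a ref, error path drops it */
    BUGGY,    /* the get was removed, the error-path put was left behind */
    FIXED     /* the error-path put is removed as well */
};

static void item_get(struct item *it) { it->refs++; }
static void item_put(struct item *it)
{
    if (--it->refs == 0)
        it->released = true;
}

/* Models the FMODE_READ permission failure in the open path. */
static int open_for_read(struct item *it, bool readable, enum variant v)
{
    if (v == ORIGINAL)
        item_get(it);
    if (!readable) {
        if (v != FIXED)
            item_put(it); /* the put that the fix removes */
        return -1;
    }
    return 0;
}

/* Count opens that would touch an item that was already released. */
static int stale_accesses(enum variant v, int opens)
{
    struct item it = { .refs = 1, .released = false }; /* directory's ref */
    int stale = 0;
    for (int i = 0; i < opens; i++) {
        if (it.released)
            stale++; /* KASAN would report a use-after-free here */
        else
            open_for_read(&it, false, v); /* write-only file, read open */
    }
    return stale;
}

int main(void)
{
    printf("original=%d buggy=%d fixed=%d\n", stale_accesses(ORIGINAL, 2),
           stale_accesses(BUGGY, 2), stale_accesses(FIXED, 2));
    return 0;
}
```

In the buggy variant the first failed open drops the only remaining reference, so every later open counts as a stale access; the other two variants keep the count balanced.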
    • nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a · abbb5f59
      Dmitry Monakhov authored
      This adds a quirk for Samsung PM1725a drive which fixes timeouts and
      I/O errors due to the fact that the controller does not properly
      handle the Write Zeroes command, dmesg log:
      
      nvme nvme0: I/O 528 QID 10 timeout, aborting
      nvme nvme0: I/O 529 QID 10 timeout, aborting
      nvme nvme0: I/O 530 QID 10 timeout, aborting
      nvme nvme0: I/O 531 QID 10 timeout, aborting
      nvme nvme0: I/O 532 QID 10 timeout, aborting
      nvme nvme0: I/O 533 QID 10 timeout, aborting
      nvme nvme0: I/O 534 QID 10 timeout, aborting
      nvme nvme0: I/O 535 QID 10 timeout, aborting
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: Abort status: 0x0
      nvme nvme0: I/O 528 QID 10 timeout, reset controller
      nvme nvme0: controller is down; will reset: CSTS=0x3, PCI_STATUS=0x10
      nvme nvme0: Device not ready; aborting reset, CSTS=0x3
      nvme nvme0: Device not ready; aborting reset, CSTS=0x3
      nvme nvme0: Removing after probe failure status: -19
      nvme0n1: detected capacity change from 6251233968 to 0
      blk_update_request: I/O error, dev nvme0n1, sector 32776 op 0x1:(WRITE) flags 0x3000 phys_seg 6 prio class 0
      blk_update_request: I/O error, dev nvme0n1, sector 113319936 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 1, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113319680 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 2, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113319424 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 3, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113319168 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 4, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113318912 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 5, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113318656 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Buffer I/O error on dev nvme0n1p2, logical block 6, lost async page write
      blk_update_request: I/O error, dev nvme0n1, sector 113318400 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      blk_update_request: I/O error, dev nvme0n1, sector 113318144 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      blk_update_request: I/O error, dev nvme0n1, sector 113317888 op 0x9:(WRITE_ZEROES) flags 0x0 phys_seg 0 prio class 0
      Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      abbb5f59