Commit graph

1059914 commits

Author SHA1 Message Date
Linus Torvalds
b9902641b5 Thermal control fix for 5.16-rc5
Fix the definition of one of the Tiger Lake MMIO registers in the
 int340x thermal driver (Sumeet Pawnikar).
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmGzrbMSHHJqd0Byand5
 c29ja2kubmV0AAoJEILEb/54YlRxVokQAIpCQJ0m7qrG61hcrDHEKjOJFVrWs3CF
 ombKEUZHTqqjvzzETMfiJQjq8+FXdpWFMQPzUdNm5NuhOkJY711O8N6WWKwStC9P
 HGPDAoI5mzR8TpdZjeCMSFgf7sVunrZfWROfdxd/L5ySJby6sCGOJhJ11Cre/shY
 3Pq3WhjJj6WA7eK6eyv+dTibD+l8qdkhNZmuaJJoi6/gVF/T7w+r+6FNbT/cyJc+
 rT3ETCs5vVK9D5Xv1/URj5km+6mCVHXl/KLZ4gzAo2h6WXfbF+Sh2VTaml9a36Vv
 plzJh5S/3Npg1ijcswiHzCgTqlS7ba4raxv4PpMS35fQbjELCHDiqcYJ/C911lpx
 FYZtJ9+UMRKsAc42pFJ9lvso6nyhYxAO5fJkcCqX9JqmslpAGTfBtyx6tHp8X6ey
 oIccz3qrdfnsADfGYftML0D4zWBzeZ9NZewaElUU2cj6xNs30fQ+VAeApA/1OIHA
 C9a2d1S8CwkDCOFFW0j2/wLjgeQ+99VPRf3xKiZbG2tpecw/It+npKcGjR6UOUMi
 EJ0pdiwu7htGNTnJTwtfhKQuzvAe/Dzcru55an/i4uJz+ARu4ZlypEOj0PIax50C
 ZAQ9FqLmA4fF9CbFR2kaEkrdgDkrb7eUqCRUdawPzSmWyULL6Sr30eHHTyfQkDBH
 G6ltCwAkNQW5
 =pl8B
 -----END PGP SIGNATURE-----

Merge tag 'thermal-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull thermal control fix from Rafael Wysocki:
 "Fix the definition of one of the Tiger Lake MMIO registers in the
  int340x thermal driver (Sumeet Pawnikar)"

* tag 'thermal-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  thermal: int340x: Fix VCoRefLow MMIO bit offset for TGL
2021-12-10 17:02:46 -08:00
Linus Torvalds
9e65da135b ACPI fix for 5.16-rc5
Create the output directory for the ACPI tools during build if it has
 not been present before and prevent the compilation from failing in
 that case (Chen Yu).
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmGzrMQSHHJqd0Byand5
 c29ja2kubmV0AAoJEILEb/54YlRxEZAP/RUAlFyiYOgL8iyRJxFkRNL0VdzS7ATY
 2p+rT53mPRkcUN0e4ZdrUtNr50p1rC2Qx614Tm++2QLsQ08tz7IOb2PDX7GcKx34
 Gs6z/tYQzjgwy+bElfSa+lnbczGndkm1m4hWgIcs0MkIQzZwaGRfQ3mc5TE7FfyJ
 F1ALLsMM8fY2K/3akbQ5ysPLXA3AYEmnC/V1tw4b5sxH7Mi1vkfFYyTmk5Te5VyW
 Zp9u63DoEmaNYKZeWsfkHUJM9QjvUOAhdIGK+OVBjlF9/qvSiLOTL5jYuRt/74ab
 7vOSWWzEcihW5xa2mPWCz3YWQzZyB6qNM1b1DVN3sDZvv7zLhd1ntcZ5B/M/sT+I
 SuRB1AMj92t8bgvp+U21ehUIygQdJuJ0Ny16q89yDgDv0qY0m8ZDq28IrXEkMVc6
 g5iAwI7LlYovD3wnSGXL391sG6dSUQzWxuLp+h3bcJJZkSTiYYW9M2iQHVJgDI1h
 T4Scdm0aUPr6lO1o/J8Chg8G9dMtPX89+WK5+6JA0P2PwHYHd9s79KDzq14zrltZ
 vZWG7ishOqMoRJhxd5mI9Y63DZesO4kcuIzCADqO/K2WVCEgJ2sooNQAF0Ys440R
 HypRBRs8FZmohS/gznFDmtrS/lhXfacXQVS+CKhM9XbNI+E8AQq9F6AmqHotqZRF
 0MZ8HPOg3kKP
 =lLS7
 -----END PGP SIGNATURE-----

Merge tag 'acpi-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "Create the output directory for the ACPI tools during build if it has
  not been present before and prevent the compilation from failing in
  that case (Chen Yu)"

* tag 'acpi-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: tools: Fix compilation when output directory is not present
2021-12-10 14:43:16 -08:00
Linus Torvalds
d46bca632c Power management fix for 5.16-rc5
Fix a kernedoc comment that doesn't match the behavior of the
 function documented by it.
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAmGzq+ISHHJqd0Byand5
 c29ja2kubmV0AAoJEILEb/54YlRxHRQP/09O03Tm3A9phiOaeHulxMwxxJu/t6E9
 +0ZbzM4vSmkg0mPdlIAJt7/gAd6hWiS9XEOrrLZ+Q9/v00pIz4nF2510E7MbLxLO
 9LPYO9PBw7tTG1sxMf9zULSvw3SzLcBEdgsuzicQO+QUf8uyYRXblUrlppgyW+YN
 XEl6SjBYSLWPjuQYs5ZZx1JIic57zfj1g7XUyFmvIKrN0tx1GKo4YQsedhcAiW8O
 523V+9H4acQ70tQfNHzwrkyBF7GImocZFxWBdb5c+JhfJgz0TigCXFB84D+3U9WW
 3dMrfIKafygYS0PvrPk0ovk3SgmXj85i/x5v41DZA22gmoYFAbKNc3Uk4T6Z1D08
 scjKtydpALnMagEBbkJ378Oa4Q4Tq5pvVW/sf78RdOjF3mTrfpe6yMAQCE3+GTNK
 IbnidQGunEFJObaGoh4/U9XQS6cfjIr5FVw83hNxYvSq7YoWtzsHarBNHxUFTgML
 E5DZaiLWeEIoVaFBo3tkxTsP5AKZo2NYxD/cX85cXLxNygY64CRSHvJ+rC6bQRae
 7w5ZwgWisNaypwblO741WPxxqs16uD4ZpRz2dqDVmTjsSP4EJCZe6C8aECzbGNDD
 Wqy+3edya/fHdV7qra+yMRNgK4po3/rzr7CZ7WqRaNZ5dH7o3wDBPKBhhHwKtK/w
 ymPawTBfYNQR
 =Hvf1
 -----END PGP SIGNATURE-----

Merge tag 'pm-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fix from Rafael Wysocki:
 "Fix a kernedoc comment that doesn't match the behavior of the function
  documented by it"

* tag 'pm-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM: runtime: Fix pm_runtime_active() kerneldoc comment
2021-12-10 14:36:06 -08:00
Linus Torvalds
1e050cd539 hwmon fixes for v5.16-rc5
- In the pwm-fan driver, ensure that the internal pwm state matches
   the state assumed by the pwm code.
 - Avoid EREMOTEIO errors in sht4 driver
 - In the nct6775 driver, make it explicit that the register value
   passed to nct6775_asuswmi_read() is an 8-bit value
 - Avoid WARNing in dell-smm driver removal after failing to create
   /proc/i8k
 - Stop using a plain integer as NULL pointer in corsair-psu driver
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEiHPvMQj9QTOCiqgVyx8mb86fmYEFAmGzuzMACgkQyx8mb86f
 mYFA7xAAo9Bt0sjsRqgu9ZD+0cC6wKQV6HVkq1Gd5CnvG/gnS98/Yog7AGdpvGdp
 x4FssJ8Xgr6CZJfAwZA2koX60aEyl/VT7QORFZdeg0yhUHNxnU9W/INH7OZ2Bs3q
 n+ceE1MHFyyesRgqD9mrMEiiOodQxOch2RmGpXercYyVfpZciPL5ITYVcwS0xU1C
 ESCSi5bQGxfgw3lcH92fDFrmtXYBwxNYbq19qJvzRlT9bqvxUjyQD69Mxl/yKfev
 NXUFizBAMmXbe7d7Uqg3HKWQzLfyz7FCIor37suclYoiWY/Nn4Fx8oBLq7PuYf51
 7/jFX2xCB/GZFz5zjDj/83/Kxj9KR2yyHu1IyWqBGhGGQlFTiu11m308CIBJpKL8
 LkoIt9N95oyDI66YEDrxDRQvx+uW35igMlxRmk+E4WQLwJcOdfpEFHkvMAey3/D5
 qYybXKMRQ/UlNSzpgDJSpUFu34RdaJJczYi68yCpCVy30PbTLL+8jLUW5RhrS6H4
 g6Rupx0ggJFWPs2gIjgoA0ERaoW7pO9BKmqxqbSdafje5xzYUngiXxsAc9qSl5fI
 p8Gzq4tQNogvC35SFJKjjtJy8m43fKxPFD4O6ShwZYn5i7J+ugm9Q75U4hcCCeeQ
 hW0tNC6aK17NJE2F/RkWVnE9nWpwKULeRDTUqLJuvP3pVZJVyXQ=
 =Fjl2
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-v5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:

 - In the pwm-fan driver, ensure that the internal pwm state matches the
   state assumed by the pwm code.

 - Avoid EREMOTEIO errors in sht4 driver

 - In the nct6775 driver, make it explicit that the register value
   passed to nct6775_asuswmi_read() is an 8-bit value

 - Avoid WARNing in dell-smm driver removal after failing to create
   /proc/i8k

 - Stop using a plain integer as NULL pointer in corsair-psu driver

* tag 'hwmon-for-v5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (pwm-fan) Ensure the fan going on in .probe()
  hwmon: (sht4x) Fix EREMOTEIO errors
  hwmon: (nct6775) mask out bank number in nct6775_wmi_read_value()
  hwmon: (dell-smm) Fix warning on /proc/i8k creation error
  hwmon: (corsair-psu) fix plain integer used as NULL pointer
2021-12-10 14:31:45 -08:00
Linus Torvalds
257dcf2923 tracing, ftrace and tracefs fixes:
- Have tracefs honor the gid mount option
 
  - Have new files in tracefs inherit the parent ownership
 
  - Have direct_ops unregister when it has no more functions
 
  - Properly clean up the ops when unregistering multi direct ops
 
  - Add a sample module to test the multiple direct ops
 
  - Fix memory leak in error path of __create_synth_event()
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCYbOgPBQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qgOtAP0YD+cRLxnRKA376oQVB8zmuZ3mZ/4x
 6M1hqruSDlno3AEA19PyHpxl7flFwnBb6Gnfo9VeefcMS5ENDH9p1aHX4wU=
 =Tr6t
 -----END PGP SIGNATURE-----

Merge tag 'trace-v5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fixes from Steven Rostedt:
 "Tracing, ftrace and tracefs fixes:

   - Have tracefs honor the gid mount option

   - Have new files in tracefs inherit the parent ownership

   - Have direct_ops unregister when it has no more functions

   - Properly clean up the ops when unregistering multi direct ops

   - Add a sample module to test the multiple direct ops

   - Fix memory leak in error path of __create_synth_event()"

* tag 'trace-v5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix possible memory leak in __create_synth_event() error path
  ftrace/samples: Add module to test multi direct modify interface
  ftrace: Add cleanup to unregister_ftrace_direct_multi
  ftrace: Use direct_ops hash in unregister_ftrace_direct
  tracefs: Set all files to the same group ownership as the mount option
  tracefs: Have new files inherit the ownership of their parent
2021-12-10 14:24:05 -08:00
Linus Torvalds
0d21e66847 aio poll fixes for 5.16-rc5
Fix three bugs in aio poll, and one issue with POLLFREE more broadly:
 
   - aio poll didn't handle POLLFREE, causing a use-after-free.
   - aio poll could block while the file is ready.
   - aio poll called eventfd_signal() when it isn't allowed.
   - POLLFREE didn't handle multiple exclusive waiters correctly.
 
 This has been tested with the libaio test suite, as well as with test
 programs I wrote that reproduce the first two bugs.  I am sending this
 pull request myself as no one seems to be maintaining this code.
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQSacvsUNc7UX4ntmEPzXCl4vpKOKwUCYbObthQcZWJpZ2dlcnNA
 Z29vZ2xlLmNvbQAKCRDzXCl4vpKOK+3mAQC9W8ApzBleEPI6FXzIIo5AiQT/2jGl
 7FbO1MtkdUBU4QEAzf+VWl4Z4BJTgxl44avRdVDpXGAMnbWkd7heY+e3HwA=
 =mp+r
 -----END PGP SIGNATURE-----

Merge tag 'aio-poll-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

Pull aio poll fixes from Eric Biggers:
 "Fix three bugs in aio poll, and one issue with POLLFREE more broadly:

   - aio poll didn't handle POLLFREE, causing a use-after-free.

   - aio poll could block while the file is ready.

   - aio poll called eventfd_signal() when it isn't allowed.

   - POLLFREE didn't handle multiple exclusive waiters correctly.

  This has been tested with the libaio test suite, as well as with test
  programs I wrote that reproduce the first two bugs. I am sending this
  pull request myself as no one seems to be maintaining this code"

* tag 'aio-poll-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux:
  aio: Fix incorrect usage of eventfd_signal_allowed()
  aio: fix use-after-free due to missing POLLFREE handling
  aio: keep poll requests on waitqueue until completed
  signalfd: use wake_up_pollfree()
  binder: use wake_up_pollfree()
  wait: add wake_up_pollfree()
2021-12-10 14:15:39 -08:00
Linus Torvalds
b9172f9e88 More x86 fixes:
* Logic bugs in CR0 writes and Hyper-V hypercalls
 * Don't use Enlightened MSR Bitmap for L3
 * Remove user-triggerable WARN
 
 Plus a few selftest fixes and a regression test for the
 user-triggerable WARN.
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmGzZuIUHHBib256aW5p
 QHJlZGhhdC5jb20ACgkQv/vSX3jHroMD4Qf+Im7Q0XNRZGzK6x4Blu3ZZJSuIIkW
 gEK5mDX/BWSYxoGhRN0IOkyf1Tx/A5qYwbZts87wZSvKONG2MuVzdeQ0mkDxgKc3
 cYwvvIPxCKaW/dQLD2OKVlqdAv6YbeJiFURWXgszMkrcgHvw39H5Tn6ldi0B5nvg
 Gvpj8LtbPDXGXab//Xrhia3+1F9TKOrcOG+obGC5G2mrGKTkG2+pi9L6LohvENhd
 sOSWdpmvQTU4PeqGlhW8RCwcN+vpa+NasHT2i2tHcWZA9Lqp4P81+4ZyQLIBsRB3
 psANG0c40EW+lfjFGbLL/6VR5kypxa6zy9RgX+QiRcj6C0+dJOgnwNY35A==
 =cREz
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "More x86 fixes:

   - Logic bugs in CR0 writes and Hyper-V hypercalls

   - Don't use Enlightened MSR Bitmap for L3

   - Remove user-triggerable WARN

  Plus a few selftest fixes and a regression test for the
  user-triggerable WARN"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  selftests: KVM: Add test to verify KVM doesn't explode on "bad" I/O
  KVM: x86: Don't WARN if userspace mucks with RCX during string I/O exit
  KVM: X86: Raise #GP when clearing CR0_PG in 64 bit mode
  selftests: KVM: avoid failures due to reserved HyperTransport region
  KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req
  KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall
  KVM: x86: selftests: svm_int_ctl_test: fix intercept calculation
  KVM: nVMX: Don't use Enlightened MSR Bitmap for L3
2021-12-10 14:09:12 -08:00
Chris Packham
a74c313aca i2c: mpc: Use atomic read and fix break condition
Maxime points out that the polling code in mpc_i2c_isr should use the
_atomic API because it is called in an irq context and that the
behaviour of the MCF bit is that it is 1 when the byte transfer is
complete. All of this means the original code was effectively a
udelay(100).

Fix this by using readb_poll_timeout_atomic() and removing the negation
of the break condition.

Fixes: 4a8ac5e45c ("i2c: mpc: Poll for MCF")
Reported-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Tested-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2021-12-10 22:27:30 +01:00
Jens Axboe
71a8538754 io-wq: check for wq exit after adding new worker task_work
We check IO_WQ_BIT_EXIT before attempting to create a new worker, and
wq exit cancels pending work if we have any. But it's possible to have
a race between the two, where creation checks exit finding it not set,
but we're in the process of exiting. The exit side will cancel pending
creation task_work, but there's a gap where we add task_work after we've
canceled existing creations at exit time.

Fix this by checking the EXIT bit post adding the creation task_work.
If it's set, run the same cancelation that exit does.

Reported-and-tested-by: syzbot+b60c982cb0efc5e05a47@syzkaller.appspotmail.com
Reviewed-by: Hao Xu <haoxu@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-10 13:56:28 -07:00
Jens Axboe
78a7806020 io_uring: ensure task_work gets run as part of cancelations
If we successfully cancel a work item but that work item needs to be
processed through task_work, then we can be sleeping uninterruptibly
in io_uring_cancel_generic() and never process it. Hence we don't
make forward progress and we end up with an uninterruptible sleep
warning.

While in there, correct a comment that should be IFF, not IIF.

Reported-and-tested-by: syzbot+21e6887c0be14181206d@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-10 13:56:28 -07:00
Linus Torvalds
b8a98b6bf6 pci-v5.16-fixes-2
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCgAyFiEEgMe7l+5h9hnxdsnuWYigwDrT+vwFAmGzf4IUHGJoZWxnYWFz
 QGdvb2dsZS5jb20ACgkQWYigwDrT+vwjcBAAiWel9P5H947jR9sTbz4ya6wH1biD
 k2w97VDa65DyH/LBJSgNwmblnXs7yIUuGTd+mRq9bhlpE8CQi9BfeCehP1vCfTeQ
 JtMH62dW8KBLkvIHU83H1SSZZNKQgDn7hqUsrrMa0HD+Z+ovbuQYp4M1Oh6xRAEM
 TTBTKb0KivA8bFwvtgj/mu7K7sVJH+cVMilD9ABoVeGmCWfUSO48ovEjWB+vmBFs
 UyTCU5CUg/FkjvVmZTOv5GY4EL83FA9Jdtzy8inRA+hSWY6ImXHTzmQlAzvA+Rkv
 k344ZQM9GNvbvwKfBa9iW2g+B2y/OJXafGoVL0NBUcj/eiY5dnAX0/tZHvx0aXFy
 G1Txy2utaG2MSkfZzchEKbRvS0tV7kiFiTmqp9lNmffTZiP72k4+kFJHQC5AzvZb
 O7Ce/XSQifQ1Z3f5B+Ymx6EOgKYJUaWO9B1U1KF0EKGMe5GB0TBiXh/tS2EmV1O8
 1hkUJm032Bbf1Bv5R6BLdgKVz4I3UsqmGKH5gg3blyylAQ1oHsioaUKeV6iHSq40
 u9rNZaKGC3SweYZVISNE1uoII4qzEgLOHggHpZvWxhQy35cFBz8ZsNfLwBD3/8z9
 UfFuLSLHjx+hv3Ev5mgDWH1mzAlzyq5KkDT0bodBix07s5mviDH+57yyw3JtHUuL
 F+tMrYjUHK9ArC8=
 =BWkT
 -----END PGP SIGNATURE-----

Merge tag 'pci-v5.16-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - Revert emulation of Marvell Armada A3720 expansion ROM because it
   doesn't work as expected (Marek Behún)

 - Assert PERST# in Apple M1 driver to fix initialization when booting
   from bootloaders using PCIe, such as U-Boot (Marc Zyngier)

 - Describe PERST# as active low in Apple T8103 DT and update driver to
   match (Marc Zyngier)

* tag 'pci-v5.16-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: apple: Fix PERST# polarity
  arm64: dts: apple: t8103: Mark PCIe PERST# polarity active low in DT
  PCI: apple: Follow the PCIe specifications when resetting the port
  Revert "PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge"
2021-12-10 11:56:05 -08:00
Linus Torvalds
2ca4b65169 MMC host:
- mtk-sd: Fix memory leak during tuning
  - renesas_sdhi: Initialize variable properly when tuning
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmGzIyIXHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCmEfA//cKIKY5DdsiQcw/jwZlb9zvyn
 iHQxnrmLQ/fQTrPrzUYvwTEfuPUIMuhX3mo6gNijr0bBPHQ//6LN/yuq+45ZISmK
 ehVOa9bOp5kC0Uw9FF2y3ZrINVIep6k5yp27HDPhZ96qX/xLKH+905tdX13Md5c4
 Wzw1aiYcK5kb69HDYplg2WXKyws+i2mCsA8RhX+S0ZKFPAk0a5SWyT4A47zgoVOz
 02SPQtx/9j7yk14bt2ih/WgsfDq6tTJ+mel6YWjYkneu3JEhyUsq4rIh9bDunGT5
 ycjM6rEji8bue0at+1xCYzV/LIYBJHB6Y4Lp2dT6rGOEYCZxbQHuuJydg0OBRQMR
 bKmfogsJjZKCgN3CK2NTJkBOv5yV7nFzXOcU/W5FNgJlBmKUzkSPFdW0c4BZQMyI
 x2wRI/UutyceSJfpxM4EcSW1/CNqJhS1VgJowu1U7G5dYrZvJnZlvmeq030a2pwo
 t1vFHHAhgkJ7etRctTZBPdVOB/3xaDyYG0FOyyQqhhGzFw1mAILgGZowq8IA/p1w
 5b9ynHYDVsBPJ4TeB50JjGxPOvuJjqYRhqlCRj08YBdRvWUJACOtmYo/sedwKZxE
 Cp3awLefVgAuUuhvPsqZOg5pd5IvyVpGTbBIfLUIJZb6I40Ub7QopE+WK3ixNHr8
 u6l7nmsP5PtDgVB+TBU=
 =nakq
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v5.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC host fixes from Ulf Hansson:

 - mtk-sd: Fix memory leak during tuning

 - renesas_sdhi: Initialize variable properly when tuning

* tag 'mmc-v5.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: mediatek: free the ext_csd when mmc_get_ext_csd success
  mmc: renesas_sdhi: initialize variable properly when tuning
2021-12-10 11:50:21 -08:00
Linus Torvalds
bec8cb26f4 libata fixes for 5.16-rc5
* Fix a sparse warning in the ahci_ceva driver, from me
 * Disable the ASMedia 1092 non-functional device, from Hannes
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSRPv8tYSvhwAzJdzjdoc3SxdoYdgUCYbMACQAKCRDdoc3SxdoY
 dt1wAQDbewJv2zf5eCUkAF2/NJaRJvrT8HmcbihsGic+NzfdwAD+PvF6XS4DMbr5
 ee6g7c0SYOb5ZtLfVGwVaZQgNNvJAQQ=
 =vV6H
 -----END PGP SIGNATURE-----

Merge tag 'libata-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata

Pull libata fixes from Damien Le Moal:

 - Fix a sparse warning in the ahci_ceva driver (me)

 - Disable the ASMedia 1092 non-functional device (Hannes)

* tag 'libata-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
  libata: add horkage for ASMedia 1092
  ata: ahci_ceva: Fix id array access in ceva_ahci_read_id()
2021-12-10 11:46:53 -08:00
Linus Torvalds
5b46fb0383 sound fixes for 5.16-rc5
Another collection of small fixes.  It's still not quite calm yet,
 but nothing looks scary.
 
 ALSA core got a few fixes for covering the issues detected by fuzzer
 and the 32bit compat problem of control API, while the rest are all
 device-specific small fixes, including the continued fixes for Tegra.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmGyKGsOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE+56w/+ME2YljtbD2RhYzJs2X8ARvusOO3mX1Zjr/36
 +7wBRi8WwRVH3jn59CnhgCDXSxTaM8GYbFje8kAyYv0Ib+f9bAvao7pgFAPFEd//
 ZRZBQ0bCF18Pp4oNqbR/F6K2XyLyzQeRQPWl2z0oZq4zuWXtK59pQnXbEYV/UGx8
 MMciRA4aj7qYaaQj4juBNKuxgixAyCatcOJh6t5O4dy2N9naQi0TShMF49ca8uRR
 nSOq1YeEBpIOd4DVto4P6sQ7tpyfffj4qPhXGvemYnhBfwMhUVJyWxFjXXGJY2rT
 KrFtuOHlS7NlScvT36GowbQdB5wgXJ7eLJg/JXVi3HBCrV4zHlp7Jn/Nbr62SYIu
 h5gkgNN04Hjgel5lTvsJPiirxfxWpbVeF84HOrkrx6teOsGWZtW10Zms0YkovKmg
 hR23YRNbX4qko6evBvg4lRlSlbTznOvzHKY323joebjSYp4kSJyNdqc+8fgVpK3E
 Fx9DJmBSyGp/n2gkKZEhDVSgcWZyGvPkFqondCjwxqWV+jvJWSnScTjUyMeOfUCt
 lFV4tlIMQ58t5u6BRaMGTenTxQ6Dqf5nOR1hwK5EPR5RQwu3chFfYDsm0C9ZKfsG
 mCMe3BTvdl3W2nShwIH11B/ukieqAVZ7uugSFAarYamDfupPcwO69lPIeFAEuzjw
 N+us0rg=
 =g4gf
 -----END PGP SIGNATURE-----

Merge tag 'sound-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Another collection of small fixes. It's still not quite calm yet, but
  nothing looks scary.

  ALSA core got a few fixes for covering the issues detected by fuzzer
  and the 32bit compat problem of control API, while the rest are all
  device-specific small fixes, including the continued fixes for Tegra"

* tag 'sound-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (23 commits)
  ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
  ALSA: usb-audio: Reorder snd_djm_devices[] entries
  ALSA: hda/realtek: Fix quirk for TongFang PHxTxX1
  ALSA: ctl: Fix copy of updated id with element read/write
  ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
  ALSA: pcm: oss: Limit the period size to 16MB
  ALSA: pcm: oss: Fix negative period/buffer sizes
  ASoC: codecs: wsa881x: fix return values from kcontrol put
  ASoC: codecs: wcd934x: return correct value from mixer put
  ASoC: codecs: wcd934x: handle channel mappping list correctly
  ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
  ASoC: SOF: Intel: Retry codec probing if it fails
  ASoC: amd: fix uninitialized variable in snd_acp6x_probe()
  ASoC: rockchip: i2s_tdm: Dup static DAI template
  ASoC: rt5682s: Fix crash due to out of scope stack vars
  ASoC: rt5682: Fix crash due to out of scope stack vars
  ASoC: tegra: Use normal system sleep for ADX
  ASoC: tegra: Use normal system sleep for AMX
  ASoC: tegra: Use normal system sleep for Mixer
  ASoC: tegra: Use normal system sleep for MVC
  ...
2021-12-10 11:43:00 -08:00
Linus Torvalds
9b302ffe4e drm fixes for 5.16-rc5
ttm:
 - fix ttm_bo_swapout
 
 syncobj:
 - fix fence find bug with signalled fences
 
 i915:
 - fix error pointer deref in gem execbuffer
 - fix for GT init with GuC/HuC on ICL
 
 amdgpu:
 - DPIA fix
 - eDP fix
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmGy1uEACgkQDHTzWXnE
 hr7KNRAAlW9JhjyhIXBmk3UzXJ71YSi3KkWo9cyfVpoUUhjZ3yLTDhxLxvjyrlYg
 Jv3wkBhQKjcQl8fVyvypaySotfg0s3lqzFNzTp6TDAz+u5wvN5Xbi6uUgfQgav3T
 pecliq53LAtfRSkZchm6AxHTZ2hq9AUk46rT7RgvFCVnEC1xioc3zEL1vEHbua0q
 dTjnu8jovmiZHRbMI+U7sNy2D4tJ7olxQYK2kBhdeDdajpmIxXHX1dFJ8xTyRAK6
 dIt7iVY9Lje8q+qYyayT4m+jOWGfOUrGQRSyFZJrOF4T1Uyjak8H0jpUbxOZQh84
 HCQbrn+INkgXT2aix0vxptFnsaWbwW3aVG70pGf9c1SUob2eWJuyYNIJaLzANdWK
 4RVVjtVu4LJJft3yHpowDFJNLes6pRniDhN+zX9Ym66jhEaxfPlNjL8mVFOKJk8g
 SkHXf6QZU4TGT0rSgv7I9dd803airplQJxxXXVD7sdNrgc7lZBjw+fpCh2Xm66FN
 DbqjStQ/1Is3QJFTYHrlQFVKo43d38M1imTEpxPmPzIK6DXhT7uz79h2A85jSqes
 gA8bYEXHYcMV1a/uDveyoQtOlGcLein4Ji4VoiKr26F1gS5pbQmu5IYoXZnN022Q
 2S/aGS1cL9yJ5I07Zd/gvay3SKaQSWUZRD0McAfbB/+GFaqC9w0=
 =Z2Ds
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2021-12-10' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Regular fixes, pretty small overall, couple of core fixes, two i915
  and two amdgpu, hopefully it stays this quiet.

  ttm:
   - fix ttm_bo_swapout

  syncobj:
   - fix fence find bug with signalled fences

  i915:
   - fix error pointer deref in gem execbuffer
   - fix for GT init with GuC/HuC on ICL

  amdgpu:
   - DPIA fix
   - eDP fix"

* tag 'drm-fixes-2021-12-10' of git://anongit.freedesktop.org/drm/drm:
  drm/i915/gen11: Moving WAs to icl_gt_workarounds_init()
  drm/amd/display: prevent reading unitialized links
  drm/amd/display: Fix DPIA outbox timeout after S3/S4/reset
  drm/i915: Fix error pointer dereference in i915_gem_do_execbuffer()
  drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
  drm/ttm: fix ttm_bo_swapout
2021-12-10 11:29:53 -08:00
Jens Axboe
5eff363838 Revert "mtd_blkdevs: don't scan partitions for plain mtdblock"
This reverts commit 776b54e97a.

Looks like a last minute edit snuck into this patch, and as a result,
it doesn't even compile. Revert the change for now.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-10 11:52:34 -07:00
Davidlohr Bueso
e6a59aac8a block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
do_each_pid_thread(PIDTYPE_PGID) can race with a concurrent
change_pid(PIDTYPE_PGID) that can move the task from one hlist
to another while iterating. Serialize ioprio_get to take
the tasklist_lock in this case, just like it's set counterpart.

Fixes: d69b78ba1d (ioprio: grab rcu_read_lock in sys_ioprio_{set,get}())
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Link: https://lore.kernel.org/r/20211210182058.43417-1-dave@stgolabs.net
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-10 11:26:07 -07:00
Jens Axboe
a5c2455235 Merge branch 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into block-5.16
Pull MD fixes from Song.

* 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md:
  md: fix double free of mddev->private in autorun_array()
  md: fix update super 1.0 on rdev size change
2021-12-10 10:19:52 -07:00
Paul Chaignon
0be2516f86 selftests/bpf: Tests for state pruning with u32 spill/fill
This patch adds tests for the verifier's tracking for spilled, <8B
registers. The first two test cases ensure the verifier doesn't
incorrectly prune states in case of <8B spill/fills. The last one simply
checks that a filled u64 register is marked unknown if the register
spilled in the same slack slot was less than 8B.

The map value access at the end of the first program is only incorrect
for the path R6=32. If the precision bit for register R8 isn't
backtracked through the u32 spill/fill, the R6=32 path is pruned at
instruction 9 and the program is incorrectly accepted. The second
program is a variation of the same with u32 spills and a u64 fill.

The additional instructions to introduce the first pruning point may be
a bit fragile as they depend on the heuristics for pruning points in the
verifier (currently at least 8 instructions and 2 jumps). If the
heuristics are changed, the pruning point may move (e.g., to the
subsequent jump) or disappear, which would cause the test to always pass.

Signed-off-by: Paul Chaignon <paul@isovalent.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-10 09:13:21 -08:00
Paul Chaignon
345e004d02 bpf: Fix incorrect state pruning for <8B spill/fill
Commit 354e8f1970 ("bpf: Support <8-byte scalar spill and refill")
introduced support in the verifier to track <8B spill/fills of scalars.
The backtracking logic for the precision bit was however skipping
spill/fills of less than 8B. That could cause state pruning to consider
two states equivalent when they shouldn't be.

As an example, consider the following bytecode snippet:

  0:  r7 = r1
  1:  call bpf_get_prandom_u32
  2:  r6 = 2
  3:  if r0 == 0 goto pc+1
  4:  r6 = 3
  ...
  8: [state pruning point]
  ...
  /* u32 spill/fill */
  10: *(u32 *)(r10 - 8) = r6
  11: r8 = *(u32 *)(r10 - 8)
  12: r0 = 0
  13: if r8 == 3 goto pc+1
  14: r0 = 1
  15: exit

The verifier first walks the path with R6=3. Given the support for <8B
spill/fills, at instruction 13, it knows the condition is true and skips
instruction 14. At that point, the backtracking logic kicks in but stops
at the fill instruction since it only propagates the precision bit for
8B spill/fill. When the verifier then walks the path with R6=2, it will
consider it safe at instruction 8 because R6 is not marked as needing
precision. Instruction 14 is thus never walked and is then incorrectly
removed as 'dead code'.

It's also possible to lead the verifier to accept e.g. an out-of-bound
memory access instead of causing an incorrect dead code elimination.

This regression was found via Cilium's bpf-next CI where it was causing
a conntrack map update to be silently skipped because the code had been
removed by the verifier.

This commit fixes it by enabling support for <8B spill/fills in the
bactracking logic. In case of a <8B spill/fill, the full 8B stack slot
will be marked as needing precision. Then, in __mark_chain_precision,
any tracked register spilled in a marked slot will itself be marked as
needing precision, regardless of the spill size. This logic makes two
assumptions: (1) only 8B-aligned spill/fill are tracked and (2) spilled
registers are only tracked if the spill and fill sizes are equal. Commit
ef979017b8 ("bpf: selftest: Add verifier tests for <8-byte scalar
spill and refill") covers the first assumption and the next commit in
this patchset covers the second.

Fixes: 354e8f1970 ("bpf: Support <8-byte scalar spill and refill")
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-10 09:13:19 -08:00
zhangyue
07641b5f32 md: fix double free of mddev->private in autorun_array()
In driver/md/md.c, if the function autorun_array() is called,
the problem of double free may occur.

In function autorun_array(), when the function do_md_run() returns an
error, the function do_md_stop() will be called.

The function do_md_run() called function md_run(), but in function
md_run(), the pointer mddev->private may be freed.

The function do_md_stop() called the function __md_stop(), but in
function __md_stop(), the pointer mddev->private also will be freed
without judging null.

At this time, the pointer mddev->private will be double free, so it
needs to be judged null or not.

Signed-off-by: zhangyue <zhangyue1@kylinos.cn>
Signed-off-by: Song Liu <songliubraving@fb.com>
2021-12-10 09:11:07 -08:00
Markus Hochholdinger
55df1ce0d4 md: fix update super 1.0 on rdev size change
The superblock of version 1.0 doesn't get moved to the new position on a
device size change. This leads to a rdev without a superblock on a known
position, the raid can't be re-assembled.

The line was removed by mistake and is re-added by this patch.

Fixes: d9c0fa509e ("md: fix max sectors calculation for super 1.0")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Hochholdinger <markus@hochholdinger.net>
Reviewed-by: Xiao Ni <xni@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
2021-12-10 09:11:07 -08:00
J. Bruce Fields
548ec0805c nfsd: fix use-after-free due to delegation race
A delegation break could arrive as soon as we've called vfs_setlease.  A
delegation break runs a callback which immediately (in
nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we
then exit nfs4_set_delegation without hashing the delegation, it will be
freed as soon as the callback is done with it, without ever being
removed from del_recall_lru.

Symptoms show up later as use-after-free or list corruption warnings,
usually in the laundromat thread.

I suspect aba2072f45 "nfsd: grant read delegations to clients holding
writes" made this bug easier to hit, but I looked as far back as v3.0
and it looks to me it already had the same problem.  So I'm not sure
where the bug was introduced; it may have been there from the beginning.

Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2021-12-10 11:55:15 -05:00
Alexander Sverdlin
b10252c7ae nfsd: Fix nsfd startup race (again)
Commit bd5ae9288d ("nfsd: register pernet ops last, unregister first")
has re-opened rpc_pipefs_event() race against nfsd_net_id registration
(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e
("nfsd: fix nsfd startup race triggering BUG_ON").

Restore the order of register_pernet_subsys() vs register_cld_notifier().
Add WARN_ON() to prevent a future regression.

Crash info:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012
CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1
pc : rpc_pipefs_event+0x54/0x120 [nfsd]
lr : rpc_pipefs_event+0x48/0x120 [nfsd]
Call trace:
 rpc_pipefs_event+0x54/0x120 [nfsd]
 blocking_notifier_call_chain
 rpc_fill_super
 get_tree_keyed
 rpc_fs_get_tree
 vfs_get_tree
 do_mount
 ksys_mount
 __arm64_sys_mount
 el0_svc_handler
 el0_svc

Fixes: bd5ae9288d ("nfsd: register pernet ops last, unregister first")
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2021-12-10 11:54:59 -05:00
Marc Zyngier
1edb7e74a7 clocksource/drivers/arm_arch_timer: Force inlining of erratum_set_next_event_generic()
With some specific kernel configuration and Clang, the kernel fails
to like with something like:

ld.lld: error: undefined symbol: __compiletime_assert_200
>>> referenced by arch_timer.h:156 (./arch/arm64/include/asm/arch_timer.h:156)
>>>               clocksource/arm_arch_timer.o:(erratum_set_next_event_generic) in archive drivers/built-in.a

ld.lld: error: undefined symbol: __compiletime_assert_197
>>> referenced by arch_timer.h:133 (./arch/arm64/include/asm/arch_timer.h:133)
>>>               clocksource/arm_arch_timer.o:(erratum_set_next_event_generic) in archive drivers/built-in.a
make: *** [Makefile:1161: vmlinux] Error 1

These are due to the BUILD_BUG() macros contained in the low-level
accessors (arch_timer_reg_{write,read}_cp15) being emitted, as the
access type wasn't known at compile time.

Fix this by making erratum_set_next_event_generic() __force_inline,
resulting in the 'access' parameter to be resolved at compile time,
similarly to what is already done for set_next_event().

Fixes: 4775bc63f8 ("Add build-time guards for unhandled register accesses")
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20211117113532.3895208-1-maz@kernel.org
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
2021-12-10 17:47:00 +01:00
Alexey Sheplyakov
a663bd1911 clocksource/drivers/dw_apb_timer_of: Fix probe failure
The driver refuses to probe with -EINVAL since the commit 5d9814df0a
("clocksource/drivers/dw_apb_timer_of: Add error handling if no clock
available").

Before the driver used to probe successfully if either "clock-freq" or
"clock-frequency" properties has been specified in the device tree.

That commit changed

if (A && B)
	panic("No clock nor clock-frequency property");

into

if (!A && !B)
	return 0;

That's a bug: the reverse of `A && B` is '!A || !B', not '!A && !B'

Signed-off-by: Vadim V. Vlasov <vadim.vlasov@elpitech.ru>
Signed-off-by: Alexey Sheplyakov <asheplyakov@basealt.ru>
Fixes: 5d9814df0a ("clocksource/drivers/dw_apb_timer_of: Add error handling if no clock available").
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Dinh Nguyen <dinguyen@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vadim V. Vlasov <vadim.vlasov@elpitech.ru>
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20211109153401.157491-1-asheplyakov@basealt.ru
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
2021-12-10 17:46:54 +01:00
Eric Dumazet
ab443c5391 sch_cake: do not call cake_destroy() from cake_init()
qdiscs are not supposed to call their own destroy() method
from init(), because core stack already does that.

syzbot was able to trigger use after free:

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Modules linked in:
CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]
RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8
RSP: 0018:ffffc9000627f290 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44
RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000
FS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810
 tcf_block_put_ext net/sched/cls_api.c:1381 [inline]
 tcf_block_put_ext net/sched/cls_api.c:1376 [inline]
 tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394
 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695
 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293
 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1bb06badb9
Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.
RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9
RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688
R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2
 </TASK>

Fixes: 046f6fd5da ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://lore.kernel.org/r/20211210142046.698336-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-10 08:11:36 -08:00
Niklas Schnelle
5dcf0c3084 s390: enable switchdev support in defconfig
The HiperSockets Converged Interface (HSCI) introduced with commit
4e20e73e63 ("s390/qeth: Switchdev event handler") requires
CONFIG_SWITCHDEV=y to be usable. Similarly when using Linux controlled
SR-IOV capable PF devices with the mlx5_core driver CONFIG_SWITCHDEV=y
as well as CONFIG_MLX5_ESWITCH=y are necessary to actually get link on
the created VFs. So let's add these to the defconfig to make both types
of devices usable. Note also that these options are already enabled in
most current distribution kernels.

Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2021-12-10 16:12:34 +01:00
Alexander Egorenkov
abf0e8e4ef s390/kexec: handle R_390_PLT32DBL rela in arch_kexec_apply_relocations_add()
Starting with gcc 11.3, the C compiler will generate PLT-relative function
calls even if they are local and do not require it. Later on during linking,
the linker will replace all PLT-relative calls to local functions with
PC-relative ones. Unfortunately, the purgatory code of kexec/kdump is
not being linked as a regular executable or shared library would have been,
and therefore, all PLT-relative addresses remain in the generated purgatory
object code unresolved. This leads to the situation where the purgatory
code is being executed during kdump with all PLT-relative addresses
unresolved. And this results in endless loops within the purgatory code.

Furthermore, the clang C compiler has always behaved like described above
and this commit should fix kdump for kernels built with the latter.

Because the purgatory code is no regular executable or shared library,
contains only calls to local functions and has no PLT, all R_390_PLT32DBL
relocation entries can be resolved just like a R_390_PC32DBL one.

* https://refspecs.linuxfoundation.org/ELF/zSeries/lzsabi0_zSeries/x1633.html#AEN1699

Relocation entries of purgatory code generated with gcc 11.3
------------------------------------------------------------

$ readelf -r linux/arch/s390/purgatory/purgatory.o

Relocation section '.rela.text' at offset 0x370 contains 5 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000000005c  000c00000013 R_390_PC32DBL     0000000000000000 purgatory_sha_regions + 2
00000000007a  000d00000014 R_390_PLT32DBL    0000000000000000 sha256_update + 2
00000000008c  000e00000014 R_390_PLT32DBL    0000000000000000 sha256_final + 2
000000000092  000800000013 R_390_PC32DBL     0000000000000000 .LC0 + 2
0000000000a0  000f00000014 R_390_PLT32DBL    0000000000000000 memcmp + 2

Relocation entries of purgatory code generated with gcc 11.2
------------------------------------------------------------

$ readelf -r linux/arch/s390/purgatory/purgatory.o

Relocation section '.rela.text' at offset 0x368 contains 5 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000000005c  000c00000013 R_390_PC32DBL     0000000000000000 purgatory_sha_regions + 2
00000000007a  000d00000013 R_390_PC32DBL     0000000000000000 sha256_update + 2
00000000008c  000e00000013 R_390_PC32DBL     0000000000000000 sha256_final + 2
000000000092  000800000013 R_390_PC32DBL     0000000000000000 .LC0 + 2
0000000000a0  000f00000013 R_390_PC32DBL     0000000000000000 memcmp + 2

Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Reported-by: Tao Liu <ltao@redhat.com>
Suggested-by: Philipp Rudo <prudo@redhat.com>
Reviewed-by: Philipp Rudo <prudo@redhat.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211209073817.82196-1-egorenar@linux.ibm.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2021-12-10 16:12:34 +01:00
Jerome Marchand
ac8fc6af1a s390/ftrace: remove preempt_disable()/preempt_enable() pair
It looks like commit ce5e48036c ("ftrace: disable preemption
when recursion locked") missed a spot in kprobe_ftrace_handler() in
arch/s390/kernel/ftrace.c.
Remove the superfluous preempt_disable/enable_notrace() there too.

Fixes: ce5e48036c ("ftrace: disable preemption when recursion locked")
Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Link: https://lore.kernel.org/r/20211208151503.1510381-1-jmarchan@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2021-12-10 16:12:34 +01:00
Philipp Rudo
41967a37b8 s390/kexec_file: fix error handling when applying relocations
arch_kexec_apply_relocations_add currently ignores all errors returned
by arch_kexec_do_relocs. This means that every unknown relocation is
silently skipped causing unpredictable behavior while the relocated code
runs. Fix this by checking for errors and fail kexec_file_load if an
unknown relocation type is encountered.

The problem was found after gcc changed its behavior and used
R_390_PLT32DBL relocations for brasl instruction and relied on ld to
resolve the relocations in the final link in case direct calls are
possible. As the purgatory code is only linked partially (option -r)
ld didn't resolve the relocations leaving them for arch_kexec_do_relocs.
But arch_kexec_do_relocs doesn't know how to handle R_390_PLT32DBL
relocations so they were silently skipped. This ultimately caused an
endless loop in the purgatory as the brasl instructions kept branching
to itself.

Fixes: 71406883fd ("s390/kexec_file: Add kexec_file_load system call")
Reported-by: Tao Liu <ltao@redhat.com>
Signed-off-by: Philipp Rudo <prudo@redhat.com>
Link: https://lore.kernel.org/r/20211208130741.5821-3-prudo@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2021-12-10 16:12:33 +01:00
Philipp Rudo
edce10ee21 s390/kexec_file: print some more error messages
Be kind and give some more information on what went wrong.

Signed-off-by: Philipp Rudo <prudo@redhat.com>
Link: https://lore.kernel.org/r/20211208130741.5821-2-prudo@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2021-12-10 16:12:33 +01:00
Sean Christopherson
10e7a099bf selftests: KVM: Add test to verify KVM doesn't explode on "bad" I/O
Add an x86 selftest to verify that KVM doesn't WARN or otherwise explode
if userspace modifies RCX during a userspace exit to handle string I/O.
This is a regression test for a user-triggerable WARN introduced by
commit 3b27de2718 ("KVM: x86: split the two parts of emulator_pio_in").

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211025201311.1881846-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 09:38:02 -05:00
Sean Christopherson
d07898eaf3 KVM: x86: Don't WARN if userspace mucks with RCX during string I/O exit
Replace a WARN with a comment to call out that userspace can modify RCX
during an exit to userspace to handle string I/O.  KVM doesn't actually
support changing the rep count during an exit, i.e. the scenario can be
ignored, but the WARN needs to go as it's trivial to trigger from
userspace.

Cc: stable@vger.kernel.org
Fixes: 3b27de2718 ("KVM: x86: split the two parts of emulator_pio_in")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20211025201311.1881846-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 09:38:02 -05:00
Lai Jiangshan
777ab82d7c KVM: X86: Raise #GP when clearing CR0_PG in 64 bit mode
In the SDM:
If the logical processor is in 64-bit mode or if CR4.PCIDE = 1, an
attempt to clear CR0.PG causes a general-protection exception (#GP).
Software should transition to compatibility mode and clear CR4.PCIDE
before attempting to disable paging.

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Message-Id: <20211207095230.53437-1-jiangshanlai@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 09:38:01 -05:00
Mathias Nyman
7faac1953e xhci: avoid race between disable slot command and host runtime suspend
Make xhci_disable_slot() synchronous, thus ensuring it, and
xhci_free_dev() calling it return after xHC controller completes
the disable slot command.

Otherwise the roothub and xHC host may runtime suspend, and clear the
command ring while the disable slot command is being processed.

This causes a command completion mismatch as the completion event can't
be mapped to the correct command.
Command ring gets out of sync and commands time out.
Driver finally assumes host is unresponsive and bails out.

usb 2-4: USB disconnect, device number 10
xhci_hcd 0000:00:0d.0: ERROR mismatched command completion event
...
xhci_hcd 0000:00:0d.0: xHCI host controller not responding, assume dead
xhci_hcd 0000:00:0d.0: HC died; cleaning up

Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211210141735.1384209-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-10 15:34:01 +01:00
Kai-Heng Feng
811ae81320 xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
When the xHCI is quirked with XHCI_RESET_ON_RESUME, runtime resume
routine also resets the controller.

This is bad for USB drivers without reset_resume callback, because
there's no subsequent call of usb_dev_complete() ->
usb_resume_complete() to force rebinding the driver to the device. For
instance, btusb device stops working after xHCI controller is runtime
resumed, if the controlled is quirked with XHCI_RESET_ON_RESUME.

So always take XHCI_RESET_ON_RESUME into account to solve the issue.

Cc: <stable@vger.kernel.org>
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211210141735.1384209-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-10 15:34:01 +01:00
Jens Axboe
091f06d91c nvme fixes for Linux 5.16
- set ana_log_size to 0 after freeing ana_log_buf (Hou Tao)
  - show subsys nqn for duplicate cntlids (Keith Busch)
  - disable namespace access for unsupported metadata (Keith Busch)
  - report write pointer for a full zone as zone start + zone len
    (Niklas Cassel)
  - fix use after free when disconnecting a reconnecting ctrl
    (Ruozhu Li)
  - fix a list corruption in nvmet-tcp (Sagi Grimberg)
 -----BEGIN PGP SIGNATURE-----
 
 iQI/BAABCgApFiEEgdbnc3r/njty3Iq9D55TZVIEUYMFAmGy8DMLHGhjaEBsc3Qu
 ZGUACgkQD55TZVIEUYP/AxAAwEmPSfDC6KvW0pOFglP14z73WakBZUs8OF7SosCr
 +TEoCGtT8eeNvWAUnh2Ja59sSc1cUKAVeJL/DLj1jEap4RjrGtX6uVma2Hv52Inb
 1YtSSQFW+dea5qq6aUIWJk8X9PSYFT3VW7sjOb11lrp5M38E3xckmzi1QWI9iX4P
 qgVw86wdaOrhFO/sX9H5wlQEm7+ps7HXOjLiZOPrFVoggVca8BPpEyG1YRZPAQvr
 NCnSgv6ciUY4zDfCQUYkT4vXEfEm7Y8Y9eDjOPlCaRuloHHYI6yhHgMgzvJgn2p7
 WkFyai2y8RkSAGtsAtt93bi7mPpM6Zx3t3xXV8yIht/+uyT1eZGCy7feFIjeFEnT
 GXtwRVCkHkhdsIuPR/GV5NAmtGb0sqaLdiMmOw3OCxfWBeqv4KizLROhZmTqNLP5
 V50PXj4aJzyGQrqTbsrcyqfvPDm16HHM9EQwjC/YsaUqjpRHxFHuKrQ3iYb3+BdE
 zx6gRlx5eMIvBAbdxCH5409XWiVcyBNuCw1zjCdeKT0PNQwWAP+HRzH0HVbaPdse
 EnfVKy4r6VtlmFBWqKSKagVQMrULoohaAOmzVrEsqfDBw4OU+LKB3sw2iGlh4kFj
 YW2N+Ey0CnYdkgbqiJ2Z7ahbzNSLcoykI8Gij4omrhT3yIgNCjwtNiokZ6gKOpO0
 coA=
 =Q+lW
 -----END PGP SIGNATURE-----

Merge tag 'nvme-5.16-2021-12-10' of git://git.infradead.org/nvme into block-5.16

Pull NVMe fixes from Christoph:

"nvme fixes for Linux 5.16

 - set ana_log_size to 0 after freeing ana_log_buf (Hou Tao)
 - show subsys nqn for duplicate cntlids (Keith Busch)
 - disable namespace access for unsupported metadata (Keith Busch)
 - report write pointer for a full zone as zone start + zone len
   (Niklas Cassel)
 - fix use after free when disconnecting a reconnecting ctrl
   (Ruozhu Li)
 - fix a list corruption in nvmet-tcp (Sagi Grimberg)"

* tag 'nvme-5.16-2021-12-10' of git://git.infradead.org/nvme:
  nvmet-tcp: fix possible list corruption for unexpected command failure
  nvme: fix use after free when disconnecting a reconnecting ctrl
  nvme-multipath: set ana_log_size to 0 after free ana_log_buf
  nvme: report write pointer for a full zone as zone start + zone len
  nvme: disable namespace access for unsupported metadata
  nvme: show subsys nqn for duplicate cntlids
2021-12-10 06:44:15 -07:00
Ye Guojin
c3fbab7767 irqchip/irq-bcm7120-l2: Add put_device() after of_find_device_by_node()
This was found by coccicheck:
./drivers/irqchip/irq-bcm7120-l2.c,328,1-7,ERROR  missing put_device;
call of_find_device_by_node on line 234, but without a corresponding
object release within this function.
./drivers/irqchip/irq-bcm7120-l2.c,341,1-7,ERROR  missing put_device;
call of_find_device_by_node on line 234, but without a corresponding
object release within this function.

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211109055958.130287-1-ye.guojin@zte.com.cn
2021-12-10 13:23:13 +00:00
Paolo Bonzini
c8cc43c1ea selftests: KVM: avoid failures due to reserved HyperTransport region
AMD proceessors define an address range that is reserved by HyperTransport
and causes a failure if used for guest physical addresses.  Avoid
selftests failures by reserving those guest physical addresses; the
rules are:

- On parts with <40 bits, its fully hidden from software.

- Before Fam17h, it was always 12G just below 1T, even if there was more
RAM above this location.  In this case we just not use any RAM above 1T.

- On Fam17h and later, it is variable based on SME, and is either just
below 2^48 (no encryption) or 2^43 (encryption).

Fixes: ef4c9f4f65 ("KVM: selftests: Fix 32-bit truncation of vm_get_max_gfn()")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20210805105423.412878-1-pbonzini@redhat.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Tested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 07:42:20 -05:00
Sean Christopherson
3244867af8 KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req
Do not bail early if there are no bits set in the sparse banks for a
non-sparse, a.k.a. "all CPUs", IPI request.  Per the Hyper-V spec, it is
legal to have a variable length of '0', e.g. VP_SET's BankContents in
this case, if the request can be serviced without the extra info.

  It is possible that for a given invocation of a hypercall that does
  accept variable sized input headers that all the header input fits
  entirely within the fixed size header. In such cases the variable sized
  input header is zero-sized and the corresponding bits in the hypercall
  input should be set to zero.

Bailing early results in KVM failing to send IPIs to all CPUs as expected
by the guest.

Fixes: 214ff83d44 ("KVM: x86: hyperv: implement PV IPI send hypercalls")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20211207220926.718794-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 07:12:42 -05:00
Vitaly Kuznetsov
1ebfaa11eb KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall
Prior to commit 0baedd7927 ("KVM: x86: make Hyper-V PV TLB flush use
tlb_flush_guest()"), kvm_hv_flush_tlb() was using 'KVM_REQ_TLB_FLUSH |
KVM_REQUEST_NO_WAKEUP' when making a request to flush TLBs on other vCPUs
and KVM_REQ_TLB_FLUSH is/was defined as:

 (0 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP)

so KVM_REQUEST_WAIT was lost. Hyper-V TLFS, however, requires that
"This call guarantees that by the time control returns back to the
caller, the observable effects of all flushes on the specified virtual
processors have occurred." and without KVM_REQUEST_WAIT there's a small
chance that the vCPU making the TLB flush will resume running before
all IPIs get delivered to other vCPUs and a stale mapping can get read
there.

Fix the issue by adding KVM_REQUEST_WAIT flag to KVM_REQ_TLB_FLUSH_GUEST:
kvm_hv_flush_tlb() is the sole caller which uses it for
kvm_make_all_cpus_request()/kvm_make_vcpus_request_mask() where
KVM_REQUEST_WAIT makes a difference.

Cc: stable@kernel.org
Fixes: 0baedd7927 ("KVM: x86: make Hyper-V PV TLB flush use tlb_flush_guest()")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20211209102937.584397-1-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-12-10 07:12:41 -05:00
Dave Airlie
675a095789 Merge tag 'amd-drm-fixes-5.16-2021-12-08' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-5.16-2021-12-08:

amdgpu:
- DPIA fix
- eDP fix

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211209042824.6720-1-alexander.deucher@amd.com
2021-12-10 14:10:55 +10:00
Dave Airlie
233bee7e36 A fix to a error pointer dereference in gem_execbuffer and
a fix for GT initialization when GuC/HuC are used on ICL.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEbSBwaO7dZQkcLOKj+mJfZA7rE8oFAmGyVUEACgkQ+mJfZA7r
 E8oOHgf/SY3qplngsYcXMtcW4LQKu2/FyhJmpNEZSx8jS8AHHMaRXKR3YEoD1Xf7
 FyNgzIxtWIEMEgirzcwgzaF8opKa/q4CCXcC8aaeftFS/QQPMCEuCtr2+ljcvsQg
 6MmE9UDZJ+GYpBFbhizP4/0b9WoQQM7vkQu0OoAL75CJX7kk5/I9ACQ5XEvlryrS
 1TqLkpZULgw1ySCA0S3rpX+UUyg+JSG5Srl9ynPcv3roERxF+Uezd9ZwjxwdSZfZ
 aU5YaGnLOqjjS56CQe658TxLPOpOr0owvls9J68kgplsihKpz6X0GEwZMT/eywYl
 IY6BVjD79lt9HhcKyO2Zus3w6Recbw==
 =83mg
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2021-12-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

A fix to a error pointer dereference in gem_execbuffer and
a fix for GT initialization when GuC/HuC are used on ICL.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/YbJVWYAd/jeERCYY@intel.com
2021-12-10 14:10:34 +10:00
Dave Airlie
2eb557d293 A fix in syncobj to handle fence already signalled better, and a fix for
a ttm_bo_swapout eviction check.
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRcEzekXsqa64kGDp7j7w1vZxhRxQUCYbH5sAAKCRDj7w1vZxhR
 xSUIAP9JRmE9I/mKjmSQ6HVmVz3Kn/Nso+aiu3Llske0WEm24wEAg9Taq9eJL60s
 YSu/IKHKqQyhv6SyG5jVU8QRZ4wLBwo=
 =RSSQ
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2021-12-09' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

A fix in syncobj to handle fence already signalled better, and a fix for
a ttm_bo_swapout eviction check.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20211209124305.gxhid5zwf7m4oasn@houat
2021-12-10 13:56:08 +10:00
Jie2x Zhou
92816e2629 selftests: net: Correct ping6 expected rc from 2 to 1
./fcnal-test.sh -v -t ipv6_ping
TEST: ping out, VRF bind - ns-B IPv6 LLA                                      [FAIL]
TEST: ping out, VRF bind - multicast IP                                       [FAIL]

ping6 is failing as it should.
COMMAND: ip netns exec ns-A /bin/ping6 -c1 -w1 fe80::7c4c:bcff:fe66:a63a%red
strace of ping6 shows it is failing with '1',
so change the expected rc from 2 to 1.

Fixes: c0644e71df ("selftests: Add ipv6 ping tests to fcnal-test")
Reported-by: kernel test robot <lkp@intel.com>
Suggested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jie2x Zhou <jie2x.zhou@intel.com>
Link: https://lore.kernel.org/r/20211209020230.37270-1-jie2x.zhou@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-12-09 19:08:05 -08:00
Linus Torvalds
c741e49150 RDMA v5.16 second rc pull request
Quite a few small bug fixes old and new, also Doug Ledford is retiring
 now, we thank him for his work. Details:
 
 - Use after free in rxe
 
 - mlx5 DM regression
 
 - hns bugs triggred by device reset
 
 - Two fixes for CONFIG_DEBUG_PREEMPT
 
 - Several longstanding corner case bugs in hfi1
 
 - Two irdma data path bugs in rare cases and some memory issues
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAmGybk8ACgkQOG33FX4g
 mxpWGg/9EQCflfYA3ZThFbnOYZpuohldBUWYK/b8G+QAuMbObjaT/PnwWdNts+UJ
 7xsn5LHkt2yuJcY5r8m5o4DqEUPAu7LCHLT8tq2FR//uMTRLkgxtBaehzrfTS58M
 P+4Sy096ByecqzvV8SczZ+dNhN4vKvPv+L9em4453gfWu3GS6+Ny8uBaMcjX5KOT
 VB1s6fLSV3gG+ItmSx60NH/YnS4kFcEKY+nMVJ6N5LsP6Z2LWK9GkmL4MvZaljc5
 dLGJWpDqk6J4gGYFppKEY7g7NTlzc8zaa52KdkdxcztWw/j4OTS3We9OJZtvC7JB
 k4EpuFu6L7ypf2TMXmre5xPNUumz/ZXQq1HjmA96LaTrwhHZ85qpyUm+Oz9/0cKt
 0TmF2PnPIXilOH1RCwFzOpx/ArEN2wyPP89um+EahS5Fi2jd0V57l2Br5D7h2HLs
 Vy82jgKpNQ56Oa/GAm6oporDrL3OzfCWD9+1Nx5ZPzhKxBONeAKLAMTRvVNEYcHK
 kiz+l5ZcHs0KQL5RSxkQHX/zbSLwkgUCeLgEOHaAJq2KUZojGPMwkFvac4LsFhNv
 SPI9lAw27CtHrM7zpeDFwNvLgHYHBemjS2p97RbXC2XuqL37j7ynzOvlaLTFfS3p
 R6MjEIryBMBwRIaLDaVevjYug6rg/n+SrBN6hf56Ke+oNDTeFSE=
 =XgH0
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
 "Quite a few small bug fixes old and new, also Doug Ledford is retiring
  now, we thank him for his work. Details:

   - Use after free in rxe

   - mlx5 DM regression

   - hns bugs triggred by device reset

   - Two fixes for CONFIG_DEBUG_PREEMPT

   - Several longstanding corner case bugs in hfi1

   - Two irdma data path bugs in rare cases and some memory issues"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/irdma: Don't arm the CQ more than two times if no CE for this CQ
  RDMA/irdma: Report correct WC errors
  RDMA/irdma: Fix a potential memory allocation issue in 'irdma_prm_add_pble_mem()'
  RDMA/irdma: Fix a user-after-free in add_pble_prm
  IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr
  IB/hfi1: Fix early init panic
  IB/hfi1: Insure use of smp_processor_id() is preempt disabled
  IB/hfi1: Correct guard on eager buffer deallocation
  RDMA/rtrs: Call {get,put}_cpu_ptr to silence a debug kernel warning
  RDMA/hns: Do not destroy QP resources in the hw resetting phase
  RDMA/hns: Do not halt commands during reset until later
  Remove Doug Ledford from MAINTAINERS
  RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow
  RDMA: Fix use-after-free in rxe_queue_cleanup
2021-12-09 13:20:59 -08:00
Andy Shevchenko
a4f1192cb5 percpu_ref: Replace kernel.h with the necessary inclusions
When kernel.h is used in the headers it adds a lot into dependency hell,
especially when there are circular dependencies are involved.

Replace kernel.h inclusion with the list of what is really being used.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
2021-12-09 15:41:09 -05:00
Linus Torvalds
ded746bfc9 Networking fixes for 5.16-rc5, including fixes from bpf, can and netfilter.
Current release - regressions:
 
  - bpf, sockmap: re-evaluate proto ops when psock is removed from sockmap
 
 Current release - new code bugs:
 
  - bpf: fix bpf_check_mod_kfunc_call for built-in modules
 
  - ice: fixes for TC classifier offloads
 
  - vrf: don't run conntrack on vrf with !dflt qdisc
 
 Previous releases - regressions:
 
  - bpf: fix the off-by-two error in range markings
 
  - seg6: fix the iif in the IPv6 socket control block
 
  - devlink: fix netns refcount leak in devlink_nl_cmd_reload()
 
  - dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
 
  - dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
 
 Previous releases - always broken:
 
  - ethtool: do not perform operations on net devices being unregistered
 
  - udp: use datalen to cap max gso segments
 
  - ice: fix races in stats collection
 
  - fec: only clear interrupt of handling queue in fec_enet_rx_queue()
 
  - m_can: pci: fix incorrect reference clock rate
 
  - m_can: disable and ignore ELO interrupt
 
  - mvpp2: fix XDP rx queues registering
 
 Misc:
 
  - treewide: add missing includes masked by cgroup -> bpf.h dependency
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmGyN1AACgkQMUZtbf5S
 IrtgMA/8D0qk3c75ts0hCzGXwdNdEBs+e7u1bJVPqdyU8x/ZLAp2c0EKB/7IWuxA
 CtsnbanPcmibqvQJDI1hZEBdafi43BmF5VuFSIxYC4EM/1vLoRprurXlIwL2YWki
 aWi//tyOIGBl6/ClzJ9Vm51HTJQwDmdv8GRnKAbsC1eOTM3pmmcg+6TLbDhycFEQ
 F9kkDCvyB9kWIH645QyJRH+Y5qQOvneCyQCPkkyjTgEADzV5i7YgtRol6J3QIbw3
 umPHSckCBTjMacYcCLsbhQaF2gTMgPV1basNLPMjCquJVrItE0ZaeX3MiD6nBFae
 yY5+Wt5KAZDzjERhneX8AINHoRPA/tNIahC1+ytTmsTA8Hj230FHE5hH1ajWiJ9+
 GSTBCBqjtZXce3r2Efxfzy0Kb9JwL3vDi7LS2eKQLv0zBLfYp2ry9Sp9qe4NhPkb
 OYrxws9kl5GOPvrFB5BWI9XBINciC9yC3PjIsz1noi0vD8/Hi9dPwXeAYh36fXU3
 rwRg9uAt6tvFCpwbuQ9T2rsMST0miur2cDYd8qkJtuJ7zFvc+suMXwBZyI29nF2D
 uyymIC2XStHJfAjUkFsGVUSXF5FhML9OQsqmisdQ8KdH26jMnDeMjIWJM7UWK+zY
 E/fqWT8UyS3mXWqaggid4ZbotipCwA0gxiDHuqqUGTM+dbKrzmk=
 =F6rS
 -----END PGP SIGNATURE-----

Merge tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Including fixes from bpf, can and netfilter.

  Current release - regressions:

   - bpf, sockmap: re-evaluate proto ops when psock is removed from
     sockmap

  Current release - new code bugs:

   - bpf: fix bpf_check_mod_kfunc_call for built-in modules

   - ice: fixes for TC classifier offloads

   - vrf: don't run conntrack on vrf with !dflt qdisc

  Previous releases - regressions:

   - bpf: fix the off-by-two error in range markings

   - seg6: fix the iif in the IPv6 socket control block

   - devlink: fix netns refcount leak in devlink_nl_cmd_reload()

   - dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"

   - dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports

  Previous releases - always broken:

   - ethtool: do not perform operations on net devices being
     unregistered

   - udp: use datalen to cap max gso segments

   - ice: fix races in stats collection

   - fec: only clear interrupt of handling queue in fec_enet_rx_queue()

   - m_can: pci: fix incorrect reference clock rate

   - m_can: disable and ignore ELO interrupt

   - mvpp2: fix XDP rx queues registering

  Misc:

   - treewide: add missing includes masked by cgroup -> bpf.h
     dependency"

* tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (82 commits)
  net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
  net: wwan: iosm: fixes unable to send AT command during mbim tx
  net: wwan: iosm: fixes net interface nonfunctional after fw flash
  net: wwan: iosm: fixes unnecessary doorbell send
  net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering
  MAINTAINERS: s390/net: remove myself as maintainer
  net/sched: fq_pie: prevent dismantle issue
  net: mana: Fix memory leak in mana_hwc_create_wq
  seg6: fix the iif in the IPv6 socket control block
  nfp: Fix memory leak in nfp_cpp_area_cache_add()
  nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
  nfc: fix segfault in nfc_genl_dump_devices_done
  udp: using datalen to cap max gso segments
  net: dsa: mv88e6xxx: error handling for serdes_power functions
  can: kvaser_usb: get CAN clock frequency from device
  can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
  net: mvpp2: fix XDP rx queues registering
  vmxnet3: fix minimum vectors alloc issue
  net, neigh: clear whole pneigh_entry at alloc time
  net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
  ...
2021-12-09 11:26:44 -08:00
Linus Torvalds
27698cd2a3 MTD fixes:
* dataflash: Add device-tree SPI IDs to avoid new warnings
 
 Raw NAND fixes:
 * Fix nand_choose_best_timings() on unsupported interface
 * Fix nand_erase_op delay (wrong unit)
 * fsmc:
   - Fix timing computation
   - Take instruction delay into account
 * denali:
   - Add the dependency on HAS_IOMEM to silence robots
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAmGyNmoACgkQJWrqGEe9
 VoQhjggAmrj400p0f2dC6ipk5k+jKi/lSFpd/mBU+/we1P3/grJvhuYKyERND4PW
 66QaadhTcwq31Ud99EnUhNC87tSlnW1yK2KyeE7UDuaDBiruFvRdyFy9DjbF/zX3
 RCQjOuyuTRMqWM9hK//hT34PvA7PnkEVeFvmHxjHD0sBxbnu5WM3J6K8xYzhWLHW
 VojCeG7lC0elLBNYzPbreIynpqoiKvf5ltFqHJ8iG12zMa65E4HMnpRob0tS/zGO
 SzoTvQ9xkcVuR65LLvcELCKIrwz7lpzz4/2v05z2IhlNkukoXgTuC8ohPrdizw97
 WBIdg6ijLjQGOgfezP+lzpi74YZeGg==
 =s/WS
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull mtd fixes from Miquel Raynal:
 "MTD fixes:

   - dataflash: Add device-tree SPI IDs to avoid new warnings

  Raw NAND fixes:

   - Fix nand_choose_best_timings() on unsupported interface

   - Fix nand_erase_op delay (wrong unit)

   - fsmc:
      - Fix timing computation
      - Take instruction delay into account

   - denali:
      - Add the dependency on HAS_IOMEM to silence robots"

* tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: dataflash: Add device-tree SPI IDs
  mtd: rawnand: fsmc: Fix timing computation
  mtd: rawnand: fsmc: Take instruction delay into account
  mtd: rawnand: Fix nand_choose_best_timings() on unsupported interface
  mtd: rawnand: Fix nand_erase_op delay
  mtd: rawnand: denali: Add the dependency on HAS_IOMEM
2021-12-09 11:18:06 -08:00