May 2024 - Linux-stable-mirror

"ata: libata: move ata_{port,link,dev}_dbg to standard pr_XXX() macros" - 742bef476ca5352b16063161fb73a56629a6d995 changed logging behavior and disabled a number of messages

by Krzysztof Olędzki

Hi, I noticed that since https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… (which also got backported to -stable kernels) several of messages from dmesg regarding the ATA subsystem are no longer logged. For example, on my Dell PowerEdge 840 which has only one PATA port I used to get: scsi host1: ata_piix ata1: PATA max UDMA/100 cmd 0x1f0 ctl 0x3f6 bmdma 0xfc00 irq 14 ata2: PATA max UDMA/100 cmd 0x170 ctl 0x376 bmdma 0xfc08 irq 15 ata_piix 0000:00:1f.2: MAP [ P0 P2 P1 P3 ] ata2: port disabled--ignoring ata1.01: NODEV after polling detection ata1.00: ATAPI: SAMSUNG CD-R/RW SW-248F, R602, max UDMA/33 After that commit, the following two log entries are missing: ata2: port disabled--ignoring ata1.01: NODEV after polling detection Note that these are just examples, there are many more messages impacted by that. Looking at the code, these messages are logged via ata_link_dbg / ata_dev_dbg: ata_link_dbg(link, "port disabled--ignoring\n"); [in drivers/ata/libata-eh.c] ata_dev_dbg(dev, "NODEV after polling detection\n"); [in drivers/ata/libata-core.c] The commit change how the logging is called - ata_dev_printk function which was calling printk() directly got replaced with the following macro: +#define ata_dev_printk(level, dev, fmt, ...) \ + pr_ ## level("ata%u.%02u: " fmt, \ + (dev)->link->ap->print_id, \ + (dev)->link->pmp + (dev)->devno, \ + ##__VA_ARGS__) (...) #define ata_link_dbg(link, fmt, ...) \ - ata_link_printk(link, KERN_DEBUG, fmt, ##__VA_ARGS__) + ata_link_printk(debug, link, fmt, ##__VA_ARGS__) (...) #define ata_dev_dbg(dev, fmt, ...) \ - ata_dev_printk(dev, KERN_DEBUG, fmt, ##__VA_ARGS__) + ata_dev_printk(debug, dev, fmt, ##__VA_ARGS__ So, instead of printk(..., level == KERN_DEBUG, ) we now call pr_debug(...). This is a problem as printk(msg, KERN_DEBUG) != pr_debug(msg). pr_debug is defined as: /* If you are writing a driver, please use dev_dbg instead */ #if defined(CONFIG_DYNAMIC_DEBUG) || \ (defined(CONFIG_DYNAMIC_DEBUG_CORE) && defined(DYNAMIC_DEBUG_MODULE)) #include <linux/dynamic_debug.h> /** * pr_debug - Print a debug-level message conditionally * @fmt: format string * @...: arguments for the format string * * This macro expands to dynamic_pr_debug() if CONFIG_DYNAMIC_DEBUG is * set. Otherwise, if DEBUG is defined, it's equivalent to a printk with * KERN_DEBUG loglevel. If DEBUG is not defined it does nothing. * * It uses pr_fmt() to generate the format string (dynamic_pr_debug() uses * pr_fmt() internally). */ #define pr_debug(fmt, ...) \ dynamic_pr_debug(fmt, ##__VA_ARGS__) #elif defined(DEBUG) #define pr_debug(fmt, ...) \ printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__) #else #define pr_debug(fmt, ...) \ no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__) #endif Without CONFIG_DYNAMIC_DEBUG and if no CONFIG_DEBUG is enabled, the end result is calling no_printk which means nothing gets logged. Looking at the code, there are more impacted calls, like for example ata_dev_dbg(dev, "disabling queued TRIM support\n") for ATA_HORKAGE_NO_NCQ_TRIM, which also seems like an important information to log, and there are more. Was this change done intentionally? Note that most of the "debug" printks in libata code seem to be guarded by ata_msg_info / ata_msg_probe / ATA_DEBUG which was sufficient to prevent excess debug information logging. One of the cases like this was covered in the patch: -#ifdef ATA_DEBUG if (status != 0xff && (status & (ATA_BUSY | ATA_DRQ))) - ata_port_printk(ap, KERN_DEBUG, "abnormal Status 0x%X\n", - status); -#endif + ata_port_dbg(ap, "abnormal Status 0x%X\n", status); Assuming this is the intended direction, would it make sense for now to at promote "unconditionally" logged messages from ata_link_dbg/ata_dev_dbg to ata_link_info/ata_dev_info? Longer term, perhaps we want to revisit ata_msg_info/ata_msg_probe/ATA_DEBUG/ATA_VERBOSE_DEBUG vs ata_dev_printk/ata_link_printk/pr_debug (and maybe also pr_devel), especially that DYNAMIC_DEBUG is available these days... Best regards, Krzysztof Olędzki

1 year, 5 months

4
7
0 0

FAILED: patch "[PATCH] nilfs2: fix use-after-free of timer for log writer thread" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052609-speckled-elusive-2d6c@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH] nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183(a)psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 6be7dd423fbd..7cb34e1c9206 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2118,8 +2118,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2320,10 +2322,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2349,7 +2362,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2539,6 +2552,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2606,6 +2620,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + timer_shutdown_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2669,7 +2684,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2748,7 +2762,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - timer_shutdown_sync(&sci->sc_timer); kfree(sci); }

1 year, 5 months

1
0
0 0

FAILED: patch "[PATCH] nilfs2: fix use-after-free of timer for log writer thread" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052606-skater-friction-3021@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH] nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183(a)psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 6be7dd423fbd..7cb34e1c9206 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2118,8 +2118,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2320,10 +2322,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2349,7 +2362,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2539,6 +2552,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2606,6 +2620,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + timer_shutdown_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2669,7 +2684,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2748,7 +2762,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - timer_shutdown_sync(&sci->sc_timer); kfree(sci); }

1 year, 5 months

1
0
0 0

FAILED: patch "[PATCH] nilfs2: fix use-after-free of timer for log writer thread" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052605-pretext-jugular-5085@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH] nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183(a)psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 6be7dd423fbd..7cb34e1c9206 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2118,8 +2118,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2320,10 +2322,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2349,7 +2362,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2539,6 +2552,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2606,6 +2620,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + timer_shutdown_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2669,7 +2684,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2748,7 +2762,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - timer_shutdown_sync(&sci->sc_timer); kfree(sci); }

1 year, 5 months

1
0
0 0

FAILED: patch "[PATCH] nilfs2: fix use-after-free of timer for log writer thread" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052603-probing-percolate-6265@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH] nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183(a)psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 6be7dd423fbd..7cb34e1c9206 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2118,8 +2118,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2320,10 +2322,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2349,7 +2362,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2539,6 +2552,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2606,6 +2620,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + timer_shutdown_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2669,7 +2684,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2748,7 +2762,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - timer_shutdown_sync(&sci->sc_timer); kfree(sci); }

1 year, 5 months

1
0
0 0

[PATCH] drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms

by Mario Limonciello

commit cd94d1b182d2 ("dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users") attempted to fix shutdown issues that were reported since commit 31729e8c21ec ("drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11") but caused issues for some people. Adjust the workaround flow to properly only apply in the S4 case: -> For shutdown go through SMU_MSG_PrepareMp1ForUnload -> For S4 go through SMU_MSG_GfxDeviceDriverReset and SMU_MSG_PrepareMp1ForUnload Reported-and-tested-by: lectrode <electrodexsnet(a)gmail.com> Closes: https://github.com/void-linux/void-packages/issues/50417 Cc: stable(a)vger.kernel.org Fixes: cd94d1b182d2 ("dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users") Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- Cc: regressions(a)lists.linux.dev --- .../drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c index 4abfcd32747d..c7ab0d7027d9 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c @@ -226,15 +226,17 @@ static int smu_v13_0_4_system_features_control(struct smu_context *smu, bool en) struct amdgpu_device *adev = smu->adev; int ret = 0; - if (!en && adev->in_s4) { - /* Adds a GFX reset as workaround just before sending the - * MP1_UNLOAD message to prevent GC/RLC/PMFW from entering - * an invalid state. - */ - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_GfxDeviceDriverReset, - SMU_RESET_MODE_2, NULL); - if (ret) - return ret; + if (!en && !adev->in_s0ix) { + if (adev->in_s4) { + /* Adds a GFX reset as workaround just before sending the + * MP1_UNLOAD message to prevent GC/RLC/PMFW from entering + * an invalid state. + */ + ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_GfxDeviceDriverReset, + SMU_RESET_MODE_2, NULL); + if (ret) + return ret; + } ret = smu_cmn_send_smc_msg(smu, SMU_MSG_PrepareMp1ForUnload, NULL); } -- 2.43.0

1 year, 5 months

2
1
0 0

RE: [BUG] NPE with Linux 6.8.10 and Linux 6.8.11 SCSI optical drive.

by Chris Rankin

FWW this is the output from faddr2line for Linux 6.8.11: $ scripts/faddr2line --list vmlinux blk_try_enter_queue+0xc/0x75 blk_try_enter_queue+0xc/0x75: __ref_is_percpu at include/linux/percpu-refcount.h:174 (discriminator 2) 169 * READ_ONCE() is required when fetching it. 170 * 171 * The dependency ordering from the READ_ONCE() pairs 172 * with smp_store_release() in __percpu_ref_switch_to_percpu(). 173 */ >174< percpu_ptr = READ_ONCE(ref->percpu_count_ptr); 175 176 /* 177 * Theoretically, the following could test just ATOMIC; however, 178 * then we'd have to mask off DEAD separately as DEAD may be 179 * visible without ATOMIC if we race with percpu_ref_kill(). DEAD (inlined by) percpu_ref_tryget_live_rcu at include/linux/percpu-refcount.h:282 (discriminator 2) 277 unsigned long __percpu *percpu_count; 278 bool ret = false; 279 280 WARN_ON_ONCE(!rcu_read_lock_held()); 281 >282< if (likely(__ref_is_percpu(ref, &percpu_count))) { 283 this_cpu_inc(*percpu_count); 284 ret = true; 285 } else if (!(ref->percpu_count_ptr & __PERCPU_REF_DEAD)) { 286 ret = atomic_long_inc_not_zero(&ref->data->count); 287 } (inlined by) blk_try_enter_queue at block/blk.h:43 (discriminator 2) 38 void submit_bio_noacct_nocheck(struct bio *bio); 39 40 static inline bool blk_try_enter_queue(struct request_queue *q, bool pm) 41 { 42 rcu_read_lock(); >43< if (!percpu_ref_tryget_live_rcu(&q->q_usage_counter)) 44 goto fail; 45 46 /* 47 * The code that increments the pm_only counter must ensure that the 48 * counter is globally visible before the queue is unfrozen.

1 year, 5 months

1
0
0 0

[BUG] NPE with Linux 6.8.10 and Linux 6.8.11 SCSI optical drive.

by Chris Rankin

Hi, I have recently purchased a new UHD optical disc which is proving so difficult to read that both the 6.8.10 and 6.8.11 kernels throw NPE errors: With vanilla 6.8.11: [ 173.866492] BUG: kernel NULL pointer dereference, address: 0000000000000048 [ 173.872158] #PF: supervisor read access in kernel mode [ 173.875995] #PF: error_code(0x0000) - not-present page [ 173.879836] PGD 0 P4D 0 [ 173.881075] Oops: 0000 [#1] PREEMPT SMP PTI [ 173.883960] CPU: 0 PID: 4183 Comm: umount Tainted: G I E 6.8.10 #2 [ 173.890052] Hardware name: Gigabyte Technology Co., Ltd. EX58-UD3R/EX58-UD3R, BIOS FB 05/04/2009 [ 173.897619] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 173.901120] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 173.918568] RSP: 0018:ffffc90002e87b60 EFLAGS: 00010202 [ 173.922493] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 173.928324] RDX: ffff88810c434740 RSI: 0000000000000000 RDI: 0000000000000000 [ 173.934156] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 173.939991] R10: 0000000000000020 R11: 0000000000000223 R12: 0000000000000000 [ 173.945824] R13: 0000000000000000 R14: ffffc90002e87d20 R15: 0000000000001b58 [ 173.951656] FS: 00007fc145466800(0000) GS:ffff888343c00000(0000) knlGS:0000000000000000 [ 173.958442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 173.962887] CR2: 0000000000000048 CR3: 00000001413be000 CR4: 00000000000006f0 [ 173.968720] Call Trace: [ 173.969867] <TASK> [ 173.970671] ? __die_body+0x1a/0x5c [ 173.972862] ? page_fault_oops+0x321/0x36e [ 173.975664] ? exc_page_fault+0x105/0x117 [ 173.978374] ? asm_exc_page_fault+0x22/0x30 [ 173.981263] ? blk_try_enter_queue+0xc/0x75 [ 173.984147] blk_queue_enter+0x37/0x10b [ 173.986688] blk_mq_alloc_request+0x154/0x1b7 [ 173.989750] scsi_alloc_request+0xa/0x57 [scsi_mod] [ 173.993351] scsi_execute_cmd+0x5d/0x174 [scsi_mod] [ 173.996948] sr_do_ioctl+0x8d/0x1ac [sr_mod] [ 173.999930] sr_packet+0x39/0x42 [sr_mod] [ 174.002653] cdrom_get_disc_info+0x60/0xc9 [cdrom] [ 174.006156] cdrom_mrw_exit+0x25/0xe6 [cdrom] [ 174.009220] ? xa_destroy+0x7e/0xb8 [ 174.011413] ? preempt_latency_start+0x2b/0x46 [ 174.014560] sr_free_disk+0x40/0x56 [sr_mod] [ 174.017542] disk_release+0xb6/0xc4 [ 174.019735] device_release+0x5a/0x80 [ 174.022098] kobject_put+0x84/0xa4 [ 174.024204] bdev_release+0x153/0x165 [ 174.026573] deactivate_locked_super+0x2f/0x68 [ 174.029726] cleanup_mnt+0xab/0xd3 [ 174.031832] task_work_run+0x6b/0x80 [ 174.034110] resume_user_mode_work+0x22/0x55 [ 174.037082] syscall_exit_to_user_mode+0x5d/0x7b [ 174.040404] do_syscall_64+0x86/0xdc [ 174.042681] entry_SYSCALL_64_after_hwframe+0x60/0x68 [ 174.046434] RIP: 0033:0x7fc14568715b [ 174.048739] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 89 9c 0c 00 f7 d8 [ 174.066185] RSP: 002b:00007ffddee09a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 174.072450] RAX: 0000000000000000 RBX: 000055607dd37e60 RCX: 00007fc14568715b [ 174.078283] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055607dd38270 [ 174.084117] RBP: 00007ffddee09b60 R08: 000055607dd3a350 R09: 00007fc145751b20 [ 174.089947] R10: 0000000000000008 R11: 0000000000000246 R12: 000055607dd37f68 [ 174.095773] R13: 0000000000000000 R14: 000055607dd38270 R15: 000055607dd393d0 [ 174.101608] </TASK> [ 174.102500] Modules linked in: udf snd_seq_dummy rpcrdma rdma_cm iw_cm ib_cm ib_core nf_nat_ftp nf_conntrack_ftp cfg80211 af_packet nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables it87 hwmon_vid bnep binfmt_misc snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic snd_hda_intel uvcvideo intel_powerclamp coretemp snd_intel_dspcfg btusb kvm_intel uvc videobuf2_vmalloc videobuf2_memops btintel snd_hda_codec snd_usb_audio btbcm videobuf2_v4l2 kvm bluetooth snd_virtuoso snd_hda_core videodev snd_usbmidi_lib snd_oxygen_lib snd_mpu401_uart snd_hwdep usb_storage snd_seq videobuf2_common snd_rawmidi [ 174.102617] input_leds ecdh_generic mc joydev snd_seq_device led_class rfkill snd_pcm ecc iTCO_wdt r8169 gpio_ich irqbypass pktcdvd snd_hrtimer realtek intel_cstate snd_timer intel_uncore mdio_devres psmouse libphy snd i2c_i801 mxm_wmi acpi_cpufreq i2c_smbus tiny_power_button pcspkr lpc_ich soundcore i7core_edac button nfsd(E) auth_rpcgss nfs_acl lockd grace sunrpc fuse dm_mod loop configfs dax nfnetlink zram zsmalloc amdgpu ext4 crc32c_generic crc16 mbcache jbd2 video amdxcp i2c_algo_bit mfd_core drm_ttm_helper ttm drm_exec gpu_sched sr_mod drm_suballoc_helper drm_buddy drm_display_helper cdrom sd_mod hid_microsoft usbhid drm_kms_helper ahci libahci pata_jmicron drm uhci_hcd xhci_pci libata ehci_pci ehci_hcd xhci_hcd scsi_mod usbcore firewire_ohci crc32c_intel sha512_ssse3 firewire_core sha256_ssse3 drm_panel_orientation_quirks cec sha1_ssse3 serio_raw bsg rc_core crc_itu_t usb_common scsi_common wmi msr [ 174.269914] CR2: 0000000000000048 [ 174.271981] ---[ end trace 0000000000000000 ]--- [ 174.275308] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 174.278892] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 174.296345] RSP: 0018:ffffc90002e87b60 EFLAGS: 00010202 [ 174.300320] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 174.306156] RDX: ffff88810c434740 RSI: 0000000000000000 RDI: 0000000000000000 [ 174.312035] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 174.317946] R10: 0000000000000020 R11: 0000000000000223 R12: 0000000000000000 [ 174.323860] R13: 0000000000000000 R14: ffffc90002e87d20 R15: 0000000000001b58 [ 174.329743] FS: 00007fc145466800(0000) GS:ffff888343c00000(0000) knlGS:0000000000000000 [ 174.336601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 174.341136] CR2: 0000000000000048 CR3: 00000001413be000 CR4: 00000000000006f0 And with vanilla 6.8.10: [ 4426.333116] BUG: kernel NULL pointer dereference, address: 0000000000000048 [ 4426.338778] #PF: supervisor read access in kernel mode [ 4426.342617] #PF: error_code(0x0000) - not-present page [ 4426.346455] PGD 0 P4D 0 [ 4426.347696] Oops: 0000 [#1] PREEMPT SMP PTI [ 4426.350581] CPU: 4 PID: 9349 Comm: umount Tainted: G I 6.8.11 #1 [ 4426.356674] Hardware name: Gigabyte Technology Co., Ltd. EX58-UD3R/EX58-UD3R, BIOS FB 05/04/2009 [ 4426.364242] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 4426.367744] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 4426.385189] RSP: 0018:ffffc9000186bb60 EFLAGS: 00010202 [ 4426.389114] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 4426.394946] RDX: ffff8881852b3900 RSI: 0000000000000000 RDI: 0000000000000000 [ 4426.400780] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 4426.406611] R10: 0000000000000020 R11: 0000000000000235 R12: 0000000000000000 [ 4426.412445] R13: 0000000000000000 R14: ffffc9000186bd20 R15: 0000000000001b58 [ 4426.418279] FS: 00007f2d5041e800(0000) GS:ffff888343d00000(0000) knlGS:0000000000000000 [ 4426.425063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4426.429510] CR2: 0000000000000048 CR3: 000000021d394000 CR4: 00000000000006f0 [ 4426.435350] Call Trace: [ 4426.436505] <TASK> [ 4426.437311] ? __die_body+0x1a/0x5c [ 4426.439511] ? page_fault_oops+0x321/0x36e [ 4426.442320] ? exc_page_fault+0x105/0x117 [ 4426.445031] ? asm_exc_page_fault+0x22/0x30 [ 4426.447924] ? blk_try_enter_queue+0xc/0x75 [ 4426.450812] blk_queue_enter+0x37/0x10b [ 4426.453354] blk_mq_alloc_request+0x154/0x1b7 [ 4426.456421] scsi_alloc_request+0xa/0x57 [scsi_mod] [ 4426.460026] scsi_execute_cmd+0x5d/0x174 [scsi_mod] [ 4426.463633] sr_do_ioctl+0x8d/0x1ac [sr_mod] [ 4426.466613] sr_packet+0x39/0x42 [sr_mod] [ 4426.469335] cdrom_get_disc_info+0x60/0xc9 [cdrom] [ 4426.472837] cdrom_mrw_exit+0x25/0xe6 [cdrom] [ 4426.475904] ? xa_destroy+0x7e/0xb8 [ 4426.478104] ? preempt_latency_start+0x2b/0x46 [ 4426.481251] sr_free_disk+0x40/0x56 [sr_mod] [ 4426.484232] disk_release+0xb6/0xc4 [ 4426.486424] device_release+0x5a/0x80 [ 4426.488790] kobject_put+0x84/0xa4 [ 4426.490895] bdev_release+0x153/0x165 [ 4426.493263] deactivate_locked_super+0x2f/0x68 [ 4426.496408] cleanup_mnt+0xab/0xd3 [ 4426.498514] task_work_run+0x6b/0x80 [ 4426.500811] resume_user_mode_work+0x22/0x55 [ 4426.503784] syscall_exit_to_user_mode+0x5d/0x7b [ 4426.507102] do_syscall_64+0x86/0xdc [ 4426.509383] entry_SYSCALL_64_after_hwframe+0x60/0x68 [ 4426.513143] RIP: 0033:0x7f2d5063f15b [ 4426.515456] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 89 9c 0c 00 f7 d8 [ 4426.532903] RSP: 002b:00007fff2878dcb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 4426.539167] RAX: 0000000000000000 RBX: 000055cd5ee85e60 RCX: 00007f2d5063f15b [ 4426.545002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055cd5ee86270 [ 4426.550891] RBP: 00007fff2878dd90 R08: 000055cd5ee88350 R09: 00007f2d50709b20 [ 4426.556719] R10: 0000000000000008 R11: 0000000000000246 R12: 000055cd5ee85f68 [ 4426.562550] R13: 0000000000000000 R14: 000055cd5ee86270 R15: 000055cd5ee873d0 [ 4426.568386] </TASK> [ 4426.569277] Modules linked in: sg udf usb_storage uinput snd_seq_dummy rpcrdma rdma_cm iw_cm ib_cm ib_core nf_nat_ftp nf_conntrack_ftp cfg80211 af_packet nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables it87 hwmon_vid bnep rc_pinnacle_pctv_hd em28xx_rc binfmt_misc tda18271 snd_hda_codec_realtek snd_hda_codec_hdmi cxd2820r snd_hda_codec_generic snd_hda_intel regmap_i2c em28xx_dvb dvb_core uvcvideo btusb btintel uvc intel_powerclamp videobuf2_vmalloc coretemp btbcm snd_usb_audio videobuf2_memops em28xx kvm_intel videobuf2_v4l2 bluetooth tveeprom snd_intel_dspcfg videodev snd_hda_codec snd_virtuoso kvm [ 4426.569392] videobuf2_common [ 4426.583929] usb 2-4: new high-speed USB device number 6 using ehci-pci [ 4426.657557] snd_oxygen_lib snd_usbmidi_lib snd_hda_core snd_mpu401_uart snd_hwdep snd_rawmidi mc snd_seq input_leds led_class joydev ecdh_generic rfkill snd_seq_device ecc iTCO_wdt gpio_ich r8169 snd_pcm irqbypass snd_hrtimer pktcdvd realtek snd_timer intel_cstate mdio_devres snd libphy psmouse intel_uncore i2c_i801 pcspkr acpi_cpufreq i2c_smbus mxm_wmi soundcore lpc_ich i7core_edac tiny_power_button button nfsd auth_rpcgss nfs_acl lockd grace dm_mod sunrpc fuse loop configfs dax nfnetlink zram zsmalloc amdgpu ext4 crc32c_generic crc16 mbcache jbd2 video amdxcp i2c_algo_bit mfd_core drm_ttm_helper ttm drm_exec gpu_sched drm_suballoc_helper drm_buddy drm_display_helper drm_kms_helper sr_mod hid_microsoft sd_mod cdrom usbhid drm xhci_pci uhci_hcd ehci_pci ahci ehci_hcd pata_jmicron libahci xhci_hcd libata drm_panel_orientation_quirks cec usbcore crc32c_intel scsi_mod sha512_ssse3 rc_core firewire_ohci firewire_core bsg serio_raw sha256_ssse3 sha1_ssse3 usb_common crc_itu_t scsi_common wmi msr [ 4426.750898] CR2: 0000000000000048 [ 4426.752950] ---[ end trace 0000000000000000 ]--- [ 4426.756276] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 4426.759776] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 4426.777232] RSP: 0018:ffffc9000186bb60 EFLAGS: 00010202 [ 4426.781165] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 4426.786998] RDX: ffff8881852b3900 RSI: 0000000000000000 RDI: 0000000000000000 [ 4426.790807] usb-storage 2-4:1.0: USB Mass Storage device detected [ 4426.792867] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 4426.797877] scsi host10: usb-storage 2-4:1.0 [ 4426.803501] R10: 0000000000000020 R11: 0000000000000235 R12: 0000000000000000 [ 4426.812322] R13: 0000000000000000 R14: ffffc9000186bd20 R15: 0000000000001b58 [ 4426.818165] FS: 00007f2d5041e800(0000) GS:ffff888343d00000(0000) knlGS:0000000000000000 [ 4426.824958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4426.829402] CR2: 0000000000000048 CR3: 000000021d394000 CR4: 00000000000006f0 [ 4427.835567] scsi 10:0:0:0: CD-ROM HL-DT-ST BD-RE BU40N 1.00 PQ: 0 ANSI: 0 Cheers, Chris

1 year, 5 months

1
0
0 0

[PATCH AUTOSEL 4.19] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should not happen, but...". This is only true when testing an RCU whose grace periods are always long enough. This commit therefore fixes this comment. Reported-by: Linus Torvalds <torvalds(a)linux-foundation.org> Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOK… Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/rcutorture.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 0b7af7e2bcbb1..8986ef3a95888 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -1334,7 +1334,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) preempt_disable(); pipe_count = p->rtort_pipe_count; if (pipe_count > RCU_TORTURE_PIPE_LEN) { - /* Should not happen, but... */ + // Should not happen in a correct RCU implementation, + // happens quite often for torture_type=busted. pipe_count = RCU_TORTURE_PIPE_LEN; } completed = cur_ops->get_gp_seq(); -- 2.43.0

1 year, 5 months

1
0
0 0

[PATCH AUTOSEL 5.4] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should not happen, but...". This is only true when testing an RCU whose grace periods are always long enough. This commit therefore fixes this comment. Reported-by: Linus Torvalds <torvalds(a)linux-foundation.org> Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOK… Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/rcutorture.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 3c9feca1eab17..aef4d01c4f61e 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -1291,7 +1291,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) preempt_disable(); pipe_count = p->rtort_pipe_count; if (pipe_count > RCU_TORTURE_PIPE_LEN) { - /* Should not happen, but... */ + // Should not happen in a correct RCU implementation, + // happens quite often for torture_type=busted. pipe_count = RCU_TORTURE_PIPE_LEN; } completed = cur_ops->get_gp_seq(); -- 2.43.0

1 year, 5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024