May 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] nilfs2: fix use-after-free of timer for log writer thread" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052603-probing-percolate-6265@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH] nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: "Bai, Shuangpeng" <sjb7183(a)psu.edu> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 6be7dd423fbd..7cb34e1c9206 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2118,8 +2118,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2320,10 +2322,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2349,7 +2362,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2539,6 +2552,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2606,6 +2620,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + timer_shutdown_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2669,7 +2684,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2748,7 +2762,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - timer_shutdown_sync(&sci->sc_timer); kfree(sci); }

11 months

1
0
0 0

[PATCH] drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms

by Mario Limonciello

commit cd94d1b182d2 ("dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users") attempted to fix shutdown issues that were reported since commit 31729e8c21ec ("drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11") but caused issues for some people. Adjust the workaround flow to properly only apply in the S4 case: -> For shutdown go through SMU_MSG_PrepareMp1ForUnload -> For S4 go through SMU_MSG_GfxDeviceDriverReset and SMU_MSG_PrepareMp1ForUnload Reported-and-tested-by: lectrode <electrodexsnet(a)gmail.com> Closes: https://github.com/void-linux/void-packages/issues/50417 Cc: stable(a)vger.kernel.org Fixes: cd94d1b182d2 ("dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users") Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- Cc: regressions(a)lists.linux.dev --- .../drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c index 4abfcd32747d..c7ab0d7027d9 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c @@ -226,15 +226,17 @@ static int smu_v13_0_4_system_features_control(struct smu_context *smu, bool en) struct amdgpu_device *adev = smu->adev; int ret = 0; - if (!en && adev->in_s4) { - /* Adds a GFX reset as workaround just before sending the - * MP1_UNLOAD message to prevent GC/RLC/PMFW from entering - * an invalid state. - */ - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_GfxDeviceDriverReset, - SMU_RESET_MODE_2, NULL); - if (ret) - return ret; + if (!en && !adev->in_s0ix) { + if (adev->in_s4) { + /* Adds a GFX reset as workaround just before sending the + * MP1_UNLOAD message to prevent GC/RLC/PMFW from entering + * an invalid state. + */ + ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_GfxDeviceDriverReset, + SMU_RESET_MODE_2, NULL); + if (ret) + return ret; + } ret = smu_cmn_send_smc_msg(smu, SMU_MSG_PrepareMp1ForUnload, NULL); } -- 2.43.0

11 months

2
1
0 0

RE: [BUG] NPE with Linux 6.8.10 and Linux 6.8.11 SCSI optical drive.

by Chris Rankin

FWW this is the output from faddr2line for Linux 6.8.11: $ scripts/faddr2line --list vmlinux blk_try_enter_queue+0xc/0x75 blk_try_enter_queue+0xc/0x75: __ref_is_percpu at include/linux/percpu-refcount.h:174 (discriminator 2) 169 * READ_ONCE() is required when fetching it. 170 * 171 * The dependency ordering from the READ_ONCE() pairs 172 * with smp_store_release() in __percpu_ref_switch_to_percpu(). 173 */ >174< percpu_ptr = READ_ONCE(ref->percpu_count_ptr); 175 176 /* 177 * Theoretically, the following could test just ATOMIC; however, 178 * then we'd have to mask off DEAD separately as DEAD may be 179 * visible without ATOMIC if we race with percpu_ref_kill(). DEAD (inlined by) percpu_ref_tryget_live_rcu at include/linux/percpu-refcount.h:282 (discriminator 2) 277 unsigned long __percpu *percpu_count; 278 bool ret = false; 279 280 WARN_ON_ONCE(!rcu_read_lock_held()); 281 >282< if (likely(__ref_is_percpu(ref, &percpu_count))) { 283 this_cpu_inc(*percpu_count); 284 ret = true; 285 } else if (!(ref->percpu_count_ptr & __PERCPU_REF_DEAD)) { 286 ret = atomic_long_inc_not_zero(&ref->data->count); 287 } (inlined by) blk_try_enter_queue at block/blk.h:43 (discriminator 2) 38 void submit_bio_noacct_nocheck(struct bio *bio); 39 40 static inline bool blk_try_enter_queue(struct request_queue *q, bool pm) 41 { 42 rcu_read_lock(); >43< if (!percpu_ref_tryget_live_rcu(&q->q_usage_counter)) 44 goto fail; 45 46 /* 47 * The code that increments the pm_only counter must ensure that the 48 * counter is globally visible before the queue is unfrozen.

11 months

1
0
0 0

[BUG] NPE with Linux 6.8.10 and Linux 6.8.11 SCSI optical drive.

by Chris Rankin

Hi, I have recently purchased a new UHD optical disc which is proving so difficult to read that both the 6.8.10 and 6.8.11 kernels throw NPE errors: With vanilla 6.8.11: [ 173.866492] BUG: kernel NULL pointer dereference, address: 0000000000000048 [ 173.872158] #PF: supervisor read access in kernel mode [ 173.875995] #PF: error_code(0x0000) - not-present page [ 173.879836] PGD 0 P4D 0 [ 173.881075] Oops: 0000 [#1] PREEMPT SMP PTI [ 173.883960] CPU: 0 PID: 4183 Comm: umount Tainted: G I E 6.8.10 #2 [ 173.890052] Hardware name: Gigabyte Technology Co., Ltd. EX58-UD3R/EX58-UD3R, BIOS FB 05/04/2009 [ 173.897619] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 173.901120] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 173.918568] RSP: 0018:ffffc90002e87b60 EFLAGS: 00010202 [ 173.922493] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 173.928324] RDX: ffff88810c434740 RSI: 0000000000000000 RDI: 0000000000000000 [ 173.934156] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 173.939991] R10: 0000000000000020 R11: 0000000000000223 R12: 0000000000000000 [ 173.945824] R13: 0000000000000000 R14: ffffc90002e87d20 R15: 0000000000001b58 [ 173.951656] FS: 00007fc145466800(0000) GS:ffff888343c00000(0000) knlGS:0000000000000000 [ 173.958442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 173.962887] CR2: 0000000000000048 CR3: 00000001413be000 CR4: 00000000000006f0 [ 173.968720] Call Trace: [ 173.969867] <TASK> [ 173.970671] ? __die_body+0x1a/0x5c [ 173.972862] ? page_fault_oops+0x321/0x36e [ 173.975664] ? exc_page_fault+0x105/0x117 [ 173.978374] ? asm_exc_page_fault+0x22/0x30 [ 173.981263] ? blk_try_enter_queue+0xc/0x75 [ 173.984147] blk_queue_enter+0x37/0x10b [ 173.986688] blk_mq_alloc_request+0x154/0x1b7 [ 173.989750] scsi_alloc_request+0xa/0x57 [scsi_mod] [ 173.993351] scsi_execute_cmd+0x5d/0x174 [scsi_mod] [ 173.996948] sr_do_ioctl+0x8d/0x1ac [sr_mod] [ 173.999930] sr_packet+0x39/0x42 [sr_mod] [ 174.002653] cdrom_get_disc_info+0x60/0xc9 [cdrom] [ 174.006156] cdrom_mrw_exit+0x25/0xe6 [cdrom] [ 174.009220] ? xa_destroy+0x7e/0xb8 [ 174.011413] ? preempt_latency_start+0x2b/0x46 [ 174.014560] sr_free_disk+0x40/0x56 [sr_mod] [ 174.017542] disk_release+0xb6/0xc4 [ 174.019735] device_release+0x5a/0x80 [ 174.022098] kobject_put+0x84/0xa4 [ 174.024204] bdev_release+0x153/0x165 [ 174.026573] deactivate_locked_super+0x2f/0x68 [ 174.029726] cleanup_mnt+0xab/0xd3 [ 174.031832] task_work_run+0x6b/0x80 [ 174.034110] resume_user_mode_work+0x22/0x55 [ 174.037082] syscall_exit_to_user_mode+0x5d/0x7b [ 174.040404] do_syscall_64+0x86/0xdc [ 174.042681] entry_SYSCALL_64_after_hwframe+0x60/0x68 [ 174.046434] RIP: 0033:0x7fc14568715b [ 174.048739] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 89 9c 0c 00 f7 d8 [ 174.066185] RSP: 002b:00007ffddee09a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 174.072450] RAX: 0000000000000000 RBX: 000055607dd37e60 RCX: 00007fc14568715b [ 174.078283] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055607dd38270 [ 174.084117] RBP: 00007ffddee09b60 R08: 000055607dd3a350 R09: 00007fc145751b20 [ 174.089947] R10: 0000000000000008 R11: 0000000000000246 R12: 000055607dd37f68 [ 174.095773] R13: 0000000000000000 R14: 000055607dd38270 R15: 000055607dd393d0 [ 174.101608] </TASK> [ 174.102500] Modules linked in: udf snd_seq_dummy rpcrdma rdma_cm iw_cm ib_cm ib_core nf_nat_ftp nf_conntrack_ftp cfg80211 af_packet nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables it87 hwmon_vid bnep binfmt_misc snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic snd_hda_intel uvcvideo intel_powerclamp coretemp snd_intel_dspcfg btusb kvm_intel uvc videobuf2_vmalloc videobuf2_memops btintel snd_hda_codec snd_usb_audio btbcm videobuf2_v4l2 kvm bluetooth snd_virtuoso snd_hda_core videodev snd_usbmidi_lib snd_oxygen_lib snd_mpu401_uart snd_hwdep usb_storage snd_seq videobuf2_common snd_rawmidi [ 174.102617] input_leds ecdh_generic mc joydev snd_seq_device led_class rfkill snd_pcm ecc iTCO_wdt r8169 gpio_ich irqbypass pktcdvd snd_hrtimer realtek intel_cstate snd_timer intel_uncore mdio_devres psmouse libphy snd i2c_i801 mxm_wmi acpi_cpufreq i2c_smbus tiny_power_button pcspkr lpc_ich soundcore i7core_edac button nfsd(E) auth_rpcgss nfs_acl lockd grace sunrpc fuse dm_mod loop configfs dax nfnetlink zram zsmalloc amdgpu ext4 crc32c_generic crc16 mbcache jbd2 video amdxcp i2c_algo_bit mfd_core drm_ttm_helper ttm drm_exec gpu_sched sr_mod drm_suballoc_helper drm_buddy drm_display_helper cdrom sd_mod hid_microsoft usbhid drm_kms_helper ahci libahci pata_jmicron drm uhci_hcd xhci_pci libata ehci_pci ehci_hcd xhci_hcd scsi_mod usbcore firewire_ohci crc32c_intel sha512_ssse3 firewire_core sha256_ssse3 drm_panel_orientation_quirks cec sha1_ssse3 serio_raw bsg rc_core crc_itu_t usb_common scsi_common wmi msr [ 174.269914] CR2: 0000000000000048 [ 174.271981] ---[ end trace 0000000000000000 ]--- [ 174.275308] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 174.278892] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 174.296345] RSP: 0018:ffffc90002e87b60 EFLAGS: 00010202 [ 174.300320] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 174.306156] RDX: ffff88810c434740 RSI: 0000000000000000 RDI: 0000000000000000 [ 174.312035] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 174.317946] R10: 0000000000000020 R11: 0000000000000223 R12: 0000000000000000 [ 174.323860] R13: 0000000000000000 R14: ffffc90002e87d20 R15: 0000000000001b58 [ 174.329743] FS: 00007fc145466800(0000) GS:ffff888343c00000(0000) knlGS:0000000000000000 [ 174.336601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 174.341136] CR2: 0000000000000048 CR3: 00000001413be000 CR4: 00000000000006f0 And with vanilla 6.8.10: [ 4426.333116] BUG: kernel NULL pointer dereference, address: 0000000000000048 [ 4426.338778] #PF: supervisor read access in kernel mode [ 4426.342617] #PF: error_code(0x0000) - not-present page [ 4426.346455] PGD 0 P4D 0 [ 4426.347696] Oops: 0000 [#1] PREEMPT SMP PTI [ 4426.350581] CPU: 4 PID: 9349 Comm: umount Tainted: G I 6.8.11 #1 [ 4426.356674] Hardware name: Gigabyte Technology Co., Ltd. EX58-UD3R/EX58-UD3R, BIOS FB 05/04/2009 [ 4426.364242] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 4426.367744] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 4426.385189] RSP: 0018:ffffc9000186bb60 EFLAGS: 00010202 [ 4426.389114] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 4426.394946] RDX: ffff8881852b3900 RSI: 0000000000000000 RDI: 0000000000000000 [ 4426.400780] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 4426.406611] R10: 0000000000000020 R11: 0000000000000235 R12: 0000000000000000 [ 4426.412445] R13: 0000000000000000 R14: ffffc9000186bd20 R15: 0000000000001b58 [ 4426.418279] FS: 00007f2d5041e800(0000) GS:ffff888343d00000(0000) knlGS:0000000000000000 [ 4426.425063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4426.429510] CR2: 0000000000000048 CR3: 000000021d394000 CR4: 00000000000006f0 [ 4426.435350] Call Trace: [ 4426.436505] <TASK> [ 4426.437311] ? __die_body+0x1a/0x5c [ 4426.439511] ? page_fault_oops+0x321/0x36e [ 4426.442320] ? exc_page_fault+0x105/0x117 [ 4426.445031] ? asm_exc_page_fault+0x22/0x30 [ 4426.447924] ? blk_try_enter_queue+0xc/0x75 [ 4426.450812] blk_queue_enter+0x37/0x10b [ 4426.453354] blk_mq_alloc_request+0x154/0x1b7 [ 4426.456421] scsi_alloc_request+0xa/0x57 [scsi_mod] [ 4426.460026] scsi_execute_cmd+0x5d/0x174 [scsi_mod] [ 4426.463633] sr_do_ioctl+0x8d/0x1ac [sr_mod] [ 4426.466613] sr_packet+0x39/0x42 [sr_mod] [ 4426.469335] cdrom_get_disc_info+0x60/0xc9 [cdrom] [ 4426.472837] cdrom_mrw_exit+0x25/0xe6 [cdrom] [ 4426.475904] ? xa_destroy+0x7e/0xb8 [ 4426.478104] ? preempt_latency_start+0x2b/0x46 [ 4426.481251] sr_free_disk+0x40/0x56 [sr_mod] [ 4426.484232] disk_release+0xb6/0xc4 [ 4426.486424] device_release+0x5a/0x80 [ 4426.488790] kobject_put+0x84/0xa4 [ 4426.490895] bdev_release+0x153/0x165 [ 4426.493263] deactivate_locked_super+0x2f/0x68 [ 4426.496408] cleanup_mnt+0xab/0xd3 [ 4426.498514] task_work_run+0x6b/0x80 [ 4426.500811] resume_user_mode_work+0x22/0x55 [ 4426.503784] syscall_exit_to_user_mode+0x5d/0x7b [ 4426.507102] do_syscall_64+0x86/0xdc [ 4426.509383] entry_SYSCALL_64_after_hwframe+0x60/0x68 [ 4426.513143] RIP: 0033:0x7f2d5063f15b [ 4426.515456] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 89 9c 0c 00 f7 d8 [ 4426.532903] RSP: 002b:00007fff2878dcb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 4426.539167] RAX: 0000000000000000 RBX: 000055cd5ee85e60 RCX: 00007f2d5063f15b [ 4426.545002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055cd5ee86270 [ 4426.550891] RBP: 00007fff2878dd90 R08: 000055cd5ee88350 R09: 00007f2d50709b20 [ 4426.556719] R10: 0000000000000008 R11: 0000000000000246 R12: 000055cd5ee85f68 [ 4426.562550] R13: 0000000000000000 R14: 000055cd5ee86270 R15: 000055cd5ee873d0 [ 4426.568386] </TASK> [ 4426.569277] Modules linked in: sg udf usb_storage uinput snd_seq_dummy rpcrdma rdma_cm iw_cm ib_cm ib_core nf_nat_ftp nf_conntrack_ftp cfg80211 af_packet nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables it87 hwmon_vid bnep rc_pinnacle_pctv_hd em28xx_rc binfmt_misc tda18271 snd_hda_codec_realtek snd_hda_codec_hdmi cxd2820r snd_hda_codec_generic snd_hda_intel regmap_i2c em28xx_dvb dvb_core uvcvideo btusb btintel uvc intel_powerclamp videobuf2_vmalloc coretemp btbcm snd_usb_audio videobuf2_memops em28xx kvm_intel videobuf2_v4l2 bluetooth tveeprom snd_intel_dspcfg videodev snd_hda_codec snd_virtuoso kvm [ 4426.569392] videobuf2_common [ 4426.583929] usb 2-4: new high-speed USB device number 6 using ehci-pci [ 4426.657557] snd_oxygen_lib snd_usbmidi_lib snd_hda_core snd_mpu401_uart snd_hwdep snd_rawmidi mc snd_seq input_leds led_class joydev ecdh_generic rfkill snd_seq_device ecc iTCO_wdt gpio_ich r8169 snd_pcm irqbypass snd_hrtimer pktcdvd realtek snd_timer intel_cstate mdio_devres snd libphy psmouse intel_uncore i2c_i801 pcspkr acpi_cpufreq i2c_smbus mxm_wmi soundcore lpc_ich i7core_edac tiny_power_button button nfsd auth_rpcgss nfs_acl lockd grace dm_mod sunrpc fuse loop configfs dax nfnetlink zram zsmalloc amdgpu ext4 crc32c_generic crc16 mbcache jbd2 video amdxcp i2c_algo_bit mfd_core drm_ttm_helper ttm drm_exec gpu_sched drm_suballoc_helper drm_buddy drm_display_helper drm_kms_helper sr_mod hid_microsoft sd_mod cdrom usbhid drm xhci_pci uhci_hcd ehci_pci ahci ehci_hcd pata_jmicron libahci xhci_hcd libata drm_panel_orientation_quirks cec usbcore crc32c_intel scsi_mod sha512_ssse3 rc_core firewire_ohci firewire_core bsg serio_raw sha256_ssse3 sha1_ssse3 usb_common crc_itu_t scsi_common wmi msr [ 4426.750898] CR2: 0000000000000048 [ 4426.752950] ---[ end trace 0000000000000000 ]--- [ 4426.756276] RIP: 0010:blk_try_enter_queue+0xc/0x75 [ 4426.759776] Code: 41 00 eb 04 65 48 ff 08 58 e9 05 90 d6 ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 89 f5 53 48 89 fb e8 04 54 d6 ff <48> 8b 43 48 a8 03 74 0f f6 43 48 02 75 4d 48 8b 53 50 48 8b 02 eb [ 4426.777232] RSP: 0018:ffffc9000186bb60 EFLAGS: 00010202 [ 4426.781165] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 4426.786998] RDX: ffff8881852b3900 RSI: 0000000000000000 RDI: 0000000000000000 [ 4426.790807] usb-storage 2-4:1.0: USB Mass Storage device detected [ 4426.792867] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000001b58 [ 4426.797877] scsi host10: usb-storage 2-4:1.0 [ 4426.803501] R10: 0000000000000020 R11: 0000000000000235 R12: 0000000000000000 [ 4426.812322] R13: 0000000000000000 R14: ffffc9000186bd20 R15: 0000000000001b58 [ 4426.818165] FS: 00007f2d5041e800(0000) GS:ffff888343d00000(0000) knlGS:0000000000000000 [ 4426.824958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4426.829402] CR2: 0000000000000048 CR3: 000000021d394000 CR4: 00000000000006f0 [ 4427.835567] scsi 10:0:0:0: CD-ROM HL-DT-ST BD-RE BU40N 1.00 PQ: 0 ANSI: 0 Cheers, Chris

11 months

1
0
0 0

[PATCH AUTOSEL 4.19] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should not happen, but...". This is only true when testing an RCU whose grace periods are always long enough. This commit therefore fixes this comment. Reported-by: Linus Torvalds <torvalds(a)linux-foundation.org> Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOK… Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/rcutorture.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 0b7af7e2bcbb1..8986ef3a95888 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -1334,7 +1334,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) preempt_disable(); pipe_count = p->rtort_pipe_count; if (pipe_count > RCU_TORTURE_PIPE_LEN) { - /* Should not happen, but... */ + // Should not happen in a correct RCU implementation, + // happens quite often for torture_type=busted. pipe_count = RCU_TORTURE_PIPE_LEN; } completed = cur_ops->get_gp_seq(); -- 2.43.0

11 months

1
0
0 0

[PATCH AUTOSEL 5.4] rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment

by Sasha Levin

From: "Paul E. McKenney" <paulmck(a)kernel.org> [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should not happen, but...". This is only true when testing an RCU whose grace periods are always long enough. This commit therefore fixes this comment. Reported-by: Linus Torvalds <torvalds(a)linux-foundation.org> Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOK… Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/rcu/rcutorture.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 3c9feca1eab17..aef4d01c4f61e 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -1291,7 +1291,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) preempt_disable(); pipe_count = p->rtort_pipe_count; if (pipe_count > RCU_TORTURE_PIPE_LEN) { - /* Should not happen, but... */ + // Should not happen in a correct RCU implementation, + // happens quite often for torture_type=busted. pipe_count = RCU_TORTURE_PIPE_LEN; } completed = cur_ops->get_gp_seq(); -- 2.43.0

11 months

1
0
0 0

[PATCH AUTOSEL 5.10 1/5] padata: Disable BH when taking works lock on MT path

by Sasha Levin

From: Herbert Xu <herbert(a)gondor.apana.org.au> [ Upstream commit 58329c4312031603bb1786b44265c26d5065fe72 ] As the old padata code can execute in softirq context, disable softirqs for the new padata_do_mutithreaded code too as otherwise lockdep will get antsy. Reported-by: syzbot+0cb5bb0f4bf9e79db3b3(a)syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Acked-by: Daniel Jordan <daniel.m.jordan(a)oracle.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/padata.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/padata.c b/kernel/padata.c index fdcd78302cd72..471ccbc44541d 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -111,7 +111,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, { int i; - spin_lock(&padata_works_lock); + spin_lock_bh(&padata_works_lock); /* Start at 1 because the current task participates in the job. */ for (i = 1; i < nworks; ++i) { struct padata_work *pw = padata_work_alloc(); @@ -121,7 +121,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, padata_work_init(pw, padata_mt_helper, data, 0); list_add(&pw->pw_list, head); } - spin_unlock(&padata_works_lock); + spin_unlock_bh(&padata_works_lock); return i; } @@ -139,12 +139,12 @@ static void __init padata_works_free(struct list_head *works) if (list_empty(works)) return; - spin_lock(&padata_works_lock); + spin_lock_bh(&padata_works_lock); list_for_each_entry_safe(cur, next, works, pw_list) { list_del(&cur->pw_list); padata_work_free(cur); } - spin_unlock(&padata_works_lock); + spin_unlock_bh(&padata_works_lock); } static void padata_parallel_worker(struct work_struct *parallel_work) -- 2.43.0

11 months

1
4
0 0

[PATCH AUTOSEL 5.15 1/7] padata: Disable BH when taking works lock on MT path

by Sasha Levin

From: Herbert Xu <herbert(a)gondor.apana.org.au> [ Upstream commit 58329c4312031603bb1786b44265c26d5065fe72 ] As the old padata code can execute in softirq context, disable softirqs for the new padata_do_mutithreaded code too as otherwise lockdep will get antsy. Reported-by: syzbot+0cb5bb0f4bf9e79db3b3(a)syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Acked-by: Daniel Jordan <daniel.m.jordan(a)oracle.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/padata.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/padata.c b/kernel/padata.c index 47f146f061fb1..809978bb249c2 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -98,7 +98,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, { int i; - spin_lock(&padata_works_lock); + spin_lock_bh(&padata_works_lock); /* Start at 1 because the current task participates in the job. */ for (i = 1; i < nworks; ++i) { struct padata_work *pw = padata_work_alloc(); @@ -108,7 +108,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, padata_work_init(pw, padata_mt_helper, data, 0); list_add(&pw->pw_list, head); } - spin_unlock(&padata_works_lock); + spin_unlock_bh(&padata_works_lock); return i; } @@ -126,12 +126,12 @@ static void __init padata_works_free(struct list_head *works) if (list_empty(works)) return; - spin_lock(&padata_works_lock); + spin_lock_bh(&padata_works_lock); list_for_each_entry_safe(cur, next, works, pw_list) { list_del(&cur->pw_list); padata_work_free(cur); } - spin_unlock(&padata_works_lock); + spin_unlock_bh(&padata_works_lock); } static void padata_parallel_worker(struct work_struct *parallel_work) -- 2.43.0

11 months

1
6
0 0

[PATCH AUTOSEL 6.1 1/9] md: Fix overflow in is_mddev_idle

by Sasha Levin

From: Li Nan <linan122(a)huawei.com> [ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ] UBSAN reports this problem: UBSAN: Undefined behaviour in drivers/md/md.c:8175:15 signed integer overflow: -2147483291 - 2072033152 cannot be represented in type 'int' Call trace: dump_backtrace+0x0/0x310 show_stack+0x28/0x38 dump_stack+0xec/0x15c ubsan_epilogue+0x18/0x84 handle_overflow+0x14c/0x19c __ubsan_handle_sub_overflow+0x34/0x44 is_mddev_idle+0x338/0x3d8 md_do_sync+0x1bb8/0x1cf8 md_thread+0x220/0x288 kthread+0x1d8/0x1e0 ret_from_fork+0x10/0x18 'curr_events' will overflow when stat accum or 'sync_io' is greater than INT_MAX. Fix it by changing sync_io, last_events and curr_events to 64bit. Signed-off-by: Li Nan <linan122(a)huawei.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com Signed-off-by: Song Liu <song(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/md/md.c | 7 ++++--- drivers/md/md.h | 4 ++-- include/linux/blkdev.h | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index 788acc81e7a84..7b7c048e2670a 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -8541,14 +8541,15 @@ static int is_mddev_idle(struct mddev *mddev, int init) { struct md_rdev *rdev; int idle; - int curr_events; + long long curr_events; idle = 1; rcu_read_lock(); rdev_for_each_rcu(rdev, mddev) { struct gendisk *disk = rdev->bdev->bd_disk; - curr_events = (int)part_stat_read_accum(disk->part0, sectors) - - atomic_read(&disk->sync_io); + curr_events = + (long long)part_stat_read_accum(disk->part0, sectors) - + atomic64_read(&disk->sync_io); /* sync IO will cause sync_io to increase before the disk_stats * as sync_io is counted when a request starts, and * disk_stats is counted when it completes. diff --git a/drivers/md/md.h b/drivers/md/md.h index 4f0b480974552..5910527514db2 100644 --- a/drivers/md/md.h +++ b/drivers/md/md.h @@ -50,7 +50,7 @@ struct md_rdev { sector_t sectors; /* Device size (in 512bytes sectors) */ struct mddev *mddev; /* RAID array if running */ - int last_events; /* IO event timestamp */ + long long last_events; /* IO event timestamp */ /* * If meta_bdev is non-NULL, it means that a separate device is @@ -576,7 +576,7 @@ extern void mddev_unlock(struct mddev *mddev); static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors) { - atomic_add(nr_sectors, &bdev->bd_disk->sync_io); + atomic64_add(nr_sectors, &bdev->bd_disk->sync_io); } static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors) diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index e255674a9ee72..02e55676e0283 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -161,7 +161,7 @@ struct gendisk { struct list_head slave_bdevs; #endif struct timer_rand_state *random; - atomic_t sync_io; /* RAID */ + atomic64_t sync_io; /* RAID */ struct disk_events *ev; #ifdef CONFIG_BLK_DEV_INTEGRITY struct kobject integrity_kobj; -- 2.43.0

11 months

1
8
0 0

[PATCH AUTOSEL 6.6 01/11] fs/writeback: bail out if there is no more inodes for IO and queued once

by Sasha Levin

From: Kemeng Shi <shikemeng(a)huaweicloud.com> [ Upstream commit d92109891f21cf367caa2cc6dff11a4411d917f4 ] For case there is no more inodes for IO in io list from last wb_writeback, We may bail out early even there is inode in dirty list should be written back. Only bail out when we queued once to avoid missing dirtied inode. This is from code reading... Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Link: https://lore.kernel.org/r/20240228091958.288260-3-shikemeng@huaweicloud.com Reviewed-by: Jan Kara <jack(a)suse.cz> [brauner(a)kernel.org: fold in memory corruption fix from Jan in [1]] Link: https://lore.kernel.org/r/20240405132346.bid7gibby3lxxhez@quack3 [1] Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/fs-writeback.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 1767493dffda7..0a498bc60f557 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -2044,6 +2044,7 @@ static long wb_writeback(struct bdi_writeback *wb, struct inode *inode; long progress; struct blk_plug plug; + bool queued = false; blk_start_plug(&plug); for (;;) { @@ -2086,8 +2087,10 @@ static long wb_writeback(struct bdi_writeback *wb, dirtied_before = jiffies; trace_writeback_start(wb, work); - if (list_empty(&wb->b_io)) + if (list_empty(&wb->b_io)) { queue_io(wb, work, dirtied_before); + queued = true; + } if (work->sb) progress = writeback_sb_inodes(work->sb, wb, work); else @@ -2102,7 +2105,7 @@ static long wb_writeback(struct bdi_writeback *wb, * mean the overall work is done. So we keep looping as long * as made some progress on cleaning pages or inodes. */ - if (progress) { + if (progress || !queued) { spin_unlock(&wb->list_lock); continue; } -- 2.43.0

11 months

1
10
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024