September 2024 - Linux-stable-mirror

[PATCH 1/4] drm/xe/client: fix deadlock in show_meminfo()

by Matthew Auld

There is a real deadlock as well as sleeping in atomic() bug in here, if the bo put happens to be the last ref, since bo destruction wants to grab the same spinlock and sleeping locks. Fix that by dropping the ref using xe_bo_put_deferred(), and moving the final commit outside of the lock. Dropping the lock around the put is tricky since the bo can go out of scope and delete itself from the list, making it difficult to navigate to the next list entry. Fixes: 0845233388f8 ("drm/xe: Implement fdinfo memory stats printing") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2727 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Tejas Upadhyay <tejas.upadhyay(a)intel.com> Cc: "Thomas Hellström" <thomas.hellstrom(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_drm_client.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_drm_client.c b/drivers/gpu/drm/xe/xe_drm_client.c index e64f4b645e2e..badfa045ead8 100644 --- a/drivers/gpu/drm/xe/xe_drm_client.c +++ b/drivers/gpu/drm/xe/xe_drm_client.c @@ -196,6 +196,7 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file) struct xe_drm_client *client; struct drm_gem_object *obj; struct xe_bo *bo; + LLIST_HEAD(deferred); unsigned int id; u32 mem_type; @@ -215,11 +216,14 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file) list_for_each_entry(bo, &client->bos_list, client_link) { if (!kref_get_unless_zero(&bo->ttm.base.refcount)) continue; + bo_meminfo(bo, stats); - xe_bo_put(bo); + xe_bo_put_deferred(bo, &deferred); } spin_unlock(&client->bos_lock); + xe_bo_put_commit(&deferred); + for (mem_type = XE_PL_SYSTEM; mem_type < TTM_NUM_MEM_TYPES; ++mem_type) { if (!xe_mem_type_to_name[mem_type]) continue; -- 2.46.0

3 months, 3 weeks

3
7
0 0

[PATCH RESEND] soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"

by Krzysztof Kozlowski

This reverts commit ab8d66d132bc8f1992d3eb6cab8d32dda6733c84 because it breaks codecs using non-continuous masks in source and sink ports. The commit missed the point that port numbers are not used as indices for iterating over prop.sink_ports or prop.source_ports. Soundwire core and existing codecs expect that the array passed as prop.sink_ports and prop.source_ports is continuous. The port mask still might be non-continuous, but that's unrelated. Reported-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Closes: https://lore.kernel.org/all/b6c75eee-761d-44c8-8413-2a5b34ee2f98@linux.inte… Fixes: ab8d66d132bc ("soundwire: stream: fix programming slave ports for non-continous port maps") Acked-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Reviewed-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Resending with Ack/Rb tags and missing Cc-stable. --- drivers/soundwire/stream.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c index f275143d7b18..7aa4900dcf31 100644 --- a/drivers/soundwire/stream.c +++ b/drivers/soundwire/stream.c @@ -1291,18 +1291,18 @@ struct sdw_dpn_prop *sdw_get_slave_dpn_prop(struct sdw_slave *slave, unsigned int port_num) { struct sdw_dpn_prop *dpn_prop; - unsigned long mask; + u8 num_ports; int i; if (direction == SDW_DATA_DIR_TX) { - mask = slave->prop.source_ports; + num_ports = hweight32(slave->prop.source_ports); dpn_prop = slave->prop.src_dpn_prop; } else { - mask = slave->prop.sink_ports; + num_ports = hweight32(slave->prop.sink_ports); dpn_prop = slave->prop.sink_dpn_prop; } - for_each_set_bit(i, &mask, 32) { + for (i = 0; i < num_ports; i++) { if (dpn_prop[i].num == port_num) return &dpn_prop[i]; } -- 2.43.0

3 months, 3 weeks

3
4
0 0

Follow-up to "net: drop bad gso csum_start and offset in virtio_net_hdr" - backport for 5.15 needed

by Christian Theune

Hi, the issue was so far handled in https://lore.kernel.org/regressions/ZsyMzW-4ee_U8NoX@eldamar.lan/T/#m390d6e… and https://bugzilla.kernel.org/show_bug.cgi?id=219129 I haven’t seen any communication whether a backport for 5.15 is already in progress, so I thought I’d follow up here. Today we rolled out 5.15.165 and immediately ran into the same issue. There’s at least one other person asking for a 5.15 backport in Bugzilla. Hugs, Christian -- Christian Theune - A97C62CE - 0179 7808366 @theuni - christian(a)theune.cc

3 months, 3 weeks

4
9
0 0

[PATCH v5 2/2] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> ufshcd_abort_all forcibly aborts all on-going commands and the host controller will automatically fill in the OCS field of the corresponding response with OCS_ABORTED based on different working modes. MCQ mode: aborts a command using SQ cleanup, The host controller will post a Completion Queue entry with OCS = ABORTED. SDB mode: aborts a command using UTRLCLR. Task Management response which means a Transfer Request was aborted. For these two cases, set a flag to notify SCSI to requeue the command after receiving response with OCS_ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 35 ++++++++++++++++++++--------------- include/ufs/ufshcd.h | 3 +++ 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..8380e8861d83 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->abort_initiated_by_eh = false; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,7 +5405,10 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->abort_initiated_by_eh) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; @@ -6471,26 +6475,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } @@ -7561,6 +7551,21 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) goto out; } + /* + * When the host software receives a "FUNCTION COMPLETE", set flag + * to requeue command after receive response with OCS_ABORTED + * SDB mode: UTRLCLR Task Management response which means a Transfer + * Request was aborted. + * MCQ mode: Host will post to CQ with OCS_ABORTED after SQ cleanup + * + * This flag is set because error handler ufshcd_abort_all forcibly + * aborts all commands, and the host controller will automatically + * fill in the OCS field of the corresponding response with OCS_ABORTED. + * Therefore, upon receiving this response, it needs to be requeued. + */ + if (!err) + lrbp->abort_initiated_by_eh = true; + err = ufshcd_clear_cmd(hba, tag); if (err) dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n", diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..07b5e60e6c44 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -173,6 +173,8 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @abort_initiated_by_eh: The flag is specifically used to handle + * ufshcd_err_handler forcibly aborts. */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +204,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + bool abort_initiated_by_eh; }; /** -- 2.45.2

3 months, 3 weeks

1
0
0 0

[PATCH v5 1/2] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

3 months, 3 weeks

1
0
0 0

[PATCH] fbdev/xen-fbfront: Assign fb_info->device

by Jason Andryuk

From: Jason Andryuk <jason.andryuk(a)amd.com> Probing xen-fbfront faults in video_is_primary_device(). The passed-in struct device is NULL since xen-fbfront doesn't assign it and the memory is kzalloc()-ed. Assign fb_info->device to avoid this. This was exposed by the conversion of fb_is_primary_device() to video_is_primary_device() which dropped a NULL check for struct device. Fixes: f178e96de7f0 ("arch: Remove struct fb_info from video helpers") Reported-by: Arthur Borsboom <arthurborsboom(a)gmail.com> Closes: https://lore.kernel.org/xen-devel/CALUcmUncX=LkXWeiSiTKsDY-cOe8QksWhFvcCneO… Tested-by: Arthur Borsboom <arthurborsboom(a)gmail.com> CC: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- The other option would be to re-instate the NULL check in video_is_primary_device() --- drivers/video/fbdev/xen-fbfront.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/xen-fbfront.c b/drivers/video/fbdev/xen-fbfront.c index 66d4628a96ae..c90f48ebb15e 100644 --- a/drivers/video/fbdev/xen-fbfront.c +++ b/drivers/video/fbdev/xen-fbfront.c @@ -407,6 +407,7 @@ static int xenfb_probe(struct xenbus_device *dev, /* complete the abuse: */ fb_info->pseudo_palette = fb_info->par; fb_info->par = info; + fb_info->device = &dev->dev; fb_info->screen_buffer = info->fb; -- 2.43.0

3 months, 3 weeks

6
8
0 0

[PATCH 5.10 000/151] 5.10.225-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.225 release. There are 151 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.225-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.225-rc1 Guenter Roeck <linux(a)roeck-us.net> apparmor: fix policy_unpack_test on big endian systems Ben Hutchings <benh(a)debian.org> scsi: aacraid: Fix double-free on probe failure Zijun Hu <quic_zijuhu(a)quicinc.com> usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: dwc3: st: add missing depopulate in probe error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: dwc3: st: fix probed platform device ref count on probe error path Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Prevent USB core invalid event buffer address access Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: dwc3: omap: add missing depopulate in probe error path ZHANG Yuntian <yt(a)radxa.com> USB: serial: option: add MeiG Smart SRM825L Ian Ray <ian.ray(a)gehealthcare.com> cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller Volodymyr Babchuk <Volodymyr_Babchuk(a)epam.com> soc: qcom: cmd-db: Map shared memory as WC, not WB Aleksandr Mishin <amishin(a)t-argos.ru> nfc: pn533: Add poll mod list filling check Eric Dumazet <edumazet(a)google.com> net: busy-poll: use ktime_get_ns() instead of local_clock() Cong Wang <cong.wang(a)bytedance.com> gtp: fix a potential NULL pointer dereference Jamie Bainbridge <jamie.bainbridge(a)gmail.com> ethtool: check device is present when getting link settings Serge Semin <fancer.lancer(a)gmail.com> dmaengine: dw: Add memory bus width verification Serge Semin <fancer.lancer(a)gmail.com> dmaengine: dw: Add peripheral bus width verification Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: fix programming slave ports for non-continous port maps Miklos Szeredi <mszeredi(a)redhat.com> ovl: do not fail because of O_NOATIME Allison Henderson <allison.henderson(a)oracle.com> net:rds: Fix possible deadlock in rds_message_put Chen Ridong <chenridong(a)huawei.com> cgroup/cpuset: Prevent UAF in proc_cpuset_show() Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Fix null pointer dereference on error Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "Input: ioc3kbd - convert to platform remove callback returning void" Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix integer overflow calculating timestamp Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: don't allow mapping the MMIO HDP page with large pages Rafael Aquini <aquini(a)redhat.com> ipc: replace costly bailout check in sysvipc_find_ipc() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sched: check both backup in retrans Sascha Hauer <s.hauer(a)pengutronix.de> wifi: mwifiex: duplicate static structs used in driver instances Ma Ke <make24(a)iscas.ac.cn> pinctrl: single: fix potential NULL dereference in pcs_get_function() Huang-Huang Bao <i(a)eh5.me> pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins Sami Tolvanen <samitolvanen(a)google.com> KVM: arm64: Don't use cbz/adr with external symbols Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Alexander Lobakin <aleksander.lobakin(a)intel.com> tools: move alignment-related macros to new <linux/align.h> Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Input: MT - limit max slots Lee, Chun-Yi <joeyli.kernel(a)gmail.com> Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO Kuniyuki Iwashima <kuniyu(a)amazon.com> nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg(). Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Relax start tick time check for slave timer elements Alex Hung <alex.hung(a)amd.com> Revert "drm/amd/display: Validate hw_points_num before using it" Ben Whitten <ben.whitten(a)gmail.com> mmc: dw_mmc: allow biu and ciu clocks to defer Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Nikolay Kuratov <kniv(a)yandex-team.ru> cxgb4: add forgotten u64 ivlan cast before shift Siarhei Vishniakou <svv(a)google.com> HID: microsoft: Add rumble support to latest xbox controllers Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Defer calculation of resolution until resolution_code is known Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Set timer mode in cpu-probe Laurent Vivier <laurent(a)vivier.eu> binfmt_misc: pass binfmt_misc flags to the interpreter Griffin Kroah-Hartman <griffin(a)kroah.com> Bluetooth: MGMT: Add error handling to pair_device() Dan Carpenter <dan.carpenter(a)linaro.org> mmc: mmc_test: Fix NULL dereference on allocation failure Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: reset the link phy params before link training Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't play tricks with debug macros Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix dangling multicast addresses Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Always disable promiscuous mode Eric Dumazet <edumazet(a)google.com> ipv6: prevent UAF in ip6_send_skb() Stephen Hemminger <stephen(a)networkplumber.org> netem: fix return value if duplicate enqueue fails Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Fix out-of-bound access Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: replace ATU violation prints with trace points Hans J. Schultz <netdev(a)kapio-technology.com> net: dsa: mv88e6xxx: read FID when handling ATU violations Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix ICE_LAST_OFFSET formula Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm state handling when clearing active slave Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm real_dev null pointer dereference Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix null pointer deref in bond_ipsec_offload_ok Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix bond_ipsec_offload_ok return type Thomas Bogendoerfer <tbogendoerfer(a)suse.de> ip6_tunnel: Fix broken GRO Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Serialise kcm_sendmsg() for the same socket. Simon Horman <horms(a)kernel.org> tc-testing: don't access non-existent variable on exception Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix assumption of Central always being Initiator Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix LE quote calculation Mikulas Patocka <mpatocka(a)redhat.com> dm suspend: return -ERESTARTSYS instead of -EINTR Aurelien Jarno <aurelien(a)aurel32.net> media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> block: use "unsigned long" for blk_validate_block_size(). Eric Dumazet <edumazet(a)google.com> gtp: pull network headers in gtp_dev_xmit() Phil Chang <phil.chang(a)mediatek.com> hrtimer: Prevent queuing of hrtimer without a function callback Sagi Grimberg <sagi(a)grimberg.me> nvmet-rdma: fix possible bad dereference when freeing rsps Baokun Li <libaokun1(a)huawei.com> ext4: set the type of max_zeroout to unsigned int to avoid overflow Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Abdulrasaq Lawani <abdulrasaqolawani(a)gmail.com> fbdev: offb: replace of_node_put with __free(device_node) Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: dwc3: core: Skip setting event buffers for host only controllers Alexander Gordeev <agordeev(a)linux.ibm.com> s390/iucv: fix receive buffer virtual vs physical address confusion Oreoluwa Babatunde <quic_obabatun(a)quicinc.com> openrisc: Call setup_memory() earlier in the init sequence NeilBrown <neilb(a)suse.de> NFS: avoid infinite loop in pnfs_update_layout. Hannes Reinecke <hare(a)suse.de> nvmet-tcp: do not continue for invalid icreq Jian Shen <shenjian15(a)huawei.com> net: hns3: add checking for vf id of mailbox Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: bnep: Fix out-of-bound access Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: gadget: fsl: Increase size of name buffer for endpoints Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to do sanity check in update_sit_entry David Sterba <dsterba(a)suse.com> btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() David Sterba <dsterba(a)suse.com> btrfs: send: handle unexpected data in header buffer in begin_cmd() David Sterba <dsterba(a)suse.com> btrfs: handle invalid root reference found in may_destroy_subvol() David Sterba <dsterba(a)suse.com> btrfs: change BUG_ON to assertion when checking for delayed_node root Michael Ellerman <mpe(a)ellerman.id.au> powerpc/boot: Only free if realloc() succeeds Li zeming <zeming(a)nfschina.com> powerpc/boot: Handle allocation failure in simple_realloc() Helge Deller <deller(a)gmx.de> parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Christophe Kerello <christophe.kerello(a)foss.st.com> memory: stm32-fmc2-ebi: check regmap_read return value Kees Cook <keescook(a)chromium.org> x86: Increase brk randomness entropy for 64-bit systems Li Nan <linan122(a)huawei.com> md: clean up invalid BUG_ON in md_ioctl Eric Dumazet <edumazet(a)google.com> netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Stefan Hajnoczi <stefanha(a)redhat.com> virtiofs: forbid newlines in tags Erico Nunes <nunes.erico(a)gmail.com> drm/lima: set gp bus_stop bit before hard reset Kees Cook <keescook(a)chromium.org> net/sun3_82586: Avoid reading past buffer in debug output Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Max Filippov <jcmvbkbc(a)gmail.com> fs: binfmt_elf_efpic: don't use missing interpreter's properties Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: pci: cx23885: check cx23885_vdev_init() return Jan Kara <jack(a)suse.cz> quota: Remove BUG_ON from dqget() Baokun Li <libaokun1(a)huawei.com> ext4: do not trim the group with corrupted block bitmap Daniel Wagner <dwagner(a)suse.de> nvmet-trace: avoid dereferencing pointer too early Kunwu Chan <chentao(a)kylinos.cn> powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Chengfeng Ye <dg573847474(a)gmail.com> IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: abort scan when rfkill on but device enabled Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: setattr_chown: Add missing initialization Mike Christie <michael.christie(a)oracle.com> scsi: spi: Fix sshdr use Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: qcom: venus: fix incorrect return value Christian Brauner <christian.brauner(a)ubuntu.com> binfmt_misc: cleanup on filesystem umount Chengfeng Ye <dg573847474(a)gmail.com> staging: ks7010: disable bh on tx_dev_lock Alex Hung <alex.hung(a)amd.com> drm/amd/display: Validate hw_points_num before using it David Lechner <dlechner(a)baylibre.com> staging: iio: resolver: ad2s1210: fix use before initialization Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: radio-isa: use dev_name to fill in bus_info Heiko Carstens <hca(a)linux.ibm.com> s390/smp,mcck: fix early IPI handling Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rtrs: Fix the problem of variable not initialized fully Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: riic: avoid potential division by zero Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: cw1200: Avoid processing an invalid TIM IE Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix BA session teardown race Rand Deeb <rand.sec96(a)gmail.com> ssb: Fix division by zero issue in ssb_calc_clock_rate Parsa Poorshikhian <parsa.poorsh(a)gmail.com> ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Jie Wang <wangjie125(a)huawei.com> net: hns3: fix a deadlock problem when config TC during resetting Jie Wang <wangjie125(a)huawei.com> net: hns3: fix wrong use of semaphore up Donald Hunter <donald.hunter(a)gmail.com> netfilter: flowtable: initialise extack before use Eugene Syromiatnikov <esyr(a)redhat.com> mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: check busy flag in MDIO operations Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: use read_poll_timeout instead delay loop Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: pass value in phy_write operation Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> net: axienet: Fix register defines comment description Dan Carpenter <dan.carpenter(a)linaro.org> atm: idt77252: prevent use after free in dequeue_rx() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Correctly report errors for ethtool rx flows Claudio Imbrenda <imbrenda(a)linux.ibm.com> s390/uv: Panic for set and remove shared access UVC errors Alexander Lobakin <aleksander.lobakin(a)intel.com> btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Alexander Lobakin <aleksander.lobakin(a)intel.com> s390/cio: rename bitmap_size() -> idset_bitmap_size() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg2: properly set atomics vmid field Al Viro <viro(a)zeniv.linux.org.uk> memcg_write_event_control(): fix a user-triggerable oops Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> drm/amdgpu: Actually check flags for all context ops. Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: add dev extent item checks Zhen Lei <thunder.leizhen(a)huawei.com> selinux: fix potential counting error in avc_add_xperms_decision() Al Viro <viro(a)zeniv.linux.org.uk> fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Alexander Lobakin <aleksander.lobakin(a)intel.com> bitmap: introduce generic optimized bitmap_size() Zhihao Cheng <chengzhihao1(a)huawei.com> vfs: Don't evict inode under the inode lru traversing context Mikulas Patocka <mpatocka(a)redhat.com> dm persistent data: fix memory allocation failure Khazhismel Kumykov <khazhy(a)google.com> dm resume: don't return EINVAL when signalled Haibo Xu <haibo1.xu(a)intel.com> arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix error recovery leading to data corruption on ESE devices Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Mark XDomain as unplugged when router is removed Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Juan José Arboleda <soyjuanarbol(a)gmail.com> ALSA: usb-audio: Support Yamaha P-125 quirk entry Jann Horn <jannh(a)google.com> fuse: Initialize beyond-EOF page contents before setting uptodate ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/acpi_numa.c | 2 +- arch/arm64/kvm/hyp/entry.S | 6 +- arch/arm64/kvm/sys_regs.c | 6 + arch/arm64/kvm/vgic/vgic.h | 7 + arch/mips/kernel/cpu-probe.c | 4 + arch/openrisc/kernel/setup.c | 6 +- arch/parisc/kernel/irq.c | 4 +- arch/powerpc/boot/simple_alloc.c | 7 +- arch/powerpc/sysdev/xics/icp-native.c | 2 + arch/s390/include/asm/uv.h | 5 +- arch/s390/kernel/early.c | 12 +- arch/s390/kernel/smp.c | 4 +- arch/x86/kernel/process.c | 5 +- drivers/ata/libata-core.c | 3 + drivers/atm/idt77252.c | 9 +- drivers/bluetooth/hci_ldisc.c | 3 +- drivers/dma/dw/core.c | 89 ++++++++- drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 5 +- drivers/gpu/drm/lima/lima_gp.c | 12 ++ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 +- drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 + drivers/hid/hid-ids.h | 10 +- drivers/hid/hid-microsoft.c | 11 +- drivers/hid/wacom_wac.c | 4 +- drivers/i2c/busses/i2c-riic.c | 2 +- drivers/infiniband/hw/hfi1/chip.c | 5 +- drivers/infiniband/ulp/rtrs/rtrs.c | 2 +- drivers/input/input-mt.c | 3 + drivers/input/serio/ioc3kbd.c | 6 +- drivers/irqchip/irq-gic-v3-its.c | 2 - drivers/md/dm-clone-metadata.c | 5 - drivers/md/dm-ioctl.c | 22 ++- drivers/md/dm.c | 4 +- drivers/md/md.c | 5 - drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/media/pci/cx23885/cx23885-video.c | 8 + drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 +- drivers/media/platform/qcom/venus/pm_helpers.c | 2 +- drivers/media/radio/radio-isa.c | 2 +- drivers/media/usb/uvc/uvc_video.c | 10 +- drivers/memory/stm32-fmc2-ebi.c | 122 ++++++++---- drivers/mmc/core/mmc_test.c | 9 +- drivers/mmc/host/dw_mmc.c | 8 + drivers/net/bonding/bond_main.c | 21 +- drivers/net/bonding/bond_options.c | 2 +- drivers/net/dsa/mv88e6xxx/Makefile | 4 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 82 ++++++-- drivers/net/dsa/mv88e6xxx/trace.c | 6 + drivers/net/dsa/mv88e6xxx/trace.h | 66 +++++++ drivers/net/dsa/vitesse-vsc73xx-core.c | 69 +++++-- drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +- drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +- .../ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +- drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 +-- drivers/net/gtp.c | 5 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 32 ++- drivers/net/wireless/st/cw1200/txrx.c | 2 +- drivers/nfc/pn533/pn533.c | 5 + drivers/nvme/target/rdma.c | 16 +- drivers/nvme/target/tcp.c | 1 + drivers/nvme/target/trace.c | 6 +- drivers/nvme/target/trace.h | 28 +-- drivers/pinctrl/pinctrl-rockchip.c | 2 +- drivers/pinctrl/pinctrl-single.c | 2 + drivers/s390/block/dasd.c | 36 ++-- drivers/s390/block/dasd_3990_erp.c | 10 +- drivers/s390/block/dasd_eckd.c | 57 +++--- drivers/s390/block/dasd_int.h | 2 +- drivers/s390/cio/idset.c | 12 +- drivers/scsi/aacraid/comminit.c | 2 + drivers/scsi/lpfc/lpfc_sli.c | 2 +- drivers/scsi/scsi_transport_spi.c | 4 +- drivers/soc/qcom/cmd-db.c | 2 +- drivers/soundwire/stream.c | 8 +- drivers/ssb/main.c | 2 +- drivers/staging/iio/resolver/ad2s1210.c | 7 +- drivers/staging/ks7010/ks7010_sdio.c | 4 +- drivers/thunderbolt/switch.c | 1 + drivers/usb/class/cdc-acm.c | 3 + drivers/usb/core/sysfs.c | 1 + drivers/usb/dwc3/core.c | 21 ++ drivers/usb/dwc3/dwc3-omap.c | 4 +- drivers/usb/dwc3/dwc3-st.c | 16 +- drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- drivers/usb/host/xhci.c | 8 +- drivers/usb/serial/option.c | 5 + drivers/video/fbdev/offb.c | 3 +- fs/binfmt_elf.c | 5 +- fs/binfmt_elf_fdpic.c | 7 +- fs/binfmt_misc.c | 220 ++++++++++++++++----- fs/btrfs/delayed-inode.c | 2 +- fs/btrfs/free-space-cache.c | 8 +- fs/btrfs/inode.c | 9 +- fs/btrfs/qgroup.c | 2 - fs/btrfs/send.c | 7 +- fs/btrfs/tree-checker.c | 69 +++++++ fs/ext4/extents.c | 3 +- fs/ext4/mballoc.c | 3 + fs/f2fs/segment.c | 5 +- fs/file.c | 28 ++- fs/fuse/dev.c | 6 +- fs/fuse/virtio_fs.c | 10 + fs/gfs2/inode.c | 2 +- fs/inode.c | 39 +++- fs/nfs/pnfs.c | 8 + fs/overlayfs/file.c | 11 +- fs/quota/dquot.c | 5 +- include/linux/binfmts.h | 4 + include/linux/bitmap.h | 20 +- include/linux/blkdev.h | 2 +- include/linux/cpumask.h | 2 +- include/linux/fs.h | 5 + include/net/busy_poll.h | 2 +- include/net/kcm.h | 1 + include/uapi/linux/binfmts.h | 4 + ipc/util.c | 16 +- kernel/cgroup/cpuset.c | 13 +- kernel/time/hrtimer.c | 2 + lib/math/prime_numbers.c | 2 - mm/memcontrol.c | 7 +- net/bluetooth/bnep/core.c | 3 +- net/bluetooth/hci_core.c | 19 +- net/bluetooth/mgmt.c | 4 + net/bluetooth/smp.c | 146 +++++++------- net/core/net-sysfs.c | 2 +- net/ethtool/ioctl.c | 3 + net/ipv6/ip6_output.c | 2 + net/ipv6/ip6_tunnel.c | 12 +- net/iucv/iucv.c | 3 +- net/kcm/kcmsock.c | 4 + net/mac80211/agg-tx.c | 6 +- net/mac80211/driver-ops.c | 3 - net/mac80211/sta_info.c | 14 ++ net/mptcp/diag.c | 2 +- net/mptcp/protocol.c | 2 +- net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nft_counter.c | 5 + net/netlink/af_netlink.c | 13 +- net/rds/recv.c | 13 +- net/sched/sch_netem.c | 47 +++-- net/sunrpc/svc_xprt.c | 2 +- security/apparmor/policy_unpack_test.c | 6 +- security/selinux/avc.c | 2 +- sound/core/timer.c | 2 +- sound/pci/hda/patch_realtek.c | 1 - sound/usb/quirks-table.h | 1 + tools/include/linux/align.h | 12 ++ tools/include/linux/bitmap.h | 9 +- tools/testing/selftests/core/close_range_test.c | 35 ++++ tools/testing/selftests/tc-testing/tdc.py | 1 - 161 files changed, 1422 insertions(+), 597 deletions(-)

3 months, 3 weeks

7
164
0 0

[PATCH net] net: tighten bad gso csum offset check in virtio_net_hdr

by Willem de Bruijn

From: Willem de Bruijn <willemb(a)google.com> The referenced commit drops bad input, but has false positives. Tighten the check to avoid these. The check detects illegal checksum offload requests, which produce csum_start/csum_off beyond end of packet after segmentation. But it is based on two incorrect assumptions: 1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO. True in callers that inject into the tx path, such as tap. But false in callers that inject into rx, like virtio-net. Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal. 2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL. False, as tcp[46]_gso_segment will fix up csum_start and offset for all other ip_summed by calling __tcp_v4_send_check. Because of 2, we can limit the scope of the fix to virtio_net_hdr that do try to set these fields, with a bogus value. Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/ Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr") Signed-off-by: Willem de Bruijn <willemb(a)google.com> Cc: <stable(a)vger.kernel.net> --- Verified that the syzbot repro is still caught. An equivalent alternative would be to move the check for csum_offset to where the csum_start check is in segmentation: - if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb))) + if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb) || + skb->csum_offset != offsetof(struct tcphdr, check))) Cleaner, but messier stable backport. We'll need an equivalent patch to this for VIRTIO_NET_HDR_GSO_UDP_L4. But that csum_offset test was in a different commit, so different Fixes tag. --- include/linux/virtio_net.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 6c395a2600e8d..276ca543ef44d 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -173,7 +173,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, break; case SKB_GSO_TCPV4: case SKB_GSO_TCPV6: - if (skb->csum_offset != offsetof(struct tcphdr, check)) + if (skb->ip_summed == CHECKSUM_PARTIAL && + skb->csum_offset != offsetof(struct tcphdr, check)) return -EINVAL; break; } -- 2.46.0.598.g6f2099f65c-goog

3 months, 3 weeks

6
10
0 0

[PATCH v2 3/3] block: fix ordering between checking BLK_MQ_S_STOPPED and adding requests

by Muchun Song

Supposing first scenario with a virtio_blk driver. CPU0 CPU1 blk_mq_try_issue_directly() __blk_mq_issue_directly() q->mq_ops->queue_rq() virtio_queue_rq() blk_mq_stop_hw_queue() virtblk_done() blk_mq_request_bypass_insert() blk_mq_start_stopped_hw_queues() /* Add IO request to dispatch list */ 1) store blk_mq_start_stopped_hw_queue() clear_bit(BLK_MQ_S_STOPPED) 3) store blk_mq_run_hw_queue() blk_mq_run_hw_queue() if (!blk_mq_hctx_has_pending()) if (!blk_mq_hctx_has_pending()) 4) load return return blk_mq_sched_dispatch_requests() blk_mq_sched_dispatch_requests() if (blk_mq_hctx_stopped()) 2) load if (blk_mq_hctx_stopped()) return return __blk_mq_sched_dispatch_requests() __blk_mq_sched_dispatch_requests() Supposing another scenario. CPU0 CPU1 blk_mq_requeue_work() /* Add IO request to dispatch list */ 1) store virtblk_done() blk_mq_run_hw_queues()/blk_mq_delay_run_hw_queues() blk_mq_start_stopped_hw_queues() if (blk_mq_hctx_stopped()) 2) load blk_mq_start_stopped_hw_queue() continue clear_bit(BLK_MQ_S_STOPPED) 3) store blk_mq_run_hw_queue()/blk_mq_delay_run_hw_queue() blk_mq_run_hw_queue() if (!blk_mq_hctx_has_pending()) 4) load return blk_mq_sched_dispatch_requests() Both scenarios are similar, the full memory barrier should be inserted between 1) and 2), as well as between 3) and 4) to make sure that either CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list. Otherwise, either CPU will not rerun the hardware queue causing starvation of the request. The easy way to fix it is to add the essential full memory barrier into helper of blk_mq_hctx_stopped(). In order to not affect the fast path (hardware queue is not stopped most of the time), we only insert the barrier into the slow path. Actually, only slow path needs to care about missing of dispatching the request to the low-level device driver. Fixes: 320ae51feed5c ("blk-mq: new multi-queue block IO queueing mechanism") Cc: stable(a)vger.kernel.org Cc: Muchun Song <muchun.song(a)linux.dev> Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> --- block/blk-mq.c | 6 ++++++ block/blk-mq.h | 13 +++++++++++++ 2 files changed, 19 insertions(+) diff --git a/block/blk-mq.c b/block/blk-mq.c index ac39f2a346a52..48a6a437fba5e 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2413,6 +2413,12 @@ void blk_mq_start_stopped_hw_queue(struct blk_mq_hw_ctx *hctx, bool async) return; clear_bit(BLK_MQ_S_STOPPED, &hctx->state); + /* + * Pairs with the smp_mb() in blk_mq_hctx_stopped() to order the + * clearing of BLK_MQ_S_STOPPED above and the checking of dispatch + * list in the subsequent routine. + */ + smp_mb__after_atomic(); blk_mq_run_hw_queue(hctx, async); } EXPORT_SYMBOL_GPL(blk_mq_start_stopped_hw_queue); diff --git a/block/blk-mq.h b/block/blk-mq.h index 260beea8e332c..f36f3bff70d86 100644 --- a/block/blk-mq.h +++ b/block/blk-mq.h @@ -228,6 +228,19 @@ static inline struct blk_mq_tags *blk_mq_tags_from_data(struct blk_mq_alloc_data static inline bool blk_mq_hctx_stopped(struct blk_mq_hw_ctx *hctx) { + /* Fast path: hardware queue is not stopped most of the time. */ + if (likely(!test_bit(BLK_MQ_S_STOPPED, &hctx->state))) + return false; + + /* + * This barrier is used to order adding of dispatch list before and + * the test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier + * in blk_mq_start_stopped_hw_queue() so that dispatch code could + * either see BLK_MQ_S_STOPPED is cleared or dispatch list is not + * empty to avoid missing dispatching requests. + */ + smp_mb(); + return test_bit(BLK_MQ_S_STOPPED, &hctx->state); } -- 2.20.1

3 months, 3 weeks

4
3
0 0

[PATCH v2 1/3] block: fix missing dispatching request when queue is started or unquiesced

by Muchun Song

Supposing the following scenario with a virtio_blk driver. CPU0 CPU1 CPU2 blk_mq_try_issue_directly() __blk_mq_issue_directly() q->mq_ops->queue_rq() virtio_queue_rq() blk_mq_stop_hw_queue() blk_mq_try_issue_directly() virtblk_done() if (blk_mq_hctx_stopped()) blk_mq_request_bypass_insert() blk_mq_start_stopped_hw_queue() blk_mq_run_hw_queue() blk_mq_run_hw_queue() blk_mq_insert_request() return // Who is responsible for dispatching this IO request? After CPU0 has marked the queue as stopped, CPU1 will see the queue is stopped. But before CPU1 puts the request on the dispatch list, CPU2 receives the interrupt of completion of request, so it will run the hardware queue and marks the queue as non-stopped. Meanwhile, CPU1 also runs the same hardware queue. After both CPU1 and CPU2 complete blk_mq_run_hw_queue(), CPU1 just puts the request to the same hardware queue and returns. It misses dispatching a request. Fix it by running the hardware queue explicitly. And blk_mq_request_issue_directly() should handle a similar situation. Fix it as well. Fixes: d964f04a8fde8 ("blk-mq: fix direct issue") Cc: stable(a)vger.kernel.org Cc: Muchun Song <muchun.song(a)linux.dev> Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> --- block/blk-mq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/block/blk-mq.c b/block/blk-mq.c index e3c3c0c21b553..b2d0f22de0c7f 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2619,6 +2619,7 @@ static void blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx, if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { blk_mq_insert_request(rq, 0); + blk_mq_run_hw_queue(hctx, false); return; } @@ -2649,6 +2650,7 @@ static blk_status_t blk_mq_request_issue_directly(struct request *rq, bool last) if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { blk_mq_insert_request(rq, 0); + blk_mq_run_hw_queue(hctx, false); return BLK_STS_OK; } -- 2.20.1

3 months, 3 weeks

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024