April 2025 - Linux-stable-mirror

[PATCH] accel/ivpu: Increase state dump msg timeout

by Jacek Lawrynowicz

Increase JMS message state dump command timeout to 100 ms. On some platforms, the FW may take a bit longer than 50 ms to dump its state to the log buffer and we don't want to miss any debug info during TDR. Fixes: 5e162f872d7a ("accel/ivpu: Add FW state dump on TDR") Cc: <stable(a)vger.kernel.org> # v6.13+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_hw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_hw.c b/drivers/accel/ivpu/ivpu_hw.c index ec9a3629da3a9..633160470c939 100644 --- a/drivers/accel/ivpu/ivpu_hw.c +++ b/drivers/accel/ivpu/ivpu_hw.c @@ -119,7 +119,7 @@ static void timeouts_init(struct ivpu_device *vdev) else vdev->timeout.autosuspend = 100; vdev->timeout.d0i3_entry_msg = 5; - vdev->timeout.state_dump_msg = 10; + vdev->timeout.state_dump_msg = 100; } } -- 2.45.1

14 minutes

2
1
0 0

[PATCH 1/2] mm/userfaultfd: Fix uninitialized output field for -EAGAIN race

by Peter Xu

While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Cc: linux-stable <stable(a)vger.kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Signed-off-by: Peter Xu <peterx(a)redhat.com> --- fs/userfaultfd.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */ -- 2.48.1

56 minutes

3
3
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041737-impart-slacker-8722@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

1 hour, 8 minutes

2
1
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041736-abrasion-yonder-b301@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

1 hour, 11 minutes

2
1
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041734-deport-antennae-d763@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

1 hour, 14 minutes

2
1
0 0

[REGRESSION] 6.14.3 panic - kernel NULL pointer dereference in htb_dequeue

by Alan J. Wylie

#regzbot introduced: 6.14.2..6.14.3 Since 6.14.3 I have been seeing random panics, all in htb_dequeue. 6.14.2 was fine. One only happened 8 hours after the reboot, so bisecting would be prolonged, since I have no idea what is triggering the crash. I've captured three panics with netconsole. All are very similar. I've also included the script I use to initialise tc. As well as when the ppp over ethernet interface comes up, I also run this every 5 minutes as a cron job since my ADSL line can fluctuate between 22 and 30 Mb/s. However, from the timings of the last few lines in /var/log/messages before the crash, it doesn't seem that this is directly related. Finally, I've decoded the first panic. I'm more than happy to help with debugging, if necessary. The system is running up-to-date Gentoo. Linux version 6.14.3 (alan@bilbo) (gcc (Gentoo Hardened 14.2.1_p20241221 p7) 14.2.1 20241221, GNU ld (Gentoo 2.44 p1) 2.44.0) #20 SMP PREEMPT_DYNAMIC Sun Apr 20 21:18:54 BST 2025 Linux bilbo 6.14.3 #20 SMP PREEMPT_DYNAMIC Sun Apr 20 21:18:54 BST 2025 x86_64 AMD FX(tm)-4300 Quad-Core Processor AuthenticAMD GNU/Linux # equery -q list iproute2 sys-apps/iproute2-6.13.0 BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.14.3 #20 Tainted: [O]=OOT_MODULE Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./970A-DS3P, BIOS FD 02/26/2016 RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc90000003e50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811a764000 RCX: ffff88811a764180 RDX: ffff88835e4c6c00 RSI: ffff888162c998e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811a7642b0 R09: 00000000a535eebc R10: 0000000000000d09 R11: ffffc90000003ff8 R12: ffff88835e4c6c00 R13: ffff88811a7642b8 R14: 00001a951355b383 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001084b4000 CR4: 00000000000406f0 Call Trace: <IRQ> htb_dequeue+0x42f/0x610 [sch_htb] __qdisc_run+0x253/0x480 ? timerqueue_del+0x2c/0x40 qdisc_run+0x15/0x30 net_tx_action+0x182/0x1b0 handle_softirqs+0x102/0x240 __irq_exit_rcu+0x3e/0xb0 sysvec_apic_timer_interrupt+0x5b/0x70 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x126/0x220 Code: 18 4c 6f 00 85 c0 7e 0b 8b 73 04 83 cf ff e8 a1 22 e5 ff 31 ff e8 9a 2e 98 ff 45 84 ff 74 07 31 ff e8 0e 58 9d ff fb 45 85 ed <0f> 88 cc 00 00 00 49 63 c5 48 8b 3c 24 48 6b c8 68 48 6b d0 30 49 RSP: 0018:ffffffff81e03e40 EFLAGS: 00000202 RAX: ffff88842ec00000 RBX: ffff8881008d9400 RCX: 0000000000000000 RDX: 00001a94d9502071 RSI: fffffffbb3498394 RDI: 0000000000000000 RBP: 0000000000000002 R08: 0000000000000002 R09: 00001a94d7bd7640 R10: 0000000000000006 R11: 0000000000000020 R12: ffffffff81f98280 R13: 0000000000000002 R14: 00001a94d9502071 R15: 0000000000000000 cpuidle_enter+0x2a/0x40 do_idle+0x12d/0x1a0 cpu_startup_entry+0x29/0x30 rest_init+0xbc/0xc0 start_kernel+0x630/0x630 x86_64_start_reservations+0x25/0x30 x86_64_start_kernel+0x73/0x80 common_startup_64+0x12c/0x138 </TASK> Modules linked in: udp_diag netconsole sch_htb cls_u32 sch_ingress sch_cake ifb act_mirred xt_hl xt_nat ts_bm xt_string xt_TARPIT(O) xt_CT xt_tcpudp xt_helper nf_nat_ftp nf_conntrack_ftp ip6t_rt ip6table_nat xt_MASQUERADE iptable_nat nf_nat xt_TCPMSS xt_LOG nf_log_syslog ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 ip6table_raw iptable_raw ip6table_mangle iptable_mangle xt_multiport xt_state xt_limit xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter ip6_tables iptable_filter ip_tables x_tables tun pppoe binfmt_misc pppox ppp_generic slhc af_packet bridge stp llc ctr ccm dm_crypt radeon drm_client_lib video wmi drm_exec drm_suballoc_helper ath9k drm_ttm_helper syscopyarea ttm sysfillrect ath9k_common sysimgblt ath9k_hw fb_sys_fops drm_display_helper drm_kms_helper ath mac80211 agpgart pl2303 snd_hda_codec_realtek cfbfillrect snd_hda_codec_generic usbserial snd_hda_codec_hdmi snd_hda_scodec_component cfbimgblt snd_hda_intel fb_io_fops snd_intel_dspcfg cfbcopyarea snd_hda_codec i2c_algo_bit fb snd_hda_core aesni_intel cfg80211 cdc_acm snd_pcm crypto_simd font snd_timer cryptd snd at24 e1000 regmap_i2c acpi_cpufreq libarc4 soundcore k10temp fam15h_power evdev nfsd sch_fq_codel auth_rpcgss lockd grace drm sunrpc drm_panel_orientation_quirks fuse backlight configfs loop nfnetlink usbhid ohci_pci xhci_pci xhci_hcd ohci_hcd ehci_pci ehci_hcd sha512_ssse3 usbcore sha256_ssse3 sha1_ssse3 sha1_generic gf128mul usb_common dm_mirror dm_region_hash dm_log cpuid i2c_piix4 i2c_smbus i2c_dev i2c_core it87 hwmon_vid msr dmi_sysfs autofs4 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc90000003e50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811a764000 RCX: ffff88811a764180 RDX: ffff88835e4c6c00 RSI: ffff888162c998e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811a7642b0 R09: 00000000a535eebc R10: 0000000000000d09 R11: ffffc90000003ff8 R12: ffff88835e4c6c00 R13: ffff88811a7642b8 R14: 00001a951355b383 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001084b4000 CR4: 00000000000406f0 Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: disabled ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1062b1067 P4D 1062b1067 PUD 1062ae067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G O 6.14.3 #20 Tainted: [O]=OOT_MODULE Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./970A-DS3P, BIOS FD 02/26/2016 RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc9000010ce50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88812106e000 RCX: ffff88812106e180 RDX: ffff888129726c00 RSI: ffff888106a052e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88812106e2b0 R09: 0000000036705a4e R10: 0000000000000d03 R11: ffffc9000010cff8 R12: ffff888129726c00 R13: ffff88812106e2b8 R14: 000000d9fd03fce6 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000112716000 CR4: 00000000000406f0 Call Trace: <IRQ> htb_dequeue+0x42f/0x610 [sch_htb] __qdisc_run+0x253/0x480 ? timerqueue_del+0x2c/0x40 qdisc_run+0x15/0x30 net_tx_action+0x182/0x1b0 handle_softirqs+0x102/0x240 __irq_exit_rcu+0x3e/0xb0 sysvec_apic_timer_interrupt+0x5b/0x70 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:acpi_safe_halt+0x22/0x30 Code: 0f 1f 84 00 00 00 00 00 65 48 8b 05 b8 38 71 7e 48 8b 00 a8 08 75 14 8b 05 a3 92 bb 00 85 c0 7e 07 0f 00 2d 20 4f 15 00 fb f4 <fa> e9 18 77 00 00 0f 1f 84 00 00 00 00 00 8a 47 08 3c 01 75 05 e9 RSP: 0018:ffffc900000c7e80 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88842ec80000 RDX: ffff888100ddd464 RSI: ffff888100ddd400 RDI: ffff888100ddd464 RBP: 0000000000000001 R08: 0000000000000001 R09: 071c71c71c71c71c R10: 0000000000000006 R11: 0000000000000020 R12: ffffffff81f98280 R13: ffffffff81f982e8 R14: ffffffff81f98300 R15: 0000000000000000 acpi_idle_enter+0x8f/0xa0 cpuidle_enter_state+0xb3/0x220 cpuidle_enter+0x2a/0x40 do_idle+0x12d/0x1a0 cpu_startup_entry+0x29/0x30 start_secondary+0xed/0xf0 common_startup_64+0x12c/0x138 </TASK> Modules linked in: netconsole sch_htb cls_u32 sch_ingress sch_cake ifb act_mirred xt_hl xt_nat ts_bm xt_string xt_TARPIT(O) xt_CT xt_tcpudp xt_helper nf_nat_ftp nf_conntrack_ftp ip6t_rt ip6table_nat xt_MASQUERADE iptable_nat nf_nat xt_TCPMSS xt_LOG nf_log_syslog ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 ip6table_raw iptable_raw ip6table_mangle iptable_mangle xt_multiport xt_state xt_limit xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter ip6_tables iptable_filter ip_tables x_tables tun pppoe pppox binfmt_misc ppp_generic slhc af_packet bridge stp llc ctr ccm dm_crypt radeon drm_client_lib ath9k video wmi drm_exec ath9k_common drm_suballoc_helper ath9k_hw drm_ttm_helper syscopyarea ttm sysfillrect sysimgblt ath pl2303 snd_hda_codec_realtek fb_sys_fops snd_hda_codec_generic usbserial mac80211 drm_display_helper snd_hda_codec_hdmi snd_hda_scodec_component drm_kms_helper snd_hda_intel snd_intel_dspcfg snd_hda_codec agpgart cfbfillrect snd_hda_core cfbimgblt fb_io_fops aesni_intel snd_pcm cfg80211 e1000 cfbcopyarea i2c_algo_bit cdc_acm fb crypto_simd snd_timer snd cryptd acpi_cpufreq at24 font fam15h_power libarc4 soundcore k10temp regmap_i2c evdev nfsd sch_fq_codel auth_rpcgss lockd drm grace sunrpc drm_panel_orientation_quirks fuse backlight configfs loop nfnetlink usbhid xhci_pci ohci_pci xhci_hcd ohci_hcd ehci_pci ehci_hcd usbcore sha512_ssse3 sha256_ssse3 sha1_ssse3 sha1_generic gf128mul usb_common dm_mirror dm_region_hash dm_log cpuid i2c_piix4 i2c_smbus i2c_dev i2c_core it87 hwmon_vid msr dmi_sysfs autofs4 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc9000010ce50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88812106e000 RCX: ffff88812106e180 RDX: ffff888129726c00 RSI: ffff888106a052e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88812106e2b0 R09: 0000000036705a4e R10: 0000000000000d03 R11: ffffc9000010cff8 R12: ffff888129726c00 R13: ffff88812106e2b8 R14: 000000d9fd03fce6 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000112716000 CR4: 00000000000406f0 Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: disabled ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G O 6.14.3 #20 Tainted: [O]=OOT_MODULE Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./970A-DS3P, BIOS FD 02/26/2016 RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc9000010ce50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811899d000 RCX: ffff88811899d180 RDX: ffff8881845f2800 RSI: ffff8881069b7ae8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811899d2b0 R09: 000000002997d2aa R10: 0000000000003fbf R11: ffffc9000010cff8 R12: ffff8881845f2800 R13: ffff88811899d2b8 R14: 000000a69ae56401 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000103c80000 CR4: 00000000000406f0 Call Trace: <IRQ> htb_dequeue+0x42f/0x610 [sch_htb] __qdisc_run+0x253/0x480 ? timerqueue_del+0x2c/0x40 qdisc_run+0x15/0x30 net_tx_action+0x182/0x1b0 handle_softirqs+0x102/0x240 __irq_exit_rcu+0x3e/0xb0 sysvec_apic_timer_interrupt+0x5b/0x70 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x126/0x220 Code: 18 4c 6f 00 85 c0 7e 0b 8b 73 04 83 cf ff e8 a1 22 e5 ff 31 ff e8 9a 2e 98 ff 45 84 ff 74 07 31 ff e8 0e 58 9d ff fb 45 85 ed <0f> 88 cc 00 00 00 49 63 c5 48 8b 3c 24 48 6b c8 68 48 6b d0 30 49 RSP: 0018:ffffc900000c7e98 EFLAGS: 00000202 RAX: ffff88842ec80000 RBX: ffff888101d7f800 RCX: 0000000000000000 RDX: 000000a6607c6802 RSI: fffffffc350c4254 RDI: 0000000000000000 RBP: 0000000000000002 R08: 0000000000000002 R09: 000000e8ec11c440 R10: 0000000000000006 R11: 0000000000000020 R12: ffffffff81f98280 R13: 0000000000000002 R14: 000000a6607c6802 R15: 0000000000000000 ? cpuidle_enter_state+0x116/0x220 cpuidle_enter+0x2a/0x40 do_idle+0x12d/0x1a0 cpu_startup_entry+0x29/0x30 start_secondary+0xed/0xf0 common_startup_64+0x12c/0x138 </TASK> Modules linked in: sch_htb cls_u32 sch_ingress sch_cake ifb act_mirred xt_hl xt_nat ts_bm xt_string xt_TARPIT(O) xt_CT xt_tcpudp xt_helper nf_nat_ftp nf_conntrack_ftp ip6t_rt ip6table_nat xt_MASQUERADE iptable_nat nf_nat xt_TCPMSS xt_LOG nf_log_syslog ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 ip6table_raw iptable_raw ip6table_mangle iptable_mangle xt_multiport xt_state xt_limit xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter ip6_tables iptable_filter ip_tables x_tables pppoe tun pppox binfmt_misc ppp_generic slhc netconsole af_packet bridge stp llc ctr ccm dm_crypt radeon drm_client_lib video wmi drm_exec ath9k drm_suballoc_helper drm_ttm_helper syscopyarea ttm ath9k_common ath9k_hw sysfillrect sysimgblt fb_sys_fops drm_display_helper ath pl2303 drm_kms_helper usbserial mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi agpgart snd_hda_scodec_component cfbfillrect snd_hda_intel cfbimgblt snd_intel_dspcfg snd_hda_codec fb_io_fops snd_hda_core cfbcopyarea aesni_intel i2c_algo_bit cfg80211 snd_pcm fb snd_timer e1000 snd crypto_simd cdc_acm cryptd at24 font acpi_cpufreq libarc4 soundcore fam15h_power regmap_i2c k10temp evdev nfsd sch_fq_codel auth_rpcgss lockd grace sunrpc drm fuse configfs drm_panel_orientation_quirks backlight loop nfnetlink usbhid xhci_pci ohci_pci xhci_hcd ohci_hcd ehci_pci ehci_hcd sha512_ssse3 sha256_ssse3 usbcore sha1_ssse3 sha1_generic gf128mul usb_common dm_mirror dm_region_hash dm_log cpuid i2c_piix4 i2c_smbus i2c_dev i2c_core it87 hwmon_vid msr dmi_sysfs autofs4 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:rb_next+0x0/0x50 Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b RSP: 0018:ffffc9000010ce50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811899d000 RCX: ffff88811899d180 RDX: ffff8881845f2800 RSI: ffff8881069b7ae8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811899d2b0 R09: 000000002997d2aa R10: 0000000000003fbf R11: ffffc9000010cff8 R12: ffff8881845f2800 R13: ffff88811899d2b8 R14: 000000a69ae56401 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000103c80000 CR4: 00000000000406f0 Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: disabled ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- #!/bin/bash # https://www.bufferbloat.net/projects/codel/wiki/Cake/#installing-cake-out-o… # https://trofi.github.io/posts/217-mitigating%20bufferbloat.html #set -x set -o nounset set -o errexit export PATH=/sbin:/bin:/usr/sbin:/usr/bin ext=ppp0 ext_ingress=ppp0ifb0 # [query ADSL modem for up and down rates] echo -e "pppd pppoe UP $UP DN $DN" | systemd-cat -t traffic-control ext_up=$((UP * 95 / 100))kbit ext_down=$((DN * 95 / 100))kbit # below taken from https://wiki.gentoo.org/wiki/Traffic_shaping q=1486 # HTB Quantum = 1500bytes IP + 14 bytes ethernet. # Higher bandwidths may require a higher htb quantum. MEASURE. # Some ADSL devices might require a stab setting. quantum=300 # fq_codel quantum 300 gives a boost to interactive flows # At higher bandwidths (50Mbit+) don't bother modprobe act_mirred modprobe ifb modprobe sch_cake modprobe sch_fq_codel ethtool -K "$ext" tso off gso off gro off # Also turn of gro on ALL interfaces # e.g ethtool -K eth1 gro off if you have eth1 # some devices you may need to run these # commands independently # Clear old queuing disciplines (qdisc) on the interfaces tc qdisc del dev "$ext" root >& /dev/null || true tc qdisc del dev "$ext" ingress >& /dev/null || true tc qdisc del dev "$ext_ingress" root >& /dev/null || true tc qdisc del dev "$ext_ingress" ingress >& /dev/null || true ip link del "$ext_ingress" >& /dev/null || true ######### # INGRESS ######### # Create ingress on external interface tc qdisc add dev "$ext" handle ffff: ingress ip link add name "$ext_ingress" type ifb ip link set dev "$ext_ingress" up || true # if the interace is not up bad things happen # Forward all ingress traffic to the IFB device tc filter add dev "$ext" parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev "$ext_ingress" # Create an EGRESS filter on the IFB device # Warning: sch_htb: quantum of class 10001 is big. Consider r2q change # https://web.archive.org/web/20030514055053/http://www.docum.org/stef.coene/… # default r2q is 10 # since up ADSL rate went from 24.4 Mb/s to 26.8 Mb/s, "r2q 15" started giving a "too big" error # up it to 20, now OK again tc qdisc add dev "$ext_ingress" root handle 1: htb default 11 r2q 20 # Add root class HTB with rate limiting tc class add dev "$ext_ingress" parent 1: classid 1:1 htb rate $ext_down #|& grep -v "Consider r2q change" || true tc class add dev "$ext_ingress" parent 1:1 classid 1:11 htb rate $ext_down prio 0 quantum $q # Add FQ_CODEL qdisc with ECN support (if you want ecn) tc qdisc add dev "$ext_ingress" parent 1:11 fq_codel quantum $quantum ecn ######### # EGRESS ######### # Add FQ_CODEL to EGRESS on external interface tc qdisc add dev "$ext" root handle 1: htb default 11 # Add root class HTB with rate limiting tc class add dev "$ext" parent 1: classid 1:1 htb rate $ext_up tc class add dev "$ext" parent 1:1 classid 1:11 htb rate $ext_up prio 0 quantum $q # Note: You can apply a packet limit here and on ingress if you are memory constrained - e.g # for low bandwidths and machines with < 64MB of ram, limit 1000 is good, otherwise no point # Add FQ_CODEL qdisc without ECN support - on egress it's generally better to just drop the packet # but feel free to enable it if you want. tc qdisc add dev "$ext" parent 1:11 fq_codel quantum $quantum noecn $ cat ~/1.panic | scripts/decode_stacktrace.sh vmlinux BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.14.3 #20 Tainted: [O]=OOT_MODULE Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./970A-DS3P, BIOS FD 02/26/2016 RIP: 0010:rb_next (lib/rbtree.c:496) Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b All code ======== 0: e8 d5 fa ff ff call 0xfffffffffffffada 5: 5b pop %rbx 6: 4c 89 e0 mov %r12,%rax 9: 5d pop %rbp a: 41 5c pop %r12 c: 41 5d pop %r13 e: 41 5e pop %r14 10: e9 85 73 01 00 jmp 0x1739a 15: 5b pop %rbx 16: 5d pop %rbp 17: 41 5c pop %r12 19: 41 5d pop %r13 1b: 41 5e pop %r14 1d: e9 38 76 01 00 jmp 0x1765a 22: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 29: 00 2a:* 48 3b 3f cmp (%rdi),%rdi <-- trapping instruction 2d: 48 89 f8 mov %rdi,%rax 30: 74 38 je 0x6a 32: 48 8b 57 08 mov 0x8(%rdi),%rdx 36: 48 85 d2 test %rdx,%rdx 39: 74 11 je 0x4c 3b: 48 89 d0 mov %rdx,%rax 3e: 48 rex.W 3f: 8b .byte 0x8b Code starting with the faulting instruction =========================================== 0: 48 3b 3f cmp (%rdi),%rdi 3: 48 89 f8 mov %rdi,%rax 6: 74 38 je 0x40 8: 48 8b 57 08 mov 0x8(%rdi),%rdx c: 48 85 d2 test %rdx,%rdx f: 74 11 je 0x22 11: 48 89 d0 mov %rdx,%rax 14: 48 rex.W 15: 8b .byte 0x8b RSP: 0018:ffffc90000003e50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811a764000 RCX: ffff88811a764180 RDX: ffff88835e4c6c00 RSI: ffff888162c998e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811a7642b0 R09: 00000000a535eebc R10: 0000000000000d09 R11: ffffc90000003ff8 R12: ffff88835e4c6c00 R13: ffff88811a7642b8 R14: 00001a951355b383 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001084b4000 CR4: 00000000000406f0 Call Trace: <IRQ> htb_dequeue (net/sched/sch_htb.c:351 (discriminator 1) net/sched/sch_htb.c:924 (discriminator 1) net/sched/sch_htb.c:982 (discriminator 1)) sch_htb __qdisc_run (net/sched/sch_generic.c:294 net/sched/sch_generic.c:398 net/sched/sch_generic.c:416) ? timerqueue_del (lib/timerqueue.c:58) qdisc_run (./include/net/pkt_sched.h:128 ./include/net/pkt_sched.h:124) net_tx_action (net/core/dev.c:5553) handle_softirqs (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/jump_label.h:262 ./include/trace/events/irq.h:142 kernel/softirq.c:562) __irq_exit_rcu (kernel/softirq.c:435 kernel/softirq.c:662) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 (discriminator 35) arch/x86/kernel/apic/apic.c:1049 (discriminator 35)) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:574) RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:292) Code: 18 4c 6f 00 85 c0 7e 0b 8b 73 04 83 cf ff e8 a1 22 e5 ff 31 ff e8 9a 2e 98 ff 45 84 ff 74 07 31 ff e8 0e 58 9d ff fb 45 85 ed <0f> 88 cc 00 00 00 49 63 c5 48 8b 3c 24 48 6b c8 68 48 6b d0 30 49 All code ======== 0: 18 4c 6f 00 sbb %cl,0x0(%rdi,%rbp,2) 4: 85 c0 test %eax,%eax 6: 7e 0b jle 0x13 8: 8b 73 04 mov 0x4(%rbx),%esi b: 83 cf ff or $0xffffffff,%edi e: e8 a1 22 e5 ff call 0xffffffffffe522b4 13: 31 ff xor %edi,%edi 15: e8 9a 2e 98 ff call 0xffffffffff982eb4 1a: 45 84 ff test %r15b,%r15b 1d: 74 07 je 0x26 1f: 31 ff xor %edi,%edi 21: e8 0e 58 9d ff call 0xffffffffff9d5834 26: fb sti 27: 45 85 ed test %r13d,%r13d 2a:* 0f 88 cc 00 00 00 js 0xfc <-- trapping instruction 30: 49 63 c5 movslq %r13d,%rax 33: 48 8b 3c 24 mov (%rsp),%rdi 37: 48 6b c8 68 imul $0x68,%rax,%rcx 3b: 48 6b d0 30 imul $0x30,%rax,%rdx 3f: 49 rex.WB Code starting with the faulting instruction =========================================== 0: 0f 88 cc 00 00 00 js 0xd2 6: 49 63 c5 movslq %r13d,%rax 9: 48 8b 3c 24 mov (%rsp),%rdi d: 48 6b c8 68 imul $0x68,%rax,%rcx 11: 48 6b d0 30 imul $0x30,%rax,%rdx 15: 49 rex.WB RSP: 0018:ffffffff81e03e40 EFLAGS: 00000202 RAX: ffff88842ec00000 RBX: ffff8881008d9400 RCX: 0000000000000000 RDX: 00001a94d9502071 RSI: fffffffbb3498394 RDI: 0000000000000000 RBP: 0000000000000002 R08: 0000000000000002 R09: 00001a94d7bd7640 R10: 0000000000000006 R11: 0000000000000020 R12: ffffffff81f98280 R13: 0000000000000002 R14: 00001a94d9502071 R15: 0000000000000000 cpuidle_enter (drivers/cpuidle/cpuidle.c:391 (discriminator 2)) do_idle (kernel/sched/idle.c:234 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422) rest_init (init/main.c:743) start_kernel (init/main.c:1525) x86_64_start_reservations (arch/x86/kernel/head64.c:513) x86_64_start_kernel (??:?) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: udp_diag netconsole sch_htb cls_u32 sch_ingress sch_cake ifb act_mirred xt_hl xt_nat ts_bm xt_string xt_TARPIT(O) xt_CT xt_tcpudp xt_helper nf_nat_ftp nf_conntrack_ftp ip6t_rt ip6table_nat xt_MASQUERADE iptable_nat nf_nat xt_TCPMSS xt_LOG nf_log_syslog ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 ip6table_raw iptable_raw ip6table_mangle iptable_mangle xt_multiport xt_state xt_limit xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter ip6_tables iptable_filter ip_tables x_tables tun pppoe binfmt_misc pppox ppp_generic slhc af_packet bridge stp llc ctr ccm dm_crypt radeon drm_client_lib video wmi drm_exec drm_suballoc_helper ath9k drm_ttm_helper syscopyarea ttm sysfillrect ath9k_common sysimgblt ath9k_hw fb_sys_fops drm_display_helper drm_kms_helper ath mac80211 agpgart pl2303 snd_hda_codec_realtek cfbfillrect snd_hda_codec_generic usbserial snd_hda_codec_hdmi snd_hda_scodec_component cfbimgblt snd_hda_intel fb_io_fops snd_intel_dspcfg cfbcopyarea snd_hda_codec i2c_algo_bit fb snd_hda_core aesni_intel cfg80211 cdc_acm snd_pcm crypto_simd font snd_timer cryptd snd at24 e1000 regmap_i2c acpi_cpufreq libarc4 soundcore k10temp fam15h_power evdev nfsd sch_fq_codel auth_rpcgss lockd grace drm sunrpc drm_panel_orientation_quirks fuse backlight configfs loop nfnetlink usbhid ohci_pci xhci_pci xhci_hcd ohci_hcd ehci_pci ehci_hcd sha512_ssse3 usbcore sha256_ssse3 sha1_ssse3 sha1_generic gf128mul usb_common dm_mirror dm_region_hash dm_log cpuid i2c_piix4 i2c_smbus i2c_dev i2c_core it87 hwmon_vid msr dmi_sysfs autofs4 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:rb_next (lib/rbtree.c:496) Code: e8 d5 fa ff ff 5b 4c 89 e0 5d 41 5c 41 5d 41 5e e9 85 73 01 00 5b 5d 41 5c 41 5d 41 5e e9 38 76 01 00 0f 1f 84 00 00 00 00 00 <48> 3b 3f 48 89 f8 74 38 48 8b 57 08 48 85 d2 74 11 48 89 d0 48 8b All code ======== 0: e8 d5 fa ff ff call 0xfffffffffffffada 5: 5b pop %rbx 6: 4c 89 e0 mov %r12,%rax 9: 5d pop %rbp a: 41 5c pop %r12 c: 41 5d pop %r13 e: 41 5e pop %r14 10: e9 85 73 01 00 jmp 0x1739a 15: 5b pop %rbx 16: 5d pop %rbp 17: 41 5c pop %r12 19: 41 5d pop %r13 1b: 41 5e pop %r14 1d: e9 38 76 01 00 jmp 0x1765a 22: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 29: 00 2a:* 48 3b 3f cmp (%rdi),%rdi <-- trapping instruction 2d: 48 89 f8 mov %rdi,%rax 30: 74 38 je 0x6a 32: 48 8b 57 08 mov 0x8(%rdi),%rdx 36: 48 85 d2 test %rdx,%rdx 39: 74 11 je 0x4c 3b: 48 89 d0 mov %rdx,%rax 3e: 48 rex.W 3f: 8b .byte 0x8b Code starting with the faulting instruction =========================================== 0: 48 3b 3f cmp (%rdi),%rdi 3: 48 89 f8 mov %rdi,%rax 6: 74 38 je 0x40 8: 48 8b 57 08 mov 0x8(%rdi),%rdx c: 48 85 d2 test %rdx,%rdx f: 74 11 je 0x22 11: 48 89 d0 mov %rdx,%rax 14: 48 rex.W 15: 8b .byte 0x8b RSP: 0018:ffffc90000003e50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811a764000 RCX: ffff88811a764180 RDX: ffff88835e4c6c00 RSI: ffff888162c998e8 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff88811a7642b0 R09: 00000000a535eebc R10: 0000000000000d09 R11: ffffc90000003ff8 R12: ffff88835e4c6c00 R13: ffff88811a7642b8 R14: 00001a951355b383 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88842ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001084b4000 CR4: 00000000000406f0 Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: disabled ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- $ -- Alan J. Wylie https://www.wylie.me.uk/ mailto:<alan(a)wylie.me.uk> Dance like no-one's watching. / Encrypt like everyone is. Security is inversely proportional to convenience

1 hour, 15 minutes

3
15
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041733-cosmetics-brigade-9ed7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

1 hour, 22 minutes

2
1
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041731-release-charity-8e70@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

1 hour, 24 minutes

2
1
0 0

Potential Linux Crash: possible deadlock in udf_page_mkwrite in linux6.12.24(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " possible deadlock in udf_page_mkwrite " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: possible deadlock in udf_page_mkwrite ------------[ cut here ]------------ ====================================================== WARNING: possible circular locking dependency detected 6.12.24 #3 Not tainted ------------------------------------------------------ syz.6.870/18445 is trying to acquire lock: ffff888053607700 (mapping.invalidate_lock#4){++++}-{3:3}, at: filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] ffff888053607700 (mapping.invalidate_lock#4){++++}-{3:3}, at: udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 but task is already holding lock: ffff888044124518 (sb_pagefaults#2){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #9 (sb_pagefaults#2){.+.+}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] __sb_start_write include/linux/fs.h:1716 [inline] sb_start_pagefault include/linux/fs.h:1881 [inline] udf_page_mkwrite+0x18b/0xa20 fs/udf/file.c:48 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 -> #8 (&vma->vm_lock->lock){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 vma_start_write include/linux/mm.h:757 [inline] vma_link+0x268/0x490 mm/vma.c:1604 insert_vm_struct+0x197/0x3f0 mm/mmap.c:2011 __bprm_mm_init fs/exec.c:289 [inline] bprm_mm_init fs/exec.c:393 [inline] alloc_bprm+0x6d1/0xd30 fs/exec.c:1578 kernel_execve+0xb0/0x3d0 fs/exec.c:2010 try_to_run_init_process init/main.c:1397 [inline] kernel_init+0x154/0x2d0 init/main.c:1525 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #7 (&mm->mmap_lock){++++}-{3:3}: __might_fault mm/memory.c:6719 [inline] __might_fault+0x118/0x190 mm/memory.c:6713 _inline_copy_from_user include/linux/uaccess.h:162 [inline] _copy_from_user+0x2b/0xd0 lib/usercopy.c:18 copy_from_user include/linux/uaccess.h:212 [inline] __blk_trace_setup+0x96/0x180 kernel/trace/blktrace.c:626 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #6 (&q->debugfs_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 blk_mq_init_sched+0x436/0x650 block/blk-mq-sched.c:473 elevator_init_mq+0x2cc/0x420 block/elevator.c:610 device_add_disk+0x10e/0x12f0 block/genhd.c:411 sd_probe+0xa0e/0xf80 drivers/scsi/sd.c:4024 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #5 (&q->q_usage_counter(queue)#51){++++}-{0:0}: blk_queue_enter+0x4d0/0x600 block/blk-core.c:328 blk_mq_alloc_request+0x422/0x9c0 block/blk-mq.c:680 scsi_alloc_request drivers/scsi/scsi_lib.c:1227 [inline] scsi_execute_cmd+0x1fe/0xf20 drivers/scsi/scsi_lib.c:304 read_capacity_16+0x1f2/0xe60 drivers/scsi/sd.c:2655 sd_read_capacity drivers/scsi/sd.c:2824 [inline] sd_revalidate_disk.isra.0+0x1989/0xa440 drivers/scsi/sd.c:3734 sd_probe+0x887/0xf80 drivers/scsi/sd.c:4010 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #4 (&q->limits_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 queue_limits_start_update include/linux/blkdev.h:935 [inline] loop_reconfigure_limits+0x1f2/0x960 drivers/block/loop.c:1004 loop_set_block_size drivers/block/loop.c:1474 [inline] lo_simple_ioctl drivers/block/loop.c:1497 [inline] lo_ioctl+0xb92/0x1870 drivers/block/loop.c:1560 blkdev_ioctl+0x27b/0x6c0 block/ioctl.c:693 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #3 (&q->q_usage_counter(io)#19){++++}-{0:0}: bio_queue_enter block/blk.h:76 [inline] blk_mq_submit_bio+0x2167/0x2b70 block/blk-mq.c:3090 __submit_bio+0x399/0x630 block/blk-core.c:629 __submit_bio_noacct_mq block/blk-core.c:716 [inline] submit_bio_noacct_nocheck+0x6c3/0xd00 block/blk-core.c:745 submit_bio_noacct+0x57a/0x1fa0 block/blk-core.c:868 submit_bh fs/buffer.c:2824 [inline] __bread_slow fs/buffer.c:1270 [inline] __bread_gfp+0x189/0x340 fs/buffer.c:1494 sb_bread include/linux/buffer_head.h:346 [inline] read_block_bitmap fs/udf/balloc.c:43 [inline] load_block_bitmap+0x1ff/0x570 fs/udf/balloc.c:99 udf_bitmap_free_blocks fs/udf/balloc.c:150 [inline] udf_free_blocks+0x57c/0x10a0 fs/udf/balloc.c:674 udf_evict_inode+0x34c/0x590 fs/udf/inode.c:163 evict+0x3ef/0x940 fs/inode.c:725 iput_final fs/inode.c:1877 [inline] iput fs/inode.c:1903 [inline] iput+0x511/0x7f0 fs/inode.c:1889 do_unlinkat+0x58f/0x710 fs/namei.c:4540 __do_sys_unlink fs/namei.c:4581 [inline] __se_sys_unlink fs/namei.c:4579 [inline] __x64_sys_unlink+0xc7/0x110 fs/namei.c:4579 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #2 (&sbi->s_alloc_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 udf_bitmap_new_block fs/udf/balloc.c:236 [inline] udf_new_block+0x7e2/0x1750 fs/udf/balloc.c:721 inode_getblk+0xe88/0x3bb0 fs/udf/inode.c:895 udf_map_block+0x2e3/0x5a0 fs/udf/inode.c:447 __udf_get_block+0x9c/0x340 fs/udf/inode.c:461 __block_write_begin_int+0x4e5/0x1670 fs/buffer.c:2121 block_write_begin+0x9a/0x1d0 fs/buffer.c:2231 udf_write_begin+0x1bc/0x280 fs/udf/inode.c:256 generic_perform_write+0x2bd/0x900 mm/filemap.c:4065 __generic_file_write_iter+0x1f6/0x240 mm/filemap.c:4166 udf_file_write_iter+0x233/0x740 fs/udf/file.c:111 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (&ei->i_data_sem#2){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 udf_expand_file_adinicb+0x174/0x970 fs/udf/inode.c:363 udf_setsize+0x4b2/0x10f0 fs/udf/inode.c:1289 udf_setattr+0x523/0x6c0 fs/udf/file.c:236 notify_change+0x6d3/0x1280 fs/attr.c:503 do_truncate+0x143/0x200 fs/open.c:65 vfs_truncate+0x3e3/0x4c0 fs/open.c:111 do_sys_truncate.part.0+0xf7/0x140 fs/open.c:134 do_sys_truncate fs/open.c:128 [inline] __do_sys_truncate fs/open.c:146 [inline] __se_sys_truncate fs/open.c:144 [inline] __x64_sys_truncate+0x6d/0xa0 fs/open.c:144 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (mapping.invalidate_lock#4){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 other info that might help us debug this: Chain exists of: mapping.invalidate_lock#4 --> &vma->vm_lock->lock --> sb_pagefaults#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_pagefaults#2); lock(&vma->vm_lock->lock); lock(sb_pagefaults#2); rlock(mapping.invalidate_lock#4); *** DEADLOCK *** 2 locks held by syz.6.870/18445: #0: ffff888050dbed18 (&vma->vm_lock->lock){++++}-{3:3}, at: vma_start_read include/linux/mm.h:704 [inline] #0: ffff888050dbed18 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x141/0x9a0 mm/memory.c:6247 #1: ffff888044124518 (sb_pagefaults#2){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 stack backtrace: CPU: 0 UID: 0 PID: 18445 Comm: syz.6.870 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_circular_bug+0x406/0x5c0 kernel/locking/lockdep.c:2074 check_noncircular+0x2f7/0x3e0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7fc9b0c4f002 Code: f0 48 8b 54 24 f0 8b 8a 80 00 00 00 8b 82 04 01 00 00 21 c8 83 c1 01 c1 e0 04 48 8b b4 02 40 01 00 00 48 8b 84 02 48 01 00 00 <89> 8a 80 00 00 00 48 81 fe 45 23 01 00 74 09 48 81 fe 56 34 02 00 RSP: 002b:00007fc9b1c9af88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00007fc9b0fe6080 RCX: 0000000000000001 RDX: 0000200000ff9000 RSI: 0000000000000000 RDI: 0000200000ff9000 RBP: 00007fc9b0e46d56 R08: 0000000000000000 R09: 0000000000000000 R10: 0000200000ff9000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fc9b0fe6080 R15: 00007fc9b1c7b000 </TASK> ================================================================== I hope it helps. Best regards Jianzhou Zhao

1 hour, 51 minutes

1
0
0 0

[linux-6.6.y bugreport] riscv: kprobe crash as some patchs lost

by Kai Zhang

In most recent linux-6.6.y tree, `arch/riscv/kernel/probes/kprobes.c::arch_prepare_ss_slot` still has the obsolete code: u32 insn = __BUG_INSN_32; unsigned long offset = GET_INSN_LENGTH(p->opcode); p->ainsn.api.restore = (unsigned long)p->addr + offset; patch_text_nosync(p->ainsn.api.insn, &p->opcode, 1); patch_text_nosync((void *)p->ainsn.api.insn + offset, &insn, 1); The last two 1s are wrong size of written instructions , which would lead to kernel crash, like `insmod kprobe_example.ko` gives: [ 509.812815][ T2734] kprobe_init: Planted kprobe at 00000000c5c46130 [ 509.837606][ C5] handler_pre: <kernel_clone> p->addr = 0x00000000c5c46130, pc = 0xffffffff80032ee2, status = 0x200000120 [ 509.839315][ C5] Oops - illegal instruction [#1] I've tried two patchs from torvalds tree and it didn't crash again: 51781ce8f448 riscv: Pass patch_text() the length in bytes (rebased) 13134cc94914 riscv: kprobes: Fix incorrect address calculation Regards, laokz

1 hour, 54 minutes

3
8
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025