1. 24 Feb, 2020 40 commits
    • Oleksandr Natalenko's avatar
      163f0333
    • Greg Kroah-Hartman's avatar
      Linux 5.5.6 · d542c06f
      Greg Kroah-Hartman authored
      d542c06f
    • Alexandre Belloni's avatar
      rtc: Kconfig: select REGMAP_I2C when necessary · 0ff29753
      Alexandre Belloni authored
      [ Upstream commit 578c2b66 ]
      
      Some i2c RTC drivers are using regmap but are not selecting REGMAP_I2C
      which may lead to build failures.
      
      Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarAlexandre Belloni <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      0ff29753
    • Coly Li's avatar
      bcache: properly initialize 'path' and 'err' in register_bcache() · 1341ccf2
      Coly Li authored
      [ Upstream commit 29cda393 ]
      
      Patch "bcache: rework error unwinding in register_bcache" from
      Christoph Hellwig changes the local variables 'path' and 'err'
      in undefined initial state. If the code in register_bcache() jumps
      to label 'out:' or 'out_module_put:' by goto, these two variables
      might be reference with undefined value by the following line,
      
      	out_module_put:
      	        module_put(THIS_MODULE);
      	out:
      	        pr_info("error %s: %s", path, err);
      	        return ret;
      
      Therefore this patch initializes these two local variables properly
      in register_bcache() to avoid such issue.
      Signed-off-by: default avatarColy Li <[email protected]>
      Signed-off-by: default avatarJens Axboe <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      1341ccf2
    • Alex Deucher's avatar
      drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2) · 8d12e0b3
      Alex Deucher authored
      [ Upstream commit c3724357 ]
      
      We might get different numbers of clocks from powerplay depending
      on what the OEM has populated.
      
      v2: add assert for at least one level
      
      Bug: https://gitlab.freedesktop.org/drm/amd/issues/963Reviewed-by: default avatarNicholas Kazlauskas <[email protected]>
      Signed-off-by: default avatarAlex Deucher <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      8d12e0b3
    • Niklas Schnelle's avatar
      s390/pci: Recover handle in clp_set_pci_fn() · 4b3da4c8
      Niklas Schnelle authored
      [ Upstream commit 17cdec96 ]
      
      When we try to recover a PCI function using
      
          echo 1 > /sys/bus/pci/devices/<id>/recover
      
      or manually with
      
          echo 1 > /sys/bus/pci/devices/<id>/remove
          echo 0 > /sys/bus/pci/slots/<slot>/power
          echo 1 > /sys/bus/pci/slots/<slot>/power
      
      clp_disable_fn() / clp_enable_fn() call clp_set_pci_fn() to first
      disable and then reenable the function.
      
      When the function is already in the requested state we may be left with
      an invalid function handle.
      
      To get a new valid handle we do a clp_list_pci() call. For this we need
      both the function ID and function handle in clp_set_pci_fn() so pass the
      zdev and get both.
      
      To simplify things also pull setting the refreshed function handle into
      clp_set_pci_fn()
      Signed-off-by: default avatarNiklas Schnelle <[email protected]>
      Reviewed-by: default avatarPeter Oberparleiter <[email protected]>
      Signed-off-by: default avatarVasily Gorbik <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      4b3da4c8
    • Ido Schimmel's avatar
      mlxsw: spectrum_dpipe: Add missing error path · edad0910
      Ido Schimmel authored
      [ Upstream commit 3a99cbb6 ]
      
      In case devlink_dpipe_entry_ctx_prepare() failed, release RTNL that was
      previously taken and free the memory allocated by
      mlxsw_sp_erif_entry_prepare().
      
      Fixes: 2ba5999f ("mlxsw: spectrum: Add Support for erif table entries access")
      Signed-off-by: default avatarIdo Schimmel <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      edad0910
    • Vadim Pasternak's avatar
      mlxsw: core: Add validation of hardware device types for MGPIR register · ee4ac92e
      Vadim Pasternak authored
      [ Upstream commit 36844c85 ]
      
      When reading the number of gearboxes from the hardware, the driver does
      not validate the returned 'device type' field. The driver can therefore
      wrongly assume that the queried devices are gearboxes.
      
      On Spectrum-3 systems that support different types of devices, this can
      prevent the driver from loading, as it will try to query the
      temperature sensors from devices which it assumes are gearboxes and in
      fact are not.
      
      For example:
      [  218.129230] mlxsw_minimal 2-0048: Reg cmd access status failed (status=7(bad parameter))
      [  218.138282] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=write)
      [  218.147131] mlxsw_minimal 2-0048: Failed to setup temp sensor number 256
      [  218.534480] mlxsw_minimal 2-0048: Fail to register core bus
      [  218.540714] mlxsw_minimal: probe of 2-0048 failed with error -5
      
      Fix this by validating the 'device type' field.
      
      Fixes: 2e265a8b ("mlxsw: core: Extend hwmon interface with inter-connect temperature attributes")
      Fixes: f14f4e62 ("mlxsw: core: Extend thermal core with per inter-connect device thermal zones")
      Signed-off-by: default avatarVadim Pasternak <[email protected]>
      Acked-by: default avatarJiri Pirko <[email protected]>
      Signed-off-by: default avatarIdo Schimmel <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      ee4ac92e
    • Miklos Szeredi's avatar
      fuse: don't overflow LLONG_MAX with end offset · f5654d8d
      Miklos Szeredi authored
      [ Upstream commit 2f139829 ]
      
      Handle the special case of fuse_readpages() wanting to read the last page
      of a hugest file possible and overflowing the end offset in the process.
      
      This is basically to unbreak xfstests:generic/525 and prevent filesystems
      from doing bad things with an overflowing offset.
      Reported-by: Xiao Yang's avatarXiao Yang <[email protected]>
      Signed-off-by: default avatarMiklos Szeredi <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      f5654d8d
    • Michael S. Tsirkin's avatar
      virtio_balloon: prevent pfn array overflow · 2e8420b4
      Michael S. Tsirkin authored
      [ Upstream commit 6e9826e7 ]
      
      Make sure, at build time, that pfn array is big enough to hold a single
      page.  It happens to be true since the PAGE_SHIFT value at the moment is
      20, which is 1M - exactly 256 4K balloon pages.
      Signed-off-by: default avatarMichael S. Tsirkin <[email protected]>
      Reviewed-by: David Hildenbrand's avatarDavid Hildenbrand <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      2e8420b4
    • Steve French's avatar
      cifs: log warning message (once) if out of disk space · 0c987258
      Steve French authored
      [ Upstream commit d6fd4190 ]
      
      We ran into a confusing problem where an application wasn't checking
      return code on close and so user didn't realize that the application
      ran out of disk space.  log a warning message (once) in these
      cases. For example:
      
        [ 8407.391909] Out of space writing to \\oleg-server\small-share
      Signed-off-by: default avatarSteve French <[email protected]>
      Reported-by: default avatarOleg Kravtsov <[email protected]>
      Reviewed-by: default avatarRonnie Sahlberg <[email protected]>
      Reviewed-by: default avatarPavel Shilovsky <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      0c987258
    • Masahiro Yamada's avatar
      kbuild: make multiple directory targets work · 9e8d4189
      Masahiro Yamada authored
      [ Upstream commit f566e1fb ]
      
      Currently, the single-target build does not work when two
      or more sub-directories are given:
      
        $ make fs/ kernel/ lib/
          CALL    scripts/checksyscalls.sh
          CALL    scripts/atomic/check-atomics.sh
          DESCEND  objtool
        make[2]: Nothing to be done for 'kernel/'.
        make[2]: Nothing to be done for 'fs/'.
        make[2]: Nothing to be done for 'lib/'.
      
      Make it work properly.
      Reported-by: default avatarLinus Torvalds <[email protected]>
      Signed-off-by: default avatarMasahiro Yamada <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      9e8d4189
    • Maciej Fijalkowski's avatar
      i40e: Relax i40e_xsk_wakeup's return value when PF is busy · 8080eac0
      Maciej Fijalkowski authored
      [ Upstream commit c77e9f09 ]
      
      Return -EAGAIN instead of -ENETDOWN to provide a slightly milder
      information to user space so that an application will know to retry the
      syscall when __I40E_CONFIG_BUSY bit is set on pf->state.
      
      Fixes: b3873a5b ("net/i40e: Fix concurrency issues between config flow and XSK")
      Signed-off-by: default avatarMaciej Fijalkowski <[email protected]>
      Signed-off-by: default avatarDaniel Borkmann <[email protected]>
      Acked-by: default avatarBjörn Töpel <[email protected]>
      Link: https://lore.kernel.org/bpf/[email protected]Signed-off-by: default avatarSasha Levin <[email protected]>
      8080eac0
    • Vasily Averin's avatar
      help_next should increase position index · d5fd4496
      Vasily Averin authored
      [ Upstream commit 9f198a2a ]
      
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283Signed-off-by: default avatarVasily Averin <[email protected]>
      Signed-off-by: default avatarMike Marshall <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      d5fd4496
    • Wenwen Wang's avatar
      NFS: Fix memory leaks · 588f2bf8
      Wenwen Wang authored
      [ Upstream commit 123c23c6 ]
      
      In _nfs42_proc_copy(), 'res->commit_res.verf' is allocated through
      kzalloc() if 'args->sync' is true. In the following code, if
      'res->synchronous' is false, handle_async_copy() will be invoked. If an
      error occurs during the invocation, the following code will not be executed
      and the error will be returned . However, the allocated
      'res->commit_res.verf' is not deallocated, leading to a memory leak. This
      is also true if the invocation of process_copy_commit() returns an error.
      
      To fix the above leaks, redirect the execution to the 'out' label if an
      error is encountered.
      Signed-off-by: Wenwen Wang's avatarWenwen Wang <[email protected]>
      Signed-off-by: default avatarAnna Schumaker <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      588f2bf8
    • Alex Deucher's avatar
      drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage · 24add5b4
      Alex Deucher authored
      [ Upstream commit 1064ad4a ]
      
      Cull out 0 clocks to avoid a warning in DC.
      
      Bug: https://gitlab.freedesktop.org/drm/amd/issues/963Reviewed-by: default avatarEvan Quan <[email protected]>
      Signed-off-by: default avatarAlex Deucher <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      24add5b4
    • Alex Deucher's avatar
      drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency · b6bd445a
      Alex Deucher authored
      [ Upstream commit 4d0a72b6 ]
      
      Only send non-0 clocks to DC for validation.  This mirrors
      what the windows driver does.
      
      Bug: https://gitlab.freedesktop.org/drm/amd/issues/963Reviewed-by: default avatarEvan Quan <[email protected]>
      Signed-off-by: default avatarAlex Deucher <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      b6bd445a
    • Zhiqiang Liu's avatar
      brd: check and limit max_part par · a9e60cba
      Zhiqiang Liu authored
      [ Upstream commit c8ab4225 ]
      
      In brd_init func, rd_nr num of brd_device are firstly allocated
      and add in brd_devices, then brd_devices are traversed to add each
      brd_device by calling add_disk func. When allocating brd_device,
      the disk->first_minor is set to i * max_part, if rd_nr * max_part
      is larger than MINORMASK, two different brd_device may have the same
      devt, then only one of them can be successfully added.
      when rmmod brd.ko, it will cause oops when calling brd_exit.
      
      Follow those steps:
        # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576
        # rmmod brd
      then, the oops will appear.
      
      Oops log:
      [  726.613722] Call trace:
      [  726.614175]  kernfs_find_ns+0x24/0x130
      [  726.614852]  kernfs_find_and_get_ns+0x44/0x68
      [  726.615749]  sysfs_remove_group+0x38/0xb0
      [  726.616520]  blk_trace_remove_sysfs+0x1c/0x28
      [  726.617320]  blk_unregister_queue+0x98/0x100
      [  726.618105]  del_gendisk+0x144/0x2b8
      [  726.618759]  brd_exit+0x68/0x560 [brd]
      [  726.619501]  __arm64_sys_delete_module+0x19c/0x2a0
      [  726.620384]  el0_svc_common+0x78/0x130
      [  726.621057]  el0_svc_handler+0x38/0x78
      [  726.621738]  el0_svc+0x8/0xc
      [  726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260)
      
      Here, we add brd_check_and_reset_par func to check and limit max_part par.
      
      --
      V5->V6:
       - remove useless code
      
      V4->V5:(suggested by Ming Lei)
       - make sure max_part is not larger than DISK_MAX_PARTS
      
      V3->V4:(suggested by Ming Lei)
       - remove useless change
       - add one limit of max_part
      
      V2->V3: (suggested by Ming Lei)
       - clear .minors when running out of consecutive minor space in brd_alloc
       - remove limit of rd_nr
      
      V1->V2:
       - add more checks in brd_check_par_valid as suggested by Ming Lei.
      Signed-off-by: default avatarZhiqiang Liu <[email protected]>
      Reviewed-by: default avatarBob Liu <[email protected]>
      Reviewed-by: default avatarMing Lei <[email protected]>
      Signed-off-by: default avatarJens Axboe <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      a9e60cba
    • Shubhrajyoti Datta's avatar
      microblaze: Prevent the overflow of the start · d302f3a5
      Shubhrajyoti Datta authored
      [ Upstream commit 061d2c1d ]
      
      In case the start + cache size is more than the max int the
      start overflows.
      Prevent the same.
      Signed-off-by: default avatarShubhrajyoti Datta <[email protected]>
      Signed-off-by: default avatarMichal Simek <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      d302f3a5
    • dcaratti's avatar
      tc-testing: add missing 'nsPlugin' to basic.json · 18c6d681
      dcaratti authored
      [ Upstream commit e9ed4fa7 ]
      
      since tdc tests for cls_basic need $DEV1, use 'nsPlugin' so that the
      following command can be run without errors:
      
       [[email protected] tc-testing]# ./tdc.py -c basic
      
      Fixes: 4717b053 ("tc-testing: Introduced tdc tests for basic filter")
      Signed-off-by: dcaratti's avatarDavide Caratti <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      18c6d681
    • Peter Zijlstra's avatar
      asm-generic/tlb: add missing CONFIG symbol · ece3264b
      Peter Zijlstra authored
      [ Upstream commit 27796d03 ]
      
      Without this the symbol will not actually end up in .config files.
      
      Link: http://lkml.kernel.org/r/[email protected]
      Fixes: a30e32bd ("asm-generic/tlb: Provide generic tlb_flush() based on flush_tlb_mm()")
      Signed-off-by: default avatarPeter Zijlstra (Intel) <[email protected]>
      Signed-off-by: default avatarAneesh Kumar K.V <[email protected]>
      Cc: Michael Ellerman <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      ece3264b
    • Andrei Otcheretianski's avatar
      iwlwifi: mvm: Check the sta is not NULL in iwl_mvm_cfg_he_sta() · c6d67839
      Andrei Otcheretianski authored
      [ Upstream commit 12d47f0e ]
      
      Fix a kernel panic by checking that the sta is not NULL.
      This could happen during a reconfig flow, as mac80211 moves the sta
      between all the states without really checking if the previous state was
      successfully set. So, if for some reason we failed to add back the
      station, subsequent calls to sta_state() callback will be done when the
      station is NULL. This would result in a following panic:
      
      BUG: unable to handle kernel NULL pointer dereference at
      0000000000000040
      IP: iwl_mvm_cfg_he_sta+0xfc/0x690 [iwlmvm]
      [..]
      Call Trace:
       iwl_mvm_mac_sta_state+0x629/0x6f0 [iwlmvm]
       drv_sta_state+0xf4/0x950 [mac80211]
       ieee80211_reconfig+0xa12/0x2180 [mac80211]
       ieee80211_restart_work+0xbb/0xe0 [mac80211]
       process_one_work+0x1e2/0x610
       worker_thread+0x4d/0x3e0
      [..]
      Signed-off-by: default avatarAndrei Otcheretianski <[email protected]>
      Signed-off-by: default avatarLuca Coelho <[email protected]>
      Signed-off-by: default avatarKalle Valo <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      c6d67839
    • Andrei Otcheretianski's avatar
      iwlwifi: mvm: Fix thermal zone registration · 9108ef6b
      Andrei Otcheretianski authored
      [ Upstream commit baa6cf84 ]
      
      Use a unique name when registering a thermal zone. Otherwise, with
      multiple NICS, we hit the following warning during the unregistration.
      
      WARNING: CPU: 2 PID: 3525 at fs/sysfs/group.c:255
       RIP: 0010:sysfs_remove_group+0x80/0x90
       Call Trace:
        dpm_sysfs_remove+0x57/0x60
        device_del+0x5a/0x350
        ? sscanf+0x4e/0x70
        device_unregister+0x1a/0x60
        hwmon_device_unregister+0x4a/0xa0
        thermal_remove_hwmon_sysfs+0x175/0x1d0
        thermal_zone_device_unregister+0x188/0x1e0
        iwl_mvm_thermal_exit+0xe7/0x100 [iwlmvm]
        iwl_op_mode_mvm_stop+0x27/0x180 [iwlmvm]
        _iwl_op_mode_stop.isra.3+0x2b/0x50 [iwlwifi]
        iwl_opmode_deregister+0x90/0xa0 [iwlwifi]
        __exit_compat+0x10/0x2c7 [iwlmvm]
        __x64_sys_delete_module+0x13f/0x270
        do_syscall_64+0x5a/0x110
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: default avatarAndrei Otcheretianski <[email protected]>
      Signed-off-by: default avatarLuca Coelho <[email protected]>
      Signed-off-by: default avatarKalle Valo <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      9108ef6b
    • Christoph Hellwig's avatar
      nvme-pci: remove nvmeq->tags · cef2e37a
      Christoph Hellwig authored
      [ Upstream commit cfa27356 ]
      
      There is no real need to have a pointer to the tagset in
      struct nvme_queue, as we only need it in a single place, and that place
      can derive the used tagset from the device and qid trivially.  This
      fixes a problem with stale pointer exposure when tagsets are reset,
      and also shrinks the nvme_queue structure.  It also matches what most
      other transports have done since day 1.
      Reported-by: default avatarEdmund Nadolski <[email protected]>
      Signed-off-by: default avatarChristoph Hellwig <[email protected]>
      Signed-off-by: default avatarKeith Busch <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      cef2e37a
    • Sagi Grimberg's avatar
      nvmet: fix dsm failure when payload does not match sgl descriptor · 5068f9ec
      Sagi Grimberg authored
      [ Upstream commit b716e688 ]
      
      The host is allowed to pass the controller an sgl describing a buffer
      that is larger than the dsm payload itself, allow it when executing
      dsm.
      Reported-by: default avatarDakshaja Uppalapati <[email protected]>
      Reviewed-by: Christoph Hellwig <[email protected]>,
      Reviewed-by: default avatarMax Gurtovoy <[email protected]>
      Signed-off-by: Sagi Grimberg's avatarSagi Grimberg <[email protected]>
      Signed-off-by: default avatarKeith Busch <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      5068f9ec
    • Amol Grover's avatar
      nvmet: Pass lockdep expression to RCU lists · 5c817cec
      Amol Grover authored
      [ Upstream commit 4ac76436 ]
      
      ctrl->subsys->namespaces and subsys->namespaces are traversed with
      list_for_each_entry_rcu outside an RCU read-side critical section but
      under the protection of ctrl->subsys->lock and subsys->lock respectively.
      
      Hence, add the corresponding lockdep expression to the list traversal
      primitive to silence false-positive lockdep warnings, and harden RCU
      lists.
      Reported-by: default avatarkbuild test robot <[email protected]>
      Reviewed-by: default avatarJoel Fernandes (Google) <[email protected]>
      Signed-off-by: Amol Grover's avatarAmol Grover <[email protected]>
      Signed-off-by: default avatarKeith Busch <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      5c817cec
    • Zenghui Yu's avatar
      irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL · 72c60722
      Zenghui Yu authored
      [ Upstream commit 10794522 ]
      
      It looks like an obvious mistake to use its_mapc_cmd descriptor when
      building the INVALL command block. It so far worked by luck because
      both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of
      the ITS command descriptor, but we should not rely on it.
      
      Fixes: cc2d3216 ("irqchip: GICv3: ITS command queue")
      Signed-off-by: default avatarZenghui Yu <[email protected]>
      Signed-off-by: default avatarMarc Zyngier <[email protected]>
      Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarSasha Levin <[email protected]>
      72c60722
    • Coly Li's avatar
      bcache: fix incorrect data type usage in btree_flush_write() · 46991b18
      Coly Li authored
      [ Upstream commit d1c3cc34 ]
      
      Dan Carpenter points out that from commit 2aa8c529 ("bcache: avoid
      unnecessary btree nodes flushing in btree_flush_write()"), there is a
      incorrect data type usage which leads to the following static checker
      warning:
      	drivers/md/bcache/journal.c:444 btree_flush_write()
      	warn: 'ref_nr' unsigned <= 0
      
      drivers/md/bcache/journal.c
         422  static void btree_flush_write(struct cache_set *c)
         423  {
         424          struct btree *b, *t, *btree_nodes[BTREE_FLUSH_NR];
         425          unsigned int i, nr, ref_nr;
                                          ^^^^^^
      
         426          atomic_t *fifo_front_p, *now_fifo_front_p;
         427          size_t mask;
         428
         429          if (c->journal.btree_flushing)
         430                  return;
         431
         432          spin_lock(&c->journal.flush_write_lock);
         433          if (c->journal.btree_flushing) {
         434                  spin_unlock(&c->journal.flush_write_lock);
         435                  return;
         436          }
         437          c->journal.btree_flushing = true;
         438          spin_unlock(&c->journal.flush_write_lock);
         439
         440          /* get the oldest journal entry and check its refcount */
         441          spin_lock(&c->journal.lock);
         442          fifo_front_p = &fifo_front(&c->journal.pin);
         443          ref_nr = atomic_read(fifo_front_p);
         444          if (ref_nr <= 0) {
                          ^^^^^^^^^^^
      Unsigned can't be less than zero.
      
         445                  /*
         446                   * do nothing if no btree node references
         447                   * the oldest journal entry
         448                   */
         449                  spin_unlock(&c->journal.lock);
         450                  goto out;
         451          }
         452          spin_unlock(&c->journal.lock);
      
      As the warning information indicates, local varaible ref_nr in unsigned
      int type is wrong, which does not matche atomic_read() and the "<= 0"
      checking.
      
      This patch fixes the above error by defining local variable ref_nr as
      int type.
      
      Fixes: 2aa8c529 ("bcache: avoid unnecessary btree nodes flushing in btree_flush_write()")
      Reported-by: default avatarDan Carpenter <[email protected]>
      Signed-off-by: default avatarColy Li <[email protected]>
      Signed-off-by: default avatarJens Axboe <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      46991b18
    • Coly Li's avatar
      bcache: explicity type cast in bset_bkey_last() · 328c1eab
      Coly Li authored
      [ Upstream commit 7c02b005 ]
      
      In bset.h, macro bset_bkey_last() is defined as,
          bkey_idx((struct bkey *) (i)->d, (i)->keys)
      
      Parameter i can be variable type of data structure, the macro always
      works once the type of struct i has member 'd' and 'keys'.
      
      bset_bkey_last() is also used in macro csum_set() to calculate the
      checksum of a on-disk data structure. When csum_set() is used to
      calculate checksum of on-disk bcache super block, the parameter 'i'
      data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in
      struct cache_sb) the member keys is __u16 type. But bkey_idx() expects
      unsigned int (a 32bit width), so there is problem when sending
      parameters via stack to call bkey_idx().
      
      Sparse tool from Intel 0day kbuild system reports this incompatible
      problem. bkey_idx() is part of user space API, so the simplest fix is
      to cast the (i)->keys to unsigned int type in macro bset_bkey_last().
      Reported-by: default avatarkbuild test robot <[email protected]>
      Signed-off-by: default avatarColy Li <[email protected]>
      Signed-off-by: default avatarJens Axboe <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      328c1eab
    • Coly Li's avatar
      bcache: fix memory corruption in bch_cache_accounting_clear() · 1c6bfe89
      Coly Li authored
      [ Upstream commit 5bebf748 ]
      
      Commit 83ff9318 ("bcache: not use hard coded memset size in
      bch_cache_accounting_clear()") tries to make the code more easy to
      understand by removing the hard coded number with following change,
      	void bch_cache_accounting_clear(...)
      	{
      		memset(&acc->total.cache_hits,
      			0,
      	-		sizeof(unsigned long) * 7);
      	+		sizeof(struct cache_stats));
      	}
      
      Unfortunately the change was wrong (it also tells us the original code
      was not easy to correctly understand). The hard coded number 7 is used
      because in struct cache_stats,
       15 struct cache_stats {
       16         struct kobject          kobj;
       17
       18         unsigned long cache_hits;
       19         unsigned long cache_misses;
       20         unsigned long cache_bypass_hits;
       21         unsigned long cache_bypass_misses;
       22         unsigned long cache_readaheads;
       23         unsigned long cache_miss_collisions;
       24         unsigned long sectors_bypassed;
       25
       26         unsigned int            rescale;
       27 };
      only members in LINE 18-24 want to be set to 0. It is wrong to use
      'sizeof(struct cache_stats)' to replace 'sizeof(unsigned long) * 7), the
      memory objects behind acc->total is staled by this change.
      
      Сорокин Артем Сергеевич reports that by the following steps, kernel
      panic will be triggered,
      1. Create new set: make-bcache -B /dev/nvme1n1 -C /dev/sda --wipe-bcache
      2. Run in /sys/fs/bcache/<uuid>:
         echo 1 > clear_stats && cat stats_five_minute/cache_bypass_hits
      
      I can reproduce the panic and get following dmesg with KASAN enabled,
      [22613.172742] ==================================================================
      [22613.172862] BUG: KASAN: null-ptr-deref in sysfs_kf_seq_show+0x117/0x230
      [22613.172864] Read of size 8 at addr 0000000000000000 by task cat/6753
      
      [22613.172870] CPU: 1 PID: 6753 Comm: cat Not tainted 5.5.0-rc7-lp151.28.16-default+ #11
      [22613.172872] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
      [22613.172873] Call Trace:
      [22613.172964]  dump_stack+0x8b/0xbb
      [22613.172968]  ? sysfs_kf_seq_show+0x117/0x230
      [22613.172970]  ? sysfs_kf_seq_show+0x117/0x230
      [22613.173031]  __kasan_report+0x176/0x192
      [22613.173064]  ? pr_cont_kernfs_name+0x40/0x60
      [22613.173067]  ? sysfs_kf_seq_show+0x117/0x230
      [22613.173070]  kasan_report+0xe/0x20
      [22613.173072]  sysfs_kf_seq_show+0x117/0x230
      [22613.173105]  seq_read+0x199/0x6d0
      [22613.173110]  vfs_read+0xa5/0x1a0
      [22613.173113]  ksys_read+0x110/0x160
      [22613.173115]  ? kernel_write+0xb0/0xb0
      [22613.173177]  do_syscall_64+0x77/0x290
      [22613.173238]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [22613.173241] RIP: 0033:0x7fc2c886ac61
      [22613.173244] Code: fe ff ff 48 8d 3d c7 a0 09 00 48 83 ec 08 e8 46 03 02 00 66 0f 1f 44 00 00 8b 05 ca fb 2c 00 48 63 ff 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48 89
      [22613.173245] RSP: 002b:00007ffebe776d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
      [22613.173248] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fc2c886ac61
      [22613.173249] RDX: 0000000000020000 RSI: 00007fc2c8cca000 RDI: 0000000000000003
      [22613.173250] RBP: 0000000000020000 R08: ffffffffffffffff R09: 0000000000000000
      [22613.173251] R10: 000000000000038c R11: 0000000000000246 R12: 00007fc2c8cca000
      [22613.173253] R13: 0000000000000003 R14: 00007fc2c8cca00f R15: 0000000000020000
      [22613.173255] ==================================================================
      [22613.173256] Disabling lock debugging due to kernel taint
      [22613.173350] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [22613.178380] #PF: supervisor read access in kernel mode
      [22613.180959] #PF: error_code(0x0000) - not-present page
      [22613.183444] PGD 0 P4D 0
      [22613.184867] Oops: 0000 [#1] SMP KASAN PTI
      [22613.186797] CPU: 1 PID: 6753 Comm: cat Tainted: G    B             5.5.0-rc7-lp151.28.16-default+ #11
      [22613.191253] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
      [22613.196706] RIP: 0010:sysfs_kf_seq_show+0x117/0x230
      [22613.199097] Code: ff 48 8b 0b 48 8b 44 24 08 48 01 e9 eb a6 31 f6 48 89 cf ba 00 10 00 00 48 89 4c 24 10 e8 b1 e6 e9 ff 4c 89 ff e8 19 07 ea ff <49> 8b 07 48 85 c0 48 89 44 24 08 0f 84 91 00 00 00 49 8b 6d 00 48
      [22613.208016] RSP: 0018:ffff8881d4f8fd78 EFLAGS: 00010246
      [22613.210448] RAX: 0000000000000000 RBX: ffff8881eb99b180 RCX: ffffffff810d9ef6
      [22613.213691] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
      [22613.216893] RBP: 0000000000001000 R08: fffffbfff072ddcd R09: fffffbfff072ddcd
      [22613.220075] R10: 0000000000000001 R11: fffffbfff072ddcc R12: ffff8881de5c0200
      [22613.223256] R13: ffff8881ed175500 R14: ffff8881eb99b198 R15: 0000000000000000
      [22613.226290] FS:  00007fc2c8d3d500(0000) GS:ffff8881f2a80000(0000) knlGS:0000000000000000
      [22613.229637] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [22613.231993] CR2: 0000000000000000 CR3: 00000001ec89a004 CR4: 00000000003606e0
      [22613.234909] Call Trace:
      [22613.235931]  seq_read+0x199/0x6d0
      [22613.237259]  vfs_read+0xa5/0x1a0
      [22613.239229]  ksys_read+0x110/0x160
      [22613.240590]  ? kernel_write+0xb0/0xb0
      [22613.242040]  do_syscall_64+0x77/0x290
      [22613.243625]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [22613.245450] RIP: 0033:0x7fc2c886ac61
      [22613.246706] Code: fe ff ff 48 8d 3d c7 a0 09 00 48 83 ec 08 e8 46 03 02 00 66 0f 1f 44 00 00 8b 05 ca fb 2c 00 48 63 ff 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48 89
      [22613.253296] RSP: 002b:00007ffebe776d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
      [22613.255835] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fc2c886ac61
      [22613.258472] RDX: 0000000000020000 RSI: 00007fc2c8cca000 RDI: 0000000000000003
      [22613.260807] RBP: 0000000000020000 R08: ffffffffffffffff R09: 0000000000000000
      [22613.263188] R10: 000000000000038c R11: 0000000000000246 R12: 00007fc2c8cca000
      [22613.265598] R13: 0000000000000003 R14: 00007fc2c8cca00f R15: 0000000000020000
      [22613.268729] Modules linked in: scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs vmw_vsock_vmci_transport vsock fuse bnep kvm_intel kvm irqbypass crc32_pclmul crc32c_intel ghash_clmulni_intel snd_ens1371 snd_ac97_codec ac97_bus bcache snd_pcm btusb btrtl btbcm btintel crc64 aesni_intel glue_helper crypto_simd vmw_balloon cryptd bluetooth snd_timer snd_rawmidi snd joydev pcspkr e1000 rfkill vmw_vmci soundcore ecdh_generic ecc gameport i2c_piix4 mptctl ac button hid_generic usbhid sr_mod cdrom ata_generic ehci_pci vmwgfx uhci_hcd drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm ehci_hcd mptspi scsi_transport_spi mptscsih ata_piix mptbase ahci usbcore libahci drm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua
      [22613.292429] CR2: 0000000000000000
      [22613.293563] ---[ end trace a074b26a8508f378 ]---
      [22613.295138] RIP: 0010:sysfs_kf_seq_show+0x117/0x230
      [22613.296769] Code: ff 48 8b 0b 48 8b 44 24 08 48 01 e9 eb a6 31 f6 48 89 cf ba 00 10 00 00 48 89 4c 24 10 e8 b1 e6 e9 ff 4c 89 ff e8 19 07 ea ff <49> 8b 07 48 85 c0 48 89 44 24 08 0f 84 91 00 00 00 49 8b 6d 00 48
      [22613.303553] RSP: 0018:ffff8881d4f8fd78 EFLAGS: 00010246
      [22613.305280] RAX: 0000000000000000 RBX: ffff8881eb99b180 RCX: ffffffff810d9ef6
      [22613.307924] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
      [22613.310272] RBP: 0000000000001000 R08: fffffbfff072ddcd R09: fffffbfff072ddcd
      [22613.312685] R10: 0000000000000001 R11: fffffbfff072ddcc R12: ffff8881de5c0200
      [22613.315076] R13: ffff8881ed175500 R14: ffff8881eb99b198 R15: 0000000000000000
      [22613.318116] FS:  00007fc2c8d3d500(0000) GS:ffff8881f2a80000(0000) knlGS:0000000000000000
      [22613.320743] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [22613.322628] CR2: 0000000000000000 CR3: 00000001ec89a004 CR4: 00000000003606e0
      
      Here this patch fixes the following problem by explicity set all the 7
      members to 0 in bch_cache_accounting_clear().
      Reported-by: default avatarСорокин Артем Сергеевич <[email protected]>
      Signed-off-by: default avatarColy Li <[email protected]>
      Signed-off-by: default avatarJens Axboe <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      1c6bfe89
    • Yunfeng Ye's avatar
      reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() · a56f1f45
      Yunfeng Ye authored
      [ Upstream commit aacee544 ]
      
      The variable inode may be NULL in reiserfs_insert_item(), but there is
      no check before accessing the member of inode.
      
      Fix this by adding NULL pointer check before calling reiserfs_debug().
      
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarYunfeng Ye <[email protected]>
      Cc: zhengbin <[email protected]>
      Cc: Hu Shiyuan <[email protected]>
      Cc: Feilong Lin <[email protected]>
      Cc: Jan Kara <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      a56f1f45
    • Nathan Chancellor's avatar
      lib/scatterlist.c: adjust indentation in __sg_alloc_table · d11dbc09
      Nathan Chancellor authored
      [ Upstream commit 4e456fee ]
      
      Clang warns:
      
        ../lib/scatterlist.c:314:5: warning: misleading indentation; statement
        is not part of the previous 'if' [-Wmisleading-indentation]
                                return -ENOMEM;
                                ^
        ../lib/scatterlist.c:311:4: note: previous statement is here
                                if (prv)
                                ^
        1 warning generated.
      
      This warning occurs because there is a space before the tab on this
      line.  Remove it so that the indentation is consistent with the Linux
      kernel coding style and clang no longer warns.
      
      Link: http://lkml.kernel.org/r/[email protected]
      Link: https://github.com/ClangBuiltLinux/linux/issues/830
      Fixes: edce6820 ("scatterlist: prevent invalid free when alloc fails")
      Signed-off-by: Nathan Chancellor's avatarNathan Chancellor <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]ux-foundation.org>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      d11dbc09
    • wangyan's avatar
      ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans() · f08694f0
      wangyan authored
      [ Upstream commit 9f16ca48 ]
      
      I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(),
      handle->h_transaction may be NULL in this situation:
      
      ocfs2_file_write_iter
        ->__generic_file_write_iter
            ->generic_perform_write
              ->ocfs2_write_begin
                ->ocfs2_write_begin_nolock
                  ->ocfs2_write_cluster_by_desc
                    ->ocfs2_write_cluster
                      ->ocfs2_mark_extent_written
                        ->ocfs2_change_extent_flag
                          ->ocfs2_split_extent
                            ->ocfs2_try_to_merge_extent
                              ->ocfs2_extend_rotate_transaction
                                ->ocfs2_extend_trans
                                  ->jbd2_journal_restart
                                    ->jbd2__journal_restart
                                      // handle->h_transaction is NULL here
                                      ->handle->h_transaction = NULL;
                                      ->start_this_handle
                                        /* journal aborted due to storage
                                           network disconnection, return error */
                                        ->return -EROFS;
                               /* line 3806 in ocfs2_try_to_merge_extent (),
                                  it will ignore ret error. */
                              ->ret = 0;
              ->...
              ->ocfs2_write_end
                ->ocfs2_write_end_nolock
                  ->ocfs2_update_inode_fsync_trans
                    // NULL pointer dereference
                    ->oi->i_sync_tid = handle->h_transaction->t_tid;
      
      The information of NULL pointer dereference as follows:
          JBD2: Detected IO errors while flushing file data on dm-11-45
          Aborting journal on device dm-11-45.
          JBD2: Error -5 detected when updating journal superblock for dm-11-45.
          (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30
          (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30
          Unable to handle kernel NULL pointer dereference at
          virtual address 0000000000000008
          Mem abort info:
            ESR = 0x96000004
            Exception class = DABT (current EL), IL = 32 bits
            SET = 0, FnV = 0
            EA = 0, S1PTW = 0
          Data abort info:
            ISV = 0, ISS = 0x00000004
            CM = 0, WnR = 0
          user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338
          [0000000000000008] pgd=0000000000000000
          Internal error: Oops: 96000004 [#1] SMP
          Process dd (pid: 22081, stack limit = 0x00000000584f35a9)
          CPU: 3 PID: 22081 Comm: dd Kdump: loaded
          Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
          pstate: 60400009 (nZCv daif +PAN -UAO)
          pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
          lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2]
          sp : ffff0000459fba70
          x29: ffff0000459fba70 x28: 0000000000000000
          x27: ffff807ccf7f1000 x26: 0000000000000001
          x25: ffff807bdff57970 x24: ffff807caf1d4000
          x23: ffff807cc79e9000 x22: 0000000000001000
          x21: 000000006c6cd000 x20: ffff0000091d9000
          x19: ffff807ccb239db0 x18: ffffffffffffffff
          x17: 000000000000000e x16: 0000000000000007
          x15: ffff807c5e15bd78 x14: 0000000000000000
          x13: 0000000000000000 x12: 0000000000000000
          x11: 0000000000000000 x10: 0000000000000001
          x9 : 0000000000000228 x8 : 000000000000000c
          x7 : 0000000000000fff x6 : ffff807a308ed6b0
          x5 : ffff7e01f10967c0 x4 : 0000000000000018
          x3 : d0bc661572445600 x2 : 0000000000000000
          x1 : 000000001b2e0200 x0 : 0000000000000000
          Call trace:
           ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2]
           ocfs2_write_end+0x4c/0x80 [ocfs2]
           generic_perform_write+0x108/0x1a8
           __generic_file_write_iter+0x158/0x1c8
           ocfs2_file_write_iter+0x668/0x950 [ocfs2]
           __vfs_write+0x11c/0x190
           vfs_write+0xac/0x1c0
           ksys_write+0x6c/0xd8
           __arm64_sys_write+0x24/0x30
           el0_svc_common+0x78/0x130
           el0_svc_handler+0x38/0x78
           el0_svc+0x8/0xc
      
      To prevent NULL pointer dereference in this situation, we use
      is_handle_aborted() before using handle->h_transaction->t_tid.
      
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarYan Wang <[email protected]>
      Reviewed-by: JunPiao's avatarJun Piao <[email protected]>
      Cc: Mark Fasheh <[email protected]>
      Cc: Joel Becker <[email protected]>
      Cc: Junxiao Bi <[email protected]>
      Cc: Joseph Qi <[email protected]>
      Cc: Changwei Ge <[email protected]>
      Cc: Gang He <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      f08694f0
    • Masahiro Yamada's avatar
      ocfs2: make local header paths relative to C files · c37a800b
      Masahiro Yamada authored
      [ Upstream commit ca322fb6 ]
      
      Gang He reports the failure of building fs/ocfs2/ as an external module
      of the kernel installed on the system:
      
       $ cd fs/ocfs2
       $ make -C /lib/modules/`uname -r`/build M=`pwd` modules
      
      If you want to make it work reliably, I'd recommend to remove ccflags-y
      from the Makefiles, and to make header paths relative to the C files.  I
      think this is the correct usage of the #include "..." directive.
      
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarMasahiro Yamada <[email protected]>
      Signed-off-by: default avatarGang He <[email protected]>
      Reported-by: default avatarGang He <[email protected]>
      Reviewed-by: default avatarGang He <[email protected]>
      Cc: Mark Fasheh <[email protected]>
      Cc: Joel Becker <[email protected]>
      Cc: Junxiao Bi <[email protected]>
      Cc: Joseph Qi <[email protected]>
      Cc: Changwei Ge <[email protected]>
      Cc: Jun Piao <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      c37a800b
    • Tom Zanussi's avatar
      tracing: Fix now invalid var_ref_vals assumption in trace action · c78a2baf
      Tom Zanussi authored
      [ Upstream commit d380dcde ]
      
      The patch 'tracing: Fix histogram code when expression has same var as
      value' added code to return an existing variable reference when
      creating a new variable reference, which resulted in var_ref_vals
      slots being reused instead of being duplicated.
      
      The implementation of the trace action assumes that the end of the
      var_ref_vals array starting at action_data.var_ref_idx corresponds to
      the values that will be assigned to the trace params. The patch
      mentioned above invalidates that assumption, which means that each
      param needs to explicitly specify its index into var_ref_vals.
      
      This fix changes action_data.var_ref_idx to an array of var ref
      indexes to account for that.
      
      Link: https://lore.kernel.org/r/[email protected]
      
      Fixes: 8bcebc77 ("tracing: Fix histogram code when expression has same var as value")
      Signed-off-by: default avatarTom Zanussi <[email protected]>
      Signed-off-by: default avatarSteven Rostedt (VMware) <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      c78a2baf
    • Josef Bacik's avatar
      btrfs: do not do delalloc reservation under page lock · 6026fd9d
      Josef Bacik authored
      [ Upstream commit f4b1363c ]
      
      We ran into a deadlock in production with the fixup worker.  The stack
      traces were as follows:
      
      Thread responsible for the writeout, waiting on the page lock
      
        [<0>] io_schedule+0x12/0x40
        [<0>] __lock_page+0x109/0x1e0
        [<0>] extent_write_cache_pages+0x206/0x360
        [<0>] extent_writepages+0x40/0x60
        [<0>] do_writepages+0x31/0xb0
        [<0>] __writeback_single_inode+0x3d/0x350
        [<0>] writeback_sb_inodes+0x19d/0x3c0
        [<0>] __writeback_inodes_wb+0x5d/0xb0
        [<0>] wb_writeback+0x231/0x2c0
        [<0>] wb_workfn+0x308/0x3c0
        [<0>] process_one_work+0x1e0/0x390
        [<0>] worker_thread+0x2b/0x3c0
        [<0>] kthread+0x113/0x130
        [<0>] ret_from_fork+0x35/0x40
        [<0>] 0xffffffffffffffff
      
      Thread of the fixup worker who is holding the page lock
      
        [<0>] start_delalloc_inodes+0x241/0x2d0
        [<0>] btrfs_start_delalloc_roots+0x179/0x230
        [<0>] btrfs_alloc_data_chunk_ondemand+0x11b/0x2e0
        [<0>] btrfs_check_data_free_space+0x53/0xa0
        [<0>] btrfs_delalloc_reserve_space+0x20/0x70
        [<0>] btrfs_writepage_fixup_worker+0x1fc/0x2a0
        [<0>] normal_work_helper+0x11c/0x360
        [<0>] process_one_work+0x1e0/0x390
        [<0>] worker_thread+0x2b/0x3c0
        [<0>] kthread+0x113/0x130
        [<0>] ret_from_fork+0x35/0x40
        [<0>] 0xffffffffffffffff
      
      Thankfully the stars have to align just right to hit this.  First you
      have to end up in the fixup worker, which is tricky by itself (my
      reproducer does DIO reads into a MMAP'ed region, so not a common
      operation).  Then you have to have less than a page size of free data
      space and 0 unallocated space so you go down the "commit the transaction
      to free up pinned space" path.  This was accomplished by a random
      balance that was running on the host.  Then you get this deadlock.
      
      I'm still in the process of trying to force the deadlock to happen on
      demand, but I've hit other issues.  I can still trigger the fixup worker
      path itself so this patch has been tested in that regard, so the normal
      case is fine.
      
      Fixes: 87826df0 ("btrfs: delalloc for page dirtied out-of-band in fixup worker")
      Signed-off-by: Josef Bacik's avatarJosef Bacik <[email protected]>
      Reviewed-by: default avatarDavid Sterba <[email protected]>
      Signed-off-by: default avatarDavid Sterba <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      6026fd9d
    • Alexandre Ghiti's avatar
      powerpc: Do not consider weak unresolved symbol relocations as bad · 89a2281b
      Alexandre Ghiti authored
      [ Upstream commit 43e76cd3 ]
      
      Commit 8580ac94 ("bpf: Process in-kernel BTF") introduced two weak
      symbols that may be unresolved at link time which result in an absolute
      relocation to 0. relocs_check.sh emits the following warning:
      
      "WARNING: 2 bad relocations
      c000000001a41478 R_PPC64_ADDR64    _binary__btf_vmlinux_bin_start
      c000000001a41480 R_PPC64_ADDR64    _binary__btf_vmlinux_bin_end"
      
      whereas those relocations are legitimate even for a relocatable kernel
      compiled with -pie option.
      
      relocs_check.sh already excluded some weak unresolved symbols explicitly:
      remove those hardcoded symbols and add some logic that parses the symbols
      using nm, retrieves all the weak unresolved symbols and excludes those from
      the list of the potential bad relocations.
      Reported-by: default avatarStephen Rothwell <[email protected]>
      Signed-off-by: default avatarAlexandre Ghiti <[email protected]>
      Signed-off-by: Michael Ellerman's avatarMichael Ellerman <[email protected]>
      Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarSasha Levin <[email protected]>
      89a2281b
    • Daniel Vetter's avatar
      radeon: insert 10ms sleep in dce5_crtc_load_lut · 9d7222c9
      Daniel Vetter authored
      [ Upstream commit ec3d6508 ]
      
      Per at least one tester this is enough magic to recover the regression
      introduced for some people (but not all) in
      
      commit b8e2b019
      Author: Peter Rosin <[email protected]>
      Date:   Tue Jul 4 12:36:57 2017 +0200
      
          drm/fb-helper: factor out pseudo-palette
      
      which for radeon had the side-effect of refactoring out a seemingly
      redudant writing of the color palette.
      
      10ms in a fairly slow modeset path feels like an acceptable form of
      duct-tape, so maybe worth a shot and see what sticks.
      
      Cc: Alex Deucher <[email protected]>
      Cc: Michel Dänzer <[email protected]>
      References: https://bugzilla.kernel.org/show_bug.cgi?id=198123Signed-off-by: default avatarDaniel Vetter <[email protected]>
      Signed-off-by: default avatarAlex Deucher <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      9d7222c9
    • Vasily Averin's avatar
      trigger_next should increase position index · 14329288
      Vasily Averin authored
      [ Upstream commit 6722b23e ]
      
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      Without patch:
       # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
       dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
       n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
       # Available triggers:
       # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
       6+1 records in
       6+1 records out
       206 bytes copied, 0.00027916 s, 738 kB/s
      
      Notice the printing of "# Available triggers:..." after the line.
      
      With the patch:
       # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger
       dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset
       n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist
       2+1 records in
       2+1 records out
       88 bytes copied, 0.000526867 s, 167 kB/s
      
      It only prints the end of the file, and does not restart.
      
      Link: http://lkml.kernel.org/r/[email protected]
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283Signed-off-by: default avatarVasily Averin <[email protected]>
      Signed-off-by: default avatarSteven Rostedt (VMware) <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      14329288
    • Vasily Averin's avatar
      ftrace: fpid_next() should increase position index · 8306f5c7
      Vasily Averin authored
      [ Upstream commit e4075e8b ]
      
      if seq_file .next fuction does not change position index,
      read after some lseek can generate unexpected output.
      
      Without patch:
       # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid
       dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset
       id
       no pid
       2+1 records in
       2+1 records out
       10 bytes copied, 0.000213285 s, 46.9 kB/s
      
      Notice the "id" followed by "no pid".
      
      With the patch:
       # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid
       dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset
       id
       0+1 records in
       0+1 records out
       3 bytes copied, 0.000202112 s, 14.8 kB/s
      
      Notice that it only prints "id" and not the "no pid" afterward.
      
      Link: http://lkml.kernel.org/r/[email protected]
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283Signed-off-by: default avatarVasily Averin <[email protected]>
      Signed-off-by: default avatarSteven Rostedt (VMware) <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      8306f5c7