1. 27 6月, 2018 1 次提交
  2. 24 6月, 2018 1 次提交
  3. 23 6月, 2018 2 次提交
    • J
      bdi: Fix another oops in wb_workfn() · 3ee7e869
      Jan Kara 提交于
      syzbot is reporting NULL pointer dereference at wb_workfn() [1] due to
      wb->bdi->dev being NULL. And Dmitry confirmed that wb->state was
      WB_shutting_down after wb->bdi->dev became NULL. This indicates that
      unregister_bdi() failed to call wb_shutdown() on one of wb objects.
      
      The problem is in cgwb_bdi_unregister() which does cgwb_kill() and thus
      drops bdi's reference to wb structures before going through the list of
      wbs again and calling wb_shutdown() on each of them. This way the loop
      iterating through all wbs can easily miss a wb if that wb has already
      passed through cgwb_remove_from_bdi_list() called from wb_shutdown()
      from cgwb_release_workfn() and as a result fully shutdown bdi although
      wb_workfn() for this wb structure is still running. In fact there are
      also other ways cgwb_bdi_unregister() can race with
      cgwb_release_workfn() leading e.g. to use-after-free issues:
      
      CPU1                            CPU2
                                      cgwb_bdi_unregister()
                                        cgwb_kill(*slot);
      
      cgwb_release()
        queue_work(cgwb_release_wq, &wb->release_work);
      cgwb_release_workfn()
                                        wb = list_first_entry(&bdi->wb_list, ...)
                                        spin_unlock_irq(&cgwb_lock);
        wb_shutdown(wb);
        ...
        kfree_rcu(wb, rcu);
                                        wb_shutdown(wb); -> oops use-after-free
      
      We solve these issues by synchronizing writeback structure shutdown from
      cgwb_bdi_unregister() with cgwb_release_workfn() using a new mutex. That
      way we also no longer need synchronization using WB_shutting_down as the
      mutex provides it for CONFIG_CGROUP_WRITEBACK case and without
      CONFIG_CGROUP_WRITEBACK wb_shutdown() can be called only once from
      bdi_unregister().
      Reported-by: Nsyzbot <syzbot+4a7438e774b21ddd8eca@syzkaller.appspotmail.com>
      Acked-by: NTejun Heo <tj@kernel.org>
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      3ee7e869
    • G
      lightnvm: Remove depends on HAS_DMA in case of platform dependency · 0ae52ddf
      Geert Uytterhoeven 提交于
      Remove dependencies on HAS_DMA where a Kconfig symbol depends on another
      symbol that implies HAS_DMA, and, optionally, on "|| COMPILE_TEST".
      In most cases this other symbol is an architecture or platform specific
      symbol, or PCI.
      
      Generic symbols and drivers without platform dependencies keep their
      dependencies on HAS_DMA, to prevent compiling subsystems or drivers that
      cannot work anyway.
      
      This simplifies the dependencies, and allows to improve compile-testing.
      Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Reviewed-by: NMark Brown <broonie@kernel.org>
      Acked-by: NRobin Murphy <robin.murphy@arm.com>
      Reviewed-by: NMatias Bjørling <mb@lightnvm.io>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      0ae52ddf
  4. 22 6月, 2018 2 次提交
    • J
      Merge branch 'nvme-4.18' of git://git.infradead.org/nvme into for-linus · f9da9d07
      Jens Axboe 提交于
      Pull NVMe fixes from Christoph:
      
      "Various relatively small fixes, mostly to fix error handling of various
       sorts."
      
      * 'nvme-4.18' of git://git.infradead.org/nvme:
        nvme-pci: limit max IO size and segments to avoid high order allocations
        nvme-pci: move nvme_kill_queues to nvme_remove_dead_ctrl
        nvme-fc: release io queues to allow fast fail
        nvmet: reset keep alive timer in controller enable
        nvme-rdma: don't override opts->queue_size
        nvme-rdma: Fix command completion race at error recovery
        nvme-rdma: fix possible free of a non-allocated async event buffer
        nvme-rdma: fix possible double free condition when failing to create a controller
      f9da9d07
    • J
      nvme-pci: limit max IO size and segments to avoid high order allocations · 943e942e
      Jens Axboe 提交于
      nvme requires an sg table allocation for each request. If the request
      is large, then the allocation can become quite large. For instance,
      with our default software settings of 1280KB IO size, we'll need
      10248 bytes of sg table. That turns into a 2nd order allocation,
      which we can't always guarantee. If we fail the allocation, blk-mq
      will retry it later. But there's no guarantee that we'll EVER be
      able to allocate that much contigious memory.
      
      Limit the IO size such that we never need more than a single page
      of memory. That's a lot faster and more reliable. Then back that
      allocation with a mempool, so that we know we'll always be able
      to succeed the allocation at some point.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Acked-by: NKeith Busch <keith.busch@intel.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      943e942e
  5. 21 6月, 2018 5 次提交
  6. 20 6月, 2018 7 次提交
    • M
      nvmet: reset keep alive timer in controller enable · d68a90e1
      Max Gurtuvoy 提交于
      Controllers that are not yet enabled should not really enforce keep alive
      timeouts, but we still want to track a timeout and cleanup in case a host
      died before it enabled the controller.  Hence, simply reset the keep
      alive timer when the controller is enabled.
      Suggested-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      d68a90e1
    • S
      nvme-rdma: don't override opts->queue_size · 5e77d61c
      Sagi Grimberg 提交于
      That is user argument, and theoretically controller limits can change
      over time (over reconnects/resets).  Instead, use the sqsize controller
      attribute to check queue depth boundaries and use it to the tagset
      allocation.
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      5e77d61c
    • I
      nvme-rdma: Fix command completion race at error recovery · c947657b
      Israel Rukshin 提交于
      The race is between completing the request at error recovery work and
      rdma completions.  If we cancel the request before getting the good
      rdma completion we get a NULL deref of the request MR at
      nvme_rdma_process_nvme_rsp().
      
      When Canceling the request we return its mr to the mr pool (set mr to
      NULL) and also unmap its data.  Canceling the requests while the rdma
      queues are active is not safe.  Because rdma queues are active and we
      get good rdma completions that can use the mr pointer which may be NULL.
      Completing the request too soon may lead also to performing DMA to/from
      user buffers which might have been already unmapped.
      
      The commit fixes the race by draining the QP before starting the abort
      commands mechanism.
      Signed-off-by: NIsrael Rukshin <israelr@mellanox.com>
      Reviewed-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      c947657b
    • S
      nvme-rdma: fix possible free of a non-allocated async event buffer · 94e42213
      Sagi Grimberg 提交于
      If nvme_rdma_configure_admin_queue fails before we allocated
      the async event buffer, we will falsly free it because
      nvme_rdma_free_queue is freeing it. Fix it by allocating the buffer right
      after nvme_rdma_alloc_queue and free it right before nvme_rdma_queue_free
      to maintain orderly reverse cleanup sequence.
      Reported-by: NIsrael Rukshin <israelr@mellanox.com>
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Reviewed-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      94e42213
    • S
      nvme-rdma: fix possible double free condition when failing to create a controller · 3d064101
      Sagi Grimberg 提交于
      Failures after nvme_init_ctrl will defer resource cleanups to .free_ctrl
      when the reference is released, hence we should not free the controller
      queues for these failures.
      
      Fix that by moving controller queues allocation before controller
      initialization and correctly freeing them for failures before
      initialization and skip them for failures after initialization.
      Signed-off-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      3d064101
    • B
      Revert "block: Add warning for bi_next not NULL in bio_endio()" · 9c24c10a
      Bart Van Assche 提交于
      Commit 0ba99ca4 ("block: Add warning for bi_next not NULL in
      bio_endio()") breaks the dm driver. end_clone_bio() detects whether
      or not a bio is the last bio associated with a request by checking
      the .bi_next field. Commit 0ba99ca4 clears that field before
      end_clone_bio() has had a chance to inspect that field. Hence revert
      commit 0ba99ca4.
      
      This patch avoids that KASAN reports the following complaint when
      running the srp-test software (srp-test/run_tests -c -d -r 10 -t 02-mq):
      
      ==================================================================
      BUG: KASAN: use-after-free in bio_advance+0x11b/0x1d0
      Read of size 4 at addr ffff8801300e06d0 by task ksoftirqd/0/9
      
      CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.18.0-rc1-dbg+ #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0xa4/0xf5
       print_address_description+0x6f/0x270
       kasan_report+0x241/0x360
       __asan_load4+0x78/0x80
       bio_advance+0x11b/0x1d0
       blk_update_request+0xa7/0x5b0
       scsi_end_request+0x56/0x320 [scsi_mod]
       scsi_io_completion+0x7d6/0xb20 [scsi_mod]
       scsi_finish_command+0x1c0/0x280 [scsi_mod]
       scsi_softirq_done+0x19a/0x230 [scsi_mod]
       blk_mq_complete_request+0x160/0x240
       scsi_mq_done+0x50/0x1a0 [scsi_mod]
       srp_recv_done+0x515/0x1330 [ib_srp]
       __ib_process_cq+0xa0/0xf0 [ib_core]
       ib_poll_handler+0x38/0xa0 [ib_core]
       irq_poll_softirq+0xe8/0x1f0
       __do_softirq+0x128/0x60d
       run_ksoftirqd+0x3f/0x60
       smpboot_thread_fn+0x352/0x460
       kthread+0x1c1/0x1e0
       ret_from_fork+0x24/0x30
      
      Allocated by task 1918:
       save_stack+0x43/0xd0
       kasan_kmalloc+0xad/0xe0
       kasan_slab_alloc+0x11/0x20
       kmem_cache_alloc+0xfe/0x350
       mempool_alloc_slab+0x15/0x20
       mempool_alloc+0xfb/0x270
       bio_alloc_bioset+0x244/0x350
       submit_bh_wbc+0x9c/0x2f0
       __block_write_full_page+0x299/0x5a0
       block_write_full_page+0x16b/0x180
       blkdev_writepage+0x18/0x20
       __writepage+0x42/0x80
       write_cache_pages+0x376/0x8a0
       generic_writepages+0xbe/0x110
       blkdev_writepages+0xe/0x10
       do_writepages+0x9b/0x180
       __filemap_fdatawrite_range+0x178/0x1c0
       file_write_and_wait_range+0x59/0xc0
       blkdev_fsync+0x46/0x80
       vfs_fsync_range+0x66/0x100
       do_fsync+0x3d/0x70
       __x64_sys_fsync+0x21/0x30
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 9:
       save_stack+0x43/0xd0
       __kasan_slab_free+0x137/0x190
       kasan_slab_free+0xe/0x10
       kmem_cache_free+0xd3/0x380
       mempool_free_slab+0x17/0x20
       mempool_free+0x63/0x160
       bio_free+0x81/0xa0
       bio_put+0x59/0x60
       end_bio_bh_io_sync+0x5d/0x70
       bio_endio+0x1a7/0x360
       blk_update_request+0xd0/0x5b0
       end_clone_bio+0xa3/0xd0 [dm_mod]
       bio_endio+0x1a7/0x360
       blk_update_request+0xd0/0x5b0
       scsi_end_request+0x56/0x320 [scsi_mod]
       scsi_io_completion+0x7d6/0xb20 [scsi_mod]
       scsi_finish_command+0x1c0/0x280 [scsi_mod]
       scsi_softirq_done+0x19a/0x230 [scsi_mod]
       blk_mq_complete_request+0x160/0x240
       scsi_mq_done+0x50/0x1a0 [scsi_mod]
       srp_recv_done+0x515/0x1330 [ib_srp]
       __ib_process_cq+0xa0/0xf0 [ib_core]
       ib_poll_handler+0x38/0xa0 [ib_core]
       irq_poll_softirq+0xe8/0x1f0
       __do_softirq+0x128/0x60d
      
      The buggy address belongs to the object at ffff8801300e0640
       which belongs to the cache bio-0 of size 200
      The buggy address is located 144 bytes inside of
       200-byte region [ffff8801300e0640, ffff8801300e0708)
      The buggy address belongs to the page:
      page:ffffea0004c03800 count:1 mapcount:0 mapping:ffff88015a563a00 index:0x0 compound_mapcount: 0
      flags: 0x8000000000008100(slab|head)
      raw: 8000000000008100 dead000000000100 dead000000000200 ffff88015a563a00
      raw: 0000000000000000 0000000000330033 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8801300e0580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
       ffff8801300e0600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      >ffff8801300e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
       ffff8801300e0700: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8801300e0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Fixes: 0ba99ca4 ("block: Add warning for bi_next not NULL in bio_endio()")
      Acked-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NBart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      9c24c10a
    • C
      block: fix timeout changes for legacy request drivers · 0cc61e64
      Christoph Hellwig 提交于
      blk_mq_complete_request can only be called for blk-mq drivers, but when
      removing the BLK_EH_HANDLED return value, two legacy request timeout
      methods incorrectly got switched to call blk_mq_complete_request.
      Call __blk_complete_request instead to reinstance the previous behavior.
      For that __blk_complete_request needs to be exported.
      
      Fixes: 1fc2b62e ("scsi_transport_fc: complete requests from ->timeout")
      Fixes: 0df0bb08 ("null_blk: complete requests from ->timeout")
      Reported-by: NJianchao Wang <jianchao.w.wang@oracle.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      0cc61e64
  7. 15 6月, 2018 6 次提交
  8. 14 6月, 2018 6 次提交
    • C
      blk-mq: remove blk_mq_tagset_iter · e6c3456a
      Christoph Hellwig 提交于
      Unused now that nvme stopped using it.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NJens Axboe <axboe@kernel.dk>
      e6c3456a
    • C
      nvme: remove nvme_reinit_tagset · 14dfa400
      Christoph Hellwig 提交于
      Unused now that all transports stopped using it.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NJens Axboe <axboe@kernel.dk>
      14dfa400
    • J
      nvme-fc: fix nulling of queue data on reconnect · 3e493c00
      James Smart 提交于
      The reconnect path is calling the init routines to clear a queue
      structure. But the queue structure has state that perhaps needs
      to persist as long as the controller is live.
      
      Remove the nvme_fc_init_queue() calls on reconnect.
      The nvme_fc_free_queue() calls will clear state bits and reset
      any relevant queue state for a new connection.
      Signed-off-by: NJames Smart <james.smart@broadcom.com>
      Reviewed-by: NHannes Reinecke <hare@suse.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      3e493c00
    • J
      nvme-fc: remove reinit_request routine · 587331f7
      James Smart 提交于
      The reinit_request routine is not necessary. Remove support for the
      op callback.
      
      As all that nvme_reinit_tagset() does is itterate and call the
      reinit routine, it too has no purpose. Remove the call.
      Signed-off-by: NJames Smart <james.smart@broadcom.com>
      Reviewed-by: NHannes Reinecke <hare@suse.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      587331f7
    • C
      blk-mq: don't time out requests again that are in the timeout handler · da661267
      Christoph Hellwig 提交于
      We can currently call the timeout handler again on a request that has
      already been handed over to the timeout handler.  Prevent that with a new
      flag.
      
      Fixes: 12f5b931 ("blk-mq: Remove generation seqeunce")
      Reported-by: NAndrew Randrianasulu <randrianasulu@gmail.com>
      Tested-by: NAndrew Randrianasulu <randrianasulu@gmail.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      da661267
    • J
      nvme-fc: change controllers first connect to use reconnect path · 4c984154
      James Smart 提交于
      Current code follows the framework that has been in the transports
      from the beginning where initial link-side controller connect occurs
      as part of "creating the controller". Thus that first connect fully
      talks to the controller and obtains values that can then be used in
      for blk-mq setup, etc. It also means that everything about the
      controller is fully know before the "create controller" call returns.
      
      This has several weaknesses:
      - The initial create_ctrl call made by the cli will block for a long
        time as wire transactions are performed synchronously. This delay
        becomes longer if errors occur or connectivity is lost and retries
        need to be performed.
      - Code wise, it means there is a separate connect path for initial
        controller connect vs the (same) steps used in the reconnect path.
      - And as there's separate paths, it means there's separate error
        handling and retry logic. It also plays havoc with the NEW state
        (should transition out of it after successful initial connect) vs
        the RESETTING and CONNECTING (reconnect) states that want to be
        transitioned to on error.
      - As there's separate paths, to recover from errors and disruptions,
        it requires separate recovery/retry paths as well and can severely
        convolute the controller state.
      
      This patch reworks the fc transport to use the same connect paths
      for the initial connection as it uses for reconnect. This makes a
      single path for error recovery and handling.
      
      This patch:
      - Removes the driving of the initial connect and replaces it with
        a state transition to CONNECTING and initiating the reconnect
        thread. A dummy state transition of RESETTING had to be traversed
        as a direct transtion of NEW->CONNECTING is not allowed. Given
        that the controller is "new", the RESETTING transition is a simple
        no-op. Once in the reconnecting thread, the normal behaviors of
        ctrl_loss_tmo (max_retries * connect_delay) and dev_loss_tmo will
        apply before the controller is torn down.
      - Only if the state transitions couldn't be traversed and the
        reconnect thread not scheduled, will the controller be torn down
        while in create_ctrl.
      - The prior code used the controller state of NEW to indicate
        whether request queues had been initialized or not. For the admin
        queue, the request queue is always created, so there's no need to
        check a state. For IO queues, change to tracking whether a successful
        io request queue create has occurred (e.g. 1st successful connect).
      - The initial controller id is initialized to the dynamic controller
        id used in the initial connect message. It will be overwritten by
        the real controller id once the controller is connected on the wire.
      Signed-off-by: NJames Smart <james.smart@broadcom.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      4c984154
  9. 13 6月, 2018 1 次提交
  10. 11 6月, 2018 9 次提交
    • C
      nvmet: free smart-log buffer after use · c42d7a30
      Chaitanya Kulkarni 提交于
      Free smart-log buffer allocated in the function after use.
      Signed-off-by: NChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      c42d7a30
    • M
      nvme-rdma: fix error flow during mapping request data · 94423a8f
      Max Gurtovoy 提交于
      After dma mapping the sgl, we map the sgl to nvme sgl descriptor. In case
      of failure during the last mapping we never dma unmap the sgl.
      Signed-off-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      94423a8f
    • H
      nvme: add bio remapping tracepoint · 2796b569
      Hannes Reinecke 提交于
      Adding a tracepoint to trace bio remapping for native nvme multipath.
      Signed-off-by: NHannes Reinecke <hare@suse.com>
      Reviewed-by: NSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      2796b569
    • I
      nvme: fix NULL pointer dereference in nvme_init_subsystem · 16001c10
      Israel Rukshin 提交于
      When using nvme-pci driver the nvmf_ctrl_options is NULL.
      There is no need to check for discovery_nqn flag at non-fabrics controller.
      
      Fixes: 181303d0 ("nvme-fabrics: allow duplicate connections to the discovery controller")
      Signed-off-by: NIsrael Rukshin <israelr@mellanox.com>
      Reviewed-by: NMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      16001c10
    • R
      blk-mq: reinit q->tag_set_list entry only after grace period · a347c7ad
      Roman Pen 提交于
      It is not allowed to reinit q->tag_set_list list entry while RCU grace
      period has not completed yet, otherwise the following soft lockup in
      blk_mq_sched_restart() happens:
      
      [ 1064.252652] watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [fio:9270]
      [ 1064.254445] task: ffff99b912e8b900 task.stack: ffffa6d54c758000
      [ 1064.254613] RIP: 0010:blk_mq_sched_restart+0x96/0x150
      [ 1064.256510] Call Trace:
      [ 1064.256664]  <IRQ>
      [ 1064.256824]  blk_mq_free_request+0xea/0x100
      [ 1064.256987]  msg_io_conf+0x59/0xd0 [ibnbd_client]
      [ 1064.257175]  complete_rdma_req+0xf2/0x230 [ibtrs_client]
      [ 1064.257340]  ? ibtrs_post_recv_empty+0x4d/0x70 [ibtrs_core]
      [ 1064.257502]  ibtrs_clt_rdma_done+0xd1/0x1e0 [ibtrs_client]
      [ 1064.257669]  ib_create_qp+0x321/0x380 [ib_core]
      [ 1064.257841]  ib_process_cq_direct+0xbd/0x120 [ib_core]
      [ 1064.258007]  irq_poll_softirq+0xb7/0xe0
      [ 1064.258165]  __do_softirq+0x106/0x2a2
      [ 1064.258328]  irq_exit+0x92/0xa0
      [ 1064.258509]  do_IRQ+0x4a/0xd0
      [ 1064.258660]  common_interrupt+0x7a/0x7a
      [ 1064.258818]  </IRQ>
      
      Meanwhile another context frees other queue but with the same set of
      shared tags:
      
      [ 1288.201183] INFO: task bash:5910 blocked for more than 180 seconds.
      [ 1288.201833] bash            D    0  5910   5820 0x00000000
      [ 1288.202016] Call Trace:
      [ 1288.202315]  schedule+0x32/0x80
      [ 1288.202462]  schedule_timeout+0x1e5/0x380
      [ 1288.203838]  wait_for_completion+0xb0/0x120
      [ 1288.204137]  __wait_rcu_gp+0x125/0x160
      [ 1288.204287]  synchronize_sched+0x6e/0x80
      [ 1288.204770]  blk_mq_free_queue+0x74/0xe0
      [ 1288.204922]  blk_cleanup_queue+0xc7/0x110
      [ 1288.205073]  ibnbd_clt_unmap_device+0x1bc/0x280 [ibnbd_client]
      [ 1288.205389]  ibnbd_clt_unmap_dev_store+0x169/0x1f0 [ibnbd_client]
      [ 1288.205548]  kernfs_fop_write+0x109/0x180
      [ 1288.206328]  vfs_write+0xb3/0x1a0
      [ 1288.206476]  SyS_write+0x52/0xc0
      [ 1288.206624]  do_syscall_64+0x68/0x1d0
      [ 1288.206774]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      What happened is the following:
      
      1. There are several MQ queues with shared tags.
      2. One queue is about to be freed and now task is in
         blk_mq_del_queue_tag_set().
      3. Other CPU is in blk_mq_sched_restart() and loops over all queues in
         tag list in order to find hctx to restart.
      
      Because linked list entry was modified in blk_mq_del_queue_tag_set()
      without proper waiting for a grace period, blk_mq_sched_restart()
      never ends, spining in list_for_each_entry_rcu_rr(), thus soft lockup.
      
      Fix is simple: reinit list entry after an RCU grace period elapsed.
      
      Fixes: Fixes: 705cda97 ("blk-mq: Make it safe to use RCU to iterate over blk_mq_tag_set.tag_list")
      Cc: stable@vger.kernel.org
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: linux-block@vger.kernel.org
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NMing Lei <ming.lei@redhat.com>
      Reviewed-by: NBart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: NRoman Pen <roman.penyaev@profitbricks.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      a347c7ad
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f0dc7f9c
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix several bpfilter/UMH bugs, in particular make the UMH build not
          depend upon X86 specific Kconfig symbols. From Alexei Starovoitov.
      
       2) Fix handling of modified context pointer in bpf verifier, from
          Daniel Borkmann.
      
       3) Kill regression in ifdown/ifup sequences for hv_netvsc driver, from
          Dexuan Cui.
      
       4) When the bonding primary member name changes, we have to re-evaluate
          the bond->force_primary setting, from Xiangning Yu.
      
       5) Eliminate possible padding beyone end of SKB in cdc_ncm driver, from
          Bjørn Mork.
      
       6) RX queue length reported for UDP sockets in procfs and socket diag
          are inaccurate, from Paolo Abeni.
      
       7) Fix br_fdb_find_port() locking, from Petr Machata.
      
       8) Limit sk_rcvlowat values properly in TCP, from Soheil Hassas
          Yeganeh.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (23 commits)
        tcp: limit sk_rcvlowat by the maximum receive buffer
        net: phy: dp83822: use BMCR_ANENABLE instead of BMSR_ANEGCAPABLE for DP83620
        socket: close race condition between sock_close() and sockfs_setattr()
        net: bridge: Fix locking in br_fdb_find_port()
        udp: fix rx queue len reported by diag and proc interface
        cdc_ncm: avoid padding beyond end of skb
        net/sched: act_simple: fix parsing of TCA_DEF_DATA
        net: fddi: fix a possible null-ptr-deref
        net: aquantia: fix unsigned numvecs comparison with less than zero
        net: stmmac: fix build failure due to missing COMMON_CLK dependency
        bpfilter: fix race in pipe access
        bpf, xdp: fix crash in xdp_umem_unaccount_pages
        xsk: Fix umem fill/completion queue mmap on 32-bit
        tools/bpf: fix selftest get_cgroup_id_user
        bpfilter: fix OUTPUT_FORMAT
        umh: fix race condition
        net: mscc: ocelot: Fix uninitialized error in ocelot_netdevice_event()
        bonding: re-evaluate force_primary when the primary slave name changes
        ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
        hv_netvsc: Fix a network regression after ifdown/ifup
        ...
      f0dc7f9c
    • L
      Merge tag 'rtc-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · 1aaccb5f
      Linus Torvalds 提交于
      Pull RTC updates from Alexandre Belloni:
       "Setting the supported range from drivers for RTCs failing soon has
        started. A few fixes are developed along the way. Some drivers have
        been switched to SPDX by their maintainers.
      
        Subsystem:
      
         - rework of the rtc-test driver which allows to test the core more
           thoroughly
      
         - rtc_set_alarm() now fails early when alarms are not supported
      
        Drivers:
      
         - mktime() is now replaced by mktime64()
      
         - RTC range added for 88pm80x, ab-b5ze-s3, at91rm9200,
           brcmstb-waketimer, ds1685, ftrtc010, ls1x, mxc_v2, rx8581, sprd,
           st-lpc, tps6586x, tps65910 and vr41xx
      
         - fixed a possible race condition in probe functions
      
         - pxa: fix the probe function that is broken since v4.3
      
         - stm32: now supports stm32mp1"
      
      * tag 'rtc-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (78 commits)
        rtc: pxa: fix probe function
        rtc: cros-ec: Switch to SPDX identifier.
        rtc: cros-ec: Make license text and module license match.
        rtc: ensure rtc_set_alarm fails when alarms are not supported
        rtc: test: remove alarm support from the first device
        rtc: test: convert to devm_rtc_allocate_device
        rtc: ftrtc010: let the core handle range
        rtc: ftrtc010: handle dates after 2106
        rtc: ftrtc010: switch to devm_rtc_allocate_device
        rtc: mrst: switch to devm functions
        rtc: sunxi: fix possible race condition
        rtc: test: remove irq sysfs file
        rtc: test: emulate alarms using timers
        rtc: test: store time as an offset to system time
        rtc: test: allow registering many devices
        rtc: test: remove useless proc info
        rtc: ds1685: Add range
        rtc: ds1685: fix possible race condition
        rtc: sprd: Add new RTC power down check method
        rtc: sun6i: Fix bit_idx value for clk_register_gate
        ...
      1aaccb5f
    • L
      Merge tag 'upstream-4.18-rc1' of git://git.infradead.org/linux-ubifs · ab0b2e59
      Linus Torvalds 提交于
      Pull UBI and UBIFS updates from Richard Weinberger:
      
       - the UBI on-disk format header file is now dual licensed
      
       - new way to detect Fastmap problems during runtime
      
       - bugfix for Fastmap
      
       - minor updates for UBIFS (spelling, comments, vm_fault_t, ...)
      
      * tag 'upstream-4.18-rc1' of git://git.infradead.org/linux-ubifs:
        mtd: ubi: Update ubi-media.h to dual license
        ubi: fastmap: Detect EBA mismatches on-the-fly
        ubi: fastmap: Check each mapping only once
        ubi: fastmap: Correctly handle interrupted erasures in EBA
        ubi: fastmap: Cancel work upon detach
        ubifs: lpt: Fix wrong pnode number range in comment
        ubifs: gc: Fix typo
        ubifs: log: Some spelling fixes
        ubifs: Spelling fix someting -> something
        ubifs: journal: Remove wrong comment
        ubifs: remove set but never used variable
        ubifs, xattr: remove misguided quota flags
        fs: ubifs: Adding new return type vm_fault_t
      ab0b2e59
    • S
      tcp: limit sk_rcvlowat by the maximum receive buffer · 867f816b
      Soheil Hassas Yeganeh 提交于
      The user-provided value to setsockopt(SO_RCVLOWAT) can be
      larger than the maximum possible receive buffer. Such values
      mute POLLIN signals on the socket which can stall progress
      on the socket.
      
      Limit the user-provided value to half of the maximum receive
      buffer, i.e., half of sk_rcvbuf when the receive buffer size
      is set by the user, or otherwise half of sysctl_tcp_rmem[2].
      
      Fixes: d1361840 ("tcp: fix SO_RCVLOWAT and RCVBUF autotuning")
      Signed-off-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reviewed-by: NNeal Cardwell <ncardwell@google.com>
      Acked-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      867f816b