1. 25 Apr, 2019 11 commits
    • bcache: return error immediately in bch_journal_replay() · 68d10e69
      Coly Li committed
      When failure happens inside bch_journal_replay(), calling
      cache_set_err_on() and handling the failure in async way is not a good
      idea. Because after bch_journal_replay() returns, registering code will
      continue to execute following steps, and unregistering code triggered
      by cache_set_err_on() is running in same time. First it is unnecessary
      to handle failure and unregister cache set in an async way, second there
      might be potential race condition to run register and unregister code
      for same cache set.
      
      So in this patch, if failure happens in bch_journal_replay(), we don't
      call cache_set_err_on(), and just print out the same error message to
      kernel message buffer, then return -EIO immediately to caller. Then caller
      can detect such failure and handle it in synchronized way.
      Signed-off-by: Coly Li <colyli@suse.de>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: add comments for kobj release callback routine · 2d17456e
      Coly Li committed
      Bcache has several routines to release resources in implicit way, they
      are called when the associated kobj released. This patch adds code
      comments to notice when and which release callback will be called,
      - When dc->disk.kobj released:
        void bch_cached_dev_release(struct kobject *kobj)
      - When d->kobj released:
        void bch_flash_dev_release(struct kobject *kobj)
      - When c->kobj released:
        void bch_cache_set_release(struct kobject *kobj)
      - When ca->kobj released
        void bch_cache_release(struct kobject *kobj)
      Signed-off-by: Coly Li <colyli@suse.de>
      Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: add failure check to run_cache_set() for journal replay · ce3e4cfb
      Coly Li committed
      Currently run_cache_set() has no return value, if there is failure in
      bch_journal_replay(), the caller of run_cache_set() has no idea about
      such failure and just continue to execute following code after
      run_cache_set().  The internal failure is triggered inside
      bch_journal_replay() and being handled in async way. This behavior is
      inefficient, while failure handling inside bch_journal_replay(), cache
      register code is still running to start the cache set. Registering and
      unregistering code running at the same time may introduce some rare race
      condition, and make the code harder to understand.

      This patch adds return value to run_cache_set(), and returns -EIO if
      bch_journal_replay() fails. Then caller of run_cache_set() may detect
      such failure and stop registering code flow immediately inside
      register_cache_set().
      
      If journal replay fails, run_cache_set() can report error immediately
      to register_cache_set(). This patch makes the failure handling for
      bch_journal_replay() be in synchronized way, easier to understand and
      debug, and avoid potential race condition for register-and-unregister
      at the same time.
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() · 1bee2add
      Coly Li committed
      In journal_reclaim() ja->cur_idx of each cache will be updated to
      reclaim available journal buckets. Variable 'int n' is used to count how
      many cache is successfully reclaimed, then n is set to c->journal.key
      by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
      loop will write the jset data onto each cache.
      
      The problem is, if all journal buckets on each cache is full, the
      following code in journal_reclaim(),
      
      529 for_each_cache(ca, c, iter) {
      530       struct journal_device *ja = &ca->journal;
      531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
      532
      533       /* No space available on this device */
      534       if (next == ja->discard_idx)
      535               continue;
      536
      537       ja->cur_idx = next;
      538       k->ptr[n++] = MAKE_PTR(0,
      539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
      540                         ca->sb.nr_this_dev);
      541 }
      542
      543 bkey_init(k);
      544 SET_KEY_PTRS(k, n);
      
      If there is no available bucket to reclaim, the if() condition at line
      534 will always be true, and n remains 0. Then at line 544, SET_KEY_PTRS()
      will set KEY_PTRS field of c->journal.key to 0.
      
      Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in
      journal_write_unlocked() the journal data is written in following loop,
      
      649	for (i = 0; i < KEY_PTRS(k); i++) {
      650-671		submit journal data to cache device
      672	}
      
      If KEY_PTRS field is set to 0 in journal_reclaim(), the journal data
      won't be written to cache device here. If system crashed or rebooted
      before bkeys of the lost journal entries written into btree nodes, data
      corruption will be reported during bcache reload after rebooting the
      system.
      
      Indeed there is only one cache in a cache set, there is no need to set
      KEY_PTRS field in journal_reclaim() at all. But in order to keep the
      for_each_cache() logic consistent for now, this patch fixes the above
      problem by not setting 0 KEY_PTRS of journal key, if there is no bucket
      available to reclaim.
      Signed-off-by: Coly Li <colyli@suse.de>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: move definition of 'int ret' out of macro read_bucket() · 14215ee0
      Coly Li committed
      'int ret' is defined as a local variable inside macro read_bucket().
      Since this macro is called multiple times, and following patches will
      use a 'int ret' variable in bch_journal_read(), this patch moves
      definition of 'int ret' from macro read_bucket() to range of function
      bch_journal_read().
      Signed-off-by: Coly Li <colyli@suse.de>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: fix a race between cache register and cacheset unregister · a4b732a2
      Liang Chen committed
      There is a race between cache device register and cache set unregister.
      For an already registered cache device, register_bcache will call
      bch_is_open to iterate through all cachesets and check every cache
      there. The race occurs if cache_set_free executes at the same time and
      clears the caches right before ca is dereferenced in bch_is_open_cache.
      To close the race, let's make sure the clean up work is protected by
      the bch_register_lock as well.
      
      This issue can be reproduced as follows,
      while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
      while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &
      
      and results in the following oops,
      
      [  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
      [  +0.000457] #PF error: [normal kernel read fault]
      [  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
      [  +0.000388] Oops: 0000 [#1] SMP PTI
      [  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
      [  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
      [  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
      [  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
      [  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
      [  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
      [  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
      [  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
      [  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
      [  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
      [  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
      [  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
      [  +0.000837] Call Trace:
      [  +0.000682]  ? _cond_resched+0x10/0x20
      [  +0.000691]  ? __kmalloc+0x131/0x1b0
      [  +0.000710]  kernfs_fop_write+0xfa/0x170
      [  +0.000733]  __vfs_write+0x2e/0x190
      [  +0.000688]  ? inode_security+0x10/0x30
      [  +0.000698]  ? selinux_file_permission+0xd2/0x120
      [  +0.000752]  ? security_file_permission+0x2b/0x100
      [  +0.000753]  vfs_write+0xa8/0x1a0
      [  +0.000676]  ksys_write+0x4d/0xb0
      [  +0.000699]  do_syscall_64+0x3a/0xf0
      [  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: Clean up bch_get_congested() · 3a394727
      George Spelvin committed
      There are a few nits in this function.  They could in theory all
      be separate patches, but that's probably taking small commits
      too far.
      
      1) I added a brief comment saying what it does.
      
      2) I like to declare pointer parameters "const" where possible
         for documentation reasons.
      
      3) It uses bitmap_weight(&rand, BITS_PER_LONG) to compute the Hamming
      weight of a 32-bit random number (giving a random integer with
      mean 16 and variance 8).  Passing by reference in a 64-bit variable
      is silly; just use hweight32().
      
      4) Its helper function fract_exp_two is unnecessarily tangled.
      Gcc can optimize the multiply by (1 << x) to a shift, but it can
      be written in a much more straightforward way at the cost of one
      more bit of internal precision.  Some analysis reveals that this
      bit is always available.
      
      This shrinks the object code for fract_exp_two(x, 6) from 23 bytes:
      
      0000000000000000 <foo1>:
         0:   89 f9                   mov    %edi,%ecx
         2:   c1 e9 06                shr    $0x6,%ecx
         5:   b8 01 00 00 00          mov    $0x1,%eax
         a:   d3 e0                   shl    %cl,%eax
         c:   83 e7 3f                and    $0x3f,%edi
         f:   d3 e7                   shl    %cl,%edi
        11:   c1 ef 06                shr    $0x6,%edi
        14:   01 f8                   add    %edi,%eax
        16:   c3                      retq
      
      To 19:
      
      0000000000000017 <foo2>:
        17:   89 f8                   mov    %edi,%eax
        19:   83 e0 3f                and    $0x3f,%eax
        1c:   83 c0 40                add    $0x40,%eax
        1f:   89 f9                   mov    %edi,%ecx
        21:   c1 e9 06                shr    $0x6,%ecx
        24:   d3 e0                   shl    %cl,%eax
        26:   c1 e8 06                shr    $0x6,%eax
        29:   c3                      retq
      
      (Verified with 0 <= frac_bits <= 8, 0 <= x < 16<<frac_bits;
      both versions produce the same output.)
      
      5) And finally, the call to bch_get_congested() in check_should_bypass()
      is separated from the use of the value by multiple tests which
      could moot the need to compute it.  Move the computation down to
      where it's needed.  This also saves a local register to hold the
      computed value.
      Signed-off-by: George Spelvin <lkml@sdf.org>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
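The equivalence claimed in item 4 of the bch_get_congested() commit can be re-checked exhaustively. This is an added example, not the kernel source: both functions are reconstructed from the two disassembly listings above and generalised from 6 to a `frac_bits` parameter, and the `_old`/`_new` suffixes and the `max_old`/`max_new` trackers are names chosen here.

```c
#include <stdio.h>

/* Shape of the <foo1> listing: 2^e + ((fract << e) >> frac_bits). */
static unsigned int fract_exp_two_old(unsigned int x, unsigned int frac_bits)
{
	unsigned int fract = x & ((1u << frac_bits) - 1);
	unsigned int e = x >> frac_bits;

	return (1u << e) + ((fract << e) >> frac_bits);
}

/* Shape of the <foo2> listing: ((2^frac_bits + fract) << e) >> frac_bits. */
static unsigned int fract_exp_two_new(unsigned int x, unsigned int frac_bits)
{
	unsigned int mantissa = (1u << frac_bits) + (x & ((1u << frac_bits) - 1));

	return (mantissa << (x >> frac_bits)) >> frac_bits;
}

/* Largest value each version holds before its final right shift. */
static unsigned int max_old, max_new;

/* Exhaustive comparison over 0 <= frac_bits <= 8, 0 <= x < 16 << frac_bits. */
static unsigned long count_mismatches(void)
{
	unsigned long bad = 0;

	max_old = max_new = 0;
	for (unsigned int b = 0; b <= 8; b++) {
		unsigned int mask = (1u << b) - 1;

		for (unsigned int x = 0; x < (16u << b); x++) {
			unsigned int e = x >> b;
			unsigned int iold = (x & mask) << e;
			unsigned int inew = ((1u << b) + (x & mask)) << e;

			if (iold > max_old)
				max_old = iold;
			if (inew > max_new)
				max_new = inew;
			bad += fract_exp_two_old(x, b) != fract_exp_two_new(x, b);
		}
	}
	return bad;
}

int main(void)
{
	unsigned long bad = count_mismatches();

	printf("mismatches=%lu max_old=%#x max_new=%#x\n", bad, max_old, max_new);
	return bad != 0;
}
```

The tracked maxima show the "one more bit of internal precision": the new form peaks one bit higher than the old one, still far below the 32-bit limit over the stated range.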
    • bcache: use kmemdup_nul for CACHED_LABEL buffer · 792732d9
      Geliang Tang committed
      This patch uses kmemdup_nul to create a NUL-terminated string from
      dc->sb.label. This is better than open coding it.
      
      With this, we can move env[2] initialization into env[] array to make
      code more elegant.
      Signed-off-by: Geliang Tang <geliangtang@gmail.com>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: avoid clang -Wunintialized warning · 78d4eb8a
      Arnd Bergmann committed
      clang has identified a code path in which it thinks a
      variable may be unused:
      
      drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
            [-Werror,-Wsometimes-uninitialized]
                              fifo_pop(&ca->free_inc, bucket);
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
       #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                      ^~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
              if (_r) {                                                       \
                  ^~
      drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
                              allocator_wait(ca, bch_allocator_push(ca, bucket));
                                                                        ^~~~~~
      drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
                      if (cond)                                               \
                          ^~~~
      drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
                              fifo_pop(&ca->free_inc, bucket);
                              ^
      drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
       #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                      ^
      drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
              if (_r) {                                                       \
              ^
      drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
                              long bucket;
                                         ^
      
      This cannot happen in practice because we only enter the loop
      if there is at least one element in the list.
      
      Slightly rearranging the code makes this clearer to both the
      reader and the compiler, which avoids the warning.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: fix inaccurate result of unused buckets · 4e0c04ec
      Guoju Fang committed
      To get the amount of unused buckets in sysfs_priority_stats, the code
      counts the buckets whose GC_SECTORS_USED is zero. It's correct and should
      not be overwritten by the count of buckets whose prio is zero.
      Signed-off-by: Guoju Fang <fangguoju@gmail.com>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • bcache: fix crashes stopping bcache device before read miss done · 1568ee7e
      Guoju Fang committed
      The bio from upper layer is considered completed when bio_complete()
      returns. In most scenarios bio_complete() is called in search_free(),
      but when read miss happens, the bio_complete() is called when backing
      device reading completed, while the struct search is still in use until
      cache inserting finished.
      
      If someone stops the bcache device just then, the device may be closed
      and released, but after cache inserting finished the struct search will
      access a freed struct cached_dev.
      
      This patch adds the reference of bcache device before bio_complete() when
      read miss happens, and put it after the search is not used.
      Signed-off-by: Guoju Fang <fangguoju@gmail.com>
      Signed-off-by: Coly Li <colyli@suse.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  2. 22 Apr, 2019 1 commit
  3. 20 Apr, 2019 2 commits
  4. 19 Apr, 2019 3 commits
  5. 17 Apr, 2019 13 commits
    • ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier · 3b9a9072
      Corey Minyard committed
      free_user() could be called in atomic context.
      
      This patch pushed the free operation off into a workqueue.
      
      Example:
      
       BUG: sleeping function called from invalid context at kernel/workqueue.c:2856
       in_atomic(): 1, irqs_disabled(): 0, pid: 177, name: ksoftirqd/27
       CPU: 27 PID: 177 Comm: ksoftirqd/27 Not tainted 4.19.25-3 #1
       Hardware name: AIC 1S-HV26-08/MB-DPSB04-06, BIOS IVYBV060 10/21/2015
       Call Trace:
        dump_stack+0x5c/0x7b
        ___might_sleep+0xec/0x110
        __flush_work+0x48/0x1f0
        ? try_to_del_timer_sync+0x4d/0x80
        _cleanup_srcu_struct+0x104/0x140
        free_user+0x18/0x30 [ipmi_msghandler]
        ipmi_free_recv_msg+0x3a/0x50 [ipmi_msghandler]
        deliver_response+0xbd/0xd0 [ipmi_msghandler]
        deliver_local_response+0xe/0x30 [ipmi_msghandler]
        handle_one_recv_msg+0x163/0xc80 [ipmi_msghandler]
        ? dequeue_entity+0xa0/0x960
        handle_new_recv_msgs+0x15c/0x1f0 [ipmi_msghandler]
        tasklet_action_common.isra.22+0x103/0x120
        __do_softirq+0xf8/0x2d7
        run_ksoftirqd+0x26/0x50
        smpboot_thread_fn+0x11d/0x1e0
        kthread+0x103/0x140
        ? sort_range+0x20/0x20
        ? kthread_destroy_worker+0x40/0x40
        ret_from_fork+0x1f/0x40
      
      Fixes: 77f82696 ("ipmi: fix use-after-free of user->release_barrier.rda")
      Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: Corey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 5.0
      Cc: Yang Yingliang <yangyingliang@huawei.com>
    • vt: fix cursor when clearing the screen · b2ecf006
      Mikulas Patocka committed
      The patch a6dbe442 ("vt: perform safe console erase in the right
      order") introduced a bug. The conditional do_update_region() was
      replaced by a call to update_region() that does contain the conditional
      already, but with unwanted extra side effects such as restoring the cursor
      drawing.
      
      In order to reproduce the bug:
      - use framebuffer console with the AMDGPU driver
      - type "links" to start the console www browser
      - press 'q' and space to exit links
      
      Now the cursor will be permanently visible in the center of the
      screen. It will stay there until something overwrites it.
      
      The bug goes away if we change update_region() back to the conditional
      do_update_region().
      
      [ nico: reworded changelog ]
      Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
      Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
      Cc: stable@vger.kernel.org
      Fixes: a6dbe442 ("vt: perform safe console erase in the right order")
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf · af4b54a2
      Ian Abbott committed
      `ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to
      allocate RX and TX buffers for USB transfers.  It allocates
      `devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
      allocation of `devpriv->usb_tx_buf` fails, it frees
      `devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
      error.  Later, `ni6501_detach()` will be called from the core comedi
      module code to clean up.  `ni6501_detach()` also frees both
      `devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
      `devpriv->usb_rx_buf` may have already been freed, leading to a
      double-free error.  Fix it by removing the call to
      `kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying
      on `ni6501_detach()` to free the memory.
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • staging: comedi: ni_usb6501: Fix use of uninitialized mutex · 660cf4ce
      Ian Abbott committed
      If `ni6501_auto_attach()` returns an error, the core comedi module code
      will call `ni6501_detach()` to clean up.  If `ni6501_auto_attach()`
      successfully allocated the comedi device private data, `ni6501_detach()`
      assumes that a `struct mutex mut` contained in the private data has been
      initialized and uses it.  Unfortunately, there are a couple of places
      where `ni6501_auto_attach()` can return an error after allocating the
      device private data but before initializing the mutex, so this
      assumption is invalid.  Fix it by initializing the mutex just after
      allocating the private data in `ni6501_auto_attach()` before any other
      errors can be returned.  Also move the call to `usb_set_intfdata()`
      just to keep the code a bit neater (either position for the call is
      fine).
      
      I believe this was the cause of the following syzbot crash report
      <https://syzkaller.appspot.com/bug?extid=cf4f2b6c24aff0a3edf6>:
      
      usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      usb 1-1: config 0 descriptor??
      usb 1-1: string descriptor 0 read error: -71
      comedi comedi0: Wrong number of endpoints
      ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device.
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xe8/0x16e lib/dump_stack.c:113
       assign_lock_key kernel/locking/lockdep.c:786 [inline]
       register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
       __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
       lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072
       ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567
       comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
       comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
       comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
       comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
       comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
       comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
       comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
       usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
       generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
       usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
       hub_port_connect drivers/usb/core/hub.c:5089 [inline]
       hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
       port_event drivers/usb/core/hub.c:5350 [inline]
       hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
       process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
       worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
       kthread+0x313/0x420 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
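The two ni_usb6501 commits above rest on one contract: the comedi core calls the detach handler after a failed auto-attach, so every error return must leave the private data in a state detach can handle. The user-space model below is an added example, not the driver's code; the tracking allocator, `t_mutex`, the `opts` flags and the order of steps inside `auto_attach()` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Instrumented stand-ins for kzalloc()/kfree() and struct mutex (constructed). */
#define SLOTS 8
static char pool[SLOTS][16];
static bool live[SLOTS];
static int next_slot, alloc_calls, fail_at, double_frees, uninit_locks;

static void *t_alloc(void)
{
	if (++alloc_calls == fail_at || next_slot == SLOTS)
		return NULL;                    /* injected allocation failure */
	live[next_slot] = true;                 /* slots are never reused */
	return pool[next_slot++];
}

static void t_free(void *p)
{
	if (!p)
		return;                         /* like kfree(NULL): no-op */
	size_t i = (size_t)((char *)p - &pool[0][0]) / sizeof(pool[0]);
	if (!live[i])
		double_frees++;                 /* a real kfree() would corrupt the heap */
	live[i] = false;
}

struct t_mutex { bool initialized; };
static void t_mutex_init(struct t_mutex *m) { m->initialized = true; }
static void t_mutex_lock(struct t_mutex *m) { if (!m->initialized) uninit_locks++; }

struct priv {                                   /* models the device private data */
	struct t_mutex mut;
	void *usb_rx_buf, *usb_tx_buf;
};

struct opts { bool fix_free, fix_mutex, endpoints_ok; int fail_at; };
struct result { int double_frees, uninit_locks, leaked; };

static int alloc_usb_buffers(struct priv *d, const struct opts *o)
{
	d->usb_rx_buf = t_alloc();
	if (!d->usb_rx_buf)
		return -1;
	d->usb_tx_buf = t_alloc();
	if (!d->usb_tx_buf) {
		if (!o->fix_free)
			t_free(d->usb_rx_buf);  /* pre-fix: pointer left dangling */
		return -1;
	}
	return 0;
}

static int auto_attach(struct priv *d, const struct opts *o)
{
	if (o->fix_mutex)
		t_mutex_init(&d->mut);          /* fixed: before any error return */
	if (!o->endpoints_ok)
		return -1;                      /* early error return 1 */
	if (alloc_usb_buffers(d, o))
		return -1;                      /* early error return 2 */
	if (!o->fix_mutex)
		t_mutex_init(&d->mut);          /* pre-fix: too late for the paths above */
	return 0;
}

static void detach(struct priv *d)              /* also runs after a failed attach */
{
	t_mutex_lock(&d->mut);
	t_free(d->usb_rx_buf);
	t_free(d->usb_tx_buf);
}

static struct result run(struct opts o)
{
	struct priv d = { { false }, NULL, NULL };      /* private data starts zeroed */

	memset(live, 0, sizeof(live));
	next_slot = alloc_calls = double_frees = uninit_locks = 0;
	fail_at = o.fail_at;
	auto_attach(&d, &o);
	detach(&d);
	struct result r = { double_frees, uninit_locks, 0 };
	for (int i = 0; i < SLOTS; i++)
		r.leaked += live[i];
	return r;
}

int main(void)
{
	struct result a = run((struct opts){ false, false, true, 2 }); /* pre-fix, TX alloc fails */
	struct result b = run((struct opts){ true, true, true, 2 });   /* fixed, same failure */

	printf("pre-fix: double_frees=%d uninit_locks=%d\n", a.double_frees, a.uninit_locks);
	printf("fixed:   double_frees=%d uninit_locks=%d\n", b.double_frees, b.uninit_locks);
	return 0;
}
```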
    • drm/tegra: hdmi: Setup audio only if configured · 83f8bf4b
      Thierry Reding committed
      The audio configuration is only valid if the HDMI codec has been
      properly set up. Do not attempt to set up audio before that happens
      because it causes a division by zero.
      
      Note that this is only problematic on Tegra20 and Tegra30. Later chips
      implement the division instructions which return zero when dividing by
      zero and don't throw an exception.
      
      Fixes: db5adf4d ("drm/tegra: hdmi: Fix audio to work with any pixel clock rate")
      Reported-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
      Tested-by: Dmitry Osipenko <digetx@gmail.com>
      Signed-off-by: Thierry Reding <treding@nvidia.com>
    • ocelot: Clean up stats update deferred work · 1e1caa97
      Claudiu Manoil committed
      This is preventive cleanup that may save troubles later.
      No need to cancel repeatedly queued work if code is properly
      refactored.
      Don't let the ethtool -s process interfere with the stat workqueue
      scheduling.
      Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ocelot: Don't sleep in atomic context (irqs_disabled()) · a8fd48b5
      Claudiu Manoil committed
      Preemption disabled at:
       [<ffff000008cabd54>] dev_set_rx_mode+0x1c/0x38
       Call trace:
       [<ffff00000808a5c0>] dump_backtrace+0x0/0x3d0
       [<ffff00000808a9a4>] show_stack+0x14/0x20
       [<ffff000008e6c0c0>] dump_stack+0xac/0xe4
       [<ffff0000080fe76c>] ___might_sleep+0x164/0x238
       [<ffff0000080fe890>] __might_sleep+0x50/0x88
       [<ffff0000082261e4>] kmem_cache_alloc+0x17c/0x1d0
       [<ffff000000ea0ae8>] ocelot_set_rx_mode+0x108/0x188 [mscc_ocelot_common]
       [<ffff000008cabcf0>] __dev_set_rx_mode+0x58/0xa0
       [<ffff000008cabd5c>] dev_set_rx_mode+0x24/0x38
      
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qed: fix spelling mistake "faspath" -> "fastpath" · 3321b6c2
      Colin Ian King committed
      There is a spelling mistake in a DP_INFO message, fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash · a885bcfd
      Tony Camuso committed
      The intended behavior of function ipmi_hardcode_init_one() is to default
      to kcs interface when no type argument is presented when initializing
      ipmi with hard coded addresses.
      
      However, the array of char pointers allocated on the stack by function
      ipmi_hardcode_init() was not inited to zeroes, so it contained stack
      debris.
      
      Consequently, passing the cruft stored in this array to function
      ipmi_hardcode_init_one() caused a crash when it was unable to detect
      that the char * being passed was nonsense and tried to access the
      address specified by the bogus pointer.
      
      The fix is simply to initialize the si_type array to zeroes, so if
      there were no type argument given at the command line, function
      ipmi_hardcode_init_one() could properly default to the kcs interface.
      Signed-off-by: Tony Camuso <tcamuso@redhat.com>
      Message-Id: <1554837603-40299-1-git-send-email-tcamuso@redhat.com>
      Signed-off-by: Corey Minyard <cminyard@mvista.com>
    • ipmi: Fix failure on SMBIOS specified devices · bd2e98b3
      Corey Minyard committed
      An extra memset was put into a place that cleared the interface
      type.
      Reported-by: Tony Camuso <tcamuso@redhat.com>
      Fixes: 3cd83bac ("ipmi: Consolidate the adding of platform devices")
      Signed-off-by: Corey Minyard <cminyard@mvista.com>
    • md/raid: raid5 preserve the writeback action after the parity check · b2176a1d
      Nigel Croxon committed
      The problem is that any 'uptodate' vs 'disks' check is not precise
      in this path. Put a "WARN_ON(!test_bit(R5_UPTODATE, &dev->flags)" on the
      device that might try to kick off writes and then skip the action.
      Better to prevent the raid driver from taking unexpected action *and* keep
      the system alive vs killing the machine with BUG_ON.
      
      Note: fixed warning reported by kbuild test robot <lkp@intel.com>
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
      Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
      Signed-off-by: Song Liu <songliubraving@fb.com>
    • Revert "Don't jump to compute_result state from check_result state" · a25d8c32
      Song Liu committed
      This reverts commit 4f4fd7c5.
      
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Nigel Croxon <ncroxon@redhat.com>
      Cc: Xiao Ni <xni@redhat.com>
      Signed-off-by: Song Liu <songliubraving@fb.com>
    • md: return -ENODEV if rdev has no mddev assigned · c42d3240
      Pawel Baldysiak committed
      Mdadm expects that setting drive as faulty will fail with -EBUSY only if
      this operation will cause RAID to be failed. If this happens, it will
      try to stop the array. Currently -EBUSY might also be returned if rdev
      is in the middle of the removal process - for example there is a race
      with mdmon that already requested the drive to be failed/removed.
      
      If rdev does not contain mddev, return -ENODEV instead, so the caller
      can distinguish between those two cases and behave accordingly.
      Reviewed-by: NNeilBrown <neilb@suse.com>
      Signed-off-by: NPawel Baldysiak <pawel.baldysiak@intel.com>
      Signed-off-by: NSong Liu <songliubraving@fb.com>
      c42d3240
  6. 16 4月, 2019 10 次提交
    • G
      sc16is7xx: move label 'err_spi' to correct section · e00164a0
      Guoqing Jiang committed
      err_spi is used when SERIAL_SC16IS7XX_SPI is enabled, so make
      the label only available under SERIAL_SC16IS7XX_SPI option.
      Otherwise, the below warning appears.
      
      drivers/tty/serial/sc16is7xx.c:1523:1: warning: label ‘err_spi’ defined but not used [-Wunused-label]
       err_spi:
        ^~~~~~~
      Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
      Fixes: ac0cdb3d ("sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e00164a0
    • G
      serial: sh-sci: Fix HSCIF RX sampling point adjustment · 6b87784b
      Geert Uytterhoeven committed
      The calculation of the sampling point has min() and max() exchanged.
      Fix this by using the clamp() helper instead.
      
      Fixes: 63ba1e00 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
      Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Acked-by: Dirk Behme <dirk.behme@de.bosch.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b87784b
    • G
      serial: sh-sci: Fix HSCIF RX sampling point calculation · ace96569
      Geert Uytterhoeven committed
      There are several issues with the formula used for calculating the
      deviation from the intended rate:
        1. While min_err and last_stop are signed, srr and baud are unsigned.
           Hence the signed values are promoted to unsigned, which will lead
           to a bogus value of deviation if min_err is negative,
        2. Srr is the register field value, which is one less than the actual
           sampling rate factor,
        3. The divisions do not use rounding.
      
      Fix this by casting unsigned variables to int, adding one to srr, and
      using a single DIV_ROUND_CLOSEST().
      
      Fixes: 63ba1e00 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ace96569
    • N
      clocksource/drivers/timer-ti-dm: Remove omap_dm_timer_set_load_start · 4d86c9f7
      Nathan Chancellor committed
      Commit 008258d9 ("clocksource/drivers/timer-ti-dm: Make
      omap_dm_timer_set_load_start() static") made omap_dm_timer_set_load_start
      static because its prototype was not defined in a header. Unfortunately,
      this causes a build warning on multi_v7_defconfig because this function
      is not used anywhere in this translation unit:
      
      drivers/clocksource/timer-ti-dm.c:589:12: error: unused function
      'omap_dm_timer_set_load_start' [-Werror,-Wunused-function]
      
      In fact, omap_dm_timer_set_load_start hasn't been used anywhere since
      commit f190be7f ("staging: tidspbridge: remove driver") and the
      prototype was removed in commit 592ea6bd ("clocksource: timer-ti-dm:
      Make unexported functions static"), which is probably where this should
      have happened.
      
      Fixes: 592ea6bd ("clocksource: timer-ti-dm: Make unexported functions static")
      Fixes: 008258d9 ("clocksource/drivers/timer-ti-dm: Make omap_dm_timer_set_load_start() static")
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Acked-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
      4d86c9f7
    • G
      staging: erofs: fix unexpected out-of-bound data access · f4e97f5d
      Gao Xiang committed
      Unexpected out-of-bound data will be read in erofs_read_raw_page
      after commit 07173c3e ("block: enable multipage bvecs") since
      one iovec could have multiple pages.
      
      Let's fix it as Ming pointed out in the previous email [1].
      
      [1] https://lore.kernel.org/lkml/20190411080953.GE421@ming.t460p/
      Suggested-by: Ming Lei <ming.lei@redhat.com>
      Reviewed-by: Chao Yu <yuchao0@huawei.com>
      Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
      Fixes: 07173c3e ("block: enable multipage bvecs")
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4e97f5d
    • I
      staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf · 663d294b
      Ian Abbott committed
      `vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
      allocate RX and TX buffers for USB transfers.  It allocates
      `devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
      allocation of `devpriv->usb_tx_buf` fails, it frees
      `devpriv->usb_rx_buf`,  leaving the pointer set dangling, and returns an
      error.  Later, `vmk80xx_detach()` will be called from the core comedi
      module code to clean up.  `vmk80xx_detach()` also frees both
      `devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
      `devpriv->usb_rx_buf` may have already been freed, leading to a
      double-free error.  Fix it by removing the call to
      `kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
      on `vmk80xx_detach()` to free the memory.
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      663d294b
    • I
      staging: comedi: vmk80xx: Fix use of uninitialized semaphore · 08b7c2f9
      Ian Abbott committed
      If `vmk80xx_auto_attach()` returns an error, the core comedi module code
      will call `vmk80xx_detach()` to clean up.  If `vmk80xx_auto_attach()`
      successfully allocated the comedi device private data,
      `vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained
      in the private data has been initialized and uses it.  Unfortunately,
      there are a couple of places where `vmk80xx_auto_attach()` can return an
      error after allocating the device private data but before initializing
      the semaphore, so this assumption is invalid.  Fix it by initializing
      the semaphore just after allocating the private data in
      `vmk80xx_auto_attach()` before any other errors can be returned.
      
      I believe this was the cause of the following syzbot crash report
      <https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>:
      
      usb 1-1: config 0 has no interface number 0
      usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d
      usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      usb 1-1: config 0 descriptor??
      vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device.
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xe8/0x16e lib/dump_stack.c:113
       assign_lock_key kernel/locking/lockdep.c:786 [inline]
       register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
       __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
       lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
       down+0x12/0x80 kernel/locking/semaphore.c:58
       vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829
       comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
       comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
       comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
       comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
       comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
       comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
       comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
       usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
       generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
       usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
       hub_port_connect drivers/usb/core/hub.c:5089 [inline]
       hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
       port_event drivers/usb/core/hub.c:5350 [inline]
       hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
       process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
       worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
       kthread+0x313/0x420 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      08b7c2f9
    • J
      scsi: core: set result when the command cannot be dispatched · be549d49
      Jaesoo Lee committed
      When SCSI blk-mq is enabled, there is a bug in handling errors in
      scsi_queue_rq.  Specifically, the bug is not setting result field of
      scsi_request correctly when the dispatch of the command has
      failed. Since the upper layer code including the sg_io ioctl expects to
      receive any error status from result field of scsi_request, the error is
      silently ignored and this could cause data corruptions for some
      applications.
      
      Fixes: d285203c ("scsi: add support for a blk-mq based I/O path.")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jaesoo Lee <jalee@purestorage.com>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Reviewed-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      be549d49
    • C
      bnx2x: fix spelling mistake "dicline" -> "decline" · 614c70f3
      Colin Ian King committed
      There is a spelling mistake in a BNX2X_ERR message, fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      614c70f3
    • S
      bonding: fix event handling for stacked bonds · 92480b39
      Sabrina Dubroca committed
      When a bond is enslaved to another bond, bond_netdev_event() only
      handles the event as if the bond is a master, and skips treating the
      bond as a slave.
      
      This leads to a refcount leak on the slave, since we don't remove the
      adjacency to its master and the master holds a reference on the slave.
      
      Reproducer:
        ip link add bondL type bond
        ip link add bondU type bond
        ip link set bondL master bondU
        ip link del bondL
      
      No "Fixes:" tag, this code is older than git history.
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      92480b39