1. 23 Aug, 2019 12 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 9140d8bd
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "No beating around the bush: this is a monster pull request for an -rc5
        kernel. Intel hit me with a series of fixes for TID processing.
        Mellanox hit me with a series for their UMR memory support.
      
        And we had one fix for siw that fixes the 32bit build warnings and
        because of the number of casts that had to be changed to properly
        silence the warnings, that one patch alone is a full 40% of the LOC of
        this entire pull request. Given that this is the initial release
        kernel for siw, I'm trying to fix anything in it that we can, so that
        adds to the impetus to take fixes for it like this one.
      
        I had to do a rebase early in the week. Jason had thought he put a
        patch on the rc queue that he needed to be there so he could base some
        work off of it, and it had actually not been placed there. So he asked
        me (on Tuesday) to fix that up before pushing my wip branch to the
        official rc branch. I did, and that's why the early patches look like
        they were all committed at the same time on Tuesday. That bunch had
        been in my queue prior.
      
        The various patches all pass my test for being legitimate fixes and
        not attempts to slide new features or development into a late rc.
        Well, they were all fixes with the exception of a couple clean up
        patches people wrote for making the fixes they also wrote better (like
        a cleanup patch to move UMR checking into a function so that the
        remaining UMR fix patches can reference that function), so I left
        those in place too.
      
        My apologies for the LOC count and the number of patches here, it's
        just how the cards fell this cycle.
      
        Summary:
      
         - Fix siw buffer mapping issue
      
         - Fix siw 32/64 casting issues
      
         - Fix a KASAN access issue in bnxt_re
      
         - Fix several memory leaks (hfi1, mlx4)
      
         - Fix a NULL deref in cma_cleanup
      
         - Fixes for UMR memory support in mlx5 (4 patch series)
      
         - Fix namespace check for restrack
      
         - Fixes for counter support
      
         - Fixes for hfi1 TID processing (5 patch series)
      
         - Fix potential NULL deref in siw
      
         - Fix memory page calculations in mlx5"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (21 commits)
        RDMA/siw: Fix 64/32bit pointer inconsistency
        RDMA/siw: Fix SGL mapping issues
        RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message
        infiniband: hfi1: fix memory leaks
        infiniband: hfi1: fix a memory leak bug
        IB/mlx4: Fix memory leaks
        RDMA/cma: fix null-ptr-deref Read in cma_cleanup
        IB/mlx5: Block MR WR if UMR is not possible
        IB/mlx5: Fix MR re-registration flow to use UMR properly
        IB/mlx5: Report and handle ODP support properly
        IB/mlx5: Consolidate use_umr checks into single function
        RDMA/restrack: Rewrite PID namespace check to be reliable
        RDMA/counters: Properly implement PID checks
        IB/core: Fix NULL pointer dereference when bind QP to counter
        IB/hfi1: Drop stale TID RDMA packets that cause TIDErr
        IB/hfi1: Add additional checks when handling TID RDMA WRITE DATA packet
        IB/hfi1: Add additional checks when handling TID RDMA READ RESP packet
        IB/hfi1: Unsafe PSN checking for TID RDMA READ Resp packet
        IB/hfi1: Drop stale TID RDMA packets
        RDMA/siw: Fix potential NULL de-ref
        ...
      9140d8bd
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190823' of git://git.kernel.dk/linux-block · b9bd6806
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Here's a set of fixes that should go into this release. This contains:
      
         - Three minor fixes for NVMe.
      
         - Three minor tweaks for the io_uring polling logic.
      
         - Officially mark Song as the MD maintainer, after he's been filling
           that role sucessfully for the last 6 months or so"
      
      * tag 'for-linus-20190823' of git://git.kernel.dk/linux-block:
        io_uring: add need_resched() check in inner poll loop
        md: update MAINTAINERS info
        io_uring: don't enter poll loop if we have CQEs pending
        nvme: Add quirk for LiteON CL1 devices running FW 22301111
        nvme: Fix cntlid validation when not using NVMEoF
        nvme-multipath: fix possible I/O hang when paths are updated
        io_uring: fix potential hang with polled IO
      b9bd6806
    • Linus Torvalds's avatar
      Merge tag 'for-5.3/dm-fixes-2' of... · dd469a45
      Linus Torvalds authored
      Merge tag 'for-5.3/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Revert a DM bufio change from during the 5.3 merge window now that a
         proper fix has been made to the block loopback driver.
      
       - Fix DM kcopyd to wakeup so failed subjobs get completed.
      
       - Various fixes to DM zoned target to address error handling, and other
         small tweaks (SPDX license identifiers and fix typos).
      
       - Fix DM integrity range locking race by tracking whether journal has
         changed.
      
       - Fix DM dust target to detect reads of badblocks beyond the first 512b
         sector (applicable if blocksize is larger than 512b).
      
       - Fix DM persistent-data issue in both the DM btree and DM
         space-map-metadata interfaces.
      
       - Fix out of bounds memory access with certain DM table configurations.
      
      * tag 'for-5.3/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm table: fix invalid memory accesses with too high sector number
        dm space map metadata: fix missing store of apply_bops() return value
        dm btree: fix order of block initialization in btree_split_beneath
        dm raid: add missing cleanup in raid_ctr()
        dm zoned: fix potential NULL dereference in dmz_do_reclaim()
        dm dust: use dust block size for badblocklist index
        dm integrity: fix a crash due to BUG_ON in __journal_read_write()
        dm zoned: fix a few typos
        dm zoned: add SPDX license identifiers
        dm zoned: properly handle backing device failure
        dm zoned: improve error handling in i/o map code
        dm zoned: improve error handling in reclaim
        dm kcopyd: always complete failed jobs
        Revert "dm bufio: fix deadlock with loop device"
      dd469a45
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · f576518c
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Here are a few more bug fixes that trickled in since the last pull.
        They've survived the usual xfstests runs and merge cleanly with this
        morning's master.
      
        I expect there to be one more pull request tomorrow for the fix to
        that quota related inode unlock bug that we were reviewing last night,
        but it will continue to soak in the testing machine for several more
        hours.
      
         - Fix missing compat ioctl handling for get/setlabel
      
         - Fix missing ioctl pointer sanitization on s390
      
         - Fix a page locking deadlock in the dedupe comparison code
      
         - Fix inadequate locking in reflink code w.r.t. concurrent directio
      
         - Fix broken error detection when breaking layouts"
      
      * tag 'xfs-5.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        fs/xfs: Fix return code of xfs_break_leased_layouts()
        xfs: fix reflink source file racing with directio writes
        vfs: fix page locking deadlocks when deduping files
        xfs: compat_ioctl: use compat_ptr()
        xfs: fall back to native ioctls for unhandled compat ones
      f576518c
    • Linus Torvalds's avatar
      Merge tag 'modules-for-v5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux · e3fb13b7
      Linus Torvalds authored
      Pull modules fixes from Jessica Yu:
       "Fix BUG_ON() being triggered in frob_text() due to non-page-aligned
        module sections"
      
      * tag 'modules-for-v5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
        modules: page-align module section allocations only for arches supporting strict module rwx
        modules: always page-align module section allocations
      e3fb13b7
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.3-rc6' of git://github.com/ceph/ceph-client · 4e563944
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Three important fixes tagged for stable (an indefinite hang, a crash
        on an assert and a NULL pointer dereference) plus a small series from
        Luis fixing instances of vfree() under spinlock"
      
      * tag 'ceph-for-5.3-rc6' of git://github.com/ceph/ceph-client:
        libceph: fix PG split vs OSD (re)connect race
        ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
        ceph: clear page dirty before invalidate page
        ceph: fix buffer free while holding i_ceph_lock in fill_inode()
        ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
        ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
        libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
      4e563944
    • Bernard Metzler's avatar
      RDMA/siw: Fix 64/32bit pointer inconsistency · c536277e
      Bernard Metzler authored
      Fixes improper casting between addresses and unsigned types.
      Changes siw_pbl_get_buffer() function to return appropriate
      dma_addr_t, and not u64.
      
      Also fixes debug prints. Now any potentially kernel private
      pointers are printed formatted as '%pK', to allow keeping that
      information secret.
      
      Fixes: d941bfe500be ("RDMA/siw: Change CQ flags from 64->32 bits")
      Fixes: b0fff731 ("rdma/siw: completion queue methods")
      Fixes: 8b6a361b ("rdma/siw: receive path")
      Fixes: b9be6f18 ("rdma/siw: transmit path")
      Fixes: f29dd55b ("rdma/siw: queue pair methods")
      Fixes: 2251334d ("rdma/siw: application buffer management")
      Fixes: 303ae1cd ("rdma/siw: application interface")
      Fixes: 6c52fdc2 ("rdma/siw: connection management")
      Fixes: a5319752 ("rdma/siw: main include file")
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Reported-by: default avatarJason Gunthorpe <jgg@ziepe.ca>
      Reported-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarBernard Metzler <bmt@zurich.ibm.com>
      Link: https://lore.kernel.org/r/20190822173738.26817-1-bmt@zurich.ibm.comSigned-off-by: default avatarDoug Ledford <dledford@redhat.com>
      c536277e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-08-23' of git://anongit.freedesktop.org/drm/drm · 1374a22e
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Live from the laundromat after my washing machine broke down, we have
        the 5.3-rc6 fixes. Changelog is in the tag below, but nothing too
        noteworthy in here:
      
        rcar-du:
         - LVDS dual-link mode fix
      
        mediatek:
         - of node refcount fix
         - prime buffer import fix
         - dma max seg fix
      
        komeda:
         - output polling fix
         - abfc format fix
         - memory-region DT fix
      
        amdgpu:
         - bpc display fix
         - ioctl memory leak fix
         - gfxoff fix
         - smu warnings fix
      
        i915:
         - HDMI mode readout fix"
      
      * tag 'drm-fixes-2019-08-23' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu/powerplay: silence a warning in smu_v11_0_setup_pptable
        drm/amd/display: Calculate bpc based on max_requested_bpc
        drm/amdgpu: prevent memory leaks in AMDGPU_CS ioctl
        drm/amd/amdgpu: disable MMHUB PG for navi10
        drm/amd/powerplay: remove duplicate macro smu_get_uclk_dpm_states in amdgpu_smu.h
        drm/amd/powerplay: fix variable type errors in smu_v11_0_setup_pptable
        drm/amdgpu/gfx9: update pg_flags after determining if gfx off is possible
        drm/i915: Fix HW readout for crtc_clock in HDMI mode
        drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
        drm: rcar_lvds: Fix dual link mode operations
        drm/mediatek: set DMA max segment size
        drm/mediatek: use correct device to import PRIME buffers
        drm/omap: ensure we have a valid dma_mask
        drm/komeda: Add support for 'memory-region' DT node property
        drm/komeda: Adds internal bpp computing for arm afbc only format YU08 YU10
        drm/komeda: Initialize and enable output polling on Komeda
      1374a22e
    • Mikulas Patocka's avatar
      dm table: fix invalid memory accesses with too high sector number · 1cfd5d33
      Mikulas Patocka authored
      If the sector number is too high, dm_table_find_target() should return a
      pointer to a zeroed dm_target structure (the caller should test it with
      dm_target_is_valid).
      
      However, for some table sizes, the code in dm_table_find_target() that
      performs btree lookup will access out of bound memory structures.
      
      Fix this bug by testing the sector number at the beginning of
      dm_table_find_target(). Also, add an "inline" keyword to the function
      dm_table_get_size() because this is a hot path.
      
      Fixes: 512875bd ("dm: table detect io beyond device")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarZhang Tao <kontais@zoho.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      1cfd5d33
    • Alex Deucher's avatar
      drm/amdgpu/powerplay: silence a warning in smu_v11_0_setup_pptable · 75710f08
      Alex Deucher authored
      I think gcc is confused as I don't see how size could be used
      unitialized, but go ahead and silence the warning.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarEvan Quan <evan.quan@amd.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190822032527.1376-1-alexander.deucher@amd.com
      75710f08
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2019-08-22' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · cf3627fb
      Dave Airlie authored
      Fixes for v5.3-rc6:
      - dma fix for omap.
      - Make output polling work on komeda.
      - Fix bpp computing for AFBC formats in komeda.
      - Support the memory-region property in komeda.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/5f1fdfe3-814e-fad1-663c-7279217fc085@linux.intel.com
      cf3627fb
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2019-08-22' of... · dd89c112
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2019-08-22' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      drm/i915 fixes for v5.3-rc6:
      - fix hardware state readout for 10 bpc HDMI
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/87sgptd114.fsf@intel.com
      dd89c112
  2. 22 Aug, 2019 23 commits
    • Jens Axboe's avatar
      io_uring: add need_resched() check in inner poll loop · 08f5439f
      Jens Axboe authored
      The outer poll loop checks for whether we need to reschedule, and
      returns to userspace if we do. However, it's possible to get stuck
      in the inner loop as well, if the CPU we are running on needs to
      reschedule to finish the IO work.
      
      Add the need_resched() check in the inner loop as well. This fixes
      a potential hang if the kernel is configured with
      CONFIG_PREEMPT_VOLUNTARY=y.
      Reported-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Tested-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      08f5439f
    • Linus Torvalds's avatar
      Merge tag 'pci-v5.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 59c36bc8
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Reset both NVIDIA GPU and HDA in ThinkPad P50 quirk, which was broken
         by another quirk that enabled the HDA device (Lyude Paul)
      
       - Fix pciebus-howto.rst documentation filename typo (Bjorn Helgaas)
      
      * tag 'pci-v5.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        Documentation PCI: Fix pciebus-howto.rst filename typo
        PCI: Reset both NVIDIA GPU and HDA in ThinkPad P50 workaround
      59c36bc8
    • ZhangXiaoxu's avatar
      dm space map metadata: fix missing store of apply_bops() return value · ae148243
      ZhangXiaoxu authored
      In commit 6096d91a ("dm space map metadata: fix occasional leak
      of a metadata block on resize"), we refactor the commit logic to a new
      function 'apply_bops'.  But when that logic was replaced in out() the
      return value was not stored.  This may lead out() returning a wrong
      value to the caller.
      
      Fixes: 6096d91a ("dm space map metadata: fix occasional leak of a metadata block on resize")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarZhangXiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      ae148243
    • ZhangXiaoxu's avatar
      dm btree: fix order of block initialization in btree_split_beneath · e4f9d601
      ZhangXiaoxu authored
      When btree_split_beneath() splits a node to two new children, it will
      allocate two blocks: left and right.  If right block's allocation
      failed, the left block will be unlocked and marked dirty.  If this
      happened, the left block'ss content is zero, because it wasn't
      initialized with the btree struct before the attempot to allocate the
      right block.  Upon return, when flushing the left block to disk, the
      validator will fail when check this block.  Then a BUG_ON is raised.
      
      Fix this by completely initializing the left block before allocating and
      initializing the right block.
      
      Fixes: 4dcb8b57 ("dm btree: fix leak of bufio-backed block in btree_split_beneath error path")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarZhangXiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      e4f9d601
    • Linus Torvalds's avatar
      Merge tag 'Wimplicit-fallthrough-5.3-rc6' of... · 20eabc89
      Linus Torvalds authored
      Merge tag 'Wimplicit-fallthrough-5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux
      
      Pull more fallthrough fixes from Gustavo A. R. Silva:
       "Fix fall-through warnings on arm and mips for multiple configurations"
      
      * tag 'Wimplicit-fallthrough-5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux:
        video: fbdev: acornfb: Mark expected switch fall-through
        scsi: libsas: sas_discover: Mark expected switch fall-through
        MIPS: Octeon: Mark expected switch fall-through
        power: supply: ab8500_charger: Mark expected switch fall-through
        watchdog: wdt285: Mark expected switch fall-through
        mtd: sa1100: Mark expected switch fall-through
        drm/sun4i: tcon: Mark expected switch fall-through
        drm/sun4i: sun6i_mipi_dsi: Mark expected switch fall-through
        ARM: riscpc: Mark expected switch fall-through
        dmaengine: fsldma: Mark expected switch fall-through
      20eabc89
    • Linus Torvalds's avatar
      Merge tag 'tag-chrome-platform-fixes-for-v5.3-rc6' of... · e5b7c167
      Linus Torvalds authored
      Merge tag 'tag-chrome-platform-fixes-for-v5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
      
      Pull chrome platform fix from Benson Leung:
       "Fix a kernel crash during suspend/resume of cros_ec_ishtp"
      
      * tag 'tag-chrome-platform-fixes-for-v5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
        platform/chrome: cros_ec_ishtp: fix crash during suspend
      e5b7c167
    • Linus Torvalds's avatar
      Merge tag 'afs-fixes-20190822' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · e8c3fa9f
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
      
       - Fix a cell record leak due to the default error not being cleared.
      
       - Fix an oops in tracepoint due to a pointer that may contain an error.
      
       - Fix the ACL storage op for YFS where the wrong op definition is being
         used. By luck, this only actually affects the information appearing
         in traces.
      
      * tag 'afs-fixes-20190822' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        afs: use correct afs_call_type in yfs_fs_store_opaque_acl2
        afs: Fix possible oops in afs_lookup trace event
        afs: Fix leak in afs_lookup_cell_rcu()
      e8c3fa9f
    • Bernard Metzler's avatar
      RDMA/siw: Fix SGL mapping issues · fab4f97e
      Bernard Metzler authored
      All user level and most in-kernel applications submit WQEs
      where the SG list entries are all of a single type.
      iSER in particular, however, will send us WQEs with mixed SG
      types: sge[0] = kernel buffer, sge[1] = PBL region.
      Check and set is_kva on each SG entry individually instead of
      assuming the first SGE type carries through to the last.
      This fixes iSER over siw.
      
      Fixes: b9be6f18 ("rdma/siw: transmit path")
      Reported-by: default avatarKrishnamraju Eraparaju <krishna2@chelsio.com>
      Tested-by: default avatarKrishnamraju Eraparaju <krishna2@chelsio.com>
      Signed-off-by: default avatarBernard Metzler <bmt@zurich.ibm.com>
      Link: https://lore.kernel.org/r/20190822150741.21871-1-bmt@zurich.ibm.comSigned-off-by: default avatarDoug Ledford <dledford@redhat.com>
      fab4f97e
    • Selvin Xavier's avatar
      RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message · d37b1e53
      Selvin Xavier authored
      Driver copies FW commands to the HW queue as  units of 16 bytes. Some
      of the command structures are not exact multiple of 16. So while copying
      the data from those structures, the stack out of bounds messages are
      reported by KASAN. The following error is reported.
      
      [ 1337.530155] ==================================================================
      [ 1337.530277] BUG: KASAN: stack-out-of-bounds in bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530413] Read of size 16 at addr ffff888725477a48 by task rmmod/2785
      
      [ 1337.530540] CPU: 5 PID: 2785 Comm: rmmod Tainted: G           OE     5.2.0-rc6+ #75
      [ 1337.530541] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
      [ 1337.530542] Call Trace:
      [ 1337.530548]  dump_stack+0x5b/0x90
      [ 1337.530556]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530560]  print_address_description+0x65/0x22e
      [ 1337.530568]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530575]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530577]  __kasan_report.cold.3+0x37/0x77
      [ 1337.530581]  ? _raw_write_trylock+0x10/0xe0
      [ 1337.530588]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530590]  kasan_report+0xe/0x20
      [ 1337.530592]  memcpy+0x1f/0x50
      [ 1337.530600]  bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
      [ 1337.530608]  ? bnxt_qplib_creq_irq+0xa0/0xa0 [bnxt_re]
      [ 1337.530611]  ? xas_create+0x3aa/0x5f0
      [ 1337.530613]  ? xas_start+0x77/0x110
      [ 1337.530615]  ? xas_clear_mark+0x34/0xd0
      [ 1337.530623]  bnxt_qplib_free_mrw+0x104/0x1a0 [bnxt_re]
      [ 1337.530631]  ? bnxt_qplib_destroy_ah+0x110/0x110 [bnxt_re]
      [ 1337.530633]  ? bit_wait_io_timeout+0xc0/0xc0
      [ 1337.530641]  bnxt_re_dealloc_mw+0x2c/0x60 [bnxt_re]
      [ 1337.530648]  bnxt_re_destroy_fence_mr+0x77/0x1d0 [bnxt_re]
      [ 1337.530655]  bnxt_re_dealloc_pd+0x25/0x60 [bnxt_re]
      [ 1337.530677]  ib_dealloc_pd_user+0xbe/0xe0 [ib_core]
      [ 1337.530683]  srpt_remove_one+0x5de/0x690 [ib_srpt]
      [ 1337.530689]  ? __srpt_close_all_ch+0xc0/0xc0 [ib_srpt]
      [ 1337.530692]  ? xa_load+0x87/0xe0
      ...
      [ 1337.530840]  do_syscall_64+0x6d/0x1f0
      [ 1337.530843]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 1337.530845] RIP: 0033:0x7ff5b389035b
      [ 1337.530848] Code: 73 01 c3 48 8b 0d 2d 0b 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fd 0a 2c 00 f7 d8 64 89 01 48
      [ 1337.530849] RSP: 002b:00007fff83425c28 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [ 1337.530852] RAX: ffffffffffffffda RBX: 00005596443e6750 RCX: 00007ff5b389035b
      [ 1337.530853] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005596443e67b8
      [ 1337.530854] RBP: 0000000000000000 R08: 00007fff83424ba1 R09: 0000000000000000
      [ 1337.530856] R10: 00007ff5b3902960 R11: 0000000000000206 R12: 00007fff83425e50
      [ 1337.530857] R13: 00007fff8342673c R14: 00005596443e6260 R15: 00005596443e6750
      
      [ 1337.530885] The buggy address belongs to the page:
      [ 1337.530962] page:ffffea001c951dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      [ 1337.530964] flags: 0x57ffffc0000000()
      [ 1337.530967] raw: 0057ffffc0000000 0000000000000000 ffffffff1c950101 0000000000000000
      [ 1337.530970] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [ 1337.530970] page dumped because: kasan: bad access detected
      
      [ 1337.530996] Memory state around the buggy address:
      [ 1337.531072]  ffff888725477900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f2 f2 f2
      [ 1337.531180]  ffff888725477980: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
      [ 1337.531288] >ffff888725477a00: 00 f2 f2 f2 f2 f2 f2 00 00 00 f2 00 00 00 00 00
      [ 1337.531393]                                                  ^
      [ 1337.531478]  ffff888725477a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 1337.531585]  ffff888725477b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 1337.531691] ==================================================================
      
      Fix this by passing the exact size of each FW command to
      bnxt_qplib_rcfw_send_message as req->cmd_size. Before sending
      the command to HW, modify the req->cmd_size to number of 16 byte units.
      
      Fixes: 1ac5a404 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
      Signed-off-by: default avatarSelvin Xavier <selvin.xavier@broadcom.com>
      Link: https://lore.kernel.org/r/1566468170-489-1-git-send-email-selvin.xavier@broadcom.comSigned-off-by: default avatarDoug Ledford <dledford@redhat.com>
      d37b1e53
    • YueHaibing's avatar
      afs: use correct afs_call_type in yfs_fs_store_opaque_acl2 · 7533be85
      YueHaibing authored
      It seems that 'yfs_RXYFSStoreOpaqueACL2' should be use in
      yfs_fs_store_opaque_acl2().
      
      Fixes: f5e45463 ("afs: Implement YFS ACL setting")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      7533be85
    • Marc Dionne's avatar
      afs: Fix possible oops in afs_lookup trace event · c4c613ff
      Marc Dionne authored
      The afs_lookup trace event can cause the following:
      
      [  216.576777] BUG: kernel NULL pointer dereference, address: 000000000000023b
      [  216.576803] #PF: supervisor read access in kernel mode
      [  216.576813] #PF: error_code(0x0000) - not-present page
      ...
      [  216.576913] RIP: 0010:trace_event_raw_event_afs_lookup+0x9e/0x1c0 [kafs]
      
      If the inode from afs_do_lookup() is an error other than ENOENT, or if it
      is ENOENT and afs_try_auto_mntpt() returns an error, the trace event will
      try to dereference the error pointer as a valid pointer.
      
      Use IS_ERR_OR_NULL to only pass a valid pointer for the trace, or NULL.
      
      Ideally the trace would include the error value, but for now just avoid
      the oops.
      
      Fixes: 80548b03 ("afs: Add more tracepoints")
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      c4c613ff
    • David Howells's avatar
      afs: Fix leak in afs_lookup_cell_rcu() · a5fb8e6c
      David Howells authored
      Fix a leak on the cell refcount in afs_lookup_cell_rcu() due to
      non-clearance of the default error in the case a NULL cell name is passed
      and the workstation default cell is used.
      
      Also put a bit at the end to make sure we don't leak a cell ref if we're
      going to be returning an error.
      
      This leak results in an assertion like the following when the kafs module is
      unloaded:
      
      	AFS: Assertion failed
      	2 == 1 is false
      	0x2 == 0x1 is false
      	------------[ cut here ]------------
      	kernel BUG at fs/afs/cell.c:770!
      	...
      	RIP: 0010:afs_manage_cells+0x220/0x42f [kafs]
      	...
      	 process_one_work+0x4c2/0x82c
      	 ? pool_mayday_timeout+0x1e1/0x1e1
      	 ? do_raw_spin_lock+0x134/0x175
      	 worker_thread+0x336/0x4a6
      	 ? rescuer_thread+0x4af/0x4af
      	 kthread+0x1de/0x1ee
      	 ? kthread_park+0xd4/0xd4
      	 ret_from_fork+0x24/0x30
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a5fb8e6c
    • Ilya Dryomov's avatar
      libceph: fix PG split vs OSD (re)connect race · a5613724
      Ilya Dryomov authored
      We can't rely on ->peer_features in calc_target() because it may be
      called both when the OSD session is established and open and when it's
      not.  ->peer_features is not valid unless the OSD session is open.  If
      this happens on a PG split (pg_num increase), that could mean we don't
      resend a request that should have been resent, hanging the client
      indefinitely.
      
      In userspace this was fixed by looking at require_osd_release and
      get_xinfo[osd].features fields of the osdmap.  However these fields
      belong to the OSD section of the osdmap, which the kernel doesn't
      decode (only the client section is decoded).
      
      Instead, let's drop this feature check.  It effectively checks for
      luminous, so only pre-luminous OSDs would be affected in that on a PG
      split the kernel might resend a request that should not have been
      resent.  Duplicates can occur in other scenarios, so both sides should
      already be prepared for them: see dup/replay logic on the OSD side and
      retry_attempt check on the client side.
      
      Cc: stable@vger.kernel.org
      Fixes: 7de030d6 ("libceph: resend on PG splits if OSD has RESEND_ON_SPLIT")
      Link: https://tracker.ceph.com/issues/41162Reported-by: default avatarJerry Lee <leisurelysw24@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Tested-by: default avatarJerry Lee <leisurelysw24@gmail.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      a5613724
    • Jeff Layton's avatar
      ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply · 28a28261
      Jeff Layton authored
      When ceph_mdsc_do_request returns an error, we can't assume that the
      filelock_reply pointer will be set. Only try to fetch fields out of
      the r_reply_info when it returns success.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarHector Martin <hector@marcansoft.com>
      Signed-off-by: default avatarJeff Layton <jlayton@kernel.org>
      Reviewed-by: default avatar"Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      28a28261
    • Erqi Chen's avatar
      ceph: clear page dirty before invalidate page · c95f1c5f
      Erqi Chen authored
      clear_page_dirty_for_io(page) before mapping->a_ops->invalidatepage().
      invalidatepage() clears page's private flag, if dirty flag is not
      cleared, the page may cause BUG_ON failure in ceph_set_page_dirty().
      
      Cc: stable@vger.kernel.org
      Link: https://tracker.ceph.com/issues/40862Signed-off-by: default avatarErqi Chen <chenerqi@gmail.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      c95f1c5f
    • Luis Henriques's avatar
      ceph: fix buffer free while holding i_ceph_lock in fill_inode() · af8a85a4
      Luis Henriques authored
      Calling ceph_buffer_put() in fill_inode() may result in freeing the
      i_xattrs.blob buffer while holding the i_ceph_lock.  This can be fixed by
      postponing the call until later, when the lock is released.
      
      The following backtrace was triggered by fstests generic/070.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
        6 locks held by kworker/0:4/3852:
         #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
         #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
         #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
         #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
         #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
         #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
        CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Workqueue: ceph-msgr ceph_con_workfn
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         fill_inode.isra.0+0xa9b/0xf70
         ceph_fill_trace+0x13b/0xc70
         ? dispatch+0x2eb/0x1476
         dispatch+0x320/0x1476
         ? __mutex_unlock_slowpath+0x4d/0x2a0
         ceph_con_workfn+0xc97/0x2ec0
         ? process_one_work+0x1b8/0x5f0
         process_one_work+0x244/0x5f0
         worker_thread+0x4d/0x3e0
         kthread+0x105/0x140
         ? process_one_work+0x5f0/0x5f0
         ? kthread_park+0x90/0x90
         ret_from_fork+0x3a/0x50
      Signed-off-by: default avatarLuis Henriques <lhenriques@suse.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      af8a85a4
    • Luis Henriques's avatar
      ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() · 12fe3dda
      Luis Henriques authored
      Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
      freeing the i_xattrs.blob buffer while holding the i_ceph_lock.  This can
      be fixed by having this function returning the old blob buffer and have
      the callers of this function freeing it when the lock is released.
      
      The following backtrace was triggered by fstests generic/117.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
        4 locks held by fsstress/649:
         #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
         #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
         #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
         #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
        CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         __ceph_build_xattrs_blob+0x12b/0x170
         __send_cap+0x302/0x540
         ? __lock_acquire+0x23c/0x1e40
         ? __mark_caps_flushing+0x15c/0x280
         ? _raw_spin_unlock+0x24/0x30
         ceph_check_caps+0x5f0/0xc60
         ceph_flush_dirty_caps+0x7c/0x150
         ? __ia32_sys_fdatasync+0x20/0x20
         ceph_sync_fs+0x5a/0x130
         iterate_supers+0x8f/0xf0
         ksys_sync+0x4f/0xb0
         __ia32_sys_sync+0xa/0x10
         do_syscall_64+0x50/0x1c0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7fc6409ab617
      Signed-off-by: default avatarLuis Henriques <lhenriques@suse.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      12fe3dda
    • Luis Henriques's avatar
      ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() · 86968ef2
      Luis Henriques authored
      Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
      i_xattrs.prealloc_blob buffer while holding the i_ceph_lock.  This can be
      fixed by postponing the call until later, when the lock is released.
      
      The following backtrace was triggered by fstests generic/117.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
        3 locks held by fsstress/650:
         #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
         #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
         #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
        CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         __ceph_setxattr+0x2b4/0x810
         __vfs_setxattr+0x66/0x80
         __vfs_setxattr_noperm+0x59/0xf0
         vfs_setxattr+0x81/0xa0
         setxattr+0x115/0x230
         ? filename_lookup+0xc9/0x140
         ? rcu_read_lock_sched_held+0x74/0x80
         ? rcu_sync_lockdep_assert+0x2e/0x60
         ? __sb_start_write+0x142/0x1a0
         ? mnt_want_write+0x20/0x50
         path_setxattr+0xba/0xd0
         __x64_sys_lsetxattr+0x24/0x30
         do_syscall_64+0x50/0x1c0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7ff23514359a
      Signed-off-by: default avatarLuis Henriques <lhenriques@suse.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      86968ef2
    • Luis Henriques's avatar
    • Song Liu's avatar
      md: update MAINTAINERS info · 7035eef4
      Song Liu authored
      I have been reviewing patches for md in the past few months. Mark me
      as the MD maintainer, as I have effectively been filling that role.
      
      Cc: NeilBrown <neilb@suse.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      7035eef4
    • Dave Airlie's avatar
      Merge tag 'drm-fixes-5.3-2019-08-21' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 1e85e6ca
      Dave Airlie authored
      drm-fixes-5.3-2019-08-21:
      
      amdgpu:
      - Fix gfxoff logic on RV
      - Powerplay fixes
      - Fix a possible memory leak in CS ioctl
      - bpc fix for display
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190822021022.3356-1-alexander.deucher@amd.com
      1e85e6ca
    • Dave Airlie's avatar
      Merge tag 'mediatek-drm-fixes-5.3' of... · 2ba552b2
      Dave Airlie authored
      Merge tag 'mediatek-drm-fixes-5.3' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes
      
      Mediatek memory leak drm fix for Linux 5.3
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: CK Hu <ck.hu@mediatek.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1566264270.30493.4.camel@mtksdaap41
      2ba552b2
    • Dave Airlie's avatar
      Merge tag 'du-fixes-20190816' of git://linuxtv.org/pinchartl/media into drm-fixes · 14673e15
      Dave Airlie authored
      R-Car LVDS encoder fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190816130115.GH5020@pendragon.ideasonboard.com
      14673e15
  3. 21 Aug, 2019 5 commits