June 2023 - Linux-stable-mirror

[PATCH 02/11] drm/i915/mst: Remove broken MST DSC support

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> The MST DSC code has a myriad of issues: - Platform checks are wrong (MST+DSC is TGL+ only IIRC) - Return values of .mode_valid_ctx() are wrong - .mode_valid_ctx() assumes bigjoiner might be used, but ther rest of the code doesn't agree - compressed bpp calculations don't make sense - FEC handling needs to consider the entire link as opposed to just the single stream. Currently FEC would only get enabled if the first enabled stream is compressed. Also I'm not seeing anything that would account for the FEC overhead in any bandwidth calculations - PPS SDP is only handled for the first stream via the dig_port hooks, other streams will not be transmittitng any PPS SDPs - PPS SDP readout is missing (also missing for SST!) - VDSC readout is missing (also missing for SST!) The FEC issues is really the big one since we have no way currently to apply such link wide configuration constraints. Changing that is going to require a much bigger rework of the higher level modeset .compute_config() logic. We will also need such a rework to properly distribute the available bandwidth across all the streams on the same link (which is a must to eg. enable deep color). Cc: stable(a)vger.kernel.org Cc: Vinod Govindapillai <vinod.govindapillai(a)intel.com> Cc: Stanislav Lisovskiy <stanislav.lisovskiy(a)intel.com> Fixes: d51f25eb479a ("drm/i915: Add DSC support to MST path") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dp_mst.c | 176 +------------------- 1 file changed, 5 insertions(+), 171 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c index 44c15d6faac4..d762f37fafb5 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.c +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c @@ -72,8 +72,7 @@ static int intel_dp_mst_find_vcpi_slots_for_bpp(struct intel_encoder *encoder, int min_bpp, struct link_config_limits *limits, struct drm_connector_state *conn_state, - int step, - bool dsc) + int step) { struct drm_atomic_state *state = crtc_state->uapi.state; struct intel_dp_mst_encoder *intel_mst = enc_to_mst(encoder); @@ -104,7 +103,7 @@ static int intel_dp_mst_find_vcpi_slots_for_bpp(struct intel_encoder *encoder, for (bpp = max_bpp; bpp >= min_bpp; bpp -= step) { drm_dbg_kms(&i915->drm, "Trying bpp %d\n", bpp); - ret = intel_dp_mst_check_constraints(i915, bpp, adjusted_mode, crtc_state, dsc); + ret = intel_dp_mst_check_constraints(i915, bpp, adjusted_mode, crtc_state, false); if (ret) continue; @@ -136,11 +135,8 @@ static int intel_dp_mst_find_vcpi_slots_for_bpp(struct intel_encoder *encoder, drm_dbg_kms(&i915->drm, "failed finding vcpi slots:%d\n", slots); } else { - if (!dsc) - crtc_state->pipe_bpp = bpp; - else - crtc_state->dsc.compressed_bpp = bpp; - drm_dbg_kms(&i915->drm, "Got %d slots for pipe bpp %d dsc %d\n", slots, bpp, dsc); + crtc_state->pipe_bpp = bpp; + drm_dbg_kms(&i915->drm, "Got %d slots for pipe bpp %d\n", slots, bpp); } return slots; @@ -157,7 +153,7 @@ static int intel_dp_mst_compute_link_config(struct intel_encoder *encoder, slots = intel_dp_mst_find_vcpi_slots_for_bpp(encoder, crtc_state, limits->max_bpp, limits->min_bpp, limits, - conn_state, 2 * 3, false); + conn_state, 2 * 3); if (slots < 0) return slots; @@ -173,99 +169,6 @@ static int intel_dp_mst_compute_link_config(struct intel_encoder *encoder, return 0; } -static int intel_dp_dsc_mst_compute_link_config(struct intel_encoder *encoder, - struct intel_crtc_state *crtc_state, - struct drm_connector_state *conn_state, - struct link_config_limits *limits) -{ - struct intel_dp_mst_encoder *intel_mst = enc_to_mst(encoder); - struct intel_dp *intel_dp = &intel_mst->primary->dp; - struct intel_connector *connector = - to_intel_connector(conn_state->connector); - struct drm_i915_private *i915 = to_i915(connector->base.dev); - const struct drm_display_mode *adjusted_mode = - &crtc_state->hw.adjusted_mode; - int slots = -EINVAL; - int i, num_bpc; - u8 dsc_bpc[3] = {0}; - int min_bpp, max_bpp, sink_min_bpp, sink_max_bpp; - u8 dsc_max_bpc; - bool need_timeslot_recalc = false; - u32 last_compressed_bpp; - - /* Max DSC Input BPC for ICL is 10 and for TGL+ is 12 */ - if (DISPLAY_VER(i915) >= 12) - dsc_max_bpc = min_t(u8, 12, conn_state->max_requested_bpc); - else - dsc_max_bpc = min_t(u8, 10, conn_state->max_requested_bpc); - - max_bpp = min_t(u8, dsc_max_bpc * 3, limits->max_bpp); - min_bpp = limits->min_bpp; - - num_bpc = drm_dp_dsc_sink_supported_input_bpcs(intel_dp->dsc_dpcd, - dsc_bpc); - - drm_dbg_kms(&i915->drm, "DSC Source supported min bpp %d max bpp %d\n", - min_bpp, max_bpp); - - sink_max_bpp = dsc_bpc[0] * 3; - sink_min_bpp = sink_max_bpp; - - for (i = 1; i < num_bpc; i++) { - if (sink_min_bpp > dsc_bpc[i] * 3) - sink_min_bpp = dsc_bpc[i] * 3; - if (sink_max_bpp < dsc_bpc[i] * 3) - sink_max_bpp = dsc_bpc[i] * 3; - } - - drm_dbg_kms(&i915->drm, "DSC Sink supported min bpp %d max bpp %d\n", - sink_min_bpp, sink_max_bpp); - - if (min_bpp < sink_min_bpp) - min_bpp = sink_min_bpp; - - if (max_bpp > sink_max_bpp) - max_bpp = sink_max_bpp; - - slots = intel_dp_mst_find_vcpi_slots_for_bpp(encoder, crtc_state, max_bpp, - min_bpp, limits, - conn_state, 2 * 3, true); - - if (slots < 0) - return slots; - - last_compressed_bpp = crtc_state->dsc.compressed_bpp; - - crtc_state->dsc.compressed_bpp = intel_dp_dsc_nearest_valid_bpp(i915, - last_compressed_bpp, - crtc_state->pipe_bpp); - - if (crtc_state->dsc.compressed_bpp != last_compressed_bpp) - need_timeslot_recalc = true; - - /* - * Apparently some MST hubs dislike if vcpi slots are not matching precisely - * the actual compressed bpp we use. - */ - if (need_timeslot_recalc) { - slots = intel_dp_mst_find_vcpi_slots_for_bpp(encoder, crtc_state, - crtc_state->dsc.compressed_bpp, - crtc_state->dsc.compressed_bpp, - limits, conn_state, 2 * 3, true); - if (slots < 0) - return slots; - } - - intel_link_compute_m_n(crtc_state->dsc.compressed_bpp, - crtc_state->lane_count, - adjusted_mode->crtc_clock, - crtc_state->port_clock, - &crtc_state->dp_m_n, - crtc_state->fec_enable); - crtc_state->dp_m_n.tu = slots; - - return 0; -} static int intel_dp_mst_update_slots(struct intel_encoder *encoder, struct intel_crtc_state *crtc_state, struct drm_connector_state *conn_state) @@ -349,29 +252,6 @@ static int intel_dp_mst_compute_config(struct intel_encoder *encoder, ret = intel_dp_mst_compute_link_config(encoder, pipe_config, conn_state, &limits); - - if (ret == -EDEADLK) - return ret; - - /* enable compression if the mode doesn't fit available BW */ - drm_dbg_kms(&dev_priv->drm, "Force DSC en = %d\n", intel_dp->force_dsc_en); - if (ret || intel_dp->force_dsc_en) { - /* - * Try to get at least some timeslots and then see, if - * we can fit there with DSC. - */ - drm_dbg_kms(&dev_priv->drm, "Trying to find VCPI slots in DSC mode\n"); - - ret = intel_dp_dsc_mst_compute_link_config(encoder, pipe_config, - conn_state, &limits); - if (ret < 0) - return ret; - - ret = intel_dp_dsc_compute_config(intel_dp, pipe_config, - conn_state, &limits, - pipe_config->dp_m_n.tu, false); - } - if (ret) return ret; @@ -909,10 +789,6 @@ intel_dp_mst_mode_valid_ctx(struct drm_connector *connector, int max_dotclk = to_i915(connector->dev)->max_dotclk_freq; int max_rate, mode_rate, max_lanes, max_link_clock; int ret; - bool dsc = false, bigjoiner = false; - u16 dsc_max_output_bpp = 0; - u8 dsc_slice_count = 0; - int target_clock = mode->clock; if (drm_connector_is_unregistered(connector)) { *status = MODE_ERROR; @@ -950,48 +826,6 @@ intel_dp_mst_mode_valid_ctx(struct drm_connector *connector, return 0; } - if (intel_dp_need_bigjoiner(intel_dp, mode->hdisplay, target_clock)) { - bigjoiner = true; - max_dotclk *= 2; - } - - if (DISPLAY_VER(dev_priv) >= 10 && - drm_dp_sink_supports_dsc(intel_dp->dsc_dpcd)) { - /* - * TBD pass the connector BPC, - * for now U8_MAX so that max BPC on that platform would be picked - */ - int pipe_bpp = intel_dp_dsc_compute_bpp(intel_dp, U8_MAX); - - if (drm_dp_sink_supports_fec(intel_dp->fec_capable)) { - dsc_max_output_bpp = - intel_dp_dsc_get_output_bpp(dev_priv, - max_link_clock, - max_lanes, - target_clock, - mode->hdisplay, - bigjoiner, - pipe_bpp, 64) >> 4; - dsc_slice_count = - intel_dp_dsc_get_slice_count(intel_dp, - target_clock, - mode->hdisplay, - bigjoiner); - } - - dsc = dsc_max_output_bpp && dsc_slice_count; - } - - /* - * Big joiner configuration needs DSC for TGL which is not true for - * XE_LPD where uncompressed joiner is supported. - */ - if (DISPLAY_VER(dev_priv) < 13 && bigjoiner && !dsc) - return MODE_CLOCK_HIGH; - - if (mode_rate > max_rate && !dsc) - return MODE_CLOCK_HIGH; - *status = intel_mode_valid_max_plane_size(dev_priv, mode, false); return 0; } -- 2.39.2

1 year, 6 months

4
5
0 0

[net PATCH v2] net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open

by Christian Marangi

Fix a possible memory leak in __stmmac_open when stmmac_init_phy fails. It's also needed to free everything allocated by stmmac_setup_dma_desc and not just the dma_conf struct. Drop free_dma_desc_resources from __stmmac_open and correctly call free_dma_desc_resources on each user of __stmmac_open on error. Reported-by: Jose Abreu <Jose.Abreu(a)synopsys.com> Fixes: ba39b344e924 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> Cc: stable(a)vger.kernel.org --- Changes v2: - Move free_dma_desc_resources to each user of __stmmac_open drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index fa07b0d50b46..5c645b6d5660 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -3877,7 +3877,6 @@ static int __stmmac_open(struct net_device *dev, stmmac_hw_teardown(dev); init_error: - free_dma_desc_resources(priv, &priv->dma_conf); phylink_disconnect_phy(priv->phylink); init_phy_error: pm_runtime_put(priv->device); @@ -3895,6 +3894,9 @@ static int stmmac_open(struct net_device *dev) return PTR_ERR(dma_conf); ret = __stmmac_open(dev, dma_conf); + if (ret) + free_dma_desc_resources(priv, dma_conf); + kfree(dma_conf); return ret; } @@ -5637,12 +5639,15 @@ static int stmmac_change_mtu(struct net_device *dev, int new_mtu) stmmac_release(dev); ret = __stmmac_open(dev, dma_conf); - kfree(dma_conf); if (ret) { + free_dma_desc_resources(priv, dma_conf); + kfree(dma_conf); netdev_err(priv->dev, "failed reopening the interface after MTU change\n"); return ret; } + kfree(dma_conf); + stmmac_set_rx_mode(dev); } -- 2.40.1

1 year, 6 months

4
3
0 0

[PATCH net v2] nfp: fix rcu_read_lock/unlock while rcu_derefrencing

by Louis Peens

From: Tianyu Yuan <tianyu.yuan(a)corigine.com> When CONFIG_PROVE_LOCKING and CONFIG_PROVE_RCU are enabled, using OVS with vf reprs on bridge will lead to following log in dmesg: .../nfp/flower/main.c:269 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 no locks held by swapper/15/0. ...... Call Trace: <IRQ> dump_stack_lvl+0x8c/0xa0 lockdep_rcu_suspicious+0x118/0x1a0 nfp_flower_dev_get+0xc1/0x240 [nfp] nfp_nfd3_rx+0x419/0xb90 [nfp] ? validate_chain+0x640/0x1880 nfp_nfd3_poll+0x3e/0x180 [nfp] __napi_poll+0x28/0x1d0 net_rx_action+0x2bd/0x3c0 ? _raw_spin_unlock_irqrestore+0x42/0x70 __do_softirq+0xc3/0x3c6 irq_exit_rcu+0xeb/0x130 common_interrupt+0xb9/0xd0 </IRQ> <TASK> ...... </TASK> In previous patch rcu_read_lock()/unlock() are removed because rcu-lock may affect xdp_prog. However this removal will make RCU lockdep report above warning because of missing of rcu_read_lock()/unlock() pair around rcu_deference(). This patch resolves this problem by replacing rcu_deference() with rcu_dereference_check() to annotate that access is safe if rcu_read_lock/rcu_read_lock_bh is held. Fixes: d5789621b658 ("nfp: Remove rcu_read_lock() around XDP program invocation") CC: stable(a)vger.kernel.org Signed-off-by: Tianyu Yuan <tianyu.yuan(a)corigine.com> Acked-by: Simon Horman <simon.horman(a)corigine.com> Signed-off-by: Louis Peens <louis.peens(a)corigine.com> --- v1 -> v2: Remove unnessary nfp_app_dev_get_locked() helper function Replace rcu_dereference() with rcu_dereference_check() in .get_dev() Improve commit message --- drivers/net/ethernet/netronome/nfp/abm/main.c | 4 ++-- drivers/net/ethernet/netronome/nfp/flower/main.c | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/netronome/nfp/abm/main.c b/drivers/net/ethernet/netronome/nfp/abm/main.c index 5d3df28c648f..10b73297a313 100644 --- a/drivers/net/ethernet/netronome/nfp/abm/main.c +++ b/drivers/net/ethernet/netronome/nfp/abm/main.c @@ -63,14 +63,14 @@ nfp_abm_repr_get(struct nfp_app *app, u32 port_id, bool *redir_egress) rtype = FIELD_GET(NFP_ABM_PORTID_TYPE, port_id); port = FIELD_GET(NFP_ABM_PORTID_ID, port_id); - reprs = rcu_dereference(app->reprs[rtype]); + reprs = rcu_dereference_check(app->reprs[rtype], rcu_read_lock_bh_held()); if (!reprs) return NULL; if (port >= reprs->num_reprs) return NULL; - return rcu_dereference(reprs->reprs[port]); + return rcu_dereference_check(reprs->reprs[port], rcu_read_lock_bh_held()); } static int diff --git a/drivers/net/ethernet/netronome/nfp/flower/main.c b/drivers/net/ethernet/netronome/nfp/flower/main.c index 83eaa5ae3cd4..d33cc22c788d 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/main.c +++ b/drivers/net/ethernet/netronome/nfp/flower/main.c @@ -257,14 +257,15 @@ nfp_flower_dev_get(struct nfp_app *app, u32 port_id, bool *redir_egress) if (repr_type > NFP_REPR_TYPE_MAX) return NULL; - reprs = rcu_dereference(app->reprs[repr_type]); + reprs = rcu_dereference_check(app->reprs[repr_type], + rcu_read_lock_bh_held()); if (!reprs) return NULL; if (port >= reprs->num_reprs) return NULL; - return rcu_dereference(reprs->reprs[port]); + return rcu_dereference_check(reprs->reprs[port], rcu_read_lock_bh_held()); } static int -- 2.34.1

1 year, 6 months

2
1
0 0

BPF regression in 5.10.168 and 5.15.93 impacting Cilium

by Robert Kolchmeyer

Hi all, I believe 5.10.168 and 5.15.93 introduced a regression that impacts the Cilium project. Some information on the nature of the regression is available at https://github.com/cilium/cilium/issues/25500. The primary symptom seems to be the error `BPF program is too large.` My colleague has found that reverting the following two commits: 8de8c4a "bpf: Support <8-byte scalar spill and refill" 9ff2beb "bpf: Fix incorrect state pruning for <8B spill/fill" resolves the regression. If we revert these in the stable tree, there may be a few changes that depend on those that also need to be reverted, but I'm not sure yet. Would it make sense to revert these changes (and any dependent ones) in the 5.10 and 5.15 trees? If anyone has other ideas, I can help test possible solutions. Thanks, -Robert

1 year, 6 months

3
3
0 0

[PATCH] thermal/intel/intel_soc_dts_iosf: Fix reporting wrong temperatures

by Hans de Goede

Since commit 955fb8719efb ("thermal/intel/intel_soc_dts_iosf: Use Intel TCC library") intel_soc_dts_iosf is reporting the wrong temperature. The driver expects tj_max to be in milli-degrees-celcius but after the switch to the TCC library this is now in degrees celcius so instead of e.g. 90000 it is set to 90 causing a temperature 45 degrees below tj_max to be reported as -44910 milli-degrees instead of as 45000 milli-degrees. Fix this by adding back the lost factor of 1000. Fixes: 955fb8719efb ("thermal/intel/intel_soc_dts_iosf: Use Intel TCC library") Reported-by: Bernhard Krug <b.krug(a)elektronenpumpe.de> Cc: Zhang Rui <rui.zhang(a)intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- Note reported by private email, so no Closes: tag --- drivers/thermal/intel/intel_soc_dts_iosf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/thermal/intel/intel_soc_dts_iosf.c b/drivers/thermal/intel/intel_soc_dts_iosf.c index f99dc7e4ae89..db97499f4f0a 100644 --- a/drivers/thermal/intel/intel_soc_dts_iosf.c +++ b/drivers/thermal/intel/intel_soc_dts_iosf.c @@ -398,7 +398,7 @@ struct intel_soc_dts_sensors *intel_soc_dts_iosf_init( spin_lock_init(&sensors->intr_notify_lock); mutex_init(&sensors->dts_update_lock); sensors->intr_type = intr_type; - sensors->tj_max = tj_max; + sensors->tj_max = tj_max * 1000; if (intr_type == INTEL_SOC_DTS_INTERRUPT_NONE) notification = false; else -- 2.40.1

1 year, 6 months

3
2
0 0

[PATCH] ASoC: soc-compress: Fix deadlock in soc_compr_open_fe

by yixuanjiang

Modify the error handling flow by release lock. The require pcm_mutex will keep holding if open fail. Fixes: aa9ff6a4955f ("ASoC: soc-compress: Reposition and add pcm_mutex") Signed-off-by: yixuanjiang <yixuanjiang(a)google.com> Cc: stable(a)vger.kernel.org # v5.15+ --- sound/soc/soc-compress.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c index 256e45001f85..b6727b91dd85 100644 --- a/sound/soc/soc-compress.c +++ b/sound/soc/soc-compress.c @@ -166,6 +166,7 @@ static int soc_compr_open_fe(struct snd_compr_stream *cstream) snd_soc_dai_compr_shutdown(cpu_dai, cstream, 1); out: dpcm_path_put(&list); + mutex_unlock(&fe->card->pcm_mutex); be_err: fe->dpcm[stream].runtime_update = SND_SOC_DPCM_UPDATE_NO; mutex_unlock(&fe->card->mutex); -- 2.41.0.162.gfafddb0af9-goog

1 year, 6 months

3
2
0 0

[PATCH v6 0/5] mfd: tps6586x: register restart handler

by Benjamin Bara

Hi! The Tegra20 requires an enabled VDE power domain during startup. As the VDE is currently not used, it is disabled during runtime. Since 8f0c714ad9be, there is a workaround for the "normal restart path" which enables the VDE before doing PMC's warm reboot. This workaround is not executed in the "emergency restart path", leading to a hang-up during start. This series implements and registers a new pmic-based restart handler for boards with tps6586x. This cold reboot ensures that the VDE power domain is enabled during startup on tegra20-based boards. Since bae1d3a05a8b, i2c transfers are non-atomic while preemption is disabled (which is e.g. done during panic()). This could lead to warnings ("Voluntary context switch within RCU") in i2c-based restart handlers during emergency restart. The state of preemption should be detected by i2c_in_atomic_xfer_mode() to use atomic i2c xfer when required. Beside the new system_state check, the check is the same as the one pre v5.2. v5: https://lore.kernel.org/r/20230327-tegra-pmic-reboot-v5-0-ab090e03284d@skid… v6: - drop 4/6 to abort restart on unexpected failure (suggested by Dmitry) - 4,5: fix comments in handlers (suggested by Lee) - 4,5: same delay for both handlers (suggested by Lee) v5: - introduce new 3 & 4, therefore 3 -> 5, 4 -> 6 - 3: provide dev to sys_off handler, if it is known - 4: return NOTIFY_DONE from sys_off_notify, to avoid skipping - 5: drop Reviewed-by from Dmitry, add poweroff timeout - 5,6: return notifier value instead of direct errno from handler - 5,6: use new dev field instead of passing dev as cb_data - 5,6: increase timeout values based on error observations - 6: skip unsupported reboot modes in restart handler --- Benjamin Bara (5): kernel/reboot: emergency_restart: set correct system_state i2c: core: run atomic i2c xfer when !preemptible kernel/reboot: add device to sys_off_handler mfd: tps6586x: use devm-based power off handler mfd: tps6586x: register restart handler drivers/i2c/i2c-core.h | 2 +- drivers/mfd/tps6586x.c | 55 ++++++++++++++++++++++++++++++++++++++++++-------- include/linux/reboot.h | 3 +++ kernel/reboot.c | 4 ++++ 4 files changed, 55 insertions(+), 9 deletions(-) --- base-commit: 197b6b60ae7bc51dd0814953c562833143b292aa change-id: 20230327-tegra-pmic-reboot-4175ff814a4b Best regards, -- Benjamin Bara <benjamin.bara(a)skidata.com>

1 year, 6 months

4
8
0 0

[PATCH 6/6] bcache: fixup btree_cache_wait list damage

by Coly Li

From: Mingzhe Zou <mingzhe.zou(a)easystack.cn> We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() maybe call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before free it's memory address. Otherwise, the list will be damaged. Also should call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters. Fixes: 8e7102273f59 ("bcache: make bch_btree_check() to be multithreaded") Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded") Cc: stable(a)vger.kernel.org Signed-off-by: Mingzhe Zou <mingzhe.zou(a)easystack.cn> Signed-off-by: Coly Li <colyli(a)suse.de> --- drivers/md/bcache/btree.c | 11 ++++++++++- drivers/md/bcache/btree.h | 1 + drivers/md/bcache/writeback.c | 10 ++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index 0ddf91204782..68b9d7ca864e 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -885,7 +885,7 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, * cannibalize_bucket() will take. This means every time we unlock the root of * the btree, we need to release this lock if we have it held. */ -static void bch_cannibalize_unlock(struct cache_set *c) +void bch_cannibalize_unlock(struct cache_set *c) { spin_lock(&c->btree_cannibalize_lock); if (c->btree_cache_alloc_lock == current) { @@ -1970,6 +1970,15 @@ static int bch_btree_check_thread(void *arg) c->gc_stats.nodes++; bch_btree_op_init(&op, 0); ret = bcache_btree(check_recurse, p, c->root, &op); + /* + * The op may be added to cache_set's btree_cache_wait + * in mca_cannibalize(), must ensure it is removed from + * the list and release btree_cache_alloc_lock before + * free op memory. + * Otherwise, the btree_cache_wait will be damaged. + */ + bch_cannibalize_unlock(c); + finish_wait(&c->btree_cache_wait, &(&op)->wait); if (ret) goto out; } diff --git a/drivers/md/bcache/btree.h b/drivers/md/bcache/btree.h index 1b5fdbc0d83e..a2920bbfcad5 100644 --- a/drivers/md/bcache/btree.h +++ b/drivers/md/bcache/btree.h @@ -282,6 +282,7 @@ void bch_initial_gc_finish(struct cache_set *c); void bch_moving_gc(struct cache_set *c); int bch_btree_check(struct cache_set *c); void bch_initial_mark_key(struct cache_set *c, int level, struct bkey *k); +void bch_cannibalize_unlock(struct cache_set *c); static inline void wake_up_gc(struct cache_set *c) { diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c index d4a5fc0650bb..24c049067f61 100644 --- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -890,6 +890,16 @@ static int bch_root_node_dirty_init(struct cache_set *c, if (ret < 0) pr_warn("sectors dirty init failed, ret=%d!\n", ret); + /* + * The op may be added to cache_set's btree_cache_wait + * in mca_cannibalize(), must ensure it is removed from + * the list and release btree_cache_alloc_lock before + * free op memory. + * Otherwise, the btree_cache_wait will be damaged. + */ + bch_cannibalize_unlock(c); + finish_wait(&c->btree_cache_wait, &(&op.op)->wait); + return ret; } -- 2.35.3

1 year, 6 months

1
0
0 0

[PATCH 5/6] bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent

by Coly Li

From: Zheng Wang <zyytlz.wz(a)163.com> In some specific situation, the return value of __bch_btree_node_alloc may be NULL. This may lead to poential NULL pointer dereference in caller function like a calling chaion : btree_split->bch_btree_node_alloc->__bch_btree_node_alloc. Fix it by initialize return value in __bch_btree_node_alloc before return. Fixes: cafe56359144 ("bcache: A block layer cache") Cc: stable(a)vger.kernel.org Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Coly Li <colyli(a)suse.de> --- drivers/md/bcache/btree.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index 7c21e54468bf..0ddf91204782 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -1090,10 +1090,12 @@ struct btree *__bch_btree_node_alloc(struct cache_set *c, struct btree_op *op, struct btree *parent) { BKEY_PADDED(key) k; - struct btree *b = ERR_PTR(-EAGAIN); + struct btree *b; mutex_lock(&c->bucket_lock); retry: + /* return ERR_PTR(-EAGAIN) when it fails */ + b = ERR_PTR(-EAGAIN); if (__bch_bucket_alloc_set(c, RESERVE_BTREE, &k.key, wait)) goto err; -- 2.35.3

1 year, 6 months

1
0
0 0

[PATCH 4/6] bcache: Remove some unnecessary NULL point check for the return value of __bch_btree_node_alloc-related pointer

by Coly Li

From: Zheng Wang <zyytlz.wz(a)163.com> Due to the previously fix of __bch_btree_node_alloc, the return value will never be a NULL pointer. So IS_ERR is enough to handle the failure situation. Fix it by replacing IS_ERR_OR_NULL check to IS_ERR check. Fixes: cafe56359144 ("bcache: A block layer cache") Cc: stable(a)vger.kernel.org Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Coly Li <colyli(a)suse.de> --- drivers/md/bcache/btree.c | 10 +++++----- drivers/md/bcache/super.c | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index 147c493a989a..7c21e54468bf 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -1138,7 +1138,7 @@ static struct btree *btree_node_alloc_replacement(struct btree *b, { struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent); - if (!IS_ERR_OR_NULL(n)) { + if (!IS_ERR(n)) { mutex_lock(&n->write_lock); bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort); bkey_copy_key(&n->key, &b->key); @@ -1340,7 +1340,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, memset(new_nodes, 0, sizeof(new_nodes)); closure_init_stack(&cl); - while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) + while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) keys += r[nodes++].keys; blocks = btree_default_blocks(b->c) * 2 / 3; @@ -1352,7 +1352,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, for (i = 0; i < nodes; i++) { new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL); - if (IS_ERR_OR_NULL(new_nodes[i])) + if (IS_ERR(new_nodes[i])) goto out_nocoalesce; } @@ -1487,7 +1487,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, bch_keylist_free(&keylist); for (i = 0; i < nodes; i++) - if (!IS_ERR_OR_NULL(new_nodes[i])) { + if (!IS_ERR(new_nodes[i])) { btree_node_free(new_nodes[i]); rw_unlock(true, new_nodes[i]); } @@ -1669,7 +1669,7 @@ static int bch_btree_gc_root(struct btree *b, struct btree_op *op, if (should_rewrite) { n = btree_node_alloc_replacement(b, NULL); - if (!IS_ERR_OR_NULL(n)) { + if (!IS_ERR(n)) { bch_btree_node_write_sync(n); bch_btree_set_root(n); diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index 7e9d19fd21dd..077149c4050b 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1723,7 +1723,7 @@ static void cache_set_flush(struct closure *cl) if (!IS_ERR_OR_NULL(c->gc_thread)) kthread_stop(c->gc_thread); - if (!IS_ERR_OR_NULL(c->root)) + if (!IS_ERR(c->root)) list_add(&c->root->list, &c->btree_cache); /* @@ -2087,7 +2087,7 @@ static int run_cache_set(struct cache_set *c) err = "cannot allocate new btree root"; c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL); - if (IS_ERR_OR_NULL(c->root)) + if (IS_ERR(c->root)) goto err; mutex_lock(&c->root->write_lock); -- 2.35.3

1 year, 6 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2023