- Linux-stable-mirror - lists.linaro.org

[PATCH] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg

by Huacai Chen

When building kernel with LLVM there are occasionally such errors: In file included from ./include/linux/spinlock.h:59: In file included from ./include/linux/irqflags.h:17: arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 38 | "csrxchg %[val], %[mask], %[reg]\n\t" | ^ <inline asm>:1:16: note: instantiated into assembly here 1 | csrxchg $a1, $ra, 0 | ^ The "mask" of the csrxchg instruction should not be $r0 or $r1, but the compiler cannot avoid generating such code currently. So force to use t0 in the inline asm, in order to avoid using $r0/$r1. Cc: stable(a)vger.kernel.org Suggested-by: WANG Rui <wangrui(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/include/asm/irqflags.h b/arch/loongarch/include/asm/irqflags.h index 319a8c616f1f..003172b8406b 100644 --- a/arch/loongarch/include/asm/irqflags.h +++ b/arch/loongarch/include/asm/irqflags.h @@ -14,40 +14,48 @@ static inline void arch_local_irq_enable(void) { u32 flags = CSR_CRMD_IE; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline void arch_local_irq_disable(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline unsigned long arch_local_irq_save(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); return flags; } static inline void arch_local_irq_restore(unsigned long flags) { + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } -- 2.47.1

3 months, 3 weeks

4
3
0 0

[PATCH v1 1/1] x86/fred/signal: Prevent single-step upon ERETU completion

by Xin Li (Intel)

From: Xin Li <xin(a)zytor.com> Clear the software event flag in the augmented SS to prevent infinite SIGTRAP handler loop if TF is used without an external debugger. Following is a typical single-stepping flow for a user process: 1) The user process is prepared for single-stepping by setting RFLAGS.TF = 1. 2) When any instruction in user space completes, a #DB is triggered. 3) The kernel handles the #DB and returns to user space, invoking the SIGTRAP handler with RFLAGS.TF = 0. 4) After the SIGTRAP handler finishes, the user process performs a sigreturn syscall, restoring the original state, including RFLAGS.TF = 1. 5) Goto step 2. According to the FRED specification: A) Bit 17 in the augmented SS is designated as the software event flag, which is set to 1 for FRED event delivery of SYSCALL, SYSENTER, or INT n. B) If bit 17 of the augmented SS is 1 and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. In step 4) above, the software event flag is set upon the sigreturn syscall, and its corresponding ERETU would restore RFLAGS.TF = 1. This combination causes a pending single-step trap upon completion of ERETU. Therefore, another #DB is triggered before any user space instruction is executed, which leads to an infinite loop in which the SIGTRAP handler keeps being invoked on the same user space IP. Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)vger.kernel.org --- arch/x86/include/asm/sighandling.h | 20 ++++++++++++++++++++ arch/x86/kernel/signal_32.c | 4 ++++ arch/x86/kernel/signal_64.c | 4 ++++ 3 files changed, 28 insertions(+) diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sighandling.h index e770c4fc47f4..ecb0411fe88c 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h @@ -24,4 +24,24 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +/* + * To prevent infinite SIGTRAP handler loop if TF is used without an external + * debugger, clear the software event flag in the augmented SS, ensuring no + * single-step trap is pending upon ERETU completion. + * + * Note, this function should be called in sigreturn() before the original state + * is restored to make sure the TF is read from the entry frame. + */ +static __always_inline void prevent_single_step_upon_eretu(struct pt_regs *regs) +{ + /* + * If the trap flag (TF) is set, i.e., the sigreturn() SYSCALL instruction + * is being single-stepped, do not clear the software event flag in the + * augmented SS, thus a debugger won't skip over the following instruction. + */ + if (IS_ENABLED(CONFIG_X86_FRED) && cpu_feature_enabled(X86_FEATURE_FRED) && + !(regs->flags & X86_EFLAGS_TF)) + regs->fred_ss.swevent = 0; +} + #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index 98123ff10506..42bbc42bd350 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -152,6 +152,8 @@ SYSCALL32_DEFINE0(sigreturn) struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); sigset_t set; + prevent_single_step_upon_eretu(regs); + if (!access_ok(frame, sizeof(*frame))) goto badframe; if (__get_user(set.sig[0], &frame->sc.oldmask) @@ -175,6 +177,8 @@ SYSCALL32_DEFINE0(rt_sigreturn) struct rt_sigframe_ia32 __user *frame; sigset_t set; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); if (!access_ok(frame, sizeof(*frame))) diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ee9453891901..d483b585c6c6 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -250,6 +250,8 @@ SYSCALL_DEFINE0(rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); if (!access_ok(frame, sizeof(*frame))) goto badframe; @@ -366,6 +368,8 @@ COMPAT_SYSCALL_DEFINE0(x32_rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); if (!access_ok(frame, sizeof(*frame))) base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00 -- 2.49.0

3 months, 3 weeks

6
8
0 0

[PATCH v3 1/1] x86/fred/signal: Prevent single-step upon ERETU completion

by Xin Li (Intel)

From: Xin Li <xin(a)zytor.com> Clear the software event flag in the augmented SS to prevent infinite SIGTRAP handler loop if TF is used without an external debugger. Following is a typical single-stepping flow for a user process: 1) The user process is prepared for single-stepping by setting RFLAGS.TF = 1. 2) When any instruction in user space completes, a #DB is triggered. 3) The kernel handles the #DB and returns to user space, invoking the SIGTRAP handler with RFLAGS.TF = 0. 4) After the SIGTRAP handler finishes, the user process performs a sigreturn syscall, restoring the original state, including RFLAGS.TF = 1. 5) Goto step 2. According to the FRED specification: A) Bit 17 in the augmented SS is designated as the software event flag, which is set to 1 for FRED event delivery of SYSCALL, SYSENTER, or INT n. B) If bit 17 of the augmented SS is 1 and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. In step 4) above, the software event flag is set upon the sigreturn syscall, and its corresponding ERETU would restore RFLAGS.TF = 1. This combination causes a pending single-step trap upon completion of ERETU. Therefore, another #DB is triggered before any user space instruction is executed, which leads to an infinite loop in which the SIGTRAP handler keeps being invoked on the same user space IP. Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)vger.kernel.org --- Change in v3: *) Use "#ifdef CONFIG_X86_FRED" instead of IS_ENABLED(CONFIG_X86_FRED) (Intel LKP). Change in v2: *) Remove the check cpu_feature_enabled(X86_FEATURE_FRED), because regs->fred_ss.swevent will always be 0 otherwise (H. Peter Anvin). --- arch/x86/include/asm/sighandling.h | 21 +++++++++++++++++++++ arch/x86/kernel/signal_32.c | 4 ++++ arch/x86/kernel/signal_64.c | 4 ++++ 3 files changed, 29 insertions(+) diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sighandling.h index e770c4fc47f4..530eecc371fc 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h @@ -24,4 +24,25 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +/* + * To prevent infinite SIGTRAP handler loop if TF is used without an external + * debugger, clear the software event flag in the augmented SS, ensuring no + * single-step trap is pending upon ERETU completion. + * + * Note, this function should be called in sigreturn() before the original state + * is restored to make sure the TF is read from the entry frame. + */ +static __always_inline void prevent_single_step_upon_eretu(struct pt_regs *regs) +{ + /* + * If the trap flag (TF) is set, i.e., the sigreturn() SYSCALL instruction + * is being single-stepped, do not clear the software event flag in the + * augmented SS, thus a debugger won't skip over the following instruction. + */ +#ifdef CONFIG_X86_FRED + if (!(regs->flags & X86_EFLAGS_TF)) + regs->fred_ss.swevent = 0; +#endif +} + #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index 98123ff10506..42bbc42bd350 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -152,6 +152,8 @@ SYSCALL32_DEFINE0(sigreturn) struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); sigset_t set; + prevent_single_step_upon_eretu(regs); + if (!access_ok(frame, sizeof(*frame))) goto badframe; if (__get_user(set.sig[0], &frame->sc.oldmask) @@ -175,6 +177,8 @@ SYSCALL32_DEFINE0(rt_sigreturn) struct rt_sigframe_ia32 __user *frame; sigset_t set; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); if (!access_ok(frame, sizeof(*frame))) diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ee9453891901..d483b585c6c6 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -250,6 +250,8 @@ SYSCALL_DEFINE0(rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); if (!access_ok(frame, sizeof(*frame))) goto badframe; @@ -366,6 +368,8 @@ COMPAT_SYSCALL_DEFINE0(x32_rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); if (!access_ok(frame, sizeof(*frame))) base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00 -- 2.49.0

3 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: allow buffered write to avoid full page read if it's block aligned" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: allow buffered write to avoid full page read if it's block aligned > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-allow-buffered-write-to-avoid-full-page-read-i.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch from all stable branches. Although this patch mentions a failure in fstests, it acts more like an optimization for btrfs. Furthermore it relies quite some patches that may not be in stable kernels. Without all the dependency, this can lead to data corruption. Please drop this one from all stable kernels. Thanks, Qu > > > > commit de0860d610aaaee77a8c5c713c41fea584ac83b3 > Author: Qu Wenruo <wqu(a)suse.com> > Date: Wed Oct 30 17:04:02 2024 +1030 > > btrfs: allow buffered write to avoid full page read if it's block aligned > > [ Upstream commit 0d31ca6584f21821c708752d379871b9fce2dc48 ] > > [BUG] > Since the support of block size (sector size) < page size for btrfs, > test case generic/563 fails with 4K block size and 64K page size: > > --- tests/generic/563.out 2024-04-25 18:13:45.178550333 +0930 > +++ /home/adam/xfstests-dev/results//generic/563.out.bad 2024-09-30 09:09:16.155312379 +0930 > @@ -3,7 +3,8 @@ > read is in range > write is in range > write -> read/write > -read is in range > +read has value of 8388608 > +read is NOT in range -33792 .. 33792 > write is in range > ... > > [CAUSE] > The test case creates a 8MiB file, then does buffered write into the 8MiB > using 4K block size, to overwrite the whole file. > > On 4K page sized systems, since the write range covers the full block and > page, btrfs will not bother reading the page, just like what XFS and EXT4 > do. > > But on 64K page sized systems, although the 4K sized write is still block > aligned, it's not page aligned anymore, thus btrfs will read the full > page, which will be accounted by cgroup and fail the test. > > As the test case itself expects such 4K block aligned write should not > trigger any read. > > Such expected behavior is an optimization to reduce folio reads when > possible, and unfortunately btrfs does not implement such optimization. > > [FIX] > To skip the full page read, we need to do the following modification: > > - Do not trigger full page read as long as the buffered write is block > aligned > This is pretty simple by modifying the check inside > prepare_uptodate_page(). > > - Skip already uptodate blocks during full page read > Or we can lead to the following data corruption: > > 0 32K 64K > |///////| | > > Where the file range [0, 32K) is dirtied by buffered write, the > remaining range [32K, 64K) is not. > > When reading the full page, since [0,32K) is only dirtied but not > written back, there is no data extent map for it, but a hole covering > [0, 64k). > > If we continue reading the full page range [0, 64K), the dirtied range > will be filled with 0 (since there is only a hole covering the whole > range). > This causes the dirtied range to get lost. > > With this optimization, btrfs can pass generic/563 even if the page size > is larger than fs block size. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c > index 06922529f19dc..13b5359ea1b77 100644 > --- a/fs/btrfs/extent_io.c > +++ b/fs/btrfs/extent_io.c > @@ -974,6 +974,10 @@ static int btrfs_do_readpage(struct folio *folio, struct extent_map **em_cached, > end_folio_read(folio, true, cur, iosize); > break; > } > + if (btrfs_folio_test_uptodate(fs_info, folio, cur, blocksize)) { > + end_folio_read(folio, true, cur, blocksize); > + continue; > + } > em = get_extent_map(BTRFS_I(inode), folio, cur, end - cur + 1, em_cached); > if (IS_ERR(em)) { > end_folio_read(folio, false, cur, end + 1 - cur); > diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c > index cd4e40a719186..61ad1a79e5698 100644 > --- a/fs/btrfs/file.c > +++ b/fs/btrfs/file.c > @@ -804,14 +804,15 @@ static int prepare_uptodate_folio(struct inode *inode, struct folio *folio, u64 > { > u64 clamp_start = max_t(u64, pos, folio_pos(folio)); > u64 clamp_end = min_t(u64, pos + len, folio_pos(folio) + folio_size(folio)); > + const u32 blocksize = inode_to_fs_info(inode)->sectorsize; > int ret = 0; > > if (folio_test_uptodate(folio)) > return 0; > > if (!force_uptodate && > - IS_ALIGNED(clamp_start, PAGE_SIZE) && > - IS_ALIGNED(clamp_end, PAGE_SIZE)) > + IS_ALIGNED(clamp_start, blocksize) && > + IS_ALIGNED(clamp_end, blocksize)) > return 0; > > ret = btrfs_read_folio(NULL, folio);

3 months, 3 weeks

2
1
0 0

[PATCH v4] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the function mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Target: net Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v4: Fix code error. v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix typo error. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..c34cd9a1a79b 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -465,19 +465,22 @@ int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + err = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

3 months, 3 weeks

2
1
0 0

[PATCH 1/2] block: Make __submit_bio_noacct() preserve the bio submission order

by Bart Van Assche

submit_bio() may be called recursively. To limit the stack depth, recursive calls result in bios being added to a list (current->bio_list). __submit_bio_noacct() sets up that list and maintains two lists with requests: * bio_list_on_stack[0] is the list with bios submitted by recursive submit_bio() calls from inside the latest __submit_bio() call. * bio_list_on_stack[1] is the list with bios submitted by recursive submit_bio() calls from inside previous __submit_bio() calls. Make sure that bios are submitted to lower devices in the order these have been submitted by submit_bio() by adding new bios at the end of the list instead of at the front. This patch fixes unaligned write errors that I encountered with F2FS submitting zoned writes to a dm driver stacked on top of a zoned UFS device. Cc: Christoph Hellwig <hch(a)lst.de> Cc: Damien Le Moal <dlemoal(a)kernel.org> Cc: Yu Kuai <yukuai1(a)huaweicloud.com> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- block/blk-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk-core.c b/block/blk-core.c index b862c66018f2..4b728fa1c138 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -704,9 +704,9 @@ static void __submit_bio_noacct(struct bio *bio) /* * Now assemble so we handle the lowest level first. */ + bio_list_on_stack[0] = bio_list_on_stack[1]; bio_list_merge(&bio_list_on_stack[0], &lower); bio_list_merge(&bio_list_on_stack[0], &same); - bio_list_merge(&bio_list_on_stack[0], &bio_list_on_stack[1]); } while ((bio = bio_list_pop(&bio_list_on_stack[0]))); current->bio_list = NULL;

3 months, 3 weeks

3
9
0 0

Re: Patch "f2fs: defer readonly check vs norecovery" has been added to the 6.14-stable tree

by Eric Sandeen

On 5/22/25 4:10 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > f2fs: defer readonly check vs norecovery > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > f2fs-defer-readonly-check-vs-norecovery.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. I already replied to the AUTOSEL email on 5/5 saying that this is not a bug fix and should not be in the stable tree, but here we are. > commit 442e4090bb78d5dce4506a591214ce2447d6ea50 > Author: Eric Sandeen <sandeen(a)redhat.com> > Date: Mon Mar 3 11:12:17 2025 -0600 > > f2fs: defer readonly check vs norecovery > > [ Upstream commit 9cca49875997a1a7e92800a828a62bacb0f577b9 ] > > Defer the readonly-vs-norecovery check until after option parsing is done > so that option parsing does not require an active superblock for the test. > Add a helpful message, while we're at it. > > (I think could be moved back into parsing after we switch to the new mount > API if desired, as the fs context will have RO state available.) > > Signed-off-by: Eric Sandeen <sandeen(a)redhat.com> > Reviewed-by: Chao Yu <chao(a)kernel.org> > Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index b8a0e925a4011..d3b04a589b525 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -728,10 +728,8 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) > set_opt(sbi, DISABLE_ROLL_FORWARD); > break; > case Opt_norecovery: > - /* this option mounts f2fs with ro */ > + /* requires ro mount, checked in f2fs_default_check */ > set_opt(sbi, NORECOVERY); > - if (!f2fs_readonly(sb)) > - return -EINVAL; > break; > case Opt_discard: > if (!f2fs_hw_support_discard(sbi)) { > @@ -1418,6 +1416,12 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) > f2fs_err(sbi, "Allow to mount readonly mode only"); > return -EROFS; > } > + > + if (test_opt(sbi, NORECOVERY) && !f2fs_readonly(sbi->sb)) { > + f2fs_err(sbi, "norecovery requires readonly mount"); > + return -EINVAL; > + } > + > return 0; > } > >

3 months, 3 weeks

1
0
0 0

Re: [PATCH 6.6 005/568] md: fix deadlock between mddev_suspend and flush bio

by Andrew Kanner

> [...] > > Additionally, the only difference between fixing the issue and before is > that there is no return error handling of make_request(). But after > previous patch cleaned md_write_start(), make_requst() only return error > in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, > md/raid456: fix a deadlock for dm-raid456 while io concurrent with > reshape)". Since dm always splits data and flush operation into two > separate io, io size of flush submitted by dm always is 0, make_request() > will not be called in md_submit_flush_data(). To prevent future > modifications from introducing issues, add WARN_ON to ensure > make_request() no error is returned in this context. > > [...] > @@ -560,8 +552,20 @@ static void md_submit_flush_data(struct work_struct *ws) > bio_endio(bio); > } else { > bio->bi_opf &= ~REQ_PREFLUSH; > - md_handle_request(mddev, bio); > + > + /* > + * make_requst() will never return error here, it only > + * returns error in raid5_make_request() by dm-raid. > + * Since dm always splits data and flush operation into > + * two separate io, io size of flush submitted by dm > + * always is 0, make_request() will not be called here. > + */ > + if (WARN_ON_ONCE(!mddev->pers->make_request(mddev, bio))) > + bio_io_error(bio);; > } Hello, It looks we can hit this WARN_ON_ONCE() after which rootfs is switching to read-only: May 20 15:13:35 hostname kernel: WARNING: CPU: 35 PID: 1517323 at drivers/md/md.c:621 md_submit_flush_data+0x9b/0xe0 ... May 20 15:13:35 hostname kernel: XFS (md125): log I/O error -5 May 20 15:13:35 hostname kernel: XFS (md125): Filesystem has been shut down due to log error (0x2). May 20 15:13:35 hostname kernel: XFS (md125): Please unmount the filesystem and rectify the problem(s). Can you double check if the following regression is actual? Since both stable/linux-6.1.y and stable/linux-6.6.y branches don't have b75197e86e6d ("md: Remove flush handling") there is a minor issue with this backport. Statement "previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid" will not work for both branches since 03e792eaf18e ("md: change the return value type of md_write_start to void") was not backported. So we should either backport it, or do error handling, not the WARN_ON_ONCE(). -- Andrew Kanner

3 months, 3 weeks

1
0
0 0

Re: Patch "dm vdo vio-pool: allow variable-sized metadata vios" has been added to the 6.12-stable tree

by Matthew Sakai

On 5/22/25 6:31 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > dm vdo vio-pool: allow variable-sized metadata vios > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > dm-vdo-vio-pool-allow-variable-sized-metadata-vios.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. There is no reason to pull this patch into 6.12 since there are no features in 6.12 that would use it. Matt > > commit ac663217ac4eeab508db348a67511d45ccd9846f > Author: Ken Raeburn <raeburn(a)redhat.com> > Date: Fri Jan 31 21:18:05 2025 -0500 > > dm vdo vio-pool: allow variable-sized metadata vios > > [ Upstream commit f979da512553a41a657f2c1198277e84d66f8ce3 ] > > With larger-sized metadata vio pools, vdo will sometimes need to > issue I/O with a smaller size than the allocated size. Since > vio_reset_bio is where the bvec array and I/O size are initialized, > this reset interface must now specify what I/O size to use. > > Signed-off-by: Ken Raeburn <raeburn(a)redhat.com> > Signed-off-by: Matthew Sakai <msakai(a)redhat.com> > Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/md/dm-vdo/io-submitter.c b/drivers/md/dm-vdo/io-submitter.c > index ab62abe18827b..a664be89c15d7 100644 > --- a/drivers/md/dm-vdo/io-submitter.c > +++ b/drivers/md/dm-vdo/io-submitter.c > @@ -327,6 +327,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > * @error_handler: the handler for submission or I/O errors (may be NULL) > * @operation: the type of I/O to perform > * @data: the buffer to read or write (may be NULL) > + * @size: the I/O amount in bytes > * > * The vio is enqueued on a vdo bio queue so that bio submission (which may block) does not block > * other vdo threads. > @@ -338,7 +339,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > */ > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data) > + blk_opf_t operation, char *data, int size) > { > int result; > struct vdo_completion *completion = &vio->completion; > @@ -349,7 +350,8 @@ void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > > vdo_reset_completion(completion); > completion->error_handler = error_handler; > - result = vio_reset_bio(vio, data, callback, operation | REQ_META, physical); > + result = vio_reset_bio_with_size(vio, data, size, callback, operation | REQ_META, > + physical); > if (result != VDO_SUCCESS) { > continue_vio(vio, result); > return; > diff --git a/drivers/md/dm-vdo/io-submitter.h b/drivers/md/dm-vdo/io-submitter.h > index 80748699496f2..3088f11055fdd 100644 > --- a/drivers/md/dm-vdo/io-submitter.h > +++ b/drivers/md/dm-vdo/io-submitter.h > @@ -8,6 +8,7 @@ > > #include <linux/bio.h> > > +#include "constants.h" > #include "types.h" > > struct io_submitter; > @@ -26,14 +27,25 @@ void vdo_submit_data_vio(struct data_vio *data_vio); > > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data); > + blk_opf_t operation, char *data, int size); > > static inline void vdo_submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > blk_opf_t operation) > { > __submit_metadata_vio(vio, physical, callback, error_handler, > - operation, vio->data); > + operation, vio->data, vio->block_count * VDO_BLOCK_SIZE); > +} > + > +static inline void vdo_submit_metadata_vio_with_size(struct vio *vio, > + physical_block_number_t physical, > + bio_end_io_t callback, > + vdo_action_fn error_handler, > + blk_opf_t operation, > + int size) > +{ > + __submit_metadata_vio(vio, physical, callback, error_handler, > + operation, vio->data, size); > } > > static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > @@ -41,7 +53,7 @@ static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > { > /* FIXME: Can we just use REQ_OP_FLUSH? */ > __submit_metadata_vio(vio, 0, callback, error_handler, > - REQ_OP_WRITE | REQ_PREFLUSH, NULL); > + REQ_OP_WRITE | REQ_PREFLUSH, NULL, 0); > } > > #endif /* VDO_IO_SUBMITTER_H */ > diff --git a/drivers/md/dm-vdo/types.h b/drivers/md/dm-vdo/types.h > index dbe892b10f265..cdf36e7d77021 100644 > --- a/drivers/md/dm-vdo/types.h > +++ b/drivers/md/dm-vdo/types.h > @@ -376,6 +376,9 @@ struct vio { > /* The size of this vio in blocks */ > unsigned int block_count; > > + /* The amount of data to be read or written, in bytes */ > + unsigned int io_size; > + > /* The data being read or written. */ > char *data; > > diff --git a/drivers/md/dm-vdo/vio.c b/drivers/md/dm-vdo/vio.c > index b291578f726f5..7c417c1af4516 100644 > --- a/drivers/md/dm-vdo/vio.c > +++ b/drivers/md/dm-vdo/vio.c > @@ -188,14 +188,23 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > /* > * Prepares the bio to perform IO with the specified buffer. May only be used on a VDO-allocated > - * bio, as it assumes the bio wraps a 4k buffer that is 4k aligned, but there does not have to be a > - * vio associated with the bio. > + * bio, as it assumes the bio wraps a 4k-multiple buffer that is 4k aligned, but there does not > + * have to be a vio associated with the bio. > */ > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn) > { > - int bvec_count, offset, len, i; > + return vio_reset_bio_with_size(vio, data, vio->block_count * VDO_BLOCK_SIZE, > + callback, bi_opf, pbn); > +} > + > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn) > +{ > + int bvec_count, offset, i; > struct bio *bio = vio->bio; > + int vio_size = vio->block_count * VDO_BLOCK_SIZE; > + int remaining; > > bio_reset(bio, bio->bi_bdev, bi_opf); > vdo_set_bio_properties(bio, vio, callback, bi_opf, pbn); > @@ -204,22 +213,21 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > > bio->bi_io_vec = bio->bi_inline_vecs; > bio->bi_max_vecs = vio->block_count + 1; > - len = VDO_BLOCK_SIZE * vio->block_count; > + if (VDO_ASSERT(size <= vio_size, "specified size %d is not greater than allocated %d", > + size, vio_size) != VDO_SUCCESS) > + size = vio_size; > + vio->io_size = size; > offset = offset_in_page(data); > - bvec_count = DIV_ROUND_UP(offset + len, PAGE_SIZE); > + bvec_count = DIV_ROUND_UP(offset + size, PAGE_SIZE); > + remaining = size; > > - /* > - * If we knew that data was always on one page, or contiguous pages, we wouldn't need the > - * loop. But if we're using vmalloc, it's not impossible that the data is in different > - * pages that can't be merged in bio_add_page... > - */ > - for (i = 0; (i < bvec_count) && (len > 0); i++) { > + for (i = 0; (i < bvec_count) && (remaining > 0); i++) { > struct page *page; > int bytes_added; > int bytes = PAGE_SIZE - offset; > > - if (bytes > len) > - bytes = len; > + if (bytes > remaining) > + bytes = remaining; > > page = is_vmalloc_addr(data) ? vmalloc_to_page(data) : virt_to_page(data); > bytes_added = bio_add_page(bio, page, bytes, offset); > @@ -231,7 +239,7 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > } > > data += bytes; > - len -= bytes; > + remaining -= bytes; > offset = 0; > } > > diff --git a/drivers/md/dm-vdo/vio.h b/drivers/md/dm-vdo/vio.h > index 3490e9f59b04a..74e8fd7c8c029 100644 > --- a/drivers/md/dm-vdo/vio.h > +++ b/drivers/md/dm-vdo/vio.h > @@ -123,6 +123,8 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn); > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn); > > void update_vio_error_stats(struct vio *vio, const char *format, ...) > __printf(2, 3); >

3 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: prevent inline data extents read from touching blocks beyond its range" has been added to the 6.12-stable tree

by Qu Wenruo

在 2025/5/23 07:31, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: prevent inline data extents read from touching blocks beyond its range > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-prevent-inline-data-extents-read-from-touching.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this one from all stable trees. Although the patch won't cause any behavior change, the main reason for this patch is to prepare for the subpage optimization (and future large folios support). Thanks, Qu > > > > commit 98504dd74a2688ff63dba6bf1d9f8abc7f0b322e > Author: Qu Wenruo <wqu(a)suse.com> > Date: Fri Nov 15 19:15:34 2024 +1030 > > btrfs: prevent inline data extents read from touching blocks beyond its range > > [ Upstream commit 1a5b5668d711d3d1ef447446beab920826decec3 ] > > Currently reading an inline data extent will zero out the remaining > range in the page. > > This is not yet causing problems even for block size < page size > (subpage) cases because: > > 1) An inline data extent always starts at file offset 0 > Meaning at page read, we always read the inline extent first, before > any other blocks in the page. Then later blocks are properly read out > and re-fill the zeroed out ranges. > > 2) Currently btrfs will read out the whole page if a buffered write is > not page aligned > So a page is either fully uptodate at buffered write time (covers the > whole page), or we will read out the whole page first. > Meaning there is nothing to lose for such an inline extent read. > > But it's still not ideal: > > - We're zeroing out the page twice > Once done by read_inline_extent()/uncompress_inline(), once done by > btrfs_do_readpage() for ranges beyond i_size. > > - We're touching blocks that don't belong to the inline extent > In the incoming patches, we can have a partial uptodate folio, of > which some dirty blocks can exist while the page is not fully uptodate: > > The page size is 16K and block size is 4K: > > 0 4K 8K 12K 16K > | | |/////////| | > > And range [8K, 12K) is dirtied by a buffered write, the remaining > blocks are not uptodate. > > If range [0, 4K) contains an inline data extent, and we try to read > the whole page, the current behavior will overwrite range [8K, 12K) > with zero and cause data loss. > > So to make the behavior more consistent and in preparation for future > changes, limit the inline data extents read to only zero out the range > inside the first block, not the whole page. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 0da2611fb9c85..ee8c18d298758 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -6825,6 +6825,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > { > int ret; > struct extent_buffer *leaf = path->nodes[0]; > + const u32 blocksize = leaf->fs_info->sectorsize; > char *tmp; > size_t max_size; > unsigned long inline_size; > @@ -6841,7 +6842,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > > read_extent_buffer(leaf, tmp, ptr, inline_size); > > - max_size = min_t(unsigned long, PAGE_SIZE, max_size); > + max_size = min_t(unsigned long, blocksize, max_size); > ret = btrfs_decompress(compress_type, tmp, folio, 0, inline_size, > max_size); > > @@ -6853,8 +6854,8 @@ static noinline int uncompress_inline(struct btrfs_path *path, > * cover that region here. > */ > > - if (max_size < PAGE_SIZE) > - folio_zero_range(folio, max_size, PAGE_SIZE - max_size); > + if (max_size < blocksize) > + folio_zero_range(folio, max_size, blocksize - max_size); > kfree(tmp); > return ret; > } > @@ -6862,6 +6863,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > static int read_inline_extent(struct btrfs_inode *inode, struct btrfs_path *path, > struct folio *folio) > { > + const u32 blocksize = path->nodes[0]->fs_info->sectorsize; > struct btrfs_file_extent_item *fi; > void *kaddr; > size_t copy_size; > @@ -6876,14 +6878,14 @@ static int read_inline_extent(struct btrfs_inode *inode, struct btrfs_path *path > if (btrfs_file_extent_compression(path->nodes[0], fi) != BTRFS_COMPRESS_NONE) > return uncompress_inline(path, folio, fi); > > - copy_size = min_t(u64, PAGE_SIZE, > + copy_size = min_t(u64, blocksize, > btrfs_file_extent_ram_bytes(path->nodes[0], fi)); > kaddr = kmap_local_folio(folio, 0); > read_extent_buffer(path->nodes[0], kaddr, > btrfs_file_extent_inline_start(fi), copy_size); > kunmap_local(kaddr); > - if (copy_size < PAGE_SIZE) > - folio_zero_range(folio, copy_size, PAGE_SIZE - copy_size); > + if (copy_size < blocksize) > + folio_zero_range(folio, copy_size, blocksize - copy_size); > return 0; > } >

3 months, 3 weeks

1
0
0 0

+ mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ge Yang <yangge1116(a)126.com> Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios Date: Thu, 22 May 2025 11:22:17 +0800 A kernel crash was observed when replacing free hugetlb folios: BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replace_free_hugepage_folios+0xb6/0x100 alloc_contig_range_noprof+0x18a/0x590 ? srso_return_thunk+0x5/0x5f ? down_read+0x12/0xa0 ? srso_return_thunk+0x5/0x5f cma_range_alloc.constprop.0+0x131/0x290 __cma_alloc+0xcf/0x2c0 cma_alloc_write+0x43/0xb0 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110 debugfs_attr_write+0x46/0x70 full_proxy_write+0x62/0xa0 vfs_write+0xf8/0x420 ? srso_return_thunk+0x5/0x5f ? filp_flush+0x86/0xa0 ? srso_return_thunk+0x5/0x5f ? filp_close+0x1f/0x30 ? srso_return_thunk+0x5/0x5f ? do_dup2+0xaf/0x160 ? srso_return_thunk+0x5/0x5f ksys_write+0x65/0xe0 do_syscall_64+0x64/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios(): CPU1 CPU2 __update_and_free_hugetlb_folio replace_free_hugepage_folios folio_test_hugetlb(folio) -- It's still hugetlb folio. __folio_clear_hugetlb(folio) hugetlb_free_folio(folio) h = folio_hstate(folio) -- Here, h is NULL pointer When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL. Link: https://lkml.kernel.org/r/1747884137-26685-1-git-send-email-yangge1116@126.… Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration") Signed-off-by: Ge Yang <yangge1116(a)126.com> Reviewed-by: Muchun Song <muchun.song(a)linux.dev> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/hugetlb.c~mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios +++ a/mm/hugetlb.c @@ -2949,12 +2949,20 @@ int replace_free_hugepage_folios(unsigne while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); + + /* + * The folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ + spin_lock_irq(&hugetlb_lock); if (folio_test_hugetlb(folio)) { h = folio_hstate(folio); } else { + spin_unlock_irq(&hugetlb_lock); start_pfn++; continue; } + spin_unlock_irq(&hugetlb_lock); if (!folio_ref_count(folio)) { ret = alloc_and_dissolve_hugetlb_folio(h, folio, _ Patches currently in -mm which might be from yangge1116(a)126.com are mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch

3 months, 3 weeks

1
0
0 0

Re: Patch "dm vdo vio-pool: allow variable-sized metadata vios" has been added to the 6.14-stable tree

by Matthew Sakai

On 5/22/25 5:44 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > dm vdo vio-pool: allow variable-sized metadata vios > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > dm-vdo-vio-pool-allow-variable-sized-metadata-vios.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > This patch should probably not get added to 6.14 or any earlier stable tree. It implements an interface for a new feature added in in 6.15, but without backporting that feature, nothing will use the new interface so this patch is unnecessary. Thanks, Matt > > commit 921200c5e2f6a07ad93419d800d6a1a2fbf7abc7 > Author: Ken Raeburn <raeburn(a)redhat.com> > Date: Fri Jan 31 21:18:05 2025 -0500 > > dm vdo vio-pool: allow variable-sized metadata vios > > [ Upstream commit f979da512553a41a657f2c1198277e84d66f8ce3 ] > > With larger-sized metadata vio pools, vdo will sometimes need to > issue I/O with a smaller size than the allocated size. Since > vio_reset_bio is where the bvec array and I/O size are initialized, > this reset interface must now specify what I/O size to use. > > Signed-off-by: Ken Raeburn <raeburn(a)redhat.com> > Signed-off-by: Matthew Sakai <msakai(a)redhat.com> > Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/md/dm-vdo/io-submitter.c b/drivers/md/dm-vdo/io-submitter.c > index 421e5436c32c9..11d47770b54d2 100644 > --- a/drivers/md/dm-vdo/io-submitter.c > +++ b/drivers/md/dm-vdo/io-submitter.c > @@ -327,6 +327,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > * @error_handler: the handler for submission or I/O errors (may be NULL) > * @operation: the type of I/O to perform > * @data: the buffer to read or write (may be NULL) > + * @size: the I/O amount in bytes > * > * The vio is enqueued on a vdo bio queue so that bio submission (which may block) does not block > * other vdo threads. > @@ -338,7 +339,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > */ > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data) > + blk_opf_t operation, char *data, int size) > { > int result; > struct vdo_completion *completion = &vio->completion; > @@ -349,7 +350,8 @@ void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > > vdo_reset_completion(completion); > completion->error_handler = error_handler; > - result = vio_reset_bio(vio, data, callback, operation | REQ_META, physical); > + result = vio_reset_bio_with_size(vio, data, size, callback, operation | REQ_META, > + physical); > if (result != VDO_SUCCESS) { > continue_vio(vio, result); > return; > diff --git a/drivers/md/dm-vdo/io-submitter.h b/drivers/md/dm-vdo/io-submitter.h > index 80748699496f2..3088f11055fdd 100644 > --- a/drivers/md/dm-vdo/io-submitter.h > +++ b/drivers/md/dm-vdo/io-submitter.h > @@ -8,6 +8,7 @@ > > #include <linux/bio.h> > > +#include "constants.h" > #include "types.h" > > struct io_submitter; > @@ -26,14 +27,25 @@ void vdo_submit_data_vio(struct data_vio *data_vio); > > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data); > + blk_opf_t operation, char *data, int size); > > static inline void vdo_submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > blk_opf_t operation) > { > __submit_metadata_vio(vio, physical, callback, error_handler, > - operation, vio->data); > + operation, vio->data, vio->block_count * VDO_BLOCK_SIZE); > +} > + > +static inline void vdo_submit_metadata_vio_with_size(struct vio *vio, > + physical_block_number_t physical, > + bio_end_io_t callback, > + vdo_action_fn error_handler, > + blk_opf_t operation, > + int size) > +{ > + __submit_metadata_vio(vio, physical, callback, error_handler, > + operation, vio->data, size); > } > > static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > @@ -41,7 +53,7 @@ static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > { > /* FIXME: Can we just use REQ_OP_FLUSH? */ > __submit_metadata_vio(vio, 0, callback, error_handler, > - REQ_OP_WRITE | REQ_PREFLUSH, NULL); > + REQ_OP_WRITE | REQ_PREFLUSH, NULL, 0); > } > > #endif /* VDO_IO_SUBMITTER_H */ > diff --git a/drivers/md/dm-vdo/types.h b/drivers/md/dm-vdo/types.h > index dbe892b10f265..cdf36e7d77021 100644 > --- a/drivers/md/dm-vdo/types.h > +++ b/drivers/md/dm-vdo/types.h > @@ -376,6 +376,9 @@ struct vio { > /* The size of this vio in blocks */ > unsigned int block_count; > > + /* The amount of data to be read or written, in bytes */ > + unsigned int io_size; > + > /* The data being read or written. */ > char *data; > > diff --git a/drivers/md/dm-vdo/vio.c b/drivers/md/dm-vdo/vio.c > index e710f3c5a972d..725d87ecf2150 100644 > --- a/drivers/md/dm-vdo/vio.c > +++ b/drivers/md/dm-vdo/vio.c > @@ -188,14 +188,23 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > /* > * Prepares the bio to perform IO with the specified buffer. May only be used on a VDO-allocated > - * bio, as it assumes the bio wraps a 4k buffer that is 4k aligned, but there does not have to be a > - * vio associated with the bio. > + * bio, as it assumes the bio wraps a 4k-multiple buffer that is 4k aligned, but there does not > + * have to be a vio associated with the bio. > */ > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn) > { > - int bvec_count, offset, len, i; > + return vio_reset_bio_with_size(vio, data, vio->block_count * VDO_BLOCK_SIZE, > + callback, bi_opf, pbn); > +} > + > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn) > +{ > + int bvec_count, offset, i; > struct bio *bio = vio->bio; > + int vio_size = vio->block_count * VDO_BLOCK_SIZE; > + int remaining; > > bio_reset(bio, bio->bi_bdev, bi_opf); > vdo_set_bio_properties(bio, vio, callback, bi_opf, pbn); > @@ -205,22 +214,21 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > bio->bi_ioprio = 0; > bio->bi_io_vec = bio->bi_inline_vecs; > bio->bi_max_vecs = vio->block_count + 1; > - len = VDO_BLOCK_SIZE * vio->block_count; > + if (VDO_ASSERT(size <= vio_size, "specified size %d is not greater than allocated %d", > + size, vio_size) != VDO_SUCCESS) > + size = vio_size; > + vio->io_size = size; > offset = offset_in_page(data); > - bvec_count = DIV_ROUND_UP(offset + len, PAGE_SIZE); > + bvec_count = DIV_ROUND_UP(offset + size, PAGE_SIZE); > + remaining = size; > > - /* > - * If we knew that data was always on one page, or contiguous pages, we wouldn't need the > - * loop. But if we're using vmalloc, it's not impossible that the data is in different > - * pages that can't be merged in bio_add_page... > - */ > - for (i = 0; (i < bvec_count) && (len > 0); i++) { > + for (i = 0; (i < bvec_count) && (remaining > 0); i++) { > struct page *page; > int bytes_added; > int bytes = PAGE_SIZE - offset; > > - if (bytes > len) > - bytes = len; > + if (bytes > remaining) > + bytes = remaining; > > page = is_vmalloc_addr(data) ? vmalloc_to_page(data) : virt_to_page(data); > bytes_added = bio_add_page(bio, page, bytes, offset); > @@ -232,7 +240,7 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > } > > data += bytes; > - len -= bytes; > + remaining -= bytes; > offset = 0; > } > > diff --git a/drivers/md/dm-vdo/vio.h b/drivers/md/dm-vdo/vio.h > index 3490e9f59b04a..74e8fd7c8c029 100644 > --- a/drivers/md/dm-vdo/vio.h > +++ b/drivers/md/dm-vdo/vio.h > @@ -123,6 +123,8 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn); > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn); > > void update_vio_error_stats(struct vio *vio, const char *format, ...) > __printf(2, 3); >

3 months, 3 weeks

1
0
0 0

+ mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: fix potensial buffer overflow in setup_clusters() has been added to the -mm mm-new branch. Its filename is mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: fix potensial buffer overflow in setup_clusters() Date: Thu, 22 May 2025 20:25:53 +0800 In setup_swap_map(), we only ensure badpages are in range (0, last_page]. As maxpages might be < last_page, setup_clusters() will encounter a buffer overflow when a badpage is >= maxpages. Only call inc_cluster_info_page() for badpage which is < maxpages to fix the issue. Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com Fixes: b843786b0bd01 ("mm: swapfile: fix SSD detection with swapfile on btrfs") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/mm/swapfile.c~mm-swap-fix-potensial-buffer-overflow-in-setup_clusters +++ a/mm/swapfile.c @@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); - for (i = 0; i < swap_header->info.nr_badpages; i++) - inc_cluster_info_page(si, cluster_info, - swap_header->info.badpages[i]); + for (i = 0; i < swap_header->info.nr_badpages; i++) { + unsigned int page_nr = swap_header->info.badpages[i]; + + if (page_nr >= maxpages) + continue; + inc_cluster_info_page(si, cluster_info, page_nr); + } for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++) inc_cluster_info_page(si, cluster_info, i); _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

3 months, 3 weeks

1
0
0 0

+ mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potensial deadloop has been added to the -mm mm-new branch. Its filename is mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potensial deadloop Date: Thu, 22 May 2025 20:25:52 +0800 We use maxpages from read_swap_header() to initialize swap_info_struct, however the maxpages might be reduced in setup_swap_extents() and the si->max is assigned with the reduced maxpages from the setup_swap_extents(). Obviously, this could lead to memory waste as we allocated memory based on larger maxpages, besides, this could lead to a potensial deadloop as following: 1) When calling setup_clusters() with larger maxpages, unavailable pages within range [si->max, larger maxpages) are not accounted with inc_cluster_info_page(). As a result, these pages are assumed available but can not be allocated. The cluster contains these pages can be moved to frag_clusters list after it's all available pages were allocated. 2) When the cluster mentioned in 1) is the only cluster in frag_clusters list, cluster_alloc_swap_entry() assume order 0 allocation will never failed and will enter a deadloop by keep trying to allocate page from the only cluster in frag_clusters which contains no actually available page. Call setup_swap_extents() to get the final maxpages before swap_info_struct initialization to fix the issue. Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Fixes: 661383c6111a3 ("mm: swap: relaim the cached parts that got scanned") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 47 ++++++++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 27 deletions(-) --- a/mm/swapfile.c~mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop +++ a/mm/swapfile.c @@ -3141,43 +3141,30 @@ static unsigned long read_swap_header(st return maxpages; } -static int setup_swap_map_and_extents(struct swap_info_struct *si, - union swap_header *swap_header, - unsigned char *swap_map, - unsigned long maxpages, - sector_t *span) +static int setup_swap_map(struct swap_info_struct *si, + union swap_header *swap_header, + unsigned char *swap_map, + unsigned long maxpages) { - unsigned int nr_good_pages; unsigned long i; - int nr_extents; - - nr_good_pages = maxpages - 1; /* omit header page */ + swap_map[0] = SWAP_MAP_BAD; /* omit header page */ for (i = 0; i < swap_header->info.nr_badpages; i++) { unsigned int page_nr = swap_header->info.badpages[i]; if (page_nr == 0 || page_nr > swap_header->info.last_page) return -EINVAL; if (page_nr < maxpages) { swap_map[page_nr] = SWAP_MAP_BAD; - nr_good_pages--; + si->pages--; } } - if (nr_good_pages) { - swap_map[0] = SWAP_MAP_BAD; - si->max = maxpages; - si->pages = nr_good_pages; - nr_extents = setup_swap_extents(si, span); - if (nr_extents < 0) - return nr_extents; - nr_good_pages = si->pages; - } - if (!nr_good_pages) { + if (!si->pages) { pr_warn("Empty swap-file\n"); return -EINVAL; } - return nr_extents; + return 0; } #define SWAP_CLUSTER_INFO_COLS \ @@ -3217,7 +3204,7 @@ static struct swap_cluster_info *setup_c * Mark unusable pages as unavailable. The clusters aren't * marked free yet, so no list operations are involved yet. * - * See setup_swap_map_and_extents(): header page, bad pages, + * See setup_swap_map(): header page, bad pages, * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); @@ -3354,6 +3341,15 @@ SYSCALL_DEFINE2(swapon, const char __use goto bad_swap_unlock_inode; } + si->max = maxpages; + si->pages = maxpages - 1; + nr_extents = setup_swap_extents(si, &span); + if (nr_extents < 0) { + error = nr_extents; + goto bad_swap_unlock_inode; + } + maxpages = si->max; + /* OK, set up the swap map and apply the bad block list */ swap_map = vzalloc(maxpages); if (!swap_map) { @@ -3365,12 +3361,9 @@ SYSCALL_DEFINE2(swapon, const char __use if (error) goto bad_swap_unlock_inode; - nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map, - maxpages, &span); - if (unlikely(nr_extents < 0)) { - error = nr_extents; + error = setup_swap_map(si, swap_header, swap_map, maxpages); + if (error) goto bad_swap_unlock_inode; - } /* * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

3 months, 3 weeks

1
0
0 0

+ mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() has been added to the -mm mm-new branch. Its filename is mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() Date: Thu, 22 May 2025 20:25:51 +0800 Patch series "Some randome fixes and cleanups to swapfile". Patch 0-3 are some random fixes. Patch 4 is a cleanup. More details can be found in respective patches. This patch (of 4): When folio_alloc_swap() encounters a failure in either mem_cgroup_try_charge_swap() or add_to_swap_cache(), nr_swap_pages counter is not decremented for allocated entry. However, the following put_swap_folio() will increase nr_swap_pages counter unpairly and lead to an imbalance. Move nr_swap_pages decrement from folio_alloc_swap() to swap_range_alloc() to pair the nr_swap_pages counting. Link: https://lkml.kernel.org/r/20250522122554.12209-1-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250522122554.12209-2-shikemeng@huaweicloud.com Fixes: 0ff67f990bd45 ("mm, swap: remove swap slot cache") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Kairui Song <kasong(a)tencent.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/swapfile.c~mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc +++ a/mm/swapfile.c @@ -1115,6 +1115,7 @@ static void swap_range_alloc(struct swap if (vm_swap_full()) schedule_work(&si->reclaim_work); } + atomic_long_sub(nr_entries, &nr_swap_pages); } static void swap_range_free(struct swap_info_struct *si, unsigned long offset, @@ -1313,7 +1314,6 @@ int folio_alloc_swap(struct folio *folio if (add_to_swap_cache(folio, entry, gfp | __GFP_NOMEMALLOC, NULL)) goto out_free; - atomic_long_sub(size, &nr_swap_pages); return 0; out_free: _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

3 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: prevent inline data extents read from touching blocks beyond its range" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: prevent inline data extents read from touching blocks beyond its range > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-prevent-inline-data-extents-read-from-touching.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch. This is again a preparation patch for larger folios support of btrfs, and the optimization to dirty a block without reading the full page. This patch alone doesn't cause any difference for older kernels and should not be backported. Thanks, Qu > > > > commit 6a2d904623a8d1711b6b5065845d52cb3f2be60a > Author: Qu Wenruo <wqu(a)suse.com> > Date: Fri Nov 15 19:15:34 2024 +1030 > > btrfs: prevent inline data extents read from touching blocks beyond its range > > [ Upstream commit 1a5b5668d711d3d1ef447446beab920826decec3 ] > > Currently reading an inline data extent will zero out the remaining > range in the page. > > This is not yet causing problems even for block size < page size > (subpage) cases because: > > 1) An inline data extent always starts at file offset 0 > Meaning at page read, we always read the inline extent first, before > any other blocks in the page. Then later blocks are properly read out > and re-fill the zeroed out ranges. > > 2) Currently btrfs will read out the whole page if a buffered write is > not page aligned > So a page is either fully uptodate at buffered write time (covers the > whole page), or we will read out the whole page first. > Meaning there is nothing to lose for such an inline extent read. > > But it's still not ideal: > > - We're zeroing out the page twice > Once done by read_inline_extent()/uncompress_inline(), once done by > btrfs_do_readpage() for ranges beyond i_size. > > - We're touching blocks that don't belong to the inline extent > In the incoming patches, we can have a partial uptodate folio, of > which some dirty blocks can exist while the page is not fully uptodate: > > The page size is 16K and block size is 4K: > > 0 4K 8K 12K 16K > | | |/////////| | > > And range [8K, 12K) is dirtied by a buffered write, the remaining > blocks are not uptodate. > > If range [0, 4K) contains an inline data extent, and we try to read > the whole page, the current behavior will overwrite range [8K, 12K) > with zero and cause data loss. > > So to make the behavior more consistent and in preparation for future > changes, limit the inline data extents read to only zero out the range > inside the first block, not the whole page. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 9a648fb130230..a7136311a13c6 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -6779,6 +6779,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > { > int ret; > struct extent_buffer *leaf = path->nodes[0]; > + const u32 blocksize = leaf->fs_info->sectorsize; > char *tmp; > size_t max_size; > unsigned long inline_size; > @@ -6795,7 +6796,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > > read_extent_buffer(leaf, tmp, ptr, inline_size); > > - max_size = min_t(unsigned long, PAGE_SIZE, max_size); > + max_size = min_t(unsigned long, blocksize, max_size); > ret = btrfs_decompress(compress_type, tmp, folio, 0, inline_size, > max_size); > > @@ -6807,14 +6808,15 @@ static noinline int uncompress_inline(struct btrfs_path *path, > * cover that region here. > */ > > - if (max_size < PAGE_SIZE) > - folio_zero_range(folio, max_size, PAGE_SIZE - max_size); > + if (max_size < blocksize) > + folio_zero_range(folio, max_size, blocksize - max_size); > kfree(tmp); > return ret; > } > > static int read_inline_extent(struct btrfs_path *path, struct folio *folio) > { > + const u32 blocksize = path->nodes[0]->fs_info->sectorsize; > struct btrfs_file_extent_item *fi; > void *kaddr; > size_t copy_size; > @@ -6829,14 +6831,14 @@ static int read_inline_extent(struct btrfs_path *path, struct folio *folio) > if (btrfs_file_extent_compression(path->nodes[0], fi) != BTRFS_COMPRESS_NONE) > return uncompress_inline(path, folio, fi); > > - copy_size = min_t(u64, PAGE_SIZE, > + copy_size = min_t(u64, blocksize, > btrfs_file_extent_ram_bytes(path->nodes[0], fi)); > kaddr = kmap_local_folio(folio, 0); > read_extent_buffer(path->nodes[0], kaddr, > btrfs_file_extent_inline_start(fi), copy_size); > kunmap_local(kaddr); > - if (copy_size < PAGE_SIZE) > - folio_zero_range(folio, copy_size, PAGE_SIZE - copy_size); > + if (copy_size < blocksize) > + folio_zero_range(folio, copy_size, blocksize - copy_size); > return 0; > } >

3 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: properly limit inline data extent according to block size" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: properly limit inline data extent according to block size > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-properly-limit-inline-data-extent-according-to.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch. This is mostly for the incoming large folios support for btrfs. For older kernels this patch will not cause any behavior change. Thanks, Qu> > > > commit ec02842137bdccb74ed331a1b0a335ee22eb179c > Author: Qu Wenruo <wqu(a)suse.com> > Date: Tue Feb 25 14:30:44 2025 +1030 > > btrfs: properly limit inline data extent according to block size > > [ Upstream commit 23019d3e6617a8ec99a8d2f5947aa3dd8a74a1b8 ] > > Btrfs utilizes inline data extent for the following cases: > > - Regular small files > - Symlinks > > And "btrfs check" detects any file extents that are too large as an > error. > > It's not a problem for 4K block size, but for the incoming smaller > block sizes (2K), it can cause problems due to bad limits: > > - Non-compressed inline data extents > We do not allow a non-compressed inline data extent to be as large as > block size. > > - Symlinks > Currently the only real limit on symlinks are 4K, which can be larger > than 2K block size. > > These will result btrfs-check to report too large file extents. > > Fix it by adding proper size checks for the above cases. > > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Reviewed-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index a06fca7934d55..9a648fb130230 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -583,6 +583,10 @@ static bool can_cow_file_range_inline(struct btrfs_inode *inode, > if (size > fs_info->sectorsize) > return false; > > + /* We do not allow a non-compressed extent to be as large as block size. */ > + if (data_len >= fs_info->sectorsize) > + return false; > + > /* We cannot exceed the maximum inline data size. */ > if (data_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > return false; > @@ -8671,7 +8675,12 @@ static int btrfs_symlink(struct mnt_idmap *idmap, struct inode *dir, > struct extent_buffer *leaf; > > name_len = strlen(symname); > - if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > + /* > + * Symlinks utilize uncompressed inline extent data, which should not > + * reach block size. > + */ > + if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info) || > + name_len >= fs_info->sectorsize) > return -ENAMETOOLONG; > > inode = new_inode(dir->i_sb);

3 months, 3 weeks

1
0
0 0

[PATCH v1] Revert "usb: xhci: Implement xhci_handshake_check_state() helper"

by Roy Luo

This reverts commit 6ccb83d6c4972ebe6ae49de5eba051de3638362c. Commit 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") was introduced to workaround watchdog timeout issues on some platforms, allowing xhci_reset() to bail out early without waiting for the reset to complete. Skipping the xhci handshake during a reset is a dangerous move. The xhci specification explicitly states that certain registers cannot be accessed during reset in section 5.4.1 USB Command Register (USBCMD), Host Controller Reset (HCRST) field: "This bit is cleared to '0' by the Host Controller when the reset process is complete. Software cannot terminate the reset process early by writinga '0' to this bit and shall not write any xHC Operational or Runtime registers until while HCRST is '1'." This behavior causes a regression on SNPS DWC3 USB controller with dual-role capability. When the DWC3 controller exits host mode and removes xhci while a reset is still in progress, and then tries to configure its hardware for device mode, the ongoing reset leads to register access issues; specifically, all register reads returns 0. These issues extend beyond the xhci register space (which is expected during a reset) and affect the entire DWC3 IP block, causing the DWC3 device mode to malfunction. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- Changes in v1: - Link to previous patchset: https://lore.kernel.org/r/20250515185227.1507363-1-royluo@google.com/ --- drivers/usb/host/xhci-ring.c | 5 ++--- drivers/usb/host/xhci.c | 26 +------------------------- drivers/usb/host/xhci.h | 2 -- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 423bf3649570..b720e04ce7d8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -518,9 +518,8 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) * In the future we should distinguish between -ENODEV and -ETIMEDOUT * and try to recover a -ETIMEDOUT with a host controller reset. */ - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->cmd_ring, - CMD_RING_RUNNING, 0, 5 * 1000 * 1000, - XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->cmd_ring, + CMD_RING_RUNNING, 0, 5 * 1000 * 1000); if (ret < 0) { xhci_err(xhci, "Abort failed to stop command ring: %d\n", ret); xhci_halt(xhci); diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 90eb491267b5..472c4b6ae59e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -83,29 +83,6 @@ int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us) return ret; } -/* - * xhci_handshake_check_state - same as xhci_handshake but takes an additional - * exit_state parameter, and bails out with an error immediately when xhc_state - * has exit_state flag set. - */ -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state) -{ - u32 result; - int ret; - - ret = readl_poll_timeout_atomic(ptr, result, - (result & mask) == done || - result == U32_MAX || - xhci->xhc_state & exit_state, - 1, usec); - - if (result == U32_MAX || xhci->xhc_state & exit_state) - return -ENODEV; - - return ret; -} - /* * Disable interrupts and begin the xHCI halting process. */ @@ -226,8 +203,7 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) if (xhci->quirks & XHCI_INTEL_HOST) udelay(1000); - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->command, - CMD_RESET, 0, timeout_us, XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us); if (ret) return ret; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 242ab9fbc8ae..5e698561b96d 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1855,8 +1855,6 @@ void xhci_remove_secondary_interrupter(struct usb_hcd /* xHCI host controller glue */ typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *); int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us); -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state); void xhci_quiesce(struct xhci_hcd *xhci); int xhci_halt(struct xhci_hcd *xhci); int xhci_start(struct xhci_hcd *xhci); base-commit: 172a9d94339cea832d89630b89d314e41d622bd8 -- 2.49.0.1112.g889b7c5bd8-goog

3 months, 3 weeks

5
8
0 0

[PATCH v1 2/2] Revert "usb: xhci: Implement xhci_handshake_check_state() helper"

by Roy Luo

This reverts commit 6ccb83d6c4972ebe6ae49de5eba051de3638362c. Commit 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") was introduced to workaround watchdog timeout issues on some platforms, allowing xhci_reset() to bail out early without waiting for the reset to complete. Skipping the xhci handshake during a reset is a dangerous move. The xhci specification explicitly states that certain registers cannot be accessed during reset in section 5.4.1 USB Command Register (USBCMD), Host Controller Reset (HCRST) field: "This bit is cleared to '0' by the Host Controller when the reset process is complete. Software cannot terminate the reset process early by writinga '0' to this bit and shall not write any xHC Operational or Runtime registers until while HCRST is '1'." This behavior causes a regression on SNPS DWC3 USB controller with dual-role capability. When the DWC3 controller exits host mode and removes xhci while a reset is still in progress, and then tries to configure its hardware for device mode, the ongoing reset leads to register access issues; specifically, all register reads returns 0. These issues extend beyond the xhci register space (which is expected during a reset) and affect the entire DWC3 IP block, causing the DWC3 device mode to malfunction. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- drivers/usb/host/xhci-ring.c | 5 ++--- drivers/usb/host/xhci.c | 26 +------------------------- drivers/usb/host/xhci.h | 2 -- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 423bf3649570..b720e04ce7d8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -518,9 +518,8 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) * In the future we should distinguish between -ENODEV and -ETIMEDOUT * and try to recover a -ETIMEDOUT with a host controller reset. */ - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->cmd_ring, - CMD_RING_RUNNING, 0, 5 * 1000 * 1000, - XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->cmd_ring, + CMD_RING_RUNNING, 0, 5 * 1000 * 1000); if (ret < 0) { xhci_err(xhci, "Abort failed to stop command ring: %d\n", ret); xhci_halt(xhci); diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 244b12eafd95..cb9f35acb1f9 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -83,29 +83,6 @@ int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us) return ret; } -/* - * xhci_handshake_check_state - same as xhci_handshake but takes an additional - * exit_state parameter, and bails out with an error immediately when xhc_state - * has exit_state flag set. - */ -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state) -{ - u32 result; - int ret; - - ret = readl_poll_timeout_atomic(ptr, result, - (result & mask) == done || - result == U32_MAX || - xhci->xhc_state & exit_state, - 1, usec); - - if (result == U32_MAX || xhci->xhc_state & exit_state) - return -ENODEV; - - return ret; -} - /* * Disable interrupts and begin the xHCI halting process. */ @@ -226,8 +203,7 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) if (xhci->quirks & XHCI_INTEL_HOST) udelay(1000); - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->command, - CMD_RESET, 0, timeout_us, XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us); if (ret) return ret; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 242ab9fbc8ae..5e698561b96d 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1855,8 +1855,6 @@ void xhci_remove_secondary_interrupter(struct usb_hcd /* xHCI host controller glue */ typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *); int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us); -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state); void xhci_quiesce(struct xhci_hcd *xhci); int xhci_halt(struct xhci_hcd *xhci); int xhci_start(struct xhci_hcd *xhci); -- 2.49.0.1204.g71687c7c1d-goog

3 months, 3 weeks

1
0
0 0

[PATCH v3] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the function mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Target: net Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix typo error. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..66e44905c1f0 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -465,19 +465,22 @@ int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + ret = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

3 months, 3 weeks

3
2
0 0

[PATCH] remoteproc: mediatek: Add SCP watchdog handler in IRQ processing

by Wentao Liang

In mt8195_scp_c1_irq_handler(), only the IPC interrupt bit (MT8192_SCP_IPC_INT_BIT) was checked., but does not handle when this bit is not set. This could lead to unhandled watchdog events. This could lead to unhandled watchdog events. A proper implementation can be found in mt8183_scp_irq_handler(). Add a new branch to handle SCP watchdog events when the IPC interrupt bit is not set. Fixes: 6a1c9aaf04eb ("remoteproc: mediatek: Add MT8195 SCP core 1 operations") Cc: stable(a)vger.kernel.org # v6.7 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/remoteproc/mtk_scp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/remoteproc/mtk_scp.c b/drivers/remoteproc/mtk_scp.c index 0f4a7065d0bd..316e8c98a503 100644 --- a/drivers/remoteproc/mtk_scp.c +++ b/drivers/remoteproc/mtk_scp.c @@ -273,6 +273,8 @@ static void mt8195_scp_c1_irq_handler(struct mtk_scp *scp) if (scp_to_host & MT8192_SCP_IPC_INT_BIT) scp_ipi_handler(scp); + else + scp_wdt_handler(scp, scp_to_host); writel(scp_to_host, scp->cluster->reg_base + MT8195_SSHUB2APMCU_IPC_CLR); } -- 2.42.0.windows.2

3 months, 3 weeks

3
2
0 0

[PATCH v6 6/7] media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval

by Mathis Foerst

Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval() and mt9m114_ifp_set_frame_interval(). [1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129 [2] Documentation/driver-api/media/v4l2-subdev.rst Fixes: 24d756e914fc ("media: i2c: Add driver for onsemi MT9M114 camera sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Mathis Foerst <mathis.foerst(a)mt.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> --- drivers/media/i2c/mt9m114.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/media/i2c/mt9m114.c b/drivers/media/i2c/mt9m114.c index e909c1227e51..9ff46c72dbc1 100644 --- a/drivers/media/i2c/mt9m114.c +++ b/drivers/media/i2c/mt9m114.c @@ -1652,13 +1652,9 @@ static int mt9m114_ifp_get_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - ival->numerator = 1; ival->denominator = sensor->ifp.frame_rate; - mutex_unlock(sensor->ifp.hdl.lock); - return 0; } @@ -1677,8 +1673,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - if (ival->numerator != 0 && ival->denominator != 0) sensor->ifp.frame_rate = min_t(unsigned int, ival->denominator / ival->numerator, @@ -1692,8 +1686,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (sensor->streaming) ret = mt9m114_set_frame_rate(sensor); - mutex_unlock(sensor->ifp.hdl.lock); - return ret; } -- 2.34.1

3 months, 3 weeks

1
0
0 0

[PATCH v5 6/7] media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval

by Mathis Foerst

Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval() and mt9m114_ifp_set_frame_interval(). [1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129 [2] Documentation/driver-api/media/v4l2-subdev.rst Fixes: 24d756e914fc ("media: i2c: Add driver for onsemi MT9M114 camera sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Mathis Foerst <mathis.foerst(a)mt.com> --- drivers/media/i2c/mt9m114.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/media/i2c/mt9m114.c b/drivers/media/i2c/mt9m114.c index e909c1227e51..9ff46c72dbc1 100644 --- a/drivers/media/i2c/mt9m114.c +++ b/drivers/media/i2c/mt9m114.c @@ -1652,13 +1652,9 @@ static int mt9m114_ifp_get_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - ival->numerator = 1; ival->denominator = sensor->ifp.frame_rate; - mutex_unlock(sensor->ifp.hdl.lock); - return 0; } @@ -1677,8 +1673,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - if (ival->numerator != 0 && ival->denominator != 0) sensor->ifp.frame_rate = min_t(unsigned int, ival->denominator / ival->numerator, @@ -1692,8 +1686,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (sensor->streaming) ret = mt9m114_set_frame_rate(sensor); - mutex_unlock(sensor->ifp.hdl.lock); - return ret; } -- 2.34.1

3 months, 3 weeks

1
0
0 0

patch "iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 3c5dfea39a245b2dad869db24e2830aa299b1cf2 Mon Sep 17 00:00:00 2001 From: Arthur-Prince <r2.arthur.prince(a)gmail.com> Date: Wed, 30 Apr 2025 16:07:37 -0300 Subject: iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add dependency to Kconfig’s ti-ads1298 because compiling it as a module failed with an undefined kfifo symbol. Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver") Signed-off-by: Arthur-Prince <r2.arthur.prince(a)gmail.com> Co-developed-by: Mariana Valério <mariana.valerio2(a)hotmail.com> Signed-off-by: Mariana Valério <mariana.valerio2(a)hotmail.com> Link: https://patch.msgid.link/20250430191131.120831-1-r2.arthur.prince@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index ad06cf556785..0fe6601e59ed 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1562,6 +1562,7 @@ config TI_ADS1298 tristate "Texas Instruments ADS1298" depends on SPI select IIO_BUFFER + select IIO_KFIFO_BUF help If you say yes here you get support for Texas Instruments ADS1298 medical ADC chips -- 2.49.0

3 months, 3 weeks

1
0
0 0

patch "iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 3c5dfea39a245b2dad869db24e2830aa299b1cf2 Mon Sep 17 00:00:00 2001 From: Arthur-Prince <r2.arthur.prince(a)gmail.com> Date: Wed, 30 Apr 2025 16:07:37 -0300 Subject: iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add dependency to Kconfig’s ti-ads1298 because compiling it as a module failed with an undefined kfifo symbol. Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver") Signed-off-by: Arthur-Prince <r2.arthur.prince(a)gmail.com> Co-developed-by: Mariana Valério <mariana.valerio2(a)hotmail.com> Signed-off-by: Mariana Valério <mariana.valerio2(a)hotmail.com> Link: https://patch.msgid.link/20250430191131.120831-1-r2.arthur.prince@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index ad06cf556785..0fe6601e59ed 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1562,6 +1562,7 @@ config TI_ADS1298 tristate "Texas Instruments ADS1298" depends on SPI select IIO_BUFFER + select IIO_KFIFO_BUF help If you say yes here you get support for Texas Instruments ADS1298 medical ADC chips -- 2.49.0

3 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror