1. 18 Mar, 2018 3 commits
  2. 16 Mar, 2018 13 commits
  3. 15 Mar, 2018 8 commits
    • Eric W. Biederman's avatar
      fs: Teach path_connected to handle nfs filesystems with multiple roots. · 95dd7758
      Eric W. Biederman authored
      On nfsv2 and nfsv3 the nfs server can export subsets of the same
      filesystem and report the same filesystem identifier, so that the nfs
      client can know they are the same filesystem.  The subsets can be from
      disjoint directory trees.  The nfsv2 and nfsv3 filesystems provides no
      way to find the common root of all directory trees exported form the
      server with the same filesystem identifier.
      
      The practical result is that in struct super s_root for nfs s_root is
      not necessarily the root of the filesystem.  The nfs mount code sets
      s_root to the root of the first subset of the nfs filesystem that the
      kernel mounts.
      
      This effects the dcache invalidation code in generic_shutdown_super
      currently called shrunk_dcache_for_umount and that code for years
      has gone through an additional list of dentries that might be dentry
      trees that need to be freed to accomodate nfs.
      
      When I wrote path_connected I did not realize nfs was so special, and
      it's hueristic for avoiding calling is_subdir can fail.
      
      The practical case where this fails is when there is a move of a
      directory from the subtree exposed by one nfs mount to the subtree
      exposed by another nfs mount.  This move can happen either locally or
      remotely.  With the remote case requiring that the move directory be cached
      before the move and that after the move someone walks the path
      to where the move directory now exists and in so doing causes the
      already cached directory to be moved in the dcache through the magic
      of d_splice_alias.
      
      If someone whose working directory is in the move directory or a
      subdirectory and now starts calling .. from the initial mount of nfs
      (where s_root == mnt_root), then path_connected as a heuristic will
      not bother with the is_subdir check.  As s_root really is not the root
      of the nfs filesystem this heuristic is wrong, and the path may
      actually not be connected and path_connected can fail.
      
      The is_subdir function might be cheap enough that we can call it
      unconditionally.  Verifying that will take some benchmarking and
      the result may not be the same on all kernels this fix needs
      to be backported to.  So I am avoiding that for now.
      
      Filesystems with snapshots such as nilfs and btrfs do something
      similar.  But as the directory tree of the snapshots are disjoint
      from one another and from the main directory tree rename won't move
      things between them and this problem will not occur.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Fixes: 397d425d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      95dd7758
    • Rodrigo Vivi's avatar
      Merge tag 'gvt-fixes-2018-03-15' of https://github.com/intel/gvt-linux into drm-intel-fixes · 05b429a8
      Rodrigo Vivi authored
      gvt-fixes-2018-03-15
      
      - Two warnings fix for runtime pm and usr copy (Xiong, Zhenyu)
      - OA context fix for vGPU profiling (Min)
      - privilege batch buffer reloc fix (Fred)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180315100023.5n5a74afky6qinoh@zhen-hp.sh.intel.com
      05b429a8
    • David S. Miller's avatar
      sparc64: Fix regression in pmdp_invalidate(). · cfb61b5e
      David S. Miller authored
      pmdp_invalidate() was changed to update the pmd atomically
      (to not lose dirty/access bits) and return the original pmd
      value.
      
      However, in doing so, we lost a lot of the essential work that
      set_pmd_at() does, namely to update hugepage mapping counts and
      queuing up the batched TLB flush entry.
      
      Thus we were not flushing entries out of the TLB when making
      such PMD changes.
      
      Fix this by abstracting the accounting work of set_pmd_at() out into a
      separate function, and call it from pmdp_establish().
      
      Fixes: a8e654f0 ("sparc64: update pmdp_invalidate() to return old pmd value")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cfb61b5e
    • Linus Torvalds's avatar
      Merge tag 'sound-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · e2c15aff
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A series of small fixes in ASoC, HD-audio and core stuff:
      
         - a UAF fix in ALSA PCM core
      
         - yet more hardening for ALSA sequencer
      
         - a regression fix for the previous HD-audio power_save option change
      
         - various ASoC codec fixes (sgtl5000, rt5651, hdmi-codec, wm_adsp)
      
         - minor ASoC platform fixes (AMD ACP, sun4i)"
      
      * tag 'sound-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Revert power_save option default value
        ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
        ALSA: seq: Clear client entry before deleting else at closing
        ALSA: seq: Fix possible UAF in snd_seq_check_queue()
        ASoC: amd: 16bit resolution support for i2s sp instance
        ASoC: wm_adsp: For TLV controls only register TLV get/set
        ASoC: sun4i-i2s: Fix RX slot number of SUN8I
        ASoC: hdmi-codec: Fix module unloading caused kernel crash
        ASoC: rt5651: Fix regcache sync errors on resume
        ASoC: sgtl5000: Fix suspend/resume
        MAINTAINERS: Add myself as sgtl5000 maintainer
        ASoC: samsung: Add the DT binding files entry to MAINTAINERS
        sgtl5000: change digital_mute policy
      e2c15aff
    • Linus Torvalds's avatar
      Merge tag 'for-4.16/dm-fixes-3' of... · 667058ae
      Linus Torvalds authored
      Merge tag 'for-4.16/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - a stable DM multipath fix to restore ability to pass integrity data
      
       - two DM multipath fixes for a fix that was merged into 4.16-rc5
      
      * tag 'for-4.16/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm mpath: fix passing integrity data
        dm mpath: eliminate need to use scsi_device_from_queue
        dm mpath: fix uninitialized 'pg_init_wait' waitqueue_head NULL pointer
      667058ae
    • Zhenyu Wang's avatar
      drm/i915/gvt: fix user copy warning by whitelist workload rb_tail field · 850555d1
      Zhenyu Wang authored
      This is to fix warning got as:
      
      [ 6730.476938] ------------[ cut here ]------------
      [ 6730.476979] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLAB object 'gvt-g_vgpu_workload' (offset 120, size 4)!
      [ 6730.477021] WARNING: CPU: 2 PID: 441 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      [ 6730.477042] Modules linked in: tun(E) bridge(E) stp(E) llc(E) kvmgt(E) x86_pkg_temp_thermal(E) vfio_mdev(E) intel_powerclamp(E) mdev(E) coretemp(E) vfio_iommu_type1(E) vfio(E) kvm_intel(E) kvm(E) hid_generic(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) usbhid(E) i915(E) crc32c_intel(E) hid(E) ghash_clmulni_intel(E) pcbc(E) aesni_intel(E) aes_x86_64(E) crypto_simd(E) cryptd(E) glue_helper(E) intel_cstate(E) idma64(E) evdev(E) virt_dma(E) iTCO_wdt(E) intel_uncore(E) intel_rapl_perf(E) intel_lpss_pci(E) sg(E) shpchp(E) mei_me(E) pcspkr(E) iTCO_vendor_support(E) intel_lpss(E) intel_pch_thermal(E) prime_numbers(E) mei(E) mfd_core(E) video(E) acpi_pad(E) button(E) binfmt_misc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) fscrypto(E) sd_mod(E) e1000e(E) xhci_pci(E) sdhci_pci(E)
      [ 6730.477244]  ptp(E) cqhci(E) xhci_hcd(E) pps_core(E) sdhci(E) mmc_core(E) i2c_i801(E) usbcore(E) thermal(E) fan(E)
      [ 6730.477276] CPU: 2 PID: 441 Comm: gvt workload 0 Tainted: G            E    4.16.0-rc1-gvt-staging-0213+ #127
      [ 6730.477303] Hardware name:  /NUC6i5SYB, BIOS SYSKLi35.86A.0039.2016.0316.1747 03/16/2016
      [ 6730.477326] RIP: 0010:usercopy_warn+0x7e/0xa0
      [ 6730.477340] RSP: 0018:ffffba6301223d18 EFLAGS: 00010286
      [ 6730.477355] RAX: 0000000000000000 RBX: ffff8f41caae9838 RCX: 0000000000000006
      [ 6730.477375] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff8f41dad166f0
      [ 6730.477395] RBP: 0000000000000004 R08: 0000000000000576 R09: 0000000000000000
      [ 6730.477415] R10: ffffffffb1293fb2 R11: 00000000ffffffff R12: 0000000000000001
      [ 6730.477447] R13: ffff8f41caae983c R14: ffff8f41caae9838 R15: 00007f183ca2b000
      [ 6730.477467] FS:  0000000000000000(0000) GS:ffff8f41dad00000(0000) knlGS:0000000000000000
      [ 6730.477489] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 6730.477506] CR2: 0000559462817291 CR3: 000000028b46c006 CR4: 00000000003626e0
      [ 6730.477526] Call Trace:
      [ 6730.477537]  __check_object_size+0x9c/0x1a0
      [ 6730.477562]  __kvm_write_guest_page+0x45/0x90 [kvm]
      [ 6730.477585]  kvm_write_guest+0x46/0x80 [kvm]
      [ 6730.477599]  kvmgt_rw_gpa+0x9b/0xf0 [kvmgt]
      [ 6730.477642]  workload_thread+0xa38/0x1040 [i915]
      [ 6730.477659]  ? do_wait_intr_irq+0xc0/0xc0
      [ 6730.477673]  ? finish_wait+0x80/0x80
      [ 6730.477707]  ? clean_workloads+0x120/0x120 [i915]
      [ 6730.477722]  kthread+0x111/0x130
      [ 6730.477733]  ? _kthread_create_worker_on_cpu+0x60/0x60
      [ 6730.477750]  ? exit_to_usermode_loop+0x6f/0xb0
      [ 6730.477766]  ret_from_fork+0x35/0x40
      [ 6730.477777] Code: 48 c7 c0 20 e3 25 b1 48 0f 44 c2 41 50 51 41 51 48 89 f9 49 89 f1 4d 89 d8 4c 89 d2 48 89 c6 48 c7 c7 78 e3 25 b1 e8 b2 bc e4 ff <0f> ff 48 83 c4 18 c3 48 c7 c6 09 d0 26 b1 49 89 f1 49 89 f3 eb
      [ 6730.477849] ---[ end trace cae869c1c323e45a ]---
      
      By whitelist guest page write from workload struct allocated from kmem cache.
      Reviewed-by: default avatarHang Yuan <hang.yuan@linux.intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      (cherry picked from commit 5627705406874df57fdfad3b4e0c9aedd3b007df)
      850555d1
    • fred gao's avatar
      drm/i915/gvt: Correct the privilege shadow batch buffer address · ef75c685
      fred gao authored
      Once the ring buffer is copied to ring_scan_buffer and scanned,
      the shadow batch buffer start address is only updated into
      ring_scan_buffer, not the real ring address allocated through
      intel_ring_begin in later copy_workload_to_ring_buffer.
      
      This patch is only to set the right shadow batch buffer address
      from Ring buffer, not include the shadow_wa_ctx.
      
      v2:
      - refine some comments. (Zhenyu)
      v3:
      - fix typo in title. (Zhenyu)
      v4:
      - remove the unnecessary comments. (Zhenyu)
      - add comments in bb_start_cmd_va update. (Zhenyu)
      
      Fixes: 0a53bc07 ("drm/i915/gvt: Separate cmd scan from request allocation")
      Cc: stable@vger.kernel.org  # v4.15
      Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
      Cc: Yulei Zhang <yulei.zhang@intel.com>
      Signed-off-by: default avatarfred gao <fred.gao@intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      ef75c685
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 0aa3fdb8
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is four patches, consisting of one regression from the merge
        window (qla2xxx), one long-standing memory leak (sd_zbc), one event
        queue mislabelling which we want to eliminate to discourage the
        pattern (mpt3sas), and one behaviour change because re-reading the
        partition table shouldn't clear the ro flag"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sd: Keep disk read-only when re-reading partition
        scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
        scsi: sd_zbc: Fix potential memory leak
        scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
      0aa3fdb8
  4. 14 Mar, 2018 16 commits
    • Joern Engel's avatar
      btree: avoid variable-length allocations · 8df3aaaf
      Joern Engel authored
      geo->keylen cannot be larger than 4.  So we might as well make
      fixed-size allocations.
      
      Given the one remaining user, geo->keylen cannot even be larger than 1.
      Logfs used to have 64bit and 128bit keys, tcm_qla2xxx only has 32bit
      keys.  But let's not break the code if we don't have to.
      Signed-off-by: default avatarJoern Engel <joern@purestorage.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8df3aaaf
    • Linus Torvalds's avatar
      Merge branch 'percpu_ref-rcu-audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/misc · fed8f509
      Linus Torvalds authored
      Pull percpu_ref rcu fixes from Tejun Heo:
       "Jann Horn found that aio was depending on the internal RCU grace
        periods of percpu-ref and that it's broken because aio uses regular
        RCU while percpu_ref uses sched-RCU.
      
        Depending on percpu_ref's internal grace periods isn't a good idea
        because
      
         - The RCU type might not match.
      
         - percpu_ref's grace periods are used to switch to atomic mode. They
           aren't between the last put and the invocation of the last release.
           This is easy to get confused about and can lead to subtle bugs.
      
         - percpu_ref might not have grace periods at all depending on its
           current operation mode.
      
        This patchset audits and fixes percpu_ref users for their RCU usages"
      
      [ There's a continuation of this series that clarifies percpu_ref
        documentation that the internal grace periods must not be depended
        upon, and introduces rcu_work to simplify bouncing to a workqueue
        after an RCU grace period.
      
        That will go in for 4.17 - this is just the minimal set with the fixes
        that are tagged for -stable ]
      
      * 'percpu_ref-rcu-audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/misc:
        RDMAVT: Fix synchronization around percpu_ref
        fs/aio: Use RCU accessors for kioctx_table->table[]
        fs/aio: Add explicit RCU grace period when freeing kioctx
      fed8f509
    • Ard Biesheuvel's avatar
      Revert "mm/page_alloc: fix memmap_init_zone pageblock alignment" · 3e04040d
      Ard Biesheuvel authored
      This reverts commit 864b75f9.
      
      Commit 864b75f9 ("mm/page_alloc: fix memmap_init_zone pageblock
      alignment") modified the logic in memmap_init_zone() to initialize
      struct pages associated with invalid PFNs, to appease a VM_BUG_ON()
      in move_freepages(), which is redundant by its own admission, and
      dereferences struct page fields to obtain the zone without checking
      whether the struct pages in question are valid to begin with.
      
      Commit 864b75f9 only makes it worse, since the rounding it does
      may cause pfn assume the same value it had in a prior iteration of
      the loop, resulting in an infinite loop and a hang very early in the
      boot. Also, since it doesn't perform the same rounding on start_pfn
      itself but only on intermediate values following an invalid PFN, we
      may still hit the same VM_BUG_ON() as before.
      
      So instead, let's fix this at the core, and ensure that the BUG
      check doesn't dereference struct page fields of invalid pages.
      
      Fixes: 864b75f9 ("mm/page_alloc: fix memmap_init_zone pageblock alignment")
      Tested-by: default avatarJan Glauber <jglauber@cavium.com>
      Tested-by: default avatarShanker Donthineni <shankerd@codeaurora.org>
      Cc: Daniel Vacek <neelx@redhat.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3e04040d
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2018-03-14' of... · 67f19766
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2018-03-14' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - 1 display fix for bxt
      - 1 gem fix for fences
      - 1 gem/pm fix for rps freq
      
      * tag 'drm-intel-fixes-2018-03-14' of git://anongit.freedesktop.org/drm/drm-intel:
        drm/i915: Kick the rps worker when changing the boost frequency
        drm/i915: Only prune fences after wait-for-all
        drm/i915: Enable VBT based BL control for DP
      67f19766
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.16' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 4cdc8f12
      Dave Airlie authored
      A few fixes for 4.16:
      - Fix a backlight S/R regression on amdgpu
      - Fix prime teardown on radeon and amdgpu
      - DP fix for amdgpu
      
      * 'drm-fixes-4.16' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu/dce: Don't turn off DP sink when disconnected
        drm/amdgpu: save/restore backlight level in legacy dce code
        drm/radeon: fix prime teardown order
        drm/amdgpu: fix prime teardown order
      4cdc8f12
    • Edmund Nadolski's avatar
      btrfs: add missing initialization in btrfs_check_shared · 18bf591b
      Edmund Nadolski authored
      This patch addresses an issue that causes fiemap to falsely
      report a shared extent.  The test case is as follows:
      
      xfs_io -f -d -c "pwrite -b 16k 0 64k" -c "fiemap -v" /media/scratch/file5
      sync
      xfs_io  -c "fiemap -v" /media/scratch/file5
      
      which gives the resulting output:
      
      wrote 65536/65536 bytes at offset 0
      64 KiB, 4 ops; 0.0000 sec (121.359 MiB/sec and 7766.9903 ops/sec)
      /media/scratch/file5:
       EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
         0: [0..127]:        24576..24703       128 0x2001
      /media/scratch/file5:
       EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
         0: [0..127]:        24576..24703       128   0x1
      
      This is because btrfs_check_shared calls find_parent_nodes
      repeatedly in a loop, passing a share_check struct to report
      the count of shared extent. But btrfs_check_shared does not
      re-initialize the count value to zero for subsequent calls
      from the loop, resulting in a false share count value. This
      is a regressive behavior from 4.13.
      
      With proper re-initialization the test result is as follows:
      
      wrote 65536/65536 bytes at offset 0
      64 KiB, 4 ops; 0.0000 sec (110.035 MiB/sec and 7042.2535 ops/sec)
      /media/scratch/file5:
       EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
         0: [0..127]:        24576..24703       128   0x1
      /media/scratch/file5:
       EXT: FILE-OFFSET      BLOCK-RANGE      TOTAL FLAGS
         0: [0..127]:        24576..24703       128   0x1
      
      which corrects the regression.
      
      Fixes: 3ec4d323 ("btrfs: allow backref search checks for shared extents")
      Signed-off-by: default avatarEdmund Nadolski <enadolski@suse.com>
      [ add text from cover letter to changelog ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      18bf591b
    • Dmitriy Gorokh's avatar
      btrfs: Fix NULL pointer exception in find_bio_stripe · 047fdea6
      Dmitriy Gorokh authored
      On detaching of a disk which is a part of a RAID6 filesystem, the
      following kernel OOPS may happen:
      
      [63122.680461] BTRFS error (device sdo): bdev /dev/sdo errs: wr 0, rd 0, flush 1, corrupt 0, gen 0
      [63122.719584] BTRFS warning (device sdo): lost page write due to IO error on /dev/sdo
      [63122.719587] BTRFS error (device sdo): bdev /dev/sdo errs: wr 1, rd 0, flush 1, corrupt 0, gen 0
      [63122.803516] BTRFS warning (device sdo): lost page write due to IO error on /dev/sdo
      [63122.803519] BTRFS error (device sdo): bdev /dev/sdo errs: wr 2, rd 0, flush 1, corrupt 0, gen 0
      [63122.863902] BTRFS critical (device sdo): fatal error on device /dev/sdo
      [63122.935338] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      [63122.946554] IP: fail_bio_stripe+0x58/0xa0 [btrfs]
      [63122.958185] PGD 9ecda067 P4D 9ecda067 PUD b2b37067 PMD 0
      [63122.971202] Oops: 0000 [#1] SMP
      [63123.006760] CPU: 0 PID: 3979 Comm: kworker/u8:9 Tainted: G W 4.14.2-16-scst34x+ #8
      [63123.007091] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [63123.007402] Workqueue: btrfs-worker btrfs_worker_helper [btrfs]
      [63123.007595] task: ffff880036ea4040 task.stack: ffffc90006384000
      [63123.007796] RIP: 0010:fail_bio_stripe+0x58/0xa0 [btrfs]
      [63123.007968] RSP: 0018:ffffc90006387ad8 EFLAGS: 00010287
      [63123.008140] RAX: 0000000000000002 RBX: ffff88004beaa0b8 RCX: ffff8800b2bd5690
      [63123.008359] RDX: 0000000000000000 RSI: ffff88007bb43500 RDI: ffff88004beaa000
      [63123.008621] RBP: ffffc90006387ae8 R08: 0000000099100000 R09: ffff8800b2bd5600
      [63123.008840] R10: 0000000000000004 R11: 0000000000010000 R12: ffff88007bb43500
      [63123.009059] R13: 00000000fffffffb R14: ffff880036fc5180 R15: 0000000000000004
      [63123.009278] FS: 0000000000000000(0000) GS:ffff8800b7000000(0000) knlGS:0000000000000000
      [63123.009564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [63123.009748] CR2: 0000000000000080 CR3: 00000000b0866000 CR4: 00000000000406f0
      [63123.009969] Call Trace:
      [63123.010085] raid_write_end_io+0x7e/0x80 [btrfs]
      [63123.010251] bio_endio+0xa1/0x120
      [63123.010378] generic_make_request+0x218/0x270
      [63123.010921] submit_bio+0x66/0x130
      [63123.011073] finish_rmw+0x3fc/0x5b0 [btrfs]
      [63123.011245] full_stripe_write+0x96/0xc0 [btrfs]
      [63123.011428] raid56_parity_write+0x117/0x170 [btrfs]
      [63123.011604] btrfs_map_bio+0x2ec/0x320 [btrfs]
      [63123.011759] ? ___cache_free+0x1c5/0x300
      [63123.011909] __btrfs_submit_bio_done+0x26/0x50 [btrfs]
      [63123.012087] run_one_async_done+0x9c/0xc0 [btrfs]
      [63123.012257] normal_work_helper+0x19e/0x300 [btrfs]
      [63123.012429] btrfs_worker_helper+0x12/0x20 [btrfs]
      [63123.012656] process_one_work+0x14d/0x350
      [63123.012888] worker_thread+0x4d/0x3a0
      [63123.013026] ? _raw_spin_unlock_irqrestore+0x15/0x20
      [63123.013192] kthread+0x109/0x140
      [63123.013315] ? process_scheduled_works+0x40/0x40
      [63123.013472] ? kthread_stop+0x110/0x110
      [63123.013610] ret_from_fork+0x25/0x30
      [63123.014469] RIP: fail_bio_stripe+0x58/0xa0 [btrfs] RSP: ffffc90006387ad8
      [63123.014678] CR2: 0000000000000080
      [63123.016590] ---[ end trace a295ea7259c17880 ]—
      
      This is reproducible in a cycle, where a series of writes is followed by
      SCSI device delete command. The test may take up to few minutes.
      
      Fixes: 74d46992 ("block: replace bi_bdev with a gendisk pointer and partitions index")
      [ no signed-off-by provided ]
      Author: Dmitriy Gorokh <Dmitriy.Gorokh@wdc.com>
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      047fdea6
    • Michel Dänzer's avatar
      drm/amdgpu/dce: Don't turn off DP sink when disconnected · 7d617264
      Michel Dänzer authored
      Turning off the sink in this case causes various issues, because
      userspace expects it to stay on until it turns it off explicitly.
      
      Instead, turn the sink off and back on when a display is connected
      again. This dance seems necessary for link training to work correctly.
      
      Bugzilla: https://bugs.freedesktop.org/105308
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      7d617264
    • Alex Deucher's avatar
      drm/amdgpu: save/restore backlight level in legacy dce code · b5e32413
      Alex Deucher authored
      Save/restore the backlight level scratch register in S3/S4 so the
      backlight level comes back at the previously requested level.
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=199047
      Fixes: 4ec6ecf4 (drm/amdgpu: drop scratch regs save and restore from S3/S4 handling)
      Acked-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Reviewed-by: default avatarHarry Wentland <harry.wentland@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      b5e32413
    • Christian König's avatar
      drm/radeon: fix prime teardown order · 0f4f715b
      Christian König authored
      We unmapped imported DMA-bufs when the GEM handle was dropped, not when the
      hardware was done with the buffere.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      0f4f715b
    • Christian König's avatar
      drm/amdgpu: fix prime teardown order · 342038d9
      Christian König authored
      We unmapped imported DMA-bufs when the GEM handle was dropped, not when the
      hardware was done with the buffere.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      342038d9
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.16-7' of git://git.infradead.org/linux-platform-drivers-x86 · 274a1ff0
      Linus Torvalds authored
      Pull x86 platform drives fixes from Darren Hart:
      
       - DELL_SMBIOS conditionally depends on ACPI_WMI in the same way it
         depends on DCDBAS, update the Kconfig accordingly.
      
       - fix the dell driver init order to ensure that the driver dependencies
         are met, avoiding race conditions resulting in boot failure on
         certain systems when the drivers are built-in.
      
      * tag 'platform-drivers-x86-v4.16-7' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: Fix dell driver init order
        platform/x86: dell-smbios: Resolve dependency error on ACPI_WMI
      274a1ff0
    • Steffen Maier's avatar
      dm mpath: fix passing integrity data · 8c5c1473
      Steffen Maier authored
      After v4.12 commit e2460f2a ("dm: mark targets that pass integrity
      data"), dm-multipath, e.g. on DIF+DIX SCSI disk paths, does not support
      block integrity any more. So add it to the whitelist.
      
      This is also a pre-requisite to use block integrity with other dm layer(s)
      on top of multipath, such as kpartx partitions (dm-linear) or LVM.
      
      Also, bump target version to reflect this fix.
      
      Fixes: e2460f2a ("dm: mark targets that pass integrity data")
      Cc: <stable@vger.kernel.org> #4.12+
      Bisected-by: default avatarFedor Loshakov <loshakov@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      8c5c1473
    • Tejun Heo's avatar
      RDMAVT: Fix synchronization around percpu_ref · 74b44bbe
      Tejun Heo authored
      rvt_mregion uses percpu_ref for reference counting and RCU to protect
      accesses from lkey_table.  When a rvt_mregion needs to be freed, it
      first gets unregistered from lkey_table and then rvt_check_refs() is
      called to wait for in-flight usages before the rvt_mregion is freed.
      
      rvt_check_refs() seems to have a couple issues.
      
      * It has a fast exit path which tests percpu_ref_is_zero().  However,
        a percpu_ref reading zero doesn't mean that the object can be
        released.  In fact, the ->release() callback might not even have
        started executing yet.  Proceeding with freeing can lead to
        use-after-free.
      
      * lkey_table is RCU protected but there is no RCU grace period in the
        free path.  percpu_ref uses RCU internally but it's sched-RCU whose
        grace periods are different from regular RCU.  Also, it generally
        isn't a good idea to depend on internal behaviors like this.
      
      To address the above issues, this patch removes the fast exit and adds
      an explicit synchronize_rcu().
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Cc: linux-rdma@vger.kernel.org
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      74b44bbe
    • Tejun Heo's avatar
      fs/aio: Use RCU accessors for kioctx_table->table[] · d0264c01
      Tejun Heo authored
      While converting ioctx index from a list to a table, db446a08
      ("aio: convert the ioctx list to table lookup v3") missed tagging
      kioctx_table->table[] as an array of RCU pointers and using the
      appropriate RCU accessors.  This introduces a small window in the
      lookup path where init and access may race.
      
      Mark kioctx_table->table[] with __rcu and use the approriate RCU
      accessors when using the field.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: db446a08 ("aio: convert the ioctx list to table lookup v3")
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.12+
      d0264c01
    • Tejun Heo's avatar
      fs/aio: Add explicit RCU grace period when freeing kioctx · a6d7cff4
      Tejun Heo authored
      While fixing refcounting, e34ecee2 ("aio: Fix a trinity splat")
      incorrectly removed explicit RCU grace period before freeing kioctx.
      The intention seems to be depending on the internal RCU grace periods
      of percpu_ref; however, percpu_ref uses a different flavor of RCU,
      sched-RCU.  This can lead to kioctx being freed while RCU read
      protected dereferences are still in progress.
      
      Fix it by updating free_ioctx() to go through call_rcu() explicitly.
      
      v2: Comment added to explain double bouncing.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: e34ecee2 ("aio: Fix a trinity splat")
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.13+
      a6d7cff4