--- /dev/null
+From fc035f9a98d553740909c0aefe012f468834e5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2020 15:47:39 -0700
+Subject: kgdb: Avoid suspicious RCU usage warning
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 440ab9e10e2e6e5fd677473ee6f9e3af0f6904d6 ]
+
+At times when I'm using kgdb I see a splat on my console about
+suspicious RCU usage. I managed to come up with a case that could
+reproduce this that looked like this:
+
+ WARNING: suspicious RCU usage
+ 5.7.0-rc4+ #609 Not tainted
+ -----------------------------
+ kernel/pid.c:395 find_task_by_pid_ns() needs rcu_read_lock() protection!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 3 locks held by swapper/0/1:
+ #0: ffffff81b6b8e988 (&dev->mutex){....}-{3:3}, at: __device_attach+0x40/0x13c
+ #1: ffffffd01109e9e8 (dbg_master_lock){....}-{2:2}, at: kgdb_cpu_enter+0x20c/0x7ac
+ #2: ffffffd01109ea90 (dbg_slave_lock){....}-{2:2}, at: kgdb_cpu_enter+0x3ec/0x7ac
+
+ stack backtrace:
+ CPU: 7 PID: 1 Comm: swapper/0 Not tainted 5.7.0-rc4+ #609
+ Hardware name: Google Cheza (rev3+) (DT)
+ Call trace:
+ dump_backtrace+0x0/0x1b8
+ show_stack+0x1c/0x24
+ dump_stack+0xd4/0x134
+ lockdep_rcu_suspicious+0xf0/0x100
+ find_task_by_pid_ns+0x5c/0x80
+ getthread+0x8c/0xb0
+ gdb_serial_stub+0x9d4/0xd04
+ kgdb_cpu_enter+0x284/0x7ac
+ kgdb_handle_exception+0x174/0x20c
+ kgdb_brk_fn+0x24/0x30
+ call_break_hook+0x6c/0x7c
+ brk_handler+0x20/0x5c
+ do_debug_exception+0x1c8/0x22c
+ el1_sync_handler+0x3c/0xe4
+ el1_sync+0x7c/0x100
+ rpmh_rsc_probe+0x38/0x420
+ platform_drv_probe+0x94/0xb4
+ really_probe+0x134/0x300
+ driver_probe_device+0x68/0x100
+ __device_attach_driver+0x90/0xa8
+ bus_for_each_drv+0x84/0xcc
+ __device_attach+0xb4/0x13c
+ device_initial_probe+0x18/0x20
+ bus_probe_device+0x38/0x98
+ device_add+0x38c/0x420
+
+If I understand properly we should just be able to blanket kgdb under
+one big RCU read lock and the problem should go away. We'll add it to
+the beast-of-a-function known as kgdb_cpu_enter().
+
+With this I no longer get any splats and things seem to work fine.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200602154729.v2.1.I70e0d4fd46d5ed2aaf0c98a355e8e1b7a5bb7e4e@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index 6a1dc2613bb92..fbb1bfdd2fa53 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -489,6 +489,7 @@ static int kgdb_cpu_enter(struct kgdb_state *ks, struct pt_regs *regs,
+ arch_kgdb_ops.disable_hw_break(regs);
+
+ acquirelock:
++ rcu_read_lock();
+ /*
+ * Interrupts will be restored by the 'trap return' code, except when
+ * single stepping.
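Review bot: The `rcu_read_lock()` added at `acquirelock:` carries no comment saying why the whole debugger session runs inside an RCU read-side section, or that every exit must drop it. The later hunks show three separate exits that each need the matching `rcu_read_unlock()`: the slave `return 0`, the `goto acquirelock` retry, and the final return after `kgdb_restore:`. A comment such as `/* Held until we leave kgdb: gdbstub helpers (getthread() -> find_task_by_pid_ns()) need rcu_read_lock(); every exit below must rcu_read_unlock() */` would keep a future exit path from leaking the read lock. The body of kgdb_cpu_enter() between these hunks is not visible here, so any other return or jump out of it should be checked for the same pairing.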
+@@ -545,6 +546,7 @@ return_normal:
+ atomic_dec(&slaves_in_kgdb);
+ dbg_touch_watchdogs();
+ local_irq_restore(flags);
++ rcu_read_unlock();
+ return 0;
+ }
+ cpu_relax();
+@@ -563,6 +565,7 @@ return_normal:
+ raw_spin_unlock(&dbg_master_lock);
+ dbg_touch_watchdogs();
+ local_irq_restore(flags);
++ rcu_read_unlock();
+
+ goto acquirelock;
+ }
+@@ -686,6 +689,7 @@ kgdb_restore:
+ raw_spin_unlock(&dbg_master_lock);
+ dbg_touch_watchdogs();
+ local_irq_restore(flags);
++ rcu_read_unlock();
+
+ return kgdb_info[cpu].ret_state;
+ }
+--
+2.25.1
+
--- /dev/null
+From 40d9df1fff53576094bee0501f1961433452cf19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:45:57 -0700
+Subject: mm/slub: fix stack overruns with SLUB_STATS
+
+From: Qian Cai <cai@lca.pw>
+
+[ Upstream commit a68ee0573991e90af2f1785db309206408bad3e5 ]
+
+There is no need to copy SLUB_STATS items from root memcg cache to new
+memcg cache copies. Doing so could result in stack overruns because the
+store function only accepts 0 to clear the stat and returns an error for
+everything else while the show method would print out the whole stat.
+
+Then, the mismatch of the lengths returns from show and store methods
+happens in memcg_propagate_slab_attrs():
+
+ else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
+ buf = mbuf;
+
+max_attr_size is only 2 from slab_attr_store(), then, it uses mbuf[64]
+in show_stat() later where a bounch of sprintf() would overrun the stack
+variable. Fix it by always allocating a page of buffer to be used in
+show_stat() if SLUB_STATS=y which should only be used for debug purpose.
+
+ # echo 1 > /sys/kernel/slab/fs_cache/shrink
+ BUG: KASAN: stack-out-of-bounds in number+0x421/0x6e0
+ Write of size 1 at addr ffffc900256cfde0 by task kworker/76:0/53251
+
+ Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
+ Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
+ Call Trace:
+ number+0x421/0x6e0
+ vsnprintf+0x451/0x8e0
+ sprintf+0x9e/0xd0
+ show_stat+0x124/0x1d0
+ alloc_slowpath_show+0x13/0x20
+ __kmem_cache_create+0x47a/0x6b0
+
+ addr ffffc900256cfde0 is located in stack of task kworker/76:0/53251 at offset 0 in frame:
+ process_one_work+0x0/0xb90
+
+ this frame has 1 object:
+ [32, 72) 'lockdep_map'
+
+ Memory state around the buggy address:
+ ffffc900256cfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffc900256cfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffc900256cfd80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+ ^
+ ffffc900256cfe00: 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00
+ ffffc900256cfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ==================================================================
+ Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __kmem_cache_create+0x6ac/0x6b0
+ Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
+ Call Trace:
+ __kmem_cache_create+0x6ac/0x6b0
+
+Fixes: 107dab5c92d5 ("slub: slub-specific propagation changes")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Glauber Costa <glauber@scylladb.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Link: http://lkml.kernel.org/r/20200429222356.4322-1-cai@lca.pw
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 473e0a8afb802..882a1e0ae89c8 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5610,7 +5610,8 @@ static void memcg_propagate_slab_attrs(struct kmem_cache *s)
+ */
+ if (buffer)
+ buf = buffer;
+- else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
++ else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf) &&
++ !IS_ENABLED(CONFIG_SLUB_STATS))
+ buf = mbuf;
+ else {
+ buffer = (char *) get_zeroed_page(GFP_KERNEL);
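Review bot: The added `!IS_ENABLED(CONFIG_SLUB_STATS)` test in memcg_propagate_slab_attrs() keeps the 64-byte `mbuf` away from the stat attributes only, while the buffer choice still rests on `max_attr_size`. Per the commit message that field records store() lengths, not how much show() will write. Any other attribute whose show() output is longer than what was last stored would, it seems, still be formatted into the stack buffer; always taking the page, or bounding the show() writers, would close the class rather than one config. At minimum the condition deserves a comment, e.g. `/* show_stat() output is not bounded by max_attr_size; never use the stack buffer with SLUB_STATS */`. Whether the `get_zeroed_page()` result is checked lies outside this hunk.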
+--
+2.25.1
+
--- /dev/null
+From ecc0e10d80e57864ea3e831dd3850c7a557ae5e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 21:45:47 -0700
+Subject: mm/slub.c: fix corrupted freechain in deactivate_slab()
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+[ Upstream commit 52f23478081ae0dcdb95d1650ea1e7d52d586829 ]
+
+The slub_debug is able to fix the corrupted slab freelist/page.
+However, alloc_debug_processing() only checks the validity of current
+and next freepointer during allocation path. As a result, once some
+objects have their freepointers corrupted, deactivate_slab() may lead to
+page fault.
+
+Below is from a test kernel module when 'slub_debug=PUF,kmalloc-128
+slub_nomerge'. The test kernel corrupts the freepointer of one free
+object on purpose. Unfortunately, deactivate_slab() does not detect it
+when iterating the freechain.
+
+ BUG: unable to handle page fault for address: 00000000123456f8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ ... ...
+ RIP: 0010:deactivate_slab.isra.92+0xed/0x490
+ ... ...
+ Call Trace:
+ ___slab_alloc+0x536/0x570
+ __slab_alloc+0x17/0x30
+ __kmalloc+0x1d9/0x200
+ ext4_htree_store_dirent+0x30/0xf0
+ htree_dirblock_to_tree+0xcb/0x1c0
+ ext4_htree_fill_tree+0x1bc/0x2d0
+ ext4_readdir+0x54f/0x920
+ iterate_dir+0x88/0x190
+ __x64_sys_getdents+0xa6/0x140
+ do_syscall_64+0x49/0x170
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Therefore, this patch adds extra consistency check in deactivate_slab().
+Once an object's freepointer is corrupted, all following objects
+starting at this object are isolated.
+
+[akpm@linux-foundation.org: fix build with CONFIG_SLAB_DEBUG=n]
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Joe Jin <joe.jin@oracle.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Link: http://lkml.kernel.org/r/20200331031450.12182-1-dongli.zhang@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slub.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index b94ba8d35a025..473e0a8afb802 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -645,6 +645,20 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...)
+ va_end(args);
+ }
+
++static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
++ void *freelist, void *nextfree)
++{
++ if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
++ !check_valid_pointer(s, page, nextfree)) {
++ object_err(s, page, freelist, "Freechain corrupt");
++ freelist = NULL;
++ slab_fix(s, "Isolate corrupted freechain");
++ return true;
++ }
++
++ return false;
++}
++
+ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned int off; /* Offset of last byte */
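Review bot: `freelist = NULL;` in the new freelist_corrupted() assigns to the function's own by-value parameter, so the caller's `freelist` in deactivate_slab() is unchanged and the chain is not isolated as the comment in the third hunk says. After the `break`, deactivate_slab() carries on with a `freelist` that still points at the object whose free pointer failed check_valid_pointer(). What the code after the loop does with it is outside the hunk, but it looks as if the corrupted chain can still be consumed. Passing the list head by reference fixes this; the `!CONFIG_SLUB_DEBUG` stub in the second hunk needs the same signature, and the call in deactivate_slab() passes `&freelist`.

```c
static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
			       void **freelist, void *nextfree)
{
	/* … unchanged: SLAB_CONSISTENCY_CHECKS / check_valid_pointer() test … */
		object_err(s, page, *freelist, "Freechain corrupt");
		*freelist = NULL;	/* clears the caller's list head */
	/* … unchanged: slab_fix() and the return values … */
}

/* call site in deactivate_slab() */
if (freelist_corrupted(s, page, &freelist, nextfree))
	break;
```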
+@@ -1328,6 +1342,11 @@ static inline void inc_slabs_node(struct kmem_cache *s, int node,
+ static inline void dec_slabs_node(struct kmem_cache *s, int node,
+ int objects) {}
+
++static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
++ void *freelist, void *nextfree)
++{
++ return false;
++}
+ #endif /* CONFIG_SLUB_DEBUG */
+
+ /*
+@@ -2013,6 +2032,14 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
+ void *prior;
+ unsigned long counters;
+
++ /*
++ * If 'nextfree' is invalid, it is possible that the object at
++ * 'freelist' is already corrupted. So isolate all objects
++ * starting at 'freelist'.
++ */
++ if (freelist_corrupted(s, page, freelist, nextfree))
++ break;
++
+ do {
+ prior = page->freelist;
+ counters = page->counters;
+--
+2.25.1
+
--- /dev/null
+From bf6f07e595da01974334f6d10892543d85fd1696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 01:53:08 -0700
+Subject: nvme: fix possible deadlock when I/O is blocked
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 3b4b19721ec652ad2c4fe51dfbe5124212b5f581 ]
+
+Revert fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
+in nvme_validate_ns")
+
+When adding a new namespace to the head disk (via nvme_mpath_set_live)
+we will see partition scan which triggers I/O on the mpath device node.
+This process will usually be triggered from the scan_work which holds
+the scan_lock. If I/O blocks (if we got ana change currently have only
+available paths but none are accessible) this can deadlock on the head
+disk bd_mutex as both partition scan I/O takes it, and head disk revalidation
+takes it to check for resize (also triggered from scan_work on a different
+path). See trace [1].
+
+The mpath disk revalidation was originally added to detect online disk
+size change, but this is no longer needed since commit cb224c3af4df
+("nvme: Convert to use set_capacity_revalidate_and_notify") which already
+updates resize info without unnecessarily revalidating the disk (the
+mpath disk doesn't even implement .revalidate_disk fop).
+
+[1]:
+--
+kernel: INFO: task kworker/u65:9:494 blocked for more than 241 seconds.
+kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
+kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+kernel: kworker/u65:9 D 0 494 2 0x80004000
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: schedule_preempt_disabled+0xe/0x10
+kernel: __mutex_lock.isra.0+0x182/0x4f0
+kernel: __mutex_lock_slowpath+0x13/0x20
+kernel: mutex_lock+0x2e/0x40
+kernel: revalidate_disk+0x63/0xa0
+kernel: __nvme_revalidate_disk+0xfe/0x110 [nvme_core]
+kernel: nvme_revalidate_disk+0xa4/0x160 [nvme_core]
+kernel: ? evict+0x14c/0x1b0
+kernel: revalidate_disk+0x2b/0xa0
+kernel: nvme_validate_ns+0x49/0x940 [nvme_core]
+kernel: ? blk_mq_free_request+0xd2/0x100
+kernel: ? __nvme_submit_sync_cmd+0xbe/0x1e0 [nvme_core]
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x1f/0x40
+...
+kernel: INFO: task kworker/u65:1:2630 blocked for more than 241 seconds.
+kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
+kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+kernel: kworker/u65:1 D 0 2630 2 0x80004000
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: io_schedule+0x16/0x40
+kernel: do_read_cache_page+0x438/0x830
+kernel: ? __switch_to_asm+0x34/0x70
+kernel: ? file_fdatawait_range+0x30/0x30
+kernel: read_cache_page+0x12/0x20
+kernel: read_dev_sector+0x27/0xc0
+kernel: read_lba+0xc1/0x220
+kernel: ? kmem_cache_alloc_trace+0x19c/0x230
+kernel: efi_partition+0x1e6/0x708
+kernel: ? vsnprintf+0x39e/0x4e0
+kernel: ? snprintf+0x49/0x60
+kernel: check_partition+0x154/0x244
+kernel: rescan_partitions+0xae/0x280
+kernel: __blkdev_get+0x40f/0x560
+kernel: blkdev_get+0x3d/0x140
+kernel: __device_add_disk+0x388/0x480
+kernel: device_add_disk+0x13/0x20
+kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core]
+kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
+kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
+kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core]
+kernel: ? nvme_update_ns_ana_state+0x60/0x60 [nvme_core]
+kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core]
+kernel: nvme_validate_ns+0x396/0x940 [nvme_core]
+kernel: ? blk_mq_free_request+0xd2/0x100
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x1f/0x40
+--
+
+Fixes: fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
+in nvme_validate_ns")
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 0d60f2f8f3eec..5c9326777334f 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1602,7 +1602,6 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
+ if (ns->head->disk) {
+ nvme_update_disk_info(ns->head->disk, ns, id);
+ blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
+- revalidate_disk(ns->head->disk);
+ }
+ #endif
+ }
+--
+2.25.1
+
--- /dev/null
+From 1fcac624d072d7c9e178cc1d611fed2a5ece6e25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 01:53:09 -0700
+Subject: nvme-multipath: fix deadlock between ana_work and scan_work
+
+From: Anton Eidelman <anton@lightbitslabs.com>
+
+[ Upstream commit 489dd102a2c7c94d783a35f9412eb085b8da1aa4 ]
+
+When scan_work calls nvme_mpath_add_disk() this holds ana_lock
+and invokes nvme_parse_ana_log(), which may issue IO
+in device_add_disk() and hang waiting for an accessible path.
+While nvme_mpath_set_live() only called when nvme_state_is_live(),
+a transition may cause NVME_SC_ANA_TRANSITION and requeue the IO.
+
+In order to recover and complete the IO ana_work on the same ctrl
+should be able to update the path state and remove NVME_NS_ANA_PENDING.
+
+The deadlock occurs because scan_work keeps holding ana_lock,
+so ana_work hangs [1].
+
+Fix:
+Now nvme_mpath_add_disk() uses nvme_parse_ana_log() to obtain a copy
+of the ANA group desc, and then calls nvme_update_ns_ana_state() without
+holding ana_lock.
+
+[1]:
+kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: io_schedule+0x16/0x40
+kernel: do_read_cache_page+0x438/0x830
+kernel: read_cache_page+0x12/0x20
+kernel: read_dev_sector+0x27/0xc0
+kernel: read_lba+0xc1/0x220
+kernel: efi_partition+0x1e6/0x708
+kernel: check_partition+0x154/0x244
+kernel: rescan_partitions+0xae/0x280
+kernel: __blkdev_get+0x40f/0x560
+kernel: blkdev_get+0x3d/0x140
+kernel: __device_add_disk+0x388/0x480
+kernel: device_add_disk+0x13/0x20
+kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core]
+kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
+kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
+kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core]
+kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core]
+kernel: nvme_validate_ns+0x396/0x940 [nvme_core]
+kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x249/0x400
+kernel: kthread+0x104/0x140
+
+kernel: Workqueue: nvme-wq nvme_ana_work [nvme_core]
+kernel: Call Trace:
+kernel: __schedule+0x2b9/0x6c0
+kernel: schedule+0x42/0xb0
+kernel: schedule_preempt_disabled+0xe/0x10
+kernel: __mutex_lock.isra.0+0x182/0x4f0
+kernel: ? __switch_to_asm+0x34/0x70
+kernel: ? select_task_rq_fair+0x1aa/0x5c0
+kernel: ? kvm_sched_clock_read+0x11/0x20
+kernel: ? sched_clock+0x9/0x10
+kernel: __mutex_lock_slowpath+0x13/0x20
+kernel: mutex_lock+0x2e/0x40
+kernel: nvme_read_ana_log+0x3a/0x100 [nvme_core]
+kernel: nvme_ana_work+0x15/0x20 [nvme_core]
+kernel: process_one_work+0x1db/0x380
+kernel: worker_thread+0x4d/0x400
+kernel: kthread+0x104/0x140
+kernel: ? process_one_work+0x380/0x380
+kernel: ? kthread_park+0x80/0x80
+kernel: ret_from_fork+0x35/0x40
+
+Fixes: 0d0b660f214d ("nvme: add ANA support")
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 6f584a9515f42..3ad6183c5e6b4 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -496,26 +496,34 @@ static ssize_t ana_state_show(struct device *dev, struct device_attribute *attr,
+ }
+ DEVICE_ATTR_RO(ana_state);
+
+-static int nvme_set_ns_ana_state(struct nvme_ctrl *ctrl,
++static int nvme_lookup_ana_group_desc(struct nvme_ctrl *ctrl,
+ struct nvme_ana_group_desc *desc, void *data)
+ {
+- struct nvme_ns *ns = data;
++ struct nvme_ana_group_desc *dst = data;
+
+- if (ns->ana_grpid == le32_to_cpu(desc->grpid)) {
+- nvme_update_ns_ana_state(desc, ns);
+- return -ENXIO; /* just break out of the loop */
+- }
++ if (desc->grpid != dst->grpid)
++ return 0;
+
+- return 0;
++ *dst = *desc;
++ return -ENXIO; /* just break out of the loop */
+ }
+
+ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id)
+ {
+ if (nvme_ctrl_use_ana(ns->ctrl)) {
++ struct nvme_ana_group_desc desc = {
++ .grpid = id->anagrpid,
++ .state = 0,
++ };
++
+ mutex_lock(&ns->ctrl->ana_lock);
+ ns->ana_grpid = le32_to_cpu(id->anagrpid);
+- nvme_parse_ana_log(ns->ctrl, ns, nvme_set_ns_ana_state);
++ nvme_parse_ana_log(ns->ctrl, &desc, nvme_lookup_ana_group_desc);
+ mutex_unlock(&ns->ctrl->ana_lock);
++ if (desc.state) {
++ /* found the group desc: update */
++ nvme_update_ns_ana_state(&desc, ns);
++ }
+ } else {
+ mutex_lock(&ns->head->lock);
+ ns->ana_state = NVME_ANA_OPTIMIZED;
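Review bot: In nvme_mpath_add_disk() the descriptor is copied under `ana_lock` but applied by `nvme_update_ns_ana_state(&desc, ns)` after `mutex_unlock()`. An ana_work pass on the same controller can presumably update the namespace in between and then be overwritten by the older copy. Whether that window matters depends on nvme_update_ns_ana_state(), which is outside the hunk; if it does, scheduling another ANA log read after the update would close it. Separately, `if (desc.state)` uses zero as "group not found", which relies on zero never being a valid ANA state and silently skips a namespace whose group is missing from the log. A comment such as `/* state stays 0 (not a valid ANA state) when grpid is absent from the log */` would document the sentinel.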
+--
+2.25.1
+
--- /dev/null
+From 87f8cf96f49463d86b4fdcf0ad030ee82ab74d48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 09:09:04 -0700
+Subject: nvme-multipath: set bdi capabilities once
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit b2ce4d90690bd29ce5b554e203cd03682dd59697 ]
+
+The queues' backing device info capabilities don't change with each
+namespace revalidation. Set it only when each path's request_queue
+is initially added to a multipath queue.
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 588864beabd80..6f584a9515f42 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -11,6 +11,7 @@
+ * more details.
+ */
+
++#include <linux/backing-dev.h>
+ #include <linux/moduleparam.h>
+ #include <trace/events/block.h>
+ #include "nvme.h"
+@@ -521,6 +522,13 @@ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id)
+ nvme_mpath_set_live(ns);
+ mutex_unlock(&ns->head->lock);
+ }
++
++ if (bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {
++ struct backing_dev_info *info =
++ ns->head->disk->queue->backing_dev_info;
++
++ info->capabilities |= BDI_CAP_STABLE_WRITES;
++ }
+ }
+
+ void nvme_mpath_remove_disk(struct nvme_ns_head *head)
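Review bot: The block added at the end of nvme_mpath_add_disk() dereferences `ns->head->disk->queue` without checking `ns->head->disk`. __nvme_revalidate_disk() in core.c, visible as context in the nvme revert queued alongside this patch, wraps its head-disk accesses in `if (ns->head->disk)`. If nvme_mpath_add_disk() can run for a namespace head that has no multipath disk, this is a NULL pointer dereference in the scan path; the callers are not visible here, so that needs confirming. Suggested guard: `if (ns->head->disk && bdi_cap_stable_pages_required(ns->queue->backing_dev_info)) {`. The function begins before this hunk.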
+--
+2.25.1
+
--- /dev/null
+From 456250ed51f184f40b40010ae637e76a67ba5739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2020 05:57:23 -0400
+Subject: s390/debug: avoid kernel warning on too large number of pages
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit 827c4913923e0b441ba07ba4cc41e01181102303 ]
+
+When specifying insanely large debug buffers a kernel warning is
+printed. The debug code does handle the error gracefully, though.
+Instead of duplicating the check let us silence the warning to
+avoid crashes when panic_on_warn is used.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
+index d374f9b218b4c..04bbf7e97fea7 100644
+--- a/arch/s390/kernel/debug.c
++++ b/arch/s390/kernel/debug.c
+@@ -198,9 +198,10 @@ static debug_entry_t ***debug_areas_alloc(int pages_per_area, int nr_areas)
+ if (!areas)
+ goto fail_malloc_areas;
+ for (i = 0; i < nr_areas; i++) {
++ /* GFP_NOWARN to avoid user triggerable WARN, we handle fails */
+ areas[i] = kmalloc_array(pages_per_area,
+ sizeof(debug_entry_t *),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!areas[i])
+ goto fail_malloc_areas2;
+ for (j = 0; j < pages_per_area; j++) {
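Review bot: The new comment above `kmalloc_array()` in debug_areas_alloc() says the WARN is user triggerable but not which value is user-influenced or where the failure is unwound, and `__GFP_NOWARN` leaves `pages_per_area` itself unbounded. Going by the commit message (oversized debug buffers), something like `/* pages_per_area can be arbitrarily large; __GFP_NOWARN so an oversized request fails quietly instead of tripping WARN (panic_on_warn) and is unwound at fail_malloc_areas2 */` would make the intent reviewable. The allocation of `areas` above the hunk and the per-page allocations in the inner loop are not visible here; if their sizes can be driven the same way, they would want the same treatment.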
+--
+2.25.1
+
btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch
mm-fix-swap-cache-node-allocation-mask.patch
edac-amd64-read-back-the-scrub-rate-pci-register-on-.patch
+usbnet-smsc95xx-fix-use-after-free-after-removal.patch
+mm-slub.c-fix-corrupted-freechain-in-deactivate_slab.patch
+mm-slub-fix-stack-overruns-with-slub_stats.patch
+usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
+s390-debug-avoid-kernel-warning-on-too-large-number-.patch
+nvme-multipath-set-bdi-capabilities-once.patch
+nvme-fix-possible-deadlock-when-i-o-is-blocked.patch
+nvme-multipath-fix-deadlock-between-ana_work-and-sca.patch
+kgdb-avoid-suspicious-rcu-usage-warning.patch
--- /dev/null
+From 7a3f84611edf884c6fb6752bc4afc61b427d87c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 11:52:10 +0800
+Subject: usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit 28ebeb8db77035e058a510ce9bd17c2b9a009dba ]
+
+BUG: memory leak
+unreferenced object 0xffff888055046e00 (size 256):
+ comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
+ hex dump (first 32 bytes):
+ 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....
+ f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......
+ backtrace:
+ [<00000000d121dccf>] kmemleak_alloc_recursive
+include/linux/kmemleak.h:43 [inline]
+ [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
+ [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
+ [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
+ [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
+ [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
+drivers/usb/misc/usbtest.c:2790
+ [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
+drivers/usb/core/driver.c:361
+ [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
+ [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
+ [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
+drivers/base/dd.c:831
+ [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
+ [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
+ [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
+ [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
+ [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
+ [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
+drivers/usb/core/message.c:2030
+ [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
+ [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
+drivers/usb/core/driver.c:266
+ [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
+ [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/usbtest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index c7f82310e73ec..fc3fc9d48a553 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -2853,6 +2853,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
+
+ usb_set_intfdata(intf, NULL);
+ dev_dbg(&intf->dev, "disconnect\n");
++ kfree(dev->buf);
+ kfree(dev);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fae31f9c5311b778fbbacc067534372c53123ec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jun 2020 13:43:26 +0300
+Subject: usbnet: smsc95xx: Fix use-after-free after removal
+
+From: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+
+[ Upstream commit b835a71ef64a61383c414d6bf2896d2c0161deca ]
+
+Syzbot reports an use-after-free in workqueue context:
+
+BUG: KASAN: use-after-free in mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
+ mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
+ __smsc95xx_mdio_read drivers/net/usb/smsc95xx.c:217 [inline]
+ smsc95xx_mdio_read+0x583/0x870 drivers/net/usb/smsc95xx.c:278
+ check_carrier+0xd1/0x2e0 drivers/net/usb/smsc95xx.c:644
+ process_one_work+0x777/0xf90 kernel/workqueue.c:2274
+ worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
+ kthread+0x2df/0x300 kernel/kthread.c:255
+
+It looks like that smsc95xx_unbind() is freeing the structures that are
+still in use by the concurrently running workqueue callback. Thus switch
+to using cancel_delayed_work_sync() to ensure the work callback really
+is no longer active.
+
+Reported-by: syzbot+29dc7d4ae19b703ff947@syzkaller.appspotmail.com
+Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 6e971628bb50a..c3389bd87c654 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1338,7 +1338,7 @@ static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+ struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
+
+ if (pdata) {
+- cancel_delayed_work(&pdata->carrier_check);
++ cancel_delayed_work_sync(&pdata->carrier_check);
+ netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+ kfree(pdata);
+ pdata = NULL;
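Review bot: Nothing at the `cancel_delayed_work_sync()` call in smsc95xx_unbind() records that the `kfree(pdata)` two lines later depends on the carrier-check work having finished, so a later cleanup could switch back to the non-waiting variant and reintroduce the use-after-free. A one-line comment would pin the ordering: `/* wait for check_carrier() to finish; it dereferences pdata, which is freed below */`. Also, `pdata = NULL;` only clears the local variable. Whether `dev->data[0]` is cleared as well lies outside the hunk and is worth confirming, since it otherwise still holds the freed address.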
+--
+2.25.1
+