From: Sasha Levin Date: Tue, 17 Dec 2019 15:29:48 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v5.4.4~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db4c0f7be1e960c0ea15066953665d34d4adde26;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch b/queue-4.14/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch new file mode 100644 index 00000000000..85ba02c08a6 --- /dev/null +++ b/queue-4.14/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch 
@@ -0,0 +1,93 @@ +From c167cbe3fb731c25fc72250b60e7af13676bd349 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 09:49:11 -0500 +Subject: gfs2: fix glock reference problem in gfs2_trans_remove_revoke + +From: Bob Peterson + +[ Upstream commit fe5e7ba11fcf1d75af8173836309e8562aefedef ] + +Commit 9287c6452d2b fixed a situation in which gfs2 could use a glock +after it had been freed. To do that, it temporarily added a new glock +reference by calling gfs2_glock_hold in function gfs2_add_revoke. +However, if the bd element was removed by gfs2_trans_remove_revoke, it +failed to drop the additional reference. + +This patch adds logic to gfs2_trans_remove_revoke to properly drop the +additional glock reference. + +Fixes: 9287c6452d2b ("gfs2: Fix occasional glock use-after-free") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/log.c | 8 ++++++++ + fs/gfs2/log.h | 1 + + fs/gfs2/lops.c | 5 +---- + fs/gfs2/trans.c | 2 ++ + 4 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index 483b82e2be923..a3208511f35aa 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -594,6 +594,14 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd) + list_add(&bd->bd_list, &sdp->sd_log_le_revoke); + } + ++void gfs2_glock_remove_revoke(struct gfs2_glock *gl) ++{ ++ if (atomic_dec_return(&gl->gl_revokes) == 0) { ++ clear_bit(GLF_LFLUSH, &gl->gl_flags); ++ gfs2_glock_queue_put(gl); ++ } ++} ++ + void gfs2_write_revokes(struct gfs2_sbd *sdp) + { + struct gfs2_trans *tr; +diff --git a/fs/gfs2/log.h b/fs/gfs2/log.h +index 9499a60492129..3b7b7839ec6aa 100644 +--- a/fs/gfs2/log.h ++++ b/fs/gfs2/log.h +@@ -80,6 +80,7 @@ extern void gfs2_ail1_flush(struct gfs2_sbd *sdp, struct writeback_control *wbc) + extern void gfs2_log_shutdown(struct gfs2_sbd *sdp); + extern int gfs2_logd(void *data); + extern void gfs2_add_revoke(struct 
gfs2_sbd *sdp, struct gfs2_bufdata *bd); ++extern void gfs2_glock_remove_revoke(struct gfs2_glock *gl); + extern void gfs2_write_revokes(struct gfs2_sbd *sdp); + + #endif /* __LOG_DOT_H__ */ +diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c +index 049f8c6721b4a..a5041e6d2c0d7 100644 +--- a/fs/gfs2/lops.c ++++ b/fs/gfs2/lops.c +@@ -660,10 +660,7 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr) + bd = list_entry(head->next, struct gfs2_bufdata, bd_list); + list_del_init(&bd->bd_list); + gl = bd->bd_gl; +- if (atomic_dec_return(&gl->gl_revokes) == 0) { +- clear_bit(GLF_LFLUSH, &gl->gl_flags); +- gfs2_glock_queue_put(gl); +- } ++ gfs2_glock_remove_revoke(gl); + kmem_cache_free(gfs2_bufdata_cachep, bd); + } + } +diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c +index affef3c066e09..69e3402a3cc59 100644 +--- a/fs/gfs2/trans.c ++++ b/fs/gfs2/trans.c +@@ -277,6 +277,8 @@ void gfs2_trans_add_unrevoke(struct gfs2_sbd *sdp, u64 blkno, unsigned int len) + list_del_init(&bd->bd_list); + gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke); + sdp->sd_log_num_revoke--; ++ if (bd->bd_gl) ++ gfs2_glock_remove_revoke(bd->bd_gl); + kmem_cache_free(gfs2_bufdata_cachep, bd); + tr->tr_num_revoke_rm++; + if (--n == 0) +-- +2.20.1 + diff --git a/queue-4.14/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch b/queue-4.14/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch new file mode 100644 index 00000000000..a07ff7fc083 --- /dev/null +++ b/queue-4.14/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch 
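Review bot: The new gfs2_glock_remove_revoke() in fs/gfs2/log.c dereferences `gl` without a check, and its two callers disagree on whether `bd->bd_gl` can be NULL: the trans.c hunk guards the call with `if (bd->bd_gl)`, while revoke_lo_after_commit() in lops.c passes `bd->bd_gl` straight through. Whichever invariant holds is not visible in these hunks, so the helper should state its contract, for example `/* gl must be non-NULL; drops one revoke count and, on the last one, clears GLF_LFLUSH and puts the glock */`. The upstream tag reads `# v5.2+` and the matching gfs2_glock_hold() in gfs2_add_revoke() lies outside the shown context. It is therefore worth confirming that the 4.14 tree carries the backport of 9287c6452d2b, since an unmatched put would turn the reference leak into a premature free of the glock.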
@@ -0,0 +1,67 @@
+From 9f66f2793b62525d5f85905b033bdee75fcd4935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Nov 2019 12:51:09 +0100
+Subject: gpiolib: acpi: Add Terra Pad 1061 to the
+ run_edge_events_on_boot_blacklist
+
+From: Hans de Goede
+
+[ Upstream commit 2727315df3f5ffbebcb174eed3153944a858b66f ]
+
+The Terra Pad 1061 has the usual micro-USB-B id-pin handler, but instead
+of controlling the actual micro-USB-B it turns the 5V boost for the
+tablet's USB-A connector and its keyboard-cover connector off.
+
+The actual micro-USB-B connector on the tablet is wired for charging only,
+and its id pin is *not* connected to the GPIO which is used for the
+(broken) id-pin event handler in the DSDT.
+
+While at it not only add a comment why the Terra Pad 1061 is on the
+blacklist, but also fix the missing comment for the Minix Neo Z83-4 entry.
+
+Fixes: 61f7f7c8f978 ("gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist")
+Signed-off-by: Hans de Goede
+Reviewed-by: Andy Shevchenko
+Acked-by: Mika Westerberg
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib-acpi.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index 715babaa886ae..3aa7fe6baf2a6 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1314,11 +1314,28 @@ late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
+
+ static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
+ {
++ /*
++ * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
++ * a non existing micro-USB-B connector which puts the HDMI
++ * DDC pins in GPIO mode, breaking HDMI support.
++ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
+ }
+ },
++ {
++ /*
++ * The Terra Pad 1061 has a micro-USB-B id-pin handler, which
++ * instead of controlling the actual micro-USB-B turns the 5V
++ * boost for its USB-A connector off. The actual micro-USB-B
++ * connector is wired for charging only.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
++ }
++ },
+ {} /* Terminating entry */
+ };
+
+--
+2.20.1
+
diff --git a/queue-4.14/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch b/queue-4.14/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
new file mode 100644
index 00000000000..f15f48ff807
--- /dev/null
+++ b/queue-4.14/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
@@ -0,0 +1,61 @@
+From 5246f6fa5436eaa1b8993ce4047b14f77ddd9697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 12:29:50 +0300
+Subject: kernel/module.c: wakeup processes in module_wq on module unload
+
+From: Konstantin Khorenko
+
+[ Upstream commit 5d603311615f612320bb77bd2a82553ef1ced5b7 ]
+
+Fix the race between load and unload a kernel module.
+
+sys_delete_module()
+ try_stop_module()
+ mod->state = _GOING
+ add_unformed_module()
+ old = find_module_all()
+ (old->state == _GOING =>
+ wait_event_interruptible())
+
+ During pre-condition
+ finished_loading() rets 0
+ schedule()
+ (never gets waken up later)
+ free_module()
+ mod->state = _UNFORMED
+ list_del_rcu(&mod->list)
+ (dels mod from "modules" list)
+
+return
+
+The race above leads to modprobe hanging forever on loading
+a module.
+
+Error paths on loading module call wake_up_all(&module_wq) after
+freeing module, so let's do the same on straight module unload.
+
+Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading")
+Reviewed-by: Prarit Bhargava
+Signed-off-by: Konstantin Khorenko
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+---
+ kernel/module.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 4685675912414..feb1e0fbc3e85 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1020,6 +1020,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ strlcpy(last_unloaded_module, mod->name, sizeof(last_unloaded_module));
+
+ free_module(mod);
++ /* someone could wait for the module in add_unformed_module() */
++ wake_up_all(&module_wq);
+ return 0;
+ out:
+ mutex_unlock(&module_mutex);
+--
+2.20.1
+
diff --git a/queue-4.14/net-mlx5e-fix-sff-8472-eeprom-length.patch b/queue-4.14/net-mlx5e-fix-sff-8472-eeprom-length.patch
new file mode 100644
index 00000000000..b8b78f5dd39
--- /dev/null
+++ b/queue-4.14/net-mlx5e-fix-sff-8472-eeprom-length.patch
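Review bot: The comment added in delete_module names who may be waiting but not why the wake-up has to follow free_module(), and that ordering is the point of the fix. Per the commit message, the waiter's finished_loading() condition only changes once free_module() has set the state to _UNFORMED and unlinked the module, so a wake-up issued earlier would leave the loader asleep. I would word it as `/* Wake waiters in add_unformed_module(); must follow free_module() so their finished_loading() re-check no longer finds the module. */`. The syscall body starts and ends outside the hunk.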
@@ -0,0 +1,37 @@
+From 869acf0e5d10b4cad098e91bc5bb2bc7a0e6c767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Dec 2019 10:30:22 +0200
+Subject: net/mlx5e: Fix SFF 8472 eeprom length
+
+From: Eran Ben Elisha
+
+[ Upstream commit c431f8597863a91eea6024926e0c1b179cfa4852 ]
+
+SFF 8472 eeprom length is 512 bytes. Fix module info return value to
+support 512 bytes read.
+
+Fixes: ace329f4ab3b ("net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Eran Ben Elisha
+Reviewed-by: Aya Levin
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index f6beb5ef5971f..c3f1e2d76a463 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1625,7 +1625,7 @@ static int mlx5e_get_module_info(struct net_device *netdev,
+ break;
+ case MLX5_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH;
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+ break;
+ default:
+ netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n",
+--
+2.20.1
+
diff --git a/queue-4.14/of-unittest-fix-memory-leak-in-attach_node_and_child.patch b/queue-4.14/of-unittest-fix-memory-leak-in-attach_node_and_child.patch
new file mode 100644
index 00000000000..5688e6eea6b
--- /dev/null
+++ b/queue-4.14/of-unittest-fix-memory-leak-in-attach_node_and_child.patch
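Review bot: Advertising `ETH_MODULE_SFF_8472_LEN` from mlx5e_get_module_info() only helps if the EEPROM read handler accepts offsets past the first page, and that handler is not part of this hunk. The Fixes target is titled as removing the SFP high-pages query, so for the 4.14 backport it is worth confirming that the read path bounds `offset + len` against the new length and copes with a request that crosses the page boundary. A comment at the assignment, e.g. `/* SFF-8472 exposes 512 bytes, not a single EEPROM page */`, would record why the SFP case no longer uses the page-length constant. The switch continues outside the hunk.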
@@ -0,0 +1,47 @@
+From 81e4c37cb20d46ff203666a84aeb63e43dbaa370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Nov 2019 02:48:04 +0100
+Subject: of: unittest: fix memory leak in attach_node_and_children
+
+From: Erhard Furtner
+
+[ Upstream commit 2aacace6dbbb6b6ce4e177e6c7ea901f389c0472 ]
+
+In attach_node_and_children memory is allocated for full_name via
+kasprintf. If the condition of the 1st if is not met the function
+returns early without freeing the memory. Add a kfree() to fix that.
+
+This has been detected with kmemleak:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=205327
+
+It looks like the leak was introduced by this commit:
+Fixes: 5babefb7f7ab ("of: unittest: allow base devicetree to have symbol metadata")
+
+Signed-off-by: Erhard Furtner
+Reviewed-by: Michael Ellerman
+Reviewed-by: Tyrel Datwyler
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/unittest.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 9d204649c963c..4bf6a9db6ac0c 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -965,8 +965,10 @@ static void attach_node_and_children(struct device_node *np)
+ full_name = kasprintf(GFP_KERNEL, "%pOF", np);
+
+ if (!strcmp(full_name, "/__local_fixups__") ||
+- !strcmp(full_name, "/__fixups__"))
++ !strcmp(full_name, "/__fixups__")) {
++ kfree(full_name);
+ return;
++ }
+
+ dup = of_find_node_by_path(full_name);
+ kfree(full_name);
+--
+2.20.1
+
diff --git a/queue-4.14/raid5-need-to-set-stripe_handle-for-batch-head.patch b/queue-4.14/raid5-need-to-set-stripe_handle-for-batch-head.patch
new file mode 100644
index 00000000000..cf82d0b0346
--- /dev/null
+++ b/queue-4.14/raid5-need-to-set-stripe_handle-for-batch-head.patch
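Review bot: The kasprintf() result in attach_node_and_children() is still handed to strcmp() unchecked, so an allocation failure dereferences NULL before either kfree() is reached. The patch fixes the leak on the early return but leaves that path as it was. Because the function returns void, a guard directly after the allocation is enough: `if (!full_name) return;`. The function body starts and ends outside the hunk.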
@@ -0,0 +1,45 @@
+From 63c57d3921e739f2eab8c7150fec6eb60bcbabd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Nov 2019 17:57:50 +0100
+Subject: raid5: need to set STRIPE_HANDLE for batch head
+
+From: Guoqing Jiang
+
+[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ]
+
+With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set
+STRIPE_HANDLE to stripe which is in batch list"), we don't want to set
+STRIPE_HANDLE flag for sh which is already in batch list.
+
+However, the stripe which is the head of batch list should set this flag,
+otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head),
+it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved.
+
+Thanks for Xiao's effort to verify the change.
+
+Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list")
+Reported-by: Xiao Ni
+Tested-by: Xiao Ni
+Signed-off-by: Guoqing Jiang
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 4c49bed40f1fb..d5c14d56a7141 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5721,7 +5721,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi)
+ do_flush = false;
+ }
+
+- if (!sh->batch_head)
++ if (!sh->batch_head || sh == sh->batch_head)
+ set_bit(STRIPE_HANDLE, &sh->state);
+ clear_bit(STRIPE_DELAYED, &sh->state);
+ if ((!sh->batch_head || sh == sh->batch_head) &&
+--
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index f96bc05d14f..29f27518ff4 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
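Review bot: The test `!sh->batch_head || sh == sh->batch_head` now appears twice within three lines of raid5_make_request(), once for STRIPE_HANDLE and again in the `if` that follows. The patch makes the first test match the second, so evaluating it once into a local would keep the two from diverging again, e.g. `bool handle_here = !sh->batch_head || sh == sh->batch_head;`. Whether sh->batch_head can change between the two reads is not visible from this hunk, so that needs checking before the tests are merged. The function continues outside the hunk.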
@@ -265,3 +265,10 @@ ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch
 mfd-rk808-fix-rk818-id-template.patch
 blk-mq-make-sure-that-line-break-can-be-printed.patch
 workqueue-fix-missing-kfree-rescuer-in-destroy_workqueue.patch
+sunrpc-fix-crash-when-cache_head-become-valid-before.patch
+net-mlx5e-fix-sff-8472-eeprom-length.patch
+gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch
+kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
+gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch
+raid5-need-to-set-stripe_handle-for-batch-head.patch
+of-unittest-fix-memory-leak-in-attach_node_and_child.patch
diff --git a/queue-4.14/sunrpc-fix-crash-when-cache_head-become-valid-before.patch b/queue-4.14/sunrpc-fix-crash-when-cache_head-become-valid-before.patch
new file mode 100644
index 00000000000..1e06bef6f87
--- /dev/null
+++ b/queue-4.14/sunrpc-fix-crash-when-cache_head-become-valid-before.patch
@@ -0,0 +1,127 @@ +From 9b3577e9b916609812d027c78aec528045bf57bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 11:03:59 +0300 +Subject: sunrpc: fix crash when cache_head become valid before update + +From: Pavel Tikhomirov + +[ Upstream commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 ] + +I was investigating a crash in our Virtuozzo7 kernel which happened in +in svcauth_unix_set_client. I found out that we access m_client field +in ip_map structure, which was received from sunrpc_cache_lookup (we +have a bit older kernel, now the code is in sunrpc_cache_add_entry), and +these field looks uninitialized (m_client == 0x74 don't look like a +pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID. + +It looks like the problem appeared from our previous fix to sunrpc (1): +commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued +request") + +And we've also found a patch already fixing our patch (2): +commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.") + +Though the crash is eliminated, I think the core of the problem is not +completely fixed: + +Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before +cache_fresh_locked which was added in (1) to fix crash. These way +cache_is_valid won't say the cache is valid anymore and in +svcauth_unix_set_client the function cache_check will return error +instead of 0, and we don't count entry as initialized. + +But it looks like we need to remove cache_fresh_locked completely in +sunrpc_cache_lookup: + +In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so +that cache_requests with no readers also release corresponding +cache_head, to fix their leak. We with Vasily were not sure if +cache_fresh_locked and cache_fresh_unlocked should be used in pair or +not, so we've guessed to use them in pair. 
+ +Now we see that we don't want the CACHE_VALID bit set here by +cache_fresh_locked, as "valid" means "initialized" and there is no +initialization in sunrpc_cache_add_entry. Both expiry_time and +last_refresh are not used in cache_fresh_unlocked code-path and also not +required for the initial fix. + +So to conclude cache_fresh_locked was called by mistake, and we can just +safely remove it instead of crutching it with CACHE_NEGATIVE. It looks +ideologically better for me. Hope I don't miss something here. + +Here is our crash backtrace: +[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074 +[13108726.326365] IP: [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc] +[13108726.326448] PGD 0 +[13108726.326468] Oops: 0002 [#1] SMP +[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4 +[13108726.327173] dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat 
skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat +[13108726.327817] ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1] +[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G W O ------------ 3.10.0-862.20.2.vz7.73.29 #1 73.29 +[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018 +[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000 +[13108726.328610] RIP: 0010:[] [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc] +[13108726.328706] RSP: 0018:ffffa0c2a74bfd80 EFLAGS: 00010246 +[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000 +[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0 +[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001 +[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000 +[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4 
+[13108726.329022] FS: 0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000 +[13108726.329081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0 +[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[13108726.338908] PKRU: 00000000 +[13108726.341047] Call Trace: +[13108726.343074] [] ? groups_alloc+0x34/0x110 +[13108726.344837] [] svc_set_client+0x24/0x30 [sunrpc] +[13108726.346631] [] svc_process_common+0x241/0x710 [sunrpc] +[13108726.348332] [] svc_process+0x103/0x190 [sunrpc] +[13108726.350016] [] nfsd+0xdf/0x150 [nfsd] +[13108726.351735] [] ? nfsd_destroy+0x80/0x80 [nfsd] +[13108726.353459] [] kthread+0xd1/0xe0 +[13108726.355195] [] ? create_kthread+0x60/0x60 +[13108726.356896] [] ret_from_fork_nospec_begin+0x7/0x21 +[13108726.358577] [] ? create_kthread+0x60/0x60 +[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38 +[13108726.363769] RIP [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc] +[13108726.365530] RSP +[13108726.367179] CR2: 0000000000000074 + +Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.") +Signed-off-by: Pavel Tikhomirov +Acked-by: NeilBrown +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/cache.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 475b453dc7ae1..556989b0b5fc4 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,9 +54,6 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + +-static inline int cache_is_valid(struct cache_head *h); +-static void cache_fresh_locked(struct cache_head *head, time_t expiry, +- struct cache_detail *detail); + static void cache_fresh_unlocked(struct cache_head *head, + struct cache_detail *detail); + +@@ -101,9 +98,6 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; +- if (cache_is_valid(tmp) == -EAGAIN) +- set_bit(CACHE_NEGATIVE, &tmp->flags); +- cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; + } +-- +2.20.1 +