--- /dev/null
+From 613b14884b8595e20b9fac4126bf627313827fbe Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 4 Jan 2023 08:51:19 -0700
+Subject: block: handle bio_split_to_limits() NULL return
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 613b14884b8595e20b9fac4126bf627313827fbe upstream.
+
+This can't happen right now, but in preparation for allowing
+bio_split_to_limits() returning NULL if it ended the bio, check for it
+in all the callers.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-merge.c | 4 +++-
+ block/blk-mq.c | 2 ++
+ drivers/block/drbd/drbd_req.c | 2 ++
+ drivers/block/pktcdvd.c | 2 ++
+ drivers/block/ps3vram.c | 2 ++
+ drivers/block/rsxx/dev.c | 2 ++
+ drivers/md/md.c | 2 ++
+ drivers/nvme/host/multipath.c | 2 ++
+ drivers/s390/block/dcssblk.c | 2 ++
+ 9 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -348,11 +348,13 @@ void __blk_queue_split(struct bio **bio,
+ break;
+ }
+ split = blk_bio_segment_split(q, *bio, &q->bio_split, nr_segs);
++ if (IS_ERR(split))
++ *bio = split = NULL;
+ break;
+ }
+
+ if (split) {
+- /* there isn't chance to merge the splitted bio */
++ /* there isn't chance to merge the split bio */
+ split->bi_opf |= REQ_NOMERGE;
+
+ bio_chain(split, *bio);
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2193,6 +2193,8 @@ blk_qc_t blk_mq_submit_bio(struct bio *b
+
+ blk_queue_bounce(q, &bio);
+ __blk_queue_split(&bio, &nr_segs);
++ if (!bio)
++ goto queue_exit;
+
+ if (!bio_integrity_prep(bio))
+ goto queue_exit;
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -1602,6 +1602,8 @@ blk_qc_t drbd_submit_bio(struct bio *bio
+ struct drbd_device *device = bio->bi_bdev->bd_disk->private_data;
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ /*
+ * what we "blindly" assume:
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2407,6 +2407,8 @@ static blk_qc_t pkt_submit_bio(struct bi
+ struct bio *split;
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ pd = bio->bi_bdev->bd_disk->queue->queuedata;
+ if (!pd) {
+--- a/drivers/block/ps3vram.c
++++ b/drivers/block/ps3vram.c
+@@ -587,6 +587,8 @@ static blk_qc_t ps3vram_submit_bio(struc
+ dev_dbg(&dev->core, "%s\n", __func__);
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ spin_lock_irq(&priv->lock);
+ busy = !bio_list_empty(&priv->list);
+--- a/drivers/block/rsxx/dev.c
++++ b/drivers/block/rsxx/dev.c
+@@ -127,6 +127,8 @@ static blk_qc_t rsxx_submit_bio(struct b
+ blk_status_t st = BLK_STS_IOERR;
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ might_sleep();
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -458,6 +458,8 @@ static blk_qc_t md_submit_bio(struct bio
+ }
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ if (mddev->ro == 1 && unlikely(rw == WRITE)) {
+ if (bio_sectors(bio) != 0)
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -329,6 +329,8 @@ static blk_qc_t nvme_ns_head_submit_bio(
+ * pool from the original queue to allocate the bvecs from.
+ */
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ srcu_idx = srcu_read_lock(&head->srcu);
+ ns = nvme_find_path(head);
+--- a/drivers/s390/block/dcssblk.c
++++ b/drivers/s390/block/dcssblk.c
+@@ -866,6 +866,8 @@ dcssblk_submit_bio(struct bio *bio)
+ unsigned long bytes_done;
+
+ blk_queue_split(&bio);
++ if (!bio)
++ return BLK_QC_T_NONE;
+
+ bytes_done = 0;
+ dev_info = bio->bi_bdev->bd_disk->private_data;
--- /dev/null
+From af82425c6a2d2f347c79b63ce74fca6dc6be157f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 2 Jan 2023 16:49:46 -0700
+Subject: io_uring/io-wq: free worker if task_work creation is canceled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream.
+
+If we cancel the task_work, the worker will never come into existance.
+As this is the last reference to it, ensure that we get it freed
+appropriately.
+
+Cc: stable@vger.kernel.org
+Reported-by: 진호 <wnwlsgh98@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,6 +1217,7 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
++ kfree(worker);
+ }
+ }
+
--- /dev/null
+From e6db6f9398dadcbc06318a133d4c44a2d3844e61 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sun, 8 Jan 2023 10:39:17 -0700
+Subject: io_uring/io-wq: only free worker if it was allocated for creation
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit e6db6f9398dadcbc06318a133d4c44a2d3844e61 upstream.
+
+We have two types of task_work based creation, one is using an existing
+worker to setup a new one (eg when going to sleep and we have no free
+workers), and the other is allocating a new worker. Only the latter
+should be freed when we cancel task_work creation for a new worker.
+
+Fixes: af82425c6a2d ("io_uring/io-wq: free worker if task_work creation is canceled")
+Reported-by: syzbot+d56ec896af3637bdb7e4@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,7 +1217,12 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
+- kfree(worker);
++ /*
++ * Only the worker continuation helper has worker allocated and
++ * hence needs freeing.
++ */
++ if (cb->func == create_worker_cont)
++ kfree(worker);
+ }
+ }
+
--- /dev/null
+From 0c25422d34b4726b2707d5f38560943155a91b80 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Thu, 3 Mar 2022 19:32:03 +0530
+Subject: scsi: mpt3sas: Remove scsi_dma_map() error messages
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit 0c25422d34b4726b2707d5f38560943155a91b80 upstream.
+
+When scsi_dma_map() fails by returning a sges_left value less than zero,
+the amount of logging produced can be extremely high. In a recent end-user
+environment, 1200 messages per second were being sent to the log buffer.
+This eventually overwhelmed the system and it stalled.
+
+These error messages are not needed. Remove them.
+
+Link: https://lore.kernel.org/r/20220303140203.12642-1-sreekanth.reddy@broadcom.com
+Suggested-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2594,12 +2594,8 @@ _base_check_pcie_native_sgl(struct MPT3S
+
+ /* Get the SG list pointer and info. */
+ sges_left = scsi_dma_map(scmd);
+- if (sges_left < 0) {
+- sdev_printk(KERN_ERR, scmd->device,
+- "scsi_dma_map failed: request for %d bytes!\n",
+- scsi_bufflen(scmd));
++ if (sges_left < 0)
+ return 1;
+- }
+
+ /* Check if we need to build a native SG list. */
+ if (!base_is_prp_possible(ioc, pcie_device,
+@@ -2706,12 +2702,8 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPT
+
+ sg_scmd = scsi_sglist(scmd);
+ sges_left = scsi_dma_map(scmd);
+- if (sges_left < 0) {
+- sdev_printk(KERN_ERR, scmd->device,
+- "scsi_dma_map failed: request for %d bytes!\n",
+- scsi_bufflen(scmd));
++ if (sges_left < 0)
+ return -ENOMEM;
+- }
+
+ sg_local = &mpi_request->SGL;
+ sges_in_segment = ioc->max_sges_in_main_message;
+@@ -2854,12 +2846,8 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_
+
+ sg_scmd = scsi_sglist(scmd);
+ sges_left = scsi_dma_map(scmd);
+- if (sges_left < 0) {
+- sdev_printk(KERN_ERR, scmd->device,
+- "scsi_dma_map failed: request for %d bytes!\n",
+- scsi_bufflen(scmd));
++ if (sges_left < 0)
+ return -ENOMEM;
+- }
+
+ sg_local = &mpi_request->SGL;
+ sges_in_segment = (ioc->request_sz -
arm64-atomics-remove-ll-sc-trampolines.patch
arm64-cmpxchg_double-hazard-against-entire-exchange-.patch
efi-fix-null-deref-in-init-error-path.patch
+scsi-mpt3sas-remove-scsi_dma_map-error-messages.patch
+io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
+io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
+block-handle-bio_split_to_limits-null-return.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
