17 Mar, 2017
28 commits
-
Drop the page lock before waiting for page writeback.
Signed-off-by: David Howells
-
The ->writepage() op shouldn't call clear_page_dirty_for_io() as that has
already been called by the caller.

Fix afs_writepage() by moving the call out of
afs_write_back_from_locked_page() to afs_writepages_region() where it is
needed.

Signed-off-by: David Howells
-
Fix the way in which a call that's in progress and being waited for is
aborted in the case that EINTR is detected. We should be sending
RX_USER_ABORT rather than RX_CALL_DEAD as the abort code.

Note that since the only two ways out of the loop are if the call completes
or if a signal happens, the kill-the-call clause after the loop has
finished can only happen in the case of EINTR. This means that we only
have one abort case to deal with, not two, and the "KWC" case can never
happen and so can be deleted.

Note further that simply aborting the call isn't necessarily the best thing
here since at this point: the request has been entirely sent and it's
likely the server will do the operation anyway - whether we abort it or
not. In future, we should punt the handling of the remainder of the call
off to a background thread.

Reported-by: Marc Dionne
Signed-off-by: David Howells
-
afs_send_pages() should only put the call into the AFS_CALL_AWAIT_REPLY
state if it has sent all the pages - but the check it makes is incorrect
and sometimes it will finish the loop early.

Signed-off-by: David Howells
-
Fix afs_kill_pages() in two ways:

(1) If a writeback has been partially flushed, then if we try and kill the
    pages it contains, some of them may no longer be undergoing writeback
    and end_page_writeback() will assert.

    Fix this by checking to see whether the page in question is actually
    undergoing writeback before ending that writeback.

(2) The loop that scans for pages to kill doesn't increase the first page
    index, and so the loop may not terminate, but it will try to process
    the same pages over and over again.

    Fix this by increasing the first page index to one after the last page
    we processed.

Signed-off-by: David Howells
-
afs_write_begin() leaks a ref and a lock on a page if afs_fill_page()
fails. Fix the leak by unlocking and releasing the page in the error path.

Signed-off-by: David Howells
-
Don't set PG_error on a page if we get local EINTR or ENOMEM when filling a
page for writing.

Signed-off-by: David Howells
-
The inode timestamps should be set from the client time
in the status received from the server, rather than the
server time which is meant for internal server use.

Set AFS_SET_MTIME and populate the mtime for operations
that take an input status, such as file/dir creation
and StoreData. If an input time is not provided the
server will set the vnode times based on the current server
time.

In a situation where the server has some skew with the
client, this could lead to the client seeing a timestamp
in the future for a file that it just created or wrote.

Signed-off-by: Marc Dionne
Signed-off-by: David Howells
-
If we receive a network error, a remote abort or a protocol error whilst
we're still transmitting data, make sure we return an appropriate error to
the caller rather than ESHUTDOWN or ECONNABORTED.

Signed-off-by: David Howells
-
When we are given an invalid operation ID, we should abort that with
RXGEN_OPCODE rather than RX_INVALID_OPERATION.

Also map RXGEN_OPCODE to -ENOTSUPP.

Signed-off-by: David Howells
-
afs_fs_store_data() works out the size of the write it's going to make,
but it uses 32-bit unsigned subtraction in one place that gets
automatically cast to loff_t.

However, if to < offset, then the number goes negative, but as the result
isn't signed, this doesn't get sign-extended to 64-bits when placed in a
loff_t.

Fix by casting the operands to loff_t.

Signed-off-by: David Howells
-
Use a bvec rather than a kvec in afs_send_pages() as we don't then have to
call kmap() in advance. This allows us to pass the array of contiguous
pages that we extracted through to rxrpc in one go rather than passing a
single page at a time.

Signed-off-by: David Howells
-
Make struct afs_read::remain 64-bit so that it can handle huge transfers if
we ever request them or the server decides to give us a bit extra data (the
other fields there are already 64-bit).

Signed-off-by: David Howells
Tested-by: Marc Dionne
-
Fix a bug in AFS read whereby the request page afs_read::index isn't
incremented after calling ->page_done() if ->remain reaches 0, indicating
that the data read is complete.

Without this a NULL pointer exception happens when ->page_done() is called
twice for the last page because the page clearing loop will call it also
and afs_readpages_page_done() clears the current entry in the page list.

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: afs_readpages_page_done+0x21/0xa4 [kafs]
PGD 0
Oops: 0002 [#1] SMP
Modules linked in: kafs(E)
CPU: 2 PID: 3002 Comm: md5sum Tainted: G E 4.10.0-fscache #485
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
task: ffff8804017d86c0 task.stack: ffff8803fc1d8000
RIP: 0010:afs_readpages_page_done+0x21/0xa4 [kafs]
RSP: 0018:ffff8803fc1db978 EFLAGS: 00010282
RAX: ffff880405d39af8 RBX: 0000000000000000 RCX: ffff880407d83ed4
RDX: 0000000000000000 RSI: ffff880405d39a00 RDI: ffff880405c6f400
RBP: ffff8803fc1db988 R08: 0000000000000000 R09: 0000000000000001
R10: ffff8803fc1db820 R11: ffff88040cf56000 R12: ffff8804088f1780
R13: ffff8804017d86c0 R14: ffff8804088f1780 R15: 0000000000003840
FS: 00007f8154469700(0000) GS:ffff88041fb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000004016ec000 CR4: 00000000001406e0
Call Trace:
afs_deliver_fs_fetch_data+0x5b9/0x60e [kafs]
? afs_make_call+0x316/0x4e8 [kafs]
? afs_make_call+0x359/0x4e8 [kafs]
afs_deliver_to_call+0x173/0x2e8 [kafs]
? afs_make_call+0x316/0x4e8 [kafs]
afs_make_call+0x37a/0x4e8 [kafs]
? wake_up_q+0x4f/0x4f
? __init_waitqueue_head+0x36/0x49
afs_fs_fetch_data+0x21c/0x227 [kafs]
? afs_fs_fetch_data+0x21c/0x227 [kafs]
afs_vnode_fetch_data+0xf3/0x1d2 [kafs]
afs_readpages+0x314/0x3fd [kafs]
__do_page_cache_readahead+0x208/0x2c5
ondemand_readahead+0x3a2/0x3b7
? ondemand_readahead+0x3a2/0x3b7
page_cache_async_readahead+0x5e/0x67
generic_file_read_iter+0x23b/0x70c
? __inode_security_revalidate+0x2f/0x62
__vfs_read+0xc4/0xe8
vfs_read+0xd1/0x15a
SyS_read+0x4c/0x89
do_syscall_64+0x80/0x191
entry_SYSCALL64_slow_path+0x25/0x25

Reported-by: Marc Dionne
Signed-off-by: David Howells
Tested-by: Marc Dionne
-
get_seconds() returns real wall-clock seconds. On 32-bit systems
this value will overflow in year 2038 and beyond. This patch changes
afs_vnode record to use ktime_get_real_seconds() instead, for the
fields cb_expires and cb_expires_at.

Signed-off-by: Tina Ruchandani
Signed-off-by: David Howells
-
get_seconds() returns real wall-clock seconds. On 32-bit systems
this value will overflow in year 2038 and beyond. This patch changes
afs's vlocation record to use ktime_get_real_seconds() instead, for the
fields time_of_death and update_at.

Signed-off-by: Tina Ruchandani
Signed-off-by: David Howells
-
The use of "rcu_assign_pointer()" is NULLing out the pointer.
According to RCU_INIT_POINTER()'s block comment:
"1. This use of RCU_INIT_POINTER() is NULLing out the pointer"
it is better to use it instead of rcu_assign_pointer() because it has a
smaller overhead.

The following Coccinelle semantic patch was used:
@@
@@- rcu_assign_pointer
+ RCU_INIT_POINTER
(..., NULL)

Signed-off-by: Andreea-Cristina Bernat
Signed-off-by: David Howells
-
The use of "rcu_assign_pointer()" is NULLing out the pointer.
According to RCU_INIT_POINTER()'s block comment:
"1. This use of RCU_INIT_POINTER() is NULLing out the pointer"
it is better to use it instead of rcu_assign_pointer() because it has a
smaller overhead.

The following Coccinelle semantic patch was used:
@@
@@- rcu_assign_pointer
+ RCU_INIT_POINTER
(..., NULL)

Signed-off-by: Andreea-Cristina Bernat
Signed-off-by: David Howells
-
In AFS, mountpoints appear as symlinks with mode 0644 and normal symlinks
have mode 0777, so use this to distinguish them rather than reading the
content and parsing it. In the case of a mountpoint, the symlink body is a
formatted string indicating the location of the target volume.

Note that with this, kAFS no longer 'pre-fetches' the contents of symlinks,
so afs_readpage() may fail with an access-denial because when the VFS calls
d_automount(), it wraps the call in a credentials override that sets the
initial creds - thereby preventing access to the caller's keyrings and the
authentication keys held therein.

To this end, a patch reverting that change to the VFS is required also.

Reported-by: Jeffrey Altman
Signed-off-by: David Howells
-
Flush outstanding writes in afs when an fd is closed. This is what NFS and
CIFS do.

Reported-by: Marc Dionne
Signed-off-by: David Howells
-
Handle the situation where afs_write_begin() is told to expect that a
full-page write will be made, but this doesn't happen (EFAULT, CTRL-C,
etc.), and so afs_write_end() sees a partial write took place. Currently,
no attempt is made to deal with the discrepancy.

Fix this by loading the gap from the server.

Reported-by: Al Viro
Signed-off-by: David Howells
-
Kill struct afs_read::pg_offset as nothing uses it. It's unnecessary as pos
can be masked off.

Signed-off-by: David Howells
-
When an AFS server is given an FS.FetchData{,64} request to read data from
a file, it is permitted by the protocol to return more or less than was
requested. kafs currently relies on the latter behaviour in readpage{,s}
to handle a partial page at the end of the file (we just ask for a whole
page and clear space beyond the short read).

However, we don't handle all cases. Add:

(1) Handle excess data by discarding it rather than aborting. Note that
    we use a common static buffer to discard into so that the decryption
    algorithm advances the PCBC state.

(2) Handle a short read that affects more than just the last page.

Note that if a read comes up unexpectedly short or long, it's possible that
the server's copy of the file changed - in which case the data version
number will have been incremented and the callback will have been broken -
in which case all the pages currently attached to the inode will be zapped
anyway at some point.

Signed-off-by: David Howells
-
Servers may send a callback array that is the same size as
the FID array, or an empty array. If the callback count is
0, the code would attempt to read (fid_count * 12) bytes of
data, which would fail and result in an unmarshalling error.
This would lead to stale data for remotely modified files
or directories.

Store the callback array size in the internal afs_call
structure and use that to determine the amount of data to
read.

Signed-off-by: Marc Dionne
-
Mode bits for an afs file should not be enforced in the usual
way.

For files, the absence of user bits can restrict file access
with respect to what is granted by the server.

These bits apply regardless of the owner or the current uid; the
rest of the mode bits (group, other) are ignored.

Signed-off-by: Marc Dionne
Signed-off-by: David Howells
-
The group was hard coded to GLOBAL_ROOT_GID; use the group
ID that was received from the server.

Signed-off-by: Marc Dionne
Signed-off-by: David Howells
-
afs_fill_page() loads the page it wants to fill into the afs_read request
without incrementing its refcount - but then calls afs_put_read() to clean
up afterwards, which then releases a ref on the page.

Fix this by getting a ref on the page before calling
afs_vnode_fetch_data().

This causes sync after a write to hang in afs_writepages_region() because
find_get_pages_tag() gets confused and doesn't return.

Fixes: 196ee9cd2d04 ("afs: Make afs_fs_fetch_data() take a list of pages")
Reported-by: Marc Dionne
Signed-off-by: David Howells
Tested-by: Marc Dionne
-
In afs_writepages_region(), inside the loop where we find dirty pages to
deal with, one of the if-statements is missing a put_page().

Signed-off-by: David Howells
16 Mar, 2017
4 commits
-
Pull block fixes from Jens Axboe:
"Four small fixes for this cycle:

- followup fix from Neil for a fix that went in before -rc2, ensuring
  that we always see the full per-task bio_list.

- fix for blk-mq-sched from me that ensures that we retain similar
  direct-to-issue behavior on running the queue.

- fix from Sagi fixing a potential NULL pointer dereference in blk-mq
  on spurious CPU unplug.

- a memory leak fix in writeback from Tahsin, fixing a case where
  device removal of a mounted device can leak a struct
  wb_writeback_work"

* 'for-linus' of git://git.kernel.dk/linux-block:
blk-mq-sched: don't run the queue async from blk_mq_try_issue_directly()
writeback: fix memory leak in wb_queue_work()
blk-mq: Fix tagset reinit in the presence of cpu hot-unplug
blk: Ensure users for current->bio_list can see the full list.
-
Pull SCSI fixes from James Bottomley:
"This is a rather large set of fixes. The bulk are for lpfc correcting
a lot of issues in the new NVME driver code which just went in in the
merge window.

The others are:

- fix a hang in the vmware paravirt driver caused by incorrect
  handling of the new MSI vector allocation

- long standing bug in storvsc, which recent block changes turned
  from being a harmless annoyance into a hang

- yet more fallout (in mpt3sas) from the changes to device blocking

The remainder are small fixes and updates"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (34 commits)
scsi: lpfc: Add shutdown method for kexec
scsi: storvsc: Workaround for virtual DVD SCSI version
scsi: lpfc: revise version number to 11.2.0.10
scsi: lpfc: code cleanups in NVME initiator discovery
scsi: lpfc: code cleanups in NVME initiator base
scsi: lpfc: correct rdp diag portnames
scsi: lpfc: remove dead sli3 nvme code
scsi: lpfc: correct double print
scsi: lpfc: Rename LPFC_MAX_EQ_DELAY to LPFC_MAX_EQ_DELAY_EQID_CNT
scsi: lpfc: Rework lpfc Kconfig for NVME options
scsi: lpfc: add transport eh_timed_out reference
scsi: lpfc: Fix eh_deadline setting for sli3 adapters.
scsi: lpfc: add NVME exchange aborts
scsi: lpfc: Fix nvme allocation bug on failed nvme_fc_register_localport
scsi: lpfc: Fix IO submission if WQ is full
scsi: lpfc: Fix NVME CMD IU byte swapped word 1 problem
scsi: lpfc: Fix RCTL value on NVME LS request and response
scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
scsi: lpfc: fix missing spin_unlock on sql_list_lock
scsi: lpfc: don't dereference dma_buf->iocbq before null check
...
-
Pull gfs2 fix from Bob Peterson:
"This is an emergency patch for 4.11-rc3

The GFS2 developers uncovered a really nasty problem that can lead to
random corruption and kernel panic, much like the last one. Andreas
Gruenbacher wrote a simple one-line patch to fix the problem."

* tag 'gfs2-4.11-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
gfs2: Avoid alignment hole in struct lm_lockname
-
Pull crypto fixes from Herbert Xu:
- self-test failure of crc32c on powerpc
- regressions of ecb(aes) when used with xts/lrw in s5p-sss
- a number of bugs in the omap RNG driver
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: s5p-sss - Fix spinlock recursion on LRW(AES)
hwrng: omap - Do not access INTMASK_REG on EIP76
hwrng: omap - use devm_clk_get() instead of of_clk_get()
hwrng: omap - write registers after enabling the clock
crypto: s5p-sss - Fix completing crypto request in IRQ handler
crypto: powerpc - Fix initialisation of crc32c context
15 Mar, 2017
8 commits
-
Commit 88ffbf3e03 switches to using rhashtables for glocks, hashing over
the entire struct lm_lockname instead of its individual fields. On some
architectures, struct lm_lockname contains a hole of uninitialized
memory due to alignment rules, which now leads to incorrect hash values.
Get rid of that hole.

Signed-off-by: Andreas Gruenbacher
Signed-off-by: Bob Peterson
CC: #v4.3+
-
Pull networking fixes from David Miller:

1) Ensure that mtu is at least IPV6_MIN_MTU in ipv6 VTI tunnel driver,
   from Steffen Klassert.

2) Fix crashes when user tries to get_next_key on an LPM bpf map, from
   Alexei Starovoitov.

3) Fix detection of VLAN filtering feature for bnx2x VF devices, from
   Michal Schmidt.

4) We can get a divide by zero when TCP sockets are morphed into
   listening state, fix from Eric Dumazet.

5) Fix socket refcounting bugs in skb_complete_wifi_ack() and
   skb_complete_tx_timestamp(). From Eric Dumazet.

6) Use after free in dccp_feat_activate_values(), also from Eric
   Dumazet.

7) Like bonding, team needs to use ETH_MAX_MTU as netdev->max_mtu, from
   Jarod Wilson.

8) Fix use after free in vrf_xmit(), from David Ahern.

9) Don't do UDP Fragmentation Offload on IPComp ipsec packets, from
   Alexey Kodanev.

10) Properly check napi_complete_done() return value in order to decide
    whether to re-enable IRQs or not in amd-xgbe driver, from Thomas
    Lendacky.

11) Fix double free of hwmon device in marvell phy driver, from Andrew
    Lunn.

12) Don't crash on malformed netlink attributes in act_connmark, from
    Etienne Noss.

13) Don't remove routes with a higher metric in ipv6 ECMP route replace,
    from Sabrina Dubroca.

14) Don't write into a cloned SKB in ipv6 fragmentation handling, from
    Florian Westphal.

15) Fix routing redirect races in dccp and tcp, basically the ICMP
    handler can't modify the socket's cached route if it's locked by the
    user at this moment. From Jon Maxwell.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (108 commits)
qed: Enable iSCSI Out-of-Order
qed: Correct out-of-bound access in OOO history
qed: Fix interrupt flags on Rx LL2
qed: Free previous connections when releasing iSCSI
qed: Fix mapping leak on LL2 rx flow
qed: Prevent creation of too-big u32-chains
qed: Align CIDs according to DORQ requirement
mlxsw: reg: Fix SPVMLR max record count
mlxsw: reg: Fix SPVM max record count
net: Resend IGMP memberships upon peer notification.
dccp: fix memory leak during tear-down of unsuccessful connection request
tun: fix premature POLLOUT notification on tun devices
dccp/tcp: fix routing redirect race
ucc/hdlc: fix two little issue
vxlan: fix ovs support
net: use net->count to check whether a netns is alive or not
bridge: drop netfilter fake rtable unconditionally
ipv6: avoid write to a possibly cloned skb
net: wimax/i2400m: fix NULL-deref at probe
isdn/gigaset: fix NULL-deref at probe
...
-
Pull cgroup fixes from Tejun Heo:
"Three cgroup fixes. Nothing critical:

- the pids controller could trigger suspicious RCU warning
  spuriously. Fixed.

- in the debug controller, %p -> %pK to protect kernel pointer
  from getting exposed.

- documentation formatting fix"

* 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroups: censor kernel pointer in debug files
cgroup/pids: remove spurious suspicious RCU usage warning
cgroup: Fix indenting in PID controller documentation
-
Pull libata fixes from Tejun Heo:
"Three libata fixes:

- fix for a circular reference bug in sysfs code which prevented
  pata_legacy devices from being released after probe failure, which
  in turn prevented devres from releasing the associated resources.

- drop spurious WARN in the command issue path which can be triggered
  by a legitimate passthrough command.

- an ahci_qoriq specific fix"

* 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ahci: qoriq: correct the sata ecc setting error
libata: drop WARN from protocol error in ata_sff_qc_issue()
libata: transport: Remove circular dependency at free time
-
Pull workqueue fix from Tejun Heo:
"If a delayed work is queued with NULL @wq, workqueue code explodes
after the timer expires at which point it's difficult to tell who the
culprit was.

This actually happened and the offender was net/smc this time.
Add an explicit sanity check for it in the queueing path"

* 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
-
Pull percpu fixes from Tejun Heo:

- the allocation path was updating pcpu_nr_empty_pop_pages without the
  required locking which can lead to incorrect handling of empty chunks
  (e.g. keeping too many around), which is buggy but shouldn't lead to
  critical failures. Fixed by adding the locking

- a trivial patch to drop an unused param from pcpu_get_pages()

* 'for-4.11-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
percpu: remove unused chunk_alloc parameter from pcpu_get_pages()
percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
-
Yuval Mintz says:
====================
qed: Fixes series

This addresses several different issues in qed.
The more significant portions:

Patch #1 would cause timeout when qedr utilizes the highest
CIDs available for it [or when future qede adapters would utilize
queues in some constellations].

Patch #4 fixes a leak of mapped addresses; When iommu is enabled,
offloaded storage protocols might eventually run out of resources
and fail to map additional buffers.

Patches #6,#7 were missing in the initial iSCSI infrastructure
submissions, and would hamper qedi's stability when it reaches
out-of-order scenarios.
====================

Signed-off-by: David S. Miller
-
Missing in the initial submission, qed fails to propagate qedi's
request to enable OOO to firmware.

Fixes: fc831825f99e ("qed: Add support for hardware offloaded iSCSI")
Signed-off-by: Yuval Mintz
Signed-off-by: David S. Miller