<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/block/blk-core.c, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>SCSI: Fix NULL pointer dereference in runtime PM</title>
<updated>2016-02-24T09:23:26+00:00</updated>
<author>
<name>Ken Xue</name>
<email>ken.xue@amd.com</email>
</author>
<published>2015-12-01T06:45:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=229ad79ae873c93add15917f5bdafdee1e4ef5e4'/>
<id>229ad79ae873c93add15917f5bdafdee1e4ef5e4</id>
<content type='text'>
commit 4fd41a8552afc01054d9d9fc7f1a63c324867d27 upstream.

The routines in scsi_pm.c assume that if a runtime-PM callback is
invoked for a SCSI device, it can only mean that the device's driver
has asked the block layer to handle the runtime power management (by
calling blk_pm_runtime_init(), which among other things sets q-&gt;dev).

However, this assumption turns out to be wrong for things like the ses
driver.  Normally ses devices are not allowed to do runtime PM, but
userspace can override this setting.  If this happens, the kernel gets
a NULL pointer dereference when blk_post_runtime_resume() tries to use
the uninitialized q-&gt;dev pointer.

This patch fixes the problem by checking q-&gt;dev in block layer before
handle runtime PM. Since ses doesn't define any PM callbacks and call
blk_pm_runtime_init(), the crash won't occur.

This fixes Bugzilla #101371.
https://bugzilla.kernel.org/show_bug.cgi?id=101371

More discussion can be found from below link.
http://marc.info/?l=linux-scsi&amp;m=144163730531875&amp;w=2

Signed-off-by: Ken Xue &lt;Ken.Xue@amd.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: Xiangliang Yu &lt;Xiangliang.Yu@amd.com&gt;
Cc: James E.J. Bottomley &lt;JBottomley@odin.com&gt;
Cc: Jens Axboe &lt;axboe@kernel.dk&gt;
Cc: Michael Terry &lt;Michael.terry@canonical.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4fd41a8552afc01054d9d9fc7f1a63c324867d27 upstream.

The routines in scsi_pm.c assume that if a runtime-PM callback is
invoked for a SCSI device, it can only mean that the device's driver
has asked the block layer to handle the runtime power management (by
calling blk_pm_runtime_init(), which among other things sets q-&gt;dev).

However, this assumption turns out to be wrong for things like the ses
driver.  Normally ses devices are not allowed to do runtime PM, but
userspace can override this setting.  If this happens, the kernel gets
a NULL pointer dereference when blk_post_runtime_resume() tries to use
the uninitialized q-&gt;dev pointer.

This patch fixes the problem by checking q-&gt;dev in block layer before
handle runtime PM. Since ses doesn't define any PM callbacks and call
blk_pm_runtime_init(), the crash won't occur.

This fixes Bugzilla #101371.
https://bugzilla.kernel.org/show_bug.cgi?id=101371

More discussion can be found from below link.
http://marc.info/?l=linux-scsi&amp;m=144163730531875&amp;w=2

Signed-off-by: Ken Xue &lt;Ken.Xue@amd.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Cc: Xiangliang Yu &lt;Xiangliang.Yu@amd.com&gt;
Cc: James E.J. Bottomley &lt;JBottomley@odin.com&gt;
Cc: Jens Axboe &lt;axboe@kernel.dk&gt;
Cc: Michael Terry &lt;Michael.terry@canonical.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>block: Always check queue limits for cloned requests</title>
<updated>2016-01-11T15:07:39+00:00</updated>
<author>
<name>Hannes Reinecke</name>
<email>hare@suse.de</email>
</author>
<published>2015-11-26T07:46:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=052bd81382379ccaf002ae7a0c3d4ff6f058428b'/>
<id>052bd81382379ccaf002ae7a0c3d4ff6f058428b</id>
<content type='text'>
commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream.

When a cloned request is retried on other queues it always needs
to be checked against the queue limits of that queue.
Otherwise the calculations for nr_phys_segments might be wrong,
leading to a crash in scsi_init_sgtable().

To clarify this the patch renames blk_rq_check_limits()
to blk_cloned_rq_check_limits() and removes the symbol
export, as the new function should only be used for
cloned requests and never exported.

Cc: Mike Snitzer &lt;snitzer@redhat.com&gt;
Cc: Ewan Milne &lt;emilne@redhat.com&gt;
Cc: Jeff Moyer &lt;jmoyer@redhat.com&gt;
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Fixes: e2a60da74 ("block: Clean up special command handling logic")
Acked-by: Mike Snitzer &lt;snitzer@redhat.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream.

When a cloned request is retried on other queues it always needs
to be checked against the queue limits of that queue.
Otherwise the calculations for nr_phys_segments might be wrong,
leading to a crash in scsi_init_sgtable().

To clarify this the patch renames blk_rq_check_limits()
to blk_cloned_rq_check_limits() and removes the symbol
export, as the new function should only be used for
cloned requests and never exported.

Cc: Mike Snitzer &lt;snitzer@redhat.com&gt;
Cc: Ewan Milne &lt;emilne@redhat.com&gt;
Cc: Jeff Moyer &lt;jmoyer@redhat.com&gt;
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Fixes: e2a60da74 ("block: Clean up special command handling logic")
Acked-by: Mike Snitzer &lt;snitzer@redhat.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>blktrace: fix accounting of partially completed requests</title>
<updated>2014-05-29T09:38:08+00:00</updated>
<author>
<name>Roman Pen</name>
<email>r.peniaev@gmail.com</email>
</author>
<published>2014-03-04T14:13:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5104b40a981d26212ced149fbd43ad0b6b72910b'/>
<id>5104b40a981d26212ced149fbd43ad0b6b72910b</id>
<content type='text'>
commit af5040da01ef980670b3741b3e10733ee3e33566 upstream.

trace_block_rq_complete does not take into account that request can
be partially completed, so we can get the following incorrect output
of blkparser:

  C   R 232 + 240 [0]
  C   R 240 + 232 [0]
  C   R 248 + 224 [0]
  C   R 256 + 216 [0]

but should be:

  C   R 232 + 8 [0]
  C   R 240 + 8 [0]
  C   R 248 + 8 [0]
  C   R 256 + 8 [0]

Also, the whole output summary statistics of completed requests and
final throughput will be incorrect.

This patch takes into account real completion size of the request and
fixes wrong completion accounting.

Signed-off-by: Roman Pen &lt;r.peniaev@gmail.com&gt;
CC: Steven Rostedt &lt;rostedt@goodmis.org&gt;
CC: Frederic Weisbecker &lt;fweisbec@gmail.com&gt;
CC: Ingo Molnar &lt;mingo@redhat.com&gt;
CC: linux-kernel@vger.kernel.org
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit af5040da01ef980670b3741b3e10733ee3e33566 upstream.

trace_block_rq_complete does not take into account that request can
be partially completed, so we can get the following incorrect output
of blkparser:

  C   R 232 + 240 [0]
  C   R 240 + 232 [0]
  C   R 248 + 224 [0]
  C   R 256 + 216 [0]

but should be:

  C   R 232 + 8 [0]
  C   R 240 + 8 [0]
  C   R 248 + 8 [0]
  C   R 256 + 8 [0]

Also, the whole output summary statistics of completed requests and
final throughput will be incorrect.

This patch takes into account real completion size of the request and
fixes wrong completion accounting.

Signed-off-by: Roman Pen &lt;r.peniaev@gmail.com&gt;
CC: Steven Rostedt &lt;rostedt@goodmis.org&gt;
CC: Frederic Weisbecker &lt;fweisbec@gmail.com&gt;
CC: Ingo Molnar &lt;mingo@redhat.com&gt;
CC: linux-kernel@vger.kernel.org
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>elevator: Fix a race in elevator switching and md device initialization</title>
<updated>2013-12-08T15:29:16+00:00</updated>
<author>
<name>Tomoki Sekiyama</name>
<email>tomoki.sekiyama@hds.com</email>
</author>
<published>2013-10-15T22:42:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d6a5267e403642c8802e5bc59cf754ba44a8993b'/>
<id>d6a5267e403642c8802e5bc59cf754ba44a8993b</id>
<content type='text'>
commit eb1c160b22655fd4ec44be732d6594fd1b1e44f4 upstream.

The soft lockup below happens at the boot time of the system using dm
multipath and the udev rules to switch scheduler.

[  356.127001] BUG: soft lockup - CPU#3 stuck for 22s! [sh:483]
[  356.127001] RIP: 0010:[&lt;ffffffff81072a7d&gt;]  [&lt;ffffffff81072a7d&gt;] lock_timer_base.isra.35+0x1d/0x50
...
[  356.127001] Call Trace:
[  356.127001]  [&lt;ffffffff81073810&gt;] try_to_del_timer_sync+0x20/0x70
[  356.127001]  [&lt;ffffffff8118b08a&gt;] ? kmem_cache_alloc_node_trace+0x20a/0x230
[  356.127001]  [&lt;ffffffff810738b2&gt;] del_timer_sync+0x52/0x60
[  356.127001]  [&lt;ffffffff812ece22&gt;] cfq_exit_queue+0x32/0xf0
[  356.127001]  [&lt;ffffffff812c98df&gt;] elevator_exit+0x2f/0x50
[  356.127001]  [&lt;ffffffff812c9f21&gt;] elevator_change+0xf1/0x1c0
[  356.127001]  [&lt;ffffffff812caa50&gt;] elv_iosched_store+0x20/0x50
[  356.127001]  [&lt;ffffffff812d1d09&gt;] queue_attr_store+0x59/0xb0
[  356.127001]  [&lt;ffffffff812143f6&gt;] sysfs_write_file+0xc6/0x140
[  356.127001]  [&lt;ffffffff811a326d&gt;] vfs_write+0xbd/0x1e0
[  356.127001]  [&lt;ffffffff811a3ca9&gt;] SyS_write+0x49/0xa0
[  356.127001]  [&lt;ffffffff8164e899&gt;] system_call_fastpath+0x16/0x1b

This is caused by a race between md device initialization by multipathd and
shell script to switch the scheduler using sysfs.

 - multipathd:
   SyS_ioctl -&gt; do_vfs_ioctl -&gt; dm_ctl_ioctl -&gt; ctl_ioctl -&gt; table_load
   -&gt; dm_setup_md_queue -&gt; blk_init_allocated_queue -&gt; elevator_init
    q-&gt;elevator = elevator_alloc(q, e); // not yet initialized

 - sh -c 'echo deadline &gt; /sys/$DEVPATH/queue/scheduler':
   elevator_switch (in the call trace above)
    struct elevator_queue *old = q-&gt;elevator;
    q-&gt;elevator = elevator_alloc(q, new_e);
    elevator_exit(old);                 // lockup! (*)

 - multipathd: (cont.)
    err = e-&gt;ops.elevator_init_fn(q);   // init fails; q-&gt;elevator is modified

(*) When del_timer_sync() is called, lock_timer_base() will loop infinitely
while timer-&gt;base == NULL. In this case, as timer will never initialized,
it results in lockup.

This patch introduces acquisition of q-&gt;sysfs_lock around elevator_init()
into blk_init_allocated_queue(), to provide mutual exclusion between
initialization of the q-&gt;scheduler and switching of the scheduler.

This should fix this bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=902012

Signed-off-by: Tomoki Sekiyama &lt;tomoki.sekiyama@hds.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Cc: Josh Boyer &lt;jwboyer@fedoraproject.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eb1c160b22655fd4ec44be732d6594fd1b1e44f4 upstream.

The soft lockup below happens at the boot time of the system using dm
multipath and the udev rules to switch scheduler.

[  356.127001] BUG: soft lockup - CPU#3 stuck for 22s! [sh:483]
[  356.127001] RIP: 0010:[&lt;ffffffff81072a7d&gt;]  [&lt;ffffffff81072a7d&gt;] lock_timer_base.isra.35+0x1d/0x50
...
[  356.127001] Call Trace:
[  356.127001]  [&lt;ffffffff81073810&gt;] try_to_del_timer_sync+0x20/0x70
[  356.127001]  [&lt;ffffffff8118b08a&gt;] ? kmem_cache_alloc_node_trace+0x20a/0x230
[  356.127001]  [&lt;ffffffff810738b2&gt;] del_timer_sync+0x52/0x60
[  356.127001]  [&lt;ffffffff812ece22&gt;] cfq_exit_queue+0x32/0xf0
[  356.127001]  [&lt;ffffffff812c98df&gt;] elevator_exit+0x2f/0x50
[  356.127001]  [&lt;ffffffff812c9f21&gt;] elevator_change+0xf1/0x1c0
[  356.127001]  [&lt;ffffffff812caa50&gt;] elv_iosched_store+0x20/0x50
[  356.127001]  [&lt;ffffffff812d1d09&gt;] queue_attr_store+0x59/0xb0
[  356.127001]  [&lt;ffffffff812143f6&gt;] sysfs_write_file+0xc6/0x140
[  356.127001]  [&lt;ffffffff811a326d&gt;] vfs_write+0xbd/0x1e0
[  356.127001]  [&lt;ffffffff811a3ca9&gt;] SyS_write+0x49/0xa0
[  356.127001]  [&lt;ffffffff8164e899&gt;] system_call_fastpath+0x16/0x1b

This is caused by a race between md device initialization by multipathd and
shell script to switch the scheduler using sysfs.

 - multipathd:
   SyS_ioctl -&gt; do_vfs_ioctl -&gt; dm_ctl_ioctl -&gt; ctl_ioctl -&gt; table_load
   -&gt; dm_setup_md_queue -&gt; blk_init_allocated_queue -&gt; elevator_init
    q-&gt;elevator = elevator_alloc(q, e); // not yet initialized

 - sh -c 'echo deadline &gt; /sys/$DEVPATH/queue/scheduler':
   elevator_switch (in the call trace above)
    struct elevator_queue *old = q-&gt;elevator;
    q-&gt;elevator = elevator_alloc(q, new_e);
    elevator_exit(old);                 // lockup! (*)

 - multipathd: (cont.)
    err = e-&gt;ops.elevator_init_fn(q);   // init fails; q-&gt;elevator is modified

(*) When del_timer_sync() is called, lock_timer_base() will loop infinitely
while timer-&gt;base == NULL. In this case, as timer will never initialized,
it results in lockup.

This patch introduces acquisition of q-&gt;sysfs_lock around elevator_init()
into blk_init_allocated_queue(), to provide mutual exclusion between
initialization of the q-&gt;scheduler and switching of the scheduler.

This should fix this bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=902012

Signed-off-by: Tomoki Sekiyama &lt;tomoki.sekiyama@hds.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Cc: Josh Boyer &lt;jwboyer@fedoraproject.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>blk-core: Fix memory corruption if blkcg_init_queue fails</title>
<updated>2013-12-04T19:05:37+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mpatocka@redhat.com</email>
</author>
<published>2013-10-14T16:11:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f5360a4c39d79c150f527ebf32ee18eb2a820e1d'/>
<id>f5360a4c39d79c150f527ebf32ee18eb2a820e1d</id>
<content type='text'>
commit fff4996b7db7955414ac74386efa5e07fd766b50 upstream.

If blkcg_init_queue fails, blk_alloc_queue_node doesn't call bdi_destroy
to clean up structures allocated by the backing dev.

------------[ cut here ]------------
WARNING: at lib/debugobjects.c:260 debug_print_object+0x85/0xa0()
ODEBUG: free active (active state 0) object type: percpu_counter hint:           (null)
Modules linked in: dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev ipt_MASQUERADE iptable_nat nf_nat_ipv4 msr nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_ondemand cpufreq_conservative spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack lm85 hwmon_vid snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq freq_table mperf sata_svw serverworks kvm_amd ide_core ehci_pci ohci_hcd libata ehci_hcd kvm usbcore tg3 usb_common libphy k10temp pcspkr ptp i2c_piix4 i2c_core evdev microcode hwmon rtc_cmos pps_core e100 skge floppy mii processor button unix
CPU: 0 PID: 2739 Comm: lvchange Tainted: G        W
3.10.15-devel #14
Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
 0000000000000009 ffff88023c3c1ae8 ffffffff813c8fd4 ffff88023c3c1b20
 ffffffff810399eb ffff88043d35cd58 ffffffff81651940 ffff88023c3c1bf8
 ffffffff82479d90 0000000000000005 ffff88023c3c1b80 ffffffff81039a67
Call Trace:
 [&lt;ffffffff813c8fd4&gt;] dump_stack+0x19/0x1b
 [&lt;ffffffff810399eb&gt;] warn_slowpath_common+0x6b/0xa0
 [&lt;ffffffff81039a67&gt;] warn_slowpath_fmt+0x47/0x50
 [&lt;ffffffff8122aaaf&gt;] ? debug_check_no_obj_freed+0xcf/0x250
 [&lt;ffffffff81229a15&gt;] debug_print_object+0x85/0xa0
 [&lt;ffffffff8122abe3&gt;] debug_check_no_obj_freed+0x203/0x250
 [&lt;ffffffff8113c4ac&gt;] kmem_cache_free+0x20c/0x3a0
 [&lt;ffffffff811f6709&gt;] blk_alloc_queue_node+0x2a9/0x2c0
 [&lt;ffffffff811f672e&gt;] blk_alloc_queue+0xe/0x10
 [&lt;ffffffffa04c0093&gt;] dm_create+0x1a3/0x530 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6c07&gt;] dev_create+0x57/0x2b0 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6528&gt;] ctl_ioctl+0x268/0x500 [dm_mod]
 [&lt;ffffffff81097662&gt;] ? get_lock_stats+0x22/0x70
 [&lt;ffffffffa04c67ce&gt;] dm_ctl_ioctl+0xe/0x20 [dm_mod]
 [&lt;ffffffff81161aad&gt;] do_vfs_ioctl+0x2ed/0x520
 [&lt;ffffffff8116cfc7&gt;] ? fget_light+0x377/0x4e0
 [&lt;ffffffff81161d2b&gt;] SyS_ioctl+0x4b/0x90
 [&lt;ffffffff813cff16&gt;] system_call_fastpath+0x1a/0x1f
---[ end trace 4b5ff0d55673d986 ]---
------------[ cut here ]------------

This fix should be backported to stable kernels starting with 2.6.37. Note
that in the kernels prior to 3.5 the affected code is different, but the
bug is still there - bdi_init is called and bdi_destroy isn't.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Acked-by: Tejun Heo &lt;tj@kernel.org&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fff4996b7db7955414ac74386efa5e07fd766b50 upstream.

If blkcg_init_queue fails, blk_alloc_queue_node doesn't call bdi_destroy
to clean up structures allocated by the backing dev.

------------[ cut here ]------------
WARNING: at lib/debugobjects.c:260 debug_print_object+0x85/0xa0()
ODEBUG: free active (active state 0) object type: percpu_counter hint:           (null)
Modules linked in: dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev ipt_MASQUERADE iptable_nat nf_nat_ipv4 msr nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_ondemand cpufreq_conservative spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack lm85 hwmon_vid snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq freq_table mperf sata_svw serverworks kvm_amd ide_core ehci_pci ohci_hcd libata ehci_hcd kvm usbcore tg3 usb_common libphy k10temp pcspkr ptp i2c_piix4 i2c_core evdev microcode hwmon rtc_cmos pps_core e100 skge floppy mii processor button unix
CPU: 0 PID: 2739 Comm: lvchange Tainted: G        W
3.10.15-devel #14
Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
 0000000000000009 ffff88023c3c1ae8 ffffffff813c8fd4 ffff88023c3c1b20
 ffffffff810399eb ffff88043d35cd58 ffffffff81651940 ffff88023c3c1bf8
 ffffffff82479d90 0000000000000005 ffff88023c3c1b80 ffffffff81039a67
Call Trace:
 [&lt;ffffffff813c8fd4&gt;] dump_stack+0x19/0x1b
 [&lt;ffffffff810399eb&gt;] warn_slowpath_common+0x6b/0xa0
 [&lt;ffffffff81039a67&gt;] warn_slowpath_fmt+0x47/0x50
 [&lt;ffffffff8122aaaf&gt;] ? debug_check_no_obj_freed+0xcf/0x250
 [&lt;ffffffff81229a15&gt;] debug_print_object+0x85/0xa0
 [&lt;ffffffff8122abe3&gt;] debug_check_no_obj_freed+0x203/0x250
 [&lt;ffffffff8113c4ac&gt;] kmem_cache_free+0x20c/0x3a0
 [&lt;ffffffff811f6709&gt;] blk_alloc_queue_node+0x2a9/0x2c0
 [&lt;ffffffff811f672e&gt;] blk_alloc_queue+0xe/0x10
 [&lt;ffffffffa04c0093&gt;] dm_create+0x1a3/0x530 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6c07&gt;] dev_create+0x57/0x2b0 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6bb0&gt;] ? list_version_get_info+0xe0/0xe0 [dm_mod]
 [&lt;ffffffffa04c6528&gt;] ctl_ioctl+0x268/0x500 [dm_mod]
 [&lt;ffffffff81097662&gt;] ? get_lock_stats+0x22/0x70
 [&lt;ffffffffa04c67ce&gt;] dm_ctl_ioctl+0xe/0x20 [dm_mod]
 [&lt;ffffffff81161aad&gt;] do_vfs_ioctl+0x2ed/0x520
 [&lt;ffffffff8116cfc7&gt;] ? fget_light+0x377/0x4e0
 [&lt;ffffffff81161d2b&gt;] SyS_ioctl+0x4b/0x90
 [&lt;ffffffff813cff16&gt;] system_call_fastpath+0x1a/0x1f
---[ end trace 4b5ff0d55673d986 ]---
------------[ cut here ]------------

This fix should be backported to stable kernels starting with 2.6.37. Note
that in the kernels prior to 3.5 the affected code is different, but the
bug is still there - bdi_init is called and bdi_destroy isn't.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Acked-by: Tejun Heo &lt;tj@kernel.org&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>block: fix race between request completion and timeout handling</title>
<updated>2013-11-29T19:28:06+00:00</updated>
<author>
<name>Jeff Moyer</name>
<email>jmoyer@redhat.com</email>
</author>
<published>2013-10-08T18:36:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c8a390a12e552d1545485809246aeaae7a39a9e'/>
<id>6c8a390a12e552d1545485809246aeaae7a39a9e</id>
<content type='text'>
commit 4912aa6c11e6a5d910264deedbec2075c6f1bb73 upstream.

crocode i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma dca be2net sg ses enclosure ext4 mbcache jbd2 sd_mod crc_t10dif ahci megaraid_sas(U) dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

Pid: 491, comm: scsi_eh_0 Tainted: G        W  ----------------   2.6.32-220.13.1.el6.x86_64 #1 IBM  -[8722PAX]-/00D1461
RIP: 0010:[&lt;ffffffff8124e424&gt;]  [&lt;ffffffff8124e424&gt;] blk_requeue_request+0x94/0xa0
RSP: 0018:ffff881057eefd60  EFLAGS: 00010012
RAX: ffff881d99e3e8a8 RBX: ffff881d99e3e780 RCX: ffff881d99e3e8a8
RDX: ffff881d99e3e8a8 RSI: ffff881d99e3e780 RDI: ffff881d99e3e780
RBP: ffff881057eefd80 R08: ffff881057eefe90 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff881057f92338
R13: 0000000000000000 R14: ffff881057f92338 R15: ffff883058188000
FS:  0000000000000000(0000) GS:ffff880040200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000000006d3ec0 CR3: 000000302cd7d000 CR4: 00000000000406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process scsi_eh_0 (pid: 491, threadinfo ffff881057eee000, task ffff881057e29540)
Stack:
 0000000000001057 0000000000000286 ffff8810275efdc0 ffff881057f16000
&lt;0&gt; ffff881057eefdd0 ffffffff81362323 ffff881057eefe20 ffffffff8135f393
&lt;0&gt; ffff881057e29af8 ffff8810275efdc0 ffff881057eefe78 ffff881057eefe90
Call Trace:
 [&lt;ffffffff81362323&gt;] __scsi_queue_insert+0xa3/0x150
 [&lt;ffffffff8135f393&gt;] ? scsi_eh_ready_devs+0x5e3/0x850
 [&lt;ffffffff81362a23&gt;] scsi_queue_insert+0x13/0x20
 [&lt;ffffffff8135e4d4&gt;] scsi_eh_flush_done_q+0x104/0x160
 [&lt;ffffffff8135fb6b&gt;] scsi_error_handler+0x35b/0x660
 [&lt;ffffffff8135f810&gt;] ? scsi_error_handler+0x0/0x660
 [&lt;ffffffff810908c6&gt;] kthread+0x96/0xa0
 [&lt;ffffffff8100c14a&gt;] child_rip+0xa/0x20
 [&lt;ffffffff81090830&gt;] ? kthread+0x0/0xa0
 [&lt;ffffffff8100c140&gt;] ? child_rip+0x0/0x20
Code: 00 00 eb d1 4c 8b 2d 3c 8f 97 00 4d 85 ed 74 bf 49 8b 45 00 49 83 c5 08 48 89 de 4c 89 e7 ff d0 49 8b 45 00 48 85 c0 75 eb eb a4 &lt;0f&gt; 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
RIP  [&lt;ffffffff8124e424&gt;] blk_requeue_request+0x94/0xa0
 RSP &lt;ffff881057eefd60&gt;

The RIP is this line:
        BUG_ON(blk_queued_rq(rq));

After digging through the code, I think there may be a race between the
request completion and the timer handler running.

A timer is started for each request put on the device's queue (see
blk_start_request-&gt;blk_add_timer).  If the request does not complete
before the timer expires, the timer handler (blk_rq_timed_out_timer)
will mark the request complete atomically:

static inline int blk_mark_rq_complete(struct request *rq)
{
        return test_and_set_bit(REQ_ATOM_COMPLETE, &amp;rq-&gt;atomic_flags);
}

and then call blk_rq_timed_out.  The latter function will call
scsi_times_out, which will return one of BLK_EH_HANDLED,
BLK_EH_RESET_TIMER or BLK_EH_NOT_HANDLED.  If BLK_EH_RESET_TIMER is
returned, blk_clear_rq_complete is called, and blk_add_timer is again
called to simply wait longer for the request to complete.

Now, if the request happens to complete while this is going on, what
happens?  Given that we know the completion handler will bail if it
finds the REQ_ATOM_COMPLETE bit set, we need to focus on the completion
handler running after that bit is cleared.  So, from the above
paragraph, after the call to blk_clear_rq_complete.  If the completion
sets REQ_ATOM_COMPLETE before the BUG_ON in blk_add_timer, we go boom
there (I haven't seen this in the cores).  Next, if we get the
completion before the call to list_add_tail, then the timer will
eventually fire for an old req, which may either be freed or reallocated
(there is evidence that this might be the case).  Finally, if the
completion comes in *after* the addition to the timeout list, I think
it's harmless.  The request will be removed from the timeout list,
req_atom_complete will be set, and all will be well.

This will only actually explain the coredumps *IF* the request
structure was freed, reallocated *and* queued before the error handler
thread had a chance to process it.  That is possible, but it may make
sense to keep digging for another race.  I think that if this is what
was happening, we would see other instances of this problem showing up
as null pointer or garbage pointer dereferences, for example when the
request structure was not re-used.  It looks like we actually do run
into that situation in other reports.

This patch moves the BUG_ON(test_bit(REQ_ATOM_COMPLETE,
&amp;req-&gt;atomic_flags)); from blk_add_timer to the only caller that could
trip over it (blk_start_request).  It then inverts the calls to
blk_clear_rq_complete and blk_add_timer in blk_rq_timed_out to address
the race.  I've boot tested this patch, but nothing more.

Signed-off-by: Jeff Moyer &lt;jmoyer@redhat.com&gt;
Acked-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4912aa6c11e6a5d910264deedbec2075c6f1bb73 upstream.

crocode i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma dca be2net sg ses enclosure ext4 mbcache jbd2 sd_mod crc_t10dif ahci megaraid_sas(U) dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

Pid: 491, comm: scsi_eh_0 Tainted: G        W  ----------------   2.6.32-220.13.1.el6.x86_64 #1 IBM  -[8722PAX]-/00D1461
RIP: 0010:[&lt;ffffffff8124e424&gt;]  [&lt;ffffffff8124e424&gt;] blk_requeue_request+0x94/0xa0
RSP: 0018:ffff881057eefd60  EFLAGS: 00010012
RAX: ffff881d99e3e8a8 RBX: ffff881d99e3e780 RCX: ffff881d99e3e8a8
RDX: ffff881d99e3e8a8 RSI: ffff881d99e3e780 RDI: ffff881d99e3e780
RBP: ffff881057eefd80 R08: ffff881057eefe90 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff881057f92338
R13: 0000000000000000 R14: ffff881057f92338 R15: ffff883058188000
FS:  0000000000000000(0000) GS:ffff880040200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000000006d3ec0 CR3: 000000302cd7d000 CR4: 00000000000406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process scsi_eh_0 (pid: 491, threadinfo ffff881057eee000, task ffff881057e29540)
Stack:
 0000000000001057 0000000000000286 ffff8810275efdc0 ffff881057f16000
&lt;0&gt; ffff881057eefdd0 ffffffff81362323 ffff881057eefe20 ffffffff8135f393
&lt;0&gt; ffff881057e29af8 ffff8810275efdc0 ffff881057eefe78 ffff881057eefe90
Call Trace:
 [&lt;ffffffff81362323&gt;] __scsi_queue_insert+0xa3/0x150
 [&lt;ffffffff8135f393&gt;] ? scsi_eh_ready_devs+0x5e3/0x850
 [&lt;ffffffff81362a23&gt;] scsi_queue_insert+0x13/0x20
 [&lt;ffffffff8135e4d4&gt;] scsi_eh_flush_done_q+0x104/0x160
 [&lt;ffffffff8135fb6b&gt;] scsi_error_handler+0x35b/0x660
 [&lt;ffffffff8135f810&gt;] ? scsi_error_handler+0x0/0x660
 [&lt;ffffffff810908c6&gt;] kthread+0x96/0xa0
 [&lt;ffffffff8100c14a&gt;] child_rip+0xa/0x20
 [&lt;ffffffff81090830&gt;] ? kthread+0x0/0xa0
 [&lt;ffffffff8100c140&gt;] ? child_rip+0x0/0x20
Code: 00 00 eb d1 4c 8b 2d 3c 8f 97 00 4d 85 ed 74 bf 49 8b 45 00 49 83 c5 08 48 89 de 4c 89 e7 ff d0 49 8b 45 00 48 85 c0 75 eb eb a4 &lt;0f&gt; 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
RIP  [&lt;ffffffff8124e424&gt;] blk_requeue_request+0x94/0xa0
 RSP &lt;ffff881057eefd60&gt;

The RIP is this line:
        BUG_ON(blk_queued_rq(rq));

After digging through the code, I think there may be a race between the
request completion and the timer handler running.

A timer is started for each request put on the device's queue (see
blk_start_request-&gt;blk_add_timer).  If the request does not complete
before the timer expires, the timer handler (blk_rq_timed_out_timer)
will mark the request complete atomically:

static inline int blk_mark_rq_complete(struct request *rq)
{
        return test_and_set_bit(REQ_ATOM_COMPLETE, &amp;rq-&gt;atomic_flags);
}

and then call blk_rq_timed_out.  The latter function will call
scsi_times_out, which will return one of BLK_EH_HANDLED,
BLK_EH_RESET_TIMER or BLK_EH_NOT_HANDLED.  If BLK_EH_RESET_TIMER is
returned, blk_clear_rq_complete is called, and blk_add_timer is again
called to simply wait longer for the request to complete.

Now, if the request happens to complete while this is going on, what
happens?  Given that we know the completion handler will bail if it
finds the REQ_ATOM_COMPLETE bit set, we need to focus on the completion
handler running after that bit is cleared.  So, from the above
paragraph, after the call to blk_clear_rq_complete.  If the completion
sets REQ_ATOM_COMPLETE before the BUG_ON in blk_add_timer, we go boom
there (I haven't seen this in the cores).  Next, if we get the
completion before the call to list_add_tail, then the timer will
eventually fire for an old req, which may either be freed or reallocated
(there is evidence that this might be the case).  Finally, if the
completion comes in *after* the addition to the timeout list, I think
it's harmless.  The request will be removed from the timeout list,
req_atom_complete will be set, and all will be well.

This will only actually explain the coredumps *IF* the request
structure was freed, reallocated *and* queued before the error handler
thread had a chance to process it.  That is possible, but it may make
sense to keep digging for another race.  I think that if this is what
was happening, we would see other instances of this problem showing up
as null pointer or garbage pointer dereferences, for example when the
request structure was not re-used.  It looks like we actually do run
into that situation in other reports.

This patch moves the BUG_ON(test_bit(REQ_ATOM_COMPLETE,
&amp;req-&gt;atomic_flags)); from blk_add_timer to the only caller that could
trip over it (blk_start_request).  It then inverts the calls to
blk_clear_rq_complete and blk_add_timer in blk_rq_timed_out to address
the race.  I've boot tested this patch, but nothing more.

Signed-off-by: Jeff Moyer &lt;jmoyer@redhat.com&gt;
Acked-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-3.12/core' of git://git.kernel.dk/linux-block</title>
<updated>2013-09-22T22:00:11+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-09-22T22:00:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=68cf8d0c720cdb76dc912c983d8dae9de6d6e5cf'/>
<id>68cf8d0c720cdb76dc912c983d8dae9de6d6e5cf</id>
<content type='text'>
Pull block IO fixes from Jens Axboe:
 "After merge window, no new stuff this time only a collection of neatly
  confined and simple fixes"

* 'for-3.12/core' of git://git.kernel.dk/linux-block:
  cfq: explicitly use 64bit divide operation for 64bit arguments
  block: Add nr_bios to block_rq_remap tracepoint
  If the queue is dying then we only call the rq-&gt;end_io callout. This leaves bios setup on the request, because the caller assumes when the blk_execute_rq_nowait/blk_execute_rq call has completed that the rq-&gt;bios have been cleaned up.
  bio-integrity: Fix use of bs-&gt;bio_integrity_pool after free
  blkcg: relocate root_blkg setting and clearing
  block: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node(...)
  block: trace all devices plug operation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull block IO fixes from Jens Axboe:
 "After merge window, no new stuff this time only a collection of neatly
  confined and simple fixes"

* 'for-3.12/core' of git://git.kernel.dk/linux-block:
  cfq: explicitly use 64bit divide operation for 64bit arguments
  block: Add nr_bios to block_rq_remap tracepoint
  If the queue is dying then we only call the rq-&gt;end_io callout. This leaves bios setup on the request, because the caller assumes when the blk_execute_rq_nowait/blk_execute_rq call has completed that the rq-&gt;bios have been cleaned up.
  bio-integrity: Fix use of bs-&gt;bio_integrity_pool after free
  blkcg: relocate root_blkg setting and clearing
  block: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node(...)
  block: trace all devices plug operation
</pre>
</div>
</content>
</entry>
<entry>
<title>block: trace all devices plug operation</title>
<updated>2013-09-11T19:21:07+00:00</updated>
<author>
<name>Jianpeng Ma</name>
<email>majianpeng@gmail.com</email>
</author>
<published>2013-09-11T19:21:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7aef2e780b13973ea60aed8c556107dabde6a495'/>
<id>7aef2e780b13973ea60aed8c556107dabde6a495</id>
<content type='text'>
In func blk_queue_bio, if list of plug is empty,it will call
blk_trace_plug.
If process deal with a single device,it't ok.But if process deal with
multi devices,it only trace the first device.
Using request_count to judge, it can soleve this problem.

In addition, i modify the comment.

Signed-off-by: Jianpeng Ma &lt;majianpeng@gmail.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In func blk_queue_bio, if list of plug is empty,it will call
blk_trace_plug.
If process deal with a single device,it't ok.But if process deal with
multi devices,it only trace the first device.
Using request_count to judge, it can soleve this problem.

In addition, i modify the comment.

Signed-off-by: Jianpeng Ma &lt;majianpeng@gmail.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] Return ENODATA on medium error</title>
<updated>2013-08-23T16:54:53+00:00</updated>
<author>
<name>Hannes Reinecke</name>
<email>hare@suse.de</email>
</author>
<published>2013-07-01T13:16:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7e782af57649f8a8e943d80104c946a5cd7af7cc'/>
<id>7e782af57649f8a8e943d80104c946a5cd7af7cc</id>
<content type='text'>
When a medium error is detected the SCSI stack should return
ENODATA to the upper layers.

[jejb: fix whitespace error]
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a medium error is detected the SCSI stack should return
ENODATA to the upper layers.

[jejb: fix whitespace error]
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SCSI] return ENOSPC on thin provisioning failure</title>
<updated>2013-08-23T16:43:54+00:00</updated>
<author>
<name>Hannes Reinecke</name>
<email>hare@suse.de</email>
</author>
<published>2013-07-01T13:16:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a9d6ceb838755c24dde8a0ca02c3378926fc63db'/>
<id>a9d6ceb838755c24dde8a0ca02c3378926fc63db</id>
<content type='text'>
When the thin provisioning hard threshold is reached we
should return ENOSPC to inform upper layers about this fact.

Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the thin provisioning hard threshold is reached we
should return ENOSPC to inform upper layers about this fact.

Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Parallels.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
