[5.9,236/391] btrfs: fix readahead hang and use-after-free after removing a device

From: Filipe Manana <fdmanana@suse.com>

From: Filipe Manana <fdmanana@suse.com>

commit 66d204a16c94f24ad08290a7663ab67e7fc04e82 upstream.

Very sporadically I had test case btrfs/069 from fstests hanging (for
years, it is not a recent regression), with the following traces in
dmesg/syslog:

  [162301.160628] BTRFS info (device sdc): dev_replace from /dev/sdd (devid 2) to /dev/sdg started
  [162301.181196] BTRFS info (device sdc): scrub: finished on devid 4 with status: 0
  [162301.287162] BTRFS info (device sdc): dev_replace from /dev/sdd (devid 2) to /dev/sdg finished
  [162513.513792] INFO: task btrfs-transacti:1356167 blocked for more than 120 seconds.
  [162513.514318]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.514522] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.514747] task:btrfs-transacti state:D stack:    0 pid:1356167 ppid:     2 flags:0x00004000
  [162513.514751] Call Trace:
  [162513.514761]  __schedule+0x5ce/0xd00
  [162513.514765]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.514771]  schedule+0x46/0xf0
  [162513.514844]  wait_current_trans+0xde/0x140 [btrfs]
  [162513.514850]  ? finish_wait+0x90/0x90
  [162513.514864]  start_transaction+0x37c/0x5f0 [btrfs]
  [162513.514879]  transaction_kthread+0xa4/0x170 [btrfs]
  [162513.514891]  ? btrfs_cleanup_transaction+0x660/0x660 [btrfs]
  [162513.514894]  kthread+0x153/0x170
  [162513.514897]  ? kthread_stop+0x2c0/0x2c0
  [162513.514902]  ret_from_fork+0x22/0x30
  [162513.514916] INFO: task fsstress:1356184 blocked for more than 120 seconds.
  [162513.515192]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.515431] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.515680] task:fsstress        state:D stack:    0 pid:1356184 ppid:1356177 flags:0x00004000
  [162513.515682] Call Trace:
  [162513.515688]  __schedule+0x5ce/0xd00
  [162513.515691]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.515697]  schedule+0x46/0xf0
  [162513.515712]  wait_current_trans+0xde/0x140 [btrfs]
  [162513.515716]  ? finish_wait+0x90/0x90
  [162513.515729]  start_transaction+0x37c/0x5f0 [btrfs]
  [162513.515743]  btrfs_attach_transaction_barrier+0x1f/0x50 [btrfs]
  [162513.515753]  btrfs_sync_fs+0x61/0x1c0 [btrfs]
  [162513.515758]  ? __ia32_sys_fdatasync+0x20/0x20
  [162513.515761]  iterate_supers+0x87/0xf0
  [162513.515765]  ksys_sync+0x60/0xb0
  [162513.515768]  __do_sys_sync+0xa/0x10
  [162513.515771]  do_syscall_64+0x33/0x80
  [162513.515774]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [162513.515781] RIP: 0033:0x7f5238f50bd7
  [162513.515782] Code: Bad RIP value.
  [162513.515784] RSP: 002b:00007fff67b978e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a2
  [162513.515786] RAX: ffffffffffffffda RBX: 000055b1fad2c560 RCX: 00007f5238f50bd7
  [162513.515788] RDX: 00000000ffffffff RSI: 000000000daf0e74 RDI: 000000000000003a
  [162513.515789] RBP: 0000000000000032 R08: 000000000000000a R09: 00007f5239019be0
  [162513.515791] R10: fffffffffffff24f R11: 0000000000000206 R12: 000000000000003a
  [162513.515792] R13: 00007fff67b97950 R14: 00007fff67b97906 R15: 000055b1fad1a340
  [162513.515804] INFO: task fsstress:1356185 blocked for more than 120 seconds.
  [162513.516064]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.516329] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.516617] task:fsstress        state:D stack:    0 pid:1356185 ppid:1356177 flags:0x00000000
  [162513.516620] Call Trace:
  [162513.516625]  __schedule+0x5ce/0xd00
  [162513.516628]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.516634]  schedule+0x46/0xf0
  [162513.516647]  wait_current_trans+0xde/0x140 [btrfs]
  [162513.516650]  ? finish_wait+0x90/0x90
  [162513.516662]  start_transaction+0x4d7/0x5f0 [btrfs]
  [162513.516679]  btrfs_setxattr_trans+0x3c/0x100 [btrfs]
  [162513.516686]  __vfs_setxattr+0x66/0x80
  [162513.516691]  __vfs_setxattr_noperm+0x70/0x200
  [162513.516697]  vfs_setxattr+0x6b/0x120
  [162513.516703]  setxattr+0x125/0x240
  [162513.516709]  ? lock_acquire+0xb1/0x480
  [162513.516712]  ? mnt_want_write+0x20/0x50
  [162513.516721]  ? rcu_read_lock_any_held+0x8e/0xb0
  [162513.516723]  ? preempt_count_add+0x49/0xa0
  [162513.516725]  ? __sb_start_write+0x19b/0x290
  [162513.516727]  ? preempt_count_add+0x49/0xa0
  [162513.516732]  path_setxattr+0xba/0xd0
  [162513.516739]  __x64_sys_setxattr+0x27/0x30
  [162513.516741]  do_syscall_64+0x33/0x80
  [162513.516743]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [162513.516745] RIP: 0033:0x7f5238f56d5a
  [162513.516746] Code: Bad RIP value.
  [162513.516748] RSP: 002b:00007fff67b97868 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
  [162513.516750] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f5238f56d5a
  [162513.516751] RDX: 000055b1fbb0d5a0 RSI: 00007fff67b978a0 RDI: 000055b1fbb0d470
  [162513.516753] RBP: 000055b1fbb0d5a0 R08: 0000000000000001 R09: 00007fff67b97700
  [162513.516754] R10: 0000000000000004 R11: 0000000000000202 R12: 0000000000000004
  [162513.516756] R13: 0000000000000024 R14: 0000000000000001 R15: 00007fff67b978a0
  [162513.516767] INFO: task fsstress:1356196 blocked for more than 120 seconds.
  [162513.517064]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.517365] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.517763] task:fsstress        state:D stack:    0 pid:1356196 ppid:1356177 flags:0x00004000
  [162513.517780] Call Trace:
  [162513.517786]  __schedule+0x5ce/0xd00
  [162513.517789]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.517796]  schedule+0x46/0xf0
  [162513.517810]  wait_current_trans+0xde/0x140 [btrfs]
  [162513.517814]  ? finish_wait+0x90/0x90
  [162513.517829]  start_transaction+0x37c/0x5f0 [btrfs]
  [162513.517845]  btrfs_attach_transaction_barrier+0x1f/0x50 [btrfs]
  [162513.517857]  btrfs_sync_fs+0x61/0x1c0 [btrfs]
  [162513.517862]  ? __ia32_sys_fdatasync+0x20/0x20
  [162513.517865]  iterate_supers+0x87/0xf0
  [162513.517869]  ksys_sync+0x60/0xb0
  [162513.517872]  __do_sys_sync+0xa/0x10
  [162513.517875]  do_syscall_64+0x33/0x80
  [162513.517878]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [162513.517881] RIP: 0033:0x7f5238f50bd7
  [162513.517883] Code: Bad RIP value.
  [162513.517885] RSP: 002b:00007fff67b978e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a2
  [162513.517887] RAX: ffffffffffffffda RBX: 000055b1fad2c560 RCX: 00007f5238f50bd7
  [162513.517889] RDX: 0000000000000000 RSI: 000000007660add2 RDI: 0000000000000053
  [162513.517891] RBP: 0000000000000032 R08: 0000000000000067 R09: 00007f5239019be0
  [162513.517893] R10: fffffffffffff24f R11: 0000000000000206 R12: 0000000000000053
  [162513.517895] R13: 00007fff67b97950 R14: 00007fff67b97906 R15: 000055b1fad1a340
  [162513.517908] INFO: task fsstress:1356197 blocked for more than 120 seconds.
  [162513.518298]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.518672] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.519157] task:fsstress        state:D stack:    0 pid:1356197 ppid:1356177 flags:0x00000000
  [162513.519160] Call Trace:
  [162513.519165]  __schedule+0x5ce/0xd00
  [162513.519168]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.519174]  schedule+0x46/0xf0
  [162513.519190]  wait_current_trans+0xde/0x140 [btrfs]
  [162513.519193]  ? finish_wait+0x90/0x90
  [162513.519206]  start_transaction+0x4d7/0x5f0 [btrfs]
  [162513.519222]  btrfs_create+0x57/0x200 [btrfs]
  [162513.519230]  lookup_open+0x522/0x650
  [162513.519246]  path_openat+0x2b8/0xa50
  [162513.519270]  do_filp_open+0x91/0x100
  [162513.519275]  ? find_held_lock+0x32/0x90
  [162513.519280]  ? lock_acquired+0x33b/0x470
  [162513.519285]  ? do_raw_spin_unlock+0x4b/0xc0
  [162513.519287]  ? _raw_spin_unlock+0x29/0x40
  [162513.519295]  do_sys_openat2+0x20d/0x2d0
  [162513.519300]  do_sys_open+0x44/0x80
  [162513.519304]  do_syscall_64+0x33/0x80
  [162513.519307]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [162513.519309] RIP: 0033:0x7f5238f4a903
  [162513.519310] Code: Bad RIP value.
  [162513.519312] RSP: 002b:00007fff67b97758 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
  [162513.519314] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f5238f4a903
  [162513.519316] RDX: 0000000000000000 RSI: 00000000000001b6 RDI: 000055b1fbb0d470
  [162513.519317] RBP: 00007fff67b978c0 R08: 0000000000000001 R09: 0000000000000002
  [162513.519319] R10: 00007fff67b974f7 R11: 0000000000000246 R12: 0000000000000013
  [162513.519320] R13: 00000000000001b6 R14: 00007fff67b97906 R15: 000055b1fad1c620
  [162513.519332] INFO: task btrfs:1356211 blocked for more than 120 seconds.
  [162513.519727]       Not tainted 5.9.0-rc6-btrfs-next-69 #1
  [162513.520115] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [162513.520508] task:btrfs           state:D stack:    0 pid:1356211 ppid:1356178 flags:0x00004002
  [162513.520511] Call Trace:
  [162513.520516]  __schedule+0x5ce/0xd00
  [162513.520519]  ? _raw_spin_unlock_irqrestore+0x3c/0x60
  [162513.520525]  schedule+0x46/0xf0
  [162513.520544]  btrfs_scrub_pause+0x11f/0x180 [btrfs]
  [162513.520548]  ? finish_wait+0x90/0x90
  [162513.520562]  btrfs_commit_transaction+0x45a/0xc30 [btrfs]
  [162513.520574]  ? start_transaction+0xe0/0x5f0 [btrfs]
  [162513.520596]  btrfs_dev_replace_finishing+0x6d8/0x711 [btrfs]
  [162513.520619]  btrfs_dev_replace_by_ioctl.cold+0x1cc/0x1fd [btrfs]
  [162513.520639]  btrfs_ioctl+0x2a25/0x36f0 [btrfs]
  [162513.520643]  ? do_sigaction+0xf3/0x240
  [162513.520645]  ? find_held_lock+0x32/0x90
  [162513.520648]  ? do_sigaction+0xf3/0x240
  [162513.520651]  ? lock_acquired+0x33b/0x470
  [162513.520655]  ? _raw_spin_unlock_irq+0x24/0x50
  [162513.520657]  ? lockdep_hardirqs_on+0x7d/0x100
  [162513.520660]  ? _raw_spin_unlock_irq+0x35/0x50
  [162513.520662]  ? do_sigaction+0xf3/0x240
  [162513.520671]  ? __x64_sys_ioctl+0x83/0xb0
  [162513.520672]  __x64_sys_ioctl+0x83/0xb0
  [162513.520677]  do_syscall_64+0x33/0x80
  [162513.520679]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [162513.520681] RIP: 0033:0x7fc3cd307d87
  [162513.520682] Code: Bad RIP value.
  [162513.520684] RSP: 002b:00007ffe30a56bb8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
  [162513.520686] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fc3cd307d87
  [162513.520687] RDX: 00007ffe30a57a30 RSI: 00000000ca289435 RDI: 0000000000000003
  [162513.520689] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  [162513.520690] R10: 0000000000000008 R11: 0000000000000202 R12: 0000000000000003
  [162513.520692] R13: 0000557323a212e0 R14: 00007ffe30a5a520 R15: 0000000000000001
  [162513.520703]
		  Showing all locks held in the system:
  [162513.520712] 1 lock held by khungtaskd/54:
  [162513.520713]  #0: ffffffffb40a91a0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0x197
  [162513.520728] 1 lock held by in:imklog/596:
  [162513.520729]  #0: ffff8f3f0d781400 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x4d/0x60
  [162513.520782] 1 lock held by btrfs-transacti/1356167:
  [162513.520784]  #0: ffff8f3d810cc848 (&fs_info->transaction_kthread_mutex){+.+.}-{3:3}, at: transaction_kthread+0x4a/0x170 [btrfs]
  [162513.520798] 1 lock held by btrfs/1356190:
  [162513.520800]  #0: ffff8f3d57644470 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write_file+0x22/0x60
  [162513.520805] 1 lock held by fsstress/1356184:
  [162513.520806]  #0: ffff8f3d576440e8 (&type->s_umount_key#62){++++}-{3:3}, at: iterate_supers+0x6f/0xf0
  [162513.520811] 3 locks held by fsstress/1356185:
  [162513.520812]  #0: ffff8f3d57644470 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write+0x20/0x50
  [162513.520815]  #1: ffff8f3d80a650b8 (&type->i_mutex_dir_key#10){++++}-{3:3}, at: vfs_setxattr+0x50/0x120
  [162513.520820]  #2: ffff8f3d57644690 (sb_internal#2){.+.+}-{0:0}, at: start_transaction+0x40e/0x5f0 [btrfs]
  [162513.520833] 1 lock held by fsstress/1356196:
  [162513.520834]  #0: ffff8f3d576440e8 (&type->s_umount_key#62){++++}-{3:3}, at: iterate_supers+0x6f/0xf0
  [162513.520838] 3 locks held by fsstress/1356197:
  [162513.520839]  #0: ffff8f3d57644470 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write+0x20/0x50
  [162513.520843]  #1: ffff8f3d506465e8 (&type->i_mutex_dir_key#10){++++}-{3:3}, at: path_openat+0x2a7/0xa50
  [162513.520846]  #2: ffff8f3d57644690 (sb_internal#2){.+.+}-{0:0}, at: start_transaction+0x40e/0x5f0 [btrfs]
  [162513.520858] 2 locks held by btrfs/1356211:
  [162513.520859]  #0: ffff8f3d810cde30 (&fs_info->dev_replace.lock_finishing_cancel_unmount){+.+.}-{3:3}, at: btrfs_dev_replace_finishing+0x52/0x711 [btrfs]
  [162513.520877]  #1: ffff8f3d57644690 (sb_internal#2){.+.+}-{0:0}, at: start_transaction+0x40e/0x5f0 [btrfs]

This was weird because the stack traces show that a transaction commit,
triggered by a device replace operation, is blocking trying to pause any
running scrubs but there are no stack traces of blocked tasks doing a
scrub.

After poking around with drgn, I noticed there was a scrub task that was
constantly running and blocking for shorts periods of time:

  >>> t = find_task(prog, 1356190)
  >>> prog.stack_trace(t)
  #0  __schedule+0x5ce/0xcfc
  #1  schedule+0x46/0xe4
  #2  schedule_timeout+0x1df/0x475
  #3  btrfs_reada_wait+0xda/0x132
  #4  scrub_stripe+0x2a8/0x112f
  #5  scrub_chunk+0xcd/0x134
  #6  scrub_enumerate_chunks+0x29e/0x5ee
  #7  btrfs_scrub_dev+0x2d5/0x91b
  #8  btrfs_ioctl+0x7f5/0x36e7
  #9  __x64_sys_ioctl+0x83/0xb0
  #10 do_syscall_64+0x33/0x77
  #11 entry_SYSCALL_64+0x7c/0x156

Which corresponds to:

int btrfs_reada_wait(void *handle)
{
    struct reada_control *rc = handle;
    struct btrfs_fs_info *fs_info = rc->fs_info;

    while (atomic_read(&rc->elems)) {
        if (!atomic_read(&fs_info->reada_works_cnt))
            reada_start_machine(fs_info);
        wait_event_timeout(rc->wait, atomic_read(&rc->elems) == 0,
                          (HZ + 9) / 10);
    }
(...)

So the counter "rc->elems" was set to 1 and never decreased to 0, causing
the scrub task to loop forever in that function. Then I used the following
script for drgn to check the readahead requests:

  $ cat dump_reada.py
  import sys
  import drgn
  from drgn import NULL, Object, cast, container_of, execscript, \
      reinterpret, sizeof
  from drgn.helpers.linux import *

  mnt_path = b"/home/fdmanana/btrfs-tests/scratch_1"

  mnt = None
  for mnt in for_each_mount(prog, dst = mnt_path):
      pass

  if mnt is None:
      sys.stderr.write(f'Error: mount point {mnt_path} not found\n')
      sys.exit(1)

  fs_info = cast('struct btrfs_fs_info *', mnt.mnt.mnt_sb.s_fs_info)

  def dump_re(re):
      nzones = re.nzones.value_()
      print(f're at {hex(re.value_())}')
      print(f'\t logical {re.logical.value_()}')
      print(f'\t refcnt {re.refcnt.value_()}')
      print(f'\t nzones {nzones}')
      for i in range(nzones):
          dev = re.zones[i].device
          name = dev.name.str.string_()
          print(f'\t\t dev id {dev.devid.value_()} name {name}')
      print()

  for _, e in radix_tree_for_each(fs_info.reada_tree):
      re = cast('struct reada_extent *', e)
      dump_re(re)

  $ drgn dump_reada.py
  re at 0xffff8f3da9d25ad8
          logical 38928384
          refcnt 1
          nzones 1
                 dev id 0 name b'/dev/sdd'
  $

So there was one readahead extent with a single zone corresponding to the
source device of that last device replace operation logged in dmesg/syslog.
Also the ID of that zone's device was 0 which is a special value set in
the source device of a device replace operation when the operation finishes
(constant BTRFS_DEV_REPLACE_DEVID set at btrfs_dev_replace_finishing()),
confirming again that device /dev/sdd was the source of a device replace
operation.

Normally there should be as many zones in the readahead extent as there are
devices, and I wasn't expecting the extent to be in a block group with a
'single' profile, so I went and confirmed with the following drgn script
that there weren't any single profile block groups:

  $ cat dump_block_groups.py
  import sys
  import drgn
  from drgn import NULL, Object, cast, container_of, execscript, \
      reinterpret, sizeof
  from drgn.helpers.linux import *

  mnt_path = b"/home/fdmanana/btrfs-tests/scratch_1"

  mnt = None
  for mnt in for_each_mount(prog, dst = mnt_path):
      pass

  if mnt is None:
      sys.stderr.write(f'Error: mount point {mnt_path} not found\n')
      sys.exit(1)

  fs_info = cast('struct btrfs_fs_info *', mnt.mnt.mnt_sb.s_fs_info)

  BTRFS_BLOCK_GROUP_DATA = (1 << 0)
  BTRFS_BLOCK_GROUP_SYSTEM = (1 << 1)
  BTRFS_BLOCK_GROUP_METADATA = (1 << 2)
  BTRFS_BLOCK_GROUP_RAID0 = (1 << 3)
  BTRFS_BLOCK_GROUP_RAID1 = (1 << 4)
  BTRFS_BLOCK_GROUP_DUP = (1 << 5)
  BTRFS_BLOCK_GROUP_RAID10 = (1 << 6)
  BTRFS_BLOCK_GROUP_RAID5 = (1 << 7)
  BTRFS_BLOCK_GROUP_RAID6 = (1 << 8)
  BTRFS_BLOCK_GROUP_RAID1C3 = (1 << 9)
  BTRFS_BLOCK_GROUP_RAID1C4 = (1 << 10)

  def bg_flags_string(bg):
      flags = bg.flags.value_()
      ret = ''
      if flags & BTRFS_BLOCK_GROUP_DATA:
          ret = 'data'
      if flags & BTRFS_BLOCK_GROUP_METADATA:
          if len(ret) > 0:
              ret += '|'
          ret += 'meta'
      if flags & BTRFS_BLOCK_GROUP_SYSTEM:
          if len(ret) > 0:
              ret += '|'
          ret += 'system'
      if flags & BTRFS_BLOCK_GROUP_RAID0:
          ret += ' raid0'
      elif flags & BTRFS_BLOCK_GROUP_RAID1:
          ret += ' raid1'
      elif flags & BTRFS_BLOCK_GROUP_DUP:
          ret += ' dup'
      elif flags & BTRFS_BLOCK_GROUP_RAID10:
          ret += ' raid10'
      elif flags & BTRFS_BLOCK_GROUP_RAID5:
          ret += ' raid5'
      elif flags & BTRFS_BLOCK_GROUP_RAID6:
          ret += ' raid6'
      elif flags & BTRFS_BLOCK_GROUP_RAID1C3:
          ret += ' raid1c3'
      elif flags & BTRFS_BLOCK_GROUP_RAID1C4:
          ret += ' raid1c4'
      else:
          ret += ' single'

      return ret

  def dump_bg(bg):
      print()
      print(f'block group at {hex(bg.value_())}')
      print(f'\t start {bg.start.value_()} length {bg.length.value_()}')
      print(f'\t flags {bg.flags.value_()} - {bg_flags_string(bg)}')

  bg_root = fs_info.block_group_cache_tree.address_of_()
  for bg in rbtree_inorder_for_each_entry('struct btrfs_block_group', bg_root, 'cache_node'):
      dump_bg(bg)

  $ drgn dump_block_groups.py

  block group at 0xffff8f3d673b0400
         start 22020096 length 16777216
         flags 258 - system raid6

  block group at 0xffff8f3d53ddb400
         start 38797312 length 536870912
         flags 260 - meta raid6

  block group at 0xffff8f3d5f4d9c00
         start 575668224 length 2147483648
         flags 257 - data raid6

  block group at 0xffff8f3d08189000
         start 2723151872 length 67108864
         flags 258 - system raid6

  block group at 0xffff8f3db70ff000
         start 2790260736 length 1073741824
         flags 260 - meta raid6

  block group at 0xffff8f3d5f4dd800
         start 3864002560 length 67108864
         flags 258 - system raid6

  block group at 0xffff8f3d67037000
         start 3931111424 length 2147483648
         flags 257 - data raid6
  $

So there were only 2 reasons left for having a readahead extent with a
single zone: reada_find_zone(), called when creating a readahead extent,
returned NULL either because we failed to find the corresponding block
group or because a memory allocation failed. With some additional and
custom tracing I figured out that on every further ocurrence of the
problem the block group had just been deleted when we were looping to
create the zones for the readahead extent (at reada_find_extent()), so we
ended up with only one zone in the readahead extent, corresponding to a
device that ends up getting replaced.

So after figuring that out it became obvious why the hang happens:

1) Task A starts a scrub on any device of the filesystem, except for
   device /dev/sdd;

2) Task B starts a device replace with /dev/sdd as the source device;

3) Task A calls btrfs_reada_add() from scrub_stripe() and it is currently
   starting to scrub a stripe from block group X. This call to
   btrfs_reada_add() is the one for the extent tree. When btrfs_reada_add()
   calls reada_add_block(), it passes the logical address of the extent
   tree's root node as its 'logical' argument - a value of 38928384;

4) Task A then enters reada_find_extent(), called from reada_add_block().
   It finds there isn't any existing readahead extent for the logical
   address 38928384, so it proceeds to the path of creating a new one.

   It calls btrfs_map_block() to find out which stripes exist for the block
   group X. On the first iteration of the for loop that iterates over the
   stripes, it finds the stripe for device /dev/sdd, so it creates one
   zone for that device and adds it to the readahead extent. Before getting
   into the second iteration of the loop, the cleanup kthread deletes block
   group X because it was empty. So in the iterations for the remaining
   stripes it does not add more zones to the readahead extent, because the
   calls to reada_find_zone() returned NULL because they couldn't find
   block group X anymore.

   As a result the new readahead extent has a single zone, corresponding to
   the device /dev/sdd;

4) Before task A returns to btrfs_reada_add() and queues the readahead job
   for the readahead work queue, task B finishes the device replace and at
   btrfs_dev_replace_finishing() swaps the device /dev/sdd with the new
   device /dev/sdg;

5) Task A returns to reada_add_block(), which increments the counter
   "->elems" of the reada_control structure allocated at btrfs_reada_add().

   Then it returns back to btrfs_reada_add() and calls
   reada_start_machine(). This queues a job in the readahead work queue to
   run the function reada_start_machine_worker(), which calls
   __reada_start_machine().

   At __reada_start_machine() we take the device list mutex and for each
   device found in the current device list, we call
   reada_start_machine_dev() to start the readahead work. However at this
   point the device /dev/sdd was already freed and is not in the device
   list anymore.

   This means the corresponding readahead for the extent at 38928384 is
   never started, and therefore the "->elems" counter of the reada_control
   structure allocated at btrfs_reada_add() never goes down to 0, causing
   the call to btrfs_reada_wait(), done by the scrub task, to wait forever.

Note that the readahead request can be made either after the device replace
started or before it started, however in pratice it is very unlikely that a
device replace is able to start after a readahead request is made and is
able to complete before the readahead request completes - maybe only on a
very small and nearly empty filesystem.

This hang however is not the only problem we can have with readahead and
device removals. When the readahead extent has other zones other than the
one corresponding to the device that is being removed (either by a device
replace or a device remove operation), we risk having a use-after-free on
the device when dropping the last reference of the readahead extent.

For example if we create a readahead extent with two zones, one for the
device /dev/sdd and one for the device /dev/sde:

1) Before the readahead worker starts, the device /dev/sdd is removed,
   and the corresponding btrfs_device structure is freed. However the
   readahead extent still has the zone pointing to the device structure;

2) When the readahead worker starts, it only finds device /dev/sde in the
   current device list of the filesystem;

3) It starts the readahead work, at reada_start_machine_dev(), using the
   device /dev/sde;

4) Then when it finishes reading the extent from device /dev/sde, it calls
   __readahead_hook() which ends up dropping the last reference on the
   readahead extent through the last call to reada_extent_put();

5) At reada_extent_put() it iterates over each zone of the readahead extent
   and attempts to delete an element from the device's 'reada_extents'
   radix tree, resulting in a use-after-free, as the device pointer of the
   zone for /dev/sdd is now stale. We can also access the device after
   dropping the last reference of a zone, through reada_zone_release(),
   also called by reada_extent_put().

And a device remove suffers the same problem, however since it shrinks the
device size down to zero before removing the device, it is very unlikely to
still have readahead requests not completed by the time we free the device,
the only possibility is if the device has a very little space allocated.

While the hang problem is exclusive to scrub, since it is currently the
only user of btrfs_reada_add() and btrfs_reada_wait(), the use-after-free
problem affects any path that triggers readhead, which includes
btree_readahead_hook() and __readahead_hook() (a readahead worker can
trigger readahed for the children of a node) for example - any path that
ends up calling reada_add_block() can trigger the use-after-free after a
device is removed.

So fix this by waiting for any readahead requests for a device to complete
before removing a device, ensuring that while waiting for existing ones no
new ones can be made.

This problem has been around for a very long time - the readahead code was
added in 2011, device remove exists since 2008 and device replace was
introduced in 2013, hard to pick a specific commit for a git Fixes tag.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ctree.h       |    2 ++
 fs/btrfs/dev-replace.c |    5 +++++
 fs/btrfs/reada.c       |   45 +++++++++++++++++++++++++++++++++++++++++++++
 fs/btrfs/volumes.c     |    3 +++
 fs/btrfs/volumes.h     |    1 +
 5 files changed, 56 insertions(+)

Message ID	20201103203402.922966642@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=OO/H=EJ=vger.kernel.org=stable-owner@kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED15BC388F7 for <stable@archiver.kernel.org>; Tue, 3 Nov 2020 21:52:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7DB2A223AB for <stable@archiver.kernel.org>; Tue, 3 Nov 2020 21:52:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604440375; bh=i9SA0QsbalQsrVqR2ESEOpcpBwyJKNzLpgjg+MobGrc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=fsNEIWUJ3RcRzLc59LwjEBoHOjl3++a9TmEMaBrgNUqoZ7QU7qiex+4wEs5Y61qfD M5oct+8nZFRxsts4py1J+xmVrs4TJm9uxBlhytepUj+PjpK8X4bAyNyzIPNiuajYF/ M0CAj9i763W5ML+o8+a9//AI5wEVgaf75jA3DUo0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731840AbgKCVwy (ORCPT <rfc822;stable@archiver.kernel.org>); Tue, 3 Nov 2020 16:52:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:36406 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730170AbgKCUqp (ORCPT <rfc822;stable@vger.kernel.org>); Tue, 3 Nov 2020 15:46:45 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AC03A22409; Tue, 3 Nov 2020 20:46:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604436403; bh=i9SA0QsbalQsrVqR2ESEOpcpBwyJKNzLpgjg+MobGrc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=t4NDhNqITI9VSeX2pDWYpQPioxLc48ueeGJsdHe0OFy7myBtkhkuI6B+031bd/kSm UVul6uid5iGBsNrXoI/KS58NqpgKom1MxgKu4DBsykOT3XpdtcVGqVbpZnojV33Hh3 jtIKey2Odb6TwE9nGxVai/DAkc34gLU5212MWQT8= From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Josef Bacik <josef@toxicpanda.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com> Subject: [PATCH 5.9 236/391] btrfs: fix readahead hang and use-after-free after removing a device Date: Tue, 3 Nov 2020 21:34:47 +0100 Message-Id: <20201103203402.922966642@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203348.153465465@linuxfoundation.org> References: <20201103203348.153465465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: <stable.vger.kernel.org> X-Mailing-List: stable@vger.kernel.org
Series	None \| expand [5.9,002/391] xen/events: add a proper barrier to 2-level uevent unmasking [5.9,004/391] xen/events: add a new "late EOI" evtchn framework [5.9,005/391] xen/blkback: use lateeoi irq binding [5.9,008/391] xen/pvcallsback: use lateeoi irq binding [5.9,010/391] xen/events: switch user event channels to lateeoi model [5.9,014/391] firmware: arm_scmi: Fix ARCH_COLD_RESET [5.9,015/391] firmware: arm_scmi: Expand SMC/HVC message pool to more than one [5.9,016/391] tee: client UUID: Skip REE kernel login method as well [5.9,017/391] firmware: arm_scmi: Add missing Rx size re-initialisation [5.9,018/391] x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled ker... [5.9,022/391] ionic: no rx flush in deinit [5.9,023/391] RDMA/mlx5: Fix devlink deadlock on net namespace deletion [5.9,027/391] afs: Fix afs_launder_page to not clear PG_writeback [5.9,029/391] ata: sata_nv: Fix retrieving of active qcs [5.9,031/391] afs: Fix to take ref on page when PG_private is set [5.9,032/391] afs: Fix page leak on afs_write_begin() failure [5.9,035/391] afs: Alter dirty range encoding in page->private [5.9,036/391] afs: Fix afs_invalidatepage to adjust the dirty region [5.9,039/391] interconnect: qcom: sdm845: Enable keepalive for the MM1 BCM [5.9,042/391] futex: Fix incorrect should_fail_futex() handling [5.9,043/391] powerpc/vmemmap: Fix memory leak with vmemmap list allocation failures. [5.9,045/391] RDMA/core: Change how failing destroy is handled during uobj abort [5.9,047/391] powerpc/watchpoint/ptrace: Fix SETHWDEBUG when CONFIG_HAVE_HW_BREAKPOINT=N [5.9,050/391] sparc64: remove mm_cpumask clearing to fix kthread_use_mm race [5.9,051/391] f2fs: add trace exit in exception path [5.9,052/391] f2fs: do sanity check on zoned block device path [5.9,053/391] f2fs: fix uninit-value in f2fs_lookup [5.9,055/391] s390/startup: avoid save_area_sync overflow [5.9,056/391] f2fs: compress: fix to disallow enabling compress on non-empty file [5.9,057/391] s390/ap/zcrypt: revisit ap and zcrypt error handling [5.9,058/391] um: change sigio_spinlock to a mutex [5.9,061/391] powerpc/64s: handle ISA v3.1 local copy-paste context switches [5.9,063/391] NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source [5.9,068/391] xfs: change the order in which child and parent defer ops are finished [5.9,070/391] io_uring: dont set COMP_LOCKED if wont put [5.9,071/391] ath10k: fix retry packets update in station dump [5.9,073/391] drm/ast: Separate DRM driver from PCI code [5.9,076/391] ath10k: start recovery process when payload length exceeds max htc length for sdio [5.9,078/391] drm/scheduler: Scheduler priority fixes (v2) [5.9,081/391] selftests/x86/fsgsbase: Reap a forgotten child [5.9,082/391] drm/bridge_connector: Set default status connected for eDP connectors [5.9,084/391] ASoC: AMD: Clean kernel log from deferred probe error messages [5.9,085/391] misc: fastrpc: fix common struct sg_table related issues [5.9,086/391] staging: wfx: fix potential use before init [5.9,089/391] media: tw5864: check status of tw5864_frameinterval_get [5.9,092/391] mmc: via-sdmmc: Fix data race bug [5.9,093/391] drm/bridge/synopsys: dsi: add support for non-continuous HS clock [5.9,094/391] brcmfmac: increase F2 watermark for BCM4329 [5.9,095/391] arm64: topology: Stop using MPIDR for topology information [5.9,098/391] selftests/powerpc: Make using_hash_mmu() work on Cell & PowerMac [5.9,099/391] kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" [5.9,101/391] drm: exynos: fix common struct sg_table related issues [5.9,102/391] xen: gntdev: fix common struct sg_table related issues [5.9,103/391] drm: lima: fix common struct sg_table related issues [5.9,104/391] drm: panfrost: fix common struct sg_table related issues [5.9,105/391] media: uvcvideo: Fix dereference of out-of-bound list iterator [5.9,107/391] selftests/bpf: Define string const as global for test_sysctl_prog.c [5.9,109/391] samples/bpf: Fix possible deadlock in xdpsock [5.9,113/391] USB: adutux: fix debugging [5.9,115/391] coresight: Make sysfs functional on topologies with per core sink [5.9,116/391] drm/amdgpu: No sysfs, not an error condition [5.9,119/391] SUNRPC: Mitigate cond_resched() in xprt_transmit() [5.9,123/391] habanalabs: remove security from ARB_MST_QUIET register [5.9,124/391] xfs: dont free rt blocks when were doing a REMAP bunmapi call [5.9,126/391] ACPI: Add out of bounds and numa_off protections to pxm_to_node() [5.9,128/391] brcmfmac: Fix warning message after dongle setup failed [5.9,129/391] ath11k: Use GFP_ATOMIC instead of GFP_KERNEL in ath11k_dp_htt_get_ppdu_desc [5.9,131/391] ath11k: change to disable softirqs for ath11k_regd_update to solve deadlock [5.9,132/391] drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values [5.9,135/391] bus/fsl_mc: Do not rely on caller to provide non NULL mc_io [5.9,136/391] ACPI: HMAT: Fix handling of changes from ACPI 6.2 to ACPI 6.3 [5.9,139/391] drm/amd/display: Avoid set zero in the requested clk [5.9,140/391] ARC: [dts] fix the errors detected by dtbs_check [5.9,142/391] btrfs: fix replace of seed device [5.9,144/391] f2fs: fix to set SBI_NEED_FSCK flag for inconsistent inode [5.9,146/391] rpmsg: glink: Use complete_all for open states [5.9,149/391] nfsd: rename delegation related tracepoints to make them less confusing [5.9,152/391] ceph: encode inodes parent/d_name in cap reconnect message [5.9,154/391] jbd2: avoid transaction reuse after reformatting [5.9,156/391] KVM: PPC: Book3S HV: Do not allocate HPT for a nested guest [5.9,160/391] gfs2: use-after-free in sysfs deregistration [5.9,161/391] gfs2: add validation checks for size of superblock [5.9,163/391] cifs: handle -EINTR in cifs_setattr [5.9,166/391] memory: emif: Remove bogus debugfs error handling [5.9,167/391] ARM: dts: s5pv210: Enable audio on Aries boards [5.9,169/391] ARM: dts: s5pv210: move fixed clocks under root node [5.9,171/391] ARM: dts: s5pv210: remove dedicated audio-subsystem node [5.9,173/391] ARM: dts: s5pv210: align SPI GPIO node name with dtschema in Aries [5.9,174/391] soc: qcom: rpmh-rsc: Sleep waiting for tcs slots to be free [5.9,175/391] soc: ti: k3: ringacc: add am65x sr2.0 support [5.9,176/391] bindings: soc: ti: soc: ringacc: remove ti,dma-ring-reset-quirk [5.9,177/391] firmware: arm_scmi: Move scmi bus init and exit calls into the driver [5.9,178/391] arm64: dts: qcom: kitakami: Temporarily disable SDHCI1 [5.9,179/391] nbd: make the config put is called before the notifying the waiter [5.9,182/391] vmlinux.lds.h: Add PGO and AutoFDO input sections [5.9,183/391] irqchip/loongson-htvec: Fix initial interrupt clearing [5.9,185/391] md/raid5: fix oops during stripe resizing [5.9,189/391] seccomp: Make duplicate listener detection non-racy [5.9,191/391] perf/x86/intel: Fix Ice Lake event constraint table [5.9,192/391] perf/x86/amd: Fix sampling Large Increment per Cycle events [5.9,194/391] perf/x86/amd/ibs: Dont include randomized bits in get_ibs_op_count() [5.9,195/391] perf/x86/amd/ibs: Fix raw sample data accumulation [5.9,197/391] spi: sprd: Release DMA channel also on probe deferral [5.9,198/391] extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips [5.9,200/391] hwmon: (pmbus/max34440) Fix OC fault limits [5.9,203/391] ACPI: configfs: Add missing config_item_put() to fix refcount leak [5.9,204/391] NFS: fix nfs_path in case of a rename retry [5.9,206/391] ACPI / extlog: Check for RDMSR failure [5.9,208/391] ACPI: debug: dont allow debugging when ACPI is disabled [5.9,210/391] ACPI: EC: PM: Flush EC work unconditionally after wakeup [5.9,212/391] acpi-cpufreq: Honor _PSD table setting on new AMD CPUs [5.9,213/391] io-wq: assign NUMA node locality if appropriate [5.9,215/391] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum [5.9,216/391] scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() [5.9,218/391] scsi: qla2xxx: Fix reset of MPI firmware [5.9,222/391] btrfs: improve device scanning messages [5.9,223/391] btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations [5.9,225/391] btrfs: tracepoints: output proper root owner for trace_find_free_extent() [5.9,226/391] btrfs: reschedule if necessary when logging directory items [5.9,228/391] btrfs: send, recompute reference path after orphanization of a directory [5.9,229/391] btrfs: use kvzalloc() to allocate clone_roots in btrfs_ioctl_send() [5.9,231/391] btrfs: reschedule when cloning lots of extents [5.9,233/391] btrfs: skip devices without magic signature when mounting [5.9,234/391] btrfs: tree-checker: validate number of chunk stripes and parity [5.9,236/391] btrfs: fix readahead hang and use-after-free after removing a device [5.9,237/391] btrfs: drop the path before adding block group sysfs files [5.9,240/391] usb: dwc3: ep0: Fix ZLP for OUT ep0 requests [5.9,242/391] usb: dwc3: gadget: Reclaim extra TRBs after request completion [5.9,243/391] usb: dwc3: core: add phy cleanup for probe error handling [5.9,246/391] usb: dwc3: gadget: END_TRANSFER before CLEAR_STALL command [5.9,248/391] usb: cdc-acm: fix cooldown mechanism [5.9,250/391] usb: host: fsl-mph-dr-of: check return of dma_set_mask() [5.9,252/391] USB: apple-mfi-fastcharge: dont probe unhandled devices [5.9,255/391] vt: keyboard, extend func_buf_lock to readers [5.9,257/391] HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery [5.9,258/391] x86/mce: Allow for copy_mc_fragile symbol checksum to be generated [5.9,263/391] powerpc: Fix random segfault when freeing hugetlb range [5.9,265/391] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status [5.9,267/391] drm/shme-helpers: Fix dma_buf_mmap forwarding bug [5.9,269/391] iio: adc: at91-sama5d2_adc: fix DMA conversion crash [5.9,270/391] iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues. [5.9,272/391] iio:light:si1145: Fix timestamp alignment and prevent data leak. [5.9,273/391] iio: adc: gyroadc: fix leak of device node iterator [5.9,275/391] iio:adc:ti-adc0832 Fix alignment issue with timestamp [5.9,276/391] iio:adc:ti-adc12138 Fix alignment issue with timestamp [5.9,277/391] iio:imu:st_lsm6dsx Fix alignment and data leak issues [5.9,278/391] iio:gyro:itg3200: Fix timestamp alignment and prevent data leak. [5.9,281/391] rcu-tasks: Fix low-probability task_struct leak [5.9,282/391] rcu-tasks: Enclose task-list scan in rcu_read_lock() [5.9,283/391] MIPS: DEC: Restore bootmem reservation for firmware working memory area [5.9,286/391] powerpc/rtas: Restrict RTAS requests from userspace [5.9,287/391] powerpc: Warn about use of smt_snooze_delay [5.9,288/391] powerpc/memhotplug: Make lmb size 64bit [5.9,292/391] powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation [5.9,296/391] io_uring: use type appropriate io_kiocb handler for double poll [5.9,298/391] gfs2: Make sure we dont miss any delayed withdraws [5.9,299/391] gfs2: Only access gl_delete for iopen glocks [5.9,301/391] NFSv4.2: support EXCHGID4_FLAG_SUPP_FENCE_OPS 4.2 EXCHANGE_ID flag [5.9,302/391] NFSD: Add missing NFSv2 .pc_func methods [5.9,304/391] ubifs: xattr: Fix some potential memory leaks while iterating entries [5.9,305/391] ubifs: journal: Make sure to not dirty twice for auth nodes [5.9,307/391] ubifs: Dont parse authentication mount options in remount process [5.9,308/391] ubifs: mount_ubifs: Release authentication resource in error handling path [5.9,312/391] ubi: check kthread_should_stop() after the setting of task state [5.9,313/391] ia64: fix build error with !COREDUMP [5.9,315/391] i2c: imx: Fix external abort on interrupt in exit paths [5.9,318/391] drm/amd/display: Increase timeout for DP Disable [5.9,319/391] drm/amdgpu: vcn and jpeg ring synchronization [5.9,320/391] drm/amdgpu: update golden setting for sienna_cichlid [5.9,322/391] drm/amdkfd: Use same SQ prefetch setting as amdgpu [5.9,325/391] drm/amdgpu: increase the reserved VM size to 2MB [5.9,326/391] drm/amd/display: Dont invoke kgdb_breakpoint() unconditionally [5.9,328/391] ceph: promote to unsigned long long before shifting [5.9,332/391] PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0 [5.9,334/391] intel_idle: Ignore _CST if control cannot be taken from the platform [5.9,337/391] cpufreq: Introduce CPUFREQ_NEED_UPDATE_LIMITS driver flag [5.9,338/391] cpufreq: intel_pstate: Avoid missing HWP max updates in passive mode [5.9,340/391] ext4: fix leaking sysfs kobject after failed mount [5.9,343/391] ext4: fix invalid inode checksum [5.9,344/391] ext4: fix superblock checksum calculation race [5.9,346/391] ext4: fix bdev write error check failed when mount fs with ro [5.9,347/391] ext4: fix bs < ps issue reported with dioread_nolock mount opt [5.9,349/391] drm/ttm: fix eviction valuable range check. [5.9,350/391] mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 [5.9,352/391] mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true [5.9,356/391] drm/amdgpu/swsmu: drop smu i2c bus on navi1x [5.9,358/391] drm/amd/pm: fix pp_dpm_fclk [5.9,359/391] drm/amd/swsmu: add missing feature map for sienna_cichlid [5.9,363/391] arm64: berlin: Select DW_APB_TIMER_OF [5.9,365/391] hil/parisc: Disable HIL driver when it gets stuck [5.9,366/391] arm: dts: mt7623: add missing pause for switchport [5.9,367/391] ARM: aspeed: g5: Do not set sirq polarity [5.9,369/391] ARM: config: aspeed: Fix selection of media drivers [5.9,371/391] ARM: s3c24xx: fix missing system reset [5.9,372/391] arm64: Change .weak to SYM_FUNC_START_WEAK_PI for arch/arm64/lib/mem*.S [5.9,373/391] arm64: dts: marvell: espressobin: Add ethernet switch aliases [5.9,375/391] coresight: cti: Initialize dynamic sysfs attributes [5.9,377/391] device property: Dont clear secondary pointer for shared primary firmware node [5.9,379/391] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR [5.9,383/391] staging: octeon: repair "fixed-link" support [5.9,384/391] staging: octeon: Drop on uncorrectable alignment or FCS error [5.9,386/391] cpufreq: schedutil: Always call driver if CPUFREQ_NEED_UPDATE_LIMITS is set [5.9,388/391] vdpa/mlx5: Fix error return in map_direct_mr() [5.9,389/391] time: Prevent undefined behaviour in timespec64_to_ns() [5.9,390/391] time/sched_clock: Mark sched_clock_read_begin/retry() as notrace

[5.9,236/391] btrfs: fix readahead hang and use-after-free after removing a device

Commit Message

Patch