-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBtjk0ACgkQONu9yGCS
aT67fA//b+kjELShGiGxLBK+dWFXnYn8tLJJ6G1Bq2WvBiMxSkbXgG5tCqJKAk0t
yhva5Ljo7eAJ9GEQnv/UL3qnsrW4r6ThT3u0Ort2YxBi3pw2U8PyU7pRTFSnGj/C
QxtGvXfh5DIsxOWppbUz5X8jWABTrYXmMEe7WCONVFTLWwHuhV4RRPycvis8wY4w
1NtGx5KVJR1EYANXHrhKsI4J9dCAXg+K9I6PyWkHDEzCgXrwdticMNOVYgZ5ByTN
ofkmBX+j/AL2veXTV8sAOA/H9SQ0pJStzy99IoZQ/IzFAKqCuh+JhkMvnDQYhfx1
eDwTFG7Dl6pCbyCsb2iGXzJioTuk5LGXw7+uqVXO1YRUNpekl7x97rhn/q6PoEof
OImU1+MOBPhVZVA0yYYQf6URCxh7F/s7MsbenmxZbIF9tstZC7HoezqzdFg4YF/I
pKqlIBxSes+fJCZb1LiQI2KkaNtD0i/KJljGduCkPF4Axgb2/KEmePDyIeB8hr12
nT++9BIkIFM4d19IgtBnWrOIuALx15WeEQKXzbUxl9nt2peh7K6HvjcXJUOxJz2W
qsdHnjGE1v6atKHD4DiDRAnliD9cJ41ImP3S8WHH1UxWNOMQ/dTlBAY7Z+XC/4eo
8+6gqAE8MHKvP62yd4zsuWXkhnUeryRtL8AGBvVxkTFa/mtaKAU=
=rqGc
-----END PGP SIGNATURE-----
Merge 4.19.185 into android-4.19-stable
Changes in 4.19.185
selinux: vsock: Set SID for socket returned by accept()
tcp: relookup sock for RST+ACK packets handled by obsolete req sock
ipv6: weaken the v4mapped source check
ext4: fix bh ref count on error paths
rpc: fix NULL dereference on kmalloc failure
ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10
ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10
ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe
ASoC: es8316: Simplify adc_pga_gain_tlv table
ASoC: cs42l42: Fix Bitclock polarity inversion
ASoC: cs42l42: Fix channel width support
ASoC: cs42l42: Fix mixer volume control
ASoC: cs42l42: Always wait at least 3ms after reset
vhost: Fix vhost_vq_reset()
scsi: st: Fix a use after free in st_open()
scsi: qla2xxx: Fix broken #endif placement
staging: comedi: cb_pcidas: fix request_irq() warn
staging: comedi: cb_pcidas64: fix request_irq() warn
ASoC: rt5659: Update MCLK rate in set_sysclk()
thermal/core: Add NULL pointer check before using cooling device stats
locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling
ext4: do not iput inode under running transaction in ext4_rename()
brcmfmac: clear EAP/association status bits on linkdown events
ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()
net: ethernet: aquantia: Handle error cleanup of start on open
appletalk: Fix skb allocation size in loopback case
net: wan/lmc: unregister device when no matching device is found
bpf: Remove MTU check in __bpf_skb_max_len
ALSA: usb-audio: Apply sample rate quirk to Logitech Connect
ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO
ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook
PM: runtime: Fix race getting/putting suppliers at probe
PM: runtime: Fix ordering in pm_runtime_get_suppliers()
tracing: Fix stack trace event size
mm: fix race by making init_zero_pfn() early_initcall
drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings()
drm/amdgpu: check alignment on CPU page for bo map
reiserfs: update reiserfs_xattrs_initialized() condition
pinctrl: rockchip: fix restore error in resume
extcon: Add stubs for extcon_register_notifier_all() functions
extcon: Fix error handling in extcon_dev_register
firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control()
USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem
usb: musb: Fix suspend with devices connected for a64
usb: xhci-mtk: fix broken streams issue on 0.96 xHCI
cdc-acm: fix BREAK rx code path adding necessary calls
USB: cdc-acm: untangle a circular dependency between callback and softint
USB: cdc-acm: downgrade message to debug
USB: cdc-acm: fix double free on probe failure
USB: cdc-acm: fix use-after-free after probe failure
usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference
usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board.
staging: rtl8192e: Fix incorrect source in memcpy()
staging: rtl8192e: Change state information from u16 to u8
drivers: video: fbcon: fix NULL dereference in fbcon_cursor()
Linux 4.19.185
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I65f4fd7d1b60193895371093882ab33943d22e7c
commit e720e7d0e983bf05de80b231bccc39f1487f0f16 upstream.
There are code paths that rely on zero_pfn to be fully initialized
before core_initcall. For example, wq_sysfs_init() is a core_initcall
function that eventually results in a call to kernel_execve, which
causes a page fault with a subsequent mmput. If zero_pfn is not
initialized by then it may not get cleaned up properly and result in an
error:
BUG: Bad rss-counter state mm:(ptrval) type:MM_ANONPAGES val:1
Here is an analysis of the race as seen on a MIPS device. On this
particular MT7621 device (Ubiquiti ER-X), zero_pfn is PFN 0 until
initialized, at which point it becomes PFN 5120:
1. wq_sysfs_init calls into kobject_uevent_env at core_initcall:
kobject_uevent_env+0x7e4/0x7ec
kset_register+0x68/0x88
bus_register+0xdc/0x34c
subsys_virtual_register+0x34/0x78
wq_sysfs_init+0x1c/0x4c
do_one_initcall+0x50/0x1a8
kernel_init_freeable+0x230/0x2c8
kernel_init+0x10/0x100
ret_from_kernel_thread+0x14/0x1c
2. kobject_uevent_env() calls call_usermodehelper_exec() which executes
kernel_execve asynchronously.
3. Memory allocations in kernel_execve cause a page fault, bumping the
MM reference counter:
add_mm_counter_fast+0xb4/0xc0
handle_mm_fault+0x6e4/0xea0
__get_user_pages.part.78+0x190/0x37c
__get_user_pages_remote+0x128/0x360
get_arg_page+0x34/0xa0
copy_string_kernel+0x194/0x2a4
kernel_execve+0x11c/0x298
call_usermodehelper_exec_async+0x114/0x194
4. In case zero_pfn has not been initialized yet, zap_pte_range does
not decrement the MM_ANONPAGES RSS counter and the BUG message is
triggered shortly afterwards when __mmdrop checks the ref counters:
__mmdrop+0x98/0x1d0
free_bprm+0x44/0x118
kernel_execve+0x160/0x1d8
call_usermodehelper_exec_async+0x114/0x194
ret_from_kernel_thread+0x14/0x1c
To avoid races such as described above, initialize init_zero_pfn at
early_initcall level. Depending on the architecture, ZERO_PAGE is
either constant or gets initialized even earlier, at paging_init, so
there is no issue with initializing zero_pfn earlier.
Link: https://lkml.kernel.org/r/CALCv0x2YqOXEAy2Q=hafjhHCtTHVodChv1qpM=niAXOpqEbt7w@mail.gmail.com
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: stable@vger.kernel.org
Tested-by: 周琰杰 (Zhou Yanjie) <zhouyanjie@wanyeetech.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBSI8oACgkQONu9yGCS
aT7NwhAAsXPkFGT0ZgUX0t3HZUL4RB1e9j8xD2qr4CTspGiK/cF2ykd1RXWtfaY2
o5uc7wRmBBVQV33vS7djyJJMI5NgO588r0TT2DrlzIskfl+aWvTxKggh4A+DPKsu
QCRX5fOOd4EFYiKyLNtPxg5z6R8yg0Ejqgjzzvc03wYn8AL5SLWH8bgPb1FCNEfm
8YzYrRIu7rTUC3PrXPq81gWWHR77eojME7K9NUKSkUnh7mbdu6CVdrYb+wRvoAnf
qwlhV5Mf0GWzf/z3v9TKgKSuMjmlcoQnZD72rYClEiLBIleN/VzWhfKK/E+ODidr
WImeQGLJPfDDKiiU9tNypvmWdKjuqcNcVkIWAVzEkEIhaAOI8LPFWgc/iH0+9fWk
o5s/hcs1FZ9dSbEHotR5ENUFmy85/XMl+wgkOmfUwvWufqsqkS3mYipbszJ9MMBH
d7dYL4CTa/+KQ/uPbFJSnnxO9KgjLNO14IAiMY9lPshT8gkTy4eP2WtmsF6MyGEs
Y/p2KP0Ga4ib1b9lkmeVq3MK5vqaHQnI9BF4tyHI6RFwH29phapKzbC/AYpA69fd
Jn3y7uywt/f7++V1JUDiQ0QD6jV9/xgRbFBjSj59zjrD2xzZYLQ5kWoocNnUhq+g
TH5zTlyeODZTA58Ut623T30Rw5YYXpJtnGZGuOKqVAyWQHBd7Ls=
=wNgO
-----END PGP SIGNATURE-----
Merge 4.19.181 into android-4.19-stable
Changes in 4.19.181
uapi: nfnetlink_cthelper.h: fix userspace compilation error
ethernet: alx: fix order of calls on resume
ath9k: fix transmitting to stations in dynamic SMPS mode
net: Fix gro aggregation for udp encaps with zero csum
net: Introduce parse_protocol header_ops callback
can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
can: flexcan: assert FRZ bit in flexcan_chip_freeze()
can: flexcan: enable RX FIFO after FRZ/HALT valid
netfilter: x_tables: gpf inside xt_find_revision()
mt76: dma: do not report truncated frames to mac80211
tcp: annotate tp->copied_seq lockless reads
tcp: annotate tp->write_seq lockless reads
tcp: add sanity tests to TCP_QUEUE_SEQ
cifs: return proper error code in statfs(2)
scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names
Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
sh_eth: fix TRSCER mask for SH771x
net: check if protocol extracted by virtio_net_hdr_set_proto is correct
net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
net/mlx4_en: update moderation when config reset
net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10
net: sched: avoid duplicates in classes dump
net: usb: qmi_wwan: allow qmimux add/del with master up
cipso,calipso: resolve a number of problems with the DOI refcounts
net: lapbether: Remove netif_start_queue / netif_stop_queue
net: davicom: Fix regulator not turned off on failed probe
net: davicom: Fix regulator not turned off on driver removal
net: qrtr: fix error return code of qrtr_sendmsg()
net: stmmac: stop each tx channel independently
net: stmmac: fix watchdog timeout during suspend/resume stress test
selftests: forwarding: Fix race condition in mirror installation
perf traceevent: Ensure read cmdlines are null terminated.
s390/cio: return -EFAULT if copy_to_user() fails again
drm/compat: Clear bounce structures
drm: meson_drv add shutdown function
s390/cio: return -EFAULT if copy_to_user() fails
sh_eth: fix TRSCER mask for R7S9210
media: usbtv: Fix deadlock on suspend
media: v4l: vsp1: Fix uif null pointer access
media: v4l: vsp1: Fix bru null pointer access
net: phy: fix save wrong speed and duplex problem if autoneg is on
i2c: rcar: optimize cacheline to minimize HW race condition
udf: fix silent AED tagLocation corruption
mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()'
mmc: mediatek: fix race condition between msdc_request_timeout and irq
powerpc/pci: Add ppc_md.discover_phbs()
powerpc: improve handling of unrecoverable system reset
powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
sparc32: Limit memblock allocation to low memory
sparc64: Use arch_validate_flags() to validate ADI flag
PCI: xgene-msi: Fix race in installing chained irq handler
PCI: mediatek: Add missing of_node_put() to fix reference leak
PCI: Fix pci_register_io_range() memory leak
i40e: Fix memory leak in i40e_probe
s390/smp: __smp_rescan_cpus() - move cpumask away from stack
scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
scsi: target: core: Add cmd length set before cmd complete
scsi: target: core: Prevent underflow for service actions
ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk
ALSA: hda/hdmi: Cancel pending works before suspend
ALSA: hda: Drop the BATCH workaround for AMD controllers
ALSA: hda: Avoid spurious unsol event handling during S3/S4
ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
ALSA: usb-audio: Apply the control quirk to Plantronics headsets
Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
s390/dasd: fix hanging DASD driver unbind
s390/dasd: fix hanging IO request during DASD driver unbind
mmc: core: Fix partition switch time for eMMC
mmc: cqhci: Fix random crash when remove mmc module/card
Goodix Fingerprint device is not a modem
USB: gadget: u_ether: Fix a configfs return code
usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
usb: gadget: f_uac1: stop playback on function disable
usb: dwc3: qcom: Honor wakeup enabled/disabled state
USB: usblp: fix a hang in poll() if disconnected
usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
xhci: Improve detection of device initiated wake signal.
usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
USB: serial: io_edgeport: fix memory leak in edge_startup
USB: serial: ch341: add new Product ID
USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
USB: serial: cp210x: add some more GE USB IDs
usbip: fix stub_dev to check for stream socket
usbip: fix vhci_hcd to check for stream socket
usbip: fix vudc to check for stream socket
usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
usbip: fix vhci_hcd attach_store() races leading to gpf
usbip: fix vudc usbip_sockfd_store races leading to gpf
staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
staging: rtl8712: unterminated string leads to read overflow
staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
staging: comedi: addi_apci_1032: Fix endian problem for COS sample
staging: comedi: addi_apci_1500: Fix endian problem for command sample
staging: comedi: adv_pci1710: Fix endian problem for AI command data
staging: comedi: das6402: Fix endian problem for AI command data
staging: comedi: das800: Fix endian problem for AI command data
staging: comedi: dmm32at: Fix endian problem for AI command data
staging: comedi: me4000: Fix endian problem for AI command data
staging: comedi: pcl711: Fix endian problem for AI command data
staging: comedi: pcl818: Fix endian problem for AI command data
sh_eth: fix TRSCER mask for R7S72100
NFSv4.2: fix return value of _nfs4_get_security_label()
block: rsxx: fix error return code of rsxx_pci_probe()
configfs: fix a use-after-free in __configfs_open_file
hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event()
stop_machine: mark helpers __always_inline
include/linux/sched/mm.h: use rcu_dereference in in_vfork()
powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
binfmt_misc: fix possible deadlock in bm_register_write
x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
hwmon: (lm90) Fix max6658 sporadic wrong temperature reading
KVM: arm64: Fix exclusive limit for IPA size
xen/events: reset affinity of 2-level event when tearing it down
xen/events: don't unmask an event channel when an eoi is pending
xen/events: avoid handling the same event on two cpus at the same time
Linux 4.19.181
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia622d8e9146f5ff0e1542780a39f83a7b6fed8d1
commit 9b1ea29bc0d7b94d420f96a0f4121403efc3dd85 upstream.
This reverts commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf.
The kernel test robot reports a huge performance regression due to the
commit, and the reason seems fairly straightforward: when there is
contention on the page list (which is what causes acquire_slab() to
fail), we do _not_ want to just loop and try again, because that will
transfer the contention to the 'n->list_lock' spinlock we hold, and
just make things even worse.
This is admittedly likely a problem only on big machines - the kernel
test robot report comes from a 96-thread dual socket Intel Xeon Gold
6252 setup, but the regression there really is quite noticeable:
-47.9% regression of stress-ng.rawpkt.ops_per_sec
and the commit that was marked as being fixed (7ced371971: "slub:
Acquire_slab() avoid loop") actually did the loop exit early very
intentionally (the hint being that "avoid loop" part of that commit
message), exactly to avoid this issue.
The correct thing to do may be to pick some kind of reasonable middle
ground: instead of breaking out of the loop on the very first sign of
contention, or trying over and over and over again, the right thing may
be to re-try _once_, and then give up on the second failure (or pick
your favorite value for "once"..).
Reported-by: kernel test robot <oliver.sang@intel.com>
Link: https://lore.kernel.org/lkml/20210301080404.GF12822@xsang-OptiPlex-9020/
Cc: Jann Horn <jannh@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBEtr4ACgkQONu9yGCS
aT4XKBAAsMHn1gRHESusKj1zToyBDJL5fQW6nWbUuwZKh+q7KLPF45dWgRbTShKl
5HAEN+wTGTx0MkQ1yMs6zr49Ck0z63WRQ5rk48dznPDlJMMWu5oK+hpHU5n/z82v
/y6n2+d2xzpxWIVQYFC6pryjbeNJ2NcnAyrIimput86MK7vz1GZWsjAq+SP92kaZ
xzK4mUlZg6gLr+IMuuNnkHxbmWku32Ucw1qQ24/dAv7OF+BzfaoD2SpKp3yac6jM
OOZgEnlO+kB8m0G+iYM+yslpvxrs8jlLlJKGdf3fQA5Q9JKNNaNmZezjp3FWYXBR
u+t4JDOjjyBt7/s83AJ8+zGLxniQBLmF1BRgbxcFCIv/AN2DeSIFA4xaK6xLGzKL
rDm4PMhVWjCMN5heB644OOT0tx0k/h2Y/hO8gMRoMcycFhoRp10a0Vw2bQRKBVak
k3iXRIUv9Ypkpe5zLIN+icnt8ztgo2IJ3MR2VyMpENiBnRfLvAammwCXRC9pB/nR
225uMlCzwYAJfnVJ40FUbw/jTqyB9XhmAl3l2alYS6eiEVNmp9c4Vv4B6f2Uylk1
oYdF+ABtFlWZSsbB7vqIJW8Wrew/FPkJrQnTW8hVhkV46Ry4FRiN2y/+1B6WrZ9j
1UvSEwyYVITSB0wWsZRTrwxXjAivY57yCknCR7uHkJHTsXgPkyw=
=7KpC
-----END PGP SIGNATURE-----
Merge 4.19.179 into android-4.19-stable
Changes in 4.19.179
net: usb: qmi_wwan: support ZTE P685M modem
hugetlb: fix update_and_free_page contig page struct assumption
drm/virtio: use kvmalloc for large allocations
virtio/s390: implement virtio-ccw revision 2 correctly
arm64 module: set plt* section addresses to 0x0
arm64: Avoid redundant type conversions in xchg() and cmpxchg()
arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
arm64: Use correct ll/sc atomic constraints
MIPS: VDSO: Use CLANG_FLAGS instead of filtering out '--target='
JFS: more checks for invalid superblock
udlfb: Fix memory leak in dlfb_usb_probe
media: mceusb: sanity check for prescaler value
xfs: Fix assert failure in xfs_setattr_size()
smackfs: restrict bytes count in smackfs write functions
net: fix up truesize of cloned skb in skb_prepare_for_shift()
mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
net: bridge: use switchdev for port flags set through sysfs too
dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/
rsi: Fix TX EAPOL packet handling against iwlwifi AP
rsi: Move card interrupt handling to RX thread
staging: fwserial: Fix error handling in fwserial_create
x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk
vt/consolemap: do font sum unsigned
wlcore: Fix command execute failure 19 for wl12xx
Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl
pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
ath10k: fix wmi mgmt tx queue full due to race condition
x86/build: Treat R_386_PLT32 relocation as R_386_PC32
Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
staging: most: sound: add sanity check for function argument
crypto: tcrypt - avoid signed overflow in byte count
PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse
drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails
media: uvcvideo: Allow entities with no pads
f2fs: handle unallocated section and zone on pinned/atgc
f2fs: fix to set/clear I_LINKABLE under i_lock
btrfs: fix error handling in commit_fs_roots
parisc: Bump 64-bit IRQ stack size to 64 KB
ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet
ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet
ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet
scsi: iscsi: Restrict sessions and handles to admin capabilities
sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
scsi: iscsi: Verify lengths on passthrough PDUs
Xen/gnttab: handle p2m update errors on a per-slot basis
xen-netback: respect gnttab_map_refs()'s return value
zsmalloc: account the number of compacted pages correctly
swap: fix swapfile read/write offset
media: v4l: ioctl: Fix memory leak in video_usercopy
ALSA: hda/realtek: Add quirk for Clevo NH55RZQ
ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board
Linux 4.19.179
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3a22f45d69254beca09db0f33bc3cab3a0cadf80
commit caf6912f3f4af7232340d500a4a2008f81b93f14 upstream.
We're not factoring in the start of the file for where to write and
read the swapfile, which leads to very unfortunate side effects of
writing where we should not be...
[This issue only affects swapfiles on filesystems on top of blockdevs
that implement rw_page ops (brd, zram, btt, pmem), and not on top of any
other block devices, in contrast to the upstream commit fix.]
Fixes: dd6bd0d9c7 ("swap: use bdev_read_page() / bdev_write_page()")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Anthony Iliopoulos <ailiop@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2395928158059b8f9858365fce7713ce7fef62e4 upstream.
There exists multiple path may do zram compaction concurrently.
1. auto-compaction triggered during memory reclaim
2. userspace utils write zram<id>/compaction node
So, multiple threads may call zs_shrinker_scan/zs_compact concurrently.
But pages_compacted is a per zsmalloc pool variable and modification
of the variable is not serialized(through under class->lock).
There are two issues here:
1. the pages_compacted may not equal to total number of pages
freed(due to concurrently add).
2. zs_shrinker_scan may not return the correct number of pages
freed(issued by current shrinker).
The fix is simple:
1. account the number of pages freed in zs_compact locally.
2. use actomic variable pages_compacted to accumulate total number.
Link: https://lkml.kernel.org/r/20210202122235.26885-1-wu-yan@tcl.com
Fixes: 860c707dca ("zsmalloc: account the number of compacted pages")
Signed-off-by: Rokudo Yan <wu-yan@tcl.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a1ba9da8f0f9a37d900ff7eff66482cf7de8015e upstream.
The current code would unnecessarily expand the address range. Consider
one example, (start, end) = (1G-2M, 3G+2M), and (vm_start, vm_end) =
(1G-4M, 3G+4M), the expected adjustment should be keep (1G-2M, 3G+2M)
without expand. But the current result will be (1G-4M, 3G+4M). Actually,
the range (1G-4M, 1G) and (3G, 3G+4M) would never been involved in pmd
sharing.
After this patch, we will check that the vma span at least one PUD aligned
size and the start,end range overlap the aligned range of vma.
With above example, the aligned vma range is (1G, 3G), so if (start, end)
range is within (1G-4M, 1G), or within (3G, 3G+4M), then no adjustment to
both start and end. Otherwise, we will have chance to adjust start
downwards or end upwards without exceeding (vm_start, vm_end).
Mike:
: The 'adjusted range' is used for calls to mmu notifiers and cache(tlb)
: flushing. Since the current code unnecessarily expands the range in some
: cases, more entries than necessary would be flushed. This would/could
: result in performance degradation. However, this is highly dependent on
: the user runtime. Is there a combination of vma layout and calls to
: actually hit this issue? If the issue is hit, will those entries
: unnecessarily flushed be used again and need to be unnecessarily reloaded?
Link: https://lkml.kernel.org/r/20210104081631.2921415-1-lixinhai.lxh@gmail.com
Fixes: 75802ca66354 ("mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible")
Signed-off-by: Li Xinhai <lixinhai.lxh@gmail.com>
Suggested-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream.
page structs are not guaranteed to be contiguous for gigantic pages. The
routine update_and_free_page can encounter a gigantic page, yet it assumes
page structs are contiguous when setting page flags in subpages.
If update_and_free_page encounters non-contiguous page structs, we can see
“BUG: Bad page state in process …” errors.
Non-contiguous page structs are generally not an issue. However, they can
exist with a specific kernel configuration and hotplug operations. For
example: Configure the kernel with CONFIG_SPARSEMEM and
!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
the gigantic page will be allocated. Zi Yan outlined steps to reproduce
here [1].
[1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/
Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com
Fixes: 944d9fec8d ("hugetlb: add support for gigantic page allocation at runtime")
Signed-off-by: Zi Yan <ziy@nvidia.com>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Joao Martins <joao.m.martins@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Changes in 4.19.178
HID: make arrays usage and value to be the same
USB: quirks: sort quirk entries
usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable
ntfs: check for valid standard information attribute
arm64: tegra: Add power-domain for Tegra210 HDA
scripts: use pkg-config to locate libcrypto
scripts: set proper OpenSSL include dir also for sign-file
block: add helper for checking if queue is registered
block: split .sysfs_lock into two locks
block: fix race between switching elevator and removing queues
block: don't release queue's sysfs lock during switching elevator
NET: usb: qmi_wwan: Adding support for Cinterion MV31
cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath.
scripts/recordmcount.pl: support big endian for ARCH sh
jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations
locking/static_key: Fix false positive warnings on concurrent dec/inc
vmlinux.lds.h: add DWARF v5 sections
kdb: Make memory allocations more robust
PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064
bfq: Avoid false bfq queue merging
ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode
MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section
random: fix the RNDRESEEDCRNG ioctl
ath10k: Fix error handling in case of CE pipe init failure
Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function
Bluetooth: Fix initializing response id after clearing struct
ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5
ARM: dts: exynos: correct PMIC interrupt trigger level on Monk
ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato
ARM: dts: exynos: correct PMIC interrupt trigger level on Spring
ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa
ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family
arm64: dts: exynos: correct PMIC interrupt trigger level on TM2
arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso
bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args
arm64: dts: allwinner: A64: properly connect USB PHY to port 0
arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card
arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz
cpufreq: brcmstb-avs-cpufreq: Free resources in error path
cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove()
ACPICA: Fix exception code class checks
usb: gadget: u_audio: Free requests only after callback
Bluetooth: drop HCI device reference before return
Bluetooth: Put HCI device if inquiry procedure interrupts
memory: ti-aemif: Drop child node when jumping out loop
ARM: dts: Configure missing thermal interrupt for 4430
usb: dwc2: Do not update data length if it is 0 on inbound transfers
usb: dwc2: Abort transaction after errors with unknown reason
usb: dwc2: Make "trimming xfer length" a debug message
staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules
ARM: dts: armada388-helios4: assign pinctrl to LEDs
ARM: dts: armada388-helios4: assign pinctrl to each fan
arm64: dts: msm8916: Fix reserved and rfsa nodes unit address
ARM: s3c: fix fiq for clang IAS
soc: aspeed: snoop: Add clock control logic
bpf_lru_list: Read double-checked variable once without lock
ath9k: fix data bus crash when setting nf_override via debugfs
ibmvnic: Set to CLOSED state even on error
bnxt_en: reverse order of TX disable and carrier off
xen/netback: fix spurious event detection for common event case
mac80211: fix potential overflow when multiplying to u32 integers
bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx
tcp: fix SO_RCVLOWAT related hangs under mem pressure
cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds
b43: N-PHY: Fix the update of coef for the PHY revision >= 3case
ibmvnic: add memory barrier to protect long term buffer
ibmvnic: skip send_request_unmap for timeout reset
net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout
net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning
net: amd-xgbe: Reset link when the link never comes back
net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP
net: mvneta: Remove per-cpu queue mapping for Armada 3700
fbdev: aty: SPARC64 requires FB_ATY_CT
drm/gma500: Fix error return code in psb_driver_load()
gma500: clean up error handling in init
crypto: sun4i-ss - fix kmap usage
drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition
MIPS: c-r4k: Fix section mismatch for loongson2_sc_init
MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0
media: i2c: ov5670: Fix PIXEL_RATE minimum value
media: camss: missing error code in msm_video_register()
media: vsp1: Fix an error handling path in the probe function
media: em28xx: Fix use-after-free in em28xx_alloc_urbs
media: media/pci: Fix memleak in empress_init
media: tm6000: Fix memleak in tm6000_start_stream
ASoC: cs42l56: fix up error handling in probe
crypto: bcm - Rename struct device_private to bcm_device_private
drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction.
media: lmedm04: Fix misuse of comma
media: qm1d1c0042: fix error return code in qm1d1c0042_init()
media: cx25821: Fix a bug when reallocating some dma memory
media: pxa_camera: declare variable when DEBUG is defined
media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values
crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error)
ata: ahci_brcm: Add back regulators management
ASoC: cpcap: fix microphone timeslot mask
f2fs: fix to avoid inconsistent quota data
drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask()
Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()
btrfs: clarify error returns values in __load_free_space_cache
hwrng: timeriomem - Fix cooldown period calculation
crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key()
ima: Free IMA measurement buffer on error
ima: Free IMA measurement buffer after kexec syscall
fs/jfs: fix potential integer overflow on shift of a int
jffs2: fix use after free in jffs2_sum_write_data()
capabilities: Don't allow writing ambiguous v3 file capabilities
clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL
quota: Fix memory leak when handling corrupted quota file
spi: cadence-quadspi: Abort read if dummy cycles required are too many
clk: sunxi-ng: h6: Fix CEC clock
HID: core: detect and skip invalid inputs to snto32()
dmaengine: fsldma: Fix a resource leak in the remove function
dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function
dmaengine: owl-dma: Fix a resource leak in the remove function
dmaengine: hsu: disable spurious interrupt
mfd: bd9571mwv: Use devm_mfd_add_devices()
fdt: Properly handle "no-map" field in the memory region
of/fdt: Make sure no-map does not remove already reserved regions
power: reset: at91-sama5d2_shdwc: fix wkupdbc mask
rtc: s5m: select REGMAP_I2C
clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined
RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation
clk: sunxi-ng: h6: Fix clock divider range on some clocks
regulator: axp20x: Fix reference cout leak
certs: Fix blacklist flag type confusion
spi: atmel: Put allocated master before return
regulator: s5m8767: Drop regulators OF node reference
isofs: release buffer head before return
auxdisplay: ht16k33: Fix refresh rate handling
IB/umad: Return EIO in case of when device disassociated
IB/umad: Return EPOLLERR in case of when device disassociated
KVM: PPC: Make the VMX instruction emulation routines static
powerpc/47x: Disable 256k page size
mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe
mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes
ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores
amba: Fix resource leak for drivers without .remove
tracepoint: Do not fail unregistering a probe due to memory failure
perf tools: Fix DSO filtering when not finding a map for a sampled address
RDMA/rxe: Fix coding error in rxe_recv.c
RDMA/rxe: Correct skb on loopback path
spi: stm32: properly handle 0 byte transfer
mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq()
powerpc/pseries/dlpar: handle ibm, configure-connector delay status
powerpc/8xx: Fix software emulation interrupt
clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs
spi: pxa2xx: Fix the controller numbering for Wildcat Point
Input: sur40 - fix an error code in sur40_probe()
perf intel-pt: Fix missing CYC processing in PSB
perf test: Fix unaligned access in sample parsing test
Input: elo - fix an error code in elo_connect()
sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set
misc: eeprom_93xx46: Fix module alias to enable module autoprobe
misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users
pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare()
VMCI: Use set_page_dirty_lock() when unregistering guest memory
PCI: Align checking of syscall user config accessors
drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY)
ext4: fix potential htree index checksum corruption
regmap: sdw: use _no_pm functions in regmap_read/write
i40e: Fix flow for IPv6 next header (extension header)
i40e: Add zero-initialization of AQ command structures
i40e: Fix overwriting flow control settings during driver loading
i40e: Fix VFs not created
i40e: Fix add TC filter for IPv6
net/mlx4_core: Add missed mlx4_free_cmd_mailbox()
vxlan: move debug check after netdev unregister
ocfs2: fix a use after free on error
mm/memory.c: fix potential pte_unmap_unlock pte error
mm/hugetlb: fix potential double free in hugetlb_register_node() error path
r8169: fix jumbo packet handling on RTL8168e
arm64: Add missing ISB after invalidating TLB in __primary_switch
i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition
mm/rmap: fix potential pte_unmap on an not mapped pte
scsi: bnx2fc: Fix Kconfig warning & CNIC build errors
blk-settings: align max_sectors on "logical_block_size" boundary
ACPI: property: Fix fwnode string properties matching
ACPI: configfs: add missing check after configfs_register_default_group()
HID: wacom: Ignore attempts to overwrite the touch_max value from HID
Input: raydium_ts_i2c - do not send zero length
Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S
Input: joydev - prevent potential read overflow in ioctl
Input: i8042 - add ASUS Zenbook Flip to noselftest list
USB: serial: option: update interface mapping for ZTE P685M
usb: musb: Fix runtime PM race in musb_queue_resume_work
usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1
usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt
USB: serial: ftdi_sio: fix FTX sub-integer prescaler
USB: serial: mos7840: fix error code in mos7840_write()
USB: serial: mos7720: fix error code in mos7720_write()
ALSA: hda/realtek: modify EAPD in the ALC886
tpm_tis: Fix check_locality for correct locality acquisition
tpm_tis: Clean up locality release
KEYS: trusted: Fix migratable=1 failing
btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root
btrfs: fix reloc root leak with 0 ref reloc roots on recovery
btrfs: fix extent buffer leak on failure to copy root
crypto: arm64/sha - add missing module aliases
crypto: sun4i-ss - checking sg length is not sufficient
crypto: sun4i-ss - handle BigEndian for cipher
seccomp: Add missing return in non-void function
misc: rtsx: init of rts522a add OCP power off when no card is present
drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue
pstore: Fix typo in compression option name
dts64: mt7622: fix slow sd card access
staging/mt7621-dma: mtk-hsdma.c->hsdma-mt7621.c
staging: gdm724x: Fix DMA from stack
staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table
media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt()
x86/reboot: Force all cpus to exit VMX root if VMX is supported
floppy: reintroduce O_NDELAY fix
arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing
watchdog: mei_wdt: request stop on unregister
mtd: spi-nor: hisi-sfc: Put child node np on error path
fs/affs: release old buffer head on error path
seq_file: document how per-entry resources are managed.
x86: fix seq_file iteration for pat/memtype.c
hugetlb: fix copy_huge_page_from_user contig page struct assumption
libnvdimm/dimm: Avoid race between probe and available_slots_show()
arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55
module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols
mmc: sdhci-esdhc-imx: fix kernel panic when remove module
gpio: pcf857x: Fix missing first interrupt
printk: fix deadlock when kernel panic
cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available
f2fs: fix out-of-repair __setattr_copy()
sparc32: fix a user-triggerable oops in clear_user()
gfs2: Don't skip dlm unlock if glock has an lvb
dm: fix deadlock when swapping to encrypted device
dm era: Recover committed writeset after crash
dm era: Verify the data block size hasn't changed
dm era: Fix bitset memory leaks
dm era: Use correct value size in equality function of writeset tree
dm era: Reinitialize bitset cache before digesting a new writeset
dm era: only resize metadata in preresume
icmp: introduce helper for nat'd source address in network device context
icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n
gtp: use icmp_ndo_send helper
sunvnet: use icmp_ndo_send helper
xfrm: interface: use icmp_ndo_send helper
ipv6: icmp6: avoid indirect call for icmpv6_send()
ipv6: silence compilation warning for non-IPV6 builds
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
dm era: Update in-core bitset after committing the metadata
net: qrtr: Fix memory leak in qrtr_tun_open
ARM: dts: aspeed: Add LCLK to lpc-snoop
Linux 4.19.178
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8c07c10dd29a1233f238b533622d7b32bd22bdb0
commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream.
page structs are not guaranteed to be contiguous for gigantic pages. The
routine copy_huge_page_from_user can encounter gigantic pages, yet it
assumes page structs are contiguous when copying pages from user space.
Since page structs for the target gigantic page are not contiguous, the
data copied from user space could overwrite other pages not associated
with the gigantic page and cause data corruption.
Non-contiguous page structs are generally not an issue. However, they can
exist with a specific kernel configuration and hotplug operations. For
example: Configure the kernel with CONFIG_SPARSEMEM and
!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
the gigantic page will be allocated.
Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com
Fixes: 8fb5debc5f ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Joao Martins <joao.m.martins@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ]
In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs
when failed to create sysfs group but forget to set hstate_kobjs to NULL.
Then in hugetlb_register_node() error path, we may free it again via
hugetlb_unregister_node().
Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com
Fixes: a343787016 ("hugetlb: new sysfs interface")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Muchun Song <smuchun@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ]
Since commit 42e4089c78 ("x86/speculation/l1tf: Disallow non privileged
high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed,
we would break the loop with pte unchanged. Then the wrong pte - 1 would
be passed to pte_unmap_unlock.
Andi said:
"While the fix is correct, I'm not sure if it actually is a real bug.
Is there any architecture that would do something else than unlocking
the underlying page? If it's just the underlying page then it should
be always the same page, so no bug"
Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com
Fixes: 42e4089c78 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings")
Signed-off-by: Hongxiang Lou <louhongxiang@huawei.com>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAny3gACgkQONu9yGCS
aT4MmQ/9E2NZRb+tAheddFN7G5CsWTtPPLN+pqYJoYPQPyVUH4P9CcxaY/RyWHbs
vE+LaHEsMtDvrYY/zEBxBfb1xY6zevNK1it4JEzxYEbl8L2obNATbyNfY8jFjaUP
fb2ozowi+cUOUJNiFDjaMW0D19sV26QdMnCgBGWE5KMcQAsJZhwfJyXFdDH94CKc
Eyb8zTYa4vJw/VCjI3TmidsDa4Ni05PuQpJ4kxXkfQtAZVk/zAA1d06JKJBN2Wkg
EP9wg2WT0ydoqchkmO8rxkLp83Mjb+czwPnHD+sxNKU4A5cwd+kxkkSgRauOJgIF
ZZzRpCCfQIfFhR67XzP7CcovaddLBiV3CT2JM3Y1Qba3yJQYik2OkZagtTqPQTys
Z3UyY77aoqT0N7QSnZ3Y9oZqvSbvGy1n42SrCXRf12xcvZv1qsTk3oHh6IFCefcj
I9au5NNbg8YI0JeciqM8RnbRCgwbhBMOjBQt4RB/pVp+xMDEKjEYznTB9DZGpxtz
M8nBYZk1+rWK9wvcmFSYqF1I31sD+0NtDCRlTHia1YQM0r1Th4rO1sNJwl3CFTIZ
TD1bqzsWs1pyMPtBsTPj9jXAFemamBtVCC5WsG2Dv1BvY+wSc2zweRk6j7uLOc5t
wpq6AOM++Hz6l1hnC5gP92+cUMq0plhkBRkDpOJbRlmVuZxg8lM=
=+d6M
-----END PGP SIGNATURE-----
Merge 4.19.176 into android-4.19-stable
Changes in 4.19.176
tracing/kprobe: Fix to support kretprobe events on unloaded modules
block: fix NULL pointer dereference in register_disk
fgraph: Initialize tracing_graph_pause at task creation
remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
af_key: relax availability checks for skb size calculation
regulator: core: avoid regulator_resolve_supply() race condition
chtls: Fix potential resource leak
pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process()
iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
iwlwifi: pcie: fix context info memory leak
iwlwifi: mvm: guard against device removal in reprobe
SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
SUNRPC: Handle 0 length opaque XDR object data properly
lib/string: Add strscpy_pad() function
include/trace/events/writeback.h: fix -Wstringop-truncation warnings
memcg: fix a crash in wb_workfn when a device disappears
Fix unsynchronized access to sev members through svm_register_enc_region
block: don't hold q->sysfs_lock in elevator_init_mq
blk-mq: don't hold q->sysfs_lock in blk_mq_map_swqueue
squashfs: add more sanity checks in id lookup
squashfs: add more sanity checks in inode lookup
squashfs: add more sanity checks in xattr id lookup
regulator: core: enable power when setting up constraints
regulator: core: Clean enabling always-on regulators + their supplies
regulator: Fix lockdep warning resolving supplies
Linux 4.19.176
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I33c221717e4e5c3213a7a21a648933a013bb2753
[ Upstream commit 68f23b89067fdf187763e75a56087550624fdbee ]
Without memcg, there is a one-to-one mapping between the bdi and
bdi_writeback structures. In this world, things are fairly
straightforward; the first thing bdi_unregister() does is to shutdown
the bdi_writeback structure (or wb), and part of that writeback ensures
that no other work queued against the wb, and that the wb is fully
drained.
With memcg, however, there is a one-to-many relationship between the bdi
and bdi_writeback structures; that is, there are multiple wb objects
which can all point to a single bdi. There is a refcount which prevents
the bdi object from being released (and hence, unregistered). So in
theory, the bdi_unregister() *should* only get called once its refcount
goes to zero (bdi_put will drop the refcount, and when it is zero,
release_bdi gets called, which calls bdi_unregister).
Unfortunately, del_gendisk() in block/gen_hd.c never got the memo about
the Brave New memcg World, and calls bdi_unregister directly. It does
this without informing the file system, or the memcg code, or anything
else. This causes the root wb associated with the bdi to be
unregistered, but none of the memcg-specific wb's are shutdown. So when
one of these wb's are woken up to do delayed work, they try to
dereference their wb->bdi->dev to fetch the device name, but
unfortunately bdi->dev is now NULL, thanks to the bdi_unregister()
called by del_gendisk(). As a result, *boom*.
Fortunately, it looks like the rest of the writeback path is perfectly
happy with bdi->dev and bdi->owner being NULL, so the simplest fix is to
create a bdi_dev_name() function which can handle bdi->dev being NULL.
This also allows us to bulletproof the writeback tracepoints to prevent
them from dereferencing a NULL pointer and crashing the kernel if one is
tracing with memcg's enabled, and an iSCSI device dies or a USB storage
stick is pulled.
The most common way of triggering this will be hotremoval of a device
while writeback with memcg enabled is going on. It was triggering
several times a day in a heavily loaded production environment.
Google Bug Id: 145475544
Link: https://lore.kernel.org/r/20191227194829.150110-1-tytso@mit.edu
Link: http://lkml.kernel.org/r/20191228005211.163952-1-tytso@mit.edu
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Chris Mason <clm@fb.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAjmCsACgkQONu9yGCS
aT6zjw//T/sN/vtlHmZZUD/iUcbYHUJiM82izt8yu6SsgcjiUkjwXKH373zX0EsN
O7iQIWXMWxXCWc73esvJ1L8uOLmYto3fJq4bb+emsd8R6M/NQuQqSX7fvvlnpLo/
wkTkctk1l+EyVjk67M2izCK35Zz2rVvLHGYXYMj+bJZxxCrnhG06pXcV+0udX53j
Nl0ejBoYLhKZW3wyfkLbORQToFATM1IxSaBqUESQj1Wkie989c4ARcJ1mUuOOW6T
XMhdxazbV5I4kQzcBWmhVbGX5hv28FIeeugu2aW4bxX4up8zcq+S0Z1I5c0Q0MWL
1AI+4HDS+9/USXuQc4kqgqF893Y25hXwk3tck7boRu0OznLC3j9RTXMrDVl08ZOv
3Y9fkyEoRwwbsik5+8Sf3H0OamNaL6qcWYbJczlz50BltaVH2k960itCGlnfnJjT
9FZQMmWzx3JnZbDHD6iCYuVCnPdZn2AUK5ZwF5kjME7CcJVDWGH23uFpTw5MDXMO
1arKj615PPTKzZ+gODM4Q0H2+ek3uclKpNqDNlR4sZgRxcr+bimw7tke3Pv4L+4p
iU5W9o9TBXqoeNwKCO37eoRHySpU/mJ8OslHTrf/YzXH/q9uHNnVo9sM9/SEyqr1
94OrfbKTE8InON0/jgu482i7SHODdNUoD4wDXyZDQ1jb5J/+H3k=
=uSwA
-----END PGP SIGNATURE-----
Merge 4.19.175 into android-4.19-stable
Changes in 4.19.175
USB: serial: cp210x: add pid/vid for WSDA-200-USB
USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
USB: serial: option: Adding support for Cinterion MV31
elfcore: fix building with clang
Input: i8042 - unbreak Pegatron C15B
rxrpc: Fix deadlock around release of dst cached on udp tunnel
arm64: dts: ls1046a: fix dcfg address range
net: lapb: Copy the skb before sending a packet
net: mvpp2: TCAM entry enable should be written after SRAM data
memblock: do not start bottom-up allocations with kernel_end
USB: gadget: legacy: fix an error code in eth_bind()
USB: usblp: don't call usb_set_interface if there's a single alt
usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop()
usb: dwc2: Fix endpoint direction check in ep_from_windex
usb: dwc3: fix clock issue during resume in OTG mode
ovl: fix dentry leak in ovl_get_redirect
mac80211: fix station rate table updates on assoc
kretprobe: Avoid re-registration of the same kretprobe earlier
genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set
xhci: fix bounce buffer usage for non-sg list case
cifs: report error instead of invalid when revalidating a dentry fails
smb3: Fix out-of-bounds bug in SMB2_negotiate()
mmc: core: Limit retries when analyse of SDIO tuples fails
nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
KVM: SVM: Treat SVM as unsupported when running as an SEV guest
ARM: footbridge: fix dc21285 PCI configuration accessors
mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
mm: hugetlb: fix a race between freeing and dissolving the page
mm: hugetlb: fix a race between isolating and freeing page
mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
mm: thp: fix MADV_REMOVE deadlock on shmem THP
x86/build: Disable CET instrumentation in the kernel
x86/apic: Add extra serialization for non-serializing MSRs
Input: xpad - sync supported devices with fork on GitHub
iommu/vt-d: Do not use flush-queue when caching-mode is on
md: Set prev_flush_start and flush_bio in an atomic way
net: ip_tunnel: fix mtu calculation
net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add
Linux 4.19.175
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iac6d5c4ad079946ef1c032791e8e583b9264917b
commit 1c2f67308af4c102b4e1e6cd6f69819ae59408e0 upstream.
Sergey reported deadlock between kswapd correctly doing its usual
lock_page(page) followed by down_read(page->mapping->i_mmap_rwsem), and
madvise(MADV_REMOVE) on an madvise(MADV_HUGEPAGE) area doing
down_write(page->mapping->i_mmap_rwsem) followed by lock_page(page).
This happened when shmem_fallocate(punch hole)'s unmap_mapping_range()
reaches zap_pmd_range()'s call to __split_huge_pmd(). The same deadlock
could occur when partially truncating a mapped huge tmpfs file, or using
fallocate(FALLOC_FL_PUNCH_HOLE) on it.
__split_huge_pmd()'s page lock was added in 5.8, to make sure that any
concurrent use of reuse_swap_page() (holding page lock) could not catch
the anon THP's mapcounts and swapcounts while they were being split.
Fortunately, reuse_swap_page() is never applied to a shmem or file THP
(not even by khugepaged, which checks PageSwapCache before calling), and
anonymous THPs are never created in shmem or file areas: so that
__split_huge_pmd()'s page lock can only be necessary for anonymous THPs,
on which there is no risk of deadlock with i_mmap_rwsem.
Link: https://lkml.kernel.org/r/alpine.LSU.2.11.2101161409470.2022@eggly.anvils
Fixes: c444eb564fb1 ("mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()")
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ecbf4724e6061b4b01be20f6d797d64d462b2bc8 upstream.
The page_huge_active() can be called from scan_movable_pages() which do
not hold a reference count to the HugeTLB page. So when we call
page_huge_active() from scan_movable_pages(), the HugeTLB page can be
freed parallel. Then we will trigger a BUG_ON which is in the
page_huge_active() when CONFIG_DEBUG_VM is enabled. Just remove the
VM_BUG_ON_PAGE.
Link: https://lkml.kernel.org/r/20210115124942.46403-6-songmuchun@bytedance.com
Fixes: 7e1f049efb ("mm: hugetlb: cleanup using paeg_huge_active()")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0eb2df2b5629794020f75e94655e1994af63f0d4 upstream.
There is a race between isolate_huge_page() and __free_huge_page().
CPU0: CPU1:
if (PageHuge(page))
put_page(page)
__free_huge_page(page)
spin_lock(&hugetlb_lock)
update_and_free_page(page)
set_compound_page_dtor(page,
NULL_COMPOUND_DTOR)
spin_unlock(&hugetlb_lock)
isolate_huge_page(page)
// trigger BUG_ON
VM_BUG_ON_PAGE(!PageHead(page), page)
spin_lock(&hugetlb_lock)
page_huge_active(page)
// trigger BUG_ON
VM_BUG_ON_PAGE(!PageHuge(page), page)
spin_unlock(&hugetlb_lock)
When we isolate a HugeTLB page on CPU0. Meanwhile, we free it to the
buddy allocator on CPU1. Then, we can trigger a BUG_ON on CPU0, because
it is already freed to the buddy allocator.
Link: https://lkml.kernel.org/r/20210115124942.46403-5-songmuchun@bytedance.com
Fixes: c8721bbbdd ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7ffddd499ba6122b1a07828f023d1d67629aa017 upstream.
There is a race condition between __free_huge_page()
and dissolve_free_huge_page().
CPU0: CPU1:
// page_count(page) == 1
put_page(page)
__free_huge_page(page)
dissolve_free_huge_page(page)
spin_lock(&hugetlb_lock)
// PageHuge(page) && !page_count(page)
update_and_free_page(page)
// page is freed to the buddy
spin_unlock(&hugetlb_lock)
spin_lock(&hugetlb_lock)
clear_page_huge_active(page)
enqueue_huge_page(page)
// It is wrong, the page is already freed
spin_unlock(&hugetlb_lock)
The race window is between put_page() and dissolve_free_huge_page().
We should make sure that the page is already on the free list when it is
dissolved.
As a result __free_huge_page would corrupt page(s) already in the buddy
allocator.
Link: https://lkml.kernel.org/r/20210115124942.46403-4-songmuchun@bytedance.com
Fixes: c8721bbbdd ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 585fc0d2871c9318c949fbf45b1f081edd489e96 upstream.
If a new hugetlb page is allocated during fallocate it will not be
marked as active (set_page_huge_active) which will result in a later
isolate_huge_page failure when the page migration code would like to
move that page. Such a failure would be unexpected and wrong.
Only export set_page_huge_active, just leave clear_page_huge_active as
static. Because there are no external users.
Link: https://lkml.kernel.org/r/20210115124942.46403-3-songmuchun@bytedance.com
Fixes: 70c3547e36 (hugetlbfs: add hugetlbfs_fallocate())
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2dcb3964544177c51853a210b6ad400de78ef17d ]
With kaslr the kernel image is placed at a random place, so starting the
bottom-up allocation with the kernel_end can result in an allocation
failure and a warning like this one:
hugetlb_cma: reserve 2048 MiB, up to 2048 MiB per node
------------[ cut here ]------------
memblock: bottom-up allocation failed, memory hotremove may be affected
WARNING: CPU: 0 PID: 0 at mm/memblock.c:332 memblock_find_in_range_node+0x178/0x25a
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.0+ #1169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
RIP: 0010:memblock_find_in_range_node+0x178/0x25a
Code: e9 6d ff ff ff 48 85 c0 0f 85 da 00 00 00 80 3d 9b 35 df 00 00 75 15 48 c7 c7 c0 75 59 88 c6 05 8b 35 df 00 01 e8 25 8a fa ff <0f> 0b 48 c7 44 24 20 ff ff ff ff 44 89 e6 44 89 ea 48 c7 c1 70 5c
RSP: 0000:ffffffff88803d18 EFLAGS: 00010086 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000240000000 RCX: 00000000ffffdfff
RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000046
RBP: 0000000100000000 R08: ffffffff88922788 R09: 0000000000009ffb
R10: 00000000ffffe000 R11: 3fffffffffffffff R12: 0000000000000000
R13: 0000000000000000 R14: 0000000080000000 R15: 00000001fb42c000
FS: 0000000000000000(0000) GS:ffffffff88f71000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa080fb401000 CR3: 00000001fa80a000 CR4: 00000000000406b0
Call Trace:
memblock_alloc_range_nid+0x8d/0x11e
cma_declare_contiguous_nid+0x2c4/0x38c
hugetlb_cma_reserve+0xdc/0x128
flush_tlb_one_kernel+0xc/0x20
native_set_fixmap+0x82/0xd0
flat_get_apic_id+0x5/0x10
register_lapic_address+0x8e/0x97
setup_arch+0x8a5/0xc3f
start_kernel+0x66/0x547
load_ucode_bsp+0x4c/0xcd
secondary_startup_64_no_verify+0xb0/0xbb
random: get_random_bytes called from __warn+0xab/0x110 with crng_init=0
---[ end trace f151227d0b39be70 ]---
At the same time, the kernel image is protected with memblock_reserve(),
so we can just start searching at PAGE_SIZE. In this case the bottom-up
allocation has the same chances to success as a top-down allocation, so
there is no reason to fallback in the case of a failure. All together it
simplifies the logic.
Link: https://lkml.kernel.org/r/20201217201214.3414100-2-guro@fb.com
Fixes: 8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low memory")
Signed-off-by: Roman Gushchin <guro@fb.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Wonhyuk Yang <vvghjk1234@gmail.com>
Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAVUdoACgkQONu9yGCS
aT6CVw/8CyxF0mRo1B3AdXBy4Tx9a++myhnU0Mg3K2AawKzN2dzF2qWMJq1jz8Ut
jrRXeaoAQ9Wx9676NCfpkLCDGKPFtRGPq4fel9g4eBbqzSGuhzoe64Qr9mfbIHuU
3efAiutlTMjQL5FhpeHTqgJTh1j1NsmThIRZA+yIUcL3YbH6HWx7wQGthF1JooWP
hZ/YQ1MKt9IZlhyafNcO6wvtEfL5DY6DANHSyKsbwY1jMPJIQ0k90Z4zbHRAlwKZ
HaMdV1vvCXjVNXu6e6Mlto2HcQolzg5l3uNVsc7ZzqHp9yOwrDfPMqRqxNuI2MrP
r3J38mfRywOV2Woe++aTwOHSj0c/YGTThxbWj/lqJepu3Bc4LBwkACVchWskglY/
W59XNg5ijxG1PBJy7NW05hkH/d2C6KWilhXvlqe4hRPf6/H3VM1YGTwpHiiVlNsr
vZYYx0A8ugRo6rigtIrfOBt3xc8ZyQSxlA/mrnzHddH1zzoaZJ7+ecIQgO0lEZh1
ICV2SY4cinvY5sBGcrgcFYFoQSyCHCjO36h03hHGzVxGVBYIas80DYuqRDes4E9H
6jEz3TphqCdtSxBsT1D1iIacr+xYyfgAO4YwkpiPhjztRIUaOjAop6U94BHhmPha
Yz+ia5+odCGo4n6u0k7BYAwSGFlr0+xz/MTMAN5IuFcPWB7w4qA=
=7rAE
-----END PGP SIGNATURE-----
Merge 4.19.172 into android-4.19-stable
Changes in 4.19.172
gpio: mvebu: fix pwm .get_state period calculation
Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
futex: Move futex exit handling into futex code
futex: Replace PF_EXITPIDONE with a state
exit/exec: Seperate mm_release()
futex: Split futex_mm_release() for exit/exec
futex: Set task::futex_state to DEAD right after handling futex exit
futex: Mark the begin of futex exit explicitly
futex: Sanitize exit state handling
futex: Provide state handling for exec() as well
futex: Add mutex around futex exit
futex: Provide distinct return value when owner is exiting
futex: Prevent exit livelock
futex: Ensure the correct return value from futex_lock_pi()
futex: Replace pointless printk in fixup_owner()
futex: Provide and use pi_state_update_owner()
rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
futex: Use pi_state_update_owner() in put_pi_state()
futex: Simplify fixup_pi_state_owner()
futex: Handle faults correctly for PI futexes
HID: wacom: Correct NULL dereference on AES pen proximity
tracing: Fix race in trace_open and buffer resize call
tools: Factor HOSTCC, HOSTLD, HOSTAR definitions
dm integrity: conditionally disable "recalculate" feature
writeback: Drop I_DIRTY_TIME_EXPIRE
fs: fix lazytime expiration handling in __writeback_single_inode()
Linux 4.19.172
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9b5391e9e955a105ab9c144fa6258dcbea234211
commit 757fed1d0898b893d7daa84183947c70f27632f3 upstream.
This reverts commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2.
syzbot report a double-free bug. The following case can cause this bug.
- mm/slab_common.c: create_cache(): if the __kmem_cache_create() fails,
it does:
out_free_cache:
kmem_cache_free(kmem_cache, s);
- but __kmem_cache_create() - at least for slub() - will have done
sysfs_slab_add(s)
-> sysfs_create_group() .. fails ..
-> kobject_del(&s->kobj); .. which frees s ...
We can't remove the kmem_cache_free() in create_cache(), because other
error cases of __kmem_cache_create() do not free this.
So, revert the commit dde3c6b72a16 ("mm/slub: fix a memory leak in
sysfs_slab_add()") to fix this.
Reported-by: syzbot+d0bd96b4696c1ef67991@syzkaller.appspotmail.com
Fixes: dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()")
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAROwsACgkQONu9yGCS
aT4T5w//XnQz3KLe6G/Gu641fwHbOmNmYg/Ob43DRj0JtMRDFsGm7wl5KVYXgf3l
eI4/K8vMevO0XlSly8Xo8MkYoKiVbv8BX/owsZ9SUTbcGguJ79xKjJ++cXnezsFf
knwiHKQRg+3KM/PZdT29mgkcYo2T6ndcmeq1Q2Q49Xn7vDdCCJuzLYccKRRaR5zm
RoWn9AKtobUaFhuhkMm4gi0mkpH9viD4Su62k3EjQW8ysE5l4OPmlMcy6M+dpt5A
Nh0DMsMnjuqPp1Bm5bSSY5gJ7foHZ9iNAC7UxoD+EIXPMN1jVOoCnqmfSKy+dE65
ROgex14HP1Zmrn5Zj7spc4zX2zWMbIyJgLQDpp+0dK+4wpINw97yXXoyYW+V5iyY
ouf5BKXfudv4Du/PiKkAqf/s0Q5Lh19XSns0hygb+WG67h0CLJxQcH3o2wFWKzl3
JniD5BohTYpqsu5V/zSANqJuugHVxyx2N2SSWtpsYZoFX7GRCtNBOV2NSgH65jW7
S+N4Md8Hfx6rlp+BOkhKfBtDePev6orrSt4wxZ4JSRH++/ztFKo/1CY23NkLsdGN
9PIC6dawYIPTNGtrczwvmebEdBUbEYDBLyeKTcCeRLB1yP4sbb4a2yOoCmjdmAeD
AKUMnx2+20Tl5k67HdrUKxA17KJ1qD5IkurfQkRpUo2uUkSEqpY=
=Ao4u
-----END PGP SIGNATURE-----
Merge 4.19.171 into android-4.19-stable
Changes in 4.19.171
i2c: bpmp-tegra: Ignore unknown I2C_M flags
ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info()
ALSA: hda/via: Add minimum mute flag
ACPI: scan: Make acpi_bus_get_device() clear return pointer on error
btrfs: fix lockdep splat in btrfs_recover_relocation
mmc: core: don't initialize block size from ext_csd if not present
mmc: sdhci-xenon: fix 1.8v regulator stabilization
dm: avoid filesystem lookup in dm_get_dev_t()
dm integrity: fix a crash if "recalculate" used without "internal_hash"
drm/atomic: put state on error path
ASoC: Intel: haswell: Add missing pm_ops
scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback
scsi: qedi: Correct max length of CHAP secret
riscv: Fix kernel time_init()
HID: Ignore battery for Elan touchscreen on ASUS UX550
clk: tegra30: Add hda clock default rates to clock driver
xen: Fix event channel callback via INTX/GSI
drm/nouveau/bios: fix issue shadowing expansion ROMs
drm/nouveau/privring: ack interrupts the same way as RM
drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields
drm/nouveau/mmu: fix vram heap sizing
drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0
scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
i2c: octeon: check correct size of maximum RECV_LEN packet
platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list
selftests: net: fib_tests: remove duplicate log test
can: dev: can_restart: fix use after free bug
can: vxcan: vxcan_xmit: fix use after free bug
can: peak_usb: fix use after free bugs
iio: ad5504: Fix setting power-down state
irqchip/mips-cpu: Set IPI domain parent chip
intel_th: pci: Add Alder Lake-P support
stm class: Fix module init return on allocation failure
serial: mvebu-uart: fix tx lost characters at power off
ehci: fix EHCI host controller initialization sequence
USB: ehci: fix an interrupt calltrace error
usb: gadget: aspeed: fix stop dma register setting.
usb: udc: core: Use lock when write to soft_connect
usb: bdc: Make bdc pci driver depend on BROKEN
xhci: make sure TRB is fully written before giving it to the controller
xhci: tegra: Delay for disabling LFPS detector
driver core: Extend device_is_dependent()
netfilter: rpfilter: mask ecn bits before fib lookup
sh: dma: fix kconfig dependency for G2_DMA
sh_eth: Fix power down vs. is_opened flag ordering
skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
kasan: fix incorrect arguments passing in kasan_add_zero_shadow
udp: mask TOS bits in udp_v4_early_demux()
ipv6: create multicast route with RTPROT_KERNEL
net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
net_sched: reject silly cell_log in qdisc_get_rtab()
ipv6: set multicast flag on the multicast route
net: mscc: ocelot: allow offloading of bridge on top of LAG
net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
net: dsa: b53: fix an off by one in checking "vlan->vid"
Linux 4.19.171
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2be7d084a443bfc87e6a3d5753d9c233f54788ac
commit a11a496ee6e2ab6ed850233c96b94caf042af0b9 upstream.
During testing kasan_populate_early_shadow and kasan_remove_zero_shadow,
if the shadow start and end address in kasan_remove_zero_shadow() is not
aligned to PMD_SIZE, the remain unaligned PTE won't be removed.
In the test case for kasan_remove_zero_shadow():
shadow_start: 0xffffffb802000000, shadow end: 0xffffffbfbe000000
3-level page table:
PUD_SIZE: 0x40000000 PMD_SIZE: 0x200000 PAGE_SIZE: 4K
0xffffffbf80000000 ~ 0xffffffbfbdf80000 will not be removed because in
kasan_remove_pud_table(), kasan_pmd_table(*pud) is true but the next
address is 0xffffffbfbdf80000 which is not aligned to PUD_SIZE.
In the correct condition, this should fallback to the next level
kasan_remove_pmd_table() but the condition flow always continue to skip
the unaligned part.
Fix by correcting the condition when next and addr are neither aligned.
Link: https://lkml.kernel.org/r/20210103135621.83129-1-lecopzer@gmail.com
Fixes: 0207df4fa1 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: YJ Chiang <yj.chiang@mediatek.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAHFgcACgkQONu9yGCS
aT7vaw//QfIjoGSMrv88n6b+2CBKU7yZyUqDhV1YvfLs3CwAHc0NDrBgmHanje5j
SIBBoa0PhzhzVE2zPMLlfWisGs8dt0844R5LL+Kc8h7oa7OCSKY1tws8lm9L0qgj
DE5/DD1ztmg9glKhiJyQxRwZfbWQlp2eAyN8TEqKCrfxrP2UOW6JNW0dMniqACvM
CmPNgopFfnObTVSjbLYYlonJJsOE++EUue5XN+MvBQSOaamTBOB5cwr3esEG0RX7
GGu+P0dQXpJUythkqypDCH2LVe95szOeCEwmTFnQKauFLYQijVx0s4kMSiiU/ByP
o0sHFOSdsayi5rOYek3lnomnzqzWvQgIrs3VqkXhT//j8hcXE0+owYvNbpTbC4c6
E8qULLht6pahtD/53MYk0XGDC6y5uIgbIQGQylWyg4+bZFfnXlz6UErrFXM/gyEp
0uARhrwJT3BmKsNQPKsTCWuzpfVuKCTseYfpiOZMqZptyKtFyWSnCvyTRyPk4ZvS
VeMXG46qENiWDXUrvggL9zK4bzgqsyneLbzkJ6eqEA9YxE7MPlH6I4TUhjPm4KWl
CHMl60lDwA/N/M76WiPkHVXp1/ODpnK2ebKRXSM2goT0/jsOA2CTLVGSQ9tzH4e4
7zrnG0JnETw6ib2w4rfKJRi/OSS49r03lO2PnrLOexA4Y+U8daI=
=H0Tc
-----END PGP SIGNATURE-----
Merge 4.19.169 into android-4.19-stable
Changes in 4.19.169
ASoC: dapm: remove widget from dirty list on free
x86/hyperv: check cpu mask after interrupt has been disabled
tracing/kprobes: Do the notrace functions check without kprobes on ftrace
MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
MIPS: relocatable: fix possible boot hangup with KASLR enabled
ACPI: scan: Harden acpi_device_add() against device ID overflows
mm/hugetlb: fix potential missing huge page size info
dm snapshot: flush merged data before committing metadata
dm integrity: fix the maximum number of arguments
r8152: Add Lenovo Powered USB-C Travel Hub
ext4: fix bug for rename with RENAME_WHITEOUT
ARC: build: remove non-existing bootpImage from KBUILD_IMAGE
ARC: build: add uImage.lzma to the top-level target
ARC: build: add boot_targets to PHONY
btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan
ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram
bfq: Fix computation of shallow depth
arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC
misdn: dsp: select CONFIG_BITREVERSE
net: ethernet: fs_enet: Add missing MODULE_LICENSE
ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI
drm/msm: Call msm_init_vram before binding the gpu
ARM: picoxcell: fix missing interrupt-parent properties
ima: Remove __init annotation from ima_pcrread()
dump_common_audit_data(): fix racy accesses to ->d_name
ASoC: meson: axg-tdm-interface: fix loopback
ASoC: Intel: fix error code cnl_set_dsp_D0()
NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
pNFS: Mark layout for return if return-on-close was not sent
NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter
NFS: nfs_igrab_and_active must first reference the superblock
ext4: fix superblock checksum failure when setting password salt
RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
RDMA/mlx5: Fix wrong free of blue flame register on error
mm, slub: consider rest of partial list if acquire_slab() fails
net: sunrpc: interpret the return value of kstrtou32 correctly
dm: eliminate potential source of excessive kernel log noise
ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
ALSA: fireface: Fix integer overflow in transmit_midi_msg()
netfilter: conntrack: fix reading nf_conntrack_buckets
netfilter: nf_nat: Fix memleak in nf_nat_init
kbuild: enforce -Werror=return-type
Linux 4.19.169
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I74309249e2b6a77421acd7f8d19f60cc48c328db
commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream.
acquire_slab() fails if there is contention on the freelist of the page
(probably because some other CPU is concurrently freeing an object from
the page). In that case, it might make sense to look for a different page
(since there might be more remote frees to the page from other CPUs, and
we don't want contention on struct page).
However, the current code accidentally stops looking at the partial list
completely in that case. Especially on kernels without CONFIG_NUMA set,
this means that get_partial() fails and new_slab_objects() falls back to
new_slab(), allocating new pages. This could lead to an unnecessary
increase in memory fragmentation.
Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com
Fixes: 7ced371971 ("slub: Acquire_slab() avoid loop")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
The huge page size is encoded for VM_FAULT_HWPOISON errors only. So if
we return VM_FAULT_HWPOISON, huge page size would just be ignored.
Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
Fixes: aa50d3a7aa ("Encode huge page size for VM_FAULT_HWPOISON errors")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In the Scudo memory allocator [1] we would like to be able to detect
use-after-free vulnerabilities involving large allocations by issuing
mprotect(PROT_NONE) on the memory region used for the allocation when it
is deallocated. Later on, after the memory region has been "quarantined"
for a sufficient period of time we would like to be able to use it for
another allocation by issuing mprotect(PROT_READ|PROT_WRITE).
Before this patch, after removing the write protection, any writes to the
memory region would result in page faults and entering the copy-on-write
code path, even in the usual case where the pages are only referenced by a
single PTE, harming performance unnecessarily. Make it so that any pages
in anonymous mappings that are only referenced by a single PTE are
immediately made writable during the mprotect so that we can avoid the
page faults.
This program shows the critical syscall sequence that we intend to use in
the allocator:
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
for (int i = 0; i != 100000; ++i) {
memset(addr, i, kSize);
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
The effect of this patch on the above program was measured on a
DragonBoard 845c by taking the median real time execution time of 10 runs.
Before: 3.19s
After: 0.79s
The effect was also measured using one of the microbenchmarks that
we normally use to benchmark the allocator [2], after modifying it
to make the appropriate mprotect calls [3]. With an allocation size
of 131072 bytes to trigger the allocator's "large allocation" code
path the per-iteration time was measured as follows:
Before: 33364ns
After: 6886ns
This patch means that we do more work during the mprotect call itself
in exchange for less work when the pages are accessed. In the worst
case, the pages are not accessed at all. The effect of this patch in
such cases was measured using the following program:
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
memset(addr, 1, kSize);
for (int i = 0; i != 100000; ++i) {
#ifdef PAGE_FAULT
memset(addr + (i * 4096) % kSize, i, 4096);
#endif
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
With PAGE_FAULT undefined (0 pages touched after removing write
protection) the median real time execution time of 100 runs was measured
as follows:
Before: 0.325928s
After: 0.365493s
With PAGE_FAULT defined (1 page touched) the measurements were
as follows:
Before: 0.441516s
After: 0.380251s
So it seems that even with a single page fault the new approach is faster.
I saw similar results if I adjusted the programs to use a larger mapping
size. With kSize = 1048576 I get these numbers with PAGE_FAULT undefined:
Before: 1.563078s
After: 1.607476s
i.e. around 3%.
And these with PAGE_FAULT defined:
Before: 1.684663s
After: 1.683272s
i.e. about the same.
What I think we may conclude from these results is that for smaller
mappings the advantage of the previous approach, although measurable, is
wiped out by a single page fault. I think we may expect that there should
be at least one access resulting in a page fault (under the previous
approach) after making the pages writable, since the program presumably
made the pages writable for a reason.
For larger mappings we may guesstimate that the new approach wins if the
density of future page faults is > 0.4%. But for the mappings that are
large enough for density to matter (not just the absolute number of page
faults) it doesn't seem like the increase in mprotect latency would be
very large relative to the total mprotect execution time.
Link: https://lkml.kernel.org/r/20201230004134.1185017-1-pcc@google.com
Link: https://linux-review.googlesource.com/id/I98d75ef90e20330c578871c87494d64b1df3f1b8
Link: [1] https://source.android.com/devices/tech/debug/scudo
Link: [2] https://cs.android.com/android/platform/superproject/+/master:bionic/benchmarks/stdlib_benchmark.cpp;l=53;drc=e8693e78711e8f45ccd2b610e4dbe0b94d551cc9
Link: [3] https://github.com/pcc/llvm-project/commit/scudo-mprotect-secondary
Signed-off-by: Peter Collingbourne <pcc@google.com>
[pcc: resolved minor conflict]
Cc: Kostya Kortchinsky <kostyak@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
(cherry picked from commit 2a9e75c907fa2de626d77dd4051fc038f0dbaf52
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git akpm)
Bug: 135772972
Change-Id: I98d75ef90e20330c578871c87494d64b1df3f1b8
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/TZyUACgkQONu9yGCS
aT6Z8Q/+It2xbx52eGrQbN1beQ4vlER+kfbyvIWGgj3GYgiTn1nBTf0COJs5ukXG
YiKfimV7vUth1NOFkgb4/FKLaU1YkIBpKgOruFA8bxL/XIfX617Y9e3zIFU7Dhsx
R/fuLm0+EqaIlT9nO59vf3MU1Fe6Ty8jBzwrVlgAUwSDWqtPLvvevwwpS1dJLQ77
5O3Q8/tO9epc6r5RxSzdcaFZDAp1SeT/lIxzKQD9rBeySJeB/e0usoo00SpjcGiL
biZSgKAbpLQ2Y5Mbev5OClNxP3zCObOy8Hj20xOl1jlUil+UNQXfbU+bLNuQKfWU
ilPjhrqUarBaMHydsJDZ9CTHOB94dVqUPB1YJYgtDr3cC5X/yQkqZwPGoK8tEe5u
IO2XUkCGd6bj4nnqikkodh6zYlfxMYbHaFRAUaOMkE5c5Y3mb3h+/DW8cFuEIEg3
4dYnujItqCnqlNP3/bmT6i2uicxNzbAGYNZ/7B883WyCsBlxaPTJlY8yzFxoPk03
HYXKxM9lY1gn0zFXttvWp0l91UWnuIuJqRyc97NuhTxKr9+ZHbnBDWXnF3Dm3iie
262DXA+dAIc5FR9LQHG83nrrnLVk+3d1fiaduHCmaMjx/T1kJquMRuuWEUJZf/CG
++DecqyoGCqNJAQfbu5OUywPnakRfaCdXUo73qfCfloS4OYe5ck=
=hIcD
-----END PGP SIGNATURE-----
Merge 4.19.163 into android-4.19-stable
Changes in 4.19.163
pinctrl: baytrail: Replace WARN with dev_info_once when setting direct-irq pin to output
pinctrl: baytrail: Fix pin being driven low for a while on gpiod_get(..., GPIOD_OUT_HIGH)
usb: gadget: f_fs: Use local copy of descriptors for userspace copy
USB: serial: kl5kusb105: fix memleak on open
USB: serial: ch341: add new Product ID for CH341A
USB: serial: ch341: sort device-id entries
USB: serial: option: add Fibocom NL668 variants
USB: serial: option: add support for Thales Cinterion EXS82
USB: serial: option: fix Quectel BG96 matching
tty: Fix ->pgrp locking in tiocspgrp()
tty: Fix ->session locking
ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model
ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294
ALSA: hda/realtek - Add new codec supported for ALC897
ALSA: hda/generic: Add option to enforce preferred_dacs pairs
ftrace: Fix updating FTRACE_FL_TRAMP
cifs: fix potential use-after-free in cifs_echo_request()
i2c: imx: Don't generate STOP condition if arbitration has been lost
scsi: mpt3sas: Fix ioctl timeout
dm writecache: fix the maximum number of arguments
dm: remove invalid sparse __acquires and __releases annotations
mm: list_lru: set shrinker map bit when child nr_items is not zero
mm/swapfile: do not sleep with a spin lock held
x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
i2c: imx: Fix reset of I2SR_IAL flag
i2c: imx: Check for I2SR_IAL after every byte
speakup: Reject setting the speakup line discipline outside of speakup
iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
spi: Introduce device-managed SPI controller allocation
spi: bcm-qspi: Fix use-after-free on unbind
spi: bcm2835: Fix use-after-free on unbind
spi: bcm2835: Release the DMA channel if probe fails after dma_init
tracing: Fix userstacktrace option for instances
gfs2: check for empty rgrp tree in gfs2_ri_update
i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc()
dm writecache: remove BUG() and fail gracefully instead
Input: i8042 - fix error return code in i8042_setup_aux()
netfilter: nf_tables: avoid false-postive lockdep splat
x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes
Revert "geneve: pull IP header before ECN decapsulation"
Linux 4.19.163
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I65bc0b27c576e6d5c75f0bc085cb80e9a2f0a2d3
commit 8199be001a470209f5c938570cc199abb012fe53 upstream.
When investigating a slab cache bloat problem, significant amount of
negative dentry cache was seen, but confusingly they neither got shrunk
by reclaimer (the host has very tight memory) nor be shrunk by dropping
cache. The vmcore shows there are over 14M negative dentry objects on
lru, but tracing result shows they were even not scanned at all.
Further investigation shows the memcg's vfs shrinker_map bit is not set.
So the reclaimer or dropping cache just skip calling vfs shrinker. So
we have to reboot the hosts to get the memory back.
I didn't manage to come up with a reproducer in test environment, and
the problem can't be reproduced after rebooting. But it seems there is
race between shrinker map bit clear and reparenting by code inspection.
The hypothesis is elaborated as below.
The memcg hierarchy on our production environment looks like:
root
/ \
system user
The main workloads are running under user slice's children, and it
creates and removes memcg frequently. So reparenting happens very often
under user slice, but no task is under user slice directly.
So with the frequent reparenting and tight memory pressure, the below
hypothetical race condition may happen:
CPU A CPU B
reparent
dst->nr_items == 0
shrinker:
total_objects == 0
add src->nr_items to dst
set_bit
return SHRINK_EMPTY
clear_bit
child memcg offline
replace child's kmemcg_id with
parent's (in memcg_offline_kmem())
list_lru_del() between shrinker runs
see parent's kmemcg_id
dec dst->nr_items
reparent again
dst->nr_items may go negative
due to concurrent list_lru_del()
The second run of shrinker:
read nr_items without any
synchronization, so it may
see intermediate negative
nr_items then total_objects
may return 0 coincidently
keep the bit cleared
dst->nr_items != 0
skip set_bit
add scr->nr_item to dst
After this point dst->nr_item may never go zero, so reparenting will not
set shrinker_map bit anymore. And since there is no task under user
slice directly, so no new object will be added to its lru to set the
shrinker map bit either. That bit is kept cleared forever.
How does list_lru_del() race with reparenting? It is because reparenting
replaces children's kmemcg_id to parent's without protecting from
nlru->lock, so list_lru_del() may see parent's kmemcg_id but actually
deleting items from child's lru, but dec'ing parent's nr_items, so the
parent's nr_items may go negative as commit 2788cf0c40 ("memcg:
reparent list_lrus and free kmemcg_id on css offline") says.
Since it is impossible that dst->nr_items goes negative and
src->nr_items goes zero at the same time, so it seems we could set the
shrinker map bit iff src->nr_items != 0. We could synchronize
list_lru_count_one() and reparenting with nlru->lock, but it seems
checking src->nr_items in reparenting is the simplest and avoids lock
contention.
Fixes: fae91d6d8b ("mm/list_lru.c: set bit in memcg shrinker bitmap on first list_lru item appearance")
Suggested-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Roman Gushchin <guro@fb.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: <stable@vger.kernel.org> [4.19]
Link: https://lkml.kernel.org/r/20201202171749.264354-1-shy828301@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+8/EkACgkQONu9yGCS
aT6g6xAAxZs2sTi6peZpLHhzTgMUZtZYJf9rgAWeF3wwIT1DeEVi8dpOuQbu6j17
bK65D/qJjmiZGJbFG+Mjt5GcQBOnQz+hQ+EaaADk3HOt6G9oFB99Bybmg6JP94TH
184JkzUMBnHWj9O4wBtF9IjqPoN5iDIz07D8RArxAqXW8+IWX6BjY2Qzd/dO2vns
UufBBoKznAC1HWwI1WGyMTki+DHtk1m8hV4+H0G4wHrux4cQRXWzxZx3Zfnmkjqh
v7Ig90GzVegxHjreYc7RnxDi4XCgOhRqevB+0uf5jms7mzd4spxz1kaAZqO5r/DQ
tTn/90CL2n7+LC6HGZSGnD5WdKawEZwgbimjpsAQ8uygWyzTJ23hL71ZiGxFaKPc
Yc7UqVMsSsFCAxUc+ri7ZLrKqBEn3NFZNNjAlqZRW4k1ayjuNz7EdP6CS9T6AZih
vqmeygmnALbKaX/VPDk/GChWtcpSOfNRA4d3XkSdANavIsNoI114tKZOwwLUQQjd
D/8h2gng7gnX6TquMQSLyQmYTTV3UxK8UW1Ipi00KLMfmYVHMSI0gn2fGDUwOyfJ
vkwi/15GJXKQ+GJAvkuyJEDTwFE0iU/+gM28Jv56L9Kv25vWu7vdQVcDU6vslEhY
bbPMzkOA8zSwOkTZTWS8k6cpMMeiWbIZyxHKovXsU84n0nSf6Hs=
=IcSi
-----END PGP SIGNATURE-----
Merge 4.19.160 into android-4.19-stable
Changes in 4.19.160
ah6: fix error return code in ah6_input()
atm: nicstar: Unmap DMA on send error
bnxt_en: read EEPROM A2h address using page 0
devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill()
inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
lan743x: fix issue causing intermittent kernel log warnings
lan743x: prevent entire kernel HANG on open, for some platforms
mlxsw: core: Use variable timeout for EMAD retries
net: b44: fix error return code in b44_init_one()
net: bridge: add missing counters to ndo_get_stats64 callback
net: dsa: mv88e6xxx: Avoid VTU corruption on 6097
net: Have netpoll bring-up DSA management interface
netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
net/mlx4_core: Fix init_hca fields offset
net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup
net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
page_frag: Recover from memory pressure
qed: fix error return code in qed_iwarp_ll2_start()
qlcnic: fix error return code in qlcnic_83xx_restart_hw()
sctp: change to hold/put transport for proto_unreach_timer
tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate
net/mlx5: Disable QoS when min_rates on all VFs are zero
net: usb: qmi_wwan: Set DTR quirk for MR400
net/ncsi: Fix netlink registration
net: ftgmac100: Fix crash when removing driver
pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold()
selftests: kvm: Fix the segment descriptor layout to match the actual layout
ACPI: button: Add DMI quirk for Medion Akoya E2228T
arm64: psci: Avoid printing in cpu_psci_cpu_die()
vfs: remove lockdep bogosity in __sb_start_write
arm64: dts: allwinner: a64: Pine64 Plus: Fix ethernet node
arm64: dts: allwinner: h5: OrangePi PC2: Fix ethernet node
ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node
Revert "arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high"
ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on Ethernet PHY
ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY
arm64: dts: allwinner: a64: bananapi-m64: Enable RGMII RX/TX delay on PHY
Input: adxl34x - clean up a data type in adxl34x_probe()
MIPS: export has_transparent_hugepage() for modules
arm64: dts: allwinner: h5: OrangePi Prime: Fix ethernet node
arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy
ARM: dts: imx50-evk: Fix the chip select 1 IOMUX
Input: resistive-adc-touch - fix kconfig dependency on IIO_BUFFER
perf lock: Don't free "lock_seq_stat" if read_count isn't zero
ip_tunnels: Set tunnel option flag when tunnel metadata is present
can: af_can: prevent potential access of uninitialized member in can_rcv()
can: af_can: prevent potential access of uninitialized member in canfd_rcv()
can: dev: can_restart(): post buffer from the right context
can: ti_hecc: Fix memleak in ti_hecc_probe
can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb()
can: peak_usb: fix potential integer overflow on shift of a int
can: m_can: m_can_handle_state_change(): fix state change
ASoC: qcom: lpass-platform: Fix memory leak
MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu
drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind()
can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits
xfs: fix the minrecs logic when dealing with inode root child blocks
xfs: strengthen rmap record flags checking
regulator: ti-abb: Fix array out of bound read access on the first transition
fail_function: Remove a redundant mutex unlock
xfs: revert "xfs: fix rmap key and record comparison functions"
efi/x86: Free efi_pgd with free_pages()
libfs: fix error cast of negative value in simple_attr_write()
speakup: Do not let the line discipline be used several times
ALSA: firewire: Clean up a locking issue in copy_resp_to_buf()
ALSA: usb-audio: Add delay quirk for all Logitech USB devices
ALSA: ctl: fix error path at adding user-defined element set
ALSA: mixart: Fix mutex deadlock
ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220)
tty: serial: imx: keep console clocks always on
efivarfs: fix memory leak in efivarfs_create()
staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids
ext4: fix bogus warning in ext4_update_dx_flag()
iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode
regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200}
regulator: fix memory leak with repeated set_machine_constraints()
regulator: avoid resolve_supply() infinite recursion
regulator: workaround self-referent regulators
xtensa: disable preemption around cache alias management calls
mac80211: minstrel: remove deferred sampling code
mac80211: minstrel: fix tx status processing corner case
mac80211: free sta in sta_info_insert_finish() on errors
s390/cpum_sf.c: fix file permission for cpum_sfb_size
s390/dasd: fix null pointer dereference for ERP requests
ptrace: Set PF_SUPERPRIV when checking capability
seccomp: Set PF_SUPERPRIV when checking capability
x86/microcode/intel: Check patch signature before saving microcode for early loading
mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault()
Linux 4.19.160
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3a7304be6687f4ffe96f0e765da0c0ec7dcb971d
commit bfe8cc1db02ab243c62780f17fc57f65bde0afe1 upstream.
Alexander reported a syzkaller / KASAN finding on s390, see below for
complete output.
In do_huge_pmd_anonymous_page(), the pre-allocated pagetable will be
freed in some cases. In the case of userfaultfd_missing(), this will
happen after calling handle_userfault(), which might have released the
mmap_lock. Therefore, the following pte_free(vma->vm_mm, pgtable) will
access an unstable vma->vm_mm, which could have been freed or re-used
already.
For all architectures other than s390 this will go w/o any negative
impact, because pte_free() simply frees the page and ignores the
passed-in mm. The implementation for SPARC32 would also access
mm->page_table_lock for pte_free(), but there is no THP support in
SPARC32, so the buggy code path will not be used there.
For s390, the mm->context.pgtable_list is being used to maintain the 2K
pagetable fragments, and operating on an already freed or even re-used
mm could result in various more or less subtle bugs due to list /
pagetable corruption.
Fix this by calling pte_free() before handle_userfault(), similar to how
it is already done in __do_huge_pmd_anonymous_page() for the WRITE /
non-huge_zero_page case.
Commit 6b251fc96c ("userfaultfd: call handle_userfault() for
userfaultfd_missing() faults") actually introduced both, the
do_huge_pmd_anonymous_page() and also __do_huge_pmd_anonymous_page()
changes wrt to calling handle_userfault(), but only in the latter case
it put the pte_free() before calling handle_userfault().
BUG: KASAN: use-after-free in do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744
Read of size 8 at addr 00000000962d6988 by task syz-executor.0/9334
CPU: 1 PID: 9334 Comm: syz-executor.0 Not tainted 5.10.0-rc1-syzkaller-07083-g4c9720875573 #0
Hardware name: IBM 3906 M04 701 (KVM/Linux)
Call Trace:
do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744
create_huge_pmd mm/memory.c:4256 [inline]
__handle_mm_fault+0xe6e/0x1068 mm/memory.c:4480
handle_mm_fault+0x288/0x748 mm/memory.c:4607
do_exception+0x394/0xae0 arch/s390/mm/fault.c:479
do_dat_exception+0x34/0x80 arch/s390/mm/fault.c:567
pgm_check_handler+0x1da/0x22c arch/s390/kernel/entry.S:706
copy_from_user_mvcos arch/s390/lib/uaccess.c:111 [inline]
raw_copy_from_user+0x3a/0x88 arch/s390/lib/uaccess.c:174
_copy_from_user+0x48/0xa8 lib/usercopy.c:16
copy_from_user include/linux/uaccess.h:192 [inline]
__do_sys_sigaltstack kernel/signal.c:4064 [inline]
__s390x_sys_sigaltstack+0xc8/0x240 kernel/signal.c:4060
system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
Allocated by task 9334:
slab_alloc_node mm/slub.c:2891 [inline]
slab_alloc mm/slub.c:2899 [inline]
kmem_cache_alloc+0x118/0x348 mm/slub.c:2904
vm_area_dup+0x9c/0x2b8 kernel/fork.c:356
__split_vma+0xba/0x560 mm/mmap.c:2742
split_vma+0xca/0x108 mm/mmap.c:2800
mlock_fixup+0x4ae/0x600 mm/mlock.c:550
apply_vma_lock_flags+0x2c6/0x398 mm/mlock.c:619
do_mlock+0x1aa/0x718 mm/mlock.c:711
__do_sys_mlock2 mm/mlock.c:738 [inline]
__s390x_sys_mlock2+0x86/0xa8 mm/mlock.c:728
system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
Freed by task 9333:
slab_free mm/slub.c:3142 [inline]
kmem_cache_free+0x7c/0x4b8 mm/slub.c:3158
__vma_adjust+0x7b2/0x2508 mm/mmap.c:960
vma_merge+0x87e/0xce0 mm/mmap.c:1209
userfaultfd_release+0x412/0x6b8 fs/userfaultfd.c:868
__fput+0x22c/0x7a8 fs/file_table.c:281
task_work_run+0x200/0x320 kernel/task_work.c:151
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
do_notify_resume+0x100/0x148 arch/s390/kernel/signal.c:538
system_call+0xe6/0x28c arch/s390/kernel/entry.S:416
The buggy address belongs to the object at 00000000962d6948 which belongs to the cache vm_area_struct of size 200
The buggy address is located 64 bytes inside of 200-byte region [00000000962d6948, 00000000962d6a10)
The buggy address belongs to the page: page:00000000313a09fe refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x962d6 flags: 0x3ffff00000000200(slab)
raw: 3ffff00000000200 000040000257e080 0000000c0000000c 000000008020ba00
raw: 0000000000000000 000f001e00000000 ffffffff00000001 0000000096959501
page dumped because: kasan: bad access detected
page->mem_cgroup:0000000096959501
Memory state around the buggy address:
00000000962d6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000000962d6900: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
>00000000962d6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
00000000962d6a00: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00
00000000962d6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Fixes: 6b251fc96c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults")
Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: <stable@vger.kernel.org> [4.3+]
Link: https://lkml.kernel.org/r/20201110190329.11920-1-gerald.schaefer@linux.ibm.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit d8c19014bba8f565d8a2f1f46b4e38d1d97bf1a7 ]
The ethernet driver may allocate skb (and skb->data) via napi_alloc_skb().
This ends up to page_frag_alloc() to allocate skb->data from
page_frag_cache->va.
During the memory pressure, page_frag_cache->va may be allocated as
pfmemalloc page. As a result, the skb->pfmemalloc is always true as
skb->data is from page_frag_cache->va. The skb will be dropped if the
sock (receiver) does not have SOCK_MEMALLOC. This is expected behaviour
under memory pressure.
However, once kernel is not under memory pressure any longer (suppose large
amount of memory pages are just reclaimed), the page_frag_alloc() may still
re-use the prior pfmemalloc page_frag_cache->va to allocate skb->data. As a
result, the skb->pfmemalloc is always true unless page_frag_cache->va is
re-allocated, even if the kernel is not under memory pressure any longer.
Here is how kernel runs into issue.
1. The kernel is under memory pressure and allocation of
PAGE_FRAG_CACHE_MAX_ORDER in __page_frag_cache_refill() will fail. Instead,
the pfmemalloc page is allocated for page_frag_cache->va.
2: All skb->data from page_frag_cache->va (pfmemalloc) will have
skb->pfmemalloc=true. The skb will always be dropped by sock without
SOCK_MEMALLOC. This is an expected behaviour.
3. Suppose a large amount of pages are reclaimed and kernel is not under
memory pressure any longer. We expect skb->pfmemalloc drop will not happen.
4. Unfortunately, page_frag_alloc() does not proactively re-allocate
page_frag_alloc->va and will always re-use the prior pfmemalloc page. The
skb->pfmemalloc is always true even kernel is not under memory pressure any
longer.
Fix this by freeing and re-allocating the page instead of recycling it.
References: https://lore.kernel.org/lkml/20201103193239.1807-1-dongli.zhang@oracle.com/
References: https://lore.kernel.org/linux-mm/20201105042140.5253-1-willy@infradead.org/
Suggested-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
Cc: Bert Barbe <bert.barbe@oracle.com>
Cc: Rama Nichanamatlu <rama.nichanamatlu@oracle.com>
Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Cc: Manjunath Patil <manjunath.b.patil@oracle.com>
Cc: Joe Jin <joe.jin@oracle.com>
Cc: SRINIVAS <srinivas.eeda@oracle.com>
Fixes: 79930f5892 ("net: do not deplete pfmemalloc reserve")
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20201115201029.11903-1-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags")
calls kasan_reset_tag() for off-slab slab management object leading to
freelist being stored non-tagged.
However, cache_grow_begin() calls alloc_slabmgmt() which calls
kmem_cache_alloc_node() assigns a tag for the address and stores it in
the shadow address. As the result, it causes endless errors below
during boot due to drain_freelist() -> slab_destroy() ->
kasan_slab_free() which compares already untagged freelist against the
stored tag in the shadow address.
Since off-slab slab management object freelist is such a special case,
just store it tagged. Non-off-slab management object freelist is still
stored untagged which has not been assigned a tag and should not cause
any other troubles with this inconsistency.
BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88
Pointer tag: [ff], memory tag: [99]
CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G W 5.1.0-rc3+ #8
Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.0.6 07/10/2018
Workqueue: cgroup_destroy css_killed_work_fn
Call trace:
print_address_description+0x74/0x2a4
kasan_report_invalid_free+0x80/0xc0
__kasan_slab_free+0x204/0x208
kasan_slab_free+0xc/0x18
kmem_cache_free+0xe4/0x254
slab_destroy+0x84/0x88
drain_freelist+0xd0/0x104
__kmem_cache_shrink+0x1ac/0x224
__kmemcg_cache_deactivate+0x1c/0x28
memcg_deactivate_kmem_caches+0xa0/0xe8
memcg_offline_kmem+0x8c/0x3d4
mem_cgroup_css_offline+0x24c/0x290
css_killed_work_fn+0x154/0x618
process_one_work+0x9cc/0x183c
worker_thread+0x9b0/0xe38
kthread+0x374/0x390
ret_from_fork+0x10/0x18
Allocated by task 1625:
__kasan_kmalloc+0x168/0x240
kasan_slab_alloc+0x18/0x20
kmem_cache_alloc_node+0x1f8/0x3a0
cache_grow_begin+0x4fc/0xa24
cache_alloc_refill+0x2f8/0x3e8
kmem_cache_alloc+0x1bc/0x3bc
sock_alloc_inode+0x58/0x334
alloc_inode+0xb8/0x164
new_inode_pseudo+0x20/0xec
sock_alloc+0x74/0x284
__sock_create+0xb0/0x58c
sock_create+0x98/0xb8
__sys_socket+0x60/0x138
__arm64_sys_socket+0xa4/0x110
el0_svc_handler+0x2c0/0x47c
el0_svc+0x8/0xc
Freed by task 1625:
__kasan_slab_free+0x114/0x208
kasan_slab_free+0xc/0x18
kfree+0x1a8/0x1e0
single_release+0x7c/0x9c
close_pdeo+0x13c/0x43c
proc_reg_release+0xec/0x108
__fput+0x2f8/0x784
____fput+0x1c/0x28
task_work_run+0xc0/0x1b0
do_notify_resume+0xb44/0x1278
work_pending+0x8/0x10
The buggy address belongs to the object at ffff809681b89e00
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
128-byte region [ffff809681b89e00, ffff809681b89e80)
The buggy address belongs to the page:
page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00
index:0xffff809681b8fe04
flags: 0x17ffffffc000200(slab)
raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00
raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000
page dumped because: kasan: bad access detected
page allocated via order 0, migratetype Unmovable, gfp_mask
0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
prep_new_page+0x4e0/0x5e0
get_page_from_freelist+0x4ce8/0x50d4
__alloc_pages_nodemask+0x738/0x38b8
cache_grow_begin+0xd8/0xa24
____cache_alloc_node+0x14c/0x268
__kmalloc+0x1c8/0x3fc
ftrace_free_mem+0x408/0x1284
ftrace_free_init_mem+0x20/0x28
kernel_init+0x24/0x548
ret_from_fork+0x10/0x18
Memory state around the buggy address:
ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe
^
ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe
ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw
Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I99046a0e1cb893062167a376795fee3a59f56b36
When handling a page fault, we drop mmap_sem to start async readahead so
that we don't block on IO submission with mmap_sem held. However there's
no point to drop mmap_sem in case readahead is disabled. Handle that case
to avoid pointless dropping of mmap_sem and retrying the fault. This was
actually reported to block mlockall(MCL_CURRENT) indefinitely.
Fixes: 6b4c9f446981 ("filemap: drop the mmap_sem for all blocking operations")
Reported-by: Minchan Kim <minchan@kernel.org>
Reported-by: Robert Stupp <snazy@gmx.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Link: http://lkml.kernel.org/r/20200212101356.30759-1-jack@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 5c72feee3e45b40a3c96c7145ec422899d0e8964)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iecc3a1972853a74d2faf70203fa34d912235be0b
kernel_init_free_pages() will use memset() on s390 to clear all pages from
kmalloc_order() which will override KASAN redzones because a redzone was
setup from the end of the allocation size to the end of the last page.
Silence it by not reporting it there. An example of the report is,
BUG: KASAN: slab-out-of-bounds in __free_pages_ok
Write of size 4096 at addr 000000014beaa000
Call Trace:
show_stack+0x152/0x210
dump_stack+0x1f8/0x248
print_address_description.isra.13+0x5e/0x4d0
kasan_report+0x130/0x178
check_memory_region+0x190/0x218
memset+0x34/0x60
__free_pages_ok+0x894/0x12f0
kfree+0x4f2/0x5e0
unpack_to_rootfs+0x60e/0x650
populate_rootfs+0x56/0x358
do_one_initcall+0x1f4/0xa20
kernel_init_freeable+0x758/0x7e8
kernel_init+0x1c/0x170
ret_from_fork+0x24/0x28
Memory state around the buggy address:
000000014bea9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000014bea9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>000000014beaa000: 03 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
000000014beaa080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
000000014beaa100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options")
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>
Acked-by: Vasily Gorbik <gor@linux.ibm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Link: http://lkml.kernel.org/r/20200610052154.5180-1-cai@lca.pw
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9e15afa5a87a3bf969a3b33c3dadfb8b46df42c0)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9375f117c1aa08c0d5d0e881bb5a917458f97c99
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+qe0EACgkQONu9yGCS
aT6MSw//TZRP6iLK2RhIrZu2jKD8jfYbHMT9JgKV2QCw7meg9q0JMj+SNP9CPbiL
oOYtsXsRFRnAh98aBXNMFmzV7Zm0uUu0XGeFGxnf8y2X7EI1nZ6plvrCUYD8dCiF
IPR67yyc5MojNQTfm0XDvQ3C7bKx5PuheRCLwhSuKclnrDxi8FNjS2NSBxi5G32j
B7NzateeG7m/zE9fG1RkiJzfwu8/k0PKKecEYFwjRSC5QrXwvtEKdz/X/HkoXsck
345wWHCTObpcDbDWkkUF5VuR36kCWMP+uYT4lNihZTV9+9b8Gz9ghhanDIuVCoU1
biEsJnCORe/PV/xcgGJNkpEtabbDQNJ5Dn3wLKSuRAbBOkN2/nwzZa4EDoXWQSTv
PDhzbLDjFjMu8Yb9PKrylhYGTmlNS4mA3hMszF4QNszhRyxTyDGln4MbUkpKg4sO
HgU4JLvDOCfkCsGTBJ4XGTBcH+6ZxZwm1b+e4uy3FFZW2CEqSetZ3TCyIBxdLupa
8JYmfqQjmaj0KUiUV9l1SJ6uHcIyg/FoNuCAdtDl7mLuzZdwtEhk3TeaZn4iwxWJ
Ku+2qY0X6wsePOTfIA7puWBbK+IonM24Q3oIDVqjA+2yrmLJGlYuaQJrSPzEJHoh
upHznwsU2W7MIfA6hJIcQeWIvzM4w5GSKUr3YeknVPIStP1ZqRg=
=trRk
-----END PGP SIGNATURE-----
Merge 4.19.156 into android-4.19-stable
Changes in 4.19.156
drm/i915: Break up error capture compression loops with cond_resched()
tipc: fix use-after-free in tipc_bcast_get_mode
ptrace: fix task_join_group_stop() for the case when current is traced
cadence: force nonlinear buffers to be cloned
chelsio/chtls: fix memory leaks caused by a race
chelsio/chtls: fix always leaking ctrl_skb
gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP
gianfar: Account for Tx PTP timestamp in the skb headroom
net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition
sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms
sfp: Fix error handing in sfp_probe()
blktrace: fix debugfs use after free
btrfs: extent_io: Kill the forward declaration of flush_write_bio
btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
Revert "btrfs: flush write bio if we loop in extent_write_cache_pages"
btrfs: flush write bio if we loop in extent_write_cache_pages
btrfs: extent_io: Handle errors better in extent_write_full_page()
btrfs: extent_io: Handle errors better in btree_write_cache_pages()
btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io()
Btrfs: fix unwritten extent buffers and hangs on future writeback attempts
btrfs: Don't submit any btree write bio if the fs has errors
btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it
btrfs: tree-checker: Make chunk item checker messages more readable
btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO
btrfs: tree-checker: Check chunk item at tree block read time
btrfs: tree-checker: Verify dev item
btrfs: tree-checker: Fix wrong check on max devid
btrfs: tree-checker: Enhance chunk checker to validate chunk profile
btrfs: tree-checker: Verify inode item
btrfs: tree-checker: fix the error message for transid error
Fonts: Replace discarded const qualifier
ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2
ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices
ALSA: usb-audio: Add implicit feedback quirk for Qu-16
ALSA: usb-audio: Add implicit feedback quirk for MODX
mm: mempolicy: fix potential pte_unmap_unlock pte error
lib/crc32test: remove extra local_irq_disable/enable
kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled
mm: always have io_remap_pfn_range() set pgprot_decrypted()
gfs2: Wake up when sd_glock_disposal becomes zero
ring-buffer: Fix recursion protection transitions between interrupt context
ftrace: Fix recursion check for NMI test
ftrace: Handle tracing when switching between context
tracing: Fix out of bounds write in get_trace_buf
futex: Handle transient "ownerless" rtmutex state correctly
ARM: dts: sun4i-a10: fix cpu_alert temperature
x86/kexec: Use up-to-dated screen_info copy to fill boot params
of: Fix reserved-memory overlap detection
blk-cgroup: Fix memleak on error path
blk-cgroup: Pre-allocate tree node on blkg_conf_prep
scsi: core: Don't start concurrent async scan on same host
vsock: use ns_capable_noaudit() on socket create
drm/vc4: drv: Add error handding for bind
ACPI: NFIT: Fix comparison to '-ENXIO'
vt: Disable KD_FONT_OP_COPY
fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
serial: 8250_mtk: Fix uart_get_baud_rate warning
serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init
USB: serial: cyberjack: fix write-URB completion race
USB: serial: option: add Quectel EC200T module support
USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
USB: serial: option: add Telit FN980 composition 0x1055
USB: Add NO_LPM quirk for Kingston flash drive
usb: mtu3: fix panic in mtu3_gadget_stop()
ARC: stack unwinding: avoid indefinite looping
Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE"
PM: runtime: Resume the device earlier in __device_release_driver()
perf/core: Fix a memory leak in perf_event_parse_addr_filter()
tools: perf: Fix build error in v4.19.y
net: dsa: read mac address from DT for slave device
arm64: dts: marvell: espressobin: Add ethernet switch aliases
Linux 4.19.156
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I87af8871465f54de0332fa74bc1f342b7fe99061
commit 3f08842098e842c51e3b97d0dcdebf810b32558e upstream.
When flags in queue_pages_pte_range don't have MPOL_MF_MOVE or
MPOL_MF_MOVE_ALL bits, code breaks and passing origin pte - 1 to
pte_unmap_unlock seems like not a good idea.
queue_pages_pte_range can run in MPOL_MF_MOVE_ALL mode which doesn't
migrate misplaced pages but returns with EIO when encountering such a
page. Since commit a7f40cfe3b7a ("mm: mempolicy: make mbind() return
-EIO when MPOL_MF_STRICT is specified") and early break on the first pte
in the range results in pte_unmap_unlock on an underflow pte. This can
lead to lockups later on when somebody tries to lock the pte resp.
page_table_lock again..
Fixes: a7f40cfe3b7a ("mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified")
Signed-off-by: Shijie Luo <luoshijie1@huawei.com>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Feilong Lin <linfeilong@huawei.com>
Cc: Shijie Luo <luoshijie1@huawei.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20201019074853.50856-1-luoshijie1@huawei.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
slab does this already, and I want to use this in a memory allocation
tracker in drm for stuff that's tied to the lifetime of a drm_device,
not the underlying struct device. Kinda like devres, but for drm.
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Link: https://patchwork.freedesktop.org/patch/msgid/20200323144950.3018436-2-daniel.vetter@ffwll.ch
(cherry picked from commit fd7cb5753ef49964ea9db5121c3fc9a4ec21ed8e)
Bug: 163141236
Signed-off-by: Alistair Delva <adelva@google.com>
Change-Id: I10790befc779311a5f2ee441e4d073e51a5a7a62
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+ag5UACgkQONu9yGCS
aT5O3w//RaOcwQdi47/UJz8zyja1ZG8MSSCGibpwvaDwrsXu9es1QtqLAC38H10o
ygxNLBZQHxhScsRpicNc+Dy87+lcSj8cF1ed7sd1LU8rvmQ18uIeFUZxfzYth8jW
i6erzas0Ojw8IMy566GDxkfAC6n5GhJuJTVFQWUQpoEbsb5rXcGCLx3u+S3Ew+5t
Xb9qE6r5cImYymvMkMy7RQ4Db2qgOwjkaCj+Ol+4BSR0bF4OweMQLPJs9gN8pJpr
o2nxHg7wdO8SKJZCBVw8ZmfO4zF6czcKy+KzFajn+4LA2oT5mgiV8y21cd9CWYeQ
JQK1jZGwwl/xljrM1yLd+crG8i11DhCStY90+4bxD68r8H+g1kwZ8jELmCwuuyx6
dk1s7jOxyKl9qAnMt6r2HqrjgxGD+2hL+2S84jPGRBow5IYjrdD0REXZjyk1R7Rp
8k00lRk1ATEy7H2lj4JW34tcsTEEDcn8PqUFx7MRKtCUI2uo4Gr5HXqf6wTJDp6S
BsDe8mm77jd81vtw/AZ8Fv7Fg42QIPt7G1QV9wBbFvDmKmDa7Gj6SuQqTeu75oU9
M++aWSwyOb08wZEE0y94wsm6r4raN3A8o70Df9FltNFTALowuIcR+CVtOnQfHEuL
BUBJcWg3SDsIxkXYgvQ9jO5h38i6dhAIVGAcU4VB0rgP/ePKMQs=
=GiLo
-----END PGP SIGNATURE-----
Merge 4.19.153 into android-4.19-stable
Changes in 4.19.153
ibmveth: Switch order of ibmveth_helper calls.
ibmveth: Identify ingress large send packets.
ipv4: Restore flowi4_oif update before call to xfrm_lookup_route
mlx4: handle non-napi callers to napi_poll
net: fec: Fix phy_device lookup for phy_reset_after_clk_enable()
net: fec: Fix PHY init after phy_reset_after_clk_enable()
net: fix pos incrementment in ipv6_route_seq_next
net/smc: fix valid DMBE buffer sizes
net: usb: qmi_wwan: add Cellient MPL200 card
tipc: fix the skb_unshare() in tipc_buf_append()
net/ipv4: always honour route mtu during forwarding
r8169: fix data corruption issue on RTL8402
net/tls: sendfile fails with ktls offload
binder: fix UAF when releasing todo list
ALSA: bebob: potential info leak in hwdep_read()
chelsio/chtls: fix socket lock
chelsio/chtls: correct netdevice for vlan interface
chelsio/chtls: correct function return and return type
net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup
net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download()
tcp: fix to update snd_wl1 in bulk receiver fast path
r8169: fix operation under forced interrupt threading
icmp: randomize the global rate limiter
ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
cifs: remove bogus debug code
cifs: Return the error from crypt_message when enc/dec key not found.
KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
KVM: SVM: Initialize prev_ga_tag before use
ima: Don't ignore errors from crypto_shash_update()
crypto: algif_aead - Do not set MAY_BACKLOG on the async path
EDAC/i5100: Fix error handling order in i5100_init_one()
EDAC/ti: Fix handling of platform_get_irq() error
x86/fpu: Allow multiple bits in clearcpuid= parameter
drivers/perf: xgene_pmu: Fix uninitialized resource struct
x86/nmi: Fix nmi_handle() duration miscalculation
x86/events/amd/iommu: Fix sizeof mismatch
crypto: algif_skcipher - EBUSY on aio should be an error
crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
crypto: picoxcell - Fix potential race condition bug
media: tuner-simple: fix regression in simple_set_radio_freq
media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()"
media: m5mols: Check function pointer in m5mols_sensor_power
media: uvcvideo: Set media controller entity functions
media: uvcvideo: Silence shift-out-of-bounds warning
media: omap3isp: Fix memleak in isp_probe
crypto: omap-sham - fix digcnt register handling with export/import
hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61}
cypto: mediatek - fix leaks in mtk_desc_ring_alloc
media: mx2_emmaprp: Fix memleak in emmaprp_probe
media: tc358743: initialize variable
media: tc358743: cleanup tc358743_cec_isr
media: rcar-vin: Fix a reference count leak.
media: rockchip/rga: Fix a reference count leak.
media: platform: fcp: Fix a reference count leak.
media: camss: Fix a reference count leak.
media: s5p-mfc: Fix a reference count leak
media: stm32-dcmi: Fix a reference count leak
media: ti-vpe: Fix a missing check and reference count leak
regulator: resolve supply after creating regulator
pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB
spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath()
spi: spi-s3c64xx: Check return values
ath10k: provide survey info as accumulated data
Bluetooth: hci_uart: Cancel init work before unregistering
ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path
wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
ASoC: qcom: lpass-platform: fix memory leak
ASoC: qcom: lpass-cpu: fix concurrency issue
brcmfmac: check ndev pointer
mwifiex: Do not use GFP_KERNEL in atomic context
staging: rtl8192u: Do not use GFP_KERNEL in atomic context
drm/gma500: fix error check
scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba()
scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
backlight: sky81452-backlight: Fix refcount imbalance on error
VMCI: check return value of get_user_pages_fast() for errors
tty: serial: earlycon dependency
tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()
pty: do tty_flip_buffer_push without port->lock in pty_write
pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare()
pwm: lpss: Add range limit check for the base_unit register value
drivers/virt/fsl_hypervisor: Fix error handling path
video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error
video: fbdev: sis: fix null ptr dereference
video: fbdev: radeon: Fix memleak in radeonfb_pci_register
HID: roccat: add bounds checking in kone_sysfs_write_settings()
pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser
pinctrl: mcp23s08: Fix mcp23x17 precious range
net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow
net: stmmac: use netif_tx_start|stop_all_queues() function
cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE
net: dsa: rtl8366: Check validity of passed VLANs
net: dsa: rtl8366: Refactor VLAN/PVID init
net: dsa: rtl8366: Skip PVID setting if not requested
net: dsa: rtl8366rb: Support all 4096 VLANs
ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd()
misc: mic: scif: Fix error handling path
ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
usb: dwc2: Fix parameter type in function pointer prototype
quota: clear padding in v2r1_mem2diskdqb()
slimbus: core: check get_addr before removing laddr ida
slimbus: core: do not enter to clock pause mode in core
slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback
HID: hid-input: fix stylus battery reporting
qtnfmac: fix resource leaks on unsupported iftype error return path
net: enic: Cure the enic api locking trainwreck
mfd: sm501: Fix leaks in probe()
iwlwifi: mvm: split a print to avoid a WARNING in ROC
usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
nl80211: fix non-split wiphy information
usb: dwc2: Fix INTR OUT transfers in DDMA mode.
scsi: target: tcmu: Fix warning: 'page' may be used uninitialized
scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
platform/x86: mlx-platform: Remove PSU EEPROM configuration
mwifiex: fix double free
ipvs: clear skb->tstamp in forwarding path
net: korina: fix kfree of rx/tx descriptor array
netfilter: nf_log: missing vlan offload tag and proto
mm/memcg: fix device private memcg accounting
mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary
IB/mlx4: Fix starvation in paravirt mux/demux
IB/mlx4: Adjust delayed work when a dup is observed
powerpc/pseries: Fix missing of_node_put() in rng_init()
powerpc/icp-hv: Fix missing of_node_put() in success path
RDMA/ucma: Fix locking for ctx->events_reported
RDMA/ucma: Add missing locking around rdma_leave_multicast()
mtd: lpddr: fix excessive stack usage with clang
powerpc/pseries: explicitly reschedule during drmem_lmb list traversal
mtd: mtdoops: Don't write panic data twice
ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values
arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER
xfs: limit entries returned when counting fsmap records
xfs: fix high key handling in the rt allocator's query_range function
RDMA/qedr: Fix use of uninitialized field
RDMA/qedr: Fix inline size returned for iWARP
powerpc/tau: Use appropriate temperature sample interval
powerpc/tau: Convert from timer to workqueue
powerpc/tau: Remove duplicated set_thresholds() call
Linux 4.19.153
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9e85e8ca67ab8e28d04a77339f80fdbf3c568956
[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ]
Currently __set_oom_adj loops through all processes in the system to keep
oom_score_adj and oom_score_adj_min in sync between processes sharing
their mm. This is done for any task with more that one mm_users, which
includes processes with multiple threads (sharing mm and signals).
However for such processes the loop is unnecessary because their signal
structure is shared as well.
Android updates oom_score_adj whenever a tasks changes its role
(background/foreground/...) or binds to/unbinds from a service, making it
more/less important. Such operation can happen frequently. We noticed
that updates to oom_score_adj became more expensive and after further
investigation found out that the patch mentioned in "Fixes" introduced a
regression. Using Pixel 4 with a typical Android workload, write time to
oom_score_adj increased from ~3.57us to ~362us. Moreover this regression
linearly depends on the number of multi-threaded processes running on the
system.
Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with
(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use
MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj
update should be synchronized between multiple processes. To prevent
races between clone() and __set_oom_adj(), when oom_score_adj of the
process being cloned might be modified from userspace, we use
oom_adj_mutex. Its scope is changed to global.
The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for
the case of vfork(). To prevent performance regressions of vfork(), we
skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is
specified. Clearing the MMF_MULTIPROCESS flag (when the last process
sharing the mm exits) is left out of this patch to keep it simple and
because it is believed that this threading model is rare. Should there
ever be a need for optimizing that case as well, it can be done by hooking
into the exit path, likely following the mm_update_next_owner pattern.
With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being
quite rare, the regression is gone after the change is applied.
[surenb@google.com: v3]
Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com
Fixes: 44a70adec9 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj")
Reported-by: Tim Murray <timmurray@google.com>
Suggested-by: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: Christian Kellner <christian@kellner.me>
Cc: Adrian Reber <areber@redhat.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexey Gladkov <gladkov.alexey@gmail.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Bernd Edlinger <bernd.edlinger@hotmail.de>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Yafang Shao <laoar.shao@gmail.com>
Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com
Debugged-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ]
The code in mc_handle_swap_pte() checks for non_swap_entry() and returns
NULL before checking is_device_private_entry() so device private pages are
never handled. Fix this by checking for non_swap_entry() after handling
device private swap PTEs.
I assume the memory cgroup accounting would be off somehow when moving
a process to another memory cgroup. Currently, the device private page
is charged like a normal anonymous page when allocated and is uncharged
when the page is freed so I think that path is OK.
Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com
xFixes: c733a82874 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 4aab2be0983031a05cb4a19696c9da5749523426 upstream.
When memory is hotplug added or removed the min_free_kbytes should be
recalculated based on what is expected by khugepaged. Currently after
hotplug, min_free_kbytes will be set to a lower default and higher
default set when THP enabled is lost.
This change restores min_free_kbytes as expected for THP consumers.
[vijayb@linux.microsoft.com: v5]
Link: https://lkml.kernel.org/r/1601398153-5517-1-git-send-email-vijayb@linux.microsoft.com
Fixes: f000565adb ("thp: set recommended min free kbytes")
Signed-off-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Pavel Tatashin <pasha.tatashin@soleen.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Allen Pais <apais@microsoft.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/1600305709-2319-2-git-send-email-vijayb@linux.microsoft.com
Link: https://lkml.kernel.org/r/1600204258-13683-1-git-send-email-vijayb@linux.microsoft.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman
Ilya Lipnitskiy
Matthias Maennich
Linus Torvalds
Jens Axboe
Rokudo Yan
Li Xinhai
Mike Kravetz
Miaohe Lin
Theodore Ts'o
Hugh Dickins
Muchun Song
Roman Gushchin
Wang Hai
Lecopzer Chen
Jann Horn
Quentin Perret
Peter Collingbourne
Qian Cai
Yang Shi
Gerald Schaefer
Dongli Zhang
Qian Cai
Jan Kara
Shijie Luo
Daniel Vetter
Suren Baghdasaryan
Ralph Campbell
Vijay Balakrishna