13290 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
8c62f42548 |
This is the 4.19.185 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBtjk0ACgkQONu9yGCS aT67fA//b+kjELShGiGxLBK+dWFXnYn8tLJJ6G1Bq2WvBiMxSkbXgG5tCqJKAk0t yhva5Ljo7eAJ9GEQnv/UL3qnsrW4r6ThT3u0Ort2YxBi3pw2U8PyU7pRTFSnGj/C QxtGvXfh5DIsxOWppbUz5X8jWABTrYXmMEe7WCONVFTLWwHuhV4RRPycvis8wY4w 1NtGx5KVJR1EYANXHrhKsI4J9dCAXg+K9I6PyWkHDEzCgXrwdticMNOVYgZ5ByTN ofkmBX+j/AL2veXTV8sAOA/H9SQ0pJStzy99IoZQ/IzFAKqCuh+JhkMvnDQYhfx1 eDwTFG7Dl6pCbyCsb2iGXzJioTuk5LGXw7+uqVXO1YRUNpekl7x97rhn/q6PoEof OImU1+MOBPhVZVA0yYYQf6URCxh7F/s7MsbenmxZbIF9tstZC7HoezqzdFg4YF/I pKqlIBxSes+fJCZb1LiQI2KkaNtD0i/KJljGduCkPF4Axgb2/KEmePDyIeB8hr12 nT++9BIkIFM4d19IgtBnWrOIuALx15WeEQKXzbUxl9nt2peh7K6HvjcXJUOxJz2W qsdHnjGE1v6atKHD4DiDRAnliD9cJ41ImP3S8WHH1UxWNOMQ/dTlBAY7Z+XC/4eo 8+6gqAE8MHKvP62yd4zsuWXkhnUeryRtL8AGBvVxkTFa/mtaKAU= =rqGc -----END PGP SIGNATURE----- Merge 4.19.185 into android-4.19-stable Changes in 4.19.185 selinux: vsock: Set SID for socket returned by accept() tcp: relookup sock for RST+ACK packets handled by obsolete req sock ipv6: weaken the v4mapped source check ext4: fix bh ref count on error paths rpc: fix NULL dereference on kmalloc failure ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe ASoC: es8316: Simplify adc_pga_gain_tlv table ASoC: cs42l42: Fix Bitclock polarity inversion ASoC: cs42l42: Fix channel width support ASoC: cs42l42: Fix mixer volume control ASoC: cs42l42: Always wait at least 3ms after reset vhost: Fix vhost_vq_reset() scsi: st: Fix a use after free in st_open() scsi: qla2xxx: Fix broken #endif placement staging: comedi: cb_pcidas: fix request_irq() warn staging: comedi: cb_pcidas64: fix request_irq() warn ASoC: rt5659: Update MCLK rate in set_sysclk() thermal/core: Add NULL pointer check before using cooling device stats locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling ext4: do not iput inode under running transaction in ext4_rename() brcmfmac: clear EAP/association status bits on linkdown events ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() net: ethernet: aquantia: Handle error cleanup of start on open appletalk: Fix skb allocation size in loopback case net: wan/lmc: unregister device when no matching device is found bpf: Remove MTU check in __bpf_skb_max_len ALSA: usb-audio: Apply sample rate quirk to Logitech Connect ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook PM: runtime: Fix race getting/putting suppliers at probe PM: runtime: Fix ordering in pm_runtime_get_suppliers() tracing: Fix stack trace event size mm: fix race by making init_zero_pfn() early_initcall drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() drm/amdgpu: check alignment on CPU page for bo map reiserfs: update reiserfs_xattrs_initialized() condition pinctrl: rockchip: fix restore error in resume extcon: Add stubs for extcon_register_notifier_all() functions extcon: Fix error handling in extcon_dev_register firewire: nosy: Fix a use-after-free bug in nosy_ioctl() usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem usb: musb: Fix suspend with devices connected for a64 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI cdc-acm: fix BREAK rx code path adding necessary calls USB: cdc-acm: untangle a circular dependency between callback and softint USB: cdc-acm: downgrade message to debug USB: cdc-acm: fix double free on probe failure USB: cdc-acm: fix use-after-free after probe failure usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. staging: rtl8192e: Fix incorrect source in memcpy() staging: rtl8192e: Change state information from u16 to u8 drivers: video: fbcon: fix NULL dereference in fbcon_cursor() Linux 4.19.185 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I65f4fd7d1b60193895371093882ab33943d22e7c |
||
Ilya Lipnitskiy
|
7d1b3f635a |
mm: fix race by making init_zero_pfn() early_initcall
commit e720e7d0e983bf05de80b231bccc39f1487f0f16 upstream. There are code paths that rely on zero_pfn to be fully initialized before core_initcall. For example, wq_sysfs_init() is a core_initcall function that eventually results in a call to kernel_execve, which causes a page fault with a subsequent mmput. If zero_pfn is not initialized by then it may not get cleaned up properly and result in an error: BUG: Bad rss-counter state mm:(ptrval) type:MM_ANONPAGES val:1 Here is an analysis of the race as seen on a MIPS device. On this particular MT7621 device (Ubiquiti ER-X), zero_pfn is PFN 0 until initialized, at which point it becomes PFN 5120: 1. wq_sysfs_init calls into kobject_uevent_env at core_initcall: kobject_uevent_env+0x7e4/0x7ec kset_register+0x68/0x88 bus_register+0xdc/0x34c subsys_virtual_register+0x34/0x78 wq_sysfs_init+0x1c/0x4c do_one_initcall+0x50/0x1a8 kernel_init_freeable+0x230/0x2c8 kernel_init+0x10/0x100 ret_from_kernel_thread+0x14/0x1c 2. kobject_uevent_env() calls call_usermodehelper_exec() which executes kernel_execve asynchronously. 3. Memory allocations in kernel_execve cause a page fault, bumping the MM reference counter: add_mm_counter_fast+0xb4/0xc0 handle_mm_fault+0x6e4/0xea0 __get_user_pages.part.78+0x190/0x37c __get_user_pages_remote+0x128/0x360 get_arg_page+0x34/0xa0 copy_string_kernel+0x194/0x2a4 kernel_execve+0x11c/0x298 call_usermodehelper_exec_async+0x114/0x194 4. In case zero_pfn has not been initialized yet, zap_pte_range does not decrement the MM_ANONPAGES RSS counter and the BUG message is triggered shortly afterwards when __mmdrop checks the ref counters: __mmdrop+0x98/0x1d0 free_bprm+0x44/0x118 kernel_execve+0x160/0x1d8 call_usermodehelper_exec_async+0x114/0x194 ret_from_kernel_thread+0x14/0x1c To avoid races such as described above, initialize init_zero_pfn at early_initcall level. Depending on the architecture, ZERO_PAGE is either constant or gets initialized even earlier, at paging_init, so there is no issue with initializing zero_pfn earlier. Link: https://lkml.kernel.org/r/CALCv0x2YqOXEAy2Q=hafjhHCtTHVodChv1qpM=niAXOpqEbt7w@mail.gmail.com Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: Hugh Dickins <hughd@google.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: stable@vger.kernel.org Tested-by: 周琰杰 (Zhou Yanjie) <zhouyanjie@wanyeetech.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Matthias Maennich
|
9790f49ad8 |
ANDROID: Add OWNERS files referring to the respective android-mainline OWNERS
This was generated with $ build/synchronize_owners common-mainline/ android-mainline common-4.19-stable Bug: 184248201 Signed-off-by: Matthias Maennich <maennich@google.com> Change-Id: I5e56eb34fcbb5a2a013dd03bc9dcc4f159fb90de |
||
Greg Kroah-Hartman
|
04fd6558af |
This is the 4.19.181 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBSI8oACgkQONu9yGCS aT7NwhAAsXPkFGT0ZgUX0t3HZUL4RB1e9j8xD2qr4CTspGiK/cF2ykd1RXWtfaY2 o5uc7wRmBBVQV33vS7djyJJMI5NgO588r0TT2DrlzIskfl+aWvTxKggh4A+DPKsu QCRX5fOOd4EFYiKyLNtPxg5z6R8yg0Ejqgjzzvc03wYn8AL5SLWH8bgPb1FCNEfm 8YzYrRIu7rTUC3PrXPq81gWWHR77eojME7K9NUKSkUnh7mbdu6CVdrYb+wRvoAnf qwlhV5Mf0GWzf/z3v9TKgKSuMjmlcoQnZD72rYClEiLBIleN/VzWhfKK/E+ODidr WImeQGLJPfDDKiiU9tNypvmWdKjuqcNcVkIWAVzEkEIhaAOI8LPFWgc/iH0+9fWk o5s/hcs1FZ9dSbEHotR5ENUFmy85/XMl+wgkOmfUwvWufqsqkS3mYipbszJ9MMBH d7dYL4CTa/+KQ/uPbFJSnnxO9KgjLNO14IAiMY9lPshT8gkTy4eP2WtmsF6MyGEs Y/p2KP0Ga4ib1b9lkmeVq3MK5vqaHQnI9BF4tyHI6RFwH29phapKzbC/AYpA69fd Jn3y7uywt/f7++V1JUDiQ0QD6jV9/xgRbFBjSj59zjrD2xzZYLQ5kWoocNnUhq+g TH5zTlyeODZTA58Ut623T30Rw5YYXpJtnGZGuOKqVAyWQHBd7Ls= =wNgO -----END PGP SIGNATURE----- Merge 4.19.181 into android-4.19-stable Changes in 4.19.181 uapi: nfnetlink_cthelper.h: fix userspace compilation error ethernet: alx: fix order of calls on resume ath9k: fix transmitting to stations in dynamic SMPS mode net: Fix gro aggregation for udp encaps with zero csum net: Introduce parse_protocol header_ops callback can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership can: flexcan: assert FRZ bit in flexcan_chip_freeze() can: flexcan: enable RX FIFO after FRZ/HALT valid netfilter: x_tables: gpf inside xt_find_revision() mt76: dma: do not report truncated frames to mac80211 tcp: annotate tp->copied_seq lockless reads tcp: annotate tp->write_seq lockless reads tcp: add sanity tests to TCP_QUEUE_SEQ cifs: return proper error code in statfs(2) scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names Revert "mm, slub: consider rest of partial list if acquire_slab() fails" sh_eth: fix TRSCER mask for SH771x net: check if protocol extracted by virtio_net_hdr_set_proto is correct net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 net/mlx4_en: update moderation when config reset net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 net: sched: avoid duplicates in classes dump net: usb: qmi_wwan: allow qmimux add/del with master up cipso,calipso: resolve a number of problems with the DOI refcounts net: lapbether: Remove netif_start_queue / netif_stop_queue net: davicom: Fix regulator not turned off on failed probe net: davicom: Fix regulator not turned off on driver removal net: qrtr: fix error return code of qrtr_sendmsg() net: stmmac: stop each tx channel independently net: stmmac: fix watchdog timeout during suspend/resume stress test selftests: forwarding: Fix race condition in mirror installation perf traceevent: Ensure read cmdlines are null terminated. s390/cio: return -EFAULT if copy_to_user() fails again drm/compat: Clear bounce structures drm: meson_drv add shutdown function s390/cio: return -EFAULT if copy_to_user() fails sh_eth: fix TRSCER mask for R7S9210 media: usbtv: Fix deadlock on suspend media: v4l: vsp1: Fix uif null pointer access media: v4l: vsp1: Fix bru null pointer access net: phy: fix save wrong speed and duplex problem if autoneg is on i2c: rcar: optimize cacheline to minimize HW race condition udf: fix silent AED tagLocation corruption mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' mmc: mediatek: fix race condition between msdc_request_timeout and irq powerpc/pci: Add ppc_md.discover_phbs() powerpc: improve handling of unrecoverable system reset powerpc/perf: Record counter overflow always if SAMPLE_IP is unset sparc32: Limit memblock allocation to low memory sparc64: Use arch_validate_flags() to validate ADI flag PCI: xgene-msi: Fix race in installing chained irq handler PCI: mediatek: Add missing of_node_put() to fix reference leak PCI: Fix pci_register_io_range() memory leak i40e: Fix memory leak in i40e_probe s390/smp: __smp_rescan_cpus() - move cpumask away from stack scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling scsi: target: core: Add cmd length set before cmd complete scsi: target: core: Prevent underflow for service actions ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk ALSA: hda/hdmi: Cancel pending works before suspend ALSA: hda: Drop the BATCH workaround for AMD controllers ALSA: hda: Avoid spurious unsol event handling during S3/S4 ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar ALSA: usb-audio: Apply the control quirk to Plantronics headsets Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") s390/dasd: fix hanging DASD driver unbind s390/dasd: fix hanging IO request during DASD driver unbind mmc: core: Fix partition switch time for eMMC mmc: cqhci: Fix random crash when remove mmc module/card Goodix Fingerprint device is not a modem USB: gadget: u_ether: Fix a configfs return code usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot usb: gadget: f_uac1: stop playback on function disable usb: dwc3: qcom: Honor wakeup enabled/disabled state USB: usblp: fix a hang in poll() if disconnected usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM xhci: Improve detection of device initiated wake signal. usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing USB: serial: io_edgeport: fix memory leak in edge_startup USB: serial: ch341: add new Product ID USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter USB: serial: cp210x: add some more GE USB IDs usbip: fix stub_dev to check for stream socket usbip: fix vhci_hcd to check for stream socket usbip: fix vudc to check for stream socket usbip: fix stub_dev usbip_sockfd_store() races leading to gpf usbip: fix vhci_hcd attach_store() races leading to gpf usbip: fix vudc usbip_sockfd_store races leading to gpf staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() staging: rtl8712: unterminated string leads to read overflow staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan staging: comedi: addi_apci_1032: Fix endian problem for COS sample staging: comedi: addi_apci_1500: Fix endian problem for command sample staging: comedi: adv_pci1710: Fix endian problem for AI command data staging: comedi: das6402: Fix endian problem for AI command data staging: comedi: das800: Fix endian problem for AI command data staging: comedi: dmm32at: Fix endian problem for AI command data staging: comedi: me4000: Fix endian problem for AI command data staging: comedi: pcl711: Fix endian problem for AI command data staging: comedi: pcl818: Fix endian problem for AI command data sh_eth: fix TRSCER mask for R7S72100 NFSv4.2: fix return value of _nfs4_get_security_label() block: rsxx: fix error return code of rsxx_pci_probe() configfs: fix a use-after-free in __configfs_open_file hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() stop_machine: mark helpers __always_inline include/linux/sched/mm.h: use rcu_dereference in in_vfork() powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() binfmt_misc: fix possible deadlock in bm_register_write x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2 hwmon: (lm90) Fix max6658 sporadic wrong temperature reading KVM: arm64: Fix exclusive limit for IPA size xen/events: reset affinity of 2-level event when tearing it down xen/events: don't unmask an event channel when an eoi is pending xen/events: avoid handling the same event on two cpus at the same time Linux 4.19.181 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia622d8e9146f5ff0e1542780a39f83a7b6fed8d1 |
||
Linus Torvalds
|
c6afb0eeed |
Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
commit 9b1ea29bc0d7b94d420f96a0f4121403efc3dd85 upstream.
This reverts commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf.
The kernel test robot reports a huge performance regression due to the
commit, and the reason seems fairly straightforward: when there is
contention on the page list (which is what causes acquire_slab() to
fail), we do _not_ want to just loop and try again, because that will
transfer the contention to the 'n->list_lock' spinlock we hold, and
just make things even worse.
This is admittedly likely a problem only on big machines - the kernel
test robot report comes from a 96-thread dual socket Intel Xeon Gold
6252 setup, but the regression there really is quite noticeable:
-47.9% regression of stress-ng.rawpkt.ops_per_sec
and the commit that was marked as being fixed (
|
||
Greg Kroah-Hartman
|
4266b7dc92 |
This is the 4.19.179 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBEtr4ACgkQONu9yGCS aT4XKBAAsMHn1gRHESusKj1zToyBDJL5fQW6nWbUuwZKh+q7KLPF45dWgRbTShKl 5HAEN+wTGTx0MkQ1yMs6zr49Ck0z63WRQ5rk48dznPDlJMMWu5oK+hpHU5n/z82v /y6n2+d2xzpxWIVQYFC6pryjbeNJ2NcnAyrIimput86MK7vz1GZWsjAq+SP92kaZ xzK4mUlZg6gLr+IMuuNnkHxbmWku32Ucw1qQ24/dAv7OF+BzfaoD2SpKp3yac6jM OOZgEnlO+kB8m0G+iYM+yslpvxrs8jlLlJKGdf3fQA5Q9JKNNaNmZezjp3FWYXBR u+t4JDOjjyBt7/s83AJ8+zGLxniQBLmF1BRgbxcFCIv/AN2DeSIFA4xaK6xLGzKL rDm4PMhVWjCMN5heB644OOT0tx0k/h2Y/hO8gMRoMcycFhoRp10a0Vw2bQRKBVak k3iXRIUv9Ypkpe5zLIN+icnt8ztgo2IJ3MR2VyMpENiBnRfLvAammwCXRC9pB/nR 225uMlCzwYAJfnVJ40FUbw/jTqyB9XhmAl3l2alYS6eiEVNmp9c4Vv4B6f2Uylk1 oYdF+ABtFlWZSsbB7vqIJW8Wrew/FPkJrQnTW8hVhkV46Ry4FRiN2y/+1B6WrZ9j 1UvSEwyYVITSB0wWsZRTrwxXjAivY57yCknCR7uHkJHTsXgPkyw= =7KpC -----END PGP SIGNATURE----- Merge 4.19.179 into android-4.19-stable Changes in 4.19.179 net: usb: qmi_wwan: support ZTE P685M modem hugetlb: fix update_and_free_page contig page struct assumption drm/virtio: use kvmalloc for large allocations virtio/s390: implement virtio-ccw revision 2 correctly arm64 module: set plt* section addresses to 0x0 arm64: Avoid redundant type conversions in xchg() and cmpxchg() arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint arm64: Use correct ll/sc atomic constraints MIPS: VDSO: Use CLANG_FLAGS instead of filtering out '--target=' JFS: more checks for invalid superblock udlfb: Fix memory leak in dlfb_usb_probe media: mceusb: sanity check for prescaler value xfs: Fix assert failure in xfs_setattr_size() smackfs: restrict bytes count in smackfs write functions net: fix up truesize of cloned skb in skb_prepare_for_shift() mm/hugetlb.c: fix unnecessary address expansion of pmd sharing net: bridge: use switchdev for port flags set through sysfs too dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/ rsi: Fix TX EAPOL packet handling against iwlwifi AP rsi: Move card interrupt handling to RX thread staging: fwserial: Fix error handling in fwserial_create x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk vt/consolemap: do font sum unsigned wlcore: Fix command execute failure 19 for wl12xx Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() ath10k: fix wmi mgmt tx queue full due to race condition x86/build: Treat R_386_PLT32 relocation as R_386_PC32 Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data staging: most: sound: add sanity check for function argument crypto: tcrypt - avoid signed overflow in byte count PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails media: uvcvideo: Allow entities with no pads f2fs: handle unallocated section and zone on pinned/atgc f2fs: fix to set/clear I_LINKABLE under i_lock btrfs: fix error handling in commit_fs_roots parisc: Bump 64-bit IRQ stack size to 64 KB ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet scsi: iscsi: Restrict sessions and handles to admin capabilities sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE scsi: iscsi: Verify lengths on passthrough PDUs Xen/gnttab: handle p2m update errors on a per-slot basis xen-netback: respect gnttab_map_refs()'s return value zsmalloc: account the number of compacted pages correctly swap: fix swapfile read/write offset media: v4l: ioctl: Fix memory leak in video_usercopy ALSA: hda/realtek: Add quirk for Clevo NH55RZQ ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board Linux 4.19.179 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3a22f45d69254beca09db0f33bc3cab3a0cadf80 |
||
Jens Axboe
|
6ceea9a764 |
swap: fix swapfile read/write offset
commit caf6912f3f4af7232340d500a4a2008f81b93f14 upstream.
We're not factoring in the start of the file for where to write and
read the swapfile, which leads to very unfortunate side effects of
writing where we should not be...
[This issue only affects swapfiles on filesystems on top of blockdevs
that implement rw_page ops (brd, zram, btt, pmem), and not on top of any
other block devices, in contrast to the upstream commit fix.]
Fixes:
|
||
Rokudo Yan
|
638c954653 |
zsmalloc: account the number of compacted pages correctly
commit 2395928158059b8f9858365fce7713ce7fef62e4 upstream.
There exists multiple path may do zram compaction concurrently.
1. auto-compaction triggered during memory reclaim
2. userspace utils write zram<id>/compaction node
So, multiple threads may call zs_shrinker_scan/zs_compact concurrently.
But pages_compacted is a per zsmalloc pool variable and modification
of the variable is not serialized(through under class->lock).
There are two issues here:
1. the pages_compacted may not equal to total number of pages
freed(due to concurrently add).
2. zs_shrinker_scan may not return the correct number of pages
freed(issued by current shrinker).
The fix is simple:
1. account the number of pages freed in zs_compact locally.
2. use actomic variable pages_compacted to accumulate total number.
Link: https://lkml.kernel.org/r/20210202122235.26885-1-wu-yan@tcl.com
Fixes:
|
||
Li Xinhai
|
66a013879c |
mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
commit a1ba9da8f0f9a37d900ff7eff66482cf7de8015e upstream. The current code would unnecessarily expand the address range. Consider one example, (start, end) = (1G-2M, 3G+2M), and (vm_start, vm_end) = (1G-4M, 3G+4M), the expected adjustment should be keep (1G-2M, 3G+2M) without expand. But the current result will be (1G-4M, 3G+4M). Actually, the range (1G-4M, 1G) and (3G, 3G+4M) would never been involved in pmd sharing. After this patch, we will check that the vma span at least one PUD aligned size and the start,end range overlap the aligned range of vma. With above example, the aligned vma range is (1G, 3G), so if (start, end) range is within (1G-4M, 1G), or within (3G, 3G+4M), then no adjustment to both start and end. Otherwise, we will have chance to adjust start downwards or end upwards without exceeding (vm_start, vm_end). Mike: : The 'adjusted range' is used for calls to mmu notifiers and cache(tlb) : flushing. Since the current code unnecessarily expands the range in some : cases, more entries than necessary would be flushed. This would/could : result in performance degradation. However, this is highly dependent on : the user runtime. Is there a combination of vma layout and calls to : actually hit this issue? If the issue is hit, will those entries : unnecessarily flushed be used again and need to be unnecessarily reloaded? Link: https://lkml.kernel.org/r/20210104081631.2921415-1-lixinhai.lxh@gmail.com Fixes: 75802ca66354 ("mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible") Signed-off-by: Li Xinhai <lixinhai.lxh@gmail.com> Suggested-by: Mike Kravetz <mike.kravetz@oracle.com> Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com> Cc: Peter Xu <peterx@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Mike Kravetz
|
08831f662b |
hugetlb: fix update_and_free_page contig page struct assumption
commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream.
page structs are not guaranteed to be contiguous for gigantic pages. The
routine update_and_free_page can encounter a gigantic page, yet it assumes
page structs are contiguous when setting page flags in subpages.
If update_and_free_page encounters non-contiguous page structs, we can see
“BUG: Bad page state in process …” errors.
Non-contiguous page structs are generally not an issue. However, they can
exist with a specific kernel configuration and hotplug operations. For
example: Configure the kernel with CONFIG_SPARSEMEM and
!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
the gigantic page will be allocated. Zi Yan outlined steps to reproduce
here [1].
[1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/
Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com
Fixes:
|
||
Greg Kroah-Hartman
|
6455a150fa |
Merge 4.19.178 into android-4.19-stable
Changes in 4.19.178 HID: make arrays usage and value to be the same USB: quirks: sort quirk entries usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable ntfs: check for valid standard information attribute arm64: tegra: Add power-domain for Tegra210 HDA scripts: use pkg-config to locate libcrypto scripts: set proper OpenSSL include dir also for sign-file block: add helper for checking if queue is registered block: split .sysfs_lock into two locks block: fix race between switching elevator and removing queues block: don't release queue's sysfs lock during switching elevator NET: usb: qmi_wwan: Adding support for Cinterion MV31 cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath. scripts/recordmcount.pl: support big endian for ARCH sh jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations locking/static_key: Fix false positive warnings on concurrent dec/inc vmlinux.lds.h: add DWARF v5 sections kdb: Make memory allocations more robust PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 bfq: Avoid false bfq queue merging ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section random: fix the RNDRESEEDCRNG ioctl ath10k: Fix error handling in case of CE pipe init failure Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function Bluetooth: Fix initializing response id after clearing struct ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 ARM: dts: exynos: correct PMIC interrupt trigger level on Monk ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato ARM: dts: exynos: correct PMIC interrupt trigger level on Spring ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args arm64: dts: allwinner: A64: properly connect USB PHY to port 0 arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz cpufreq: brcmstb-avs-cpufreq: Free resources in error path cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() ACPICA: Fix exception code class checks usb: gadget: u_audio: Free requests only after callback Bluetooth: drop HCI device reference before return Bluetooth: Put HCI device if inquiry procedure interrupts memory: ti-aemif: Drop child node when jumping out loop ARM: dts: Configure missing thermal interrupt for 4430 usb: dwc2: Do not update data length if it is 0 on inbound transfers usb: dwc2: Abort transaction after errors with unknown reason usb: dwc2: Make "trimming xfer length" a debug message staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules ARM: dts: armada388-helios4: assign pinctrl to LEDs ARM: dts: armada388-helios4: assign pinctrl to each fan arm64: dts: msm8916: Fix reserved and rfsa nodes unit address ARM: s3c: fix fiq for clang IAS soc: aspeed: snoop: Add clock control logic bpf_lru_list: Read double-checked variable once without lock ath9k: fix data bus crash when setting nf_override via debugfs ibmvnic: Set to CLOSED state even on error bnxt_en: reverse order of TX disable and carrier off xen/netback: fix spurious event detection for common event case mac80211: fix potential overflow when multiplying to u32 integers bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx tcp: fix SO_RCVLOWAT related hangs under mem pressure cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds b43: N-PHY: Fix the update of coef for the PHY revision >= 3case ibmvnic: add memory barrier to protect long term buffer ibmvnic: skip send_request_unmap for timeout reset net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning net: amd-xgbe: Reset link when the link never comes back net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP net: mvneta: Remove per-cpu queue mapping for Armada 3700 fbdev: aty: SPARC64 requires FB_ATY_CT drm/gma500: Fix error return code in psb_driver_load() gma500: clean up error handling in init crypto: sun4i-ss - fix kmap usage drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition MIPS: c-r4k: Fix section mismatch for loongson2_sc_init MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 media: i2c: ov5670: Fix PIXEL_RATE minimum value media: camss: missing error code in msm_video_register() media: vsp1: Fix an error handling path in the probe function media: em28xx: Fix use-after-free in em28xx_alloc_urbs media: media/pci: Fix memleak in empress_init media: tm6000: Fix memleak in tm6000_start_stream ASoC: cs42l56: fix up error handling in probe crypto: bcm - Rename struct device_private to bcm_device_private drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction. media: lmedm04: Fix misuse of comma media: qm1d1c0042: fix error return code in qm1d1c0042_init() media: cx25821: Fix a bug when reallocating some dma memory media: pxa_camera: declare variable when DEBUG is defined media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) ata: ahci_brcm: Add back regulators management ASoC: cpcap: fix microphone timeslot mask f2fs: fix to avoid inconsistent quota data drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() btrfs: clarify error returns values in __load_free_space_cache hwrng: timeriomem - Fix cooldown period calculation crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() ima: Free IMA measurement buffer on error ima: Free IMA measurement buffer after kexec syscall fs/jfs: fix potential integer overflow on shift of a int jffs2: fix use after free in jffs2_sum_write_data() capabilities: Don't allow writing ambiguous v3 file capabilities clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL quota: Fix memory leak when handling corrupted quota file spi: cadence-quadspi: Abort read if dummy cycles required are too many clk: sunxi-ng: h6: Fix CEC clock HID: core: detect and skip invalid inputs to snto32() dmaengine: fsldma: Fix a resource leak in the remove function dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function dmaengine: owl-dma: Fix a resource leak in the remove function dmaengine: hsu: disable spurious interrupt mfd: bd9571mwv: Use devm_mfd_add_devices() fdt: Properly handle "no-map" field in the memory region of/fdt: Make sure no-map does not remove already reserved regions power: reset: at91-sama5d2_shdwc: fix wkupdbc mask rtc: s5m: select REGMAP_I2C clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation clk: sunxi-ng: h6: Fix clock divider range on some clocks regulator: axp20x: Fix reference cout leak certs: Fix blacklist flag type confusion spi: atmel: Put allocated master before return regulator: s5m8767: Drop regulators OF node reference isofs: release buffer head before return auxdisplay: ht16k33: Fix refresh rate handling IB/umad: Return EIO in case of when device disassociated IB/umad: Return EPOLLERR in case of when device disassociated KVM: PPC: Make the VMX instruction emulation routines static powerpc/47x: Disable 256k page size mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores amba: Fix resource leak for drivers without .remove tracepoint: Do not fail unregistering a probe due to memory failure perf tools: Fix DSO filtering when not finding a map for a sampled address RDMA/rxe: Fix coding error in rxe_recv.c RDMA/rxe: Correct skb on loopback path spi: stm32: properly handle 0 byte transfer mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() powerpc/pseries/dlpar: handle ibm, configure-connector delay status powerpc/8xx: Fix software emulation interrupt clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs spi: pxa2xx: Fix the controller numbering for Wildcat Point Input: sur40 - fix an error code in sur40_probe() perf intel-pt: Fix missing CYC processing in PSB perf test: Fix unaligned access in sample parsing test Input: elo - fix an error code in elo_connect() sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set misc: eeprom_93xx46: Fix module alias to enable module autoprobe misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() VMCI: Use set_page_dirty_lock() when unregistering guest memory PCI: Align checking of syscall user config accessors drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) ext4: fix potential htree index checksum corruption regmap: sdw: use _no_pm functions in regmap_read/write i40e: Fix flow for IPv6 next header (extension header) i40e: Add zero-initialization of AQ command structures i40e: Fix overwriting flow control settings during driver loading i40e: Fix VFs not created i40e: Fix add TC filter for IPv6 net/mlx4_core: Add missed mlx4_free_cmd_mailbox() vxlan: move debug check after netdev unregister ocfs2: fix a use after free on error mm/memory.c: fix potential pte_unmap_unlock pte error mm/hugetlb: fix potential double free in hugetlb_register_node() error path r8169: fix jumbo packet handling on RTL8168e arm64: Add missing ISB after invalidating TLB in __primary_switch i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition mm/rmap: fix potential pte_unmap on an not mapped pte scsi: bnx2fc: Fix Kconfig warning & CNIC build errors blk-settings: align max_sectors on "logical_block_size" boundary ACPI: property: Fix fwnode string properties matching ACPI: configfs: add missing check after configfs_register_default_group() HID: wacom: Ignore attempts to overwrite the touch_max value from HID Input: raydium_ts_i2c - do not send zero length Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S Input: joydev - prevent potential read overflow in ioctl Input: i8042 - add ASUS Zenbook Flip to noselftest list USB: serial: option: update interface mapping for ZTE P685M usb: musb: Fix runtime PM race in musb_queue_resume_work usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt USB: serial: ftdi_sio: fix FTX sub-integer prescaler USB: serial: mos7840: fix error code in mos7840_write() USB: serial: mos7720: fix error code in mos7720_write() ALSA: hda/realtek: modify EAPD in the ALC886 tpm_tis: Fix check_locality for correct locality acquisition tpm_tis: Clean up locality release KEYS: trusted: Fix migratable=1 failing btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root btrfs: fix reloc root leak with 0 ref reloc roots on recovery btrfs: fix extent buffer leak on failure to copy root crypto: arm64/sha - add missing module aliases crypto: sun4i-ss - checking sg length is not sufficient crypto: sun4i-ss - handle BigEndian for cipher seccomp: Add missing return in non-void function misc: rtsx: init of rts522a add OCP power off when no card is present drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue pstore: Fix typo in compression option name dts64: mt7622: fix slow sd card access staging/mt7621-dma: mtk-hsdma.c->hsdma-mt7621.c staging: gdm724x: Fix DMA from stack staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() x86/reboot: Force all cpus to exit VMX root if VMX is supported floppy: reintroduce O_NDELAY fix arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing watchdog: mei_wdt: request stop on unregister mtd: spi-nor: hisi-sfc: Put child node np on error path fs/affs: release old buffer head on error path seq_file: document how per-entry resources are managed. x86: fix seq_file iteration for pat/memtype.c hugetlb: fix copy_huge_page_from_user contig page struct assumption libnvdimm/dimm: Avoid race between probe and available_slots_show() arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols mmc: sdhci-esdhc-imx: fix kernel panic when remove module gpio: pcf857x: Fix missing first interrupt printk: fix deadlock when kernel panic cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available f2fs: fix out-of-repair __setattr_copy() sparc32: fix a user-triggerable oops in clear_user() gfs2: Don't skip dlm unlock if glock has an lvb dm: fix deadlock when swapping to encrypted device dm era: Recover committed writeset after crash dm era: Verify the data block size hasn't changed dm era: Fix bitset memory leaks dm era: Use correct value size in equality function of writeset tree dm era: Reinitialize bitset cache before digesting a new writeset dm era: only resize metadata in preresume icmp: introduce helper for nat'd source address in network device context icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n gtp: use icmp_ndo_send helper sunvnet: use icmp_ndo_send helper xfrm: interface: use icmp_ndo_send helper ipv6: icmp6: avoid indirect call for icmpv6_send() ipv6: silence compilation warning for non-IPV6 builds net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending dm era: Update in-core bitset after committing the metadata net: qrtr: Fix memory leak in qrtr_tun_open ARM: dts: aspeed: Add LCLK to lpc-snoop Linux 4.19.178 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8c07c10dd29a1233f238b533622d7b32bd22bdb0 |
||
Mike Kravetz
|
669e2d7db2 |
hugetlb: fix copy_huge_page_from_user contig page struct assumption
commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream.
page structs are not guaranteed to be contiguous for gigantic pages. The
routine copy_huge_page_from_user can encounter gigantic pages, yet it
assumes page structs are contiguous when copying pages from user space.
Since page structs for the target gigantic page are not contiguous, the
data copied from user space could overwrite other pages not associated
with the gigantic page and cause data corruption.
Non-contiguous page structs are generally not an issue. However, they can
exist with a specific kernel configuration and hotplug operations. For
example: Configure the kernel with CONFIG_SPARSEMEM and
!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
the gigantic page will be allocated.
Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com
Fixes:
|
||
Miaohe Lin
|
2d0324108f |
mm/hugetlb: fix potential double free in hugetlb_register_node() error path
[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ]
In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs
when failed to create sysfs group but forget to set hstate_kobjs to NULL.
Then in hugetlb_register_node() error path, we may free it again via
hugetlb_unregister_node().
Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com
Fixes:
|
||
Miaohe Lin
|
39e913ee4c |
mm/memory.c: fix potential pte_unmap_unlock pte error
[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ] Since commit |
||
Greg Kroah-Hartman
|
98d8ec1f71 |
This is the 4.19.176 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAny3gACgkQONu9yGCS aT4MmQ/9E2NZRb+tAheddFN7G5CsWTtPPLN+pqYJoYPQPyVUH4P9CcxaY/RyWHbs vE+LaHEsMtDvrYY/zEBxBfb1xY6zevNK1it4JEzxYEbl8L2obNATbyNfY8jFjaUP fb2ozowi+cUOUJNiFDjaMW0D19sV26QdMnCgBGWE5KMcQAsJZhwfJyXFdDH94CKc Eyb8zTYa4vJw/VCjI3TmidsDa4Ni05PuQpJ4kxXkfQtAZVk/zAA1d06JKJBN2Wkg EP9wg2WT0ydoqchkmO8rxkLp83Mjb+czwPnHD+sxNKU4A5cwd+kxkkSgRauOJgIF ZZzRpCCfQIfFhR67XzP7CcovaddLBiV3CT2JM3Y1Qba3yJQYik2OkZagtTqPQTys Z3UyY77aoqT0N7QSnZ3Y9oZqvSbvGy1n42SrCXRf12xcvZv1qsTk3oHh6IFCefcj I9au5NNbg8YI0JeciqM8RnbRCgwbhBMOjBQt4RB/pVp+xMDEKjEYznTB9DZGpxtz M8nBYZk1+rWK9wvcmFSYqF1I31sD+0NtDCRlTHia1YQM0r1Th4rO1sNJwl3CFTIZ TD1bqzsWs1pyMPtBsTPj9jXAFemamBtVCC5WsG2Dv1BvY+wSc2zweRk6j7uLOc5t wpq6AOM++Hz6l1hnC5gP92+cUMq0plhkBRkDpOJbRlmVuZxg8lM= =+d6M -----END PGP SIGNATURE----- Merge 4.19.176 into android-4.19-stable Changes in 4.19.176 tracing/kprobe: Fix to support kretprobe events on unloaded modules block: fix NULL pointer dereference in register_disk fgraph: Initialize tracing_graph_pause at task creation remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load af_key: relax availability checks for skb size calculation regulator: core: avoid regulator_resolve_supply() race condition chtls: Fix potential resource leak pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process() iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap iwlwifi: pcie: fix context info memory leak iwlwifi: mvm: guard against device removal in reprobe SUNRPC: Move simple_get_bytes and simple_get_netobj into private header SUNRPC: Handle 0 length opaque XDR object data properly lib/string: Add strscpy_pad() function include/trace/events/writeback.h: fix -Wstringop-truncation warnings memcg: fix a crash in wb_workfn when a device disappears Fix unsynchronized access to sev members through svm_register_enc_region block: don't hold q->sysfs_lock in elevator_init_mq blk-mq: don't hold q->sysfs_lock in blk_mq_map_swqueue squashfs: add more sanity checks in id lookup squashfs: add more sanity checks in inode lookup squashfs: add more sanity checks in xattr id lookup regulator: core: enable power when setting up constraints regulator: core: Clean enabling always-on regulators + their supplies regulator: Fix lockdep warning resolving supplies Linux 4.19.176 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I33c221717e4e5c3213a7a21a648933a013bb2753 |
||
Theodore Ts'o
|
050462f040 |
memcg: fix a crash in wb_workfn when a device disappears
[ Upstream commit 68f23b89067fdf187763e75a56087550624fdbee ] Without memcg, there is a one-to-one mapping between the bdi and bdi_writeback structures. In this world, things are fairly straightforward; the first thing bdi_unregister() does is to shutdown the bdi_writeback structure (or wb), and part of that writeback ensures that no other work queued against the wb, and that the wb is fully drained. With memcg, however, there is a one-to-many relationship between the bdi and bdi_writeback structures; that is, there are multiple wb objects which can all point to a single bdi. There is a refcount which prevents the bdi object from being released (and hence, unregistered). So in theory, the bdi_unregister() *should* only get called once its refcount goes to zero (bdi_put will drop the refcount, and when it is zero, release_bdi gets called, which calls bdi_unregister). Unfortunately, del_gendisk() in block/gen_hd.c never got the memo about the Brave New memcg World, and calls bdi_unregister directly. It does this without informing the file system, or the memcg code, or anything else. This causes the root wb associated with the bdi to be unregistered, but none of the memcg-specific wb's are shutdown. So when one of these wb's are woken up to do delayed work, they try to dereference their wb->bdi->dev to fetch the device name, but unfortunately bdi->dev is now NULL, thanks to the bdi_unregister() called by del_gendisk(). As a result, *boom*. Fortunately, it looks like the rest of the writeback path is perfectly happy with bdi->dev and bdi->owner being NULL, so the simplest fix is to create a bdi_dev_name() function which can handle bdi->dev being NULL. This also allows us to bulletproof the writeback tracepoints to prevent them from dereferencing a NULL pointer and crashing the kernel if one is tracing with memcg's enabled, and an iSCSI device dies or a USB storage stick is pulled. The most common way of triggering this will be hotremoval of a device while writeback with memcg enabled is going on. It was triggering several times a day in a heavily loaded production environment. Google Bug Id: 145475544 Link: https://lore.kernel.org/r/20191227194829.150110-1-tytso@mit.edu Link: http://lkml.kernel.org/r/20191228005211.163952-1-tytso@mit.edu Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: Chris Mason <clm@fb.com> Cc: Tejun Heo <tj@kernel.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
19d4991aa6 |
This is the 4.19.175 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAjmCsACgkQONu9yGCS aT6zjw//T/sN/vtlHmZZUD/iUcbYHUJiM82izt8yu6SsgcjiUkjwXKH373zX0EsN O7iQIWXMWxXCWc73esvJ1L8uOLmYto3fJq4bb+emsd8R6M/NQuQqSX7fvvlnpLo/ wkTkctk1l+EyVjk67M2izCK35Zz2rVvLHGYXYMj+bJZxxCrnhG06pXcV+0udX53j Nl0ejBoYLhKZW3wyfkLbORQToFATM1IxSaBqUESQj1Wkie989c4ARcJ1mUuOOW6T XMhdxazbV5I4kQzcBWmhVbGX5hv28FIeeugu2aW4bxX4up8zcq+S0Z1I5c0Q0MWL 1AI+4HDS+9/USXuQc4kqgqF893Y25hXwk3tck7boRu0OznLC3j9RTXMrDVl08ZOv 3Y9fkyEoRwwbsik5+8Sf3H0OamNaL6qcWYbJczlz50BltaVH2k960itCGlnfnJjT 9FZQMmWzx3JnZbDHD6iCYuVCnPdZn2AUK5ZwF5kjME7CcJVDWGH23uFpTw5MDXMO 1arKj615PPTKzZ+gODM4Q0H2+ek3uclKpNqDNlR4sZgRxcr+bimw7tke3Pv4L+4p iU5W9o9TBXqoeNwKCO37eoRHySpU/mJ8OslHTrf/YzXH/q9uHNnVo9sM9/SEyqr1 94OrfbKTE8InON0/jgu482i7SHODdNUoD4wDXyZDQ1jb5J/+H3k= =uSwA -----END PGP SIGNATURE----- Merge 4.19.175 into android-4.19-stable Changes in 4.19.175 USB: serial: cp210x: add pid/vid for WSDA-200-USB USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 USB: serial: option: Adding support for Cinterion MV31 elfcore: fix building with clang Input: i8042 - unbreak Pegatron C15B rxrpc: Fix deadlock around release of dst cached on udp tunnel arm64: dts: ls1046a: fix dcfg address range net: lapb: Copy the skb before sending a packet net: mvpp2: TCAM entry enable should be written after SRAM data memblock: do not start bottom-up allocations with kernel_end USB: gadget: legacy: fix an error code in eth_bind() USB: usblp: don't call usb_set_interface if there's a single alt usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() usb: dwc2: Fix endpoint direction check in ep_from_windex usb: dwc3: fix clock issue during resume in OTG mode ovl: fix dentry leak in ovl_get_redirect mac80211: fix station rate table updates on assoc kretprobe: Avoid re-registration of the same kretprobe earlier genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set xhci: fix bounce buffer usage for non-sg list case cifs: report error instead of invalid when revalidating a dentry fails smb3: Fix out-of-bounds bug in SMB2_negotiate() mmc: core: Limit retries when analyse of SDIO tuples fails nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs KVM: SVM: Treat SVM as unsupported when running as an SEV guest ARM: footbridge: fix dc21285 PCI configuration accessors mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page mm: hugetlb: fix a race between freeing and dissolving the page mm: hugetlb: fix a race between isolating and freeing page mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active mm: thp: fix MADV_REMOVE deadlock on shmem THP x86/build: Disable CET instrumentation in the kernel x86/apic: Add extra serialization for non-serializing MSRs Input: xpad - sync supported devices with fork on GitHub iommu/vt-d: Do not use flush-queue when caching-mode is on md: Set prev_flush_start and flush_bio in an atomic way net: ip_tunnel: fix mtu calculation net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add Linux 4.19.175 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iac6d5c4ad079946ef1c032791e8e583b9264917b |
||
Hugh Dickins
|
081438440a |
mm: thp: fix MADV_REMOVE deadlock on shmem THP
commit 1c2f67308af4c102b4e1e6cd6f69819ae59408e0 upstream. Sergey reported deadlock between kswapd correctly doing its usual lock_page(page) followed by down_read(page->mapping->i_mmap_rwsem), and madvise(MADV_REMOVE) on an madvise(MADV_HUGEPAGE) area doing down_write(page->mapping->i_mmap_rwsem) followed by lock_page(page). This happened when shmem_fallocate(punch hole)'s unmap_mapping_range() reaches zap_pmd_range()'s call to __split_huge_pmd(). The same deadlock could occur when partially truncating a mapped huge tmpfs file, or using fallocate(FALLOC_FL_PUNCH_HOLE) on it. __split_huge_pmd()'s page lock was added in 5.8, to make sure that any concurrent use of reuse_swap_page() (holding page lock) could not catch the anon THP's mapcounts and swapcounts while they were being split. Fortunately, reuse_swap_page() is never applied to a shmem or file THP (not even by khugepaged, which checks PageSwapCache before calling), and anonymous THPs are never created in shmem or file areas: so that __split_huge_pmd()'s page lock can only be necessary for anonymous THPs, on which there is no risk of deadlock with i_mmap_rwsem. Link: https://lkml.kernel.org/r/alpine.LSU.2.11.2101161409470.2022@eggly.anvils Fixes: c444eb564fb1 ("mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()") Signed-off-by: Hugh Dickins <hughd@google.com> Reported-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com> Reviewed-by: Andrea Arcangeli <aarcange@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Muchun Song
|
6bf5461ae9 |
mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
commit ecbf4724e6061b4b01be20f6d797d64d462b2bc8 upstream.
The page_huge_active() can be called from scan_movable_pages() which do
not hold a reference count to the HugeTLB page. So when we call
page_huge_active() from scan_movable_pages(), the HugeTLB page can be
freed parallel. Then we will trigger a BUG_ON which is in the
page_huge_active() when CONFIG_DEBUG_VM is enabled. Just remove the
VM_BUG_ON_PAGE.
Link: https://lkml.kernel.org/r/20210115124942.46403-6-songmuchun@bytedance.com
Fixes:
|
||
Muchun Song
|
532574ae25 |
mm: hugetlb: fix a race between isolating and freeing page
commit 0eb2df2b5629794020f75e94655e1994af63f0d4 upstream.
There is a race between isolate_huge_page() and __free_huge_page().
CPU0: CPU1:
if (PageHuge(page))
put_page(page)
__free_huge_page(page)
spin_lock(&hugetlb_lock)
update_and_free_page(page)
set_compound_page_dtor(page,
NULL_COMPOUND_DTOR)
spin_unlock(&hugetlb_lock)
isolate_huge_page(page)
// trigger BUG_ON
VM_BUG_ON_PAGE(!PageHead(page), page)
spin_lock(&hugetlb_lock)
page_huge_active(page)
// trigger BUG_ON
VM_BUG_ON_PAGE(!PageHuge(page), page)
spin_unlock(&hugetlb_lock)
When we isolate a HugeTLB page on CPU0. Meanwhile, we free it to the
buddy allocator on CPU1. Then, we can trigger a BUG_ON on CPU0, because
it is already freed to the buddy allocator.
Link: https://lkml.kernel.org/r/20210115124942.46403-5-songmuchun@bytedance.com
Fixes:
|
||
Muchun Song
|
db510d8f98 |
mm: hugetlb: fix a race between freeing and dissolving the page
commit 7ffddd499ba6122b1a07828f023d1d67629aa017 upstream.
There is a race condition between __free_huge_page()
and dissolve_free_huge_page().
CPU0: CPU1:
// page_count(page) == 1
put_page(page)
__free_huge_page(page)
dissolve_free_huge_page(page)
spin_lock(&hugetlb_lock)
// PageHuge(page) && !page_count(page)
update_and_free_page(page)
// page is freed to the buddy
spin_unlock(&hugetlb_lock)
spin_lock(&hugetlb_lock)
clear_page_huge_active(page)
enqueue_huge_page(page)
// It is wrong, the page is already freed
spin_unlock(&hugetlb_lock)
The race window is between put_page() and dissolve_free_huge_page().
We should make sure that the page is already on the free list when it is
dissolved.
As a result __free_huge_page would corrupt page(s) already in the buddy
allocator.
Link: https://lkml.kernel.org/r/20210115124942.46403-4-songmuchun@bytedance.com
Fixes:
|
||
Muchun Song
|
b6e04c19c5 |
mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
commit 585fc0d2871c9318c949fbf45b1f081edd489e96 upstream.
If a new hugetlb page is allocated during fallocate it will not be
marked as active (set_page_huge_active) which will result in a later
isolate_huge_page failure when the page migration code would like to
move that page. Such a failure would be unexpected and wrong.
Only export set_page_huge_active, just leave clear_page_huge_active as
static. Because there are no external users.
Link: https://lkml.kernel.org/r/20210115124942.46403-3-songmuchun@bytedance.com
Fixes:
|
||
Roman Gushchin
|
50b2181099 |
memblock: do not start bottom-up allocations with kernel_end
[ Upstream commit 2dcb3964544177c51853a210b6ad400de78ef17d ] With kaslr the kernel image is placed at a random place, so starting the bottom-up allocation with the kernel_end can result in an allocation failure and a warning like this one: hugetlb_cma: reserve 2048 MiB, up to 2048 MiB per node ------------[ cut here ]------------ memblock: bottom-up allocation failed, memory hotremove may be affected WARNING: CPU: 0 PID: 0 at mm/memblock.c:332 memblock_find_in_range_node+0x178/0x25a Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.0+ #1169 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 RIP: 0010:memblock_find_in_range_node+0x178/0x25a Code: e9 6d ff ff ff 48 85 c0 0f 85 da 00 00 00 80 3d 9b 35 df 00 00 75 15 48 c7 c7 c0 75 59 88 c6 05 8b 35 df 00 01 e8 25 8a fa ff <0f> 0b 48 c7 44 24 20 ff ff ff ff 44 89 e6 44 89 ea 48 c7 c1 70 5c RSP: 0000:ffffffff88803d18 EFLAGS: 00010086 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000240000000 RCX: 00000000ffffdfff RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000046 RBP: 0000000100000000 R08: ffffffff88922788 R09: 0000000000009ffb R10: 00000000ffffe000 R11: 3fffffffffffffff R12: 0000000000000000 R13: 0000000000000000 R14: 0000000080000000 R15: 00000001fb42c000 FS: 0000000000000000(0000) GS:ffffffff88f71000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa080fb401000 CR3: 00000001fa80a000 CR4: 00000000000406b0 Call Trace: memblock_alloc_range_nid+0x8d/0x11e cma_declare_contiguous_nid+0x2c4/0x38c hugetlb_cma_reserve+0xdc/0x128 flush_tlb_one_kernel+0xc/0x20 native_set_fixmap+0x82/0xd0 flat_get_apic_id+0x5/0x10 register_lapic_address+0x8e/0x97 setup_arch+0x8a5/0xc3f start_kernel+0x66/0x547 load_ucode_bsp+0x4c/0xcd secondary_startup_64_no_verify+0xb0/0xbb random: get_random_bytes called from __warn+0xab/0x110 with crng_init=0 ---[ end trace f151227d0b39be70 ]--- At the same time, the kernel image is protected with memblock_reserve(), so we can just start searching at PAGE_SIZE. In this case the bottom-up allocation has the same chances to success as a top-down allocation, so there is no reason to fallback in the case of a failure. All together it simplifies the logic. Link: https://lkml.kernel.org/r/20201217201214.3414100-2-guro@fb.com Fixes: 8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low memory") Signed-off-by: Roman Gushchin <guro@fb.com> Reviewed-by: Mike Rapoport <rppt@linux.ibm.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Michal Hocko <mhocko@kernel.org> Cc: Rik van Riel <riel@surriel.com> Cc: Wonhyuk Yang <vvghjk1234@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
1a02ec69a6 |
This is the 4.19.172 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAVUdoACgkQONu9yGCS aT6CVw/8CyxF0mRo1B3AdXBy4Tx9a++myhnU0Mg3K2AawKzN2dzF2qWMJq1jz8Ut jrRXeaoAQ9Wx9676NCfpkLCDGKPFtRGPq4fel9g4eBbqzSGuhzoe64Qr9mfbIHuU 3efAiutlTMjQL5FhpeHTqgJTh1j1NsmThIRZA+yIUcL3YbH6HWx7wQGthF1JooWP hZ/YQ1MKt9IZlhyafNcO6wvtEfL5DY6DANHSyKsbwY1jMPJIQ0k90Z4zbHRAlwKZ HaMdV1vvCXjVNXu6e6Mlto2HcQolzg5l3uNVsc7ZzqHp9yOwrDfPMqRqxNuI2MrP r3J38mfRywOV2Woe++aTwOHSj0c/YGTThxbWj/lqJepu3Bc4LBwkACVchWskglY/ W59XNg5ijxG1PBJy7NW05hkH/d2C6KWilhXvlqe4hRPf6/H3VM1YGTwpHiiVlNsr vZYYx0A8ugRo6rigtIrfOBt3xc8ZyQSxlA/mrnzHddH1zzoaZJ7+ecIQgO0lEZh1 ICV2SY4cinvY5sBGcrgcFYFoQSyCHCjO36h03hHGzVxGVBYIas80DYuqRDes4E9H 6jEz3TphqCdtSxBsT1D1iIacr+xYyfgAO4YwkpiPhjztRIUaOjAop6U94BHhmPha Yz+ia5+odCGo4n6u0k7BYAwSGFlr0+xz/MTMAN5IuFcPWB7w4qA= =7rAE -----END PGP SIGNATURE----- Merge 4.19.172 into android-4.19-stable Changes in 4.19.172 gpio: mvebu: fix pwm .get_state period calculation Revert "mm/slub: fix a memory leak in sysfs_slab_add()" futex: Move futex exit handling into futex code futex: Replace PF_EXITPIDONE with a state exit/exec: Seperate mm_release() futex: Split futex_mm_release() for exit/exec futex: Set task::futex_state to DEAD right after handling futex exit futex: Mark the begin of futex exit explicitly futex: Sanitize exit state handling futex: Provide state handling for exec() as well futex: Add mutex around futex exit futex: Provide distinct return value when owner is exiting futex: Prevent exit livelock futex: Ensure the correct return value from futex_lock_pi() futex: Replace pointless printk in fixup_owner() futex: Provide and use pi_state_update_owner() rtmutex: Remove unused argument from rt_mutex_proxy_unlock() futex: Use pi_state_update_owner() in put_pi_state() futex: Simplify fixup_pi_state_owner() futex: Handle faults correctly for PI futexes HID: wacom: Correct NULL dereference on AES pen proximity tracing: Fix race in trace_open and buffer resize call tools: Factor HOSTCC, HOSTLD, HOSTAR definitions dm integrity: conditionally disable "recalculate" feature writeback: Drop I_DIRTY_TIME_EXPIRE fs: fix lazytime expiration handling in __writeback_single_inode() Linux 4.19.172 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9b5391e9e955a105ab9c144fa6258dcbea234211 |
||
Wang Hai
|
08b227d9f3 |
Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
commit 757fed1d0898b893d7daa84183947c70f27632f3 upstream. This reverts commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2. syzbot report a double-free bug. The following case can cause this bug. - mm/slab_common.c: create_cache(): if the __kmem_cache_create() fails, it does: out_free_cache: kmem_cache_free(kmem_cache, s); - but __kmem_cache_create() - at least for slub() - will have done sysfs_slab_add(s) -> sysfs_create_group() .. fails .. -> kobject_del(&s->kobj); .. which frees s ... We can't remove the kmem_cache_free() in create_cache(), because other error cases of __kmem_cache_create() do not free this. So, revert the commit dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()") to fix this. Reported-by: syzbot+d0bd96b4696c1ef67991@syzkaller.appspotmail.com Fixes: dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()") Acked-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Wang Hai <wanghai38@huawei.com> Cc: <stable@vger.kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
709f9b702e |
This is the 4.19.171 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAROwsACgkQONu9yGCS aT4T5w//XnQz3KLe6G/Gu641fwHbOmNmYg/Ob43DRj0JtMRDFsGm7wl5KVYXgf3l eI4/K8vMevO0XlSly8Xo8MkYoKiVbv8BX/owsZ9SUTbcGguJ79xKjJ++cXnezsFf knwiHKQRg+3KM/PZdT29mgkcYo2T6ndcmeq1Q2Q49Xn7vDdCCJuzLYccKRRaR5zm RoWn9AKtobUaFhuhkMm4gi0mkpH9viD4Su62k3EjQW8ysE5l4OPmlMcy6M+dpt5A Nh0DMsMnjuqPp1Bm5bSSY5gJ7foHZ9iNAC7UxoD+EIXPMN1jVOoCnqmfSKy+dE65 ROgex14HP1Zmrn5Zj7spc4zX2zWMbIyJgLQDpp+0dK+4wpINw97yXXoyYW+V5iyY ouf5BKXfudv4Du/PiKkAqf/s0Q5Lh19XSns0hygb+WG67h0CLJxQcH3o2wFWKzl3 JniD5BohTYpqsu5V/zSANqJuugHVxyx2N2SSWtpsYZoFX7GRCtNBOV2NSgH65jW7 S+N4Md8Hfx6rlp+BOkhKfBtDePev6orrSt4wxZ4JSRH++/ztFKo/1CY23NkLsdGN 9PIC6dawYIPTNGtrczwvmebEdBUbEYDBLyeKTcCeRLB1yP4sbb4a2yOoCmjdmAeD AKUMnx2+20Tl5k67HdrUKxA17KJ1qD5IkurfQkRpUo2uUkSEqpY= =Ao4u -----END PGP SIGNATURE----- Merge 4.19.171 into android-4.19-stable Changes in 4.19.171 i2c: bpmp-tegra: Ignore unknown I2C_M flags ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() ALSA: hda/via: Add minimum mute flag ACPI: scan: Make acpi_bus_get_device() clear return pointer on error btrfs: fix lockdep splat in btrfs_recover_relocation mmc: core: don't initialize block size from ext_csd if not present mmc: sdhci-xenon: fix 1.8v regulator stabilization dm: avoid filesystem lookup in dm_get_dev_t() dm integrity: fix a crash if "recalculate" used without "internal_hash" drm/atomic: put state on error path ASoC: Intel: haswell: Add missing pm_ops scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback scsi: qedi: Correct max length of CHAP secret riscv: Fix kernel time_init() HID: Ignore battery for Elan touchscreen on ASUS UX550 clk: tegra30: Add hda clock default rates to clock driver xen: Fix event channel callback via INTX/GSI drm/nouveau/bios: fix issue shadowing expansion ROMs drm/nouveau/privring: ack interrupts the same way as RM drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields drm/nouveau/mmu: fix vram heap sizing drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression i2c: octeon: check correct size of maximum RECV_LEN packet platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list selftests: net: fib_tests: remove duplicate log test can: dev: can_restart: fix use after free bug can: vxcan: vxcan_xmit: fix use after free bug can: peak_usb: fix use after free bugs iio: ad5504: Fix setting power-down state irqchip/mips-cpu: Set IPI domain parent chip intel_th: pci: Add Alder Lake-P support stm class: Fix module init return on allocation failure serial: mvebu-uart: fix tx lost characters at power off ehci: fix EHCI host controller initialization sequence USB: ehci: fix an interrupt calltrace error usb: gadget: aspeed: fix stop dma register setting. usb: udc: core: Use lock when write to soft_connect usb: bdc: Make bdc pci driver depend on BROKEN xhci: make sure TRB is fully written before giving it to the controller xhci: tegra: Delay for disabling LFPS detector driver core: Extend device_is_dependent() netfilter: rpfilter: mask ecn bits before fib lookup sh: dma: fix kconfig dependency for G2_DMA sh_eth: Fix power down vs. is_opened flag ordering skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow kasan: fix incorrect arguments passing in kasan_add_zero_shadow udp: mask TOS bits in udp_v4_early_demux() ipv6: create multicast route with RTPROT_KERNEL net_sched: avoid shift-out-of-bounds in tcindex_set_parms() net_sched: reject silly cell_log in qdisc_get_rtab() ipv6: set multicast flag on the multicast route net: mscc: ocelot: allow offloading of bridge on top of LAG net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled net: dsa: b53: fix an off by one in checking "vlan->vid" Linux 4.19.171 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I2be7d084a443bfc87e6a3d5753d9c233f54788ac |
||
Lecopzer Chen
|
1ad3d65c19 |
kasan: fix incorrect arguments passing in kasan_add_zero_shadow
commit 5dabd1712cd056814f9ab15f1d68157ceb04e741 upstream.
kasan_remove_zero_shadow() shall use original virtual address, start and
size, instead of shadow address.
Link: https://lkml.kernel.org/r/20210103063847.5963-1-lecopzer@gmail.com
Fixes:
|
||
Lecopzer Chen
|
5cb8624526 |
kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
commit a11a496ee6e2ab6ed850233c96b94caf042af0b9 upstream.
During testing kasan_populate_early_shadow and kasan_remove_zero_shadow,
if the shadow start and end address in kasan_remove_zero_shadow() is not
aligned to PMD_SIZE, the remain unaligned PTE won't be removed.
In the test case for kasan_remove_zero_shadow():
shadow_start: 0xffffffb802000000, shadow end: 0xffffffbfbe000000
3-level page table:
PUD_SIZE: 0x40000000 PMD_SIZE: 0x200000 PAGE_SIZE: 4K
0xffffffbf80000000 ~ 0xffffffbfbdf80000 will not be removed because in
kasan_remove_pud_table(), kasan_pmd_table(*pud) is true but the next
address is 0xffffffbfbdf80000 which is not aligned to PUD_SIZE.
In the correct condition, this should fallback to the next level
kasan_remove_pmd_table() but the condition flow always continue to skip
the unaligned part.
Fix by correcting the condition when next and addr are neither aligned.
Link: https://lkml.kernel.org/r/20210103135621.83129-1-lecopzer@gmail.com
Fixes:
|
||
Greg Kroah-Hartman
|
ea0aa59740 |
This is the 4.19.169 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAHFgcACgkQONu9yGCS aT7vaw//QfIjoGSMrv88n6b+2CBKU7yZyUqDhV1YvfLs3CwAHc0NDrBgmHanje5j SIBBoa0PhzhzVE2zPMLlfWisGs8dt0844R5LL+Kc8h7oa7OCSKY1tws8lm9L0qgj DE5/DD1ztmg9glKhiJyQxRwZfbWQlp2eAyN8TEqKCrfxrP2UOW6JNW0dMniqACvM CmPNgopFfnObTVSjbLYYlonJJsOE++EUue5XN+MvBQSOaamTBOB5cwr3esEG0RX7 GGu+P0dQXpJUythkqypDCH2LVe95szOeCEwmTFnQKauFLYQijVx0s4kMSiiU/ByP o0sHFOSdsayi5rOYek3lnomnzqzWvQgIrs3VqkXhT//j8hcXE0+owYvNbpTbC4c6 E8qULLht6pahtD/53MYk0XGDC6y5uIgbIQGQylWyg4+bZFfnXlz6UErrFXM/gyEp 0uARhrwJT3BmKsNQPKsTCWuzpfVuKCTseYfpiOZMqZptyKtFyWSnCvyTRyPk4ZvS VeMXG46qENiWDXUrvggL9zK4bzgqsyneLbzkJ6eqEA9YxE7MPlH6I4TUhjPm4KWl CHMl60lDwA/N/M76WiPkHVXp1/ODpnK2ebKRXSM2goT0/jsOA2CTLVGSQ9tzH4e4 7zrnG0JnETw6ib2w4rfKJRi/OSS49r03lO2PnrLOexA4Y+U8daI= =H0Tc -----END PGP SIGNATURE----- Merge 4.19.169 into android-4.19-stable Changes in 4.19.169 ASoC: dapm: remove widget from dirty list on free x86/hyperv: check cpu mask after interrupt has been disabled tracing/kprobes: Do the notrace functions check without kprobes on ftrace MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB MIPS: relocatable: fix possible boot hangup with KASLR enabled ACPI: scan: Harden acpi_device_add() against device ID overflows mm/hugetlb: fix potential missing huge page size info dm snapshot: flush merged data before committing metadata dm integrity: fix the maximum number of arguments r8152: Add Lenovo Powered USB-C Travel Hub ext4: fix bug for rename with RENAME_WHITEOUT ARC: build: remove non-existing bootpImage from KBUILD_IMAGE ARC: build: add uImage.lzma to the top-level target ARC: build: add boot_targets to PHONY btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram bfq: Fix computation of shallow depth arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC misdn: dsp: select CONFIG_BITREVERSE net: ethernet: fs_enet: Add missing MODULE_LICENSE ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI drm/msm: Call msm_init_vram before binding the gpu ARM: picoxcell: fix missing interrupt-parent properties ima: Remove __init annotation from ima_pcrread() dump_common_audit_data(): fix racy accesses to ->d_name ASoC: meson: axg-tdm-interface: fix loopback ASoC: Intel: fix error code cnl_set_dsp_D0() NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock pNFS: Mark layout for return if return-on-close was not sent NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter NFS: nfs_igrab_and_active must first reference the superblock ext4: fix superblock checksum failure when setting password salt RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp RDMA/mlx5: Fix wrong free of blue flame register on error mm, slub: consider rest of partial list if acquire_slab() fails net: sunrpc: interpret the return value of kstrtou32 correctly dm: eliminate potential source of excessive kernel log noise ALSA: firewire-tascam: Fix integer overflow in midi_port_work() ALSA: fireface: Fix integer overflow in transmit_midi_msg() netfilter: conntrack: fix reading nf_conntrack_buckets netfilter: nf_nat: Fix memleak in nf_nat_init kbuild: enforce -Werror=return-type Linux 4.19.169 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I74309249e2b6a77421acd7f8d19f60cc48c328db |
||
Jann Horn
|
21a466aed7 |
mm, slub: consider rest of partial list if acquire_slab() fails
commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream.
acquire_slab() fails if there is contention on the freelist of the page
(probably because some other CPU is concurrently freeing an object from
the page). In that case, it might make sense to look for a different page
(since there might be more remote frees to the page from other CPUs, and
we don't want contention on struct page).
However, the current code accidentally stops looking at the partial list
completely in that case. Especially on kernels without CONFIG_NUMA set,
this means that get_partial() fails and new_slab_objects() falls back to
new_slab(), allocating new pages. This could lead to an unnecessary
increase in memory fragmentation.
Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com
Fixes:
|
||
Miaohe Lin
|
bba1a0da5b |
mm/hugetlb: fix potential missing huge page size info
commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
The huge page size is encoded for VM_FAULT_HWPOISON errors only. So if
we return VM_FAULT_HWPOISON, huge page size would just be ignored.
Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
Fixes:
|
||
Quentin Perret
|
e6487e273e |
Revert "BACKPORT: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once"
This reverts commit
|
||
Peter Collingbourne
|
6c376abc01 |
BACKPORT: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once
In the Scudo memory allocator [1] we would like to be able to detect use-after-free vulnerabilities involving large allocations by issuing mprotect(PROT_NONE) on the memory region used for the allocation when it is deallocated. Later on, after the memory region has been "quarantined" for a sufficient period of time we would like to be able to use it for another allocation by issuing mprotect(PROT_READ|PROT_WRITE). Before this patch, after removing the write protection, any writes to the memory region would result in page faults and entering the copy-on-write code path, even in the usual case where the pages are only referenced by a single PTE, harming performance unnecessarily. Make it so that any pages in anonymous mappings that are only referenced by a single PTE are immediately made writable during the mprotect so that we can avoid the page faults. This program shows the critical syscall sequence that we intend to use in the allocator: #include <string.h> #include <sys/mman.h> enum { kSize = 131072 }; int main(int argc, char **argv) { char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); for (int i = 0; i != 100000; ++i) { memset(addr, i, kSize); mprotect((void *)addr, kSize, PROT_NONE); mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE); } } The effect of this patch on the above program was measured on a DragonBoard 845c by taking the median real time execution time of 10 runs. Before: 3.19s After: 0.79s The effect was also measured using one of the microbenchmarks that we normally use to benchmark the allocator [2], after modifying it to make the appropriate mprotect calls [3]. With an allocation size of 131072 bytes to trigger the allocator's "large allocation" code path the per-iteration time was measured as follows: Before: 33364ns After: 6886ns This patch means that we do more work during the mprotect call itself in exchange for less work when the pages are accessed. In the worst case, the pages are not accessed at all. The effect of this patch in such cases was measured using the following program: #include <string.h> #include <sys/mman.h> enum { kSize = 131072 }; int main(int argc, char **argv) { char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); memset(addr, 1, kSize); for (int i = 0; i != 100000; ++i) { #ifdef PAGE_FAULT memset(addr + (i * 4096) % kSize, i, 4096); #endif mprotect((void *)addr, kSize, PROT_NONE); mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE); } } With PAGE_FAULT undefined (0 pages touched after removing write protection) the median real time execution time of 100 runs was measured as follows: Before: 0.325928s After: 0.365493s With PAGE_FAULT defined (1 page touched) the measurements were as follows: Before: 0.441516s After: 0.380251s So it seems that even with a single page fault the new approach is faster. I saw similar results if I adjusted the programs to use a larger mapping size. With kSize = 1048576 I get these numbers with PAGE_FAULT undefined: Before: 1.563078s After: 1.607476s i.e. around 3%. And these with PAGE_FAULT defined: Before: 1.684663s After: 1.683272s i.e. about the same. What I think we may conclude from these results is that for smaller mappings the advantage of the previous approach, although measurable, is wiped out by a single page fault. I think we may expect that there should be at least one access resulting in a page fault (under the previous approach) after making the pages writable, since the program presumably made the pages writable for a reason. For larger mappings we may guesstimate that the new approach wins if the density of future page faults is > 0.4%. But for the mappings that are large enough for density to matter (not just the absolute number of page faults) it doesn't seem like the increase in mprotect latency would be very large relative to the total mprotect execution time. Link: https://lkml.kernel.org/r/20201230004134.1185017-1-pcc@google.com Link: https://linux-review.googlesource.com/id/I98d75ef90e20330c578871c87494d64b1df3f1b8 Link: [1] https://source.android.com/devices/tech/debug/scudo Link: [2] https://cs.android.com/android/platform/superproject/+/master:bionic/benchmarks/stdlib_benchmark.cpp;l=53;drc=e8693e78711e8f45ccd2b610e4dbe0b94d551cc9 Link: [3] https://github.com/pcc/llvm-project/commit/scudo-mprotect-secondary Signed-off-by: Peter Collingbourne <pcc@google.com> [pcc: resolved minor conflict] Cc: Kostya Kortchinsky <kostyak@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> (cherry picked from commit 2a9e75c907fa2de626d77dd4051fc038f0dbaf52 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git akpm) Bug: 135772972 Change-Id: I98d75ef90e20330c578871c87494d64b1df3f1b8 |
||
Greg Kroah-Hartman
|
a175946a5a |
This is the 4.19.163 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/TZyUACgkQONu9yGCS aT6Z8Q/+It2xbx52eGrQbN1beQ4vlER+kfbyvIWGgj3GYgiTn1nBTf0COJs5ukXG YiKfimV7vUth1NOFkgb4/FKLaU1YkIBpKgOruFA8bxL/XIfX617Y9e3zIFU7Dhsx R/fuLm0+EqaIlT9nO59vf3MU1Fe6Ty8jBzwrVlgAUwSDWqtPLvvevwwpS1dJLQ77 5O3Q8/tO9epc6r5RxSzdcaFZDAp1SeT/lIxzKQD9rBeySJeB/e0usoo00SpjcGiL biZSgKAbpLQ2Y5Mbev5OClNxP3zCObOy8Hj20xOl1jlUil+UNQXfbU+bLNuQKfWU ilPjhrqUarBaMHydsJDZ9CTHOB94dVqUPB1YJYgtDr3cC5X/yQkqZwPGoK8tEe5u IO2XUkCGd6bj4nnqikkodh6zYlfxMYbHaFRAUaOMkE5c5Y3mb3h+/DW8cFuEIEg3 4dYnujItqCnqlNP3/bmT6i2uicxNzbAGYNZ/7B883WyCsBlxaPTJlY8yzFxoPk03 HYXKxM9lY1gn0zFXttvWp0l91UWnuIuJqRyc97NuhTxKr9+ZHbnBDWXnF3Dm3iie 262DXA+dAIc5FR9LQHG83nrrnLVk+3d1fiaduHCmaMjx/T1kJquMRuuWEUJZf/CG ++DecqyoGCqNJAQfbu5OUywPnakRfaCdXUo73qfCfloS4OYe5ck= =hIcD -----END PGP SIGNATURE----- Merge 4.19.163 into android-4.19-stable Changes in 4.19.163 pinctrl: baytrail: Replace WARN with dev_info_once when setting direct-irq pin to output pinctrl: baytrail: Fix pin being driven low for a while on gpiod_get(..., GPIOD_OUT_HIGH) usb: gadget: f_fs: Use local copy of descriptors for userspace copy USB: serial: kl5kusb105: fix memleak on open USB: serial: ch341: add new Product ID for CH341A USB: serial: ch341: sort device-id entries USB: serial: option: add Fibocom NL668 variants USB: serial: option: add support for Thales Cinterion EXS82 USB: serial: option: fix Quectel BG96 matching tty: Fix ->pgrp locking in tiocspgrp() tty: Fix ->session locking ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294 ALSA: hda/realtek - Add new codec supported for ALC897 ALSA: hda/generic: Add option to enforce preferred_dacs pairs ftrace: Fix updating FTRACE_FL_TRAMP cifs: fix potential use-after-free in cifs_echo_request() i2c: imx: Don't generate STOP condition if arbitration has been lost scsi: mpt3sas: Fix ioctl timeout dm writecache: fix the maximum number of arguments dm: remove invalid sparse __acquires and __releases annotations mm: list_lru: set shrinker map bit when child nr_items is not zero mm/swapfile: do not sleep with a spin lock held x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes i2c: imx: Fix reset of I2SR_IAL flag i2c: imx: Check for I2SR_IAL after every byte speakup: Reject setting the speakup line discipline outside of speakup iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs spi: Introduce device-managed SPI controller allocation spi: bcm-qspi: Fix use-after-free on unbind spi: bcm2835: Fix use-after-free on unbind spi: bcm2835: Release the DMA channel if probe fails after dma_init tracing: Fix userstacktrace option for instances gfs2: check for empty rgrp tree in gfs2_ri_update i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc() dm writecache: remove BUG() and fail gracefully instead Input: i8042 - fix error return code in i8042_setup_aux() netfilter: nf_tables: avoid false-postive lockdep splat x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes Revert "geneve: pull IP header before ECN decapsulation" Linux 4.19.163 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I65bc0b27c576e6d5c75f0bc085cb80e9a2f0a2d3 |
||
Qian Cai
|
2498ae2460 |
mm/swapfile: do not sleep with a spin lock held
commit b11a76b37a5aa7b07c3e3eeeaae20b25475bddd3 upstream. We can't call kvfree() with a spin lock held, so defer it. Fixes a might_sleep() runtime warning. Fixes: 873d7bcfd066 ("mm/swapfile.c: use kvzalloc for swap_info_struct allocation") Signed-off-by: Qian Cai <qcai@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Hugh Dickins <hughd@google.com> Cc: <stable@vger.kernel.org> Link: https://lkml.kernel.org/r/20201202151549.10350-1-qcai@redhat.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Yang Shi
|
7517a38342 |
mm: list_lru: set shrinker map bit when child nr_items is not zero
commit 8199be001a470209f5c938570cc199abb012fe53 upstream. When investigating a slab cache bloat problem, significant amount of negative dentry cache was seen, but confusingly they neither got shrunk by reclaimer (the host has very tight memory) nor be shrunk by dropping cache. The vmcore shows there are over 14M negative dentry objects on lru, but tracing result shows they were even not scanned at all. Further investigation shows the memcg's vfs shrinker_map bit is not set. So the reclaimer or dropping cache just skip calling vfs shrinker. So we have to reboot the hosts to get the memory back. I didn't manage to come up with a reproducer in test environment, and the problem can't be reproduced after rebooting. But it seems there is race between shrinker map bit clear and reparenting by code inspection. The hypothesis is elaborated as below. The memcg hierarchy on our production environment looks like: root / \ system user The main workloads are running under user slice's children, and it creates and removes memcg frequently. So reparenting happens very often under user slice, but no task is under user slice directly. So with the frequent reparenting and tight memory pressure, the below hypothetical race condition may happen: CPU A CPU B reparent dst->nr_items == 0 shrinker: total_objects == 0 add src->nr_items to dst set_bit return SHRINK_EMPTY clear_bit child memcg offline replace child's kmemcg_id with parent's (in memcg_offline_kmem()) list_lru_del() between shrinker runs see parent's kmemcg_id dec dst->nr_items reparent again dst->nr_items may go negative due to concurrent list_lru_del() The second run of shrinker: read nr_items without any synchronization, so it may see intermediate negative nr_items then total_objects may return 0 coincidently keep the bit cleared dst->nr_items != 0 skip set_bit add scr->nr_item to dst After this point dst->nr_item may never go zero, so reparenting will not set shrinker_map bit anymore. And since there is no task under user slice directly, so no new object will be added to its lru to set the shrinker map bit either. That bit is kept cleared forever. How does list_lru_del() race with reparenting? It is because reparenting replaces children's kmemcg_id to parent's without protecting from nlru->lock, so list_lru_del() may see parent's kmemcg_id but actually deleting items from child's lru, but dec'ing parent's nr_items, so the parent's nr_items may go negative as commit |
||
Greg Kroah-Hartman
|
f8d9d560b9 |
This is the 4.19.160 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+8/EkACgkQONu9yGCS aT6g6xAAxZs2sTi6peZpLHhzTgMUZtZYJf9rgAWeF3wwIT1DeEVi8dpOuQbu6j17 bK65D/qJjmiZGJbFG+Mjt5GcQBOnQz+hQ+EaaADk3HOt6G9oFB99Bybmg6JP94TH 184JkzUMBnHWj9O4wBtF9IjqPoN5iDIz07D8RArxAqXW8+IWX6BjY2Qzd/dO2vns UufBBoKznAC1HWwI1WGyMTki+DHtk1m8hV4+H0G4wHrux4cQRXWzxZx3Zfnmkjqh v7Ig90GzVegxHjreYc7RnxDi4XCgOhRqevB+0uf5jms7mzd4spxz1kaAZqO5r/DQ tTn/90CL2n7+LC6HGZSGnD5WdKawEZwgbimjpsAQ8uygWyzTJ23hL71ZiGxFaKPc Yc7UqVMsSsFCAxUc+ri7ZLrKqBEn3NFZNNjAlqZRW4k1ayjuNz7EdP6CS9T6AZih vqmeygmnALbKaX/VPDk/GChWtcpSOfNRA4d3XkSdANavIsNoI114tKZOwwLUQQjd D/8h2gng7gnX6TquMQSLyQmYTTV3UxK8UW1Ipi00KLMfmYVHMSI0gn2fGDUwOyfJ vkwi/15GJXKQ+GJAvkuyJEDTwFE0iU/+gM28Jv56L9Kv25vWu7vdQVcDU6vslEhY bbPMzkOA8zSwOkTZTWS8k6cpMMeiWbIZyxHKovXsU84n0nSf6Hs= =IcSi -----END PGP SIGNATURE----- Merge 4.19.160 into android-4.19-stable Changes in 4.19.160 ah6: fix error return code in ah6_input() atm: nicstar: Unmap DMA on send error bnxt_en: read EEPROM A2h address using page 0 devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() lan743x: fix issue causing intermittent kernel log warnings lan743x: prevent entire kernel HANG on open, for some platforms mlxsw: core: Use variable timeout for EMAD retries net: b44: fix error return code in b44_init_one() net: bridge: add missing counters to ndo_get_stats64 callback net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 net: Have netpoll bring-up DSA management interface netlabel: fix our progress tracking in netlbl_unlabel_staticlist() netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() net/mlx4_core: Fix init_hca fields offset net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request page_frag: Recover from memory pressure qed: fix error return code in qed_iwarp_ll2_start() qlcnic: fix error return code in qlcnic_83xx_restart_hw() sctp: change to hold/put transport for proto_unreach_timer tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate net/mlx5: Disable QoS when min_rates on all VFs are zero net: usb: qmi_wwan: Set DTR quirk for MR400 net/ncsi: Fix netlink registration net: ftgmac100: Fix crash when removing driver pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() selftests: kvm: Fix the segment descriptor layout to match the actual layout ACPI: button: Add DMI quirk for Medion Akoya E2228T arm64: psci: Avoid printing in cpu_psci_cpu_die() vfs: remove lockdep bogosity in __sb_start_write arm64: dts: allwinner: a64: Pine64 Plus: Fix ethernet node arm64: dts: allwinner: h5: OrangePi PC2: Fix ethernet node ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node Revert "arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high" ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on Ethernet PHY ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY arm64: dts: allwinner: a64: bananapi-m64: Enable RGMII RX/TX delay on PHY Input: adxl34x - clean up a data type in adxl34x_probe() MIPS: export has_transparent_hugepage() for modules arm64: dts: allwinner: h5: OrangePi Prime: Fix ethernet node arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy ARM: dts: imx50-evk: Fix the chip select 1 IOMUX Input: resistive-adc-touch - fix kconfig dependency on IIO_BUFFER perf lock: Don't free "lock_seq_stat" if read_count isn't zero ip_tunnels: Set tunnel option flag when tunnel metadata is present can: af_can: prevent potential access of uninitialized member in can_rcv() can: af_can: prevent potential access of uninitialized member in canfd_rcv() can: dev: can_restart(): post buffer from the right context can: ti_hecc: Fix memleak in ti_hecc_probe can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() can: peak_usb: fix potential integer overflow on shift of a int can: m_can: m_can_handle_state_change(): fix state change ASoC: qcom: lpass-platform: Fix memory leak MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits xfs: fix the minrecs logic when dealing with inode root child blocks xfs: strengthen rmap record flags checking regulator: ti-abb: Fix array out of bound read access on the first transition fail_function: Remove a redundant mutex unlock xfs: revert "xfs: fix rmap key and record comparison functions" efi/x86: Free efi_pgd with free_pages() libfs: fix error cast of negative value in simple_attr_write() speakup: Do not let the line discipline be used several times ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() ALSA: usb-audio: Add delay quirk for all Logitech USB devices ALSA: ctl: fix error path at adding user-defined element set ALSA: mixart: Fix mutex deadlock ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220) tty: serial: imx: keep console clocks always on efivarfs: fix memory leak in efivarfs_create() staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids ext4: fix bogus warning in ext4_update_dx_flag() iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200} regulator: fix memory leak with repeated set_machine_constraints() regulator: avoid resolve_supply() infinite recursion regulator: workaround self-referent regulators xtensa: disable preemption around cache alias management calls mac80211: minstrel: remove deferred sampling code mac80211: minstrel: fix tx status processing corner case mac80211: free sta in sta_info_insert_finish() on errors s390/cpum_sf.c: fix file permission for cpum_sfb_size s390/dasd: fix null pointer dereference for ERP requests ptrace: Set PF_SUPERPRIV when checking capability seccomp: Set PF_SUPERPRIV when checking capability x86/microcode/intel: Check patch signature before saving microcode for early loading mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() Linux 4.19.160 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3a7304be6687f4ffe96f0e765da0c0ec7dcb971d |
||
Gerald Schaefer
|
dc94f8e932 |
mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault()
commit bfe8cc1db02ab243c62780f17fc57f65bde0afe1 upstream. Alexander reported a syzkaller / KASAN finding on s390, see below for complete output. In do_huge_pmd_anonymous_page(), the pre-allocated pagetable will be freed in some cases. In the case of userfaultfd_missing(), this will happen after calling handle_userfault(), which might have released the mmap_lock. Therefore, the following pte_free(vma->vm_mm, pgtable) will access an unstable vma->vm_mm, which could have been freed or re-used already. For all architectures other than s390 this will go w/o any negative impact, because pte_free() simply frees the page and ignores the passed-in mm. The implementation for SPARC32 would also access mm->page_table_lock for pte_free(), but there is no THP support in SPARC32, so the buggy code path will not be used there. For s390, the mm->context.pgtable_list is being used to maintain the 2K pagetable fragments, and operating on an already freed or even re-used mm could result in various more or less subtle bugs due to list / pagetable corruption. Fix this by calling pte_free() before handle_userfault(), similar to how it is already done in __do_huge_pmd_anonymous_page() for the WRITE / non-huge_zero_page case. Commit |
||
Dongli Zhang
|
082b21d034 |
page_frag: Recover from memory pressure
[ Upstream commit d8c19014bba8f565d8a2f1f46b4e38d1d97bf1a7 ]
The ethernet driver may allocate skb (and skb->data) via napi_alloc_skb().
This ends up to page_frag_alloc() to allocate skb->data from
page_frag_cache->va.
During the memory pressure, page_frag_cache->va may be allocated as
pfmemalloc page. As a result, the skb->pfmemalloc is always true as
skb->data is from page_frag_cache->va. The skb will be dropped if the
sock (receiver) does not have SOCK_MEMALLOC. This is expected behaviour
under memory pressure.
However, once kernel is not under memory pressure any longer (suppose large
amount of memory pages are just reclaimed), the page_frag_alloc() may still
re-use the prior pfmemalloc page_frag_cache->va to allocate skb->data. As a
result, the skb->pfmemalloc is always true unless page_frag_cache->va is
re-allocated, even if the kernel is not under memory pressure any longer.
Here is how kernel runs into issue.
1. The kernel is under memory pressure and allocation of
PAGE_FRAG_CACHE_MAX_ORDER in __page_frag_cache_refill() will fail. Instead,
the pfmemalloc page is allocated for page_frag_cache->va.
2: All skb->data from page_frag_cache->va (pfmemalloc) will have
skb->pfmemalloc=true. The skb will always be dropped by sock without
SOCK_MEMALLOC. This is an expected behaviour.
3. Suppose a large amount of pages are reclaimed and kernel is not under
memory pressure any longer. We expect skb->pfmemalloc drop will not happen.
4. Unfortunately, page_frag_alloc() does not proactively re-allocate
page_frag_alloc->va and will always re-use the prior pfmemalloc page. The
skb->pfmemalloc is always true even kernel is not under memory pressure any
longer.
Fix this by freeing and re-allocating the page instead of recycling it.
References: https://lore.kernel.org/lkml/20201103193239.1807-1-dongli.zhang@oracle.com/
References: https://lore.kernel.org/linux-mm/20201105042140.5253-1-willy@infradead.org/
Suggested-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
Cc: Bert Barbe <bert.barbe@oracle.com>
Cc: Rama Nichanamatlu <rama.nichanamatlu@oracle.com>
Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Cc: Manjunath Patil <manjunath.b.patil@oracle.com>
Cc: Joe Jin <joe.jin@oracle.com>
Cc: SRINIVAS <srinivas.eeda@oracle.com>
Fixes:
|
||
Qian Cai
|
bd9a94a360 |
UPSTREAM: slab: store tagged freelist for off-slab slabmgmt
Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags") calls kasan_reset_tag() for off-slab slab management object leading to freelist being stored non-tagged. However, cache_grow_begin() calls alloc_slabmgmt() which calls kmem_cache_alloc_node() assigns a tag for the address and stores it in the shadow address. As the result, it causes endless errors below during boot due to drain_freelist() -> slab_destroy() -> kasan_slab_free() which compares already untagged freelist against the stored tag in the shadow address. Since off-slab slab management object freelist is such a special case, just store it tagged. Non-off-slab management object freelist is still stored untagged which has not been assigned a tag and should not cause any other troubles with this inconsistency. BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88 Pointer tag: [ff], memory tag: [99] CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G W 5.1.0-rc3+ #8 Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.0.6 07/10/2018 Workqueue: cgroup_destroy css_killed_work_fn Call trace: print_address_description+0x74/0x2a4 kasan_report_invalid_free+0x80/0xc0 __kasan_slab_free+0x204/0x208 kasan_slab_free+0xc/0x18 kmem_cache_free+0xe4/0x254 slab_destroy+0x84/0x88 drain_freelist+0xd0/0x104 __kmem_cache_shrink+0x1ac/0x224 __kmemcg_cache_deactivate+0x1c/0x28 memcg_deactivate_kmem_caches+0xa0/0xe8 memcg_offline_kmem+0x8c/0x3d4 mem_cgroup_css_offline+0x24c/0x290 css_killed_work_fn+0x154/0x618 process_one_work+0x9cc/0x183c worker_thread+0x9b0/0xe38 kthread+0x374/0x390 ret_from_fork+0x10/0x18 Allocated by task 1625: __kasan_kmalloc+0x168/0x240 kasan_slab_alloc+0x18/0x20 kmem_cache_alloc_node+0x1f8/0x3a0 cache_grow_begin+0x4fc/0xa24 cache_alloc_refill+0x2f8/0x3e8 kmem_cache_alloc+0x1bc/0x3bc sock_alloc_inode+0x58/0x334 alloc_inode+0xb8/0x164 new_inode_pseudo+0x20/0xec sock_alloc+0x74/0x284 __sock_create+0xb0/0x58c sock_create+0x98/0xb8 __sys_socket+0x60/0x138 __arm64_sys_socket+0xa4/0x110 el0_svc_handler+0x2c0/0x47c el0_svc+0x8/0xc Freed by task 1625: __kasan_slab_free+0x114/0x208 kasan_slab_free+0xc/0x18 kfree+0x1a8/0x1e0 single_release+0x7c/0x9c close_pdeo+0x13c/0x43c proc_reg_release+0xec/0x108 __fput+0x2f8/0x784 ____fput+0x1c/0x28 task_work_run+0xc0/0x1b0 do_notify_resume+0xb44/0x1278 work_pending+0x8/0x10 The buggy address belongs to the object at ffff809681b89e00 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 0 bytes inside of 128-byte region [ffff809681b89e00, ffff809681b89e80) The buggy address belongs to the page: page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00 index:0xffff809681b8fe04 flags: 0x17ffffffc000200(slab) raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00 raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000 page dumped because: kasan: bad access detected page allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE) prep_new_page+0x4e0/0x5e0 get_page_from_freelist+0x4ce8/0x50d4 __alloc_pages_nodemask+0x738/0x38b8 cache_grow_begin+0xd8/0xa24 ____cache_alloc_node+0x14c/0x268 __kmalloc+0x1c8/0x3fc ftrace_free_mem+0x408/0x1284 ftrace_free_init_mem+0x20/0x28 kernel_init+0x24/0x548 ret_from_fork+0x10/0x18 Memory state around the buggy address: ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe ^ ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags") Signed-off-by: Qian Cai <cai@lca.pw> Reviewed-by: Andrey Konovalov <andreyknvl@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I99046a0e1cb893062167a376795fee3a59f56b36 |
||
Jan Kara
|
e608889947 |
UPSTREAM: mm/filemap.c: don't bother dropping mmap_sem for zero size readahead
When handling a page fault, we drop mmap_sem to start async readahead so that we don't block on IO submission with mmap_sem held. However there's no point to drop mmap_sem in case readahead is disabled. Handle that case to avoid pointless dropping of mmap_sem and retrying the fault. This was actually reported to block mlockall(MCL_CURRENT) indefinitely. Fixes: 6b4c9f446981 ("filemap: drop the mmap_sem for all blocking operations") Reported-by: Minchan Kim <minchan@kernel.org> Reported-by: Robert Stupp <snazy@gmx.de> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Minchan Kim <minchan@kernel.org> Link: http://lkml.kernel.org/r/20200212101356.30759-1-jack@suse.cz Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 5c72feee3e45b40a3c96c7145ec422899d0e8964) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iecc3a1972853a74d2faf70203fa34d912235be0b |
||
Qian Cai
|
1091b1b93c |
UPSTREAM: mm/page_alloc: silence a KASAN false positive
kernel_init_free_pages() will use memset() on s390 to clear all pages from kmalloc_order() which will override KASAN redzones because a redzone was setup from the end of the allocation size to the end of the last page. Silence it by not reporting it there. An example of the report is, BUG: KASAN: slab-out-of-bounds in __free_pages_ok Write of size 4096 at addr 000000014beaa000 Call Trace: show_stack+0x152/0x210 dump_stack+0x1f8/0x248 print_address_description.isra.13+0x5e/0x4d0 kasan_report+0x130/0x178 check_memory_region+0x190/0x218 memset+0x34/0x60 __free_pages_ok+0x894/0x12f0 kfree+0x4f2/0x5e0 unpack_to_rootfs+0x60e/0x650 populate_rootfs+0x56/0x358 do_one_initcall+0x1f4/0xa20 kernel_init_freeable+0x758/0x7e8 kernel_init+0x1c/0x170 ret_from_fork+0x24/0x28 Memory state around the buggy address: 000000014bea9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000014bea9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >000000014beaa000: 03 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ 000000014beaa080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe 000000014beaa100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options") Signed-off-by: Qian Cai <cai@lca.pw> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Tested-by: Vasily Gorbik <gor@linux.ibm.com> Acked-by: Vasily Gorbik <gor@linux.ibm.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Alexander Potapenko <glider@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Link: http://lkml.kernel.org/r/20200610052154.5180-1-cai@lca.pw Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 9e15afa5a87a3bf969a3b33c3dadfb8b46df42c0) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9375f117c1aa08c0d5d0e881bb5a917458f97c99 |
||
Greg Kroah-Hartman
|
bc09bee25e |
This is the 4.19.156 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+qe0EACgkQONu9yGCS aT6MSw//TZRP6iLK2RhIrZu2jKD8jfYbHMT9JgKV2QCw7meg9q0JMj+SNP9CPbiL oOYtsXsRFRnAh98aBXNMFmzV7Zm0uUu0XGeFGxnf8y2X7EI1nZ6plvrCUYD8dCiF IPR67yyc5MojNQTfm0XDvQ3C7bKx5PuheRCLwhSuKclnrDxi8FNjS2NSBxi5G32j B7NzateeG7m/zE9fG1RkiJzfwu8/k0PKKecEYFwjRSC5QrXwvtEKdz/X/HkoXsck 345wWHCTObpcDbDWkkUF5VuR36kCWMP+uYT4lNihZTV9+9b8Gz9ghhanDIuVCoU1 biEsJnCORe/PV/xcgGJNkpEtabbDQNJ5Dn3wLKSuRAbBOkN2/nwzZa4EDoXWQSTv PDhzbLDjFjMu8Yb9PKrylhYGTmlNS4mA3hMszF4QNszhRyxTyDGln4MbUkpKg4sO HgU4JLvDOCfkCsGTBJ4XGTBcH+6ZxZwm1b+e4uy3FFZW2CEqSetZ3TCyIBxdLupa 8JYmfqQjmaj0KUiUV9l1SJ6uHcIyg/FoNuCAdtDl7mLuzZdwtEhk3TeaZn4iwxWJ Ku+2qY0X6wsePOTfIA7puWBbK+IonM24Q3oIDVqjA+2yrmLJGlYuaQJrSPzEJHoh upHznwsU2W7MIfA6hJIcQeWIvzM4w5GSKUr3YeknVPIStP1ZqRg= =trRk -----END PGP SIGNATURE----- Merge 4.19.156 into android-4.19-stable Changes in 4.19.156 drm/i915: Break up error capture compression loops with cond_resched() tipc: fix use-after-free in tipc_bcast_get_mode ptrace: fix task_join_group_stop() for the case when current is traced cadence: force nonlinear buffers to be cloned chelsio/chtls: fix memory leaks caused by a race chelsio/chtls: fix always leaking ctrl_skb gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP gianfar: Account for Tx PTP timestamp in the skb headroom net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms sfp: Fix error handing in sfp_probe() blktrace: fix debugfs use after free btrfs: extent_io: Kill the forward declaration of flush_write_bio btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up Revert "btrfs: flush write bio if we loop in extent_write_cache_pages" btrfs: flush write bio if we loop in extent_write_cache_pages btrfs: extent_io: Handle errors better in extent_write_full_page() btrfs: extent_io: Handle errors better in btree_write_cache_pages() btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() Btrfs: fix unwritten extent buffers and hangs on future writeback attempts btrfs: Don't submit any btree write bio if the fs has errors btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it btrfs: tree-checker: Make chunk item checker messages more readable btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO btrfs: tree-checker: Check chunk item at tree block read time btrfs: tree-checker: Verify dev item btrfs: tree-checker: Fix wrong check on max devid btrfs: tree-checker: Enhance chunk checker to validate chunk profile btrfs: tree-checker: Verify inode item btrfs: tree-checker: fix the error message for transid error Fonts: Replace discarded const qualifier ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices ALSA: usb-audio: Add implicit feedback quirk for Qu-16 ALSA: usb-audio: Add implicit feedback quirk for MODX mm: mempolicy: fix potential pte_unmap_unlock pte error lib/crc32test: remove extra local_irq_disable/enable kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled mm: always have io_remap_pfn_range() set pgprot_decrypted() gfs2: Wake up when sd_glock_disposal becomes zero ring-buffer: Fix recursion protection transitions between interrupt context ftrace: Fix recursion check for NMI test ftrace: Handle tracing when switching between context tracing: Fix out of bounds write in get_trace_buf futex: Handle transient "ownerless" rtmutex state correctly ARM: dts: sun4i-a10: fix cpu_alert temperature x86/kexec: Use up-to-dated screen_info copy to fill boot params of: Fix reserved-memory overlap detection blk-cgroup: Fix memleak on error path blk-cgroup: Pre-allocate tree node on blkg_conf_prep scsi: core: Don't start concurrent async scan on same host vsock: use ns_capable_noaudit() on socket create drm/vc4: drv: Add error handding for bind ACPI: NFIT: Fix comparison to '-ENXIO' vt: Disable KD_FONT_OP_COPY fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent serial: 8250_mtk: Fix uart_get_baud_rate warning serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init USB: serial: cyberjack: fix write-URB completion race USB: serial: option: add Quectel EC200T module support USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 USB: serial: option: add Telit FN980 composition 0x1055 USB: Add NO_LPM quirk for Kingston flash drive usb: mtu3: fix panic in mtu3_gadget_stop() ARC: stack unwinding: avoid indefinite looping Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE" PM: runtime: Resume the device earlier in __device_release_driver() perf/core: Fix a memory leak in perf_event_parse_addr_filter() tools: perf: Fix build error in v4.19.y net: dsa: read mac address from DT for slave device arm64: dts: marvell: espressobin: Add ethernet switch aliases Linux 4.19.156 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I87af8871465f54de0332fa74bc1f342b7fe99061 |
||
Shijie Luo
|
d4fea27ffc |
mm: mempolicy: fix potential pte_unmap_unlock pte error
commit 3f08842098e842c51e3b97d0dcdebf810b32558e upstream. When flags in queue_pages_pte_range don't have MPOL_MF_MOVE or MPOL_MF_MOVE_ALL bits, code breaks and passing origin pte - 1 to pte_unmap_unlock seems like not a good idea. queue_pages_pte_range can run in MPOL_MF_MOVE_ALL mode which doesn't migrate misplaced pages but returns with EIO when encountering such a page. Since commit a7f40cfe3b7a ("mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified") and early break on the first pte in the range results in pte_unmap_unlock on an underflow pte. This can lead to lockups later on when somebody tries to lock the pte resp. page_table_lock again.. Fixes: a7f40cfe3b7a ("mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified") Signed-off-by: Shijie Luo <luoshijie1@huawei.com> Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Oscar Salvador <osalvador@suse.de> Acked-by: Michal Hocko <mhocko@suse.com> Cc: Miaohe Lin <linmiaohe@huawei.com> Cc: Feilong Lin <linfeilong@huawei.com> Cc: Shijie Luo <luoshijie1@huawei.com> Cc: <stable@vger.kernel.org> Link: https://lkml.kernel.org/r/20201019074853.50856-1-luoshijie1@huawei.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Daniel Vetter
|
d624a2b1ab |
UPSTREAM: mm/sl[uo]b: export __kmalloc_track(_node)_caller
slab does this already, and I want to use this in a memory allocation tracker in drm for stuff that's tied to the lifetime of a drm_device, not the underlying struct device. Kinda like devres, but for drm. Acked-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: linux-mm@kvack.org Link: https://patchwork.freedesktop.org/patch/msgid/20200323144950.3018436-2-daniel.vetter@ffwll.ch (cherry picked from commit fd7cb5753ef49964ea9db5121c3fc9a4ec21ed8e) Bug: 163141236 Signed-off-by: Alistair Delva <adelva@google.com> Change-Id: I10790befc779311a5f2ee441e4d073e51a5a7a62 |
||
Greg Kroah-Hartman
|
b9a942466b |
This is the 4.19.153 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+ag5UACgkQONu9yGCS aT5O3w//RaOcwQdi47/UJz8zyja1ZG8MSSCGibpwvaDwrsXu9es1QtqLAC38H10o ygxNLBZQHxhScsRpicNc+Dy87+lcSj8cF1ed7sd1LU8rvmQ18uIeFUZxfzYth8jW i6erzas0Ojw8IMy566GDxkfAC6n5GhJuJTVFQWUQpoEbsb5rXcGCLx3u+S3Ew+5t Xb9qE6r5cImYymvMkMy7RQ4Db2qgOwjkaCj+Ol+4BSR0bF4OweMQLPJs9gN8pJpr o2nxHg7wdO8SKJZCBVw8ZmfO4zF6czcKy+KzFajn+4LA2oT5mgiV8y21cd9CWYeQ JQK1jZGwwl/xljrM1yLd+crG8i11DhCStY90+4bxD68r8H+g1kwZ8jELmCwuuyx6 dk1s7jOxyKl9qAnMt6r2HqrjgxGD+2hL+2S84jPGRBow5IYjrdD0REXZjyk1R7Rp 8k00lRk1ATEy7H2lj4JW34tcsTEEDcn8PqUFx7MRKtCUI2uo4Gr5HXqf6wTJDp6S BsDe8mm77jd81vtw/AZ8Fv7Fg42QIPt7G1QV9wBbFvDmKmDa7Gj6SuQqTeu75oU9 M++aWSwyOb08wZEE0y94wsm6r4raN3A8o70Df9FltNFTALowuIcR+CVtOnQfHEuL BUBJcWg3SDsIxkXYgvQ9jO5h38i6dhAIVGAcU4VB0rgP/ePKMQs= =GiLo -----END PGP SIGNATURE----- Merge 4.19.153 into android-4.19-stable Changes in 4.19.153 ibmveth: Switch order of ibmveth_helper calls. ibmveth: Identify ingress large send packets. ipv4: Restore flowi4_oif update before call to xfrm_lookup_route mlx4: handle non-napi callers to napi_poll net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() net: fec: Fix PHY init after phy_reset_after_clk_enable() net: fix pos incrementment in ipv6_route_seq_next net/smc: fix valid DMBE buffer sizes net: usb: qmi_wwan: add Cellient MPL200 card tipc: fix the skb_unshare() in tipc_buf_append() net/ipv4: always honour route mtu during forwarding r8169: fix data corruption issue on RTL8402 net/tls: sendfile fails with ktls offload binder: fix UAF when releasing todo list ALSA: bebob: potential info leak in hwdep_read() chelsio/chtls: fix socket lock chelsio/chtls: correct netdevice for vlan interface chelsio/chtls: correct function return and return type net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() tcp: fix to update snd_wl1 in bulk receiver fast path r8169: fix operation under forced interrupt threading icmp: randomize the global rate limiter ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 cifs: remove bogus debug code cifs: Return the error from crypt_message when enc/dec key not found. KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages KVM: SVM: Initialize prev_ga_tag before use ima: Don't ignore errors from crypto_shash_update() crypto: algif_aead - Do not set MAY_BACKLOG on the async path EDAC/i5100: Fix error handling order in i5100_init_one() EDAC/ti: Fix handling of platform_get_irq() error x86/fpu: Allow multiple bits in clearcpuid= parameter drivers/perf: xgene_pmu: Fix uninitialized resource struct x86/nmi: Fix nmi_handle() duration miscalculation x86/events/amd/iommu: Fix sizeof mismatch crypto: algif_skcipher - EBUSY on aio should be an error crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call crypto: picoxcell - Fix potential race condition bug media: tuner-simple: fix regression in simple_set_radio_freq media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" media: m5mols: Check function pointer in m5mols_sensor_power media: uvcvideo: Set media controller entity functions media: uvcvideo: Silence shift-out-of-bounds warning media: omap3isp: Fix memleak in isp_probe crypto: omap-sham - fix digcnt register handling with export/import hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} cypto: mediatek - fix leaks in mtk_desc_ring_alloc media: mx2_emmaprp: Fix memleak in emmaprp_probe media: tc358743: initialize variable media: tc358743: cleanup tc358743_cec_isr media: rcar-vin: Fix a reference count leak. media: rockchip/rga: Fix a reference count leak. media: platform: fcp: Fix a reference count leak. media: camss: Fix a reference count leak. media: s5p-mfc: Fix a reference count leak media: stm32-dcmi: Fix a reference count leak media: ti-vpe: Fix a missing check and reference count leak regulator: resolve supply after creating regulator pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() spi: spi-s3c64xx: Check return values ath10k: provide survey info as accumulated data Bluetooth: hci_uart: Cancel init work before unregistering ath6kl: prevent potential array overflow in ath6kl_add_new_sta() ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 ASoC: qcom: lpass-platform: fix memory leak ASoC: qcom: lpass-cpu: fix concurrency issue brcmfmac: check ndev pointer mwifiex: Do not use GFP_KERNEL in atomic context staging: rtl8192u: Do not use GFP_KERNEL in atomic context drm/gma500: fix error check scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() backlight: sky81452-backlight: Fix refcount imbalance on error VMCI: check return value of get_user_pages_fast() for errors tty: serial: earlycon dependency tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() pty: do tty_flip_buffer_push without port->lock in pty_write pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() pwm: lpss: Add range limit check for the base_unit register value drivers/virt/fsl_hypervisor: Fix error handling path video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error video: fbdev: sis: fix null ptr dereference video: fbdev: radeon: Fix memleak in radeonfb_pci_register HID: roccat: add bounds checking in kone_sysfs_write_settings() pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser pinctrl: mcp23s08: Fix mcp23x17 precious range net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow net: stmmac: use netif_tx_start|stop_all_queues() function cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE net: dsa: rtl8366: Check validity of passed VLANs net: dsa: rtl8366: Refactor VLAN/PVID init net: dsa: rtl8366: Skip PVID setting if not requested net: dsa: rtl8366rb: Support all 4096 VLANs ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() misc: mic: scif: Fix error handling path ALSA: seq: oss: Avoid mutex lock for a long-time ioctl usb: dwc2: Fix parameter type in function pointer prototype quota: clear padding in v2r1_mem2diskdqb() slimbus: core: check get_addr before removing laddr ida slimbus: core: do not enter to clock pause mode in core slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback HID: hid-input: fix stylus battery reporting qtnfmac: fix resource leaks on unsupported iftype error return path net: enic: Cure the enic api locking trainwreck mfd: sm501: Fix leaks in probe() iwlwifi: mvm: split a print to avoid a WARNING in ROC usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well nl80211: fix non-split wiphy information usb: dwc2: Fix INTR OUT transfers in DDMA mode. scsi: target: tcmu: Fix warning: 'page' may be used uninitialized scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() platform/x86: mlx-platform: Remove PSU EEPROM configuration mwifiex: fix double free ipvs: clear skb->tstamp in forwarding path net: korina: fix kfree of rx/tx descriptor array netfilter: nf_log: missing vlan offload tag and proto mm/memcg: fix device private memcg accounting mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary IB/mlx4: Fix starvation in paravirt mux/demux IB/mlx4: Adjust delayed work when a dup is observed powerpc/pseries: Fix missing of_node_put() in rng_init() powerpc/icp-hv: Fix missing of_node_put() in success path RDMA/ucma: Fix locking for ctx->events_reported RDMA/ucma: Add missing locking around rdma_leave_multicast() mtd: lpddr: fix excessive stack usage with clang powerpc/pseries: explicitly reschedule during drmem_lmb list traversal mtd: mtdoops: Don't write panic data twice ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER xfs: limit entries returned when counting fsmap records xfs: fix high key handling in the rt allocator's query_range function RDMA/qedr: Fix use of uninitialized field RDMA/qedr: Fix inline size returned for iWARP powerpc/tau: Use appropriate temperature sample interval powerpc/tau: Convert from timer to workqueue powerpc/tau: Remove duplicated set_thresholds() call Linux 4.19.153 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9e85e8ca67ab8e28d04a77339f80fdbf3c568956 |
||
Suren Baghdasaryan
|
a3d0ceee71 |
mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary
[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ]
Currently __set_oom_adj loops through all processes in the system to keep
oom_score_adj and oom_score_adj_min in sync between processes sharing
their mm. This is done for any task with more that one mm_users, which
includes processes with multiple threads (sharing mm and signals).
However for such processes the loop is unnecessary because their signal
structure is shared as well.
Android updates oom_score_adj whenever a tasks changes its role
(background/foreground/...) or binds to/unbinds from a service, making it
more/less important. Such operation can happen frequently. We noticed
that updates to oom_score_adj became more expensive and after further
investigation found out that the patch mentioned in "Fixes" introduced a
regression. Using Pixel 4 with a typical Android workload, write time to
oom_score_adj increased from ~3.57us to ~362us. Moreover this regression
linearly depends on the number of multi-threaded processes running on the
system.
Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with
(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use
MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj
update should be synchronized between multiple processes. To prevent
races between clone() and __set_oom_adj(), when oom_score_adj of the
process being cloned might be modified from userspace, we use
oom_adj_mutex. Its scope is changed to global.
The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for
the case of vfork(). To prevent performance regressions of vfork(), we
skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is
specified. Clearing the MMF_MULTIPROCESS flag (when the last process
sharing the mm exits) is left out of this patch to keep it simple and
because it is believed that this threading model is rare. Should there
ever be a need for optimizing that case as well, it can be done by hooking
into the exit path, likely following the mm_update_next_owner pattern.
With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being
quite rare, the regression is gone after the change is applied.
[surenb@google.com: v3]
Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com
Fixes:
|
||
Ralph Campbell
|
2761fff65f |
mm/memcg: fix device private memcg accounting
[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ]
The code in mc_handle_swap_pte() checks for non_swap_entry() and returns
NULL before checking is_device_private_entry() so device private pages are
never handled. Fix this by checking for non_swap_entry() after handling
device private swap PTEs.
I assume the memory cgroup accounting would be off somehow when moving
a process to another memory cgroup. Currently, the device private page
is charged like a normal anonymous page when allocated and is uncharged
when the page is freed so I think that path is OK.
Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com
xFixes:
|
||
Greg Kroah-Hartman
|
9f80205d66 |
This is the 4.19.151 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+Gt3oACgkQONu9yGCS aT4MAQ/+NmMSJHbPu5DRX4qfg+toj9SRdDJfv0H6+dmJ/Wabeogq3GF6VB5ku8fJ N5uJLVb+iz/n4cbvTvE1sI+5WEPzK/nRVRnwUUH3SDycB+tCk4loKbGwV+gZTvYi PsHqHQ9UUKpdBs4gJm9I/FCOlA4mtcdK2W0JDMfdCmZc3ACyCWo+y83ESAfjOcO9 vda/1xaeqNPaPFxteVKpmXujlHQw3meH8ZzpkQi7t1HeZ6bnpoObMIy8c1gtYjSt jeLvw9pnvgQEpAidIZb3MwVyxHE/mFGRcoQmI0WYoWWXOnRAHUfFQTsK7ZWbTYAF MUvJlGg3zchhBetfo2523rdGM9/AHMnwmGAuTs5PkZdPDRwLaWjeFs2u8njmjEk9 R8SrtF+2zxuO92SPp37jXqRUb7G69vPnlZ6IIcMpr61qeUAf78dWN67VW0kVMs/K hMHsl0E1Ax3K9GV9ZSQc7oe7/fMj+xXabpeuDZ/5lxvbBKrIP/UZLMJeZg28y+91 0JbFhMfEN71sTfCHXpxe9bAvmI1XKlYh37RLAOJtNQRqwKsP2Tuim5C+tJsREmF9 eAPZq0QrjjTb1t8wii7HKXyjnrSfTpOS7HUPsGbeiU4JSVmWGeLy6IxmjZh1fjY+ WLr+Hn0Q62w5OGXBxS7rEfq3FMnAEkT/27a5IwrDPoGje+rO6WY= =TSOP -----END PGP SIGNATURE----- Merge 4.19.151 into android-4.19-stable Changes in 4.19.151 fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts fbcon: Fix global-out-of-bounds read in fbcon_get_font() Revert "ravb: Fixed to be able to unload modules" net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() drm/nouveau/mem: guard against NULL pointer access in mem_del usermodehelper: reset umask to default before executing user process platform/x86: intel-vbtn: Fix SW_TABLET_MODE always reporting 1 on the HP Pavilion 11 x360 platform/x86: thinkpad_acpi: initialize tp_nvram_state variable platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse driver core: Fix probe_count imbalance in really_probe() perf top: Fix stdio interface input handling with glibc 2.28+ i2c: i801: Exclude device from suspend direct complete optimization mtd: rawnand: sunxi: Fix the probe error path arm64: dts: stratix10: add status to qspi dts node nvme-core: put ctrl ref when module ref get fail macsec: avoid use-after-free in macsec_handle_frame() mm/khugepaged: fix filemap page_to_pgoff(page) != offset xfrmi: drop ignore_df check before updating pmtu cifs: Fix incomplete memory allocation on setxattr path i2c: meson: fix clock setting overwrite i2c: meson: fixup rate calculation with filter delay i2c: owl: Clear NACK and BUS error bits sctp: fix sctp_auth_init_hmacs() error path team: set dev->needed_headroom in team_setup_by_port() net: team: fix memory leak in __team_options_register openvswitch: handle DNAT tuple collision drm/amdgpu: prevent double kfree ttm->sg xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate xfrm: clone whole liftime_cur structure in xfrm_do_migrate net: stmmac: removed enabling eee in EEE set callback platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP xfrm: Use correct address family in xfrm_state_find bonding: set dev->needed_headroom in bond_setup_by_slave() mdio: fix mdio-thunder.c dependency & build error net: usb: ax88179_178a: fix missing stop entry in driver_info net/mlx5e: Fix VLAN cleanup flow net/mlx5e: Fix VLAN create flow rxrpc: Fix rxkad token xdr encoding rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() rxrpc: Fix some missing _bh annotations on locking conn->state_lock rxrpc: Fix server keyring leak perf: Fix task_function_call() error handling mmc: core: don't set limits.discard_granularity as 0 mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khugepaged net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails Linux 4.19.151 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9ee2b0fc4fc39f27be6ae680529e1046f249a3e6 |
||
Vijay Balakrishna
|
94c5167581 |
mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khugepaged
commit 4aab2be0983031a05cb4a19696c9da5749523426 upstream.
When memory is hotplug added or removed the min_free_kbytes should be
recalculated based on what is expected by khugepaged. Currently after
hotplug, min_free_kbytes will be set to a lower default and higher
default set when THP enabled is lost.
This change restores min_free_kbytes as expected for THP consumers.
[vijayb@linux.microsoft.com: v5]
Link: https://lkml.kernel.org/r/1601398153-5517-1-git-send-email-vijayb@linux.microsoft.com
Fixes:
|