1. 30 Mar, 2019 5 commits
    • Linus Torvalds's avatar
      Merge tag 'tty-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 52afe190
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty and serial driver fixes for 5.1-rc3.
      
        Nothing major here, just a number of potential problems fixes for
        error handling paths, as well as some other minor bugfixes for
        reported issues with 5.1-rc1.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'tty-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: fix NULL pointer issue when tty_port ops is not set
        Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc
        dt-bindings: serial: Add compatible for Mediatek MT8183
        tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped
        tty/serial: atmel: Add is_half_duplex helper
        serial: sh-sci: Fix setting SCSCR_TIE while transferring data
        serial: ar933x_uart: Fix build failure with disabled console
        tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup
        sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
        tty: mxs-auart: fix a potential NULL pointer dereference
        tty: atmel_serial: fix a potential NULL pointer dereference
        serial: max310x: Fix to avoid potential NULL pointer dereference
        serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference
      52afe190
    • Linus Torvalds's avatar
      Merge tag 'usb-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 8d02a9a8
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for 5.1-rc3.
      
        Nothing major at all here, just a small collection of fixes for
        reported issues, and potential problems with error handling paths.
        Also a few new device ids, as normal.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (25 commits)
        USB: serial: option: add Olicard 600
        USB: serial: cp210x: add new device id
        usb: u132-hcd: fix resource leak
        usb: cdc-acm: fix race during wakeup blocking TX traffic
        usb: mtu3: fix EXTCON dependency
        usb: usb251xb: fix to avoid potential NULL pointer dereference
        usb: core: Try generic PHY_MODE_USB_HOST if usb_phy_roothub_set_mode fails
        phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs
        xhci: Don't let USB3 ports stuck in polling state prevent suspend
        usb: xhci: dbc: Don't free all memory with spinlock held
        xhci: Fix port resume done detection for SS ports with LPM enabled
        USB: serial: mos7720: fix mos_parport refcount imbalance on error path
        USB: gadget: f_hid: fix deadlock in f_hidg_write()
        usb: gadget: net2272: Fix net2272_dequeue()
        usb: gadget: net2280: Fix net2280_dequeue()
        usb: gadget: net2280: Fix overrun of OUT messages
        usb: dwc3: pci: add support for Comet Lake PCH ID
        usb: usb251xb: Remove unnecessary comparison of unsigned integer with >= 0
        usb: common: Consider only available nodes for dr_mode
        usb: typec: tcpm: Try PD-2.0 if sink does not respond to 3.0 source-caps
        ...
      8d02a9a8
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 782492a7
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "This corrects a previous attempt to make Linux use its own set of ACPI
        debug flags different from the upstream ACPICA's default (Erik
        Schmauss)"
      
      * tag 'acpi-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: use different default debug value than ACPICA
      782492a7
    • Linus Torvalds's avatar
      Merge tag 'pm-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 8e377a1c
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix CPU base frequency reporting in the intel_pstate driver and
        a use-after-free in the scpi-cpufreq driver.
      
        Specifics:
      
         - Fix the ACPI CPPC library to actually follow the specification when
           decoding the guaranteed performance register information and make
           the intel_pstate driver to fall back to the nominal frequency when
           reporting the base frequency if the guaranteed performance register
           information is not there (Srinivas Pandruvada).
      
         - Fix use-after-free in the exit callback of the scpi-cpufreq left
           after an update during the 5.0 development cycle (Vincent Stehlé)"
      
      * tag 'pm-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: scpi: Fix use after free
        cpufreq: intel_pstate: Also use CPPC nominal_perf for base_frequency
        ACPI / CPPC: Fix guaranteed performance handling
      8e377a1c
    • Linus Torvalds's avatar
      Merge branch 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 12195302
      Linus Torvalds authored
      Pull security layer fixes from James Morris:
       "Yama and LSM config fixes"
      
      * 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig"
        Yama: mark local symbols as static
      12195302
  2. 29 Mar, 2019 35 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 922c010c
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "22 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (22 commits)
        fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
        fs: fs_parser: fix printk format warning
        checkpatch: add %pt as a valid vsprintf extension
        mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate
        drivers/block/zram/zram_drv.c: fix idle/writeback string compare
        mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate()
        mm/memory_hotplug.c: fix notification in offline error path
        ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK
        fs/proc/kcore.c: make kcore_modules static
        include/linux/list.h: fix list_is_first() kernel-doc
        mm/debug.c: fix __dump_page when mapping->host is not set
        mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified
        include/linux/hugetlb.h: convert to use vm_fault_t
        iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging
        mm: add support for kmem caches in DMA32 zone
        ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock
        mm/hotplug: fix offline undo_isolate_page_range()
        fs/open.c: allow opening only regular files during execve()
        mailmap: add Changbin Du
        mm/debug.c: add a cast to u64 for atomic64_read()
        ...
      922c010c
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · f9007cc6
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Use memblock_alloc() instead of memblock_alloc_low() in
        request_standard_resources(), the latter being limited to the low 4G
        memory range on arm64"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: replace memblock_alloc_low with memblock_alloc
      f9007cc6
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · c0b7f2a5
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
      
       - Fix a bug in the AMD IOMMU driver not handling exclusion ranges
         correctly. In fact the driver did not reserve these ranges for IOVA
         allocations, so that dma-handles could be allocated in an exclusion
         range, leading to data corruption. Exclusion ranges have not been
         used by any firmware up to now, so this issue remained undiscovered
         for quite some time.
      
       - Fix wrong warning messages that the IOMMU core code prints when it
         tries to allocate the default domain for an iommu group and the
         driver does not support any of the default domain types (like Intel
         VT-d).
      
      * tag 'iommu-fixes-v5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Reserve exclusion range in iova-domain
        iommu: Don't print warning when IOMMU driver only supports unmanaged domains
      c0b7f2a5
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · eed4897d
      Linus Torvalds authored
      Pull driver core fix from Greg KH:
       "Here is a single driver core patch for 5.1-rc3.
      
        After 5.1-rc1, all of the users of BUS_ATTR() are finally removed, so
        we can now drop this macro from include/linux/device.h so that no more
        new users will be created.
      
        This patch has been in linux-next for a while, with no reported
        issues"
      
      * tag 'driver-core-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        driver core: remove BUS_ATTR()
      eed4897d
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 6f510923
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some binder, habanalabs, and vboxguest driver fixes for
        5.1-rc3.
      
        The Binder fixes resolve some reported issues found by testing, first
        by the selinux developers, and then earlier today by syzbot.
      
        The habanalabs fixes are all minor, resolving a number of tiny things.
      
        The vboxguest patches are a bit larger. They resolve the fact that
        virtual box decided to change their api in their latest release in a
        way that broke the existing kernel code, despite saying that they were
        never going to do that. So this is a bit of a "new feature", but is
        good to get merged so that 5.1 will work with the latest release. The
        changes are not large and of course virtual box "swears" they will not
        break this again, but no one is holding their breath here.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        virt: vbox: Implement passing requestor info to the host for VirtualBox 6.0.x
        binder: fix race between munmap() and direct reclaim
        binder: fix BUG_ON found by selinux-testsuite
        habanalabs: cast to expected type
        habanalabs: prevent host crash during suspend/resume
        habanalabs: perform accounting for active CS
        habanalabs: fix mapping with page size bigger than 4KB
        habanalabs: complete user context cleanup before hard reset
        habanalabs: fix bug when mapping very large memory area
        habanalabs: fix MMU number of pages calculation
      6f510923
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 3467b907
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Thirteen fixes, seven of which are for IBM fibre channel and three
        additional for fairly serious bugs in drivers (qla2xxx, mpt3sas,
        aacraid).
      
        Of the three core fixes, the most significant is probably the missed
        run queue causing an indefinite hang. The others are fixing a
        potential use after free on device close and silencing an incorrect
        warning"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ibmvfc: Clean up transport events
        scsi: ibmvfc: Byte swap status and error codes when logging
        scsi: ibmvfc: Add failed PRLI to cmd_status lookup array
        scsi: ibmvfc: Remove "failed" from logged errors
        scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
        scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
        scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
        scsi: sd: Quiesce warning if device does not report optimal I/O size
        scsi: sd: Fix a race between closing an sd device and sd I/O
        scsi: core: Run queue when state is set to running after being blocked
        scsi: qla4xxx: fix a potential NULL pointer dereference
        scsi: aacraid: Insure we don't access PCIe space during AER/EEH
        scsi: mpt3sas: Fix kernel panic during expander reset
      3467b907
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 4ad52836
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A new ID for the i801 driver and some Documentation fixes to make it
        easier for people to find the bindings (which is also a basis for
        further improvements in that area)"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: wmt: make bindings file name match the driver
        i2c: sun6i-p2wi: make bindings file name match the driver
        i2c: stu300: make bindings file name match the driver
        i2c: mt65xx: make bindings file name match the driver
        i2c: iop3xx: make bindings file name match the driver
        i2c: i801: Add support for Intel Comet Lake
      4ad52836
    • Linus Torvalds's avatar
      Merge tag 'sound-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 9a4a6f0d
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "The important fixes at this time are a couple fixes in ALSA core: a
        fix for PCM is about the OOB access in PCM OSS plugins that has been
        for long time, but hasn't hit so often until now just because we
        allocated a large buffer via vmalloc(), and surfaced more often after
        switching to kvmalloc(). Another fix is for a long-standing PCM
        problem wrt racy PM resume.
      
        Others are trivial nospec coverage and usual HD-audio quirks"
      
      * tag 'sound-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops
        ALSA: pcm: Don't suspend stream in unrecoverable PCM state
        ALSA: hda/ca0132 - Simplify alt firmware loading code
        ALSA: pcm: Fix possible OOB access in PCM oss plugins
        ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256
        ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256
        ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256
        ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic
        ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286
        ALSA: seq: oss: Fix Spectre v1 vulnerability
        ALSA: rawmidi: Fix potential Spectre v1 vulnerability
      9a4a6f0d
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.1' of... · 0e40da3e
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Remove harmful -Oz option of Clang
      
       - Get back the original behavior (no recursion for in-tree build) for
         GNU Make 4.x
      
       - Some minor fixes for coccinelle patches
      
       - Do not overwrite .gitignore in the output directory in case it is
         version-controlled
      
       - Fix missed record-mcount bug for dynamic ftrace
      
       - Fix endianness bug in modversions for relative CRC
      
       - Cater to '^H' key code in Kconfig ncurses programs
      
      * tag 'kbuild-fixes-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig/[mn]conf: handle backspace (^H) key
        kbuild: modversions: Fix relative CRC byte order interpretation
        scripts: coccinelle: Fix description of badty.cocci
        kbuild: strip whitespace in cmd_record_mcount findstring
        kbuild: do not overwrite .gitignore in output directory
        kbuild: skip parsing pre sub-make code for recursion
        coccinelle: put_device: reduce false positives
        kbuild: skip sub-make for in-tree build with GNU Make 4.x
        Revert "kbuild: use -Oz instead of -Os when using clang"
      0e40da3e
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190329' of git://git.kernel.dk/linux-block · ffb8e45c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Small set of fixes that should go into this series. This contains:
      
         - compat signal mask fix for io_uring (Arnd)
      
         - EAGAIN corner case for direct vs buffered writes for io_uring
           (Roman)
      
         - NVMe pull request from Christoph with various little fixes
      
         - sbitmap ws_active fix, which caused a perf regression for shared
           tags (me)
      
         - sbitmap bit ordering fix (Ming)
      
         - libata on-stack DMA fix (Raymond)"
      
      * tag 'for-linus-20190329' of git://git.kernel.dk/linux-block:
        nvmet: fix error flow during ns enable
        nvmet: fix building bvec from sg list
        nvme-multipath: relax ANA state check
        nvme-tcp: fix an endianess miss-annotation
        libata: fix using DMA buffers on stack
        io_uring: offload write to async worker in case of -EAGAIN
        sbitmap: order READ/WRITE freed instance and setting clear bit
        blk-mq: fix sbitmap ws_active for shared tags
        io_uring: fix big-endian compat signal mask handling
        blk-mq: update comment for blk_mq_hctx_has_pending()
        blk-mq: use blk_mq_put_driver_tag() to put tag
      ffb8e45c
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client · 7376e39a
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "A patch to avoid choking on multipage bvecs in the messenger and a
        small use-after-free fix"
      
      * tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client:
        ceph: fix use-after-free on symlink traversal
        libceph: fix breakage caused by multipage bvecs
      7376e39a
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.1-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · c6503f12
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Here are a few fixes for some corruption bugs and uninitialized
        variable problems. The few patches here have gone through a few days
        worth of fstest runs with no new problems observed.
      
        Changes since last update:
      
         - Fix a bunch of static checker complaints about uninitialized
           variables and insufficient range checks.
      
         - Avoid a crash when incore extent map data are corrupt.
      
         - Disallow FITRIM when we haven't recovered the log and know the
           metadata are stale.
      
         - Fix a data corruption when doing unaligned overlapping dio writes"
      
      * tag 'xfs-5.1-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: serialize unaligned dio writes against all other dio writes
        xfs: prohibit fstrim in norecovery mode
        xfs: always init bma in xfs_bmapi_write
        xfs: fix btree scrub checking with regards to root-in-inode
        xfs: dabtree scrub needs to range-check level
        xfs: don't trip over uninitialized buffer on extent read of corrupted inode
      c6503f12
    • Kees Cook's avatar
      LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig" · 2623c4fb
      Kees Cook authored
      Commit 70b62c25 ("LoadPin: Initialize as ordered LSM") removed
      CONFIG_DEFAULT_SECURITY_{SELINUX,SMACK,TOMOYO,APPARMOR,DAC} from
      security/Kconfig and changed CONFIG_LSM to provide a fixed ordering as a
      default value. That commit expected that existing users (upgrading from
      Linux 5.0 and earlier) will edit CONFIG_LSM value in accordance with
      their CONFIG_DEFAULT_SECURITY_* choice in their old kernel configs. But
      since users might forget to edit CONFIG_LSM value, this patch revives
      the choice (only for providing the default value for CONFIG_LSM) in order
      to make sure that CONFIG_LSM reflects CONFIG_DEFAULT_SECURITY_* from their
      old kernel configs.
      
      Note that since TOMOYO can be fully stacked against the other legacy
      major LSMs, when it is selected, it explicitly disables the other LSMs
      to avoid them also initializing since TOMOYO does not expect this
      currently.
      Reported-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Fixes: 70b62c25 ("LoadPin: Initialize as ordered LSM")
      Co-developed-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      2623c4fb
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-03-29' of git://anongit.freedesktop.org/drm/drm · 9df0ef6c
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes roundup, nothing two serious, some usb device regressions
        are fixed, and i915 GVT has a bigger fix but otherwise not really much
        happening here.
      
        core:
         - fb bpp check regression fix
         - release/unplug fix
         - use after free fixes
      
        i915:
         - fix mmap range checks
         - fix gvt ppgtt mm LRU list access races
         - fix selftest error pointer check
         - fix a macro definition (pre-emptive for potential further backports)
         - fix one AML SKU ULX status
      
        amdgpu:
         - one variable refresh rate fix
      
        udl:
         - fix EDID reading
      
        tegra:
         - build/warning fixes
      
        meson:
         - cleanup path fixes
         - TMDS clock filter fix
      
        rockchip:
         - NV12 buffers and scalar fix"
      
      * tag 'drm-fixes-2019-03-29' of git://anongit.freedesktop.org/drm/drm: (22 commits)
        drm/i915/icl: Fix VEBOX mismatch BUG_ON()
        drm/i915/selftests: Fix an IS_ERR() vs NULL check
        drm/i915: Mark AML 0x87CA as ULX
        drm/meson: fix TMDS clock filtering for DMT monitors
        drm/meson: Uninstall IRQ handler
        drm/meson: Fix invalid pointer in meson_drv_unbind()
        drm/udl: Refactor edid retrieving in UDL driver (v2)
        drm: Fix drm_release() and device unplug
        drm/fb: avoid setting 0 depth.
        drm/tegra: vic: Fix implicit function declaration warning
        drm/tegra: hub: Fix dereference before check
        drm/i915/icl: Fix the TRANS_DDI_FUNC_CTL2 bitfield macro
        drm/amd/display: Only allow VRR when vrefresh is within supported range
        drm/rockchip: vop: reset scale mode when win is disabled
        drm/vkms: fix use-after-free when drm_gem_handle_create() fails
        drm/vgem: fix use-after-free when drm_gem_handle_create() fails
        drm/i915/gvt: Add mutual lock for ppgtt mm LRU list
        drm/i915/gvt: Only assign ppgtt root at dispatch time
        drm/i915/gvt: Don't submit request for error workload dispatch
        drm/i915/gvt: stop scheduling workload when vgpu is inactive
        ...
      9df0ef6c
    • YueHaibing's avatar
      fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links · 23da9588
      YueHaibing authored
      Syzkaller reports:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
      Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
      RSP: 0018:ffff8881d828f238 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
      RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
      RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
      R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
      R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
      FS:  00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
       get_subdir fs/proc/proc_sysctl.c:1022 [inline]
       __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
       br_netfilter_init+0xbc/0x1000 [br_netfilter]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
       iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      ---[ end trace 770020de38961fd0 ]---
      
      A new dir entry can be created in get_subdir and its 'header->parent' is
      set to NULL.  Only after insert_header success, it will be set to 'dir',
      otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
      However in err handling path of get_subdir, drop_sysctl_table also be
      called on 'new->header' regardless its value of parent pointer.  Then
      put_links is called, which triggers NULL-ptr deref when access member of
      header->parent.
      
      In fact we have multiple error paths which call drop_sysctl_table() there,
      upon failure on insert_links() we also call drop_sysctl_table().And even
      in the successful case on __register_sysctl_table() we still always call
      drop_sysctl_table().This patch fix it.
      
      Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
      Fixes: 0e47c99d ("sysctl: Replace root_list with links between sysctl_table_sets")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Acked-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>    [3.4+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      23da9588
    • Randy Dunlap's avatar
      fs: fs_parser: fix printk format warning · 26203278
      Randy Dunlap authored
      Fix printk format warning (seen on i386 builds) by using ptrdiff format
      specifier (%t):
      
        fs/fs_parser.c:413:6: warning: format `%lu' expects argument of type `long unsigned int', but argument 3 has type `int' [-Wformat=]
      
      Link: http://lkml.kernel.org/r/19432668-ffd3-fbb2-af4f-1c8e48f6cc81@infradead.orgSigned-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      26203278
    • Alexandre Belloni's avatar
      checkpatch: add %pt as a valid vsprintf extension · 4462996e
      Alexandre Belloni authored
      Commit 4d42c447 ("lib/vsprintf: Print time and date in human
      readable format via %pt") introduced a new extension, %pt.
      
      Add it in the list of valid extensions.
      
      Link: http://lkml.kernel.org/r/20190314203719.29130-1-alexandre.belloni@bootlin.comSigned-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4462996e
    • Lars Persson's avatar
      mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate · d2b2c6dd
      Lars Persson authored
      Our MIPS 1004Kc SoCs were seeing random userspace crashes with SIGILL
      and SIGSEGV that could not be traced back to a userspace code bug.  They
      had all the magic signs of an I/D cache coherency issue.
      
      Now recently we noticed that the /proc/sys/vm/compact_memory interface
      was quite efficient at provoking this class of userspace crashes.
      
      Studying the code in mm/migrate.c there is a distinction made between
      migrating a page that is mapped at the instant of migration and one that
      is not mapped.  Our problem turned out to be the non-mapped pages.
      
      For the non-mapped page the code performs a copy of the page content and
      all relevant meta-data of the page without doing the required D-cache
      maintenance.  This leaves dirty data in the D-cache of the CPU and on
      the 1004K cores this data is not visible to the I-cache.  A subsequent
      page-fault that triggers a mapping of the page will happily serve the
      process with potentially stale code.
      
      What about ARM then, this bug should have seen greater exposure? Well
      ARM became immune to this flaw back in 2010, see commit c0177800
      ("ARM: 6379/1: Assume new page cache pages have dirty D-cache").
      
      My proposed fix moves the D-cache maintenance inside move_to_new_page to
      make it common for both cases.
      
      Link: http://lkml.kernel.org/r/20190315083502.11849-1-larper@axis.com
      Fixes: 97ee0524 ("flush cache before installing new page at migraton")
      Signed-off-by: default avatarLars Persson <larper@axis.com>
      Reviewed-by: default avatarPaul Burton <paul.burton@mips.com>
      Acked-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d2b2c6dd
    • Minchan Kim's avatar
      drivers/block/zram/zram_drv.c: fix idle/writeback string compare · 0bc9f5d1
      Minchan Kim authored
      Makoto report a below KASAN error: zram does out-of-bounds read.  Because
      strscpy copies from source up to count bytes unconditionally.  It could
      cause out-of-bounds read on next object in slab.
      
      To prevent it, use strlcpy which checks source's length automatically.
      
         BUG: KASAN: slab-out-of-bounds in strscpy+0x68/0x154
         Read of size 8 at addr ffffffc0c3495a00 by task system_server/1314
         ..
         Call trace:
           strscpy+0x68/0x154
           idle_store+0xc4/0x34c
           dev_attr_store+0x50/0x6c
           sysfs_kf_write+0x98/0xb4
           kernfs_fop_write+0x198/0x260
           __vfs_write+0x10c/0x338
           vfs_write+0x114/0x238
           SyS_write+0xc8/0x168
           __sys_trace_return+0x0/0x4
      
         Allocated by task 1314:
          __kmalloc+0x280/0x318
          kernfs_fop_write+0xac/0x260
          __vfs_write+0x10c/0x338
          vfs_write+0x114/0x238
          SyS_write+0xc8/0x168
          __sys_trace_return+0x0/0x4
      
         Freed by task 2855:
          kfree+0x138/0x630
          kernfs_put_open_node+0x10c/0x124
          kernfs_fop_release+0xd8/0x114
          __fput+0x130/0x2a4
          ____fput+0x1c/0x28
          task_work_run+0x16c/0x1c8
          do_notify_resume+0x2bc/0x107c
          work_pending+0x8/0x10
      
         The buggy address belongs to the object at ffffffc0c3495a00
          which belongs to the cache kmalloc-128 of size 128
         The buggy address is located 0 bytes inside of
          128-byte region [ffffffc0c3495a00, ffffffc0c3495a80)
         The buggy address belongs to the page:
         page:ffffffbf030d2500 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
         flags: 0x4000000000010200(slab|head)
         page dumped because: kasan: bad access detected
      
         Memory state around the buggy address:
          ffffffc0c3495900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          ffffffc0c3495980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
         >ffffffc0c3495a00: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
          ffffffc0c3495a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
          ffffffc0c3495b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Link: http://lkml.kernel.org/r/20190319231911.145968-1-minchan@kernel.org
      Cc: <stable@vger.kernel.org>	[5.0]
      Signed-off-by: default avatarMinchan Kim <minchan@kernel.org>
      Reported-by: default avatarMakoto Wu <makotowu@google.com>
      Reviewed-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0bc9f5d1
    • Qian Cai's avatar
      mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate() · f5777bc2
      Qian Cai authored
      Due to has_unmovable_pages() taking an incorrect irqsave flag instead of
      the isolation flag in set_migratetype_isolate(), there are issues with
      HWPOSION and error reporting where dump_page() is not called when there
      is an unmovable page.
      
      Link: http://lkml.kernel.org/r/20190320204941.53731-1-cai@lca.pw
      Fixes: d381c547 ("mm: only report isolation failures when offlining memory")
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Cc: <stable@vger.kernel.org>	[5.0.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f5777bc2
    • Qian Cai's avatar
      mm/memory_hotplug.c: fix notification in offline error path · c4efe484
      Qian Cai authored
      When start_isolate_page_range() returned -EBUSY in __offline_pages(), it
      calls memory_notify(MEM_CANCEL_OFFLINE, &arg) with an uninitialized
      "arg".  As the result, it triggers warnings below.  Also, it is only
      necessary to notify MEM_CANCEL_OFFLINE after MEM_GOING_OFFLINE.
      
        page:ffffea0001200000 count:1 mapcount:0 mapping:0000000000000000
        index:0x0
        flags: 0x3fffe000001000(reserved)
        raw: 003fffe000001000 ffffea0001200008 ffffea0001200008 0000000000000000
        raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
        page dumped because: unmovable page
        WARNING: CPU: 25 PID: 1665 at mm/kasan/common.c:665
        kasan_mem_notifier+0x34/0x23b
        CPU: 25 PID: 1665 Comm: bash Tainted: G        W         5.0.0+ #94
        Hardware name: HP ProLiant DL180 Gen9/ProLiant DL180 Gen9, BIOS U20
        10/25/2017
        RIP: 0010:kasan_mem_notifier+0x34/0x23b
        RSP: 0018:ffff8883ec737890 EFLAGS: 00010206
        RAX: 0000000000000246 RBX: ff10f0f4435f1000 RCX: f887a7a21af88000
        RDX: dffffc0000000000 RSI: 0000000000000020 RDI: ffff8881f221af88
        RBP: ffff8883ec737898 R08: ffff888000000000 R09: ffffffffb0bddcd0
        R10: ffffed103e857088 R11: ffff8881f42b8443 R12: dffffc0000000000
        R13: 00000000fffffff9 R14: dffffc0000000000 R15: 0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000560fbd31d730 CR3: 00000004049c6003 CR4: 00000000001606a0
        Call Trace:
         notifier_call_chain+0xbf/0x130
         __blocking_notifier_call_chain+0x76/0xc0
         blocking_notifier_call_chain+0x16/0x20
         memory_notify+0x1b/0x20
         __offline_pages+0x3e2/0x1210
         offline_pages+0x11/0x20
         memory_block_action+0x144/0x300
         memory_subsys_offline+0xe5/0x170
         device_offline+0x13f/0x1e0
         state_store+0xeb/0x110
         dev_attr_store+0x3f/0x70
         sysfs_kf_write+0x104/0x150
         kernfs_fop_write+0x25c/0x410
         __vfs_write+0x66/0x120
         vfs_write+0x15a/0x4f0
         ksys_write+0xd2/0x1b0
         __x64_sys_write+0x73/0xb0
         do_syscall_64+0xeb/0xb78
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f14f75cc3b8
        RSP: 002b:00007ffe84d01d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f14f75cc3b8
        RDX: 0000000000000008 RSI: 0000563f8e433d70 RDI: 0000000000000001
        RBP: 0000563f8e433d70 R08: 000000000000000a R09: 00007ffe84d018f0
        R10: 000000000000000a R11: 0000000000000246 R12: 00007f14f789e780
        R13: 0000000000000008 R14: 00007f14f7899740 R15: 0000000000000008
      
      Link: http://lkml.kernel.org/r/20190320204255.53571-1-cai@lca.pw
      Fixes: 79605093 ("mm, memory_hotplug: print reason for the offlining failure")
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: <stable@vger.kernel.org>	[5.0.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c4efe484
    • Andrei Vagin's avatar
      ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK · fcfc2aa0
      Andrei Vagin authored
      There are a few system calls (pselect, ppoll, etc) which replace a task
      sigmask while they are running in a kernel-space
      
      When a task calls one of these syscalls, the kernel saves a current
      sigmask in task->saved_sigmask and sets a syscall sigmask.
      
      On syscall-exit-stop, ptrace traps a task before restoring the
      saved_sigmask, so PTRACE_GETSIGMASK returns the syscall sigmask and
      PTRACE_SETSIGMASK does nothing, because its sigmask is replaced by
      saved_sigmask, when the task returns to user-space.
      
      This patch fixes this problem.  PTRACE_GETSIGMASK returns saved_sigmask
      if it's set.  PTRACE_SETSIGMASK drops the TIF_RESTORE_SIGMASK flag.
      
      Link: http://lkml.kernel.org/r/20181120060616.6043-1-avagin@gmail.com
      Fixes: 29000cae ("ptrace: add ability to get/set signal-blocked mask")
      Signed-off-by: default avatarAndrei Vagin <avagin@gmail.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fcfc2aa0
    • YueHaibing's avatar
      fs/proc/kcore.c: make kcore_modules static · eebf3648
      YueHaibing authored
      Fix sparse warning:
      
        fs/proc/kcore.c:591:19: warning:
         symbol 'kcore_modules' was not declared. Should it be static?
      
      Link: http://lkml.kernel.org/r/20190320135417.13272-1-yuehaibing@huawei.comSigned-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Acked-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Omar Sandoval <osandov@fb.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      eebf3648
    • Randy Dunlap's avatar
      include/linux/list.h: fix list_is_first() kernel-doc · b736523f
      Randy Dunlap authored
      Fix typo of kernel-doc parameter notation (there should be no space
      between '@' and the parameter name).
      
      Also fixes bogus kernel-doc notation output formatting.
      
      Link: http://lkml.kernel.org/r/ddce8b80-9a8a-d52d-3546-87b2211c089a@infradead.org
      Fixes: 70b44595 ("mm, compaction: use free lists to quickly locate a migration source")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Reviewed-by: default avatarWilliam Kucharski <william.kucharski@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b736523f
    • Oscar Salvador's avatar
      mm/debug.c: fix __dump_page when mapping->host is not set · 5ae2efb1
      Oscar Salvador authored
      While debugging something, I added a dump_page() into do_swap_page(),
      and I got the splat from below.  The issue happens when dereferencing
      mapping->host in __dump_page():
      
        ...
        else if (mapping) {
      	pr_warn("%ps ", mapping->a_ops);
      	if (mapping->host->i_dentry.first) {
      		struct dentry *dentry;
      		dentry = container_of(mapping->host->i_dentry.first, struct dentry, d_u.d_alias);
      		pr_warn("name:\"%pd\" ", dentry);
      	}
        }
        ...
      
      Swap address space does not contain an inode information, and so
      mapping->host equals NULL.
      
      Although the dump_page() call was added artificially into
      do_swap_page(), I am not sure if we can hit this from any other path, so
      it looks worth fixing it.  We can easily do that by checking
      mapping->host first.
      
      Link: http://lkml.kernel.org/r/20190318072931.29094-1-osalvador@suse.de
      Fixes: 1c6fb1d8 ("mm: print more information about mapping in __dump_page")
      Signed-off-by: default avatarOscar Salvador <osalvador@suse.de>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5ae2efb1
    • Yang Shi's avatar
      mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified · a7f40cfe
      Yang Shi authored
      When MPOL_MF_STRICT was specified and an existing page was already on a
      node that does not follow the policy, mbind() should return -EIO.  But
      commit 6f4576e3 ("mempolicy: apply page table walker on
      queue_pages_range()") broke the rule.
      
      And commit c8633798 ("mm: mempolicy: mbind and migrate_pages support
      thp migration") didn't return the correct value for THP mbind() too.
      
      If MPOL_MF_STRICT is set, ignore vma_migratable() to make sure it
      reaches queue_pages_to_pte_range() or queue_pages_pmd() to check if an
      existing page was already on a node that does not follow the policy.
      And, non-migratable vma may be used, return -EIO too if MPOL_MF_MOVE or
      MPOL_MF_MOVE_ALL was specified.
      
      Tested with https://github.com/metan-ucw/ltp/blob/master/testcases/kernel/syscalls/mbind/mbind02.c
      
      [akpm@linux-foundation.org: tweak code comment]
      Link: http://lkml.kernel.org/r/1553020556-38583-1-git-send-email-yang.shi@linux.alibaba.com
      Fixes: 6f4576e3 ("mempolicy: apply page table walker on queue_pages_range()")
      Signed-off-by: default avatarYang Shi <yang.shi@linux.alibaba.com>
      Signed-off-by: default avatarOscar Salvador <osalvador@suse.de>
      Reported-by: default avatarCyril Hrubis <chrubis@suse.cz>
      Suggested-by: default avatarKirill A. Shutemov <kirill@shutemov.name>
      Acked-by: default avatarRafael Aquini <aquini@redhat.com>
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Acked-by: default avatarDavid Rientjes <rientjes@google.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a7f40cfe
    • Souptick Joarder's avatar
      include/linux/hugetlb.h: convert to use vm_fault_t · a953e772
      Souptick Joarder authored
      kbuild produces the below warning:
      
        tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
        head:   5453a3df
        commit 3d353901 ("mm: create the new vm_fault_t type")
        reproduce:
              # apt-get install sparse
              git checkout 3d353901
              make ARCH=x86_64 allmodconfig
              make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
      
        >> mm/memory.c:3968:21: sparse: incorrect type in assignment (different
        >> base types) @@    expected restricted vm_fault_t [usertype] ret @@
        >> got e] ret @@
           mm/memory.c:3968:21:    expected restricted vm_fault_t [usertype] ret
           mm/memory.c:3968:21:    got int
      
      This patch converts to return vm_fault_t type for hugetlb_fault() when
      CONFIG_HUGETLB_PAGE=n.
      
      Regarding the sparse warning, Luc said:
      
      : This is the expected behaviour.  The constant 0 is magic regarding bitwise
      : types but ({ ...; 0; }) is not, it is just an ordinary expression of type
      : 'int'.
      :
      : So, IMHO, Souptick's patch is the right thing to do.
      
      Link: http://lkml.kernel.org/r/20190318162604.GA31553@jordon-HP-15-Notebook-PCSigned-off-by: default avatarSouptick Joarder <jrdr.linux@gmail.com>
      Reviewed-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a953e772
    • Nicolas Boichat's avatar
      iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging · 0a352554
      Nicolas Boichat authored
      IOMMUs using ARMv7 short-descriptor format require page tables (level 1
      and 2) to be allocated within the first 4GB of RAM, even on 64-bit
      systems.
      
      For level 1/2 pages, ensure GFP_DMA32 is used if CONFIG_ZONE_DMA32 is
      defined (e.g.  on arm64 platforms).
      
      For level 2 pages, allocate a slab cache in SLAB_CACHE_DMA32.  Note that
      we do not explicitly pass GFP_DMA[32] to kmem_cache_zalloc, as this is
      not strictly necessary, and would cause a warning in mm/sl*b.c, as we
      did not update GFP_SLAB_BUG_MASK.
      
      Also, print an error when the physical address does not fit in
      32-bit, to make debugging easier in the future.
      
      Link: http://lkml.kernel.org/r/20181210011504.122604-3-drinkcat@chromium.org
      Fixes: ad67f5a6 ("arm64: replace ZONE_DMA with ZONE_DMA32")
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Hsin-Yi Wang <hsinyi@chromium.org>
      Cc: Huaisheng Ye <yehs1@lenovo.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Sasha Levin <Alexander.Levin@microsoft.com>
      Cc: Tomasz Figa <tfiga@google.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
      Cc: Yong Wu <yong.wu@mediatek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0a352554
    • Nicolas Boichat's avatar
      mm: add support for kmem caches in DMA32 zone · 6d6ea1e9
      Nicolas Boichat authored
      Patch series "iommu/io-pgtable-arm-v7s: Use DMA32 zone for page tables",
      v6.
      
      This is a followup to the discussion in [1], [2].
      
      IOMMUs using ARMv7 short-descriptor format require page tables (level 1
      and 2) to be allocated within the first 4GB of RAM, even on 64-bit
      systems.
      
      For L1 tables that are bigger than a page, we can just use
      __get_free_pages with GFP_DMA32 (on arm64 systems only, arm would still
      use GFP_DMA).
      
      For L2 tables that only take 1KB, it would be a waste to allocate a full
      page, so we considered 3 approaches:
       1. This series, adding support for GFP_DMA32 slab caches.
       2. genalloc, which requires pre-allocating the maximum number of L2 page
          tables (4096, so 4MB of memory).
       3. page_frag, which is not very memory-efficient as it is unable to reuse
          freed fragments until the whole page is freed. [3]
      
      This series is the most memory-efficient approach.
      
      stable@ note:
        We confirmed that this is a regression, and IOMMU errors happen on 4.19
        and linux-next/master on MT8173 (elm, Acer Chromebook R13). The issue
        most likely starts from commit ad67f5a6 ("arm64: replace ZONE_DMA
        with ZONE_DMA32"), i.e. 4.15, and presumably breaks a number of Mediatek
        platforms (and maybe others?).
      
      [1] https://lists.linuxfoundation.org/pipermail/iommu/2018-November/030876.html
      [2] https://lists.linuxfoundation.org/pipermail/iommu/2018-December/031696.html
      [3] https://patchwork.codeaurora.org/patch/671639/
      
      This patch (of 3):
      
      IOMMUs using ARMv7 short-descriptor format require page tables to be
      allocated within the first 4GB of RAM, even on 64-bit systems.  On arm64,
      this is done by passing GFP_DMA32 flag to memory allocation functions.
      
      For IOMMU L2 tables that only take 1KB, it would be a waste to allocate
      a full page using get_free_pages, so we considered 3 approaches:
       1. This patch, adding support for GFP_DMA32 slab caches.
       2. genalloc, which requires pre-allocating the maximum number of L2
          page tables (4096, so 4MB of memory).
       3. page_frag, which is not very memory-efficient as it is unable
          to reuse freed fragments until the whole page is freed.
      
      This change makes it possible to create a custom cache in DMA32 zone using
      kmem_cache_create, then allocate memory using kmem_cache_alloc.
      
      We do not create a DMA32 kmalloc cache array, as there are currently no
      users of kmalloc(..., GFP_DMA32).  These calls will continue to trigger a
      warning, as we keep GFP_DMA32 in GFP_SLAB_BUG_MASK.
      
      This implies that calls to kmem_cache_*alloc on a SLAB_CACHE_DMA32
      kmem_cache must _not_ use GFP_DMA32 (it is anyway redundant and
      unnecessary).
      
      Link: http://lkml.kernel.org/r/20181210011504.122604-2-drinkcat@chromium.orgSigned-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Sasha Levin <Alexander.Levin@microsoft.com>
      Cc: Huaisheng Ye <yehs1@lenovo.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Yong Wu <yong.wu@mediatek.com>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: Tomasz Figa <tfiga@google.com>
      Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Hsin-Yi Wang <hsinyi@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6d6ea1e9
    • Darrick J. Wong's avatar
      ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock · e6a9467e
      Darrick J. Wong authored
      ocfs2_reflink_inodes_lock() can swap the inode1/inode2 variables so that
      we always grab cluster locks in order of increasing inode number.
      
      Unfortunately, we forget to swap the inode record buffer head pointers
      when we've done this, which leads to incorrect bookkeepping when we're
      trying to make the two inodes have the same refcount tree.
      
      This has the effect of causing filesystem shutdowns if you're trying to
      reflink data from inode 100 into inode 97, where inode 100 already has a
      refcount tree attached and inode 97 doesn't.  The reflink code decides
      to copy the refcount tree pointer from 100 to 97, but uses inode 97's
      inode record to open the tree root (which it doesn't have) and blows up.
      This issue causes filesystem shutdowns and metadata corruption!
      
      Link: http://lkml.kernel.org/r/20190312214910.GK20533@magnolia
      Fixes: 29ac8e85 ("ocfs2: implement the VFS clone_range, copy_range, and dedupe_range features")
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarJoseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e6a9467e
    • Qian Cai's avatar
      mm/hotplug: fix offline undo_isolate_page_range() · 9b7ea46a
      Qian Cai authored
      Commit f1dd2cd1 ("mm, memory_hotplug: do not associate hotadded
      memory to zones until online") introduced move_pfn_range_to_zone() which
      calls memmap_init_zone() during onlining a memory block.
      memmap_init_zone() will reset pagetype flags and makes migrate type to
      be MOVABLE.
      
      However, in __offline_pages(), it also call undo_isolate_page_range()
      after offline_isolated_pages() to do the same thing.  Due to commit
      2ce13640 ("mm: __first_valid_page skip over offline pages") changed
      __first_valid_page() to skip offline pages, undo_isolate_page_range()
      here just waste CPU cycles looping around the offlining PFN range while
      doing nothing, because __first_valid_page() will return NULL as
      offline_isolated_pages() has already marked all memory sections within
      the pfn range as offline via offline_mem_sections().
      
      Also, after calling the "useless" undo_isolate_page_range() here, it
      reaches the point of no returning by notifying MEM_OFFLINE.  Those pages
      will be marked as MIGRATE_MOVABLE again once onlining.  The only thing
      left to do is to decrease the number of isolated pageblocks zone counter
      which would make some paths of the page allocation slower that the above
      commit introduced.
      
      Even if alloc_contig_range() can be used to isolate 16GB-hugetlb pages
      on ppc64, an "int" should still be enough to represent the number of
      pageblocks there.  Fix an incorrect comment along the way.
      
      [cai@lca.pw: v4]
        Link: http://lkml.kernel.org/r/20190314150641.59358-1-cai@lca.pw
      Link: http://lkml.kernel.org/r/20190313143133.46200-1-cai@lca.pw
      Fixes: 2ce13640 ("mm: __first_valid_page skip over offline pages")
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: <stable@vger.kernel.org>	[4.13+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9b7ea46a
    • Tetsuo Handa's avatar
      fs/open.c: allow opening only regular files during execve() · 73601ea5
      Tetsuo Handa authored
      syzbot is hitting lockdep warning [1] due to trying to open a fifo
      during an execve() operation.  But we don't need to open non regular
      files during an execve() operation, for all files which we will need are
      the executable file itself and the interpreter programs like /bin/sh and
      ld-linux.so.2 .
      
      Since the manpage for execve(2) says that execve() returns EACCES when
      the file or a script interpreter is not a regular file, and the manpage
      for uselib(2) says that uselib() can return EACCES, and we use
      FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non
      regular file is requested with FMODE_EXEC set.
      
      Since this deadlock followed by khungtaskd warnings is trivially
      reproducible by a local unprivileged user, and syzbot's frequent crash
      due to this deadlock defers finding other bugs, let's workaround this
      deadlock until we get a chance to find a better solution.
      
      [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
      
      Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jpReported-by: default avatarsyzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
      Fixes: 8924feff ("splice: lift pipe_lock out of splice_to_pipe()")
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>	[4.9+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      73601ea5
    • Changbin Du's avatar
      mailmap: add Changbin Du · c1e287c1
      Changbin Du authored
      Add my email in the mailmap file to have a consistent shortlog output.
      
      Link: http://lkml.kernel.org/r/20190308142103.4929-1-changbin.du@gmail.comSigned-off-by: default avatarChangbin Du <changbin.du@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c1e287c1
    • Qian Cai's avatar
      mm/debug.c: add a cast to u64 for atomic64_read() · 44dc1b1f
      Qian Cai authored
      atomic64_read() on ppc64le returns "long int", so fix the same way as
      commit d549f545 ("drm/virtio: use %llu format string form
      atomic64_t") by adding a cast to u64, which makes it work on all arches.
      
          In file included from ./include/linux/printk.h:7,
                           from ./include/linux/kernel.h:15,
                           from mm/debug.c:9:
          mm/debug.c: In function 'dump_mm':
          ./include/linux/kern_levels.h:5:18: warning: format '%llx' expects argument of type 'long long unsigned int', but argument 19 has type 'long int' [-Wformat=]
           #define KERN_SOH "A"  /* ASCII Start Of Header */
                            ^~~~~~
          ./include/linux/kern_levels.h:8:20: note: in expansion of macro
          'KERN_SOH'
           #define KERN_EMERG KERN_SOH "0" /* system is unusable */
                              ^~~~~~~~
          ./include/linux/printk.h:297:9: note: in expansion of macro 'KERN_EMERG'
            printk(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__)
                   ^~~~~~~~~~
          mm/debug.c:133:2: note: in expansion of macro 'pr_emerg'
            pr_emerg("mm %px mmap %px seqnum %llu task_size %lu"
            ^~~~~~~~
          mm/debug.c:140:17: note: format string is defined here
             "pinned_vm %llx data_vm %lx exec_vm %lx stack_vm %lx"
                        ~~~^
                        %lx
      
      Link: http://lkml.kernel.org/r/20190310183051.87303-1-cai@lca.pw
      Fixes: 70f8a3ca ("mm: make mm->pinned_vm an atomic64 counter")
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Acked-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      44dc1b1f
    • Jan Kara's avatar
      mm/memory.c: fix modifying of page protection by insert_pfn() · cae85cb8
      Jan Kara authored
      Aneesh has reported that PPC triggers the following warning when
      excercising DAX code:
      
        IP set_pte_at+0x3c/0x190
        LR insert_pfn+0x208/0x280
        Call Trace:
           insert_pfn+0x68/0x280
           dax_iomap_pte_fault.isra.7+0x734/0xa40
           __xfs_filemap_fault+0x280/0x2d0
           do_wp_page+0x48c/0xa40
           __handle_mm_fault+0x8d0/0x1fd0
           handle_mm_fault+0x140/0x250
           __do_page_fault+0x300/0xd60
           handle_page_fault+0x18
      
      Now that is WARN_ON in set_pte_at which is
      
              VM_WARN_ON(pte_hw_valid(*ptep) && !pte_protnone(*ptep));
      
      The problem is that on some architectures set_pte_at() cannot cope with
      a situation where there is already some (different) valid entry present.
      
      Use ptep_set_access_flags() instead to modify the pfn which is built to
      deal with modifying existing PTE.
      
      Link: http://lkml.kernel.org/r/20190311084537.16029-1-jack@suse.cz
      Fixes: b2770da6 "mm: add vm_insert_mixed_mkwrite()"
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reported-by: default avatar"Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
      Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Acked-by: default avatarDan Williams <dan.j.williams@intel.com>
      Cc: Chandan Rajendra <chandan@linux.ibm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cae85cb8