1. 01 May, 2019 3 commits
    • io_uring: free allocated io_memory once · 52e04ef4
      Mark Rutland authored
      If io_allocate_scq_urings() fails to allocate an sq_* region, it will
      call io_mem_free() for any previously allocated regions, but leave
      dangling pointers to these regions in the ctx. Any regions which have
      not yet been allocated are left NULL. Note that when returning
      -EOVERFLOW, the previously allocated sq_ring is not freed, which appears
      to be an unintentional leak.
      
      When io_allocate_scq_urings() fails, io_uring_create() will call
      io_ring_ctx_wait_and_kill(), which calls io_mem_free() on all the sq_*
      regions, assuming the pointers are valid and not NULL.
      
      This can result in pages being freed multiple times, which has been
      observed to corrupt the page state, leading to subsequent fun. This can
      also result in virt_to_page() on NULL, resulting in the use of bogus
      page addresses, and yet more subsequent fun. The latter can be detected
      with CONFIG_DEBUG_VIRTUAL on arm64.
      
      Adding a cleanup path to io_allocate_scq_urings() complicates the logic,
      so let's leave it to io_ring_ctx_free() to consistently free these
      pointers, and simplify the io_allocate_scq_urings() error paths.
      
      Full splats from before this patch below. Note that the pointer logged
      by the DEBUG_VIRTUAL "non-linear address" warning has been hashed, and
      is actually NULL.
      
      [   26.098129] page:ffff80000e949a00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
      [   26.102976] flags: 0x63fffc000000()
      [   26.104373] raw: 000063fffc000000 ffff80000e86c188 ffff80000ea3df08 0000000000000000
      [   26.108917] raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
      [   26.137235] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
      [   26.143960] ------------[ cut here ]------------
      [   26.146020] kernel BUG at include/linux/mm.h:547!
      [   26.147586] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [   26.149163] Modules linked in:
      [   26.150287] Process syz-executor.21 (pid: 20204, stack limit = 0x000000000e9cefeb)
      [   26.153307] CPU: 2 PID: 20204 Comm: syz-executor.21 Not tainted 5.1.0-rc7-00004-g7d30b2ea43d6 #18
      [   26.156566] Hardware name: linux,dummy-virt (DT)
      [   26.158089] pstate: 40400005 (nZcv daif +PAN -UAO)
      [   26.159869] pc : io_mem_free+0x9c/0xa8
      [   26.161436] lr : io_mem_free+0x9c/0xa8
      [   26.162720] sp : ffff000013003d60
      [   26.164048] x29: ffff000013003d60 x28: ffff800025048040
      [   26.165804] x27: 0000000000000000 x26: ffff800025048040
      [   26.167352] x25: 00000000000000c0 x24: ffff0000112c2820
      [   26.169682] x23: 0000000000000000 x22: 0000000020000080
      [   26.171899] x21: ffff80002143b418 x20: ffff80002143b400
      [   26.174236] x19: ffff80002143b280 x18: 0000000000000000
      [   26.176607] x17: 0000000000000000 x16: 0000000000000000
      [   26.178997] x15: 0000000000000000 x14: 0000000000000000
      [   26.181508] x13: 00009178a5e077b2 x12: 0000000000000001
      [   26.183863] x11: 0000000000000000 x10: 0000000000000980
      [   26.186437] x9 : ffff000013003a80 x8 : ffff800025048a20
      [   26.189006] x7 : ffff8000250481c0 x6 : ffff80002ffe9118
      [   26.191359] x5 : ffff80002ffe9118 x4 : 0000000000000000
      [   26.193863] x3 : ffff80002ffefe98 x2 : 44c06ddd107d1f00
      [   26.196642] x1 : 0000000000000000 x0 : 000000000000003e
      [   26.198892] Call trace:
      [   26.199893]  io_mem_free+0x9c/0xa8
      [   26.201155]  io_ring_ctx_wait_and_kill+0xec/0x180
      [   26.202688]  io_uring_setup+0x6c4/0x6f0
      [   26.204091]  __arm64_sys_io_uring_setup+0x18/0x20
      [   26.205576]  el0_svc_common.constprop.0+0x7c/0xe8
      [   26.207186]  el0_svc_handler+0x28/0x78
      [   26.208389]  el0_svc+0x8/0xc
      [   26.209408] Code: aa0203e0 d0006861 9133a021 97fcdc3c (d4210000)
      [   26.211995] ---[ end trace bdb81cd43a21e50d ]---
      
      [   81.770626] ------------[ cut here ]------------
      [   81.825015] virt_to_phys used for non-linear address: 000000000d42f2c7 (          (null))
      [   81.827860] WARNING: CPU: 1 PID: 30171 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x48/0x68
      [   81.831202] Modules linked in:
      [   81.832212] CPU: 1 PID: 30171 Comm: syz-executor.20 Not tainted 5.1.0-rc7-00004-g7d30b2ea43d6 #19
      [   81.835616] Hardware name: linux,dummy-virt (DT)
      [   81.836863] pstate: 60400005 (nZCv daif +PAN -UAO)
      [   81.838727] pc : __virt_to_phys+0x48/0x68
      [   81.840572] lr : __virt_to_phys+0x48/0x68
      [   81.842264] sp : ffff80002cf67c70
      [   81.843858] x29: ffff80002cf67c70 x28: ffff800014358e18
      [   81.846463] x27: 0000000000000000 x26: 0000000020000080
      [   81.849148] x25: 0000000000000000 x24: ffff80001bb01f40
      [   81.851986] x23: ffff200011db06c8 x22: ffff2000127e3c60
      [   81.854351] x21: ffff800014358cc0 x20: ffff800014358d98
      [   81.856711] x19: 0000000000000000 x18: 0000000000000000
      [   81.859132] x17: 0000000000000000 x16: 0000000000000000
      [   81.861586] x15: 0000000000000000 x14: 0000000000000000
      [   81.863905] x13: 0000000000000000 x12: ffff1000037603e9
      [   81.866226] x11: 1ffff000037603e8 x10: 0000000000000980
      [   81.868776] x9 : ffff80002cf67840 x8 : ffff80001bb02920
      [   81.873272] x7 : ffff1000037603e9 x6 : ffff80001bb01f47
      [   81.875266] x5 : ffff1000037603e9 x4 : dfff200000000000
      [   81.876875] x3 : ffff200010087528 x2 : ffff1000059ecf58
      [   81.878751] x1 : 44c06ddd107d1f00 x0 : 0000000000000000
      [   81.880453] Call trace:
      [   81.881164]  __virt_to_phys+0x48/0x68
      [   81.882919]  io_mem_free+0x18/0x110
      [   81.886585]  io_ring_ctx_wait_and_kill+0x13c/0x1f0
      [   81.891212]  io_uring_setup+0xa60/0xad0
      [   81.892881]  __arm64_sys_io_uring_setup+0x2c/0x38
      [   81.894398]  el0_svc_common.constprop.0+0xac/0x150
      [   81.896306]  el0_svc_handler+0x34/0x88
      [   81.897744]  el0_svc+0x8/0xc
      [   81.898715] ---[ end trace b4a703802243cbba ]---
      
      Fixes: 2b188cc1 ("Add io_uring IO interface")
      Signed-off-by: Mark Rutland <mark.rutland@arm.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: linux-block@vger.kernel.org
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
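The failure-path hazard this commit message describes, as an added example that is not part of the commit or of the kernel's code: a userspace C model with a toy page pool whose per-page state is tracked explicitly, so a double free or a free of NULL is counted instead of corrupting memory. `allocate_rings_buggy()` mirrors the pre-fix shape (free on failure, dangling pointers left in the context, teardown frees them again) and `allocate_rings_fixed()` the post-fix shape (no cleanup in the allocator, one NULL-tolerant teardown path). The pool, the fault injection, the NULL check in `io_mem_free_safe()` and every function name here are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the page allocator (assumption for this example): a fixed
 * pool whose per-page state is tracked, so freeing an already-free page or a
 * NULL pointer is counted instead of corrupting allocator state. */
#define POOL_PAGES 8
#define PAGE_BYTES 64
static char pool_mem[POOL_PAGES][PAGE_BYTES];
static int pool_in_use[POOL_PAGES];
static int alloc_calls, fail_nth;     /* fault injection: fail the Nth allocation (0 = never) */
static int double_frees, null_frees;  /* anomaly counters filled in by the free routines */

static void pool_reset(int fail_on)
{
    memset(pool_in_use, 0, sizeof pool_in_use);
    alloc_calls = 0;
    fail_nth = fail_on;
    double_frees = null_frees = 0;
}

static void *io_mem_alloc_toy(void)
{
    if (++alloc_calls == fail_nth)
        return NULL;                  /* simulated -ENOMEM */
    for (int i = 0; i < POOL_PAGES; i++)
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            return pool_mem[i];
        }
    return NULL;
}

/* Free routine with the pre-fix contract: it trusts its argument, so NULL
 * (virt_to_page(NULL) in the splat) or an already-freed page
 * (VM_BUG_ON_PAGE(page_ref_count(page) == 0)) is a bug, counted here. */
static void io_mem_free_trusting(void *ptr)
{
    if (!ptr) { null_frees++; return; }
    int i = (int)(((char *)ptr - pool_mem[0]) / PAGE_BYTES);
    if (!pool_in_use[i]) { double_frees++; return; }
    pool_in_use[i] = 0;
}

/* NULL-tolerant variant (assumption: the fixed free routine ignores NULL). */
static void io_mem_free_safe(void *ptr)
{
    if (ptr)
        io_mem_free_trusting(ptr);
}

struct ring_ctx { void *sq_ring, *sq_sqes, *cq_ring; };

/* Pre-fix shape: frees on failure but leaves dangling pointers in ctx. */
static int allocate_rings_buggy(struct ring_ctx *ctx)
{
    ctx->sq_ring = io_mem_alloc_toy();
    if (!ctx->sq_ring)
        return -1;
    ctx->sq_sqes = io_mem_alloc_toy();
    if (!ctx->sq_sqes) {
        io_mem_free_trusting(ctx->sq_ring);
        return -1;
    }
    ctx->cq_ring = io_mem_alloc_toy();
    if (!ctx->cq_ring) {
        io_mem_free_trusting(ctx->sq_ring);
        io_mem_free_trusting(ctx->sq_sqes);
        return -1;
    }
    return 0;
}

/* Post-fix shape: no cleanup here; every pointer is live or NULL and the
 * single teardown path owns all frees. */
static int allocate_rings_fixed(struct ring_ctx *ctx)
{
    if (!(ctx->sq_ring = io_mem_alloc_toy())) return -1;
    if (!(ctx->sq_sqes = io_mem_alloc_toy())) return -1;
    if (!(ctx->cq_ring = io_mem_alloc_toy())) return -1;
    return 0;
}

/* Stand-in for io_ring_ctx_free(): frees all three regions unconditionally. */
static void ring_ctx_free(struct ring_ctx *ctx, void (*free_fn)(void *))
{
    free_fn(ctx->sq_ring);
    free_fn(ctx->sq_sqes);
    free_fn(ctx->cq_ring);
}

/* One setup-then-teardown attempt. Returns an anomaly code:
 * 100 * double frees + 10 * NULL frees + pages still allocated (leaked). */
int run_scenario(int fixed, int fail_on)
{
    struct ring_ctx ctx = { 0 };
    int leaked = 0;

    pool_reset(fail_on);
    if (fixed)
        allocate_rings_fixed(&ctx);
    else
        allocate_rings_buggy(&ctx);
    ring_ctx_free(&ctx, fixed ? io_mem_free_safe : io_mem_free_trusting);
    for (int i = 0; i < POOL_PAGES; i++)
        leaked += pool_in_use[i];
    return 100 * double_frees + 10 * null_frees + leaked;
}

int main(void)
{
    printf("buggy, sq_sqes allocation fails: %d\n", run_scenario(0, 2));  /* 120 */
    printf("buggy, cq_ring allocation fails: %d\n", run_scenario(0, 3));  /* 210 */
    printf("fixed, sq_sqes allocation fails: %d\n", run_scenario(1, 2));  /* 0 */
    printf("fixed, cq_ring allocation fails: %d\n", run_scenario(1, 3));  /* 0 */
    return 0;
}
```

In the buggy scenario a failed `sq_sqes` allocation yields one double free of `sq_ring` and two frees of NULL, exactly the two classes of splat quoted in the message; the fixed scenario yields none and leaks nothing, because ownership of the three regions has a single place to live.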
    • io_uring: fix SQPOLL cpu validation · 975554b0
      Mark Rutland authored
      In io_sq_offload_start(), we call cpu_possible() on an unbounded cpu
      value from userspace. On v5.1-rc7 on arm64 with
      CONFIG_DEBUG_PER_CPU_MAPS, this results in a splat:
      
        WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpu_max_bits_warn include/linux/cpumask.h:121 [inline]
      
      There was an attempt to fix this in commit:
      
        917257da ("io_uring: only test SQPOLL cpu after we've verified it")
      
      ... by adding a check after the cpu value had been limited to NR_CPU_IDS
      using array_index_nospec(). However, this left an unbound check at the
      start of the function, for which the warning still fires.
      
      Let's fix this correctly by checking that the cpu value is bound by
      nr_cpu_ids before passing it to cpu_possible(). Note that only
      nr_cpu_ids of a cpumask are guaranteed to exist at runtime, and
      nr_cpu_ids can be significantly smaller than NR_CPUS. For example, an
      arm64 defconfig has NR_CPUS=256, while my test VM has 4 vCPUs.
      
      Following the intent from the commit message for 917257da, the
      check is moved under the SQ_AFF branch, which is the only branch where
      the cpu value is consumed. The check is performed before bounding the
      value with array_index_nospec() so that we don't silently accept bogus
      cpu values from userspace, where array_index_nospec() would force these
      values to 0.
      
      I suspect we can remove the array_index_nospec() call entirely, but I've
      conservatively left that in place, updated to use nr_cpu_ids to match
      the prior check.
      
      Tested on arm64 with the Syzkaller reproducer:
      
        https://syzkaller.appspot.com/bug?extid=cd714a07c6de2bc34293
        https://syzkaller.appspot.com/x/repro.syz?x=15d8b397200000
      
      Full splat from before this patch:
      
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpu_max_bits_warn include/linux/cpumask.h:121 [inline]
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpumask_check include/linux/cpumask.h:128 [inline]
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpumask_test_cpu include/linux/cpumask.h:344 [inline]
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_sq_offload_start fs/io_uring.c:2244 [inline]
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_uring_create fs/io_uring.c:2864 [inline]
      WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_uring_setup+0x1108/0x15a0 fs/io_uring.c:2916
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 1 PID: 27601 Comm: syz-executor.0 Not tainted 5.1.0-rc7 #3
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace+0x0/0x2f0 include/linux/compiler.h:193
       show_stack+0x20/0x30 arch/arm64/kernel/traps.c:158
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x110/0x190 lib/dump_stack.c:113
       panic+0x384/0x68c kernel/panic.c:214
       __warn+0x2bc/0x2c0 kernel/panic.c:571
       report_bug+0x228/0x2d8 lib/bug.c:186
       bug_handler+0xa0/0x1a0 arch/arm64/kernel/traps.c:956
       call_break_hook arch/arm64/kernel/debug-monitors.c:301 [inline]
       brk_handler+0x1d4/0x388 arch/arm64/kernel/debug-monitors.c:316
       do_debug_exception+0x1a0/0x468 arch/arm64/mm/fault.c:831
       el1_dbg+0x18/0x8c
       cpu_max_bits_warn include/linux/cpumask.h:121 [inline]
       cpumask_check include/linux/cpumask.h:128 [inline]
       cpumask_test_cpu include/linux/cpumask.h:344 [inline]
       io_sq_offload_start fs/io_uring.c:2244 [inline]
       io_uring_create fs/io_uring.c:2864 [inline]
       io_uring_setup+0x1108/0x15a0 fs/io_uring.c:2916
       __do_sys_io_uring_setup fs/io_uring.c:2929 [inline]
       __se_sys_io_uring_setup fs/io_uring.c:2926 [inline]
       __arm64_sys_io_uring_setup+0x50/0x70 fs/io_uring.c:2926
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
       el0_svc_common.constprop.0+0x148/0x2e0 arch/arm64/kernel/syscall.c:83
       el0_svc_handler+0xdc/0x100 arch/arm64/kernel/syscall.c:129
       el0_svc+0x8/0xc arch/arm64/kernel/entry.S:948
      SMP: stopping secondary CPUs
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Kernel Offset: disabled
      CPU features: 0x002,23000438
      Memory Limit: none
      Rebooting in 1 seconds..
      
      Fixes: 917257da ("io_uring: only test SQPOLL cpu after we've verified it")
      Signed-off-by: Mark Rutland <mark.rutland@arm.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: linux-block@vger.kernel.org
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      
      Simplified the logic
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
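The validation order this commit message argues for, as an added userspace C example that is not the kernel's code: `pick_sq_thread_cpu()` runs three variants of the check on an untrusted cpu id against a runtime count `nr_cpu_ids` of 4 and a compile-time `NR_CPUS` of 256 (the two figures quoted in the message). The unbounded variant trips the DEBUG_PER_CPU_MAPS-style warning for any id at or above `nr_cpu_ids`, even when the value is never consumed; a clamp-only variant never warns but silently accepts a bogus id as CPU 0; the fixed variant rejects it with -EINVAL before any clamping. `cpu_possible_toy()`, `array_index_nospec_toy()` (the generic kernel mask formula reimplemented here), `SETUP_SQ_AFF`, `EINVAL_TOY`, `NO_PIN` and the variant names are assumptions for the example.

```c
#include <limits.h>
#include <string.h>

#define NR_CPUS      256   /* compile-time ceiling; the arm64 defconfig value quoted above */
#define EINVAL_TOY   22
#define NO_PIN       -1    /* SQ thread not pinned: the cpu value was never consumed */
#define SETUP_SQ_AFF 0x1u  /* constructed flag bit for this example, not the real IORING_SETUP_SQ_AFF */

static unsigned int nr_cpu_ids;                   /* runtime CPU count */
static unsigned char cpu_possible_map[NR_CPUS];   /* toy stand-in for the cpu_possible mask */
static int cpumask_warnings;                      /* models the CONFIG_DEBUG_PER_CPU_MAPS warning */

static void setup_cpus(unsigned int n)
{
    nr_cpu_ids = n;
    memset(cpu_possible_map, 0, sizeof cpu_possible_map);
    for (unsigned int i = 0; i < n && i < NR_CPUS; i++)
        cpu_possible_map[i] = 1;
    cpumask_warnings = 0;
}

/* cpu_possible() as seen with CONFIG_DEBUG_PER_CPU_MAPS: any id at or above
 * nr_cpu_ids trips the warning. The real mask is only NR_CPUS bits, so a
 * larger id would also be an out-of-bounds read; here it just reads as 0. */
static int cpu_possible_toy(unsigned int cpu)
{
    if (cpu >= nr_cpu_ids)
        cpumask_warnings++;
    return cpu < NR_CPUS ? cpu_possible_map[cpu] : 0;
}

/* Userspace reimplementation of the generic array_index_nospec() clamp:
 * the mask is all ones when index < size and zero otherwise, so an
 * out-of-range index becomes 0 rather than an out-of-bounds access. */
static unsigned long array_index_nospec_toy(unsigned long index, unsigned long size)
{
    long m = (long)(index | (size - 1 - index));
    unsigned long mask = (unsigned long)(~m >> (sizeof(long) * CHAR_BIT - 1));
    return index & mask;
}

enum { VARIANT_UNBOUNDED, VARIANT_CLAMP_ONLY, VARIANT_FIXED };

/* Returns the CPU the SQ thread would be pinned to, NO_PIN, or -EINVAL_TOY.
 * Resets the constructed 4-vCPU configuration first so calls are independent. */
int pick_sq_thread_cpu(int variant, unsigned int flags, unsigned int cpu)
{
    setup_cpus(4);
    switch (variant) {
    case VARIANT_UNBOUNDED:
        /* Pre-fix shape: the raw userspace value is validated before any bound
         * check and outside the SQ_AFF branch, so every id >= nr_cpu_ids warns
         * (and, with panic_on_warn, panics). */
        if (!cpu_possible_toy(cpu))
            return -EINVAL_TOY;
        if (flags & SETUP_SQ_AFF)
            return (int)array_index_nospec_toy(cpu, NR_CPUS);
        return NO_PIN;
    case VARIANT_CLAMP_ONLY:
        /* Clamp first, check after: no warning, but a bogus id is silently
         * forced to 0 and accepted as CPU 0. */
        if (flags & SETUP_SQ_AFF) {
            cpu = (unsigned int)array_index_nospec_toy(cpu, NR_CPUS);
            return cpu_possible_toy(cpu) ? (int)cpu : -EINVAL_TOY;
        }
        return NO_PIN;
    case VARIANT_FIXED:
        /* Post-fix shape: only where the value is consumed, bound it against
         * the runtime nr_cpu_ids before asking cpu_possible(), then clamp
         * against that same bound. */
        if (flags & SETUP_SQ_AFF) {
            if (cpu >= nr_cpu_ids || !cpu_possible_toy(cpu))
                return -EINVAL_TOY;
            return (int)array_index_nospec_toy(cpu, nr_cpu_ids);
        }
        return NO_PIN;
    }
    return -EINVAL_TOY;
}

/* Warnings raised by the most recent pick_sq_thread_cpu() call. */
int warnings_seen(void)
{
    return cpumask_warnings;
}
```

The point the example makes is the ordering: a range check against the runtime bound must come before both the possibility test and the speculation clamp, because the clamp is a side-channel mitigation, not input validation, and the possibility test is only defined for ids below `nr_cpu_ids`.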
    • io_uring: have submission side sqe errors post a cqe · 5c8b0b54
      Jens Axboe authored
      Currently we only post a cqe if we get an error OUTSIDE of submission.
      For submission, we return the error directly through io_uring_enter().
      This is a bit awkward for applications, and it makes more sense to
      always post a cqe with an error, if the error happens on behalf of an
      sqe.
      
      This changes submission behavior a bit. io_uring_enter() returns -ERROR
      for an error, and > 0 for number of sqes submitted. Before this change,
      if you wanted to submit 8 entries and had an error on the 5th entry,
      io_uring_enter() would return 4 (for number of entries successfully
      submitted) and rewind the sqring. The application would then have to
      peek at the sqring and figure out what was wrong with the head sqe, and
      then skip it itself. With this change, we'll return 5 since we did
      consume 5 sqes, and the last sqe (with the error) will result in a cqe
      being posted with the error.
      
      This makes the logic easier to handle in the application, and it cleans
      up the submission part.
      Suggested-by: Stefan Bühler <source@stbuehler.de>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  2. 30 Apr, 2019 8 commits
  3. 29 Apr, 2019 1 commit
  4. 28 Apr, 2019 5 commits
    • Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 9520b532
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A small number of ARM fixes
      
         - Fix function tracer and unwinder dependencies so that we don't end
           up building kernels that will crash
      
         - Fix ARMv7M nommu initialisation (missing register initialisation)
      
         - Fix EFI decompressor entry (ensuring barrier instructions are
           enabled prior to use)"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache
        ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled
        ARM: fix function graph tracer and unwinder dependencies
    • Merge tag 'powerpc-5.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0d82044e
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "A one-liner to make our Radix MMU support depend on HUGETLB_PAGE. We
        use some of the hugetlb inlines (eg. pud_huge()) when operating on the
        linear mapping and if they're compiled into empty wrappers we can
        corrupt memory.
      
        Then two fixes to our VFIO IOMMU code. The first is not a regression
        but fixes the locking to avoid a user-triggerable deadlock.
      
        The second does fix a regression since rc1, and depends on the first
        fix. It makes it possible to run guests with large amounts of memory
        again (~256GB).
      
        Thanks to Alexey Kardashevskiy"
      
      * tag 'powerpc-5.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm_iommu: Allow pinning large regions
        powerpc/mm_iommu: Fix potential deadlock
        powerpc/mm/radix: Make Radix require HUGETLB_PAGE
    • Merge tag 'for-linus-20190428' of git://git.kernel.dk/linux-block · 975a0f40
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A set of io_uring fixes that should go into this release. In
        particular, this contains:
      
         - The mutex lock vs ctx ref count fix (me)
      
         - Removal of a dead variable (me)
      
         - Two race fixes (Stefan)
      
         - Ring head/tail condition fix for poll full SQ detection (Stefan)"
      
      * tag 'for-linus-20190428' of git://git.kernel.dk/linux-block:
        io_uring: remove 'state' argument from io_{read,write} path
        io_uring: fix poll full SQ detection
        io_uring: fix race condition when sq threads goes sleeping
        io_uring: fix race condition reading SQ entries
        io_uring: fail io_uring_register(2) on a dying io_uring instance
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 14f974d7
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "One core bug fix and a few driver ones
      
         - FRWR memory registration for hfi1/qib didn't work with some
           iovas causing a NFSoRDMA failure regression due to a fix in the NFS
           side
      
         - A command flow error in mlx5 allowed user space to send a corrupt
           command (and also smash the kernel stack we've since learned)
      
         - Fix a regression and some bugs with device hot unplug that was
           discovered while reviewing Andrea's patches
      
         - hns has a failure if the user asks for certain QP configurations"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/hns: Bugfix for mapping user db
        RDMA/ucontext: Fix regression with disassociate
        RDMA/mlx5: Use rdma_user_map_io for mapping BAR pages
        RDMA/mlx5: Do not allow the user to write to the clock page
        IB/mlx5: Fix scatter to CQE in DCT QP creation
        IB/rdmavt: Fix frwr memory registration
    • Merge tag 'dmaengine-fix-5.1-rc7' of git://git.infradead.org/users/vkoul/slave-dma · 72a6e35d
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - fix for wrong register use in mediatek driver
      
       - fix in sh driver for glitch in tx_status and treating 0 a valid
         residue for cyclic
      
       - fix in bcm driver for using right memory allocation flag
      
      * tag 'dmaengine-fix-5.1-rc7' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: mediatek-cqdma: fix wrong register usage in mtk_cqdma_start
        dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status
        dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid
        dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg
  5. 27 Apr, 2019 7 commits
  6. 26 Apr, 2019 16 commits
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 857e17c2
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - keep the tail of an unaligned initrd reserved
      
       - adjust ftrace_make_call() to deal with the relative nature of PLTs
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/module: ftrace: deal with place relative nature of PLTs
        arm64: mm: Ensure tail of unaligned initrd is reserved
    • Merge tag 'trace-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · e9e1a2e7
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Three tracing fixes:
      
         - Use "nosteal" for ring buffer splice pages
      
         - Memory leak fix in error path of trace_pid_write()
      
         - Fix preempt_enable_no_resched() (use preempt_enable()) in ring
           buffer code"
      
      * tag 'trace-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        trace: Fix preempt_enable_no_resched() abuse
        tracing: Fix a memory leak by early error exit in trace_pid_write()
        tracing: Fix buffer_ref pipe ops
    • Merge tag 'gpio-v5.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 29279d21
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Not much to say about them, regular fixes:
      
         - Fix a bug on the errorpath of gpiochip_add_data_with_key()
      
         - IRQ type setting on the spreadtrum GPIO driver"
      
      * tag 'gpio-v5.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: Fix gpiochip_add_data_with_key() error path
        gpio: eic: sprd: Fix incorrect irq type setting for the sync EIC
    • Merge tag 'drm-fixes-2019-04-26' of git://anongit.freedesktop.org/drm/drm · 4e40f0f3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular drm fixes, nothing too outstanding, I'm guessing Easter was
        slowing people down.
      
        i915:
         - FEC enable fix
         - BXT display lanes fix
      
        ttm:
         - fix reinit for reloading drivers regression
      
        imx:
         - DP CSC fix
      
        sun4i:
         - module unload/load fix
      
        vc4:
         - memory leak fix
         - compile fix
      
        dw-hdmi:
         - rockchip scdc overflow fix
      
        sched:
         - docs fix
      
        vmwgfx:
         - dma api layering fix"
      
      * tag 'drm-fixes-2019-04-26' of git://anongit.freedesktop.org/drm/drm:
        drm/bridge: dw-hdmi: fix SCDC configuration for ddc-i2c-bus
        drm/vmwgfx: Fix dma API layer violation
        drm/vc4: Fix compilation error reported by kbuild test bot
        drm/sun4i: Unbind components before releasing DRM and memory
        drm/vc4: Fix memory leak during gpu reset.
        drm/sched: Fix description of drm_sched_stop
        drm/imx: don't skip DP channel disable for background plane
        gpu: ipu-v3: dp: fix CSC handling
        drm/ttm: fix re-init of global structures
        drm/sun4i: Fix component unbinding and component master deletion
        drm/sun4i: Set device driver data at bind time for use in unbind
        drm/sun4i: Add missing drm_atomic_helper_shutdown at driver unbind
        drm/i915: Restore correct bxt_ddi_phy_calc_lane_lat_optim_mask() calculation
        drm/i915: Do not enable FEC without DSC
        drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs
    • Merge tag 'for-5.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d0473f97
      Linus Torvalds authored
      Pull btrfs fix from David Sterba:
       "One patch to fix a crash in io submission path, due to memory
        allocation errors.
      
        In short, the multipage bio work that landed in 5.1 caused larger bios
        that in turn require larger temporary memory for checksums. The patch
        is a workaround, we're going to rework the allocation so it does not
        require the vmalloc fallback.
      
        It took a while to identify that it's caused by patches in 5.1 and not
        a patchset that did some changes in error handling in the code. I've
        tested it on various memory/cpu combinations, it could hit OOM but
        does not crash.
      
        The timestamp of the patch is less than a day due to updates in the
        changelog, tests were running meanwhile"
      
      * tag 'for-5.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: Switch memory allocations in async csum calculation path to kvmalloc
    • Merge tag '5.1-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 58130235
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Three small SMB3 fixes (all for stable as well): two leaks and a
        rename bug"
      
      * tag '5.1-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix page reference leak with readv/writev
        cifs: do not attempt cifs operation on smb2+ rename error
        cifs: fix memory leak in SMB2_read
    • fs/proc/proc_sysctl.c: Fix a NULL pointer dereference · 89189557
      YueHaibing authored
      Syzkaller reports this:
      
        sysctl could not get directory: /net//bridge -12
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
        RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
        RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
        RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
        RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
        Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
        RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
        RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
        RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
        RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
        R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
        R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
        FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        PKRU: 55555554
        Call Trace:
         erase_entry fs/proc/proc_sysctl.c:178 [inline]
         erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
         start_unregistering fs/proc/proc_sysctl.c:331 [inline]
         drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
         get_subdir fs/proc/proc_sysctl.c:1022 [inline]
         __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
         br_netfilter_init+0x68/0x1000 [br_netfilter]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
         iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
        Dumping ftrace buffer:
           (ftrace buffer empty)
        ---[ end trace 68741688d5fbfe85 ]---
      
      commit 23da9588 ("fs/proc/proc_sysctl.c: fix NULL pointer
      dereference in put_links") forgot to handle start_unregistering() case,
      while header->parent is NULL, it calls erase_header() and as seen in the
      above syzkaller call trace, accessing &header->parent->root will trigger
      a NULL pointer dereference.
      
      As that commit explained, there is also no need to call
      start_unregistering() if header->parent is NULL.
      
      Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
      Fixes: 23da9588 ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
      Fixes: 0e47c99d ("sysctl: Replace root_list with links between sysctl_table_sets")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm/page_alloc.c: fix never set ALLOC_NOFRAGMENT flag · 8118b82e
      Andrey Ryabinin authored
      Commit 0a79cdad ("mm: use alloc_flags to record if kswapd can wake")
      removed setting of the ALLOC_NOFRAGMENT flag.  Bring it back.
      
      The runtime effect is that ALLOC_NOFRAGMENT behaviour is restored so
      that allocations are spread across local zones to avoid fragmentation
      due to mixing pageblocks as long as possible.
      
      Link: http://lkml.kernel.org/r/20190423120806.3503-2-aryabinin@virtuozzo.com
      Fixes: 0a79cdad ("mm: use alloc_flags to record if kswapd can wake")
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: Mel Gorman <mgorman@techsingularity.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm/page_alloc.c: avoid potential NULL pointer dereference · 8139ad04
      Andrey Ryabinin authored
      ac.preferred_zoneref->zone passed to alloc_flags_nofragment() can be NULL.
      The 'zone' pointer is unconditionally dereferenced in alloc_flags_nofragment().
      Bail out on NULL zone to avoid potential crash.  Currently we don't see
      any crashes only because alloc_flags_nofragment() has another bug which
      allows compiler to optimize away all accesses to 'zone'.
      
      Link: http://lkml.kernel.org/r/20190423120806.3503-1-aryabinin@virtuozzo.com
      Fixes: 6bb15450 ("mm, page_alloc: spread allocations across zones before introducing fragmentation")
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: Mel Gorman <mgorman@techsingularity.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm, page_alloc: always use a captured page regardless of compaction result · ee8ab0ee
      Mel Gorman authored
      During the development of commit 5e1f0f09 ("mm, compaction: capture
      a page under direct compaction"), a paranoid check was added to ensure
      that if a captured page was available after compaction that it was
      consistent with the final state of compaction.  The intent was to catch
      serious programming bugs such as using a stale page pointer and causing
      corruption problems.
      
      However, it is possible to get a captured page even if compaction was
      unsuccessful if an interrupt triggered and happened to free pages in
      interrupt context that got merged into a suitable high-order page.  It's
      highly unlikely but Li Wang did report the following warning on s390
      occurring when testing OOM handling.  Note that the warning is slightly
      edited for clarity.
      
        WARNING: CPU: 0 PID: 9783 at mm/page_alloc.c:3777 __alloc_pages_direct_compact+0x182/0x190
        Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs
          lockd grace fscache sunrpc pkey ghash_s390 prng xts aes_s390
          des_s390 des_generic sha512_s390 zcrypt_cex4 zcrypt vmur binfmt_misc
          ip_tables xfs libcrc32c dasd_fba_mod qeth_l2 dasd_eckd_mod dasd_mod
          qeth qdio lcs ctcm ccwgroup fsm dm_mirror dm_region_hash dm_log
          dm_mod
        CPU: 0 PID: 9783 Comm: copy.sh Kdump: loaded Not tainted 5.1.0-rc 5 #1
      
      This patch simply removes the check entirely instead of trying to be
      clever about pages freed from interrupt context.  If a serious
      programming error was introduced, it is highly likely to be caught by
      prep_new_page() instead.
      
      Link: http://lkml.kernel.org/r/20190419085133.GH18914@techsingularity.net
      Fixes: 5e1f0f09 ("mm, compaction: capture a page under direct compaction")
      Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
      Reported-by: Li Wang <liwang@redhat.com>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: do not boost watermarks to avoid fragmentation for the DISCONTIG memory model · 24512228
      Mel Gorman authored
      Mikulas Patocka reported that commit 1c30844d ("mm: reclaim small
      amounts of memory when an external fragmentation event occurs") "broke"
      memory management on parisc.
      
      The machine is not NUMA but the DISCONTIG model creates three pgdats
      even though it's a UMA machine for the following ranges
      
              0) Start 0x0000000000000000 End 0x000000003fffffff Size   1024 MB
              1) Start 0x0000000100000000 End 0x00000001bfdfffff Size   3070 MB
              2) Start 0x0000004040000000 End 0x00000040ffffffff Size   3072 MB
      
      Mikulas reported:
      
      	With the patch 1c30844d, the kernel will incorrectly reclaim the
      	first zone when it fills up, ignoring the fact that there are two
      	completely free zones. Basically, it limits cache size to 1GiB.
      
      	For example, if I run:
      	# dd if=/dev/sda of=/dev/null bs=1M count=2048
      
      	- with the proper kernel, there should be "Buffers - 2GiB"
      	when this command finishes. With the patch 1c30844d, buffers
      	will consume just 1GiB or slightly more, because the kernel was
      	incorrectly reclaiming them.
      
      The page allocator and reclaim make assumptions that pgdats really
      represent NUMA nodes and zones represent ranges and make decisions on
      that basis.  Watermark boosting for small pgdats leads to unexpected
      results even though this would have behaved reasonably on SPARSEMEM.
      
      DISCONTIG is essentially deprecated and even parisc plans to move to
      SPARSEMEM, so there is no need to be fancy; this patch simply disables
      watermark boosting by default on DISCONTIGMEM.
      
      Link: http://lkml.kernel.org/r/20190419094335.GJ18914@techsingularity.net
      Fixes: 1c30844d ("mm: reclaim small amounts of memory when an external fragmentation event occurs")
      Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
      Reported-by: Mikulas Patocka <mpatocka@redhat.com>
      Tested-by: Mikulas Patocka <mpatocka@redhat.com>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • lib/test_vmalloc.c: do not create cpumask_t variable on stack · e7898035
      Uladzislau Rezki (Sony) authored
      On my "Intel(R) Xeon(R) W-2135 CPU @ 3.70GHz" system (12 CPUs) I get the
      warning from the compiler about frame size:
      
         warning: the frame size of 1096 bytes is larger than 1024 bytes [-Wframe-larger-than=]
      
      The size of cpumask_t depends on the number of CPUs; therefore just make
      use of cpumask_of() in set_cpus_allowed_ptr() as a second argument.
      
      Link: http://lkml.kernel.org/r/20190418193925.9361-1-urezki@gmail.com
      Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
      Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
      Reviewed-by: Roman Gushchin <guro@fb.com>
      Cc: Uladzislau Rezki <urezki@gmail.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Thomas Garnier <thgarnie@google.com>
      Cc: Oleksiy Avramchenko <oleksiy.avramchenko@sonymobile.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • lib/Kconfig.debug: fix build error without CONFIG_BLOCK · ae3d6a32
      YueHaibing authored
      If CONFIG_TEST_KMOD is set to M, while CONFIG_BLOCK is not set, XFS and
      BTRFS can not be compiled successfully.
      
      Link: http://lkml.kernel.org/r/20190410075434.35220-1-yuehaibing@huawei.com
      Fixes: d9c6a72d ("kmod: add test driver to stress test the module loader")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Joe Lawrence <joe.lawrence@redhat.com>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • zram: pass down the bvec we need to read into in the work struct · e153abc0
      Jérôme Glisse authored
      When scheduling a work item to read a page we need to pass down the proper
      bvec struct which points to the page to read into.  Before this patch it
      uses a randomly initialized bvec (only if PAGE_SIZE != 4096) which is
      wrong.
      
      Note that without this patch on arch/kernel where PAGE_SIZE != 4096
      userspace could read random memory through a zram block device (though
      userspace probably would have no control on the address being read).
      
      Link: http://lkml.kernel.org/r/20190408183219.26377-1-jglisse@redhat.com
      Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
      Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
      Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Acked-by: Minchan Kim <minchan@kernel.org>
      Cc: Nitin Gupta <ngupta@vflare.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm/memory_hotplug.c: drop memory device reference after find_memory_block() · 89c02e69
      David Hildenbrand authored
      Right now we are using find_memory_block() to get the node id for the
      pfn range to online.  We fail to drop a reference to the memory
      block device.  While the device still gets unregistered via
      device_unregister(), resulting in no user visible problem, the device is
      never released via device_release(), resulting in a memory leak.  Fix
      that by properly using a put_device().
      
      Link: http://lkml.kernel.org/r/20190411110955.1430-1-david@redhat.com
      Fixes: d0dc12e8 ("mm/memory_hotplug: optimize memory hotplug")
      Signed-off-by: David Hildenbrand <david@redhat.com>
      Reviewed-by: Oscar Salvador <osalvador@suse.de>
      Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Acked-by: Pankaj Gupta <pagupta@redhat.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Arun KS <arunks@codeaurora.org>
      Cc: Mathieu Malaterre <malat@debian.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • trace: Fix preempt_enable_no_resched() abuse · d6097c9e
      Peter Zijlstra authored
      Unless the very next line is schedule(), or implies it, one must not use
      preempt_enable_no_resched(). It can cause a preemption to go missing and
      thereby cause arbitrary delays, breaking the PREEMPT=y invariant.
      
      Link: http://lkml.kernel.org/r/20190423200318.GY14281@hirez.programming.kicks-ass.net
      
      Cc: Waiman Long <longman@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: the arch/x86 maintainers <x86@kernel.org>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: huang ying <huang.ying.caritas@gmail.com>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: stable@vger.kernel.org
      Fixes: 2c2d7329 ("tracing/ftrace: use preempt_enable_no_resched_notrace in ring_buffer_time_stamp()")
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>