1. 29 May, 2020 6 commits
  2. 28 May, 2020 14 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 75caf310
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "5 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        include/asm-generic/topology.h: guard cpumask_of_node() macro argument
        fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
        mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
        mm,thp: stop leaking unreleased file pages
        mm/z3fold: silence kmemleak false positives of slots
      75caf310
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · d16eea2f
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "Just a few random driver fixups"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics - add a second working PNP_ID for Lenovo T470s
        Input: applespi - replace zero-length array with flexible-array
        Input: axp20x-pek - always register interrupt handlers
        Input: lm8333 - update contact email
        Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
        Input: synaptics-rmi4 - really fix attn_data use-after-free
        Input: i8042 - add ThinkPad S230u to i8042 reset list
        Revert "Input: i8042 - add ThinkPad S230u to i8042 nomux list"
        Input: dlink-dir685-touchkeys - fix a typo in driver name
        Input: xpad - add custom init packet for Xbox One S controllers
        Input: evdev - call input_flush_device() on release(), not flush()
        Input: i8042 - add ThinkPad S230u to i8042 nomux list
        Input: usbtouchscreen - add support for BonXeon TP
        Input: cros_ec_keyb - use cros_ec_cmd_xfer_status helper
        Input: mms114 - fix handling of mms345l
        Input: elants_i2c - support palm detection
      d16eea2f
    • Linus Torvalds's avatar
      Merge tag 'csky-for-linus-5.7-rc8' of git://github.com/c-sky/csky-linux · 6b5f2590
      Linus Torvalds authored
      Pull csky fixes from Guo Ren:
       "Another four fixes for csky:
      
         - fix req_syscall debug
      
         - fix abiv2 syscall_trace
      
         - fix preempt enable
      
         - clean up regs usage in entry.S"
      
      * tag 'csky-for-linus-5.7-rc8' of git://github.com/c-sky/csky-linux:
        csky: Fixup CONFIG_DEBUG_RSEQ
        csky: Coding convention in entry.S
        csky: Fixup abiv2 syscall_trace break a4 & a5
        csky: Fixup CONFIG_PREEMPT panic
      6b5f2590
    • Arnd Bergmann's avatar
      include/asm-generic/topology.h: guard cpumask_of_node() macro argument · 4377748c
      Arnd Bergmann authored
      drivers/hwmon/amd_energy.c:195:15: error: invalid operands to binary expression ('void' and 'int')
                                              (channel - data->nr_cpus));
                                              ~~~~~~~~~^~~~~~~~~~~~~~~~~
      include/asm-generic/topology.h:51:42: note: expanded from macro 'cpumask_of_node'
          #define cpumask_of_node(node)       ((void)node, cpu_online_mask)
                                                     ^~~~
      include/linux/cpumask.h:618:72: note: expanded from macro 'cpumask_first_and'
       #define cpumask_first_and(src1p, src2p) cpumask_next_and(-1, (src1p), (src2p))
                                                                             ^~~~~
      
      Fixes: f0b848ce ("cpumask: Introduce cpumask_of_{node,pcibus} to replace {node,pcibus}_to_cpumask")
      Fixes: 8abee956 ("hwmon: Add amd_energy driver to report energy counters")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Link: http://lkml.kernel.org/r/20200527134623.930247-1-arnd@arndb.deSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4377748c
    • Alexander Potapenko's avatar
      fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() · 1d605416
      Alexander Potapenko authored
      KMSAN reported uninitialized data being written to disk when dumping
      core.  As a result, several kilobytes of kmalloc memory may be written
      to the core file and then read by a non-privileged user.
      Reported-by: default avatarsam <sunhaoyl@outlook.com>
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com
      Link: https://github.com/google/kmsan/issues/76Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1d605416
    • Konstantin Khlebnikov's avatar
      mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() · 6988f31d
      Konstantin Khlebnikov authored
      Replace superfluous VM_BUG_ON() with comment about correct usage.
      
      Technically reverts commit 1d148e21 ("mm: add VM_BUG_ON_PAGE() to
      page_mapcount()"), but context lines have changed.
      
      Function isolate_migratepages_block() runs some checks out of lru_lock
      when choose pages for migration.  After checking PageLRU() it checks
      extra page references by comparing page_count() and page_mapcount().
      Between these two checks page could be removed from lru, freed and taken
      by slab.
      
      As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount().
      Race window is tiny.  For certain workload this happens around once a
      year.
      
          page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0
          flags: 0x500000000008100(slab|head)
          raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180
          raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
          page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
          ------------[ cut here ]------------
          kernel BUG at ./include/linux/mm.h:628!
          invalid opcode: 0000 [#1] SMP NOPTI
          CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G        W         4.19.109-27 #1
          Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019
          RIP: 0010:isolate_migratepages_block+0x986/0x9b0
      
      The code in isolate_migratepages_block() was added in commit
      119d6d59 ("mm, compaction: avoid isolating pinned pages") before
      adding VM_BUG_ON into page_mapcount().
      
      This race has been predicted in 2015 by Vlastimil Babka (see link
      below).
      
      [akpm@linux-foundation.org: comment tweaks, per Hugh]
      Fixes: 1d148e21 ("mm: add VM_BUG_ON_PAGE() to page_mapcount()")
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: David Rientjes <rientjes@google.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz
      Link: https://lore.kernel.org/lkml/557710E1.6060103@suse.cz/
      Link: https://lore.kernel.org/linux-mm/158937872515.474360.5066096871639561424.stgit@buzz/T/ (v1)
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6988f31d
    • Hugh Dickins's avatar
      mm,thp: stop leaking unreleased file pages · 2f33a706
      Hugh Dickins authored
      When collapse_file() calls try_to_release_page(), it has already isolated
      the page: so if releasing buffers happens to fail (as it sometimes does),
      remember to putback_lru_page(): otherwise that page is left unreclaimable
      and unfreeable, and the file extent uncollapsible.
      
      Fixes: 99cb0dbd ("mm,thp: add read-only THP support for (non-shmem) FS")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: <stable@vger.kernel.org>	[5.4+]
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2005231837500.1766@eggly.anvilsSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      2f33a706
    • Qian Cai's avatar
      mm/z3fold: silence kmemleak false positives of slots · af4798a5
      Qian Cai authored
      Kmemleak reported many leaks while under memory pressue in,
      
          slots = alloc_slots(pool, gfp);
      
      which is referenced by "zhdr" in init_z3fold_page(),
      
          zhdr->slots = slots;
      
      However, "zhdr" could be gone without freeing slots as the later will be
      freed separately when the last "handle" off of "handles" array is freed.
      It will be within "slots" which is always aligned.
      
        unreferenced object 0xc000000fdadc1040 (size 104):
        comm "oom04", pid 140476, jiffies 4295359280 (age 3454.970s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          z3fold_zpool_malloc+0x7b0/0xe10
          alloc_slots at mm/z3fold.c:214
          (inlined by) init_z3fold_page at mm/z3fold.c:412
          (inlined by) z3fold_alloc at mm/z3fold.c:1161
          (inlined by) z3fold_zpool_malloc at mm/z3fold.c:1735
          zpool_malloc+0x34/0x50
          zswap_frontswap_store+0x60c/0xda0
          zswap_frontswap_store at mm/zswap.c:1093
          __frontswap_store+0x128/0x330
          swap_writepage+0x58/0x110
          pageout+0x16c/0xa40
          shrink_page_list+0x1ac8/0x25c0
          shrink_inactive_list+0x270/0x730
          shrink_lruvec+0x444/0xf30
          shrink_node+0x2a4/0x9c0
          do_try_to_free_pages+0x158/0x640
          try_to_free_pages+0x1bc/0x5f0
          __alloc_pages_slowpath.constprop.60+0x4dc/0x15a0
          __alloc_pages_nodemask+0x520/0x650
          alloc_pages_vma+0xc0/0x420
          handle_mm_fault+0x1174/0x1bf0
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarVitaly Wool <vitaly.wool@konsulko.com>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Link: http://lkml.kernel.org/r/20200522220052.2225-1-cai@lca.pwSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      af4798a5
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.7-2020-05-27' of... · ed52a9b5
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.7-2020-05-27' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.7-2020-05-27:
      
      amdgpu:
      - Display atomic test fix
      - Fix soft hang in display vupdate code
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200527222700.4378-1-alexander.deucher@amd.com
      ed52a9b5
    • Guo Ren's avatar
      csky: Fixup CONFIG_DEBUG_RSEQ · f36e0aab
      Guo Ren authored
      Put the rseq_syscall check point at the prologue of the syscall
      will break the a0 ... a7. This will casue system call bug when
      DEBUG_RSEQ is enabled.
      
      So move it to the epilogue of syscall, but before syscall_trace.
      Signed-off-by: default avatarGuo Ren <guoren@linux.alibaba.com>
      f36e0aab
    • Guo Ren's avatar
      csky: Coding convention in entry.S · 20f69538
      Guo Ren authored
      There is no fixup or feature in the patch, we only cleanup with:
      
       - Remove unnecessary reg used (r11, r12), just use r9 & r10 &
         syscallid regs as temp useage.
       - Add _TIF_SYSCALL_WORK and _TIF_WORK_MASK to gather macros.
      Signed-off-by: default avatarGuo Ren <guoren@linux.alibaba.com>
      20f69538
    • Guo Ren's avatar
      csky: Fixup abiv2 syscall_trace break a4 & a5 · e0bbb538
      Guo Ren authored
      Current implementation could destory a4 & a5 when strace, so we need to get them
      from pt_regs by SAVE_ALL.
      Signed-off-by: default avatarGuo Ren <guoren@linux.alibaba.com>
      e0bbb538
    • Guo Ren's avatar
      csky: Fixup CONFIG_PREEMPT panic · 90089759
      Guo Ren authored
      log:
      [    0.13373200] Calibrating delay loop...
      [    0.14077600] ------------[ cut here ]------------
      [    0.14116700] WARNING: CPU: 0 PID: 0 at kernel/sched/core.c:3790 preempt_count_add+0xc8/0x11c
      [    0.14348000] DEBUG_LOCKS_WARN_ON((preempt_count() < 0))Modules linked in:
      [    0.14395100] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0 #7
      [    0.14410800]
      [    0.14427400] Call Trace:
      [    0.14450700] [<807cd226>] dump_stack+0x8a/0xe4
      [    0.14473500] [<80072792>] __warn+0x10e/0x15c
      [    0.14495900] [<80072852>] warn_slowpath_fmt+0x72/0xc0
      [    0.14518600] [<800a5240>] preempt_count_add+0xc8/0x11c
      [    0.14544900] [<807ef918>] _raw_spin_lock+0x28/0x68
      [    0.14572600] [<800e0eb8>] vprintk_emit+0x84/0x2d8
      [    0.14599000] [<800e113a>] vprintk_default+0x2e/0x44
      [    0.14625100] [<800e2042>] vprintk_func+0x12a/0x1d0
      [    0.14651300] [<800e1804>] printk+0x30/0x48
      [    0.14677600] [<80008052>] lockdep_init+0x12/0xb0
      [    0.14703800] [<80002080>] start_kernel+0x558/0x7f8
      [    0.14730000] [<800052bc>] csky_start+0x58/0x94
      [    0.14756600] irq event stamp: 34
      [    0.14775100] hardirqs last  enabled at (33): [<80067370>] ret_from_exception+0x2c/0x72
      [    0.14793700] hardirqs last disabled at (34): [<800e0eae>] vprintk_emit+0x7a/0x2d8
      [    0.14812300] softirqs last  enabled at (32): [<800655b0>] __do_softirq+0x578/0x6d8
      [    0.14830800] softirqs last disabled at (25): [<8007b3b8>] irq_exit+0xec/0x128
      
      The preempt_count of reg could be destroyed after csky_do_IRQ without reload
      from memory.
      
      After reference to other architectures (arm64, riscv), we move preempt entry
      into ret_from_exception and disable irq at the beginning of
      ret_from_exception instead of RESTORE_ALL.
      Signed-off-by: default avatarGuo Ren <guoren@linux.alibaba.com>
      Reported-by: default avatarLu Baoquan <lu.baoquan@intellif.com>
      90089759
    • Valentine Fatiev's avatar
      IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode · 1acba6a8
      Valentine Fatiev authored
      When connected mode is set, and we have connected and datagram traffic in
      parallel, ipoib might crash with double free of datagram skb.
      
      The current mechanism assumes that the order in the completion queue is
      the same as the order of sent packets for all QPs. Order is kept only for
      specific QP, in case of mixed UD and CM traffic we have few QPs (one UD and
      few CM's) in parallel.
      
      The problem:
      ----------------------------------------------------------
      
      Transmit queue:
      -----------------
      UD skb pointer kept in queue itself, CM skb kept in spearate queue and
      uses transmit queue as a placeholder to count the number of total
      transmitted packets.
      
      0   1   2   3   4  5  6  7  8   9  10  11 12 13 .........127
      ------------------------------------------------------------
      NL ud1 UD2 CM1 ud3 cm2 cm3 ud4 cm4 ud5 NL NL NL ...........
      ------------------------------------------------------------
          ^                                  ^
         tail                               head
      
      Completion queue (problematic scenario) - the order not the same as in
      the transmit queue:
      
        1  2  3  4  5  6  7  8  9
      ------------------------------------
       ud1 CM1 UD2 ud3 cm2 cm3 ud4 cm4 ud5
      ------------------------------------
      
      1. CM1 'wc' processing
         - skb freed in cm separate ring.
         - tx_tail of transmit queue increased although UD2 is not freed.
           Now driver assumes UD2 index is already freed and it could be used for
           new transmitted skb.
      
      0   1   2   3   4  5  6  7  8   9  10  11 12 13 .........127
      ------------------------------------------------------------
      NL NL  UD2 CM1 ud3 cm2 cm3 ud4 cm4 ud5 NL NL NL ...........
      ------------------------------------------------------------
              ^   ^                       ^
            (Bad)tail                    head
      (Bad - Could be used for new SKB)
      
      In this case (due to heavy load) UD2 skb pointer could be replaced by new
      transmitted packet UD_NEW, as the driver assumes its free.  At this point
      we will have to process two 'wc' with same index but we have only one
      pointer to free.
      
      During second attempt to free the same skb we will have NULL pointer
      exception.
      
      2. UD2 'wc' processing
         - skb freed according the index we got from 'wc', but it was already
           overwritten by mistake. So actually the skb that was released is the
           skb of the new transmitted packet and not the original one.
      
      3. UD_NEW 'wc' processing
         - attempt to free already freed skb. NUll pointer exception.
      
      The fix:
      -----------------------------------------------------------------------
      
      The fix is to stop using the UD ring as a placeholder for CM packets, the
      cyclic ring variables tx_head and tx_tail will manage the UD tx_ring, a
      new cyclic variables global_tx_head and global_tx_tail are introduced for
      managing and counting the overall outstanding sent packets, then the send
      queue will be stopped and waken based on these variables only.
      
      Note that no locking is needed since global_tx_head is updated in the xmit
      flow and global_tx_tail is updated in the NAPI flow only.  A previous
      attempt tried to use one variable to count the outstanding sent packets,
      but it did not work since xmit and NAPI flows can run at the same time and
      the counter will be updated wrongly. Thus, we use the same simple cyclic
      head and tail scheme that we have today for the UD tx_ring.
      
      Fixes: 2c104ea6 ("IB/ipoib: Get rid of the tx_outstanding variable in all modes")
      Link: https://lore.kernel.org/r/20200527134705.480068-1-leon@kernel.orgSigned-off-by: default avatarValentine Fatiev <valentinef@mellanox.com>
      Signed-off-by: default avatarAlaa Hleihel <alaa@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Acked-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      1acba6a8
  3. 27 May, 2020 11 commits
  4. 26 May, 2020 6 commits
  5. 25 May, 2020 2 commits
  6. 24 May, 2020 1 commit