1. 30 Jul, 2020 1 commit
    • David Brazdil's avatar
      KVM: arm64: Ensure that all nVHE hyp code is in .hyp.text · bdbc0c7a
      David Brazdil authored
      Some compilers may put a subset of generated functions into '.text.*'
      ELF sections and the linker may leverage this division to optimize ELF
      layout. Unfortunately, the recently introduced HYPCOPY command assumes
      that all executable code (with the exception of specialized sections
      such as '.hyp.idmap.text') is in the '.text' section. If this
      assumption is broken, code in '.text.*' will be merged into kernel
      proper '.text' instead of the '.hyp.text' that is mapped in EL2.
      
      To ensure that this cannot happen, insert an OBJDUMP assertion into
      HYPCOPY. The command dumps a list of ELF sections in the input object
      file and greps for '.text.'. If found, compilation fails. Tested with
      both binutils' and LLVM's objdump (the output format is different).
      
      GCC offers '-fno-reorder-functions' to disable this behaviour. Select
      the flag if it is available. From inspection of GCC source (latest
      Git in July 2020), this flag does force all code into '.text'.
      By default, GCC uses profile data, heuristics and attributes to select
      a subsection.
      
      LLVM/Clang currently does not have a similar optimization pass. It can
      place static constructors into '.text.startup' and it's optimizer can
      be provided with profile data to reorder hot/cold functions. Neither
      of these is applicable to nVHE hyp code. If this changes in the future,
      the OBJDUMP assertion should alert users to the problem.
      Signed-off-by: default avatarDavid Brazdil <dbrazdil@google.com>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Link: https://lore.kernel.org/r/20200730132519.48787-1-dbrazdil@google.com
      bdbc0c7a
  2. 07 Jul, 2020 1 commit
    • Marc Zyngier's avatar
      KVM: arm64: Don't use has_vhe() for CHOOSE_HYP_SYM() · 6de7dd31
      Marc Zyngier authored
      The recently introduced CHOOSE_HYP_SYM() macro picks one symbol
      or another, depending on whether the kernel run as a VHE
      hypervisor or not. For that, it uses the has_vhe() helper, which
      is itself implemented as a final capability.
      
      Unfortunately, __copy_hyp_vect_bpi now indirectly uses CHOOSE_HYP_SYM
      to get the __bp_harden_hyp_vecs symbol, using has_vhe() in the process.
      At this stage, the capability isn't final and things explode:
      
      [    0.000000] ACPI: SRAT not present
      [    0.000000] percpu: Embedded 34 pages/cpu s101264 r8192 d29808 u139264
      [    0.000000] Detected PIPT I-cache on CPU0
      [    0.000000] ------------[ cut here ]------------
      [    0.000000] kernel BUG at arch/arm64/include/asm/cpufeature.h:459!
      [    0.000000] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [    0.000000] Modules linked in:
      [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.8.0-rc4-00080-gd630681366e5 #1388
      [    0.000000] pstate: 80000085 (Nzcv daIf -PAN -UAO BTYPE=--)
      [    0.000000] pc : check_branch_predictor+0x3a4/0x408
      [    0.000000] lr : check_branch_predictor+0x2a4/0x408
      [    0.000000] sp : ffff800011693e90
      [    0.000000] x29: ffff800011693e90 x28: ffff8000116a1530
      [    0.000000] x27: ffff8000112c1008 x26: ffff800010ca6ff8
      [    0.000000] x25: ffff8000112c1000 x24: ffff8000116a1320
      [    0.000000] x23: 0000000000000000 x22: ffff8000112c1000
      [    0.000000] x21: ffff800010177120 x20: ffff8000116ae108
      [    0.000000] x19: 0000000000000000 x18: ffff800011965c90
      [    0.000000] x17: 0000000000022000 x16: 0000000000000003
      [    0.000000] x15: 00000000ffffffff x14: ffff8000118c3a38
      [    0.000000] x13: 0000000000000021 x12: 0000000000000022
      [    0.000000] x11: d37a6f4de9bd37a7 x10: 000000000000001d
      [    0.000000] x9 : 0000000000000000 x8 : ffff800011f8dad8
      [    0.000000] x7 : ffff800011965ad0 x6 : 0000000000000003
      [    0.000000] x5 : 0000000000000000 x4 : 0000000000000000
      [    0.000000] x3 : 0000000000000100 x2 : 0000000000000004
      [    0.000000] x1 : ffff8000116ae148 x0 : 0000000000000000
      [    0.000000] Call trace:
      [    0.000000]  check_branch_predictor+0x3a4/0x408
      [    0.000000]  update_cpu_capabilities+0x84/0x138
      [    0.000000]  init_cpu_features+0x2c0/0x2d8
      [    0.000000]  cpuinfo_store_boot_cpu+0x54/0x64
      [    0.000000]  smp_prepare_boot_cpu+0x2c/0x60
      [    0.000000]  start_kernel+0x16c/0x574
      [    0.000000] Code: 17ffffc7 91010281 14000198 17ffffca (d4210000)
      
      This is addressed using a two-fold process:
      - Replace has_vhe() with is_kernel_in_hyp_mode(), which tests
        whether we are running at EL2.
      - Make CHOOSE_HYP_SYM() return an *undefined* symbol when
        compiled in the nVHE hypervisor, as we really should never
        use this helper in the nVHE-specific code.
      
      With this in place, we're back to a bootable kernel again.
      
      Fixes: b877e984 ("KVM: arm64: Build hyp-entry.S separately for VHE/nVHE")
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      6de7dd31
  3. 05 Jul, 2020 15 commits
  4. 28 Jun, 2020 23 commits
    • Linus Torvalds's avatar
      Linux 5.8-rc3 · 9ebcfadb
      Linus Torvalds authored
      9ebcfadb
    • Linus Torvalds's avatar
      Merge tag 'arm-omap-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · f7db192b
      Linus Torvalds authored
      Pull ARM OMAP fixes from Arnd Bergmann:
       "The OMAP developers are particularly active at hunting down
        regressions, so this is a separate branch with OMAP specific
        fixes for v5.8:
      
        As Tony explains
          "The recent display subsystem (DSS) related platform data changes
           caused display related regressions for suspend and resume. Looks
           like I only tested suspend and resume before dropping the legacy
           platform data, and forgot to test it after dropping it. Turns out
           the main issue was that we no longer have platform code calling
           pm_runtime_suspend for DSS like we did for the legacy platform data
           case, and that fix is still being discussed on the dri-devel list
           and will get merged separately. The DSS related testing exposed a
           pile other other display related issues that also need fixing
           though":
      
         - Fix ti-sysc optional clock handling and reset status checks for
           devices that reset automatically in idle like DSS
      
         - Ignore ti-sysc clockactivity bit unless separately requested to
           avoid unexpected performance issues
      
         - Init ti-sysc framedonetv_irq to true and disable for am4
      
         - Avoid duplicate DSS reset for legacy mode with dts data
      
         - Remove LCD timings for am4 as they cause warnings now that we're
           using generic panels
      
        Other OMAP changes from Tony include:
      
         - Fix omap_prm reset deassert as we still have drivers setting the
           pm_runtime_irq_safe() flag
      
         - Flush posted write for ti-sysc enable and disable
      
         - Fix droid4 spi related errors with spi flags
      
         - Fix am335x USB range and a typo for softreset
      
         - Fix dra7 timer nodes for clocks for IPU and DSP
      
         - Drop duplicate mailboxes after mismerge for dra7
      
         - Prevent pocketgeagle header line signal from accidentally setting
           micro-SD write protection signal by removing the default mux
      
         - Fix NFSroot flakeyness after resume for duover by switching the
           smsc911x gpio interrupt to back to level sensitive
      
         - Fix regression for omap4 clockevent source after recent system
           timer changes
      
         - Yet another ethernet regression fix for the "rgmii" vs "rgmii-rxid"
           phy-mode
      
         - One patch to convert am3/am4 DT files to use the regular sdhci-omap
           driver instead of the old hsmmc driver, this was meant for the
           merge window but got lost in the process"
      
      * tag 'arm-omap-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (21 commits)
        ARM: dts: am5729: beaglebone-ai: fix rgmii phy-mode
        ARM: dts: Fix omap4 system timer source clocks
        ARM: dts: Fix duovero smsc interrupt for suspend
        ARM: dts: am335x-pocketbeagle: Fix mmc0 Write Protect
        Revert "bus: ti-sysc: Increase max softreset wait"
        ARM: dts: am437x-epos-evm: remove lcd timings
        ARM: dts: am437x-gp-evm: remove lcd timings
        ARM: dts: am437x-sk-evm: remove lcd timings
        ARM: dts: dra7-evm-common: Fix duplicate mailbox nodes
        ARM: dts: dra7: Fix timer nodes properly for timer_sys_ck clocks
        ARM: dts: Fix am33xx.dtsi ti,sysc-mask wrong softreset flag
        ARM: dts: Fix am33xx.dtsi USB ranges length
        bus: ti-sysc: Increase max softreset wait
        ARM: OMAP2+: Fix legacy mode dss_reset
        bus: ti-sysc: Fix uninitialized framedonetv_irq
        bus: ti-sysc: Ignore clockactivity unless specified as a quirk
        bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit
        ARM: dts: omap4-droid4: Fix spi configuration and increase rate
        bus: ti-sysc: Flush posted write on enable and disable
        soc: ti: omap-prm: use atomic iopoll instead of sleeping one
        ...
      f7db192b
    • Linus Torvalds's avatar
      Merge tag 'arm-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · e44b59cd
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Here are a couple of bug fixes, mostly for devicetree files
      
        NXP i.MX:
         - Use correct voltage on some i.MX8M board device trees to avoid
           hardware damage
         - Code fixes for a compiler warning and incorrect reference counting,
           both harmless.
         - Fix the i.MX8M SoC driver to correctly identify imx8mp
         - Fix watchdog configuration in imx6ul-kontron device tree.
      
        Broadcom:
         - A small regression fix for the Raspberry-Pi firmware driver
         - A Kconfig change to use the correct timer driver on Northstar
         - A DT fix for the Luxul XWC-2000 machine
         - Two more DT fixes for NSP SoCs
      
        STmicroelectronics STI
         - Revert one broken patch for L2 cache configuration
      
        ARM Versatile Express:
         - Fix a regression by reverting a broken DT cleanup
      
        TEE drivers:
         - MAINTAINERS: change tee mailing list"
      
      * tag 'arm-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        Revert "ARM: sti: Implement dummy L2 cache's write_sec"
        soc: imx8m: fix build warning
        ARM: imx6: add missing put_device() call in imx6q_suspend_init()
        ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
        soc: imx8m: Correct i.MX8MP UID fuse offset
        ARM: dts: imx6ul-kontron: Change WDOG_ANY signal from push-pull to open-drain
        ARM: dts: imx6ul-kontron: Move watchdog from Kontron i.MX6UL/ULL board to SoM
        arm64: dts: imx8mm-beacon: Fix voltages on LDO1 and LDO2
        arm64: dts: imx8mn-ddr4-evk: correct ldo1/ldo2 voltage range
        arm64: dts: imx8mm-evk: correct ldo1/ldo2 voltage range
        ARM: dts: NSP: Correct FA2 mailbox node
        ARM: bcm2835: Fix integer overflow in rpi_firmware_print_firmware_revision()
        MAINTAINERS: change tee mailing list
        ARM: dts: NSP: Disable PL330 by default, add dma-coherent property
        ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP
        ARM: dts: BCM5301X: Add missing memory "device_type" for Luxul XWC-2000
        arm: dts: vexpress: Move mcc node back into motherboard node
      e44b59cd
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 668f532d
      Linus Torvalds authored
      Pull timer fix from Ingo Molnar:
       "A single DocBook fix"
      
      * tag 'timers-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        timekeeping: Fix kerneldoc system_device_crosststamp & al
      668f532d
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ae71d4bf
      Linus Torvalds authored
      Pull perf fix from Ingo Molnar:
       "A single Kbuild dependency fix"
      
      * tag 'perf-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/rapl: Fix RAPL config variable bug
      ae71d4bf
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · bc53f67d
      Linus Torvalds authored
      Pull EFI fixes from Ingo Molnar:
      
       - Fix build regression on v4.8 and older
      
       - Robustness fix for TPM log parsing code
      
       - kobject refcount fix for the ESRT parsing code
      
       - Two efivarfs fixes to make it behave more like an ordinary file
         system
      
       - Style fixup for zero length arrays
      
       - Fix a regression in path separator handling in the initrd loader
      
       - Fix a missing prototype warning
      
       - Add some kerneldoc headers for newly introduced stub routines
      
       - Allow support for SSDT overrides via EFI variables to be disabled
      
       - Report CPU mode and MMU state upon entry for 32-bit ARM
      
       - Use the correct stack pointer alignment when entering from mixed mode
      
      * tag 'efi-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/libstub: arm: Print CPU boot mode and MMU state at boot
        efi/libstub: arm: Omit arch specific config table matching array on arm64
        efi/x86: Setup stack correctly for efi_pe_entry
        efi: Make it possible to disable efivar_ssdt entirely
        efi/libstub: Descriptions for stub helper functions
        efi/libstub: Fix path separator regression
        efi/libstub: Fix missing-prototype warning for skip_spaces()
        efi: Replace zero-length array and use struct_size() helper
        efivarfs: Don't return -EINTR when rate-limiting reads
        efivarfs: Update inode modification time for successful writes
        efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
        efi/tpm: Verify event log header before parsing
        efi/x86: Fix build with gcc 4
      bc53f67d
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 91a9a90d
      Linus Torvalds authored
      Pull scheduler fixes from Borislav Petkov:
       "The most anticipated fix in this pull request is probably the horrible
        build fix for the RANDSTRUCT fail that didn't make -rc2. Also included
        is the cleanup that removes those BUILD_BUG_ON()s and replaces it with
        ugly unions.
      
        Also included is the try_to_wake_up() race fix that was first
        triggered by Paul's RCU-torture runs, but was independently hit by
        Dave Chinner's fstest runs as well"
      
      * tag 'sched_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/cfs: change initial value of runnable_avg
        smp, irq_work: Continue smp_call_function*() and irq_work*() integration
        sched/core: s/WF_ON_RQ/WQ_ON_CPU/
        sched/core: Fix ttwu() race
        sched/core: Fix PI boosting between RT and DEADLINE tasks
        sched/deadline: Initialize ->dl_boosted
        sched/core: Check cpus_mask, not cpus_ptr in __set_cpus_allowed_ptr(), to fix mask corruption
        sched/core: Fix CONFIG_GCC_PLUGIN_RANDSTRUCT build fail
      91a9a90d
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 098c7938
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - AMD Memory bandwidth counter width fix, by Babu Moger.
      
       - Use the proper length type in the 32-bit truncate() syscall variant,
         by Jiri Slaby.
      
       - Reinit IA32_FEAT_CTL during wakeup to fix the case where after
         resume, VMXON would #GP due to VMX not being properly enabled, by
         Sean Christopherson.
      
       - Fix a static checker warning in the resctrl code, by Dan Carpenter.
      
       - Add a CR4 pinning mask for bits which cannot change after boot, by
         Kees Cook.
      
       - Align the start of the loop of __clear_user() to 16 bytes, to improve
         performance on AMD zen1 and zen2 microarchitectures, by Matt Fleming.
      
      * tag 'x86_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/asm/64: Align start of __clear_user() loop to 16-bytes
        x86/cpu: Use pinning mask for CR4 bits needing to be 0
        x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
        x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup
        syscalls: Fix offset type of ksys_ftruncate()
        x86/resctrl: Fix memory bandwidth counter width for AMD
      098c7938
    • Linus Torvalds's avatar
      Merge tag 'rcu_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c141b30e
      Linus Torvalds authored
      Pull RCU-vs-KCSAN fixes from Borislav Petkov:
       "A single commit that uses "arch_" atomic operations to avoid the
        instrumentation that comes with the non-"arch_" versions.
      
        In preparation for that commit, it also has another commit that makes
        these "arch_" atomic operations available to generic code.
      
        Without these commits, KCSAN uses can see pointless errors"
      
      * tag 'rcu_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rcu: Fixup noinstr warnings
        locking/atomics: Provide the arch_atomic_ interface to generic code
      c141b30e
    • Linus Torvalds's avatar
      Merge tag 'objtool_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7ecb59a5
      Linus Torvalds authored
      Pull objtool fixes from Borislav Petkov:
       "Three fixes from Peter Zijlstra suppressing KCOV instrumentation in
        noinstr sections.
      
        Peter Zijlstra says:
          "Address KCOV vs noinstr. There is no function attribute to
           selectively suppress KCOV instrumentation, instead teach objtool
           to NOP out the calls in noinstr functions"
      
        This cures a bunch of KCOV crashes (as used by syzcaller)"
      
      * tag 'objtool_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Fix noinstr vs KCOV
        objtool: Provide elf_write_{insn,reloc}()
        objtool: Clean up elf_write() condition
      7ecb59a5
    • Linus Torvalds's avatar
      Merge tag 'x86_entry_for_5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a358505d
      Linus Torvalds authored
      Pull x86 entry fixes from Borislav Petkov:
       "This is the x86/entry urgent pile which has accumulated since the
        merge window.
      
        It is not the smallest but considering the almost complete entry core
        rewrite, the amount of fixes to follow is somewhat higher than usual,
        which is to be expected.
      
        Peter Zijlstra says:
         'These patches address a number of instrumentation issues that were
          found after the x86/entry overhaul. When combined with rcu/urgent
          and objtool/urgent, these patches make UBSAN/KASAN/KCSAN happy
          again.
      
          Part of making this all work is bumping the minimum GCC version for
          KASAN builds to gcc-8.3, the reason for this is that the
          __no_sanitize_address function attribute is broken in GCC releases
          before that.
      
          No known GCC version has a working __no_sanitize_undefined, however
          because the only noinstr violation that results from this happens
          when an UB is found, we treat it like WARN. That is, we allow it to
          violate the noinstr rules in order to get the warning out'"
      
      * tag 'x86_entry_for_5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/entry: Fix #UD vs WARN more
        x86/entry: Increase entry_stack size to a full page
        x86/entry: Fixup bad_iret vs noinstr
        objtool: Don't consider vmlinux a C-file
        kasan: Fix required compiler version
        compiler_attributes.h: Support no_sanitize_undefined check with GCC 4
        x86/entry, bug: Comment the instrumentation_begin() usage for WARN()
        x86/entry, ubsan, objtool: Whitelist __ubsan_handle_*()
        x86/entry, cpumask: Provide non-instrumented variant of cpu_is_offline()
        compiler_types.h: Add __no_sanitize_{address,undefined} to noinstr
        kasan: Bump required compiler version
        x86, kcsan: Add __no_kcsan to noinstr
        kcsan: Remove __no_kcsan_or_inline
        x86, kcsan: Remove __no_kcsan_or_inline usage
      a358505d
    • Vincent Guittot's avatar
      sched/cfs: change initial value of runnable_avg · e21cf434
      Vincent Guittot authored
      Some performance regression on reaim benchmark have been raised with
        commit 070f5e86 ("sched/fair: Take into account runnable_avg to classify group")
      
      The problem comes from the init value of runnable_avg which is initialized
      with max value. This can be a problem if the newly forked task is finally
      a short task because the group of CPUs is wrongly set to overloaded and
      tasks are pulled less agressively.
      
      Set initial value of runnable_avg equals to util_avg to reflect that there
      is no waiting time so far.
      
      Fixes: 070f5e86 ("sched/fair: Take into account runnable_avg to classify group")
      Reported-by: default avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: default avatarVincent Guittot <vincent.guittot@linaro.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20200624154422.29166-1-vincent.guittot@linaro.org
      e21cf434
    • Peter Zijlstra's avatar
      smp, irq_work: Continue smp_call_function*() and irq_work*() integration · 8c4890d1
      Peter Zijlstra authored
      Instead of relying on BUG_ON() to ensure the various data structures
      line up, use a bunch of horrible unions to make it all automatic.
      
      Much of the union magic is to ensure irq_work and smp_call_function do
      not (yet) see the members of their respective data structures change
      name.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarFrederic Weisbecker <frederic@kernel.org>
      Link: https://lkml.kernel.org/r/20200622100825.844455025@infradead.org
      8c4890d1
    • Peter Zijlstra's avatar
      sched/core: s/WF_ON_RQ/WQ_ON_CPU/ · 739f70b4
      Peter Zijlstra authored
      Use a better name for this poorly named flag, to avoid confusion...
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Link: https://lkml.kernel.org/r/20200622100825.785115830@infradead.org
      739f70b4
    • Peter Zijlstra's avatar
      sched/core: Fix ttwu() race · b6e13e85
      Peter Zijlstra authored
      Paul reported rcutorture occasionally hitting a NULL deref:
      
        sched_ttwu_pending()
          ttwu_do_wakeup()
            check_preempt_curr() := check_preempt_wakeup()
              find_matching_se()
                is_same_group()
                  if (se->cfs_rq == pse->cfs_rq) <-- *BOOM*
      
      Debugging showed that this only appears to happen when we take the new
      code-path from commit:
      
        2ebb1771 ("sched/core: Offload wakee task activation if it the wakee is descheduling")
      
      and only when @cpu == smp_processor_id(). Something which should not
      be possible, because p->on_cpu can only be true for remote tasks.
      Similarly, without the new code-path from commit:
      
        c6e7bd7a ("sched/core: Optimize ttwu() spinning on p->on_cpu")
      
      this would've unconditionally hit:
      
        smp_cond_load_acquire(&p->on_cpu, !VAL);
      
      and if: 'cpu == smp_processor_id() && p->on_cpu' is possible, this
      would result in an instant live-lock (with IRQs disabled), something
      that hasn't been reported.
      
      The NULL deref can be explained however if the task_cpu(p) load at the
      beginning of try_to_wake_up() returns an old value, and this old value
      happens to be smp_processor_id(). Further assume that the p->on_cpu
      load accurately returns 1, it really is still running, just not here.
      
      Then, when we enqueue the task locally, we can crash in exactly the
      observed manner because p->se.cfs_rq != rq->cfs_rq, because p's cfs_rq
      is from the wrong CPU, therefore we'll iterate into the non-existant
      parents and NULL deref.
      
      The closest semi-plausible scenario I've managed to contrive is
      somewhat elaborate (then again, actual reproduction takes many CPU
      hours of rcutorture, so it can't be anything obvious):
      
      					X->cpu = 1
      					rq(1)->curr = X
      
      	CPU0				CPU1				CPU2
      
      					// switch away from X
      					LOCK rq(1)->lock
      					smp_mb__after_spinlock
      					dequeue_task(X)
      					  X->on_rq = 9
      					switch_to(Z)
      					  X->on_cpu = 0
      					UNLOCK rq(1)->lock
      
      									// migrate X to cpu 0
      									LOCK rq(1)->lock
      									dequeue_task(X)
      									set_task_cpu(X, 0)
      									  X->cpu = 0
      									UNLOCK rq(1)->lock
      
      									LOCK rq(0)->lock
      									enqueue_task(X)
      									  X->on_rq = 1
      									UNLOCK rq(0)->lock
      
      	// switch to X
      	LOCK rq(0)->lock
      	smp_mb__after_spinlock
      	switch_to(X)
      	  X->on_cpu = 1
      	UNLOCK rq(0)->lock
      
      	// X goes sleep
      	X->state = TASK_UNINTERRUPTIBLE
      	smp_mb();			// wake X
      					ttwu()
      					  LOCK X->pi_lock
      					  smp_mb__after_spinlock
      
      					  if (p->state)
      
      					  cpu = X->cpu; // =? 1
      
      					  smp_rmb()
      
      	// X calls schedule()
      	LOCK rq(0)->lock
      	smp_mb__after_spinlock
      	dequeue_task(X)
      	  X->on_rq = 0
      
      					  if (p->on_rq)
      
      					  smp_rmb();
      
      					  if (p->on_cpu && ttwu_queue_wakelist(..)) [*]
      
      					  smp_cond_load_acquire(&p->on_cpu, !VAL)
      
      					  cpu = select_task_rq(X, X->wake_cpu, ...)
      					  if (X->cpu != cpu)
      	switch_to(Y)
      	  X->on_cpu = 0
      	UNLOCK rq(0)->lock
      
      However I'm having trouble convincing myself that's actually possible
      on x86_64 -- after all, every LOCK implies an smp_mb() there, so if ttwu
      observes ->state != RUNNING, it must also observe ->cpu != 1.
      
      (Most of the previous ttwu() races were found on very large PowerPC)
      
      Nevertheless, this fully explains the observed failure case.
      
      Fix it by ordering the task_cpu(p) load after the p->on_cpu load,
      which is easy since nothing actually uses @cpu before this.
      
      Fixes: c6e7bd7a ("sched/core: Optimize ttwu() spinning on p->on_cpu")
      Reported-by: default avatarPaul E. McKenney <paulmck@kernel.org>
      Tested-by: default avatarPaul E. McKenney <paulmck@kernel.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lkml.kernel.org/r/20200622125649.GC576871@hirez.programming.kicks-ass.net
      b6e13e85
    • Juri Lelli's avatar
      sched/core: Fix PI boosting between RT and DEADLINE tasks · 740797ce
      Juri Lelli authored
      syzbot reported the following warning:
      
       WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628
       enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504
      
      At deadline.c:628 we have:
      
       623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
       624 {
       625 	struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
       626 	struct rq *rq = rq_of_dl_rq(dl_rq);
       627
       628 	WARN_ON(dl_se->dl_boosted);
       629 	WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
              [...]
           }
      
      Which means that setup_new_dl_entity() has been called on a task
      currently boosted. This shouldn't happen though, as setup_new_dl_entity()
      is only called when the 'dynamic' deadline of the new entity
      is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this
      condition.
      
      Digging through the PI code I noticed that what above might in fact happen
      if an RT tasks blocks on an rt_mutex hold by a DEADLINE task. In the
      first branch of boosting conditions we check only if a pi_task 'dynamic'
      deadline is earlier than mutex holder's and in this case we set mutex
      holder to be dl_boosted. However, since RT 'dynamic' deadlines are only
      initialized if such tasks get boosted at some point (or if they become
      DEADLINE of course), in general RT 'dynamic' deadlines are usually equal
      to 0 and this verifies the aforementioned condition.
      
      Fix it by checking that the potential donor task is actually (even if
      temporary because in turn boosted) running at DEADLINE priority before
      using its 'dynamic' deadline value.
      
      Fixes: 2d3d891d ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
      Reported-by: syzbot+119ba87189432ead09b4@syzkaller.appspotmail.com
      Signed-off-by: default avatarJuri Lelli <juri.lelli@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      Tested-by: default avatarDaniel Wagner <dwagner@suse.de>
      Link: https://lkml.kernel.org/r/20181119153201.GB2119@localhost.localdomain
      740797ce
    • Juri Lelli's avatar
      sched/deadline: Initialize ->dl_boosted · ce9bc3b2
      Juri Lelli authored
      syzbot reported the following warning triggered via SYSC_sched_setattr():
      
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 setup_new_dl_entity /kernel/sched/deadline.c:594 [inline]
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_dl_entity /kernel/sched/deadline.c:1370 [inline]
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_task_dl+0x1c17/0x2ba0 /kernel/sched/deadline.c:1441
      
      This happens because the ->dl_boosted flag is currently not initialized by
      __dl_clear_params() (unlike the other flags) and setup_new_dl_entity()
      rightfully complains about it.
      
      Initialize dl_boosted to 0.
      
      Fixes: 2d3d891d ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
      Reported-by: syzbot+5ac8bac25f95e8b221e7@syzkaller.appspotmail.com
      Signed-off-by: default avatarJuri Lelli <juri.lelli@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Tested-by: default avatarDaniel Wagner <dwagner@suse.de>
      Link: https://lkml.kernel.org/r/20200617072919.818409-1-juri.lelli@redhat.com
      ce9bc3b2
    • Scott Wood's avatar
      sched/core: Check cpus_mask, not cpus_ptr in __set_cpus_allowed_ptr(), to fix mask corruption · fd844ba9
      Scott Wood authored
      This function is concerned with the long-term CPU mask, not the
      transitory mask the task might have while migrate disabled.  Before
      this patch, if a task was migrate-disabled at the time
      __set_cpus_allowed_ptr() was called, and the new mask happened to be
      equal to the CPU that the task was running on, then the mask update
      would be lost.
      Signed-off-by: default avatarScott Wood <swood@redhat.com>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lkml.kernel.org/r/20200617121742.cpxppyi7twxmpin7@linutronix.de
      fd844ba9
    • Peter Zijlstra's avatar
      sched/core: Fix CONFIG_GCC_PLUGIN_RANDSTRUCT build fail · 4f311afc
      Peter Zijlstra authored
      As a temporary build fix, the proper cleanup needs more work.
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reported-by: default avatarEric Biggers <ebiggers@kernel.org>
      Suggested-by: default avatarEric Biggers <ebiggers@kernel.org>
      Suggested-by: default avatarKees Cook <keescook@chromium.org>
      Fixes: a1488664 ("sched: Replace rq::wake_list")
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4f311afc
    • Arnd Bergmann's avatar
      Merge tag 'imx-fixes-5.8' of... · 42d3f7e8
      Arnd Bergmann authored
      Merge tag 'imx-fixes-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes
      
      i.MX fixes for 5.8:
      
      - Fix LDO1 and LDO2 voltage range for a couple of i.MX8M board device
        trees.
      - Fix i.MX8MP UID fuse offset in i.MX8M SoC driver.
      - Fix watchdog configuration in imx6ul-kontron device tree.
      - Fix one build warning seen on building soc-imx8m driver with
        x86_64-randconfig.
      - Add missing put_device() call for a couple of mach-imx PM functions.
      
      * tag 'imx-fixes-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
        soc: imx8m: fix build warning
        ARM: imx6: add missing put_device() call in imx6q_suspend_init()
        ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
        soc: imx8m: Correct i.MX8MP UID fuse offset
        ARM: dts: imx6ul-kontron: Change WDOG_ANY signal from push-pull to open-drain
        ARM: dts: imx6ul-kontron: Move watchdog from Kontron i.MX6UL/ULL board to SoM
        arm64: dts: imx8mm-beacon: Fix voltages on LDO1 and LDO2
        arm64: dts: imx8mn-ddr4-evk: correct ldo1/ldo2 voltage range
        arm64: dts: imx8mm-evk: correct ldo1/ldo2 voltage range
      
      Link: https://lore.kernel.org/r/20200624111725.GA24312@dragonSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      42d3f7e8
    • Arnd Bergmann's avatar
      Merge tag 'arm-soc/for-5.8/drivers-fixes' of https://github.com/Broadcom/stblinux into arm/fixes · 2596ce4b
      Arnd Bergmann authored
      This pull request contains Broadcom ARM/ARM64/MIPS SoCs drivers fixes
      for 5.8, please pull the following:
      
      - Andy provides a fix for the Raspberry Pi firmware driver to print the
        correct time upon boot. This is a fallout from a converstion to use
        the ptT format
      
      * tag 'arm-soc/for-5.8/drivers-fixes' of https://github.com/Broadcom/stblinux:
        ARM: bcm2835: Fix integer overflow in rpi_firmware_print_firmware_revision()
      
      Link: https://lore.kernel.org/r/20200619202250.19029-2-f.fainelli@gmail.comSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      2596ce4b
    • Arnd Bergmann's avatar
      Merge tag 'arm-soc/for-5.8/soc-fixes' of https://github.com/Broadcom/stblinux into arm/fixes · 6d89c73c
      Arnd Bergmann authored
      This pull request contains Broadcom ARM-based SoCs machine/Kconfig fixes
      for 5.8, please pull the following:
      
      - Matthew adds a missing select to permit the use of the standard ARM
        SP804 timers on Norsthstar Plus (NSP)
      
      * tag 'arm-soc/for-5.8/soc-fixes' of https://github.com/Broadcom/stblinux:
        ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP
      
      Link: https://lore.kernel.org/r/20200619202250.19029-3-f.fainelli@gmail.comSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      6d89c73c
    • Arnd Bergmann's avatar
      Merge tag 'arm-soc/for-5.8/devicetree-fixes' of https://github.com/Broadcom/stblinux into arm/fixes · 275087fc
      Arnd Bergmann authored
      This pull request contains Broadcom ARM-based SoCs Device Tree fixes for
      5.8, please pull the following:
      
      - Rafal adds a missing 'device_type' property to the Luxul XWC-2000
        required for the memory nodes to be correctly parsed by Linux
      
      - Matthew provides two fixes for the NSP SoCs, one to disable the PL330
        DMA controller by default since it can be left in reset by the
        bootloader and the second to correct the flow accelerator mailbox node
      
      * tag 'arm-soc/for-5.8/devicetree-fixes' of https://github.com/Broadcom/stblinux:
        ARM: dts: NSP: Correct FA2 mailbox node
        ARM: dts: NSP: Disable PL330 by default, add dma-coherent property
        ARM: dts: BCM5301X: Add missing memory "device_type" for Luxul XWC-2000
      
      Link: https://lore.kernel.org/r/20200619202250.19029-1-f.fainelli@gmail.comSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      275087fc