-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0lmYwACgkQONu9yGCS
aT4h5w//ZG0BYEwxoa4Qc8rwvncnk78miK/VRH5JVTiToDqTuttHZQoMp+NLD2fQ
V679f/2+VqEPn8o6yJsrbM8uea0iIratI8U6L2OEt6TKPbar3CPcRUPJeqlPWkej
tf3qjAtvNNjLcl7xCYt9JNvpF4RwA8rLWWP5hZyYMi7xcMiB0FOriTlVJYHJ0PLK
Iqg+edkBxKwx7mvFlZnJkT0ln5hCqT4QBq2XrOYGUfy2Ans5Ytg5dhhp41QDD6iu
oE4mS+fybCzNOR3BWl7pfpeJRg8TKq4XNzYsQr9ftt2e3OZxOi3Jg+RLsgzjJB9P
1aTsuSzSeMXVGrAwRpBAot7TC+8F88sci0gibh4pg5N0ujGdvRW4gyzYHtdKhsTc
wmjYMKbAxJWwz0vkRp1aSnUMSRur4Wo3qCWaOWpjkP4xhSBTTER5e5cqeuVSWde5
FaD8s0yjnQsUaH3oxZ7zDL//MR0N+C4Izs9c2A8HkdksWTdTvI7YX8c766iIZgrm
JFV0FIZYIHAyuXT04W9n3VSvV4tLS+ouwYZpgG09oK0lBA8NT6RyZWzijY3VE0ed
Kl+t6iu02qZgZrvnq4pHUVnLQtw7KfyL3mzeljVxEeaTbGODPOJfypY1OMfhWYw+
dIlmsmfa2aANf5wttl8CjLkAIIG3JmuWO2exMQidvXlGCE+rKVM=
=u7q2
-----END PGP SIGNATURE-----
Merge 4.19.58 into android-4.19
Changes in 4.19.58
Bluetooth: Fix faulty expression for minimum encryption key size check
block: Fix a NULL pointer dereference in generic_make_request()
md/raid0: Do not bypass blocking queue entered for raid0 bios
netfilter: nf_flow_table: ignore DF bit setting
netfilter: nft_flow_offload: set liberal tracking mode for tcp
netfilter: nft_flow_offload: don't offload when sequence numbers need adjustment
netfilter: nft_flow_offload: IPCB is only valid for ipv4 family
ASoC : cs4265 : readable register too low
ASoC: ak4458: add return value for ak4458_probe
ASoC: soc-pcm: BE dai needs prepare when pause release after resume
ASoC: ak4458: rstn_control - return a non-zero on error only
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
drm/mediatek: fix unbind functions
drm/mediatek: unbind components in mtk_drm_unbind()
drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver
drm/mediatek: clear num_pipes when unbind driver
drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable()
ASoC: max98090: remove 24-bit format support if RJ is 0
ASoC: sun4i-i2s: Fix sun8i tx channel offset mask
ASoC: sun4i-i2s: Add offset to RX channel select
x86/CPU: Add more Icelake model numbers
usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
ALSA: hdac: fix memory release for SST and SOF drivers
SoC: rt274: Fix internal jack assignment in set_jack callback
scsi: hpsa: correct ioaccel2 chaining
drm: panel-orientation-quirks: Add quirk for GPD pocket2
drm: panel-orientation-quirks: Add quirk for GPD MicroPC
platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi
platform/x86: intel-vbtn: Report switch events when event wakes device
platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration
platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow
i2c: pca-platform: Fix GPIO lookup code
cpuset: restore sanity to cpuset_cpus_allowed_fallback()
scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
mm/mlock.c: change count_mm_mlocked_page_nr return type
tracing: avoid build warning with HAVE_NOP_MCOUNT
module: Fix livepatch/ftrace module text permissions race
ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper()
drm/i915/dmc: protect against reading random memory
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
crypto: user - prevent operating on larval algorithms
crypto: cryptd - Fix skcipher instance memory leak
ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
ALSA: line6: Fix write on zero-sized buffer
ALSA: usb-audio: fix sign unintended sign extension on left shifts
ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
ALSA: hda/realtek - Change front mic location for Lenovo M710q
lib/mpi: Fix karactx leak in mpi_powm
fs/userfaultfd.c: disable irqs for fault_pending and event locks
tracing/snapshot: Resize spare buffer if size changed
ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node
arm64: kaslr: keep modules inside module region when KASAN is enabled
drm/amd/powerplay: use hardware fan control if no powerplay fan table
drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
drm/etnaviv: add missing failure path to destroy suballoc
drm/imx: notify drm core before sending event during crtc disable
drm/imx: only send event on crtc disable if kept disabled
ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()
mm/vmscan.c: prevent useless kswapd loops
btrfs: Ensure replaced device doesn't have pending chunk allocation
tty: rocket: fix incorrect forward declaration of 'rp_init()'
mlxsw: spectrum: Handle VLAN device unlinking
net/smc: move unhash before release of clcsock
media: s5p-mfc: fix incorrect bus assignment in virtual child device
drm/fb-helper: generic: Don't take module ref for fbcon
f2fs: don't access node/meta inode mapping after iput
mac80211: mesh: fix missing unlock on error in table_path_del()
scsi: tcmu: fix use after free
selftests: fib_rule_tests: Fix icmp proto with ipv6
x86/boot/compressed/64: Do not corrupt EDX on EFER.LME=1 setting
net: hns: Fixes the missing put_device in positive leg for roce reset
ALSA: hda: Initialize power_state field properly
rds: Fix warning.
ip6: fix skb leak in ip6frag_expire_frag_queue()
netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
sc16is7xx: move label 'err_spi' to correct section
net: hns: fix unsigned comparison to less than zero
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
netfilter: ipv6: nf_defrag: accept duplicate fragments again
KVM: x86: degrade WARN to pr_warn_ratelimited
KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
nfsd: Fix overflow causing non-working mounts on 1 TB machines
svcrdma: Ignore source port when computing DRC hash
MIPS: Fix bounds check virt_addr_valid
MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
MIPS: have "plain" make calls build dtbs for selected platforms
dmaengine: qcom: bam_dma: Fix completed descriptors count
dmaengine: imx-sdma: remove BD_INTR for channel0
Linux 4.19.58
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit dffcac2cb88e4ec5906235d64a83d802580b119e upstream.
In production we have noticed hard lockups on large machines running
large jobs due to kswaps hoarding lru lock within isolate_lru_pages when
sc->reclaim_idx is 0 which is a small zone. The lru was couple hundred
GiBs and the condition (page_zonenum(page) > sc->reclaim_idx) in
isolate_lru_pages() was basically skipping GiBs of pages while holding
the LRU spinlock with interrupt disabled.
On further inspection, it seems like there are two issues:
(1) If kswapd on the return from balance_pgdat() could not sleep (i.e.
node is still unbalanced), the classzone_idx is unintentionally set
to 0 and the whole reclaim cycle of kswapd will try to reclaim only
the lowest and smallest zone while traversing the whole memory.
(2) Fundamentally isolate_lru_pages() is really bad when the
allocation has woken kswapd for a smaller zone on a very large machine
running very large jobs. It can hoard the LRU spinlock while skipping
over 100s of GiBs of pages.
This patch only fixes (1). (2) needs a more fundamental solution. To
fix (1), in the kswapd context, if pgdat->kswapd_classzone_idx is
invalid use the classzone_idx of the previous kswapd loop otherwise use
the one the waker has requested.
Link: http://lkml.kernel.org/r/20190701201847.251028-1-shakeelb@google.com
Fixes: e716f2eb24 ("mm, vmscan: prevent kswapd sleeping prematurely due to mismatched classzone_idx")
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Roman Gushchin <guro@fb.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 0874bb49bb21bf24deda853e8bf61b8325e24bcb ]
On a 64-bit machine the value of "vma->vm_end - vma->vm_start" may be
negative when using 32 bit ints and the "count >> PAGE_SHIFT"'s result
will be wrong. So change the local variable and return value to
unsigned long to fix the problem.
Link: http://lkml.kernel.org/r/20190513023701.83056-1-swkhack@gmail.com
Fixes: 0cf2f6f6dc ("mm: mlock: check against vma for actual mlock() size")
Signed-off-by: swkhack <swkhack@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0cjioACgkQONu9yGCS
aT4TNg//Sr2cN3HmcbJrjfNAifpjT1XRix0Qy0EOYMhieCh26SbHyB0yo/N0UMCK
iGv4ThqoBE+goK9bfb1F4CL0iMo88RM11lTy7UbemSQg2+MNJb8mvaq8YkpexTdw
SRgXT1kyOPoHVGCypTgQcKHLdLAuOkQQGCxccU0n+Vc006nLPI0b9yRvgUnUwzvY
EO9zLSfMLQhCcsLVoXLqaJ0AeU+VG5mkILjHZjcNElT+0T/LwoPO+VBLkuQt3KLp
BWe+N11xsc2ZR53jptpl9UU2aaUGIKeYttKgwj7rcqUuigk4hQ0AIZmZuQWzhgBu
6ERnKRgKARKQt4igxL5IsbIJiSK4/VJvuaR+26Sobc6zfDPQ0qfOuJaZeLYQjRQe
SXjLNXzozA1SV593o1atLhFeY+tGMRQ4dlFCE9x/gJ68v5dya+f0e7X+zP8+HV+v
u7pfgHT3Jb43D/G6H4sHE0VZZF4vh3Ba675Xp4NzOQOaFHJtQQUPCROiyYjJF6+H
2fgkwsokE8oFPgqWrYuOIzV9t5THjSNqhT7lyZ/LNDJiMTnJytqfQ01zbHoaHCAb
i5QB09x+72L7L/U9B9BGH+zEPTC2myw3dKmMv7kUxNx/3QKVDb/6cVnLnTWs4zrJ
lw52HzgB2aV8pRtvgg0OeHedJ8UGVYfVq2/YHUHbiukgZ61n3J8=
=OkFp
-----END PGP SIGNATURE-----
Merge 4.19.57 into android-4.19
Changes in 4.19.57
perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
perf help: Remove needless use of strncpy()
perf header: Fix unchecked usage of strncpy()
arm64: Don't unconditionally add -Wno-psabi to KBUILD_CFLAGS
Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP"
IB/hfi1: Close PSM sdma_progress sleep window
9p/xen: fix check for xenbus_read error in front_probe
9p: Use a slab for allocating requests
9p: embed fcall in req to round down buffer allocs
9p: add a per-client fcall kmem_cache
9p: rename p9_free_req() function
9p: Add refcount to p9_req_t
9p/rdma: do not disconnect on down_interruptible EAGAIN
9p: Rename req to rreq in trans_fd
9p: acl: fix uninitialized iattr access
9p/rdma: remove useless check in cm_event_handler
9p: p9dirent_read: check network-provided name length
9p: potential NULL dereference
9p/trans_fd: abort p9_read_work if req status changed
9p/trans_fd: put worker reqs on destroy
net/9p: include trans_common.h to fix missing prototype warning.
qmi_wwan: Fix out-of-bounds read
Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup"
usb: dwc3: gadget: combine unaligned and zero flags
usb: dwc3: gadget: track number of TRBs per request
usb: dwc3: gadget: use num_trbs when skipping TRBs on ->dequeue()
usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()
usb: dwc3: gadget: introduce cancelled_list
usb: dwc3: gadget: move requests to cancelled_list
usb: dwc3: gadget: remove wait_end_transfer
usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
fs/proc/array.c: allow reporting eip/esp for all coredumping threads
mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask
fs/binfmt_flat.c: make load_flat_shared_library() work
clk: socfpga: stratix10: fix divider entry for the emac clocks
mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails
mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on !PageHuge
mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
dm log writes: make sure super sector log updates are written in order
scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
x86/speculation: Allow guests to use SSBD even if host does not
x86/microcode: Fix the microcode load on CPU hotplug for real
x86/resctrl: Prevent possible overrun during bitmap operations
KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT
NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O
cpu/speculation: Warn on unsupported mitigations= parameter
SUNRPC: Clean up initialisation of the struct rpc_rqst
irqchip/mips-gic: Use the correct local interrupt map registers
eeprom: at24: fix unexpected timeout under high load
af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
bonding: Always enable vlan tx offload
ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
net/packet: fix memory leak in packet_set_ring()
net: remove duplicate fetch in sock_getsockopt
net: stmmac: fixed new system time seconds value calculation
net: stmmac: set IC bit when transmitting frames with HW timestamp
sctp: change to hold sk after auth shkey is created successfully
team: Always enable vlan tx offload
tipc: change to use register_pernet_device
tipc: check msg->req data len in tipc_nl_compat_bearer_disable
tun: wake up waitqueues after IFF_UP is set
bpf: simplify definition of BPF_FIB_LOOKUP related flags
bpf: lpm_trie: check left child of last leftmost node for NULL
bpf: fix nested bpf tracepoints with per-cpu data
bpf: fix unconnected udp hooks
bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg()
bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd
futex: Update comments and docs about return values of arch futex code
RDMA: Directly cast the sockaddr union to sockaddr
tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
usb: dwc3: Reset num_trbs after skipping
arm64: insn: Fix ldadd instruction encoding
Linux 4.19.57
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit faf53def3b143df11062d87c12afe6afeb6f8cc7 upstream.
madvise(MADV_SOFT_OFFLINE) often returns -EBUSY when calling soft offline
for hugepages with overcommitting enabled. That was caused by the
suboptimal code in current soft-offline code. See the following part:
ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
MIGRATE_SYNC, MR_MEMORY_FAILURE);
if (ret) {
...
} else {
/*
* We set PG_hwpoison only when the migration source hugepage
* was successfully dissolved, because otherwise hwpoisoned
* hugepage remains on free hugepage list, then userspace will
* find it as SIGBUS by allocation failure. That's not expected
* in soft-offlining.
*/
ret = dissolve_free_huge_page(page);
if (!ret) {
if (set_hwpoison_free_buddy_page(page))
num_poisoned_pages_inc();
}
}
return ret;
Here dissolve_free_huge_page() returns -EBUSY if the migration source page
was freed into buddy in migrate_pages(), but even in that case we actually
has a chance that set_hwpoison_free_buddy_page() succeeds. So that means
current code gives up offlining too early now.
dissolve_free_huge_page() checks that a given hugepage is suitable for
dissolving, where we should return success for !PageHuge() case because
the given hugepage is considered as already dissolved.
This change also affects other callers of dissolve_free_huge_page(), which
are cleaned up together.
[n-horiguchi@ah.jp.nec.com: v3]
Link: http://lkml.kernel.org/r/1560761476-4651-3-git-send-email-n-horiguchi@ah.jp.nec.comLink: http://lkml.kernel.org/r/1560154686-18497-3-git-send-email-n-horiguchi@ah.jp.nec.com
Fixes: 6bc9b56433 ("mm: fix race on soft-offlining")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reported-by: Chen, Jerry T <jerry.t.chen@intel.com>
Tested-by: Chen, Jerry T <jerry.t.chen@intel.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Xishi Qiu <xishi.qiuxishi@alibaba-inc.com>
Cc: "Chen, Jerry T" <jerry.t.chen@intel.com>
Cc: "Zhuo, Qiuxu" <qiuxu.zhuo@intel.com>
Cc: <stable@vger.kernel.org> [4.19+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b38e5962f8ed0d2a2b28a887fc2221f7f41db119 upstream.
The pass/fail of soft offline should be judged by checking whether the
raw error page was finally contained or not (i.e. the result of
set_hwpoison_free_buddy_page()), but current code do not work like
that. It might lead us to misjudge the test result when
set_hwpoison_free_buddy_page() fails.
Without this fix, there are cases where madvise(MADV_SOFT_OFFLINE) may
not offline the original page and will not return an error.
Link: http://lkml.kernel.org/r/1560154686-18497-2-git-send-email-n-horiguchi@ah.jp.nec.com
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Fixes: 6bc9b56433 ("mm: fix race on soft-offlining")
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Xishi Qiu <xishi.qiuxishi@alibaba-inc.com>
Cc: "Chen, Jerry T" <jerry.t.chen@intel.com>
Cc: "Zhuo, Qiuxu" <qiuxu.zhuo@intel.com>
Cc: <stable@vger.kernel.org> [4.19+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 29b190fa774dd1b72a1a6f19687d55dc72ea83be upstream.
mpol_rebind_nodemask() is called for MPOL_BIND and MPOL_INTERLEAVE
mempoclicies when the tasks's cpuset's mems_allowed changes. For
policies created without MPOL_F_STATIC_NODES or MPOL_F_RELATIVE_NODES,
it works by remapping the policy's allowed nodes (stored in v.nodes)
using the previous value of mems_allowed (stored in
w.cpuset_mems_allowed) as the domain of map and the new mems_allowed
(passed as nodes) as the range of the map (see the comment of
bitmap_remap() for details).
The result of remapping is stored back as policy's nodemask in v.nodes,
and the new value of mems_allowed should be stored in
w.cpuset_mems_allowed to facilitate the next rebind, if it happens.
However, 213980c0f2 ("mm, mempolicy: simplify rebinding mempolicies
when updating cpusets") introduced a bug where the result of remapping
is stored in w.cpuset_mems_allowed instead. Thus, a mempolicy's
allowed nodes can evolve in an unexpected way after a series of
rebinding due to cpuset mems_allowed changes, possibly binding to a
wrong node or a smaller number of nodes which may e.g. overload them.
This patch fixes the bug so rebinding again works as intended.
[vbabka@suse.cz: new changlog]
Link: http://lkml.kernel.org/r/ef6a69c6-c052-b067-8f2c-9d615c619bb9@suse.cz
Link: http://lkml.kernel.org/r/1558768043-23184-1-git-send-email-zhongjiang@huawei.com
Fixes: 213980c0f2 ("mm, mempolicy: simplify rebinding mempolicies when updating cpusets")
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0Nx3oACgkQONu9yGCS
aT7hJRAAzdu1EKr/VUiFJshvPL/+veH1MLdMgafW6gXcoQCQSdMuv1j3mv3axElC
dz2e/nHXvIhMKMrhzgEvVwV8m8eKPwM4IZjTJ8ji8st9uy0R2UIdbPUHrLtRAQzI
bK2BIk6697B9/9z2s8nDXhKex9EtZ2vj8DeQLT1AgQKMM0+abPA2YR9+cp9HEjQR
Wa5NjajwWgpty1VVk+Q6GMD+GBnEILyqxtVGv30z/prWoVadFAXJEZrWsaXotUvh
ySc2CS9Iu/muiIegTSStnNXaWaawZblA4JdDcdRJ235rPK8sbACYtDgZispYopi4
y/9kUtuZzWEv61aFZkXd13jKZ8pJsrLZLoc+yDqew0IA6M2Hz7d7Pq/UWQ0m4qnt
rCcU1vTFooSp/IHOToXN0oQQrTqD2oK5zO4V9S5McwQniuO/RqUPJfX/sKjtrvNT
SI/yLVKMXImAwVXxNEfO4bE+T9F/QYptOHdpfqJkPvpKLzjxnPBPswG8poIKwQzJ
w3p1AoQ1ISuW6b94a/nI5nSC28gVslVg+oTjRjF7kfIcOtvglX79XPvfdM5bB2DC
qD51A8veEGCtAu57/tSyisGOomqTqqqbaiYXwuhgTI1NSszbqKDLNvjsw1GKj0rK
mSmDzVMgQhxaHOagOeDqLYlj1zgTamx5R6+dretf8AOXyEE2RSg=
=+MJy
-----END PGP SIGNATURE-----
Merge 4.19.54 into android-4.19
Changes in 4.19.54
ax25: fix inconsistent lock state in ax25_destroy_timer
be2net: Fix number of Rx queues used for flow hashing
hv_netvsc: Set probe mode to sync
ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
lapb: fixed leak of control-blocks.
neigh: fix use-after-free read in pneigh_get_next
net: dsa: rtl8366: Fix up VLAN filtering
net: openvswitch: do not free vport if register_netdevice() is failed.
nfc: Ensure presence of required attributes in the deactivate_target handler
sctp: Free cookie before we memdup a new one
sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
tipc: purge deferredq list for each grp member in tipc_group_delete
vsock/virtio: set SOCK_DONE on peer shutdown
net/mlx5: Avoid reloading already removed devices
net: mvpp2: prs: Fix parser range for VID filtering
net: mvpp2: prs: Use the correct helpers when removing all VID filters
Staging: vc04_services: Fix a couple error codes
perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints
netfilter: nf_queue: fix reinject verdict handling
ipvs: Fix use-after-free in ip_vs_in
selftests: netfilter: missing error check when setting up veth interface
clk: ti: clkctrl: Fix clkdm_clk handling
powerpc/powernv: Return for invalid IMC domain
usb: xhci: Fix a potential null pointer dereference in xhci_debugfs_create_endpoint()
mISDN: make sure device name is NUL terminated
x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
perf/ring_buffer: Fix exposing a temporarily decreased data_head
perf/ring_buffer: Add ordering to rb->nest increment
perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data
gpio: fix gpio-adp5588 build errors
net: stmmac: update rx tail pointer register to fix rx dma hang issue.
net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
ACPI/PCI: PM: Add missing wakeup.flags.valid checks
drm/etnaviv: lock MMU while dumping core
net: aquantia: tx clean budget logic error
net: aquantia: fix LRO with FCS error
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
ALSA: hda - Force polling mode on CNL for fixing codec communication
configfs: Fix use-after-free when accessing sd->s_dentry
perf data: Fix 'strncat may truncate' build failure with recent gcc
perf namespace: Protect reading thread's namespace
perf record: Fix s390 missing module symbol and warning for non-root users
ia64: fix build errors by exporting paddr_to_nid()
xen/pvcalls: Remove set but not used variable
xenbus: Avoid deadlock during suspend due to open transactions
KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu
arm64: fix syscall_fn_t type
arm64: use the correct function type in SYSCALL_DEFINE0
arm64: use the correct function type for __arm64_sys_ni_syscall
net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
net: phylink: ensure consistent phy interface mode
net: phy: dp83867: Set up RGMII TX delay
scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask
scsi: scsi_dh_alua: Fix possible null-ptr-deref
scsi: libsas: delete sas port if expander discover failed
mlxsw: spectrum: Prevent force of 56G
ocfs2: fix error path kobject memory leak
coredump: fix race condition between collapse_huge_page() and core dumping
Abort file_remove_privs() for non-reg. files
Linux 4.19.54
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 59ea6d06cfa9247b586a695c21f94afa7183af74 upstream.
When fixing the race conditions between the coredump and the mmap_sem
holders outside the context of the process, we focused on
mmget_not_zero()/get_task_mm() callers in 04f5866e41fb70 ("coredump: fix
race condition between mmget_not_zero()/get_task_mm() and core
dumping"), but those aren't the only cases where the mmap_sem can be
taken outside of the context of the process as Michal Hocko noticed
while backporting that commit to older -stable kernels.
If mmgrab() is called in the context of the process, but then the
mm_count reference is transferred outside the context of the process,
that can also be a problem if the mmap_sem has to be taken for writing
through that mm_count reference.
khugepaged registration calls mmgrab() in the context of the process,
but the mmap_sem for writing is taken later in the context of the
khugepaged kernel thread.
collapse_huge_page() after taking the mmap_sem for writing doesn't
modify any vma, so it's not obvious that it could cause a problem to the
coredump, but it happens to modify the pmd in a way that breaks an
invariant that pmd_trans_huge_lock() relies upon. collapse_huge_page()
needs the mmap_sem for writing just to block concurrent page faults that
call pmd_trans_huge_lock().
Specifically the invariant that "!pmd_trans_huge()" cannot become a
"pmd_trans_huge()" doesn't hold while collapse_huge_page() runs.
The coredump will call __get_user_pages() without mmap_sem for reading,
which eventually can invoke a lockless page fault which will need a
functional pmd_trans_huge_lock().
So collapse_huge_page() needs to use mmget_still_valid() to check it's
not running concurrently with the coredump... as long as the coredump
can invoke page faults without holding the mmap_sem for reading.
This has "Fixes: khugepaged" to facilitate backporting, but in my view
it's more a bug in the coredump code that will eventually have to be
rewritten to stop invoking page faults without the mmap_sem for reading.
So the long term plan is still to drop all mmget_still_valid().
Link: http://lkml.kernel.org/r/20190607161558.32104-1-aarcange@redhat.com
Fixes: ba76149f47 ("thp: khugepaged")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Michal Hocko <mhocko@suse.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0J4rgACgkQONu9yGCS
aT6JVhAAouXsxBjKDxMlJkMrcCFPVHTgWyrHMJ0aeV3jWACGoKbd+RBZtEoNrD4n
X5/AJdDMvSPuPMWqE8BO/+Q1e4YQYRoHQyQ24aRkq66a8+UpybRMpshFb+tfGQO+
ysVypoBg97Y+8ao0MFKxu79+rrJor566f8jXznrxvFG3MnI0Kq3BBGq59UcQTu4z
e1jd2OJjQxttZovOlA6v9rRTdHdzoI/84DZfYgqV1pUoC8pwjg7UO0+1cwnKlqem
No4iWGP4lmfXN/VuzRpBs9a6kqE14GL5Ah13U3uhYXk9Dd2iLkS2fPKPiaDpiHql
/SIL/3q4BCJVDZePIZuLoRe9qKLDh7rdNziIDhSUskW1H1tHAhsJUktWo0HarZW2
6Z5K10S/MsXAxWoFnY1TMBhZg+h+f/pHxy6FqZdvV4DGsx7uDWoVhn+o4Qw5WTSG
7KGMvvyDE7EyciwXVkQoN3hwX9pcxBwDtMswzSbW1VM9h3nYOzfY6OwSc/GDbM+f
9zQb+sgLIu1K5FUqyYNMfV/YXGGHpml181ZRWm3bZ4N63odDKMwzWfkc5RlIlDoM
kqmMZKvpTSA4MeRzGzcUMsIpXv8SeNvR3cotCBqau+IRAIkLX8tZClJL+4FilLIN
PkOjXtuEt648ZDybVGZykmAPIVuWreosWdtIH79ZOmnpveRQN7I=
=DiXP
-----END PGP SIGNATURE-----
Merge 4.19.53 into android-4.19
Changes in 4.19.53
drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)
nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled
HID: multitouch: handle faulty Elo touch device
HID: wacom: Don't set tool type until we're in range
HID: wacom: Don't report anything prior to the tool entering range
HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact
HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth
HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary
Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops"
ALSA: oxfw: allow PCM capture for Stanton SCS.1m
ALSA: hda/realtek - Update headset mode for ALC256
ALSA: firewire-motu: fix destruction of data for isochronous resources
libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
mm/vmscan.c: fix trying to reclaim unevictable LRU page
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
ptrace: restore smp_rmb() in __ptrace_may_access()
iommu/arm-smmu: Avoid constant zero in TLBI writes
i2c: acorn: fix i2c warning
bcache: fix stack corruption by PRECEDING_KEY()
bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached
cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
ASoC: cs42xx8: Add regcache mask dirty
ASoC: fsl_asrc: Fix the issue about unsupported rate
drm/i915/sdvo: Implement proper HDMI audio support for SDVO
x86/uaccess, kcov: Disable stack protector
ALSA: seq: Protect in-kernel ioctl calls with mutex
ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
s390/kasan: fix strncpy_from_user kasan checks
Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
f2fs: fix to avoid accessing xattr across the boundary
scsi: qedi: remove memset/memcpy to nfunc and use func instead
scsi: qedi: remove set but not used variables 'cdev' and 'udev'
scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
scsi: lpfc: add check for loss of ndlp when sending RRQ
arm64/mm: Inhibit huge-vmap with ptdump
nvme: fix srcu locking on error return in nvme_get_ns_from_disk
nvme: remove the ifdef around nvme_nvm_ioctl
nvme: merge nvme_ns_ioctl into nvme_ioctl
nvme: release namespace SRCU protection before performing controller ioctls
nvme: fix memory leak for power latency tolerance
platform/x86: pmc_atom: Add Lex 3I380D industrial PC to critclk_systems DMI table
platform/x86: pmc_atom: Add several Beckhoff Automation boards to critclk_systems DMI table
scsi: bnx2fc: fix incorrect cast to u64 on shift operation
libnvdimm: Fix compilation warnings with W=1
selftests: fib_rule_tests: fix local IPv4 address typo
selftests/timers: Add missing fflush(stdout) calls
tracing: Prevent hist_field_var_ref() from accessing NULL tracing_map_elts
usbnet: ipheth: fix racing condition
KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid instrumentation
KVM: x86/pmu: mask the result of rdpmc according to the width of the counters
KVM: x86/pmu: do not mask the value that is written to fixed PMUs
KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
tools/kvm_stat: fix fields filter for child events
drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
usb: dwc2: Fix DMA cache alignment issues
usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression)
USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
USB: usb-storage: Add new ID to ums-realtek
USB: serial: pl2303: add Allied Telesis VT-Kit3
USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
USB: serial: option: add Telit 0x1260 and 0x1261 compositions
timekeeping: Repair ktime_get_coarse*() granularity
RAS/CEC: Convert the timer callback to a workqueue
RAS/CEC: Fix binary search function
x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback
x86/kasan: Fix boot with 5-level paging and KASAN
x86/mm/KASLR: Compute the size of the vmemmap section properly
x86/resctrl: Prevent NULL pointer dereference when local MBM is disabled
drm/edid: abstract override/firmware EDID retrieval
drm: add fallback override/firmware EDID modes workaround
rtc: pcf8523: don't return invalid date when battery is low
Linux 4.19.53
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit a58f2cef26e1ca44182c8b22f4f4395e702a5795 upstream.
There was the below bug report from Wu Fangsuo.
On the CMA allocation path, isolate_migratepages_range() could isolate
unevictable LRU pages and reclaim_clean_page_from_list() can try to
reclaim them if they are clean file-backed pages.
page:ffffffbf02f33b40 count:86 mapcount:84 mapping:ffffffc08fa7a810 index:0x24
flags: 0x19040c(referenced|uptodate|arch_1|mappedtodisk|unevictable|mlocked)
raw: 000000000019040c ffffffc08fa7a810 0000000000000024 0000005600000053
raw: ffffffc009b05b20 ffffffc009b05b20 0000000000000000 ffffffc09bf3ee80
page dumped because: VM_BUG_ON_PAGE(PageLRU(page) || PageUnevictable(page))
page->mem_cgroup:ffffffc09bf3ee80
------------[ cut here ]------------
kernel BUG at /home/build/farmland/adroid9.0/kernel/linux/mm/vmscan.c:1350!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 7125 Comm: syz-executor Tainted: G S 4.14.81 #3
Hardware name: ASR AQUILAC EVB (DT)
task: ffffffc00a54cd00 task.stack: ffffffc009b00000
PC is at shrink_page_list+0x1998/0x3240
LR is at shrink_page_list+0x1998/0x3240
pc : [<ffffff90083a2158>] lr : [<ffffff90083a2158>] pstate: 60400045
sp : ffffffc009b05940
..
shrink_page_list+0x1998/0x3240
reclaim_clean_pages_from_list+0x3c0/0x4f0
alloc_contig_range+0x3bc/0x650
cma_alloc+0x214/0x668
ion_cma_allocate+0x98/0x1d8
ion_alloc+0x200/0x7e0
ion_ioctl+0x18c/0x378
do_vfs_ioctl+0x17c/0x1780
SyS_ioctl+0xac/0xc0
Wu found it's due to commit ad6b67041a ("mm: remove SWAP_MLOCK in
ttu"). Before that, unevictable pages go to cull_mlocked so that we
can't reach the VM_BUG_ON_PAGE line.
To fix the issue, this patch filters out unevictable LRU pages from the
reclaim_clean_pages_from_list in CMA.
Link: http://lkml.kernel.org/r/20190524071114.74202-1-minchan@kernel.org
Fixes: ad6b67041a ("mm: remove SWAP_MLOCK in ttu")
Signed-off-by: Minchan Kim <minchan@kernel.org>
Reported-by: Wu Fangsuo <fangsuowu@asrmicro.com>
Debugged-by: Wu Fangsuo <fangsuowu@asrmicro.com>
Tested-by: Wu Fangsuo <fangsuowu@asrmicro.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Pankaj Suryawanshi <pankaj.suryawanshi@einfochips.com>
Cc: <stable@vger.kernel.org> [4.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIyBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0EwEMACgkQONu9yGCS
aT4UpA/3UqmMAaHH4g20cic8YDoBkYXoQUyj/kbf1w6bXqCuLTHOFS/qXa6QtPK3
WfwNWChIob+EbfAMjreQZjT6pwBbxyCNUvsvpB0k8YhJ3v/sIZL/Wc+1ZDu+jBC9
xfqwT9+JGzgu8P4PUTr1BsGMhgiH9qoJAeq7RCuDcicMIJ4/aJVr4Cvrs+18PVUe
95T5vSn6G62QyOrUExmuuztvNM2P/kos6yJTkN80l3uPLMUjsnWCsMKu+9utd5ea
ew332Z/BQs+ff4oljH1uRwsM/Z7+AKXlXatXD0sHQ8CTEqh44SgUSU96vB/h9W8I
6a0t4M2atsdaGjMHmiiPA+gIgd1rW0lsHk6ob6qgfzuRBFGN9BTUfZgQwhOW7uXt
e4o5RrWELkbk/TlJzrG1dFjhfyeb7q3LHOOg8kOVU0KdPD44ekJW9qoI8tlMPI+5
mafCCS/oS6TaW20ZKmjjkIbfTndzdO3dy5EWLy3elCEyLF2gDZ6WCAL+SMngdApC
/dbuBigF/+RBaEU1e56DkcYUYXjt6UO84O3dYAx69s6EhHS5CP4yCySuYpdxyg/G
MWdFDhtbnFyMXqoK1ROS0hNnxpydkh+R1Ns0TeSYibJI2J2enMGIa0thu4aVLD3v
+GLqHV2PsPTRQmF5ChnvNV7O53i4j4WBQQjL+80PQulJwRFb/A==
=bIqz
-----END PGP SIGNATURE-----
Merge 4.19.51 into android-4.19
Changes in 4.19.51
rapidio: fix a NULL pointer dereference when create_workqueue() fails
fs/fat/file.c: issue flush after the writeback of FAT
sysctl: return -EINVAL if val violates minmax
ipc: prevent lockup on alloc_msg and free_msg
drm/pl111: Initialize clock spinlock early
ARM: prevent tracing IPI_CPU_BACKTRACE
mm/hmm: select mmu notifier when selecting HMM
hugetlbfs: on restore reserve error path retain subpool reservation
mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE
mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
initramfs: free initrd memory if opening /initrd.image fails
mm/cma.c: fix the bitmap status to show failed allocation reason
mm: page_mkclean vs MADV_DONTNEED race
mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
mm/slab.c: fix an infinite loop in leaks_show()
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
thermal: rcar_gen3_thermal: disable interrupt in .remove
drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
mfd: tps65912-spi: Add missing of table registration
mfd: intel-lpss: Set the device in reset state when init
drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration
mfd: twl6040: Fix device init errors for ACCCTL register
perf/x86/intel: Allow PEBS multi-entry in watermark mode
drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change
drm/bridge: adv7511: Fix low refresh rate selection
objtool: Don't use ignore flag for fake jumps
drm/nouveau/kms/gv100-: fix spurious window immediate interlocks
bpf: fix undefined behavior in narrow load handling
EDAC/mpc85xx: Prevent building as a module
pwm: meson: Use the spin-lock only to protect register modifications
mailbox: stm32-ipcc: check invalid irq
ntp: Allow TAI-UTC offset to be set to zero
f2fs: fix to avoid panic in do_recover_data()
f2fs: fix to avoid panic in f2fs_inplace_write_data()
f2fs: fix to avoid panic in f2fs_remove_inode_page()
f2fs: fix to do sanity check on free nid
f2fs: fix to clear dirty inode in error path of f2fs_iget()
f2fs: fix to avoid panic in dec_valid_block_count()
f2fs: fix to use inline space only if inline_xattr is enable
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to do checksum even if inode page is uptodate
percpu: remove spurious lock dependency between percpu and sched
configfs: fix possible use-after-free in configfs_register_group
uml: fix a boot splat wrt use of cpu_all_mask
PCI: dwc: Free MSI in dw_pcie_host_init() error path
PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi()
ovl: do not generate duplicate fsnotify events for "fake" path
mmc: mmci: Prevent polling for busy detection in IRQ context
netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast
netfilter: nf_conntrack_h323: restore boundary check correctness
mips: Make sure dt memory regions are valid
netfilter: nf_tables: fix base chain stat rcu_dereference usage
watchdog: imx2_wdt: Fix set_timeout for big timeout values
watchdog: fix compile time error of pretimeout governors
blk-mq: move cancel of requeue_work into blk_mq_release
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
misc: pci_endpoint_test: Fix test_reg_bar to be updated in pci_endpoint_test
PCI: designware-ep: Use aligned ATU window for raising MSI interrupts
nvme-pci: unquiesce admin queue on shutdown
nvme-pci: shutdown on timeout during deletion
netfilter: nf_flow_table: check ttl value in flow offload data path
netfilter: nf_flow_table: fix netdev refcnt leak
ALSA: hda - Register irq handler after the chip initialization
nvmem: core: fix read buffer in place
nvmem: sunxi_sid: Support SID on A83T and H5
fuse: retrieve: cap requested size to negotiated max_write
nfsd: allow fh_want_write to be called twice
nfsd: avoid uninitialized variable warning
vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING"
iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel
switchtec: Fix unintended mask of MRPC event
net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending
x86/PCI: Fix PCI IRQ routing table memory leak
i40e: Queues are reserved despite "Invalid argument" error
platform/chrome: cros_ec_proto: check for NULL transfer function
PCI: keystone: Prevent ARM32 specific code to be compiled for ARM64
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
soc: rockchip: Set the proper PWM for rk3288
ARM: dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx50: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx53: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx6sll: Specify IMX6SLL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
PCI: rpadlpar: Fix leaked device_node references in add/remove paths
drm/amd/display: Use plane->color_space for dpp if specified
ARM: OMAP2+: pm33xx-core: Do not Turn OFF CEFUSE as PPA may be using it
platform/x86: intel_pmc_ipc: adding error handling
power: supply: max14656: fix potential use-before-alloc
net: hns3: return 0 and print warning when hit duplicate MAC
PCI: rcar: Fix a potential NULL pointer dereference
PCI: rcar: Fix 64bit MSI message address handling
scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags
video: hgafb: fix potential NULL pointer dereference
video: imsttfb: fix potential NULL pointer dereferences
block, bfq: increase idling for weight-raised queues
PCI: xilinx: Check for __get_free_pages() failure
gpio: gpio-omap: add check for off wake capable gpios
ice: Add missing case in print_link_msg for printing flow control
dmaengine: idma64: Use actual device for DMA transfers
pwm: tiehrpwm: Update shadow register for disabling PWMs
ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
pwm: Fix deadlock warning when removing PWM device
ARM: exynos: Fix undefined instruction during Exynos5422 resume
usb: typec: fusb302: Check vconn is off when we start toggling
soc: renesas: Identify R-Car M3-W ES1.3
gpio: vf610: Do not share irq_chip
percpu: do not search past bitmap when allocating an area
Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
Revert "drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)"
ovl: check the capability before cred overridden
ovl: support stacked SEEK_HOLE/SEEK_DATA
drm/vc4: fix fb references in async update
ALSA: seq: Cover unsubscribe_port() in list_mutex
Linux 4.19.51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 8c43004af01635cc9fbb11031d070e5e0d327ef2 ]
pcpu_find_block_fit() guarantees that a fit is found within
PCPU_BITMAP_BLOCK_BITS. Iteration is used to determine the first fit as
it compares against the block's contig_hint. This can lead to
incorrectly scanning past the end of the bitmap. The behavior was okay
given the check after for bit_off >= end and the correctness of the
hints from pcpu_find_block_fit().
This patch fixes this by bounding the end offset by the number of bits
in a chunk.
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 198790d9a3aeaef5792d33a560020861126edc22 ]
In free_percpu() we sometimes call pcpu_schedule_balance_work() to
queue a work item (which does a wakeup) while holding pcpu_lock.
This creates an unnecessary lock dependency between pcpu_lock and
the scheduler's pi_lock. There are other places where we call
pcpu_schedule_balance_work() without hold pcpu_lock, and this case
doesn't need to be different.
Moving the call outside the lock prevents the following lockdep splat
when running tools/testing/selftests/bpf/{test_maps,test_progs} in
sequence with lockdep enabled:
======================================================
WARNING: possible circular locking dependency detected
5.1.0-dbg-DEV #1 Not tainted
------------------------------------------------------
kworker/23:255/18872 is trying to acquire lock:
000000000bc79290 (&(&pool->lock)->rlock){-.-.}, at: __queue_work+0xb2/0x520
but task is already holding lock:
00000000e3e7a6aa (pcpu_lock){..-.}, at: free_percpu+0x36/0x260
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (pcpu_lock){..-.}:
lock_acquire+0x9e/0x180
_raw_spin_lock_irqsave+0x3a/0x50
pcpu_alloc+0xfa/0x780
__alloc_percpu_gfp+0x12/0x20
alloc_htab_elem+0x184/0x2b0
__htab_percpu_map_update_elem+0x252/0x290
bpf_percpu_hash_update+0x7c/0x130
__do_sys_bpf+0x1912/0x1be0
__x64_sys_bpf+0x1a/0x20
do_syscall_64+0x59/0x400
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #3 (&htab->buckets[i].lock){....}:
lock_acquire+0x9e/0x180
_raw_spin_lock_irqsave+0x3a/0x50
htab_map_update_elem+0x1af/0x3a0
-> #2 (&rq->lock){-.-.}:
lock_acquire+0x9e/0x180
_raw_spin_lock+0x2f/0x40
task_fork_fair+0x37/0x160
sched_fork+0x211/0x310
copy_process.part.43+0x7b1/0x2160
_do_fork+0xda/0x6b0
kernel_thread+0x29/0x30
rest_init+0x22/0x260
arch_call_rest_init+0xe/0x10
start_kernel+0x4fd/0x520
x86_64_start_reservations+0x24/0x26
x86_64_start_kernel+0x6f/0x72
secondary_startup_64+0xa4/0xb0
-> #1 (&p->pi_lock){-.-.}:
lock_acquire+0x9e/0x180
_raw_spin_lock_irqsave+0x3a/0x50
try_to_wake_up+0x41/0x600
wake_up_process+0x15/0x20
create_worker+0x16b/0x1e0
workqueue_init+0x279/0x2ee
kernel_init_freeable+0xf7/0x288
kernel_init+0xf/0x180
ret_from_fork+0x24/0x30
-> #0 (&(&pool->lock)->rlock){-.-.}:
__lock_acquire+0x101f/0x12a0
lock_acquire+0x9e/0x180
_raw_spin_lock+0x2f/0x40
__queue_work+0xb2/0x520
queue_work_on+0x38/0x80
free_percpu+0x221/0x260
pcpu_freelist_destroy+0x11/0x20
stack_map_free+0x2a/0x40
bpf_map_free_deferred+0x3c/0x50
process_one_work+0x1f7/0x580
worker_thread+0x54/0x410
kthread+0x10f/0x150
ret_from_fork+0x24/0x30
other info that might help us debug this:
Chain exists of:
&(&pool->lock)->rlock --> &htab->buckets[i].lock --> pcpu_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(pcpu_lock);
lock(&htab->buckets[i].lock);
lock(pcpu_lock);
lock(&(&pool->lock)->rlock);
*** DEADLOCK ***
3 locks held by kworker/23:255/18872:
#0: 00000000b36a6e16 ((wq_completion)events){+.+.},
at: process_one_work+0x17a/0x580
#1: 00000000dfd966f0 ((work_completion)(&map->work)){+.+.},
at: process_one_work+0x17a/0x580
#2: 00000000e3e7a6aa (pcpu_lock){..-.},
at: free_percpu+0x36/0x260
stack backtrace:
CPU: 23 PID: 18872 Comm: kworker/23:255 Not tainted 5.1.0-dbg-DEV #1
Hardware name: ...
Workqueue: events bpf_map_free_deferred
Call Trace:
dump_stack+0x67/0x95
print_circular_bug.isra.38+0x1c6/0x220
check_prev_add.constprop.50+0x9f6/0xd20
__lock_acquire+0x101f/0x12a0
lock_acquire+0x9e/0x180
_raw_spin_lock+0x2f/0x40
__queue_work+0xb2/0x520
queue_work_on+0x38/0x80
free_percpu+0x221/0x260
pcpu_freelist_destroy+0x11/0x20
stack_map_free+0x2a/0x40
bpf_map_free_deferred+0x3c/0x50
process_one_work+0x1f7/0x580
worker_thread+0x54/0x410
kthread+0x10f/0x150
ret_from_fork+0x24/0x30
Signed-off-by: John Sperbeck <jsperbeck@google.com>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 745e10146c31b1c6ed3326286704ae251b17f663 ]
"cat /proc/slab_allocators" could hang forever on SMP machines with
kmemleak or object debugging enabled due to other CPUs running do_drain()
will keep making kmemleak_object or debug_objects_cache dirty and unable
to escape the first loop in leaks_show(),
do {
set_store_user_clean(cachep);
drain_cpu_caches(cachep);
...
} while (!is_store_user_clean(cachep));
For example,
do_drain
slabs_destroy
slab_destroy
kmem_cache_free
__cache_free
___cache_free
kmemleak_free_recursive
delete_object_full
__delete_object
put_object
free_object_rcu
kmem_cache_free
cache_free_debugcheck --> dirty kmemleak_object
One approach is to check cachep->name and skip both kmemleak_object and
debug_objects_cache in leaks_show(). The other is to set store_user_clean
after drain_cpu_caches() which leaves a small window between
drain_cpu_caches() and set_store_user_clean() where per-CPU caches could
be dirty again lead to slightly wrong information has been stored but
could also speed up things significantly which sounds like a good
compromise. For example,
# cat /proc/slab_allocators
0m42.778s # 1st approach
0m0.737s # 2nd approach
[akpm@linux-foundation.org: tweak comment]
Link: http://lkml.kernel.org/r/20190411032635.10325-1-cai@lca.pw
Fixes: d31676dfde ("mm/slab: alternative implementation for DEBUG_SLAB_LEAK")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f0fd50504a54f5548eb666dc16ddf8394e44e4b7 ]
If not find zero bit in find_next_zero_bit(), it will return the size
parameter passed in, so the start bit should be compared with bitmap_maxno
rather than cma->count. Although getting maxchunk is working fine due to
zero value of order_per_bit currently, the operation will be stuck if
order_per_bit is set as non-zero.
Link: http://lkml.kernel.org/r/20190319092734.276-1-zbestahu@gmail.com
Signed-off-by: Yue Hu <huyue2@yulong.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Joe Perches <joe@perches.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Safonov <d.safonov@partner.samsung.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 024eee0e83f0df52317be607ca521e0fc572aa07 ]
MADV_DONTNEED is handled with mmap_sem taken in read mode. We call
page_mkclean without holding mmap_sem.
MADV_DONTNEED implies that pages in the region are unmapped and subsequent
access to the pages in that range is handled as a new page fault. This
implies that if we don't have parallel access to the region when
MADV_DONTNEED is run we expect those range to be unallocated.
w.r.t page_mkclean() we need to make sure that we don't break the
MADV_DONTNEED semantics. MADV_DONTNEED check for pmd_none without holding
pmd_lock. This implies we skip the pmd if we temporarily mark pmd none.
Avoid doing that while marking the page clean.
Keep the sequence same for dax too even though we don't support
MADV_DONTNEED for dax mapping
The bug was noticed by code review and I didn't observe any failures w.r.t
test run. This is similar to
commit 58ceeb6bec
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Thu Apr 13 14:56:26 2017 -0700
thp: fix MADV_DONTNEED vs. MADV_FREE race
commit ced108037c
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Thu Apr 13 14:56:20 2017 -0700
thp: fix MADV_DONTNEED vs. numa balancing race
Link: http://lkml.kernel.org/r/20190321040610.14226-1-aneesh.kumar@linux.ibm.com
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc:"Kirill A . Shutemov" <kirill@shutemov.name>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2b59e01a3aa665f751d1410b99fae9336bd424e1 ]
Currently one bit in cma bitmap represents number of pages rather than
one page, cma->count means cma size in pages. So to find available pages
via find_next_zero_bit()/find_next_bit() we should use cma size not in
pages but in bits although current free pages number is correct due to
zero value of order_per_bit. Once order_per_bit is changed the bitmap
status will be incorrect.
The size input in cma_debug_show_areas() is not correct. It will
affect the available pages at some position to debug the failure issue.
This is an example with order_per_bit = 1
Before this change:
[ 4.120060] cma: number of available pages: 1@93+4@108+7@121+7@137+7@153+7@169+7@185+7@201+3@213+3@221+3@229+3@237+3@245+3@253+3@261+3@269+3@277+3@285+3@293+3@301+3@309+3@317+3@325+19@333+15@369+512@512=> 638 free of 1024 total pages
After this change:
[ 4.143234] cma: number of available pages: 2@93+8@108+14@121+14@137+14@153+14@169+14@185+14@201+6@213+6@221+6@229+6@237+6@245+6@253+6@261+6@269+6@277+6@285+6@293+6@301+6@309+6@317+6@325+38@333+30@369=> 252 free of 1024 total pages
Obviously the bitmap status before is incorrect.
Link: http://lkml.kernel.org/r/20190320060829.9144-1-zbestahu@gmail.com
Signed-off-by: Yue Hu <huyue2@yulong.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Laura Abbott <labbott@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1df3a339074e31db95c4790ea9236874b13ccd87 ]
f022d8cb7e ("mm: cma: Don't crash on allocation if CMA area can't be
activated") fixes the crash issue when activation fails via setting
cma->count as 0, same logic exists if bitmap allocation fails.
Link: http://lkml.kernel.org/r/20190325081309.6004-1-zbestahu@gmail.com
Signed-off-by: Yue Hu <huyue2@yulong.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 299c83dce9ea3a79bb4b5511d2cb996b6b8e5111 ]
342332e6a9 ("mm/page_alloc.c: introduce kernelcore=mirror option") and
later patches rewrote the calculation of node spanned pages.
e506b99696 ("mem-hotplug: fix node spanned pages when we have a movable
node"), but the current code still has problems,
When we have a node with only zone_movable and the node id is not zero,
the size of node spanned pages is double added.
That's because we have an empty normal zone, and zone_start_pfn or
zone_end_pfn is not between arch_zone_lowest_possible_pfn and
arch_zone_highest_possible_pfn, so we need to use clamp to constrain the
range just like the commit <96e907d13602> (bootmem: Reimplement
__absent_pages_in_range() using for_each_mem_pfn_range()).
e.g.
Zone ranges:
DMA [mem 0x0000000000001000-0x0000000000ffffff]
DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
Normal [mem 0x0000000100000000-0x000000023fffffff]
Movable zone start for each node
Node 0: 0x0000000100000000
Node 1: 0x0000000140000000
Early memory node ranges
node 0: [mem 0x0000000000001000-0x000000000009efff]
node 0: [mem 0x0000000000100000-0x00000000bffdffff]
node 0: [mem 0x0000000100000000-0x000000013fffffff]
node 1: [mem 0x0000000140000000-0x000000023fffffff]
node 0 DMA spanned:0xfff present:0xf9e absent:0x61
node 0 DMA32 spanned:0xff000 present:0xbefe0 absent:0x40020
node 0 Normal spanned:0 present:0 absent:0
node 0 Movable spanned:0x40000 present:0x40000 absent:0
On node 0 totalpages(node_present_pages): 1048446
node_spanned_pages:1310719
node 1 DMA spanned:0 present:0 absent:0
node 1 DMA32 spanned:0 present:0 absent:0
node 1 Normal spanned:0x100000 present:0x100000 absent:0
node 1 Movable spanned:0x100000 present:0x100000 absent:0
On node 1 totalpages(node_present_pages): 2097152
node_spanned_pages:2097152
Memory: 6967796K/12582392K available (16388K kernel code, 3686K rwdata,
4468K rodata, 2160K init, 10444K bss, 5614596K reserved, 0K
cma-reserved)
It shows that the current memory of node 1 is double added.
After this patch, the problem is fixed.
node 0 DMA spanned:0xfff present:0xf9e absent:0x61
node 0 DMA32 spanned:0xff000 present:0xbefe0 absent:0x40020
node 0 Normal spanned:0 present:0 absent:0
node 0 Movable spanned:0x40000 present:0x40000 absent:0
On node 0 totalpages(node_present_pages): 1048446
node_spanned_pages:1310719
node 1 DMA spanned:0 present:0 absent:0
node 1 DMA32 spanned:0 present:0 absent:0
node 1 Normal spanned:0 present:0 absent:0
node 1 Movable spanned:0x100000 present:0x100000 absent:0
On node 1 totalpages(node_present_pages): 1048576
node_spanned_pages:1048576
memory: 6967796K/8388088K available (16388K kernel code, 3686K rwdata,
4468K rodata, 2160K init, 10444K bss, 1420292K reserved, 0K
cma-reserved)
Link: http://lkml.kernel.org/r/1554178276-10372-1-git-send-email-fanglinxu@huawei.com
Signed-off-by: Linxu Fang <fanglinxu@huawei.com>
Cc: Taku Izumi <izumi.taku@jp.fujitsu.com>
Cc: Xishi Qiu <qiuxishi@huawei.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
Cc: Oscar Salvador <osalvador@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0919e1b69ab459e06df45d3ba6658d281962db80 ]
When a huge page is allocated, PagePrivate() is set if the allocation
consumed a reservation. When freeing a huge page, PagePrivate is checked.
If set, it indicates the reservation should be restored. PagePrivate
being set at free huge page time mostly happens on error paths.
When huge page reservations are created, a check is made to determine if
the mapping is associated with an explicitly mounted filesystem. If so,
pages are also reserved within the filesystem. The default action when
freeing a huge page is to decrement the usage count in any associated
explicitly mounted filesystem. However, if the reservation is to be
restored the reservation/use count within the filesystem should not be
decrementd. Otherwise, a subsequent page allocation and free for the same
mapping location will cause the file filesystem usage to go 'negative'.
Filesystem Size Used Avail Use% Mounted on
nodev 4.0G -4.0M 4.1G - /opt/hugepool
To fix, when freeing a huge page do not adjust filesystem usage if
PagePrivate() is set to indicate the reservation should be restored.
I did not cc stable as the problem has been around since reserves were
added to hugetlbfs and nobody has noticed.
Link: http://lkml.kernel.org/r/20190328234704.27083-2-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 734fb89968900b5c5f8edd5038bd4cdeab8c61d2 ]
To avoid random config build issue, select mmu notifier when HMM is
selected. In any cases when HMM get selected it will be by users that
will also wants the mmu notifier.
Link: http://lkml.kernel.org/r/20190403193318.16478-2-jglisse@redhat.com
Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Acked-by: Balbir Singh <bsingharora@gmail.com>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Souptick Joarder <jrdr.linux@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlz8soUACgkQONu9yGCS
aT5o7w//cc+XhbVg3ro68Rq2byYVuntdiKtYDYlEQtv5DORELdX29g6gBlLlO+ma
J29W/8quC9fi8EERG14TRvhh8MJNlQCv5g+Afvqr42zCOBowUFL4q3o06dON2e3v
qhKsEhwcvHH/dR+ixtw1zpSNl6bIdG87C5gxYpWvpjCHpVpVDwLHfRK7GbSS/ioe
Ys2uJwtbB4ZpileCoA4O61alYNLq/zP/gJiKraMbrwfOPfY3dmDIqo6KMniUyFs3
0E0w6AKp2PalsoVxyl6mD0KGFFChWz0AfSE6b3IdlzXC2qOZkWlAKPWxpQMHWdme
HVGXHxrW6aDVk+RGOmIk1dKWDdVqTZJ1Cx1RscrtIQsQwuXqR/STgoqu1hbQ/B4W
/jMak4BICuyfnOzsmuQbIhOWaf8KTIokYfQ92SAEDQl+xRhxqe2VTSCkl0gVE+Yr
KxMoyzyZTYidpWRedUGJiACNjlgogYp3L9xiJjHz2dlQD9r4GTsHXo2CbzV1jYrL
HKqmkz6angoHx3Vw6tffCe9117KFKkOxX8MG3xRMZMfRglRbNd3m8Uo+YGOWcscU
e1mUE+71woj89TquN7cTg5hY5/kRiGwVJBqihSuWzeJsf0LPab9Txv7ipHKuzh84
i8e3Isi3eoZR55ZsU7Jl8QeDIZ2OSNprUy9ldvaI2K4fg/VxpA4=
=hIeN
-----END PGP SIGNATURE-----
Merge 4.19.49 into android-4.19
Changes in 4.19.49
sparc64: Fix regression in non-hypervisor TLB flush xcall
include/linux/bitops.h: sanitize rotate primitives
xhci: update bounce buffer with correct sg num
xhci: Use %zu for printing size_t type
xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
usb: xhci: avoid null pointer deref when bos field is NULL
usbip: usbip_host: fix BUG: sleeping function called from invalid context
usbip: usbip_host: fix stub_dev lock context imbalance regression
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
USB: sisusbvga: fix oops in error path of sisusb_probe
USB: Add LPM quirk for Surface Dock GigE adapter
USB: rio500: refuse more than one device at a time
USB: rio500: fix memory leak in close after disconnect
media: usb: siano: Fix general protection fault in smsusb
media: usb: siano: Fix false-positive "uninitialized variable" warning
media: smsusb: better handle optional alignment
brcmfmac: fix NULL pointer derefence during USB disconnect
scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
tracing: Avoid memory leak in predicate_parse()
Btrfs: fix wrong ctime and mtime of a directory after log replay
Btrfs: fix race updating log root item during fsync
Btrfs: fix fsync not persisting changed attributes of a directory
Btrfs: incremental send, fix file corruption when no-holes feature is enabled
iio: dac: ds4422/ds4424 fix chip verification
iio: adc: ti-ads8688: fix timestamp is not updated in buffer
s390/crypto: fix gcm-aes-s390 selftest failures
s390/crypto: fix possible sleep during spinlock aquired
KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts
powerpc/perf: Fix MMCRA corruption by bhrb_filter
ALSA: line6: Assure canceling delayed work at disconnection
ALSA: hda/realtek - Set default power save node to 0
ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops
KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID
drm/nouveau/i2c: Disable i2c bus access after ->fini()
i2c: mlxcpld: Fix wrong initialization order in probe
i2c: synquacer: fix synquacer_i2c_doxfer() return value
tty: serial: msm_serial: Fix XON/XOFF
tty: max310x: Fix external crystal register setup
memcg: make it work on sparse non-0-node systems
kernel/signal.c: trace_signal_deliver when signal_group_exit
arm64: Fix the arm64_personality() syscall wrapper redirection
docs: Fix conf.py for Sphinx 2.0
doc: Cope with the deprecation of AutoReporter
doc: Cope with Sphinx logging deprecations
ima: show rules with IMA_INMASK correctly
evm: check hash algorithm passed to init_desc()
vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
serial: sh-sci: disable DMA for uart_console
staging: vc04_services: prevent integer overflow in create_pagelist()
staging: wlan-ng: fix adapter initialization failure
cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case
CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
Revert "lockd: Show pid of lockd for remote locks"
gcc-plugins: Fix build failures under Darwin host
drm/tegra: gem: Fix CPU-cache maintenance for BO's allocated using get_pages()
drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
drm/sun4i: Fix sun8i HDMI PHY clock initialization
drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz
drm/rockchip: shutdown drm subsystem on shutdown
drm/lease: Make sure implicit planes are leased
Compiler Attributes: add support for __copy (gcc >= 9)
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
Revert "x86/build: Move _etext to actual end of .text"
Revert "binder: fix handling of misaligned binder object"
binder: fix race between munmap() and direct reclaim
x86/ftrace: Do not call function graph from dynamic trampolines
x86/ftrace: Set trampoline pages as executable
x86/kprobes: Set instruction page as executable
scsi: lpfc: Fix backport of faf5a744f4f8 ("scsi: lpfc: avoid uninitialized variable warning")
of: overlay: validate overlay properties #address-cells and #size-cells
of: overlay: set node fields from properties when add new overlay node
media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
Linux 4.19.49
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream.
We have a single node system with node 0 disabled:
Scanning NUMA topology in Northbridge 24
Number of physical nodes 2
Skipping disabled node 0
Node 1 MemBase 0000000000000000 Limit 00000000fbff0000
NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff]
This causes crashes in memcg when system boots:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
#PF error: [normal kernel read fault]
...
RIP: 0010:list_lru_add+0x94/0x170
...
Call Trace:
d_lru_add+0x44/0x50
dput.part.34+0xfc/0x110
__fput+0x108/0x230
task_work_run+0x9f/0xc0
exit_to_usermode_loop+0xf5/0x100
It is reproducible as far as 4.12. I did not try older kernels. You have
to have a new enough systemd, e.g. 241 (the reason is unknown -- was not
investigated). Cannot be reproduced with systemd 234.
The system crashes because the size of lru array is never updated in
memcg_update_all_list_lrus and the reads are past the zero-sized array,
causing dereferences of random memory.
The root cause are list_lru_memcg_aware checks in the list_lru code. The
test in list_lru_memcg_aware is broken: it assumes node 0 is always
present, but it is not true on some systems as can be seen above.
So fix this by avoiding checks on node 0. Remember the memcg-awareness by
a bool flag in struct list_lru.
Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz
Fixes: 60d3fd32a7 ("list_lru: introduce per-memcg lists")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzk4CsACgkQONu9yGCS
aT5Xaw//UWopx4Yqbiv+4HBgW+2ijP4utxI4lBNYITD44jvkyVJnztUtVkWepu5r
Tkl/7zytXOpxbpuhS0xqpWwG7lL5eT4NCG08KSX4lYQVjIWX4YzVkw9gLe9V2AaK
IqTzaWtbuagARbnR3UC65TI4kjRGsr9ldY0AbbGGVTM6IwPquHN9Qd9TAzRwRohn
CxY94Bwp1RcN2sSPkD3nUCUGOSNh97BXyypeM7FyceOzOpyAdQCXoUPc84cPqdNC
4GBkd5Z1IL/7zX3HDjQeGS0KK6e1enslSmsbSSUVuHI90LCr3CZPJkFF8RFnPnff
2RA7bdhp8C1JPeLDimr+SNSLEl9yywoH6d4UQAnBwoLDjiFCEITVgjDtYzzd81+1
ES6lbUAs8v/LXkaCaExq6pNNd1prg6Mj9Fe6cz+G9V/YV1tLUsoAJHdFucu8Sp7w
rwz/PZ6waCf8VRO4aYFF9b+u7PQ/RFZWQYsz22P7PhAYg0CTajV1FWGk1AYi0+wQ
5YCmthbWhDo9U5lAFyQ0pVTXv/UNgEu6MfV1/jKtCk5AzsbE77orj1xusKckHq2e
QojgmELmHMlFFajI0h/ddDo7iwz/5OrPVs9D03RysiOciMzdTKPucPyC0Ah4yEBA
sJ0cQkaVtqO2Nu3E42lfQTpVIqBgi8NGav+kRwryB1YyKeaXLsM=
=HJ7O
-----END PGP SIGNATURE-----
Merge 4.19.45 into android-4.19
Changes in 4.19.45
locking/rwsem: Prevent decrement of reader count before increment
x86/speculation/mds: Revert CPU buffer clear on double fault exit
x86/speculation/mds: Improve CPU buffer clear documentation
objtool: Fix function fallthrough detection
arm64: dts: rockchip: Disable DCMDs on RK3399's eMMC controller.
ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260
ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3
mmc: sdhci-of-arasan: Add DTS property to disable DCMDs.
ARM: exynos: Fix a leaked reference by adding missing of_node_put
power: supply: axp288_charger: Fix unchecked return value
power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the blacklist
arm64: mmap: Ensure file offset is treated as unsigned
arm64: arch_timer: Ensure counter register reads occur with seqlock held
arm64: compat: Reduce address limit
arm64: Clear OSDLR_EL1 on CPU boot
arm64: Save and restore OSDLR_EL1 across suspend/resume
sched/x86: Save [ER]FLAGS on context switch
crypto: crypto4xx - fix ctr-aes missing output IV
crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues
crypto: salsa20 - don't access already-freed walk.iv
crypto: chacha20poly1305 - set cra_name correctly
crypto: ccp - Do not free psp_master when PLATFORM_INIT fails
crypto: vmx - fix copy-paste error in CTR mode
crypto: skcipher - don't WARN on unprocessed data after slow walk step
crypto: crct10dif-generic - fix use via crypto_shash_digest()
crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
crypto: arm64/gcm-aes-ce - fix no-NEON fallback code
crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
crypto: rockchip - update IV buffer to contain the next IV
crypto: arm/aes-neonbs - don't access already-freed walk.iv
crypto: arm64/aes-neonbs - don't access already-freed walk.iv
mmc: core: Fix tag set memory leak
ALSA: line6: toneport: Fix broken usage of timer for delayed execution
ALSA: usb-audio: Fix a memory leak bug
ALSA: hda/hdmi - Read the pin sense from register when repolling
ALSA: hda/hdmi - Consider eld_valid when reporting jack event
ALSA: hda/realtek - EAPD turn on later
ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)
ASoC: max98090: Fix restore of DAPM Muxes
ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
ASoC: fsl_esai: Fix missing break in switch statement
ASoC: codec: hdac_hdmi add device_link to card device
bpf, arm64: remove prefetch insn in xadd mapping
crypto: ccree - remove special handling of chained sg
crypto: ccree - fix mem leak on error path
crypto: ccree - don't map MAC key on stack
crypto: ccree - use correct internal state sizes for export
crypto: ccree - don't map AEAD key and IV on stack
crypto: ccree - pm resume first enable the source clk
crypto: ccree - HOST_POWER_DOWN_EN should be the last CC access during suspend
crypto: ccree - add function to handle cryptocell tee fips error
crypto: ccree - handle tee fips error during power management resume
mm/mincore.c: make mincore() more conservative
mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses
mm/hugetlb.c: don't put_page in lock of hugetlb_lock
hugetlb: use same fault hash key for shared and private mappings
ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
userfaultfd: use RCU to free the task struct when fork fails
ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle
mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write
tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0
tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
jbd2: check superblock mapped prior to committing
ext4: make sanity check in mballoc more strict
ext4: ignore e_value_offs for xattrs with value-in-ea-inode
ext4: avoid drop reference to iloc.bh twice
ext4: fix use-after-free race with debug_want_extra_isize
ext4: actually request zeroing of inode table after grow
ext4: fix ext4_show_options for file systems w/o journal
btrfs: Check the first key and level for cached extent buffer
btrfs: Correctly free extent buffer in case btree_read_extent_buffer_pages fails
btrfs: Honour FITRIM range constraints during free space trim
Btrfs: send, flush dellaloc in order to avoid data loss
Btrfs: do not start a transaction during fiemap
Btrfs: do not start a transaction at iterate_extent_inodes()
bcache: fix a race between cache register and cacheset unregister
bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
ipmi:ssif: compare block number correctly for multi-part return messages
crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
tty: Don't force RISCV SBI console as preferred console
ext4: zero out the unused memory region in the extent tree block
ext4: fix data corruption caused by overlapping unaligned and aligned IO
ext4: fix use-after-free in dx_release()
ext4: avoid panic during forced reboot due to aborted journal
ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
ALSA: hda/realtek - Fixup headphone noise via runtime suspend
ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
jbd2: fix potential double free
KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
KVM: lapic: Busy wait for timer to expire when using hv_timer
kbuild: turn auto.conf.cmd into a mandatory include file
xen/pvh: set xen_domain_type to HVM in xen_pvh_init
libnvdimm/namespace: Fix label tracking error
iov_iter: optimize page_copy_sane()
pstore: Centralize init/exit routines
pstore: Allocate compression during late_initcall()
pstore: Refactor compression initialization
ext4: fix compile error when using BUFFER_TRACE
ext4: don't update s_rev_level if not required
Linux 4.19.45
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 1b426bac66e6cc83c9f2d92b96e4e72acf43419a upstream.
hugetlb uses a fault mutex hash table to prevent page faults of the
same pages concurrently. The key for shared and private mappings is
different. Shared keys off address_space and file index. Private keys
off mm and virtual address. Consider a private mappings of a populated
hugetlbfs file. A fault will map the page from the file and if needed
do a COW to map a writable page.
Hugetlbfs hole punch uses the fault mutex to prevent mappings of file
pages. It uses the address_space file index key. However, private
mappings will use a different key and could race with this code to map
the file page. This causes problems (BUG) for the page cache remove
code as it expects the page to be unmapped. A sample stack is:
page dumped because: VM_BUG_ON_PAGE(page_mapped(page))
kernel BUG at mm/filemap.c:169!
...
RIP: 0010:unaccount_page_cache_page+0x1b8/0x200
...
Call Trace:
__delete_from_page_cache+0x39/0x220
delete_from_page_cache+0x45/0x70
remove_inode_hugepages+0x13c/0x380
? __add_to_page_cache_locked+0x162/0x380
hugetlbfs_fallocate+0x403/0x540
? _cond_resched+0x15/0x30
? __inode_security_revalidate+0x5d/0x70
? selinux_file_permission+0x100/0x130
vfs_fallocate+0x13f/0x270
ksys_fallocate+0x3c/0x80
__x64_sys_fallocate+0x1a/0x20
do_syscall_64+0x5b/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9
There seems to be another potential COW issue/race with this approach
of different private and shared keys as noted in commit 8382d914eb
("mm, hugetlb: improve page-fault scalability").
Since every hugetlb mapping (even anon and private) is actually a file
mapping, just use the address_space index key for all mappings. This
results in potentially more hash collisions. However, this should not
be the common case.
Link: http://lkml.kernel.org/r/20190328234704.27083-3-mike.kravetz@oracle.com
Link: http://lkml.kernel.org/r/20190412165235.t4sscoujczfhuiyt@linux-r8p5
Fixes: b5cec28d36 ("hugetlbfs: truncate_hugepages() takes a range of pages")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Davidlohr Bueso <dbueso@suse.de>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.
The semantics of what mincore() considers to be resident is not
completely clear, but Linux has always (since 2.3.52, which is when
mincore() was initially done) treated it as "page is available in page
cache".
That's potentially a problem, as that [in]directly exposes
meta-information about pagecache / memory mapping state even about
memory not strictly belonging to the process executing the syscall,
opening possibilities for sidechannel attacks.
Change the semantics of mincore() so that it only reveals pagecache
information for non-anonymous mappings that belog to files that the
calling process could (if it tried to) successfully open for writing;
otherwise we'd be including shared non-exclusive mappings, which
- is the sidechannel
- is not the usecase for mincore(), as that's primarily used for data,
not (shared) text
[jkosina@suse.cz: v2]
Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
[mhocko@suse.com: restructure can_do_mincore() conditions]
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Josh Snyder <joshs@netflix.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
Originally-by: Dominique Martinet <asmadeus@codewreck.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Kevin Easton <kevin@guarana.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Cyril Hrubis <chrubis@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Daniel Gruss <daniel@gruss.cc>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We can just pass a NULL filler and do the right thing inside of
do_read_cache_page based on the NULL parameter.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Bug: 133186739
Change-Id: I720afb2e0c28d5649b62ed3852b48ac63dc0d7a8
Link: https://lkml.org/lkml/2019/5/1/294
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzdoMwACgkQONu9yGCS
aT5H9RAAkvsM0ryV/0BLcS7bAc2qXHz3shwcqMRHeqLSHCI728Ew3vbrenquQ9ou
I1I2gXVjVr3fT5IrNeEKC/RJg5EvUBD25dm3Iei9cTf8kqnnFaEqQFe+jIvVOMfR
zr//hEG3lOO5tLtyK1pnZxrW1uKl7B+1O64bVMpHSola+5teV51r/PxqYM5lNKYm
A0YhhcrTZ4f1ZY1nctgb3g5XousPHJAMhe8ACv6zO7I+eWwn410nUeAJL7WK8SvL
UqW0xgLAkKsYrriaDCPC9VeOVMUetCHeT9KbYQ8W9p+kb5bMQua4d/YJtCxulnqH
TAQosuCVSVoq+jQIZS+El4+teCQW/aAkHFGo+08e9ti+trEliz2u2PxiloZoGlxl
M4iIPwjkp7YJ9WHoVdNjObPiv5vt+2pWDEPhB7p++nsk5/2ArbShqWVDREj09SRp
RpOJ7UGl+Nckk8IppfQgRUOlVyMW6a+Fw7GX7dxnyh9U1g48w5ebNTVeUvKxQVCJ
a99U9qqGRgmEsgicnOXs4tRMYuU0gn3j0Qjhd9G2xYijh8ElMLgTJyv+2JiUIavC
nXmSVW3G54dR7N94aDfWm/z85w/uFmTmT4BiqNuc4/gHVyyk12Q9RbsV4T617xls
wiCkGoLKlpi9cp6abxB9H+oav9PdZd9ztwZMSB35k1AIgh6oeo0=
=v14F
-----END PGP SIGNATURE-----
Merge 4.19.44 into android-4.19
Changes in 4.19.44
bfq: update internal depth state when queue depth changes
platform/x86: sony-laptop: Fix unintentional fall-through
platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
platform/x86: dell-laptop: fix rfkill functionality
hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
kernfs: fix barrier usage in __kernfs_new_node()
virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
USB: serial: fix unthrottle races
iio: adc: xilinx: fix potential use-after-free on remove
iio: adc: xilinx: fix potential use-after-free on probe
iio: adc: xilinx: prevent touching unclocked h/w on remove
acpi/nfit: Always dump _DSM output payload
libnvdimm/namespace: Fix a potential NULL pointer dereference
HID: input: add mapping for Expose/Overview key
HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
HID: input: add mapping for "Toggle Display" key
libnvdimm/btt: Fix a kmemdup failure check
s390/dasd: Fix capacity calculation for large volumes
mac80211: fix unaligned access in mesh table hash function
mac80211: Increase MAX_MSG_LEN
cfg80211: Handle WMM rules in regulatory domain intersection
mac80211: fix memory accounting with A-MSDU aggregation
nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
libnvdimm/pmem: fix a possible OOB access when read and write pmem
s390/3270: fix lockdep false positive on view->lock
drm/amd/display: extending AUX SW Timeout
clocksource/drivers/npcm: select TIMER_OF
clocksource/drivers/oxnas: Fix OX820 compatible
selftests: fib_tests: Fix 'Command line is not complete' errors
mISDN: Check address length before reading address family
vxge: fix return of a free'd memblock on a failed dma mapping
qede: fix write to free'd pointer error and double free of ptp
afs: Unlock pages for __pagevec_release()
drm/amd/display: If one stream full updates, full update all planes
s390/pkey: add one more argument space for debug feature entry
x86/build/lto: Fix truncated .bss with -fdata-sections
x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T
KVM: fix spectrev1 gadgets
KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
tools lib traceevent: Fix missing equality check for strcmp
ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
ocelot: Don't sleep in atomic context (irqs_disabled())
scsi: aic7xxx: fix EISA support
mm: fix inactive list balancing between NUMA nodes and cgroups
init: initialize jump labels before command line option parsing
selftests: netfilter: check icmp pkttoobig errors are set as related
ipvs: do not schedule icmp errors from tunnels
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
MIPS: perf: ath79: Fix perfcount IRQ assignment
s390: ctcm: fix ctcm_new_device error return code
drm/sun4i: Set device driver data at bind time for use in unbind
drm/sun4i: Fix component unbinding and component master deletion
selftests/net: correct the return value for run_netsocktests
netfilter: fix nf_l4proto_log_invalid to log invalid packets
gpu: ipu-v3: dp: fix CSC handling
drm/imx: don't skip DP channel disable for background plane
ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled
spi: Micrel eth switch: declare missing of table
spi: ST ST95HF NFC: declare missing of table
drm/sun4i: Unbind components before releasing DRM and memory
Input: synaptics-rmi4 - fix possible double free
RDMA/hns: Bugfix for mapping user db
mm/memory_hotplug.c: drop memory device reference after find_memory_block()
powerpc/smp: Fix NMI IPI timeout
powerpc/smp: Fix NMI IPI xmon timeout
net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode
mm/memory.c: fix modifying of page protection by insert_pfn()
usb: typec: Fix unchecked return value
netfilter: nf_tables: use-after-free in dynamic operations
netfilter: nf_tables: add missing ->release_ops() in error path of newrule()
net: fec: manage ahb clock in runtime pm
mlxsw: spectrum_switchdev: Add MDB entries in prepare phase
mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue
net/tls: fix the IV leaks
net: strparser: partially revert "strparser: Call skb_unclone conditionally"
NFC: nci: Add some bounds checking in nci_hci_cmd_received()
nfc: nci: Potential off by one in ->pipes[] array
x86/kprobes: Avoid kretprobe recursion bug
cw1200: fix missing unlock on error in cw1200_hw_scan()
mwl8k: Fix rate_idx underflow
rtlwifi: rtl8723ae: Fix missing break in switch statement
Don't jump to compute_result state from check_result state
um: Don't hardcode path as it is architecture dependent
powerpc/64s: Include cpu header
bonding: fix arp_validate toggling in active-backup mode
bridge: Fix error path for kobject_init_and_add()
dpaa_eth: fix SG frame cleanup
fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied
ipv4: Fix raw socket lookup for local traffic
net: dsa: Fix error cleanup path in dsa_init_module
net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering
net: macb: Change interrupt and napi enable order in open
net: seeq: fix crash caused by not set dev.parent
net: ucc_geth - fix Oops when changing number of buffers in the ring
packet: Fix error path in packet_init
selinux: do not report error on connect(AF_UNSPEC)
vlan: disable SIOCSHWTSTAMP in container
vrf: sit mtu should not be updated when vrf netdev is the link
tuntap: fix dividing by zero in ebpf queue selection
tuntap: synchronize through tfiles array instead of tun->numqueues
isdn: bas_gigaset: use usb_fill_int_urb() properly
tipc: fix hanging clients using poll with EPOLLOUT flag
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
powerpc/book3s/64: check for NULL pointer in pgd_alloc()
powerpc/powernv/idle: Restore IAMR after idle
powerpc/booke64: set RI in default MSR
PCI: hv: Fix a memory leak in hv_eject_device_work()
PCI: hv: Add hv_pci_remove_slots() when we unload the driver
PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary
Linux 4.19.44
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit cae85cb8add35f678cf487139d05e083ce2f570a ]
Aneesh has reported that PPC triggers the following warning when
excercising DAX code:
IP set_pte_at+0x3c/0x190
LR insert_pfn+0x208/0x280
Call Trace:
insert_pfn+0x68/0x280
dax_iomap_pte_fault.isra.7+0x734/0xa40
__xfs_filemap_fault+0x280/0x2d0
do_wp_page+0x48c/0xa40
__handle_mm_fault+0x8d0/0x1fd0
handle_mm_fault+0x140/0x250
__do_page_fault+0x300/0xd60
handle_page_fault+0x18
Now that is WARN_ON in set_pte_at which is
VM_WARN_ON(pte_hw_valid(*ptep) && !pte_protnone(*ptep));
The problem is that on some architectures set_pte_at() cannot cope with
a situation where there is already some (different) valid entry present.
Use ptep_set_access_flags() instead to modify the pfn which is built to
deal with modifying existing PTE.
Link: http://lkml.kernel.org/r/20190311084537.16029-1-jack@suse.cz
Fixes: b2770da642 "mm: add vm_insert_mixed_mkwrite()"
Signed-off-by: Jan Kara <jack@suse.cz>
Reported-by: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: Chandan Rajendra <chandan@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
[ Upstream commit 89c02e69fc5245f8a2f34b58b42d43a737af1a5e ]
Right now we are using find_memory_block() to get the node id for the
pfn range to online. We are missing to drop a reference to the memory
block device. While the device still gets unregistered via
device_unregister(), resulting in no user visible problem, the device is
never released via device_release(), resulting in a memory leak. Fix
that by properly using a put_device().
Link: http://lkml.kernel.org/r/20190411110955.1430-1-david@redhat.com
Fixes: d0dc12e86b ("mm/memory_hotplug: optimize memory hotplug")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Pankaj Gupta <pagupta@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Arun KS <arunks@codeaurora.org>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3b991208b897f52507168374033771a984b947b1 ]
During !CONFIG_CGROUP reclaim, we expand the inactive list size if it's
thrashing on the node that is about to be reclaimed. But when cgroups
are enabled, we suddenly ignore the node scope and use the cgroup scope
only. The result is that pressure bleeds between NUMA nodes depending
on whether cgroups are merely compiled into Linux. This behavioral
difference is unexpected and undesirable.
When the refault adaptivity of the inactive list was first introduced,
there were no statistics at the lruvec level - the intersection of node
and memcg - so it was better than nothing.
But now that we have that infrastructure, use lruvec_page_state() to
make the list balancing decision always NUMA aware.
[hannes@cmpxchg.org: fix bisection hole]
Link: http://lkml.kernel.org/r/20190417155241.GB23013@cmpxchg.org
Link: http://lkml.kernel.org/r/20190412144438.2645-1-hannes@cmpxchg.org
Fixes: 2a2e48854d ("mm: vmscan: fix IO/refault regression in cache workingset transition")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzVnqQACgkQONu9yGCS
aT4iJQ//SEDeqCHsZIblTqIywc87Xn/M4WGvQSr5l7NlFFWXRmIZ2VqGSa8IqY6m
mbq0WJHIb0N3fJ09rh6/OuoFz8j7L4aq3OngCsAfmj3Esb2mAt8QkpvHgKdO8wEp
iWstqAUUgCJLaaCO2KN5Z4uvpib+HhpaoOkHNto94w6M5Hc9Ax9iqMWqOk+ugcy9
q3nPWomhesrmzNjw4gOtG2gyGlkqUZOkbvQDYttXO5jAV2sgfy1puaG3maApRRvT
uZFOYBJEa13MFx+QgaLvZ7asyhtlBVzQyRx/CcBjecCMRv3oC/ZZtemDmwqEZ4ll
kj4IaRMzthRhmkpLEEW4SkN/TZDL3C0n114Wp+hRMmLviY7yOOovrbiHs8k/RYzU
eOKZ2v/zI2FKGYbH0Nsa1HPJdOO1ESAVIxs/XHyk8odOPCpx+KN8NOPdnWILrM1l
uhVKK62iQlZsLlny+EE7Oy3nqZAg1hHwNkV7WuyLfFrSVDQ/IOLK953QJdNlmgCd
NbVRCcZ8gtL47jLD4F3uf8bcNQhheg/1m/A95xl860WmTDXrQSvN3FmvVWZ9LUCf
ftsA76tMcDFlpw/Xu12z+P93VliaATt/I6aRbJyKvL3BBL5dB7Cx0asMDi5ecT6P
sgaxYPp56xX0m6V10vEtaFCRcyuP2JmR60uU5Zvq9t5CtG+7BL0=
=SzxN
-----END PGP SIGNATURE-----
Merge 4.19.42 into android-4.19
Changes in 4.19.42
net: stmmac: Use bfsize1 in ndesc_init_rx_desc
scsi: libsas: fix a race condition when smp task timeout
Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup()
ubsan: Fix nasty -Wbuiltin-declaration-mismatch GCC-9 warnings
staging: greybus: power_supply: fix prop-descriptor request size
staging: most: cdev: fix chrdev_region leak in mod_exit
ASoC: tlv320aic3x: fix reset gpio reference counting
ASoC: hdmi-codec: fix S/PDIF DAI
ASoC: stm32: sai: fix iec958 controls indexation
ASoC: stm32: sai: fix exposed capabilities in spdif mode
ASoC:soc-pcm:fix a codec fixup issue in TDM case
ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform
ASoC: nau8824: fix the issue of the widget with prefix name
ASoC: nau8810: fix the issue of widget with prefixed name
ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate
ASoC: rt5682: recording has no sound after booting
ASoC: wm_adsp: Add locking to wm_adsp2_bus_error
clk: meson-gxbb: round the vdec dividers to closest
ASoC: stm32: dfsdm: manage multiple prepare
ASoC: stm32: dfsdm: fix debugfs warnings on entry creation
ASoC: cs4270: Set auto-increment bit for register writes
ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol
drm/omap: hdmi4_cec: Fix CEC clock handling for PM
IB/hfi1: Eliminate opcode tests on mr deref
IB/hfi1: Fix the allocation of RSM table
MIPS: KGDB: fix kgdb support for SMP platforms.
ASoC: tlv320aic32x4: Fix Common Pins
drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata()
perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
perf/x86/intel: Initialize TFA MSR
linux/kernel.h: Use parentheses around argument in u64_to_user_ptr()
ASoC: rockchip: pdm: fix regmap_ops hang issue
drm/amd/display: fix cursor black issue
ASoC: cs35l35: Disable regulators on driver removal
objtool: Add rewind_stack_do_exit() to the noreturn list
slab: fix a crash by reading /proc/slab_allocators
drm/sun4i: tcon top: Fix NULL/invalid pointer dereference in sun8i_tcon_top_un/bind
virtio_pci: fix a NULL pointer reference in vp_del_vqs
RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove
RDMA/hns: Fix bug that caused srq creation to fail
scsi: csiostor: fix missing data copy in csio_scsi_err_handler()
drm/mediatek: fix possible object reference leak
ASoC: Intel: kbl: fix wrong number of channels
virtio-blk: limit number of hw queues by nr_cpu_ids
nvme-fc: correct csn initialization and increments on error
platform/x86: pmc_atom: Drop __initconst on dmi table
perf/core: Fix perf_event_disable_inatomic() race
iommu/amd: Set exclusion range correctly
genirq: Prevent use-after-free and work list corruption
usb: dwc3: Fix default lpm_nyet_threshold value
USB: serial: f81232: fix interrupt worker not stop
USB: cdc-acm: fix unthrottle races
usb-storage: Set virt_boundary_mask to avoid SG overflows
intel_th: pci: Add Comet Lake support
cpufreq: armada-37xx: fix frequency calculation for opp
soc: sunxi: Fix missing dependency on REGMAP_MMIO
scsi: lpfc: change snprintf to scnprintf for possible overflow
scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
scsi: qla2xxx: Fix device staying in blocked state
Bluetooth: hidp: fix buffer overflow
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
UAS: fix alignment of scatter/gather segments
ASoC: Intel: avoid Oops if DMA setup fails
locking/futex: Allow low-level atomic operations to return -EAGAIN
arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP
Linux 4.19.42
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit fcf88917dd435c6a4cb2830cb086ee58605a1d85 ]
The commit 510ded33e0 ("slab: implement slab_root_caches list")
changes the name of the list node within "struct kmem_cache" from "list"
to "root_caches_node", but leaks_show() still use the "list" which
causes a crash when reading /proc/slab_allocators.
You need to have CONFIG_SLAB=y and CONFIG_MEMCG=y to see the problem,
because without MEMCG all slab caches are root caches, and the "list"
node happens to be the right one.
Fixes: 510ded33e0 ("slab: implement slab_root_caches list")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Tobin C. Harding <tobin@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzSZ3MACgkQONu9yGCS
aT7f2hAAww50MxygeVQXgB0zJ7oSlEBwJAUH1GRCj1ual70pDoK9W8iuacPI4gNu
+A0V4cD+lndMZ8E+F9/Vmzhmj/xHdxRfCkRmtnpa5IKUJqA/bLr1kdspYO6G354G
ZBGvizvmFaAikbqNSnoadQZ5AYoT/C4FxxD6t/meQtnwmrK+OhRlh1xCkTddAbQo
UEPDns9pxqrwHK7tS0GbPXLWgsr4y7BPq92ILdt/GFZGmEBJa0+tf66/DF+RMKjD
OCmAkiFr+hN8KScUHeZpJKdmI3s7dHEUnQnwkHyC1TwjEXwxhtA0QZgzl9j1F8JI
f27kbJrpmYuw2QADJyZmCnTiqBo7XglItxEZ2csJKyV7+jFFlzKT4S26iyrHwgXp
BTdSuTaVe2Ubp/EiULwoSsmxaIyW6fROotQK/x4oB0eDm+OSXq217nnbnF2MRpMb
eOqzRPCd5CvL8+7T9rc0kOJcDuK/9h95OjzZWBo9rDGz0glxlokw7cJ4fUyrJMPo
kcw7ZIRRHLtKGTD/ZKX3XrErAqz9I4RAEzBRAXT6W0is7PUi00vFNcOU4ThNSsSK
ihfuHsp9Jq/SKEUl6/CumU8e91LWv77/gqYxLLuygpuKLFLpMMc/PQOruxXT6ojx
QC/KIUtcMfTP+xy23Wg2UQ1BXhl+HcfShXzvcEXxHzjgHpglKvc=
=S4RT
-----END PGP SIGNATURE-----
Merge 4.19.41 into android-4.19
Changes in 4.19.41
iwlwifi: fix driver operation for 5350
mwifiex: Make resume actually do something useful again on SDIO cards
mac80211: don't attempt to rename ERR_PTR() debugfs dirs
i2c: synquacer: fix enumeration of slave devices
i2c: imx: correct the method of getting private data in notifier_call
i2c: Remove unnecessary call to irq_find_mapping
i2c: Clear client->irq in i2c_device_remove
i2c: Allow recovery of the initial IRQ by an I2C client device.
i2c: Prevent runtime suspend of adapter when Host Notify is required
ALSA: hda/realtek - Add new Dell platform for headset mode
ALSA: hda/realtek - Fixed Dell AIO speaker noise
ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR
USB: yurex: Fix protection fault after device removal
USB: w1 ds2490: Fix bug caused by improper use of altsetting array
USB: dummy-hcd: Fix failure to give back unlinked URBs
usb: usbip: fix isoc packet num validation in get_pipe
USB: core: Fix unterminated string returned by usb_string()
USB: core: Fix bug caused by duplicate interface PM usage counter
nvme-loop: init nvmet_ctrl fatal_err_work when allocate
efi: Fix debugobjects warning on 'efi_rts_work'
arm64: dts: rockchip: fix rk3328-roc-cc gmac2io tx/rx_delay
HID: logitech: check the return value of create_singlethread_workqueue
HID: debug: fix race condition with between rdesc_show() and device removal
rtc: cros-ec: Fail suspend/resume if wake IRQ can't be configured
rtc: sh: Fix invalid alarm warning for non-enabled alarm
batman-adv: Reduce claim hash refcnt only for removed entry
batman-adv: Reduce tt_local hash refcnt only for removed entry
batman-adv: Reduce tt_global hash refcnt only for removed entry
batman-adv: fix warning in function batadv_v_elp_get_throughput
ARM: dts: rockchip: Fix gpu opp node names for rk3288
reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev
igb: Fix WARN_ONCE on runtime suspend
riscv: fix accessing 8-byte variable from RV32
HID: quirks: Fix keyboard + touchpad on Lenovo Miix 630
net: hns3: fix compile error
net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands
bonding: show full hw address in sysfs for slave entries
net: stmmac: use correct DMA buffer size in the RX descriptor
net: stmmac: ratelimit RX error logs
net: stmmac: don't stop NAPI processing when dropping a packet
net: stmmac: don't overwrite discard_frame status
net: stmmac: fix dropping of multi-descriptor RX frames
net: stmmac: don't log oversized frames
jffs2: fix use-after-free on symlink traversal
debugfs: fix use-after-free on symlink traversal
mfd: twl-core: Disable IRQ while suspended
block: use blk_free_flush_queue() to free hctx->fq in blk_mq_init_hctx
rtc: da9063: set uie_unsupported when relevant
HID: input: add mapping for Assistant key
vfio/pci: use correct format characters
scsi: core: add new RDAC LENOVO/DE_Series device
scsi: storvsc: Fix calculation of sub-channel count
arm/mach-at91/pm : fix possible object reference leak
arm64: fix wrong check of on_sdei_stack in nmi context
net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()
net: hns: Use NAPI_POLL_WEIGHT for hns driver
net: hns: Fix probabilistic memory overwrite when HNS driver initialized
net: hns: fix ICMP6 neighbor solicitation messages discard problem
net: hns: Fix WARNING when remove HNS driver with SMMU enabled
libcxgb: fix incorrect ppmax calculation
KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow
kmemleak: powerpc: skip scanning holes in the .bss section
hugetlbfs: fix memory leak for resv_map
sh: fix multiple function definition build errors
xsysace: Fix error handling in ace_setup
fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
ARM: orion: don't use using 64-bit DMA masks
ARM: iop: don't use using 64-bit DMA masks
block: pass no-op callback to INIT_WORK().
perf/x86/amd: Update generic hardware cache events for Family 17h
Bluetooth: btusb: request wake pin with NOAUTOEN
Bluetooth: mediatek: fix up an error path to restore bdev->tx_state
clk: qcom: Add missing freq for usb30_master_clk on 8998
staging: iio: adt7316: allow adt751x to use internal vref for all dacs
staging: iio: adt7316: fix the dac read calculation
staging: iio: adt7316: fix the dac write calculation
scsi: RDMA/srpt: Fix a credit leak for aborted commands
ASoC: Intel: bytcr_rt5651: Revert "Fix DMIC map headsetmic mapping"
ASoC: wm_adsp: Correct handling of compressed streams that restart
ASoC: stm32: fix sai driver name initialisation
platform/x86: intel_pmc_core: Fix PCH IP name
platform/x86: intel_pmc_core: Handle CFL regmap properly
IB/core: Unregister notifier before freeing MAD security
IB/core: Fix potential memory leak while creating MAD agents
IB/core: Destroy QP if XRC QP fails
Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
Input: stmfts - acknowledge that setting brightness is a blocking call
gpio: mxc: add check to return defer probe if clock tree NOT ready
selinux: avoid silent denials in permissive mode under RCU walk
selinux: never allow relabeling on context mounts
mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode
powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
x86/mce: Improve error message when kernel cannot recover, p2
clk: x86: Add system specific quirk to mark clocks as critical
x86/mm/KASLR: Fix the size of the direct mapping section
x86/mm: Fix a crash with kmemleak_scan()
x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info"
i2c: i2c-stm32f7: Fix SDADEL minimum formula
media: v4l2: i2c: ov7670: Fix PLL bypass register values
ASoC: wm_adsp: Check for buffer in trigger stop
mm/kmemleak.c: fix unused-function warning
Linux 4.19.41
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit dce5b0bdeec61bdbee56121ceb1d014151d5cab1 upstream.
The only references outside of the #ifdef have been removed, so now we
get a warning in non-SMP configurations:
mm/kmemleak.c:1404:13: error: unused function 'scan_large_block' [-Werror,-Wunused-function]
Add a new #ifdef around it.
Link: http://lkml.kernel.org/r/20190416123148.3502045-1-arnd@arndb.de
Fixes: 298a32b13208 ("kmemleak: powerpc: skip scanning holes in the .bss section")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Vincent Whitchurch <vincent.whitchurch@axis.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 298a32b132087550d3fa80641ca58323c5dfd4d9 ]
Commit 2d4f567103 ("KVM: PPC: Introduce kvm_tmp framework") adds
kvm_tmp[] into the .bss section and then free the rest of unused spaces
back to the page allocator.
kernel_init
kvm_guest_init
kvm_free_tmp
free_reserved_area
free_unref_page
free_unref_page_prepare
With DEBUG_PAGEALLOC=y, it will unmap those pages from kernel. As the
result, kmemleak scan will trigger a panic when it scans the .bss
section with unmapped pages.
This patch creates dedicated kmemleak objects for the .data, .bss and
potentially .data..ro_after_init sections to allow partial freeing via
the kmemleak_free_part() in the powerpc kvm_free_tmp() function.
Link: http://lkml.kernel.org/r/20190321171917.62049-1-catalin.marinas@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Qian Cai <cai@lca.pw>
Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
Tested-by: Qian Cai <cai@lca.pw>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Avi Kivity <avi@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krcmar <rkrcmar@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream.
If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it. One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times. This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzKo0YACgkQONu9yGCS
aT4dbQ//U1bo/8bdBJec+a0aNMy3cxzPF1Ozbrb/vEaHofj1BR87hgo4BODBO7pu
6ppwloPle9VFrsfT1FYOjsicUBhT4NmieHlsC3msAR4xlBEbHEOBTEbUdu3HinGV
Jn/uL/NDTrq+wA5rROGOh9sTlQ5w6dqItjHAWvnGkXlerbUJwIgnzbgH5qGBFZhQ
6SbPmqJv5V+C+qYy3yXNs2CnbtS7+cfulLy26MNnkFMEZGbHTWeNbeu9H41AK6T4
xtO8INse28RD6lbAPvW/xb//iAXsOHv+7KF1TgtZq89Z1RmlaqLSdPdgTYvCxm+Y
RhWa8KyIdhADJ8z8sRcPviFI5bR65cfCMUAEgBcFNYYByDv36KCBLsXajn4JbBsF
OOOtqnGaZyAJBZgMXySfVJIXLAx7cUlt07YD9cIdsOzjl1DCMP76XvypeGXLw5Mk
ZBXBJ+By+8jwnE7PAtecij/VH6qCDsfn4HqoRELsRLVahFsnFFid5lutVIjsO21j
QHrwi4hChuYGa89MhD48KyC2ZuaQmbs3rm6F3O0iQ0aipknvlsDoB4jYYp9qRI04
0FYMlZLlVyg+sNYOM2XvTtpOBFa1PFwFwscqXoyt0CGtig0D+pD3gDYExRONj6Fp
8h+OUBWbVHWscceMc6G1p/Qu+YcgmQTu8CFAUO8l/X8xq655c1A=
=isRm
-----END PGP SIGNATURE-----
Merge 4.19.38 into android-4.19
Changes in 4.19.38
netfilter: nft_compat: use refcnt_t type for nft_xt reference count
netfilter: nft_compat: make lists per netns
netfilter: nf_tables: split set destruction in deactivate and destroy phase
netfilter: nft_compat: destroy function must not have side effects
netfilter: nf_tables: warn when expr implements only one of activate/deactivate
netfilter: nf_tables: unbind set in rule from commit path
netfilter: nft_compat: don't use refcount_inc on newly allocated entry
netfilter: nft_compat: use .release_ops and remove list of extension
netfilter: nf_tables: fix set double-free in abort path
netfilter: nf_tables: bogus EBUSY when deleting set after flush
netfilter: nf_tables: bogus EBUSY in helper removal from transaction
net/ibmvnic: Fix RTNL deadlock during device reset
net: mvpp2: fix validate for PPv2.1
ext4: fix some error pointer dereferences
tipc: handle the err returned from cmd header function
loop: do not print warn message if partition scan is successful
drm/rockchip: fix for mailbox read validation.
vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock
ipvs: fix warning on unused variable
powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64
ALSA: hda/ca0132 - Fix build error without CONFIG_PCI
net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework
cifs: fix memory leak in SMB2_read
cifs: do not attempt cifs operation on smb2+ rename error
tracing: Fix a memory leak by early error exit in trace_pid_write()
tracing: Fix buffer_ref pipe ops
gpio: eic: sprd: Fix incorrect irq type setting for the sync EIC
zram: pass down the bvec we need to read into in the work struct
lib/Kconfig.debug: fix build error without CONFIG_BLOCK
MIPS: scall64-o32: Fix indirect syscall number load
trace: Fix preempt_enable_no_resched() abuse
IB/rdmavt: Fix frwr memory registration
RDMA/mlx5: Do not allow the user to write to the clock page
sched/numa: Fix a possible divide-by-zero
ceph: only use d_name directly when parent is locked
ceph: ensure d_name stability in ceph_dentry_hash()
ceph: fix ci->i_head_snapc leak
nfsd: Don't release the callback slot unless it was actually held
sunrpc: don't mark uninitialised items as VALID.
perf/x86/intel: Update KBL Package C-state events to also include PC8/PC9/PC10 counters
Input: synaptics-rmi4 - write config register values to the right offset
vfio/type1: Limit DMA mappings per container
dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid
dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status
ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache
powerpc/mm/radix: Make Radix require HUGETLB_PAGE
drm/vc4: Fix memory leak during gpu reset.
Revert "drm/i915/fbdev: Actually configure untiled displays"
drm/vc4: Fix compilation error reported by kbuild test bot
USB: Add new USB LPM helpers
USB: Consolidate LPM checks to avoid enabling LPM twice
slip: make slhc_free() silently accept an error pointer
intel_th: gth: Fix an off-by-one in output unassigning
fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
workqueue: Try to catch flush_work() without INIT_WORK().
binder: fix handling of misaligned binder object
sched/deadline: Correctly handle active 0-lag timers
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
fm10k: Fix a potential NULL pointer dereference
tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
tipc: check link name with right length in tipc_nl_compat_link_set
net: netrom: Fix error cleanup path of nr_proto_init
net/rds: Check address length before reading address family
rxrpc: fix race condition in rxrpc_input_packet()
aio: clear IOCB_HIPRI
aio: use assigned completion handler
aio: separate out ring reservation from req allocation
aio: don't zero entire aio_kiocb aio_get_req()
aio: use iocb_put() instead of open coding it
aio: split out iocb copy from io_submit_one()
aio: abstract out io_event filler helper
aio: initialize kiocb private in case any filesystems expect it.
aio: simplify - and fix - fget/fput for io_submit()
pin iocb through aio.
aio: fold lookup_kiocb() into its sole caller
aio: keep io_event in aio_kiocb
aio: store event at final iocb_put()
Fix aio_poll() races
x86, retpolines: Raise limit for generating indirect calls from switch-case
x86/retpolines: Disable switch jump tables when retpolines are enabled
mm: Fix warning in insert_pfn()
x86/fpu: Don't export __kernel_fpu_{begin,end}()
ipv4: add sanity checks in ipv4_link_failure()
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
mlxsw: spectrum: Fix autoneg status in ethtool
net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query
net: rds: exchange of 8K and 1M pool
net/rose: fix unbound loop in rose_loopback_timer()
net: stmmac: move stmmac_check_ether_addr() to driver probe
net/tls: fix refcount adjustment in fallback
stmmac: pci: Adjust IOT2000 matching
team: fix possible recursive locking when add slaves
net: hns: Fix WARNING when hns modules installed
mlxsw: pci: Reincrease PCI reset timeout
mlxsw: spectrum: Put MC TCs into DWRR mode
net/mlx5e: Fix the max MTU check in case of XDP
net/mlx5e: Fix use-after-free after xdp_return_frame
net/tls: avoid potential deadlock in tls_set_device_offload_rx()
net/tls: don't leak IV and record seq when offload fails
powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
Linux 4.19.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit f2c57d91b0d96aa13ccff4e3b178038f17b00658 upstream.
In DAX mode a write pagefault can race with write(2) in the following
way:
CPU0 CPU1
write fault for mapped zero page (hole)
dax_iomap_rw()
iomap_apply()
xfs_file_iomap_begin()
- allocates blocks
dax_iomap_actor()
invalidate_inode_pages2_range()
- invalidates radix tree entries in given range
dax_iomap_pte_fault()
grab_mapping_entry()
- no entry found, creates empty
...
xfs_file_iomap_begin()
- finds already allocated block
...
vmf_insert_mixed_mkwrite()
- WARNs and does nothing because there
is still zero page mapped in PTE
unmap_mapping_pages()
This race results in WARN_ON from insert_pfn() and is occasionally
triggered by fstest generic/344. Note that the race is otherwise
harmless as before write(2) on CPU0 is finished, we will invalidate page
tables properly and thus user of mmap will see modified data from
write(2) from that point on. So just restrict the warning only to the
case when the PFN in PTE is not zero page.
Link: http://lkml.kernel.org/r/20180824154542.26872-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzEBokACgkQONu9yGCS
aT7G7w/8C93URGM67H7ynkCHTo8y3hkRE2rUJPckJNdS+IJKuecmOphak4tF0h07
qPWDPya70Q1S0cNu661TuVAGrhmE5jBx8/xfZaAOeaaU0xtZive+TfSHdAQQaHct
tDk32O85N1aZ49rDEz9ibr7CGLVFDZtyhxV5gFMYQpjbqA7MzJC61zQg1jHyPSCz
sKjQzW+uXMuSLru8jXHMvp41K5sFFp5gYdQbAVKlWtt79qPxWdxZPJbLbM0LBbtz
XHt9E45Ink3ALF9P6tZ4e6gi4zzlNbh9yR92+X5NK5/8AP57yWba4W9JHWIfMBpC
yyDYTOEAzdxqa2Jrgwr4WTdKH6U7FbQZFmWfTBB4VotbHLBWkVXj0OnF10qxP9eQ
p5wGDTJAlWezhX1BTCfYroglDsvqhj+gHfwHzDRF1Del1dRgydRMQc0qLD1d9tul
ovzwOkx1xyJrM2wq05I5gc0FoVyOL6/KCwqMrpVfKa3WKY7Uttjgf56bMqdIIkns
i/6opzF+wtvwlLlCoXgYPXdm6kbWdgvS+skVHfWcHmZFMuGrFGGzJNwzXb7qnVjK
T0hD1OestsfTyD/amnDNYkNeCkoOZqtHAi+xYOQR4kGY5cxP1lQJf85MgAy6RZSY
h+rjys76Qf6+hTCtrowLr8SgksX4ACWxm+UarfAiiNnnDXwGfu8=
=SrFV
-----END PGP SIGNATURE-----
Merge 4.19.37 into android-4.19
Changes in 4.19.37
bonding: fix event handling for stacked bonds
failover: allow name change on IFF_UP slave interfaces
net: atm: Fix potential Spectre v1 vulnerabilities
net: bridge: fix per-port af_packet sockets
net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
net: Fix missing meta data in skb with vlan packet
net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
tcp: tcp_grow_window() needs to respect tcp_space()
team: set slave to promisc if team is already in promisc mode
tipc: missing entries in name table of publications
vhost: reject zero size iova range
ipv4: recompile ip options in ipv4_link_failure
ipv4: ensure rcu_read_lock() in ipv4_link_failure()
net: thunderx: raise XDP MTU to 1508
net: thunderx: don't allow jumbo frames with XDP
net/mlx5: FPGA, tls, hold rcu read lock a bit longer
net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
net/mlx5: FPGA, tls, idr remove on flow delete
route: Avoid crash from dereferencing NULL rt->from
sch_cake: Use tc_skb_protocol() helper for getting packet protocol
sch_cake: Make sure we can write the IP header before changing DSCP bits
nfp: flower: replace CFI with vlan present
nfp: flower: remove vlan CFI bit from push vlan action
sch_cake: Simplify logic in cake_select_tin()
net: IP defrag: encapsulate rbtree defrag code into callable functions
net: IP6 defrag: use rbtrees for IPv6 defrag
net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
CIFS: keep FileInfo handle live during oplock break
cifs: Fix use-after-free in SMB2_write
cifs: Fix use-after-free in SMB2_read
cifs: fix handle leak in smb2_query_symlink()
KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU
KVM: x86: svm: make sure NMI is injected after nmi_singlestep
Staging: iio: meter: fixed typo
staging: iio: ad7192: Fix ad7193 channel address
iio: gyro: mpu3050: fix chip ID reading
iio/gyro/bmg160: Use millidegrees for temperature scale
iio:chemical:bme680: Fix, report temperature in millidegrees
iio:chemical:bme680: Fix SPI read interface
iio: cros_ec: Fix the maths for gyro scale calculation
iio: ad_sigma_delta: select channel when reading register
iio: dac: mcp4725: add missing powerdown bits in store eeprom
iio: Fix scan mask selection
iio: adc: at91: disable adc channel interrupt in timeout case
iio: core: fix a possible circular locking dependency
io: accel: kxcjk1013: restore the range after resume.
staging: most: core: use device description as name
staging: comedi: vmk80xx: Fix use of uninitialized semaphore
staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf
staging: comedi: ni_usb6501: Fix use of uninitialized mutex
staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf
ALSA: hda/realtek - add two more pin configuration sets to quirk table
ALSA: core: Fix card races between register and disconnect
Input: elan_i2c - add hardware ID for multiple Lenovo laptops
serial: sh-sci: Fix HSCIF RX sampling point adjustment
serial: sh-sci: Fix HSCIF RX sampling point calculation
vt: fix cursor when clearing the screen
scsi: core: set result when the command cannot be dispatched
Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO"
Revert "svm: Fix AVIC incomplete IPI emulation"
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier
crypto: x86/poly1305 - fix overflow during partial reduction
drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
arm64: futex: Restore oldval initialization to work around buggy compilers
x86/kprobes: Verify stack frame on kretprobe
kprobes: Mark ftrace mcount handler functions nokprobe
kprobes: Fix error check when reusing optimized probes
rt2x00: do not increment sequence number while re-transmitting
mac80211: do not call driver wake_tx_queue op during reconfig
drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming
perf/x86/amd: Add event map for AMD Family 17h
x86/cpu/bugs: Use __initconst for 'const' init data
perf/x86: Fix incorrect PEBS_REGS
x86/speculation: Prevent deadlock on ssb_state::lock
timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze()
nfit/ars: Remove ars_start_flags
nfit/ars: Introduce scrub_flags
nfit/ars: Allow root to busy-poll the ARS state machine
nfit/ars: Avoid stale ARS results
mmc: sdhci: Fix data command CRC error handling
mmc: sdhci: Rename SDHCI_ACMD12_ERR and SDHCI_INT_ACMD12ERR
mmc: sdhci: Handle auto-command errors
modpost: file2alias: go back to simple devtable lookup
modpost: file2alias: check prototype of handler
tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
tpm: Fix the type of the return value in calc_tpm2_event_size()
Revert "kbuild: use -Oz instead of -Os when using clang"
sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup
device_cgroup: fix RCU imbalance in error case
mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
ALSA: info: Fix racy addition/deletion of nodes
percpu: stop printing kernel addresses
tools include: Adopt linux/bits.h
ASoC: rockchip: add missing INTERLEAVED PCM attribute
i2c-hid: properly terminate i2c_hid_dmi_desc_override_table[] array
Revert "locking/lockdep: Add debug_locks check in __lock_downgrade()"
kernel/sysctl.c: fix out-of-bounds access when setting file-max
Linux 4.19.37
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 00206a69ee32f03e6f40837684dcbe475ea02266 upstream.
Since commit ad67b74d24 ("printk: hash addresses printed with %p"),
at boot "____ptrval____" is printed instead of actual addresses:
percpu: Embedded 38 pages/cpu @(____ptrval____) s124376 r0 d31272 u524288
Instead of changing the print to "%px", and leaking kernel addresses,
just remove the print completely, cfr. e.g. commit 071929dbdd
("arm64: Stop printing the virtual memory layout").
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.
Commit 58bc4c34d2 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
depends on skipping vmstat entries with empty name introduced in
7aaf772723 ("mm: don't show nr_indirectly_reclaimable in
/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
semantics of nr_indirectly_reclaimable_bytes").
So skipping no longer works and /proc/vmstat has misformatted lines " 0".
This patch simply shows debug counters "nr_tlb_remote_*" for UP.
Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
Fixes: 58bc4c34d2 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Roman Gushchin <guro@fb.com>
Cc: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.
The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it. Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier. For example in Hugh's post from Jul 2017:
https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
"Not strictly relevant here, but a related note: I was very surprised
to discover, only quite recently, how handle_mm_fault() may be called
without down_read(mmap_sem) - when core dumping. That seems a
misguided optimization to me, which would also be nice to correct"
In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.
Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.
Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.
For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs. Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.
Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.
In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.
Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm(). The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAly6xzUACgkQONu9yGCS
aT5sIA//b7nAk2zuhmbkonsBfzFq5uBJmqXcCrOgy3XHMs4fE+Q11kLd1wMAV7dx
U7FNHe4PIJ8Rczxgqr2VP3VmFbV6UuTK+UTclJKfbV3ouIAQiQBuutABBmbDUj2p
FInc/yAYyhVc9n7gX78czTiUxKnKi4+sisUYDCZPr3hr6jDPcLvm/WVWdyrcXJje
rYFNmE/2MBH1NofG+MOpq+ILhKHXlf2APN2/spl+I42a8bwodiSl9g+dhuWr7wgT
Ln2Ocf7BZ6BPCQKoveZdD1Gd56NNR/lJh4ulqpuhaZw4Yp+B/C7GmrBtdPzVSGka
IwPWoSc9/9VSUl+ooSZHms78VLbqq0rNNclskL2bN6m962u04Eu7sB2Tg/bwUs52
Wkcw0DY4J/oMJtj/CMHcQOUPsk6vwHxqnjsj+LYJ1ZjHO68tUshnENxXrbAoDc45
2fuY3TCA+XqFvqNt5HbkLPtFR78u8QmZ1lP/Pkri6xoG/GA6O0EAxhS0Z9hncGK7
8wJNuxLMd2UX94wlajQ+DF7yyCU4HOFEdeSEOwlHHBid/fckXsGzL2tKJUAbbUPP
ux3An8kJHni8nQrmUkyy1Nx29ROyAFxBLOQshWGpXgJrV3qRMYLyB2Icv0WYCGFk
zZCTupPgvb46u81VzqxrLH4RZdy4Ar4uB3BQGPKs596rlYmvnSo=
=CArs
-----END PGP SIGNATURE-----
Merge 4.19.36 into android-4.19
Changes in 4.19.36
ARC: u-boot args: check that magic number is correct
arc: hsdk_defconfig: Enable CONFIG_BLK_DEV_RAM
inotify: Fix fsnotify_mark refcount leak in inotify_update_existing_watch()
perf/core: Restore mmap record type correctly
ext4: avoid panic during forced reboot
ext4: add missing brelse() in add_new_gdb_meta_bg()
ext4: report real fs size after failed resize
ALSA: echoaudio: add a check for ioremap_nocache
ALSA: sb8: add a check for request_region
auxdisplay: hd44780: Fix memory leak on ->remove()
drm/udl: use drm_gem_object_put_unlocked.
IB/mlx4: Fix race condition between catas error reset and aliasguid flows
i40iw: Avoid panic when handling the inetdev event
mmc: davinci: remove extraneous __init annotation
ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration
thermal/intel_powerclamp: fix __percpu declaration of worker_data
thermal: samsung: Fix incorrect check after code merge
thermal: bcm2835: Fix crash in bcm2835_thermal_debugfs
thermal/int340x_thermal: Add additional UUIDs
thermal/int340x_thermal: fix mode setting
thermal/intel_powerclamp: fix truncated kthread name
scsi: iscsi: flush running unbind operations when removing a session
sched/cpufreq: Fix 32-bit math overflow
sched/core: Fix buffer overflow in cgroup2 property cpu.max
x86/mm: Don't leak kernel addresses
tools/power turbostat: return the exit status of a command
perf list: Don't forget to drop the reference to the allocated thread_map
perf config: Fix an error in the config template documentation
perf config: Fix a memory leak in collect_config()
perf build-id: Fix memory leak in print_sdt_events()
perf top: Fix error handling in cmd_top()
perf hist: Add missing map__put() in error case
perf evsel: Free evsel->counts in perf_evsel__exit()
perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test
perf tests: Fix memory leak by expr__find_other() in test__expr()
perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
ACPI / utils: Drop reference in test for device presence
PM / Domains: Avoid a potential deadlock
blk-iolatency: #include "blk.h"
drm/exynos/mixer: fix MIXER shadow registry synchronisation code
irqchip/stm32: Don't clear rising/falling config registers at init
irqchip/mbigen: Don't clear eventid when freeing an MSI
x86/hpet: Prevent potential NULL pointer dereference
x86/hyperv: Prevent potential NULL pointer dereference
x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors
drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure
iommu/vt-d: Check capability before disabling protected memory
x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error
fix incorrect error code mapping for OBJECTID_NOT_FOUND
x86/gart: Exclude GART aperture from kcore
ext4: prohibit fstrim in norecovery mode
drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
gpio: pxa: handle corner case of unprobed device
rsi: improve kernel thread handling to fix kernel panic
f2fs: fix to avoid NULL pointer dereference on se->discard_map
9p: do not trust pdu content for stat item size
9p locks: add mount option for lock retry interval
ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx()
f2fs: fix to do sanity check with current segment number
netfilter: xt_cgroup: shrink size of v2 path
serial: uartps: console_setup() can't be placed to init section
powerpc/pseries: Remove prrn_work workqueue
media: au0828: cannot kfree dev before usb disconnect
Bluetooth: Fix debugfs NULL pointer dereference
HID: i2c-hid: override HID descriptors for certain devices
pinctrl: core: make sure strcmp() doesn't get a null parameter
ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
usbip: fix vhci_hcd controller counting
ACPI / SBS: Fix GPE storm on recent MacBookPro's
HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2
KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail
compiler.h: update definition of unreachable()
netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine
f2fs: cleanup dirty pages if recover failed
net: stmmac: Set OWN bit for jumbo frames
cifs: fallback to older infolevels on findfirst queryinfo retry
kernel: hung_task.c: disable on suspend
platform/x86: Add Intel AtomISP2 dummy / power-management driver
drm/ttm: Fix bo_global and mem_global kfree error
ALSA: hda: fix front speakers on Huawei MBXP
ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle
net/rds: fix warn in rds_message_alloc_sgs
xfrm: destroy xfrm_state synchronously on net exit path
crypto: sha256/arm - fix crash bug in Thumb2 build
crypto: sha512/arm - fix crash bug in Thumb2 build
net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version
iommu/dmar: Fix buffer overflow during PCI bus notification
scsi: core: Avoid that system resume triggers a kernel warning
soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()
lkdtm: Print real addresses
lkdtm: Add tests for NULL pointer dereference
drm/panel: panel-innolux: set display off in innolux_panel_unprepare
crypto: axis - fix for recursive locking from bottom half
Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk"
coresight: cpu-debug: Support for CA73 CPUs
PCI: Blacklist power management of Gigabyte X299 DESIGNARE EX PCIe ports
drm/nouveau/volt/gf117: fix speedo readout register
ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI)
appletalk: Fix use-after-free in atalk_proc_exit
lib/div64.c: off by one in shift
rxrpc: Fix client call connect/disconnect race
f2fs: fix to dirty inode for i_mode recovery
include/linux/swap.h: use offsetof() instead of custom __swapoffset macro
bpf: fix use after free in bpf_evict_inode
IB/hfi1: Failed to drain send queue when QP is put into error state
mm: hide incomplete nr_indirectly_reclaimable in /proc/zoneinfo
mm: hide incomplete nr_indirectly_reclaimable in sysfs
appletalk: Fix compile regression
Linux 4.19.36
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman
Shakeel Butt
swkhack
Colin Ian King
Naoya Horiguchi
zhong jiang
Andrea Arcangeli
Minchan Kim
Dennis Zhou
John Sperbeck
Qian Cai
Yue Hu
Aneesh Kumar K.V
Linxu Fang
Mike Kravetz
Jérôme Glisse
Jiri Slaby
Kai Shen
Dan Williams
Jiri Kosina
Christoph Hellwig
Jan Kara
David Hildenbrand
Johannes Weiner
Arnd Bergmann
Catalin Marinas
Linus Torvalds
Matteo Croce
Konstantin Khlebnikov