January 2019 - Linux-stable-mirror

Re: [PATCH] kprobe: safely access memory specified by userspace

by Changbin Du

Hi, Please hold until Steven returned from Linux Conf Au. Thanks! On Tue, Jan 29, 2019 at 12:35:20AM +0000, Sasha Levin wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v4.20.5, v4.19.18, v4.14.96, v4.9.153, v4.4.172, v3.18.133. > > v4.20.5: Build OK! > v4.19.18: Failed to apply! Possible dependencies: > 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") > 56de76305279 ("tracing: probeevent: Cleanup print argument functions") > 9178412ddf5a ("tracing: probeevent: Return consumed bytes of dynamic area") > > v4.14.96: Failed to apply! Possible dependencies: > 45408c4f9250 ("tracing: kprobes: Prohibit probing on notrace function") > 4bebdc7a85aa ("bpf: add helper bpf_perf_prog_read_value") > 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") > 908432ca84fc ("bpf: add helper bpf_perf_event_read_value for perf event array map") > 97562633bcba ("bpf: perf event change needed for subsequent bpf helpers") > 9802d86585db ("bpf: add a bpf_override_function helper") > b4da3340eae2 ("tracing/kprobe: bpf: Check error injectable event is on function entry") > cd86d1fd2102 ("bpf: Adding helper function bpf_getsockops") > dd0bb688eaa2 ("bpf: add a bpf_override_function helper") > de8f3a83b0a0 ("bpf: add meta pointer for direct access") > f3edacbd697f ("bpf: Revert bpf_overrid_function() helper changes.") > > v4.9.153: Failed to apply! Possible dependencies: > 17bedab27231 ("bpf: xdp: Allow head adjustment in XDP prog") > 1d9995771fcb ("s390: update defconfigs") > 23a4e389bdc7 ("nfp: create separate define for max number of vectors") > 416db5c1e448 ("nfp: remove support for nfp3200") > 45408c4f9250 ("tracing: kprobes: Prohibit probing on notrace function") > 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") > 67f8b1dcb9ee ("net/mlx4_en: Refactor the XDP forwarding rings scheme") > 68453c7a8973 ("nfp: centralize runtime reconfiguration logic") > 6b0b7551428e ("perf/core: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS") > 7ff5c83a1deb ("nfp: simplify nfp_net_poll()") > 9802d86585db ("bpf: add a bpf_override_function helper") > a4b562bb8ebd ("nfp: use unsigned int for vector/ring counts") > b4da3340eae2 ("tracing/kprobe: bpf: Check error injectable event is on function entry") > bf187ea01b07 ("nfp: centralize the buffer size calculation") > cbeaf7aa733a ("nfp: bring back support for different ring counts") > ccc109b8ed24 ("net/mlx4_en: Add TX_XDP for CQ types") > dd0bb688eaa2 ("bpf: add a bpf_override_function helper") > e390b55d5aef ("bpf: make bpf_xdp_adjust_head support mandatory") > ecd63a0217d5 ("nfp: add XDP support in the driver") > f18f97ac43d7 ("tracing/kprobes: Add a helper method to return number of probe hits") > f3edacbd697f ("bpf: Revert bpf_overrid_function() helper changes.") > > v4.4.172: Failed to apply! Possible dependencies: > 1d9995771fcb ("s390: update defconfigs") > 45408c4f9250 ("tracing: kprobes: Prohibit probing on notrace function") > 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") > 6b0b7551428e ("perf/core: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS") > 6e127efeeae5 ("s390/config: make the vector optimized crc function builtin") > a086171ad886 ("s390: Updated kernel config files") > cb14def6a9ca ("s390/configs: update default configurations") > e9bc15f28e5f ("s390/config: update default configuration") > fdcebf6f18ee ("s390/config: Enable config options for Docker") > > v3.18.133: Failed to apply! Possible dependencies: > 1a6877b9c0c2 ("lib: introduce strncpy_from_unsafe()") > 34c0dad75229 ("s390/hypfs: Add diagnose 0c support") > 45408c4f9250 ("tracing: kprobes: Prohibit probing on notrace function") > 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") > 5a79859ae0f3 ("s390: remove 31 bit support") > 5c6497c50f8d ("s390/jump label: add sanity checks") > 6b0b7551428e ("perf/core: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS") > 8461b63ca01d ("s390: translate cputime magic constants to macros") > a763bc8b656d ("s390/numa: enable support in s390 configs") > c07af4f1ce41 ("mm: add missing __PAGETABLE_{PUD,PMD}_FOLDED defines") > c933146a5e41 ("s390/ftrace,kprobes: allow to patch first instruction") > d5caa4dbf9bd ("s390/jump label: use different nop instruction") > e9bc15f28e5f ("s390/config: update default configuration") > f8b2dcbd9e6d ("s390: add z13 code generation support") > > > How should we proceed with this patch? > > -- > Thanks, > Sasha -- Cheers, Changbin Du

5 years, 8 months

1
0
0 0

+ mm-proc-smaps_rollup-fix-pss_locked-calculation.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: fs/proc/task_mmu.c: fix smaps_rollup pss_locked calculation has been added to the -mm tree. Its filename is mm-proc-smaps_rollup-fix-pss_locked-calculation.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-proc-smaps_rollup-fix-pss_locke… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-proc-smaps_rollup-fix-pss_locke… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Sandeep Patil <sspatil(a)android.com> Subject: fs/proc/task_mmu.c: fix smaps_rollup pss_locked calculation The 'pss_locked' field of smaps_rollup was being calculated incorrectly as it accumulated the current pss everytime a locked VMA was found. Fix that by making sure we record the current pss value before each VMA is walked. So, we can only add the delta if the VMA was found to be VM_LOCKED. Link: http://lkml.kernel.org/r/20190121011049.160505-1-sspatil@android.com Fixes: 493b0e9d945f ("mm: add /proc/pid/smaps_rollup") Signed-off-by: Sandeep Patil <sspatil(a)android.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Andrey Vagin <avagin(a)openvz.org> Cc: Daniel Colascione <dancol(a)google.com> Cc: <stable(a)vger.kernel.org> [4.14.x 4.19.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/proc/task_mmu.c~mm-proc-smaps_rollup-fix-pss_locked-calculation +++ a/fs/proc/task_mmu.c @@ -721,6 +721,7 @@ static void smap_gather_stats(struct vm_ #endif .mm = vma->vm_mm, }; + unsigned long pss; smaps_walk.private = mss; @@ -749,11 +750,12 @@ static void smap_gather_stats(struct vm_ } } #endif - + /* record current pss so we can calculate the delta after page walk */ + pss = mss->pss; /* mmap_sem is held in m_start */ walk_page_vma(vma, &smaps_walk); if (vma->vm_flags & VM_LOCKED) - mss->pss_locked += mss->pss; + mss->pss_locked += mss->pss - pss; } #define SEQ_PUT_DEC(str, val) \ _ Patches currently in -mm which might be from sspatil(a)android.com are mm-proc-smaps_rollup-fix-pss_locked-calculation.patch

5 years, 8 months

1
0
0 0

+ mm-oom-fix-use-after-free-in-oom_kill_process.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, oom: fix use-after-free in oom_kill_process has been added to the -mm tree. Its filename is mm-oom-fix-use-after-free-in-oom_kill_process.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-oom-fix-use-after-free-in-oom_k… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-oom-fix-use-after-free-in-oom_k… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Shakeel Butt <shakeelb(a)google.com> Subject: mm, oom: fix use-after-free in oom_kill_process Syzbot instance running on upstream kernel found a use-after-free bug in oom_kill_process. On further inspection it seems like the process selected to be oom-killed has exited even before reaching read_lock(&tasklist_lock) in oom_kill_process(). More specifically the tsk->usage is 1 which is due to get_task_struct() in oom_evaluate_task() and the put_task_struct within for_each_thread() frees the tsk and for_each_thread() tries to access the tsk. The easiest fix is to do get/put across the for_each_thread() on the selected task. Now the next question is should we continue with the oom-kill as the previously selected task has exited? However before adding more complexity and heuristics, let's answer why we even look at the children of oom-kill selected task? The select_bad_process() has already selected the worst process in the system/memcg. Due to race, the selected process might not be the worst at the kill time but does that matter? The userspace can use the oom_score_adj interface to prefer children to be killed before the parent. I looked at the history but it seems like this is there before git history. Link: http://lkml.kernel.org/r/20190121215850.221745-1-shakeelb@google.com Reported-by: syzbot+7fbbfa368521945f0e3d(a)syzkaller.appspotmail.com Fixes: 6b0c81b3be11 ("mm, oom: reduce dependency on tasklist_lock") Signed-off-by: Shakeel Butt <shakeelb(a)google.com> Reviewed-by: Roman Gushchin <guro(a)fb.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/oom_kill.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/oom_kill.c~mm-oom-fix-use-after-free-in-oom_kill_process +++ a/mm/oom_kill.c @@ -975,6 +975,13 @@ static void oom_kill_process(struct oom_ * still freeing memory. */ read_lock(&tasklist_lock); + + /* + * The task 'p' might have already exited before reaching here. The + * put_task_struct() will free task_struct 'p' while the loop still try + * to access the field of 'p', so, get an extra reference. + */ + get_task_struct(p); for_each_thread(p, t) { list_for_each_entry(child, &t->children, sibling) { unsigned int child_points; @@ -994,6 +1001,7 @@ static void oom_kill_process(struct oom_ } } } + put_task_struct(p); read_unlock(&tasklist_lock); /* _ Patches currently in -mm which might be from shakeelb(a)google.com are mm-oom-fix-use-after-free-in-oom_kill_process.patch memcg-localize-memcg_kmem_enabled-check.patch memcg-schedule-high-reclaim-for-remote-memcgs-on-high_work.patch memcg-schedule-high-reclaim-for-remote-memcgs-on-high_work-v3.patch mm-oom-remove-prefer-children-over-parent-heuristic.patch

5 years, 8 months

1
0
0 0

[PATCH] Fix: membarrier: racy access to p->mm in membarrier_global_expedited()

by Mathieu Desnoyers

Jann Horn identified a racy access to p->mm in the global expedited command of the membarrier system call. The suggested fix is to hold the task_lock() around the accesses to p->mm and to the mm_struct membarrier_state field to guarantee the existence of the mm_struct. Link: https://lore.kernel.org/lkml/CAG48ez2G8ctF8dHS42TF37pThfr3y0RNOOYTmxvACm4u8… Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Tested-by: Jann Horn <jannh(a)google.com> CC: Jann Horn <jannh(a)google.com> CC: Thomas Gleixner <tglx(a)linutronix.de> CC: Peter Zijlstra (Intel) <peterz(a)infradead.org> CC: Ingo Molnar <mingo(a)kernel.org> CC: Andrea Parri <parri.andrea(a)gmail.com> CC: Andy Lutomirski <luto(a)kernel.org> CC: Avi Kivity <avi(a)scylladb.com> CC: Benjamin Herrenschmidt <benh(a)kernel.crashing.org> CC: Boqun Feng <boqun.feng(a)gmail.com> CC: Dave Watson <davejwatson(a)fb.com> CC: David Sehr <sehr(a)google.com> CC: H. Peter Anvin <hpa(a)zytor.com> CC: Linus Torvalds <torvalds(a)linux-foundation.org> CC: Maged Michael <maged.michael(a)gmail.com> CC: Michael Ellerman <mpe(a)ellerman.id.au> CC: Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> CC: Paul Mackerras <paulus(a)samba.org> CC: Russell King <linux(a)armlinux.org.uk> CC: Will Deacon <will.deacon(a)arm.com> CC: stable(a)vger.kernel.org # v4.16+ CC: linux-api(a)vger.kernel.org --- kernel/sched/membarrier.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c index 76e0eaf4654e..305fdcc4c5f7 100644 --- a/kernel/sched/membarrier.c +++ b/kernel/sched/membarrier.c @@ -81,12 +81,27 @@ static int membarrier_global_expedited(void) rcu_read_lock(); p = task_rcu_dereference(&cpu_rq(cpu)->curr); - if (p && p->mm && (atomic_read(&p->mm->membarrier_state) & - MEMBARRIER_STATE_GLOBAL_EXPEDITED)) { - if (!fallback) - __cpumask_set_cpu(cpu, tmpmask); - else - smp_call_function_single(cpu, ipi_mb, NULL, 1); + /* + * Skip this CPU if the runqueue's current task is NULL or if + * it is a kernel thread. + */ + if (p && READ_ONCE(p->mm)) { + bool mm_match; + + /* + * Read p->mm and access membarrier_state while holding + * the task lock to ensure existence of mm. + */ + task_lock(p); + mm_match = p->mm && (atomic_read(&p->mm->membarrier_state) & + MEMBARRIER_STATE_GLOBAL_EXPEDITED); + task_unlock(p); + if (mm_match) { + if (!fallback) + __cpumask_set_cpu(cpu, tmpmask); + else + smp_call_function_single(cpu, ipi_mb, NULL, 1); + } } rcu_read_unlock(); } -- 2.17.1

5 years, 8 months

3
4
0 0

+ mmmemory_hotplug-fix-scan_movable_pages-for-gigantic-hugepages.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages has been added to the -mm tree. Its filename is mmmemory_hotplug-fix-scan_movable_pages-for-gigantic-hugepages.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mmmemory_hotplug-fix-scan_movable_… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mmmemory_hotplug-fix-scan_movable_… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Oscar Salvador <osalvador(a)suse.de> Subject: mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages This is the same sort of error we saw in 17e2e7d7e1b83 ("mm, page_alloc: fix has_unmovable_pages for HugePages"). Gigantic hugepages cross several memblocks, so it can be that the page we get in scan_movable_pages() is a page-tail belonging to a 1G-hugepage. If that happens, page_hstate()->size_to_hstate() will return NULL, and we will blow up in hugepage_migration_supported(). The splat is as follows: kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 kernel: #PF error: [normal kernel read fault] kernel: PGD 0 P4D 0 kernel: Oops: 0000 [#1] SMP PTI kernel: CPU: 1 PID: 1350 Comm: bash Tainted: G E 5.0.0-rc1-mm1-1-default+ #27 kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 kernel: RIP: 0010:__offline_pages+0x6ae/0x900 kernel: Code: 48 c7 c6 d0 3e a4 81 e8 44 c8 ad ff 49 8b 04 24 bf 00 10 00 00 a9 00 00 01 00 74 09 41 0f b6 4c 24 51 48 d3 e7 e8 42 2a c1 ff <8b> 40 08 83 f8 09 0f 84 b0 fc ff ff 83 f8 12 0f 84 a7 fc ff ff 83 kernel: RSP: 0018:ffffc900008e3d20 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffffea0000000000 RCX: 0000000000000009 kernel: RDX: ffffffff825c64f0 RSI: 0000000000001000 RDI: 0000000000001000 kernel: RBP: ffffc900008e3d68 R08: 0000000000200000 R09: 00000000000001e4 kernel: R10: 0000000000000058 R11: ffffffff8254a854 R12: ffffea0004200000 kernel: R13: 0000000000108000 R14: 0000000000110000 R15: 0000000000000000 kernel: FS: 00007ff172339b80(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000008 CR3: 0000000038d78006 CR4: 00000000003606a0 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 kernel: Call Trace: kernel: ? klist_next+0x79/0xe0 kernel: memory_subsys_offline+0x42/0x60 kernel: device_offline+0x80/0xa0 kernel: state_store+0xab/0xc0 kernel: kernfs_fop_write+0x102/0x180 kernel: __vfs_write+0x26/0x190 kernel: ? set_close_on_exec+0x49/0x70 kernel: vfs_write+0xad/0x1b0 kernel: ksys_write+0x42/0x90 kernel: do_syscall_64+0x5b/0x180 kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 kernel: RIP: 0033:0x7ff1719febe4 kernel: Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00 00 8b 05 4a fc 2c 00 48 63 ff 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 55 53 48 89 d5 48 89 f3 48 83 kernel: RSP: 002b:00007ffd50b7ddc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 kernel: RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007ff1719febe4 kernel: RDX: 0000000000000008 RSI: 00005556e9216b20 RDI: 0000000000000001 kernel: RBP: 00005556e9216b20 R08: 000000000000000a R09: 0000000000000000 kernel: R10: 000000000000000a R11: 0000000000000246 R12: 0000000000000008 kernel: R13: 0000000000000001 R14: 00007ff171cca720 R15: 0000000000000008 kernel: Modules linked in: af_packet(E) xt_tcpudp(E) ipt_REJECT(E) xt_conntrack(E) nf_conntrack(E) nf_defrag_ipv4(E) ip_set(E) nfnetlink(E) ebtable_nat(E) ebtable_broute(E) bridge(E) stp(E) llc(E) iptable_mangle(E) iptable_raw(E) iptable_security(E) ebtable_filter(E) ebtables(E) iptable_filter(E) ip_tables(E) x_tables(E) kvm_intel(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) bochs_drm(E) ttm(E) aesni_intel(E) drm_kms_helper(E) aes_x86_64(E) crypto_simd(E) cryptd(E) glue_helper(E) drm(E) virtio_net(E) syscopyarea(E) sysfillrect(E) net_failover(E) sysimgblt(E) pcspkr(E) failover(E) i2c_piix4(E) fb_sys_fops(E) parport_pc(E) parport(E) button(E) btrfs(E) libcrc32c(E) xor(E) zstd_decompress(E) zstd_compress(E) xxhash(E) raid6_pq(E) sd_mod(E) ata_generic(E) ata_piix(E) ahci(E) libahci(E) libata(E) crc32c_intel(E) serio_raw(E) virtio_pci(E) virtio_ring(E) virtio(E) sg(E) scsi_mod(E) autofs4(E) kernel: CR2: 0000000000000008 kernel: ---[ end trace bdb71590872849fb ]--- kernel: RIP: 0010:__offline_pages+0x6ae/0x900 kernel: Code: 48 c7 c6 d0 3e a4 81 e8 44 c8 ad ff 49 8b 04 24 bf 00 10 00 00 a9 00 00 01 00 74 09 41 0f b6 4c 24 51 48 d3 e7 e8 42 2a c1 ff <8b> 40 08 83 f8 09 0f 84 b0 fc ff ff 83 f8 12 0f 84 a7 fc ff ff 83 kernel: RSP: 0018:ffffc900008e3d20 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffffea0000000000 RCX: 0000000000000009 kernel: RDX: ffffffff825c64f0 RSI: 0000000000001000 RDI: 0000000000001000 kernel: RBP: ffffc900008e3d68 R08: 0000000000200000 R09: 00000000000001e4 kernel: R10: 0000000000000058 R11: ffffffff8254a854 R12: ffffea0004200000 kernel: R13: 0000000000108000 R14: 0000000000110000 R15: 0000000000000000 kernel: FS: 00007ff172339b80(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000008 CR3: 0000000038d78006 CR4: 00000000003606a0 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Link: http://lkml.kernel.org/r/20190122154407.18417-1-osalvador@suse.de Signed-off-by: Oscar Salvador <osalvador(a)suse.de> Reviewed-by: Anthony Yznaga <anthony.yznaga(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory_hotplug.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/mm/memory_hotplug.c~mmmemory_hotplug-fix-scan_movable_pages-for-gigantic-hugepages +++ a/mm/memory_hotplug.c @@ -1314,12 +1314,17 @@ static unsigned long scan_movable_pages( if (__PageMovable(page)) return pfn; if (PageHuge(page)) { - if (hugepage_migration_supported(page_hstate(page)) && - page_huge_active(page)) + struct page *head = compound_head(page); + + if (hugepage_migration_supported(page_hstate(head)) && + page_huge_active(head)) return pfn; - else - pfn = round_up(pfn + 1, - 1 << compound_order(page)) - 1; + else { + unsigned long skip; + + skip = (1 << compound_order(head)) - (page - head); + pfn += skip - 1; + } } } } _ Patches currently in -mm which might be from osalvador(a)suse.de are mm-memory_hotplug-dont-bail-out-in-do_migrate_range-prematurely.patch mmmemory_hotplug-fix-scan_movable_pages-for-gigantic-hugepages.patch

5 years, 8 months

1
0
0 0

FAILED: patch "[PATCH] vmbus: fix subchannel removal" failed to apply to 4.20-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.20-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From b5679cebf780c6f1c2451a73bf1842a4409840e7 Mon Sep 17 00:00:00 2001 From: Dexuan Cui <decui(a)microsoft.com> Date: Wed, 9 Jan 2019 20:56:06 +0000 Subject: [PATCH] vmbus: fix subchannel removal The changes to split ring allocation from open/close, broke the cleanup of subchannels. This resulted in problems using uio on network devices because the subchannel was left behind when the network device was unbound. The cause was in the disconnect logic which used list splice to move the subchannel list into a local variable. This won't work because the subchannel list is needed later during the process of the rescind messages (relid2channel). The fix is to just leave the subchannel list in place which is what the original code did. The list is cleaned up later when the host rescind is processed. Without the fix, we have a lot of "hang" issues in netvsc when we try to change the NIC's MTU, set the number of channels, etc. Fixes: ae6935ed7d42 ("vmbus: split ring buffer allocation from open") Cc: stable(a)vger.kernel.org Signed-off-by: Stephen Hemminger <sthemmin(a)microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index ce0ba2062723..bea4c9850247 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -701,19 +701,12 @@ static int vmbus_close_internal(struct vmbus_channel *channel) int vmbus_disconnect_ring(struct vmbus_channel *channel) { struct vmbus_channel *cur_channel, *tmp; - unsigned long flags; - LIST_HEAD(list); int ret; if (channel->primary_channel != NULL) return -EINVAL; - /* Snapshot the list of subchannels */ - spin_lock_irqsave(&channel->lock, flags); - list_splice_init(&channel->sc_list, &list); - spin_unlock_irqrestore(&channel->lock, flags); - - list_for_each_entry_safe(cur_channel, tmp, &list, sc_list) { + list_for_each_entry_safe(cur_channel, tmp, &channel->sc_list, sc_list) { if (cur_channel->rescind) wait_for_completion(&cur_channel->rescind_event);

5 years, 8 months

3
2
0 0

Stable queue: queue-4.20

by CKI

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 9f1a389a0b5b Linux 4.20.5 The results of these automated tests are provided below. Overall result: FAILED (see details below) Patch merge: OK Compile: OK Kernel tests: FAILED One or more kernel tests failed: powerpc64le: PASSED s390x: PASSED aarch64: PASSED x86_64: PASSED We hope that these logs can help you find the problem quickly. For the full detail on our testing procedures, please scroll to the bottom of this message. Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 9f1a389a0b5b Linux 4.20.5 We then merged the following patches with `git am`: amd-xgbe-fix-mdio-access-for-non-zero-ports-and-clause-45-phys.patch net-bridge-fix-ethernet-header-pointer-before-check-skb-forwardable.patch net-fix-usage-of-pskb_trim_rcsum.patch net-phy-marvell-errata-for-mv88e6390-internal-phys.patch net-phy-mdio_bus-add-missing-device_del-in-mdiobus_register-error-handling.patch net-phy-phy-driver-features-are-mandatory.patch net-sched-act_tunnel_key-fix-memory-leak-in-case-of-action-replace.patch net_sched-refetch-skb-protocol-for-each-filter.patch openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch vhost-log-dirty-page-correctly.patch mlxsw-pci-increase-pci-sw-reset-timeout.patch net-ipv4-fix-memory-leak-in-network-namespace-dismantle.patch mlxsw-spectrum_fid-update-dummy-fid-index.patch mlxsw-pci-ring-cq-s-doorbell-before-rdq-s.patch net-sched-cls_flower-allocate-mask-dynamically-in-fl_change.patch udp-with-udp_segment-release-on-error-path.patch ip6_gre-fix-tunnel-list-corruption-for-x-netns.patch erspan-build-the-header-with-the-right-proto-according-to-erspan_ver.patch net-phy-marvell-fix-deadlock-from-wrong-locking.patch ip6_gre-update-version-related-info-when-changing-link.patch tcp-allow-msg_zerocopy-transmission-also-in-close_wait-state.patch arm-fix-the-cockup-in-the-previous-patch.patch sunrpc-address-kerberos-performance-behavior-regress.patch mei-me-mark-lbg-devices-as-having-dma-support.patch mei-me-add-denverton-innovation-engine-device-ids.patch usb-leds-fix-regression-in-usbport-led-trigger.patch usb-ehci-ehci-mv-add-module_device_table.patch usb-serial-ftdi_sio-fix-gpio-not-working-in-autosuspend.patch usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch clk-zynqmp-fix-memory-allocation-in-zynqmp_clk_setup.patch clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch alsa-hda-realtek-fix-typo-for-alc225-model.patch alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch arc-adjust-memblock_reserve-of-kernel-memory.patch arc-perf-map-generic-branches-to-correct-hardware-condition.patch s390-vdso-correct-vdso-mapping-for-compat-tasks.patch s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch s390-early-improve-machine-detection.patch s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch s390-smp-fix-calling-smp_call_ipl_cpu-from-ipl-cpu.patch misc-ibmvsm-fix-potential-null-pointer-dereference.patch char-mwave-fix-potential-spectre-v1-vulnerability.patch mmc-sdhci-iproc-handle-mmc_of_parse-errors-during-probe.patch mmc-dw_mmc-bluefield-fix-the-license-information.patch mmc-meson-gx-free-irq-in-release-callback.patch staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch uart-fix-crash-in-uart_write-and-uart_put_char.patch tty-n_hdlc-fix-__might_sleep-warning.patch hv_balloon-avoid-touching-uninitialized-struct-page-during-tail-onlining.patch drivers-hv-vmbus-check-for-ring-when-getting-debug-info.patch vgacon-unconfuse-vc_origin-when-using-soft-scrollback.patch cifs-fix-possible-hang-during-async-mtu-reads-and-writes.patch cifs-fix-credits-calculations-for-reads-with-errors.patch cifs-fix-credit-calculation-for-encrypted-reads-with-errors.patch cifs-do-not-reconnect-tcp-session-in-add_credits.patch smb3-add-credits-we-receive-from-oplock-break-pdus.patch input-xpad-add-support-for-steelseries-stratus-duo.patch input-input_event-provide-override-for-sparc64.patch input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch acpi-nfit-block-function-zero-dsms.patch acpi-nfit-fix-command-supported-detection.patch scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch dm-thin-fix-passdown_double_checking_shared_status.patch dm-crypt-fix-parsing-of-extended-iv-arguments.patch drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch edac-altera-fix-s10-persistent-register-offset.patch kvm-x86-fix-single-step-debugging.patch kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch x86-pkeys-properly-copy-pkey-state-at-fork.patch x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch x86-kaslr-fix-incorrect-i8254-outb-parameters.patch x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch posix-cpu-timers-unbreak-timer-rearming.patch net-sun-cassini-cleanup-license-conflict.patch irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch can-bcm-check-timer-values-before-ktime-conversion.patch can-flexcan-fix-null-pointer-exception-during-bringup.patch vt-make-vt_console_print-compatible-with-the-unicode-screen-buffer.patch vt-always-call-notifier-with-the-console-lock-held.patch vt-invoke-notifier-on-screen-size-change.patch Compile testing --------------- We compiled the kernel for 4 architectures: powerpc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/37ab853d978ad56fe7282effaf… s390x: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/s390x/a46196bd00443d94448839972e96… aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/ad27f389bdca6633caea1a474f… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/45a926f1b63beab12bfa2e5cd35… Hardware testing ---------------- We booted each kernel and ran the following tests: powerpc: s390: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… /distribution/command LTP lite - release 20180926 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu arm64: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… /distribution/command LTP lite - release 20180926 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… x86_64: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… /distribution/command LTP lite - release 20180926 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us…

5 years, 8 months

1
0
0 0

[RFC PATCH] Fix: membarrier: racy access to p->mm in membarrier_global_expedited()

by Mathieu Desnoyers

Jann Horn identified a racy access to p->mm in the global expedited command of the membarrier system call. The suggested fix is to hold the task_lock() around the accesses to p->mm and to the mm_struct membarrier_state field to guarantee the existence of the mm_struct. Link: https://lore.kernel.org/lkml/CAG48ez2G8ctF8dHS42TF37pThfr3y0RNOOYTmxvACm4u8… Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> CC: Jann Horn <jannh(a)google.com> CC: Thomas Gleixner <tglx(a)linutronix.de> CC: Peter Zijlstra (Intel) <peterz(a)infradead.org> CC: Ingo Molnar <mingo(a)kernel.org> CC: Andrea Parri <parri.andrea(a)gmail.com> CC: Andrew Hunter <ahh(a)google.com> CC: Andy Lutomirski <luto(a)kernel.org> CC: Avi Kivity <avi(a)scylladb.com> CC: Benjamin Herrenschmidt <benh(a)kernel.crashing.org> CC: Boqun Feng <boqun.feng(a)gmail.com> CC: Dave Watson <davejwatson(a)fb.com> CC: David Sehr <sehr(a)google.com> CC: Greg Hackmann <ghackmann(a)google.com> CC: H. Peter Anvin <hpa(a)zytor.com> CC: Linus Torvalds <torvalds(a)linux-foundation.org> CC: Maged Michael <maged.michael(a)gmail.com> CC: Michael Ellerman <mpe(a)ellerman.id.au> CC: Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> CC: Paul Mackerras <paulus(a)samba.org> CC: Russell King <linux(a)armlinux.org.uk> CC: Will Deacon <will.deacon(a)arm.com> CC: stable(a)vger.kernel.org # v4.16+ CC: linux-api(a)vger.kernel.org --- kernel/sched/membarrier.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c index 76e0eaf4654e..305fdcc4c5f7 100644 --- a/kernel/sched/membarrier.c +++ b/kernel/sched/membarrier.c @@ -81,12 +81,27 @@ static int membarrier_global_expedited(void) rcu_read_lock(); p = task_rcu_dereference(&cpu_rq(cpu)->curr); - if (p && p->mm && (atomic_read(&p->mm->membarrier_state) & - MEMBARRIER_STATE_GLOBAL_EXPEDITED)) { - if (!fallback) - __cpumask_set_cpu(cpu, tmpmask); - else - smp_call_function_single(cpu, ipi_mb, NULL, 1); + /* + * Skip this CPU if the runqueue's current task is NULL or if + * it is a kernel thread. + */ + if (p && READ_ONCE(p->mm)) { + bool mm_match; + + /* + * Read p->mm and access membarrier_state while holding + * the task lock to ensure existence of mm. + */ + task_lock(p); + mm_match = p->mm && (atomic_read(&p->mm->membarrier_state) & + MEMBARRIER_STATE_GLOBAL_EXPEDITED); + task_unlock(p); + if (mm_match) { + if (!fallback) + __cpumask_set_cpu(cpu, tmpmask); + else + smp_call_function_single(cpu, ipi_mb, NULL, 1); + } } rcu_read_unlock(); } -- 2.17.1

5 years, 8 months

4
5
0 0

[PATCH stable 4.20 00/10] BPF stable fixes

by Daniel Borkmann

The following patches are targeted at 4.20 stable tree. Thanks! Daniel Borkmann (10): bpf: move {prev_,}insn_idx into verifier env bpf: move tmp variable into ax register in interpreter bpf: enable access to ax register also from verifier rewrite bpf: restrict map value pointer arithmetic for unprivileged bpf: restrict stack pointer arithmetic for unprivileged bpf: restrict unknown scalars of mixed signed bounds for unprivileged bpf: fix check_map_access smin_value test when pointer contains offset bpf: prevent out of bounds speculation on pointer arithmetic bpf: fix sanitation of alu op with pointer / scalar type from different paths bpf: fix inner map masking to prevent oob under speculation include/linux/bpf_verifier.h | 13 ++ include/linux/filter.h | 10 +- kernel/bpf/core.c | 54 +++-- kernel/bpf/map_in_map.c | 17 +- kernel/bpf/verifier.c | 369 +++++++++++++++++++++++++++++------ 5 files changed, 377 insertions(+), 86 deletions(-) -- 2.17.1

5 years, 8 months

2
11
0 0

[PATCH] drm/nouveau: Don't WARN_ON VCPI allocation failures

by Lyude Paul

This is much louder then we want. VCPI allocation failures are quite normal, since they will happen if any part of the modesetting process is interrupted by removing the DP MST topology in question. So just print a debugging message on VCPI failures instead. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Fixes: f479c0ba4a17 ("drm/nouveau/kms/nv50: initial support for DP 1.2 multi-stream") Cc: Ben Skeggs <bskeggs(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: nouveau(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.10+ --- drivers/gpu/drm/nouveau/dispnv50/disp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c index 2e8a5fd9b262..09a9c747c7bb 100644 --- a/drivers/gpu/drm/nouveau/dispnv50/disp.c +++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c @@ -811,7 +811,8 @@ nv50_msto_enable(struct drm_encoder *encoder) slots = drm_dp_find_vcpi_slots(&mstm->mgr, mstc->pbn); r = drm_dp_mst_allocate_vcpi(&mstm->mgr, mstc->port, mstc->pbn, slots); - WARN_ON(!r); + if (!r) + DRM_DEBUG_KMS("Failed to allocate VCPI\n"); if (!mstm->links++) nv50_outp_acquire(mstm->outp); -- 2.20.1

5 years, 8 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2019