March 2021 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 4.4.259 kernel. All users of the 4.4 kernel series must upgrade. The updated 4.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/compressed/head.S | 4 arch/arm/boot/dts/exynos5250-spring.dts | 2 arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 arch/mips/kernel/vmlinux.lds.S | 1 arch/mips/lantiq/irq.c | 2 arch/mips/mm/c-r4k.c | 2 arch/powerpc/Kconfig | 2 arch/powerpc/platforms/pseries/dlpar.c | 7 - arch/sparc/Kconfig | 2 arch/sparc/lib/memset.S | 1 arch/x86/kernel/reboot.c | 29 ++---- arch/xtensa/platforms/iss/simdisk.c | 1 block/blk-settings.c | 12 ++ drivers/amba/bus.c | 20 ++-- drivers/block/brd.c | 1 drivers/block/floppy.c | 27 +++-- drivers/block/rbd.c | 9 - drivers/block/zram/zram_drv.h | 1 drivers/clk/meson/clk-pll.c | 2 drivers/clocksource/mxs_timer.c | 5 - drivers/dma/fsldma.c | 6 + drivers/gpio/gpio-pcf857x.c | 2 drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c | 22 ++-- drivers/gpu/drm/gma500/psb_drv.c | 2 drivers/hid/hid-core.c | 9 + drivers/i2c/busses/i2c-brcmstb.c | 2 drivers/ide/ide-cd.c | 8 - drivers/ide/ide-cd.h | 6 - drivers/infiniband/core/user_mad.c | 7 + drivers/input/joydev.c | 7 + drivers/input/joystick/xpad.c | 1 drivers/input/serio/i8042-x86ia64io.h | 4 drivers/input/touchscreen/elo.c | 4 drivers/md/dm-era-target.c | 93 ++++++++++++-------- drivers/media/pci/cx25821/cx25821-core.c | 4 drivers/media/pci/saa7134/saa7134-empress.c | 5 - drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 drivers/media/usb/tm6000/tm6000-dvb.c | 4 drivers/media/usb/uvc/uvc_v4l2.c | 18 +-- drivers/mfd/wm831x-auxadc.c | 3 drivers/misc/eeprom/eeprom_93xx46.c | 1 drivers/misc/vmw_vmci/vmci_queue_pair.c | 5 - drivers/mmc/host/usdhi6rol0.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 drivers/net/ethernet/intel/igb/igb_main.c | 2 drivers/net/wireless/b43/phy_n.c | 2 drivers/net/xen-netback/interface.c | 9 + drivers/nvdimm/dimm_devs.c | 18 +++ drivers/nvdimm/nd.h | 1 drivers/pci/syscall.c | 10 +- drivers/regulator/axp20x-regulator.c | 7 - drivers/scsi/bnx2fc/Kconfig | 1 drivers/scsi/gdth.h | 3 drivers/spi/spi-s3c24xx-fiq.S | 9 - drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 drivers/usb/core/quirks.c | 3 drivers/usb/dwc2/hcd_intr.c | 14 ++- drivers/usb/dwc3/gadget.c | 19 +++- drivers/usb/renesas_usbhs/fifo.c | 2 drivers/usb/serial/mos7720.c | 4 drivers/usb/serial/mos7840.c | 4 drivers/usb/serial/option.c | 3 drivers/video/fbdev/Kconfig | 2 fs/btrfs/free-space-cache.c | 6 + fs/btrfs/relocation.c | 4 fs/f2fs/file.c | 3 fs/gfs2/lock_dlm.c | 8 - fs/isofs/dir.c | 1 fs/isofs/namei.c | 1 fs/jffs2/summary.c | 3 fs/jfs/jfs_dmap.c | 2 fs/ntfs/inode.c | 6 + include/linux/blkdev.h | 42 ++++++--- include/linux/device-mapper.h | 2 include/linux/ide.h | 1 include/uapi/linux/msdos_fs.h | 2 kernel/debug/kdb/kdb_private.h | 2 kernel/futex.c | 7 - kernel/module.c | 21 ++++ kernel/tracepoint.c | 80 +++++++++++++---- mm/hugetlb.c | 43 +++++++++ mm/memory.c | 6 - net/bluetooth/a2mp.c | 3 net/bluetooth/hci_core.c | 6 - scripts/recordmcount.pl | 6 + security/keys/trusted.c | 2 sound/soc/codecs/cs42l56.c | 3 tools/perf/tests/sample-parsing.c | 2 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 3 90 files changed, 493 insertions(+), 242 deletions(-) Adrian Hunter (1): perf intel-pt: Fix missing CYC processing in PSB Al Viro (1): sparc32: fix a user-triggerable oops in clear_user() Alexander Lobakin (1): MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section Arnd Bergmann (1): ARM: s3c: fix fiq for clang IAS Aswath Govindraju (2): misc: eeprom_93xx46: Fix module alias to enable module autoprobe misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users Bart Van Assche (1): block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h> Bob Peterson (1): gfs2: Don't skip dlm unlock if glock has an lvb Chao Yu (1): f2fs: fix out-of-repair __setattr_copy() Christophe JAILLET (4): media: cx25821: Fix a bug when reallocating some dma memory dmaengine: fsldma: Fix a resource leak in the remove function dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe Christophe Leroy (1): powerpc/47x: Disable 256k page size Christopher William Snowhill (1): Bluetooth: Fix initializing response id after clearing struct Colin Ian King (2): b43: N-PHY: Fix the update of coef for the PHY revision >= 3case fs/jfs: fix potential integer overflow on shift of a int Corinna Vinschen (1): igb: Remove incorrect "unexpected SYS WRAP" log message Dan Carpenter (7): gma500: clean up error handling in init ASoC: cs42l56: fix up error handling in probe mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() Input: elo - fix an error code in elo_connect() Input: joydev - prevent potential read overflow in ioctl USB: serial: mos7840: fix error code in mos7840_write() USB: serial: mos7720: fix error code in mos7720_write() Dan Williams (1): libnvdimm/dimm: Avoid race between probe and available_slots_show() David Vrabel (1): xen-netback: delete NAPI instance when queue fails to initialize Dinghao Liu (2): media: media/pci: Fix memleak in empress_init media: tm6000: Fix memleak in tm6000_start_stream Edwin Peer (1): bnxt_en: reverse order of TX disable and carrier off Fangrui Song (1): module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols Greg Kroah-Hartman (1): Linux 4.4.259 Guenter Roeck (2): usb: dwc2: Abort transaction after errors with unknown reason usb: dwc2: Make "trimming xfer length" a debug message Heiner Kallweit (1): PCI: Align checking of syscall user config accessors Jarkko Sakkinen (1): KEYS: trusted: Fix migratable=1 failing Jialin Zhang (1): drm/gma500: Fix error return code in psb_driver_load() Jiri Kosina (1): floppy: reintroduce O_NDELAY fix Joe Perches (1): media: lmedm04: Fix misuse of comma Jorgen Hansen (1): VMCI: Use set_page_dirty_lock() when unregistering guest memory Josef Bacik (1): btrfs: fix reloc root leak with 0 ref reloc roots on recovery Juergen Gross (1): xen/netback: fix spurious event detection for common event case Krzysztof Kozlowski (2): ARM: dts: exynos: correct PMIC interrupt trigger level on Spring ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa Laurent Pinchart (1): media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values Lech Perczak (1): USB: serial: option: update interface mapping for ZTE P685M Marcos Paulo de Souza (1): Input: i8042 - add ASUS Zenbook Flip to noselftest list Martin Blumenstingl (1): clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL Martin Kaiser (1): staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table Maxim Kiselev (1): gpio: pcf857x: Fix missing first interrupt Maxime Ripard (1): i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition Miaohe Lin (2): mm/memory.c: fix potential pte_unmap_unlock pte error mm/hugetlb: fix potential double free in hugetlb_register_node() error path Mikulas Patocka (1): blk-settings: align max_sectors on "logical_block_size" boundary Muchun Song (1): mm: hugetlb: fix a race between freeing and dissolving the page Namhyung Kim (1): perf test: Fix unaligned access in sample parsing test Nathan Chancellor (2): MIPS: c-r4k: Fix section mismatch for loongson2_sc_init MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 Nathan Lynch (1): powerpc/pseries/dlpar: handle ibm, configure-connector delay status Nikos Tsironis (7): dm era: Recover committed writeset after crash dm era: Verify the data block size hasn't changed dm era: Fix bitset memory leaks dm era: Use correct value size in equality function of writeset tree dm era: Reinitialize bitset cache before digesting a new writeset dm era: only resize metadata in preresume dm era: Update in-core bitset after committing the metadata Olivier Crête (1): Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S Pan Bian (4): Bluetooth: drop HCI device reference before return Bluetooth: Put HCI device if inquiry procedure interrupts regulator: axp20x: Fix reference cout leak isofs: release buffer head before return Peter Zijlstra (1): futex: Fix OWNER_DEAD fixup Randy Dunlap (4): fbdev: aty: SPARC64 requires FB_ATY_CT HID: core: detect and skip invalid inputs to snto32() sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set scsi: bnx2fc: Fix Kconfig warning & CNIC build errors Rong Chen (1): scripts/recordmcount.pl: support big endian for ARCH sh Rustam Kovhaev (1): ntfs: check for valid standard information attribute Sabyrzhan Tasbolatov (1): drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue Sean Christopherson (1): x86/reboot: Force all cpus to exit VMX root if VMX is supported Shay Drory (1): IB/umad: Return EIO in case of when device disassociated Stefan Ursella (1): usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable Steven Rostedt (VMware) (1): tracepoint: Do not fail unregistering a probe due to memory failure Sumit Garg (1): kdb: Make memory allocations more robust Thinh Nguyen (2): usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt Tom Rix (2): jffs2: fix use after free in jffs2_sum_write_data() clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined Uwe Kleine-König (1): amba: Fix resource leak for drivers without .remove Vladimir Murzin (1): ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores Will McVicker (1): HID: make arrays usage and value to be the same Yoshihiro Shimoda (1): usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() Zhihao Cheng (1): btrfs: clarify error returns values in __load_free_space_cache

3 years, 7 months

1
1
0 0

[PATCH v4 02/13] phy: ti: j721e-wiz: Invoke wiz_init() before of_platform_device_create()

by Kishon Vijay Abraham I

Invoke wiz_init() before configuring anything else in Sierra/Torrent (invoked as part of of_platform_device_create()). wiz_init() resets the SERDES device and any configuration done in the probe() of Sierra/Torrent will be lost. In order to prevent SERDES configuration from getting reset, invoke wiz_init() immediately before invoking of_platform_device_create(). Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC") Signed-off-by: Kishon Vijay Abraham I <kishon(a)ti.com> Cc: <stable(a)vger.kernel.org> # v5.10 --- drivers/phy/ti/phy-j721e-wiz.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/drivers/phy/ti/phy-j721e-wiz.c b/drivers/phy/ti/phy-j721e-wiz.c index 995c7dbec77b..1bb73822f44a 100644 --- a/drivers/phy/ti/phy-j721e-wiz.c +++ b/drivers/phy/ti/phy-j721e-wiz.c @@ -1262,27 +1262,24 @@ static int wiz_probe(struct platform_device *pdev) goto err_get_sync; } + ret = wiz_init(wiz); + if (ret) { + dev_err(dev, "WIZ initialization failed\n"); + goto err_wiz_init; + } + serdes_pdev = of_platform_device_create(child_node, NULL, dev); if (!serdes_pdev) { dev_WARN(dev, "Unable to create SERDES platform device\n"); ret = -ENOMEM; - goto err_pdev_create; - } - wiz->serdes_pdev = serdes_pdev; - - ret = wiz_init(wiz); - if (ret) { - dev_err(dev, "WIZ initialization failed\n"); goto err_wiz_init; } + wiz->serdes_pdev = serdes_pdev; of_node_put(child_node); return 0; err_wiz_init: - of_platform_device_destroy(&serdes_pdev->dev, NULL); - -err_pdev_create: wiz_clock_cleanup(wiz, node); err_get_sync: -- 2.17.1

3 years, 7 months

1
0
0 0

RE: [PATCH v2] exfat: fix erroneous discard when clear cluster bit

by Namjae Jeon

> If mounted with discard option, exFAT issues discard command when clear cluster bit to remove file. > But the input parameter of cluster-to-sector calculation is abnormally added by reserved cluster size > which is 2, leading to discard unrelated sectors included in target+2 cluster. > With fixing this, remove the wrong comments in set/clear/find bitmap functions. > > Fixes: 1e49a94cf707 ("exfat: add bitmap operations") Cc: stable(a)vger.kernel.org # v5.7+ > Signed-off-by: Hyeongseok Kim <hyeongseok(a)gmail.com> > Acked-by: Sungjong Seo <sj1557.seo(a)samsung.com> Applied. Thanks for your patch! > --- > fs/exfat/balloc.c | 15 +-------------- > 1 file changed, 1 insertion(+), 14 deletions(-) > > diff --git a/fs/exfat/balloc.c b/fs/exfat/balloc.c index 761c79c3a4ba..54f1bcbddb26 100644 > --- a/fs/exfat/balloc.c > +++ b/fs/exfat/balloc.c > @@ -141,10 +141,6 @@ void exfat_free_bitmap(struct exfat_sb_info *sbi) > kfree(sbi->vol_amap); > } > > -/* > - * If the value of "clu" is 0, it means cluster 2 which is the first cluster of > - * the cluster heap. > - */ > int exfat_set_bitmap(struct inode *inode, unsigned int clu) { > int i, b; > @@ -162,10 +158,6 @@ int exfat_set_bitmap(struct inode *inode, unsigned int clu) > return 0; > } > > -/* > - * If the value of "clu" is 0, it means cluster 2 which is the first cluster of > - * the cluster heap. > - */ > void exfat_clear_bitmap(struct inode *inode, unsigned int clu, bool sync) { > int i, b; > @@ -186,8 +178,7 @@ void exfat_clear_bitmap(struct inode *inode, unsigned int clu, bool sync) > int ret_discard; > > ret_discard = sb_issue_discard(sb, > - exfat_cluster_to_sector(sbi, clu + > - EXFAT_RESERVED_CLUSTERS), > + exfat_cluster_to_sector(sbi, clu), > (1 << sbi->sect_per_clus_bits), GFP_NOFS, 0); > > if (ret_discard == -EOPNOTSUPP) { > @@ -197,10 +188,6 @@ void exfat_clear_bitmap(struct inode *inode, unsigned int clu, bool sync) > } > } > > -/* > - * If the value of "clu" is 0, it means cluster 2 which is the first cluster of > - * the cluster heap. > - */ > unsigned int exfat_find_free_bitmap(struct super_block *sb, unsigned int clu) { > unsigned int i, map_i, map_b, ent_idx; > -- > 2.27.0.83.g0313f36

3 years, 7 months

1
0
0 0

stable/linux-4.9.y baseline: 107 runs, 5 regressions (v4.9.259)

by kernelci.org bot

stable/linux-4.9.y baseline: 107 runs, 5 regressions (v4.9.259) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-baylibre | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-linaro-lkft | gcc-8 | versatile_defconfig | 1 r8a7795-salvator-x | arm64 | lab-baylibre | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/job/stable/branch/linux-4.9.y/kernel/v4.9.259/pla… Test: baseline Tree: stable Branch: linux-4.9.y Describe: v4.9.259 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: 2e782b1d9958ac86cccb317a83e5574f154c3b1b Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-baylibre | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffe0e9bdfe9680aaddcdb Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffe0e9bdfe9680aaddcdc failing since 105 days (last pass: v4.9.243, first fail: v4.9.244) platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffe2d684444cc70addcc5 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffe2d684444cc70addcc6 failing since 105 days (last pass: v4.9.243, first fail: v4.9.244) platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffdb42f85a5daeeaddcc4 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffdb42f85a5daeeaddcc5 failing since 105 days (last pass: v4.9.243, first fail: v4.9.244) platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-linaro-lkft | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffdbd2f85a5daeeaddccc Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm/versatile_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffdbd2f85a5daeeaddccd failing since 105 days (last pass: v4.9.243, first fail: v4.9.244) platform | arch | lab | compiler | defconfig | regressions ---------------------+-------+-----------------+----------+---------------------+------------ r8a7795-salvator-x | arm64 | lab-baylibre | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/plan/id/60400034c82bb2f459addcbf Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-8 (aarch64-linux-gnu-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm64/defconfig/g… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.259/arm64/defconfig/g… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/60400034c82bb2f459addcc0 failing since 105 days (last pass: v4.9.243, first fail: v4.9.244)

3 years, 7 months

1
0
0 0

stable/linux-4.14.y baseline: 84 runs, 3 regressions (v4.14.223)

by kernelci.org bot

stable/linux-4.14.y baseline: 84 runs, 3 regressions (v4.14.223) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-linaro-lkft | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/job/stable/branch/linux-4.14.y/kernel/v4.14.223/p… Test: baseline Tree: stable Branch: linux-4.14.y Describe: v4.14.223 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: 397a88b2cc869c823bf40bc403d36a62afec1edd Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffd2a7c1c018550addcd3 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… HTML log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffd2a7c1c018550addcd4 failing since 105 days (last pass: v4.14.206, first fail: v4.14.207) platform | arch | lab | compiler | defconfig | regressions ---------------------+------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffa81c7670e8f49addcd1 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… HTML log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffa81c7670e8f49addcd2 failing since 105 days (last pass: v4.14.206, first fail: v4.14.207) platform | arch | lab | compiler | defconfig | regressions ---------------------+------+-----------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-linaro-lkft | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/603ffa89cd6997f4ecaddcd3 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… HTML log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.223/arm/versatile_d… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.login: https://kernelci.org/test/case/id/603ffa89cd6997f4ecaddcd4 failing since 105 days (last pass: v4.14.206, first fail: v4.14.207)

3 years, 7 months

1
0
0 0

[PATCH kcsan 1/4] kcsan, debugfs: Move debugfs file creation out of early init

by paulmck＠kernel.org

From: Marco Elver <elver(a)google.com> Commit 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized") forbids creating new debugfs files until debugfs is fully initialized. This means that KCSAN's debugfs file creation, which happened at the end of __init(), no longer works. And was apparently never supposed to work! However, there is no reason to create KCSAN's debugfs file so early. This commit therefore moves its creation to a late_initcall() callback. Cc: "Rafael J. Wysocki" <rafael(a)kernel.org> Cc: stable <stable(a)vger.kernel.org> Fixes: 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized") Reviewed-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Marco Elver <elver(a)google.com> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> --- kernel/kcsan/core.c | 2 -- kernel/kcsan/debugfs.c | 4 +++- kernel/kcsan/kcsan.h | 5 ----- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/kernel/kcsan/core.c b/kernel/kcsan/core.c index 3bf98db..23e7acb 100644 --- a/kernel/kcsan/core.c +++ b/kernel/kcsan/core.c @@ -639,8 +639,6 @@ void __init kcsan_init(void) BUG_ON(!in_task()); - kcsan_debugfs_init(); - for_each_possible_cpu(cpu) per_cpu(kcsan_rand_state, cpu) = (u32)get_cycles(); diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c index 3c8093a..209ad8d 100644 --- a/kernel/kcsan/debugfs.c +++ b/kernel/kcsan/debugfs.c @@ -261,7 +261,9 @@ static const struct file_operations debugfs_ops = .release = single_release }; -void __init kcsan_debugfs_init(void) +static void __init kcsan_debugfs_init(void) { debugfs_create_file("kcsan", 0644, NULL, NULL, &debugfs_ops); } + +late_initcall(kcsan_debugfs_init); diff --git a/kernel/kcsan/kcsan.h b/kernel/kcsan/kcsan.h index 8d4bf34..87ccdb3 100644 --- a/kernel/kcsan/kcsan.h +++ b/kernel/kcsan/kcsan.h @@ -31,11 +31,6 @@ void kcsan_save_irqtrace(struct task_struct *task); void kcsan_restore_irqtrace(struct task_struct *task); /* - * Initialize debugfs file. - */ -void kcsan_debugfs_init(void); - -/* * Statistics counters displayed via debugfs; should only be modified in * slow-paths. */ -- 2.9.5

3 years, 7 months

1
0
0 0

[PATCH 27/33] io_uring: fix -EAGAIN retry with IOPOLL

by Jens Axboe

We no longer revert the iovec on -EIOCBQUEUED, see commit ab2125df921d, and this started causing issues for IOPOLL on devies that run out of request slots. Turns out what outside of needing a revert for those, we also had a bug where we didn't properly setup retry inside the submission path. That could cause re-import of the iovec, if any, and that could lead to spurious results if the application had those allocated on the stack. Catch -EAGAIN retry and make the iovec stable for IOPOLL, just like we do for !IOPOLL retries. Cc: <stable(a)vger.kernel.org> # 5.9+ Reported-by: Abaci Robot <abaci(a)linux.alibaba.com> Reported-by: Xiaoguang Wang <xiaoguang.wang(a)linux.alibaba.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- fs/io_uring.c | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 28a360aac4a3..c765b7fba8a1 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2423,23 +2423,32 @@ static bool io_resubmit_prep(struct io_kiocb *req) return false; return !io_setup_async_rw(req, iovec, inline_vecs, &iter, false); } -#endif -static bool io_rw_reissue(struct io_kiocb *req) +static bool io_rw_should_reissue(struct io_kiocb *req) { -#ifdef CONFIG_BLOCK umode_t mode = file_inode(req->file)->i_mode; + struct io_ring_ctx *ctx = req->ctx; if (!S_ISBLK(mode) && !S_ISREG(mode)) return false; - if ((req->flags & REQ_F_NOWAIT) || io_wq_current_is_worker()) + if ((req->flags & REQ_F_NOWAIT) || (io_wq_current_is_worker() && + !(ctx->flags & IORING_SETUP_IOPOLL))) return false; /* * If ref is dying, we might be running poll reap from the exit work. * Don't attempt to reissue from that path, just let it fail with * -EAGAIN. */ - if (percpu_ref_is_dying(&req->ctx->refs)) + if (percpu_ref_is_dying(&ctx->refs)) + return false; + return true; +} +#endif + +static bool io_rw_reissue(struct io_kiocb *req) +{ +#ifdef CONFIG_BLOCK + if (!io_rw_should_reissue(req)) return false; lockdep_assert_held(&req->ctx->uring_lock); @@ -2482,6 +2491,19 @@ static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2) { struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb); +#ifdef CONFIG_BLOCK + /* Rewind iter, if we have one. iopoll path resubmits as usual */ + if (res == -EAGAIN && io_rw_should_reissue(req)) { + struct io_async_rw *rw = req->async_data; + + if (rw) + iov_iter_revert(&rw->iter, + req->result - iov_iter_count(&rw->iter)); + else if (!io_resubmit_prep(req)) + res = -EIO; + } +#endif + if (kiocb->ki_flags & IOCB_WRITE) kiocb_end_write(req); @@ -3230,6 +3252,8 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags) ret = io_iter_do_read(req, iter); if (ret == -EIOCBQUEUED) { + if (req->async_data) + iov_iter_revert(iter, io_size - iov_iter_count(iter)); goto out_free; } else if (ret == -EAGAIN) { /* IOPOLL retry should happen for io-wq threads */ @@ -3361,6 +3385,8 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags) /* no retry on NONBLOCK nor RWF_NOWAIT */ if (ret2 == -EAGAIN && (req->flags & REQ_F_NOWAIT)) goto done; + if (ret2 == -EIOCBQUEUED && req->async_data) + iov_iter_revert(iter, io_size - iov_iter_count(iter)); if (!force_nonblock || ret2 != -EAGAIN) { /* IOPOLL retry should happen for io-wq threads */ if ((req->ctx->flags & IORING_SETUP_IOPOLL) && ret2 == -EAGAIN) -- 2.30.1

3 years, 7 months

1
0
0 0

[PATCH 23/33] io_uring: ignore double poll add on the same waitqueue head

by Jens Axboe

syzbot reports a deadlock, attempting to lock the same spinlock twice: ============================================ WARNING: possible recursive locking detected 5.11.0-syzkaller #0 Not tainted -------------------------------------------- swapper/1/0 is trying to acquire lock: ffff88801b2b1130 (&runtime->sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] ffff88801b2b1130 (&runtime->sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 but task is already holding lock: ffff88801b2b3130 (&runtime->sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&runtime->sleep); lock(&runtime->sleep); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by swapper/1/0: #0: ffff888147474908 (&group->lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #1: ffff88801b2b3130 (&runtime->sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu kernel/softirq.c:422 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516 Code: dd 38 6e f8 84 db 75 ac e8 54 32 6e f8 e8 0f 1c 74 f8 e9 0c 00 00 00 e8 45 32 6e f8 0f 00 2d 4e 4a c5 00 e8 39 32 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 14 3a 6e f8 48 85 db RSP: 0018:ffffc90000d47d18 EFLAGS: 00000293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff8880115c3780 RSI: ffffffff89052537 RDI: 0000000000000000 RBP: ffff888141127064 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff81794168 R11: 0000000000000000 R12: 0000000000000001 R13: ffff888141127000 R14: ffff888141127064 R15: ffff888143331804 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:647 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351 call_cpuidle kernel/sched/idle.c:158 [inline] cpuidle_idle_call kernel/sched/idle.c:239 [inline] do_idle+0x3e1/0x590 kernel/sched/idle.c:300 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:397 start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272 secondary_startup_64_no_verify+0xb0/0xbb which is due to the driver doing poll_wait() twice on the same wait_queue_head. That is perfectly valid, but from checking the rest of the kernel tree, it's the only driver that does this. We can handle this just fine, we just need to ignore the second addition as we'll get woken just fine on the first one. Cc: stable(a)vger.kernel.org # 5.8+ Fixes: 18bceab101ad ("io_uring: allow POLL_ADD with double poll_wait() users") Reported-by: syzbot+28abd693db9e92c160d8(a)syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- fs/io_uring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 549a5c5ee0b5..bdaeda5eefd5 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4959,6 +4959,9 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt, pt->error = -EINVAL; return; } + /* double add on the same waitqueue head, ignore */ + if (poll->head == head) + return; poll = kmalloc(sizeof(*poll), GFP_ATOMIC); if (!poll) { pt->error = -ENOMEM; -- 2.30.1

3 years, 7 months

1
0
0 0

[PATCH tip/core/rcu 09/12] rcu/nocb: Fix missed nocb_timer requeue

by paulmck＠kernel.org

From: Frederic Weisbecker <frederic(a)kernel.org> This sequence of events can lead to a failure to requeue a CPU's ->nocb_timer: 1. There are no callbacks queued for any CPU covered by CPU 0-2's ->nocb_gp_kthread. Note that ->nocb_gp_kthread is associated with CPU 0. 2. CPU 1 enqueues its first callback with interrupts disabled, and thus must defer awakening its ->nocb_gp_kthread. It therefore queues its rcu_data structure's ->nocb_timer. At this point, CPU 1's rdp->nocb_defer_wakeup is RCU_NOCB_WAKE. 3. CPU 2, which shares the same ->nocb_gp_kthread, also enqueues a callback, but with interrupts enabled, allowing it to directly awaken the ->nocb_gp_kthread. 4. The newly awakened ->nocb_gp_kthread associates both CPU 1's and CPU 2's callbacks with a future grace period and arranges for that grace period to be started. 5. This ->nocb_gp_kthread goes to sleep waiting for the end of this future grace period. 6. This grace period elapses before the CPU 1's timer fires. This is normally improbably given that the timer is set for only one jiffy, but timers can be delayed. Besides, it is possible that kernel was built with CONFIG_RCU_STRICT_GRACE_PERIOD=y. 7. The grace period ends, so rcu_gp_kthread awakens the ->nocb_gp_kthread, which in turn awakens both CPU 1's and CPU 2's ->nocb_cb_kthread. Then ->nocb_gb_kthread sleeps waiting for more newly queued callbacks. 8. CPU 1's ->nocb_cb_kthread invokes its callback, then sleeps waiting for more invocable callbacks. 9. Note that neither kthread updated any ->nocb_timer state, so CPU 1's ->nocb_defer_wakeup is still set to RCU_NOCB_WAKE. 10. CPU 1 enqueues its second callback, this time with interrupts enabled so it can wake directly ->nocb_gp_kthread. It does so with calling wake_nocb_gp() which also cancels the pending timer that got queued in step 2. But that doesn't reset CPU 1's ->nocb_defer_wakeup which is still set to RCU_NOCB_WAKE. So CPU 1's ->nocb_defer_wakeup and its ->nocb_timer are now desynchronized. 11. ->nocb_gp_kthread associates the callback queued in 10 with a new grace period, arranges for that grace period to start and sleeps waiting for it to complete. 12. The grace period ends, rcu_gp_kthread awakens ->nocb_gp_kthread, which in turn wakes up CPU 1's ->nocb_cb_kthread which then invokes the callback queued in 10. 13. CPU 1 enqueues its third callback, this time with interrupts disabled so it must queue a timer for a deferred wakeup. However the value of its ->nocb_defer_wakeup is RCU_NOCB_WAKE which incorrectly indicates that a timer is already queued. Instead, CPU 1's ->nocb_timer was cancelled in 10. CPU 1 therefore fails to queue the ->nocb_timer. 14. CPU 1 has its pending callback and it may go unnoticed until some other CPU ever wakes up ->nocb_gp_kthread or CPU 1 ever calls an explicit deferred wakeup, for example, during idle entry. This commit fixes this bug by resetting rdp->nocb_defer_wakeup everytime we delete the ->nocb_timer. It is quite possible that there is a similar scenario involving ->nocb_bypass_timer and ->nocb_defer_wakeup. However, despite some effort from several people, a failure scenario has not yet been located. However, that by no means guarantees that no such scenario exists. Finding a failure scenario is left as an exercise for the reader, and the "Fixes:" tag below relates to ->nocb_bypass_timer instead of ->nocb_timer. Fixes: d1b222c6be1f (rcu/nocb: Add bypass callback queueing) Cc: <stable(a)vger.kernel.org> Cc: Josh Triplett <josh(a)joshtriplett.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Joel Fernandes <joel(a)joelfernandes.org> Cc: Boqun Feng <boqun.feng(a)gmail.com> Reviewed-by: Neeraj Upadhyay <neeraju(a)codeaurora.org> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> --- kernel/rcu/tree_plugin.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h index a1a17ad..e392bd1 100644 --- a/kernel/rcu/tree_plugin.h +++ b/kernel/rcu/tree_plugin.h @@ -1708,7 +1708,11 @@ static bool wake_nocb_gp(struct rcu_data *rdp, bool force, rcu_nocb_unlock_irqrestore(rdp, flags); return false; } - del_timer(&rdp->nocb_timer); + + if (READ_ONCE(rdp->nocb_defer_wakeup) > RCU_NOCB_WAKE_NOT) { + WRITE_ONCE(rdp->nocb_defer_wakeup, RCU_NOCB_WAKE_NOT); + del_timer(&rdp->nocb_timer); + } rcu_nocb_unlock_irqrestore(rdp, flags); raw_spin_lock_irqsave(&rdp_gp->nocb_gp_lock, flags); if (force || READ_ONCE(rdp_gp->nocb_gp_sleep)) { @@ -2335,7 +2339,6 @@ static bool do_nocb_deferred_wakeup_common(struct rcu_data *rdp) return false; } ndw = READ_ONCE(rdp->nocb_defer_wakeup); - WRITE_ONCE(rdp->nocb_defer_wakeup, RCU_NOCB_WAKE_NOT); ret = wake_nocb_gp(rdp, ndw == RCU_NOCB_WAKE_FORCE, flags); trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("DeferredWake")); -- 2.9.5

3 years, 7 months

1
0
0 0

[PATCH RESEND v3] mm/userfaultfd: fix memory corruption due to writeprotect

by Nadav Amit

From: Nadav Amit <namit(a)vmware.com> Userfaultfd self-test fails occasionally, indicating a memory corruption. Analyzing this problem indicates that there is a real bug since mmap_lock is only taken for read in mwriteprotect_range() and defers flushes, and since there is insufficient consideration of concurrent deferred TLB flushes in wp_page_copy(). Although the PTE is flushed from the TLBs in wp_page_copy(), this flush takes place after the copy has already been performed, and therefore changes of the page are possible between the time of the copy and the time in which the PTE is flushed. To make matters worse, memory-unprotection using userfaultfd also poses a problem. Although memory unprotection is logically a promotion of PTE permissions, and therefore should not require a TLB flush, the current userrfaultfd code might actually cause a demotion of the architectural PTE permission: when userfaultfd_writeprotect() unprotects memory region, it unintentionally *clears* the RW-bit if it was already set. Note that this unprotecting a PTE that is not write-protected is a valid use-case: the userfaultfd monitor might ask to unprotect a region that holds both write-protected and write-unprotected PTEs. The scenario that happens in selftests/vm/userfaultfd is as follows: cpu0 cpu1 cpu2 ---- ---- ---- [ Writable PTE cached in TLB ] userfaultfd_writeprotect() [ write-*unprotect* ] mwriteprotect_range() mmap_read_lock() change_protection() change_protection_range() ... change_pte_range() [ *clear* “write”-bit ] [ defer TLB flushes ] [ page-fault ] ... wp_page_copy() cow_user_page() [ copy page ] [ write to old page ] ... set_pte_at_notify() A similar scenario can happen: cpu0 cpu1 cpu2 cpu3 ---- ---- ---- ---- [ Writable PTE cached in TLB ] userfaultfd_writeprotect() [ write-protect ] [ deferred TLB flush ] userfaultfd_writeprotect() [ write-unprotect ] [ deferred TLB flush] [ page-fault ] wp_page_copy() cow_user_page() [ copy page ] ... [ write to page ] set_pte_at_notify() This race exists since commit 292924b26024 ("userfaultfd: wp: apply _PAGE_UFFD_WP bit"). Yet, as Yu Zhao pointed, these races became apparent since commit 09854ba94c6a ("mm: do_wp_page() simplification") which made wp_page_copy() more likely to take place, specifically if page_count(page) > 1. To resolve the aforementioned races, check whether there are pending flushes on uffd-write-protected VMAs, and if there are, perform a flush before doing the COW. Further optimizations will follow to avoid during uffd-write-unprotect unnecassary PTE write-protection and TLB flushes. Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Pavel Emelyanov <xemul(a)openvz.org> Cc: Mike Kravetz <mike.kravetz(a)oracle.com> Cc: Mike Rapoport <rppt(a)linux.vnet.ibm.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org Suggested-by: Yu Zhao <yuzhao(a)google.com> Fixes: 292924b26024 ("userfaultfd: wp: apply _PAGE_UFFD_WP bit") Signed-off-by: Nadav Amit <namit(a)vmware.com> --- v2->v3: * Do not acquire mmap_lock for write, flush conditionally instead [Yu] * Change the fixes tag to the patch that made the race apparent [Yu] * Removing patch to avoid write-protect on uffd unprotect. More comprehensive solution to follow (and avoid the TLB flush as well). --- mm/memory.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/mm/memory.c b/mm/memory.c index 9e8576a83147..06da04f98936 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -3092,6 +3092,13 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf) return handle_userfault(vmf, VM_UFFD_WP); } + /* + * Userfaultfd write-protect can defer flushes. Ensure the TLB + * is flushed in this case before copying. + */ + if (userfaultfd_wp(vmf->vma) && mm_tlb_flush_pending(vmf->vma->vm_mm)) + flush_tlb_page(vmf->vma, vmf->address); + vmf->page = vm_normal_page(vma, vmf->address, vmf->orig_pte); if (!vmf->page) { /* -- 2.25.1

3 years, 7 months

2
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2021