1. 09 1月, 2017 26 次提交
  2. 08 1月, 2017 4 次提交
    • J
      mm: workingset: fix use-after-free in shadow node shrinker · ea07b862
      Johannes Weiner 提交于
      Several people report seeing warnings about inconsistent radix tree
      nodes followed by crashes in the workingset code, which all looked like
      use-after-free access from the shadow node shrinker.
      
      Dave Jones managed to reproduce the issue with a debug patch applied,
      which confirmed that the radix tree shrinking indeed frees shadow nodes
      while they are still linked to the shadow LRU:
      
        WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
        CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
        Call Trace:
           delete_node+0x1e4/0x200
           __radix_tree_delete_node+0xd/0x10
           shadow_lru_isolate+0xe6/0x220
           __list_lru_walk_one.isra.4+0x9b/0x190
           list_lru_walk_one+0x23/0x30
           scan_shadow_nodes+0x2e/0x40
           shrink_slab.part.44+0x23d/0x5d0
           shrink_node+0x22c/0x330
           kswapd+0x392/0x8f0
      
      This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
      inlined radix_tree_shrink().
      
      The problem is with 14b46879 ("mm: workingset: move shadow entry
      tracking to radix tree exceptional tracking"), which passes an update
      callback into the radix tree to link and unlink shadow leaf nodes when
      tree entries change, but forgot to pass the callback when reclaiming a
      shadow node.
      
      While the reclaimed shadow node itself is unlinked by the shrinker, its
      deletion from the tree can cause the left-most leaf node in the tree to
      be shrunk.  If that happens to be a shadow node as well, we don't unlink
      it from the LRU as we should.
      
      Consider this tree, where the s are shadow entries:
      
             root->rnode
                  |
             [0       n]
              |       |
           [s    ] [sssss]
      
      Now the shadow node shrinker reclaims the rightmost leaf node through
      the shadow node LRU:
      
             root->rnode
                  |
             [0        ]
              |
          [s     ]
      
      Because the parent of the deleted node is the first level below the
      root and has only one child in the left-most slot, the intermediate
      level is shrunk and the node containing the single shadow is put in
      its place:
      
             root->rnode
                  |
             [s        ]
      
      The shrinker again sees a single left-most slot in a first level node
      and thus decides to store the shadow in root->rnode directly and free
      the node - which is a leaf node on the shadow node LRU.
      
        root->rnode
             |
             s
      
      Without the update callback, the freed node remains on the shadow LRU,
      where it causes later shrinker runs to crash.
      
      Pass the node updater callback into __radix_tree_delete_node() in case
      the deletion causes the left-most branch in the tree to collapse too.
      
      Also add warnings when linked nodes are freed right away, rather than
      wait for the use-after-free when the list is scanned much later.
      
      Fixes: 14b46879 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
      Reported-by: NDave Chinner <david@fromorbit.com>
      Reported-by: NHugh Dickins <hughd@google.com>
      Reported-by: NAndrea Arcangeli <aarcange@redhat.com>
      Reported-and-tested-by: NDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: NJohannes Weiner <hannes@cmpxchg.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Chris Leech <cleech@redhat.com>
      Cc: Lee Duncan <lduncan@suse.com>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ea07b862
    • H
      mm: stop leaking PageTables · b0b9b3df
      Hugh Dickins 提交于
      4.10-rc loadtest (even on x86, and even without THPCache) fails with
      "fork: Cannot allocate memory" or some such; and /proc/meminfo shows
      PageTables growing.
      
      Commit 953c66c2 ("mm: THP page cache support for ppc64") that got
      merged in rc1 removed the freeing of an unused preallocated pagetable
      after do_fault_around() has called map_pages().
      
      This is usually a good optimization, so that the followup doesn't have
      to reallocate one; but it's not sufficient to shift the freeing into
      alloc_set_pte(), since there are failure cases (most commonly
      VM_FAULT_RETRY) which never reach finish_fault().
      
      Check and free it at the outer level in do_fault(), then we don't need
      to worry in alloc_set_pte(), and can restore that to how it was (I
      cannot find any reason to pte_free() under lock as it was doing).
      
      And fix a separate pagetable leak, or crash, introduced by the same
      change, that could only show up on some ppc64: why does do_set_pmd()'s
      failure case attempt to withdraw a pagetable when it never deposited
      one, at the same time overwriting (so leaking) the vmf->prealloc_pte?
      Residue of an earlier implementation, perhaps? Delete it.
      
      Fixes: 953c66c2 ("mm: THP page cache support for ppc64")
      Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Michael Neuling <mikey@neuling.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Balbir Singh <bsingharora@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b0b9b3df
    • L
      Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · 87bc6107
      Linus Torvalds 提交于
      Pull kbuild fix from Michal Marek:
       "The asm-prototypes.h file added in the last merge window results in
        invalid code with CONFIG_KMEMCHECK=y. The net result is that genksyms
        segfaults.
      
        This pull request fixes the header, the genksyms fix is in my kbuild
        branch for 4.11"
      
      * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        asm-prototypes: Clear any CPP defines before declaring the functions
      87bc6107
    • G
      MAINTAINERS: add greybus subsystem mailing list · 01d0f715
      Greg Kroah-Hartman 提交于
      The Greybus driver subsystem has a mailing list, so list it in the
      MAINTAINERS file so that people know to send patches there as well.
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01d0f715
  3. 07 1月, 2017 10 次提交
    • L
      Merge tag 'sound-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 308c470b
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "Nothing particular stands out, only a few small fixes for USB-audio,
        HD-audio and Firewire. The USB-audio fix is the respin of the previous
        race fix after a revert due to the regression"
      
      * tag 'sound-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        Revert "ALSA: firewire-lib: change structure member with proper type"
        ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion
        ALSA: usb-audio: Fix irq/process data synchronization
        ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
        ALSA: hda - Fix up GPIO for ASUS ROG Ranger
        ALSA: firewire-lib: change structure member with proper type
        ALSA: firewire-tascam: Fix to handle error from initialization of stream data
        ALSA: fireworks: fix asymmetric API call at unit removal
      308c470b
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · d72f0ded
      Linus Torvalds 提交于
      Pull clk fixes from Stephen Boyd:
       "One fix for a broken driver on Renesas RZ/A1 SoCs with bootloaders
        that don't turn all the clks on and another fix for stm32f4 SoCs where
        we have multiple drivers attaching to the same DT node"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: stm32f4: Use CLK_OF_DECLARE_DRIVER initialization method
        clk: renesas: mstp: Support 8-bit registers for r7s72100
      d72f0ded
    • L
      Merge tag 'hwmon-for-linus-v4.10-rc3' of... · baaf0315
      Linus Torvalds 提交于
      Merge tag 'hwmon-for-linus-v4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fix from Guenter Roeck:
       "Fix temp1_max_alarm attribute in lm90 driver"
      
      * tag 'hwmon-for-linus-v4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (lm90) fix temp1_max_alarm attribute
      baaf0315
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 08289086
      Linus Torvalds 提交于
      Pull KVM fixes from Radim Krčmář:
       "MIPS:
         - fix host kernel crashes when receiving a signal with 64-bit
           userspace
      
         - flush instruction cache on all vcpus after generating entry code
      
           (both for stable)
      
        x86:
         - fix NULL dereference in MMU caused by SMM transitions (for stable)
      
         - correct guest instruction pointer after emulating some VMX errors
      
         - minor cleanup"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: VMX: remove duplicated declaration
        KVM: MIPS: Flush KVM entry code from icache globally
        KVM: MIPS: Don't clobber CP0_Status.UX
        KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS
        KVM: nVMX: fix instruction skipping during emulated vm-entry
      08289086
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · b1ee5170
      Linus Torvalds 提交于
      Pull arm64 fixes from Catalin Marinas:
      
       - re-introduce the arm64 get_current() optimisation
      
       - KERN_CONT fallout fix in show_pte()
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: restore get_current() optimisation
        arm64: mm: fix show_pte KERN_CONT fallout
      b1ee5170
    • L
      Merge tag 'vfio-v4.10-rc3' of git://github.com/awilliam/linux-vfio · 5824f924
      Linus Torvalds 提交于
      Pull VFIO fixes from Alex Williamson:
       - Add mtty sample driver properly into build system (Alex Williamson)
       - Restore type1 mapping performance after mdev (Alex Williamson)
       - Fix mdev device race (Alex Williamson)
       - Cleanups to the mdev ABI used by vendor drivers (Alex Williamson)
       - Build fix for old compilers (Arnd Bergmann)
       - Fix sample driver error path (Dan Carpenter)
       - Handle pci_iomap() error (Arvind Yadav)
       - Fix mdev ioctl return type (Paul Gortmaker)
      
      * tag 'vfio-v4.10-rc3' of git://github.com/awilliam/linux-vfio:
        vfio-mdev: fix non-standard ioctl return val causing i386 build fail
        vfio-pci: Handle error from pci_iomap
        vfio-mdev: fix some error codes in the sample code
        vfio-pci: use 32-bit comparisons for register address for gcc-4.5
        vfio-mdev: Make mdev_device private and abstract interfaces
        vfio-mdev: Make mdev_parent private
        vfio-mdev: de-polute the namespace, rename parent_device & parent_ops
        vfio-mdev: Fix remove race
        vfio/type1: Restore mapping performance with mdev support
        vfio-mdev: Fix mtty sample driver building
      5824f924
    • L
      Merge branch 'stable/for-linus-4.10' of... · 2fd8774c
      Linus Torvalds 提交于
      Merge branch 'stable/for-linus-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb
      
      Pull swiotlb fixes from Konrad Rzeszutek Wilk:
       "This has one fix to make i915 work when using Xen SWIOTLB, and a
        feature from Geert to aid in debugging of devices that can't do DMA
        outside the 32-bit address space.
      
        The feature from Geert is on top of v4.10 merge window commit
        (specifically you pulling my previous branch), as his changes were
        dependent on the Documentation/ movement patches.
      
        I figured it would just easier than me trying than to cherry-pick the
        Documentation patches to satisfy git.
      
        The patches have been soaking since 12/20, albeit I updated the last
        patch due to linux-next catching an compiler error and adding an
        Tested-and-Reported-by tag"
      
      * 'stable/for-linus-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb:
        swiotlb: Export swiotlb_max_segment to users
        swiotlb: Add swiotlb=noforce debug option
        swiotlb: Convert swiotlb_force from int to enum
        x86, swiotlb: Simplify pci_swiotlb_detect_override()
      2fd8774c
    • L
      Merge tag 'iommu-fixes-v4.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 65cdc405
      Linus Torvalds 提交于
      Pull IOMMU fixes from Joerg Roedel:
       "Three fixes queued up:
      
         - fix an issue with command buffer overflow handling in the AMD IOMMU
           driver
      
         - add an additional context entry flush to the Intel VT-d driver to
           make sure any old context entry from kdump copying is flushed out
           of the cache
      
         - correct the encoding of the PASID table size in the Intel VT-d
           driver"
      
      * tag 'iommu-fixes-v4.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Fix the left value check of cmd buffer
        iommu/vt-d: Fix pasid table size encoding
        iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped
      65cdc405
    • L
      Merge tag 'acpi-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 7397e1e8
      Linus Torvalds 提交于
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a device enumeration problem related to _ADR matching and an
        IOMMU initialization issue related to the DMAR table missing, remove
        an excessive function call from the core ACPI code, update an error
        message in the ACPI WDAT watchdog driver and add a way to work around
        problems with unhandled GPE notifications.
      
        Specifics:
      
         - Fix a device enumeration issue leading to incorrect associations
           between ACPI device objects and platform device objects
           representing physical devices if the given device object has both
           _ADR and _HID (Rafael Wysocki).
      
         - Avoid passing NULL to acpi_put_table() during IOMMU initialization
           which triggers a (rightful) warning from ACPICA (Rafael Wysocki).
      
         - Drop an excessive call to acpi_dma_deconfigure() from the core code
           that binds ACPI device objects to device objects representing
           physical devices (Lorenzo Pieralisi).
      
         - Update an error message in the ACPI WDAT watchdog driver to make it
           provide more useful information (Mika Westerberg).
      
         - Add a mechanism to work around issues with unhandled GPE
           notifications that occur during system initialization and cannot be
           prevented by means of sysfs (Lv Zheng)"
      
      * tag 'acpi-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / DMAR: Avoid passing NULL to acpi_put_table()
        ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
        ACPI / watchdog: Print out error number when device creation fails
        ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
        ACPI: Drop misplaced acpi_dma_deconfigure() call from acpi_bind_one()
      7397e1e8
    • L
      Merge tag 'pm-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · b937a869
      Linus Torvalds 提交于
      Pull power management fixes from Rafael Wysocki:
       "These fix a few issues in the intel_pstate driver, a documetation
        issue, a false-positive compiler warning in the generic power domains
        framework and two problems in the devfreq subsystem. They also update
        the MAINTAINERS entry for devfreq and add a new "compatible" string to
        the generic cpufreq-dt driver.
      
        Specifics:
      
         - Fix a few intel_pstate driver issues: add missing locking it two
           places, avoid exposing a useless debugfs interface and keep the
           attribute values in sysfs in sync (Rafael Wysocki).
      
         - Drop confusing kernel-doc references related to power management
           and ACPI from the driver API manual (Rafael Wysocki).
      
         - Make a false-positive compiler warning in the generic power domains
           framework go away (Augusto Mecking Caringi).
      
         - Fix two initialization issues in the devfreq subsystem and update
           the MAINTAINERS entry for it (Chanwoo Choi).
      
         - Add a new "compatible" string for APM X-Gene 2 to the generic DT
           cpufreq driver (Hoan Tran)"
      
      * tag 'pm-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: dt: Add support for APM X-Gene 2
        PM / devfreq: exynos-bus: Fix the wrong return value
        PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL
        MAINTAINERS: Add myself as reviewer for DEVFREQ subsystem support
        PM / docs: Drop confusing kernel-doc references from infrastructure.rst
        PM / domains: Fix 'may be used uninitialized' build warning
        cpufreq: intel_pstate: Always keep all limits settings in sync
        cpufreq: intel_pstate: Use locking in intel_cpufreq_verify_policy()
        cpufreq: intel_pstate: Use locking in intel_pstate_resume()
        cpufreq: intel_pstate: Do not expose PID parameters in passive mode
      b937a869