1. 12 10月, 2020 27 次提交
  2. 11 10月, 2020 3 次提交
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · da690031
      Linus Torvalds 提交于
      Pull i2c fixes from Wolfram Sang:
       "Some more driver bugfixes for I2C. Including a revert - the updated
        series for it will come during the next merge window"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: owl: Clear NACK and BUS error bits
        Revert "i2c: imx: Fix reset of I2SR_IAL flag"
        i2c: meson: fixup rate calculation with filter delay
        i2c: meson: keep peripheral clock enabled
        i2c: meson: fix clock setting overwrite
        i2c: imx: Fix reset of I2SR_IAL flag
      da690031
    • V
      cifs: Fix incomplete memory allocation on setxattr path · 64b7f674
      Vladimir Zapolskiy 提交于
      On setxattr() syscall path due to an apprent typo the size of a dynamically
      allocated memory chunk for storing struct smb2_file_full_ea_info object is
      computed incorrectly, to be more precise the first addend is the size of
      a pointer instead of the wanted object size. Coincidentally it makes no
      difference on 64-bit platforms, however on 32-bit targets the following
      memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
      
        =============================================================================
        BUG kmalloc-16 (Not tainted): Redzone overwritten
        -----------------------------------------------------------------------------
      
        Disabling lock debugging due to kernel taint
        INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
        INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
        INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
      
        Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
        Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
        Redzone 79e69a6f: 73 68 32 0a                                      sh2.
        Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
        CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
        Call Trace:
         dump_stack+0x54/0x6e
         print_trailer+0x12c/0x134
         check_bytes_and_report.cold+0x3e/0x69
         check_object+0x18c/0x250
         free_debug_processing+0xfe/0x230
         __slab_free+0x1c0/0x300
         kfree+0x1d3/0x220
         smb2_set_ea+0x27d/0x540
         cifs_xattr_set+0x57f/0x620
         __vfs_setxattr+0x4e/0x60
         __vfs_setxattr_noperm+0x4e/0x100
         __vfs_setxattr_locked+0xae/0xd0
         vfs_setxattr+0x4e/0xe0
         setxattr+0x12c/0x1a0
         path_setxattr+0xa4/0xc0
         __ia32_sys_lsetxattr+0x1d/0x20
         __do_fast_syscall_32+0x40/0x70
         do_fast_syscall_32+0x29/0x60
         do_SYSENTER_32+0x15/0x20
         entry_SYSENTER_32+0x9f/0xf2
      
      Fixes: 5517554e ("cifs: Add support for writing attributes on SMB2+")
      Signed-off-by: NVladimir Zapolskiy <vladimir@tuxera.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      64b7f674
    • H
      mm/khugepaged: fix filemap page_to_pgoff(page) != offset · 033b5d77
      Hugh Dickins 提交于
      There have been elusive reports of filemap_fault() hitting its
      VM_BUG_ON_PAGE(page_to_pgoff(page) != offset, page) on kernels built
      with CONFIG_READ_ONLY_THP_FOR_FS=y.
      
      Suren has hit it on a kernel with CONFIG_READ_ONLY_THP_FOR_FS=y and
      CONFIG_NUMA is not set: and he has analyzed it down to how khugepaged
      without NUMA reuses the same huge page after collapse_file() failed
      (whereas NUMA targets its allocation to the respective node each time).
      And most of us were usually testing with CONFIG_NUMA=y kernels.
      
      collapse_file(old start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=old offset
        new_page->mapping = mapping
        xas_store(&xas, new_page)
      
                                filemap_fault
                                  page = find_get_page(mapping, offset)
                                  // if offset falls inside hpage then
                                  // compound_head(page) == hpage
                                  lock_page_maybe_drop_mmap()
                                    __lock_page(page)
      
        // collapse fails
        xas_store(&xas, old page)
        new_page->mapping = NULL
        unlock_page(new_page)
      
      collapse_file(new start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=new offset
        new_page->mapping = mapping // mapping becomes valid again
      
                                  // since compound_head(page) == hpage
                                  // page_to_pgoff(page) got changed
                                  VM_BUG_ON_PAGE(page_to_pgoff(page) != offset)
      
      An initial patch replaced __SetPageLocked() by lock_page(), which did
      fix the race which Suren illustrates above.  But testing showed that it's
      not good enough: if the racing task's __lock_page() gets delayed long
      after its find_get_page(), then it may follow collapse_file(new start)'s
      successful final unlock_page(), and crash on the same VM_BUG_ON_PAGE.
      
      It could be fixed by relaxing filemap_fault()'s VM_BUG_ON_PAGE to a
      check and retry (as is done for mapping), with similar relaxations in
      find_lock_entry() and pagecache_get_page(): but it's not obvious what
      else might get caught out; and khugepaged non-NUMA appears to be unique
      in exposing a page to page cache, then revoking, without going through
      a full cycle of freeing before reuse.
      
      Instead, non-NUMA khugepaged_prealloc_page() release the old page
      if anyone else has a reference to it (1% of cases when I tested).
      
      Although never reported on huge tmpfs, I believe its find_lock_entry()
      has been at similar risk; but huge tmpfs does not rely on khugepaged
      for its normal working nearly so much as READ_ONLY_THP_FOR_FS does.
      Reported-by: NDenis Lisov <dennis.lissov@gmail.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206569
      Link: https://lore.kernel.org/linux-mm/?q=20200219144635.3b7417145de19b65f258c943%40linux-foundation.orgReported-by: NQian Cai <cai@lca.pw>
      Link: https://lore.kernel.org/linux-xfs/?q=20200616013309.GB815%40lca.pwReported-and-analyzed-by: NSuren Baghdasaryan <surenb@google.com>
      Fixes: 87c460a0 ("mm/khugepaged: collapse_shmem() without freezing new_page")
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org # v4.9+
      Reviewed-by: NMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      033b5d77
  3. 10 10月, 2020 8 次提交
  4. 09 10月, 2020 2 次提交
    • C
      mmc: core: don't set limits.discard_granularity as 0 · 42432191
      Coly Li 提交于
      In mmc_queue_setup_discard() the mmc driver queue's discard_granularity
      might be set as 0 (when card->pref_erase > max_discard) while the mmc
      device still declares to support discard operation. This is buggy and
      triggered the following kernel warning message,
      
      WARNING: CPU: 0 PID: 135 at __blkdev_issue_discard+0x200/0x294
      CPU: 0 PID: 135 Comm: f2fs_discard-17 Not tainted 5.9.0-rc6 #1
      Hardware name: Google Kevin (DT)
      pstate: 00000005 (nzcv daif -PAN -UAO BTYPE=--)
      pc : __blkdev_issue_discard+0x200/0x294
      lr : __blkdev_issue_discard+0x54/0x294
      sp : ffff800011dd3b10
      x29: ffff800011dd3b10 x28: 0000000000000000 x27: ffff800011dd3cc4 x26: ffff800011dd3e18 x25: 000000000004e69b x24: 0000000000000c40 x23: ffff0000f1deaaf0 x22: ffff0000f2849200 x21: 00000000002734d8 x20: 0000000000000008 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000394 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 00000000000008b0 x9 : ffff800011dd3cb0 x8 : 000000000004e69b x7 : 0000000000000000 x6 : ffff0000f1926400 x5 : ffff0000f1940800 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 0000000000000008 x1 : 00000000002734d8 x0 : 0000000000000000 Call trace:
      __blkdev_issue_discard+0x200/0x294
      __submit_discard_cmd+0x128/0x374
      __issue_discard_cmd_orderly+0x188/0x244
      __issue_discard_cmd+0x2e8/0x33c
      issue_discard_thread+0xe8/0x2f0
      kthread+0x11c/0x120
      ret_from_fork+0x10/0x1c
      ---[ end trace e4c8023d33dfe77a ]---
      
      This patch fixes the issue by setting discard_granularity as SECTOR_SIZE
      instead of 0 when (card->pref_erase > max_discard) is true. Now no more
      complain from __blkdev_issue_discard() for the improper value of discard
      granularity.
      
      This issue is exposed after commit b35fd742 ("block: check queue's
      limits.discard_granularity in __blkdev_issue_discard()"), a "Fixes:" tag
      is also added for the commit to make sure people won't miss this patch
      after applying the change of __blkdev_issue_discard().
      
      Fixes: e056a1b5 ("mmc: queue: let host controllers specify maximum discard timeout")
      Fixes: b35fd742 ("block: check queue's limits.discard_granularity in __blkdev_issue_discard()").
      Reported-and-tested-by: NVicente Bergas <vicencb@gmail.com>
      Signed-off-by: NColy Li <colyli@suse.de>
      Acked-by: NAdrian Hunter <adrian.hunter@intel.com>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Link: https://lore.kernel.org/r/20201002013852.51968-1-colyli@suse.deSigned-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      42432191
    • K
      perf: Fix task_function_call() error handling · 6d6b8b9f
      Kajol Jain 提交于
      The error handling introduced by commit:
      
        2ed6edd3 ("perf: Add cond_resched() to task_function_call()")
      
      looses any return value from smp_call_function_single() that is not
      {0, -EINVAL}. This is a problem because it will return -EXNIO when the
      target CPU is offline. Worse, in that case it'll turn into an infinite
      loop.
      
      Fixes: 2ed6edd3 ("perf: Add cond_resched() to task_function_call()")
      Reported-by: NSrikar Dronamraju <srikar@linux.vnet.ibm.com>
      Signed-off-by: NKajol Jain <kjain@linux.ibm.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Reviewed-by: NBarret Rhoden <brho@google.com>
      Tested-by: NSrikar Dronamraju <srikar@linux.vnet.ibm.com>
      Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com
      6d6b8b9f