1. 03 10月, 2018 3 次提交
    • S
      kvm: arm64: Allow tuning the physical address size for VM · 233a7cb2
      Suzuki K Poulose 提交于
      Allow specifying the physical address size limit for a new
      VM via the kvm_type argument for the KVM_CREATE_VM ioctl. This
      allows us to finalise the stage2 page table as early as possible
      and hence perform the right checks on the memory slots
      without complication. The size is encoded as Log2(PA_Size) in
      bits[7:0] of the type field. For backward compatibility the
      value 0 is reserved and implies 40bits. Also, lift the limit
      of the IPA to host limit and allow lower IPA sizes (e.g, 32).
      
      The userspace could check the extension KVM_CAP_ARM_VM_IPA_SIZE
      for the availability of this feature. The cap check returns the
      maximum limit for the physical address shift supported by the host.
      
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Christoffer Dall <cdall@kernel.org>
      Cc: Peter Maydell <peter.maydell@linaro.org>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Reviewed-by: NEric Auger <eric.auger@redhat.com>
      Signed-off-by: NSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      233a7cb2
    • S
      kvm: arm64: Limit the minimum number of page table levels · 58b3efc8
      Suzuki K Poulose 提交于
      Since we are about to remove the lower limit on the IPA size,
      make sure that we do not go to 1 level page table (e.g, with
      32bit IPA on 64K host with concatenation) to avoid splitting
      the host PMD huge pages at stage2.
      
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Christoffer Dall <cdall@kernel.org>
      Reviewed-by: NEric Auger <eric.auger@redhat.com>
      Signed-off-by: NSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      58b3efc8
    • S
      kvm: arm64: Set a limit on the IPA size · 0f62f0e9
      Suzuki K Poulose 提交于
      So far we have restricted the IPA size of the VM to the default
      value (40bits). Now that we can manage the IPA size per VM and
      support dynamic stage2 page tables, we can allow VMs to have
      larger IPA. This patch introduces a the maximum IPA size
      supported on the host. This is decided by the following factors :
      
       1) Maximum PARange supported by the CPUs - This can be inferred
          from the system wide safe value.
       2) Maximum PA size supported by the host kernel (48 vs 52)
       3) Number of levels in the host page table (as we base our
          stage2 tables on the host table helpers).
      
      Since the stage2 page table code is dependent on the stage1
      page table, we always ensure that :
      
        Number of Levels at Stage1 >= Number of Levels at Stage2
      
      So we limit the IPA to make sure that the above condition
      is satisfied. This will affect the following combinations
      of VA_BITS and IPA for different page sizes.
      
        Host configuration | Unsupported IPA ranges
        39bit VA, 4K       | [44, 48]
        36bit VA, 16K      | [41, 48]
        42bit VA, 64K      | [47, 52]
      
      Supporting the above combinations need independent stage2
      page table manipulation code, which would need substantial
      changes. We could purse the solution independently and
      switch the page table code once we have it ready.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Christoffer Dall <cdall@kernel.org>
      Reviewed-by: NEric Auger <eric.auger@redhat.com>
      Signed-off-by: NSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      0f62f0e9
  2. 01 10月, 2018 15 次提交
  3. 24 9月, 2018 1 次提交
  4. 23 9月, 2018 6 次提交
  5. 22 9月, 2018 2 次提交
  6. 21 9月, 2018 13 次提交
    • G
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · a27fb6d9
      Greg Kroah-Hartman 提交于
      Paolo writes:
        "It's mostly small bugfixes and cleanups, mostly around x86 nested
         virtualization.  One important change, not related to nested
         virtualization, is that the ability for the guest kernel to trap
         CPUID instructions (in Linux that's the ARCH_SET_CPUID arch_prctl) is
         now masked by default.  This is because the feature is detected
         through an MSR; a very bad idea that Intel seems to like more and
         more.  Some applications choke if the other fields of that MSR are
         not initialized as on real hardware, hence we have to disable the
         whole MSR by default, as was the case before Linux 4.12."
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (23 commits)
        KVM: nVMX: Fix bad cleanup on error of get/set nested state IOCTLs
        kvm: selftests: Add platform_info_test
        KVM: x86: Control guest reads of MSR_PLATFORM_INFO
        KVM: x86: Turbo bits in MSR_PLATFORM_INFO
        nVMX x86: Check VPID value on vmentry of L2 guests
        nVMX x86: check posted-interrupt descriptor addresss on vmentry of L2
        KVM: nVMX: Wake blocked vCPU in guest-mode if pending interrupt in virtual APICv
        KVM: VMX: check nested state and CR4.VMXE against SMM
        kvm: x86: make kvm_{load|put}_guest_fpu() static
        x86/hyper-v: rename ipi_arg_{ex,non_ex} structures
        KVM: VMX: use preemption timer to force immediate VMExit
        KVM: VMX: modify preemption timer bit only when arming timer
        KVM: VMX: immediately mark preemption timer expired only for zero value
        KVM: SVM: Switch to bitmap_zalloc()
        KVM/MMU: Fix comment in walk_shadow_page_lockless_end()
        kvm: selftests: use -pthread instead of -lpthread
        KVM: x86: don't reset root in kvm_mmu_setup()
        kvm: mmu: Don't read PDPTEs when paging is not enabled
        x86/kvm/lapic: always disable MMIO interface in x2APIC mode
        KVM: s390: Make huge pages unavailable in ucontrol VMs
        ...
      a27fb6d9
    • G
      Merge tag 'upstream-4.19-rc4' of git://git.infradead.org/linux-ubifs · 0eba8697
      Greg Kroah-Hartman 提交于
      Richard writes:
        "This pull request contains fixes for UBIFS:
         - A wrong UBIFS assertion in mount code
         - Fix for a NULL pointer deref in mount code
         - Revert of a bad fix for xattrs"
      
      * tag 'upstream-4.19-rc4' of git://git.infradead.org/linux-ubifs:
        Revert "ubifs: xattr: Don't operate on deleted inodes"
        ubifs: drop false positive assertion
        ubifs: Check for name being NULL while mounting
      0eba8697
    • G
      Merge tag 'for-linus-20180920' of git://git.kernel.dk/linux-block · 211b100a
      Greg Kroah-Hartman 提交于
      Jens writes:
        "Storage fixes for 4.19-rc5
      
        - Fix for leaking kernel pointer in floppy ioctl (Andy Whitcroft)
      
        - NVMe pull request from Christoph, and a single ANA log page fix
          (Hannes)
      
        - Regression fix for libata qd32 support, where we trigger an illegal
          active command transition. This fixes a CD-ROM detection issue that
          was reported, but could also trigger premature completion of the
          internal tag (me)"
      
      * tag 'for-linus-20180920' of git://git.kernel.dk/linux-block:
        floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
        libata: mask swap internal and hardware tag
        nvme: count all ANA groups for ANA Log page
      211b100a
    • G
      Merge tag 'drm-fixes-2018-09-21' of git://anongit.freedesktop.org/drm/drm · a38fd7d8
      Greg Kroah-Hartman 提交于
      David writes:
        "drm fixes for 4.19-rc5:
      
         - core: fix debugfs for atomic, fix the check for atomic for
           non-modesetting drivers
         - amdgpu: adds a new PCI id, some kfd fixes and a sdma fix
         - i915: a bunch of GVT fixes.
         - vc4: scaling fix
         - vmwgfx: modesetting fixes and a old buffer eviction fix
         - udl: framebuffer destruction fix
         - sun4i: disable on R40 fix until next kernel
         - pl111: NULL termination on table fix"
      
      * tag 'drm-fixes-2018-09-21' of git://anongit.freedesktop.org/drm/drm: (21 commits)
        drm/amdkfd: Fix ATS capablity was not reported correctly on some APUs
        drm/amdkfd: Change the control stack MTYPE from UC to NC on GFX9
        drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
        drm/vmwgfx: Fix buffer object eviction
        drm/vmwgfx: Don't impose STDU limits on framebuffer size
        drm/vmwgfx: limit mode size for all display unit to texture_max
        drm/vmwgfx: limit screen size to stdu_max during check_modeset
        drm/vmwgfx: don't check for old_crtc_state enable status
        drm/amdgpu: add new polaris pci id
        drm: sun4i: drop second PLL from A64 HDMI PHY
        drm: fix drm_drv_uses_atomic_modeset on non modesetting drivers.
        drm/i915/gvt: clear ggtt entries when destroy vgpu
        drm/i915/gvt: request srcu_read_lock before checking if one gfn is valid
        drm/i915/gvt: Add GEN9_CLKGATE_DIS_4 to default BXT mmio handler
        drm/i915/gvt: Init PHY related registers for BXT
        drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation
        drm/fb-helper: Remove set but not used variable 'connector_funcs'
        drm: udl: Destroy framebuffer only if it was initialized
        drm/sun4i: Remove R40 display pipeline compatibles
        drm/pl111: Make sure of_device_id tables are NULL terminated
        ...
      a38fd7d8
    • D
      Merge branch 'drm-fixes-4.19' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 4fcb7f8b
      Dave Airlie 提交于
      A few fixes for 4.19:
      - Add a new polaris pci id
      - KFD fixes for raven and gfx7
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180920155850.5455-1-alexander.deucher@amd.com
      4fcb7f8b
    • D
      Merge branch 'vmwgfx-fixes-4.19' of git://people.freedesktop.org/~thomash/linux into drm-fixes · 618cc151
      Dave Airlie 提交于
      A couple of modesetting fixes and a fix for a long-standing buffer-eviction
      problem cc'd stable.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      From: Thomas Hellstrom <thellstrom@vmware.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180920063935.35492-1-thellstrom@vmware.com
      618cc151
    • F
      x86/mm: Expand static page table for fixmap space · 05ab1d8a
      Feng Tang 提交于
      We met a kernel panic when enabling earlycon, which is due to the fixmap
      address of earlycon is not statically setup.
      
      Currently the static fixmap setup in head_64.S only covers 2M virtual
      address space, while it actually could be in 4M space with different
      kernel configurations, e.g. when VSYSCALL emulation is disabled.
      
      So increase the static space to 4M for now by defining FIXMAP_PMD_NUM to 2,
      and add a build time check to ensure that the fixmap is covered by the
      initial static page tables.
      
      Fixes: 1ad83c85 ("x86_64,vsyscall: Make vsyscall emulation configurable")
      Suggested-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NFeng Tang <feng.tang@intel.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Tested-by: Nkernel test robot <rong.a.chen@intel.com>
      Reviewed-by: Juergen Gross <jgross@suse.com> (Xen parts)
      Cc: H Peter Anvin <hpa@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Andy Lutomirsky <luto@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180920025828.23699-1-feng.tang@intel.com
      05ab1d8a
    • J
      ocfs2: fix ocfs2 read block panic · 234b69e3
      Junxiao Bi 提交于
      While reading block, it is possible that io error return due to underlying
      storage issue, in this case, BH_NeedsValidate was left in the buffer head.
      Then when reading the very block next time, if it was already linked into
      journal, that will trigger the following panic.
      
      [203748.702517] kernel BUG at fs/ocfs2/buffer_head_io.c:342!
      [203748.702533] invalid opcode: 0000 [#1] SMP
      [203748.702561] Modules linked in: ocfs2 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sunrpc dm_switch dm_queue_length dm_multipath bonding be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i iw_cxgb4 cxgb4 cxgb3i libcxgbi iw_cxgb3 cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_devintf iTCO_wdt iTCO_vendor_support dcdbas ipmi_ssif i2c_core ipmi_si ipmi_msghandler acpi_pad pcspkr sb_edac edac_core lpc_ich mfd_core shpchp sg tg3 ptp pps_core ext4 jbd2 mbcache2 sr_mod cdrom sd_mod ahci libahci megaraid_sas wmi dm_mirror dm_region_hash dm_log dm_mod
      [203748.703024] CPU: 7 PID: 38369 Comm: touch Not tainted 4.1.12-124.18.6.el6uek.x86_64 #2
      [203748.703045] Hardware name: Dell Inc. PowerEdge R620/0PXXHP, BIOS 2.5.2 01/28/2015
      [203748.703067] task: ffff880768139c00 ti: ffff88006ff48000 task.ti: ffff88006ff48000
      [203748.703088] RIP: 0010:[<ffffffffa05e9f09>]  [<ffffffffa05e9f09>] ocfs2_read_blocks+0x669/0x7f0 [ocfs2]
      [203748.703130] RSP: 0018:ffff88006ff4b818  EFLAGS: 00010206
      [203748.703389] RAX: 0000000008620029 RBX: ffff88006ff4b910 RCX: 0000000000000000
      [203748.703885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000023079fe
      [203748.704382] RBP: ffff88006ff4b8d8 R08: 0000000000000000 R09: ffff8807578c25b0
      [203748.704877] R10: 000000000f637376 R11: 000000003030322e R12: 0000000000000000
      [203748.705373] R13: ffff88006ff4b910 R14: ffff880732fe38f0 R15: 0000000000000000
      [203748.705871] FS:  00007f401992c700(0000) GS:ffff880bfebc0000(0000) knlGS:0000000000000000
      [203748.706370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [203748.706627] CR2: 00007f4019252440 CR3: 00000000a621e000 CR4: 0000000000060670
      [203748.707124] Stack:
      [203748.707371]  ffff88006ff4b828 ffffffffa0609f52 ffff88006ff4b838 0000000000000001
      [203748.707885]  0000000000000000 0000000000000000 ffff880bf67c3800 ffffffffa05eca00
      [203748.708399]  00000000023079ff ffffffff81c58b80 0000000000000000 0000000000000000
      [203748.708915] Call Trace:
      [203748.709175]  [<ffffffffa0609f52>] ? ocfs2_inode_cache_io_unlock+0x12/0x20 [ocfs2]
      [203748.709680]  [<ffffffffa05eca00>] ? ocfs2_empty_dir_filldir+0x80/0x80 [ocfs2]
      [203748.710185]  [<ffffffffa05ec0cb>] ocfs2_read_dir_block_direct+0x3b/0x200 [ocfs2]
      [203748.710691]  [<ffffffffa05f0fbf>] ocfs2_prepare_dx_dir_for_insert.isra.57+0x19f/0xf60 [ocfs2]
      [203748.711204]  [<ffffffffa065660f>] ? ocfs2_metadata_cache_io_unlock+0x1f/0x30 [ocfs2]
      [203748.711716]  [<ffffffffa05f4f3a>] ocfs2_prepare_dir_for_insert+0x13a/0x890 [ocfs2]
      [203748.712227]  [<ffffffffa05f442e>] ? ocfs2_check_dir_for_entry+0x8e/0x140 [ocfs2]
      [203748.712737]  [<ffffffffa061b2f2>] ocfs2_mknod+0x4b2/0x1370 [ocfs2]
      [203748.713003]  [<ffffffffa061c385>] ocfs2_create+0x65/0x170 [ocfs2]
      [203748.713263]  [<ffffffff8121714b>] vfs_create+0xdb/0x150
      [203748.713518]  [<ffffffff8121b225>] do_last+0x815/0x1210
      [203748.713772]  [<ffffffff812192e9>] ? path_init+0xb9/0x450
      [203748.714123]  [<ffffffff8121bca0>] path_openat+0x80/0x600
      [203748.714378]  [<ffffffff811bcd45>] ? handle_pte_fault+0xd15/0x1620
      [203748.714634]  [<ffffffff8121d7ba>] do_filp_open+0x3a/0xb0
      [203748.714888]  [<ffffffff8122a767>] ? __alloc_fd+0xa7/0x130
      [203748.715143]  [<ffffffff81209ffc>] do_sys_open+0x12c/0x220
      [203748.715403]  [<ffffffff81026ddb>] ? syscall_trace_enter_phase1+0x11b/0x180
      [203748.715668]  [<ffffffff816f0c9f>] ? system_call_after_swapgs+0xe9/0x190
      [203748.715928]  [<ffffffff8120a10e>] SyS_open+0x1e/0x20
      [203748.716184]  [<ffffffff816f0d5e>] system_call_fastpath+0x18/0xd7
      [203748.716440] Code: 00 00 48 8b 7b 08 48 83 c3 10 45 89 f8 44 89 e1 44 89 f2 4c 89 ee e8 07 06 11 e1 48 8b 03 48 85 c0 75 df 8b 5d c8 e9 4d fa ff ff <0f> 0b 48 8b 7d a0 e8 dc c6 06 00 48 b8 00 00 00 00 00 00 00 10
      [203748.717505] RIP  [<ffffffffa05e9f09>] ocfs2_read_blocks+0x669/0x7f0 [ocfs2]
      [203748.717775]  RSP <ffff88006ff4b818>
      
      Joesph ever reported a similar panic.
      Link: https://oss.oracle.com/pipermail/ocfs2-devel/2013-May/008931.html
      
      Link: http://lkml.kernel.org/r/20180912063207.29484-1-junxiao.bi@oracle.comSigned-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Changwei Ge <ge.changwei@h3c.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      234b69e3
    • R
      mm: slowly shrink slabs with a relatively small number of objects · 172b06c3
      Roman Gushchin 提交于
      9092c71b ("mm: use sc->priority for slab shrink targets") changed the
      way that the target slab pressure is calculated and made it
      priority-based:
      
          delta = freeable >> priority;
          delta *= 4;
          do_div(delta, shrinker->seeks);
      
      The problem is that on a default priority (which is 12) no pressure is
      applied at all, if the number of potentially reclaimable objects is less
      than 4096 (1<<12).
      
      This causes the last objects on slab caches of no longer used cgroups to
      (almost) never get reclaimed.  It's obviously a waste of memory.
      
      It can be especially painful, if these stale objects are holding a
      reference to a dying cgroup.  Slab LRU lists are reparented on memcg
      offlining, but corresponding objects are still holding a reference to the
      dying cgroup.  If we don't scan these objects, the dying cgroup can't go
      away.  Most likely, the parent cgroup hasn't any directly charged objects,
      only remaining objects from dying children cgroups.  So it can easily hold
      a reference to hundreds of dying cgroups.
      
      If there are no big spikes in memory pressure, and new memory cgroups are
      created and destroyed periodically, this causes the number of dying
      cgroups grow steadily, causing a slow-ish and hard-to-detect memory
      "leak".  It's not a real leak, as the memory can be eventually reclaimed,
      but it could not happen in a real life at all.  I've seen hosts with a
      steadily climbing number of dying cgroups, which doesn't show any signs of
      a decline in months, despite the host is loaded with a production
      workload.
      
      It is an obvious waste of memory, and to prevent it, let's apply a minimal
      pressure even on small shrinker lists.  E.g.  if there are freeable
      objects, let's scan at least min(freeable, scan_batch) objects.
      
      This fix significantly improves a chance of a dying cgroup to be
      reclaimed, and together with some previous patches stops the steady growth
      of the dying cgroups number on some of our hosts.
      
      Link: http://lkml.kernel.org/r/20180905230759.12236-1-guro@fb.com
      Fixes: 9092c71b ("mm: use sc->priority for slab shrink targets")
      Signed-off-by: NRoman Gushchin <guro@fb.com>
      Acked-by: NRik van Riel <riel@surriel.com>
      Cc: Josef Bacik <jbacik@fb.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      172b06c3
    • Y
    • J
      mm: shmem.c: Correctly annotate new inodes for lockdep · b45d71fb
      Joel Fernandes (Google) 提交于
      Directories and inodes don't necessarily need to be in the same lockdep
      class.  For ex, hugetlbfs splits them out too to prevent false positives
      in lockdep.  Annotate correctly after new inode creation.  If its a
      directory inode, it will be put into a different class.
      
      This should fix a lockdep splat reported by syzbot:
      
      > ======================================================
      > WARNING: possible circular locking dependency detected
      > 4.18.0-rc8-next-20180810+ #36 Not tainted
      > ------------------------------------------------------
      > syz-executor900/4483 is trying to acquire lock:
      > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock
      > include/linux/fs.h:765 [inline]
      > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at:
      > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
      >
      > but task is already holding lock:
      > 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
      > drivers/staging/android/ashmem.c:448
      >
      > which lock already depends on the new lock.
      >
      > -> #2 (ashmem_mutex){+.+.}:
      >        __mutex_lock_common kernel/locking/mutex.c:925 [inline]
      >        __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
      >        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
      >        ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
      >        call_mmap include/linux/fs.h:1844 [inline]
      >        mmap_region+0xf27/0x1c50 mm/mmap.c:1762
      >        do_mmap+0xa10/0x1220 mm/mmap.c:1535
      >        do_mmap_pgoff include/linux/mm.h:2298 [inline]
      >        vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
      >        ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
      >        __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
      >        __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
      >        __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > -> #1 (&mm->mmap_sem){++++}:
      >        __might_fault+0x155/0x1e0 mm/memory.c:4568
      >        _copy_to_user+0x30/0x110 lib/usercopy.c:25
      >        copy_to_user include/linux/uaccess.h:155 [inline]
      >        filldir+0x1ea/0x3a0 fs/readdir.c:196
      >        dir_emit_dot include/linux/fs.h:3464 [inline]
      >        dir_emit_dots include/linux/fs.h:3475 [inline]
      >        dcache_readdir+0x13a/0x620 fs/libfs.c:193
      >        iterate_dir+0x48b/0x5d0 fs/readdir.c:51
      >        __do_sys_getdents fs/readdir.c:231 [inline]
      >        __se_sys_getdents fs/readdir.c:212 [inline]
      >        __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > -> #0 (&sb->s_type->i_mutex_key#9){++++}:
      >        lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
      >        down_write+0x8f/0x130 kernel/locking/rwsem.c:70
      >        inode_lock include/linux/fs.h:765 [inline]
      >        shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
      >        ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455
      >        ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
      >        vfs_ioctl fs/ioctl.c:46 [inline]
      >        file_ioctl fs/ioctl.c:501 [inline]
      >        do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
      >        ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
      >        __do_sys_ioctl fs/ioctl.c:709 [inline]
      >        __se_sys_ioctl fs/ioctl.c:707 [inline]
      >        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > other info that might help us debug this:
      >
      > Chain exists of:
      >   &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex
      >
      >  Possible unsafe locking scenario:
      >
      >        CPU0                    CPU1
      >        ----                    ----
      >   lock(ashmem_mutex);
      >                                lock(&mm->mmap_sem);
      >                                lock(ashmem_mutex);
      >   lock(&sb->s_type->i_mutex_key#9);
      >
      >  *** DEADLOCK ***
      >
      > 1 lock held by syz-executor900/4483:
      >  #0: 0000000025208078 (ashmem_mutex){+.+.}, at:
      > ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448
      
      Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.orgSigned-off-by: NJoel Fernandes (Google) <joel@joelfernandes.org>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: NNeilBrown <neilb@suse.com>
      Suggested-by: NNeilBrown <neilb@suse.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b45d71fb
    • D
      fs/proc/kcore.c: fix invalid memory access in multi-page read optimization · a1b3d2f2
      Dominique Martinet 提交于
      The 'm' kcore_list item could point to kclist_head, and it is incorrect to
      look at m->addr / m->size in this case.
      
      There is no choice but to run through the list of entries for every
      address if we did not find any entry in the previous iteration
      
      Reset 'm' to NULL in that case at Omar Sandoval's suggestion.
      
      [akpm@linux-foundation.org: add comment]
      Link: http://lkml.kernel.org/r/1536100702-28706-1-git-send-email-asmadeus@codewreck.org
      Fixes: bf991c22 ("proc/kcore: optimize multiple page reads")
      Signed-off-by: NDominique Martinet <asmadeus@codewreck.org>
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Cc: Omar Sandoval <osandov@osandov.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Eric Biederman <ebiederm@xmission.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: Bhupesh Sharma <bhsharma@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1b3d2f2
    • P
      mm: disable deferred struct page for 32-bit arches · 889c695d
      Pasha Tatashin 提交于
      Deferred struct page init is needed only on systems with large amount of
      physical memory to improve boot performance.  32-bit systems do not
      benefit from this feature.
      
      Jiri reported a problem where deferred struct pages do not work well with
      x86-32:
      
      [    0.035162] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
      [    0.035725] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
      [    0.036269] Initializing CPU#0
      [    0.036513] Initializing HighMem for node 0 (00036ffe:0007ffe0)
      [    0.038459] page:f6780000 is uninitialized and poisoned
      [    0.038460] raw: ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
      [    0.039509] page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page))
      [    0.040038] ------------[ cut here ]------------
      [    0.040399] kernel BUG at include/linux/page-flags.h:293!
      [    0.040823] invalid opcode: 0000 [#1] SMP PTI
      [    0.041166] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc1_pt_jiri #9
      [    0.041694] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
      [    0.042496] EIP: free_highmem_page+0x64/0x80
      [    0.042839] Code: 13 46 d8 c1 e8 18 5d 83 e0 03 8d 04 c0 c1 e0 06 ff 80 ec 5f 44 d8 c3 8d b4 26 00 00 00 00 ba 08 65 28 d8 89 d8 e8 fc 71 02 00 <0f> 0b 8d 76 00 8d bc 27 00 00 00 00 ba d0 b1 26 d8 89 d8 e8 e4 71
      [    0.044338] EAX: 0000003c EBX: f6780000 ECX: 00000000 EDX: d856cbe8
      [    0.044868] ESI: 0007ffe0 EDI: d838df20 EBP: d838df00 ESP: d838defc
      [    0.045372] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210086
      [    0.045913] CR0: 80050033 CR2: 00000000 CR3: 18556000 CR4: 00040690
      [    0.046413] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [    0.046913] DR6: fffe0ff0 DR7: 00000400
      [    0.047220] Call Trace:
      [    0.047419]  add_highpages_with_active_regions+0xbd/0x10d
      [    0.047854]  set_highmem_pages_init+0x5b/0x71
      [    0.048202]  mem_init+0x2b/0x1e8
      [    0.048460]  start_kernel+0x1d2/0x425
      [    0.048757]  i386_start_kernel+0x93/0x97
      [    0.049073]  startup_32_smp+0x164/0x168
      [    0.049379] Modules linked in:
      [    0.049626] ---[ end trace 337949378db0abbb ]---
      
      We free highmem pages before their struct pages are initialized:
      
      mem_init()
       set_highmem_pages_init()
        add_highpages_with_active_regions()
         free_highmem_page()
          .. Access uninitialized struct page here..
      
      Because there is no reason to have this feature on 32-bit systems, just
      disable it.
      
      Link: http://lkml.kernel.org/r/20180831150506.31246-1-pavel.tatashin@microsoft.com
      Fixes: 2e3ca40f ("mm: relax deferred struct page requirements")
      Signed-off-by: NPavel Tatashin <pavel.tatashin@microsoft.com>
      Reported-by: NJiri Slaby <jslaby@suse.cz>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      889c695d