1. 08 3月, 2020 5 次提交
    • V
      efi: Fix a race and a buffer overflow while reading efivars via sysfs · 286d3250
      Vladis Dronov 提交于
      There is a race and a buffer overflow corrupting a kernel memory while
      reading an EFI variable with a size more than 1024 bytes via the older
      sysfs method. This happens because accessing struct efi_variable in
      efivar_{attr,size,data}_read() and friends is not protected from
      a concurrent access leading to a kernel memory corruption and, at best,
      to a crash. The race scenario is the following:
      
      CPU0:                                CPU1:
      efivar_attr_read()
        var->DataSize = 1024;
        efivar_entry_get(... &var->DataSize)
          down_interruptible(&efivars_lock)
                                           efivar_attr_read() // same EFI var
                                             var->DataSize = 1024;
                                             efivar_entry_get(... &var->DataSize)
                                               down_interruptible(&efivars_lock)
          virt_efi_get_variable()
          // returns EFI_BUFFER_TOO_SMALL but
          // var->DataSize is set to a real
          // var size more than 1024 bytes
          up(&efivars_lock)
                                               virt_efi_get_variable()
                                               // called with var->DataSize set
                                               // to a real var size, returns
                                               // successfully and overwrites
                                               // a 1024-bytes kernel buffer
                                               up(&efivars_lock)
      
      This can be reproduced by concurrent reading of an EFI variable which size
      is more than 1024 bytes:
      
        ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
        cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
      
      Fix this by using a local variable for a var's data buffer size so it
      does not get overwritten.
      
      Fixes: e14ab23d ("efivars: efivar_entry API")
      Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite
      Signed-off-by: NVladis Dronov <vdronov@redhat.com>
      Signed-off-by: NArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com
      Link: https://lore.kernel.org/r/20200308080859.21568-24-ardb@kernel.org
      286d3250
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 61a09258
      Linus Torvalds 提交于
      Pull rdma fixes from Jason Gunthorpe:
       "Nothing particularly exciting, some small ODP regressions from the mmu
        notifier rework, another bunch of syzkaller fixes, and a bug fix for a
        botched syzkaller fix in the first rc pull request.
      
         - Fix busted syzkaller fix in 'get_new_pps' - this turned out to
           crash on certain HW configurations
      
         - Bug fixes for various missed things in error unwinds
      
         - Add a missing rcu_read_lock annotation in hfi/qib
      
         - Fix two ODP related regressions from the recent mmu notifier
           changes
      
         - Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm
      
         - Revert an old patch in CMA as it is now shown to not be allocating
           port numbers properly"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/iwcm: Fix iwcm work deallocation
        RDMA/siw: Fix failure handling during device creation
        RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
        RDMA/odp: Ensure the mm is still alive before creating an implicit child
        RDMA/core: Fix protection fault in ib_mr_pool_destroy
        IB/mlx5: Fix implicit ODP race
        IB/hfi1, qib: Ensure RCU is locked when accessing list
        RDMA/core: Fix pkey and port assignment in get_new_pps
        RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
        RDMA/rw: Fix error flow during RDMA context initialization
        RDMA/core: Fix use of logical OR in get_new_pps
        Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
      61a09258
    • L
      Merge tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block · c2003765
      Linus Torvalds 提交于
      Pull io_uring fixes from Jens Axboe:
       "Here are a few io_uring fixes that should go into this release. This
        contains:
      
         - Removal of (now) unused io_wq_flush() and associated flag (Pavel)
      
         - Fix cancelation lockup with linked timeouts (Pavel)
      
         - Fix for potential use-after-free when freeing percpu ref for fixed
           file sets
      
         - io-wq cancelation fixups (Pavel)"
      
      * tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
        io_uring: fix lockup with timeouts
        io_uring: free fixed_file_data after RCU grace period
        io-wq: remove io_wq_flush and IO_WQ_WORK_INTERNAL
        io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation
      c2003765
    • L
      Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block · 5dfcc139
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
       "Here are a few fixes that should go into this release. This contains:
      
         - Revert of a bad bcache patch from this merge window
      
         - Removed unused function (Daniel)
      
         - Fixup for the blktrace fix from Jan from this release (Cengiz)
      
         - Fix of deeper level bfqq overwrite in BFQ (Carlo)"
      
      * tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
        block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
        blktrace: fix dereference after null check
        Revert "bcache: ignore pending signals when creating gc and allocator thread"
        block: Remove used kblockd_schedule_work_on()
      5dfcc139
    • L
      Merge tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 6f784a31
      Linus Torvalds 提交于
      Pull media fixes from Mauro Carvalho Chehab:
      
       - a fix for the media controller links in both hantro driver and in
         v4l2-mem2mem core
      
       - some fixes for the pulse8-cec driver
      
       - vicodec: handle alpha channel for RGB32 formats, as it may be used
      
       - mc-entity.c: fix handling of pad flags
      
      * tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: hantro: Fix broken media controller links
        media: mc-entity.c: use & to check pad flags, not ==
        media: v4l2-mem2mem.c: fix broken links
        media: vicodec: process all 4 components for RGB32 formats
        media: pulse8-cec: close serio in disconnect, not adap_free
        media: pulse8-cec: INIT_DELAYED_WORK was called too late
      6f784a31
  2. 07 3月, 2020 23 次提交
    • P
      io_uring: fix lockup with timeouts · f0e20b89
      Pavel Begunkov 提交于
      There is a recipe to deadlock the kernel: submit a timeout sqe with a
      linked_timeout (e.g.  test_single_link_timeout_ception() from liburing),
      and SIGKILL the process.
      
      Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout
      isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it
      during io_put_free() to cancel the linked timeout. Probably, the same
      can happen with another io_kill_timeout() call site, that is
      io_commit_cqring().
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      f0e20b89
    • L
      Merge tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 9d588f63
      Linus Torvalds 提交于
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix panic in gup_fast on large pud by providing an implementation of
         pud_write. This has been overlooked during migration to common gup
         code.
      
       - Fix unexpected write combining on PCI stores.
      
      * tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/pci: Fix unexpected write combine on resource
        s390/mm: fix panic in gup_fast on large pud
      9d588f63
    • L
      Merge tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 5236647a
      Linus Torvalds 提交于
      Pull powerpc fixes from Michael Ellerman:
       "Some more powerpc fixes for 5.6:
      
         - One fix for a recent regression to our breakpoint/watchpoint code.
      
         - Another fix for our KUAP support, this time a missing annotation in
           a rarely used path in signal handling.
      
         - A fix for our handling of a CPU feature that effects the PMU, when
           booting guests in some configurations.
      
         - A minor fix to our linker script to explicitly include the .BTF
           section.
      
        Thanks to: Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo
        Bras, Naveen N. Rao, Ravi Bangoria, Stefan Berger"
      
      * tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
        powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
        powerpc: Include .BTF section
        powerpc/watchpoint: Don't call dar_within_range() for Book3S
      5236647a
    • L
      Merge tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · cbee7c8b
      Linus Torvalds 提交于
      Pull xen fixes from Juergen Gross:
       "Four fixes and a small cleanup patch:
      
         - two fixes by Dongli Zhang fixing races in the xenbus driver
      
         - two fixes by me fixing issues introduced in 5.6
      
         - a small cleanup by Gustavo Silva replacing a zero-length array with
           a flexible-array"
      
      * tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/blkfront: fix ring info addressing
        xen/xenbus: fix locking
        xenbus: req->err should be updated before req->state
        xenbus: req->body should be updated before req->state
        xen: Replace zero-length array with flexible-array member
      cbee7c8b
    • L
      Merge tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux · fa883d6a
      Linus Torvalds 提交于
      Pull thread fixes from Christian Brauner:
       "Here are a few hopefully uncontroversial fixes:
      
         - Use RCU_INIT_POINTER() when initializing rcu protected members in
           task_struct to fix sparse warnings.
      
         - Add pidfd_fdinfo_test binary to .gitignore file"
      
      * tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
        selftests: pidfd: Add pidfd_fdinfo_test in .gitignore
        exit: Fix Sparse errors and warnings
        fork: Use RCU_INIT_POINTER() instead of rcu_access_pointer()
      fa883d6a
    • L
      Merge tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 676fc8de
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "The regular "bump-in-the-middle" updates, containing mostly ASoC-
        related fixes at this time. All changes are reasonably small.
      
        A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
        for followups of the recent changes and potential buffer overflow by
        snprintf(), while the rest are (both new and old) device-specific
        fixes for Intel, meson, tas2562, rt1015, as well as the usual HD-audio
        quirks"
      
      * tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
        ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions
        ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
        ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
        ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
        ALSA: hda/realtek - Add Headset Mic supported
        ASoC: wm8741: Fix typo in Kconfig prompt
        ASoC: stm32: sai: manage rebind issue
        ASoC: SOF: Fix snd_sof_ipc_stream_posn()
        ASoC: rt1015: modify pre-divider for sysclk
        ASoC: rt1015: add operation callback function for rt1015_dai[]
        ASoC: soc-component: tidyup snd_soc_pcm_component_sync_stop()
        ASoC: dapm: Correct DAPM handling of active widgets during shutdown
        ASoC: tas2562: Fix sample rate error message
        ASoC: Intel: Skylake: Fix available clock counter incrementation
        ASoC: soc-pcm/soc-compress: don't use snd_soc_dapm_stream_stop()
        ASoC: meson: g12a: add tohdmitx reset
        ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
        ASoC: soc-core: fix for_rtd_codec_dai_rollback() macro
        ASoC: topology: Fix memleak in soc_tplg_manifest_load()
        ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
        ...
      676fc8de
    • T
      Merge tag 'asoc-fix-v5.6-rc4' of... · 5a56996b
      Takashi Iwai 提交于
      Merge tag 'asoc-fix-v5.6-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v5.6
      
      More fixes that have arrived since the merge window, spread out all
      over.  There's a few things like the operation callback addition for
      rt1015 and the meson reset addition which add small new bits of
      functionality to fix non-working systems, they're all very small and for
      parts of newly added functionality.
      5a56996b
    • L
      Merge tag 'linux-kselftest-5.6-rc5' of... · 63849c8f
      Linus Torvalds 提交于
      Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest update from Shuah Khan:
       "This consists of a cleanup patch to undo changes to global .gitignore
        that added selftests/lkdtm objects and add them to a local
        selftests/lkdtm/.gitignore.
      
        Summary of Linus's comments on local vs. global gitignore scope:
      
         - Keep local gitignore patterns in local files.
      
         - Put only global gitignore patterns in the top-level gitignore file.
      
        Local scope keeps things much better separated. It also incidentally
        means that if a directory gets renamed, the gitignore file continues
        to work unless in the case of renaming the actual files themselves
        that are named in the gitignore"
      
      * tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftest/lkdtm: Use local .gitignore
      63849c8f
    • L
      Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 7e6582ef
      Linus Torvalds 提交于
      Pull RISC-V fixes from Palmer Dabbelt:
       "This contains a handful of fixes that I would like to target for 5.6:
      
         - A pair of fixes to module loading, which we hope solve the last of
           the issues with module text being loaded too sparsely for our call
           relocations.
      
         - A Kconfig fix that disallows selecting memory models not supported
           by NOMMU.
      
         - A series of Kconfig updates to ease selecting the drivers necessary
           to run on QEMU's virt platform.
      
         - DTS updates for SiFive's HiFive Unleashed.
      
         - A fix to our seccomp support that avoids mangling restartable
           syscalls"
      
      * tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: fix seccomp reject syscall code path
        riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
        RISC-V: Select Goldfish RTC driver for QEMU virt machine
        RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
        RISC-V: Enable QEMU virt machine support in defconfigs
        RISC-V: Add kconfig option for QEMU virt machine
        riscv: Fix range looking for kernel image memblock
        riscv: Force flat memory model with no-mmu
        riscv: Change code model of module to medany to improve data accessing
        riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
      7e6582ef
    • J
      parse-maintainers: Mark as executable · 611d61f9
      Jonathan Neuschäfer 提交于
      This makes the script more convenient to run.
      Signed-off-by: NJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      611d61f9
    • L
      Merge tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · bdf1ea7c
      Linus Torvalds 提交于
      Pull devicetree fixes from Rob Herring:
       "Another batch of DT fixes. I think this should be the last of it, but
        sending pull requests seems to cause people to send more fixes.
      
        Summary:
      
         - Fixes for warnings introduced by hierarchical PSCI binding changes
      
         - Fixes for broken doc references due to DT schema conversions
      
         - Several grammar and typo fixes
      
         - Fix a bunch of dtc warnings in examples"
      
      * tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
        dt-bindings: power: Extend nodename pattern for power-domain providers
        MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
        dt-bindings: bus: Drop empty compatible string in example
        dt-bindings: power: Convert domain-idle-states bindings to json-schema
        dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
        dt-bindings: arm: Correct links to idle states definitions
        dt-bindings: mfd: Fix typo in file name of twl-familly.txt
        dt-bindings: mfd: tps65910: Improve grammar
        dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
        dt-bindings: arm: fsl: fix APF6Dev compatible
        dt-bindings: Fix dtc warnings in examples
        docs: dt: fix several broken doc references
        docs: dt: fix several broken references due to renames
        MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
      bdf1ea7c
    • L
      Merge tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm · 2f501bb1
      Linus Torvalds 提交于
      Pull vgacon fix from Daniel Vetter:
       "One vgacon input check for stable"
      
      * tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm:
        vgacon: Fix a UAF in vgacon_invert_region
      2f501bb1
    • L
      Merge tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 30fe0d07
      Linus Torvalds 提交于
      Pull btrfs fix from David Sterba:
       "One fixup for DIO when in use with the new checksums, a missed case
        where the checksum size was still assuming u32"
      
      * tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix RAID direct I/O reads with alternate csums
      30fe0d07
    • L
      Merge tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux · 0b25d458
      Linus Torvalds 提交于
      Pull file locking fixes from Jeff Layton:
       "Just a couple of late-breaking patches for the file locking code. The
        second patch (from yangerkun) fixes a rather nasty looking potential
        use-after-free that should go to stable.
      
        The other patch could technically wait for 5.7, but it's fairly
        innocuous so I figured we might as well take it"
      
      * tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
        locks: fix a potential use-after-free problem when wakeup a waiter
        fcntl: Distribute switch variables for initialization
      0b25d458
    • L
      Merge tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · ae24a21b
      Linus Torvalds 提交于
      Pull spi fixes from Mark Brown:
       "A selection of small fixes, mostly for drivers, that have arrived
        since the merge window. None of them are earth shattering in
        themselves but all useful for affected systems"
      
      * tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: spi_register_controller(): free bus id on error paths
        spi: bcm63xx-hsspi: Really keep pll clk enabled
        spi: atmel-quadspi: fix possible MMIO window size overrun
        spi/zynqmp: remove entry that causes a cs glitch
        spi: pxa2xx: Add CS control clock quirk
        spi: spidev: Fix CS polarity if GPIO descriptors are used
        spi: qup: call spi_qup_pm_resume_runtime before suspending
        spi: spi-omap2-mcspi: Support probe deferral for DMA channels
        spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
      ae24a21b
    • L
      Merge tag 'regulator-fix-v5.6-rc4' of... · 43c63729
      Linus Torvalds 提交于
      Merge tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "A couple of small fixes, one for a minor issue in the stm32-vrefbuf
        driver and a documentation fix in the Qualcomm code"
      
      * tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
        regulator: qcom_spmi: Fix docs for PM8004
      43c63729
    • L
      Merge tag 'hwmon-for-v5.6-rc5' of... · 08e39fcb
      Linus Torvalds 提交于
      Merge tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Fix an error return in the adt7462 driver, bad voltage limits reported
        by the xdpe12284 driver, and a broken documentation reference in the
        adm1177 driver documentation"
      
      * tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
        hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
        docs: adm1177: fix a broken reference
      08e39fcb
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · c20c4a08
      Linus Torvalds 提交于
      Pull arm64 fixes from Will Deacon:
       "Here are another three arm64 fixes for 5.6, all pretty minor. Main
        thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
        would zero the counters when disabling them.
      
         - Fix misreporting of ASID limit when KPTI is enabled
      
         - Fix busted NULL pointer checks for GICC structure in ACPI PMU code
      
         - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: context: Fix ASID limit in boot messages
        drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
        drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
      c20c4a08
    • Z
      vgacon: Fix a UAF in vgacon_invert_region · 513dc792
      Zhang Xiaoxu 提交于
      When syzkaller tests, there is a UAF:
        BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
          ffff880000100000
        Read of size 2 by task syz-executor.1/16489
        page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
        index:0x0
        page flags: 0xfffff00000000()
        page dumped because: kasan: bad access detected
        CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
        Call Trace:
          [<ffffffffb119f309>] dump_stack+0x1e/0x20
          [<ffffffffb04af957>] kasan_report+0x577/0x950
          [<ffffffffb04ae652>] __asan_load2+0x62/0x80
          [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
          [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
          [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
          [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
          [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
          [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
          [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
          [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
          [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
          Memory state around the buggy address:
           ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00
           ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00 00
          >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
           ff ff ff
      
      It can be reproduce in the linux mainline by the program:
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <fcntl.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <sys/ioctl.h>
        #include <linux/vt.h>
      
        struct tiocl_selection {
          unsigned short xs;      /* X start */
          unsigned short ys;      /* Y start */
          unsigned short xe;      /* X end */
          unsigned short ye;      /* Y end */
          unsigned short sel_mode; /* selection mode */
        };
      
        #define TIOCL_SETSEL    2
        struct tiocl {
          unsigned char type;
          unsigned char pad;
          struct tiocl_selection sel;
        };
      
        int main()
        {
          int fd = 0;
          const char *dev = "/dev/char/4:1";
      
          struct vt_consize v = {0};
          struct tiocl tioc = {0};
      
          fd = open(dev, O_RDWR, 0);
      
          v.v_rows = 3346;
          ioctl(fd, VT_RESIZEX, &v);
      
          tioc.type = TIOCL_SETSEL;
          ioctl(fd, TIOCLINUX, &tioc);
      
          return 0;
        }
      
      When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
      but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
      for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
      smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
      the offset, it maybe larger than the vga_vram_size in vgacon driver, then
      bad access.
      Also, if set an larger screenbuf firstly, then set an more larger
      screenbuf, when copy old_origin to new_origin, a bad access may happen.
      
      So, If the screen size larger than vga_vram, resize screen should be
      failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
      
      Linus pointed out that overflow checking seems absent. We're saved by
      the existing bounds checks in vc_do_resize() with rather strict
      limits:
      
      	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
      		return -EINVAL;
      
      Fixes: 0aec4867 ("[PATCH] SVGATextMode fix")
      Reference: CVE-2020-8647 and CVE-2020-8649
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Signed-off-by: NZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      [danvet: augment commit message to point out overflow safety]
      Cc: stable@vger.kernel.org
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
      513dc792
    • U
      dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states · d2334a91
      Ulf Hansson 提交于
      The hierarchical topology with power-domain should be described through
      child nodes, rather than as currently described in the PSCI root node. Fix
      this by adding a patternProperties with a corresponding reference to the
      power-domain DT binding.
      
      Additionally, update the example to conform to the new pattern, but also to
      the adjusted domain-idle-state DT binding.
      
      Fixes: a3f048b5 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      [robh: Add missing allOf, tweak power-domain node name]
      Signed-off-by: NRob Herring <robh@kernel.org>
      d2334a91
    • U
      dt-bindings: power: Extend nodename pattern for power-domain providers · 14ee09a0
      Ulf Hansson 提交于
      The existing binding requires the nodename to have a '@', which is a bit
      limiting for the wider use case. Therefore, let's extend the pattern to
      allow either '@' or '-'.
      
      Fixes: a3f048b5 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      [robh: drop example change]
      Signed-off-by: NRob Herring <robh@kernel.org>
      14ee09a0
    • J
      io_uring: free fixed_file_data after RCU grace period · c1e2148f
      Jens Axboe 提交于
      The percpu refcount protects this structure, and we can have an atomic
      switch in progress when exiting. This makes it unsafe to just free the
      struct normally, and can trigger the following KASAN warning:
      
      BUG: KASAN: use-after-free in percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
      Read of size 1 at addr ffff888181a19a30 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc4+ #5747
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       <IRQ>
       dump_stack+0x76/0xa0
       print_address_description.constprop.0+0x3b/0x60
       ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
       ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
       __kasan_report.cold+0x1a/0x3d
       ? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
       percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
       rcu_core+0x370/0x830
       ? percpu_ref_exit+0x50/0x50
       ? rcu_note_context_switch+0x7b0/0x7b0
       ? run_rebalance_domains+0x11d/0x140
       __do_softirq+0x10a/0x3e9
       irq_exit+0xd5/0xe0
       smp_apic_timer_interrupt+0x86/0x200
       apic_timer_interrupt+0xf/0x20
       </IRQ>
      RIP: 0010:default_idle+0x26/0x1f0
      
      Fix this by punting the final exit and free of the struct to RCU, then
      we know that it's safe to do so. Jann suggested the approach of using a
      double rcu callback to achieve this. It's important that we do a nested
      call_rcu() callback, as otherwise the free could be ordered before the
      atomic switch, even if the latter was already queued.
      
      Reported-by: syzbot+e017e49c39ab484ac87a@syzkaller.appspotmail.com
      Suggested-by: NJann Horn <jannh@google.com>
      Reviewed-by: NPaul E. McKenney <paulmck@kernel.org>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      c1e2148f
    • Y
      locks: fix a potential use-after-free problem when wakeup a waiter · 6d390e4b
      yangerkun 提交于
      '16306a61 ("fs/locks: always delete_block after waiting.")' add the
      logic to check waiter->fl_blocker without blocked_lock_lock. And it will
      trigger a UAF when we try to wakeup some waiter:
      
      Thread 1 has create a write flock a on file, and now thread 2 try to
      unlock and delete flock a, thread 3 try to add flock b on the same file.
      
      Thread2                         Thread3
                                      flock syscall(create flock b)
      	                        ...flock_lock_inode_wait
      				    flock_lock_inode(will insert
      				    our fl_blocked_member list
      				    to flock a's fl_blocked_requests)
      				   sleep
      flock syscall(unlock)
      ...flock_lock_inode_wait
          locks_delete_lock_ctx
          ...__locks_wake_up_blocks
              __locks_delete_blocks(
      	b->fl_blocker = NULL)
      	...
                                         break by a signal
      				   locks_delete_block
      				    b->fl_blocker == NULL &&
      				    list_empty(&b->fl_blocked_requests)
      	                            success, return directly
      				 locks_free_lock b
      	wake_up(&b->fl_waiter)
      	trigger UAF
      
      Fix it by remove this logic, and this patch may also fix CVE-2019-19769.
      
      Cc: stable@vger.kernel.org
      Fixes: 16306a61 ("fs/locks: always delete_block after waiting.")
      Signed-off-by: Nyangerkun <yangerkun@huawei.com>
      Signed-off-by: NJeff Layton <jlayton@kernel.org>
      6d390e4b
  3. 06 3月, 2020 12 次提交
    • C
      block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() · 14afc593
      Carlo Nonato 提交于
      The bfq_find_set_group() function takes as input a blkcg (which represents
      a cgroup) and retrieves the corresponding bfq_group, then it updates the
      bfq internal group hierarchy (see comments inside the function for why
      this is needed) and finally it returns the bfq_group.
      In the hierarchy update cycle, the pointer holding the correct bfq_group
      that has to be returned is mistakenly used to traverse the hierarchy
      bottom to top, meaning that in each iteration it gets overwritten with the
      parent of the current group. Since the update cycle stops at root's
      children (depth = 2), the overwrite becomes a problem only if the blkcg
      describes a cgroup at a hierarchy level deeper than that (depth > 2). In
      this case the root's child that happens to be also an ancestor of the
      correct bfq_group is returned. The main consequence is that processes
      contained in a cgroup at depth greater than 2 are wrongly placed in the
      group described above by BFQ.
      
      This commits fixes this problem by using a different bfq_group pointer in
      the update cycle in order to avoid the overwrite of the variable holding
      the original group reference.
      Reported-by: NKwon Je Oh <kwonje.oh2@gmail.com>
      Signed-off-by: NCarlo Nonato <carlo.nonato95@gmail.com>
      Signed-off-by: NPaolo Valente <paolo.valente@linaro.org>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      14afc593
    • L
      Merge branch 'akpm' (patches from Andrew) · aeb542a1
      Linus Torvalds 提交于
      Merge misc fixes from Andrew Morton:
       "7 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        arch/Kconfig: update HAVE_RELIABLE_STACKTRACE description
        mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
        mm/z3fold.c: do not include rwlock.h directly
        fat: fix uninit-memory access for partial initialized inode
        mm: avoid data corruption on CoW fault into PFN-mapped VMA
        mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
        mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
      aeb542a1
    • M
      arch/Kconfig: update HAVE_RELIABLE_STACKTRACE description · 140d7e88
      Miroslav Benes 提交于
      save_stack_trace_tsk_reliable() is not the only function providing the
      reliable stack traces anymore.  Architecture might define ARCH_STACKWALK
      which provides a newer stack walking interface and has
      arch_stack_walk_reliable() function.  Update the description accordingly.
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NMiroslav Benes <mbenes@suse.cz>
      Acked-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Link: http://lkml.kernel.org/r/20200120154042.9934-1-mbenes@suse.czSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      140d7e88
    • V
      mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled · c87cbc1f
      Vlastimil Babka 提交于
      Commit cd02cf1a ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
      fixed memory hotplug with debug_pagealloc enabled, where onlining a page
      goes through page freeing, which removes the direct mapping.  Some arches
      don't like when the page is not mapped in the first place, so
      generic_online_page() maps it first.  This is somewhat wasteful, but
      better than special casing page freeing fast paths.
      
      The commit however missed that DEBUG_PAGEALLOC configured doesn't mean
      it's actually enabled.  One has to test debug_pagealloc_enabled() since
      031bc574 ("mm/debug-pagealloc: make debug-pagealloc boottime
      configurable"), or alternatively debug_pagealloc_enabled_static() since
      8e57f8ac ("mm, debug_pagealloc: don't rely on static keys too early"),
      but this is not done.
      
      As a result, a s390 kernel with DEBUG_PAGEALLOC configured but not enabled
      will crash:
      
      Unable to handle kernel pointer dereference in virtual kernel address space
      Failing address: 0000000000000000 TEID: 0000000000000483
      Fault in home space mode while using kernel ASCE.
      AS:0000001ece13400b R2:000003fff7fd000b R3:000003fff7fcc007 S:000003fff7fd7000 P:000000000000013d
      Oops: 0004 ilc:2 [#1] SMP
      CPU: 1 PID: 26015 Comm: chmem Kdump: loaded Tainted: GX 5.3.18-5-default #1 SLE15-SP2 (unreleased)
      Krnl PSW : 0704e00180000000 0000001ecd281b9e (__kernel_map_pages+0x166/0x188)
      R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
      Krnl GPRS: 0000000000000000 0000000000000800 0000400b00000000 0000000000000100
      0000000000000001 0000000000000000 0000000000000002 0000000000000100
      0000001ece139230 0000001ecdd98d40 0000400b00000100 0000000000000000
      000003ffa17e4000 001fffe0114f7d08 0000001ecd4d93ea 001fffe0114f7b20
      Krnl Code: 0000001ecd281b8e: ec17ffff00d8 ahik %r1,%r7,-1
      0000001ecd281b94: ec111dbc0355 risbg %r1,%r1,29,188,3
      >0000001ecd281b9e: 94fb5006 ni 6(%r5),251
      0000001ecd281ba2: 41505008 la %r5,8(%r5)
      0000001ecd281ba6: ec51fffc6064 cgrj %r5,%r1,6,1ecd281b9e
      0000001ecd281bac: 1a07 ar %r0,%r7
      0000001ecd281bae: ec03ff584076 crj %r0,%r3,4,1ecd281a5e
      Call Trace:
      [<0000001ecd281b9e>] __kernel_map_pages+0x166/0x188
      [<0000001ecd4d9516>] online_pages_range+0xf6/0x128
      [<0000001ecd2a8186>] walk_system_ram_range+0x7e/0xd8
      [<0000001ecda28aae>] online_pages+0x2fe/0x3f0
      [<0000001ecd7d02a6>] memory_subsys_online+0x8e/0xc0
      [<0000001ecd7add42>] device_online+0x5a/0xc8
      [<0000001ecd7d0430>] state_store+0x88/0x118
      [<0000001ecd5b9f62>] kernfs_fop_write+0xc2/0x200
      [<0000001ecd5064b6>] vfs_write+0x176/0x1e0
      [<0000001ecd50676a>] ksys_write+0xa2/0x100
      [<0000001ecda315d4>] system_call+0xd8/0x2c8
      
      Fix this by checking debug_pagealloc_enabled_static() before calling
      kernel_map_pages(). Backports for kernel before 5.5 should use
      debug_pagealloc_enabled() instead. Also add comments.
      
      Fixes: cd02cf1a ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
      Reported-by: NGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NVlastimil Babka <vbabka@suse.cz>
      Reviewed-by: NDavid Hildenbrand <david@redhat.com>
      Cc: <stable@vger.kernel.org>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Qian Cai <cai@lca.pw>
      Link: http://lkml.kernel.org/r/20200224094651.18257-1-vbabka@suse.czSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c87cbc1f
    • S
      mm/z3fold.c: do not include rwlock.h directly · a8198fed
      Sebastian Andrzej Siewior 提交于
      rwlock.h should not be included directly. Instead linux/splinlock.h
      should be included. One thing it does is to break the RT build.
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Vitaly Wool <vitaly.wool@konsulko.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20200224133631.1510569-1-bigeasy@linutronix.deSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a8198fed
    • O
      fat: fix uninit-memory access for partial initialized inode · bc87302a
      OGAWA Hirofumi 提交于
      When get an error in the middle of reading an inode, some fields in the
      inode might be still not initialized.  And then the evict_inode path may
      access those fields via iput().
      
      To fix, this makes sure that inode fields are initialized.
      
      Reported-by: syzbot+9d82b8de2992579da5d0@syzkaller.appspotmail.com
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NOGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/871rqnreqx.fsf@mail.parknet.co.jpSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      bc87302a
    • K
      mm: avoid data corruption on CoW fault into PFN-mapped VMA · c3e5ea6e
      Kirill A. Shutemov 提交于
      Jeff Moyer has reported that one of xfstests triggers a warning when run
      on DAX-enabled filesystem:
      
      	WARNING: CPU: 76 PID: 51024 at mm/memory.c:2317 wp_page_copy+0xc40/0xd50
      	...
      	wp_page_copy+0x98c/0xd50 (unreliable)
      	do_wp_page+0xd8/0xad0
      	__handle_mm_fault+0x748/0x1b90
      	handle_mm_fault+0x120/0x1f0
      	__do_page_fault+0x240/0xd70
      	do_page_fault+0x38/0xd0
      	handle_page_fault+0x10/0x30
      
      The warning happens on failed __copy_from_user_inatomic() which tries to
      copy data into a CoW page.
      
      This happens because of race between MADV_DONTNEED and CoW page fault:
      
      	CPU0					CPU1
       handle_mm_fault()
         do_wp_page()
           wp_page_copy()
             do_wp_page()
      					madvise(MADV_DONTNEED)
      					  zap_page_range()
      					    zap_pte_range()
      					      ptep_get_and_clear_full()
      					      <TLB flush>
      	 __copy_from_user_inatomic()
      	 sees empty PTE and fails
      	 WARN_ON_ONCE(1)
      	 clear_page()
      
      The solution is to re-try __copy_from_user_inatomic() under PTL after
      checking that PTE is matches the orig_pte.
      
      The second copy attempt can still fail, like due to non-readable PTE, but
      there's nothing reasonable we can do about, except clearing the CoW page.
      Reported-by: NJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Tested-by: NJeff Moyer <jmoyer@redhat.com>
      Cc: <stable@vger.kernel.org>
      Cc: Justin He <Justin.He@arm.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Link: http://lkml.kernel.org/r/20200218154151.13349-1-kirill.shutemov@linux.intel.comSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c3e5ea6e
    • H
      mm: fix possible PMD dirty bit lost in set_pmd_migration_entry() · 8a8683ad
      Huang Ying 提交于
      In set_pmd_migration_entry(), pmdp_invalidate() is used to change PMD
      atomically.  But the PMD is read before that with an ordinary memory
      reading.  If the THP (transparent huge page) is written between the PMD
      reading and pmdp_invalidate(), the PMD dirty bit may be lost, and cause
      data corruption.  The race window is quite small, but still possible in
      theory, so need to be fixed.
      
      The race is fixed via using the return value of pmdp_invalidate() to get
      the original content of PMD, which is a read/modify/write atomic
      operation.  So no THP writing can occur in between.
      
      The race has been introduced when the THP migration support is added in
      the commit 616b8371 ("mm: thp: enable thp migration in generic path").
      But this fix depends on the commit d52605d7 ("mm: do not lose dirty
      and accessed bits in pmdp_invalidate()").  So it's easy to be backported
      after v4.16.  But the race window is really small, so it may be fine not
      to backport the fix at all.
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: N"Huang, Ying" <ying.huang@intel.com>
      Reviewed-by: NZi Yan <ziy@nvidia.com>
      Reviewed-by: NWilliam Kucharski <william.kucharski@oracle.com>
      Acked-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Link: http://lkml.kernel.org/r/20200220075220.2327056-1-ying.huang@intel.comSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8a8683ad
    • M
      mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa · 8b272b3c
      Mel Gorman 提交于
      : A user reported a bug against a distribution kernel while running a
      : proprietary workload described as "memory intensive that is not swapping"
      : that is expected to apply to mainline kernels.  The workload is
      : read/write/modifying ranges of memory and checking the contents.  They
      : reported that within a few hours that a bad PMD would be reported followed
      : by a memory corruption where expected data was all zeros.  A partial
      : report of the bad PMD looked like
      :
      :   [ 5195.338482] ../mm/pgtable-generic.c:33: bad pmd ffff8888157ba008(000002e0396009e2)
      :   [ 5195.341184] ------------[ cut here ]------------
      :   [ 5195.356880] kernel BUG at ../mm/pgtable-generic.c:35!
      :   ....
      :   [ 5195.410033] Call Trace:
      :   [ 5195.410471]  [<ffffffff811bc75d>] change_protection_range+0x7dd/0x930
      :   [ 5195.410716]  [<ffffffff811d4be8>] change_prot_numa+0x18/0x30
      :   [ 5195.410918]  [<ffffffff810adefe>] task_numa_work+0x1fe/0x310
      :   [ 5195.411200]  [<ffffffff81098322>] task_work_run+0x72/0x90
      :   [ 5195.411246]  [<ffffffff81077139>] exit_to_usermode_loop+0x91/0xc2
      :   [ 5195.411494]  [<ffffffff81003a51>] prepare_exit_to_usermode+0x31/0x40
      :   [ 5195.411739]  [<ffffffff815e56af>] retint_user+0x8/0x10
      :
      : Decoding revealed that the PMD was a valid prot_numa PMD and the bad PMD
      : was a false detection.  The bug does not trigger if automatic NUMA
      : balancing or transparent huge pages is disabled.
      :
      : The bug is due a race in change_pmd_range between a pmd_trans_huge and
      : pmd_nond_or_clear_bad check without any locks held.  During the
      : pmd_trans_huge check, a parallel protection update under lock can have
      : cleared the PMD and filled it with a prot_numa entry between the transhuge
      : check and the pmd_none_or_clear_bad check.
      :
      : While this could be fixed with heavy locking, it's only necessary to make
      : a copy of the PMD on the stack during change_pmd_range and avoid races.  A
      : new helper is created for this as the check if quite subtle and the
      : existing similar helpful is not suitable.  This passed 154 hours of
      : testing (usually triggers between 20 minutes and 24 hours) without
      : detecting bad PMDs or corruption.  A basic test of an autonuma-intensive
      : workload showed no significant change in behaviour.
      
      Although Mel withdrew the patch on the face of LKML comment
      https://lkml.org/lkml/2017/4/10/922 the race window aforementioned is
      still open, and we have reports of Linpack test reporting bad residuals
      after the bad PMD warning is observed.  In addition to that, bad
      rss-counter and non-zero pgtables assertions are triggered on mm teardown
      for the task hitting the bad PMD.
      
       host kernel: mm/pgtable-generic.c:40: bad pmd 00000000b3152f68(8000000d2d2008e7)
       ....
       host kernel: BUG: Bad rss-counter state mm:00000000b583043d idx:1 val:512
       host kernel: BUG: non-zero pgtables_bytes on freeing mm: 4096
      
      The issue is observed on a v4.18-based distribution kernel, but the race
      window is expected to be applicable to mainline kernels, as well.
      
      [akpm@linux-foundation.org: fix comment typo, per Rafael]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NRafael Aquini <aquini@redhat.com>
      Signed-off-by: NMel Gorman <mgorman@techsingularity.net>
      Cc: <stable@vger.kernel.org>
      Cc: Zi Yan <zi.yan@cs.rutgers.edu>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Michal Hocko <mhocko@suse.com>
      Link: http://lkml.kernel.org/r/20200216191800.22423-1-aquini@redhat.comSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8b272b3c
    • L
      Merge tag 'devprop-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · b0b8a945
      Linus Torvalds 提交于
      Pull device properties framework fix from Rafael Wysocki:
       "Revert a problematic commit from the 5.3 development cycle (Brendan
        Higgins)"
      
      * tag 'devprop-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        Revert "software node: Simplify software_node_release() function"
      b0b8a945
    • L
      Merge tag 'acpi-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · fe67d182
      Linus Torvalds 提交于
      Pull ACPI documentation fix from Rafael Wysocki:
       "Fix Sphinx format warinings in an ACPI fan document added recently
        (Randy Dunlap)"
      
      * tag 'acpi-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        Documentation/admin-guide/acpi: fix fan_performance_states.rst warnings
      fe67d182
    • L
      Merge tag 'drm-fixes-2020-03-06' of git://anongit.freedesktop.org/drm/drm · ba0ae9ac
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "Weekly fixes round, looks like a few people woke up, got a bunch of
        fixes across the drivers. Bit bigger than I'd like but they all seem
        fine and hopefully it quiets down now.
      
        sun4i, kirin, mediatek and exynos on the ARM side. virtio-gpu and core
        have some mmap fixes, and there is a dma-buf leak. one ttm fence leak
        is also fixed.
      
        Otherwise it's mostly amdgpu and i915.
      
        One of the i915 fixes is for a very long latency I was seeing (using
        latencytop) running gnome-shell locally when using firefox and eating
        nearly all my RAM, it really helps with desktop responsiveness esp
        when firefox is chewing a lot.
      
        dma-buf:
         - fix memory leak
      
        core:
         - shmem object mmap fix.
      
        ttm:
         - Fix fence leak in ttm_buffer_object_transfer().
      
        amdgpu:
         - Gfx reset fix for gfx9, 10
         - Fix for gfx10
         - DP MST fix
         - DCC fix
         - Renoir power fixes
         - Navi power fix
      
        i915:
         - Break up long lists of object reclaim with cond_resched()
         - PSR probe fix
         - TGL workarounds
         - Selftest return value fix
         - Drop timeline mutex while waiting for retirement
         - Wait for OA configuration completion before writes to OA buffer
      
        virtio:
         - Fix resource id creation race in virtio.
         - mmap fixes
      
        sun4i:
         - Fixes for sun4i VI layer format support.
      
        kirin:
         - kirin: Revert "Fix for hikey620 display offset problem"
      
        exynos:
         - fix a kernel oops problem in case that driver is loaded as module.
         - fix a regulator warning issue when I2C DDC adapter cannot be gathered.
         - print out an error message only in error case excepting -EPROBE_DEFER.
      
        mediatek:
         - overlay, cursor and gce fixes"
      `
      
      * tag 'drm-fixes-2020-03-06' of git://anongit.freedesktop.org/drm/drm: (38 commits)
        drm/amdgpu/display: navi1x copy dcn watermark clock settings to smu resume from s3 (v2)
        drm/amd/powerplay: map mclk to fclk for COMBINATIONAL_BYPASS case
        drm/amd/powerplay: fix pre-check condition for setting clock range
        drm/amd/display: fix dcc swath size calculations on dcn1
        drm/amd/display: Clear link settings on MST disable connector
        drm/amdgpu: disable 3D pipe 1 on Navi1x
        drm/amdgpu: clean wptr on wb when gpu recovery
        drm: kirin: Revert "Fix for hikey620 display offset problem"
        drm/i915/gt: Drop the timeline->mutex as we wait for retirement
        drm/i915/perf: Reintroduce wait on OA configuration completion
        drm/sun4i: Fix DE2 VI layer format support
        drm/sun4i: Add separate DE3 VI layer formats
        drm/sun4i: de2/de3: Remove unsupported VI layer formats
        drm/i915/selftests: Fix return in assert_mmap_offset()
        drm/i915: Protect i915_request_await_start from early waits
        drm/i915/tgl: Add Wa_1608008084
        drm/i915/tgl: Add Wa_22010178259:tgl
        drm/i915: Program MBUS with rmw during initialization
        drm/i915/psr: Force PSR probe only after full initialization
        drm/i915/gem: Break up long lists of object reclaim
        ...
      ba0ae9ac