1. 22 Aug, 2020 3 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · b2d9e996
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
      
       - PAE and PKU bugfixes for x86
      
       - selftests fix for new binutils
      
       - MMU notifier fix for arm64
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: arm64: Only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is not set
        KVM: Pass MMU notifier range flags to kvm_unmap_hva_range()
        kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode
        kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode
        KVM: x86: fix access code passed to gva_to_gpa
        selftests: kvm: Use a shorter encoding to clear RAX
      b2d9e996
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 9e574b74
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "23 fixes in 5 drivers (qla2xxx, ufs, scsi_debug, fcoe, zfcp). The bulk
        of the changes are in qla2xxx and ufs and all are mostly small and
        definitely don't impact the core"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (23 commits)
        Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe"
        Revert "scsi: qla2xxx: Fix crash on qla2x00_mailbox_command"
        scsi: qla2xxx: Fix null pointer access during disconnect from subsystem
        scsi: qla2xxx: Check if FW supports MQ before enabling
        scsi: qla2xxx: Fix WARN_ON in qla_nvme_register_hba
        scsi: qla2xxx: Allow ql2xextended_error_logging special value 1 to be set anytime
        scsi: qla2xxx: Reduce noisy debug message
        scsi: qla2xxx: Fix login timeout
        scsi: qla2xxx: Indicate correct supported speeds for Mezz card
        scsi: qla2xxx: Flush I/O on zone disable
        scsi: qla2xxx: Flush all sessions on zone disable
        scsi: qla2xxx: Use MBX_TOV_SECONDS for mailbox command timeout values
        scsi: scsi_debug: Fix scp is NULL errors
        scsi: zfcp: Fix use-after-free in request timeout handlers
        scsi: ufs: No need to send Abort Task if the task in DB was cleared
        scsi: ufs: Clean up completed request without interrupt notification
        scsi: ufs: Improve interrupt handling for shared interrupts
        scsi: ufs: Fix interrupt error message for shared interrupts
        scsi: ufs-pci: Add quirk for broken auto-hibernate for Intel EHL
        scsi: ufs-mediatek: Fix incorrect time to wait link status
        ...
      9e574b74
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · d6af6330
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       "Another set of DT fixes:
      
         - restore range parsing error check
      
         - workaround PCI range parsing with missing 'device_type' now
           required
      
         - correct description of 'phy-connection-type'
      
         - fix erroneous matching on 'snps,dw-pcie' by 'intel,lgm-pcie' schema
      
         - a couple of grammar and whitespace fixes
      
         - update Shawn Guo's email"
      
      * tag 'devicetree-fixes-for-5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: vendor-prefixes: Remove trailing whitespace
        dt-bindings: net: correct description of phy-connection-type
        dt-bindings: PCI: intel,lgm-pcie: Fix matching on all snps,dw-pcie instances
        of: address: Work around missing device_type property in pcie nodes
        dt: writing-schema: Miscellaneous grammar fixes
        dt-bindings: Use Shawn Guo's preferred e-mail for i.MX bindings
        of/address: check for invalid range.cpu_addr
      d6af6330
  2. 21 Aug, 2020 29 commits
    • Geert Uytterhoeven's avatar
      5cd841d2
    • Will Deacon's avatar
      KVM: arm64: Only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is not set · b5331379
      Will Deacon authored
      When an MMU notifier call results in unmapping a range that spans multiple
      PGDs, we end up calling into cond_resched_lock() when crossing a PGD boundary,
      since this avoids running into RCU stalls during VM teardown. Unfortunately,
      if the VM is destroyed as a result of OOM, then blocking is not permitted
      and the call to the scheduler triggers the following BUG():
      
       | BUG: sleeping function called from invalid context at arch/arm64/kvm/mmu.c:394
       | in_atomic(): 1, irqs_disabled(): 0, non_block: 1, pid: 36, name: oom_reaper
       | INFO: lockdep is turned off.
       | CPU: 3 PID: 36 Comm: oom_reaper Not tainted 5.8.0 #1
       | Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
       | Call trace:
       |  dump_backtrace+0x0/0x284
       |  show_stack+0x1c/0x28
       |  dump_stack+0xf0/0x1a4
       |  ___might_sleep+0x2bc/0x2cc
       |  unmap_stage2_range+0x160/0x1ac
       |  kvm_unmap_hva_range+0x1a0/0x1c8
       |  kvm_mmu_notifier_invalidate_range_start+0x8c/0xf8
       |  __mmu_notifier_invalidate_range_start+0x218/0x31c
       |  mmu_notifier_invalidate_range_start_nonblock+0x78/0xb0
       |  __oom_reap_task_mm+0x128/0x268
       |  oom_reap_task+0xac/0x298
       |  oom_reaper+0x178/0x17c
       |  kthread+0x1e4/0x1fc
       |  ret_from_fork+0x10/0x30
      
      Use the new 'flags' argument to kvm_unmap_hva_range() to ensure that we
      only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is set in the notifier
      flags.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 8b3405e3
      
       ("kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd")
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Message-Id: <20200811102725.7121-3-will@kernel.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b5331379
    • Will Deacon's avatar
      KVM: Pass MMU notifier range flags to kvm_unmap_hva_range() · fdfe7cbd
      Will Deacon authored
      
      
      The 'flags' field of 'struct mmu_notifier_range' is used to indicate
      whether invalidate_range_{start,end}() are permitted to block. In the
      case of kvm_mmu_notifier_invalidate_range_start(), this field is not
      forwarded on to the architecture-specific implementation of
      kvm_unmap_hva_range() and therefore the backend cannot sensibly decide
      whether or not to block.
      
      Add an extra 'flags' parameter to kvm_unmap_hva_range() so that
      architectures are aware as to whether or not they are permitted to block.
      
      Cc: <stable@vger.kernel.org>
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Message-Id: <20200811102725.7121-2-will@kernel.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      fdfe7cbd
    • Madalin Bucur's avatar
      dt-bindings: net: correct description of phy-connection-type · 5f53584c
      Madalin Bucur authored
      
      
      The phy-connection-type parameter is described in ePAPR 1.1:
      
      Specifies interface type between the Ethernet device and a physical
      layer (PHY) device. The value of this property is specific to the
      implementation.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@oss.nxp.com>
      Link: https://lore.kernel.org/r/1597917724-11127-1-git-send-email-madalin.bucur@oss.nxp.com
      
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      5f53584c
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.9-2020-08-21' of git://git.kernel.dk/linux-block · f873db9a
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Make sure the head link cancelation includes async work
      
       - Get rid of kiocb_wait_page_queue_init(), makes no sense to have it as
         a separate function since you moved it into io_uring itself
      
       - io_import_iovec cleanups (Pavel, me)
      
       - Use system_unbound_wq for ring exit work, to avoid spawning tons of
         these if we have tons of rings exiting at the same time
      
       - Fix req->flags overflow flag manipulation (Pavel)
      
      * tag 'io_uring-5.9-2020-08-21' of git://git.kernel.dk/linux-block:
        io_uring: kill extra iovec=NULL in import_iovec()
        io_uring: comment on kfree(iovec) checks
        io_uring: fix racy req->flags modification
        io_uring: use system_unbound_wq for ring exit work
        io_uring: cleanup io_import_iovec() of pre-mapped request
        io_uring: get rid of kiocb_wait_page_queue_init()
        io_uring: find and cancel head link async work on files exit
      f873db9a
    • Rob Herring's avatar
      dt-bindings: PCI: intel,lgm-pcie: Fix matching on all snps,dw-pcie instances · a326462c
      Rob Herring authored
      The intel,lgm-pcie binding is matching on all snps,dw-pcie instances
      which is wrong. Add a custom 'select' entry to fix this.
      
      Fixes: e54ea45a
      
       ("dt-bindings: PCI: intel: Add YAML schemas for the PCIe RC controller")
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: linux-pci@vger.kernel.org
      Reviewed-by: default avatarDilip Kota <eswara.kota@linux.intel.com>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      a326462c
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 349111f0
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "11 patches.
      
        Subsystems affected by this: misc, mm/hugetlb, mm/vmalloc, mm/misc,
        romfs, relay, uprobes, squashfs, mm/cma, mm/pagealloc"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm, page_alloc: fix core hung in free_pcppages_bulk()
        mm: include CMA pages in lowmem_reserve at boot
        squashfs: avoid bio_alloc() failure with 1Mbyte blocks
        uprobes: __replace_page() avoid BUG in munlock_vma_page()
        kernel/relay.c: fix memleak on destroy relay channel
        romfs: fix uninitialized memory leak in romfs_dev_read()
        mm/rodata_test.c: fix missing function declaration
        mm/vunmap: add cond_resched() in vunmap_pmd_range
        khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
        hugetlb_cgroup: convert comma to semicolon
        mailmap: add Andi Kleen
      349111f0
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · f22c5579
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - The CLINT driver has been split in two: one to handle the M-mode
         CLINT (memory mapped and used on NOMMU systems) and one to handle the
         S-mode CLINT (via SBI).
      
       - The addition of SiFive's drivers to rv32_defconfig
      
      * tag 'riscv-for-linus-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Add SiFive drivers to rv32_defconfig
        dt-bindings: timer: Add CLINT bindings
        RISC-V: Remove CLINT related code from timer and arch
        clocksource/drivers: Add CLINT timer driver
        RISC-V: Add mechanism to provide custom IPI operations
      f22c5579
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · c0a4f5b3
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "One build fix and a minor fix for suppressing a useless warning when
        booting a Xen dom0 via UEFI"
      
      * tag 'for-linus-5.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        Fix build error when CONFIG_ACPI is not set/enabled:
        efi: avoid error message when booting under Xen
      c0a4f5b3
    • Linus Torvalds's avatar
      Merge tag 'pm-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 985c788b
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a few issues in the operating performance points (OPP)
        framework.
      
        Specifics:
      
         - Fix re-enabling of resources in dev_pm_opp_set_rate() (Rajendra
           Nayak)
      
         - Fix OPP table reference counting in error paths (Stephen Boyd)"
      
      * tag 'pm-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        opp: Enable resources again if they were disabled earlier
        opp: Put opp table in dev_pm_opp_set_rate() if _set_opp_bw() fails
        opp: Put opp table in dev_pm_opp_set_rate() for empty tables
      985c788b
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · d723b99e
      Linus Torvalds authored
      Pull ext4 updates from Ted Ts'o:
       "Improvements to ext4's block allocator performance for very large file
        systems, especially when the file system or files which are highly
        fragmented. There is a new mount option, prefetch_block_bitmaps which
        will pull in the block bitmaps and set up the in-memory buddy bitmaps
        when the file system is initially mounted.
      
        Beyond that, a lot of bug fixes and cleanups. In particular, a number
        of changes to make ext4 more robust in the face of write errors or
        file system corruptions"
      
      * tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (46 commits)
        ext4: limit the length of per-inode prealloc list
        ext4: reorganize if statement of ext4_mb_release_context()
        ext4: add mb_debug logging when there are lost chunks
        ext4: Fix comment typo "the the".
        jbd2: clean up checksum verification in do_one_pass()
        ext4: change to use fallthrough macro
        ext4: remove unused parameter of ext4_generic_delete_entry function
        mballoc: replace seq_printf with seq_puts
        ext4: optimize the implementation of ext4_mb_good_group()
        ext4: delete invalid comments near ext4_mb_check_limits()
        ext4: fix typos in ext4_mb_regular_allocator() comment
        ext4: fix checking of directory entry validity for inline directories
        fs: prevent BUG_ON in submit_bh_wbc()
        ext4: correctly restore system zone info when remount fails
        ext4: handle add_system_zone() failure in ext4_setup_system_zone()
        ext4: fold ext4_data_block_valid_rcu() into the caller
        ext4: check journal inode extents more carefully
        ext4: don't allow overlapping system zones
        ext4: handle error of ext4_setup_system_zone() on remount
        ext4: delete the invalid BUGON in ext4_mb_load_buddy_gfp()
        ...
      d723b99e
    • David Howells's avatar
      afs: Fix NULL deref in afs_dynroot_depopulate() · 5e0b17b0
      David Howells authored
      If an error occurs during the construction of an afs superblock, it's
      possible that an error occurs after a superblock is created, but before
      we've created the root dentry.  If the superblock has a dynamic root
      (ie.  what's normally mounted on /afs), the afs_kill_super() will call
      afs_dynroot_depopulate() to unpin any created dentries - but this will
      oops if the root hasn't been created yet.
      
      Fix this by skipping that bit of code if there is no root dentry.
      
      This leads to an oops looking like:
      
      	general protection fault, ...
      	KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
      	...
      	RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385
      	...
      	Call Trace:
      	 afs_kill_super+0x13b/0x180 fs/afs/super.c:535
      	 deactivate_locked_super+0x94/0x160 fs/super.c:335
      	 afs_get_tree+0x1124/0x1460 fs/afs/super.c:598
      	 vfs_get_tree+0x89/0x2f0 fs/super.c:1547
      	 do_new_mount fs/namespace.c:2875 [inline]
      	 path_mount+0x1387/0x2070 fs/namespace.c:3192
      	 do_mount fs/namespace.c:3205 [inline]
      	 __do_sys_mount fs/namespace.c:3413 [inline]
      	 __se_sys_mount fs/namespace.c:3390 [inline]
      	 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
      	 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
      	 entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      which is oopsing on this line:
      
      	inode_lock(root->d_inode);
      
      presumably because sb->s_root was NULL.
      
      Fixes: 0da0b7fd
      
       ("afs: Display manually added cells in dynamic root mount")
      Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5e0b17b0
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · cd02217a
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "One regression from 5.8 and a few bugs from earlier kernels:
      
         - Various spelling corrections in kernel prints
      
         - Bug fixes in hfi1 and bntx_re
      
         - Revert a 5.8 patch in hns
      
         - Batch update for Mellanox and Cumulus maintainers emails"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        MAINTAINERS: Update Mellanox and Cumulus Network addresses to new domain
        Revert "RDMA/hns: Reserve one sge in order to avoid local length error"
        RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request
        RDMA/bnxt_re: Do not add user qps to flushlist
        RDMA/core: Fix spelling mistake "Could't" -> "Couldn't"
        RDMA/usnic: Fix spelling mistake "transistion" -> "transition"
        RDMA/hns: Fix spelling mistake "epmty" -> "empty"
      cd02217a
    • Linus Torvalds's avatar
      Merge tag 'sound-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7f04f3ed
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small fixes over several drivers, but all are driver-
        specific and nothing looks scary.
      
        Slightly large changes are seen in ASoC qcom driver for the bugs that
        were revealed by the recent ASoC core change to report the invalid
        register access errors. Also ASoC fsl got a slight intensive change
        for the distortion fix.
      
        Others are only trivial fixes or device-specific quirks"
      
      * tag 'sound-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
        ALSA: hda: avoid reset of sdo_limit
        ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion
        ALSA: usb-audio: ignore broken processing/extension unit
        ASoC: intel: Fix memleak in sst_media_open
        ASoC: wm8994: Avoid attempts to read unreadable registers
        ASoC: msm8916-wcd-analog: fix register Interrupt offset
        ASoC: wm8994: Prevent access to invalid VU register bits on WM1811
        ALSA: hda/realtek: Add model alc298-samsung-headphone
        ALSA: usb-audio: Update documentation comment for MS2109 quirk
        ALSA: isa: fix spelling mistakes in the comments
        ALSA: usb-audio: Add capture support for Saffire 6 (USB 1.1)
        ALSA: hda/realtek: Add quirk for Samsung Galaxy Flex Book
        ASoC: q6routing: add dummy register read/write function
        ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM
        ASoC: Make soc_component_read() returning an error code again
        ASoC: amd: Replacing component->name with codec_dai->name.
        ASoC: fsl: Fix unused variable warning
        ASoC: tegra: tegra210_i2s: Fix compile warning with CONFIG_PM=n
        ASoC: tegra: tegra210_dmic: Fix compile warning with CONFIG_PM=n
        ASoC: tegra: tegra210_ahub: Fix compile warning with CONFIG_PM=n
        ...
      7f04f3ed
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-08-21' of git://anongit.freedesktop.org/drm/drm · 43d387a4
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular fixes pull for rc2. Usual rc2 doesn't seem too busy, mainly
        i915 and amdgpu. I'd expect the usual uptick for rc3.
      
        amdgpu:
         - Fix allocation size
         - SR-IOV fixes
         - Vega20 SMU feature state caching fix
         - Fix custom pptable handling
         - Arcturus golden settings update
         - Several display fixes
         - Fixes for Navy Flounder
         - Misc display fixes
         - RAS fix
      
        amdkfd:
         - SDMA fix for renoir
      
        i915:
         - Fix device parameter usage for selftest mock i915 device
         - Fix LPSP capability debugfs NULL dereference
         - Fix buddy register pagemask table
         - Fix intel_atomic_check() non-negative return value
         - Fix selftests passing a random 0 into ilog2()
         - Fix TGL power well enable/disable ordering
         - Switch to PMU module refcounting
         - GVT fixes
      
        virtio:
         - Add missing dma_fence_put() in virtio_gpu_execbuffer_ioctl()
         - Fix memory leak in virtio_gpu_cleanup_object()"
      
      * tag 'drm-fixes-2020-08-21' of git://anongit.freedesktop.org/drm/drm: (34 commits)
        Revert "drm/amdgpu: disable gfxoff for navy_flounder"
        drm/i915/tgl: Make sure TC-cold is blocked before enabling TC AUX power wells
        drm/i915/selftests: Avoid passing a random 0 into ilog2
        drm/i915: Fix wrong return value in intel_atomic_check()
        drm/i915: Update bw_buddy pagemask table
        drm/i915/display: Check for an LPSP encoder before dereferencing
        drm/i915: Copy default modparams to mock i915_device
        drm/i915: Provide the perf pmu.module
        drm/amd/display: fix pow() crashing when given base 0
        drm/amd/display: Reset scrambling on Test Pattern
        drm/amd/display: fix dcn3 wide timing dsc validation
        drm/amd/display: Fix DFPstate hang due to view port changed
        drm/amd/display: Assign correct left shift
        drm/amd/display: Call DMUB for eDP power control
        drm/amdkfd: fix the wrong sdma instance query for renoir
        drm/amdgpu: parse ta firmware for navy_flounder
        drm/amdgpu: fix NULL pointer access issue when unloading driver
        drm/amdgpu: fix uninit-value in arcturus_log_thermal_throttling_event()
        drm/amdgpu: disable gfxoff for navy_flounder
        drm/amdgpu/display: use GFP_ATOMIC in dcn20_validate_bandwidth_internal
        ...
      43d387a4
    • Charan Teja Reddy's avatar
      mm, page_alloc: fix core hung in free_pcppages_bulk() · 88e8ac11
      Charan Teja Reddy authored
      The following race is observed with the repeated online, offline and a
      delay between two successive online of memory blocks of movable zone.
      
      P1						P2
      
      Online the first memory block in
      the movable zone. The pcp struct
      values are initialized to default
      values,i.e., pcp->high = 0 &
      pcp->batch = 1.
      
      					Allocate the pages from the
      					movable zone.
      
      Try to Online the second memory
      block in the movable zone thus it
      entered the online_pages() but yet
      to call zone_pcp_update().
      					This process is entered into
      					the exit path thus it tries
      					to release the order-0 pages
      					to pcp lists through
      					free_unref_page_commit().
      					As pcp->high = 0, pcp->count = 1
      					proceed to call the function
      					free_pcppages_bulk().
      Update the pcp values thus the
      new pcp values are like, say,
      pcp->high = 378, pcp->batch = 63.
      					Read the pcp's batch value using
      					READ_ONCE() and pass the same to
      					free_pcppages_bulk(), pcp values
      					passed here are, batch = 63,
      					count = 1.
      
      					Since num of pages in the pcp
      					lists are less than ->batch,
      					then it will stuck in
      					while(list_empty(list)) loop
      					with interrupts disabled thus
      					a core hung.
      
      Avoid this by ensuring free_pcppages_bulk() is called with proper count of
      pcp list pages.
      
      The mentioned race is some what easily reproducible without [1] because
      pcp's are not updated for the first memory block online and thus there is
      a enough race window for P2 between alloc+free and pcp struct values
      update through onlining of second memory block.
      
      With [1], the race still exists but it is very narrow as we update the pcp
      struct values for the first memory block online itself.
      
      This is not limited to the movable zone, it could also happen in cases
      with the normal zone (e.g., hotplug to a node that only has DMA memory, or
      no other memory yet).
      
      [1]: https://patchwork.kernel.org/patch/11696389/
      
      Fixes: 5f8dcc21
      
       ("page-allocator: split per-cpu list into one-list-per-migrate-type")
      Signed-off-by: default avatarCharan Teja Reddy <charante@codeaurora.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarDavid Rientjes <rientjes@google.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Vinayak Menon <vinmenon@codeaurora.org>
      Cc: <stable@vger.kernel.org> [2.6+]
      Link: http://lkml.kernel.org/r/1597150703-19003-1-git-send-email-charante@codeaurora.org
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      88e8ac11
    • Doug Berger's avatar
      mm: include CMA pages in lowmem_reserve at boot · e08d3fdf
      Doug Berger authored
      The lowmem_reserve arrays provide a means of applying pressure against
      allocations from lower zones that were targeted at higher zones.  Its
      values are a function of the number of pages managed by higher zones and
      are assigned by a call to the setup_per_zone_lowmem_reserve() function.
      
      The function is initially called at boot time by the function
      init_per_zone_wmark_min() and may be called later by accesses of the
      /proc/sys/vm/lowmem_reserve_ratio sysctl file.
      
      The function init_per_zone_wmark_min() was moved up from a module_init to
      a core_initcall to resolve a sequencing issue with khugepaged.
      Unfortunately this created a sequencing issue with CMA page accounting.
      
      The CMA pages are added to the managed page count of a zone when
      cma_init_reserved_areas() is called at boot also as a core_initcall.  This
      makes it uncertain whether the CMA pages will be added to the managed page
      counts of their zones before or after the call to
      init_per_zone_wmark_min() as it becomes dependent on link order.  With the
      current link order the pages are added to the managed count after the
      lowmem_reserve arrays are initialized at boot.
      
      This means the lowmem_reserve values at boot may be lower than the values
      used later if /proc/sys/vm/lowmem_reserve_ratio is accessed even if the
      ratio values are unchanged.
      
      In many cases the difference is not significant, but for example
      an ARM platform with 1GB of memory and the following memory layout
      
        cma: Reserved 256 MiB at 0x0000000030000000
        Zone ranges:
          DMA      [mem 0x0000000000000000-0x000000002fffffff]
          Normal   empty
          HighMem  [mem 0x0000000030000000-0x000000003fffffff]
      
      would result in 0 lowmem_reserve for the DMA zone.  This would allow
      userspace to deplete the DMA zone easily.
      
      Funnily enough
      
        $ cat /proc/sys/vm/lowmem_reserve_ratio
      
      would fix up the situation because as a side effect it forces
      setup_per_zone_lowmem_reserve.
      
      This commit breaks the link order dependency by invoking
      init_per_zone_wmark_min() as a postcore_initcall so that the CMA pages
      have the chance to be properly accounted in their zone(s) and allowing
      the lowmem_reserve arrays to receive consistent values.
      
      Fixes: bc22af74
      
       ("mm: update min_free_kbytes from khugepaged after core initialization")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Jason Baron <jbaron@akamai.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/1597423766-27849-1-git-send-email-opendmb@gmail.com
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e08d3fdf
    • Phillip Lougher's avatar
      squashfs: avoid bio_alloc() failure with 1Mbyte blocks · f26044c8
      Phillip Lougher authored
      This is a regression introduced by the patch "migrate from ll_rw_block
      usage to BIO".
      
      Bio_alloc() is limited to 256 pages (1 Mbyte).  This can cause a failure
      when reading 1 Mbyte block filesystems.  The problem is a datablock can be
      fully (or almost uncompressed), requiring 256 pages, but, because blocks
      are not aligned to page boundaries, it may require 257 pages to read.
      
      Bio_kmalloc() can handle 1024 pages, and so use this for the edge
      condition.
      
      Fixes: 93e72b3c
      
       ("squashfs: migrate from ll_rw_block usage to BIO")
      Reported-by: default avatarNicolas Prochazka <nicolas.prochazka@gmail.com>
      Reported-by: default avatarTomoatsu Shimada <shimada@walbrix.com>
      Signed-off-by: default avatarPhillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
      Cc: Philippe Liard <pliard@google.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Adrien Schildknecht <adrien+dev@schischi.me>
      Cc: Daniel Rosenberg <drosen@google.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200815035637.15319-1-phillip@squashfs.org.uk
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f26044c8
    • Hugh Dickins's avatar
      uprobes: __replace_page() avoid BUG in munlock_vma_page() · c17c3dc9
      Hugh Dickins authored
      syzbot crashed on the VM_BUG_ON_PAGE(PageTail) in munlock_vma_page(), when
      called from uprobes __replace_page().  Which of many ways to fix it?
      Settled on not calling when PageCompound (since Head and Tail are equals
      in this context, PageCompound the usual check in uprobes.c, and the prior
      use of FOLL_SPLIT_PMD will have cleared PageMlocked already).
      
      Fixes: 5a52c9df
      
       ("uprobe: use FOLL_SPLIT_PMD instead of FOLL_SPLIT")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarSrikar Dronamraju <srikar@linux.vnet.ibm.com>
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>	[5.4+]
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008161338360.20413@eggly.anvils
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c17c3dc9
    • Wei Yongjun's avatar
      kernel/relay.c: fix memleak on destroy relay channel · 71e84329
      Wei Yongjun authored
      kmemleak report memory leak as follows:
      
        unreferenced object 0x607ee4e5f948 (size 8):
        comm "syz-executor.1", pid 2098, jiffies 4295031601 (age 288.468s)
        hex dump (first 8 bytes):
        00 00 00 00 00 00 00 00 ........
        backtrace:
           relay_open kernel/relay.c:583 [inline]
           relay_open+0xb6/0x970 kernel/relay.c:563
           do_blk_trace_setup+0x4a8/0xb20 kernel/trace/blktrace.c:557
           __blk_trace_setup+0xb6/0x150 kernel/trace/blktrace.c:597
           blk_trace_ioctl+0x146/0x280 kernel/trace/blktrace.c:738
           blkdev_ioctl+0xb2/0x6a0 block/ioctl.c:613
           block_ioctl+0xe5/0x120 fs/block_dev.c:1871
           vfs_ioctl fs/ioctl.c:48 [inline]
           __do_sys_ioctl fs/ioctl.c:753 [inline]
           __se_sys_ioctl fs/ioctl.c:739 [inline]
           __x64_sys_ioctl+0x170/0x1ce fs/ioctl.c:739
           do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
           entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      'chan->buf' is malloced in relay_open() by alloc_percpu() but not free
      while destroy the relay channel.  Fix it by adding free_percpu() before
      return from relay_destroy_channel().
      
      Fixes: 017c59c0
      
       ("relay: Use per CPU constructs for the relay channel buffer pointers")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Daniel Axtens <dja@axtens.net>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Akash Goel <akash.goel@intel.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200817122826.48518-1-weiyongjun1@huawei.com
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      71e84329
    • Jann Horn's avatar
      romfs: fix uninitialized memory leak in romfs_dev_read() · bcf85fce
      Jann Horn authored
      romfs has a superblock field that limits the size of the filesystem; data
      beyond that limit is never accessed.
      
      romfs_dev_read() fetches a caller-supplied number of bytes from the
      backing device.  It returns 0 on success or an error code on failure;
      therefore, its API can't represent short reads, it's all-or-nothing.
      
      However, when romfs_dev_read() detects that the requested operation would
      cross the filesystem size limit, it currently silently truncates the
      requested number of bytes.  This e.g.  means that when the content of a
      file with size 0x1000 starts one byte before the filesystem size limit,
      ->readpage() will only fill a single byte of the supplied page while
      leaving the rest uninitialized, leaking that uninitialized memory to
      userspace.
      
      Fix it by returning an error code instead of truncating the read when the
      requested read operation would go beyond the end of the filesystem.
      
      Fixes: da4458bd ("NOMMU: Make it possible for RomFS to use ...
      bcf85fce
    • Leon Romanovsky's avatar
      mm/rodata_test.c: fix missing function declaration · 86f54bb7
      Leon Romanovsky authored
      The compilation with CONFIG_DEBUG_RODATA_TEST set produces the following
      warning due to the missing include.
      
       mm/rodata_test.c:15:6: warning: no previous prototype for 'rodata_test' [-Wmissing-prototypes]
          15 | void rodata_test(void)
             |      ^~~~~~~~~~~
      
      Fixes: 2959a5f7
      
       ("mm: add arch-independent testcases for RODATA")
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAnshuman Khandual <anshuman.khandual@arm.com>
      Link: https://lkml.kernel.org/r/20200819080026.918134-1-leon@kernel.org
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      86f54bb7
    • Aneesh Kumar K.V's avatar
      mm/vunmap: add cond_resched() in vunmap_pmd_range · e47110e9
      Aneesh Kumar K.V authored
      
      
      Like zap_pte_range add cond_resched so that we can avoid softlockups as
      reported below.  On non-preemptible kernel with large I/O map region (like
      the one we get when using persistent memory with sector mode), an unmap of
      the namespace can report below softlockups.
      
      22724.027334] watchdog: BUG: soft lockup - CPU#49 stuck for 23s! [ndctl:50777]
       NIP [c0000000000dc224] plpar_hcall+0x38/0x58
       LR [c0000000000d8898] pSeries_lpar_hpte_invalidate+0x68/0xb0
       Call Trace:
          flush_hash_page+0x114/0x200
          hpte_need_flush+0x2dc/0x540
          vunmap_page_range+0x538/0x6f0
          free_unmap_vmap_area+0x30/0x70
          remove_vm_area+0xfc/0x140
          __vunmap+0x68/0x270
          __iounmap.part.0+0x34/0x60
          memunmap+0x54/0x70
          release_nodes+0x28c/0x300
          device_release_driver_internal+0x16c/0x280
          unbind_store+0x124/0x170
          drv_attr_store+0x44/0x60
          sysfs_kf_write+0x64/0x90
          kernfs_fop_write+0x1b0/0x290
          __vfs_write+0x3c/0x70
          vfs_write+0xd8/0x260
          ksys_write+0xdc/0x130
          system_call+0x5c/0x70
      Reported-by: default avatarHarish Sriram <harish@linux.ibm.com>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200807075933.310240-1-aneesh.kumar@linux.ibm.com
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e47110e9
    • Hugh Dickins's avatar
      khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() · f3f99d63
      Hugh Dickins authored
      syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in
      __khugepaged_enter(): yes, when one thread is about to dump core, has set
      core_state, and is waiting for others, another might do something calling
      __khugepaged_enter(), which now crashes because I lumped the core_state
      test (known as "mmget_still_valid") into khugepaged_test_exit().  I still
      think it's best to lump them together, so just in this exceptional case,
      check mm->mm_users directly instead of khugepaged_test_exit().
      
      Fixes: bbe98f9c
      
       ("khugepaged: khugepaged_test_exit() check mmget_still_valid()")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarYang Shi <shy828301@gmail.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Song Liu <songliubraving@fb.com>
      Cc: Mike Kravetz <mike.kravetz@oracle.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: <stable@vger.kernel.org>	[4.8+]
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f3f99d63
    • Xu Wang's avatar
      hugetlb_cgroup: convert comma to semicolon · d5a16959
      Xu Wang authored
      Replace a comma between expression statements by a semicolon.
      
      Fixes: faced7e0
      
       ("mm: hugetlb controller for cgroups v2")
      Signed-off-by: default avatarXu Wang <vulab@iscas.ac.cn>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Giuseppe Scrivano <gscrivan@redhat.com>
      Link: http://lkml.kernel.org/r/20200818064333.21759-1-vulab@iscas.ac.cn
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d5a16959
    • Nick Desaulniers's avatar
      mailmap: add Andi Kleen · 00c54a80
      Nick Desaulniers authored
      
      
      I keep getting bounce back from the suse.de address.
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Quentin Perret <qperret@qperret.net>
      Link: http://lkml.kernel.org/r/20200818203214.659955-1-ndesaulniers@google.com
      
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      00c54a80
    • Leon Romanovsky's avatar
      MAINTAINERS: Update Mellanox and Cumulus Network addresses to new domain · f6da70d9
      Leon Romanovsky authored
      Mellanox and Cumulus Network were acquired by Nvidia, so change the
      maintainers emails to new domain name.
      
      Link: https://lore.kernel.org/r/20200810091100.243932-1-leon@kernel.org
      
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Acked-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
      f6da70d9
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-08-20' of... · 0790e63f
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-08-20' of git://anongit.freedesktop.org/drm/drm-intel
      
       into drm-fixes
      
      drm/i915 fixes for v5.9-rc2:
      - GVT fixes
      - Fix device parameter usage for selftest mock i915 device
      - Fix LPSP capability debugfs NULL dereference
      - Fix buddy register pagemask table
      - Fix intel_atomic_check() non-negative return value
      - Fix selftests passing a random 0 into ilog2()
      - Fix TGL power well enable/disable ordering
      - Switch to PMU module refcounting
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/87a6yp7jp3.fsf@intel.com
      0790e63f
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.9-2020-08-20' of... · ba9086a6
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.9-2020-08-20' of git://people.freedesktop.org/~agd5f/linux
      
       into drm-fixes
      
      amd-drm-fixes-5.9-2020-08-20:
      
      amdgpu:
      - Fixes for Navy Flounder
      - Misc display fixes
      - RAS fix
      
      amdkfd:
      - SDMA fix for renoir
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200820041938.3928-1-alexander.deucher@amd.com
      ba9086a6
  3. 20 Aug, 2020 8 commits