1. 01 Mar, 2016 9 commits
    • Kees Cook's avatar
      lkdtm: improve use-after-free tests · 7c0ae5be
      Kees Cook authored
      This improves the order of operations on the use-after-free tests to
      try to make sure we've executed any available sanity-checking code,
      and to report the poisoning that was found.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      7c0ae5be
    • David Windsor's avatar
      lkdtm: add test for atomic_t underflow/overflow · 5fd9e480
      David Windsor authored
      dmesg output of running this LKDTM test with PaX:
      
      [187095.475573] lkdtm: No crash points registered, enable through debugfs
      [187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
      [187118.030045] lkdtm: attempting atomic underflow
      [187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
      [187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.111321] RIP: 0010:[<ffffffffc00fc2fe>]  [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
      ...
      [187118.128074] lkdtm: attempting atomic overflow
      [187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
      [187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.128092] RIP: 0010:[<ffffffffc00fc316>]  [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
      Signed-off-by: default avatarDavid Windsor <dave@progbits.org>
      [cleaned up whitespacing, keescook]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      5fd9e480
    • Laura Abbott's avatar
      lkdtm: Add read/write after free tests for buddy memory · 920d451f
      Laura Abbott authored
      The current tests for read/write after free work on slab
      allocated memory. Memory straight from the buddy allocator
      may behave slightly differently and have a different set
      of parameters to test. Add tests for those cases as well.
      
      On a basic x86 boot:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   22.292983] lkdtm: Writing to the buddy page before free
      [   22.293950] lkdtm: Attempting bad write to the buddy page after free
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   32.379896] lkdtm: Value in memory before free: 12345678
      [   32.383854] lkdtm: Attempting to read from freed memory
      [   32.389309] lkdtm: Buddy page was not poisoned
      
      On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   17.477360] lkdtm: Writing to the buddy page before free
      [   17.479089] lkdtm: Attempting bad write to the buddy page after free
      [   17.480904] BUG: unable to handle kernel paging request at
      ffff88000ebd8000
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   14.607447] lkdtm: Value in memory before free: 12345678
      [   14.608161] lkdtm: Attempting to read from freed memory
      [   14.608860] BUG: unable to handle kernel paging request at
      ffff88000eba3000
      
      Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
      produce the same crash.
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      920d451f
    • Laura Abbott's avatar
      lkdtm: Update WRITE_AFTER_FREE test · 250a8988
      Laura Abbott authored
      The SLUB allocator may use the first word of a freed block to store the
      freelist information. This may make it harder to test poisoning
      features. Change the WRITE_AFTER_FREE test to better match what
      the READ_AFTER_FREE test does and also print out a big more information.
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      250a8988
    • Laura Abbott's avatar
      lkdtm: Add READ_AFTER_FREE test · bc0b8cc6
      Laura Abbott authored
      In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
      test to test free poisoning features. Sample output when
      no sanitization is present:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
      [   17.543866] lkdtm: Value in memory before free: 12345678
      [   17.545212] lkdtm: Attempting bad read from freed memory
      [   17.546542] lkdtm: Memory was not poisoned
      
      with slub_debug=P:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
      [   22.416366] lkdtm: Value in memory before free: 12345678
      [   22.417137] lkdtm: Attempting bad read from freed memory
      [   22.417897] lkdtm: Memory correctly poisoned, calling BUG
      Signed-off-by: default avatarLaura Abbott <labbott@fedoraproject.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      bc0b8cc6
    • Kees Cook's avatar
      MAINTAINERS: add myself as lkdtm maintainer · ea861d73
      Kees Cook authored
      Officially claim maintainership over the LKDTM code.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      ea861d73
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 7d46af20
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) System call tracing doesn't handle register contents properly across
          the trace.  From Mike Frysinger.
      
       2) Hook up copy_file_range
      
       3) Build fix for 32-bit with newer tools.
      
       4) New sun4v watchdog driver, from Wim Coekaerts.
      
       5) Set context system call has to allow for servicable faults when we
          flush the register windows to memory
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix sparc64_set_context stack handling.
        sparc32: Add -Wa,-Av8 to KBUILD_CFLAGS.
        Add sun4v_wdt watchdog driver
        sparc: Fix system call tracing register handling.
        sparc: Hook up copy_file_range syscall.
      7d46af20
    • David S. Miller's avatar
      sparc64: Fix sparc64_set_context stack handling. · 397d1533
      David S. Miller authored
      Like a signal return, we should use synchronize_user_stack() rather
      than flush_user_windows().
      Reported-by: default avatarIlya Malakhov <ilmalakhovthefirst@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      397d1533
    • David S. Miller's avatar
      sparc32: Add -Wa,-Av8 to KBUILD_CFLAGS. · 22be3b10
      David S. Miller authored
      Binutils used to be (erroneously) extremely permissive about
      instruction usage.  But that got fixed and if you don't properly tell
      it to accept classes of instructions it will fail.
      
      This uncovered a specs bug on sparc in gcc where it wouldn't pass the
      proper options to binutils options.
      
      Deal with this in the kernel build by adding -Wa,-Av8 to KBUILD_CFLAGS.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22be3b10
  2. 28 Feb, 2016 15 commits
    • Linus Torvalds's avatar
      Linux 4.5-rc6 · fc77dbd3
      Linus Torvalds authored
      fc77dbd3
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1b9540ce
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "A rather largish series of 12 patches addressing a maze of race
        conditions in the perf core code from Peter Zijlstra"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf: Robustify task_function_call()
        perf: Fix scaling vs. perf_install_in_context()
        perf: Fix scaling vs. perf_event_enable()
        perf: Fix scaling vs. perf_event_enable_on_exec()
        perf: Fix ctx time tracking by introducing EVENT_TIME
        perf: Cure event->pending_disable race
        perf: Fix race between event install and jump_labels
        perf: Fix cloning
        perf: Only update context time when active
        perf: Allow perf_release() with !event->ctx
        perf: Do not double free
        perf: Close install vs. exit race
      1b9540ce
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b696dcb
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "This update contains:
      
         - Hopefully the last ASM CLAC fixups
      
         - A fix for the Quark family related to the IMR lock which makes
           kexec work again
      
         - A off-by-one fix in the MPX code.  Ironic, isn't it?
      
         - A fix for X86_PAE which addresses once more an unsigned long vs
           phys_addr_t hickup"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mpx: Fix off-by-one comparison with nr_registers
        x86/mm: Fix slow_virt_to_phys() for X86_PAE again
        x86/entry/compat: Add missing CLAC to entry_INT80_32
        x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32
        x86/platform/intel/quark: Change the kernel's IMR lock bit to false
      4b696dcb
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 76c03f0f
      Linus Torvalds authored
      Pull scheduler fixlet from Thomas Gleixner:
       "A trivial printk typo fix"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/deadline: Fix trivial typo in printk() message
      76c03f0f
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f055ae04
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "Four small fixes for irqchip drivers:
      
         - Add missing low level irq handler initialization on mxs, so
           interrupts can acutally be delivered
      
         - Add a missing barrier to the GIC driver
      
         - Two fixes for the GIC-V3-ITS driver, addressing a double EOI write
           and a cache flush beyond the actual region"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
        irqchip/mxs: Add missing set_handle_irq()
        irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
        irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1
      f055ae04
    • Linus Torvalds's avatar
      Merge tag 'staging-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 8da51430
      Linus Torvalds authored
      Pull staging/android fix from Greg KH:
       "Here is one patch, for the android binder driver, to resolve a
        reported problem.  Turns out it has been around for a while (since
        3.15), so it is good to finally get it resolved.
      
        It has been in linux-next for a while with no reported issues"
      
      * tag 'staging-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE
      8da51430
    • Linus Torvalds's avatar
      Merge tag 'usb-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 62718e30
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a few USB fixes for 4.5-rc6
      
        They fix a reported bug for some USB 3 devices by reverting the recent
        patch, a MAINTAINERS change for some drivers, some new device ids, and
        of course, the usual bunch of USB gadget driver fixes.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'usb-4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        MAINTAINERS: drop OMAP USB and MUSB maintainership
        usb: musb: fix DMA for host mode
        usb: phy: msm: Trigger USB state detection work in DRD mode
        usb: gadget: net2280: fix endpoint max packet for super speed connections
        usb: gadget: gadgetfs: unregister gadget only if it got successfully registered
        usb: gadget: remove driver from pending list on probe error
        Revert "usb: hub: do not clear BOS field during reset device"
        usb: chipidea: fix return value check in ci_hdrc_pci_probe()
        usb: chipidea: error on overflow for port_test_write
        USB: option: add "4G LTE usb-modem U901"
        USB: cp210x: add IDs for GE B650V3 and B850V3 boards
        USB: option: add support for SIM7100E
        usb: musb: Fix DMA desired mode for Mentor DMA engine
        usb: gadget: fsl_qe_udc: fix IS_ERR_VALUE usage
        usb: dwc2: USB_DWC2 should depend on HAS_DMA
        usb: dwc2: host: fix the data toggle error in full speed descriptor dma
        usb: dwc2: host: fix logical omissions in dwc2_process_non_isoc_desc
        usb: dwc3: Fix assignment of EP transfer resources
        usb: dwc2: Add extra delay when forcing dr_mode
      62718e30
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 12b9fa6a
      Linus Torvalds authored
      Pull vfs fixes from Al Viro.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        do_last(): ELOOP failure exit should be done after leaving RCU mode
        should_follow_link(): validate ->d_seq after having decided to follow
        namei: ->d_inode of a pinned dentry is stable only for positives
        do_last(): don't let a bogus return value from ->open() et.al. to confuse us
        fs: return -EOPNOTSUPP if clone is not supported
        hpfs: don't truncate the file when delete fails
      12b9fa6a
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 340b3a5b
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "We didn't have a batch last week, so this one is slightly larger.
      
        None of them are scary though, a handful of fixes for small DT pieces,
        replacing properties with newer conventions.
      
        Highlights:
         - N900 fix for setting system revision
         - onenand init fix to avoid filesystem corruption
         - Clock fix for audio on Beaglebone-x15
         - Fixes on shmobile to deal with CONFIG_DEBUG_RODATA (default y in 4.6)
      
        + misc smaller stuff"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        MAINTAINERS: Extend info, add wiki and ml for meson arch
        MAINTAINERS: alpine: add a new maintainer and update the entry
        ARM: at91/dt: fix typo in sama5d2 pinmux descriptions
        ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption
        Revert "regulator: tps65217: remove tps65217.dtsi file"
        ARM: shmobile: Remove shmobile_boot_arg
        ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss
        ARM: shmobile: r8a7779: Remove remainings of removed SCU boot setup code
        ARM: shmobile: Move shmobile_scu_base from .text to .bss
        ARM: OMAP2+: Fix omap_device for module reload on PM runtime forbid
        ARM: OMAP2+: Improve omap_device error for driver writers
        ARM: DTS: am57xx-beagle-x15: Select SYS_CLK2 for audio clocks
        ARM: dts: am335x/am57xx: replace gpio-key,wakeup with wakeup-source property
        ARM: OMAP2+: Set system_rev from ATAGS for n900
        ARM: dts: orion5x: fix the missing mtd flash on linkstation lswtgl
        ARM: dts: kirkwood: use unique machine name for ds112
        ARM: dts: imx6: remove bogus interrupt-parent from CAAM node
      340b3a5b
    • Al Viro's avatar
      do_last(): ELOOP failure exit should be done after leaving RCU mode · 5129fa48
      Al Viro authored
      ... or we risk seeing a bogus value of d_is_symlink() there.
      
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5129fa48
    • Al Viro's avatar
      should_follow_link(): validate ->d_seq after having decided to follow · a7f77542
      Al Viro authored
      ... otherwise d_is_symlink() above might have nothing to do with
      the inode value we've got.
      
      Cc: stable@vger.kernel.org # v4.2+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a7f77542
    • Al Viro's avatar
      namei: ->d_inode of a pinned dentry is stable only for positives · d4565649
      Al Viro authored
      both do_last() and walk_component() risk picking a NULL inode out
      of dentry about to become positive, *then* checking its flags and
      seeing that it's not negative anymore and using (already stale by
      then) value they'd fetched earlier.  Usually ends up oopsing soon
      after that...
      
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d4565649
    • Al Viro's avatar
      do_last(): don't let a bogus return value from ->open() et.al. to confuse us · c80567c8
      Al Viro authored
      ... into returning a positive to path_openat(), which would interpret that
      as "symlink had been encountered" and proceed to corrupt memory, etc.
      It can only happen due to a bug in some ->open() instance or in some LSM
      hook, etc., so we report any such event *and* make sure it doesn't trick
      us into further unpleasantness.
      
      Cc: stable@vger.kernel.org # v3.6+, at least
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c80567c8
    • Christoph Hellwig's avatar
      fs: return -EOPNOTSUPP if clone is not supported · 0fcbf996
      Christoph Hellwig authored
      -EBADF is a rather confusing error if an operations is not supported,
      and nfsd gets rather upset about it.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0fcbf996
    • Mikulas Patocka's avatar
      hpfs: don't truncate the file when delete fails · b6853f78
      Mikulas Patocka authored
      The delete opration can allocate additional space on the HPFS filesystem
      due to btree split. The HPFS driver checks in advance if there is
      available space, so that it won't corrupt the btree if we run out of space
      during splitting.
      
      If there is not enough available space, the HPFS driver attempted to
      truncate the file, but this results in a deadlock since the commit
      7dd29d8d ("HPFS: Introduce a global mutex
      and lock it on every callback from VFS").
      
      This patch removes the code that tries to truncate the file and -ENOSPC is
      returned instead. If the user hits -ENOSPC on delete, he should try to
      delete other files (that are stored in a leaf btree node), so that the
      delete operation will make some space for deleting the file stored in
      non-leaf btree node.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarMikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
      Cc: stable@vger.kernel.org	# 2.6.39+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b6853f78
  3. 27 Feb, 2016 16 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 691429e1
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "10 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        dax: move writeback calls into the filesystems
        dax: give DAX clearing code correct bdev
        ext4: online defrag not supported with DAX
        ext2, ext4: only set S_DAX for regular inodes
        block: disable block device DAX by default
        ocfs2: unlock inode if deleting inode from orphan fails
        mm: ASLR: use get_random_long()
        drivers: char: random: add get_random_long()
        mm: numa: quickly fail allocations for NUMA balancing on full nodes
        mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
      691429e1
    • Linus Torvalds's avatar
      Merge tag 'tags/ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 1c271479
      Linus Torvalds authored
      Pull ext2/4 DAX fix from Ted Ts'o:
       "This fixes a file system corruption bug with DAX"
      
      * tag 'tags/ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext2, ext4: fix issue with missing journal entry in ext4_dax_mkwrite()
      1c271479
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.5-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · a9f8094a
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
       "Enumeration:
          Revert x86 pcibios_alloc_irq() to fix regression (Bjorn Helgaas)
      
        Marvell MVEBU host bridge driver:
          Restrict build to 32-bit ARM (Thierry Reding)"
      
      * tag 'pci-v4.5-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: mvebu: Restrict build to 32-bit ARM
        Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"
        Revert "PCI: Add helpers to manage pci_dev->irq and pci_dev->irq_managed"
        Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"
      a9f8094a
    • Ross Zwisler's avatar
      ext2, ext4: fix issue with missing journal entry in ext4_dax_mkwrite() · 1e9d180b
      Ross Zwisler authored
      As it is currently written ext4_dax_mkwrite() assumes that the call into
      __dax_mkwrite() will not have to do a block allocation so it doesn't create
      a journal entry.  For a read that creates a zero page to cover a hole
      followed by a write that actually allocates storage this is incorrect.  The
      ext4_dax_mkwrite() -> __dax_mkwrite() -> __dax_fault() path calls
      get_blocks() to allocate storage.
      
      Fix this by having the ->page_mkwrite fault handler call ext4_dax_fault()
      as this function already has all the logic needed to allocate a journal
      entry and call __dax_fault().
      
      Also update the ext2 fault handlers in this same way to remove duplicate
      code and keep the logic between ext2 and ext4 the same.
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      1e9d180b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · b9ea44bf
      Linus Torvalds authored
      Pull clk fix from Stephen Boyd:
       "One small fix to keep OMAP platforms working across a suspend/resume
        cycle"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: ti: omap3+: dpll: use non-locking version of clk_get_rate
      b9ea44bf
    • Ross Zwisler's avatar
      dax: move writeback calls into the filesystems · 7f6d5b52
      Ross Zwisler authored
      Previously calls to dax_writeback_mapping_range() for all DAX filesystems
      (ext2, ext4 & xfs) were centralized in filemap_write_and_wait_range().
      
      dax_writeback_mapping_range() needs a struct block_device, and it used
      to get that from inode->i_sb->s_bdev.  This is correct for normal inodes
      mounted on ext2, ext4 and XFS filesystems, but is incorrect for DAX raw
      block devices and for XFS real-time files.
      
      Instead, call dax_writeback_mapping_range() directly from the filesystem
      ->writepages function so that it can supply us with a valid block
      device.  This also fixes DAX code to properly flush caches in response
      to sync(2).
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7f6d5b52
    • Ross Zwisler's avatar
      dax: give DAX clearing code correct bdev · 20a90f58
      Ross Zwisler authored
      dax_clear_blocks() needs a valid struct block_device and previously it
      was using inode->i_sb->s_bdev in all cases.  This is correct for normal
      inodes on mounted ext2, ext4 and XFS filesystems, but is incorrect for
      DAX raw block devices and for XFS real-time devices.
      
      Instead, rename dax_clear_blocks() to dax_clear_sectors(), and change
      its arguments to take a bdev and a sector instead of an inode and a
      block.  This better reflects what the function does, and it allows the
      filesystem and raw block device code to pass in an appropriate struct
      block_device.
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Suggested-by: default avatarDan Williams <dan.j.williams@intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>
      Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20a90f58
    • Ross Zwisler's avatar
      ext4: online defrag not supported with DAX · 73f34a5e
      Ross Zwisler authored
      Online defrag operations for ext4 are hard coded to use the page cache.
      See ext4_ioctl() -> ext4_move_extents() -> move_extent_per_page()
      
      When combined with DAX I/O, which circumvents the page cache, this can
      result in data corruption.  This was observed with xfstests ext4/307 and
      ext4/308.
      
      Fix this by only allowing online defrag for non-DAX files.
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      73f34a5e
    • Ross Zwisler's avatar
      ext2, ext4: only set S_DAX for regular inodes · 0a6cf913
      Ross Zwisler authored
      When S_DAX is set on an inode we assume that if there are pages attached
      to the mapping (mapping->nrpages != 0), those pages are clean zero pages
      that were used to service reads from holes.  Any dirty data associated
      with the inode should be in the form of DAX exceptional entries
      (mapping->nrexceptional) that is written back via
      dax_writeback_mapping_range().
      
      With the current code, though, this isn't always true.  For example,
      ext2 and ext4 directory inodes can have S_DAX set, but have their dirty
      data stored as dirty page cache entries.  For these types of inodes,
      having S_DAX set doesn't really make sense since their I/O doesn't
      actually happen through the DAX code path.
      
      Instead, only allow S_DAX to be set for regular inodes for ext2 and
      ext4.  This allows us to have strict DAX vs non-DAX paths in the
      writeback code.
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0a6cf913
    • Dan Williams's avatar
      block: disable block device DAX by default · 03cdadb0
      Dan Williams authored
      The recent *sync enabling discovered that we are inserting into the
      block_device pagecache counter to the expectations of the dirty data
      tracking for dax mappings.  This can lead to data corruption.
      
      We want to support DAX for block devices eventually, but it requires
      wider changes to properly manage the pagecache.
      
         dump_stack+0x85/0xc2
         dax_writeback_mapping_range+0x60/0xe0
         blkdev_writepages+0x3f/0x50
         do_writepages+0x21/0x30
         __filemap_fdatawrite_range+0xc6/0x100
         filemap_write_and_wait+0x4a/0xa0
         set_blocksize+0x70/0xd0
         sb_set_blocksize+0x1d/0x50
         ext4_fill_super+0x75b/0x3360
         mount_bdev+0x180/0x1b0
         ext4_mount+0x15/0x20
         mount_fs+0x38/0x170
      
      Mark the support broken so its disabled by default, but otherwise still
      available for testing.
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Reported-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Suggested-by: default avatarDave Chinner <david@fromorbit.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      03cdadb0
    • Guozhonghua's avatar
      ocfs2: unlock inode if deleting inode from orphan fails · a4a8481f
      Guozhonghua authored
      When doing append direct io cleanup, if deleting inode fails, it goes
      out without unlocking inode, which will cause the inode deadlock.
      
      This issue was introduced by commit cf1776a9 ("ocfs2: fix a tiny
      race when truncate dio orohaned entry").
      Signed-off-by: default avatarGuozhonghua <guozhonghua@h3c.com>
      Signed-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Reviewed-by: default avatarGang He <ghe@suse.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: <stable@vger.kernel.org>	[4.2+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a4a8481f
    • Daniel Cashman's avatar
      mm: ASLR: use get_random_long() · 5ef11c35
      Daniel Cashman authored
      Replace calls to get_random_int() followed by a cast to (unsigned long)
      with calls to get_random_long().  Also address shifting bug which, in
      case of x86 removed entropy mask for mmap_rnd_bits values > 31 bits.
      Signed-off-by: default avatarDaniel Cashman <dcashman@android.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Nick Kralevich <nnk@google.com>
      Cc: Jeff Vander Stoep <jeffv@google.com>
      Cc: Mark Salyzyn <salyzyn@android.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5ef11c35
    • Daniel Cashman's avatar
      drivers: char: random: add get_random_long() · ec9ee4ac
      Daniel Cashman authored
      Commit d07e2259 ("mm: mmap: add new /proc tunable for mmap_base
      ASLR") added the ability to choose from a range of values to use for
      entropy count in generating the random offset to the mmap_base address.
      
      The maximum value on this range was set to 32 bits for 64-bit x86
      systems, but this value could be increased further, requiring more than
      the 32 bits of randomness provided by get_random_int(), as is already
      possible for arm64.  Add a new function: get_random_long() which more
      naturally fits with the mmap usage of get_random_int() but operates
      exactly the same as get_random_int().
      
      Also, fix the shifting constant in mmap_rnd() to be an unsigned long so
      that values greater than 31 bits generate an appropriate mask without
      overflow.  This is especially important on x86, as its shift instruction
      uses a 5-bit mask for the shift operand, which meant that any value for
      mmap_rnd_bits over 31 acts as a no-op and effectively disables mmap_base
      randomization.
      
      Finally, replace calls to get_random_int() with get_random_long() where
      appropriate.
      
      This patch (of 2):
      
      Add get_random_long().
      Signed-off-by: default avatarDaniel Cashman <dcashman@android.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Nick Kralevich <nnk@google.com>
      Cc: Jeff Vander Stoep <jeffv@google.com>
      Cc: Mark Salyzyn <salyzyn@android.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ec9ee4ac
    • Mel Gorman's avatar
      mm: numa: quickly fail allocations for NUMA balancing on full nodes · 8479eba7
      Mel Gorman authored
      Commit 4167e9b2 ("mm: remove GFP_THISNODE") removed the GFP_THISNODE
      flag combination due to confusing semantics.  It noted that
      alloc_misplaced_dst_page() was one such user after changes made by
      commit e97ca8e5 ("mm: fix GFP_THISNODE callers and clarify").
      
      Unfortunately when GFP_THISNODE was removed, users of
      alloc_misplaced_dst_page() started waking kswapd and entering direct
      reclaim because the wrong GFP flags are cleared.  The consequence is
      that workloads that used to fit into memory now get reclaimed which is
      addressed by this patch.
      
      The problem can be demonstrated with "mutilate" that exercises memcached
      which is software dedicated to memory object caching.  The configuration
      uses 80% of memory and is run 3 times for varying numbers of clients.
      The results on a 4-socket NUMA box are
      
      mutilate
                                  4.4.0                 4.4.0
                                vanilla           numaswap-v1
      Hmean    1      8394.71 (  0.00%)     8395.32 (  0.01%)
      Hmean    4     30024.62 (  0.00%)    34513.54 ( 14.95%)
      Hmean    7     32821.08 (  0.00%)    70542.96 (114.93%)
      Hmean    12    55229.67 (  0.00%)    93866.34 ( 69.96%)
      Hmean    21    39438.96 (  0.00%)    85749.21 (117.42%)
      Hmean    30    37796.10 (  0.00%)    50231.49 ( 32.90%)
      Hmean    47    18070.91 (  0.00%)    38530.13 (113.22%)
      
      The metric is queries/second with the more the better.  The results are
      way outside of the noise and the reason for the improvement is obvious
      from some of the vmstats
      
                                       4.4.0       4.4.0
                                     vanillanumaswap-v1r1
      Minor Faults                1929399272  2146148218
      Major Faults                  19746529        3567
      Swap Ins                      57307366        9913
      Swap Outs                     50623229       17094
      Allocation stalls                35909         443
      DMA allocs                           0           0
      DMA32 allocs                  72976349   170567396
      Normal allocs               5306640898  5310651252
      Movable allocs                       0           0
      Direct pages scanned         404130893      799577
      Kswapd pages scanned         160230174           0
      Kswapd pages reclaimed        55928786           0
      Direct pages reclaimed         1843936       41921
      Page writes file                  2391           0
      Page writes anon              50623229       17094
      
      The vanilla kernel is swapping like crazy with large amounts of direct
      reclaim and kswapd activity.  The figures are aggregate but it's known
      that the bad activity is throughout the entire test.
      
      Note that simple streaming anon/file memory consumers also see this
      problem but it's not as obvious.  In those cases, kswapd is awake when
      it should not be.
      
      As there are at least two reclaim-related bugs out there, it's worth
      spelling out the user-visible impact.  This patch only addresses bugs
      related to excessive reclaim on NUMA hardware when the working set is
      larger than a NUMA node.  There is a bug related to high kswapd CPU
      usage but the reports are against laptops and other UMA hardware and is
      not addressed by this patch.
      Signed-off-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: <stable@vger.kernel.org>	[4.1+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8479eba7
    • Andrea Arcangeli's avatar
      mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED · ad33bb04
      Andrea Arcangeli authored
      pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were
      introduced to locklessy (but atomically) detect when a pmd is a regular
      (stable) pmd or when the pmd is unstable and can infinitely transition
      from pmd_none() and pmd_trans_huge() from under us, while only holding
      the mmap_sem for reading (for writing not).
      
      While holding the mmap_sem only for reading, MADV_DONTNEED can run from
      under us and so before we can assume the pmd to be a regular stable pmd
      we need to compare it against pmd_none() and pmd_trans_huge() in an
      atomic way, with pmd_trans_unstable().  The old pmd_trans_huge() left a
      tiny window for a race.
      
      Useful applications are unlikely to notice the difference as doing
      MADV_DONTNEED concurrently with a page fault would lead to undefined
      behavior.
      
      [akpm@linux-foundation.org: tidy up comment grammar/layout]
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Reported-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ad33bb04
    • Thierry Reding's avatar
      PCI: mvebu: Restrict build to 32-bit ARM · 61d9e854
      Thierry Reding authored
      This driver uses PCI glue that is only available on 32-bit ARM.  This used
      to work fine as long as ARCH_MVEBU and ARCH_DOVE were exclusively 32-bit,
      but there's a patch in the pipe to make ARCH_MVEBU also available on 64-bit
      ARM.
      
      [bhelgaas: changelog; patch is coming but not merged yet]
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      61d9e854