1. 23 Sep, 2017 2 commits
    • Steven Rostedt (VMware)'s avatar
      extable: Consolidate *kernel_text_address() functions · 9aadde91
      Steven Rostedt (VMware) authored
      The functionality between kernel_text_address() and _kernel_text_address()
      is the same except that _kernel_text_address() does a little more (that
      function needs a rename, but that can be done another time). Instead of
      having duplicate code in both, simply have _kernel_text_address() calls
      kernel_text_address() instead.
      
      This is marked for stable because there's an RCU bug that can happen if
      one of these functions gets called while RCU is not watching. That fix
      depends on this fix to keep from having to write the fix twice.
      
      Cc: stable@vger.kernel.org
      Fixes: 0be964be ("module: Sanitize RCU usage and locking")
      Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      9aadde91
    • Paul E. McKenney's avatar
      rcu: Allow for page faults in NMI handlers · 28585a83
      Paul E. McKenney authored
      A number of architecture invoke rcu_irq_enter() on exception entry in
      order to allow RCU read-side critical sections in the exception handler
      when the exception is from an idle or nohz_full CPU.  This works, at
      least unless the exception happens in an NMI handler.  In that case,
      rcu_nmi_enter() would already have exited the extended quiescent state,
      which would mean that rcu_irq_enter() would (incorrectly) cause RCU
      to think that it is again in an extended quiescent state.  This will
      in turn result in lockdep splats in response to later RCU read-side
      critical sections.
      
      This commit therefore causes rcu_irq_enter() and rcu_irq_exit() to
      take no action if there is an rcu_nmi_enter() in effect, thus avoiding
      the unscheduled return to RCU quiescent state.  This in turn should
      make the kernel safe for on-demand RCU voyeurism.
      
      Link: http://lkml.kernel.org/r/20170922211022.GA18084@linux.vnet.ibm.com
      
      Cc: stable@vger.kernel.org
      Fixes: 0be964be ("module: Sanitize RCU usage and locking")
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      28585a83
  2. 19 Sep, 2017 3 commits
  3. 07 Sep, 2017 1 commit
  4. 05 Sep, 2017 2 commits
    • Chunyu Hu's avatar
      tracing: Fix clear of RECORDED_TGID flag when disabling trace event · 7685ab6c
      Chunyu Hu authored
      When disabling one trace event, the RECORDED_TGID flag in the event
      file is not correctly cleared. It's clearing RECORDED_CMD flag when
      it should clear RECORDED_TGID flag.
      
      Link: http://lkml.kernel.org/r/1504589806-8425-1-git-send-email-chuhu@redhat.com
      
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: stable@vger.kernel.org
      Fixes: d914ba37 ("tracing: Add support for recording tgid of tasks")
      Signed-off-by: default avatarChunyu Hu <chuhu@redhat.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      7685ab6c
    • Steven Rostedt (VMware)'s avatar
      tracing: Add barrier to trace_printk() buffer nesting modification · 3d9622c1
      Steven Rostedt (VMware) authored
      trace_printk() uses 4 buffers, one for each context (normal, softirq, irq
      and NMI), such that it does not need to worry about one context preempting
      the other. There's a nesting counter that gets incremented to figure out
      which buffer to use. If the context gets preempted by another context which
      calls trace_printk() it will increment the counter and use the next buffer,
      and restore the counter when it is finished.
      
      The problem is that gcc may optimize the modification of the buffer nesting
      counter and it may not be incremented in memory before the buffer is used.
      If this happens, and the context gets interrupted by another context, it
      could pick the same buffer and corrupt the one that is being used.
      
      Compiler barriers need to be added after the nesting variable is incremented
      and before it is decremented to prevent usage of the context buffers by more
      than one context at the same time.
      
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: stable@vger.kernel.org
      Fixes: e2ace001 ("tracing: Choose static tp_printk buffer by explicit nesting count")
      Hat-tip-to: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      3d9622c1
  5. 01 Sep, 2017 2 commits
    • Steven Rostedt (VMware)'s avatar
      ftrace: Fix memleak when unregistering dynamic ops when tracing disabled · edb096e0
      Steven Rostedt (VMware) authored
      If function tracing is disabled by the user via the function-trace option or
      the proc sysctl file, and a ftrace_ops that was allocated on the heap is
      unregistered, then the shutdown code exits out without doing the proper
      clean up. This was found via kmemleak and running the ftrace selftests, as
      one of the tests unregisters with function tracing disabled.
      
       # cat kmemleak
      unreferenced object 0xffffffffa0020000 (size 4096):
        comm "swapper/0", pid 1, jiffies 4294668889 (age 569.209s)
        hex dump (first 32 bytes):
          55 ff 74 24 10 55 48 89 e5 ff 74 24 18 55 48 89  U.t$.UH...t$.UH.
          e5 48 81 ec a8 00 00 00 48 89 44 24 50 48 89 4c  .H......H.D$PH.L
        backtrace:
          [<ffffffff81d64665>] kmemleak_vmalloc+0x85/0xf0
          [<ffffffff81355631>] __vmalloc_node_range+0x281/0x3e0
          [<ffffffff8109697f>] module_alloc+0x4f/0x90
          [<ffffffff81091170>] arch_ftrace_update_trampoline+0x160/0x420
          [<ffffffff81249947>] ftrace_startup+0xe7/0x300
          [<ffffffff81249bd2>] register_ftrace_function+0x72/0x90
          [<ffffffff81263786>] trace_selftest_ops+0x204/0x397
          [<ffffffff82bb8971>] trace_selftest_startup_function+0x394/0x624
          [<ffffffff81263a75>] run_tracer_selftest+0x15c/0x1d7
          [<ffffffff82bb83f1>] init_trace_selftests+0x75/0x192
          [<ffffffff81002230>] do_one_initcall+0x90/0x1e2
          [<ffffffff82b7d620>] kernel_init_freeable+0x350/0x3fe
          [<ffffffff81d61ec3>] kernel_init+0x13/0x122
          [<ffffffff81d72c6a>] ret_from_fork+0x2a/0x40
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      Cc: stable@vger.kernel.org
      Fixes: 12cce594 ("ftrace/x86: Allow !CONFIG_PREEMPT dynamic ops to use allocated trampolines")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      edb096e0
    • Steven Rostedt (VMware)'s avatar
      ftrace: Fix selftest goto location on error · 46320a6a
      Steven Rostedt (VMware) authored
      In the second iteration of trace_selftest_ops(), the error goto label is
      wrong in the case where trace_selftest_test_global_cnt is off. In the
      case of error, it leaks the dynamic ops that was allocated.
      
      Cc: stable@vger.kernel.org
      Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      46320a6a
  6. 31 Aug, 2017 3 commits
    • Steven Rostedt (VMware)'s avatar
      ftrace: Zero out ftrace hashes when a module is removed · 2a5bfe47
      Steven Rostedt (VMware) authored
      When a ftrace filter has a module function, and that module is removed, the
      filter still has its address as being enabled. This can cause interesting
      side effects. Nothing dangerous, but unwanted functions can be traced
      because of it.
      
       # cd /sys/kernel/tracing
       # echo ':mod:snd_seq' > set_ftrace_filter
       # cat set_ftrace_filter
      snd_use_lock_sync_helper [snd_seq]
      check_event_type_and_length [snd_seq]
      snd_seq_ioctl_pversion [snd_seq]
      snd_seq_ioctl_client_id [snd_seq]
      snd_seq_ioctl_get_queue_tempo [snd_seq]
      update_timestamp_of_queue [snd_seq]
      snd_seq_ioctl_get_queue_status [snd_seq]
      snd_seq_set_queue_tempo [snd_seq]
      snd_seq_ioctl_set_queue_tempo [snd_seq]
      snd_seq_ioctl_get_queue_timer [snd_seq]
      seq_free_client1 [snd_seq]
      [..]
       # rmmod snd_seq
       # cat set_ftrace_filter
      
       # modprobe kvm
       # cat set_ftrace_filter
      kvm_set_cr4 [kvm]
      kvm_emulate_hypercall [kvm]
      kvm_set_dr [kvm]
      
      This is because removing the snd_seq module after it was being filtered,
      left the address of the snd_seq functions in the hash. When the kvm module
      was loaded, some of its functions were loaded at the same address as the
      snd_seq module. This would enable them to be filtered and traced.
      
      Now we don't want to clear the hash completely. That would cause removing a
      module where only its functions are filtered, to cause the tracing to enable
      all functions, as an empty filter means to trace all functions. Instead,
      just set the hash ip address to zero. Then it will never match any function.
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      2a5bfe47
    • Steven Rostedt (VMware)'s avatar
      tracing: Only have rmmod clear buffers that its events were active in · 065e63f9
      Steven Rostedt (VMware) authored
      Currently, when a module event is enabled, when that module is removed, it
      clears all ring buffers. This is to prevent another module from being loaded
      and having one of its trace event IDs from reusing a trace event ID of the
      removed module. This could cause undesirable effects as the trace event of
      the new module would be using its own processing algorithms to process raw
      data of another event. To prevent this, when a module is loaded, if any of
      its events have been used (signified by the WAS_ENABLED event call flag,
      which is never cleared), all ring buffers are cleared, just in case any one
      of them contains event data of the removed event.
      
      The problem is, there's no reason to clear all ring buffers if only one (or
      less than all of them) uses one of the events. Instead, only clear the ring
      buffers that recorded the events of a module that is being removed.
      
      To do this, instead of keeping the WAS_ENABLED flag with the trace event
      call, move it to the per instance (per ring buffer) event file descriptor.
      The event file descriptor maps each event to a separate ring buffer
      instance. Then when the module is removed, only the ring buffers that
      activated one of the module's events get cleared. The rest are not touched.
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      065e63f9
    • Zev Weiss's avatar
      ftrace: Fix debug preempt config name in stack_tracer_{en,dis}able · 60361e12
      Zev Weiss authored
      stack_tracer_disable()/stack_tracer_enable() had been using the wrong
      name for the config symbol to enable their preempt-debugging checks --
      fix with a word swap.
      
      Link: http://lkml.kernel.org/r/20170831154036.4xldyakmmhuts5x7@hatter.bewilderbeest.net
      
      Cc: stable@vger.kernel.org
      Fixes: 8aaf1ee7 ("tracing: Rename trace_active to disable_stack_tracer and inline its modification")
      Signed-off-by: default avatarZev Weiss <zev@bewilderbeest.net>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      60361e12
  7. 28 Aug, 2017 5 commits
    • Linus Torvalds's avatar
      Linux 4.13-rc7 · cc4a41fe
      Linus Torvalds authored
      cc4a41fe
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 2c25833c
      Linus Torvalds authored
      Pull IOMMU fix from Joerg Roedel:
       "Another fix, this time in common IOMMU sysfs code.
      
        In the conversion from the old iommu sysfs-code to the
        iommu_device_register interface, I missed to update the release path
        for the struct device associated with an IOMMU. It freed the 'struct
        device', which was a pointer before, but is now embedded in another
        struct.
      
        Freeing from the middle of allocated memory had all kinds of nasty
        side effects when an IOMMU was unplugged. Unfortunatly nobody
        unplugged and IOMMU until now, so this was not discovered earlier. The
        fix is to make the 'struct device' a pointer again"
      
      * tag 'iommu-fixes-v4.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu: Fix wrong freeing of iommu_device->dev
      2c25833c
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 80f73b2d
      Linus Torvalds authored
      Pull char/misc fix from Greg KH:
       "Here is a single misc driver fix for 4.13-rc7. It resolves a reported
        problem in the Android binder driver due to previous patches in
        4.13-rc.
      
        It's been in linux-next with no reported issues"
      
      * tag 'char-misc-4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        ANDROID: binder: fix proc->tsk check.
      80f73b2d
    • Linus Torvalds's avatar
      Merge tag 'staging-4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · c3c16263
      Linus Torvalds authored
      Pull staging/iio fixes from Greg KH:
       "Here are few small staging driver fixes, and some more IIO driver
        fixes for 4.13-rc7. Nothing major, just resolutions for some reported
        problems.
      
        All of these have been in linux-next with no reported problems"
      
      * tag 'staging-4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: magnetometer: st_magn: remove ihl property for LSM303AGR
        iio: magnetometer: st_magn: fix status register address for LSM303AGR
        iio: hid-sensor-trigger: Fix the race with user space powering up sensors
        iio: trigger: stm32-timer: fix get trigger mode
        iio: imu: adis16480: Fix acceleration scale factor for adis16480
        PATCH] iio: Fix some documentation warnings
        staging: rtl8188eu: add RNX-N150NUB support
        Revert "staging: fsl-mc: be consistent when checking strcmp() return"
        iio: adc: stm32: fix common clock rate
        iio: adc: ina219: Avoid underflow for sleeping time
        iio: trigger: stm32-timer: add enable attribute
        iio: trigger: stm32-timer: fix get/set down count direction
        iio: trigger: stm32-timer: fix write_raw return value
        iio: trigger: stm32-timer: fix quadrature mode get routine
        iio: bmp280: properly initialize device for humidity reading
      c3c16263
    • Linus Torvalds's avatar
      Merge tag 'ntb-4.13-bugfixes' of git://github.com/jonmason/ntb · fff4e7a0
      Linus Torvalds authored
      Pull NTB fixes from Jon Mason:
       "NTB bug fixes to address an incorrect ntb_mw_count reference in the
        NTB transport, improperly bringing down the link if SPADs are
        corrupted, and an out-of-order issue regarding link negotiation and
        data passing"
      
      * tag 'ntb-4.13-bugfixes' of git://github.com/jonmason/ntb:
        ntb: ntb_test: ensure the link is up before trying to configure the mws
        ntb: transport shouldn't disable link due to bogus values in SPADs
        ntb: use correct mw_count function in ntb_tool and ntb_transport
      fff4e7a0
  8. 27 Aug, 2017 3 commits
    • Linus Torvalds's avatar
      Avoid page waitqueue race leaving possible page locker waiting · a8b169af
      Linus Torvalds authored
      The "lock_page_killable()" function waits for exclusive access to the
      page lock bit using the WQ_FLAG_EXCLUSIVE bit in the waitqueue entry
      set.
      
      That means that if it gets woken up, other waiters may have been
      skipped.
      
      That, in turn, means that if it sees the page being unlocked, it *must*
      take that lock and return success, even if a lethal signal is also
      pending.
      
      So instead of checking for lethal signals first, we need to check for
      them after we've checked the actual bit that we were waiting for.  Even
      if that might then delay the killing of the process.
      
      This matches the order of the old "wait_on_bit_lock()" infrastructure
      that the page locking used to use (and is still used in a few other
      areas).
      
      Note that if we still return an error after having unsuccessfully tried
      to acquire the page lock, that is ok: that means that some other thread
      was able to get ahead of us and lock the page, and when that other
      thread then unlocks the page, the wakeup event will be repeated.  So any
      other pending waiters will now get properly woken up.
      
      Fixes: 62906027 ("mm: add PageWaiters indicating tasks are waiting for a page bit")
      Cc: Nick Piggin <npiggin@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a8b169af
    • Linus Torvalds's avatar
      Minor page waitqueue cleanups · 3510ca20
      Linus Torvalds authored
      Tim Chen and Kan Liang have been battling a customer load that shows
      extremely long page wakeup lists.  The cause seems to be constant NUMA
      migration of a hot page that is shared across a lot of threads, but the
      actual root cause for the exact behavior has not been found.
      
      Tim has a patch that batches the wait list traversal at wakeup time, so
      that we at least don't get long uninterruptible cases where we traverse
      and wake up thousands of processes and get nasty latency spikes.  That
      is likely 4.14 material, but we're still discussing the page waitqueue
      specific parts of it.
      
      In the meantime, I've tried to look at making the page wait queues less
      expensive, and failing miserably.  If you have thousands of threads
      waiting for the same page, it will be painful.  We'll need to try to
      figure out the NUMA balancing issue some day, in addition to avoiding
      the excessive spinlock hold times.
      
      That said, having tried to rewrite the page wait queues, I can at least
      fix up some of the braindamage in the current situation. In particular:
      
       (a) we don't want to continue walking the page wait list if the bit
           we're waiting for already got set again (which seems to be one of
           the patterns of the bad load).  That makes no progress and just
           causes pointless cache pollution chasing the pointers.
      
       (b) we don't want to put the non-locking waiters always on the front of
           the queue, and the locking waiters always on the back.  Not only is
           that unfair, it means that we wake up thousands of reading threads
           that will just end up being blocked by the writer later anyway.
      
      Also add a comment about the layout of 'struct wait_page_key' - there is
      an external user of it in the cachefiles code that means that it has to
      match the layout of 'struct wait_bit_key' in the two first members.  It
      so happens to match, because 'struct page *' and 'unsigned long *' end
      up having the same values simply because the page flags are the first
      member in struct page.
      
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Christopher Lameter <cl@linux.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3510ca20
    • Linus Torvalds's avatar
      Clarify (and fix) MAX_LFS_FILESIZE macros · 0cc3b0ec
      Linus Torvalds authored
      We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
      filesystems (and other IO targets) that know they are 64-bit clean and
      don't have any 32-bit limits in their IO path.
      
      It turns out that our 32-bit value for that limit was bogus.  On 32-bit,
      the VM layer is limited by the page cache to only 32-bit index values,
      but our logic for that was confusing and actually wrong.  We used to
      define that value to
      
      	(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
      
      which is actually odd in several ways: it limits the index to 31 bits,
      and then it limits files so that they can't have data in that last byte
      of a page that has the highest 31-bit index (ie page index 0x7fffffff).
      
      Neither of those limitations make sense.  The index is actually the full
      32 bit unsigned value, and we can use that whole full page.  So the
      maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
      
      However, we do wan tto avoid the maximum index, because we have code
      that iterates over the page indexes, and we don't want that code to
      overflow.  So the maximum size of a file on a 32-bit host should
      actually be one page less than the full 32-bit index.
      
      So the actual limit is ULONG_MAX << PAGE_SHIFT.  That means that we will
      not actually be using the page of that last index (ULONG_MAX), but we
      can grow a file up to that limit.
      
      The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
      Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
      volume.  It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
      byte less), but the actual true VM limit is one page less than 16TiB.
      
      This was invisible until commit c2a9737f ("vfs,mm: fix a dead loop
      in truncate_inode_pages_range()"), which started applying that
      MAX_LFS_FILESIZE limit to block devices too.
      
      NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
      actually just the offset type itself (loff_t), which is signed.  But for
      clarity, on 64-bit, just use the maximum signed value, and don't make
      people have to count the number of 'f' characters in the hex constant.
      
      So just use LLONG_MAX for the 64-bit case.  That was what the value had
      been before too, just written out as a hex constant.
      
      Fixes: c2a9737f ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
      Reported-and-tested-by: default avatarDoug Nazar <nazard@nazar.ca>
      Cc: Andreas Dilger <adilger@dilger.ca>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Dave Kleikamp <shaggy@kernel.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0cc3b0ec
  9. 26 Aug, 2017 13 commits
  10. 25 Aug, 2017 6 commits