1. 17 May, 2023 6 commits
    • Ryusuke Konishi's avatar
      nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() · 9b5a04ac
      Ryusuke Konishi authored
      During unmount process of nilfs2, nothing holds nilfs_root structure after
      nilfs2 detaches its writer in nilfs_detach_log_writer().  However, since
      nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
      cause use-after-free read if inodes are left in "garbage_list" and
      released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().
      
      Fix this issue by modifying nilfs_evict_inode() to only clear inode
      without additional metadata changes that use nilfs_root if the file system
      is degraded to read-only or the writer is detached.
      
      Link: https://lkml.kernel.org/r/20230509152956.8313-1-konishi.ryusuke@gmail.comSigned-off-by: default avatarRyusuke Konishi <konishi.ryusuke@gmail.com>
      Reported-by: syzbot+78d4495558999f55d1da@syzkaller.appspotmail.com
      Closes: https://lkml.kernel.org/r/00000000000099e5ac05fb1c3b85@google.comTested-by: default avatarRyusuke Konishi <konishi.ryusuke@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      9b5a04ac
    • Domenico Cerasuolo's avatar
      mm: fix zswap writeback race condition · 04fc7816
      Domenico Cerasuolo authored
      The zswap writeback mechanism can cause a race condition resulting in
      memory corruption, where a swapped out page gets swapped in with data that
      was written to a different page.
      
      The race unfolds like this:
      1. a page with data A and swap offset X is stored in zswap
      2. page A is removed off the LRU by zpool driver for writeback in
         zswap-shrink work, data for A is mapped by zpool driver
      3. user space program faults and invalidates page entry A, offset X is
         considered free
      4. kswapd stores page B at offset X in zswap (zswap could also be
         full, if so, page B would then be IOed to X, then skip step 5.)
      5. entry A is replaced by B in tree->rbroot, this doesn't affect the
         local reference held by zswap-shrink work
      6. zswap-shrink work writes back A at X, and frees zswap entry A
      7. swapin of slot X brings A in memory instead of B
      
      The fix:
      Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),
      zswap-shrink work just checks that the local zswap_entry reference is
      still the same as the one in the tree.  If it's not the same it means that
      it's either been invalidated or replaced, in both cases the writeback is
      aborted because the local entry contains stale data.
      
      Reproducer:
      I originally found this by running `stress` overnight to validate my work
      on the zswap writeback mechanism, it manifested after hours on my test
      machine.  The key to make it happen is having zswap writebacks, so
      whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do
      the trick.
      
      In order to reproduce this faster on a vm, I setup a system with ~100M of
      available memory and a 500M swap file, then running `stress --vm 1
      --vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens
      of minutes.  One can speed things up even more by swinging
      /sys/module/zswap/parameters/max_pool_percent up and down between, say, 20
      and 1; this makes it reproduce in tens of seconds.  It's crucial to set
      `--vm-stride` to something other than 4096 otherwise `stress` won't
      realize that memory has been corrupted because all pages would have the
      same data.
      
      Link: https://lkml.kernel.org/r/20230503151200.19707-1-cerasuolodomenico@gmail.comSigned-off-by: default avatarDomenico Cerasuolo <cerasuolodomenico@gmail.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reviewed-by: default avatarChris Li (Google) <chrisl@kernel.org>
      Cc: Dan Streetman <ddstreet@ieee.org>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Nitin Gupta <ngupta@vflare.org>
      Cc: Seth Jennings <sjenning@redhat.com>
      Cc: Vitaly Wool <vitaly.wool@konsulko.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      04fc7816
    • Michael Ellerman's avatar
      mm: kfence: fix false positives on big endian · 7581495a
      Michael Ellerman authored
      Since commit 1ba3cbf3 ("mm: kfence: improve the performance of
      __kfence_alloc() and __kfence_free()"), kfence reports failures in random
      places at boot on big endian machines.
      
      The problem is that the new KFENCE_CANARY_PATTERN_U64 encodes the address
      of each byte in its value, so it needs to be byte swapped on big endian
      machines.
      
      The compiler is smart enough to do the le64_to_cpu() at compile time, so
      there is no runtime overhead.
      
      Link: https://lkml.kernel.org/r/20230505035127.195387-1-mpe@ellerman.id.au
      Fixes: 1ba3cbf3 ("mm: kfence: improve the performance of __kfence_alloc() and __kfence_free()")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: default avatarAlexander Potapenko <glider@google.com>
      Reviewed-by: default avatarMarco Elver <elver@google.com>
      Cc: Peng Zhang <zhangpeng.00@bytedance.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      7581495a
    • Nhat Pham's avatar
      zsmalloc: move LRU update from zs_map_object() to zs_malloc() · d461aac9
      Nhat Pham authored
      Under memory pressure, we sometimes observe the following crash:
      
      [ 5694.832838] ------------[ cut here ]------------
      [ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100)
      [ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80
      [ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S                5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1
      [ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021
      [ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80
      [ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7
      [ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246
      [ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000
      [ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480
      [ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370
      [ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002
      [ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240
      [ 5695.136717] FS:  00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000
      [ 5695.152899] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0
      [ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 5695.207197] PKRU: 55555554
      [ 5695.212602] Call Trace:
      [ 5695.217486]  <TASK>
      [ 5695.221674]  zs_map_object+0x91/0x270
      [ 5695.229000]  zswap_frontswap_store+0x33d/0x870
      [ 5695.237885]  ? do_raw_spin_lock+0x5d/0xa0
      [ 5695.245899]  __frontswap_store+0x51/0xb0
      [ 5695.253742]  swap_writepage+0x3c/0x60
      [ 5695.261063]  shrink_page_list+0x738/0x1230
      [ 5695.269255]  shrink_lruvec+0x5ec/0xcd0
      [ 5695.276749]  ? shrink_slab+0x187/0x5f0
      [ 5695.284240]  ? mem_cgroup_iter+0x6e/0x120
      [ 5695.292255]  shrink_node+0x293/0x7b0
      [ 5695.299402]  do_try_to_free_pages+0xea/0x550
      [ 5695.307940]  try_to_free_pages+0x19a/0x490
      [ 5695.316126]  __folio_alloc+0x19ff/0x3e40
      [ 5695.323971]  ? __filemap_get_folio+0x8a/0x4e0
      [ 5695.332681]  ? walk_component+0x2a8/0xb50
      [ 5695.340697]  ? generic_permission+0xda/0x2a0
      [ 5695.349231]  ? __filemap_get_folio+0x8a/0x4e0
      [ 5695.357940]  ? walk_component+0x2a8/0xb50
      [ 5695.365955]  vma_alloc_folio+0x10e/0x570
      [ 5695.373796]  ? walk_component+0x52/0xb50
      [ 5695.381634]  wp_page_copy+0x38c/0xc10
      [ 5695.388953]  ? filename_lookup+0x378/0xbc0
      [ 5695.397140]  handle_mm_fault+0x87f/0x1800
      [ 5695.405157]  do_user_addr_fault+0x1bd/0x570
      [ 5695.413520]  exc_page_fault+0x5d/0x110
      [ 5695.421017]  asm_exc_page_fault+0x22/0x30
      
      After some investigation, I have found the following issue: unlike other
      zswap backends, zsmalloc performs the LRU list update at the object
      mapping time, rather than when the slot for the object is allocated.
      This deviation was discussed and agreed upon during the review process
      of the zsmalloc writeback patch series:
      
      https://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/
      
      Unfortunately, this introduces a subtle bug that occurs when there is a
      concurrent store and reclaim, which interleave as follows:
      
      zswap_frontswap_store()            shrink_worker()
        zs_malloc()                        zs_zpool_shrink()
          spin_lock(&pool->lock)             zs_reclaim_page()
          zspage = find_get_zspage()
          spin_unlock(&pool->lock)
                                               spin_lock(&pool->lock)
                                               zspage = list_first_entry(&pool->lru)
                                               list_del(&zspage->lru)
                                                 zspage->lru.next = LIST_POISON1
                                                 zspage->lru.prev = LIST_POISON2
                                               spin_unlock(&pool->lock)
        zs_map_object()
          spin_lock(&pool->lock)
          if (!list_empty(&zspage->lru))
            list_del(&zspage->lru)
              CHECK_DATA_CORRUPTION(next == LIST_POISON1) /* BOOM */
      
      With the current upstream code, this issue rarely happens. zswap only
      triggers writeback when the pool is already full, at which point all
      further store attempts are short-circuited. This creates an implicit
      pseudo-serialization between reclaim and store. I am working on a new
      zswap shrinking mechanism, which makes interleaving reclaim and store
      more likely, exposing this bug.
      
      zbud and z3fold do not have this problem, because they perform the LRU
      list update in the alloc function, while still holding the pool's lock.
      This patch fixes the aforementioned bug by moving the LRU update back to
      zs_malloc(), analogous to zbud and z3fold.
      
      Link: https://lkml.kernel.org/r/20230505185054.2417128-1-nphamcs@gmail.com
      Fixes: 64f768c6 ("zsmalloc: add a LRU to zs_pool to keep track of zspages in LRU order")
      Signed-off-by: default avatarNhat Pham <nphamcs@gmail.com>
      Suggested-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reviewed-by: default avatarSergey Senozhatsky <senozhatsky@chromium.org>
      Acked-by: default avatarMinchan Kim <minchan@kernel.org>
      Cc: Dan Streetman <ddstreet@ieee.org>
      Cc: Nitin Gupta <ngupta@vflare.org>
      Cc: Seth Jennings <sjenning@redhat.com>
      Cc: Vitaly Wool <vitaly.wool@konsulko.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      d461aac9
    • Joan Bruguera Micó's avatar
      mm: shrinkers: fix race condition on debugfs cleanup · 26e239b3
      Joan Bruguera Micó authored
      When something registers and unregisters many shrinkers, such as:
          for x in $(seq 10000); do unshare -Ui true; done
      
      Sometimes the following error is printed to the kernel log:
          debugfs: Directory '...' with parent 'shrinker' already present!
      
      This occurs since commit badc28d4 ("mm: shrinkers: fix deadlock in
      shrinker debugfs") / v6.2: Since the call to `debugfs_remove_recursive`
      was moved outside the `shrinker_rwsem`/`shrinker_mutex` lock, but the call
      to `ida_free` stayed inside, a newly registered shrinker can be
      re-assigned that ID and attempt to create the debugfs directory before the
      directory from the previous shrinker has been removed.
      
      The locking changes in commit f95bdb70 ("mm: vmscan: make global slab
      shrink lockless") made the race condition more likely, though it existed
      before then.
      
      Commit badc28d4 ("mm: shrinkers: fix deadlock in shrinker debugfs")
      could be reverted since the issue is addressed should no longer occur
      since the count and scan operations are lockless since commit 20cd1892
      ("mm: shrinkers: make count and scan in shrinker debugfs lockless"). 
      However, since this is a contended lock, prefer instead moving `ida_free`
      outside the lock to avoid the race.
      
      Link: https://lkml.kernel.org/r/20230503013232.299211-1-joanbrugueram@gmail.com
      Fixes: badc28d4 ("mm: shrinkers: fix deadlock in shrinker debugfs")
      Signed-off-by: default avatarJoan Bruguera Micó <joanbrugueram@gmail.com>
      Cc: Qi Zheng <zhengqi.arch@bytedance.com>
      Cc: Roman Gushchin <roman.gushchin@linux.dev>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      26e239b3
    • Peng Zhang's avatar
      maple_tree: make maple state reusable after mas_empty_area() · 0257d990
      Peng Zhang authored
      Make mas->min and mas->max point to a node range instead of a leaf entry
      range.  This allows mas to still be usable after mas_empty_area() returns.
      Users would get unexpected results from other operations on the maple
      state after calling the affected function.
      
      For example, x86 MAP_32BIT mmap() acts as if there is no suitable gap when
      there should be one.
      
      Link: https://lkml.kernel.org/r/20230505145829.74574-1-zhangpeng.00@bytedance.com
      Fixes: 54a611b6 ("Maple Tree: add new data structure")
      Signed-off-by: default avatarPeng Zhang <zhangpeng.00@bytedance.com>
      Reported-by: default avatar"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
      Reported-by: default avatarTad <support@spotco.us>
      Reported-by: default avatarMichael Keyes <mgkeyes@vigovproductions.net>
        Link: https://lore.kernel.org/linux-mm/32f156ba80010fd97dbaf0a0cdfc84366608624d.camel@intel.com/
        Link: https://lore.kernel.org/linux-mm/e6108286ac025c268964a7ead3aab9899f9bc6e9.camel@spotco.us/Reviewed-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
      Tested-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      0257d990
  2. 07 May, 2023 8 commits
    • Linus Torvalds's avatar
      Linux 6.4-rc1 · ac9a7868
      Linus Torvalds authored
      ac9a7868
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-for-v6.4-3-2023-05-06' of... · f085df1b
      Linus Torvalds authored
      Merge tag 'perf-tools-for-v6.4-3-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tool updates from Arnaldo Carvalho de Melo:
       "Third version of perf tool updates, with the build problems with with
        using a 'vmlinux.h' generated from the main build fixed, and the bpf
        skeleton build disabled by default.
      
        Build:
      
         - Require libtraceevent to build, one can disable it using
           NO_LIBTRACEEVENT=1.
      
           It is required for tools like 'perf sched', 'perf kvm', 'perf
           trace', etc.
      
           libtraceevent is available in most distros so installing
           'libtraceevent-devel' should be a one-time event to continue
           building perf as usual.
      
           Using NO_LIBTRACEEVENT=1 produces tooling that is functional and
           sufficient for lots of users not interested in those libtraceevent
           dependent features.
      
         - Allow Python support in 'perf script' when libtraceevent isn't
           linked, as not all features requires it, for instance Intel PT does
           not use tracepoints.
      
         - Error if the python interpreter needed for jevents to work isn't
           available and NO_JEVENTS=1 isn't set, preventing a build without
           support for JSON vendor events, which is a rare but possible
           condition. The two check error messages:
      
              $(error ERROR: No python interpreter needed for jevents generation. Install python or build with NO_JEVENTS=1.)
              $(error ERROR: Python interpreter needed for jevents generation too old (older than 3.6). Install a newer python or build with NO_JEVENTS=1.)
      
         - Make libbpf 1.0 the minimum required when building with out of
           tree, distro provided libbpf.
      
         - Use libsdtc++'s and LLVM's libcxx's __cxa_demangle, a portable C++
           demangler, add 'perf test' entry for it.
      
         - Make binutils libraries opt in, as distros disable building with it
           due to licensing, they were used for C++ demangling, for instance.
      
         - Switch libpfm4 to opt-out rather than opt-in, if libpfm-devel (or
           equivalent) isn't installed, we'll just have a build warning:
      
             Makefile.config:1144: libpfm4 not found, disables libpfm4 support. Please install libpfm4-dev
      
         - Add a feature test for scandirat(), that is not implemented so far
           in musl and uclibc, disabling features that need it, such as
           scanning for tracepoints in /sys/kernel/tracing/events.
      
        perf BPF filters:
      
         - New feature where BPF can be used to filter samples, for instance:
      
            $ sudo ./perf record -e cycles --filter 'period > 1000' true
            $ sudo ./perf script
                 perf-exec 2273949 546850.708501:       5029 cycles:  ffffffff826f9e25 finish_wait+0x5 ([kernel.kallsyms])
                 perf-exec 2273949 546850.708508:      32409 cycles:  ffffffff826f9e25 finish_wait+0x5 ([kernel.kallsyms])
                 perf-exec 2273949 546850.708526:     143369 cycles:  ffffffff82b4cdbf xas_start+0x5f ([kernel.kallsyms])
                 perf-exec 2273949 546850.708600:     372650 cycles:  ffffffff8286b8f7 __pagevec_lru_add+0x117 ([kernel.kallsyms])
                 perf-exec 2273949 546850.708791:     482953 cycles:  ffffffff829190de __mod_memcg_lruvec_state+0x4e ([kernel.kallsyms])
                      true 2273949 546850.709036:     501985 cycles:  ffffffff828add7c tlb_gather_mmu+0x4c ([kernel.kallsyms])
                      true 2273949 546850.709292:     503065 cycles:      7f2446d97c03 _dl_map_object_deps+0x973 (/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2)
      
         - In addition to 'period' (PERF_SAMPLE_PERIOD), the other
           PERF_SAMPLE_ can be used for filtering, and also some other sample
           accessible values, from tools/perf/Documentation/perf-record.txt:
      
              Essentially the BPF filter expression is:
      
              <term> <operator> <value> (("," | "||") <term> <operator> <value>)*
      
           The <term> can be one of:
              ip, id, tid, pid, cpu, time, addr, period, txn, weight, phys_addr,
              code_pgsz, data_pgsz, weight1, weight2, weight3, ins_lat, retire_lat,
              p_stage_cyc, mem_op, mem_lvl, mem_snoop, mem_remote, mem_lock,
              mem_dtlb, mem_blk, mem_hops
      
           The <operator> can be one of:
              ==, !=, >, >=, <, <=, &
      
           The <value> can be one of:
              <number> (for any term)
              na, load, store, pfetch, exec (for mem_op)
              l1, l2, l3, l4, cxl, io, any_cache, lfb, ram, pmem (for mem_lvl)
              na, none, hit, miss, hitm, fwd, peer (for mem_snoop)
              remote (for mem_remote)
              na, locked (for mem_locked)
              na, l1_hit, l1_miss, l2_hit, l2_miss, any_hit, any_miss, walk, fault (for mem_dtlb)
              na, by_data, by_addr (for mem_blk)
              hops0, hops1, hops2, hops3 (for mem_hops)
      
        perf lock contention:
      
         - Show lock type with address.
      
         - Track and show mmap_lock, siglock and per-cpu rq_lock with address.
           This is done for mmap_lock by following the current->mm pointer:
      
            $ sudo ./perf lock con -abl -- sleep 10
             contended   total wait     max wait     avg wait            address   symbol
             ...
                 16344    312.30 ms      2.22 ms     19.11 us   ffff8cc702595640
                 17686    310.08 ms      1.49 ms     17.53 us   ffff8cc7025952c0
                     3     84.14 ms     45.79 ms     28.05 ms   ffff8cc78114c478   mmap_lock
                  3557     76.80 ms     68.75 us     21.59 us   ffff8cc77ca3af58
                     1     68.27 ms     68.27 ms     68.27 ms   ffff8cda745dfd70
                     9     54.53 ms      7.96 ms      6.06 ms   ffff8cc7642a48b8   mmap_lock
                 14629     44.01 ms     60.00 us      3.01 us   ffff8cc7625f9ca0
                  3481     42.63 ms    140.71 us     12.24 us   ffffffff937906ac   vmap_area_lock
                 16194     38.73 ms     42.15 us      2.39 us   ffff8cd397cbc560
                    11     38.44 ms     10.39 ms      3.49 ms   ffff8ccd6d12fbb8   mmap_lock
                     1      5.43 ms      5.43 ms      5.43 ms   ffff8cd70018f0d8
                  1674      5.38 ms    422.93 us      3.21 us   ffffffff92e06080   tasklist_lock
                   581      4.51 ms    130.68 us      7.75 us   ffff8cc9b1259058
                     5      3.52 ms      1.27 ms    703.23 us   ffff8cc754510070
                   112      3.47 ms     56.47 us     31.02 us   ffff8ccee38b3120
                   381      3.31 ms     73.44 us      8.69 us   ffffffff93790690   purge_vmap_area_lock
                   255      3.19 ms     36.35 us     12.49 us   ffff8d053ce30c80
      
         - Update default map size to 16384.
      
         - Allocate single letter option -M for --map-nr-entries, as it is
           proving being frequently used.
      
         - Fix struct rq lock access for older kernels with BPF's CO-RE
           (Compile once, run everywhere).
      
         - Fix problems found with MSAn.
      
        perf report/top:
      
         - Add inline information when using --call-graph=fp or lbr, as was
           already done to the --call-graph=dwarf callchain mode.
      
         - Improve the 'srcfile' sort key performance by really using an
           optimization introduced in 6.2 for the 'srcline' sort key that
           avoids calling addr2line for comparision with each sample.
      
        perf sched:
      
         - Make 'perf sched latency/map/replay' to use "sched:sched_waking"
           instead of "sched:sched_waking", consistent with 'perf record'
           since d566a9c2 ("perf sched: Prefer sched_waking event when it
           exists").
      
        perf ftrace:
      
         - Make system wide the default target for latency subcommand, run the
           following command then generate some network traffic and press
           control+C:
      
             # perf ftrace latency -T __kfree_skb
           ^C
               DURATION     |      COUNT | GRAPH                                          |
                0 - 1    us |         27 | #############                                  |
                1 - 2    us |         22 | ###########                                    |
                2 - 4    us |          8 | ####                                           |
                4 - 8    us |          5 | ##                                             |
                8 - 16   us |         24 | ############                                   |
               16 - 32   us |          2 | #                                              |
               32 - 64   us |          1 |                                                |
               64 - 128  us |          0 |                                                |
              128 - 256  us |          0 |                                                |
              256 - 512  us |          0 |                                                |
              512 - 1024 us |          0 |                                                |
                1 - 2    ms |          0 |                                                |
                2 - 4    ms |          0 |                                                |
                4 - 8    ms |          0 |                                                |
                8 - 16   ms |          0 |                                                |
               16 - 32   ms |          0 |                                                |
               32 - 64   ms |          0 |                                                |
               64 - 128  ms |          0 |                                                |
              128 - 256  ms |          0 |                                                |
              256 - 512  ms |          0 |                                                |
              512 - 1024 ms |          0 |                                                |
                1 - ...   s |          0 |                                                |
             #
      
        perf top:
      
         - Add --branch-history (LBR: Last Branch Record) option, just like
           already available for 'perf record'.
      
         - Fix segfault in thread__comm_len() where thread->comm was being
           used outside thread->comm_lock.
      
        perf annotate:
      
         - Allow configuring objdump and addr2line in ~/.perfconfig., so that
           you can use alternative binaries, such as llvm's.
      
        perf kvm:
      
         - Add TUI mode for 'perf kvm stat report'.
      
        Reference counting:
      
         - Add reference count checking infrastructure to check for use after
           free, done to the 'cpumap', 'namespaces', 'maps' and 'map' structs,
           more to come.
      
           To build with it use -DREFCNT_CHECKING=1 in the make command line
           to build tools/perf. Documented at:
      
             https://perf.wiki.kernel.org/index.php/Reference_Count_Checking
      
         - The above caught, for instance, fix, present in this series:
      
              - Fix maps use after put in 'perf test "Share thread maps"':
      
                'maps' is copied from leader, but the leader is put on line 79
                and then 'maps' is used to read the reference count below - so
                a use after put, with the put of maps happening within
                thread__put.
      
           Fixed by reversing the order of puts so that the leader is put
           last.
      
         - Also several fixes were made to places where reference counts were
           not being held.
      
         - Make this one of the tests in 'make -C tools/perf build-test' to
           regularly build test it and to make sure no direct access to the
           reference counted structs are made, doing that via accessors to
           check the validity of the struct pointer.
      
        ARM64:
      
         - Fix 'perf report' segfault when filtering coresight traces by
           sparse lists of CPUs.
      
         - Add support for 'simd' as a sort field for 'perf report', to show
           ARM's NEON SIMD's predicate flags: "partial" and "empty".
      
        arm64 vendor events:
      
         - Add N1 metrics.
      
        Intel vendor events:
      
         - Add graniterapids, grandridge and sierraforrest events.
      
         - Refresh events for: alderlake, aldernaken, broadwell, broadwellde,
           broadwellx, cascadelakx, haswell, haswellx, icelake, icelakex,
           jaketown, meteorlake, knightslanding, sandybridge, sapphirerapids,
           silvermont, skylake, tigerlake and westmereep-dp
      
         - Refresh metrics for alderlake-n, broadwell, broadwellde,
           broadwellx, haswell, haswellx, icelakex, ivybridge, ivytown and
           skylakex.
      
        perf stat:
      
         - Implement --topdown using JSON metrics.
      
         - Add TopdownL1 JSON metric as a default if present, but disable it
           for now for some Intel hybrid architectures, a series of patches
           addressing this is being reviewed and will be submitted for v6.5.
      
         - Use metrics for --smi-cost.
      
         - Update topdown documentation.
      
        Vendor events (JSON) infrastructure:
      
         - Add support for computing and printing metric threshold values. For
           instance, here is one found in thesapphirerapids json file:
      
             {
                 "BriefDescription": "Percentage of cycles spent in System Management Interrupts.",
                 "MetricExpr": "((msr@aperf@ - cycles) / msr@aperf@ if msr@smi@ > 0 else 0)",
                 "MetricGroup": "smi",
                 "MetricName": "smi_cycles",
                 "MetricThreshold": "smi_cycles > 0.1",
                 "ScaleUnit": "100%"
             },
      
         - Test parsing metric thresholds with the fake PMU in 'perf test
           pmu-events'.
      
         - Support for printing metric thresholds in 'perf list'.
      
         - Add --metric-no-threshold option to 'perf stat'.
      
         - Add rand (reverse and) and has_pmem (optane memory) support to
           metrics.
      
         - Sort list of input files to avoid depending on the order from
           readdir() helping in obtaining reproducible builds.
      
        S/390:
      
         - Add common metrics: - CPI (cycles per instruction), prbstate (ratio
           of instructions executed in problem state compared to total number
           of instructions), l1mp (Level one instruction and data cache misses
           per 100 instructions).
      
         - Add cache metrics for z13, z14, z15 and z16.
      
         - Add metric for TLB and cache.
      
        ARM:
      
         - Add raw decoding for SPE (Statistical Profiling Extension) v1.3 MTE
           (Memory Tagging Extension) and MOPS (Memory Operations) load/store.
      
        Intel PT hardware tracing:
      
         - Add event type names UINTR (User interrupt delivered) and UIRET
           (Exiting from user interrupt routine), documented in table 32-50
           "CFE Packet Type and Vector Fields Details" in the Intel Processor
           Trace chapter of The Intel SDM Volume 3 version 078.
      
         - Add support for new branch instructions ERETS and ERETU.
      
         - Fix CYC timestamps after standalone CBR
      
        ARM CoreSight hardware tracing:
      
         - Allow user to override timestamp and contextid settings.
      
         - Fix segfault in dso lookup.
      
         - Fix timeless decode mode detection.
      
         - Add separate decode paths for timeless and per-thread modes.
      
        auxtrace:
      
         - Fix address filter entire kernel size.
      
        Miscellaneous:
      
         - Fix use-after-free and unaligned bugs in the PLT handling routines.
      
         - Use zfree() to reduce chances of use after free.
      
         - Add missing 0x prefix for addresses printed in hexadecimal in 'perf
           probe'.
      
         - Suppress massive unsupported target platform errors in the unwind
           code.
      
         - Fix return incorrect build_id size in elf_read_build_id().
      
         - Fix 'perf scripts intel-pt-events.py' IPC output for Python 2 .
      
         - Add missing new parameter in kfree_skb tracepoint to the python
           scripts using it.
      
         - Add 'perf bench syscall fork' benchmark.
      
         - Add support for printing PERF_MEM_LVLNUM_UNC (Uncached access) in
           'perf mem'.
      
         - Fix wrong size expectation for perf test 'Setup struct
           perf_event_attr' caused by the patch adding
           perf_event_attr::config3.
      
         - Fix some spelling mistakes"
      
      * tag 'perf-tools-for-v6.4-3-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: (365 commits)
        Revert "perf build: Make BUILD_BPF_SKEL default, rename to NO_BPF_SKEL"
        Revert "perf build: Warn for BPF skeletons if endian mismatches"
        perf metrics: Fix SEGV with --for-each-cgroup
        perf bpf skels: Stop using vmlinux.h generated from BTF, use subset of used structs + CO-RE
        perf stat: Separate bperf from bpf_profiler
        perf test record+probe_libc_inet_pton: Fix call chain match on x86_64
        perf test record+probe_libc_inet_pton: Fix call chain match on s390
        perf tracepoint: Fix memory leak in is_valid_tracepoint()
        perf cs-etm: Add fix for coresight trace for any range of CPUs
        perf build: Fix unescaped # in perf build-test
        perf unwind: Suppress massive unsupported target platform errors
        perf script: Add new parameter in kfree_skb tracepoint to the python scripts using it
        perf script: Print raw ip instead of binary offset for callchain
        perf symbols: Fix return incorrect build_id size in elf_read_build_id()
        perf list: Modify the warning message about scandirat(3)
        perf list: Fix memory leaks in print_tracepoint_events()
        perf lock contention: Rework offset calculation with BPF CO-RE
        perf lock contention: Fix struct rq lock access
        perf stat: Disable TopdownL1 on hybrid
        perf stat: Avoid SEGV on counter->name
        ...
      f085df1b
    • Linus Torvalds's avatar
      Merge tag 'core-debugobjects-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 17784de6
      Linus Torvalds authored
      Pull debugobjects fix from Thomas Gleixner:
       "A single fix for debugobjects:
      
        The recent fix to ensure atomicity of lookup and allocation
        inadvertently broke the pool refill mechanism, so that debugobject
        OOMs now in certain situations. The reason is that the functions which
        got updated no longer invoke debug_objecs_init(), which is now the
        only place to care about refilling the tracking object pool.
      
        Restore the original behaviour by adding explicit refill opportunities
        to those places"
      
      * tag 'core-debugobjects-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        debugobject: Ensure pool refill (again)
      17784de6
    • Linus Torvalds's avatar
      Merge tag 'v6.4-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 6f69c981
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - A long-standing bug in crypto_engine
      
       - A buggy but harmless check in the sun8i-ss driver
      
       - A regression in the CRYPTO_USER interface
      
      * tag 'v6.4-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: api - Fix CRYPTO_USER checks for report function
        crypto: engine - fix crypto_queue backlog handling
        crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs()
      6f69c981
    • Linus Torvalds's avatar
      Merge tag '6.4-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · 63342b1d
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "smb3 client fixes, mostly DFS or reconnect related:
      
         - Two DFS connection sharing fixes
      
         - DFS refresh fix
      
         - Reconnect fix
      
         - Two potential use after free fixes
      
         - Also print prefix patch in mount debug msg
      
         - Two small cleanup fixes"
      
      * tag '6.4-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Remove unneeded semicolon
        cifs: fix sharing of DFS connections
        cifs: avoid potential races when handling multiple dfs tcons
        cifs: protect access of TCP_Server_Info::{origin,leaf}_fullpath
        cifs: fix potential race when tree connecting ipc
        cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
        cifs: print smb3_fs_context::source when mounting
        cifs: protect session status check in smb2_reconnect()
        SMB3.1.1: correct definition for app_instance_id create contexts
      63342b1d
    • Linus Torvalds's avatar
      Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · d6b8a8c4
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A couple more patches that would be good to get into -rc1:
      
         - Revert an i.MX patch that's causing video failures because division
           math goes sideways
      
         - Fix a clang + W=1 build isue where FIELD_PREP() is taking a 32-bit
           variable instead of the usual u64 type
      
         - Fix a Kconfig bug in the StarFive JH7110 clk config that selects a
           reset controller when it can't be selected"
      
      * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: starfive: Fix RESET_STARFIVE_JH7110 can't be selected in a specified case
        clk: sp7021: Adjust width of _m in HWM_FIELD_PREP()
        Revert "clk: imx: composite-8m: Add support to determine_rate"
      d6b8a8c4
    • Linus Torvalds's avatar
      Merge tag 'mailbox-v6.4' of git://git.linaro.org/landing-teams/working/fujitsu/integration · 1c1094e4
      Linus Torvalds authored
      Pull mailbox updates from Jassi Brar:
      
       - mailbox api: allow direct registration to a channel and convert omap
         and pcc to use mbox_bind_client
      
       - omap and hi6220 : use of_property_read_bool
      
       - test: fix double-free and use spinlock header
      
       - rockchip and bcm-pdc: drop of_match_ptr
      
       - mpfs: change config symbol
      
       - mediatek gce: support MT6795
      
       - qcom apcs: consolidate of_device_id and support IPQ9574
      
      * tag 'mailbox-v6.4' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        dt-bindings: mailbox: qcom: add compatible for IPQ9574 SoC
        mailbox: qcom-apcs-ipc: do not grow the of_device_id
        dt-bindings: mailbox: qcom,apcs-kpss-global: use fallbacks for few variants
        dt-bindings: mailbox: mediatek,gce-mailbox: Add support for MT6795
        mailbox: mpfs: convert SOC_MICROCHIP_POLARFIRE to ARCH_MICROCHIP_POLARFIRE
        mailbox: bcm-pdc: drop of_match_ptr for ID table
        mailbox: rockchip: drop of_match_ptr for ID table
        mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
        mailbox: mailbox-test: Explicitly include header for spinlock support
        mailbox: Use of_property_read_bool() for boolean properties
        mailbox: pcc: Use mbox_bind_client
        mailbox: omap: Use mbox_bind_client
        mailbox: Allow direct registration to a channel
      1c1094e4
    • Linus Torvalds's avatar
      Merge tag 'for-6.4/io_uring-2023-05-07' of git://git.kernel.dk/linux · 03e5cb7b
      Linus Torvalds authored
      Pull more io_uring updates from Jens Axboe:
       "Nothing major in here, just two different parts:
      
         - A small series from Breno that enables passing the full SQE down
           for ->uring_cmd().
      
           This is a prerequisite for enabling full network socket operations.
           Queued up a bit late because of some stylistic concerns that got
           resolved, would be nice to have this in 6.4-rc1 so the dependent
           work will be easier to handle for 6.5.
      
         - Fix for the huge page coalescing, which was a regression introduced
           in the 6.3 kernel release (Tobias)"
      
      * tag 'for-6.4/io_uring-2023-05-07' of git://git.kernel.dk/linux:
        io_uring: Remove unnecessary BUILD_BUG_ON
        io_uring: Pass whole sqe to commands
        io_uring: Create a helper to return the SQE size
        io_uring/rsrc: check for nonconsecutive pages
      03e5cb7b
  3. 06 May, 2023 26 commits