1. 02 Jul, 2020 1 commit
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.8-2020-07-01' of git://git.kernel.dk/linux-block · c93493b7
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "One fix in here, for a regression in 5.7 where a task is waiting in
        the kernel for a condition, but that condition won't become true until
        task_work is run. And the task_work can't be run exactly because the
        task is waiting in the kernel, so we'll never make any progress.
      
        One example of that is registering an eventfd and queueing io_uring
        work, and then the task goes and waits in eventfd read with the
        expectation that it'll get woken (and read an event) when the io_uring
        request completes. The io_uring request is finished through task_work,
        which won't get run while the task is looping in eventfd read"
      
      * tag 'io_uring-5.8-2020-07-01' of git://git.kernel.dk/linux-block:
        io_uring: use signal based task_work running
        task_work: teach task_work_add() to do signal_wake_up()
      c93493b7
  2. 01 Jul, 2020 1 commit
  3. 30 Jun, 2020 5 commits
    • Linus Torvalds's avatar
      Merge tag 'exfat-for-5.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat · edb543cf
      Linus Torvalds authored
      Pull exfat fixes from Namjae Jeon:
      
       - Zero out unused characters of FileName field to avoid a complaint
         from some fsck tool.
      
       - Fix memory leak on error paths.
      
       - Fix unnecessary VOL_DIRTY set when calling rmdir on non-empty
         directory.
      
       - Call sync_filesystem() for read-only remount (Fix generic/452 test in
         xfstests)
      
       - Add own fsync() to flush dirty metadata.
      
      * tag 'exfat-for-5.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat:
        exfat: flush dirty metadata in fsync
        exfat: move setting VOL_DIRTY over exfat_remove_entries()
        exfat: call sync_filesystem for read-only remount
        exfat: add missing brelse() calls on error paths
        exfat: Set the unused characters of FileName field to the value 0000h
      edb543cf
    • Linus Torvalds's avatar
      Merge tag 'fixes-v5.8-rc3-a' of... · 615bc218
      Linus Torvalds authored
      Merge tag 'fixes-v5.8-rc3-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
      
      Pull security subsystem fixes from James Morris:
       "Two simple fixes for v5.8:
      
         - Fix hook iteration and default value for inode_copy_up_xattr
           (KP Singh)
      
         - Fix the key_permission LSM hook function type (Sami Tolvanen)"
      
      * tag 'fixes-v5.8-rc3-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        security: Fix hook iteration and default value for inode_copy_up_xattr
        security: fix the key_permission LSM hook function type
      615bc218
    • Linus Torvalds's avatar
      Merge tag 'integrity-v5.8-fix-2' of... · b13f40bc
      Linus Torvalds authored
      Merge tag 'integrity-v5.8-fix-2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
      
      Pull integrity updates from Mimi Zohar:
       "Include PCRs 8 & 9 in per TPM 2.0 bank boot_aggregate calculation.
      
        Prior to Linux 5.8 the SHA1 "boot_aggregate" value was padded with 0's
        and extended into the other TPM 2.0 banks.
      
        Included in the Linux 5.8 open window, TPM 2.0 PCR bank specific
        "boot_aggregate" values (PCRs 0  - 7) are calculated and extended into the TPM banks.
      
        Distro releases are now shipping grub2 with TPM support, which extend
        PCRs 8 & 9. I'd like for PCRs 8 & 9 to be included in the new
        "boot_aggregate" calculations.
      
        For backwards compatibility, if the hash is SHA1, these new PCRs are
        not included in the boot aggregate"
      
      * tag 'integrity-v5.8-fix-2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
        ima: extend boot_aggregate with kernel measurements
      b13f40bc
    • Jens Axboe's avatar
      io_uring: use signal based task_work running · ce593a6c
      Jens Axboe authored
      Since 5.7, we've been using task_work to trigger async running of
      requests in the context of the original task. This generally works
      great, but there's a case where if the task is currently blocked
      in the kernel waiting on a condition to become true, it won't process
      task_work. Even though the task is woken, it just checks whatever
      condition it's waiting on, and goes back to sleep if it's still false.
      
      This is a problem if that very condition only becomes true when that
      task_work is run. An example of that is the task registering an eventfd
      with io_uring, and it's now blocked waiting on an eventfd read. That
      read could depend on a completion event, and that completion event
      won't get trigged until task_work has been run.
      
      Use the TWA_SIGNAL notification for task_work, so that we ensure that
      the task always runs the work when queued.
      
      Cc: stable@vger.kernel.org # v5.7
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      ce593a6c
    • Oleg Nesterov's avatar
      task_work: teach task_work_add() to do signal_wake_up() · e91b4816
      Oleg Nesterov authored
      So that the target task will exit the wait_event_interruptible-like
      loop and call task_work_run() asap.
      
      The patch turns "bool notify" into 0,TWA_RESUME,TWA_SIGNAL enum, the
      new TWA_SIGNAL flag implies signal_wake_up().  However, it needs to
      avoid the race with recalc_sigpending(), so the patch also adds the
      new JOBCTL_TASK_WORK bit included in JOBCTL_PENDING_MASK.
      
      TODO: once this patch is merged we need to change all current users
      of task_work_add(notify = true) to use TWA_RESUME.
      
      Cc: stable@vger.kernel.org # v5.7
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      e91b4816
  4. 29 Jun, 2020 16 commits
  5. 28 Jun, 2020 17 commits
    • Linus Torvalds's avatar
      Linux 5.8-rc3 · 9ebcfadb
      Linus Torvalds authored
      9ebcfadb
    • Linus Torvalds's avatar
      Merge tag 'arm-omap-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · f7db192b
      Linus Torvalds authored
      Pull ARM OMAP fixes from Arnd Bergmann:
       "The OMAP developers are particularly active at hunting down
        regressions, so this is a separate branch with OMAP specific
        fixes for v5.8:
      
        As Tony explains
          "The recent display subsystem (DSS) related platform data changes
           caused display related regressions for suspend and resume. Looks
           like I only tested suspend and resume before dropping the legacy
           platform data, and forgot to test it after dropping it. Turns out
           the main issue was that we no longer have platform code calling
           pm_runtime_suspend for DSS like we did for the legacy platform data
           case, and that fix is still being discussed on the dri-devel list
           and will get merged separately. The DSS related testing exposed a
           pile other other display related issues that also need fixing
           though":
      
         - Fix ti-sysc optional clock handling and reset status checks for
           devices that reset automatically in idle like DSS
      
         - Ignore ti-sysc clockactivity bit unless separately requested to
           avoid unexpected performance issues
      
         - Init ti-sysc framedonetv_irq to true and disable for am4
      
         - Avoid duplicate DSS reset for legacy mode with dts data
      
         - Remove LCD timings for am4 as they cause warnings now that we're
           using generic panels
      
        Other OMAP changes from Tony include:
      
         - Fix omap_prm reset deassert as we still have drivers setting the
           pm_runtime_irq_safe() flag
      
         - Flush posted write for ti-sysc enable and disable
      
         - Fix droid4 spi related errors with spi flags
      
         - Fix am335x USB range and a typo for softreset
      
         - Fix dra7 timer nodes for clocks for IPU and DSP
      
         - Drop duplicate mailboxes after mismerge for dra7
      
         - Prevent pocketgeagle header line signal from accidentally setting
           micro-SD write protection signal by removing the default mux
      
         - Fix NFSroot flakeyness after resume for duover by switching the
           smsc911x gpio interrupt to back to level sensitive
      
         - Fix regression for omap4 clockevent source after recent system
           timer changes
      
         - Yet another ethernet regression fix for the "rgmii" vs "rgmii-rxid"
           phy-mode
      
         - One patch to convert am3/am4 DT files to use the regular sdhci-omap
           driver instead of the old hsmmc driver, this was meant for the
           merge window but got lost in the process"
      
      * tag 'arm-omap-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (21 commits)
        ARM: dts: am5729: beaglebone-ai: fix rgmii phy-mode
        ARM: dts: Fix omap4 system timer source clocks
        ARM: dts: Fix duovero smsc interrupt for suspend
        ARM: dts: am335x-pocketbeagle: Fix mmc0 Write Protect
        Revert "bus: ti-sysc: Increase max softreset wait"
        ARM: dts: am437x-epos-evm: remove lcd timings
        ARM: dts: am437x-gp-evm: remove lcd timings
        ARM: dts: am437x-sk-evm: remove lcd timings
        ARM: dts: dra7-evm-common: Fix duplicate mailbox nodes
        ARM: dts: dra7: Fix timer nodes properly for timer_sys_ck clocks
        ARM: dts: Fix am33xx.dtsi ti,sysc-mask wrong softreset flag
        ARM: dts: Fix am33xx.dtsi USB ranges length
        bus: ti-sysc: Increase max softreset wait
        ARM: OMAP2+: Fix legacy mode dss_reset
        bus: ti-sysc: Fix uninitialized framedonetv_irq
        bus: ti-sysc: Ignore clockactivity unless specified as a quirk
        bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit
        ARM: dts: omap4-droid4: Fix spi configuration and increase rate
        bus: ti-sysc: Flush posted write on enable and disable
        soc: ti: omap-prm: use atomic iopoll instead of sleeping one
        ...
      f7db192b
    • Linus Torvalds's avatar
      Merge tag 'arm-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · e44b59cd
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Here are a couple of bug fixes, mostly for devicetree files
      
        NXP i.MX:
         - Use correct voltage on some i.MX8M board device trees to avoid
           hardware damage
         - Code fixes for a compiler warning and incorrect reference counting,
           both harmless.
         - Fix the i.MX8M SoC driver to correctly identify imx8mp
         - Fix watchdog configuration in imx6ul-kontron device tree.
      
        Broadcom:
         - A small regression fix for the Raspberry-Pi firmware driver
         - A Kconfig change to use the correct timer driver on Northstar
         - A DT fix for the Luxul XWC-2000 machine
         - Two more DT fixes for NSP SoCs
      
        STmicroelectronics STI
         - Revert one broken patch for L2 cache configuration
      
        ARM Versatile Express:
         - Fix a regression by reverting a broken DT cleanup
      
        TEE drivers:
         - MAINTAINERS: change tee mailing list"
      
      * tag 'arm-fixes-5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        Revert "ARM: sti: Implement dummy L2 cache's write_sec"
        soc: imx8m: fix build warning
        ARM: imx6: add missing put_device() call in imx6q_suspend_init()
        ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
        soc: imx8m: Correct i.MX8MP UID fuse offset
        ARM: dts: imx6ul-kontron: Change WDOG_ANY signal from push-pull to open-drain
        ARM: dts: imx6ul-kontron: Move watchdog from Kontron i.MX6UL/ULL board to SoM
        arm64: dts: imx8mm-beacon: Fix voltages on LDO1 and LDO2
        arm64: dts: imx8mn-ddr4-evk: correct ldo1/ldo2 voltage range
        arm64: dts: imx8mm-evk: correct ldo1/ldo2 voltage range
        ARM: dts: NSP: Correct FA2 mailbox node
        ARM: bcm2835: Fix integer overflow in rpi_firmware_print_firmware_revision()
        MAINTAINERS: change tee mailing list
        ARM: dts: NSP: Disable PL330 by default, add dma-coherent property
        ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP
        ARM: dts: BCM5301X: Add missing memory "device_type" for Luxul XWC-2000
        arm: dts: vexpress: Move mcc node back into motherboard node
      e44b59cd
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 668f532d
      Linus Torvalds authored
      Pull timer fix from Ingo Molnar:
       "A single DocBook fix"
      
      * tag 'timers-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        timekeeping: Fix kerneldoc system_device_crosststamp & al
      668f532d
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ae71d4bf
      Linus Torvalds authored
      Pull perf fix from Ingo Molnar:
       "A single Kbuild dependency fix"
      
      * tag 'perf-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/rapl: Fix RAPL config variable bug
      ae71d4bf
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · bc53f67d
      Linus Torvalds authored
      Pull EFI fixes from Ingo Molnar:
      
       - Fix build regression on v4.8 and older
      
       - Robustness fix for TPM log parsing code
      
       - kobject refcount fix for the ESRT parsing code
      
       - Two efivarfs fixes to make it behave more like an ordinary file
         system
      
       - Style fixup for zero length arrays
      
       - Fix a regression in path separator handling in the initrd loader
      
       - Fix a missing prototype warning
      
       - Add some kerneldoc headers for newly introduced stub routines
      
       - Allow support for SSDT overrides via EFI variables to be disabled
      
       - Report CPU mode and MMU state upon entry for 32-bit ARM
      
       - Use the correct stack pointer alignment when entering from mixed mode
      
      * tag 'efi-urgent-2020-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/libstub: arm: Print CPU boot mode and MMU state at boot
        efi/libstub: arm: Omit arch specific config table matching array on arm64
        efi/x86: Setup stack correctly for efi_pe_entry
        efi: Make it possible to disable efivar_ssdt entirely
        efi/libstub: Descriptions for stub helper functions
        efi/libstub: Fix path separator regression
        efi/libstub: Fix missing-prototype warning for skip_spaces()
        efi: Replace zero-length array and use struct_size() helper
        efivarfs: Don't return -EINTR when rate-limiting reads
        efivarfs: Update inode modification time for successful writes
        efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
        efi/tpm: Verify event log header before parsing
        efi/x86: Fix build with gcc 4
      bc53f67d
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 91a9a90d
      Linus Torvalds authored
      Pull scheduler fixes from Borislav Petkov:
       "The most anticipated fix in this pull request is probably the horrible
        build fix for the RANDSTRUCT fail that didn't make -rc2. Also included
        is the cleanup that removes those BUILD_BUG_ON()s and replaces it with
        ugly unions.
      
        Also included is the try_to_wake_up() race fix that was first
        triggered by Paul's RCU-torture runs, but was independently hit by
        Dave Chinner's fstest runs as well"
      
      * tag 'sched_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/cfs: change initial value of runnable_avg
        smp, irq_work: Continue smp_call_function*() and irq_work*() integration
        sched/core: s/WF_ON_RQ/WQ_ON_CPU/
        sched/core: Fix ttwu() race
        sched/core: Fix PI boosting between RT and DEADLINE tasks
        sched/deadline: Initialize ->dl_boosted
        sched/core: Check cpus_mask, not cpus_ptr in __set_cpus_allowed_ptr(), to fix mask corruption
        sched/core: Fix CONFIG_GCC_PLUGIN_RANDSTRUCT build fail
      91a9a90d
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 098c7938
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - AMD Memory bandwidth counter width fix, by Babu Moger.
      
       - Use the proper length type in the 32-bit truncate() syscall variant,
         by Jiri Slaby.
      
       - Reinit IA32_FEAT_CTL during wakeup to fix the case where after
         resume, VMXON would #GP due to VMX not being properly enabled, by
         Sean Christopherson.
      
       - Fix a static checker warning in the resctrl code, by Dan Carpenter.
      
       - Add a CR4 pinning mask for bits which cannot change after boot, by
         Kees Cook.
      
       - Align the start of the loop of __clear_user() to 16 bytes, to improve
         performance on AMD zen1 and zen2 microarchitectures, by Matt Fleming.
      
      * tag 'x86_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/asm/64: Align start of __clear_user() loop to 16-bytes
        x86/cpu: Use pinning mask for CR4 bits needing to be 0
        x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
        x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup
        syscalls: Fix offset type of ksys_ftruncate()
        x86/resctrl: Fix memory bandwidth counter width for AMD
      098c7938
    • Linus Torvalds's avatar
      Merge tag 'rcu_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c141b30e
      Linus Torvalds authored
      Pull RCU-vs-KCSAN fixes from Borislav Petkov:
       "A single commit that uses "arch_" atomic operations to avoid the
        instrumentation that comes with the non-"arch_" versions.
      
        In preparation for that commit, it also has another commit that makes
        these "arch_" atomic operations available to generic code.
      
        Without these commits, KCSAN uses can see pointless errors"
      
      * tag 'rcu_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rcu: Fixup noinstr warnings
        locking/atomics: Provide the arch_atomic_ interface to generic code
      c141b30e
    • Linus Torvalds's avatar
      Merge tag 'objtool_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7ecb59a5
      Linus Torvalds authored
      Pull objtool fixes from Borislav Petkov:
       "Three fixes from Peter Zijlstra suppressing KCOV instrumentation in
        noinstr sections.
      
        Peter Zijlstra says:
          "Address KCOV vs noinstr. There is no function attribute to
           selectively suppress KCOV instrumentation, instead teach objtool
           to NOP out the calls in noinstr functions"
      
        This cures a bunch of KCOV crashes (as used by syzcaller)"
      
      * tag 'objtool_urgent_for_5.8_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Fix noinstr vs KCOV
        objtool: Provide elf_write_{insn,reloc}()
        objtool: Clean up elf_write() condition
      7ecb59a5
    • Linus Torvalds's avatar
      Merge tag 'x86_entry_for_5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a358505d
      Linus Torvalds authored
      Pull x86 entry fixes from Borislav Petkov:
       "This is the x86/entry urgent pile which has accumulated since the
        merge window.
      
        It is not the smallest but considering the almost complete entry core
        rewrite, the amount of fixes to follow is somewhat higher than usual,
        which is to be expected.
      
        Peter Zijlstra says:
         'These patches address a number of instrumentation issues that were
          found after the x86/entry overhaul. When combined with rcu/urgent
          and objtool/urgent, these patches make UBSAN/KASAN/KCSAN happy
          again.
      
          Part of making this all work is bumping the minimum GCC version for
          KASAN builds to gcc-8.3, the reason for this is that the
          __no_sanitize_address function attribute is broken in GCC releases
          before that.
      
          No known GCC version has a working __no_sanitize_undefined, however
          because the only noinstr violation that results from this happens
          when an UB is found, we treat it like WARN. That is, we allow it to
          violate the noinstr rules in order to get the warning out'"
      
      * tag 'x86_entry_for_5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/entry: Fix #UD vs WARN more
        x86/entry: Increase entry_stack size to a full page
        x86/entry: Fixup bad_iret vs noinstr
        objtool: Don't consider vmlinux a C-file
        kasan: Fix required compiler version
        compiler_attributes.h: Support no_sanitize_undefined check with GCC 4
        x86/entry, bug: Comment the instrumentation_begin() usage for WARN()
        x86/entry, ubsan, objtool: Whitelist __ubsan_handle_*()
        x86/entry, cpumask: Provide non-instrumented variant of cpu_is_offline()
        compiler_types.h: Add __no_sanitize_{address,undefined} to noinstr
        kasan: Bump required compiler version
        x86, kcsan: Add __no_kcsan to noinstr
        kcsan: Remove __no_kcsan_or_inline
        x86, kcsan: Remove __no_kcsan_or_inline usage
      a358505d
    • Vincent Guittot's avatar
      sched/cfs: change initial value of runnable_avg · e21cf434
      Vincent Guittot authored
      Some performance regression on reaim benchmark have been raised with
        commit 070f5e86 ("sched/fair: Take into account runnable_avg to classify group")
      
      The problem comes from the init value of runnable_avg which is initialized
      with max value. This can be a problem if the newly forked task is finally
      a short task because the group of CPUs is wrongly set to overloaded and
      tasks are pulled less agressively.
      
      Set initial value of runnable_avg equals to util_avg to reflect that there
      is no waiting time so far.
      
      Fixes: 070f5e86 ("sched/fair: Take into account runnable_avg to classify group")
      Reported-by: default avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: default avatarVincent Guittot <vincent.guittot@linaro.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20200624154422.29166-1-vincent.guittot@linaro.org
      e21cf434
    • Peter Zijlstra's avatar
      smp, irq_work: Continue smp_call_function*() and irq_work*() integration · 8c4890d1
      Peter Zijlstra authored
      Instead of relying on BUG_ON() to ensure the various data structures
      line up, use a bunch of horrible unions to make it all automatic.
      
      Much of the union magic is to ensure irq_work and smp_call_function do
      not (yet) see the members of their respective data structures change
      name.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarFrederic Weisbecker <frederic@kernel.org>
      Link: https://lkml.kernel.org/r/20200622100825.844455025@infradead.org
      8c4890d1
    • Peter Zijlstra's avatar
      sched/core: s/WF_ON_RQ/WQ_ON_CPU/ · 739f70b4
      Peter Zijlstra authored
      Use a better name for this poorly named flag, to avoid confusion...
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Link: https://lkml.kernel.org/r/20200622100825.785115830@infradead.org
      739f70b4
    • Peter Zijlstra's avatar
      sched/core: Fix ttwu() race · b6e13e85
      Peter Zijlstra authored
      Paul reported rcutorture occasionally hitting a NULL deref:
      
        sched_ttwu_pending()
          ttwu_do_wakeup()
            check_preempt_curr() := check_preempt_wakeup()
              find_matching_se()
                is_same_group()
                  if (se->cfs_rq == pse->cfs_rq) <-- *BOOM*
      
      Debugging showed that this only appears to happen when we take the new
      code-path from commit:
      
        2ebb1771 ("sched/core: Offload wakee task activation if it the wakee is descheduling")
      
      and only when @cpu == smp_processor_id(). Something which should not
      be possible, because p->on_cpu can only be true for remote tasks.
      Similarly, without the new code-path from commit:
      
        c6e7bd7a ("sched/core: Optimize ttwu() spinning on p->on_cpu")
      
      this would've unconditionally hit:
      
        smp_cond_load_acquire(&p->on_cpu, !VAL);
      
      and if: 'cpu == smp_processor_id() && p->on_cpu' is possible, this
      would result in an instant live-lock (with IRQs disabled), something
      that hasn't been reported.
      
      The NULL deref can be explained however if the task_cpu(p) load at the
      beginning of try_to_wake_up() returns an old value, and this old value
      happens to be smp_processor_id(). Further assume that the p->on_cpu
      load accurately returns 1, it really is still running, just not here.
      
      Then, when we enqueue the task locally, we can crash in exactly the
      observed manner because p->se.cfs_rq != rq->cfs_rq, because p's cfs_rq
      is from the wrong CPU, therefore we'll iterate into the non-existant
      parents and NULL deref.
      
      The closest semi-plausible scenario I've managed to contrive is
      somewhat elaborate (then again, actual reproduction takes many CPU
      hours of rcutorture, so it can't be anything obvious):
      
      					X->cpu = 1
      					rq(1)->curr = X
      
      	CPU0				CPU1				CPU2
      
      					// switch away from X
      					LOCK rq(1)->lock
      					smp_mb__after_spinlock
      					dequeue_task(X)
      					  X->on_rq = 9
      					switch_to(Z)
      					  X->on_cpu = 0
      					UNLOCK rq(1)->lock
      
      									// migrate X to cpu 0
      									LOCK rq(1)->lock
      									dequeue_task(X)
      									set_task_cpu(X, 0)
      									  X->cpu = 0
      									UNLOCK rq(1)->lock
      
      									LOCK rq(0)->lock
      									enqueue_task(X)
      									  X->on_rq = 1
      									UNLOCK rq(0)->lock
      
      	// switch to X
      	LOCK rq(0)->lock
      	smp_mb__after_spinlock
      	switch_to(X)
      	  X->on_cpu = 1
      	UNLOCK rq(0)->lock
      
      	// X goes sleep
      	X->state = TASK_UNINTERRUPTIBLE
      	smp_mb();			// wake X
      					ttwu()
      					  LOCK X->pi_lock
      					  smp_mb__after_spinlock
      
      					  if (p->state)
      
      					  cpu = X->cpu; // =? 1
      
      					  smp_rmb()
      
      	// X calls schedule()
      	LOCK rq(0)->lock
      	smp_mb__after_spinlock
      	dequeue_task(X)
      	  X->on_rq = 0
      
      					  if (p->on_rq)
      
      					  smp_rmb();
      
      					  if (p->on_cpu && ttwu_queue_wakelist(..)) [*]
      
      					  smp_cond_load_acquire(&p->on_cpu, !VAL)
      
      					  cpu = select_task_rq(X, X->wake_cpu, ...)
      					  if (X->cpu != cpu)
      	switch_to(Y)
      	  X->on_cpu = 0
      	UNLOCK rq(0)->lock
      
      However I'm having trouble convincing myself that's actually possible
      on x86_64 -- after all, every LOCK implies an smp_mb() there, so if ttwu
      observes ->state != RUNNING, it must also observe ->cpu != 1.
      
      (Most of the previous ttwu() races were found on very large PowerPC)
      
      Nevertheless, this fully explains the observed failure case.
      
      Fix it by ordering the task_cpu(p) load after the p->on_cpu load,
      which is easy since nothing actually uses @cpu before this.
      
      Fixes: c6e7bd7a ("sched/core: Optimize ttwu() spinning on p->on_cpu")
      Reported-by: default avatarPaul E. McKenney <paulmck@kernel.org>
      Tested-by: default avatarPaul E. McKenney <paulmck@kernel.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lkml.kernel.org/r/20200622125649.GC576871@hirez.programming.kicks-ass.net
      b6e13e85
    • Juri Lelli's avatar
      sched/core: Fix PI boosting between RT and DEADLINE tasks · 740797ce
      Juri Lelli authored
      syzbot reported the following warning:
      
       WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628
       enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504
      
      At deadline.c:628 we have:
      
       623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
       624 {
       625 	struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
       626 	struct rq *rq = rq_of_dl_rq(dl_rq);
       627
       628 	WARN_ON(dl_se->dl_boosted);
       629 	WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
              [...]
           }
      
      Which means that setup_new_dl_entity() has been called on a task
      currently boosted. This shouldn't happen though, as setup_new_dl_entity()
      is only called when the 'dynamic' deadline of the new entity
      is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this
      condition.
      
      Digging through the PI code I noticed that what above might in fact happen
      if an RT tasks blocks on an rt_mutex hold by a DEADLINE task. In the
      first branch of boosting conditions we check only if a pi_task 'dynamic'
      deadline is earlier than mutex holder's and in this case we set mutex
      holder to be dl_boosted. However, since RT 'dynamic' deadlines are only
      initialized if such tasks get boosted at some point (or if they become
      DEADLINE of course), in general RT 'dynamic' deadlines are usually equal
      to 0 and this verifies the aforementioned condition.
      
      Fix it by checking that the potential donor task is actually (even if
      temporary because in turn boosted) running at DEADLINE priority before
      using its 'dynamic' deadline value.
      
      Fixes: 2d3d891d ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
      Reported-by: syzbot+119ba87189432ead09b4@syzkaller.appspotmail.com
      Signed-off-by: default avatarJuri Lelli <juri.lelli@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      Tested-by: default avatarDaniel Wagner <dwagner@suse.de>
      Link: https://lkml.kernel.org/r/20181119153201.GB2119@localhost.localdomain
      740797ce
    • Juri Lelli's avatar
      sched/deadline: Initialize ->dl_boosted · ce9bc3b2
      Juri Lelli authored
      syzbot reported the following warning triggered via SYSC_sched_setattr():
      
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 setup_new_dl_entity /kernel/sched/deadline.c:594 [inline]
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_dl_entity /kernel/sched/deadline.c:1370 [inline]
        WARNING: CPU: 0 PID: 6973 at kernel/sched/deadline.c:593 enqueue_task_dl+0x1c17/0x2ba0 /kernel/sched/deadline.c:1441
      
      This happens because the ->dl_boosted flag is currently not initialized by
      __dl_clear_params() (unlike the other flags) and setup_new_dl_entity()
      rightfully complains about it.
      
      Initialize dl_boosted to 0.
      
      Fixes: 2d3d891d ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
      Reported-by: syzbot+5ac8bac25f95e8b221e7@syzkaller.appspotmail.com
      Signed-off-by: default avatarJuri Lelli <juri.lelli@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Tested-by: default avatarDaniel Wagner <dwagner@suse.de>
      Link: https://lkml.kernel.org/r/20200617072919.818409-1-juri.lelli@redhat.com
      ce9bc3b2