1. 26 Jul, 2019 20 commits
  2. 21 Jul, 2019 20 commits
    • Greg Kroah-Hartman's avatar
      Linux 5.1.19 · 0d4f1b2a
      Greg Kroah-Hartman authored
      0d4f1b2a
    • Jiri Slaby's avatar
      x86/entry/32: Fix ENDPROC of common_spurious · 0e921583
      Jiri Slaby authored
      [ Upstream commit 1cbec37b ]
      
      common_spurious is currently ENDed erroneously. common_interrupt is used
      in its ENDPROC. So fix this mistake.
      
      Found by my asm macros rewrite patchset.
      
      Fixes: f8a8fe61 ("x86/irq: Seperate unused system vectors from spurious entry again")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190709063402.19847-1-jslaby@suse.czSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      0e921583
    • Haren Myneni's avatar
      crypto/NX: Set receive window credits to max number of CRBs in RxFIFO · 845912c3
      Haren Myneni authored
      commit e52d484d upstream.
      
      System gets checkstop if RxFIFO overruns with more requests than the
      maximum possible number of CRBs in FIFO at the same time. The max number
      of requests per window is controlled by window credits. So find max
      CRBs from FIFO size and set it to receive window credits.
      
      Fixes: b0d6c9ba ("crypto/nx: Add P9 NX support for 842 compression engine")
      CC: stable@vger.kernel.org # v4.14+
      Signed-off-by: default avatarHaren Myneni <haren@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      845912c3
    • Christophe Leroy's avatar
      crypto: talitos - fix hash on SEC1. · 5b7e0364
      Christophe Leroy authored
      commit 58cdbc6d upstream.
      
      On SEC1, hash provides wrong result when performing hashing in several
      steps with input data SG list has more than one element. This was
      detected with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS:
      
      [   44.185947] alg: hash: md5-talitos test failed (wrong result) on test vector 6, cfg="random: may_sleep use_finup src_divs=[<reimport>25.88%@+8063, <flush>24.19%@+9588, 28.63%@+16333, <reimport>4.60%@+6756, 16.70%@+16281] dst_divs=[71.61%@alignmask+16361, 14.36%@+7756, 14.3%@+"
      [   44.325122] alg: hash: sha1-talitos test failed (wrong result) on test vector 3, cfg="random: inplace use_final src_divs=[<flush,nosimd>16.56%@+16378, <reimport>52.0%@+16329, 21.42%@alignmask+16380, 10.2%@alignmask+16380] iv_offset=39"
      [   44.493500] alg: hash: sha224-talitos test failed (wrong result) on test vector 4, cfg="random: use_final nosimd src_divs=[<reimport>52.27%@+7401, <reimport>17.34%@+16285, <flush>17.71%@+26, 12.68%@+10644] iv_offset=43"
      [   44.673262] alg: hash: sha256-talitos test failed (wrong result) on test vector 4, cfg="random: may_sleep use_finup src_divs=[<reimport>60.6%@+12790, 17.86%@+1329, <reimport>12.64%@alignmask+16300, 8.29%@+15, 0.40%@+13506, <reimport>0.51%@+16322, <reimport>0.24%@+16339] dst_divs"
      
      This is due to two issues:
      - We have an overlap between the buffer used for copying the input
      data (SEC1 doesn't do scatter/gather) and the chained descriptor.
      - Data copy is wrong when the previous hash left less than one
      blocksize of data to hash, implying a complement of the previous
      block with a few bytes from the new request.
      
      Fix it by:
      - Moving the second descriptor after the buffer, as moving the buffer
      after the descriptor would make it more complex for other cipher
      operations (AEAD, ABLKCIPHER)
      - Skip the bytes taken from the new request to complete the previous
      one by moving the SG list forward.
      
      Fixes: 37b5e889 ("crypto: talitos - chain in buffered data for ahash on SEC1")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b7e0364
    • Christophe Leroy's avatar
      crypto: talitos - move struct talitos_edesc into talitos.h · 5da29258
      Christophe Leroy authored
      commit d44769e4 upstream.
      
      Moves struct talitos_edesc into talitos.h so that it can be used
      from any place in talitos.c
      
      It will be required for next patch ("crypto: talitos - fix hash
      on SEC1")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5da29258
    • Julian Wiedmann's avatar
      s390/qdio: don't touch the dsci in tiqdio_add_input_queues() · 9ca71f3d
      Julian Wiedmann authored
      commit ac6639cd upstream.
      
      Current code sets the dsci to 0x00000080. Which doesn't make any sense,
      as the indicator area is located in the _left-most_ byte.
      
      Worse: if the dsci is the _shared_ indicator, this potentially clears
      the indication of activity for a _different_ device.
      tiqdio_thinint_handler() will then have no reason to call that device's
      IRQ handler, and the device ends up stalling.
      
      Fixes: d0c9d4a8 ("[S390] qdio: set correct bit in dsci")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ca71f3d
    • Julian Wiedmann's avatar
      s390/qdio: (re-)initialize tiqdio list entries · 1f5dcaa9
      Julian Wiedmann authored
      commit e54e4785 upstream.
      
      When tiqdio_remove_input_queues() removes a queue from the tiq_list as
      part of qdio_shutdown(), it doesn't re-initialize the queue's list entry
      and the prev/next pointers go stale.
      
      If a subsequent qdio_establish() fails while sending the ESTABLISH cmd,
      it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and
      tiqdio_remove_input_queues() will attempt to remove the queue entry a
      second time. This dereferences the stale pointers, and bad things ensue.
      Fix this by re-initializing the list entry after removing it from the
      list.
      
      For good practice also initialize the list entry when the queue is first
      allocated, and remove the quirky checks that papered over this omission.
      Note that prior to
      commit e5218134 ("s390/qdio: fix access to uninitialized qdio_q fields"),
      these checks were bogus anyway.
      
      setup_queues_misc() clears the whole queue struct, and thus needs to
      re-init the prev/next pointers as well.
      
      Fixes: 779e6e1c ("[S390] qdio: new qdio driver.")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f5dcaa9
    • Heiko Carstens's avatar
      s390: fix stfle zero padding · d6e7f5e8
      Heiko Carstens authored
      commit 4f18d869 upstream.
      
      The stfle inline assembly returns the number of double words written
      (condition code 0) or the double words it would have written
      (condition code 3), if the memory array it got as parameter would have
      been large enough.
      
      The current stfle implementation assumes that the array is always
      large enough and clears those parts of the array that have not been
      written to with a subsequent memset call.
      
      If however the array is not large enough memset will get a negative
      length parameter, which means that memset clears memory until it gets
      an exception and the kernel crashes.
      
      To fix this simply limit the maximum length. Move also the inline
      assembly to an extra function to avoid clobbering of register 0, which
      might happen because of the added min_t invocation together with code
      instrumentation.
      
      The bug was introduced with commit 14375bc4 ("[S390] cleanup
      facility list handling") but was rather harmless, since it would only
      write to a rather large array. It became a potential problem with
      commit 3ab121ab ("[S390] kernel: Add z/VM LGR detection"). Since
      then it writes to an array with only four double words, while some
      machines already deliver three double words. As soon as machines have
      a facility bit within the fifth double a crash on IPL would happen.
      
      Fixes: 14375bc4 ("[S390] cleanup facility list handling")
      Cc: <stable@vger.kernel.org> # v2.6.37+
      Reviewed-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6e7f5e8
    • Arnd Bergmann's avatar
      ARC: hide unused function unw_hdr_alloc · d6d65a2f
      Arnd Bergmann authored
      commit fd5de272 upstream.
      
      As kernelci.org reports, this function is not used in
      vdk_hs38_defconfig:
      
      arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function]
      
      Fixes: bc79c9a7 ("ARC: dw2 unwind: Reinstante unwinding out of modules")
      Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6d65a2f
    • Thomas Gleixner's avatar
      x86/irq: Seperate unused system vectors from spurious entry again · 4ac89364
      Thomas Gleixner authored
      commit f8a8fe61 upstream.
      
      Quite some time ago the interrupt entry stubs for unused vectors in the
      system vector range got removed and directly mapped to the spurious
      interrupt vector entry point.
      
      Sounds reasonable, but it's subtly broken. The spurious interrupt vector
      entry point pushes vector number 0xFF on the stack which makes the whole
      logic in __smp_spurious_interrupt() pointless.
      
      As a consequence any spurious interrupt which comes from a vector != 0xFF
      is treated as a real spurious interrupt (vector 0xFF) and not
      acknowledged. That subsequently stalls all interrupt vectors of equal and
      lower priority, which brings the system to a grinding halt.
      
      This can happen because even on 64-bit the system vector space is not
      guaranteed to be fully populated. A full compile time handling of the
      unused vectors is not possible because quite some of them are conditonally
      populated at runtime.
      
      Bring the entry stubs back, which wastes 160 bytes if all stubs are unused,
      but gains the proper handling back. There is no point to selectively spare
      some of the stubs which are known at compile time as the required code in
      the IDT management would be way larger and convoluted.
      
      Do not route the spurious entries through common_interrupt and do_IRQ() as
      the original code did. Route it to smp_spurious_interrupt() which evaluates
      the vector number and acts accordingly now that the real vector numbers are
      handed in.
      
      Fixup the pr_warn so the actual spurious vector (0xff) is clearly
      distiguished from the other vectors and also note for the vectored case
      whether it was pending in the ISR or not.
      
       "Spurious APIC interrupt (vector 0xFF) on CPU#0, should never happen."
       "Spurious interrupt vector 0xed on CPU#1. Acked."
       "Spurious interrupt vector 0xee on CPU#1. Not pending!."
      
      Fixes: 2414e021 ("x86: Avoid building unused IRQ entry stubs")
      Reported-by: default avatarJan Kiszka <jan.kiszka@siemens.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Jan Beulich <jbeulich@suse.com>
      Link: https://lkml.kernel.org/r/20190628111440.550568228@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ac89364
    • Thomas Gleixner's avatar
      x86/irq: Handle spurious interrupt after shutdown gracefully · 3fa8d2a7
      Thomas Gleixner authored
      commit b7107a67 upstream.
      
      Since the rework of the vector management, warnings about spurious
      interrupts have been reported. Robert provided some more information and
      did an initial analysis. The following situation leads to these warnings:
      
         CPU 0                  CPU 1               IO_APIC
      
                                                    interrupt is raised
                                                    sent to CPU1
      			  Unable to handle
      			  immediately
      			  (interrupts off,
      			   deep idle delay)
         mask()
         ...
         free()
           shutdown()
           synchronize_irq()
           clear_vector()
                                do_IRQ()
                                  -> vector is clear
      
      Before the rework the vector entries of legacy interrupts were statically
      assigned and occupied precious vector space while most of them were
      unused. Due to that the above situation was handled silently because the
      vector was handled and the core handler of the assigned interrupt
      descriptor noticed that it is shut down and returned.
      
      While this has been usually observed with legacy interrupts, this situation
      is not limited to them. Any other interrupt source, e.g. MSI, can cause the
      same issue.
      
      After adding proper synchronization for level triggered interrupts, this
      can only happen for edge triggered interrupts where the IO-APIC obviously
      cannot provide information about interrupts in flight.
      
      While the spurious warning is actually harmless in this case it worries
      users and driver developers.
      
      Handle it gracefully by marking the vector entry as VECTOR_SHUTDOWN instead
      of VECTOR_UNUSED when the vector is freed up.
      
      If that above late handling happens the spurious detector will not complain
      and switch the entry to VECTOR_UNUSED. Any subsequent spurious interrupt on
      that line will trigger the spurious warning as before.
      
      Fixes: 464d1230 ("x86/vector: Switch IOAPIC to global reservation mode")
      Reported-by: default avatarRobert Hodaszi <Robert.Hodaszi@digi.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>-
      Tested-by: default avatarRobert Hodaszi <Robert.Hodaszi@digi.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/20190628111440.459647741@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3fa8d2a7
    • Thomas Gleixner's avatar
      x86/ioapic: Implement irq_get_irqchip_state() callback · 557f2d49
      Thomas Gleixner authored
      commit dfe0cf8b upstream.
      
      When an interrupt is shut down in free_irq() there might be an inflight
      interrupt pending in the IO-APIC remote IRR which is not yet serviced. That
      means the interrupt has been sent to the target CPUs local APIC, but the
      target CPU is in a state which delays the servicing.
      
      So free_irq() would proceed to free resources and to clear the vector
      because synchronize_hardirq() does not see an interrupt handler in
      progress.
      
      That can trigger a spurious interrupt warning, which is harmless and just
      confuses users, but it also can leave the remote IRR in a stale state
      because once the handler is invoked the interrupt resources might be freed
      already and therefore acknowledgement is not possible anymore.
      
      Implement the irq_get_irqchip_state() callback for the IO-APIC irq chip. The
      callback is invoked from free_irq() via __synchronize_hardirq(). Check the
      remote IRR bit of the interrupt and return 'in flight' if it is set and the
      interrupt is configured in level mode. For edge mode the remote IRR has no
      meaning.
      
      As this is only meaningful for level triggered interrupts this won't cure
      the potential spurious interrupt warning for edge triggered interrupts, but
      the edge trigger case does not result in stale hardware state. This has to
      be addressed at the vector/interrupt entry level seperately.
      
      Fixes: 464d1230 ("x86/vector: Switch IOAPIC to global reservation mode")
      Reported-by: default avatarRobert Hodaszi <Robert.Hodaszi@digi.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/20190628111440.370295517@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      557f2d49
    • Thomas Gleixner's avatar
      genirq: Add optional hardware synchronization for shutdown · b9926c40
      Thomas Gleixner authored
      commit 62e04686 upstream.
      
      free_irq() ensures that no hardware interrupt handler is executing on a
      different CPU before actually releasing resources and deactivating the
      interrupt completely in a domain hierarchy.
      
      But that does not catch the case where the interrupt is on flight at the
      hardware level but not yet serviced by the target CPU. That creates an
      interesing race condition:
      
         CPU 0                  CPU 1               IRQ CHIP
      
                                                    interrupt is raised
                                                    sent to CPU1
      			  Unable to handle
      			  immediately
      			  (interrupts off,
      			   deep idle delay)
         mask()
         ...
         free()
           shutdown()
           synchronize_irq()
           release_resources()
                                do_IRQ()
                                  -> resources are not available
      
      That might be harmless and just trigger a spurious interrupt warning, but
      some interrupt chips might get into a wedged state.
      
      Utilize the existing irq_get_irqchip_state() callback for the
      synchronization in free_irq().
      
      synchronize_hardirq() is not using this mechanism as it might actually
      deadlock unter certain conditions, e.g. when called with interrupts
      disabled and the target CPU is the one on which the synchronization is
      invoked. synchronize_irq() uses it because that function cannot be called
      from non preemtible contexts as it might sleep.
      
      No functional change intended and according to Marc the existing GIC
      implementations where the driver supports the callback should be able
      to cope with that core change. Famous last words.
      
      Fixes: 464d1230 ("x86/vector: Switch IOAPIC to global reservation mode")
      Reported-by: default avatarRobert Hodaszi <Robert.Hodaszi@digi.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Tested-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/20190628111440.279463375@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9926c40
    • Thomas Gleixner's avatar
      genirq: Fix misleading synchronize_irq() documentation · cd022296
      Thomas Gleixner authored
      commit 1d21f2af upstream.
      
      The function might sleep, so it cannot be called from interrupt
      context. Not even with care.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/20190628111440.189241552@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd022296
    • Thomas Gleixner's avatar
      genirq: Delay deactivation in free_irq() · 284f5105
      Thomas Gleixner authored
      commit 4001d8e8 upstream.
      
      When interrupts are shutdown, they are immediately deactivated in the
      irqdomain hierarchy. While this looks obviously correct there is a subtle
      issue:
      
      There might be an interrupt in flight when free_irq() is invoking the
      shutdown. This is properly handled at the irq descriptor / primary handler
      level, but the deactivation might completely disable resources which are
      required to acknowledge the interrupt.
      
      Split the shutdown code and deactivate the interrupt after synchronization
      in free_irq(). Fixup all other usage sites where this is not an issue to
      invoke the combined shutdown_and_deactivate() function instead.
      
      This still might be an issue if the interrupt in flight servicing is
      delayed on a remote CPU beyond the invocation of synchronize_irq(), but
      that cannot be handled at that level and needs to be handled in the
      synchronize_irq() context.
      
      Fixes: f8264e34 ("irqdomain: Introduce new interfaces to support hierarchy irqdomains")
      Reported-by: default avatarRobert Hodaszi <Robert.Hodaszi@digi.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/20190628111440.098196390@linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      284f5105
    • Vinod Koul's avatar
      linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL · cbf12566
      Vinod Koul authored
      [ Upstream commit 8f9fab48 ]
      
      DIV_ROUND_UP_ULL adds the two arguments and then invokes
      DIV_ROUND_DOWN_ULL.  But on a 32bit system the addition of two 32 bit
      values can overflow.  DIV_ROUND_DOWN_ULL does it correctly and stashes
      the addition into a unsigned long long so cast the result to unsigned
      long long here to avoid the overflow condition.
      
      [akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval]
      Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.orgSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cbf12566
    • Andrea Arcangeli's avatar
      fork,memcg: alloc_thread_stack_node needs to set tsk->stack · e97fe6ea
      Andrea Arcangeli authored
      [ Upstream commit 1bf4580e ]
      
      Commit 5eed6f1d ("fork,memcg: fix crash in free_thread_stack on
      memcg charge fail") corrected two instances, but there was a third
      instance of this bug.
      
      Without setting tsk->stack, if memcg_charge_kernel_stack fails, it'll
      execute free_thread_stack() on a dangling pointer.
      
      Enterprise kernels are compiled with VMAP_STACK=y so this isn't
      critical, but custom VMAP_STACK=n builds should have some performance
      advantage, with the drawback of risking to fail fork because compaction
      didn't succeed.  So as long as VMAP_STACK=n is a supported option it's
      worth fixing it upstream.
      
      Link: http://lkml.kernel.org/r/20190619011450.28048-1-aarcange@redhat.com
      Fixes: 9b6f7e16 ("mm: rework memcg kernel stack accounting")
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Reviewed-by: default avatarRik van Riel <riel@surriel.com>
      Acked-by: default avatarRoman Gushchin <guro@fb.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e97fe6ea
    • Yafang Shao's avatar
      mm/oom_kill.c: fix uninitialized oc->constraint · 1451f564
      Yafang Shao authored
      [ Upstream commit 432b1de0 ]
      
      In dump_oom_summary() oc->constraint is used to show oom_constraint_text,
      but it hasn't been set before.  So the value of it is always the default
      value 0.  We should inititialize it before.
      
      Bellow is the output when memcg oom occurs,
      
      before this patch:
        oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=7997,uid=0
      
      after this patch:
        oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=13681,uid=0
      
      Link: http://lkml.kernel.org/r/1560522038-15879-1-git-send-email-laoar.shao@gmail.com
      Fixes: ef8444ea ("mm, oom: reorganize the oom report in dump_header")
      Signed-off-by: default avatarYafang Shao <laoar.shao@gmail.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Wind Yu <yuzhoujian@didichuxing.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1451f564
    • Nicolas Boichat's avatar
      pinctrl: mediatek: Update cur_mask in mask/mask ops · 056432be
      Nicolas Boichat authored
      [ Upstream commit 9d957a95 ]
      
      During suspend/resume, mtk_eint_mask may be called while
      wake_mask is active. For example, this happens if a wake-source
      with an active interrupt handler wakes the system:
      irq/pm.c:irq_pm_check_wakeup would disable the interrupt, so
      that it can be handled later on in the resume flow.
      
      However, this may happen before mtk_eint_do_resume is called:
      in this case, wake_mask is loaded, and cur_mask is restored
      from an older copy, re-enabling the interrupt, and causing
      an interrupt storm (especially for level interrupts).
      
      Step by step, for a line that has both wake and interrupt enabled:
       1. cur_mask[irq] = 1; wake_mask[irq] = 1; EINT_EN[irq] = 1 (interrupt
          enabled at hardware level)
       2. System suspends, resumes due to that line (at this stage EINT_EN
          == wake_mask)
       3. irq_pm_check_wakeup is called, and disables the interrupt =>
          EINT_EN[irq] = 0, but we still have cur_mask[irq] = 1
       4. mtk_eint_do_resume is called, and restores EINT_EN = cur_mask, so
          it reenables EINT_EN[irq] = 1 => interrupt storm as the driver
          is not yet ready to handle the interrupt.
      
      This patch fixes the issue in step 3, by recording all mask/unmask
      changes in cur_mask. This also avoids the need to read the current
      mask in eint_do_suspend, and we can remove mtk_eint_chip_read_mask
      function.
      
      The interrupt will be re-enabled properly later on, sometimes after
      mtk_eint_do_resume, when the driver is ready to handle it.
      
      Fixes: 58a5e1b6 ("pinctrl: mediatek: Implement wake handler and suspend resume")
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Acked-by: default avatarSean Wang <sean.wang@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      056432be
    • Eiichi Tsukata's avatar
      cpu/hotplug: Fix out-of-bounds read when setting fail state · 2970a554
      Eiichi Tsukata authored
      [ Upstream commit 33d4a5a7 ]
      
      Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail
      can control `struct cpuhp_step *sp` address, results in the following
      global-out-of-bounds read.
      
      Reproducer:
      
        # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail
      
      KASAN report:
      
        BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0
        Read of size 8 at addr ffffffff89734438 by task bash/1941
      
        CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31
        Call Trace:
         write_cpuhp_fail+0x2cd/0x2e0
         dev_attr_store+0x58/0x80
         sysfs_kf_write+0x13d/0x1a0
         kernfs_fop_write+0x2bc/0x460
         vfs_write+0x1e1/0x560
         ksys_write+0x126/0x250
         do_syscall_64+0xc1/0x390
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f05e4f4c970
      
        The buggy address belongs to the variable:
         cpu_hotplug_lock+0x98/0xa0
      
        Memory state around the buggy address:
         ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
         ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
                                                ^
         ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Add a sanity check for the value written from user space.
      
      Fixes: 1db49484 ("smp/hotplug: Hotplug state fail injection")
      Signed-off-by: default avatarEiichi Tsukata <devel@etsukata.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: peterz@infradead.org
      Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2970a554