1. 23 Feb, 2019 3 commits
  2. 22 Feb, 2019 3 commits
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-02-22' of git://anongit.freedesktop.org/drm/drm · 6ee2846c
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This contains a single i915 tiled display fix, and a set of
        amdgpu/radeon fixes.
      
        i915:
      
         - tiled display fix
      
        amdgpu/radeon:
      
         - runtime PM fix
      
         - bulk moves disable (fix is too large for 5.0)
      
         - a set of display fixes that are all cc'ed stable so we didn't want
           to leave them until -next"
      
      * tag 'drm-fixes-2019-02-22' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu: disable bulk moves for now
        drm/amd/display: set clocks to 0 on suspend on dce80
        drm/amd/display: fix optimize_bandwidth func pointer for dce80
        drm/amd/display: Fix negative cursor pos programming
        drm/i915/fbdev: Actually configure untiled displays
        drm/amd/display: Raise dispclk value for dce11
        drm/amd/display: Fix MST reboot/poweroff sequence
        drm/amdgpu: Update sdma golden setting for vega20
        drm/amdgpu: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime
        gpu: drm: radeon: Set DPM_FLAG_NEVER_SKIP when enabling PM-runtime
      6ee2846c
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 168bd298
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Small set of three regression fixing patches, things are looking
        pretty good here.
      
         - Fix cxgb4 to work again with non-4k page sizes
      
         - NULL pointer oops in SRP during sg_reset"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        iw_cxgb4: cq/qp mask depends on bar2 pages in a host page
        cxgb4: Export sge_host_page_size to ulds
        RDMA/srp: Rework SCSI device reset handling
      168bd298
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · a3504f7a
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A few more fixes for clk drivers causing regressions this release.
      
        Two Allwinner index fixes for A31 and V3 and two Microchip AT91 fixes
        for an incorrect clk parent linkage and a miscalculated number of
        clks"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: at91: fix masterck name
        clk: at91: fix at91sam9x5 peripheral clock number
        clk: sunxi: A31: Fix wrong AHB gate number
        clk: sunxi-ng: v3s: Fix TCON reset de-assert bit
      a3504f7a
  3. 21 Feb, 2019 34 commits
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-5.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 019276ed
      Dave Airlie authored
      A bit bigger than normal for this week due to fixes for some long
      standing display issues that are bound for stable.  These changes would
      be going to stable anyway, so I figured it was better via 5.0 than 5.1.
      - Several display fixes
      - Fix PX systems due to core changes in runtime pm
      - Disable bulk moves.  They are fixed in 5.1, but fix is too invasive for 5.0
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190220225715.3240-1-alexander.deucher@amd.com
      019276ed
    • Vineet Gupta's avatar
      ARCv2: don't assume core 0x54 has dual issue · 7b2e932f
      Vineet Gupta authored
      The first release of core4 (0x54) was dual issue only (HS4x).
      Newer releases allow hardware to be configured as single issue (HS3x)
      or dual issue.
      
      Prevent accessing a HS4x only aux register in HS3x, which otherwise
      leads to illegal instruction exceptions
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      7b2e932f
    • Helge Deller's avatar
      CREDITS/MAINTAINERS: Retire parisc-linux.org email domain · 71d73a0b
      Helge Deller authored
      Retire the parisc-linux.org email domain and provide alternative email
      addresses for the remaining users, as agreed upon with them.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      71d73a0b
    • Dmitry V. Levin's avatar
      parisc: Fix ptrace syscall number modification · b7dc5a07
      Dmitry V. Levin authored
      Commit 910cd32e ("parisc: Fix and enable seccomp filter support")
      introduced a regression in ptrace-based syscall tampering: when tracer
      changes syscall number to -1, the kernel fails to initialize %r28 with
      -ENOSYS and subsequently fails to return the error code of the failed
      syscall to userspace.
      
      This erroneous behaviour could be observed with a simple strace syscall
      fault injection command which is expected to print something like this:
      
      $ strace -a0 -ewrite -einject=write:error=enospc echo hello
      write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED)
      write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED)
      write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED)
      write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED)
      +++ exited with 1 +++
      
      After commit 910cd32e it loops printing
      something like this instead:
      
      write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0)
      ) = 0 (INJECTED)
      
      This bug was found by strace test suite.
      
      Fixes: 910cd32e ("parisc: Fix and enable seccomp filter support")
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: default avatarDmitry V. Levin <ldv@altlinux.org>
      Tested-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      b7dc5a07
    • Alexey Brodkin's avatar
      ARC: define ARCH_SLAB_MINALIGN = 8 · b6835ea7
      Alexey Brodkin authored
      The default value of ARCH_SLAB_MINALIGN in "include/linux/slab.h" is
      "__alignof__(unsigned long long)" which for ARC unexpectedly turns out
      to be 4. This is not a compiler bug, but as defined by ARC ABI [1]
      
      Thus slab allocator would allocate a struct which is 32-bit aligned,
      which is generally OK even if struct has long long members.
      There was however potetial problem when it had any atomic64_t which
      use LLOCKD/SCONDD instructions which are required by ISA to take
      64-bit addresses. This is the problem we ran into
      
      [    4.015732] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null)
      [    4.167881] Misaligned Access
      [    4.172356] Path: /bin/busybox.nosuid
      [    4.176004] CPU: 2 PID: 171 Comm: rm Not tainted 4.19.14-yocto-standard #1
      [    4.182851]
      [    4.182851] [ECR   ]: 0x000d0000 => Check Programmer's Manual
      [    4.190061] [EFA   ]: 0xbeaec3fc
      [    4.190061] [BLINK ]: ext4_delete_entry+0x210/0x234
      [    4.190061] [ERET  ]: ext4_delete_entry+0x13e/0x234
      [    4.202985] [STAT32]: 0x80080002 : IE K
      [    4.207236] BTA: 0x9009329c   SP: 0xbe5b1ec4  FP: 0x00000000
      [    4.212790] LPS: 0x9074b118  LPE: 0x9074b120 LPC: 0x00000000
      [    4.218348] r00: 0x00000040  r01: 0x00000021 r02: 0x00000001
      ...
      ...
      [    4.270510] Stack Trace:
      [    4.274510]   ext4_delete_entry+0x13e/0x234
      [    4.278695]   ext4_rmdir+0xe0/0x238
      [    4.282187]   vfs_rmdir+0x50/0xf0
      [    4.285492]   do_rmdir+0x9e/0x154
      [    4.288802]   EV_Trap+0x110/0x114
      
      The fix is to make sure slab allocations are 64-bit aligned.
      
      Do note that atomic64_t is __attribute__((aligned(8)) which means gcc
      does generate 64-bit aligned references, relative to beginning of
      container struct. However the issue is if the container itself is not
      64-bit aligned, atomic64_t ends up unaligned which is what this patch
      ensures.
      
      [1] https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/wiki/files/ARCv2_ABI.pdfSigned-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Cc: <stable@vger.kernel.org> # 4.8+
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      [vgupta: reworked changelog, added dependency on LL64+LLSC]
      b6835ea7
    • Eugeniy Paltsev's avatar
      ARC: enable uboot support unconditionally · 493a2f81
      Eugeniy Paltsev authored
      After reworking U-boot args handling code and adding paranoid
      arguments check we can eliminate CONFIG_ARC_UBOOT_SUPPORT and
      enable uboot support unconditionally.
      
      For JTAG case we can assume that core registers will come up
      reset value of 0 or in worst case we rely on user passing
      '-on=clear_regs' to Metaware debugger.
      
      Cc: stable@vger.kernel.org
      Tested-by: default avatarCorentin LABBE <clabbe@baylibre.com>
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      493a2f81
    • Eugeniy Paltsev's avatar
      ARC: U-boot: check arguments paranoidly · a66f2e57
      Eugeniy Paltsev authored
      Handle U-boot arguments paranoidly:
       * don't allow to pass unknown tag.
       * try to use external device tree blob only if corresponding tag
         (TAG_DTB) is set.
       * don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT.
      
      NOTE:
      If U-boot args are invalid we skip them and try to use embedded device
      tree blob. We can't panic on invalid U-boot args as we really pass
      invalid args due to bug in U-boot code.
      This happens if we don't provide external DTB to U-boot and
      don't set 'bootargs' U-boot environment variable (which is default
      case at least for HSDK board) In that case we will pass
      {r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid.
      
      While I'm at it refactor U-boot arguments handling code.
      
      Cc: stable@vger.kernel.org
      Tested-by: default avatarCorentin LABBE <clabbe@baylibre.com>
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      a66f2e57
    • Vineet Gupta's avatar
      ARCv2: support manual regfile save on interrupts · e494239a
      Vineet Gupta authored
      There's a hardware bug which affects the HSDK platform, triggered by
      micro-ops for auto-saving regfile on taken interrupt. The workaround is
      to inhibit autosave.
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      e494239a
    • Vineet Gupta's avatar
      ARC: uacces: remove lp_start, lp_end from clobber list · d5e3c55e
      Vineet Gupta authored
      Newer ARC gcc handles lp_start, lp_end in a different way and doesn't
      like them in the clobber list.
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      d5e3c55e
    • Eugeniy Paltsev's avatar
      ARC: fix actionpoints configuration detection · cdf92962
      Eugeniy Paltsev authored
      Fix reversed logic while actionpoints configuration (full/min)
      detection.
      
      Fixies: 7dd380c3 ("ARC: boot log: print Action point details")
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      cdf92962
    • Eugeniy Paltsev's avatar
      ARCv2: lib: memcpy: fix doing prefetchw outside of buffer · f8a15f97
      Eugeniy Paltsev authored
      ARCv2 optimized memcpy uses PREFETCHW instruction for prefetching the
      next cache line but doesn't ensure that the line is not past the end of
      the buffer. PRETECHW changes the line ownership and marks it dirty,
      which can cause data corruption if this area is used for DMA IO.
      
      Fix the issue by avoiding the PREFETCHW. This leads to performance
      degradation but it is OK as we'll introduce new memcpy implementation
      optimized for unaligned memory access using.
      
      We also cut off all PREFETCH instructions at they are quite useless
      here:
       * we call PREFETCH right before LOAD instruction call.
       * we copy 16 or 32 bytes of data (depending on CONFIG_ARC_HAS_LL64)
         in a main logical loop. so we call PREFETCH 4 times (or 2 times)
         for each L1 cache line (in case of 64B L1 cache Line which is
         default case). Obviously this is not optimal.
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      f8a15f97
    • Eugeniy Paltsev's avatar
      ARCv2: Enable unaligned access in early ASM code · 252f6e8e
      Eugeniy Paltsev authored
      It is currently done in arc_init_IRQ() which might be too late
      considering gcc 7.3.1 onwards (GNU 2018.03) generates unaligned
      memory accesses by default
      
      Cc: stable@vger.kernel.org #4.4+
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      [vgupta: rewrote changelog]
      252f6e8e
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.0-rc8' of git://github.com/ceph/ceph-client · 8a61716f
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Two bug fixes for old issues, both marked for stable"
      
      * tag 'ceph-for-5.0-rc8' of git://github.com/ceph/ceph-client:
        ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
        libceph: handle an empty authorize reply
      8a61716f
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · d6622d91
      Linus Torvalds authored
      Pull late arm64 fixes from Will Deacon:
       "Three small arm64 fixes for 5.0.
      
        They fix a build breakage with clang introduced in 4.20, an oversight
        in our sigframe restoration relating to the SSBS bit and a boot fix
        for systems with newer revisions of our interrupt controller.
      
        Summary:
      
         - Fix handling of PSTATE.SSBS bit in sigreturn()
      
         - Fix version checking of the GIC during early boot
      
         - Fix clang builds failing due to use of NEON in the crypto code"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Relax GIC version check during early boot
        arm64/neon: Disable -Wincompatible-pointer-types when building with Clang
        arm64: fix SSBS sanitization
      d6622d91
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 7c903253
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "23 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (23 commits)
        mm, memory_hotplug: fix off-by-one in is_pageblock_removable
        mm: don't let userspace spam allocations warnings
        slub: fix a crash with SLUB_DEBUG + KASAN_SW_TAGS
        kasan, slab: remove redundant kasan_slab_alloc hooks
        kasan, slab: make freelist stored without tags
        kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
        kasan: prevent tracing of tags.c
        kasan: fix random seed generation for tag-based mode
        tmpfs: fix link accounting when a tmpfile is linked in
        psi: avoid divide-by-zero crash inside virtual machines
        mm: handle lru_add_drain_all for UP properly
        mm, page_alloc: fix a division by zero error when boosting watermarks v2
        mm/debug.c: fix __dump_page() for poisoned pages
        proc, oom: do not report alien mms when setting oom_score_adj
        slub: fix SLAB_CONSISTENCY_CHECKS + KASAN_SW_TAGS
        kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED
        kasan, slub: fix conflicts with CONFIG_SLAB_FREELIST_HARDENED
        kasan, slub: move kasan_poison_slab hook before page_address
        kmemleak: account for tagged pointers when calculating pointer range
        kasan, kmemleak: pass tagged pointers to kmemleak
        ...
      7c903253
    • Michal Hocko's avatar
      mm, memory_hotplug: fix off-by-one in is_pageblock_removable · 891cb2a7
      Michal Hocko authored
      Rong Chen has reported the following boot crash:
      
          PGD 0 P4D 0
          Oops: 0000 [#1] PREEMPT SMP PTI
          CPU: 1 PID: 239 Comm: udevd Not tainted 5.0.0-rc4-00149-gefad4e47 #1
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
          RIP: 0010:page_mapping+0x12/0x80
          Code: 5d c3 48 89 df e8 0e ad 02 00 85 c0 75 da 89 e8 5b 5d c3 0f 1f 44 00 00 53 48 89 fb 48 8b 43 08 48 8d 50 ff a8 01 48 0f 45 da <48> 8b 53 08 48 8d 42 ff 83 e2 01 48 0f 44 c3 48 83 38 ff 74 2f 48
          RSP: 0018:ffff88801fa87cd8 EFLAGS: 00010202
          RAX: ffffffffffffffff RBX: fffffffffffffffe RCX: 000000000000000a
          RDX: fffffffffffffffe RSI: ffffffff820b9a20 RDI: ffff88801e5c0000
          RBP: 6db6db6db6db6db7 R08: ffff88801e8bb000 R09: 0000000001b64d13
          R10: ffff88801fa87cf8 R11: 0000000000000001 R12: ffff88801e640000
          R13: ffffffff820b9a20 R14: ffff88801f145258 R15: 0000000000000001
          FS:  00007fb2079817c0(0000) GS:ffff88801dd00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000000006 CR3: 000000001fa82000 CR4: 00000000000006a0
          Call Trace:
           __dump_page+0x14/0x2c0
           is_mem_section_removable+0x24c/0x2c0
           removable_show+0x87/0xa0
           dev_attr_show+0x25/0x60
           sysfs_kf_seq_show+0xba/0x110
           seq_read+0x196/0x3f0
           __vfs_read+0x34/0x180
           vfs_read+0xa0/0x150
           ksys_read+0x44/0xb0
           do_syscall_64+0x5e/0x4a0
           entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      and bisected it down to commit efad4e47 ("mm, memory_hotplug:
      is_mem_section_removable do not pass the end of a zone").
      
      The reason for the crash is that the mapping is garbage for poisoned
      (uninitialized) page.  This shouldn't happen as all pages in the zone's
      boundary should be initialized.
      
      Later debugging revealed that the actual problem is an off-by-one when
      evaluating the end_page.  'start_pfn + nr_pages' resp 'zone_end_pfn'
      refers to a pfn after the range and as such it might belong to a
      differen memory section.
      
      This along with CONFIG_SPARSEMEM then makes the loop condition
      completely bogus because a pointer arithmetic doesn't work for pages
      from two different sections in that memory model.
      
      Fix the issue by reworking is_pageblock_removable to be pfn based and
      only use struct page where necessary.  This makes the code slightly
      easier to follow and we will remove the problematic pointer arithmetic
      completely.
      
      Link: http://lkml.kernel.org/r/20190218181544.14616-1-mhocko@kernel.org
      Fixes: efad4e47 ("mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone")
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: <rong.a.chen@intel.com>
      Tested-by: <rong.a.chen@intel.com>
      Acked-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      891cb2a7
    • Daniel Vetter's avatar
      mm: don't let userspace spam allocations warnings · 6c8fcc09
      Daniel Vetter authored
      memdump_user usually gets fed unchecked userspace input.  Blasting a
      full backtrace into dmesg every time is a bit excessive - I'm not sure
      on the kernel rule in general, but at least in drm we're trying not to
      let unpriviledge userspace spam the logs freely.  Definitely not entire
      warning backtraces.
      
      It also means more filtering for our CI, because our testsuite exercises
      these corner cases and so hits these a lot.
      
      Link: http://lkml.kernel.org/r/20190220204058.11676-1-daniel.vetter@ffwll.chSigned-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Jan Stancek <jstancek@redhat.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Cc: Bartosz Golaszewski <brgl@bgdev.pl>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c8fcc09
    • Qian Cai's avatar
      slub: fix a crash with SLUB_DEBUG + KASAN_SW_TAGS · 6373dca1
      Qian Cai authored
      In process_slab(), "p = get_freepointer()" could return a tagged
      pointer, but "addr = page_address()" always return a native pointer.  As
      the result, slab_index() is messed up here,
      
          return (p - addr) / s->size;
      
      All other callers of slab_index() have the same situation where "addr"
      is from page_address(), so just need to untag "p".
      
          # cat /sys/kernel/slab/hugetlbfs_inode_cache/alloc_calls
      
          Unable to handle kernel paging request at virtual address 2bff808aa4856d48
          Mem abort info:
            ESR = 0x96000007
            Exception class = DABT (current EL), IL = 32 bits
            SET = 0, FnV = 0
            EA = 0, S1PTW = 0
          Data abort info:
            ISV = 0, ISS = 0x00000007
            CM = 0, WnR = 0
          swapper pgtable: 64k pages, 48-bit VAs, pgdp = 0000000002498338
          [2bff808aa4856d48] pgd=00000097fcfd0003, pud=00000097fcfd0003, pmd=00000097fca30003, pte=00e8008b24850712
          Internal error: Oops: 96000007 [#1] SMP
          CPU: 3 PID: 79210 Comm: read_all Tainted: G             L    5.0.0-rc7+ #84
          Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.0.6 07/10/2018
          pstate: 00400089 (nzcv daIf +PAN -UAO)
          pc : get_map+0x78/0xec
          lr : get_map+0xa0/0xec
          sp : aeff808989e3f8e0
          x29: aeff808989e3f940 x28: ffff800826200000
          x27: ffff100012d47000 x26: 9700000000002500
          x25: 0000000000000001 x24: 52ff8008200131f8
          x23: 52ff8008200130a0 x22: 52ff800820013098
          x21: ffff800826200000 x20: ffff100013172ba0
          x19: 2bff808a8971bc00 x18: ffff1000148f5538
          x17: 000000000000001b x16: 00000000000000ff
          x15: ffff1000148f5000 x14: 00000000000000d2
          x13: 0000000000000001 x12: 0000000000000000
          x11: 0000000020000002 x10: 2bff808aa4856d48
          x9 : 0000020000000000 x8 : 68ff80082620ebb0
          x7 : 0000000000000000 x6 : ffff1000105da1dc
          x5 : 0000000000000000 x4 : 0000000000000000
          x3 : 0000000000000010 x2 : 2bff808a8971bc00
          x1 : ffff7fe002098800 x0 : ffff80082620ceb0
          Process read_all (pid: 79210, stack limit = 0x00000000f65b9361)
          Call trace:
           get_map+0x78/0xec
           process_slab+0x7c/0x47c
           list_locations+0xb0/0x3c8
           alloc_calls_show+0x34/0x40
           slab_attr_show+0x34/0x48
           sysfs_kf_seq_show+0x2e4/0x570
           kernfs_seq_show+0x12c/0x1a0
           seq_read+0x48c/0xf84
           kernfs_fop_read+0xd4/0x448
           __vfs_read+0x94/0x5d4
           vfs_read+0xcc/0x194
           ksys_read+0x6c/0xe8
           __arm64_sys_read+0x68/0xb0
           el0_svc_handler+0x230/0x3bc
           el0_svc+0x8/0xc
          Code: d3467d2a 9ac92329 8b0a0e6a f9800151 (c85f7d4b)
          ---[ end trace a383a9a44ff13176 ]---
          Kernel panic - not syncing: Fatal exception
          SMP: stopping secondary CPUs
          SMP: failed to stop secondary CPUs 1-7,32,40,127
          Kernel Offset: disabled
          CPU features: 0x002,20000c18
          Memory Limit: none
          ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      Link: http://lkml.kernel.org/r/20190220020251.82039-1-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
      Reviewed-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6373dca1
    • Andrey Konovalov's avatar
      kasan, slab: remove redundant kasan_slab_alloc hooks · 557ea253
      Andrey Konovalov authored
      kasan_slab_alloc() calls in kmem_cache_alloc() and kmem_cache_alloc_node()
      are redundant as they are already called via slab_alloc/slab_alloc_node()->
      slab_post_alloc_hook()->kasan_slab_alloc().  Remove them.
      
      Link: http://lkml.kernel.org/r/4ca1655cdcfc4379c49c50f7bf80f81c4ad01485.1550602886.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      557ea253
    • Andrey Konovalov's avatar
      kasan, slab: make freelist stored without tags · 51dedad0
      Andrey Konovalov authored
      Similarly to "kasan, slub: move kasan_poison_slab hook before
      page_address", move kasan_poison_slab() before alloc_slabmgmt(), which
      calls page_address(), to make page_address() return value to be
      non-tagged.  This, combined with calling kasan_reset_tag() for off-slab
      slab management object, leads to freelist being stored non-tagged.
      
      Link: http://lkml.kernel.org/r/dfb53b44a4d00de3879a05a9f04c1f55e584f7a1.1550602886.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      51dedad0
    • Andrey Konovalov's avatar
      kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY · 219667c2
      Andrey Konovalov authored
      Similarly to commit 96fedce2 ("kasan: make tag based mode work with
      CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
      __check_heap_object() in mm/slab.c before doing any pointer math.
      
      Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      219667c2
    • Andrey Konovalov's avatar
      kasan: prevent tracing of tags.c · dc15a8a2
      Andrey Konovalov authored
      Similarly to commit 0d0c8de8 ("kasan: mark file common so ftrace
      doesn't trace it") add the -pg flag to mm/kasan/tags.c to prevent
      conflicts with tracing.
      
      Link: http://lkml.kernel.org/r/9c4c3ce5ccfb894c7fe66d91de7c1da2787b4da4.1550602886.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dc15a8a2
    • Andrey Konovalov's avatar
      kasan: fix random seed generation for tag-based mode · 3f41b609
      Andrey Konovalov authored
      There are two issues with assigning random percpu seeds right now:
      
      1. We use for_each_possible_cpu() to iterate over cpus, but cpumask is
         not set up yet at the moment of kasan_init(), and thus we only set
         the seed for cpu #0.
      
      2. A call to get_random_u32() always returns the same number and produces
         a message in dmesg, since the random subsystem is not yet initialized.
      
      Fix 1 by calling kasan_init_tags() after cpumask is set up.
      
      Fix 2 by using get_cycles() instead of get_random_u32(). This gives us
      lower quality random numbers, but it's good enough, as KASAN is meant to
      be used as a debugging tool and not a mitigation.
      
      Link: http://lkml.kernel.org/r/1f815cc914b61f3516ed4cc9bfd9eeca9bd5d9de.1550677973.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3f41b609
    • Darrick J. Wong's avatar
      tmpfs: fix link accounting when a tmpfile is linked in · 1062af92
      Darrick J. Wong authored
      tmpfs has a peculiarity of accounting hard links as if they were
      separate inodes: so that when the number of inodes is limited, as it is
      by default, a user cannot soak up an unlimited amount of unreclaimable
      dcache memory just by repeatedly linking a file.
      
      But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
      fd, we missed accommodating this new case in tmpfs: "df -i" shows that
      an extra "inode" remains accounted after the file is unlinked and the fd
      closed and the actual inode evicted.  If a user repeatedly links
      tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
      are deleted.
      
      Just skip the extra reservation from shmem_link() in this case: there's
      a sense in which this first link of a tmpfile is then cheaper than a
      hard link of another file, but the accounting works out, and there's
      still good limiting, so no need to do anything more complicated.
      
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
      Fixes: f4e0c30c ("allow the temp files created by open() to be linked to")
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Reported-by: default avatarMatej Kupljen <matej.kupljen@gmail.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1062af92
    • Johannes Weiner's avatar
      psi: avoid divide-by-zero crash inside virtual machines · 4e37504d
      Johannes Weiner authored
      We've been seeing hard-to-trigger psi crashes when running inside VM
      instances:
      
          divide error: 0000 [#1] SMP PTI
          Modules linked in: [...]
          CPU: 0 PID: 212 Comm: kworker/0:2 Not tainted 4.16.18-119_fbk9_3817_gfe944c98d695 #119
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
          Workqueue: events psi_clock
          RIP: 0010:psi_update_stats+0x270/0x490
          RSP: 0018:ffffc90001117e10 EFLAGS: 00010246
          RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800a35a13f8
          RDX: 0000000000000000 RSI: ffff8800a35a1340 RDI: 0000000000000000
          RBP: 0000000000000658 R08: ffff8800a35a1470 R09: 0000000000000000
          R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
          R13: 0000000000000000 R14: 0000000000000000 R15: 00000000000f8502
          FS:  0000000000000000(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fbe370fa000 CR3: 00000000b1e3a000 CR4: 00000000000006f0
          DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
          DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
          Call Trace:
           psi_clock+0x12/0x50
           process_one_work+0x1e0/0x390
           worker_thread+0x2b/0x3c0
           ? rescuer_thread+0x330/0x330
           kthread+0x113/0x130
           ? kthread_create_worker_on_cpu+0x40/0x40
           ? SyS_exit_group+0x10/0x10
           ret_from_fork+0x35/0x40
          Code: 48 0f 47 c7 48 01 c2 45 85 e4 48 89 16 0f 85 e6 00 00 00 4c 8b 49 10 4c 8b 51 08 49 69 d9 f2 07 00 00 48 6b c0 64 4c 8b 29 31 d2 <48> f7 f7 49 69 d5 8d 06 00 00 48 89 c5 4c 69 f0 00 98 0b 00 48
      
      The Code-line points to `period` being 0 inside update_stats(), and we
      divide by that when calculating that period's pressure percentage.
      
      The elapsed period should never be 0.  The reason this can happen is due
      to an off-by-one in the idle time / missing period calculation combined
      with a coarse sched_clock() in the virtual machine.
      
      The target time for aggregation is advanced into the future on a fixed
      grid to prevent clock drift.  So when an aggregation runs after some idle
      period, we can not just set it to "now + psi_period", but have to
      calculate the downtime and advance the target time relative to itself.
      
      However, if the aggregator was disabled exactly one psi_period (ns), we
      drop one idle period in the calculation due to a > when we should do >=.
      In that case, next_update will be advanced from 'now - psi_period' to
      'now' when it should be moved to 'now + psi_period'.  The run finishes
      with last_update == next_update == sched_clock().
      
      With hardware clocks, this exact nanosecond match isn't likely in the
      first place; but if it does happen, the clock will still have moved on and
      the period non-zero by the time the worker runs.  A pointlessly short
      period, but besides the extra work, no harm no foul.  However, a slow
      sched_clock() like we have on VMs might not have advanced either by the
      time the worker runs again.  And when we calculate the elapsed period, the
      result, our pressure divisor, will be 0.  Ouch.
      
      Fix this by correctly handling the situation when the elapsed time between
      aggregation runs is precisely two periods, and advance the expiration
      timestamp correctly to period into the future.
      
      Link: http://lkml.kernel.org/r/20190214193157.15788-1-hannes@cmpxchg.orgSigned-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reported-by: Łukasz Siudut <lsiudut@fb.com
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4e37504d
    • Michal Hocko's avatar
      mm: handle lru_add_drain_all for UP properly · 6ea183d6
      Michal Hocko authored
      Since for_each_cpu(cpu, mask) added by commit 2d3854a3
      ("cpumask: introduce new API, without changing anything") did not
      evaluate the mask argument if NR_CPUS == 1 due to CONFIG_SMP=n,
      lru_add_drain_all() is hitting WARN_ON() at __flush_work() added by
      commit 4d43d395 ("workqueue: Try to catch flush_work() without
      INIT_WORK().") by unconditionally calling flush_work() [1].
      
      Workaround this issue by using CONFIG_SMP=n specific lru_add_drain_all
      implementation.  There is no real need to defer the implementation to
      the workqueue as the draining is going to happen on the local cpu.  So
      alias lru_add_drain_all to lru_add_drain which does all the necessary
      work.
      
      [akpm@linux-foundation.org: fix various build warnings]
      [1] https://lkml.kernel.org/r/18a30387-6aa5-6123-e67c-57579ecc3f38@roeck-us.net
      Link: http://lkml.kernel.org/r/20190213124334.GH4525@dhcp22.suse.czSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Debugged-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6ea183d6
    • Mel Gorman's avatar
      mm, page_alloc: fix a division by zero error when boosting watermarks v2 · 94b3334c
      Mel Gorman authored
      Yury Norov reported that an arm64 KVM instance could not boot since
      after v5.0-rc1 and could addressed by reverting the patches
      
        1c30844d ("mm: reclaim small amounts of memory when an external
        73444bc4 ("mm, page_alloc: do not wake kswapd with zone lock held")
      
      The problem is that a division by zero error is possible if boosting
      occurs very early in boot if the system has very little memory.  This
      patch avoids the division by zero error.
      
      Link: http://lkml.kernel.org/r/20190213143012.GT9565@techsingularity.net
      Fixes: 1c30844d ("mm: reclaim small amounts of memory when an external fragmentation event occurs")
      Signed-off-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Reported-by: default avatarYury Norov <yury.norov@gmail.com>
      Tested-by: default avatarYury Norov <yury.norov@gmail.com>
      Tested-by: default avatarWill Deacon <will.deacon@arm.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      94b3334c
    • Robin Murphy's avatar
      mm/debug.c: fix __dump_page() for poisoned pages · 311ade0e
      Robin Murphy authored
      Evaluating page_mapping() on a poisoned page ends up dereferencing junk
      and making PF_POISONED_CHECK() considerably crashier than intended:
      
          Unable to handle kernel NULL pointer dereference at virtual address 0000000000000006
          Mem abort info:
            ESR = 0x96000005
            Exception class = DABT (current EL), IL = 32 bits
            SET = 0, FnV = 0
            EA = 0, S1PTW = 0
          Data abort info:
            ISV = 0, ISS = 0x00000005
            CM = 0, WnR = 0
          user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c2f6ac38
          [0000000000000006] pgd=0000000000000000, pud=0000000000000000
          Internal error: Oops: 96000005 [#1] PREEMPT SMP
          Modules linked in:
          CPU: 2 PID: 491 Comm: bash Not tainted 5.0.0-rc1+ #1
          Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Dec 17 2018
          pstate: 00000005 (nzcv daif -PAN -UAO)
          pc : page_mapping+0x18/0x118
          lr : __dump_page+0x1c/0x398
          Process bash (pid: 491, stack limit = 0x000000004ebd4ecd)
          Call trace:
           page_mapping+0x18/0x118
           __dump_page+0x1c/0x398
           dump_page+0xc/0x18
           remove_store+0xbc/0x120
           dev_attr_store+0x18/0x28
           sysfs_kf_write+0x40/0x50
           kernfs_fop_write+0x130/0x1d8
           __vfs_write+0x30/0x180
           vfs_write+0xb4/0x1a0
           ksys_write+0x60/0xd0
           __arm64_sys_write+0x18/0x20
           el0_svc_common+0x94/0xf8
           el0_svc_handler+0x68/0x70
           el0_svc+0x8/0xc
          Code: f9400401 d1000422 f240003f 9a801040 (f9400402)
          ---[ end trace cdb5eb5bf435cecb ]---
      
      Fix that by not inspecting the mapping until we've determined that it's
      likely to be valid.  Now the above condition still ends up stopping the
      kernel, but in the correct manner:
      
          page:ffffffbf20000000 is uninitialized and poisoned
          raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
          raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
          page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
          ------------[ cut here ]------------
          kernel BUG at ./include/linux/mm.h:1006!
          Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
          Modules linked in:
          CPU: 1 PID: 483 Comm: bash Not tainted 5.0.0-rc1+ #3
          Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Dec 17 2018
          pstate: 40000005 (nZcv daif -PAN -UAO)
          pc : remove_store+0xbc/0x120
          lr : remove_store+0xbc/0x120
          ...
      
      Link: http://lkml.kernel.org/r/03b53ee9d7e76cda4b9b5e1e31eea080db033396.1550071778.git.robin.murphy@arm.com
      Fixes: 1c6fb1d8 ("mm: print more information about mapping in __dump_page")
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      311ade0e
    • Michal Hocko's avatar
      proc, oom: do not report alien mms when setting oom_score_adj · b2b46993
      Michal Hocko authored
      Tetsuo has reported that creating a thousands of processes sharing MM
      without SIGHAND (aka alien threads) and setting
      /proc/<pid>/oom_score_adj will swamp the kernel log and takes ages [1]
      to finish.  This is especially worrisome that all that printing is done
      under RCU lock and this can potentially trigger RCU stall or softlockup
      detector.
      
      The primary reason for the printk was to catch potential users who might
      depend on the behavior prior to 44a70ade ("mm, oom_adj: make sure
      processes sharing mm have same view of oom_score_adj") but after more
      than 2 years without a single report I guess it is safe to simply remove
      the printk altogether.
      
      The next step should be moving oom_score_adj over to the mm struct and
      remove all the tasks crawling as suggested by [2]
      
      [1] http://lkml.kernel.org/r/97fce864-6f75-bca5-14bc-12c9f890e740@i-love.sakura.ne.jp
      [2] http://lkml.kernel.org/r/20190117155159.GA4087@dhcp22.suse.cz
      
      Link: http://lkml.kernel.org/r/20190212102129.26288-1-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarTetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Yong-Taek Lee <ytk.lee@samsung.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b2b46993
    • Qian Cai's avatar
      slub: fix SLAB_CONSISTENCY_CHECKS + KASAN_SW_TAGS · 338cfaad
      Qian Cai authored
      Enabling SLUB_DEBUG's SLAB_CONSISTENCY_CHECKS with KASAN_SW_TAGS
      triggers endless false positives during boot below due to
      check_valid_pointer() checks tagged pointers which have no addresses
      that is valid within slab pages:
      
        BUG radix_tree_node (Tainted: G    B            ): Freelist Pointer check fails
        -----------------------------------------------------------------------------
      
        INFO: Slab objects=69 used=69 fp=0x          (null) flags=0x7ffffffc000200
        INFO: Object @offset=15060037153926966016 fp=0x
      
        Redzone: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 18 6b 06 00 08 80 ff d0  .........k......
        Object : 18 6b 06 00 08 80 ff d0 00 00 00 00 00 00 00 00  .k..............
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Object : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        Redzone: bb bb bb bb bb bb bb bb                          ........
        Padding: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
        CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.0.0-rc5+ #18
        Call trace:
          dump_backtrace+0x0/0x450
          show_stack+0x20/0x2c
          __dump_stack+0x20/0x28
          dump_stack+0xa0/0xfc
          print_trailer+0x1bc/0x1d0
          object_err+0x40/0x50
          alloc_debug_processing+0xf0/0x19c
          ___slab_alloc+0x554/0x704
          kmem_cache_alloc+0x2f8/0x440
          radix_tree_node_alloc+0x90/0x2fc
          idr_get_free+0x1e8/0x6d0
          idr_alloc_u32+0x11c/0x2a4
          idr_alloc+0x74/0xe0
          worker_pool_assign_id+0x5c/0xbc
          workqueue_init_early+0x49c/0xd50
          start_kernel+0x52c/0xac4
        FIX radix_tree_node: Marking all objects used
      
      Link: http://lkml.kernel.org/r/20190209044128.3290-1-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
      Reviewed-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      338cfaad
    • Andrey Konovalov's avatar
      kasan, slub: fix more conflicts with CONFIG_SLAB_FREELIST_HARDENED · d36a63a9
      Andrey Konovalov authored
      When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.  Normally,
      this doesn't cause any issues, as both set_freepointer() and
      get_freepointer() are called with a pointer with the same tag.  However,
      there are some issues with CONFIG_SLUB_DEBUG code.  For example, when
      __free_slub() iterates over objects in a cache, it passes untagged
      pointers to check_object().  check_object() in turns calls
      get_freepointer() with an untagged pointer, which causes the freepointer
      to be restored incorrectly.
      
      Add kasan_reset_tag to freelist_ptr(). Also add a detailed comment.
      
      Link: http://lkml.kernel.org/r/bf858f26ef32eb7bd24c665755b3aee4bc58d0e4.1550103861.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d36a63a9
    • Andrey Konovalov's avatar
      kasan, slub: fix conflicts with CONFIG_SLAB_FREELIST_HARDENED · 18e50661
      Andrey Konovalov authored
      CONFIG_SLAB_FREELIST_HARDENED hashes freelist pointer with the address of
      the object where the pointer gets stored.  With tag based KASAN we don't
      account for that when building freelist, as we call set_freepointer() with
      the first argument untagged.  This patch changes the code to properly
      propagate tags throughout the loop.
      
      Link: http://lkml.kernel.org/r/3df171559c52201376f246bf7ce3184fe21c1dc7.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      18e50661
    • Andrey Konovalov's avatar
      kasan, slub: move kasan_poison_slab hook before page_address · a7101224
      Andrey Konovalov authored
      With tag based KASAN page_address() looks at the page flags to see whether
      the resulting pointer needs to have a tag set.  Since we don't want to set
      a tag when page_address() is called on SLAB pages, we call
      page_kasan_tag_reset() in kasan_poison_slab().  However in allocate_slab()
      page_address() is called before kasan_poison_slab().  Fix it by changing
      the order.
      
      [andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
        Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
      Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a7101224
    • Andrey Konovalov's avatar
      kmemleak: account for tagged pointers when calculating pointer range · a2f77575
      Andrey Konovalov authored
      kmemleak keeps two global variables, min_addr and max_addr, which store
      the range of valid (encountered by kmemleak) pointer values, which it
      later uses to speed up pointer lookup when scanning blocks.
      
      With tagged pointers this range will get bigger than it needs to be.  This
      patch makes kmemleak untag pointers before saving them to min_addr and
      max_addr and when performing a lookup.
      
      Link: http://lkml.kernel.org/r/16e887d442986ab87fe87a755815ad92fa431a5f.1550066133.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarQian Cai <cai@lca.pw>
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Evgeniy Stepanov <eugenis@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a2f77575