1. 24 Jul, 2019 1 commit
    • access: avoid the RCU grace period for the temporary subjective credentials · d7852fbd
      Linus Torvalds authored
      It turns out that 'access()' (and 'faccessat()') can cause a lot of RCU
      work because it installs a temporary credential that gets allocated and
      freed for each system call.
      
      The allocation and freeing overhead is mostly benign, but because
      credentials can be accessed under the RCU read lock, the freeing
      involves a RCU grace period.
      
      Which is not a huge deal normally, but if you have a lot of access()
      calls, this causes a fair amount of secondary damage: instead of having a
      nice alloc/free pattern that hits in hot per-CPU slab caches, you have
      all those delayed free's, and on big machines with hundreds of cores,
      the RCU overhead can end up being enormous.
      
      But it turns out that all of this is entirely unnecessary.  Exactly
      because access() only installs the credential as the thread-local
      subjective credential, the temporary cred pointer doesn't actually need
      to be RCU free'd at all.  Once we're done using it, we can just free it
      synchronously and avoid all the RCU overhead.
      
      So add a 'non_rcu' flag to 'struct cred', which can be set by users that
      know they only use it in non-RCU context (there are other potential
      users for this).  We can make it a union with the rcu freeing list head
      that we need for the RCU case, so this doesn't need any extra storage.
      
      Note that this also makes 'get_current_cred()' clear the new non_rcu
      flag, in case we have filesystems that take a long-term reference to the
      cred and then expect the RCU delayed freeing afterwards.  It's not
      entirely clear that this is required, but it makes for clear semantics:
      the subjective cred remains non-RCU as long as you only access it
      synchronously using the thread-local accessors, but you _can_ use it as
      a generic cred if you want to.
      
      It is possible that we should just remove the whole RCU markings for
      ->cred entirely.  Only ->real_cred is really supposed to be accessed
      through RCU, and the long-term cred copies that nfs uses might want to
      explicitly re-enable RCU freeing if required, rather than have
      get_current_cred() do it implicitly.
      
      But this is a "minimal semantic changes" change for the immediate
      problem.
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Paul E. McKenney <paulmck@linux.ibm.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Jan Glauber <jglauber@marvell.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Jayachandran Chandrasekharan Nair <jnair@marvell.com>
      Cc: Greg KH <greg@kroah.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 07 Jul, 2019 1 commit
  3. 06 Jul, 2019 11 commits
    • Merge tag 'for-linus-20190706' of git://git.kernel.dk/linux-block · 46713c3d
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix for a patch from Greg KH, which reportedly breaks
        block debugfs locations for certain setups. Trivial enough that I
        think we should include it now, rather than wait and release 5.2 with
        it, since it's a regression in this series"
      
      * tag 'for-linus-20190706' of git://git.kernel.dk/linux-block:
        blk-mq: fix up placement of debugfs directory of queue files
    • Merge tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · bcc0e65f
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
       "A few more MIPS fixes:
      
         - Fix a silly typo in virt_addr_valid which led to completely bogus
           behavior (that happened to stop tripping up hardened usercopy
           despite being broken).
      
         - Fix UART parity setup on AR933x systems.
      
         - A build fix for non-Linux build machines.
      
         - Have the 'all' make target build DTBs, primarily to fit in with the
           behavior of scripts/package/builddeb.
      
         - Handle an execution hazard in TLB exceptions that use KScratch
           registers, which could inadvertently clobber the $1 register on
           some generally higher-end out-of-order CPUs.
      
         - A MAINTAINERS update to fix the path to the NAND driver for Ingenic
           systems"
      
      * tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Correct path to moved files
        MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
        MIPS: have "plain" make calls build dtbs for selected platforms
        MIPS: fix build on non-linux hosts
        MIPS: ath79: fix ar933x uart parity mode
        MIPS: Fix bounds check virt_addr_valid
    • Merge tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma · 2692982b
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - bam_dma fix for completed descriptor count
      
       - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on
         probe error path
      
       - endian bug fix in jz4780 IRQ handler
      
      * tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: qcom: bam_dma: Fix completed descriptors count
        dmaengine: imx-sdma: remove BD_INTR for channel0
        dmaengine: imx-sdma: fix use-after-free on probe error path
        dmaengine: jz4780: Fix an endian bug in IRQ handler
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4f8b4909
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two iscsi fixes.
      
        One for an oops in the client which can be triggered by the server
        authentication protocol and the other in the target code which causes
        data corruption"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
        scsi: target/iblock: Fix overrun in WRITE SAME emulation
    • Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ceacbc0e
      Linus Torvalds authored
      Pull vfs fixlet from Al Viro:
       "Fix bogus default y in Kconfig (VALIDATE_FS_PARSER)
      
        That thing should not be turned on by default, especially since it's
        not quiet in case it finds no problems. Geert has sent the obvious fix
        quite a few times, but it fell through the cracks"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fs: VALIDATE_FS_PARSER should default to n
    • blk-mq: fix up placement of debugfs directory of queue files · 7e41c3c9
      Greg Kroah-Hartman authored
      When the blk-mq debugfs file creation logic was "cleaned up" it was
      cleaned up too much, causing the queue file to not be created in the
      correct location.  Turns out the check for the directory being present
      is needed as if that has not happened yet, the files should not be
      created, and the function will be called later on in the initialization
      code so that the files can be created in the correct location.
      
      Fixes: 6cfc0081 ("blk-mq: no need to check return value of debugfs_create functions")
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: linux-block@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Revert "mm: page cache: store only head pages in i_pages" · 69bf4b6b
      Linus Torvalds authored
      This reverts commit 5fd4ca2d.
      
      Mikhail Gavrilov reports that it causes the VM_BUG_ON_PAGE() in
      __delete_from_swap_cache() to trigger:
      
         page:ffffd6d34dff0000 refcount:1 mapcount:1 mapping:ffff97812323a689 index:0xfecec363
         anon
         flags: 0x17fffe00080034(uptodate|lru|active|swapbacked)
         raw: 0017fffe00080034 ffffd6d34c67c508 ffffd6d3504b8d48 ffff97812323a689
         raw: 00000000fecec363 0000000000000000 0000000100000000 ffff978433ace000
         page dumped because: VM_BUG_ON_PAGE(entry != page)
         page->mem_cgroup:ffff978433ace000
         ------------[ cut here ]------------
         kernel BUG at mm/swap_state.c:170!
         invalid opcode: 0000 [#1] SMP NOPTI
         CPU: 1 PID: 221 Comm: kswapd0 Not tainted 5.2.0-0.rc2.git0.1.fc31.x86_64 #1
         Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 2202 04/11/2019
         RIP: 0010:__delete_from_swap_cache+0x20d/0x240
         Code: 30 65 48 33 04 25 28 00 00 00 75 4a 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c6 2f dc 0f 8a 48 89 c7 e8 93 1b fd ff <0f> 0b 48 c7 c6 a8 74 0f 8a e8 85 1b fd ff 0f 0b 48 c7 c6 a8 7d 0f
         RSP: 0018:ffffa982036e7980 EFLAGS: 00010046
         RAX: 0000000000000021 RBX: 0000000000000040 RCX: 0000000000000006
         RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff97843d657900
         RBP: 0000000000000001 R08: ffffa982036e7835 R09: 0000000000000535
         R10: ffff97845e21a46c R11: ffffa982036e7835 R12: ffff978426387120
         R13: 0000000000000000 R14: ffffd6d34dff0040 R15: ffffd6d34dff0000
         FS:  0000000000000000(0000) GS:ffff97843d640000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: 00002cba88ef5000 CR3: 000000078a97c000 CR4: 00000000003406e0
         Call Trace:
          delete_from_swap_cache+0x46/0xa0
          try_to_free_swap+0xbc/0x110
          swap_writepage+0x13/0x70
          pageout.isra.0+0x13c/0x350
          shrink_page_list+0xc14/0xdf0
          shrink_inactive_list+0x1e5/0x3c0
          shrink_node_memcg+0x202/0x760
          shrink_node+0xe0/0x470
          balance_pgdat+0x2d1/0x510
          kswapd+0x220/0x420
          kthread+0xfb/0x130
          ret_from_fork+0x22/0x40
      
      and it's not immediately obvious why it happens.  It's too late in the
      rc cycle to do anything but revert for now.
      
      Link: https://lore.kernel.org/lkml/CABXGCsN9mYmBD-4GaaeW_NrDu+FDXLzr_6x+XNxfmFV6QkYCDg@mail.gmail.com/
      Reported-and-bisected-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Suggested-by: Jan Kara <jack@suse.cz>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Kirill Shutemov <kirill@shutemov.name>
      Cc: William Kucharski <william.kucharski@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9fdb86c8
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "x86 bugfix patches and one compilation fix for ARM"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: arm64/sve: Fix vq_present() macro to yield a bool
        KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
        KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS
        KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM
        KVM: x86: degrade WARN to pr_warn_ratelimited
    • Merge tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 0e63665a
      Linus Torvalds authored
      Pull mtd fixes from Miquel Raynal:
      
       - Fix the memory organization structure of a Macronix SPI-NAND chip.
      
       - Fix a build dependency wrongly described.
      
       - Fix the sunxi NAND driver for A23/A33 SoCs by (a) reverting the
         faulty commit introducing broken DMA support and (b) applying another
         commit bringing working DMA support.
      
      * tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration
        Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support"
        mtd: rawnand: ingenic: Fix ingenic_ecc dependency
        mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 881ed91f
      Linus Torvalds authored
      Pull i2c fixlet from Wolfram Sang:
       "I2C has a MAINTAINERS update which will be beneficial for developers,
        so let's add it right away"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: tegra: Add Dmitry as a reviewer
    • Merge tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux · a8f46b5a
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Two more quick bugfixes for nfsd: fixing a regression causing mount
        failures on high-memory machines and fixing the DRC over RDMA"
      
      * tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux:
        nfsd: Fix overflow causing non-working mounts on 1 TB machines
        svcrdma: Ignore source port when computing DRC hash
  4. 05 Jul, 2019 21 commits
  5. 04 Jul, 2019 6 commits
    • Merge tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c212ddae
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes for:
      
         - A race with ASoC HD-audio registration
      
         - LINE6 usb-audio memory overwrite by malformed descriptor
      
         - FireWire MIDI handling
      
         - Missing cast for bit shifts in a few USB-audio quirks
      
         - The wrong function calls in minor OSS sequencer code paths
      
         - A couple of HD-audio quirks"
      
      * tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: line6: Fix write on zero-sized buffer
        ALSA: hda: Fix widget_mutex incomplete protection
        ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
        ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
        ALSA: hda/realtek - Change front mic location for Lenovo M710q
        ALSA: usb-audio: fix sign unintended sign extension on left shifts
        ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
    • ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME · 6994eefb
      Jann Horn authored
      Fix two issues:
      
      When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
      reference to the parent's objective credentials, then give that pointer
      to get_cred().  However, the object lifetime rules for things like
      struct cred do not permit unconditionally turning an RCU reference into
      a stable reference.
      
      PTRACE_TRACEME records the parent's credentials as if the parent was
      acting as the subject, but that's not the case.  If a malicious
      unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
      at a later point, the parent process becomes attacker-controlled
      (because it drops privileges and calls execve()), the attacker ends up
      with control over two processes with a privileged ptrace relationship,
      which can be abused to ptrace a suid binary and obtain root privileges.
      
      Fix both of these by always recording the credentials of the process
      that is requesting the creation of the ptrace relationship:
      current_cred() can't change under us, and current is the proper subject
      for access control.
      
      This change is theoretically userspace-visible, but I am not aware of
      any code that it will actually break.
      
      Fixes: 64b875f7 ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • drm/imx: only send event on crtc disable if kept disabled · 5aeab2bf
      Robert Beckett authored
      The event will be sent as part of the vblank enable during the modeset
      if the crtc is not being kept disabled.
      
      Fixes: 5f2f9115 ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
      Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    • drm/imx: notify drm core before sending event during crtc disable · 78c68e8f
      Robert Beckett authored
      Notify drm core before sending pending events during crtc disable.
      This fixes the first event after disable having an old stale timestamp
      by having drm_crtc_vblank_off update the timestamp to now.
      
      This was seen while debugging weston log message:
      Warning: computed repaint delay is insane: -8212 msec
      
      This occurred due to:
      1. driver starts up
      2. fbcon comes along and restores fbdev, enabling vblank
      3. vblank_disable_fn fires via timer disabling vblank, keeping vblank
      seq number and time set at current value
      (some time later)
      4. weston starts and does a modeset
      5. atomic commit disables crtc while it does the modeset
      6. ipu_crtc_atomic_disable sends vblank with old seq number and time
      
      Fixes: a4744786 ("drm/imx: fix crtc vblank state regression")
      Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    • Merge tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 550d1f5b
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "This includes three fixes:
      
         - Fix a deadlock from a previous fix to keep module loading and
           function tracing text modifications from stepping on each other
           (this has a few patches to help document the issue in comments)
      
         - Fix a crash when the snapshot buffer gets out of sync with the main
           ring buffer
      
         - Fix a memory leak when reading the memory logs"
      
      * tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
        tracing/snapshot: Resize spare buffer if size changed
        tracing: Fix memory leak in tracing_err_log_open()
        ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare()
        ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()
    • Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes · b5252bdf
      Dave Airlie authored
      Fix a kernel nullptr deref on module unload when any etnaviv GPU failed to
      initialize properly.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Lucas Stach <l.stach@pengutronix.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/1561974148.2321.1.camel@pengutronix.de