This tag contains a handful of fixes that I would like to target for 5.6:
* A pair of fixes to module loading, which we hope solve the last of the issues
with module text being loaded too sparsely for our call relocations.
* A Kconfig fix that disallows selecting memory models not supported by NOMMU.
* A series of Kconfig updates to ease selecting the drivers necessary to run on
QEMU's virt platform.
* DTS updates for SiFive's HiFive Unleashed.
* A fix to our seccomp support that avoids mangling restartable syscalls.
-----BEGIN PGP SIGNATURE-----
iQJHBAABCgAxFiEEKzw3R0RoQ7JKlDp6LhMZ81+7GIkFAl5iudATHHBhbG1lckBk
YWJiZWx0LmNvbQAKCRAuExnzX7sYiUXbEACWGtDcZNmGbuZVnvqfYrA6GBYAdv24
06Rh/y+jx2nye9Od8qI/K3TUYx44ZbdwAgeclvJ2H/XiL3W05ERdh8M5rLeK28DT
Dt4xyG0FY0euWNXsUyPJLC8RAmvBR6aUnlHNbKbFYag2FpZ3Vfp8G+3x9Crj4rqw
eQDpzx/aBHRUAs3IAjS9Wz17/wOP57AIwRxIpcQ4AOy8ZhECpPdkmBXH/9nGtQ54
P5+lk59sw+KoVLo/uGyAbFINAMncfYIolcdlnH2rsNuYzeXhkoGqieMKGGwb2M5I
0zhEPSNbiTe3uEyFtuywrYjzHwlGULAhx9me5Q0qBCwyIq56n5u7FEqPp3XukXU8
OJXe/X8a8cPQn7gHaK3kffUeYUmmsgb8+Zf974B7yAiOryzn0sBpsFyV3u4uYnGq
k4u3fLcSoRNU/1AuU1J5in1IrYsia/sxbQ58tG34z3W+zNrLthet/9bgtkaDK+TF
Gm17BYPcQu0FPHa4p/smSn+AEyD3sNfZVVzBANo5qtGSkOhx9qpwM3ComrET5sDY
+F7iaOHh7zyFhLaCFQ1aLniOuJ81pKis6HcZGcdKp++mlyKyDNvwXQO6Tl9KYbZC
8cCQJysX3baILf00OpVfxV9P1oHaGhebyjHP1eWOGRonQhNI6KSUKINV2tb5vPxh
758BLES4+e7lzQ==
=3jih
-----END PGP SIGNATURE-----
Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Palmer Dabbelt:
"This contains a handful of fixes that I would like to target for 5.6:
- A pair of fixes to module loading, which we hope solve the last of
the issues with module text being loaded too sparsely for our call
relocations.
- A Kconfig fix that disallows selecting memory models not supported
by NOMMU.
- A series of Kconfig updates to ease selecting the drivers necessary
to run on QEMU's virt platform.
- DTS updates for SiFive's HiFive Unleashed.
- A fix to our seccomp support that avoids mangling restartable
syscalls"
* tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
riscv: fix seccomp reject syscall code path
riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
RISC-V: Select Goldfish RTC driver for QEMU virt machine
RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
RISC-V: Enable QEMU virt machine support in defconfigs
RISC-V: Add kconfig option for QEMU virt machine
riscv: Fix range looking for kernel image memblock
riscv: Force flat memory model with no-mmu
riscv: Change code model of module to medany to improve data accessing
riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
This makes the script more convenient to run.
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- Fixes for warnings introduced by hierarchical PSCI binding changes
- Fixes for broken doc references due to DT schema conversions
- Several grammar and typo fixes
- Fix a bunch of dtc warnings in examples
-----BEGIN PGP SIGNATURE-----
iQJEBAABCgAuFiEEktVUI4SxYhzZyEuo+vtdtY28YcMFAl5iwicQHHJvYmhAa2Vy
bmVsLm9yZwAKCRD6+121jbxhwxZQD/0VmRBeLZaCg1jiTfj2a+/AbR+x6sGh1izC
yKI/GRRpVDuyYKN4vNZrY/Z3O5wNwbxZ4mRot/R1EL0on0WPKoLTbioyFFAO3kk0
7ar6lQCKJHikAz7olT89D0vMD86KGCuUIa0Cju31SCRwdASRtgm36q7ozvs7kt9T
jkTHfH121sLrSDQCHHq1NPBct6tL6ldtfbClqNSs4HsR/9Bzvnd5Sd3hsjLcotnO
WpXezH5smBssguJJs0kHySg9gis2DCWnRkejb+7fGC7b8N/vTZA2EWierD0cvpy6
45SRfRtUeCb8OuTn2V8J8CaPmYTmwUvxrSLR/l3vyB+BvxLULsAMFH9gE5AcgHVY
eQAj2l8d+Q+bFSUaV3sKPhV3xquBTi6d26pu2uZDjK6MmeLIi3mkOW1bonD5xWbz
o7KB67g36ENwleou01AbK/bs211hSSHfqKe1pCWIKq9t7xJAkBklSfymr3kAgj9/
1mwnzwvm2dr8MWH8CNYmNcNb2NAgh2mSgS3yW6WjJcEOUeran+/kn7Ivs/fpDlxF
JUyYD+ZGQxccYn1c+urrMbzG16HjtqyV6UWUHGJxA2YGs15kSLRvEEIPRbxIsARs
YPymRSFchmggyb+CLr8XH5XxDDaHm/3ZTsqA3PgFuQopX7OdCmcb7CGGNCmvzhxk
NC5jllsiLw==
=sbhb
-----END PGP SIGNATURE-----
Merge tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
Pull devicetree fixes from Rob Herring:
"Another batch of DT fixes. I think this should be the last of it, but
sending pull requests seems to cause people to send more fixes.
Summary:
- Fixes for warnings introduced by hierarchical PSCI binding changes
- Fixes for broken doc references due to DT schema conversions
- Several grammar and typo fixes
- Fix a bunch of dtc warnings in examples"
* tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
dt-bindings: power: Extend nodename pattern for power-domain providers
MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
dt-bindings: bus: Drop empty compatible string in example
dt-bindings: power: Convert domain-idle-states bindings to json-schema
dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
dt-bindings: arm: Correct links to idle states definitions
dt-bindings: mfd: Fix typo in file name of twl-familly.txt
dt-bindings: mfd: tps65910: Improve grammar
dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
dt-bindings: arm: fsl: fix APF6Dev compatible
dt-bindings: Fix dtc warnings in examples
docs: dt: fix several broken doc references
docs: dt: fix several broken references due to renames
MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAl5iXe8ACgkQxWXV+ddt
WDvWGg/+LFP+Y8Qz6xHTl3vXuGJKjCr7X/MIi69r2N0JFoCUeXyOdxeSlOuNCfhb
HiLZzfA5TYoptsdLJAXQLy7nPKFCQcc+J19Mbt2+aebpdGqfgN+YZEGkltfKL8Ao
xjOGu5HROFFpNTtnwa1dYOQkyVuZ8oafuJxwVJ8T28fxepRvBbi5jmy3lb1ypL3W
NoIPBe+67g5z/W0ATFmBMF7cCbvS5gsEGWKpbbjh7r8ZHJkhUaxVU7YdxPqlXrAO
ejZfiJUwi8rTGm0zd8A5TX/wsxSeBEXolvh91k5tatTljjzROHa028KRg2voUZIW
C5/7X+Z2C3gzuT0o7TGLBOR6CkVhkSutDV8/QIE6hDjZ/aCMNi0mIFco1hG8jjd1
jQfjemjj7PWuVEnZ6EuVSoHSXjZvBvX66of40YhTQEtSaJpcZU4jP26+8cXENN6+
6WbWcQpEQbT0cp0YKWhWvAIwGMf0jmWESISeFMEaF0eQd8BtzrH1qYcs3JTmXvHC
XmC47hoEJLhjQkAgQ4oNa5PZQzR1wEfW/4FPdqlADOR2frE1wDiKdrpN/dkAYHdQ
edNlo9u0+bRWCP40p04i2IUX/aUAc+me9QxiZwxT3Fw0g5QBSE2035Ly4spvT8NZ
gIvwnq1KGxmtrJSo5Lpkv4bjHYbByYMOiGJUMOTCIEdqajFI224=
=06pr
-----END PGP SIGNATURE-----
Merge tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
Pull btrfs fix from David Sterba:
"One fixup for DIO when in use with the new checksums, a missed case
where the checksum size was still assuming u32"
* tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: fix RAID direct I/O reads with alternate csums
-----BEGIN PGP SIGNATURE-----
iQJHBAABCAAxFiEES8DXskRxsqGE6vXTAA5oQRlWghUFAl5igvYTHGpsYXl0b25A
a2VybmVsLm9yZwAKCRAADmhBGVaCFdbFD/9ZP3XDY+ngnN5nsSYS4QuzudlncnZL
ceRLD5YykNPLOAesr7DWI8EDky+IFL5w4wRHVxAbOeHpj3haySLefV9vsM/G6sm4
CiHdikx7uls184r5WYK3jfB19UF3UIePUjTnAtxOpemjkLv58Z15nPNGGQv9lkFJ
dJbCk1kdwaEA3LYEyXiGC/ianaxLtiqBy+C0d581OZn3ty551c8vmF0Ziz5tcuot
aObPE3f8sYNxDuTDZcseRxvXUfMS1Qj/tMxeDDIXryX71zIsFbQ6PMPUNHGHGit/
uoeuprDy90mLqGuEEuUfVaXjn8zEPFlW8IHy1OJ4fFNQ0X/HYa2/CFTA2BiVrpfM
1lVYKWuMz+mCq9i8wzF/+ikQ9QVMG2cSb0i4kyuAb+RBP+PDjNTbTLjFeEIJVz6O
yN9MUXWH5XS8liFq2F5VbITwpSJEk7vxiTGDT1zU38HXFdrxL0FRC60TKhkplLzO
9xsj9jUBV/sD5ohwq9Ga+kcXOB/KA/9iW3TMfBApq7oWIxaEfW7rQ6A/O5tuF/hX
q2mwrRoEx6tpCy77KFBLT89iF0gzV3xzadwWcnpDkFC7x2OkMmZPPr2nWeJS6qbN
hPOD1fiWW/NXMXs7foQ9HZ7HdbQMDI7olnf1sjkh4pq2MKDWsJLvNB4fYwZUxhpn
8K4B+9yfIofvpg==
=H/ky
-----END PGP SIGNATURE-----
Merge tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
Pull file locking fixes from Jeff Layton:
"Just a couple of late-breaking patches for the file locking code. The
second patch (from yangerkun) fixes a rather nasty looking potential
use-after-free that should go to stable.
The other patch could technically wait for 5.7, but it's fairly
innocuous so I figured we might as well take it"
* tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
locks: fix a potential use-after-free problem when wakeup a waiter
fcntl: Distribute switch variables for initialization
A selection of small fixes, mostly for drivers, that have arrived since
the merge window. None of them are earth shattering in themselves but
all useful for affected systems.
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5iiroTHGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0ALxB/0TAEys4X1IxDku7N4E9vivlTQP+Yy5
LmJ7Oc+z1aCWX3LrpMa3M9JInnY44iahjariaZgcQ9GXXTO4rEoOSTVL99fXzj0h
wRS23p+h8GNFQ0s6Bzni8HSITz+vzCUJjYQe4i8iJIpQBRIErFSrqzB4uRGd7SPI
PIgYeTSA3rFuVvdAgijRg3hPTW2rpn328G/k35JpUNo9OdZ/v6NDQl1Sbg/FedFu
iY0feUaQ1FafHGkja/+OYN43bCraDo7Fo4COyF9cHGIJ8nBzMZJumhjgei26nviM
OQ15zRewFpnLGlK8ffPykrnynOhqo3GF7JbFWvI5pga/G5XzzLY8mi19
=bFsu
-----END PGP SIGNATURE-----
Merge tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A selection of small fixes, mostly for drivers, that have arrived
since the merge window. None of them are earth shattering in
themselves but all useful for affected systems"
* tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: spi_register_controller(): free bus id on error paths
spi: bcm63xx-hsspi: Really keep pll clk enabled
spi: atmel-quadspi: fix possible MMIO window size overrun
spi/zynqmp: remove entry that causes a cs glitch
spi: pxa2xx: Add CS control clock quirk
spi: spidev: Fix CS polarity if GPIO descriptors are used
spi: qup: call spi_qup_pm_resume_runtime before suspending
spi: spi-omap2-mcspi: Support probe deferral for DMA channels
spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
A couple of small fixes, one for a minor issue in the stm32-vrefbuf
driver and a documentation fix in the Qualcomm code.
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5ie5ITHGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0J5lB/wOdphcQj9YKbq1fO5Z2i4zROn85dbT
JREqpS5SNY+znox3WFct08L7xyrUBwFgZwzlF0KTnoBfNLznjcdY34YNSswWMZzY
vo0frRtEzdetjtQOYzuKfr+cWSozNLFCz4rGb9eMZicR28yaU+WluKlNLtwgkgq0
WEqyDZKK1KhVZYDJPVY6gb3NgTYlUvaJyRKEFGxSNHTDR9qL5koP7ym1yIqBjAu/
N596CtL8A24z9x7Wlmt2I9m13S/YXPUbDibYU10UC6amFWfsiuZ0hi577ToXvr1X
PruiRr63WgFlHGedAjsyfW1y1O9oBvGksb9rlBmwYzssgnuqV5DTuxsB
=s+Ng
-----END PGP SIGNATURE-----
Merge tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A couple of small fixes, one for a minor issue in the stm32-vrefbuf
driver and a documentation fix in the Qualcomm code"
* tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
regulator: qcom_spmi: Fix docs for PM8004
Fix an error return in the adt7462 driver, bad voltage limits
reported by the xdpe12284 driver, and a broken documentation
reference in the adm1177 driver documentation.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEiHPvMQj9QTOCiqgVyx8mb86fmYEFAl5idy0ACgkQyx8mb86f
mYFiRQ//Xp5JP1QMSTJqcGlM98ai/ZesCM0OB7ocBTt592T/VON8D2eEJapuECve
/065OGs1L25HBqPV+1riPUZ+Q9bkhnqyqXZuDx92ShClOpSK9Yy7GQXhXT3Y6D5g
bdrwnJK0dwGMR0nkNPKomSodeXP+qub3z5am/5QGIqfhG+ssckNhWYI7eYaKV0js
+4L/NcRAJF+hvcmeWQ+mOxKOWkcCAXYCIxo7iJWnnc3BeNplFjKRknUu9FER/bDh
gb9tJFZ7zVdH4TsPvl1axJtWYN2whTRljv/Xn5gSeJUM+0X1nrFJ2vP72nOm4goV
TZG2vTu3PZvw7uvCXC7P/q0qalgju2cdGr6b91brjrOCzxzj9uijzMGmmEG58rD2
Ls5qnWl5gyit5KuKjKyiyMzkZi0q5OycZaZeIKHenu9TqmHB1tj9h5S9EzKT+gJ/
8wWEsNR8kw73iTKtB09loxXnAUhxNtNcCzx05zPP5m+MG/iVgJslfaRRxmwnprxG
bq4VWT6DQwMCx+98olVURASkl+bIwpkKXvCMIzKRg8oAy7/WKqw0YgXZWUFop7Hi
qsWqBjjYTZfB1nz/i9gTRarpLtYAi7xQ8ib6VTP3qsOA/Nws43ffOqDqIZD5YGob
fA5Ytdk+c5cwO5Wrjsh9v7TuWpXlC+AQbZkD3icuXWlN9orD4Ck=
=AHoG
-----END PGP SIGNATURE-----
Merge tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
"Fix an error return in the adt7462 driver, bad voltage limits reported
by the xdpe12284 driver, and a broken documentation reference in the
adm1177 driver documentation"
* tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
docs: adm1177: fix a broken reference
- Fix misreporting of ASID limit when KPTI is enabled
- Fix busted NULL pointer checks for GICC structure in ACPI PMU code
- Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them
-----BEGIN PGP SIGNATURE-----
iQFEBAABCgAuFiEEPxTL6PPUbjXGY88ct6xw3ITBYzQFAl5iMUgQHHdpbGxAa2Vy
bmVsLm9yZwAKCRC3rHDchMFjNMpPB/9OH2pp6QaosJKz6zHawyvG6K1RxCQC7TZw
PCXKWF1N9b1z/ZBq47goDC0rRxVzx+OAO9MY4DMLojWvv51GT/Z/LhrYkpXek48I
Dkfz8ZmhSyO54M8LDQQ79zKG4FzpLVsvVP2z9bMaq9Ut5BSNcKmjvY7h27/znk7N
fW0lRVBt3C7Cu5DTBqq3BN3AXEwoANb4QvqmmA6D/pZvl5MUXolulww6czknYyIE
VD7m7s6A3bPUWWVSWHuYxL9/N8fP7HbcBL09dEtIKI4n1O+mvvCx9uHxxokBGuSV
ENu7BWfm0LJ5JibbW/rSOT8u2tw4xY4njhXu06PnxWXQSF8RcaOV
=7zhy
-----END PGP SIGNATURE-----
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
"Here are another three arm64 fixes for 5.6, all pretty minor. Main
thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
would zero the counters when disabling them.
- Fix misreporting of ASID limit when KPTI is enabled
- Fix busted NULL pointer checks for GICC structure in ACPI PMU code
- Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: context: Fix ASID limit in boot messages
drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
When syzkaller tests, there is a UAF:
BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
ffff880000100000
Read of size 2 by task syz-executor.1/16489
page:ffffea0000004000 count:0 mapcount:-127 mapping: (null)
index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffffb119f309>] dump_stack+0x1e/0x20
[<ffffffffb04af957>] kasan_report+0x577/0x950
[<ffffffffb04ae652>] __asan_load2+0x62/0x80
[<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
[<ffffffffb0a39d95>] invert_screen+0xe5/0x470
[<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
[<ffffffffb0a3bfae>] tioclinux+0xee/0x490
[<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
[<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
[<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
[<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
[<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
Memory state around the buggy address:
ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
>ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff
It can be reproduce in the linux mainline by the program:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
struct tiocl_selection {
unsigned short xs; /* X start */
unsigned short ys; /* Y start */
unsigned short xe; /* X end */
unsigned short ye; /* Y end */
unsigned short sel_mode; /* selection mode */
};
#define TIOCL_SETSEL 2
struct tiocl {
unsigned char type;
unsigned char pad;
struct tiocl_selection sel;
};
int main()
{
int fd = 0;
const char *dev = "/dev/char/4:1";
struct vt_consize v = {0};
struct tiocl tioc = {0};
fd = open(dev, O_RDWR, 0);
v.v_rows = 3346;
ioctl(fd, VT_RESIZEX, &v);
tioc.type = TIOCL_SETSEL;
ioctl(fd, TIOCLINUX, &tioc);
return 0;
}
When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.
So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
Fixes: 0aec4867dc ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
The hierarchical topology with power-domain should be described through
child nodes, rather than as currently described in the PSCI root node. Fix
this by adding a patternProperties with a corresponding reference to the
power-domain DT binding.
Additionally, update the example to conform to the new pattern, but also to
the adjusted domain-idle-state DT binding.
Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: Add missing allOf, tweak power-domain node name]
Signed-off-by: Rob Herring <robh@kernel.org>
The existing binding requires the nodename to have a '@', which is a bit
limiting for the wider use case. Therefore, let's extend the pattern to
allow either '@' or '-'.
Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: drop example change]
Signed-off-by: Rob Herring <robh@kernel.org>
The percpu refcount protects this structure, and we can have an atomic
switch in progress when exiting. This makes it unsafe to just free the
struct normally, and can trigger the following KASAN warning:
BUG: KASAN: use-after-free in percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
Read of size 1 at addr ffff888181a19a30 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc4+ #5747
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
<IRQ>
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x3b/0x60
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
__kasan_report.cold+0x1a/0x3d
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
rcu_core+0x370/0x830
? percpu_ref_exit+0x50/0x50
? rcu_note_context_switch+0x7b0/0x7b0
? run_rebalance_domains+0x11d/0x140
__do_softirq+0x10a/0x3e9
irq_exit+0xd5/0xe0
smp_apic_timer_interrupt+0x86/0x200
apic_timer_interrupt+0xf/0x20
</IRQ>
RIP: 0010:default_idle+0x26/0x1f0
Fix this by punting the final exit and free of the struct to RCU, then
we know that it's safe to do so. Jann suggested the approach of using a
double rcu callback to achieve this. It's important that we do a nested
call_rcu() callback, as otherwise the free could be ordered before the
atomic switch, even if the latter was already queued.
Reported-by: syzbot+e017e49c39ab484ac87a@syzkaller.appspotmail.com
Suggested-by: Jann Horn <jannh@google.com>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
'16306a61d3b7 ("fs/locks: always delete_block after waiting.")' add the
logic to check waiter->fl_blocker without blocked_lock_lock. And it will
trigger a UAF when we try to wakeup some waiter:
Thread 1 has create a write flock a on file, and now thread 2 try to
unlock and delete flock a, thread 3 try to add flock b on the same file.
Thread2 Thread3
flock syscall(create flock b)
...flock_lock_inode_wait
flock_lock_inode(will insert
our fl_blocked_member list
to flock a's fl_blocked_requests)
sleep
flock syscall(unlock)
...flock_lock_inode_wait
locks_delete_lock_ctx
...__locks_wake_up_blocks
__locks_delete_blocks(
b->fl_blocker = NULL)
...
break by a signal
locks_delete_block
b->fl_blocker == NULL &&
list_empty(&b->fl_blocked_requests)
success, return directly
locks_free_lock b
wake_up(&b->fl_waiter)
trigger UAF
Fix it by remove this logic, and this patch may also fix CVE-2019-19769.
Cc: stable@vger.kernel.org
Fixes: 16306a61d3 ("fs/locks: always delete_block after waiting.")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
slimbus addresses are 16 bit wide, masking page numbers
to wcd register at offset of 12 will limit the number for pages.
So it becomes impossible to write to page 0x10 registers.
Remove masking 0x800 (slimbus address range) from register address
and making use of window parameters in regmap config should fix it
and also will represent the registers exactly inline with Datasheet.
Remove this unnessary masking and make the registers be inline
with datasheet.
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20200306152633.25836-1-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Hi Mark
These are v2 resend of soc-pcm cleanup step5.
1) - 4) are rebased to latest for-5.7 branch.
5) - 6) are remaked of previous [6/8], [7/8] which were mistaken patch.
Kuninori Morimoto (6):
1) ASoC: soc-pcm: move dpcm_fe_dai_close()
2) ASoC: soc-pcm: add dpcm_fe_dai_cleanup()
3) ASoC: soc-pcm: use snd_soc_dai_get_pcm_stream() at dpcm_set_fe_runtime()
4) ASoC: soc-pcm: tidyup dulicate handing at dpcm_fe_dai_startup()
5) ASoC: soc-pcm: check DAI's activity more simply
6) ASoC: soc-pcm: Do Digital Mute for both CPU/Codec in same timing.
sound/soc/soc-pcm.c | 97 ++++++++++++++++++++++-----------------------
1 file changed, 47 insertions(+), 50 deletions(-)
--
2.17.1
We are currently using simple-audio-card on the Allwinner A64 SoC.
The digital audio codec there (sun8i-codec) has 3 AIFs, one each for the
CPU, the modem, and Bluetooth. Adding support for the secondary AIFs
requires adding codec2codec DAI links.
Since the modem and bt-sco codec DAI drivers only have one set of
possible PCM parameters (namely, 8kHz mono S16LE), there's no real
need for a machine driver to specify the DAI link configuration. The
parameters for these "simple" DAI links can be chosen automatically.
This series adds codec2codec DAI link support to simple-audio-card.
Codec to codec links are automatically detected when all DAIs in the
link belong to codec components.
I tried to reuse as much code as possible, so the first two patches
refactor a couple of helper functions to be more generic.
The last patch adds the new feature and its documentation.
Changes in v4:
- Rebased on top of asoc/for-next, several changes to patch 2
- Removed unused variable from patch 3
Changes in v3:
- Update use of for_each_rtd_components for v5.6
Changes in v2:
- Drop patch 1 as it was merged
- Automatically detect codec2codec links instead of using a DT property
Samuel Holland (3):
ALSA: pcm: Add a standalone version of snd_pcm_limit_hw_rates
ASoC: pcm: Export parameter intersection logic
ASoC: simple-card: Add support for codec2codec DAI links
Documentation/sound/soc/codec-to-codec.rst | 9 +++-
include/sound/pcm.h | 9 +++-
include/sound/soc.h | 3 ++
sound/core/pcm_misc.c | 18 +++----
sound/soc/generic/simple-card-utils.c | 48 ++++++++++++++++++
sound/soc/soc-pcm.c | 59 ++++++++++++++--------
6 files changed, 114 insertions(+), 32 deletions(-)
--
2.24.1
The runtime pointer has been taken in functional level so there is no need
to take it again under the if () case.
Fixes: 9d789dc047 ("ALSA: dmaengine_pcm: Consider DMA cache caused delay in pointer callback")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/20200227093544.27723-1-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Digital Mute for CPU is done at soc_pcm_close(), and
Digital Mute for Codec is done at soc_pcm_hw_free().
It is just confusable.
This patch do Digital Mute for both CPU/Codec in same timing.
Then, it cares DAI activity
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87imjip9ty.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
soc_pcm_hw_free() want to call snd_soc_dai_digital_mute()
if it was last user of Playback or Capture.
bool playback = substream->stream == SNDRV_PCM_STREAM_PLAYBACK;
int playback_active = dai->stream_active[SNDRV_PCM_STREAM_PLAYBACK];
int capture_active = dai->stream_active[SNDRV_PCM_STREAM_CAPTURE];
if ((playback && playback_active == 1) ||
(!playback && capture_active == 1))
snd_soc_dai_digital_mute(...)
But it is same as
int active = dai->stream_active[substream->stream];
if (active == 1)
snd_soc_dai_digital_mute(...)
This patch simplify the code.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87k13yp9ub.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
error handling at dpcm_fe_dai_startup() has duplicate code.
This patch tidyup it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/87lfoep9ug.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
We already have snd_soc_dai_get_pcm_stream(),
let's use it
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/87mu8up9ul.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
dpcm_fe_dai_close() and error case of dpcm_fe_dai_open()
need to do same cleanup operation.
To avoid duplicate code, this patch adds dpcm_fe_dai_cleanup()
and use it.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/87o8tap9uq.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
move dpcm_fe_dai_close() next to dpcm_fe_dai_open().
This is prepare for dpcm_fe_dai_open() cleanup
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/87pndqp9uv.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Following the example in cb2cf0de11 ("ASoC: soc-core: care Codec <->
Codec case by non_legacy_dai_naming"), determine if a DAI link contains
only codec DAIs by examining the non_legacy_dai_naming flag in each
DAI's component.
For now, we assume there is only one or a small set of valid PCM stream
parameters, so num_params == 1 is good enough. We also assume that the
same params are valid for all supported streams. params is set to the
subset of parameters common among all DAIs, and then the existing code
automatically chooses the highest quality of the remaining values when
the link is brought up.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Link: https://lore.kernel.org/r/20200305051143.60691-4-samuel@sholland.org
Signed-off-by: Mark Brown <broonie@kernel.org>
The logic to calculate the subset of stream parameters supported by all
DAIs associated with a PCM stream is nontrivial. Export a helper
function so it can be used to set up simple codec2codec DAI links.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Link: https://lore.kernel.org/r/20200305051143.60691-3-samuel@sholland.org
Signed-off-by: Mark Brown <broonie@kernel.org>
It can be useful to derive min/max rates of a snd_pcm_hardware without
having a snd_pcm_runtime, such as before constructing an ASoC DAI link.
Create a new helper that takes a pointer to a snd_pcm_hardware directly,
and refactor the original function as a wrapper around it, to avoid
needing to update any call sites.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200305051143.60691-2-samuel@sholland.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Looks like there are some unused headers, remove them.
Seems to be missed while moving to mfd.
Reported-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20200306132806.19684-3-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
The bfq_find_set_group() function takes as input a blkcg (which represents
a cgroup) and retrieves the corresponding bfq_group, then it updates the
bfq internal group hierarchy (see comments inside the function for why
this is needed) and finally it returns the bfq_group.
In the hierarchy update cycle, the pointer holding the correct bfq_group
that has to be returned is mistakenly used to traverse the hierarchy
bottom to top, meaning that in each iteration it gets overwritten with the
parent of the current group. Since the update cycle stops at root's
children (depth = 2), the overwrite becomes a problem only if the blkcg
describes a cgroup at a hierarchy level deeper than that (depth > 2). In
this case the root's child that happens to be also an ancestor of the
correct bfq_group is returned. The main consequence is that processes
contained in a cgroup at depth greater than 2 are wrongly placed in the
group described above by BFQ.
This commits fixes this problem by using a different bfq_group pointer in
the update cycle in order to avoid the overwrite of the variable holding
the original group reference.
Reported-by: Kwon Je Oh <kwonje.oh2@gmail.com>
Signed-off-by: Carlo Nonato <carlo.nonato95@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Merge misc fixes from Andrew Morton:
"7 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
arch/Kconfig: update HAVE_RELIABLE_STACKTRACE description
mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
mm/z3fold.c: do not include rwlock.h directly
fat: fix uninit-memory access for partial initialized inode
mm: avoid data corruption on CoW fault into PFN-mapped VMA
mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
Since commit 3bc3206e1c ("serial: fsl_lpuart: Remove the alias node
dependence") the port line number can also be allocated by IDA, but in
case of an error the ID will no be removed again. More importantly, any
ID will be freed in remove(), even if it wasn't allocated but instead
fetched by of_alias_get_id(). If it was not allocated by IDA there will
be a warning:
WARN(1, "ida_free called for id=%d which is not allocated.\n", id);
Move the ID allocation more to the end of the probe() so that we still
can use plain return in the first error cases.
Fixes: 3bc3206e1c ("serial: fsl_lpuart: Remove the alias node dependence")
Signed-off-by: Michael Walle <michael@walle.cc>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200303174306.6015-3-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit a659652f61.
This broke the earlycon on LS1021A processors because the order of the
earlycon_setup() functions were changed. Before the commit the normal
lpuart32_early_console_setup() was called. After the commit the
lpuart32_imx_early_console_setup() is called instead.
Fixes: a659652f61 ("tty: serial: fsl_lpuart: drop EARLYCON_DECLARE")
Signed-off-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/20200303174306.6015-2-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On Apple devices the _CRS method returns an empty resource template, and
the resource settings are instead provided by the _DSM method. But
commit 33364d63c7 (serdev: Add ACPI
devices by ResourceSource field) changed the search for serdev devices
to require valid, non-empty resource template, thereby breaking Apple
devices and causing bluetooth devices to not be found.
This expands the check so that if we don't find a valid template, and
we're on an Apple machine, then just check for the device being an
immediate child of the controller and having a "baud" property.
Cc: <stable@vger.kernel.org> # 5.5
Fixes: 33364d63c7 ("serdev: Add ACPI devices by ResourceSource field")
Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
Link: https://lore.kernel.org/r/20200211194723.486217-1-ronald@innovation.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
save_stack_trace_tsk_reliable() is not the only function providing the
reliable stack traces anymore. Architecture might define ARCH_STACKWALK
which provides a newer stack walking interface and has
arch_stack_walk_reliable() function. Update the description accordingly.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Link: http://lkml.kernel.org/r/20200120154042.9934-1-mbenes@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit cd02cf1ace ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
fixed memory hotplug with debug_pagealloc enabled, where onlining a page
goes through page freeing, which removes the direct mapping. Some arches
don't like when the page is not mapped in the first place, so
generic_online_page() maps it first. This is somewhat wasteful, but
better than special casing page freeing fast paths.
The commit however missed that DEBUG_PAGEALLOC configured doesn't mean
it's actually enabled. One has to test debug_pagealloc_enabled() since
031bc5743f ("mm/debug-pagealloc: make debug-pagealloc boottime
configurable"), or alternatively debug_pagealloc_enabled_static() since
8e57f8acbb ("mm, debug_pagealloc: don't rely on static keys too early"),
but this is not done.
As a result, a s390 kernel with DEBUG_PAGEALLOC configured but not enabled
will crash:
Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0000000000000000 TEID: 0000000000000483
Fault in home space mode while using kernel ASCE.
AS:0000001ece13400b R2:000003fff7fd000b R3:000003fff7fcc007 S:000003fff7fd7000 P:000000000000013d
Oops: 0004 ilc:2 [#1] SMP
CPU: 1 PID: 26015 Comm: chmem Kdump: loaded Tainted: GX 5.3.18-5-default #1 SLE15-SP2 (unreleased)
Krnl PSW : 0704e00180000000 0000001ecd281b9e (__kernel_map_pages+0x166/0x188)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 0000000000000800 0000400b00000000 0000000000000100
0000000000000001 0000000000000000 0000000000000002 0000000000000100
0000001ece139230 0000001ecdd98d40 0000400b00000100 0000000000000000
000003ffa17e4000 001fffe0114f7d08 0000001ecd4d93ea 001fffe0114f7b20
Krnl Code: 0000001ecd281b8e: ec17ffff00d8 ahik %r1,%r7,-1
0000001ecd281b94: ec111dbc0355 risbg %r1,%r1,29,188,3
>0000001ecd281b9e: 94fb5006 ni 6(%r5),251
0000001ecd281ba2: 41505008 la %r5,8(%r5)
0000001ecd281ba6: ec51fffc6064 cgrj %r5,%r1,6,1ecd281b9e
0000001ecd281bac: 1a07 ar %r0,%r7
0000001ecd281bae: ec03ff584076 crj %r0,%r3,4,1ecd281a5e
Call Trace:
[<0000001ecd281b9e>] __kernel_map_pages+0x166/0x188
[<0000001ecd4d9516>] online_pages_range+0xf6/0x128
[<0000001ecd2a8186>] walk_system_ram_range+0x7e/0xd8
[<0000001ecda28aae>] online_pages+0x2fe/0x3f0
[<0000001ecd7d02a6>] memory_subsys_online+0x8e/0xc0
[<0000001ecd7add42>] device_online+0x5a/0xc8
[<0000001ecd7d0430>] state_store+0x88/0x118
[<0000001ecd5b9f62>] kernfs_fop_write+0xc2/0x200
[<0000001ecd5064b6>] vfs_write+0x176/0x1e0
[<0000001ecd50676a>] ksys_write+0xa2/0x100
[<0000001ecda315d4>] system_call+0xd8/0x2c8
Fix this by checking debug_pagealloc_enabled_static() before calling
kernel_map_pages(). Backports for kernel before 5.5 should use
debug_pagealloc_enabled() instead. Also add comments.
Fixes: cd02cf1ace ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
Reported-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Qian Cai <cai@lca.pw>
Link: http://lkml.kernel.org/r/20200224094651.18257-1-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
rwlock.h should not be included directly. Instead linux/splinlock.h
should be included. One thing it does is to break the RT build.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Vitaly Wool <vitaly.wool@konsulko.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20200224133631.1510569-1-bigeasy@linutronix.de
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When get an error in the middle of reading an inode, some fields in the
inode might be still not initialized. And then the evict_inode path may
access those fields via iput().
To fix, this makes sure that inode fields are initialized.
Reported-by: syzbot+9d82b8de2992579da5d0@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/871rqnreqx.fsf@mail.parknet.co.jp
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jeff Moyer has reported that one of xfstests triggers a warning when run
on DAX-enabled filesystem:
WARNING: CPU: 76 PID: 51024 at mm/memory.c:2317 wp_page_copy+0xc40/0xd50
...
wp_page_copy+0x98c/0xd50 (unreliable)
do_wp_page+0xd8/0xad0
__handle_mm_fault+0x748/0x1b90
handle_mm_fault+0x120/0x1f0
__do_page_fault+0x240/0xd70
do_page_fault+0x38/0xd0
handle_page_fault+0x10/0x30
The warning happens on failed __copy_from_user_inatomic() which tries to
copy data into a CoW page.
This happens because of race between MADV_DONTNEED and CoW page fault:
CPU0 CPU1
handle_mm_fault()
do_wp_page()
wp_page_copy()
do_wp_page()
madvise(MADV_DONTNEED)
zap_page_range()
zap_pte_range()
ptep_get_and_clear_full()
<TLB flush>
__copy_from_user_inatomic()
sees empty PTE and fails
WARN_ON_ONCE(1)
clear_page()
The solution is to re-try __copy_from_user_inatomic() under PTL after
checking that PTE is matches the orig_pte.
The second copy attempt can still fail, like due to non-readable PTE, but
there's nothing reasonable we can do about, except clearing the CoW page.
Reported-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Tested-by: Jeff Moyer <jmoyer@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Justin He <Justin.He@arm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Link: http://lkml.kernel.org/r/20200218154151.13349-1-kirill.shutemov@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In set_pmd_migration_entry(), pmdp_invalidate() is used to change PMD
atomically. But the PMD is read before that with an ordinary memory
reading. If the THP (transparent huge page) is written between the PMD
reading and pmdp_invalidate(), the PMD dirty bit may be lost, and cause
data corruption. The race window is quite small, but still possible in
theory, so need to be fixed.
The race is fixed via using the return value of pmdp_invalidate() to get
the original content of PMD, which is a read/modify/write atomic
operation. So no THP writing can occur in between.
The race has been introduced when the THP migration support is added in
the commit 616b837153 ("mm: thp: enable thp migration in generic path").
But this fix depends on the commit d52605d7cb ("mm: do not lose dirty
and accessed bits in pmdp_invalidate()"). So it's easy to be backported
after v4.16. But the race window is really small, so it may be fine not
to backport the fix at all.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Link: http://lkml.kernel.org/r/20200220075220.2327056-1-ying.huang@intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
: A user reported a bug against a distribution kernel while running a
: proprietary workload described as "memory intensive that is not swapping"
: that is expected to apply to mainline kernels. The workload is
: read/write/modifying ranges of memory and checking the contents. They
: reported that within a few hours that a bad PMD would be reported followed
: by a memory corruption where expected data was all zeros. A partial
: report of the bad PMD looked like
:
: [ 5195.338482] ../mm/pgtable-generic.c:33: bad pmd ffff8888157ba008(000002e0396009e2)
: [ 5195.341184] ------------[ cut here ]------------
: [ 5195.356880] kernel BUG at ../mm/pgtable-generic.c:35!
: ....
: [ 5195.410033] Call Trace:
: [ 5195.410471] [<ffffffff811bc75d>] change_protection_range+0x7dd/0x930
: [ 5195.410716] [<ffffffff811d4be8>] change_prot_numa+0x18/0x30
: [ 5195.410918] [<ffffffff810adefe>] task_numa_work+0x1fe/0x310
: [ 5195.411200] [<ffffffff81098322>] task_work_run+0x72/0x90
: [ 5195.411246] [<ffffffff81077139>] exit_to_usermode_loop+0x91/0xc2
: [ 5195.411494] [<ffffffff81003a51>] prepare_exit_to_usermode+0x31/0x40
: [ 5195.411739] [<ffffffff815e56af>] retint_user+0x8/0x10
:
: Decoding revealed that the PMD was a valid prot_numa PMD and the bad PMD
: was a false detection. The bug does not trigger if automatic NUMA
: balancing or transparent huge pages is disabled.
:
: The bug is due a race in change_pmd_range between a pmd_trans_huge and
: pmd_nond_or_clear_bad check without any locks held. During the
: pmd_trans_huge check, a parallel protection update under lock can have
: cleared the PMD and filled it with a prot_numa entry between the transhuge
: check and the pmd_none_or_clear_bad check.
:
: While this could be fixed with heavy locking, it's only necessary to make
: a copy of the PMD on the stack during change_pmd_range and avoid races. A
: new helper is created for this as the check if quite subtle and the
: existing similar helpful is not suitable. This passed 154 hours of
: testing (usually triggers between 20 minutes and 24 hours) without
: detecting bad PMDs or corruption. A basic test of an autonuma-intensive
: workload showed no significant change in behaviour.
Although Mel withdrew the patch on the face of LKML comment
https://lkml.org/lkml/2017/4/10/922 the race window aforementioned is
still open, and we have reports of Linpack test reporting bad residuals
after the bad PMD warning is observed. In addition to that, bad
rss-counter and non-zero pgtables assertions are triggered on mm teardown
for the task hitting the bad PMD.
host kernel: mm/pgtable-generic.c:40: bad pmd 00000000b3152f68(8000000d2d2008e7)
....
host kernel: BUG: Bad rss-counter state mm:00000000b583043d idx:1 val:512
host kernel: BUG: non-zero pgtables_bytes on freeing mm: 4096
The issue is observed on a v4.18-based distribution kernel, but the race
window is expected to be applicable to mainline kernels, as well.
[akpm@linux-foundation.org: fix comment typo, per Rafael]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Cc: <stable@vger.kernel.org>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Link: http://lkml.kernel.org/r/20200216191800.22423-1-aquini@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Revert a problematic commit from the 5.3 development
cycle (Brendan Higgins).
-----BEGIN PGP SIGNATURE-----
iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAl5iIf0SHHJqd0Byand5
c29ja2kubmV0AAoJEILEb/54YlRxFMEQAIF33vTkF9Jaj2ZMqLr3L0dSmtnvxvxk
iYGpUIkFA9rIOrh+tBsgS3CekyiBAVNU+4Rmv5kWjVVwFNIRjJbFHK3CNF6IcKrN
/MGk4VJJwSjify0XjuZVFL3rQSURKkLAnyOug7oW7oorpxCVEGeIS9KCtQ9gsonb
NrlH/I43cM063LGz3ilBh80A6NvvzMSgkmoMyODSA8faVvrR7D87NkcGTdPge2q/
3qrI+kkBdmchYR/hLlZtC2HAEv2I+B49ewec9BN4cB8LCDxe68psEyLfxGTdNIWh
SNXL9DSboF8IbBKkg6CHAXztqUKJggIrjjvFUEOCvtf7oAKCYqshDw69FwnaFsTr
+V4jaBquqmvMb1saKUaB4Oh+puHpQRKWjXjgF6OSJzbxGA0WzxG3LPZoWKIlj9P6
Oz5f1QrE4RzVoQ0pA6vUTWWFPnPgo78KcmWoGzQlCnu4iLBYM3VdaBmU5a0gvWVB
24807O0/OzfQKcA1e5iHu7b0rgNaeJqCq0df60OPTtZq1OvYbp1xG8ogckMdsOmE
FQHvB92wVNyeQC2/urRrlF5VHxBmw3+O0G9diL5UFlH7haXvowGb8PlI1HNwEzMF
YTleQfdaKjI2GW9+56y5oKwAhAmHPUHkpPY19wj1zgPdDqaDuecLNxlfEwkYO3tY
g3HRhfyQcmJ0
=knd+
-----END PGP SIGNATURE-----
Merge tag 'devprop-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull device properties framework fix from Rafael Wysocki:
"Revert a problematic commit from the 5.3 development cycle (Brendan
Higgins)"
* tag 'devprop-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
Revert "software node: Simplify software_node_release() function"
Fix Sphinx format warinings in an ACPI fan document added
recently (Randy Dunlap).
-----BEGIN PGP SIGNATURE-----
iQJGBAABCAAwFiEE4fcc61cGeeHD/fCwgsRv/nhiVHEFAl5iIZASHHJqd0Byand5
c29ja2kubmV0AAoJEILEb/54YlRxxfsQAI+MIL4xLajSLgxu+2vUPC6MZi2zwyM2
Gg8W1IquAVhcTO9RS1JgrLDeVPAE/CFWXGsm1S9V8zvlZMw1vtmwsp94beuKjJuS
SOS6YsQKBVsrT2oB3gTtJAN2098QDrTZcb7a0D1cmnHNpE5gmjau8YmnS/VNjHsn
QXmH/qDnrgr/J9JI3xc+3bALC+QetPjHZOKGJJG/AmH3bG8PZ1flEoCG6lvFBDWw
obIgfmOB2uU54SFbS9LMAWjN13XA7D8RV910J0SEyYmhzu4z3nix3TKyQPJnTn8W
mNKeTG3qX+Fim3FTKSfc0xhg2yO0pNXtohc+a3HGfZpWSi8Ek6VhVmv6A2WOajet
3X7NmhfhO4Q8sEcz2rrc7Lh2N/fjWXGXua8R68KLBtQ/X1xTnZx+0UmsNwFMLN1a
sg3aclKnsfOtn+OX3NXrbm+J1NA3SXZ/5MTdtUsHzac0t2/N8xMaKK0fXNElF1e4
n1bQhIMh/YnN/5FA304mGVqUZlCdZV+1AU7+Z/uRHS5TrVyNxPt5YFPugcGNBpX+
Yj7R9iq4OspTa+fZn7Hbe4TQSqPCok1gK7ZMew4sAyaqNZoENKOkuGgPMc1Za1nb
1Qi7gyinjz22PVL8TDvETyR6vpydBp+V0ZpcxgVdRykzms4/40AWdc7YGSD3gPIq
UwYqASaJdyR6
=OM5C
-----END PGP SIGNATURE-----
Merge tag 'acpi-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull ACPI documentation fix from Rafael Wysocki:
"Fix Sphinx format warinings in an ACPI fan document added recently
(Randy Dunlap)"
* tag 'acpi-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
Documentation/admin-guide/acpi: fix fan_performance_states.rst warnings
dma-buf:
- fix memory leak
core:
- shmem object mmap fix.
ttm:
- Fix fence leak in ttm_buffer_object_transfer().
amdgpu:
- Gfx reset fix for gfx9, 10
- Fix for gfx10
- DP MST fix
- DCC fix
- Renoir power fixes
- Navi power fix
i915:
- Break up long lists of object reclaim with cond_resched()
- PSR probe fix
- TGL workarounds
- Selftest return value fix
- Drop timeline mutex while waiting for retirement
- Wait for OA configuration completion before writes to OA buffer
virtio:
- Fix resource id creation race in virtio.
- mmap fixes
sun4i:
- Fixes for sun4i VI layer format support.
kirin:
- kirin: Revert "Fix for hikey620 display offset problem"
exynos:
- fix a kernel oops problem in case that driver is loaded as module.
- fix a regulator warning issue when I2C DDC adapter cannot be gathered.
- print out an error message only in error case excepting -EPROBE_DEFER.
mediatek:
- overlay, cursor and gce fixes.
`
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJeYbXXAAoJEAx081l5xIa+QtoQAJNMM9HBThWZjX+j/+LX1MUg
xW6ZqOmYjL/FfViSEpASLJuIz9+JF6/FK8RtuzbcsoPesLhfGtsQiM83FN+6KKs8
4kUa+ahh4+xuz4Q1mPJWH4kb0NpmHhNbuN1z/6fQwwYUYS3ltL21vR/6KE8x2FXu
rOmrcTVjiMvDjc0d8uN0GBEBON7Sf7EG2wZ0EN2uNR0lEzBSYczXRioDBC9Pj/Va
MGc4WzULJppTyvbUxnbtHYKXZfOHvW5pcKAR3utJQi1oJRKmNjm76lzNr5r4t7v3
IEhpe5UfjY01CUhpBWfwUa4ZuESKS9gFNlHN6rqADrdngyn8zDBFFd07B3MCg651
VURASTcyw7yJgVAhMRyxjcj76GYYm7AX1vyN6tkbBcY+yt2ZYdCYQh5k17U2FYeR
fn/15SuRqa06p2+cHfyEVNQBwtZ2l10SyJHBTOMlgN5V0AH+itU+2t03SmhuEQaG
CeiOVJJtJFWyvvwzDeqGf6YqTTicyqciviRVrkLL2KlnoCzTamZosv8aWzKtQKEj
TKcDp5Toc0TK3EMtPYRwuXGkWr+0WB8PuNYmouhauPMm+cgHO2F4JtgJfPspbw+l
BOks64uQQNGhfyjfpcaWjIxnyC5dtGJoGhsiP8OQF38utUwZlkOh1/90hcUapocQ
E4FC8X8mAckSRce9/fca
=ckrX
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2020-03-06' of git://anongit.freedesktop.org/drm/drm
Pull drm fixes from Dave Airlie:
"Weekly fixes round, looks like a few people woke up, got a bunch of
fixes across the drivers. Bit bigger than I'd like but they all seem
fine and hopefully it quiets down now.
sun4i, kirin, mediatek and exynos on the ARM side. virtio-gpu and core
have some mmap fixes, and there is a dma-buf leak. one ttm fence leak
is also fixed.
Otherwise it's mostly amdgpu and i915.
One of the i915 fixes is for a very long latency I was seeing (using
latencytop) running gnome-shell locally when using firefox and eating
nearly all my RAM, it really helps with desktop responsiveness esp
when firefox is chewing a lot.
dma-buf:
- fix memory leak
core:
- shmem object mmap fix.
ttm:
- Fix fence leak in ttm_buffer_object_transfer().
amdgpu:
- Gfx reset fix for gfx9, 10
- Fix for gfx10
- DP MST fix
- DCC fix
- Renoir power fixes
- Navi power fix
i915:
- Break up long lists of object reclaim with cond_resched()
- PSR probe fix
- TGL workarounds
- Selftest return value fix
- Drop timeline mutex while waiting for retirement
- Wait for OA configuration completion before writes to OA buffer
virtio:
- Fix resource id creation race in virtio.
- mmap fixes
sun4i:
- Fixes for sun4i VI layer format support.
kirin:
- kirin: Revert "Fix for hikey620 display offset problem"
exynos:
- fix a kernel oops problem in case that driver is loaded as module.
- fix a regulator warning issue when I2C DDC adapter cannot be gathered.
- print out an error message only in error case excepting -EPROBE_DEFER.
mediatek:
- overlay, cursor and gce fixes"
`
* tag 'drm-fixes-2020-03-06' of git://anongit.freedesktop.org/drm/drm: (38 commits)
drm/amdgpu/display: navi1x copy dcn watermark clock settings to smu resume from s3 (v2)
drm/amd/powerplay: map mclk to fclk for COMBINATIONAL_BYPASS case
drm/amd/powerplay: fix pre-check condition for setting clock range
drm/amd/display: fix dcc swath size calculations on dcn1
drm/amd/display: Clear link settings on MST disable connector
drm/amdgpu: disable 3D pipe 1 on Navi1x
drm/amdgpu: clean wptr on wb when gpu recovery
drm: kirin: Revert "Fix for hikey620 display offset problem"
drm/i915/gt: Drop the timeline->mutex as we wait for retirement
drm/i915/perf: Reintroduce wait on OA configuration completion
drm/sun4i: Fix DE2 VI layer format support
drm/sun4i: Add separate DE3 VI layer formats
drm/sun4i: de2/de3: Remove unsupported VI layer formats
drm/i915/selftests: Fix return in assert_mmap_offset()
drm/i915: Protect i915_request_await_start from early waits
drm/i915/tgl: Add Wa_1608008084
drm/i915/tgl: Add Wa_22010178259:tgl
drm/i915: Program MBUS with rmw during initialization
drm/i915/psr: Force PSR probe only after full initialization
drm/i915/gem: Break up long lists of object reclaim
...
Commit ee88f4ebe5 ("ALSA: mips: Use managed buffer allocation") removed
superfluous hw_params/hw_free callbacks, but forgot to remove them where
they were used.
Fixes: ee88f4ebe5 ("ALSA: mips: Use managed buffer allocation")
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Link: https://lore.kernel.org/r/20200306105837.31523-1-tsbogend@alpha.franken.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
- Break up long lists of object reclaim with cond_resched()
- PSR probe fix
- TGL workarounds
- Selftest return value fix
- Drop timeline mutex while waiting for retirement
- Wait for OA configuration completion before writes to OA buffer
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFWWmW3ewYy4RJOWc05gHnSar7m8FAl5g1ecACgkQ05gHnSar
7m/y3A/8DTpsr/iCkp2z0RfTzl7n0Miw4DSJ53ma4xjV8oVUji2cZVQu3W+lb/4Q
VBvLt6LIGDwe/v0gi4IuJaBKnRjfi4UXntb4Np9k75Mol5FPKdGIgan38SSIv1f4
7a8a+EG773sYETHmHhbt5wHDTTfTNHrjoit/KnkeT0gRZaUlpcmLHKWBiLrwVwvO
NP4eOL++k7OzXH8+osk2C5oYxf3YeQn+nkt9qlnLqcLjW3ZNoXDlc5Zmhk1ZB7tx
Ij+LBM2jslpl8cKi2potrfw2W5Q28XzQt9AzAXQRCSR0CHqZMTlXxOTjhsMEh2pp
aDkvcrApi73lt6OsspxbflcmfwM5oTU+xSiIbRu07ZJ2FFC2PSMzGaaOZihjNIeU
XtdGs/95rl38qU42+0epImt/Wz8WAparNymUa1KAfe1XRpDg72EpCXJmESoxm15z
jRLZm4jvcxoYtet2fAk5W9nmaIzD7pLgO2cXHWYXMEpyw5Ts+BJyWnJFlfTIlOpL
qv9AjuryPgEVVN1/q/WZzD3GKeFeEODiPgZjx/OF/DXG7rkfKwLuecnoFzuHUbJh
YNJtE+2stqq6LkGsaS1pE6FkSsjNBvQ9z5EZaIBZKfWau1tRF38iON3e1VA+v78Z
z0diCC3pjRCjnilVbmiiF1HMiiftNBHRWGwK1tDklAm2GMcmf7U=
=kXvj
-----END PGP SIGNATURE-----
Merge tag 'drm-intel-fixes-2020-03-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
drm/i915 fixes for v5.6-rc5:
- Break up long lists of object reclaim with cond_resched()
- PSR probe fix
- TGL workarounds
- Selftest return value fix
- Drop timeline mutex while waiting for retirement
- Wait for OA configuration completion before writes to OA buffer
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/87eeu7nl6z.fsf@intel.com
