- Linux-stable-mirror - lists.linaro.org

[patch 05/10] mm, memcg: throttle allocators based on ancestral memory.high

by Andrew Morton

From: Chris Down <chris(a)chrisdown.name> Subject: mm, memcg: throttle allocators based on ancestral memory.high Prior to this commit, we only directly check the affected cgroup's memory.high against its usage. However, it's possible that we are being reclaimed as a result of hitting an ancestor memory.high and should be penalised based on that, instead. This patch changes memory.high overage throttling to use the largest overage in its ancestors when considering how many penalty jiffies to charge. This makes sure that we penalise poorly behaving cgroups in the same way regardless of at what level of the hierarchy memory.high was breached. Link: http://lkml.kernel.org/r/8cd132f84bd7e16cdb8fde3378cdbf05ba00d387.158403614… Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") Signed-off-by: Chris Down <chris(a)chrisdown.name> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Tejun Heo <tj(a)kernel.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Nathan Chancellor <natechancellor(a)gmail.com> Cc: Roman Gushchin <guro(a)fb.com> Cc: <stable(a)vger.kernel.org> [5.4.x+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 93 ++++++++++++++++++++++++++++------------------ 1 file changed, 58 insertions(+), 35 deletions(-) --- a/mm/memcontrol.c~mm-memcg-throttle-allocators-based-on-ancestral-memoryhigh +++ a/mm/memcontrol.c @@ -2297,28 +2297,41 @@ static void high_work_func(struct work_s #define MEMCG_DELAY_SCALING_SHIFT 14 /* - * Scheduled by try_charge() to be executed from the userland return path - * and reclaims memory over the high limit. + * Get the number of jiffies that we should penalise a mischievous cgroup which + * is exceeding its memory.high by checking both it and its ancestors. */ -void mem_cgroup_handle_over_high(void) +static unsigned long calculate_high_delay(struct mem_cgroup *memcg, + unsigned int nr_pages) { - unsigned long usage, high, clamped_high; - unsigned long pflags; - unsigned long penalty_jiffies, overage; - unsigned int nr_pages = current->memcg_nr_pages_over_high; - struct mem_cgroup *memcg; + unsigned long penalty_jiffies; + u64 max_overage = 0; - if (likely(!nr_pages)) - return; + do { + unsigned long usage, high; + u64 overage; + + usage = page_counter_read(&memcg->memory); + high = READ_ONCE(memcg->high); + + /* + * Prevent division by 0 in overage calculation by acting as if + * it was a threshold of 1 page + */ + high = max(high, 1UL); + + overage = usage - high; + overage <<= MEMCG_DELAY_PRECISION_SHIFT; + overage = div64_u64(overage, high); + + if (overage > max_overage) + max_overage = overage; + } while ((memcg = parent_mem_cgroup(memcg)) && + !mem_cgroup_is_root(memcg)); - memcg = get_mem_cgroup_from_mm(current->mm); - reclaim_high(memcg, nr_pages, GFP_KERNEL); - current->memcg_nr_pages_over_high = 0; + if (!max_overage) + return 0; /* - * memory.high is breached and reclaim is unable to keep up. Throttle - * allocators proactively to slow down excessive growth. - * * We use overage compared to memory.high to calculate the number of * jiffies to sleep (penalty_jiffies). Ideally this value should be * fairly lenient on small overages, and increasingly harsh when the @@ -2326,24 +2339,9 @@ void mem_cgroup_handle_over_high(void) * its crazy behaviour, so we exponentially increase the delay based on * overage amount. */ - - usage = page_counter_read(&memcg->memory); - high = READ_ONCE(memcg->high); - - if (usage <= high) - goto out; - - /* - * Prevent division by 0 in overage calculation by acting as if it was a - * threshold of 1 page - */ - clamped_high = max(high, 1UL); - - overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, - clamped_high); - - penalty_jiffies = ((u64)overage * overage * HZ) - >> (MEMCG_DELAY_PRECISION_SHIFT + MEMCG_DELAY_SCALING_SHIFT); + penalty_jiffies = max_overage * max_overage * HZ; + penalty_jiffies >>= MEMCG_DELAY_PRECISION_SHIFT; + penalty_jiffies >>= MEMCG_DELAY_SCALING_SHIFT; /* * Factor in the task's own contribution to the overage, such that four @@ -2360,7 +2358,32 @@ void mem_cgroup_handle_over_high(void) * application moving forwards and also permit diagnostics, albeit * extremely slowly. */ - penalty_jiffies = min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); + return min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); +} + +/* + * Scheduled by try_charge() to be executed from the userland return path + * and reclaims memory over the high limit. + */ +void mem_cgroup_handle_over_high(void) +{ + unsigned long penalty_jiffies; + unsigned long pflags; + unsigned int nr_pages = current->memcg_nr_pages_over_high; + struct mem_cgroup *memcg; + + if (likely(!nr_pages)) + return; + + memcg = get_mem_cgroup_from_mm(current->mm); + reclaim_high(memcg, nr_pages, GFP_KERNEL); + current->memcg_nr_pages_over_high = 0; + + /* + * memory.high is breached and reclaim is unable to keep up. Throttle + * allocators proactively to slow down excessive growth. + */ + penalty_jiffies = calculate_high_delay(memcg, nr_pages); /* * Don't sleep if the amount of jiffies this memcg owes us is so low _

5 years, 7 months

1
0
0 0

[patch 04/10] mm, memcg: fix corruption on 64-bit divisor in memory.high throttling

by Andrew Morton

From: Chris Down <chris(a)chrisdown.name> Subject: mm, memcg: fix corruption on 64-bit divisor in memory.high throttling 0e4b01df8659 had a bunch of fixups to use the right division method. However, it seems that after all that it still wasn't right -- div_u64 takes a 32-bit divisor. The headroom is still large (2^32 pages), so on mundane systems you won't hit this, but this should definitely be fixed. Link: http://lkml.kernel.org/r/80780887060514967d414b3cd91f9a316a16ab98.158403614… Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") Signed-off-by: Chris Down <chris(a)chrisdown.name> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Tejun Heo <tj(a)kernel.org> Cc: Roman Gushchin <guro(a)fb.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Nathan Chancellor <natechancellor(a)gmail.com> Cc: <stable(a)vger.kernel.org> [5.4.x+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/memcontrol.c~mm-memcg-fix-corruption-on-64-bit-divisor-in-memoryhigh-throttling +++ a/mm/memcontrol.c @@ -2339,7 +2339,7 @@ void mem_cgroup_handle_over_high(void) */ clamped_high = max(high, 1UL); - overage = div_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, + overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, clamped_high); penalty_jiffies = ((u64)overage * overage * HZ) _

5 years, 7 months

1
0
0 0

[patch 03/10] page-flags: fix a crash at SetPageError(THP_SWAP)

by Andrew Morton

From: Qian Cai <cai(a)lca.pw> Subject: page-flags: fix a crash at SetPageError(THP_SWAP) The commit bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out") supported writing THP to a swap device but forgot to upgrade an older commit df8c94d13c7e ("page-flags: define behavior of FS/IO-related flags on compound pages") which could trigger a crash during THP swapping out with DEBUG_VM_PGFLAGS=y, kernel BUG at include/linux/page-flags.h:317! page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page)) page:fffff3b2ec3a8000 refcount:512 mapcount:0 mapping:000000009eb0338c index:0x7f6e58200 head:fffff3b2ec3a8000 order:9 compound_mapcount:0 compound_pincount:0 anon flags: 0x45fffe0000d8454(uptodate|lru|workingset|owner_priv_1|writeback|head|reclaim|swapbacked) end_swap_bio_write() SetPageError(page) VM_BUG_ON_PAGE(1 && PageCompound(page)) <IRQ> bio_endio+0x297/0x560 dec_pending+0x218/0x430 [dm_mod] clone_endio+0xe4/0x2c0 [dm_mod] bio_endio+0x297/0x560 blk_update_request+0x201/0x920 scsi_end_request+0x6b/0x4b0 scsi_io_completion+0x509/0x7e0 scsi_finish_command+0x1ed/0x2a0 scsi_softirq_done+0x1c9/0x1d0 __blk_mqnterrupt+0xf/0x20 </IRQ> Fix by checking PF_NO_TAIL in those places instead. Link: http://lkml.kernel.org/r/20200310235846.1319-1-cai@lca.pw Fixes: bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out") Signed-off-by: Qian Cai <cai(a)lca.pw> Acked-by: "Huang, Ying" <ying.huang(a)intel.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Acked-by: Rafael Aquini <aquini(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-flags.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/page-flags.h~page-flags-fix-a-crash-at-setpageerrorthp_swap +++ a/include/linux/page-flags.h @@ -311,7 +311,7 @@ static inline int TestClearPage##uname(s __PAGEFLAG(Locked, locked, PF_NO_TAIL) PAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) __CLEARPAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) -PAGEFLAG(Error, error, PF_NO_COMPOUND) TESTCLEARFLAG(Error, error, PF_NO_COMPOUND) +PAGEFLAG(Error, error, PF_NO_TAIL) TESTCLEARFLAG(Error, error, PF_NO_TAIL) PAGEFLAG(Referenced, referenced, PF_HEAD) TESTCLEARFLAG(Referenced, referenced, PF_HEAD) __SETPAGEFLAG(Referenced, referenced, PF_HEAD) _

5 years, 7 months

1
0
0 0

[patch 02/10] mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case

by Andrew Morton

From: Baoquan He <bhe(a)redhat.com> Subject: mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case In section_deactivate(), pfn_to_page() doesn't work any more after ms->section_mem_map is resetting to NULL in SPARSEMEM|!VMEMMAP case. It caused hot remove failure: kernel BUG at mm/page_alloc.c:4806! invalid opcode: 0000 [#1] SMP PTI CPU: 3 PID: 8 Comm: kworker/u16:0 Tainted: G W 5.5.0-next-20200205+ #340 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Workqueue: kacpi_hotplug acpi_hotplug_work_fn RIP: 0010:free_pages+0x85/0xa0 Call Trace: __remove_pages+0x99/0xc0 arch_remove_memory+0x23/0x4d try_remove_memory+0xc8/0x130 ? walk_memory_blocks+0x72/0xa0 __remove_memory+0xa/0x11 acpi_memory_device_remove+0x72/0x100 acpi_bus_trim+0x55/0x90 acpi_device_hotplug+0x2eb/0x3d0 acpi_hotplug_work_fn+0x1a/0x30 process_one_work+0x1a7/0x370 worker_thread+0x30/0x380 ? flush_rcu_work+0x30/0x30 kthread+0x112/0x130 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x35/0x40 Let's move the ->section_mem_map resetting after depopulate_section_memmap() to fix it. [akpm(a)linux-foundation.org: remove unneeded initialization, per David] Link: http://lkml.kernel.org/r/20200307084229.28251-2-bhe@redhat.com Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug") Signed-off-by: Baoquan He <bhe(a)redhat.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Pankaj Gupta <pankaj.gupta.linux(a)gmail.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Wei Yang <richardw.yang(a)linux.intel.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Mike Rapoport <rppt(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/sparse.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/mm/sparse.c~mm-hotplug-fix-hot-remove-failure-in-sparsememvmemmap-case +++ a/mm/sparse.c @@ -734,6 +734,7 @@ static void section_deactivate(unsigned struct mem_section *ms = __pfn_to_section(pfn); bool section_is_early = early_section(ms); struct page *memmap = NULL; + bool empty; unsigned long *subsection_map = ms->usage ? &ms->usage->subsection_map[0] : NULL; @@ -764,7 +765,8 @@ static void section_deactivate(unsigned * For 2/ and 3/ the SPARSEMEM_VMEMMAP={y,n} cases are unified */ bitmap_xor(subsection_map, map, subsection_map, SUBSECTIONS_PER_SECTION); - if (bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION)) { + empty = bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION); + if (empty) { unsigned long section_nr = pfn_to_section_nr(pfn); /* @@ -779,13 +781,15 @@ static void section_deactivate(unsigned ms->usage = NULL; } memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr); - ms->section_mem_map = (unsigned long)NULL; } if (section_is_early && memmap) free_map_bootmem(memmap); else depopulate_section_memmap(pfn, nr_pages, altmap); + + if (empty) + ms->section_mem_map = (unsigned long)NULL; } static struct page * __meminit section_activate(int nid, unsigned long pfn, _

5 years, 7 months

1
0
0 0

[patch 01/10] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event

by Andrew Morton

From: Chunguang Xu <brookxu(a)tencent.com> Subject: memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event An eventfd monitors multiple memory thresholds of the cgroup, closes them, the kernel deletes all events related to this eventfd. Before all events are deleted, another eventfd monitors the memory threshold of this cgroup, leading to a crash: [135.675108] BUG: kernel NULL pointer dereference, address: 0000000000000004 [135.675350] #PF: supervisor write access in kernel mode [135.675579] #PF: error_code(0x0002) - not-present page [135.675816] PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0 [135.676080] Oops: 0002 [#1] SMP PTI [135.676332] CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3 [135.676610] Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014 [135.676909] Workqueue: events memcg_event_remove [135.677192] RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190 [135.677825] RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202 [135.678186] RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001 [135.678548] RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001 [135.678912] RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010 [135.679287] R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880 [135.679670] R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000 [135.680066] FS: 0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000 [135.680475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [135.680894] CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0 [135.681325] Call Trace: [135.681763]� memcg_event_remove+0x32/0x90 [135.682209]� process_one_work+0x172/0x380 [135.682657]� worker_thread+0x49/0x3f0 [135.683111]� kthread+0xf8/0x130 [135.683570]� ? max_active_store+0x80/0x80 [135.684034]� ? kthread_bind+0x10/0x10 [135.684506]� ret_from_fork+0x35/0x40 [135.689733] CR2: 0000000000000004 We can reproduce this problem in the following ways: 1. We create a new cgroup subdirectory and a new eventfd, and then we monitor multiple memory thresholds of the cgroup through this eventfd. 2. closing this eventfd, and __mem_cgroup_usage_unregister_event () will be called multiple times to delete all events related to this eventfd. The first time __mem_cgroup_usage_unregister_event() is called, the kernel will clear all items related to this eventfd in thresholds-> primary.Since there is currently only one eventfd, thresholds-> primary becomes empty, so the kernel will set thresholds-> primary and hresholds-> spare to NULL. If at this time, the user creates a new eventfd and monitor the memory threshold of this cgroup, kernel will re-initialize thresholds-> primary. Then when __mem_cgroup_usage_unregister_event () is called for the second time, because thresholds-> primary is not empty, the system will access thresholds-> spare, but thresholds-> spare is NULL, which will trigger a crash. In general, the longer it takes to delete all events related to this eventfd, the easier it is to trigger this problem. The solution is to check whether the thresholds associated with the eventfd has been cleared when deleting the event. If so, we do nothing. [akpm(a)linux-foundation.org: fix comment, per Kirill] Link: http://lkml.kernel.org/r/077a6f67-aefa-4591-efec-f2f3af2b0b02@gmail.com Fixes: 907860ed381a ("cgroups: make cftype.unregister_event() void-returning") Signed-off-by: Chunguang Xu <brookxu(a)tencent.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Vladimir Davydov <vdavydov.dev(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/mm/memcontrol.c~memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event +++ a/mm/memcontrol.c @@ -4027,7 +4027,7 @@ static void __mem_cgroup_usage_unregiste struct mem_cgroup_thresholds *thresholds; struct mem_cgroup_threshold_ary *new; unsigned long usage; - int i, j, size; + int i, j, size, entries; mutex_lock(&memcg->thresholds_lock); @@ -4047,14 +4047,20 @@ static void __mem_cgroup_usage_unregiste __mem_cgroup_threshold(memcg, type == _MEMSWAP); /* Calculate new number of threshold */ - size = 0; + size = entries = 0; for (i = 0; i < thresholds->primary->size; i++) { if (thresholds->primary->entries[i].eventfd != eventfd) size++; + else + entries++; } new = thresholds->spare; + /* If no items related to eventfd have been cleared, nothing to do */ + if (!entries) + goto unlock; + /* Set thresholds array to NULL if we don't have thresholds */ if (!size) { kfree(new); _

5 years, 7 months

1
0
0 0

[PATCHv2] exec: Fix a deadlock in ptrace

by Bernd Edlinger

This fixes a deadlock in the tracer when tracing a multi-threaded application that calls execve while more than one thread are running. I observed that when running strace on the gcc test suite, it always blocks after a while, when expect calls execve, because other threads have to be terminated. They send ptrace events, but the strace is no longer able to respond, since it is blocked in vm_access. The deadlock is always happening when strace needs to access the tracees process mmap, while another thread in the tracee starts to execve a child process, but that cannot continue until the PTRACE_EVENT_EXIT is handled and the WIFEXITED event is received: strace D 0 30614 30584 0x00000000 Call Trace: __schedule+0x3ce/0x6e0 schedule+0x5c/0xd0 schedule_preempt_disabled+0x15/0x20 __mutex_lock.isra.13+0x1ec/0x520 __mutex_lock_killable_slowpath+0x13/0x20 mutex_lock_killable+0x28/0x30 mm_access+0x27/0xa0 process_vm_rw_core.isra.3+0xff/0x550 process_vm_rw+0xdd/0xf0 __x64_sys_process_vm_readv+0x31/0x40 do_syscall_64+0x64/0x220 entry_SYSCALL_64_after_hwframe+0x44/0xa9 expect D 0 31933 30876 0x80004003 Call Trace: __schedule+0x3ce/0x6e0 schedule+0x5c/0xd0 flush_old_exec+0xc4/0x770 load_elf_binary+0x35a/0x16c0 search_binary_handler+0x97/0x1d0 __do_execve_file.isra.40+0x5d4/0x8a0 __x64_sys_execve+0x49/0x60 do_syscall_64+0x64/0x220 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The proposed solution is to have a second mutex that is used in mm_access, so it is allowed to continue while the dying threads are not yet terminated. I also took the opportunity to improve the documentation of prepare_creds, which is obviously out of sync. Signed-off-by: Bernd Edlinger <bernd.edlinger(a)hotmail.de> --- Documentation/security/credentials.rst | 18 ++++++------ fs/exec.c | 9 ++++++ include/linux/binfmts.h | 6 +++- include/linux/sched/signal.h | 1 + init/init_task.c | 1 + kernel/cred.c | 2 +- kernel/fork.c | 5 ++-- mm/process_vm_access.c | 2 +- tools/testing/selftests/ptrace/Makefile | 4 +-- tools/testing/selftests/ptrace/vmaccess.c | 46 +++++++++++++++++++++++++++++++ 10 files changed, 79 insertions(+), 15 deletions(-) create mode 100644 tools/testing/selftests/ptrace/vmaccess.c v2: adds a test case which passes when this patch is applied. diff --git a/Documentation/security/credentials.rst b/Documentation/security/credentials.rst index 282e79f..c98e0a8 100644 --- a/Documentation/security/credentials.rst +++ b/Documentation/security/credentials.rst @@ -437,9 +437,13 @@ new set of credentials by calling:: struct cred *prepare_creds(void); -this locks current->cred_replace_mutex and then allocates and constructs a -duplicate of the current process's credentials, returning with the mutex still -held if successful. It returns NULL if not successful (out of memory). +this allocates and constructs a duplicate of the current process's credentials. +It returns NULL if not successful (out of memory). + +If called from __do_execve_file, the mutex current->signal->cred_guard_mutex +is acquired before this function gets called, and the mutex +current->signal->cred_change_mutex is acquired later, while the credentials +and the process mmap are actually changed. The mutex prevents ``ptrace()`` from altering the ptrace state of a process while security checks on credentials construction and changing is taking place @@ -466,9 +470,8 @@ by calling:: This will alter various aspects of the credentials and the process, giving the LSM a chance to do likewise, then it will use ``rcu_assign_pointer()`` to -actually commit the new credentials to ``current->cred``, it will release -``current->cred_replace_mutex`` to allow ``ptrace()`` to take place, and it -will notify the scheduler and others of the changes. +actually commit the new credentials to ``current->cred``, and it will notify +the scheduler and others of the changes. This function is guaranteed to return 0, so that it can be tail-called at the end of such functions as ``sys_setresuid()``. @@ -486,8 +489,7 @@ invoked:: void abort_creds(struct cred *new); -This releases the lock on ``current->cred_replace_mutex`` that -``prepare_creds()`` got and then releases the new credentials. +This releases the new credentials. A typical credentials alteration function would look something like this:: diff --git a/fs/exec.c b/fs/exec.c index 74d88da..a6884e4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1266,6 +1266,12 @@ int flush_old_exec(struct linux_binprm * bprm) if (retval) goto out; + retval = mutex_lock_killable(&current->signal->cred_change_mutex); + if (retval) + goto out; + + bprm->called_flush_old_exec = 1; + /* * Must be called _before_ exec_mmap() as bprm->mm is * not visibile until then. This also enables the update @@ -1420,6 +1426,8 @@ static void free_bprm(struct linux_binprm *bprm) { free_arg_pages(bprm); if (bprm->cred) { + if (bprm->called_flush_old_exec) + mutex_unlock(&current->signal->cred_change_mutex); mutex_unlock(&current->signal->cred_guard_mutex); abort_creds(bprm->cred); } @@ -1469,6 +1477,7 @@ void install_exec_creds(struct linux_binprm *bprm) * credentials; any time after this it may be unlocked. */ security_bprm_committed_creds(bprm); + mutex_unlock(&current->signal->cred_change_mutex); mutex_unlock(&current->signal->cred_guard_mutex); } EXPORT_SYMBOL(install_exec_creds); diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index b40fc63..2e1318b 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -44,7 +44,11 @@ struct linux_binprm { * exec has happened. Used to sanitize execution environment * and to set AT_SECURE auxv for glibc. */ - secureexec:1; + secureexec:1, + /* + * Set by flush_old_exec, when the cred_change_mutex is taken. + */ + called_flush_old_exec:1; #ifdef __alpha__ unsigned int taso:1; #endif diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 8805025..37eeabe 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h @@ -225,6 +225,7 @@ struct signal_struct { struct mutex cred_guard_mutex; /* guard against foreign influences on * credential calculations * (notably. ptrace) */ + struct mutex cred_change_mutex; /* guard against credentials change */ } __randomize_layout; /* diff --git a/init/init_task.c b/init/init_task.c index 9e5cbe5..6cd9a0f 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -26,6 +26,7 @@ .multiprocess = HLIST_HEAD_INIT, .rlim = INIT_RLIMITS, .cred_guard_mutex = __MUTEX_INITIALIZER(init_signals.cred_guard_mutex), + .cred_change_mutex = __MUTEX_INITIALIZER(init_signals.cred_change_mutex), #ifdef CONFIG_POSIX_TIMERS .posix_timers = LIST_HEAD_INIT(init_signals.posix_timers), .cputimer = { diff --git a/kernel/cred.c b/kernel/cred.c index 809a985..e4c78de 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -676,7 +676,7 @@ void __init cred_init(void) * * Returns the new credentials or NULL if out of memory. * - * Does not take, and does not return holding current->cred_replace_mutex. + * Does not take, and does not return holding ->cred_guard_mutex. */ struct cred *prepare_kernel_cred(struct task_struct *daemon) { diff --git a/kernel/fork.c b/kernel/fork.c index 0808095..0395154 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1224,7 +1224,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) struct mm_struct *mm; int err; - err = mutex_lock_killable(&task->signal->cred_guard_mutex); + err = mutex_lock_killable(&task->signal->cred_change_mutex); if (err) return ERR_PTR(err); @@ -1234,7 +1234,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) mmput(mm); mm = ERR_PTR(-EACCES); } - mutex_unlock(&task->signal->cred_guard_mutex); + mutex_unlock(&task->signal->cred_change_mutex); return mm; } @@ -1594,6 +1594,7 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) sig->oom_score_adj_min = current->signal->oom_score_adj_min; mutex_init(&sig->cred_guard_mutex); + mutex_init(&sig->cred_change_mutex); return 0; } diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c index 357aa7b..b3e6eb5 100644 --- a/mm/process_vm_access.c +++ b/mm/process_vm_access.c @@ -204,7 +204,7 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter, if (!mm || IS_ERR(mm)) { rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; /* - * Explicitly map EACCES to EPERM as EPERM is a more a + * Explicitly map EACCES to EPERM as EPERM is a more * appropriate error code for process_vw_readv/writev */ if (rc == -EACCES) diff --git a/tools/testing/selftests/ptrace/Makefile b/tools/testing/selftests/ptrace/Makefile index c0b7f89..2f1f532 100644 --- a/tools/testing/selftests/ptrace/Makefile +++ b/tools/testing/selftests/ptrace/Makefile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: GPL-2.0-only -CFLAGS += -iquote../../../../include/uapi -Wall +CFLAGS += -std=c99 -pthread -iquote../../../../include/uapi -Wall -TEST_GEN_PROGS := get_syscall_info peeksiginfo +TEST_GEN_PROGS := get_syscall_info peeksiginfo vmaccess include ../lib.mk diff --git a/tools/testing/selftests/ptrace/vmaccess.c b/tools/testing/selftests/ptrace/vmaccess.c new file mode 100644 index 0000000..ef08c9f --- /dev/null +++ b/tools/testing/selftests/ptrace/vmaccess.c @@ -0,0 +1,46 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (c) 2020 Bernd Edlinger <bernd.edlinger(a)hotmail.de> + * All rights reserved. + * + * Check whether /proc/$pid/mem can be accessed without causing deadlocks + * when de_thread is blocked with ->cred_guard_mutex held. + */ + +#include "../kselftest_harness.h" +#include <stdio.h> +#include <fcntl.h> +#include <pthread.h> +#include <signal.h> +#include <unistd.h> +#include <sys/ptrace.h> + +static void *thread(void *arg) +{ + ptrace(PTRACE_TRACEME, 0, 0, 0); + return NULL; +} + +TEST(vmaccess) +{ + int f, pid = fork(); + char mm[64]; + + if (!pid) { + pthread_t pt; + pthread_create(&pt, NULL, thread, NULL); + pthread_join(pt, NULL); + execlp("true", "true", NULL); + } + + sleep(1); + sprintf(mm, "/proc/%d/mem", pid); + f = open(mm, O_RDONLY); + ASSERT_LE(0, f) + close(f); + /* this is not fixed! ptrace(PTRACE_ATTACH, pid, 0,0); */ + f = kill(pid, SIGCONT); + ASSERT_EQ(0, f); +} + +TEST_HARNESS_MAIN -- 1.9.1

5 years, 7 months

10
186
0 0

[nacked] mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/hugetlb.c: fix an address exception caused by huge_pte_offset() has been removed from the -mm tree. Its filename was mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch This patch was dropped because it was nacked ------------------------------------------------------ From: Longpeng <longpeng2(a)huawei.com> Subject: mm/hugetlb.c: fix an address exception caused by huge_pte_offset() Our machine encountered a panic(addressing exception) after running for a long time. The calltrace is: RIP: 0010:[<ffffffff9dff0587>] [<ffffffff9dff0587>] hugetlb_fault+0x307/0xbe0 RSP: 0018:ffff9567fc27f808 EFLAGS: 00010286 RAX: e800c03ff1258d48 RBX: ffffd3bb003b69c0 RCX: e800c03ff1258d48 RDX: 17ff3fc00eda72b7 RSI: 00003ffffffff000 RDI: e800c03ff1258d48 RBP: ffff9567fc27f8c8 R08: e800c03ff1258d48 R09: 0000000000000080 R10: ffffaba0704c22a8 R11: 0000000000000001 R12: ffff95c87b4b60d8 R13: 00005fff00000000 R14: 0000000000000000 R15: ffff9567face8074 FS: 00007fe2d9ffb700(0000) GS:ffff956900e40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffd3bb003b69c0 CR3: 000000be67374000 CR4: 00000000003627e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [<ffffffff9df9b71b>] ? unlock_page+0x2b/0x30 [<ffffffff9dff04a2>] ? hugetlb_fault+0x222/0xbe0 [<ffffffff9dff1405>] follow_hugetlb_page+0x175/0x540 [<ffffffff9e15b825>] ? cpumask_next_and+0x35/0x50 [<ffffffff9dfc7230>] __get_user_pages+0x2a0/0x7e0 [<ffffffff9dfc648d>] __get_user_pages_unlocked+0x15d/0x210 [<ffffffffc068cfc5>] __gfn_to_pfn_memslot+0x3c5/0x460 [kvm] [<ffffffffc06b28be>] try_async_pf+0x6e/0x2a0 [kvm] [<ffffffffc06b4b41>] tdp_page_fault+0x151/0x2d0 [kvm] [<ffffffffc075731c>] ? vmx_vcpu_run+0x2ec/0xc80 [kvm_intel] [<ffffffffc0757328>] ? vmx_vcpu_run+0x2f8/0xc80 [kvm_intel] [<ffffffffc06abc11>] kvm_mmu_page_fault+0x31/0x140 [kvm] [<ffffffffc074d1ae>] handle_ept_violation+0x9e/0x170 [kvm_intel] [<ffffffffc075579c>] vmx_handle_exit+0x2bc/0xc70 [kvm_intel] [<ffffffffc074f1a0>] ? __vmx_complete_interrupts.part.73+0x80/0xd0 [kvm_intel] [<ffffffffc07574c0>] ? vmx_vcpu_run+0x490/0xc80 [kvm_intel] [<ffffffffc069f3be>] vcpu_enter_guest+0x7be/0x13a0 [kvm] [<ffffffffc06cf53e>] ? kvm_check_async_pf_completion+0x8e/0xb0 [kvm] [<ffffffffc06a6f90>] kvm_arch_vcpu_ioctl_run+0x330/0x490 [kvm] [<ffffffffc068d919>] kvm_vcpu_ioctl+0x309/0x6d0 [kvm] [<ffffffff9deaa8c2>] ? dequeue_signal+0x32/0x180 [<ffffffff9deae34d>] ? do_sigtimedwait+0xcd/0x230 [<ffffffff9e03aed0>] do_vfs_ioctl+0x3f0/0x540 [<ffffffff9e03b0c1>] SyS_ioctl+0xa1/0xc0 [<ffffffff9e53879b>] system_call_fastpath+0x22/0x27 The kernel we used is older, but we think the latest kernel also has this bug after digging into this problem. For 1G hugepages, huge_pte_offset() wants to return NULL or pudp, but it may return a wrong 'pmdp' if there is a race. Please look at the following code snippet: ... pud = pud_offset(p4d, addr); if (sz != PUD_SIZE && pud_none(*pud)) return NULL; /* hugepage or swap? */ if (pud_huge(*pud) || !pud_present(*pud)) return (pte_t *)pud; pmd = pmd_offset(pud, addr); if (sz != PMD_SIZE && pmd_none(*pmd)) return NULL; /* hugepage or swap? */ if (pmd_huge(*pmd) || !pmd_present(*pmd)) return (pte_t *)pmd; ... The following sequence would trigger this bug: 1. CPU0: sz = PUD_SIZE and *pud = 0 , continue 1. CPU0: "pud_huge(*pud)" is false 2. CPU1: calling hugetlb_no_page and set *pud to xxxx8e7(PRESENT) 3. CPU0: "!pud_present(*pud)" is false, continue 4. CPU0: pmd = pmd_offset(pud, addr) and maybe return a wrong pmdp However, we want CPU0 to return NULL or pudp. We can avoid this race by reading the pud only once. What's more, we also use READ_ONCE to access the entries for safety (i.e. avoid the compilier mischief) Link: http://lkml.kernel.org/r/1582342427-230392-1-git-send-email-longpeng2@huawe… Signed-off-by: Longpeng <longpeng2(a)huawei.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Mike Kravetz <mike.kravetz(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset +++ a/mm/hugetlb.c @@ -4910,28 +4910,30 @@ pte_t *huge_pte_offset(struct mm_struct { pgd_t *pgd; p4d_t *p4d; - pud_t *pud; - pmd_t *pmd; + pud_t *pud, pud_entry; + pmd_t *pmd, pmd_entry; pgd = pgd_offset(mm, addr); - if (!pgd_present(*pgd)) + if (!pgd_present(READ_ONCE(*pgd))) return NULL; p4d = p4d_offset(pgd, addr); - if (!p4d_present(*p4d)) + if (!p4d_present(READ_ONCE(*p4d))) return NULL; pud = pud_offset(p4d, addr); - if (sz != PUD_SIZE && pud_none(*pud)) + pud_entry = READ_ONCE(*pud); + if (sz != PUD_SIZE && pud_none(pud_entry)) return NULL; /* hugepage or swap? */ - if (pud_huge(*pud) || !pud_present(*pud)) + if (pud_huge(pud_entry) || !pud_present(pud_entry)) return (pte_t *)pud; pmd = pmd_offset(pud, addr); - if (sz != PMD_SIZE && pmd_none(*pmd)) + pmd_entry = READ_ONCE(*pmd); + if (sz != PMD_SIZE && pmd_none(pmd_entry)) return NULL; /* hugepage or swap? */ - if (pmd_huge(*pmd) || !pmd_present(*pmd)) + if (pmd_huge(pmd_entry) || !pmd_present(pmd_entry)) return (pte_t *)pmd; return NULL; _ Patches currently in -mm which might be from longpeng2(a)huawei.com are

5 years, 7 months

1
0
0 0

Re: [PATCH v2] mm/hugetlb: fix a addressing exception caused by huge_pte_offset()

by Qian Cai

> On Feb 21, 2020, at 10:34 PM, Longpeng(Mike) <longpeng2(a)huawei.com> wrote: > > diff --git a/mm/hugetlb.c b/mm/hugetlb.c > index dd8737a..90daf37 100644 > --- a/mm/hugetlb.c > +++ b/mm/hugetlb.c > @@ -4910,28 +4910,30 @@ pte_t *huge_pte_offset(struct mm_struct *mm, > { > pgd_t *pgd; > p4d_t *p4d; > - pud_t *pud; > - pmd_t *pmd; > + pud_t *pud, pud_entry; > + pmd_t *pmd, pmd_entry; > > pgd = pgd_offset(mm, addr); > - if (!pgd_present(*pgd)) > + if (!pgd_present(READ_ONCE(*pgd))) > return NULL; > p4d = p4d_offset(pgd, addr); > - if (!p4d_present(*p4d)) > + if (!p4d_present(READ_ONCE(*p4d))) > return NULL; What’s the point of READ_ONCE() on those two places?

5 years, 7 months

5
6
0 0

Handling of patches missing in stable releases based on Fixes: tags

by Guenter Roeck

Hi, we now have a script that identifies patches in stable releases which were later fixed upstream, but the fix was not applied to the respective stable releases. We identify such patches based on Fixes: tags in the upstream kernel. Example: Upstream commit c54c7374ff4 ("drm/dp_mst: Skip validating ports during destruction, just ref") was applied to v4.4.y as commit 05d994f68019. It was later reverted upstream with commit 9765635b307, but the revert has (at least not yet) found its way into v4.4.y. This is an easy example, where the revert should (or at least I think it should) be applied to v4.4.y (and possibly to later kernels - I didn't check). A more tricky patch is commit 3ef240eaff36 ("futex: Prevent exit livelock") in v5.4.y, which was later fixed upstream with commit 51bfb1d11d6 ("futex: Fix kernel-doc notation warning"). I am not entirely sure what to do with that, given that it only fixes documentation (though that may of course also be valuable). How should we handle this ? Would it be ok to send half-automated requests to the stable mailing list, for example with basic test results ? Thanks, Guenter

5 years, 7 months

2
1
0 0

[PATCH 5.4 00/60] 5.4.27-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.27 release. There are 60 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 21 Mar 2020 12:37:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.27-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.27-rc1 Matteo Croce <mcroce(a)redhat.com> ipv4: ensure rcu_read_lock() in cipso_v4_error() Ard Biesheuvel <ardb(a)kernel.org> ARM: 8961/2: Fix Kbuild issue caused by per-task stack protector GCC plugin Tony Fischetti <tony.fischetti(a)gmail.com> HID: add ALWAYS_POLL quirk to lenovo pixart mouse Chen-Tsung Hsieh <chentsung(a)chromium.org> HID: google: add moonball USB id Jann Horn <jannh(a)google.com> mm: slub: add missing TID bump in kmem_cache_alloc_bulk() Kees Cook <keescook(a)chromium.org> ARM: 8958/1: rename missed uaccess .fixup section Florian Fainelli <f.fainelli(a)gmail.com> ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional() Carl Huang <cjhuang(a)codeaurora.org> net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue Ming Lei <ming.lei(a)redhat.com> blk-mq: insert flush request to the front of dispatch queue Qian Cai <cai(a)lca.pw> jbd2: fix data races at struct journal_head Alex Maftei (amaftei) <amaftei(a)solarflare.com> sfc: fix timestamp reconstruction at 16-bit rollover points Taehee Yoo <ap420073(a)gmail.com> net: rmnet: fix packet forwarding in rmnet bridge mode Taehee Yoo <ap420073(a)gmail.com> net: rmnet: fix bridge mode bugs Taehee Yoo <ap420073(a)gmail.com> net: rmnet: use upper/lower device infrastructure Taehee Yoo <ap420073(a)gmail.com> net: rmnet: do not allow to change mux id if mux id is duplicated Taehee Yoo <ap420073(a)gmail.com> net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() Taehee Yoo <ap420073(a)gmail.com> net: rmnet: fix suspicious RCU usage Taehee Yoo <ap420073(a)gmail.com> net: rmnet: fix NULL pointer dereference in rmnet_changelink() Taehee Yoo <ap420073(a)gmail.com> net: rmnet: fix NULL pointer dereference in rmnet_newlink() Luo bin <luobin9(a)huawei.com> hinic: fix a bug of rss configuration Luo bin <luobin9(a)huawei.com> hinic: fix a bug of setting hw_ioctxt Luo bin <luobin9(a)huawei.com> hinic: fix a irq affinity bug Antoine Tenart <antoine.tenart(a)bootlin.com> net: phy: mscc: fix firmware paths yangerkun <yangerkun(a)huawei.com> slip: not call free_netdev before rtnl_unlock in slip_open Linus Torvalds <torvalds(a)linux-foundation.org> signal: avoid double atomic counter increments for user accounting Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add dt_binding_check to PHONY in a correct place Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add dtbs_check to PHONY Monk Liu <Monk.Liu(a)amd.com> drm/amdgpu: fix memory leak during TDR test(v2) Ming Lei <ming.lei(a)redhat.com> blk-mq: insert passthrough request into hctx->dispatch directly Esben Haabendal <esben(a)geanix.com> net: ll_temac: Handle DMA halt condition caused by buffer underrun Esben Haabendal <esben(a)geanix.com> net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure Esben Haabendal <esben(a)geanix.com> net: ll_temac: Add more error handling of dma_map_single() calls Esben Haabendal <esben(a)geanix.com> net: ll_temac: Fix race condition causing TX hang Madhuparna Bhowmik <madhuparnabhowmik10(a)gmail.com> mac80211: rx: avoid RCU list traversal under mutex Marek Vasut <marex(a)denx.de> net: ks8851-ml: Fix IRQ handling and locking Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch Igor Druzhinin <igor.druzhinin(a)citrix.com> scsi: libfc: free response frame from GPN_ID Johannes Berg <johannes.berg(a)intel.com> cfg80211: check reg_rule for NULL in handle_channel_custom() Tom Zanussi <zanussi(a)kernel.org> tracing: Fix number printing bug in print_synth_event() Michael Ellerman <mpe(a)ellerman.id.au> selftests/rseq: Fix out-of-tree compilation Nathan Chancellor <natechancellor(a)gmail.com> MIPS: vdso: Wrap -mexplicit-relocs in cc-option Hanno Zulla <kontakt(a)hanno.de> HID: hid-bigbenff: fix race condition for scheduled work during removal Hanno Zulla <kontakt(a)hanno.de> HID: hid-bigbenff: call hid_hw_stop() in case of error Hanno Zulla <kontakt(a)hanno.de> HID: hid-bigbenff: fix general protection fault caused by double kfree Victor Kamensky <kamensky(a)cisco.com> mips: vdso: add build time check that no 'jalr t9' calls left Paul Burton <paulburton(a)kernel.org> MIPS: Disable VDSO time functionality on microMIPS Victor Kamensky <kamensky(a)cisco.com> mips: vdso: fix 'jalr t9' crash in vdso code Kai-Heng Feng <kai.heng.feng(a)canonical.com> HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override Mika Westerberg <mika.westerberg(a)linux.intel.com> ACPI: watchdog: Set default timeout in probe Mansour Behabadi <mansour(a)oxplot.com> HID: apple: Add support for recent firmware on Magic Keyboards Jean Delvare <jdelvare(a)suse.de> ACPI: watchdog: Allow disabling WDAT at boot Ulf Hansson <ulf.hansson(a)linaro.org> mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard Ulf Hansson <ulf.hansson(a)linaro.org> mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command Ulf Hansson <ulf.hansson(a)linaro.org> mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY Ulf Hansson <ulf.hansson(a)linaro.org> mmc: sdhci-tegra: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY Ulf Hansson <ulf.hansson(a)linaro.org> mmc: core: Allow host controllers to require R1B for CMD6 Ulf Hansson <ulf.hansson(a)linaro.org> mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() Felix Kuehling <Felix.Kuehling(a)amd.com> drm/amdgpu: Fix TLB invalidation request when using semaphore Cong Wang <xiyou.wangcong(a)gmail.com> netfilter: xt_hashlimit: unregister proc file before releasing mutex Florian Westphal <fw(a)strlen.de> netfilter: hashlimit: do not use indirect calls during gc ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 4 + Makefile | 7 +- arch/arm/Makefile | 4 +- arch/arm/boot/compressed/Makefile | 4 +- arch/arm/kernel/vdso.c | 2 + arch/arm/lib/copy_from_user.S | 2 +- arch/mips/vdso/Makefile | 28 ++- block/blk-flush.c | 2 +- block/blk-mq-sched.c | 44 ++++- block/blk-mq.c | 18 +- block/blk-mq.h | 3 +- drivers/acpi/acpi_watchdog.c | 12 +- drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 5 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 8 +- drivers/gpu/drm/amd/powerplay/smu_v11_0.c | 6 +- drivers/hid/hid-apple.c | 3 +- drivers/hid/hid-bigbenff.c | 31 ++- drivers/hid/hid-google-hammer.c | 2 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-quirks.c | 1 + drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 + drivers/mmc/core/core.c | 5 +- drivers/mmc/core/mmc.c | 7 +- drivers/mmc/core/mmc_ops.c | 27 ++- drivers/mmc/host/sdhci-omap.c | 3 + drivers/mmc/host/sdhci-tegra.c | 3 + drivers/net/ethernet/huawei/hinic/hinic_hw_dev.c | 1 + drivers/net/ethernet/huawei/hinic/hinic_hw_dev.h | 2 +- drivers/net/ethernet/huawei/hinic/hinic_hw_if.h | 1 + drivers/net/ethernet/huawei/hinic/hinic_hw_qp.h | 1 + drivers/net/ethernet/huawei/hinic/hinic_main.c | 3 +- drivers/net/ethernet/huawei/hinic/hinic_rx.c | 5 +- drivers/net/ethernet/micrel/ks8851_mll.c | 14 +- drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 186 +++++++++--------- drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h | 3 +- .../net/ethernet/qualcomm/rmnet/rmnet_handlers.c | 7 +- drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c | 8 - drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.h | 1 - drivers/net/ethernet/sfc/ptp.c | 38 +++- drivers/net/ethernet/xilinx/ll_temac.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 209 +++++++++++++++++---- drivers/net/phy/mscc.c | 4 +- drivers/net/slip/slip.c | 3 + drivers/net/usb/qmi_wwan.c | 3 + drivers/scsi/libfc/fc_disc.c | 2 + drivers/watchdog/wdat_wdt.c | 23 +++ fs/jbd2/transaction.c | 8 +- include/linux/mmc/host.h | 1 + kernel/signal.c | 23 ++- kernel/trace/trace_events_hist.c | 32 +++- mm/slub.c | 9 + net/ipv4/cipso_ipv4.c | 7 +- net/mac80211/rx.c | 2 +- net/netfilter/xt_hashlimit.c | 36 +--- net/qrtr/qrtr.c | 2 +- net/wireless/reg.c | 2 +- tools/testing/selftests/rseq/Makefile | 2 +- 57 files changed, 615 insertions(+), 268 deletions(-)

5 years, 7 months

3
67
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror