Merge pull request #1 from torvalds/master #140

sumanta23 · 2014-11-27T16:31:07Z

adding new changes

Starting with commit 0b52297 ("reset: Add support for shared reset controls") there is a reference count for reset control assertions. The goal is to allow resets to be shared by multiple devices and an assert will take effect only when all instances have asserted the reset. In order to preserve backwards-compatibility, all reset controls become exclusive by default. This is to ensure that reset_control_assert() can immediately assert in hardware. However, this new behaviour triggers the following warning in the EHCI driver for Tegra: [ 3.365019] ------------[ cut here ]------------ [ 3.369639] WARNING: CPU: 0 PID: 1 at drivers/reset/core.c:187 __of_reset_control_get+0x16c/0x23c [ 3.382151] Modules linked in: [ 3.385214] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-next-20160503 torvalds#140 [ 3.392769] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) [ 3.399046] [<c010fa50>] (unwind_backtrace) from [<c010b120>] (show_stack+0x10/0x14) [ 3.406787] [<c010b120>] (show_stack) from [<c0347dcc>] (dump_stack+0x90/0xa4) [ 3.414007] [<c0347dcc>] (dump_stack) from [<c011f4fc>] (__warn+0xe8/0x100) [ 3.420964] [<c011f4fc>] (__warn) from [<c011f5c4>] (warn_slowpath_null+0x20/0x28) [ 3.428525] [<c011f5c4>] (warn_slowpath_null) from [<c03cc8cc>] (__of_reset_control_get+0x16c/0x23c) [ 3.437648] [<c03cc8cc>] (__of_reset_control_get) from [<c0526858>] (tegra_ehci_probe+0x394/0x518) [ 3.446600] [<c0526858>] (tegra_ehci_probe) from [<c04516d8>] (platform_drv_probe+0x4c/0xb0) [ 3.455029] [<c04516d8>] (platform_drv_probe) from [<c044fe78>] (driver_probe_device+0x1ec/0x330) [ 3.463892] [<c044fe78>] (driver_probe_device) from [<c0450074>] (__driver_attach+0xb8/0xbc) [ 3.472320] [<c0450074>] (__driver_attach) from [<c044e1ec>] (bus_for_each_dev+0x68/0x9c) [ 3.480489] [<c044e1ec>] (bus_for_each_dev) from [<c044f338>] (bus_add_driver+0x1a0/0x218) [ 3.488743] [<c044f338>] (bus_add_driver) from [<c0450768>] (driver_register+0x78/0xf8) [ 3.496738] [<c0450768>] (driver_register) from [<c010178c>] (do_one_initcall+0x40/0x170) [ 3.504909] [<c010178c>] (do_one_initcall) from [<c0c00ddc>] (kernel_init_freeable+0x158/0x1f8) [ 3.513600] [<c0c00ddc>] (kernel_init_freeable) from [<c0810784>] (kernel_init+0x8/0x114) [ 3.521770] [<c0810784>] (kernel_init) from [<c0107778>] (ret_from_fork+0x14/0x3c) [ 3.529361] ---[ end trace 4bda87dbe4ecef8a ]--- The reason is that the EHCI implements three ports, each with a separate reset line. However the first port's reset also serves as a means to reset the UTMI pad for all ports. There is special code in the driver to assert and deassert this shared reset at probe time. It needs to do this regardless of which port is probed first. Unfortunately this means that if the first port is probed first, it will request its own reset line and subsequently request the same reset line again (temporarily) to perform the reset. This used to work fine before the above-mentioned commit, but now triggers the new WARN. Work around this by making sure we reuse the port's reset if it happens to be the same as the UTMI pad reset. Cc: Philipp Zabel <p.zabel@pengutronix.de> Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Thierry Reding <treding@nvidia.com>

Starting with commit 0b52297 ("reset: Add support for shared reset controls") there is a reference count for reset control assertions. The goal is to allow resets to be shared by multiple devices and an assert will take effect only when all instances have asserted the reset. In order to preserve backwards-compatibility, all reset controls become exclusive by default. This is to ensure that reset_control_assert() can immediately assert in hardware. However, this new behaviour triggers the following warning in the EHCI driver for Tegra: [ 3.365019] ------------[ cut here ]------------ [ 3.369639] WARNING: CPU: 0 PID: 1 at drivers/reset/core.c:187 __of_reset_control_get+0x16c/0x23c [ 3.382151] Modules linked in: [ 3.385214] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-next-20160503 torvalds#140 [ 3.392769] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) [ 3.399046] [<c010fa50>] (unwind_backtrace) from [<c010b120>] (show_stack+0x10/0x14) [ 3.406787] [<c010b120>] (show_stack) from [<c0347dcc>] (dump_stack+0x90/0xa4) [ 3.414007] [<c0347dcc>] (dump_stack) from [<c011f4fc>] (__warn+0xe8/0x100) [ 3.420964] [<c011f4fc>] (__warn) from [<c011f5c4>] (warn_slowpath_null+0x20/0x28) [ 3.428525] [<c011f5c4>] (warn_slowpath_null) from [<c03cc8cc>] (__of_reset_control_get+0x16c/0x23c) [ 3.437648] [<c03cc8cc>] (__of_reset_control_get) from [<c0526858>] (tegra_ehci_probe+0x394/0x518) [ 3.446600] [<c0526858>] (tegra_ehci_probe) from [<c04516d8>] (platform_drv_probe+0x4c/0xb0) [ 3.455029] [<c04516d8>] (platform_drv_probe) from [<c044fe78>] (driver_probe_device+0x1ec/0x330) [ 3.463892] [<c044fe78>] (driver_probe_device) from [<c0450074>] (__driver_attach+0xb8/0xbc) [ 3.472320] [<c0450074>] (__driver_attach) from [<c044e1ec>] (bus_for_each_dev+0x68/0x9c) [ 3.480489] [<c044e1ec>] (bus_for_each_dev) from [<c044f338>] (bus_add_driver+0x1a0/0x218) [ 3.488743] [<c044f338>] (bus_add_driver) from [<c0450768>] (driver_register+0x78/0xf8) [ 3.496738] [<c0450768>] (driver_register) from [<c010178c>] (do_one_initcall+0x40/0x170) [ 3.504909] [<c010178c>] (do_one_initcall) from [<c0c00ddc>] (kernel_init_freeable+0x158/0x1f8) [ 3.513600] [<c0c00ddc>] (kernel_init_freeable) from [<c0810784>] (kernel_init+0x8/0x114) [ 3.521770] [<c0810784>] (kernel_init) from [<c0107778>] (ret_from_fork+0x14/0x3c) [ 3.529361] ---[ end trace 4bda87dbe4ecef8a ]--- The reason is that Tegra SoCs have three EHCI controllers, each with a separate reset line. However the first controller contains UTMI pads configuration registers that are shared with its siblings and that are reset as part of the first controller's reset. There is special code in the driver to assert and deassert this shared reset at probe time, and it does so irrespective of which controller is probed first to ensure that these shared registers are reset before any of the controllers are initialized. Unfortunately this means that if the first controller gets probed first, it will request its own reset line and will subsequently request the same reset line again (temporarily) to perform the reset. This used to work fine before the above-mentioned commit, but now triggers the new WARN. Work around this by making sure we reuse the controller's reset if the controller happens to be the first controller. Cc: Philipp Zabel <p.zabel@pengutronix.de> Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Thierry Reding <treding@nvidia.com>

Starting with commit 0b52297 ("reset: Add support for shared reset controls") there is a reference count for reset control assertions. The goal is to allow resets to be shared by multiple devices and an assert will take effect only when all instances have asserted the reset. In order to preserve backwards-compatibility, all reset controls become exclusive by default. This is to ensure that reset_control_assert() can immediately assert in hardware. However, this new behaviour triggers the following warning in the EHCI driver for Tegra: [ 3.365019] ------------[ cut here ]------------ [ 3.369639] WARNING: CPU: 0 PID: 1 at drivers/reset/core.c:187 __of_reset_control_get+0x16c/0x23c [ 3.382151] Modules linked in: [ 3.385214] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-next-20160503 torvalds#140 [ 3.392769] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) [ 3.399046] [<c010fa50>] (unwind_backtrace) from [<c010b120>] (show_stack+0x10/0x14) [ 3.406787] [<c010b120>] (show_stack) from [<c0347dcc>] (dump_stack+0x90/0xa4) [ 3.414007] [<c0347dcc>] (dump_stack) from [<c011f4fc>] (__warn+0xe8/0x100) [ 3.420964] [<c011f4fc>] (__warn) from [<c011f5c4>] (warn_slowpath_null+0x20/0x28) [ 3.428525] [<c011f5c4>] (warn_slowpath_null) from [<c03cc8cc>] (__of_reset_control_get+0x16c/0x23c) [ 3.437648] [<c03cc8cc>] (__of_reset_control_get) from [<c0526858>] (tegra_ehci_probe+0x394/0x518) [ 3.446600] [<c0526858>] (tegra_ehci_probe) from [<c04516d8>] (platform_drv_probe+0x4c/0xb0) [ 3.455029] [<c04516d8>] (platform_drv_probe) from [<c044fe78>] (driver_probe_device+0x1ec/0x330) [ 3.463892] [<c044fe78>] (driver_probe_device) from [<c0450074>] (__driver_attach+0xb8/0xbc) [ 3.472320] [<c0450074>] (__driver_attach) from [<c044e1ec>] (bus_for_each_dev+0x68/0x9c) [ 3.480489] [<c044e1ec>] (bus_for_each_dev) from [<c044f338>] (bus_add_driver+0x1a0/0x218) [ 3.488743] [<c044f338>] (bus_add_driver) from [<c0450768>] (driver_register+0x78/0xf8) [ 3.496738] [<c0450768>] (driver_register) from [<c010178c>] (do_one_initcall+0x40/0x170) [ 3.504909] [<c010178c>] (do_one_initcall) from [<c0c00ddc>] (kernel_init_freeable+0x158/0x1f8) [ 3.513600] [<c0c00ddc>] (kernel_init_freeable) from [<c0810784>] (kernel_init+0x8/0x114) [ 3.521770] [<c0810784>] (kernel_init) from [<c0107778>] (ret_from_fork+0x14/0x3c) [ 3.529361] ---[ end trace 4bda87dbe4ecef8a ]--- The reason is that Tegra SoCs have three EHCI controllers, each with a separate reset line. However the first controller contains UTMI pads configuration registers that are shared with its siblings and that are reset as part of the first controller's reset. There is special code in the driver to assert and deassert this shared reset at probe time, and it does so irrespective of which controller is probed first to ensure that these shared registers are reset before any of the controllers are initialized. Unfortunately this means that if the first controller gets probed first, it will request its own reset line and will subsequently request the same reset line again (temporarily) to perform the reset. This used to work fine before the above-mentioned commit, but now triggers the new WARN. Work around this by making sure we reuse the controller's reset if the controller happens to be the first controller. Cc: Philipp Zabel <p.zabel@pengutronix.de> Cc: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Thierry Reding <treding@nvidia.com>

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Link: http://lkml.kernel.org/r/1471603265-31804-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

…erence KASAN allocates memory from the page allocator as part of kmem_cache_free(), and that can reference current->mempolicy through any number of allocation functions. It needs to be NULL'd out before the final reference is dropped to prevent a use-after-free bug: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140 ... Call Trace: dump_stack kasan_object_err kasan_report_error __asan_report_load2_noabort alloc_pages_current <-- use after free depot_save_stack save_stack kasan_slab_free kmem_cache_free __mpol_put <-- free do_exit This patch sets current->mempolicy to NULL before dropping the final reference. Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com Fixes: cd11016 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: David Rientjes <rientjes@google.com> Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> [4.6+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Link: http://lkml.kernel.org/r/1471603265-31804-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

…erence KASAN allocates memory from the page allocator as part of kmem_cache_free(), and that can reference current->mempolicy through any number of allocation functions. It needs to be NULL'd out before the final reference is dropped to prevent a use-after-free bug: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 ... Call Trace: dump_stack kasan_object_err kasan_report_error __asan_report_load2_noabort alloc_pages_current <-- use after free depot_save_stack save_stack kasan_slab_free kmem_cache_free __mpol_put <-- free do_exit This patch sets current->mempolicy to NULL before dropping the final reference. Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com Fixes: cd11016 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: David Rientjes <rientjes@google.com> Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> [4.6+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Link: http://lkml.kernel.org/r/1471603265-31804-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

…erence commit c11600e upstream. KASAN allocates memory from the page allocator as part of kmem_cache_free(), and that can reference current->mempolicy through any number of allocation functions. It needs to be NULL'd out before the final reference is dropped to prevent a use-after-free bug: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140 ... Call Trace: dump_stack kasan_object_err kasan_report_error __asan_report_load2_noabort alloc_pages_current <-- use after free depot_save_stack save_stack kasan_slab_free kmem_cache_free __mpol_put <-- free do_exit This patch sets current->mempolicy to NULL before dropping the final reference. Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com Fixes: cd11016 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: David Rientjes <rientjes@google.com> Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch adds clear interrupt to exynos4_mct_dying_cpu(). Without clearing, after turning on non boot cpu at wakeup from suspend to ram, not cleared tick interrupt occurs and it causes following null deference for MCT_INT_SPI type mct. [ 51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040 [ 51.257980] pgd = c0004000 [ 51.260666] [00000040] *pgd=00000000 [ 51.264222] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 51.269503] Modules linked in: [ 51.272541] CPU: 7 PID: 53 Comm: ksoftirqd/7 Tainted: G W 4.9.0-rc7-next-20161201-00007-g74076859ec44 torvalds#140 [ 51.283282] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [ 51.289348] task: ee942d00 task.stack: ee960000 [ 51.293861] PC is at tick_periodic+0x38/0xb0 [ 51.298102] LR is at tick_handle_periodic+0x1c/0x90 [ 51.302956] pc : [<c0183358>] lr : [<c01833ec>] psr: 20000093 [ 51.302956] sp : ee961e18 ip : f0806000 fp : 00000100 [ 51.314391] r10: c0c0ef6a r9 : 0000000b r8 : eebcf080 [ 51.319591] r7 : ee961e7c r6 : 00000000 r5 : 00000007 r4 : ef013ec0 [ 51.326090] r3 : 00000000 r2 : 2e4ac000 r1 : c09ae9a8 r0 : 00000007 [ 51.332591] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none [ 51.339781] Control: 10c5387d Table: 4000406a DAC: 00000051 [ 51.345501] Process ksoftirqd/7 (pid: 53, stack limit = 0xee960210) [ 51.351740] Stack: (0xee961e18 to 0xee962000) [ 51.356073] 1e00: ef014db0 c0c03dac [ 51.364222] 1e20: 00000000 ef013ec0 ee854100 00000000 ee961e7c 00000039 ee854100 c0c0ef6a [ 51.372367] 1e40: 00000100 c055bd44 ee852840 c0164a18 00000000 00000001 ee854100 ee854100 [ 51.380512] 1e60: c0c03f24 c0b6324c c0c02080 c0c02080 40000006 c0164ac4 00000000 00000000 [ 51.388658] 1e80: 00000100 ee854100 ee854160 c0164b38 ee854100 ee854160 c0c03f24 c0167e9c [ 51.396804] 1ea0: 00000039 c0c0cbac c0c0cbac c0b6324c c0c02080 c01675e0 c0c0cc5c c0c0cc60 [ 51.404949] 1ec0: 00000000 c011fd3c 00000000 00000006 c0c02098 ee960000 c0c02080 c011ff6c [ 51.413095] 1ee0: ee961f0c c06fb4a4 ee961ee c0c47f80 0000000a ffff9ed5 c0c03900 04208040 [ 51.421240] 1f00: c0c0a174 ee960000 ee867b00 00000007 00000001 c0c0a174 00000002 00000000 [ 51.429385] 1f20: 00000000 c01200b8 ee960000 c013a50c 00000000 ee867b80 ee867b00 c013a3b0 [ 51.437530] 1f40: 00000000 00000000 00000000 c0136cbc ffffffff 00000001 00000007 ee867b00 [ 51.445676] 1f60: 00000000 00270027 dead4ead ffffffff ffffffff ee961f74 ee961f74 00000000 [ 51.453822] 1f80: 00000000 dead4ead ffffffff ffffffff ee961f90 ee961f90 ee961fac ee867b80 [ 51.461967] 1fa0: c0136be0 00000000 00000000 c0107a78 00000000 00000000 00000000 00000000 [ 51.470112] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 51.478258] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff [ 51.486409] [<c0183358>] (tick_periodic) from [<ef013ec0>] (0xef013ec0) [ 51.492990] Code: ee1d2f90 e34c30b6 e8bd4070 e7923003 (e5933040) [ 51.499057] ---[ end trace 995703fe1bede0b4 ]--- Fixes: 56a94f1 ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier") Cc: stable@vger.kernel.org #v4.2+ #v4.1.4+ #3.18.18+ #v3.16.18+ #v3.12.46+ Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

This is to temporarily address torvalds#140 Level triggered polling on POLLOUT event will always return at once and burns out the CPU. This PR changes it to event triggered epoll so only when the buffer become unfull from full, the tx thread will be unblocked. Tested by LKL_HIJACK_NET_TAP=dev_tap3 LKL_HIJACK_NET_IP=192.168.20.2 LKL_HIJACK_NET_NETMASK_LEN=24 ./bin/lkl-hijack.sh sleep 300 Signed-off-by: Yuan Liu <liuyuan@google.com>

…uspend This patch adds clear interrupt to exynos4_mct_dying_cpu(). Without clearing, after turning on non boot cpu at wakeup from suspend to ram, not cleared tick interrupt occurs and it causes following null deference for MCT_INT_SPI type mct. [ 51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040 [ 51.257980] pgd = c0004000 [ 51.260666] [00000040] *pgd=00000000 [ 51.264222] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 51.269503] Modules linked in: [ 51.272541] CPU: 7 PID: 53 Comm: ksoftirqd/7 Tainted: G W 4.9.0-rc7-next-20161201-00007-g74076859ec44 torvalds#140 [ 51.283282] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [ 51.289348] task: ee942d00 task.stack: ee960000 [ 51.293861] PC is at tick_periodic+0x38/0xb0 [ 51.298102] LR is at tick_handle_periodic+0x1c/0x90 [ 51.302956] pc : [<c0183358>] lr : [<c01833ec>] psr: 20000093 [ 51.302956] sp : ee961e18 ip : f0806000 fp : 00000100 [ 51.314391] r10: c0c0ef6a r9 : 0000000b r8 : eebcf080 [ 51.319591] r7 : ee961e7c r6 : 00000000 r5 : 00000007 r4 : ef013ec0 [ 51.326090] r3 : 00000000 r2 : 2e4ac000 r1 : c09ae9a8 r0 : 00000007 [ 51.332591] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none [ 51.339781] Control: 10c5387d Table: 4000406a DAC: 00000051 [ 51.345501] Process ksoftirqd/7 (pid: 53, stack limit = 0xee960210) [ 51.351740] Stack: (0xee961e18 to 0xee962000) [ 51.356073] 1e00: ef014db0 c0c03dac [ 51.364222] 1e20: 00000000 ef013ec0 ee854100 00000000 ee961e7c 00000039 ee854100 c0c0ef6a [ 51.372367] 1e40: 00000100 c055bd44 ee852840 c0164a18 00000000 00000001 ee854100 ee854100 [ 51.380512] 1e60: c0c03f24 c0b6324c c0c02080 c0c02080 40000006 c0164ac4 00000000 00000000 [ 51.388658] 1e80: 00000100 ee854100 ee854160 c0164b38 ee854100 ee854160 c0c03f24 c0167e9c [ 51.396804] 1ea0: 00000039 c0c0cbac c0c0cbac c0b6324c c0c02080 c01675e0 c0c0cc5c c0c0cc60 [ 51.404949] 1ec0: 00000000 c011fd3c 00000000 00000006 c0c02098 ee960000 c0c02080 c011ff6c [ 51.413095] 1ee0: ee961f0c c06fb4a4 ee961ee c0c47f80 0000000a ffff9ed5 c0c03900 04208040 [ 51.421240] 1f00: c0c0a174 ee960000 ee867b00 00000007 00000001 c0c0a174 00000002 00000000 [ 51.429385] 1f20: 00000000 c01200b8 ee960000 c013a50c 00000000 ee867b80 ee867b00 c013a3b0 [ 51.437530] 1f40: 00000000 00000000 00000000 c0136cbc ffffffff 00000001 00000007 ee867b00 [ 51.445676] 1f60: 00000000 00270027 dead4ead ffffffff ffffffff ee961f74 ee961f74 00000000 [ 51.453822] 1f80: 00000000 dead4ead ffffffff ffffffff ee961f90 ee961f90 ee961fac ee867b80 [ 51.461967] 1fa0: c0136be0 00000000 00000000 c0107a78 00000000 00000000 00000000 00000000 [ 51.470112] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 51.478258] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff [ 51.486409] [<c0183358>] (tick_periodic) from [<ef013ec0>] (0xef013ec0) [ 51.492990] Code: ee1d2f90 e34c30b6 e8bd4070 e7923003 (e5933040) [ 51.499057] ---[ end trace 995703fe1bede0b4 ]--- Fixes: 56a94f1 ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier") Cc: stable@vger.kernel.org #v4.2+ #v4.1.4+ #3.18.18+ #v3.16.18+ #v3.12.46+ Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

ncsi_channel_monitor() misses stopping the channel monitor in several places that it should, causing a WARN_ON_ONCE() to trigger when the monitor is re-started later, eg: [ 459.040000] WARNING: CPU: 0 PID: 1093 at net/ncsi/ncsi-manage.c:269 ncsi_start_channel_monitor+0x7c/0x90 [ 459.040000] CPU: 0 PID: 1093 Comm: kworker/0:3 Not tainted 4.10.17-gaca2fdd #140 [ 459.040000] Hardware name: ASpeed SoC [ 459.040000] Workqueue: events ncsi_dev_work [ 459.040000] [<80010094>] (unwind_backtrace) from [<8000d950>] (show_stack+0x20/0x24) [ 459.040000] [<8000d950>] (show_stack) from [<801dbf70>] (dump_stack+0x20/0x28) [ 459.040000] [<801dbf70>] (dump_stack) from [<80018d7c>] (__warn+0xe0/0x108) [ 459.040000] [<80018d7c>] (__warn) from [<80018e70>] (warn_slowpath_null+0x30/0x38) [ 459.040000] [<80018e70>] (warn_slowpath_null) from [<803f6a08>] (ncsi_start_channel_monitor+0x7c/0x90) [ 459.040000] [<803f6a08>] (ncsi_start_channel_monitor) from [<803f7664>] (ncsi_configure_channel+0xdc/0x5fc) [ 459.040000] [<803f7664>] (ncsi_configure_channel) from [<803f8160>] (ncsi_dev_work+0xac/0x474) [ 459.040000] [<803f8160>] (ncsi_dev_work) from [<8002d244>] (process_one_work+0x1e0/0x450) [ 459.040000] [<8002d244>] (process_one_work) from [<8002d510>] (worker_thread+0x5c/0x570) [ 459.040000] [<8002d510>] (worker_thread) from [<80033614>] (kthread+0x124/0x164) [ 459.040000] [<80033614>] (kthread) from [<8000a5e8>] (ret_from_fork+0x14/0x2c) This also updates the monitor instead of just returning if ncsi_xmit_cmd() fails to send the get-link-status command so that the monitor properly times out. Fixes: e6f44ed "net/ncsi: Package and channel management" Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> Signed-off-by: David S. Miller <davem@davemloft.net>

ncsi_channel_monitor() misses stopping the channel monitor in several places that it should, causing a WARN_ON_ONCE() to trigger when the monitor is re-started later, eg: [ 459.040000] WARNING: CPU: 0 PID: 1093 at net/ncsi/ncsi-manage.c:269 ncsi_start_channel_monitor+0x7c/0x90 [ 459.040000] CPU: 0 PID: 1093 Comm: kworker/0:3 Not tainted 4.10.17-gaca2fdd torvalds#140 [ 459.040000] Hardware name: ASpeed SoC [ 459.040000] Workqueue: events ncsi_dev_work [ 459.040000] [<80010094>] (unwind_backtrace) from [<8000d950>] (show_stack+0x20/0x24) [ 459.040000] [<8000d950>] (show_stack) from [<801dbf70>] (dump_stack+0x20/0x28) [ 459.040000] [<801dbf70>] (dump_stack) from [<80018d7c>] (__warn+0xe0/0x108) [ 459.040000] [<80018d7c>] (__warn) from [<80018e70>] (warn_slowpath_null+0x30/0x38) [ 459.040000] [<80018e70>] (warn_slowpath_null) from [<803f6a08>] (ncsi_start_channel_monitor+0x7c/0x90) [ 459.040000] [<803f6a08>] (ncsi_start_channel_monitor) from [<803f7664>] (ncsi_configure_channel+0xdc/0x5fc) [ 459.040000] [<803f7664>] (ncsi_configure_channel) from [<803f8160>] (ncsi_dev_work+0xac/0x474) [ 459.040000] [<803f8160>] (ncsi_dev_work) from [<8002d244>] (process_one_work+0x1e0/0x450) [ 459.040000] [<8002d244>] (process_one_work) from [<8002d510>] (worker_thread+0x5c/0x570) [ 459.040000] [<8002d510>] (worker_thread) from [<80033614>] (kthread+0x124/0x164) [ 459.040000] [<80033614>] (kthread) from [<8000a5e8>] (ret_from_fork+0x14/0x2c) This also updates the monitor instead of just returning if ncsi_xmit_cmd() fails to send the get-link-status command so that the monitor properly times out. Fixes: e6f44ed "net/ncsi: Package and channel management" Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 0795fb2) Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

[ Upstream commit e2daec4 ] I got follow issue: [ 247.381177] INFO: task kworker/u10:0:47 blocked for more than 120 seconds. [ 247.382644] Not tainted 4.19.90-dirty torvalds#140 [ 247.383502] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.385027] Call Trace: [ 247.388384] schedule+0xb8/0x3c0 [ 247.388966] schedule_timeout+0x2b4/0x380 [ 247.392815] wait_for_completion+0x367/0x510 [ 247.397713] flush_workqueue+0x32b/0x1340 [ 247.402700] drain_workqueue+0xda/0x3c0 [ 247.403442] destroy_workqueue+0x7b/0x690 [ 247.405014] nbd_config_put.cold+0x2f9/0x5b6 [ 247.405823] recv_work+0x1fd/0x2b0 [ 247.406485] process_one_work+0x70b/0x1610 [ 247.407262] worker_thread+0x5a9/0x1060 [ 247.408699] kthread+0x35e/0x430 [ 247.410918] ret_from_fork+0x1f/0x30 We can reproduce issue as follows: 1. Inject memory fault in nbd_start_device -1244,10 +1248,18 @@ static int nbd_start_device(struct nbd_device *nbd) nbd_dev_dbg_init(nbd); for (i = 0; i < num_connections; i++) { struct recv_thread_args *args; - - args = kzalloc(sizeof(*args), GFP_KERNEL); + + if (i == 1) { + args = NULL; + printk("%s: inject malloc error\n", __func__); + } + else + args = kzalloc(sizeof(*args), GFP_KERNEL); 2. Inject delay in recv_work -757,6 +760,8 @@ static void recv_work(struct work_struct *work) blk_mq_complete_request(blk_mq_rq_from_pdu(cmd)); } + printk("%s: comm=%s pid=%d\n", __func__, current->comm, current->pid); + mdelay(5 * 1000); nbd_config_put(nbd); atomic_dec(&config->recv_threads); wake_up(&config->recv_wq); 3. Create nbd server nbd-server 8000 /tmp/disk 4. Create nbd client nbd-client localhost 8000 /dev/nbd1 Then will trigger above issue. Reason is when add delay in recv_work, lead to release the last reference of 'nbd->config_refs'. nbd_config_put will call flush_workqueue to make all work finish. Obviously, it will lead to deadloop. To solve this issue, according to Josef's suggestion move 'recv_work' init from start device to nbd_dev_add, then destroy 'recv_work'when nbd device teardown. Signed-off-by: Ye Bin <yebin10@huawei.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Link: https://lore.kernel.org/r/20211102015237.2309763-5-yebin10@huawei.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>

Merge pull request #1 from torvalds/master

150dcb6

adding new changes

sumanta23 closed this Nov 27, 2014

sumanta23 reopened this Nov 27, 2014

sumanta23 closed this Nov 27, 2014

addstone mentioned this pull request Nov 12, 2017

up (#2) #487

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1 from torvalds/master #140

Merge pull request #1 from torvalds/master #140

sumanta23 commented Nov 27, 2014

Merge pull request #1 from torvalds/master #140

Merge pull request #1 from torvalds/master #140

Conversation

sumanta23 commented Nov 27, 2014