From: Greg Kroah-Hartman Date: Sat, 28 Jul 2018 08:10:17 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.17.12~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c545368aa72510340235cf5ff0fbb2252b7405c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch kvm-mm-account-shadow-page-tables-to-kmemcg.patch mm-disallow-mappings-that-conflict-for-devm_memremap_pages.patch tracing-fix-double-free-of-event_trigger_data.patch tracing-fix-possible-double-free-in-event_enable_trigger_func.patch tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch --- diff --git a/queue-4.17/arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch b/queue-4.17/arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch new file mode 100644 index 00000000000..e09efb173d9 --- /dev/null +++ b/queue-4.17/arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch @@ -0,0 +1,83 @@ +From 7b0eb6b41a08fa1fa0d04b1c53becd62b5fbfaee Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Mon, 23 Jul 2018 10:18:23 -0400 +Subject: arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups + +From: Johannes Weiner + +commit 7b0eb6b41a08fa1fa0d04b1c53becd62b5fbfaee upstream. + +Arnd reports the following arm64 randconfig build error with the PSI +patches that add another page flag: + + /git/arm-soc/arch/arm64/mm/init.c: In function 'mem_init': + /git/arm-soc/include/linux/compiler.h:357:38: error: call to + '__compiletime_assert_618' declared with attribute error: BUILD_BUG_ON + failed: sizeof(struct page) > (1 << STRUCT_PAGE_MAX_SHIFT) + +The additional page flag causes other information stored in +page->flags to get bumped into their own struct page member: + + #if SECTIONS_WIDTH+ZONES_WIDTH+NODES_SHIFT+LAST_CPUPID_SHIFT <= + BITS_PER_LONG - NR_PAGEFLAGS + #define LAST_CPUPID_WIDTH LAST_CPUPID_SHIFT + #else + #define LAST_CPUPID_WIDTH 0 + #endif + + #if defined(CONFIG_NUMA_BALANCING) && LAST_CPUPID_WIDTH == 0 + #define LAST_CPUPID_NOT_IN_PAGE_FLAGS + #endif + +which in turn causes the struct page size to exceed the size set in +STRUCT_PAGE_MAX_SHIFT. This value is an an estimate used to size the +VMEMMAP page array according to address space and struct page size. + +However, the check is performed - and triggers here - on a !VMEMMAP +config, which consumes an additional 22 page bits for the sparse +section id. When VMEMMAP is enabled, those bits are returned, cpupid +doesn't need its own member, and the page passes the VMEMMAP check. + +Restrict that check to the situation it was meant to check: that we +are sizing the VMEMMAP page array correctly. + +Says Arnd: + + Further experiments show that the build error already existed before, + but was only triggered with larger values of CONFIG_NR_CPU and/or + CONFIG_NODES_SHIFT that might be used in actual configurations but + not in randconfig builds. + + With longer CPU and node masks, I could recreate the problem with + kernels as old as linux-4.7 when arm64 NUMA support got added. + +Reported-by: Arnd Bergmann +Tested-by: Arnd Bergmann +Cc: stable@vger.kernel.org +Fixes: 1a2db300348b ("arm64, numa: Add NUMA support for arm64 platforms.") +Fixes: 3e1907d5bf5a ("arm64: mm: move vmemmap region right below the linear region") +Signed-off-by: Johannes Weiner +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -611,11 +611,13 @@ void __init mem_init(void) + BUILD_BUG_ON(TASK_SIZE_32 > TASK_SIZE_64); + #endif + ++#ifdef CONFIG_SPARSEMEM_VMEMMAP + /* + * Make sure we chose the upper bound of sizeof(struct page) +- * correctly. ++ * correctly when sizing the VMEMMAP array. + */ + BUILD_BUG_ON(sizeof(struct page) > (1 << STRUCT_PAGE_MAX_SHIFT)); ++#endif + + if (PAGE_SIZE >= 16384 && get_num_physpages() <= 128) { + extern int sysctl_overcommit_memory; diff --git a/queue-4.17/delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch b/queue-4.17/delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch new file mode 100644 index 00000000000..dd5ea9304c9 --- /dev/null +++ b/queue-4.17/delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch @@ -0,0 +1,78 @@ +From b512719f771a82180211c9a315b8a7f628832b3d Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 26 Jul 2018 16:37:08 -0700 +Subject: delayacct: fix crash in delayacct_blkio_end() after delayacct init failure + +From: Tejun Heo + +commit b512719f771a82180211c9a315b8a7f628832b3d upstream. + +While forking, if delayacct init fails due to memory shortage, it +continues expecting all delayacct users to check task->delays pointer +against NULL before dereferencing it, which all of them used to do. + +Commit c96f5471ce7d ("delayacct: Account blkio completion on the correct +task"), while updating delayacct_blkio_end() to take the target task +instead of always using %current, made the function test NULL on +%current->delays and then continue to operated on @p->delays. If +%current succeeded init while @p didn't, it leads to the following +crash. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 + IP: __delayacct_blkio_end+0xc/0x40 + PGD 8000001fd07e1067 P4D 8000001fd07e1067 PUD 1fcffbb067 PMD 0 + Oops: 0000 [#1] SMP PTI + CPU: 4 PID: 25774 Comm: QIOThread0 Not tainted 4.16.0-9_fbk1_rc2_1180_g6b593215b4d7 #9 + RIP: 0010:__delayacct_blkio_end+0xc/0x40 + Call Trace: + try_to_wake_up+0x2c0/0x600 + autoremove_wake_function+0xe/0x30 + __wake_up_common+0x74/0x120 + wake_up_page_bit+0x9c/0xe0 + mpage_end_io+0x27/0x70 + blk_update_request+0x78/0x2c0 + scsi_end_request+0x2c/0x1e0 + scsi_io_completion+0x20b/0x5f0 + blk_mq_complete_request+0xa2/0x100 + ata_scsi_qc_complete+0x79/0x400 + ata_qc_complete_multiple+0x86/0xd0 + ahci_handle_port_interrupt+0xc9/0x5c0 + ahci_handle_port_intr+0x54/0xb0 + ahci_single_level_irq_intr+0x3b/0x60 + __handle_irq_event_percpu+0x43/0x190 + handle_irq_event_percpu+0x20/0x50 + handle_irq_event+0x2a/0x50 + handle_edge_irq+0x80/0x1c0 + handle_irq+0xaf/0x120 + do_IRQ+0x41/0xc0 + common_interrupt+0xf/0xf + +Fix it by updating delayacct_blkio_end() check @p->delays instead. + +Link: http://lkml.kernel.org/r/20180724175542.GP1934745@devbig577.frc2.facebook.com +Fixes: c96f5471ce7d ("delayacct: Account blkio completion on the correct task") +Signed-off-by: Tejun Heo +Reported-by: Dave Jones +Debugged-by: Dave Jones +Reviewed-by: Andrew Morton +Cc: Josh Snyder +Cc: [4.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/delayacct.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/delayacct.h ++++ b/include/linux/delayacct.h +@@ -124,7 +124,7 @@ static inline void delayacct_blkio_start + + static inline void delayacct_blkio_end(struct task_struct *p) + { +- if (current->delays) ++ if (p->delays) + __delayacct_blkio_end(p); + delayacct_clear_flag(DELAYACCT_PF_BLKIO); + } diff --git a/queue-4.17/drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch b/queue-4.17/drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch new file mode 100644 index 00000000000..b5c6623a50b --- /dev/null +++ b/queue-4.17/drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch @@ -0,0 +1,140 @@ +From 0ca9488193e61ec5f31a631d8147f74525629e8a Mon Sep 17 00:00:00 2001 +From: Clint Taylor +Date: Tue, 10 Jul 2018 13:02:05 -0700 +Subject: drm/i915/glk: Add Quirk for GLK NUC HDMI port issues. + +From: Clint Taylor + +commit 0ca9488193e61ec5f31a631d8147f74525629e8a upstream. + +On GLK NUC platforms the HDMI retiming buffer needs additional disabled +time to correctly sync to a faster incoming signal. + +When measured on a scope the highspeed lines of the HDMI clock turn off + for ~400uS during a normal resolution change. The HDMI retimer on the + GLK NUC appears to require at least a full frame of quiet time before a +new faster clock can be correctly sync'd. Wait 100ms due to msleep +inaccuracies while waiting for a completed frame. Add a quirk to the +driver for GLK boards that use ITE66317 HDMI retimers. + +V2: Add more devices to the quirk list +V3: Delay increased to 100ms, check to confirm crtc type is HDMI. +V4: crtc type check extended to include _DDI and whitespace fixes +v5: Fix white spaces, remove the macro for delay. Revert the crtc type + check introduced in v4. + +Cc: Imre Deak +Cc: # v4.14+ +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105887 +Signed-off-by: Clint Taylor +Tested-by: Daniel Scheller +Signed-off-by: Radhakrishna Sripada +Signed-off-by: Imre Deak +Reviewed-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20180710200205.1478-1-radhakrishna.sripada@intel.com +(cherry picked from commit 90c3e2198777aaa355b6994a31a79c636c8d4306) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.h | 1 + + drivers/gpu/drm/i915/intel_ddi.c | 13 +++++++++++-- + drivers/gpu/drm/i915/intel_display.c | 21 ++++++++++++++++++++- + drivers/gpu/drm/i915/intel_drv.h | 3 +-- + 4 files changed, 33 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -804,6 +804,7 @@ enum intel_sbi_destination { + #define QUIRK_BACKLIGHT_PRESENT (1<<3) + #define QUIRK_PIN_SWIZZLED_PAGES (1<<5) + #define QUIRK_INCREASE_T12_DELAY (1<<6) ++#define QUIRK_INCREASE_DDI_DISABLED_TIME (1<<7) + + struct intel_fbdev; + struct intel_fbc_work; +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -1605,15 +1605,24 @@ void intel_ddi_enable_transcoder_func(co + I915_WRITE(TRANS_DDI_FUNC_CTL(cpu_transcoder), temp); + } + +-void intel_ddi_disable_transcoder_func(struct drm_i915_private *dev_priv, +- enum transcoder cpu_transcoder) ++void intel_ddi_disable_transcoder_func(const struct intel_crtc_state *crtc_state) + { ++ struct intel_crtc *crtc = to_intel_crtc(crtc_state->base.crtc); ++ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev); ++ enum transcoder cpu_transcoder = crtc_state->cpu_transcoder; + i915_reg_t reg = TRANS_DDI_FUNC_CTL(cpu_transcoder); + uint32_t val = I915_READ(reg); + + val &= ~(TRANS_DDI_FUNC_ENABLE | TRANS_DDI_PORT_MASK | TRANS_DDI_DP_VC_PAYLOAD_ALLOC); + val |= TRANS_DDI_PORT_NONE; + I915_WRITE(reg, val); ++ ++ if (dev_priv->quirks & QUIRK_INCREASE_DDI_DISABLED_TIME && ++ intel_crtc_has_type(crtc_state, INTEL_OUTPUT_HDMI)) { ++ DRM_DEBUG_KMS("Quirk Increase DDI disabled time\n"); ++ /* Quirk time at 100ms for reliable operation */ ++ msleep(100); ++ } + } + + int intel_ddi_toggle_hdcp_signalling(struct intel_encoder *intel_encoder, +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -5685,7 +5685,7 @@ static void haswell_crtc_disable(struct + intel_ddi_set_vc_payload_alloc(intel_crtc->config, false); + + if (!transcoder_is_dsi(cpu_transcoder)) +- intel_ddi_disable_transcoder_func(dev_priv, cpu_transcoder); ++ intel_ddi_disable_transcoder_func(old_crtc_state); + + if (INTEL_GEN(dev_priv) >= 9) + skylake_scaler_disable(intel_crtc); +@@ -14388,6 +14388,18 @@ static void quirk_increase_t12_delay(str + DRM_INFO("Applying T12 delay quirk\n"); + } + ++/* ++ * GeminiLake NUC HDMI outputs require additional off time ++ * this allows the onboard retimer to correctly sync to signal ++ */ ++static void quirk_increase_ddi_disabled_time(struct drm_device *dev) ++{ ++ struct drm_i915_private *dev_priv = to_i915(dev); ++ ++ dev_priv->quirks |= QUIRK_INCREASE_DDI_DISABLED_TIME; ++ DRM_INFO("Applying Increase DDI Disabled quirk\n"); ++} ++ + struct intel_quirk { + int device; + int subsystem_vendor; +@@ -14474,6 +14486,13 @@ static struct intel_quirk intel_quirks[] + + /* Toshiba Satellite P50-C-18C */ + { 0x191B, 0x1179, 0xF840, quirk_increase_t12_delay }, ++ ++ /* GeminiLake NUC */ ++ { 0x3185, 0x8086, 0x2072, quirk_increase_ddi_disabled_time }, ++ { 0x3184, 0x8086, 0x2072, quirk_increase_ddi_disabled_time }, ++ /* ASRock ITX*/ ++ { 0x3185, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, ++ { 0x3184, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, + }; + + static void intel_init_quirks(struct drm_device *dev) +--- a/drivers/gpu/drm/i915/intel_drv.h ++++ b/drivers/gpu/drm/i915/intel_drv.h +@@ -1368,8 +1368,7 @@ void hsw_fdi_link_train(struct intel_crt + void intel_ddi_init(struct drm_i915_private *dev_priv, enum port port); + bool intel_ddi_get_hw_state(struct intel_encoder *encoder, enum pipe *pipe); + void intel_ddi_enable_transcoder_func(const struct intel_crtc_state *crtc_state); +-void intel_ddi_disable_transcoder_func(struct drm_i915_private *dev_priv, +- enum transcoder cpu_transcoder); ++void intel_ddi_disable_transcoder_func(const struct intel_crtc_state *crtc_state); + void intel_ddi_enable_pipe_clock(const struct intel_crtc_state *crtc_state); + void intel_ddi_disable_pipe_clock(const struct intel_crtc_state *crtc_state); + struct intel_encoder * diff --git a/queue-4.17/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch b/queue-4.17/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch new file mode 100644 index 00000000000..bc7605acfe1 --- /dev/null +++ b/queue-4.17/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch @@ -0,0 +1,31 @@ +From 938f45008d8bc391593c97508bc798cc95a52b9b Mon Sep 17 00:00:00 2001 +From: Donald Shanty III +Date: Wed, 4 Jul 2018 15:50:47 +0000 +Subject: Input: elan_i2c - add ACPI ID for lenovo ideapad 330 + +From: Donald Shanty III + +commit 938f45008d8bc391593c97508bc798cc95a52b9b upstream. + +This allows Elan driver to bind to the touchpad found in Lenovo Ideapad 330 +series laptops. + +Signed-off-by: Donald Shanty III +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1264,6 +1264,7 @@ static const struct acpi_device_id elan_ + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN061D", 0 }, + { "ELAN1000", 0 }, + { } + }; diff --git a/queue-4.17/input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch b/queue-4.17/input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch new file mode 100644 index 00000000000..1ed8957f6a6 --- /dev/null +++ b/queue-4.17/input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch @@ -0,0 +1,32 @@ +From 6f88a6439da5d94de334a341503bc2c7f4a7ea7f Mon Sep 17 00:00:00 2001 +From: KT Liao +Date: Mon, 16 Jul 2018 12:10:03 +0000 +Subject: Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST + +From: KT Liao + +commit 6f88a6439da5d94de334a341503bc2c7f4a7ea7f upstream. + +Add ELAN0622 to ACPI mapping table to support Elan touchpad found in +Ideapad 330-15AST. + +Signed-off-by: KT Liao +Reported-by: Anant Shende +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1265,6 +1265,7 @@ static const struct acpi_device_id elan_ + { "ELAN0612", 0 }, + { "ELAN0618", 0 }, + { "ELAN061D", 0 }, ++ { "ELAN0622", 0 }, + { "ELAN1000", 0 }, + { } + }; diff --git a/queue-4.17/input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch b/queue-4.17/input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch new file mode 100644 index 00000000000..4c5c7277326 --- /dev/null +++ b/queue-4.17/input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch @@ -0,0 +1,40 @@ +From 384cf4285b34e08917e3e66603382f2b0c4f6e1b Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 18 Jul 2018 17:24:35 +0000 +Subject: Input: i8042 - add Lenovo LaVie Z to the i8042 reset list + +From: Chen-Yu Tsai + +commit 384cf4285b34e08917e3e66603382f2b0c4f6e1b upstream. + +The Lenovo LaVie Z laptop requires i8042 to be reset in order to +consistently detect its Elantech touchpad. The nomux and kbdreset +quirks are not sufficient. + +It's possible the other LaVie Z models from NEC require this as well. + +Cc: stable@vger.kernel.org +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -527,6 +527,13 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"), + }, + }, ++ { ++ /* Lenovo LaVie Z */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), ++ }, ++ }, + { } + }; + diff --git a/queue-4.17/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch b/queue-4.17/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch new file mode 100644 index 00000000000..0003c467c37 --- /dev/null +++ b/queue-4.17/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch @@ -0,0 +1,80 @@ +From 3e536e222f2930534c252c1cc7ae799c725c5ff9 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 26 Jul 2018 09:15:39 +0200 +Subject: kthread, tracing: Don't expose half-written comm when creating kthreads + +From: Snild Dolkow + +commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream. + +There is a window for racing when printing directly to task->comm, +allowing other threads to see a non-terminated string. The vsnprintf +function fills the buffer, counts the truncated chars, then finally +writes the \0 at the end. + + creator other + vsnprintf: + fill (not terminated) + count the rest trace_sched_waking(p): + ... memcpy(comm, p->comm, TASK_COMM_LEN) + write \0 + +The consequences depend on how 'other' uses the string. In our case, +it was copied into the tracing system's saved cmdlines, a buffer of +adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be): + + crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk' + 0xffffffd5b3818640: "irq/497-pwr_evenkworker/u16:12" + +...and a strcpy out of there would cause stack corruption: + + [224761.522292] Kernel panic - not syncing: stack-protector: + Kernel stack is corrupted in: ffffff9bf9783c78 + + crash-arm64> kbt | grep 'comm\|trace_print_context' + #6 0xffffff9bf9783c78 in trace_print_context+0x18c(+396) + comm (char [16]) = "irq/497-pwr_even" + + crash-arm64> rd 0xffffffd4d0e17d14 8 + ffffffd4d0e17d14: 2f71726900000000 5f7277702d373934 ....irq/497-pwr_ + ffffffd4d0e17d24: 726f776b6e657665 3a3631752f72656b evenkworker/u16: + ffffffd4d0e17d34: f9780248ff003231 cede60e0ffffff9b 12..H.x......`.. + ffffffd4d0e17d44: cede60c8ffffffd4 00000fffffffffd4 .....`.......... + +The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was +likely needed because of this same bug. + +Solved by vsnprintf:ing to a local buffer, then using set_task_comm(). +This way, there won't be a window where comm is not terminated. + +Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com + +Cc: stable@vger.kernel.org +Fixes: bc0c38d139ec7 ("ftrace: latency tracer infrastructure") +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Snild Dolkow +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kthread.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -319,8 +319,14 @@ struct task_struct *__kthread_create_on_ + task = create->result; + if (!IS_ERR(task)) { + static const struct sched_param param = { .sched_priority = 0 }; ++ char name[TASK_COMM_LEN]; + +- vsnprintf(task->comm, sizeof(task->comm), namefmt, args); ++ /* ++ * task is already visible to other tasks, so updating ++ * COMM must be protected. ++ */ ++ vsnprintf(name, sizeof(name), namefmt, args); ++ set_task_comm(task, name); + /* + * root may have changed our (kthreadd's) priority or CPU mask. + * The kernel thread should not inherit these properties. diff --git a/queue-4.17/kvm-mm-account-shadow-page-tables-to-kmemcg.patch b/queue-4.17/kvm-mm-account-shadow-page-tables-to-kmemcg.patch new file mode 100644 index 00000000000..71d51517e73 --- /dev/null +++ b/queue-4.17/kvm-mm-account-shadow-page-tables-to-kmemcg.patch @@ -0,0 +1,48 @@ +From d97e5e6160c0e0a23963ec198c7cb1c69e6bf9e8 Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Thu, 26 Jul 2018 16:37:45 -0700 +Subject: kvm, mm: account shadow page tables to kmemcg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shakeel Butt + +commit d97e5e6160c0e0a23963ec198c7cb1c69e6bf9e8 upstream. + +The size of kvm's shadow page tables corresponds to the size of the +guest virtual machines on the system. Large VMs can spend a significant +amount of memory as shadow page tables which can not be left as system +memory overhead. So, account shadow page tables to the kmemcg. + +[shakeelb@google.com: replace (GFP_KERNEL|__GFP_ACCOUNT) with GFP_KERNEL_ACCOUNT] + Link: http://lkml.kernel.org/r/20180629140224.205849-1-shakeelb@google.com +Link: http://lkml.kernel.org/r/20180627181349.149778-1-shakeelb@google.com +Signed-off-by: Shakeel Butt +Cc: Michal Hocko +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: Paolo Bonzini +Cc: Greg Thelen +Cc: Radim Krčmář +Cc: Peter Feiner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -891,7 +891,7 @@ static int mmu_topup_memory_cache_page(s + if (cache->nobjs >= min) + return 0; + while (cache->nobjs < ARRAY_SIZE(cache->objects)) { +- page = (void *)__get_free_page(GFP_KERNEL); ++ page = (void *)__get_free_page(GFP_KERNEL_ACCOUNT); + if (!page) + return -ENOMEM; + cache->objects[cache->nobjs++] = page; diff --git a/queue-4.17/mm-disallow-mappings-that-conflict-for-devm_memremap_pages.patch b/queue-4.17/mm-disallow-mappings-that-conflict-for-devm_memremap_pages.patch new file mode 100644 index 00000000000..5369b5848d9 --- /dev/null +++ b/queue-4.17/mm-disallow-mappings-that-conflict-for-devm_memremap_pages.patch @@ -0,0 +1,88 @@ +From 15d36fecd0bdc7510b70a0e5ec6671140b3fce0c Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Thu, 26 Jul 2018 16:37:15 -0700 +Subject: mm: disallow mappings that conflict for devm_memremap_pages() + +From: Dave Jiang + +commit 15d36fecd0bdc7510b70a0e5ec6671140b3fce0c upstream. + +When pmem namespaces created are smaller than section size, this can +cause an issue during removal and gpf was observed: + + general protection fault: 0000 1 SMP PTI + CPU: 36 PID: 3941 Comm: ndctl Tainted: G W 4.14.28-1.el7uek.x86_64 #2 + task: ffff88acda150000 task.stack: ffffc900233a4000 + RIP: 0010:__put_page+0x56/0x79 + Call Trace: + devm_memremap_pages_release+0x155/0x23a + release_nodes+0x21e/0x260 + devres_release_all+0x3c/0x48 + device_release_driver_internal+0x15c/0x207 + device_release_driver+0x12/0x14 + unbind_store+0xba/0xd8 + drv_attr_store+0x27/0x31 + sysfs_kf_write+0x3f/0x46 + kernfs_fop_write+0x10f/0x18b + __vfs_write+0x3a/0x16d + vfs_write+0xb2/0x1a1 + SyS_write+0x55/0xb9 + do_syscall_64+0x79/0x1ae + entry_SYSCALL_64_after_hwframe+0x3d/0x0 + +Add code to check whether we have a mapping already in the same section +and prevent additional mappings from being created if that is the case. + +Link: http://lkml.kernel.org/r/152909478401.50143.312364396244072931.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Dave Jiang +Cc: Dan Williams +Cc: Robert Elliott +Cc: Jeff Moyer +Cc: Matthew Wilcox +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/memremap.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -348,10 +348,27 @@ void *devm_memremap_pages(struct device + unsigned long pfn, pgoff, order; + pgprot_t pgprot = PAGE_KERNEL; + int error, nid, is_ram; ++ struct dev_pagemap *conflict_pgmap; + + align_start = res->start & ~(SECTION_SIZE - 1); + align_size = ALIGN(res->start + resource_size(res), SECTION_SIZE) + - align_start; ++ align_end = align_start + align_size - 1; ++ ++ conflict_pgmap = get_dev_pagemap(PHYS_PFN(align_start), NULL); ++ if (conflict_pgmap) { ++ dev_WARN(dev, "Conflicting mapping in same section\n"); ++ put_dev_pagemap(conflict_pgmap); ++ return ERR_PTR(-ENOMEM); ++ } ++ ++ conflict_pgmap = get_dev_pagemap(PHYS_PFN(align_end), NULL); ++ if (conflict_pgmap) { ++ dev_WARN(dev, "Conflicting mapping in same section\n"); ++ put_dev_pagemap(conflict_pgmap); ++ return ERR_PTR(-ENOMEM); ++ } ++ + is_ram = region_intersects(align_start, align_size, + IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE); + +@@ -371,7 +388,6 @@ void *devm_memremap_pages(struct device + + mutex_lock(&pgmap_lock); + error = 0; +- align_end = align_start + align_size - 1; + + foreach_order_pgoff(res, order, pgoff) { + error = __radix_tree_insert(&pgmap_radix, diff --git a/queue-4.17/series b/queue-4.17/series index 47ad375b4d8..8296a65a4c7 100644 --- a/queue-4.17/series +++ b/queue-4.17/series @@ -1 +1,14 @@ spi-spi-s3c64xx-fix-system-resume-support.patch +input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch +input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch +input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch +mm-disallow-mappings-that-conflict-for-devm_memremap_pages.patch +kvm-mm-account-shadow-page-tables-to-kmemcg.patch +delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch +tracing-fix-double-free-of-event_trigger_data.patch +tracing-fix-possible-double-free-in-event_enable_trigger_func.patch +kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch +tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch +tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch +arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch +drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch diff --git a/queue-4.17/tracing-fix-double-free-of-event_trigger_data.patch b/queue-4.17/tracing-fix-double-free-of-event_trigger_data.patch new file mode 100644 index 00000000000..8f5fbd1cf6f --- /dev/null +++ b/queue-4.17/tracing-fix-double-free-of-event_trigger_data.patch @@ -0,0 +1,112 @@ +From 1863c387259b629e4ebfb255495f67cd06aa229b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 24 Jul 2018 19:13:31 -0400 +Subject: tracing: Fix double free of event_trigger_data + +From: Steven Rostedt (VMware) + +commit 1863c387259b629e4ebfb255495f67cd06aa229b upstream. + +Running the following: + + # cd /sys/kernel/debug/tracing + # echo 500000 > buffer_size_kb +[ Or some other number that takes up most of memory ] + # echo snapshot > events/sched/sched_switch/trigger + +Triggers the following bug: + + ------------[ cut here ]------------ + kernel BUG at mm/slub.c:296! + invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI + CPU: 6 PID: 6878 Comm: bash Not tainted 4.18.0-rc6-test+ #1066 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 + RIP: 0010:kfree+0x16c/0x180 + Code: 05 41 0f b6 72 51 5b 5d 41 5c 4c 89 d7 e9 ac b3 f8 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 5d 41 5c 4c 89 d6 e9 f4 f3 ff ff <0f> 0b 0f 0b 48 8b 3d d9 d8 f9 00 e9 c1 fe ff ff 0f 1f 40 00 0f 1f + RSP: 0018:ffffb654436d3d88 EFLAGS: 00010246 + RAX: ffff91a9d50f3d80 RBX: ffff91a9d50f3d80 RCX: ffff91a9d50f3d80 + RDX: 00000000000006a4 RSI: ffff91a9de5a60e0 RDI: ffff91a9d9803500 + RBP: ffffffff8d267c80 R08: 00000000000260e0 R09: ffffffff8c1a56be + R10: fffff0d404543cc0 R11: 0000000000000389 R12: ffffffff8c1a56be + R13: ffff91a9d9930e18 R14: ffff91a98c0c2890 R15: ffffffff8d267d00 + FS: 00007f363ea64700(0000) GS:ffff91a9de580000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055c1cacc8e10 CR3: 00000000d9b46003 CR4: 00000000001606e0 + Call Trace: + event_trigger_callback+0xee/0x1d0 + event_trigger_write+0xfc/0x1a0 + __vfs_write+0x33/0x190 + ? handle_mm_fault+0x115/0x230 + ? _cond_resched+0x16/0x40 + vfs_write+0xb0/0x190 + ksys_write+0x52/0xc0 + do_syscall_64+0x5a/0x160 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f363e16ab50 + Code: 73 01 c3 48 8b 0d 38 83 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 79 db 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e e3 01 00 48 89 04 24 + RSP: 002b:00007fff9a4c6378 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f363e16ab50 + RDX: 0000000000000009 RSI: 000055c1cacc8e10 RDI: 0000000000000001 + RBP: 000055c1cacc8e10 R08: 00007f363e435740 R09: 00007f363ea64700 + R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000009 + R13: 0000000000000001 R14: 00007f363e4345e0 R15: 00007f363e4303c0 + Modules linked in: ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_seq snd_seq_device i915 snd_pcm snd_timer i2c_i801 snd soundcore i2c_algo_bit drm_kms_helper +86_pkg_temp_thermal video kvm_intel kvm irqbypass wmi e1000e + ---[ end trace d301afa879ddfa25 ]--- + +The cause is because the register_snapshot_trigger() call failed to +allocate the snapshot buffer, and then called unregister_trigger() +which freed the data that was passed to it. Then on return to the +function that called register_snapshot_trigger(), as it sees it +failed to register, it frees the trigger_data again and causes +a double free. + +By calling event_trigger_init() on the trigger_data (which only ups +the reference counter for it), and then event_trigger_free() afterward, +the trigger_data would not get freed by the registering trigger function +as it would only up and lower the ref count for it. If the register +trigger function fails, then the event_trigger_free() called after it +will free the trigger data normally. + +Link: http://lkml.kernel.org/r/20180724191331.738eb819@gandalf.local.home + +Cc: stable@vger.kerne.org +Fixes: 93e31ffbf417 ("tracing: Add 'snapshot' event trigger command") +Reported-by: Masami Hiramatsu +Reviewed-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_trigger.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -681,6 +681,8 @@ event_trigger_callback(struct event_comm + goto out_free; + + out_reg: ++ /* Up the trigger_data count to make sure reg doesn't free it on failure */ ++ event_trigger_init(trigger_ops, trigger_data); + ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file); + /* + * The above returns on success the # of functions enabled, +@@ -688,11 +690,13 @@ event_trigger_callback(struct event_comm + * Consider no functions a failure too. + */ + if (!ret) { ++ cmd_ops->unreg(glob, trigger_ops, trigger_data, file); + ret = -ENOENT; +- goto out_free; +- } else if (ret < 0) +- goto out_free; +- ret = 0; ++ } else if (ret > 0) ++ ret = 0; ++ ++ /* Down the counter of trigger_data or free it if not used anymore */ ++ event_trigger_free(trigger_ops, trigger_data); + out: + return ret; + diff --git a/queue-4.17/tracing-fix-possible-double-free-in-event_enable_trigger_func.patch b/queue-4.17/tracing-fix-possible-double-free-in-event_enable_trigger_func.patch new file mode 100644 index 00000000000..6c4303a78fc --- /dev/null +++ b/queue-4.17/tracing-fix-possible-double-free-in-event_enable_trigger_func.patch @@ -0,0 +1,60 @@ +From 15cc78644d0075e76d59476a4467e7143860f660 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 25 Jul 2018 16:02:06 -0400 +Subject: tracing: Fix possible double free in event_enable_trigger_func() + +From: Steven Rostedt (VMware) + +commit 15cc78644d0075e76d59476a4467e7143860f660 upstream. + +There was a case that triggered a double free in event_trigger_callback() +due to the called reg() function freeing the trigger_data and then it +getting freed again by the error return by the caller. The solution there +was to up the trigger_data ref count. + +Code inspection found that event_enable_trigger_func() has the same issue, +but is not as easy to trigger (requires harder to trigger failures). It +needs to be solved slightly different as it needs more to clean up when the +reg() function fails. + +Link: http://lkml.kernel.org/r/20180725124008.7008e586@gandalf.local.home + +Cc: stable@vger.kernel.org +Fixes: 7862ad1846e99 ("tracing: Add 'enable_event' and 'disable_event' event trigger commands") +Reivewed-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_trigger.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -1422,6 +1422,9 @@ int event_enable_trigger_func(struct eve + goto out; + } + ++ /* Up the trigger_data count to make sure nothing frees it on failure */ ++ event_trigger_init(trigger_ops, trigger_data); ++ + if (trigger) { + number = strsep(&trigger, ":"); + +@@ -1472,6 +1475,7 @@ int event_enable_trigger_func(struct eve + goto out_disable; + /* Just return zero, not the number of enabled functions */ + ret = 0; ++ event_trigger_free(trigger_ops, trigger_data); + out: + return ret; + +@@ -1482,7 +1486,7 @@ int event_enable_trigger_func(struct eve + out_free: + if (cmd_ops->set_filter) + cmd_ops->set_filter(NULL, trigger_data, NULL); +- kfree(trigger_data); ++ event_trigger_free(trigger_ops, trigger_data); + kfree(enable_data); + goto out; + } diff --git a/queue-4.17/tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch b/queue-4.17/tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch new file mode 100644 index 00000000000..435ec2aa959 --- /dev/null +++ b/queue-4.17/tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch @@ -0,0 +1,63 @@ +From 57ea2a34adf40f3a6e88409aafcf803b8945619a Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Wed, 25 Jul 2018 16:20:38 +0200 +Subject: tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure + +From: Artem Savkov + +commit 57ea2a34adf40f3a6e88409aafcf803b8945619a upstream. + +If enable_trace_kprobe fails to enable the probe in enable_k(ret)probe +it returns an error, but does not unset the tp flags it set previously. +This results in a probe being considered enabled and failures like being +unable to remove the probe through kprobe_events file since probes_open() +expects every probe to be disabled. + +Link: http://lkml.kernel.org/r/20180725102826.8300-1-asavkov@redhat.com +Link: http://lkml.kernel.org/r/20180725142038.4765-1-asavkov@redhat.com + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 41a7dd420c57 ("tracing/kprobes: Support ftrace_event_file base multibuffer") +Acked-by: Masami Hiramatsu +Reviewed-by: Josh Poimboeuf +Signed-off-by: Artem Savkov +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_kprobe.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -400,11 +400,10 @@ static struct trace_kprobe *find_trace_k + static int + enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file) + { ++ struct event_file_link *link; + int ret = 0; + + if (file) { +- struct event_file_link *link; +- + link = kmalloc(sizeof(*link), GFP_KERNEL); + if (!link) { + ret = -ENOMEM; +@@ -424,6 +423,16 @@ enable_trace_kprobe(struct trace_kprobe + else + ret = enable_kprobe(&tk->rp.kp); + } ++ ++ if (ret) { ++ if (file) { ++ list_del_rcu(&link->list); ++ kfree(link); ++ tk->tp.flags &= ~TP_FLAG_TRACE; ++ } else { ++ tk->tp.flags &= ~TP_FLAG_PROFILE; ++ } ++ } + out: + return ret; + } diff --git a/queue-4.17/tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch b/queue-4.17/tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch new file mode 100644 index 00000000000..77ce24ed277 --- /dev/null +++ b/queue-4.17/tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch @@ -0,0 +1,53 @@ +From 2519c1bbe38d7acacc9aacba303ca6f97482ed53 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 25 Jul 2018 22:28:56 -0400 +Subject: tracing: Quiet gcc warning about maybe unused link variable + +From: Steven Rostedt (VMware) + +commit 2519c1bbe38d7acacc9aacba303ca6f97482ed53 upstream. + +Commit 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on +enable_trace_kprobe() failure") added an if statement that depends on another +if statement that gcc doesn't see will initialize the "link" variable and +gives the warning: + + "warning: 'link' may be used uninitialized in this function" + +It is really a false positive, but to quiet the warning, and also to make +sure that it never actually is used uninitialized, initialize the "link" +variable to NULL and add an if (!WARN_ON_ONCE(!link)) where the compiler +thinks it could be used uninitialized. + +Cc: stable@vger.kernel.org +Fixes: 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure") +Reported-by: kbuild test robot +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_kprobe.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -400,7 +400,7 @@ static struct trace_kprobe *find_trace_k + static int + enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file) + { +- struct event_file_link *link; ++ struct event_file_link *link = NULL; + int ret = 0; + + if (file) { +@@ -426,7 +426,9 @@ enable_trace_kprobe(struct trace_kprobe + + if (ret) { + if (file) { +- list_del_rcu(&link->list); ++ /* Notice the if is true on not WARN() */ ++ if (!WARN_ON_ONCE(!link)) ++ list_del_rcu(&link->list); + kfree(link); + tk->tp.flags &= ~TP_FLAG_TRACE; + } else {