OK, so I'm traveling, and the timing of this rc is slightly out of
kilter, but it's really just one day off (even though to me it feels
like more because I'm currently in Beijing and ahead of my usual time
zone by 15 hours).
The good news is that rc6 is smaller than rc5 was, and I think we're
back on track and rc5 really was big just due to random timing. We'll
see. Next weekend when I'm back home and do rc7, I'll see how I feel
about things. I'm still hopeful that this would be a normal release
cycle where rc7 is the last rc.
And things look fairly normal. Two thirds drivers (rdma stands out,
but there's also networking drivers, gpu, hid etc), with the rest
being the usual mixture of architecture updates (s390, mips, powerpc,
arm, xtemsa) and filesystem (some more ufs work, but also ceph,
configfs and xfs), mm, networking and tooling (perf) updates.
Go out and test,
Linus
---
Al Viro (9):
ufs: fix logics in "ufs: make fsck -f happy"
ufs: make ufs_freespace() return signed
ufs: fix reserved blocks check
ufs: fix s_size/s_dsize users
ufs_get_locked_page(): make sure we have buffer_heads
ufs: avoid grabbing ->truncate_mutex if possible
ufs: more deadlock prevention on tail unpacking
ufs_truncate_blocks(): fix the case when size is in the last direct block
Hang/soft lockup in d_invalidate with simultaneous calls
Alan Stern (2):
USB: gadget: fix GPF in gadgetfs
USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
Alex Vesker (4):
IB/ipoib: Fix memory leaks for child interfaces priv
IB/ipoib: Limit call to free rdma_netdev for capable devices
IB/ipoib: Delete napi in device uninit default
IB/ipoib: Fix access to un-initialized napi struct
Alexander Potapenko (1):
net: don't call strlen on non-terminated string in dev_set_alias()
Alexey Kardashevskiy (1):
powerpc/debug: Add missing warn flag to WARN_ON's non-builtin path
Alexey Khoroshilov (1):
staging: iio: ad7152: Fix deadlock in ad7152_write_raw_samp_freq()
Alistair Popple (1):
powerpc/npu-dma: Remove spurious WARN_ON when a PCI device has no of_node
Andrea Arcangeli (1):
userfaultfd: shmem: handle coredumping in handle_userfault()
Andreas Pape (1):
batman-adv: fix memory leak when dropping packet from other gateway
Andrei Vagin (1):
fs: don't forget to put old mntns in mntns_install
Andy Lutomirski (2):
sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
firmware: dmi_scan: Make dmi_walk and dmi_walk_early return real
error codes
Antoine Tenart (1):
net: mvpp2: do not bypass the mvpp22_port_mii_set function
Arnaldo Carvalho de Melo (1):
perf evsel: Fix probing of precise_ip level for default cycles event
Arnd Bergmann (5):
[media] cec: improve MEDIA_CEC_RC dependencies
[media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE
ila_xlat: add missing hash secret initialization
video: fbdev: avoid int-in-bool-context warning
video: fbdev: via: remove possibly unused variables
Arvind Yadav (2):
PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
Ashwanth Goli (1):
net: rps: fix uninitialized symbol warning
Avraham Stern (1):
mac80211: Fix incorrect condition when checking rx timestamp
Bart Van Assche (2):
configfs: Introduce config_item_get_unless_zero()
block: Fix a blk_exit_rl() regression
Benjamin Herrenschmidt (1):
powerpc/xive: Fix offset for store EOI MMIOs
Bjørn Mork (1):
qmi_wwan: new Telewell and Sierra device IDs
Brian Foster (1):
xfs: fix spurious spin_is_locked() assert failures on non-smp kernels
Brian Norris (1):
PCI: Make error code types consistent in pci_{read,write}_config_*
Chen-Yu Tsai (2):
ARM: sunxi: h3-h5: Add PLL_PERIPH0 clock to the R_CCU
arm64: allwinner: a64: Add PLL_PERIPH0 clock to the R_CCU
Christian Borntraeger (1):
s390/kvm: do not rely on the ILC on kvm host protection fauls
Christian König (1):
drm/radeon: fix "force the UVD DPB into VRAM as well"
Christian Lamparter (2):
net: emac: fix reset timeout with AR8035 phy
net: emac: fix and unify emac_mdio functions
Christian Perle (1):
proc: snmp6: Use correct type in memset
Christoph Hellwig (1):
fs: pass on flags in compat_writev
Christophe JAILLET (2):
[media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
gpu: host1x: Fix error handling
Christophe Jaillet (1):
cpuidle: dt: Add missing 'of_node_put()'
Corentin Labbe (1):
usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
Dan Carpenter (2):
Staging: rtl8723bs: fix an error code in isFileReadable()
net/act_pedit: fix an error code
Daniel Borkmann (2):
bpf, arm64: use separate register for state in stxr
bpf, tests: fix endianness selection
David Ahern (2):
net: ipv6: Release route when device is unregistering
net: vrf: Make add_fib_rules per network namespace flag
David Miller (1):
crypto: Work around deallocated stack frame reference gcc bug on sparc.
David S. Miller (5):
net: Fix inconsistent teardown and release of private netdev state.
hsi: Fix build regression due to netdev destructor fix.
Revert "decnet: dn_rtmsg: Improve input length sanitization in
dnrmg_receive_user_skb"
net: Fix build regression in rtl8723bs staging driver.
Revert "net: fec: Add a fec_enet_clear_ethtool_stats() stub for
CONFIG_M5272"
Devesh Sharma (2):
RDMA/bnxt_re: Fixing the Control path command and response handling
RDMA/bnxt_re: Fix RQE posting logic
Dmitry Osipenko (2):
drm/tegra: Fix lockup on a use of staging API
drm/tegra: Correct idr_alloc() minimum id
Dominik Heidler (1):
l2tp: cast l2tp traffic counter to unsigned
Donald Sharp (1):
net: ipmr: Fix some mroute forwarding issues in vrf's
Eddie Wai (1):
RDMA/bnxt_re: HW workarounds for handling specific conditions
Emmanuel Grumbach (2):
mac80211: don't look at the PM bit of BAR frames
mac80211: don't send SMPS action frame in AP mode when not needed
Enric Balletbo i Serra (2):
ARM: dts: am335x-sl50: Fix card detect pin for mmc1
ARM: dts: am335x-sl50: Fix cannot claim requested pins for spi0
Fabio Estevam (2):
net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272
drm: mxsfb_crtc: Reset the eLCDIF controller
Felipe Balbi (1):
usb: gadget: composite: make sure to reactivate function on unbind
Feras Daoud (1):
IB/ipoib: Fix memory leak in create child syscall
Florian Fainelli (1):
net: phy: Fix MDIO_THUNDER dependencies
Hans Verkuil (2):
[media] cec: race fix: don't return -ENONET in cec_receive()
[media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED
Harald Freudenberger (1):
s390/zcrypt: Fix blocking queue device after unbind/bind.
Heiner Kallweit (2):
mmc: meson-gx: work around broken SDIO with certain WiFi chips
genirq: Release resources in __setup_irq() error path
Hugh Dickins (1):
mm: larger stack guard gap, between vmas
Huy Nguyen (1):
net/mlx5: Remove several module events out of ethtool stats
Icenowy Zheng (1):
ARM: sunxi: h3/h5: fix the compatible of R_CCU
Jacob Keller (1):
i40e: fix handling of HW ATR eviction
James Morse (1):
mm/memory-failure.c: use compound_head() flags for huge pages
Jason A. Donenfeld (1):
mac80211/wpa: use constant time memory comparison for MACs
Jean Delvare (3):
firmware: dmi_scan: Look for SMBIOS 3 entry point first
firmware: dmi: Fix permissions of product_family
firmware: dmi_scan: Check DMI structure length
Jean-Baptiste Maneyrol (1):
iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500
Jesper Dangaard Brouer (1):
net: don't global ICMP rate limit packets originating from loopback
Jia-Ju Bai (4):
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
rxe: Fix a sleep-in-atomic bug in post_one_send
i40e: Fix a sleep-in-atomic bug
Jiada Wang (1):
perf tools: Fix build with ARCH=x86_64
Jiri Kosina (1):
HID: let generic driver yield control iff specific driver has been enabled
Joe Perches (2):
net: phy: add missing SPEED_14000
netconsole: Remove duplicate "netconsole: " logging prefix
Johan Hovold (2):
can: peak_usb: fix product-id endianness in error message
video: fbdev: add missing USB-descriptor endianness conversions
Johannes Berg (3):
mac80211: free netdev on dev_alloc_name() error
mac80211: remove 5/10 MHz rate code from station MLME
mac80211: set bss_info data before configuring the channel
John Allen (1):
ibmvnic: Return failure on attempted mtu change
Jonas Gorski (1):
leds: bcm6328: fix signal source assignment for leds 4 to 7
Karicheri, Muralidharan (1):
hsr: fix incorrect warning
Kees Cook (1):
objtool: Add fortify_panic as __noreturn function
Krister Johansen (1):
Fix an intermittent pr_emerg warning about lo becoming free.
Krzysztof Kozlowski (1):
PM / devfreq: exynos-ppmu: Staticize event list
Laurent Pinchart (1):
drm: dw-hdmi: Fix compilation breakage by selecting REGMAP_MMIO
Linus Torvalds (1):
Linux 4.12-rc6
Liwei Song (1):
i2c: ismt: fix wrong device address when unmap the data buffer
Luis Henriques (1):
ceph: check i_nlink while converting a file handle to dentry
Lv Zheng (1):
ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance
Magnus Damm (1):
net: update undefined ->ndo_change_mtu() comment
Majd Dibbiny (1):
net/mlx5: Enable 4K UAR only when page size is bigger than 4K
Marc Kleine-Budde (3):
can: dev: make can_change_state() robust to be called with cf == NULL
can: gs_usb: fix memory leak in gs_cmd_reset()
can: af_can: namespace support: fix lockdep splat: properly
initialize spin_lock
Marcin Nowakowski (7):
MIPS: perf: Remove incorrect odd/even counter handling for I6400
MIPS: mm: fixed mappings: correct initialisation
MIPS: highmem: ensure that we don't use more than one page for PTEs
MIPS: mm: adjust PKMAP location
MIPS: ftrace: fix init functions tracing
MIPS: kprobes: flush_insn_slot should flush only if probe initialised
sched/fair: Fix typo in printk message
Mario Kleiner (2):
drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions.
drm/radeon: Fix overflow of watermark calcs at > 4k resolutions.
Mario Molitor (2):
stmmac: fix ptp header for GMAC3 hw timestamp
stmmac: fix for hw timestamp of GMAC3 unit
Mark Rutland (1):
mm: numa: avoid waiting on freed migrated pages
Markus Elfring (2):
xtensa: Use seq_puts() in c_show()
xtensa: ISS: Use kmalloc_array() in simdisk_init()
Martin Blumenstingl (1):
iio: adc: meson-saradc: fix potential crash in meson_sar_adc_clear_fifo
Martin Schwidefsky (1):
s390: update defconfig
Mateusz Jurczyk (4):
decnet: dn_rtmsg: Improve input length sanitization in
dnrmg_receive_user_skb
decnet: dn_rtmsg: Improve input length sanitization in
dnrmg_receive_user_skb
af_unix: Add sockaddr length checks before accessing sa_family
in bind and connect handlers
caif: Add sockaddr length check before accessing sa_family in
connect handler
Mathieu Larouche (1):
drm/mgag200: Fix to always set HiPri for G200e4 V2
Max Filippov (2):
xtensa: reduce double exception literal reservation
xtensa: don't use linux IRQ #0
Maxime Ripard (1):
arm64: allwinner: h5: Remove syslink to shared DTSI
Michael S. Tsirkin (2):
net: fix up hash documentation
virtio_balloon: disable VIOMMU support
Michal Kalderon (1):
RDMA/qedr: Initialize byte_len in WC of READ and SEND commands
Michal Schmidt (1):
bnx2x: fix pf2vf bulletin DMA mapping leak
Mike Gerow (1):
video: fbdev: udlfb: drop log level for blanking
Milian Wolff (1):
perf unwind: Report module before querying isactivation in dwfl unwind
Mintz, Yuval (3):
net: Zero ifla_vf_info in rtnl_fill_vfinfo()
bnx2x: Allow vfs to disable txvlan offload
bnx2x: Don't post statistics to malicious VFs
Mohamad Haj Yahia (2):
net/mlx5: Fix create vport flow table flow
net/mlx5: Continue health polling until it is explicitly stopped
Netanel Belgazal (9):
net: ena: fix rare uncompleted admin command false alarm
net: ena: fix bug that might cause hang after consecutive
open/close interface.
net: ena: add missing return when ena_com_get_io_handlers() fails
net: ena: fix race condition between submit and completion admin command
net: ena: add missing unmap bars on device removal
net: ena: fix theoretical Rx hang on low memory systems
net: ena: disable admin msix while working in polling mode
net: ena: bug fix in lost tx packets detection mechanism
net: ena: update ena driver to version 1.1.7
Nicholas Bellinger (1):
configfs: Fix race between create_link and configfs_rmdir
Nicolas Dichtel (3):
openvswitch: warn about missing first netlink attribute
bonding: fix 802.3ad support for 14G speed
ethtool.h: remind to update 802.3ad when adding new speeds
Oliver Hartkopp (1):
can: enable CAN FD for virtual CAN devices by default
Oliver Neukum (1):
r8152: give the device version
Paul Burton (2):
MIPS: Fix bnezc/jialc return address calculation
MIPS: .its targets depend on vmlinux
Paul Moore (1):
selinux: fix double free in selinux_parse_opts_str()
Peter Zijlstra (1):
x86/debug: Handle early WARN_ONs proper
Phil Reid (2):
iio: buffer-dma: Add missing header buffer_impl.h
iio: buffer-dmaengine: Add missing header buffer_impl.h
Philipp Zabel (1):
[media] tc358743: fix register i2c_rd/wr function fix
Philippe Reynes (1):
net: aquantia: atlantic: remove declaration of hw_atl_utils_hw_set_power
Priyalee Kushwaha (1):
platform/x86: intel_telemetry_debugfs: fix oops when load/unload module
Rafael J. Wysocki (2):
Revert "ACPICA: Disassembler: Enhance resource descriptor detection"
Revert "cpufreq: schedutil: Reduce frequencies slower"
Raju Rangoju (1):
rdma/cxgb4: Fix memory leaks during module exit
Ram Amrani (1):
RDMA/qedr: Add 64KB PAGE_SIZE support to user-space queues
Randy Dunlap (1):
PCI: endpoint: Select CRC32 to fix test build error
Roland Dreier (1):
IB/addr: Fix setting source address in addr6_resolve()
Sean Young (1):
[media] sir_ir: infinite loop in interrupt handler
Sebastian Ott (1):
s390/vfio_ccw: make some symbols static
Selvin Xavier (2):
RDMA/bnxt_re: Dereg MR in FW before freeing the fast_reg_page_list
RDMA/bnxt_re: Remove FMR support
Somnath Kotur (1):
RDMA/bnxt_re: Add HW workaround for avoiding stall for UD QPs
Stephane Grosjean (1):
can: peak_canfd: fix uninitialized symbol warnings
Stephen Boyd (1):
tick/broadcast: Make tick_broadcast_setup_oneshot() static
Stephen Rothwell (1):
net: s390: fix up for "Fix inconsistent teardown and release of
private netdev state"
Sven Eckelmann (1):
batman-adv: Fix rx packet/bytes stats on local ARP reply
Tal Gilboa (2):
net/mlx5e: Added BW check for DIM decision mechanism
net/mlx5e: Fix wrong indications in DIM due to counter wraparound
Tayar, Tomer (1):
qed: fix dump of context data
Thibaut Collet (1):
bonding: fix 802.3ad support for 5G and 50G speeds
Thomas Gleixner (2):
alarmtimer: Prevent overflow of relative timers
alarmtimer: Rate limit periodic intervals
Thomas Petazzoni (2):
net: mvpp2: remove mvpp2_bm_cookie_{build,pool_get}
net: mvpp2: use {get, put}_cpu() instead of smp_processor_id()
Tomasz Wilczyński (1):
cpufreq: conservative: Allow down_threshold to take values from 1 to 10
Ville Syrjälä (2):
drm/i915: Fix scaling check for 90/270 degree plane rotation
drm/i915: Fix SKL+ watermarks for 90/270 rotation
Vlastimil Babka (1):
x86/mm: Disable 1GB direct mappings when disabling 2MB mappings
WANG Cong (2):
igmp: acquire pmc lock for ip_mc_clear_src()
net_sched: move tcf_lock down after gen_replace_estimator()
Wei Yongjun (2):
iio: adc: mxs-lradc: Fix return value check in mxs_lradc_adc_probe()
[media] rainshadow-cec: Fix missing spin_lock_init()
Wolfram Sang (1):
i2c: rcar: use correct length when unmapping DMA
Xin Long (1):
sctp: disable BH in sctp_for_each_endpoint
YD Tseng (1):
usb: xhci: Fix USB 3.1 supported protocol parsing
Yan, Zheng (2):
ceph: use current_kernel_time() to get request time stamp
ceph: unify inode i_ctime update
Yu Zhao (1):
swap: cond_resched in swap_cgroup_prepare()
Zhang Bo (1):
Revert "leds: handle suspend/resume in heartbeat trigger"
Zhenyu Wang (1):
drm/i915: Fix GVT-g PVINFO version compatibility check
[email protected] (1):
net: rps: send out pending IPI's on CPU hotplug
stephen hemminger (3):
netvsc: fix rcu dereference warning from ethtool
netvsc: fix net poll mode
netvsc: move filter setting to rndis_device
zhongjiang (1):
mm: correct the comment when reclaimed pages exceed the scanned pages
On Mon, Jun 19, 2017 at 11:04:15PM +0800, Linus Torvalds wrote:
> And things look fairly normal. Two thirds drivers (rdma stands out,
> but there's also networking drivers, gpu, hid etc), with the rest
> being the usual mixture of architecture updates (s390, mips, powerpc,
> arm, xtemsa) and filesystem (some more ufs work, but also ceph,
> configfs and xfs), mm, networking and tooling (perf) updates.
..
> Hugh Dickins (1):
> mm: larger stack guard gap, between vmas
This seems to be buggered.
002331 00000396712307 0 2 kernel BUG at mm/mmap.c:1963!
002332 00000396712414 0 4 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
002333 00000396712541 0 4 CPU: 0 PID: 4572 Comm: trinity-c41 Not tainted 4.12.0-rc6-think+ #1
002335 00000396712819 0 4 task: ffff8804efca37c0 task.stack: ffffc90001de4000
002336 00000396712959 0 4 RIP: 0010:unmapped_area_topdown+0xa5/0x170
002337 00000396713077 0 4 RSP: 0018:ffffc90001de7d10 EFLAGS: 00010206
002338 00000396713204 0 4 RAX: 00007f7d543d6000 RBX: 00007f7d545d7000 RCX: 0000000000000000
002339 00000396713374 0 4 RDX: 00007f7d543d6000 RSI: 0000000000201000 RDI: ffffc90001de7d50
002340 00000396713542 0 4 RBP: ffffc90001de7d38 R08: 00007f7d54673000 R09: ffff8804f3524e40
002341 00000396713709 0 4 R10: 00007f7d57977000 R11: 0000000000001000 R12: 0000000000100000
002342 00000396713876 0 4 R13: 0000000000202000 R14: 0000000000000000 R15: fffffffffff64000
002343 00000396714041 0 4 FS: 00007f7d57b66700(0000) GS:ffff880507800000(0000) knlGS:0000000000000000
002344 00000396714228 0 4 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
002345 00000396714361 0 4 CR2: 0000562d11923398 CR3: 00000004f38fa000 CR4: 00000000001407f0
002346 00000396714527 0 4 DR0: 00007f7d54a00000 DR1: 0000000000000000 DR2: 0000000000000000
002347 00000396714693 0 4 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
002348 00000396714858 0 4 Call Trace:
002349 00000396714920 0 4 arch_get_unmapped_area_topdown+0x1df/0x230
002350 00000396715045 0 4 get_unmapped_area+0x87/0x120
002351 00000396715138 0 4 do_mmap+0x131/0x430
002352 00000396715218 0 4 vm_mmap_pgoff+0xb9/0x100
002353 00000396715304 0 4 SyS_mmap_pgoff+0x111/0x240
002354 00000396715396 0 4 SyS_mmap+0x1b/0x30
002355 00000396715469 0 4 do_syscall_64+0x66/0x190
002356 00000396715555 0 4 entry_SYSCALL64_slow_path+0x25/0x25
002357 00000396715662 0 4 RIP: 0033:0x7f7d5748f43a
002358 00000396715745 0 4 RSP: 002b:00007fff1df1ee08 EFLAGS: 00000246
002359 00000396715867 0 4 ORIG_RAX: 0000000000000009
002360 00000396715955 0 4 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7d5748f43a
002361 00000396716118 0 4 RDX: 0000000000000003 RSI: 0000000000201000 RDI: 0000000000000000
002362 00000396716282 0 4 RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000
002363 00000396716444 0 4 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000000
002364 00000396716608 0 4 R13: 0000000000201000 R14: 0000000000000022 R15: 0000000000000000
002365 00000396716773 0 4 Code:
002366 00000396716821 0 4 41
002367 00000396716864 0 4 5e
002368 00000396716905 0 4 41
002369 00000396716946 0 4 5f
002370 00000396716988 0 4 5d
002371 00000396717031 0 4 c3
002372 00000396717073 0 4 48
002373 00000396717115 0 4 39
002374 00000396717157 0 4 d8
002375 00000396717199 0 4 48
002376 00000396717240 0 4 0f
002377 00000396717281 0 4 47
002378 00000396717322 0 4 c3
002379 00000396717364 0 4 48
002380 00000396717406 0 4 29
002381 00000396717446 0 4 d0
002382 00000396717488 0 4 48
002383 00000396717531 0 4 89
002384 00000396717572 0 4 c2
002385 00000396717614 0 4 48
002386 00000396717655 0 4 2b
002387 00000396717698 0 4 57
002388 00000396717740 0 4 28
002389 00000396717783 0 4 48
002390 00000396717824 0 4 21
002391 00000396717866 0 4 d1
002392 00000396717907 0 4 48
002393 00000396717949 0 4 29
002394 00000396717991 0 4 c8
002395 00000396724995 0 4 49
002396 00000396732015 0 4 39
002397 00000396738940 0 4 c3
002398 00000396745778 0 4 0f
002399 00000396752557 0 4 87
002400 00000396759235 0 4 b9
002401 00000396765848 0 4 00
002402 00000396772375 0 4 00
002403 00000396778850 0 4 00
002404 00000396785258 0 4 49
002405 00000396791610 0 4 39
002406 00000396797894 0 4 c0
002407 00000396804063 0 4 76
002408 00000396810171 0 4 d0
002409 00000396816203 0 4 <0f>
002410 00000396822145 0 4 0b
002411 00000396827995 0 4 4c
002412 00000396833761 0 4 8b
002413 00000396839447 0 4 25
002414 00000396845083 0 4 12
002415 00000396850686 0 4 3b
002416 00000396856194 0 4 e6
002417 00000396861646 0 4 00
002418 00000396867062 0 4 4e
002419 00000396872403 0 4 8d
002420 00000396877681 0 4 2c
002421 00000396882901 0 4 1e
002422 00000396888058 0 4 49
002423 00000396893130 0 4 83
002424 00000396898193 0 4 e9
002425 00000396903159 0 4 20
002426 00000396907926 0 4 45
002427 00000396912488 0 4 31
002428 00000396916874 0 4 f6
002429 00000396921024 0 4 4d
002430 00000396924964 0 1 RIP: unmapped_area_topdown+0xa5/0x170 RSP: ffffc90001de7d10
That's this...
1963: VM_BUG_ON(gap_end < gap_start);
On Tue, Jun 20, 2017 at 8:26 AM, Dave Jones <[email protected]> wrote:
> > Hugh Dickins (1):
> > mm: larger stack guard gap, between vmas
>
> This seems to be buggered.
>
> 002331 00000396712307 0 2 kernel BUG at mm/mmap.c:1963!
> 002332 00000396712414 0 4 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
> 002333 00000396712541 0 4 CPU: 0 PID: 4572 Comm: trinity-c41 Not tainted 4.12.0-rc6-think+ #1
> 002336 00000396712959 0 4 RIP: 0010:unmapped_area_topdown+0xa5/0x170
Dave, do you have instructions for Hugh to recreate that with trinity
(or perhaps some way to generate a test-case from trinity?). Or does
it trigger easily by just running trinity?
I'm in China right now, and will be traveling again this afternoon, so
I probably can't look at it myself until later, but hopefully Hugh has
the cycles to follow up in it..
Hugh? The changes to unmapped_area_topdown() look trivial, but
obviously there's something wrong there. The code decodes to
49 39 c0 cmp %rax,%r8
76 d0 jbe 0xfffffffffffffffb
* 0f 0b ud2 <-- trapping instruction
so from the
VM_BUG_ON(gap_end < gap_start);
we have gap_start/end in %r8 and %rax respectively, which are:
R08: 00007f7d54673000
RAX: 00007f7d543d6000
so yes, gap_start is bigger than gap_end there by quite a degree (more
than the 1MB of the gap size unless I looked at it wrong).
Hmm. Maybe it's this:
/* Check if current node has a suitable gap */
gap_end = vm_start_gap(vma);
if (gap_end < low_limit)
return -ENOMEM;
if (gap_start <= high_limit && gap_end - gap_start >= length)
goto found;
where it used to be that gap_end was guaranteed to be after gap_start,
but that's no longer true. We have
gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
gap_end = vm_start_gap(vma);
and by using MAP_FIXED, you can end up in the situation that
"vma->vm_prev" is closer to vma than the gap size.
So now gap_end - gap_start will underflow, and then the logic that
does "goto found" thinks it found a hole that is larger than
"length", when in actual fact it found a "negative-size" hole.
So maybe that "goto found" condition should have an additional test
for "gap_end > gap_start"?
Or maybe I'm just hallucinating and missed something. Hugh, Oleg,
Michal, can you take another look and double-check this logic?
Linus
On Tue, Jun 20, 2017 at 10:32:00AM +0800, Linus Torvalds wrote:
> On Tue, Jun 20, 2017 at 8:26 AM, Dave Jones <[email protected]> wrote:
> > > Hugh Dickins (1):
> > > mm: larger stack guard gap, between vmas
> >
> > This seems to be buggered.
> >
> > 002331 00000396712307 0 2 kernel BUG at mm/mmap.c:1963!
> > 002332 00000396712414 0 4 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
> > 002333 00000396712541 0 4 CPU: 0 PID: 4572 Comm: trinity-c41 Not tainted 4.12.0-rc6-think+ #1
> > 002336 00000396712959 0 4 RIP: 0010:unmapped_area_topdown+0xa5/0x170
>
> Dave, do you have instructions for Hugh to recreate that with trinity
> (or perhaps some way to generate a test-case from trinity?). Or does
> it trigger easily by just running trinity?
trinity -c mmap hits it instantly for me. I'm using latest -git version,
but afair, even the older versions would hit this.
> I'm in China right now, and will be traveling again this afternoon, so
> I probably can't look at it myself until later, but hopefully Hugh has
> the cycles to follow up in it..
I'll figure out the exact params in the morning if no-one has it figured
out overnight.
Dave
On Tue, 20 Jun 2017, Linus Torvalds wrote:
> On Tue, Jun 20, 2017 at 8:26 AM, Dave Jones <[email protected]> wrote:
> > > Hugh Dickins (1):
> > > mm: larger stack guard gap, between vmas
> >
> > This seems to be buggered.
> >
> > 002331 00000396712307 0 2 kernel BUG at mm/mmap.c:1963!
> > 002332 00000396712414 0 4 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
> > 002333 00000396712541 0 4 CPU: 0 PID: 4572 Comm: trinity-c41 Not tainted 4.12.0-rc6-think+ #1
> > 002336 00000396712959 0 4 RIP: 0010:unmapped_area_topdown+0xa5/0x170
>
> Dave, do you have instructions for Hugh to recreate that with trinity
> (or perhaps some way to generate a test-case from trinity?). Or does
> it trigger easily by just running trinity?
>
> I'm in China right now, and will be traveling again this afternoon, so
> I probably can't look at it myself until later, but hopefully Hugh has
> the cycles to follow up in it..
>
> Hugh? The changes to unmapped_area_topdown() look trivial, but
> obviously there's something wrong there. The code decodes to
>
> 49 39 c0 cmp %rax,%r8
> 76 d0 jbe 0xfffffffffffffffb
> * 0f 0b ud2 <-- trapping instruction
>
> so from the
>
> VM_BUG_ON(gap_end < gap_start);
>
> we have gap_start/end in %r8 and %rax respectively, which are:
>
> R08: 00007f7d54673000
> RAX: 00007f7d543d6000
>
> so yes, gap_start is bigger than gap_end there by quite a degree (more
> than the 1MB of the gap size unless I looked at it wrong).
>
> Hmm. Maybe it's this:
>
> /* Check if current node has a suitable gap */
> gap_end = vm_start_gap(vma);
> if (gap_end < low_limit)
> return -ENOMEM;
> if (gap_start <= high_limit && gap_end - gap_start >= length)
> goto found;
>
> where it used to be that gap_end was guaranteed to be after gap_start,
> but that's no longer true. We have
>
> gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
> gap_end = vm_start_gap(vma);
>
> and by using MAP_FIXED, you can end up in the situation that
> "vma->vm_prev" is closer to vma than the gap size.
>
> So now gap_end - gap_start will underflow, and then the logic that
> does "goto found" thinks it found a hole that is larger than
> "length", when in actual fact it found a "negative-size" hole.
>
> So maybe that "goto found" condition should have an additional test
> for "gap_end > gap_start"?
>
> Or maybe I'm just hallucinating and missed something. Hugh, Oleg,
> Michal, can you take another look and double-check this logic?
My first impression is that you've got right to the heart of it,
before I even started looking. I'll go over that area more carefully
now, in case there are other such instances, and post a test patch
for Dave perhaps to try - but probably he's shut down now, so I'll
then grab a trinity, and see what luck I have with it.
Hugh
On Mon, Jun 19, 2017 at 08:12:12PM -0700, Hugh Dickins wrote:
> for Dave perhaps to try - but probably he's shut down now, so I'll
> then grab a trinity, and see what luck I have with it.
Almost shutdown, but not quite. Coincidentally, coverity just finished
the rc6 run, and barfed this up.. related ?
*** CID 1412907: Control flow issues (DEADCODE)
/include/linux/mm.h: 2243 in vm_end_gap()
2237
2238 static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
2239 {
2240 unsigned long vm_end = vma->vm_end;
2241
2242 if (vma->vm_flags & VM_GROWSUP) {
>>> CID 1412907: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "vm_end += stack_guard_gap;".
2243 vm_end += stack_guard_gap;
2244 if (vm_end < vma->vm_end)
2245 vm_end = -PAGE_SIZE;
2246 }
2247 return vm_end;
2248 }
I hacked up this harness to try and narrow it down more..
#!/bin/bash
. scripts/taint.sh
while [ 1 ];
do
./trinity -a64 -C1 -c mmap -N1 --enable-fds=testfile
check_tainted
done
Run that for a little while and eventually you'll get a single syscall trigger
that looks like this..
Trinity v1.7-255-gf21c0a62f708 Dave Jones <[email protected]>
shm:0x7f3e43c11000-0x7f3e5080dd00 (4 pages)
Enabled fd provider testfile
[main] Done parsing arguments.
[main] shm is at 0x7f3e43c11000
[main] Initial random seed: 3122467917
[main] 32-bit syscalls: all disabled.. 64-bit syscalls: 1 enabled, 332 disabled.
freeing 0x5575fa29c9c0
[main] Using pid_max = 32768
Logging to 192.168.0.135
socket buffer size set to: 1000000. (res:Success)
Sending hello to logging server.
Waiting for reply from logging server.
Got reply from server. Logging enabled.
[main] start: 0x7f3e43c0f000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e43c0e000 size:4KB name: anon(PROT_READ)
[main] start: 0x7f3e43c0d000 size:4KB name: anon(PROT_WRITE)
[main] start: 0x7f3e43b02000 size:1MB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e4199d000 size:1MB name: anon(PROT_READ)
[main] start: 0x7f3e4189d000 size:1MB name: anon(PROT_WRITE)
[main] start: 0x7f3e4169d000 size:2MB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e4149d000 size:2MB name: anon(PROT_READ)
[main] start: 0x7f3e4129d000 size:2MB name: anon(PROT_WRITE)
[main] start: 0x7f3e43c0c000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e43c0b000 size:4KB name: anon(PROT_READ)
[main] start: 0x7f3e43b01000 size:4KB name: anon(PROT_WRITE)
[main] sysv_shm: id:9240858 size:4096 flags:7b0 ptr:(nil)
[main] sysv_shm: id:9273627 size:24576 flags:17b0 ptr:(nil)
[main] testfile fd:5 filename:trinity-testfile1 flags:4040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e43afe000 size:4KB name: trinity-testfile1
[main] testfile fd:6 filename:trinity-testfile2 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x40ab6000 size:4KB name: trinity-testfile2
[main] testfile fd:7 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:40000
[main] start: 0x7f3e43afd000 size:4KB name: trinity-testfile3
[main] testfile fd:8 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:40800
[main] start: 0x7f3e43afc000 size:4KB name: trinity-testfile4
[main] testfile fd:9 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:40000
[main] start: 0x7f3e43afb000 size:4KB name: trinity-testfile1
[main] testfile fd:10 filename:trinity-testfile2 flags:2 fopened:1 fcntl_flags:42c00
[main] start: 0x7f3e43afa000 size:4KB name: trinity-testfile2
[main] testfile fd:11 filename:trinity-testfile3 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x7f3e43af9000 size:4KB name: trinity-testfile3
[main] testfile fd:12 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:44800
[main] start: 0x7f3e43af8000 size:4KB name: trinity-testfile4
[main] testfile fd:13 filename:trinity-testfile1 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129c000 size:4KB name: trinity-testfile1
[main] testfile fd:14 filename:trinity-testfile2 flags:4040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129b000 size:4KB name: trinity-testfile2
[main] testfile fd:15 filename:trinity-testfile3 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129a000 size:4KB name: trinity-testfile3
[main] testfile fd:16 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:6c00
[main] start: 0x7f3e41299000 size:4KB name: trinity-testfile4
[main] testfile fd:17 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:0
[main] start: 0x7f3e41298000 size:4KB name: trinity-testfile1
[main] testfile fd:18 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x41dc0000 size:4KB name: trinity-testfile2
[main] testfile fd:19 filename:trinity-testfile3 flags:101040 fopened:0 fcntl_flags:0
G[main] start: 0x7f3e41297000 size:4KB name: trinity-testfile3
[main] testfile fd:20 filename:trinity-testfile4 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41296000 size:4KB name: trinity-testfile4
[main] testfile fd:21 filename:trinity-testfile1 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41295000 size:4KB name: trinity-testfile1
[main] testfile fd:22 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41294000 size:4KB name: trinity-testfile2
[main] testfile fd:23 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:4000
[main] start: 0x7f3e41293000 size:4KB name: trinity-testfile3
[main] testfile fd:24 filename:trinity-testfile4 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41292000 size:4KB name: trinity-testfile4
[main] Enabled 1/14 fd providers. initialized:1.
[main] Error opening tracing_on : Permission denied
[child0:2875] start: 0x7f3e43c0f000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e43c0e000 size:4KB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e43c0d000 size:4KB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e43b02000 size:1MB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e4199d000 size:1MB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e4189d000 size:1MB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e4169d000 size:2MB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e4149d000 size:2MB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e4129d000 size:2MB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e43c0c000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e43c0b000 size:4KB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e43b01000 size:4KB name: anon(PROT_WRITE)
[child0:2875] [0] mmap(addr=0, len=0x200000, prot=0x9[PROT_READ|PROT_SEM], flags=0x2, fd=22, off=4096) [main] trace_fd was -1
[main] kernel became tainted! (128/0) Last seed was 3122467917
trinity: Detected kernel tainting. Last seed was 3122467917
args from that case in case it's interesting was..
RAX: 0000000000000000 RBX: 0000000000000004 RCX: ffff8805079e2ef8
RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff880507ddc448
RBP: ffffc9000026bd50 R08: ffffffffffffffff R09: 000000000000000b
R10: ffffc9000026bd20 R11: 0000000000000000 R12: ffff880507ddc440
R13: ffff880507ddc448 R14: 0000000000000004 R15: ffffc9000026bd88
Doing just that mmap by itself doesn't trigger it, so it must rely on the placement
of the earlier static mmaps trinity does on startup (see near top)
and that's where I've run out of steam for the night.
Dave
On Mon, 19 Jun 2017, Hugh Dickins wrote:
> On Tue, 20 Jun 2017, Linus Torvalds wrote:
> > On Tue, Jun 20, 2017 at 8:26 AM, Dave Jones <[email protected]> wrote:
> > > > Hugh Dickins (1):
> > > > mm: larger stack guard gap, between vmas
> > >
> > > This seems to be buggered.
...
> >
> > So maybe that "goto found" condition should have an additional test
> > for "gap_end > gap_start"?
> >
> > Or maybe I'm just hallucinating and missed something. Hugh, Oleg,
> > Michal, can you take another look and double-check this logic?
>
> My first impression is that you've got right to the heart of it,
> before I even started looking. I'll go over that area more carefully
> now, in case there are other such instances, and post a test patch
> for Dave perhaps to try - but probably he's shut down now, so I'll
> then grab a trinity, and see what luck I have with it.
I've added nothing to your understanding: apart from general unease
about whether MAP_FIXED can push us into corners I hadn't expected.
I had originally wanted to add some more checks into DEBUG_VM_RB's
browse_rb(); but realized then that MAP_FIXED is perfectly entitled
to burst through the usual stack gaps I'd wanted to check there.
And I wonder if trinity will discover more issues with those final
adjustments at the end of unmapped_area[_topdowni](). But enough
of deliberation, I'll get my trinity and try out the patch you
suggested below. After a break.
Hugh
---
mm/mmap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- 4.12-rc6/mm/mmap.c 2017-06-19 09:06:10.035407505 -0700
+++ linux/mm/mmap.c 2017-06-19 21:09:28.616707311 -0700
@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_un
/* Check if current node has a suitable gap */
if (gap_start > high_limit)
return -ENOMEM;
- if (gap_end >= low_limit && gap_end - gap_start >= length)
+ if (gap_end >= low_limit &&
+ gap_end > gap_start && gap_end - gap_start >= length)
goto found;
/* Visit right subtree if it looks promising */
@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(stru
gap_end = vm_start_gap(vma);
if (gap_end < low_limit)
return -ENOMEM;
- if (gap_start <= high_limit && gap_end - gap_start >= length)
+ if (gap_start <= high_limit &&
+ gap_end > gap_start && gap_end - gap_start >= length)
goto found;
/* Visit left subtree if it looks promising */
On Mon, 19 Jun 2017, Dave Jones wrote:
>
> I hacked up this harness to try and narrow it down more..
>
> #!/bin/bash
>
> . scripts/taint.sh
>
> while [ 1 ];
> do
> ./trinity -a64 -C1 -c mmap -N1 --enable-fds=testfile
> check_tainted
> done
Very helpful reproducer, thank you Dave: I tried a couple of times,
and it crashed in about 3 minutes each time. And good news is that
the check that Linus suggested does indeed fix it. I'm anxious to
send the patch in now, so have only tested about half an hour on
x86_64 and half an hour x86_32 so far, just to make sure that at
least there isn't something too embarrassing just around this first
corner (some of the time with ulimit -s at default 8192, some of
the time unlimited, since that affects layout decisions). I'll
send in the patch now - many thanks for catching this so quickly.
Hugh
On Tue, Jun 20, 2017 at 4:42 AM, Dave Jones <[email protected]> wrote:
> Almost shutdown, but not quite. Coincidentally, coverity just finished
> the rc6 run, and barfed this up.. related ?
>
> *** CID 1412907: Control flow issues (DEADCODE)
> /include/linux/mm.h: 2243 in vm_end_gap()
> 2237
> 2238 static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
> 2239 {
> 2240 unsigned long vm_end = vma->vm_end;
> 2241
> 2242 if (vma->vm_flags & VM_GROWSUP) {
>>>> CID 1412907: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "vm_end += stack_guard_gap;".
> 2243 vm_end += stack_guard_gap;
> 2244 if (vm_end < vma->vm_end)
> 2245 vm_end = -PAGE_SIZE;
> 2246 }
> 2247 return vm_end;
> 2248 }
I suspect this is because coverity can tell we do not use VM_GROWSUP
in x86. I assume it would say the corresponding thing about the
VM_GROWSDOWN code in vm_start_gap() on those architectures with upward
growing stacks.
-apw
On Tue, Jun 20, 2017 at 02:05:53AM -0700, Hugh Dickins wrote:
> On Mon, 19 Jun 2017, Dave Jones wrote:
> >
> > I hacked up this harness to try and narrow it down more..
> >
> > #!/bin/bash
> >
> > . scripts/taint.sh
> >
> > while [ 1 ];
> > do
> > ./trinity -a64 -C1 -c mmap -N1 --enable-fds=testfile
> > check_tainted
> > done
>
> Very helpful reproducer, thank you Dave: I tried a couple of times,
> and it crashed in about 3 minutes each time. And good news is that
> the check that Linus suggested does indeed fix it. I'm anxious to
> send the patch in now, so have only tested about half an hour on
> x86_64 and half an hour x86_32 so far, just to make sure that at
> least there isn't something too embarrassing just around this first
> corner (some of the time with ulimit -s at default 8192, some of
> the time unlimited, since that affects layout decisions). I'll
> send in the patch now - many thanks for catching this so quickly.
Confirming that the patch seems to be doing the job for me too.
I'll leave it run for the morning, but initial results look good.
thanks,
Dave