1. 12 Oct, 2022 2 commits
    • SeongJae Park's avatar
      mm/damon/core: initialize damon_target->list in damon_new_target() · b1f44cda
      SeongJae Park authored
      'struct damon_target' creation function, 'damon_new_target()' is not
      initializing its '->list' field, unlike other DAMON structs creator
      functions such as 'damon_new_region()'.  Normal users of
      'damon_new_target()' initializes the field by adding the target to DAMON
      context's targets list, but some code could access the uninitialized
      field.
      
      This commit avoids the case by initializing the field in
      'damon_new_target()'.
      
      Link: https://lkml.kernel.org/r/20221002193130.8227-1-sj@kernel.org
      Fixes: f23b8eee ("mm/damon/core: implement region-based sampling")
      Signed-off-by: default avatarSeongJae Park <sj@kernel.org>
      Reported-by: default avatarHyeonggon Yoo <42.hyeyoo@gmail.com>
      Tested-by: default avatarHyeonggon Yoo <42.hyeyoo@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      b1f44cda
    • Baolin Wang's avatar
      mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page · fac35ba7
      Baolin Wang authored
      On some architectures (like ARM64), it can support CONT-PTE/PMD size
      hugetlb, which means it can support not only PMD/PUD size hugetlb (2M and
      1G), but also CONT-PTE/PMD size(64K and 32M) if a 4K page size specified.
      
      So when looking up a CONT-PTE size hugetlb page by follow_page(), it will
      use pte_offset_map_lock() to get the pte entry lock for the CONT-PTE size
      hugetlb in follow_page_pte().  However this pte entry lock is incorrect
      for the CONT-PTE size hugetlb, since we should use huge_pte_lock() to get
      the correct lock, which is mm->page_table_lock.
      
      That means the pte entry of the CONT-PTE size hugetlb under current pte
      lock is unstable in follow_page_pte(), we can continue to migrate or
      poison the pte entry of the CONT-PTE size hugetlb, which can cause some
      potential race issues, even though they are under the 'pte lock'.
      
      For example, suppose thread A is trying to look up a CONT-PTE size hugetlb
      page by move_pages() syscall under the lock, however antoher thread B can
      migrate the CONT-PTE hugetlb page at the same time, which will cause
      thread A to get an incorrect page, if thread A also wants to do page
      migration, then data inconsistency error occurs.
      
      Moreover we have the same issue for CONT-PMD size hugetlb in
      follow_huge_pmd().
      
      To fix above issues, rename the follow_huge_pmd() as follow_huge_pmd_pte()
      to handle PMD and PTE level size hugetlb, which uses huge_pte_lock() to
      get the correct pte entry lock to make the pte entry stable.
      
      Mike said:
      
      Support for CONT_PMD/_PTE was added with bb9dd3df ("arm64: hugetlb:
      refactor find_num_contig()").  Patch series "Support for contiguous pte
      hugepages", v4.  However, I do not believe these code paths were
      executed until migration support was added with 5480280d ("arm64/mm:
      enable HugeTLB migration for contiguous bit HugeTLB pages") I would go
      with 5480280d for the Fixes: targe.
      
      Link: https://lkml.kernel.org/r/635f43bdd85ac2615a58405da82b4d33c6e5eb05.1662017562.git.baolin.wang@linux.alibaba.com
      Fixes: 5480280d ("arm64/mm: enable HugeTLB migration for contiguous bit HugeTLB pages")
      Signed-off-by: default avatarBaolin Wang <baolin.wang@linux.alibaba.com>
      Suggested-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Reviewed-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Muchun Song <songmuchun@bytedance.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      fac35ba7
  2. 01 Oct, 2022 3 commits
  3. 26 Sep, 2022 11 commits
  4. 11 Sep, 2022 15 commits
  5. 28 Aug, 2022 9 commits
    • Linus Torvalds's avatar
      Linux 6.0-rc3 · b90cb105
      Linus Torvalds authored
      b90cb105
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2022-08-28' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm · b467192e
      Linus Torvalds authored
      Pull more hotfixes from Andrew Morton:
       "Seventeen hotfixes.  Mostly memory management things.
      
        Ten patches are cc:stable, addressing pre-6.0 issues"
      
      * tag 'mm-hotfixes-stable-2022-08-28' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        .mailmap: update Luca Ceresoli's e-mail address
        mm/mprotect: only reference swap pfn page if type match
        squashfs: don't call kmalloc in decompressors
        mm/damon/dbgfs: avoid duplicate context directory creation
        mailmap: update email address for Colin King
        asm-generic: sections: refactor memory_intersects
        bootmem: remove the vmemmap pages from kmemleak in put_page_bootmem
        ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown
        Revert "memcg: cleanup racy sum avoidance code"
        mm/zsmalloc: do not attempt to free IS_ERR handle
        binder_alloc: add missing mmap_lock calls when using the VMA
        mm: re-allow pinning of zero pfns (again)
        vmcoreinfo: add kallsyms_num_syms symbol
        mailmap: update Guilherme G. Piccoli's email addresses
        writeback: avoid use-after-free after removing device
        shmem: update folio if shmem_replace_page() updates the page
        mm/hugetlb: avoid corrupting page->mapping in hugetlb_mcopy_atomic_pte
      b467192e
    • Linus Torvalds's avatar
      Merge tag 'bitmap-6.0-rc3' of github.com:/norov/linux · 373eff57
      Linus Torvalds authored
      Pull bitmap fixes from Yury Norov:
       "Fix the reported issues, and implements the suggested improvements,
        for the version of the cpumask tests [1] that was merged with commit
        c41e8866 ("lib/test: introduce cpumask KUnit test suite").
      
        These changes include fixes for the tests, and better alignment with
        the KUnit style guidelines"
      
      * tag 'bitmap-6.0-rc3' of github.com:/norov/linux:
        lib/cpumask_kunit: add tests file to MAINTAINERS
        lib/cpumask_kunit: log mask contents
        lib/test_cpumask: follow KUnit style guidelines
        lib/test_cpumask: fix cpu_possible_mask last test
        lib/test_cpumask: drop cpu_possible_mask full test
      373eff57
    • Luca Ceresoli's avatar
      .mailmap: update Luca Ceresoli's e-mail address · 0ebafe2e
      Luca Ceresoli authored
      My Bootlin address is preferred from now on.
      
      Link: https://lkml.kernel.org/r/20220826130515.3011951-1-luca.ceresoli@bootlin.comSigned-off-by: default avatarLuca Ceresoli <luca.ceresoli@bootlin.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Atish Patra <atishp@atishpatra.org>
      Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      0ebafe2e
    • Peter Xu's avatar
      mm/mprotect: only reference swap pfn page if type match · 3d2f78f0
      Peter Xu authored
      Yu Zhao reported a bug after the commit "mm/swap: Add swp_offset_pfn() to
      fetch PFN from swap entry" added a check in swp_offset_pfn() for swap type [1]:
      
        kernel BUG at include/linux/swapops.h:117!
        CPU: 46 PID: 5245 Comm: EventManager_De Tainted: G S         O L 6.0.0-dbg-DEV #2
        RIP: 0010:pfn_swap_entry_to_page+0x72/0xf0
        Code: c6 48 8b 36 48 83 fe ff 74 53 48 01 d1 48 83 c1 08 48 8b 09 f6
        c1 01 75 7b 66 90 48 89 c1 48 8b 09 f6 c1 01 74 74 5d c3 eb 9e <0f> 0b
        48 ba ff ff ff ff 03 00 00 00 eb ae a9 ff 0f 00 00 75 13 48
        RSP: 0018:ffffa59e73fabb80 EFLAGS: 00010282
        RAX: 00000000ffffffe8 RBX: 0c00000000000000 RCX: ffffcd5440000000
        RDX: 1ffffffffff7a80a RSI: 0000000000000000 RDI: 0c0000000000042b
        RBP: ffffa59e73fabb80 R08: ffff9965ca6e8bb8 R09: 0000000000000000
        R10: ffffffffa5a2f62d R11: 0000030b372e9fff R12: ffff997b79db5738
        R13: 000000000000042b R14: 0c0000000000042b R15: 1ffffffffff7a80a
        FS:  00007f549d1bb700(0000) GS:ffff99d3cf680000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000440d035b3180 CR3: 0000002243176004 CR4: 00000000003706e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         <TASK>
         change_pte_range+0x36e/0x880
         change_p4d_range+0x2e8/0x670
         change_protection_range+0x14e/0x2c0
         mprotect_fixup+0x1ee/0x330
         do_mprotect_pkey+0x34c/0x440
         __x64_sys_mprotect+0x1d/0x30
      
      It triggers because pfn_swap_entry_to_page() could be called upon e.g. a
      genuine swap entry.
      
      Fix it by only calling it when it's a write migration entry where the page*
      is used.
      
      [1] https://lore.kernel.org/lkml/CAOUHufaVC2Za-p8m0aiHw6YkheDcrO-C3wRGixwDS32VTS+k1w@mail.gmail.com/
      
      Link: https://lkml.kernel.org/r/20220823221138.45602-1-peterx@redhat.com
      Fixes: 6c287605 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Reported-by: default avatarYu Zhao <yuzhao@google.com>
      Tested-by: default avatarYu Zhao <yuzhao@google.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Cc: "Huang, Ying" <ying.huang@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      3d2f78f0
    • Phillip Lougher's avatar
      squashfs: don't call kmalloc in decompressors · 1f13dff0
      Phillip Lougher authored
      The decompressors may be called while in an atomic section.  So move the
      kmalloc() out of this path, and into the "page actor" init function.
      
      This fixes a regression introduced by commit
      f268eedd ("squashfs: extend "page actor" to handle missing pages")
      
      Link: https://lkml.kernel.org/r/20220822215430.15933-1-phillip@squashfs.org.uk
      Fixes: f268eedd ("squashfs: extend "page actor" to handle missing pages")
      Reported-by: default avatarChris Murphy <lists@colorremedies.com>
      Signed-off-by: default avatarPhillip Lougher <phillip@squashfs.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      1f13dff0
    • Badari Pulavarty's avatar
      mm/damon/dbgfs: avoid duplicate context directory creation · d26f6070
      Badari Pulavarty authored
      When user tries to create a DAMON context via the DAMON debugfs interface
      with a name of an already existing context, the context directory creation
      fails but a new context is created and added in the internal data
      structure, due to absence of the directory creation success check.  As a
      result, memory could leak and DAMON cannot be turned on.  An example test
      case is as below:
      
          # cd /sys/kernel/debug/damon/
          # echo "off" >  monitor_on
          # echo paddr > target_ids
          # echo "abc" > mk_context
          # echo "abc" > mk_context
          # echo $$ > abc/target_ids
          # echo "on" > monitor_on  <<< fails
      
      Return value of 'debugfs_create_dir()' is expected to be ignored in
      general, but this is an exceptional case as DAMON feature is depending
      on the debugfs functionality and it has the potential duplicate name
      issue.  This commit therefore fixes the issue by checking the directory
      creation failure and immediately return the error in the case.
      
      Link: https://lkml.kernel.org/r/20220821180853.2400-1-sj@kernel.org
      Fixes: 75c1c2b5 ("mm/damon/dbgfs: support multiple contexts")
      Signed-off-by: default avatarBadari Pulavarty <badari.pulavarty@intel.com>
      Signed-off-by: default avatarSeongJae Park <sj@kernel.org>
      Cc: <stable@vger.kernel.org>	[ 5.15.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      d26f6070
    • Colin Ian King's avatar
      mailmap: update email address for Colin King · ac733f65
      Colin Ian King authored
      Colin King is working on kernel janitorial fixes in his spare time and
      using his Intel email is confusing.  Use his gmail account as the default
      email address.
      
      Link: https://lkml.kernel.org/r/20220817212753.101109-1-colin.i.king@gmail.comSigned-off-by: default avatarColin Ian King <colin.i.king@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      ac733f65
    • Quanyang Wang's avatar
      asm-generic: sections: refactor memory_intersects · 0c7d7cc2
      Quanyang Wang authored
      There are two problems with the current code of memory_intersects:
      
      First, it doesn't check whether the region (begin, end) falls inside the
      region (virt, vend), that is (virt < begin && vend > end).
      
      The second problem is if vend is equal to begin, it will return true but
      this is wrong since vend (virt + size) is not the last address of the
      memory region but (virt + size -1) is.  The wrong determination will
      trigger the misreporting when the function check_for_illegal_area calls
      memory_intersects to check if the dma region intersects with stext region.
      
      The misreporting is as below (stext is at 0x80100000):
       WARNING: CPU: 0 PID: 77 at kernel/dma/debug.c:1073 check_for_illegal_area+0x130/0x168
       DMA-API: chipidea-usb2 e0002000.usb: device driver maps memory from kernel text or rodata [addr=800f0000] [len=65536]
       Modules linked in:
       CPU: 1 PID: 77 Comm: usb-storage Not tainted 5.19.0-yocto-standard #5
       Hardware name: Xilinx Zynq Platform
        unwind_backtrace from show_stack+0x18/0x1c
        show_stack from dump_stack_lvl+0x58/0x70
        dump_stack_lvl from __warn+0xb0/0x198
        __warn from warn_slowpath_fmt+0x80/0xb4
        warn_slowpath_fmt from check_for_illegal_area+0x130/0x168
        check_for_illegal_area from debug_dma_map_sg+0x94/0x368
        debug_dma_map_sg from __dma_map_sg_attrs+0x114/0x128
        __dma_map_sg_attrs from dma_map_sg_attrs+0x18/0x24
        dma_map_sg_attrs from usb_hcd_map_urb_for_dma+0x250/0x3b4
        usb_hcd_map_urb_for_dma from usb_hcd_submit_urb+0x194/0x214
        usb_hcd_submit_urb from usb_sg_wait+0xa4/0x118
        usb_sg_wait from usb_stor_bulk_transfer_sglist+0xa0/0xec
        usb_stor_bulk_transfer_sglist from usb_stor_bulk_srb+0x38/0x70
        usb_stor_bulk_srb from usb_stor_Bulk_transport+0x150/0x360
        usb_stor_Bulk_transport from usb_stor_invoke_transport+0x38/0x440
        usb_stor_invoke_transport from usb_stor_control_thread+0x1e0/0x238
        usb_stor_control_thread from kthread+0xf8/0x104
        kthread from ret_from_fork+0x14/0x2c
      
      Refactor memory_intersects to fix the two problems above.
      
      Before the 1d7db834 ("dma-debug: use memory_intersects()
      directly"), memory_intersects is called only by printk_late_init:
      
      printk_late_init -> init_section_intersects ->memory_intersects.
      
      There were few places where memory_intersects was called.
      
      When commit 1d7db834 ("dma-debug: use memory_intersects()
      directly") was merged and CONFIG_DMA_API_DEBUG is enabled, the DMA
      subsystem uses it to check for an illegal area and the calltrace above
      is triggered.
      
      [akpm@linux-foundation.org: fix nearby comment typo]
      Link: https://lkml.kernel.org/r/20220819081145.948016-1-quanyang.wang@windriver.com
      Fixes: 97955936 ("asm/sections: add helpers to check for section data")
      Signed-off-by: default avatarQuanyang Wang <quanyang.wang@windriver.com>
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Thierry Reding <treding@nvidia.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      0c7d7cc2