From patchwork Sat Nov 20 00:43:15 2021
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 12629915
Date: Fri, 19 Nov 2021 16:43:15 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, hyc.lee@gmail.com, linkinjeon@kernel.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, smfrench@gmail.com, stfrench@microsoft.com, torvalds@linux-foundation.org, willy@infradead.org
Subject: [patch 01/15] mm/swap.c:put_pages_list(): reinitialise the page list
Message-ID: <20211120004315.e4FX_Mwps%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Matthew Wilcox
Subject: mm/swap.c:put_pages_list(): reinitialise the page list

While free_unref_page_list() puts pages onto the CPU local LRU list, it does not remove them from the list they were passed in on. That makes the list_head appear to be non-empty, and would lead to various corruption problems if we didn't have an assertion that the list was empty.

Reinitialise the list after calling free_unref_page_list() to avoid this problem.

Link: https://lkml.kernel.org/r/YYp40A2lNrxaZji8@casper.infradead.org
Fixes: 988c69f1bc23 ("mm: optimise put_pages_list()")
Signed-off-by: Matthew Wilcox (Oracle)
Reviewed-by: Steve French
Reported-by: Namjae Jeon
Tested-by: Steve French
Tested-by: Namjae Jeon
Cc: Steve French
Cc: Hyeoncheol Lee
Signed-off-by: Andrew Morton
---
 mm/swap.c | 1 +
 1 file changed, 1 insertion(+)

--- a/mm/swap.c~hitting-bug_on-trap-in-read_pages-mm-optimise-put_pages_list +++ a/mm/swap.c 
@@ -156,6 +156,7 @@ void put_pages_list(struct list_head *pa } free_unref_page_list(pages); + INIT_LIST_HEAD(pages); } EXPORT_SYMBOL(put_pages_list);
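Review bot: The new `INIT_LIST_HEAD(pages);` after `free_unref_page_list(pages);` has no comment, and without one it reads as redundant. The reason is only in the commit message (free_unref_page_list() leaves the pages linked on the list they were passed in on), so a one-line comment above the call, and a note in the function's documentation that the list is empty on return, would stop a later cleanup from removing it.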
Date: Fri, 19 Nov 2021 16:43:18 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, alexander.mikhalitsyn@virtuozzo.com, avagin@gmail.com, dave@stgolabs.net, ebiederm@xmission.com, gregkh@linuxfoundation.org, linux-mm@kvack.org, manfred@colorfullife.com, mm-commits@vger.kernel.org, ptikhomirov@virtuozzo.com, stable@vger.kernel.org, torvalds@linux-foundation.org, vvs@virtuozzo.com
Subject: [patch 02/15] ipc: WARN if trying to remove ipc object which is absent
Message-ID: <20211120004318.MW2qxdhTI%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: Alexander Mikhalitsyn
Subject: ipc: WARN if trying to remove ipc object which is absent

Patch series "shm: shm_rmid_forced feature fixes".

Some time ago I met a kernel crash after the CRIU restore procedure. Fortunately, it was a CRIU restore, so I had dump files and could do the restore many times, and the crash reproduced easily. After some investigation I've constructed the minimal reproducer. It was found that it's a use-after-free and it happens only if sysctl kernel.shm_rmid_forced = 1.

The key of the problem is that the exit_shm() function does not handle shp's object destroy when task->sysvshm.shm_clist contains items from different IPC namespaces. In most cases this list will contain only items from one IPC namespace.

Why may this list contain objects from different namespaces? Function exit_shm() is designed to clean up this list always when a process leaves an IPC namespace. But we made a mistake a long time ago and did not add an exit_shm() call into the setns() syscall procedures.

1st second idea was just to add this call to setns() syscall but it obviously changes semantics of setns() syscall and that's a userspace-visible change. So, I gave up this idea.

First real attempt to address the issue was just to omit forced destroy if we meet shp object not from current task IPC namespace [1]. But that was not the best idea because task->sysvshm.shm_clist was protected by rwsem which belongs to current task IPC namespace. It means that list corruption may occur.

Second approach is just to extend exit_shm() to properly handle shp's from different IPC namespaces [2]. This is a really non-trivial thing, I've put a lot of effort into that but did not believe that it's possible to make it fully safe, clean and clear.

Thanks to the efforts of Manfred Spraul working an elegant solution was designed. Thanks a lot, Manfred!
Eric also suggested the way to address the issue in ("[RFC][PATCH] shm: In shm_exit destroy all created and never attached segments"). Eric's idea was to maintain a list of shm_clists one per IPC namespace, use lock-less lists. But there are some extra memory consumption-related concerns.

Alternative solution which was suggested by me was implemented in ("shm: reset shm_clist on setns but omit forced shm destroy"). Idea is pretty simple, we add exit_shm() syscall to setns() but DO NOT destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just clean up the task->sysvshm.shm_clist list. This changes semantics of setns() syscall a little bit but in comparison to "naive" solution when we just add exit_shm() without any special exclusions this looks like a safer option.

[1] https://lkml.org/lkml/2021/7/6/1108
[2] https://lkml.org/lkml/2021/7/14/736

This patch (of 2):

Let's produce a warning if we are trying to remove non-existing IPC object from IPC namespace kht/idr structures.

This allows to catch possible bugs when ipc_rmid() function was called with inconsistent struct ipc_ids*, struct kern_ipc_perm* arguments.

Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com
Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com
Co-developed-by: Manfred Spraul
Signed-off-by: Manfred Spraul
Signed-off-by: Alexander Mikhalitsyn
Cc: "Eric W. Biederman"
Cc: Davidlohr Bueso
Cc: Greg KH
Cc: Andrei Vagin
Cc: Pavel Tikhomirov
Cc: Vasily Averin
Cc:
Signed-off-by: Andrew Morton
---
 ipc/util.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/ipc/util.c~ipc-warn-if-trying-to-remove-ipc-object-which-is-absent +++ a/ipc/util.c 
@@ -447,8 +447,8 @@ static int ipcget_public(struct ipc_name static void ipc_kht_remove(struct ipc_ids *ids, struct kern_ipc_perm *ipcp) { if (ipcp->key != IPC_PRIVATE) - rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, - ipc_kht_params); + WARN_ON_ONCE(rhashtable_remove_fast(&ids->key_ht, &ipcp->khtnode, + ipc_kht_params)); } /** 
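Review bot: In ipc_kht_remove() the state-changing call `rhashtable_remove_fast()` now sits inside `WARN_ON_ONCE()`, which hides the actual removal in a diagnostic macro. Storing the result in a local first (`int err = rhashtable_remove_fast(...); WARN_ON_ONCE(err);`) keeps the removal visible as a statement of its own and makes the continuation-line indentation unnecessary.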
@@ -498,7 +498,7 @@ void ipc_rmid(struct ipc_ids *ids, struc { int idx = ipcid_to_idx(ipcp->id); - idr_remove(&ids->ipcs_idr, idx); + WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp); ipc_kht_remove(ids, ipcp); ids->in_use--; ipcp->deleted = true;
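Review bot: In ipc_rmid() the new `WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp)` detects that the entry at idx was not ipcp, but the function then carries on with `ipc_kht_remove(ids, ipcp); ids->in_use--; ipcp->deleted = true;` as if the removal had succeeded. On a mismatch that decrements in_use for an object that was not in this ids, after idr_remove() has already dropped whatever was stored at idx. Either return early when the check fails or add a comment saying why continuing is the intended behaviour.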
Date: Fri, 19 Nov 2021 16:43:21 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, alexander.mikhalitsyn@virtuozzo.com, avagin@gmail.com, dave@stgolabs.net, ebiederm@xmission.com, gregkh@linuxfoundation.org, linux-mm@kvack.org, manfred@colorfullife.com, mm-commits@vger.kernel.org, ptikhomirov@virtuozzo.com, stable@vger.kernel.org, torvalds@linux-foundation.org, vvs@virtuozzo.com
Subject: [patch 03/15] shm: extend forced shm destroy to support objects from several IPC nses
Message-ID: <20211120004321.YHiCm7p-A%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: Alexander Mikhalitsyn
Subject: shm: extend forced shm destroy to support objects from several IPC nses

Currently, the exit_shm function is not designed to work properly when task->sysvshm.shm_clist holds shm objects from different IPC namespaces.

This is a real pain when sysctl kernel.shm_rmid_forced = 1, because it leads to use-after-free (reproducer exists).

That particular patch is an attempt to fix the problem by extending exit_shm mechanism to handle shm's destroy from several IPC ns'es.

To achieve that we do several things:

1. add namespace (non-refcounted) pointer to the struct shmid_kernel

2. during new shm object creation (newseg()/shmget syscall) we initialize this pointer by current task IPC ns

3. exit_shm() fully reworked such that it traverses over all shp's in task->sysvshm.shm_clist and gets IPC namespace not from current task as it was before but from shp's object itself, then call shm_destroy(shp, ns).

Note. We need to be really careful here, because as it was said before (1), our pointer to IPC ns is non-refcnt'ed. To be on the safe side we are using special helper get_ipc_ns_not_zero() which allows to get IPC ns refcounter only if IPC ns is not in the "state of destruction".

Q/A

Q: Why can we access shp->ns memory using a non-refcounted pointer?
A: Because shp object lifetime is always shorter than IPC namespace lifetime, so, if we get shp object from the task->sysvshm.shm_clist while holding task_lock(task) nobody can steal our namespace.

Q: Does this patch change semantics of unshare/setns/clone syscalls?
A: No. It just fixes a non-covered case when a process may leave IPC namespace without getting task->sysvshm.shm_clist list cleaned up.

Link: https://lkml.kernel.org/r/67bb03e5-f79c-1815-e2bf-949c67047418@colorfullife.com
Link: https://lkml.kernel.org/r/20211109151501.4921-1-manfred@colorfullife.com
Fixes: ab602f79915 ("shm: make exit_shm work proportional to task activity")
Co-developed-by: Manfred Spraul
Signed-off-by: Manfred Spraul
Signed-off-by: Alexander Mikhalitsyn Cc: "Eric W. Biederman" Cc: Davidlohr Bueso Cc: Greg KH Cc: Andrei Vagin Cc: Pavel Tikhomirov Cc: Vasily Averin Cc: Signed-off-by: Andrew Morton --- include/linux/ipc_namespace.h | 15 ++ include/linux/sched/task.h | 2 ipc/shm.c | 189 ++++++++++++++++++++++++-------- 3 files changed, 159 insertions(+), 47 deletions(-) --- a/include/linux/ipc_namespace.h~shm-extend-forced-shm-destroy-to-support-objects-from-several-ipc-nses-simplified +++ a/include/linux/ipc_namespace.h @@ -131,6 +131,16 @@ static inline struct ipc_namespace *get_ return ns; } +static inline struct ipc_namespace *get_ipc_ns_not_zero(struct ipc_namespace *ns) +{ + if (ns) { + if (refcount_inc_not_zero(&ns->ns.count)) + return ns; + } + + return NULL; +} + extern void put_ipc_ns(struct ipc_namespace *ns); #else static inline struct ipc_namespace *copy_ipcs(unsigned long flags, @@ -146,6 +156,11 @@ static inline struct ipc_namespace *get_ { return ns; } + +static inline struct ipc_namespace *get_ipc_ns_not_zero(struct ipc_namespace *ns) +{ + return ns; +} static inline void put_ipc_ns(struct ipc_namespace *ns) { --- a/include/linux/sched/task.h~shm-extend-forced-shm-destroy-to-support-objects-from-several-ipc-nses-simplified +++ a/include/linux/sched/task.h @@ -158,7 +158,7 @@ static inline struct vm_struct *task_sta * Protects ->fs, ->files, ->mm, ->group_info, ->comm, keyring * subscriptions and synchronises with wait4(). Also used in procfs. Also * pins the final release of task.io_context. Also protects ->cpuset and - * ->cgroup.subsys[]. And ->vfork_done. + * ->cgroup.subsys[]. And ->vfork_done. And ->sysvshm.shm_clist. * * Nests both inside and outside of read_lock(&tasklist_lock). * It must not be nested with write_lock_irq(&tasklist_lock), --- a/ipc/shm.c~shm-extend-forced-shm-destroy-to-support-objects-from-several-ipc-nses-simplified +++ a/ipc/shm.c 
@@ -62,9 +62,18 @@ struct shmid_kernel /* private to the ke struct pid *shm_lprid; struct ucounts *mlock_ucounts; - /* The task created the shm object. NULL if the task is dead. */ + /* + * The task created the shm object, for + * task_lock(shp->shm_creator) + */ struct task_struct *shm_creator; - struct list_head shm_clist; /* list by creator */ + + /* + * List by creator. task_lock(->shm_creator) required for read/write. + * If list_empty(), then the creator is dead already. + */ + struct list_head shm_clist; + struct ipc_namespace *ns; } __randomize_layout; /* shm_mode upper byte flags */ @@ -115,6 +124,7 @@ static void do_shm_rmid(struct ipc_names struct shmid_kernel *shp; shp = container_of(ipcp, struct shmid_kernel, shm_perm); + WARN_ON(ns != shp->ns); if (shp->shm_nattch) { shp->shm_perm.mode |= SHM_DEST; @@ -225,10 +235,43 @@ static void shm_rcu_free(struct rcu_head kfree(shp); } -static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s) +/* + * It has to be called with shp locked. + * It must be called before ipc_rmid() + */ +static inline void shm_clist_rm(struct shmid_kernel *shp) +{ + struct task_struct *creator; + + /* ensure that shm_creator does not disappear */ + rcu_read_lock(); + + /* + * A concurrent exit_shm may do a list_del_init() as well. + * Just do nothing if exit_shm already did the work + */ + if (!list_empty(&shp->shm_clist)) { + /* + * shp->shm_creator is guaranteed to be valid *only* + * if shp->shm_clist is not empty. + */ + creator = shp->shm_creator; + + task_lock(creator); + /* + * list_del_init() is a nop if the entry was already removed + * from the list. + */ + list_del_init(&shp->shm_clist); + task_unlock(creator); + } + rcu_read_unlock(); +} + +static inline void shm_rmid(struct shmid_kernel *s) { - list_del(&s->shm_clist); - ipc_rmid(&shm_ids(ns), &s->shm_perm); + shm_clist_rm(s); + ipc_rmid(&shm_ids(s->ns), &s->shm_perm); } 
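Review bot: shm_clist_rm() tests `list_empty(&shp->shm_clist)` before taking `task_lock(creator)`, while the new comment on the field in struct shmid_kernel says task_lock(->shm_creator) is required for read/write. The unlocked test looks deliberate (the comments say list_del_init() is a nop if exit_shm already unlinked the entry, and rcu_read_lock() is taken so that shm_creator does not disappear), so the field comment should name this lockless emptiness check as an exception and say what makes it safe.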
@@ -283,7 +326,7 @@ static void shm_destroy(struct ipc_names shm_file = shp->shm_file; shp->shm_file = NULL; ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT; - shm_rmid(ns, shp); + shm_rmid(shp); shm_unlock(shp); if (!is_file_hugepages(shm_file)) shmem_lock(shm_file, 0, shp->mlock_ucounts); @@ -303,10 +346,10 @@ static void shm_destroy(struct ipc_names * * 2) sysctl kernel.shm_rmid_forced is set to 1. */ -static bool shm_may_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) +static bool shm_may_destroy(struct shmid_kernel *shp) { return (shp->shm_nattch == 0) && - (ns->shm_rmid_forced || + (shp->ns->shm_rmid_forced || (shp->shm_perm.mode & SHM_DEST)); } @@ -337,7 +380,7 @@ static void shm_close(struct vm_area_str ipc_update_pid(&shp->shm_lprid, task_tgid(current)); shp->shm_dtim = ktime_get_real_seconds(); shp->shm_nattch--; - if (shm_may_destroy(ns, shp)) + if (shm_may_destroy(shp)) shm_destroy(ns, shp); else shm_unlock(shp); @@ -358,10 +401,10 @@ static int shm_try_destroy_orphaned(int * * As shp->* are changed under rwsem, it's safe to skip shp locking. */ - if (shp->shm_creator != NULL) + if (!list_empty(&shp->shm_clist)) return 0; - if (shm_may_destroy(ns, shp)) { + if (shm_may_destroy(shp)) { shm_lock_by_ptr(shp); shm_destroy(ns, shp); } 
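Review bot: shm_destroy() still takes `ns` and uses it for `ns->shm_tot -= ...`, while `shm_rmid(shp)` and `shm_may_destroy(shp)` on the same paths now read `shp->ns`. With two sources for the namespace, a caller that passes an ns different from shp->ns would have only part of the teardown follow it. Either drop the ns parameter from shm_destroy() as was done for the other two helpers, or add the same `WARN_ON(ns != shp->ns);` that do_shm_rmid() gained.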
@@ -379,48 +422,97 @@ void shm_destroy_orphaned(struct ipc_nam /* Locking assumes this will only be called with task == current */ void exit_shm(struct task_struct *task) { - struct ipc_namespace *ns = task->nsproxy->ipc_ns; - struct shmid_kernel *shp, *n; + for (;;) { + struct shmid_kernel *shp; + struct ipc_namespace *ns; - if (list_empty(&task->sysvshm.shm_clist)) - return; + task_lock(task); + + if (list_empty(&task->sysvshm.shm_clist)) { + task_unlock(task); + break; + } + + shp = list_first_entry(&task->sysvshm.shm_clist, struct shmid_kernel, + shm_clist); - /* - * If kernel.shm_rmid_forced is not set then only keep track of - * which shmids are orphaned, so that a later set of the sysctl - * can clean them up. - */ - if (!ns->shm_rmid_forced) { - down_read(&shm_ids(ns).rwsem); - list_for_each_entry(shp, &task->sysvshm.shm_clist, shm_clist) - shp->shm_creator = NULL; /* - * Only under read lock but we are only called on current - * so no entry on the list will be shared. + * 1) Get pointer to the ipc namespace. It is worth to say + * that this pointer is guaranteed to be valid because + * shp lifetime is always shorter than namespace lifetime + * in which shp lives. + * We taken task_lock it means that shp won't be freed. */ - list_del(&task->sysvshm.shm_clist); - up_read(&shm_ids(ns).rwsem); - return; - } + ns = shp->ns; - /* - * Destroy all already created segments, that were not yet mapped, - * and mark any mapped as orphan to cover the sysctl toggling. - * Destroy is skipped if shm_may_destroy() returns false. - */ - down_write(&shm_ids(ns).rwsem); - list_for_each_entry_safe(shp, n, &task->sysvshm.shm_clist, shm_clist) { - shp->shm_creator = NULL; + /* + * 2) If kernel.shm_rmid_forced is not set then only keep track of + * which shmids are orphaned, so that a later set of the sysctl + * can clean them up. 
+ */ + if (!ns->shm_rmid_forced) + goto unlink_continue; - if (shm_may_destroy(ns, shp)) { - shm_lock_by_ptr(shp); - shm_destroy(ns, shp); + /* + * 3) get a reference to the namespace. + * The refcount could be already 0. If it is 0, then + * the shm objects will be free by free_ipc_work(). + */ + ns = get_ipc_ns_not_zero(ns); + if (!ns) { +unlink_continue: + list_del_init(&shp->shm_clist); + task_unlock(task); + continue; } - } - /* Remove the list head from any segments still attached. */ - list_del(&task->sysvshm.shm_clist); - up_write(&shm_ids(ns).rwsem); + /* + * 4) get a reference to shp. + * This cannot fail: shm_clist_rm() is called before + * ipc_rmid(), thus the refcount cannot be 0. + */ + WARN_ON(!ipc_rcu_getref(&shp->shm_perm)); + + /* + * 5) unlink the shm segment from the list of segments + * created by current. + * This must be done last. After unlinking, + * only the refcounts obtained above prevent IPC_RMID + * from destroying the segment or the namespace. + */ + list_del_init(&shp->shm_clist); + + task_unlock(task); + + /* + * 6) we have all references + * Thus lock & if needed destroy shp. + */ + down_write(&shm_ids(ns).rwsem); + shm_lock_by_ptr(shp); + /* + * rcu_read_lock was implicitly taken in shm_lock_by_ptr, it's + * safe to call ipc_rcu_putref here + */ + ipc_rcu_putref(&shp->shm_perm, shm_rcu_free); + + if (ipc_valid_object(&shp->shm_perm)) { + if (shm_may_destroy(shp)) + shm_destroy(ns, shp); + else + shm_unlock(shp); + } else { + /* + * Someone else deleted the shp from namespace + * idr/kht while we have waited. + * Just unlock and continue. + */ + shm_unlock(shp); + } + + up_write(&shm_ids(ns).rwsem); + put_ipc_ns(ns); /* paired with get_ipc_ns_not_zero */ + } } static vm_fault_t shm_fault(struct vm_fault *vmf) 
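Review bot: In step 4 of the new exit_shm() loop, `WARN_ON(!ipc_rcu_getref(&shp->shm_perm));` only reports a failed getref and then falls through to `shm_lock_by_ptr(shp)` and `ipc_rcu_putref()` on an object whose reference was never taken. The comment says this cannot fail, but if the WARN ever fires the code after it makes things worse; handle the failure like the `!ns` case (drop the namespace reference, unlink, continue). Separately, the `unlink_continue:` label sits inside the `if (!ns)` block and is entered by `goto` from step 2, which is hard to follow; restructuring that branch would read better.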
@@ -676,7 +768,11 @@ static int newseg(struct ipc_namespace * if (error < 0) goto no_id; + shp->ns = ns; + + task_lock(current); list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); + task_unlock(current); /* * shmid gets reported as "inode#" in /proc/pid/maps. 
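Review bot: In newseg(), `shp->ns = ns;` stores the namespace pointer without taking a reference and without a comment. The commit message explains why that is safe (the shp lifetime is shorter than the namespace lifetime), but a reader of newseg() sees a bare pointer copy; a short comment here, pointing to get_ipc_ns_not_zero() in exit_shm(), would record the rule where the pointer is set.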
@@ -1567,7 +1663,8 @@ out_nattch: down_write(&shm_ids(ns).rwsem); shp = shm_lock(ns, shmid); shp->shm_nattch--; - if (shm_may_destroy(ns, shp)) + + if (shm_may_destroy(shp)) shm_destroy(ns, shp); else shm_unlock(shp);
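Review bot: The out_nattch hunk adds an empty line before `if (shm_may_destroy(shp))` that is unrelated to the signature change. Drop it so the hunk is only the one-line substitution.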
Date: Fri, 19 Nov 2021 16:43:25 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, cl@linux.com, iamjoonsoo.kim@lge.com, jhubbard@nvidia.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, penberg@kernel.org, rientjes@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, yeyunfeng@huawei.com
Subject: [patch 04/15] mm: emit the "free" trace report before freeing memory in kmem_cache_free()
Message-ID: <20211120004325.Y4vOrn1WT%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: Yunfeng Ye
Subject: mm: emit the "free" trace report before freeing memory in kmem_cache_free()

After the memory is freed, it can be immediately allocated by other CPUs, before the "free" trace report has been emitted. This causes inaccurate traces.

For example, if the following sequence of events occurs:

    CPU 0                 CPU 1

  (1) alloc xxxxxx
  (2) free  xxxxxx
                         (3) alloc xxxxxx
                         (4) free  xxxxxx

Then they will be inaccurately reported via tracing, so that they appear to have happened in this order:

    CPU 0                 CPU 1

  (1) alloc xxxxxx
                         (2) alloc xxxxxx
  (3) free  xxxxxx
                         (4) free  xxxxxx

This makes it look like CPU 1 somehow managed to allocate memory that CPU 0 still had allocated for itself.

In order to avoid this, emit the "free xxxxxx" tracing report just before the actual call to free the memory, instead of just after it.

Link: https://lkml.kernel.org/r/374eb75d-7404-8721-4e1e-65b0e5b17279@huawei.com
Signed-off-by: Yunfeng Ye
Reviewed-by: Vlastimil Babka
Reviewed-by: John Hubbard
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
---
 mm/slab.c | 3 +--
 mm/slob.c | 3 +--
 mm/slub.c | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)

--- a/mm/slab.c~mm-emit-the-free-trace-report-before-freeing-memory-in-kmem_cache_free +++ a/mm/slab.c @@ -3733,14 +3733,13 @@ void kmem_cache_free(struct kmem_cache * if (!cachep) return; + trace_kmem_cache_free(_RET_IP_, objp, cachep->name); local_irq_save(flags); debug_check_no_locks_freed(objp, cachep->object_size); if (!(cachep->flags & SLAB_DEBUG_OBJECTS)) debug_check_no_obj_freed(objp, cachep->object_size); __cache_free(cachep, objp, _RET_IP_); local_irq_restore(flags); - - trace_kmem_cache_free(_RET_IP_, objp, cachep->name); } EXPORT_SYMBOL(kmem_cache_free); --- a/mm/slob.c~mm-emit-the-free-trace-report-before-freeing-memory-in-kmem_cache_free +++ a/mm/slob.c 
@@ -666,6 +666,7 @@ static void kmem_rcu_free(struct rcu_hea void kmem_cache_free(struct kmem_cache *c, void *b) { kmemleak_free_recursive(b, c->flags); + trace_kmem_cache_free(_RET_IP_, b, c->name); if (unlikely(c->flags & SLAB_TYPESAFE_BY_RCU)) { struct slob_rcu *slob_rcu; slob_rcu = b + (c->size - sizeof(struct slob_rcu)); @@ -674,8 +675,6 @@ void kmem_cache_free(struct kmem_cache * } else { __kmem_cache_free(b, c->size); } - - trace_kmem_cache_free(_RET_IP_, b, c->name); } EXPORT_SYMBOL(kmem_cache_free); --- a/mm/slub.c~mm-emit-the-free-trace-report-before-freeing-memory-in-kmem_cache_free +++ a/mm/slub.c 
@@ -3526,8 +3526,8 @@ void kmem_cache_free(struct kmem_cache * s = cache_from_obj(s, x); if (!s) return; - slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_); trace_kmem_cache_free(_RET_IP_, x, s->name); + slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_); } EXPORT_SYMBOL(kmem_cache_free);
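Review bot: In the mm/slub.c kmem_cache_free() hunk (and the same move in mm/slab.c and mm/slob.c) the tracepoint now has to stay ahead of the free, but nothing in the code says so. A one-line comment above `trace_kmem_cache_free(_RET_IP_, x, s->name);` stating that it must be emitted before slab_free(), so that another CPU cannot reallocate the object and have its alloc traced first, would protect the ordering from later reshuffling.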
Date: Fri, 19 Nov 2021 16:43:28 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, bcain@codeaurora.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, nathan@kernel.org, ndesaulniers@google.com, stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 05/15] hexagon: export raw I/O routines for modules
Message-ID: <20211120004328.PW1DgeT_0%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Nathan Chancellor
Subject: hexagon: export raw I/O routines for modules

Patch series "Fixes for ARCH=hexagon allmodconfig", v2.

This series fixes some issues noticed with ARCH=hexagon allmodconfig.

This patch (of 3):

When building ARCH=hexagon allmodconfig, the following errors occur:

  ERROR: modpost: "__raw_readsl" [drivers/i3c/master/svc-i3c-master.ko] undefined!
  ERROR: modpost: "__raw_writesl" [drivers/i3c/master/dw-i3c-master.ko] undefined!
  ERROR: modpost: "__raw_readsl" [drivers/i3c/master/dw-i3c-master.ko] undefined!
  ERROR: modpost: "__raw_writesl" [drivers/i3c/master/i3c-master-cdns.ko] undefined!
  ERROR: modpost: "__raw_readsl" [drivers/i3c/master/i3c-master-cdns.ko] undefined!

Export these symbols so that modules can use them without any errors.

Link: https://lkml.kernel.org/r/20211115174250.1994179-1-nathan@kernel.org
Link: https://lkml.kernel.org/r/20211115174250.1994179-2-nathan@kernel.org
Fixes: 013bf24c3829 ("Hexagon: Provide basic implementation and/or stubs for I/O routines.")
Signed-off-by: Nathan Chancellor
Acked-by: Brian Cain
Cc: Nick Desaulniers
Cc:
Signed-off-by: Andrew Morton
---

 arch/hexagon/lib/io.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/hexagon/lib/io.c~hexagon-export-raw-i-o-routines-for-modules +++ a/arch/hexagon/lib/io.c @@ -27,6 +27,7 @@ void __raw_readsw(const void __iomem *ad *dst++ = *src; } +EXPORT_SYMBOL(__raw_readsw); /* * __raw_writesw - read words a short at a time @@ -47,6 +48,7 @@ void __raw_writesw(void __iomem *addr, c } +EXPORT_SYMBOL(__raw_writesw); /* Pretty sure len is pre-adjusted for the length of the access already */ void __raw_readsl(const void __iomem *addr, void *data, int len) @@ -62,6 +64,7 @@ void __raw_readsl(const void __iomem *ad } +EXPORT_SYMBOL(__raw_readsl); void __raw_writesl(void __iomem *addr, const void *data, int len) { 
@@ -76,3 +79,4 @@ void __raw_writesl(void __iomem *addr, c } +EXPORT_SYMBOL(__raw_writesl);
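Review bot: the changelog quotes modpost errors only for __raw_readsl and __raw_writesl, but the first two hunks also add EXPORT_SYMBOL(__raw_readsw) and EXPORT_SYMBOL(__raw_writesw). Please say in the commit message that the short variants are exported for the same reason, or name a module that needs them, so the two extra exports are not read as unrelated changes. Separately, the context comment above __raw_writesw() still says "read words a short at a time", which is worth a follow-up fix since this patch touches the line right next to it.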
Date: Fri, 19 Nov 2021 16:43:31 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, bcain@codeaurora.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, nathan@kernel.org, ndesaulniers@google.com, stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 06/15] hexagon: clean up timer-regs.h
Message-ID: <20211120004331.IgOitkTLn%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Nathan Chancellor
Subject: hexagon: clean up timer-regs.h

When building allmodconfig, there is a warning about TIMER_ENABLE being redefined:

  drivers/clocksource/timer-oxnas-rps.c:39:9: error: 'TIMER_ENABLE' macro redefined [-Werror,-Wmacro-redefined]
  #define TIMER_ENABLE BIT(7)
          ^
  ./arch/hexagon/include/asm/timer-regs.h:13:9: note: previous definition is here
  #define TIMER_ENABLE 0
          ^
  1 error generated.

The values in this header are only used in one file each, if they are used at all. Remove the header and sink all of the constants into their respective files.

TCX0_CLK_RATE is only used in arch/hexagon/include/asm/timex.h

TIMER_ENABLE, RTOS_TIMER_INT, RTOS_TIMER_REGS_ADDR are only used in arch/hexagon/kernel/time.c.

SLEEP_CLK_RATE and TIMER_CLR_ON_MATCH have both been unused since the file's introduction in commit 71e4a47f32f4 ("Hexagon: Add time and timer functions").

TIMER_ENABLE is redefined as BIT(0) so the shift is moved into the definition, rather than its use.

Link: https://lkml.kernel.org/r/20211115174250.1994179-3-nathan@kernel.org
Signed-off-by: Nathan Chancellor
Acked-by: Brian Cain
Cc: Nick Desaulniers
Cc:
Signed-off-by: Andrew Morton
---

 arch/hexagon/include/asm/timer-regs.h | 26 ------------------------
 arch/hexagon/include/asm/timex.h | 3 --
 arch/hexagon/kernel/time.c | 12 +++++++++--
 3 files changed, 11 insertions(+), 30 deletions(-)

--- a/arch/hexagon/include/asm/timer-regs.h +++ /dev/null 
@@ -1,26 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Timer support for Hexagon - * - * Copyright (c) 2010-2011, The Linux Foundation. All rights reserved. - */ - -#ifndef _ASM_TIMER_REGS_H -#define _ASM_TIMER_REGS_H - -/* This stuff should go into a platform specific file */ -#define TCX0_CLK_RATE 19200 -#define TIMER_ENABLE 0 -#define TIMER_CLR_ON_MATCH 1 - -/* - * 8x50 HDD Specs 5-8. Simulator co-sim not fixed until - * release 1.1, and then it's "adjustable" and probably not defaulted. - */ -#define RTOS_TIMER_INT 3 -#ifdef CONFIG_HEXAGON_COMET -#define RTOS_TIMER_REGS_ADDR 0xAB000000UL -#endif -#define SLEEP_CLK_RATE 32000 - -#endif --- a/arch/hexagon/include/asm/timex.h~hexagon-clean-up-timer-regsh +++ a/arch/hexagon/include/asm/timex.h @@ -7,11 +7,10 @@ #define _ASM_TIMEX_H #include -#include #include /* Using TCX0 as our clock. CLOCK_TICK_RATE scheduled to be removed. */ -#define CLOCK_TICK_RATE TCX0_CLK_RATE +#define CLOCK_TICK_RATE 19200 #define ARCH_HAS_READ_CURRENT_TIMER --- a/arch/hexagon/kernel/time.c~hexagon-clean-up-timer-regsh +++ a/arch/hexagon/kernel/time.c @@ -17,9 +17,10 @@ #include #include -#include #include +#define TIMER_ENABLE BIT(0) + /* * For the clocksource we need: * pcycle frequency (600MHz) @@ -33,6 +34,13 @@ cycles_t pcycle_freq_mhz; cycles_t thread_freq_mhz; cycles_t sleep_clk_freq; +/* + * 8x50 HDD Specs 5-8. Simulator co-sim not fixed until + * release 1.1, and then it's "adjustable" and probably not defaulted. + */ +#define RTOS_TIMER_INT 3 +#define RTOS_TIMER_REGS_ADDR 0xAB000000UL + static struct resource rtos_timer_resources[] = { { .start = RTOS_TIMER_REGS_ADDR, 
@@ -80,7 +88,7 @@ static int set_next_event(unsigned long iowrite32(0, &rtos_timer->clear); iowrite32(delta, &rtos_timer->match); - iowrite32(1 << TIMER_ENABLE, &rtos_timer->enable); + iowrite32(TIMER_ENABLE, &rtos_timer->enable); return 0; }
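Review bot: RTOS_TIMER_REGS_ADDR loses its guard on the way into arch/hexagon/kernel/time.c. The deleted timer-regs.h defined it only under #ifdef CONFIG_HEXAGON_COMET, the new definition is unconditional, and the changelog does not mention the difference. rtos_timer_resources[] uses the macro without a guard in the visible context, so this looks intended, but please state it in the commit message. The enable write keeps its value, since 1 << 0 and BIT(0) are both 1. In timex.h, CLOCK_TICK_RATE is now a bare 19200 and the "Using TCX0 as our clock" comment is the only hint at where the number comes from, so consider extending that comment to say what the value is.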
Date: Fri, 19 Nov 2021 16:43:34 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, bcain@codeaurora.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, nathan@kernel.org, ndesaulniers@google.com, torvalds@linux-foundation.org
Subject: [patch 07/15] hexagon: ignore vmlinux.lds
Message-ID: <20211120004334.-vNbCj_MF%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Nathan Chancellor
Subject: hexagon: ignore vmlinux.lds

After building allmodconfig, there is an untracked vmlinux.lds file in arch/hexagon/kernel:

  $ git ls-files . --exclude-standard --others
  arch/hexagon/kernel/vmlinux.lds

Ignore it as all other architectures have.

Link: https://lkml.kernel.org/r/20211115174250.1994179-4-nathan@kernel.org
Signed-off-by: Nathan Chancellor
Cc: Brian Cain
Cc: Nick Desaulniers
Signed-off-by: Andrew Morton
---

 arch/hexagon/kernel/.gitignore | 1 +
 1 file changed, 1 insertion(+)

--- /dev/null +++ a/arch/hexagon/kernel/.gitignore 
@@ -0,0 +1 @@ +vmlinux.lds

Date: Fri, 19 Nov 2021 16:43:37 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, catalin.marinas@arm.com, cl@linux.com, glommer@parallels.com, gregkh@linuxfoundation.org, iamjoonsoo.kim@lge.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, penberg@kernel.org, rientjes@google.com, rkovhaev@gmail.com, songmuchun@bytedance.com, stable@vger.kernel.org, torvalds@linux-foundation.org, vbabka@suse.cz
Subject: [patch 08/15] mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
Message-ID: <20211120004337.1cGvw42-J%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Rustam Kovhaev
Subject: mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag

When kmemleak is enabled for SLOB, system does not boot and does not print anything to the console. At the very early stage in the boot process we hit infinite recursion from kmemleak_init() and eventually kernel crashes.

kmemleak_init() specifies SLAB_NOLEAKTRACE for KMEM_CACHE(), but kmem_cache_create_usercopy() removes it because CACHE_CREATE_MASK is not valid for SLOB.

Let's fix CACHE_CREATE_MASK and make kmemleak work with SLOB

Link: https://lkml.kernel.org/r/20211115020850.3154366-1-rkovhaev@gmail.com
Fixes: d8843922fba4 ("slab: Ignore internal flags in cache creation")
Signed-off-by: Rustam Kovhaev
Acked-by: Vlastimil Babka
Reviewed-by: Muchun Song
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Catalin Marinas
Cc: Greg Kroah-Hartman
Cc: Glauber Costa
Cc:
Signed-off-by: Andrew Morton
---

 mm/slab.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/slab.h~mm-kmemleak-slob-respect-slab_noleaktrace-flag +++ a/mm/slab.h 
@@ -147,7 +147,7 @@ static inline slab_flags_t kmem_cache_fl #define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE | SLAB_RECLAIM_ACCOUNT | \ SLAB_TEMPORARY | SLAB_ACCOUNT) #else -#define SLAB_CACHE_FLAGS (0) +#define SLAB_CACHE_FLAGS (SLAB_NOLEAKTRACE) #endif /* Common flags available with current configuration */
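Review bot: the changelog talks about fixing CACHE_CREATE_MASK, but the hunk changes SLAB_CACHE_FLAGS in the #else branch of mm/slab.h. Please add a sentence tying the two together, and a short comment on the #else branch saying which allocator it covers and that SLAB_NOLEAKTRACE has to be accepted there so the flag kmemleak_init() passes is not stripped. Without it, "(SLAB_NOLEAKTRACE)" on its own reads like an oversight next to the longer flag list in the branch above.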
Date: Fri, 19 Nov 2021 16:43:40 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, almasrymina@google.com, linmiaohe@huawei.com, linux-mm@kvack.org, mhocko@suse.com, mike.kravetz@oracle.com, minhquangbui99@gmail.com, mm-commits@vger.kernel.org, songmuchun@bytedance.com, torvalds@linux-foundation.org
Subject: [patch 09/15] hugetlb: fix hugetlb cgroup refcounting during mremap
Message-ID: <20211120004340.S1hmWsXgy%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Bui Quang Minh
Subject: hugetlb: fix hugetlb cgroup refcounting during mremap

When hugetlb_vm_op_open() is called during copy_vma(), we may take the reference to resv_map->css. Later, when clearing the reservation pointer of old_vma after transferring it to new_vma, we forget to drop the reference to resv_map->css. This leads to a reference leak of css.

Fixes this by adding a check to drop reservation css reference in clear_vma_resv_huge_pages()

Link: https://lkml.kernel.org/r/20211113154412.91134-1-minhquangbui99@gmail.com
Fixes: 550a7d60bd5e35 ("mm, hugepages: add mremap() support for hugepage backed vma")
Signed-off-by: Bui Quang Minh
Reviewed-by: Mike Kravetz
Reviewed-by: Mina Almasry
Cc: Miaohe Lin
Cc: Michal Hocko
Cc: Muchun Song
Signed-off-by: Andrew Morton
---

 include/linux/hugetlb_cgroup.h | 12 ++++++++++++
 mm/hugetlb.c | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)

--- a/include/linux/hugetlb_cgroup.h~hugetlb-fix-hugetlb-cgroup-refcounting-during-mremap +++ a/include/linux/hugetlb_cgroup.h @@ -128,6 +128,13 @@ static inline void resv_map_dup_hugetlb_ css_get(resv_map->css); } +static inline void resv_map_put_hugetlb_cgroup_uncharge_info( + struct resv_map *resv_map) +{ + if (resv_map->css) + css_put(resv_map->css); +} + extern int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages, struct hugetlb_cgroup **ptr); extern int hugetlb_cgroup_charge_cgroup_rsvd(int idx, unsigned long nr_pages, @@ -210,6 +217,11 @@ static inline void resv_map_dup_hugetlb_ struct resv_map *resv_map) { } + +static inline void resv_map_put_hugetlb_cgroup_uncharge_info( + struct resv_map *resv_map) +{ +} static inline int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages, struct hugetlb_cgroup **ptr) --- a/mm/hugetlb.c~hugetlb-fix-hugetlb-cgroup-refcounting-during-mremap +++ a/mm/hugetlb.c 
@@ -1037,8 +1037,10 @@ void clear_vma_resv_huge_pages(struct vm */ struct resv_map *reservations = vma_resv_map(vma); - if (reservations && is_vma_resv_set(vma, HPAGE_RESV_OWNER)) + if (reservations && is_vma_resv_set(vma, HPAGE_RESV_OWNER)) { + resv_map_put_hugetlb_cgroup_uncharge_info(reservations); kref_put(&reservations->refs, resv_map_release); + } reset_vma_resv_huge_pages(vma); }
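Review bot: in clear_vma_resv_huge_pages() the new resv_map_put_hugetlb_cgroup_uncharge_info() call sits inside the "reservations && is_vma_resv_set(vma, HPAGE_RESV_OWNER)" check, so the css reference is dropped only for owner VMAs. The changelog says hugetlb_vm_op_open() "may take" the reference during copy_vma(); please confirm that the css_get() there happens under the same condition, otherwise get and put are not balanced. A comment on the new helper in hugetlb_cgroup.h naming the css_get() in resv_map_dup_hugetlb_cgroup_uncharge_info() as its counterpart would make the pairing explicit. Calling the helper before kref_put() is the right order, since it dereferences reservations and kref_put() may release it.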
Date: Fri, 19 Nov 2021 16:43:43 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, almasrymina@google.com, jthoughton@google.com, linux-mm@kvack.org, mike.kravetz@oracle.com, mm-commits@vger.kernel.org, stable@vger.kernel.org, torvalds@linux-foundation.org, weixugc@google.com
Subject: [patch 10/15] hugetlb, userfaultfd: fix reservation restore on userfaultfd error
Message-ID: <20211120004343.akzlmXMvc%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Mina Almasry
Subject: hugetlb, userfaultfd: fix reservation restore on userfaultfd error

Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages causing a 100% reproducible leak.

We should treat the is_continue case similar to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error(). Rename new_pagecache_page to page_in_pagecache to make that clear.

Link: https://lkml.kernel.org/r/20211117193825.378528-1-almasrymina@google.com
Fixes: c7b1850dfb41 ("hugetlb: don't pass page cache pages to restore_reserve_on_error")
Signed-off-by: Mina Almasry
Reported-by: James Houghton
Reviewed-by: Mike Kravetz
Cc: Wei Xu
Cc:
Signed-off-by: Andrew Morton
---

 mm/hugetlb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/mm/hugetlb.c~hugetlb-userfaultfd-fix-reservation-restore-on-userfaultfd-error +++ a/mm/hugetlb.c @@ -5736,13 +5736,14 @@ int hugetlb_mcopy_atomic_pte(struct mm_s int ret = -ENOMEM; struct page *page; int writable; - bool new_pagecache_page = false; + bool page_in_pagecache = false; if (is_continue) { ret = -EFAULT; page = find_lock_page(mapping, idx); if (!page) goto out; + page_in_pagecache = true; } else if (!*pagep) { /* If a page already exists, then it's UFFDIO_COPY for * a non-missing case. Return -EEXIST. @@ -5830,7 +5831,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_s ret = huge_add_to_page_cache(page, mapping, idx); if (ret) goto out_release_nounlock; - new_pagecache_page = true; + page_in_pagecache = true; } ptl = huge_pte_lockptr(h, dst_mm, dst_pte); 
@@ -5894,7 +5895,7 @@ out_release_unlock: if (vm_shared || is_continue) unlock_page(page); out_release_nounlock: - if (!new_pagecache_page) + if (!page_in_pagecache) restore_reserve_on_error(h, dst_vma, dst_addr, page); put_page(page); goto out;
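Review bot: the "if (!page_in_pagecache)" test at out_release_nounlock now covers two different cases, a page found by find_lock_page() in the is_continue branch and a page just added by huge_add_to_page_cache(), and only the changelog explains why restore_reserve_on_error() must be skipped for both. A short comment at the label, or at the declaration of page_in_pagecache, would carry that reasoning in the code. The changelog calls the leak 100% reproducible, yet the diffstat touches only mm/hugetlb.c; a selftest that exercises the idx >= size and !huge_pte_none() bail-outs in the continue path would keep this from regressing.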
Date: Fri, 19 Nov 2021 16:43:46 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, andreyknvl@gmail.com, dvyukov@google.com, elver@google.com, glider@google.com, keescook@chromium.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, ryabinin.a.a@gmail.com, torvalds@linux-foundation.org
Subject: [patch 11/15] kasan: test: silence intentional read overflow warnings
Message-ID: <20211120004346.6GSSdDImN%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: Kees Cook
Subject: kasan: test: silence intentional read overflow warnings

As done in commit d73dad4eb5ad ("kasan: test: bypass __alloc_size checks") for __write_overflow warnings, also silence some more cases that trip the __read_overflow warnings seen in 5.16-rc1[1]:

In file included from /kisskb/src/include/linux/string.h:253,
                 from /kisskb/src/include/linux/bitmap.h:10,
                 from /kisskb/src/include/linux/cpumask.h:12,
                 from /kisskb/src/include/linux/mm_types_task.h:14,
                 from /kisskb/src/include/linux/mm_types.h:5,
                 from /kisskb/src/include/linux/page-flags.h:13,
                 from /kisskb/src/arch/arm64/include/asm/mte.h:14,
                 from /kisskb/src/arch/arm64/include/asm/pgtable.h:12,
                 from /kisskb/src/include/linux/pgtable.h:6,
                 from /kisskb/src/include/linux/kasan.h:29,
                 from /kisskb/src/lib/test_kasan.c:10:
In function 'memcmp',
    inlined from 'kasan_memcmp' at /kisskb/src/lib/test_kasan.c:897:2:
/kisskb/src/include/linux/fortify-string.h:263:25: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
  263 |                         __read_overflow();
      |                         ^~~~~~~~~~~~~~~~~
In function 'memchr',
    inlined from 'kasan_memchr' at /kisskb/src/lib/test_kasan.c:872:2:
/kisskb/src/include/linux/fortify-string.h:277:17: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
  277 |                 __read_overflow();
      |                 ^~~~~~~~~~~~~~~~~

[1] http://kisskb.ellerman.id.au/kisskb/buildresult/14660585/log/

Link: https://lkml.kernel.org/r/20211116004111.3171781-1-keescook@chromium.org
Fixes: d73dad4eb5ad ("kasan: test: bypass __alloc_size checks")
Signed-off-by: Kees Cook
Reviewed-by: Andrey Konovalov
Acked-by: Marco Elver
Cc: Andrey Ryabinin
Cc: Alexander Potapenko
Cc: Dmitry Vyukov
Signed-off-by: Andrew Morton
---

 lib/test_kasan.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/lib/test_kasan.c~kasan-test-silence-intentional-read-overflow-warnings +++ a/lib/test_kasan.c 
@@ -869,6 +869,7 @@ static void kasan_memchr(struct kunit *t ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); + OPTIMIZER_HIDE_VAR(size); KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = memchr(ptr, '1', size + 1)); 
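Review bot: The added OPTIMIZER_HIDE_VAR(size) in kasan_memchr() carries no comment, so a later cleanup could drop it as dead code and bring back the build-time __read_overflow error on memchr(ptr, '1', size + 1). Add a one-line comment above it saying the out-of-bounds read is intentional and that size is hidden from the compiler so the check is left to KASAN at run time.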
@@ -894,6 +895,7 @@ static void kasan_memcmp(struct kunit *t KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); memset(arr, 0, sizeof(arr)); + OPTIMIZER_HIDE_VAR(size); KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = memcmp(ptr, arr, size+1)); kfree(ptr); From patchwork Sat Nov 20 00:43:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 12629937 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A7DCC433F5 for ; Sat, 20 Nov 2021 00:49:42 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 9BE2D6B0083; Fri, 19 Nov 2021 19:44:01 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 96E006B0085; Fri, 19 Nov 2021 19:44:01 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8353A6B0087; Fri, 19 Nov 2021 19:44:01 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0171.hostedemail.com [216.40.44.171]) by kanga.kvack.org (Postfix) with ESMTP id 75D426B0083 for ; Fri, 19 Nov 2021 19:44:01 -0500 (EST) Received: from smtpin13.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 470A989558 for ; Sat, 20 Nov 2021 00:43:51 +0000 (UTC) X-FDA: 78827461062.13.6B00BFC Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf05.hostedemail.com (Postfix) with ESMTP id 43DD15092EE4 for ; Sat, 20 Nov 2021 00:43:48 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id 1496E61A07; Sat, 20 Nov 2021 00:43:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1637369030; bh=3zIXQHUAdko0JzwPReohAQ9tWI0lXL0OyFB88zx9MB0=; h=Date:From:To:Subject:In-Reply-To:From; 
Date: Fri, 19 Nov 2021 16:43:49 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, sj@kernel.org, stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 12/15] mm/damon/dbgfs: use '__GFP_NOWARN' for user-specified size buffer allocation
Message-ID: <20211120004349.yLSlmi7Jb%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: SeongJae Park Subject: mm/damon/dbgfs: use '__GFP_NOWARN' for user-specified size buffer allocation Patch series "DAMON fixes". This patch (of 2): DAMON users can trigger below warning in '__alloc_pages()' by invoking write() to some DAMON debugfs files with arbitrarily high count argument, because DAMON debugfs interface allocates some buffers based on the user-specified 'count'. if (unlikely(order >= MAX_ORDER)) { WARN_ON_ONCE(!(gfp & __GFP_NOWARN)); return NULL; } Because the DAMON debugfs interface code checks failure of the 'kmalloc()', this commit simply suppresses the warnings by adding '__GFP_NOWARN' flag. Link: https://lkml.kernel.org/r/20211110145758.16558-1-sj@kernel.org Link: https://lkml.kernel.org/r/20211110145758.16558-2-sj@kernel.org Fixes: 4bc05954d007 ("mm/damon: implement a debugfs-based user space interface") Signed-off-by: SeongJae Park Cc: Signed-off-by: Andrew Morton --- mm/damon/dbgfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/mm/damon/dbgfs.c~mm-damon-dbgfs-use-__gfp_nowarn-for-user-specified-size-buffer-allocation +++ a/mm/damon/dbgfs.c @@ -32,7 +32,7 @@ static char *user_input_str(const char _ if (*ppos) return ERR_PTR(-EINVAL); - kbuf = kmalloc(count + 1, GFP_KERNEL); + kbuf = kmalloc(count + 1, GFP_KERNEL | __GFP_NOWARN); if (!kbuf) return ERR_PTR(-ENOMEM); @@ -133,7 +133,7 @@ static ssize_t dbgfs_schemes_read(struct char *kbuf; ssize_t len; - kbuf = kmalloc(count, GFP_KERNEL); + kbuf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN); if (!kbuf) return -ENOMEM; @@ -452,7 +452,7 @@ static ssize_t dbgfs_init_regions_read(s char *kbuf; ssize_t len; - kbuf = kmalloc(count, GFP_KERNEL); + kbuf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN); if (!kbuf) return -ENOMEM; 
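Review bot: kmalloc(count, GFP_KERNEL | __GFP_NOWARN) in dbgfs_init_regions_read(), like the other three call sites in this patch, still sizes the buffer directly from the user-supplied count; __GFP_NOWARN only hides the allocator's complaint. Consider rejecting or clamping count against an explicit upper bound before the allocation, so an oversized request fails with a deliberate error instead of depending on kmalloc() returning NULL, and so the count + 1 in user_input_str() is computed on a value already known to be small.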
@@ -578,7 +578,7 @@ static ssize_t dbgfs_kdamond_pid_read(st char *kbuf; ssize_t len; - kbuf = kmalloc(count, GFP_KERNEL); + kbuf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN); if (!kbuf) return -ENOMEM; From patchwork Sat Nov 20 00:43:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 12629939 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C29BC433EF for ; Sat, 20 Nov 2021 00:50:15 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 8FA7D6B0085; Fri, 19 Nov 2021 19:44:04 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 8AAAC6B0087; Fri, 19 Nov 2021 19:44:04 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 799716B0088; Fri, 19 Nov 2021 19:44:04 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0087.hostedemail.com [216.40.44.87]) by kanga.kvack.org (Postfix) with ESMTP id 6CBA06B0085 for ; Fri, 19 Nov 2021 19:44:04 -0500 (EST) Received: from smtpin14.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 4255B1849B229 for ; Sat, 20 Nov 2021 00:43:54 +0000 (UTC) X-FDA: 78827461188.14.05DA165 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf05.hostedemail.com (Postfix) with ESMTP id 41AC75092ED1 for ; Sat, 20 Nov 2021 00:43:51 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id EB5D161A07; Sat, 20 Nov 2021 00:43:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1637369033; bh=qf3iadlSg2k12B5DqrvmmY/Fm1Ggd5KqM/KQJdUpLzw=; h=Date:From:To:Subject:In-Reply-To:From; 
Date: Fri, 19 Nov 2021 16:43:52 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, sj@kernel.org, stable@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 13/15] mm/damon/dbgfs: fix missed use of damon_dbgfs_lock
Message-ID: <20211120004352.cP--sDA9q%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>

From: SeongJae Park Subject: mm/damon/dbgfs: fix missed use of damon_dbgfs_lock DAMON debugfs is supposed to protect dbgfs_ctxs, dbgfs_nr_ctxs, and dbgfs_dirs using damon_dbgfs_lock. However, some of the code is accessing the variables without the protection. This commit fixes it by protecting all such accesses. Link: https://lkml.kernel.org/r/20211110145758.16558-3-sj@kernel.org Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts") Signed-off-by: SeongJae Park Cc: Signed-off-by: Andrew Morton --- mm/damon/dbgfs.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/mm/damon/dbgfs.c~mm-damon-dbgfs-fix-missed-use-of-damon_dbgfs_lock +++ a/mm/damon/dbgfs.c 
@@ -877,12 +877,14 @@ static ssize_t dbgfs_monitor_on_write(st return -EINVAL; } + mutex_lock(&damon_dbgfs_lock); if (!strncmp(kbuf, "on", count)) { int i; for (i = 0; i < dbgfs_nr_ctxs; i++) { if (damon_targets_empty(dbgfs_ctxs[i])) { kfree(kbuf); + mutex_unlock(&damon_dbgfs_lock); return -EINVAL; } } @@ -892,6 +894,7 @@ static ssize_t dbgfs_monitor_on_write(st } else { ret = -EINVAL; } + mutex_unlock(&damon_dbgfs_lock); if (!ret) ret = count; @@ -944,15 +947,16 @@ static int __init __damon_dbgfs_init(voi static int __init damon_dbgfs_init(void) { - int rc; + int rc = -ENOMEM; + mutex_lock(&damon_dbgfs_lock); dbgfs_ctxs = kmalloc(sizeof(*dbgfs_ctxs), GFP_KERNEL); if (!dbgfs_ctxs) - return -ENOMEM; + goto out; dbgfs_ctxs[0] = dbgfs_new_ctx(); if (!dbgfs_ctxs[0]) { kfree(dbgfs_ctxs); - return -ENOMEM; + goto out; } dbgfs_nr_ctxs = 1; 
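Review bot: In damon_dbgfs_init(), the dbgfs_new_ctx() failure path does kfree(dbgfs_ctxs) and then goto out, which leaves the global dbgfs_ctxs pointing at freed memory once damon_dbgfs_lock is dropped. Since this patch exists because other paths read dbgfs_ctxs under that lock, set dbgfs_ctxs = NULL after the kfree() before jumping to out. Separately, the early return inside the loop in dbgfs_monitor_on_write() repeats kfree(kbuf) and mutex_unlock(); a single exit label would keep lock and unlock paired in one place.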
@@ -963,6 +967,8 @@ static int __init damon_dbgfs_init(void) pr_err("%s: dbgfs init failed\n", __func__); } +out: + mutex_unlock(&damon_dbgfs_lock); return rc; } From patchwork Sat Nov 20 00:43:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 12629941 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FF1BC433EF for ; Sat, 20 Nov 2021 00:50:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B933A6B0087; Fri, 19 Nov 2021 19:44:07 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id B415D6B0088; Fri, 19 Nov 2021 19:44:07 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A09716B0089; Fri, 19 Nov 2021 19:44:07 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0004.hostedemail.com [216.40.44.4]) by kanga.kvack.org (Postfix) with ESMTP id 9363E6B0087 for ; Fri, 19 Nov 2021 19:44:07 -0500 (EST) Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 5DCB88CA2E for ; Sat, 20 Nov 2021 00:43:57 +0000 (UTC) X-FDA: 78827461314.08.7D20DEE Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf06.hostedemail.com (Postfix) with ESMTP id 9C47D801A8B8 for ; Sat, 20 Nov 2021 00:43:55 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id DD56261A07; Sat, 20 Nov 2021 00:43:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1637369036; bh=kpDpwTBVeKup3eHAtT2yi5lkPw6vsjOEwl/p8uhLNuA=; h=Date:From:To:Subject:In-Reply-To:From; b=i+rwDxr8s0x3sw8exxbUkbDXVjBEunkeFxEvbT2uU5k+qjZwHoN18gWJCFxuCJmXv 
Date: Fri, 19 Nov 2021 16:43:55 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, ardb@kernel.org, linus.walleij@linaro.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, quanyang.wang@windriver.com, rmk+kernel@armlinux.org.uk, stable@vger.kernel.org, tglx@linutronix.de, torvalds@linux-foundation.org
Subject: [patch 14/15] kmap_local: don't assume kmap PTEs are linear arrays in memory
Message-ID: <20211120004355.3d5IhALrg%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: Ard Biesheuvel Subject: kmap_local: don't assume kmap PTEs are linear arrays in memory The kmap_local conversion broke the ARM architecture, because the new code assumes that all PTEs used for creating kmaps form a linear array in memory, and uses array indexing to look up the kmap PTE belonging to a certain kmap index. On ARM, this cannot work, not only because the PTE pages may be non-adjacent in memory, but also because ARM/!LPAE interleaves hardware entries and extended entries (carrying software-only bits) in a way that is not compatible with array indexing. Fortunately, this only seems to affect configurations with more than 8 CPUs, due to the way the per-CPU kmap slots are organized in memory. Work around this by permitting an architecture to set a Kconfig symbol that signifies that the kmap PTEs do not form a linear array in memory, and so the only way to locate the appropriate one is to walk the page tables. Link: https://lore.kernel.org/linux-arm-kernel/20211026131249.3731275-1-ardb@kernel.org/ Link: https://lkml.kernel.org/r/20211116094737.7391-1-ardb@kernel.org Fixes: 2a15ba82fa6c ("ARM: highmem: Switch to generic kmap atomic") Signed-off-by: Ard Biesheuvel Reported-by: Quanyang Wang Reviewed-by: Linus Walleij Acked-by: Russell King (Oracle) Cc: Thomas Gleixner Cc: Signed-off-by: Andrew Morton --- arch/arm/Kconfig | 1 + mm/Kconfig | 3 +++ mm/highmem.c | 32 +++++++++++++++++++++----------- 3 files changed, 25 insertions(+), 11 deletions(-) --- a/arch/arm/Kconfig~kmap_local-dont-assume-kmap-ptes-are-linear-arrays-in-memory +++ a/arch/arm/Kconfig @@ -1463,6 +1463,7 @@ config HIGHMEM bool "High Memory Support" depends on MMU select KMAP_LOCAL + select KMAP_LOCAL_NON_LINEAR_PTE_ARRAY help The address space of ARM processors is only 4 Gigabytes large and it has to accommodate user address space, kernel address --- a/mm/highmem.c~kmap_local-dont-assume-kmap-ptes-are-linear-arrays-in-memory +++ a/mm/highmem.c 
@@ -503,16 +503,22 @@ static inline int kmap_local_calc_idx(in static pte_t *__kmap_pte; -static pte_t *kmap_get_pte(void) +static pte_t *kmap_get_pte(unsigned long vaddr, int idx) { + if (IS_ENABLED(CONFIG_KMAP_LOCAL_NON_LINEAR_PTE_ARRAY)) + /* + * Set by the arch if __kmap_pte[-idx] does not produce + * the correct entry. + */ + return virt_to_kpte(vaddr); if (!__kmap_pte) __kmap_pte = virt_to_kpte(__fix_to_virt(FIX_KMAP_BEGIN)); - return __kmap_pte; + return &__kmap_pte[-idx]; } void *__kmap_local_pfn_prot(unsigned long pfn, pgprot_t prot) { - pte_t pteval, *kmap_pte = kmap_get_pte(); + pte_t pteval, *kmap_pte; unsigned long vaddr; int idx; @@ -524,9 +530,10 @@ void *__kmap_local_pfn_prot(unsigned lon preempt_disable(); idx = arch_kmap_local_map_idx(kmap_local_idx_push(), pfn); vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx); - BUG_ON(!pte_none(*(kmap_pte - idx))); + kmap_pte = kmap_get_pte(vaddr, idx); + BUG_ON(!pte_none(*kmap_pte)); pteval = pfn_pte(pfn, prot); - arch_kmap_local_set_pte(&init_mm, vaddr, kmap_pte - idx, pteval); + arch_kmap_local_set_pte(&init_mm, vaddr, kmap_pte, pteval); arch_kmap_local_post_map(vaddr, pteval); current->kmap_ctrl.pteval[kmap_local_idx()] = pteval; preempt_enable(); @@ -559,7 +566,7 @@ EXPORT_SYMBOL(__kmap_local_page_prot); void kunmap_local_indexed(void *vaddr) { unsigned long addr = (unsigned long) vaddr & PAGE_MASK; - pte_t *kmap_pte = kmap_get_pte(); + pte_t *kmap_pte; int idx; if (addr < __fix_to_virt(FIX_KMAP_END) || @@ -584,8 +591,9 @@ void kunmap_local_indexed(void *vaddr) idx = arch_kmap_local_unmap_idx(kmap_local_idx(), addr); WARN_ON_ONCE(addr != __fix_to_virt(FIX_KMAP_BEGIN + idx)); + kmap_pte = kmap_get_pte(addr, idx); arch_kmap_local_pre_unmap(addr); - pte_clear(&init_mm, addr, kmap_pte - idx); + pte_clear(&init_mm, addr, kmap_pte); arch_kmap_local_post_unmap(addr); current->kmap_ctrl.pteval[kmap_local_idx()] = __pte(0); kmap_local_idx_pop(); 
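Review bot: In kmap_get_pte(), the new if (IS_ENABLED(CONFIG_KMAP_LOCAL_NON_LINEAR_PTE_ARRAY)) has a body made of a block comment plus the return but no braces, so the following if (!__kmap_pte) reads at first glance as part of it. Wrap the comment and return virt_to_kpte(vaddr); in braces. It would also help to document on the function that vaddr is used only on the page-table-walk path and idx only on the array path, since every caller now has to compute both before calling.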
@@ -607,7 +615,7 @@ EXPORT_SYMBOL(kunmap_local_indexed); void __kmap_local_sched_out(void) { struct task_struct *tsk = current; - pte_t *kmap_pte = kmap_get_pte(); + pte_t *kmap_pte; int i; /* Clear kmaps */ @@ -634,8 +642,9 @@ void __kmap_local_sched_out(void) idx = arch_kmap_local_map_idx(i, pte_pfn(pteval)); addr = __fix_to_virt(FIX_KMAP_BEGIN + idx); + kmap_pte = kmap_get_pte(addr, idx); arch_kmap_local_pre_unmap(addr); - pte_clear(&init_mm, addr, kmap_pte - idx); + pte_clear(&init_mm, addr, kmap_pte); arch_kmap_local_post_unmap(addr); } } @@ -643,7 +652,7 @@ void __kmap_local_sched_out(void) void __kmap_local_sched_in(void) { struct task_struct *tsk = current; - pte_t *kmap_pte = kmap_get_pte(); + pte_t *kmap_pte; int i; /* Restore kmaps */ @@ -663,7 +672,8 @@ void __kmap_local_sched_in(void) /* See comment in __kmap_local_sched_out() */ idx = arch_kmap_local_map_idx(i, pte_pfn(pteval)); addr = __fix_to_virt(FIX_KMAP_BEGIN + idx); - set_pte_at(&init_mm, addr, kmap_pte - idx, pteval); + kmap_pte = kmap_get_pte(addr, idx); + set_pte_at(&init_mm, addr, kmap_pte, pteval); arch_kmap_local_post_map(addr, pteval); } } --- a/mm/Kconfig~kmap_local-dont-assume-kmap-ptes-are-linear-arrays-in-memory +++ a/mm/Kconfig 
@@ -890,6 +890,9 @@ config MAPPING_DIRTY_HELPERS config KMAP_LOCAL bool +config KMAP_LOCAL_NON_LINEAR_PTE_ARRAY + bool + # struct io_mapping based helper. Selected by drivers that need them config IO_MAPPING bool From patchwork Sat Nov 20 00:43:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 12629943 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48D7BC433EF for ; Sat, 20 Nov 2021 00:51:20 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B442C6B0088; Fri, 19 Nov 2021 19:44:10 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id AF3726B0089; Fri, 19 Nov 2021 19:44:10 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9E38D6B008A; Fri, 19 Nov 2021 19:44:10 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0097.hostedemail.com [216.40.44.97]) by kanga.kvack.org (Postfix) with ESMTP id 9094C6B0088 for ; Fri, 19 Nov 2021 19:44:10 -0500 (EST) Received: from smtpin29.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 5B2188CE3F for ; Sat, 20 Nov 2021 00:44:00 +0000 (UTC) X-FDA: 78827461440.29.613827E Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf31.hostedemail.com (Postfix) with ESMTP id 3520E1052983 for ; Sat, 20 Nov 2021 00:43:57 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id 0170D61A86; Sat, 20 Nov 2021 00:43:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1637369039; bh=UAr7Q/5h2/Uck3swGjAInJ+tTo4aGlSu0RjHHUlzxoc=; h=Date:From:To:Subject:In-Reply-To:From; 
Date: Fri, 19 Nov 2021 16:43:58 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, bhe@redhat.com, david@redhat.com, dyoung@redhat.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, prudo@redhat.com, stable@vger.kernel.org, torvalds@linux-foundation.org, vgoyal@redhat.com
Subject: [patch 15/15] proc/vmcore: fix clearing user buffer by properly using clear_user()
Message-ID: <20211120004358.K3wyLJN5Y%akpm@linux-foundation.org>
In-Reply-To: <20211119164248.50feee07c5d2cc6cc4addf97@linux-foundation.org>
From: David Hildenbrand Subject: proc/vmcore: fix clearing user buffer by properly using clear_user() To clear a user buffer we cannot simply use memset, we have to use clear_user(). With a virtio-mem device that registers a vmcore_cb and has some logically unplugged memory inside an added Linux memory block, I can easily trigger a BUG by copying the vmcore via "cp": [ 11.327580] systemd[1]: Starting Kdump Vmcore Save Service... [ 11.339697] kdump[420]: Kdump is using the default log level(3). [ 11.370964] kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ [ 11.373997] kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ [ 11.385357] kdump[465]: saving vmcore-dmesg.txt complete [ 11.386722] kdump[467]: saving vmcore [ 16.531275] BUG: unable to handle page fault for address: 00007f2374e01000 [ 16.531705] #PF: supervisor write access in kernel mode [ 16.532037] #PF: error_code(0x0003) - permissions violation [ 16.532396] PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867 [ 16.532872] Oops: 0003 [#1] PREEMPT SMP NOPTI [ 16.533154] CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6 [ 16.533513] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014 [ 16.534198] RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86 [ 16.534552] Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81 [ 16.535670] RSP: 0018:ffffc9000073be08 EFLAGS: 00010212 [ 16.535998] RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000 [ 16.536441] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008 [ 16.536878] RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50 [ 16.537315] R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000 [ 16.537755] R13: 00007f2374e01000 R14: 
0000000000000000 R15: ffff88807bd421e8 [ 16.538200] FS: 00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000 [ 16.538696] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.539055] CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0 [ 16.539510] Call Trace: [ 16.539679] [ 16.539828] read_vmcore+0x236/0x2c0 [ 16.540063] ? enqueue_hrtimer+0x2f/0x80 [ 16.540323] ? inode_security+0x22/0x60 [ 16.540572] proc_reg_read+0x55/0xa0 [ 16.540807] vfs_read+0x95/0x190 [ 16.541022] ksys_read+0x4f/0xc0 [ 16.541238] do_syscall_64+0x3b/0x90 [ 16.541475] entry_SYSCALL_64_after_hwframe+0x44/0xae Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access Prevention (SMAP)", which is used to detect wrong access from the kernel to user buffers like this: SMAP triggers a permissions violation on wrong access. In the x86-64 variant of clear_user(), SMAP is properly handled via clac()+stac(). To fix, properly use clear_user() when we're dealing with a user buffer. Link: https://lkml.kernel.org/r/20211112092750.6921-1-david@redhat.com Fixes: 997c136f518c ("fs/proc/vmcore.c: add hook to read_from_oldmem() to check for non-ram pages") Signed-off-by: David Hildenbrand Acked-by: Baoquan He Cc: Dave Young Cc: Baoquan He Cc: Vivek Goyal Cc: Philipp Rudo Cc: Signed-off-by: Andrew Morton --- fs/proc/vmcore.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) --- a/fs/proc/vmcore.c~proc-vmcore-fix-clearing-user-buffer-by-properly-using-clear_user +++ a/fs/proc/vmcore.c @@ -154,9 +154,13 @@ ssize_t read_from_oldmem(char *buf, size nr_bytes = count; /* If pfn is not ram, return zeros for sparse dump files */ - if (!pfn_is_ram(pfn)) - memset(buf, 0, nr_bytes); - else { + if (!pfn_is_ram(pfn)) { + tmp = 0; + if (!userbuf) + memset(buf, 0, nr_bytes); + else if (clear_user(buf, nr_bytes)) + tmp = -EFAULT; + } else { if (encrypted) tmp = copy_oldmem_page_encrypted(pfn, buf, nr_bytes, 
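Review bot: clear_user(buf, nr_bytes) is handed buf, which the hunk header shows is declared as a plain char * in read_from_oldmem(), so the same pointer is treated as a kernel or a user address depending on userbuf. That untyped dual use is what let memset() be applied to a user buffer in the first place. At minimum cast to a __user pointer at the clear_user() call so sparse can check the address space, and consider splitting the kernel-buffer and user-buffer paths so the type carries the distinction rather than the userbuf flag.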
@@ -165,12 +169,12 @@ ssize_t read_from_oldmem(char *buf, size else tmp = copy_oldmem_page(pfn, buf, nr_bytes, offset, userbuf); - - if (tmp < 0) { - up_read(&vmcore_cb_rwsem); - return tmp; - } } + if (tmp < 0) { + up_read(&vmcore_cb_rwsem); + return tmp; + } + *ppos += nr_bytes; count -= nr_bytes; buf += nr_bytes;
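Review bot: With the if (tmp < 0) check hoisted out of the else branch, it now relies on every branch above assigning tmp; the !pfn_is_ram() branch does so only through the tmp = 0 added in the previous hunk. Initialise tmp at the top of the loop body (or at its declaration) instead, so a branch added later cannot reach this check with a stale value.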