March 2020 - Linux-stable-mirror

[merged] mm-memcg-throttle-allocators-based-on-ancestral-memoryhigh.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, memcg: throttle allocators based on ancestral memory.high has been removed from the -mm tree. Its filename was mm-memcg-throttle-allocators-based-on-ancestral-memoryhigh.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Chris Down <chris(a)chrisdown.name> Subject: mm, memcg: throttle allocators based on ancestral memory.high Prior to this commit, we only directly check the affected cgroup's memory.high against its usage. However, it's possible that we are being reclaimed as a result of hitting an ancestor memory.high and should be penalised based on that, instead. This patch changes memory.high overage throttling to use the largest overage in its ancestors when considering how many penalty jiffies to charge. This makes sure that we penalise poorly behaving cgroups in the same way regardless of at what level of the hierarchy memory.high was breached. Link: http://lkml.kernel.org/r/8cd132f84bd7e16cdb8fde3378cdbf05ba00d387.158403614… Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") Signed-off-by: Chris Down <chris(a)chrisdown.name> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Tejun Heo <tj(a)kernel.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Nathan Chancellor <natechancellor(a)gmail.com> Cc: Roman Gushchin <guro(a)fb.com> Cc: <stable(a)vger.kernel.org> [5.4.x+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 93 ++++++++++++++++++++++++++++------------------ 1 file changed, 58 insertions(+), 35 deletions(-) --- a/mm/memcontrol.c~mm-memcg-throttle-allocators-based-on-ancestral-memoryhigh +++ a/mm/memcontrol.c @@ -2297,28 +2297,41 @@ static void high_work_func(struct work_s #define MEMCG_DELAY_SCALING_SHIFT 14 /* - * Scheduled by try_charge() to be executed from the userland return path - * and reclaims memory over the high limit. + * Get the number of jiffies that we should penalise a mischievous cgroup which + * is exceeding its memory.high by checking both it and its ancestors. */ -void mem_cgroup_handle_over_high(void) +static unsigned long calculate_high_delay(struct mem_cgroup *memcg, + unsigned int nr_pages) { - unsigned long usage, high, clamped_high; - unsigned long pflags; - unsigned long penalty_jiffies, overage; - unsigned int nr_pages = current->memcg_nr_pages_over_high; - struct mem_cgroup *memcg; + unsigned long penalty_jiffies; + u64 max_overage = 0; - if (likely(!nr_pages)) - return; + do { + unsigned long usage, high; + u64 overage; + + usage = page_counter_read(&memcg->memory); + high = READ_ONCE(memcg->high); + + /* + * Prevent division by 0 in overage calculation by acting as if + * it was a threshold of 1 page + */ + high = max(high, 1UL); + + overage = usage - high; + overage <<= MEMCG_DELAY_PRECISION_SHIFT; + overage = div64_u64(overage, high); + + if (overage > max_overage) + max_overage = overage; + } while ((memcg = parent_mem_cgroup(memcg)) && + !mem_cgroup_is_root(memcg)); - memcg = get_mem_cgroup_from_mm(current->mm); - reclaim_high(memcg, nr_pages, GFP_KERNEL); - current->memcg_nr_pages_over_high = 0; + if (!max_overage) + return 0; /* - * memory.high is breached and reclaim is unable to keep up. Throttle - * allocators proactively to slow down excessive growth. - * * We use overage compared to memory.high to calculate the number of * jiffies to sleep (penalty_jiffies). Ideally this value should be * fairly lenient on small overages, and increasingly harsh when the @@ -2326,24 +2339,9 @@ void mem_cgroup_handle_over_high(void) * its crazy behaviour, so we exponentially increase the delay based on * overage amount. */ - - usage = page_counter_read(&memcg->memory); - high = READ_ONCE(memcg->high); - - if (usage <= high) - goto out; - - /* - * Prevent division by 0 in overage calculation by acting as if it was a - * threshold of 1 page - */ - clamped_high = max(high, 1UL); - - overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, - clamped_high); - - penalty_jiffies = ((u64)overage * overage * HZ) - >> (MEMCG_DELAY_PRECISION_SHIFT + MEMCG_DELAY_SCALING_SHIFT); + penalty_jiffies = max_overage * max_overage * HZ; + penalty_jiffies >>= MEMCG_DELAY_PRECISION_SHIFT; + penalty_jiffies >>= MEMCG_DELAY_SCALING_SHIFT; /* * Factor in the task's own contribution to the overage, such that four @@ -2360,7 +2358,32 @@ void mem_cgroup_handle_over_high(void) * application moving forwards and also permit diagnostics, albeit * extremely slowly. */ - penalty_jiffies = min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); + return min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); +} + +/* + * Scheduled by try_charge() to be executed from the userland return path + * and reclaims memory over the high limit. + */ +void mem_cgroup_handle_over_high(void) +{ + unsigned long penalty_jiffies; + unsigned long pflags; + unsigned int nr_pages = current->memcg_nr_pages_over_high; + struct mem_cgroup *memcg; + + if (likely(!nr_pages)) + return; + + memcg = get_mem_cgroup_from_mm(current->mm); + reclaim_high(memcg, nr_pages, GFP_KERNEL); + current->memcg_nr_pages_over_high = 0; + + /* + * memory.high is breached and reclaim is unable to keep up. Throttle + * allocators proactively to slow down excessive growth. + */ + penalty_jiffies = calculate_high_delay(memcg, nr_pages); /* * Don't sleep if the amount of jiffies this memcg owes us is so low _ Patches currently in -mm which might be from chris(a)chrisdown.name are mm-memcg-prevent-memoryhigh-load-store-tearing.patch mm-memcg-prevent-memorymax-load-tearing.patch mm-memcg-prevent-memorylow-load-store-tearing.patch mm-memcg-prevent-memorymin-load-store-tearing.patch mm-memcg-prevent-memoryswapmax-load-tearing.patch mm-memcg-prevent-mem_cgroup_protected-store-tearing.patch mm-memcg-bypass-high-reclaim-iteration-for-cgroup-hierarchy-root.patch

4 years, 9 months

1
0
0 0

[merged] mm-memcg-fix-corruption-on-64-bit-divisor-in-memoryhigh-throttling.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, memcg: fix corruption on 64-bit divisor in memory.high throttling has been removed from the -mm tree. Its filename was mm-memcg-fix-corruption-on-64-bit-divisor-in-memoryhigh-throttling.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Chris Down <chris(a)chrisdown.name> Subject: mm, memcg: fix corruption on 64-bit divisor in memory.high throttling 0e4b01df8659 had a bunch of fixups to use the right division method. However, it seems that after all that it still wasn't right -- div_u64 takes a 32-bit divisor. The headroom is still large (2^32 pages), so on mundane systems you won't hit this, but this should definitely be fixed. Link: http://lkml.kernel.org/r/80780887060514967d414b3cd91f9a316a16ab98.158403614… Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") Signed-off-by: Chris Down <chris(a)chrisdown.name> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Tejun Heo <tj(a)kernel.org> Cc: Roman Gushchin <guro(a)fb.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Nathan Chancellor <natechancellor(a)gmail.com> Cc: <stable(a)vger.kernel.org> [5.4.x+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/memcontrol.c~mm-memcg-fix-corruption-on-64-bit-divisor-in-memoryhigh-throttling +++ a/mm/memcontrol.c @@ -2339,7 +2339,7 @@ void mem_cgroup_handle_over_high(void) */ clamped_high = max(high, 1UL); - overage = div_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, + overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, clamped_high); penalty_jiffies = ((u64)overage * overage * HZ) _ Patches currently in -mm which might be from chris(a)chrisdown.name are mm-memcg-prevent-memoryhigh-load-store-tearing.patch mm-memcg-prevent-memorymax-load-tearing.patch mm-memcg-prevent-memorylow-load-store-tearing.patch mm-memcg-prevent-memorymin-load-store-tearing.patch mm-memcg-prevent-memoryswapmax-load-tearing.patch mm-memcg-prevent-mem_cgroup_protected-store-tearing.patch mm-memcg-bypass-high-reclaim-iteration-for-cgroup-hierarchy-root.patch

4 years, 9 months

1
0
0 0

[merged] page-flags-fix-a-crash-at-setpageerrorthp_swap.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: page-flags: fix a crash at SetPageError(THP_SWAP) has been removed from the -mm tree. Its filename was page-flags-fix-a-crash-at-setpageerrorthp_swap.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Qian Cai <cai(a)lca.pw> Subject: page-flags: fix a crash at SetPageError(THP_SWAP) The commit bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out") supported writing THP to a swap device but forgot to upgrade an older commit df8c94d13c7e ("page-flags: define behavior of FS/IO-related flags on compound pages") which could trigger a crash during THP swapping out with DEBUG_VM_PGFLAGS=y, kernel BUG at include/linux/page-flags.h:317! page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page)) page:fffff3b2ec3a8000 refcount:512 mapcount:0 mapping:000000009eb0338c index:0x7f6e58200 head:fffff3b2ec3a8000 order:9 compound_mapcount:0 compound_pincount:0 anon flags: 0x45fffe0000d8454(uptodate|lru|workingset|owner_priv_1|writeback|head|reclaim|swapbacked) end_swap_bio_write() SetPageError(page) VM_BUG_ON_PAGE(1 && PageCompound(page)) <IRQ> bio_endio+0x297/0x560 dec_pending+0x218/0x430 [dm_mod] clone_endio+0xe4/0x2c0 [dm_mod] bio_endio+0x297/0x560 blk_update_request+0x201/0x920 scsi_end_request+0x6b/0x4b0 scsi_io_completion+0x509/0x7e0 scsi_finish_command+0x1ed/0x2a0 scsi_softirq_done+0x1c9/0x1d0 __blk_mqnterrupt+0xf/0x20 </IRQ> Fix by checking PF_NO_TAIL in those places instead. Link: http://lkml.kernel.org/r/20200310235846.1319-1-cai@lca.pw Fixes: bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out") Signed-off-by: Qian Cai <cai(a)lca.pw> Acked-by: "Huang, Ying" <ying.huang(a)intel.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Acked-by: Rafael Aquini <aquini(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-flags.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/page-flags.h~page-flags-fix-a-crash-at-setpageerrorthp_swap +++ a/include/linux/page-flags.h @@ -311,7 +311,7 @@ static inline int TestClearPage##uname(s __PAGEFLAG(Locked, locked, PF_NO_TAIL) PAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) __CLEARPAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) -PAGEFLAG(Error, error, PF_NO_COMPOUND) TESTCLEARFLAG(Error, error, PF_NO_COMPOUND) +PAGEFLAG(Error, error, PF_NO_TAIL) TESTCLEARFLAG(Error, error, PF_NO_TAIL) PAGEFLAG(Referenced, referenced, PF_HEAD) TESTCLEARFLAG(Referenced, referenced, PF_HEAD) __SETPAGEFLAG(Referenced, referenced, PF_HEAD) _ Patches currently in -mm which might be from cai(a)lca.pw are mm-disable-kcsan-for-kmemleak.patch mm-swapfile-fix-data-races-in-try_to_unuse.patch kasan-detect-negative-size-in-memory-operation-function-fix.patch mm-vmscan-fix-data-races-at-kswapd_classzone_idx.patch percpu_counter-fix-a-data-race-at-vm_committed_as.patch mm-kmemleak-silence-kcsan-splats-in-checksum.patch mm-frontswap-mark-various-intentional-data-races.patch mm-page_io-mark-various-intentional-data-races.patch mm-page_io-mark-various-intentional-data-races-v2.patch mm-swap_state-mark-various-intentional-data-races.patch mm-swapfile-fix-and-annotate-various-data-races.patch mm-swapfile-fix-and-annotate-various-data-races-v2.patch mm-page_counter-fix-various-data-races-at-memsw.patch mm-memcontrol-fix-a-data-race-in-scan-count.patch mm-list_lru-fix-a-data-race-in-list_lru_count_one.patch mm-mempool-fix-a-data-race-in-mempool_free.patch mm-util-annotate-an-data-race-at-vm_committed_as.patch mm-rmap-annotate-a-data-race-at-tlb_flush_batched.patch mm-annotate-a-data-race-in-page_zonenum.patch mm-swap-annotate-data-races-for-lru_rotate_pvecs.patch

4 years, 9 months

1
0
0 0

[merged] mm-hotplug-fix-hot-remove-failure-in-sparsememvmemmap-case.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case has been removed from the -mm tree. Its filename was mm-hotplug-fix-hot-remove-failure-in-sparsememvmemmap-case.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Baoquan He <bhe(a)redhat.com> Subject: mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case In section_deactivate(), pfn_to_page() doesn't work any more after ms->section_mem_map is resetting to NULL in SPARSEMEM|!VMEMMAP case. It caused hot remove failure: kernel BUG at mm/page_alloc.c:4806! invalid opcode: 0000 [#1] SMP PTI CPU: 3 PID: 8 Comm: kworker/u16:0 Tainted: G W 5.5.0-next-20200205+ #340 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Workqueue: kacpi_hotplug acpi_hotplug_work_fn RIP: 0010:free_pages+0x85/0xa0 Call Trace: __remove_pages+0x99/0xc0 arch_remove_memory+0x23/0x4d try_remove_memory+0xc8/0x130 ? walk_memory_blocks+0x72/0xa0 __remove_memory+0xa/0x11 acpi_memory_device_remove+0x72/0x100 acpi_bus_trim+0x55/0x90 acpi_device_hotplug+0x2eb/0x3d0 acpi_hotplug_work_fn+0x1a/0x30 process_one_work+0x1a7/0x370 worker_thread+0x30/0x380 ? flush_rcu_work+0x30/0x30 kthread+0x112/0x130 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x35/0x40 Let's move the ->section_mem_map resetting after depopulate_section_memmap() to fix it. [akpm(a)linux-foundation.org: remove unneeded initialization, per David] Link: http://lkml.kernel.org/r/20200307084229.28251-2-bhe@redhat.com Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug") Signed-off-by: Baoquan He <bhe(a)redhat.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Pankaj Gupta <pankaj.gupta.linux(a)gmail.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Wei Yang <richardw.yang(a)linux.intel.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Mike Rapoport <rppt(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/sparse.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/mm/sparse.c~mm-hotplug-fix-hot-remove-failure-in-sparsememvmemmap-case +++ a/mm/sparse.c @@ -734,6 +734,7 @@ static void section_deactivate(unsigned struct mem_section *ms = __pfn_to_section(pfn); bool section_is_early = early_section(ms); struct page *memmap = NULL; + bool empty; unsigned long *subsection_map = ms->usage ? &ms->usage->subsection_map[0] : NULL; @@ -764,7 +765,8 @@ static void section_deactivate(unsigned * For 2/ and 3/ the SPARSEMEM_VMEMMAP={y,n} cases are unified */ bitmap_xor(subsection_map, map, subsection_map, SUBSECTIONS_PER_SECTION); - if (bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION)) { + empty = bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION); + if (empty) { unsigned long section_nr = pfn_to_section_nr(pfn); /* @@ -779,13 +781,15 @@ static void section_deactivate(unsigned ms->usage = NULL; } memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr); - ms->section_mem_map = (unsigned long)NULL; } if (section_is_early && memmap) free_map_bootmem(memmap); else depopulate_section_memmap(pfn, nr_pages, altmap); + + if (empty) + ms->section_mem_map = (unsigned long)NULL; } static struct page * __meminit section_activate(int nid, unsigned long pfn, _ Patches currently in -mm which might be from bhe(a)redhat.com are mm-sparsec-use-kvmalloc-kvfree-to-alloc-free-memmap-for-the-classic-sparse.patch mm-sparsec-allocate-memmap-preferring-the-given-node.patch mm-hotplug-only-respect-mem=-parameter-during-boot-stage.patch mm-sparsec-introduce-new-function-fill_subsection_map.patch mm-sparsec-introduce-a-new-function-clear_subsection_map.patch mm-sparsec-only-use-subsection-map-in-vmemmap-case.patch mm-sparsec-add-note-about-only-vmemmap-supporting-sub-section-hotplug.patch mm-sparsec-move-subsection_map-related-functions-together.patch mm-sparsec-move-subsection_map-related-functions-together-fix.patch

4 years, 9 months

1
0
0 0

[merged] memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event has been removed from the -mm tree. Its filename was memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Chunguang Xu <brookxu(a)tencent.com> Subject: memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event An eventfd monitors multiple memory thresholds of the cgroup, closes them, the kernel deletes all events related to this eventfd. Before all events are deleted, another eventfd monitors the memory threshold of this cgroup, leading to a crash: [135.675108] BUG: kernel NULL pointer dereference, address: 0000000000000004 [135.675350] #PF: supervisor write access in kernel mode [135.675579] #PF: error_code(0x0002) - not-present page [135.675816] PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0 [135.676080] Oops: 0002 [#1] SMP PTI [135.676332] CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3 [135.676610] Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014 [135.676909] Workqueue: events memcg_event_remove [135.677192] RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190 [135.677825] RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202 [135.678186] RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001 [135.678548] RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001 [135.678912] RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010 [135.679287] R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880 [135.679670] R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000 [135.680066] FS: 0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000 [135.680475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [135.680894] CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0 [135.681325] Call Trace: [135.681763]� memcg_event_remove+0x32/0x90 [135.682209]� process_one_work+0x172/0x380 [135.682657]� worker_thread+0x49/0x3f0 [135.683111]� kthread+0xf8/0x130 [135.683570]� ? max_active_store+0x80/0x80 [135.684034]� ? kthread_bind+0x10/0x10 [135.684506]� ret_from_fork+0x35/0x40 [135.689733] CR2: 0000000000000004 We can reproduce this problem in the following ways: 1. We create a new cgroup subdirectory and a new eventfd, and then we monitor multiple memory thresholds of the cgroup through this eventfd. 2. closing this eventfd, and __mem_cgroup_usage_unregister_event () will be called multiple times to delete all events related to this eventfd. The first time __mem_cgroup_usage_unregister_event() is called, the kernel will clear all items related to this eventfd in thresholds-> primary.Since there is currently only one eventfd, thresholds-> primary becomes empty, so the kernel will set thresholds-> primary and hresholds-> spare to NULL. If at this time, the user creates a new eventfd and monitor the memory threshold of this cgroup, kernel will re-initialize thresholds-> primary. Then when __mem_cgroup_usage_unregister_event () is called for the second time, because thresholds-> primary is not empty, the system will access thresholds-> spare, but thresholds-> spare is NULL, which will trigger a crash. In general, the longer it takes to delete all events related to this eventfd, the easier it is to trigger this problem. The solution is to check whether the thresholds associated with the eventfd has been cleared when deleting the event. If so, we do nothing. [akpm(a)linux-foundation.org: fix comment, per Kirill] Link: http://lkml.kernel.org/r/077a6f67-aefa-4591-efec-f2f3af2b0b02@gmail.com Fixes: 907860ed381a ("cgroups: make cftype.unregister_event() void-returning") Signed-off-by: Chunguang Xu <brookxu(a)tencent.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Vladimir Davydov <vdavydov.dev(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/mm/memcontrol.c~memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event +++ a/mm/memcontrol.c @@ -4027,7 +4027,7 @@ static void __mem_cgroup_usage_unregiste struct mem_cgroup_thresholds *thresholds; struct mem_cgroup_threshold_ary *new; unsigned long usage; - int i, j, size; + int i, j, size, entries; mutex_lock(&memcg->thresholds_lock); @@ -4047,14 +4047,20 @@ static void __mem_cgroup_usage_unregiste __mem_cgroup_threshold(memcg, type == _MEMSWAP); /* Calculate new number of threshold */ - size = 0; + size = entries = 0; for (i = 0; i < thresholds->primary->size; i++) { if (thresholds->primary->entries[i].eventfd != eventfd) size++; + else + entries++; } new = thresholds->spare; + /* If no items related to eventfd have been cleared, nothing to do */ + if (!entries) + goto unlock; + /* Set thresholds array to NULL if we don't have thresholds */ if (!size) { kfree(new); _ Patches currently in -mm which might be from brookxu(a)tencent.com are

4 years, 9 months

1
0
0 0

[PATCH for-rc 2/2] IB/hfi1: Call kobject_put() when kobject_init_and_add() fails

by Dennis Dalessandro

From: Kaike Wan <kaike.wan(a)intel.com> When kobject_init_and_add() returns an error in the function hfi1_create_port_files(), the function kobject_put() is not called for the corresponding kobject, which potentially leads to memory leak. This patch fixes the issue by calling kobject_put() even if kobject_init_and_add() fails. Cc: <stable(a)vger.kernel.org> Reviewed-by: Mike Marciniszyn <mike.marciniszyn(a)intel.com> Signed-off-by: Kaike Wan <kaike.wan(a)intel.com> Signed-off-by: Dennis Dalessandro <dennis.dalessandro(a)intel.com> --- drivers/infiniband/hw/hfi1/sysfs.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/hw/hfi1/sysfs.c b/drivers/infiniband/hw/hfi1/sysfs.c index f1bcecf..074ec71 100644 --- a/drivers/infiniband/hw/hfi1/sysfs.c +++ b/drivers/infiniband/hw/hfi1/sysfs.c @@ -674,7 +674,11 @@ int hfi1_create_port_files(struct ib_device *ibdev, u8 port_num, dd_dev_err(dd, "Skipping sc2vl sysfs info, (err %d) port %u\n", ret, port_num); - goto bail; + /* + * Based on the documentation for kobject_init_and_add(), the + * caller should call kobject_put even if this call fails. + */ + goto bail_sc2vl; } kobject_uevent(&ppd->sc2vl_kobj, KOBJ_ADD); @@ -684,7 +688,7 @@ int hfi1_create_port_files(struct ib_device *ibdev, u8 port_num, dd_dev_err(dd, "Skipping sl2sc sysfs info, (err %d) port %u\n", ret, port_num); - goto bail_sc2vl; + goto bail_sl2sc; } kobject_uevent(&ppd->sl2sc_kobj, KOBJ_ADD); @@ -694,7 +698,7 @@ int hfi1_create_port_files(struct ib_device *ibdev, u8 port_num, dd_dev_err(dd, "Skipping vl2mtu sysfs info, (err %d) port %u\n", ret, port_num); - goto bail_sl2sc; + goto bail_vl2mtu; } kobject_uevent(&ppd->vl2mtu_kobj, KOBJ_ADD); @@ -704,7 +708,7 @@ int hfi1_create_port_files(struct ib_device *ibdev, u8 port_num, dd_dev_err(dd, "Skipping Congestion Control sysfs info, (err %d) port %u\n", ret, port_num); - goto bail_vl2mtu; + goto bail_cc; } kobject_uevent(&ppd->pport_cc_kobj, KOBJ_ADD); @@ -742,7 +746,6 @@ int hfi1_create_port_files(struct ib_device *ibdev, u8 port_num, kobject_put(&ppd->sl2sc_kobj); bail_sc2vl: kobject_put(&ppd->sc2vl_kobj); -bail: return ret; }

4 years, 9 months

1
1
0 0

[PATCH] drm/vboxvideo: Add missing remove_conflicting_pci_framebuffers call

by Hans de Goede

The vboxvideo driver is missing a call to remove conflicting framebuffers. Surprisingly, when using legacy BIOS booting this does not really cause any issues. But when using UEFI to boot the VM then plymouth will draw on both the efifb /dev/fb0 and /dev/drm/card0 (which has registered /dev/fb1 as fbdev emulation). VirtualBox will actual display the output of both devices (I guess it is showing whatever was drawn last), this causes weird artifacts because of pitch issues in the efifb when the VM window is not sized at 1024x768 (the window will resize to its last size once the vboxvideo driver loads, changing the pitch). Adding the missing drm_fb_helper_remove_conflicting_pci_framebuffers() call fixes this. Cc: stable(a)vger.kernel.org Fixes: 2695eae1f6d3 ("drm/vboxvideo: Switch to generic fbdev emulation") Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/gpu/drm/vboxvideo/vbox_drv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/vboxvideo/vbox_drv.c b/drivers/gpu/drm/vboxvideo/vbox_drv.c index 8512d970a09f..261255085918 100644 --- a/drivers/gpu/drm/vboxvideo/vbox_drv.c +++ b/drivers/gpu/drm/vboxvideo/vbox_drv.c @@ -76,6 +76,10 @@ static int vbox_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (ret) goto err_mode_fini; + ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, "vboxvideodrmfb"); + if (ret) + goto err_irq_fini; + ret = drm_fbdev_generic_setup(&vbox->ddev, 32); if (ret) goto err_irq_fini; -- 2.26.0.rc2

4 years, 9 months

2
6
0 0

patch "amba: Initialize dma_parms for amba devices" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled amba: Initialize dma_parms for amba devices to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 5caf6102e32ead7ed5d21b5309c1a4a7d70e6a9f Mon Sep 17 00:00:00 2001 From: Ulf Hansson <ulf.hansson(a)linaro.org> Date: Wed, 25 Mar 2020 12:34:07 +0100 Subject: amba: Initialize dma_parms for amba devices It's currently the amba driver's responsibility to initialize the pointer, dma_parms, for its corresponding struct device. The benefit with this approach allows us to avoid the initialization and to not waste memory for the struct device_dma_parameters, as this can be decided on a case by case basis. However, it has turned out that this approach is not very practical. Not only does it lead to open coding, but also to real errors. In principle callers of dma_set_max_seg_size() doesn't check the error code, but just assumes it succeeds. For these reasons, let's do the initialization from the common amba bus at the device registration point. This also follows the way the PCI devices are being managed, see pci_device_add(). Cc: <stable(a)vger.kernel.org> Cc: Russell King <linux(a)armlinux.org.uk> Suggested-by: Christoph Hellwig <hch(a)lst.de> Tested-by: Ludovic Barre <ludovic.barre(a)st.com> Reviewed-by: Linus Walleij <linus.walleij(a)linaro.org> Acked-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Link: https://lore.kernel.org/r/20200325113407.26996-3-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/amba/bus.c | 2 ++ include/linux/amba/bus.h | 1 + 2 files changed, 3 insertions(+) diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c index fe1523664816..5e61783ce92d 100644 --- a/drivers/amba/bus.c +++ b/drivers/amba/bus.c @@ -374,6 +374,8 @@ static int amba_device_try_add(struct amba_device *dev, struct resource *parent) WARN_ON(dev->irq[0] == (unsigned int)-1); WARN_ON(dev->irq[1] == (unsigned int)-1); + dev->dev.dma_parms = &dev->dma_parms; + ret = request_resource(parent, &dev->res); if (ret) goto err_out; diff --git a/include/linux/amba/bus.h b/include/linux/amba/bus.h index 26f0ecf401ea..0bbfd647f5c6 100644 --- a/include/linux/amba/bus.h +++ b/include/linux/amba/bus.h @@ -65,6 +65,7 @@ struct amba_device { struct device dev; struct resource res; struct clk *pclk; + struct device_dma_parameters dma_parms; unsigned int periphid; unsigned int cid; struct amba_cs_uci_id uci; -- 2.26.0

4 years, 9 months

1
0
0 0

patch "misc: rtsx: set correct pcr_ops for rts522A" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled misc: rtsx: set correct pcr_ops for rts522A to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 10cea23b6aae15e8324f4101d785687f2c514fe5 Mon Sep 17 00:00:00 2001 From: YueHaibing <yuehaibing(a)huawei.com> Date: Thu, 26 Mar 2020 11:26:18 +0800 Subject: misc: rtsx: set correct pcr_ops for rts522A rts522a should use rts522a_pcr_ops, which is diffrent with rts5227 in phy/hw init setting. Fixes: ce6a5acc9387 ("mfd: rtsx: Add support for rts522A") Signed-off-by: YueHaibing <yuehaibing(a)huawei.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20200326032618.20472-1-yuehaibing@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/cardreader/rts5227.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/misc/cardreader/rts5227.c b/drivers/misc/cardreader/rts5227.c index 423fecc19fc4..3a9467aaa435 100644 --- a/drivers/misc/cardreader/rts5227.c +++ b/drivers/misc/cardreader/rts5227.c @@ -394,6 +394,7 @@ static const struct pcr_ops rts522a_pcr_ops = { void rts522a_init_params(struct rtsx_pcr *pcr) { rts5227_init_params(pcr); + pcr->ops = &rts522a_pcr_ops; pcr->tx_initial_phase = SET_CLOCK_PHASE(20, 20, 11); pcr->reg_pm_ctrl3 = RTS522A_PM_CTRL3; -- 2.26.0

4 years, 9 months

1
0
0 0

patch "staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback" added to staging-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the staging-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 1165dd73e811a07d947aee218510571f516081f6 Mon Sep 17 00:00:00 2001 From: Qiujun Huang <hqjagain(a)gmail.com> Date: Thu, 26 Mar 2020 21:18:50 +0800 Subject: staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback We can't handle the case length > WLAN_DATA_MAXLEN. Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312), and we can't read more than that. Thanks-to: Hillf Danton <hdanton(a)sina.com> Reported-and-tested-by: syzbot+7d42d68643a35f71ac8a(a)syzkaller.appspotmail.com Signed-off-by: Qiujun Huang <hqjagain(a)gmail.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20200326131850.17711-1-hqjagain@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/wlan-ng/hfa384x_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c index e38acb58cd5e..fa1bf8b069fd 100644 --- a/drivers/staging/wlan-ng/hfa384x_usb.c +++ b/drivers/staging/wlan-ng/hfa384x_usb.c @@ -3376,6 +3376,8 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev, WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) { pr_debug("overlen frm: len=%zd\n", skblen - sizeof(struct p80211_caphdr)); + + return; } skb = dev_alloc_skb(skblen); -- 2.26.0

4 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2020