July 2023 - Linux-stable-mirror

[merged mm-hotfixes-stable] revert-um-use-swap-to-make-code-cleaner.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: Revert "um: Use swap() to make code cleaner" has been removed from the -mm tree. Its filename was revert-um-use-swap-to-make-code-cleaner.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Subject: Revert "um: Use swap() to make code cleaner" Date: Mon, 24 Jul 2023 17:31:31 +0300 This reverts commit 9b0da3f22307af693be80f5d3a89dc4c7f360a85. The sigio.c is clearly user space code which is handled by arch/um/scripts/Makefile.rules (see USER_OBJS rule). The above mentioned commit simply broke this agreement, we may not use Linux kernel internal headers in them without thorough thinking. Hence, revert the wrong commit. Link: https://lkml.kernel.org/r/20230724143131.30090-1-andriy.shevchenko@linux.in… Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202307212304.cH79zJp1-lkp@intel.com/ Cc: Anton Ivanov <anton.ivanov(a)cambridgegreys.com> Cc: Herve Codina <herve.codina(a)bootlin.com> Cc: Jason A. Donenfeld <Jason(a)zx2c4.com> Cc: Johannes Berg <johannes(a)sipsolutions.net> Cc: Rasmus Villemoes <linux(a)rasmusvillemoes.dk> Cc: Richard Weinberger <richard(a)nod.at> Cc: Yang Guang <yang.guang5(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/um/os-Linux/sigio.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/arch/um/os-Linux/sigio.c~revert-um-use-swap-to-make-code-cleaner +++ a/arch/um/os-Linux/sigio.c @@ -3,7 +3,6 @@ * Copyright (C) 2002 - 2008 Jeff Dike (jdike(a){addtoit,linux.intel}.com) */ -#include <linux/minmax.h> #include <unistd.h> #include <errno.h> #include <fcntl.h> @@ -51,7 +50,7 @@ static struct pollfds all_sigio_fds; static int write_sigio_thread(void *unused) { - struct pollfds *fds; + struct pollfds *fds, tmp; struct pollfd *p; int i, n, respond_fd; char c; @@ -78,7 +77,9 @@ static int write_sigio_thread(void *unus "write_sigio_thread : " "read on socket failed, " "err = %d\n", errno); - swap(current_poll, next_poll); + tmp = current_poll; + current_poll = next_poll; + next_poll = tmp; respond_fd = sigio_private[1]; } else { _ Patches currently in -mm which might be from andriy.shevchenko(a)linux.intel.com are kernelh-split-out-count_args-and-concatenate-to-argsh.patch x86-asm-replace-custom-count_args-concatenate-implementations.patch arm64-smccc-replace-custom-count_args-concatenate-implementations.patch genetlink-replace-custom-concatenate-implementation.patch

1 year, 10 months

1
0
0 0

[PATCH] firmware: Fix an NULL vs IS_ERR() bug in probe

by Dinh Nguyen

From: Wang Ming <machel(a)vivo.com> The devm_memremap() function returns error pointers. It never returns NULL. Fix the check. Fixes: 7ca5ce896524 ("firmware: add Intel Stratix10 service layer driver") Cc: stable(a)vger.kernel.org Signed-off-by: Wang Ming <machel(a)vivo.com> Signed-off-by: Dinh Nguyen <dinguyen(a)kernel.org> --- drivers/firmware/stratix10-svc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c index 260695a8a9e6..c693da60e9a9 100644 --- a/drivers/firmware/stratix10-svc.c +++ b/drivers/firmware/stratix10-svc.c @@ -774,7 +774,7 @@ svc_create_memory_pool(struct platform_device *pdev, paddr = begin; size = end - begin; va = devm_memremap(dev, paddr, size, MEMREMAP_WC); - if (!va) { + if (IS_ERR(va)) { dev_err(dev, "fail to remap shared memory\n"); return ERR_PTR(-EINVAL); } -- 2.25.1

1 year, 10 months

1
0
0 0

[PATCH v1] usb: typec: bus: verify partner exists in typec_altmode_attention

by RD Babiera

Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. type_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. This patch verifies the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver. It also changes the return type from void to int so errors can be logged at the tcpm level. Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") Cc: stable(a)vger.kernel.org Signed-off-by: RD Babiera <rdbabiera(a)google.com> --- drivers/usb/typec/bus.c | 12 ++++++++++-- drivers/usb/typec/tcpm/tcpm.c | 5 ++++- include/linux/usb/typec_altmode.h | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c index fe5b9a2e61f5..2f1823e16b3b 100644 --- a/drivers/usb/typec/bus.c +++ b/drivers/usb/typec/bus.c @@ -183,12 +183,20 @@ EXPORT_SYMBOL_GPL(typec_altmode_exit); * * Notifies the partner of @adev about Attention command. */ -void typec_altmode_attention(struct typec_altmode *adev, u32 vdo) +int typec_altmode_attention(struct typec_altmode *adev, u32 vdo) { - struct typec_altmode *pdev = &to_altmode(adev)->partner->adev; + struct altmode *partner = to_altmode(adev)->partner; + struct typec_altmode *pdev = &partner->adev; + + if (!partner || !pdev) + return -ENODEV; if (pdev->ops && pdev->ops->attention) pdev->ops->attention(pdev, vdo); + else + return -EOPNOTSUPP; + + return 0; } EXPORT_SYMBOL_GPL(typec_altmode_attention); diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 829d75ebab42..be37a662e54d 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -1791,6 +1791,7 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port, u32 p[PD_MAX_PAYLOAD]; u32 response[8] = { }; int i, rlen = 0; + int ret; for (i = 0; i < cnt; i++) p[i] = le32_to_cpu(payload[i]); @@ -1877,7 +1878,9 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port, } break; case ADEV_ATTENTION: - typec_altmode_attention(adev, p[1]); + ret = typec_altmode_attention(adev, p[1]); + if (ret) + tcpm_log(port, "altmode_attention failed ret:%d", ret); break; } } diff --git a/include/linux/usb/typec_altmode.h b/include/linux/usb/typec_altmode.h index 350d49012659..28aeef8f9e7b 100644 --- a/include/linux/usb/typec_altmode.h +++ b/include/linux/usb/typec_altmode.h @@ -67,7 +67,7 @@ struct typec_altmode_ops { int typec_altmode_enter(struct typec_altmode *altmode, u32 *vdo); int typec_altmode_exit(struct typec_altmode *altmode); -void typec_altmode_attention(struct typec_altmode *altmode, u32 vdo); +int typec_altmode_attention(struct typec_altmode *altmode, u32 vdo); int typec_altmode_vdm(struct typec_altmode *altmode, const u32 header, const u32 *vdo, int count); int typec_altmode_notify(struct typec_altmode *altmode, unsigned long conf, base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c -- 2.41.0.487.g6d72f3e995-goog

1 year, 10 months

2
2
0 0

[PATCH 4/4] vdpa: Enable strict validation for netlinks ops

by Dragos Tatulea

The previous patches added the missing nla policies that were required for validation to work. Now strict validation on netlink ops can be enabled. This patch does it. Signed-off-by: Dragos Tatulea <dtatulea(a)nvidia.com> Cc: stable(a)vger.kernel.org --- drivers/vdpa/vdpa.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c index f2f654fd84e5..a7612e0783b3 100644 --- a/drivers/vdpa/vdpa.c +++ b/drivers/vdpa/vdpa.c @@ -1257,37 +1257,31 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = { static const struct genl_ops vdpa_nl_ops[] = { { .cmd = VDPA_CMD_MGMTDEV_GET, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_mgmtdev_get_doit, .dumpit = vdpa_nl_cmd_mgmtdev_get_dumpit, }, { .cmd = VDPA_CMD_DEV_NEW, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_dev_add_set_doit, .flags = GENL_ADMIN_PERM, }, { .cmd = VDPA_CMD_DEV_DEL, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_dev_del_set_doit, .flags = GENL_ADMIN_PERM, }, { .cmd = VDPA_CMD_DEV_GET, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_dev_get_doit, .dumpit = vdpa_nl_cmd_dev_get_dumpit, }, { .cmd = VDPA_CMD_DEV_CONFIG_GET, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_dev_config_get_doit, .dumpit = vdpa_nl_cmd_dev_config_get_dumpit, }, { .cmd = VDPA_CMD_DEV_VSTATS_GET, - .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, .doit = vdpa_nl_cmd_dev_stats_get_doit, .flags = GENL_ADMIN_PERM, }, -- 2.41.0

1 year, 10 months

1
0
0 0

[PATCH 3/4] vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check

by Dragos Tatulea

From: Lin Ma <linma(a)zju.edu.cn> The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa max vqp attr to avoid such bugs. Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout") Signed-off-by: Lin Ma <linma(a)zju.edu.cn> Cc: stable(a)vger.kernel.org --- drivers/vdpa/vdpa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c index 75f1df2b9d2a..f2f654fd84e5 100644 --- a/drivers/vdpa/vdpa.c +++ b/drivers/vdpa/vdpa.c @@ -1247,6 +1247,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = { [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING }, [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING }, [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR, + [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 }, /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */ [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68), [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 }, -- 2.41.0

1 year, 10 months

1
0
0 0

[PATCH 1/4] vdpa: Add features attr to vdpa_nl_policy for nlattr length check

by Dragos Tatulea

From: Lin Ma <linma(a)zju.edu.cn> The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa features attr to avoid such bugs. Fixes: 90fea5a800c3 ("vdpa: device feature provisioning") Signed-off-by: Lin Ma <linma(a)zju.edu.cn> Cc: stable(a)vger.kernel.org --- drivers/vdpa/vdpa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c index 965e32529eb8..3ad355a2208a 100644 --- a/drivers/vdpa/vdpa.c +++ b/drivers/vdpa/vdpa.c @@ -1249,6 +1249,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = { [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR, /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */ [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68), + [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 }, }; static const struct genl_ops vdpa_nl_ops[] = { -- 2.41.0

1 year, 10 months

1
0
0 0

[PATCH 4.14] net/sched: cls_fw: Fix improper refcount update leads to use-after-free

by SeongJae Park

From: M A Ramdhan <ramdhan(a)starlabs.sg> [ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ] In the event of a failure in tcf_change_indev(), fw_set_parms() will immediately return an error after incrementing or decrementing reference counter in tcf_bind_filter(). If attacker can control reference counter to zero and make reference freed, leading to use after free. In order to prevent this, move the point of possible failure above the point where the TC_FW_CLASSID is handled. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: M A Ramdhan <ramdhan(a)starlabs.sg> Signed-off-by: M A Ramdhan <ramdhan(a)starlabs.sg> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Reviewed-by: Pedro Tammela <pctammela(a)mojatatu.com> Message-ID: <20230705161530.52003-1-ramdhan(a)starlabs.sg> Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: SeongJae Park <sj(a)kernel.org> --- net/sched/cls_fw.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c index 7f45e5ab8afcd..e63f9c2e37e50 100644 --- a/net/sched/cls_fw.c +++ b/net/sched/cls_fw.c @@ -225,11 +225,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, if (err < 0) return err; - if (tb[TCA_FW_CLASSID]) { - f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); - tcf_bind_filter(tp, &f->res, base); - } - #ifdef CONFIG_NET_CLS_IND if (tb[TCA_FW_INDEV]) { int ret; @@ -248,6 +243,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, } else if (head->mask != 0xFFFFFFFF) return err; + if (tb[TCA_FW_CLASSID]) { + f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); + tcf_bind_filter(tp, &f->res, base); + } + return 0; } -- 2.40.1

1 year, 10 months

1
0
0 0

+ mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: memory-failure: avoid false hwpoison page mapped error info has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm: memory-failure: avoid false hwpoison page mapped error info Date: Thu, 27 Jul 2023 19:56:42 +0800 folio->_mapcount is overloaded in SLAB, so folio_mapped() has to be done after folio_test_slab() is checked. Otherwise slab folio might be treated as a mapped folio leading to false 'Someone maps the hwpoison page' error info. Link: https://lkml.kernel.org/r/20230727115643.639741-4-linmiaohe@huawei.com Fixes: 230ac719c500 ("mm/hwpoison: don't try to unpoison containment-failed pages") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Acked-by: Naoya Horiguchi <naoya.horiguchi(a)nec.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info +++ a/mm/memory-failure.c @@ -2499,6 +2499,13 @@ int unpoison_memory(unsigned long pfn) goto unlock_mutex; } + if (folio_test_slab(folio) || PageTable(&folio->page) || folio_test_reserved(folio)) + goto unlock_mutex; + + /* + * Note that folio->_mapcount is overloaded in SLAB, so the simple test + * in folio_mapped() has to be done after folio_test_slab() is checked. + */ if (folio_mapped(folio)) { unpoison_pr_info("Unpoison: Someone maps the hwpoison page %#lx\n", pfn, &unpoison_rs); @@ -2511,9 +2518,6 @@ int unpoison_memory(unsigned long pfn) goto unlock_mutex; } - if (folio_test_slab(folio) || PageTable(&folio->page) || folio_test_reserved(folio)) - goto unlock_mutex; - ghp = get_hwpoison_page(p, MF_UNPOISON); if (!ghp) { if (PageHuge(p)) { _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page.patch mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory.patch mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info.patch mm-memory-failure-add-pageoffline-check.patch mm-mm_initc-update-obsolete-comment-in-get_pfn_range_for_nid.patch mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch mm-memory-failure-fix-potential-page-refcnt-leak-in-memory_failure.patch mm-memory-failure-remove-unneeded-page-state-check-in-shake_page.patch memory-tier-use-helper-function-destroy_memory_type.patch mm-memory-failure-remove-unneeded-inline-annotation.patch mm-mm_initc-remove-obsolete-macro-hash_small.patch mm-page_alloc-avoid-false-page-outside-zone-error-info.patch memory-tier-rename-destroy_memory_type-to-put_memory_type.patch mm-remove-obsolete-comment-above-struct-per_cpu_pages.patch mm-memcg-minor-cleanup-for-mem_cgroup_id_max.patch mm-memory-failure-remove-unneeded-pagehuge-check.patch mm-memory-failure-ensure-moving-hwpoison-flag-to-the-raw-error-pages.patch mm-memory-failure-dont-account-hwpoison_filter-filtered-pages.patch mm-memory-failure-use-local-variable-huge-to-check-hugetlb-page.patch mm-memory-failure-remove-unneeded-header-files.patch mm-memory-failure-minor-cleanup-for-comments-and-codestyle.patch mm-memory-failure-fetch-compound-head-after-extra-page-refcnt-is-held.patch mm-memory-failure-fix-race-window-when-trying-to-get-hugetlb-folio.patch mm-huge_memory-use-rmap_none-when-calling-page_add_anon_rmap.patch mm-memcg-fix-obsolete-comment-above-mem_cgroup_max_reclaim_loops.patch mm-memcg-minor-cleanup-for-mc_handle_present_pte.patch memory-tier-use-helper-macro-__attr_rw.patch mm-fix-obsolete-function-name-above-debug_pagealloc_enabled_static.patch mm-mprotect-fix-obsolete-function-name-in-change_pte_range.patch mm-memcg-fix-obsolete-function-name-in-mem_cgroup_protection.patch

1 year, 10 months

1
0
0 0

+ mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: memory-failure: fix potential unexpected return value from unpoison_memory() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm: memory-failure: fix potential unexpected return value from unpoison_memory() Date: Thu, 27 Jul 2023 19:56:41 +0800 If unpoison_memory() fails to clear page hwpoisoned flag, return value ret is expected to be -EBUSY. But when get_hwpoison_page() returns 1 and fails to clear page hwpoisoned flag due to races, return value will be unexpected 1 leading to users being confused. And there's a code smell that the variable "ret" is used not only to save the return value of unpoison_memory(), but also the return value from get_hwpoison_page(). Make a further cleanup by using another auto-variable solely to save the return value of get_hwpoison_page() as suggested by Naoya. Link: https://lkml.kernel.org/r/20230727115643.639741-3-linmiaohe@huawei.com Fixes: bf181c582588 ("mm/hwpoison: fix unpoison_memory()") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Naoya Horiguchi <naoya.horiguchi(a)nec.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory +++ a/mm/memory-failure.c @@ -2466,7 +2466,7 @@ int unpoison_memory(unsigned long pfn) { struct folio *folio; struct page *p; - int ret = -EBUSY; + int ret = -EBUSY, ghp; unsigned long count = 1; bool huge = false; static DEFINE_RATELIMIT_STATE(unpoison_rs, DEFAULT_RATELIMIT_INTERVAL, @@ -2514,29 +2514,28 @@ int unpoison_memory(unsigned long pfn) if (folio_test_slab(folio) || PageTable(&folio->page) || folio_test_reserved(folio)) goto unlock_mutex; - ret = get_hwpoison_page(p, MF_UNPOISON); - if (!ret) { + ghp = get_hwpoison_page(p, MF_UNPOISON); + if (!ghp) { if (PageHuge(p)) { huge = true; count = folio_free_raw_hwp(folio, false); - if (count == 0) { - ret = -EBUSY; + if (count == 0) goto unlock_mutex; - } } ret = folio_test_clear_hwpoison(folio) ? 0 : -EBUSY; - } else if (ret < 0) { - if (ret == -EHWPOISON) { + } else if (ghp < 0) { + if (ghp == -EHWPOISON) { ret = put_page_back_buddy(p) ? 0 : -EBUSY; - } else + } else { + ret = ghp; unpoison_pr_info("Unpoison: failed to grab page %#lx\n", pfn, &unpoison_rs); + } } else { if (PageHuge(p)) { huge = true; count = folio_free_raw_hwp(folio, false); if (count == 0) { - ret = -EBUSY; folio_put(folio); goto unlock_mutex; } _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page.patch mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory.patch mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info.patch mm-memory-failure-add-pageoffline-check.patch mm-mm_initc-update-obsolete-comment-in-get_pfn_range_for_nid.patch mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch mm-memory-failure-fix-potential-page-refcnt-leak-in-memory_failure.patch mm-memory-failure-remove-unneeded-page-state-check-in-shake_page.patch memory-tier-use-helper-function-destroy_memory_type.patch mm-memory-failure-remove-unneeded-inline-annotation.patch mm-mm_initc-remove-obsolete-macro-hash_small.patch mm-page_alloc-avoid-false-page-outside-zone-error-info.patch memory-tier-rename-destroy_memory_type-to-put_memory_type.patch mm-remove-obsolete-comment-above-struct-per_cpu_pages.patch mm-memcg-minor-cleanup-for-mem_cgroup_id_max.patch mm-memory-failure-remove-unneeded-pagehuge-check.patch mm-memory-failure-ensure-moving-hwpoison-flag-to-the-raw-error-pages.patch mm-memory-failure-dont-account-hwpoison_filter-filtered-pages.patch mm-memory-failure-use-local-variable-huge-to-check-hugetlb-page.patch mm-memory-failure-remove-unneeded-header-files.patch mm-memory-failure-minor-cleanup-for-comments-and-codestyle.patch mm-memory-failure-fetch-compound-head-after-extra-page-refcnt-is-held.patch mm-memory-failure-fix-race-window-when-trying-to-get-hugetlb-folio.patch mm-huge_memory-use-rmap_none-when-calling-page_add_anon_rmap.patch mm-memcg-fix-obsolete-comment-above-mem_cgroup_max_reclaim_loops.patch mm-memcg-minor-cleanup-for-mc_handle_present_pte.patch memory-tier-use-helper-macro-__attr_rw.patch mm-fix-obsolete-function-name-above-debug_pagealloc_enabled_static.patch mm-mprotect-fix-obsolete-function-name-in-change_pte_range.patch mm-memcg-fix-obsolete-function-name-in-mem_cgroup_protection.patch

1 year, 10 months

1
0
0 0

+ mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/swapfile: fix wrong swap entry type for hwpoisoned swapcache page has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/swapfile: fix wrong swap entry type for hwpoisoned swapcache page Date: Thu, 27 Jul 2023 19:56:40 +0800 Patch series "A few fixup patches for mm", v2. This series contains a few fixup patches to fix potential unexpected return value, fix wrong swap entry type for hwpoisoned swapcache page and so on. More details can be found in the respective changelogs. This patch (of 4): Hwpoisoned dirty swap cache page is kept in the swap cache and there's simple interception code in do_swap_page() to catch it. But when trying to swapoff, unuse_pte() will wrongly install a general sense of "future accesses are invalid" swap entry for hwpoisoned swap cache page due to unaware of such type of page. The user will receive SIGBUS signal without expected BUS_MCEERR_AR payload. BTW, typo 'hwposioned' is fixed. Link: https://lkml.kernel.org/r/20230727115643.639741-1-linmiaohe@huawei.com Link: https://lkml.kernel.org/r/20230727115643.639741-2-linmiaohe@huawei.com Fixes: 6b970599e807 ("mm: hwpoison: support recovery from ksm_might_need_to_copy()") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Naoya Horiguchi <naoya.horiguchi(a)nec.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/ksm.c | 2 ++ mm/swapfile.c | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) --- a/mm/ksm.c~mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page +++ a/mm/ksm.c @@ -2784,6 +2784,8 @@ struct page *ksm_might_need_to_copy(stru anon_vma->root == vma->anon_vma->root) { return page; /* still no need to copy it */ } + if (PageHWPoison(page)) + return ERR_PTR(-EHWPOISON); if (!PageUptodate(page)) return page; /* let do_swap_page report the error */ --- a/mm/swapfile.c~mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page +++ a/mm/swapfile.c @@ -1746,7 +1746,7 @@ static int unuse_pte(struct vm_area_stru struct page *swapcache; spinlock_t *ptl; pte_t *pte, new_pte, old_pte; - bool hwposioned = false; + bool hwpoisoned = PageHWPoison(page); int ret = 1; swapcache = page; @@ -1754,7 +1754,7 @@ static int unuse_pte(struct vm_area_stru if (unlikely(!page)) return -ENOMEM; else if (unlikely(PTR_ERR(page) == -EHWPOISON)) - hwposioned = true; + hwpoisoned = true; pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl); if (unlikely(!pte || !pte_same_as_swp(ptep_get(pte), @@ -1765,11 +1765,11 @@ static int unuse_pte(struct vm_area_stru old_pte = ptep_get(pte); - if (unlikely(hwposioned || !PageUptodate(page))) { + if (unlikely(hwpoisoned || !PageUptodate(page))) { swp_entry_t swp_entry; dec_mm_counter(vma->vm_mm, MM_SWAPENTS); - if (hwposioned) { + if (hwpoisoned) { swp_entry = make_hwpoison_entry(swapcache); page = swapcache; } else { _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are mm-swapfile-fix-wrong-swap-entry-type-for-hwpoisoned-swapcache-page.patch mm-memory-failure-fix-potential-unexpected-return-value-from-unpoison_memory.patch mm-memory-failure-avoid-false-hwpoison-page-mapped-error-info.patch mm-memory-failure-add-pageoffline-check.patch mm-mm_initc-update-obsolete-comment-in-get_pfn_range_for_nid.patch mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch mm-memory-failure-fix-potential-page-refcnt-leak-in-memory_failure.patch mm-memory-failure-remove-unneeded-page-state-check-in-shake_page.patch memory-tier-use-helper-function-destroy_memory_type.patch mm-memory-failure-remove-unneeded-inline-annotation.patch mm-mm_initc-remove-obsolete-macro-hash_small.patch mm-page_alloc-avoid-false-page-outside-zone-error-info.patch memory-tier-rename-destroy_memory_type-to-put_memory_type.patch mm-remove-obsolete-comment-above-struct-per_cpu_pages.patch mm-memcg-minor-cleanup-for-mem_cgroup_id_max.patch mm-memory-failure-remove-unneeded-pagehuge-check.patch mm-memory-failure-ensure-moving-hwpoison-flag-to-the-raw-error-pages.patch mm-memory-failure-dont-account-hwpoison_filter-filtered-pages.patch mm-memory-failure-use-local-variable-huge-to-check-hugetlb-page.patch mm-memory-failure-remove-unneeded-header-files.patch mm-memory-failure-minor-cleanup-for-comments-and-codestyle.patch mm-memory-failure-fetch-compound-head-after-extra-page-refcnt-is-held.patch mm-memory-failure-fix-race-window-when-trying-to-get-hugetlb-folio.patch mm-huge_memory-use-rmap_none-when-calling-page_add_anon_rmap.patch mm-memcg-fix-obsolete-comment-above-mem_cgroup_max_reclaim_loops.patch mm-memcg-minor-cleanup-for-mc_handle_present_pte.patch memory-tier-use-helper-macro-__attr_rw.patch mm-fix-obsolete-function-name-above-debug_pagealloc_enabled_static.patch mm-mprotect-fix-obsolete-function-name-in-change_pte_range.patch mm-memcg-fix-obsolete-function-name-in-mem_cgroup_protection.patch

1 year, 10 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2023