- Linux-stable-mirror - lists.linaro.org

[PATCH] media: az6007: validate I2C message length

by Nalivayko Sergey

syzbot reports a UBSAN issue as below: UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30 index 4096 is out of range for type 'unsigned char [4096]' CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0x11c/0x160 lib/ubsan.c:453 az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821 __i2c_transfer+0x6b3/0x2190 drivers/i2c/i2c-core-base.c:2259 i2c_transfer drivers/i2c/i2c-core-base.c:2315 [inline] i2c_transfer+0x1da/0x380 drivers/i2c/i2c-core-base.c:2291 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343 i2c_master_recv include/linux/i2c.h:79 [inline] i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155 do_loop_readv_writev fs/read_write.c:845 [inline] do_loop_readv_writev fs/read_write.c:833 [inline] vfs_readv+0x6bc/0x8a0 fs/read_write.c:1018 do_preadv+0x1af/0x270 fs/read_write.c:1130 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The issue occurs because the az6007 driver does not validate the length of the received I2C message. While iterating over st->data, the index 'j' may exceed the maximum buffer size of 4096 elements. Add validation of msgs.len based on buffer length value passed to __az6007_read/write functions to prevent out-of-bounds access. Reported-by: syzbot+0192952caa411a3be209(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d8913f1760bc090ee46e\ Fixes: 71d676345698 ("[media] dvb: Add a new driver for az6007") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 65ef045b74ca..c966de4ea6e1 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -770,6 +770,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W/R addr=0x%x len=%d/%d\n", addr, msgs[i].len, msgs[i + 1].len); + if (msgs[i + 1].len + 6 > ARRAY_SIZE(st->data)) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -788,7 +792,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 || msgs[i].len - 1 > ARRAY_SIZE(st->data)) { ret = -EIO; goto err; } @@ -806,7 +810,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 || msgs[i].len + 6 > ARRAY_SIZE(st->data)) { ret = -EIO; goto err; } -- 2.39.5

4 days, 17 hours

1
0
0 0

[PATCH 5.10] ASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf()

by Alexandra Diupina

From: Takashi Iwai <tiwai(a)suse.de> commit 94c1ceb043c1a002de9649bb630c8e8347645982 upstream. snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in the buffer overflow (although it's unrealistic). This patch replaces with a safer version, scnprintf() for papering over such a potential issue. Fixes: 29c8e4398f02 ("ASoC: SOF: Intel: hda: add extended rom status dump to error log") Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Link: https://lore.kernel.org/r/20220801165420.25978-4-tiwai@suse.de Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Alexandra Diupina <adiupina(a)astralinux.ru> --- Backport fix for CVE-2022-50050 sound/soc/sof/intel/hda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c index b4cc72483137..1d879c2b81e1 100644 --- a/sound/soc/sof/intel/hda.c +++ b/sound/soc/sof/intel/hda.c @@ -437,7 +437,7 @@ static void hda_dsp_dump_ext_rom_status(struct snd_sof_dev *sdev) for (i = 0; i < HDA_EXT_ROM_STATUS_SIZE; i++) { value = snd_sof_dsp_read(sdev, HDA_DSP_BAR, HDA_DSP_SRAM_REG_ROM_STATUS + i * 0x4); - len += snprintf(msg + len, sizeof(msg) - len, " 0x%x", value); + len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value); } sof_dev_dbg_or_err(sdev->dev, hda->boot_iteration == HDA_FW_BOOT_ATTEMPTS, -- 2.30.2

4 days, 17 hours

1
0
0 0

[PATCH] PCI: j721e: Add config guards for Cadence Host and Endpoint library APIs

by Siddharth Vadapalli

Commit under Fixes enabled loadable module support for the driver under the assumption that it shall be the sole user of the Cadence Host and Endpoint library APIs. This assumption guarantees that we won't end up in a case where the driver is built-in and the library support is built as a loadable module. With the introduction of [1], this assumption is no longer valid. The SG2042 driver could be built as a loadable module, implying that the Cadence Host library is also selected as a loadable module. However, the pci-j721e.c driver could be built-in as indicated by CONFIG_PCI_J721E=y due to which the Cadence Endpoint library is built-in. Despite the library drivers being built as specified by their respective consumers, since the 'pci-j721e.c' driver has references to the Cadence Host library APIs as well, we run into a build error as reported at [0]. Fix this by adding config guards as a temporary workaround. The proper fix is to split the 'pci-j721e.c' driver into independent Host and Endpoint drivers as aligned at [2]. Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202511111705.MZ7ls8Hm-lkp@intel.com/ Cc: <stable(a)vger.kernel.org> [0]: https://lore.kernel.org/r/202511111705.MZ7ls8Hm-lkp@intel.com/ [1]: commit 1c72774df028 ("PCI: sg2042: Add Sophgo SG2042 PCIe driver") [2]: https://lore.kernel.org/r/37f6f8ce-12b2-44ee-a94c-f21b29c98821@app.fastmail… Suggested-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- drivers/pci/controller/cadence/pci-j721e.c | 43 +++++++++++++--------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 5bc5ab20aa6d..67c5e02afccf 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -628,10 +628,12 @@ static int j721e_pcie_probe(struct platform_device *pdev) gpiod_set_value_cansleep(gpiod, 1); } - ret = cdns_pcie_host_setup(rc); - if (ret < 0) { - clk_disable_unprepare(pcie->refclk); - goto err_pcie_setup; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_setup(rc); + if (ret < 0) { + clk_disable_unprepare(pcie->refclk); + goto err_pcie_setup; + } } break; @@ -642,9 +644,11 @@ static int j721e_pcie_probe(struct platform_device *pdev) goto err_get_sync; } - ret = cdns_pcie_ep_setup(ep); - if (ret < 0) - goto err_pcie_setup; + if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { + ret = cdns_pcie_ep_setup(ep); + if (ret < 0) + goto err_pcie_setup; + } break; } @@ -669,10 +673,11 @@ static void j721e_pcie_remove(struct platform_device *pdev) struct cdns_pcie_ep *ep; struct cdns_pcie_rc *rc; - if (pcie->mode == PCI_MODE_RC) { + if (IS_ENABLED(CONFIG_PCI_J721E_HOST) && + pcie->mode == PCI_MODE_RC) { rc = container_of(cdns_pcie, struct cdns_pcie_rc, pcie); cdns_pcie_host_disable(rc); - } else { + } else if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { ep = container_of(cdns_pcie, struct cdns_pcie_ep, pcie); cdns_pcie_ep_disable(ep); } @@ -739,10 +744,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) gpiod_set_value_cansleep(pcie->reset_gpio, 1); } - ret = cdns_pcie_host_link_setup(rc); - if (ret < 0) { - clk_disable_unprepare(pcie->refclk); - return ret; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_link_setup(rc); + if (ret < 0) { + clk_disable_unprepare(pcie->refclk); + return ret; + } } /* @@ -752,10 +759,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) for (enum cdns_pcie_rp_bar bar = RP_BAR0; bar <= RP_NO_BAR; bar++) rc->avail_ib_bar[bar] = true; - ret = cdns_pcie_host_init(rc); - if (ret) { - clk_disable_unprepare(pcie->refclk); - return ret; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_init(rc); + if (ret) { + clk_disable_unprepare(pcie->refclk); + return ret; + } } } -- 2.51.1

4 days, 18 hours

2
1
0 0

[REGRESSION] Bluetooth adapter provided by `btusb` not recognized since v6.13.2

by incogcyberpunk＠proton.me

#regzbot introduced: v6.13.1..v6.13.2 Distro: Arch Linux Kernel: since v6.13.2 The bluetooth adapter would be recognized and the bluetooth worked flawlessly till v6.13.1 , but since the v6.13.2 , the bluetooth adapter doesn't get recognized by the bluetooth service and therefore the bluetooth functionality doesn't work . I suspect the bluetooth's driver failing to load at the kernel-level. - The output of bluetoothctl : $: bluetoothctl Agent registered [bluetoothctl]> list [bluetoothctl]> devices No default controller available [bluetoothctl]> - The output of systemctl status bluetooth.service : ● bluetooth.service - Bluetooth service Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; preset: disabled) Active: active (running) since Sat 2025-11-15 22:57:00 +0545; 1 day 8h ago Invocation: bddf190655fd4a4290d41cde594f2efa Docs: man:bluetoothd(8) Main PID: 617 (bluetoothd) Status: "Running" Tasks: 1 (limit: 18701) Memory: 2.8M (peak: 3.8M) CPU: 38ms CGroup: /system.slice/bluetooth.service └─617 /usr/lib/bluetooth/bluetoothd Nov 15 22:57:00 Incog systemd[1]: Starting Bluetooth service... Nov 15 22:57:00 Incog bluetoothd[617]: Bluetooth daemon 5.84 Nov 15 22:57:00 Incog systemd[1]: Started Bluetooth service. Nov 15 22:57:00 Incog bluetoothd[617]: Starting SDP server Nov 15 22:57:00 Incog bluetoothd[617]: Bluetooth management interface 1.23 initialized - The output of lspci is attached below . - The logs for journalctl -b for both v6.13.1 and v6.13.2 are attached below. Regards, IncogCyberpunk

4 days, 18 hours

2
2
0 0

[PATCH] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions

by Christian Marangi

Commit 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result") introduced some kind of regression with parser on subpartitions where if a parser emits an error then the entire parsing process from the upper parser fails and partitions are deleted. Not checking for error in subpartitions was originally intended as special parser can emit error also in the case of the partition not correctly init (for example a wiped partition) or special case where the partition should be skipped due to some ENV variables externally provided (from bootloader for example) One example case is the TRX partition where, in the context of a wiped partition, returns a -ENOENT as the trx_magic is not found in the expected TRX header (as the partition is wiped) To better handle this and still keep some kind of error tracking (for example to catch -ENOMEM errors or -EINVAL errors), permit parser on subpartition to emit -ENOENT error, print a debug log and skip them accordingly. This results in giving better tracking of the status of the parser (instead of returning just 0, dropping any kind of signal that there is something wrong with the parser) and to some degree restore the original logic of the subpartitions parse. (worth to notice that some special partition might have all the special header present for the parser and declare 0 partition in it, this is why it would be wrong to simply return 0 in the case of a special partition that is NOT init for the scanning parser) Cc: stable(a)vger.kernel.org Fixes: 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/mtd/mtdpart.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c index 994e8c51e674..2876501a7814 100644 --- a/drivers/mtd/mtdpart.c +++ b/drivers/mtd/mtdpart.c @@ -425,9 +425,12 @@ int add_mtd_partitions(struct mtd_info *parent, mtd_add_partition_attrs(child); - /* Look for subpartitions */ + /* Look for subpartitions (skip if no maching parser found) */ ret = parse_mtd_partitions(child, parts[i].types, NULL); - if (ret < 0) { + if (ret < 0 && ret == -ENOENT) { + pr_debug("Skip parsing subpartitions: %d\n", ret); + continue; + } else if (ret < 0) { pr_err("Failed to parse subpartitions: %d\n", ret); goto err_del_partitions; } -- 2.51.0

4 days, 18 hours

2
4
0 0

[PATCH] can: rcar_canfd: Fix controller mode setting for RZ/G2L SoCs

by Biju

From: Biju Das <biju.das.jz(a)bp.renesas.com> The commit 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting") applies to all SoCs except the RZ/G2L family of SoCs. As per RZ/G2L hardware manual "Figure 28.16 CAN Setting Procedure after the MCU is Reset" CAN mode needs to be set before channel reset. Add the mode_before_ch_rst variable to struct rcar_canfd_hw_info to handle this difference. The above commit also breaks CANFD functionality on RZ/G3E. Adapt this change to RZ/G3E, as well as it works ok by following the initialisation sequence of RZ/G2L. Fixes: 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- drivers/net/can/rcar/rcar_canfd.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c index 49ab65274b51..1724fa5dace6 100644 --- a/drivers/net/can/rcar/rcar_canfd.c +++ b/drivers/net/can/rcar/rcar_canfd.c @@ -444,6 +444,7 @@ struct rcar_canfd_hw_info { unsigned ch_interface_mode:1; /* Has channel interface mode */ unsigned shared_can_regs:1; /* Has shared classical can registers */ unsigned external_clk:1; /* Has external clock */ + unsigned mode_before_ch_rst:1; /* Has set mode before channel reset */ }; /* Channel priv data */ @@ -615,6 +616,7 @@ static const struct rcar_canfd_hw_info rcar_gen3_hw_info = { .ch_interface_mode = 0, .shared_can_regs = 0, .external_clk = 1, + .mode_before_ch_rst = 0, }; static const struct rcar_canfd_hw_info rcar_gen4_hw_info = { @@ -632,6 +634,7 @@ static const struct rcar_canfd_hw_info rcar_gen4_hw_info = { .ch_interface_mode = 1, .shared_can_regs = 1, .external_clk = 1, + .mode_before_ch_rst = 0, }; static const struct rcar_canfd_hw_info rzg2l_hw_info = { @@ -649,6 +652,7 @@ static const struct rcar_canfd_hw_info rzg2l_hw_info = { .ch_interface_mode = 0, .shared_can_regs = 0, .external_clk = 1, + .mode_before_ch_rst = 1, }; static const struct rcar_canfd_hw_info r9a09g047_hw_info = { @@ -666,6 +670,7 @@ static const struct rcar_canfd_hw_info r9a09g047_hw_info = { .ch_interface_mode = 1, .shared_can_regs = 1, .external_clk = 0, + .mode_before_ch_rst = 1, }; /* Helper functions */ @@ -806,6 +811,10 @@ static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv) /* Reset Global error flags */ rcar_canfd_write(gpriv->base, RCANFD_GERFL, 0x0); + /* RZ/G2L SoC needs setting the mode before channel reset */ + if (gpriv->info->mode_before_ch_rst) + rcar_canfd_set_mode(gpriv); + /* Transition all Channels to reset mode */ for_each_set_bit(ch, &gpriv->channels_mask, gpriv->info->max_channels) { rcar_canfd_clear_bit(gpriv->base, @@ -826,7 +835,8 @@ static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv) } /* Set the controller into appropriate mode */ - rcar_canfd_set_mode(gpriv); + if (!gpriv->info->mode_before_ch_rst) + rcar_canfd_set_mode(gpriv); return 0; } -- 2.43.0

4 days, 19 hours

4
6
0 0

[PATCH] PCI: cadence: Kconfig: change PCIE_CADENCE configs from tristate to bool

by Siddharth Vadapalli

The drivers associated with the PCIE_CADENCE, PCIE_CADENCE_HOST AND PCIE_CADENCE_EP configs are used by multiple vendor drivers and serve as a library of helpers. Since the vendor drivers could individually be built as built-in or as loadable modules, it is possible to select a build configuration wherein a vendor driver is built-in while the library is built as a loadable module. This will result in a build error as reported in the 'Closes' link below. Address the build error by changing the library configs to be 'bool' instead of 'tristate'. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202511111705.MZ7ls8Hm-lkp@intel.com/ Fixes: 1c72774df028 ("PCI: sg2042: Add Sophgo SG2042 PCIe driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- drivers/pci/controller/cadence/Kconfig | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/pci/controller/cadence/Kconfig b/drivers/pci/controller/cadence/Kconfig index 02a639e55fd8..980da64ce730 100644 --- a/drivers/pci/controller/cadence/Kconfig +++ b/drivers/pci/controller/cadence/Kconfig @@ -4,16 +4,16 @@ menu "Cadence-based PCIe controllers" depends on PCI config PCIE_CADENCE - tristate + bool config PCIE_CADENCE_HOST - tristate + bool depends on OF select IRQ_DOMAIN select PCIE_CADENCE config PCIE_CADENCE_EP - tristate + bool depends on OF depends on PCI_ENDPOINT select PCIE_CADENCE -- 2.51.1

4 days, 20 hours

4
11
0 0

[PATCH 6.12.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index fb0307723da6..44764720b6d8 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1758,7 +1758,7 @@ void __percpu *pcpu_alloc_noprof(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2203,7 +2203,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2214,6 +2219,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

4 days, 20 hours

1
0
0 0

[PATCH 6.6.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index 38d5121c2b65..54c2988a7496 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1734,7 +1734,7 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2231,7 +2231,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2242,6 +2247,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

4 days, 20 hours

1
0
0 0

[PATCH 6.1.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index 39e645dfd46c..651101c895ed 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1737,7 +1737,7 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2237,7 +2237,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2248,6 +2253,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

4 days, 20 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror