
Merge tag 'mm-hotfixes-stable-2024-09-19-00-31' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull misc hotfixes from Andrew Morton:
"12 hotfixes, 11 of which are cc:stable.

Four fixes for longstanding ocfs2 issues and the remainder address
random MM things"

* tag 'mm-hotfixes-stable-2024-09-19-00-31' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/madvise: process_madvise() drop capability check if same mm
mm/huge_memory: ensure huge_zero_folio won't have large_rmappable flag set
mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway
mm: change vmf_anon_prepare() to __vmf_anon_prepare()
resource: fix region_intersects() vs add_memory_driver_managed()
zsmalloc: use unique zsmalloc caches names
mm/damon/vaddr: protect vma traversal in __damon_va_thre_regions() with rcu read lock
mm: vmscan.c: fix OOM on swap stress test
ocfs2: cancel dqi_sync_work before freeing oinfo
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
ocfs2: fix null-ptr-deref when journal load failed.

+117 -32
+2 -2
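--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -235,7 +235,6 @@
 if (bhs[i] == NULL) {
 bhs[i] = sb_getblk(sb, block++);
 if (bhs[i] == NULL) {
-ocfs2_metadata_cache_io_unlock(ci);
 status = -ENOMEM;
 mlog_errno(status);
 /* Don't forget to put previous bh! */
@@ -389,7 +388,8 @@
 /* Always set the buffer in the cache, even if it was
  * a forced read, or read-ahead which hasn't yet
  * completed. */
-ocfs2_set_buffer_uptodate(ci, bh);
+if (bh)
+ocfs2_set_buffer_uptodate(ci, bh);
 }
 ocfs2_metadata_cache_io_unlock(ci);
 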
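Review bot: The comment directly above the new `if (bh)` guard still says the buffer is always set in the cache, which is no longer true when `bh` is NULL. I would reword it along the lines of `/* Set the buffer in the cache whenever we still hold one, even for a forced read or unfinished read-ahead. */` so a later reader does not remove the guard as redundant. The path on which `bh` becomes NULL is outside this hunk, so the comment should also name it once confirmed against the full function. Both hunks sit in function bodies that start and end outside the shown context.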
+4 -3
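--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -1055,7 +1055,7 @@
 if (!igrab(inode))
 BUG();
 
-num_running_trans = atomic_read(&(osb->journal->j_num_trans));
+num_running_trans = atomic_read(&(journal->j_num_trans));
 trace_ocfs2_journal_shutdown(num_running_trans);
 
 /* Do a commit_cache here. It will flush our journal, *and*
@@ -1074,9 +1074,10 @@
 osb->commit_task = NULL;
 }
 
-BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0);
+BUG_ON(atomic_read(&(journal->j_num_trans)) != 0);
 
-if (ocfs2_mount_local(osb)) {
+if (ocfs2_mount_local(osb) &&
+(journal->j_journal->j_flags & JBD2_LOADED)) {
 jbd2_journal_lock_updates(journal->j_journal);
 status = jbd2_journal_flush(journal->j_journal, 0);
 jbd2_journal_unlock_updates(journal->j_journal);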
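Review bot: The new condition in the second hunk reads `journal->j_journal->j_flags` without a NULL check on `j_journal` and without a comment saying why a local mount can reach shutdown with an unloaded journal. Where `j_journal` is assigned is not visible in this hunk, so confirm it cannot be NULL on the failed-load path this fix targets. A short comment above the `if`, such as `/* Skip the flush when the journal was never loaded. */`, would record the intent. The function body starts and ends outside the hunk.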
+6 -2
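--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -692,7 +692,7 @@
 int status;
 struct buffer_head *bh = NULL;
 struct ocfs2_quota_recovery *rec;
-int locked = 0;
+int locked = 0, global_read = 0;
 
 info->dqi_max_spc_limit = 0x7fffffffffffffffLL;
 info->dqi_max_ino_limit = 0x7fffffffffffffffLL;
@@ -700,6 +700,7 @@
 if (!oinfo) {
 mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota"
 " info.");
+status = -ENOMEM;
 goto out_err;
 }
 info->dqi_priv = oinfo;
@@ -712,6 +713,7 @@
 status = ocfs2_global_read_info(sb, type);
 if (status < 0)
 goto out_err;
+global_read = 1;
 
 status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1);
 if (status < 0) {
@@ -782,10 +784,12 @@
 if (locked)
 ocfs2_inode_unlock(lqinode, 1);
 ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk);
+if (global_read)
+cancel_delayed_work_sync(&oinfo->dqi_sync_work);
 kfree(oinfo);
 }
 brelse(bh);
-return -1;
+return status;
 }
 
 /* Write local info to quota file */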
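Review bot: Now that the error path ends in `return status;` instead of `return -1;`, every `goto out_err` has to set `status` to a negative errno first, yet `int status;` in the first hunk is still declared without an initializer. The commit covers the `!oinfo` case with `status = -ENOMEM;`, but the remaining jumps to `out_err` lie between the shown hunks and cannot be checked from this page. Any of them that leaves `status` at 0 or unset would report success to the caller after `oinfo` has been freed, so they need the same audit. A comment at `out_err:` stating `/* status must hold a negative errno here */` would make the requirement visible.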
+50 -8
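--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -540,20 +540,62 @@
 size_t size, unsigned long flags,
 unsigned long desc)
 {
-struct resource res;
+resource_size_t ostart, oend;
 int type = 0; int other = 0;
-struct resource *p;
+struct resource *p, *dp;
+bool is_type, covered;
+struct resource res;
 
 res.start = start;
 res.end = start + size - 1;
 
 for (p = parent->child; p ; p = p->sibling) {
-bool is_type = (((p->flags & flags) == flags) &&
-((desc == IORES_DESC_NONE) ||
-(desc == p->desc)));
-
-if (resource_overlaps(p, &res))
-is_type ? type++ : other++;
+if (!resource_overlaps(p, &res))
+continue;
+is_type = (p->flags & flags) == flags &&
+(desc == IORES_DESC_NONE || desc == p->desc);
+if (is_type) {
+type++;
+continue;
+}
+/*
+ * Continue to search in descendant resources as if the
+ * matched descendant resources cover some ranges of 'p'.
+ *
+ * |------------- "CXL Window 0" ------------|
+ * |-- "System RAM" --|
+ *
+ * will behave similar as the following fake resource
+ * tree when searching "System RAM".
+ *
+ * |-- "System RAM" --||-- "CXL Window 0a" --|
+ */
+covered = false;
+ostart = max(res.start, p->start);
+oend = min(res.end, p->end);
+for_each_resource(p, dp, false) {
+if (!resource_overlaps(dp, &res))
+continue;
+is_type = (dp->flags & flags) == flags &&
+(desc == IORES_DESC_NONE || desc == dp->desc);
+if (is_type) {
+type++;
+/*
+ * Range from 'ostart' to 'dp->start'
+ * isn't covered by matched resource.
+ */
+if (dp->start > ostart)
+break;
+if (dp->end >= oend) {
+covered = true;
+break;
+}
+/* Remove covered range */
+ostart = max(ostart, dp->end + 1);
+}
+}
+if (!covered)
+other++;
 }
 
 if (type == 0)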
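Review bot: Nothing in the inner `for_each_resource(p, dp, false)` loop stops the walk once `dp` has moved past the range being checked, because the only exits are the two `break`s inside the `is_type` branch. The macro is defined outside this hunk, so whether it ends at the last descendant of `p` cannot be confirmed here; if it continues into later siblings, a matching sibling is counted by `type++` in this loop and again by the outer loop. As far as the visible code shows, `type` is only compared with zero, so the likely cost is extra tree walking rather than a wrong result. An explicit bound before the overlap test, `if (dp->start > oend) break;`, would make the termination independent of the macro, provided the walk visits resources in ascending start order.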
+2
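--- a/mm/damon/vaddr.c
+++ b/mm/damon/vaddr.c
@@ -126,6 +126,7 @@
  * If this is too slow, it can be optimised to examine the maple
  * tree gaps.
  */
+rcu_read_lock();
 for_each_vma(vmi, vma) {
 unsigned long gap;
 
@@ -146,6 +147,7 @@
 next:
 prev = vma;
 }
+rcu_read_unlock();
 
 if (!sz_range(&second_gap) || !sz_range(&first_gap))
 return -EINVAL;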
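Review bot: The new `rcu_read_lock()` / `rcu_read_unlock()` pair around `for_each_vma()` has no comment saying what it protects, and the loop body between the two hunks is not shown. Any `return` or jump out of that loop that bypasses the second hunk would leave the RCU read-side section open, so the elided body should be checked for early exits. A one-line comment above the lock, for example `/* The VMA walk below must run inside an RCU read-side section. */`, would keep a later refactor from dropping it.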
+2
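--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -220,6 +220,8 @@
 count_vm_event(THP_ZERO_PAGE_ALLOC_FAILED);
 return false;
 }
+/* Ensure zero folio won't have large_rmappable flag set. */
+folio_clear_large_rmappable(zero_folio);
 preempt_disable();
 if (cmpxchg(&huge_zero_folio, NULL, zero_folio)) {
 preempt_enable();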
+18 -2
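--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6048,7 +6048,7 @@
  * When the original hugepage is shared one, it does not have
  * anon_vma prepared.
  */
-ret = vmf_anon_prepare(vmf);
+ret = __vmf_anon_prepare(vmf);
 if (unlikely(ret))
 goto out_release_all;
 
@@ -6247,7 +6247,7 @@
 }
 
 if (!(vma->vm_flags & VM_MAYSHARE)) {
-ret = vmf_anon_prepare(vmf);
+ret = __vmf_anon_prepare(vmf);
 if (unlikely(ret))
 goto out;
 }
@@ -6378,6 +6378,14 @@
 folio_unlock(folio);
 out:
 hugetlb_vma_unlock_read(vma);
+
+/*
+ * We must check to release the per-VMA lock. __vmf_anon_prepare() is
+ * the only way ret can be set to VM_FAULT_RETRY.
+ */
+if (unlikely(ret & VM_FAULT_RETRY))
+vma_end_read(vma);
+
 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
 return ret;
 
@@ -6599,6 +6607,14 @@
 }
 out_mutex:
 hugetlb_vma_unlock_read(vma);
+
+/*
+ * We must check to release the per-VMA lock. __vmf_anon_prepare() in
+ * hugetlb_wp() is the only way ret can be set to VM_FAULT_RETRY.
+ */
+if (unlikely(ret & VM_FAULT_RETRY))
+vma_end_read(vma);
+
 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
 /*
  * Generally it's safe to hold refcount during waiting page lock. But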
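Review bot: Both new `vma_end_read(vma)` calls at `out:` and `out_mutex:` rest on an invariant that exists only in their comments, namely that `__vmf_anon_prepare()` is the sole source of `VM_FAULT_RETRY` on these paths. If a later change lets another callee return `VM_FAULT_RETRY` after dropping the per-VMA lock itself, these blocks would release it a second time, and nothing visible in the hunks would catch that. I would state the rule for future callees in the comment, for example `* Any callee returning VM_FAULT_RETRY to this label must leave the per-VMA lock held.`. The other return paths of both functions are outside the hunks, so the invariant cannot be verified from this page.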
+10 -1
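--- a/mm/internal.h
+++ b/mm/internal.h
@@ -310,7 +310,16 @@
 wake_up(wqh);
 }
 
-vm_fault_t vmf_anon_prepare(struct vm_fault *vmf);
+vm_fault_t __vmf_anon_prepare(struct vm_fault *vmf);
+static inline vm_fault_t vmf_anon_prepare(struct vm_fault *vmf)
+{
+vm_fault_t ret = __vmf_anon_prepare(vmf);
+
+if (unlikely(ret & VM_FAULT_RETRY))
+vma_end_read(vmf->vma);
+return ret;
+}
+
 vm_fault_t do_swap_page(struct vm_fault *vmf);
 void folio_rotate_reclaimable(struct folio *folio);
 bool __folio_end_writeback(struct folio *folio);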
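Review bot: The split into `__vmf_anon_prepare()` and the inline `vmf_anon_prepare()` changes who releases the per-VMA lock on `VM_FAULT_RETRY`, but neither declaration documents it. The wrapper here should carry a comment such as `/* Like __vmf_anon_prepare(), but drops the per-VMA lock when VM_FAULT_RETRY is returned. */`. The kerneldoc in the mm/memory.c section still ends with "Any other value should be returned to the caller", and should add that on `VM_FAULT_RETRY` the per-VMA lock is still held and the caller must release it. Without that, a new caller picking the double-underscore variant has no hint that it now owns the unlock.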
+1 -1
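--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1527,7 +1527,7 @@
  * Require CAP_SYS_NICE for influencing process performance. Note that
  * only non-destructive hints are currently supported.
  */
-if (!capable(CAP_SYS_NICE)) {
+if (mm != current->mm && !capable(CAP_SYS_NICE)) {
 ret = -EPERM;
 goto release_mm;
 }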
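Review bot: The comment above the changed test still says CAP_SYS_NICE is required, but the new condition `mm != current->mm && !capable(CAP_SYS_NICE)` exempts a caller whose target shares its mm. I would extend the comment with a line such as `* A caller advising its own mm needs no capability.` and note that the exemption keys on mm identity, so it also covers any other task sharing that address space. Whatever access check produced `mm` runs before this hunk and is not visible here; for the same-mm case it is now the only gate, which is worth stating next to it. The enclosing function starts and ends outside the hunk.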
+3 -5
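--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3276,7 +3276,7 @@
 }
 
 /**
- * vmf_anon_prepare - Prepare to handle an anonymous fault.
+ * __vmf_anon_prepare - Prepare to handle an anonymous fault.
  * @vmf: The vm_fault descriptor passed from the fault handler.
  *
  * When preparing to insert an anonymous page into a VMA from a
@@ -3290,7 +3290,7 @@
  * Return: 0 if fault handling can proceed. Any other value should be
  * returned to the caller.
  */
-vm_fault_t vmf_anon_prepare(struct vm_fault *vmf)
+vm_fault_t __vmf_anon_prepare(struct vm_fault *vmf)
 {
 struct vm_area_struct *vma = vmf->vma;
 vm_fault_t ret = 0;
@@ -3298,10 +3298,8 @@
 if (likely(vma->anon_vma))
 return 0;
 if (vmf->flags & FAULT_FLAG_VMA_LOCK) {
-if (!mmap_read_trylock(vma->vm_mm)) {
-vma_end_read(vma);
+if (!mmap_read_trylock(vma->vm_mm))
 return VM_FAULT_RETRY;
-}
 }
 if (__anon_vma_prepare(vma))
 ret = VM_FAULT_OOM;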
+1 -1
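--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -4300,7 +4300,7 @@
 }
 
 /* ineligible */
-if (zone > sc->reclaim_idx) {
+if (!folio_test_lru(folio) || zone > sc->reclaim_idx) {
 gen = folio_inc_gen(lruvec, folio, false);
 list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]);
 return true;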
+18 -7
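--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -54,6 +54,7 @@
 #include <linux/vmalloc.h>
 #include <linux/preempt.h>
 #include <linux/spinlock.h>
+#include <linux/sprintf.h>
 #include <linux/shrinker.h>
 #include <linux/types.h>
 #include <linux/debugfs.h>
@@ -293,17 +294,27 @@
 
 static int create_cache(struct zs_pool *pool)
 {
-pool->handle_cachep = kmem_cache_create("zs_handle", ZS_HANDLE_SIZE,
-0, 0, NULL);
-if (!pool->handle_cachep)
-return 1;
+char *name;
 
-pool->zspage_cachep = kmem_cache_create("zspage", sizeof(struct zspage),
-0, 0, NULL);
+name = kasprintf(GFP_KERNEL, "zs_handle-%s", pool->name);
+if (!name)
+return -ENOMEM;
+pool->handle_cachep = kmem_cache_create(name, ZS_HANDLE_SIZE,
+0, 0, NULL);
+kfree(name);
+if (!pool->handle_cachep)
+return -EINVAL;
+
+name = kasprintf(GFP_KERNEL, "zspage-%s", pool->name);
+if (!name)
+return -ENOMEM;
+pool->zspage_cachep = kmem_cache_create(name, sizeof(struct zspage),
+0, 0, NULL);
+kfree(name);
 if (!pool->zspage_cachep) {
 kmem_cache_destroy(pool->handle_cachep);
 pool->handle_cachep = NULL;
-return 1;
+return -EINVAL;
 }
 
 return 0;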
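Review bot: In the new `create_cache()`, a failed second `kasprintf()` returns `-ENOMEM` while `pool->handle_cachep` is still allocated, although the `zspage_cachep` failure a few lines below destroys it and clears the pointer. Unless the caller, which is outside this hunk, tears the pool down on every error, that path leaks the handle cache; repeating `kmem_cache_destroy(pool->handle_cachep); pool->handle_cachep = NULL;` before that `return -ENOMEM;` keeps the failure paths consistent. Returning `-EINVAL` when `kmem_cache_create()` fails also hides the real cause from the caller. Freeing `name` right after `kmem_cache_create()` assumes the slab layer keeps its own copy of the string, which deserves a one-line comment.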