June 2024 - Linux-stable-mirror

[PATCH 6.8.y-and-older] ALSA: timer: Set lower bound of start tick time

by Takashi Iwai

commit 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e upstream. Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow. [ backport note: the error handling is changed, as the original commit is based on the recent cleanup with guard() in commit beb45974dd49 -- tiwai ] Reported-by: syzbot+43120c2af6ca2938cc38(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- Greg, this is an alternative fix to the original cherry-pick; apply to 6.8.y and older stable kernels. Thanks! sound/core/timer.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sound/core/timer.c b/sound/core/timer.c index e6e551d4a29e..a0b515981ee9 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -553,6 +553,16 @@ static int snd_timer_start1(struct snd_timer_instance *timeri, goto unlock; } + /* check the actual time for the start tick; + * bail out as error if it's way too low (< 100us) + */ + if (start) { + if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) { + result = -EINVAL; + goto unlock; + } + } + if (start) timeri->ticks = timeri->cticks = ticks; else if (!timeri->cticks) -- 2.43.0

10 months, 3 weeks

2
1
0 0

[PATCH 5.10/5.15/6.1] clk: mediatek: Add memory allocation fail handling in clk_mt2712_top_init_early()

by Aleksandr Mishin

No upstream commit exists for this commit. The issue was introduced with commit e2f744a82d72 ("clk: mediatek: Add MT2712 clock support") In case of memory allocation fail in clk_mt2712_top_init_early() 'top_clk_data' will be set to NULL and later dereferenced without check. Fix this bug by adding NULL-return check. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> --- drivers/clk/mediatek/clk-mt2712.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/clk/mediatek/clk-mt2712.c b/drivers/clk/mediatek/clk-mt2712.c index a0f0c9ed48d1..1830bae661dc 100644 --- a/drivers/clk/mediatek/clk-mt2712.c +++ b/drivers/clk/mediatek/clk-mt2712.c @@ -1277,6 +1277,11 @@ static void clk_mt2712_top_init_early(struct device_node *node) if (!top_clk_data) { top_clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK); + if (!top_clk_data) { + pr_err("%s(): could not register clock provider: %d\n", + __func__, -ENOMEM); + return; + } for (i = 0; i < CLK_TOP_NR_CLK; i++) top_clk_data->hws[i] = ERR_PTR(-EPROBE_DEFER); -- 2.30.2

10 months, 3 weeks

2
2
0 0

[PATCH 5.10/5.15/6.1] clk: mediatek: mt8183: Add memory

by Aleksandr Mishin

No upstream commit exists for this commit. The issue was introduced with commit c93d059a8045 ("clk: mediatek: mt8183: Register 13MHz clock earlier for clocksource") In case of memory allocation fail in clk_mt8183_top_init_early() 'top_clk_data' will be set to NULL and later dereferenced without check. Fix this bug by adding NULL-return check. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> --- drivers/clk/mediatek/clk-mt8183.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/clk/mediatek/clk-mt8183.c b/drivers/clk/mediatek/clk-mt8183.c index 78620244144e..8377a877d9e3 100644 --- a/drivers/clk/mediatek/clk-mt8183.c +++ b/drivers/clk/mediatek/clk-mt8183.c @@ -1185,6 +1185,11 @@ static void clk_mt8183_top_init_early(struct device_node *node) int i; top_clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK); + if (!top_clk_data) { + pr_err("%s(): could not register clock provider: %d\n", + __func__, -ENOMEM); + return; + } for (i = 0; i < CLK_TOP_NR_CLK; i++) top_clk_data->hws[i] = ERR_PTR(-EPROBE_DEFER); -- 2.30.2

10 months, 3 weeks

2
2
0 0

[PATCH stable 6.9] vxlan: Fix regression when dropping packets due to invalid src addresses

by Daniel Borkmann

[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ] Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") has recently been added to vxlan mainly in the context of source address snooping/learning so that when it is enabled, an entry in the FDB is not being created for an invalid address for the corresponding tunnel endpoint. Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in that it passed through whichever macs were set in the L2 header. It turns out that this change in behavior breaks setups, for example, Cilium with netkit in L3 mode for Pods as well as tunnel mode has been passing before the change in f58f45c1e5b9 for both vxlan and geneve. After mentioned change it is only passing for geneve as in case of vxlan packets are dropped due to vxlan_set_mac() returning false as source and destination macs are zero which for E/W traffic via tunnel is totally fine. Fix it by only opting into the is_valid_ether_addr() check in vxlan_set_mac() when in fact source address snooping/learning is actually enabled in vxlan. This is done by moving the check into vxlan_snoop(). With this change, the Cilium connectivity test suite passes again for both tunnel flavors. Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Cc: David Bauer <mail(a)david-bauer.net> Cc: Ido Schimmel <idosch(a)nvidia.com> Cc: Nikolay Aleksandrov <razor(a)blackwall.org> Cc: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Nikolay Aleksandrov <razor(a)blackwall.org> Reviewed-by: David Bauer <mail(a)david-bauer.net> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> --- drivers/net/vxlan/vxlan_core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c index 3a9148fb1422..eccf09c81df2 100644 --- a/drivers/net/vxlan/vxlan_core.c +++ b/drivers/net/vxlan/vxlan_core.c @@ -1446,6 +1446,10 @@ static bool vxlan_snoop(struct net_device *dev, struct vxlan_fdb *f; u32 ifindex = 0; + /* Ignore packets from invalid src-address */ + if (!is_valid_ether_addr(src_mac)) + return true; + #if IS_ENABLED(CONFIG_IPV6) if (src_ip->sa.sa_family == AF_INET6 && (ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL)) @@ -1615,10 +1619,6 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) return false; - /* Ignore packets from invalid src-address */ - if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) - return false; - /* Get address from the outer IP header */ if (vxlan_get_sk_family(vs) == AF_INET) { saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr; -- 2.34.1

10 months, 3 weeks

1
0
0 0

[PATCH v2] mpt3sas: Avoid test/set_bit() operating in non-allocated memory

by Breno Leitao

There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/ Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path") Cc: stable(a)vger.kernel.org Suggested-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Breno Leitao <leitao(a)debian.org> --- Changelog: v2: * Do the same protection in krealloc() in _base_check_ioc_facts_changes, as suggested by Keith. --- drivers/scsi/mpt3sas/mpt3sas_base.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 258647fc6bdd..cc17204721c2 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -8512,6 +8512,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pd_handles_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pd_handles_sz++; + /* pd_handles_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory touch + * may occur + */ + ioc->pd_handles_sz = ALIGN(ioc->pd_handles_sz, sizeof(unsigned long)); + ioc->pd_handles = kzalloc(ioc->pd_handles_sz, GFP_KERNEL); if (!ioc->pd_handles) { @@ -8529,6 +8535,12 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc) ioc->pend_os_device_add_sz = (ioc->facts.MaxDevHandle / 8); if (ioc->facts.MaxDevHandle % 8) ioc->pend_os_device_add_sz++; + + /* pend_os_device_add_sz should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory may occur + */ + ioc->pend_os_device_add_sz = ALIGN(ioc->pend_os_device_add_sz, + sizeof(unsigned long)); ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz, GFP_KERNEL); if (!ioc->pend_os_device_add) { @@ -8820,6 +8832,11 @@ _base_check_ioc_facts_changes(struct MPT3SAS_ADAPTER *ioc) if (ioc->facts.MaxDevHandle % 8) pd_handles_sz++; + /* pd_handles should have, at least, the minimal room + * for set_bit()/test_bit(), otherwise out-of-memory touch + * may occur + */ + pd_handles_sz = ALIGN(pd_handles_sz, sizeof(unsigned long)); pd_handles = krealloc(ioc->pd_handles, pd_handles_sz, GFP_KERNEL); if (!pd_handles) { -- 2.43.0

10 months, 3 weeks

4
3
0 0

[PATCH v3 5.10/5.15] ata: libata-scsi: check cdb length for VARIABLE_LENGTH_CMD commands

by Mikhail Ukhin

No upstream commit exists for this patch. Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in ata_scsi_pass_thru. The error is fixed in 5.18 by commit ce70fd9a551a ("scsi: core: Remove the cmd field from struct scsi_request") upstream. Backporting this commit would require significant changes to the code so it is bettter to use a simple fix for that particular error. The problem is that the length of the received SCSI command is not validated if scsi_op == VARIABLE_LENGTH_CMD. It can lead to out-of-bounds reading if the user sends a request with SCSI command of length less than 32. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> Signed-off-by: Mikhail Ivanov <iwanov-23(a)bk.ru> Signed-off-by: Mikhail Ukhin <mish.uxin2012(a)yandex.ru> --- v2: The new addresses were added and the text was updated. v3: Checking has been moved to the function ata_scsi_var_len_cdb_xlat at the request of Damien Le Moal drivers/ata/libata-scsi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index dfa090ccd21c..38488bd813d1 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3948,7 +3948,11 @@ static unsigned int ata_scsi_var_len_cdb_xlat(struct ata_queued_cmd *qc) struct scsi_cmnd *scmd = qc->scsicmd; const u8 *cdb = scmd->cmnd; const u16 sa = get_unaligned_be16(&cdb[8]); + u8 scsi_op = scmd->cmnd[0]; + if (scsi_op == VARIABLE_LENGTH_CMD && scmd->cmd_len < 32) + return 1; + /* * if service action represents a ata pass-thru(32) command, * then pass it to ata_scsi_pass_thru handler. -- 2.25.1

10 months, 3 weeks

2
1
0 0

[PATCH] KVM: arm64: Disassociate vcpus from redistributor region on teardown

by Marc Zyngier

When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu. Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/vgic/vgic-init.c | 2 +- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +++++++++++++-- arch/arm64/kvm/vgic/vgic.h | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c index 8f5b7a3e7009..7f68cf58b978 100644 --- a/arch/arm64/kvm/vgic/vgic-init.c +++ b/arch/arm64/kvm/vgic/vgic-init.c @@ -391,7 +391,7 @@ static void kvm_vgic_dist_destroy(struct kvm *kvm) if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list) - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); INIT_LIST_HEAD(&dist->rd_regions); } else { dist->vgic_cpu_base = VGIC_ADDR_UNDEF; diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index a3983a631b5a..9e50928f5d7d 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c @@ -919,8 +919,19 @@ static int vgic_v3_alloc_redist_region(struct kvm *kvm, uint32_t index, return ret; } -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg) +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg) { + struct kvm_vcpu *vcpu; + unsigned long c; + + lockdep_assert_held(&kvm->arch.config_lock); + + /* Garbage collect the region */ + kvm_for_each_vcpu(c, vcpu, kvm) { + if (vcpu->arch.vgic_cpu.rdreg == rdreg) + vcpu->arch.vgic_cpu.rdreg = NULL; + } + list_del(&rdreg->list); kfree(rdreg); } @@ -945,7 +956,7 @@ int vgic_v3_set_redist_base(struct kvm *kvm, u32 index, u64 addr, u32 count) mutex_lock(&kvm->arch.config_lock); rdreg = vgic_v3_rdist_region_from_index(kvm, index); - vgic_v3_free_redist_region(rdreg); + vgic_v3_free_redist_region(kvm, rdreg); mutex_unlock(&kvm->arch.config_lock); return ret; } diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h index 6106ebd5ba42..03d356a12377 100644 --- a/arch/arm64/kvm/vgic/vgic.h +++ b/arch/arm64/kvm/vgic/vgic.h @@ -316,7 +316,7 @@ vgic_v3_rd_region_size(struct kvm *kvm, struct vgic_redist_region *rdreg) struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm, u32 index); -void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg); +void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg); bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size); -- 2.39.2

10 months, 3 weeks

2
2
0 0

[PATCH v2 0/2] arm64: dts: qcom: switch RB1 and RB2 platforms to i2c2-gpio

by Dmitry Baryshkov

On the Qualcomm RB1 and RB2 platforms the I2C bus connected to the LT9611UXC bridge under some circumstances can go into a state when all transfers timeout. This causes both issues with fetching of EDID and with updating of the bridge's firmware. While we are debugging the issue, switch corresponding I2C bus to use i2c-gpio driver. While using i2c-gpio no communication issues are observed. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- Changes in v2: - Fixed i2c node names to fix DT validation issues (Rob) - Link to v1: https://lore.kernel.org/r/20240604-rb12-i2c2g-pio-v1-0-f323907179d9@linaro.… --- Dmitry Baryshkov (2): arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio arch/arm64/boot/dts/qcom/qrb2210-rb1.dts | 13 ++++++++++++- arch/arm64/boot/dts/qcom/qrb4210-rb2.dts | 13 ++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) --- base-commit: 0e1980c40b6edfa68b6acf926bab22448a6e40c9 change-id: 20240604-rb12-i2c2g-pio-f6035fa8e022 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

10 months, 3 weeks

3
5
0 0

[merged mm-hotfixes-stable] nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop-on-i-o-errors.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors has been removed from the -mm tree. Its filename was nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop-on-i-o-errors.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors Date: Tue, 4 Jun 2024 22:42:55 +0900 The error handling in nilfs_empty_dir() when a directory folio/page read fails is incorrect, as in the old ext2 implementation, and if the folio/page cannot be read or nilfs_check_folio() fails, it will falsely determine the directory as empty and corrupt the file system. In addition, since nilfs_empty_dir() does not immediately return on a failed folio/page read, but continues to loop, this can cause a long loop with I/O if i_size of the directory's inode is also corrupted, causing the log writer thread to wait and hang, as reported by syzbot. Fix these issues by making nilfs_empty_dir() immediately return a false value (0) if it fails to get a directory folio/page. Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+c8166c541d3971bf6c87(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87 Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nilfs2/dir.c~nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop-on-i-o-errors +++ a/fs/nilfs2/dir.c @@ -607,7 +607,7 @@ int nilfs_empty_dir(struct inode *inode) kaddr = nilfs_get_folio(inode, i, &folio); if (IS_ERR(kaddr)) - continue; + return 0; de = (struct nilfs_dir_entry *)kaddr; kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1); _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

10 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-do-not-call-vma_add_reservation-upon-enomem.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: do not call vma_add_reservation upon ENOMEM has been removed from the -mm tree. Its filename was mm-hugetlb-do-not-call-vma_add_reservation-upon-enomem.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Oscar Salvador <osalvador(a)suse.de> Subject: mm/hugetlb: do not call vma_add_reservation upon ENOMEM Date: Tue, 28 May 2024 22:53:23 +0200 sysbot reported a splat [1] on __unmap_hugepage_range(). This is because vma_needs_reservation() can return -ENOMEM if allocate_file_region_entries() fails to allocate the file_region struct for the reservation. Check for that and do not call vma_add_reservation() if that is the case, otherwise region_abort() and region_del() will see that we do not have any file_regions. If we detect that vma_needs_reservation() returned -ENOMEM, we clear the hugetlb_restore_reserve flag as if this reservation was still consumed, so free_huge_folio() will not increment the resv count. [1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/… Link: https://lkml.kernel.org/r/20240528205323.20439-1-osalvador@suse.de Fixes: df7a6d1f6405 ("mm/hugetlb: restore the reservation if needed") Signed-off-by: Oscar Salvador <osalvador(a)suse.de> Reported-and-tested-by: syzbot+d3fe2dc5ffe9380b714b(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/ Cc: Breno Leitao <leitao(a)debian.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-do-not-call-vma_add_reservation-upon-enomem +++ a/mm/hugetlb.c @@ -5768,8 +5768,20 @@ void __unmap_hugepage_range(struct mmu_g * do_exit() will not see it, and will keep the reservation * forever. */ - if (adjust_reservation && vma_needs_reservation(h, vma, address)) - vma_add_reservation(h, vma, address); + if (adjust_reservation) { + int rc = vma_needs_reservation(h, vma, address); + + if (rc < 0) + /* Pressumably allocate_file_region_entries failed + * to allocate a file_region struct. Clear + * hugetlb_restore_reserve so that global reserve + * count will not be incremented by free_huge_folio. + * Act as if we consumed the reservation. + */ + folio_clear_hugetlb_restore_reserve(page_folio(page)); + else if (rc) + vma_add_reservation(h, vma, address); + } tlb_remove_page_size(tlb, page, huge_page_size(h)); /* _ Patches currently in -mm which might be from osalvador(a)suse.de are mm-hugetlb-drop-node_alloc_noretry-from-alloc_fresh_hugetlb_folio.patch arch-x86-do-not-explicitly-clear-reserved-flag-in-free_pagetable.patch

10 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2024