<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/mm, branch v4.4.162</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mm/vmstat.c: fix outdated vmstat_text</title>
<updated>2018-10-20T07:52:34+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2018-10-05T22:52:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0f0ad8d548588419b5f1b8ca36673af32d3dafdf'/>
<id>0f0ad8d548588419b5f1b8ca36673af32d3dafdf</id>
<content type='text'>
commit 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 upstream.

7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely") removed the
VMACACHE_FULL_FLUSHES statistics, but didn't remove the corresponding
entry in vmstat_text.  This causes an out-of-bounds access in
vmstat_show().

Luckily this only affects kernels with CONFIG_DEBUG_VM_VMACACHE=y, which
is probably very rare.

Link: http://lkml.kernel.org/r/20181001143138.95119-1-jannh@google.com
Fixes: 7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Roman Gushchin &lt;guro@fb.com&gt;
Cc: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Christoph Lameter &lt;clameter@sgi.com&gt;
Cc: Kemi Wang &lt;kemi.wang@intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 upstream.

7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely") removed the
VMACACHE_FULL_FLUSHES statistics, but didn't remove the corresponding
entry in vmstat_text.  This causes an out-of-bounds access in
vmstat_show().

Luckily this only affects kernels with CONFIG_DEBUG_VM_VMACACHE=y, which
is probably very rare.

Link: http://lkml.kernel.org/r/20181001143138.95119-1-jannh@google.com
Fixes: 7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Roman Gushchin &lt;guro@fb.com&gt;
Cc: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Christoph Lameter &lt;clameter@sgi.com&gt;
Cc: Kemi Wang &lt;kemi.wang@intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly</title>
<updated>2018-10-13T07:11:31+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2018-10-05T22:52:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c6f1725b9cbd208c469142ebfc5bff476352cc08'/>
<id>c6f1725b9cbd208c469142ebfc5bff476352cc08</id>
<content type='text'>
commit 58bc4c34d249bf1bc50730a9a209139347cfacfe upstream.

5dd0b16cdaff ("mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even
on UP") made the availability of the NR_TLB_REMOTE_FLUSH* counters inside
the kernel unconditional to reduce #ifdef soup, but (either to avoid
showing dummy zero counters to userspace, or because that code was missed)
didn't update the vmstat_array, meaning that all following counters would
be shown with incorrect values.

This only affects kernel builds with
CONFIG_VM_EVENT_COUNTERS=y &amp;&amp; CONFIG_DEBUG_TLBFLUSH=y &amp;&amp; CONFIG_SMP=n.

Link: http://lkml.kernel.org/r/20181001143138.95119-2-jannh@google.com
Fixes: 5dd0b16cdaff ("mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Roman Gushchin &lt;guro@fb.com&gt;
Cc: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Christoph Lameter &lt;clameter@sgi.com&gt;
Cc: Kemi Wang &lt;kemi.wang@intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Ingo Molnar &lt;mingo@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 58bc4c34d249bf1bc50730a9a209139347cfacfe upstream.

5dd0b16cdaff ("mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even
on UP") made the availability of the NR_TLB_REMOTE_FLUSH* counters inside
the kernel unconditional to reduce #ifdef soup, but (either to avoid
showing dummy zero counters to userspace, or because that code was missed)
didn't update the vmstat_array, meaning that all following counters would
be shown with incorrect values.

This only affects kernel builds with
CONFIG_VM_EVENT_COUNTERS=y &amp;&amp; CONFIG_DEBUG_TLBFLUSH=y &amp;&amp; CONFIG_SMP=n.

Link: http://lkml.kernel.org/r/20181001143138.95119-2-jannh@google.com
Fixes: 5dd0b16cdaff ("mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Acked-by: Roman Gushchin &lt;guro@fb.com&gt;
Cc: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Christoph Lameter &lt;clameter@sgi.com&gt;
Cc: Kemi Wang &lt;kemi.wang@intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Ingo Molnar &lt;mingo@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm: madvise(MADV_DODUMP): allow hugetlbfs pages</title>
<updated>2018-10-10T06:52:11+00:00</updated>
<author>
<name>Daniel Black</name>
<email>daniel@linux.ibm.com</email>
</author>
<published>2018-10-05T22:52:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=82660490d5e81b95bb74e7cc0811f3ea6559d9ad'/>
<id>82660490d5e81b95bb74e7cc0811f3ea6559d9ad</id>
<content type='text'>
commit d41aa5252394c065d1f04d1ceea885b70d00c9c6 upstream.

Reproducer, assuming 2M of hugetlbfs available:

Hugetlbfs mounted, size=2M and option user=testuser

  # mount | grep ^hugetlbfs
  hugetlbfs on /dev/hugepages type hugetlbfs (rw,pagesize=2M,user=dan)
  # sysctl vm.nr_hugepages=1
  vm.nr_hugepages = 1
  # grep Huge /proc/meminfo
  AnonHugePages:         0 kB
  ShmemHugePages:        0 kB
  HugePages_Total:       1
  HugePages_Free:        1
  HugePages_Rsvd:        0
  HugePages_Surp:        0
  Hugepagesize:       2048 kB
  Hugetlb:            2048 kB

Code:

  #include &lt;sys/mman.h&gt;
  #include &lt;stddef.h&gt;
  #define SIZE 2*1024*1024
  int main()
  {
    void *ptr;
    ptr = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_HUGETLB | MAP_ANONYMOUS, -1, 0);
    madvise(ptr, SIZE, MADV_DONTDUMP);
    madvise(ptr, SIZE, MADV_DODUMP);
  }

Compile and strace:

  mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_HUGETLB, -1, 0) = 0x7ff7c9200000
  madvise(0x7ff7c9200000, 2097152, MADV_DONTDUMP) = 0
  madvise(0x7ff7c9200000, 2097152, MADV_DODUMP) = -1 EINVAL (Invalid argument)

hugetlbfs pages have VM_DONTEXPAND in the VmFlags driver pages based on
author testing with analysis from Florian Weimer[1].

The inclusion of VM_DONTEXPAND into the VM_SPECIAL defination was a
consequence of the large useage of VM_DONTEXPAND in device drivers.

A consequence of [2] is that VM_DONTEXPAND marked pages are unable to be
marked DODUMP.

A user could quite legitimately madvise(MADV_DONTDUMP) their hugetlbfs
memory for a while and later request that madvise(MADV_DODUMP) on the same
memory.  We correct this omission by allowing madvice(MADV_DODUMP) on
hugetlbfs pages.

[1] https://stackoverflow.com/questions/52548260/madvisedodump-on-the-same-ptr-size-as-a-successful-madvisedontdump-fails-wit
[2] commit 0103bd16fb90 ("mm: prepare VM_DONTDUMP for using in drivers")

Link: http://lkml.kernel.org/r/20180930054629.29150-1-daniel@linux.ibm.com
Link: https://lists.launchpad.net/maria-discuss/msg05245.html
Fixes: 0103bd16fb90 ("mm: prepare VM_DONTDUMP for using in drivers")
Reported-by: Kenneth Penza &lt;kpenza@gmail.com&gt;
Signed-off-by: Daniel Black &lt;daniel@linux.ibm.com&gt;
Reviewed-by: Mike Kravetz &lt;mike.kravetz@oracle.com&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@openvz.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d41aa5252394c065d1f04d1ceea885b70d00c9c6 upstream.

Reproducer, assuming 2M of hugetlbfs available:

Hugetlbfs mounted, size=2M and option user=testuser

  # mount | grep ^hugetlbfs
  hugetlbfs on /dev/hugepages type hugetlbfs (rw,pagesize=2M,user=dan)
  # sysctl vm.nr_hugepages=1
  vm.nr_hugepages = 1
  # grep Huge /proc/meminfo
  AnonHugePages:         0 kB
  ShmemHugePages:        0 kB
  HugePages_Total:       1
  HugePages_Free:        1
  HugePages_Rsvd:        0
  HugePages_Surp:        0
  Hugepagesize:       2048 kB
  Hugetlb:            2048 kB

Code:

  #include &lt;sys/mman.h&gt;
  #include &lt;stddef.h&gt;
  #define SIZE 2*1024*1024
  int main()
  {
    void *ptr;
    ptr = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_HUGETLB | MAP_ANONYMOUS, -1, 0);
    madvise(ptr, SIZE, MADV_DONTDUMP);
    madvise(ptr, SIZE, MADV_DODUMP);
  }

Compile and strace:

  mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_HUGETLB, -1, 0) = 0x7ff7c9200000
  madvise(0x7ff7c9200000, 2097152, MADV_DONTDUMP) = 0
  madvise(0x7ff7c9200000, 2097152, MADV_DODUMP) = -1 EINVAL (Invalid argument)

hugetlbfs pages have VM_DONTEXPAND in the VmFlags driver pages based on
author testing with analysis from Florian Weimer[1].

The inclusion of VM_DONTEXPAND into the VM_SPECIAL defination was a
consequence of the large useage of VM_DONTEXPAND in device drivers.

A consequence of [2] is that VM_DONTEXPAND marked pages are unable to be
marked DODUMP.

A user could quite legitimately madvise(MADV_DONTDUMP) their hugetlbfs
memory for a while and later request that madvise(MADV_DODUMP) on the same
memory.  We correct this omission by allowing madvice(MADV_DODUMP) on
hugetlbfs pages.

[1] https://stackoverflow.com/questions/52548260/madvisedodump-on-the-same-ptr-size-as-a-successful-madvisedontdump-fails-wit
[2] commit 0103bd16fb90 ("mm: prepare VM_DONTDUMP for using in drivers")

Link: http://lkml.kernel.org/r/20180930054629.29150-1-daniel@linux.ibm.com
Link: https://lists.launchpad.net/maria-discuss/msg05245.html
Fixes: 0103bd16fb90 ("mm: prepare VM_DONTDUMP for using in drivers")
Reported-by: Kenneth Penza &lt;kpenza@gmail.com&gt;
Signed-off-by: Daniel Black &lt;daniel@linux.ibm.com&gt;
Reviewed-by: Mike Kravetz &lt;mike.kravetz@oracle.com&gt;
Cc: Konstantin Khlebnikov &lt;khlebnikov@openvz.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>slub: make -&gt;cpu_partial unsigned int</title>
<updated>2018-10-10T06:52:08+00:00</updated>
<author>
<name>Alexey Dobriyan</name>
<email>adobriyan@gmail.com</email>
</author>
<published>2018-04-05T23:21:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=de2aac8ee0fb52a743a854d781e4b4a32600fa8a'/>
<id>de2aac8ee0fb52a743a854d781e4b4a32600fa8a</id>
<content type='text'>
commit e5d9998f3e09359b372a037a6ac55ba235d95d57 upstream.

	/*
	 * cpu_partial determined the maximum number of objects
	 * kept in the per cpu partial lists of a processor.
	 */

Can't be negative.

Link: http://lkml.kernel.org/r/20180305200730.15812-15-adobriyan@gmail.com
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Acked-by: Christoph Lameter &lt;cl@linux.com&gt;
Cc: Pekka Enberg &lt;penberg@kernel.org&gt;
Cc: David Rientjes &lt;rientjes@google.com&gt;
Cc: Joonsoo Kim &lt;iamjoonsoo.kim@lge.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: zhong jiang &lt;zhongjiang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e5d9998f3e09359b372a037a6ac55ba235d95d57 upstream.

	/*
	 * cpu_partial determined the maximum number of objects
	 * kept in the per cpu partial lists of a processor.
	 */

Can't be negative.

Link: http://lkml.kernel.org/r/20180305200730.15812-15-adobriyan@gmail.com
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Acked-by: Christoph Lameter &lt;cl@linux.com&gt;
Cc: Pekka Enberg &lt;penberg@kernel.org&gt;
Cc: David Rientjes &lt;rientjes@google.com&gt;
Cc: Joonsoo Kim &lt;iamjoonsoo.kim@lge.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: zhong jiang &lt;zhongjiang@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm: shmem.c: Correctly annotate new inodes for lockdep</title>
<updated>2018-09-29T10:08:52+00:00</updated>
<author>
<name>Joel Fernandes (Google)</name>
<email>joel@joelfernandes.org</email>
</author>
<published>2018-09-20T19:22:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4da7f35b06702b1bc011270f15084a574ac76e1f'/>
<id>4da7f35b06702b1bc011270f15084a574ac76e1f</id>
<content type='text'>
commit b45d71fb89ab8adfe727b9d0ee188ed58582a647 upstream.

Directories and inodes don't necessarily need to be in the same lockdep
class.  For ex, hugetlbfs splits them out too to prevent false positives
in lockdep.  Annotate correctly after new inode creation.  If its a
directory inode, it will be put into a different class.

This should fix a lockdep splat reported by syzbot:

&gt; ======================================================
&gt; WARNING: possible circular locking dependency detected
&gt; 4.18.0-rc8-next-20180810+ #36 Not tainted
&gt; ------------------------------------------------------
&gt; syz-executor900/4483 is trying to acquire lock:
&gt; 00000000d2bfc8fe (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}, at: inode_lock
&gt; include/linux/fs.h:765 [inline]
&gt; 00000000d2bfc8fe (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}, at:
&gt; shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
&gt;
&gt; but task is already holding lock:
&gt; 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
&gt; drivers/staging/android/ashmem.c:448
&gt;
&gt; which lock already depends on the new lock.
&gt;
&gt; -&gt; #2 (ashmem_mutex){+.+.}:
&gt;        __mutex_lock_common kernel/locking/mutex.c:925 [inline]
&gt;        __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
&gt;        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
&gt;        ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
&gt;        call_mmap include/linux/fs.h:1844 [inline]
&gt;        mmap_region+0xf27/0x1c50 mm/mmap.c:1762
&gt;        do_mmap+0xa10/0x1220 mm/mmap.c:1535
&gt;        do_mmap_pgoff include/linux/mm.h:2298 [inline]
&gt;        vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
&gt;        ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
&gt;        __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
&gt;        __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
&gt;        __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; -&gt; #1 (&amp;mm-&gt;mmap_sem){++++}:
&gt;        __might_fault+0x155/0x1e0 mm/memory.c:4568
&gt;        _copy_to_user+0x30/0x110 lib/usercopy.c:25
&gt;        copy_to_user include/linux/uaccess.h:155 [inline]
&gt;        filldir+0x1ea/0x3a0 fs/readdir.c:196
&gt;        dir_emit_dot include/linux/fs.h:3464 [inline]
&gt;        dir_emit_dots include/linux/fs.h:3475 [inline]
&gt;        dcache_readdir+0x13a/0x620 fs/libfs.c:193
&gt;        iterate_dir+0x48b/0x5d0 fs/readdir.c:51
&gt;        __do_sys_getdents fs/readdir.c:231 [inline]
&gt;        __se_sys_getdents fs/readdir.c:212 [inline]
&gt;        __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; -&gt; #0 (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}:
&gt;        lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
&gt;        down_write+0x8f/0x130 kernel/locking/rwsem.c:70
&gt;        inode_lock include/linux/fs.h:765 [inline]
&gt;        shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
&gt;        ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455
&gt;        ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
&gt;        vfs_ioctl fs/ioctl.c:46 [inline]
&gt;        file_ioctl fs/ioctl.c:501 [inline]
&gt;        do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
&gt;        ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
&gt;        __do_sys_ioctl fs/ioctl.c:709 [inline]
&gt;        __se_sys_ioctl fs/ioctl.c:707 [inline]
&gt;        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; other info that might help us debug this:
&gt;
&gt; Chain exists of:
&gt;   &amp;sb-&gt;s_type-&gt;i_mutex_key#9 --&gt; &amp;mm-&gt;mmap_sem --&gt; ashmem_mutex
&gt;
&gt;  Possible unsafe locking scenario:
&gt;
&gt;        CPU0                    CPU1
&gt;        ----                    ----
&gt;   lock(ashmem_mutex);
&gt;                                lock(&amp;mm-&gt;mmap_sem);
&gt;                                lock(ashmem_mutex);
&gt;   lock(&amp;sb-&gt;s_type-&gt;i_mutex_key#9);
&gt;
&gt;  *** DEADLOCK ***
&gt;
&gt; 1 lock held by syz-executor900/4483:
&gt;  #0: 0000000025208078 (ashmem_mutex){+.+.}, at:
&gt; ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448

Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.org
Signed-off-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Reviewed-by: NeilBrown &lt;neilb@suse.com&gt;
Suggested-by: NeilBrown &lt;neilb@suse.com&gt;
Cc: Matthew Wilcox &lt;willy@infradead.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Hugh Dickins &lt;hughd@google.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b45d71fb89ab8adfe727b9d0ee188ed58582a647 upstream.

Directories and inodes don't necessarily need to be in the same lockdep
class.  For ex, hugetlbfs splits them out too to prevent false positives
in lockdep.  Annotate correctly after new inode creation.  If its a
directory inode, it will be put into a different class.

This should fix a lockdep splat reported by syzbot:

&gt; ======================================================
&gt; WARNING: possible circular locking dependency detected
&gt; 4.18.0-rc8-next-20180810+ #36 Not tainted
&gt; ------------------------------------------------------
&gt; syz-executor900/4483 is trying to acquire lock:
&gt; 00000000d2bfc8fe (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}, at: inode_lock
&gt; include/linux/fs.h:765 [inline]
&gt; 00000000d2bfc8fe (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}, at:
&gt; shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
&gt;
&gt; but task is already holding lock:
&gt; 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
&gt; drivers/staging/android/ashmem.c:448
&gt;
&gt; which lock already depends on the new lock.
&gt;
&gt; -&gt; #2 (ashmem_mutex){+.+.}:
&gt;        __mutex_lock_common kernel/locking/mutex.c:925 [inline]
&gt;        __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
&gt;        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
&gt;        ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
&gt;        call_mmap include/linux/fs.h:1844 [inline]
&gt;        mmap_region+0xf27/0x1c50 mm/mmap.c:1762
&gt;        do_mmap+0xa10/0x1220 mm/mmap.c:1535
&gt;        do_mmap_pgoff include/linux/mm.h:2298 [inline]
&gt;        vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
&gt;        ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
&gt;        __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
&gt;        __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
&gt;        __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; -&gt; #1 (&amp;mm-&gt;mmap_sem){++++}:
&gt;        __might_fault+0x155/0x1e0 mm/memory.c:4568
&gt;        _copy_to_user+0x30/0x110 lib/usercopy.c:25
&gt;        copy_to_user include/linux/uaccess.h:155 [inline]
&gt;        filldir+0x1ea/0x3a0 fs/readdir.c:196
&gt;        dir_emit_dot include/linux/fs.h:3464 [inline]
&gt;        dir_emit_dots include/linux/fs.h:3475 [inline]
&gt;        dcache_readdir+0x13a/0x620 fs/libfs.c:193
&gt;        iterate_dir+0x48b/0x5d0 fs/readdir.c:51
&gt;        __do_sys_getdents fs/readdir.c:231 [inline]
&gt;        __se_sys_getdents fs/readdir.c:212 [inline]
&gt;        __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; -&gt; #0 (&amp;sb-&gt;s_type-&gt;i_mutex_key#9){++++}:
&gt;        lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
&gt;        down_write+0x8f/0x130 kernel/locking/rwsem.c:70
&gt;        inode_lock include/linux/fs.h:765 [inline]
&gt;        shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
&gt;        ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455
&gt;        ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
&gt;        vfs_ioctl fs/ioctl.c:46 [inline]
&gt;        file_ioctl fs/ioctl.c:501 [inline]
&gt;        do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
&gt;        ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
&gt;        __do_sys_ioctl fs/ioctl.c:709 [inline]
&gt;        __se_sys_ioctl fs/ioctl.c:707 [inline]
&gt;        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
&gt;        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
&gt;        entry_SYSCALL_64_after_hwframe+0x49/0xbe
&gt;
&gt; other info that might help us debug this:
&gt;
&gt; Chain exists of:
&gt;   &amp;sb-&gt;s_type-&gt;i_mutex_key#9 --&gt; &amp;mm-&gt;mmap_sem --&gt; ashmem_mutex
&gt;
&gt;  Possible unsafe locking scenario:
&gt;
&gt;        CPU0                    CPU1
&gt;        ----                    ----
&gt;   lock(ashmem_mutex);
&gt;                                lock(&amp;mm-&gt;mmap_sem);
&gt;                                lock(ashmem_mutex);
&gt;   lock(&amp;sb-&gt;s_type-&gt;i_mutex_key#9);
&gt;
&gt;  *** DEADLOCK ***
&gt;
&gt; 1 lock held by syz-executor900/4483:
&gt;  #0: 0000000025208078 (ashmem_mutex){+.+.}, at:
&gt; ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448

Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.org
Signed-off-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Reviewed-by: NeilBrown &lt;neilb@suse.com&gt;
Suggested-by: NeilBrown &lt;neilb@suse.com&gt;
Cc: Matthew Wilcox &lt;willy@infradead.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Hugh Dickins &lt;hughd@google.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm: get rid of vmacache_flush_all() entirely</title>
<updated>2018-09-19T20:49:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-09-13T09:57:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=88d6918401a4ecdc50fe77df3e1e77c1e49d8579'/>
<id>88d6918401a4ecdc50fe77df3e1e77c1e49d8579</id>
<content type='text'>
commit 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 upstream.

Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too.  It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit.  That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.

So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too.  Win-win.

[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
  also just goes away entirely with this ]

Reported-by: Jann Horn &lt;jannh@google.com&gt;
Suggested-by: Will Deacon &lt;will.deacon@arm.com&gt;
Acked-by: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 upstream.

Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too.  It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit.  That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.

So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too.  Win-win.

[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
  also just goes away entirely with this ]

Reported-by: Jann Horn &lt;jannh@google.com&gt;
Suggested-by: Will Deacon &lt;will.deacon@arm.com&gt;
Acked-by: Davidlohr Bueso &lt;dave@stgolabs.net&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fixes: Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages")</title>
<updated>2018-09-15T07:40:40+00:00</updated>
<author>
<name>Chas Williams</name>
<email>chas3@att.com</email>
</author>
<published>2018-09-06T15:11:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e72977e87482759dba7181e0ec210c2db00c6124'/>
<id>e72977e87482759dba7181e0ec210c2db00c6124</id>
<content type='text'>
Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages")
was an incomplete backport of the upstream commit.  It is necessary to
always reset page_nid before attempting any early exit.

The original commit conflicted due to lack of commit 82b0f8c39a38
("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean
application, and the change must have just gotten lost in the noise.

Signed-off-by: Chas Williams &lt;chas3@att.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages")
was an incomplete backport of the upstream commit.  It is necessary to
always reset page_nid before attempting any early exit.

The original commit conflicted due to lack of commit 82b0f8c39a38
("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean
application, and the change must have just gotten lost in the noise.

Signed-off-by: Chas Williams &lt;chas3@att.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mm/fadvise.c: fix signed overflow UBSAN complaint</title>
<updated>2018-09-15T07:40:38+00:00</updated>
<author>
<name>Andrey Ryabinin</name>
<email>aryabinin@virtuozzo.com</email>
</author>
<published>2018-08-17T22:46:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4ca3b3df6d52aff8b42271a23d7f2218672cfbf8'/>
<id>4ca3b3df6d52aff8b42271a23d7f2218672cfbf8</id>
<content type='text'>
[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]

Signed integer overflow is undefined according to the C standard.  The
overflow in ksys_fadvise64_64() is deliberate, but since it is signed
overflow, UBSAN complains:

	UBSAN: Undefined behaviour in mm/fadvise.c:76:10
	signed integer overflow:
	4 + 9223372036854775805 cannot be represented in type 'long long int'

Use unsigned types to do math.  Unsigned overflow is defined so UBSAN
will not complain about it.  This patch doesn't change generated code.

[akpm@linux-foundation.org: add comment explaining the casts]
Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Reported-by: &lt;icytxw@gmail.com&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Cc: Alexander Potapenko &lt;glider@google.com&gt;
Cc: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]

Signed integer overflow is undefined according to the C standard.  The
overflow in ksys_fadvise64_64() is deliberate, but since it is signed
overflow, UBSAN complains:

	UBSAN: Undefined behaviour in mm/fadvise.c:76:10
	signed integer overflow:
	4 + 9223372036854775805 cannot be represented in type 'long long int'

Use unsigned types to do math.  Unsigned overflow is defined so UBSAN
will not complain about it.  This patch doesn't change generated code.

[akpm@linux-foundation.org: add comment explaining the casts]
Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Reported-by: &lt;icytxw@gmail.com&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Cc: Alexander Potapenko &lt;glider@google.com&gt;
Cc: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mm/tlb: Remove tlb_remove_table() non-concurrent condition</title>
<updated>2018-09-09T18:04:34+00:00</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2018-08-22T15:30:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=70201a4e368833c15625d8dc32fd9c0286a12b58'/>
<id>70201a4e368833c15625d8dc32fd9c0286a12b58</id>
<content type='text'>
commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream.

Will noted that only checking mm_users is incorrect; we should also
check mm_count in order to cover CPUs that have a lazy reference to
this mm (and could do speculative TLB operations).

If removing this turns out to be a performance issue, we can
re-instate a more complete check, but in tlb_table_flush() eliding the
call_rcu_sched().

Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code")
Reported-by: Will Deacon &lt;will.deacon@arm.com&gt;
Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Acked-by: Rik van Riel &lt;riel@surriel.com&gt;
Acked-by: Will Deacon &lt;will.deacon@arm.com&gt;
Cc: Nicholas Piggin &lt;npiggin@gmail.com&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
Cc: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream.

Will noted that only checking mm_users is incorrect; we should also
check mm_count in order to cover CPUs that have a lazy reference to
this mm (and could do speculative TLB operations).

If removing this turns out to be a performance issue, we can
re-instate a more complete check, but in tlb_table_flush() eliding the
call_rcu_sched().

Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code")
Reported-by: Will Deacon &lt;will.deacon@arm.com&gt;
Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Acked-by: Rik van Riel &lt;riel@surriel.com&gt;
Acked-by: Will Deacon &lt;will.deacon@arm.com&gt;
Cc: Nicholas Piggin &lt;npiggin@gmail.com&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
Cc: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm/memory.c: check return value of ioremap_prot</title>
<updated>2018-09-05T07:18:36+00:00</updated>
<author>
<name>jie@chenjie6@huwei.com</name>
<email>jie@chenjie6@huwei.com</email>
</author>
<published>2018-08-11T00:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbee7b5b8c28ed02b6d6603eef27730c148a4481'/>
<id>fbee7b5b8c28ed02b6d6603eef27730c148a4481</id>
<content type='text'>
[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]

ioremap_prot() can return NULL which could lead to an oops.

Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
Signed-off-by: chen jie &lt;chenjie6@huawei.com&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Cc: Li Zefan &lt;lizefan@huawei.com&gt;
Cc: chenjie &lt;chenjie6@huawei.com&gt;
Cc: Yang Shi &lt;shy828301@gmail.com&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]

ioremap_prot() can return NULL which could lead to an oops.

Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
Signed-off-by: chen jie &lt;chenjie6@huawei.com&gt;
Reviewed-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Cc: Li Zefan &lt;lizefan@huawei.com&gt;
Cc: chenjie &lt;chenjie6@huawei.com&gt;
Cc: Yang Shi &lt;shy828301@gmail.com&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
