--- /dev/null
+From 0dd84b319352bb8ba64752d4e45396d8b13e6018 Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+Date: Wed, 17 Aug 2022 20:05:14 +0800
+Subject: md: call __md_stop_writes in md_stop
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+commit 0dd84b319352bb8ba64752d4e45396d8b13e6018 upstream.
+
+From the link [1], we can see raid1d was running even after the path
+raid_dtr -> md_stop -> __md_stop.
+
+Let's stop write first in destructor to align with normal md-raid to
+fix the KASAN issue.
+
+[1]. https://lore.kernel.org/linux-raid/CAPhsuW5gc4AakdGNdF8ubpezAuDLFOYUO_sfMZcec6hQFm8nhg@mail.gmail.com/T/#m7f12bf90481c02c6d2da68c64aeed4779b7df74a
+
+Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop")
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6266,6 +6266,7 @@ void md_stop(struct mddev *mddev)
+ /* stop the array and free an attached data structures.
+ * This is called from dm-raid
+ */
++ __md_stop_writes(mddev);
+ __md_stop(mddev);
+ bioset_exit(&mddev->bio_set);
+ bioset_exit(&mddev->sync_set);
--- /dev/null
+From f96f7a40874d7c746680c0b9f57cef2262ae551f Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 11 Aug 2022 12:34:34 +0200
+Subject: mm/hugetlb: fix hugetlb not supporting softdirty tracking
+
+From: David Hildenbrand <david@redhat.com>
+
+commit f96f7a40874d7c746680c0b9f57cef2262ae551f upstream.
+
+Patch series "mm/hugetlb: fix write-fault handling for shared mappings", v2.
+
+I observed that hugetlb does not support/expect write-faults in shared
+mappings that would have to map the R/O-mapped page writable -- and I
+found two case where we could currently get such faults and would
+erroneously map an anon page into a shared mapping.
+
+Reproducers part of the patches.
+
+I propose to backport both fixes to stable trees. The first fix needs a
+small adjustment.
+
+
+This patch (of 2):
+
+Staring at hugetlb_wp(), one might wonder where all the logic for shared
+mappings is when stumbling over a write-protected page in a shared
+mapping. In fact, there is none, and so far we thought we could get away
+with that because e.g., mprotect() should always do the right thing and
+map all pages directly writable.
+
+Looks like we were wrong:
+
+--------------------------------------------------------------------------
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+
+ #define HUGETLB_SIZE (2 * 1024 * 1024u)
+
+ static void clear_softdirty(void)
+ {
+ int fd = open("/proc/self/clear_refs", O_WRONLY);
+ const char *ctrl = "4";
+ int ret;
+
+ if (fd < 0) {
+ fprintf(stderr, "open(clear_refs) failed\n");
+ exit(1);
+ }
+ ret = write(fd, ctrl, strlen(ctrl));
+ if (ret != strlen(ctrl)) {
+ fprintf(stderr, "write(clear_refs) failed\n");
+ exit(1);
+ }
+ close(fd);
+ }
+
+ int main(int argc, char **argv)
+ {
+ char *map;
+ int fd;
+
+ fd = open("/dev/hugepages/tmp", O_RDWR | O_CREAT);
+ if (!fd) {
+ fprintf(stderr, "open() failed\n");
+ return -errno;
+ }
+ if (ftruncate(fd, HUGETLB_SIZE)) {
+ fprintf(stderr, "ftruncate() failed\n");
+ return -errno;
+ }
+
+ map = mmap(NULL, HUGETLB_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "mmap() failed\n");
+ return -errno;
+ }
+
+ *map = 0;
+
+ if (mprotect(map, HUGETLB_SIZE, PROT_READ)) {
+ fprintf(stderr, "mmprotect() failed\n");
+ return -errno;
+ }
+
+ clear_softdirty();
+
+ if (mprotect(map, HUGETLB_SIZE, PROT_READ|PROT_WRITE)) {
+ fprintf(stderr, "mmprotect() failed\n");
+ return -errno;
+ }
+
+ *map = 0;
+
+ return 0;
+ }
+--------------------------------------------------------------------------
+
+Above test fails with SIGBUS when there is only a single free hugetlb page.
+ # echo 1 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
+ # ./test
+ Bus error (core dumped)
+
+And worse, with sufficient free hugetlb pages it will map an anonymous page
+into a shared mapping, for example, messing up accounting during unmap
+and breaking MAP_SHARED semantics:
+ # echo 2 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
+ # ./test
+ # cat /proc/meminfo | grep HugePages_
+ HugePages_Total: 2
+ HugePages_Free: 1
+ HugePages_Rsvd: 18446744073709551615
+ HugePages_Surp: 0
+
+Reason in this particular case is that vma_wants_writenotify() will
+return "true", removing VM_SHARED in vma_set_page_prot() to map pages
+write-protected. Let's teach vma_wants_writenotify() that hugetlb does not
+support softdirty tracking.
+
+Link: https://lkml.kernel.org/r/20220811103435.188481-1-david@redhat.com
+Link: https://lkml.kernel.org/r/20220811103435.188481-2-david@redhat.com
+Fixes: 64e455079e1b ("mm: softdirty: enable write notifications on VMAs after VM_SOFTDIRTY cleared")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Jamie Liu <jamieliu@google.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: <stable@vger.kernel.org> [3.18+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1693,8 +1693,12 @@ int vma_wants_writenotify(struct vm_area
+ pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))
+ return 0;
+
+- /* Do we need to track softdirty? */
+- if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY))
++ /*
++ * Do we need to track softdirty? hugetlb does not support softdirty
++ * tracking yet.
++ */
++ if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) &&
++ !is_vm_hugetlb_page(vma))
+ return 1;
+
+ /* Specialty mapping? */
--- /dev/null
+From 1d258758cf06a0734482989911d184dd5837ed4e Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+Date: Wed, 17 Aug 2022 20:05:13 +0800
+Subject: Revert "md-raid: destroy the bitmap after destroying the thread"
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+commit 1d258758cf06a0734482989911d184dd5837ed4e upstream.
+
+This reverts commit e151db8ecfb019b7da31d076130a794574c89f6f. Because it
+obviously breaks clustered raid as noticed by Neil though it fixed KASAN
+issue for dm-raid, let's revert it and fix KASAN issue in next commit.
+
+[1]. https://lore.kernel.org/linux-raid/a6657e08-b6a7-358b-2d2a-0ac37d49d23a@linux.dev/T/#m95ac225cab7409f66c295772483d091084a6d470
+
+Fixes: e151db8ecfb0 ("md-raid: destroy the bitmap after destroying the thread")
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6244,11 +6244,11 @@ static void mddev_detach(struct mddev *m
+ static void __md_stop(struct mddev *mddev)
+ {
+ struct md_personality *pers = mddev->pers;
++ md_bitmap_destroy(mddev);
+ mddev_detach(mddev);
+ /* Ensure ->event_work is done */
+ if (mddev->event_work.func)
+ flush_workqueue(md_misc_wq);
+- md_bitmap_destroy(mddev);
+ spin_lock(&mddev->lock);
+ mddev->pers = NULL;
+ spin_unlock(&mddev->lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
