From: Greg Kroah-Hartman Date: Mon, 29 Aug 2022 08:17:34 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.140~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a1c228773f39b86491b105693eff2aeb887f9195;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: md-call-__md_stop_writes-in-md_stop.patch mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch --- diff --git a/queue-5.10/md-call-__md_stop_writes-in-md_stop.patch b/queue-5.10/md-call-__md_stop_writes-in-md_stop.patch new file mode 100644 index 00000000000..c719f32a9f4 --- /dev/null +++ b/queue-5.10/md-call-__md_stop_writes-in-md_stop.patch @@ -0,0 +1,36 @@ +From 0dd84b319352bb8ba64752d4e45396d8b13e6018 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Wed, 17 Aug 2022 20:05:14 +0800 +Subject: md: call __md_stop_writes in md_stop + +From: Guoqing Jiang + +commit 0dd84b319352bb8ba64752d4e45396d8b13e6018 upstream. + +From the link [1], we can see raid1d was running even after the path +raid_dtr -> md_stop -> __md_stop. + +Let's stop write first in destructor to align with normal md-raid to +fix the KASAN issue. + +[1]. https://lore.kernel.org/linux-raid/CAPhsuW5gc4AakdGNdF8ubpezAuDLFOYUO_sfMZcec6hQFm8nhg@mail.gmail.com/T/#m7f12bf90481c02c6d2da68c64aeed4779b7df74a + +Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") +Reported-by: Mikulas Patocka +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6299,6 +6299,7 @@ void md_stop(struct mddev *mddev) + /* stop the array and free an attached data structures. + * This is called from dm-raid + */ ++ __md_stop_writes(mddev); + __md_stop(mddev); + bioset_exit(&mddev->bio_set); + bioset_exit(&mddev->sync_set); diff --git a/queue-5.10/mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch b/queue-5.10/mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch new file mode 100644 index 00000000000..eb8de7f8898 --- /dev/null +++ b/queue-5.10/mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch @@ -0,0 +1,163 @@ +From f96f7a40874d7c746680c0b9f57cef2262ae551f Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 11 Aug 2022 12:34:34 +0200 +Subject: mm/hugetlb: fix hugetlb not supporting softdirty tracking + +From: David Hildenbrand + +commit f96f7a40874d7c746680c0b9f57cef2262ae551f upstream. + +Patch series "mm/hugetlb: fix write-fault handling for shared mappings", v2. + +I observed that hugetlb does not support/expect write-faults in shared +mappings that would have to map the R/O-mapped page writable -- and I +found two case where we could currently get such faults and would +erroneously map an anon page into a shared mapping. + +Reproducers part of the patches. + +I propose to backport both fixes to stable trees. The first fix needs a +small adjustment. + + +This patch (of 2): + +Staring at hugetlb_wp(), one might wonder where all the logic for shared +mappings is when stumbling over a write-protected page in a shared +mapping. In fact, there is none, and so far we thought we could get away +with that because e.g., mprotect() should always do the right thing and +map all pages directly writable. + +Looks like we were wrong: + +-------------------------------------------------------------------------- + #include + #include + #include + #include + #include + #include + #include + + #define HUGETLB_SIZE (2 * 1024 * 1024u) + + static void clear_softdirty(void) + { + int fd = open("/proc/self/clear_refs", O_WRONLY); + const char *ctrl = "4"; + int ret; + + if (fd < 0) { + fprintf(stderr, "open(clear_refs) failed\n"); + exit(1); + } + ret = write(fd, ctrl, strlen(ctrl)); + if (ret != strlen(ctrl)) { + fprintf(stderr, "write(clear_refs) failed\n"); + exit(1); + } + close(fd); + } + + int main(int argc, char **argv) + { + char *map; + int fd; + + fd = open("/dev/hugepages/tmp", O_RDWR | O_CREAT); + if (!fd) { + fprintf(stderr, "open() failed\n"); + return -errno; + } + if (ftruncate(fd, HUGETLB_SIZE)) { + fprintf(stderr, "ftruncate() failed\n"); + return -errno; + } + + map = mmap(NULL, HUGETLB_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + if (map == MAP_FAILED) { + fprintf(stderr, "mmap() failed\n"); + return -errno; + } + + *map = 0; + + if (mprotect(map, HUGETLB_SIZE, PROT_READ)) { + fprintf(stderr, "mmprotect() failed\n"); + return -errno; + } + + clear_softdirty(); + + if (mprotect(map, HUGETLB_SIZE, PROT_READ|PROT_WRITE)) { + fprintf(stderr, "mmprotect() failed\n"); + return -errno; + } + + *map = 0; + + return 0; + } +-------------------------------------------------------------------------- + +Above test fails with SIGBUS when there is only a single free hugetlb page. + # echo 1 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages + # ./test + Bus error (core dumped) + +And worse, with sufficient free hugetlb pages it will map an anonymous page +into a shared mapping, for example, messing up accounting during unmap +and breaking MAP_SHARED semantics: + # echo 2 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages + # ./test + # cat /proc/meminfo | grep HugePages_ + HugePages_Total: 2 + HugePages_Free: 1 + HugePages_Rsvd: 18446744073709551615 + HugePages_Surp: 0 + +Reason in this particular case is that vma_wants_writenotify() will +return "true", removing VM_SHARED in vma_set_page_prot() to map pages +write-protected. Let's teach vma_wants_writenotify() that hugetlb does not +support softdirty tracking. + +Link: https://lkml.kernel.org/r/20220811103435.188481-1-david@redhat.com +Link: https://lkml.kernel.org/r/20220811103435.188481-2-david@redhat.com +Fixes: 64e455079e1b ("mm: softdirty: enable write notifications on VMAs after VM_SOFTDIRTY cleared") +Signed-off-by: David Hildenbrand +Reviewed-by: Mike Kravetz +Cc: Peter Feiner +Cc: Kirill A. Shutemov +Cc: Cyrill Gorcunov +Cc: Pavel Emelyanov +Cc: Jamie Liu +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: Bjorn Helgaas +Cc: Muchun Song +Cc: Peter Xu +Cc: [3.18+] +Signed-off-by: Andrew Morton +Signed-off-by: David Hildenbrand +Signed-off-by: Greg Kroah-Hartman +--- + mm/mmap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1694,8 +1694,12 @@ int vma_wants_writenotify(struct vm_area + pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags))) + return 0; + +- /* Do we need to track softdirty? */ +- if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY)) ++ /* ++ * Do we need to track softdirty? hugetlb does not support softdirty ++ * tracking yet. ++ */ ++ if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) && ++ !is_vm_hugetlb_page(vma)) + return 1; + + /* Specialty mapping? */ diff --git a/queue-5.10/revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch b/queue-5.10/revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch new file mode 100644 index 00000000000..89bd169d602 --- /dev/null +++ b/queue-5.10/revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch @@ -0,0 +1,38 @@ +From 1d258758cf06a0734482989911d184dd5837ed4e Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Wed, 17 Aug 2022 20:05:13 +0800 +Subject: Revert "md-raid: destroy the bitmap after destroying the thread" + +From: Guoqing Jiang + +commit 1d258758cf06a0734482989911d184dd5837ed4e upstream. + +This reverts commit e151db8ecfb019b7da31d076130a794574c89f6f. Because it +obviously breaks clustered raid as noticed by Neil though it fixed KASAN +issue for dm-raid, let's revert it and fix KASAN issue in next commit. + +[1]. https://lore.kernel.org/linux-raid/a6657e08-b6a7-358b-2d2a-0ac37d49d23a@linux.dev/T/#m95ac225cab7409f66c295772483d091084a6d470 + +Fixes: e151db8ecfb0 ("md-raid: destroy the bitmap after destroying the thread") +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6278,11 +6278,11 @@ static void mddev_detach(struct mddev *m + static void __md_stop(struct mddev *mddev) + { + struct md_personality *pers = mddev->pers; ++ md_bitmap_destroy(mddev); + mddev_detach(mddev); + /* Ensure ->event_work is done */ + if (mddev->event_work.func) + flush_workqueue(md_misc_wq); +- md_bitmap_destroy(mddev); + spin_lock(&mddev->lock); + mddev->pers = NULL; + spin_unlock(&mddev->lock); diff --git a/queue-5.10/series b/queue-5.10/series index c9543a3a251..a663c3152e4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -73,3 +73,6 @@ asm-generic-sections-refactor-memory_intersects.patch s390-fix-double-free-of-gs-and-ri-cbs-on-fork-failure.patch acpi-processor-remove-freq-qos-request-for-all-cpus.patch xen-privcmd-fix-error-exit-of-privcmd_ioctl_dm_op.patch +mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch +revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch +md-call-__md_stop_writes-in-md_stop.patch