From: Greg Kroah-Hartman
Date: Mon, 15 Nov 2021 14:02:11 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.160~50
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b09165bcf8add981dbc6c43d84eeabe035fc474d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	9p-net-fix-missing-error-check-in-p9_check_errors.patch
	memcg-prohibit-unconditional-exceeding-the-limit-of-dying-tasks.patch
	mm-filemap.c-remove-bogus-vm_bug_on.patch
---

diff --git a/queue-5.15/9p-net-fix-missing-error-check-in-p9_check_errors.patch b/queue-5.15/9p-net-fix-missing-error-check-in-p9_check_errors.patch
new file mode 100644
index 00000000000..397064cf7f7
--- /dev/null
+++ b/queue-5.15/9p-net-fix-missing-error-check-in-p9_check_errors.patch
@@ -0,0 +1,29 @@
+From 27eb4c3144f7a5ebef3c9a261d80cb3e1fa784dc Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Tue, 2 Nov 2021 19:47:47 +0900
+Subject: 9p/net: fix missing error check in p9_check_errors
+
+From: Dominique Martinet
+
+commit 27eb4c3144f7a5ebef3c9a261d80cb3e1fa784dc upstream.
+
+Link: https://lkml.kernel.org/r/99338965-d36c-886e-cd0e-1d8fff2b4746@gmail.com
+Reported-by: syzbot+06472778c97ed94af66d@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/9p/client.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -541,6 +541,8 @@ static int p9_check_errors(struct p9_cli
+ 		kfree(ename);
+ 	} else {
+ 		err = p9pdu_readf(&req->rc, c->proto_version, "d", &ecode);
++		if (err)
++			goto out_err;
+ 		err = -ecode;
+ 
+ 		p9_debug(P9_DEBUG_9P, "<<< RLERROR (%d)\n", -ecode);
diff --git a/queue-5.15/memcg-prohibit-unconditional-exceeding-the-limit-of-dying-tasks.patch b/queue-5.15/memcg-prohibit-unconditional-exceeding-the-limit-of-dying-tasks.patch
new file mode 100644
index 00000000000..11e34011ec4
--- /dev/null
+++ b/queue-5.15/memcg-prohibit-unconditional-exceeding-the-limit-of-dying-tasks.patch
@@ -0,0 +1,143 @@
+From a4ebf1b6ca1e011289677239a2a361fde4a88076 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Fri, 5 Nov 2021 13:38:09 -0700
+Subject: memcg: prohibit unconditional exceeding the limit of dying tasks
+
+From: Vasily Averin
+
+commit a4ebf1b6ca1e011289677239a2a361fde4a88076 upstream.
+
+Memory cgroup charging allows killed or exiting tasks to exceed the hard
+limit. It is assumed that the amount of the memory charged by those
+tasks is bound and most of the memory will get released while the task
+is exiting. This is resembling a heuristic for the global OOM situation
+when tasks get access to memory reserves. There is no global memory
+shortage at the memcg level so the memcg heuristic is more relieved.
+
+The above assumption is overly optimistic though. E.g. vmalloc can
+scale to really large requests and the heuristic would allow that. We
+used to have an early break in the vmalloc allocator for killed tasks
+but this has been reverted by commit b8c8a338f75e ("Revert "vmalloc:
+back off when the current task is killed""). There are likely other
+similar code paths which do not check for fatal signals in an
+allocation&charge loop. Also there are some kernel objects charged to a
+memcg which are not bound to a process life time.
+
+It has been observed that it is not really hard to trigger these
+bypasses and cause global OOM situation.
+
+One potential way to address these runaways would be to limit the amount
+of excess (similar to the global OOM with limited oom reserves). This
+is certainly possible but it is not really clear how much of an excess
+is desirable and still protects from global OOMs as that would have to
+consider the overall memcg configuration.
+
+This patch is addressing the problem by removing the heuristic
+altogether. Bypass is only allowed for requests which either cannot
+fail or where the failure is not desirable while excess should be still
+limited (e.g. atomic requests). Implementation wise a killed or dying
+task fails to charge if it has passed the OOM killer stage. That should
+give all forms of reclaim chance to restore the limit before the failure
+(ENOMEM) and tell the caller to back off.
+
+In addition, this patch renames should_force_charge() helper to
+task_is_dying() because now its use is not associated with forced
+charging.
+
+This patch depends on pagefault_out_of_memory() to not trigger
+out_of_memory(), because then a memcg failure can unwind to VM_FAULT_OOM
+and cause a global OOM killer.
+
+Link: https://lkml.kernel.org/r/8f5cebbb-06da-4902-91f0-6566fc4b4203@virtuozzo.com
+Signed-off-by: Vasily Averin
+Suggested-by: Michal Hocko
+Acked-by: Michal Hocko
+Cc: Johannes Weiner
+Cc: Vladimir Davydov
+Cc: Roman Gushchin
+Cc: Uladzislau Rezki
+Cc: Vlastimil Babka
+Cc: Shakeel Butt
+Cc: Mel Gorman
+Cc: Tetsuo Handa
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memcontrol.c |   27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -239,7 +239,7 @@ enum res_type {
+ 	     iter != NULL;				\
+ 	     iter = mem_cgroup_iter(NULL, iter, NULL))
+ 
+-static inline bool should_force_charge(void)
++static inline bool task_is_dying(void)
+ {
+ 	return tsk_is_oom_victim(current) || fatal_signal_pending(current) ||
+ 		(current->flags & PF_EXITING);
+@@ -1575,7 +1575,7 @@ static bool mem_cgroup_out_of_memory(str
+ 	 * A few threads which were not waiting at mutex_lock_killable() can
+ 	 * fail to bail out. Therefore, check again after holding oom_lock.
+ 	 */
+-	ret = should_force_charge() || out_of_memory(&oc);
++	ret = task_is_dying() || out_of_memory(&oc);
+ 
+ unlock:
+ 	mutex_unlock(&oom_lock);
+@@ -2530,6 +2530,7 @@ static int try_charge_memcg(struct mem_c
+ 	struct page_counter *counter;
+ 	enum oom_status oom_status;
+ 	unsigned long nr_reclaimed;
++	bool passed_oom = false;
+ 	bool may_swap = true;
+ 	bool drained = false;
+ 	unsigned long pflags;
+@@ -2565,15 +2566,6 @@ retry:
+ 		goto force;
+ 
+ 	/*
+-	 * Unlike in global OOM situations, memcg is not in a physical
+-	 * memory shortage. Allow dying and OOM-killed tasks to
+-	 * bypass the last charges so that they can exit quickly and
+-	 * free their memory.
+-	 */
+-	if (unlikely(should_force_charge()))
+-		goto force;
+-
+-	/*
+ 	 * Prevent unbounded recursion when reclaim operations need to
+ 	 * allocate memory. This might exceed the limits temporarily,
+	 * but we prefer facilitating memory reclaim and getting back
+@@ -2630,8 +2622,9 @@ retry:
+ 	if (gfp_mask & __GFP_RETRY_MAYFAIL)
+ 		goto nomem;
+ 
+-	if (fatal_signal_pending(current))
+-		goto force;
++	/* Avoid endless loop for tasks bypassed by the oom killer */
++	if (passed_oom && task_is_dying())
++		goto nomem;
+ 
+ 	/*
+ 	 * keep retrying as long as the memcg oom killer is able to make
+@@ -2640,14 +2633,10 @@ retry:
+ 	 */
+ 	oom_status = mem_cgroup_oom(mem_over_limit, gfp_mask,
+ 		       get_order(nr_pages * PAGE_SIZE));
+-	switch (oom_status) {
+-	case OOM_SUCCESS:
++	if (oom_status == OOM_SUCCESS) {
++		passed_oom = true;
+ 		nr_retries = MAX_RECLAIM_RETRIES;
+ 		goto retry;
+-	case OOM_FAILED:
+-		goto force;
+-	default:
+-		goto nomem;
+ 	}
+ nomem:
+ 	if (!(gfp_mask & __GFP_NOFAIL))
diff --git a/queue-5.15/mm-filemap.c-remove-bogus-vm_bug_on.patch b/queue-5.15/mm-filemap.c-remove-bogus-vm_bug_on.patch
new file mode 100644
index 00000000000..6cd2398d365
--- /dev/null
+++ b/queue-5.15/mm-filemap.c-remove-bogus-vm_bug_on.patch
@@ -0,0 +1,37 @@
+From d417b49fff3e2f21043c834841e8623a6098741d Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Fri, 5 Nov 2021 13:37:10 -0700
+Subject: mm/filemap.c: remove bogus VM_BUG_ON
+
+From: Matthew Wilcox (Oracle)
+
+commit d417b49fff3e2f21043c834841e8623a6098741d upstream.
+
+It is not safe to check page->index without holding the page lock. It
+can be changed if the page is moved between the swap cache and the page
+cache for a shmem file, for example. There is a VM_BUG_ON below which
+checks page->index is correct after taking the page lock.
+
+Link: https://lkml.kernel.org/r/20210818144932.940640-1-willy@infradead.org
+Fixes: 5c211ba29deb ("mm: add and use find_lock_entries")
+Signed-off-by: Matthew Wilcox (Oracle)
+Reported-by:
+Cc: Hugh Dickins
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/filemap.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2093,7 +2093,6 @@ unsigned find_lock_entries(struct addres
+ 		if (!xa_is_value(page)) {
+ 			if (page->index < start)
+ 				goto put;
+-			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
+ 			if (page->index + thp_nr_pages(page) - 1 > end)
+ 				goto put;
+ 			if (!trylock_page(page))
diff --git a/queue-5.15/series b/queue-5.15/series
index cef108f5bd3..2067060f265 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -874,3 +874,6 @@ dmaengine-ti-k3-udma-set-bchan-to-null-if-a-channel-request-fail.patch
 dmaengine-ti-k3-udma-set-r-tchan-or-rflow-to-null-if-request-fail.patch
 dmaengine-bestcomm-fix-system-boot-lockups.patch
 net-neigh-enable-state-migration-between-nud_permane.patch
+9p-net-fix-missing-error-check-in-p9_check_errors.patch
+mm-filemap.c-remove-bogus-vm_bug_on.patch
+memcg-prohibit-unconditional-exceeding-the-limit-of-dying-tasks.patch