--- /dev/null
+From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 9 Sep 2024 21:35:58 +0900
+Subject: mm: shmem: fix data-race in shmem_getattr()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit d949d1d14fa281ace388b1de978e8f2cd52875cf upstream.
+
+I got the following KCSAN report during syzbot testing:
+
+==================================================================
+BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current
+
+write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1:
+ inode_set_ctime_to_ts include/linux/fs.h:1638 [inline]
+ inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626
+ shmem_mknod+0x117/0x180 mm/shmem.c:3443
+ shmem_create+0x34/0x40 mm/shmem.c:3497
+ lookup_open fs/namei.c:3578 [inline]
+ open_last_lookups fs/namei.c:3647 [inline]
+ path_openat+0xdbc/0x1f00 fs/namei.c:3883
+ do_filp_open+0xf7/0x200 fs/namei.c:3913
+ do_sys_openat2+0xab/0x120 fs/open.c:1416
+ do_sys_open fs/open.c:1431 [inline]
+ __do_sys_openat fs/open.c:1447 [inline]
+ __se_sys_openat fs/open.c:1442 [inline]
+ __x64_sys_openat+0xf3/0x120 fs/open.c:1442
+ x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0:
+ inode_get_ctime_nsec include/linux/fs.h:1623 [inline]
+ inode_get_ctime include/linux/fs.h:1629 [inline]
+ generic_fillattr+0x1dd/0x2f0 fs/stat.c:62
+ shmem_getattr+0x17b/0x200 mm/shmem.c:1157
+ vfs_getattr_nosec fs/stat.c:166 [inline]
+ vfs_getattr+0x19b/0x1e0 fs/stat.c:207
+ vfs_statx_path fs/stat.c:251 [inline]
+ vfs_statx+0x134/0x2f0 fs/stat.c:315
+ vfs_fstatat+0xec/0x110 fs/stat.c:341
+ __do_sys_newfstatat fs/stat.c:505 [inline]
+ __se_sys_newfstatat+0x58/0x260 fs/stat.c:499
+ __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499
+ x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+value changed: 0x2755ae53 -> 0x27ee44d3
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+==================================================================
+
+When calling generic_fillattr(), if you don't hold read lock, data-race
+will occur in inode member variables, which can cause unexpected
+behavior.
+
+Since there is no special protection when shmem_getattr() calls
+generic_fillattr(), data-race occurs by functions such as shmem_unlink()
+or shmem_mknod(). This can cause unexpected results, so commenting it out
+is not enough.
+
+Therefore, when calling generic_fillattr() from shmem_getattr(), it is
+appropriate to protect the inode using inode_lock_shared() and
+inode_unlock_shared() to prevent data-race.
+
+Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com
+Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Reported-by: syzbot <syzkaller@googlegroup.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1163,7 +1163,9 @@ static int shmem_getattr(struct mnt_idma
+ stat->attributes_mask |= (STATX_ATTR_APPEND |
+ STATX_ATTR_IMMUTABLE |
+ STATX_ATTR_NODUMP);
++ inode_lock_shared(inode);
+ generic_fillattr(idmap, request_mask, inode, stat);
++ inode_unlock_shared(inode);
+
+ if (shmem_huge_global_enabled(inode, 0, false, NULL, 0))
+ stat->blksize = HPAGE_PMD_SIZE;
--- /dev/null
+From 15e8156713cc38031642fafc8baf7d53f19f2e83 Mon Sep 17 00:00:00 2001
+From: Chen Ridong <chenridong@huawei.com>
+Date: Fri, 25 Oct 2024 06:09:42 +0000
+Subject: mm: shrinker: avoid memleak in alloc_shrinker_info
+
+From: Chen Ridong <chenridong@huawei.com>
+
+commit 15e8156713cc38031642fafc8baf7d53f19f2e83 upstream.
+
+A memleak was found as below:
+
+unreferenced object 0xffff8881010d2a80 (size 32):
+ comm "mkdir", pid 1559, jiffies 4294932666
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
+ backtrace (crc 2e7ef6fa):
+ [<ffffffff81372754>] __kmalloc_node_noprof+0x394/0x470
+ [<ffffffff813024ab>] alloc_shrinker_info+0x7b/0x1a0
+ [<ffffffff813b526a>] mem_cgroup_css_online+0x11a/0x3b0
+ [<ffffffff81198dd9>] online_css+0x29/0xa0
+ [<ffffffff811a243d>] cgroup_apply_control_enable+0x20d/0x360
+ [<ffffffff811a5728>] cgroup_mkdir+0x168/0x5f0
+ [<ffffffff8148543e>] kernfs_iop_mkdir+0x5e/0x90
+ [<ffffffff813dbb24>] vfs_mkdir+0x144/0x220
+ [<ffffffff813e1c97>] do_mkdirat+0x87/0x130
+ [<ffffffff813e1de9>] __x64_sys_mkdir+0x49/0x70
+ [<ffffffff81f8c928>] do_syscall_64+0x68/0x140
+ [<ffffffff8200012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+alloc_shrinker_info(), when shrinker_unit_alloc() returns an errer, the
+info won't be freed. Just fix it.
+
+Link: https://lkml.kernel.org/r/20241025060942.1049263-1-chenridong@huaweicloud.com
+Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Acked-by: Qi Zheng <zhengqi.arch@bytedance.com>
+Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Wang Weiyang <wangweiyang2@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shrinker.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/mm/shrinker.c
++++ b/mm/shrinker.c
+@@ -76,19 +76,21 @@ void free_shrinker_info(struct mem_cgrou
+
+ int alloc_shrinker_info(struct mem_cgroup *memcg)
+ {
+- struct shrinker_info *info;
+ int nid, ret = 0;
+ int array_size = 0;
+
+ mutex_lock(&shrinker_mutex);
+ array_size = shrinker_unit_size(shrinker_nr_max);
+ for_each_node(nid) {
+- info = kvzalloc_node(sizeof(*info) + array_size, GFP_KERNEL, nid);
++ struct shrinker_info *info = kvzalloc_node(sizeof(*info) + array_size,
++ GFP_KERNEL, nid);
+ if (!info)
+ goto err;
+ info->map_nr_max = shrinker_nr_max;
+- if (shrinker_unit_alloc(info, NULL, nid))
++ if (shrinker_unit_alloc(info, NULL, nid)) {
++ kvfree(info);
+ goto err;
++ }
+ rcu_assign_pointer(memcg->nodeinfo[nid]->shrinker_info, info);
+ }
+ mutex_unlock(&shrinker_mutex);
nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch
nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch
risc-v-acpi-fix-early_ioremap-to-early_memremap.patch
+mm-shmem-fix-data-race-in-shmem_getattr.patch
+tools-mm-werror-fixes-in-page-types-slabinfo.patch
+mm-shrinker-avoid-memleak-in-alloc_shrinker_info.patch
--- /dev/null
+From ece5897e5a10fcd56a317e32f2dc7219f366a5a8 Mon Sep 17 00:00:00 2001
+From: Wladislav Wiebe <wladislav.kw@gmail.com>
+Date: Tue, 22 Oct 2024 19:21:13 +0200
+Subject: tools/mm: -Werror fixes in page-types/slabinfo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wladislav Wiebe <wladislav.kw@gmail.com>
+
+commit ece5897e5a10fcd56a317e32f2dc7219f366a5a8 upstream.
+
+Commit e6d2c436ff693 ("tools/mm: allow users to provide additional
+cflags/ldflags") passes now CFLAGS to Makefile. With this, build systems
+with default -Werror enabled found:
+
+slabinfo.c:1300:25: error: ignoring return value of 'chdir'
+declared with attribute 'warn_unused_result' [-Werror=unused-result]
+ chdir("..");
+ ^~~~~~~~~~~
+page-types.c:397:35: error: format '%lu' expects argument of type
+'long unsigned int', but argument 2 has type 'uint64_t'
+{aka 'long long unsigned int'} [-Werror=format=]
+ printf("%lu\t", mapcnt0);
+ ~~^ ~~~~~~~
+..
+
+Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo
+for return code on chdir("..").
+
+Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com
+Fixes: e6d2c436ff69 ("tools/mm: allow users to provide additional cflags/ldflags")
+Signed-off-by: Wladislav Wiebe <wladislav.kw@gmail.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Herton R. Krzesinski <herton@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/mm/page-types.c | 9 +++++----
+ tools/mm/slabinfo.c | 4 +++-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/tools/mm/page-types.c
++++ b/tools/mm/page-types.c
+@@ -22,6 +22,7 @@
+ #include <time.h>
+ #include <setjmp.h>
+ #include <signal.h>
++#include <inttypes.h>
+ #include <sys/types.h>
+ #include <sys/errno.h>
+ #include <sys/fcntl.h>
+@@ -392,9 +393,9 @@ static void show_page_range(unsigned lon
+ if (opt_file)
+ printf("%lx\t", voff);
+ if (opt_list_cgroup)
+- printf("@%llu\t", (unsigned long long)cgroup0);
++ printf("@%" PRIu64 "\t", cgroup0);
+ if (opt_list_mapcnt)
+- printf("%lu\t", mapcnt0);
++ printf("%" PRIu64 "\t", mapcnt0);
+ printf("%lx\t%lx\t%s\n",
+ index, count, page_flag_name(flags0));
+ }
+@@ -420,9 +421,9 @@ static void show_page(unsigned long voff
+ if (opt_file)
+ printf("%lx\t", voffset);
+ if (opt_list_cgroup)
+- printf("@%llu\t", (unsigned long long)cgroup);
++ printf("@%" PRIu64 "\t", cgroup)
+ if (opt_list_mapcnt)
+- printf("%lu\t", mapcnt);
++ printf("%" PRIu64 "\t", mapcnt);
+
+ printf("%lx\t%s\n", offset, page_flag_name(flags));
+ }
+--- a/tools/mm/slabinfo.c
++++ b/tools/mm/slabinfo.c
+@@ -1297,7 +1297,9 @@ static void read_slab_dir(void)
+ slab->cpu_partial_free = get_obj("cpu_partial_free");
+ slab->alloc_node_mismatch = get_obj("alloc_node_mismatch");
+ slab->deactivate_bypass = get_obj("deactivate_bypass");
+- chdir("..");
++ if (chdir(".."))
++ fatal("Unable to chdir from slab ../%s\n",
++ slab->name);
+ if (slab->name[0] == ':')
+ alias_targets++;
+ slab++;
projects / thirdparty / kernel / stable-queue.git / commitdiff
