From: Greg Kroah-Hartman Date: Tue, 20 May 2025 09:09:48 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.15.184~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=62e75bcb10aacbd8e6f8eed512c87b4bcae55df2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch --- diff --git a/queue-6.6/mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch b/queue-6.6/mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch new file mode 100644 index 0000000000..7c7c9468bf --- /dev/null +++ b/queue-6.6/mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch @@ -0,0 +1,154 @@ +From fefc075182275057ce607effaa3daa9e6e3bdc73 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Tue, 6 May 2025 16:32:07 +0300 +Subject: mm/page_alloc: fix race condition in unaccepted memory handling + +From: Kirill A. Shutemov + +commit fefc075182275057ce607effaa3daa9e6e3bdc73 upstream. + +The page allocator tracks the number of zones that have unaccepted memory +using static_branch_enc/dec() and uses that static branch in hot paths to +determine if it needs to deal with unaccepted memory. + +Borislav and Thomas pointed out that the tracking is racy: operations on +static_branch are not serialized against adding/removing unaccepted pages +to/from the zone. + +Sanity checks inside static_branch machinery detects it: + +WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0 + +The comment around the WARN() explains the problem: + + /* + * Warn about the '-1' case though; since that means a + * decrement is concurrent with a first (0->1) increment. IOW + * people are trying to disable something that wasn't yet fully + * enabled. This suggests an ordering problem on the user side. + */ + +The effect of this static_branch optimization is only visible on +microbenchmark. + +Instead of adding more complexity around it, remove it altogether. + +Link: https://lkml.kernel.org/r/20250506133207.1009676-1-kirill.shutemov@linux.intel.com +Signed-off-by: Kirill A. Shutemov +Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory") +Link: https://lore.kernel.org/all/20250506092445.GBaBnVXXyvnazly6iF@fat_crate.local +Reported-by: Borislav Petkov +Tested-by: Borislav Petkov (AMD) +Reported-by: Thomas Gleixner +Cc: Vlastimil Babka +Cc: Suren Baghdasaryan +Cc: Michal Hocko +Cc: Brendan Jackman +Cc: Johannes Weiner +Cc: [6.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 27 --------------------------- + 1 file changed, 27 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -303,7 +303,6 @@ EXPORT_SYMBOL(nr_online_nodes); + static bool page_contains_unaccepted(struct page *page, unsigned int order); + static void accept_page(struct page *page, unsigned int order); + static bool cond_accept_memory(struct zone *zone, unsigned int order); +-static inline bool has_unaccepted_memory(void); + static bool __free_unaccepted(struct page *page); + + int page_group_by_mobility_disabled __read_mostly; +@@ -6586,9 +6585,6 @@ bool has_managed_dma(void) + + #ifdef CONFIG_UNACCEPTED_MEMORY + +-/* Counts number of zones with unaccepted pages. */ +-static DEFINE_STATIC_KEY_FALSE(zones_with_unaccepted_pages); +- + static bool lazy_accept = true; + + static int __init accept_memory_parse(char *p) +@@ -6624,7 +6620,6 @@ static bool try_to_accept_memory_one(str + { + unsigned long flags; + struct page *page; +- bool last; + + spin_lock_irqsave(&zone->lock, flags); + page = list_first_entry_or_null(&zone->unaccepted_pages, +@@ -6635,7 +6630,6 @@ static bool try_to_accept_memory_one(str + } + + list_del(&page->lru); +- last = list_empty(&zone->unaccepted_pages); + + __mod_zone_freepage_state(zone, -MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); + __mod_zone_page_state(zone, NR_UNACCEPTED, -MAX_ORDER_NR_PAGES); +@@ -6645,9 +6639,6 @@ static bool try_to_accept_memory_one(str + + __free_pages_ok(page, MAX_ORDER, FPI_TO_TAIL); + +- if (last) +- static_branch_dec(&zones_with_unaccepted_pages); +- + return true; + } + +@@ -6656,9 +6647,6 @@ static bool cond_accept_memory(struct zo + long to_accept, wmark; + bool ret = false; + +- if (!has_unaccepted_memory()) +- return false; +- + if (list_empty(&zone->unaccepted_pages)) + return false; + +@@ -6688,30 +6676,20 @@ static bool cond_accept_memory(struct zo + return ret; + } + +-static inline bool has_unaccepted_memory(void) +-{ +- return static_branch_unlikely(&zones_with_unaccepted_pages); +-} +- + static bool __free_unaccepted(struct page *page) + { + struct zone *zone = page_zone(page); + unsigned long flags; +- bool first = false; + + if (!lazy_accept) + return false; + + spin_lock_irqsave(&zone->lock, flags); +- first = list_empty(&zone->unaccepted_pages); + list_add_tail(&page->lru, &zone->unaccepted_pages); + __mod_zone_freepage_state(zone, MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); + __mod_zone_page_state(zone, NR_UNACCEPTED, MAX_ORDER_NR_PAGES); + spin_unlock_irqrestore(&zone->lock, flags); + +- if (first) +- static_branch_inc(&zones_with_unaccepted_pages); +- + return true; + } + +@@ -6730,11 +6708,6 @@ static bool cond_accept_memory(struct zo + { + return false; + } +- +-static inline bool has_unaccepted_memory(void) +-{ +- return false; +-} + + static bool __free_unaccepted(struct page *page) + { diff --git a/queue-6.6/series b/queue-6.6/series index 0997ab5260..05e9748ef9 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -101,3 +101,4 @@ dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_alloc.patch dmaengine-idxd-fix-memory-leak-in-error-handling-path-of-idxd_pci_probe.patch dmaengine-idxd-refactor-remove-call-with-idxd_cleanup-helper.patch x86-its-fix-build-error-for-its_static_thunk.patch +mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch