iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/mm
History
Zhaoyang Huang 8c61291fd8 mm: fix incorrect vbq reference in purge_fragmented_block 
xa_for_each() in _vm_unmap_aliases() loops through all vbs.  However,
since commit 062eacf57ad9 ("mm: vmalloc: remove a global vmap_blocks
xarray") the vb from xarray may not be on the corresponding CPU
vmap_block_queue.  Consequently, purge_fragmented_block() might use the
wrong vbq->lock to protect the free list, leading to vbq->free breakage.

Incorrect lock protection can exhaust all vmalloc space as follows:
CPU0                                            CPU1
+--------------------------------------------+
|    +--------------------+     +-----+      |
+--> |                    |---->|     |------+
     | CPU1:vbq free_list |     | vb1 |
+--- |                    |<----|     |<-----+
|    +--------------------+     +-----+      |
+--------------------------------------------+

_vm_unmap_aliases()                             vb_alloc()
                                                new_vmap_block()
xa_for_each(&vbq->vmap_blocks, idx, vb)
--> vb in CPU1:vbq->freelist

purge_fragmented_block(vb)
spin_lock(&vbq->lock)                           spin_lock(&vbq->lock)
--> use CPU0:vbq->lock                          --> use CPU1:vbq->lock

list_del_rcu(&vb->free_list)                    list_add_tail_rcu(&vb->free_list, &vbq->free)
    __list_del(vb->prev, vb->next)
        next->prev = prev
    +--------------------+
    |                    |
    | CPU1:vbq free_list |
+---|                    |<--+
|   +--------------------+   |
+----------------------------+
                                                __list_add(new, head->prev, head)
+--------------------------------------------+
|    +--------------------+     +-----+      |
+--> |                    |---->|     |------+
     | CPU1:vbq free_list |     | vb2 |
+--- |                    |<----|     |<-----+
|    +--------------------+     +-----+      |
+--------------------------------------------+

        prev->next = next
+--------------------------------------------+
|----------------------------+               |
|    +--------------------+  |  +-----+      |
+--> |                    |--+  |     |------+
     | CPU1:vbq free_list |     | vb2 |
+--- |                    |<----|     |<-----+
|    +--------------------+     +-----+      |
+--------------------------------------------+
Here’s a list breakdown. All vbs, which were to be added to
‘prev’, cannot be used by list_for_each_entry_rcu(vb, &vbq->free,
free_list) in vb_alloc(). Thus, vmalloc space is exhausted.

This issue affects both erofs and f2fs, the stacktrace is as follows:
erofs:
[<ffffffd4ffb93ad4>] __switch_to+0x174
[<ffffffd4ffb942f0>] __schedule+0x624
[<ffffffd4ffb946f4>] schedule+0x7c
[<ffffffd4ffb947cc>] schedule_preempt_disabled+0x24
[<ffffffd4ffb962ec>] __mutex_lock+0x374
[<ffffffd4ffb95998>] __mutex_lock_slowpath+0x14
[<ffffffd4ffb95954>] mutex_lock+0x24
[<ffffffd4fef2900c>] reclaim_and_purge_vmap_areas+0x44
[<ffffffd4fef25908>] alloc_vmap_area+0x2e0
[<ffffffd4fef24ea0>] vm_map_ram+0x1b0
[<ffffffd4ff1b46f4>] z_erofs_lz4_decompress+0x278
[<ffffffd4ff1b8ac4>] z_erofs_decompress_queue+0x650
[<ffffffd4ff1b8328>] z_erofs_runqueue+0x7f4
[<ffffffd4ff1b66a8>] z_erofs_read_folio+0x104
[<ffffffd4feeb6fec>] filemap_read_folio+0x6c
[<ffffffd4feeb68c4>] filemap_fault+0x300
[<ffffffd4fef0ecac>] __do_fault+0xc8
[<ffffffd4fef0c908>] handle_mm_fault+0xb38
[<ffffffd4ffb9f008>] do_page_fault+0x288
[<ffffffd4ffb9ed64>] do_translation_fault[jt]+0x40
[<ffffffd4fec39c78>] do_mem_abort+0x58
[<ffffffd4ffb8c3e4>] el0_ia+0x70
[<ffffffd4ffb8c260>] el0t_64_sync_handler[jt]+0xb0
[<ffffffd4fec11588>] ret_to_user[jt]+0x0

f2fs:
[<ffffffd4ffb93ad4>] __switch_to+0x174
[<ffffffd4ffb942f0>] __schedule+0x624
[<ffffffd4ffb946f4>] schedule+0x7c
[<ffffffd4ffb947cc>] schedule_preempt_disabled+0x24
[<ffffffd4ffb962ec>] __mutex_lock+0x374
[<ffffffd4ffb95998>] __mutex_lock_slowpath+0x14
[<ffffffd4ffb95954>] mutex_lock+0x24
[<ffffffd4fef2900c>] reclaim_and_purge_vmap_areas+0x44
[<ffffffd4fef25908>] alloc_vmap_area+0x2e0
[<ffffffd4fef24ea0>] vm_map_ram+0x1b0
[<ffffffd4ff1a3b60>] f2fs_prepare_decomp_mem+0x144
[<ffffffd4ff1a6c24>] f2fs_alloc_dic+0x264
[<ffffffd4ff175468>] f2fs_read_multi_pages+0x428
[<ffffffd4ff17b46c>] f2fs_mpage_readpages+0x314
[<ffffffd4ff1785c4>] f2fs_readahead+0x50
[<ffffffd4feec3384>] read_pages+0x80
[<ffffffd4feec32c0>] page_cache_ra_unbounded+0x1a0
[<ffffffd4feec39e8>] page_cache_ra_order+0x274
[<ffffffd4feeb6cec>] do_sync_mmap_readahead+0x11c
[<ffffffd4feeb6764>] filemap_fault+0x1a0
[<ffffffd4ff1423bc>] f2fs_filemap_fault+0x28
[<ffffffd4fef0ecac>] __do_fault+0xc8
[<ffffffd4fef0c908>] handle_mm_fault+0xb38
[<ffffffd4ffb9f008>] do_page_fault+0x288
[<ffffffd4ffb9ed64>] do_translation_fault[jt]+0x40
[<ffffffd4fec39c78>] do_mem_abort+0x58
[<ffffffd4ffb8c3e4>] el0_ia+0x70
[<ffffffd4ffb8c260>] el0t_64_sync_handler[jt]+0xb0
[<ffffffd4fec11588>] ret_to_user[jt]+0x0

To fix this, introducee cpu within vmap_block to record which this vb
belongs to.

Link: https://lkml.kernel.org/r/20240614021352.1822225-1-zhaoyang.huang@unisoc.com
Link: https://lkml.kernel.org/r/20240607023116.1720640-1-zhaoyang.huang@unisoc.com
Fixes: fc1e0d980037 ("mm/vmalloc: prevent stale TLBs in fully utilized blocks")
Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Suggested-by: Hailong.Liu <hailong.liu@oppo.com>
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-06-24 20:52:08 -07:00
..
damon
mm/damon/core: fix return value from damos_wmark_metric_value
2024-05-11 15:41:36 -07:00
kasan
fix missing vmalloc.h includes
2024-04-25 20:55:49 -07:00
kfence
mm: introduce slabobj_ext to support slab object extensions
2024-04-25 20:55:51 -07:00
kmsan
kmsan: do not wipe out origin when doing partial unpoisoning
2024-06-05 19:19:25 -07:00
backing-dev.c
writeback: support retrieving per group debug writeback stats of bdi
2024-05-05 17:53:51 -07:00
balloon_compaction.c
bootmem_info.c
bootmem: use kmemleak_free_part_phys in put_page_bootmem
2023-10-25 16:47:13 -07:00
cma_debug.c
cma_sysfs.c
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
cma.c
mm/cma: drop incorrect alignment check in cma_init_reserved_mem
2024-04-25 20:56:42 -07:00
cma.h
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
compaction.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
debug_page_alloc.c
mm: page_alloc: consolidate free page accounting
2024-04-25 20:56:04 -07:00
debug_page_ref.c
debug_vm_pgtable.c
mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick
2024-06-15 10:43:08 -07:00
debug.c
mm/debug: print only page mapcount (excluding folio entire mapcount) in __dump_folio()
2024-05-05 17:53:31 -07:00
dmapool_test.c
dmapool.c
mm/mempool/dmapool: remove CONFIG_DEBUG_SLAB ifdefs
2023-12-05 11:17:58 +01:00
early_ioremap.c
mm/early_ioremap.c: improve the execution efficiency of early_ioremap_setup()
2023-06-09 16:25:56 -07:00
execmem.c
mm/execmem, arch: convert remaining overrides of module_alloc to execmem
2024-05-14 00:31:43 -07:00
fadvise.c
mm: remove unnecessary pagevec includes
2023-06-23 16:59:31 -07:00
fail_page_alloc.c
mm: page_alloc: split out FAIL_PAGE_ALLOC
2023-06-09 16:25:23 -07:00
failslab.c
filemap.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
folio-compat.c
mm: remove __set_page_dirty_nobuffers()
2024-04-25 20:56:25 -07:00
gup_test.c
Merge mm-hotfixes-stable into mm-stable to pick up depended-upon changes.
2023-06-23 16:58:19 -07:00
gup_test.h
gup.c
mm/gup: fix hugepd handling in hugetlb rework
2024-05-07 10:37:01 -07:00
highmem.c
x86/kexec: use pr_err() instead of kexec_dprintk() when an error occurs
2023-12-29 12:22:28 -08:00
hmm.c
mm/treewide: replace pXd_huge() with pXd_leaf()
2024-04-25 20:55:46 -07:00
huge_memory.c
mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
2024-06-15 10:43:06 -07:00
hugetlb_cgroup.c
mm/hugetlb: assert hugetlb_lock in __hugetlb_cgroup_commit_charge
2024-05-05 17:53:41 -07:00
hugetlb_vmemmap.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
hugetlb_vmemmap.h
mm: hugetlb_vmemmap: fix reference to nonexistent file
2023-10-25 16:47:14 -07:00
hugetlb.c
mm/hugetlb: do not call vma_add_reservation upon ENOMEM
2024-06-05 19:19:26 -07:00
hwpoison-inject.c
mm/memory-failure: convert shake_page() to shake_folio()
2024-05-05 17:53:45 -07:00
init-mm.c
mm: Deprecate pasid field
2023-12-12 10:11:32 +01:00
internal.h
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
interval_tree.c
io-mapping.c
ioremap.c
mm: ioremap: remove unneeded ioremap_allowed and iounmap_allowed
2023-08-18 10:12:36 -07:00
Kconfig
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
Kconfig.debug
mm/slub: unify all sl[au]b parameters with "slab_$param"
2024-01-22 10:31:08 +01:00
khugepaged.c
mm: simplify thp_vma_allowable_order
2024-05-05 17:53:53 -07:00
kmemleak.c
mm: lift gfp_kmemleak_mask() to gfp.h
2024-05-19 14:40:44 -07:00
ksm.c
mm/ksm: fix ksm_zero_pages accounting
2024-06-05 19:19:26 -07:00
list_lru.c
mm/zswap: stop lru list shrinking when encounter warm region
2024-02-22 10:24:54 -08:00
maccess.c
madvise.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
Makefile
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mapping_dirty_helpers.c
mm: fix clean_record_shared_mapping_range kernel-doc
2023-08-24 16:20:30 -07:00
memblock.c
memblock: use numa_valid_node() helper to check for invalid node ID
2024-06-16 10:17:57 +03:00
memcontrol.c
mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
2024-06-15 10:43:08 -07:00
memfd.c
mm/memfd: refactor memfd_tag_pins() and memfd_wait_for_pins()
2024-03-04 17:01:21 -08:00
memory_hotplug.c
mm/hugetlb: rename dissolve_free_huge_pages() to dissolve_free_hugetlb_folios()
2024-05-05 17:53:35 -07:00
memory-failure.c
mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
2024-05-24 11:55:08 -07:00
memory-tiers.c
memory tier: create CPUless memory tiers after obtaining HMAT info
2024-05-05 17:53:26 -07:00
memory.c
mm: fix possible OOB in numa_rebuild_large_mapping()
2024-06-15 10:43:07 -07:00
mempolicy.c
mm: add pmd_folio()
2024-04-25 20:56:19 -07:00
mempool.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
memremap.c
mm: convert put_devmap_managed_page_refs() to put_devmap_managed_folio_refs()
2024-05-05 17:53:49 -07:00
memtest.c
memtest: use {READ,WRITE}_ONCE in memory scanning
2024-03-13 12:12:21 -07:00
migrate_device.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
migrate.c
mm/migrate: fix kernel BUG at mm/compaction.c:2761!
2024-06-15 10:43:07 -07:00
mincore.c
mm: enable page walking API to lock vmas during the walk
2023-08-21 13:07:20 -07:00
mlock.c
mm: add pmd_folio()
2024-04-25 20:56:19 -07:00
mm_init.c
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
mm_slot.h
mmap_lock.c
mmap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mmu_gather.c
mm/mmu_gather: improve cond_resched() handling with large folios and expensive page freeing
2024-02-22 15:27:17 -08:00
mmu_notifier.c
mmu_notifier: remove the .change_pte() callback
2024-04-11 13:18:36 -04:00
mmzone.c
zswap: shrink zswap pool based on memory pressure
2023-12-12 10:57:02 -08:00
mprotect.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mremap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mseal.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
msync.c
nommu.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
oom_kill.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
page_alloc.c
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
page_counter.c
page_ext.c
mm: make page_ext_get() take a const argument
2024-04-25 20:56:14 -07:00
page_idle.c
page_io.c
mm: drop the 'anon_' prefix for swap-out mTHP counters
2024-06-05 19:19:23 -07:00
page_isolation.c
mm: page_isolation: prepare for hygienic freelists
2024-04-25 20:56:04 -07:00
page_owner.c
mm/page-owner: use gfp_nested_mask() instead of open coded masking
2024-05-19 14:40:44 -07:00
page_poison.c
mm/page_poison: replace kmap_atomic() with kmap_local_page()
2023-12-10 16:51:50 -08:00
page_reporting.c
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
page_reporting.h
page_table_check.c
mm/page_table_check: fix crash on ZONE_DEVICE
2024-06-15 10:43:04 -07:00
page_vma_mapped.c
mm: make page_mapped_in_vma conditional on CONFIG_MEMORY_FAILURE
2024-05-05 17:53:45 -07:00
page-writeback.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
pagewalk.c
mm: pagewalk: assert write mmap lock only for walking the user page tables
2023-12-10 16:51:53 -08:00
percpu-internal.h
mm: percpu: add codetag reference into pcpuobj_ext
2024-04-25 20:55:56 -07:00
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu: clean up all mappings when pcpu_map_pages() fails
2024-04-25 20:55:49 -07:00
percpu.c
mm: percpu: enable per-cpu allocation tagging
2024-04-25 20:55:56 -07:00
pgalloc-track.h
pgtable-generic.c
mm: fix race between __split_huge_pmd_locked() and GUP-fast
2024-05-07 10:37:00 -07:00
process_vm_access.c
mm: fix process_vm_rw page counts
2023-12-10 16:51:39 -08:00
ptdump.c
mm: ptdump: add check_wx_pages debugfs attribute
2024-02-22 10:24:47 -08:00
readahead.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
rmap.c
mm: do not update memcg stats for NR_{FILE/SHMEM}_PMDMAPPED
2024-05-11 15:41:35 -07:00
rodata_test.c
secretmem.c
mm/secretmem: use a folio in secretmem_fault()
2023-08-21 13:38:02 -07:00
shmem_quota.c
tmpfs: fix race on handling dquot rbtree
2024-03-26 11:07:23 -07:00
shmem.c
mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
2024-06-15 10:43:08 -07:00
show_mem.c
lib: add memory allocations report in show_mem()
2024-04-25 20:55:57 -07:00
shrinker_debug.c
mm: shrinker: convert shrinker_rwsem to mutex
2023-10-04 10:32:26 -07:00
shrinker.c
mm: shrinker: use kvzalloc_node() from expand_one_shrinker_info()
2024-01-05 09:58:32 -08:00
shuffle.c
shuffle.h
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
slab_common.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slab.h
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slub.c
codetag: avoid race at alloc_slab_obj_exts
2024-06-05 19:19:26 -07:00
sparse-vmemmap.c
mm/vmemmap: allow architectures to override how vmemmap optimization works
2023-08-18 10:12:53 -07:00
sparse.c
mm/sparse: guard the size of mem_section is power of 2
2024-05-05 17:53:40 -07:00
swap_cgroup.c
swap_slots.c
mm: swap: update get_swap_pages() to take folio order
2024-04-25 20:56:37 -07:00
swap_state.c
mm: remove struct page from get_shadow_from_swap_cache
2024-04-25 20:56:40 -07:00
swap.c
mm: add kernel-doc for folio_mark_accessed()
2024-05-05 17:53:50 -07:00
swap.h
mm/swap: fix race when skipping swapcache
2024-02-20 14:20:48 -08:00
swapfile.c
getting rid of bogus set_blocksize() uses, switching it
2024-05-21 08:34:51 -07:00
truncate.c
mm: convert pagecache_isize_extended to use a folio
2024-04-25 20:56:43 -07:00
usercopy.c
userfaultfd.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
util.c
hardening fixes for v6.10-rc5
2024-06-17 12:00:22 -07:00
vmalloc.c
mm: fix incorrect vbq reference in purge_fragmented_block
2024-06-24 20:52:08 -07:00
vmpressure.c
eventfd: simplify eventfd_signal()
2023-11-28 14:08:38 +01:00
vmscan.c
mm: drop the 'anon_' prefix for swap-out mTHP counters
2024-06-05 19:19:23 -07:00
vmstat.c
iommu: observability of the IOMMU allocations
2024-04-15 14:31:47 +02:00
workingset.c
mm: cleanup WORKINGSET_NODES in workingset
2024-05-07 10:36:59 -07:00
z3fold.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zbud.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zpool.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zsmalloc.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zswap.c
mm: zswap: remove same_filled module params
2024-05-05 17:53:38 -07:00