From: "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>
Subject: [PATCH for v4.9 LTS 031/111] shmem: fix sleeping from atomic context
Date: Sun, 4 Jun 2017 08:12:07 +0000
Message-ID: <20170604081123.19462-31-alexander.levin@verizon.com>
In-Reply-To: <20170604081123.19462-1-alexander.levin@verizon.com>

From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

[ Upstream commit 253fd0f02040a19c6fe80e4171659fa3482a422d ]

Syzkaller fuzzer managed to trigger this:

    BUG: sleeping function called from invalid context at mm/shmem.c:852
    in_atomic(): 1, irqs_disabled(): 0, pid: 529, name: khugepaged
    3 locks held by khugepaged/529:
     #0:  (shrinker_rwsem){++++..}, at: [<ffffffff818d7ef1>] shrink_slab.part.59+0x121/0xd30 mm/vmscan.c:451
     #1:  (&type->s_umount_key#29){++++..}, at: [<ffffffff81a63630>] trylock_super+0x20/0x100 fs/super.c:392
     #2:  (&(&sbinfo->shrinklist_lock)->rlock){+.+.-.}, at: [<ffffffff818fd83e>] spin_lock include/linux/spinlock.h:302 [inline]
     #2:  (&(&sbinfo->shrinklist_lock)->rlock){+.+.-.}, at: [<ffffffff818fd83e>] shmem_unused_huge_shrink+0x28e/0x1490 mm/shmem.c:427
    CPU: 2 PID: 529 Comm: khugepaged Not tainted 4.10.0-rc5+ #201
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
       shmem_undo_range+0xb20/0x2710 mm/shmem.c:852
       shmem_truncate_range+0x27/0xa0 mm/shmem.c:939
       shmem_evict_inode+0x35f/0xca0 mm/shmem.c:1030
       evict+0x46e/0x980 fs/inode.c:553
       iput_final fs/inode.c:1515 [inline]
       iput+0x589/0xb20 fs/inode.c:1542
       shmem_unused_huge_shrink+0xbad/0x1490 mm/shmem.c:446
       shmem_unused_huge_scan+0x10c/0x170 mm/shmem.c:512
       super_cache_scan+0x376/0x450 fs/super.c:106
       do_shrink_slab mm/vmscan.c:378 [inline]
       shrink_slab.part.59+0x543/0xd30 mm/vmscan.c:481
       shrink_slab mm/vmscan.c:2592 [inline]
       shrink_node+0x2c7/0x870 mm/vmscan.c:2592
       shrink_zones mm/vmscan.c:2734 [inline]
       do_try_to_free_pages+0x369/0xc80 mm/vmscan.c:2776
       try_to_free_pages+0x3c6/0x900 mm/vmscan.c:2982
       __perform_reclaim mm/page_alloc.c:3301 [inline]
       __alloc_pages_direct_reclaim mm/page_alloc.c:3322 [inline]
       __alloc_pages_slowpath+0xa24/0x1c30 mm/page_alloc.c:3683
       __alloc_pages_nodemask+0x544/0xae0 mm/page_alloc.c:3848
       __alloc_pages include/linux/gfp.h:426 [inline]
       __alloc_pages_node include/linux/gfp.h:439 [inline]
       khugepaged_alloc_page+0xc2/0x1b0 mm/khugepaged.c:750
       collapse_huge_page+0x182/0x1fe0 mm/khugepaged.c:955
       khugepaged_scan_pmd+0xfdf/0x12a0 mm/khugepaged.c:1208
       khugepaged_scan_mm_slot mm/khugepaged.c:1727 [inline]
       khugepaged_do_scan mm/khugepaged.c:1808 [inline]
       khugepaged+0xe9b/0x1590 mm/khugepaged.c:1853
       kthread+0x326/0x3f0 kernel/kthread.c:227
       ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430

The iput() from atomic context was a bad idea: if after igrab() somebody
else calls iput() and we are left with the last inode reference, our iput()
would lead to inode eviction and therefore sleeping.

This patch should fix the situation.

Link: http://lkml.kernel.org/r/20170131093141.GA15899@node.shutemov.name
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
---
 mm/shmem.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/mm/shmem.c b/mm/shmem.c
index 9d32e1cb9f38..d99cfb6eb03a 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -412,6 +412,7 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
 		struct shrink_control *sc, unsigned long nr_to_split)
 {
 	LIST_HEAD(list), *pos, *next;
+	LIST_HEAD(to_remove);
 	struct inode *inode;
 	struct shmem_inode_info *info;
 	struct page *page;
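Review bot: the new LIST_HEAD(to_remove) sits next to LIST_HEAD(list) with nothing to say how the two local lists differ. A one-line comment at the declaration, for example "inodes whose iput() is deferred until shrinklist_lock is dropped", would keep a later cleanup from merging the lists or moving the iput() back under the spinlock, which is the sleeping-in-atomic report the commit message quotes.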
@@ -438,9 +439,8 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
 		/* Check if there's anything to gain */
 		if (round_up(inode->i_size, PAGE_SIZE) ==
 				round_up(inode->i_size, HPAGE_PMD_SIZE)) {
-			list_del_init(&info->shrinklist);
+			list_move(&info->shrinklist, &to_remove);
 			removed++;
-			iput(inode);
 			goto next;
 		}
 
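Review bot: the iput(inode) is dropped from the "anything to gain" branch only, and this hunk shows just that one branch of the loop. Please confirm that no other path between spin_lock(&sbinfo->shrinklist_lock) and the matching spin_unlock() can still call iput(), since any remaining call there has the same final-reference eviction problem described in the commit message.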
@@ -451,6 +451,13 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
 	}
 	spin_unlock(&sbinfo->shrinklist_lock);
 
+	list_for_each_safe(pos, next, &to_remove) {
+		info = list_entry(pos, struct shmem_inode_info, shrinklist);
+		inode = &info->vfs_inode;
+		list_del_init(&info->shrinklist);
+		iput(inode);
+	}
+
 	list_for_each_safe(pos, next, &list) {
 		int ret;
 
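Review bot: list_del_init(&info->shrinklist) in the new to_remove loop runs after spin_unlock(&sbinfo->shrinklist_lock), whereas the list_del_init() it replaces ran with the lock held. That is safe only if nothing else can reach info->shrinklist once it is on the private to_remove list, including code that tests list_empty(&info->shrinklist) while the entry is still linked there; please state that in a comment. The order of the two calls also matters: info embeds the inode (inode = &info->vfs_inode), so list_del_init() has to stay ahead of iput(inode), which may evict the inode, and a short comment saying so would protect it from reordering.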
-- 
2.11.0
