Stable Archive on lore.kernel.org
 help / color / Atom feed
* [patch 01/11] device-dax: don't leak kernel memory to user space after unloading kmem
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
@ 2020-05-23  5:22 ` Andrew Morton
  2020-05-23  5:22 ` [patch 03/11] rapidio: fix an error in get_user_pages_fast() error handling Andrew Morton
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:22 UTC (permalink / raw)
  To: akpm, dan.j.williams, dave.jiang, david, linux-mm, mm-commits,
	pasha.tatashin, stable, torvalds, vishal.l.verma

From: David Hildenbrand <david@redhat.com>
Subject: device-dax: don't leak kernel memory to user space after unloading kmem

Assume we have kmem configured and loaded:
  [root@localhost ~]# cat /proc/iomem
  ...
  140000000-33fffffff : Persistent Memory$
    140000000-1481fffff : namespace0.0
    150000000-33fffffff : dax0.0
      150000000-33fffffff : System RAM

Assume we try to unload kmem. This force-unloading will work, even if
memory cannot get removed from the system.
  [root@localhost ~]# rmmod kmem
  [   86.380228] removing memory fails, because memory [0x0000000150000000-0x0000000157ffffff] is onlined
  ...
  [   86.431225] kmem dax0.0: DAX region [mem 0x150000000-0x33fffffff] cannot be hotremoved until the next reboot

Now, we can reconfigure the namespace:
  [root@localhost ~]# ndctl create-namespace --force --reconfig=namespace0.0 --mode=devdax
  [  131.409351] nd_pmem namespace0.0: could not reserve region [mem 0x140000000-0x33fffffff]dax
  [  131.410147] nd_pmem: probe of namespace0.0 failed with error -16namespace0.0 --mode=devdax
  ...

This fails as expected due to the busy memory resource, and the memory
cannot be used. However, the dax0.0 device is removed, and along its name.

The name of the memory resource now points at freed memory (name of the
device).
  [root@localhost ~]# cat /proc/iomem
  ...
  140000000-33fffffff : Persistent Memory
    140000000-1481fffff : namespace0.0
    150000000-33fffffff : �_�^7_��/_��wR��WQ���^��� ...
    150000000-33fffffff : System RAM

We have to make sure to duplicate the string.  While at it, remove the
superfluous setting of the name and fixup a stale comment.

Link: http://lkml.kernel.org/r/20200508084217.9160-2-david@redhat.com
Fixes: 9f960da72b25 ("device-dax: "Hotremove" persistent memory that is used like normal RAM")
Signed-off-by: David Hildenbrand <david@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org>	[5.3]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/dax/kmem.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/dax/kmem.c~device-dax-dont-leak-kernel-memory-to-user-space-after-unloading-kmem
+++ a/drivers/dax/kmem.c
@@ -22,6 +22,7 @@ int dev_dax_kmem_probe(struct device *de
 	resource_size_t kmem_size;
 	resource_size_t kmem_end;
 	struct resource *new_res;
+	const char *new_res_name;
 	int numa_node;
 	int rc;
 
@@ -48,11 +49,16 @@ int dev_dax_kmem_probe(struct device *de
 	kmem_size &= ~(memory_block_size_bytes() - 1);
 	kmem_end = kmem_start + kmem_size;
 
-	/* Region is permanently reserved.  Hot-remove not yet implemented. */
-	new_res = request_mem_region(kmem_start, kmem_size, dev_name(dev));
+	new_res_name = kstrdup(dev_name(dev), GFP_KERNEL);
+	if (!new_res_name)
+		return -ENOMEM;
+
+	/* Region is permanently reserved if hotremove fails. */
+	new_res = request_mem_region(kmem_start, kmem_size, new_res_name);
 	if (!new_res) {
 		dev_warn(dev, "could not reserve region [%pa-%pa]\n",
 			 &kmem_start, &kmem_end);
+		kfree(new_res_name);
 		return -EBUSY;
 	}
 
@@ -63,12 +69,12 @@ int dev_dax_kmem_probe(struct device *de
 	 * unknown to us that will break add_memory() below.
 	 */
 	new_res->flags = IORESOURCE_SYSTEM_RAM;
-	new_res->name = dev_name(dev);
 
 	rc = add_memory(numa_node, new_res->start, resource_size(new_res));
 	if (rc) {
 		release_resource(new_res);
 		kfree(new_res);
+		kfree(new_res_name);
 		return rc;
 	}
 	dev_dax->dax_kmem_res = new_res;
@@ -83,6 +89,7 @@ static int dev_dax_kmem_remove(struct de
 	struct resource *res = dev_dax->dax_kmem_res;
 	resource_size_t kmem_start = res->start;
 	resource_size_t kmem_size = resource_size(res);
+	const char *res_name = res->name;
 	int rc;
 
 	/*
@@ -102,6 +109,7 @@ static int dev_dax_kmem_remove(struct de
 	/* Release and free dax resources */
 	release_resource(res);
 	kfree(res);
+	kfree(res_name);
 	dev_dax->dax_kmem_res = NULL;
 
 	return 0;
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [patch 03/11] rapidio: fix an error in get_user_pages_fast() error handling
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
  2020-05-23  5:22 ` [patch 01/11] device-dax: don't leak kernel memory to user space after unloading kmem Andrew Morton
@ 2020-05-23  5:22 ` Andrew Morton
  2020-05-23  5:22 ` [patch 06/11] kasan: disable branch tracing for core runtime Andrew Morton
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:22 UTC (permalink / raw)
  To: akpm, alex.bou9, dan.carpenter, jhubbard, linux-mm, mm-commits,
	mporter, stable, sumit.semwal, torvalds

From: John Hubbard <jhubbard@nvidia.com>
Subject: rapidio: fix an error in get_user_pages_fast() error handling

In the case of get_user_pages_fast() returning fewer pages than requested,
rio_dma_transfer() does not quite do the right thing.  It attempts to
release all the pages that were requested, rather than just the pages that
were pinned.

Fix the error handling so that only the pages that were successfully
pinned are released.

Link: http://lkml.kernel.org/r/20200517235620.205225-2-jhubbard@nvidia.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/rapidio/devices/rio_mport_cdev.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/rapidio/devices/rio_mport_cdev.c~rapidio-fix-an-error-in-get_user_pages_fast-error-handling
+++ a/drivers/rapidio/devices/rio_mport_cdev.c
@@ -877,6 +877,11 @@ rio_dma_transfer(struct file *filp, u32
 				rmcd_error("pinned %ld out of %ld pages",
 					   pinned, nr_pages);
 			ret = -EFAULT;
+			/*
+			 * Set nr_pages up to mean "how many pages to unpin, in
+			 * the error handler:
+			 */
+			nr_pages = pinned;
 			goto err_pg;
 		}
 
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [patch 06/11] kasan: disable branch tracing for core runtime
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
  2020-05-23  5:22 ` [patch 01/11] device-dax: don't leak kernel memory to user space after unloading kmem Andrew Morton
  2020-05-23  5:22 ` [patch 03/11] rapidio: fix an error in get_user_pages_fast() error handling Andrew Morton
@ 2020-05-23  5:22 ` Andrew Morton
  2020-05-23  5:23 ` [patch 07/11] sh: include linux/time_types.h for sockios Andrew Morton
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:22 UTC (permalink / raw)
  To: akpm, andreyknvl, aryabinin, cai, dvyukov, elver, glider,
	linux-mm, mm-commits, rong.a.chen, stable, torvalds

From: Marco Elver <elver@google.com>
Subject: kasan: disable branch tracing for core runtime

During early boot, while KASAN is not yet initialized, it is possible to
enter reporting code-path and end up in kasan_report().  While
uninitialized, the branch there prevents generating any reports, however,
under certain circumstances when branches are being traced
(TRACE_BRANCH_PROFILING), we may recurse deep enough to cause kernel
reboots without warning.

To prevent similar issues in future, we should disable branch tracing for
the core runtime.

[elver@google.com: remove duplicate DISABLE_BRANCH_PROFILING, per Qian Cai]
  Link: https://lore.kernel.org/lkml/20200517011732.GE24705@shao2-debian/
  Link: http://lkml.kernel.org/r/20200522075207.157349-1-elver@google.com
Link: http://lkml.kernel.org/r//20200517011732.GE24705@shao2-debian/
Link: http://lkml.kernel.org/r/20200519182459.87166-1-elver@google.com
Signed-off-by: Marco Elver <elver@google.com>
Reported-by: kernel test robot <rong.a.chen@intel.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Qian Cai <cai@lca.pw>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/kasan/Makefile  |   16 ++++++++--------
 mm/kasan/generic.c |    1 -
 mm/kasan/tags.c    |    1 -
 3 files changed, 8 insertions(+), 10 deletions(-)

--- a/mm/kasan/generic.c~kasan-disable-branch-tracing-for-core-runtime
+++ a/mm/kasan/generic.c
@@ -15,7 +15,6 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#define DISABLE_BRANCH_PROFILING
 
 #include <linux/export.h>
 #include <linux/interrupt.h>
--- a/mm/kasan/Makefile~kasan-disable-branch-tracing-for-core-runtime
+++ a/mm/kasan/Makefile
@@ -15,14 +15,14 @@ CFLAGS_REMOVE_tags_report.o = $(CC_FLAGS
 
 # Function splitter causes unnecessary splits in __asan_load1/__asan_store1
 # see: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63533
-CFLAGS_common.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_generic.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_generic_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_init.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_quarantine.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_tags.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
-CFLAGS_tags_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+CFLAGS_common.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_generic.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_generic_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_init.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_quarantine.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_tags.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
+CFLAGS_tags_report.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector) -DDISABLE_BRANCH_PROFILING
 
 obj-$(CONFIG_KASAN) := common.o init.o report.o
 obj-$(CONFIG_KASAN_GENERIC) += generic.o generic_report.o quarantine.o
--- a/mm/kasan/tags.c~kasan-disable-branch-tracing-for-core-runtime
+++ a/mm/kasan/tags.c
@@ -12,7 +12,6 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#define DISABLE_BRANCH_PROFILING
 
 #include <linux/export.h>
 #include <linux/interrupt.h>
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [patch 07/11] sh: include linux/time_types.h for sockios
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (2 preceding siblings ...)
  2020-05-23  5:22 ` [patch 06/11] kasan: disable branch tracing for core runtime Andrew Morton
@ 2020-05-23  5:23 ` Andrew Morton
  2020-05-23  5:23 ` [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() Andrew Morton
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:23 UTC (permalink / raw)
  To: akpm, arnd, dalias, davem, glaubitz, linux-mm, mm-commits,
	stable, torvalds, ysato

From: Arnd Bergmann <arnd@arndb.de>
Subject: sh: include linux/time_types.h for sockios

Using the socket ioctls on arch/sh (and only there) causes build time
problems when __kernel_old_timeval/__kernel_old_timespec are not already
visible to the compiler.

Add an explict include line for the header that defines these
structures.

Link: http://lkml.kernel.org/r/20200519131327.1836482-1-arnd@arndb.de
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Fixes: 8c709f9a0693 ("y2038: sh: remove timeval/timespec usage from headers")
Fixes: 0768e17073dc ("net: socket: implement 64-bit timestamps")
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 arch/sh/include/uapi/asm/sockios.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/sh/include/uapi/asm/sockios.h~sh-include-linux-time_typesh-for-sockios
+++ a/arch/sh/include/uapi/asm/sockios.h
@@ -2,6 +2,8 @@
 #ifndef __ASM_SH_SOCKIOS_H
 #define __ASM_SH_SOCKIOS_H
 
+#include <linux/time_types.h>
+
 /* Socket-level I/O control calls. */
 #define FIOGETOWN	_IOR('f', 123, int)
 #define FIOSETOWN 	_IOW('f', 124, int)
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (3 preceding siblings ...)
  2020-05-23  5:23 ` [patch 07/11] sh: include linux/time_types.h for sockios Andrew Morton
@ 2020-05-23  5:23 ` Andrew Morton
  2020-05-23 19:01   ` Mike Rapoport
  2020-05-23  5:23 ` [patch 10/11] z3fold: fix use-after-free when freeing handles Andrew Morton
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:23 UTC (permalink / raw)
  To: akpm, davem, linux-mm, lkp, matorola, mm-commits, rppt, stable, torvalds

From: Mike Rapoport <rppt@linux.ibm.com>
Subject: sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()

The kbuild test robot reported the following warning:

arch/sparc/mm/srmmu.c: In function 'srmmu_nocache_init':
>> arch/sparc/mm/srmmu.c:300:9: error: variable 'pud' set but not used
>> [-Werror=unused-but-set-variable]
300 |  pud_t *pud;

This warning is caused by misprint in the page table traversal in
srmmu_nocache_init() function which accessed a PMD entry using PGD rather
than PUD.

Since sparc32 has only 3 page table levels, the PGD and PUD are
essentially the same and usage of __nocache_fix() removed the type
checking.

Use PUD for the consistency and to silence the compiler warning.

Link: http://lkml.kernel.org/r/20200520132005.GM1059226@linux.ibm.com
Fixes: 7235db268a2777bc38 ("sparc32: use pgtable-nopud instead of 4level-fixup")
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
Reported-by: kbuild test robot <lkp@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Anatoly Pugachev <matorola@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 arch/sparc/mm/srmmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/sparc/mm/srmmu.c~sparc32-use-pud-rather-than-pgd-to-get-pmd-in-srmmu_nocache_init
+++ a/arch/sparc/mm/srmmu.c
@@ -333,7 +333,7 @@ static void __init srmmu_nocache_init(vo
 		pgd = pgd_offset_k(vaddr);
 		p4d = p4d_offset(__nocache_fix(pgd), vaddr);
 		pud = pud_offset(__nocache_fix(p4d), vaddr);
-		pmd = pmd_offset(__nocache_fix(pgd), vaddr);
+		pmd = pmd_offset(__nocache_fix(pud), vaddr);
 		pte = pte_offset_kernel(__nocache_fix(pmd), vaddr);
 
 		pteval = ((paddr >> 4) | SRMMU_ET_PTE | SRMMU_PRIV);
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [patch 10/11] z3fold: fix use-after-free when freeing handles
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (4 preceding siblings ...)
  2020-05-23  5:23 ` [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() Andrew Morton
@ 2020-05-23  5:23 ` Andrew Morton
  2020-05-25  0:08 ` + mmthp-stop-leaking-unreleased-file-pages.patch added to -mm tree Andrew Morton
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-23  5:23 UTC (permalink / raw)
  To: akpm, cai, linux-mm, mm-commits, shentino, stable, torvalds,
	uladzislau.rezki, vitaly.wool

From: Uladzislau Rezki <uladzislau.rezki@sony.com>
Subject: z3fold: fix use-after-free when freeing handles

free_handle() for a foreign handle may race with inter-page compaction,
what can lead to memory corruption.  To avoid that, take write lock not
read lock in free_handle to be synchronized with __release_z3fold_page().

For example KASAN can detect it:

[   33.723357] ==================================================================
[   33.723401] BUG: KASAN: use-after-free in LZ4_decompress_safe+0x2c4/0x3b8
[   33.723418] Read of size 1 at addr ffffffc976695ca3 by task GoogleApiHandle/4121
[   33.723428]
[   33.723449] CPU: 0 PID: 4121 Comm: GoogleApiHandle Tainted: P S         OE     4.19.81-perf+ #162
[   33.723461] Hardware name: Sony Mobile Communications. PDX-203(KONA) (DT)
[   33.723473] Call trace:
[   33.723495] dump_backtrace+0x0/0x288
[   33.723512] show_stack+0x14/0x20
[   33.723533] dump_stack+0xe4/0x124
[   33.723551] print_address_description+0x80/0x2e0
[   33.723566] kasan_report+0x268/0x2d0
[   33.723584] __asan_load1+0x4c/0x58
[   33.723601] LZ4_decompress_safe+0x2c4/0x3b8
[   33.723619] lz4_decompress_crypto+0x3c/0x70
[   33.723636] crypto_decompress+0x58/0x70
[   33.723656] zcomp_decompress+0xd4/0x120
...

Apart from that, initialize zhdr->mapped_count in init_z3fold_page() and
remove "newpage" variable because it is not used anywhere.

Link: http://lkml.kernel.org/r/20200520082100.28876-1-vitaly.wool@konsulko.com
Signed-off-by: Uladzislau Rezki <uladzislau.rezki@sony.com>
Signed-off-by: Vitaly Wool <vitaly.wool@konsulko.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Raymond Jennings <shentino@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/z3fold.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/mm/z3fold.c~z3fold-fix-use-after-free-when-freeing-handles
+++ a/mm/z3fold.c
@@ -318,16 +318,16 @@ static inline void free_handle(unsigned
 	slots = handle_to_slots(handle);
 	write_lock(&slots->lock);
 	*(unsigned long *)handle = 0;
-	write_unlock(&slots->lock);
-	if (zhdr->slots == slots)
+	if (zhdr->slots == slots) {
+		write_unlock(&slots->lock);
 		return; /* simple case, nothing else to do */
+	}
 
 	/* we are freeing a foreign handle if we are here */
 	zhdr->foreign_handles--;
 	is_free = true;
-	read_lock(&slots->lock);
 	if (!test_bit(HANDLES_ORPHANED, &slots->pool)) {
-		read_unlock(&slots->lock);
+		write_unlock(&slots->lock);
 		return;
 	}
 	for (i = 0; i <= BUDDY_MASK; i++) {
@@ -336,7 +336,7 @@ static inline void free_handle(unsigned
 			break;
 		}
 	}
-	read_unlock(&slots->lock);
+	write_unlock(&slots->lock);
 
 	if (is_free) {
 		struct z3fold_pool *pool = slots_to_pool(slots);
@@ -422,6 +422,7 @@ static struct z3fold_header *init_z3fold
 	zhdr->start_middle = 0;
 	zhdr->cpu = -1;
 	zhdr->foreign_handles = 0;
+	zhdr->mapped_count = 0;
 	zhdr->slots = slots;
 	zhdr->pool = pool;
 	INIT_LIST_HEAD(&zhdr->buddy);
_

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
  2020-05-23  5:23 ` [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() Andrew Morton
@ 2020-05-23 19:01   ` Mike Rapoport
  2020-05-23 19:10     ` Linus Torvalds
  0 siblings, 1 reply; 12+ messages in thread
From: Mike Rapoport @ 2020-05-23 19:01 UTC (permalink / raw)
  To: Andrew Morton
  Cc: davem, linux-mm, lkp, matorola, mm-commits, stable, torvalds

On Fri, May 22, 2020 at 10:23:09PM -0700, Andrew Morton wrote:
> From: Mike Rapoport <rppt@linux.ibm.com>
> Subject: sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
> 
> The kbuild test robot reported the following warning:
> 
> arch/sparc/mm/srmmu.c: In function 'srmmu_nocache_init':
> >> arch/sparc/mm/srmmu.c:300:9: error: variable 'pud' set but not used
> >> [-Werror=unused-but-set-variable]
> 300 |  pud_t *pud;
> 
> This warning is caused by misprint in the page table traversal in
> srmmu_nocache_init() function which accessed a PMD entry using PGD rather
> than PUD.
> 
> Since sparc32 has only 3 page table levels, the PGD and PUD are
> essentially the same and usage of __nocache_fix() removed the type
> checking.
> 
> Use PUD for the consistency and to silence the compiler warning.

Unfortunately, this fixes a compile warning but breaks the boot :(

Since pgd, p4d and pud are eesentially the same thing and pgd_offset()
and p4d_offset() are no-ops, the __nocache_fix() should be done only at
pud level.

The correcteted patch is below, boot tested with qemu-systems-sparc.

> Link: http://lkml.kernel.org/r/20200520132005.GM1059226@linux.ibm.com
> Fixes: 7235db268a2777bc38 ("sparc32: use pgtable-nopud instead of 4level-fixup")
> Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
> Reported-by: kbuild test robot <lkp@intel.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Anatoly Pugachev <matorola@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---

From 9b8b3214f7f079864dca0c6a7b684ab442eeb437 Mon Sep 17 00:00:00 2001
From: Mike Rapoport <rppt@linux.ibm.com>
Date: Wed, 20 May 2020 15:39:22 +0300
Subject: [PATCH] sparc32: use PUD rather than PGD to get PMD in  srmmu_nocache_init()

The kbuild test robot reported the following warning:

arch/sparc/mm/srmmu.c: In function 'srmmu_nocache_init':
>> arch/sparc/mm/srmmu.c:300:9: error: variable 'pud' set but not used
>> [-Werror=unused-but-set-variable]
300 |  pud_t *pud;

This warning is caused by misprint in the page table traversal in
srmmu_nocache_init() function which accessed a PMD entry using PGD rather
than PUD.

Since pgd, p4d and pud are eesentially the same thing and pgd_offset()
and p4d_offset() are no-ops, the __nocache_fix() should be done only at
pud level.

Remove __nocache_fix() for p4d_offset() and pud_offset() and use it only
for PUD and lower levels.

Link: http://lkml.kernel.org/r/20200520132005.GM1059226@linux.ibm.com
Fixes: 7235db268a2777bc38 ("sparc32: use pgtable-nopud instead of 4level-fixup")
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
Reported-by: kbuild test robot <lkp@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Anatoly Pugachev <matorola@gmail.com>
Cc: <stable@vger.kernel.org>
---
 arch/sparc/mm/srmmu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/sparc/mm/srmmu.c b/arch/sparc/mm/srmmu.c
index 6cb1ea2d2b5c..3d9690d940a3 100644
--- a/arch/sparc/mm/srmmu.c
+++ b/arch/sparc/mm/srmmu.c
@@ -302,9 +302,9 @@ static void __init srmmu_nocache_init(void)
 
 	while (vaddr < srmmu_nocache_end) {
 		pgd = pgd_offset_k(vaddr);
-		p4d = p4d_offset(__nocache_fix(pgd), vaddr);
-		pud = pud_offset(__nocache_fix(p4d), vaddr);
-		pmd = pmd_offset(__nocache_fix(pgd), vaddr);
+		p4d = p4d_offset(pgd, vaddr);
+		pud = pud_offset(p4d, vaddr);
+		pmd = pmd_offset(__nocache_fix(pud), vaddr);
 		pte = pte_offset_kernel(__nocache_fix(pmd), vaddr);
 
 		pteval = ((paddr >> 4) | SRMMU_ET_PTE | SRMMU_PRIV);
-- 
2.26.2


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
  2020-05-23 19:01   ` Mike Rapoport
@ 2020-05-23 19:10     ` Linus Torvalds
  2020-05-23 19:57       ` Mike Rapoport
  0 siblings, 1 reply; 12+ messages in thread
From: Linus Torvalds @ 2020-05-23 19:10 UTC (permalink / raw)
  To: Mike Rapoport
  Cc: Andrew Morton, David Miller, Linux-MM, kernel test robot,
	Anatoly Pugachev, mm-commits, stable

On Sat, May 23, 2020 at 12:02 PM Mike Rapoport <rppt@linux.ibm.com> wrote:
>
> Unfortunately, this fixes a compile warning but breaks the boot :(

Argh. I delayed applying/merging this overnight to see if there were
any reports, but this came in after I'd already merged Andrew's
patches and pushed them out.

So it's in my tree now as commit c2bc26f7ca1f ("sparc32: use PUD
rather than PGD to get PMD in srmmu_nocache_init()")

> The correcteted patch is below, boot tested with qemu-systems-sparc.

Mind sending a patch relative to the previous one that already got merged?

Also, would it perhaps be worth it to just make __nocache_fix() not
throw the type away? IOW, make it do something like

  #define __nocache_fix(VADDR) \
        ((__typeof__(VADDR))__va(__nocache_pa(VADDR)))

or whatever? Wouldn't that show when those pgd/p4d/pud pointers get
mis-used because they don't end up dropping the type info..

              Linus

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
  2020-05-23 19:10     ` Linus Torvalds
@ 2020-05-23 19:57       ` Mike Rapoport
  0 siblings, 0 replies; 12+ messages in thread
From: Mike Rapoport @ 2020-05-23 19:57 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Andrew Morton, David Miller, Linux-MM, kernel test robot,
	Anatoly Pugachev, mm-commits, stable

On Sat, May 23, 2020 at 12:10:27PM -0700, Linus Torvalds wrote:
> On Sat, May 23, 2020 at 12:02 PM Mike Rapoport <rppt@linux.ibm.com> wrote:
> >
> > Unfortunately, this fixes a compile warning but breaks the boot :(
> 
> Argh. I delayed applying/merging this overnight to see if there were
> any reports, but this came in after I'd already merged Andrew's
> patches and pushed them out.

Actually, it's really by chance I noticed it tonight, although still it
was too late :)

> So it's in my tree now as commit c2bc26f7ca1f ("sparc32: use PUD
> rather than PGD to get PMD in srmmu_nocache_init()")
>
> > The correcteted patch is below, boot tested with qemu-systems-sparc.
> 
> Mind sending a patch relative to the previous one that already got merged?
 
Sure.

> Also, would it perhaps be worth it to just make __nocache_fix() not
> throw the type away? IOW, make it do something like
> 
>   #define __nocache_fix(VADDR) \
>         ((__typeof__(VADDR))__va(__nocache_pa(VADDR)))
> 
> or whatever? Wouldn't that show when those pgd/p4d/pud pointers get
> mis-used because they don't end up dropping the type info..

Yes, I'll look into it.

>               Linus

-- 
Sincerely yours,
Mike.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* + mmthp-stop-leaking-unreleased-file-pages.patch added to -mm tree
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (5 preceding siblings ...)
  2020-05-23  5:23 ` [patch 10/11] z3fold: fix use-after-free when freeing handles Andrew Morton
@ 2020-05-25  0:08 ` Andrew Morton
  2020-05-25  0:49 ` + mm-remove-vm_bug_onpageslab-from-page_mapcount.patch " Andrew Morton
  2020-05-28  0:10 ` + relay-handle-alloc_percpu-returning-null-in-relay_open.patch " Andrew Morton
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-25  0:08 UTC (permalink / raw)
  To: hannes, hughd, kirill.shutemov, mm-commits, riel, songliubraving, stable


The patch titled
     Subject: mm,thp: stop leaking unreleased file pages
has been added to the -mm tree.  Its filename is
     mmthp-stop-leaking-unreleased-file-pages.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mmthp-stop-leaking-unreleased-file-pages.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mmthp-stop-leaking-unreleased-file-pages.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Hugh Dickins <hughd@google.com>
Subject: mm,thp: stop leaking unreleased file pages

When collapse_file() calls try_to_release_page(), it has already isolated
the page: so if releasing buffers happens to fail (as it sometimes does),
remember to putback_lru_page(): otherwise that page is left unreclaimable
and unfreeable, and the file extent uncollapsible.

Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2005231837500.1766@eggly.anvils
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>	[5.4+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/khugepaged.c |    1 +
 1 file changed, 1 insertion(+)

--- a/mm/khugepaged.c~mmthp-stop-leaking-unreleased-file-pages
+++ a/mm/khugepaged.c
@@ -1692,6 +1692,7 @@ static void collapse_file(struct mm_stru
 		if (page_has_private(page) &&
 		    !try_to_release_page(page, GFP_KERNEL)) {
 			result = SCAN_PAGE_HAS_PRIVATE;
+			putback_lru_page(page);
 			goto out_unlock;
 		}
 
_

Patches currently in -mm which might be from hughd@google.com are

mmthp-stop-leaking-unreleased-file-pages.patch
mm-memcontrol-charge-swapin-pages-on-instantiation-fix.patch
mm-vmstat-add-events-for-pmd-based-thp-migration-without-split-fix.patch


^ permalink raw reply	[flat|nested] 12+ messages in thread

* + mm-remove-vm_bug_onpageslab-from-page_mapcount.patch added to -mm tree
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (6 preceding siblings ...)
  2020-05-25  0:08 ` + mmthp-stop-leaking-unreleased-file-pages.patch added to -mm tree Andrew Morton
@ 2020-05-25  0:49 ` Andrew Morton
  2020-05-28  0:10 ` + relay-handle-alloc_percpu-returning-null-in-relay_open.patch " Andrew Morton
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-25  0:49 UTC (permalink / raw)
  To: hughd, khlebnikov, kirill.shutemov, mm-commits, rientjes, stable, vbabka


The patch titled
     Subject: mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
has been added to the -mm tree.  Its filename is
     mm-remove-vm_bug_onpageslab-from-page_mapcount.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-remove-vm_bug_onpageslab-from-page_mapcount.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-remove-vm_bug_onpageslab-from-page_mapcount.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Subject: mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()

Replace superfluous VM_BUG_ON() with comment about correct usage.

Technically reverts commit 1d148e218a0d0566b1c06f2f45f1436d53b049b2
("mm: add VM_BUG_ON_PAGE() to page_mapcount()"), but context have changed.

Function isolate_migratepages_block() runs some checks out of lru_lock
when choose pages for migration.  After checking PageLRU() it checks extra
page references by comparing page_count() and page_mapcount().  Between
these two checks page could be removed from lru, freed and taken by slab.

As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount().
Race window is tiny. For certain workload this happens around once a year.

 page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0
 flags: 0x500000000008100(slab|head)
 raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180
 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
 page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
 ------------[ cut here ]------------
 kernel BUG at ./include/linux/mm.h:628!
 invalid opcode: 0000 [#1] SMP NOPTI
 CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G        W         4.19.109-27 #1
 Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019
 RIP: 0010:isolate_migratepages_block+0x986/0x9b0

Code in isolate_migratepages_block() was added in commit 119d6d59dcc0
("mm, compaction: avoid isolating pinned pages") before adding VM_BUG_ON
into page_mapcount().

This race has been predicted in 2015 by Vlastimil Babka (see link below).

Link: http://lkml.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz
Link: https://lore.kernel.org/lkml/557710E1.6060103@suse.cz/
Link: https://lore.kernel.org/linux-mm/158937872515.474360.5066096871639561424.stgit@buzz/T/ (v1)
Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 include/linux/mm.h |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/include/linux/mm.h~mm-remove-vm_bug_onpageslab-from-page_mapcount
+++ a/include/linux/mm.h
@@ -782,6 +782,11 @@ static inline void *kvcalloc(size_t n, s
 
 extern void kvfree(const void *addr);
 
+/*
+ * Mapcount of compound page as a whole, not includes mapped sub-pages.
+ *
+ * Must be called only for compound pages or any their tail sub-pages.
+ */
 static inline int compound_mapcount(struct page *page)
 {
 	VM_BUG_ON_PAGE(!PageCompound(page), page);
@@ -801,10 +806,15 @@ static inline void page_mapcount_reset(s
 
 int __page_mapcount(struct page *page);
 
+/*
+ * Mapcount of 0-order page, for sub-page includes compound_mapcount().
+ *
+ * Result is undefined for pages which cannot be mapped into userspace.
+ * For example SLAB or special types of pages. See function page_has_type().
+ * They use this place in struct page differently.
+ */
 static inline int page_mapcount(struct page *page)
 {
-	VM_BUG_ON_PAGE(PageSlab(page), page);
-
 	if (unlikely(PageCompound(page)))
 		return __page_mapcount(page);
 	return atomic_read(&page->_mapcount) + 1;
_

Patches currently in -mm which might be from khlebnikov@yandex-team.ru are

mm-compaction-avoid-vm_bug_onpageslab-in-page_mapcount.patch
mm-remove-vm_bug_onpageslab-from-page_mapcount.patch
kernel-watchdog-flush-all-printk-nmi-buffers-when-hardlockup-detected.patch
doc-cgroup-update-note-about-conditions-when-oom-killer-is-invoked.patch


^ permalink raw reply	[flat|nested] 12+ messages in thread

* + relay-handle-alloc_percpu-returning-null-in-relay_open.patch added to -mm tree
       [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
                   ` (7 preceding siblings ...)
  2020-05-25  0:49 ` + mm-remove-vm_bug_onpageslab-from-page_mapcount.patch " Andrew Morton
@ 2020-05-28  0:10 ` Andrew Morton
  8 siblings, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2020-05-28  0:10 UTC (permalink / raw)
  To: ajd, akash.goel, carnil, dja, linux, mm-commits, mpe, rientjes, stable


The patch titled
     Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open
has been added to the -mm tree.  Its filename is
     relay-handle-alloc_percpu-returning-null-in-relay_open.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/relay-handle-alloc_percpu-returning-null-in-relay_open.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/relay-handle-alloc_percpu-returning-null-in-relay_open.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Daniel Axtens <dja@axtens.net>
Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open

alloc_percpu() may return NULL, which means chan->buf may be set to NULL. 
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:

BUG: Unable to handle kernel data access at 0x7dae0000
Faulting instruction address: 0xc0000000003f3fec
...
NIP [c0000000003f3fec] relay_open+0x29c/0x600
LR [c0000000003f3fc0] relay_open+0x270/0x600
Call Trace:
[c000000054353a70] [c0000000003f3fb4] relay_open+0x264/0x600 (unreliable)
[c000000054353b00] [c000000000451764] __blk_trace_setup+0x254/0x600
[c000000054353bb0] [c000000000451b78] blk_trace_setup+0x68/0xa0
[c000000054353c10] [c0000000010da77c] sg_ioctl+0x7bc/0x2e80
[c000000054353cd0] [c000000000758cbc] do_vfs_ioctl+0x13c/0x1300
[c000000054353d90] [c000000000759f14] ksys_ioctl+0x94/0x130
[c000000054353de0] [c000000000759ff8] sys_ioctl+0x48/0xb0
[c000000054353e20] [c00000000000bcd0] system_call+0x5c/0x68

Check if alloc_percpu returns NULL.

This was found by syzkaller both on x86 and powerpc, and the reproducer it
found on powerpc is capable of hitting the issue as an unprivileged user.

Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: David Rientjes <rientjes@google.com>
Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Cc: Akash Goel <akash.goel@intel.com>
Cc: Andrew Donnellan <ajd@linux.ibm.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: <stable@vger.kernel.org>	[4.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 kernel/relay.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/relay.c~relay-handle-alloc_percpu-returning-null-in-relay_open
+++ a/kernel/relay.c
@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *bas
 		return NULL;
 
 	chan->buf = alloc_percpu(struct rchan_buf *);
+	if (!chan->buf) {
+		kfree(chan);
+		return NULL;
+	}
+
 	chan->version = RELAYFS_CHANNEL_VERSION;
 	chan->n_subbufs = n_subbufs;
 	chan->subbuf_size = subbuf_size;
_

Patches currently in -mm which might be from dja@axtens.net are

kasan-stop-tests-being-eliminated-as-dead-code-with-fortify_source.patch
kasan-stop-tests-being-eliminated-as-dead-code-with-fortify_source-v4.patch
stringh-fix-incompatibility-between-fortify_source-and-kasan.patch
relay-handle-alloc_percpu-returning-null-in-relay_open.patch


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, back to index

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20200522222217.ee14ad7eda7aab1e6697da6c@linux-foundation.org>
2020-05-23  5:22 ` [patch 01/11] device-dax: don't leak kernel memory to user space after unloading kmem Andrew Morton
2020-05-23  5:22 ` [patch 03/11] rapidio: fix an error in get_user_pages_fast() error handling Andrew Morton
2020-05-23  5:22 ` [patch 06/11] kasan: disable branch tracing for core runtime Andrew Morton
2020-05-23  5:23 ` [patch 07/11] sh: include linux/time_types.h for sockios Andrew Morton
2020-05-23  5:23 ` [patch 09/11] sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() Andrew Morton
2020-05-23 19:01   ` Mike Rapoport
2020-05-23 19:10     ` Linus Torvalds
2020-05-23 19:57       ` Mike Rapoport
2020-05-23  5:23 ` [patch 10/11] z3fold: fix use-after-free when freeing handles Andrew Morton
2020-05-25  0:08 ` + mmthp-stop-leaking-unreleased-file-pages.patch added to -mm tree Andrew Morton
2020-05-25  0:49 ` + mm-remove-vm_bug_onpageslab-from-page_mapcount.patch " Andrew Morton
2020-05-28  0:10 ` + relay-handle-alloc_percpu-returning-null-in-relay_open.patch " Andrew Morton

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org
	public-inbox-index stable

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git