- Sep 20, 2017
Sherry Yang authored
Binder driver allocates buffer metadata in a region that is mapped in user space. This metadata contains pointers into the kernel. This patch allocates buffer metadata on the kernel heap that is not mapped in user space, and uses a pointer to refer to the mapped data. Also move alloc->buffers initialization from mmap to init since it's now used even when mmap failed or was not called.

Bug: 36007193
Change-Id: Id5136048bdb7b796f59de066de7ea7df410498f5
Signed-off-by: Sherry Yang <sherryy@android.com>

Sherry Yang authored
Bug: 36007193
Change-Id: I422dce84afde3d2138a6d976593b109a9cc49003
Signed-off-by: Sherry Yang <sherryy@android.com>

Joel Fernandes authored
Certain use cases like camera are constantly allocating and freeing binder buffers beyond the first 4k, resulting in mmap_sem contention. If we expand the allocated range from 4k to something higher, we can reduce the contention. Tests show that 6 pages is enough to cause very few update_page_range operations and reduces contention.

Bug: 36727951
Change-Id: I28bc3fb9b33c764c257e28487712fce2a3c1078b
Reported-by: Tim Murray <timmurray@google.com>
Signed-off-by: Joel Fernandes <joelaf@google.com>

Pre-allocate 1 instead of 6 pages as in the original patch, as we use this pre-allocated page to prevent the first page from getting unpinned after removing the buffer headers, rather than pinning pages to speed up larger transactions.

Change-Id: I7c3e4884a9538ecfd86601d31c5bcfd6611d37a4
Signed-off-by: Sherry Yang <sherryy@android.com>

Seunghun Lee authored
This patch fixes "Missing a blank line after declarations" warnings.

Bug: 36007193
Signed-off-by: Seunghun Lee <waydi1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 10f62861)
Change-Id: I5ca007ae5463dfc6b053ab44927b84aea6bee9b3

Karthik Nayak authored
As per checkpatch warning, removed an unnecessary else statement following an if statement with a return.

Bug: 36007193
Change-Id: I21010094c291d9e4f4e92bdae30db42ca21f4094
Signed-off-by: Karthik Nayak <karthik.188@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9a5b16fce4b6aee861b603d79f2bf237ee7e2f88)

Andrew Morton authored
To test whether an address is aligned to PAGE_SIZE.

Cc: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0fa73b86)
Bug: 36007193
Change-Id: I7e912bb0dbd8c9737fb13c5b48acb54ee39dd5fc

- Sep 14, 2017
Steve Pfetsch authored
November 2017.1

Bug: 65558908
Change-Id: Iaaf7b25adb498bf26a6059e00ff978a50068e26e
Signed-off-by: Steve Pfetsch <spfetsch@google.com>

Steve Pfetsch authored
November 2017.1

Bug: 65558908
Change-Id: I1e61ece3bb2a4b7f88517b0ccfb00c0392c44d48
Signed-off-by: Steve Pfetsch <spfetsch@google.com>

Steve Pfetsch authored
November 2017.1

Bug: 65558908
Change-Id: Ic45e38d36adb71c9d5600b86f07e8735ce31c2fe
Signed-off-by: Steve Pfetsch <spfetsch@google.com>

- Sep 12, 2017
Liangliang Lu authored
Get and delete operations on the variable "list_elem" are not atomic. Multiple threads may get the same "list_elem", which may lead to race conditions. Add a mutex in rmnet_ctl_open to resolve the current potential race condition between test_bit and set_bit.

Bug: 64441352
Change-Id: I00c4e2fd4854ee17a13a0757da98c46a78eee4cb
Signed-off-by: Liangliang Lu <luliang@codeaurora.org>

Jonathan Solnit authored
Add mutex protection to avoid simultaneous access to the same memory by multiple threads.

Bug: 64440043
CRs-Fixed: 2013494
Change-Id: I440ea633ceb7312637c9a3b29d22236166d21a39
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>

Yuan Zhao authored
The spec says the frame size will not be greater than 14, but this has a security hole when somebody sends a message with a size greater than 14. So we need to check the upper bound of the CEC frame size.

Bug: 64438726
Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
Signed-off-by: Yuan Zhao <yzhao@codeaurora.org>

Jonathan Solnit authored
When the Camera application exercises the V4L2 ioctl operations, the CPP driver would attempt to copy the user space buffer contents into the internal kernel buffer. If an invalid length of the user space buffer is passed to the driver, it could trigger a buffer overflow condition. Thus, fix this by copying user space buffer contents into the kernel space buffer of the driver for further processing only after checking for a proper length of the user space buffer.

Bug: 64433362
CRs-fixed: 2025367
Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
Signed-off-by: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>

Arend van Spriel authored
commit 8f44c9a4 upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so that's a max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow.

    memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
           le16_to_cpu(action_frame->len));

(cherry picked from commit ae10cf5c)
Bug: 64258073
Fixes: 18e2f61d ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iec2e6c99d113ef95127525a92336b6ccdbd10cb8

Weiyin Jiang authored
Return error code directly to avoid further integer overflow leading to buffer overflow.

Bug: 62952032
Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b
CRs-Fixed: 2077909
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>

Sunil Khatri authored
event->handle pointer can be used after free due to the race condition between kgsl_sync_callback and kgsl_sync_fence_async_cancel. Protect the event->handle with a spinlock to avoid concurrent access issues.

Bug: 62949902
Change-Id: I3719e401af9ece82ac68b72f2aef784c7fdc1104
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>

Dennis Cagle authored
This fix removes the dependency between the real time message mask table and the build time message mask table. Also, this fix synchronizes retrieval and modification of the real time message mask table.

CRs-Fixed: 2015227
Bug: 62378962
Change-Id: Id0a0964337ec4645d7061fc35120dfa061a990ff
Signed-off-by: Gopikrishna Mogasati <gmogas@codeaurora.org>
Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit ec46adf67ac36ab39feff508f6ec42cb703b8571)

Peter Zijlstra authored
Di Shen reported a race between two concurrent sys_perf_event_open() calls where both try and move the same pre-existing software group into a hardware context.

The problem is exactly that described in commit:

  f63a8daa ("perf: Fix event->ctx locking")

... where, while we wait for a ctx->mutex acquisition, the event->ctx relation can have changed under us.

That very same commit failed to recognise sys_perf_event_context() as an external access vector to the events and thereby didn't apply the established locking rules correctly.

So while one sys_perf_event_open() call is stuck waiting on mutex_lock_double(), the other (which owns said locks) moves the group about. So by the time the former sys_perf_event_open() acquires the locks, the context we've acquired is stale (and possibly dead).

Apply the established locking rules as per perf_event_ctx_lock_nested() to the mutex_lock_double() for the 'move_group' case. This obviously means we need to validate state after we acquire the locks.

Reported-by: Di Shen (Keen Lab)
Tested-by: John Dias <joaodias@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Min Chong <mchong@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: f63a8daa ("perf: Fix event->ctx locking")
Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Bug: 37901413
(cherry picked from commit 321027c1)
Change-Id: I3a86d12e94410cc16450500b66c7944ea318597f

Srinivas Dasari authored
Buffer overread may happen as nl80211_set_station() reads 4 bytes from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without validating the size of data received when userspace sends less than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE. Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid the buffer overread.

Fixes: 3b1c5a53 ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Bug: 36819059
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 8feb69c7
Change-Id: Ie20993309501fd242782311b9fe787931f716116
CRs-Fixed: 2055013
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>

Srinivas Dasari authored
nla policy checks for only maximum length of the attribute data when the attribute type is NLA_BINARY. If userspace sends less data than specified, the wireless drivers may access illegal memory. When type is NLA_UNSPEC, nla policy check ensures that userspace sends minimum specified length number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum WLAN_PMKID_LEN bytes are received from userspace with NL80211_ATTR_PMKID.

Fixes: 67fbb16b ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Bug: 36818836
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 9361df14
Change-Id: I5feb729a9ef48f67c4ee460e7e133d5fc8cecd4f
CRs-Fixed: 2061676
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>

Haibin Liu authored
Issue: the invalid slave_info is used by msm_sensor_driver_probe. This causes a crash when the ioctl VIDIOC_MSM_SENSOR_INIT_CFG is called repeatedly.

Fix:
1) avoid the same msm_sd_subdev being added into the ordered_sd_list.
2) enlarge the buffer size for i2c addr and data.

Bug: 36492827
Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>

Alok Kediya authored
- num of stream comes from userspace and is used without any bounds check. It may result in overflow of update_info.

CRs-Fixed: 2006829
Bug: 36232584
Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
Signed-off-by: Alok Kediya <kediya@codeaurora.org>

Robb Glasser authored
When the device descriptor is closed, the `substream->runtime` pointer is freed. But another thread may be in the ioctl handler, case SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Bug: 36006981
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a

Jianqiang Zhao authored
Change-Id: I9c7c759c99e21cad9a7f9a09128122bf6ae11302
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Bug: 36006779

Oleg Nesterov authored
This was reported many times, and this was even mentioned in commit 52ee2dfd "pids: refactor vnr/nr_ns helpers to make them safe" but somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns() is not safe because task->group_leader points to nowhere after the exiting task passes exit_notify(), rcu_read_lock() can not help.

We really need to change __unhash_process() to nullify group_leader, parent, and real_parent, but this needs some cleanups. Until then we can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and fix the problem.

Reported-by: Troy Kensinger <tkensinger@google.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
(url: https://patchwork.kernel.org/patch/9913055/)
Bug: 31495866
Change-Id: I5e67b02a77e805f71fa3a787249f13c1310f02e2

- Sep 11, 2017
Chenbo Feng authored
Retrieve socket uid from the sk_uid field added to struct sk instead of reading it from sk->socket->file. It prevents the packet from being dropped when the socket file doesn't exist.

Bug: 37524657
Signed-off-by: Chenbo Feng <fengc@google.com>
Change-Id: I502f4e3819a59eb7367d62350a1e1d7d6e5891db

- Sep 09, 2017
Daniel Rosenberg authored
This moves the code to adjust the gid/uid of lower filesystem files under the mount flag derive_gid.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: I44eaad4ef67c7fcfda3b6ea3502afab94442610c
Bug: 63245673

- Sep 08, 2017
Daniel Rosenberg authored
Fix double free on error paths.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: I1c25a175e87e5dd5cafcdcf9d78bf4c0dc3f88ef
Bug: 65386954
Fixes: aa6d3ace42f9 ("mnt: Add filesystem private data to mount points")

Ajay Dudani authored
ARCH=um kernels seem to be stricter about this than ARCH=arm64 kernels; export the cache_firmware & uncache_firmware routines only when CONFIG_CACHE_FW is enabled.

Bug: 38289596
Change-Id: Ib3bd9b0ede9b6f1a08b5e0e51d117cc43153795f
Signed-off-by: Ajay Dudani <adudani@google.com>

- Sep 07, 2017
Julien Grall authored
The loop that browses the array compat_hwcap_str will stop when a NULL is encountered; however, NULL is missing at the end of the array. This will lead to overrun until a NULL is found somewhere in the following memory.

In reality, this works out because the compat_hwcap2_str array tends to follow immediately in memory, and that *is* terminated correctly. Furthermore, the unsigned int compat_elf_hwcap is checked before printing each capability, so we end up doing the right thing because the size of the two arrays is less than 32. Still, this is an obvious mistake and should be fixed.

Note for backporting: commit 12d11817 ("arm64: Move /proc/cpuinfo handling code") moved this code in v4.4. Prior to that commit, the same change should be made in arch/arm64/kernel/setup.c.

Bug: 37430238
Fixes: 44b82b77 "arm64: Fix up /proc/cpuinfo"
Cc: <stable@vger.kernel.org> # v3.19+ (but see note above prior to v4.4)
Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: David Lin <dtwlin@google.com>

- Sep 06, 2017
Ajay Dudani authored
Because firmware caching generates uevent messages that are sent over a netlink socket, it can prevent suspend on many platforms. It's also not always useful, so make it a configurable option.

Bug: 38289596
Change-Id: I1c62227129590f564b127de6dbcaf0001b2c22ad
Signed-off-by: Ajay Dudani <adudani@google.com>

- Sep 05, 2017
Badhri Jagan Sridharan authored
commit 8835ba4a upstream.

An attack has become available which pretends to be a quirky device circumventing normal sanity checks and crashes the kernel by an insufficient number of interfaces. This patch adds a check to the code path for quirky devices.

BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I9a5f7f3c704b65e866335054f470451fcfae9d1c

Badhri Jagan Sridharan authored
commit 4ec0ef3a upstream.

The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.

The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87

BUG: 28242610
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: If5161c23928e9ef77cb3359cba9b36622b1908df

Badhri Jagan Sridharan authored
commit 0b818e39 upstream.

Attacks that trick drivers into passing a NULL pointer to usb_driver_claim_interface() using forged descriptors are known. This thwarts them by sanity checking.

BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ib43ec5edb156985a9db941785a313f6801df092a

Badhri Jagan Sridharan authored
commit 4e9a0b05 upstream.

An attack using the lack of sanity checking in probe is known. This patch checks for the existence of a second port.

CVE-2016-3136
BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I284ad648c2087c34a098d67e0cc6d948a568413c

Badhri Jagan Sridharan authored
commit c55aee1b upstream.

An attack using missing endpoints exists.

CVE-2016-3137
BUG: 28242610
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I1cc7957a5924175d24f12fdc41162ece67c907e5

Badhri Jagan Sridharan authored
The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them.

The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85

BUG: 28242610
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I1cb956a35f3bba73324240d5bd0a029f49d3c456

- Aug 30, 2017
Shuzhen Wang authored
When the system is loaded, NEW_SESSION may take longer than 5 seconds to return. Increase the timeout accordingly.

Test: Camera CTS
Bug: 62393979
Change-Id: Id4e0b7e7dfb5f7706457cbefb9fd22ecc7173a03
Signed-off-by: Shuzhen Wang <shuzhenwang@google.com>

- Aug 28, 2017
Mikulas Patocka authored
dm_bufio_shrink_count() is called from do_shrink_slab to find out how many freeable objects are there. The reported value doesn't have to be precise, so we don't need to take the dm-bufio lock.

Suggested-by: David Rientjes <rientjes@google.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Bug: 64122284
Change-Id: Id2c3446e03e865f424be8666b1ee0822b9e33a63
(cherry picked from commit d12067f4)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

Douglas Anderson authored
We've seen in-field reports showing _lots_ (18 in one case, 41 in another) of tasks all sitting there blocked on:

    mutex_lock+0x4c/0x68
    dm_bufio_shrink_count+0x38/0x78
    shrink_slab.part.54.constprop.65+0x100/0x464
    shrink_zone+0xa8/0x198

In the two cases analyzed, we see one task that looks like this:

    Workqueue: kverityd verity_prefetch_io
    __switch_to+0x9c/0xa8
    __schedule+0x440/0x6d8
    schedule+0x94/0xb4
    schedule_timeout+0x204/0x27c
    schedule_timeout_uninterruptible+0x44/0x50
    wait_iff_congested+0x9c/0x1f0
    shrink_inactive_list+0x3a0/0x4cc
    shrink_lruvec+0x418/0x5cc
    shrink_zone+0x88/0x198
    try_to_free_pages+0x51c/0x588
    __alloc_pages_nodemask+0x648/0xa88
    __get_free_pages+0x34/0x7c
    alloc_buffer+0xa4/0x144
    __bufio_new+0x84/0x278
    dm_bufio_prefetch+0x9c/0x154
    verity_prefetch_io+0xe8/0x10c
    process_one_work+0x240/0x424
    worker_thread+0x2fc/0x424
    kthread+0x10c/0x114

...and that looks to be the one holding the mutex.

The problem has been reproduced fairly easily:
0. Be running Chrome OS w/ verity enabled on the root filesystem
1. Pick test patch: http://crosreview.com/412360
2. Install launchBalloons.sh and balloon.arm from http://crbug.com/468342
   ...that's just a memory stress test app.
3. On a 4GB rk3399 machine, run
   nice ./launchBalloons.sh 4 900 100000
   ...that tries to eat 4 * 900 MB of memory and keep accessing.
4. Login to the Chrome web browser and restore many tabs

With that, I've seen printouts like:
DOUG: long bufio 90758 ms

...and the stack trace always shows we're in dm_bufio_prefetch().

The problem is that we try to allocate memory with GFP_NOIO while we're holding the dm_bufio lock. Instead we should be using GFP_NOWAIT. Using GFP_NOIO can cause us to sleep while holding the lock and that causes the above problems.

The current behavior explained by David Rientjes:

  It will still try reclaim initially because __GFP_WAIT (or __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO. This is the cause of contention on dm_bufio_lock() that the thread holds. You want to pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a mutex that can be contended by a concurrent slab shrinker (if count_objects didn't use a trylock, this pattern would trivially deadlock).

This change significantly increases responsiveness of the system while in this state. It makes a real difference because it unblocks kswapd. In the bug report analyzed, kswapd was hung:

    kswapd0 D ffffffc000204fd8 0 72 2 0x00000000
    Call trace:
    [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
    [<ffffffc00090b794>] __schedule+0x440/0x6d8
    [<ffffffc00090bac0>] schedule+0x94/0xb4
    [<ffffffc00090be44>] schedule_preempt_disabled+0x28/0x44
    [<ffffffc00090d900>] __mutex_lock_slowpath+0x120/0x1ac
    [<ffffffc00090d9d8>] mutex_lock+0x4c/0x68
    [<ffffffc000708e7c>] dm_bufio_shrink_count+0x38/0x78
    [<ffffffc00030b268>] shrink_slab.part.54.constprop.65+0x100/0x464
    [<ffffffc00030dbd8>] shrink_zone+0xa8/0x198
    [<ffffffc00030e578>] balance_pgdat+0x328/0x508
    [<ffffffc00030eb7c>] kswapd+0x424/0x51c
    [<ffffffc00023f06c>] kthread+0x10c/0x114
    [<ffffffc000203dd0>] ret_from_fork+0x10/0x40

By unblocking kswapd memory pressure should be reduced.

Suggested-by: David Rientjes <rientjes@google.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Bug: 64122284
Change-Id: I1ce9367c921d7ab07ca9e3d403c95cd0d333915c
(cherry picked from commit 9ea61cac)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>