- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] spi: use generic driver_override infrastructure
by Zhang Yuwei 11 May '26

11 May '26

From: Danilo Krummrich <dakr(a)kernel.org> mainline inclusion from mainline-v7.0-rc6 commit cc34d77dd48708d810c12bfd6f5bf03304f6c824 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14224 CVE: CVE-2026-31487 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1] Also note that we do not enable the driver_override feature of struct bus_type, as SPI - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1] Reported-by: Gui-Dong Han <hanguidong02(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789 Fixes: 5039563e7c25 ("spi: Add driver_override SPI device attribute") Signed-off-by: Danilo Krummrich <dakr(a)kernel.org> Link: https://patch.msgid.link/20260324005919.2408620-12-dakr@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Conflicts: include/linux/spi/spi.h drivers/spi/spi.c [commit 702ca0269ed56 merged] Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/spi/spi.c | 19 +++++++------------ include/linux/spi/spi.h | 5 ----- 2 files changed, 7 insertions(+), 17 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 2ca4ea45e3b2..b9774bcaa678 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -49,7 +49,6 @@ static void spidev_release(struct device *dev) struct spi_device *spi = to_spi_device(dev); spi_controller_put(spi->controller); - kfree(spi->driver_override); free_percpu(spi->pcpu_statistics); kfree(spi); } @@ -72,10 +71,9 @@ static ssize_t driver_override_store(struct device *dev, struct device_attribute *a, const char *buf, size_t count) { - struct spi_device *spi = to_spi_device(dev); int ret; - ret = driver_set_override(dev, &spi->driver_override, buf, count); + ret = __device_set_driver_override(dev, buf, count); if (ret) return ret; @@ -85,13 +83,8 @@ static ssize_t driver_override_store(struct device *dev, static ssize_t driver_override_show(struct device *dev, struct device_attribute *a, char *buf) { - const struct spi_device *spi = to_spi_device(dev); - ssize_t len; - - device_lock(dev); - len = sysfs_emit(buf, "%s\n", spi->driver_override ? : ""); - device_unlock(dev); - return len; + guard(spinlock)(&dev->driver_override.lock); + return sysfs_emit(buf, "%s\n", dev->driver_override.name ?: ""); } static DEVICE_ATTR_RW(driver_override); @@ -377,10 +370,12 @@ static int spi_match_device(struct device *dev, struct device_driver *drv) { const struct spi_device *spi = to_spi_device(dev); const struct spi_driver *sdrv = to_spi_driver(drv); + int ret; /* Check override first, and if set, only use the named driver */ - if (spi->driver_override) - return strcmp(spi->driver_override, drv->name) == 0; + ret = device_match_driver_override(dev, drv); + if (ret >= 0) + return ret; /* Attempt an OF style match */ if (of_driver_match_device(dev, drv)) diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index e5baf43bcfbb..3f6ca8052f63 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -153,10 +153,6 @@ extern void spi_transfer_cs_change_delay_exec(struct spi_message *msg, * @modalias: Name of the driver to use with this device, or an alias * for that name. This appears in the sysfs "modalias" attribute * for driver coldplugging, and in uevents used for hotplugging - * @driver_override: If the name of a driver is written to this attribute, then - * the device will bind to the named driver and only the named driver. - * Do not set directly, because core frees it; use driver_set_override() to - * set or clear it. * @cs_gpiod: GPIO descriptor of the chipselect line (optional, NULL when * not using a GPIO line) * @word_delay: delay to be inserted between consecutive @@ -212,7 +208,6 @@ struct spi_device { void *controller_state; void *controller_data; char modalias[SPI_NAME_SIZE]; - const char *driver_override; struct gpio_desc *cs_gpiod; /* Chip select GPIO descriptor */ struct spi_delay word_delay; /* Inter-word delay */ /* CS delays */ -- 2.22.0

2 1

[PATCH OLK-6.6] module: Fix kernel panic when a symbol st_shndx is out of bounds
by Zhang Yuwei 11 May '26

11 May '26

From: Ihor Solodrai <ihor.solodrai(a)linux.dev> stable inclusion from stable-v6.6.131 commit 082f15d2887329e0f43fd3727e69365f5bfe5d2c category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14254 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f9d69d5e7bde2295eb7488a56f094ac8f5383b92 ] The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)linux.dev> Reviewed-by: Daniel Gomez <da.gomez(a)samsung.com> Reviewed-by: Petr Pavlu <petr.pavlu(a)suse.com> Signed-off-by: Sami Tolvanen <samitolvanen(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- kernel/module/main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/module/main.c b/kernel/module/main.c index 5bb35a5fe2d0..280a94fe0e87 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -1430,6 +1430,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) break; default: + if (sym[i].st_shndx >= info->hdr->e_shnum) { + pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n", + mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1); + ret = -ENOEXEC; + break; + } + /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); -- 2.22.0

2 1

[PATCH OLK-5.10] module: Fix kernel panic when a symbol st_shndx is out of bounds
by Zhang Yuwei 11 May '26

11 May '26

From: Ihor Solodrai <ihor.solodrai(a)linux.dev> mainline inclusion from mainline-v7.0-rc3 commit f9d69d5e7bde2295eb7488a56f094ac8f5383b92 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14254 CVE: CVE-2026-31521 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)linux.dev> Reviewed-by: Daniel Gomez <da.gomez(a)samsung.com> Reviewed-by: Petr Pavlu <petr.pavlu(a)suse.com> Signed-off-by: Sami Tolvanen <samitolvanen(a)google.com> Conflicts: kernel/module/main.c kernel/module.c [commit cfc1d277891eb merged] Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- kernel/module.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/module.c b/kernel/module.c index 57b34c32a916..834258c5b9c5 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2421,6 +2421,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) break; default: + if (sym[i].st_shndx >= info->hdr->e_shnum) { + pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n", + mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1); + ret = -ENOEXEC; + break; + } + /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); -- 2.22.0

2 1

[PATCH OLK-6.6] module: Fix kernel panic when a symbol st_shndx is out of bounds
by Zhang Yuwei 11 May '26

11 May '26

From: Ihor Solodrai <ihor.solodrai(a)linux.dev> stable inclusion from stable-v6.6.131 commit 082f15d2887329e0f43fd3727e69365f5bfe5d2c category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9037 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f9d69d5e7bde2295eb7488a56f094ac8f5383b92 ] The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)linux.dev> Reviewed-by: Daniel Gomez <da.gomez(a)samsung.com> Reviewed-by: Petr Pavlu <petr.pavlu(a)suse.com> Signed-off-by: Sami Tolvanen <samitolvanen(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- kernel/module/main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/module/main.c b/kernel/module/main.c index 5bb35a5fe2d0..280a94fe0e87 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -1430,6 +1430,13 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) break; default: + if (sym[i].st_shndx >= info->hdr->e_shnum) { + pr_err("%s: Symbol %s has an invalid section index %u (max %u)\n", + mod->name, name, sym[i].st_shndx, info->hdr->e_shnum - 1); + ret = -ENOEXEC; + break; + } + /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); -- 2.22.0

2 1

[PATCH OLK-5.10 0/4] *** fix CVE-2026-31527 ***
by Lin Ruifeng 11 May '26

11 May '26

*** fix CVE-2026-31527 *** Danilo Krummrich (3): driver core: generalize driver_override in struct device hwmon: axi-fan: don't use driver_override as IRQ name driver core: platform: use generic driver_override infrastructure Lin Ruifeng (1): driver/core: Fix kabi broken of platform_device/device/bus_type drivers/base/bus.c | 49 +++++++++++++++++++++++- drivers/base/core.c | 2 + drivers/base/dd.c | 60 ++++++++++++++++++++++++++++++ drivers/base/platform.c | 57 +++------------------------- drivers/hwmon/axi-fan-control.c | 2 +- drivers/slimbus/qcom-ngd-ctrl.c | 12 +++++- include/linux/device.h | 66 +++++++++++++++++++++++++++++++++ include/linux/device/bus.h | 4 ++ include/linux/platform_device.h | 3 +- sound/soc/samsung/i2s.c | 6 ++- 10 files changed, 204 insertions(+), 57 deletions(-) -- 2.43.0

2 6

[PATCH OLK-5.10] ALSA: fireworks: bound device-supplied status before string array lookup
by Lin Ruifeng 11 May '26

11 May '26

From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> stable inclusion from stable-v6.12.83 commit e103f98f6615ed2934e9cf340654f0cad9eb8a8a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14361 CVE: CVE-2026-31619 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 07704bbf36f57e4379e4cadf96410dab14621e3b upstream. The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized. Cc: Clemens Ladisch <clemens(a)ladisch.de> Cc: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> Cc: Jaroslav Kysela <perex(a)perex.cz> Cc: Takashi Iwai <tiwai(a)suse.com> Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands") Cc: stable <stable(a)kernel.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Reviewed-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- sound/firewire/fireworks/fireworks_command.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sound/firewire/fireworks/fireworks_command.c b/sound/firewire/fireworks/fireworks_command.c index 7e255fc2c6e4..f309f15df669 100644 --- a/sound/firewire/fireworks/fireworks_command.c +++ b/sound/firewire/fireworks/fireworks_command.c @@ -151,10 +151,13 @@ efw_transaction(struct snd_efw *efw, unsigned int category, (be32_to_cpu(header->category) != category) || (be32_to_cpu(header->command) != command) || (be32_to_cpu(header->status) != EFR_STATUS_OK)) { + u32 st = be32_to_cpu(header->status); + dev_err(&efw->unit->device, "EFW command failed [%u/%u]: %s\n", be32_to_cpu(header->category), be32_to_cpu(header->command), - efr_status_names[be32_to_cpu(header->status)]); + st < ARRAY_SIZE(efr_status_names) ? + efr_status_names[st] : "unknown"); err = -EIO; goto end; } -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] pstore: ram_core: fix incorrect success return when vmap() fails
by Luo Gengkun 11 May '26

11 May '26

From: Ruipeng Qi <ruipengqi3(a)gmail.com> stable inclusion from stable-v5.10.252 commit d47234840aeb4182ed3ee795c578b1dfa9cbd25b category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14671 CVE: CVE-2026-43124 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit 05363abc7625cf18c96e67f50673cd07f11da5e9 ] In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures. Signed-off-by: Ruipeng Qi <ruipengqi3(a)gmail.com> Link: https://patch.msgid.link/20260203020358.3315299-1-ruipengqi3@gmail.com Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- fs/pstore/ram_core.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c index 588392e6f531..749a9fa36b62 100644 --- a/fs/pstore/ram_core.c +++ b/fs/pstore/ram_core.c @@ -433,6 +433,13 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size, vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot); kfree(pages); + /* + * vmap() may fail and return NULL. Do not add the offset in this + * case, otherwise a NULL mapping would appear successful. + */ + if (!vaddr) + return NULL; + /* * Since vmap() uses page granularity, we must add the offset * into the page here, to get the byte granularity address -- 2.34.1

2 2

[PATCH OLK-6.6 0/4] *** fix CVE-2026-31527 ***
by Lin Ruifeng 11 May '26

11 May '26

*** fix CVE-2026-31527 *** Danilo Krummrich (3): driver core: generalize driver_override in struct device hwmon: axi-fan: don't use driver_override as IRQ name driver core: platform: use generic driver_override infrastructure Lin Ruifeng (1): driver/core: Fix kabi broken of platform_device/bus_type/device drivers/base/bus.c | 43 ++++++++++++++++++++++- drivers/base/core.c | 2 ++ drivers/base/dd.c | 60 +++++++++++++++++++++++++++++++++ drivers/base/platform.c | 37 +++----------------- drivers/bus/simple-pm-bus.c | 4 +-- drivers/clk/imx/clk-scu.c | 3 +- drivers/hwmon/axi-fan-control.c | 2 +- drivers/slimbus/qcom-ngd-ctrl.c | 6 ++-- include/linux/device.h | 57 +++++++++++++++++++++++++++++++ include/linux/device/bus.h | 5 ++- include/linux/platform_device.h | 7 ++-- sound/soc/samsung/i2s.c | 6 ++-- 12 files changed, 181 insertions(+), 51 deletions(-) -- 2.43.0

2 5

[openEuler-1.0-LTS] pstore: ram_core: fix incorrect success return when vmap() fails
by Luo Gengkun 11 May '26

11 May '26

From: Ruipeng Qi <ruipengqi3(a)gmail.com> stable inclusion from stable-v5.10.252 commit d47234840aeb4182ed3ee795c578b1dfa9cbd25b category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14671 CVE: CVE-2026-43124 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit 05363abc7625cf18c96e67f50673cd07f11da5e9 ] In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures. Signed-off-by: Ruipeng Qi <ruipengqi3(a)gmail.com> Link: https://patch.msgid.link/20260203020358.3315299-1-ruipengqi3@gmail.com Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- fs/pstore/ram_core.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c index 588392e6f531..749a9fa36b62 100644 --- a/fs/pstore/ram_core.c +++ b/fs/pstore/ram_core.c @@ -433,6 +433,13 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size, vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot); kfree(pages); + /* + * vmap() may fail and return NULL. Do not add the offset in this + * case, otherwise a NULL mapping would appear successful. + */ + if (!vaddr) + return NULL; + /* * Since vmap() uses page granularity, we must add the offset * into the page here, to get the byte granularity address -- 2.34.1

1 0

[PATCH OLK-6.6] mm/numa_remote: avoid numa_remote lock when onlining pre-onlined memory
by Jinjiang Tu 11 May '26

11 May '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9122 ---------------------------------------- When onlining pre-onlined memory, numa_remote lock is held to check if the memory range is pre-onlined. However, it may lead to unstable performance when the lock is contended. So, don't check it in add_memory_remote(), only check it in numa_remote_undo_fake_online(). Fixes: c855b296345e ("mm/numa_remote: undo isolation of remote memory asynchronously") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/base/numa_remote.c | 56 ++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 33 deletions(-) diff --git a/drivers/base/numa_remote.c b/drivers/base/numa_remote.c index f53d1dcab2ce..fed37dc20391 100644 --- a/drivers/base/numa_remote.c +++ b/drivers/base/numa_remote.c @@ -30,6 +30,7 @@ static nodemask_t numa_nodes_remote; struct undo_fake_online_control { u64 start; u64 size; + int nid; struct llist_node llist; }; @@ -283,17 +284,14 @@ static void numa_remote_online_pages(unsigned long start_pfn, unsigned long end_ * Undo fake-online a remote node. Have to be called in preonline mode then * the memory on the node can be allocated. */ -static int __ref numa_remote_undo_fake_online(u64 start, u64 size) +static int __ref numa_remote_undo_fake_online(u64 start, u64 size, int nid) { unsigned long start_pfn = PFN_DOWN(start); unsigned long end_pfn = PFN_DOWN(start + size); unsigned long nr_pages = end_pfn - start_pfn; - struct zone *zone; - int nid; int ret = 0; mem_hotplug_begin(); - /* Re-check whether all memory block are pre-online. */ if (!check_memory_block_pre_online(start, size, true)) { ret = -EINVAL; goto out; @@ -304,8 +302,6 @@ static int __ref numa_remote_undo_fake_online(u64 start, u64 size) goto out; } - zone = page_zone(phys_to_page(start)); - nid = zone_to_nid(zone); if (!check_memory_block_nid(start, size, nid)) { ret = -EINVAL; goto out; @@ -328,6 +324,8 @@ static int __ref numa_remote_undo_fake_online(u64 start, u64 size) out: atomic_long_add(-nr_pages, &undo_fake_online_pages_node[nid]); mem_hotplug_done(); + if (unlikely(ret)) + pr_warn("online memory [%llx, %llx) failed: %d\n", start, start + size, ret); return ret; } @@ -362,7 +360,7 @@ static void undo_fake_online_work_fn(struct work_struct *work) node = node->next; mutex_lock(&numa_remote_lock); - numa_remote_undo_fake_online(uic->start, uic->size); + numa_remote_undo_fake_online(uic->start, uic->size, uic->nid); mutex_unlock(&numa_remote_lock); kfree(uic); } @@ -454,43 +452,37 @@ int add_memory_remote(int nid, u64 start, u64 size, int flags) if (flags == (MEMORY_KEEP_ISOLATED | MEMORY_DIRECT_ONLINE)) return NUMA_NO_NODE; - if (flags & (MEMORY_KEEP_ISOLATED | MEMORY_DIRECT_ONLINE)) { - numa_remote_wait_undo_fake_online(); - down_write(&numa_remote_state_lock); - } - mutex_lock(&numa_remote_lock); - - if (numa_remote_preonline_mode && !flags) { + /* Online pre-onlined memory. To avoid grabbing numa_rmeote + * lock and leading to unstable performance, don't check if + * [start, start + size) is pre-onelined, check it in the + * async work. + */ + if (!flags) { struct undo_fake_online_control *uic; if (check_hotplug_memory_range(start, size)) - goto out; - /* Check whether all memory block are pre-online. */ - if (!check_memory_block_pre_online(start, size, true)) - goto out; + return NUMA_NO_NODE; - real_nid = (nid == NUMA_NO_NODE) ? - page_to_nid(phys_to_page(start)) : nid; - if (!check_memory_block_nid(start, size, real_nid)) { - real_nid = NUMA_NO_NODE; - goto out; - } + if (nid == NUMA_NO_NODE) + return NUMA_NO_NODE; uic = kzalloc(sizeof(struct undo_fake_online_control), GFP_KERNEL); - if (!uic) { - real_nid = NUMA_NO_NODE; - goto out; - } + if (!uic) + return NUMA_NO_NODE; - atomic_long_add(size / PAGE_SIZE, &undo_fake_online_pages_node[real_nid]); + atomic_long_add(size / PAGE_SIZE, &undo_fake_online_pages_node[nid]); uic->start = start; uic->size = size; + uic->nid = nid; if (llist_add(&uic->llist, &undo_fake_online_list)) schedule_work(&undo_fake_online_work); - goto out; + return nid; } + numa_remote_wait_undo_fake_online(); + down_write(&numa_remote_state_lock); + mutex_lock(&numa_remote_lock); lock_device_hotplug(); real_nid = (nid == NUMA_NO_NODE) ? find_unused_remote_node() : nid; @@ -505,10 +497,8 @@ int add_memory_remote(int nid, u64 start, u64 size, int flags) unlock: unlock_device_hotplug(); -out: mutex_unlock(&numa_remote_lock); - if (flags & (MEMORY_KEEP_ISOLATED | MEMORY_DIRECT_ONLINE)) - up_write(&numa_remote_state_lock); + up_write(&numa_remote_state_lock); return real_nid; } EXPORT_SYMBOL_GPL(add_memory_remote); -- 2.43.0

2 1