[PATCH v3] kthread_worker: Prevent queuing delayed work from timer_fn when it is being canceled

2020-09-26 Thread qiang.zhang
From: Zqiang There is a small race window when a delayed work is being canceled and the work still might be queued from the timer_fn: CPU0 CPU1 kthread_cancel_delayed_work_sync() __kthread_cancel_work_sync() __kthread_cancel_work()

[PATCH v2] kernel/kthread.c: kthread_worker: add work status check in timer_fn

2020-09-24 Thread qiang.zhang
From: Zqiang When queuing delayed work to a worker, at some point after that the timer_fn will be called and add the work to the worker's work_list; at this time the work may be canceled, so add a "work->canceling" check of the current work status. Signed-off-by: Zqiang --- v1->v2: Change description information.

[PATCH] kernel/kthread.c: kthread_worker: add work status check in timer_fn

2020-09-24 Thread qiang.zhang
From: Zqiang When queuing delayed work to a worker, at some point after that the timer_fn will be called and add the work to the worker's work_list; at this time the work may be canceled, so add a "queuing_blocked" check of the current work status. Signed-off-by: Zqiang --- kernel/kthread.c | 3 ++- 1 file changed, 2

[PATCH v4] debugobjects: install CPU hotplug callback

2020-09-23 Thread qiang.zhang
From: Zqiang Due to CPU hotplug, a CPU may never come online again after it goes offline, so some objects in the percpu pool are never freed. In order to avoid this happening, install a CPU hotplug callback and call this callback func to free objects in the percpu pool when the CPU is going offline. Signed-off-by: Zqiang Acked-by:

[PATCH v4] debugobjects: install CPU hotplug callback

2020-09-22 Thread qiang.zhang
From: Zqiang Due to CPU hotplug, a CPU may never come online again after it goes offline, so some objects in the percpu pool are never freed. In order to avoid this happening, install a CPU hotplug callback and call this callback func to free objects in the percpu pool when the CPU is going offline. Signed-off-by: Zqiang Acked-by:

[PATCH] btrfs: Fix missing close devices

2020-09-21 Thread qiang.zhang
From: Zqiang When btrfs fill super returns an error, we should first close the devices and then call the deactivate_locked_super func to free fs_info. Signed-off-by: Zqiang --- fs/btrfs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c index

[PATCH v3] debugobjects: install CPU hotplug callback

2020-09-08 Thread qiang.zhang
From: Zqiang Due to CPU hotplug, a CPU may never come online again after it goes offline, so some objects in the percpu pool are never freed. In order to avoid this happening, install a CPU hotplug callback and call this callback func to free objects in the percpu pool when the CPU is going offline. Signed-off-by: Zqiang ---

[PATCH v2] debugobjects: install cpu hotplug callback

2020-08-26 Thread qiang.zhang
From: Zqiang Due to cpu hotplug, a cpu may never come online again after it goes offline, so some objects in the percpu pool are never freed. In order to avoid this happening, install a cpu hotplug callback and call this callback func to free objects in the percpu pool when the cpu is going offline. Signed-off-by: Zqiang ---

[PATCH] debugobjects: install cpu hotplug callback

2020-08-19 Thread qiang.zhang
From: Zqiang When a cpu is going offline, we should free the objects in the "percpu_obj_pool" free_objs list corresponding to this cpu. Signed-off-by: Zqiang --- include/linux/cpuhotplug.h | 1 + lib/debugobjects.c | 23 +++ 2 files changed, 24 insertions(+) diff

[PATCH] rcu: shrink each possible cpu krcp

2020-08-14 Thread qiang.zhang
From: Zqiang Due to cpu hotplug, some cpu may be offline after the "kfree_call_rcu" func is called; if the shrinker is triggered at this time, we should drain each possible cpu's "krcp". Signed-off-by: Zqiang --- kernel/rcu/tree.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git

[PATCH v2] libnvdimm: KASAN: global-out-of-bounds Read in internal_create_group

2020-08-12 Thread qiang.zhang
From: Zqiang Because the last member of the "nvdimm_firmware_attributes" array was not assigned a null ptr, the traversal of the "grp->attrs" array goes out of bounds in the "create_files" func. func: create_files: ->for (i = 0, attr = grp->attrs; *attr && !error; i++, attr++)

[PATCH] libnvdimm: KASAN: global-out-of-bounds Read in internal_create_group

2020-08-12 Thread qiang.zhang
From: Zqiang Because the last member of the "nvdimm_firmware_attributes" array was not assigned a null ptr, the traversal of the "group" array goes out of bounds in the "internal_create_groups" func. internal_create_groups: ->for (i = 0; groups[i]; i++) ->... BUG: KASAN:

[PATCH] ALSA: seq: KASAN: use-after-free Read in delete_and_unsubscribe_port

2020-08-01 Thread qiang.zhang
From: Zhang Qiang There is a potential race window: when a task acquires the "src->list_mutex" write sem, traverses the linked list to find "subs" objects through parameter "info" in snd_seq_port_disconnect and then releases this write sem, before this task acquires the write sem again, this write sem may be

[PATCH] mm/dmapool.c: add WARN_ON() in dma_pool_destroy

2020-07-30 Thread qiang.zhang
From: Zhang Qiang When the pool is being destroyed, all pages in the pool should be free. If some page is still being used by somebody, we should not just output error logs; we should also add a warning message. Signed-off-by: Zhang Qiang --- mm/dmapool.c | 2 +- 1 file changed, 1

[PATCH v3] mm/slab.c: add node spinlock protect in __cache_free_alien

2020-07-30 Thread qiang.zhang
From: Zhang Qiang for example: node0 cpu0 cpu1 slab_dead_cpu >mutex_lock(_mutex) >cpuup_canceled slab_dead_cpu >mask = cpumask_of_node(node)

[PATCH v2] mm/slab.c: add node spinlock protect in __cache_free_alien

2020-07-29 Thread qiang.zhang
From: Zhang Qiang Due to cpu hotplug, the "cpuup_canceled" func is called; it is currently manipulating the alien cache for the canceled cpu's node, and this node may be the same as the node whose alien cache is being operated on in the "__cache_free_alien" func, so we should add a protect for

[PATCH] mm/slab.c: add node spinlock protect in __cache_free_alien

2020-07-28 Thread qiang.zhang
From: Zhang Qiang We should add a node spinlock to protect "n->alien", which may be assigned NULL in the cpuup_canceled func, causing an address access exception. Fixes: 18bf854117c6 ("slab: use get_node() and kmem_cache_node() functions") Signed-off-by: Zhang Qiang --- mm/slab.c | 7 +-- 1 file

[PATCH] ceph: KASAN: use-after-free Read in ceph_mdsc_destroy

2020-07-23 Thread qiang.zhang
From: Zhang Qiang When the mdsc ptr is freed, we should assign "fsc->mdsc" a null ptr in the ceph_mdsc_init func. CPU: 0 PID: 15653 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace:

[PATCH] mm/dmapool.c: add lock protect in dma_pool_destroy

2020-07-22 Thread qiang.zhang
From: Zhang Qiang When traversing the "pool->page" linked list, to prevent other paths from possibly operating on this list and causing it to be destroyed, we should add lock protection for this list in the dma_pool_destroy func. Signed-off-by: Zhang Qiang --- mm/dmapool.c | 11 +-- 1 file changed, 9

[PATCH v2] tipc: Don't use smp_processor_id() in preemptible code

2020-07-14 Thread qiang.zhang
From: Zhang Qiang CPU: 0 PID: 6801 Comm: syz-executor201 Not tainted 5.8.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118

[PATCH] tipc: Don't use smp_processor_id() in preemptible code

2020-07-13 Thread qiang.zhang
From: Zhang Qiang CPU: 0 PID: 6801 Comm: syz-executor201 Not tainted 5.8.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118

[PATCH v4] kthread: Work could not be queued when worker being destroyed

2020-07-07 Thread qiang.zhang
From: Zhang Qiang Before the work is put into the queue of the worker thread, the state of the worker thread needs to be detected, because the worker thread may be in the destruction state at this time. Signed-off-by: Zhang Qiang Suggested-by: Petr Mladek Reviewed-by: Petr Mladek --- v1->v2:

[PATCH v4] usb: gadget: function: fix missing spinlock in f_uac1_legacy

2020-07-07 Thread qiang.zhang
From: Zhang Qiang Add a missing spinlock protection for play_queue, because the play_queue may be destroyed when the "playback_work" work func and the "f_audio_out_ep_complete" callback func operate on this play_queue at the same time. Fixes: c6994e6f067cf ("USB: gadget: add USB Audio Gadget driver")

[PATCH v3] usb: gadget: function: fix missing spinlock in f_uac1_legacy

2020-07-06 Thread qiang.zhang
From: Zhang Qiang Add a missing spinlock protection for play_queue, because the play_queue may be destroyed when the "playback_work" work func and the "f_audio_out_ep_complete" callback func operate on this play_queue at the same time. Cc: stable Signed-off-by: Zhang Qiang --- v1->v2->v3: Add

[PATCH v2] usb: gadget: function: fix missing spinlock in f_uac1_legacy

2020-07-06 Thread qiang.zhang
From: Zhang Qiang Add a missing spinlock protection to the add operation of the play_queue in "f_audio_out_ep_complete" function. Signed-off-by: Zhang Qiang --- v1->v2: Add missing changelog. drivers/usb/gadget/function/f_uac1_legacy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

[PATCH v2] usb: gadget: function: fix missing spinlock in f_uac1_legacy

2020-07-06 Thread qiang.zhang
From: Zhang Qiang Add a missing spinlock protection to the add operation of the "audio->play_queue" in "f_audio_out_ep_complete" function. Signed-off-by: Zhang Qiang --- v1->v2: Add changelog text. drivers/usb/gadget/function/f_uac1_legacy.c | 2 ++ 1 file changed, 2 insertions(+) diff

[PATCH] usb: gadget: function: fix missing spinlock in f_uac1_legacy

2020-07-05 Thread qiang.zhang
From: Zhang Qiang Signed-off-by: Zhang Qiang --- drivers/usb/gadget/function/f_uac1_legacy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/function/f_uac1_legacy.c b/drivers/usb/gadget/function/f_uac1_legacy.c index 349deae7cabd..e2d7f69128a0 100644 ---

[PATCH v3] kthread: Work could not be queued when worker being destroyed

2020-07-05 Thread qiang.zhang
From: Zhang Qiang Before the work is put into the queue of the worker thread, the state of the worker thread needs to be detected, because the worker thread may be in the destruction state at this time. Signed-off-by: Zhang Qiang Suggested-by: Petr Mladek Reviewed-by: Petr Mladek --- v1->v2:

[PATCH v2] kthread: work could not be queued when worker being destroyed

2020-07-03 Thread qiang.zhang
From: Zhang Qiang The "queuing_blocked" func should print a warning message and return true when the worker is being destroyed. Suggested-by: Petr Mladek Signed-off-by: Zhang Qiang --- v1->v2: Add warning information for condition "!worker->task" kernel/kthread.c | 3 +++ 1 file changed, 3

[PATCH] kthread: work could not be queued when worker being destroyed

2020-07-03 Thread qiang.zhang
From: Zhang Qiang The queuing_blocked func should return true when the worker is being destroyed. Signed-off-by: Zhang Qiang --- kernel/kthread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/kthread.c b/kernel/kthread.c index 1166f2043e67..2ca711d0e78a 100644 ---

[PATCH] kthread: Don't cancel a work that is being cancelled

2020-07-03 Thread qiang.zhang
From: Zhang Qiang When canceling a work, if it is found that the work is in the cancelling state, we should directly exit the cancelled operation. Signed-off-by: Zhang Qiang --- kernel/kthread.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/kthread.c b/kernel/kthread.c index

[PATCH] kthread: Don't cancel a work that is being cancelled

2020-07-02 Thread qiang.zhang
From: Zhang Qiang When canceling a work, if it is found that the work is in the cancelling state, we should directly exit the cancelled operation. Signed-off-by: Zhang Qiang --- kernel/kthread.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/kthread.c b/kernel/kthread.c index

[PATCH] locking/percpu-rwsem: Remove WQ_FLAG_EXCLUSIVE flags

2020-07-02 Thread qiang.zhang
From: Zqiang Remove WQ_FLAG_EXCLUSIVE from "wq_entry.flags", using function __add_wait_queue_entry_tail_exclusive substitution. Signed-off-by: Zqiang --- kernel/locking/percpu-rwsem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/locking/percpu-rwsem.c

[PATCH] usb: gadget: function: printer: The device interface is reset and should return error code

2020-06-27 Thread qiang.zhang
From: Zqiang After the device is disconnected from the host side, the interface of the device is reset. If the userspace operates the device again, an error code should be returned. Signed-off-by: Zqiang --- drivers/usb/gadget/function/f_printer.c | 36 + 1 file

[PATCH] usb: gadget: function: printer: Add gadget dev interface status judgment

2020-06-15 Thread qiang.zhang
From: Zqiang After the interface of the gadget printer device was disabled, we should not continue to operate the device. Signed-off-by: Zqiang --- drivers/usb/gadget/function/f_printer.c | 36 + 1 file changed, 36 insertions(+) diff --git

[PATCH v3] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect

2020-06-11 Thread qiang.zhang
From: Zqiang BUG: memory leak unreferenced object 0x888055046e00 (size 256): comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s) hex dump (first 32 bytes): 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U..Z. f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff

[PATCH v2] usb: gadget: function: printer: fix use-after-free in __lock_acquire

2020-06-08 Thread qiang.zhang
From: Zqiang Increase the reference count of the printer dev through kref to avoid being released by other tasks when in use. BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 Read of size 8 at addr 8880683b0018 by task syz-executor.0/3377 CPU: 1 PID:

[PATCH] usb: gadget: function: printer: fix use-after-free in __lock_acquire

2020-06-04 Thread qiang.zhang
From: Zqiang Fix this by increasing the object reference count. BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 Read of size 8 at addr 8880683b0018 by task syz-executor.0/3377 CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 Hardware name: QEMU

[PATCH v2] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect

2020-06-03 Thread qiang.zhang
From: Zqiang BUG: memory leak unreferenced object 0x888055046e00 (size 256): comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s) hex dump (first 32 bytes): 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U..Z. f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff

[PATCH] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect

2020-06-02 Thread qiang.zhang
From: Zqiang BUG: memory leak unreferenced object 0x888055046e00 (size 256): comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s) hex dump (first 32 bytes): 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U..Z. f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff

[PATCH v7] workqueue: Remove unnecessary kfree() call in rcu_free_wq()

2020-05-28 Thread qiang.zhang
From: Zhang Qiang The data structure member "wq->rescuer" was reset to a null pointer in one if branch. It was passed to a call of the function "kfree" in the callback function "rcu_free_wq" (which was eventually executed). The function "kfree" does not perform more meaningful data processing

[PATCH v6] workqueue: Remove unnecessary kfree() call in rcu_free_wq()

2020-05-27 Thread qiang.zhang
From: Zhang Qiang The data structure member "wq->rescuer" was reset to a null pointer in one if branch. It was passed to a call of the function "kfree" in the callback function "rcu_free_wq" (which was eventually executed). The function "kfree" does not perform more meaningful data processing

[PATCH v5] workqueue: Remove unnecessary kfree() call in rcu_free_wq()

2020-05-27 Thread qiang.zhang
From: Zhang Qiang The data structure member "wq->rescuer" was reset to a null pointer in one if branch. It was passed to a call of the function "kfree" in the callback function "rcu_free_wq" (which was eventually executed). The function "kfree" does not perform more meaningful data processing

[PATCH v4] workqueue: Remove unnecessary kfree(NULL)

2020-05-26 Thread qiang.zhang
From: Zhang Qiang The callback function "rcu_free_wq" could be called after memory was released for "wq->rescuer" already and the assignment is empty, so remove the unnecessary kfree(NULL). Fixes: def98c84b6cd ("workqueue: Fix spurious sanity check failures in destroy_workqueue()") Fixes: 8efe1223d73c

[PATCH v3] workqueue: Fix double kfree for rescuer

2020-05-25 Thread qiang.zhang
From: Zhang Qiang The callback function "rcu_free_wq" could be called after memory was released for "rescuer" already; thus delete a misplaced call of the function "kfree". Fixes: 6ba94429c8e7 ("workqueue: Reorder sysfs code") Signed-off-by: Zhang Qiang --- v1->v2->v3: Only commit

[PATCH] workqueue: Fix double kfree for rescuer

2020-05-25 Thread qiang.zhang
From: Zhang Qiang The duplicate memory release should be deleted from the implementation of the callback function "rcu_free_wq". Fixes: 6ba94429c8e7 ("workqueue: Reorder sysfs code") Signed-off-by: Zhang Qiang --- kernel/workqueue.c | 1 - 1 file changed, 1 deletion(-) diff --git

[PATCH] workqueue: Fix double kfree(rescuer) in destroy_workqueue()

2020-05-24 Thread qiang.zhang
From: Zhang Qiang In destroy_workqueue, if a rescuer worker exists, the wq->rescuer pointer is kfreed. If the sanity checks pass, the func call_rcu(>rcu, rcu_free_wq) will be called if wq->flags & WQ_UNBOUND is false; in the rcu_free_wq func the wq->rescuer pointer is kfreed again. Signed-off-by: Zhang Qiang

[PATCH] kernel/hung_task: Use task_pid_nr function to get pid

2020-05-22 Thread qiang.zhang
From: Zhang Qiang Use task_pid_nr(t) function instead of t->pid when printing task pid. Signed-off-by: Zhang Qiang --- kernel/hung_task.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/hung_task.c b/kernel/hung_task.c index 14a625c16cb3..0a77f6af6909 100644 ---

[PATCH] kernel/hung_task: Use task_pid_nr function to get pid

2020-05-21 Thread qiang.zhang
From: Zhang Qiang Use task_pid_nr(t) function instead of t->pid when printing task pid. Signed-off-by: Zhang Qiang --- kernel/hung_task.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/hung_task.c b/kernel/hung_task.c index 14a625c16cb3..f397beb8c9e1 100644 ---

[PATCH] sched/rt: Add borrowing time condition

2020-05-20 Thread qiang.zhang
From: Zhang Qiang Add a priority judgment to determine whether to borrow time from neighbors, ensuring that the rt_runtime of an rt_rq with higher priority tasks is not reduced. Signed-off-by: Zhang Qiang --- kernel/sched/rt.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git