author		Takashi Iwai <tiwai@suse.de>	2019-02-22 14:06:25 +0100
committer	Takashi Iwai <tiwai@suse.de>	2019-02-22 14:06:25 +0100
commit		10d91b9b69d979998bf314325d5256ebad2db425 (patch)
tree		bfdd3ef06a19b63416cd5793116a5fdb3b359a18
parent		aa68258786068eda4ccfdd775a89aaca6fc71a08 (diff)
parent		44fe0626006cf7b62cb963a3d788ecaa8b8085d3 (diff)
Merge branch 'users/mgorman/SLE15/for-next' into SLE15
Pull mm fixes from Mel Gorman
-rw-r--r--  blacklist.conf                                                                        |   5
-rw-r--r--  patches.suse/mm-do-not-drop-unused-pages-when-userfaultd-is-running.patch             |  69
-rw-r--r--  patches.suse/mm-hmm-hmm_pfns_bad-was-accessing-wrong-struct.patch                     |  43
-rw-r--r--  patches.suse/mm-ksm.c-ignore-STABLE_FLAG-of-rmap_item-address-in-rmap_walk_ksm.patch  | 161
-rw-r--r--  patches.suse/mm-use-swp_offset-as-key-in-shmem_replace_page.patch                     |  60
-rw-r--r--  patches.suse/mmap-introduce-sane-default-mmap-limits.patch                            | 125
-rw-r--r--  series.conf                                                                           |   5
7 files changed, 468 insertions(+), 0 deletions(-)
diff --git a/blacklist.conf b/blacklist.conf
index 5d1d8d4b80..367d8586a2 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -966,3 +966,8 @@ cf48bf9eee42061c0dbe06ba3e26244dd933cab1 # asus-wmi: already cherry-picked
8099b047ecc431518b9bb6bdbba3549bbecdc343 # exec: reverted below due to regression
cb5b020a8d38f77209d0472a0fea755299a8ec78 # exec: reverting the above
ea6eb5e7d15e1838de335609994b4546e2abcaaf # cosmetic fix
+5d03a6613957785e94af7a4a6212ad4af66aa5c2 # z3fold does not have compaction support backported
+6098d7e136692f9c6e23ae362c62ec822343e4d5 # z3fold does not have per-cpu buddies support backported
+7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 # Alternative SLE-specific fix merged due to KABI hazards
+6ab7d47bcbf0144a8cb81536c2cead4cde18acfe # Alpha is not supported
+379b03b7fa05f7db521b7732a52692448a3c34fe # Underlying problem reverted in bnc#1107078
diff --git a/patches.suse/mm-do-not-drop-unused-pages-when-userfaultd-is-running.patch b/patches.suse/mm-do-not-drop-unused-pages-when-userfaultd-is-running.patch
new file mode 100644
index 0000000000..002f549bd5
--- /dev/null
+++ b/patches.suse/mm-do-not-drop-unused-pages-when-userfaultd-is-running.patch
@@ -0,0 +1,69 @@
+From af845ec01b33054b3771b700aebe4c5bc870dd9e Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 13 Jul 2018 16:58:52 -0700
+Subject: [PATCH] mm: do not drop unused pages when userfaultd is running
+
+References: git fixes (mm/userfaultfd)
+Patch-mainline: v4.18
+Git-commit: bce73e4842390f7b7309c8e253e139db71288ac3
+
+KVM guests on s390 can notify the host of unused pages. This can result
+in pte_unused callbacks to be true for KVM guest memory.
+
+If a page is unused (checked with pte_unused) we might drop this page
+instead of paging it. This can have side-effects on userfaultfd, when
+the page in question was already migrated:
+
+The next access of that page will trigger a fault and a user fault
+instead of faulting in a new and empty zero page. As QEMU does not
+expect a userfault on an already migrated page, this migration will fail.
+
+The most straightforward solution is to ignore the pte_unused hint if a
+userfault context is active for this VMA.
+
+Link: http://lkml.kernel.org/r/20180703171854.63981-1-borntraeger@de.ibm.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Janosch Frank <frankja@linux.ibm.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Cornelia Huck <cohuck@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/rmap.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/mm/rmap.c b/mm/rmap.c
+index 604fefd499f0..91f9df2567f1 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -64,6 +64,7 @@
+ #include <linux/backing-dev.h>
+ #include <linux/page_idle.h>
+ #include <linux/memremap.h>
++#include <linux/userfaultfd_k.h>
+
+ #include <asm/tlbflush.h>
+
+@@ -1492,11 +1493,16 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
+
+ pteval = swp_entry_to_pte(make_hwpoison_entry(subpage));
+ set_pte_at(mm, address, pvmw.pte, pteval);
+- } else if (pte_unused(pteval)) {
++ } else if (pte_unused(pteval) && !userfaultfd_armed(vma)) {
+ /*
+ * The guest indicated that the page content is of no
+ * interest anymore. Simply discard the pte, vmscan
+ * will take care of the rest.
++ * A future reference will then fault in a new zero
++ * page. When userfaultfd is active, we must not drop
++ * this page though, as its main user (postcopy
++ * migration) will not expect userfaults on already
++ * copied pages.
+ */
+ dec_mm_counter(mm, mm_counter(page));
+ } else if (IS_ENABLED(CONFIG_MIGRATION) &&
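For illustration (not part of the patch), here is a minimal userspace sketch, with error handling mostly omitted, of how a VMA becomes userfaultfd-armed in the first place: once UFFDIO_REGISTER succeeds on a range, userfaultfd_armed() is true for the covering VMA and the !userfaultfd_armed(vma) test in the hunk above stops the pte_unused shortcut from discarding its pages.

#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
	/* Create the userfaultfd and negotiate the API. */
	long uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
	if (uffd < 0) { perror("userfaultfd"); return 1; }

	struct uffdio_api api = { .api = UFFD_API };
	if (ioctl(uffd, UFFDIO_API, &api)) { perror("UFFDIO_API"); return 1; }

	size_t len = 4096;
	void *area = mmap(NULL, len, PROT_READ | PROT_WRITE,
			  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	/* After this ioctl the VMA is "armed": the kernel must no longer
	 * silently discard its pages, because the monitor (e.g. QEMU
	 * postcopy) expects to resolve every missing-page fault itself. */
	struct uffdio_register reg = {
		.range = { .start = (unsigned long)area, .len = len },
		.mode = UFFDIO_REGISTER_MODE_MISSING,
	};
	if (ioctl(uffd, UFFDIO_REGISTER, &reg)) perror("UFFDIO_REGISTER");

	close(uffd);
	return 0;
}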
diff --git a/patches.suse/mm-hmm-hmm_pfns_bad-was-accessing-wrong-struct.patch b/patches.suse/mm-hmm-hmm_pfns_bad-was-accessing-wrong-struct.patch
new file mode 100644
index 0000000000..bba6fbae4c
--- /dev/null
+++ b/patches.suse/mm-hmm-hmm_pfns_bad-was-accessing-wrong-struct.patch
@@ -0,0 +1,43 @@
+From 0c1c6a1ae6f50ac1ddebc82b572378365afa7636 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Tue, 10 Apr 2018 16:28:27 -0700
+Subject: [PATCH] mm/hmm: hmm_pfns_bad() was accessing wrong struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: git fixes (mm/hmm)
+Patch-mainline: v4.17
+Git-commit: c719547f032d4610c7a20900baacae26d0b1ff3e
+
+The private field of the mm_walk struct points to an hmm_vma_walk struct,
+not to the hmm_range struct desired. Fix it to get the proper struct pointer.
+
+Link: http://lkml.kernel.org/r/20180323005527.758-6-jglisse@redhat.com
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Cc: Evgeny Baskakov <ebaskakov@nvidia.com>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: Mark Hairgrove <mhairgrove@nvidia.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/hmm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/hmm.c b/mm/hmm.c
+index 0feb4188f68a..f09dc7f10563 100644
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -277,7 +277,8 @@ static int hmm_pfns_bad(unsigned long addr,
+ unsigned long end,
+ struct mm_walk *walk)
+ {
+- struct hmm_range *range = walk->private;
++ struct hmm_vma_walk *hmm_vma_walk = walk->private;
++ struct hmm_range *range = hmm_vma_walk->range;
+ hmm_pfn_t *pfns = range->pfns;
+ unsigned long i;
+
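The bug class above is easy to reproduce in plain C: a generic walker hands its callbacks an opaque void *private, and nothing stops a callback from casting it to the wrong type. A standalone sketch (struct names illustrative, not the kernel's definitions):

#include <stdio.h>

struct range { unsigned long start, end; };
struct walk_state { struct range *range; unsigned long last; };
struct walk { void *private; };

static void callback_buggy(struct walk *walk)
{
	/* Wrong: private actually holds a walk_state. The cast compiles
	 * fine, and 'start' silently reads the embedded pointer instead
	 * (undefined behaviour in strict C, but it "works" like the bug). */
	struct range *r = walk->private;
	printf("buggy: start=%#lx\n", r->start);
}

static void callback_fixed(struct walk *walk)
{
	/* Right: unwrap the outer walk state first, as the fix above does. */
	struct walk_state *state = walk->private;
	printf("fixed: start=%#lx\n", state->range->start);
}

int main(void)
{
	struct range rng = { 0x1000, 0x2000 };
	struct walk_state state = { &rng, 0 };
	struct walk walk = { &state };

	callback_buggy(&walk);	/* prints a pointer value, not 0x1000 */
	callback_fixed(&walk);	/* prints 0x1000 */
	return 0;
}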
diff --git a/patches.suse/mm-ksm.c-ignore-STABLE_FLAG-of-rmap_item-address-in-rmap_walk_ksm.patch b/patches.suse/mm-ksm.c-ignore-STABLE_FLAG-of-rmap_item-address-in-rmap_walk_ksm.patch
new file mode 100644
index 0000000000..5aaf265e1a
--- /dev/null
+++ b/patches.suse/mm-ksm.c-ignore-STABLE_FLAG-of-rmap_item-address-in-rmap_walk_ksm.patch
@@ -0,0 +1,161 @@
+From 12e0a6ded710447b2041db06e06b2613ec1f2622 Mon Sep 17 00:00:00 2001
+From: Jia He <jia.he@hxt-semitech.com>
+Date: Thu, 14 Jun 2018 15:26:14 -0700
+Subject: [PATCH] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in
+ rmap_walk_ksm()
+
+References: git fixes (mm/ksm)
+Patch-mainline: v4.18
+Git-commit: 1105a2fc022f3c7482e32faf516e8bc44095f778
+
+On our armv8a server (QDF2400), I noticed lots of WARN_ONs caused by
+rmap_item->address not being PAGE_SIZE aligned, under memory pressure
+tests (starting 20 guests and running memhog in the host).
+
+ WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
+ CPU: 4 PID: 4641 Comm: memhog Tainted: G W 4.17.0-rc3+ #8
+ Call trace:
+ kvm_age_hva_handler+0xc0/0xc8
+ handle_hva_to_gpa+0xa8/0xe0
+ kvm_age_hva+0x4c/0xe8
+ kvm_mmu_notifier_clear_flush_young+0x54/0x98
+ __mmu_notifier_clear_flush_young+0x6c/0xa0
+ page_referenced_one+0x154/0x1d8
+ rmap_walk_ksm+0x12c/0x1d0
+ rmap_walk+0x94/0xa0
+ page_referenced+0x194/0x1b0
+ shrink_page_list+0x674/0xc28
+ shrink_inactive_list+0x26c/0x5b8
+ shrink_node_memcg+0x35c/0x620
+ shrink_node+0x100/0x430
+ do_try_to_free_pages+0xe0/0x3a8
+ try_to_free_pages+0xe4/0x230
+ __alloc_pages_nodemask+0x564/0xdc0
+ alloc_pages_vma+0x90/0x228
+ do_anonymous_page+0xc8/0x4d0
+ __handle_mm_fault+0x4a0/0x508
+ handle_mm_fault+0xf8/0x1b0
+ do_page_fault+0x218/0x4b8
+ do_translation_fault+0x90/0xa0
+ do_mem_abort+0x68/0xf0
+ el0_da+0x24/0x28
+
+In rmap_walk_ksm, the rmap_item->address might still have the
+STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
+PAGE_SIZE aligned. Thus it will cause exceptions in handle_hva_to_gpa
+on arm64.
+
+This patch fixes it by ignoring (not removing) the low bits of address
+when doing rmap_walk_ksm.
+
+IMO, it should be backported to the stable tree. The storm of WARN_ONs is
+very easy for me to reproduce. More than that, I watched a panic (not
+reproducible) as follows:
+
+ page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
+ flags: 0x1fffc00000000000()
+ raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
+ raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
+ page dumped because: nonzero _refcount
+ CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
+ Hardware name: <snip for confidential issues>
+ Call trace:
+ dump_backtrace+0x0/0x22c
+ show_stack+0x24/0x2c
+ dump_stack+0x8c/0xb0
+ bad_page+0xf4/0x154
+ free_pages_check_bad+0x90/0x9c
+ free_pcppages_bulk+0x464/0x518
+ free_hot_cold_page+0x22c/0x300
+ __put_page+0x54/0x60
+ unmap_stage2_range+0x170/0x2b4
+ kvm_unmap_hva_handler+0x30/0x40
+ handle_hva_to_gpa+0xb0/0xec
+ kvm_unmap_hva_range+0x5c/0xd0
+
+I even injected a fault on purpose in kvm_unmap_hva_range by setting
+size=size-0x200; the call trace is similar to the one above. So I think
+the panic shares the same root cause as the WARN_ONs.
+
+Andrea said:
+
+: It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
+: zap those bits and hide the misalignment caused by the low metadata
+: bits being erroneously left set in the address, but the arm code
+: notices when that's the last page in the memslot and the hva_end is
+: getting aligned and the size is below one page.
+:
+: I think the problem triggers in the addr += PAGE_SIZE of
+: unmap_stage2_ptes that never matches end because end is aligned but
+: addr is not.
+:
+: } while (pte++, addr += PAGE_SIZE, addr != end);
+:
+: x86 again only works on hva_start/hva_end after converting it to
+: gfn_start/end and that being in pfn units the bits are zapped before
+: they risk to cause trouble.
+
+Jia He said:
+
+: I've tested it myself on an arm64 server (QDF2400, 46 cpus, 96G mem).
+: Without this patch, the WARN_ON is very easy to reproduce. After this
+: patch, I have run the same benchmark for a whole day without any WARN_ONs.
+
+Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com
+Signed-off-by: Jia He <jia.he@hxt-semitech.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Tested-by: Jia He <hejianet@gmail.com>
+Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/ksm.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index 85e8c5fc95e6..c78d14460552 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -183,6 +183,8 @@ struct rmap_item {
+ #define SEQNR_MASK 0x0ff /* low bits of unstable tree seqnr */
+ #define UNSTABLE_FLAG 0x100 /* is a node of the unstable tree */
+ #define STABLE_FLAG 0x200 /* is listed from the stable tree */
++#define KSM_FLAG_MASK (SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
++ /* to mask all the flags */
+
+ /* The stable and unstable tree heads */
+ static struct rb_root one_stable_tree[1] = { RB_ROOT };
+@@ -1973,10 +1975,15 @@ void rmap_walk_ksm(struct page *page, struct rmap_walk_control *rwc)
+ anon_vma_lock_read(anon_vma);
+ anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
+ 0, ULONG_MAX) {
++ unsigned long addr;
++
+ cond_resched();
+ vma = vmac->vma;
+- if (rmap_item->address < vma->vm_start ||
+- rmap_item->address >= vma->vm_end)
++
++ /* Ignore the stable/unstable/sqnr flags */
++ addr = rmap_item->address & ~KSM_FLAG_MASK;
++
++ if (addr < vma->vm_start || addr >= vma->vm_end)
+ continue;
+ /*
+ * Initially we examine only the vma which covers this
+@@ -1990,8 +1997,7 @@ void rmap_walk_ksm(struct page *page, struct rmap_walk_control *rwc)
+ if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
+ continue;
+
+- if (!rwc->rmap_one(page, vma,
+- rmap_item->address, rwc->arg)) {
++ if (!rwc->rmap_one(page, vma, addr, rwc->arg)) {
+ anon_vma_unlock_read(anon_vma);
+ return;
+ }
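The essence of the fix is that KSM overloads the low bits of rmap_item->address with metadata, so any consumer that needs a real, page-aligned address must mask them off first. A standalone sketch with illustrative address values:

#include <assert.h>
#include <stdio.h>

/* Same flag layout as the hunk above. */
#define SEQNR_MASK	0x0ff
#define UNSTABLE_FLAG	0x100
#define STABLE_FLAG	0x200
#define KSM_FLAG_MASK	(SEQNR_MASK | UNSTABLE_FLAG | STABLE_FLAG)

int main(void)
{
	unsigned long vm_start = 0x400000, vm_end = 0x500000;
	/* A stable-tree item: a page-aligned address with STABLE_FLAG set. */
	unsigned long item_address = 0x401000 | STABLE_FLAG;

	/* Before the fix, the flagged value leaked into the range check and
	 * into the address handed to rmap_one(), breaking the PAGE_SIZE
	 * alignment that kvm_age_hva_handler() asserts. */
	unsigned long buggy = item_address;
	/* After the fix: strip the flags, leave rmap_item itself intact. */
	unsigned long addr = item_address & ~KSM_FLAG_MASK;

	printf("buggy=%#lx page-aligned=%d\n", buggy, !(buggy & 0xfff));
	printf("fixed=%#lx page-aligned=%d\n", addr, !(addr & 0xfff));
	assert(addr >= vm_start && addr < vm_end);
	return 0;
}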
diff --git a/patches.suse/mm-use-swp_offset-as-key-in-shmem_replace_page.patch b/patches.suse/mm-use-swp_offset-as-key-in-shmem_replace_page.patch
new file mode 100644
index 0000000000..2aad3f7804
--- /dev/null
+++ b/patches.suse/mm-use-swp_offset-as-key-in-shmem_replace_page.patch
@@ -0,0 +1,60 @@
+From e2221e5d0fbaf7fa96d5238fe321a7811cee86c0 Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Fri, 30 Nov 2018 14:09:03 -0800
+Subject: [PATCH] mm: use swp_offset as key in shmem_replace_page()
+
+References: git fixes (mm/shmem)
+Patch-mainline: v4.20
+Git-commit: c1cb20d43728aa9b5393bd8d489bc85c142949b2
+
+We changed the key of the swap cache tree from swp_entry_t.val to
+swp_offset. We need to do so in shmem_replace_page() as well.
+
+Hugh said:
+ "shmem_replace_page() has been wrong since the day I wrote it: good
+ enough to work on swap "type" 0, which is all most people ever use
+ (especially those few who need shmem_replace_page() at all), but
+ broken once there are any non-0 swp_type bits set in the higher order
+ bits"
+
+Link: http://lkml.kernel.org/r/20181121215442.138545-1-yuzhao@google.com
+Fixes: f6ab1f7f6b2d ("mm, swap: use offset of swap entry as key of swap cache")
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org> [4.9+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/shmem.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 3f5af65d76bc..e5a01786f187 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1530,11 +1530,13 @@ static int shmem_replace_page(struct page **pagep, gfp_t gfp,
+ {
+ struct page *oldpage, *newpage;
+ struct address_space *swap_mapping;
++ swp_entry_t entry;
+ pgoff_t swap_index;
+ int error;
+
+ oldpage = *pagep;
+- swap_index = page_private(oldpage);
++ entry.val = page_private(oldpage);
++ swap_index = swp_offset(entry);
+ swap_mapping = page_mapping(oldpage);
+
+ /*
+@@ -1553,7 +1555,7 @@ static int shmem_replace_page(struct page **pagep, gfp_t gfp,
+ __SetPageLocked(newpage);
+ __SetPageSwapBacked(newpage);
+ SetPageUptodate(newpage);
+- set_page_private(newpage, swap_index);
++ set_page_private(newpage, entry.val);
+ SetPageSwapCache(newpage);
+
+ /*
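The underlying encoding explains the bug: a swp_entry_t packs the swap device "type" into the high bits of .val, so .val only equals the offset on swap type 0. A standalone sketch of the idea (the bit layout is illustrative and assumes a 64-bit unsigned long, not the kernel's exact arch-dependent encoding):

#include <stdio.h>

#define SWP_TYPE_SHIFT 58	/* illustrative split between type and offset */

typedef struct { unsigned long val; } swp_entry_t;

static swp_entry_t swp_entry(unsigned long type, unsigned long offset)
{
	return (swp_entry_t){ (type << SWP_TYPE_SHIFT) | offset };
}

static unsigned long swp_offset(swp_entry_t e)
{
	return e.val & ((1UL << SWP_TYPE_SHIFT) - 1);
}

int main(void)
{
	swp_entry_t on_dev0 = swp_entry(0, 42);	/* slot 42 on swap device 0 */
	swp_entry_t on_dev1 = swp_entry(1, 42);	/* slot 42 on swap device 1 */

	/* The old code keyed the swap cache with page_private(), i.e.
	 * entry.val: identical to the offset on device 0, wildly wrong on
	 * any other device. The fix keys with swp_offset() instead. */
	printf("dev0: val=%lu offset=%lu\n", on_dev0.val, swp_offset(on_dev0));
	printf("dev1: val=%lu offset=%lu\n", on_dev1.val, swp_offset(on_dev1));
	return 0;
}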
diff --git a/patches.suse/mmap-introduce-sane-default-mmap-limits.patch b/patches.suse/mmap-introduce-sane-default-mmap-limits.patch
new file mode 100644
index 0000000000..bad4d9c98f
--- /dev/null
+++ b/patches.suse/mmap-introduce-sane-default-mmap-limits.patch
@@ -0,0 +1,125 @@
+From e644b2e60125426eb47eb60d479d249104284ef7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 11 May 2018 09:52:01 -0700
+Subject: [PATCH] mmap: introduce sane default mmap limits
+
+References: git fixes (mm/mmap)
+Patch-mainline: v4.17
+Git-commit: be83bbf806822b1b89e0a0f23cd87cddc409e429
+
+The internal VM "mmap()" interfaces are based on the mmap target doing
+everything using page indexes rather than byte offsets, because
+traditionally (ie 32-bit) we had the situation that the byte offset
+didn't fit in a register. So while the mmap virtual address was limited
+by the word size of the architecture, the backing store was not.
+
+So we're basically passing "pgoff" around as a page index, in order to
+be able to describe backing store locations that are much bigger than
+the word size (think files larger than 4GB etc).
+
+But while this all makes a ton of sense conceptually, we've been dogged
+by various drivers that don't really understand this, and internally
+work with byte offsets, and then try to work with the page index by
+turning it into a byte offset with "pgoff << PAGE_SHIFT".
+
+Which obviously can overflow.
+
+Adding the size of the mapping to it to get the byte offset of the end
+of the backing store just exacerbates the problem, and if you then use
+this overflow-prone value to check various limits of your device driver
+mmap capability, you're just setting yourself up for problems.
+
+The correct thing for drivers to do is to do their limit math in page
+indices, the way the interface is designed. Because the generic mmap
+code _does_ test that the index doesn't overflow, since that's what the
+mmap code really cares about.
+
+HOWEVER.
+
+Finding and fixing various random drivers is a sisyphean task, so let's
+just see if we can just make the core mmap() code do the limiting for
+us. Realistically, the only "big" backing stores we need to care about
+are regular files and block devices, both of which are known to do this
+properly, and which have nice well-defined limits for how much data they
+can access.
+
+So let's special-case just those two known cases, and then limit other
+random mmap users to a backing store that still fits in "unsigned long".
+Realistically, that's not much of a limit at all on 64-bit, and on
+32-bit architectures the only worry might be the GPU drivers, which can
+have big physical address spaces.
+
+To make it possible for drivers like that to say that they are 64-bit
+clean, this patch does repurpose the "FMODE_UNSIGNED_OFFSET" bit in the
+file flags to allow drivers to mark their file descriptors as safe in
+the full 64-bit mmap address space.
+
+[ The timing for doing this is less than optimal, and this should really
+ go in a merge window. But realistically, this needs wide testing more
+ than it needs anything else, and being main-line is the only way to do
+ that.
+
+ So the earlier the better, even if it's outside the proper development
+ cycle - Linus ]
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/mmap.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index b62900b4d095..39b871be9a6e 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1315,6 +1315,35 @@ static inline int mlock_future_check(struct mm_struct *mm,
+ return 0;
+ }
+
++static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
++{
++ if (S_ISREG(inode->i_mode))
++ return inode->i_sb->s_maxbytes;
++
++ if (S_ISBLK(inode->i_mode))
++ return MAX_LFS_FILESIZE;
++
++ /* Special "we do even unsigned file positions" case */
++ if (file->f_mode & FMODE_UNSIGNED_OFFSET)
++ return 0;
++
++ /* Yes, random drivers might want more. But I'm tired of buggy drivers */
++ return ULONG_MAX;
++}
++
++static inline bool file_mmap_ok(struct file *file, struct inode *inode,
++ unsigned long pgoff, unsigned long len)
++{
++ u64 maxsize = file_mmap_size_max(file, inode);
++
++ if (maxsize && len > maxsize)
++ return false;
++ maxsize -= len;
++ if (pgoff > maxsize >> PAGE_SHIFT)
++ return false;
++ return true;
++}
++
+ /*
+ * The caller must hold down_write(&current->mm->mmap_sem).
+ */
+@@ -1389,6 +1418,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
+ struct inode *inode = file_inode(file);
+ unsigned long flags_mask;
+
++ if (!file_mmap_ok(file, inode, pgoff, len))
++ return -EOVERFLOW;
++
+ flags_mask = LEGACY_MAP_MASK | file->f_op->mmap_supported_flags;
+
+ switch (flags & MAP_TYPE) {
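A standalone sketch of the overflow class this patch guards against (values illustrative; the "buggy check" mimics a driver doing its limit math in 32-bit byte offsets instead of page indices):

#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

int main(void)
{
	uint32_t pgoff = 0x00200000;	/* page index of an 8 GiB offset */
	uint32_t dev_size = 0x40000000;	/* a 1 GiB device, in bytes */

	/* Buggy driver-style check in 32-bit byte offsets: the shift wraps
	 * (8 GiB mod 2^32 == 0), so the bogus mapping passes the check. */
	uint32_t byte_off = pgoff << PAGE_SHIFT;
	printf("32-bit check: byte_off=%#x fits=%d\n",
	       byte_off, byte_off < dev_size);

	/* What file_mmap_ok() above effectively does: compare in a wide
	 * type against the backing store's maximum. */
	int fits = ((uint64_t)pgoff << PAGE_SHIFT) < (uint64_t)dev_size;
	printf("64-bit check: fits=%d\n", fits);
	return 0;
}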
diff --git a/series.conf b/series.conf
index 880a5a2193..ca58cd4d59 100644
--- a/series.conf
+++ b/series.conf
@@ -15410,6 +15410,7 @@
patches.suse/ceph-quota-cache-inode-pointer-in-ceph_snap_realm.patch
patches.suse/ceph-quota-add-counter-for-snaprealms-with-quota.patch
patches.suse/quota-report-root-dir-quota-usage-in-statfs.patch
+ patches.suse/mm-hmm-hmm_pfns_bad-was-accessing-wrong-struct.patch
patches.suse/sched-numa-avoid-trapping-faults-and-attempting-migration-of-file-backed-dirty-pages.patch
patches.fixes/memcg-thp-do-not-invoke-oom-killer-on-thp-charges.patch
patches.fixes/mm-ksm-c-fix-inconsistent-accounting-of-zero-pages.patch
@@ -15877,6 +15878,7 @@
patches.drm/drm-vc4-Fix-scaling-of-uni-planar-formats
patches.drm/drm-nouveau-Fix-deadlock-in-nv50_mstm_register_conne
patches.fixes/cpufreq-schedutil-Avoid-using-invalid-next_freq.patch
+ patches.suse/mmap-introduce-sane-default-mmap-limits.patch
patches.arch/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap
patches.fixes/tracing-Fix-regex_match_front-to-not-over-compare-th.patch
patches.arch/powerpc-pseries-Fix-CONFIG_NUMA-n-build.patch
@@ -17174,6 +17176,7 @@
patches.fixes/ceph-fix-use-after-free-in-ceph_statfs.patch
patches.fixes/ceph-fix-alignment-of-rasize.patch
patches.fixes/rbd-flush-rbd_dev-watch_dwork-after-watch-is-unregistered.patch
+ patches.suse/mm-ksm.c-ignore-STABLE_FLAG-of-rmap_item-address-in-rmap_walk_ksm.patch
patches.fixes/mm-fix-devmem_is_allowed-for-sub-page-System-RAM-int.patch
patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
patches.drm/Revert-drm-amdgpu-Add-an-ATPX-quirk-for-hybrid-lapto.patch
@@ -17476,6 +17479,7 @@
patches.drivers/IB-hfi1-Fix-incorrect-mixing-of-ERR_PTR-and-NULL-ret.patch
patches.drivers/RDMA-mlx5-Fix-memory-leak-in-mlx5_ib_create_srq-erro.patch
patches.drivers/i2c-tegra-Fix-NACK-error-handling
+ patches.suse/mm-do-not-drop-unused-pages-when-userfaultd-is-running.patch
patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
patches.fixes/reiserfs-fix-buffer-overflow-with-long-warning-messa.patch
patches.arch/ARM-pxa-irq-fix-handling-of-ICMR-registers-in-suspen.patch
@@ -19747,6 +19751,7 @@
patches.fixes/fscache-fix-race-between-enablement-and-dropping-of-.patch
patches.fixes/ACPI-IORT-Fix-iort_get_platform_device_domain-uninit.patch
patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch
+ patches.suse/mm-use-swp_offset-as-key-in-shmem_replace_page.patch
patches.fixes/hfs-do-not-free-node-before-using.patch
patches.fixes/hfsplus-do-not-free-node-before-using.patch
patches.fixes/userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch