- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 v2] fs:/dcache.c: fix negative dentry limit not complete problem
by Long Li 29 Jan '24

29 Jan '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8JH5M CVE: NA -------------------------------- Restrictions of negative dentry can avoid softlock when too many dentry in memory, but restrictions before do not always take effect. For example, removing files which has been created would not enter retain_dentry(), because the dentry of file maybe has been added to lru list of superblock, it caused that fast_dput() reutrn true in last dput(). So, add restriction logic for the file which has been added to the lru list in fast_dput(), it prevents the negative dentry exceeding the limit when deleting existing file. Factor out negative dentry limit logic into limit_negative_dentry(), make the code more clean. Fixes: f3de89fc28ba ("fs/dcache.c: avoid softlock since too many negative dentry") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/dcache.c | 70 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index c27aa8ff78f4..ab5f8e954978 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -675,10 +675,36 @@ static inline struct dentry *lock_parent(struct dentry *dentry) return __lock_parent(dentry); } -static inline bool retain_dentry(struct dentry *dentry) +/* + * Return true if dentry is negative and exceed negative dentry limit. + */ +static inline bool limit_negative_dentry(struct dentry *dentry) { struct dentry *parent; + parent = dentry->d_parent; + if (unlikely(!parent)) + return false; + + WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); + if (!dentry->d_inode) { + if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { + unsigned int flags = READ_ONCE(dentry->d_flags); + + flags |= DCACHE_NEGATIVE_ACCOUNT; + WRITE_ONCE(dentry->d_flags, flags); + atomic_inc(&parent->d_neg_dnum); + } + + if (atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + return true; + } + + return false; +} + +static inline bool retain_dentry(struct dentry *dentry) +{ WARN_ON(d_in_lookup(dentry)); /* Unreachable? Get rid of it */ @@ -696,27 +722,9 @@ static inline bool retain_dentry(struct dentry *dentry) if (unlikely(dentry->d_flags & DCACHE_DONTCACHE)) return false; - if (unlikely(!dentry->d_parent)) - goto noparent; - - parent = dentry->d_parent; - /* Return false if it's negative */ - WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); - if (!dentry->d_inode) { - if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { - unsigned int flags = READ_ONCE(dentry->d_flags); - - flags |= DCACHE_NEGATIVE_ACCOUNT; - WRITE_ONCE(dentry->d_flags, flags); - atomic_inc(&parent->d_neg_dnum); - } - } - - if (!dentry->d_inode && - atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + if (unlikely(limit_negative_dentry(dentry))) return false; -noparent: /* retain; LRU fodder */ dentry->d_lockref.count--; if (unlikely(!(dentry->d_flags & DCACHE_LRU_LIST))) @@ -872,8 +880,25 @@ static inline bool fast_dput(struct dentry *dentry) DCACHE_DISCONNECTED | DCACHE_DONTCACHE; /* Nothing to do? Dropping the reference was all we needed? */ - if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) - return true; + if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) { + /* + * If the dentry is not negative dentry, return true directly, + * avoid holding dentry lock in the fast put path. + */ + if (dentry->d_inode) + return true; + /* + * If dentry is negative and need to be limitted, it maybe need + * to be killed, so shouldn't fast put and retain in memory. + */ + spin_lock(&dentry->d_lock); + if (likely(!limit_negative_dentry(dentry))) { + spin_unlock(&dentry->d_lock); + return true; + } + + goto dentry_locked; + } /* * Not the fast normal case? Get the lock. We've already decremented @@ -882,6 +907,7 @@ static inline bool fast_dput(struct dentry *dentry) */ spin_lock(&dentry->d_lock); +dentry_locked: /* * Did somebody else grab a reference to it in the meantime, and * we're no longer the last user after all? Alternatively, somebody -- 2.31.1

1 0

[PATCH OLK-5.10] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
by Dong Chenchen 29 Jan '24

29 Jan '24

From: Sharath Srinivasan <sharath.srinivasan(a)oracle.com> mainline inclusion from mainline-v6.7 commit 13e788deb7348cc88df34bed736c3b3b9927ea52 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC9I CVE: CVE-2024-23849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Syzcaller UBSAN crash occurs in rds_cmsg_recv(), which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1), but with array size of 4 (RDS_RX_MAX_TRACES). Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from trace.rx_trace_pos[i] in rds_recv_track_latency(), with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the off-by-one bounds check in rds_recv_track_latency() to prevent a potential crash in rds_cmsg_recv(). Found by syzcaller: ================================================================= UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39 index 4 is out of range for type 'u64 [4]' CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1066 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 __do_sys_recvfrom net/socket.c:2264 [inline] __se_sys_recvfrom net/socket.c:2260 [inline] __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b ================================================================== Fixes: 3289025aedc0 ("RDS: add receive message trace used by application") Reported-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7L… Signed-off-by: Sharath Srinivasan <sharath.srinivasan(a)oracle.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/rds/af_rds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c index b239120dd9ca..0ec0ae148349 100644 --- a/net/rds/af_rds.c +++ b/net/rds/af_rds.c @@ -419,7 +419,7 @@ static int rds_recv_track_latency(struct rds_sock *rs, sockptr_t optval, rs->rs_rx_traces = trace.rx_traces; for (i = 0; i < rs->rs_rx_traces; i++) { - if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) { + if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) { rs->rs_rx_traces = 0; return -EFAULT; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] fs:/dcache.c: fix negative dentry limit not complete problem
by Long Li 29 Jan '24

29 Jan '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8WPQW CVE: NA -------------------------------- Restrictions of negative dentry can avoid softlock when too many dentry in memory, but restrictions before do not always take effect. For example, removing files which has been created would not enter retain_dentry(), because the dentry of file maybe has been added to lru list of superblock, it caused that fast_dput() reutrn true in last dput(). So, add restriction logic for the file which has been added to the lru list in fast_dput(), it prevents the negative dentry exceeding the limit when deleting existing file. Factor out negative dentry limit logic into limit_negative_dentry(), make the code more clean. Fixes: c44e1f780873 ("fs/dcache.c: avoid softlock since too many negative dentry") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/dcache.c | 70 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index f5b78cc80a00..3cf6fadd5550 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -647,10 +647,36 @@ static inline struct dentry *lock_parent(struct dentry *dentry) return __lock_parent(dentry); } -static inline bool retain_dentry(struct dentry *dentry) +/* + * Return true if dentry is negative and exceed negative dentry limit. + */ +static inline bool limit_negative_dentry(struct dentry *dentry) { struct dentry *parent; + parent = dentry->d_parent; + if (unlikely(!parent)) + return false; + + WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); + if (!dentry->d_inode) { + if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { + unsigned int flags = READ_ONCE(dentry->d_flags); + + flags |= DCACHE_NEGATIVE_ACCOUNT; + WRITE_ONCE(dentry->d_flags, flags); + atomic_inc(&parent->d_neg_dnum); + } + + if (atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + return true; + } + + return false; +} + +static inline bool retain_dentry(struct dentry *dentry) +{ WARN_ON(d_in_lookup(dentry)); /* Unreachable? Get rid of it */ @@ -668,27 +694,9 @@ static inline bool retain_dentry(struct dentry *dentry) if (unlikely(dentry->d_flags & DCACHE_DONTCACHE)) return false; - if (unlikely(!dentry->d_parent)) - goto noparent; - - parent = dentry->d_parent; - /* Return false if it's negative */ - WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); - if (!dentry->d_inode) { - if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { - unsigned int flags = READ_ONCE(dentry->d_flags); - - flags |= DCACHE_NEGATIVE_ACCOUNT; - WRITE_ONCE(dentry->d_flags, flags); - atomic_inc(&parent->d_neg_dnum); - } - } - - if (!dentry->d_inode && - atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + if (unlikely(limit_negative_dentry(dentry))) return false; -noparent: /* retain; LRU fodder */ dentry->d_lockref.count--; if (unlikely(!(dentry->d_flags & DCACHE_LRU_LIST))) @@ -837,8 +845,25 @@ static inline bool fast_dput(struct dentry *dentry) d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST | DCACHE_DISCONNECTED; /* Nothing to do? Dropping the reference was all we needed? */ - if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) - return true; + if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) { + /* + * If the dentry is not negative dentry, return true directly, + * avoid holding dentry lock in the fast put path. + */ + if (dentry->d_inode) + return true; + /* + * If dentry is negative and need to be limitted, it maybe need + * to be killed, so shouldn't fast put and retain in memory. + */ + spin_lock(&dentry->d_lock); + if (likely(!limit_negative_dentry(dentry))) { + spin_unlock(&dentry->d_lock); + return true; + } + + goto dentry_locked; + } /* * Not the fast normal case? Get the lock. We've already decremented @@ -847,6 +872,7 @@ static inline bool fast_dput(struct dentry *dentry) */ spin_lock(&dentry->d_lock); +dentry_locked: /* * Did somebody else grab a reference to it in the meantime, and * we're no longer the last user after all? Alternatively, somebody -- 2.31.1

1 0

[PATCH openEuler-1.0-LTS] net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
by Dong Chenchen 29 Jan '24

29 Jan '24

From: Sharath Srinivasan <sharath.srinivasan(a)oracle.com> mainline inclusion from mainline-v6.7 commit 13e788deb7348cc88df34bed736c3b3b9927ea52 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC9I CVE: CVE-2024-23849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Syzcaller UBSAN crash occurs in rds_cmsg_recv(), which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1), but with array size of 4 (RDS_RX_MAX_TRACES). Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from trace.rx_trace_pos[i] in rds_recv_track_latency(), with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the off-by-one bounds check in rds_recv_track_latency() to prevent a potential crash in rds_cmsg_recv(). Found by syzcaller: ================================================================= UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39 index 4 is out of range for type 'u64 [4]' CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1066 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 __do_sys_recvfrom net/socket.c:2264 [inline] __se_sys_recvfrom net/socket.c:2260 [inline] __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b ================================================================== Fixes: 3289025aedc0 ("RDS: add receive message trace used by application") Reported-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7L… Signed-off-by: Sharath Srinivasan <sharath.srinivasan(a)oracle.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/rds/af_rds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c index cd7e01ea8144..5eb71d276706 100644 --- a/net/rds/af_rds.c +++ b/net/rds/af_rds.c @@ -385,7 +385,7 @@ static int rds_recv_track_latency(struct rds_sock *rs, char __user *optval, rs->rs_rx_traces = trace.rx_traces; for (i = 0; i < rs->rs_rx_traces; i++) { - if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) { + if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) { rs->rs_rx_traces = 0; return -EFAULT; } -- 2.25.1

1 0

[PATCH OLK-6.6] kabi: net: reserve space for net related structure
by Zhengchao Shao 29 Jan '24

29 Jan '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8ZMS7 ---------------------------------------------------- Reserve some fields beforehand for net related structures prone to change. Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- include/linux/netlink.h | 5 +++++ include/net/cfg802154.h | 5 +++++ include/net/netns/conntrack.h | 4 ++++ include/net/netns/core.h | 6 ++++++ include/net/xfrm.h | 8 ++++++++ 5 files changed, 28 insertions(+) diff --git a/include/linux/netlink.h b/include/linux/netlink.h index 75d7de34c908..4111d53f4656 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h @@ -8,6 +8,7 @@ #include <linux/export.h> #include <net/scm.h> #include <uapi/linux/netlink.h> +#include <linux/kabi.h> struct net; @@ -88,6 +89,10 @@ struct netlink_ext_ack { u8 cookie[NETLINK_MAX_COOKIE_LEN]; u8 cookie_len; char _msg_buf[NETLINK_MAX_FMTMSG_LEN]; + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; /* Always use this macro, this allows later putting the diff --git a/include/net/cfg802154.h b/include/net/cfg802154.h index f79ce133e51a..61aabd82b789 100644 --- a/include/net/cfg802154.h +++ b/include/net/cfg802154.h @@ -16,6 +16,8 @@ #include <net/nl802154.h> +#include <linux/kabi.h> + struct wpan_phy; struct wpan_phy_cca; struct cfg802154_scan_request; @@ -242,6 +244,9 @@ struct wpan_phy { */ enum ieee802154_filtering_level filtering; + KABI_RESERVE(1) + KABI_RESERVE(2) + char priv[] __aligned(NETDEV_ALIGN); }; diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index 1f463b3957c7..308c54643b3a 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h @@ -14,6 +14,7 @@ #include <linux/netfilter/nf_conntrack_sctp.h> #endif #include <linux/seqlock.h> +#include <linux/kabi.h> struct ctl_table_header; struct nf_conntrack_ecache; @@ -31,6 +32,9 @@ struct nf_tcp_net { #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) unsigned int offload_timeout; #endif + + KABI_RESERVE(1) + KABI_RESERVE(2) }; enum udp_conntrack { diff --git a/include/net/netns/core.h b/include/net/netns/core.h index a91ef9f8de60..dfb54998c497 100644 --- a/include/net/netns/core.h +++ b/include/net/netns/core.h @@ -3,6 +3,7 @@ #define __NETNS_CORE_H__ #include <linux/types.h> +#include <linux/kabi.h> struct ctl_table_header; struct prot_inuse; @@ -22,6 +23,11 @@ struct netns_core { #if IS_ENABLED(CONFIG_RPS) && IS_ENABLED(CONFIG_SYSCTL) struct cpumask *rps_default_mask; #endif + + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; #endif diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 363c7d510554..9eff85ef369c 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -32,6 +32,8 @@ #include <net/snmp.h> #endif +#include <linux/kabi.h> + #define XFRM_PROTO_ESP 50 #define XFRM_PROTO_AH 51 #define XFRM_PROTO_COMP 108 @@ -289,6 +291,9 @@ struct xfrm_state { /* Private data of this transformer, format is opaque, * interpreted by xfrm_type methods. */ void *data; + + KABI_RESERVE(1) + KABI_RESERVE(2) }; static inline struct net *xs_net(struct xfrm_state *x) @@ -549,6 +554,9 @@ struct xfrm_policy { struct rcu_head rcu; struct xfrm_dev_offload xdo; + + KABI_RESERVE(1) + KABI_RESERVE(2) }; static inline struct net *xp_net(const struct xfrm_policy *xp) -- 2.34.1

1 0

[PATCH OLK-5.10 v2 0/2] fs:/dcache.c: fix negative dentry limit not complete problem
by Long Li 29 Jan '24

29 Jan '24

In this patch set, it revert "fs:/dcache.c: fix negative dentry limit not complete problem" in patch 1/2 and rewrite this patch in patch 2/2. Long Li (2): Revert "fs:/dcache.c: fix negative dentry limit not complete problem" fs:/dcache.c: fix negative dentry limit not complete problem fs/dcache.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) -- 2.31.1

1 2

[PATCH OLK-6.6 v4 0/2] KABI reservation for IMA and crypto
by GUO Zihua 29 Jan '24

29 Jan '24

KABI reservation for IMA and crypto module. v4: Fixed remaining merge marks. v3: Reserve one more u64 for crypto related structs. v2: Changed reservation ordering, and more reservation. GUO Zihua (2): crypto: kabi: KABI reservation for crypto ima: kabi: KABI reservation for IMA include/crypto/aead.h | 7 +++++++ include/crypto/akcipher.h | 7 +++++++ include/crypto/algapi.h | 7 +++++++ include/crypto/cryptd.h | 3 +++ include/crypto/hash.h | 9 +++++++++ include/crypto/if_alg.h | 9 +++++++++ include/crypto/public_key.h | 5 +++++ include/crypto/rng.h | 5 +++++ include/crypto/skcipher.h | 7 +++++++ include/linux/crypto.h | 5 +++++ include/linux/fs.h | 2 ++ include/linux/kernel_read_file.h | 3 +++ include/linux/kexec.h | 5 +++++ include/linux/user_namespace.h | 3 +++ 14 files changed, 77 insertions(+) -- 2.34.1

2 3

[PATCH OLK-6.6 v2] kabi: reserve space for cpu cgroup and cpuset cgroup related structures
by Xiang Yang 29 Jan '24

29 Jan '24

From: Lu Jialin <lujialin4(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8SWPP --------------------------------------------- We reserve some fields beforehand for cpu cgroup and cpuset related structures prone to change, therefore, we can hot add/change features of cpu cgroup cpuset and cgroup with this enhancement. After reserving, normally cache does not matter as the reserved fields are not accessed at all. Signed-off-by: Lu Jialin <lujialin4(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- kernel/cgroup/cpuset.c | 6 ++++++ kernel/sched/sched.h | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index cfdca8aeabda..ea78008dd899 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -43,6 +43,7 @@ #include <linux/sched/isolation.h> #include <linux/cgroup.h> #include <linux/wait.h> +#include <linux/kabi.h> DEFINE_STATIC_KEY_FALSE(cpusets_pre_enable_key); DEFINE_STATIC_KEY_FALSE(cpusets_enabled_key); @@ -186,6 +187,11 @@ struct cpuset { /* Handle for cpuset.cpus.partition */ struct cgroup_file partition_file; + + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; /* diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 88dbcbe3d7c1..938d4d6cc6f2 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -68,6 +68,7 @@ #include <linux/wait_api.h> #include <linux/wait_bit.h> #include <linux/workqueue_api.h> +#include <linux/kabi.h> #include <trace/events/power.h> #include <trace/events/sched.h> @@ -455,6 +456,11 @@ struct task_group { #if defined(CONFIG_QOS_SCHED_SMART_GRID) && !defined(__GENKSYMS__) struct auto_affinity *auto_affinity; #endif + + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; #ifdef CONFIG_FAIR_GROUP_SCHED -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS v2] fs:/dcache.c: fix negative dentry limit not complete problem
by Long Li 29 Jan '24

29 Jan '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8WPQW CVE: NA -------------------------------- Restrictions of negative dentry can avoid softlock when too many dentry in memory, but restrictions before do not always take effect. For example, removing files which has been created would not enter retain_dentry(), because the dentry of file maybe has been added to lru list of superblock, it caused that fast_dput() reutrn true in last dput(). So, add restriction logic for the file which has been added to the lru list in fast_dput(), it prevents the negative dentry exceeding the limit when deleting existing file. Factor out negative dentry limit logic into limit_negative_dentry(), make the code more clean. Fixes: 7ba5d5d0e8b5 ("fs/dcache.c: avoid softlock since too many negative dentry") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/dcache.c | 70 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index ef1641398eda..2a7eaac0c3ef 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -636,10 +636,36 @@ static inline struct dentry *lock_parent(struct dentry *dentry) return __lock_parent(dentry); } -static inline bool retain_dentry(struct dentry *dentry) +/* + * Return true if dentry is negative and exceed negative dentry limit. + */ +static inline bool limit_negative_dentry(struct dentry *dentry) { struct dentry *parent; + parent = dentry->d_parent; + if (unlikely(!parent)) + return false; + + WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); + if (!dentry->d_inode) { + if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { + unsigned int flags = READ_ONCE(dentry->d_flags); + + flags |= DCACHE_NEGATIVE_ACCOUNT; + WRITE_ONCE(dentry->d_flags, flags); + atomic_inc(&parent->d_neg_dnum); + } + + if (atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + return true; + } + + return false; +} + +static inline bool retain_dentry(struct dentry *dentry) +{ WARN_ON(d_in_lookup(dentry)); /* Unreachable? Get rid of it */ @@ -654,27 +680,9 @@ static inline bool retain_dentry(struct dentry *dentry) return false; } - if (unlikely(!dentry->d_parent)) - goto noparent; - - parent = dentry->d_parent; - /* Return false if it's negative */ - WARN_ON((atomic_read(&parent->d_neg_dnum) < 0)); - if (!dentry->d_inode) { - if (!(dentry->d_flags & DCACHE_NEGATIVE_ACCOUNT)) { - unsigned flags = READ_ONCE(dentry->d_flags); - - flags |= DCACHE_NEGATIVE_ACCOUNT; - WRITE_ONCE(dentry->d_flags, flags); - atomic_inc(&parent->d_neg_dnum); - } - } - - if (!dentry->d_inode && - atomic_read(&parent->d_neg_dnum) >= NEG_DENTRY_LIMIT) + if (unlikely(limit_negative_dentry(dentry))) return false; -noparent: /* retain; LRU fodder */ dentry->d_lockref.count--; if (unlikely(!(dentry->d_flags & DCACHE_LRU_LIST))) @@ -808,8 +816,25 @@ static inline bool fast_dput(struct dentry *dentry) d_flags &= DCACHE_REFERENCED | DCACHE_LRU_LIST | DCACHE_DISCONNECTED; /* Nothing to do? Dropping the reference was all we needed? */ - if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) - return true; + if (d_flags == (DCACHE_REFERENCED | DCACHE_LRU_LIST) && !d_unhashed(dentry)) { + /* + * If the dentry is not negative dentry, return true directly, + * avoid holding dentry lock in the fast put path. + */ + if (dentry->d_inode) + return true; + /* + * If dentry is negative and need to be limitted, it maybe need + * to be killed, so shouldn't fast put and retain in memory. + */ + spin_lock(&dentry->d_lock); + if (likely(!limit_negative_dentry(dentry))) { + spin_unlock(&dentry->d_lock); + return true; + } + + goto dentry_locked; + } /* * Not the fast normal case? Get the lock. We've already decremented @@ -818,6 +843,7 @@ static inline bool fast_dput(struct dentry *dentry) */ spin_lock(&dentry->d_lock); +dentry_locked: /* * Did somebody else grab a reference to it in the meantime, and * we're no longer the last user after all? Alternatively, somebody -- 2.31.1

1 0

[openeuler:openEuler-1.0-LTS 6076/21575] net/ipv4/tcp_metrics.o: warning: objtool: tcp_metrics_nl_cmd_get() falls through to next function tcp_metrics_nl_dump()
by kernel test robot 29 Jan '24

29 Jan '24

First bad commit (maybe != root cause): tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: e0207e2784d0f836e732608faf1a6966546a8eb3 commit: d2bc250666ee233e0ee440ab9de9255dffa9af7f [6076/21575] objtool: Fix function fallthrough detection config: x86_64-randconfig-001-20240125 (attached as .config) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (attached as reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401260200.WMl341pL-lkp@intel.com/ All warnings (new ones prefixed by >>): >> net/ipv4/tcp_metrics.o: warning: objtool: tcp_metrics_nl_cmd_get() falls through to next function tcp_metrics_nl_dump() >> net/ipv4/tcp_metrics.o: warning: objtool: tcp_metrics_nl_cmd_del() falls through to next function tcp_metrics_fill_info() -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0