[PATCH openEuler-1.0-LTS] Revert "dm-bufio: don't schedule in atomic context"

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ICLINL
CVE: NA

--------------------------------

This reverts commit 33ba377620edc34fbccd07c7181c282eb0e71c46.

There is a wrong adaptation of commit ("dm-bufio: don't schedule in atomic context"). Function __try_evict_buffer can return false, `freed` may stay unchanged for a long time, and so a softlockup happened.

The fix tag for commit ("dm-bufio: don't schedule in atomic context") is totally wrong, it's commit b32d45824aa7 ("dm bufio: Add DM_BUFIO_CLIENT_NO_SLEEP flag") that first introduced the sleep-in-atomic bug, and it has not been backported, so revert this wrongly adapted patch to fix the softlockup.

Moreover, calling dm_bufio_unlock() in __scan() may also cause a UAF vulnerability. Before releasing the lock, tmp retains a pointer to a dm_buffer obtained from the LRU linked list. After releasing the lock, this dm_buffer might be freed. When the process is rescheduled and reacquires the lock to access this dm_buffer, a UAF is triggered.

In versions incorporating commit 450e8dee51aa ("dm bufio: improve concurrent IO performance"), releasing the lock in __scan() no longer risks UAF because the resource acquisition mechanism has been modified: no volatile pointers are held before context switching, eliminating post-resumption access to potentially freed resources.

Fixes: 33ba377620ed ("dm-bufio: don't schedule in atomic context")
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
---
 drivers/md/dm-bufio.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c index 4016d2c191ce..0b41e1db4de9 100644 --- a/drivers/md/dm-bufio.c +++ b/drivers/md/dm-bufio.c @@ -63,8 +63,6 @@ #define LIST_DIRTY 1 #define LIST_SIZE 2 -#define SCAN_RESCHED_CYCLE 16 - /* * Linking of buffers: * All buffers are linked to cache_hash with their hash_list field. 
@@ -1601,12 +1599,7 @@ static unsigned long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan, freed++; if (!--nr_to_scan || ((count - freed) <= retain_target)) return freed; - - if (unlikely(freed % SCAN_RESCHED_CYCLE == 0)) { - dm_bufio_unlock(c); - cond_resched(); - dm_bufio_lock(c); - } + cond_resched(); } } return freed; -- 2.31.1
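
Review bot: the cond_resched() restored in the @@ -1601 hunk of __scan() runs with the dm_bufio client lock still held, and nothing in the code records why that is acceptable on this branch. The commit message ties the sleep-in-atomic bug to b32d45824aa7 ("dm bufio: Add DM_BUFIO_CLIENT_NO_SLEEP flag"), which it says has not been backported; a short comment above cond_resched() stating that dependency would make a later backport of that flag revisit this call. It would also help to note there that the lock must not be dropped at this point while tmp from the LRU walk is live, since that is the UAF the message describes.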
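
The use-after-free described in the commit message, as an added userspace model that is not code from the patch or the kernel: the struct, the function names and the freed flag (which stands in for a real free so the stale pointer can be tested safely) are hypothetical. Re-reading the list head is only one way to hold no pointer across the unlocked window, not a description of commit 450e8dee51aa.

```c
#include <stdio.h>

/* Hypothetical stand-in for a dm_buffer; 'freed' marks memory already released. */
struct buf { struct buf *next; int freed; };
/* Constructed sample list: n[0] -> n[1] -> ... -> n[count-1]. */
static struct buf *build(struct buf *n, int count)
{
    for (int i = 0; i < count; i++)
        n[i] = (struct buf){ (i + 1 < count) ? &n[i + 1] : NULL, 0 };
    return count ? &n[0] : NULL;
}

/* Unlink and "free" one buffer; used by the scanner and by the other task. */
static void evict(struct buf **head, struct buf *victim)
{
    for (struct buf **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; victim->freed = 1; return; }
}

/* 'tmp' is saved before the lock is dropped; returns 1 if it was freed meanwhile. */
int scan_cached_next(struct buf **head, struct buf *other_victim)
{
    for (struct buf *b = *head, *tmp; b; b = tmp) {
        tmp = b->next;               /* saved as list_for_each_entry_safe does */
        evict(head, b);              /* scanner evicts b while holding the lock */
        evict(head, other_victim);   /* models unlock, cond_resched(), lock */
        if (tmp && tmp->freed) return 1;   /* next iteration would be the UAF */
    }
    return 0;
}

/* Nothing is held across the window: re-read the list head after relocking. */
int scan_reread_head(struct buf **head, struct buf *other_victim)
{
    for (struct buf *b = *head; b; b = *head) {
        if (b->freed) return 1;      /* not reached: evict() unlinks before freeing */
        evict(head, b);
        evict(head, other_victim);
    }
    return 0;
}

int main(void)
{
    struct buf n[4], *h = build(n, 4);
    int stale = scan_cached_next(&h, &n[1]);
    h = build(n, 4);
    printf("cached next: %d, re-read head: %d\n", stale, scan_reread_head(&h, &n[1]));
    return 0;
}
```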

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/17073
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/JNY...
participants (2)
- Li Lingfeng
- patchwork bot