March 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 1/2] btrfs: do not start and wait for delalloc on snapshot roots on transaction commit
by Yifan Qiao 01 Mar '24

01 Mar '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v5.11-rc1 commit 88090ad36a64af1eb5b78d26b2ccd07eedae80b5 category: bugfix bugzilla: N/A Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------------ We do not need anymore to start writeback for delalloc of roots that are being snapshotted and wait for it to complete. This was done in commit 609e804d771f59 ("Btrfs: fix file corruption after snapshotting due to mix of buffered/DIO writes") to fix a type of file corruption where files in a snapshot end up having their i_size updated in a non-ordered way, leaving implicit file holes, when buffered IO writes that increase a file's size are followed by direct IO writes that also increase the file's size. This is not needed anymore because we now have a more generic mechanism to prevent a non-ordered i_size update since commit 9ddc959e802bf7 ("btrfs: use the file extent tree infrastructure"), which addresses this scenario involving snapshots as well. Reviewed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/transaction.c | 49 ++++++------------------------------------ 1 file changed, 6 insertions(+), 43 deletions(-) diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index abd67f984fbc..2f89ac8fd5eb 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2015,10 +2015,8 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans) } } -static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) +static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - /* * We use writeback_inodes_sb here because if we used * btrfs_start_delalloc_roots we would deadlock with fs freeze. @@ -2028,50 +2026,15 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) * from already being in a transaction and our join_transaction doesn't * have to re-take the fs freeze lock. */ - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Flush dellaloc for any root that is going to be snapshotted. - * This is done to avoid a corrupted version of files, in the - * snapshots, that had both buffered and direct IO writes (even - * if they were done sequentially) due to an unordered update of - * the inode's size on disk. - */ - list_for_each_entry(pending, head, list) { - int ret; - - ret = btrfs_start_delalloc_snapshot(pending->root); - if (ret) - return ret; - } - } return 0; } -static inline void btrfs_wait_delalloc_flush(struct btrfs_trans_handle *trans) +static inline void btrfs_wait_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Wait for any dellaloc that we started previously for the roots - * that are going to be snapshotted. This is to avoid a corrupted - * version of files in the snapshots that had both buffered and - * direct IO writes (even if they were done sequentially). - */ - list_for_each_entry(pending, head, list) - btrfs_wait_ordered_extents(pending->root, - U64_MAX, 0, U64_MAX); - } } int btrfs_commit_transaction(struct btrfs_trans_handle *trans) @@ -2209,7 +2172,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) extwriter_counter_dec(cur_trans, trans->type); - ret = btrfs_start_delalloc_flush(trans); + ret = btrfs_start_delalloc_flush(fs_info); if (ret) goto cleanup_transaction; @@ -2225,7 +2188,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) if (ret) goto cleanup_transaction; - btrfs_wait_delalloc_flush(trans); + btrfs_wait_delalloc_flush(fs_info); /* * Wait for all ordered extents started by a fast fsync that joined this -- 2.39.2

2 2

[PATCH OLK-5.10 1/2] btrfs: do not start and wait for delalloc on snapshot roots on transaction commit
by q00831684 01 Mar '24

01 Mar '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v5.11-rc1 commit 88090ad36a64af1eb5b78d26b2ccd07eedae80b5 category: bugfix bugzilla: N/A Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------------ We do not need anymore to start writeback for delalloc of roots that are being snapshotted and wait for it to complete. This was done in commit 609e804d771f59 ("Btrfs: fix file corruption after snapshotting due to mix of buffered/DIO writes") to fix a type of file corruption where files in a snapshot end up having their i_size updated in a non-ordered way, leaving implicit file holes, when buffered IO writes that increase a file's size are followed by direct IO writes that also increase the file's size. This is not needed anymore because we now have a more generic mechanism to prevent a non-ordered i_size update since commit 9ddc959e802bf7 ("btrfs: use the file extent tree infrastructure"), which addresses this scenario involving snapshots as well. Reviewed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/transaction.c | 49 ++++++------------------------------------ 1 file changed, 6 insertions(+), 43 deletions(-) diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index abd67f984fbc..2f89ac8fd5eb 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2015,10 +2015,8 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans) } } -static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) +static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - /* * We use writeback_inodes_sb here because if we used * btrfs_start_delalloc_roots we would deadlock with fs freeze. @@ -2028,50 +2026,15 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) * from already being in a transaction and our join_transaction doesn't * have to re-take the fs freeze lock. */ - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Flush dellaloc for any root that is going to be snapshotted. - * This is done to avoid a corrupted version of files, in the - * snapshots, that had both buffered and direct IO writes (even - * if they were done sequentially) due to an unordered update of - * the inode's size on disk. - */ - list_for_each_entry(pending, head, list) { - int ret; - - ret = btrfs_start_delalloc_snapshot(pending->root); - if (ret) - return ret; - } - } return 0; } -static inline void btrfs_wait_delalloc_flush(struct btrfs_trans_handle *trans) +static inline void btrfs_wait_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Wait for any dellaloc that we started previously for the roots - * that are going to be snapshotted. This is to avoid a corrupted - * version of files in the snapshots that had both buffered and - * direct IO writes (even if they were done sequentially). - */ - list_for_each_entry(pending, head, list) - btrfs_wait_ordered_extents(pending->root, - U64_MAX, 0, U64_MAX); - } } int btrfs_commit_transaction(struct btrfs_trans_handle *trans) @@ -2209,7 +2172,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) extwriter_counter_dec(cur_trans, trans->type); - ret = btrfs_start_delalloc_flush(trans); + ret = btrfs_start_delalloc_flush(fs_info); if (ret) goto cleanup_transaction; @@ -2225,7 +2188,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) if (ret) goto cleanup_transaction; - btrfs_wait_delalloc_flush(trans); + btrfs_wait_delalloc_flush(fs_info); /* * Wait for all ordered extents started by a fast fsync that joined this -- 2.39.2

2 2

[PATCH OLK-5.10 1/2] btrfs: do not start and wait for delalloc on snapshot roots on transaction commit
by q00831684 01 Mar '24

01 Mar '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v5.11-rc1 commit 88090ad36a64af1eb5b78d26b2ccd07eedae80b5 category: bugfix bugzilla: N/A Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------------ We do not need anymore to start writeback for delalloc of roots that are being snapshotted and wait for it to complete. This was done in commit 609e804d771f59 ("Btrfs: fix file corruption after snapshotting due to mix of buffered/DIO writes") to fix a type of file corruption where files in a snapshot end up having their i_size updated in a non-ordered way, leaving implicit file holes, when buffered IO writes that increase a file's size are followed by direct IO writes that also increase the file's size. This is not needed anymore because we now have a more generic mechanism to prevent a non-ordered i_size update since commit 9ddc959e802bf7 ("btrfs: use the file extent tree infrastructure"), which addresses this scenario involving snapshots as well. Reviewed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/transaction.c | 49 ++++++------------------------------------ 1 file changed, 6 insertions(+), 43 deletions(-) diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index abd67f984fbc..2f89ac8fd5eb 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2015,10 +2015,8 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans) } } -static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) +static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - /* * We use writeback_inodes_sb here because if we used * btrfs_start_delalloc_roots we would deadlock with fs freeze. @@ -2028,50 +2026,15 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) * from already being in a transaction and our join_transaction doesn't * have to re-take the fs freeze lock. */ - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Flush dellaloc for any root that is going to be snapshotted. - * This is done to avoid a corrupted version of files, in the - * snapshots, that had both buffered and direct IO writes (even - * if they were done sequentially) due to an unordered update of - * the inode's size on disk. - */ - list_for_each_entry(pending, head, list) { - int ret; - - ret = btrfs_start_delalloc_snapshot(pending->root); - if (ret) - return ret; - } - } return 0; } -static inline void btrfs_wait_delalloc_flush(struct btrfs_trans_handle *trans) +static inline void btrfs_wait_delalloc_flush(struct btrfs_fs_info *fs_info) { - struct btrfs_fs_info *fs_info = trans->fs_info; - - if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { + if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); - } else { - struct btrfs_pending_snapshot *pending; - struct list_head *head = &trans->transaction->pending_snapshots; - - /* - * Wait for any dellaloc that we started previously for the roots - * that are going to be snapshotted. This is to avoid a corrupted - * version of files in the snapshots that had both buffered and - * direct IO writes (even if they were done sequentially). - */ - list_for_each_entry(pending, head, list) - btrfs_wait_ordered_extents(pending->root, - U64_MAX, 0, U64_MAX); - } } int btrfs_commit_transaction(struct btrfs_trans_handle *trans) @@ -2209,7 +2172,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) extwriter_counter_dec(cur_trans, trans->type); - ret = btrfs_start_delalloc_flush(trans); + ret = btrfs_start_delalloc_flush(fs_info); if (ret) goto cleanup_transaction; @@ -2225,7 +2188,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) if (ret) goto cleanup_transaction; - btrfs_wait_delalloc_flush(trans); + btrfs_wait_delalloc_flush(fs_info); /* * Wait for all ordered extents started by a fast fsync that joined this -- 2.39.2

2 3

[openeuler:OLK-5.10 7311/30000] kernel/workqueue.o: warning: objtool: pwq_dec_nr_in_flight()+0x441: unreachable instruction
by kernel test robot 01 Mar '24

01 Mar '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: ebba55154f6b47b476dbcd26c12f31ead8bcd4c6 commit: 003a421b04ba85abaf24a92736dc47f76fda0803 [7311/30000] disable OPTIMIZE_INLINING by default config: x86_64-buildonly-randconfig-001-20240226 (https://download.01.org/0day-ci/archive/20240301/202403011347.BSVD2waD-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240301/202403011347.BSVD2waD-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202403011347.BSVD2waD-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/workqueue.o: warning: objtool: pwq_dec_nr_in_flight()+0x441: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH v1 OLK-6.6 0/4] kworker: Fix the problem of ipsan performance degradation on ARM architecture
by jiangdongxu 01 Mar '24

01 Mar '24

From: shaodenghui <shaodenghui(a)huawei.com> When the current downstream FS tests IPSAN, it is found that the performance on ARM is much worse than that on X86, and the test data of IPSAN fluctuates greatly. After analysis, the reason is that when iscsi issues IO, the task is sent to kworker for processing by iscsi_xmitworker. The workqueue created by iscsi can automatically identify the CPU of the soft interrupt currently processed by iscsi, and automatically schedule the workqueue to the corresponding NUMA node. shaodenghui (3): iscsi: add member for NUMA aware order workqueue workqueue: implement NUMA affinity for single thread workqueue iscsi: use dynamic single thread workqueue to improve performance drivers/scsi/iscsi_tcp.c | 9 +++++++++ drivers/scsi/libiscsi.c | 17 ++++++++++++----- include/linux/workqueue.h | 1 + include/scsi/libiscsi.h | 1 + kernel/workqueue.c | 15 ++++++++++----- 5 files changed, 33 insertions(+), 10 deletions(-) -- 2.33.0

2 5

[PATCH v1 OLK-6.6 0/4] kworker: Fix the problem of ipsan performance degradation on ARM architecture
by jiangdongxu 01 Mar '24

01 Mar '24

From: shaodenghui <shaodenghui(a)huawei.com> When the current downstream FS tests IPSAN, it is found that the performance on ARM is much worse than that on X86, and the test data of IPSAN fluctuates greatly. After analysis, the reason is that when iscsi issues IO, the task is sent to kworker for processing by iscsi_xmitworker. The workqueue created by iscsi can automatically identify the CPU of the soft interrupt currently processed by iscsi, and automatically schedule the workqueue to the corresponding NUMA node. shaodenghui (3): iscsi: add member for NUMA aware order workqueue workqueue: implement NUMA affinity for single thread workqueue iscsi: use dynamic single thread workqueue to improve performance drivers/scsi/iscsi_tcp.c | 9 +++++++++ drivers/scsi/libiscsi.c | 17 ++++++++++++----- include/linux/workqueue.h | 1 + include/scsi/libiscsi.h | 1 + kernel/workqueue.c | 15 ++++++++++----- 5 files changed, 33 insertions(+), 10 deletions(-) -- 2.33.0

2 5

[openeuler:OLK-5.10 28950/30000] drivers/misc/virt_plat_dev.c:37:43: error: implicit declaration of function 'vp_get_irq_domain'; did you mean 'dev_get_msi_domain'?
by kernel test robot 01 Mar '24

01 Mar '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: ebba55154f6b47b476dbcd26c12f31ead8bcd4c6 commit: e4c0f18287a89cbdf34dffd6ac672d89e8add238 [28950/30000] virt_plat_dev: Register the virt platform device driver config: arm64-randconfig-001-20240301 (https://download.01.org/0day-ci/archive/20240301/202403011204.70tyD7AH-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240301/202403011204.70tyD7AH-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202403011204.70tyD7AH-lkp@intel.com/ All error/warnings (new ones prefixed by >>): drivers/misc/virt_plat_dev.c: In function 'virt_device_probe': >> drivers/misc/virt_plat_dev.c:37:43: error: implicit declaration of function 'vp_get_irq_domain'; did you mean 'dev_get_msi_domain'? [-Werror=implicit-function-declaration] 37 | struct irq_domain *vp_irqdomain = vp_get_irq_domain(); | ^~~~~~~~~~~~~~~~~ | dev_get_msi_domain >> drivers/misc/virt_plat_dev.c:37:43: warning: initialization of 'struct irq_domain *' from 'int' makes pointer from integer without a cast [-Wint-conversion] cc1: some warnings being treated as errors vim +37 drivers/misc/virt_plat_dev.c 31 32 static int virt_device_probe(struct platform_device *pdev) 33 { 34 struct msi_desc *desc; 35 unsigned int *drvdata = dev_get_drvdata(&pdev->dev); 36 unsigned int nvec = *drvdata; > 37 struct irq_domain *vp_irqdomain = vp_get_irq_domain(); 38 int ret; 39 40 if (!vp_irqdomain) 41 return -ENXIO; 42 43 virtdev_info("Allocate platform msi irqs nvecs: %d\n", nvec); 44 dev_set_msi_domain(&pdev->dev, vp_irqdomain); 45 46 ret = platform_msi_domain_alloc_irqs(&pdev->dev, nvec, 47 virt_write_msi_msg); 48 if (ret) { 49 pr_err("Allocate platform msi irqs failed %d\n", ret); 50 goto error; 51 } 52 53 virtdev_info("Allocate platform msi irqs succeed\n"); 54 for_each_msi_entry(desc, &pdev->dev) { 55 virtdev_info("Request irq %d\n", desc->irq); 56 ret = request_irq(desc->irq, virt_irq_handle, 0, 57 "virt_dev_host", pdev); 58 if (ret) { 59 pr_err("Request irq %d failed %d\n", desc->irq, ret); 60 goto error_free_irqs; 61 } 62 } 63 64 virtdev_info("Init virtual platform device driver successfully.\n"); 65 return 0; 66 67 error_free_irqs: 68 for_each_msi_entry(desc, &pdev->dev) 69 free_irq(desc->irq, pdev); 70 71 platform_msi_domain_free_irqs(&pdev->dev); 72 error: 73 return ret; 74 } 75 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] i2c: Fix a potential use after free
by Liu Chuang 01 Mar '24

01 Mar '24

From: Xu Wang <vulab(a)iscas.ac.cn> stable inclusion from stable-v4.19.307 commit 23a191b132cd87f746c62f3dc27da33683d85829 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I946KM CVE: CVE-2019-25162 Reference: https://git.kernel.org/stable/c/23a191b132cd87f746c62f3dc27da33683d85829 --------------------------------------------------------------- [ Upstream commit e4c72c06c367758a14f227c847f9d623f1994ecf ] Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 611e12ea0f12 ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") Signed-off-by: Xu Wang <vulab(a)iscas.ac.cn> [wsa: added comment to the code, added Fixes tag] Signed-off-by: Wolfram Sang <wsa(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/i2c/i2c-core-base.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index 2a43f4e46af0..9079be0d51d1 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -2273,8 +2273,9 @@ void i2c_put_adapter(struct i2c_adapter *adap) if (!adap) return; - put_device(&adap->dev); module_put(adap->owner); + /* Should be last, otherwise we risk use-after-free with 'adap' */ + put_device(&adap->dev); } EXPORT_SYMBOL(i2c_put_adapter); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] openvswitch: fix stack OOB read while fragmenting IPv4 packets
by Ziyang Xuan 01 Mar '24

01 Mar '24

From: Davide Caratti <dcaratti(a)redhat.com> stable inclusion from stable-v4.19.191 commit df9e900de24637be41879e2c50afb713ec4e8b2e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I949B7 CVE: CVE-2021-46955 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7c0ea5930c1c211931819d83cfb157bff1539a4c upstream. running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below. Fixes: d52e5a7e7ca4 ("ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmt") Cc: <stable(a)vger.kernel.org> Acked-by: Eelco Chaudron <echaudro(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/openvswitch/actions.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c index 9c68f3370302..7ac5f75e06a9 100644 --- a/net/openvswitch/actions.c +++ b/net/openvswitch/actions.c @@ -892,17 +892,17 @@ static void ovs_fragment(struct net *net, struct vport *vport, } if (key->eth.type == htons(ETH_P_IP)) { - struct dst_entry ovs_dst; + struct rtable ovs_rt = { 0 }; unsigned long orig_dst; prepare_frag(vport, skb, orig_network_offset, ovs_key_mac_proto(key)); - dst_init(&ovs_dst, &ovs_dst_ops, NULL, 1, + dst_init(&ovs_rt.dst, &ovs_dst_ops, NULL, 1, DST_OBSOLETE_NONE, DST_NOCOUNT); - ovs_dst.dev = vport->dev; + ovs_rt.dst.dev = vport->dev; orig_dst = skb->_skb_refdst; - skb_dst_set_noref(skb, &ovs_dst); + skb_dst_set_noref(skb, &ovs_rt.dst); IPCB(skb)->frag_max_size = mru; ip_do_fragment(net, skb->sk, skb, ovs_vport_output); -- 2.25.1

2 1

[PATCH OLK-5.10 0/8] arm64: String function updates
by liwei 01 Mar '24

01 Mar '24

Robin Murphy (4): arm64: Add assembly annotations for weak-PI-alias madness arm64: Import latest memcpy()/memmove() implementation arm64: Better optimised memchr() arm64: Rewrite __arch_clear_user() Sam Tebbs (4): arm64: Import latest version of Cortex Strings' memcmp arm64: Import latest version of Cortex Strings' strcmp arm64: Import updated version of Cortex Strings' strlen arm64: Import latest version of Cortex Strings' strncmp arch/arm64/include/asm/linkage.h | 8 + arch/arm64/lib/Makefile | 8 +- arch/arm64/lib/clear_user.S | 47 ++-- arch/arm64/lib/memchr.S | 65 ++++- arch/arm64/lib/memcmp.S | 346 +++++++++----------------- arch/arm64/lib/memcpy.S | 272 +++++++++++++++++---- arch/arm64/lib/memmove.S | 189 -------------- arch/arm64/lib/strcmp.S | 289 +++++++++------------- arch/arm64/lib/strlen.S | 258 +++++++++++++------- arch/arm64/lib/strncmp.S | 406 ++++++++++++++----------------- 10 files changed, 918 insertions(+), 970 deletions(-) delete mode 100644 arch/arm64/lib/memmove.S -- 2.25.1

2 9