- Kernel - mailweb.openeuler.org

[PATCH 1/2] xfs: always init fdblocks in mount
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Zheng Bin <zhengbin13(a)huawei.com> hulk inclusion category: bugfix bugzilla: 31088 CVE: NA --------------------------- Use fuzz(hydra) to test XFS and automatically generate tmp.img(XFS v5 format, but some metadata is wrong) xfs_repair information(just one AG): agf_freeblks 0, counted 3224 in ag 0 agf_longest 0, counted 3224 in ag 0 sb_fdblocks 3228, counted 3224 Test as follows: mount tmp.img tmpdir cp file1M tmpdir sync In 4.19-stable, sync will stuck, while in linux-next, sync not stuck. The reason is same to commit d0c7feaf8767 ("xfs: add agf freeblocks verify in xfs_agf_verify"), cause agf_longest is 0, we can not block this in xfs_agf_verify. Make sure fdblocks is always inited in mount(also init ifree, icount). xfs_mountfs xfs_check_summary_counts xfs_initialize_perag_data Signed-off-by: Zheng Bin <zhengbin13(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/xfs/libxfs/xfs_ag_resv.c | 11 +++++++---- fs/xfs/xfs_mount.c | 33 --------------------------------- 2 files changed, 7 insertions(+), 37 deletions(-) diff --git a/fs/xfs/libxfs/xfs_ag_resv.c b/fs/xfs/libxfs/xfs_ag_resv.c index e2ba2a3..4f099fc 100644 --- a/fs/xfs/libxfs/xfs_ag_resv.c +++ b/fs/xfs/libxfs/xfs_ag_resv.c @@ -309,10 +309,13 @@ } #ifdef DEBUG - /* need to read in the AGF for the ASSERT below to work */ - error = xfs_alloc_pagf_init(pag->pag_mount, tp, pag->pag_agno, 0); - if (error) - return error; + if (!pag->pagf_init) { + /* need to read in the AGF for the ASSERT below to work */ + error = xfs_alloc_pagf_init(pag->pag_mount, tp, + pag->pag_agno, 0); + if (error) + return error; + } ASSERT(xfs_perag_resv(pag, XFS_AG_RESV_METADATA)->ar_reserved + xfs_perag_resv(pag, XFS_AG_RESV_RMAPBT)->ar_reserved <= diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c index 02d1509..3af91e2 100644 --- a/fs/xfs/xfs_mount.c +++ b/fs/xfs/xfs_mount.c @@ -624,39 +624,6 @@ return -EFSCORRUPTED; } - /* - * Now the log is mounted, we know if it was an unclean shutdown or - * not. If it was, with the first phase of recovery has completed, we - * have consistent AG blocks on disk. We have not recovered EFIs yet, - * but they are recovered transactionally in the second recovery phase - * later. - * - * If the log was clean when we mounted, we can check the summary - * counters. If any of them are obviously incorrect, we can recompute - * them from the AGF headers in the next step. - */ - if (XFS_LAST_UNMOUNT_WAS_CLEAN(mp) && - (mp->m_sb.sb_fdblocks > mp->m_sb.sb_dblocks || - !xfs_verify_icount(mp, mp->m_sb.sb_icount) || - mp->m_sb.sb_ifree > mp->m_sb.sb_icount)) - mp->m_flags |= XFS_MOUNT_BAD_SUMMARY; - - /* - * We can safely re-initialise incore superblock counters from the - * per-ag data. These may not be correct if the filesystem was not - * cleanly unmounted, so we waited for recovery to finish before doing - * this. - * - * If the filesystem was cleanly unmounted or the previous check did - * not flag anything weird, then we can trust the values in the - * superblock to be correct and we don't need to do anything here. - * Otherwise, recalculate the summary counters. - */ - if ((!xfs_sb_version_haslazysbcount(&mp->m_sb) || - XFS_LAST_UNMOUNT_WAS_CLEAN(mp)) && - !(mp->m_flags & XFS_MOUNT_BAD_SUMMARY)) - return 0; - return xfs_initialize_perag_data(mp, mp->m_sb.sb_agcount); } -- 1.8.3

1 1

[PATCH] xfs: devirtualize ->sf_entsize and ->sf_nextentry
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-5.5-rc1 commit 50f6bb6b7aea8177110e55355c455f18912a7a73 category: bugfix bugzilla: 31596 CVE: NA --------------------------- Just check for file-type enabled directories directly. Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <darrick.wong(a)oracle.com> Signed-off-by: Darrick J. Wong <darrick.wong(a)oracle.com> Conflicts: fs/xfs/libxfs/xfs_dir2_priv.h fs/xfs/libxfs/xfs_dir2_sf.c fs/xfs/xfs_dir2_readdir.c [zb: since patch 84915e1bdddf, 707e0ddaf67e, e91ec882af21, 04df34ac6494 not merged, adjust code] Signed-off-by: Zheng Bin <zhengbin13(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/xfs/libxfs/xfs_da_format.c | 48 --------------------- fs/xfs/libxfs/xfs_dir2.h | 4 -- fs/xfs/libxfs/xfs_dir2_block.c | 2 +- fs/xfs/libxfs/xfs_dir2_priv.h | 2 + fs/xfs/libxfs/xfs_dir2_sf.c | 96 +++++++++++++++++++++++++----------------- fs/xfs/xfs_dir2_readdir.c | 7 +-- 6 files changed, 64 insertions(+), 95 deletions(-) diff --git a/fs/xfs/libxfs/xfs_da_format.c b/fs/xfs/libxfs/xfs_da_format.c index b39053d..39c2610 100644 --- a/fs/xfs/libxfs/xfs_da_format.c +++ b/fs/xfs/libxfs/xfs_da_format.c @@ -18,48 +18,6 @@ #include "xfs_dir2_priv.h" /* - * Shortform directory ops - */ -static int -xfs_dir2_sf_entsize( - struct xfs_dir2_sf_hdr *hdr, - int len) -{ - int count = sizeof(struct xfs_dir2_sf_entry); /* namelen + offset */ - - count += len; /* name */ - count += hdr->i8count ? XFS_INO64_SIZE : XFS_INO32_SIZE; /* ino # */ - return count; -} - -static int -xfs_dir3_sf_entsize( - struct xfs_dir2_sf_hdr *hdr, - int len) -{ - return xfs_dir2_sf_entsize(hdr, len) + sizeof(uint8_t); -} - -static struct xfs_dir2_sf_entry * -xfs_dir2_sf_nextentry( - struct xfs_dir2_sf_hdr *hdr, - struct xfs_dir2_sf_entry *sfep) -{ - return (struct xfs_dir2_sf_entry *) - ((char *)sfep + xfs_dir2_sf_entsize(hdr, sfep->namelen)); -} - -static struct xfs_dir2_sf_entry * -xfs_dir3_sf_nextentry( - struct xfs_dir2_sf_hdr *hdr, - struct xfs_dir2_sf_entry *sfep) -{ - return (struct xfs_dir2_sf_entry *) - ((char *)sfep + xfs_dir3_sf_entsize(hdr, sfep->namelen)); -} - - -/* * For filetype enabled shortform directories, the file type field is stored at * the end of the name. Because it's only a single byte, endian conversion is * not necessary. For non-filetype enable directories, the type is always @@ -692,8 +650,6 @@ } static const struct xfs_dir_ops xfs_dir2_ops = { - .sf_entsize = xfs_dir2_sf_entsize, - .sf_nextentry = xfs_dir2_sf_nextentry, .sf_get_ftype = xfs_dir2_sfe_get_ftype, .sf_put_ftype = xfs_dir2_sfe_put_ftype, .sf_get_ino = xfs_dir2_sfe_get_ino, @@ -742,8 +698,6 @@ }; static const struct xfs_dir_ops xfs_dir2_ftype_ops = { - .sf_entsize = xfs_dir3_sf_entsize, - .sf_nextentry = xfs_dir3_sf_nextentry, .sf_get_ftype = xfs_dir3_sfe_get_ftype, .sf_put_ftype = xfs_dir3_sfe_put_ftype, .sf_get_ino = xfs_dir3_sfe_get_ino, @@ -792,8 +746,6 @@ }; static const struct xfs_dir_ops xfs_dir3_ops = { - .sf_entsize = xfs_dir3_sf_entsize, - .sf_nextentry = xfs_dir3_sf_nextentry, .sf_get_ftype = xfs_dir3_sfe_get_ftype, .sf_put_ftype = xfs_dir3_sfe_put_ftype, .sf_get_ino = xfs_dir3_sfe_get_ino, diff --git a/fs/xfs/libxfs/xfs_dir2.h b/fs/xfs/libxfs/xfs_dir2.h index c3e3f6b..155bae5 100644 --- a/fs/xfs/libxfs/xfs_dir2.h +++ b/fs/xfs/libxfs/xfs_dir2.h @@ -30,10 +30,6 @@ * directory operations vector for encode/decode routines */ struct xfs_dir_ops { - int (*sf_entsize)(struct xfs_dir2_sf_hdr *hdr, int len); - struct xfs_dir2_sf_entry * - (*sf_nextentry)(struct xfs_dir2_sf_hdr *hdr, - struct xfs_dir2_sf_entry *sfep); uint8_t (*sf_get_ftype)(struct xfs_dir2_sf_entry *sfep); void (*sf_put_ftype)(struct xfs_dir2_sf_entry *sfep, uint8_t ftype); diff --git a/fs/xfs/libxfs/xfs_dir2_block.c b/fs/xfs/libxfs/xfs_dir2_block.c index 30ed591..fdcf6aa 100644 --- a/fs/xfs/libxfs/xfs_dir2_block.c +++ b/fs/xfs/libxfs/xfs_dir2_block.c @@ -1235,7 +1235,7 @@ static int xfs_dir2_block_lookup_int(xfs_da_args_t *args, struct xfs_buf **bpp, if (++i == sfp->count) sfep = NULL; else - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); } /* Done with the temporary buffer */ kmem_free(sfp); diff --git a/fs/xfs/libxfs/xfs_dir2_priv.h b/fs/xfs/libxfs/xfs_dir2_priv.h index 59f9fb2..655fb33 100644 --- a/fs/xfs/libxfs/xfs_dir2_priv.h +++ b/fs/xfs/libxfs/xfs_dir2_priv.h @@ -108,6 +108,8 @@ extern int xfs_dir2_free_read(struct xfs_trans *tp, struct xfs_inode *dp, xfs_dablk_t fbno, struct xfs_buf **bpp); /* xfs_dir2_sf.c */ +struct xfs_dir2_sf_entry *xfs_dir2_sf_nextentry(struct xfs_mount *mp, + struct xfs_dir2_sf_hdr *hdr, struct xfs_dir2_sf_entry *sfep); extern int xfs_dir2_block_sfsize(struct xfs_inode *dp, struct xfs_dir2_data_hdr *block, struct xfs_dir2_sf_hdr *sfhp); extern int xfs_dir2_block_to_sf(struct xfs_da_args *args, struct xfs_buf *bp, diff --git a/fs/xfs/libxfs/xfs_dir2_sf.c b/fs/xfs/libxfs/xfs_dir2_sf.c index 585dfdb..716c8c5 100644 --- a/fs/xfs/libxfs/xfs_dir2_sf.c +++ b/fs/xfs/libxfs/xfs_dir2_sf.c @@ -40,6 +40,31 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, static void xfs_dir2_sf_toino4(xfs_da_args_t *args); static void xfs_dir2_sf_toino8(xfs_da_args_t *args); +static int +xfs_dir2_sf_entsize( + struct xfs_mount *mp, + struct xfs_dir2_sf_hdr *hdr, + int len) +{ + int count = len; + + count += sizeof(struct xfs_dir2_sf_entry); /* namelen + offset */ + count += hdr->i8count ? XFS_INO64_SIZE : XFS_INO32_SIZE; /* ino # */ + + if (xfs_sb_version_hasftype(&mp->m_sb)) + count += sizeof(uint8_t); + return count; +} + +struct xfs_dir2_sf_entry * +xfs_dir2_sf_nextentry( + struct xfs_mount *mp, + struct xfs_dir2_sf_hdr *hdr, + struct xfs_dir2_sf_entry *sfep) +{ + return (void *)sfep + xfs_dir2_sf_entsize(mp, hdr, sfep->namelen); +} + /* * Given a block directory (dp/block), calculate its size as a shortform (sf) * directory and a header for the sf directory, if it will fit it the @@ -222,7 +247,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, dp->d_ops->sf_put_ftype(sfep, dp->d_ops->data_get_ftype(dep)); - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); } ptr += dp->d_ops->data_entsize(dep->namelen); } @@ -294,7 +319,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, /* * Compute entry (and change in) size. */ - incr_isize = dp->d_ops->sf_entsize(sfp, args->namelen); + incr_isize = xfs_dir2_sf_entsize(dp->i_mount, sfp, args->namelen); objchange = 0; /* @@ -367,18 +392,17 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_data_aoff_t offset, /* offset to use for new ent */ int new_isize) /* new directory size */ { + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int byteoff; /* byte offset in sf dir */ - xfs_inode_t *dp; /* incore directory inode */ xfs_dir2_sf_hdr_t *sfp; /* shortform structure */ - dp = args->dp; - sfp = (xfs_dir2_sf_hdr_t *)dp->i_df.if_u1.if_data; byteoff = (int)((char *)sfep - (char *)sfp); /* * Grow the in-inode space. */ - xfs_idata_realloc(dp, dp->d_ops->sf_entsize(sfp, args->namelen), + xfs_idata_realloc(dp, xfs_dir2_sf_entsize(mp, sfp, args->namelen), XFS_DATA_FORK); /* * Need to set up again due to realloc of the inode data. @@ -419,9 +443,10 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, int objchange, /* changing inode number size */ int new_isize) /* new directory size */ { + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int add_datasize; /* data size need for new ent */ char *buf; /* buffer for old */ - xfs_inode_t *dp; /* incore directory inode */ int eof; /* reached end of old dir */ int nbytes; /* temp for byte copies */ xfs_dir2_data_aoff_t new_offset; /* next offset value */ @@ -435,8 +460,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, /* * Copy the old directory to the stack buffer. */ - dp = args->dp; - sfp = (xfs_dir2_sf_hdr_t *)dp->i_df.if_u1.if_data; old_isize = (int)dp->i_d.di_size; buf = kmem_alloc(old_isize, KM_SLEEP); @@ -453,7 +476,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, eof = (char *)oldsfep == &buf[old_isize]; !eof; offset = new_offset + dp->d_ops->data_entsize(oldsfep->namelen), - oldsfep = dp->d_ops->sf_nextentry(oldsfp, oldsfep), + oldsfep = xfs_dir2_sf_nextentry(mp, oldsfp, oldsfep), eof = (char *)oldsfep == &buf[old_isize]) { new_offset = xfs_dir2_sf_get_offset(oldsfep); if (offset + add_datasize <= new_offset) @@ -491,7 +514,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, * If there's more left to copy, do that. */ if (!eof) { - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); memcpy(sfep, oldsfep, old_isize - nbytes); } kmem_free(buf); @@ -513,7 +536,8 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_entry_t **sfepp, /* out(1): new entry ptr */ xfs_dir2_data_aoff_t *offsetp) /* out(1): new offset */ { - xfs_inode_t *dp; /* incore directory inode */ + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int holefit; /* found hole it will fit in */ int i; /* entry number */ xfs_dir2_data_aoff_t offset; /* data block offset */ @@ -522,8 +546,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, int size; /* entry's data size */ int used; /* data bytes used */ - dp = args->dp; - sfp = (xfs_dir2_sf_hdr_t *)dp->i_df.if_u1.if_data; size = dp->d_ops->data_entsize(args->namelen); offset = dp->d_ops->data_first_offset; @@ -539,7 +561,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, holefit = offset + size <= xfs_dir2_sf_get_offset(sfep); offset = xfs_dir2_sf_get_offset(sfep) + dp->d_ops->data_entsize(sfep->namelen); - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); } /* * Calculate data bytes used excluding the new entry, if this @@ -598,7 +620,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep)) { + i++, sfep = xfs_dir2_sf_nextentry(dp->i_mount, sfp, sfep)) { ASSERT(xfs_dir2_sf_get_offset(sfep) >= offset); ino = dp->d_ops->sf_get_ino(sfp, sfep); i8count += ino > XFS_DIR2_MAX_SHORT_INUM; @@ -683,7 +705,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, * within the data buffer. The next entry starts after the * name component, so nextentry is an acceptable test. */ - next_sfep = dops->sf_nextentry(sfp, sfep); + next_sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); if (endp < (char *)next_sfep) return __this_address; @@ -782,7 +804,8 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_lookup( xfs_da_args_t *args) /* operation arguments */ { - xfs_inode_t *dp; /* incore directory inode */ + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int i; /* entry index */ int error; xfs_dir2_sf_entry_t *sfep; /* shortform directory entry */ @@ -793,7 +816,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, trace_xfs_dir2_sf_lookup(args); xfs_dir2_sf_check(args); - dp = args->dp; ASSERT(dp->i_df.if_flags & XFS_IFINLINE); /* @@ -831,7 +853,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, */ ci_sfep = NULL; for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep)) { + i++, sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep)) { /* * Compare name and if it's an exact match, return the inode * number. If it's the first case-insensitive match, store the @@ -867,8 +889,9 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_removename( xfs_da_args_t *args) { + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int byteoff; /* offset of removed entry */ - xfs_inode_t *dp; /* incore directory inode */ int entsize; /* this entry's size */ int i; /* shortform entry index */ int newsize; /* new inode size */ @@ -878,8 +901,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, trace_xfs_dir2_sf_removename(args); - dp = args->dp; - ASSERT(dp->i_df.if_flags & XFS_IFINLINE); oldsize = (int)dp->i_d.di_size; /* @@ -898,7 +919,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, * Find the one we're deleting. */ for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep)) { + i++, sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep)) { if (xfs_da_compname(args, sfep->name, sfep->namelen) == XFS_CMP_EXACT) { ASSERT(dp->d_ops->sf_get_ino(sfp, sfep) == @@ -915,7 +936,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, * Calculate sizes. */ byteoff = (int)((char *)sfep - (char *)sfp); - entsize = dp->d_ops->sf_entsize(sfp, args->namelen); + entsize = xfs_dir2_sf_entsize(mp, sfp, args->namelen); newsize = oldsize - entsize; /* * Copy the part if any after the removed entry, sliding it down. @@ -954,7 +975,8 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_replace( xfs_da_args_t *args) /* operation arguments */ { - xfs_inode_t *dp; /* incore directory inode */ + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; int i; /* entry index */ xfs_ino_t ino=0; /* entry old inode number */ int i8elevated; /* sf_toino8 set i8count=1 */ @@ -963,8 +985,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, trace_xfs_dir2_sf_replace(args); - dp = args->dp; - ASSERT(dp->i_df.if_flags & XFS_IFINLINE); /* * Bail out if the shortform directory is way too small. @@ -1020,7 +1040,7 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, */ else { for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep)) { + i++, sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep)) { if (xfs_da_compname(args, sfep->name, sfep->namelen) == XFS_CMP_EXACT) { ino = dp->d_ops->sf_get_ino(sfp, sfep); @@ -1079,8 +1099,9 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_toino4( xfs_da_args_t *args) /* operation arguments */ { + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; char *buf; /* old dir's buffer */ - xfs_inode_t *dp; /* incore directory inode */ int i; /* entry index */ int newsize; /* new inode size */ xfs_dir2_sf_entry_t *oldsfep; /* old sf entry */ @@ -1091,8 +1112,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, trace_xfs_dir2_sf_toino4(args); - dp = args->dp; - /* * Copy the old directory to the buffer. * Then nuke it from the inode, and add the new buffer to the inode. @@ -1126,8 +1145,8 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp), oldsfep = xfs_dir2_sf_firstentry(oldsfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep), - oldsfep = dp->d_ops->sf_nextentry(oldsfp, oldsfep)) { + i++, sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep), + oldsfep = xfs_dir2_sf_nextentry(mp, oldsfp, oldsfep)) { sfep->namelen = oldsfep->namelen; memcpy(sfep->offset, oldsfep->offset, sizeof(sfep->offset)); memcpy(sfep->name, oldsfep->name, sfep->namelen); @@ -1152,8 +1171,9 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, xfs_dir2_sf_toino8( xfs_da_args_t *args) /* operation arguments */ { + struct xfs_inode *dp = args->dp; + struct xfs_mount *mp = dp->i_mount; char *buf; /* old dir's buffer */ - xfs_inode_t *dp; /* incore directory inode */ int i; /* entry index */ int newsize; /* new inode size */ xfs_dir2_sf_entry_t *oldsfep; /* old sf entry */ @@ -1164,8 +1184,6 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, trace_xfs_dir2_sf_toino8(args); - dp = args->dp; - /* * Copy the old directory to the buffer. * Then nuke it from the inode, and add the new buffer to the inode. @@ -1199,8 +1217,8 @@ static int xfs_dir2_sf_addname_pick(xfs_da_args_t *args, int objchange, for (i = 0, sfep = xfs_dir2_sf_firstentry(sfp), oldsfep = xfs_dir2_sf_firstentry(oldsfp); i < sfp->count; - i++, sfep = dp->d_ops->sf_nextentry(sfp, sfep), - oldsfep = dp->d_ops->sf_nextentry(oldsfp, oldsfep)) { + i++, sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep), + oldsfep = xfs_dir2_sf_nextentry(mp, oldsfp, oldsfep)) { sfep->namelen = oldsfep->namelen; memcpy(sfep->offset, oldsfep->offset, sizeof(sfep->offset)); memcpy(sfep->name, oldsfep->name, sfep->namelen); diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c index 5142e64..2ae98c2 100644 --- a/fs/xfs/xfs_dir2_readdir.c +++ b/fs/xfs/xfs_dir2_readdir.c @@ -50,6 +50,7 @@ { int i; /* shortform entry number */ struct xfs_inode *dp = args->dp; /* incore directory inode */ + struct xfs_mount *mp = dp->i_mount; xfs_dir2_dataptr_t off; /* current entry's offset */ xfs_dir2_sf_entry_t *sfep; /* shortform directory entry */ xfs_dir2_sf_hdr_t *sfp; /* shortform structure */ @@ -111,7 +112,7 @@ xfs_dir2_sf_get_offset(sfep)); if (ctx->pos > off) { - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); continue; } @@ -119,9 +120,9 @@ filetype = dp->d_ops->sf_get_ftype(sfep); ctx->pos = off & 0x7fffffff; if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino, - xfs_dir3_get_dtype(dp->i_mount, filetype))) + xfs_dir3_get_dtype(mp, filetype))) return 0; - sfep = dp->d_ops->sf_nextentry(sfp, sfep); + sfep = xfs_dir2_sf_nextentry(mp, sfp, sfep); } ctx->pos = xfs_dir2_db_off_to_dataptr(geo, geo->datablk + 1, 0) & -- 1.8.3

1 0

[PATCH 1/2] block: delete part_round_stats and switch to less precise counting
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-5.0-rc1 commit 5b18b5a737600fd20ba2045f320d5926ebbf341a category: bugfix bugzilla: 31388 CVE: NA --------------------------- We want to convert to per-cpu in_flight counters. The function part_round_stats needs the in_flight counter every jiffy, it would be too costly to sum all the percpu variables every jiffy, so it must be deleted. part_round_stats is used to calculate two counters - time_in_queue and io_ticks. time_in_queue can be calculated without part_round_stats, by adding the duration of the I/O when the I/O ends (the value is almost as exact as the previously calculated value, except that time for in-progress I/Os is not counted). io_ticks can be approximated by increasing the value when I/O is started or ended and the jiffies value has changed. If the I/Os take less than a jiffy, the value is as exact as the previously calculated value. If the I/Os take more than a jiffy, io_ticks can drift behind the previously calculated value. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflict: block/bio.c block/blk-core.c block/blk-merge.c block/genhd.c include/linux/genhd.h Signed-off-by: Yufen Yu <yuyufen(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- block/bio.c | 23 ++++++++++++++++++++--- block/blk-core.c | 6 ++++-- block/blk-merge.c | 1 - block/genhd.c | 4 ---- block/partition-generic.c | 4 ---- include/linux/genhd.h | 1 + 6 files changed, 25 insertions(+), 14 deletions(-) diff --git a/block/bio.c b/block/bio.c index 3d7570553..48a8cf5 100644 --- a/block/bio.c +++ b/block/bio.c @@ -1668,13 +1668,28 @@ void bio_check_pages_dirty(struct bio *bio) } EXPORT_SYMBOL_GPL(bio_check_pages_dirty); +void update_io_ticks(int cpu, struct hd_struct *part, unsigned long now) +{ + unsigned long stamp; +again: + stamp = READ_ONCE(part->stamp); + if (unlikely(stamp != now)) { + if (likely(cmpxchg(&part->stamp, stamp, now) == stamp)) + __part_stat_add(cpu, part, io_ticks, 1); + } + if (part->partno) { + part = &part_to_disk(part)->part0; + goto again; + } +} + void generic_start_io_acct(struct request_queue *q, int op, unsigned long sectors, struct hd_struct *part) { const int sgrp = op_stat_group(op); int cpu = part_stat_lock(); - part_round_stats(q, cpu, part); + update_io_ticks(cpu, part, jiffies); part_stat_inc(cpu, part, ios[sgrp]); part_stat_add(cpu, part, sectors[sgrp], sectors); part_inc_in_flight(q, part, op_is_write(op)); @@ -1686,12 +1701,14 @@ void generic_start_io_acct(struct request_queue *q, int op, void generic_end_io_acct(struct request_queue *q, int req_op, struct hd_struct *part, unsigned long start_time) { - unsigned long duration = jiffies - start_time; + unsigned long now = jiffies; + unsigned long duration = now - start_time; const int sgrp = op_stat_group(req_op); int cpu = part_stat_lock(); + update_io_ticks(cpu, part, now); part_stat_add(cpu, part, nsecs[sgrp], jiffies_to_nsecs(duration)); - part_round_stats(q, cpu, part); + part_stat_add(cpu, part, time_in_queue, duration); part_dec_in_flight(q, part, op_is_write(req_op)); part_stat_unlock(); diff --git a/block/blk-core.c b/block/blk-core.c index b64dec2..d9e3ee6 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -2740,9 +2740,10 @@ void blk_account_io_done(struct request *req, u64 now) cpu = part_stat_lock(); part = req->part; + update_io_ticks(cpu, part, jiffies); part_stat_inc(cpu, part, ios[sgrp]); part_stat_add(cpu, part, nsecs[sgrp], now - req->start_time_ns); - part_round_stats(req->q, cpu, part); + part_stat_add(cpu, part, time_in_queue, nsecs_to_jiffies64(now - req->start_time_ns)); part_dec_in_flight(req->q, part, rq_data_dir(req)); hd_struct_put(part); @@ -2790,11 +2791,12 @@ void blk_account_io_start(struct request *rq, bool new_io) part_stat_inc(cpu, part, merges[rw]); } else { part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq)); - part_round_stats(rq->q, cpu, part); part_inc_in_flight(rq->q, part, rw); rq->part = part; } + update_io_ticks(cpu, part, jiffies); + part_stat_unlock(); } diff --git a/block/blk-merge.c b/block/blk-merge.c index 7efa8c3..044bff9 100644 --- a/block/blk-merge.c +++ b/block/blk-merge.c @@ -656,7 +656,6 @@ static void blk_account_io_merge(struct request *req) cpu = part_stat_lock(); part = req->part; - part_round_stats(req->q, cpu, part); part_dec_in_flight(req->q, part, rq_data_dir(req)); hd_struct_put(part); diff --git a/block/genhd.c b/block/genhd.c index ff9d46d..862a2f3 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -1342,7 +1342,6 @@ static int diskstats_show(struct seq_file *seqf, void *v) struct hd_struct *hd; char buf[BDEVNAME_SIZE]; unsigned int inflight[2]; - int cpu; /* if (&disk_to_dev(gp)->kobj.entry == block_class.devices.next) @@ -1354,9 +1353,6 @@ static int diskstats_show(struct seq_file *seqf, void *v) disk_part_iter_init(&piter, gp, DISK_PITER_INCL_EMPTY_PART0); while ((hd = disk_part_iter_next(&piter))) { - cpu = part_stat_lock(); - part_round_stats(gp->queue, cpu, hd); - part_stat_unlock(); part_in_flight(gp->queue, hd, inflight); seq_printf(seqf, "%4d %7d %s " "%lu %lu %lu %u " diff --git a/block/partition-generic.c b/block/partition-generic.c index 8ad6dca..d86d794 100644 --- a/block/partition-generic.c +++ b/block/partition-generic.c @@ -121,11 +121,7 @@ ssize_t part_stat_show(struct device *dev, struct hd_struct *p = dev_to_part(dev); struct request_queue *q = part_to_disk(p)->queue; unsigned int inflight[2]; - int cpu; - cpu = part_stat_lock(); - part_round_stats(q, cpu, p); - part_stat_unlock(); part_in_flight(q, p, inflight); return sprintf(buf, "%8lu %8lu %8llu %8u " diff --git a/include/linux/genhd.h b/include/linux/genhd.h index df0d01d..666b23a 100644 --- a/include/linux/genhd.h +++ b/include/linux/genhd.h @@ -422,6 +422,7 @@ static inline void free_part_info(struct hd_struct *part) /* block/blk-core.c */ extern void part_round_stats(struct request_queue *q, int cpu, struct hd_struct *part); +void update_io_ticks(int cpu, struct hd_struct *part, unsigned long now); /* block/genhd.c */ extern void device_add_disk(struct device *parent, struct gendisk *disk); -- 1.8.3

1 1

[PATCH] CIFS: Fix bug which the return value by asynchronous read is error
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Yilu Lin <linyilu(a)huawei.com> hulk inclusion category: bugfix bugzilla: 31384 CVE: NA ------------------------------------------------- This patch is used to fix the bug in collect_uncached_read_data() that rc is automatically converted from a signed number to an unsigned number when the CIFS asynchronous read fails. It will cause ctx->rc is error. Example: Share a directory and create a file on the Windows OS. Mount the directory to the Linux OS using CIFS. On the CIFS client of the Linux OS, invoke the pread interface to deliver the read request. The size of the read length plus offset of the read request is greater than the maximum file size. In this case, the CIFS server on the Windows OS returns a failure message (for example, the return value of smb2.nt_status is STATUS_INVALID_PARAMETER). After receiving the response message, the CIFS client parses smb2.nt_status to STATUS_INVALID_PARAMETER and converts it to the Linux error code (rdata->result=-22). Then the CIFS client invokes the collect_uncached_read_data function to assign the value of rdata->result to rc, that is, rc=rdata->result=-22. The type of the ctx->total_len variable is unsigned integer, the type of the rc variable is integer, and the type of the ctx->rc variable is ssize_t. Therefore, during the ternary operation, the value of rc is automatically converted to an unsigned number. The final result is ctx->rc=4294967274. However, the expected result is ctx->rc=-22. https://patchwork.kernel.org/patch/11444477/ Signed-off-by: Yilu Lin <linyilu(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/cifs/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/cifs/file.c b/fs/cifs/file.c index e92513e..23b1098 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -3347,7 +3347,7 @@ ssize_t cifs_user_writev(struct kiocb *iocb, struct iov_iter *from) if (rc == -ENODATA) rc = 0; - ctx->rc = (rc == 0) ? ctx->total_len : rc; + ctx->rc = (rc == 0) ? (ssize_t)ctx->total_len : rc; mutex_unlock(&ctx->aio_mutex); -- 1.8.3

1 0

[PATCH 1/2] net/hinic: slove the problem that VF may be disconnected when vm reboot and receive lots of broadcast packets.
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Shaozhengchao <shaozhengchao(a)huawei.com> driver inclusion category:bugfix bugzilla:4472 CVE:NA ----------------------------------------------------------------------- slove the problem that VF may be disconnected when vm reboot and receive lots of broadcast packets. When vm is rebooting, VF receives lots of broadcast packects and VF may be disconnected. VF receives broadcast packect and VF driver will clear INTR_ON flag in setting msix process. Then VF driver will not enable interrupt if INTR_ON flag is set. As a result, VF will not process any hadware interrpt. In order to solve this problem, VF driver should be enable the interrpt first and then set msix state. Signed-off-by: Shaozhengchao <shaozhengchao(a)huawei.com> Reviewed-by: Luoshaokai <luoshaokai(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/net/ethernet/huawei/hinic/hinic_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c index 9b53a6f..b6da9fe 100644 --- a/drivers/net/ethernet/huawei/hinic/hinic_main.c +++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c @@ -759,6 +759,8 @@ static int hinic_qps_irq_init(struct hinic_nic_dev *nic_dev) goto req_tx_irq_err; } + set_bit(HINIC_INTR_ON, &irq_cfg->intr_flag); + err = hinic_request_irq(irq_cfg, q_id); if (err) { nicif_err(nic_dev, drv, nic_dev->netdev, "Failed to request Rx irq\n"); @@ -768,7 +770,6 @@ static int hinic_qps_irq_init(struct hinic_nic_dev *nic_dev) hinic_set_msix_state(nic_dev->hwdev, irq_cfg->msix_entry_idx, HINIC_MSIX_ENABLE); - set_bit(HINIC_INTR_ON, &irq_cfg->intr_flag); } INIT_DELAYED_WORK(&nic_dev->moderation_task, -- 1.8.3

1 1

[PATCH] openeuler/config: disable CONFIG_EFI_VARS
by Yang Yingliang 18 Mar '20

18 Mar '20

From: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hulk inclusion category: config bugzilla: 31390 CVE: NA Accessing sysfs-efivars interface '/sys/firmware/efi/vars' may have some problem. We can access the new efivarfs interface '/sys/firmware/efi/efivars' instead. So disable CONFIG_EFI_VARS and keep CONFIG_EFIVAR_FS enabled. Link: https://gitee.com/openeuler/kernel/issues/I1BN57 Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Reviewed-by: Xie XiuQi <xiexiuqi(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index a024ce2..9e6f560 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -580,10 +580,8 @@ CONFIG_HAVE_ARM_SMCCC=y # # EFI (Extensible Firmware Interface) Support # -CONFIG_EFI_VARS=y +#CONFIG_EFI_VARS is not set CONFIG_EFI_ESRT=y -CONFIG_EFI_VARS_PSTORE=y -CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_PARAMS_FROM_FDT=y CONFIG_EFI_RUNTIME_WRAPPERS=y CONFIG_EFI_ARMSTUB=y -- 1.8.3

1 0

[PATCH] pagecache: support percpu refcount to imporve performance
by Yang Yingliang 17 Mar '20

17 Mar '20

From: Yunfeng Ye <yeyunfeng(a)huawei.com> euleros inclusion category: feature feature: pagecache percpu refcount bugzilla: 31398 CVE: NA ------------------------------------------------- The pagecache manages the file physical pages, and the life cycle of page is managed by atomic counting. With the increasing number of cpu cores, the cost of atomic counting is very large when reading file pagecaches at large concurrent. For example, when running nginx http application, the biggest hotspot is found in the atomic operation of find_get_entry(): 11.94% [kernel] [k] find_get_entry 7.45% [kernel] [k] do_tcp_sendpages 6.12% [kernel] [k] generic_file_buffered_read So we using the percpu refcount mechanism to fix this problem. and the test result show that the read performance of nginx http can be improved by 100%： worker original(requests/sec) percpu(requests/sec) imporve 64 759656.87 1627088.95 114.2% Notes: we use page->lru to save percpu information, so the pages with percpu attribute will not be recycled by memory recycling process, we should avoid grow the file size unlimited. Signed-off-by: Yunfeng Ye <yeyunfeng(a)huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/fcntl.c | 20 ++++++++++++ include/linux/mm.h | 23 +++++++++++++ include/linux/page-flags.h | 2 ++ include/linux/page_ref.h | 11 +++++++ include/linux/pagemap.h | 24 ++++++++++++++ include/trace/events/mmflags.h | 3 +- include/uapi/linux/fcntl.h | 2 ++ mm/filemap.c | 74 ++++++++++++++++++++++++++++++++++++++++-- mm/swap.c | 2 ++ 9 files changed, 158 insertions(+), 3 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index 4137d96..0c70a8e 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -29,6 +29,7 @@ #include <linux/poll.h> #include <asm/siginfo.h> #include <linux/uaccess.h> +#include <linux/pagemap.h> #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME) @@ -319,6 +320,22 @@ static long fcntl_rw_hint(struct file *file, unsigned int cmd, } } +static long fcntl_mapping_percpu(struct file *filp, unsigned int cmd, + unsigned long arg) +{ + struct address_space *mapping = filp->f_mapping; + unsigned long flag = arg; + + if (!mapping) + return -EINVAL; + + if (flag) + mapping_set_percpu_ref(mapping); + else + mapping_clear_percpu_ref(mapping); + return 0; +} + static long do_fcntl(int fd, unsigned int cmd, unsigned long arg, struct file *filp) { @@ -426,6 +443,9 @@ static long do_fcntl(int fd, unsigned int cmd, unsigned long arg, case F_SET_FILE_RW_HINT: err = fcntl_rw_hint(filp, cmd, arg); break; + case F_MAPPING_PERCPU: + err = fcntl_mapping_percpu(filp, cmd, arg); + break; default: break; } diff --git a/include/linux/mm.h b/include/linux/mm.h index 65d91b1..0e173a4 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -528,6 +528,10 @@ static inline int pgd_devmap(pgd_t pgd) static inline int put_page_testzero(struct page *page) { VM_BUG_ON_PAGE(page_ref_count(page) == 0, page); + if (PagePercpuRef(page)) { + percpu_ref_put(page_percpu_ref(page)); + return 0; + } return page_ref_dec_and_test(page); } @@ -539,6 +543,10 @@ static inline int put_page_testzero(struct page *page) */ static inline int get_page_unless_zero(struct page *page) { + if (PagePercpuRef(page)) { + percpu_ref_get(page_percpu_ref(page)); + return true; + } return page_ref_add_unless(page, 1, 0); } @@ -928,6 +936,11 @@ static inline bool is_device_public_page(const struct page *page) static inline void get_page(struct page *page) { page = compound_head(page); + + if (PagePercpuRef(page)) { + percpu_ref_get(page_percpu_ref(page)); + return; + } /* * Getting a normal page or the head of a compound page * requires to already have an elevated page->_refcount. @@ -939,6 +952,11 @@ static inline void get_page(struct page *page) static inline __must_check bool try_get_page(struct page *page) { page = compound_head(page); + + if (PagePercpuRef(page)) { + percpu_ref_get(page_percpu_ref(page)); + return true; + } if (WARN_ON_ONCE(page_ref_count(page) <= 0)) return false; page_ref_inc(page); @@ -949,6 +967,11 @@ static inline void put_page(struct page *page) { page = compound_head(page); + if (PagePercpuRef(page)) { + percpu_ref_put(page_percpu_ref(page)); + return; + } + /* * For devmap managed pages we need to catch refcount transition from * 2 to 1, when refcount reach one it means the page is free and we diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index 3f066ce..7eb776a 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -101,6 +101,7 @@ enum pageflags { PG_young, PG_idle, #endif + PG_percpu_ref, __NR_PAGEFLAGS, /* Filesystems */ @@ -385,6 +386,7 @@ static inline bool set_hwpoison_free_buddy_page(struct page *page) TESTCLEARFLAG(Young, young, PF_ANY) PAGEFLAG(Idle, idle, PF_ANY) #endif +PAGEFLAG(PercpuRef, percpu_ref, PF_ANY) /* * On an anonymous page mapped into a user virtual memory area, diff --git a/include/linux/page_ref.h b/include/linux/page_ref.h index 14d14be..3deab40 100644 --- a/include/linux/page_ref.h +++ b/include/linux/page_ref.h @@ -180,4 +180,15 @@ static inline void page_ref_unfreeze(struct page *page, int count) __page_ref_unfreeze(page, count); } +static inline struct percpu_ref *page_percpu_ref(struct page *page) +{ + return *(struct percpu_ref **)&page->lru; +} + +static inline void page_set_percpu_ref(struct page *page, + struct percpu_ref *ref) +{ + *(struct percpu_ref **)&page->lru = ref; +} + #endif diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h index 520627f..e889d99 100644 --- a/include/linux/pagemap.h +++ b/include/linux/pagemap.h @@ -29,6 +29,7 @@ enum mapping_flags { AS_EXITING = 4, /* final truncate in progress */ /* writeback related tags are not used */ AS_NO_WRITEBACK_TAGS = 5, + AS_PERCPU_REF = 6, /* percpu ref counter for special inode */ }; /** @@ -97,6 +98,21 @@ static inline int mapping_use_writeback_tags(struct address_space *mapping) return !test_bit(AS_NO_WRITEBACK_TAGS, &mapping->flags); } +static inline void mapping_set_percpu_ref(struct address_space *mapping) +{ + set_bit(AS_PERCPU_REF, &mapping->flags); +} + +static inline void mapping_clear_percpu_ref(struct address_space *mapping) +{ + clear_bit(AS_PERCPU_REF, &mapping->flags); +} + +static inline int mapping_percpu_ref(struct address_space *mapping) +{ + return test_bit(AS_PERCPU_REF, &mapping->flags); +} + static inline gfp_t mapping_gfp_mask(struct address_space * mapping) { return mapping->gfp_mask; @@ -170,6 +186,10 @@ static inline int page_cache_get_speculative(struct page *page) # ifdef CONFIG_PREEMPT_COUNT VM_BUG_ON(!in_atomic() && !irqs_disabled()); # endif + if (PagePercpuRef(page)) { + percpu_ref_get(page_percpu_ref(page)); + return 1; + } /* * Preempt must be disabled here - we rely on rcu_read_lock doing * this for us. @@ -183,6 +203,10 @@ static inline int page_cache_get_speculative(struct page *page) page_ref_inc(page); #else + if (PagePercpuRef(page)) { + percpu_ref_get(page_percpu_ref(page)); + return 1; + } if (unlikely(!get_page_unless_zero(page))) { /* * Either the page has been freed, or will be freed. diff --git a/include/trace/events/mmflags.h b/include/trace/events/mmflags.h index a81cffb..2994f1c 100644 --- a/include/trace/events/mmflags.h +++ b/include/trace/events/mmflags.h @@ -104,7 +104,8 @@ IF_HAVE_PG_UNCACHED(PG_uncached, "uncached" ) \ IF_HAVE_PG_HWPOISON(PG_hwpoison, "hwpoison" ) \ IF_HAVE_PG_IDLE(PG_young, "young" ) \ -IF_HAVE_PG_IDLE(PG_idle, "idle" ) +IF_HAVE_PG_IDLE(PG_idle, "idle"), \ + {1UL << PG_percpu_ref, "percpu_ref" } #define show_page_flags(flags) \ (flags) ? __print_flags(flags, "|", \ diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 6448cdd..6dcddf7 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -53,6 +53,8 @@ #define F_GET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 13) #define F_SET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 14) +#define F_MAPPING_PERCPU (F_LINUX_SPECIFIC_BASE + 15) + /* * Valid hint values for F_{GET,SET}_RW_HINT. 0 is "not set", or can be * used to clear any hints previously set. diff --git a/mm/filemap.c b/mm/filemap.c index c56c419..8a8bf78 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -48,6 +48,66 @@ #include <asm/mman.h> +struct percpu_page { + struct percpu_ref ref; + struct page *page; +}; + +static void free_page_ref(struct percpu_ref *ref) +{ + struct percpu_page *p = (struct percpu_page *)ref; + struct page *page = p->page; + + percpu_ref_exit(ref); + kfree(page_percpu_ref(page)); + page_set_percpu_ref(page, NULL); + + ClearPagePercpuRef(page); + /* really free the page */ + put_page(page); +} + +static void page_cache_init(struct address_space *mapping, struct page *page) +{ + struct percpu_page *p; + + if (!mapping_percpu_ref(mapping)) + return; + + p = kzalloc(sizeof(struct percpu_page), GFP_KERNEL); + if (!p) + return; + if (percpu_ref_init(&p->ref, free_page_ref, 0, GFP_KERNEL)) + goto err; + + p->page = page; + page_set_percpu_ref(page, &p->ref); + SetPagePercpuRef(page); + get_page(page); + return; +err: + kfree(p); +} + +static void page_cache_exit(struct page *page) +{ + if (!PagePercpuRef(page)) + return; + + put_page(page); + ClearPagePercpuRef(page); + percpu_ref_exit(page_percpu_ref(page)); + kfree(page_percpu_ref(page)); + page_set_percpu_ref(page, NULL); +} + +static void page_cache_kill(struct page *page) +{ + if (!PagePercpuRef(page)) + return; + percpu_ref_kill(page_percpu_ref(page)); +} + /* * Shared mappings implemented 30.11.1994. It's not fully working yet, * though. @@ -264,6 +324,7 @@ void __delete_from_page_cache(struct page *page, void *shadow) unaccount_page_cache_page(mapping, page); page_cache_tree_delete(mapping, page, shadow); + page_cache_kill(page); } static void page_cache_free_page(struct address_space *mapping, @@ -384,8 +445,10 @@ void delete_from_page_cache_batch(struct address_space *mapping, page_cache_tree_delete_batch(mapping, pvec); xa_unlock_irqrestore(&mapping->i_pages, flags); - for (i = 0; i < pagevec_count(pvec); i++) + for (i = 0; i < pagevec_count(pvec); i++) { + page_cache_kill(pvec->pages[i]); page_cache_free_page(mapping, pvec->pages[i]); + } } int filemap_check_errors(struct address_space *mapping) @@ -966,7 +1029,8 @@ int add_to_page_cache_lru(struct page *page, struct address_space *mapping, workingset_activation(page); } else ClearPageActive(page); - lru_cache_add(page); + if (!PagePercpuRef(page)) + lru_cache_add(page); } return ret; } @@ -1630,8 +1694,10 @@ struct page *pagecache_get_page(struct address_space *mapping, pgoff_t offset, if (fgp_flags & FGP_ACCESSED) __SetPageReferenced(page); + page_cache_init(mapping, page); err = add_to_page_cache_lru(page, mapping, offset, gfp_mask); if (unlikely(err)) { + page_cache_exit(page); put_page(page); page = NULL; if (err == -EEXIST) @@ -2320,9 +2386,11 @@ static ssize_t generic_file_buffered_read(struct kiocb *iocb, error = -ENOMEM; goto out; } + page_cache_init(mapping, page); error = add_to_page_cache_lru(page, mapping, index, mapping_gfp_constraint(mapping, GFP_KERNEL)); if (error) { + page_cache_exit(page); put_page(page); if (error == -EEXIST) { error = 0; @@ -2837,8 +2905,10 @@ static struct page *do_read_cache_page(struct address_space *mapping, page = __page_cache_alloc(gfp); if (!page) return ERR_PTR(-ENOMEM); + page_cache_init(mapping, page); err = add_to_page_cache_lru(page, mapping, index, gfp); if (unlikely(err)) { + page_cache_exit(page); put_page(page); if (err == -EEXIST) goto repeat; diff --git a/mm/swap.c b/mm/swap.c index 45fdbfb..320ac35 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -372,6 +372,8 @@ static void __lru_cache_activate_page(struct page *page) void mark_page_accessed(struct page *page) { page = compound_head(page); + if (PagePercpuRef(page)) + return; if (!PageActive(page) && !PageUnevictable(page) && PageReferenced(page)) { -- 1.8.3

1 0

[PATCH] arm64: mm: support setting page attributes for debugging
by Yang Yingliang 17 Mar '20

17 Mar '20

From: Yunfeng Ye <yeyunfeng(a)huawei.com> euleros inclusion category: feature feature: Memory debug feature ------------------------------------------------- When pagealloc debug is enabled, block mappings or contiguous hints are no longer used for linear address area. Therefore, support setting page attributes in this case is useful for debugging memory corruption problems. Signed-off-by: Yunfeng Ye <yeyunfeng(a)huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- arch/arm64/mm/pageattr.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index a5635937..3e398d0 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c @@ -87,8 +87,16 @@ static int change_memory_common(unsigned long addr, int numpages, area = find_vm_area((void *)addr); if (!area || end > (unsigned long)area->addr + area->size || - !(area->flags & VM_ALLOC)) + !(area->flags & VM_ALLOC)) { + /* + * When pagealloc debug is enabled, the linear address is + * mapped with NO_BLOCK_MAPPINGS and NO_CONT_MAPPINGS flags. + */ + if (numpages && debug_pagealloc_enabled()) + return __change_memory_common(start, size, + set_mask, clear_mask); return -EINVAL; + } if (!numpages) return 0; -- 1.8.3

1 0

[PATCH] staging: android: ashmem: Disallow ashmem memory from being remapped
by Yang Yingliang 16 Mar '20

16 Mar '20

From: Suren Baghdasaryan <surenb(a)google.com> commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream. When ashmem file is mmapped, the resulting vma->vm_file points to the backing shmem file with the generic fops that do not check ashmem permissions like fops of ashmem do. If an mremap is done on the ashmem region, then the permission checks will be skipped. Fix that by disallowing mapping operation on the backing shmem file. Reported-by: Jann Horn <jannh(a)google.com> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: stable <stable(a)vger.kernel.org> # 4.4,4.9,4.14,4.18,5.4 Signed-off-by: Todd Kjos <tkjos(a)google.com> Reviewed-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index be81533..e3df4bf 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -350,8 +350,23 @@ static inline vm_flags_t calc_vm_may_flags(unsigned long prot) _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC); } +static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma) +{ + /* do not allow to mmap ashmem backing shmem file directly */ + return -EPERM; +} + +static unsigned long +ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr, + unsigned long len, unsigned long pgoff, + unsigned long flags) +{ + return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); +} + static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) { + static struct file_operations vmfile_fops; struct ashmem_area *asma = file->private_data; int ret = 0; @@ -392,6 +407,19 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) } vmfile->f_mode |= FMODE_LSEEK; asma->file = vmfile; + /* + * override mmap operation of the vmfile so that it can't be + * remapped which would lead to creation of a new vma with no + * asma permission checks. Have to override get_unmapped_area + * as well to prevent VM_BUG_ON check for f_ops modification. + */ + if (!vmfile_fops.mmap) { + vmfile_fops = *vmfile->f_op; + vmfile_fops.mmap = ashmem_vmfile_mmap; + vmfile_fops.get_unmapped_area = + ashmem_vmfile_get_unmapped_area; + } + vmfile->f_op = &vmfile_fops; } get_file(asma->file); -- 1.8.3

1 0

[PATCH 0/2] more fixes about CVE-2020-8648
by Yang Yingliang 16 Mar '20

16 Mar '20

Jiri Slaby (2): vt: selection, push console lock down vt: selection, push sel_lock up drivers/tty/vt/selection.c | 27 ++++++++++++++++++--------- drivers/tty/vt/vt.c | 2 -- 2 files changed, 18 insertions(+), 11 deletions(-) -- 1.8.3

1 2