- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 1/2] io_uring: fix soft lockup when call __io_remove_buffers
by Yang Yingliang 09 Dec '21

09 Dec '21

From: Ye Bin <yebin10(a)huawei.com> mainline inclusion from mainline-v5.16-rc3 commit 1d0254e6b47e73222fd3d6ae95cccbaafe5b3ecf category: bugfix bugzilla: 185746 CVE: NA ----------------------------------------------- I got issue as follows: [ 567.094140] __io_remove_buffers: [1]start ctx=0xffff8881067bf000 bgid=65533 buf=0xffff8881fefe1680 [ 594.360799] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [kworker/u32:5:108] [ 594.364987] Modules linked in: [ 594.365405] irq event stamp: 604180238 [ 594.365906] hardirqs last enabled at (604180237): [<ffffffff93fec9bd>] _raw_spin_unlock_irqrestore+0x2d/0x50 [ 594.367181] hardirqs last disabled at (604180238): [<ffffffff93fbbadb>] sysvec_apic_timer_interrupt+0xb/0xc0 [ 594.368420] softirqs last enabled at (569080666): [<ffffffff94200654>] __do_softirq+0x654/0xa9e [ 594.369551] softirqs last disabled at (569080575): [<ffffffff913e1d6a>] irq_exit_rcu+0x1ca/0x250 [ 594.370692] CPU: 2 PID: 108 Comm: kworker/u32:5 Tainted: G L 5.15.0-next-20211112+ #88 [ 594.371891] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 594.373604] Workqueue: events_unbound io_ring_exit_work [ 594.374303] RIP: 0010:_raw_spin_unlock_irqrestore+0x33/0x50 [ 594.375037] Code: 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 55 f5 55 fd 48 89 ef e8 ed a7 56 fd 80 e7 02 74 06 e8 43 13 7b fd fb bf 01 00 00 00 <e8> f8 78 474 [ 594.377433] RSP: 0018:ffff888101587a70 EFLAGS: 00000202 [ 594.378120] RAX: 0000000024030f0d RBX: 0000000000000246 RCX: 1ffffffff2f09106 [ 594.379053] RDX: 0000000000000000 RSI: ffffffff9449f0e0 RDI: 0000000000000001 [ 594.379991] RBP: ffffffff9586cdc0 R08: 0000000000000001 R09: fffffbfff2effcab [ 594.380923] R10: ffffffff977fe557 R11: fffffbfff2effcaa R12: ffff8881b8f3def0 [ 594.381858] R13: 0000000000000246 R14: ffff888153a8b070 R15: 0000000000000000 [ 594.382787] FS: 0000000000000000(0000) GS:ffff888399c00000(0000) knlGS:0000000000000000 [ 594.383851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 594.384602] CR2: 00007fcbe71d2000 CR3: 00000000b4216000 CR4: 00000000000006e0 [ 594.385540] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 594.386474] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 594.387403] Call Trace: [ 594.387738] <TASK> [ 594.388042] find_and_remove_object+0x118/0x160 [ 594.389321] delete_object_full+0xc/0x20 [ 594.389852] kfree+0x193/0x470 [ 594.390275] __io_remove_buffers.part.0+0xed/0x147 [ 594.390931] io_ring_ctx_free+0x342/0x6a2 [ 594.392159] io_ring_exit_work+0x41e/0x486 [ 594.396419] process_one_work+0x906/0x15a0 [ 594.399185] worker_thread+0x8b/0xd80 [ 594.400259] kthread+0x3bf/0x4a0 [ 594.401847] ret_from_fork+0x22/0x30 [ 594.402343] </TASK> Message from syslogd@localhost at Nov 13 09:09:54 ... kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [kworker/u32:5:108] [ 596.793660] __io_remove_buffers: [2099199]start ctx=0xffff8881067bf000 bgid=65533 buf=0xffff8881fefe1680 We can reproduce this issue by follow syzkaller log: r0 = syz_io_uring_setup(0x401, &(0x7f0000000300), &(0x7f0000003000/0x2000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000000280)=<r1=>0x0, &(0x7f0000000380)=<r2=>0x0) sendmsg$ETHTOOL_MSG_FEATURES_SET(0xffffffffffffffff, &(0x7f0000003080)={0x0, 0x0, &(0x7f0000003040)={&(0x7f0000000040)=ANY=[], 0x18}}, 0x0) syz_io_uring_submit(r1, r2, &(0x7f0000000240)=@IORING_OP_PROVIDE_BUFFERS={0x1f, 0x5, 0x0, 0x401, 0x1, 0x0, 0x100, 0x0, 0x1, {0xfffd}}, 0x0) io_uring_enter(r0, 0x3a2d, 0x0, 0x0, 0x0, 0x0) The reason above issue is 'buf->list' has 2,100,000 nodes, occupied cpu lead to soft lockup. To solve this issue, we need add schedule point when do while loop in '__io_remove_buffers'. After add schedule point we do regression, get follow data. [ 240.141864] __io_remove_buffers: [1]start ctx=0xffff888170603000 bgid=65533 buf=0xffff8881116fcb00 [ 268.408260] __io_remove_buffers: [1]start ctx=0xffff8881b92d2000 bgid=65533 buf=0xffff888130c83180 [ 275.899234] __io_remove_buffers: [2099199]start ctx=0xffff888170603000 bgid=65533 buf=0xffff8881116fcb00 [ 296.741404] __io_remove_buffers: [1]start ctx=0xffff8881b659c000 bgid=65533 buf=0xffff8881010fe380 [ 305.090059] __io_remove_buffers: [2099199]start ctx=0xffff8881b92d2000 bgid=65533 buf=0xffff888130c83180 [ 325.415746] __io_remove_buffers: [1]start ctx=0xffff8881b92d1000 bgid=65533 buf=0xffff8881a17d8f00 [ 333.160318] __io_remove_buffers: [2099199]start ctx=0xffff8881b659c000 bgid=65533 buf=0xffff8881010fe380 ... Fixes:8bab4c09f24e("io_uring: allow conditional reschedule for intensive iterators") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Link: https://lore.kernel.org/r/20211122024737.2198530-1-yebin10@huawei.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> conflicts: fs/io_uring.c Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index d07388600bbed..f3b5f9d670df3 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3462,6 +3462,7 @@ static int __io_remove_buffers(struct io_ring_ctx *ctx, struct io_buffer *buf, kfree(nxt); if (++i == nbufs) return i; + cond_resched(); } i++; kfree(buf); -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS] block: Fix fsync always failed if once failed
by Yang Yingliang 09 Dec '21

09 Dec '21

From: Ye Bin <yebin10(a)huawei.com> mainline inclusion from mainline-v5.17 commit 8a7518931baa8ea023700987f3db31cb0a80610b category: bugfix bugzilla: 185819 CVE: NA ----------------------------------------------- We do test with inject error fault base on v4.19, after test some time we found sync /dev/sda always failed. [root@localhost] sync /dev/sda sync: error syncing '/dev/sda': Input/output error scsi log as follows: [19069.812296] sd 0:0:0:0: [sda] tag#64 Send: scmd 0x00000000d03a0b6b [19069.812302] sd 0:0:0:0: [sda] tag#64 CDB: Synchronize Cache(10) 35 00 00 00 00 00 00 00 00 00 [19069.812533] sd 0:0:0:0: [sda] tag#64 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK [19069.812536] sd 0:0:0:0: [sda] tag#64 CDB: Synchronize Cache(10) 35 00 00 00 00 00 00 00 00 00 [19069.812539] sd 0:0:0:0: [sda] tag#64 scsi host busy 1 failed 0 [19069.812542] sd 0:0:0:0: Notifying upper driver of completion (result 0) [19069.812546] sd 0:0:0:0: [sda] tag#64 sd_done: completed 0 of 0 bytes [19069.812549] sd 0:0:0:0: [sda] tag#64 0 sectors total, 0 bytes done. [19069.812564] print_req_error: I/O error, dev sda, sector 0 ftrace log as follows: rep-306069 [007] .... 19654.923315: block_bio_queue: 8,0 FWS 0 + 0 [rep] rep-306069 [007] .... 19654.923333: block_getrq: 8,0 FWS 0 + 0 [rep] kworker/7:1H-250 [007] .... 19654.923352: block_rq_issue: 8,0 FF 0 () 0 + 0 [kworker/7:1H] <idle>-0 [007] ..s. 19654.923562: block_rq_complete: 8,0 FF () 18446744073709551615 + 0 [0] <idle>-0 [007] d.s. 19654.923576: block_rq_complete: 8,0 WS () 0 + 0 [-5] As 8d6996630c03 introduce 'fq->rq_status', this data only update when 'flush_rq' reference count isn't zero. If flush request once failed and record error code in 'fq->rq_status'. If there is no chance to update 'fq->rq_status',then do fsync will always failed. To address this issue reset 'fq->rq_status' after return error code to upper layer. Fixes: 8d6996630c03("block: fix null pointer dereference in blk_mq_rq_timed_out()") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20211129012659.1553733-1-yebin10@huawei.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> conflicts: block/blk-flush.c Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Jason Yan <yanaijie(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- block/blk-flush.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/block/blk-flush.c b/block/blk-flush.c index 022a2bbb012d7..c1bfcde165af5 100644 --- a/block/blk-flush.c +++ b/block/blk-flush.c @@ -245,8 +245,10 @@ static void flush_end_io(struct request *flush_rq, blk_status_t error) * avoiding use-after-free. */ WRITE_ONCE(flush_rq->state, MQ_RQ_IDLE); - if (fq->rq_status != BLK_STS_OK) + if (fq->rq_status != BLK_STS_OK) { error = fq->rq_status; + fq->rq_status = BLK_STS_OK; + } hctx = blk_mq_map_queue(q, flush_rq->mq_ctx->cpu); if (!q->elevator) { -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 1/3] blk-mq: factor out some helps to quiesce/unquiesce queue
by Yang Yingliang 09 Dec '21

09 Dec '21

From: Yu Kuai <yukuai3(a)huawei.com> hulk inclusion category: bugfix bugzilla: 173974 CVE: NA --------------------------- Prepare to support concurrent quiesce queue between drivers and block layer, no functional changes. Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- block/blk-mq.c | 58 ++++++++++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index ef62a83314a5d..f9b4b73a2f38d 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -211,32 +211,29 @@ void blk_mq_unfreeze_queue(struct request_queue *q) } EXPORT_SYMBOL_GPL(blk_mq_unfreeze_queue); +static void __blk_mq_quiesce_queue_nowait(struct request_queue *q, + unsigned int flag) +{ + blk_queue_flag_set(flag, q); +} + /* * FIXME: replace the scsi_internal_device_*block_nowait() calls in the * mpt3sas driver such that this function can be removed. */ void blk_mq_quiesce_queue_nowait(struct request_queue *q) { - blk_queue_flag_set(QUEUE_FLAG_QUIESCED, q); + __blk_mq_quiesce_queue_nowait(q, QUEUE_FLAG_QUIESCED); } EXPORT_SYMBOL_GPL(blk_mq_quiesce_queue_nowait); -/** - * blk_mq_quiesce_queue() - wait until all ongoing dispatches have finished - * @q: request queue. - * - * Note: this function does not prevent that the struct request end_io() - * callback function is invoked. Once this function is returned, we make - * sure no dispatch can happen until the queue is unquiesced via - * blk_mq_unquiesce_queue(). - */ -void blk_mq_quiesce_queue(struct request_queue *q) +static void __blk_mq_quiesce_queue(struct request_queue *q, unsigned int flag) { struct blk_mq_hw_ctx *hctx; unsigned int i; bool rcu = false; - blk_mq_quiesce_queue_nowait(q); + __blk_mq_quiesce_queue_nowait(q, flag); queue_for_each_hw_ctx(q, hctx, i) { if (hctx->flags & BLK_MQ_F_BLOCKING) @@ -247,15 +244,30 @@ void blk_mq_quiesce_queue(struct request_queue *q) if (rcu) synchronize_rcu(); } + +/** + * blk_mq_quiesce_queue() - wait until all ongoing dispatches have finished + * @q: request queue. + * + * Note: this function does not prevent that the struct request end_io() + * callback function is invoked. Once this function is returned, we make + * sure no dispatch can happen until the queue is unquiesced via + * blk_mq_unquiesce_queue(). + */ +void blk_mq_quiesce_queue(struct request_queue *q) +{ + __blk_mq_quiesce_queue(q, QUEUE_FLAG_QUIESCED); +} EXPORT_SYMBOL_GPL(blk_mq_quiesce_queue); -bool blk_mq_quiesce_queue_without_rcu(struct request_queue *q) +static bool __blk_mq_quiesce_queue_without_rcu(struct request_queue *q, + unsigned int flag) { struct blk_mq_hw_ctx *hctx; unsigned int i; bool rcu = false; - blk_mq_quiesce_queue_nowait(q); + __blk_mq_quiesce_queue_nowait(q, flag); queue_for_each_hw_ctx(q, hctx, i) { if (hctx->flags & BLK_MQ_F_BLOCKING) @@ -265,8 +277,21 @@ bool blk_mq_quiesce_queue_without_rcu(struct request_queue *q) } return rcu; } + +bool blk_mq_quiesce_queue_without_rcu(struct request_queue *q) +{ + return __blk_mq_quiesce_queue_without_rcu(q, QUEUE_FLAG_QUIESCED); +} EXPORT_SYMBOL_GPL(blk_mq_quiesce_queue_without_rcu); +static void __blk_mq_unquiesce_queue(struct request_queue *q, unsigned int flag) +{ + blk_queue_flag_clear(flag, q); + + /* dispatch requests which are inserted during quiescing */ + blk_mq_run_hw_queues(q, true); +} + /* * blk_mq_unquiesce_queue() - counterpart of blk_mq_quiesce_queue() * @q: request queue. @@ -276,10 +301,7 @@ EXPORT_SYMBOL_GPL(blk_mq_quiesce_queue_without_rcu); */ void blk_mq_unquiesce_queue(struct request_queue *q) { - blk_queue_flag_clear(QUEUE_FLAG_QUIESCED, q); - - /* dispatch requests which are inserted during quiescing */ - blk_mq_run_hw_queues(q, true); + __blk_mq_unquiesce_queue(q, QUEUE_FLAG_QUIESCED); } EXPORT_SYMBOL_GPL(blk_mq_unquiesce_queue); -- 2.25.1

1 2

[PATCH openEuler-1.0-LTS 0/6] Add the no_hash_pointers startup parameter
by He Jinjin 09 Dec '21

09 Dec '21

The address printed by %p in the kernel will expose the kernel address information, which is extremely unsafe. So Linux v4.15 limited the information printed by %p which will print a hashed value. This patchset add no_hash_pointers startup parameter which can disable the restriction that %P only prints hashed values, so that %P can print the actual address in the kernel. I patched this function and the test modules associated with this and passed these tests after recompiling. Tobin C. Harding (3): lib/test_printf: Add empty module_exit function kselftest: Add test module framework header lib: Use new kselftest header Timur Tabi(3): kselftest: add support for skipped tests lib: use KSTM_MODULE_GLOBALS macro in kselftest drivers lib/vsprintf: no_hash_pointers prints all addresses as unhashed .../admin-guide/kernel-parameters.txt | 15 +++ Documentation/dev-tools/kselftest.rst | 94 +++++++++++++++++- lib/test_bitmap.c | 23 +---- lib/test_printf.c | 29 +++--- lib/vsprintf.c | 36 ++++++- tools/testing/selftests/kselftest_module.h | 54 ++++++++++ 6 files changed, 215 insertions(+), 36 deletions(-) create mode 100644 tools/testing/selftests/kselftest_module.h -- 2.30.0

1 6

[PATCH openEuler-1.0-LTS 0/6] Add the no_hash_pointers startup parameter
by He Jinjin 09 Dec '21

09 Dec '21

The address printed by %p in the kernel will expose the kernel address information, which is extremely unsafe. So Linux v4.15 limited the information printed by %p which will print a hashed value. This patchset add no_hash_pointers startup parameter which can disable the restriction that %P only prints hashed values, so that %P can print the actual address in the kernel. I patched this function and the test modules associated with this and passed these tests after recompiling. Tobin C. Harding (3): lib/test_printf: Add empty module_exit function kselftest: Add test module framework header lib: Use new kselftest header Timur Tabi(3): kselftest: add support for skipped tests lib: use KSTM_MODULE_GLOBALS macro in kselftest drivers lib/vsprintf: no_hash_pointers prints all addresses as unhashed .../admin-guide/kernel-parameters.txt | 15 +++ Documentation/dev-tools/kselftest.rst | 94 +++++++++++++++++- lib/test_bitmap.c | 23 +---- lib/test_printf.c | 29 +++--- lib/vsprintf.c | 36 ++++++- tools/testing/selftests/kselftest_module.h | 54 ++++++++++ 6 files changed, 215 insertions(+), 36 deletions(-) create mode 100644 tools/testing/selftests/kselftest_module.h -- 2.30.0

1 6

[PATCH OLK-5.10 0/2] Add the function to modify the reboot mode
by Hongyu Li 09 Dec '21

09 Dec '21

The current kernel needs to provide the reboot mode in the boot parameter. However, we can not know this in advance. The kernel should have a method to set the reboot options when the system is booted. This patchset add handles in the <sysfs>/kernel/reboot to read reboot configuration and rewrite it. Therefore users can change the reboot mode as they want. Matteo Croce (1): reboot: allow to specify reboot mode via sysfs Nathan Chancellor (1): reboot: Fix variable assignments in type_store Documentation/ABI/testing/sysfs-kernel-reboot | 32 +++ kernel/reboot.c | 206 ++++++++++++++++++ 2 files changed, 238 insertions(+) create mode 100644 Documentation/ABI/testing/sysfs-kernel-reboot -- 2.17.1

1 0

[PATCH OLK-5.10 0/2] Add the function to modify the reboot mode
by Hongyu Li 09 Dec '21

09 Dec '21

The current kernel needs to provide the reboot mode in the boot parameter. However, we can not know this in advance. The kernel should have a method to set the reboot options when the system is booted. This patchset add handles in the <sysfs>/kernel/reboot to read reboot configuration and rewrite it. Therefore users can change the reboot mode as they want. Matteo Croce (1): reboot: allow to specify reboot mode via sysfs Nathan Chancellor (1): reboot: Fix variable assignments in type_store Documentation/ABI/testing/sysfs-kernel-reboot | 32 +++ kernel/reboot.c | 206 ++++++++++++++++++ 2 files changed, 238 insertions(+) create mode 100644 Documentation/ABI/testing/sysfs-kernel-reboot -- 2.17.1

1 0

[PATCH openEuler-1.0-LTS 1/2] bfq: Remove merged request already in bfq_requests_merged()
by Yang Yingliang 09 Dec '21

09 Dec '21

From: Jan Kara <jack(a)suse.cz> mainline inclusion from mainline-v5.14-rc1 commit a921c655f2033dd1ce1379128efe881dda23ea37 category: bugfix bugzilla: 185777, 185811 CVE: NA Currently, bfq does very little in bfq_requests_merged() and handles all the request cleanup in bfq_finish_requeue_request() called from blk_mq_free_request(). That is currently safe only because blk_mq_free_request() is called shortly after bfq_requests_merged() while bfqd->lock is still held. However to fix a lock inversion between bfqd->lock and ioc->lock, we need to call blk_mq_free_request() after dropping bfqd->lock. That would mean that already merged request could be seen by other processes inside bfq queues and possibly dispatched to the device which is wrong. So move cleanup of the request from bfq_finish_requeue_request() to bfq_requests_merged(). Acked-by: Paolo Valente <paolo.valente(a)linaro.org> Signed-off-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/20210623093634.27879-2-jack@suse.cz Signed-off-by: Jens Axboe <axboe(a)kernel.dk> conflict: in bfq_finish_requeue_request, 4.19 not have bfq_update_inject_limit branch; Signed-off-by: zhangwensheng <zhangwensheng5(a)huawei.com> Reviewed-by: Jason Yan <yanaijie(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- block/bfq-iosched.c | 41 +++++++++++++---------------------------- 1 file changed, 13 insertions(+), 28 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 7d77de9a0f5c0..5452d892480ba 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -1937,7 +1937,7 @@ static void bfq_requests_merged(struct request_queue *q, struct request *rq, *next_bfqq = bfq_init_rq(next); if (!bfqq) - return; + goto remove; /* * If next and rq belong to the same bfq_queue and next is older @@ -1960,6 +1960,14 @@ static void bfq_requests_merged(struct request_queue *q, struct request *rq, bfqq->next_rq = rq; bfqg_stats_update_io_merged(bfqq_group(bfqq), next->cmd_flags); +remove: + /* Merged request may be in the IO scheduler. Remove it. */ + if (!RB_EMPTY_NODE(&next->rb_node)) { + bfq_remove_request(next->q, next); + if (next_bfqq) + bfqg_stats_update_io_remove(bfqq_group(next_bfqq), + next->cmd_flags); + } } /* Must be called with bfqq != NULL */ @@ -4876,6 +4884,7 @@ static void bfq_finish_requeue_request(struct request *rq) { struct bfq_queue *bfqq = RQ_BFQQ(rq); struct bfq_data *bfqd; + unsigned long flags; /* * rq either is not associated with any icq, or is an already @@ -4893,36 +4902,12 @@ static void bfq_finish_requeue_request(struct request *rq) rq->io_start_time_ns, rq->cmd_flags); + spin_lock_irqsave(&bfqd->lock, flags); if (likely(rq->rq_flags & RQF_STARTED)) { - unsigned long flags; - - spin_lock_irqsave(&bfqd->lock, flags); - bfq_completed_request(bfqq, bfqd); - bfq_finish_requeue_request_body(bfqq); - - spin_unlock_irqrestore(&bfqd->lock, flags); - } else { - /* - * Request rq may be still/already in the scheduler, - * in which case we need to remove it (this should - * never happen in case of requeue). And we cannot - * defer such a check and removal, to avoid - * inconsistencies in the time interval from the end - * of this function to the start of the deferred work. - * This situation seems to occur only in process - * context, as a consequence of a merge. In the - * current version of the code, this implies that the - * lock is held. - */ - - if (!RB_EMPTY_NODE(&rq->rb_node)) { - bfq_remove_request(rq->q, rq); - bfqg_stats_update_io_remove(bfqq_group(bfqq), - rq->cmd_flags); - } - bfq_finish_requeue_request_body(bfqq); } + bfq_finish_requeue_request_body(bfqq); + spin_unlock_irqrestore(&bfqd->lock, flags); /* * Reset private fields. In case of a requeue, this allows -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS] md: fix a warning caused by a race between concurrent md_ioctl()s
by Yang Yingliang 09 Dec '21

09 Dec '21

From: "Dae R. Jeong" <dae.r.jeong(a)kaist.ac.kr> mainline inclusion from mainline-v5.11-rc1 commit c731b84b51bf7fe83448bea8f56a6d55006b0615 category: bugfix bugzilla: 185833 CVE: NA ----------------------------------------------- Syzkaller reports a warning as belows. WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169 ... Call Trace: ... RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169 RSP: 0018:ffff888096027950 EFLAGS: 00010293 RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2 RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007 RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482 R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932 R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408 __blkdev_driver_ioctl block/ioctl.c:304 [inline] blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606 block_ioctl+0xee/0x130 fs/block_dev.c:1930 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe This is caused by a race between two concurrenct md_ioctl()s closing the array. CPU1 (md_ioctl()) CPU2 (md_ioctl()) ------ ------ set_bit(MD_CLOSING, &mddev->flags); did_set_md_closing = true; WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags)); if(did_set_md_closing) clear_bit(MD_CLOSING, &mddev->flags); Fix the warning by returning immediately if the MD_CLOSING bit is set in &mddev->flags which indicates that the array is being closed. Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") Reported-by: syzbot+1e46a0864c1a6e9bd3d8(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Dae R. Jeong <dae.r.jeong(a)kaist.ac.kr> Signed-off-by: Song Liu <songliubraving(a)fb.com> Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Jason Yan <yanaijie(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/md/md.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index 8a2656cf7127d..409ec5ffd28d3 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -7306,8 +7306,11 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, err = -EBUSY; goto out; } - WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags)); - set_bit(MD_CLOSING, &mddev->flags); + if (test_and_set_bit(MD_CLOSING, &mddev->flags)) { + mutex_unlock(&mddev->open_mutex); + err = -EBUSY; + goto out; + } did_set_md_closing = true; mutex_unlock(&mddev->open_mutex); sync_blockdev(bdev); -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 1/2] net: hns3: fix race condition in debugfs
by Yang Yingliang 09 Dec '21

09 Dec '21

From: Yonglong Liu <liuyonglong(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4LD5U CVE: NA ---------------------------- When multiple users access debugfs at the same time, the process of alloc and release memory becomes disordered, causing the kernel crash like this: [763845.759089] PC is at kfree+0x19c/0x1a0 [763845.759100] LR is at kvfree+0x3c/0x58 [763845.759103] pc : [<ffff00000828878c>] lr : [<ffff00000823432c>] pstate: 60400009 [763845.759105] sp : ffff00003744fc90 [763845.759108] x29: ffff00003744fc90 x28: ffff8027dc87b800 [763845.759115] x27: ffff0000088a1000 x26: ffff000002970f48 [763845.759121] x25: ffff802502600000 x24: 00000000000000af [763845.759127] x23: 0000000000010000 x22: 0000000013dc0000 [763845.759133] x21: ffff00000823432c x20: ffff802502600000 [763845.759139] x19: ffff802502600000 x18: 0000ffffdaa06b10 [763845.759145] x17: 00000000004201c8 x16: ffff0000082b2b10 [763845.759151] x15: 000000000003013f x14: 0000ffffa462ffe0 [763845.759157] x13: ffffffffffffffff x12: 0433526ae61f3300 [763845.759163] x11: ffff000009694b30 x10: 0000000000000001 [763845.759169] x9 : 000000000007b224 x8 : ffff000009719edc [763845.759175] x7 : ffff7fe009409800 x6 : 00000045757af8cf [763845.759181] x5 : ffff8027fced69f0 x4 : 0000000000000000 [763845.759187] x3 : 0000000000000000 x2 : 0433526ae61f3300 [763845.759192] x1 : 0000000000000000 x0 : dead000000000100 [763845.759200] Process cat (pid: 57988, stack limit = 0xffff000037440000) [763845.759203] Call trace: [763845.759207] Exception stack(0xffff00003744fb50 to 0xffff00003744fc90) [763845.759211] fb40: dead000000000100 0000000000000000 [768745.759215] fb60: 0433526ae61f3300 0000000000000000 0000000000000000 ffff8027fced69f0 [763845.759219] fb80: 00000045757af8cf ffff7fe009409800 ffff000009719edc 000000000007b224 [763845.759222] fba0: 0000000000000001 ffff000009694b30 0433526ae61f3300 ffffffffffffffff [763845.759226] fbc0: 0000ffffa462ffe0 000000000003013f ffff0000082b2b10 00000000004201c8 [763845.759231] fbe0: 0000ffffdaa06b10 ffff802502600000 ffff802502600000 ffff00000823432c [763845.759235] fc00: 0000000013dc0000 0000000000010000 00000000000000af ffff802502600000 [763845.759238] fc20: ffff000002970f48 ffff0000088a1000 ffff8027dc87b800 ffff00003744fc90 [763845.759243] fc40: ffff00000823432c ffff00003744fc90 ffff00000828878c 0000000060400009 [763845.759247] fc60: ffff00003744feb0 0000000013dc0000 0000ffffffffffff 0000000000000023 [763845.759250] fc80: ffff00003744fc90 ffff00000828878c [763845.759259] [<ffff00000828878c>] kfree+0x19c/0x1a0 [763845.759263] [<ffff00000823432c>] kvfree+0x3c/0x58 [763845.759306] [<ffff00000295ab94>] hns3_dbg_read+0x94/0x240 [hns3] [763845.759318] [<ffff000008359550>] full_proxy_read+0x60/0x90 [763845.759324] [<ffff0000082b22a4>] __vfs_read+0x58/0x178 [763845.759327] [<ffff0000082b2454>] vfs_read+0x90/0x14c [763845.759332] [<ffff0000082b2b70>] SyS_read+0x60/0xc0 This patch adds a mutex lock to fix the race condition, and need to call hns3_dbg_read_cmd() function when buffer is NULL to avoid reading empty data. Fixes: c91910efc03a ("net: hns3: refactor the debugfs process") Signed-off-by: Yonglong Liu <liuyonglong(a)huawei.com> Reviewed-by: li yongxin <liyongxin1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h index c9ac1e7cf4492..048de5b367c19 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h +++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h @@ -764,6 +764,7 @@ struct hnae3_handle { u8 netdev_flags; struct dentry *hnae3_dbgfs; + struct mutex dbgfs_lock; /* Network interface message level enabled bits */ u32 msg_enable; diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c index 7f3b7084e382f..c68e5f3d0ba52 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c @@ -807,6 +807,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, if (ret) return ret; + mutex_lock(&handle->dbgfs_lock); save_buf = &hns3_dbg_cmd[index].buf; if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) || @@ -819,15 +820,15 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, read_buf = *save_buf; } else { read_buf = kvzalloc(hns3_dbg_cmd[index].buf_len, GFP_KERNEL); - if (!read_buf) - return -ENOMEM; + if (!read_buf) { + ret = -ENOMEM; + goto out; + } /* save the buffer addr until the last read operation */ *save_buf = read_buf; - } - /* get data ready for the first time to read */ - if (!*ppos) { + /* get data ready for the first time to read */ ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, read_buf, hns3_dbg_cmd[index].buf_len); if (ret) @@ -836,8 +837,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, size = simple_read_from_buffer(buffer, count, ppos, read_buf, strlen(read_buf)); - if (size > 0) + if (size > 0) { + mutex_unlock(&handle->dbgfs_lock); return size; + } out: /* free the buffer for the last read operation */ @@ -846,6 +849,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, *save_buf = NULL; } + mutex_unlock(&handle->dbgfs_lock); return ret; } @@ -916,6 +920,7 @@ int hns3_dbg_init(struct hnae3_handle *handle) debugfs_create_dir(hns3_dbg_dentry[i].name, handle->hnae3_dbgfs); + mutex_init(&handle->dbgfs_lock); for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) { if (!hns3_dbg_cmd[i].init) { dev_err(&handle->pdev->dev, @@ -936,6 +941,7 @@ int hns3_dbg_init(struct hnae3_handle *handle) return 0; out: + mutex_destroy(&handle->dbgfs_lock); debugfs_remove_recursive(handle->hnae3_dbgfs); handle->hnae3_dbgfs = NULL; return ret; @@ -951,6 +957,7 @@ void hns3_dbg_uninit(struct hnae3_handle *handle) hns3_dbg_cmd[i].buf = NULL; } + mutex_destroy(&handle->dbgfs_lock); debugfs_remove_recursive(handle->hnae3_dbgfs); handle->hnae3_dbgfs = NULL; } -- 2.25.1

1 1