Jann Horn (1): fs: Use CHECK_DATA_CORRUPTION() when kernel bugs are detected
Li Nan (1): block: fix WARNING in init_blk_queue_async_dispatch
FeedBack: The patch(es) which you have sent to kernel@openeuler.org failed to be converted to a PR!
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/D...
Failed Reason: applying the patch(es) failed, Patch failed at 0001 fs: Use CHECK_DATA_CORRUPTION() when kernel bugs are detected
Suggested Solution: please check whether the failed patch(es) can be applied on the newest code in the expected branch
From: Jann Horn jannh@google.com
mainline inclusion
from mainline-v6.3-rc1
commit 47d586913f2abec4d240bae33417f537fda987ec
category: performance
bugzilla: https://gitee.com/openeuler/kernel/issues/IA5PIS
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Currently, filp_close() and generic_shutdown_super() use printk() to log messages when bugs are detected. This is problematic because infrastructure like syzkaller has no idea that this message indicates a bug. In addition, some people explicitly want their kernels to BUG() when kernel data corruption has been detected (CONFIG_BUG_ON_DATA_CORRUPTION). And finally, when generic_shutdown_super() detects remaining inodes on a system without CONFIG_BUG_ON_DATA_CORRUPTION, it would be nice if later accesses to a busy inode would at least crash somewhat cleanly rather than walking through freed memory.
To address all three, use CHECK_DATA_CORRUPTION() when kernel bugs are detected.
Signed-off-by: Jann Horn jannh@google.com
Reviewed-by: Christian Brauner (Microsoft) brauner@kernel.org
Reviewed-by: Kees Cook keescook@chromium.org
Signed-off-by: Christian Brauner (Microsoft) brauner@kernel.org

Conflicts: include/linux/poison.h
Signed-off-by: liwei liwei728@huawei.com
---
 fs/open.c              |  5 +++--
 fs/super.c             | 21 +++++++++++++++++----
 include/linux/poison.h |  3 +++
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/fs/open.c b/fs/open.c index 8092178ceab0..926fd0598935 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1285,8 +1285,9 @@ int filp_close(struct file *filp, fl_owner_t id) { int retval = 0;
- if (!file_count(filp)) { - printk(KERN_ERR "VFS: Close: file count is 0\n"); + if (CHECK_DATA_CORRUPTION(file_count(filp) == 0, + "VFS: Close: file count is 0 (f_op=%ps)", + filp->f_op)) { return 0; }
diff --git a/fs/super.c b/fs/super.c index db6345634f8b..db46a20da0c8 100644 --- a/fs/super.c +++ b/fs/super.c @@ -465,10 +465,23 @@ void generic_shutdown_super(struct super_block *sb) if (sop->put_super) sop->put_super(sb);
- if (!list_empty(&sb->s_inodes)) { - printk("VFS: Busy inodes after unmount of %s. " - "Self-destruct in 5 seconds. Have a nice day...\n", - sb->s_id); + if (CHECK_DATA_CORRUPTION(!list_empty(&sb->s_inodes), + "VFS: Busy inodes after unmount of %s (%s)", + sb->s_id, sb->s_type->name)) { + /* + * Adding a proper bailout path here would be hard, but + * we can at least make it more likely that a later + * iput_final() or such crashes cleanly. + */ + struct inode *inode; + + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + inode->i_op = VFS_PTR_POISON; + inode->i_sb = VFS_PTR_POISON; + inode->i_mapping = VFS_PTR_POISON; + } + spin_unlock(&sb->s_inode_list_lock); } } spin_lock(&sb_lock); diff --git a/include/linux/poison.h b/include/linux/poison.h index 028133fb1405..a33190e56035 100644 --- a/include/linux/poison.h +++ b/include/linux/poison.h @@ -85,4 +85,7 @@ /********** net/core/page_pool.c **********/ #define PP_SIGNATURE (0x40 + POISON_POINTER_DELTA)
+/********** VFS **********/ +#define VFS_PTR_POISON ((void *)(0xF5 + POISON_POINTER_DELTA)) + #endif
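Review bot: the new format string in the fs/open.c hunk, "VFS: Close: file count is 0 (f_op=%ps)", drops the trailing "\n" that the removed printk() carried; end the string with "\n" or confirm that CHECK_DATA_CORRUPTION() terminates the line itself, otherwise the next log record can run into this one. A short comment above the check would also help triage: filp->f_op is read only once file_count(filp) == 0 has been observed, so the symbol printed is a hint about the owner of the file, not a guaranteed-valid pointer.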
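Review bot: the poisoning loop in the fs/super.c hunk sets only i_op, i_sb and i_mapping, and the comment does not say why these three fields were chosen or which paths other than iput_final() are expected to fault on them; extend the comment so that someone reading a later oops with VFS_PTR_POISON in a register can trace it back to this unmount path. The backport description should also call out two behaviour changes visible here: the old "Self-destruct in 5 seconds" text is gone, so anything matching on it in logs stops firing, and per the commit message a kernel built with CONFIG_BUG_ON_DATA_CORRUPTION will now BUG() at this point instead of only logging. As in fs/open.c, the new format string has no trailing "\n".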
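Review bot: the trailer says "Conflicts: include/linux/poison.h" without describing what was resolved, and the automated feedback reports that patch 0001 does not apply; state which context around the PP_SIGNATURE block differed from mainline and rebase onto the current target branch. While redoing the hunk, check that 0xF5 is not already used by another poison value in this tree's poison.h, since a shared value would make a VFS_PTR_POISON fault ambiguous in an oops.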
From: Li Nan linan122@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IA5AEP
CVE: NA
--------------------------------
A WARNING will be triggered when __kmalloc allocates more than 1 page with GFP_NOFAIL. On a system with a large number of cpus, init_blk_queue_async_dispatch() may attempt to allocate memory larger than 1 page, causing the WARNING:

WARNING: CPU: 4 PID: 1 at mm/page_alloc.c:3485 get_page_from_freelist+0x115c/0x1224
Modules linked in:
CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.0-212.0.0.112.oe2203sp4.aarch64 #1
Call trace:
 get_page_from_freelist+0x115c/0x1224
 __alloc_pages+0x254/0x11f0
 alloc_page_interleave+0x24/0xb0
 alloc_pages+0xf0/0x16c
 kmalloc_order+0x38/0x1c0
 kmalloc_order_trace+0x34/0x130
 __kmalloc+0x524/0x680
 init_blk_queue_async_dispatch+0xe8/0x160
 blk_dev_init+0xa8/0xd0
 genhd_device_init+0x64/0xb4
 do_one_initcall+0x50/0x2a0
 do_initcall_level+0xe4/0x110
 do_initcalls+0x80/0xb8
 kernel_init_freeable+0x1c8/0x254
 kernel_init+0x1c/0x144
 ret_from_fork+0x10/0x18

Fix it by removing the GFP_NOFAIL flag and panicking the kernel if the allocation fails.
Fixes: 204f600cbb0c ("block: support to dispatch bio asynchronously")
Signed-off-by: Li Nan linan122@huawei.com
---
 block/blk-core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/block/blk-core.c b/block/blk-core.c index e3e2659d0673..bf3bfc3ed339 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -285,7 +285,9 @@ static void init_blk_queue_async_dispatch(void)
init_waitqueue_head(&ctl->wait); ctl->bios = kmalloc_array(nr_cpu_ids, sizeof(struct async_bio), - GFP_KERNEL | __GFP_NOFAIL); + GFP_KERNEL); + if (!ctl->bios) + panic("Failed to alloc async bio array\n"); for (i = 0; i < nr_cpu_ids; ++i) { bio_list_init(&ctl->bios[i].list); spin_lock_init(&ctl->bios[i].lock);
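Review bot: in the kmalloc_array() call, dropping __GFP_NOFAIL silences the warning but still requests a physically contiguous allocation larger than one page when nr_cpu_ids is large, which is exactly the case the commit message describes; the array is only indexed per CPU in the loop that follows, so kvmalloc_array() or a per-CPU allocation would serve it without a high-order request and make the failure path far less likely to be reached. If the panic() stays, include nr_cpu_ids in its message so the size that failed is visible on the console.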