1. 06 Mar, 2021 7 commits
    • fs/ext4: fix integer overflow in s_log_groups_per_flex · f91436d5
      Sabyrzhan Tasbolatov authored
      syzbot found UBSAN: shift-out-of-bounds in ext4_mb_init [1], when
      1 << sbi->s_es->s_log_groups_per_flex is bigger than UINT_MAX,
      where sbi->s_mb_prefetch is unsigned integer type.
      
      32 is the maximum allowed power of s_log_groups_per_flex. Following if
      check will also trigger UBSAN shift-out-of-bound:
      
      if (1 << sbi->s_es->s_log_groups_per_flex >= UINT_MAX) {
      
      So I'm checking it against the raw number, perhaps there is another way
      to calculate UINT_MAX max power. Also use min_t as to make sure it's
      uint type.
      
      [1] UBSAN: shift-out-of-bounds in fs/ext4/mballoc.c:2713:24
      shift exponent 60 is too large for 32-bit type 'int'
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x137/0x1be lib/dump_stack.c:120
       ubsan_epilogue lib/ubsan.c:148 [inline]
       __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
       ext4_mb_init_backend fs/ext4/mballoc.c:2713 [inline]
       ext4_mb_init+0x19bc/0x19f0 fs/ext4/mballoc.c:2898
       ext4_fill_super+0xc2ec/0xfbe0 fs/ext4/super.c:4983
      
      Reported-by: syzbot+a8b4b0c60155e87e9484@syzkaller.appspotmail.com
      Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20210224095800.3350002-1-snovitoll@gmail.com
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    • ext4: add reclaim checks to xattr code · 163f0ec1
      Jan Kara authored
      Syzbot is reporting that ext4 can enter fs reclaim from kvmalloc() while
      the transaction is started like:
      
        fs_reclaim_acquire+0x117/0x150 mm/page_alloc.c:4340
        might_alloc include/linux/sched/mm.h:193 [inline]
        slab_pre_alloc_hook mm/slab.h:493 [inline]
        slab_alloc_node mm/slub.c:2817 [inline]
        __kmalloc_node+0x5f/0x430 mm/slub.c:4015
        kmalloc_node include/linux/slab.h:575 [inline]
        kvmalloc_node+0x61/0xf0 mm/util.c:587
        kvmalloc include/linux/mm.h:781 [inline]
        ext4_xattr_inode_cache_find fs/ext4/xattr.c:1465 [inline]
        ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1508 [inline]
        ext4_xattr_set_entry+0x1ce6/0x3780 fs/ext4/xattr.c:1649
        ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
        ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
        ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
      
      This should be impossible since transaction start sets PF_MEMALLOC_NOFS.
      Add some assertions to the code to catch if something isn't working as
      expected early.
      
      Link: https://lore.kernel.org/linux-ext4/000000000000563a0205bafb7970@google.com/
      Signed-off-by: Jan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20210222171626.21884-1-jack@suse.cz
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    • ext4: shrink race window in ext4_should_retry_alloc() · efc61345
      Eric Whitney authored
      When generic/371 is run on kvm-xfstests using 5.10 and 5.11 kernels, it
      fails at significant rates on the two test scenarios that disable
      delayed allocation (ext3conv and data_journal) and force actual block
      allocation for the fallocate and pwrite functions in the test.  The
      failure rate on 5.10 for both ext3conv and data_journal on one test
      system typically runs about 85%.  On 5.11, the failure rate on ext3conv
      sometimes drops to as low as 1% while the rate on data_journal
      increases to nearly 100%.
      
      The observed failures are largely due to ext4_should_retry_alloc()
      cutting off block allocation retries when s_mb_free_pending (used to
      indicate that a transaction in progress will free blocks) is 0.
      However, free space is usually available when this occurs during runs
      of generic/371.  It appears that a thread attempting to allocate
      blocks is just missing transaction commits in other threads that
      increase the free cluster count and reset s_mb_free_pending while
      the allocating thread isn't running.  Explicitly testing for free space
      availability avoids this race.
      
      The current code uses a post-increment operator in the conditional
      expression that determines whether the retry limit has been exceeded.
      This means that the conditional expression uses the value of the
      retry counter before it's increased, resulting in an extra retry cycle.
      The current code actually retries twice before hitting its retry limit
      rather than once.
      
      Increasing the retry limit to 3 from the current actual maximum retry
      count of 2 in combination with the change described above reduces the
      observed failure rate to less than 0.1% on both ext3conv and
      data_journal with what should be limited impact on users sensitive to
      the overhead caused by retries.
      
      A per filesystem percpu counter exported via sysfs is added to allow
      users or developers to track the number of times the retry limit is
      exceeded without resorting to debugging methods.  This should provide
      some insight into worst case retry behavior.

      Signed-off-by: Eric Whitney <enwlinux@gmail.com>
      Link: https://lore.kernel.org/r/20210218151132.19678-1-enwlinux@gmail.com
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    • Linux 5.12-rc2 · a38fd874
      Linus Torvalds authored
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · f3ed4de6
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Nothing special here, though Bob's regression fixes for rxe would have
        made it before the rc cycle had there not been such strong winter
        weather!
      
         - Fix corner cases in the rxe reference counting cleanup that are
           causing regressions in blktests for SRP
      
         - Two kdoc fixes so W=1 is clean
      
         - Missing error return in error unwind for mlx5
      
         - Wrong lock type nesting in IB CM"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/rxe: Fix errant WARN_ONCE in rxe_completer()
        RDMA/rxe: Fix extra deref in rxe_rcv_mcast_pkt()
        RDMA/rxe: Fix missed IB reference counting in loopback
        RDMA/uverbs: Fix kernel-doc warning of _uverbs_alloc
        RDMA/mlx5: Set correct kernel-doc identifier
        IB/mlx5: Add missing error code
        RDMA/rxe: Fix missing kconfig dependency on CRYPTO
        RDMA/cm: Fix IRQ restore in ib_send_cm_sidr_rep
    • Merge tag 'gcc-plugins-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · de5bd6c5
      Linus Torvalds authored
      Pull gcc-plugins fixes from Kees Cook:
       "Tiny gcc-plugin fixes for v5.12-rc2. These issues are small but have
        been reported a couple times now by static analyzers, so best to get
        them fixed to reduce the noise. :)
      
         - Fix coding style issues (Jason Yan)"
      
      * tag 'gcc-plugins-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        gcc-plugins: latent_entropy: remove unneeded semicolon
        gcc-plugins: structleak: remove unneeded variable 'ret'
    • Merge tag 'pstore-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 8b24ef44
      Linus Torvalds authored
      Pull pstore fixes from Kees Cook:
      
       - Rate-limit ECC warnings (Dmitry Osipenko)
      
       - Fix error path check for NULL (Tetsuo Handa)
      
      * tag 'pstore-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore/ram: Rate-limit "uncorrectable error in header" message
        pstore: Fix warning in pstore_kill_sb()
  2. 05 Mar, 2021 33 commits