iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dfd2bf4367
linux/drivers/md
History
Gui-Dong Han dfd2bf4367 md/raid5: fix atomicity violation in raid5_cache_count 
In raid5_cache_count():
    if (conf->max_nr_stripes < conf->min_nr_stripes)
        return 0;
    return conf->max_nr_stripes - conf->min_nr_stripes;
The current check is ineffective, as the values could change immediately
after being checked.

In raid5_set_cache_size():
    ...
    conf->min_nr_stripes = size;
    ...
    while (size > conf->max_nr_stripes)
        conf->min_nr_stripes = conf->max_nr_stripes;
    ...

Due to intermediate value updates in raid5_set_cache_size(), concurrent
execution of raid5_cache_count() and raid5_set_cache_size() may lead to
inconsistent reads of conf->max_nr_stripes and conf->min_nr_stripes.
The current checks are ineffective as values could change immediately
after being checked, raising the risk of conf->min_nr_stripes exceeding
conf->max_nr_stripes and potentially causing an integer overflow.

This possible bug is found by an experimental static analysis tool
developed by our team. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency bugs
including data races and atomicity violations. The above possible bug is
reported when our tool analyzes the source code of Linux 6.2.

To resolve this issue, it is suggested to introduce local variables
'min_stripes' and 'max_stripes' in raid5_cache_count() to ensure the
values remain stable throughout the check. Adding locks in
raid5_cache_count() fails to resolve atomicity violations, as
raid5_set_cache_size() may hold intermediate values of
conf->min_nr_stripes while unlocked. With this patch applied, our tool no
longer reports the bug, with the kernel configuration allyesconfig for
x86_64. Due to the lack of associated hardware, we cannot test the patch
in runtime testing, and just verify it according to the code logic.

Fixes: edbe83ab4c ("md/raid5: allow the stripe_cache to grow and shrink.")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240112071017.16313-1-2045gemini@gmail.com
Signed-off-by: Song Liu <song@kernel.org>
2024-02-27 14:25:34 -08:00
..
bcache bcache: pass queue_limits to blk_mq_alloc_disk 2024-02-19 16:58:24 -07:00
persistent-data dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client 2023-06-16 18:24:13 -04:00
dm-audit.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c dm: Annotate struct dm_bio_prison with __counted_by 2023-10-02 09:48:53 -07:00
dm-bio-prison-v1.h dm bio prison v1: add dm_cell_key_has_valid_range 2023-03-30 15:57:51 -04:00
dm-bio-prison-v2.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-bio-prison-v2.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-bio-record.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-bufio.c mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-01-08 15:27:15 -08:00
dm-builtin.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-cache-background-tracker.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-background-tracker.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-block-types.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-cache-metadata.c Many singleton patches against the MM code. The patch series which are 2023-11-02 19:38:47 -10:00
dm-cache-metadata.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy-internal.h dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-cache-policy-smq.c dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-07-25 11:55:50 -04:00
dm-cache-policy.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy.h dm: address indent/space issues 2023-02-14 14:23:06 -05:00
dm-cache-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-clone-metadata.c
dm-clone-metadata.h
dm-clone-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-core.h dm: limit the number of targets and parameter size area 2024-01-30 14:05:02 -05:00
dm-crypt.c dm-crypt, dm-verity: disable tasklets 2024-02-02 12:33:50 -05:00
dm-delay.c dm-delay: avoid duplicate logic 2023-11-17 14:41:14 -05:00
dm-dust.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-ebs-target.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-era-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-exception-store.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-exception-store.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-flakey.c mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-01-08 15:27:15 -08:00
dm-ima.c dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-ima.h dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-init.c dm: open code dm_get_dev_t in dm_init_init 2023-06-05 10:57:40 -06:00
dm-integrity.c dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata() 2023-12-18 13:11:05 -05:00
dm-io-rewind.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-io-tracker.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-io.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-ioctl.c dm: limit the number of targets and parameter size area 2024-01-30 14:05:02 -05:00
dm-kcopyd.c block: remove support for the host aware zone model 2023-12-19 20:17:43 -07:00
dm-linear.c dm: shortcut the calls to linear_map and stripe_map 2023-10-06 19:09:25 -04:00
dm-log-userspace-base.c dm log userspace: replace deprecated strncpy with strscpy 2023-10-23 13:02:48 -04:00
dm-log-userspace-transfer.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-log-writes.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-log.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-mpath.c dm: push error reporting down to dm_register_target() 2023-04-11 12:01:01 -04:00
dm-mpath.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-path-selector.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-path-selector.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-historical-service-time.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-ps-io-affinity.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-ps-queue-length.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-round-robin.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-ps-service-time.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-raid1.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-raid.c dm-raid: delay flushing event_work() after reconfig_mutex is released 2023-12-18 13:05:21 -05:00
dm-region-hash.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-rq.c dm: avoid using symbolic permissions 2023-02-14 14:23:07 -05:00
dm-rq.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-snap-persistent.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-snap-transient.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-snap.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-stats.c dm stats: limit the number of entries 2024-01-30 14:06:44 -05:00
dm-stats.h dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stripe.c - Update DM core to directly call the map function for both the linear 2023-11-01 12:55:54 -10:00
dm-switch.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-sysfs.c dm sysfs: make kobj_type structure constant 2023-02-14 14:23:08 -05:00
dm-table.c dm: limit the number of targets and parameter size area 2024-01-30 14:05:02 -05:00
dm-target.c dm error: Add support for zoned block devices 2023-10-31 11:06:21 -04:00
dm-thin-metadata.c - Update DM crypt to allocate compound pages if possible. 2023-06-30 12:16:00 -07:00
dm-thin-metadata.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-thin.c - Update DM crypt to allocate compound pages if possible. 2023-06-30 12:16:00 -07:00
dm-uevent.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-uevent.h dm: fix undue/missing spaces 2023-02-14 14:23:06 -05:00
dm-unstripe.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-verity-fec.c dm-verity: align struct dm_verity_fec_io properly 2023-11-29 12:58:06 -05:00
dm-verity-fec.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-verity-loadpin.c dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter 2023-06-28 10:43:04 -07:00
dm-verity-target.c dm-crypt, dm-verity: disable tasklets 2024-02-02 12:33:50 -05:00
dm-verity-verify-sig.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity-verify-sig.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity.h dm-crypt, dm-verity: disable tasklets 2024-02-02 12:33:50 -05:00
dm-writecache.c dm writecache: allow allocations larger than 2GiB 2024-01-30 14:07:30 -05:00
dm-zero.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-zone.c dm zone: Use the bitmap API to allocate bitmaps 2023-06-16 18:24:13 -04:00
dm-zoned-metadata.c block: remove gfp_flags from blkdev_zone_mgmt 2024-02-12 08:41:16 -07:00
dm-zoned-reclaim.c dm kcopyd: avoid useless atomic operations 2021-06-04 12:07:24 -04:00
dm-zoned-target.c block: remove support for the host aware zone model 2023-12-19 20:17:43 -07:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c block: pass a queue_limits argument to blk_alloc_disk 2024-02-19 16:58:23 -07:00
dm.h dm: shortcut the calls to linear_map and stripe_map 2023-10-06 19:09:25 -04:00
Kconfig for-6.8/block-2024-01-08 2024-01-11 13:58:04 -08:00
Makefile md: Remove deprecated CONFIG_MD_FAULTY 2023-12-19 10:37:50 -08:00
md-autodetect.c md: Remove deprecated CONFIG_MD_LINEAR 2023-12-19 10:16:51 -08:00
md-bitmap.c md/md-bitmap: fix incorrect usage for sb_index 2024-02-26 13:34:44 -08:00
md-bitmap.h md-bitmap: don't use ->index for pages backing the bitmap file 2023-07-27 00:13:29 -07:00
md-cluster.c md-cluster: check for timeout while a new disk adding 2023-10-12 09:16:19 -07:00
md-cluster.h
md.c md: check mddev->pers before calling md_set_readonly() 2024-02-26 10:22:22 -08:00
md.h md: remove flag RemoveSynchronized 2023-11-27 15:49:04 -08:00
raid0.c md: raid0: account for split bio in iostat accounting 2023-08-17 21:11:31 -07:00
raid0.h md/raid0: add discard support for the 'original' layout 2023-06-30 15:43:50 -07:00
raid1-10.c md: factor out a helper exceed_read_errors() to check read_errors 2023-12-15 15:22:15 -08:00
raid1.c md: fix a suspicious RCU usage warning 2024-01-24 22:58:00 -08:00
raid1.h md/raid1: switch to use md_account_bio() for io accounting 2023-07-27 00:13:29 -07:00
raid5-cache.c md/raid5: remove rcu protection to access rdev from conf 2023-11-27 15:49:05 -08:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md/raid5: remove rcu protection to access rdev from conf 2023-11-27 15:49:05 -08:00
raid5.c md/raid5: fix atomicity violation in raid5_cache_count 2024-02-27 14:25:34 -08:00
raid5.h md/raid5: remove rcu protection to access rdev from conf 2023-11-27 15:49:05 -08:00
raid10.c md: factor out a helper exceed_read_errors() to check read_errors 2023-12-15 15:22:15 -08:00
raid10.h md/raid10: switch to use md_account_bio() for io accounting 2023-07-27 00:13:29 -07:00