2020-06-18 12:03:47

by Gao Xiang

Subject: [PATCH] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

From: Gao Xiang <[email protected]>

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Let's fix it now.

Reported-by: Hongyu Jin <[email protected]>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <[email protected]> # 4.19+
Signed-off-by: Gao Xiang <[email protected]>
---
fs/erofs/zdata.h | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index 7824f5563a55..92fbc0f0ba85 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,24 @@ static inline void z_erofs_onlinepage_init(struct page *page)
static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
- unsigned long *p, o, v, id;
+ union z_erofs_onlinepage_converter u;
+ int orig, orig_index, val;
+
repeat:
- p = &page_private(page);
- o = READ_ONCE(*p);
+ u.v = &page_private(page);
+ orig = atomic_read(u.o);

- id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
- if (id) {
+ orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+ if (orig_index) {
if (!index)
return;

- DBG_BUGON(id != index);
+ DBG_BUGON(orig_index != index);
}

- v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
- ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
- if (cmpxchg(p, o, v) != o)
+ val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+ ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+ if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}
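
Review bot: `u.v = &page_private(page);` sits below the `repeat:` label, so the converter pointer is recomputed on every failed `atomic_cmpxchg()` retry even though `&page_private(page)` never changes; initialise it once at declaration, `union z_erofs_onlinepage_converter u = { .v = &page_private(page) };`, and leave only `orig = atomic_read(u.o);` under the label. Separately, `orig`, `orig_index` and `val` are signed `int` while `index` is `uintptr_t`: `orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT` is an arithmetic shift and `DBG_BUGON(orig_index != index)` is a mixed-sign comparison, so `unsigned int` for the three locals (or a comment that the index field cannot reach the sign bit) would make the intended 32-bit unsigned layout explicit.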

--
2.24.0
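
The failure the commit message describes, modelled in user space. This is an added example, not code from the patch, the erofs driver or the kernel: it assumes an LP64 host (8-byte unsigned long, 4-byte int), uses the GCC/Clang __atomic builtins in place of atomic_read()/atomic_cmpxchg()/cmpxchg(), picks COUNT_BITS == 2 for the field layout (the real value is not shown in this thread), fills page->private with a constructed 0xaa byte pattern to stand in for the uninitialized high half, and turns DBG_BUGON() into a -1 return so the failing and passing paths can be compared side by side.

```c
/*
 * User-space model of the bug the patch above fixes. Added example, not
 * code from the erofs patch or the kernel. Assumed: an LP64 host, __atomic
 * builtins in place of atomic_read()/atomic_cmpxchg()/cmpxchg(),
 * COUNT_BITS == 2 (not shown in the thread), and DBG_BUGON() modelled as
 * a -1 return instead of a crash.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define Z_EROFS_ONLINEPAGE_COUNT_BITS	2
#define Z_EROFS_ONLINEPAGE_COUNT_MASK	((1 << Z_EROFS_ONLINEPAGE_COUNT_BITS) - 1)
#define Z_EROFS_ONLINEPAGE_INDEX_SHIFT	Z_EROFS_ONLINEPAGE_COUNT_BITS

struct fake_page {		/* stand-in for struct page */
	unsigned long private;
};

union onlinepage_converter {	/* stand-in for union z_erofs_onlinepage_converter */
	int *o;			/* the 32-bit word erofs really uses */
	unsigned long *v;	/* the whole page->private */
};

/* Model of z_erofs_onlinepage_init(): touches only the 32-bit word. */
static void onlinepage_init(struct fake_page *page)
{
	union onlinepage_converter u = { .v = &page->private };

	__atomic_store_n(u.o, 0, __ATOMIC_RELAXED);
}

/*
 * Pre-patch fixup: reads the whole unsigned long, so whatever init left in
 * the other 32 bits lands in "id". Returns -1 where DBG_BUGON would fire.
 */
static int fixup_before_patch(struct fake_page *page, uintptr_t index, bool down)
{
	unsigned long *p, o, v, id;

repeat:
	p = &page->private;
	o = __atomic_load_n(p, __ATOMIC_RELAXED);
	id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
	if (id) {
		if (!index)
			return 0;
		if (id != index)
			return -1;	/* the "id != index" from the report */
	}
	v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
	    ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
	if (!__atomic_compare_exchange_n(p, &o, v, false,
					 __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST))
		goto repeat;
	return 0;
}

/* Post-patch fixup: reads and cmpxchg's only the 32-bit word. */
static int fixup_after_patch(struct fake_page *page, uintptr_t index, bool down)
{
	union onlinepage_converter u = { .v = &page->private };
	int orig, orig_index, val;

repeat:
	orig = __atomic_load_n(u.o, __ATOMIC_RELAXED);
	orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
	if (orig_index) {
		if (!index)
			return 0;
		if (orig_index != (int)index)
			return -1;	/* DBG_BUGON(orig_index != index) */
	}
	val = (int)((index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
		    ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down));
	if (!__atomic_compare_exchange_n(u.o, &orig, val, false,
					 __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST))
		goto repeat;
	return 0;
}

/* Read the index/count word through the same 32-bit view the fixed code uses. */
static unsigned int onlinepage_word(struct fake_page *page)
{
	union onlinepage_converter u = { .v = &page->private };

	return (unsigned int)__atomic_load_n(u.o, __ATOMIC_RELAXED);
}

/*
 * Reproduce the report: page->private starts as the 0xaa byte pattern a
 * pattern-style auto-var initializer leaves behind (constructed here), init
 * clears only the 32-bit word, then fixup runs for index 3 with one ref.
 */
static int reproduce(int (*fixup)(struct fake_page *, uintptr_t, bool))
{
	struct fake_page page = { .private = (~0UL / 3) * 2 };	/* 0xaa..aa */

	onlinepage_init(&page);
	return fixup(&page, 3, true);
}

int main(void)
{
	printf("before patch: %d, after patch: %d\n",
	       reproduce(fixup_before_patch), reproduce(fixup_after_patch));
	return 0;
}
```

Built with any GCC or Clang (for example `cc -std=gnu11 -O2`), the pre-patch path returns -1: the stale 0xaaaaaaaa half, shifted down by Z_EROFS_ONLINEPAGE_INDEX_SHIFT, becomes a nonzero "index" that can never equal the one passed in, which is exactly the `id != index` the report hit. The post-patch path only ever loads and cmpxchg's the 4 bytes that init wrote, so it returns 0 and leaves the index and count fields as expected; on a 32-bit unsigned long the two paths are the same, which is why the bug was invisible until the 64-bit aarch64 build with the pattern-fill initializer.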


2020-06-19 01:49:47

by Gao Xiang

Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

From: Gao Xiang <[email protected]>

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Let's fix it now.

Reported-by: Hongyu Jin <[email protected]>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <[email protected]> # 4.19+
Signed-off-by: Gao Xiang <[email protected]>
---
change since v1:
move the .v assignment out since it isn't needed on every loop iteration;

fs/erofs/zdata.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index 7824f5563a55..9b66c28b3ae9 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page)
static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
- unsigned long *p, o, v, id;
-repeat:
- p = &page_private(page);
- o = READ_ONCE(*p);
+ union z_erofs_onlinepage_converter u = { .v = &page_private(page) };
+ int orig, orig_index, val;

- id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
- if (id) {
+repeat:
+ orig = atomic_read(u.o);
+ orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+ if (orig_index) {
if (!index)
return;

- DBG_BUGON(id != index);
+ DBG_BUGON(orig_index != index);
}

- v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
- ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
- if (cmpxchg(p, o, v) != o)
+ val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+ ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+ if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}
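
Review bot: `val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) | ...` is computed at `uintptr_t` width and then truncated into the 32-bit `int val`, which is the "only the low 32 bits are used" behaviour the commit message describes, but nothing in the hunk says so; a one-line comment at `int orig, orig_index, val;` (or an explicit `(unsigned int)` cast on the assignment) would stop the next reader from "fixing" it back to `unsigned long`. Also, with `orig` signed, `orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT` is an arithmetic shift and `DBG_BUGON(orig_index != index)` compares `int` with `uintptr_t`; declaring the three locals `unsigned int` avoids both.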

--
2.24.0

2020-06-19 09:18:31

by 金红宇 (Hongyu Jin)

Subject: RE: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

Hi Xiang:

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Tested-by: [email protected]

It's ok.

-----Original Message-----
From: Gao Xiang [mailto:[email protected]]
Sent: Friday, June 19, 2020 7:44 AM
To: [email protected]; Chao Yu <[email protected]>
Cc: Chao Yu <[email protected]>; Li Guifu <[email protected]>; Fang Wei <[email protected]>; LKML <[email protected]>; Gao Xiang <[email protected]>; 金红宇 (Hongyu Jin) <[email protected]>; [email protected]
Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

From: Gao Xiang <[email protected]>

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Let's fix it now.

Reported-by: Hongyu Jin <[email protected]>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <[email protected]> # 4.19+
Signed-off-by: Gao Xiang <[email protected]>
---
change since v1:
move the .v assignment out since it isn't needed on every loop iteration;

fs/erofs/zdata.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h index 7824f5563a55..9b66c28b3ae9 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page) static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
-unsigned long *p, o, v, id;
-repeat:
-p = &page_private(page);
-o = READ_ONCE(*p);
+union z_erofs_onlinepage_converter u = { .v = &page_private(page) };
+int orig, orig_index, val;

-id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
-if (id) {
+repeat:
+orig = atomic_read(u.o);
+orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+if (orig_index) {
if (!index)
return;

-DBG_BUGON(id != index);
+DBG_BUGON(orig_index != index);
}

-v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
-((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
-if (cmpxchg(p, o, v) != o)
+val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}

--
2.24.0

________________________________
This email (including its attachments) is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Unauthorized use, dissemination, distribution or copying of this email or the information herein or taking any action in reliance on the contents of this email or the information herein, by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. If you are not the intended recipient, please do not read, copy, use or disclose any part of this e-mail to others. Please notify the sender immediately and permanently delete this e-mail and any attachments if you received it in error. Internet communications cannot be guaranteed to be timely, secure, error-free or virus-free. The sender does not accept liability for any errors or omissions.

2020-06-19 09:36:26

by 金红宇 (Hongyu Jin)

Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

Hi Xiang:

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Tested-by: [email protected]

It's ok.
________________________________________
From: Gao Xiang <[email protected]>
Sent: June 19, 2020 7:43
To: [email protected]; Chao Yu
Cc: Chao Yu; Li Guifu; Fang Wei; LKML; Gao Xiang; 金红宇 (Hongyu Jin); [email protected]
Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

From: Gao Xiang <[email protected]>

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.

After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.

Let's fix it now.

Reported-by: Hongyu Jin <[email protected]>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <[email protected]> # 4.19+
Signed-off-by: Gao Xiang <[email protected]>
---
change since v1:
move the .v assignment out since it isn't needed on every loop iteration;

fs/erofs/zdata.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index 7824f5563a55..9b66c28b3ae9 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page)
static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
- unsigned long *p, o, v, id;
-repeat:
- p = &page_private(page);
- o = READ_ONCE(*p);
+ union z_erofs_onlinepage_converter u = { .v = &page_private(page) };
+ int orig, orig_index, val;

- id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
- if (id) {
+repeat:
+ orig = atomic_read(u.o);
+ orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+ if (orig_index) {
if (!index)
return;

- DBG_BUGON(id != index);
+ DBG_BUGON(orig_index != index);
}

- v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
- ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
- if (cmpxchg(p, o, v) != o)
+ val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+ ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+ if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}

--
2.24.0


2020-06-24 01:44:35

by Chao Yu

Subject: Re: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup

On 2020/6/19 7:43, Gao Xiang wrote:
> From: Gao Xiang <[email protected]>
>
> Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
> specific aarch64 environment easily, which wasn't shown before.
>
> After digging into that, I found that high 32 bits of page->private
> was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
> behavior with specific compiler options). Actually we only use low
> 32 bits to keep the page information since page->private is only 4
> bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
> uses the upper 32 bits by mistake.
>
> Let's fix it now.
>
> Reported-by: Hongyu Jin <[email protected]>
> Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
> Cc: <[email protected]> # 4.19+
> Signed-off-by: Gao Xiang <[email protected]>

Reviewed-by: Chao Yu <[email protected]>

Thanks,