From: Li Nan <[email protected]>
The patch series fix the bug of writing raid sysfs.
Changes in v2:
- add patch "md/raid10: optimize check_decay_read_errors()".
- in patch 2, return ret-value of strict_strtoul_scaled if error occurs.
- in patch 3, optimize format.
Li Nan (4):
md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
md/raid10: fix overflow in safe_delay_store
md/raid10: fix wrong setting of max_corr_read_errors
md/raid10: optimize check_decay_read_errors()
drivers/md/md-bitmap.c | 2 ++
drivers/md/md.c | 72 +++++++++++++++++++++++++++---------------
drivers/md/raid10.c | 65 ++++++++++++++++++++------------------
3 files changed, 84 insertions(+), 55 deletions(-)
--
2.31.1
From: Li Nan <[email protected]>
max_corr_read_errors should not be negative number. Change it to
unsigned int where use it.
Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
Signed-off-by: Li Nan <[email protected]>
---
drivers/md/md.c | 2 +-
drivers/md/raid10.c | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index fd5c3babcd6d..4a1e566d6bdc 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
static ssize_t
max_corrected_read_errors_show(struct mddev *mddev, char *page) {
- return sprintf(page, "%d\n",
+ return sprintf(page, "%u\n",
atomic_read(&mddev->max_corr_read_errors));
}
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 4fcfcb350d2b..4d615fcc6a50 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
int sect = 0; /* Offset from r10_bio->sector */
int sectors = r10_bio->sectors;
struct md_rdev *rdev;
- int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
+ unsigned int max_read_errors =
+ atomic_read(&mddev->max_corr_read_errors);
int d = r10_bio->devs[r10_bio->read_slot].devnum;
/* still own a reference to this rdev, so it cannot
@@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
check_decay_read_errors(mddev, rdev);
atomic_inc(&rdev->read_errors);
if (atomic_read(&rdev->read_errors) > max_read_errors) {
- pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
+ pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
mdname(mddev), rdev->bdev,
atomic_read(&rdev->read_errors), max_read_errors);
pr_notice("md/raid10:%s: %pg: Failing raid device\n",
--
2.31.1
From: Li Nan <[email protected]>
If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
will return -EINVAL because "page >= bitmap->pages", but the return value
was not checked immediately in md_bitmap_get_counter() in order to set
*blocks value and slab-out-of-bounds occurs.
Return directly if err is -EINVAL.
Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
Signed-off-by: Li Nan <[email protected]>
Reviewed-by: Yu Kuai <[email protected]>
---
drivers/md/md-bitmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 920bb68156d2..0b41ef422da7 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
int err;
err = md_bitmap_checkpage(bitmap, page, create, 0);
+ if (err == -EINVAL)
+ return NULL;
if (bitmap->bp[page].hijacked ||
bitmap->bp[page].map == NULL)
--
2.31.1
From: Li Nan <[email protected]>
There is no input check when echo md/safe_mode_delay, and overflow will
occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
by using kstrtoul instead of parsing word one by one.
Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
Signed-off-by: Li Nan <[email protected]>
---
drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 24 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 8e344b4b3444..fd5c3babcd6d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
*/
int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
{
- unsigned long result = 0;
- long decimals = -1;
- while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
- if (*cp == '.')
- decimals = 0;
- else if (decimals < scale) {
- unsigned int value;
- value = *cp - '0';
- result = result * 10 + value;
- if (decimals >= 0)
- decimals++;
- }
- cp++;
- }
- if (*cp == '\n')
- cp++;
- if (*cp)
+ unsigned long result = 0, decimals = 0;
+ char *pos, *str;
+ int rv;
+
+ str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
+ if (!str)
+ return -ENOMEM;
+ pos = strchr(str, '.');
+ if (pos) {
+ int cnt = scale;
+
+ *pos = '\0';
+ while (isdigit(*(++pos))) {
+ if (cnt) {
+ decimals = decimals * 10 + *pos - '0';
+ cnt--;
+ }
+ }
+ if (*pos == '\n')
+ pos++;
+ if (*pos) {
+ kfree(str);
+ return -EINVAL;
+ }
+ decimals *= int_pow(10, cnt);
+ }
+
+ rv = kstrtoul(str, 10, &result);
+ kfree(str);
+ if (rv)
+ return rv;
+
+ if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))
return -EINVAL;
- if (decimals < 0)
- decimals = 0;
- *res = result * int_pow(10, scale - decimals);
- return 0;
+ *res = result * int_pow(10, scale) + decimals;
+
+ return rv;
}
static ssize_t
safe_delay_show(struct mddev *mddev, char *page)
{
- int msec = (mddev->safemode_delay*1000)/HZ;
- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
+ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
+
+ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
}
static ssize_t
safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
{
unsigned long msec;
+ int ret;
if (mddev_is_clustered(mddev)) {
pr_warn("md: Safemode is disabled for clustered mode\n");
return -EINVAL;
}
- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
+ ret = strict_strtoul_scaled(cbuf, &msec, 3);
+ if (ret < 0)
+ return ret;
+ if (msec > UINT_MAX)
return -EINVAL;
+
if (msec == 0)
mddev->safemode_delay = 0;
else {
unsigned long old_delay = mddev->safemode_delay;
+ /* HZ <= 1000, so new_delay < UINT_MAX, too */
unsigned long new_delay = (msec*HZ)/1000;
if (new_delay == 0)
--
2.31.1
Hi,
?? 2023/05/06 9:23, [email protected] д??:
> From: Li Nan <[email protected]>
>
> max_corr_read_errors should not be negative number. Change it to
> unsigned int where use it.
>
Looks good, feel free to add:
Reviewed-by: Yu Kuai <[email protected]>
> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> Signed-off-by: Li Nan <[email protected]>
> ---
> drivers/md/md.c | 2 +-
> drivers/md/raid10.c | 5 +++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index fd5c3babcd6d..4a1e566d6bdc 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>
> static ssize_t
> max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> - return sprintf(page, "%d\n",
> + return sprintf(page, "%u\n",
> atomic_read(&mddev->max_corr_read_errors));
> }
>
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 4fcfcb350d2b..4d615fcc6a50 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> int sect = 0; /* Offset from r10_bio->sector */
> int sectors = r10_bio->sectors;
> struct md_rdev *rdev;
> - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> + unsigned int max_read_errors =
> + atomic_read(&mddev->max_corr_read_errors);
> int d = r10_bio->devs[r10_bio->read_slot].devnum;
>
> /* still own a reference to this rdev, so it cannot
> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> check_decay_read_errors(mddev, rdev);
> atomic_inc(&rdev->read_errors);
> if (atomic_read(&rdev->read_errors) > max_read_errors) {
> - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> mdname(mddev), rdev->bdev,
> atomic_read(&rdev->read_errors), max_read_errors);
> pr_notice("md/raid10:%s: %pg: Failing raid device\n",
>
Hi,
?? 2023/05/06 9:23, [email protected] д??:
> From: Li Nan <[email protected]>
>
> There is no input check when echo md/safe_mode_delay, and overflow will
> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
> by using kstrtoul instead of parsing word one by one.
Other than some nits below, this patch looks good to me,
feel free to add:
Reviewed-by: Yu Kuai <[email protected]>
>
> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
> Signed-off-by: Li Nan <[email protected]>
> ---
> drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
> 1 file changed, 46 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 8e344b4b3444..fd5c3babcd6d 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
> */
> int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
> {
> - unsigned long result = 0;
> - long decimals = -1;
> - while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
> - if (*cp == '.')
> - decimals = 0;
> - else if (decimals < scale) {
> - unsigned int value;
> - value = *cp - '0';
> - result = result * 10 + value;
> - if (decimals >= 0)
> - decimals++;
> - }
> - cp++;
> - }
> - if (*cp == '\n')
> - cp++;
> - if (*cp)
> + unsigned long result = 0, decimals = 0;
> + char *pos, *str;
> + int rv;
> +
> + str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
> + if (!str)
> + return -ENOMEM;
> + pos = strchr(str, '.');
> + if (pos) {
> + int cnt = scale;
> +
> + *pos = '\0';
> + while (isdigit(*(++pos))) {
> + if (cnt) {
> + decimals = decimals * 10 + *pos - '0';
> + cnt--;
> + }
> + }
> + if (*pos == '\n')
> + pos++;
> + if (*pos) {
> + kfree(str);
> + return -EINVAL;
> + }
> + decimals *= int_pow(10, cnt);
> + }
> +
> + rv = kstrtoul(str, 10, &result);
> + kfree(str);
> + if (rv)
> + return rv;
> +
> + if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))
This is correct, I guess the reason to use unsigned int is that u64/u64
will compile error in some 32-bit architecture. It's better to use
div64_u64() here.
> return -EINVAL;
> - if (decimals < 0)
> - decimals = 0;
> - *res = result * int_pow(10, scale - decimals);
> - return 0;
> + *res = result * int_pow(10, scale) + decimals;
> +
> + return rv;
> }
>
> static ssize_t
> safe_delay_show(struct mddev *mddev, char *page)
> {
> - int msec = (mddev->safemode_delay*1000)/HZ;
> - return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
> + unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
> +
> + return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
> }
> static ssize_t
> safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
> {
> unsigned long msec;
> + int ret;
>
> if (mddev_is_clustered(mddev)) {
> pr_warn("md: Safemode is disabled for clustered mode\n");
> return -EINVAL;
> }
>
> - if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
> + ret = strict_strtoul_scaled(cbuf, &msec, 3);
> + if (ret < 0)
> + return ret;
> + if (msec > UINT_MAX)
> return -EINVAL;
> +
> if (msec == 0)
> mddev->safemode_delay = 0;
> else {
> unsigned long old_delay = mddev->safemode_delay;
> + /* HZ <= 1000, so new_delay < UINT_MAX, too */
new_delay <= UNIT_MAX
> unsigned long new_delay = (msec*HZ)/1000;
There is no need do declare them as 'unsigned long', you can use
'unsigned int' directly now.
And you can also use DIV64_U64_ROUND_UP() directly here.
Thanks,
Kuai
>
> if (new_delay == 0)
>
On Fri, May 5, 2023 at 6:24 PM <[email protected]> wrote:
>
> From: Li Nan <[email protected]>
>
> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
> will return -EINVAL because "page >= bitmap->pages", but the return value
> was not checked immediately in md_bitmap_get_counter() in order to set
> *blocks value and slab-out-of-bounds occurs.
>
> Return directly if err is -EINVAL.
>
> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
> Signed-off-by: Li Nan <[email protected]>
> Reviewed-by: Yu Kuai <[email protected]>
> ---
> drivers/md/md-bitmap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
> index 920bb68156d2..0b41ef422da7 100644
> --- a/drivers/md/md-bitmap.c
> +++ b/drivers/md/md-bitmap.c
> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
> int err;
>
> err = md_bitmap_checkpage(bitmap, page, create, 0);
> + if (err == -EINVAL)
> + return NULL;
This logic is error prone. Since we are on it, let's fix it better.
Specifically, we can move "page >= bitmap->pages" check out
of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
for clustered md).
Also, could you please add a mdadm test for this issue?
Thanks,
Song
>
> if (bitmap->bp[page].hijacked ||
> bitmap->bp[page].map == NULL)
> --
> 2.31.1
>
On Fri, May 5, 2023 at 7:02 PM Yu Kuai <[email protected]> wrote:
>
> Hi,
>
> 在 2023/05/06 9:23, [email protected] 写道:
> > From: Li Nan <[email protected]>
> >
> > max_corr_read_errors should not be negative number. Change it to
> > unsigned int where use it.
> >
>
> Looks good, feel free to add:
>
> Reviewed-by: Yu Kuai <[email protected]>
>
> > Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> > Signed-off-by: Li Nan <[email protected]>
Hmm.. Does the current code break in any cases?
Thanks,
Song
> > ---
> > drivers/md/md.c | 2 +-
> > drivers/md/raid10.c | 5 +++--
> > 2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/md/md.c b/drivers/md/md.c
> > index fd5c3babcd6d..4a1e566d6bdc 100644
> > --- a/drivers/md/md.c
> > +++ b/drivers/md/md.c
> > @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
> >
> > static ssize_t
> > max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> > - return sprintf(page, "%d\n",
> > + return sprintf(page, "%u\n",
> > atomic_read(&mddev->max_corr_read_errors));
> > }
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index 4fcfcb350d2b..4d615fcc6a50 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> > int sect = 0; /* Offset from r10_bio->sector */
> > int sectors = r10_bio->sectors;
> > struct md_rdev *rdev;
> > - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> > + unsigned int max_read_errors =
> > + atomic_read(&mddev->max_corr_read_errors);
> > int d = r10_bio->devs[r10_bio->read_slot].devnum;
> >
> > /* still own a reference to this rdev, so it cannot
> > @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> > check_decay_read_errors(mddev, rdev);
> > atomic_inc(&rdev->read_errors);
> > if (atomic_read(&rdev->read_errors) > max_read_errors) {
> > - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> > + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> > mdname(mddev), rdev->bdev,
> > atomic_read(&rdev->read_errors), max_read_errors);
> > pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> >
>
Hi,
在 2023/05/13 9:08, Song Liu 写道:
> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <[email protected]> wrote:
>>
>> Hi,
>>
>> 在 2023/05/06 9:23, [email protected] 写道:
>>> From: Li Nan <[email protected]>
>>>
>>> max_corr_read_errors should not be negative number. Change it to
>>> unsigned int where use it.
>>>
>>
>> Looks good, feel free to add:
>>
>> Reviewed-by: Yu Kuai <[email protected]>
>>
>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
>>> Signed-off-by: Li Nan <[email protected]>
>
> Hmm.. Does the current code break in any cases?
The problem is that somewhere use unsigned value, and somewhere use
signed value, and I thinsk the only functional change is in
fix_read_error(), if max_read_errors is negative, the judgement will
always pass before this patch:
if (atomic_read(&rdev->read_errors) > max_read_errors)
Thanks,
Kuai
>
> Thanks,
> Song
>
>>> ---
>>> drivers/md/md.c | 2 +-
>>> drivers/md/raid10.c | 5 +++--
>>> 2 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>>> index fd5c3babcd6d..4a1e566d6bdc 100644
>>> --- a/drivers/md/md.c
>>> +++ b/drivers/md/md.c
>>> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>>>
>>> static ssize_t
>>> max_corrected_read_errors_show(struct mddev *mddev, char *page) {
>>> - return sprintf(page, "%d\n",
>>> + return sprintf(page, "%u\n",
>>> atomic_read(&mddev->max_corr_read_errors));
>>> }
>>>
>>> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
>>> index 4fcfcb350d2b..4d615fcc6a50 100644
>>> --- a/drivers/md/raid10.c
>>> +++ b/drivers/md/raid10.c
>>> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>> int sect = 0; /* Offset from r10_bio->sector */
>>> int sectors = r10_bio->sectors;
>>> struct md_rdev *rdev;
>>> - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
>>> + unsigned int max_read_errors =
>>> + atomic_read(&mddev->max_corr_read_errors);
>>> int d = r10_bio->devs[r10_bio->read_slot].devnum;
>>>
>>> /* still own a reference to this rdev, so it cannot
>>> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>> check_decay_read_errors(mddev, rdev);
>>> atomic_inc(&rdev->read_errors);
>>> if (atomic_read(&rdev->read_errors) > max_read_errors) {
>>> - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
>>> + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
>>> mdname(mddev), rdev->bdev,
>>> atomic_read(&rdev->read_errors), max_read_errors);
>>> pr_notice("md/raid10:%s: %pg: Failing raid device\n",
>>>
>>
> .
>
在 2023/5/13 10:21, Yu Kuai 写道:
> Hi,
>
> 在 2023/05/13 9:08, Song Liu 写道:
>> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> 在 2023/05/06 9:23, [email protected] 写道:
>>>> From: Li Nan <[email protected]>
>>>>
>>>> max_corr_read_errors should not be negative number. Change it to
>>>> unsigned int where use it.
>>>>
>>>
>>> Looks good, feel free to add:
>>>
>>> Reviewed-by: Yu Kuai <[email protected]>
>>>
>>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of
>>>> correctable read errors.")
>>>> Signed-off-by: Li Nan <[email protected]>
>>
>> Hmm.. Does the current code break in any cases?
>
> The problem is that somewhere use unsigned value, and somewhere use
> signed value, and I thinsk the only functional change is in
> fix_read_error(), if max_read_errors is negative, the judgement will
> always pass before this patch:
>
> if (atomic_read(&rdev->read_errors) > max_read_errors)
>
In addition, it is confusing for users after setting a huge number to it.
# echo 4294967295 > /sys/block/$disk/md/max_read_errors
# cat /sys/block/$disk/md/max_read_errors
-1
--
Thanks,
Nan
在 2023/5/6 10:00, Yu Kuai 写道:
> Hi,
>
> 在 2023/05/06 9:23, [email protected] 写道:
>> From: Li Nan <[email protected]>
>>
>> There is no input check when echo md/safe_mode_delay, and overflow will
>> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
>> by using kstrtoul instead of parsing word one by one.
>
> Other than some nits below, this patch looks good to me,
> feel free to add:
>
> Reviewed-by: Yu Kuai <[email protected]>
>>
>> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
>> Signed-off-by: Li Nan <[email protected]>
>> ---
>> drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
>> 1 file changed, 46 insertions(+), 24 deletions(-)
>>
>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>> index 8e344b4b3444..fd5c3babcd6d 100644
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
>> */
>> int strict_strtoul_scaled(const char *cp, unsigned long *res, int
>> scale)
>> {
>> - unsigned long result = 0;
>> - long decimals = -1;
>> - while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
>> - if (*cp == '.')
>> - decimals = 0;
>> - else if (decimals < scale) {
>> - unsigned int value;
>> - value = *cp - '0';
>> - result = result * 10 + value;
>> - if (decimals >= 0)
>> - decimals++;
>> - }
>> - cp++;
>> - }
>> - if (*cp == '\n')
>> - cp++;
>> - if (*cp)
>> + unsigned long result = 0, decimals = 0;
>> + char *pos, *str;
>> + int rv;
>> +
>> + str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
>> + if (!str)
>> + return -ENOMEM;
>> + pos = strchr(str, '.');
>> + if (pos) {
>> + int cnt = scale;
>> +
>> + *pos = '\0';
>> + while (isdigit(*(++pos))) {
>> + if (cnt) {
>> + decimals = decimals * 10 + *pos - '0';
>> + cnt--;
>> + }
>> + }
>> + if (*pos == '\n')
>> + pos++;
>> + if (*pos) {
>> + kfree(str);
>> + return -EINVAL;
>> + }
>> + decimals *= int_pow(10, cnt);
>> + }
>> +
>> + rv = kstrtoul(str, 10, &result);
>> + kfree(str);
>> + if (rv)
>> + return rv;
>> +
>> + if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10,
>> scale))
>
> This is correct, I guess the reason to use unsigned int is that u64/u64
> will compile error in some 32-bit architecture. It's better to use
> div64_u64() here.
>
>> return -EINVAL;
>> - if (decimals < 0)
>> - decimals = 0;
>> - *res = result * int_pow(10, scale - decimals);
>> - return 0;
>> + *res = result * int_pow(10, scale) + decimals;
>> +
>> + return rv;
>> }
>> static ssize_t
>> safe_delay_show(struct mddev *mddev, char *page)
>> {
>> - int msec = (mddev->safemode_delay*1000)/HZ;
>> - return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
>> + unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
>> +
>> + return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
>> }
>> static ssize_t
>> safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
>> {
>> unsigned long msec;
>> + int ret;
>> if (mddev_is_clustered(mddev)) {
>> pr_warn("md: Safemode is disabled for clustered mode\n");
>> return -EINVAL;
>> }
>> - if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
>> + ret = strict_strtoul_scaled(cbuf, &msec, 3);
>> + if (ret < 0)
>> + return ret;
>> + if (msec > UINT_MAX)
>> return -EINVAL;
>> +
>> if (msec == 0)
>> mddev->safemode_delay = 0;
>> else {
>> unsigned long old_delay = mddev->safemode_delay;
>> + /* HZ <= 1000, so new_delay < UINT_MAX, too */
>
> new_delay <= UNIT_MAX
>
>> unsigned long new_delay = (msec*HZ)/1000;
>
> There is no need do declare them as 'unsigned long', you can use
> 'unsigned int' directly now.
>
> And you can also use DIV64_U64_ROUND_UP() directly here.
>
I will fix it in v3.
> Thanks,
> Kuai
>> if (new_delay == 0)
>>
>
> .
--
Thanks,
Nan
在 2023/5/13 9:05, Song Liu 写道:
> On Fri, May 5, 2023 at 6:24 PM <[email protected]> wrote:
>>
>> From: Li Nan <[email protected]>
>>
>> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
>> will return -EINVAL because "page >= bitmap->pages", but the return value
>> was not checked immediately in md_bitmap_get_counter() in order to set
>> *blocks value and slab-out-of-bounds occurs.
>>
>> Return directly if err is -EINVAL.
>>
>> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
>> Signed-off-by: Li Nan <[email protected]>
>> Reviewed-by: Yu Kuai <[email protected]>
>> ---
>> drivers/md/md-bitmap.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
>> index 920bb68156d2..0b41ef422da7 100644
>> --- a/drivers/md/md-bitmap.c
>> +++ b/drivers/md/md-bitmap.c
>> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
>> int err;
>>
>> err = md_bitmap_checkpage(bitmap, page, create, 0);
>> + if (err == -EINVAL)
>> + return NULL;
>
> This logic is error prone. Since we are on it, let's fix it better.
> Specifically, we can move "page >= bitmap->pages" check out
I will check out it in v3.
> of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
> for clustered md).
>
In md_bitmap_resize(), incoming parameters "page < bitmap->counts.page"
and do not have this problem.
> Also, could you please add a mdadm test for this issue?
>
It's my pleasure.
> Thanks,
> Song
>
>>
>> if (bitmap->bp[page].hijacked ||
>> bitmap->bp[page].map == NULL)
>> --
>> 2.31.1
>>
> .
Thanks for your suggesion.
--
Thanks,
Nan