* [PATCH v2 0/4] md: bugfix of writing raid sysfs
@ 2023-05-06 1:23 linan666
2023-05-06 1:23 ` [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter linan666
` (3 more replies)
0 siblings, 4 replies; 14+ messages in thread
From: linan666 @ 2023-05-06 1:23 UTC (permalink / raw)
To: song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yukuai3, yi.zhang, houtao1,
yangerkun
From: Li Nan <linan122@huawei.com>
The patch series fix the bug of writing raid sysfs.
Changes in v2:
- add patch "md/raid10: optimize check_decay_read_errors()".
- in patch 2, return ret-value of strict_strtoul_scaled if error occurs.
- in patch 3, optimize format.
Li Nan (4):
md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
md/raid10: fix overflow in safe_delay_store
md/raid10: fix wrong setting of max_corr_read_errors
md/raid10: optimize check_decay_read_errors()
drivers/md/md-bitmap.c | 2 ++
drivers/md/md.c | 72 +++++++++++++++++++++++++++---------------
drivers/md/raid10.c | 65 ++++++++++++++++++++------------------
3 files changed, 84 insertions(+), 55 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
2023-05-06 1:23 [PATCH v2 0/4] md: bugfix of writing raid sysfs linan666
@ 2023-05-06 1:23 ` linan666
2023-05-13 1:05 ` Song Liu
2023-05-06 1:23 ` [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store linan666
` (2 subsequent siblings)
3 siblings, 1 reply; 14+ messages in thread
From: linan666 @ 2023-05-06 1:23 UTC (permalink / raw)
To: song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yukuai3, yi.zhang, houtao1,
yangerkun
From: Li Nan <linan122@huawei.com>
If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
will return -EINVAL because "page >= bitmap->pages", but the return value
was not checked immediately in md_bitmap_get_counter() in order to set
*blocks value and slab-out-of-bounds occurs.
Return directly if err is -EINVAL.
Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
---
drivers/md/md-bitmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 920bb68156d2..0b41ef422da7 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
int err;
err = md_bitmap_checkpage(bitmap, page, create, 0);
+ if (err == -EINVAL)
+ return NULL;
if (bitmap->bp[page].hijacked ||
bitmap->bp[page].map == NULL)
--
2.31.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store
2023-05-06 1:23 [PATCH v2 0/4] md: bugfix of writing raid sysfs linan666
2023-05-06 1:23 ` [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter linan666
@ 2023-05-06 1:23 ` linan666
2023-05-06 2:00 ` Yu Kuai
2023-05-06 1:23 ` [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors linan666
2023-05-06 1:23 ` [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors() linan666
3 siblings, 1 reply; 14+ messages in thread
From: linan666 @ 2023-05-06 1:23 UTC (permalink / raw)
To: song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yukuai3, yi.zhang, houtao1,
yangerkun
From: Li Nan <linan122@huawei.com>
There is no input check when echo md/safe_mode_delay, and overflow will
occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
by using kstrtoul instead of parsing word one by one.
Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
Signed-off-by: Li Nan <linan122@huawei.com>
---
drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 24 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 8e344b4b3444..fd5c3babcd6d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
*/
int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
{
- unsigned long result = 0;
- long decimals = -1;
- while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
- if (*cp == '.')
- decimals = 0;
- else if (decimals < scale) {
- unsigned int value;
- value = *cp - '0';
- result = result * 10 + value;
- if (decimals >= 0)
- decimals++;
- }
- cp++;
- }
- if (*cp == '\n')
- cp++;
- if (*cp)
+ unsigned long result = 0, decimals = 0;
+ char *pos, *str;
+ int rv;
+
+ str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
+ if (!str)
+ return -ENOMEM;
+ pos = strchr(str, '.');
+ if (pos) {
+ int cnt = scale;
+
+ *pos = '\0';
+ while (isdigit(*(++pos))) {
+ if (cnt) {
+ decimals = decimals * 10 + *pos - '0';
+ cnt--;
+ }
+ }
+ if (*pos == '\n')
+ pos++;
+ if (*pos) {
+ kfree(str);
+ return -EINVAL;
+ }
+ decimals *= int_pow(10, cnt);
+ }
+
+ rv = kstrtoul(str, 10, &result);
+ kfree(str);
+ if (rv)
+ return rv;
+
+ if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))
return -EINVAL;
- if (decimals < 0)
- decimals = 0;
- *res = result * int_pow(10, scale - decimals);
- return 0;
+ *res = result * int_pow(10, scale) + decimals;
+
+ return rv;
}
static ssize_t
safe_delay_show(struct mddev *mddev, char *page)
{
- int msec = (mddev->safemode_delay*1000)/HZ;
- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
+ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
+
+ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
}
static ssize_t
safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
{
unsigned long msec;
+ int ret;
if (mddev_is_clustered(mddev)) {
pr_warn("md: Safemode is disabled for clustered mode\n");
return -EINVAL;
}
- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
+ ret = strict_strtoul_scaled(cbuf, &msec, 3);
+ if (ret < 0)
+ return ret;
+ if (msec > UINT_MAX)
return -EINVAL;
+
if (msec == 0)
mddev->safemode_delay = 0;
else {
unsigned long old_delay = mddev->safemode_delay;
+ /* HZ <= 1000, so new_delay < UINT_MAX, too */
unsigned long new_delay = (msec*HZ)/1000;
if (new_delay == 0)
--
2.31.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors
2023-05-06 1:23 [PATCH v2 0/4] md: bugfix of writing raid sysfs linan666
2023-05-06 1:23 ` [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter linan666
2023-05-06 1:23 ` [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store linan666
@ 2023-05-06 1:23 ` linan666
2023-05-06 2:02 ` Yu Kuai
2023-05-06 1:23 ` [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors() linan666
3 siblings, 1 reply; 14+ messages in thread
From: linan666 @ 2023-05-06 1:23 UTC (permalink / raw)
To: song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yukuai3, yi.zhang, houtao1,
yangerkun
From: Li Nan <linan122@huawei.com>
max_corr_read_errors should not be negative number. Change it to
unsigned int where use it.
Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
Signed-off-by: Li Nan <linan122@huawei.com>
---
drivers/md/md.c | 2 +-
drivers/md/raid10.c | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index fd5c3babcd6d..4a1e566d6bdc 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
static ssize_t
max_corrected_read_errors_show(struct mddev *mddev, char *page) {
- return sprintf(page, "%d\n",
+ return sprintf(page, "%u\n",
atomic_read(&mddev->max_corr_read_errors));
}
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 4fcfcb350d2b..4d615fcc6a50 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
int sect = 0; /* Offset from r10_bio->sector */
int sectors = r10_bio->sectors;
struct md_rdev *rdev;
- int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
+ unsigned int max_read_errors =
+ atomic_read(&mddev->max_corr_read_errors);
int d = r10_bio->devs[r10_bio->read_slot].devnum;
/* still own a reference to this rdev, so it cannot
@@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
check_decay_read_errors(mddev, rdev);
atomic_inc(&rdev->read_errors);
if (atomic_read(&rdev->read_errors) > max_read_errors) {
- pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
+ pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
mdname(mddev), rdev->bdev,
atomic_read(&rdev->read_errors), max_read_errors);
pr_notice("md/raid10:%s: %pg: Failing raid device\n",
--
2.31.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors()
2023-05-06 1:23 [PATCH v2 0/4] md: bugfix of writing raid sysfs linan666
` (2 preceding siblings ...)
2023-05-06 1:23 ` [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors linan666
@ 2023-05-06 1:23 ` linan666
2023-05-06 2:14 ` Yu Kuai
3 siblings, 1 reply; 14+ messages in thread
From: linan666 @ 2023-05-06 1:23 UTC (permalink / raw)
To: song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yukuai3, yi.zhang, houtao1,
yangerkun
From: Li Nan <linan122@huawei.com>
check_decay_read_errors() is used to handle rdev->read_errors. But
read_errors is inc and read after check_decay_read_errors() is invoked
in fix_read_error().
Put all operations of read_errors into check_decay_read_errors() and
clean up unnecessary atomic_read of read_errors.
Suggested-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Li Nan <linan122@huawei.com>
---
drivers/md/raid10.c | 66 ++++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 31 deletions(-)
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 4d615fcc6a50..79f94882227d 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2655,39 +2655,53 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
}
/*
- * Used by fix_read_error() to decay the per rdev read_errors.
+ * Used by fix_read_error() to decay the per rdev read_errors and check if
+ * read_error > max_read_errors.
* We halve the read error count for every hour that has elapsed
* since the last recorded read error.
*
*/
-static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+static bool check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
- long cur_time_mon;
+ time64_t cur_time_mon = ktime_get_seconds();
unsigned long hours_since_last;
- unsigned int read_errors = atomic_read(&rdev->read_errors);
-
- cur_time_mon = ktime_get_seconds();
+ unsigned int read_errors;
+ unsigned int max_read_errors =
+ atomic_read(&mddev->max_corr_read_errors);
if (rdev->last_read_error == 0) {
/* first time we've seen a read error */
rdev->last_read_error = cur_time_mon;
- return;
- }
+ } else {
+ hours_since_last = (long)(cur_time_mon -
+ rdev->last_read_error) / 3600;
- hours_since_last = (long)(cur_time_mon -
- rdev->last_read_error) / 3600;
+ rdev->last_read_error = cur_time_mon;
- rdev->last_read_error = cur_time_mon;
+ /*
+ * if hours_since_last is > the number of bits in read_errors
+ * just set read errors to 0. We do this to avoid
+ * overflowing the shift of read_errors by hours_since_last.
+ */
+ read_errors = atomic_read(&rdev->read_errors);
+ if (hours_since_last >= 8 * sizeof(read_errors))
+ atomic_set(&rdev->read_errors, 0);
+ else
+ atomic_set(&rdev->read_errors,
+ read_errors >> hours_since_last);
+ }
- /*
- * if hours_since_last is > the number of bits in read_errors
- * just set read errors to 0. We do this to avoid
- * overflowing the shift of read_errors by hours_since_last.
- */
- if (hours_since_last >= 8 * sizeof(read_errors))
- atomic_set(&rdev->read_errors, 0);
- else
- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
+ read_errors = atomic_inc_return(&rdev->read_errors);
+ if (read_errors > max_read_errors) {
+ pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
+ mdname(mddev), rdev->bdev, read_errors, max_read_errors);
+ pr_notice("md/raid10:%s: %pg: Failing raid device\n",
+ mdname(mddev), rdev->bdev);
+ md_error(mddev, rdev);
+ return false;
+ }
+
+ return true;
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
@@ -2727,8 +2741,6 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
int sect = 0; /* Offset from r10_bio->sector */
int sectors = r10_bio->sectors;
struct md_rdev *rdev;
- unsigned int max_read_errors =
- atomic_read(&mddev->max_corr_read_errors);
int d = r10_bio->devs[r10_bio->read_slot].devnum;
/* still own a reference to this rdev, so it cannot
@@ -2741,15 +2753,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
more fix_read_error() attempts */
return;
- check_decay_read_errors(mddev, rdev);
- atomic_inc(&rdev->read_errors);
- if (atomic_read(&rdev->read_errors) > max_read_errors) {
- pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
- mdname(mddev), rdev->bdev,
- atomic_read(&rdev->read_errors), max_read_errors);
- pr_notice("md/raid10:%s: %pg: Failing raid device\n",
- mdname(mddev), rdev->bdev);
- md_error(mddev, rdev);
+ if (check_decay_read_errors(mddev, rdev)) {
r10_bio->devs[r10_bio->read_slot].bio = IO_BLOCKED;
return;
}
--
2.31.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store
2023-05-06 1:23 ` [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store linan666
@ 2023-05-06 2:00 ` Yu Kuai
2023-05-14 11:18 ` Li Nan
0 siblings, 1 reply; 14+ messages in thread
From: Yu Kuai @ 2023-05-06 2:00 UTC (permalink / raw)
To: linan666, song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yi.zhang, houtao1, yangerkun,
yukuai (C)
Hi,
在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
>
> There is no input check when echo md/safe_mode_delay, and overflow will
> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
> by using kstrtoul instead of parsing word one by one.
Other than some nits below, this patch looks good to me,
feel free to add:
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>
> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
> drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
> 1 file changed, 46 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 8e344b4b3444..fd5c3babcd6d 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
> */
> int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
> {
> - unsigned long result = 0;
> - long decimals = -1;
> - while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
> - if (*cp == '.')
> - decimals = 0;
> - else if (decimals < scale) {
> - unsigned int value;
> - value = *cp - '0';
> - result = result * 10 + value;
> - if (decimals >= 0)
> - decimals++;
> - }
> - cp++;
> - }
> - if (*cp == '\n')
> - cp++;
> - if (*cp)
> + unsigned long result = 0, decimals = 0;
> + char *pos, *str;
> + int rv;
> +
> + str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
> + if (!str)
> + return -ENOMEM;
> + pos = strchr(str, '.');
> + if (pos) {
> + int cnt = scale;
> +
> + *pos = '\0';
> + while (isdigit(*(++pos))) {
> + if (cnt) {
> + decimals = decimals * 10 + *pos - '0';
> + cnt--;
> + }
> + }
> + if (*pos == '\n')
> + pos++;
> + if (*pos) {
> + kfree(str);
> + return -EINVAL;
> + }
> + decimals *= int_pow(10, cnt);
> + }
> +
> + rv = kstrtoul(str, 10, &result);
> + kfree(str);
> + if (rv)
> + return rv;
> +
> + if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))
This is correct, I guess the reason to use unsigned int is that u64/u64
will compile error in some 32-bit architecture. It's better to use
div64_u64() here.
> return -EINVAL;
> - if (decimals < 0)
> - decimals = 0;
> - *res = result * int_pow(10, scale - decimals);
> - return 0;
> + *res = result * int_pow(10, scale) + decimals;
> +
> + return rv;
> }
>
> static ssize_t
> safe_delay_show(struct mddev *mddev, char *page)
> {
> - int msec = (mddev->safemode_delay*1000)/HZ;
> - return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
> + unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
> +
> + return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
> }
> static ssize_t
> safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
> {
> unsigned long msec;
> + int ret;
>
> if (mddev_is_clustered(mddev)) {
> pr_warn("md: Safemode is disabled for clustered mode\n");
> return -EINVAL;
> }
>
> - if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
> + ret = strict_strtoul_scaled(cbuf, &msec, 3);
> + if (ret < 0)
> + return ret;
> + if (msec > UINT_MAX)
> return -EINVAL;
> +
> if (msec == 0)
> mddev->safemode_delay = 0;
> else {
> unsigned long old_delay = mddev->safemode_delay;
> + /* HZ <= 1000, so new_delay < UINT_MAX, too */
new_delay <= UNIT_MAX
> unsigned long new_delay = (msec*HZ)/1000;
There is no need do declare them as 'unsigned long', you can use
'unsigned int' directly now.
And you can also use DIV64_U64_ROUND_UP() directly here.
Thanks,
Kuai
>
> if (new_delay == 0)
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors
2023-05-06 1:23 ` [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors linan666
@ 2023-05-06 2:02 ` Yu Kuai
2023-05-13 1:08 ` Song Liu
0 siblings, 1 reply; 14+ messages in thread
From: Yu Kuai @ 2023-05-06 2:02 UTC (permalink / raw)
To: linan666, song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yi.zhang, houtao1, yangerkun,
yukuai (C)
Hi,
在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
>
> max_corr_read_errors should not be negative number. Change it to
> unsigned int where use it.
>
Looks good, feel free to add:
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
> drivers/md/md.c | 2 +-
> drivers/md/raid10.c | 5 +++--
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index fd5c3babcd6d..4a1e566d6bdc 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>
> static ssize_t
> max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> - return sprintf(page, "%d\n",
> + return sprintf(page, "%u\n",
> atomic_read(&mddev->max_corr_read_errors));
> }
>
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 4fcfcb350d2b..4d615fcc6a50 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> int sect = 0; /* Offset from r10_bio->sector */
> int sectors = r10_bio->sectors;
> struct md_rdev *rdev;
> - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> + unsigned int max_read_errors =
> + atomic_read(&mddev->max_corr_read_errors);
> int d = r10_bio->devs[r10_bio->read_slot].devnum;
>
> /* still own a reference to this rdev, so it cannot
> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> check_decay_read_errors(mddev, rdev);
> atomic_inc(&rdev->read_errors);
> if (atomic_read(&rdev->read_errors) > max_read_errors) {
> - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> mdname(mddev), rdev->bdev,
> atomic_read(&rdev->read_errors), max_read_errors);
> pr_notice("md/raid10:%s: %pg: Failing raid device\n",
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors()
2023-05-06 1:23 ` [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors() linan666
@ 2023-05-06 2:14 ` Yu Kuai
0 siblings, 0 replies; 14+ messages in thread
From: Yu Kuai @ 2023-05-06 2:14 UTC (permalink / raw)
To: linan666, song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, linan122, yi.zhang, houtao1, yangerkun,
yukuai (C)
Hi,
在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
>
> check_decay_read_errors() is used to handle rdev->read_errors. But
> read_errors is inc and read after check_decay_read_errors() is invoked
> in fix_read_error().
>
> Put all operations of read_errors into check_decay_read_errors() and
> clean up unnecessary atomic_read of read_errors.
>
> Suggested-by: Yu Kuai <yukuai3@huawei.com>
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
> drivers/md/raid10.c | 66 ++++++++++++++++++++++++---------------------
> 1 file changed, 35 insertions(+), 31 deletions(-)
>
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 4d615fcc6a50..79f94882227d 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -2655,39 +2655,53 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
> }
>
> /*
> - * Used by fix_read_error() to decay the per rdev read_errors.
> + * Used by fix_read_error() to decay the per rdev read_errors and check if
> + * read_error > max_read_errors.
> * We halve the read error count for every hour that has elapsed
> * since the last recorded read error.
> *
> */
> -static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
> +static bool check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
> {
> - long cur_time_mon;
> + time64_t cur_time_mon = ktime_get_seconds();
> unsigned long hours_since_last;
> - unsigned int read_errors = atomic_read(&rdev->read_errors);
> -
> - cur_time_mon = ktime_get_seconds();
> + unsigned int read_errors;
> + unsigned int max_read_errors =
> + atomic_read(&mddev->max_corr_read_errors);
>
> if (rdev->last_read_error == 0) {
> /* first time we've seen a read error */
> rdev->last_read_error = cur_time_mon;
> - return;
> - }
I prefer to use a goto tag here, so that following code doesn't need to
be changed. Other than that, this patch looks good to me.
Thanks,
Kuai
> + } else {
> + hours_since_last = (long)(cur_time_mon -
> + rdev->last_read_error) / 3600;
>
> - hours_since_last = (long)(cur_time_mon -
> - rdev->last_read_error) / 3600;
> + rdev->last_read_error = cur_time_mon;
>
> - rdev->last_read_error = cur_time_mon;
> + /*
> + * if hours_since_last is > the number of bits in read_errors
> + * just set read errors to 0. We do this to avoid
> + * overflowing the shift of read_errors by hours_since_last.
> + */
> + read_errors = atomic_read(&rdev->read_errors);
> + if (hours_since_last >= 8 * sizeof(read_errors))
> + atomic_set(&rdev->read_errors, 0);
> + else
> + atomic_set(&rdev->read_errors,
> + read_errors >> hours_since_last);
> + }
>
> - /*
> - * if hours_since_last is > the number of bits in read_errors
> - * just set read errors to 0. We do this to avoid
> - * overflowing the shift of read_errors by hours_since_last.
> - */
> - if (hours_since_last >= 8 * sizeof(read_errors))
> - atomic_set(&rdev->read_errors, 0);
> - else
> - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
> + read_errors = atomic_inc_return(&rdev->read_errors);
> + if (read_errors > max_read_errors) {
> + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> + mdname(mddev), rdev->bdev, read_errors, max_read_errors);
> + pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> + mdname(mddev), rdev->bdev);
> + md_error(mddev, rdev);
> + return false;
> + }
> +
> + return true;
> }
>
> static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
> @@ -2727,8 +2741,6 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> int sect = 0; /* Offset from r10_bio->sector */
> int sectors = r10_bio->sectors;
> struct md_rdev *rdev;
> - unsigned int max_read_errors =
> - atomic_read(&mddev->max_corr_read_errors);
> int d = r10_bio->devs[r10_bio->read_slot].devnum;
>
> /* still own a reference to this rdev, so it cannot
> @@ -2741,15 +2753,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> more fix_read_error() attempts */
> return;
>
> - check_decay_read_errors(mddev, rdev);
> - atomic_inc(&rdev->read_errors);
> - if (atomic_read(&rdev->read_errors) > max_read_errors) {
> - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> - mdname(mddev), rdev->bdev,
> - atomic_read(&rdev->read_errors), max_read_errors);
> - pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> - mdname(mddev), rdev->bdev);
> - md_error(mddev, rdev);
> + if (check_decay_read_errors(mddev, rdev)) {
> r10_bio->devs[r10_bio->read_slot].bio = IO_BLOCKED;
> return;
> }
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
2023-05-06 1:23 ` [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter linan666
@ 2023-05-13 1:05 ` Song Liu
2023-05-14 11:15 ` Li Nan
0 siblings, 1 reply; 14+ messages in thread
From: Song Liu @ 2023-05-13 1:05 UTC (permalink / raw)
To: linan666
Cc: neilb, Rob.Becker, linux-raid, linux-kernel, linan122, yukuai3,
yi.zhang, houtao1, yangerkun
On Fri, May 5, 2023 at 6:24 PM <linan666@huaweicloud.com> wrote:
>
> From: Li Nan <linan122@huawei.com>
>
> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
> will return -EINVAL because "page >= bitmap->pages", but the return value
> was not checked immediately in md_bitmap_get_counter() in order to set
> *blocks value and slab-out-of-bounds occurs.
>
> Return directly if err is -EINVAL.
>
> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
> Signed-off-by: Li Nan <linan122@huawei.com>
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
> ---
> drivers/md/md-bitmap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
> index 920bb68156d2..0b41ef422da7 100644
> --- a/drivers/md/md-bitmap.c
> +++ b/drivers/md/md-bitmap.c
> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
> int err;
>
> err = md_bitmap_checkpage(bitmap, page, create, 0);
> + if (err == -EINVAL)
> + return NULL;
This logic is error prone. Since we are on it, let's fix it better.
Specifically, we can move "page >= bitmap->pages" check out
of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
for clustered md).
Also, could you please add a mdadm test for this issue?
Thanks,
Song
>
> if (bitmap->bp[page].hijacked ||
> bitmap->bp[page].map == NULL)
> --
> 2.31.1
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors
2023-05-06 2:02 ` Yu Kuai
@ 2023-05-13 1:08 ` Song Liu
2023-05-13 2:21 ` Yu Kuai
0 siblings, 1 reply; 14+ messages in thread
From: Song Liu @ 2023-05-13 1:08 UTC (permalink / raw)
To: Yu Kuai
Cc: linan666, neilb, Rob.Becker, linux-raid, linux-kernel, linan122,
yi.zhang, houtao1, yangerkun, yukuai (C)
On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>
> Hi,
>
> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> > From: Li Nan <linan122@huawei.com>
> >
> > max_corr_read_errors should not be negative number. Change it to
> > unsigned int where use it.
> >
>
> Looks good, feel free to add:
>
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>
> > Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> > Signed-off-by: Li Nan <linan122@huawei.com>
Hmm.. Does the current code break in any cases?
Thanks,
Song
> > ---
> > drivers/md/md.c | 2 +-
> > drivers/md/raid10.c | 5 +++--
> > 2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/md/md.c b/drivers/md/md.c
> > index fd5c3babcd6d..4a1e566d6bdc 100644
> > --- a/drivers/md/md.c
> > +++ b/drivers/md/md.c
> > @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
> >
> > static ssize_t
> > max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> > - return sprintf(page, "%d\n",
> > + return sprintf(page, "%u\n",
> > atomic_read(&mddev->max_corr_read_errors));
> > }
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index 4fcfcb350d2b..4d615fcc6a50 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> > int sect = 0; /* Offset from r10_bio->sector */
> > int sectors = r10_bio->sectors;
> > struct md_rdev *rdev;
> > - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> > + unsigned int max_read_errors =
> > + atomic_read(&mddev->max_corr_read_errors);
> > int d = r10_bio->devs[r10_bio->read_slot].devnum;
> >
> > /* still own a reference to this rdev, so it cannot
> > @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> > check_decay_read_errors(mddev, rdev);
> > atomic_inc(&rdev->read_errors);
> > if (atomic_read(&rdev->read_errors) > max_read_errors) {
> > - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> > + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> > mdname(mddev), rdev->bdev,
> > atomic_read(&rdev->read_errors), max_read_errors);
> > pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> >
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors
2023-05-13 1:08 ` Song Liu
@ 2023-05-13 2:21 ` Yu Kuai
2023-05-14 11:08 ` Li Nan
0 siblings, 1 reply; 14+ messages in thread
From: Yu Kuai @ 2023-05-13 2:21 UTC (permalink / raw)
To: Song Liu, Yu Kuai
Cc: linan666, neilb, Rob.Becker, linux-raid, linux-kernel, linan122,
yi.zhang, houtao1, yangerkun, yukuai (C)
Hi,
在 2023/05/13 9:08, Song Liu 写道:
> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>>
>> Hi,
>>
>> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>>> From: Li Nan <linan122@huawei.com>
>>>
>>> max_corr_read_errors should not be negative number. Change it to
>>> unsigned int where use it.
>>>
>>
>> Looks good, feel free to add:
>>
>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>
>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
>>> Signed-off-by: Li Nan <linan122@huawei.com>
>
> Hmm.. Does the current code break in any cases?
The problem is that somewhere use unsigned value, and somewhere use
signed value, and I thinsk the only functional change is in
fix_read_error(), if max_read_errors is negative, the judgement will
always pass before this patch:
if (atomic_read(&rdev->read_errors) > max_read_errors)
Thanks,
Kuai
>
> Thanks,
> Song
>
>>> ---
>>> drivers/md/md.c | 2 +-
>>> drivers/md/raid10.c | 5 +++--
>>> 2 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>>> index fd5c3babcd6d..4a1e566d6bdc 100644
>>> --- a/drivers/md/md.c
>>> +++ b/drivers/md/md.c
>>> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>>>
>>> static ssize_t
>>> max_corrected_read_errors_show(struct mddev *mddev, char *page) {
>>> - return sprintf(page, "%d\n",
>>> + return sprintf(page, "%u\n",
>>> atomic_read(&mddev->max_corr_read_errors));
>>> }
>>>
>>> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
>>> index 4fcfcb350d2b..4d615fcc6a50 100644
>>> --- a/drivers/md/raid10.c
>>> +++ b/drivers/md/raid10.c
>>> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>> int sect = 0; /* Offset from r10_bio->sector */
>>> int sectors = r10_bio->sectors;
>>> struct md_rdev *rdev;
>>> - int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
>>> + unsigned int max_read_errors =
>>> + atomic_read(&mddev->max_corr_read_errors);
>>> int d = r10_bio->devs[r10_bio->read_slot].devnum;
>>>
>>> /* still own a reference to this rdev, so it cannot
>>> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>> check_decay_read_errors(mddev, rdev);
>>> atomic_inc(&rdev->read_errors);
>>> if (atomic_read(&rdev->read_errors) > max_read_errors) {
>>> - pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
>>> + pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
>>> mdname(mddev), rdev->bdev,
>>> atomic_read(&rdev->read_errors), max_read_errors);
>>> pr_notice("md/raid10:%s: %pg: Failing raid device\n",
>>>
>>
> .
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors
2023-05-13 2:21 ` Yu Kuai
@ 2023-05-14 11:08 ` Li Nan
0 siblings, 0 replies; 14+ messages in thread
From: Li Nan @ 2023-05-14 11:08 UTC (permalink / raw)
To: Yu Kuai, Song Liu
Cc: linan666, neilb, Rob.Becker, linux-raid, linux-kernel, yi.zhang,
houtao1, yangerkun, yukuai (C)
在 2023/5/13 10:21, Yu Kuai 写道:
> Hi,
>
> 在 2023/05/13 9:08, Song Liu 写道:
>> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>>>
>>> Hi,
>>>
>>> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>>>> From: Li Nan <linan122@huawei.com>
>>>>
>>>> max_corr_read_errors should not be negative number. Change it to
>>>> unsigned int where use it.
>>>>
>>>
>>> Looks good, feel free to add:
>>>
>>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>>
>>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of
>>>> correctable read errors.")
>>>> Signed-off-by: Li Nan <linan122@huawei.com>
>>
>> Hmm.. Does the current code break in any cases?
>
> The problem is that somewhere use unsigned value, and somewhere use
> signed value, and I thinsk the only functional change is in
> fix_read_error(), if max_read_errors is negative, the judgement will
> always pass before this patch:
>
> if (atomic_read(&rdev->read_errors) > max_read_errors)
>
In addition, it is confusing for users after setting a huge number to it.
# echo 4294967295 > /sys/block/$disk/md/max_read_errors
# cat /sys/block/$disk/md/max_read_errors
-1
--
Thanks,
Nan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
2023-05-13 1:05 ` Song Liu
@ 2023-05-14 11:15 ` Li Nan
0 siblings, 0 replies; 14+ messages in thread
From: Li Nan @ 2023-05-14 11:15 UTC (permalink / raw)
To: Song Liu, linan666
Cc: neilb, linux-raid, linux-kernel, yukuai3, yi.zhang, houtao1, yangerkun
在 2023/5/13 9:05, Song Liu 写道:
> On Fri, May 5, 2023 at 6:24 PM <linan666@huaweicloud.com> wrote:
>>
>> From: Li Nan <linan122@huawei.com>
>>
>> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
>> will return -EINVAL because "page >= bitmap->pages", but the return value
>> was not checked immediately in md_bitmap_get_counter() in order to set
>> *blocks value and slab-out-of-bounds occurs.
>>
>> Return directly if err is -EINVAL.
>>
>> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
>> Signed-off-by: Li Nan <linan122@huawei.com>
>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>> ---
>> drivers/md/md-bitmap.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
>> index 920bb68156d2..0b41ef422da7 100644
>> --- a/drivers/md/md-bitmap.c
>> +++ b/drivers/md/md-bitmap.c
>> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
>> int err;
>>
>> err = md_bitmap_checkpage(bitmap, page, create, 0);
>> + if (err == -EINVAL)
>> + return NULL;
>
> This logic is error prone. Since we are on it, let's fix it better.
> Specifically, we can move "page >= bitmap->pages" check out
I will check out it in v3.
> of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
> for clustered md).
>
In md_bitmap_resize(), incoming parameters "page < bitmap->counts.page"
and do not have this problem.
> Also, could you please add a mdadm test for this issue?
>
It's my pleasure.
> Thanks,
> Song
>
>>
>> if (bitmap->bp[page].hijacked ||
>> bitmap->bp[page].map == NULL)
>> --
>> 2.31.1
>>
> .
Thanks for your suggesion.
--
Thanks,
Nan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store
2023-05-06 2:00 ` Yu Kuai
@ 2023-05-14 11:18 ` Li Nan
0 siblings, 0 replies; 14+ messages in thread
From: Li Nan @ 2023-05-14 11:18 UTC (permalink / raw)
To: Yu Kuai, linan666, song, neilb, Rob.Becker
Cc: linux-raid, linux-kernel, yi.zhang, houtao1, yangerkun, yukuai (C)
在 2023/5/6 10:00, Yu Kuai 写道:
> Hi,
>
> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>> From: Li Nan <linan122@huawei.com>
>>
>> There is no input check when echo md/safe_mode_delay, and overflow will
>> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
>> by using kstrtoul instead of parsing word one by one.
>
> Other than some nits below, this patch looks good to me,
> feel free to add:
>
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>
>> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
>> Signed-off-by: Li Nan <linan122@huawei.com>
>> ---
>> drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
>> 1 file changed, 46 insertions(+), 24 deletions(-)
>>
>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>> index 8e344b4b3444..fd5c3babcd6d 100644
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
>> */
>> int strict_strtoul_scaled(const char *cp, unsigned long *res, int
>> scale)
>> {
>> - unsigned long result = 0;
>> - long decimals = -1;
>> - while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
>> - if (*cp == '.')
>> - decimals = 0;
>> - else if (decimals < scale) {
>> - unsigned int value;
>> - value = *cp - '0';
>> - result = result * 10 + value;
>> - if (decimals >= 0)
>> - decimals++;
>> - }
>> - cp++;
>> - }
>> - if (*cp == '\n')
>> - cp++;
>> - if (*cp)
>> + unsigned long result = 0, decimals = 0;
>> + char *pos, *str;
>> + int rv;
>> +
>> + str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
>> + if (!str)
>> + return -ENOMEM;
>> + pos = strchr(str, '.');
>> + if (pos) {
>> + int cnt = scale;
>> +
>> + *pos = '\0';
>> + while (isdigit(*(++pos))) {
>> + if (cnt) {
>> + decimals = decimals * 10 + *pos - '0';
>> + cnt--;
>> + }
>> + }
>> + if (*pos == '\n')
>> + pos++;
>> + if (*pos) {
>> + kfree(str);
>> + return -EINVAL;
>> + }
>> + decimals *= int_pow(10, cnt);
>> + }
>> +
>> + rv = kstrtoul(str, 10, &result);
>> + kfree(str);
>> + if (rv)
>> + return rv;
>> +
>> + if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10,
>> scale))
>
> This is correct, I guess the reason to use unsigned int is that u64/u64
> will compile error in some 32-bit architecture. It's better to use
> div64_u64() here.
>
>> return -EINVAL;
>> - if (decimals < 0)
>> - decimals = 0;
>> - *res = result * int_pow(10, scale - decimals);
>> - return 0;
>> + *res = result * int_pow(10, scale) + decimals;
>> +
>> + return rv;
>> }
>> static ssize_t
>> safe_delay_show(struct mddev *mddev, char *page)
>> {
>> - int msec = (mddev->safemode_delay*1000)/HZ;
>> - return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
>> + unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
>> +
>> + return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
>> }
>> static ssize_t
>> safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
>> {
>> unsigned long msec;
>> + int ret;
>> if (mddev_is_clustered(mddev)) {
>> pr_warn("md: Safemode is disabled for clustered mode\n");
>> return -EINVAL;
>> }
>> - if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
>> + ret = strict_strtoul_scaled(cbuf, &msec, 3);
>> + if (ret < 0)
>> + return ret;
>> + if (msec > UINT_MAX)
>> return -EINVAL;
>> +
>> if (msec == 0)
>> mddev->safemode_delay = 0;
>> else {
>> unsigned long old_delay = mddev->safemode_delay;
>> + /* HZ <= 1000, so new_delay < UINT_MAX, too */
>
> new_delay <= UNIT_MAX
>
>> unsigned long new_delay = (msec*HZ)/1000;
>
> There is no need do declare them as 'unsigned long', you can use
> 'unsigned int' directly now.
>
> And you can also use DIV64_U64_ROUND_UP() directly here.
>
I will fix it in v3.
> Thanks,
> Kuai
>> if (new_delay == 0)
>>
>
> .
--
Thanks,
Nan
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2023-05-14 11:18 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-06 1:23 [PATCH v2 0/4] md: bugfix of writing raid sysfs linan666
2023-05-06 1:23 ` [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter linan666
2023-05-13 1:05 ` Song Liu
2023-05-14 11:15 ` Li Nan
2023-05-06 1:23 ` [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store linan666
2023-05-06 2:00 ` Yu Kuai
2023-05-14 11:18 ` Li Nan
2023-05-06 1:23 ` [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors linan666
2023-05-06 2:02 ` Yu Kuai
2023-05-13 1:08 ` Song Liu
2023-05-13 2:21 ` Yu Kuai
2023-05-14 11:08 ` Li Nan
2023-05-06 1:23 ` [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors() linan666
2023-05-06 2:14 ` Yu Kuai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).