[PATCH v2 0/4] md: bugfix of writing raid sysfs

[PATCH v2 0/4] md: bugfix of writing raid sysfs

[linan666]

From: Li Nan <linan122@huawei.com>

The patch series fix the bug of writing raid sysfs.

Changes in v2:
 - add patch "md/raid10: optimize check_decay_read_errors()".
 - in patch 2, return ret-value of strict_strtoul_scaled if error occurs.
 - in patch 3, optimize format.

Li Nan (4):
  md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
  md/raid10: fix overflow in safe_delay_store
  md/raid10: fix wrong setting of max_corr_read_errors
  md/raid10: optimize check_decay_read_errors()

 drivers/md/md-bitmap.c |  2 ++
 drivers/md/md.c        | 72 +++++++++++++++++++++++++++---------------
 drivers/md/raid10.c    | 65 ++++++++++++++++++++------------------
 3 files changed, 84 insertions(+), 55 deletions(-)

-- 
2.31.1

[PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter

[linan666]

From: Li Nan <linan122@huawei.com>

If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
will return -EINVAL because "page >= bitmap->pages", but the return value
was not checked immediately in md_bitmap_get_counter() in order to set
*blocks value and slab-out-of-bounds occurs.

Return directly if err is -EINVAL.

Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
---
 drivers/md/md-bitmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 920bb68156d2..0b41ef422da7 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
 	int err;
 
 	err = md_bitmap_checkpage(bitmap, page, create, 0);
+	if (err == -EINVAL)
+		return NULL;
 
 	if (bitmap->bp[page].hijacked ||
 	    bitmap->bp[page].map == NULL)
-- 
2.31.1

[PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store

[linan666]

From: Li Nan <linan122@huawei.com>

There is no input check when echo md/safe_mode_delay, and overflow will
occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
by using kstrtoul instead of parsing word one by one.

Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 24 deletions(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 8e344b4b3444..fd5c3babcd6d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
  */
 int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
 {
-	unsigned long result = 0;
-	long decimals = -1;
-	while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
-		if (*cp == '.')
-			decimals = 0;
-		else if (decimals < scale) {
-			unsigned int value;
-			value = *cp - '0';
-			result = result * 10 + value;
-			if (decimals >= 0)
-				decimals++;
-		}
-		cp++;
-	}
-	if (*cp == '\n')
-		cp++;
-	if (*cp)
+	unsigned long result = 0, decimals = 0;
+	char *pos, *str;
+	int rv;
+
+	str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
+	if (!str)
+		return -ENOMEM;
+	pos = strchr(str, '.');
+	if (pos) {
+		int cnt = scale;
+
+		*pos = '\0';
+		while (isdigit(*(++pos))) {
+			if (cnt) {
+				decimals = decimals * 10 + *pos - '0';
+				cnt--;
+			}
+		}
+		if (*pos == '\n')
+			pos++;
+		if (*pos) {
+			kfree(str);
+			return -EINVAL;
+		}
+		decimals *= int_pow(10, cnt);
+	}
+
+	rv = kstrtoul(str, 10, &result);
+	kfree(str);
+	if (rv)
+		return rv;
+
+	if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))
 		return -EINVAL;
-	if (decimals < 0)
-		decimals = 0;
-	*res = result * int_pow(10, scale - decimals);
-	return 0;
+	*res = result * int_pow(10, scale) + decimals;
+
+	return rv;
 }
 
 static ssize_t
 safe_delay_show(struct mddev *mddev, char *page)
 {
-	int msec = (mddev->safemode_delay*1000)/HZ;
-	return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
+	unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
+
+	return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
 }
 static ssize_t
 safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
 {
 	unsigned long msec;
+	int ret;
 
 	if (mddev_is_clustered(mddev)) {
 		pr_warn("md: Safemode is disabled for clustered mode\n");
 		return -EINVAL;
 	}
 
-	if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
+	ret = strict_strtoul_scaled(cbuf, &msec, 3);
+	if (ret < 0)
+		return ret;
+	if (msec > UINT_MAX)
 		return -EINVAL;
+
 	if (msec == 0)
 		mddev->safemode_delay = 0;
 	else {
 		unsigned long old_delay = mddev->safemode_delay;
+		/* HZ <= 1000, so new_delay < UINT_MAX, too */
 		unsigned long new_delay = (msec*HZ)/1000;
 
 		if (new_delay == 0)
-- 
2.31.1

[PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors

[linan666]

From: Li Nan <linan122@huawei.com>

max_corr_read_errors should not be negative number. Change it to
unsigned int where use it.

Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/md/md.c     | 2 +-
 drivers/md/raid10.c | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index fd5c3babcd6d..4a1e566d6bdc 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
 
 static ssize_t
 max_corrected_read_errors_show(struct mddev *mddev, char *page) {
-	return sprintf(page, "%d\n",
+	return sprintf(page, "%u\n",
 		       atomic_read(&mddev->max_corr_read_errors));
 }
 
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 4fcfcb350d2b..4d615fcc6a50 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
 	int sect = 0; /* Offset from r10_bio->sector */
 	int sectors = r10_bio->sectors;
 	struct md_rdev *rdev;
-	int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
+	unsigned int max_read_errors =
+			atomic_read(&mddev->max_corr_read_errors);
 	int d = r10_bio->devs[r10_bio->read_slot].devnum;
 
 	/* still own a reference to this rdev, so it cannot
@@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
 	check_decay_read_errors(mddev, rdev);
 	atomic_inc(&rdev->read_errors);
 	if (atomic_read(&rdev->read_errors) > max_read_errors) {
-		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
+		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
 			  mdname(mddev), rdev->bdev,
 			  atomic_read(&rdev->read_errors), max_read_errors);
 		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
-- 
2.31.1

[PATCH v2 4/4] md/raid10: optimize check_decay_read_errors()

[linan666]

From: Li Nan <linan122@huawei.com>

check_decay_read_errors() is used to handle rdev->read_errors. But
read_errors is inc and read after check_decay_read_errors() is invoked
in fix_read_error().

Put all operations of read_errors into check_decay_read_errors() and
clean up unnecessary atomic_read of read_errors.

Suggested-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/md/raid10.c | 66 ++++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 31 deletions(-)

diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 4d615fcc6a50..79f94882227d 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2655,39 +2655,53 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
 }
 
 /*
- * Used by fix_read_error() to decay the per rdev read_errors.
+ * Used by fix_read_error() to decay the per rdev read_errors and check if
+ * read_error > max_read_errors.
  * We halve the read error count for every hour that has elapsed
  * since the last recorded read error.
  *
  */
-static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+static bool check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
 {
-	long cur_time_mon;
+	time64_t cur_time_mon = ktime_get_seconds();
 	unsigned long hours_since_last;
-	unsigned int read_errors = atomic_read(&rdev->read_errors);
-
-	cur_time_mon = ktime_get_seconds();
+	unsigned int read_errors;
+	unsigned int max_read_errors =
+			atomic_read(&mddev->max_corr_read_errors);
 
 	if (rdev->last_read_error == 0) {
 		/* first time we've seen a read error */
 		rdev->last_read_error = cur_time_mon;
-		return;
-	}
+	} else {
+		hours_since_last = (long)(cur_time_mon -
+				    rdev->last_read_error) / 3600;
 
-	hours_since_last = (long)(cur_time_mon -
-			    rdev->last_read_error) / 3600;
+		rdev->last_read_error = cur_time_mon;
 
-	rdev->last_read_error = cur_time_mon;
+		/*
+		 * if hours_since_last is > the number of bits in read_errors
+		 * just set read errors to 0. We do this to avoid
+		 * overflowing the shift of read_errors by hours_since_last.
+		 */
+		read_errors = atomic_read(&rdev->read_errors);
+		if (hours_since_last >= 8 * sizeof(read_errors))
+			atomic_set(&rdev->read_errors, 0);
+		else
+			atomic_set(&rdev->read_errors,
+				   read_errors >> hours_since_last);
+	}
 
-	/*
-	 * if hours_since_last is > the number of bits in read_errors
-	 * just set read errors to 0. We do this to avoid
-	 * overflowing the shift of read_errors by hours_since_last.
-	 */
-	if (hours_since_last >= 8 * sizeof(read_errors))
-		atomic_set(&rdev->read_errors, 0);
-	else
-		atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
+	read_errors = atomic_inc_return(&rdev->read_errors);
+	if (read_errors > max_read_errors) {
+		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
+			  mdname(mddev), rdev->bdev, read_errors, max_read_errors);
+		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
+			  mdname(mddev), rdev->bdev);
+		md_error(mddev, rdev);
+		return false;
+	}
+
+	return true;
 }
 
 static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
@@ -2727,8 +2741,6 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
 	int sect = 0; /* Offset from r10_bio->sector */
 	int sectors = r10_bio->sectors;
 	struct md_rdev *rdev;
-	unsigned int max_read_errors =
-			atomic_read(&mddev->max_corr_read_errors);
 	int d = r10_bio->devs[r10_bio->read_slot].devnum;
 
 	/* still own a reference to this rdev, so it cannot
@@ -2741,15 +2753,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
 		   more fix_read_error() attempts */
 		return;
 
-	check_decay_read_errors(mddev, rdev);
-	atomic_inc(&rdev->read_errors);
-	if (atomic_read(&rdev->read_errors) > max_read_errors) {
-		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
-			  mdname(mddev), rdev->bdev,
-			  atomic_read(&rdev->read_errors), max_read_errors);
-		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
-			  mdname(mddev), rdev->bdev);
-		md_error(mddev, rdev);
+	if (check_decay_read_errors(mddev, rdev)) {
 		r10_bio->devs[r10_bio->read_slot].bio = IO_BLOCKED;
 		return;
 	}
-- 
2.31.1

Re: [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store

[Yu Kuai]

Hi,

在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
> 
> There is no input check when echo md/safe_mode_delay, and overflow will
> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
> by using kstrtoul instead of parsing word one by one.

Other than some nits below, this patch looks good to me,
feel free to add:

Reviewed-by: Yu Kuai <yukuai3@huawei.com>
> 
> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
>   drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
>   1 file changed, 46 insertions(+), 24 deletions(-)
> 
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 8e344b4b3444..fd5c3babcd6d 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
>    */
>   int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
>   {
> -	unsigned long result = 0;
> -	long decimals = -1;
> -	while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
> -		if (*cp == '.')
> -			decimals = 0;
> -		else if (decimals < scale) {
> -			unsigned int value;
> -			value = *cp - '0';
> -			result = result * 10 + value;
> -			if (decimals >= 0)
> -				decimals++;
> -		}
> -		cp++;
> -	}
> -	if (*cp == '\n')
> -		cp++;
> -	if (*cp)
> +	unsigned long result = 0, decimals = 0;
> +	char *pos, *str;
> +	int rv;
> +
> +	str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
> +	if (!str)
> +		return -ENOMEM;
> +	pos = strchr(str, '.');
> +	if (pos) {
> +		int cnt = scale;
> +
> +		*pos = '\0';
> +		while (isdigit(*(++pos))) {
> +			if (cnt) {
> +				decimals = decimals * 10 + *pos - '0';
> +				cnt--;
> +			}
> +		}
> +		if (*pos == '\n')
> +			pos++;
> +		if (*pos) {
> +			kfree(str);
> +			return -EINVAL;
> +		}
> +		decimals *= int_pow(10, cnt);
> +	}
> +
> +	rv = kstrtoul(str, 10, &result);
> +	kfree(str);
> +	if (rv)
> +		return rv;
> +
> +	if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, scale))

This is correct, I guess the reason to use unsigned int is that u64/u64
will compile error in some 32-bit architecture. It's better to use
div64_u64() here.

>   		return -EINVAL;
> -	if (decimals < 0)
> -		decimals = 0;
> -	*res = result * int_pow(10, scale - decimals);
> -	return 0;
> +	*res = result * int_pow(10, scale) + decimals;
> +
> +	return rv;
>   }
>   
>   static ssize_t
>   safe_delay_show(struct mddev *mddev, char *page)
>   {
> -	int msec = (mddev->safemode_delay*1000)/HZ;
> -	return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
> +	unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
> +
> +	return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
>   }
>   static ssize_t
>   safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
>   {
>   	unsigned long msec;
> +	int ret;
>   
>   	if (mddev_is_clustered(mddev)) {
>   		pr_warn("md: Safemode is disabled for clustered mode\n");
>   		return -EINVAL;
>   	}
>   
> -	if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
> +	ret = strict_strtoul_scaled(cbuf, &msec, 3);
> +	if (ret < 0)
> +		return ret;
> +	if (msec > UINT_MAX)
>   		return -EINVAL;
> +
>   	if (msec == 0)
>   		mddev->safemode_delay = 0;
>   	else {
>   		unsigned long old_delay = mddev->safemode_delay;
> +		/* HZ <= 1000, so new_delay < UINT_MAX, too */

new_delay <= UNIT_MAX

>   		unsigned long new_delay = (msec*HZ)/1000;

There is no need do declare them as 'unsigned long', you can use
'unsigned int' directly now.

And you can also use DIV64_U64_ROUND_UP() directly here.

Thanks,
Kuai
>   
>   		if (new_delay == 0)
> 

Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors

[Yu Kuai]

Hi,

在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
> 
> max_corr_read_errors should not be negative number. Change it to
> unsigned int where use it.
> 

Looks good, feel free to add:

Reviewed-by: Yu Kuai <yukuai3@huawei.com>

> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
>   drivers/md/md.c     | 2 +-
>   drivers/md/raid10.c | 5 +++--
>   2 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index fd5c3babcd6d..4a1e566d6bdc 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>   
>   static ssize_t
>   max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> -	return sprintf(page, "%d\n",
> +	return sprintf(page, "%u\n",
>   		       atomic_read(&mddev->max_corr_read_errors));
>   }
>   
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 4fcfcb350d2b..4d615fcc6a50 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>   	int sect = 0; /* Offset from r10_bio->sector */
>   	int sectors = r10_bio->sectors;
>   	struct md_rdev *rdev;
> -	int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> +	unsigned int max_read_errors =
> +			atomic_read(&mddev->max_corr_read_errors);
>   	int d = r10_bio->devs[r10_bio->read_slot].devnum;
>   
>   	/* still own a reference to this rdev, so it cannot
> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>   	check_decay_read_errors(mddev, rdev);
>   	atomic_inc(&rdev->read_errors);
>   	if (atomic_read(&rdev->read_errors) > max_read_errors) {
> -		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> +		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
>   			  mdname(mddev), rdev->bdev,
>   			  atomic_read(&rdev->read_errors), max_read_errors);
>   		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> 

Re: [PATCH v2 4/4] md/raid10: optimize check_decay_read_errors()

[Yu Kuai]

Hi,

在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
> 
> check_decay_read_errors() is used to handle rdev->read_errors. But
> read_errors is inc and read after check_decay_read_errors() is invoked
> in fix_read_error().
> 
> Put all operations of read_errors into check_decay_read_errors() and
> clean up unnecessary atomic_read of read_errors.
> 
> Suggested-by: Yu Kuai <yukuai3@huawei.com>
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
>   drivers/md/raid10.c | 66 ++++++++++++++++++++++++---------------------
>   1 file changed, 35 insertions(+), 31 deletions(-)
> 
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 4d615fcc6a50..79f94882227d 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -2655,39 +2655,53 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
>   }
>   
>   /*
> - * Used by fix_read_error() to decay the per rdev read_errors.
> + * Used by fix_read_error() to decay the per rdev read_errors and check if
> + * read_error > max_read_errors.
>    * We halve the read error count for every hour that has elapsed
>    * since the last recorded read error.
>    *
>    */
> -static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
> +static bool check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
>   {
> -	long cur_time_mon;
> +	time64_t cur_time_mon = ktime_get_seconds();
>   	unsigned long hours_since_last;
> -	unsigned int read_errors = atomic_read(&rdev->read_errors);
> -
> -	cur_time_mon = ktime_get_seconds();
> +	unsigned int read_errors;
> +	unsigned int max_read_errors =
> +			atomic_read(&mddev->max_corr_read_errors);
>   
>   	if (rdev->last_read_error == 0) {
>   		/* first time we've seen a read error */
>   		rdev->last_read_error = cur_time_mon;
> -		return;
> -	}

I prefer to use a goto tag here, so that following code doesn't need to
be changed. Other than that, this patch looks good to me.

Thanks,
Kuai
> +	} else {
> +		hours_since_last = (long)(cur_time_mon -
> +				    rdev->last_read_error) / 3600;
>   
> -	hours_since_last = (long)(cur_time_mon -
> -			    rdev->last_read_error) / 3600;
> +		rdev->last_read_error = cur_time_mon;
>   
> -	rdev->last_read_error = cur_time_mon;
> +		/*
> +		 * if hours_since_last is > the number of bits in read_errors
> +		 * just set read errors to 0. We do this to avoid
> +		 * overflowing the shift of read_errors by hours_since_last.
> +		 */
> +		read_errors = atomic_read(&rdev->read_errors);
> +		if (hours_since_last >= 8 * sizeof(read_errors))
> +			atomic_set(&rdev->read_errors, 0);
> +		else
> +			atomic_set(&rdev->read_errors,
> +				   read_errors >> hours_since_last);
> +	}
>   
> -	/*
> -	 * if hours_since_last is > the number of bits in read_errors
> -	 * just set read errors to 0. We do this to avoid
> -	 * overflowing the shift of read_errors by hours_since_last.
> -	 */
> -	if (hours_since_last >= 8 * sizeof(read_errors))
> -		atomic_set(&rdev->read_errors, 0);
> -	else
> -		atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
> +	read_errors = atomic_inc_return(&rdev->read_errors);
> +	if (read_errors > max_read_errors) {
> +		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> +			  mdname(mddev), rdev->bdev, read_errors, max_read_errors);
> +		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> +			  mdname(mddev), rdev->bdev);
> +		md_error(mddev, rdev);
> +		return false;
> +	}
> +
> +	return true;
>   }
>   
>   static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
> @@ -2727,8 +2741,6 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>   	int sect = 0; /* Offset from r10_bio->sector */
>   	int sectors = r10_bio->sectors;
>   	struct md_rdev *rdev;
> -	unsigned int max_read_errors =
> -			atomic_read(&mddev->max_corr_read_errors);
>   	int d = r10_bio->devs[r10_bio->read_slot].devnum;
>   
>   	/* still own a reference to this rdev, so it cannot
> @@ -2741,15 +2753,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>   		   more fix_read_error() attempts */
>   		return;
>   
> -	check_decay_read_errors(mddev, rdev);
> -	atomic_inc(&rdev->read_errors);
> -	if (atomic_read(&rdev->read_errors) > max_read_errors) {
> -		pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> -			  mdname(mddev), rdev->bdev,
> -			  atomic_read(&rdev->read_errors), max_read_errors);
> -		pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> -			  mdname(mddev), rdev->bdev);
> -		md_error(mddev, rdev);
> +	if (check_decay_read_errors(mddev, rdev)) {
>   		r10_bio->devs[r10_bio->read_slot].bio = IO_BLOCKED;
>   		return;
>   	}
> 

Re: [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter

[Song Liu]

On Fri, May 5, 2023 at 6:24 PM <linan666@huaweicloud.com> wrote:
>
> From: Li Nan <linan122@huawei.com>
>
> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
> will return -EINVAL because "page >= bitmap->pages", but the return value
> was not checked immediately in md_bitmap_get_counter() in order to set
> *blocks value and slab-out-of-bounds occurs.
>
> Return directly if err is -EINVAL.
>
> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
> Signed-off-by: Li Nan <linan122@huawei.com>
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
> ---
>  drivers/md/md-bitmap.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
> index 920bb68156d2..0b41ef422da7 100644
> --- a/drivers/md/md-bitmap.c
> +++ b/drivers/md/md-bitmap.c
> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
>         int err;
>
>         err = md_bitmap_checkpage(bitmap, page, create, 0);
> +       if (err == -EINVAL)
> +               return NULL;

This logic is error prone. Since we are on it, let's fix it better.
Specifically, we can move "page >= bitmap->pages" check out
of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
for clustered md).

Also, could you please add a mdadm test for this issue?

Thanks,
Song

>
>         if (bitmap->bp[page].hijacked ||
>             bitmap->bp[page].map == NULL)
> --
> 2.31.1
>

Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors

[Song Liu]

On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>
> Hi,
>
> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
> > From: Li Nan <linan122@huawei.com>
> >
> > max_corr_read_errors should not be negative number. Change it to
> > unsigned int where use it.
> >
>
> Looks good, feel free to add:
>
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>
> > Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
> > Signed-off-by: Li Nan <linan122@huawei.com>

Hmm.. Does the current code break in any cases?

Thanks,
Song

> > ---
> >   drivers/md/md.c     | 2 +-
> >   drivers/md/raid10.c | 5 +++--
> >   2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/md/md.c b/drivers/md/md.c
> > index fd5c3babcd6d..4a1e566d6bdc 100644
> > --- a/drivers/md/md.c
> > +++ b/drivers/md/md.c
> > @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
> >
> >   static ssize_t
> >   max_corrected_read_errors_show(struct mddev *mddev, char *page) {
> > -     return sprintf(page, "%d\n",
> > +     return sprintf(page, "%u\n",
> >                      atomic_read(&mddev->max_corr_read_errors));
> >   }
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index 4fcfcb350d2b..4d615fcc6a50 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> >       int sect = 0; /* Offset from r10_bio->sector */
> >       int sectors = r10_bio->sectors;
> >       struct md_rdev *rdev;
> > -     int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
> > +     unsigned int max_read_errors =
> > +                     atomic_read(&mddev->max_corr_read_errors);
> >       int d = r10_bio->devs[r10_bio->read_slot].devnum;
> >
> >       /* still own a reference to this rdev, so it cannot
> > @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
> >       check_decay_read_errors(mddev, rdev);
> >       atomic_inc(&rdev->read_errors);
> >       if (atomic_read(&rdev->read_errors) > max_read_errors) {
> > -             pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
> > +             pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
> >                         mdname(mddev), rdev->bdev,
> >                         atomic_read(&rdev->read_errors), max_read_errors);
> >               pr_notice("md/raid10:%s: %pg: Failing raid device\n",
> >
>

Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors

[Yu Kuai]

Hi,

在 2023/05/13 9:08, Song Liu 写道:
> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>>
>> Hi,
>>
>> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>>> From: Li Nan <linan122@huawei.com>
>>>
>>> max_corr_read_errors should not be negative number. Change it to
>>> unsigned int where use it.
>>>
>>
>> Looks good, feel free to add:
>>
>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>
>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
>>> Signed-off-by: Li Nan <linan122@huawei.com>
> 
> Hmm.. Does the current code break in any cases?

The problem is that somewhere use unsigned value, and somewhere use
signed value, and I thinsk the only functional change is in
fix_read_error(), if max_read_errors is negative, the judgement will
always pass before this patch:

if (atomic_read(&rdev->read_errors) > max_read_errors)

Thanks,
Kuai
> 
> Thanks,
> Song
> 
>>> ---
>>>    drivers/md/md.c     | 2 +-
>>>    drivers/md/raid10.c | 5 +++--
>>>    2 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>>> index fd5c3babcd6d..4a1e566d6bdc 100644
>>> --- a/drivers/md/md.c
>>> +++ b/drivers/md/md.c
>>> @@ -4486,7 +4486,7 @@ __ATTR_PREALLOC(array_state, S_IRUGO|S_IWUSR, array_state_show, array_state_stor
>>>
>>>    static ssize_t
>>>    max_corrected_read_errors_show(struct mddev *mddev, char *page) {
>>> -     return sprintf(page, "%d\n",
>>> +     return sprintf(page, "%u\n",
>>>                       atomic_read(&mddev->max_corr_read_errors));
>>>    }
>>>
>>> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
>>> index 4fcfcb350d2b..4d615fcc6a50 100644
>>> --- a/drivers/md/raid10.c
>>> +++ b/drivers/md/raid10.c
>>> @@ -2727,7 +2727,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>>        int sect = 0; /* Offset from r10_bio->sector */
>>>        int sectors = r10_bio->sectors;
>>>        struct md_rdev *rdev;
>>> -     int max_read_errors = atomic_read(&mddev->max_corr_read_errors);
>>> +     unsigned int max_read_errors =
>>> +                     atomic_read(&mddev->max_corr_read_errors);
>>>        int d = r10_bio->devs[r10_bio->read_slot].devnum;
>>>
>>>        /* still own a reference to this rdev, so it cannot
>>> @@ -2743,7 +2744,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
>>>        check_decay_read_errors(mddev, rdev);
>>>        atomic_inc(&rdev->read_errors);
>>>        if (atomic_read(&rdev->read_errors) > max_read_errors) {
>>> -             pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %d:max %d]\n",
>>> +             pr_notice("md/raid10:%s: %pg: Raid device exceeded read_error threshold [cur %u:max %u]\n",
>>>                          mdname(mddev), rdev->bdev,
>>>                          atomic_read(&rdev->read_errors), max_read_errors);
>>>                pr_notice("md/raid10:%s: %pg: Failing raid device\n",
>>>
>>
> .
> 

Re: [PATCH v2 3/4] md/raid10: fix wrong setting of max_corr_read_errors

[Li Nan]

在 2023/5/13 10:21, Yu Kuai 写道:
> Hi,
> 
> 在 2023/05/13 9:08, Song Liu 写道:
>> On Fri, May 5, 2023 at 7:02 PM Yu Kuai <yukuai1@huaweicloud.com> wrote:
>>>
>>> Hi,
>>>
>>> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>>>> From: Li Nan <linan122@huawei.com>
>>>>
>>>> max_corr_read_errors should not be negative number. Change it to
>>>> unsigned int where use it.
>>>>
>>>
>>> Looks good, feel free to add:
>>>
>>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>>
>>>> Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of 
>>>> correctable read errors.")
>>>> Signed-off-by: Li Nan <linan122@huawei.com>
>>
>> Hmm.. Does the current code break in any cases?
> 
> The problem is that somewhere use unsigned value, and somewhere use
> signed value, and I thinsk the only functional change is in
> fix_read_error(), if max_read_errors is negative, the judgement will
> always pass before this patch:
> 
> if (atomic_read(&rdev->read_errors) > max_read_errors)
> 

In addition, it is confusing for users after setting a huge number to it.
   # echo 4294967295 > /sys/block/$disk/md/max_read_errors
   # cat /sys/block/$disk/md/max_read_errors
     -1

-- 
Thanks,
Nan

Re: [PATCH v2 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter

[Li Nan]

在 2023/5/13 9:05, Song Liu 写道:
> On Fri, May 5, 2023 at 6:24 PM <linan666@huaweicloud.com> wrote:
>>
>> From: Li Nan <linan122@huawei.com>
>>
>> If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
>> will return -EINVAL because "page >= bitmap->pages", but the return value
>> was not checked immediately in md_bitmap_get_counter() in order to set
>> *blocks value and slab-out-of-bounds occurs.
>>
>> Return directly if err is -EINVAL.
>>
>> Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
>> Signed-off-by: Li Nan <linan122@huawei.com>
>> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>> ---
>>   drivers/md/md-bitmap.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
>> index 920bb68156d2..0b41ef422da7 100644
>> --- a/drivers/md/md-bitmap.c
>> +++ b/drivers/md/md-bitmap.c
>> @@ -1388,6 +1388,8 @@ __acquires(bitmap->lock)
>>          int err;
>>
>>          err = md_bitmap_checkpage(bitmap, page, create, 0);
>> +       if (err == -EINVAL)
>> +               return NULL;
> 
> This logic is error prone. Since we are on it, let's fix it better.
> Specifically, we can move "page >= bitmap->pages" check out

I will check out it in v3.

> of md_bitmap_checkpage(). (and fix the call site in md_bitmap_resize
> for clustered md).
> 

In md_bitmap_resize(), incoming parameters "page < bitmap->counts.page" 
and do not have this problem.


> Also, could you please add a mdadm test for this issue?
> 

It's my pleasure.

> Thanks,
> Song
> 
>>
>>          if (bitmap->bp[page].hijacked ||
>>              bitmap->bp[page].map == NULL)
>> --
>> 2.31.1
>>
> .

Thanks for your suggesion.

-- 
Thanks,
Nan

Re: [PATCH v2 2/4] md/raid10: fix overflow in safe_delay_store

[Li Nan]

在 2023/5/6 10:00, Yu Kuai 写道:
> Hi,
> 
> 在 2023/05/06 9:23, linan666@huaweicloud.com 写道:
>> From: Li Nan <linan122@huawei.com>
>>
>> There is no input check when echo md/safe_mode_delay, and overflow will
>> occur. There is risk of overflow in strict_strtoul_scaled(), too. Fix it
>> by using kstrtoul instead of parsing word one by one.
> 
> Other than some nits below, this patch looks good to me,
> feel free to add:
> 
> Reviewed-by: Yu Kuai <yukuai3@huawei.com>
>>
>> Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
>> Signed-off-by: Li Nan <linan122@huawei.com>
>> ---
>>   drivers/md/md.c | 70 ++++++++++++++++++++++++++++++++-----------------
>>   1 file changed, 46 insertions(+), 24 deletions(-)
>>
>> diff --git a/drivers/md/md.c b/drivers/md/md.c
>> index 8e344b4b3444..fd5c3babcd6d 100644
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -3767,52 +3767,74 @@ static int analyze_sbs(struct mddev *mddev)
>>    */
>>   int strict_strtoul_scaled(const char *cp, unsigned long *res, int 
>> scale)
>>   {
>> -    unsigned long result = 0;
>> -    long decimals = -1;
>> -    while (isdigit(*cp) || (*cp == '.' && decimals < 0)) {
>> -        if (*cp == '.')
>> -            decimals = 0;
>> -        else if (decimals < scale) {
>> -            unsigned int value;
>> -            value = *cp - '0';
>> -            result = result * 10 + value;
>> -            if (decimals >= 0)
>> -                decimals++;
>> -        }
>> -        cp++;
>> -    }
>> -    if (*cp == '\n')
>> -        cp++;
>> -    if (*cp)
>> +    unsigned long result = 0, decimals = 0;
>> +    char *pos, *str;
>> +    int rv;
>> +
>> +    str = kmemdup_nul(cp, strlen(cp), GFP_KERNEL);
>> +    if (!str)
>> +        return -ENOMEM;
>> +    pos = strchr(str, '.');
>> +    if (pos) {
>> +        int cnt = scale;
>> +
>> +        *pos = '\0';
>> +        while (isdigit(*(++pos))) {
>> +            if (cnt) {
>> +                decimals = decimals * 10 + *pos - '0';
>> +                cnt--;
>> +            }
>> +        }
>> +        if (*pos == '\n')
>> +            pos++;
>> +        if (*pos) {
>> +            kfree(str);
>> +            return -EINVAL;
>> +        }
>> +        decimals *= int_pow(10, cnt);
>> +    }
>> +
>> +    rv = kstrtoul(str, 10, &result);
>> +    kfree(str);
>> +    if (rv)
>> +        return rv;
>> +
>> +    if (result > (ULONG_MAX - decimals) / (unsigned int)int_pow(10, 
>> scale))
> 
> This is correct, I guess the reason to use unsigned int is that u64/u64
> will compile error in some 32-bit architecture. It's better to use
> div64_u64() here.
> 
>>           return -EINVAL;
>> -    if (decimals < 0)
>> -        decimals = 0;
>> -    *res = result * int_pow(10, scale - decimals);
>> -    return 0;
>> +    *res = result * int_pow(10, scale) + decimals;
>> +
>> +    return rv;
>>   }
>>   static ssize_t
>>   safe_delay_show(struct mddev *mddev, char *page)
>>   {
>> -    int msec = (mddev->safemode_delay*1000)/HZ;
>> -    return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
>> +    unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
>> +
>> +    return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
>>   }
>>   static ssize_t
>>   safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
>>   {
>>       unsigned long msec;
>> +    int ret;
>>       if (mddev_is_clustered(mddev)) {
>>           pr_warn("md: Safemode is disabled for clustered mode\n");
>>           return -EINVAL;
>>       }
>> -    if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
>> +    ret = strict_strtoul_scaled(cbuf, &msec, 3);
>> +    if (ret < 0)
>> +        return ret;
>> +    if (msec > UINT_MAX)
>>           return -EINVAL;
>> +
>>       if (msec == 0)
>>           mddev->safemode_delay = 0;
>>       else {
>>           unsigned long old_delay = mddev->safemode_delay;
>> +        /* HZ <= 1000, so new_delay < UINT_MAX, too */
> 
> new_delay <= UNIT_MAX
> 
>>           unsigned long new_delay = (msec*HZ)/1000;
> 
> There is no need do declare them as 'unsigned long', you can use
> 'unsigned int' directly now.
> 
> And you can also use DIV64_U64_ROUND_UP() directly here.
> 

I will fix it in v3.

> Thanks,
> Kuai
>>           if (new_delay == 0)
>>
> 
> .

-- 
Thanks,
Nan