From: Gao Xiang <hsiangkao@aol.com>
To: linux-erofs@lists.ozlabs.org, Chao Yu <yuchao0@huawei.com>
Cc: Chao Yu <chao@kernel.org>, Li Guifu <bluce.liguifu@huawei.com>,
Fang Wei <fangwei1@huawei.com>,
LKML <linux-kernel@vger.kernel.org>,
Gao Xiang <hsiangkao@redhat.com>,
Hongyu Jin <hongyu.jin@unisoc.com>,
stable@vger.kernel.org
Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
Date: Fri, 19 Jun 2020 07:43:49 +0800 [thread overview]
Message-ID: <20200618234349.22553-1-hsiangkao@aol.com> (raw)
In-Reply-To: <20200618111936.19845-1-hsiangkao@aol.com>
From: Gao Xiang <hsiangkao@redhat.com>
Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.
After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.
Let's fix it now.
Reported-by: Hongyu Jin <hongyu.jin@unisoc.com>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
---
change since v1:
move .v assignment out since it doesn't need for every loop;
fs/erofs/zdata.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index 7824f5563a55..9b66c28b3ae9 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page)
static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
- unsigned long *p, o, v, id;
-repeat:
- p = &page_private(page);
- o = READ_ONCE(*p);
+ union z_erofs_onlinepage_converter u = { .v = &page_private(page) };
+ int orig, orig_index, val;
- id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
- if (id) {
+repeat:
+ orig = atomic_read(u.o);
+ orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+ if (orig_index) {
if (!index)
return;
- DBG_BUGON(id != index);
+ DBG_BUGON(orig_index != index);
}
- v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
- ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
- if (cmpxchg(p, o, v) != o)
+ val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+ ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+ if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}
--
2.24.0
WARNING: multiple messages have this Message-ID (diff)
From: Gao Xiang via Linux-erofs <linux-erofs@lists.ozlabs.org>
To: linux-erofs@lists.ozlabs.org, Chao Yu <yuchao0@huawei.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
Hongyu Jin <hongyu.jin@unisoc.com>,
stable@vger.kernel.org
Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
Date: Fri, 19 Jun 2020 07:43:49 +0800 [thread overview]
Message-ID: <20200618234349.22553-1-hsiangkao@aol.com> (raw)
In-Reply-To: <20200618111936.19845-1-hsiangkao@aol.com>
From: Gao Xiang <hsiangkao@redhat.com>
Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with
specific aarch64 environment easily, which wasn't shown before.
After digging into that, I found that high 32 bits of page->private
was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init
behavior with specific compiler options). Actually we only use low
32 bits to keep the page information since page->private is only 4
bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup()
uses the upper 32 bits by mistake.
Let's fix it now.
Reported-by: Hongyu Jin <hongyu.jin@unisoc.com>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
---
change since v1:
move .v assignment out since it doesn't need for every loop;
fs/erofs/zdata.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index 7824f5563a55..9b66c28b3ae9 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page)
static inline void z_erofs_onlinepage_fixup(struct page *page,
uintptr_t index, bool down)
{
- unsigned long *p, o, v, id;
-repeat:
- p = &page_private(page);
- o = READ_ONCE(*p);
+ union z_erofs_onlinepage_converter u = { .v = &page_private(page) };
+ int orig, orig_index, val;
- id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
- if (id) {
+repeat:
+ orig = atomic_read(u.o);
+ orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT;
+ if (orig_index) {
if (!index)
return;
- DBG_BUGON(id != index);
+ DBG_BUGON(orig_index != index);
}
- v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
- ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
- if (cmpxchg(p, o, v) != o)
+ val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) |
+ ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down);
+ if (atomic_cmpxchg(u.o, orig, val) != orig)
goto repeat;
}
--
2.24.0
next prev parent reply other threads:[~2020-06-18 23:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200618111936.19845-1-hsiangkao.ref@aol.com>
2020-06-18 11:19 ` [PATCH] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup Gao Xiang
2020-06-18 11:19 ` Gao Xiang via Linux-erofs
2020-06-18 23:43 ` Gao Xiang [this message]
2020-06-18 23:43 ` [PATCH v2] " Gao Xiang via Linux-erofs
2020-06-19 9:00 ` 金红宇 (Hongyu Jin)
2020-06-19 9:00 ` 金红宇 (Hongyu Jin)
2020-06-19 9:13 ` 金红宇 (Hongyu Jin)
2020-06-19 9:13 ` 金红宇 (Hongyu Jin)
2020-06-24 1:42 ` Chao Yu
2020-06-24 1:42 ` Chao Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200618234349.22553-1-hsiangkao@aol.com \
--to=hsiangkao@aol.com \
--cc=bluce.liguifu@huawei.com \
--cc=chao@kernel.org \
--cc=fangwei1@huawei.com \
--cc=hongyu.jin@unisoc.com \
--cc=hsiangkao@redhat.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.