From: Gao Xiang <hsiangkao@aol.com>
To: linux-erofs@lists.ozlabs.org, Chao Yu <yuchao0@huawei.com>
Cc: Chao Yu <chao@kernel.org>, Li Guifu <bluce.liguifu@huawei.com>, Fang Wei <fangwei1@huawei.com>, LKML <linux-kernel@vger.kernel.org>, Gao Xiang <hsiangkao@redhat.com>, Hongyu Jin <hongyu.jin@unisoc.com>, stable@vger.kernel.org
Subject: [PATCH v2] erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
Date: Fri, 19 Jun 2020 07:43:49 +0800
Message-ID: <20200618234349.22553-1-hsiangkao@aol.com>
In-Reply-To: <20200618111936.19845-1-hsiangkao@aol.com>

From: Gao Xiang <hsiangkao@redhat.com>

Hongyu reported "id != index" in z_erofs_onlinepage_fixup() with specific aarch64 environment easily, which wasn't shown before. After digging into that, I found that high 32 bits of page->private was set to 0xaaaaaaaa rather than 0 (due to z_erofs_onlinepage_init behavior with specific compiler options).

Actually we only use low 32 bits to keep the page information since page->private is only 4 bytes on most 32-bit platforms. However z_erofs_onlinepage_fixup() uses the upper 32 bits by mistake. Let's fix it now.

Reported-by: Hongyu Jin <hongyu.jin@unisoc.com>
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
---
change since v1:
 move .v assignment out since it doesn't need for every loop;

 fs/erofs/zdata.h | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h index 7824f5563a55..9b66c28b3ae9 100644 --- a/fs/erofs/zdata.h +++ b/fs/erofs/zdata.h 
@@ -144,22 +144,22 @@ static inline void z_erofs_onlinepage_init(struct page *page) static inline void z_erofs_onlinepage_fixup(struct page *page, uintptr_t index, bool down) { - unsigned long *p, o, v, id; -repeat: - p = &page_private(page); - o = READ_ONCE(*p); + union z_erofs_onlinepage_converter u = { .v = &page_private(page) }; + int orig, orig_index, val; - id = o >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT; - if (id) { +repeat: + orig = atomic_read(u.o); + orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT; + if (orig_index) { if (!index) return; - DBG_BUGON(id != index); + DBG_BUGON(orig_index != index); } - v = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) | - ((o & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down); - if (cmpxchg(p, o, v) != o) + val = (index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT) | + ((orig & Z_EROFS_ONLINEPAGE_COUNT_MASK) + (unsigned int)down); + if (atomic_cmpxchg(u.o, orig, val) != orig) goto repeat; } -- 2.24.0
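Review bot: `orig`, `orig_index` and `val` are declared as signed `int` while `index` is `uintptr_t`, so in `orig_index = orig >> Z_EROFS_ONLINEPAGE_INDEX_SHIFT` a stored word with its top bit set is shifted as a negative number, and `DBG_BUGON(orig_index != index)` then compares a sign-extended value against the unsigned `index`. The assignment to `val` also narrows `index << Z_EROFS_ONLINEPAGE_INDEX_SHIFT` to 32 bits without any check that `index` fits. Consider declaring the three locals `unsigned int` and adding a debug assertion on the range of `index`, so the comparison cannot trip spuriously on 64-bit builds and an oversized index is caught instead of being silently truncated.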