mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-04 16:15:11 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/md
History
Coly Li a75d830333 bcache: fix stack corruption by PRECEDING_KEY() 
commit 31b90956b1 upstream.

Recently people report bcache code compiled with gcc9 is broken, one of
the buggy behavior I observe is that two adjacent 4KB I/Os should merge
into one but they don't. Finally it turns out to be a stack corruption
caused by macro PRECEDING_KEY().

See how PRECEDING_KEY() is defined in bset.h,
437 #define PRECEDING_KEY(_k)                                       \
438 ({                                                              \
439         struct bkey *_ret = NULL;                               \
440                                                                 \
441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
443                                                                 \
444                 if (!_ret->low)                                 \
445                         _ret->high--;                           \
446                 _ret->low--;                                    \
447         }                                                       \
448                                                                 \
449         _ret;                                                   \
450 })

At line 442, _ret points to address of a on-stack variable combined by
KEY(), the life range of this on-stack variable is in line 442-446,
once _ret is returned to bch_btree_insert_key(), the returned address
points to an invalid stack address and this address is overwritten in
the following called bch_btree_iter_init(). Then argument 'search' of
bch_btree_iter_init() points to some address inside stackframe of
bch_btree_iter_init(), exact address depends on how the compiler
allocates stack space. Now the stack is corrupted.

Fixes: 0eacac2203 ("bcache: PRECEDING_KEY()")
Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Rolf Fokkens <rolf@rolffokkens.nl>
Reviewed-by: Pierre JUHEN <pierre.juhen@orange.fr>
Tested-by: Shenghui Wang <shhuiw@foxmail.com>
Tested-by: Pierre JUHEN <pierre.juhen@orange.fr>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Nix <nix@esperi.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-19 08:20:55 +02:00
..
bcache bcache: fix stack corruption by PRECEDING_KEY() 2019-06-19 08:20:55 +02:00
persistent-data dm btree: fix serious bug in btree_split_beneath() 2018-01-23 19:58:18 +01:00
bitmap.c md: free unused memory after bitmap resize 2017-12-17 15:08:00 +01:00
bitmap.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-bio-prison-v1.c dm bio prison: use rb_entry() rather than container_of() 2017-06-19 11:03:50 -04:00
dm-bio-prison-v1.h block: switch bios to blk_status_t 2017-06-09 09:27:32 -06:00
dm-bio-prison-v2.c dm bio prison: use rb_entry() rather than container_of() 2017-06-19 11:03:50 -04:00
dm-bio-prison-v2.h dm bio prison v2: new interface for the bio prison 2017-03-07 11:30:16 -05:00
dm-bio-record.h block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
dm-bufio.c dm bufio: avoid false-positive Wmaybe-uninitialized warning 2018-03-15 10:54:33 +01:00
dm-bufio.h dm integrity: optimize writing dm-bufio buffers that are partially changed 2017-08-28 11:47:17 -04:00
dm-builtin.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-cache-background-tracker.c dm cache: handle kmalloc failure allocating background_tracker struct 2017-05-17 09:44:53 -04:00
dm-cache-background-tracker.h dm cache: significant rework to leverage dm-bio-prison-v2 2017-03-07 13:28:31 -05:00
dm-cache-block-types.h
dm-cache-metadata.c dm cache metadata: Fix loading discard bitset 2019-05-25 18:25:32 +02:00
dm-cache-metadata.h dm cache: significant rework to leverage dm-bio-prison-v2 2017-03-07 13:28:31 -05:00
dm-cache-policy-internal.h dm cache: significant rework to leverage dm-bio-prison-v2 2017-03-07 13:28:31 -05:00
dm-cache-policy-smq.c dm cache policy smq: don't do any writebacks unless IDLE 2017-05-14 21:54:33 -04:00
dm-cache-policy.c
dm-cache-policy.h dm cache: significant rework to leverage dm-bio-prison-v2 2017-03-07 13:28:31 -05:00
dm-cache-target.c dm cache: destroy migration_cache if cache target registration failed 2018-10-18 09:16:24 +02:00
dm-core.h dm: allocate struct mapped_device with kvzalloc 2017-11-30 08:40:43 +00:00
dm-crypt.c dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL recursion deadlock 2019-04-20 09:15:08 +02:00
dm-delay.c dm delay: fix a crash when invalid device is specified 2019-05-25 18:25:33 +02:00
dm-era-target.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
dm-exception-store.c
dm-exception-store.h
dm-flakey.c dm linear: fix linear_end_io conditional definition 2018-10-18 09:16:24 +02:00
dm-integrity.c dm integrity: change memcmp to strncmp in dm_integrity_ctr 2019-05-02 09:40:32 +02:00
dm-io.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
dm-ioctl.c dm ioctl: harden copy_params()'s copy_from_user() from malicious users 2018-11-13 11:15:10 -08:00
dm-kcopyd.c dm kcopyd: Fix bug causing workqueue stalls 2019-01-26 09:37:05 +01:00
dm-linear.c dm linear: fix linear_end_io conditional definition 2018-10-18 09:16:24 +02:00
dm-log-userspace-base.c
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c - Some request-based DM core and DM multipath fixes and cleanups 2017-09-14 13:43:16 -07:00
dm-log.c
dm-mpath.c dm mpath: return DM_MAPIO_REQUEUE on blk-mq rq allocation failure 2018-04-26 11:02:07 +02:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-queue-length.c
dm-raid.c dm raid: fix rebuild of specific devices by updating superblock 2018-10-10 08:54:24 +02:00
dm-raid1.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
dm-region-hash.c
dm-round-robin.c
dm-rq.c dm rq: do not update rq partially in each ending bio 2017-08-28 10:23:28 -04:00
dm-rq.h dm rq: do not update rq partially in each ending bio 2017-08-28 10:23:28 -04:00
dm-service-time.c
dm-snap-persistent.c dm: make flush bios explicitly sync 2017-05-31 10:50:23 -04:00
dm-snap-transient.c
dm-snap.c dm snapshot: Fix excessive memory usage and workqueue stalls 2019-01-26 09:37:05 +01:00
dm-stats.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-stats.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-stripe.c - Some request-based DM core and DM multipath fixes and cleanups 2017-09-14 13:43:16 -07:00
dm-switch.c - Some request-based DM core and DM multipath fixes and cleanups 2017-09-14 13:43:16 -07:00
dm-sysfs.c
dm-table.c dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors 2019-04-17 08:37:55 +02:00
dm-target.c dm: don't return errnos from ->map 2017-06-09 09:27:32 -06:00
dm-thin-metadata.c dm thin: fix passdown_double_checking_shared_status() 2019-01-31 08:13:45 +01:00
dm-thin-metadata.h dm thin: fix passdown_double_checking_shared_status() 2019-01-31 08:13:45 +01:00
dm-thin.c dm thin: add sanity checks to thin-pool and external snapshot creation 2019-04-05 22:31:28 +02:00
dm-uevent.c
dm-uevent.h
dm-verity-fec.c dm verity fec: fix GFP flags used with mempool_alloc() 2017-07-26 15:55:44 -04:00
dm-verity-fec.h dm verity fec: limit error correction recursion 2017-03-16 09:37:31 -04:00
dm-verity-target.c dm verity: fix crash on bufio buffer that was allocated with vmalloc 2019-01-13 10:01:04 +01:00
dm-verity.h dm verity: switch to using asynchronous hash crypto API 2017-04-24 15:37:04 -04:00
dm-zero.c dm: don't return errnos from ->map 2017-06-09 09:27:32 -06:00
dm-zoned-metadata.c dm zoned: Fix zone report handling 2019-05-25 18:25:33 +02:00
dm-zoned-reclaim.c dm zoned: use GFP_NOIO in I/O path 2017-07-26 15:55:43 -04:00
dm-zoned-target.c dm zoned: Fix target BIO completion handling 2019-01-13 10:01:04 +01:00
dm-zoned.h dm zoned: drive-managed zoned block device target 2017-06-19 11:05:20 -04:00
dm.c dm: fix report zone remapping to account for partition offset 2018-10-18 09:16:24 +02:00
dm.h dm: introduce enum dm_queue_mode to cleanup related code 2017-04-27 17:08:44 -04:00
faulty.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
Kconfig dm zoned: drive-managed zoned block device target 2017-06-19 11:05:20 -04:00
linear.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
linear.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
md-cluster.c md-cluster: clear another node's suspend_area after the copy is finished 2018-10-03 17:00:47 -07:00
md-cluster.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
md.c md: add mddev->pers to avoid potential NULL pointer dereference 2019-05-25 18:25:18 +02:00
md.h md: remove special meaning of ->quiesce(.., 2) 2018-07-08 15:30:50 +02:00
multipath.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
multipath.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid0.c md: remove special meaning of ->quiesce(.., 2) 2018-07-08 15:30:50 +02:00
raid0.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid1-10.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid1.c md/raid1: don't clear bitmap bits on interrupted recovery. 2019-02-20 10:20:54 +01:00
raid1.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid5-cache.c md/raid5: fix 'out of memory' during raid cache recovery 2019-02-06 17:31:37 +01:00
raid5-log.h md/raid5-cache: disable reshape completely 2018-10-10 08:54:20 +02:00
raid5-ppl.c raid5-ppl: check recovery_offset when performing ppl recovery 2017-12-20 10:10:36 +01:00
raid5.c md/raid: raid5 preserve the writeback action after the parity check 2019-05-25 18:25:37 +02:00
raid5.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid10.c md: Fix failed allocation of md_register_thread 2019-03-23 14:35:30 +01:00
raid10.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00