Patch "md/raid5: fix atomicity violation in raid5_cache_count" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    md/raid5: fix atomicity violation in raid5_cache_count

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     md-raid5-fix-atomicity-violation-in-raid5_cache_coun.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 099fe23afbbc96faf0ea00b971e79d4cb6e0b705
Author: Gui-Dong Han <2045gemini@xxxxxxxxx>
Date:   Fri Jan 12 15:10:17 2024 +0800

    md/raid5: fix atomicity violation in raid5_cache_count
    
    [ Upstream commit dfd2bf436709b2bccb78c2dda550dde93700efa7 ]
    
    In raid5_cache_count():
        if (conf->max_nr_stripes < conf->min_nr_stripes)
            return 0;
        return conf->max_nr_stripes - conf->min_nr_stripes;
    The current check is ineffective, as the values could change immediately
    after being checked.
    
    In raid5_set_cache_size():
        ...
        conf->min_nr_stripes = size;
        ...
        while (size > conf->max_nr_stripes)
            conf->min_nr_stripes = conf->max_nr_stripes;
        ...
    
    Due to intermediate value updates in raid5_set_cache_size(), concurrent
    execution of raid5_cache_count() and raid5_set_cache_size() may lead to
    inconsistent reads of conf->max_nr_stripes and conf->min_nr_stripes.
    The current checks are ineffective as values could change immediately
    after being checked, raising the risk of conf->min_nr_stripes exceeding
    conf->max_nr_stripes and potentially causing an integer overflow.
    
    This possible bug is found by an experimental static analysis tool
    developed by our team. This tool analyzes the locking APIs to extract
    function pairs that can be concurrently executed, and then analyzes the
    instructions in the paired functions to identify possible concurrency bugs
    including data races and atomicity violations. The above possible bug is
    reported when our tool analyzes the source code of Linux 6.2.
    
    To resolve this issue, it is suggested to introduce local variables
    'min_stripes' and 'max_stripes' in raid5_cache_count() to ensure the
    values remain stable throughout the check. Adding locks in
    raid5_cache_count() fails to resolve atomicity violations, as
    raid5_set_cache_size() may hold intermediate values of
    conf->min_nr_stripes while unlocked. With this patch applied, our tool no
    longer reports the bug, with the kernel configuration allyesconfig for
    x86_64. Due to the lack of associated hardware, we cannot test the patch
    in runtime testing, and just verify it according to the code logic.
    
    Fixes: edbe83ab4c27 ("md/raid5: allow the stripe_cache to grow and shrink.")
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Gui-Dong Han <2045gemini@xxxxxxxxx>
    Reviewed-by: Yu Kuai <yukuai3@xxxxxxxxxx>
    Signed-off-by: Song Liu <song@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240112071017.16313-1-2045gemini@xxxxxxxxx
    Signed-off-by: Song Liu <song@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index e4564ca1f2434..8cf2317857e0a 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -2420,7 +2420,7 @@ static int grow_one_stripe(struct r5conf *conf, gfp_t gfp)
 	atomic_inc(&conf->active_stripes);
 
 	raid5_release_stripe(sh);
-	conf->max_nr_stripes++;
+	WRITE_ONCE(conf->max_nr_stripes, conf->max_nr_stripes + 1);
 	return 1;
 }
 
@@ -2717,7 +2717,7 @@ static int drop_one_stripe(struct r5conf *conf)
 	shrink_buffers(sh);
 	free_stripe(conf->slab_cache, sh);
 	atomic_dec(&conf->active_stripes);
-	conf->max_nr_stripes--;
+	WRITE_ONCE(conf->max_nr_stripes, conf->max_nr_stripes - 1);
 	return 1;
 }
 
@@ -6891,7 +6891,7 @@ raid5_set_cache_size(struct mddev *mddev, int size)
 	if (size <= 16 || size > 32768)
 		return -EINVAL;
 
-	conf->min_nr_stripes = size;
+	WRITE_ONCE(conf->min_nr_stripes, size);
 	mutex_lock(&conf->cache_size_mutex);
 	while (size < conf->max_nr_stripes &&
 	       drop_one_stripe(conf))
@@ -6903,7 +6903,7 @@ raid5_set_cache_size(struct mddev *mddev, int size)
 	mutex_lock(&conf->cache_size_mutex);
 	while (size > conf->max_nr_stripes)
 		if (!grow_one_stripe(conf, GFP_KERNEL)) {
-			conf->min_nr_stripes = conf->max_nr_stripes;
+			WRITE_ONCE(conf->min_nr_stripes, conf->max_nr_stripes);
 			result = -ENOMEM;
 			break;
 		}
@@ -7468,11 +7468,13 @@ static unsigned long raid5_cache_count(struct shrinker *shrink,
 				       struct shrink_control *sc)
 {
 	struct r5conf *conf = container_of(shrink, struct r5conf, shrinker);
+	int max_stripes = READ_ONCE(conf->max_nr_stripes);
+	int min_stripes = READ_ONCE(conf->min_nr_stripes);
 
-	if (conf->max_nr_stripes < conf->min_nr_stripes)
+	if (max_stripes < min_stripes)
 		/* unlikely, but not impossible */
 		return 0;
-	return conf->max_nr_stripes - conf->min_nr_stripes;
+	return max_stripes - min_stripes;
 }
 
 static struct r5conf *setup_conf(struct mddev *mddev)




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux