summarylogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.SRCINFO4
-rw-r--r--0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch128
-rw-r--r--PKGBUILD6
3 files changed, 135 insertions, 3 deletions
diff --git a/.SRCINFO b/.SRCINFO
index dc356fd2e19..205beb795bc 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-ck
pkgver = 5.1.10
- pkgrel = 1
+ pkgrel = 2
url = https://wiki.archlinux.org/index.php/Linux-ck
arch = x86_64
license = GPL2
@@ -19,6 +19,7 @@ pkgbase = linux-ck
source = http://ck.kolivas.org/patches/5.0/5.1/5.1-ck1/patch-5.1-ck1.xz
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+ source = 0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha256sums = 39063041532579cb7e9fab5837313a8e6639c1c583cd39c72b313b3abfa9fbcf
@@ -31,6 +32,7 @@ pkgbase = linux-ck
sha256sums = f8d18a34f6b17ec8e5f2a7354383ca627e0fd00b5578c1ee7d9808a34f33c724
sha256sums = 91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3
sha256sums = 63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9
+ sha256sums = 0c6fcda6bf2d56358b557c1b8a0de6e1e40cc75df161eb2daf6841652cd431de
pkgname = linux-ck
pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.192
diff --git a/0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch b/0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch
new file mode 100644
index 00000000000..812a5cd7b97
--- /dev/null
+++ b/0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch
@@ -0,0 +1,128 @@
+From 9e50f5f4ef401c4a5cd286ee3218fcc625ef6f77 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 10 Jun 2019 06:13:34 +0800
+Subject: [PATCH 3/4] bcache: fix stack corruption by PRECEDING_KEY()
+
+Recently people report bcache code compiled with gcc9 is broken, one of
+the buggy behavior I observe is that two adjacent 4KB I/Os should merge
+into one but they don't. Finally it turns out to be a stack corruption
+caused by macro PRECEDING_KEY().
+
+See how PRECEDING_KEY() is defined in bset.h,
+437 #define PRECEDING_KEY(_k) \
+438 ({ \
+439 struct bkey *_ret = NULL; \
+440 \
+441 if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \
+442 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \
+443 \
+444 if (!_ret->low) \
+445 _ret->high--; \
+446 _ret->low--; \
+447 } \
+448 \
+449 _ret; \
+450 })
+
+At line 442, _ret points to address of a on-stack variable combined by
+KEY(), the life range of this on-stack variable is in line 442-446,
+once _ret is returned to bch_btree_insert_key(), the returned address
+points to an invalid stack address and this address is overwritten in
+the following called bch_btree_iter_init(). Then argument 'search' of
+bch_btree_iter_init() points to some address inside stackframe of
+bch_btree_iter_init(), exact address depends on how the compiler
+allocates stack space. Now the stack is corrupted.
+
+Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()")
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Rolf Fokkens <rolf@rolffokkens.nl>
+Reviewed-by: Pierre JUHEN <pierre.juhen@orange.fr>
+Tested-by: Shenghui Wang <shhuiw@foxmail.com>
+Tested-by: Pierre JUHEN <pierre.juhen@orange.fr>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ drivers/md/bcache/bset.c | 16 +++++++++++++---
+ drivers/md/bcache/bset.h | 34 ++++++++++++++++++++--------------
+ 2 files changed, 33 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c
+index 8f07fa6e1739..268f1b685084 100644
+--- a/drivers/md/bcache/bset.c
++++ b/drivers/md/bcache/bset.c
+@@ -887,12 +887,22 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k,
+ struct bset *i = bset_tree_last(b)->data;
+ struct bkey *m, *prev = NULL;
+ struct btree_iter iter;
++ struct bkey preceding_key_on_stack = ZERO_KEY;
++ struct bkey *preceding_key_p = &preceding_key_on_stack;
+
+ BUG_ON(b->ops->is_extents && !KEY_SIZE(k));
+
+- m = bch_btree_iter_init(b, &iter, b->ops->is_extents
+- ? PRECEDING_KEY(&START_KEY(k))
+- : PRECEDING_KEY(k));
++ /*
++ * If k has preceding key, preceding_key_p will be set to address
++ * of k's preceding key; otherwise preceding_key_p will be set
++ * to NULL inside preceding_key().
++ */
++ if (b->ops->is_extents)
++ preceding_key(&START_KEY(k), &preceding_key_p);
++ else
++ preceding_key(k, &preceding_key_p);
++
++ m = bch_btree_iter_init(b, &iter, preceding_key_p);
+
+ if (b->ops->insert_fixup(b, k, &iter, replace_key))
+ return status;
+diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h
+index bac76aabca6d..c71365e7c1fa 100644
+--- a/drivers/md/bcache/bset.h
++++ b/drivers/md/bcache/bset.h
+@@ -434,20 +434,26 @@ static inline bool bch_cut_back(const struct bkey *where, struct bkey *k)
+ return __bch_cut_back(where, k);
+ }
+
+-#define PRECEDING_KEY(_k) \
+-({ \
+- struct bkey *_ret = NULL; \
+- \
+- if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \
+- _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \
+- \
+- if (!_ret->low) \
+- _ret->high--; \
+- _ret->low--; \
+- } \
+- \
+- _ret; \
+-})
++/*
++ * Pointer '*preceding_key_p' points to a memory object to store preceding
++ * key of k. If the preceding key does not exist, set '*preceding_key_p' to
++ * NULL. So the caller of preceding_key() needs to take care of memory
++ * which '*preceding_key_p' pointed to before calling preceding_key().
++ * Currently the only caller of preceding_key() is bch_btree_insert_key(),
++ * and it points to an on-stack variable, so the memory release is handled
++ * by stackframe itself.
++ */
++static inline void preceding_key(struct bkey *k, struct bkey **preceding_key_p)
++{
++ if (KEY_INODE(k) || KEY_OFFSET(k)) {
++ (**preceding_key_p) = KEY(KEY_INODE(k), KEY_OFFSET(k), 0);
++ if (!(*preceding_key_p)->low)
++ (*preceding_key_p)->high--;
++ (*preceding_key_p)->low--;
++ } else {
++ (*preceding_key_p) = NULL;
++ }
++}
+
+ static inline bool bch_ptr_invalid(struct btree_keys *b, const struct bkey *k)
+ {
+--
+2.22.0
+
diff --git a/PKGBUILD b/PKGBUILD
index abe6ad5e065..fbcecfd3948 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -63,7 +63,7 @@ _localmodcfg=
pkgbase=linux-ck
_srcver=5.1.10-arch1
pkgver=${_srcver%-*}
-pkgrel=1
+pkgrel=2
_ckpatchversion=1
arch=(x86_64)
url="https://wiki.archlinux.org/index.php/Linux-ck"
@@ -82,6 +82,7 @@ source=(
"http://ck.kolivas.org/patches/5.0/5.1/5.1-ck${_ckpatchversion}/$_ckpatch.xz"
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+ 0003-bcache-fix-stack-corruption-by-PRECEDING_KEY.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -96,7 +97,8 @@ sha256sums=('39063041532579cb7e9fab5837313a8e6639c1c583cd39c72b313b3abfa9fbcf'
'226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d'
'f8d18a34f6b17ec8e5f2a7354383ca627e0fd00b5578c1ee7d9808a34f33c724'
'91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3'
- '63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9')
+ '63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9'
+ '0c6fcda6bf2d56358b557c1b8a0de6e1e40cc75df161eb2daf6841652cd431de')
_kernelname=${pkgbase#linux}
: ${_kernelname:=-ARCH}