From dbdcc906d978650417b076a875b0f962fcdf79dd Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Sun, 20 Mar 2022 17:12:46 -0400 Subject: dm ioctl: log an error if the ioctl structure is corrupted This will help triage bugs when userspace is passing invalid ioctl structure to the kernel. Signed-off-by: Mikulas Patocka [snitzer: log errors using DMERR instead of DMWARN] Signed-off-by: Mike Snitzer --- drivers/md/dm-ioctl.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'drivers/md') diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 901abd6dea41..87310fceb0d8 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -891,15 +891,21 @@ static struct hash_cell *__find_device_hash_cell(struct dm_ioctl *param) struct hash_cell *hc = NULL; if (*param->uuid) { - if (*param->name || param->dev) + if (*param->name || param->dev) { + DMERR("Invalid ioctl structure: uuid %s, name %s, dev %llx", + param->uuid, param->name, (unsigned long long)param->dev); return NULL; + } hc = __get_uuid_cell(param->uuid); if (!hc) return NULL; } else if (*param->name) { - if (param->dev) + if (param->dev) { + DMERR("Invalid ioctl structure: name %s, dev %llx", + param->name, (unsigned long long)param->dev); return NULL; + } hc = __get_name_cell(param->name); if (!hc) @@ -1851,8 +1857,11 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern if (copy_from_user(param_kernel, user, minimum_data_size)) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) + if (param_kernel->data_size < minimum_data_size) { + DMERR("Invalid data size in the ioctl structure: %u", + param_kernel->data_size); return -EINVAL; + } secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG; -- cgit v1.2.3 From cc09e8a9dec4f0e8299e80a7a2a8e6f54164a10b Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Sat, 26 Mar 2022 10:24:56 -0400 Subject: dm integrity: set journal entry unused when shrinking device Commit f6f72f32c22c ("dm integrity: don't replay journal data past the end of the device") skips journal replay if the target sector points beyond the end of the device. Unfortunatelly, it doesn't set the journal entry unused, which resulted in this BUG being triggered: BUG_ON(!journal_entry_is_unused(je)) Fix this by calling journal_entry_set_unused() for this case. Fixes: f6f72f32c22c ("dm integrity: don't replay journal data past the end of the device") Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Mikulas Patocka Tested-by: Milan Broz [snitzer: revised header] Signed-off-by: Mike Snitzer --- drivers/md/dm-integrity.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/md') diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index c58a5111cb57..ad2d5faa2ebb 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -2472,9 +2472,11 @@ static void do_journal_write(struct dm_integrity_c *ic, unsigned write_start, dm_integrity_io_error(ic, "invalid sector in journal", -EIO); sec &= ~(sector_t)(ic->sectors_per_block - 1); } + if (unlikely(sec >= ic->provided_data_sectors)) { + journal_entry_set_unused(je); + continue; + } } - if (unlikely(sec >= ic->provided_data_sectors)) - continue; get_area_and_offset(ic, sec, &area, &offset); restore_last_bytes(ic, access_journal_data(ic, i, j), je); for (k = j + 1; k < ic->journal_section_entries; k++) { -- cgit v1.2.3 From aad5b23ebf21573a32b6f07644f028d64492a5d6 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Mon, 28 Mar 2022 12:34:31 -0400 Subject: dm: fix dm_io and dm_target_io flags race condition on Alpha Early alpha processors cannot write a single byte or short; they read 8 bytes, modify the value in registers and write back 8 bytes. This could cause race condition in the structure dm_io - if the fields flags and io_count are modified simultaneously. Fix this bug by using 32-bit flags if we are on Alpha and if we are compiling for a processor that doesn't have the byte-word-extension. Signed-off-by: Mikulas Patocka Fixes: bd4a6dd241ae ("dm: reduce size of dm_io and dm_target_io structs") [snitzer: Jens allowed this change since Mikulas owns a relevant Alpha!] Acked-by: Jens Axboe Signed-off-by: Mike Snitzer --- drivers/md/dm-core.h | 4 ++-- include/linux/blk_types.h | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/md') diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 4081cb6cf7b3..4277853c7535 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -210,7 +210,7 @@ struct dm_table { #define DM_TIO_MAGIC 28714 struct dm_target_io { unsigned short magic; - unsigned short flags; + blk_short_t flags; unsigned int target_bio_nr; struct dm_io *io; struct dm_target *ti; @@ -244,7 +244,7 @@ static inline void dm_tio_set_flag(struct dm_target_io *tio, unsigned int bit) #define DM_IO_MAGIC 19577 struct dm_io { unsigned short magic; - unsigned short flags; + blk_short_t flags; atomic_t io_count; struct mapped_device *md; struct bio *orig_bio; diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h index dd0763a1c674..1973ef9bd40f 100644 --- a/include/linux/blk_types.h +++ b/include/linux/blk_types.h @@ -85,8 +85,10 @@ struct block_device { */ #if defined(CONFIG_ALPHA) && !defined(__alpha_bwx__) typedef u32 __bitwise blk_status_t; +typedef u32 blk_short_t; #else typedef u8 __bitwise blk_status_t; +typedef u16 blk_short_t; #endif #define BLK_STS_OK 0 #define BLK_STS_NOTSUPP ((__force blk_status_t)1) -- cgit v1.2.3 From 5291984004edfcc7510024e52eaed044573b79c7 Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Fri, 1 Apr 2022 09:47:32 -0400 Subject: dm: fix bio polling to handle possibile BLK_STS_AGAIN Expanded testing of DM's bio polling support (using more fio threads to dm-linear ontop of null_blk) exposed the possibility for polled bios to hang (repeatedly polling in io_uring) when null_blk responds with BLK_STS_AGAIN (due to lack of resources): 1) io_complete_rw_iopoll() is called from blkdev_bio_end_io_async() to notify kiocb is done, that is the completion interface between block layer and io_uring 2) io_complete_rw_iopoll() is called from io_do_iopoll() 3) dm returns BLK_STS_AGAIN for one bio (on behalf of underlying driver), then io_complete_rw_iopoll is called, but io_do_iopoll() doesn't handle -EAGAIN at all (due to logic in io_rw_should_reissue) 4) reason for dm's BLK_STS_AGAIN is underlying null_blk driver ran out of requests (easier to reproduce by setting low hw_queue_depth). 5) dm should handle BLK_STS_AGAIN for POLLED underlying IO, and may retry in dm layer. This fix adds REQ_POLLED specific BLK_STS_AGAIN handling to dm_io_complete() that clears REQ_POLLED and requeues the bio to DM using queue_io(). Fixes: b99fdcdc3636 ("dm: support bio polling") Signed-off-by: Ming Lei [snitzer: revised header, reused dm_io_complete's REQ_POLLED case] Signed-off-by: Mike Snitzer --- drivers/md/dm.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'drivers/md') diff --git a/drivers/md/dm.c b/drivers/md/dm.c index ad2e0bbeb559..3c5fad7c4ee6 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -892,13 +892,19 @@ static void dm_io_complete(struct dm_io *io) if (unlikely(wq_has_sleeper(&md->wait))) wake_up(&md->wait); - if (io_error == BLK_STS_DM_REQUEUE) { - /* - * Upper layer won't help us poll split bio, io->orig_bio - * may only reflect a subset of the pre-split original, - * so clear REQ_POLLED in case of requeue - */ - bio->bi_opf &= ~REQ_POLLED; + if (io_error == BLK_STS_DM_REQUEUE || io_error == BLK_STS_AGAIN) { + if (bio->bi_opf & REQ_POLLED) { + /* + * Upper layer won't help us poll split bio (io->orig_bio + * may only reflect a subset of the pre-split original) + * so clear REQ_POLLED in case of requeue. + */ + bio->bi_opf &= ~REQ_POLLED; + if (io_error == BLK_STS_AGAIN) { + /* io_uring doesn't handle BLK_STS_AGAIN (yet) */ + queue_io(md, bio); + } + } return; } -- cgit v1.2.3