From af11d2151ee2bae2f1155d7b21182968039f06e0 Mon Sep 17 00:00:00 2001 From: David Runge Date: Tue, 18 Jun 2019 09:00:38 +0200 Subject: PKGBUILD: Adding bcache_fix.patch to circumenvent bcache related filesystem corruption, when building the kernel with gcc >= 9.0.0. --- .SRCINFO | 4 +- PKGBUILD | 4 +- bcache_fix.patch | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 bcache_fix.patch diff --git a/.SRCINFO b/.SRCINFO index ff0b585..7a88c1a 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = linux-rt-lts pkgver = 4.19.50_rt22 - pkgrel = 1 + pkgrel = 2 url = https://git.archlinux.org/linux.git/log/?h=v arch = x86_64 license = GPL2 @@ -16,6 +16,7 @@ pkgbase = linux-rt-lts source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.50-rt22.patch.xz source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.50-rt22.patch.sign source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + source = bcache_fix.patch source = config source = 60-linux-rt-lts.hook source = 90-linux-rt-lts.hook @@ -31,6 +32,7 @@ pkgbase = linux-rt-lts sha256sums = fc842d2e108cd4f21c168de3e3e75f41e43e519dd4dffbc3230bed67e9d24b89 sha256sums = SKIP sha256sums = 75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc + sha256sums = fe00e6f26f167b2041f4e60588cc60ab8169f26efb4a7c47ee7d60320e4ca27d sha256sums = 203221ce5e835e55f87585340ca7e50b3a8eefbb58161570479a1cf88963e2b7 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919 diff --git a/PKGBUILD b/PKGBUILD index 0c07dc7..406f255 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -11,7 +11,7 @@ pkgbase=linux-rt-lts # Build kernel with a different name _pkgver=4.19.50 _rtpatchver=rt22 pkgver=${_pkgver}_${_rtpatchver} -pkgrel=1 +pkgrel=2 arch=('x86_64') url="https://git.archlinux.org/linux.git/log/?h=v$_srcver" license=('GPL2') @@ -24,6 +24,7 @@ source=( "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-${_rtpatchver}.patch.xz" "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-${_rtpatchver}.patch.sign" 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + bcache_fix.patch config # the main kernel config file 60-${pkgbase}.hook # pacman hook for depmod 90-${pkgbase}.hook # pacman hook for initramfs regeneration @@ -42,6 +43,7 @@ sha256sums=('a9987423918abd20ee68d6e9b14b7225eaca8a586bf75fb56c49f6e1e47ce01e' 'fc842d2e108cd4f21c168de3e3e75f41e43e519dd4dffbc3230bed67e9d24b89' 'SKIP' '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc' + 'fe00e6f26f167b2041f4e60588cc60ab8169f26efb4a7c47ee7d60320e4ca27d' '203221ce5e835e55f87585340ca7e50b3a8eefbb58161570479a1cf88963e2b7' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' diff --git a/bcache_fix.patch b/bcache_fix.patch new file mode 100644 index 0000000..f5c94a5 --- /dev/null +++ b/bcache_fix.patch @@ -0,0 +1,129 @@ +From 9e50f5f4ef401c4a5cd286ee3218fcc625ef6f77 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 10 Jun 2019 06:13:34 +0800 +Subject: bcache: fix stack corruption by PRECEDING_KEY() + +Recently people report bcache code compiled with gcc9 is broken, one of +the buggy behavior I observe is that two adjacent 4KB I/Os should merge +into one but they don't. Finally it turns out to be a stack corruption +caused by macro PRECEDING_KEY(). + +See how PRECEDING_KEY() is defined in bset.h, +437 #define PRECEDING_KEY(_k) \ +438 ({ \ +439 struct bkey *_ret = NULL; \ +440 \ +441 if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \ +442 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \ +443 \ +444 if (!_ret->low) \ +445 _ret->high--; \ +446 _ret->low--; \ +447 } \ +448 \ +449 _ret; \ +450 }) + +At line 442, _ret points to address of a on-stack variable combined by +KEY(), the life range of this on-stack variable is in line 442-446, +once _ret is returned to bch_btree_insert_key(), the returned address +points to an invalid stack address and this address is overwritten in +the following called bch_btree_iter_init(). Then argument 'search' of +bch_btree_iter_init() points to some address inside stackframe of +bch_btree_iter_init(), exact address depends on how the compiler +allocates stack space. Now the stack is corrupted. + +Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()") +Signed-off-by: Coly Li +Reviewed-by: Rolf Fokkens +Reviewed-by: Pierre JUHEN +Tested-by: Shenghui Wang +Tested-by: Pierre JUHEN +Cc: Kent Overstreet +Cc: Nix +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +--- + drivers/md/bcache/bset.c | 16 +++++++++++++--- + drivers/md/bcache/bset.h | 34 ++++++++++++++++++++-------------- + 2 files changed, 33 insertions(+), 17 deletions(-) + +diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c +index 8f07fa6e1739..268f1b685084 100644 +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -887,12 +887,22 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k, + struct bset *i = bset_tree_last(b)->data; + struct bkey *m, *prev = NULL; + struct btree_iter iter; ++ struct bkey preceding_key_on_stack = ZERO_KEY; ++ struct bkey *preceding_key_p = &preceding_key_on_stack; + + BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); + +- m = bch_btree_iter_init(b, &iter, b->ops->is_extents +- ? PRECEDING_KEY(&START_KEY(k)) +- : PRECEDING_KEY(k)); ++ /* ++ * If k has preceding key, preceding_key_p will be set to address ++ * of k's preceding key; otherwise preceding_key_p will be set ++ * to NULL inside preceding_key(). ++ */ ++ if (b->ops->is_extents) ++ preceding_key(&START_KEY(k), &preceding_key_p); ++ else ++ preceding_key(k, &preceding_key_p); ++ ++ m = bch_btree_iter_init(b, &iter, preceding_key_p); + + if (b->ops->insert_fixup(b, k, &iter, replace_key)) + return status; +diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h +index bac76aabca6d..c71365e7c1fa 100644 +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -434,20 +434,26 @@ static inline bool bch_cut_back(const struct bkey *where, struct bkey *k) + return __bch_cut_back(where, k); + } + +-#define PRECEDING_KEY(_k) \ +-({ \ +- struct bkey *_ret = NULL; \ +- \ +- if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \ +- _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \ +- \ +- if (!_ret->low) \ +- _ret->high--; \ +- _ret->low--; \ +- } \ +- \ +- _ret; \ +-}) ++/* ++ * Pointer '*preceding_key_p' points to a memory object to store preceding ++ * key of k. If the preceding key does not exist, set '*preceding_key_p' to ++ * NULL. So the caller of preceding_key() needs to take care of memory ++ * which '*preceding_key_p' pointed to before calling preceding_key(). ++ * Currently the only caller of preceding_key() is bch_btree_insert_key(), ++ * and it points to an on-stack variable, so the memory release is handled ++ * by stackframe itself. ++ */ ++static inline void preceding_key(struct bkey *k, struct bkey **preceding_key_p) ++{ ++ if (KEY_INODE(k) || KEY_OFFSET(k)) { ++ (**preceding_key_p) = KEY(KEY_INODE(k), KEY_OFFSET(k), 0); ++ if (!(*preceding_key_p)->low) ++ (*preceding_key_p)->high--; ++ (*preceding_key_p)->low--; ++ } else { ++ (*preceding_key_p) = NULL; ++ } ++} + + static inline bool bch_ptr_invalid(struct btree_keys *b, const struct bkey *k) + { +-- +cgit v1.2.1-1-g437b + + -- cgit v1.2.3