SHA256
1
0
forked from pool/drbd

Accepting request 1056192 from home:hmzhao:branches:network:ha-clustering:Factory

- drbd: fix build error against kernel v6.1.1 (bsc#1206791)
  * update bsc-1201335_06-bdi.patch commit log (no code change)
    + bsc-1201335_06-bdi.patch
  * update bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch (no code change)
    + bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch
  * using upstream patch to replace exist patch
    - bsc-1204596_02-drbd-stop-using-bdevname-in-drbd_report_io_error.patch
    + bsc-1204596_02-drbd-remove-usage-of-bdevname.patch
  * add new patches
    + bsc-1206791-01-drbd-add-comments-explaining-removal-of-bdi-congesti.patch
    + bsc-1206791-02-drbd-fix-static-analysis-warnings.patch
    + bsc-1206791-03-drbd-fix-warning-about-initializing-multiple-struct-.patch
    + bsc-1206791-04-blk_queue_split__no_present.patch
    + bsc-1206791-05-prandom_u32_max.patch
    + bsc-1206791-06-write_zeroes__no_capable.patch
    + bsc-1206791-07-drbd-fix-use-after-free-bugs-in-get_initial_state.patch
    + bsc-1206791-08-lib-lru_cache-Fixed-array-overflow-caused-by-incorre.patch
    + bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch

OBS-URL: https://build.opensuse.org/request/show/1056192
OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/drbd?expand=0&rev=142
This commit is contained in:
heming zhao 2023-01-05 13:24:33 +00:00 committed by Git OBS Bridge
parent 039faa1c60
commit 4e5f7cbf78
15 changed files with 933 additions and 58 deletions

View File

@ -1,4 +1,4 @@
/* this patch is related with following 3 upstream kernel commits */
/* this patch is related with following 4 upstream kernel commits */
commit 8fd6533ef3f7729e4aa29ead83844c042688615a
Author: Haowen Bai <baihaowen@meizu.com>
@ -72,6 +72,22 @@ Date: Mon Aug 9 16:17:43 2021 +0200
Link: https://lore.kernel.org/r/20210809141744.1203023-5-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
commit b807a2c5e0e2e81c96160682977c6f497cfcee96
Author: Christoph Hellwig <hch@lst.de>
Date: Thu Sep 24 08:51:29 2020 +0200
drbd: remove dead code in device_to_statistics
Ever since the switch to blk-mq, a lower device not used for VM
writeback will not be marked congested, so the check will never
trigger.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
diff -Nupr a/drbd/drbd_req.c b/drbd/drbd_req.c

View File

@ -27,7 +27,7 @@ Signed-off-by: Dan Williams <dan.j.williams@intel.com>
diff -Nupr a/drbd/drbd_dax_pmem.c b/drbd/drbd_dax_pmem.c
--- a/drbd/drbd_dax_pmem.c 2022-08-22 16:26:24.786369807 +0800
+++ b/drbd/drbd_dax_pmem.c 2022-08-22 16:26:47.706276429 +0800
@@ -86,7 +86,7 @@ static int map_superblock_for_dax(struct
@@ -39,7 +39,7 @@ static int map_superblock_for_dax(struct
int id;
id = dax_read_lock();
@ -36,7 +36,7 @@ diff -Nupr a/drbd/drbd_dax_pmem.c b/drbd/drbd_dax_pmem.c
dax_read_unlock(id);
if (len < want)
@@ -147,7 +147,7 @@ int drbd_dax_map(struct drbd_backing_dev
@@ -100,7 +100,7 @@ int drbd_dax_map(struct drbd_backing_dev
int id;
id = dax_read_lock();

View File

@ -0,0 +1,38 @@
From d9a0a8d2c02f7a8da542230bebf0045f24f0fc74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
<christoph.boehmwalder@linbit.com>
Date: Thu, 13 Oct 2022 15:00:46 +0200
Subject: [PATCH] drbd: remove usage of bdevname
See upstream commit 1b70ccecaed4 (drbd: stop using bdevname in
drbd_report_io_error)
---
drbd/drbd_req.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drbd/drbd_req.c b/drbd/drbd_req.c
index a6b9723fde42..1ee50f1c1720 100644
--- a/drbd/drbd_req.c
+++ b/drbd/drbd_req.c
@@ -868,16 +868,14 @@ static void mod_rq_state(struct drbd_request *req, struct bio_and_error *m,
static void drbd_report_io_error(struct drbd_device *device, struct drbd_request *req)
{
- char b[BDEVNAME_SIZE];
-
if (!drbd_ratelimit())
return;
- drbd_warn(device, "local %s IO error sector %llu+%u on %s\n",
+ drbd_warn(device, "local %s IO error sector %llu+%u on %pg\n",
(req->local_rq_state & RQ_WRITE) ? "WRITE" : "READ",
(unsigned long long)req->i.sector,
req->i.size >> 9,
- bdevname(device->ldev->backing_bdev, b));
+ device->ldev->backing_bdev);
}
/* Helper for HANDED_OVER_TO_NETWORK.
--
2.26.2

View File

@ -1,36 +0,0 @@
From 1b70ccecaed4c3c50239e8409156fb447f965554 Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Wed, 13 Jul 2022 07:53:11 +0200
Subject: [PATCH] drbd: stop using bdevname in drbd_report_io_error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Just use the %pg format specifier instead.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/20220713055317.1888500-4-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
diff -Nupr a/drbd/drbd_req.c b/drbd/drbd_req.c
--- a/drbd/drbd_req.c 2022-10-22 19:32:24.033651322 +0800
+++ b/drbd/drbd_req.c 2022-10-22 19:33:01.433605547 +0800
@@ -745,11 +745,11 @@ static void drbd_report_io_error(struct
if (!drbd_ratelimit())
return;
- drbd_warn(device, "local %s IO error sector %llu+%u on %s\n",
+ drbd_warn(device, "local %s IO error sector %llu+%u on %pg\n",
(req->local_rq_state & RQ_WRITE) ? "WRITE" : "READ",
(unsigned long long)req->i.sector,
req->i.size >> 9,
- bdevname(device->ldev->backing_bdev, b));
+ device->ldev->backing_bdev);
}
/* Helper for HANDED_OVER_TO_NETWORK.

View File

@ -0,0 +1,52 @@
From c89bb88cde9349b11dbf255e762203c626e70d30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
<christoph.boehmwalder@linbit.com>
Date: Mon, 3 Oct 2022 14:49:55 +0200
Subject: [PATCH] drbd: add comments explaining removal of bdi congestion
The bdi congestion tracking framework was removed, so this leaves a few
confusing places where we just blindly set a "congested" flag to false.
Add some comments, briefly explaining the history of why it is like
that.
---
by heming.zhao@suse.com:
bsc-1201335_06-bdi.patch followed upstream patch b807a2c5e0e2, which
removed s->dev_lower_blocked from device_to_statistics(). But drbd main
branch latest code still keep s->dev_lower_blocked, I used this patch
to restore s->dev_lower_blocked.
---
diff --git a/drbd/drbd_nl.c b/drbd/drbd_nl.c
index 020372fdb258..6a2afd184ae6 100644
--- a/drbd/drbd_nl.c
+++ b/drbd/drbd_nl.c
@@ -5514,6 +5514,10 @@ static void device_to_statistics(struct device_statistics *s,
spin_unlock_irq(&md->uuid_lock);
s->dev_disk_flags = md->flags;
+ /* originally, this used the bdi congestion framework,
+ * but that was removed in linux 5.18.
+ * so just never report the lower device as congested. */
+ s->dev_lower_blocked = false;
put_ldev(device);
}
s->dev_size = get_capacity(device->vdisk);
diff --git a/drbd/drbd_req.c b/drbd/drbd_req.c
index e5098bf8b26c..02dbc61946ca 100644
--- a/drbd/drbd_req.c
+++ b/drbd/drbd_req.c
@@ -1275,6 +1275,9 @@ static bool remote_due_to_read_balancing(struct drbd_device *device,
switch (rbm) {
case RB_CONGESTED_REMOTE:
+ /* originally, this used the bdi congestion framework,
+ * but that was removed in linux 5.18.
+ * so just never report the lower device as congested. */
return false;
case RB_LEAST_PENDING:
return atomic_read(&device->local_cnt) >
--
2.26.2

View File

@ -0,0 +1,88 @@
From f465ef1a70c7b559fcf3924e450bc5e836e448de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
<christoph.boehmwalder@linbit.com>
Date: Mon, 3 Oct 2022 15:56:44 +0200
Subject: [PATCH] drbd: fix static analysis warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC now does some pretty impressive static analysis, and it spits out
some warnings when compiling DRBD. Newer kernels "unfortunately" set
-Werror, which forces us to stop sweeping these under the rug.
This commits fixes two distinct classes of warning.
First, if a netlink field is declared with DRBD_GENLA_F_MANDATORY, it
can never be NULL. The compiler catches this and complains:
drbd_nl.c:3490:53: warning: the comparison will always evaluate
as true for the address of integrity_alg
will never be NULL [-Waddress]
3490 | if (!new_net_conf->integrity_alg != !old_net_conf->integrity_alg)
| ^
And similarly for net_conf->name. The fix is simple: just remove the
checks.
The other warning that is fixed is:
drbd_main.c:421:55: warning: unused variable ddm [-Wunused-variable]
421 | DEFINE_DYNAMIC_DEBUG_METADATA(ddm, "Bad barrier ack dump");
| ^~~
Which happens when dynamic debug is not enabled, erasing the
DYNAMIC_DEBUG_BRANCH(ddm) below.
This is easily fixed by "accessing" the declared variable by doing a
dummy cast to void.
Finally, the compiler complains that the DYNAMIC_DEBUG macros are
redefined in drbd_polymorph_printk.h, so #undef them before #defining
them.
---
drbd/drbd_nl.c | 5 +----
drbd/drbd_polymorph_printk.h | 5 ++++-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drbd/drbd_nl.c b/drbd/drbd_nl.c
index 6a2afd184ae6..de064215b638 100644
--- a/drbd/drbd_nl.c
+++ b/drbd/drbd_nl.c
@@ -3553,9 +3553,6 @@ _check_net_options(struct drbd_connection *connection, struct net_conf *old_net_
if (new_net_conf->two_primaries != old_net_conf->two_primaries)
return ERR_NEED_APV_100;
- if (!new_net_conf->integrity_alg != !old_net_conf->integrity_alg)
- return ERR_NEED_APV_100;
-
if (strcmp(new_net_conf->integrity_alg, old_net_conf->integrity_alg))
return ERR_NEED_APV_100;
}
@@ -5398,7 +5395,7 @@ static int nla_put_drbd_cfg_context(struct sk_buff *skb,
if (connection) {
nla_put_u32(skb, T_ctx_peer_node_id, connection->peer_node_id);
rcu_read_lock();
- if (connection->transport.net_conf && connection->transport.net_conf->name)
+ if (connection->transport.net_conf)
nla_put_string(skb, T_ctx_conn_name, connection->transport.net_conf->name);
rcu_read_unlock();
}
diff --git a/drbd/drbd_polymorph_printk.h b/drbd/drbd_polymorph_printk.h
index 1ce6cc2e6f74..4e7f2f17014e 100644
--- a/drbd/drbd_polymorph_printk.h
+++ b/drbd/drbd_polymorph_printk.h
@@ -2,7 +2,10 @@
#define DRBD_POLYMORPH_PRINTK_H
#if !defined(CONFIG_DYNAMIC_DEBUG)
-#define DEFINE_DYNAMIC_DEBUG_METADATA(D, F) const char *D = F
+#undef DEFINE_DYNAMIC_DEBUG_METADATA
+#undef __dynamic_pr_debug
+#undef DYNAMIC_DEBUG_BRANCH
+#define DEFINE_DYNAMIC_DEBUG_METADATA(D, F) const char *D = F; ((void)D)
#define __dynamic_pr_debug(D, F, args...) do { (void)(D); if (0) printk(F, ## args); } while(0)
#define DYNAMIC_DEBUG_BRANCH(D) false
#endif
--
2.26.2

View File

@ -0,0 +1,31 @@
From 1b4b7a945d5191225965d8e79fc6705c1b394e1d Mon Sep 17 00:00:00 2001
From: Philipp Reisner <philipp.reisner@linbit.com>
Date: Mon, 10 Oct 2022 09:20:20 +0200
Subject: [PATCH] drbd: fix warning about initializing multiple struct members
with one memset()
It comes from 6cedeb568b, November 2008
"proto version 89: support checksum based resyn"
Modern compiler warns about this and warnings might be treated as errors.
---
drbd/drbd_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drbd/drbd_main.c b/drbd/drbd_main.c
index 84040ed4bfaf..fe8cf60a85fc 100644
--- a/drbd/drbd_main.c
+++ b/drbd/drbd_main.c
@@ -1150,7 +1150,8 @@ int drbd_send_sync_param(struct drbd_peer_device *peer_device)
return -EIO;
/* initialize verify_alg and csums_alg */
- memset(p->verify_alg, 0, 2 * SHARED_SECRET_MAX);
+ memset(p->verify_alg, 0, sizeof(p->verify_alg));
+ memset(p->csums_alg, 0, sizeof(p->csums_alg));
rcu_read_lock();
nc = rcu_dereference(peer_device->connection->transport.net_conf);
--
2.26.2

View File

@ -0,0 +1,62 @@
/* This patch related with below upstream kernel commit */
commit 5a97806f7dc069d9561d9930a2ae108700e222ab
Author: Christoph Hellwig <hch@lst.de>
Date: Wed Jul 27 12:22:55 2022 -0400
block: change the blk_queue_split calling convention
The double indirect bio leads to somewhat suboptimal code generation.
Instead return the (original or split) bio, and make sure the
request_queue arguments to the lower level helpers is passed after the
bio to avoid constant reshuffling of the argument passing registers.
Also give it and the helpers used to implement it more descriptive names.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220727162300.3089193-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
diff -Nupr drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/cocci/bio_split_to_limits__yes_present.cocci b/drbd/drbd-kernel-compat/cocci/bio_split_to_limits__yes_present.cocci
--- drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/cocci/bio_split_to_limits__yes_present.cocci 1970-01-01 08:00:00.000000000 +0800
+++ b/drbd/drbd-kernel-compat/cocci/bio_split_to_limits__yes_present.cocci 2023-01-05 09:58:43.742081303 +0800
@@ -0,0 +1,5 @@
+@@
+expression b;
+@@
+- blk_queue_split(&b)
++ bio_split_to_limits(b)
diff -Nupr drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/gen_patch_names.c b/drbd/drbd-kernel-compat/gen_patch_names.c
--- drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/gen_patch_names.c 2023-01-05 09:02:53.371032160 +0800
+++ b/drbd/drbd-kernel-compat/gen_patch_names.c 2023-01-05 09:59:24.921772632 +0800
@@ -92,8 +92,13 @@ int main(int argc, char **argv)
patch(1, "timer_setup", true, false,
COMPAT_HAVE_TIMER_SETUP, "present");
-#if defined(COMPAT_HAVE_BLK_QUEUE_SPLIT_BIO)
- /* "modern" version (>=5.9) with only 1 argument. nothing to do */
+#if defined(COMPAT_HAVE_BIO_SPLIT_TO_LIMITS)
+ /* since 5a97806f7dc069d9561d9930a2ae108700e222ab, blk_queue_split_bio
+ * change to bio_split_to_limits */
+ patch(1, "bio_split_to_limits", false, true,
+ YES, "present");
+#elif defined(COMPAT_HAVE_BLK_QUEUE_SPLIT_BIO)
+ /* "modern" version (>=5.9 && < v6.0-rc1) with only 1 argument. nothing to do */
#elif defined(COMPAT_HAVE_BLK_QUEUE_SPLIT_Q_BIO)
/* older version with 2 arguments */
patch(1, "blk_queue_split", false, true,
diff -Nupr a/drbd/drbd-kernel-compat/tests/have_bio_split_to_limits.c b/drbd/drbd-kernel-compat/tests/have_bio_split_to_limits.c
--- a/drbd/drbd-kernel-compat/tests/have_bio_split_to_limits.c 1970-01-01 08:00:00.000000000 +0800
+++ b/drbd/drbd-kernel-compat/tests/have_bio_split_to_limits.c 2023-01-05 10:08:37.081595899 +0800
@@ -0,0 +1,9 @@
+/* { "version": "v5.9", "commit": "f695ca3886ce72b027af7aa6040cd420cae2088c", "comment": "In 5.9, blk_queue_split lost its first parameter, since the bio can be derived from the queue", "author": "Christoph Hellwig <hch@lst.de>", "date": "Wed Jul 1 10:59:39 2020 +0200" } */
+
+
+#include <linux/blkdev.h>
+
+void dummy(struct bio *bio)
+{
+ bio_split_to_limits(bio);
+}

View File

@ -0,0 +1,116 @@
by heming.zhao@suse.com on 20220105
This is SUSE special patch, and this patch cocci codes were partly
copied from upstream kernel commit 81895a65ec63ee1daec3255dc1a06675d2fbe915
("treewide: use prandom_u32_max() when possible, part 1").
Because I don't know cocci syntax, so in drbd_state.c this patch
directly modifies prandom_u32() to prandom_u32_max(U32_MAX). All
other cases use cocci to modify.
---
diff -Nupr a/drbd/drbd-kernel-compat/cocci/prandom_u32__no_present.cocci b/drbd/drbd-kernel-compat/cocci/prandom_u32__no_present.cocci
--- a/drbd/drbd-kernel-compat/cocci/prandom_u32__no_present.cocci 2023-01-04 23:15:30.435899748 +0800
+++ b/drbd/drbd-kernel-compat/cocci/prandom_u32__no_present.cocci 2023-01-05 08:58:23.177198823 +0800
@@ -1,3 +1,76 @@
-@@ @@
-- prandom_u32()
-+ random32()
+@basic@
+expression E;
+type T;
+identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
+typedef u64;
+@@
+(
+- ((T)get_random_u32() % (E))
++ prandom_u32_max(E)
+|
+- ((T)get_random_u32() & ((E) - 1))
++ prandom_u32_max(E * XXX_MAKE_SURE_E_IS_POW2)
+|
+- ((u64)(E) * get_random_u32() >> 32)
++ prandom_u32_max(E)
+|
+- ((T)get_random_u32() & ~PAGE_MASK)
++ prandom_u32_max(PAGE_SIZE)
+)
+
+@multi_line@
+identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
+identifier RAND;
+expression E;
+@@
+
+- RAND = get_random_u32();
+ ... when != RAND
+- RAND %= (E);
++ RAND = prandom_u32_max(E);
+
+// Find a potential literal
+@literal_mask@
+expression LITERAL;
+type T;
+identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
+position p;
+@@
+
+ ((T)get_random_u32()@p & (LITERAL))
+
+// Add one to the literal.
+@script:python add_one@
+literal << literal_mask.LITERAL;
+RESULT;
+@@
+
+value = None
+if literal.startswith('0x'):
+ value = int(literal, 16)
+elif literal[0] in '123456789':
+ value = int(literal, 10)
+if value is None:
+ print("I don't know how to handle %s" % (literal))
+ cocci.include_match(False)
+elif value == 2**32 - 1 or value == 2**31 - 1 or value == 2**24 - 1 or value == 2**16 - 1 or value == 2**8 - 1:
+ print("Skipping 0x%x for cleanup elsewhere" % (value))
+ cocci.include_match(False)
+elif value & (value + 1) != 0:
+ print("Skipping 0x%x because it's not a power of two minus one" % (value))
+ cocci.include_match(False)
+elif literal.startswith('0x'):
+ coccinelle.RESULT = cocci.make_expr("0x%x" % (value + 1))
+else:
+ coccinelle.RESULT = cocci.make_expr("%d" % (value + 1))
+
+// Replace the literal mask with the calculated result.
+@plus_one@
+expression literal_mask.LITERAL;
+position literal_mask.p;
+expression add_one.RESULT;
+identifier FUNC;
+@@
+
+- (FUNC()@p & (LITERAL))
++ prandom_u32_max(RESULT)
diff -Nupr a/drbd/drbd_state.c b/drbd/drbd_state.c
--- a/drbd/drbd_state.c 2023-01-05 09:00:01.252434773 +0800
+++ b/drbd/drbd_state.c 2023-01-05 09:02:47.519078927 +0800
@@ -4488,7 +4488,7 @@ change_cluster_wide_state(bool (*change)
}
do
- reply->tid = prandom_u32();
+ reply->tid = prandom_u32_max(U32_MAX);
while (!reply->tid);
request.tid = cpu_to_be32(reply->tid);
@@ -4716,7 +4716,7 @@ retry:
*reply = (struct twopc_reply) { 0 };
do
- reply->tid = prandom_u32();
+ reply->tid = prandom_u32_max(U32_MAX);
while (!reply->tid);
request.tid = cpu_to_be32(reply->tid);

View File

@ -0,0 +1,8 @@
diff -Nupr drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/tests/have_req_op_write_zeroes.c b/drbd/drbd-kernel-compat/tests/have_req_op_write_zeroes.c
--- drbd-9.0.30~1+git.8e9c0812/drbd/drbd-kernel-compat/tests/have_req_op_write_zeroes.c 2021-11-09 22:43:17.000000000 +0800
+++ b/drbd/drbd-kernel-compat/tests/have_req_op_write_zeroes.c 2023-01-05 10:40:17.383202903 +0800
@@ -1,3 +1,3 @@
#include <linux/blk_types.h>
-enum req_opf dummy = REQ_OP_WRITE_ZEROES;
+enum req_op dummy = REQ_OP_WRITE_ZEROES;

View File

@ -0,0 +1,391 @@
From 2573d91be862ed65781c4a37dcaaa051a905a48a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
<christoph.boehmwalder@linbit.com>
Date: Wed, 5 Oct 2022 13:36:18 +0200
Subject: [PATCH] drbd: fix use-after-free bugs in get_initial_state
See upstream commit aadb22ba2f65 ("drbd: Fix five use after free bugs
in get_initial_state").
Original message:
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len, which is a uaf bug.
What's worse, the same problem goes even further: skb can also be
freed in the notify_*_state_change -> notify_*_state calls below.
Thus 4 additional uaf bugs happened.
My patch lets the problem callee functions: notify_initial_state_done
and notify_*_state_change return an error code if errors happen.
So that the error codes could be propagated and the uaf bugs can be avoid.
---
drbd/drbd_int.h | 10 ++++----
drbd/drbd_nl.c | 51 ++++++++++++++++++++++++----------------
drbd/drbd_state.c | 18 +++++++-------
drbd/drbd_state_change.h | 8 +++----
4 files changed, 49 insertions(+), 38 deletions(-)
diff --git a/drbd/drbd_int.h b/drbd/drbd_int.h
index fcde3b96bd6a..4bf2c6dde93d 100644
--- a/drbd/drbd_int.h
+++ b/drbd/drbd_int.h
@@ -2154,30 +2154,30 @@ extern int drbd_al_initialize(struct drbd_device *, void *);
extern struct mutex notification_mutex;
extern atomic_t drbd_genl_seq;
-extern void notify_resource_state(struct sk_buff *,
+extern int notify_resource_state(struct sk_buff *,
unsigned int,
struct drbd_resource *,
struct resource_info *,
struct rename_resource_info *,
enum drbd_notification_type);
-extern void notify_device_state(struct sk_buff *,
+extern int notify_device_state(struct sk_buff *,
unsigned int,
struct drbd_device *,
struct device_info *,
enum drbd_notification_type);
-extern void notify_connection_state(struct sk_buff *,
+extern int notify_connection_state(struct sk_buff *,
unsigned int,
struct drbd_connection *,
struct connection_info *,
enum drbd_notification_type);
-extern void notify_peer_device_state(struct sk_buff *,
+extern int notify_peer_device_state(struct sk_buff *,
unsigned int,
struct drbd_peer_device *,
struct peer_device_info *,
enum drbd_notification_type);
extern void notify_helper(enum drbd_notification_type, struct drbd_device *,
struct drbd_connection *, const char *, int);
-extern void notify_path(struct drbd_connection *, struct drbd_path *,
+extern int notify_path(struct drbd_connection *, struct drbd_path *,
enum drbd_notification_type);
extern void drbd_broadcast_peer_device_state(struct drbd_peer_device *);
diff --git a/drbd/drbd_nl.c b/drbd/drbd_nl.c
index 3dee5a1ab2eb..4418d143e09f 100644
--- a/drbd/drbd_nl.c
+++ b/drbd/drbd_nl.c
@@ -6492,7 +6492,7 @@ static int nla_put_notification_header(struct sk_buff *msg,
return drbd_notification_header_to_skb(msg, &nh, true);
}
-void notify_resource_state(struct sk_buff *skb,
+int notify_resource_state(struct sk_buff *skb,
unsigned int seq,
struct drbd_resource *resource,
struct resource_info *resource_info,
@@ -6546,16 +6546,17 @@ void notify_resource_state(struct sk_buff *skb,
if (err && err != -ESRCH)
goto failed;
}
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
failed:
drbd_err(resource, "Error %d while broadcasting event. Event seq:%u\n",
err, seq);
+ return err;
}
-void notify_device_state(struct sk_buff *skb,
+int notify_device_state(struct sk_buff *skb,
unsigned int seq,
struct drbd_device *device,
struct device_info *device_info,
@@ -6595,17 +6596,18 @@ void notify_device_state(struct sk_buff *skb,
if (err && err != -ESRCH)
goto failed;
}
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
failed:
drbd_err(device, "Error %d while broadcasting event. Event seq:%u\n",
err, seq);
+ return err;
}
/* open coded path_parms_to_skb() iterating of the list */
-void notify_connection_state(struct sk_buff *skb,
+int notify_connection_state(struct sk_buff *skb,
unsigned int seq,
struct drbd_connection *connection,
struct connection_info *connection_info,
@@ -6646,16 +6648,17 @@ void notify_connection_state(struct sk_buff *skb,
if (err && err != -ESRCH)
goto failed;
}
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
failed:
drbd_err(connection, "Error %d while broadcasting event. Event seq:%u\n",
err, seq);
+ return err;
}
-void notify_peer_device_state(struct sk_buff *skb,
+int notify_peer_device_state(struct sk_buff *skb,
unsigned int seq,
struct drbd_peer_device *peer_device,
struct peer_device_info *peer_device_info,
@@ -6696,13 +6699,14 @@ void notify_peer_device_state(struct sk_buff *skb,
if (err && err != -ESRCH)
goto failed;
}
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
failed:
drbd_err(peer_device, "Error %d while broadcasting event. Event seq:%u\n",
err, seq);
+ return err;
}
void drbd_broadcast_peer_device_state(struct drbd_peer_device *peer_device)
@@ -6714,7 +6718,7 @@ void drbd_broadcast_peer_device_state(struct drbd_peer_device *peer_device)
mutex_unlock(&notification_mutex);
}
-void notify_path_state(struct sk_buff *skb,
+int notify_path_state(struct sk_buff *skb,
unsigned int seq,
/* until we have a backpointer in drbd_path, we need an explicit connection: */
struct drbd_connection *connection,
@@ -6754,7 +6758,7 @@ void notify_path_state(struct sk_buff *skb,
if (err && err != -ESRCH)
goto failed;
}
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
@@ -6762,16 +6766,19 @@ failed:
/* FIXME add path specifics to our drbd_polymorph_printk.h */
drbd_err(connection, "path: Error %d while broadcasting event. Event seq:%u\n",
err, seq);
+ return err;
}
-void notify_path(struct drbd_connection *connection, struct drbd_path *path, enum drbd_notification_type type)
+int notify_path(struct drbd_connection *connection, struct drbd_path *path, enum drbd_notification_type type)
{
struct drbd_path_info path_info;
+ int err;
path_info.path_established = path->established;
mutex_lock(&notification_mutex);
- notify_path_state(NULL, 0, connection, path, &path_info, type);
+ err = notify_path_state(NULL, 0, connection, path, &path_info, type);
mutex_unlock(&notification_mutex);
+ return err;
}
@@ -6823,7 +6830,7 @@ fail:
err, seq);
}
-static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
+static int notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
{
struct drbd_genlmsghdr *dh;
int err;
@@ -6837,11 +6844,12 @@ static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
if (nla_put_notification_header(skb, NOTIFY_EXISTS))
goto nla_put_failure;
genlmsg_end(skb, dh);
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
pr_err("Error %d sending event. Event seq:%u\n", err, seq);
+ return err;
}
static void free_state_changes(struct list_head *list)
@@ -6869,6 +6877,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
unsigned int seq = cb->args[2];
unsigned int n;
enum drbd_notification_type flags = 0;
+ int err = 0;
/* There is no need for taking notification_mutex here: it doesn't
matter if the initial state events mix with later state change
@@ -6877,20 +6886,20 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
cb->args[5]--;
if (cb->args[5] == 1) {
- notify_initial_state_done(skb, seq);
+ err = notify_initial_state_done(skb, seq);
goto out;
}
n = cb->args[4]++;
if (cb->args[4] < cb->args[3])
flags |= NOTIFY_CONTINUES;
if (n < 1) {
- notify_resource_state_change(skb, seq, state_change,
+ err = notify_resource_state_change(skb, seq, state_change,
NOTIFY_EXISTS | flags);
goto next;
}
n--;
if (n < state_change->n_connections) {
- notify_connection_state_change(skb, seq, &state_change->connections[n],
+ err = notify_connection_state_change(skb, seq, &state_change->connections[n],
NOTIFY_EXISTS | flags);
goto next;
}
@@ -6900,7 +6909,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
struct drbd_path_info path_info;
path_info.path_established = path_state->path_established;
- notify_path_state(skb, seq,
+ err = notify_path_state(skb, seq,
path_state->connection,
path_state->path,
&path_info, NOTIFY_EXISTS | flags);
@@ -6908,13 +6917,13 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
}
n -= state_change->n_paths;
if (n < state_change->n_devices) {
- notify_device_state_change(skb, seq, &state_change->devices[n],
+ err = notify_device_state_change(skb, seq, &state_change->devices[n],
NOTIFY_EXISTS | flags);
goto next;
}
n -= state_change->n_devices;
if (n < state_change->n_devices * state_change->n_connections) {
- notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
+ err = notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
NOTIFY_EXISTS | flags);
goto next;
}
@@ -6930,6 +6939,8 @@ next:
cb->args[4] = 0;
}
out:
+ if (err)
+ return err;
return skb->len;
}
diff --git a/drbd/drbd_state.c b/drbd/drbd_state.c
index de53fa7a21f1..cec88b18852f 100644
--- a/drbd/drbd_state.c
+++ b/drbd/drbd_state.c
@@ -3062,7 +3062,7 @@ static union drbd_state state_change_word(struct drbd_state_change *state_change
return state;
}
-void notify_resource_state_change(struct sk_buff *skb,
+int notify_resource_state_change(struct sk_buff *skb,
unsigned int seq,
struct drbd_state_change *state_change,
enum drbd_notification_type type)
@@ -3079,10 +3079,10 @@ void notify_resource_state_change(struct sk_buff *skb,
.res_susp_quorum = state_change_is_susp_quorum(state_change, NEW),
};
- notify_resource_state(skb, seq, resource, &resource_info, NULL, type);
+ return notify_resource_state(skb, seq, resource, &resource_info, NULL, type);
}
-void notify_connection_state_change(struct sk_buff *skb,
+int notify_connection_state_change(struct sk_buff *skb,
unsigned int seq,
struct drbd_connection_state_change *connection_state_change,
enum drbd_notification_type type)
@@ -3093,10 +3093,10 @@ void notify_connection_state_change(struct sk_buff *skb,
.conn_role = connection_state_change->peer_role[NEW],
};
- notify_connection_state(skb, seq, connection, &connection_info, type);
+ return notify_connection_state(skb, seq, connection, &connection_info, type);
}
-void notify_device_state_change(struct sk_buff *skb,
+int notify_device_state_change(struct sk_buff *skb,
unsigned int seq,
struct drbd_device_state_change *device_state_change,
enum drbd_notification_type type)
@@ -3105,10 +3105,10 @@ void notify_device_state_change(struct sk_buff *skb,
struct device_info device_info;
device_state_change_to_info(&device_info, device_state_change);
- notify_device_state(skb, seq, device, &device_info, type);
+ return notify_device_state(skb, seq, device, &device_info, type);
}
-void notify_peer_device_state_change(struct sk_buff *skb,
+int notify_peer_device_state_change(struct sk_buff *skb,
unsigned int seq,
struct drbd_peer_device_state_change *state_change,
enum drbd_notification_type type)
@@ -3117,7 +3117,7 @@ void notify_peer_device_state_change(struct sk_buff *skb,
struct peer_device_info peer_device_info;
peer_device_state_change_to_info(&peer_device_info, state_change);
- notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type);
+ return notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type);
}
static void notify_state_change(struct drbd_state_change *state_change)
@@ -3125,7 +3125,7 @@ static void notify_state_change(struct drbd_state_change *state_change)
struct drbd_resource_state_change *resource_state_change = &state_change->resource[0];
bool resource_state_has_changed;
unsigned int n_device, n_connection, n_peer_device, n_peer_devices;
- void (*last_func)(struct sk_buff *, unsigned int, void *,
+ int (*last_func)(struct sk_buff *, unsigned int, void *,
enum drbd_notification_type) = NULL;
void *last_arg = NULL;
diff --git a/drbd/drbd_state_change.h b/drbd/drbd_state_change.h
index e60ec1b8ee6e..df23977462c1 100644
--- a/drbd/drbd_state_change.h
+++ b/drbd/drbd_state_change.h
@@ -66,19 +66,19 @@ extern struct drbd_state_change *remember_state_change(struct drbd_resource *, g
extern void copy_old_to_new_state_change(struct drbd_state_change *);
extern void forget_state_change(struct drbd_state_change *);
-extern void notify_resource_state_change(struct sk_buff *,
+extern int notify_resource_state_change(struct sk_buff *,
unsigned int,
struct drbd_state_change *,
enum drbd_notification_type type);
-extern void notify_connection_state_change(struct sk_buff *,
+extern int notify_connection_state_change(struct sk_buff *,
unsigned int,
struct drbd_connection_state_change *,
enum drbd_notification_type type);
-extern void notify_device_state_change(struct sk_buff *,
+extern int notify_device_state_change(struct sk_buff *,
unsigned int,
struct drbd_device_state_change *,
enum drbd_notification_type type);
-extern void notify_peer_device_state_change(struct sk_buff *,
+extern int notify_peer_device_state_change(struct sk_buff *,
unsigned int,
struct drbd_peer_device_state_change *,
enum drbd_notification_type type);
--
2.26.2

View File

@ -0,0 +1,36 @@
From c2a620949ed609d6e256d1ce4d671a6da6bfeac0 Mon Sep 17 00:00:00 2001
From: John Sanpe <sanpeqf@gmail.com>
Date: Sat, 23 Jul 2022 09:59:31 +0200
Subject: [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect
boundary handling.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This problem occurs when malloc element failed on the first time.
At this time, the counter i is 0. When it's released, we subtract 1
in advance without checking, which will cause i to become UINT_MAX,
resulting in array overflow.
Signed-off-by: John Sanpe <sanpeqf@gmail.com>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
---
drbd/lru_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drbd/lru_cache.c b/drbd/lru_cache.c
index 7e604cdc87db..fc640490607a 100644
--- a/drbd/lru_cache.c
+++ b/drbd/lru_cache.c
@@ -127,7 +127,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
return lc;
/* else: could not allocate all elements, give up */
- for (i--; i; i--) {
+ while (i--) {
void *p = element[i];
kmem_cache_free(cache, (unsigned char *)p - e_off);
}
--
2.26.2

View File

@ -0,0 +1,35 @@
From 998a1faccbbb7e7b6d1042e7fe841734671ee365 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
<christoph.boehmwalder@linbit.com>
Date: Wed, 6 Apr 2022 13:39:44 +0200
Subject: [PATCH] pmem: use fs_dax_get_by_bdev instead of dax_get_by_host
The {fs,}dax_get_by_host helpers went away.
---
by heming.zhao on 20230105
This patch partly refer code from drbd-9.1 branch commit
a68200c121de9e17a73a53962697fa32239e99f6
---
--- drbd-9.0.30~1+git.8e9c0812/drbd/drbd_dax_pmem.c 2023-01-05 20:50:39.022187673 +0800
+++ b/drbd/drbd_dax_pmem.c 2023-01-05 20:40:10.878947325 +0800
@@ -56,14 +56,11 @@ static int map_superblock_for_dax(struct
*/
int drbd_dax_open(struct drbd_backing_dev *bdev)
{
- const char *disk_name = bdev->md_bdev->bd_disk->disk_name;
struct dax_device *dax_dev;
int err;
+ u64 part_off;
- if (!blk_queue_dax(bdev->md_bdev->bd_disk->queue))
- return -ENODEV;
-
- dax_dev = dax_get_by_host(disk_name);
+ dax_dev = fs_dax_get_by_bdev(bdev->md_bdev, &part_off, NULL, NULL);
if (!dax_dev)
return -ENODEV;

View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Thu Jan 5 11:13:00 UTC 2023 - Heming Zhao <heming.zhao@suse.com>
- drbd: fix build error against kernel v6.1.1 (bsc#1206791)
* update bsc-1201335_06-bdi.patch commit log (no code change)
+ bsc-1201335_06-bdi.patch
* update bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch (no code change)
+ bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch
* using upstream patch to replace exist patch
- bsc-1204596_02-drbd-stop-using-bdevname-in-drbd_report_io_error.patch
+ bsc-1204596_02-drbd-remove-usage-of-bdevname.patch
* add new patches
+ bsc-1206791-01-drbd-add-comments-explaining-removal-of-bdi-congesti.patch
+ bsc-1206791-02-drbd-fix-static-analysis-warnings.patch
+ bsc-1206791-03-drbd-fix-warning-about-initializing-multiple-struct-.patch
+ bsc-1206791-04-blk_queue_split__no_present.patch
+ bsc-1206791-05-prandom_u32_max.patch
+ bsc-1206791-06-write_zeroes__no_capable.patch
+ bsc-1206791-07-drbd-fix-use-after-free-bugs-in-get_initial_state.patch
+ bsc-1206791-08-lib-lru_cache-Fixed-array-overflow-caused-by-incorre.patch
+ bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch
-------------------------------------------------------------------
Mon Dec 5 12:47:43 UTC 2022 - Ludwig Nussel <lnussel@suse.de>

View File

@ -39,25 +39,33 @@ Patch2: bsc-1192929_01-make_block_holder_optional.patch
Patch3: bsc-1192929_02-move_kvmalloc_related_to_slab.patch
Patch4: bsc-1192929_03-polling_to_bio_base.patch
Patch5: bsc-1192929_04-pass_gend_to_blk_queue_update_readahead.patch
#Patch6: bsc-1192929_05-move_bdi_from_request_queue_to_gendisk
Patch7: bsc-1192929_06-dax_support.patch
Patch8: bsc-1192929_07-add_disk_error_handle.patch
Patch9: bsc-1192929_08-have_void_drbd_submit_bio.patch
Patch10: bsc-1192929_09-remove_bdgrab.patch
Patch11: bsc-1201335_01-compat-test-and-cocci-patch-for-bdi-in-gendisk.patch
Patch12: bsc-1201335_02-compat-only-apply-bdi-pointer-patch-if-bdi-is-in-req.patch
Patch13: bsc-1201335_03-genhd.patch
Patch14: bsc-1201335_04-bio_alloc_bioset.patch
Patch15: bsc-1201335_05-bio_alloc.patch
Patch16: bsc-1201335_06-bdi.patch
Patch17: bsc-1201335_07-write-same.patch
Patch18: bsc-1201335_08-bio_clone_fast.patch
Patch19: bsc-1202600_01-remove-QUEUE_FLAG_DISCARD.patch
Patch20: bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch
Patch21: bsc-1202600_03-block-decouple-REQ_OP_SECURE_ERASE-from-REQ_OP_DISCA.patch
Patch22: bsc-1202600_04-remove-assign_p_sizes_qlim.patch
Patch23: bsc-1204596_01-block-remove-blk_cleanup_disk.patch
Patch24: bsc-1204596_02-drbd-stop-using-bdevname-in-drbd_report_io_error.patch
Patch6: bsc-1192929_06-dax_support.patch
Patch7: bsc-1192929_07-add_disk_error_handle.patch
Patch8: bsc-1192929_08-have_void_drbd_submit_bio.patch
Patch9: bsc-1192929_09-remove_bdgrab.patch
Patch10: bsc-1201335_01-compat-test-and-cocci-patch-for-bdi-in-gendisk.patch
Patch11: bsc-1201335_02-compat-only-apply-bdi-pointer-patch-if-bdi-is-in-req.patch
Patch12: bsc-1201335_03-genhd.patch
Patch13: bsc-1201335_04-bio_alloc_bioset.patch
Patch14: bsc-1201335_05-bio_alloc.patch
Patch15: bsc-1201335_06-bdi.patch
Patch16: bsc-1201335_07-write-same.patch
Patch17: bsc-1201335_08-bio_clone_fast.patch
Patch18: bsc-1202600_01-remove-QUEUE_FLAG_DISCARD.patch
Patch19: bsc-1202600_02-dax-introduce-DAX_RECOVERY_WRITE-dax-access-mode.patch
Patch20: bsc-1202600_03-block-decouple-REQ_OP_SECURE_ERASE-from-REQ_OP_DISCA.patch
Patch21: bsc-1202600_04-remove-assign_p_sizes_qlim.patch
Patch22: bsc-1204596_01-block-remove-blk_cleanup_disk.patch
Patch23: bsc-1204596_02-drbd-remove-usage-of-bdevname.patch
Patch24: bsc-1206791-01-drbd-add-comments-explaining-removal-of-bdi-congesti.patch
Patch25: bsc-1206791-02-drbd-fix-static-analysis-warnings.patch
Patch26: bsc-1206791-03-drbd-fix-warning-about-initializing-multiple-struct-.patch
Patch27: bsc-1206791-04-blk_queue_split__no_present.patch
Patch28: bsc-1206791-05-prandom_u32_max.patch
Patch29: bsc-1206791-06-write_zeroes__no_capable.patch
Patch30: bsc-1206791-07-drbd-fix-use-after-free-bugs-in-get_initial_state.patch
Patch31: bsc-1206791-08-lib-lru_cache-Fixed-array-overflow-caused-by-incorre.patch
Patch32: bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch
Patch99: suse-coccinelle.patch
#https://github.com/openSUSE/rpmlint-checks/blob/master/KMPPolicyCheck.py
BuildRequires: coccinelle >= 1.0.8
@ -116,6 +124,14 @@ installed kernel.
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch99 -p1
mkdir source