* [PATCH AUTOSEL 6.9 01/15] fs/writeback: bail out if there is no more inodes for IO and queued once
From: Sasha Levin @ 2024-05-26 9:41 UTC
To: linux-kernel, stable
Cc: Kemeng Shi, Jan Kara, Christian Brauner, Sasha Levin, viro, linux-fsdevel
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit d92109891f21cf367caa2cc6dff11a4411d917f4 ]
For the case where there are no more inodes for IO in the io list from the last wb_writeback,
we may bail out early even if there is an inode in the dirty list that should be written
back. Only bail out when we have queued once, to avoid missing a dirtied inode.
This is from code reading...
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Link: https://lore.kernel.org/r/20240228091958.288260-3-shikemeng@huaweicloud.com
Reviewed-by: Jan Kara <jack@suse.cz>
[brauner@kernel.org: fold in memory corruption fix from Jan in [1]]
Link: https://lore.kernel.org/r/20240405132346.bid7gibby3lxxhez@quack3 [1]
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fs-writeback.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index e4f17c53ddfcf..d31853032a931 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -2069,6 +2069,7 @@ static long wb_writeback(struct bdi_writeback *wb,
struct inode *inode;
long progress;
struct blk_plug plug;
+ bool queued = false;
blk_start_plug(&plug);
for (;;) {
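Review bot: the new `queued` flag is declared at function scope, initialised to false and, as far as the visible lines show, never reset once set, so its meaning is "queue_io() has run at least once in this wb_writeback() invocation", not "inodes were queued on this iteration"; a one-line comment on the declaration (e.g. `/* set once queue_io() has run for this work item */`) would make that intent clear to the next reader.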
@@ -2111,8 +2112,10 @@ static long wb_writeback(struct bdi_writeback *wb,
dirtied_before = jiffies;
trace_writeback_start(wb, work);
- if (list_empty(&wb->b_io))
+ if (list_empty(&wb->b_io)) {
queue_io(wb, work, dirtied_before);
+ queued = true;
+ }
if (work->sb)
progress = writeback_sb_inodes(work->sb, wb, work);
else
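Review bot: `queued = true` records only that queue_io() was invoked when b_io was empty, not that queue_io() actually moved any inode onto b_io; that is sufficient for the bail-out logic (an empty b_io after a requeue legitimately ends the loop), but the changelog should say so, since a reader could take the name to mean inodes were found and queued.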
@@ -2127,7 +2130,7 @@ static long wb_writeback(struct bdi_writeback *wb,
* mean the overall work is done. So we keep looping as long
* as made some progress on cleaning pages or inodes.
*/
- if (progress) {
+ if (progress || !queued) {
spin_unlock(&wb->list_lock);
continue;
}
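Review bot: the comment immediately above the changed condition ("So we keep looping as long as made some progress on cleaning pages or inodes") is now stale: with `progress || !queued` the loop also continues when no progress was made but queue_io() has not yet run in this invocation, because b_io was left non-empty by a previous wb_writeback(). Suggest extending the comment, e.g. "or until we have requeued b_dirty once, so inodes dirtied since the last run are not missed", and noting in the changelog that loop termination on the no-progress path now depends on b_io draining so that the `list_empty(&wb->b_io)` branch eventually sets `queued`.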
--
2.43.0
* [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
From: Sasha Levin @ 2024-05-26 9:41 UTC
To: linux-kernel, stable
Cc: Kees Cook, y0un9n132, Sasha Levin, viro, brauner, linux-fsdevel, linux-mm
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]
Currently the brk starts its randomization immediately after .bss,
which means there is a chance that when the random offset is 0, linear
overflows from .bss can reach into the brk area. Leave at least a single
page gap between .bss and brk (when it has not already been explicitly
relocated into the mmap range).
Reported-by: <y0un9n132@gmail.com>
Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_elf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5397b552fbeb5..7862962f7a859 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
elf_ex->e_type == ET_DYN && !interpreter) {
mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+ } else {
+ /* Otherwise leave a gap between .bss and brk. */
+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
}
mm->brk = mm->start_brk = arch_randomize_brk(mm);
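Review bot: the new `else` branch assigns `mm->brk` and `mm->start_brk` only to feed them into the unconditional `arch_randomize_brk(mm)` on the following line, so the one-page gap is a lower bound below which the random offset can no longer fall, not a fixed gap; the comment "Otherwise leave a gap between .bss and brk." would be clearer as "Otherwise start brk randomization at least one page past .bss." The three context lines also do not show the enclosing condition, so the changelog should state whether the gap is applied when brk randomization is disabled or only on the randomized path visible here.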
--
2.43.0
* Re: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
From: Kees Cook @ 2024-05-27 16:32 UTC
To: Sasha Levin, linux-kernel, stable
Cc: Kees Cook, y0un9n132, viro, brauner, linux-fsdevel, linux-mm
Hi,
Please don't backport this change. While it has been tested, it's a process memory layout change, and I'd like to be as conservative as possible about it. If there is fall-out, I'd prefer to keep it limited to 6.10+. :)
-Kees
On May 26, 2024 2:41:44 AM PDT, Sasha Levin <sashal@kernel.org> wrote:
>From: Kees Cook <keescook@chromium.org>
>
>[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]
>
>Currently the brk starts its randomization immediately after .bss,
>which means there is a chance that when the random offset is 0, linear
>overflows from .bss can reach into the brk area. Leave at least a single
>page gap between .bss and brk (when it has not already been explicitly
>relocated into the mmap range).
>
>Reported-by: <y0un9n132@gmail.com>
>Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
>Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
>Signed-off-by: Kees Cook <keescook@chromium.org>
>Signed-off-by: Sasha Levin <sashal@kernel.org>
>---
> fs/binfmt_elf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
>index 5397b552fbeb5..7862962f7a859 100644
>--- a/fs/binfmt_elf.c
>+++ b/fs/binfmt_elf.c
>@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
> if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
> elf_ex->e_type == ET_DYN && !interpreter) {
> mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
>+ } else {
>+ /* Otherwise leave a gap between .bss and brk. */
>+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
> }
>
> mm->brk = mm->start_brk = arch_randomize_brk(mm);
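Review bot: for backport assessment, the quoted `else` branch covers every binary that does not satisfy `ET_DYN && !interpreter`, i.e. both non-PIE executables and dynamically linked PIEs, so the start of brk moves by at least PAGE_SIZE for most processes on a system; that is the process memory layout change the reply above declines to take into stable, and any future backport would need to weigh it against programs that assume brk begins directly after .bss.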
--
Kees Cook
* Re: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
From: Sasha Levin @ 2024-06-19 14:28 UTC
To: Kees Cook
Cc: linux-kernel, stable, Kees Cook, y0un9n132, viro, brauner, linux-fsdevel, linux-mm
On Mon, May 27, 2024 at 09:32:13AM -0700, Kees Cook wrote:
>Hi,
>
>Please don't backport this change. While it has been tested, it's a process memory layout change, and I'd like to be as conservative as possible about it. If there is fall-out, I'd prefer to keep it limited to 6.10+. :)
I'll drop it, thanks!
--
Thanks,
Sasha