<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/staging/erofs, branch v5.1</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>staging: erofs: fix unexpected out-of-bound data access</title>
<updated>2019-04-16T11:56:20+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-04-12T09:53:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f4e97f5d4c9ece362b9379d3158cf5e4c02404dc'/>
<id>f4e97f5d4c9ece362b9379d3158cf5e4c02404dc</id>
<content type='text'>
Unexpected out-of-bound data will be read in erofs_read_raw_page
after commit 07173c3ec276 ("block: enable multipage bvecs") since
one iovec could have multiple pages.

Let's fix as what Ming's pointed out in the previous email [1].

[1] https://lore.kernel.org/lkml/20190411080953.GE421@ming.t460p/

Suggested-by: Ming Lei &lt;ming.lei@redhat.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Fixes: 07173c3ec276 ("block: enable multipage bvecs")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Unexpected out-of-bound data will be read in erofs_read_raw_page
after commit 07173c3ec276 ("block: enable multipage bvecs") since
one iovec could have multiple pages.

Let's fix as what Ming's pointed out in the previous email [1].

[1] https://lore.kernel.org/lkml/20190411080953.GE421@ming.t460p/

Suggested-by: Ming Lei &lt;ming.lei@redhat.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Fixes: 07173c3ec276 ("block: enable multipage bvecs")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()</title>
<updated>2019-03-29T16:25:45+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-03-28T20:14:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=33bac912840fe64dbc15556302537dc6a17cac63'/>
<id>33bac912840fe64dbc15556302537dc6a17cac63</id>
<content type='text'>
After commit 419d6efc50e9, kernel cannot be crashed in the namei
path. However, corrupted nameoff can do harm in the process of
readdir for scenerios without dm-verity as well. Fix it now.

Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After commit 419d6efc50e9, kernel cannot be crashed in the namei
path. However, corrupted nameoff can do harm in the process of
readdir for scenerios without dm-verity as well. Fix it now.

Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix error handling when failed to read compresssed data</title>
<updated>2019-03-25T20:54:18+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-03-25T03:40:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b6391ac73400eff38377a4a7364bd3df5efb5178'/>
<id>b6391ac73400eff38377a4a7364bd3df5efb5178</id>
<content type='text'>
Complete read error handling paths for all three kinds of
compressed pages:

 1) For cache-managed pages, PG_uptodate will be checked since
    read_endio will unlock and SetPageUptodate for these pages;

 2) For inplaced pages, read_endio cannot SetPageUptodate directly
    since it should be used to mark the final decompressed data,
    PG_error will be set with page locked for IO error instead;

 3) For staging pages, PG_error is used, which is similar to
    what we do for inplaced pages.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Complete read error handling paths for all three kinds of
compressed pages:

 1) For cache-managed pages, PG_uptodate will be checked since
    read_endio will unlock and SetPageUptodate for these pages;

 2) For inplaced pages, read_endio cannot SetPageUptodate directly
    since it should be used to mark the final decompressed data,
    PG_error will be set with page locked for IO error instead;

 3) For staging pages, PG_error is used, which is similar to
    what we do for inplaced pages.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix to handle error path of erofs_vmap()</title>
<updated>2019-03-18T06:56:14+00:00</updated>
<author>
<name>Chao Yu</name>
<email>yuchao0@huawei.com</email>
</author>
<published>2019-03-11T15:10:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8bce6dcede65139a087ff240127e3f3c01363eed'/>
<id>8bce6dcede65139a087ff240127e3f3c01363eed</id>
<content type='text'>
erofs_vmap() wrapped vmap() and vm_map_ram() to return virtual
continuous memory, but both of them can failed due to a lot of
reason, previously, erofs_vmap()'s callers didn't handle them,
which can potentially cause NULL pointer access, fix it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Fixes: 0d40d6e399c1 ("staging: erofs: add a generic z_erofs VLE decompressor")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
erofs_vmap() wrapped vmap() and vm_map_ram() to return virtual
continuous memory, but both of them can failed due to a lot of
reason, previously, erofs_vmap()'s callers didn't handle them,
which can potentially cause NULL pointer access, fix it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Fixes: 0d40d6e399c1 ("staging: erofs: add a generic z_erofs VLE decompressor")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'for-5.1/block-20190302' of git://git.kernel.dk/linux-block</title>
<updated>2019-03-08T22:12:17+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2019-03-08T22:12:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=80201fe175cbf7f3e372f53eba0a881a702ad926'/>
<id>80201fe175cbf7f3e372f53eba0a881a702ad926</id>
<content type='text'>
Pull block layer updates from Jens Axboe:
 "Not a huge amount of changes in this round, the biggest one is that we
  finally have Mings multi-page bvec support merged. Apart from that,
  this pull request contains:

   - Small series that avoids quiescing the queue for sysfs changes that
     match what we currently have (Aleksei)

   - Series of bcache fixes (via Coly)

   - Series of lightnvm fixes (via Mathias)

   - NVMe pull request from Christoph. Nothing major, just SPDX/license
     cleanups, RR mp policy (Hannes), and little fixes (Bart,
     Chaitanya).

   - BFQ series (Paolo)

   - Save blk-mq cpu -&gt; hw queue mapping, removing a pointer indirection
     for the fast path (Jianchao)

   - fops-&gt;iopoll() added for async IO polling, this is a feature that
     the upcoming io_uring interface will use (Christoph, me)

   - Partition scan loop fixes (Dongli)

   - mtip32xx conversion from managed resource API (Christoph)

   - cdrom registration race fix (Guenter)

   - MD pull from Song, two minor fixes.

   - Various documentation fixes (Marcos)

   - Multi-page bvec feature. This brings a lot of nice improvements
     with it, like more efficient splitting, larger IOs can be supported
     without growing the bvec table size, and so on. (Ming)

   - Various little fixes to core and drivers"

* tag 'for-5.1/block-20190302' of git://git.kernel.dk/linux-block: (117 commits)
  block: fix updating bio's front segment size
  block: Replace function name in string with __func__
  nbd: propagate genlmsg_reply return code
  floppy: remove set but not used variable 'q'
  null_blk: fix checking for REQ_FUA
  block: fix NULL pointer dereference in register_disk
  fs: fix guard_bio_eod to check for real EOD errors
  blk-mq: use HCTX_TYPE_DEFAULT but not 0 to index blk_mq_tag_set-&gt;map
  block: optimize bvec iteration in bvec_iter_advance
  block: introduce mp_bvec_for_each_page() for iterating over page
  block: optimize blk_bio_segment_split for single-page bvec
  block: optimize __blk_segment_map_sg() for single-page bvec
  block: introduce bvec_nth_page()
  iomap: wire up the iopoll method
  block: add bio_set_polled() helper
  block: wire up block device iopoll method
  fs: add an iopoll method to struct file_operations
  loop: set GENHD_FL_NO_PART_SCAN after blkdev_reread_part()
  loop: do not print warn message if partition scan is successful
  block: bounce: make sure that bvec table is updated
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull block layer updates from Jens Axboe:
 "Not a huge amount of changes in this round, the biggest one is that we
  finally have Mings multi-page bvec support merged. Apart from that,
  this pull request contains:

   - Small series that avoids quiescing the queue for sysfs changes that
     match what we currently have (Aleksei)

   - Series of bcache fixes (via Coly)

   - Series of lightnvm fixes (via Mathias)

   - NVMe pull request from Christoph. Nothing major, just SPDX/license
     cleanups, RR mp policy (Hannes), and little fixes (Bart,
     Chaitanya).

   - BFQ series (Paolo)

   - Save blk-mq cpu -&gt; hw queue mapping, removing a pointer indirection
     for the fast path (Jianchao)

   - fops-&gt;iopoll() added for async IO polling, this is a feature that
     the upcoming io_uring interface will use (Christoph, me)

   - Partition scan loop fixes (Dongli)

   - mtip32xx conversion from managed resource API (Christoph)

   - cdrom registration race fix (Guenter)

   - MD pull from Song, two minor fixes.

   - Various documentation fixes (Marcos)

   - Multi-page bvec feature. This brings a lot of nice improvements
     with it, like more efficient splitting, larger IOs can be supported
     without growing the bvec table size, and so on. (Ming)

   - Various little fixes to core and drivers"

* tag 'for-5.1/block-20190302' of git://git.kernel.dk/linux-block: (117 commits)
  block: fix updating bio's front segment size
  block: Replace function name in string with __func__
  nbd: propagate genlmsg_reply return code
  floppy: remove set but not used variable 'q'
  null_blk: fix checking for REQ_FUA
  block: fix NULL pointer dereference in register_disk
  fs: fix guard_bio_eod to check for real EOD errors
  blk-mq: use HCTX_TYPE_DEFAULT but not 0 to index blk_mq_tag_set-&gt;map
  block: optimize bvec iteration in bvec_iter_advance
  block: introduce mp_bvec_for_each_page() for iterating over page
  block: optimize blk_bio_segment_split for single-page bvec
  block: optimize __blk_segment_map_sg() for single-page bvec
  block: introduce bvec_nth_page()
  iomap: wire up the iopoll method
  block: add bio_set_polled() helper
  block: wire up block device iopoll method
  fs: add an iopoll method to struct file_operations
  loop: set GENHD_FL_NO_PART_SCAN after blkdev_reread_part()
  loop: do not print warn message if partition scan is successful
  block: bounce: make sure that bvec table is updated
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix mis-acted TAIL merging behavior</title>
<updated>2019-02-27T14:41:57+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-27T05:33:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a112152f6f3a2a88caa6f414d540bd49e406af60'/>
<id>a112152f6f3a2a88caa6f414d540bd49e406af60</id>
<content type='text'>
EROFS has an optimized path called TAIL merging, which is designed
to merge multiple reads and the corresponding decompressions into
one if these requests read continuous pages almost at the same time.

In general, it behaves as follows:
 ________________________________________________________________
  ... |  TAIL  .  HEAD  |  PAGE  |  PAGE  |  TAIL    . HEAD | ...
 _____|_combined page A_|________|________|_combined page B_|____
        1  ]  -&gt;  [  2                          ]  -&gt;  [ 3
If the above three reads are requested in the order 1-2-3, it will
generate a large work chain rather than 3 individual work chains
to reduce scheduling overhead and boost up sequential read.

However, if Read 2 is processed slightly earlier than Read 1,
currently it still generates 2 individual work chains (chain 1, 2)
but it does in-place decompression for combined page A, moreover,
if chain 2 decompresses ahead of chain 1, it will be a race and
lead to corrupted decompressed page. This patch fixes it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
EROFS has an optimized path called TAIL merging, which is designed
to merge multiple reads and the corresponding decompressions into
one if these requests read continuous pages almost at the same time.

In general, it behaves as follows:
 ________________________________________________________________
  ... |  TAIL  .  HEAD  |  PAGE  |  PAGE  |  TAIL    . HEAD | ...
 _____|_combined page A_|________|________|_combined page B_|____
        1  ]  -&gt;  [  2                          ]  -&gt;  [ 3
If the above three reads are requested in the order 1-2-3, it will
generate a large work chain rather than 3 individual work chains
to reduce scheduling overhead and boost up sequential read.

However, if Read 2 is processed slightly earlier than Read 1,
currently it still generates 2 individual work chains (chain 1, 2)
but it does in-place decompression for combined page A, moreover,
if chain 2 decompresses ahead of chain 1, it will be a race and
lead to corrupted decompressed page. This patch fixes it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix illegal address access under memory pressure</title>
<updated>2019-02-27T14:41:57+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-27T05:33:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1e5ceeab6929585512c63d05911d6657064abf7b'/>
<id>1e5ceeab6929585512c63d05911d6657064abf7b</id>
<content type='text'>
Considering a read request with two decompressed file pages,
If a decompression work cannot be started on the previous page
due to memory pressure but in-memory LTP map lookup is done,
builder-&gt;work should be still NULL.

Moreover, if the current page also belongs to the same map,
it won't try to start the decompression work again and then
run into trouble.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

kernel message is:
&lt;4&gt;[1051408.015930s]SLUB: Unable to allocate memory on node -1, gfp=0x2408040(GFP_NOFS|__GFP_ZERO)
&lt;4&gt;[1051408.015930s]  cache: erofs_compress, object size: 144, buffer size: 144, default order: 0, min order: 0
&lt;4&gt;[1051408.015930s]  node 0: slabs: 98, objs: 2744, free: 0
  * Cannot allocate the decompression work

&lt;3&gt;[1051408.015960s]erofs: z_erofs_vle_normalaccess_readpages, readahead error at page 1008 of nid 5391488
  * Note that the previous page was failed to read

&lt;0&gt;[1051408.015960s]Internal error: Accessing user space memory outside uaccess.h routines: 96000005 [#1] PREEMPT SMP
...
&lt;4&gt;[1051408.015991s]Hardware name: kirin710 (DT)
...
&lt;4&gt;[1051408.016021s]PC is at z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.016021s]LR is at z_erofs_do_read_page+0x12c/0xcf0
...
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb0fd4&gt;] z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb3814&gt;] z_erofs_vle_normalaccess_readpages+0x1a0/0x37c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6d670b8&gt;] read_pages+0x70/0x190
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d6736c&gt;] __do_page_cache_readahead+0x194/0x1a8
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d59318&gt;] filemap_fault+0x398/0x684
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8a9e0&gt;] __do_fault+0x8c/0x138
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8f90c&gt;] handle_pte_fault+0x730/0xb7c
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8fe04&gt;] __handle_mm_fault+0xac/0xf4
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6d8fec8&gt;] handle_mm_fault+0x7c/0x118
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52998&gt;] do_page_fault+0x354/0x474
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52af8&gt;] do_translation_fault+0x40/0x48
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6c002f4&gt;] do_mem_abort+0x80/0x100
&lt;4&gt;[1051408.018310s]---[ end trace 9f4009a3283bd78b ]---

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Considering a read request with two decompressed file pages,
If a decompression work cannot be started on the previous page
due to memory pressure but in-memory LTP map lookup is done,
builder-&gt;work should be still NULL.

Moreover, if the current page also belongs to the same map,
it won't try to start the decompression work again and then
run into trouble.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

kernel message is:
&lt;4&gt;[1051408.015930s]SLUB: Unable to allocate memory on node -1, gfp=0x2408040(GFP_NOFS|__GFP_ZERO)
&lt;4&gt;[1051408.015930s]  cache: erofs_compress, object size: 144, buffer size: 144, default order: 0, min order: 0
&lt;4&gt;[1051408.015930s]  node 0: slabs: 98, objs: 2744, free: 0
  * Cannot allocate the decompression work

&lt;3&gt;[1051408.015960s]erofs: z_erofs_vle_normalaccess_readpages, readahead error at page 1008 of nid 5391488
  * Note that the previous page was failed to read

&lt;0&gt;[1051408.015960s]Internal error: Accessing user space memory outside uaccess.h routines: 96000005 [#1] PREEMPT SMP
...
&lt;4&gt;[1051408.015991s]Hardware name: kirin710 (DT)
...
&lt;4&gt;[1051408.016021s]PC is at z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.016021s]LR is at z_erofs_do_read_page+0x12c/0xcf0
...
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb0fd4&gt;] z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb3814&gt;] z_erofs_vle_normalaccess_readpages+0x1a0/0x37c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6d670b8&gt;] read_pages+0x70/0x190
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d6736c&gt;] __do_page_cache_readahead+0x194/0x1a8
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d59318&gt;] filemap_fault+0x398/0x684
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8a9e0&gt;] __do_fault+0x8c/0x138
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8f90c&gt;] handle_pte_fault+0x730/0xb7c
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8fe04&gt;] __handle_mm_fault+0xac/0xf4
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6d8fec8&gt;] handle_mm_fault+0x7c/0x118
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52998&gt;] do_page_fault+0x354/0x474
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52af8&gt;] do_translation_fault+0x40/0x48
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6c002f4&gt;] do_mem_abort+0x80/0x100
&lt;4&gt;[1051408.018310s]---[ end trace 9f4009a3283bd78b ]---

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: compressed_pages should not be accessed again after freed</title>
<updated>2019-02-27T14:41:57+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-27T05:33:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=af692e117cb8cd9d3d844d413095775abc1217f9'/>
<id>af692e117cb8cd9d3d844d413095775abc1217f9</id>
<content type='text'>
This patch resolves the following page use-after-free issue,
z_erofs_vle_unzip:
    ...
    for (i = 0; i &lt; nr_pages; ++i) {
        ...
        z_erofs_onlinepage_endio(page);  (1)
    }

    for (i = 0; i &lt; clusterpages; ++i) {
        page = compressed_pages[i];

        if (page-&gt;mapping == mngda)      (2)
            continue;
        /* recycle all individual staging pages */
        (void)z_erofs_gather_if_stagingpage(page_pool, page); (3)
        WRITE_ONCE(compressed_pages[i], NULL);
    }
    ...

After (1) is executed, page is freed and could be then reused, if
compressed_pages is scanned after that, it could fall info (2) or
(3) by mistake and that could finally be in a mess.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch resolves the following page use-after-free issue,
z_erofs_vle_unzip:
    ...
    for (i = 0; i &lt; nr_pages; ++i) {
        ...
        z_erofs_onlinepage_endio(page);  (1)
    }

    for (i = 0; i &lt; clusterpages; ++i) {
        page = compressed_pages[i];

        if (page-&gt;mapping == mngda)      (2)
            continue;
        /* recycle all individual staging pages */
        (void)z_erofs_gather_if_stagingpage(page_pool, page); (3)
        WRITE_ONCE(compressed_pages[i], NULL);
    }
    ...

After (1) is executed, page is freed and could be then reused, if
compressed_pages is scanned after that, it could fall info (2) or
(3) by mistake and that could finally be in a mess.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: switch to -&gt;iterate_shared()</title>
<updated>2019-02-26T10:52:46+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-21T02:34:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bee1568293d723caa192e200086e29fc37492583'/>
<id>bee1568293d723caa192e200086e29fc37492583</id>
<content type='text'>
After commit 6192269444eb ("introduce a parallel variant of -&gt;iterate()"),
readdir can be done without taking exclusive inode lock of course.

Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After commit 6192269444eb ("introduce a parallel variant of -&gt;iterate()"),
readdir can be done without taking exclusive inode lock of course.

Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: no need to take page lock in readdir</title>
<updated>2019-02-26T10:52:45+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-21T02:34:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b2bb112db116585886eccf07d7392d23e1216279'/>
<id>b2bb112db116585886eccf07d7392d23e1216279</id>
<content type='text'>
VFS will take inode_lock for readdir, therefore no need to
take page lock in readdir at all just as the majority of
other generic filesystems.

Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
VFS will take inode_lock for readdir, therefore no need to
take page lock in readdir at all just as the majority of
other generic filesystems.

Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
