On 3/27/26 10:38, Vasileios Almpanis wrote: > Reviewed-by: Vasileios Almpanis <vasileios.almpanis.virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <[email protected]> > > On 3/26/26 6:50 PM, Konstantin Khorenko wrote: >> GCC's GCOV instrumentation can merge global branch counters with loop >> induction variables as an optimization. In inflate_fast(), the inner >> copy loops get transformed so that the GCOV counter value is loaded >> multiple times to compute the loop base address, start index, and end >> bound. Since GCOV counters are global (not per-CPU), concurrent >> execution on different CPUs causes the counter to change between loads, >> producing inconsistent values and out-of-bounds memory writes. >> >> The crash manifests during IPComp (IP Payload Compression) processing >> when inflate_fast() runs concurrently on multiple CPUs: >> >> BUG: unable to handle page fault for address: ffffd0a3c0902ffa >> RIP: inflate_fast+1431 >> Call Trace: >> zlib_inflate >> __deflate_decompress >> crypto_comp_decompress >> ipcomp_decompress [xfrm_ipcomp] >> ipcomp_input [xfrm_ipcomp] >> xfrm_input >> >> At the crash point, the compiler generated three loads from the same >> global GCOV counter (__gcov0.inflate_fast+216) to compute base, start, >> and end for an indexed loop. Another CPU modified the counter between >> loads, making the values inconsistent — the write went 3.4 MB past a >> 65 KB buffer. >> >> Add -fprofile-update=atomic to zlib Makefiles. This tells GCC that >> GCOV counters may be concurrently accessed, causing counter updates to >> use atomic instructions (lock addq) instead of plain load/store. This >> prevents the compiler from merging counters with loop induction >> variables. The flag is scoped to zlib only to avoid unnecessary >> overhead in the rest of the kernel. >> >> https://virtuozzo.atlassian.net/browse/VSTOR-127788 >> >> Feature: fix selftests >> Signed-off-by: Konstantin Khorenko <[email protected]> >> --- >> lib/zlib_deflate/Makefile | 6 ++++++ >> lib/zlib_dfltcc/Makefile | 6 ++++++ >> lib/zlib_inflate/Makefile | 7 +++++++ >> 3 files changed, 19 insertions(+) >> >> diff --git a/lib/zlib_deflate/Makefile b/lib/zlib_deflate/Makefile >> index 2622e03c0b942..dc0b3e5660e9e 100644 >> --- a/lib/zlib_deflate/Makefile >> +++ b/lib/zlib_deflate/Makefile >> @@ -7,6 +7,12 @@ >> # decompression code. >> # >> +# Force atomic GCOV counter updates to prevent GCC from merging global >> +# counters with loop induction variables (see lib/zlib_inflate/Makefile). >> +ifdef CONFIG_GCOV_KERNEL >> +ccflags-y += -fprofile-update=atomic >> +endif >> + >> obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate.o >> zlib_deflate-objs := deflate.o deftree.o deflate_syms.o >> diff --git a/lib/zlib_dfltcc/Makefile b/lib/zlib_dfltcc/Makefile >> index 66e1c96387c40..fb08749d2ee7b 100644 >> --- a/lib/zlib_dfltcc/Makefile >> +++ b/lib/zlib_dfltcc/Makefile >> @@ -6,6 +6,12 @@ >> # This is the code for s390 zlib hardware support. >> # >> +# Force atomic GCOV counter updates to prevent GCC from merging global >> +# counters with loop induction variables (see lib/zlib_inflate/Makefile). >> +ifdef CONFIG_GCOV_KERNEL >> +ccflags-y += -fprofile-update=atomic >> +endif >> + >> obj-$(CONFIG_ZLIB_DFLTCC) += zlib_dfltcc.o >> zlib_dfltcc-objs := dfltcc.o dfltcc_deflate.o dfltcc_inflate.o >> diff --git a/lib/zlib_inflate/Makefile b/lib/zlib_inflate/Makefile >> index 27327d3e9f541..8707c649adda5 100644 >> --- a/lib/zlib_inflate/Makefile >> +++ b/lib/zlib_inflate/Makefile >> @@ -14,6 +14,13 @@ >> # uncompression can be done without blocking on allocation). >> # >> +# Force atomic GCOV counter updates to prevent GCC from merging global >> +# counters with loop induction variables — concurrent inflate_fast() >> +# execution on multiple CPUs causes out-of-bounds writes otherwise. >> +ifdef CONFIG_GCOV_KERNEL >> +ccflags-y += -fprofile-update=atomic >> +endif >> + >> obj-$(CONFIG_ZLIB_INFLATE) += zlib_inflate.o >> zlib_inflate-objs := inffast.o inflate.o infutil.o \ -- Best regards, Pavel Tikhomirov Senior Software Developer, Virtuozzo. _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
