--- /dev/null
+From 673e7bbdb3920b62cfc6c710bea626b0a9b0f43a Mon Sep 17 00:00:00 2001
+From: "U. Artie Eoff" <ullysses.a.eoff@intel.com>
+Date: Mon, 29 Sep 2014 15:49:32 -0700
+Subject: drm/i915: intel_backlight scale() math WA
+
+From: "U. Artie Eoff" <ullysses.a.eoff@intel.com>
+
+commit 673e7bbdb3920b62cfc6c710bea626b0a9b0f43a upstream.
+
+Improper truncated integer division in the scale() function causes
+actual_brightness != brightness. This (partial) work-around should be
+sufficient for a majority of use-cases, but it is by no means a complete
+solution.
+
+TODO: Determine how best to scale "user" values to "hw" values, and
+vice-versa, when the ranges are of different sizes. That would be a
+buggy scenario even with this work-around.
+
+The issue was introduced in the following (v3.17-rc1) commit:
+
+ 6dda730 drm/i915: respect the VBT minimum backlight brightness
+
+Note that for easier backporting this commit adds a duplicated macro.
+A follow-up cleanup patch rectifies this for 3.18+
+
+v2: (thanks to Chris Wilson) clarify commit message, use rounded division
+macro
+
+v3: -DIV_ROUND_CLOSEST() fails to build with CONFIG_X86_32=y. (Jani)
+ -Use DIV_ROUND_CLOSEST_ULL() instead. (Damien)
+ -v1 and v2 originally authored by Joe Konno.
+
+Signed-off-by: U. Artie Eoff <ullysses.a.eoff@intel.com>
+Reviewed-By: Joe Konno <joe.konno@intel.com>
+[danvet: Add backporting note.]
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_panel.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_panel.c
++++ b/drivers/gpu/drm/i915/intel_panel.c
+@@ -398,6 +398,9 @@ intel_panel_detect(struct drm_device *de
+ }
+ }
+
++#define DIV_ROUND_CLOSEST_ULL(ll, d) \
++({ unsigned long long _tmp = (ll)+(d)/2; do_div(_tmp, d); _tmp; })
++
+ /**
+ * scale - scale values from one range to another
+ *
+@@ -419,9 +422,8 @@ static uint32_t scale(uint32_t source_va
+ source_val = clamp(source_val, source_min, source_max);
+
+ /* avoid overflows */
+- target_val = (uint64_t)(source_val - source_min) *
+- (target_max - target_min);
+- do_div(target_val, source_max - source_min);
++ target_val = DIV_ROUND_CLOSEST_ULL((uint64_t)(source_val - source_min) *
++ (target_max - target_min), source_max - source_min);
+ target_val += target_min;
+
+ return target_val;
--- /dev/null
+From 1180e20606fd7c5d76dc5b2a1594fa51ba5a0f31 Mon Sep 17 00:00:00 2001
+From: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Date: Tue, 7 Oct 2014 18:02:52 -0300
+Subject: drm/i915: properly reenable gen8 pipe IRQs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paulo Zanoni <paulo.r.zanoni@intel.com>
+
+commit 1180e20606fd7c5d76dc5b2a1594fa51ba5a0f31 upstream.
+
+We were missing the pipe B/C vblank bits! Take a look at
+gen8_de_irq_postinstall for a comparison.
+
+This should fix a bunch of IGT tests.
+
+There are a few more things we could improve on this code, but this
+should be the minimal fix to unblock us.
+
+v2: s/extra_iir/extra_ier/ because IIR doesn't make sense (Ville)
+
+Bugzilla:https://bugs.freedesktop.org/show_bug.cgi?id=83640
+Testcase: igt/*
+Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -3482,12 +3482,13 @@ static void gen8_irq_reset(struct drm_de
+ void gen8_irq_power_well_post_enable(struct drm_i915_private *dev_priv)
+ {
+ unsigned long irqflags;
++ uint32_t extra_ier = GEN8_PIPE_VBLANK | GEN8_PIPE_FIFO_UNDERRUN;
+
+ spin_lock_irqsave(&dev_priv->irq_lock, irqflags);
+ GEN8_IRQ_INIT_NDX(DE_PIPE, PIPE_B, dev_priv->de_irq_mask[PIPE_B],
+- ~dev_priv->de_irq_mask[PIPE_B]);
++ ~dev_priv->de_irq_mask[PIPE_B] | extra_ier);
+ GEN8_IRQ_INIT_NDX(DE_PIPE, PIPE_C, dev_priv->de_irq_mask[PIPE_C],
+- ~dev_priv->de_irq_mask[PIPE_C]);
++ ~dev_priv->de_irq_mask[PIPE_C] | extra_ier);
+ spin_unlock_irqrestore(&dev_priv->irq_lock, irqflags);
+ }
+
--- /dev/null
+From 67e26e41ff8aa514826dae79f0b10169b5ba93b4 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Mon, 20 Oct 2014 15:49:33 +1000
+Subject: drm/nouveau: fix regression on agp boards
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 67e26e41ff8aa514826dae79f0b10169b5ba93b4 upstream.
+
+Extends the fix in f2f9a2cbaf019481feefe231f996d3602612fa99 to also
+workaround permission issues noticed by people using AGP systems.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nouveau_chan.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_chan.c
++++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
+@@ -400,15 +400,20 @@ nouveau_channel_new(struct nouveau_drm *
+ struct nouveau_channel **pchan)
+ {
+ struct nouveau_cli *cli = (void *)nvif_client(&device->base);
++ bool super;
+ int ret;
+
++ /* hack until fencenv50 is fixed, and agp access relaxed */
++ super = cli->base.super;
++ cli->base.super = true;
++
+ ret = nouveau_channel_ind(drm, device, handle, arg0, pchan);
+ if (ret) {
+ NV_PRINTK(debug, cli, "ib channel create, %d\n", ret);
+ ret = nouveau_channel_dma(drm, device, handle, pchan);
+ if (ret) {
+ NV_PRINTK(debug, cli, "dma channel create, %d\n", ret);
+- return ret;
++ goto done;
+ }
+ }
+
+@@ -416,8 +421,9 @@ nouveau_channel_new(struct nouveau_drm *
+ if (ret) {
+ NV_PRINTK(error, cli, "channel failed to initialise, %d\n", ret);
+ nouveau_channel_del(pchan);
+- return ret;
+ }
+
+- return 0;
++done:
++ cli->base.super = super;
++ return ret;
+ }
--- /dev/null
+From 4910403836ded89803fab201d4b5caaa85de3a89 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 13 Oct 2014 11:51:50 -0400
+Subject: drm/radeon: fix speaker allocation setup
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 4910403836ded89803fab201d4b5caaa85de3a89 upstream.
+
+If the sad_count is 0, set the hw to stereo and change
+the error message to a warn. A lot of monitors don't
+set the speaker allocation block.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/dce3_1_afmt.c | 4 ++--
+ drivers/gpu/drm/radeon/dce6_afmt.c | 6 +++---
+ drivers/gpu/drm/radeon/evergreen_hdmi.c | 6 +++---
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/dce3_1_afmt.c
++++ b/drivers/gpu/drm/radeon/dce3_1_afmt.c
+@@ -49,8 +49,8 @@ static void dce3_2_afmt_write_speaker_al
+
+ sad_count = drm_edid_to_speaker_allocation(radeon_connector->edid, &sadb);
+ if (sad_count < 0) {
+- DRM_ERROR("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
+- return;
++ DRM_DEBUG("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
++ sad_count = 0;
+ }
+
+ /* program the speaker allocation */
+--- a/drivers/gpu/drm/radeon/dce6_afmt.c
++++ b/drivers/gpu/drm/radeon/dce6_afmt.c
+@@ -176,9 +176,9 @@ void dce6_afmt_write_speaker_allocation(
+ }
+
+ sad_count = drm_edid_to_speaker_allocation(radeon_connector_edid(connector), &sadb);
+- if (sad_count <= 0) {
+- DRM_ERROR("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
+- return;
++ if (sad_count < 0) {
++ DRM_DEBUG("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
++ sad_count = 0;
+ }
+
+ /* program the speaker allocation */
+--- a/drivers/gpu/drm/radeon/evergreen_hdmi.c
++++ b/drivers/gpu/drm/radeon/evergreen_hdmi.c
+@@ -118,9 +118,9 @@ static void dce4_afmt_write_speaker_allo
+ }
+
+ sad_count = drm_edid_to_speaker_allocation(radeon_connector_edid(connector), &sadb);
+- if (sad_count <= 0) {
+- DRM_ERROR("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
+- return;
++ if (sad_count < 0) {
++ DRM_DEBUG("Couldn't read Speaker Allocation Data Block: %d\n", sad_count);
++ sad_count = 0;
+ }
+
+ /* program the speaker allocation */
--- /dev/null
+From 8e66e134e20b936179ea1535dd4ed19ec4f99dba Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 15 Oct 2014 17:20:55 -0400
+Subject: drm/radeon: fix vm page table block size calculation
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 8e66e134e20b936179ea1535dd4ed19ec4f99dba upstream.
+
+The page offset is 12 bits. For example if we have an
+8 GB VM, we'd need 33 bits. The number of bits needed
+for PD + PT is 21 (33 - 12 or log2(8) + 18), not 20
+(log2(8) + 17).
+
+Noticed by Alexey during code review.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -1130,7 +1130,7 @@ static void radeon_check_arguments(struc
+ if (radeon_vm_block_size == -1) {
+
+ /* Total bits covered by PD + PTs */
+- unsigned bits = ilog2(radeon_vm_size) + 17;
++ unsigned bits = ilog2(radeon_vm_size) + 18;
+
+ /* Make sure the PD is 4K in size up to 8GB address space.
+ Above that split equal between PD and PTs */
--- /dev/null
+From adfed2b0587289013f8143c54913ddfd44ac1fd3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 13 Oct 2014 13:20:02 -0400
+Subject: drm/radeon: use gart memory for DMA ring tests
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit adfed2b0587289013f8143c54913ddfd44ac1fd3 upstream.
+
+Avoids HDP cache flush issues when using vram which can
+cause ring test failures on certain boards.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Alexander Fyodorov <halcy@yandex.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/cik_sdma.c | 21 ++++++++++++---------
+ drivers/gpu/drm/radeon/r600_dma.c | 21 ++++++++++++---------
+ drivers/gpu/drm/radeon/radeon.h | 2 ++
+ 3 files changed, 26 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/cik_sdma.c
++++ b/drivers/gpu/drm/radeon/cik_sdma.c
+@@ -610,16 +610,19 @@ int cik_sdma_ring_test(struct radeon_dev
+ {
+ unsigned i;
+ int r;
+- void __iomem *ptr = (void *)rdev->vram_scratch.ptr;
++ unsigned index;
+ u32 tmp;
++ u64 gpu_addr;
+
+- if (!ptr) {
+- DRM_ERROR("invalid vram scratch pointer\n");
+- return -EINVAL;
+- }
++ if (ring->idx == R600_RING_TYPE_DMA_INDEX)
++ index = R600_WB_DMA_RING_TEST_OFFSET;
++ else
++ index = CAYMAN_WB_DMA1_RING_TEST_OFFSET;
++
++ gpu_addr = rdev->wb.gpu_addr + index;
+
+ tmp = 0xCAFEDEAD;
+- writel(tmp, ptr);
++ rdev->wb.wb[index/4] = cpu_to_le32(tmp);
+
+ r = radeon_ring_lock(rdev, ring, 5);
+ if (r) {
+@@ -627,14 +630,14 @@ int cik_sdma_ring_test(struct radeon_dev
+ return r;
+ }
+ radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_WRITE, SDMA_WRITE_SUB_OPCODE_LINEAR, 0));
+- radeon_ring_write(ring, rdev->vram_scratch.gpu_addr & 0xfffffffc);
+- radeon_ring_write(ring, upper_32_bits(rdev->vram_scratch.gpu_addr));
++ radeon_ring_write(ring, lower_32_bits(gpu_addr));
++ radeon_ring_write(ring, upper_32_bits(gpu_addr));
+ radeon_ring_write(ring, 1); /* number of DWs to follow */
+ radeon_ring_write(ring, 0xDEADBEEF);
+ radeon_ring_unlock_commit(rdev, ring, false);
+
+ for (i = 0; i < rdev->usec_timeout; i++) {
+- tmp = readl(ptr);
++ tmp = le32_to_cpu(rdev->wb.wb[index/4]);
+ if (tmp == 0xDEADBEEF)
+ break;
+ DRM_UDELAY(1);
+--- a/drivers/gpu/drm/radeon/r600_dma.c
++++ b/drivers/gpu/drm/radeon/r600_dma.c
+@@ -232,16 +232,19 @@ int r600_dma_ring_test(struct radeon_dev
+ {
+ unsigned i;
+ int r;
+- void __iomem *ptr = (void *)rdev->vram_scratch.ptr;
++ unsigned index;
+ u32 tmp;
++ u64 gpu_addr;
+
+- if (!ptr) {
+- DRM_ERROR("invalid vram scratch pointer\n");
+- return -EINVAL;
+- }
++ if (ring->idx == R600_RING_TYPE_DMA_INDEX)
++ index = R600_WB_DMA_RING_TEST_OFFSET;
++ else
++ index = CAYMAN_WB_DMA1_RING_TEST_OFFSET;
++
++ gpu_addr = rdev->wb.gpu_addr + index;
+
+ tmp = 0xCAFEDEAD;
+- writel(tmp, ptr);
++ rdev->wb.wb[index/4] = cpu_to_le32(tmp);
+
+ r = radeon_ring_lock(rdev, ring, 4);
+ if (r) {
+@@ -249,13 +252,13 @@ int r600_dma_ring_test(struct radeon_dev
+ return r;
+ }
+ radeon_ring_write(ring, DMA_PACKET(DMA_PACKET_WRITE, 0, 0, 1));
+- radeon_ring_write(ring, rdev->vram_scratch.gpu_addr & 0xfffffffc);
+- radeon_ring_write(ring, upper_32_bits(rdev->vram_scratch.gpu_addr) & 0xff);
++ radeon_ring_write(ring, lower_32_bits(gpu_addr));
++ radeon_ring_write(ring, upper_32_bits(gpu_addr) & 0xff);
+ radeon_ring_write(ring, 0xDEADBEEF);
+ radeon_ring_unlock_commit(rdev, ring, false);
+
+ for (i = 0; i < rdev->usec_timeout; i++) {
+- tmp = readl(ptr);
++ tmp = le32_to_cpu(rdev->wb.wb[index/4]);
+ if (tmp == 0xDEADBEEF)
+ break;
+ DRM_UDELAY(1);
+--- a/drivers/gpu/drm/radeon/radeon.h
++++ b/drivers/gpu/drm/radeon/radeon.h
+@@ -1120,6 +1120,8 @@ struct radeon_wb {
+ #define R600_WB_EVENT_OFFSET 3072
+ #define CIK_WB_CP1_WPTR_OFFSET 3328
+ #define CIK_WB_CP2_WPTR_OFFSET 3584
++#define R600_WB_DMA_RING_TEST_OFFSET 3588
++#define CAYMAN_WB_DMA1_RING_TEST_OFFSET 3592
+
+ /**
+ * struct radeon_pm - power management datas
--- /dev/null
+From f4bb2981024fc91b23b4d09a8817c415396dbabb Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 5 Oct 2014 22:56:00 -0400
+Subject: ext4: add ext4_iget_normal() which is to be used for dir tree lookups
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit f4bb2981024fc91b23b4d09a8817c415396dbabb upstream.
+
+If there is a corrupted file system which has directory entries that
+point at reserved, metadata inodes, prohibit them from being used by
+treating them the same way we treat Boot Loader inodes --- that is,
+mark them to be bad inodes. This prohibits them from being opened,
+deleted, or modified via chmod, chown, utimes, etc.
+
+In particular, this prevents a corrupted file system which has a
+directory entry which points at the journal inode from being deleted
+and its blocks released, after which point Much Hilarity Ensues.
+
+Reported-by: Sami Liedes <sami.liedes@iki.fi>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4.h | 1 +
+ fs/ext4/inode.c | 7 +++++++
+ fs/ext4/namei.c | 4 ++--
+ fs/ext4/super.c | 2 +-
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -2109,6 +2109,7 @@ int do_journal_get_write_access(handle_t
+ #define CONVERT_INLINE_DATA 2
+
+ extern struct inode *ext4_iget(struct super_block *, unsigned long);
++extern struct inode *ext4_iget_normal(struct super_block *, unsigned long);
+ extern int ext4_write_inode(struct inode *, struct writeback_control *);
+ extern int ext4_setattr(struct dentry *, struct iattr *);
+ extern int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4127,6 +4127,13 @@ bad_inode:
+ return ERR_PTR(ret);
+ }
+
++struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino)
++{
++ if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)
++ return ERR_PTR(-EIO);
++ return ext4_iget(sb, ino);
++}
++
+ static int ext4_inode_blocks_set(handle_t *handle,
+ struct ext4_inode *raw_inode,
+ struct ext4_inode_info *ei)
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1441,7 +1441,7 @@ static struct dentry *ext4_lookup(struct
+ dentry);
+ return ERR_PTR(-EIO);
+ }
+- inode = ext4_iget(dir->i_sb, ino);
++ inode = ext4_iget_normal(dir->i_sb, ino);
+ if (inode == ERR_PTR(-ESTALE)) {
+ EXT4_ERROR_INODE(dir,
+ "deleted inode referenced: %u",
+@@ -1474,7 +1474,7 @@ struct dentry *ext4_get_parent(struct de
+ return ERR_PTR(-EIO);
+ }
+
+- return d_obtain_alias(ext4_iget(child->d_inode->i_sb, ino));
++ return d_obtain_alias(ext4_iget_normal(child->d_inode->i_sb, ino));
+ }
+
+ /*
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1002,7 +1002,7 @@ static struct inode *ext4_nfs_get_inode(
+ * Currently we don't know the generation for parent directory, so
+ * a generation of 0 means "accept any"
+ */
+- inode = ext4_iget(sb, ino);
++ inode = ext4_iget_normal(sb, ino);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
+ if (generation && inode->i_generation != generation) {
--- /dev/null
+From a0626e75954078cfacddb00a4545dde821170bc5 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 16 Sep 2014 14:34:59 -0400
+Subject: ext4: check EA value offset when loading
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit a0626e75954078cfacddb00a4545dde821170bc5 upstream.
+
+When loading extended attributes, check each entry's value offset to
+make sure it doesn't collide with the entries.
+
+Without this check it is easy to crash the kernel by mounting a
+malicious FS containing a file with an EA wherein e_value_offs = 0 and
+e_value_size > 0 and then deleting the EA, which corrupts the name
+list.
+
+(See the f_ea_value_crash test's FS image in e2fsprogs for an example.)
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -190,14 +190,28 @@ ext4_listxattr(struct dentry *dentry, ch
+ }
+
+ static int
+-ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end)
++ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end,
++ void *value_start)
+ {
+- while (!IS_LAST_ENTRY(entry)) {
+- struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(entry);
++ struct ext4_xattr_entry *e = entry;
++
++ while (!IS_LAST_ENTRY(e)) {
++ struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
+ if ((void *)next >= end)
+ return -EIO;
+- entry = next;
++ e = next;
+ }
++
++ while (!IS_LAST_ENTRY(entry)) {
++ if (entry->e_value_size != 0 &&
++ (value_start + le16_to_cpu(entry->e_value_offs) <
++ (void *)e + sizeof(__u32) ||
++ value_start + le16_to_cpu(entry->e_value_offs) +
++ le32_to_cpu(entry->e_value_size) > end))
++ return -EIO;
++ entry = EXT4_XATTR_NEXT(entry);
++ }
++
+ return 0;
+ }
+
+@@ -214,7 +228,8 @@ ext4_xattr_check_block(struct inode *ino
+ return -EIO;
+ if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
+ return -EIO;
+- error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size);
++ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
++ bh->b_data);
+ if (!error)
+ set_buffer_verified(bh);
+ return error;
+@@ -331,7 +346,7 @@ ext4_xattr_ibody_get(struct inode *inode
+ header = IHDR(inode, raw_inode);
+ entry = IFIRST(header);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(entry, end);
++ error = ext4_xattr_check_names(entry, end, entry);
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_find_entry(&entry, name_index, name,
+@@ -463,7 +478,7 @@ ext4_xattr_ibody_list(struct dentry *den
+ raw_inode = ext4_raw_inode(&iloc);
+ header = IHDR(inode, raw_inode);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(IFIRST(header), end);
++ error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_list_entries(dentry, IFIRST(header),
+@@ -986,7 +1001,8 @@ int ext4_xattr_ibody_find(struct inode *
+ is->s.here = is->s.first;
+ is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
+- error = ext4_xattr_check_names(IFIRST(header), is->s.end);
++ error = ext4_xattr_check_names(IFIRST(header), is->s.end,
++ IFIRST(header));
+ if (error)
+ return error;
+ /* Find the named attribute. */
--- /dev/null
+From 813d32f91333e4c33d5a19b67167c4bae42dae75 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 14 Oct 2014 02:35:49 -0400
+Subject: ext4: check s_chksum_driver when looking for bg csum presence
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 813d32f91333e4c33d5a19b67167c4bae42dae75 upstream.
+
+Convert the ext4_has_group_desc_csum predicate to look for a checksum
+driver instead of the metadata_csum flag and change the bg checksum
+calculation function to look for GDT_CSUM before taking the crc16
+path.
+
+Without this patch, if we mount with ^uninit_bg,^metadata_csum and
+later metadata_csum gets turned on by accident, the block group
+checksum functions will incorrectly assume that checksumming is
+enabled (metadata_csum) but that crc16 should be used
+(!s_chksum_driver). This is totally wrong, so fix the predicate
+and the checksum formula selection.
+
+(Granted, if the metadata_csum feature bit gets enabled on a live FS
+then something underhanded is going on, but we could at least avoid
+writing garbage into the on-disk fields.)
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4.h | 4 ++--
+ fs/ext4/super.c | 4 ++++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -2333,8 +2333,8 @@ extern int ext4_register_li_request(stru
+ static inline int ext4_has_group_desc_csum(struct super_block *sb)
+ {
+ return EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_GDT_CSUM |
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM);
++ EXT4_FEATURE_RO_COMPAT_GDT_CSUM) ||
++ (EXT4_SB(sb)->s_chksum_driver != NULL);
+ }
+
+ static inline int ext4_has_metadata_csum(struct super_block *sb)
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2025,6 +2025,10 @@ static __le16 ext4_group_desc_csum(struc
+ }
+
+ /* old crc16 code */
++ if (!(sbi->s_es->s_feature_ro_compat &
++ cpu_to_le32(EXT4_FEATURE_RO_COMPAT_GDT_CSUM)))
++ return 0;
++
+ offset = offsetof(struct ext4_group_desc, bg_checksum);
+
+ crc = crc16(~0, sbi->s_es->s_uuid, sizeof(sbi->s_es->s_uuid));
--- /dev/null
+From 279bf6d390933d5353ab298fcc306c391a961469 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 18 Sep 2014 01:12:15 -0400
+Subject: ext4: don't check quota format when there are no quota files
+
+From: Jan Kara <jack@suse.cz>
+
+commit 279bf6d390933d5353ab298fcc306c391a961469 upstream.
+
+The check whether quota format is set even though there are no
+quota files with journalled quota is pointless and it actually
+makes it impossible to turn off journalled quotas (as there's
+no way to unset journalled quota format). Just remove the check.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1712,13 +1712,6 @@ static int parse_options(char *options,
+ "not specified");
+ return 0;
+ }
+- } else {
+- if (sbi->s_jquota_fmt) {
+- ext4_msg(sb, KERN_ERR, "journaled quota format "
+- "specified with no journaling "
+- "enabled");
+- return 0;
+- }
+ }
+ #endif
+ if (test_opt(sb, DIOREAD_NOLOCK)) {
--- /dev/null
+From e2bfb088fac03c0f621886a04cffc7faa2b49b1d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 5 Oct 2014 22:47:07 -0400
+Subject: ext4: don't orphan or truncate the boot loader inode
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e2bfb088fac03c0f621886a04cffc7faa2b49b1d upstream.
+
+The boot loader inode (inode #5) should never be visible in the
+directory hierarchy, but it's possible if the file system is corrupted
+that there will be a directory entry that points at inode #5. In
+order to avoid accidentally trashing it, when such a directory inode
+is opened, the inode will be marked as a bad inode, so that it's not
+possible to modify (or read) the inode from userspace.
+
+Unfortunately, when we unlink this (invalid/illegal) directory entry,
+we will put the bad inode on the ophan list, and then when try to
+unlink the directory, we don't actually remove the bad inode from the
+orphan list before freeing in-memory inode structure. This means the
+in-memory orphan list is corrupted, leading to a kernel oops.
+
+In addition, avoid truncating a bad inode in ext4_destroy_inode(),
+since truncating the boot loader inode is not a smart thing to do.
+
+Reported-by: Sami Liedes <sami.liedes@iki.fi>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 7 +++----
+ fs/ext4/namei.c | 2 +-
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -224,16 +224,15 @@ void ext4_evict_inode(struct inode *inod
+ goto no_delete;
+ }
+
+- if (!is_bad_inode(inode))
+- dquot_initialize(inode);
++ if (is_bad_inode(inode))
++ goto no_delete;
++ dquot_initialize(inode);
+
+ if (ext4_should_order_data(inode))
+ ext4_begin_ordered_truncate(inode, 0);
+ truncate_inode_pages_final(&inode->i_data);
+
+ WARN_ON(atomic_read(&EXT4_I(inode)->i_ioend_count));
+- if (is_bad_inode(inode))
+- goto no_delete;
+
+ /*
+ * Protect us against freezing - iput() caller didn't have to have any
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2573,7 +2573,7 @@ int ext4_orphan_add(handle_t *handle, st
+ int err = 0, rc;
+ bool dirty = false;
+
+- if (!sbi->s_journal)
++ if (!sbi->s_journal || is_bad_inode(inode))
+ return 0;
+
+ WARN_ON_ONCE(!(inode->i_state & (I_NEW | I_FREEING)) &&
--- /dev/null
+From 98c1a7593fa355fda7f5a5940c8bf5326ca964ba Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 30 Oct 2014 10:53:16 -0400
+Subject: ext4: enable journal checksum when metadata checksum feature enabled
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 98c1a7593fa355fda7f5a5940c8bf5326ca964ba upstream.
+
+If metadata checksumming is turned on for the FS, we need to tell the
+journal to use checksumming too.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3498,6 +3498,10 @@ static int ext4_fill_super(struct super_
+ #ifdef CONFIG_EXT4_FS_POSIX_ACL
+ set_opt(sb, POSIX_ACL);
+ #endif
++ /* don't forget to enable journal_csum when metadata_csum is enabled. */
++ if (ext4_has_metadata_csum(sb))
++ set_opt(sb, JOURNAL_CHECKSUM);
++
+ if ((def_mount_opts & EXT4_DEFM_JMODE) == EXT4_DEFM_JMODE_DATA)
+ set_opt(sb, JOURNAL_DATA);
+ else if ((def_mount_opts & EXT4_DEFM_JMODE) == EXT4_DEFM_JMODE_ORDERED)
--- /dev/null
+From d6320cbfc92910a3e5f10c42d98c231c98db4f60 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 1 Oct 2014 21:49:46 -0400
+Subject: ext4: fix mmap data corruption when blocksize < pagesize
+
+From: Jan Kara <jack@suse.cz>
+
+commit d6320cbfc92910a3e5f10c42d98c231c98db4f60 upstream.
+
+Use truncate_isize_extended() when hole is being created in a file so that
+->page_mkwrite() will get called for the partial tail page if it is
+mmaped (see the first patch in the series for details).
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4536,8 +4536,12 @@ int ext4_setattr(struct dentry *dentry,
+ ext4_orphan_del(NULL, inode);
+ goto err_out;
+ }
+- } else
++ } else {
++ loff_t oldsize = inode->i_size;
++
+ i_size_write(inode, attr->ia_size);
++ pagecache_isize_extended(inode, oldsize, inode->i_size);
++ }
+
+ /*
+ * Blocks are going to be removed from the inode. Wait
--- /dev/null
+From 599a9b77ab289d85c2d5c8607624efbe1f552b0f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 30 Oct 2014 10:53:16 -0400
+Subject: ext4: fix oops when loading block bitmap failed
+
+From: Jan Kara <jack@suse.cz>
+
+commit 599a9b77ab289d85c2d5c8607624efbe1f552b0f upstream.
+
+When we fail to load block bitmap in __ext4_new_inode() we will
+dereference NULL pointer in ext4_journal_get_write_access(). So check
+for error from ext4_read_block_bitmap().
+
+Coverity-id: 989065
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ialloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -887,6 +887,10 @@ got:
+ struct buffer_head *block_bitmap_bh;
+
+ block_bitmap_bh = ext4_read_block_bitmap(sb, group);
++ if (!block_bitmap_bh) {
++ err = -EIO;
++ goto out;
++ }
+ BUFFER_TRACE(block_bitmap_bh, "get block bitmap access");
+ err = ext4_journal_get_write_access(handle, block_bitmap_bh);
+ if (err) {
--- /dev/null
+From 9378c6768e4fca48971e7b6a9075bc006eda981d Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 30 Oct 2014 10:52:57 -0400
+Subject: ext4: fix overflow when updating superblock backups after resize
+
+From: Jan Kara <jack@suse.cz>
+
+commit 9378c6768e4fca48971e7b6a9075bc006eda981d upstream.
+
+When there are no meta block groups update_backups() will compute the
+backup block in 32-bit arithmetics thus possibly overflowing the block
+number and corrupting the filesystem. OTOH filesystems without meta
+block groups larger than 16 TB should be rare. Fix the problem by doing
+the counting in 64-bit arithmetics.
+
+Coverity-id: 741252
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1081,7 +1081,7 @@ static void update_backups(struct super_
+ break;
+
+ if (meta_bg == 0)
+- backup_block = group * bpg + blk_off;
++ backup_block = ((ext4_fsblk_t)group) * bpg + blk_off;
+ else
+ backup_block = (ext4_group_first_block_no(sb, group) +
+ ext4_bg_has_super(sb, group));
--- /dev/null
+From 0ff8947fc5f700172b37cbca811a38eb9cb81e08 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 11 Oct 2014 19:51:17 -0400
+Subject: ext4: fix reservation overflow in ext4_da_write_begin
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit 0ff8947fc5f700172b37cbca811a38eb9cb81e08 upstream.
+
+Delalloc write journal reservations only reserve 1 credit,
+to update the inode if necessary. However, it may happen
+once in a filesystem's lifetime that a file will cross
+the 2G threshold, and require the LARGE_FILE feature to
+be set in the superblock as well, if it was not set already.
+
+This overruns the transaction reservation, and can be
+demonstrated simply on any ext4 filesystem without the LARGE_FILE
+feature already set:
+
+dd if=/dev/zero of=testfile bs=1 seek=2147483646 count=1 \
+ conv=notrunc of=testfile
+sync
+dd if=/dev/zero of=testfile bs=1 seek=2147483647 count=1 \
+ conv=notrunc of=testfile
+
+leads to:
+
+EXT4-fs: ext4_do_update_inode:4296: aborting transaction: error 28 in __ext4_handle_dirty_super
+EXT4-fs error (device loop0) in ext4_do_update_inode:4301: error 28
+EXT4-fs error (device loop0) in ext4_reserve_inode_write:4757: Readonly filesystem
+EXT4-fs error (device loop0) in ext4_dirty_inode:4876: error 28
+EXT4-fs error (device loop0) in ext4_da_write_end:2685: error 28
+
+Adjust the number of credits based on whether the flag is
+already set, and whether the current write may extend past the
+LARGE_FILE limit.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2514,6 +2514,20 @@ static int ext4_nonda_switch(struct supe
+ return 0;
+ }
+
++/* We always reserve for an inode update; the superblock could be there too */
++static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len)
++{
++ if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
++ EXT4_FEATURE_RO_COMPAT_LARGE_FILE)))
++ return 1;
++
++ if (pos + len <= 0x7fffffffULL)
++ return 1;
++
++ /* We might need to update the superblock to set LARGE_FILE */
++ return 2;
++}
++
+ static int ext4_da_write_begin(struct file *file, struct address_space *mapping,
+ loff_t pos, unsigned len, unsigned flags,
+ struct page **pagep, void **fsdata)
+@@ -2564,7 +2578,8 @@ retry_grab:
+ * of file which has an already mapped buffer.
+ */
+ retry_journal:
+- handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, 1);
++ handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE,
++ ext4_da_write_credits(inode, pos, len));
+ if (IS_ERR(handle)) {
+ page_cache_release(page);
+ return PTR_ERR(handle);
--- /dev/null
+From 3e67cfad22230ebed85c56cbe413876f33fea82b Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Fri, 3 Oct 2014 12:47:23 -0400
+Subject: ext4: grab missed write_count for EXT4_IOC_SWAP_BOOT
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit 3e67cfad22230ebed85c56cbe413876f33fea82b upstream.
+
+Otherwise this provokes complain like follows:
+WARNING: CPU: 12 PID: 5795 at fs/ext4/ext4_jbd2.c:48 ext4_journal_check_start+0x4e/0xa0()
+Modules linked in: brd iTCO_wdt lpc_ich mfd_core igb ptp dm_mirror dm_region_hash dm_log dm_mod
+CPU: 12 PID: 5795 Comm: python Not tainted 3.17.0-rc2-00175-gae5344f #158
+Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011
+ 0000000000000030 ffff8808116cfd28 ffffffff815c7dfc 0000000000000030
+ 0000000000000000 ffff8808116cfd68 ffffffff8106ce8c ffff8808116cfdc8
+ ffff880813b16000 ffff880806ad6ae8 ffffffff81202008 0000000000000000
+Call Trace:
+ [<ffffffff815c7dfc>] dump_stack+0x51/0x6d
+ [<ffffffff8106ce8c>] warn_slowpath_common+0x8c/0xc0
+ [<ffffffff81202008>] ? ext4_ioctl+0x9e8/0xeb0
+ [<ffffffff8106ceda>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff8122867e>] ext4_journal_check_start+0x4e/0xa0
+ [<ffffffff81228c10>] __ext4_journal_start_sb+0x90/0x110
+ [<ffffffff81202008>] ext4_ioctl+0x9e8/0xeb0
+ [<ffffffff8107b0bd>] ? ptrace_stop+0x24d/0x2f0
+ [<ffffffff81088530>] ? alloc_pid+0x480/0x480
+ [<ffffffff8107b1f2>] ? ptrace_do_notify+0x92/0xb0
+ [<ffffffff81186545>] do_vfs_ioctl+0x4e5/0x550
+ [<ffffffff815cdbcb>] ? _raw_spin_unlock_irq+0x2b/0x40
+ [<ffffffff81186603>] SyS_ioctl+0x53/0x80
+ [<ffffffff815ce2ce>] tracesys+0xd0/0xd5
+
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -532,9 +532,17 @@ group_add_out:
+ }
+
+ case EXT4_IOC_SWAP_BOOT:
++ {
++ int err;
+ if (!(filp->f_mode & FMODE_WRITE))
+ return -EBADF;
+- return swap_inode_boot_loader(sb, inode);
++ err = mnt_want_write_file(filp);
++ if (err)
++ return err;
++ err = swap_inode_boot_loader(sb, inode);
++ mnt_drop_write_file(filp);
++ return err;
++ }
+
+ case EXT4_IOC_RESIZE_FS: {
+ ext4_fsblk_t n_blocks_count;
--- /dev/null
+From aef4885ae14f1df75b58395c5314d71f613d26d9 Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Mon, 13 Oct 2014 03:42:12 -0400
+Subject: ext4: move error report out of atomic context in ext4_init_block_bitmap()
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit aef4885ae14f1df75b58395c5314d71f613d26d9 upstream.
+
+Error report likely result in IO so it is bad idea to do it from
+atomic context.
+
+This patch should fix following issue:
+
+BUG: sleeping function called from invalid context at include/linux/buffer_head.h:349
+in_atomic(): 1, irqs_disabled(): 0, pid: 137, name: kworker/u128:1
+5 locks held by kworker/u128:1/137:
+ #0: ("writeback"){......}, at: [<ffffffff81085618>] process_one_work+0x228/0x4d0
+ #1: ((&(&wb->dwork)->work)){......}, at: [<ffffffff81085618>] process_one_work+0x228/0x4d0
+ #2: (jbd2_handle){......}, at: [<ffffffff81242622>] start_this_handle+0x712/0x7b0
+ #3: (&ei->i_data_sem){......}, at: [<ffffffff811fa387>] ext4_map_blocks+0x297/0x430
+ #4: (&(&bgl->locks[i].lock)->rlock){......}, at: [<ffffffff811f3180>] ext4_read_block_bitmap_nowait+0x5d0/0x630
+CPU: 3 PID: 137 Comm: kworker/u128:1 Not tainted 3.17.0-rc2-00184-g82752e4 #165
+Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011
+Workqueue: writeback bdi_writeback_workfn (flush-1:0)
+ 0000000000000411 ffff880813777288 ffffffff815c7fdc ffff880813777288
+ ffff880813a8bba0 ffff8808137772a8 ffffffff8108fb30 ffff880803e01e38
+ ffff880803e01e38 ffff8808137772c8 ffffffff811a8d53 ffff88080ecc6000
+Call Trace:
+ [<ffffffff815c7fdc>] dump_stack+0x51/0x6d
+ [<ffffffff8108fb30>] __might_sleep+0xf0/0x100
+ [<ffffffff811a8d53>] __sync_dirty_buffer+0x43/0xe0
+ [<ffffffff811a8e03>] sync_dirty_buffer+0x13/0x20
+ [<ffffffff8120f581>] ext4_commit_super+0x1d1/0x230
+ [<ffffffff8120fa03>] save_error_info+0x23/0x30
+ [<ffffffff8120fd06>] __ext4_error+0xb6/0xd0
+ [<ffffffff8120f260>] ? ext4_group_desc_csum+0x140/0x190
+ [<ffffffff811f2d8c>] ext4_read_block_bitmap_nowait+0x1dc/0x630
+ [<ffffffff8122e23a>] ext4_mb_init_cache+0x21a/0x8f0
+ [<ffffffff8113ae95>] ? lru_cache_add+0x55/0x60
+ [<ffffffff8112e16c>] ? add_to_page_cache_lru+0x6c/0x80
+ [<ffffffff8122eaa0>] ext4_mb_init_group+0x190/0x280
+ [<ffffffff8122ec51>] ext4_mb_good_group+0xc1/0x190
+ [<ffffffff8123309a>] ext4_mb_regular_allocator+0x17a/0x410
+ [<ffffffff8122c821>] ? ext4_mb_use_preallocated+0x31/0x380
+ [<ffffffff81233535>] ? ext4_mb_new_blocks+0x205/0x8e0
+ [<ffffffff8116ed5c>] ? kmem_cache_alloc+0xfc/0x180
+ [<ffffffff812335b0>] ext4_mb_new_blocks+0x280/0x8e0
+ [<ffffffff8116f2c4>] ? __kmalloc+0x144/0x1c0
+ [<ffffffff81221797>] ? ext4_find_extent+0x97/0x320
+ [<ffffffff812257f4>] ext4_ext_map_blocks+0xbc4/0x1050
+ [<ffffffff811fa387>] ? ext4_map_blocks+0x297/0x430
+ [<ffffffff811fa3ab>] ext4_map_blocks+0x2bb/0x430
+ [<ffffffff81200e43>] ? ext4_init_io_end+0x23/0x50
+ [<ffffffff811feb44>] ext4_writepages+0x564/0xaf0
+ [<ffffffff815cde3b>] ? _raw_spin_unlock+0x2b/0x40
+ [<ffffffff810ac7bd>] ? lock_release_non_nested+0x2fd/0x3c0
+ [<ffffffff811a009e>] ? writeback_sb_inodes+0x10e/0x490
+ [<ffffffff811a009e>] ? writeback_sb_inodes+0x10e/0x490
+ [<ffffffff811377e3>] do_writepages+0x23/0x40
+ [<ffffffff8119c8ce>] __writeback_single_inode+0x9e/0x280
+ [<ffffffff811a026b>] writeback_sb_inodes+0x2db/0x490
+ [<ffffffff811a0664>] wb_writeback+0x174/0x2d0
+ [<ffffffff810ac359>] ? lock_release_holdtime+0x29/0x190
+ [<ffffffff811a0863>] wb_do_writeback+0xa3/0x200
+ [<ffffffff811a0a40>] bdi_writeback_workfn+0x80/0x230
+ [<ffffffff81085618>] ? process_one_work+0x228/0x4d0
+ [<ffffffff810856cd>] process_one_work+0x2dd/0x4d0
+ [<ffffffff81085618>] ? process_one_work+0x228/0x4d0
+ [<ffffffff81085c1d>] worker_thread+0x35d/0x460
+ [<ffffffff810858c0>] ? process_one_work+0x4d0/0x4d0
+ [<ffffffff810858c0>] ? process_one_work+0x4d0/0x4d0
+ [<ffffffff8108a885>] kthread+0xf5/0x100
+ [<ffffffff810990e5>] ? local_clock+0x25/0x30
+ [<ffffffff8108a790>] ? __init_kthread_worker+0x70/0x70
+ [<ffffffff815ce2ac>] ret_from_fork+0x7c/0xb0
+ [<ffffffff8108a790>] ? __init_kthread_work
+
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/balloc.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -176,7 +176,7 @@ static unsigned int num_clusters_in_grou
+ }
+
+ /* Initializes an uninitialized block bitmap */
+-static void ext4_init_block_bitmap(struct super_block *sb,
++static int ext4_init_block_bitmap(struct super_block *sb,
+ struct buffer_head *bh,
+ ext4_group_t block_group,
+ struct ext4_group_desc *gdp)
+@@ -192,7 +192,6 @@ static void ext4_init_block_bitmap(struc
+ /* If checksum is bad mark all blocks used to prevent allocation
+ * essentially implementing a per-group read-only flag. */
+ if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) {
+- ext4_error(sb, "Checksum bad for group %u", block_group);
+ grp = ext4_get_group_info(sb, block_group);
+ if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
+ percpu_counter_sub(&sbi->s_freeclusters_counter,
+@@ -205,7 +204,7 @@ static void ext4_init_block_bitmap(struc
+ count);
+ }
+ set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
+- return;
++ return -EIO;
+ }
+ memset(bh->b_data, 0, sb->s_blocksize);
+
+@@ -243,6 +242,7 @@ static void ext4_init_block_bitmap(struc
+ sb->s_blocksize * 8, bh->b_data);
+ ext4_block_bitmap_csum_set(sb, block_group, gdp, bh);
+ ext4_group_desc_csum_set(sb, block_group, gdp);
++ return 0;
+ }
+
+ /* Return the number of free blocks in a block group. It is used when
+@@ -438,11 +438,15 @@ ext4_read_block_bitmap_nowait(struct sup
+ }
+ ext4_lock_group(sb, block_group);
+ if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+- ext4_init_block_bitmap(sb, bh, block_group, desc);
++ int err;
++
++ err = ext4_init_block_bitmap(sb, bh, block_group, desc);
+ set_bitmap_uptodate(bh);
+ set_buffer_uptodate(bh);
+ ext4_unlock_group(sb, block_group);
+ unlock_buffer(bh);
++ if (err)
++ ext4_error(sb, "Checksum bad for grp %u", block_group);
+ return bh;
+ }
+ ext4_unlock_group(sb, block_group);
--- /dev/null
+From a41537e69b4aa43f0fea02498c2595a81267383b Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Thu, 30 Oct 2014 10:53:16 -0400
+Subject: ext4: prevent bugon on race between write/fcntl
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit a41537e69b4aa43f0fea02498c2595a81267383b upstream.
+
+O_DIRECT flags can be toggeled via fcntl(F_SETFL). But this value checked
+twice inside ext4_file_write_iter() and __generic_file_write() which
+result in BUG_ON inside ext4_direct_IO.
+
+Let's initialize iocb->private unconditionally.
+
+TESTCASE: xfstest:generic/036 https://patchwork.ozlabs.org/patch/402445/
+
+#TYPICAL STACK TRACE:
+kernel BUG at fs/ext4/inode.c:2960!
+invalid opcode: 0000 [#1] SMP
+Modules linked in: brd iTCO_wdt lpc_ich mfd_core igb ptp dm_mirror dm_region_hash dm_log dm_mod
+CPU: 6 PID: 5505 Comm: aio-dio-fcntl-r Not tainted 3.17.0-rc2-00176-gff5c017 #161
+Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011
+task: ffff88080e95a7c0 ti: ffff88080f908000 task.ti: ffff88080f908000
+RIP: 0010:[<ffffffff811fabf2>] [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
+RSP: 0018:ffff88080f90bb58 EFLAGS: 00010246
+RAX: 0000000000000400 RBX: ffff88080fdb2a28 RCX: 00000000a802c818
+RDX: 0000040000080000 RSI: ffff88080d8aeb80 RDI: 0000000000000001
+RBP: ffff88080f90bbc8 R08: 0000000000000000 R09: 0000000000001581
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff88080d8aeb80
+R13: ffff88080f90bbf8 R14: ffff88080fdb28c8 R15: ffff88080fdb2a28
+FS: 00007f23b2055700(0000) GS:ffff880818400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f23b2045000 CR3: 000000080cedf000 CR4: 00000000000407e0
+Stack:
+ ffff88080f90bb98 0000000000000000 7ffffffffffffffe ffff88080fdb2c30
+ 0000000000000200 0000000000000200 0000000000000001 0000000000000200
+ ffff88080f90bbc8 ffff88080fdb2c30 ffff88080f90be08 0000000000000200
+Call Trace:
+ [<ffffffff8112ca9d>] generic_file_direct_write+0xed/0x180
+ [<ffffffff8112f2b2>] __generic_file_write_iter+0x222/0x370
+ [<ffffffff811f495b>] ext4_file_write_iter+0x34b/0x400
+ [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
+ [<ffffffff811bd709>] ? aio_run_iocb+0x239/0x410
+ [<ffffffff810990e5>] ? local_clock+0x25/0x30
+ [<ffffffff810abd94>] ? __lock_acquire+0x274/0x700
+ [<ffffffff811f4610>] ? ext4_unwritten_wait+0xb0/0xb0
+ [<ffffffff811bd756>] aio_run_iocb+0x286/0x410
+ [<ffffffff810990e5>] ? local_clock+0x25/0x30
+ [<ffffffff810ac359>] ? lock_release_holdtime+0x29/0x190
+ [<ffffffff811bc05b>] ? lookup_ioctx+0x4b/0xf0
+ [<ffffffff811bde3b>] do_io_submit+0x55b/0x740
+ [<ffffffff811bdcaa>] ? do_io_submit+0x3ca/0x740
+ [<ffffffff811be030>] SyS_io_submit+0x10/0x20
+ [<ffffffff815ce192>] system_call_fastpath+0x16/0x1b
+Code: 01 48 8b 80 f0 01 00 00 48 8b 18 49 8b 45 10 0f 85 f1 01 00 00 48 03 45 c8 48 3b 43 48 0f 8f e3 01 00 00 49 83 7c
+24 18 00 75 04 <0f> 0b eb fe f0 ff 83 ec 01 00 00 49 8b 44 24 18 8b 00 85 c0 89
+RIP [<ffffffff811fabf2>] ext4_direct_IO+0x162/0x3d0
+ RSP <ffff88080f90bb58>
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -137,10 +137,10 @@ ext4_file_write_iter(struct kiocb *iocb,
+ iov_iter_truncate(from, sbi->s_bitmap_maxbytes - pos);
+ }
+
++ iocb->private = &overwrite;
+ if (o_direct) {
+ blk_start_plug(&plug);
+
+- iocb->private = &overwrite;
+
+ /* check whether we do a DIO overwrite or not */
+ if (ext4_should_dioread_nolock(inode) && !aio_mutex &&
--- /dev/null
+From 9aa5d32ba269bec0e7eaba2697a986a7b0bc8528 Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Mon, 13 Oct 2014 03:36:16 -0400
+Subject: ext4: Replace open coded mdata csum feature to helper function
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit 9aa5d32ba269bec0e7eaba2697a986a7b0bc8528 upstream.
+
+Besides the fact that this replacement improves code readability
+it also protects from errors caused direct EXT4_S(sb)->s_es manipulation
+which may result attempt to use uninitialized csum machinery.
+
+#Testcase_BEGIN
+IMG=/dev/ram0
+MNT=/mnt
+mkfs.ext4 $IMG
+mount $IMG $MNT
+#Enable feature directly on disk, on mounted fs
+tune2fs -O metadata_csum $IMG
+# Provoke metadata update, likey result in OOPS
+touch $MNT/test
+umount $MNT
+#Testcase_END
+
+# Replacement script
+@@
+expression E;
+@@
+- EXT4_HAS_RO_COMPAT_FEATURE(E, EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)
++ ext4_has_metadata_csum(E)
+
+https://bugzilla.kernel.org/show_bug.cgi?id=82201
+
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/bitmap.c | 12 ++++--------
+ fs/ext4/ext4.h | 8 ++++++++
+ fs/ext4/extents.c | 6 ++----
+ fs/ext4/ialloc.c | 3 +--
+ fs/ext4/inline.c | 3 +--
+ fs/ext4/inode.c | 9 +++------
+ fs/ext4/ioctl.c | 3 +--
+ fs/ext4/mmp.c | 6 ++----
+ fs/ext4/namei.c | 39 +++++++++++++--------------------------
+ fs/ext4/resize.c | 3 +--
+ fs/ext4/super.c | 15 +++++----------
+ fs/ext4/xattr.c | 6 ++----
+ 12 files changed, 43 insertions(+), 70 deletions(-)
+
+--- a/fs/ext4/bitmap.c
++++ b/fs/ext4/bitmap.c
+@@ -24,8 +24,7 @@ int ext4_inode_bitmap_csum_verify(struct
+ __u32 provided, calculated;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return 1;
+
+ provided = le16_to_cpu(gdp->bg_inode_bitmap_csum_lo);
+@@ -46,8 +45,7 @@ void ext4_inode_bitmap_csum_set(struct s
+ __u32 csum;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return;
+
+ csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)bh->b_data, sz);
+@@ -65,8 +63,7 @@ int ext4_block_bitmap_csum_verify(struct
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ int sz = EXT4_CLUSTERS_PER_GROUP(sb) / 8;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return 1;
+
+ provided = le16_to_cpu(gdp->bg_block_bitmap_csum_lo);
+@@ -91,8 +88,7 @@ void ext4_block_bitmap_csum_set(struct s
+ __u32 csum;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return;
+
+ csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)bh->b_data, sz);
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -2337,6 +2337,14 @@ static inline int ext4_has_group_desc_cs
+ EXT4_FEATURE_RO_COMPAT_METADATA_CSUM);
+ }
+
++static inline int ext4_has_metadata_csum(struct super_block *sb)
++{
++ WARN_ON_ONCE(EXT4_HAS_RO_COMPAT_FEATURE(sb,
++ EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) &&
++ !EXT4_SB(sb)->s_chksum_driver);
++
++ return (EXT4_SB(sb)->s_chksum_driver != NULL);
++}
+ static inline ext4_fsblk_t ext4_blocks_count(struct ext4_super_block *es)
+ {
+ return ((ext4_fsblk_t)le32_to_cpu(es->s_blocks_count_hi) << 32) |
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -73,8 +73,7 @@ static int ext4_extent_block_csum_verify
+ {
+ struct ext4_extent_tail *et;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return 1;
+
+ et = find_ext4_extent_tail(eh);
+@@ -88,8 +87,7 @@ static void ext4_extent_block_csum_set(s
+ {
+ struct ext4_extent_tail *et;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return;
+
+ et = find_ext4_extent_tail(eh);
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1011,8 +1011,7 @@ got:
+ spin_unlock(&sbi->s_next_gen_lock);
+
+ /* Precompute checksum seed for inode metadata */
+- if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) {
++ if (ext4_has_metadata_csum(sb)) {
+ __u32 csum;
+ __le32 inum = cpu_to_le32(inode->i_ino);
+ __le32 gen = cpu_to_le32(inode->i_generation);
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1126,8 +1126,7 @@ static int ext4_finish_convert_inline_di
+ memcpy((void *)de, buf + EXT4_INLINE_DOTDOT_SIZE,
+ inline_size - EXT4_INLINE_DOTDOT_SIZE);
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(inode->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ inode->i_size = inode->i_sb->s_blocksize;
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -83,8 +83,7 @@ static int ext4_inode_csum_verify(struct
+
+ if (EXT4_SB(inode->i_sb)->s_es->s_creator_os !=
+ cpu_to_le32(EXT4_OS_LINUX) ||
+- !EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ !ext4_has_metadata_csum(inode->i_sb))
+ return 1;
+
+ provided = le16_to_cpu(raw->i_checksum_lo);
+@@ -105,8 +104,7 @@ static void ext4_inode_csum_set(struct i
+
+ if (EXT4_SB(inode->i_sb)->s_es->s_creator_os !=
+ cpu_to_le32(EXT4_OS_LINUX) ||
+- !EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ !ext4_has_metadata_csum(inode->i_sb))
+ return;
+
+ csum = ext4_inode_csum(inode, raw, ei);
+@@ -3950,8 +3948,7 @@ struct inode *ext4_iget(struct super_blo
+ ei->i_extra_isize = 0;
+
+ /* Precompute checksum seed for inode metadata */
+- if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) {
++ if (ext4_has_metadata_csum(sb)) {
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ __u32 csum;
+ __le32 inum = cpu_to_le32(inode->i_ino);
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -331,8 +331,7 @@ flags_out:
+ if (!inode_owner_or_capable(inode))
+ return -EPERM;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) {
++ if (ext4_has_metadata_csum(inode->i_sb)) {
+ ext4_warning(sb, "Setting inode version is not "
+ "supported with metadata_csum enabled.");
+ return -ENOTTY;
+--- a/fs/ext4/mmp.c
++++ b/fs/ext4/mmp.c
+@@ -20,8 +20,7 @@ static __le32 ext4_mmp_csum(struct super
+
+ static int ext4_mmp_csum_verify(struct super_block *sb, struct mmp_struct *mmp)
+ {
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return 1;
+
+ return mmp->mmp_checksum == ext4_mmp_csum(sb, mmp);
+@@ -29,8 +28,7 @@ static int ext4_mmp_csum_verify(struct s
+
+ static void ext4_mmp_csum_set(struct super_block *sb, struct mmp_struct *mmp)
+ {
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return;
+
+ mmp->mmp_checksum = ext4_mmp_csum(sb, mmp);
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -124,8 +124,7 @@ static struct buffer_head *__ext4_read_d
+ "directory leaf block found instead of index block");
+ return ERR_PTR(-EIO);
+ }
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) ||
++ if (!ext4_has_metadata_csum(inode->i_sb) ||
+ buffer_verified(bh))
+ return bh;
+
+@@ -340,8 +339,7 @@ int ext4_dirent_csum_verify(struct inode
+ {
+ struct ext4_dir_entry_tail *t;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return 1;
+
+ t = get_dirent_tail(inode, dirent);
+@@ -362,8 +360,7 @@ static void ext4_dirent_csum_set(struct
+ {
+ struct ext4_dir_entry_tail *t;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return;
+
+ t = get_dirent_tail(inode, dirent);
+@@ -438,8 +435,7 @@ static int ext4_dx_csum_verify(struct in
+ struct dx_tail *t;
+ int count_offset, limit, count;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return 1;
+
+ c = get_dx_countlimit(inode, dirent, &count_offset);
+@@ -468,8 +464,7 @@ static void ext4_dx_csum_set(struct inod
+ struct dx_tail *t;
+ int count_offset, limit, count;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return;
+
+ c = get_dx_countlimit(inode, dirent, &count_offset);
+@@ -557,8 +552,7 @@ static inline unsigned dx_root_limit(str
+ unsigned entry_space = dir->i_sb->s_blocksize - EXT4_DIR_REC_LEN(1) -
+ EXT4_DIR_REC_LEN(2) - infosize;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(dir->i_sb))
+ entry_space -= sizeof(struct dx_tail);
+ return entry_space / sizeof(struct dx_entry);
+ }
+@@ -567,8 +561,7 @@ static inline unsigned dx_node_limit(str
+ {
+ unsigned entry_space = dir->i_sb->s_blocksize - EXT4_DIR_REC_LEN(0);
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(dir->i_sb))
+ entry_space -= sizeof(struct dx_tail);
+ return entry_space / sizeof(struct dx_entry);
+ }
+@@ -1548,8 +1541,7 @@ static struct ext4_dir_entry_2 *do_split
+ int csum_size = 0;
+ int err = 0, i;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(dir->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ bh2 = ext4_append(handle, dir, &newblock);
+@@ -1718,8 +1710,7 @@ static int add_dirent_to_buf(handle_t *h
+ int csum_size = 0;
+ int err;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(inode->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ if (!de) {
+@@ -1786,8 +1777,7 @@ static int make_indexed_dir(handle_t *ha
+ struct fake_dirent *fde;
+ int csum_size = 0;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(inode->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ blocksize = dir->i_sb->s_blocksize;
+@@ -1904,8 +1894,7 @@ static int ext4_add_entry(handle_t *hand
+ ext4_lblk_t block, blocks;
+ int csum_size = 0;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(inode->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ sb = dir->i_sb;
+@@ -2167,8 +2156,7 @@ static int ext4_delete_entry(handle_t *h
+ return err;
+ }
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(dir->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ BUFFER_TRACE(bh, "get_write_access");
+@@ -2387,8 +2375,7 @@ static int ext4_init_new_dir(handle_t *h
+ int csum_size = 0;
+ int err;
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(dir->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(dir->i_sb))
+ csum_size = sizeof(struct ext4_dir_entry_tail);
+
+ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1212,8 +1212,7 @@ static int ext4_set_bitmap_checksums(str
+ {
+ struct buffer_head *bh;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return 0;
+
+ bh = ext4_get_bitmap(sb, group_data->inode_bitmap);
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -141,8 +141,7 @@ static __le32 ext4_superblock_csum(struc
+ static int ext4_superblock_csum_verify(struct super_block *sb,
+ struct ext4_super_block *es)
+ {
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return 1;
+
+ return es->s_checksum == ext4_superblock_csum(sb, es);
+@@ -152,8 +151,7 @@ void ext4_superblock_csum_set(struct sup
+ {
+ struct ext4_super_block *es = EXT4_SB(sb)->s_es;
+
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(sb))
+ return;
+
+ es->s_checksum = ext4_superblock_csum(sb, es);
+@@ -2009,8 +2007,7 @@ static __le16 ext4_group_desc_csum(struc
+ __u16 crc = 0;
+ __le32 le_group = cpu_to_le32(block_group);
+
+- if ((sbi->s_es->s_feature_ro_compat &
+- cpu_to_le32(EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))) {
++ if (ext4_has_metadata_csum(sbi->s_sb)) {
+ /* Use new metadata_csum algorithm */
+ __le16 save_csum;
+ __u32 csum32;
+@@ -3172,8 +3169,7 @@ static int set_journal_csum_feature_set(
+ int compat, incompat;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+- if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM)) {
++ if (ext4_has_metadata_csum(sb)) {
+ /* journal checksum v3 */
+ compat = 0;
+ incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3;
+@@ -3480,8 +3476,7 @@ static int ext4_fill_super(struct super_
+ }
+
+ /* Precompute checksum seed for all metadata */
+- if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (ext4_has_metadata_csum(sb))
+ sbi->s_csum_seed = ext4_chksum(sbi, ~0, es->s_uuid,
+ sizeof(es->s_uuid));
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -142,8 +142,7 @@ static int ext4_xattr_block_csum_verify(
+ sector_t block_nr,
+ struct ext4_xattr_header *hdr)
+ {
+- if (EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) &&
++ if (ext4_has_metadata_csum(inode->i_sb) &&
+ (hdr->h_checksum != ext4_xattr_block_csum(inode, block_nr, hdr)))
+ return 0;
+ return 1;
+@@ -153,8 +152,7 @@ static void ext4_xattr_block_csum_set(st
+ sector_t block_nr,
+ struct ext4_xattr_header *hdr)
+ {
+- if (!EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
+- EXT4_FEATURE_RO_COMPAT_METADATA_CSUM))
++ if (!ext4_has_metadata_csum(inode->i_sb))
+ return;
+
+ hdr->h_checksum = ext4_xattr_block_csum(inode, block_nr, hdr);
--- /dev/null
+From 30a6b8031fe14031ab27c1fa3483cb9780e7f63c Mon Sep 17 00:00:00 2001
+From: Brian Silverman <bsilver16384@gmail.com>
+Date: Sat, 25 Oct 2014 20:20:37 -0400
+Subject: futex: Fix a race condition between REQUEUE_PI and task death
+
+From: Brian Silverman <bsilver16384@gmail.com>
+
+commit 30a6b8031fe14031ab27c1fa3483cb9780e7f63c upstream.
+
+free_pi_state and exit_pi_state_list both clean up futex_pi_state's.
+exit_pi_state_list takes the hb lock first, and most callers of
+free_pi_state do too. requeue_pi doesn't, which means free_pi_state
+can free the pi_state out from under exit_pi_state_list. For example:
+
+task A | task B
+exit_pi_state_list |
+ pi_state = |
+ curr->pi_state_list->next |
+ | futex_requeue(requeue_pi=1)
+ | // pi_state is the same as
+ | // the one in task A
+ | free_pi_state(pi_state)
+ | list_del_init(&pi_state->list)
+ | kfree(pi_state)
+ list_del_init(&pi_state->list) |
+
+Move the free_pi_state calls in requeue_pi to before it drops the hb
+locks which it's already holding.
+
+[ tglx: Removed a pointless free_pi_state() call and the hb->lock held
+ debugging. The latter comes via a seperate patch ]
+
+Signed-off-by: Brian Silverman <bsilver16384@gmail.com>
+Cc: austin.linux@gmail.com
+Cc: darren@dvhart.com
+Cc: peterz@infradead.org
+Link: http://lkml.kernel.org/r/1414282837-23092-1-git-send-email-bsilver16384@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -641,8 +641,14 @@ static struct futex_pi_state * alloc_pi_
+ return pi_state;
+ }
+
++/*
++ * Must be called with the hb lock held.
++ */
+ static void free_pi_state(struct futex_pi_state *pi_state)
+ {
++ if (!pi_state)
++ return;
++
+ if (!atomic_dec_and_test(&pi_state->refcount))
+ return;
+
+@@ -1521,15 +1527,6 @@ static int futex_requeue(u32 __user *uad
+ }
+
+ retry:
+- if (pi_state != NULL) {
+- /*
+- * We will have to lookup the pi_state again, so free this one
+- * to keep the accounting correct.
+- */
+- free_pi_state(pi_state);
+- pi_state = NULL;
+- }
+-
+ ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+ if (unlikely(ret != 0))
+ goto out;
+@@ -1619,6 +1616,8 @@ retry_private:
+ case 0:
+ break;
+ case -EFAULT:
++ free_pi_state(pi_state);
++ pi_state = NULL;
+ double_unlock_hb(hb1, hb2);
+ hb_waiters_dec(hb2);
+ put_futex_key(&key2);
+@@ -1634,6 +1633,8 @@ retry_private:
+ * exit to complete.
+ * - The user space value changed.
+ */
++ free_pi_state(pi_state);
++ pi_state = NULL;
+ double_unlock_hb(hb1, hb2);
+ hb_waiters_dec(hb2);
+ put_futex_key(&key2);
+@@ -1710,6 +1711,7 @@ retry_private:
+ }
+
+ out_unlock:
++ free_pi_state(pi_state);
+ double_unlock_hb(hb1, hb2);
+ hb_waiters_dec(hb2);
+
+@@ -1727,8 +1729,6 @@ out_put_keys:
+ out_put_key1:
+ put_futex_key(&key1);
+ out:
+- if (pi_state != NULL)
+- free_pi_state(pi_state);
+ return ret ? ret : task_count;
+ }
+
--- /dev/null
+From 064d83892e9ba547f7d4eae22cbca066d95210ce Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 16 Sep 2014 14:43:09 -0400
+Subject: jbd2: free bh when descriptor block checksum fails
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 064d83892e9ba547f7d4eae22cbca066d95210ce upstream.
+
+Free the buffer head if the journal descriptor block fails checksum
+verification.
+
+This is the jbd2 port of the e2fsprogs patch "e2fsck: free bh on csum
+verify error in do_one_pass".
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/recovery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/recovery.c
++++ b/fs/jbd2/recovery.c
+@@ -525,6 +525,7 @@ static int do_one_pass(journal_t *journa
+ !jbd2_descr_block_csum_verify(journal,
+ bh->b_data)) {
+ err = -EIO;
++ brelse(bh);
+ goto failed;
+ }
+
--- /dev/null
+From c572aaf46f71f63ae5914d4e194a955e0ba1b519 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+Date: Thu, 16 Oct 2014 11:39:44 +0200
+Subject: qxl: don't create too large primary surface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+
+commit c572aaf46f71f63ae5914d4e194a955e0ba1b519 upstream.
+
+Limit primary to qemu vgamem size, to avoid reaching
+qemu guest bug "requested primary larger than framebuffer"
+on resizing screen too large to fit.
+
+Remove unneeded and misleading variables.
+
+Related to:
+https://bugzilla.redhat.com/show_bug.cgi?id=1127552
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_display.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -523,7 +523,6 @@ static int qxl_crtc_mode_set(struct drm_
+ struct qxl_framebuffer *qfb;
+ struct qxl_bo *bo, *old_bo = NULL;
+ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc);
+- uint32_t width, height, base_offset;
+ bool recreate_primary = false;
+ int ret;
+ int surf_id;
+@@ -553,9 +552,10 @@ static int qxl_crtc_mode_set(struct drm_
+ if (qcrtc->index == 0)
+ recreate_primary = true;
+
+- width = mode->hdisplay;
+- height = mode->vdisplay;
+- base_offset = 0;
++ if (bo->surf.stride * bo->surf.height > qdev->vram_size) {
++ DRM_ERROR("Mode doesn't fit in vram size (vgamem)");
++ return -EINVAL;
++ }
+
+ ret = qxl_bo_reserve(bo, false);
+ if (ret != 0)
+@@ -569,10 +569,10 @@ static int qxl_crtc_mode_set(struct drm_
+ if (recreate_primary) {
+ qxl_io_destroy_primary(qdev);
+ qxl_io_log(qdev,
+- "recreate primary: %dx%d (was %dx%d,%d,%d)\n",
+- width, height, bo->surf.width,
+- bo->surf.height, bo->surf.stride, bo->surf.format);
+- qxl_io_create_primary(qdev, base_offset, bo);
++ "recreate primary: %dx%d,%d,%d\n",
++ bo->surf.width, bo->surf.height,
++ bo->surf.stride, bo->surf.format);
++ qxl_io_create_primary(qdev, 0, bo);
+ bo->is_primary = true;
+ }
+
mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch
mips-ftrace-fix-a-micromips-build-problem.patch
mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
+qxl-don-t-create-too-large-primary-surface.patch
+jbd2-free-bh-when-descriptor-block-checksum-fails.patch
+ext4-check-ea-value-offset-when-loading.patch
+ext4-don-t-check-quota-format-when-there-are-no-quota-files.patch
+ext4-fix-mmap-data-corruption-when-blocksize-pagesize.patch
+ext4-grab-missed-write_count-for-ext4_ioc_swap_boot.patch
+ext4-add-ext4_iget_normal-which-is-to-be-used-for-dir-tree-lookups.patch
+ext4-don-t-orphan-or-truncate-the-boot-loader-inode.patch
+ext4-fix-reservation-overflow-in-ext4_da_write_begin.patch
+ext4-replace-open-coded-mdata-csum-feature-to-helper-function.patch
+ext4-move-error-report-out-of-atomic-context-in-ext4_init_block_bitmap.patch
+ext4-check-s_chksum_driver-when-looking-for-bg-csum-presence.patch
+ext4-fix-oops-when-loading-block-bitmap-failed.patch
+ext4-fix-overflow-when-updating-superblock-backups-after-resize.patch
+ext4-enable-journal-checksum-when-metadata-checksum-feature-enabled.patch
+ext4-prevent-bugon-on-race-between-write-fcntl.patch
+futex-fix-a-race-condition-between-requeue_pi-and-task-death.patch
+drm-nouveau-fix-regression-on-agp-boards.patch
+drm-i915-intel_backlight-scale-math-wa.patch
+drm-i915-properly-reenable-gen8-pipe-irqs.patch
+drm-radeon-fix-speaker-allocation-setup.patch
+drm-radeon-use-gart-memory-for-dma-ring-tests.patch
+drm-radeon-fix-vm-page-table-block-size-calculation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
