--- /dev/null
+From 674a2b27234d1b7afcb0a9162e81b2e53aeef217 Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Sat, 23 Mar 2019 11:43:05 -0400
+Subject: ext4: brelse all indirect buffer in ext4_ind_remove_space()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+commit 674a2b27234d1b7afcb0a9162e81b2e53aeef217 upstream.
+
+All indirect buffers get by ext4_find_shared() should be released no
+mater the branch should be freed or not. But now, we forget to release
+the lower depth indirect buffers when removing space from the same
+higher depth indirect block. It will lead to buffer leak and futher
+more, it may lead to quota information corruption when using old quota,
+consider the following case.
+
+ - Create and mount an empty ext4 filesystem without extent and quota
+ features,
+ - quotacheck and enable the user & group quota,
+ - Create some files and write some data to them, and then punch hole
+ to some files of them, it may trigger the buffer leak problem
+ mentioned above.
+ - Disable quota and run quotacheck again, it will create two new
+ aquota files and write the checked quota information to them, which
+ probably may reuse the freed indirect block(the buffer and page
+ cache was not freed) as data block.
+ - Enable quota again, it will invoke
+ vfs_load_quota_inode()->invalidate_bdev() to try to clean unused
+ buffers and pagecache. Unfortunately, because of the buffer of quota
+ data block is still referenced, quota code cannot read the up to date
+ quota info from the device and lead to quota information corruption.
+
+This problem can be reproduced by xfstests generic/231 on ext3 file
+system or ext4 file system without extent and quota features.
+
+This patch fix this problem by releasing the missing indirect buffers,
+in ext4_ind_remove_space().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/indirect.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -1387,10 +1387,14 @@ end_range:
+ partial->p + 1,
+ partial2->p,
+ (chain+n-1) - partial);
+- BUFFER_TRACE(partial->bh, "call brelse");
+- brelse(partial->bh);
+- BUFFER_TRACE(partial2->bh, "call brelse");
+- brelse(partial2->bh);
++ while (partial > chain) {
++ BUFFER_TRACE(partial->bh, "call brelse");
++ brelse(partial->bh);
++ }
++ while (partial2 > chain2) {
++ BUFFER_TRACE(partial2->bh, "call brelse");
++ brelse(partial2->bh);
++ }
+ return 0;
+ }
+
--- /dev/null
+From 372a03e01853f860560eade508794dd274e9b390 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Thu, 14 Mar 2019 23:20:25 -0400
+Subject: ext4: fix data corruption caused by unaligned direct AIO
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 372a03e01853f860560eade508794dd274e9b390 upstream.
+
+Ext4 needs to serialize unaligned direct AIO because the zeroing of
+partial blocks of two competing unaligned AIOs can result in data
+corruption.
+
+However it decides not to serialize if the potentially unaligned aio is
+past i_size with the rationale that no pending writes are possible past
+i_size. Unfortunately if the i_size is not block aligned and the second
+unaligned write lands past i_size, but still into the same block, it has
+the potential of corrupting the previous unaligned write to the same
+block.
+
+This is (very simplified) reproducer from Frank
+
+ // 41472 = (10 * 4096) + 512
+ // 37376 = 41472 - 4096
+
+ ftruncate(fd, 41472);
+ io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376);
+ io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472);
+
+ io_submit(io_ctx, 1, &iocbs[1]);
+ io_submit(io_ctx, 1, &iocbs[2]);
+
+ io_getevents(io_ctx, 2, 2, events, NULL);
+
+Without this patch the 512B range from 40960 up to the start of the
+second unaligned write (41472) is going to be zeroed overwriting the data
+written by the first write. This is a data corruption.
+
+00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
+*
+0000a000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
+
+With this patch the data corruption is avoided because we will recognize
+the unaligned_aio and wait for the unwritten extent conversion.
+
+00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
+*
+0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
+*
+0000b200
+
+Reported-by: Frank Sorenson <fsorenso@redhat.com>
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -125,7 +125,7 @@ ext4_unaligned_aio(struct inode *inode,
+ struct super_block *sb = inode->i_sb;
+ int blockmask = sb->s_blocksize - 1;
+
+- if (pos >= i_size_read(inode))
++ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
+ return 0;
+
+ if ((pos | iov_iter_alignment(from)) & blockmask)
--- /dev/null
+From fa30dde38aa8628c73a6dded7cb0bba38c27b576 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Thu, 14 Mar 2019 23:19:22 -0400
+Subject: ext4: fix NULL pointer dereference while journal is aborted
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+commit fa30dde38aa8628c73a6dded7cb0bba38c27b576 upstream.
+
+We see the following NULL pointer dereference while running xfstests
+generic/475:
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+PGD 8000000c84bad067 P4D 8000000c84bad067 PUD c84e62067 PMD 0
+Oops: 0000 [#1] SMP PTI
+CPU: 7 PID: 9886 Comm: fsstress Kdump: loaded Not tainted 5.0.0-rc8 #10
+RIP: 0010:ext4_do_update_inode+0x4ec/0x760
+...
+Call Trace:
+? jbd2_journal_get_write_access+0x42/0x50
+? __ext4_journal_get_write_access+0x2c/0x70
+? ext4_truncate+0x186/0x3f0
+ext4_mark_iloc_dirty+0x61/0x80
+ext4_mark_inode_dirty+0x62/0x1b0
+ext4_truncate+0x186/0x3f0
+? unmap_mapping_pages+0x56/0x100
+ext4_setattr+0x817/0x8b0
+notify_change+0x1df/0x430
+do_truncate+0x5e/0x90
+? generic_permission+0x12b/0x1a0
+
+This is triggered because the NULL pointer handle->h_transaction was
+dereferenced in function ext4_update_inode_fsync_trans().
+I found that the h_transaction was set to NULL in jbd2__journal_restart
+but failed to attached to a new transaction while the journal is aborted.
+
+Fix this by checking the handle before updating the inode.
+
+Fixes: b436b9bef84d ("ext4: Wait for proper transaction commit on fsync")
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_jbd2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/ext4_jbd2.h
++++ b/fs/ext4/ext4_jbd2.h
+@@ -384,7 +384,7 @@ static inline void ext4_update_inode_fsy
+ {
+ struct ext4_inode_info *ei = EXT4_I(inode);
+
+- if (ext4_handle_valid(handle)) {
++ if (ext4_handle_valid(handle) && !is_handle_aborted(handle)) {
+ ei->i_sync_tid = handle->h_transaction->t_tid;
+ if (datasync)
+ ei->i_datasync_tid = handle->h_transaction->t_tid;
+++ /dev/null
-From 8bc086899816214fbc6047c9c7e15fcab49552bf Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 17 Mar 2019 01:17:56 +0000
-Subject: powerpc/mm: Only define MAX_PHYSMEM_BITS in SPARSEMEM configurations
-
-From: Ben Hutchings <ben@decadent.org.uk>
-
-commit 8bc086899816214fbc6047c9c7e15fcab49552bf upstream.
-
-MAX_PHYSMEM_BITS only needs to be defined if CONFIG_SPARSEMEM is
-enabled, and that was the case before commit 4ffe713b7587
-("powerpc/mm: Increase the max addressable memory to 2PB").
-
-On 32-bit systems, where CONFIG_SPARSEMEM is not enabled, we now
-define it as 46. That is larger than the real number of physical
-address bits, and breaks calculations in zsmalloc:
-
- mm/zsmalloc.c:130:49: warning: right shift count is negative
- MAX(32, (ZS_MAX_PAGES_PER_ZSPAGE << PAGE_SHIFT >> OBJ_INDEX_BITS))
- ^~
- ...
- mm/zsmalloc.c:253:21: error: variably modified 'size_class' at file scope
- struct size_class *size_class[ZS_SIZE_CLASSES];
- ^~~~~~~~~~
-
-Fixes: 4ffe713b7587 ("powerpc/mm: Increase the max addressable memory to 2PB")
-Cc: stable@vger.kernel.org # v4.20+
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/powerpc/include/asm/mmu.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/powerpc/include/asm/mmu.h
-+++ b/arch/powerpc/include/asm/mmu.h
-@@ -341,7 +341,7 @@ static inline u16 get_mm_addr_key(struct
- #if defined(CONFIG_SPARSEMEM_VMEMMAP) && defined(CONFIG_SPARSEMEM_EXTREME) && \
- defined (CONFIG_PPC_64K_PAGES)
- #define MAX_PHYSMEM_BITS 51
--#else
-+#elif defined(CONFIG_SPARSEMEM)
- #define MAX_PHYSMEM_BITS 46
- #endif
-
mips-ensure-elf-appended-dtb-is-relocated.patch
mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch
powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch
-powerpc-mm-only-define-max_physmem_bits-in-sparsemem-configurations.patch
powerpc-security-fix-spectre_v2-reporting.patch
net-mlx5-fix-dct-creation-bad-flow.patch
scsi-core-avoid-that-a-kernel-warning-appears-during-system-resume.patch
smb3-fix-smb3.1.1-guest-mounts-to-samba.patch
alsa-hda-don-t-trigger-jackpoll_work-in-azx_resume.patch
alsa-ac97-fix-of-node-refcount-unbalance.patch
+ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
+ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
+ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch