--- /dev/null
+From 3017cd63f26fc655d56875aaf497153ba60e9edf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 26 May 2016 15:16:25 -0700
+Subject: dma-debug: avoid spinlock recursion when disabling dma-debug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3017cd63f26fc655d56875aaf497153ba60e9edf upstream.
+
+With netconsole (at least) the pr_err("... disablingn") call can
+recurse back into the dma-debug code, where it'll try to grab
+free_entries_lock again. Avoid the problem by doing the printk after
+dropping the lock.
+
+Link: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/dma-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/dma-debug.c
++++ b/lib/dma-debug.c
+@@ -657,9 +657,9 @@ static struct dma_debug_entry *dma_entry
+ spin_lock_irqsave(&free_entries_lock, flags);
+
+ if (list_empty(&free_entries)) {
+- pr_err("DMA-API: debugging out of memory - disabling\n");
+ global_disable = true;
+ spin_unlock_irqrestore(&free_entries_lock, flags);
++ pr_err("DMA-API: debugging out of memory - disabling\n");
+ return NULL;
+ }
+
--- /dev/null
+From b5cb316cdf3a3f5f6125412b0f6065185240cfdc Mon Sep 17 00:00:00 2001
+From: Nicolai Stange <nicstange@gmail.com>
+Date: Thu, 5 May 2016 17:38:03 -0400
+Subject: ext4: address UBSAN warning in mb_find_order_for_block()
+
+From: Nicolai Stange <nicstange@gmail.com>
+
+commit b5cb316cdf3a3f5f6125412b0f6065185240cfdc upstream.
+
+Currently, in mb_find_order_for_block(), there's a loop like the following:
+
+ while (order <= e4b->bd_blkbits + 1) {
+ ...
+ bb += 1 << (e4b->bd_blkbits - order);
+ }
+
+Note that the updated bb is used in the loop's next iteration only.
+
+However, at the last iteration, that is at order == e4b->bd_blkbits + 1,
+the shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports
+
+ UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11
+ shift exponent -1 is negative
+ [...]
+ Call Trace:
+ [<ffffffff818c4d35>] dump_stack+0xbc/0x117
+ [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
+ [<ffffffff819411bb>] ubsan_epilogue+0xd/0x4e
+ [<ffffffff81941cbc>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
+ [<ffffffff81941ac1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
+ [<ffffffff816e93a0>] ? ext4_mb_generate_from_pa+0x590/0x590
+ [<ffffffff816502c8>] ? ext4_read_block_bitmap_nowait+0x598/0xe80
+ [<ffffffff816e7b7e>] mb_find_order_for_block+0x1ce/0x240
+ [...]
+
+Unless compilers start to do some fancy transformations (which at least
+GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
+such calculated value of bb is never used again.
+
+Silence UBSAN by introducing another variable, bb_incr, holding the next
+increment to apply to bb and adjust that one by right shifting it by one
+position per loop iteration.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161
+
+Signed-off-by: Nicolai Stange <nicstange@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/mballoc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1259,6 +1259,7 @@ static void ext4_mb_unload_buddy(struct
+ static int mb_find_order_for_block(struct ext4_buddy *e4b, int block)
+ {
+ int order = 1;
++ int bb_incr = 1 << (e4b->bd_blkbits - 1);
+ void *bb;
+
+ BUG_ON(e4b->bd_bitmap == e4b->bd_buddy);
+@@ -1271,7 +1272,8 @@ static int mb_find_order_for_block(struc
+ /* this block is part of buddy of order 'order' */
+ return order;
+ }
+- bb += 1 << (e4b->bd_blkbits - order);
++ bb += bb_incr;
++ bb_incr >>= 1;
+ order++;
+ }
+ return 0;
--- /dev/null
+From 7827a7f6ebfcb7f388dc47fddd48567a314701ba Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 30 Apr 2016 00:49:54 -0400
+Subject: ext4: clean up error handling when orphan list is corrupted
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 7827a7f6ebfcb7f388dc47fddd48567a314701ba upstream.
+
+Instead of just printing warning messages, if the orphan list is
+corrupted, declare the file system is corrupted. If there are any
+reserved inodes in the orphaned inode list, declare the file system
+corrupted and stop right away to avoid doing more potential damage to
+the file system.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ialloc.c | 49 ++++++++++++++++++++++---------------------------
+ 1 file changed, 22 insertions(+), 27 deletions(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1150,25 +1150,20 @@ struct inode *ext4_orphan_get(struct sup
+ unsigned long max_ino = le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count);
+ ext4_group_t block_group;
+ int bit;
+- struct buffer_head *bitmap_bh;
++ struct buffer_head *bitmap_bh = NULL;
+ struct inode *inode = NULL;
+- long err = -EIO;
++ int err = -EFSCORRUPTED;
+
+- /* Error cases - e2fsck has already cleaned up for us */
+- if (ino > max_ino) {
+- ext4_warning(sb, "bad orphan ino %lu! e2fsck was run?", ino);
+- err = -EFSCORRUPTED;
+- goto error;
+- }
++ if (ino < EXT4_FIRST_INO(sb) || ino > max_ino)
++ goto bad_orphan;
+
+ block_group = (ino - 1) / EXT4_INODES_PER_GROUP(sb);
+ bit = (ino - 1) % EXT4_INODES_PER_GROUP(sb);
+ bitmap_bh = ext4_read_inode_bitmap(sb, block_group);
+ if (IS_ERR(bitmap_bh)) {
+- err = PTR_ERR(bitmap_bh);
+- ext4_warning(sb, "inode bitmap error %ld for orphan %lu",
+- ino, err);
+- goto error;
++ ext4_error(sb, "inode bitmap error %ld for orphan %lu",
++ ino, PTR_ERR(bitmap_bh));
++ return (struct inode *) bitmap_bh;
+ }
+
+ /* Having the inode bit set should be a 100% indicator that this
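Review bot: The arguments to the new `ext4_error()` call in the `IS_ERR(bitmap_bh)` branch are in the opposite order to its format string. `%ld` receives `ino` and `%lu` receives `PTR_ERR(bitmap_bh)`, so the log line would show the inode number where the error code belongs and the error code where the inode number belongs. Swapping them fixes it: `ext4_error(sb, "inode bitmap error %ld for orphan %lu", PTR_ERR(bitmap_bh), ino);`. The removed `ext4_warning()` passed them in the same order, so the mismatch is carried over rather than introduced here. The return that follows could use `ERR_CAST(bitmap_bh)` instead of the open-coded cast; ext4_orphan_get() starts and ends outside this hunk.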
+@@ -1179,8 +1174,12 @@ struct inode *ext4_orphan_get(struct sup
+ goto bad_orphan;
+
+ inode = ext4_iget(sb, ino);
+- if (IS_ERR(inode))
+- goto iget_failed;
++ if (IS_ERR(inode)) {
++ err = PTR_ERR(inode);
++ ext4_error(sb, "couldn't read orphan inode %lu (err %d)",
++ ino, err);
++ return inode;
++ }
+
+ /*
+ * If the orphans has i_nlinks > 0 then it should be able to
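Review bot: The new `IS_ERR(inode)` branch returns without releasing `bitmap_bh`, which by this point holds the buffer that `ext4_read_inode_bitmap()` read successfully earlier in the function. The removed `iget_failed` label fell through to `bad_orphan`, which ends in `brelse(bitmap_bh)`. The direct `return inode;` skips that, so every failed `ext4_iget()` on an orphan entry leaks one buffer_head reference, and on a corrupted image that path can be hit repeatedly. Adding `brelse(bitmap_bh);` before `return inode;` restores the previous cleanup. The function body continues outside this hunk.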
+@@ -1197,29 +1196,25 @@ struct inode *ext4_orphan_get(struct sup
+ brelse(bitmap_bh);
+ return inode;
+
+-iget_failed:
+- err = PTR_ERR(inode);
+- inode = NULL;
+ bad_orphan:
+- ext4_warning(sb, "bad orphan inode %lu! e2fsck was run?", ino);
+- printk(KERN_WARNING "ext4_test_bit(bit=%d, block=%llu) = %d\n",
+- bit, (unsigned long long)bitmap_bh->b_blocknr,
+- ext4_test_bit(bit, bitmap_bh->b_data));
+- printk(KERN_WARNING "inode=%p\n", inode);
++ ext4_error(sb, "bad orphan inode %lu", ino);
++ if (bitmap_bh)
++ printk(KERN_ERR "ext4_test_bit(bit=%d, block=%llu) = %d\n",
++ bit, (unsigned long long)bitmap_bh->b_blocknr,
++ ext4_test_bit(bit, bitmap_bh->b_data));
+ if (inode) {
+- printk(KERN_WARNING "is_bad_inode(inode)=%d\n",
++ printk(KERN_ERR "is_bad_inode(inode)=%d\n",
+ is_bad_inode(inode));
+- printk(KERN_WARNING "NEXT_ORPHAN(inode)=%u\n",
++ printk(KERN_ERR "NEXT_ORPHAN(inode)=%u\n",
+ NEXT_ORPHAN(inode));
+- printk(KERN_WARNING "max_ino=%lu\n", max_ino);
+- printk(KERN_WARNING "i_nlink=%u\n", inode->i_nlink);
++ printk(KERN_ERR "max_ino=%lu\n", max_ino);
++ printk(KERN_ERR "i_nlink=%u\n", inode->i_nlink);
+ /* Avoid freeing blocks if we got a bad deleted inode */
+ if (inode->i_nlink == 0)
+ inode->i_blocks = 0;
+ iput(inode);
+ }
+ brelse(bitmap_bh);
+-error:
+ return ERR_PTR(err);
+ }
+
--- /dev/null
+From ff0bc08454917964291f72ee5b8eca66de4bc250 Mon Sep 17 00:00:00 2001
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Thu, 5 May 2016 10:52:38 -0400
+Subject: ext4: fix check of dqget() return value in ext4_ioctl_setproject()
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+commit ff0bc08454917964291f72ee5b8eca66de4bc250 upstream.
+
+A failed call to dqget() returns an ERR_PTR() and not null. Fix
+the check in ext4_ioctl_setproject() to handle this correctly.
+
+Fixes: 9b7365fc1c82 ("ext4: add FS_IOC_FSSETXATTR/FS_IOC_FSGETXATTR interface support")
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -365,7 +365,7 @@ static int ext4_ioctl_setproject(struct
+ struct dquot *transfer_to[MAXQUOTAS] = { };
+
+ transfer_to[PRJQUOTA] = dqget(sb, make_kqid_projid(kprojid));
+- if (transfer_to[PRJQUOTA]) {
++ if (!IS_ERR(transfer_to[PRJQUOTA])) {
+ err = __dquot_transfer(inode, transfer_to);
+ dqput(transfer_to[PRJQUOTA]);
+ if (err)
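Review bot: With the corrected check, a failed `dqget()` skips the transfer block entirely, and nothing in the visible lines copies `PTR_ERR(transfer_to[PRJQUOTA])` into `err`. The rest of ext4_ioctl_setproject() is outside this hunk, so it cannot be confirmed from here, but it looks as if the project ID change may go ahead without the quota transfer and without reporting the failure. If skipping is intended (for example when project quota is not enabled), a comment on the `if` would make that explicit: `/* dqget() returns ERR_PTR() on failure, never NULL; on failure the transfer is skipped */`. If it is not intended, an `else` setting `err = PTR_ERR(transfer_to[PRJQUOTA]);` before the common error handling is needed.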
--- /dev/null
+From c9eb13a9105e2e418f72e46a2b6da3f49e696902 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 30 Apr 2016 00:48:54 -0400
+Subject: ext4: fix hang when processing corrupted orphaned inode list
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.
+
+If the orphaned inode list contains inode #5, ext4_iget() returns a
+bad inode (since the bootloader inode should never be referenced
+directly). Because of the bad inode, we end up processing the inode
+repeatedly and this hangs the machine.
+
+This can be reproduced via:
+
+ mke2fs -t ext4 /tmp/foo.img 100
+ debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
+ mount -o loop /tmp/foo.img /mnt
+
+(But don't do this if you are using an unpatched kernel if you care
+about the system staying functional. :-)
+
+This bug was found by the port of American Fuzzy Lop into the kernel
+to find file system problems[1]. (Since it *only* happens if inode #5
+shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
+surprising that AFL needed two hours before it found it.)
+
+[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+
+Reported by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ialloc.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1183,11 +1183,13 @@ struct inode *ext4_orphan_get(struct sup
+ goto iget_failed;
+
+ /*
+- * If the orphans has i_nlinks > 0 then it should be able to be
+- * truncated, otherwise it won't be removed from the orphan list
+- * during processing and an infinite loop will result.
++ * If the orphans has i_nlinks > 0 then it should be able to
++ * be truncated, otherwise it won't be removed from the orphan
++ * list during processing and an infinite loop will result.
++ * Similarly, it must not be a bad inode.
+ */
+- if (inode->i_nlink && !ext4_can_truncate(inode))
++ if ((inode->i_nlink && !ext4_can_truncate(inode)) ||
++ is_bad_inode(inode))
+ goto bad_orphan;
+
+ if (NEXT_ORPHAN(inode) > max_ino)
--- /dev/null
+From 74177f55b70e2f2be770dd28684dd6d17106a4ba Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 5 May 2016 11:10:15 -0400
+Subject: ext4: fix oops on corrupted filesystem
+
+From: Jan Kara <jack@suse.cz>
+
+commit 74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.
+
+When filesystem is corrupted in the right way, it can happen
+ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
+subsequently remove inode from the in-memory orphan list. However this
+deletion is done with list_del(&EXT4_I(inode)->i_orphan) and thus we
+leave i_orphan list_head with a stale content. Later we can look at this
+content causing list corruption, oops, or other issues. The reported
+trace looked like:
+
+WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
+list_del corruption, 0000000061c1d6e0->next is LIST_POISON1
+0000000000100100)
+CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
+Stack:
+ 60462947 62219960 602ede24 62219960
+ 602ede24 603ca293 622198f0 602f02eb
+ 62219950 6002c12c 62219900 601b4d6b
+Call Trace:
+ [<6005769c>] ? vprintk_emit+0x2dc/0x5c0
+ [<602ede24>] ? printk+0x0/0x94
+ [<600190bc>] show_stack+0xdc/0x1a0
+ [<602ede24>] ? printk+0x0/0x94
+ [<602ede24>] ? printk+0x0/0x94
+ [<602f02eb>] dump_stack+0x2a/0x2c
+ [<6002c12c>] warn_slowpath_common+0x9c/0xf0
+ [<601b4d6b>] ? __list_del_entry+0x6b/0x100
+ [<6002c254>] warn_slowpath_fmt+0x94/0xa0
+ [<602f4d09>] ? __mutex_lock_slowpath+0x239/0x3a0
+ [<6002c1c0>] ? warn_slowpath_fmt+0x0/0xa0
+ [<60023ebf>] ? set_signals+0x3f/0x50
+ [<600a205a>] ? kmem_cache_free+0x10a/0x180
+ [<602f4e88>] ? mutex_lock+0x18/0x30
+ [<601b4d6b>] __list_del_entry+0x6b/0x100
+ [<601177ec>] ext4_orphan_del+0x22c/0x2f0
+ [<6012f27c>] ? __ext4_journal_start_sb+0x2c/0xa0
+ [<6010b973>] ? ext4_truncate+0x383/0x390
+ [<6010bc8b>] ext4_write_begin+0x30b/0x4b0
+ [<6001bb50>] ? copy_from_user+0x0/0xb0
+ [<601aa840>] ? iov_iter_fault_in_readable+0xa0/0xc0
+ [<60072c4f>] generic_perform_write+0xaf/0x1e0
+ [<600c4166>] ? file_update_time+0x46/0x110
+ [<60072f0f>] __generic_file_write_iter+0x18f/0x1b0
+ [<6010030f>] ext4_file_write_iter+0x15f/0x470
+ [<60094e10>] ? unlink_file_vma+0x0/0x70
+ [<6009b180>] ? unlink_anon_vmas+0x0/0x260
+ [<6008f169>] ? free_pgtables+0xb9/0x100
+ [<600a6030>] __vfs_write+0xb0/0x130
+ [<600a61d5>] vfs_write+0xa5/0x170
+ [<600a63d6>] SyS_write+0x56/0xe0
+ [<6029fcb0>] ? __libc_waitpid+0x0/0xa0
+ [<6001b698>] handle_syscall+0x68/0x90
+ [<6002633d>] userspace+0x4fd/0x600
+ [<6002274f>] ? save_registers+0x1f/0x40
+ [<60028bd7>] ? arch_prctl+0x177/0x1b0
+ [<60017bd5>] fork_handler+0x85/0x90
+
+Fix the problem by using list_del_init() as we always should with
+i_orphan list.
+
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2828,7 +2828,7 @@ int ext4_orphan_add(handle_t *handle, st
+ * list entries can cause panics at unmount time.
+ */
+ mutex_lock(&sbi->s_orphan_lock);
+- list_del(&EXT4_I(inode)->i_orphan);
++ list_del_init(&EXT4_I(inode)->i_orphan);
+ mutex_unlock(&sbi->s_orphan_lock);
+ }
+ }
--- /dev/null
+From 935244cd54b86ca46e69bc6604d2adfb1aec2d42 Mon Sep 17 00:00:00 2001
+From: Nicolai Stange <nicstange@gmail.com>
+Date: Thu, 5 May 2016 19:46:19 -0400
+Subject: ext4: silence UBSAN in ext4_mb_init()
+
+From: Nicolai Stange <nicstange@gmail.com>
+
+commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.
+
+Currently, in ext4_mb_init(), there's a loop like the following:
+
+ do {
+ ...
+ offset += 1 << (sb->s_blocksize_bits - i);
+ i++;
+ } while (i <= sb->s_blocksize_bits + 1);
+
+Note that the updated offset is used in the loop's next iteration only.
+
+However, at the last iteration, that is at i == sb->s_blocksize_bits + 1,
+the shift count becomes equal to (unsigned)-1 > 31 (c.f. C99 6.5.7(3))
+and UBSAN reports
+
+ UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
+ shift exponent 4294967295 is too large for 32-bit type 'int'
+ [...]
+ Call Trace:
+ [<ffffffff818c4d25>] dump_stack+0xbc/0x117
+ [<ffffffff818c4c69>] ? _atomic_dec_and_lock+0x169/0x169
+ [<ffffffff819411ab>] ubsan_epilogue+0xd/0x4e
+ [<ffffffff81941cac>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
+ [<ffffffff81941ab1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
+ [<ffffffff814b6dc1>] ? kmem_cache_alloc+0x101/0x390
+ [<ffffffff816fc13b>] ? ext4_mb_init+0x13b/0xfd0
+ [<ffffffff814293c7>] ? create_cache+0x57/0x1f0
+ [<ffffffff8142948a>] ? create_cache+0x11a/0x1f0
+ [<ffffffff821c2168>] ? mutex_lock+0x38/0x60
+ [<ffffffff821c23ab>] ? mutex_unlock+0x1b/0x50
+ [<ffffffff814c26ab>] ? put_online_mems+0x5b/0xc0
+ [<ffffffff81429677>] ? kmem_cache_create+0x117/0x2c0
+ [<ffffffff816fcc49>] ext4_mb_init+0xc49/0xfd0
+ [...]
+
+Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1.
+
+Unless compilers start to do some fancy transformations (which at least
+GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
+such calculated value of offset is never used again.
+
+Silence UBSAN by introducing another variable, offset_incr, holding the
+next increment to apply to offset and adjust that one by right shifting it
+by one position per loop iteration.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161
+
+Signed-off-by: Nicolai Stange <nicstange@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/mballoc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2578,7 +2578,7 @@ int ext4_mb_init(struct super_block *sb)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ unsigned i, j;
+- unsigned offset;
++ unsigned offset, offset_incr;
+ unsigned max;
+ int ret;
+
+@@ -2607,11 +2607,13 @@ int ext4_mb_init(struct super_block *sb)
+
+ i = 1;
+ offset = 0;
++ offset_incr = 1 << (sb->s_blocksize_bits - 1);
+ max = sb->s_blocksize << 2;
+ do {
+ sbi->s_mb_offsets[i] = offset;
+ sbi->s_mb_maxs[i] = max;
+- offset += 1 << (sb->s_blocksize_bits - i);
++ offset += offset_incr;
++ offset_incr = offset_incr >> 1;
+ max = max >> 1;
+ i++;
+ } while (i <= sb->s_blocksize_bits + 1);
--- /dev/null
+From c87bf431448b404a6ef5fbabd74c0e3e42157a7f Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Apr 2016 17:35:30 +0200
+Subject: gcov: disable tree-loop-im to reduce stack usage
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit c87bf431448b404a6ef5fbabd74c0e3e42157a7f upstream.
+
+Enabling CONFIG_GCOV_PROFILE_ALL produces us a lot of warnings like
+
+lib/lz4/lz4hc_compress.c: In function 'lz4_compresshcctx':
+lib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than=]
+
+After some investigation, I found that this behavior started with gcc-4.9,
+and opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702.
+A suggested workaround for it is to use the -fno-tree-loop-im
+flag that turns off one of the optimization stages in gcc, so the
+code runs a little slower but does not use excessive amounts
+of stack.
+
+We could make this conditional on the gcc version, but I could not
+find an easy way to do this in Kbuild and the benefit would be
+fairly small, given that most of the gcc version in production are
+affected now.
+
+I'm marking this for 'stable' backports because it addresses a bug
+with code generation in gcc that exists in all kernel versions
+with the affected gcc releases.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
+Signed-off-by: Michal Marek <mmarek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -364,7 +364,7 @@ AFLAGS_MODULE =
+ LDFLAGS_MODULE =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage
++CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im
+
+
+ # Use USERINCLUDE when you must reference the UAPI directories only.
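Review bot: `-fno-tree-loop-im` is appended to `CFLAGS_GCOV` unconditionally, although it is a GCC optimizer switch and the description says the stack-usage regression only started with gcc-4.9. A compiler that does not recognise the option would presumably fail every GCOV-instrumented object. Writing it as `$(call cc-option,-fno-tree-loop-im)` keeps the workaround and lets such compilers build, assuming `cc-option` is already available at this point in the top-level Makefile. A comment beside the flag, pointing at the gcc bug named in the description, would explain why an optimization pass is disabled for coverage builds and when it can be dropped.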
--- /dev/null
+From 0798d3c022dc63eb0ec02b511e1f76ca8411ef8e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Fri, 27 May 2016 14:27:38 -0700
+Subject: mm: thp: avoid false positive VM_BUG_ON_PAGE in page_move_anon_rmap()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 0798d3c022dc63eb0ec02b511e1f76ca8411ef8e upstream.
+
+If page_move_anon_rmap() is refiling a pmd-splitted THP mapped in a tail
+page from a pte, the "address" must be THP aligned in order for the
+page->index bugcheck to pass in the CONFIG_DEBUG_VM=y builds.
+
+Link: http://lkml.kernel.org/r/1464253620-106404-1-git-send-email-kirill.shutemov@linux.intel.com
+Fixes: 6d0a07edd17c ("mm: thp: calculate the mapcount correctly for THP pages during WP faults")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/rmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1112,6 +1112,8 @@ void page_move_anon_rmap(struct page *pa
+
+ VM_BUG_ON_PAGE(!PageLocked(page), page);
+ VM_BUG_ON_VMA(!anon_vma, vma);
++ if (IS_ENABLED(CONFIG_DEBUG_VM) && PageTransHuge(page))
++ address &= HPAGE_PMD_MASK;
+ VM_BUG_ON_PAGE(page->index != linear_page_index(vma, address), page);
+
+ anon_vma = (void *) anon_vma + PAGE_MAPPING_ANON;
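Review bot: The added lines overwrite the `address` parameter only when `CONFIG_DEBUG_VM` is enabled, so any later use of `address` would see a different value in debug and non-debug builds. Nothing in the visible lines reads it again, but page_move_anon_rmap() continues past this hunk, so that cannot be confirmed from here. At minimum I would add a comment above the `if`, such as `/* only for the page->index check below: a THP's index refers to its head, so align the address */`, so nobody later relies on `address` after this point. Computing the aligned value into a local used solely by the `VM_BUG_ON_PAGE()` would remove the build-dependent side effect altogether.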
--- /dev/null
+From ade8febde0271513360bac44883dbebad44276c3 Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson <dros@monkey.org>
+Date: Wed, 25 May 2016 10:07:23 -0400
+Subject: nfs: avoid race that crashes nfs_init_commit
+
+From: Weston Andros Adamson <dros@monkey.org>
+
+commit ade8febde0271513360bac44883dbebad44276c3 upstream.
+
+Since the patch "NFS: Allow multiple commit requests in flight per file"
+we can run multiple simultaneous commits on the same inode. This
+introduced a race over collecting pages to commit that made it possible
+to call nfs_init_commit() with an empty list - which causes crashes like
+the one below.
+
+The fix is to catch this race and avoid calling nfs_init_commit and
+initiate_commit when there is no work to do.
+
+Here is the crash:
+
+[600522.076832] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
+[600522.078475] IP: [<ffffffffa0479e72>] nfs_init_commit+0x22/0x130 [nfs]
+[600522.078745] PGD 4272b1067 PUD 4272cb067 PMD 0
+[600522.078972] Oops: 0000 [#1] SMP
+[600522.079204] Modules linked in: nfsv3 nfs_layout_flexfiles rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache dcdbas ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw vmw_vsock_vmci_transport vsock bonding ipmi_devintf ipmi_msghandler coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev vmw_balloon parport_pc parport acpi_cpufreq vmw_vmci i2c_piix4 shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c vmwgfx drm_kms_helper ttm drm crc32c_intel serio_raw vmxnet3
+[600522.081380] vmw_pvscsi ata_generic pata_acpi
+[600522.081809] CPU: 3 PID: 15667 Comm: /usr/bin/python Not tainted 4.1.9-100.pd.88.el7.x86_64 #1
+[600522.082281] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2014
+[600522.082814] task: ffff8800bbbfa780 ti: ffff88042ae84000 task.ti: ffff88042ae84000
+[600522.083378] RIP: 0010:[<ffffffffa0479e72>] [<ffffffffa0479e72>] nfs_init_commit+0x22/0x130 [nfs]
+[600522.083973] RSP: 0018:ffff88042ae87438 EFLAGS: 00010246
+[600522.084571] RAX: 0000000000000000 RBX: ffff880003485e40 RCX: ffff88042ae87588
+[600522.085188] RDX: 0000000000000000 RSI: ffff88042ae874b0 RDI: ffff880003485e40
+[600522.085756] RBP: ffff88042ae87448 R08: ffff880003486010 R09: ffff88042ae874b0
+[600522.086332] R10: 0000000000000000 R11: 0000000000000005 R12: ffff88042ae872d0
+[600522.086905] R13: ffff88042ae874b0 R14: ffff880003485e40 R15: ffff88042704c840
+[600522.087484] FS: 00007f4728ff2740(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
+[600522.088070] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[600522.088663] CR2: 0000000000000040 CR3: 000000042b6aa000 CR4: 00000000001406e0
+[600522.089327] Stack:
+[600522.089926] 0000000000000001 ffff88042ae87588 ffff88042ae874f8 ffffffffa04f09fa
+[600522.090549] 0000000000017840 0000000000017840 ffff88042ae87588 ffff8803258d9930
+[600522.091169] ffff88042ae87578 ffffffffa0563d80 0000000000000000 ffff88042704c840
+[600522.091789] Call Trace:
+[600522.092420] [<ffffffffa04f09fa>] pnfs_generic_commit_pagelist+0x1da/0x320 [nfsv4]
+[600522.093052] [<ffffffffa0563d80>] ? ff_layout_commit_prepare_v3+0x30/0x30 [nfs_layout_flexfiles]
+[600522.093696] [<ffffffffa0562645>] ff_layout_commit_pagelist+0x15/0x20 [nfs_layout_flexfiles]
+[600522.094359] [<ffffffffa047bc78>] nfs_generic_commit_list+0xe8/0x120 [nfs]
+[600522.095032] [<ffffffffa047bd6a>] nfs_commit_inode+0xba/0x110 [nfs]
+[600522.095719] [<ffffffffa046ac54>] nfs_release_page+0x44/0xd0 [nfs]
+[600522.096410] [<ffffffff811a8122>] try_to_release_page+0x32/0x50
+[600522.097109] [<ffffffff811bd4f1>] shrink_page_list+0x961/0xb30
+[600522.097812] [<ffffffff811bdced>] shrink_inactive_list+0x1cd/0x550
+[600522.098530] [<ffffffff811bea65>] shrink_lruvec+0x635/0x840
+[600522.099250] [<ffffffff811bed60>] shrink_zone+0xf0/0x2f0
+[600522.099974] [<ffffffff811bf312>] do_try_to_free_pages+0x192/0x470
+[600522.100709] [<ffffffff811bf6ca>] try_to_free_pages+0xda/0x170
+[600522.101464] [<ffffffff811b2198>] __alloc_pages_nodemask+0x588/0x970
+[600522.102235] [<ffffffff811fbbd5>] alloc_pages_vma+0xb5/0x230
+[600522.103000] [<ffffffff813a1589>] ? cpumask_any_but+0x39/0x50
+[600522.103774] [<ffffffff811d6115>] wp_page_copy.isra.55+0x95/0x490
+[600522.104558] [<ffffffff810e3438>] ? __wake_up+0x48/0x60
+[600522.105357] [<ffffffff811d7d3b>] do_wp_page+0xab/0x4f0
+[600522.106137] [<ffffffff810a1bbb>] ? release_task+0x36b/0x470
+[600522.106902] [<ffffffff8126dbd7>] ? eventfd_ctx_read+0x67/0x1c0
+[600522.107659] [<ffffffff811da2a8>] handle_mm_fault+0xc78/0x1900
+[600522.108431] [<ffffffff81067ef1>] __do_page_fault+0x181/0x420
+[600522.109173] [<ffffffff811446a6>] ? __audit_syscall_exit+0x1e6/0x280
+[600522.109893] [<ffffffff810681c0>] do_page_fault+0x30/0x80
+[600522.110594] [<ffffffff81024f36>] ? syscall_trace_leave+0xc6/0x120
+[600522.111288] [<ffffffff81790a58>] page_fault+0x28/0x30
+[600522.111947] Code: 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 4c 8d 87 d0 01 00 00 48 89 e5 53 48 89 fb 48 83 ec 08 4c 8b 0e 49 8b 41 18 4c 39 ce <48> 8b 40 40 4c 8b 50 30 74 24 48 8b 87 d0 01 00 00 48 8b 7e 08
+[600522.113343] RIP [<ffffffffa0479e72>] nfs_init_commit+0x22/0x130 [nfs]
+[600522.114003] RSP <ffff88042ae87438>
+[600522.114636] CR2: 0000000000000040
+
+Fixes: af7cf057 (NFS: Allow multiple commit requests in flight per file)
+Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs_nfs.c | 28 ++++++++++++++++++++++++++++
+ fs/nfs/write.c | 4 ++++
+ 2 files changed, 32 insertions(+)
+
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -246,6 +246,23 @@ void pnfs_fetch_commit_bucket_list(struc
+
+ }
+
++/* Helper function for pnfs_generic_commit_pagelist to catch an empty
++ * page list. This can happen when two commits race. */
++static bool
++pnfs_generic_commit_cancel_empty_pagelist(struct list_head *pages,
++ struct nfs_commit_data *data,
++ struct nfs_commit_info *cinfo)
++{
++ if (list_empty(pages)) {
++ if (atomic_dec_and_test(&cinfo->mds->rpcs_out))
++ wake_up_atomic_t(&cinfo->mds->rpcs_out);
++ nfs_commitdata_release(data);
++ return true;
++ }
++
++ return false;
++}
++
+ /* This follows nfs_commit_list pretty closely */
+ int
+ pnfs_generic_commit_pagelist(struct inode *inode, struct list_head *mds_pages,
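Review bot: The comment on `pnfs_generic_commit_cancel_empty_pagelist()` says when an empty list can occur but not what the helper does to its arguments. On the empty path it drops one count from `cinfo->mds->rpcs_out`, wakes waiters when that reaches zero, and releases `data`, so a caller must not touch `data` after a `true` return. I would extend the comment to say so: `Returns true if @pages was empty; @data has then been released and one rpcs_out count dropped.` The decrement presumably balances a count taken when the request was queued, which happens outside the visible hunks and is worth naming in the comment so the pairing stays obvious.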
+@@ -280,6 +297,11 @@ pnfs_generic_commit_pagelist(struct inod
+ list_for_each_entry_safe(data, tmp, &list, pages) {
+ list_del_init(&data->pages);
+ if (data->ds_commit_index < 0) {
++ /* another commit raced with us */
++ if (pnfs_generic_commit_cancel_empty_pagelist(mds_pages,
++ data, cinfo))
++ continue;
++
+ nfs_init_commit(data, mds_pages, NULL, cinfo);
+ nfs_initiate_commit(NFS_CLIENT(inode), data,
+ NFS_PROTO(data->inode),
+@@ -288,6 +310,12 @@ pnfs_generic_commit_pagelist(struct inod
+ LIST_HEAD(pages);
+
+ pnfs_fetch_commit_bucket_list(&pages, data, cinfo);
++
++ /* another commit raced with us */
++ if (pnfs_generic_commit_cancel_empty_pagelist(&pages,
++ data, cinfo))
++ continue;
++
+ nfs_init_commit(data, &pages, data->lseg, cinfo);
+ initiate_commit(data, how);
+ }
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1709,6 +1709,10 @@ nfs_commit_list(struct inode *inode, str
+ {
+ struct nfs_commit_data *data;
+
++ /* another commit raced with us */
++ if (list_empty(head))
++ return 0;
++
+ data = nfs_commitdata_alloc();
+
+ if (!data)
--- /dev/null
+From 3a17fb329da68cb00558721aff876a80bba2fdb9 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 20 May 2016 23:09:49 +0200
+Subject: PM / sleep: Handle failures in device_suspend_late() consistently
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 3a17fb329da68cb00558721aff876a80bba2fdb9 upstream.
+
+Grygorii Strashko reports:
+
+ The PM runtime will be left disabled for the device if its
+ .suspend_late() callback fails and async suspend is not allowed
+ for this device. In this case device will not be added in
+ dpm_late_early_list and dpm_resume_early() will ignore this
+ device, as result PM runtime will be disabled for it forever
+ (side effect: after 8 subsequent failures for the same device
+ the PM runtime will be reenabled due to disable_depth overflow).
+
+To fix this problem, add devices to dpm_late_early_list regardless
+of whether or not device_suspend_late() returns errors for them.
+
+That will ensure failures in there to be handled consistently for
+all devices regardless of their async suspend/resume status.
+
+Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1267,14 +1267,15 @@ int dpm_suspend_late(pm_message_t state)
+ error = device_suspend_late(dev);
+
+ mutex_lock(&dpm_list_mtx);
++ if (!list_empty(&dev->power.entry))
++ list_move(&dev->power.entry, &dpm_late_early_list);
++
+ if (error) {
+ pm_dev_err(dev, state, " late", error);
+ dpm_save_failed_dev(dev_name(dev));
+ put_device(dev);
+ break;
+ }
+- if (!list_empty(&dev->power.entry))
+- list_move(&dev->power.entry, &dpm_late_early_list);
+ put_device(dev);
+
+ if (async_error)
--- /dev/null
+From 65a9f31c5042e5bb50d30ed8ae374044be561054 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Sat, 14 May 2016 20:09:52 -0700
+Subject: scripts/package/Makefile: rpmbuild add support of RPMOPTS
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 65a9f31c5042e5bb50d30ed8ae374044be561054 upstream.
+
+After commit 21a59991ce0c ("scripts/package/Makefile: rpmbuild is needed
+for rpm targets"), it is no longer possible to specify RPMOPTS.
+For example, we can no longer able to control _topdir using the following
+make command.
+make RPMOPTS="--define '_topdir /home/xyz/workspace/'" binrpm-pkg
+
+Fixes: 21a59991ce0c ("scripts/package/Makefile: rpmbuild is needed for rpm targets")
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Michal Marek <mmarek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/package/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -52,7 +52,7 @@ rpm-pkg rpm: FORCE
+ $(call cmd,src_tar,$(KERNELPATH),kernel.spec)
+ $(CONFIG_SHELL) $(srctree)/scripts/mkversion > $(objtree)/.tmp_version
+ mv -f $(objtree)/.tmp_version $(objtree)/.version
+- rpmbuild --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
++ rpmbuild $(RPMOPTS) --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
+ rm $(KERNELPATH).tar.gz kernel.spec
+
+ # binrpm-pkg
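Review bot: `$(RPMOPTS)` is added to the `rpmbuild` line here and in the binrpm-pkg hunk below, but neither recipe gets a comment saying what the variable is for. I would add one above the recipes, for example `# RPMOPTS: extra options passed verbatim to rpmbuild (e.g. --define '_topdir <dir>')`. The value is expanded unquoted into the shell command, which is what lets it carry several options. The same comment could say that it is expected to come only from the person invoking make, not from an untrusted environment.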
+@@ -63,7 +63,7 @@ binrpm-pkg: FORCE
+ $(CONFIG_SHELL) $(srctree)/scripts/mkversion > $(objtree)/.tmp_version
+ mv -f $(objtree)/.tmp_version $(objtree)/.version
+
+- rpmbuild --define "_builddir $(objtree)" --target \
++ rpmbuild $(RPMOPTS) --define "_builddir $(objtree)" --target \
+ $(UTS_MACHINE) -bb $(objtree)/binkernel.spec
+ rm binkernel.spec
+
drm-i915-don-t-leave-old-junk-in-ilk-active-watermarks-on-readout.patch
drm-i915-fix-watermarks-for-vlv-chv.patch
drm-imx-match-imx-ipuv3-crtc-components-using-device-node-in-platform-data.patch
+ext4-fix-hang-when-processing-corrupted-orphaned-inode-list.patch
+ext4-clean-up-error-handling-when-orphan-list-is-corrupted.patch
+ext4-fix-check-of-dqget-return-value-in-ext4_ioctl_setproject.patch
+ext4-fix-oops-on-corrupted-filesystem.patch
+ext4-address-ubsan-warning-in-mb_find_order_for_block.patch
+ext4-silence-ubsan-in-ext4_mb_init.patch
+nfs-avoid-race-that-crashes-nfs_init_commit.patch
+pm-sleep-handle-failures-in-device_suspend_late-consistently.patch
+dma-debug-avoid-spinlock-recursion-when-disabling-dma-debug.patch
+scripts-package-makefile-rpmbuild-add-support-of-rpmopts.patch
+mm-thp-avoid-false-positive-vm_bug_on_page-in-page_move_anon_rmap.patch
+gcov-disable-tree-loop-im-to-reduce-stack-usage.patch
+xfs-disallow-rw-remount-on-fs-with-unknown-ro-compat-features.patch
+xfs-don-t-wrap-growfs-agfl-indexes.patch
+xfs-xfs_iflush_cluster-fails-to-abort-on-error.patch
+xfs-fix-inode-validity-check-in-xfs_iflush_cluster.patch
+xfs-skip-stale-inodes-in-xfs_iflush_cluster.patch
--- /dev/null
+From d0a58e833931234c44e515b5b8bede32bd4e6eed Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Wed, 6 Apr 2016 07:05:41 +1000
+Subject: xfs: disallow rw remount on fs with unknown ro-compat features
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit d0a58e833931234c44e515b5b8bede32bd4e6eed upstream.
+
+Today, a kernel which refuses to mount a filesystem read-write
+due to unknown ro-compat features can still transition to read-write
+via the remount path. The old kernel is most likely none the wiser,
+because it's unaware of the new feature, and isn't using it. However,
+writing to the filesystem may well corrupt metadata related to that
+new feature, and moving to a newer kernel which understands the feature
+will have problems.
+
+Right now the only ro-compat feature we have is the free inode btree,
+which showed up in v3.16. It would be good to push this back to
+all the active stable kernels, I think, so that if anyone is using
+newer mkfs (which enables the finobt feature) with older kernel
+releases, they'll be protected.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Bill O'Donnell <billodo@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_super.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -1233,6 +1233,16 @@ xfs_fs_remount(
+ return -EINVAL;
+ }
+
++ if (XFS_SB_VERSION_NUM(sbp) == XFS_SB_VERSION_5 &&
++ xfs_sb_has_ro_compat_feature(sbp,
++ XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
++ xfs_warn(mp,
++"ro->rw transition prohibited on unknown (0x%x) ro-compat filesystem",
++ (sbp->sb_features_ro_compat &
++ XFS_SB_FEAT_RO_COMPAT_UNKNOWN));
++ return -EINVAL;
++ }
++
+ mp->m_flags &= ~XFS_MOUNT_RDONLY;
+
+ /*
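Review bot: The new guard before `mp->m_flags &= ~XFS_MOUNT_RDONLY` has no comment explaining why an unknown ro-compat bit must block the ro->rw transition. The rationale (writes from a kernel that does not know the feature can corrupt its metadata) lives only in the commit message. A comment above the `if` would keep it with the code, for example `/* Unknown ro-compat features: writing could corrupt metadata this kernel does not understand, so refuse rw just as the initial mount does. */`. The reference to the initial mount follows the commit description, since the mount-time check is not visible here. xfs_fs_remount's body starts and ends outside the hunk.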
--- /dev/null
+From ad747e3b299671e1a53db74963cc6c5f6cdb9f6d Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Wed, 6 Apr 2016 07:06:20 +1000
+Subject: xfs: Don't wrap growfs AGFL indexes
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit ad747e3b299671e1a53db74963cc6c5f6cdb9f6d upstream.
+
+Commit 96f859d ("libxfs: pack the agfl header structure so
+XFS_AGFL_SIZE is correct") allowed the freelist to use the empty
+slot at the end of the freelist on 64 bit systems that was not
+being used due to sizeof() rounding up the structure size.
+
+This has caused versions of xfs_repair prior to 4.5.0 (which also
+has the fix) to report this as a corruption once the filesystem has
+been grown. Older kernels can also have problems (seen from a whacky
+container/vm management environment) mounting filesystems grown on a
+system with a newer kernel than the vm/container it is deployed on.
+
+To avoid this problem, change the initial free list indexes not to
+wrap across the end of the AGFL, hence avoiding the initialisation
+of agf_fllast to the last index in the AGFL.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_fsops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_fsops.c
++++ b/fs/xfs/xfs_fsops.c
+@@ -243,8 +243,8 @@ xfs_growfs_data_private(
+ agf->agf_roots[XFS_BTNUM_CNTi] = cpu_to_be32(XFS_CNT_BLOCK(mp));
+ agf->agf_levels[XFS_BTNUM_BNOi] = cpu_to_be32(1);
+ agf->agf_levels[XFS_BTNUM_CNTi] = cpu_to_be32(1);
+- agf->agf_flfirst = 0;
+- agf->agf_fllast = cpu_to_be32(XFS_AGFL_SIZE(mp) - 1);
++ agf->agf_flfirst = cpu_to_be32(1);
++ agf->agf_fllast = 0;
+ agf->agf_flcount = 0;
+ tmpsize = agsize - XFS_PREALLOC_BLOCKS(mp);
+ agf->agf_freeblks = cpu_to_be32(tmpsize);
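Review bot: The new initial values `agf_flfirst = cpu_to_be32(1)` and `agf_fllast = 0` read like a mistake without context, because first is greater than last while `agf_flcount` is 0. A one-line comment would stop someone "correcting" them back, for example `/* Empty AGFL: start at first=1, last=0 so the indexes never wrap to the final slot, which older xfs_repair and kernels reject. */`. The reason is taken from the commit message, since the AGFL size macro's definition is not visible in this hunk. xfs_growfs_data_private continues outside the hunk.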
--- /dev/null
+From 51b07f30a71c27405259a0248206ed4e22adbee2 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Wed, 18 May 2016 13:54:22 +1000
+Subject: xfs: fix inode validity check in xfs_iflush_cluster
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 51b07f30a71c27405259a0248206ed4e22adbee2 upstream.
+
+Some careless idiot(*) wrote crap code in commit 1a3e8f3 ("xfs:
+convert inode cache lookups to use RCU locking") back in late 2010,
+and so xfs_iflush_cluster checks the wrong inode for whether it is
+still valid under RCU protection. Fix it to lock and check the
+correct inode.
+
+(*) Careless-idiot: Dave Chinner <dchinner@redhat.com>
+
+Discovered-by: Brain Foster <bfoster@redhat.com>
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -3225,13 +3225,13 @@ xfs_iflush_cluster(
+ * We need to check under the i_flags_lock for a valid inode
+ * here. Skip it if it is not valid or the wrong inode.
+ */
+- spin_lock(&ip->i_flags_lock);
+- if (!ip->i_ino ||
++ spin_lock(&iq->i_flags_lock);
++ if (!iq->i_ino ||
+ (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
+- spin_unlock(&ip->i_flags_lock);
++ spin_unlock(&iq->i_flags_lock);
+ continue;
+ }
+- spin_unlock(&ip->i_flags_lock);
++ spin_unlock(&iq->i_flags_lock);
+
+ /*
+ * Do an un-protected check to see if the inode is dirty and
--- /dev/null
+From 7d3aa7fe970791f1a674b14572a411accf2f4d4e Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Wed, 18 May 2016 13:54:23 +1000
+Subject: xfs: skip stale inodes in xfs_iflush_cluster
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 7d3aa7fe970791f1a674b14572a411accf2f4d4e upstream.
+
+We don't write back stale inodes so we should skip them in
+xfs_iflush_cluster, too.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -3227,6 +3227,7 @@ xfs_iflush_cluster(
+ */
+ spin_lock(&iq->i_flags_lock);
+ if (!iq->i_ino ||
++ __xfs_iflags_test(iq, XFS_ISTALE) ||
+ (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
+ spin_unlock(&iq->i_flags_lock);
+ continue;
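Review bot: The block comment that closes on the first line of this hunk is not updated for the added `__xfs_iflags_test(iq, XFS_ISTALE)` condition. Its text, visible in the previous patch for the same lines, says the inode is skipped if it is "not valid or the wrong inode", and stale inodes are now skipped as well. I would extend that sentence to `Skip it if it is not valid, stale, or the wrong inode.` so the comment and the condition stay in step. The comment's opening and the enclosing loop of xfs_iflush_cluster lie outside the hunk.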
--- /dev/null
+From b1438f477934f5a4d5a44df26f3079a7575d5946 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Wed, 18 May 2016 13:53:42 +1000
+Subject: xfs: xfs_iflush_cluster fails to abort on error
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.
+
+When a failure due to an inode buffer occurs, the error handling
+fails to abort the inode writeback correctly. This can result in the
+inode being reclaimed whilst still in the AIL, leading to
+use-after-free situations as well as filesystems that cannot be
+unmounted as the inode log items left in the AIL never get removed.
+
+Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
+the inode flush being aborted correctly.
+
+Reported-by: Shyam Kaushik <shyam@zadarastorage.com>
+Diagnosed-by: Shyam Kaushik <shyam@zadarastorage.com>
+Tested-by: Shyam Kaushik <shyam@zadarastorage.com>
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_inode.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -3347,7 +3347,7 @@ xfs_iflush(
+ struct xfs_buf **bpp)
+ {
+ struct xfs_mount *mp = ip->i_mount;
+- struct xfs_buf *bp;
++ struct xfs_buf *bp = NULL;
+ struct xfs_dinode *dip;
+ int error;
+
+@@ -3389,14 +3389,22 @@ xfs_iflush(
+ }
+
+ /*
+- * Get the buffer containing the on-disk inode.
++ * Get the buffer containing the on-disk inode. We are doing a try-lock
++ * operation here, so we may get an EAGAIN error. In that case, we
++ * simply want to return with the inode still dirty.
++ *
++ * If we get any other error, we effectively have a corruption situation
++ * and we cannot flush the inode, so we treat it the same as failing
++ * xfs_iflush_int().
+ */
+ error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
+ 0);
+- if (error || !bp) {
++ if (error == -EAGAIN) {
+ xfs_ifunlock(ip);
+ return error;
+ }
++ if (error)
++ goto corrupt_out;
+
+ /*
+ * First flush out the inode that xfs_iflush was called with.
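Review bot: Dropping the `!bp` half of the old `if (error || !bp)` test means a zero return from xfs_imap_to_bp() with a NULL buffer now falls through to the flush code below, which presumably dereferences `bp`. The new comment implies a failed try-lock always surfaces as -EAGAIN, but the helper is not visible here and this is a stable backport, so that contract should be confirmed for the target tree. Adding `ASSERT(bp);` right after `if (error) goto corrupt_out;` would record the assumption at the point it matters. xfs_iflush's body continues outside this hunk.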
+@@ -3424,7 +3432,8 @@ xfs_iflush(
+ return 0;
+
+ corrupt_out:
+- xfs_buf_relse(bp);
++ if (bp)
++ xfs_buf_relse(bp);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ cluster_corrupt_out:
+ error = -EFSCORRUPTED;