--- /dev/null
+From d0ffb805b729322626639336986bc83fc2e60871 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
+Date: Mon, 22 Oct 2018 09:19:05 -0700
+Subject: arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
+
+From: H. Peter Anvin (Intel) <hpa@zytor.com>
+
+commit d0ffb805b729322626639336986bc83fc2e60871 upstream.
+
+Alpha has had c_ispeed and c_ospeed, but still set speeds in c_cflags
+using arbitrary flags. Because BOTHER is not defined, the general
+Linux code doesn't allow setting arbitrary baud rates, and because
+CBAUDEX == 0, we can have an array overrun of the baud_rate[] table in
+drivers/tty/tty_baudrate.c if (c_cflags & CBAUD) == 037.
+
+Resolve both problems by #defining BOTHER to 037 on Alpha.
+
+However, userspace still needs to know if setting BOTHER is actually
+safe given legacy kernels (does anyone actually care about that on
+Alpha anymore?), so enable the TCGETS2/TCSETS*2 ioctls on Alpha, even
+though they use the same structure. Define struct termios2 just for
+compatibility; it is the exact same structure as struct termios. In a
+future patchset, this will be cleaned up so the uapi headers are
+usable from libc.
+
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: <linux-alpha@vger.kernel.org>
+Cc: <linux-serial@vger.kernel.org>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/termios.h | 8 +++++++-
+ arch/alpha/include/uapi/asm/ioctls.h | 5 +++++
+ arch/alpha/include/uapi/asm/termbits.h | 17 +++++++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+--- a/arch/alpha/include/asm/termios.h
++++ b/arch/alpha/include/asm/termios.h
+@@ -73,9 +73,15 @@
+ })
+
+ #define user_termios_to_kernel_termios(k, u) \
+- copy_from_user(k, u, sizeof(struct termios))
++ copy_from_user(k, u, sizeof(struct termios2))
+
+ #define kernel_termios_to_user_termios(u, k) \
++ copy_to_user(u, k, sizeof(struct termios2))
++
++#define user_termios_to_kernel_termios_1(k, u) \
++ copy_from_user(k, u, sizeof(struct termios))
++
++#define kernel_termios_to_user_termios_1(u, k) \
+ copy_to_user(u, k, sizeof(struct termios))
+
+ #endif /* _ALPHA_TERMIOS_H */
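Review bot: user_termios_to_kernel_termios and kernel_termios_to_user_termios now copy sizeof(struct termios2) while the new _1 variants copy sizeof(struct termios), and nothing checks that the two structs stay the same size even though the termbits.h hunk defines struct termios2 as a field-for-field duplicate of struct termios. If the layouts ever diverge, the copy_from_user()/copy_to_user() sizes silently disagree with the struct the ioctl handler actually uses, which is exactly the kind of uapi-size mismatch that turns into an over-read or over-write of the user buffer. A `BUILD_BUG_ON(sizeof(struct termios) != sizeof(struct termios2));` in kernel-side code next to these macros (not in the uapi header) would pin this, or at least a comment on struct termios2 such as `/* must stay identical to struct termios: asm/termios.h copies sizeof(struct termios2) on the TCGETS/TCSETS paths */`.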
+--- a/arch/alpha/include/uapi/asm/ioctls.h
++++ b/arch/alpha/include/uapi/asm/ioctls.h
+@@ -32,6 +32,11 @@
+ #define TCXONC _IO('t', 30)
+ #define TCFLSH _IO('t', 31)
+
++#define TCGETS2 _IOR('T', 42, struct termios2)
++#define TCSETS2 _IOW('T', 43, struct termios2)
++#define TCSETSW2 _IOW('T', 44, struct termios2)
++#define TCSETSF2 _IOW('T', 45, struct termios2)
++
+ #define TIOCSWINSZ _IOW('t', 103, struct winsize)
+ #define TIOCGWINSZ _IOR('t', 104, struct winsize)
+ #define TIOCSTART _IO('t', 110) /* start output, like ^Q */
+--- a/arch/alpha/include/uapi/asm/termbits.h
++++ b/arch/alpha/include/uapi/asm/termbits.h
+@@ -26,6 +26,19 @@ struct termios {
+ speed_t c_ospeed; /* output speed */
+ };
+
++/* Alpha has identical termios and termios2 */
++
++struct termios2 {
++ tcflag_t c_iflag; /* input mode flags */
++ tcflag_t c_oflag; /* output mode flags */
++ tcflag_t c_cflag; /* control mode flags */
++ tcflag_t c_lflag; /* local mode flags */
++ cc_t c_cc[NCCS]; /* control characters */
++ cc_t c_line; /* line discipline (== c_cc[19]) */
++ speed_t c_ispeed; /* input speed */
++ speed_t c_ospeed; /* output speed */
++};
++
+ /* Alpha has matching termios and ktermios */
+
+ struct ktermios {
+@@ -148,6 +161,7 @@ struct ktermios {
+ #define B3000000 00034
+ #define B3500000 00035
+ #define B4000000 00036
++#define BOTHER 00037
+
+ #define CSIZE 00001400
+ #define CS5 00000000
+@@ -165,6 +179,9 @@ struct ktermios {
+ #define CMSPAR 010000000000 /* mark or space (stick) parity */
+ #define CRTSCTS 020000000000 /* flow control */
+
++#define CIBAUD 07600000
++#define IBSHIFT 16
++
+ /* c_lflag bits */
+ #define ISIG 0x00000080
+ #define ICANON 0x00000100
--- /dev/null
+From 506481b20e818db40b6198815904ecd2d6daee64 Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Tue, 30 Oct 2018 18:04:04 +0800
+Subject: Btrfs: fix cur_offset in the error case for nocow
+
+From: Robbie Ko <robbieko@synology.com>
+
+commit 506481b20e818db40b6198815904ecd2d6daee64 upstream.
+
+When the cow_file_range fails, the related resources are unlocked
+according to the range [start..end), so the unlock cannot be repeated in
+run_delalloc_nocow.
+
+In some cases (e.g. cur_offset <= end && cow_start != -1), cur_offset is
+not updated correctly, so move the cur_offset update before
+cow_file_range.
+
+ kernel BUG at mm/page-writeback.c:2663!
+ Internal error: Oops - BUG: 0 [#1] SMP
+ CPU: 3 PID: 31525 Comm: kworker/u8:7 Tainted: P O
+ Hardware name: Realtek_RTD1296 (DT)
+ Workqueue: writeback wb_workfn (flush-btrfs-1)
+ task: ffffffc076db3380 ti: ffffffc02e9ac000 task.ti: ffffffc02e9ac000
+ PC is at clear_page_dirty_for_io+0x1bc/0x1e8
+ LR is at clear_page_dirty_for_io+0x14/0x1e8
+ pc : [<ffffffc00033c91c>] lr : [<ffffffc00033c774>] pstate: 40000145
+ sp : ffffffc02e9af4f0
+ Process kworker/u8:7 (pid: 31525, stack limit = 0xffffffc02e9ac020)
+ Call trace:
+ [<ffffffc00033c91c>] clear_page_dirty_for_io+0x1bc/0x1e8
+ [<ffffffbffc514674>] extent_clear_unlock_delalloc+0x1e4/0x210 [btrfs]
+ [<ffffffbffc4fb168>] run_delalloc_nocow+0x3b8/0x948 [btrfs]
+ [<ffffffbffc4fb948>] run_delalloc_range+0x250/0x3a8 [btrfs]
+ [<ffffffbffc514c0c>] writepage_delalloc.isra.21+0xbc/0x1d8 [btrfs]
+ [<ffffffbffc516048>] __extent_writepage+0xe8/0x248 [btrfs]
+ [<ffffffbffc51630c>] extent_write_cache_pages.isra.17+0x164/0x378 [btrfs]
+ [<ffffffbffc5185a8>] extent_writepages+0x48/0x68 [btrfs]
+ [<ffffffbffc4f5828>] btrfs_writepages+0x20/0x30 [btrfs]
+ [<ffffffc00033d758>] do_writepages+0x30/0x88
+ [<ffffffc0003ba0f4>] __writeback_single_inode+0x34/0x198
+ [<ffffffc0003ba6c4>] writeback_sb_inodes+0x184/0x3c0
+ [<ffffffc0003ba96c>] __writeback_inodes_wb+0x6c/0xc0
+ [<ffffffc0003bac20>] wb_writeback+0x1b8/0x1c0
+ [<ffffffc0003bb0f0>] wb_workfn+0x150/0x250
+ [<ffffffc0002b0014>] process_one_work+0x1dc/0x388
+ [<ffffffc0002b02f0>] worker_thread+0x130/0x500
+ [<ffffffc0002b6344>] kthread+0x10c/0x110
+ [<ffffffc000284590>] ret_from_fork+0x10/0x40
+ Code: d503201f a9025bb5 a90363b7 f90023b9 (d4210000)
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1565,12 +1565,11 @@ out_check:
+ }
+ btrfs_release_path(path);
+
+- if (cur_offset <= end && cow_start == (u64)-1) {
++ if (cur_offset <= end && cow_start == (u64)-1)
+ cow_start = cur_offset;
+- cur_offset = end;
+- }
+
+ if (cow_start != (u64)-1) {
++ cur_offset = end;
+ ret = cow_file_range(inode, locked_page, cow_start, end, end,
+ page_started, nr_written, 1, NULL);
+ if (ret)
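Review bot: The reason `cur_offset = end;` must now precede the cow_file_range() call is visible only in the commit message, not in the code: on failure cow_file_range() already unlocks [start, end), so cur_offset has to be at end before the error path below runs or the range is unlocked a second time. A comment on the moved line would stop a later refactor from "tidying" it back after the call, e.g. `/* cow_file_range() unlocks the range itself on error; advance cur_offset first so the error path below does not unlock it again */`. run_delalloc_nocow and the error path after `if (ret)` continue outside the hunk, so the exact unlock bookkeeping there could not be confirmed.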
--- /dev/null
+From ac765f83f1397646c11092a032d4f62c3d478b81 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 5 Nov 2018 11:14:17 +0000
+Subject: Btrfs: fix data corruption due to cloning of eof block
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit ac765f83f1397646c11092a032d4f62c3d478b81 upstream.
+
+We currently allow cloning a range from a file which includes the last
+block of the file even if the file's size is not aligned to the block
+size. This is fine and useful when the destination file has the same size,
+but when it does not and the range ends somewhere in the middle of the
+destination file, it leads to corruption because the bytes between the EOF
+and the end of the block have undefined data (when there is support for
+discard/trimming they have a value of 0x00).
+
+Example:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ export foo_size=$((256 * 1024 + 100))
+ $ xfs_io -f -c "pwrite -S 0x3c 0 $foo_size" /mnt/foo
+ $ xfs_io -f -c "pwrite -S 0xb5 0 1M" /mnt/bar
+
+ $ xfs_io -c "reflink /mnt/foo 0 512K $foo_size" /mnt/bar
+
+ $ od -A d -t x1 /mnt/bar
+ 0000000 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
+ *
+ 0524288 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c
+ *
+ 0786528 3c 3c 3c 3c 00 00 00 00 00 00 00 00 00 00 00 00
+ 0786544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ *
+ 0790528 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
+ *
+ 1048576
+
+The bytes in the range from 786532 (512Kb + 256Kb + 100 bytes) to 790527
+(512Kb + 256Kb + 4Kb - 1) got corrupted, having now a value of 0x00 instead
+of 0xb5.
+
+This is similar to the problem we had for deduplication that got recently
+fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when
+deduplicating between different files").
+
+Fix this by not allowing such operations to be performed and return the
+errno -EINVAL to user space. This is what XFS is doing as well at the VFS
+level. This change however now makes us return -EINVAL instead of
+-EOPNOTSUPP for cases where the source range maps to an inline extent and
+the destination range's end is smaller than the destination file's size,
+since the detection of inline extents is done during the actual process of
+dropping file extent items (at __btrfs_drop_extents()). Returning the
+-EINVAL error is done early on and solely based on the input parameters
+(offsets and length) and destination file's size. This makes us consistent
+with XFS and anyone else supporting cloning since this case is now checked
+at a higher level in the VFS and is where the -EINVAL will be returned
+from starting with kernel 4.20 (the VFS changed was introduced in 4.20-rc1
+by commit 07d19dc9fbe9 ("vfs: avoid problematic remapping requests into
+partial EOF block"). So this change is more geared towards stable kernels,
+as it's unlikely the new VFS checks get removed intentionally.
+
+A test case for fstests follows soon, as well as an update to filter
+existing tests that expect -EOPNOTSUPP to accept -EINVAL as well.
+
+CC: <stable@vger.kernel.org> # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3909,9 +3909,17 @@ static noinline int btrfs_clone_files(st
+ goto out_unlock;
+ if (len == 0)
+ olen = len = src->i_size - off;
+- /* if we extend to eof, continue to block boundary */
+- if (off + len == src->i_size)
++ /*
++ * If we extend to eof, continue to block boundary if and only if the
++ * destination end offset matches the destination file's size, otherwise
++ * we would be corrupting data by placing the eof block into the middle
++ * of a file.
++ */
++ if (off + len == src->i_size) {
++ if (!IS_ALIGNED(len, bs) && destoff + len < inode->i_size)
++ goto out_unlock;
+ len = ALIGN(src->i_size, bs) - off;
++ }
+
+ if (len == 0) {
+ ret = 0;
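Review bot: The new `goto out_unlock` at the IS_ALIGNED check does not set ret, so the -EINVAL the description promises relies on ret already holding that value from earlier in btrfs_clone_files, which starts outside the hunk and cannot be confirmed here. The existing goto two lines above has the same shape, so this is likely intentional, but an explicit `ret = -EINVAL;` immediately before the new goto would make the error value local to the check and survive a later change of the function's default. The comment block above it is good; I would add one clause naming the errno so readers do not have to chase it: `* of a file. Return -EINVAL in that case, matching the VFS check.`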
--- /dev/null
+From 11023d3f5fdf89bba5e1142127701ca6e6014587 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 5 Nov 2018 11:14:05 +0000
+Subject: Btrfs: fix infinite loop on inode eviction after deduplication of eof block
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 11023d3f5fdf89bba5e1142127701ca6e6014587 upstream.
+
+If we attempt to deduplicate the last block of a file A into the middle of
+a file B, and file A's size is not a multiple of the block size, we end
+rounding the deduplication length to 0 bytes, to avoid the data corruption
+issue fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when
+deduplicating between different files"). However a length of zero will
+cause the insertion of an extent state with a start value greater (by 1)
+than the end value, leading to a corrupt extent state that will trigger a
+warning and cause chaos such as an infinite loop during inode eviction.
+Example trace:
+
+ [96049.833585] ------------[ cut here ]------------
+ [96049.833714] WARNING: CPU: 0 PID: 24448 at fs/btrfs/extent_io.c:436 insert_state+0x101/0x120 [btrfs]
+ [96049.833767] CPU: 0 PID: 24448 Comm: xfs_io Not tainted 4.19.0-rc7-btrfs-next-39 #1
+ [96049.833768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [96049.833780] RIP: 0010:insert_state+0x101/0x120 [btrfs]
+ [96049.833783] RSP: 0018:ffffafd2c3707af0 EFLAGS: 00010282
+ [96049.833785] RAX: 0000000000000000 RBX: 000000000004dfff RCX: 0000000000000006
+ [96049.833786] RDX: 0000000000000007 RSI: ffff99045c143230 RDI: ffff99047b2168a0
+ [96049.833787] RBP: ffff990457851cd0 R08: 0000000000000001 R09: 0000000000000000
+ [96049.833787] R10: ffffafd2c3707ab8 R11: 0000000000000000 R12: ffff9903b93b12c8
+ [96049.833788] R13: 000000000004e000 R14: ffffafd2c3707b80 R15: ffffafd2c3707b78
+ [96049.833790] FS: 00007f5c14e7d700(0000) GS:ffff99047b200000(0000) knlGS:0000000000000000
+ [96049.833791] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [96049.833792] CR2: 00007f5c146abff8 CR3: 0000000115f4c004 CR4: 00000000003606f0
+ [96049.833795] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [96049.833796] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [96049.833796] Call Trace:
+ [96049.833809] __set_extent_bit+0x46c/0x6a0 [btrfs]
+ [96049.833823] lock_extent_bits+0x6b/0x210 [btrfs]
+ [96049.833831] ? _raw_spin_unlock+0x24/0x30
+ [96049.833841] ? test_range_bit+0xdf/0x130 [btrfs]
+ [96049.833853] lock_extent_range+0x8e/0x150 [btrfs]
+ [96049.833864] btrfs_double_extent_lock+0x78/0xb0 [btrfs]
+ [96049.833875] btrfs_extent_same_range+0x14e/0x550 [btrfs]
+ [96049.833885] ? rcu_read_lock_sched_held+0x3f/0x70
+ [96049.833890] ? __kmalloc_node+0x2b0/0x2f0
+ [96049.833899] ? btrfs_dedupe_file_range+0x19a/0x280 [btrfs]
+ [96049.833909] btrfs_dedupe_file_range+0x270/0x280 [btrfs]
+ [96049.833916] vfs_dedupe_file_range_one+0xd9/0xe0
+ [96049.833919] vfs_dedupe_file_range+0x131/0x1b0
+ [96049.833924] do_vfs_ioctl+0x272/0x6e0
+ [96049.833927] ? __fget+0x113/0x200
+ [96049.833931] ksys_ioctl+0x70/0x80
+ [96049.833933] __x64_sys_ioctl+0x16/0x20
+ [96049.833937] do_syscall_64+0x60/0x1b0
+ [96049.833939] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [96049.833941] RIP: 0033:0x7f5c1478ddd7
+ [96049.833943] RSP: 002b:00007ffe15b196a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+ [96049.833945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1478ddd7
+ [96049.833946] RDX: 00005625ece322d0 RSI: 00000000c0189436 RDI: 0000000000000004
+ [96049.833947] RBP: 0000000000000000 R08: 00007f5c14a46f48 R09: 0000000000000040
+ [96049.833948] R10: 0000000000000541 R11: 0000000000000202 R12: 0000000000000000
+ [96049.833949] R13: 0000000000000000 R14: 0000000000000004 R15: 00005625ece322d0
+ [96049.833954] irq event stamp: 6196
+ [96049.833956] hardirqs last enabled at (6195): [<ffffffff91b00663>] console_unlock+0x503/0x640
+ [96049.833958] hardirqs last disabled at (6196): [<ffffffff91a037dd>] trace_hardirqs_off_thunk+0x1a/0x1c
+ [96049.833959] softirqs last enabled at (6114): [<ffffffff92600370>] __do_softirq+0x370/0x421
+ [96049.833964] softirqs last disabled at (6095): [<ffffffff91a8dd4d>] irq_exit+0xcd/0xe0
+ [96049.833965] ---[ end trace db7b05f01b7fa10c ]---
+ [96049.935816] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910
+ [96049.935822] irq event stamp: 6584
+ [96049.935823] hardirqs last enabled at (6583): [<ffffffff91b00663>] console_unlock+0x503/0x640
+ [96049.935825] hardirqs last disabled at (6584): [<ffffffff91a037dd>] trace_hardirqs_off_thunk+0x1a/0x1c
+ [96049.935827] softirqs last enabled at (6328): [<ffffffff92600370>] __do_softirq+0x370/0x421
+ [96049.935828] softirqs last disabled at (6313): [<ffffffff91a8dd4d>] irq_exit+0xcd/0xe0
+ [96049.935829] ---[ end trace db7b05f01b7fa123 ]---
+ [96049.935840] ------------[ cut here ]------------
+ [96049.936065] WARNING: CPU: 1 PID: 24463 at fs/btrfs/extent_io.c:436 insert_state+0x101/0x120 [btrfs]
+ [96049.936107] CPU: 1 PID: 24463 Comm: umount Tainted: G W 4.19.0-rc7-btrfs-next-39 #1
+ [96049.936108] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [96049.936117] RIP: 0010:insert_state+0x101/0x120 [btrfs]
+ [96049.936119] RSP: 0018:ffffafd2c3637bc0 EFLAGS: 00010282
+ [96049.936120] RAX: 0000000000000000 RBX: 000000000004dfff RCX: 0000000000000006
+ [96049.936121] RDX: 0000000000000007 RSI: ffff990445cf88e0 RDI: ffff99047b2968a0
+ [96049.936122] RBP: ffff990457851cd0 R08: 0000000000000001 R09: 0000000000000000
+ [96049.936123] R10: ffffafd2c3637b88 R11: 0000000000000000 R12: ffff9904574301e8
+ [96049.936124] R13: 000000000004e000 R14: ffffafd2c3637c50 R15: ffffafd2c3637c48
+ [96049.936125] FS: 00007fe4b87e72c0(0000) GS:ffff99047b280000(0000) knlGS:0000000000000000
+ [96049.936126] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [96049.936128] CR2: 00005562e52618d8 CR3: 00000001151c8005 CR4: 00000000003606e0
+ [96049.936129] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [96049.936131] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [96049.936131] Call Trace:
+ [96049.936141] __set_extent_bit+0x46c/0x6a0 [btrfs]
+ [96049.936154] lock_extent_bits+0x6b/0x210 [btrfs]
+ [96049.936167] btrfs_evict_inode+0x1e1/0x5a0 [btrfs]
+ [96049.936172] evict+0xbf/0x1c0
+ [96049.936174] dispose_list+0x51/0x80
+ [96049.936176] evict_inodes+0x193/0x1c0
+ [96049.936180] generic_shutdown_super+0x3f/0x110
+ [96049.936182] kill_anon_super+0xe/0x30
+ [96049.936189] btrfs_kill_super+0x13/0x100 [btrfs]
+ [96049.936191] deactivate_locked_super+0x3a/0x70
+ [96049.936193] cleanup_mnt+0x3b/0x80
+ [96049.936195] task_work_run+0x93/0xc0
+ [96049.936198] exit_to_usermode_loop+0xfa/0x100
+ [96049.936201] do_syscall_64+0x17f/0x1b0
+ [96049.936202] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [96049.936204] RIP: 0033:0x7fe4b80cfb37
+ [96049.936206] RSP: 002b:00007ffff092b688 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ [96049.936207] RAX: 0000000000000000 RBX: 00005562e5259060 RCX: 00007fe4b80cfb37
+ [96049.936208] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005562e525faa0
+ [96049.936209] RBP: 00005562e525faa0 R08: 00005562e525f770 R09: 0000000000000015
+ [96049.936210] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007fe4b85d1e64
+ [96049.936211] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910
+ [96049.936211] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910
+ [96049.936216] irq event stamp: 6616
+ [96049.936219] hardirqs last enabled at (6615): [<ffffffff91b00663>] console_unlock+0x503/0x640
+ [96049.936219] hardirqs last disabled at (6616): [<ffffffff91a037dd>] trace_hardirqs_off_thunk+0x1a/0x1c
+ [96049.936222] softirqs last enabled at (6328): [<ffffffff92600370>] __do_softirq+0x370/0x421
+ [96049.936222] softirqs last disabled at (6313): [<ffffffff91a8dd4d>] irq_exit+0xcd/0xe0
+ [96049.936223] ---[ end trace db7b05f01b7fa124 ]---
+
+The second stack trace, from inode eviction, is repeated forever due to
+the infinite loop during eviction.
+
+This is the same type of problem fixed way back in 2015 by commit
+113e8283869b ("Btrfs: fix inode eviction infinite loop after extent_same
+ioctl") and commit ccccf3d67294 ("Btrfs: fix inode eviction infinite loop
+after cloning into it").
+
+So fix this by returning immediately if the deduplication range length
+gets rounded down to 0 bytes, as there is nothing that needs to be done in
+such case.
+
+Example reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -f -c "pwrite -S 0xe6 0 100" /mnt/foo
+ $ xfs_io -f -c "pwrite -S 0xe6 0 1M" /mnt/bar
+
+ # Unmount the filesystem and mount it again so that we start without any
+ # extent state records when we ask for the deduplication.
+ $ umount /mnt
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -c "dedupe /mnt/foo 0 500K 100" /mnt/bar
+
+ # This unmount triggers the infinite loop.
+ $ umount /mnt
+
+A test case for fstests will follow soon.
+
+Fixes: de02b9f6bb65 ("Btrfs: fix data corruption when deduplicating between different files")
+CC: <stable@vger.kernel.org> # 4.19+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3178,6 +3178,8 @@ static int btrfs_extent_same(struct inod
+ const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize;
+
+ len = round_down(i_size_read(src), sz) - loff;
++ if (len == 0)
++ return 0;
+ olen = len;
+ }
+ }
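Review bot: The new `return 0` exits from inside two nested blocks of btrfs_extent_same (which starts outside the hunk), so anything acquired earlier in the function would be skipped; the trace in the description shows the extent locks being taken later in btrfs_extent_same_range, which suggests nothing is held at this point, but that cannot be verified from the hunk alone. Returning 0 also reports success to the dedupe ioctl for a request that was rounded down to zero bytes, which matches the description's "nothing needs to be done" but is worth stating in place. A one-line comment would make the intent explicit: `/* Rounding down to the block boundary left nothing to deduplicate */`.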
--- /dev/null
+From fcd5e74288f7d36991b1f0fb96b8c57079645e38 Mon Sep 17 00:00:00 2001
+From: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Date: Wed, 24 Oct 2018 20:24:03 +0800
+Subject: btrfs: fix pinned underflow after transaction aborted
+
+From: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+
+commit fcd5e74288f7d36991b1f0fb96b8c57079645e38 upstream.
+
+When running generic/475, we may get the following warning in dmesg:
+
+[ 6902.102154] WARNING: CPU: 3 PID: 18013 at fs/btrfs/extent-tree.c:9776 btrfs_free_block_groups+0x2af/0x3b0 [btrfs]
+[ 6902.109160] CPU: 3 PID: 18013 Comm: umount Tainted: G W O 4.19.0-rc8+ #8
+[ 6902.110971] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+[ 6902.112857] RIP: 0010:btrfs_free_block_groups+0x2af/0x3b0 [btrfs]
+[ 6902.118921] RSP: 0018:ffffc9000459bdb0 EFLAGS: 00010286
+[ 6902.120315] RAX: ffff880175050bb0 RBX: ffff8801124a8000 RCX: 0000000000170007
+[ 6902.121969] RDX: 0000000000000002 RSI: 0000000000170007 RDI: ffffffff8125fb74
+[ 6902.123716] RBP: ffff880175055d10 R08: 0000000000000000 R09: 0000000000000000
+[ 6902.125417] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880175055d88
+[ 6902.127129] R13: ffff880175050bb0 R14: 0000000000000000 R15: dead000000000100
+[ 6902.129060] FS: 00007f4507223780(0000) GS:ffff88017ba00000(0000) knlGS:0000000000000000
+[ 6902.130996] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6902.132558] CR2: 00005623599cac78 CR3: 000000014b700001 CR4: 00000000003606e0
+[ 6902.134270] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6902.135981] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6902.137836] Call Trace:
+[ 6902.138939] close_ctree+0x171/0x330 [btrfs]
+[ 6902.140181] ? kthread_stop+0x146/0x1f0
+[ 6902.141277] generic_shutdown_super+0x6c/0x100
+[ 6902.142517] kill_anon_super+0x14/0x30
+[ 6902.143554] btrfs_kill_super+0x13/0x100 [btrfs]
+[ 6902.144790] deactivate_locked_super+0x2f/0x70
+[ 6902.146014] cleanup_mnt+0x3b/0x70
+[ 6902.147020] task_work_run+0x9e/0xd0
+[ 6902.148036] do_syscall_64+0x470/0x600
+[ 6902.149142] ? trace_hardirqs_off_thunk+0x1a/0x1c
+[ 6902.150375] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 6902.151640] RIP: 0033:0x7f45077a6a7b
+[ 6902.157324] RSP: 002b:00007ffd589f3e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+[ 6902.159187] RAX: 0000000000000000 RBX: 000055e8eec732b0 RCX: 00007f45077a6a7b
+[ 6902.160834] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055e8eec73490
+[ 6902.162526] RBP: 0000000000000000 R08: 000055e8eec734b0 R09: 00007ffd589f26c0
+[ 6902.164141] R10: 0000000000000000 R11: 0000000000000246 R12: 000055e8eec73490
+[ 6902.165815] R13: 00007f4507ac61a4 R14: 0000000000000000 R15: 00007ffd589f40d8
+[ 6902.167553] irq event stamp: 0
+[ 6902.168998] hardirqs last enabled at (0): [<0000000000000000>] (null)
+[ 6902.170731] hardirqs last disabled at (0): [<ffffffff810cd810>] copy_process.part.55+0x3b0/0x1f00
+[ 6902.172773] softirqs last enabled at (0): [<ffffffff810cd810>] copy_process.part.55+0x3b0/0x1f00
+[ 6902.174671] softirqs last disabled at (0): [<0000000000000000>] (null)
+[ 6902.176407] ---[ end trace 463138c2986b275c ]---
+[ 6902.177636] BTRFS info (device dm-3): space_info 4 has 273465344 free, is not full
+[ 6902.179453] BTRFS info (device dm-3): space_info total=276824064, used=4685824, pinned=18446744073708158976, reserved=0, may_use=0, readonly=65536
+
+In the above line there's "pinned=18446744073708158976" which is an
+unsigned u64 value of -1392640, an obvious underflow.
+
+When transaction_kthread is running cleanup_transaction(), another
+fsstress is running btrfs_commit_transaction(). The
+btrfs_finish_extent_commit() may get the same range as
+btrfs_destroy_pinned_extent() got, which causes the pinned underflow.
+
+Fixes: d4b450cd4b33 ("Btrfs: fix race between transaction commit and empty block group removal")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4428,13 +4428,23 @@ static int btrfs_destroy_pinned_extent(s
+ unpin = pinned_extents;
+ again:
+ while (1) {
++ /*
++ * The btrfs_finish_extent_commit() may get the same range as
++ * ours between find_first_extent_bit and clear_extent_dirty.
++ * Hence, hold the unused_bg_unpin_mutex to avoid double unpin
++ * the same extent range.
++ */
++ mutex_lock(&fs_info->unused_bg_unpin_mutex);
+ ret = find_first_extent_bit(unpin, 0, &start, &end,
+ EXTENT_DIRTY, NULL);
+- if (ret)
++ if (ret) {
++ mutex_unlock(&fs_info->unused_bg_unpin_mutex);
+ break;
++ }
+
+ clear_extent_dirty(unpin, start, end);
+ btrfs_error_unpin_extent_range(fs_info, start, end);
++ mutex_unlock(&fs_info->unused_bg_unpin_mutex);
+ cond_resched();
+ }
+
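Review bot: The correctness argument for the new locking is that both sides hold unused_bg_unpin_mutex between the lookup and the clear, and the comment only describes this side; it presumes btrfs_finish_extent_commit() follows the same protocol, which is outside the hunk. I would reword the last sentence of the comment to `* Hold unused_bg_unpin_mutex across the lookup and the clear, as btrfs_finish_extent_commit() does, so the same range is never unpinned twice.` The unlock on the `if (ret)` path and the unlock before cond_resched() cover both loop exits that are visible here, but the `again:` label implies a `goto again` further down that must not be reached with the mutex held. btrfs_destroy_pinned_extent continues outside the hunk.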
--- /dev/null
+From 35b69a420bfb56b7b74cb635ea903db05e357bec Mon Sep 17 00:00:00 2001
+From: Michael Kelley <mikelley@microsoft.com>
+Date: Sun, 4 Nov 2018 03:48:54 +0000
+Subject: clockevents/drivers/i8253: Add support for PIT shutdown quirk
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+commit 35b69a420bfb56b7b74cb635ea903db05e357bec upstream.
+
+Add support for platforms where pit_shutdown() doesn't work because of a
+quirk in the PIT emulation. On these platforms setting the counter register
+to zero causes the PIT to start running again, negating the shutdown.
+
+Provide a global variable that controls whether the counter register is
+zero'ed, which platform specific code can override.
+
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
+Cc: "daniel.lezcano@linaro.org" <daniel.lezcano@linaro.org>
+Cc: "virtualization@lists.linux-foundation.org" <virtualization@lists.linux-foundation.org>
+Cc: "jgross@suse.com" <jgross@suse.com>
+Cc: "akataria@vmware.com" <akataria@vmware.com>
+Cc: "olaf@aepfle.de" <olaf@aepfle.de>
+Cc: "apw@canonical.com" <apw@canonical.com>
+Cc: vkuznets <vkuznets@redhat.com>
+Cc: "jasowang@redhat.com" <jasowang@redhat.com>
+Cc: "marcelo.cerri@canonical.com" <marcelo.cerri@canonical.com>
+Cc: KY Srinivasan <kys@microsoft.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1541303219-11142-2-git-send-email-mikelley@microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/i8253.c | 14 ++++++++++++--
+ include/linux/i8253.h | 1 +
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/clocksource/i8253.c
++++ b/drivers/clocksource/i8253.c
+@@ -20,6 +20,13 @@
+ DEFINE_RAW_SPINLOCK(i8253_lock);
+ EXPORT_SYMBOL(i8253_lock);
+
++/*
++ * Handle PIT quirk in pit_shutdown() where zeroing the counter register
++ * restarts the PIT, negating the shutdown. On platforms with the quirk,
++ * platform specific code can set this to false.
++ */
++bool i8253_clear_counter_on_shutdown __ro_after_init = true;
++
+ #ifdef CONFIG_CLKSRC_I8253
+ /*
+ * Since the PIT overflows every tick, its not very useful
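Review bot: `i8253_clear_counter_on_shutdown` is `__ro_after_init`, so platform code can only override it before the init sections are made read-only, but neither the comment here nor the extern declaration in the include/linux/i8253.h hunk says so. A later caller that sets it from a module or a post-init path would fault on the write rather than get the quirk handling it expects. I would extend the comment with `* Must be set before init completes (the variable is __ro_after_init).` and put `/* set by platform code before init completes; see i8253.c */` next to the extern in i8253.h.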
+@@ -109,8 +116,11 @@ static int pit_shutdown(struct clock_eve
+ raw_spin_lock(&i8253_lock);
+
+ outb_p(0x30, PIT_MODE);
+- outb_p(0, PIT_CH0);
+- outb_p(0, PIT_CH0);
++
++ if (i8253_clear_counter_on_shutdown) {
++ outb_p(0, PIT_CH0);
++ outb_p(0, PIT_CH0);
++ }
+
+ raw_spin_unlock(&i8253_lock);
+ return 0;
+--- a/include/linux/i8253.h
++++ b/include/linux/i8253.h
+@@ -21,6 +21,7 @@
+ #define PIT_LATCH ((PIT_TICK_RATE + HZ/2) / HZ)
+
+ extern raw_spinlock_t i8253_lock;
++extern bool i8253_clear_counter_on_shutdown;
+ extern struct clock_event_device i8253_clockevent;
+ extern void clockevent_i8253_init(bool oneshot);
+
--- /dev/null
+From 1823342a1f2b47a4e6f5667f67cd28ab6bc4d6cd Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 1 Jul 2018 13:56:54 -0700
+Subject: configfs: replace strncpy with memcpy
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 1823342a1f2b47a4e6f5667f67cd28ab6bc4d6cd upstream.
+
+gcc 8.1.0 complains:
+
+fs/configfs/symlink.c:67:3: warning:
+ 'strncpy' output truncated before terminating nul copying as many
+ bytes from a string as its length
+fs/configfs/symlink.c: In function 'configfs_get_link':
+fs/configfs/symlink.c:63:13: note: length computed here
+
+Using strncpy() is indeed less than perfect since the length of data to
+be copied has already been determined with strlen(). Replace strncpy()
+with memcpy() to address the warning and optimize the code a little.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu@cybertrust.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/configfs/symlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/configfs/symlink.c
++++ b/fs/configfs/symlink.c
+@@ -64,7 +64,7 @@ static void fill_item_path(struct config
+
+ /* back up enough to print this bus id with '/' */
+ length -= cur;
+- strncpy(buffer + length,config_item_name(p),cur);
++ memcpy(buffer + length, config_item_name(p), cur);
+ *(buffer + --length) = '/';
+ }
+ }
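Review bot: memcpy() drops the implicit stop-at-NUL that strncpy() had, so the line now depends on `cur` being exactly the length of config_item_name(p); fill_item_path starts outside the hunk, and the gcc note in the description indicates cur was computed with strlen() just before, which makes the change safe but worth stating at the call site. A short comment ahead of the copy such as `/* cur == strlen(config_item_name(p)), computed above */` would document the precondition for the next reader. The unchecked `length -= cur` predates this commit and is out of its scope.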
--- /dev/null
+From f43f39958beb206b53292801e216d9b8a660f087 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sat, 3 Nov 2018 14:56:00 -0700
+Subject: crypto: user - fix leaking uninitialized memory to userspace
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f43f39958beb206b53292801e216d9b8a660f087 upstream.
+
+All bytes of the NETLINK_CRYPTO report structures must be initialized,
+since they are copied to userspace. The change from strncpy() to
+strlcpy() broke this. As a minimal fix, change it back.
+
+Fixes: 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/crypto_user.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -83,7 +83,7 @@ static int crypto_report_cipher(struct s
+ {
+ struct crypto_report_cipher rcipher;
+
+- strlcpy(rcipher.type, "cipher", sizeof(rcipher.type));
++ strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
+
+ rcipher.blocksize = alg->cra_blocksize;
+ rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
+@@ -102,7 +102,7 @@ static int crypto_report_comp(struct sk_
+ {
+ struct crypto_report_comp rcomp;
+
+- strlcpy(rcomp.type, "compression", sizeof(rcomp.type));
++ strncpy(rcomp.type, "compression", sizeof(rcomp.type));
+ if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
+ sizeof(struct crypto_report_comp), &rcomp))
+ goto nla_put_failure;
+@@ -116,7 +116,7 @@ static int crypto_report_acomp(struct sk
+ {
+ struct crypto_report_acomp racomp;
+
+- strlcpy(racomp.type, "acomp", sizeof(racomp.type));
++ strncpy(racomp.type, "acomp", sizeof(racomp.type));
+
+ if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP,
+ sizeof(struct crypto_report_acomp), &racomp))
+@@ -131,7 +131,7 @@ static int crypto_report_akcipher(struct
+ {
+ struct crypto_report_akcipher rakcipher;
+
+- strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
++ strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
+
+ if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER,
+ sizeof(struct crypto_report_akcipher), &rakcipher))
+@@ -146,7 +146,7 @@ static int crypto_report_kpp(struct sk_b
+ {
+ struct crypto_report_kpp rkpp;
+
+- strlcpy(rkpp.type, "kpp", sizeof(rkpp.type));
++ strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
+
+ if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
+ sizeof(struct crypto_report_kpp), &rkpp))
+@@ -160,10 +160,10 @@ nla_put_failure:
+ static int crypto_report_one(struct crypto_alg *alg,
+ struct crypto_user_alg *ualg, struct sk_buff *skb)
+ {
+- strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
+- strlcpy(ualg->cru_driver_name, alg->cra_driver_name,
++ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
++ strncpy(ualg->cru_driver_name, alg->cra_driver_name,
+ sizeof(ualg->cru_driver_name));
+- strlcpy(ualg->cru_module_name, module_name(alg->cra_module),
++ strncpy(ualg->cru_module_name, module_name(alg->cra_module),
+ sizeof(ualg->cru_module_name));
+
+ ualg->cru_type = 0;
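Review bot: The three strncpy() calls at the top of crypto_report_one() restore the zero-fill the report needs, but they no longer guarantee NUL termination when the source is at least as long as the destination; cra_name is presumably sized by CRYPTO_MAX_ALG_NAME, and if that can exceed sizeof(ualg->cru_name) (the Fixes: commit was preparing for exactly such an expansion), userspace may receive an unterminated cru_name. If that size relationship holds, keep the zero-fill but force termination, e.g. `ualg->cru_name[sizeof(ualg->cru_name) - 1] = '\0';` after the copy, or zero the structure once and return to strlcpy(). The literal "cipher"/"larval"-style copies in the other hunks are short and unaffected. crypto_report_one() continues outside the hunk.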
+@@ -176,7 +176,7 @@ static int crypto_report_one(struct cryp
+ if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
+ struct crypto_report_larval rl;
+
+- strlcpy(rl.type, "larval", sizeof(rl.type));
++ strncpy(rl.type, "larval", sizeof(rl.type));
+ if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
+ sizeof(struct crypto_report_larval), &rl))
+ goto nla_put_failure;
--- /dev/null
+From 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:50:08 -0400
+Subject: ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 upstream.
+
+Fixes: 01f795f9e0d6 ("ext4: add online resizing support for meta_bg ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -901,6 +901,7 @@ static int add_new_gdb_meta_bg(struct su
+ sizeof(struct buffer_head *),
+ GFP_NOFS);
+ if (!n_group_desc) {
++ brelse(gdb_bh);
+ err = -ENOMEM;
+ ext4_warning(sb, "not enough memory for %lu groups",
+ gdb_num + 1);
+@@ -916,8 +917,6 @@ static int add_new_gdb_meta_bg(struct su
+ kvfree(o_group_desc);
+ BUFFER_TRACE(gdb_bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, gdb_bh);
+- if (unlikely(err))
+- brelse(gdb_bh);
+ return err;
+ }
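Review bot: The hunk drops the brelse(gdb_bh) on the ext4_journal_get_write_access() failure path without a comment saying why, and the commit message is silent on it, so a reader sees an error path that now returns without releasing a buffer the function acquired. If the reason is that gdb_bh has already been installed in n_group_desc (presumably just above the hunk) and the descriptor array now owns that reference, say so before the return: `/* gdb_bh is now owned by s_group_desc; do not release it on error */`. If that is not the reason, the removal needs its own justification. add_new_gdb_meta_bg() starts outside the hunk.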
+
--- /dev/null
+From cea5794122125bf67559906a0762186cf417099c Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:22:10 -0400
+Subject: ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit cea5794122125bf67559906a0762186cf417099c upstream.
+
+Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
+Cc: stable@kernel.org # 3.3
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -444,16 +444,18 @@ static int set_flexbg_block_bitmap(struc
+
+ BUFFER_TRACE(bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, bh);
+- if (err)
++ if (err) {
++ brelse(bh);
+ return err;
++ }
+ ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
+ block - start, count2);
+ ext4_set_bits(bh->b_data, block - start, count2);
+
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (unlikely(err))
+ return err;
+- brelse(bh);
+ }
+
+ return 0;
--- /dev/null
+From ea0abbb648452cdb6e1734b702b6330a7448fcf8 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 17:11:19 -0400
+Subject: ext4: add missing brelse() update_backups()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit ea0abbb648452cdb6e1734b702b6330a7448fcf8 upstream.
+
+Fixes: ac27a0ec112a ("ext4: initial copy of files from ext3")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.19
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1097,8 +1097,10 @@ static void update_backups(struct super_
+ backup_block, backup_block -
+ ext4_group_first_block_no(sb, group));
+ BUFFER_TRACE(bh, "get_write_access");
+- if ((err = ext4_journal_get_write_access(handle, bh)))
++ if ((err = ext4_journal_get_write_access(handle, bh))) {
++ brelse(bh);
+ break;
++ }
+ lock_buffer(bh);
+ memcpy(bh->b_data, data, size);
+ if (rest)
--- /dev/null
+From feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 17:01:36 -0500
+Subject: ext4: avoid buffer leak in ext4_orphan_add() after prior errors
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 upstream.
+
+Fixes: d745a8c20c1f ("ext4: reduce contention on s_orphan_lock")
+Fixes: 6e3617e579e0 ("ext4: Handle non empty on-disk orphan link")
+Cc: Dmitry Monakhov <dmonakhov@gmail.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.34
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2820,7 +2820,9 @@ int ext4_orphan_add(handle_t *handle, st
+ list_del_init(&EXT4_I(inode)->i_orphan);
+ mutex_unlock(&sbi->s_orphan_lock);
+ }
+- }
++ } else
++ brelse(iloc.bh);
++
+ jbd_debug(4, "superblock will point to %lu\n", inode->i_ino);
+ jbd_debug(4, "orphan inode %lu will point to %d\n",
+ inode->i_ino, NEXT_ORPHAN(inode));
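Review bot: The new `} else` arm has no braces while the if-arm it pairs with does; kernel style asks for braces on both arms when either needs them, and the bare brelse() also deserves a word on why this arm releases the buffer. Suggest `} else {` / `/* not dirtied: drop the reference ext4_reserve_inode_write() took */` / `brelse(iloc.bh);` / `}`. The condition this else belongs to, and the call that presumably consumes iloc.bh on the other arm, lie outside the hunk, so that reading is inferred.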
--- /dev/null
+From a6758309a005060b8297a538a457c88699cb2520 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 16:49:50 -0500
+Subject: ext4: avoid buffer leak on shutdown in ext4_mark_iloc_dirty()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit a6758309a005060b8297a538a457c88699cb2520 upstream.
+
+ext4_mark_iloc_dirty() callers expect that it releases iloc->bh
+even if it returns an error.
+
+Fixes: 0db1ff222d40 ("ext4: add shutdown bit and check for it")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.11
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5671,9 +5671,10 @@ int ext4_mark_iloc_dirty(handle_t *handl
+ {
+ int err = 0;
+
+- if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb))))
++ if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) {
++ put_bh(iloc->bh);
+ return -EIO;
+-
++ }
+ if (IS_I_VERSION(inode))
+ inode_inc_iversion(inode);
+
--- /dev/null
+From 4f32c38b4662312dd3c5f113d8bdd459887fb773 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 6 Nov 2018 17:18:17 -0500
+Subject: ext4: avoid possible double brelse() in add_new_gdb() on error path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 4f32c38b4662312dd3c5f113d8bdd459887fb773 upstream.
+
+Fixes: b40971426a83 ("ext4: add error checking to calls to ...")
+Reported-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.38
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -846,6 +846,7 @@ static int add_new_gdb(handle_t *handle,
+ err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
+ if (unlikely(err)) {
+ ext4_std_error(sb, err);
++ iloc.bh = NULL;
+ goto exit_inode;
+ }
+ brelse(dind);
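Review bot: `iloc.bh = NULL;` before `goto exit_inode` is a sentinel that only makes sense if exit_inode does brelse(iloc.bh) and the buffer was already consumed by an earlier call (presumably ext4_mark_iloc_dirty(), above the hunk); neither fact is visible at the assignment, so a later reader may "fix" it back. A comment keeps the intent: `iloc.bh = NULL; /* already released by ext4_mark_iloc_dirty() above */`. The function body and its exit labels are outside the hunk.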
--- /dev/null
+From 9e4028935cca3f9ef9b6a90df9da6f1f94853536 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:13:17 -0400
+Subject: ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 9e4028935cca3f9ef9b6a90df9da6f1f94853536 upstream.
+
+Currently bh is set to NULL only in the first iteration of the for loop;
+afterwards the pointer is not cleared once it is no longer in use.
+Therefore rollback after errors can lead to extra brelse(bh) call,
+decrements bh counter and later trigger an unexpected warning in __brelse()
+
+Patch moves brelse() calls in body of cycle to exclude requirement of
+brelse() call in rollback.
+
+Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -592,7 +592,6 @@ handle_bb:
+ bh = bclean(handle, sb, block);
+ if (IS_ERR(bh)) {
+ err = PTR_ERR(bh);
+- bh = NULL;
+ goto out;
+ }
+ overhead = ext4_group_overhead_blocks(sb, group);
+@@ -604,9 +603,9 @@ handle_bb:
+ ext4_mark_bitmap_end(group_data[i].blocks_count,
+ sb->s_blocksize * 8, bh->b_data);
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (err)
+ goto out;
+- brelse(bh);
+
+ handle_ib:
+ if (bg_flags[i] & EXT4_BG_INODE_UNINIT)
+@@ -621,18 +620,16 @@ handle_ib:
+ bh = bclean(handle, sb, block);
+ if (IS_ERR(bh)) {
+ err = PTR_ERR(bh);
+- bh = NULL;
+ goto out;
+ }
+
+ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
+ sb->s_blocksize * 8, bh->b_data);
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (err)
+ goto out;
+- brelse(bh);
+ }
+- bh = NULL;
+
+ /* Mark group tables in block bitmap */
+ for (j = 0; j < GROUP_TABLE_COUNT; j++) {
+@@ -663,7 +660,6 @@ handle_ib:
+ }
+
+ out:
+- brelse(bh);
+ err2 = ext4_journal_stop(handle);
+ if (err2 && !err)
+ err = err2;
--- /dev/null
+From de59fae0043f07de5d25e02ca360f7d57bfa5866 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 22:36:23 -0500
+Subject: ext4: fix buffer leak in __ext4_read_dirblock() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit de59fae0043f07de5d25e02ca360f7d57bfa5866 upstream.
+
+Fixes: dc6982ff4db1 ("ext4: refactor code to read directory blocks ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.9
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -125,6 +125,7 @@ static struct buffer_head *__ext4_read_d
+ if (!is_dx_block && type == INDEX) {
+ ext4_error_inode(inode, func, line, block,
+ "directory leaf block found instead of index block");
++ brelse(bh);
+ return ERR_PTR(-EFSCORRUPTED);
+ }
+ if (!ext4_has_metadata_csum(inode->i_sb) ||
--- /dev/null
+From 53692ec074d00589c2cf1d6d17ca76ad0adce6ec Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:14:35 -0500
+Subject: ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 53692ec074d00589c2cf1d6d17ca76ad0adce6ec upstream.
+
+Fixes: de05ca852679 ("ext4: move call to ext4_error() into ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.17
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2707,7 +2707,6 @@ int ext4_expand_extra_isize_ea(struct in
+ struct ext4_inode *raw_inode, handle_t *handle)
+ {
+ struct ext4_xattr_ibody_header *header;
+- struct buffer_head *bh;
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ static unsigned int mnt_count;
+ size_t min_offs;
+@@ -2748,13 +2747,17 @@ retry:
+ * EA block can hold new_extra_isize bytes.
+ */
+ if (EXT4_I(inode)->i_file_acl) {
++ struct buffer_head *bh;
++
+ bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
+ error = -EIO;
+ if (!bh)
+ goto cleanup;
+ error = ext4_xattr_check_block(inode, bh);
+- if (error)
++ if (error) {
++ brelse(bh);
+ goto cleanup;
++ }
+ base = BHDR(bh);
+ end = bh->b_data + bh->b_size;
+ min_offs = end - base;
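Review bot: Moving bh into the if block narrows its lifetime, but base and end at the bottom of the hunk point into bh->b_data and are declared in the enclosing scope, so they are valid only until the brelse(bh) that must now happen before the block closes (outside the hunk). If everything derived from them is computed before that release this is fine; a note at the assignment makes the constraint visible: `/* base/end point into bh; valid only until brelse(bh) below */`. The end of the block and its brelse are not visible here.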
--- /dev/null
+From ecaaf408478b6fb4d9986f9b6652f3824e374f4c Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:01:33 -0500
+Subject: ext4: fix buffer leak in ext4_xattr_get_block() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit ecaaf408478b6fb4d9986f9b6652f3824e374f4c upstream.
+
+Fixes: dec214d00e0d ("ext4: xattr inode deduplication")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.13
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2281,8 +2281,10 @@ static struct buffer_head *ext4_xattr_ge
+ if (!bh)
+ return ERR_PTR(-EIO);
+ error = ext4_xattr_check_block(inode, bh);
+- if (error)
++ if (error) {
++ brelse(bh);
+ return ERR_PTR(error);
++ }
+ return bh;
+ }
+
--- /dev/null
+From 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:10:21 -0500
+Subject: ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f upstream.
+
+Fixes: 3f2571c1f91f ("ext4: factor out xattr moving")
+Fixes: 6dd4ee7cab7e ("ext4: Expand extra_inodes space per ...")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.23
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2626,6 +2626,8 @@ out:
+ kfree(buffer);
+ if (is)
+ brelse(is->iloc.bh);
++ if (bs)
++ brelse(bs->bh);
+ kfree(is);
+ kfree(bs);
+
--- /dev/null
+From f348e2241fb73515d65b5d77dd9c174128a7fbf2 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 16:16:01 -0500
+Subject: ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit f348e2241fb73515d65b5d77dd9c174128a7fbf2 upstream.
+
+Fixes: 117fff10d7f1 ("ext4: grow the s_flex_groups array as needed ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1992,7 +1992,7 @@ retry:
+
+ err = ext4_alloc_flex_bg_array(sb, n_group + 1);
+ if (err)
+- return err;
++ goto out;
+
+ err = ext4_mb_alloc_groupinfo(sb, n_group + 1);
+ if (err)
--- /dev/null
+From db6aee62406d9fbb53315fcddd81f1dc271d49fa Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 16:20:40 -0500
+Subject: ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit db6aee62406d9fbb53315fcddd81f1dc271d49fa upstream.
+
+Fixes: 1c6bd7173d66 ("ext4: convert file system to meta_bg if needed ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -2028,6 +2028,10 @@ retry:
+ n_blocks_count_retry = 0;
+ free_flex_gd(flex_gd);
+ flex_gd = NULL;
++ if (resize_inode) {
++ iput(resize_inode);
++ resize_inode = NULL;
++ }
+ goto retry;
+ }
+
--- /dev/null
+From af18e35bfd01e6d65a5e3ef84ffe8b252d1628c5 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 10:56:28 -0500
+Subject: ext4: fix possible leak of s_journal_flag_rwsem in error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit af18e35bfd01e6d65a5e3ef84ffe8b252d1628c5 upstream.
+
+Fixes: c8585c6fcaf2 ("ext4: fix races between changing inode journal ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4442,6 +4442,7 @@ failed_mount6:
+ percpu_counter_destroy(&sbi->s_freeinodes_counter);
+ percpu_counter_destroy(&sbi->s_dirs_counter);
+ percpu_counter_destroy(&sbi->s_dirtyclusters_counter);
++ percpu_free_rwsem(&sbi->s_journal_flag_rwsem);
+ failed_mount5:
+ ext4_ext_release(sb);
+ ext4_release_system_zone(sb);
--- /dev/null
+From 9e463084cdb22e0b56b2dfbc50461020409a5fd3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 7 Nov 2018 10:32:53 -0500
+Subject: ext4: fix possible leak of sbi->s_group_desc_leak in error path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9e463084cdb22e0b56b2dfbc50461020409a5fd3 upstream.
+
+Fixes: bfe0a5f47ada ("ext4: add more mount time checks of the superblock")
+Reported-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.18
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4012,6 +4012,14 @@ static int ext4_fill_super(struct super_
+ sbi->s_groups_count = blocks_count;
+ sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count,
+ (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
++ le32_to_cpu(es->s_inodes_count)) {
++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
++ le32_to_cpu(es->s_inodes_count),
++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
++ ret = -EINVAL;
++ goto failed_mount;
++ }
+ db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ EXT4_DESC_PER_BLOCK(sb);
+ if (ext4_has_feature_meta_bg(sb)) {
+@@ -4031,14 +4039,6 @@ static int ext4_fill_super(struct super_
+ ret = -ENOMEM;
+ goto failed_mount;
+ }
+- if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+- le32_to_cpu(es->s_inodes_count)) {
+- ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+- le32_to_cpu(es->s_inodes_count),
+- ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+- ret = -EINVAL;
+- goto failed_mount;
+- }
+
+ bgl_lock_init(sbi->s_blockgroup_lock);
+
--- /dev/null
+From eb6984fa4ce2837dcb1f66720a600f31b0bb3739 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 9 Nov 2018 11:34:40 -0500
+Subject: ext4: missing !bh check in ext4_xattr_inode_write()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit eb6984fa4ce2837dcb1f66720a600f31b0bb3739 upstream.
+
+According to Ted Ts'o ext4_getblk() called in ext4_xattr_inode_write()
+should not return bh = NULL
+
+The only time that bh could be NULL, then, would be in the case of
+something really going wrong; a programming error elsewhere (perhaps a
+wild pointer dereference) or I/O error causing on-disk file system
+corruption (although that would be highly unlikely given that we had
+*just* allocated the blocks and so the metadata blocks in question
+probably would still be in the cache).
+
+Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.13
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1387,6 +1387,12 @@ retry:
+ bh = ext4_getblk(handle, ea_inode, block, 0);
+ if (IS_ERR(bh))
+ return PTR_ERR(bh);
++ if (!bh) {
++ WARN_ON_ONCE(1);
++ EXT4_ERROR_INODE(ea_inode,
++ "ext4_getblk() return bh = NULL");
++ return -EFSCORRUPTED;
++ }
+ ret = ext4_journal_get_write_access(handle, bh);
+ if (ret)
+ goto out;
--- /dev/null
+From 45ae932d246f721e6584430017176cbcadfde610 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:07:01 -0500
+Subject: ext4: release bs.bh before re-using in ext4_xattr_block_find()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 45ae932d246f721e6584430017176cbcadfde610 upstream.
+
+bs.bh was taken by the previous ext4_xattr_block_find() call;
+it must be released before bs is reused.
+
+Fixes: 7e01c8e5420b ("ext3/4: fix uninitialized bs in ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.26
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2404,6 +2404,8 @@ retry_inode:
+ error = ext4_xattr_block_set(handle, inode, &i, &bs);
+ } else if (error == -ENOSPC) {
+ if (EXT4_I(inode)->i_file_acl && !bs.s.base) {
++ brelse(bs.bh);
++ bs.bh = NULL;
+ error = ext4_xattr_block_find(inode, &i, &bs);
+ if (error)
+ goto cleanup;
--- /dev/null
+From 7fabaf303458fcabb694999d6fa772cc13d4e217 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 9 Nov 2018 15:52:16 +0100
+Subject: fuse: fix leaked notify reply
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.
+
+fuse_request_send_notify_reply() may fail if the connection was reset for
+some reason (e.g. fs was unmounted). Don't leak request reference in this
+case. Besides leaking memory, this resulted in fc->num_waiting not being
+decremented and hence fuse_wait_aborted() left in a hanging and unkillable
+state.
+
+Fixes: 2d45ba381a74 ("fuse: add retrieve request")
+Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
+Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@syzkaller.appspotmail.com
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: <stable@vger.kernel.org> #v2.6.36
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1721,8 +1721,10 @@ static int fuse_retrieve(struct fuse_con
+ req->in.args[1].size = total_len;
+
+ err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
+- if (err)
++ if (err) {
+ fuse_retrieve_end(fc, req);
++ fuse_put_request(fc, req);
++ }
+
+ return err;
+ }
--- /dev/null
+From ebacb81273599555a7a19f7754a1451206a5fc4f Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 9 Nov 2018 14:51:46 +0100
+Subject: fuse: fix use-after-free in fuse_direct_IO()
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream.
+
+In async IO blocking case the additional reference to the io is taken for
+it to survive fuse_aio_complete(). In non blocking case this additional
+reference is not needed, however we still reference io to figure out
+whether to wait for completion or not. This is wrong and will lead to
+use-after-free. Fix it by storing blocking information in separate
+variable.
+
+This was spotted by KASAN when running generic/208 fstest.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
+Cc: <stable@vger.kernel.org> # v4.6
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2912,10 +2912,12 @@ fuse_direct_IO(struct kiocb *iocb, struc
+ }
+
+ if (io->async) {
++ bool blocking = io->blocking;
++
+ fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
+
+ /* we have a non-extending, async request, so return */
+- if (!io->blocking)
++ if (!blocking)
+ return -EIOCBQUEUED;
+
+ wait_for_completion(&wait);
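Review bot: The snapshot `bool blocking = io->blocking;` taken before fuse_aio_complete() is only correct because that call can drop the last reference to io, and nothing in the code says so; a later cleanup could move the read back after the call and reintroduce the use-after-free. Add a comment above the snapshot: `/* fuse_aio_complete() may free io; read blocking first */`. fuse_direct_IO() continues past the hunk.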
--- /dev/null
+From 10283ea525d30f2e99828978fd04d8427876a7ad Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 5 Nov 2018 22:57:24 +0000
+Subject: gfs2: Put bitmap buffers in put_super
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 10283ea525d30f2e99828978fd04d8427876a7ad upstream.
+
+gfs2_put_super calls gfs2_clear_rgrpd to destroy the gfs2_rgrpd objects
+attached to the resource group glocks. That function should release the
+buffers attached to the gfs2_bitmap objects (bi_bh), but the call to
+gfs2_rgrp_brelse for doing that is missing.
+
+When gfs2_releasepage later runs across these buffers which are still
+referenced, it refuses to free them. This causes the pages the buffers
+are attached to to remain referenced as well. With enough mount/unmount
+cycles, the system will eventually run out of memory.
+
+Fix this by adding the missing call to gfs2_rgrp_brelse in
+gfs2_clear_rgrpd.
+
+(Also fix a gfs2_rgrp_relse -> gfs2_rgrp_brelse typo in a comment.)
+
+Fixes: 39b0f1e92908 ("GFS2: Don't brelse rgrp buffer_heads every allocation")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/rgrp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -706,6 +706,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *s
+
+ if (gl) {
+ glock_clear_object(gl, rgd);
++ gfs2_rgrp_brelse(rgd);
+ gfs2_glock_put(gl);
+ }
+
+@@ -1115,7 +1116,7 @@ static u32 count_unlinked(struct gfs2_rg
+ * @rgd: the struct gfs2_rgrpd describing the RG to read in
+ *
+ * Read in all of a Resource Group's header and bitmap blocks.
+- * Caller must eventually call gfs2_rgrp_relse() to free the bitmaps.
++ * Caller must eventually call gfs2_rgrp_brelse() to free the bitmaps.
+ *
+ * Returns: errno
+ */
--- /dev/null
+From 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 16 Nov 2018 15:08:04 -0800
+Subject: hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf upstream.
+
+This bug has been experienced several times by the Oracle DB team. The
+BUG is in remove_inode_hugepages() as follows:
+
+ /*
+ * If page is mapped, it was faulted in after being
+ * unmapped in caller. Unmap (again) now after taking
+ * the fault mutex. The mutex will prevent faults
+ * until we finish removing the page.
+ *
+ * This race can only happen in the hole punch case.
+ * Getting here in a truncate operation is a bug.
+ */
+ if (unlikely(page_mapped(page))) {
+ BUG_ON(truncate_op);
+
+In this case, the elevated map count is not the result of a race.
+Rather it was incorrectly incremented as the result of a bug in the huge
+pmd sharing code. Consider the following:
+
+ - Process A maps a hugetlbfs file of sufficient size and alignment
+ (PUD_SIZE) that a pmd page could be shared.
+
+ - Process B maps the same hugetlbfs file with the same size and
+ alignment such that a pmd page is shared.
+
+ - Process B then calls mprotect() to change protections for the mapping
+ with the shared pmd. As a result, the pmd is 'unshared'.
+
+ - Process B then calls mprotect() again to change protections for the
+ mapping back to their original value. pmd remains unshared.
+
+ - Process B then forks and process C is created. During the fork
+ process, we do dup_mm -> dup_mmap -> copy_page_range to copy page
+ tables. Copying page tables for hugetlb mappings is done in the
+ routine copy_hugetlb_page_range.
+
+In copy_hugetlb_page_range(), the destination pte is obtained by:
+
+ dst_pte = huge_pte_alloc(dst, addr, sz);
+
+If pmd sharing is possible, the returned pointer will be to a pte in an
+existing page table. In the situation above, process C could share with
+either process A or process B. Since process A is first in the list,
+the returned pte is a pointer to a pte in process A's page table.
+
+However, the check for pmd sharing in copy_hugetlb_page_range is:
+
+ /* If the pagetables are shared don't copy or take references */
+ if (dst_pte == src_pte)
+ continue;
+
+Since process C is sharing with process A instead of process B, the
+above test fails. The code in copy_hugetlb_page_range which follows
+assumes dst_pte points to a huge_pte_none pte. It copies the pte entry
+from src_pte to dst_pte and increments this map count of the associated
+page. This is how we end up with an elevated map count.
+
+To solve, check the dst_pte entry for huge_pte_none. If !none, this
+implies PMD sharing so do not copy.
+
+Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com
+Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3211,7 +3211,7 @@ static int is_hugetlb_entry_hwpoisoned(p
+ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
+ struct vm_area_struct *vma)
+ {
+- pte_t *src_pte, *dst_pte, entry;
++ pte_t *src_pte, *dst_pte, entry, dst_entry;
+ struct page *ptepage;
+ unsigned long addr;
+ int cow;
+@@ -3239,15 +3239,30 @@ int copy_hugetlb_page_range(struct mm_st
+ break;
+ }
+
+- /* If the pagetables are shared don't copy or take references */
+- if (dst_pte == src_pte)
++ /*
++ * If the pagetables are shared don't copy or take references.
++ * dst_pte == src_pte is the common case of src/dest sharing.
++ *
++ * However, src could have 'unshared' and dst shares with
++ * another vma. If dst_pte !none, this implies sharing.
++ * Check here before taking page table lock, and once again
++ * after taking the lock below.
++ */
++ dst_entry = huge_ptep_get(dst_pte);
++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
+ continue;
+
+ dst_ptl = huge_pte_lock(h, dst, dst_pte);
+ src_ptl = huge_pte_lockptr(h, src, src_pte);
+ spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
+ entry = huge_ptep_get(src_pte);
+- if (huge_pte_none(entry)) { /* skip none entry */
++ dst_entry = huge_ptep_get(dst_pte);
++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
++ /*
++ * Skip if src entry none. Also, skip in the
++ * unlikely case dst entry !none as this implies
++ * sharing with another vma.
++ */
+ ;
+ } else if (unlikely(is_hugetlb_entry_migration(entry) ||
+ is_hugetlb_entry_hwpoisoned(entry))) {
--- /dev/null
+From 568fb6f42ac6851320adaea25f8f1b94de14e40a Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 27 Sep 2018 17:17:57 +0000
+Subject: kdb: print real address of pointers instead of hashed addresses
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 568fb6f42ac6851320adaea25f8f1b94de14e40a upstream.
+
+Since commit ad67b74d2469 ("printk: hash addresses printed with %p"),
+all pointers printed with %p are printed with hashed addresses
+instead of real addresses in order to avoid leaking addresses in
+dmesg and syslog. But this applies to kdb too, with is unfortunate:
+
+ Entering kdb (current=0x(ptrval), pid 329) due to Keyboard Entry
+ kdb> ps
+ 15 sleeping system daemon (state M) processes suppressed,
+ use 'ps A' to see all.
+ Task Addr Pid Parent [*] cpu State Thread Command
+ 0x(ptrval) 329 328 1 0 R 0x(ptrval) *sh
+
+ 0x(ptrval) 1 0 0 0 S 0x(ptrval) init
+ 0x(ptrval) 3 2 0 0 D 0x(ptrval) rcu_gp
+ 0x(ptrval) 4 2 0 0 D 0x(ptrval) rcu_par_gp
+ 0x(ptrval) 5 2 0 0 D 0x(ptrval) kworker/0:0
+ 0x(ptrval) 6 2 0 0 D 0x(ptrval) kworker/0:0H
+ 0x(ptrval) 7 2 0 0 D 0x(ptrval) kworker/u2:0
+ 0x(ptrval) 8 2 0 0 D 0x(ptrval) mm_percpu_wq
+ 0x(ptrval) 10 2 0 0 D 0x(ptrval) rcu_preempt
+
+The whole purpose of kdb is to debug, and for debugging real addresses
+need to be known. In addition, data displayed by kdb doesn't go into
+dmesg.
+
+This patch replaces all %p by %px in kdb in order to display real
+addresses.
+
+Fixes: ad67b74d2469 ("printk: hash addresses printed with %p")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_main.c | 14 +++++++-------
+ kernel/debug/kdb/kdb_support.c | 12 ++++++------
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1182,7 +1182,7 @@ static int kdb_local(kdb_reason_t reason
+ if (reason == KDB_REASON_DEBUG) {
+ /* special case below */
+ } else {
+- kdb_printf("\nEntering kdb (current=0x%p, pid %d) ",
++ kdb_printf("\nEntering kdb (current=0x%px, pid %d) ",
+ kdb_current, kdb_current ? kdb_current->pid : 0);
+ #if defined(CONFIG_SMP)
+ kdb_printf("on processor %d ", raw_smp_processor_id());
+@@ -1198,7 +1198,7 @@ static int kdb_local(kdb_reason_t reason
+ */
+ switch (db_result) {
+ case KDB_DB_BPT:
+- kdb_printf("\nEntering kdb (0x%p, pid %d) ",
++ kdb_printf("\nEntering kdb (0x%px, pid %d) ",
+ kdb_current, kdb_current->pid);
+ #if defined(CONFIG_SMP)
+ kdb_printf("on processor %d ", raw_smp_processor_id());
+@@ -2037,7 +2037,7 @@ static int kdb_lsmod(int argc, const cha
+ if (mod->state == MODULE_STATE_UNFORMED)
+ continue;
+
+- kdb_printf("%-20s%8u 0x%p ", mod->name,
++ kdb_printf("%-20s%8u 0x%px ", mod->name,
+ mod->core_layout.size, (void *)mod);
+ #ifdef CONFIG_MODULE_UNLOAD
+ kdb_printf("%4d ", module_refcount(mod));
+@@ -2048,7 +2048,7 @@ static int kdb_lsmod(int argc, const cha
+ kdb_printf(" (Loading)");
+ else
+ kdb_printf(" (Live)");
+- kdb_printf(" 0x%p", mod->core_layout.base);
++ kdb_printf(" 0x%px", mod->core_layout.base);
+
+ #ifdef CONFIG_MODULE_UNLOAD
+ {
+@@ -2330,7 +2330,7 @@ void kdb_ps1(const struct task_struct *p
+ return;
+
+ cpu = kdb_process_cpu(p);
+- kdb_printf("0x%p %8d %8d %d %4d %c 0x%p %c%s\n",
++ kdb_printf("0x%px %8d %8d %d %4d %c 0x%px %c%s\n",
+ (void *)p, p->pid, p->parent->pid,
+ kdb_task_has_cpu(p), kdb_process_cpu(p),
+ kdb_task_state_char(p),
+@@ -2343,7 +2343,7 @@ void kdb_ps1(const struct task_struct *p
+ } else {
+ if (KDB_TSK(cpu) != p)
+ kdb_printf(" Error: does not match running "
+- "process table (0x%p)\n", KDB_TSK(cpu));
++ "process table (0x%px)\n", KDB_TSK(cpu));
+ }
+ }
+ }
+@@ -2722,7 +2722,7 @@ int kdb_register_flags(char *cmd,
+ for_each_kdbcmd(kp, i) {
+ if (kp->cmd_name && (strcmp(kp->cmd_name, cmd) == 0)) {
+ kdb_printf("Duplicate kdb command registered: "
+- "%s, func %p help %s\n", cmd, func, help);
++ "%s, func %px help %s\n", cmd, func, help);
+ return 1;
+ }
+ }
+--- a/kernel/debug/kdb/kdb_support.c
++++ b/kernel/debug/kdb/kdb_support.c
+@@ -40,7 +40,7 @@
+ int kdbgetsymval(const char *symname, kdb_symtab_t *symtab)
+ {
+ if (KDB_DEBUG(AR))
+- kdb_printf("kdbgetsymval: symname=%s, symtab=%p\n", symname,
++ kdb_printf("kdbgetsymval: symname=%s, symtab=%px\n", symname,
+ symtab);
+ memset(symtab, 0, sizeof(*symtab));
+ symtab->sym_start = kallsyms_lookup_name(symname);
+@@ -88,7 +88,7 @@ int kdbnearsym(unsigned long addr, kdb_s
+ char *knt1 = NULL;
+
+ if (KDB_DEBUG(AR))
+- kdb_printf("kdbnearsym: addr=0x%lx, symtab=%p\n", addr, symtab);
++ kdb_printf("kdbnearsym: addr=0x%lx, symtab=%px\n", addr, symtab);
+ memset(symtab, 0, sizeof(*symtab));
+
+ if (addr < 4096)
+@@ -149,7 +149,7 @@ int kdbnearsym(unsigned long addr, kdb_s
+ symtab->mod_name = "kernel";
+ if (KDB_DEBUG(AR))
+ kdb_printf("kdbnearsym: returns %d symtab->sym_start=0x%lx, "
+- "symtab->mod_name=%p, symtab->sym_name=%p (%s)\n", ret,
++ "symtab->mod_name=%px, symtab->sym_name=%px (%s)\n", ret,
+ symtab->sym_start, symtab->mod_name, symtab->sym_name,
+ symtab->sym_name);
+
+@@ -887,13 +887,13 @@ void debug_kusage(void)
+ __func__, dah_first);
+ if (dah_first) {
+ h_used = (struct debug_alloc_header *)debug_alloc_pool;
+- kdb_printf("%s: h_used %p size %d\n", __func__, h_used,
++ kdb_printf("%s: h_used %px size %d\n", __func__, h_used,
+ h_used->size);
+ }
+ do {
+ h_used = (struct debug_alloc_header *)
+ ((char *)h_free + dah_overhead + h_free->size);
+- kdb_printf("%s: h_used %p size %d caller %p\n",
++ kdb_printf("%s: h_used %px size %d caller %px\n",
+ __func__, h_used, h_used->size, h_used->caller);
+ h_free = (struct debug_alloc_header *)
+ (debug_alloc_pool + h_free->next);
+@@ -902,7 +902,7 @@ void debug_kusage(void)
+ ((char *)h_free + dah_overhead + h_free->size);
+ if ((char *)h_used - debug_alloc_pool !=
+ sizeof(debug_alloc_pool_aligned))
+- kdb_printf("%s: h_used %p size %d caller %p\n",
++ kdb_printf("%s: h_used %px size %d caller %px\n",
+ __func__, h_used, h_used->size, h_used->caller);
+ out:
+ spin_unlock(&dap_lock);
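Review bot: None of the `%px` conversions carries a comment saying why an unhashed kernel address is intentional, so a later checkpatch-driven cleanup can quietly revert them to `%p` and bring back the `(ptrval)` output; the first conversion in kdb_local (kdb_main.c hunk at 1182) is the natural place for `/* kdb is an interactive debugger: real addresses (%px) are required here, and commands such as btt parse them back */`. The justification in the description that kdb output never reaches dmesg looks too strong: as far as I recall vkdb_printf forwards its buffer to printk when kdb's LOGGING environment variable is set, so these addresses can land in the kernel log on systems that enable it. That is a consequence of enabling kdb at all rather than of this patch, but the comment should not promise otherwise. The enclosing functions all start and end outside the hunks.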
--- /dev/null
+From dded2e159208a9edc21dd5c5f583afa28d378d39 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 27 Sep 2018 17:17:49 +0000
+Subject: kdb: use correct pointer when 'btc' calls 'btt'
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit dded2e159208a9edc21dd5c5f583afa28d378d39 upstream.
+
+On a powerpc 8xx, 'btc' fails as follows:
+
+Entering kdb (current=0x(ptrval), pid 282) due to Keyboard Entry
+kdb> btc
+btc: cpu status: Currently on cpu 0
+Available cpus: 0
+kdb_getarea: Bad address 0x0
+
+when booting the kernel with 'debug_boot_weak_hash', it fails as well
+
+Entering kdb (current=0xba99ad80, pid 284) due to Keyboard Entry
+kdb> btc
+btc: cpu status: Currently on cpu 0
+Available cpus: 0
+kdb_getarea: Bad address 0xba99ad80
+
+On other platforms, Oopses have been observed too, see
+https://github.com/linuxppc/linux/issues/139
+
+This is due to btc calling 'btt' with %p pointer as an argument.
+
+This patch replaces %p by %px to get the real pointer value as
+expected by 'btt'
+
+Fixes: ad67b74d2469 ("printk: hash addresses printed with %p")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_bt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/debug/kdb/kdb_bt.c
++++ b/kernel/debug/kdb/kdb_bt.c
+@@ -179,14 +179,14 @@ kdb_bt(int argc, const char **argv)
+ kdb_printf("no process for cpu %ld\n", cpu);
+ return 0;
+ }
+- sprintf(buf, "btt 0x%p\n", KDB_TSK(cpu));
++ sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu));
+ kdb_parse(buf);
+ return 0;
+ }
+ kdb_printf("btc: cpu status: ");
+ kdb_parse("cpu\n");
+ for_each_online_cpu(cpu) {
+- sprintf(buf, "btt 0x%p\n", KDB_TSK(cpu));
++ sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu));
+ kdb_parse(buf);
+ touch_nmi_watchdog();
+ }
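Review bot: The two `sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu))` lines format a real pointer only so that kdb_parse can read it back as the btt argument, and nothing at the call site says so; a one-line comment above the first, `/* btt parses this address back: it must be the real pointer (%px), never the hashed %p */`, keeps the next %p sweep from undoing the fix. `buf` is declared outside the hunk; if it is a fixed array, `snprintf(buf, sizeof(buf), "btt 0x%px\n", KDB_TSK(cpu));` bounds the write at no cost, although a 64-bit `%px` plus the literal text is short. kdb_bt starts and ends outside the hunk.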
--- /dev/null
+From 1c23b4108d716cc848b38532063a8aca4f86add8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 16 Nov 2018 15:08:35 -0800
+Subject: lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 1c23b4108d716cc848b38532063a8aca4f86add8 upstream.
+
+gcc-8 complains about the prototype for this function:
+
+ lib/ubsan.c:432:1: error: ignoring attribute 'noreturn' in declaration of a built-in function '__ubsan_handle_builtin_unreachable' because it conflicts with attribute 'const' [-Werror=attributes]
+
+This is actually a GCC's bug. In GCC internals
+__ubsan_handle_builtin_unreachable() declared with both 'noreturn' and
+'const' attributes instead of only 'noreturn':
+
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84210
+
+Workaround this by removing the noreturn attribute.
+
+[aryabinin: add information about GCC bug in changelog]
+Link: http://lkml.kernel.org/r/20181107144516.4587-1-aryabinin@virtuozzo.com
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Acked-by: Olof Johansson <olof@lixom.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/ubsan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/lib/ubsan.c
++++ b/lib/ubsan.c
+@@ -451,8 +451,7 @@ void __ubsan_handle_shift_out_of_bounds(
+ EXPORT_SYMBOL(__ubsan_handle_shift_out_of_bounds);
+
+
+-void __noreturn
+-__ubsan_handle_builtin_unreachable(struct unreachable_data *data)
++void __ubsan_handle_builtin_unreachable(struct unreachable_data *data)
+ {
+ unsigned long flags;
+
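Review bot: Dropping `__noreturn` leaves no trace in the source of why the obvious attribute is missing, so someone will add it back and hit the gcc-8 error again; the new declaration line deserves `/* Not __noreturn: GCC's builtin declaration also carries 'const' and gcc-8 rejects the conflict (GCC PR 84210). The body must still never return. */`. The body is outside the hunk; whether it still ends in a call that never returns should be confirmed, because without the attribute the compiler no longer complains if a path can fall out of the function and resume after a `__builtin_unreachable()`.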
--- /dev/null
+From 873d7bcfd066663e3e50113dc4a0de19289b6354 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 16 Nov 2018 15:08:11 -0800
+Subject: mm/swapfile.c: use kvzalloc for swap_info_struct allocation
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 873d7bcfd066663e3e50113dc4a0de19289b6354 upstream.
+
+Commit a2468cc9bfdf ("swap: choose swap device according to numa node")
+changed 'avail_lists' field of 'struct swap_info_struct' to an array.
+In popular linux distros it increased size of swap_info_struct up to 40
+Kbytes and now swap_info_struct allocation requires order-4 page.
+Switch to kvzmalloc allows to avoid unexpected allocation failures.
+
+Link: http://lkml.kernel.org/r/fc23172d-3c75-21e2-d551-8b1808cbe593@virtuozzo.com
+Fixes: a2468cc9bfdf ("swap: choose swap device according to numa node")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Aaron Lu <aaron.lu@intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/swapfile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2830,7 +2830,7 @@ static struct swap_info_struct *alloc_sw
+ unsigned int type;
+ int i;
+
+- p = kzalloc(sizeof(*p), GFP_KERNEL);
++ p = kvzalloc(sizeof(*p), GFP_KERNEL);
+ if (!p)
+ return ERR_PTR(-ENOMEM);
+
+@@ -2841,7 +2841,7 @@ static struct swap_info_struct *alloc_sw
+ }
+ if (type >= MAX_SWAPFILES) {
+ spin_unlock(&swap_lock);
+- kfree(p);
++ kvfree(p);
+ return ERR_PTR(-EPERM);
+ }
+ if (type >= nr_swapfiles) {
+@@ -2855,7 +2855,7 @@ static struct swap_info_struct *alloc_sw
+ smp_wmb();
+ nr_swapfiles++;
+ } else {
+- kfree(p);
++ kvfree(p);
+ p = swap_info[type];
+ /*
+ * Do not memset this entry: a racing procfs swap_next()
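Review bot: The allocation at 2830 switches to `kvzalloc` without a comment, and the two `kvfree` conversions at 2841 and 2855 are the only frees visible, so a reviewer cannot tell from the hunks whether every release of a `swap_info_struct` elsewhere in the file was converted; `kfree` on a vmalloc-backed object is a bug, so any remaining `kfree` of one of these structs needs the same treatment. A why-comment on the allocation would also record the motivation given in the description: `/* avail_lists[] per node made this struct large; kvzalloc avoids a high-order page allocation */`. alloc_swap_info starts and ends outside the hunks.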
--- /dev/null
+From df7342b240185d58d3d9665c0bbf0a0f5570ec29 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 25 Oct 2018 09:04:18 -0500
+Subject: mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream.
+
+Jonathan Calmels from NVIDIA reported that he's able to bypass the
+mount visibility security check in place in the Linux kernel by using
+a combination of the unbindable property along with the private mount
+propagation option to allow a unprivileged user to see a path which
+was purposefully hidden by the root user.
+
+Reproducer:
+ # Hide a path to all users using a tmpfs
+ root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
+ root@castiana:~#
+
+ # As an unprivileged user, unshare user namespace and mount namespace
+ stgraber@castiana:~$ unshare -U -m -r
+
+ # Confirm the path is still not accessible
+ root@castiana:~# ls /sys/devices/
+
+ # Make /sys recursively unbindable and private
+ root@castiana:~# mount --make-runbindable /sys
+ root@castiana:~# mount --make-private /sys
+
+ # Recursively bind-mount the rest of /sys over to /mnnt
+ root@castiana:~# mount --rbind /sys/ /mnt
+
+ # Access our hidden /sys/device as an unprivileged user
+ root@castiana:~# ls /mnt/devices/
+ breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
+ LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
+ tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
+
+Solve this by teaching copy_tree to fail if a mount turns out to be
+both unbindable and locked.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1814,8 +1814,14 @@ struct mount *copy_tree(struct mount *mn
+ for (s = r; s; s = next_mnt(s, r)) {
+ if (!(flag & CL_COPY_UNBINDABLE) &&
+ IS_MNT_UNBINDABLE(s)) {
+- s = skip_mnt_tree(s);
+- continue;
++ if (s->mnt.mnt_flags & MNT_LOCKED) {
++ /* Both unbindable and locked. */
++ q = ERR_PTR(-EPERM);
++ goto out;
++ } else {
++ s = skip_mnt_tree(s);
++ continue;
++ }
+ }
+ if (!(flag & CL_COPY_MNT_NS_FILE) &&
+ is_mnt_ns_file(s->mnt.mnt_root)) {
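Review bot: The `else` after `goto out` is redundant and adds a nesting level; `if (s->mnt.mnt_flags & MNT_LOCKED) { q = ERR_PTR(-EPERM); goto out; }` followed by the unchanged `s = skip_mnt_tree(s); continue;` reads the same and matches the guard style used around it. The comment `/* Both unbindable and locked. */` restates the condition rather than the reason; something like `/* A locked unbindable mount cannot simply be skipped: the copy would expose whatever it covers to a less privileged namespace */` preserves the rationale from the description. `q` and the `out` label are outside the hunk; whether `out` tears down the partially built tree on this new error path should be confirmed, since earlier iterations of the loop have already copied mounts by the time this fires.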
--- /dev/null
+From 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 25 Oct 2018 12:05:11 -0500
+Subject: mount: Prevent MNT_DETACH from disconnecting locked mounts
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.
+
+Timothy Baldwin <timbaldwin@fastmail.co.uk> wrote:
+> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
+>
+> Mounts that come as a single unit from more privileged mount are locked
+> together and may not be separated in a less privileged mount namespace.
+>
+> However they can:
+>
+> 1. Create a mount namespace.
+> 2. In the mount namespace open a file descriptor to the parent of a mount point.
+> 3. Destroy the mount namespace.
+> 4. Use the file descriptor to look under the mount point.
+>
+> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
+>
+> The setup:
+>
+> $ sudo sysctl kernel.unprivileged_userns_clone=1
+> kernel.unprivileged_userns_clone = 1
+> $ mkdir -p A/B/Secret
+> $ sudo mount -t tmpfs hide A/B
+>
+>
+> "Secret" is indeed hidden as expected:
+>
+> $ ls -lR A
+> A:
+> total 0
+> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
+>
+> A/B:
+> total 0
+>
+>
+> The attack revealing "Secret":
+>
+> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
+> /proc/self/fd/4/:
+> total 0
+> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
+>
+> /proc/self/fd/4/B:
+> total 0
+> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
+>
+> /proc/self/fd/4/B/Secret:
+> total 0
+
+I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and
+disconnecting all of the mounts in a mount namespace. Fix this by
+factoring drop_mounts out of drop_collected_mounts and passing
+0 instead of UMOUNT_SYNC.
+
+There are two possible behavior differences that result from this.
+- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
+ the vfsmounts being unmounted. This effects the lazy rcu walk by
+ kicking the walk out of rcu mode and forcing it to be a non-lazy
+ walk.
+- No longer disconnecting locked mounts will keep some mounts around
+ longer as they stay because the are locked to other mounts.
+
+There are only two users of drop_collected mounts: audit_tree.c and
+put_mnt_ns.
+
+In audit_tree.c the mounts are private and there are no rcu lazy walks
+only calls to iterate_mounts. So the changes should have no effect
+except for a small timing effect as the connected mounts are disconnected.
+
+In put_mnt_ns there may be references from process outside the mount
+namespace to the mounts. So the mounts remaining connected will
+be the bug fix that is needed. That rcu walks are allowed to continue
+appears not to be a problem especially as the rcu walk change was about
+an implementation detail not about semantics.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Reported-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
+Tested-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1874,7 +1874,7 @@ void drop_collected_mounts(struct vfsmou
+ {
+ namespace_lock();
+ lock_mount_hash();
+- umount_tree(real_mount(mnt), UMOUNT_SYNC);
++ umount_tree(real_mount(mnt), 0);
+ unlock_mount_hash();
+ namespace_unlock();
+ }
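Review bot: The description says drop_mounts was factored out of drop_collected_mounts with 0 passed only by put_mnt_ns, but the hunk simply changes the flag inside drop_collected_mounts, so both callers named in the description (audit_tree.c and put_mnt_ns) now unmount without UMOUNT_SYNC; that is consistent with the analysis given, but the code should say so rather than leave a bare `0`. A comment on the changed line, `/* no UMOUNT_SYNC: locked mounts must stay connected so a retained fd cannot look under them */`, captures the fix. The function's signature line is outside the hunk.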
--- /dev/null
+From 25d202ed820ee347edec0bf3bf553544556bf64b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 22 Oct 2018 10:21:38 -0500
+Subject: mount: Retest MNT_LOCKED in do_umount
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream.
+
+It was recently pointed out that the one instance of testing MNT_LOCKED
+outside of the namespace_sem is in ksys_umount.
+
+Fix that by adding a test inside of do_umount with namespace_sem and
+the mount_lock held. As it helps to fail fails the existing test is
+maintained with an additional comment pointing out that it may be racy
+because the locks are not held.
+
+Cc: stable@vger.kernel.org
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1625,8 +1625,13 @@ static int do_umount(struct mount *mnt,
+
+ namespace_lock();
+ lock_mount_hash();
+- event++;
+
++ /* Recheck MNT_LOCKED with the locks held */
++ retval = -EINVAL;
++ if (mnt->mnt.mnt_flags & MNT_LOCKED)
++ goto out;
++
++ event++;
+ if (flags & MNT_DETACH) {
+ if (!list_empty(&mnt->mnt_list))
+ umount_tree(mnt, UMOUNT_PROPAGATE);
+@@ -1640,6 +1645,7 @@ static int do_umount(struct mount *mnt,
+ retval = 0;
+ }
+ }
++out:
+ unlock_mount_hash();
+ namespace_unlock();
+ return retval;
+@@ -1730,7 +1736,7 @@ SYSCALL_DEFINE2(umount, char __user *, n
+ goto dput_and_out;
+ if (!check_mnt(mnt))
+ goto dput_and_out;
+- if (mnt->mnt.mnt_flags & MNT_LOCKED)
++ if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
+ goto dput_and_out;
+ retval = -EPERM;
+ if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
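Review bot: The optimistic check in ksys_umount at 1736 now has a second, authoritative copy, and `/* Check optimistically */` does not tell a reader where that copy lives; `/* Check optimistically; do_umount rechecks under namespace_sem and mount_lock */` closes that gap. Moving `event++` below the new locked test is a deliberate detail (a rejected umount no longer bumps `event`), and a short comment there would stop it drifting back above the check. Both do_umount and ksys_umount start and end outside the hunks.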
--- /dev/null
+From 01310bb7c9c98752cc763b36532fab028e0f8f81 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 8 Nov 2018 11:11:36 -0500
+Subject: nfsd: COPY and CLONE operations require the saved filehandle to be set
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 01310bb7c9c98752cc763b36532fab028e0f8f81 upstream.
+
+Make sure we have a saved filehandle, otherwise we'll oops with a null
+pointer dereference in nfs4_preprocess_stateid_op().
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1049,6 +1049,9 @@ nfsd4_verify_copy(struct svc_rqst *rqstp
+ {
+ __be32 status;
+
++ if (!cstate->save_fh.fh_dentry)
++ return nfserr_nofilehandle;
++
+ status = nfs4_preprocess_stateid_op(rqstp, cstate, &cstate->save_fh,
+ src_stateid, RD_STATE, src, NULL);
+ if (status) {
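Review bot: The new `if (!cstate->save_fh.fh_dentry)` guard has no comment tying it to the protocol; `/* COPY/CLONE read from the saved fh (SAVEFH); a compound without one is a client error, not a reason to oops */` says why nfserr_nofilehandle is the right answer. The guard has to stay ahead of nfs4_preprocess_stateid_op, which is handed `&cstate->save_fh` on the very next line; that ordering is worth a word in the same comment. nfsd4_verify_copy's signature is outside the hunk.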
--- /dev/null
+From 7ce9a992ffde8ce93d5ae5767362a5c7389ae895 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Mon, 5 Nov 2018 03:48:25 +0000
+Subject: rtc: hctosys: Add missing range error reporting
+
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+commit 7ce9a992ffde8ce93d5ae5767362a5c7389ae895 upstream.
+
+Fix an issue with the 32-bit range error path in `rtc_hctosys' where no
+error code is set and consequently the successful preceding call result
+from `rtc_read_time' is propagated to `rtc_hctosys_ret'. This in turn
+makes any subsequent call to `hctosys_show' incorrectly report in sysfs
+that the system time has been set from this RTC while it has not.
+
+Set the error to ERANGE then if we can't express the result due to an
+overflow.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Fixes: b3a5ac42ab18 ("rtc: hctosys: Ensure system time doesn't overflow time_t")
+Cc: stable@vger.kernel.org # 4.17+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/hctosys.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/hctosys.c
++++ b/drivers/rtc/hctosys.c
+@@ -50,8 +50,10 @@ static int __init rtc_hctosys(void)
+ tv64.tv_sec = rtc_tm_to_time64(&tm);
+
+ #if BITS_PER_LONG == 32
+- if (tv64.tv_sec > INT_MAX)
++ if (tv64.tv_sec > INT_MAX) {
++ err = -ERANGE;
+ goto err_read;
++ }
+ #endif
+
+ err = do_settimeofday64(&tv64);
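Review bot: The new `err = -ERANGE` supplies the missing error code, but the `#if BITS_PER_LONG == 32` block still lacks a comment explaining what it guards; `/* 32-bit time_t cannot hold this value; report it instead of inheriting rtc_read_time()'s success */` records the bug this patch fixes. Only the upper bound is tested; if rtc_tm_to_time64 can produce values below INT_MIN on this path (not visible here), the same block should reject them, since the purpose named in the Fixes tag applies in both directions. rtc_hctosys and the `err_read` label are outside the hunk.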
arm-8809-1-proc-v7-fix-thumb-annotation-of-cpu_v7_hvc_switch_mm.patch
mtd-docg3-don-t-set-conflicting-bch_const_params-option.patch
of-numa-validate-some-distance-map-rules.patch
+x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch
+x86-hyper-v-enable-pit-shutdown-quirk.patch
+termios-tty-tty_baudrate.c-fix-buffer-overrun.patch
+arch-alpha-termios-implement-bother-ibshift-and-termios2.patch
+watchdog-core-add-missing-prototypes-for-weak-functions.patch
+btrfs-fix-pinned-underflow-after-transaction-aborted.patch
+btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch
+btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch
+btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch
+clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch
+ext4-add-missing-brelse-update_backups-s-error-path.patch
+ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch
+ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch
+ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch
+ext4-missing-bh-check-in-ext4_xattr_inode_write.patch
+ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch
+ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch
+ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch
+ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch
+ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch
+ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch
+ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch
+ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch
+ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch
+ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch
+ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch
+ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch
+mount-retest-mnt_locked-in-do_umount.patch
+mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch
+mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch
+kdb-use-correct-pointer-when-btc-calls-btt.patch
+kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch
+sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch
+nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch
+rtc-hctosys-add-missing-range-error-reporting.patch
+fuse-fix-use-after-free-in-fuse_direct_io.patch
+fuse-fix-leaked-notify-reply.patch
+configfs-replace-strncpy-with-memcpy.patch
+gfs2-put-bitmap-buffers-in-put_super.patch
+crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch
+lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch
+hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch
+mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch
--- /dev/null
+From 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb Mon Sep 17 00:00:00 2001
+From: Frank Sorenson <sorenson@redhat.com>
+Date: Tue, 30 Oct 2018 15:10:40 -0500
+Subject: sunrpc: correct the computation for page_ptr when truncating
+
+From: Frank Sorenson <sorenson@redhat.com>
+
+commit 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb upstream.
+
+When truncating the encode buffer, the page_ptr is getting
+advanced, causing the next page to be skipped while encoding.
+The page is still included in the response, so the response
+contains a page of bogus data.
+
+We need to adjust the page_ptr backwards to ensure we encode
+the next page into the correct place.
+
+We saw this triggered when concurrent directory modifications caused
+nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting
+call to xdr_truncate_encode() corrupted the READDIR reply.
+
+Signed-off-by: Frank Sorenson <sorenson@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xdr.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/xdr.c
++++ b/net/sunrpc/xdr.c
+@@ -639,11 +639,10 @@ void xdr_truncate_encode(struct xdr_stre
+ WARN_ON_ONCE(xdr->iov);
+ return;
+ }
+- if (fraglen) {
++ if (fraglen)
+ xdr->end = head->iov_base + head->iov_len;
+- xdr->page_ptr--;
+- }
+ /* (otherwise assume xdr->end is already set) */
++ xdr->page_ptr--;
+ head->iov_len = len;
+ buf->len = len;
+ xdr->p = head->iov_base + head->iov_len;
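Review bot: After the move, the comment `/* (otherwise assume xdr->end is already set) */` sits between the `if (fraglen)` statement and the unconditional `xdr->page_ptr--`, where it reads as if it explained the decrement; put it on the line above the `if`, and give the decrement its own reason: `/* page_ptr was advanced when the pages were entered; step back so the next page is encoded rather than skipped */`. Whether page_ptr has been advanced on every path that reaches this point (the earlier branches are outside the hunk) is what the now-unconditional decrement relies on and should be confirmed. xdr_truncate_encode starts and ends outside the hunk.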
--- /dev/null
+From 991a25194097006ec1e0d2e0814ff920e59e3465 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Mon, 22 Oct 2018 09:19:04 -0700
+Subject: termios, tty/tty_baudrate.c: fix buffer overrun
+
+From: H. Peter Anvin <hpa@zytor.com>
+
+commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream.
+
+On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
+not do any limit checking on the tty_baudrate[] array, and in fact a
+buffer overrun is possible on both architectures. Add a limit check to
+prevent that situation.
+
+This will be followed by a much bigger cleanup/simplification patch.
+
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Requested-by: Cc: Johan Hovold <johan@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_baudrate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_baudrate.c
++++ b/drivers/tty/tty_baudrate.c
+@@ -76,7 +76,7 @@ speed_t tty_termios_baud_rate(struct kte
+ else
+ cbaud += 15;
+ }
+- return baud_table[cbaud];
++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
+ }
+ EXPORT_SYMBOL(tty_termios_baud_rate);
+
+@@ -112,7 +112,7 @@ speed_t tty_termios_input_baud_rate(stru
+ else
+ cbaud += 15;
+ }
+- return baud_table[cbaud];
++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
+ #else
+ return tty_termios_baud_rate(termios);
+ #endif
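Review bot: The bounds check `cbaud >= n_baud_table ? 0 : baud_table[cbaud]` is duplicated verbatim in tty_termios_baud_rate at 76 and tty_termios_input_baud_rate at 112, with nothing saying why an out-of-range encoding becomes 0; a comment on the first, `/* With CBAUDEX == 0 the encoding can exceed the table; return 0 rather than read past baud_table */`, and ideally one small static helper used by both, keeps the two from diverging. The types of `cbaud` and `n_baud_table` are outside the hunks; if one is signed and the other unsigned the comparison promotes, harmless for a masked non-negative cbaud but worth a glance under -Wsign-compare. Both functions start outside the hunks.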
--- /dev/null
+From 81bd415c91eb966118d773dddf254aebf3022411 Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre <malat@debian.org>
+Date: Wed, 6 Jun 2018 21:42:32 +0200
+Subject: watchdog/core: Add missing prototypes for weak functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mathieu Malaterre <malat@debian.org>
+
+commit 81bd415c91eb966118d773dddf254aebf3022411 upstream.
+
+The split out of the hard lockup detector exposed two new weak functions,
+but no prototypes for them, which triggers the build warning:
+
+ kernel/watchdog.c:109:12: warning: no previous prototype for ‘watchdog_nmi_enable’ [-Wmissing-prototypes]
+ kernel/watchdog.c:115:13: warning: no previous prototype for ‘watchdog_nmi_disable’ [-Wmissing-prototypes]
+
+Add the prototypes.
+
+Fixes: 73ce0511c436 ("kernel/watchdog.c: move hardlockup detector to separate file")
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Babu Moger <babu.moger@oracle.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180606194232.17653-1-malat@debian.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/nmi.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -113,6 +113,8 @@ static inline int hardlockup_detector_pe
+ void watchdog_nmi_stop(void);
+ void watchdog_nmi_start(void);
+ int watchdog_nmi_probe(void);
++int watchdog_nmi_enable(unsigned int cpu);
++void watchdog_nmi_disable(unsigned int cpu);
+
+ /**
+ * touch_nmi_watchdog - restart NMI watchdog timeout.
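Review bot: The two new prototypes say nothing about the contract they expose: the description says these are weak defaults in kernel/watchdog.c that arch code may override, and a comment above them such as `/* Weak defaults live in kernel/watchdog.c; architectures may provide their own. */` would make that visible where callers look. The surrounding `#if` region starts outside the hunk, so whether the declarations are visible under every configuration in which the definitions are compiled should be confirmed, otherwise -Wmissing-prototypes returns for those configs.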
--- /dev/null
+From 15035388439f892017d38b05214d3cda6578af64 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 9 Nov 2018 15:22:07 -0500
+Subject: x86/cpu/vmware: Do not trace vmware_sched_clock()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 15035388439f892017d38b05214d3cda6578af64 upstream.
+
+When running function tracing on a Linux guest running on VMware
+Workstation, the guest would crash. This is due to tracing of the
+sched_clock internal call of the VMware vmware_sched_clock(), which
+causes an infinite recursion within the tracing code (clock calls must
+not be traced).
+
+Make vmware_sched_clock() not traced by ftrace.
+
+Fixes: 80e9a4f21fd7c ("x86/vmware: Add paravirt sched clock")
+Reported-by: GwanYeong Kim <gy741.kim@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+CC: Alok Kataria <akataria@vmware.com>
+CC: GwanYeong Kim <gy741.kim@gmail.com>
+CC: "H. Peter Anvin" <hpa@zytor.com>
+CC: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org
+CC: Thomas Gleixner <tglx@linutronix.de>
+CC: virtualization@lists.linux-foundation.org
+CC: x86-ml <x86@kernel.org>
+Link: http://lkml.kernel.org/r/20181109152207.4d3e7d70@gandalf.local.home
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/vmware.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/vmware.c
++++ b/arch/x86/kernel/cpu/vmware.c
+@@ -77,7 +77,7 @@ static __init int setup_vmw_sched_clock(
+ }
+ early_param("no-vmw-sched-clock", setup_vmw_sched_clock);
+
+-static unsigned long long vmware_sched_clock(void)
++static unsigned long long notrace vmware_sched_clock(void)
+ {
+ unsigned long long ns;
+
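Review bot: The `notrace` added to the vmware_sched_clock() signature is not explained at the definition, so a later cleanup that normalises attributes could drop it and silently reintroduce the recursive-tracing crash the commit message describes. A short why-comment above the function would guard against that, e.g. `/* Called from sched_clock(); tracing it recurses into ftrace, so it must stay notrace. */`. The function body continues outside the hunk.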
--- /dev/null
+From 1de72c706488b7be664a601cf3843bd01e327e58 Mon Sep 17 00:00:00 2001
+From: Michael Kelley <mikelley@microsoft.com>
+Date: Sun, 4 Nov 2018 03:48:57 +0000
+Subject: x86/hyper-v: Enable PIT shutdown quirk
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+commit 1de72c706488b7be664a601cf3843bd01e327e58 upstream.
+
+Hyper-V emulation of the PIT has a quirk such that the normal PIT shutdown
+path doesn't work, because clearing the counter register restarts the
+timer.
+
+Disable the counter clearing on PIT shutdown.
+
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
+Cc: "daniel.lezcano@linaro.org" <daniel.lezcano@linaro.org>
+Cc: "virtualization@lists.linux-foundation.org" <virtualization@lists.linux-foundation.org>
+Cc: "jgross@suse.com" <jgross@suse.com>
+Cc: "akataria@vmware.com" <akataria@vmware.com>
+Cc: "olaf@aepfle.de" <olaf@aepfle.de>
+Cc: "apw@canonical.com" <apw@canonical.com>
+Cc: vkuznets <vkuznets@redhat.com>
+Cc: "jasowang@redhat.com" <jasowang@redhat.com>
+Cc: "marcelo.cerri@canonical.com" <marcelo.cerri@canonical.com>
+Cc: KY Srinivasan <kys@microsoft.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1541303219-11142-3-git-send-email-mikelley@microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mshyperv.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mshyperv.c
++++ b/arch/x86/kernel/cpu/mshyperv.c
+@@ -20,6 +20,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
+ #include <linux/kexec.h>
++#include <linux/i8253.h>
+ #include <asm/processor.h>
+ #include <asm/hypervisor.h>
+ #include <asm/hyperv.h>
+@@ -243,6 +244,16 @@ static void __init ms_hyperv_init_platfo
+ if (efi_enabled(EFI_BOOT))
+ x86_platform.get_nmi_reason = hv_get_nmi_reason;
+
++ /*
++ * Hyper-V VMs have a PIT emulation quirk such that zeroing the
++ * counter register during PIT shutdown restarts the PIT. So it
++ * continues to interrupt @18.2 HZ. Setting i8253_clear_counter
++ * to false tells pit_shutdown() not to zero the counter so that
++ * the PIT really is shutdown. Generation 2 VMs don't have a PIT,
++ * and setting this value has no effect.
++ */
++ i8253_clear_counter_on_shutdown = false;
++
+ #if IS_ENABLED(CONFIG_HYPERV)
+ /*
+ * Setup the hook to get control post apic initialization.