--- /dev/null
+From 650768c512faba8070bf4cfbb28c95eb5cd203f3 Mon Sep 17 00:00:00 2001
+From: Dev Jain <dev.jain@arm.com>
+Date: Tue, 27 May 2025 13:56:33 +0530
+Subject: arm64: Restrict pagetable teardown to avoid false warning
+
+From: Dev Jain <dev.jain@arm.com>
+
+commit 650768c512faba8070bf4cfbb28c95eb5cd203f3 upstream.
+
+Commit 9c006972c3fe ("arm64: mmu: drop pXd_present() checks from
+pXd_free_pYd_table()") removes the pxd_present() checks because the
+caller checks pxd_present(). But, in case of vmap_try_huge_pud(), the
+caller only checks pud_present(); pud_free_pmd_page() recurses on each
+pmd through pmd_free_pte_page(), wherein the pmd may be none. Thus it is
+possible to hit a warning in the latter, since pmd_none => !pmd_table().
+Thus, add a pmd_present() check in pud_free_pmd_page().
+
+This problem was found by code inspection.
+
+Fixes: 9c006972c3fe ("arm64: mmu: drop pXd_present() checks from pXd_free_pYd_table()")
+Cc: stable@vger.kernel.org
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Dev Jain <dev.jain@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
+Link: https://lore.kernel.org/r/20250527082633.61073-1-dev.jain@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -1041,7 +1041,8 @@ int pud_free_pmd_page(pud_t *pudp, unsig
+ next = addr;
+ end = addr + PUD_SIZE;
+ do {
+- pmd_free_pte_page(pmdp, next);
++ if (pmd_present(READ_ONCE(*pmdp)))
++ pmd_free_pte_page(pmdp, next);
+ } while (pmdp++, next += PMD_SIZE, next != end);
+
+ pud_clear(pudp);
--- /dev/null
+From 7081929ab2572920e94d70be3d332e5c9f97095a Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Thu, 4 Jan 2024 11:48:46 -0800
+Subject: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit 7081929ab2572920e94d70be3d332e5c9f97095a upstream.
+
+If the source file descriptor to the snapshot ioctl refers to a deleted
+subvolume, we get the following abort:
+
+ BTRFS: Transaction aborted (error -2)
+ WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]
+ Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c
+ CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+ RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]
+ RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027
+ RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840
+ RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998
+ R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe
+ R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80
+ FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0
+ Call Trace:
+ <TASK>
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? __warn+0x81/0x130
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? report_bug+0x171/0x1a0
+ ? handle_bug+0x3a/0x70
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ create_pending_snapshots+0x92/0xc0 [btrfs]
+ btrfs_commit_transaction+0x66b/0xf40 [btrfs]
+ btrfs_mksubvol+0x301/0x4d0 [btrfs]
+ btrfs_mksnapshot+0x80/0xb0 [btrfs]
+ __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
+ btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]
+ btrfs_ioctl+0x8a6/0x2650 [btrfs]
+ ? kmem_cache_free+0x22/0x340
+ ? do_sys_openat2+0x97/0xe0
+ __x64_sys_ioctl+0x97/0xd0
+ do_syscall_64+0x46/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+ RIP: 0033:0x7fe20abe83af
+ RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af
+ RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003
+ RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+ BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry
+ BTRFS info (device vdc: state EA): forced readonly
+ BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.
+ BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry
+
+This happens because create_pending_snapshot() initializes the new root
+item as a copy of the source root item. This includes the refs field,
+which is 0 for a deleted subvolume. The call to btrfs_insert_root()
+therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then
+finds the root and returns -ENOENT if refs == 0, which causes
+create_pending_snapshot() to abort.
+
+Fix it by checking the source root's refs before attempting the
+snapshot, but after locking subvol_sem to avoid racing with deletion.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 92a7cc425223
+ btrfs: rename BTRFS_ROOT_REF_COWS to BTRFS_ROOT_SHAREABLE ]
+Signed-off-by: Larry Bassel <larry.bassel@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -793,6 +793,9 @@ static int create_snapshot(struct btrfs_
+ if (!test_bit(BTRFS_ROOT_REF_COWS, &root->state))
+ return -EINVAL;
+
++ if (btrfs_root_refs(&root->root_item) == 0)
++ return -ENOENT;
++
+ if (atomic_read(&root->nr_swapfiles)) {
+ btrfs_warn(fs_info,
+ "cannot snapshot subvolume with active swapfile");
projects / thirdparty / kernel / stable-queue.git / commitdiff
