--- /dev/null
+From 0db9ad5a756184317f060b473533cab82170767f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 11:12:46 -0400
+Subject: btrfs: don't show full path of bind mounts in subvol=
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 3ef3959b29c4a5bd65526ab310a1a18ae533172a ]
+
+Chris Murphy reported a problem where rpm ostree will bind mount a bunch
+of things for whatever voodoo it's doing. But when it does this
+/proc/mounts shows something like
+
+ /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
+ /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo/bar 0 0
+
+Despite subvolid=256 being subvol=/foo. This is because we're just
+spitting out the dentry of the mount point, which in the case of bind
+mounts is the source path for the mountpoint. Instead we should spit
+out the path to the actual subvol. Fix this by looking up the name for
+the subvolid we have mounted. With this fix the same test looks like
+this
+
+ /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
+ /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
+
+Reported-by: Chris Murphy <chris@colorremedies.com>
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/super.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index 3e6e21a7c5e6f..4d2810a32b4a9 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1282,6 +1282,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
+ {
+ struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb);
+ const char *compress_type;
++ const char *subvol_name;
+
+ if (btrfs_test_opt(info, DEGRADED))
+ seq_puts(seq, ",degraded");
+@@ -1366,8 +1367,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
+ seq_puts(seq, ",ref_verify");
+ seq_printf(seq, ",subvolid=%llu",
+ BTRFS_I(d_inode(dentry))->root->root_key.objectid);
+- seq_puts(seq, ",subvol=");
+- seq_dentry(seq, dentry, " \t\n\\");
++ subvol_name = btrfs_get_subvol_name_from_objectid(info,
++ BTRFS_I(d_inode(dentry))->root->root_key.objectid);
++ if (!IS_ERR(subvol_name)) {
++ seq_puts(seq, ",subvol=");
++ seq_escape(seq, subvol_name, " \t\n\\");
++ kfree(subvol_name);
++ }
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6b700d1726ecc543b9286a02b786d4ba96b899cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Feb 2020 14:56:12 +0100
+Subject: btrfs: export helpers for subvolume name/id resolution
+
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+
+[ Upstream commit c0c907a47dccf2cf26251a8fb4a8e7a3bf79ce84 ]
+
+The functions will be used outside of export.c and super.c to allow
+resolving subvolume name from a given id, eg. for subvolume deletion by
+id ioctl.
+
+Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ split from the next patch ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 2 ++
+ fs/btrfs/export.c | 8 ++++----
+ fs/btrfs/export.h | 5 +++++
+ fs/btrfs/super.c | 8 ++++----
+ 4 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 15cb96ad15d8c..554727d82d432 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -3271,6 +3271,8 @@ void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info);
+ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
+ unsigned long new_flags);
+ int btrfs_sync_fs(struct super_block *sb, int wait);
++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
++ u64 subvol_objectid);
+
+ static inline __printf(2, 3) __cold
+ void btrfs_no_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
+diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c
+index 1f3755b3a37ae..665ec85cb09b8 100644
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -57,9 +57,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len,
+ return type;
+ }
+
+-static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
+- u64 root_objectid, u32 generation,
+- int check_generation)
++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
++ u64 root_objectid, u32 generation,
++ int check_generation)
+ {
+ struct btrfs_fs_info *fs_info = btrfs_sb(sb);
+ struct btrfs_root *root;
+@@ -152,7 +152,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh,
+ return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1);
+ }
+
+-static struct dentry *btrfs_get_parent(struct dentry *child)
++struct dentry *btrfs_get_parent(struct dentry *child)
+ {
+ struct inode *dir = d_inode(child);
+ struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb);
+diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h
+index 57488ecd7d4ef..f32f4113c976a 100644
+--- a/fs/btrfs/export.h
++++ b/fs/btrfs/export.h
+@@ -18,4 +18,9 @@ struct btrfs_fid {
+ u64 parent_root_objectid;
+ } __attribute__ ((packed));
+
++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
++ u64 root_objectid, u32 generation,
++ int check_generation);
++struct dentry *btrfs_get_parent(struct dentry *child);
++
+ #endif
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index ed539496089f1..3e6e21a7c5e6f 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1000,8 +1000,8 @@ out:
+ return error;
+ }
+
+-static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
+- u64 subvol_objectid)
++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
++ u64 subvol_objectid)
+ {
+ struct btrfs_root *root = fs_info->tree_root;
+ struct btrfs_root *fs_root;
+@@ -1412,8 +1412,8 @@ static struct dentry *mount_subvol(const char *subvol_name, u64 subvol_objectid,
+ goto out;
+ }
+ }
+- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb),
+- subvol_objectid);
++ subvol_name = btrfs_get_subvol_name_from_objectid(
++ btrfs_sb(mnt->mnt_sb), subvol_objectid);
+ if (IS_ERR(subvol_name)) {
+ root = ERR_CAST(subvol_name);
+ subvol_name = NULL;
+--
+2.25.1
+
--- /dev/null
+From 7a17f9be6b8a112f55032069d951914fa2cf9bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 16:39:26 +0800
+Subject: btrfs: inode: fix NULL pointer dereference if inode doesn't need
+ compression
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 1e6e238c3002ea3611465ce5f32777ddd6a40126 ]
+
+[BUG]
+There is a bug report of NULL pointer dereference caused in
+compress_file_extent():
+
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs]
+ NIP [c008000006dd4d34] compress_file_range.constprop.41+0x75c/0x8a0 [btrfs]
+ LR [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs]
+ Call Trace:
+ [c000000c69093b00] [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] (unreliable)
+ [c000000c69093bd0] [c008000006dd4ebc] async_cow_start+0x44/0xa0 [btrfs]
+ [c000000c69093c10] [c008000006e14824] normal_work_helper+0xdc/0x598 [btrfs]
+ [c000000c69093c80] [c0000000001608c0] process_one_work+0x2c0/0x5b0
+ [c000000c69093d10] [c000000000160c38] worker_thread+0x88/0x660
+ [c000000c69093db0] [c00000000016b55c] kthread+0x1ac/0x1c0
+ [c000000c69093e20] [c00000000000b660] ret_from_kernel_thread+0x5c/0x7c
+ ---[ end trace f16954aa20d822f6 ]---
+
+[CAUSE]
+For the following execution route of compress_file_range(), it's
+possible to hit NULL pointer dereference:
+
+ compress_file_extent()
+ |- pages = NULL;
+ |- start = async_chunk->start = 0;
+ |- end = async_chunk = 4095;
+ |- nr_pages = 1;
+ |- inode_need_compress() == false; <<< Possible, see later explanation
+ | Now, we have nr_pages = 1, pages = NULL
+ |- cont:
+ |- ret = cow_file_range_inline();
+ |- if (ret <= 0) {
+ |- for (i = 0; i < nr_pages; i++) {
+ |- WARN_ON(pages[i]->mapping); <<< Crash
+
+To enter above call execution branch, we need the following race:
+
+ Thread 1 (chattr) | Thread 2 (writeback)
+--------------------------+------------------------------
+ | btrfs_run_delalloc_range
+ | |- inode_need_compress = true
+ | |- cow_file_range_async()
+btrfs_ioctl_set_flag() |
+|- binode_flags |= |
+ BTRFS_INODE_NOCOMPRESS |
+ | compress_file_range()
+ | |- inode_need_compress = false
+ | |- nr_page = 1 while pages = NULL
+ | | Then hit the crash
+
+[FIX]
+This patch will fix it by checking @pages before doing accessing it.
+This patch is only designed as a hot fix and easy to backport.
+
+More elegant fix may make btrfs only check inode_need_compress() once to
+avoid such race, but that would be another story.
+
+Reported-by: Luciano Chavez <chavez@us.ibm.com>
+Fixes: 4d3a800ebb12 ("btrfs: merge nr_pages input and output parameter in compress_pages")
+CC: stable@vger.kernel.org # 4.14.x: cecc8d9038d16: btrfs: Move free_pages_out label in inline extent handling branch in compress_file_range
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 8507192cd6449..bdfe159a60da6 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -629,11 +629,18 @@ cont:
+ page_error_op |
+ PAGE_END_WRITEBACK);
+
+- for (i = 0; i < nr_pages; i++) {
+- WARN_ON(pages[i]->mapping);
+- put_page(pages[i]);
++ /*
++ * Ensure we only free the compressed pages if we have
++ * them allocated, as we can still reach here with
++ * inode_need_compress() == false.
++ */
++ if (pages) {
++ for (i = 0; i < nr_pages; i++) {
++ WARN_ON(pages[i]->mapping);
++ put_page(pages[i]);
++ }
++ kfree(pages);
+ }
+- kfree(pages);
+
+ return;
+ }
+--
+2.25.1
+
--- /dev/null
+From cb8f203913edf450bee82e1187168a458998e8f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2019 14:41:45 +0300
+Subject: btrfs: Move free_pages_out label in inline extent handling branch in
+ compress_file_range
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit cecc8d9038d164eda61fbcd72520975a554ea63e ]
+
+This label is only executed if compress_file_range fails to create an
+inline extent. So move its code in the semantically related inline
+extent handling branch. No functional changes.
+
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 1656ef0e959f0..8507192cd6449 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -628,7 +628,14 @@ cont:
+ PAGE_SET_WRITEBACK |
+ page_error_op |
+ PAGE_END_WRITEBACK);
+- goto free_pages_out;
++
++ for (i = 0; i < nr_pages; i++) {
++ WARN_ON(pages[i]->mapping);
++ put_page(pages[i]);
++ }
++ kfree(pages);
++
++ return;
+ }
+ }
+
+@@ -706,13 +713,6 @@ cleanup_and_bail_uncompressed:
+ *num_added += 1;
+
+ return;
+-
+-free_pages_out:
+- for (i = 0; i < nr_pages; i++) {
+- WARN_ON(pages[i]->mapping);
+- put_page(pages[i]);
+- }
+- kfree(pages);
+ }
+
+ static void free_async_extent_pages(struct async_extent *async_extent)
+--
+2.25.1
+
--- /dev/null
+From 143b6a0ce035046e3b2ee2f52a0f733ea8ca10c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 10:17:50 -0400
+Subject: btrfs: sysfs: use NOFS for device creation
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+Dave hit this splat during testing btrfs/078:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.8.0-rc6-default+ #1191 Not tainted
+ ------------------------------------------------------
+ kswapd0/75 is trying to acquire lock:
+ ffffa040e9d04ff8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+
+ but task is already holding lock:
+ ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (fs_reclaim){+.+.}-{0:0}:
+ __lock_acquire+0x56f/0xaa0
+ lock_acquire+0xa3/0x440
+ fs_reclaim_acquire.part.0+0x25/0x30
+ __kmalloc_track_caller+0x49/0x330
+ kstrdup+0x2e/0x60
+ __kernfs_new_node.constprop.0+0x44/0x250
+ kernfs_new_node+0x25/0x50
+ kernfs_create_link+0x34/0xa0
+ sysfs_do_create_link_sd+0x5e/0xd0
+ btrfs_sysfs_add_devices_dir+0x65/0x100 [btrfs]
+ btrfs_init_new_device+0x44c/0x12b0 [btrfs]
+ btrfs_ioctl+0xc3c/0x25c0 [btrfs]
+ ksys_ioctl+0x68/0xa0
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x50/0xe0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}:
+ __lock_acquire+0x56f/0xaa0
+ lock_acquire+0xa3/0x440
+ __mutex_lock+0xa0/0xaf0
+ btrfs_chunk_alloc+0x137/0x3e0 [btrfs]
+ find_free_extent+0xb44/0xfb0 [btrfs]
+ btrfs_reserve_extent+0x9b/0x180 [btrfs]
+ btrfs_alloc_tree_block+0xc1/0x350 [btrfs]
+ alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs]
+ __btrfs_cow_block+0x143/0x7a0 [btrfs]
+ btrfs_cow_block+0x15f/0x310 [btrfs]
+ push_leaf_right+0x150/0x240 [btrfs]
+ split_leaf+0x3cd/0x6d0 [btrfs]
+ btrfs_search_slot+0xd14/0xf70 [btrfs]
+ btrfs_insert_empty_items+0x64/0xc0 [btrfs]
+ __btrfs_commit_inode_delayed_items+0xb2/0x840 [btrfs]
+ btrfs_async_run_delayed_root+0x10e/0x1d0 [btrfs]
+ btrfs_work_helper+0x2f9/0x650 [btrfs]
+ process_one_work+0x22c/0x600
+ worker_thread+0x50/0x3b0
+ kthread+0x137/0x150
+ ret_from_fork+0x1f/0x30
+
+ -> #0 (&delayed_node->mutex){+.+.}-{3:3}:
+ check_prev_add+0x98/0xa20
+ validate_chain+0xa8c/0x2a00
+ __lock_acquire+0x56f/0xaa0
+ lock_acquire+0xa3/0x440
+ __mutex_lock+0xa0/0xaf0
+ __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ btrfs_evict_inode+0x3bf/0x560 [btrfs]
+ evict+0xd6/0x1c0
+ dispose_list+0x48/0x70
+ prune_icache_sb+0x54/0x80
+ super_cache_scan+0x121/0x1a0
+ do_shrink_slab+0x175/0x420
+ shrink_slab+0xb1/0x2e0
+ shrink_node+0x192/0x600
+ balance_pgdat+0x31f/0x750
+ kswapd+0x206/0x510
+ kthread+0x137/0x150
+ ret_from_fork+0x1f/0x30
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ &delayed_node->mutex --> &fs_info->chunk_mutex --> fs_reclaim
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(fs_reclaim);
+ lock(&fs_info->chunk_mutex);
+ lock(fs_reclaim);
+ lock(&delayed_node->mutex);
+
+ *** DEADLOCK ***
+
+ 3 locks held by kswapd0/75:
+ #0: ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
+ #1: ffffffff8b0b50b8 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x54/0x2e0
+ #2: ffffa040e057c0e8 (&type->s_umount_key#26){++++}-{3:3}, at: trylock_super+0x16/0x50
+
+ stack backtrace:
+ CPU: 2 PID: 75 Comm: kswapd0 Not tainted 5.8.0-rc6-default+ #1191
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
+ Call Trace:
+ dump_stack+0x78/0xa0
+ check_noncircular+0x16f/0x190
+ check_prev_add+0x98/0xa20
+ validate_chain+0xa8c/0x2a00
+ __lock_acquire+0x56f/0xaa0
+ lock_acquire+0xa3/0x440
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ __mutex_lock+0xa0/0xaf0
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ ? __lock_acquire+0x56f/0xaa0
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ ? lock_acquire+0xa3/0x440
+ ? btrfs_evict_inode+0x138/0x560 [btrfs]
+ ? btrfs_evict_inode+0x2fe/0x560 [btrfs]
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs]
+ btrfs_evict_inode+0x3bf/0x560 [btrfs]
+ evict+0xd6/0x1c0
+ dispose_list+0x48/0x70
+ prune_icache_sb+0x54/0x80
+ super_cache_scan+0x121/0x1a0
+ do_shrink_slab+0x175/0x420
+ shrink_slab+0xb1/0x2e0
+ shrink_node+0x192/0x600
+ balance_pgdat+0x31f/0x750
+ kswapd+0x206/0x510
+ ? _raw_spin_unlock_irqrestore+0x3e/0x50
+ ? finish_wait+0x90/0x90
+ ? balance_pgdat+0x750/0x750
+ kthread+0x137/0x150
+ ? kthread_stop+0x2a0/0x2a0
+ ret_from_fork+0x1f/0x30
+
+This is because we're holding the chunk_mutex while adding this device
+and adding its sysfs entries. We actually hold different locks in
+different places when calling this function, the dev_replace semaphore
+for instance in dev replace, so instead of moving this call around
+simply wrap it's operations in NOFS.
+
+CC: stable@vger.kernel.org # 4.14+
+Reported-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index aefb0169d46d7..afec808a763b1 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -10,6 +10,7 @@
+ #include <linux/kobject.h>
+ #include <linux/bug.h>
+ #include <linux/debugfs.h>
++#include <linux/sched/mm.h>
+
+ #include "ctree.h"
+ #include "disk-io.h"
+@@ -766,7 +767,9 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices,
+ {
+ int error = 0;
+ struct btrfs_device *dev;
++ unsigned int nofs_flag;
+
++ nofs_flag = memalloc_nofs_save();
+ list_for_each_entry(dev, &fs_devices->devices, dev_list) {
+ struct hd_struct *disk;
+ struct kobject *disk_kobj;
+@@ -785,6 +788,7 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices,
+ if (error)
+ break;
+ }
++ memalloc_nofs_restore(nofs_flag);
+
+ return error;
+ }
+--
+2.25.1
+
--- /dev/null
+From bb8be1977a416b4885bbf0d77288ccae94ff5d50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 16:49:11 +0100
+Subject: drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset()
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ]
+
+drm_gem_dumb_map_offset() now exists and does everything
+vgem_gem_dump_map does and *ought* to do.
+
+In particular, vgem_gem_dumb_map() was trying to reject mmapping an
+imported dmabuf by checking the existence of obj->filp. Unfortunately,
+we always allocated an obj->filp, even if unused for an imported dmabuf.
+Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192
+("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the
+obj->import_attach to reject such invalid mmaps.
+
+This prevents vgem from allowing userspace mmapping the dumb handle and
+attempting to incorrectly fault in remote pages belonging to another
+device, where there may not even be a struct page.
+
+v2: Use the default drm_gem_dumb_map_offset() callback
+
+Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: <stable@vger.kernel.org> # v4.13+
+Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vgem/vgem_drv.c | 27 ---------------------------
+ 1 file changed, 27 deletions(-)
+
+diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
+index 4709f08f39e49..1c1a435d354bc 100644
+--- a/drivers/gpu/drm/vgem/vgem_drv.c
++++ b/drivers/gpu/drm/vgem/vgem_drv.c
+@@ -219,32 +219,6 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
+ return 0;
+ }
+
+-static int vgem_gem_dumb_map(struct drm_file *file, struct drm_device *dev,
+- uint32_t handle, uint64_t *offset)
+-{
+- struct drm_gem_object *obj;
+- int ret;
+-
+- obj = drm_gem_object_lookup(file, handle);
+- if (!obj)
+- return -ENOENT;
+-
+- if (!obj->filp) {
+- ret = -EINVAL;
+- goto unref;
+- }
+-
+- ret = drm_gem_create_mmap_offset(obj);
+- if (ret)
+- goto unref;
+-
+- *offset = drm_vma_node_offset_addr(&obj->vma_node);
+-unref:
+- drm_gem_object_put_unlocked(obj);
+-
+- return ret;
+-}
+-
+ static struct drm_ioctl_desc vgem_ioctls[] = {
+ DRM_IOCTL_DEF_DRV(VGEM_FENCE_ATTACH, vgem_fence_attach_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
+ DRM_IOCTL_DEF_DRV(VGEM_FENCE_SIGNAL, vgem_fence_signal_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
+@@ -438,7 +412,6 @@ static struct drm_driver vgem_driver = {
+ .fops = &vgem_driver_fops,
+
+ .dumb_create = vgem_gem_dumb_create,
+- .dumb_map_offset = vgem_gem_dumb_map,
+
+ .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
+ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+--
+2.25.1
+
--- /dev/null
+From a4ac88ba85a777def653bcc65ab7a96f4f0028e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 17:42:02 -0700
+Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
+
+From: Hugh Dickins <hughd@google.com>
+
+[ Upstream commit f3f99d63a8156c7a4a6b20aac22b53c5579c7dc1 ]
+
+syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in
+__khugepaged_enter(): yes, when one thread is about to dump core, has set
+core_state, and is waiting for others, another might do something calling
+__khugepaged_enter(), which now crashes because I lumped the core_state
+test (known as "mmget_still_valid") into khugepaged_test_exit(). I still
+think it's best to lump them together, so just in this exceptional case,
+check mm->mm_users directly instead of khugepaged_test_exit().
+
+Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Yang Shi <shy828301@gmail.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: <stable@vger.kernel.org> [4.8+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index fbb3ac9ce0869..f37be43f8caeb 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -427,7 +427,7 @@ int __khugepaged_enter(struct mm_struct *mm)
+ return -ENOMEM;
+
+ /* __khugepaged_exit() must not run from under us */
+- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm);
++ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm);
+ if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) {
+ free_mm_slot(mm_slot);
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From fd371da9fd45165f512a1d17d0ce95910a5d7cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 23:26:25 -0700
+Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid()
+
+From: Hugh Dickins <hughd@google.com>
+
+[ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ]
+
+Move collapse_huge_page()'s mmget_still_valid() check into
+khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP
+only, and earned its mmget_still_valid() check because it inserts a huge
+pmd entry in place of the page table's pmd entry; whereas
+collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp()
+merely clears the page table's pmd entry. But core dumping without mmap
+lock must have been as open to mistaking a racily cleared pmd entry for a
+page table at physical page 0, as exit_mmap() was. And we certainly have
+no interest in mapping as a THP once dumping core.
+
+Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: <stable@vger.kernel.org> [4.8+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 483c4573695a9..fbb3ac9ce0869 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -394,7 +394,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm,
+
+ static inline int khugepaged_test_exit(struct mm_struct *mm)
+ {
+- return atomic_read(&mm->mm_users) == 0;
++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm);
+ }
+
+ static bool hugepage_vma_check(struct vm_area_struct *vma,
+@@ -1005,9 +1005,6 @@ static void collapse_huge_page(struct mm_struct *mm,
+ * handled by the anon_vma lock + PG_lock.
+ */
+ down_write(&mm->mmap_sem);
+- result = SCAN_ANY_PROCESS;
+- if (!mmget_still_valid(mm))
+- goto out;
+ result = hugepage_vma_revalidate(mm, address, &vma);
+ if (result)
+ goto out;
+--
+2.25.1
+
--- /dev/null
+From 72d90cd20c235d5f5ebe3befb9ea9790a8d7dd25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 22:11:23 +0900
+Subject: perf probe: Fix memory leakage when the probe point is not found
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 12d572e785b15bc764e956caaa8a4c846fd15694 ]
+
+Fix the memory leakage in debuginfo__find_trace_events() when the probe
+point is not found in the debuginfo. If there is no probe point found in
+the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
+
+Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
+release the allocated memory for the array of struct probe_trace_event.
+
+The current code releases the memory only if the debuginfo__find_probes()
+hits an error but not checks tf.ntevs. In the result, the memory allocated
+on *tevs are not released if tf.ntevs == 0.
+
+This fixes the memory leakage by checking tf.ntevs == 0 in addition to
+ret < 0.
+
+Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 60169196b9481..4da4ec2552463 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1351,7 +1351,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg,
+ tf.ntevs = 0;
+
+ ret = debuginfo__find_probes(dbg, &tf.pf);
+- if (ret < 0) {
++ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+ zfree(tevs);
+--
+2.25.1
+
--- /dev/null
+drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch
+perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
+khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
+khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
+btrfs-export-helpers-for-subvolume-name-id-resolutio.patch
+btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
+btrfs-move-free_pages_out-label-in-inline-extent-han.patch
+btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch
+btrfs-sysfs-use-nofs-for-device-creation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
