--- /dev/null
+From 985ddc2c3df5413ddbd285719d52d339d7530197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:59:30 +0800
+Subject: jbd2: do not clear the BH_Mapped flag when forgetting a metadata
+ buffer
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit c96dceeabf765d0b1b1f29c3bf50a5c01315b820 ]
+
+Commit 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from
+an older transaction") set the BH_Freed flag when forgetting a metadata
+buffer which belongs to the committing transaction, it indicate the
+committing process clear dirty bits when it is done with the buffer. But
+it also clear the BH_Mapped flag at the same time, which may trigger
+below NULL pointer oops when block_size < PAGE_SIZE.
+
+rmdir 1 kjournald2 mkdir 2
+ jbd2_journal_commit_transaction
+ commit transaction N
+jbd2_journal_forget
+set_buffer_freed(bh1)
+ jbd2_journal_commit_transaction
+ commit transaction N+1
+ ...
+ clear_buffer_mapped(bh1)
+ ext4_getblk(bh2 ummapped)
+ ...
+ grow_dev_page
+ init_page_buffers
+ bh1->b_private=NULL
+ bh2->b_private=NULL
+ jbd2_journal_put_journal_head(jh1)
+ __journal_remove_journal_head(hb1)
+ jh1 is NULL and trigger oops
+
+*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has
+ already been unmapped.
+
+For the metadata buffer we forgetting, we should always keep the mapped
+flag and clear the dirty flags is enough, so this patch pick out the
+these buffers and keep their BH_Mapped flag.
+
+Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com
+Fixes: 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from an older transaction")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 3fe9b7c27ce82..c321fa06081ce 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -980,12 +980,29 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * pagesize and it is attached to the last partial page.
+ */
+ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ struct address_space *mapping;
++
+ clear_buffer_freed(bh);
+ clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
++
++ /*
++ * Block device buffers need to stay mapped all the
++ * time, so it is enough to clear buffer_jbddirty and
++ * buffer_freed bits. For the file mapping buffers (i.e.
++ * journalled data) we need to unmap buffer and clear
++ * more bits. We also need to be careful about the check
++ * because the data page mapping can get cleared under
++ * out hands, which alse need not to clear more bits
++ * because the page and buffers will be freed and can
++ * never be reused once we are done with them.
++ */
++ mapping = READ_ONCE(bh->b_page->mapping);
++ if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb)) {
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
++ }
+ }
+
+ if (buffer_jbddirty(bh)) {
+--
+2.20.1
+
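Review bot: The new comment above the `mapping` check reads "cleared under out hands, which alse need not to clear more bits" — two typos in exactly the lines that explain why the mapped bit may be left alone; suggest `* because the data page mapping can get cleared under` / `* our hands, in which case we need not clear more bits`. The condition `if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb))` dereferences the READ_ONCE() snapshot; the comment covers the NULL case but not what keeps `mapping->host` valid for that dereference — presumably the buffer and page references held on the commit path, which is worth one sentence so the guard's scope is clear to the next reader. jbd2_journal_commit_transaction() continues on both sides of the hunk.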
--- /dev/null
+From 32b8069036845e8918fc0b7ae36f04335149c049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:59:29 +0800
+Subject: jbd2: move the clearing of b_modified flag to the
+ journal_unmap_buffer()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 ]
+
+There is no need to delay the clearing of b_modified flag to the
+transaction committing time when unmapping the journalled buffer, so
+just move it to the journal_unmap_buffer().
+
+Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 43 +++++++++++++++----------------------------
+ fs/jbd2/transaction.c | 10 ++++++----
+ 2 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 020bd7a0d8e03..3fe9b7c27ce82 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -971,34 +971,21 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * it. */
+
+ /*
+- * A buffer which has been freed while still being journaled by
+- * a previous transaction.
+- */
+- if (buffer_freed(bh)) {
+- /*
+- * If the running transaction is the one containing
+- * "add to orphan" operation (b_next_transaction !=
+- * NULL), we have to wait for that transaction to
+- * commit before we can really get rid of the buffer.
+- * So just clear b_modified to not confuse transaction
+- * credit accounting and refile the buffer to
+- * BJ_Forget of the running transaction. If the just
+- * committed transaction contains "add to orphan"
+- * operation, we can completely invalidate the buffer
+- * now. We are rather through in that since the
+- * buffer may be still accessible when blocksize <
+- * pagesize and it is attached to the last partial
+- * page.
+- */
+- jh->b_modified = 0;
+- if (!jh->b_next_transaction) {
+- clear_buffer_freed(bh);
+- clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
+- }
++ * A buffer which has been freed while still being journaled
++ * by a previous transaction, refile the buffer to BJ_Forget of
++ * the running transaction. If the just committed transaction
++ * contains "add to orphan" operation, we can completely
++ * invalidate the buffer now. We are rather through in that
++ * since the buffer may be still accessible when blocksize <
++ * pagesize and it is attached to the last partial page.
++ */
++ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ clear_buffer_freed(bh);
++ clear_buffer_jbddirty(bh);
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
+ }
+
+ if (buffer_jbddirty(bh)) {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 911ff18249b75..97ffe12a22624 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2228,14 +2228,16 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh,
+ return -EBUSY;
+ }
+ /*
+- * OK, buffer won't be reachable after truncate. We just set
+- * j_next_transaction to the running transaction (if there is
+- * one) and mark buffer as freed so that commit code knows it
+- * should clear dirty bits when it is done with the buffer.
++ * OK, buffer won't be reachable after truncate. We just clear
++ * b_modified to not confuse transaction credit accounting, and
++ * set j_next_transaction to the running transaction (if there
++ * is one) and mark buffer as freed so that commit code knows
++ * it should clear dirty bits when it is done with the buffer.
+ */
+ set_buffer_freed(bh);
+ if (journal->j_running_transaction && buffer_jbddirty(bh))
+ jh->b_next_transaction = journal->j_running_transaction;
++ jh->b_modified = 0;
+ jbd2_journal_put_journal_head(jh);
+ spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+--
+2.20.1
+
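Review bot: The rewritten comment in journal_unmap_buffer() still says "set j_next_transaction to the running transaction" while the field assigned three lines below is `jh->b_next_transaction`; suggest `* set b_next_transaction to the running transaction (if there`. The moved `jh->b_modified = 0;` now sits after the `b_next_transaction` assignment and before jbd2_journal_put_journal_head(); since the comment ties this clear to transaction credit accounting, noting that it happens before jbd_unlock_bh_state() releases the bh state lock would make the ordering intent explicit. The reflowed comment in commit.c also carries "We are rather through in that" over from the removed text, where "thorough" is evidently meant. Both journal_unmap_buffer() and jbd2_journal_commit_transaction() extend beyond their hunks.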
--- /dev/null
+From 73752ca2b178c46d690ea8e70c475fac720b468a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2020 09:37:42 -0800
+Subject: KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit f6ab0107a4942dbf9a5cf0cca3f37e184870a360 ]
+
+Define PT_MAX_FULL_LEVELS as PT64_ROOT_MAX_LEVEL, i.e. 5, to fix shadow
+paging for 5-level guest page tables. PT_MAX_FULL_LEVELS is used to
+size the arrays that track guest pages table information, i.e. using a
+"max levels" of 4 causes KVM to access garbage beyond the end of an
+array when querying state for level 5 entries. E.g. FNAME(gpte_changed)
+will read garbage and most likely return %true for a level 5 entry,
+soft-hanging the guest because FNAME(fetch) will restart the guest
+instead of creating SPTEs because it thinks the guest PTE has changed.
+
+Note, KVM doesn't yet support 5-level nested EPT, so PT_MAX_FULL_LEVELS
+gets to stay "4" for the PTTYPE_EPT case.
+
+Fixes: 855feb673640 ("KVM: MMU: Add 5 level EPT & Shadow page table support.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
+index 100ae4fabf170..61f10a4fd8074 100644
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -36,7 +36,7 @@
+ #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT
+ #define PT_HAVE_ACCESSED_DIRTY(mmu) true
+ #ifdef CONFIG_X86_64
+- #define PT_MAX_FULL_LEVELS 4
++ #define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL
+ #define CMPXCHG cmpxchg
+ #else
+ #define CMPXCHG cmpxchg64
+--
+2.20.1
+
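Review bot: The new `#define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL` carries no hint that it sizes the guest_walker arrays for 5-level guest page tables, which is the whole reason the literal 4 was wrong; suggest `/* sizes struct guest_walker arrays; must cover 5-level guest page tables */` on the line above it. The description says the PTTYPE_EPT variant deliberately stays at 4, so the same comment placed there (outside this hunk) would stop a future reader from "fixing" the mismatch in either direction. Whether PT64_ROOT_MAX_LEVEL is already visible at this point in paging_tmpl.h cannot be confirmed from the hunk.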
perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch
hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch
nfsv4.1-make-cachethis-no-for-writes.patch
+jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
+jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch
+kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch