From: Greg Kroah-Hartman Date: Mon, 19 Nov 2018 13:00:02 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.3~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=021b145f042d5f00ff67e9cd0da2d16a42c62a9f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arch-alpha-termios-implement-bother-ibshift-and-termios2.patch arm-cpuidle-don-t-register-the-driver-when-back-end-init-returns-enxio.patch btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch btrfs-fix-missing-data-checksums-after-a-ranged-fsync-msync.patch btrfs-fix-pinned-underflow-after-transaction-aborted.patch btrfs-tree-checker-fix-misleading-group-system-information.patch clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch ext4-add-missing-brelse-update_backups-s-error-path.patch ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch ext4-missing-bh-check-in-ext4_xattr_inode_write.patch ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch fanotify-fix-handling-of-events-on-child-sub-directory.patch fuse-fix-leaked-notify-reply.patch fuse-fix-possibly-missed-wake-up-after-abort.patch fuse-fix-use-after-free-in-fuse_direct_io.patch gfs2-fix-metadata-read-ahead-during-truncate-2.patch gfs2-put-bitmap-buffers-in-put_super.patch hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch kdb-use-correct-pointer-when-btc-calls-btt.patch lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch libata-blacklist-samsung-mz7td256hafv-000l9-ssd.patch mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch mnt-fix-__detach_mounts-infinite-loop.patch mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch mount-retest-mnt_locked-in-do_umount.patch nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch nfsv4-don-t-exit-the-state-manager-without-clearing-nfs4clnt_manager_running.patch rtc-hctosys-add-missing-range-error-reporting.patch selinux-check-length-properly-in-sctp-bind-hook.patch sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch termios-tty-tty_baudrate.c-fix-buffer-overrun.patch uapi-fix-linux-kfd_ioctl.h-userspace-compilation-errors.patch watchdog-core-add-missing-prototypes-for-weak-functions.patch x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch x86-hyper-v-enable-pit-shutdown-quirk.patch --- diff --git a/queue-4.19/arch-alpha-termios-implement-bother-ibshift-and-termios2.patch b/queue-4.19/arch-alpha-termios-implement-bother-ibshift-and-termios2.patch new file mode 100644 index 00000000000..844f8282a0c --- /dev/null +++ b/queue-4.19/arch-alpha-termios-implement-bother-ibshift-and-termios2.patch @@ -0,0 +1,121 @@ +From d0ffb805b729322626639336986bc83fc2e60871 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin (Intel)" +Date: Mon, 22 Oct 2018 09:19:05 -0700 +Subject: arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 + +From: H. Peter Anvin (Intel) + +commit d0ffb805b729322626639336986bc83fc2e60871 upstream. + +Alpha has had c_ispeed and c_ospeed, but still set speeds in c_cflags +using arbitrary flags. Because BOTHER is not defined, the general +Linux code doesn't allow setting arbitrary baud rates, and because +CBAUDEX == 0, we can have an array overrun of the baud_rate[] table in +drivers/tty/tty_baudrate.c if (c_cflags & CBAUD) == 037. + +Resolve both problems by #defining BOTHER to 037 on Alpha. + +However, userspace still needs to know if setting BOTHER is actually +safe given legacy kernels (does anyone actually care about that on +Alpha anymore?), so enable the TCGETS2/TCSETS*2 ioctls on Alpha, even +though they use the same structure. Define struct termios2 just for +compatibility; it is the exact same structure as struct termios. In a +future patchset, this will be cleaned up so the uapi headers are +usable from libc. + +Signed-off-by: H. Peter Anvin (Intel) +Cc: Jiri Slaby +Cc: Al Viro +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: Matt Turner +Cc: Thomas Gleixner +Cc: Kate Stewart +Cc: Philippe Ombredanne +Cc: Eugene Syromiatnikov +Cc: +Cc: +Cc: Johan Hovold +Cc: Alan Cox +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/include/asm/termios.h | 8 +++++++- + arch/alpha/include/uapi/asm/ioctls.h | 5 +++++ + arch/alpha/include/uapi/asm/termbits.h | 17 +++++++++++++++++ + 3 files changed, 29 insertions(+), 1 deletion(-) + +--- a/arch/alpha/include/asm/termios.h ++++ b/arch/alpha/include/asm/termios.h +@@ -73,9 +73,15 @@ + }) + + #define user_termios_to_kernel_termios(k, u) \ +- copy_from_user(k, u, sizeof(struct termios)) ++ copy_from_user(k, u, sizeof(struct termios2)) + + #define kernel_termios_to_user_termios(u, k) \ ++ copy_to_user(u, k, sizeof(struct termios2)) ++ ++#define user_termios_to_kernel_termios_1(k, u) \ ++ copy_from_user(k, u, sizeof(struct termios)) ++ ++#define kernel_termios_to_user_termios_1(u, k) \ + copy_to_user(u, k, sizeof(struct termios)) + + #endif /* _ALPHA_TERMIOS_H */ +--- a/arch/alpha/include/uapi/asm/ioctls.h ++++ b/arch/alpha/include/uapi/asm/ioctls.h +@@ -32,6 +32,11 @@ + #define TCXONC _IO('t', 30) + #define TCFLSH _IO('t', 31) + ++#define TCGETS2 _IOR('T', 42, struct termios2) ++#define TCSETS2 _IOW('T', 43, struct termios2) ++#define TCSETSW2 _IOW('T', 44, struct termios2) ++#define TCSETSF2 _IOW('T', 45, struct termios2) ++ + #define TIOCSWINSZ _IOW('t', 103, struct winsize) + #define TIOCGWINSZ _IOR('t', 104, struct winsize) + #define TIOCSTART _IO('t', 110) /* start output, like ^Q */ +--- a/arch/alpha/include/uapi/asm/termbits.h ++++ b/arch/alpha/include/uapi/asm/termbits.h +@@ -26,6 +26,19 @@ struct termios { + speed_t c_ospeed; /* output speed */ + }; + ++/* Alpha has identical termios and termios2 */ ++ ++struct termios2 { ++ tcflag_t c_iflag; /* input mode flags */ ++ tcflag_t c_oflag; /* output mode flags */ ++ tcflag_t c_cflag; /* control mode flags */ ++ tcflag_t c_lflag; /* local mode flags */ ++ cc_t c_cc[NCCS]; /* control characters */ ++ cc_t c_line; /* line discipline (== c_cc[19]) */ ++ speed_t c_ispeed; /* input speed */ ++ speed_t c_ospeed; /* output speed */ ++}; ++ + /* Alpha has matching termios and ktermios */ + + struct ktermios { +@@ -152,6 +165,7 @@ struct ktermios { + #define B3000000 00034 + #define B3500000 00035 + #define B4000000 00036 ++#define BOTHER 00037 + + #define CSIZE 00001400 + #define CS5 00000000 +@@ -169,6 +183,9 @@ struct ktermios { + #define CMSPAR 010000000000 /* mark or space (stick) parity */ + #define CRTSCTS 020000000000 /* flow control */ + ++#define CIBAUD 07600000 ++#define IBSHIFT 16 ++ + /* c_lflag bits */ + #define ISIG 0x00000080 + #define ICANON 0x00000100 diff --git a/queue-4.19/arm-cpuidle-don-t-register-the-driver-when-back-end-init-returns-enxio.patch b/queue-4.19/arm-cpuidle-don-t-register-the-driver-when-back-end-init-returns-enxio.patch new file mode 100644 index 00000000000..a456377a131 --- /dev/null +++ b/queue-4.19/arm-cpuidle-don-t-register-the-driver-when-back-end-init-returns-enxio.patch @@ -0,0 +1,71 @@ +From 763f191af51f127cf8e69cd361f50bf6180768a5 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Thu, 1 Nov 2018 13:22:38 +0100 +Subject: ARM: cpuidle: Don't register the driver when back-end init returns -ENXIO + +From: Ulf Hansson + +commit 763f191af51f127cf8e69cd361f50bf6180768a5 upstream. + +There's no point to register the cpuidle driver for the current CPU, when +the initialization of the arch specific back-end data fails by returning +-ENXIO. + +Instead, let's re-order the sequence to its original flow, by first trying +to initialize the back-end part and then act accordingly on the returned +error code. Additionally, let's print the error message, no matter of what +error code that was returned. + +Fixes: a0d46a3dfdc3 (ARM: cpuidle: Register per cpuidle device) +Signed-off-by: Ulf Hansson +Reviewed-by: Daniel Lezcano +Cc: 4.19+ # v4.19+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/cpuidle-arm.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/drivers/cpuidle/cpuidle-arm.c ++++ b/drivers/cpuidle/cpuidle-arm.c +@@ -103,13 +103,6 @@ static int __init arm_idle_init_cpu(int + goto out_kfree_drv; + } + +- ret = cpuidle_register_driver(drv); +- if (ret) { +- if (ret != -EBUSY) +- pr_err("Failed to register cpuidle driver\n"); +- goto out_kfree_drv; +- } +- + /* + * Call arch CPU operations in order to initialize + * idle states suspend back-end specific data +@@ -117,15 +110,20 @@ static int __init arm_idle_init_cpu(int + ret = arm_cpuidle_init(cpu); + + /* +- * Skip the cpuidle device initialization if the reported ++ * Allow the initialization to continue for other CPUs, if the reported + * failure is a HW misconfiguration/breakage (-ENXIO). + */ +- if (ret == -ENXIO) +- return 0; +- + if (ret) { + pr_err("CPU %d failed to init idle CPU ops\n", cpu); +- goto out_unregister_drv; ++ ret = ret == -ENXIO ? 0 : ret; ++ goto out_kfree_drv; ++ } ++ ++ ret = cpuidle_register_driver(drv); ++ if (ret) { ++ if (ret != -EBUSY) ++ pr_err("Failed to register cpuidle driver\n"); ++ goto out_kfree_drv; + } + + dev = kzalloc(sizeof(*dev), GFP_KERNEL); diff --git a/queue-4.19/btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch b/queue-4.19/btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch new file mode 100644 index 00000000000..a1c81387e7b --- /dev/null +++ b/queue-4.19/btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch @@ -0,0 +1,77 @@ +From 506481b20e818db40b6198815904ecd2d6daee64 Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Tue, 30 Oct 2018 18:04:04 +0800 +Subject: Btrfs: fix cur_offset in the error case for nocow + +From: Robbie Ko + +commit 506481b20e818db40b6198815904ecd2d6daee64 upstream. + +When the cow_file_range fails, the related resources are unlocked +according to the range [start..end), so the unlock cannot be repeated in +run_delalloc_nocow. + +In some cases (e.g. cur_offset <= end && cow_start != -1), cur_offset is +not updated correctly, so move the cur_offset update before +cow_file_range. + + kernel BUG at mm/page-writeback.c:2663! + Internal error: Oops - BUG: 0 [#1] SMP + CPU: 3 PID: 31525 Comm: kworker/u8:7 Tainted: P O + Hardware name: Realtek_RTD1296 (DT) + Workqueue: writeback wb_workfn (flush-btrfs-1) + task: ffffffc076db3380 ti: ffffffc02e9ac000 task.ti: ffffffc02e9ac000 + PC is at clear_page_dirty_for_io+0x1bc/0x1e8 + LR is at clear_page_dirty_for_io+0x14/0x1e8 + pc : [] lr : [] pstate: 40000145 + sp : ffffffc02e9af4f0 + Process kworker/u8:7 (pid: 31525, stack limit = 0xffffffc02e9ac020) + Call trace: + [] clear_page_dirty_for_io+0x1bc/0x1e8 + [] extent_clear_unlock_delalloc+0x1e4/0x210 [btrfs] + [] run_delalloc_nocow+0x3b8/0x948 [btrfs] + [] run_delalloc_range+0x250/0x3a8 [btrfs] + [] writepage_delalloc.isra.21+0xbc/0x1d8 [btrfs] + [] __extent_writepage+0xe8/0x248 [btrfs] + [] extent_write_cache_pages.isra.17+0x164/0x378 [btrfs] + [] extent_writepages+0x48/0x68 [btrfs] + [] btrfs_writepages+0x20/0x30 [btrfs] + [] do_writepages+0x30/0x88 + [] __writeback_single_inode+0x34/0x198 + [] writeback_sb_inodes+0x184/0x3c0 + [] __writeback_inodes_wb+0x6c/0xc0 + [] wb_writeback+0x1b8/0x1c0 + [] wb_workfn+0x150/0x250 + [] process_one_work+0x1dc/0x388 + [] worker_thread+0x130/0x500 + [] kthread+0x10c/0x110 + [] ret_from_fork+0x10/0x40 + Code: d503201f a9025bb5 a90363b7 f90023b9 (d4210000) + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Signed-off-by: Robbie Ko +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1532,12 +1532,11 @@ out_check: + } + btrfs_release_path(path); + +- if (cur_offset <= end && cow_start == (u64)-1) { ++ if (cur_offset <= end && cow_start == (u64)-1) + cow_start = cur_offset; +- cur_offset = end; +- } + + if (cow_start != (u64)-1) { ++ cur_offset = end; + ret = cow_file_range(inode, locked_page, cow_start, end, end, + page_started, nr_written, 1, NULL); + if (ret) diff --git a/queue-4.19/btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch b/queue-4.19/btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch new file mode 100644 index 00000000000..afaa36b1fce --- /dev/null +++ b/queue-4.19/btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch @@ -0,0 +1,98 @@ +From ac765f83f1397646c11092a032d4f62c3d478b81 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 5 Nov 2018 11:14:17 +0000 +Subject: Btrfs: fix data corruption due to cloning of eof block + +From: Filipe Manana + +commit ac765f83f1397646c11092a032d4f62c3d478b81 upstream. + +We currently allow cloning a range from a file which includes the last +block of the file even if the file's size is not aligned to the block +size. This is fine and useful when the destination file has the same size, +but when it does not and the range ends somewhere in the middle of the +destination file, it leads to corruption because the bytes between the EOF +and the end of the block have undefined data (when there is support for +discard/trimming they have a value of 0x00). + +Example: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ export foo_size=$((256 * 1024 + 100)) + $ xfs_io -f -c "pwrite -S 0x3c 0 $foo_size" /mnt/foo + $ xfs_io -f -c "pwrite -S 0xb5 0 1M" /mnt/bar + + $ xfs_io -c "reflink /mnt/foo 0 512K $foo_size" /mnt/bar + + $ od -A d -t x1 /mnt/bar + 0000000 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 + * + 0524288 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c + * + 0786528 3c 3c 3c 3c 00 00 00 00 00 00 00 00 00 00 00 00 + 0786544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + * + 0790528 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 + * + 1048576 + +The bytes in the range from 786532 (512Kb + 256Kb + 100 bytes) to 790527 +(512Kb + 256Kb + 4Kb - 1) got corrupted, having now a value of 0x00 instead +of 0xb5. + +This is similar to the problem we had for deduplication that got recently +fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when +deduplicating between different files"). + +Fix this by not allowing such operations to be performed and return the +errno -EINVAL to user space. This is what XFS is doing as well at the VFS +level. This change however now makes us return -EINVAL instead of +-EOPNOTSUPP for cases where the source range maps to an inline extent and +the destination range's end is smaller then the destination file's size, +since the detection of inline extents is done during the actual process of +dropping file extent items (at __btrfs_drop_extents()). Returning the +-EINVAL error is done early on and solely based on the input parameters +(offsets and length) and destination file's size. This makes us consistent +with XFS and anyone else supporting cloning since this case is now checked +at a higher level in the VFS and is where the -EINVAL will be returned +from starting with kernel 4.20 (the VFS changed was introduced in 4.20-rc1 +by commit 07d19dc9fbe9 ("vfs: avoid problematic remapping requests into +partial EOF block"). So this change is more geared towards stable kernels, +as it's unlikely the new VFS checks get removed intentionally. + +A test case for fstests follows soon, as well as an update to filter +existing tests that expect -EOPNOTSUPP to accept -EINVAL as well. + +CC: # 4.4+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4280,9 +4280,17 @@ static noinline int btrfs_clone_files(st + goto out_unlock; + if (len == 0) + olen = len = src->i_size - off; +- /* if we extend to eof, continue to block boundary */ +- if (off + len == src->i_size) ++ /* ++ * If we extend to eof, continue to block boundary if and only if the ++ * destination end offset matches the destination file's size, otherwise ++ * we would be corrupting data by placing the eof block into the middle ++ * of a file. ++ */ ++ if (off + len == src->i_size) { ++ if (!IS_ALIGNED(len, bs) && destoff + len < inode->i_size) ++ goto out_unlock; + len = ALIGN(src->i_size, bs) - off; ++ } + + if (len == 0) { + ret = 0; diff --git a/queue-4.19/btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch b/queue-4.19/btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch new file mode 100644 index 00000000000..095d1c08943 --- /dev/null +++ b/queue-4.19/btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch @@ -0,0 +1,176 @@ +From 11023d3f5fdf89bba5e1142127701ca6e6014587 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 5 Nov 2018 11:14:05 +0000 +Subject: Btrfs: fix infinite loop on inode eviction after deduplication of eof block + +From: Filipe Manana + +commit 11023d3f5fdf89bba5e1142127701ca6e6014587 upstream. + +If we attempt to deduplicate the last block of a file A into the middle of +a file B, and file A's size is not a multiple of the block size, we end +rounding the deduplication length to 0 bytes, to avoid the data corruption +issue fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when +deduplicating between different files"). However a length of zero will +cause the insertion of an extent state with a start value greater (by 1) +then the end value, leading to a corrupt extent state that will trigger a +warning and cause chaos such as an infinite loop during inode eviction. +Example trace: + + [96049.833585] ------------[ cut here ]------------ + [96049.833714] WARNING: CPU: 0 PID: 24448 at fs/btrfs/extent_io.c:436 insert_state+0x101/0x120 [btrfs] + [96049.833767] CPU: 0 PID: 24448 Comm: xfs_io Not tainted 4.19.0-rc7-btrfs-next-39 #1 + [96049.833768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [96049.833780] RIP: 0010:insert_state+0x101/0x120 [btrfs] + [96049.833783] RSP: 0018:ffffafd2c3707af0 EFLAGS: 00010282 + [96049.833785] RAX: 0000000000000000 RBX: 000000000004dfff RCX: 0000000000000006 + [96049.833786] RDX: 0000000000000007 RSI: ffff99045c143230 RDI: ffff99047b2168a0 + [96049.833787] RBP: ffff990457851cd0 R08: 0000000000000001 R09: 0000000000000000 + [96049.833787] R10: ffffafd2c3707ab8 R11: 0000000000000000 R12: ffff9903b93b12c8 + [96049.833788] R13: 000000000004e000 R14: ffffafd2c3707b80 R15: ffffafd2c3707b78 + [96049.833790] FS: 00007f5c14e7d700(0000) GS:ffff99047b200000(0000) knlGS:0000000000000000 + [96049.833791] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [96049.833792] CR2: 00007f5c146abff8 CR3: 0000000115f4c004 CR4: 00000000003606f0 + [96049.833795] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [96049.833796] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [96049.833796] Call Trace: + [96049.833809] __set_extent_bit+0x46c/0x6a0 [btrfs] + [96049.833823] lock_extent_bits+0x6b/0x210 [btrfs] + [96049.833831] ? _raw_spin_unlock+0x24/0x30 + [96049.833841] ? test_range_bit+0xdf/0x130 [btrfs] + [96049.833853] lock_extent_range+0x8e/0x150 [btrfs] + [96049.833864] btrfs_double_extent_lock+0x78/0xb0 [btrfs] + [96049.833875] btrfs_extent_same_range+0x14e/0x550 [btrfs] + [96049.833885] ? rcu_read_lock_sched_held+0x3f/0x70 + [96049.833890] ? __kmalloc_node+0x2b0/0x2f0 + [96049.833899] ? btrfs_dedupe_file_range+0x19a/0x280 [btrfs] + [96049.833909] btrfs_dedupe_file_range+0x270/0x280 [btrfs] + [96049.833916] vfs_dedupe_file_range_one+0xd9/0xe0 + [96049.833919] vfs_dedupe_file_range+0x131/0x1b0 + [96049.833924] do_vfs_ioctl+0x272/0x6e0 + [96049.833927] ? __fget+0x113/0x200 + [96049.833931] ksys_ioctl+0x70/0x80 + [96049.833933] __x64_sys_ioctl+0x16/0x20 + [96049.833937] do_syscall_64+0x60/0x1b0 + [96049.833939] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [96049.833941] RIP: 0033:0x7f5c1478ddd7 + [96049.833943] RSP: 002b:00007ffe15b196a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 + [96049.833945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1478ddd7 + [96049.833946] RDX: 00005625ece322d0 RSI: 00000000c0189436 RDI: 0000000000000004 + [96049.833947] RBP: 0000000000000000 R08: 00007f5c14a46f48 R09: 0000000000000040 + [96049.833948] R10: 0000000000000541 R11: 0000000000000202 R12: 0000000000000000 + [96049.833949] R13: 0000000000000000 R14: 0000000000000004 R15: 00005625ece322d0 + [96049.833954] irq event stamp: 6196 + [96049.833956] hardirqs last enabled at (6195): [] console_unlock+0x503/0x640 + [96049.833958] hardirqs last disabled at (6196): [] trace_hardirqs_off_thunk+0x1a/0x1c + [96049.833959] softirqs last enabled at (6114): [] __do_softirq+0x370/0x421 + [96049.833964] softirqs last disabled at (6095): [] irq_exit+0xcd/0xe0 + [96049.833965] ---[ end trace db7b05f01b7fa10c ]--- + [96049.935816] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910 + [96049.935822] irq event stamp: 6584 + [96049.935823] hardirqs last enabled at (6583): [] console_unlock+0x503/0x640 + [96049.935825] hardirqs last disabled at (6584): [] trace_hardirqs_off_thunk+0x1a/0x1c + [96049.935827] softirqs last enabled at (6328): [] __do_softirq+0x370/0x421 + [96049.935828] softirqs last disabled at (6313): [] irq_exit+0xcd/0xe0 + [96049.935829] ---[ end trace db7b05f01b7fa123 ]--- + [96049.935840] ------------[ cut here ]------------ + [96049.936065] WARNING: CPU: 1 PID: 24463 at fs/btrfs/extent_io.c:436 insert_state+0x101/0x120 [btrfs] + [96049.936107] CPU: 1 PID: 24463 Comm: umount Tainted: G W 4.19.0-rc7-btrfs-next-39 #1 + [96049.936108] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [96049.936117] RIP: 0010:insert_state+0x101/0x120 [btrfs] + [96049.936119] RSP: 0018:ffffafd2c3637bc0 EFLAGS: 00010282 + [96049.936120] RAX: 0000000000000000 RBX: 000000000004dfff RCX: 0000000000000006 + [96049.936121] RDX: 0000000000000007 RSI: ffff990445cf88e0 RDI: ffff99047b2968a0 + [96049.936122] RBP: ffff990457851cd0 R08: 0000000000000001 R09: 0000000000000000 + [96049.936123] R10: ffffafd2c3637b88 R11: 0000000000000000 R12: ffff9904574301e8 + [96049.936124] R13: 000000000004e000 R14: ffffafd2c3637c50 R15: ffffafd2c3637c48 + [96049.936125] FS: 00007fe4b87e72c0(0000) GS:ffff99047b280000(0000) knlGS:0000000000000000 + [96049.936126] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [96049.936128] CR2: 00005562e52618d8 CR3: 00000001151c8005 CR4: 00000000003606e0 + [96049.936129] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [96049.936131] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [96049.936131] Call Trace: + [96049.936141] __set_extent_bit+0x46c/0x6a0 [btrfs] + [96049.936154] lock_extent_bits+0x6b/0x210 [btrfs] + [96049.936167] btrfs_evict_inode+0x1e1/0x5a0 [btrfs] + [96049.936172] evict+0xbf/0x1c0 + [96049.936174] dispose_list+0x51/0x80 + [96049.936176] evict_inodes+0x193/0x1c0 + [96049.936180] generic_shutdown_super+0x3f/0x110 + [96049.936182] kill_anon_super+0xe/0x30 + [96049.936189] btrfs_kill_super+0x13/0x100 [btrfs] + [96049.936191] deactivate_locked_super+0x3a/0x70 + [96049.936193] cleanup_mnt+0x3b/0x80 + [96049.936195] task_work_run+0x93/0xc0 + [96049.936198] exit_to_usermode_loop+0xfa/0x100 + [96049.936201] do_syscall_64+0x17f/0x1b0 + [96049.936202] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [96049.936204] RIP: 0033:0x7fe4b80cfb37 + [96049.936206] RSP: 002b:00007ffff092b688 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + [96049.936207] RAX: 0000000000000000 RBX: 00005562e5259060 RCX: 00007fe4b80cfb37 + [96049.936208] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005562e525faa0 + [96049.936209] RBP: 00005562e525faa0 R08: 00005562e525f770 R09: 0000000000000015 + [96049.936210] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007fe4b85d1e64 + [96049.936211] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910 + [96049.936211] R13: 0000000000000000 R14: 00005562e5259240 R15: 00007ffff092b910 + [96049.936216] irq event stamp: 6616 + [96049.936219] hardirqs last enabled at (6615): [] console_unlock+0x503/0x640 + [96049.936219] hardirqs last disabled at (6616): [] trace_hardirqs_off_thunk+0x1a/0x1c + [96049.936222] softirqs last enabled at (6328): [] __do_softirq+0x370/0x421 + [96049.936222] softirqs last disabled at (6313): [] irq_exit+0xcd/0xe0 + [96049.936223] ---[ end trace db7b05f01b7fa124 ]--- + +The second stack trace, from inode eviction, is repeated forever due to +the infinite loop during eviction. + +This is the same type of problem fixed way back in 2015 by commit +113e8283869b ("Btrfs: fix inode eviction infinite loop after extent_same +ioctl") and commit ccccf3d67294 ("Btrfs: fix inode eviction infinite loop +after cloning into it"). + +So fix this by returning immediately if the deduplication range length +gets rounded down to 0 bytes, as there is nothing that needs to be done in +such case. + +Example reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ xfs_io -f -c "pwrite -S 0xe6 0 100" /mnt/foo + $ xfs_io -f -c "pwrite -S 0xe6 0 1M" /mnt/bar + + # Unmount the filesystem and mount it again so that we start without any + # extent state records when we ask for the deduplication. + $ umount /mnt + $ mount /dev/sdb /mnt + + $ xfs_io -c "dedupe /mnt/foo 0 500K 100" /mnt/bar + + # This unmount triggers the infinite loop. + $ umount /mnt + +A test case for fstests will follow soon. + +Fixes: de02b9f6bb65 ("Btrfs: fix data corruption when deduplicating between different files") +CC: # 4.19+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3489,6 +3489,8 @@ static int btrfs_extent_same_range(struc + const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize; + + len = round_down(i_size_read(src), sz) - loff; ++ if (len == 0) ++ return 0; + olen = len; + } + } diff --git a/queue-4.19/btrfs-fix-missing-data-checksums-after-a-ranged-fsync-msync.patch b/queue-4.19/btrfs-fix-missing-data-checksums-after-a-ranged-fsync-msync.patch new file mode 100644 index 00000000000..ac118aef9fb --- /dev/null +++ b/queue-4.19/btrfs-fix-missing-data-checksums-after-a-ranged-fsync-msync.patch @@ -0,0 +1,129 @@ +From 008c6753f7e070c77c70d708a6bf0255b4381763 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 29 Oct 2018 09:42:06 +0000 +Subject: Btrfs: fix missing data checksums after a ranged fsync (msync) + +From: Filipe Manana + +commit 008c6753f7e070c77c70d708a6bf0255b4381763 upstream. + +Recently we got a massive simplification for fsync, where for the fast +path we no longer log new extents while their respective ordered extents +are still running. + +However that simplification introduced a subtle regression for the case +where we use a ranged fsync (msync). Consider the following example: + + CPU 0 CPU 1 + + mmap write to range [2Mb, 4Mb[ + mmap write to range [512Kb, 1Mb[ + msync range [512K, 1Mb[ + --> triggers fast fsync + (BTRFS_INODE_NEEDS_FULL_SYNC + not set) + --> creates extent map A for this + range and adds it to list of + modified extents + --> starts ordered extent A for + this range + --> waits for it to complete + + writeback triggered for range + [2Mb, 4Mb[ + --> create extent map B and + adds it to the list of + modified extents + --> creates ordered extent B + + --> start looking for and logging + modified extents + --> logs extent maps A and B + --> finds checksums for extent A + in the csum tree, but not for + extent B + fsync (msync) finishes + + --> ordered extent B + finishes and its + checksums are added + to the csum tree + + + +After replaying the log, we have the extent covering the range [2Mb, 4Mb[ +but do not have the data checksum items covering that file range. + +This happens because at the very beginning of an fsync (btrfs_sync_file()) +we start and wait for IO in the given range [512Kb, 1Mb[ and therefore +wait for any ordered extents in that range to complete before we start +logging the extents. However if right before we start logging the extent +in our range [512Kb, 1Mb[, writeback is started for any other dirty range, +such as the range [2Mb, 4Mb[ due to memory pressure or a concurrent fsync +or msync (btrfs_sync_file() starts writeback before acquiring the inode's +lock), an ordered extent is created for that other range and a new extent +map is created to represent that range and added to the inode's list of +modified extents. + +That means that we will see that other extent in that list when collecting +extents for logging (done at btrfs_log_changed_extents()) and log the +extent before the respective ordered extent finishes - namely before the +checksum items are added to the checksums tree, which is where +log_extent_csums() looks for the checksums, therefore making us log an +extent without logging its checksums. Before that massive simplification +of fsync, this wasn't a problem because besides looking for checkums in +the checksums tree, we also looked for them in any ordered extent still +running. + +The consequence of data checksums missing for a file range is that users +attempting to read the affected file range will get -EIO errors and dmesg +reports the following: + + [10188.358136] BTRFS info (device sdc): no csum found for inode 297 start 57344 + [10188.359278] BTRFS warning (device sdc): csum failed root 5 ino 297 off 57344 csum 0x98f94189 expected csum 0x00000000 mirror 1 + +So fix this by skipping extents outside of our logging range at +btrfs_log_changed_extents() and leaving them on the list of modified +extents so that any subsequent ranged fsync may collect them if needed. +Also, if we find a hole extent outside of the range still log it, just +to prevent having gaps between extent items after replaying the log, +otherwise fsck will complain when we are not using the NO_HOLES feature +(fstest btrfs/056 triggers such case). + +Fixes: e7175a692765 ("btrfs: remove the wait ordered logic in the log_one_extent path") +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4399,6 +4399,23 @@ static int btrfs_log_changed_extents(str + logged_end = end; + + list_for_each_entry_safe(em, n, &tree->modified_extents, list) { ++ /* ++ * Skip extents outside our logging range. It's important to do ++ * it for correctness because if we don't ignore them, we may ++ * log them before their ordered extent completes, and therefore ++ * we could log them without logging their respective checksums ++ * (the checksum items are added to the csum tree at the very ++ * end of btrfs_finish_ordered_io()). Also leave such extents ++ * outside of our range in the list, since we may have another ++ * ranged fsync in the near future that needs them. If an extent ++ * outside our range corresponds to a hole, log it to avoid ++ * leaving gaps between extents (fsck will complain when we are ++ * not using the NO_HOLES feature). ++ */ ++ if ((em->start > end || em->start + em->len <= start) && ++ em->block_start != EXTENT_MAP_HOLE) ++ continue; ++ + list_del_init(&em->list); + /* + * Just an arbitrary number, this can be really CPU intensive diff --git a/queue-4.19/btrfs-fix-pinned-underflow-after-transaction-aborted.patch b/queue-4.19/btrfs-fix-pinned-underflow-after-transaction-aborted.patch new file mode 100644 index 00000000000..5a1fad5fcd2 --- /dev/null +++ b/queue-4.19/btrfs-fix-pinned-underflow-after-transaction-aborted.patch @@ -0,0 +1,101 @@ +From fcd5e74288f7d36991b1f0fb96b8c57079645e38 Mon Sep 17 00:00:00 2001 +From: Lu Fengqi +Date: Wed, 24 Oct 2018 20:24:03 +0800 +Subject: btrfs: fix pinned underflow after transaction aborted + +From: Lu Fengqi + +commit fcd5e74288f7d36991b1f0fb96b8c57079645e38 upstream. + +When running generic/475, we may get the following warning in dmesg: + +[ 6902.102154] WARNING: CPU: 3 PID: 18013 at fs/btrfs/extent-tree.c:9776 btrfs_free_block_groups+0x2af/0x3b0 [btrfs] +[ 6902.109160] CPU: 3 PID: 18013 Comm: umount Tainted: G W O 4.19.0-rc8+ #8 +[ 6902.110971] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +[ 6902.112857] RIP: 0010:btrfs_free_block_groups+0x2af/0x3b0 [btrfs] +[ 6902.118921] RSP: 0018:ffffc9000459bdb0 EFLAGS: 00010286 +[ 6902.120315] RAX: ffff880175050bb0 RBX: ffff8801124a8000 RCX: 0000000000170007 +[ 6902.121969] RDX: 0000000000000002 RSI: 0000000000170007 RDI: ffffffff8125fb74 +[ 6902.123716] RBP: ffff880175055d10 R08: 0000000000000000 R09: 0000000000000000 +[ 6902.125417] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880175055d88 +[ 6902.127129] R13: ffff880175050bb0 R14: 0000000000000000 R15: dead000000000100 +[ 6902.129060] FS: 00007f4507223780(0000) GS:ffff88017ba00000(0000) knlGS:0000000000000000 +[ 6902.130996] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6902.132558] CR2: 00005623599cac78 CR3: 000000014b700001 CR4: 00000000003606e0 +[ 6902.134270] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6902.135981] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6902.137836] Call Trace: +[ 6902.138939] close_ctree+0x171/0x330 [btrfs] +[ 6902.140181] ? kthread_stop+0x146/0x1f0 +[ 6902.141277] generic_shutdown_super+0x6c/0x100 +[ 6902.142517] kill_anon_super+0x14/0x30 +[ 6902.143554] btrfs_kill_super+0x13/0x100 [btrfs] +[ 6902.144790] deactivate_locked_super+0x2f/0x70 +[ 6902.146014] cleanup_mnt+0x3b/0x70 +[ 6902.147020] task_work_run+0x9e/0xd0 +[ 6902.148036] do_syscall_64+0x470/0x600 +[ 6902.149142] ? trace_hardirqs_off_thunk+0x1a/0x1c +[ 6902.150375] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 6902.151640] RIP: 0033:0x7f45077a6a7b +[ 6902.157324] RSP: 002b:00007ffd589f3e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[ 6902.159187] RAX: 0000000000000000 RBX: 000055e8eec732b0 RCX: 00007f45077a6a7b +[ 6902.160834] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055e8eec73490 +[ 6902.162526] RBP: 0000000000000000 R08: 000055e8eec734b0 R09: 00007ffd589f26c0 +[ 6902.164141] R10: 0000000000000000 R11: 0000000000000246 R12: 000055e8eec73490 +[ 6902.165815] R13: 00007f4507ac61a4 R14: 0000000000000000 R15: 00007ffd589f40d8 +[ 6902.167553] irq event stamp: 0 +[ 6902.168998] hardirqs last enabled at (0): [<0000000000000000>] (null) +[ 6902.170731] hardirqs last disabled at (0): [] copy_process.part.55+0x3b0/0x1f00 +[ 6902.172773] softirqs last enabled at (0): [] copy_process.part.55+0x3b0/0x1f00 +[ 6902.174671] softirqs last disabled at (0): [<0000000000000000>] (null) +[ 6902.176407] ---[ end trace 463138c2986b275c ]--- +[ 6902.177636] BTRFS info (device dm-3): space_info 4 has 273465344 free, is not full +[ 6902.179453] BTRFS info (device dm-3): space_info total=276824064, used=4685824, pinned=18446744073708158976, reserved=0, may_use=0, readonly=65536 + +In the above line there's "pinned=18446744073708158976" which is an +unsigned u64 value of -1392640, an obvious underflow. + +When transaction_kthread is running cleanup_transaction(), another +fsstress is running btrfs_commit_transaction(). The +btrfs_finish_extent_commit() may get the same range as +btrfs_destroy_pinned_extent() got, which causes the pinned underflow. + +Fixes: d4b450cd4b33 ("Btrfs: fix race between transaction commit and empty block group removal") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Lu Fengqi +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4359,13 +4359,23 @@ static int btrfs_destroy_pinned_extent(s + unpin = pinned_extents; + again: + while (1) { ++ /* ++ * The btrfs_finish_extent_commit() may get the same range as ++ * ours between find_first_extent_bit and clear_extent_dirty. ++ * Hence, hold the unused_bg_unpin_mutex to avoid double unpin ++ * the same extent range. ++ */ ++ mutex_lock(&fs_info->unused_bg_unpin_mutex); + ret = find_first_extent_bit(unpin, 0, &start, &end, + EXTENT_DIRTY, NULL); +- if (ret) ++ if (ret) { ++ mutex_unlock(&fs_info->unused_bg_unpin_mutex); + break; ++ } + + clear_extent_dirty(unpin, start, end); + btrfs_error_unpin_extent_range(fs_info, start, end); ++ mutex_unlock(&fs_info->unused_bg_unpin_mutex); + cond_resched(); + } + diff --git a/queue-4.19/btrfs-tree-checker-fix-misleading-group-system-information.patch b/queue-4.19/btrfs-tree-checker-fix-misleading-group-system-information.patch new file mode 100644 index 00000000000..0c6e3fd7223 --- /dev/null +++ b/queue-4.19/btrfs-tree-checker-fix-misleading-group-system-information.patch @@ -0,0 +1,38 @@ +From 761333f2f50ccc887aa9957ae829300262c0d15b Mon Sep 17 00:00:00 2001 +From: Shaokun Zhang +Date: Mon, 5 Nov 2018 18:49:09 +0800 +Subject: btrfs: tree-checker: Fix misleading group system information + +From: Shaokun Zhang + +commit 761333f2f50ccc887aa9957ae829300262c0d15b upstream. + +block_group_err shows the group system as a decimal value with a '0x' +prefix, which is somewhat misleading. + +Fix it to print hexadecimal, as was intended. + +Fixes: fce466eab7ac6 ("btrfs: tree-checker: Verify block_group_item") +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Nikolay Borisov +Reviewed-by: Qu Wenruo +Signed-off-by: Shaokun Zhang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -440,7 +440,7 @@ static int check_block_group_item(struct + type != (BTRFS_BLOCK_GROUP_METADATA | + BTRFS_BLOCK_GROUP_DATA)) { + block_group_err(fs_info, leaf, slot, +-"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llu or 0x%llx", ++"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llx or 0x%llx", + type, hweight64(type), + BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA, + BTRFS_BLOCK_GROUP_SYSTEM, diff --git a/queue-4.19/clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch b/queue-4.19/clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch new file mode 100644 index 00000000000..d2a10acbb56 --- /dev/null +++ b/queue-4.19/clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch @@ -0,0 +1,79 @@ +From 35b69a420bfb56b7b74cb635ea903db05e357bec Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Sun, 4 Nov 2018 03:48:54 +0000 +Subject: clockevents/drivers/i8253: Add support for PIT shutdown quirk + +From: Michael Kelley + +commit 35b69a420bfb56b7b74cb635ea903db05e357bec upstream. + +Add support for platforms where pit_shutdown() doesn't work because of a +quirk in the PIT emulation. On these platforms setting the counter register +to zero causes the PIT to start running again, negating the shutdown. + +Provide a global variable that controls whether the counter register is +zero'ed, which platform specific code can override. + +Signed-off-by: Michael Kelley +Signed-off-by: Thomas Gleixner +Cc: "gregkh@linuxfoundation.org" +Cc: "devel@linuxdriverproject.org" +Cc: "daniel.lezcano@linaro.org" +Cc: "virtualization@lists.linux-foundation.org" +Cc: "jgross@suse.com" +Cc: "akataria@vmware.com" +Cc: "olaf@aepfle.de" +Cc: "apw@canonical.com" +Cc: vkuznets +Cc: "jasowang@redhat.com" +Cc: "marcelo.cerri@canonical.com" +Cc: KY Srinivasan +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1541303219-11142-2-git-send-email-mikelley@microsoft.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/i8253.c | 14 ++++++++++++-- + include/linux/i8253.h | 1 + + 2 files changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/clocksource/i8253.c ++++ b/drivers/clocksource/i8253.c +@@ -20,6 +20,13 @@ + DEFINE_RAW_SPINLOCK(i8253_lock); + EXPORT_SYMBOL(i8253_lock); + ++/* ++ * Handle PIT quirk in pit_shutdown() where zeroing the counter register ++ * restarts the PIT, negating the shutdown. On platforms with the quirk, ++ * platform specific code can set this to false. ++ */ ++bool i8253_clear_counter_on_shutdown __ro_after_init = true; ++ + #ifdef CONFIG_CLKSRC_I8253 + /* + * Since the PIT overflows every tick, its not very useful +@@ -109,8 +116,11 @@ static int pit_shutdown(struct clock_eve + raw_spin_lock(&i8253_lock); + + outb_p(0x30, PIT_MODE); +- outb_p(0, PIT_CH0); +- outb_p(0, PIT_CH0); ++ ++ if (i8253_clear_counter_on_shutdown) { ++ outb_p(0, PIT_CH0); ++ outb_p(0, PIT_CH0); ++ } + + raw_spin_unlock(&i8253_lock); + return 0; +--- a/include/linux/i8253.h ++++ b/include/linux/i8253.h +@@ -21,6 +21,7 @@ + #define PIT_LATCH ((PIT_TICK_RATE + HZ/2) / HZ) + + extern raw_spinlock_t i8253_lock; ++extern bool i8253_clear_counter_on_shutdown; + extern struct clock_event_device i8253_clockevent; + extern void clockevent_i8253_init(bool oneshot); + diff --git a/queue-4.19/crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch b/queue-4.19/crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch new file mode 100644 index 00000000000..0b4c985613e --- /dev/null +++ b/queue-4.19/crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch @@ -0,0 +1,93 @@ +From f43f39958beb206b53292801e216d9b8a660f087 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Nov 2018 14:56:00 -0700 +Subject: crypto: user - fix leaking uninitialized memory to userspace + +From: Eric Biggers + +commit f43f39958beb206b53292801e216d9b8a660f087 upstream. + +All bytes of the NETLINK_CRYPTO report structures must be initialized, +since they are copied to userspace. The change from strncpy() to +strlcpy() broke this. As a minimal fix, change it back. + +Fixes: 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion") +Cc: # v4.12+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/crypto_user.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -83,7 +83,7 @@ static int crypto_report_cipher(struct s + { + struct crypto_report_cipher rcipher; + +- strlcpy(rcipher.type, "cipher", sizeof(rcipher.type)); ++ strncpy(rcipher.type, "cipher", sizeof(rcipher.type)); + + rcipher.blocksize = alg->cra_blocksize; + rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; +@@ -102,7 +102,7 @@ static int crypto_report_comp(struct sk_ + { + struct crypto_report_comp rcomp; + +- strlcpy(rcomp.type, "compression", sizeof(rcomp.type)); ++ strncpy(rcomp.type, "compression", sizeof(rcomp.type)); + if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, + sizeof(struct crypto_report_comp), &rcomp)) + goto nla_put_failure; +@@ -116,7 +116,7 @@ static int crypto_report_acomp(struct sk + { + struct crypto_report_acomp racomp; + +- strlcpy(racomp.type, "acomp", sizeof(racomp.type)); ++ strncpy(racomp.type, "acomp", sizeof(racomp.type)); + + if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP, + sizeof(struct crypto_report_acomp), &racomp)) +@@ -131,7 +131,7 @@ static int crypto_report_akcipher(struct + { + struct crypto_report_akcipher rakcipher; + +- strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type)); ++ strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type)); + + if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER, + sizeof(struct crypto_report_akcipher), &rakcipher)) +@@ -146,7 +146,7 @@ static int crypto_report_kpp(struct sk_b + { + struct crypto_report_kpp rkpp; + +- strlcpy(rkpp.type, "kpp", sizeof(rkpp.type)); ++ strncpy(rkpp.type, "kpp", sizeof(rkpp.type)); + + if (nla_put(skb, CRYPTOCFGA_REPORT_KPP, + sizeof(struct crypto_report_kpp), &rkpp)) +@@ -160,10 +160,10 @@ nla_put_failure: + static int crypto_report_one(struct crypto_alg *alg, + struct crypto_user_alg *ualg, struct sk_buff *skb) + { +- strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); +- strlcpy(ualg->cru_driver_name, alg->cra_driver_name, ++ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); ++ strncpy(ualg->cru_driver_name, alg->cra_driver_name, + sizeof(ualg->cru_driver_name)); +- strlcpy(ualg->cru_module_name, module_name(alg->cra_module), ++ strncpy(ualg->cru_module_name, module_name(alg->cra_module), + sizeof(ualg->cru_module_name)); + + ualg->cru_type = 0; +@@ -176,7 +176,7 @@ static int crypto_report_one(struct cryp + if (alg->cra_flags & CRYPTO_ALG_LARVAL) { + struct crypto_report_larval rl; + +- strlcpy(rl.type, "larval", sizeof(rl.type)); ++ strncpy(rl.type, "larval", sizeof(rl.type)); + if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, + sizeof(struct crypto_report_larval), &rl)) + goto nla_put_failure; diff --git a/queue-4.19/ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch b/queue-4.19/ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch new file mode 100644 index 00000000000..20f22e1a315 --- /dev/null +++ b/queue-4.19/ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch @@ -0,0 +1,38 @@ +From 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Sat, 3 Nov 2018 16:50:08 -0400 +Subject: ext4: add missing brelse() add_new_gdb_meta_bg()'s error path + +From: Vasily Averin + +commit 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 upstream. + +Fixes: 01f795f9e0d6 ("ext4: add online resizing support for meta_bg ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 3.7 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -926,6 +926,7 @@ static int add_new_gdb_meta_bg(struct su + sizeof(struct buffer_head *), + GFP_NOFS); + if (!n_group_desc) { ++ brelse(gdb_bh); + err = -ENOMEM; + ext4_warning(sb, "not enough memory for %lu groups", + gdb_num + 1); +@@ -941,8 +942,6 @@ static int add_new_gdb_meta_bg(struct su + kvfree(o_group_desc); + BUFFER_TRACE(gdb_bh, "get_write_access"); + err = ext4_journal_get_write_access(handle, gdb_bh); +- if (unlikely(err)) +- brelse(gdb_bh); + return err; + } + diff --git a/queue-4.19/ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch b/queue-4.19/ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch new file mode 100644 index 00000000000..26801117a91 --- /dev/null +++ b/queue-4.19/ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch @@ -0,0 +1,42 @@ +From cea5794122125bf67559906a0762186cf417099c Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Sat, 3 Nov 2018 16:22:10 -0400 +Subject: ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path + +From: Vasily Averin + +commit cea5794122125bf67559906a0762186cf417099c upstream. + +Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...") +Cc: stable@kernel.org # 3.3 +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -459,16 +459,18 @@ static int set_flexbg_block_bitmap(struc + + BUFFER_TRACE(bh, "get_write_access"); + err = ext4_journal_get_write_access(handle, bh); +- if (err) ++ if (err) { ++ brelse(bh); + return err; ++ } + ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", + first_cluster, first_cluster - start, count2); + ext4_set_bits(bh->b_data, first_cluster - start, count2); + + err = ext4_handle_dirty_metadata(handle, NULL, bh); ++ brelse(bh); + if (unlikely(err)) + return err; +- brelse(bh); + } + + return 0; diff --git a/queue-4.19/ext4-add-missing-brelse-update_backups-s-error-path.patch b/queue-4.19/ext4-add-missing-brelse-update_backups-s-error-path.patch new file mode 100644 index 00000000000..e50f4d2d19e --- /dev/null +++ b/queue-4.19/ext4-add-missing-brelse-update_backups-s-error-path.patch @@ -0,0 +1,33 @@ +From ea0abbb648452cdb6e1734b702b6330a7448fcf8 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Sat, 3 Nov 2018 17:11:19 -0400 +Subject: ext4: add missing brelse() update_backups()'s error path + +From: Vasily Averin + +commit ea0abbb648452cdb6e1734b702b6330a7448fcf8 upstream. + +Fixes: ac27a0ec112a ("ext4: initial copy of files from ext3") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 2.6.19 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1124,8 +1124,10 @@ static void update_backups(struct super_ + backup_block, backup_block - + ext4_group_first_block_no(sb, group)); + BUFFER_TRACE(bh, "get_write_access"); +- if ((err = ext4_journal_get_write_access(handle, bh))) ++ if ((err = ext4_journal_get_write_access(handle, bh))) { ++ brelse(bh); + break; ++ } + lock_buffer(bh); + memcpy(bh->b_data, data, size); + if (rest) diff --git a/queue-4.19/ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch b/queue-4.19/ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch new file mode 100644 index 00000000000..50682258453 --- /dev/null +++ b/queue-4.19/ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch @@ -0,0 +1,34 @@ +From feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 6 Nov 2018 17:01:36 -0500 +Subject: ext4: avoid buffer leak in ext4_orphan_add() after prior errors + +From: Vasily Averin + +commit feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 upstream. + +Fixes: d745a8c20c1f ("ext4: reduce contention on s_orphan_lock") +Fixes: 6e3617e579e0 ("ext4: Handle non empty on-disk orphan link") +Cc: Dmitry Monakhov +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 2.6.34 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2811,7 +2811,9 @@ int ext4_orphan_add(handle_t *handle, st + list_del_init(&EXT4_I(inode)->i_orphan); + mutex_unlock(&sbi->s_orphan_lock); + } +- } ++ } else ++ brelse(iloc.bh); ++ + jbd_debug(4, "superblock will point to %lu\n", inode->i_ino); + jbd_debug(4, "orphan inode %lu will point to %d\n", + inode->i_ino, NEXT_ORPHAN(inode)); diff --git a/queue-4.19/ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch b/queue-4.19/ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch new file mode 100644 index 00000000000..d10423b852d --- /dev/null +++ b/queue-4.19/ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch @@ -0,0 +1,37 @@ +From a6758309a005060b8297a538a457c88699cb2520 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 6 Nov 2018 16:49:50 -0500 +Subject: ext4: avoid buffer leak on shutdown in ext4_mark_iloc_dirty() + +From: Vasily Averin + +commit a6758309a005060b8297a538a457c88699cb2520 upstream. + +ext4_mark_iloc_dirty() callers expect that it releases iloc->bh +even if it returns an error. + +Fixes: 0db1ff222d40 ("ext4: add shutdown bit and check for it") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.11 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5804,9 +5804,10 @@ int ext4_mark_iloc_dirty(handle_t *handl + { + int err = 0; + +- if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) ++ if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) { ++ put_bh(iloc->bh); + return -EIO; +- ++ } + if (IS_I_VERSION(inode)) + inode_inc_iversion(inode); + diff --git a/queue-4.19/ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch b/queue-4.19/ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch new file mode 100644 index 00000000000..e3a2e156643 --- /dev/null +++ b/queue-4.19/ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch @@ -0,0 +1,29 @@ +From 4f32c38b4662312dd3c5f113d8bdd459887fb773 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 6 Nov 2018 17:18:17 -0500 +Subject: ext4: avoid possible double brelse() in add_new_gdb() on error path + +From: Theodore Ts'o + +commit 4f32c38b4662312dd3c5f113d8bdd459887fb773 upstream. + +Fixes: b40971426a83 ("ext4: add error checking to calls to ...") +Reported-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 2.6.38 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -871,6 +871,7 @@ static int add_new_gdb(handle_t *handle, + err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh); + if (unlikely(err)) { + ext4_std_error(sb, err); ++ iloc.bh = NULL; + goto exit_inode; + } + brelse(dind); diff --git a/queue-4.19/ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch b/queue-4.19/ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch new file mode 100644 index 00000000000..60ff8360c09 --- /dev/null +++ b/queue-4.19/ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch @@ -0,0 +1,76 @@ +From 9e4028935cca3f9ef9b6a90df9da6f1f94853536 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Sat, 3 Nov 2018 16:13:17 -0400 +Subject: ext4: avoid potential extra brelse in setup_new_flex_group_blocks() + +From: Vasily Averin + +commit 9e4028935cca3f9ef9b6a90df9da6f1f94853536 upstream. + +Currently bh is set to NULL only during first iteration of for cycle, +then this pointer is not cleared after end of using. +Therefore rollback after errors can lead to extra brelse(bh) call, +decrements bh counter and later trigger an unexpected warning in __brelse() + +Patch moves brelse() calls in body of cycle to exclude requirement of +brelse() call in rollback. + +Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 3.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -607,7 +607,6 @@ handle_bb: + bh = bclean(handle, sb, block); + if (IS_ERR(bh)) { + err = PTR_ERR(bh); +- bh = NULL; + goto out; + } + overhead = ext4_group_overhead_blocks(sb, group); +@@ -620,9 +619,9 @@ handle_bb: + ext4_mark_bitmap_end(EXT4_B2C(sbi, group_data[i].blocks_count), + sb->s_blocksize * 8, bh->b_data); + err = ext4_handle_dirty_metadata(handle, NULL, bh); ++ brelse(bh); + if (err) + goto out; +- brelse(bh); + + handle_ib: + if (bg_flags[i] & EXT4_BG_INODE_UNINIT) +@@ -637,18 +636,16 @@ handle_ib: + bh = bclean(handle, sb, block); + if (IS_ERR(bh)) { + err = PTR_ERR(bh); +- bh = NULL; + goto out; + } + + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); + err = ext4_handle_dirty_metadata(handle, NULL, bh); ++ brelse(bh); + if (err) + goto out; +- brelse(bh); + } +- bh = NULL; + + /* Mark group tables in block bitmap */ + for (j = 0; j < GROUP_TABLE_COUNT; j++) { +@@ -687,7 +684,6 @@ handle_ib: + } + + out: +- brelse(bh); + err2 = ext4_journal_stop(handle); + if (err2 && !err) + err = err2; diff --git a/queue-4.19/ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch b/queue-4.19/ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch new file mode 100644 index 00000000000..27d626cd9c6 --- /dev/null +++ b/queue-4.19/ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch @@ -0,0 +1,29 @@ +From de59fae0043f07de5d25e02ca360f7d57bfa5866 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 22:36:23 -0500 +Subject: ext4: fix buffer leak in __ext4_read_dirblock() on error path + +From: Vasily Averin + +commit de59fae0043f07de5d25e02ca360f7d57bfa5866 upstream. + +Fixes: dc6982ff4db1 ("ext4: refactor code to read directory blocks ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 3.9 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -126,6 +126,7 @@ static struct buffer_head *__ext4_read_d + if (!is_dx_block && type == INDEX) { + ext4_error_inode(inode, func, line, block, + "directory leaf block found instead of index block"); ++ brelse(bh); + return ERR_PTR(-EFSCORRUPTED); + } + if (!ext4_has_metadata_csum(inode->i_sb) || diff --git a/queue-4.19/ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch b/queue-4.19/ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch new file mode 100644 index 00000000000..8743d032450 --- /dev/null +++ b/queue-4.19/ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch @@ -0,0 +1,48 @@ +From 53692ec074d00589c2cf1d6d17ca76ad0adce6ec Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 11:14:35 -0500 +Subject: ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path + +From: Vasily Averin + +commit 53692ec074d00589c2cf1d6d17ca76ad0adce6ec upstream. + +Fixes: de05ca852679 ("ext4: move call to ext4_error() into ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.17 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2708,7 +2708,6 @@ int ext4_expand_extra_isize_ea(struct in + struct ext4_inode *raw_inode, handle_t *handle) + { + struct ext4_xattr_ibody_header *header; +- struct buffer_head *bh; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + static unsigned int mnt_count; + size_t min_offs; +@@ -2749,13 +2748,17 @@ retry: + * EA block can hold new_extra_isize bytes. + */ + if (EXT4_I(inode)->i_file_acl) { ++ struct buffer_head *bh; ++ + bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl); + error = -EIO; + if (!bh) + goto cleanup; + error = ext4_xattr_check_block(inode, bh); +- if (error) ++ if (error) { ++ brelse(bh); + goto cleanup; ++ } + base = BHDR(bh); + end = bh->b_data + bh->b_size; + min_offs = end - base; diff --git a/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch b/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch new file mode 100644 index 00000000000..80f5aa36ebc --- /dev/null +++ b/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch @@ -0,0 +1,33 @@ +From ecaaf408478b6fb4d9986f9b6652f3824e374f4c Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 11:01:33 -0500 +Subject: ext4: fix buffer leak in ext4_xattr_get_block() on error path + +From: Vasily Averin + +commit ecaaf408478b6fb4d9986f9b6652f3824e374f4c upstream. + +Fixes: dec214d00e0d ("ext4: xattr inode deduplication") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.13 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2282,8 +2282,10 @@ static struct buffer_head *ext4_xattr_ge + if (!bh) + return ERR_PTR(-EIO); + error = ext4_xattr_check_block(inode, bh); +- if (error) ++ if (error) { ++ brelse(bh); + return ERR_PTR(error); ++ } + return bh; + } + diff --git a/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch b/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch new file mode 100644 index 00000000000..ab64816ba17 --- /dev/null +++ b/queue-4.19/ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch @@ -0,0 +1,32 @@ +From 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 11:10:21 -0500 +Subject: ext4: fix buffer leak in ext4_xattr_move_to_block() on error path + +From: Vasily Averin + +commit 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f upstream. + +Fixes: 3f2571c1f91f ("ext4: factor out xattr moving") +Fixes: 6dd4ee7cab7e ("ext4: Expand extra_inodes space per ...") +Reviewed-by: Jan Kara +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 2.6.23 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2627,6 +2627,8 @@ out: + kfree(buffer); + if (is) + brelse(is->iloc.bh); ++ if (bs) ++ brelse(bs->bh); + kfree(is); + kfree(bs); + diff --git a/queue-4.19/ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch b/queue-4.19/ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch new file mode 100644 index 00000000000..a00a1dadc34 --- /dev/null +++ b/queue-4.19/ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch @@ -0,0 +1,30 @@ +From f348e2241fb73515d65b5d77dd9c174128a7fbf2 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 6 Nov 2018 16:16:01 -0500 +Subject: ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing + +From: Vasily Averin + +commit f348e2241fb73515d65b5d77dd9c174128a7fbf2 upstream. + +Fixes: 117fff10d7f1 ("ext4: grow the s_flex_groups array as needed ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 3.7 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -2022,7 +2022,7 @@ retry: + + err = ext4_alloc_flex_bg_array(sb, n_group + 1); + if (err) +- return err; ++ goto out; + + err = ext4_mb_alloc_groupinfo(sb, n_group + 1); + if (err) diff --git a/queue-4.19/ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch b/queue-4.19/ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch new file mode 100644 index 00000000000..5e1d271aa42 --- /dev/null +++ b/queue-4.19/ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch @@ -0,0 +1,32 @@ +From db6aee62406d9fbb53315fcddd81f1dc271d49fa Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 6 Nov 2018 16:20:40 -0500 +Subject: ext4: fix possible inode leak in the retry loop of ext4_resize_fs() + +From: Vasily Averin + +commit db6aee62406d9fbb53315fcddd81f1dc271d49fa upstream. + +Fixes: 1c6bd7173d66 ("ext4: convert file system to meta_bg if needed ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 3.7 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -2058,6 +2058,10 @@ retry: + n_blocks_count_retry = 0; + free_flex_gd(flex_gd); + flex_gd = NULL; ++ if (resize_inode) { ++ iput(resize_inode); ++ resize_inode = NULL; ++ } + goto retry; + } + diff --git a/queue-4.19/ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch b/queue-4.19/ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch new file mode 100644 index 00000000000..2937887ab31 --- /dev/null +++ b/queue-4.19/ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch @@ -0,0 +1,29 @@ +From af18e35bfd01e6d65a5e3ef84ffe8b252d1628c5 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 10:56:28 -0500 +Subject: ext4: fix possible leak of s_journal_flag_rwsem in error path + +From: Vasily Averin + +commit af18e35bfd01e6d65a5e3ef84ffe8b252d1628c5 upstream. + +Fixes: c8585c6fcaf2 ("ext4: fix races between changing inode journal ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.7 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4509,6 +4509,7 @@ failed_mount6: + percpu_counter_destroy(&sbi->s_freeinodes_counter); + percpu_counter_destroy(&sbi->s_dirs_counter); + percpu_counter_destroy(&sbi->s_dirtyclusters_counter); ++ percpu_free_rwsem(&sbi->s_journal_flag_rwsem); + failed_mount5: + ext4_ext_release(sb); + ext4_release_system_zone(sb); diff --git a/queue-4.19/ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch b/queue-4.19/ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch new file mode 100644 index 00000000000..78c57863475 --- /dev/null +++ b/queue-4.19/ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch @@ -0,0 +1,51 @@ +From 9e463084cdb22e0b56b2dfbc50461020409a5fd3 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 7 Nov 2018 10:32:53 -0500 +Subject: ext4: fix possible leak of sbi->s_group_desc_leak in error path + +From: Theodore Ts'o + +commit 9e463084cdb22e0b56b2dfbc50461020409a5fd3 upstream. + +Fixes: bfe0a5f47ada ("ext4: add more mount time checks of the superblock") +Reported-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.18 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4074,6 +4074,14 @@ static int ext4_fill_super(struct super_ + sbi->s_groups_count = blocks_count; + sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count, + (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != ++ le32_to_cpu(es->s_inodes_count)) { ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", ++ le32_to_cpu(es->s_inodes_count), ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); ++ ret = -EINVAL; ++ goto failed_mount; ++ } + db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / + EXT4_DESC_PER_BLOCK(sb); + if (ext4_has_feature_meta_bg(sb)) { +@@ -4093,14 +4101,6 @@ static int ext4_fill_super(struct super_ + ret = -ENOMEM; + goto failed_mount; + } +- if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != +- le32_to_cpu(es->s_inodes_count)) { +- ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", +- le32_to_cpu(es->s_inodes_count), +- ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); +- ret = -EINVAL; +- goto failed_mount; +- } + + bgl_lock_init(sbi->s_blockgroup_lock); + diff --git a/queue-4.19/ext4-missing-bh-check-in-ext4_xattr_inode_write.patch b/queue-4.19/ext4-missing-bh-check-in-ext4_xattr_inode_write.patch new file mode 100644 index 00000000000..a2763d25bc3 --- /dev/null +++ b/queue-4.19/ext4-missing-bh-check-in-ext4_xattr_inode_write.patch @@ -0,0 +1,44 @@ +From eb6984fa4ce2837dcb1f66720a600f31b0bb3739 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Fri, 9 Nov 2018 11:34:40 -0500 +Subject: ext4: missing !bh check in ext4_xattr_inode_write() + +From: Vasily Averin + +commit eb6984fa4ce2837dcb1f66720a600f31b0bb3739 upstream. + +According to Ted Ts'o ext4_getblk() called in ext4_xattr_inode_write() +should not return bh = NULL + +The only time that bh could be NULL, then, would be in the case of +something really going wrong; a programming error elsewhere (perhaps a +wild pointer dereference) or I/O error causing on-disk file system +corruption (although that would be highly unlikely given that we had +*just* allocated the blocks and so the metadata blocks in question +probably would still be in the cache). + +Fixes: e50e5129f384 ("ext4: xattr-in-inode support") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 4.13 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1388,6 +1388,12 @@ retry: + bh = ext4_getblk(handle, ea_inode, block, 0); + if (IS_ERR(bh)) + return PTR_ERR(bh); ++ if (!bh) { ++ WARN_ON_ONCE(1); ++ EXT4_ERROR_INODE(ea_inode, ++ "ext4_getblk() return bh = NULL"); ++ return -EFSCORRUPTED; ++ } + ret = ext4_journal_get_write_access(handle, bh); + if (ret) + goto out; diff --git a/queue-4.19/ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch b/queue-4.19/ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch new file mode 100644 index 00000000000..9e76b3a87e5 --- /dev/null +++ b/queue-4.19/ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch @@ -0,0 +1,33 @@ +From 45ae932d246f721e6584430017176cbcadfde610 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 7 Nov 2018 11:07:01 -0500 +Subject: ext4: release bs.bh before re-using in ext4_xattr_block_find() + +From: Vasily Averin + +commit 45ae932d246f721e6584430017176cbcadfde610 upstream. + +bs.bh was taken in previous ext4_xattr_block_find() call, +it should be released before re-using + +Fixes: 7e01c8e5420b ("ext3/4: fix uninitialized bs in ...") +Signed-off-by: Vasily Averin +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 2.6.26 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2405,6 +2405,8 @@ retry_inode: + error = ext4_xattr_block_set(handle, inode, &i, &bs); + } else if (error == -ENOSPC) { + if (EXT4_I(inode)->i_file_acl && !bs.s.base) { ++ brelse(bs.bh); ++ bs.bh = NULL; + error = ext4_xattr_block_find(inode, &i, &bs); + if (error) + goto cleanup; diff --git a/queue-4.19/fanotify-fix-handling-of-events-on-child-sub-directory.patch b/queue-4.19/fanotify-fix-handling-of-events-on-child-sub-directory.patch new file mode 100644 index 00000000000..da99a9a8f5e --- /dev/null +++ b/queue-4.19/fanotify-fix-handling-of-events-on-child-sub-directory.patch @@ -0,0 +1,84 @@ +From b469e7e47c8a075cc08bcd1e85d4365134bdcdd5 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 30 Oct 2018 20:29:53 +0200 +Subject: fanotify: fix handling of events on child sub-directory + +From: Amir Goldstein + +commit b469e7e47c8a075cc08bcd1e85d4365134bdcdd5 upstream. + +When an event is reported on a sub-directory and the parent inode has +a mark mask with FS_EVENT_ON_CHILD|FS_ISDIR, the event will be sent to +fsnotify() even if the event type is not in the parent mark mask +(e.g. FS_OPEN). + +Further more, if that event happened on a mount or a filesystem with +a mount/sb mark that does have that event type in their mask, the "on +child" event will be reported on the mount/sb mark. That is not +desired, because user will get a duplicate event for the same action. + +Note that the event reported on the victim inode is never merged with +the event reported on the parent inode, because of the check in +should_merge(): old_fsn->inode == new_fsn->inode. + +Fix this by looking for a match of an actual event type (i.e. not just +FS_ISDIR) in parent's inode mark mask and by not reporting an "on child" +event to group if event type is only found on mount/sb marks. + +[backport hint: The bug seems to have always been in fanotify, but this + patch will only apply cleanly to v4.19.y] + +Cc: # v4.19 +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/fanotify/fanotify.c | 10 +++++----- + fs/notify/fsnotify.c | 7 +++++-- + 2 files changed, 10 insertions(+), 7 deletions(-) + +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -115,12 +115,12 @@ static bool fanotify_should_send_event(s + continue; + mark = iter_info->marks[type]; + /* +- * if the event is for a child and this inode doesn't care about +- * events on the child, don't send it! ++ * If the event is for a child and this mark doesn't care about ++ * events on a child, don't send it! + */ +- if (type == FSNOTIFY_OBJ_TYPE_INODE && +- (event_mask & FS_EVENT_ON_CHILD) && +- !(mark->mask & FS_EVENT_ON_CHILD)) ++ if (event_mask & FS_EVENT_ON_CHILD && ++ (type != FSNOTIFY_OBJ_TYPE_INODE || ++ !(mark->mask & FS_EVENT_ON_CHILD))) + continue; + + marks_mask |= mark->mask; +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -161,9 +161,9 @@ int __fsnotify_parent(const struct path + parent = dget_parent(dentry); + p_inode = parent->d_inode; + +- if (unlikely(!fsnotify_inode_watches_children(p_inode))) ++ if (unlikely(!fsnotify_inode_watches_children(p_inode))) { + __fsnotify_update_child_dentry_flags(p_inode); +- else if (p_inode->i_fsnotify_mask & mask) { ++ } else if (p_inode->i_fsnotify_mask & mask & ALL_FSNOTIFY_EVENTS) { + struct name_snapshot name; + + /* we are notifying a parent so come up with the new mask which +@@ -360,6 +360,9 @@ int fsnotify(struct inode *to_tell, __u3 + iter_info.marks[FSNOTIFY_OBJ_TYPE_VFSMOUNT] = + fsnotify_first_mark(&mnt->mnt_fsnotify_marks); + } ++ /* An event "on child" is not intended for a mount/sb mark */ ++ if (mask & FS_EVENT_ON_CHILD) ++ mnt_or_sb_mask = 0; + + /* + * We need to merge inode & vfsmount mark lists so that inode mark diff --git a/queue-4.19/fuse-fix-leaked-notify-reply.patch b/queue-4.19/fuse-fix-leaked-notify-reply.patch new file mode 100644 index 00000000000..e460b89a9c2 --- /dev/null +++ b/queue-4.19/fuse-fix-leaked-notify-reply.patch @@ -0,0 +1,40 @@ +From 7fabaf303458fcabb694999d6fa772cc13d4e217 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 9 Nov 2018 15:52:16 +0100 +Subject: fuse: fix leaked notify reply + +From: Miklos Szeredi + +commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream. + +fuse_request_send_notify_reply() may fail if the connection was reset for +some reason (e.g. fs was unmounted). Don't leak request reference in this +case. Besides leaking memory, this resulted in fc->num_waiting not being +decremented and hence fuse_wait_aborted() left in a hanging and unkillable +state. + +Fixes: 2d45ba381a74 ("fuse: add retrieve request") +Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests") +Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@syzkaller.appspotmail.com +Signed-off-by: Miklos Szeredi +Cc: #v2.6.36 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1724,8 +1724,10 @@ static int fuse_retrieve(struct fuse_con + req->in.args[1].size = total_len; + + err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique); +- if (err) ++ if (err) { + fuse_retrieve_end(fc, req); ++ fuse_put_request(fc, req); ++ } + + return err; + } diff --git a/queue-4.19/fuse-fix-possibly-missed-wake-up-after-abort.patch b/queue-4.19/fuse-fix-possibly-missed-wake-up-after-abort.patch new file mode 100644 index 00000000000..809237ce2d9 --- /dev/null +++ b/queue-4.19/fuse-fix-possibly-missed-wake-up-after-abort.patch @@ -0,0 +1,60 @@ +From 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 9 Nov 2018 15:52:16 +0100 +Subject: fuse: fix possibly missed wake-up after abort + +From: Miklos Szeredi + +commit 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 upstream. + +In current fuse_drop_waiting() implementation it's possible that +fuse_wait_aborted() will not be woken up in the unlikely case that +fuse_abort_conn() + fuse_wait_aborted() runs in between checking +fc->connected and calling atomic_dec(&fc->num_waiting). + +Do the atomic_dec_and_test() unconditionally, which also provides the +necessary barrier against reordering with the fc->connected check. + +The explicit smp_mb() in fuse_wait_aborted() is not actually needed, since +the spin_unlock() in fuse_abort_conn() provides the necessary RELEASE +barrier after resetting fc->connected. However, this is not a performance +sensitive path, and adding the explicit barrier makes it easier to +document. + +Signed-off-by: Miklos Szeredi +Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests") +Cc: #v4.19 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dev.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -129,9 +129,13 @@ static bool fuse_block_alloc(struct fuse + + static void fuse_drop_waiting(struct fuse_conn *fc) + { +- if (fc->connected) { +- atomic_dec(&fc->num_waiting); +- } else if (atomic_dec_and_test(&fc->num_waiting)) { ++ /* ++ * lockess check of fc->connected is okay, because atomic_dec_and_test() ++ * provides a memory barrier mached with the one in fuse_wait_aborted() ++ * to ensure no wake-up is missed. ++ */ ++ if (atomic_dec_and_test(&fc->num_waiting) && ++ !READ_ONCE(fc->connected)) { + /* wake up aborters */ + wake_up_all(&fc->blocked_waitq); + } +@@ -2167,6 +2171,8 @@ EXPORT_SYMBOL_GPL(fuse_abort_conn); + + void fuse_wait_aborted(struct fuse_conn *fc) + { ++ /* matches implicit memory barrier in fuse_drop_waiting() */ ++ smp_mb(); + wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0); + } + diff --git a/queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch b/queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch new file mode 100644 index 00000000000..567a5b9d38a --- /dev/null +++ b/queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch @@ -0,0 +1,45 @@ +From ebacb81273599555a7a19f7754a1451206a5fc4f Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 9 Nov 2018 14:51:46 +0100 +Subject: fuse: fix use-after-free in fuse_direct_IO() + +From: Lukas Czerner + +commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream. + +In async IO blocking case the additional reference to the io is taken for +it to survive fuse_aio_complete(). In non blocking case this additional +reference is not needed, however we still reference io to figure out +whether to wait for completion or not. This is wrong and will lead to +use-after-free. Fix it by storing blocking information in separate +variable. + +This was spotted by KASAN when running generic/208 fstest. + +Signed-off-by: Lukas Czerner +Reported-by: Zorro Lang +Signed-off-by: Miklos Szeredi +Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv") +Cc: # v4.6 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2913,10 +2913,12 @@ fuse_direct_IO(struct kiocb *iocb, struc + } + + if (io->async) { ++ bool blocking = io->blocking; ++ + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); + + /* we have a non-extending, async request, so return */ +- if (!io->blocking) ++ if (!blocking) + return -EIOCBQUEUED; + + wait_for_completion(&wait); diff --git a/queue-4.19/gfs2-fix-metadata-read-ahead-during-truncate-2.patch b/queue-4.19/gfs2-fix-metadata-read-ahead-during-truncate-2.patch new file mode 100644 index 00000000000..cbe7372519b --- /dev/null +++ b/queue-4.19/gfs2-fix-metadata-read-ahead-during-truncate-2.patch @@ -0,0 +1,50 @@ +From e7445ceddfc220c1aede6d42758a5acb8844e9c3 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Thu, 8 Nov 2018 20:14:29 +0000 +Subject: gfs2: Fix metadata read-ahead during truncate (2) + +From: Andreas Gruenbacher + +commit e7445ceddfc220c1aede6d42758a5acb8844e9c3 upstream. + +The previous attempt to fix for metadata read-ahead during truncate was +incorrect: for files with a height > 2 (1006989312 bytes with a block +size of 4096 bytes), read-ahead requests were not being issued for some +of the indirect blocks discovered while walking the metadata tree, +leading to significant slow-downs when deleting large files. Fix that. + +In addition, only issue read-ahead requests in the first pass through +the meta-data tree, while deallocating data blocks. + +Fixes: c3ce5aa9b0 ("gfs2: Fix metadata read-ahead during truncate") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/bmap.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1908,10 +1908,16 @@ static int punch_hole(struct gfs2_inode + if (ret < 0) + goto out; + +- /* issue read-ahead on metadata */ +- if (mp.mp_aheight > 1) { +- for (; ret > 1; ret--) { +- metapointer_range(&mp, mp.mp_aheight - ret, ++ /* On the first pass, issue read-ahead on metadata. */ ++ if (mp.mp_aheight > 1 && strip_h == ip->i_height - 1) { ++ unsigned int height = mp.mp_aheight - 1; ++ ++ /* No read-ahead for data blocks. */ ++ if (mp.mp_aheight - 1 == strip_h) ++ height--; ++ ++ for (; height >= mp.mp_aheight - ret; height--) { ++ metapointer_range(&mp, height, + start_list, start_aligned, + end_list, end_aligned, + &start, &end); diff --git a/queue-4.19/gfs2-put-bitmap-buffers-in-put_super.patch b/queue-4.19/gfs2-put-bitmap-buffers-in-put_super.patch new file mode 100644 index 00000000000..ca8ad124f2b --- /dev/null +++ b/queue-4.19/gfs2-put-bitmap-buffers-in-put_super.patch @@ -0,0 +1,52 @@ +From 10283ea525d30f2e99828978fd04d8427876a7ad Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 5 Nov 2018 22:57:24 +0000 +Subject: gfs2: Put bitmap buffers in put_super + +From: Andreas Gruenbacher + +commit 10283ea525d30f2e99828978fd04d8427876a7ad upstream. + +gfs2_put_super calls gfs2_clear_rgrpd to destroy the gfs2_rgrpd objects +attached to the resource group glocks. That function should release the +buffers attached to the gfs2_bitmap objects (bi_bh), but the call to +gfs2_rgrp_brelse for doing that is missing. + +When gfs2_releasepage later runs across these buffers which are still +referenced, it refuses to free them. This causes the pages the buffers +are attached to to remain referenced as well. With enough mount/unmount +cycles, the system will eventually run out of memory. + +Fix this by adding the missing call to gfs2_rgrp_brelse in +gfs2_clear_rgrpd. + +(Also fix a gfs2_rgrp_relse -> gfs2_rgrp_brelse typo in a comment.) + +Fixes: 39b0f1e92908 ("GFS2: Don't brelse rgrp buffer_heads every allocation") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/rgrp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -725,6 +725,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *s + + if (gl) { + glock_clear_object(gl, rgd); ++ gfs2_rgrp_brelse(rgd); + gfs2_glock_put(gl); + } + +@@ -1141,7 +1142,7 @@ static u32 count_unlinked(struct gfs2_rg + * @rgd: the struct gfs2_rgrpd describing the RG to read in + * + * Read in all of a Resource Group's header and bitmap blocks. +- * Caller must eventually call gfs2_rgrp_relse() to free the bitmaps. ++ * Caller must eventually call gfs2_rgrp_brelse() to free the bitmaps. + * + * Returns: errno + */ diff --git a/queue-4.19/hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch b/queue-4.19/hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch new file mode 100644 index 00000000000..0abe3fb1d49 --- /dev/null +++ b/queue-4.19/hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch @@ -0,0 +1,133 @@ +From 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 16 Nov 2018 15:08:04 -0800 +Subject: hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! + +From: Mike Kravetz + +commit 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf upstream. + +This bug has been experienced several times by the Oracle DB team. The +BUG is in remove_inode_hugepages() as follows: + + /* + * If page is mapped, it was faulted in after being + * unmapped in caller. Unmap (again) now after taking + * the fault mutex. The mutex will prevent faults + * until we finish removing the page. + * + * This race can only happen in the hole punch case. + * Getting here in a truncate operation is a bug. + */ + if (unlikely(page_mapped(page))) { + BUG_ON(truncate_op); + +In this case, the elevated map count is not the result of a race. +Rather it was incorrectly incremented as the result of a bug in the huge +pmd sharing code. Consider the following: + + - Process A maps a hugetlbfs file of sufficient size and alignment + (PUD_SIZE) that a pmd page could be shared. + + - Process B maps the same hugetlbfs file with the same size and + alignment such that a pmd page is shared. + + - Process B then calls mprotect() to change protections for the mapping + with the shared pmd. As a result, the pmd is 'unshared'. + + - Process B then calls mprotect() again to chage protections for the + mapping back to their original value. pmd remains unshared. + + - Process B then forks and process C is created. During the fork + process, we do dup_mm -> dup_mmap -> copy_page_range to copy page + tables. Copying page tables for hugetlb mappings is done in the + routine copy_hugetlb_page_range. + +In copy_hugetlb_page_range(), the destination pte is obtained by: + + dst_pte = huge_pte_alloc(dst, addr, sz); + +If pmd sharing is possible, the returned pointer will be to a pte in an +existing page table. In the situation above, process C could share with +either process A or process B. Since process A is first in the list, +the returned pte is a pointer to a pte in process A's page table. + +However, the check for pmd sharing in copy_hugetlb_page_range is: + + /* If the pagetables are shared don't copy or take references */ + if (dst_pte == src_pte) + continue; + +Since process C is sharing with process A instead of process B, the +above test fails. The code in copy_hugetlb_page_range which follows +assumes dst_pte points to a huge_pte_none pte. It copies the pte entry +from src_pte to dst_pte and increments this map count of the associated +page. This is how we end up with an elevated map count. + +To solve, check the dst_pte entry for huge_pte_none. If !none, this +implies PMD sharing so do not copy. + +Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com +Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing") +Signed-off-by: Mike Kravetz +Reviewed-by: Naoya Horiguchi +Cc: Michal Hocko +Cc: Hugh Dickins +Cc: Andrea Arcangeli +Cc: "Kirill A . Shutemov" +Cc: Davidlohr Bueso +Cc: Prakash Sangappa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3233,7 +3233,7 @@ static int is_hugetlb_entry_hwpoisoned(p + int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, + struct vm_area_struct *vma) + { +- pte_t *src_pte, *dst_pte, entry; ++ pte_t *src_pte, *dst_pte, entry, dst_entry; + struct page *ptepage; + unsigned long addr; + int cow; +@@ -3261,15 +3261,30 @@ int copy_hugetlb_page_range(struct mm_st + break; + } + +- /* If the pagetables are shared don't copy or take references */ +- if (dst_pte == src_pte) ++ /* ++ * If the pagetables are shared don't copy or take references. ++ * dst_pte == src_pte is the common case of src/dest sharing. ++ * ++ * However, src could have 'unshared' and dst shares with ++ * another vma. If dst_pte !none, this implies sharing. ++ * Check here before taking page table lock, and once again ++ * after taking the lock below. ++ */ ++ dst_entry = huge_ptep_get(dst_pte); ++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry)) + continue; + + dst_ptl = huge_pte_lock(h, dst, dst_pte); + src_ptl = huge_pte_lockptr(h, src, src_pte); + spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING); + entry = huge_ptep_get(src_pte); +- if (huge_pte_none(entry)) { /* skip none entry */ ++ dst_entry = huge_ptep_get(dst_pte); ++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) { ++ /* ++ * Skip if src entry none. Also, skip in the ++ * unlikely case dst entry !none as this implies ++ * sharing with another vma. ++ */ + ; + } else if (unlikely(is_hugetlb_entry_migration(entry) || + is_hugetlb_entry_hwpoisoned(entry))) { diff --git a/queue-4.19/kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch b/queue-4.19/kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch new file mode 100644 index 00000000000..1230f286f04 --- /dev/null +++ b/queue-4.19/kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch @@ -0,0 +1,167 @@ +From 568fb6f42ac6851320adaea25f8f1b94de14e40a Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 27 Sep 2018 17:17:57 +0000 +Subject: kdb: print real address of pointers instead of hashed addresses + +From: Christophe Leroy + +commit 568fb6f42ac6851320adaea25f8f1b94de14e40a upstream. + +Since commit ad67b74d2469 ("printk: hash addresses printed with %p"), +all pointers printed with %p are printed with hashed addresses +instead of real addresses in order to avoid leaking addresses in +dmesg and syslog. But this applies to kdb too, with is unfortunate: + + Entering kdb (current=0x(ptrval), pid 329) due to Keyboard Entry + kdb> ps + 15 sleeping system daemon (state M) processes suppressed, + use 'ps A' to see all. + Task Addr Pid Parent [*] cpu State Thread Command + 0x(ptrval) 329 328 1 0 R 0x(ptrval) *sh + + 0x(ptrval) 1 0 0 0 S 0x(ptrval) init + 0x(ptrval) 3 2 0 0 D 0x(ptrval) rcu_gp + 0x(ptrval) 4 2 0 0 D 0x(ptrval) rcu_par_gp + 0x(ptrval) 5 2 0 0 D 0x(ptrval) kworker/0:0 + 0x(ptrval) 6 2 0 0 D 0x(ptrval) kworker/0:0H + 0x(ptrval) 7 2 0 0 D 0x(ptrval) kworker/u2:0 + 0x(ptrval) 8 2 0 0 D 0x(ptrval) mm_percpu_wq + 0x(ptrval) 10 2 0 0 D 0x(ptrval) rcu_preempt + +The whole purpose of kdb is to debug, and for debugging real addresses +need to be known. In addition, data displayed by kdb doesn't go into +dmesg. + +This patch replaces all %p by %px in kdb in order to display real +addresses. + +Fixes: ad67b74d2469 ("printk: hash addresses printed with %p") +Cc: +Signed-off-by: Christophe Leroy +Signed-off-by: Daniel Thompson +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/kdb/kdb_main.c | 14 +++++++------- + kernel/debug/kdb/kdb_support.c | 12 ++++++------ + 2 files changed, 13 insertions(+), 13 deletions(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1192,7 +1192,7 @@ static int kdb_local(kdb_reason_t reason + if (reason == KDB_REASON_DEBUG) { + /* special case below */ + } else { +- kdb_printf("\nEntering kdb (current=0x%p, pid %d) ", ++ kdb_printf("\nEntering kdb (current=0x%px, pid %d) ", + kdb_current, kdb_current ? kdb_current->pid : 0); + #if defined(CONFIG_SMP) + kdb_printf("on processor %d ", raw_smp_processor_id()); +@@ -1208,7 +1208,7 @@ static int kdb_local(kdb_reason_t reason + */ + switch (db_result) { + case KDB_DB_BPT: +- kdb_printf("\nEntering kdb (0x%p, pid %d) ", ++ kdb_printf("\nEntering kdb (0x%px, pid %d) ", + kdb_current, kdb_current->pid); + #if defined(CONFIG_SMP) + kdb_printf("on processor %d ", raw_smp_processor_id()); +@@ -2048,7 +2048,7 @@ static int kdb_lsmod(int argc, const cha + if (mod->state == MODULE_STATE_UNFORMED) + continue; + +- kdb_printf("%-20s%8u 0x%p ", mod->name, ++ kdb_printf("%-20s%8u 0x%px ", mod->name, + mod->core_layout.size, (void *)mod); + #ifdef CONFIG_MODULE_UNLOAD + kdb_printf("%4d ", module_refcount(mod)); +@@ -2059,7 +2059,7 @@ static int kdb_lsmod(int argc, const cha + kdb_printf(" (Loading)"); + else + kdb_printf(" (Live)"); +- kdb_printf(" 0x%p", mod->core_layout.base); ++ kdb_printf(" 0x%px", mod->core_layout.base); + + #ifdef CONFIG_MODULE_UNLOAD + { +@@ -2341,7 +2341,7 @@ void kdb_ps1(const struct task_struct *p + return; + + cpu = kdb_process_cpu(p); +- kdb_printf("0x%p %8d %8d %d %4d %c 0x%p %c%s\n", ++ kdb_printf("0x%px %8d %8d %d %4d %c 0x%px %c%s\n", + (void *)p, p->pid, p->parent->pid, + kdb_task_has_cpu(p), kdb_process_cpu(p), + kdb_task_state_char(p), +@@ -2354,7 +2354,7 @@ void kdb_ps1(const struct task_struct *p + } else { + if (KDB_TSK(cpu) != p) + kdb_printf(" Error: does not match running " +- "process table (0x%p)\n", KDB_TSK(cpu)); ++ "process table (0x%px)\n", KDB_TSK(cpu)); + } + } + } +@@ -2692,7 +2692,7 @@ int kdb_register_flags(char *cmd, + for_each_kdbcmd(kp, i) { + if (kp->cmd_name && (strcmp(kp->cmd_name, cmd) == 0)) { + kdb_printf("Duplicate kdb command registered: " +- "%s, func %p help %s\n", cmd, func, help); ++ "%s, func %px help %s\n", cmd, func, help); + return 1; + } + } +--- a/kernel/debug/kdb/kdb_support.c ++++ b/kernel/debug/kdb/kdb_support.c +@@ -40,7 +40,7 @@ + int kdbgetsymval(const char *symname, kdb_symtab_t *symtab) + { + if (KDB_DEBUG(AR)) +- kdb_printf("kdbgetsymval: symname=%s, symtab=%p\n", symname, ++ kdb_printf("kdbgetsymval: symname=%s, symtab=%px\n", symname, + symtab); + memset(symtab, 0, sizeof(*symtab)); + symtab->sym_start = kallsyms_lookup_name(symname); +@@ -88,7 +88,7 @@ int kdbnearsym(unsigned long addr, kdb_s + char *knt1 = NULL; + + if (KDB_DEBUG(AR)) +- kdb_printf("kdbnearsym: addr=0x%lx, symtab=%p\n", addr, symtab); ++ kdb_printf("kdbnearsym: addr=0x%lx, symtab=%px\n", addr, symtab); + memset(symtab, 0, sizeof(*symtab)); + + if (addr < 4096) +@@ -149,7 +149,7 @@ int kdbnearsym(unsigned long addr, kdb_s + symtab->mod_name = "kernel"; + if (KDB_DEBUG(AR)) + kdb_printf("kdbnearsym: returns %d symtab->sym_start=0x%lx, " +- "symtab->mod_name=%p, symtab->sym_name=%p (%s)\n", ret, ++ "symtab->mod_name=%px, symtab->sym_name=%px (%s)\n", ret, + symtab->sym_start, symtab->mod_name, symtab->sym_name, + symtab->sym_name); + +@@ -887,13 +887,13 @@ void debug_kusage(void) + __func__, dah_first); + if (dah_first) { + h_used = (struct debug_alloc_header *)debug_alloc_pool; +- kdb_printf("%s: h_used %p size %d\n", __func__, h_used, ++ kdb_printf("%s: h_used %px size %d\n", __func__, h_used, + h_used->size); + } + do { + h_used = (struct debug_alloc_header *) + ((char *)h_free + dah_overhead + h_free->size); +- kdb_printf("%s: h_used %p size %d caller %p\n", ++ kdb_printf("%s: h_used %px size %d caller %px\n", + __func__, h_used, h_used->size, h_used->caller); + h_free = (struct debug_alloc_header *) + (debug_alloc_pool + h_free->next); +@@ -902,7 +902,7 @@ void debug_kusage(void) + ((char *)h_free + dah_overhead + h_free->size); + if ((char *)h_used - debug_alloc_pool != + sizeof(debug_alloc_pool_aligned)) +- kdb_printf("%s: h_used %p size %d caller %p\n", ++ kdb_printf("%s: h_used %px size %d caller %px\n", + __func__, h_used, h_used->size, h_used->caller); + out: + spin_unlock(&dap_lock); diff --git a/queue-4.19/kdb-use-correct-pointer-when-btc-calls-btt.patch b/queue-4.19/kdb-use-correct-pointer-when-btc-calls-btt.patch new file mode 100644 index 00000000000..6f4d14ffa98 --- /dev/null +++ b/queue-4.19/kdb-use-correct-pointer-when-btc-calls-btt.patch @@ -0,0 +1,63 @@ +From dded2e159208a9edc21dd5c5f583afa28d378d39 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 27 Sep 2018 17:17:49 +0000 +Subject: kdb: use correct pointer when 'btc' calls 'btt' + +From: Christophe Leroy + +commit dded2e159208a9edc21dd5c5f583afa28d378d39 upstream. + +On a powerpc 8xx, 'btc' fails as follows: + +Entering kdb (current=0x(ptrval), pid 282) due to Keyboard Entry +kdb> btc +btc: cpu status: Currently on cpu 0 +Available cpus: 0 +kdb_getarea: Bad address 0x0 + +when booting the kernel with 'debug_boot_weak_hash', it fails as well + +Entering kdb (current=0xba99ad80, pid 284) due to Keyboard Entry +kdb> btc +btc: cpu status: Currently on cpu 0 +Available cpus: 0 +kdb_getarea: Bad address 0xba99ad80 + +On other platforms, Oopses have been observed too, see +https://github.com/linuxppc/linux/issues/139 + +This is due to btc calling 'btt' with %p pointer as an argument. + +This patch replaces %p by %px to get the real pointer value as +expected by 'btt' + +Fixes: ad67b74d2469 ("printk: hash addresses printed with %p") +Cc: +Signed-off-by: Christophe Leroy +Reviewed-by: Daniel Thompson +Signed-off-by: Daniel Thompson +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/kdb/kdb_bt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/debug/kdb/kdb_bt.c ++++ b/kernel/debug/kdb/kdb_bt.c +@@ -179,14 +179,14 @@ kdb_bt(int argc, const char **argv) + kdb_printf("no process for cpu %ld\n", cpu); + return 0; + } +- sprintf(buf, "btt 0x%p\n", KDB_TSK(cpu)); ++ sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu)); + kdb_parse(buf); + return 0; + } + kdb_printf("btc: cpu status: "); + kdb_parse("cpu\n"); + for_each_online_cpu(cpu) { +- sprintf(buf, "btt 0x%p\n", KDB_TSK(cpu)); ++ sprintf(buf, "btt 0x%px\n", KDB_TSK(cpu)); + kdb_parse(buf); + touch_nmi_watchdog(); + } diff --git a/queue-4.19/lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch b/queue-4.19/lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch new file mode 100644 index 00000000000..c3b61e65330 --- /dev/null +++ b/queue-4.19/lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch @@ -0,0 +1,47 @@ +From 1c23b4108d716cc848b38532063a8aca4f86add8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 16 Nov 2018 15:08:35 -0800 +Subject: lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn + +From: Arnd Bergmann + +commit 1c23b4108d716cc848b38532063a8aca4f86add8 upstream. + +gcc-8 complains about the prototype for this function: + + lib/ubsan.c:432:1: error: ignoring attribute 'noreturn' in declaration of a built-in function '__ubsan_handle_builtin_unreachable' because it conflicts with attribute 'const' [-Werror=attributes] + +This is actually a GCC's bug. In GCC internals +__ubsan_handle_builtin_unreachable() declared with both 'noreturn' and +'const' attributes instead of only 'noreturn': + + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84210 + +Workaround this by removing the noreturn attribute. + +[aryabinin: add information about GCC bug in changelog] +Link: http://lkml.kernel.org/r/20181107144516.4587-1-aryabinin@virtuozzo.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrey Ryabinin +Acked-by: Olof Johansson +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/ubsan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/lib/ubsan.c ++++ b/lib/ubsan.c +@@ -427,8 +427,7 @@ void __ubsan_handle_shift_out_of_bounds( + EXPORT_SYMBOL(__ubsan_handle_shift_out_of_bounds); + + +-void __noreturn +-__ubsan_handle_builtin_unreachable(struct unreachable_data *data) ++void __ubsan_handle_builtin_unreachable(struct unreachable_data *data) + { + unsigned long flags; + diff --git a/queue-4.19/libata-blacklist-samsung-mz7td256hafv-000l9-ssd.patch b/queue-4.19/libata-blacklist-samsung-mz7td256hafv-000l9-ssd.patch new file mode 100644 index 00000000000..3ec46424385 --- /dev/null +++ b/queue-4.19/libata-blacklist-samsung-mz7td256hafv-000l9-ssd.patch @@ -0,0 +1,35 @@ +From 410b5c7b48368317af95f0113692561d01d8144e Mon Sep 17 00:00:00 2001 +From: Diego Viola +Date: Mon, 12 Nov 2018 17:22:52 -0200 +Subject: libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD + +From: Diego Viola + +commit 410b5c7b48368317af95f0113692561d01d8144e upstream. + +med_power_with_dipm still causes freezes after updating the firmware to +the latest version (DXT04L5Q). + +Set model_rev to NULL and blacklist the device. + +Cc: stable@vger.kernel.org +Signed-off-by: Diego Viola +Reviewed-by: Hans de Goede +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4553,7 +4553,7 @@ static const struct ata_blacklist_entry + /* These specific Samsung models/firmware-revs do not handle LPM well */ + { "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, }, + { "SAMSUNG SSD PM830 mSATA *", "CXM13D1Q", ATA_HORKAGE_NOLPM, }, +- { "SAMSUNG MZ7TD256HAFV-000L9", "DXT02L5Q", ATA_HORKAGE_NOLPM, }, ++ { "SAMSUNG MZ7TD256HAFV-000L9", NULL, ATA_HORKAGE_NOLPM, }, + + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.19/mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch b/queue-4.19/mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch new file mode 100644 index 00000000000..64076952eff --- /dev/null +++ b/queue-4.19/mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch @@ -0,0 +1,60 @@ +From 873d7bcfd066663e3e50113dc4a0de19289b6354 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Fri, 16 Nov 2018 15:08:11 -0800 +Subject: mm/swapfile.c: use kvzalloc for swap_info_struct allocation + +From: Vasily Averin + +commit 873d7bcfd066663e3e50113dc4a0de19289b6354 upstream. + +Commit a2468cc9bfdf ("swap: choose swap device according to numa node") +changed 'avail_lists' field of 'struct swap_info_struct' to an array. +In popular linux distros it increased size of swap_info_struct up to 40 +Kbytes and now swap_info_struct allocation requires order-4 page. +Switch to kvzmalloc allows to avoid unexpected allocation failures. + +Link: http://lkml.kernel.org/r/fc23172d-3c75-21e2-d551-8b1808cbe593@virtuozzo.com +Fixes: a2468cc9bfdf ("swap: choose swap device according to numa node") +Signed-off-by: Vasily Averin +Acked-by: Aaron Lu +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Huang Ying +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/swapfile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2820,7 +2820,7 @@ static struct swap_info_struct *alloc_sw + unsigned int type; + int i; + +- p = kzalloc(sizeof(*p), GFP_KERNEL); ++ p = kvzalloc(sizeof(*p), GFP_KERNEL); + if (!p) + return ERR_PTR(-ENOMEM); + +@@ -2831,7 +2831,7 @@ static struct swap_info_struct *alloc_sw + } + if (type >= MAX_SWAPFILES) { + spin_unlock(&swap_lock); +- kfree(p); ++ kvfree(p); + return ERR_PTR(-EPERM); + } + if (type >= nr_swapfiles) { +@@ -2845,7 +2845,7 @@ static struct swap_info_struct *alloc_sw + smp_wmb(); + nr_swapfiles++; + } else { +- kfree(p); ++ kvfree(p); + p = swap_info[type]; + /* + * Do not memset this entry: a racing procfs swap_next() diff --git a/queue-4.19/mnt-fix-__detach_mounts-infinite-loop.patch b/queue-4.19/mnt-fix-__detach_mounts-infinite-loop.patch new file mode 100644 index 00000000000..39b9bba7219 --- /dev/null +++ b/queue-4.19/mnt-fix-__detach_mounts-infinite-loop.patch @@ -0,0 +1,77 @@ +From 1e9c75fb9c47a75a9aec0cd17db5f6dc36b58e00 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Wed, 3 Oct 2018 10:18:33 -0400 +Subject: mnt: fix __detach_mounts infinite loop + +From: Benjamin Coddington + +commit 1e9c75fb9c47a75a9aec0cd17db5f6dc36b58e00 upstream. + +Since commit ff17fa561a04 ("d_invalidate(): unhash immediately") +immediately unhashes the dentry, we'll never return the mountpoint in +lookup_mountpoint(), which can lead to an unbreakable loop in +d_invalidate(). + +I have reports of NFS clients getting into this condition after the server +removes an export of an existing mount created through follow_automount(), +but I suspect there are various other ways to produce this problem if we +hunt down users of d_invalidate(). For example, it is possible to get into +this state by using XFS' d_invalidate() call in xfs_vn_unlink(): + +truncate -s 100m img{1,2} + +mkfs.xfs -q -n version=ci img1 +mkfs.xfs -q -n version=ci img2 + +mkdir -p /mnt/xfs +mount img1 /mnt/xfs + +mkdir /mnt/xfs/sub1 +mount img2 /mnt/xfs/sub1 + +cat > /mnt/xfs/sub1/foo & +umount -l /mnt/xfs/sub1 +mount img2 /mnt/xfs/sub1 + +mount --make-private /mnt/xfs + +mkdir /mnt/xfs/sub2 +mount --move /mnt/xfs/sub1 /mnt/xfs/sub2 +rmdir /mnt/xfs/sub1 + +Fix this by moving the check for an unlinked dentry out of the +detach_mounts() path. + +Fixes: ff17fa561a04 ("d_invalidate(): unhash immediately") +Cc: stable@vger.kernel.org +Reviewed-by: "Eric W. Biederman" +Signed-off-by: Benjamin Coddington +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namespace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -695,9 +695,6 @@ static struct mountpoint *lookup_mountpo + + hlist_for_each_entry(mp, chain, m_hash) { + if (mp->m_dentry == dentry) { +- /* might be worth a WARN_ON() */ +- if (d_unlinked(dentry)) +- return ERR_PTR(-ENOENT); + mp->m_count++; + return mp; + } +@@ -711,6 +708,9 @@ static struct mountpoint *get_mountpoint + int ret; + + if (d_mountpoint(dentry)) { ++ /* might be worth a WARN_ON() */ ++ if (d_unlinked(dentry)) ++ return ERR_PTR(-ENOENT); + mountpoint: + read_seqlock_excl(&mount_lock); + mp = lookup_mountpoint(dentry); diff --git a/queue-4.19/mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch b/queue-4.19/mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch new file mode 100644 index 00000000000..bd1c187d71c --- /dev/null +++ b/queue-4.19/mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch @@ -0,0 +1,71 @@ +From df7342b240185d58d3d9665c0bbf0a0f5570ec29 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 25 Oct 2018 09:04:18 -0500 +Subject: mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts + +From: Eric W. Biederman + +commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream. + +Jonathan Calmels from NVIDIA reported that he's able to bypass the +mount visibility security check in place in the Linux kernel by using +a combination of the unbindable property along with the private mount +propagation option to allow a unprivileged user to see a path which +was purposefully hidden by the root user. + +Reproducer: + # Hide a path to all users using a tmpfs + root@castiana:~# mount -t tmpfs tmpfs /sys/devices/ + root@castiana:~# + + # As an unprivileged user, unshare user namespace and mount namespace + stgraber@castiana:~$ unshare -U -m -r + + # Confirm the path is still not accessible + root@castiana:~# ls /sys/devices/ + + # Make /sys recursively unbindable and private + root@castiana:~# mount --make-runbindable /sys + root@castiana:~# mount --make-private /sys + + # Recursively bind-mount the rest of /sys over to /mnnt + root@castiana:~# mount --rbind /sys/ /mnt + + # Access our hidden /sys/device as an unprivileged user + root@castiana:~# ls /mnt/devices/ + breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe + LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system + tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual + +Solve this by teaching copy_tree to fail if a mount turns out to be +both unbindable and locked. + +Cc: stable@vger.kernel.org +Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") +Reported-by: Jonathan Calmels +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namespace.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1734,8 +1734,14 @@ struct mount *copy_tree(struct mount *mn + for (s = r; s; s = next_mnt(s, r)) { + if (!(flag & CL_COPY_UNBINDABLE) && + IS_MNT_UNBINDABLE(s)) { +- s = skip_mnt_tree(s); +- continue; ++ if (s->mnt.mnt_flags & MNT_LOCKED) { ++ /* Both unbindable and locked. */ ++ q = ERR_PTR(-EPERM); ++ goto out; ++ } else { ++ s = skip_mnt_tree(s); ++ continue; ++ } + } + if (!(flag & CL_COPY_MNT_NS_FILE) && + is_mnt_ns_file(s->mnt.mnt_root)) { diff --git a/queue-4.19/mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch b/queue-4.19/mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch new file mode 100644 index 00000000000..fc2f190e7cd --- /dev/null +++ b/queue-4.19/mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch @@ -0,0 +1,105 @@ +From 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 25 Oct 2018 12:05:11 -0500 +Subject: mount: Prevent MNT_DETACH from disconnecting locked mounts + +From: Eric W. Biederman + +commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream. + +Timothy Baldwin wrote: +> As per mount_namespaces(7) unprivileged users should not be able to look under mount points: +> +> Mounts that come as a single unit from more privileged mount are locked +> together and may not be separated in a less privileged mount namespace. +> +> However they can: +> +> 1. Create a mount namespace. +> 2. In the mount namespace open a file descriptor to the parent of a mount point. +> 3. Destroy the mount namespace. +> 4. Use the file descriptor to look under the mount point. +> +> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8. +> +> The setup: +> +> $ sudo sysctl kernel.unprivileged_userns_clone=1 +> kernel.unprivileged_userns_clone = 1 +> $ mkdir -p A/B/Secret +> $ sudo mount -t tmpfs hide A/B +> +> +> "Secret" is indeed hidden as expected: +> +> $ ls -lR A +> A: +> total 0 +> drwxrwxrwt 2 root root 40 Feb 12 21:08 B +> +> A/B: +> total 0 +> +> +> The attack revealing "Secret": +> +> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4 /proc/self/fd/4/: +> total 0 +> drwxr-xr-x 3 root root 60 Feb 12 21:08 B +> +> /proc/self/fd/4/B: +> total 0 +> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret +> +> /proc/self/fd/4/B/Secret: +> total 0 + +I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and +disconnecting all of the mounts in a mount namespace. Fix this by +factoring drop_mounts out of drop_collected_mounts and passing +0 instead of UMOUNT_SYNC. + +There are two possible behavior differences that result from this. +- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on + the vfsmounts being unmounted. This effects the lazy rcu walk by + kicking the walk out of rcu mode and forcing it to be a non-lazy + walk. +- No longer disconnecting locked mounts will keep some mounts around + longer as they stay because the are locked to other mounts. + +There are only two users of drop_collected mounts: audit_tree.c and +put_mnt_ns. + +In audit_tree.c the mounts are private and there are no rcu lazy walks +only calls to iterate_mounts. So the changes should have no effect +except for a small timing effect as the connected mounts are disconnected. + +In put_mnt_ns there may be references from process outside the mount +namespace to the mounts. So the mounts remaining connected will +be the bug fix that is needed. That rcu walks are allowed to continue +appears not to be a problem especially as the rcu walk change was about +an implementation detail not about semantics. + +Cc: stable@vger.kernel.org +Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") +Reported-by: Timothy Baldwin +Tested-by: Timothy Baldwin +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1794,7 +1794,7 @@ void drop_collected_mounts(struct vfsmou + { + namespace_lock(); + lock_mount_hash(); +- umount_tree(real_mount(mnt), UMOUNT_SYNC); ++ umount_tree(real_mount(mnt), 0); + unlock_mount_hash(); + namespace_unlock(); + } diff --git a/queue-4.19/mount-retest-mnt_locked-in-do_umount.patch b/queue-4.19/mount-retest-mnt_locked-in-do_umount.patch new file mode 100644 index 00000000000..e0429334af5 --- /dev/null +++ b/queue-4.19/mount-retest-mnt_locked-in-do_umount.patch @@ -0,0 +1,61 @@ +From 25d202ed820ee347edec0bf3bf553544556bf64b Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 22 Oct 2018 10:21:38 -0500 +Subject: mount: Retest MNT_LOCKED in do_umount + +From: Eric W. Biederman + +commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream. + +It was recently pointed out that the one instance of testing MNT_LOCKED +outside of the namespace_sem is in ksys_umount. + +Fix that by adding a test inside of do_umount with namespace_sem and +the mount_lock held. As it helps to fail fails the existing test is +maintained with an additional comment pointing out that it may be racy +because the locks are not held. + +Cc: stable@vger.kernel.org +Reported-by: Al Viro +Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namespace.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1540,8 +1540,13 @@ static int do_umount(struct mount *mnt, + + namespace_lock(); + lock_mount_hash(); +- event++; + ++ /* Recheck MNT_LOCKED with the locks held */ ++ retval = -EINVAL; ++ if (mnt->mnt.mnt_flags & MNT_LOCKED) ++ goto out; ++ ++ event++; + if (flags & MNT_DETACH) { + if (!list_empty(&mnt->mnt_list)) + umount_tree(mnt, UMOUNT_PROPAGATE); +@@ -1555,6 +1560,7 @@ static int do_umount(struct mount *mnt, + retval = 0; + } + } ++out: + unlock_mount_hash(); + namespace_unlock(); + return retval; +@@ -1645,7 +1651,7 @@ int ksys_umount(char __user *name, int f + goto dput_and_out; + if (!check_mnt(mnt)) + goto dput_and_out; +- if (mnt->mnt.mnt_flags & MNT_LOCKED) ++ if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */ + goto dput_and_out; + retval = -EPERM; + if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN)) diff --git a/queue-4.19/nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch b/queue-4.19/nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch new file mode 100644 index 00000000000..38c145a2b26 --- /dev/null +++ b/queue-4.19/nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch @@ -0,0 +1,33 @@ +From 01310bb7c9c98752cc763b36532fab028e0f8f81 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Thu, 8 Nov 2018 11:11:36 -0500 +Subject: nfsd: COPY and CLONE operations require the saved filehandle to be set + +From: Scott Mayhew + +commit 01310bb7c9c98752cc763b36532fab028e0f8f81 upstream. + +Make sure we have a saved filehandle, otherwise we'll oops with a null +pointer dereference in nfs4_preprocess_stateid_op(). + +Signed-off-by: Scott Mayhew +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1037,6 +1037,9 @@ nfsd4_verify_copy(struct svc_rqst *rqstp + { + __be32 status; + ++ if (!cstate->save_fh.fh_dentry) ++ return nfserr_nofilehandle; ++ + status = nfs4_preprocess_stateid_op(rqstp, cstate, &cstate->save_fh, + src_stateid, RD_STATE, src, NULL); + if (status) { diff --git a/queue-4.19/nfsv4-don-t-exit-the-state-manager-without-clearing-nfs4clnt_manager_running.patch b/queue-4.19/nfsv4-don-t-exit-the-state-manager-without-clearing-nfs4clnt_manager_running.patch new file mode 100644 index 00000000000..cc3b2e866f8 --- /dev/null +++ b/queue-4.19/nfsv4-don-t-exit-the-state-manager-without-clearing-nfs4clnt_manager_running.patch @@ -0,0 +1,49 @@ +From 21a446cf186570168b7281b154b1993968598aca Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 5 Nov 2018 11:10:50 -0500 +Subject: NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING + +From: Trond Myklebust + +commit 21a446cf186570168b7281b154b1993968598aca upstream. + +If we exit the NFSv4 state manager due to a umount, then we can end up +leaving the NFS4CLNT_MANAGER_RUNNING flag set. If another mount causes +the nfs4_client to be rereferenced before it is destroyed, then we end +up never being able to recover state. + +Fixes: 47c2199b6eb5 ("NFSv4.1: Ensure state manager thread dies on last ...") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4state.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -2583,11 +2583,12 @@ static void nfs4_state_manager(struct nf + nfs4_clear_state_manager_bit(clp); + /* Did we race with an attempt to give us more work? */ + if (clp->cl_state == 0) +- break; ++ return; + if (test_and_set_bit(NFS4CLNT_MANAGER_RUNNING, &clp->cl_state) != 0) +- break; ++ return; + } while (refcount_read(&clp->cl_count) > 1); +- return; ++ goto out_drain; ++ + out_error: + if (strlen(section)) + section_sep = ": "; +@@ -2595,6 +2596,7 @@ out_error: + " with error %d\n", section_sep, section, + clp->cl_hostname, -status); + ssleep(1); ++out_drain: + nfs4_end_drain_session(clp); + nfs4_clear_state_manager_bit(clp); + } diff --git a/queue-4.19/rtc-hctosys-add-missing-range-error-reporting.patch b/queue-4.19/rtc-hctosys-add-missing-range-error-reporting.patch new file mode 100644 index 00000000000..ee8f51380c9 --- /dev/null +++ b/queue-4.19/rtc-hctosys-add-missing-range-error-reporting.patch @@ -0,0 +1,42 @@ +From 7ce9a992ffde8ce93d5ae5767362a5c7389ae895 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 5 Nov 2018 03:48:25 +0000 +Subject: rtc: hctosys: Add missing range error reporting + +From: Maciej W. Rozycki + +commit 7ce9a992ffde8ce93d5ae5767362a5c7389ae895 upstream. + +Fix an issue with the 32-bit range error path in `rtc_hctosys' where no +error code is set and consequently the successful preceding call result +from `rtc_read_time' is propagated to `rtc_hctosys_ret'. This in turn +makes any subsequent call to `hctosys_show' incorrectly report in sysfs +that the system time has been set from this RTC while it has not. + +Set the error to ERANGE then if we can't express the result due to an +overflow. + +Signed-off-by: Maciej W. Rozycki +Fixes: b3a5ac42ab18 ("rtc: hctosys: Ensure system time doesn't overflow time_t") +Cc: stable@vger.kernel.org # 4.17+ +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/hctosys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/hctosys.c ++++ b/drivers/rtc/hctosys.c +@@ -50,8 +50,10 @@ static int __init rtc_hctosys(void) + tv64.tv_sec = rtc_tm_to_time64(&tm); + + #if BITS_PER_LONG == 32 +- if (tv64.tv_sec > INT_MAX) ++ if (tv64.tv_sec > INT_MAX) { ++ err = -ERANGE; + goto err_read; ++ } + #endif + + err = do_settimeofday64(&tv64); diff --git a/queue-4.19/selinux-check-length-properly-in-sctp-bind-hook.patch b/queue-4.19/selinux-check-length-properly-in-sctp-bind-hook.patch new file mode 100644 index 00000000000..8e0ef46da67 --- /dev/null +++ b/queue-4.19/selinux-check-length-properly-in-sctp-bind-hook.patch @@ -0,0 +1,41 @@ +From c138325fb8713472d5a0c3c7258b9131bab40725 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 13 Nov 2018 16:16:08 +0100 +Subject: selinux: check length properly in SCTP bind hook + +From: Ondrej Mosnacek + +commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream. + +selinux_sctp_bind_connect() must verify if the address buffer has +sufficient length before accessing the 'sa_family' field. See +__sctp_connect() for a similar check. + +The length of the whole address ('len') is already checked in the +callees. + +Reported-by: Qian Cai +Fixes: d452930fd3b9 ("selinux: Add SCTP support") +Cc: # 4.17+ +Cc: Richard Haines +Signed-off-by: Ondrej Mosnacek +Tested-by: Qian Cai +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -5318,6 +5318,9 @@ static int selinux_sctp_bind_connect(str + addr_buf = address; + + while (walk_size < addrlen) { ++ if (walk_size + sizeof(sa_family_t) > addrlen) ++ return -EINVAL; ++ + addr = addr_buf; + switch (addr->sa_family) { + case AF_UNSPEC: diff --git a/queue-4.19/series b/queue-4.19/series index a0828353c1b..6cec08a42ef 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -115,3 +115,56 @@ perf-callchain-honour-the-ordering-of-perf_context_-user-kernel-etc.patch perf-intel-pt-bts-calculate-cpumode-for-synthesized-samples.patch perf-intel-pt-insert-callchain-context-into-synthesized-callchains.patch of-numa-validate-some-distance-map-rules.patch +x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch +x86-hyper-v-enable-pit-shutdown-quirk.patch +termios-tty-tty_baudrate.c-fix-buffer-overrun.patch +arch-alpha-termios-implement-bother-ibshift-and-termios2.patch +watchdog-core-add-missing-prototypes-for-weak-functions.patch +btrfs-fix-pinned-underflow-after-transaction-aborted.patch +btrfs-fix-missing-data-checksums-after-a-ranged-fsync-msync.patch +btrfs-fix-cur_offset-in-the-error-case-for-nocow.patch +btrfs-fix-infinite-loop-on-inode-eviction-after-deduplication-of-eof-block.patch +btrfs-fix-data-corruption-due-to-cloning-of-eof-block.patch +btrfs-tree-checker-fix-misleading-group-system-information.patch +clockevents-drivers-i8253-add-support-for-pit-shutdown-quirk.patch +ext4-add-missing-brelse-update_backups-s-error-path.patch +ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch +ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch +ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch +ext4-missing-bh-check-in-ext4_xattr_inode_write.patch +ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch +ext4-avoid-buffer-leak-on-shutdown-in-ext4_mark_iloc_dirty.patch +ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch +ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch +ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch +ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch +ext4-fix-possible-leak-of-s_journal_flag_rwsem-in-error-path.patch +ext4-fix-buffer-leak-in-ext4_xattr_get_block-on-error-path.patch +ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch +ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch +ext4-fix-buffer-leak-in-ext4_expand_extra_isize_ea-on-error-path.patch +ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch +mount-retest-mnt_locked-in-do_umount.patch +mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch +mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch +mnt-fix-__detach_mounts-infinite-loop.patch +uapi-fix-linux-kfd_ioctl.h-userspace-compilation-errors.patch +arm-cpuidle-don-t-register-the-driver-when-back-end-init-returns-enxio.patch +kdb-use-correct-pointer-when-btc-calls-btt.patch +kdb-print-real-address-of-pointers-instead-of-hashed-addresses.patch +sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch +nfsv4-don-t-exit-the-state-manager-without-clearing-nfs4clnt_manager_running.patch +nfsd-copy-and-clone-operations-require-the-saved-filehandle-to-be-set.patch +rtc-hctosys-add-missing-range-error-reporting.patch +fuse-fix-use-after-free-in-fuse_direct_io.patch +fuse-fix-leaked-notify-reply.patch +fuse-fix-possibly-missed-wake-up-after-abort.patch +selinux-check-length-properly-in-sctp-bind-hook.patch +gfs2-put-bitmap-buffers-in-put_super.patch +gfs2-fix-metadata-read-ahead-during-truncate-2.patch +libata-blacklist-samsung-mz7td256hafv-000l9-ssd.patch +fanotify-fix-handling-of-events-on-child-sub-directory.patch +crypto-user-fix-leaking-uninitialized-memory-to-userspace.patch +lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreachable-as-noreturn.patch +hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch +mm-swapfile.c-use-kvzalloc-for-swap_info_struct-allocation.patch diff --git a/queue-4.19/sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch b/queue-4.19/sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch new file mode 100644 index 00000000000..124b8fb3892 --- /dev/null +++ b/queue-4.19/sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch @@ -0,0 +1,46 @@ +From 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb Mon Sep 17 00:00:00 2001 +From: Frank Sorenson +Date: Tue, 30 Oct 2018 15:10:40 -0500 +Subject: sunrpc: correct the computation for page_ptr when truncating + +From: Frank Sorenson + +commit 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb upstream. + +When truncating the encode buffer, the page_ptr is getting +advanced, causing the next page to be skipped while encoding. +The page is still included in the response, so the response +contains a page of bogus data. + +We need to adjust the page_ptr backwards to ensure we encode +the next page into the correct place. + +We saw this triggered when concurrent directory modifications caused +nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting +call to xdr_truncate_encode() corrupted the READDIR reply. + +Signed-off-by: Frank Sorenson +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xdr.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -639,11 +639,10 @@ void xdr_truncate_encode(struct xdr_stre + WARN_ON_ONCE(xdr->iov); + return; + } +- if (fraglen) { ++ if (fraglen) + xdr->end = head->iov_base + head->iov_len; +- xdr->page_ptr--; +- } + /* (otherwise assume xdr->end is already set) */ ++ xdr->page_ptr--; + head->iov_len = len; + buf->len = len; + xdr->p = head->iov_base + head->iov_len; diff --git a/queue-4.19/termios-tty-tty_baudrate.c-fix-buffer-overrun.patch b/queue-4.19/termios-tty-tty_baudrate.c-fix-buffer-overrun.patch new file mode 100644 index 00000000000..b7dc6d1b9fb --- /dev/null +++ b/queue-4.19/termios-tty-tty_baudrate.c-fix-buffer-overrun.patch @@ -0,0 +1,55 @@ +From 991a25194097006ec1e0d2e0814ff920e59e3465 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Mon, 22 Oct 2018 09:19:04 -0700 +Subject: termios, tty/tty_baudrate.c: fix buffer overrun + +From: H. Peter Anvin + +commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream. + +On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does +not do any limit checking on the tty_baudrate[] array, and in fact a +buffer overrun is possible on both architectures. Add a limit check to +prevent that situation. + +This will be followed by a much bigger cleanup/simplification patch. + +Signed-off-by: H. Peter Anvin (Intel) +Requested-by: Cc: Johan Hovold +Cc: Jiri Slaby +Cc: Al Viro +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: Matt Turner +Cc: Thomas Gleixner +Cc: Kate Stewart +Cc: Philippe Ombredanne +Cc: Eugene Syromiatnikov +Cc: Alan Cox +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_baudrate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/tty_baudrate.c ++++ b/drivers/tty/tty_baudrate.c +@@ -77,7 +77,7 @@ speed_t tty_termios_baud_rate(struct kte + else + cbaud += 15; + } +- return baud_table[cbaud]; ++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud]; + } + EXPORT_SYMBOL(tty_termios_baud_rate); + +@@ -113,7 +113,7 @@ speed_t tty_termios_input_baud_rate(stru + else + cbaud += 15; + } +- return baud_table[cbaud]; ++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud]; + #else /* IBSHIFT */ + return tty_termios_baud_rate(termios); + #endif /* IBSHIFT */ diff --git a/queue-4.19/uapi-fix-linux-kfd_ioctl.h-userspace-compilation-errors.patch b/queue-4.19/uapi-fix-linux-kfd_ioctl.h-userspace-compilation-errors.patch new file mode 100644 index 00000000000..cb4d32a5b86 --- /dev/null +++ b/queue-4.19/uapi-fix-linux-kfd_ioctl.h-userspace-compilation-errors.patch @@ -0,0 +1,49 @@ +From aba118389a6fb2ad7958de0f37b5869852bd38cf Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Thu, 1 Nov 2018 14:03:08 +0300 +Subject: uapi: fix linux/kfd_ioctl.h userspace compilation errors + +From: Dmitry V. Levin + +commit aba118389a6fb2ad7958de0f37b5869852bd38cf upstream. + +Consistently use types provided by via +to fix the following linux/kfd_ioctl.h userspace compilation errors: + +/usr/include/linux/kfd_ioctl.h:250:2: error: unknown type name 'uint32_t' + uint32_t reset_type; +/usr/include/linux/kfd_ioctl.h:251:2: error: unknown type name 'uint32_t' + uint32_t reset_cause; +/usr/include/linux/kfd_ioctl.h:252:2: error: unknown type name 'uint32_t' + uint32_t memory_lost; +/usr/include/linux/kfd_ioctl.h:253:2: error: unknown type name 'uint32_t' + uint32_t gpu_id; + +Fixes: 0c119abad7f0d ("drm/amd: Add kfd ioctl defines for hw_exception event") +Cc: # v4.19 +Signed-off-by: Dmitry V. Levin +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/kfd_ioctl.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/uapi/linux/kfd_ioctl.h ++++ b/include/uapi/linux/kfd_ioctl.h +@@ -247,10 +247,10 @@ struct kfd_hsa_memory_exception_data { + + /* hw exception data */ + struct kfd_hsa_hw_exception_data { +- uint32_t reset_type; +- uint32_t reset_cause; +- uint32_t memory_lost; +- uint32_t gpu_id; ++ __u32 reset_type; ++ __u32 reset_cause; ++ __u32 memory_lost; ++ __u32 gpu_id; + }; + + /* Event data */ diff --git a/queue-4.19/watchdog-core-add-missing-prototypes-for-weak-functions.patch b/queue-4.19/watchdog-core-add-missing-prototypes-for-weak-functions.patch new file mode 100644 index 00000000000..c005a820bba --- /dev/null +++ b/queue-4.19/watchdog-core-add-missing-prototypes-for-weak-functions.patch @@ -0,0 +1,43 @@ +From 81bd415c91eb966118d773dddf254aebf3022411 Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Wed, 6 Jun 2018 21:42:32 +0200 +Subject: watchdog/core: Add missing prototypes for weak functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathieu Malaterre + +commit 81bd415c91eb966118d773dddf254aebf3022411 upstream. + +The split out of the hard lockup detector exposed two new weak functions, +but no prototypes for them, which triggers the build warning: + + kernel/watchdog.c:109:12: warning: no previous prototype for ‘watchdog_nmi_enable’ [-Wmissing-prototypes] + kernel/watchdog.c:115:13: warning: no previous prototype for ‘watchdog_nmi_disable’ [-Wmissing-prototypes] + +Add the prototypes. + +Fixes: 73ce0511c436 ("kernel/watchdog.c: move hardlockup detector to separate file") +Signed-off-by: Mathieu Malaterre +Signed-off-by: Thomas Gleixner +Cc: Babu Moger +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180606194232.17653-1-malat@debian.org +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nmi.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -119,6 +119,8 @@ static inline int hardlockup_detector_pe + void watchdog_nmi_stop(void); + void watchdog_nmi_start(void); + int watchdog_nmi_probe(void); ++int watchdog_nmi_enable(unsigned int cpu); ++void watchdog_nmi_disable(unsigned int cpu); + + /** + * touch_nmi_watchdog - restart NMI watchdog timeout. diff --git a/queue-4.19/x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch b/queue-4.19/x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch new file mode 100644 index 00000000000..275f123a2f8 --- /dev/null +++ b/queue-4.19/x86-cpu-vmware-do-not-trace-vmware_sched_clock.patch @@ -0,0 +1,47 @@ +From 15035388439f892017d38b05214d3cda6578af64 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 9 Nov 2018 15:22:07 -0500 +Subject: x86/cpu/vmware: Do not trace vmware_sched_clock() + +From: Steven Rostedt (VMware) + +commit 15035388439f892017d38b05214d3cda6578af64 upstream. + +When running function tracing on a Linux guest running on VMware +Workstation, the guest would crash. This is due to tracing of the +sched_clock internal call of the VMware vmware_sched_clock(), which +causes an infinite recursion within the tracing code (clock calls must +not be traced). + +Make vmware_sched_clock() not traced by ftrace. + +Fixes: 80e9a4f21fd7c ("x86/vmware: Add paravirt sched clock") +Reported-by: GwanYeong Kim +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Borislav Petkov +CC: Alok Kataria +CC: GwanYeong Kim +CC: "H. Peter Anvin" +CC: Ingo Molnar +Cc: stable@vger.kernel.org +CC: Thomas Gleixner +CC: virtualization@lists.linux-foundation.org +CC: x86-ml +Link: http://lkml.kernel.org/r/20181109152207.4d3e7d70@gandalf.local.home +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/vmware.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/vmware.c ++++ b/arch/x86/kernel/cpu/vmware.c +@@ -77,7 +77,7 @@ static __init int setup_vmw_sched_clock( + } + early_param("no-vmw-sched-clock", setup_vmw_sched_clock); + +-static unsigned long long vmware_sched_clock(void) ++static unsigned long long notrace vmware_sched_clock(void) + { + unsigned long long ns; + diff --git a/queue-4.19/x86-hyper-v-enable-pit-shutdown-quirk.patch b/queue-4.19/x86-hyper-v-enable-pit-shutdown-quirk.patch new file mode 100644 index 00000000000..27b0a1c046e --- /dev/null +++ b/queue-4.19/x86-hyper-v-enable-pit-shutdown-quirk.patch @@ -0,0 +1,64 @@ +From 1de72c706488b7be664a601cf3843bd01e327e58 Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Sun, 4 Nov 2018 03:48:57 +0000 +Subject: x86/hyper-v: Enable PIT shutdown quirk + +From: Michael Kelley + +commit 1de72c706488b7be664a601cf3843bd01e327e58 upstream. + +Hyper-V emulation of the PIT has a quirk such that the normal PIT shutdown +path doesn't work, because clearing the counter register restarts the +timer. + +Disable the counter clearing on PIT shutdown. + +Signed-off-by: Michael Kelley +Signed-off-by: Thomas Gleixner +Cc: "gregkh@linuxfoundation.org" +Cc: "devel@linuxdriverproject.org" +Cc: "daniel.lezcano@linaro.org" +Cc: "virtualization@lists.linux-foundation.org" +Cc: "jgross@suse.com" +Cc: "akataria@vmware.com" +Cc: "olaf@aepfle.de" +Cc: "apw@canonical.com" +Cc: vkuznets +Cc: "jasowang@redhat.com" +Cc: "marcelo.cerri@canonical.com" +Cc: KY Srinivasan +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1541303219-11142-3-git-send-email-mikelley@microsoft.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mshyperv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/kernel/cpu/mshyperv.c ++++ b/arch/x86/kernel/cpu/mshyperv.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -285,6 +286,16 @@ static void __init ms_hyperv_init_platfo + if (efi_enabled(EFI_BOOT)) + x86_platform.get_nmi_reason = hv_get_nmi_reason; + ++ /* ++ * Hyper-V VMs have a PIT emulation quirk such that zeroing the ++ * counter register during PIT shutdown restarts the PIT. So it ++ * continues to interrupt @18.2 HZ. Setting i8253_clear_counter ++ * to false tells pit_shutdown() not to zero the counter so that ++ * the PIT really is shutdown. Generation 2 VMs don't have a PIT, ++ * and setting this value has no effect. ++ */ ++ i8253_clear_counter_on_shutdown = false; ++ + #if IS_ENABLED(CONFIG_HYPERV) + /* + * Setup the hook to get control post apic initialization.