From: Greg Kroah-Hartman
Date: Mon, 25 Mar 2019 20:11:22 +0000 (+0900)
Subject: 5.0-stable patches
X-Git-Tag: v4.9.166~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3533e6ad3591ca0eadb452ce80fc8104aec6e3e8;p=thirdparty%2Fkernel%2Fstable-queue.git

5.0-stable patches

added patches:
ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch
ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
---
diff --git a/queue-5.0/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch b/queue-5.0/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch
new file mode 100644
index 00000000000..9353d18cc86
--- /dev/null
+++ b/queue-5.0/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch
@@ -0,0 +1,70 @@
+From 674a2b27234d1b7afcb0a9162e81b2e53aeef217 Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)"
+Date: Sat, 23 Mar 2019 11:43:05 -0400
+Subject: ext4: brelse all indirect buffer in ext4_ind_remove_space()
+
+From: zhangyi (F)
+
+commit 674a2b27234d1b7afcb0a9162e81b2e53aeef217 upstream.
+
+All indirect buffers get by ext4_find_shared() should be released no
+mater the branch should be freed or not. But now, we forget to release
+the lower depth indirect buffers when removing space from the same
+higher depth indirect block. It will lead to buffer leak and futher
+more, it may lead to quota information corruption when using old quota,
+consider the following case.
+
+ - Create and mount an empty ext4 filesystem without extent and quota
+ features,
+ - quotacheck and enable the user & group quota,
+ - Create some files and write some data to them, and then punch hole
+ to some files of them, it may trigger the buffer leak problem
+ mentioned above.
+ - Disable quota and run quotacheck again, it will create two new
+ aquota files and write the checked quota information to them, which
+ probably may reuse the freed indirect block(the buffer and page
+ cache was not freed) as data block.
+ - Enable quota again, it will invoke
+ vfs_load_quota_inode()->invalidate_bdev() to try to clean unused
+ buffers and pagecache. Unfortunately, because of the buffer of quota
+ data block is still referenced, quota code cannot read the up to date
+ quota info from the device and lead to quota information corruption.
+
+This problem can be reproduced by xfstests generic/231 on ext3 file
+system or ext4 file system without extent and quota features.
+
+This patch fix this problem by releasing the missing indirect buffers,
+in ext4_ind_remove_space().
+
+Reported-by: Hulk Robot
+Signed-off-by: zhangyi (F)
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Jan Kara
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/indirect.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -1387,10 +1387,14 @@ end_range:
+ partial->p + 1,
+ partial2->p,
+ (chain+n-1) - partial);
+- BUFFER_TRACE(partial->bh, "call brelse");
+- brelse(partial->bh);
+- BUFFER_TRACE(partial2->bh, "call brelse");
+- brelse(partial2->bh);
++ while (partial > chain) {
++ BUFFER_TRACE(partial->bh, "call brelse");
++ brelse(partial->bh);
++ }
++ while (partial2 > chain2) {
++ BUFFER_TRACE(partial2->bh, "call brelse");
++ brelse(partial2->bh);
++ }
+ return 0;
+ }
+
diff --git a/queue-5.0/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch b/queue-5.0/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
new file mode 100644
index 00000000000..c704f0047cd
--- /dev/null
+++ b/queue-5.0/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
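Review bot: Neither of the two added `while` loops advances its cursor: the body of `while (partial > chain)` only calls BUFFER_TRACE() and brelse() on `partial->bh`, so whenever the condition holds on entry the same buffer is released again and again and the loop never terminates, and `while (partial2 > chain2)` has the same shape. Each loop needs a step after the release, `partial--;` in the first and `partial2--;` in the second, so that every level of the chain is released once and the loop reaches `chain`; this appears to be how the other release loops in this function walk back down the chain, though they lie outside the hunk. With the step in place the diffstat would be 10 insertions rather than 8. ext4_ind_remove_space() starts and ends outside the hunk.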
@@ -0,0 +1,79 @@
+From 372a03e01853f860560eade508794dd274e9b390 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner
+Date: Thu, 14 Mar 2019 23:20:25 -0400
+Subject: ext4: fix data corruption caused by unaligned direct AIO
+
+From: Lukas Czerner
+
+commit 372a03e01853f860560eade508794dd274e9b390 upstream.
+
+Ext4 needs to serialize unaligned direct AIO because the zeroing of
+partial blocks of two competing unaligned AIOs can result in data
+corruption.
+
+However it decides not to serialize if the potentially unaligned aio is
+past i_size with the rationale that no pending writes are possible past
+i_size. Unfortunately if the i_size is not block aligned and the second
+unaligned write lands past i_size, but still into the same block, it has
+the potential of corrupting the previous unaligned write to the same
+block.
+
+This is (very simplified) reproducer from Frank
+
+ // 41472 = (10 * 4096) + 512
+ // 37376 = 41472 - 4096
+
+ ftruncate(fd, 41472);
+ io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376);
+ io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472);
+
+ io_submit(io_ctx, 1, &iocbs[1]);
+ io_submit(io_ctx, 1, &iocbs[2]);
+
+ io_getevents(io_ctx, 2, 2, events, NULL);
+
+Without this patch the 512B range from 40960 up to the start of the
+second unaligned write (41472) is going to be zeroed overwriting the data
+written by the first write. This is a data corruption.
+
+00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
+*
+0000a000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
+
+With this patch the data corruption is avoided because we will recognize
+the unaligned_aio and wait for the unwritten extent conversion.
+
+00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+*
+00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
+*
+0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
+*
+0000b200
+
+Reported-by: Frank Sorenson
+Signed-off-by: Lukas Czerner
+Signed-off-by: Theodore Ts'o
+Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -125,7 +125,7 @@ ext4_unaligned_aio(struct inode *inode,
+ struct super_block *sb = inode->i_sb;
+ int blockmask = sb->s_blocksize - 1;
+
+- if (pos >= i_size_read(inode))
++ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
+ return 0;
+
+ if ((pos | iov_iter_alignment(from)) & blockmask)
diff --git a/queue-5.0/ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch b/queue-5.0/ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
new file mode 100644
index 00000000000..cefd7b78f2b
--- /dev/null
+++ b/queue-5.0/ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
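Review bot: The new condition `if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))` is the whole fix, yet nothing in the code says why i_size is rounded up to a block boundary before the comparison, so the next reader may "simplify" it back to the plain i_size test. A comment above the line would carry the reasoning the commit message gives: `/* A write past i_size can still land in the last, partially written block, which a pending unaligned AIO may be zeroing; only skip serialization once pos is beyond that block. */`. The description of the race is taken from the commit message rather than from the visible code, so confirm it against the callers before wording the comment as fact. ext4_unaligned_aio() starts and ends outside the hunk.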
@@ -0,0 +1,59 @@
+From fa30dde38aa8628c73a6dded7cb0bba38c27b576 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue
+Date: Thu, 14 Mar 2019 23:19:22 -0400
+Subject: ext4: fix NULL pointer dereference while journal is aborted
+
+From: Jiufei Xue
+
+commit fa30dde38aa8628c73a6dded7cb0bba38c27b576 upstream.
+
+We see the following NULL pointer dereference while running xfstests
+generic/475:
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+PGD 8000000c84bad067 P4D 8000000c84bad067 PUD c84e62067 PMD 0
+Oops: 0000 [#1] SMP PTI
+CPU: 7 PID: 9886 Comm: fsstress Kdump: loaded Not tainted 5.0.0-rc8 #10
+RIP: 0010:ext4_do_update_inode+0x4ec/0x760
+...
+Call Trace:
+? jbd2_journal_get_write_access+0x42/0x50
+? __ext4_journal_get_write_access+0x2c/0x70
+? ext4_truncate+0x186/0x3f0
+ext4_mark_iloc_dirty+0x61/0x80
+ext4_mark_inode_dirty+0x62/0x1b0
+ext4_truncate+0x186/0x3f0
+? unmap_mapping_pages+0x56/0x100
+ext4_setattr+0x817/0x8b0
+notify_change+0x1df/0x430
+do_truncate+0x5e/0x90
+? generic_permission+0x12b/0x1a0
+
+This is triggered because the NULL pointer handle->h_transaction was
+dereferenced in function ext4_update_inode_fsync_trans().
+I found that the h_transaction was set to NULL in jbd2__journal_restart
+but failed to attached to a new transaction while the journal is aborted.
+
+Fix this by checking the handle before updating the inode.
+
+Fixes: b436b9bef84d ("ext4: Wait for proper transaction commit on fsync")
+Signed-off-by: Jiufei Xue
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Joseph Qi
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/ext4_jbd2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/ext4_jbd2.h
++++ b/fs/ext4/ext4_jbd2.h
+@@ -384,7 +384,7 @@ static inline void ext4_update_inode_fsy
+ {
+ struct ext4_inode_info *ei = EXT4_I(inode);
+
+- if (ext4_handle_valid(handle)) {
++ if (ext4_handle_valid(handle) && !is_handle_aborted(handle)) {
+ ei->i_sync_tid = handle->h_transaction->t_tid;
+ if (datasync)
+ ei->i_datasync_tid = handle->h_transaction->t_tid;
diff --git a/queue-5.0/powerpc-mm-only-define-max_physmem_bits-in-sparsemem-configurations.patch b/queue-5.0/powerpc-mm-only-define-max_physmem_bits-in-sparsemem-configurations.patch
deleted file mode 100644
index 44a21cf4419..00000000000
--- a/queue-5.0/powerpc-mm-only-define-max_physmem_bits-in-sparsemem-configurations.patch
+++ /dev/null
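Review bot: The added `!is_handle_aborted(handle)` test protects the `handle->h_transaction->t_tid` dereferences on the following two lines only indirectly, and nothing in the code records that h_transaction can be NULL in that state, so the link between "aborted" and "NULL pointer" exists only in the commit message. A one-line comment on the condition would preserve it: `/* h_transaction is NULL after a restart fails on an aborted journal */`. As a point of style, the guarded pointer is then chased twice; reading it once into a local, `tid_t tid = handle->h_transaction->t_tid;`, and assigning `tid` to both fields makes the single protected dereference explicit. ext4_update_inode_fsync_trans() continues past the end of the hunk.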
@@ -1,46 +0,0 @@
-From 8bc086899816214fbc6047c9c7e15fcab49552bf Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Sun, 17 Mar 2019 01:17:56 +0000
-Subject: powerpc/mm: Only define MAX_PHYSMEM_BITS in SPARSEMEM configurations
-
-From: Ben Hutchings
-
-commit 8bc086899816214fbc6047c9c7e15fcab49552bf upstream.
-
-MAX_PHYSMEM_BITS only needs to be defined if CONFIG_SPARSEMEM is
-enabled, and that was the case before commit 4ffe713b7587
-("powerpc/mm: Increase the max addressable memory to 2PB").
-
-On 32-bit systems, where CONFIG_SPARSEMEM is not enabled, we now
-define it as 46. That is larger than the real number of physical
-address bits, and breaks calculations in zsmalloc:
-
- mm/zsmalloc.c:130:49: warning: right shift count is negative
- MAX(32, (ZS_MAX_PAGES_PER_ZSPAGE << PAGE_SHIFT >> OBJ_INDEX_BITS))
- ^~
- ...
- mm/zsmalloc.c:253:21: error: variably modified 'size_class' at file scope
- struct size_class *size_class[ZS_SIZE_CLASSES];
- ^~~~~~~~~~
-
-Fixes: 4ffe713b7587 ("powerpc/mm: Increase the max addressable memory to 2PB")
-Cc: stable@vger.kernel.org # v4.20+
-Signed-off-by: Ben Hutchings
-Signed-off-by: Michael Ellerman
-Signed-off-by: Greg Kroah-Hartman
-
----
- arch/powerpc/include/asm/mmu.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/powerpc/include/asm/mmu.h
-+++ b/arch/powerpc/include/asm/mmu.h
-@@ -341,7 +341,7 @@ static inline u16 get_mm_addr_key(struct
- #if defined(CONFIG_SPARSEMEM_VMEMMAP) && defined(CONFIG_SPARSEMEM_EXTREME) && \
- defined (CONFIG_PPC_64K_PAGES)
- #define MAX_PHYSMEM_BITS 51
--#else
-+#elif defined(CONFIG_SPARSEMEM)
- #define MAX_PHYSMEM_BITS 46
- #endif
-
diff --git a/queue-5.0/series b/queue-5.0/series
index d3a0fd2fb9d..cbfb4d0566b 100644
--- a/queue-5.0/series
+++ b/queue-5.0/series
@@ -15,7 +15,6 @@ mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch
 mips-ensure-elf-appended-dtb-is-relocated.patch
 mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch
 powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch
-powerpc-mm-only-define-max_physmem_bits-in-sparsemem-configurations.patch
 powerpc-security-fix-spectre_v2-reporting.patch
 net-mlx5-fix-dct-creation-bad-flow.patch
 scsi-core-avoid-that-a-kernel-warning-appears-during-system-resume.patch
@@ -31,3 +30,6 @@ clocksource-drivers-riscv-fix-clocksource-mask.patch
 smb3-fix-smb3.1.1-guest-mounts-to-samba.patch
 alsa-hda-don-t-trigger-jackpoll_work-in-azx_resume.patch
 alsa-ac97-fix-of-node-refcount-unbalance.patch
+ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
+ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
+ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch