From: Greg Kroah-Hartman Date: Mon, 21 Apr 2014 01:29:39 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.13.11~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d7baa15c240a3bba61294e2a10bb3f6d04de327;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch jffs2-fix-crash-due-to-truncation-of-csize.patch jffs2-fix-segmentation-fault-found-in-stress-test.patch jffs2-remove-from-wait-queue-after-schedule.patch --- diff --git a/queue-3.4/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch b/queue-3.4/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch new file mode 100644 index 00000000000..5b104ecfb30 --- /dev/null +++ b/queue-3.4/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch @@ -0,0 +1,64 @@ +From c06344939422bbd032ac967223a7863de57496b5 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Thu, 13 Mar 2014 23:34:16 -0400 +Subject: ext4: fix partial cluster handling for bigalloc file systems + +From: Eric Whitney + +commit c06344939422bbd032ac967223a7863de57496b5 upstream. + +Commit 9cb00419fa, which enables hole punching for bigalloc file +systems, exposed a bug introduced by commit 6ae06ff51e in an earlier +release. When run on a bigalloc file system, xfstests generic/013, 068, +075, 083, 091, 100, 112, 127, 263, 269, and 270 fail with e2fsck errors +or cause kernel error messages indicating that previously freed blocks +are being freed again. + +The latter commit optimizes the selection of the starting extent in +ext4_ext_rm_leaf() when hole punching by beginning with the extent +supplied in the path argument rather than with the last extent in the +leaf node (as is still done when truncating). However, the code in +rm_leaf that initially sets partial_cluster to track cluster sharing on +extent boundaries is only guaranteed to run if rm_leaf starts with the +last node in the leaf. Consequently, partial_cluster is not correctly +initialized when hole punching, and a cluster on the boundary of a +punched region that should be retained may instead be deallocated. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2372,6 +2372,27 @@ ext4_ext_rm_leaf(handle_t *handle, struc + ex_ee_block = le32_to_cpu(ex->ee_block); + ex_ee_len = ext4_ext_get_actual_len(ex); + ++ /* ++ * If we're starting with an extent other than the last one in the ++ * node, we need to see if it shares a cluster with the extent to ++ * the right (towards the end of the file). If its leftmost cluster ++ * is this extent's rightmost cluster and it is not cluster aligned, ++ * we'll mark it as a partial that is not to be deallocated. ++ */ ++ ++ if (ex != EXT_LAST_EXTENT(eh)) { ++ ext4_fsblk_t current_pblk, right_pblk; ++ long long current_cluster, right_cluster; ++ ++ current_pblk = ext4_ext_pblock(ex) + ex_ee_len - 1; ++ current_cluster = (long long)EXT4_B2C(sbi, current_pblk); ++ right_pblk = ext4_ext_pblock(ex + 1); ++ right_cluster = (long long)EXT4_B2C(sbi, right_pblk); ++ if (current_cluster == right_cluster && ++ EXT4_PBLK_COFF(sbi, right_pblk)) ++ *partial_cluster = -right_cluster; ++ } ++ + trace_ext4_ext_rm_leaf(inode, start, ex, *partial_cluster); + + while (ex >= EXT_FIRST_EXTENT(eh) && diff --git a/queue-3.4/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch b/queue-3.4/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch new file mode 100644 index 00000000000..31002c74b54 --- /dev/null +++ b/queue-3.4/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch @@ -0,0 +1,73 @@ +From 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:56 -0800 +Subject: jffs2: avoid soft-lockup in jffs2_reserve_space_gc() + +From: Li Zefan + +commit 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 upstream. + +We triggered soft-lockup under stress test on 2.6.34 kernel. + +BUG: soft lockup - CPU#1 stuck for 60009ms! [lockf2.test:14488] +... +[] (jffs2_do_reserve_space+0x420/0x440 [jffs2]) +[] (jffs2_reserve_space_gc+0x34/0x78 [jffs2]) +[] (jffs2_garbage_collect_dnode.isra.3+0x264/0x478 [jffs2]) +[] (jffs2_garbage_collect_pass+0x9c0/0xe4c [jffs2]) +[] (jffs2_reserve_space+0x104/0x2a8 [jffs2]) +[] (jffs2_write_inode_range+0x5c/0x4d4 [jffs2]) +[] (jffs2_write_end+0x198/0x2c0 [jffs2]) +[] (generic_file_buffered_write+0x158/0x200) +[] (__generic_file_aio_write+0x3a4/0x414) +[] (generic_file_aio_write+0x5c/0xbc) +[] (do_sync_write+0x98/0xd4) +[] (vfs_write+0xa8/0x150) +[] (sys_write+0x3c/0xc0)] + +Fix this by adding a cond_resched() in the while loop. + +[akpm@linux-foundation.org: don't initialize `ret'] +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -169,20 +169,25 @@ int jffs2_reserve_space(struct jffs2_sb_ + int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, + uint32_t *len, uint32_t sumsize) + { +- int ret = -EAGAIN; ++ int ret; + minsize = PAD(minsize); + + jffs2_dbg(1, "%s(): Requested 0x%x bytes\n", __func__, minsize); + +- spin_lock(&c->erase_completion_lock); +- while(ret == -EAGAIN) { ++ while (true) { ++ spin_lock(&c->erase_completion_lock); + ret = jffs2_do_reserve_space(c, minsize, len, sumsize); + if (ret) { + jffs2_dbg(1, "%s(): looping, ret is %d\n", + __func__, ret); + } ++ spin_unlock(&c->erase_completion_lock); ++ ++ if (ret == -EAGAIN) ++ cond_resched(); ++ else ++ break; + } +- spin_unlock(&c->erase_completion_lock); + if (!ret) + ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + diff --git a/queue-3.4/jffs2-fix-crash-due-to-truncation-of-csize.patch b/queue-3.4/jffs2-fix-crash-due-to-truncation-of-csize.patch new file mode 100644 index 00000000000..e333650cb86 --- /dev/null +++ b/queue-3.4/jffs2-fix-crash-due-to-truncation-of-csize.patch @@ -0,0 +1,81 @@ +From 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 Mon Sep 17 00:00:00 2001 +From: Ajesh Kunhipurayil Vijayan +Date: Mon, 6 Jan 2014 19:06:55 +0530 +Subject: jffs2: Fix crash due to truncation of csize + +From: Ajesh Kunhipurayil Vijayan + +commit 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 upstream. + +mounting JFFS2 partition sometimes crashes with this call trace: + +[ 1322.240000] Kernel bug detected[#1]: +[ 1322.244000] Cpu 2 +[ 1322.244000] $ 0 : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001 +[ 1322.252000] $ 4 : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000 +[ 1322.260000] $ 8 : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8 +[ 1322.268000] $12 : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e +[ 1322.276000] $16 : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000 +[ 1322.284000] $20 : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0 +[ 1322.292000] $24 : 0000000000000004 0000000000000000 +[ 1322.300000] $28 : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0 +[ 1322.308000] Hi : 000000000000023c +[ 1322.312000] Lo : 000000000003f802 +[ 1322.316000] epc : ffffffffc039a9f8 check_tn_node+0x88/0x3b0 +[ 1322.320000] Not tainted +[ 1322.324000] ra : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.332000] Status: 5400f8e3 KX SX UX KERNEL EXL IE +[ 1322.336000] Cause : 00800034 +[ 1322.340000] PrId : 000c1004 (Netlogic XLP) +[ 1322.344000] Modules linked in: +[ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000) +[ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000 + c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc + c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000 + 0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180 + 0000008600000000 0000000000000000 0000000000000000 0000000000000000 + 0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000 + 0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00 + c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0 + 0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90 + 0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c + ... +[ 1322.424000] Call Trace: +[ 1322.428000] [] check_tn_node+0x88/0x3b0 +[ 1322.432000] [] jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.440000] [] jffs2_do_crccheck_inode+0x70/0xd0 +[ 1322.448000] [] jffs2_garbage_collect_pass+0x160/0x870 +[ 1322.452000] [] jffs2_garbage_collect_thread+0xdc/0x1f0 +[ 1322.460000] [] kthread+0xb8/0xc0 +[ 1322.464000] [] kernel_thread_helper+0x10/0x18 +[ 1322.472000] +[ 1322.472000] +Code: 67bd0050 94a4002c 2c830001 <00038036> de050218 2403fffc 0080a82d 00431824 24630044 +[ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]--- + +The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it +is used to hold the compressed data length(csize) which is declared as uint32_t. +So, when the value of csize exceeds 16bits, it gets truncated when assigned to +tn->csize. This is causing a kernel BUG. +Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue. + +Signed-off-by: Ajesh Kunhipurayil Vijayan +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodelist.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jffs2/nodelist.h ++++ b/fs/jffs2/nodelist.h +@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info + uint32_t version; + uint32_t data_crc; + uint32_t partial_crc; +- uint16_t csize; ++ uint32_t csize; + uint16_t overlapped; + }; + diff --git a/queue-3.4/jffs2-fix-segmentation-fault-found-in-stress-test.patch b/queue-3.4/jffs2-fix-segmentation-fault-found-in-stress-test.patch new file mode 100644 index 00000000000..660d094e7a1 --- /dev/null +++ b/queue-3.4/jffs2-fix-segmentation-fault-found-in-stress-test.patch @@ -0,0 +1,99 @@ +From 3367da5610c50e6b83f86d366d72b41b350b06a2 Mon Sep 17 00:00:00 2001 +From: Kamlakant Patel +Date: Mon, 6 Jan 2014 19:06:54 +0530 +Subject: jffs2: Fix segmentation fault found in stress test + +From: Kamlakant Patel + +commit 3367da5610c50e6b83f86d366d72b41b350b06a2 upstream. + +Creating a large file on a JFFS2 partition sometimes crashes with this call +trace: + +[ 306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044 +[ 306.488000] Oops[#1]: +[ 306.488000] Cpu 13 +[ 306.492000] $ 0 : 0000000000000000 0000000000000000 0000000000008008 0000000000008007 +[ 306.500000] $ 4 : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58 +[ 306.508000] $ 8 : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002 +[ 306.516000] $12 : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb +[ 306.524000] $16 : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70 +[ 306.532000] $20 : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000 +[ 306.540000] $24 : 0000000000000000 0000000000000004 +[ 306.548000] $28 : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044 +[ 306.556000] Hi : 00000000000574a5 +[ 306.560000] Lo : 6193b7a7e903d8c9 +[ 306.564000] epc : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198 +[ 306.568000] Tainted: G W +[ 306.572000] ra : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198 +[ 306.580000] Status: 5000f8e3 KX SX UX KERNEL EXL IE +[ 306.584000] Cause : 00800008 +[ 306.588000] BadVA : c0000000dfff8002 +[ 306.592000] PrId : 000c1100 (Netlogic XLP) +[ 306.596000] Modules linked in: +[ 306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490) +[ 306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f + 7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7 + 7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb + 7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93 + 7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64 + 7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53 + 7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80 + 7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3 + 7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6 + 7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9 + ... +[ 306.676000] Call Trace: +[ 306.680000] [] jffs2_rtime_compress+0x98/0x198 +[ 306.684000] [] jffs2_selected_compress+0x110/0x230 +[ 306.692000] [] jffs2_compress+0x5c/0x388 +[ 306.696000] [] jffs2_write_inode_range+0xd8/0x388 +[ 306.704000] [] jffs2_write_end+0x16c/0x2d0 +[ 306.708000] [] generic_file_buffered_write+0xf8/0x2b8 +[ 306.716000] [] __generic_file_aio_write+0x1ac/0x350 +[ 306.720000] [] generic_file_aio_write+0x80/0x168 +[ 306.728000] [] do_sync_write+0x94/0xf8 +[ 306.732000] [] vfs_write+0xa4/0x1a0 +[ 306.736000] [] SyS_write+0x50/0x90 +[ 306.744000] [] handle_sys+0x180/0x1a0 +[ 306.748000] +[ 306.748000] +Code: 020b202d 0205282d 90a50000 <90840000> 14a40038 00000000 0060602d 0000282d 016c5823 +[ 306.760000] ---[ end trace 79dd088435be02d0 ]--- +Segmentation fault + +This crash is caused because the 'positions' is declared as an array of signed +short. The value of position is in the range 0..65535, and will be converted +to a negative number when the position is greater than 32767 and causes a +corruption and crash. Changing the definition to 'unsigned short' fixes this +issue + +Signed-off-by: Jayachandran C +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/compr_rtime.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/compr_rtime.c ++++ b/fs/jffs2/compr_rtime.c +@@ -33,7 +33,7 @@ static int jffs2_rtime_compress(unsigned + unsigned char *cpage_out, + uint32_t *sourcelen, uint32_t *dstlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + +@@ -74,7 +74,7 @@ static int jffs2_rtime_decompress(unsign + unsigned char *cpage_out, + uint32_t srclen, uint32_t destlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + diff --git a/queue-3.4/jffs2-remove-from-wait-queue-after-schedule.patch b/queue-3.4/jffs2-remove-from-wait-queue-after-schedule.patch new file mode 100644 index 00000000000..90785e6df76 --- /dev/null +++ b/queue-3.4/jffs2-remove-from-wait-queue-after-schedule.patch @@ -0,0 +1,35 @@ +From 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:57 -0800 +Subject: jffs2: remove from wait queue after schedule() + +From: Li Zefan + +commit 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 upstream. + +@wait is a local variable, so if we don't remove it from the wait queue +list, later wake_up() may end up accessing invalid memory. + +This was spotted by eyes. + +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -139,6 +139,7 @@ int jffs2_reserve_space(struct jffs2_sb_ + spin_unlock(&c->erase_completion_lock); + + schedule(); ++ remove_wait_queue(&c->erase_wait, &wait); + } else + spin_unlock(&c->erase_completion_lock); + } else if (ret) diff --git a/queue-3.4/series b/queue-3.4/series index 7f2cd6a26f2..17e28653faa 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -20,3 +20,8 @@ sparc32-fix-build-failure-for-arch_jump_label_transform.patch sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch char-ipmi_bt_sm-fix-infinite-loop.patch bluetooth-fix-removing-long-term-key.patch +ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch +jffs2-fix-segmentation-fault-found-in-stress-test.patch +jffs2-fix-crash-due-to-truncation-of-csize.patch +jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch +jffs2-remove-from-wait-queue-after-schedule.patch