From: Sasha Levin
Date: Sun, 23 Aug 2020 01:16:35 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.4.234~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b330d149b87823982faccdbcfc700808ca30a4fc;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.19

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.19/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch b/queue-4.19/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
new file mode 100644
index 00000000000..55c9afe29ee
--- /dev/null
+++ b/queue-4.19/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
@@ -0,0 +1,67 @@ +From 0db9ad5a756184317f060b473533cab82170767f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 11:12:46 -0400 +Subject: btrfs: don't show full path of bind mounts in subvol= + +From: Josef Bacik + +[ Upstream commit 3ef3959b29c4a5bd65526ab310a1a18ae533172a ] + +Chris Murphy reported a problem where rpm ostree will bind mount a bunch +of things for whatever voodoo it's doing. But when it does this +/proc/mounts shows something like + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo/bar 0 0 + +Despite subvolid=256 being subvol=/foo. This is because we're just +spitting out the dentry of the mount point, which in the case of bind +mounts is the source path for the mountpoint. Instead we should spit +out the path to the actual subvol. Fix this by looking up the name for +the subvolid we have mounted. With this fix the same test looks like +this + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + +Reported-by: Chris Murphy +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 3e6e21a7c5e6f..4d2810a32b4a9 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1282,6 +1282,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + { + struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb); + const char *compress_type; ++ const char *subvol_name; + + if (btrfs_test_opt(info, DEGRADED)) + seq_puts(seq, ",degraded"); +@@ -1366,8 +1367,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + seq_puts(seq, ",ref_verify"); + seq_printf(seq, ",subvolid=%llu", + 
BTRFS_I(d_inode(dentry))->root->root_key.objectid); +- seq_puts(seq, ",subvol="); +- seq_dentry(seq, dentry, " \t\n\\"); ++ subvol_name = btrfs_get_subvol_name_from_objectid(info, ++ BTRFS_I(d_inode(dentry))->root->root_key.objectid); ++ if (!IS_ERR(subvol_name)) { ++ seq_puts(seq, ",subvol="); ++ seq_escape(seq, subvol_name, " \t\n\\"); ++ kfree(subvol_name); ++ } + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch b/queue-4.19/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch new file mode 100644 index 00000000000..68ebe3bb0d7 --- /dev/null +++ b/queue-4.19/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch 
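Review bot: When `btrfs_get_subvol_name_from_objectid()` returns an error pointer, the new `if (!IS_ERR(subvol_name))` block in btrfs_show_options() drops `,subvol=` from the option string without any trace, so a reader of /proc/mounts sees `subvolid=` alone and cannot tell a failed lookup from a mount that never had the option. That deserves a comment above the check, for example `/* lookup failed: omit subvol= rather than print a wrong path */`; which errors the helper can return is not visible in this hunk. The expression `BTRFS_I(d_inode(dentry))->root->root_key.objectid` is now spelled twice and could be read once into a local. Keeping the `" \t\n\\"` escape set when moving from `seq_dentry()` to `seq_escape()` is the right choice, since subvolume names end up in a line-oriented file that userspace parses. Only part of btrfs_show_options() is shown here.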
@@ -0,0 +1,107 @@ +From 6b700d1726ecc543b9286a02b786d4ba96b899cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2020 14:56:12 +0100 +Subject: btrfs: export helpers for subvolume name/id resolution + +From: Marcos Paulo de Souza + +[ Upstream commit c0c907a47dccf2cf26251a8fb4a8e7a3bf79ce84 ] + +The functions will be used outside of export.c and super.c to allow +resolving subvolume name from a given id, eg. for subvolume deletion by +id ioctl. + +Signed-off-by: Marcos Paulo de Souza +Reviewed-by: David Sterba +[ split from the next patch ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/export.c | 8 ++++---- + fs/btrfs/export.h | 5 +++++ + fs/btrfs/super.c | 8 ++++---- + 4 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 15cb96ad15d8c..554727d82d432 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3271,6 +3271,8 @@ void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info); + int btrfs_parse_options(struct btrfs_fs_info *info, char *options, + unsigned long new_flags); + int btrfs_sync_fs(struct super_block *sb, int wait); ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid); + + static inline __printf(2, 3) __cold + void btrfs_no_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...) 
+diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index 1f3755b3a37ae..665ec85cb09b8 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -57,9 +57,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len, + return type; + } + +-static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, +- u64 root_objectid, u32 generation, +- int check_generation) ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation) + { + struct btrfs_fs_info *fs_info = btrfs_sb(sb); + struct btrfs_root *root; +@@ -152,7 +152,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh, + return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1); + } + +-static struct dentry *btrfs_get_parent(struct dentry *child) ++struct dentry *btrfs_get_parent(struct dentry *child) + { + struct inode *dir = d_inode(child); + struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb); +diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h +index 57488ecd7d4ef..f32f4113c976a 100644 +--- a/fs/btrfs/export.h ++++ b/fs/btrfs/export.h +@@ -18,4 +18,9 @@ struct btrfs_fid { + u64 parent_root_objectid; + } __attribute__ ((packed)); + ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation); ++struct dentry *btrfs_get_parent(struct dentry *child); ++ + #endif +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index ed539496089f1..3e6e21a7c5e6f 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1000,8 +1000,8 @@ out: + return error; + } + +-static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, +- u64 subvol_objectid) ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid) + { + struct btrfs_root *root = fs_info->tree_root; + struct btrfs_root *fs_root; +@@ -1412,8 +1412,8 @@ static struct dentry *mount_subvol(const char 
*subvol_name, u64 subvol_objectid, + goto out; + } + } +- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb), +- subvol_objectid); ++ subvol_name = btrfs_get_subvol_name_from_objectid( ++ btrfs_sb(mnt->mnt_sb), subvol_objectid); + if (IS_ERR(subvol_name)) { + root = ERR_CAST(subvol_name); + subvol_name = NULL; +-- +2.25.1 + diff --git a/queue-4.19/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch b/queue-4.19/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch new file mode 100644 index 00000000000..d944d6f6ebc --- /dev/null +++ b/queue-4.19/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch 
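Review bot: The new prototype for `btrfs_get_subvol_name_from_objectid()` in ctree.h states nothing about its return contract, although the function is now callable from any btrfs file. Both callers visible in this queue test the result with `IS_ERR()`, and the show_options caller releases it with `kfree()`, so a comment such as `/* Returns an allocated path the caller must kfree(), or an ERR_PTR on failure */` belongs on the declaration (wording to be confirmed against the function body, which is outside this hunk). The same patch also drops `static` from `btrfs_get_dentry()` and `btrfs_get_parent()`; no user outside export.c appears in this queue, so it is worth checking whether the 4.19 backport needs that wider linkage at all.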
@@ -0,0 +1,109 @@ +From 7a17f9be6b8a112f55032069d951914fa2cf9bcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 16:39:26 +0800 +Subject: btrfs: inode: fix NULL pointer dereference if inode doesn't need + compression + +From: Qu Wenruo + +[ Upstream commit 1e6e238c3002ea3611465ce5f32777ddd6a40126 ] + +[BUG] +There is a bug report of NULL pointer dereference caused in +compress_file_extent(): + + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs] + NIP [c008000006dd4d34] compress_file_range.constprop.41+0x75c/0x8a0 [btrfs] + LR [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] + Call Trace: + [c000000c69093b00] [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] (unreliable) + [c000000c69093bd0] [c008000006dd4ebc] async_cow_start+0x44/0xa0 [btrfs] + [c000000c69093c10] [c008000006e14824] normal_work_helper+0xdc/0x598 [btrfs] + [c000000c69093c80] [c0000000001608c0] process_one_work+0x2c0/0x5b0 + [c000000c69093d10] [c000000000160c38] worker_thread+0x88/0x660 + [c000000c69093db0] [c00000000016b55c] kthread+0x1ac/0x1c0 + [c000000c69093e20] [c00000000000b660] ret_from_kernel_thread+0x5c/0x7c + ---[ end trace f16954aa20d822f6 ]--- + +[CAUSE] +For the following execution route of compress_file_range(), it's +possible to hit NULL pointer dereference: + + compress_file_extent() + |- pages = NULL; + |- start = async_chunk->start = 0; + |- end = async_chunk = 4095; + |- nr_pages = 1; + |- inode_need_compress() == false; <<< Possible, see later explanation + | Now, we have nr_pages = 1, pages = NULL + |- cont: + |- ret = cow_file_range_inline(); + |- if (ret <= 0) { + |- for (i = 0; i < nr_pages; i++) { + |- WARN_ON(pages[i]->mapping); <<< Crash + +To enter above call execution branch, we need the following race: + + Thread 1 (chattr) | Thread 2 (writeback) 
+--------------------------+------------------------------ + | btrfs_run_delalloc_range + | |- inode_need_compress = true + | |- cow_file_range_async() +btrfs_ioctl_set_flag() | +|- binode_flags |= | + BTRFS_INODE_NOCOMPRESS | + | compress_file_range() + | |- inode_need_compress = false + | |- nr_page = 1 while pages = NULL + | | Then hit the crash + +[FIX] +This patch will fix it by checking @pages before doing accessing it. +This patch is only designed as a hot fix and easy to backport. + +More elegant fix may make btrfs only check inode_need_compress() once to +avoid such race, but that would be another story. + +Reported-by: Luciano Chavez +Fixes: 4d3a800ebb12 ("btrfs: merge nr_pages input and output parameter in compress_pages") +CC: stable@vger.kernel.org # 4.14.x: cecc8d9038d16: btrfs: Move free_pages_out label in inline extent handling branch in compress_file_range +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 8507192cd6449..bdfe159a60da6 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -629,11 +629,18 @@ cont: + page_error_op | + PAGE_END_WRITEBACK); + +- for (i = 0; i < nr_pages; i++) { +- WARN_ON(pages[i]->mapping); +- put_page(pages[i]); ++ /* ++ * Ensure we only free the compressed pages if we have ++ * them allocated, as we can still reach here with ++ * inode_need_compress() == false. ++ */ ++ if (pages) { ++ for (i = 0; i < nr_pages; i++) { ++ WARN_ON(pages[i]->mapping); ++ put_page(pages[i]); ++ } ++ kfree(pages); + } +- kfree(pages); + + return; + } +-- +2.25.1 + diff --git a/queue-4.19/btrfs-move-free_pages_out-label-in-inline-extent-han.patch b/queue-4.19/btrfs-move-free_pages_out-label-in-inline-extent-han.patch new file mode 100644 index 00000000000..2f1ec3f2b4c --- /dev/null 
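Review bot: The added `if (pages)` guard in the `cont:` branch of compress_file_range() stops the crash but leaves `nr_pages` at 1 while `pages` is NULL, so the count and the array disagree on any path that does not return here. A later use of the pair outside this hunk would need the same guard; that cannot be checked from what is shown. The new comment says the branch can be reached with `inode_need_compress() == false` but not why; one more line in it, `* (the NOCOMPRESS flag can be set by an ioctl between the two inode_need_compress() calls)`, would carry the race described in the commit message into the code.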
+++ b/queue-4.19/btrfs-move-free_pages_out-label-in-inline-extent-han.patch
@@ -0,0 +1,59 @@
+From cb8f203913edf450bee82e1187168a458998e8f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jul 2019 14:41:45 +0300
+Subject: btrfs: Move free_pages_out label in inline extent handling branch in
+ compress_file_range
+
+From: Nikolay Borisov
+
+[ Upstream commit cecc8d9038d164eda61fbcd72520975a554ea63e ]
+
+This label is only executed if compress_file_range fails to create an
+inline extent. So move its code in the semantically related inline
+extent handling branch. No functional changes.
+
+Signed-off-by: Nikolay Borisov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/inode.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 1656ef0e959f0..8507192cd6449 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -628,7 +628,14 @@ cont:
+ PAGE_SET_WRITEBACK |
+ page_error_op |
+ PAGE_END_WRITEBACK);
+- goto free_pages_out;
++
++ for (i = 0; i < nr_pages; i++) {
++ WARN_ON(pages[i]->mapping);
++ put_page(pages[i]);
++ }
++ kfree(pages);
++
++ return;
+ }
+ }
+
+@@ -706,13 +713,6 @@ cleanup_and_bail_uncompressed:
+ *num_added += 1;
+
+ return;
+-
+-free_pages_out:
+- for (i = 0; i < nr_pages; i++) {
+- WARN_ON(pages[i]->mapping);
+- put_page(pages[i]);
+- }
+- kfree(pages);
+ }
+
+ static void free_async_extent_pages(struct async_extent *async_extent)
+--
+2.25.1
+
diff --git a/queue-4.19/btrfs-sysfs-use-nofs-for-device-creation.patch b/queue-4.19/btrfs-sysfs-use-nofs-for-device-creation.patch
new file mode 100644
index 00000000000..1a086923d98
--- /dev/null
+++ b/queue-4.19/btrfs-sysfs-use-nofs-for-device-creation.patch
@@ -0,0 +1,190 @@ +From 143b6a0ce035046e3b2ee2f52a0f733ea8ca10c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 10:17:50 -0400 +Subject: btrfs: sysfs: use NOFS for device creation + +From: Josef Bacik + +Dave hit this splat during testing btrfs/078: + + ====================================================== + WARNING: possible circular locking dependency detected + 5.8.0-rc6-default+ #1191 Not tainted + ------------------------------------------------------ + kswapd0/75 is trying to acquire lock: + ffffa040e9d04ff8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + + but task is already holding lock: + ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (fs_reclaim){+.+.}-{0:0}: + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + fs_reclaim_acquire.part.0+0x25/0x30 + __kmalloc_track_caller+0x49/0x330 + kstrdup+0x2e/0x60 + __kernfs_new_node.constprop.0+0x44/0x250 + kernfs_new_node+0x25/0x50 + kernfs_create_link+0x34/0xa0 + sysfs_do_create_link_sd+0x5e/0xd0 + btrfs_sysfs_add_devices_dir+0x65/0x100 [btrfs] + btrfs_init_new_device+0x44c/0x12b0 [btrfs] + btrfs_ioctl+0xc3c/0x25c0 [btrfs] + ksys_ioctl+0x68/0xa0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x50/0xe0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}: + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + __mutex_lock+0xa0/0xaf0 + btrfs_chunk_alloc+0x137/0x3e0 [btrfs] + find_free_extent+0xb44/0xfb0 [btrfs] + btrfs_reserve_extent+0x9b/0x180 [btrfs] + btrfs_alloc_tree_block+0xc1/0x350 [btrfs] + alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] + __btrfs_cow_block+0x143/0x7a0 [btrfs] + btrfs_cow_block+0x15f/0x310 [btrfs] + push_leaf_right+0x150/0x240 [btrfs] + split_leaf+0x3cd/0x6d0 [btrfs] + btrfs_search_slot+0xd14/0xf70 [btrfs] + btrfs_insert_empty_items+0x64/0xc0 
[btrfs] + __btrfs_commit_inode_delayed_items+0xb2/0x840 [btrfs] + btrfs_async_run_delayed_root+0x10e/0x1d0 [btrfs] + btrfs_work_helper+0x2f9/0x650 [btrfs] + process_one_work+0x22c/0x600 + worker_thread+0x50/0x3b0 + kthread+0x137/0x150 + ret_from_fork+0x1f/0x30 + + -> #0 (&delayed_node->mutex){+.+.}-{3:3}: + check_prev_add+0x98/0xa20 + validate_chain+0xa8c/0x2a00 + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + __mutex_lock+0xa0/0xaf0 + __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + btrfs_evict_inode+0x3bf/0x560 [btrfs] + evict+0xd6/0x1c0 + dispose_list+0x48/0x70 + prune_icache_sb+0x54/0x80 + super_cache_scan+0x121/0x1a0 + do_shrink_slab+0x175/0x420 + shrink_slab+0xb1/0x2e0 + shrink_node+0x192/0x600 + balance_pgdat+0x31f/0x750 + kswapd+0x206/0x510 + kthread+0x137/0x150 + ret_from_fork+0x1f/0x30 + + other info that might help us debug this: + + Chain exists of: + &delayed_node->mutex --> &fs_info->chunk_mutex --> fs_reclaim + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(fs_reclaim); + lock(&fs_info->chunk_mutex); + lock(fs_reclaim); + lock(&delayed_node->mutex); + + *** DEADLOCK *** + + 3 locks held by kswapd0/75: + #0: ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + #1: ffffffff8b0b50b8 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x54/0x2e0 + #2: ffffa040e057c0e8 (&type->s_umount_key#26){++++}-{3:3}, at: trylock_super+0x16/0x50 + + stack backtrace: + CPU: 2 PID: 75 Comm: kswapd0 Not tainted 5.8.0-rc6-default+ #1191 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 + Call Trace: + dump_stack+0x78/0xa0 + check_noncircular+0x16f/0x190 + check_prev_add+0x98/0xa20 + validate_chain+0xa8c/0x2a00 + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + __mutex_lock+0xa0/0xaf0 + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + ? __lock_acquire+0x56f/0xaa0 + ? 
__btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + ? lock_acquire+0xa3/0x440 + ? btrfs_evict_inode+0x138/0x560 [btrfs] + ? btrfs_evict_inode+0x2fe/0x560 [btrfs] + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + btrfs_evict_inode+0x3bf/0x560 [btrfs] + evict+0xd6/0x1c0 + dispose_list+0x48/0x70 + prune_icache_sb+0x54/0x80 + super_cache_scan+0x121/0x1a0 + do_shrink_slab+0x175/0x420 + shrink_slab+0xb1/0x2e0 + shrink_node+0x192/0x600 + balance_pgdat+0x31f/0x750 + kswapd+0x206/0x510 + ? _raw_spin_unlock_irqrestore+0x3e/0x50 + ? finish_wait+0x90/0x90 + ? balance_pgdat+0x750/0x750 + kthread+0x137/0x150 + ? kthread_stop+0x2a0/0x2a0 + ret_from_fork+0x1f/0x30 + +This is because we're holding the chunk_mutex while adding this device +and adding its sysfs entries. We actually hold different locks in +different places when calling this function, the dev_replace semaphore +for instance in dev replace, so instead of moving this call around +simply wrap it's operations in NOFS. 
+ +CC: stable@vger.kernel.org # 4.14+ +Reported-by: David Sterba +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +--- + fs/btrfs/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c +index aefb0169d46d7..afec808a763b1 100644 +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include "ctree.h" + #include "disk-io.h" +@@ -766,7 +767,9 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices, + { + int error = 0; + struct btrfs_device *dev; ++ unsigned int nofs_flag; + ++ nofs_flag = memalloc_nofs_save(); + list_for_each_entry(dev, &fs_devices->devices, dev_list) { + struct hd_struct *disk; + struct kobject *disk_kobj; +@@ -785,6 +788,7 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices, + if (error) + break; + } ++ memalloc_nofs_restore(nofs_flag); + + return error; + } +-- +2.25.1 + diff --git a/queue-4.19/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch b/queue-4.19/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch new file mode 100644 index 00000000000..12eafeafc50 --- /dev/null +++ b/queue-4.19/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch 
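Review bot: This patch file has no `[ Upstream commit <sha> ]` line and no stable-maintainer sign-off, while the other eight patches added by this commit carry both, so the backport cannot be matched to a mainline commit from the file alone. Adding `[ Upstream commit <upstream-sha-placeholder> ]` under the author line would restore that traceability. In the code, `memalloc_nofs_save()` sits before the loop and `memalloc_nofs_restore(nofs_flag)` after it, and the visible `break` reaches the restore; a short comment such as `/* callers may hold chunk_mutex or the dev_replace semaphore, so allocations here must not recurse into fs reclaim */` would keep the reason next to the scope. The loop body is only partly visible, so an early `return` inside it cannot be ruled out from this hunk.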
@@ -0,0 +1,83 @@
+From bb8be1977a416b4885bbf0d77288ccae94ff5d50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jul 2020 16:49:11 +0100
+Subject: drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset()
+
+From: Chris Wilson
+
+[ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ]
+
+drm_gem_dumb_map_offset() now exists and does everything
+vgem_gem_dump_map does and *ought* to do.
+
+In particular, vgem_gem_dumb_map() was trying to reject mmapping an
+imported dmabuf by checking the existence of obj->filp. Unfortunately,
+we always allocated an obj->filp, even if unused for an imported dmabuf.
+Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192
+("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the
+obj->import_attach to reject such invalid mmaps.
+
+This prevents vgem from allowing userspace mmapping the dumb handle and
+attempting to incorrectly fault in remote pages belonging to another
+device, where there may not even be a struct page.
+
+v2: Use the default drm_gem_dumb_map_offset() callback
+
+Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
+Signed-off-by: Chris Wilson
+Reviewed-by: Daniel Vetter
+Cc: # v4.13+
+Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vgem/vgem_drv.c | 27 ---------------------------
+ 1 file changed, 27 deletions(-)
+
+diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
+index 4709f08f39e49..1c1a435d354bc 100644
+--- a/drivers/gpu/drm/vgem/vgem_drv.c
++++ b/drivers/gpu/drm/vgem/vgem_drv.c
+@@ -219,32 +219,6 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
+ return 0;
+ }
+
+-static int vgem_gem_dumb_map(struct drm_file *file, struct drm_device *dev,
+- uint32_t handle, uint64_t *offset)
+-{
+- struct drm_gem_object *obj;
+- int ret;
+-
+- obj = drm_gem_object_lookup(file, handle);
+- if (!obj)
+- return -ENOENT;
+-
+- if (!obj->filp) {
+- ret = -EINVAL;
+- goto unref;
+- }
+-
+- ret = drm_gem_create_mmap_offset(obj);
+- if (ret)
+- goto unref;
+-
+- *offset = drm_vma_node_offset_addr(&obj->vma_node);
+-unref:
+- drm_gem_object_put_unlocked(obj);
+-
+- return ret;
+-}
+-
+ static struct drm_ioctl_desc vgem_ioctls[] = {
+ DRM_IOCTL_DEF_DRV(VGEM_FENCE_ATTACH, vgem_fence_attach_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
+ DRM_IOCTL_DEF_DRV(VGEM_FENCE_SIGNAL, vgem_fence_signal_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
+@@ -438,7 +412,6 @@ static struct drm_driver vgem_driver = {
+ .fops = &vgem_driver_fops,
+
+ .dumb_create = vgem_gem_dumb_create,
+- .dumb_map_offset = vgem_gem_dumb_map,
+
+ .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
+ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+--
+2.25.1
+
diff --git a/queue-4.19/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch b/queue-4.19/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
new file mode 100644
index 00000000000..ad8dec0afd8
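Review bot: Removing `vgem_gem_dumb_map()` and the `.dumb_map_offset` initializer is only safe on 4.19 if that tree's DRM core falls back to `drm_gem_dumb_map_offset()` when the callback is unset and already contains commit 90378e589192, which the message names as the source of the `obj->import_attach` check. Neither is visible in this patch, so the backport should be checked against the 4.19 core before it is queued; without them the driver would lose its rejection of imported dma-bufs, or the dumb-map path altogether. A one-line comment at the `vgem_driver` initializer, `/* .dumb_map_offset left unset: the core default rejects imported dma-bufs */`, would record the dependency.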
--- /dev/null
+++ b/queue-4.19/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
@@ -0,0 +1,51 @@
+From a4ac88ba85a777def653bcc65ab7a96f4f0028e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 17:42:02 -0700
+Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
+
+From: Hugh Dickins
+
+[ Upstream commit f3f99d63a8156c7a4a6b20aac22b53c5579c7dc1 ]
+
+syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in
+__khugepaged_enter(): yes, when one thread is about to dump core, has set
+core_state, and is waiting for others, another might do something calling
+__khugepaged_enter(), which now crashes because I lumped the core_state
+test (known as "mmget_still_valid") into khugepaged_test_exit(). I still
+think it's best to lump them together, so just in this exceptional case,
+check mm->mm_users directly instead of khugepaged_test_exit().
+
+Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()")
+Reported-by: syzbot
+Signed-off-by: Hugh Dickins
+Signed-off-by: Andrew Morton
+Acked-by: Yang Shi
+Cc: "Kirill A. Shutemov"
+Cc: Andrea Arcangeli
+Cc: Song Liu
+Cc: Mike Kravetz
+Cc: Eric Dumazet
+Cc: [4.8+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/khugepaged.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index fbb3ac9ce0869..f37be43f8caeb 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -427,7 +427,7 @@ int __khugepaged_enter(struct mm_struct *mm)
+ return -ENOMEM;
+
+ /* __khugepaged_exit() must not run from under us */
+- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm);
++ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm);
+ if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) {
+ free_mm_slot(mm_slot);
+ return 0;
+--
+2.25.1
+
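Review bot: The assertion in __khugepaged_enter() now open-codes the `mm->mm_users` test instead of calling `khugepaged_test_exit()`, and nothing in the code says why the helper is avoided at this one site. The reason exists only in the commit message, so a later cleanup could fold the helper back in and reintroduce the crash. Extending the existing comment to `/* __khugepaged_exit() must not run from under us; core_state may already be set here, so test mm_users only */` would keep it next to the line. The function body continues outside the hunk.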
diff --git a/queue-4.19/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch b/queue-4.19/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
new file mode 100644
index 00000000000..66d0183448c
--- /dev/null
+++ b/queue-4.19/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
@@ -0,0 +1,60 @@
+From fd371da9fd45165f512a1d17d0ce95910a5d7cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 23:26:25 -0700
+Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid()
+
+From: Hugh Dickins
+
+[ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ]
+
+Move collapse_huge_page()'s mmget_still_valid() check into
+khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP
+only, and earned its mmget_still_valid() check because it inserts a huge
+pmd entry in place of the page table's pmd entry; whereas
+collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp()
+merely clears the page table's pmd entry. But core dumping without mmap
+lock must have been as open to mistaking a racily cleared pmd entry for a
+page table at physical page 0, as exit_mmap() was. And we certainly have
+no interest in mapping as a THP once dumping core.
+
+Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping")
+Signed-off-by: Hugh Dickins
+Signed-off-by: Andrew Morton
+Cc: Andrea Arcangeli
+Cc: Song Liu
+Cc: Mike Kravetz
+Cc: Kirill A. Shutemov
+Cc: [4.8+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/khugepaged.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 483c4573695a9..fbb3ac9ce0869 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -394,7 +394,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm,
+
+ static inline int khugepaged_test_exit(struct mm_struct *mm)
+ {
+- return atomic_read(&mm->mm_users) == 0;
++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm);
+ }
+
+ static bool hugepage_vma_check(struct vm_area_struct *vma,
+@@ -1005,9 +1005,6 @@ static void collapse_huge_page(struct mm_struct *mm,
+ * handled by the anon_vma lock + PG_lock.
+ */
+ down_write(&mm->mmap_sem);
+- result = SCAN_ANY_PROCESS;
+- if (!mmget_still_valid(mm))
+- goto out;
+ result = hugepage_vma_revalidate(mm, address, &vma);
+ if (result)
+ goto out;
+--
+2.25.1
+
diff --git a/queue-4.19/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch b/queue-4.19/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
new file mode 100644
index 00000000000..2c68becb284
--- /dev/null
+++ b/queue-4.19/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
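Review bot: `khugepaged_test_exit()` now returns true for two different conditions, an mm with no users and a core dump in progress, but the helper has no comment and its name still suggests only the first. Callers that treat a true result as a bug are affected: the next patch in this queue rewrites the `VM_BUG_ON_MM()` in __khugepaged_enter() for exactly that reason, so the two patches must stay adjacent in `series` and be released together. A comment on the helper, `/* true once mm_users is zero or a core dump has begun (!mmget_still_valid()) */`, would make the widened meaning visible at call sites. The locking that `mmget_still_valid()` expects is not shown here and should be confirmed for the callers that now reach it.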
@@ -0,0 +1,52 @@
+From 72d90cd20c235d5f5ebe3befb9ea9790a8d7dd25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Jul 2020 22:11:23 +0900
+Subject: perf probe: Fix memory leakage when the probe point is not found
+
+From: Masami Hiramatsu
+
+[ Upstream commit 12d572e785b15bc764e956caaa8a4c846fd15694 ]
+
+Fix the memory leakage in debuginfo__find_trace_events() when the probe
+point is not found in the debuginfo. If there is no probe point found in
+the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
+
+Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
+release the allocated memory for the array of struct probe_trace_event.
+
+The current code releases the memory only if the debuginfo__find_probes()
+hits an error but not checks tf.ntevs. In the result, the memory allocated
+on *tevs are not released if tf.ntevs == 0.
+
+This fixes the memory leakage by checking tf.ntevs == 0 in addition to
+ret < 0.
+
+Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
+Signed-off-by: Masami Hiramatsu
+Reviewed-by: Srikar Dronamraju
+Cc: Andi Kleen
+Cc: Oleg Nesterov
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 60169196b9481..4da4ec2552463 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1351,7 +1351,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg,
+ tf.ntevs = 0;
+
+ ret = debuginfo__find_probes(dbg, &tf.pf);
+- if (ret < 0) {
++ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+ zfree(tevs);
+--
+2.25.1
+
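Review bot: The widened condition `if (ret < 0 || tf.ntevs == 0)` in debuginfo__find_trace_events() now also runs for a successful call that matched nothing, where the `for` loop is a no-op and only `zfree(tevs)` has an effect; that second meaning is not stated in the code. A comment above the test, `/* also taken when no probe point matched: debuginfo__find_probes() returns 0, not -ENOENT */`, would say it. Callers would then see a NULL `*tevs` together with a non-error return, assuming the function goes on to return the count; the tail of the function is outside this hunk, so that should be confirmed.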
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..cde58cf4813
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,9 @@
+drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch
+perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
+khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
+khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
+btrfs-export-helpers-for-subvolume-name-id-resolutio.patch
+btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
+btrfs-move-free_pages_out-label-in-inline-extent-han.patch
+btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch
+btrfs-sysfs-use-nofs-for-device-creation.patch