From: Greg Kroah-Hartman
Date: Fri, 29 Mar 2019 16:47:08 +0000 (+0100)
Subject: 5.0-stable patches
X-Git-Tag: v3.18.138~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9d04a9fb5de657af8b96b2336bd4319c58b3eff;p=thirdparty%2Fkernel%2Fstable-queue.git

5.0-stable patches

added patches:
	arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch
	btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch
	btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch
	btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch
	btrfs-fix-bound-checking-in-qgroup_trace_new_subtree_blocks.patch
	btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch
	btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch
	btrfs-remove-warn_on-in-log_dir_items.patch
	locks-wake-any-locks-blocked-on-request-before-deadlock-check.patch
	net-dsa-qca8k-remove-leftover-phy-accessors.patch
	nfs-fix-mount-umount-race-in-nlmclnt.patch
	nfs-fix-nfs4_lock_state-refcounting-in-nfs4_alloc_-lock-unlock-data.patch
	nfsv4.1-don-t-free-interrupted-slot-on-open.patch
	powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
	tracing-initialize-variable-in-create_dyn_event.patch
	vfio-ccw-only-free-cp-on-final-interrupt.patch
---
diff --git a/queue-5.0/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch b/queue-5.0/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch
new file mode 100644
index 00000000000..1d535caa120
--- /dev/null
+++ b/queue-5.0/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch
@@ -0,0 +1,76 @@
+From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001
+From: Kohji Okuno
+Date: Tue, 26 Feb 2019 11:34:13 +0900
+Subject: ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
+
+From: Kohji Okuno
+
+commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream.
+
+In the current cpuidle implementation for i.MX6q, the CPU that sets
+'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
+the same. While the CPU that sets 'WAIT_UNCLOCKED' is in the "WAIT"
+idle state, if the other CPU wakes up and enters the "WFI" idle state
+instead of "WAIT", that CPU cannot wake up at the expected time: in
+the "WFI" case the CPU must be woken by the local timer interrupt,
+but while 'WAIT_UNCLOCKED' is set the local timer is stopped once all
+CPUs have executed the "wfi" instruction, so the local timer interrupt
+never fires. In this situation, the CPU can only be woken by some IRQ
+other than the local timer (e.g. the broadcast timer).
+
+So, this fix changes the CPU to return to 'WAIT_CLOCKED'.
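
The new scheme is a classic last-in/first-out idle rendezvous: the last CPU to enter the state unclocks the bus, and the first CPU to leave restores the clocks, so an early waker never finds the timer stopped. A minimal user-space sketch of the same pattern, with hypothetical names standing in for imx6_set_lpm() and cpu_do_idle():

    #include <pthread.h>

    static pthread_mutex_t idle_lock = PTHREAD_MUTEX_INITIALIZER;
    static int num_idle;                  /* CPUs currently in this idle state */

    void enter_unclocked(void);           /* stand-in for imx6_set_lpm(WAIT_UNCLOCKED) */
    void enter_clocked(void);             /* stand-in for imx6_set_lpm(WAIT_CLOCKED) */
    void do_idle(void);                   /* stand-in for cpu_do_idle() */

    void idle(int num_online)
    {
            pthread_mutex_lock(&idle_lock);
            if (++num_idle == num_online) /* last CPU in: safe to stop clocks */
                    enter_unclocked();
            pthread_mutex_unlock(&idle_lock);

            do_idle();

            pthread_mutex_lock(&idle_lock);
            if (num_idle-- == num_online) /* first CPU out: restore clocks */
                    enter_clocked();
            pthread_mutex_unlock(&idle_lock);
    }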
+
+Signed-off-by: Kohji Okuno
+Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+--- a/arch/arm/mach-imx/cpuidle-imx6q.c
++++ b/arch/arm/mach-imx/cpuidle-imx6q.c
+@@ -16,30 +16,23 @@
+ #include "cpuidle.h"
+ #include "hardware.h"
+
+-static atomic_t master = ATOMIC_INIT(0);
+-static DEFINE_SPINLOCK(master_lock);
++static int num_idle_cpus = 0;
++static DEFINE_SPINLOCK(cpuidle_lock);
+
+ static int imx6q_enter_wait(struct cpuidle_device *dev,
+                             struct cpuidle_driver *drv, int index)
+ {
+-        if (atomic_inc_return(&master) == num_online_cpus()) {
+-                /*
+-                 * With this lock, we prevent other cpu to exit and enter
+-                 * this function again and become the master.
+-                 */
+-                if (!spin_trylock(&master_lock))
+-                        goto idle;
++        spin_lock(&cpuidle_lock);
++        if (++num_idle_cpus == num_online_cpus())
+                 imx6_set_lpm(WAIT_UNCLOCKED);
+-                cpu_do_idle();
+-                imx6_set_lpm(WAIT_CLOCKED);
+-                spin_unlock(&master_lock);
+-                goto done;
+-        }
++        spin_unlock(&cpuidle_lock);
+
+-idle:
+         cpu_do_idle();
+-done:
+-        atomic_dec(&master);
++
++        spin_lock(&cpuidle_lock);
++        if (num_idle_cpus-- == num_online_cpus())
++                imx6_set_lpm(WAIT_CLOCKED);
++        spin_unlock(&cpuidle_lock);
+
+         return index;
+ }
diff --git a/queue-5.0/btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch b/queue-5.0/btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch
new file mode 100644
index 00000000000..d4886427c89
--- /dev/null
+++ b/queue-5.0/btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch
@@ -0,0 +1,43 @@
+From 139a56170de67101791d6e6c8e940c6328393fe9 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov
+Date: Mon, 18 Mar 2019 17:45:20 +0200
+Subject: btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size
+
+From: Nikolay Borisov
+
+commit 139a56170de67101791d6e6c8e940c6328393fe9 upstream.
+
+qgroup_rsv_size is calculated as the product of
+outstanding_extents * fs_info->nodesize. The product is calculated with
+32 bit precision since both variables are defined as u32. Yet
+qgroup_rsv_size expects a 64 bit result.
+
+Avoid possible multiplication overflow by casting outstanding_extents to
+u64. Such an overflow would in the worst case (64K nodesize) require more
+than 65536 extents, which is quite large and it's not likely that it
+would happen in practice.
+
+Fixes-coverity-id: 1435101
+Fixes: ff6bc37eb7f6 ("btrfs: qgroup: Use independent and accurate per inode qgroup rsv")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Nikolay Borisov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -6115,7 +6115,7 @@ static void btrfs_calculate_inode_block_
+          *
+          * This is overestimating in most cases.
+          */
+-        qgroup_rsv_size = outstanding_extents * fs_info->nodesize;
++        qgroup_rsv_size = (u64)outstanding_extents * fs_info->nodesize;
+
+         spin_lock(&block_rsv->lock);
+         block_rsv->size = reserve_size;
diff --git a/queue-5.0/btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch b/queue-5.0/btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch
new file mode 100644
index 00000000000..65c0472aef1
--- /dev/null
+++ b/queue-5.0/btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch
@@ -0,0 +1,40 @@
+From 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac Mon Sep 17 00:00:00 2001
+From: David Sterba
+Date: Thu, 7 Mar 2019 15:40:50 +0100
+Subject: btrfs: don't report readahead errors and don't update statistics
+
+From: David Sterba
+
+commit 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac upstream.
+
+As readahead is an optimization, all errors are usually filtered out,
+but still properly handled when the real read call is done. The commit
+5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead") added
+REQ_RAHEAD to readpages() because that's only used for readahead
+(despite what one would expect from the callback name).
+
+This causes a flood of messages and inflated read error stats, so skip
+reporting in case it's readahead.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202403
+Reported-by: LimeTech
+Fixes: 5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead")
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6413,7 +6413,7 @@ static void btrfs_end_bio(struct bio *bi
+                         if (bio_op(bio) == REQ_OP_WRITE)
+                                 btrfs_dev_stat_inc_and_print(dev,
+                                         BTRFS_DEV_STAT_WRITE_ERRS);
+-                        else
++                        else if (!(bio->bi_opf & REQ_RAHEAD))
+                                 btrfs_dev_stat_inc_and_print(dev,
+                                         BTRFS_DEV_STAT_READ_ERRS);
+                         if (bio->bi_opf & REQ_PREFLUSH)
diff --git a/queue-5.0/btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch b/queue-5.0/btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch
new file mode 100644
index 00000000000..c2fb62d67d1
--- /dev/null
+++ b/queue-5.0/btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch
@@ -0,0 +1,114 @@
+From 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Tue, 19 Mar 2019 17:18:13 +0000
+Subject: Btrfs: fix assertion failure on fsync with NO_HOLES enabled
+
+From: Filipe Manana
+
+commit 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b upstream.
+
+Back in commit a89ca6f24ffe4 ("Btrfs: fix fsync after truncate when
+no_holes feature is enabled") I added an assertion that is triggered when
+an inline extent is found, to assert that the length of the (uncompressed)
+data the extent represents is the same as the i_size of the inode, since
+that is true most of the time and I couldn't find, or didn't remember,
+any exception at that time. Later on the assertion was expanded twice to
+deal with a case of a compressed inline extent representing a range that
+matches the sector size followed by an expanding truncate, and another
+case where fallocate can update the i_size of the inode without adding
+or updating existing extents (if the fallocate range falls entirely
+within the first block of the file).
+These two expansions/fixes of the assertion were done by commit
+7ed586d0a8241 ("Btrfs: fix assertion on fsync of regular file when
+using no-holes feature") and commit 6399fb5a0b69a ("Btrfs: fix
+assertion failure during fsync in no-holes mode"). These however
+missed the case where a fallocate expands the i_size of an inode to
+exactly the sector size while an inline extent exists, for example:
+
+  $ mkfs.btrfs -f -O no-holes /dev/sdc
+  $ mount /dev/sdc /mnt
+
+  $ xfs_io -f -c "pwrite -S 0xab 0 1096" /mnt/foobar
+  wrote 1096/1096 bytes at offset 0
+  1 KiB, 1 ops; 0.0002 sec (4.448 MiB/sec and 4255.3191 ops/sec)
+
+  $ xfs_io -c "falloc 1096 3000" /mnt/foobar
+  $ xfs_io -c "fsync" /mnt/foobar
+  Segmentation fault
+
+  $ dmesg
+  [701253.602385] assertion failed: len == i_size || (len == fs_info->sectorsize && btrfs_file_extent_compression(leaf, extent) != BTRFS_COMPRESS_NONE) || (len < i_size && i_size < fs_info->sectorsize), file: fs/btrfs/tree-log.c, line: 4727
+  [701253.602962] ------------[ cut here ]------------
+  [701253.603224] kernel BUG at fs/btrfs/ctree.h:3533!
+  [701253.603503] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+  [701253.603774] CPU: 2 PID: 7192 Comm: xfs_io Tainted: G W 5.0.0-rc8-btrfs-next-45 #1
+  [701253.604054] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+  [701253.604650] RIP: 0010:assfail.constprop.23+0x18/0x1a [btrfs]
+  (...)
+  [701253.605591] RSP: 0018:ffffbb48c186bc48 EFLAGS: 00010286
+  [701253.605914] RAX: 00000000000000de RBX: ffff921d0a7afc08 RCX: 0000000000000000
+  [701253.606244] RDX: 0000000000000000 RSI: ffff921d36b16868 RDI: ffff921d36b16868
+  [701253.606580] RBP: ffffbb48c186bcf0 R08: 0000000000000000 R09: 0000000000000000
+  [701253.606913] R10: 0000000000000003 R11: 0000000000000000 R12: ffff921d05d2de18
+  [701253.607247] R13: ffff921d03b54000 R14: 0000000000000448 R15: ffff921d059ecf80
+  [701253.607769] FS: 00007f14da906700(0000) GS:ffff921d36b00000(0000) knlGS:0000000000000000
+  [701253.608163] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [701253.608516] CR2: 000056087ea9f278 CR3: 00000002268e8001 CR4: 00000000003606e0
+  [701253.608880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  [701253.609250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  [701253.609608] Call Trace:
+  [701253.609994]  btrfs_log_inode+0xdfb/0xe40 [btrfs]
+  [701253.610383]  btrfs_log_inode_parent+0x2be/0xa60 [btrfs]
+  [701253.610770]  ? do_raw_spin_unlock+0x49/0xc0
+  [701253.611150]  btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
+  [701253.611537]  btrfs_sync_file+0x3b2/0x440 [btrfs]
+  [701253.612010]  ? do_sysinfo+0xb0/0xf0
+  [701253.612552]  do_fsync+0x38/0x60
+  [701253.612988]  __x64_sys_fsync+0x10/0x20
+  [701253.613360]  do_syscall_64+0x60/0x1b0
+  [701253.613733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  [701253.614103] RIP: 0033:0x7f14da4e66d0
+  (...)
+  [701253.615250] RSP: 002b:00007fffa670fdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
+  [701253.615647] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f14da4e66d0
+  [701253.616047] RDX: 000056087ea9c260 RSI: 000056087ea9c260 RDI: 0000000000000003
+  [701253.616450] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000010
+  [701253.616854] R10: 000000000000009b R11: 0000000000000246 R12: 000056087ea9c260
+  [701253.617257] R13: 000056087ea9c240 R14: 0000000000000000 R15: 000056087ea9dd10
+  (...)
+  [701253.619941] ---[ end trace e088d74f132b6da5 ]---
+
+Updating the assertion again to allow for this particular case would
+result in a meaningless assertion. Moreover, there is currently no risk
+of logging content that would result in any corruption after a log
+replay if the size of the data encoded in an inline extent is greater
+than the inode's i_size (which is not currently possible either with or
+without compression), therefore just remove the assertion.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/tree-log.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4662,15 +4662,8 @@ static int btrfs_log_trailing_hole(struc
+                                       struct btrfs_file_extent_item);
+
+                 if (btrfs_file_extent_type(leaf, extent) ==
+-                    BTRFS_FILE_EXTENT_INLINE) {
+-                        len = btrfs_file_extent_ram_bytes(leaf, extent);
+-                        ASSERT(len == i_size ||
+-                               (len == fs_info->sectorsize &&
+-                                btrfs_file_extent_compression(leaf, extent) !=
+-                                BTRFS_COMPRESS_NONE) ||
+-                               (len < i_size && i_size < fs_info->sectorsize));
++                    BTRFS_FILE_EXTENT_INLINE)
+                         return 0;
+-                }
+
+                 len = btrfs_file_extent_num_bytes(leaf, extent);
+                 /* Last extent goes beyond i_size, no need to log a hole. */
diff --git a/queue-5.0/btrfs-fix-bound-checking-in-qgroup_trace_new_subtree_blocks.patch b/queue-5.0/btrfs-fix-bound-checking-in-qgroup_trace_new_subtree_blocks.patch
new file mode 100644
index 00000000000..4cabbe98d8a
--- /dev/null
+++ b/queue-5.0/btrfs-fix-bound-checking-in-qgroup_trace_new_subtree_blocks.patch
@@ -0,0 +1,42 @@
+From 7ff2c2a1a71e83f74574b8001ea88deb3c166ad7 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov
+Date: Mon, 18 Mar 2019 17:45:19 +0200
+Subject: btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks
+
+From: Nikolay Borisov
+
+commit 7ff2c2a1a71e83f74574b8001ea88deb3c166ad7 upstream.
+
+If 'cur_level' is 7, the bounds check at the top of the function will
+actually pass. Later on, ds_path->nodes[cur_level+1] is dereferenced,
+which is an out-of-bounds access. The correct check is
+cur_level >= BTRFS_MAX_LEVEL - 1.
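
The off-by-one is easy to see from the shape of the path structure; a short illustrative sketch (BTRFS_MAX_LEVEL really is 8 in ctree.h, but btrfs_path_sketch and level_ok are hypothetical names, not kernel symbols):

    #define BTRFS_MAX_LEVEL 8

    struct btrfs_path_sketch {
            void *nodes[BTRFS_MAX_LEVEL];   /* valid indices: 0 .. 7 */
    };

    /* The function later reads nodes[cur_level + 1], so cur_level == 7
     * would index nodes[8], one past the end. The highest safe value is
     * BTRFS_MAX_LEVEL - 2, hence the check must reject anything at or
     * above BTRFS_MAX_LEVEL - 1. */
    int level_ok(int cur_level)
    {
            return cur_level >= 0 && cur_level < BTRFS_MAX_LEVEL - 1;
    }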
+
+Fixes-coverity-id: 1440918
+Fixes-coverity-id: 1440911
+Fixes: ea49f3e73c4b ("btrfs: qgroup: Introduce function to find all new tree blocks of reloc tree")
+CC: stable@vger.kernel.org # 4.20+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Nikolay Borisov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/qgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -1917,8 +1917,8 @@ static int qgroup_trace_new_subtree_bloc
+         int i;
+
+         /* Level sanity check */
+-        if (cur_level < 0 || cur_level >= BTRFS_MAX_LEVEL ||
+-            root_level < 0 || root_level >= BTRFS_MAX_LEVEL ||
++        if (cur_level < 0 || cur_level >= BTRFS_MAX_LEVEL - 1 ||
++            root_level < 0 || root_level >= BTRFS_MAX_LEVEL - 1 ||
+             root_level < cur_level) {
+                 btrfs_err_rl(fs_info,
+                         "%s: bad levels, cur_level=%d root_level=%d",
diff --git a/queue-5.0/btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch b/queue-5.0/btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch
new file mode 100644
index 00000000000..4a29f0846b8
--- /dev/null
+++ b/queue-5.0/btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch
@@ -0,0 +1,98 @@
+From bf504110bc8aa05df48b0e5f0aa84bfb81e0574b Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 4 Mar 2019 14:06:12 +0000
+Subject: Btrfs: fix incorrect file size after shrinking truncate and fsync
+
+From: Filipe Manana
+
+commit bf504110bc8aa05df48b0e5f0aa84bfb81e0574b upstream.
+
+If we do a shrinking truncate against an inode which is already present
+in the respective log tree and then rename it, as part of logging the new
+name we end up logging an inode item that reflects the old size of the
+file (the one which we previously logged) and not the new smaller size.
+The decision to preserve the size previously logged was added by commit
+1a4bcf470c886b ("Btrfs: fix fsync data loss after adding hard link to
+inode") in order to avoid data loss after replaying the log. However that
+decision is only needed for the case the logged inode size is smaller than
+the current size of the inode, as explained in that commit's change log.
+If the current size of the inode is smaller than the previously logged
+size, we know a shrinking truncate happened and therefore need to use
+that smaller size.
+
+Example to trigger the problem:
+
+  $ mkfs.btrfs -f /dev/sdb
+  $ mount /dev/sdb /mnt
+
+  $ xfs_io -f -c "pwrite -S 0xab 0 8000" /mnt/foo
+  $ xfs_io -c "fsync" /mnt/foo
+  $ xfs_io -c "truncate 3000" /mnt/foo
+
+  $ mv /mnt/foo /mnt/bar
+  $ xfs_io -c "fsync" /mnt/bar
+
+  <power failure>
+
+  $ mount /dev/sdb /mnt
+  $ od -t x1 -A d /mnt/bar
+  0000000 ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab
+  *
+  0008000
+
+Once we rename the file, we log its name (and inode item), and because
+the inode was already logged before in the current transaction, we log it
+with a size of 8000 bytes because that is the size we previously logged
+(with the first fsync). As part of the rename, besides logging the inode,
+we do also sync the log, which is done since commit d4682ba03ef618
+("Btrfs: sync log after logging new name"), so the next fsync against our
+inode is effectively a no-op, since no new changes happened since the
+rename operation.
+Even if we did not sync the log during the rename
+operation, the same problem (a file size of 8000 bytes instead of 3000
+bytes) would be visible after replaying the log if the log ended up
+getting synced to disk through some other means, such as for example by
+fsyncing some other modified file. In the example above the fsync after
+the rename operation is there just because not every filesystem may
+guarantee logging/journalling the inode (and syncing the log/journal)
+during the rename operation; for example it is needed for f2fs, but not
+for ext4 and xfs.
+
+Fix this scenario by, when logging a new name (which is triggered by
+rename and link operations), using the current size of the inode instead
+of the previously logged inode size.
+
+A test case for fstests follows soon.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202695
+CC: stable@vger.kernel.org # 4.4+
+Reported-by: Seulbae Kim
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/tree-log.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4481,6 +4481,19 @@ static int logged_inode_size(struct btrf
+                 item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+                                       struct btrfs_inode_item);
+                 *size_ret = btrfs_inode_size(path->nodes[0], item);
++                /*
++                 * If the in-memory inode's i_size is smaller then the inode
++                 * size stored in the btree, return the inode's i_size, so
++                 * that we get a correct inode size after replaying the log
++                 * when before a power failure we had a shrinking truncate
++                 * followed by addition of a new name (rename / new hard link).
++                 * Otherwise return the inode size from the btree, to avoid
++                 * data loss when replaying a log due to previously doing a
++                 * write that expands the inode's size and logging a new name
++                 * immediately after.
++                 */
++                if (*size_ret > inode->vfs_inode.i_size)
++                        *size_ret = inode->vfs_inode.i_size;
+         }
+
+         btrfs_release_path(path);
diff --git a/queue-5.0/btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch b/queue-5.0/btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch
new file mode 100644
index 00000000000..830078544d1
--- /dev/null
+++ b/queue-5.0/btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch
@@ -0,0 +1,57 @@
+From 3897b6f0a859288c22fb793fad11ec2327e60fcd Mon Sep 17 00:00:00 2001
+From: Andrea Righi
+Date: Thu, 14 Mar 2019 08:56:28 +0100
+Subject: btrfs: raid56: properly unmap parity page in finish_parity_scrub()
+
+From: Andrea Righi
+
+commit 3897b6f0a859288c22fb793fad11ec2327e60fcd upstream.
+
+The parity page is incorrectly unmapped in finish_parity_scrub(),
+triggering a reference counter bug on i386, i.e.:
+
+  [ 157.662401] kernel BUG at mm/highmem.c:349!
+  [ 157.666725] invalid opcode: 0000 [#1] SMP PTI
+
+The reason is that kunmap(p_page) was completely left out, so we never
+did an unmap for the p_page, and the loop unmapping the rbio pages was
+iterating over the wrong number of stripes: unmapping should be done
+with nr_data instead of rbio->real_stripes.
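
The invariant being restored is simply that every kmap() is paired with a kunmap() of the same page, and a loop that mapped nr_data pages unmaps exactly those. A hedged sketch of the balanced shape (a fragment, using the identifiers from the diff below; the parity computation itself is elided):

    void *parity = kmap(p_page);                  /* map the parity page   */
    for (stripe = 0; stripe < nr_data; stripe++)  /* map only data stripes */
            pointers[stripe] = kmap(page_in_rbio(rbio, stripe, pagenr, 0));

    /* ... recompute parity and compare against the on-disk page ... */

    for (stripe = 0; stripe < nr_data; stripe++)  /* unmap what was mapped */
            kunmap(page_in_rbio(rbio, stripe, pagenr, 0));
    kunmap(p_page);                               /* the missing unmap     */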
+
+Test case to reproduce the bug:
+
+ - create a raid5 btrfs filesystem:
+   # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde
+
+ - mount it:
+   # mount /dev/sdb /mnt
+
+ - run btrfs scrub in a loop:
+   # while :; do btrfs scrub start -BR /mnt; done
+
+BugLink: https://bugs.launchpad.net/bugs/1812845
+Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Andrea Righi
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/raid56.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub
+                 bitmap_clear(rbio->dbitmap, pagenr, 1);
+         kunmap(p);
+
+-        for (stripe = 0; stripe < rbio->real_stripes; stripe++)
++        for (stripe = 0; stripe < nr_data; stripe++)
+                 kunmap(page_in_rbio(rbio, stripe, pagenr, 0));
++        kunmap(p_page);
+         }
+
+         __free_page(p_page);
diff --git a/queue-5.0/btrfs-remove-warn_on-in-log_dir_items.patch b/queue-5.0/btrfs-remove-warn_on-in-log_dir_items.patch
new file mode 100644
index 00000000000..33e2cb01af5
--- /dev/null
+++ b/queue-5.0/btrfs-remove-warn_on-in-log_dir_items.patch
@@ -0,0 +1,50 @@
+From 2cc8334270e281815c3850c3adea363c51f21e0d Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Wed, 6 Mar 2019 17:13:04 -0500
+Subject: btrfs: remove WARN_ON in log_dir_items
+
+From: Josef Bacik
+
+commit 2cc8334270e281815c3850c3adea363c51f21e0d upstream.
+
+When Filipe added the recursive directory logging stuff in
+2f2ff0ee5e430 ("Btrfs: fix metadata inconsistencies after directory
+fsync") he specifically didn't take the directory i_mutex for the
+children directories that we need to log because of lockdep. This is
+generally fine, but can lead to this WARN_ON() tripping if we happen to
+run delayed deletions in between our first search and our second search
+of dir_item/dir_indexes for this directory. We expect this to happen,
+so the WARN_ON() isn't necessary. Drop the WARN_ON() and add a comment
+so we know why this case can happen.
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Filipe Manana
+Signed-off-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/tree-log.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3517,9 +3517,16 @@ static noinline int log_dir_items(struct
+         }
+         btrfs_release_path(path);
+
+-        /* find the first key from this transaction again */
++        /*
++         * Find the first key from this transaction again. See the note for
++         * log_new_dir_dentries, if we're logging a directory recursively we
++         * won't be holding its i_mutex, which means we can modify the directory
++         * while we're logging it. If we remove an entry between our first
++         * search and this search we'll not find the key again and can just
++         * bail.
++ */ + ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0); +- if (WARN_ON(ret != 0)) ++ if (ret != 0) + goto done; + + /* diff --git a/queue-5.0/locks-wake-any-locks-blocked-on-request-before-deadlock-check.patch b/queue-5.0/locks-wake-any-locks-blocked-on-request-before-deadlock-check.patch new file mode 100644 index 00000000000..92f7ab15c6c --- /dev/null +++ b/queue-5.0/locks-wake-any-locks-blocked-on-request-before-deadlock-check.patch @@ -0,0 +1,54 @@ +From 945ab8f6de94430c23a82f3cf2e3f6d6f2945ff7 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 25 Mar 2019 08:15:14 -0400 +Subject: locks: wake any locks blocked on request before deadlock check + +From: Jeff Layton + +commit 945ab8f6de94430c23a82f3cf2e3f6d6f2945ff7 upstream. + +Andreas reported that he was seeing the tdbtorture test fail in some +cases with -EDEADLCK when it wasn't before. Some debugging showed that +deadlock detection was sometimes discovering the caller's lock request +itself in a dependency chain. + +While we remove the request from the blocked_lock_hash prior to +reattempting to acquire it, any locks that are blocked on that request +will still be present in the hash and will still have their fl_blocker +pointer set to the current request. + +This causes posix_locks_deadlock to find a deadlock dependency chain +when it shouldn't, as a lock request cannot block itself. + +We are going to end up waking all of those blocked locks anyway when we +go to reinsert the request back into the blocked_lock_hash, so just do +it prior to checking for deadlocks. This ensures that any lock blocked +on the current request will no longer be part of any blocked request +chain. + +URL: https://bugzilla.kernel.org/show_bug.cgi?id=202975 +Fixes: 5946c4319ebb ("fs/locks: allow a lock request to block other requests.") +Cc: stable@vger.kernel.org +Reported-by: Andreas Schneider +Signed-off-by: Neil Brown +Signed-off-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/locks.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -1160,6 +1160,11 @@ static int posix_lock_inode(struct inode + */ + error = -EDEADLK; + spin_lock(&blocked_lock_lock); ++ /* ++ * Ensure that we don't find any locks blocked on this ++ * request during deadlock detection. ++ */ ++ __locks_wake_up_blocks(request); + if (likely(!posix_locks_deadlock(request, fl))) { + error = FILE_LOCK_DEFERRED; + __locks_insert_block(fl, request, diff --git a/queue-5.0/net-dsa-qca8k-remove-leftover-phy-accessors.patch b/queue-5.0/net-dsa-qca8k-remove-leftover-phy-accessors.patch new file mode 100644 index 00000000000..a06718354ec --- /dev/null +++ b/queue-5.0/net-dsa-qca8k-remove-leftover-phy-accessors.patch @@ -0,0 +1,64 @@ +From 1eec7151ae0e134bd42e3f128066b2ff8da21393 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Fri, 22 Mar 2019 01:05:02 +0100 +Subject: net: dsa: qca8k: remove leftover phy accessors + +From: Christian Lamparter + +commit 1eec7151ae0e134bd42e3f128066b2ff8da21393 upstream. + +This belated patch implements Andrew Lunn's request of +"remove the phy_read() and phy_write() functions." + + +While seemingly harmless, this causes the switch's user +port PHYs to get registered twice. This is because the +DSA subsystem will create a slave mdio-bus not knowing +that the qca8k_phy_(read|write) accessors operate on +the external mdio-bus. So the same "bus" gets effectively +duplicated. 
+
+Cc: stable@vger.kernel.org
+Fixes: 6b93fb46480a ("net-next: dsa: add new driver for qca8xxx family")
+Signed-off-by: Christian Lamparter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/dsa/qca8k.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- a/drivers/net/dsa/qca8k.c
++++ b/drivers/net/dsa/qca8k.c
+@@ -620,22 +620,6 @@ qca8k_adjust_link(struct dsa_switch *ds,
+                 qca8k_port_set_status(priv, port, 1);
+ }
+
+-static int
+-qca8k_phy_read(struct dsa_switch *ds, int phy, int regnum)
+-{
+-        struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
+-
+-        return mdiobus_read(priv->bus, phy, regnum);
+-}
+-
+-static int
+-qca8k_phy_write(struct dsa_switch *ds, int phy, int regnum, u16 val)
+-{
+-        struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
+-
+-        return mdiobus_write(priv->bus, phy, regnum, val);
+-}
+-
+ static void
+ qca8k_get_strings(struct dsa_switch *ds, int port, u32 stringset, uint8_t *data)
+ {
+@@ -876,8 +860,6 @@ static const struct dsa_switch_ops qca8k
+         .setup                  = qca8k_setup,
+         .adjust_link            = qca8k_adjust_link,
+         .get_strings            = qca8k_get_strings,
+-        .phy_read               = qca8k_phy_read,
+-        .phy_write              = qca8k_phy_write,
+         .get_ethtool_stats      = qca8k_get_ethtool_stats,
+         .get_sset_count         = qca8k_get_sset_count,
+         .get_mac_eee            = qca8k_get_mac_eee,
diff --git a/queue-5.0/nfs-fix-mount-umount-race-in-nlmclnt.patch b/queue-5.0/nfs-fix-mount-umount-race-in-nlmclnt.patch
new file mode 100644
index 00000000000..b4f4bec171a
--- /dev/null
+++ b/queue-5.0/nfs-fix-mount-umount-race-in-nlmclnt.patch
@@ -0,0 +1,48 @@
+From 4a9be28c45bf02fa0436808bb6c0baeba30e120e Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Tue, 19 Mar 2019 11:33:24 +1100
+Subject: NFS: fix mount/umount race in nlmclnt.
+
+From: NeilBrown
+
+commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream.
+
+If the last NFSv3 unmount from a given host races with a mount from the
+same host, we can destroy an nlm_host that is still in use.
+
+Specifically nlmclnt_lookup_host() can increment h_count on
+an nlm_host that nlmclnt_release_host() has just successfully called
+refcount_dec_and_test() on.
+Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_locked()
+will be called to destroy the nlm_host which is now in use again.
+
+The cause of the problem is that the dec_and_test happens outside the
+locked region. This is easily fixed by using
+refcount_dec_and_mutex_lock().
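
The race and its fix reduce to a standard kernel pattern: refcount_dec_and_mutex_lock() only returns true after dropping the count to zero with the mutex already held, closing the window in which a concurrent lookup could revive the object. A hedged sketch of the before/after shapes (same identifiers as the diff below):

    /* Racy: between dec_and_test() and mutex_lock(), a concurrent
     * nlmclnt_lookup_host() can re-take the host we are about to destroy. */
    if (refcount_dec_and_test(&host->h_count)) {
            mutex_lock(&nlm_host_mutex);
            nlm_destroy_host_locked(host);
            mutex_unlock(&nlm_host_mutex);
    }

    /* Fixed: the final decrement happens with nlm_host_mutex held, so no
     * lookup can run until the host is gone. */
    if (refcount_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
            nlm_destroy_host_locked(host);
            mutex_unlock(&nlm_host_mutex);
    }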
+ +Fixes: 8ea6ecc8b075 ("lockd: Create client-side nlm_host cache") +Cc: stable@vger.kernel.org (v2.6.38+) +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/host.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -290,12 +290,11 @@ void nlmclnt_release_host(struct nlm_hos + + WARN_ON_ONCE(host->h_server); + +- if (refcount_dec_and_test(&host->h_count)) { ++ if (refcount_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) { + WARN_ON_ONCE(!list_empty(&host->h_lockowners)); + WARN_ON_ONCE(!list_empty(&host->h_granted)); + WARN_ON_ONCE(!list_empty(&host->h_reclaim)); + +- mutex_lock(&nlm_host_mutex); + nlm_destroy_host_locked(host); + mutex_unlock(&nlm_host_mutex); + } diff --git a/queue-5.0/nfs-fix-nfs4_lock_state-refcounting-in-nfs4_alloc_-lock-unlock-data.patch b/queue-5.0/nfs-fix-nfs4_lock_state-refcounting-in-nfs4_alloc_-lock-unlock-data.patch new file mode 100644 index 00000000000..fbb5d9f843d --- /dev/null +++ b/queue-5.0/nfs-fix-nfs4_lock_state-refcounting-in-nfs4_alloc_-lock-unlock-data.patch @@ -0,0 +1,70 @@ +From 3028efe03be9c8c4cd7923f0f3c39b2871cc8a8f Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Mon, 18 Mar 2019 17:00:28 +0000 +Subject: NFS: Fix nfs4_lock_state refcounting in nfs4_alloc_{lock,unlock}data() + +From: Catalin Marinas + +commit 3028efe03be9c8c4cd7923f0f3c39b2871cc8a8f upstream. + +Commit 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.") +changed the lock copying from memcpy() to the dedicated +locks_copy_lock() function. The latter correctly increments the +nfs4_lock_state.ls_count via nfs4_fl_copy_lock(), however, this refcount +has already been incremented in the nfs4_alloc_{lock,unlock}data(). +Kmemleak subsequently reports an unreferenced nfs4_lock_state object as +below (arm64 platform): + +unreferenced object 0xffff8000fce0b000 (size 256): + comm "systemd-sysuser", pid 1608, jiffies 4294892825 (age 32.348s) + hex dump (first 32 bytes): + 20 57 4c fb 00 80 ff ff 20 57 4c fb 00 80 ff ff WL..... WL..... + 00 57 4c fb 00 80 ff ff 01 00 00 00 00 00 00 00 .WL............. + backtrace: + [<000000000d15010d>] kmem_cache_alloc+0x178/0x208 + [<00000000d7c1d264>] nfs4_set_lock_state+0x124/0x1f0 + [<000000009c867628>] nfs4_proc_lock+0x90/0x478 + [<000000001686bd74>] do_setlk+0x64/0xe8 + [<00000000e01500d4>] nfs_lock+0xe8/0x1f0 + [<000000004f387d8d>] vfs_lock_file+0x18/0x40 + [<00000000656ab79b>] do_lock_file_wait+0x68/0xf8 + [<00000000f17c4a4b>] fcntl_setlk+0x224/0x280 + [<0000000052a242c6>] do_fcntl+0x418/0x730 + [<000000004f47291a>] __arm64_sys_fcntl+0x84/0xd0 + [<00000000d6856e01>] el0_svc_common+0x80/0xf0 + [<000000009c4bd1df>] el0_svc_handler+0x2c/0x80 + [<00000000b1a0d479>] el0_svc+0x8/0xc + [<0000000056c62a0f>] 0xffffffffffffffff + +This patch removes the original refcount_inc(&lsp->ls_count) that was +paired with the memcpy() lock copying. + +Fixes: 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.") +Cc: # 5.0.x- +Cc: NeilBrown +Signed-off-by: Catalin Marinas +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6306,7 +6306,6 @@ static struct nfs4_unlockdata *nfs4_allo + p->arg.seqid = seqid; + p->res.seqid = seqid; + p->lsp = lsp; +- refcount_inc(&lsp->ls_count); + /* Ensure we don't close file until we're done freeing locks! 
*/
+         p->ctx = get_nfs_open_context(ctx);
+         p->l_ctx = nfs_get_lock_context(ctx);
+@@ -6531,7 +6530,6 @@ static struct nfs4_lockdata *nfs4_alloc_
+         p->res.lock_seqid = p->arg.lock_seqid;
+         p->lsp = lsp;
+         p->server = server;
+-        refcount_inc(&lsp->ls_count);
+         p->ctx = get_nfs_open_context(ctx);
+         locks_init_lock(&p->fl);
+         locks_copy_lock(&p->fl, fl);
diff --git a/queue-5.0/nfsv4.1-don-t-free-interrupted-slot-on-open.patch b/queue-5.0/nfsv4.1-don-t-free-interrupted-slot-on-open.patch
new file mode 100644
index 00000000000..21816ffcb5f
--- /dev/null
+++ b/queue-5.0/nfsv4.1-don-t-free-interrupted-slot-on-open.patch
@@ -0,0 +1,34 @@
+From 0cb98abb5bd13b9a636bde603d952d722688b428 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Tue, 19 Mar 2019 12:12:13 -0400
+Subject: NFSv4.1 don't free interrupted slot on open
+
+From: Olga Kornievskaia
+
+commit 0cb98abb5bd13b9a636bde603d952d722688b428 upstream.
+
+Allow the async rpc task to finish and update the open state if needed,
+then free the slot. Otherwise, the async rpc is unable to decode the
+reply.
+
+Signed-off-by: Olga Kornievskaia
+Fixes: ae55e59da0e4 ("pnfs: Don't release the sequence slot...")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2938,7 +2938,8 @@ static int _nfs4_open_and_get_state(stru
+         }
+
+ out:
+-        nfs4_sequence_free_slot(&opendata->o_res.seq_res);
++        if (!opendata->cancelled)
++                nfs4_sequence_free_slot(&opendata->o_res.seq_res);
+         return ret;
+ }
+
diff --git a/queue-5.0/powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch b/queue-5.0/powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
new file mode 100644
index 00000000000..60bc2c50fb8
--- /dev/null
+++ b/queue-5.0/powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
@@ -0,0 +1,200 @@
+From 86be36f6502c52ddb4b85938145324fd07332da1 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao"
+Date: Fri, 15 Mar 2019 20:21:19 +0530
+Subject: powerpc: bpf: Fix generation of load/store DW instructions
+
+From: Naveen N. Rao
+
+commit 86be36f6502c52ddb4b85938145324fd07332da1 upstream.
+
+Yauheni Kaliuta pointed out that the PTR_TO_STACK store/load verifier test
+was failing on powerpc64 BE, and rightfully indicated that the PPC_LD()
+macro is not masking away the last two bits of the offset per the ISA,
+resulting in the generation of the 'lwa' instruction instead of the
+intended 'ld' instruction.
+
+Segher also pointed out that we can't simply mask away the last two bits
+as that will result in loading/storing from/to a memory location that
+was not intended.
+
+This patch addresses this by using ldx/stdx if the offset is not
+word-aligned. We load the offset into a temporary register (TMP_REG_2)
+and use that as the index register in a subsequent ldx/stdx. We fix the
+PPC_LD() macro to mask off the last two bits, but enhance PPC_BPF_LL()
+and PPC_BPF_STL() to factor in the offset value and generate the proper
+instruction sequence. We also convert all existing users of PPC_LD() and
+PPC_STD() to use these macros. All existing uses of these macros have
+been audited to ensure that TMP_REG_2 can be clobbered.
+
+Fixes: 156d0e290e96 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Cc: stable@vger.kernel.org # v4.9+
+
+Reported-by: Yauheni Kaliuta
+Signed-off-by: Naveen N.
Rao +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/ppc-opcode.h | 2 ++ + arch/powerpc/net/bpf_jit.h | 17 +++++------------ + arch/powerpc/net/bpf_jit32.h | 4 ++++ + arch/powerpc/net/bpf_jit64.h | 20 ++++++++++++++++++++ + arch/powerpc/net/bpf_jit_comp64.c | 12 ++++++------ + 5 files changed, 37 insertions(+), 18 deletions(-) + +--- a/arch/powerpc/include/asm/ppc-opcode.h ++++ b/arch/powerpc/include/asm/ppc-opcode.h +@@ -302,6 +302,7 @@ + /* Misc instructions for BPF compiler */ + #define PPC_INST_LBZ 0x88000000 + #define PPC_INST_LD 0xe8000000 ++#define PPC_INST_LDX 0x7c00002a + #define PPC_INST_LHZ 0xa0000000 + #define PPC_INST_LWZ 0x80000000 + #define PPC_INST_LHBRX 0x7c00062c +@@ -309,6 +310,7 @@ + #define PPC_INST_STB 0x98000000 + #define PPC_INST_STH 0xb0000000 + #define PPC_INST_STD 0xf8000000 ++#define PPC_INST_STDX 0x7c00012a + #define PPC_INST_STDU 0xf8000001 + #define PPC_INST_STW 0x90000000 + #define PPC_INST_STWU 0x94000000 +--- a/arch/powerpc/net/bpf_jit.h ++++ b/arch/powerpc/net/bpf_jit.h +@@ -51,6 +51,8 @@ + #define PPC_LIS(r, i) PPC_ADDIS(r, 0, i) + #define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \ + ___PPC_RA(base) | ((i) & 0xfffc)) ++#define PPC_STDX(r, base, b) EMIT(PPC_INST_STDX | ___PPC_RS(r) | \ ++ ___PPC_RA(base) | ___PPC_RB(b)) + #define PPC_STDU(r, base, i) EMIT(PPC_INST_STDU | ___PPC_RS(r) | \ + ___PPC_RA(base) | ((i) & 0xfffc)) + #define PPC_STW(r, base, i) EMIT(PPC_INST_STW | ___PPC_RS(r) | \ +@@ -65,7 +67,9 @@ + #define PPC_LBZ(r, base, i) EMIT(PPC_INST_LBZ | ___PPC_RT(r) | \ + ___PPC_RA(base) | IMM_L(i)) + #define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \ +- ___PPC_RA(base) | IMM_L(i)) ++ ___PPC_RA(base) | ((i) & 0xfffc)) ++#define PPC_LDX(r, base, b) EMIT(PPC_INST_LDX | ___PPC_RT(r) | \ ++ ___PPC_RA(base) | ___PPC_RB(b)) + #define PPC_LWZ(r, base, i) EMIT(PPC_INST_LWZ | ___PPC_RT(r) | \ + ___PPC_RA(base) | IMM_L(i)) + #define PPC_LHZ(r, base, i) EMIT(PPC_INST_LHZ | ___PPC_RT(r) | \ +@@ -85,17 +89,6 @@ + ___PPC_RA(a) | ___PPC_RB(b)) + #define PPC_BPF_STDCX(s, a, b) EMIT(PPC_INST_STDCX | ___PPC_RS(s) | \ + ___PPC_RA(a) | ___PPC_RB(b)) +- +-#ifdef CONFIG_PPC64 +-#define PPC_BPF_LL(r, base, i) do { PPC_LD(r, base, i); } while(0) +-#define PPC_BPF_STL(r, base, i) do { PPC_STD(r, base, i); } while(0) +-#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0) +-#else +-#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0) +-#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0) +-#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0) +-#endif +- + #define PPC_CMPWI(a, i) EMIT(PPC_INST_CMPWI | ___PPC_RA(a) | IMM_L(i)) + #define PPC_CMPDI(a, i) EMIT(PPC_INST_CMPDI | ___PPC_RA(a) | IMM_L(i)) + #define PPC_CMPW(a, b) EMIT(PPC_INST_CMPW | ___PPC_RA(a) | \ +--- a/arch/powerpc/net/bpf_jit32.h ++++ b/arch/powerpc/net/bpf_jit32.h +@@ -123,6 +123,10 @@ DECLARE_LOAD_FUNC(sk_load_byte_msh); + #define PPC_NTOHS_OFFS(r, base, i) PPC_LHZ_OFFS(r, base, i) + #endif + ++#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0) ++#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0) ++#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0) ++ + #define SEEN_DATAREF 0x10000 /* might call external helpers */ + #define SEEN_XREG 0x20000 /* X reg is used */ + #define SEEN_MEM 0x40000 /* SEEN_MEM+(1< MAX_TAIL_CALL_CNT) + * goto out; + */ +- PPC_LD(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); ++ 
PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); + PPC_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT); + PPC_BCC(COND_GT, out); + +@@ -265,7 +265,7 @@ static void bpf_jit_emit_tail_call(u32 * + /* prog = array->ptrs[index]; */ + PPC_MULI(b2p[TMP_REG_1], b2p_index, 8); + PPC_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array); +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs)); ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs)); + + /* + * if (prog == NULL) +@@ -275,7 +275,7 @@ static void bpf_jit_emit_tail_call(u32 * + PPC_BCC(COND_EQ, out); + + /* goto *(prog->bpf_func + prologue_size); */ +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func)); ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func)); + #ifdef PPC64_ELF_ABI_v1 + /* skip past the function descriptor */ + PPC_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1], +@@ -606,7 +606,7 @@ bpf_alu32_trunc: + * the instructions generated will remain the + * same across all passes + */ +- PPC_STD(dst_reg, 1, bpf_jit_stack_local(ctx)); ++ PPC_BPF_STL(dst_reg, 1, bpf_jit_stack_local(ctx)); + PPC_ADDI(b2p[TMP_REG_1], 1, bpf_jit_stack_local(ctx)); + PPC_LDBRX(dst_reg, 0, b2p[TMP_REG_1]); + break; +@@ -662,7 +662,7 @@ emit_clear: + PPC_LI32(b2p[TMP_REG_1], imm); + src_reg = b2p[TMP_REG_1]; + } +- PPC_STD(src_reg, dst_reg, off); ++ PPC_BPF_STL(src_reg, dst_reg, off); + break; + + /* +@@ -709,7 +709,7 @@ emit_clear: + break; + /* dst = *(u64 *)(ul) (src + off) */ + case BPF_LDX | BPF_MEM | BPF_DW: +- PPC_LD(dst_reg, src_reg, off); ++ PPC_BPF_LL(dst_reg, src_reg, off); + break; + + /* diff --git a/queue-5.0/series b/queue-5.0/series index 11a62bb4045..7bc84152def 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -35,3 +35,19 @@ r8169-fix-cable-re-plugging-issue.patch ila-fix-rhashtable-walker-list-corruption.patch tun-add-a-missing-rcu_read_unlock-in-error-path.patch powerpc-fsl-fix-the-flush-of-branch-predictor.patch +btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch +btrfs-remove-warn_on-in-log_dir_items.patch +btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch +btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch +btrfs-fix-bound-checking-in-qgroup_trace_new_subtree_blocks.patch +btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch +btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch +locks-wake-any-locks-blocked-on-request-before-deadlock-check.patch +tracing-initialize-variable-in-create_dyn_event.patch +arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch +powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch +vfio-ccw-only-free-cp-on-final-interrupt.patch +nfs-fix-nfs4_lock_state-refcounting-in-nfs4_alloc_-lock-unlock-data.patch +nfs-fix-mount-umount-race-in-nlmclnt.patch +nfsv4.1-don-t-free-interrupted-slot-on-open.patch +net-dsa-qca8k-remove-leftover-phy-accessors.patch diff --git a/queue-5.0/tracing-initialize-variable-in-create_dyn_event.patch b/queue-5.0/tracing-initialize-variable-in-create_dyn_event.patch new file mode 100644 index 00000000000..86740489919 --- /dev/null +++ b/queue-5.0/tracing-initialize-variable-in-create_dyn_event.patch @@ -0,0 +1,39 @@ +From 3dee10da2e9ff220e054a8f158cc296c797fbe81 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Thu, 21 Mar 2019 23:58:20 -0700 +Subject: tracing: initialize variable in create_dyn_event() + +From: Frank Rowand + +commit 
3dee10da2e9ff220e054a8f158cc296c797fbe81 upstream. + +Fix compile warning in create_dyn_event(): 'ret' may be used uninitialized +in this function [-Wuninitialized]. + +Link: http://lkml.kernel.org/r/1553237900-8555-1-git-send-email-frowand.list@gmail.com + +Cc: Masami Hiramatsu +Cc: Ingo Molnar +Cc: Tom Zanussi +Cc: Ravi Bangoria +Cc: stable@vger.kernel.org +Fixes: 5448d44c3855 ("tracing: Add unified dynamic event framework") +Signed-off-by: Frank Rowand +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_dynevent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_dynevent.c ++++ b/kernel/trace/trace_dynevent.c +@@ -74,7 +74,7 @@ int dyn_event_release(int argc, char **a + static int create_dyn_event(int argc, char **argv) + { + struct dyn_event_operations *ops; +- int ret; ++ int ret = -ENODEV; + + if (argv[0][0] == '-' || argv[0][0] == '!') + return dyn_event_release(argc, argv, NULL); diff --git a/queue-5.0/vfio-ccw-only-free-cp-on-final-interrupt.patch b/queue-5.0/vfio-ccw-only-free-cp-on-final-interrupt.patch new file mode 100644 index 00000000000..be3cbd9806c --- /dev/null +++ b/queue-5.0/vfio-ccw-only-free-cp-on-final-interrupt.patch @@ -0,0 +1,58 @@ +From 50b7f1b7236bab08ebbbecf90521e84b068d7a17 Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Mon, 11 Mar 2019 10:59:53 +0100 +Subject: vfio: ccw: only free cp on final interrupt + +From: Cornelia Huck + +commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17 upstream. + +When we get an interrupt for a channel program, it is not +necessarily the final interrupt; for example, the issuing +guest may request an intermediate interrupt by specifying +the program-controlled-interrupt flag on a ccw. + +We must not switch the state to idle if the interrupt is not +yet final; even more importantly, we must not free the translated +channel program if the interrupt is not yet final, or the host +can crash during cp rewind. + +Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously") +Cc: stable@vger.kernel.org # v4.12+ +Reviewed-by: Eric Farman +Signed-off-by: Cornelia Huck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/s390/cio/vfio_ccw_drv.c ++++ b/drivers/s390/cio/vfio_ccw_drv.c +@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct + { + struct vfio_ccw_private *private; + struct irb *irb; ++ bool is_final; + + private = container_of(work, struct vfio_ccw_private, io_work); + irb = &private->irb; + ++ is_final = !(scsw_actl(&irb->scsw) & ++ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT)); + if (scsw_is_solicited(&irb->scsw)) { + cp_update_scsw(&private->cp, &irb->scsw); +- cp_free(&private->cp); ++ if (is_final) ++ cp_free(&private->cp); + } + memcpy(private->io_region->irb_area, irb, sizeof(*irb)); + + if (private->io_trigger) + eventfd_signal(private->io_trigger, 1); + +- if (private->mdev) ++ if (private->mdev && is_final) + private->state = VFIO_CCW_STATE_IDLE; + } +
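
The finality test used in vfio_ccw_sch_io_todo() above reads naturally as a small predicate over the subchannel-status word: an interrupt is final only once neither the device-active nor the subchannel-active bit remains set, while a program-controlled (intermediate) interrupt arrives with activity still pending. A hedged restatement (irb_is_final() is an illustrative name, not a kernel symbol; scsw_actl() and the SCSW_ACTL_* flags are the s390 CIO definitions used in the diff):

    /* Final means no activity left at the subchannel; a PCI interrupt
     * is delivered while DEVACT or SCHACT is still set, so the translated
     * channel program must be kept alive until this returns true. */
    static bool irb_is_final(struct irb *irb)
    {
            return !(scsw_actl(&irb->scsw) &
                     (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
    }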