From 228f13f5b39551749c6e6e5674f66bca3acb7a88 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 20 Apr 2014 18:28:35 -0700 Subject: [PATCH] 3.13-stable patches added patches: btrfs-fix-deadlock-with-nested-trans-handles.patch ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch jffs2-fix-crash-due-to-truncation-of-csize.patch jffs2-fix-segmentation-fault-found-in-stress-test.patch jffs2-remove-from-wait-queue-after-schedule.patch sparc32-fix-build-failure-for-arch_jump_label_transform.patch sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch --- ...x-deadlock-with-nested-trans-handles.patch | 68 +++++++++++++ ...xt4_ext_handle_uninitialized_extents.patch | 49 +++++++++ ...r-handling-for-bigalloc-file-systems.patch | 64 ++++++++++++ ...al-clusters-split-across-leaf-blocks.patch | 58 +++++++++++ ...oft-lockup-in-jffs2_reserve_space_gc.patch | 73 ++++++++++++++ ...fix-crash-due-to-truncation-of-csize.patch | 81 +++++++++++++++ ...mentation-fault-found-in-stress-test.patch | 99 +++++++++++++++++++ ...emove-from-wait-queue-after-schedule.patch | 35 +++++++ queue-3.13/series | 11 +++ ...ailure-for-arch_jump_label_transform.patch | 44 +++++++++ ...4-bit-syscall-return-codes-as-32-bit.patch | 47 +++++++++ ...-are-enabled-during-hypervisor-yield.patch | 58 +++++++++++ 12 files changed, 687 insertions(+) create mode 100644 queue-3.13/btrfs-fix-deadlock-with-nested-trans-handles.patch create mode 100644 queue-3.13/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch create mode 100644 queue-3.13/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch create mode 100644 queue-3.13/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch create mode 100644 queue-3.13/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch create mode 100644 queue-3.13/jffs2-fix-crash-due-to-truncation-of-csize.patch create mode 100644 queue-3.13/jffs2-fix-segmentation-fault-found-in-stress-test.patch create mode 100644 queue-3.13/jffs2-remove-from-wait-queue-after-schedule.patch create mode 100644 queue-3.13/sparc32-fix-build-failure-for-arch_jump_label_transform.patch create mode 100644 queue-3.13/sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch create mode 100644 queue-3.13/sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch diff --git a/queue-3.13/btrfs-fix-deadlock-with-nested-trans-handles.patch b/queue-3.13/btrfs-fix-deadlock-with-nested-trans-handles.patch new file mode 100644 index 00000000000..8589a675130 --- /dev/null +++ b/queue-3.13/btrfs-fix-deadlock-with-nested-trans-handles.patch @@ -0,0 +1,68 @@ +From 3bbb24b20a8800158c33eca8564f432dd14d0bf3 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 6 Mar 2014 19:01:07 -0500 +Subject: Btrfs: fix deadlock with nested trans handles + +From: Josef Bacik + +commit 3bbb24b20a8800158c33eca8564f432dd14d0bf3 upstream. + +Zach found this deadlock that would happen like this + +btrfs_end_transaction <- reduce trans->use_count to 0 + btrfs_run_delayed_refs + btrfs_cow_block + find_free_extent + btrfs_start_transaction <- increase trans->use_count to 1 + allocate chunk + btrfs_end_transaction <- decrease trans->use_count to 0 + btrfs_run_delayed_refs + lock tree block we are cowing above ^^ + +We need to only decrease trans->use_count if it is above 1, otherwise leave it +alone. This will make nested trans be the only ones who decrease their added +ref, and will let us get rid of the trans->use_count++ hack if we have to commit +the transaction. Thanks, + +Reported-by: Zach Brown +Signed-off-by: Josef Bacik +Tested-by: Zach Brown +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/transaction.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -685,7 +685,8 @@ static int __btrfs_end_transaction(struc + int lock = (trans->type != TRANS_JOIN_NOLOCK); + int err = 0; + +- if (--trans->use_count) { ++ if (trans->use_count > 1) { ++ trans->use_count--; + trans->block_rsv = trans->orig_rsv; + return 0; + } +@@ -733,17 +734,10 @@ static int __btrfs_end_transaction(struc + } + + if (lock && ACCESS_ONCE(cur_trans->state) == TRANS_STATE_BLOCKED) { +- if (throttle) { +- /* +- * We may race with somebody else here so end up having +- * to call end_transaction on ourselves again, so inc +- * our use_count. +- */ +- trans->use_count++; ++ if (throttle) + return btrfs_commit_transaction(trans, root); +- } else { ++ else + wake_up_process(info->transaction_kthread); +- } + } + + if (trans->type & __TRANS_FREEZABLE) diff --git a/queue-3.13/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch b/queue-3.13/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch new file mode 100644 index 00000000000..4ff817715e7 --- /dev/null +++ b/queue-3.13/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch @@ -0,0 +1,49 @@ +From ce37c42919608e96ade3748fe23c3062a0a966c5 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Wed, 19 Feb 2014 18:52:39 -0500 +Subject: ext4: fix error return from ext4_ext_handle_uninitialized_extents() + +From: Eric Whitney + +commit ce37c42919608e96ade3748fe23c3062a0a966c5 upstream. + +Commit 3779473246 breaks the return of error codes from +ext4_ext_handle_uninitialized_extents() in ext4_ext_map_blocks(). A +portion of the patch assigns that function's signed integer return +value to an unsigned int. Consequently, negatively valued error codes +are lost and can be treated as a bogus allocated block count. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4128,7 +4128,7 @@ int ext4_ext_map_blocks(handle_t *handle + struct ext4_extent newex, *ex, *ex2; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + ext4_fsblk_t newblock = 0; +- int free_on_err = 0, err = 0, depth; ++ int free_on_err = 0, err = 0, depth, ret; + unsigned int allocated = 0, offset = 0; + unsigned int allocated_clusters = 0; + struct ext4_allocation_request ar; +@@ -4189,9 +4189,13 @@ int ext4_ext_map_blocks(handle_t *handle + if (!ext4_ext_is_uninitialized(ex)) + goto out; + +- allocated = ext4_ext_handle_uninitialized_extents( ++ ret = ext4_ext_handle_uninitialized_extents( + handle, inode, map, path, flags, + allocated, newblock); ++ if (ret < 0) ++ err = ret; ++ else ++ allocated = ret; + goto out3; + } + } diff --git a/queue-3.13/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch b/queue-3.13/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch new file mode 100644 index 00000000000..da3e6eaff56 --- /dev/null +++ b/queue-3.13/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch @@ -0,0 +1,64 @@ +From c06344939422bbd032ac967223a7863de57496b5 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Thu, 13 Mar 2014 23:34:16 -0400 +Subject: ext4: fix partial cluster handling for bigalloc file systems + +From: Eric Whitney + +commit c06344939422bbd032ac967223a7863de57496b5 upstream. + +Commit 9cb00419fa, which enables hole punching for bigalloc file +systems, exposed a bug introduced by commit 6ae06ff51e in an earlier +release. When run on a bigalloc file system, xfstests generic/013, 068, +075, 083, 091, 100, 112, 127, 263, 269, and 270 fail with e2fsck errors +or cause kernel error messages indicating that previously freed blocks +are being freed again. + +The latter commit optimizes the selection of the starting extent in +ext4_ext_rm_leaf() when hole punching by beginning with the extent +supplied in the path argument rather than with the last extent in the +leaf node (as is still done when truncating). However, the code in +rm_leaf that initially sets partial_cluster to track cluster sharing on +extent boundaries is only guaranteed to run if rm_leaf starts with the +last node in the leaf. Consequently, partial_cluster is not correctly +initialized when hole punching, and a cluster on the boundary of a +punched region that should be retained may instead be deallocated. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2585,6 +2585,27 @@ ext4_ext_rm_leaf(handle_t *handle, struc + ex_ee_block = le32_to_cpu(ex->ee_block); + ex_ee_len = ext4_ext_get_actual_len(ex); + ++ /* ++ * If we're starting with an extent other than the last one in the ++ * node, we need to see if it shares a cluster with the extent to ++ * the right (towards the end of the file). If its leftmost cluster ++ * is this extent's rightmost cluster and it is not cluster aligned, ++ * we'll mark it as a partial that is not to be deallocated. ++ */ ++ ++ if (ex != EXT_LAST_EXTENT(eh)) { ++ ext4_fsblk_t current_pblk, right_pblk; ++ long long current_cluster, right_cluster; ++ ++ current_pblk = ext4_ext_pblock(ex) + ex_ee_len - 1; ++ current_cluster = (long long)EXT4_B2C(sbi, current_pblk); ++ right_pblk = ext4_ext_pblock(ex + 1); ++ right_cluster = (long long)EXT4_B2C(sbi, right_pblk); ++ if (current_cluster == right_cluster && ++ EXT4_PBLK_COFF(sbi, right_pblk)) ++ *partial_cluster = -right_cluster; ++ } ++ + trace_ext4_ext_rm_leaf(inode, start, ex, *partial_cluster); + + while (ex >= EXT_FIRST_EXTENT(eh) && diff --git a/queue-3.13/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch b/queue-3.13/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch new file mode 100644 index 00000000000..326ae5b8525 --- /dev/null +++ b/queue-3.13/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch @@ -0,0 +1,58 @@ +From ad6599ab3ac98a4474544086e048ce86ec15a4d1 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Tue, 1 Apr 2014 19:49:30 -0400 +Subject: ext4: fix premature freeing of partial clusters split across leaf blocks + +From: Eric Whitney + +commit ad6599ab3ac98a4474544086e048ce86ec15a4d1 upstream. + +Xfstests generic/311 and shared/298 fail when run on a bigalloc file +system. Kernel error messages produced during the tests report that +blocks to be freed are already on the to-be-freed list. When e2fsck +is run at the end of the tests, it typically reports bad i_blocks and +bad free blocks counts. + +The bug that causes these failures is located in ext4_ext_rm_leaf(). +Code at the end of the function frees a partial cluster if it's not +shared with an extent remaining in the leaf. However, if all the +extents in the leaf have been removed, the code dereferences an +invalid extent pointer (off the front of the leaf) when the check for +sharing is made. This generally has the effect of unconditionally +freeing the partial cluster, which leads to the observed failures +when the partial cluster is shared with the last extent in the next +leaf. + +Fix this by attempting to free the cluster only if extents remain in +the leaf. Any remaining partial cluster will be freed if possible +when the next leaf is processed or when leaf removal is complete. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2731,10 +2731,15 @@ ext4_ext_rm_leaf(handle_t *handle, struc + err = ext4_ext_correct_indexes(handle, inode, path); + + /* +- * Free the partial cluster only if the current extent does not +- * reference it. Otherwise we might free used cluster. ++ * If there's a partial cluster and at least one extent remains in ++ * the leaf, free the partial cluster if it isn't shared with the ++ * current extent. If there's a partial cluster and no extents ++ * remain in the leaf, it can't be freed here. It can only be ++ * freed when it's possible to determine if it's not shared with ++ * any other extent - when the next leaf is processed or when space ++ * removal is complete. + */ +- if (*partial_cluster > 0 && ++ if (*partial_cluster > 0 && eh->eh_entries && + (EXT4_B2C(sbi, ext4_ext_pblock(ex) + ex_ee_len - 1) != + *partial_cluster)) { + int flags = get_default_free_blocks_flags(inode); diff --git a/queue-3.13/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch b/queue-3.13/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch new file mode 100644 index 00000000000..c30e22cad40 --- /dev/null +++ b/queue-3.13/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch @@ -0,0 +1,73 @@ +From 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:56 -0800 +Subject: jffs2: avoid soft-lockup in jffs2_reserve_space_gc() + +From: Li Zefan + +commit 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 upstream. + +We triggered soft-lockup under stress test on 2.6.34 kernel. + +BUG: soft lockup - CPU#1 stuck for 60009ms! [lockf2.test:14488] +... +[] (jffs2_do_reserve_space+0x420/0x440 [jffs2]) +[] (jffs2_reserve_space_gc+0x34/0x78 [jffs2]) +[] (jffs2_garbage_collect_dnode.isra.3+0x264/0x478 [jffs2]) +[] (jffs2_garbage_collect_pass+0x9c0/0xe4c [jffs2]) +[] (jffs2_reserve_space+0x104/0x2a8 [jffs2]) +[] (jffs2_write_inode_range+0x5c/0x4d4 [jffs2]) +[] (jffs2_write_end+0x198/0x2c0 [jffs2]) +[] (generic_file_buffered_write+0x158/0x200) +[] (__generic_file_aio_write+0x3a4/0x414) +[] (generic_file_aio_write+0x5c/0xbc) +[] (do_sync_write+0x98/0xd4) +[] (vfs_write+0xa8/0x150) +[] (sys_write+0x3c/0xc0)] + +Fix this by adding a cond_resched() in the while loop. + +[akpm@linux-foundation.org: don't initialize `ret'] +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -211,20 +211,25 @@ out: + int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, + uint32_t *len, uint32_t sumsize) + { +- int ret = -EAGAIN; ++ int ret; + minsize = PAD(minsize); + + jffs2_dbg(1, "%s(): Requested 0x%x bytes\n", __func__, minsize); + +- spin_lock(&c->erase_completion_lock); +- while(ret == -EAGAIN) { ++ while (true) { ++ spin_lock(&c->erase_completion_lock); + ret = jffs2_do_reserve_space(c, minsize, len, sumsize); + if (ret) { + jffs2_dbg(1, "%s(): looping, ret is %d\n", + __func__, ret); + } ++ spin_unlock(&c->erase_completion_lock); ++ ++ if (ret == -EAGAIN) ++ cond_resched(); ++ else ++ break; + } +- spin_unlock(&c->erase_completion_lock); + if (!ret) + ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + diff --git a/queue-3.13/jffs2-fix-crash-due-to-truncation-of-csize.patch b/queue-3.13/jffs2-fix-crash-due-to-truncation-of-csize.patch new file mode 100644 index 00000000000..e333650cb86 --- /dev/null +++ b/queue-3.13/jffs2-fix-crash-due-to-truncation-of-csize.patch @@ -0,0 +1,81 @@ +From 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 Mon Sep 17 00:00:00 2001 +From: Ajesh Kunhipurayil Vijayan +Date: Mon, 6 Jan 2014 19:06:55 +0530 +Subject: jffs2: Fix crash due to truncation of csize + +From: Ajesh Kunhipurayil Vijayan + +commit 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 upstream. + +mounting JFFS2 partition sometimes crashes with this call trace: + +[ 1322.240000] Kernel bug detected[#1]: +[ 1322.244000] Cpu 2 +[ 1322.244000] $ 0 : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001 +[ 1322.252000] $ 4 : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000 +[ 1322.260000] $ 8 : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8 +[ 1322.268000] $12 : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e +[ 1322.276000] $16 : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000 +[ 1322.284000] $20 : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0 +[ 1322.292000] $24 : 0000000000000004 0000000000000000 +[ 1322.300000] $28 : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0 +[ 1322.308000] Hi : 000000000000023c +[ 1322.312000] Lo : 000000000003f802 +[ 1322.316000] epc : ffffffffc039a9f8 check_tn_node+0x88/0x3b0 +[ 1322.320000] Not tainted +[ 1322.324000] ra : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.332000] Status: 5400f8e3 KX SX UX KERNEL EXL IE +[ 1322.336000] Cause : 00800034 +[ 1322.340000] PrId : 000c1004 (Netlogic XLP) +[ 1322.344000] Modules linked in: +[ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000) +[ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000 + c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc + c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000 + 0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180 + 0000008600000000 0000000000000000 0000000000000000 0000000000000000 + 0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000 + 0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00 + c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0 + 0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90 + 0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c + ... +[ 1322.424000] Call Trace: +[ 1322.428000] [] check_tn_node+0x88/0x3b0 +[ 1322.432000] [] jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.440000] [] jffs2_do_crccheck_inode+0x70/0xd0 +[ 1322.448000] [] jffs2_garbage_collect_pass+0x160/0x870 +[ 1322.452000] [] jffs2_garbage_collect_thread+0xdc/0x1f0 +[ 1322.460000] [] kthread+0xb8/0xc0 +[ 1322.464000] [] kernel_thread_helper+0x10/0x18 +[ 1322.472000] +[ 1322.472000] +Code: 67bd0050 94a4002c 2c830001 <00038036> de050218 2403fffc 0080a82d 00431824 24630044 +[ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]--- + +The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it +is used to hold the compressed data length(csize) which is declared as uint32_t. +So, when the value of csize exceeds 16bits, it gets truncated when assigned to +tn->csize. This is causing a kernel BUG. +Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue. + +Signed-off-by: Ajesh Kunhipurayil Vijayan +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodelist.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jffs2/nodelist.h ++++ b/fs/jffs2/nodelist.h +@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info + uint32_t version; + uint32_t data_crc; + uint32_t partial_crc; +- uint16_t csize; ++ uint32_t csize; + uint16_t overlapped; + }; + diff --git a/queue-3.13/jffs2-fix-segmentation-fault-found-in-stress-test.patch b/queue-3.13/jffs2-fix-segmentation-fault-found-in-stress-test.patch new file mode 100644 index 00000000000..660d094e7a1 --- /dev/null +++ b/queue-3.13/jffs2-fix-segmentation-fault-found-in-stress-test.patch @@ -0,0 +1,99 @@ +From 3367da5610c50e6b83f86d366d72b41b350b06a2 Mon Sep 17 00:00:00 2001 +From: Kamlakant Patel +Date: Mon, 6 Jan 2014 19:06:54 +0530 +Subject: jffs2: Fix segmentation fault found in stress test + +From: Kamlakant Patel + +commit 3367da5610c50e6b83f86d366d72b41b350b06a2 upstream. + +Creating a large file on a JFFS2 partition sometimes crashes with this call +trace: + +[ 306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044 +[ 306.488000] Oops[#1]: +[ 306.488000] Cpu 13 +[ 306.492000] $ 0 : 0000000000000000 0000000000000000 0000000000008008 0000000000008007 +[ 306.500000] $ 4 : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58 +[ 306.508000] $ 8 : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002 +[ 306.516000] $12 : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb +[ 306.524000] $16 : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70 +[ 306.532000] $20 : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000 +[ 306.540000] $24 : 0000000000000000 0000000000000004 +[ 306.548000] $28 : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044 +[ 306.556000] Hi : 00000000000574a5 +[ 306.560000] Lo : 6193b7a7e903d8c9 +[ 306.564000] epc : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198 +[ 306.568000] Tainted: G W +[ 306.572000] ra : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198 +[ 306.580000] Status: 5000f8e3 KX SX UX KERNEL EXL IE +[ 306.584000] Cause : 00800008 +[ 306.588000] BadVA : c0000000dfff8002 +[ 306.592000] PrId : 000c1100 (Netlogic XLP) +[ 306.596000] Modules linked in: +[ 306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490) +[ 306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f + 7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7 + 7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb + 7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93 + 7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64 + 7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53 + 7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80 + 7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3 + 7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6 + 7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9 + ... +[ 306.676000] Call Trace: +[ 306.680000] [] jffs2_rtime_compress+0x98/0x198 +[ 306.684000] [] jffs2_selected_compress+0x110/0x230 +[ 306.692000] [] jffs2_compress+0x5c/0x388 +[ 306.696000] [] jffs2_write_inode_range+0xd8/0x388 +[ 306.704000] [] jffs2_write_end+0x16c/0x2d0 +[ 306.708000] [] generic_file_buffered_write+0xf8/0x2b8 +[ 306.716000] [] __generic_file_aio_write+0x1ac/0x350 +[ 306.720000] [] generic_file_aio_write+0x80/0x168 +[ 306.728000] [] do_sync_write+0x94/0xf8 +[ 306.732000] [] vfs_write+0xa4/0x1a0 +[ 306.736000] [] SyS_write+0x50/0x90 +[ 306.744000] [] handle_sys+0x180/0x1a0 +[ 306.748000] +[ 306.748000] +Code: 020b202d 0205282d 90a50000 <90840000> 14a40038 00000000 0060602d 0000282d 016c5823 +[ 306.760000] ---[ end trace 79dd088435be02d0 ]--- +Segmentation fault + +This crash is caused because the 'positions' is declared as an array of signed +short. The value of position is in the range 0..65535, and will be converted +to a negative number when the position is greater than 32767 and causes a +corruption and crash. Changing the definition to 'unsigned short' fixes this +issue + +Signed-off-by: Jayachandran C +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/compr_rtime.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/compr_rtime.c ++++ b/fs/jffs2/compr_rtime.c +@@ -33,7 +33,7 @@ static int jffs2_rtime_compress(unsigned + unsigned char *cpage_out, + uint32_t *sourcelen, uint32_t *dstlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + +@@ -74,7 +74,7 @@ static int jffs2_rtime_decompress(unsign + unsigned char *cpage_out, + uint32_t srclen, uint32_t destlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + diff --git a/queue-3.13/jffs2-remove-from-wait-queue-after-schedule.patch b/queue-3.13/jffs2-remove-from-wait-queue-after-schedule.patch new file mode 100644 index 00000000000..8989a57ca8b --- /dev/null +++ b/queue-3.13/jffs2-remove-from-wait-queue-after-schedule.patch @@ -0,0 +1,35 @@ +From 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:57 -0800 +Subject: jffs2: remove from wait queue after schedule() + +From: Li Zefan + +commit 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 upstream. + +@wait is a local variable, so if we don't remove it from the wait queue +list, later wake_up() may end up accessing invalid memory. + +This was spotted by eyes. + +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -179,6 +179,7 @@ int jffs2_reserve_space(struct jffs2_sb_ + spin_unlock(&c->erase_completion_lock); + + schedule(); ++ remove_wait_queue(&c->erase_wait, &wait); + } else + spin_unlock(&c->erase_completion_lock); + } else if (ret) diff --git a/queue-3.13/series b/queue-3.13/series index 2ad5e4cb757..f6d085595e7 100644 --- a/queue-3.13/series +++ b/queue-3.13/series @@ -17,3 +17,14 @@ backing_dev-fix-hung-task-on-sync.patch bdi-avoid-oops-on-device-removal.patch xfs-fix-directory-hash-ordering-bug.patch btrfs-skip-submitting-barrier-for-missing-device.patch +btrfs-fix-deadlock-with-nested-trans-handles.patch +ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch +ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch +ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch +jffs2-fix-segmentation-fault-found-in-stress-test.patch +jffs2-fix-crash-due-to-truncation-of-csize.patch +jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch +jffs2-remove-from-wait-queue-after-schedule.patch +sparc32-fix-build-failure-for-arch_jump_label_transform.patch +sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch +sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch diff --git a/queue-3.13/sparc32-fix-build-failure-for-arch_jump_label_transform.patch b/queue-3.13/sparc32-fix-build-failure-for-arch_jump_label_transform.patch new file mode 100644 index 00000000000..eff753ff9d9 --- /dev/null +++ b/queue-3.13/sparc32-fix-build-failure-for-arch_jump_label_transform.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Apr 20 18:26:37 PDT 2014 +From: Paul Gortmaker +Date: Thu, 13 Feb 2014 13:57:44 -0500 +Subject: sparc32: fix build failure for arch_jump_label_transform + +From: Paul Gortmaker + +[ Upstream commit 4f6500fff5f7644a03c46728fd7ef0f62fa6940b ] + +In arch/sparc/Kernel/Makefile, we see: + + obj-$(CONFIG_SPARC64) += jump_label.o + +However, the Kconfig selects HAVE_ARCH_JUMP_LABEL unconditionally +for all SPARC. This in turn leads to the following failure when +doing allmodconfig coverage builds: + +kernel/built-in.o: In function `__jump_label_update': +jump_label.c:(.text+0x8560c): undefined reference to `arch_jump_label_transform' +kernel/built-in.o: In function `arch_jump_label_transform_static': +(.text+0x85cf4): undefined reference to `arch_jump_label_transform' +make: *** [vmlinux] Error 1 + +Change HAVE_ARCH_JUMP_LABEL to be conditional on SPARC64 so that it +matches the Makefile. + +Signed-off-by: Paul Gortmaker +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -26,7 +26,7 @@ config SPARC + select RTC_DRV_M48T59 + select HAVE_DMA_ATTRS + select HAVE_DMA_API_DEBUG +- select HAVE_ARCH_JUMP_LABEL ++ select HAVE_ARCH_JUMP_LABEL if SPARC64 + select GENERIC_IRQ_SHOW + select ARCH_WANT_IPC_PARSE_VERSION + select GENERIC_PCI_IOMAP diff --git a/queue-3.13/sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch b/queue-3.13/sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch new file mode 100644 index 00000000000..b924164043b --- /dev/null +++ b/queue-3.13/sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Apr 20 18:26:37 PDT 2014 +From: Dave Kleikamp +Date: Fri, 14 Mar 2014 10:42:01 -0500 +Subject: sparc64: don't treat 64-bit syscall return codes as 32-bit + +From: Dave Kleikamp + +[ Upstream commit 1535bd8adbdedd60a0ee62e28fd5225d66434371 ] + +When checking a system call return code for an error, +linux_sparc_syscall was sign-extending the lower 32-bit value and +comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return +codes whose lower 32-bits alone would indicate a failure (such as 4G-1). +Use the whole 64-bit value to check for errors. Only the 32-bit path +should sign extend the lower 32-bit value. + +Signed-off-by: Dave Kleikamp +Acked-by: Bob Picco +Acked-by: Allen Pais +Cc: David S. Miller +Cc: sparclinux@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/syscalls.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -189,7 +189,8 @@ linux_sparc_syscall32: + mov %i0, %l5 ! IEU1 + 5: call %l7 ! CTI Group brk forced + srl %i5, 0, %o5 ! IEU1 +- ba,a,pt %xcc, 3f ++ ba,pt %xcc, 3f ++ sra %o0, 0, %o0 + + /* Linux native system calls enter here... */ + .align 32 +@@ -217,7 +218,6 @@ linux_sparc_syscall: + 3: stx %o0, [%sp + PTREGS_OFF + PT_V9_I0] + ret_sys_call: + ldx [%sp + PTREGS_OFF + PT_V9_TSTATE], %g3 +- sra %o0, 0, %o0 + mov %ulo(TSTATE_XCARRY | TSTATE_ICARRY), %g2 + sllx %g2, 32, %g2 + diff --git a/queue-3.13/sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch b/queue-3.13/sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch new file mode 100644 index 00000000000..bcda60d5b4e --- /dev/null +++ b/queue-3.13/sparc64-make-sure-pil-interrupts-are-enabled-during-hypervisor-yield.patch @@ -0,0 +1,58 @@ +From foo@baz Sun Apr 20 18:26:37 PDT 2014 +From: "David S. Miller" +Date: Mon, 24 Mar 2014 14:45:12 -0400 +Subject: sparc64: Make sure %pil interrupts are enabled during hypervisor yield. + +From: "David S. Miller" + +[ Upstream commit cb3042d609e30e6144024801c89be3925106752b ] + +In arch_cpu_idle() we must enable %pil based interrupts before +potentially invoking the hypervisor cpu yield call. + +As per the Hypervisor API documentation for cpu_yield: + + Interrupts which are blocked by some mechanism other that + pstate.ie (for example %pil) are not guaranteed to cause + a return from this service. + +It seems that only first generation Niagara chips are hit by this +bug. My best guess is that later chips implement this in hardware +and wake up anyways from %pil events, whereas in first generation +chips the yield is implemented completely in hypervisor code and +requires %pil to be enabled in order to wake properly from this +call. + +Fixes: 87fa05aeb3a5 ("sparc: Use generic idle loop") +Reported-by: Fabio M. Di Nitto +Reported-by: Jan Engelhardt +Tested-by: Jan Engelhardt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/process_64.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -58,9 +58,12 @@ void arch_cpu_idle(void) + { + if (tlb_type != hypervisor) { + touch_nmi_watchdog(); ++ local_irq_enable(); + } else { + unsigned long pstate; + ++ local_irq_enable(); ++ + /* The sun4v sleeping code requires that we have PSTATE.IE cleared over + * the cpu sleep hypervisor call. + */ +@@ -82,7 +85,6 @@ void arch_cpu_idle(void) + : "=&r" (pstate) + : "i" (PSTATE_IE)); + } +- local_irq_enable(); + } + + #ifdef CONFIG_HOTPLUG_CPU -- 2.47.3