From ca5407455ef0c030a3b7e70efe696d9d16643d5e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 22 Jun 2018 06:24:28 +0900 Subject: [PATCH] 4.9-stable patches added patches: alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch alsa-hda-realtek-new-codec-support-for-alc257.patch btrfs-fix-clone-vs-chattr-nodatasum-race.patch btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch driver-core-don-t-ignore-class_dir_create_and_add-failure.patch ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch --- ...-led-support-for-hp-elitebook-830-g5.patch | 32 +++++++ ...nd-led-support-for-hp-probook-640-g4.patch | 32 +++++++ ...failure-in-snd_hda_attach_pcm_stream.patch | 46 ++++++++++ ...realtek-new-codec-support-for-alc257.patch | 69 +++++++++++++++ ...s-fix-clone-vs-chattr-nodatasum-race.patch | 67 +++++++++++++++ ...-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch | 83 +++++++++++++++++++ ...t-use-inode-pages-for-device-replace.patch | 67 +++++++++++++++ ...ore-class_dir_create_and_add-failure.patch | 79 ++++++++++++++++++ ...r-inode-count-overflow-during-resize.patch | 37 +++++++++ ...gth-detection-in-ext4_ind_map_blocks.patch | 52 ++++++++++++ ..._hole-even-if-no-blocks-are-released.patch | 77 +++++++++++++++++ queue-4.9/series | 11 +++ 12 files changed, 652 insertions(+) create mode 100644 queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch create mode 100644 queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch create mode 100644 queue-4.9/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch create mode 100644 queue-4.9/alsa-hda-realtek-new-codec-support-for-alc257.patch create mode 100644 queue-4.9/btrfs-fix-clone-vs-chattr-nodatasum-race.patch create mode 100644 queue-4.9/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch create mode 100644 queue-4.9/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch create mode 100644 queue-4.9/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch create mode 100644 queue-4.9/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch create mode 100644 queue-4.9/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch create mode 100644 queue-4.9/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch diff --git a/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch new file mode 100644 index 00000000000..aeb1ad4e789 --- /dev/null +++ b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch @@ -0,0 +1,32 @@ +From 2861751f67b91e1d24e68010ced96614fb3140f4 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Tue, 12 Jun 2018 07:10:59 +0200 +Subject: ALSA: hda: add dock and led support for HP EliteBook 830 G5 + +From: Dennis Wassenberg + +commit 2861751f67b91e1d24e68010ced96614fb3140f4 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP EliteBook 830 G5 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -851,6 +851,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), diff --git a/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch new file mode 100644 index 00000000000..87844fd9870 --- /dev/null +++ b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch @@ -0,0 +1,32 @@ +From 7eef32c1ef895a3a96463f9cbd04203007cd5555 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Tue, 12 Jun 2018 07:11:11 +0200 +Subject: ALSA: hda: add dock and led support for HP ProBook 640 G4 + +From: Dennis Wassenberg + +commit 7eef32c1ef895a3a96463f9cbd04203007cd5555 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP ProBook 640 G4 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -852,6 +852,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), diff --git a/queue-4.9/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch b/queue-4.9/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch new file mode 100644 index 00000000000..98c8552ce58 --- /dev/null +++ b/queue-4.9/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch @@ -0,0 +1,46 @@ +From a3aa60d511746bd6c0d0366d4eb90a7998bcde8b Mon Sep 17 00:00:00 2001 +From: Bo Chen +Date: Thu, 31 May 2018 15:35:18 -0700 +Subject: ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() + +From: Bo Chen + +commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream. + +When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is +created without setting its operators via 'snd_pcm_set_ops()'. Following +operations on the new pcm instance can trigger kernel null pointer dereferences +and cause kernel oops. + +This bug was found with my work on building a gray-box fault-injection tool for +linux-kernel-module binaries. A kernel null pointer dereference was confirmed +from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in +file 'sound/core/pcm_native.c'. + +This patch fixes the bug by calling 'snd_device_free()' in the error handling +path of 'kzalloc()', which removes the new pcm instance from the snd card before +returns with an error code. + +Signed-off-by: Bo Chen +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -748,8 +748,10 @@ int snd_hda_attach_pcm_stream(struct hda + return err; + strlcpy(pcm->name, cpcm->name, sizeof(pcm->name)); + apcm = kzalloc(sizeof(*apcm), GFP_KERNEL); +- if (apcm == NULL) ++ if (apcm == NULL) { ++ snd_device_free(chip->card, pcm); + return -ENOMEM; ++ } + apcm->chip = chip; + apcm->pcm = pcm; + apcm->codec = codec; diff --git a/queue-4.9/alsa-hda-realtek-new-codec-support-for-alc257.patch b/queue-4.9/alsa-hda-realtek-new-codec-support-for-alc257.patch new file mode 100644 index 00000000000..052faab4023 --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-new-codec-support-for-alc257.patch @@ -0,0 +1,69 @@ +From f429e7e494afaded76e62c6f98211a635aa03098 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Tue, 5 Dec 2017 15:38:24 +0800 +Subject: ALSA: hda/realtek - New codec support for ALC257 + +From: Kailang Yang + +commit f429e7e494afaded76e62c6f98211a635aa03098 upstream. + +Add new support for ALC257 codec. + +[ It's supposed to be almost equivalent with other ALC25x variants, + just adding another type and id -- tiwai ] + +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Tested-by: Pali Rohár +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -333,6 +333,7 @@ static void alc_fill_eapd_coef(struct hd + case 0x10ec0236: + case 0x10ec0255: + case 0x10ec0256: ++ case 0x10ec0257: + case 0x10ec0282: + case 0x10ec0283: + case 0x10ec0286: +@@ -2663,6 +2664,7 @@ enum { + ALC269_TYPE_ALC298, + ALC269_TYPE_ALC255, + ALC269_TYPE_ALC256, ++ ALC269_TYPE_ALC257, + ALC269_TYPE_ALC225, + ALC269_TYPE_ALC294, + ALC269_TYPE_ALC700, +@@ -2695,6 +2697,7 @@ static int alc269_parse_auto_config(stru + case ALC269_TYPE_ALC298: + case ALC269_TYPE_ALC255: + case ALC269_TYPE_ALC256: ++ case ALC269_TYPE_ALC257: + case ALC269_TYPE_ALC225: + case ALC269_TYPE_ALC294: + case ALC269_TYPE_ALC700: +@@ -6375,6 +6378,10 @@ static int patch_alc269(struct hda_codec + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ + alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/ + break; ++ case 0x10ec0257: ++ spec->codec_variant = ALC269_TYPE_ALC257; ++ spec->gen.mixer_nid = 0; ++ break; + case 0x10ec0225: + case 0x10ec0295: + case 0x10ec0299: +@@ -7361,6 +7368,7 @@ static const struct hda_device_id snd_hd + HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269), ++ HDA_CODEC_ENTRY(0x10ec0257, "ALC257", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0260, "ALC260", patch_alc260), + HDA_CODEC_ENTRY(0x10ec0262, "ALC262", patch_alc262), + HDA_CODEC_ENTRY(0x10ec0267, "ALC267", patch_alc268), diff --git a/queue-4.9/btrfs-fix-clone-vs-chattr-nodatasum-race.patch b/queue-4.9/btrfs-fix-clone-vs-chattr-nodatasum-race.patch new file mode 100644 index 00000000000..78d207db475 --- /dev/null +++ b/queue-4.9/btrfs-fix-clone-vs-chattr-nodatasum-race.patch @@ -0,0 +1,67 @@ +From b5c40d598f5408bd0ca22dfffa82f03cd9433f23 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 22 May 2018 15:02:12 -0700 +Subject: Btrfs: fix clone vs chattr NODATASUM race + +From: Omar Sandoval + +commit b5c40d598f5408bd0ca22dfffa82f03cd9433f23 upstream. + +In btrfs_clone_files(), we must check the NODATASUM flag while the +inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags() +will change the flags after we check and we can end up with a party +checksummed file. + +The race window is only a few instructions in size, between the if and +the locks which is: + +3834 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) +3835 return -EISDIR; + +where the setflags must be run and toggle the NODATASUM flag (provided +the file size is 0). The clone will block on the inode lock, segflags +takes the inode lock, changes flags, releases log and clone continues. + +Not impossible but still needs a lot of bad luck to hit unintentionally. + +Fixes: 0e7b824c4ef9 ("Btrfs: don't make a file partly checksummed through file clone") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Omar Sandoval +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3887,11 +3887,6 @@ static noinline int btrfs_clone_files(st + src->i_sb != inode->i_sb) + return -EXDEV; + +- /* don't make the dst file partly checksummed */ +- if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != +- (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) +- return -EINVAL; +- + if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) + return -EISDIR; + +@@ -3901,6 +3896,13 @@ static noinline int btrfs_clone_files(st + inode_lock(src); + } + ++ /* don't make the dst file partly checksummed */ ++ if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != ++ (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* determine range to clone */ + ret = -EINVAL; + if (off + len > src->i_size || off + len < off) diff --git a/queue-4.9/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch b/queue-4.9/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch new file mode 100644 index 00000000000..b673916d80a --- /dev/null +++ b/queue-4.9/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch @@ -0,0 +1,83 @@ +From fd4e994bd1f9dc9628e168a7f619bf69f6984635 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 22 May 2018 15:44:01 -0700 +Subject: Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() + +From: Omar Sandoval + +commit fd4e994bd1f9dc9628e168a7f619bf69f6984635 upstream. + +If we have invalid flags set, when we error out we must drop our writer +counter and free the buffer we allocated for the arguments. This bug is +trivially reproduced with the following program on 4.7+: + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + int main(int argc, char **argv) + { + struct btrfs_ioctl_vol_args_v2 vol_args = { + .flags = UINT64_MAX, + }; + int ret; + int fd; + + if (argc != 2) { + fprintf(stderr, "usage: %s PATH\n", argv[0]); + return EXIT_FAILURE; + } + + fd = open(argv[1], O_WRONLY); + if (fd == -1) { + perror("open"); + return EXIT_FAILURE; + } + + ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args); + if (ret == -1) + perror("ioctl"); + + close(fd); + return EXIT_SUCCESS; + } + +When unmounting the filesystem, we'll hit the +WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt() and also may prevent the +filesystem to be remounted read-only as the writer count will stay +lifted. + +Fixes: 6b526ed70cf1 ("btrfs: introduce device delete by devid") +CC: stable@vger.kernel.org # 4.9+ +Signed-off-by: Omar Sandoval +Reviewed-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2708,8 +2708,10 @@ static long btrfs_ioctl_rm_dev_v2(struct + } + + /* Check for compatibility reject unknown flags */ +- if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED) +- return -EOPNOTSUPP; ++ if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED) { ++ ret = -EOPNOTSUPP; ++ goto out; ++ } + + if (atomic_xchg(&root->fs_info->mutually_exclusive_operation_running, + 1)) { diff --git a/queue-4.9/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch b/queue-4.9/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch new file mode 100644 index 00000000000..53294d807b6 --- /dev/null +++ b/queue-4.9/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch @@ -0,0 +1,67 @@ +From ac0b4145d662a3b9e34085dea460fb06ede9b69b Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 5 Jun 2018 12:36:56 +0800 +Subject: btrfs: scrub: Don't use inode pages for device replace + +From: Qu Wenruo + +commit ac0b4145d662a3b9e34085dea460fb06ede9b69b upstream. + +[BUG] +Btrfs can create compressed extent without checksum (even though it +shouldn't), and if we then try to replace device containing such extent, +the result device will contain all the uncompressed data instead of the +compressed one. + +Test case already submitted to fstests: +https://patchwork.kernel.org/patch/10442353/ + +[CAUSE] +When handling compressed extent without checksum, device replace will +goe into copy_nocow_pages() function. + +In that function, btrfs will get all inodes referring to this data +extents and then use find_or_create_page() to get pages direct from that +inode. + +The problem here is, pages directly from inode are always uncompressed. +And for compressed data extent, they mismatch with on-disk data. +Thus this leads to corrupted compressed data extent written to replace +device. + +[FIX] +In this attempt, we could just remove the "optimization" branch, and let +unified scrub_pages() to handle it. + +Although scrub_pages() won't bother reusing page cache, it will be a +little slower, but it does the correct csum checking and won't cause +such data corruption caused by "optimization". + +Note about the fix: this is the minimal fix that can be backported to +older stable trees without conflicts. The whole callchain from +copy_nocow_pages() can be deleted, and will be in followup patches. + +Fixes: ff023aac3119 ("Btrfs: add code to scrub to copy read data to another disk") +CC: stable@vger.kernel.org # 4.4+ +Reported-by: James Harvey +Reviewed-by: James Harvey +Signed-off-by: Qu Wenruo +[ remove code removal, add note why ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/scrub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -2519,7 +2519,7 @@ static int scrub_extent(struct scrub_ctx + have_csum = scrub_find_csum(sctx, logical, csum); + if (have_csum == 0) + ++sctx->stat.no_csum; +- if (sctx->is_dev_replace && !have_csum) { ++ if (0 && sctx->is_dev_replace && !have_csum) { + ret = copy_nocow_pages(sctx, logical, l, + mirror_num, + physical_for_dev_replace); diff --git a/queue-4.9/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch b/queue-4.9/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch new file mode 100644 index 00000000000..33aee2aa98b --- /dev/null +++ b/queue-4.9/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch @@ -0,0 +1,79 @@ +From 84d0c27d6233a9ba0578b20f5a09701eb66cee42 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 7 May 2018 19:10:31 +0900 +Subject: driver core: Don't ignore class_dir_create_and_add() failure. + +From: Tetsuo Handa + +commit 84d0c27d6233a9ba0578b20f5a09701eb66cee42 upstream. + +syzbot is hitting WARN() at kernfs_add_one() [1]. +This is because kernfs_create_link() is confused by previous device_add() +call which continued without setting dev->kobj.parent field when +get_device_parent() failed by memory allocation fault injection. +Fix this by propagating the error from class_dir_create_and_add() to +the calllers of get_device_parent(). + +[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Greg Kroah-Hartman +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -759,7 +759,7 @@ class_dir_create_and_add(struct class *c + + dir = kzalloc(sizeof(*dir), GFP_KERNEL); + if (!dir) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + dir->class = class; + kobject_init(&dir->kobj, &class_dir_ktype); +@@ -769,7 +769,7 @@ class_dir_create_and_add(struct class *c + retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); + if (retval < 0) { + kobject_put(&dir->kobj); +- return NULL; ++ return ERR_PTR(retval); + } + return &dir->kobj; + } +@@ -1076,6 +1076,10 @@ int device_add(struct device *dev) + + parent = get_device(dev->parent); + kobj = get_device_parent(dev, parent); ++ if (IS_ERR(kobj)) { ++ error = PTR_ERR(kobj); ++ goto parent_error; ++ } + if (kobj) + dev->kobj.parent = kobj; + +@@ -1174,6 +1178,7 @@ done: + kobject_del(&dev->kobj); + Error: + cleanup_glue_dir(dev, glue_dir); ++parent_error: + put_device(parent); + name_error: + kfree(dev->p); +@@ -1991,6 +1996,11 @@ int device_move(struct device *dev, stru + device_pm_lock(); + new_parent = get_device(new_parent); + new_parent_kobj = get_device_parent(dev, new_parent); ++ if (IS_ERR(new_parent_kobj)) { ++ error = PTR_ERR(new_parent_kobj); ++ put_device(new_parent); ++ goto out; ++ } + + pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), + __func__, new_parent ? dev_name(new_parent) : ""); diff --git a/queue-4.9/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch b/queue-4.9/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch new file mode 100644 index 00000000000..4b63f9f7544 --- /dev/null +++ b/queue-4.9/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch @@ -0,0 +1,37 @@ +From 4f2f76f751433908364ccff82f437a57d0e6e9b7 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 25 May 2018 12:51:25 -0400 +Subject: ext4: fix fencepost error in check for inode count overflow during resize + +From: Jan Kara + +commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream. + +ext4_resize_fs() has an off-by-one bug when checking whether growing of +a filesystem will not overflow inode count. As a result it allows a +filesystem with 8192 inodes per group to grow to 64TB which overflows +inode count to 0 and makes filesystem unusable. Fix it. + +Cc: stable@vger.kernel.org +Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b +Reported-by: Jaco Kroon +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1903,7 +1903,7 @@ retry: + return 0; + + n_group = ext4_get_group_number(sb, n_blocks_count - 1); +- if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { ++ if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { + ext4_warning(sb, "resize would cause inodes_count overflow"); + return -EINVAL; + } diff --git a/queue-4.9/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch b/queue-4.9/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch new file mode 100644 index 00000000000..ac1d8068a74 --- /dev/null +++ b/queue-4.9/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch @@ -0,0 +1,52 @@ +From 2ee3ee06a8fd792765fa3267ddf928997797eec5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sat, 12 May 2018 19:55:00 -0400 +Subject: ext4: fix hole length detection in ext4_ind_map_blocks() + +From: Jan Kara + +commit 2ee3ee06a8fd792765fa3267ddf928997797eec5 upstream. + +When ext4_ind_map_blocks() computes a length of a hole, it doesn't count +with the fact that mapped offset may be somewhere in the middle of the +completely empty subtree. In such case it will return too large length +of the hole which then results in lseek(SEEK_DATA) to end up returning +an incorrect offset beyond the end of the hole. + +Fix the problem by correctly taking offset within a subtree into account +when computing a length of a hole. + +Fixes: facab4d9711e7aa3532cb82643803e8f1b9518e8 +CC: stable@vger.kernel.org +Reported-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/indirect.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -560,10 +560,16 @@ int ext4_ind_map_blocks(handle_t *handle + unsigned epb = inode->i_sb->s_blocksize / sizeof(u32); + int i; + +- /* Count number blocks in a subtree under 'partial' */ +- count = 1; +- for (i = 0; partial + i != chain + depth - 1; i++) +- count *= epb; ++ /* ++ * Count number blocks in a subtree under 'partial'. At each ++ * level we count number of complete empty subtrees beyond ++ * current offset and then descend into the subtree only ++ * partially beyond current offset. ++ */ ++ count = 0; ++ for (i = partial - chain + 1; i < depth; i++) ++ count = count * epb + (epb - offsets[i] - 1); ++ count++; + /* Fill in size of a hole we found */ + map->m_pblk = 0; + map->m_len = min_t(unsigned int, map->m_len, count); diff --git a/queue-4.9/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch b/queue-4.9/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch new file mode 100644 index 00000000000..7356a293a63 --- /dev/null +++ b/queue-4.9/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch @@ -0,0 +1,77 @@ +From eee597ac931305eff3d3fd1d61d6aae553bc0984 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Sun, 13 May 2018 19:28:35 -0400 +Subject: ext4: update mtime in ext4_punch_hole even if no blocks are released + +From: Lukas Czerner + +commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream. + +Currently in ext4_punch_hole we're going to skip the mtime update if +there are no actual blocks to release. However we've actually modified +the file by zeroing the partial block so the mtime should be updated. + +Moreover the sync and datasync handling is skipped as well, which is +also wrong. Fix it. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Reported-by: Joe Habermann +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 40 ++++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4038,28 +4038,28 @@ int ext4_punch_hole(struct inode *inode, + EXT4_BLOCK_SIZE_BITS(sb); + stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb); + +- /* If there are no blocks to remove, return now */ +- if (first_block >= stop_block) +- goto out_stop; +- +- down_write(&EXT4_I(inode)->i_data_sem); +- ext4_discard_preallocations(inode); +- +- ret = ext4_es_remove_extent(inode, first_block, +- stop_block - first_block); +- if (ret) { +- up_write(&EXT4_I(inode)->i_data_sem); +- goto out_stop; +- } ++ /* If there are blocks to remove, do it */ ++ if (stop_block > first_block) { ++ ++ down_write(&EXT4_I(inode)->i_data_sem); ++ ext4_discard_preallocations(inode); + +- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) +- ret = ext4_ext_remove_space(inode, first_block, +- stop_block - 1); +- else +- ret = ext4_ind_remove_space(handle, inode, first_block, +- stop_block); ++ ret = ext4_es_remove_extent(inode, first_block, ++ stop_block - first_block); ++ if (ret) { ++ up_write(&EXT4_I(inode)->i_data_sem); ++ goto out_stop; ++ } ++ ++ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) ++ ret = ext4_ext_remove_space(inode, first_block, ++ stop_block - 1); ++ else ++ ret = ext4_ind_remove_space(handle, inode, first_block, ++ stop_block); + +- up_write(&EXT4_I(inode)->i_data_sem); ++ up_write(&EXT4_I(inode)->i_data_sem); ++ } + if (IS_SYNC(inode)) + ext4_handle_sync(handle); + diff --git a/queue-4.9/series b/queue-4.9/series index 9e9f39afecf..27814347d51 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -16,3 +16,14 @@ bonding-re-evaluate-force_primary-when-the-primary-slave-name-changes.patch ipv6-allow-pmtu-exceptions-to-local-routes.patch net-sched-act_simple-fix-parsing-of-tca_def_data.patch tcp-verify-the-checksum-of-the-first-data-segment-in-a-new-connection.patch +alsa-hda-realtek-new-codec-support-for-alc257.patch +ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch +ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch +ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch +driver-core-don-t-ignore-class_dir_create_and_add-failure.patch +btrfs-fix-clone-vs-chattr-nodatasum-race.patch +btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch +btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch +alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch +alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch +alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch -- 2.47.3