From db4e1c94f51d21729da2c0d5a26140c8267e540a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Jun 2020 13:39:27 +0200 Subject: [PATCH] 4.4-stable patches added patches: drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch tracing-fix-event-trigger-to-accept-redundant-spaces.patch --- ..._div-check-in-ni_init_smc_spll_table.patch | 33 +++++++ ...ot-waiting-for-direct-io-compeletion.patch | 92 +++++++++++++++++++ ...rruption-if-the-mirror-count-changes.patch | 54 +++++++++++ queue-4.4/series | 6 ++ ...-rollback-in-rpc_gssd_dummy_populate.patch | 32 +++++++ ...bbuf-parameter-of-xdr_buf_subsegment.patch | 54 +++++++++++ ...t-trigger-to-accept-redundant-spaces.patch | 87 ++++++++++++++++++ 7 files changed, 358 insertions(+) create mode 100644 queue-4.4/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch create mode 100644 queue-4.4/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch create mode 100644 queue-4.4/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch create mode 100644 queue-4.4/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch create mode 100644 queue-4.4/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch create mode 100644 queue-4.4/tracing-fix-event-trigger-to-accept-redundant-spaces.patch diff --git a/queue-4.4/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch b/queue-4.4/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch new file mode 100644 index 00000000000..c4799e35e62 --- /dev/null +++ b/queue-4.4/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch @@ -0,0 +1,33 @@ +From 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 22 Jun 2020 23:31:22 +0300 +Subject: drm/radeon: fix fb_div check in ni_init_smc_spll_table() + +From: Denis Efremov + +commit 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 upstream. + +clk_s is checked twice in a row in ni_init_smc_spll_table(). +fb_div should be checked instead. + +Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/ni_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2128,7 +2128,7 @@ static int ni_init_smc_spll_table(struct + if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT)) + ret = -EINVAL; + +- if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT)) ++ if (fb_div & ~(SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_SHIFT)) + ret = -EINVAL; + + if (clk_v & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_SHIFT)) diff --git a/queue-4.4/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch b/queue-4.4/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch new file mode 100644 index 00000000000..c67aeea425f --- /dev/null +++ b/queue-4.4/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch @@ -0,0 +1,92 @@ +From d03727b248d0dae6199569a8d7b629a681154633 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Wed, 24 Jun 2020 13:54:08 -0400 +Subject: NFSv4 fix CLOSE not waiting for direct IO compeletion + +From: Olga Kornievskaia + +commit d03727b248d0dae6199569a8d7b629a681154633 upstream. + +Figuring out the root case for the REMOVE/CLOSE race and +suggesting the solution was done by Neil Brown. + +Currently what happens is that direct IO calls hold a reference +on the open context which is decremented as an asynchronous task +in the nfs_direct_complete(). Before reference is decremented, +control is returned to the application which is free to close the +file. When close is being processed, it decrements its reference +on the open_context but since directIO still holds one, it doesn't +sent a close on the wire. It returns control to the application +which is free to do other operations. For instance, it can delete a +file. Direct IO is finally releasing its reference and triggering +an asynchronous close. Which races with the REMOVE. On the server, +REMOVE can be processed before the CLOSE, failing the REMOVE with +EACCES as the file is still opened. + +Signed-off-by: Olga Kornievskaia +Suggested-by: Neil Brown +CC: stable@vger.kernel.org +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 13 +++++++++---- + fs/nfs/file.c | 1 + + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -385,8 +385,6 @@ static void nfs_direct_complete(struct n + if (write) + nfs_zap_mapping(inode, inode->i_mapping); + +- inode_dio_end(inode); +- + if (dreq->iocb) { + long res = (long) dreq->error; + if (!res) +@@ -396,7 +394,10 @@ static void nfs_direct_complete(struct n + + complete_all(&dreq->completion); + ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + } + + static void nfs_direct_readpage_release(struct nfs_page *req) +@@ -537,8 +538,10 @@ static ssize_t nfs_direct_read_schedule_ + * generic layer handle the completion. + */ + if (requested_bytes == 0) { +- inode_dio_end(inode); ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + return result < 0 ? result : -EIO; + } + +@@ -939,8 +942,10 @@ static ssize_t nfs_direct_write_schedule + * generic layer handle the completion. + */ + if (requested_bytes == 0) { +- inode_dio_end(inode); ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + return result < 0 ? result : -EIO; + } + +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -82,6 +82,7 @@ nfs_file_release(struct inode *inode, st + dprintk("NFS: release(%pD2)\n", filp); + + nfs_inc_stats(inode, NFSIOS_VFSRELEASE); ++ inode_dio_wait(inode); + nfs_file_clear_open_context(filp); + return 0; + } diff --git a/queue-4.4/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch b/queue-4.4/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch new file mode 100644 index 00000000000..ed0bcc19f51 --- /dev/null +++ b/queue-4.4/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch @@ -0,0 +1,54 @@ +From 8b04013737341442ed914b336cde866b902664ae Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 22 Jun 2020 15:04:15 -0400 +Subject: pNFS/flexfiles: Fix list corruption if the mirror count changes + +From: Trond Myklebust + +commit 8b04013737341442ed914b336cde866b902664ae upstream. + +If the mirror count changes in the new layout we pick up inside +ff_layout_pg_init_write(), then we can end up adding the +request to the wrong mirror and corrupting the mirror->pg_list. + +Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -855,9 +855,8 @@ ff_layout_pg_init_write(struct nfs_pagei + goto out_mds; + + /* Use a direct mapping of ds_idx to pgio mirror_idx */ +- if (WARN_ON_ONCE(pgio->pg_mirror_count != +- FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg))) +- goto out_mds; ++ if (pgio->pg_mirror_count != FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg)) ++ goto out_eagain; + + for (i = 0; i < pgio->pg_mirror_count; i++) { + ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true); +@@ -869,11 +868,15 @@ ff_layout_pg_init_write(struct nfs_pagei + } + + return; +- ++out_eagain: ++ pnfs_generic_pg_cleanup(pgio); ++ pgio->pg_error = -EAGAIN; ++ return; + out_mds: + pnfs_put_lseg(pgio->pg_lseg); + pgio->pg_lseg = NULL; + nfs_pageio_reset_write_mds(pgio); ++ pgio->pg_error = -EAGAIN; + } + + static unsigned int diff --git a/queue-4.4/series b/queue-4.4/series index 34ecf121df6..066f5711490 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -124,3 +124,9 @@ ocfs2-load-global_inode_alloc.patch ocfs2-fix-value-of-ocfs2_invalid_slot.patch ocfs2-fix-panic-on-nfs-server-over-ocfs2.patch arm64-perf-report-the-pc-value-in-regs_abi_32-mode.patch +tracing-fix-event-trigger-to-accept-redundant-spaces.patch +drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch +sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch +sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch +pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch +nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch diff --git a/queue-4.4/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch b/queue-4.4/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch new file mode 100644 index 00000000000..74390cf708b --- /dev/null +++ b/queue-4.4/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch @@ -0,0 +1,32 @@ +From b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 1 Jun 2020 11:54:57 +0300 +Subject: sunrpc: fixed rollback in rpc_gssd_dummy_populate() + +From: Vasily Averin + +commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream. + +__rpc_depopulate(gssd_dentry) was lost on error path + +cc: stable@vger.kernel.org +Fixes: commit 4b9a445e3eeb ("sunrpc: create a new dummy pipe for gssd to hold open") +Signed-off-by: Vasily Averin +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/rpc_pipe.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1347,6 +1347,7 @@ rpc_gssd_dummy_populate(struct dentry *r + q.len = strlen(gssd_dummy_clnt_dir[0].name); + clnt_dentry = d_hash_and_lookup(gssd_dentry, &q); + if (!clnt_dentry) { ++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1); + pipe_dentry = ERR_PTR(-ENOENT); + goto out; + } diff --git a/queue-4.4/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch b/queue-4.4/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch new file mode 100644 index 00000000000..dc0b987566b --- /dev/null +++ b/queue-4.4/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch @@ -0,0 +1,54 @@ +From 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Thu, 25 Jun 2020 11:32:34 -0400 +Subject: SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() + +From: Chuck Lever + +commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream. + +@subbuf is an output parameter of xdr_buf_subsegment(). A survey of +call sites shows that @subbuf is always uninitialized before +xdr_buf_segment() is invoked by callers. + +There are some execution paths through xdr_buf_subsegment() that do +not set all of the fields in @subbuf, leaving some pointer fields +containing garbage addresses. Subsequent processing of that buffer +then results in a page fault. + +Signed-off-by: Chuck Lever +Cc: +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xdr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -1031,6 +1031,7 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->head[0].iov_len; ++ subbuf->head[0].iov_base = buf->head[0].iov_base; + subbuf->head[0].iov_len = 0; + } + +@@ -1043,6 +1044,8 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->page_len; ++ subbuf->pages = buf->pages; ++ subbuf->page_base = 0; + subbuf->page_len = 0; + } + +@@ -1054,6 +1057,7 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->tail[0].iov_len; ++ subbuf->tail[0].iov_base = buf->tail[0].iov_base; + subbuf->tail[0].iov_len = 0; + } + diff --git a/queue-4.4/tracing-fix-event-trigger-to-accept-redundant-spaces.patch b/queue-4.4/tracing-fix-event-trigger-to-accept-redundant-spaces.patch new file mode 100644 index 00000000000..0037b3b1f09 --- /dev/null +++ b/queue-4.4/tracing-fix-event-trigger-to-accept-redundant-spaces.patch @@ -0,0 +1,87 @@ +From 6784beada631800f2c5afd567e5628c843362cee Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sat, 20 Jun 2020 12:46:03 +0900 +Subject: tracing: Fix event trigger to accept redundant spaces + +From: Masami Hiramatsu + +commit 6784beada631800f2c5afd567e5628c843362cee upstream. + +Fix the event trigger to accept redundant spaces in +the trigger input. + +For example, these return -EINVAL + +echo " traceon" > events/ftrace/print/trigger +echo "traceon if common_pid == 0" > events/ftrace/print/trigger +echo "disable_event:kmem:kmalloc " > events/ftrace/print/trigger + +But these are hard to find what is wrong. + +To fix this issue, use skip_spaces() to remove spaces +in front of actual tokens, and set NULL if there is no +token. + +Link: http://lkml.kernel.org/r/159262476352.185015.5261566783045364186.stgit@devnote2 + +Cc: Tom Zanussi +Cc: stable@vger.kernel.org +Fixes: 85f2b08268c0 ("tracing: Add basic event trigger framework") +Reviewed-by: Tom Zanussi +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_trigger.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -204,11 +204,17 @@ static int event_trigger_regex_open(stru + + static int trigger_process_regex(struct trace_event_file *file, char *buff) + { +- char *command, *next = buff; ++ char *command, *next; + struct event_command *p; + int ret = -EINVAL; + ++ next = buff = skip_spaces(buff); + command = strsep(&next, ": \t"); ++ if (next) { ++ next = skip_spaces(next); ++ if (!*next) ++ next = NULL; ++ } + command = (command[0] != '!') ? command : command + 1; + + mutex_lock(&trigger_cmd_mutex); +@@ -615,8 +621,14 @@ event_trigger_callback(struct event_comm + int ret; + + /* separate the trigger from the filter (t:n [if filter]) */ +- if (param && isdigit(param[0])) ++ if (param && isdigit(param[0])) { + trigger = strsep(¶m, " \t"); ++ if (param) { ++ param = skip_spaces(param); ++ if (!*param) ++ param = NULL; ++ } ++ } + + trigger_ops = cmd_ops->get_trigger_ops(cmd, trigger); + +@@ -1185,6 +1197,11 @@ event_enable_trigger_func(struct event_c + trigger = strsep(¶m, " \t"); + if (!trigger) + return -EINVAL; ++ if (param) { ++ param = skip_spaces(param); ++ if (!*param) ++ param = NULL; ++ } + + system = strsep(&trigger, ":"); + if (!trigger) -- 2.47.3