4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Mar 2019 08:47:27 +0000 (09:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Mar 2019 08:47:27 +0000 (09:47 +0100)
added patches:
bcache-never-writeback-a-discard-operation.patch
nfs-don-t-recoalesce-on-error-in-nfs_pageio_complete_mirror.patch
nfs-fix-an-i-o-request-leakage-in-nfs_do_recoalesce.patch
nfs-fix-i-o-request-leakages.patch
nfsd-fix-memory-corruption-caused-by-readdir.patch
nfsd-fix-wrong-check-in-write_v4_end_grace.patch
pm-wakeup-rework-wakeup-source-timer-cancellation.patch

queue-4.9/bcache-never-writeback-a-discard-operation.patch [new file with mode: 0644]
queue-4.9/nfs-don-t-recoalesce-on-error-in-nfs_pageio_complete_mirror.patch [new file with mode: 0644]
queue-4.9/nfs-fix-an-i-o-request-leakage-in-nfs_do_recoalesce.patch [new file with mode: 0644]
queue-4.9/nfs-fix-i-o-request-leakages.patch [new file with mode: 0644]
queue-4.9/nfsd-fix-memory-corruption-caused-by-readdir.patch [new file with mode: 0644]
queue-4.9/nfsd-fix-wrong-check-in-write_v4_end_grace.patch [new file with mode: 0644]
queue-4.9/pm-wakeup-rework-wakeup-source-timer-cancellation.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/bcache-never-writeback-a-discard-operation.patch b/queue-4.9/bcache-never-writeback-a-discard-operation.patch
new file mode 100644 (file)
index 0000000..f562c2d
--- /dev/null
@@ -0,0 +1,133 @@
+From 9951379b0ca88c95876ad9778b9099e19a95d566 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 9 Feb 2019 12:52:53 +0800
+Subject: bcache: never writeback a discard operation
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 9951379b0ca88c95876ad9778b9099e19a95d566 upstream.
+
+Some users see panics like the following when performing fstrim on a
+bcached volume:
+
+[  529.803060] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[  530.183928] #PF error: [normal kernel read fault]
+[  530.412392] PGD 8000001f42163067 P4D 8000001f42163067 PUD 1f42168067 PMD 0
+[  530.750887] Oops: 0000 [#1] SMP PTI
+[  530.920869] CPU: 10 PID: 4167 Comm: fstrim Kdump: loaded Not tainted 5.0.0-rc1+ #3
+[  531.290204] Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 12/27/2015
+[  531.693137] RIP: 0010:blk_queue_split+0x148/0x620
+[  531.922205] Code: 60 38 89 55 a0 45 31 db 45 31 f6 45 31 c9 31 ff 89 4d 98 85 db 0f 84 7f 04 00 00 44 8b 6d 98 4c 89 ee 48 c1 e6 04 49 03 70 78 <8b> 46 08 44 8b 56 0c 48
+8b 16 44 29 e0 39 d8 48 89 55 a8 0f 47 c3
+[  532.838634] RSP: 0018:ffffb9b708df39b0 EFLAGS: 00010246
+[  533.093571] RAX: 00000000ffffffff RBX: 0000000000046000 RCX: 0000000000000000
+[  533.441865] RDX: 0000000000000200 RSI: 0000000000000000 RDI: 0000000000000000
+[  533.789922] RBP: ffffb9b708df3a48 R08: ffff940d3b3fdd20 R09: 0000000000000000
+[  534.137512] R10: ffffb9b708df3958 R11: 0000000000000000 R12: 0000000000000000
+[  534.485329] R13: 0000000000000000 R14: 0000000000000000 R15: ffff940d39212020
+[  534.833319] FS:  00007efec26e3840(0000) GS:ffff940d1f480000(0000) knlGS:0000000000000000
+[  535.224098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  535.504318] CR2: 0000000000000008 CR3: 0000001f4e256004 CR4: 00000000001606e0
+[  535.851759] Call Trace:
+[  535.970308]  ? mempool_alloc_slab+0x15/0x20
+[  536.174152]  ? bch_data_insert+0x42/0xd0 [bcache]
+[  536.403399]  blk_mq_make_request+0x97/0x4f0
+[  536.607036]  generic_make_request+0x1e2/0x410
+[  536.819164]  submit_bio+0x73/0x150
+[  536.980168]  ? submit_bio+0x73/0x150
+[  537.149731]  ? bio_associate_blkg_from_css+0x3b/0x60
+[  537.391595]  ? _cond_resched+0x1a/0x50
+[  537.573774]  submit_bio_wait+0x59/0x90
+[  537.756105]  blkdev_issue_discard+0x80/0xd0
+[  537.959590]  ext4_trim_fs+0x4a9/0x9e0
+[  538.137636]  ? ext4_trim_fs+0x4a9/0x9e0
+[  538.324087]  ext4_ioctl+0xea4/0x1530
+[  538.497712]  ? _copy_to_user+0x2a/0x40
+[  538.679632]  do_vfs_ioctl+0xa6/0x600
+[  538.853127]  ? __do_sys_newfstat+0x44/0x70
+[  539.051951]  ksys_ioctl+0x6d/0x80
+[  539.212785]  __x64_sys_ioctl+0x1a/0x20
+[  539.394918]  do_syscall_64+0x5a/0x110
+[  539.568674]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+We have observed it where both:
+1) LVM/devmapper is involved (bcache backing device is LVM volume) and
+2) writeback cache is involved (bcache cache_mode is writeback)
+
+On one machine, we can reliably reproduce it with:
+
+ # echo writeback > /sys/block/bcache0/bcache/cache_mode
+   (not sure whether above line is required)
+ # mount /dev/bcache0 /test
+ # for i in {0..10}; do
+       file="$(mktemp /test/zero.XXX)"
+       dd if=/dev/zero of="$file" bs=1M count=256
+       sync
+       rm $file
+    done
+  # fstrim -v /test
+
+Observing this with tracepoints on, we see the following writes:
+
+fstrim-18019 [022] .... 91107.302026: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4260112 + 196352 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.302050: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4456464 + 262144 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.302075: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4718608 + 81920 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.302094: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5324816 + 180224 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.302121: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5505040 + 262144 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.302145: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5767184 + 81920 hit 0 bypass 1
+fstrim-18019 [022] .... 91107.308777: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 6373392 + 180224 hit 1 bypass 0
+<crash>
+
+Note the final one has different hit/bypass flags.
+
+This is because in should_writeback(), we were hitting a case where
+the partial stripe condition was returning true and so
+should_writeback() was returning true early.
+
+If that hadn't been the case, it would have hit the would_skip test, and
+as would_skip == s->iop.bypass == true, should_writeback() would have
+returned false.
+
+Looking at the git history from 'commit 72c270612bd3 ("bcache: Write out
+full stripes")', it looks like the idea was to optimise for raid5/6:
+
+       * If a stripe is already dirty, force writes to that stripe to
+        writeback mode - to help build up full stripes of dirty data
+
+To fix this issue, make sure that should_writeback() on a discard op
+never returns true.
+
+More details of debugging:
+https://www.spinics.net/lists/linux-bcache/msg06996.html
+
+Previous reports:
+ - https://bugzilla.kernel.org/show_bug.cgi?id=201051
+ - https://bugzilla.kernel.org/show_bug.cgi?id=196103
+ - https://www.spinics.net/lists/linux-bcache/msg06885.html
+
+(Coly Li: minor modification to follow maximum 75 chars per line rule)
+
+Cc: Kent Overstreet <koverstreet@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 72c270612bd3 ("bcache: Write out full stripes")
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/writeback.h |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -68,6 +68,9 @@ static inline bool should_writeback(stru
+           in_use > CUTOFF_WRITEBACK_SYNC)
+               return false;
++      if (bio_op(bio) == REQ_OP_DISCARD)
++              return false;
++
+       if (dc->partial_stripes_expensive &&
+           bcache_dev_stripe_dirty(dc, bio->bi_iter.bi_sector,
+                                   bio_sectors(bio)))
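Review bot: The new `REQ_OP_DISCARD` test in should_writeback() has no comment, yet its position ahead of the `partial_stripes_expensive` branch is the whole fix, so a later reorder could quietly bring back the oops shown in the changelog. I would add `/* Discards must bypass the cache even when the target stripe is already dirty. */` directly above the `if`. Only discard is rejected here; whether any other non-write operation can reach this check in 4.9 is not visible from the hunk and is worth confirming. The function body starts and ends outside the hunk.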
diff --git a/queue-4.9/nfs-don-t-recoalesce-on-error-in-nfs_pageio_complete_mirror.patch b/queue-4.9/nfs-don-t-recoalesce-on-error-in-nfs_pageio_complete_mirror.patch
new file mode 100644 (file)
index 0000000..de59f43
--- /dev/null
@@ -0,0 +1,32 @@
+From 8127d82705998568b52ac724e28e00941538083d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Fri, 15 Feb 2019 16:08:25 -0500
+Subject: NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 8127d82705998568b52ac724e28e00941538083d upstream.
+
+If the I/O completion failed with a fatal error, then we should just
+exit nfs_pageio_complete_mirror() rather than try to recoalesce.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1200,7 +1200,7 @@ static void nfs_pageio_complete_mirror(s
+               desc->pg_mirror_idx = mirror_idx;
+       for (;;) {
+               nfs_pageio_doio(desc);
+-              if (!mirror->pg_recoalesce)
++              if (desc->pg_error < 0 || !mirror->pg_recoalesce)
+                       break;
+               if (!nfs_do_recoalesce(desc))
+                       break;
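Review bot: When the loop in nfs_pageio_complete_mirror() now exits on `desc->pg_error < 0`, any requests still parked for recoalescing on this mirror stay where they are, and nothing in the visible lines releases them. If the caller does not run the error cleanup afterwards, this trades a pointless retry for a request leak of the kind the two companion NFS patches in this queue fix, so it should be confirmed against the 4.9 caller. A short comment such as `/* fatal error: do not retry, cleanup is the caller's job */` above the test would record the intent. The function continues outside the hunk.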
diff --git a/queue-4.9/nfs-fix-an-i-o-request-leakage-in-nfs_do_recoalesce.patch b/queue-4.9/nfs-fix-an-i-o-request-leakage-in-nfs_do_recoalesce.patch
new file mode 100644 (file)
index 0000000..941c032
--- /dev/null
@@ -0,0 +1,31 @@
+From 4d91969ed4dbcefd0e78f77494f0cb8fada9048a Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Fri, 15 Feb 2019 14:59:52 -0500
+Subject: NFS: Fix an I/O request leakage in nfs_do_recoalesce
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 4d91969ed4dbcefd0e78f77494f0cb8fada9048a upstream.
+
+Whether we need to exit early, or just reprocess the list, we
+must not lost track of the request which failed to get recoalesced.
+
+Fixes: 03d5eb65b538 ("NFS: Fix a memory leak in nfs_do_recoalesce")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1079,7 +1079,6 @@ static int nfs_do_recoalesce(struct nfs_
+                       struct nfs_page *req;
+                       req = list_first_entry(&head, struct nfs_page, wb_list);
+-                      nfs_list_remove_request(req);
+                       if (__nfs_pageio_add_request(desc, req))
+                               continue;
+                       if (desc->pg_error < 0) {
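Review bot: With `nfs_list_remove_request(req)` gone, the loop only makes progress if `__nfs_pageio_add_request()` itself unlinks `req` from `head` on success; otherwise `list_first_entry()` returns the same request after the `continue` and the loop never terminates. That unlinking happens outside this hunk, and since this is a backport it should be checked against the 4.9 version of the add path rather than the upstream one. A comment on the loop, for example `/* req stays on head until the add path moves it */`, would make the dependency visible. The enclosing function starts and ends outside the hunk.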
diff --git a/queue-4.9/nfs-fix-i-o-request-leakages.patch b/queue-4.9/nfs-fix-i-o-request-leakages.patch
new file mode 100644 (file)
index 0000000..0b532d4
--- /dev/null
@@ -0,0 +1,89 @@
+From f57dcf4c72113c745d83f1c65f7291299f65c14f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 13 Feb 2019 09:21:38 -0500
+Subject: NFS: Fix I/O request leakages
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit f57dcf4c72113c745d83f1c65f7291299f65c14f upstream.
+
+When we fail to add the request to the I/O queue, we currently leave it
+to the caller to free the failed request. However since some of the
+requests that fail are actually created by nfs_pageio_add_request()
+itself, and are not passed back the caller, this leads to a leakage
+issue, which can again cause page locks to leak.
+
+This commit addresses the leakage by freeing the created requests on
+error, using desc->pg_completion_ops->error_cleanup()
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Fixes: a7d42ddb30997 ("nfs: add mirroring support to pgio layer")
+Cc: stable@vger.kernel.org # v4.0: c18b96a1b862: nfs: clean up rest of reqs
+Cc: stable@vger.kernel.org # v4.0: d600ad1f2bdb: NFS41: pop some layoutget
+Cc: stable@vger.kernel.org # v4.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c |   26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -975,6 +975,17 @@ static void nfs_pageio_doio(struct nfs_p
+       }
+ }
++static void
++nfs_pageio_cleanup_request(struct nfs_pageio_descriptor *desc,
++              struct nfs_page *req)
++{
++      LIST_HEAD(head);
++
++      nfs_list_remove_request(req);
++      nfs_list_add_request(req, &head);
++      desc->pg_completion_ops->error_cleanup(&head);
++}
++
+ /**
+  * nfs_pageio_add_request - Attempt to coalesce a request into a page list.
+  * @desc: destination io descriptor
+@@ -1012,10 +1023,8 @@ static int __nfs_pageio_add_request(stru
+                       nfs_page_group_unlock(req);
+                       desc->pg_moreio = 1;
+                       nfs_pageio_doio(desc);
+-                      if (desc->pg_error < 0)
+-                              return 0;
+-                      if (mirror->pg_recoalesce)
+-                              return 0;
++                      if (desc->pg_error < 0 || mirror->pg_recoalesce)
++                              goto out_cleanup_subreq;
+                       /* retry add_request for this subreq */
+                       nfs_page_group_lock(req, false);
+                       continue;
+@@ -1048,6 +1057,10 @@ err_ptr:
+       desc->pg_error = PTR_ERR(subreq);
+       nfs_page_group_unlock(req);
+       return 0;
++out_cleanup_subreq:
++      if (req != subreq)
++              nfs_pageio_cleanup_request(desc, subreq);
++      return 0;
+ }
+ static int nfs_do_recoalesce(struct nfs_pageio_descriptor *desc)
+@@ -1141,11 +1154,14 @@ int nfs_pageio_add_request(struct nfs_pa
+               if (nfs_pgio_has_mirroring(desc))
+                       desc->pg_mirror_idx = midx;
+               if (!nfs_pageio_add_request_mirror(desc, dupreq))
+-                      goto out_failed;
++                      goto out_cleanup_subreq;
+       }
+       return 1;
++out_cleanup_subreq:
++      if (req != dupreq)
++              nfs_pageio_cleanup_request(desc, dupreq);
+ out_failed:
+       /*
+        * We might have failed before sending any reqs over wire.
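Review bot: In nfs_pageio_add_request() the new `out_cleanup_subreq:` label falls through into `out_failed:` without saying so, and the `req != dupreq` / `req != subreq` tests encode an ownership rule that is written down nowhere: requests created inside the add path are released here, while the caller's own `req` is left to the caller. I would add `/* fall through */` before `out_failed:` and a header comment on nfs_pageio_cleanup_request() stating that it takes a request the caller never saw, unlinks it and hands it to `error_cleanup()`. The helper also calls `desc->pg_completion_ops->error_cleanup` unconditionally, so every completion-ops table in the 4.9 tree has to provide it; that cannot be checked from this patch. Both patched functions continue outside their hunks.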
diff --git a/queue-4.9/nfsd-fix-memory-corruption-caused-by-readdir.patch b/queue-4.9/nfsd-fix-memory-corruption-caused-by-readdir.patch
new file mode 100644 (file)
index 0000000..67d8367
--- /dev/null
@@ -0,0 +1,98 @@
+From b602345da6cbb135ba68cf042df8ec9a73da7981 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 4 Mar 2019 14:08:22 +1100
+Subject: nfsd: fix memory corruption caused by readdir
+
+From: NeilBrown <neilb@suse.com>
+
+commit b602345da6cbb135ba68cf042df8ec9a73da7981 upstream.
+
+If the result of an NFSv3 readdir{,plus} request results in the
+"offset" on one entry having to be split across 2 pages, and is sized
+so that the next directory entry doesn't fit in the requested size,
+then memory corruption can happen.
+
+When encode_entry() is called after encoding the last entry that fits,
+it notices that ->offset and ->offset1 are set, and so stores the
+offset value in the two pages as required.  It clears ->offset1 but
+*does not* clear ->offset.
+
+Normally this omission doesn't matter as encode_entry_baggage() will
+be called, and will set ->offset to a suitable value (not on a page
+boundary).
+But in the case where cd->buflen < elen and nfserr_toosmall is
+returned, ->offset is not reset.
+
+This means that nfsd3proc_readdirplus will see ->offset with a value 4
+bytes before the end of a page, and ->offset1 set to NULL.
+It will try to write 8bytes to ->offset.
+If we are lucky, the next page will be read-only, and the system will
+  BUG: unable to handle kernel paging request at...
+
+If we are unlucky, some innocent page will have the first 4 bytes
+corrupted.
+
+nfsd3proc_readdir() doesn't even check for ->offset1, it just blindly
+writes 8 bytes to the offset wherever it is.
+
+Fix this by clearing ->offset after it is used, and copying the
+->offset handling code from nfsd3_proc_readdirplus into
+nfsd3_proc_readdir.
+
+(Note that the commit hash in the Fixes tag is from the 'history'
+ tree - this bug predates git).
+
+Fixes: 0b1d57cf7654 ("[PATCH] kNFSd: Fix nfs3 dentry encoding")
+Fixes-URL: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0b1d57cf7654
+Cc: stable@vger.kernel.org (v2.6.12+)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3proc.c |   16 ++++++++++++++--
+ fs/nfsd/nfs3xdr.c  |    1 +
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs3proc.c
++++ b/fs/nfsd/nfs3proc.c
+@@ -431,8 +431,19 @@ nfsd3_proc_readdir(struct svc_rqst *rqst
+                                       &resp->common, nfs3svc_encode_entry);
+       memcpy(resp->verf, argp->verf, 8);
+       resp->count = resp->buffer - argp->buffer;
+-      if (resp->offset)
+-              xdr_encode_hyper(resp->offset, argp->cookie);
++      if (resp->offset) {
++              loff_t offset = argp->cookie;
++
++              if (unlikely(resp->offset1)) {
++                      /* we ended up with offset on a page boundary */
++                      *resp->offset = htonl(offset >> 32);
++                      *resp->offset1 = htonl(offset & 0xffffffff);
++                      resp->offset1 = NULL;
++              } else {
++                      xdr_encode_hyper(resp->offset, offset);
++              }
++              resp->offset = NULL;
++      }
+       RETURN_STATUS(nfserr);
+ }
+@@ -500,6 +511,7 @@ nfsd3_proc_readdirplus(struct svc_rqst *
+               } else {
+                       xdr_encode_hyper(resp->offset, offset);
+               }
++              resp->offset = NULL;
+       }
+       RETURN_STATUS(nfserr);
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -899,6 +899,7 @@ encode_entry(struct readdir_cd *ccd, con
+               } else {
+                       xdr_encode_hyper(cd->offset, offset64);
+               }
++              cd->offset = NULL;
+       }
+       /*
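Review bot: The split-cookie write and the clearing of `->offset` now exist in three copies (nfsd3_proc_readdir, nfsd3_proc_readdirplus and encode_entry), and the bug being fixed is exactly one copy missing a step. Moving the block into one static helper that takes `resp` and the cookie, writes through `offset`/`offset1` and sets both to NULL, would leave each procedure with a single call and stop the copies drifting apart again. In the new readdir code `offset` is a signed `loff_t`, so `offset >> 32` shifts a signed value; casting first, `htonl((u64)offset >> 32)`, makes the intended truncation explicit. All three functions start and end outside their hunks.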
diff --git a/queue-4.9/nfsd-fix-wrong-check-in-write_v4_end_grace.patch b/queue-4.9/nfsd-fix-wrong-check-in-write_v4_end_grace.patch
new file mode 100644 (file)
index 0000000..44848a6
--- /dev/null
@@ -0,0 +1,35 @@
+From dd838821f0a29781b185cd8fb8e48d5c177bd838 Mon Sep 17 00:00:00 2001
+From: Yihao Wu <wuyihao@linux.alibaba.com>
+Date: Wed, 6 Mar 2019 21:03:50 +0800
+Subject: nfsd: fix wrong check in write_v4_end_grace()
+
+From: Yihao Wu <wuyihao@linux.alibaba.com>
+
+commit dd838821f0a29781b185cd8fb8e48d5c177bd838 upstream.
+
+Commit 62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before
+nfsd startup" is trying to fix a NULL dereference issue, but it
+mistakenly checks if the nfsd server is started. So fix it.
+
+Fixes: 62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before nfsd startup"
+Cc: stable@vger.kernel.org
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfsctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1103,7 +1103,7 @@ static ssize_t write_v4_end_grace(struct
+               case 'Y':
+               case 'y':
+               case '1':
+-                      if (nn->nfsd_serv)
++                      if (!nn->nfsd_serv)
+                               return -EBUSY;
+                       nfsd4_end_grace(nn);
+                       break;
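Review bot: The corrected test reads `nn->nfsd_serv` and then calls `nfsd4_end_grace(nn)` with no lock visible in these lines, so unless write_v4_end_grace() already holds the nfsd mutex the server could be shut down between the check and the call, which is the same NULL-dereference class the check is meant to stop. That should be confirmed in the part of the function outside the hunk. Separately, `-EBUSY` now means "server not running", which reads oddly to an administrator writing to the file; a one-line comment such as `/* grace can only be ended on a running server */` would explain the branch.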
diff --git a/queue-4.9/pm-wakeup-rework-wakeup-source-timer-cancellation.patch b/queue-4.9/pm-wakeup-rework-wakeup-source-timer-cancellation.patch
new file mode 100644 (file)
index 0000000..c4632bb
--- /dev/null
@@ -0,0 +1,55 @@
+From 1fad17fb1bbcd73159c2b992668a6957ecc5af8a Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 8 Mar 2019 15:23:11 +0530
+Subject: PM / wakeup: Rework wakeup source timer cancellation
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 1fad17fb1bbcd73159c2b992668a6957ecc5af8a upstream.
+
+If wakeup_source_add() is called right after wakeup_source_remove()
+for the same wakeup source, timer_setup() may be called for a
+potentially scheduled timer which is incorrect.
+
+To avoid that, move the wakeup source timer cancellation from
+wakeup_source_drop() to wakeup_source_remove().
+
+Moreover, make wakeup_source_remove() clear the timer function after
+canceling the timer to let wakeup_source_not_registered() treat
+unregistered wakeup sources in the same way as the ones that have
+never been registered.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: 4.4+ <stable@vger.kernel.org> # 4.4+
+[ rjw: Subject, changelog, merged two patches together ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/wakeup.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/power/wakeup.c
++++ b/drivers/base/power/wakeup.c
+@@ -113,7 +113,6 @@ void wakeup_source_drop(struct wakeup_so
+       if (!ws)
+               return;
+-      del_timer_sync(&ws->timer);
+       __pm_relax(ws);
+ }
+ EXPORT_SYMBOL_GPL(wakeup_source_drop);
+@@ -201,6 +200,13 @@ void wakeup_source_remove(struct wakeup_
+       list_del_rcu(&ws->entry);
+       spin_unlock_irqrestore(&events_lock, flags);
+       synchronize_srcu(&wakeup_srcu);
++
++      del_timer_sync(&ws->timer);
++      /*
++       * Clear timer.function to make wakeup_source_not_registered() treat
++       * this wakeup source as not registered.
++       */
++      ws->timer.function = NULL;
+ }
+ EXPORT_SYMBOL_GPL(wakeup_source_remove);
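Review bot: `ws->timer.function = NULL` is stored after `del_timer_sync()` without taking `ws->lock`, so a caller that activates the source in that window could re-arm the timer or observe a half-updated registration state; the hunk does not show what prevents that. If the rule is that nobody may use `ws` while it is being removed, the new comment should say so, for example by appending `Callers must not activate the source concurrently with removal.` Note also that wakeup_source_drop() no longer cancels the timer, so any 4.9 caller that drops a source without removing it first now depends on the timer never having been armed. Both functions begin outside their hunks.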
index f0969ae4d1c232f03a898d71f75c1b4a84d46482..3722c05a3cfeaafc46925973c06abc4c2c21d362 100644 (file)
@@ -98,3 +98,10 @@ powerpc-fix-32-bit-kvm-pr-lockup-and-host-crash-with-macos-guest.patch
 powerpc-ptrace-simplify-vr_get-set-to-avoid-gcc-warning.patch
 arm-s3c24xx-fix-boolean-expressions-in-osiris_dvs_notify.patch
 dm-fix-to_sector-for-32bit.patch
+nfs-fix-i-o-request-leakages.patch
+nfs-fix-an-i-o-request-leakage-in-nfs_do_recoalesce.patch
+nfs-don-t-recoalesce-on-error-in-nfs_pageio_complete_mirror.patch
+nfsd-fix-memory-corruption-caused-by-readdir.patch
+nfsd-fix-wrong-check-in-write_v4_end_grace.patch
+pm-wakeup-rework-wakeup-source-timer-cancellation.patch
+bcache-never-writeback-a-discard-operation.patch