Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Fri, 3 Jul 2020 00:21:58 +0000 (20:21 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 3 Jul 2020 00:21:58 +0000 (20:21 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch [new file with mode: 0644]
queue-4.19/edac-amd64-read-back-the-scrub-rate-pci-register-on-.patch [new file with mode: 0644]
queue-4.19/mm-fix-swap-cache-node-allocation-mask.patch [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]

diff --git a/queue-4.19/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch b/queue-4.19/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch
new file mode 100644 (file)
index 0000000..7df2e0a
--- /dev/null
@@ -0,0 +1,119 @@
+From 9edbe6592ec77d0c1137399e3137141d79ea1c65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 19:12:06 +0100
+Subject: btrfs: fix a block group ref counter leak after failure to remove
+ block group
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9fecd13202f520f3f25d5b1c313adb740fe19773 ]
+
+When removing a block group, if we fail to delete the block group's item
+from the extent tree, we jump to the 'out' label and end up decrementing
+the block group's reference count once only (by 1), resulting in a counter
+leak because the block group at that point was already removed from the
+block group cache rbtree - so we have to decrement the reference count
+twice, once for the rbtree and once for our lookup at the start of the
+function.
+
+There is a second bug where if removing the free space tree entries (the
+call to remove_block_group_free_space()) fails we end up jumping to the
+'out_put_group' label but end up decrementing the reference count only
+once, when we should have done it twice, since we have already removed
+the block group from the block group cache rbtree. This happens because
+the reference count decrement for the rbtree reference happens after
+attempting to remove the free space tree entries, which is far away from
+the place where we remove the block group from the rbtree.
+
+To make things less error prone, decrement the reference count for the
+rbtree immediately after removing the block group from it. This also
+eleminates the need for two different exit labels on error, renaming
+'out_put_label' to just 'out' and removing the old 'out'.
+
+Fixes: f6033c5e333238 ("btrfs: fix block group leak when removing fails")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 271e70c45d5bd..ec3aa76d19b7f 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10286,7 +10286,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+       path = btrfs_alloc_path();
+       if (!path) {
+               ret = -ENOMEM;
+-              goto out_put_group;
++              goto out;
+       }
+       /*
+@@ -10323,7 +10323,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+               ret = btrfs_orphan_add(trans, BTRFS_I(inode));
+               if (ret) {
+                       btrfs_add_delayed_iput(inode);
+-                      goto out_put_group;
++                      goto out;
+               }
+               clear_nlink(inode);
+               /* One for the block groups ref */
+@@ -10346,13 +10346,13 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+       ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
+       if (ret < 0)
+-              goto out_put_group;
++              goto out;
+       if (ret > 0)
+               btrfs_release_path(path);
+       if (ret == 0) {
+               ret = btrfs_del_item(trans, tree_root, path);
+               if (ret)
+-                      goto out_put_group;
++                      goto out;
+               btrfs_release_path(path);
+       }
+@@ -10361,6 +10361,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+                &fs_info->block_group_cache_tree);
+       RB_CLEAR_NODE(&block_group->cache_node);
++      /* Once for the block groups rbtree */
++      btrfs_put_block_group(block_group);
++
+       if (fs_info->first_logical_byte == block_group->key.objectid)
+               fs_info->first_logical_byte = (u64)-1;
+       spin_unlock(&fs_info->block_group_cache_lock);
+@@ -10494,10 +10497,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+       ret = remove_block_group_free_space(trans, block_group);
+       if (ret)
+-              goto out_put_group;
+-
+-      /* Once for the block groups rbtree */
+-      btrfs_put_block_group(block_group);
++              goto out;
+       ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
+       if (ret > 0)
+@@ -10525,10 +10525,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
+               free_extent_map(em);
+       }
+-out_put_group:
++out:
+       /* Once for the lookup reference */
+       btrfs_put_block_group(block_group);
+-out:
+       btrfs_free_path(path);
+       return ret;
+ }
+-- 
+2.25.1
+
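Review bot: The relocated `btrfs_put_block_group(block_group)` in the inner `@@ -10361,6 +10361,9 @@` hunk sits before `spin_unlock(&fs_info->block_group_cache_lock)`, so it appears to run with that lock held, and its comment does not say why that is safe. It is safe only because the lookup reference described in the commit message is still outstanding, so this put cannot drop the last reference. I would extend the comment to say so, e.g. `/* Drop the rbtree's reference; the lookup reference is still held, so this is never the final put */`. That records the ordering constraint for later edits to the error paths, where an extra put would turn the leak being fixed into a premature free. Most of btrfs_remove_block_group's body lies outside the visible hunks, so the claim that every `goto out` before this point holds exactly one reference should be checked against the full 4.19 function.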
diff --git a/queue-4.19/edac-amd64-read-back-the-scrub-rate-pci-register-on-.patch b/queue-4.19/edac-amd64-read-back-the-scrub-rate-pci-register-on-.patch
new file mode 100644 (file)
index 0000000..39d2658
--- /dev/null
@@ -0,0 +1,47 @@
+From 6e2acbc40a373aa984b6ed9690afb31efd3aa0a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 20:25:25 +0200
+Subject: EDAC/amd64: Read back the scrub rate PCI register on F15h
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit ee470bb25d0dcdf126f586ec0ae6dca66cb340a4 ]
+
+Commit:
+
+  da92110dfdfa ("EDAC, amd64_edac: Extend scrub rate support to F15hM60h")
+
+added support for F15h, model 0x60 CPUs but in doing so, missed to read
+back SCRCTRL PCI config register on F15h CPUs which are *not* model
+0x60. Add that read so that doing
+
+  $ cat /sys/devices/system/edac/mc/mc0/sdram_scrub_rate
+
+can show the previously set DRAM scrub rate.
+
+Fixes: da92110dfdfa ("EDAC, amd64_edac: Extend scrub rate support to F15hM60h")
+Reported-by: Anders Andersson <pipatron@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org> #v4.4..
+Link: https://lkml.kernel.org/r/CAKkunMbNWppx_i6xSdDHLseA2QQmGJqj_crY=NF-GZML5np4Vw@mail.gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/amd64_edac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
+index 268ada29cd987..cbe4158531979 100644
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -261,6 +261,8 @@ static int get_scrub_rate(struct mem_ctl_info *mci)
+               if (pvt->model == 0x60)
+                       amd64_read_pci_cfg(pvt->F2, F15H_M60H_SCRCTRL, &scrubval);
++              else
++                      amd64_read_pci_cfg(pvt->F3, SCRCTRL, &scrubval);
+               break;
+       case 0x17:
+-- 
+2.25.1
+
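Review bot: The added `amd64_read_pci_cfg(pvt->F3, SCRCTRL, &scrubval);` discards the helper's return value, as does the existing model 0x60 read just above it. If the config read fails, `scrubval` keeps whatever it held before, and the rate reported through sdram_scrub_rate would not reflect the hardware. The declaration of `scrubval` is outside the hunk, so at minimum confirm it is initialised there (e.g. `u32 scrubval = 0;`). Better, check the result of both reads and take the function's existing error return. The enclosing `switch` in get_scrub_rate starts and ends outside the hunk.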
diff --git a/queue-4.19/mm-fix-swap-cache-node-allocation-mask.patch b/queue-4.19/mm-fix-swap-cache-node-allocation-mask.patch
new file mode 100644 (file)
index 0000000..ffc8d8a
--- /dev/null
@@ -0,0 +1,97 @@
+From dce0923295b670d34d1ec508aa89d8c8fc0b2080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 20:29:59 -0700
+Subject: mm: fix swap cache node allocation mask
+
+From: Hugh Dickins <hughd@google.com>
+
+[ Upstream commit 243bce09c91b0145aeaedd5afba799d81841c030 ]
+
+Chris Murphy reports that a slightly overcommitted load, testing swap
+and zram along with i915, splats and keeps on splatting, when it had
+better fail less noisily:
+
+  gnome-shell: page allocation failure: order:0,
+  mode:0x400d0(__GFP_IO|__GFP_FS|__GFP_COMP|__GFP_RECLAIMABLE),
+  nodemask=(null),cpuset=/,mems_allowed=0
+  CPU: 2 PID: 1155 Comm: gnome-shell Not tainted 5.7.0-1.fc33.x86_64 #1
+  Call Trace:
+    dump_stack+0x64/0x88
+    warn_alloc.cold+0x75/0xd9
+    __alloc_pages_slowpath.constprop.0+0xcfa/0xd30
+    __alloc_pages_nodemask+0x2df/0x320
+    alloc_slab_page+0x195/0x310
+    allocate_slab+0x3c5/0x440
+    ___slab_alloc+0x40c/0x5f0
+    __slab_alloc+0x1c/0x30
+    kmem_cache_alloc+0x20e/0x220
+    xas_nomem+0x28/0x70
+    add_to_swap_cache+0x321/0x400
+    __read_swap_cache_async+0x105/0x240
+    swap_cluster_readahead+0x22c/0x2e0
+    shmem_swapin+0x8e/0xc0
+    shmem_swapin_page+0x196/0x740
+    shmem_getpage_gfp+0x3a2/0xa60
+    shmem_read_mapping_page_gfp+0x32/0x60
+    shmem_get_pages+0x155/0x5e0 [i915]
+    __i915_gem_object_get_pages+0x68/0xa0 [i915]
+    i915_vma_pin+0x3fe/0x6c0 [i915]
+    eb_add_vma+0x10b/0x2c0 [i915]
+    i915_gem_do_execbuffer+0x704/0x3430 [i915]
+    i915_gem_execbuffer2_ioctl+0x1ea/0x3e0 [i915]
+    drm_ioctl_kernel+0x86/0xd0 [drm]
+    drm_ioctl+0x206/0x390 [drm]
+    ksys_ioctl+0x82/0xc0
+    __x64_sys_ioctl+0x16/0x20
+    do_syscall_64+0x5b/0xf0
+    entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported on 5.7, but it goes back really to 3.1: when
+shmem_read_mapping_page_gfp() was implemented for use by i915, and
+allowed for __GFP_NORETRY and __GFP_NOWARN flags in most places, but
+missed swapin's "& GFP_KERNEL" mask for page tree node allocation in
+__read_swap_cache_async() - that was to mask off HIGHUSER_MOVABLE bits
+from what page cache uses, but GFP_RECLAIM_MASK is now what's needed.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=208085
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2006151330070.11064@eggly.anvils
+Fixes: 68da9f055755 ("tmpfs: pass gfp to shmem_getpage_gfp")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reported-by: Chris Murphy <lists@colorremedies.com>
+Analyzed-by: Vlastimil Babka <vbabka@suse.cz>
+Analyzed-by: Matthew Wilcox <willy@infradead.org>
+Tested-by: Chris Murphy <lists@colorremedies.com>
+Cc: <stable@vger.kernel.org>   [3.1+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/swap_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/swap_state.c b/mm/swap_state.c
+index ecee9c6c4cc17..09731f4174c7e 100644
+--- a/mm/swap_state.c
++++ b/mm/swap_state.c
+@@ -23,6 +23,7 @@
+ #include <linux/huge_mm.h>
+ #include <asm/pgtable.h>
++#include "internal.h"
+ /*
+  * swapper_space is a fiction, retained to simplify the path through
+@@ -416,7 +417,7 @@ struct page *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
+               /*
+                * call radix_tree_preload() while we can wait.
+                */
+-              err = radix_tree_maybe_preload(gfp_mask & GFP_KERNEL);
++              err = radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK);
+               if (err)
+                       break;
+-- 
+2.25.1
+
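Review bot: The comment above the changed `radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK)` call still reads only "call radix_tree_preload() while we can wait" and does not explain the mask, which is the whole point of the fix. I would add a line such as `/* Keep the caller's reclaim modifiers (__GFP_NORETRY, __GFP_NOWARN); mask off only the placement bits the page cache uses */`, which restates the reasoning the commit message gives. The new `#include "internal.h"` is presumably there for `GFP_RECLAIM_MASK`; a short trailing comment saying so would stop it being removed as unused in a later cleanup. The body of __read_swap_cache_async starts and ends outside the hunk.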
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..e48ae5b
--- /dev/null
@@ -0,0 +1,3 @@
+btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch
+mm-fix-swap-cache-node-allocation-mask.patch
+edac-amd64-read-back-the-scrub-rate-pci-register-on-.patch