+++ /dev/null
-From c02b50e90be9f41d6802049a1a08246e9eb1a22c Mon Sep 17 00:00:00 2001
-From: Andrea Adami <andrea.adami@gmail.com>
-Date: Tue, 8 Apr 2014 14:53:44 +0200
-Subject: ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO
-
-From: Andrea Adami <andrea.adami@gmail.com>
-
-commit c02b50e90be9f41d6802049a1a08246e9eb1a22c upstream.
-
-hx4700 needs the same fix as in
-9705e74671f0e4f994d86b00cecf441917c64a66
-"ARM: pxa: fix various compilation problems"
-
-Fix build errors. Initial one is:
-/linux/arch/arm/mach-pxa/include/mach/hx4700.h:18:32: error:
- 'PXA_NR_BUILTIN_GPIO' undeclared here (not in a function)
-| #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
-
-Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/arm/mach-pxa/include/mach/hx4700.h | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/arm/mach-pxa/include/mach/hx4700.h
-+++ b/arch/arm/mach-pxa/include/mach/hx4700.h
-@@ -14,6 +14,7 @@
-
- #include <linux/gpio.h>
- #include <linux/mfd/asic3.h>
-+#include "irqs.h" /* PXA_NR_BUILTIN_GPIO */
-
- #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
- #define HX4700_EGPIO_BASE (HX4700_ASIC3_GPIO_BASE + ASIC3_NUM_GPIOS)
--- /dev/null
+From 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 12 Apr 2014 12:45:25 -0400
+Subject: ext4: use i_size_read in ext4_unaligned_aio()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream.
+
+We haven't taken i_mutex yet, so we need to use i_size_read().
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -80,7 +80,7 @@ ext4_unaligned_aio(struct inode *inode,
+ size_t count = iov_length(iov, nr_segs);
+ loff_t final_size = pos + count;
+
+- if (pos >= inode->i_size)
++ if (pos >= i_size_read(inode))
+ return 0;
+
+ if ((pos & blockmask) || (final_size & blockmask))
--- /dev/null
+From 34aa8dac482f1358d59110d5e3a12f4351f6acaa Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 3 Apr 2014 14:46:49 -0700
+Subject: ocfs2: dlm: fix lock migration crash
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream.
+
+This issue was introduced by commit 800deef3f6f8 ("ocfs2: use
+list_for_each_entry where benefical") in 2007 where it replaced
+list_for_each with list_for_each_entry. The variable "lock" will point
+to invalid data if "tmpq" list is empty and a panic will be triggered
+due to this. Sunil advised reverting it back, but the old version was
+also not right. At the end of the outer for loop, that
+list_for_each_entry will also set "lock" to an invalid data, then in the
+next loop, if the "tmpq" list is empty, "lock" will be an stale invalid
+data and cause the panic. So reverting the list_for_each back and reset
+"lock" to NULL to fix this issue.
+
+Another concern is that this seemes can not happen because the "tmpq"
+list should not be empty. Let me describe how.
+
+old lock resource owner(node 1): migratation target(node 2):
+image there's lockres with a EX lock from node 2 in
+granted list, a NR lock from node x with convert_type
+EX in converting list.
+dlm_empty_lockres() {
+ dlm_pick_migration_target() {
+ pick node 2 as target as its lock is the first one
+ in granted list.
+ }
+ dlm_migrate_lockres() {
+ dlm_mark_lockres_migrating() {
+ res->state |= DLM_LOCK_RES_BLOCK_DIRTY;
+ wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res));
+ //after the above code, we can not dirty lockres any more,
+ // so dlm_thread shuffle list will not run
+ downconvert lock from EX to NR
+ upconvert lock from NR to EX
+<<< migration may schedule out here, then
+<<< node 2 send down convert request to convert type from EX to
+<<< NR, then send up convert request to convert type from NR to
+<<< EX, at this time, lockres granted list is empty, and two locks
+<<< in the converting list, node x up convert lock followed by
+<<< node 2 up convert lock.
+
+ // will set lockres RES_MIGRATING flag, the following
+ // lock/unlock can not run
+ dlm_lockres_release_ast(dlm, res);
+ }
+
+ dlm_send_one_lockres()
+ dlm_process_recovery_data()
+ for (i=0; i<mres->num_locks; i++)
+ if (ml->node == dlm->node_num)
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ list_for_each_entry(lock, tmpq, list)
+ if (lock) break; <<< lock is invalid as grant list is empty.
+ }
+ if (lock->ml.node != ml->node)
+ BUG() >>> crash here
+ }
+
+I see the above locks status from a vmcore of our internal bug.
+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Wengang Wang <wen.gang.wang@oracle.com>
+Cc: Sunil Mushran <sunil.mushran@gmail.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -1752,13 +1752,13 @@ static int dlm_process_recovery_data(str
+ struct dlm_migratable_lockres *mres)
+ {
+ struct dlm_migratable_lock *ml;
+- struct list_head *queue;
++ struct list_head *queue, *iter;
+ struct list_head *tmpq = NULL;
+ struct dlm_lock *newlock = NULL;
+ struct dlm_lockstatus *lksb = NULL;
+ int ret = 0;
+ int i, j, bad;
+- struct dlm_lock *lock = NULL;
++ struct dlm_lock *lock;
+ u8 from = O2NM_MAX_NODES;
+ unsigned int added = 0;
+ __be64 c;
+@@ -1793,14 +1793,16 @@ static int dlm_process_recovery_data(str
+ /* MIGRATION ONLY! */
+ BUG_ON(!(mres->flags & DLM_MRES_MIGRATION));
+
++ lock = NULL;
+ spin_lock(&res->spinlock);
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ tmpq = dlm_list_idx_to_ptr(res, j);
+- list_for_each_entry(lock, tmpq, list) {
+- if (lock->ml.cookie != ml->cookie)
+- lock = NULL;
+- else
++ list_for_each(iter, tmpq) {
++ lock = list_entry(iter,
++ struct dlm_lock, list);
++ if (lock->ml.cookie == ml->cookie)
+ break;
++ lock = NULL;
+ }
+ if (lock)
+ break;
--- /dev/null
+From ded2cf71419b9353060e633b59e446c42a6a2a09 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 3 Apr 2014 14:46:51 -0700
+Subject: ocfs2: dlm: fix recovery hung
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream.
+
+There is a race window in dlm_do_recovery() between dlm_remaster_locks()
+and dlm_reset_recovery() when the recovery master nearly finish the
+recovery process for a dead node. After the master sends FINALIZE_RECO
+message in dlm_remaster_locks(), another node may become the recovery
+master for another dead node, and then send the BEGIN_RECO message to
+all the nodes included the old master, in the handler of this message
+dlm_begin_reco_handler() of old master, dlm->reco.dead_node and
+dlm->reco.new_master will be set to the second dead node and the new
+master, then in dlm_reset_recovery(), these two variables will be reset
+to default value. This will cause new recovery master can not finish
+the recovery process and hung, at last the whole cluster will hung for
+recovery.
+
+old recovery master: new recovery master:
+dlm_remaster_locks()
+ become recovery master for
+ another dead node.
+ dlm_send_begin_reco_message()
+dlm_begin_reco_handler()
+{
+ if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) {
+ return -EAGAIN;
+ }
+ dlm_set_reco_master(dlm, br->node_idx);
+ dlm_set_reco_dead_node(dlm, br->dead_node);
+}
+dlm_reset_recovery()
+{
+ dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM);
+ dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM);
+}
+ will hang in dlm_remaster_locks() for
+ request dlm locks info
+
+Before send FINALIZE_RECO message, recovery master should set
+DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done,
+this can break the race windows as the BEGIN_RECO messages will not be
+handled before DLM_RECO_STATE_FINALIZE flag is cleared.
+
+A similar race may happen between new recovery master and normal node
+which is in dlm_finalize_reco_handler(), also fix it.
+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Reviewed-by: Wengang Wang <wen.gang.wang@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -540,7 +540,10 @@ master_here:
+ /* success! see if any other nodes need recovery */
+ mlog(0, "DONE mastering recovery of %s:%u here(this=%u)!\n",
+ dlm->name, dlm->reco.dead_node, dlm->node_num);
+- dlm_reset_recovery(dlm);
++ spin_lock(&dlm->spinlock);
++ __dlm_reset_recovery(dlm);
++ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
+ }
+ dlm_end_recovery(dlm);
+
+@@ -698,6 +701,14 @@ static int dlm_remaster_locks(struct dlm
+ if (all_nodes_done) {
+ int ret;
+
++ /* Set this flag on recovery master to avoid
++ * a new recovery for another dead node start
++ * before the recovery is not done. That may
++ * cause recovery hung.*/
++ spin_lock(&dlm->spinlock);
++ dlm->reco.state |= DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
++
+ /* all nodes are now in DLM_RECO_NODE_DATA_DONE state
+ * just send a finalize message to everyone and
+ * clean up */
+@@ -2872,8 +2883,8 @@ int dlm_finalize_reco_handler(struct o2n
+ BUG();
+ }
+ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ __dlm_reset_recovery(dlm);
+ spin_unlock(&dlm->spinlock);
+- dlm_reset_recovery(dlm);
+ dlm_kick_recovery_thread(dlm);
+ break;
+ default:
--- /dev/null
+From f7cf4f5bfe073ad792ab49c04f247626b3e38db6 Mon Sep 17 00:00:00 2001
+From: alex chen <alex.chen@huawei.com>
+Date: Thu, 3 Apr 2014 14:47:05 -0700
+Subject: ocfs2: do not put bh when buffer_uptodate failed
+
+From: alex chen <alex.chen@huawei.com>
+
+commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream.
+
+Do not put bh when buffer_uptodate failed in ocfs2_write_block and
+ocfs2_write_super_or_backup, because it will put bh in b_end_io.
+Otherwise it will hit a warning "VFS: brelse: Trying to free free
+buffer".
+
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
+Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Acked-by: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/buffer_head_io.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -90,7 +90,6 @@ int ocfs2_write_block(struct ocfs2_super
+ * information for this bh as it's not marked locally
+ * uptodate. */
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
+@@ -420,7 +419,6 @@ int ocfs2_write_super_or_backup(struct o
+
+ if (!buffer_uptodate(bh)) {
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
--- /dev/null
+From f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 3 Apr 2014 14:47:07 -0700
+Subject: ocfs2: fix panic on kfree(xattr->name)
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream.
+
+Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"')
+missed that ocfs2 is calling kfree(xattr->name). As a result, kernel
+panic occurs upon calling kfree(xattr->name) because xattr->name refers
+static constant names. This patch removes kfree(xattr->name) from
+ocfs2_mknod() and ocfs2_symlink().
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Tested-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/namei.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -430,7 +430,6 @@ leave:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+
+ ocfs2_free_dir_lookup_result(&lookup);
+@@ -1816,7 +1815,6 @@ bail:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+ ocfs2_free_dir_lookup_result(&lookup);
+ if (inode_ac)
arm-omap3-hwmod-data-correct-clock-domains-for-usb-modules.patch
arm-8027-1-fix-do_div-bug-in-big-endian-systems.patch
arm-8030-1-arm-kdump-add-arch_crash_save_vmcoreinfo.patch
-arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
alsa-hda-enable-beep-for-asus-1015e.patch
alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch
mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
sh-fix-format-string-bug-in-stack-tracer.patch
mm-hugetlb-fix-softlockup-when-a-large-number-of-hugepages-are-freed.patch
hung_task-check-the-value-of-sysctl_hung_task_timeout_sec.patch
+ocfs2-dlm-fix-lock-migration-crash.patch
+ocfs2-dlm-fix-recovery-hung.patch
+ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch
+ocfs2-fix-panic-on-kfree-xattr-name.patch
+ext4-use-i_size_read-in-ext4_unaligned_aio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
