dm-snapshot-avoid-snapshot-space-leak-on-crash.patch
dm-mpath-fix-race-condition-between-multipath_dtr-and-pg_init_done.patch
dm-thin-fix-discard-corruption.patch
+zram-fix-deadlock-bug-in-partial-read-write.patch
+zram-avoid-invalid-memory-access-in-zram_exit.patch
+zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch
+zram-avoid-access-beyond-the-zram-device.patch
+zram-allow-request-end-to-coincide-with-disksize.patch
+staging-zram-fix-access-of-null-pointer.patch
--- /dev/null
+From dccfb68c26308eb5fa3321110c9a4b51e89d67e3 Mon Sep 17 00:00:00 2001
+From: Rashika Kheria <rashika.kheria@gmail.com>
+Date: Wed, 30 Oct 2013 18:36:32 +0530
+Subject: Staging: zram: Fix access of NULL pointer
+
+From: Rashika Kheria <rashika.kheria@gmail.com>
+
+commit 46a51c80216cb891f271ad021f59009f34677499 upstream.
+
+This patch fixes the bug in reset_store caused by accessing NULL pointer.
+
+The bdev gets its value from bdget_disk() which could fail when memory
+pressure is severe and hence can return NULL because allocation of
+inode in bdget could fail.
+
+Hence, this patch introduces a check for bdev to prevent reference to a
+NULL pointer in the later part of the code. It also removes unnecessary
+check of bdev for fsync_bdev().
+
+Acked-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.2: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_sysfs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/zram/zram_sysfs.c
++++ b/drivers/staging/zram/zram_sysfs.c
+@@ -95,6 +95,9 @@ static ssize_t reset_store(struct device
+ zram = dev_to_zram(dev);
+ bdev = bdget_disk(zram->disk, 0);
+
++ if (!bdev)
++ return -ENOMEM;
++
+ /* Do not reset an active device! */
+ if (bdev->bd_holders)
+ return -EBUSY;
+@@ -107,8 +110,7 @@ static ssize_t reset_store(struct device
+ return -EINVAL;
+
+ /* Make sure all pending I/O is finished */
+- if (bdev)
+- fsync_bdev(bdev);
++ fsync_bdev(bdev);
+
+ down_write(&zram->init_lock);
+ if (zram->init_done)
--- /dev/null
+From 498a727b33ee121e4b57428257a05f657674af46 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Date: Sat, 22 Jun 2013 17:21:00 +0300
+Subject: zram: allow request end to coincide with disksize
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+commit 75c7caf5a052ffd8db3312fa7864ee2d142890c4 upstream.
+
+Pass valid_io_request() checks if request end coincides with disksize
+(end equals bound), only fail if we attempt to read beyond the bound.
+
+mkfs.ext2 produces numerous errors:
+[ 2164.632747] quiet_error: 1 callbacks suppressed
+[ 2164.633260] Buffer I/O error on device zram0, logical block 153599
+[ 2164.633265] lost page write due to I/O error on zram0
+
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -547,7 +547,7 @@ static inline int valid_io_request(struc
+ end = start + (bio->bi_size >> SECTOR_SHIFT);
+ bound = zram->disksize >> SECTOR_SHIFT;
+ /* out of range range */
+- if (unlikely(start >= bound || end >= bound || start > end))
++ if (unlikely(start >= bound || end > bound || start > end))
+ return 0;
+
+ /* I/O request is valid */
--- /dev/null
+From 624d1705fa1d6e4c647ca5859ecd921748bd85bf Mon Sep 17 00:00:00 2001
+From: Jiang Liu <liuj97@gmail.com>
+Date: Fri, 7 Jun 2013 00:07:26 +0800
+Subject: zram: avoid access beyond the zram device
+
+From: Jiang Liu <liuj97@gmail.com>
+
+commit 12a7ad3b810e77137d0caf97a6dd97591e075b30 upstream.
+
+Function valid_io_request() should verify the entire request are within
+the zram device address range. Otherwise it may cause invalid memory
+access when accessing/modifying zram->meta->table[index] because the
+'index' is out of range. Then it may access non-exist memory, randomly
+modify memory belong to other subsystems, which is hard to track down.
+
+Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_drv.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -535,13 +535,20 @@ out:
+ */
+ static inline int valid_io_request(struct zram *zram, struct bio *bio)
+ {
+- if (unlikely(
+- (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
+- (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) ||
+- (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) {
++ u64 start, end, bound;
+
++ /* unaligned request */
++ if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)))
++ return 0;
++ if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))
++ return 0;
++
++ start = bio->bi_sector;
++ end = start + (bio->bi_size >> SECTOR_SHIFT);
++ bound = zram->disksize >> SECTOR_SHIFT;
++ /* out of range range */
++ if (unlikely(start >= bound || end >= bound || start > end))
+ return 0;
+- }
+
+ /* I/O request is valid */
+ return 1;
--- /dev/null
+From fd162a76f16083157e32fe5f488f39a319b93fad Mon Sep 17 00:00:00 2001
+From: Jiang Liu <liuj97@gmail.com>
+Date: Fri, 7 Jun 2013 00:07:22 +0800
+Subject: zram: avoid invalid memory access in zram_exit()
+
+From: Jiang Liu <liuj97@gmail.com>
+
+commit 6030ea9b35971a4200062f010341ab832e878ac9 upstream.
+
+Memory for zram->disk object may have already been freed after returning
+from destroy_device(zram), then it's unsafe for zram_reset_device(zram)
+to access zram->disk again.
+
+We can't solve this bug by flipping the order of destroy_device(zram)
+and zram_reset_device(zram), that will cause deadlock issues to the
+zram sysfs handler.
+
+So fix it by holding an extra reference to zram->disk before calling
+destroy_device(zram).
+
+Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -841,9 +841,11 @@ static void __exit zram_exit(void)
+ for (i = 0; i < num_devices; i++) {
+ zram = &zram_devices[i];
+
++ get_disk(zram->disk);
+ destroy_device(zram);
+ if (zram->init_done)
+ zram_reset_device(zram);
++ put_disk(zram->disk);
+ }
+
+ unregister_blkdev(zram_major, "zram");
--- /dev/null
+From 29c303b89a1bc8f1704ffd4c58308781c9f8f844 Mon Sep 17 00:00:00 2001
+From: Jiang Liu <liuj97@gmail.com>
+Date: Fri, 7 Jun 2013 00:07:24 +0800
+Subject: zram: destroy all devices on error recovery path in zram_init()
+
+From: Jiang Liu <liuj97@gmail.com>
+
+commit 39a9b8ac9333e4268ecff7da6c9d1ab3823ff243 upstream.
+
+On error recovery path of zram_init(), it leaks the zram device object
+causing the failure. So change create_device() to free allocated
+resources on error path.
+
+Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Acked-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_drv.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -703,7 +703,7 @@ static const struct block_device_operati
+
+ static int create_device(struct zram *zram, int device_id)
+ {
+- int ret = 0;
++ int ret = -ENOMEM;
+
+ init_rwsem(&zram->lock);
+ init_rwsem(&zram->init_lock);
+@@ -713,7 +713,6 @@ static int create_device(struct zram *zr
+ if (!zram->queue) {
+ pr_err("Error allocating disk queue for device %d\n",
+ device_id);
+- ret = -ENOMEM;
+ goto out;
+ }
+
+@@ -723,11 +722,9 @@ static int create_device(struct zram *zr
+ /* gendisk structure */
+ zram->disk = alloc_disk(1);
+ if (!zram->disk) {
+- blk_cleanup_queue(zram->queue);
+ pr_warning("Error allocating disk structure for device %d\n",
+ device_id);
+- ret = -ENOMEM;
+- goto out;
++ goto out_free_queue;
+ }
+
+ zram->disk->major = zram_major;
+@@ -756,11 +753,17 @@ static int create_device(struct zram *zr
+ &zram_disk_attr_group);
+ if (ret < 0) {
+ pr_warning("Error creating sysfs group");
+- goto out;
++ goto out_free_disk;
+ }
+
+ zram->init_done = 0;
++ return 0;
+
++out_free_disk:
++ del_gendisk(zram->disk);
++ put_disk(zram->disk);
++out_free_queue:
++ blk_cleanup_queue(zram->queue);
+ out:
+ return ret;
+ }
--- /dev/null
+From 41247561dc218af7ab5cb4113b0c8ee1f79b75de Mon Sep 17 00:00:00 2001
+From: Minchan Kim <minchan@kernel.org>
+Date: Wed, 30 Jan 2013 11:41:39 +0900
+Subject: zram: Fix deadlock bug in partial read/write
+
+From: Minchan Kim <minchan@kernel.org>
+
+commit 7e5a5104c6af709a8d97d5f4711e7c917761d464 upstream.
+
+Now zram allocates new page with GFP_KERNEL in zram I/O path
+if IO is partial. Unfortunately, It may cause deadlock with
+reclaim path like below.
+
+write_page from fs
+fs_lock
+allocation(GFP_KERNEL)
+reclaim
+pageout
+ write_page from fs
+ fs_lock <-- deadlock
+
+This patch fixes it by using GFP_NOIO. In read path, we
+reorganize code flow so that kmap_atomic is called after the
+GFP_NOIO allocation.
+
+Acked-by: Jerome Marchand <jmarchand@redhat.com>
+Acked-by: Nitin Gupta <ngupta@vflare.org>
+[ penberg@kernel.org: don't use GFP_ATOMIC ]
+Signed-off-by: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.2: no reordering is needed in the read path]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Jianguo Wu <wujianguo@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/zram/zram_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/zram/zram_drv.c
++++ b/drivers/staging/zram/zram_drv.c
+@@ -235,7 +235,7 @@ static int zram_bvec_read(struct zram *z
+
+ if (is_partial_io(bvec)) {
+ /* Use a temporary buffer to decompress the page */
+- uncmem = kmalloc(PAGE_SIZE, GFP_KERNEL);
++ uncmem = kmalloc(PAGE_SIZE, GFP_NOIO);
+ if (!uncmem) {
+ pr_info("Error allocating temp memory!\n");
+ return -ENOMEM;
+@@ -330,7 +330,7 @@ static int zram_bvec_write(struct zram *
+ * This is a partial IO. We need to read the full page
+ * before to write the changes.
+ */
+- uncmem = kmalloc(PAGE_SIZE, GFP_KERNEL);
++ uncmem = kmalloc(PAGE_SIZE, GFP_NOIO);
+ if (!uncmem) {
+ pr_info("Error allocating temp memory!\n");
+ ret = -ENOMEM;
projects / thirdparty / kernel / stable-queue.git / commitdiff
