From: Greg Kroah-Hartman Date: Sat, 3 May 2014 18:47:39 +0000 (-0400) Subject: 3.4-stable patches X-Git-Tag: v3.4.89~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cd5a9268c5eb7049d37a3b1d183e119d3d89c0e3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ext4-use-i_size_read-in-ext4_unaligned_aio.patch ocfs2-dlm-fix-lock-migration-crash.patch ocfs2-dlm-fix-recovery-hung.patch ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch ocfs2-fix-panic-on-kfree-xattr-name.patch
---
diff --git a/queue-3.4/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch b/queue-3.4/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
deleted file mode 100644
index 98a71aa205f..00000000000
--- a/queue-3.4/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From c02b50e90be9f41d6802049a1a08246e9eb1a22c Mon Sep 17 00:00:00 2001
-From: Andrea Adami
-Date: Tue, 8 Apr 2014 14:53:44 +0200
-Subject: ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO
-
-From: Andrea Adami
-
-commit c02b50e90be9f41d6802049a1a08246e9eb1a22c upstream.
-
-hx4700 needs the same fix as in
-9705e74671f0e4f994d86b00cecf441917c64a66
-"ARM: pxa: fix various compilation problems"
-
-Fix build errors. Initial one is:
-/linux/arch/arm/mach-pxa/include/mach/hx4700.h:18:32: error:
- 'PXA_NR_BUILTIN_GPIO' undeclared here (not in a function)
-| #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
-
-Signed-off-by: Andrea Adami
-Signed-off-by: Linus Walleij
-Signed-off-by: Arnd Bergmann
-Signed-off-by: Greg Kroah-Hartman
-
----
- arch/arm/mach-pxa/include/mach/hx4700.h | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/arm/mach-pxa/include/mach/hx4700.h
-+++ b/arch/arm/mach-pxa/include/mach/hx4700.h
-@@ -14,6 +14,7 @@
-
- #include
- #include
-+#include "irqs.h" /* PXA_NR_BUILTIN_GPIO */
-
- #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
- #define HX4700_EGPIO_BASE (HX4700_ASIC3_GPIO_BASE + ASIC3_NUM_GPIOS)
diff --git a/queue-3.4/ext4-use-i_size_read-in-ext4_unaligned_aio.patch b/queue-3.4/ext4-use-i_size_read-in-ext4_unaligned_aio.patch
new file mode 100644
index 00000000000..67f5dc9aa6a
--- /dev/null
+++ b/queue-3.4/ext4-use-i_size_read-in-ext4_unaligned_aio.patch
@@ -0,0 +1,29 @@
+From 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Sat, 12 Apr 2014 12:45:25 -0400
+Subject: ext4: use i_size_read in ext4_unaligned_aio()
+
+From: Theodore Ts'o
+
+commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream.
+
+We haven't taken i_mutex yet, so we need to use i_size_read().
+
+Signed-off-by: "Theodore Ts'o"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -80,7 +80,7 @@ ext4_unaligned_aio(struct inode *inode,
+ size_t count = iov_length(iov, nr_segs);
+ loff_t final_size = pos + count;
+
+- if (pos >= inode->i_size)
++ if (pos >= i_size_read(inode))
+ return 0;
+
+ if ((pos & blockmask) || (final_size & blockmask))
diff --git a/queue-3.4/ocfs2-dlm-fix-lock-migration-crash.patch b/queue-3.4/ocfs2-dlm-fix-lock-migration-crash.patch
new file mode 100644
index 00000000000..71dcb10ec45
--- /dev/null
+++ b/queue-3.4/ocfs2-dlm-fix-lock-migration-crash.patch
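Review bot: The reason for switching to `i_size_read(inode)` in ext4_unaligned_aio(), namely that i_mutex is not yet held at this point, is recorded only in the commit message, so a later cleanup could turn it back into a bare `inode->i_size` read without noticing. A comment above the check such as `/* i_mutex is not held here; read i_size via i_size_read() */` would keep that constraint next to the code. The value is still only a snapshot taken without the lock, so whatever the caller decides from this return value should tolerate the size changing afterwards; the caller is outside the hunk.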
@@ -0,0 +1,119 @@
+From 34aa8dac482f1358d59110d5e3a12f4351f6acaa Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Thu, 3 Apr 2014 14:46:49 -0700
+Subject: ocfs2: dlm: fix lock migration crash
+
+From: Junxiao Bi
+
+commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream.
+
+This issue was introduced by commit 800deef3f6f8 ("ocfs2: use
+list_for_each_entry where benefical") in 2007 where it replaced
+list_for_each with list_for_each_entry. The variable "lock" will point
+to invalid data if "tmpq" list is empty and a panic will be triggered
+due to this. Sunil advised reverting it back, but the old version was
+also not right. At the end of the outer for loop, that
+list_for_each_entry will also set "lock" to an invalid data, then in the
+next loop, if the "tmpq" list is empty, "lock" will be an stale invalid
+data and cause the panic. So reverting the list_for_each back and reset
+"lock" to NULL to fix this issue.
+
+Another concern is that this seemes can not happen because the "tmpq"
+list should not be empty. Let me describe how.
+
+old lock resource owner(node 1): migratation target(node 2):
+image there's lockres with a EX lock from node 2 in
+granted list, a NR lock from node x with convert_type
+EX in converting list.
+dlm_empty_lockres() {
+ dlm_pick_migration_target() {
+ pick node 2 as target as its lock is the first one
+ in granted list.
+ }
+ dlm_migrate_lockres() {
+ dlm_mark_lockres_migrating() {
+ res->state |= DLM_LOCK_RES_BLOCK_DIRTY;
+ wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res));
+ //after the above code, we can not dirty lockres any more,
+ // so dlm_thread shuffle list will not run
+ downconvert lock from EX to NR
+ upconvert lock from NR to EX
+<<< migration may schedule out here, then
+<<< node 2 send down convert request to convert type from EX to
+<<< NR, then send up convert request to convert type from NR to
+<<< EX, at this time, lockres granted list is empty, and two locks
+<<< in the converting list, node x up convert lock followed by
+<<< node 2 up convert lock.
+
+ // will set lockres RES_MIGRATING flag, the following
+ // lock/unlock can not run
+ dlm_lockres_release_ast(dlm, res);
+ }
+
+ dlm_send_one_lockres()
+ dlm_process_recovery_data()
+ for (i=0; inum_locks; i++)
+ if (ml->node == dlm->node_num)
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ list_for_each_entry(lock, tmpq, list)
+ if (lock) break; <<< lock is invalid as grant list is empty.
+ }
+ if (lock->ml.node != ml->node)
+ BUG() >>> crash here
+ }
+
+I see the above locks status from a vmcore of our internal bug.
+
+Signed-off-by: Junxiao Bi
+Reviewed-by: Wengang Wang
+Cc: Sunil Mushran
+Reviewed-by: Srinivas Eeda
+Cc: Joel Becker
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -1752,13 +1752,13 @@ static int dlm_process_recovery_data(str
+ struct dlm_migratable_lockres *mres)
+ {
+ struct dlm_migratable_lock *ml;
+- struct list_head *queue;
++ struct list_head *queue, *iter;
+ struct list_head *tmpq = NULL;
+ struct dlm_lock *newlock = NULL;
+ struct dlm_lockstatus *lksb = NULL;
+ int ret = 0;
+ int i, j, bad;
+- struct dlm_lock *lock = NULL;
++ struct dlm_lock *lock;
+ u8 from = O2NM_MAX_NODES;
+ unsigned int added = 0;
+ __be64 c;
+@@ -1793,14 +1793,16 @@ static int dlm_process_recovery_data(str
+ /* MIGRATION ONLY! */
+ BUG_ON(!(mres->flags & DLM_MRES_MIGRATION));
+
++ lock = NULL;
+ spin_lock(&res->spinlock);
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ tmpq = dlm_list_idx_to_ptr(res, j);
+- list_for_each_entry(lock, tmpq, list) {
+- if (lock->ml.cookie != ml->cookie)
+- lock = NULL;
+- else
++ list_for_each(iter, tmpq) {
++ lock = list_entry(iter,
++ struct dlm_lock, list);
++ if (lock->ml.cookie == ml->cookie)
+ break;
++ lock = NULL;
+ }
+ if (lock)
+ break;
diff --git a/queue-3.4/ocfs2-dlm-fix-recovery-hung.patch b/queue-3.4/ocfs2-dlm-fix-recovery-hung.patch
new file mode 100644
index 00000000000..6eb20c4d88d
--- /dev/null
+++ b/queue-3.4/ocfs2-dlm-fix-recovery-hung.patch
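Review bot: The trailing `lock = NULL;` at the bottom of the new `list_for_each(iter, tmpq)` body (second hunk of fs/ocfs2/dlm/dlmrecovery.c) is what keeps `lock` from carrying a non-matching entry out of an exhausted queue, yet it reads like a redundant statement and has no comment. I would add `/* no cookie match: clear lock so an empty or exhausted queue is not taken for a hit */` above it; the same reasoning applies to the `lock = NULL;` placed before `spin_lock(&res->spinlock)`. The commit message shows this path being driven by convert requests from another node and ending in BUG(), so the handling of a still-NULL `lock` after the outer loop, which lies outside the hunk, should be confirmed to reject the message rather than dereference `lock->ml.node`.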
@@ -0,0 +1,103 @@
+From ded2cf71419b9353060e633b59e446c42a6a2a09 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Thu, 3 Apr 2014 14:46:51 -0700
+Subject: ocfs2: dlm: fix recovery hung
+
+From: Junxiao Bi
+
+commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream.
+
+There is a race window in dlm_do_recovery() between dlm_remaster_locks()
+and dlm_reset_recovery() when the recovery master nearly finish the
+recovery process for a dead node. After the master sends FINALIZE_RECO
+message in dlm_remaster_locks(), another node may become the recovery
+master for another dead node, and then send the BEGIN_RECO message to
+all the nodes included the old master, in the handler of this message
+dlm_begin_reco_handler() of old master, dlm->reco.dead_node and
+dlm->reco.new_master will be set to the second dead node and the new
+master, then in dlm_reset_recovery(), these two variables will be reset
+to default value. This will cause new recovery master can not finish
+the recovery process and hung, at last the whole cluster will hung for
+recovery.
+
+old recovery master: new recovery master:
+dlm_remaster_locks()
+ become recovery master for
+ another dead node.
+ dlm_send_begin_reco_message()
+dlm_begin_reco_handler()
+{
+ if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) {
+ return -EAGAIN;
+ }
+ dlm_set_reco_master(dlm, br->node_idx);
+ dlm_set_reco_dead_node(dlm, br->dead_node);
+}
+dlm_reset_recovery()
+{
+ dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM);
+ dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM);
+}
+ will hang in dlm_remaster_locks() for
+ request dlm locks info
+
+Before send FINALIZE_RECO message, recovery master should set
+DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done,
+this can break the race windows as the BEGIN_RECO messages will not be
+handled before DLM_RECO_STATE_FINALIZE flag is cleared.
+
+A similar race may happen between new recovery master and normal node
+which is in dlm_finalize_reco_handler(), also fix it.
+
+Signed-off-by: Junxiao Bi
+Reviewed-by: Srinivas Eeda
+Reviewed-by: Wengang Wang
+Cc: Joel Becker
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -540,7 +540,10 @@ master_here:
+ /* success! see if any other nodes need recovery */
+ mlog(0, "DONE mastering recovery of %s:%u here(this=%u)!\n",
+ dlm->name, dlm->reco.dead_node, dlm->node_num);
+- dlm_reset_recovery(dlm);
++ spin_lock(&dlm->spinlock);
++ __dlm_reset_recovery(dlm);
++ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
+ }
+ dlm_end_recovery(dlm);
+
+@@ -698,6 +701,14 @@ static int dlm_remaster_locks(struct dlm
+ if (all_nodes_done) {
+ int ret;
+
++ /* Set this flag on recovery master to avoid
++ * a new recovery for another dead node start
++ * before the recovery is not done. That may
++ * cause recovery hung.*/
++ spin_lock(&dlm->spinlock);
++ dlm->reco.state |= DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
++
+ /* all nodes are now in DLM_RECO_NODE_DATA_DONE state
+ * just send a finalize message to everyone and
+ * clean up */
+@@ -2872,8 +2883,8 @@ int dlm_finalize_reco_handler(struct o2n
+ BUG();
+ }
+ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ __dlm_reset_recovery(dlm);
+ spin_unlock(&dlm->spinlock);
+- dlm_reset_recovery(dlm);
+ dlm_kick_recovery_thread(dlm);
+ break;
+ default:
diff --git a/queue-3.4/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch b/queue-3.4/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch
new file mode 100644
index 00000000000..4c585622bef
--- /dev/null
+++ b/queue-3.4/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch
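Review bot: DLM_RECO_STATE_FINALIZE is set in the dlm_remaster_locks() hunk before the finalize message goes out, but the only place these hunks clear it on the recovery master is the success branch under `master_here:`. If dlm_remaster_locks() can return an error after the flag is set (the rest of its body is outside the hunk), the flag would stay set and, going by the handler sketched in the commit message, every later BEGIN_RECO would be answered with -EAGAIN; each exit path should be checked for a matching `dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;`. Separately, the added comment says "before the recovery is not done", which inverts the meaning; `/* Set FINALIZE on the recovery master so that recovery of another dead node cannot start before this one is done. */` says what the code does.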
@@ -0,0 +1,45 @@
+From f7cf4f5bfe073ad792ab49c04f247626b3e38db6 Mon Sep 17 00:00:00 2001
+From: alex chen
+Date: Thu, 3 Apr 2014 14:47:05 -0700
+Subject: ocfs2: do not put bh when buffer_uptodate failed
+
+From: alex chen
+
+commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream.
+
+Do not put bh when buffer_uptodate failed in ocfs2_write_block and
+ocfs2_write_super_or_backup, because it will put bh in b_end_io.
+Otherwise it will hit a warning "VFS: brelse: Trying to free free
+buffer".
+
+Signed-off-by: Alex Chen
+Reviewed-by: Joseph Qi
+Reviewed-by: Srinivas Eeda
+Cc: Mark Fasheh
+Acked-by: Joel Becker
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/buffer_head_io.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -90,7 +90,6 @@ int ocfs2_write_block(struct ocfs2_super
+ * information for this bh as it's not marked locally
+ * uptodate. */
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
+@@ -420,7 +419,6 @@ int ocfs2_write_super_or_backup(struct o
+
+ if (!buffer_uptodate(bh)) {
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
diff --git a/queue-3.4/ocfs2-fix-panic-on-kfree-xattr-name.patch b/queue-3.4/ocfs2-fix-panic-on-kfree-xattr-name.patch
new file mode 100644
index 00000000000..64f766109f8
--- /dev/null
+++ b/queue-3.4/ocfs2-fix-panic-on-kfree-xattr-name.patch
@@ -0,0 +1,47 @@
+From f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Thu, 3 Apr 2014 14:47:07 -0700
+Subject: ocfs2: fix panic on kfree(xattr->name)
+
+From: Tetsuo Handa
+
+commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream.
+
+Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"')
+missed that ocfs2 is calling kfree(xattr->name). As a result, kernel
+panic occurs upon calling kfree(xattr->name) because xattr->name refers
+static constant names. This patch removes kfree(xattr->name) from
+ocfs2_mknod() and ocfs2_symlink().
+
+Signed-off-by: Tetsuo Handa
+Reported-by: Tariq Saeed
+Tested-by: Tariq Saeed
+Reviewed-by: Srinivas Eeda
+Cc: Joel Becker
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/namei.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -430,7 +430,6 @@ leave:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+
+ ocfs2_free_dir_lookup_result(&lookup);
+@@ -1816,7 +1815,6 @@ bail:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+ ocfs2_free_dir_lookup_result(&lookup);
+ if (inode_ac)
diff --git a/queue-3.4/series b/queue-3.4/series
index c4c4aba0e37..5d621d07173 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -3,7 +3,6 @@ arm-omap2-intc-acknowledge-stuck-active-interrupts.patch
 arm-omap3-hwmod-data-correct-clock-domains-for-usb-modules.patch
 arm-8027-1-fix-do_div-bug-in-big-endian-systems.patch
 arm-8030-1-arm-kdump-add-arch_crash_save_vmcoreinfo.patch
-arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
 alsa-hda-enable-beep-for-asus-1015e.patch
 alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch
 mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
@@ -37,3 +36,8 @@ usb-unbind-all-interfaces-before-rebinding-any.patch
 sh-fix-format-string-bug-in-stack-tracer.patch
 mm-hugetlb-fix-softlockup-when-a-large-number-of-hugepages-are-freed.patch
 hung_task-check-the-value-of-sysctl_hung_task_timeout_sec.patch
+ocfs2-dlm-fix-lock-migration-crash.patch
+ocfs2-dlm-fix-recovery-hung.patch
+ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch
+ocfs2-fix-panic-on-kfree-xattr-name.patch
+ext4-use-i_size_read-in-ext4_unaligned_aio.patch