From: Greg Kroah-Hartman Date: Wed, 4 Jun 2014 23:54:40 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.14.6~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=deeac749839b196aee713abfeb3c612bd5f2ad57;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: staging-zram-fix-access-of-null-pointer.patch zram-allow-request-end-to-coincide-with-disksize.patch zram-avoid-access-beyond-the-zram-device.patch zram-avoid-invalid-memory-access-in-zram_exit.patch zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch zram-fix-deadlock-bug-in-partial-read-write.patch --- diff --git a/queue-3.4/series b/queue-3.4/series index 1db0b9672b5..78b5e3b3505 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -99,3 +99,9 @@ nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file dm-snapshot-avoid-snapshot-space-leak-on-crash.patch dm-mpath-fix-race-condition-between-multipath_dtr-and-pg_init_done.patch dm-thin-fix-discard-corruption.patch +zram-fix-deadlock-bug-in-partial-read-write.patch +zram-avoid-invalid-memory-access-in-zram_exit.patch +zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch +zram-avoid-access-beyond-the-zram-device.patch +zram-allow-request-end-to-coincide-with-disksize.patch +staging-zram-fix-access-of-null-pointer.patch diff --git a/queue-3.4/staging-zram-fix-access-of-null-pointer.patch b/queue-3.4/staging-zram-fix-access-of-null-pointer.patch new file mode 100644 index 00000000000..427ae5cca36 --- /dev/null +++ b/queue-3.4/staging-zram-fix-access-of-null-pointer.patch @@ -0,0 +1,54 @@ +From dccfb68c26308eb5fa3321110c9a4b51e89d67e3 Mon Sep 17 00:00:00 2001 +From: Rashika Kheria +Date: Wed, 30 Oct 2013 18:36:32 +0530 +Subject: Staging: zram: Fix access of NULL pointer + +From: Rashika Kheria + +commit 46a51c80216cb891f271ad021f59009f34677499 upstream. + +This patch fixes the bug in reset_store caused by accessing NULL pointer. + +The bdev gets its value from bdget_disk() which could fail when memory +pressure is severe and hence can return NULL because allocation of +inode in bdget could fail. + +Hence, this patch introduces a check for bdev to prevent reference to a +NULL pointer in the later part of the code. It also removes unnecessary +check of bdev for fsync_bdev(). + +Acked-by: Jerome Marchand +Signed-off-by: Rashika Kheria +Acked-by: Minchan Kim +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 3.2: adjust filename] +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_sysfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/staging/zram/zram_sysfs.c ++++ b/drivers/staging/zram/zram_sysfs.c +@@ -95,6 +95,9 @@ static ssize_t reset_store(struct device + zram = dev_to_zram(dev); + bdev = bdget_disk(zram->disk, 0); + ++ if (!bdev) ++ return -ENOMEM; ++ + /* Do not reset an active device! */ + if (bdev->bd_holders) + return -EBUSY; +@@ -107,8 +110,7 @@ static ssize_t reset_store(struct device + return -EINVAL; + + /* Make sure all pending I/O is finished */ +- if (bdev) +- fsync_bdev(bdev); ++ fsync_bdev(bdev); + + down_write(&zram->init_lock); + if (zram->init_done) diff --git a/queue-3.4/zram-allow-request-end-to-coincide-with-disksize.patch b/queue-3.4/zram-allow-request-end-to-coincide-with-disksize.patch new file mode 100644 index 00000000000..12bb9ccea60 --- /dev/null +++ b/queue-3.4/zram-allow-request-end-to-coincide-with-disksize.patch @@ -0,0 +1,38 @@ +From 498a727b33ee121e4b57428257a05f657674af46 Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Sat, 22 Jun 2013 17:21:00 +0300 +Subject: zram: allow request end to coincide with disksize + +From: Sergey Senozhatsky + +commit 75c7caf5a052ffd8db3312fa7864ee2d142890c4 upstream. + +Pass valid_io_request() checks if request end coincides with disksize +(end equals bound), only fail if we attempt to read beyond the bound. + +mkfs.ext2 produces numerous errors: +[ 2164.632747] quiet_error: 1 callbacks suppressed +[ 2164.633260] Buffer I/O error on device zram0, logical block 153599 +[ 2164.633265] lost page write due to I/O error on zram0 + +Signed-off-by: Sergey Senozhatsky +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/zram/zram_drv.c ++++ b/drivers/staging/zram/zram_drv.c +@@ -547,7 +547,7 @@ static inline int valid_io_request(struc + end = start + (bio->bi_size >> SECTOR_SHIFT); + bound = zram->disksize >> SECTOR_SHIFT; + /* out of range range */ +- if (unlikely(start >= bound || end >= bound || start > end)) ++ if (unlikely(start >= bound || end > bound || start > end)) + return 0; + + /* I/O request is valid */ diff --git a/queue-3.4/zram-avoid-access-beyond-the-zram-device.patch b/queue-3.4/zram-avoid-access-beyond-the-zram-device.patch new file mode 100644 index 00000000000..fb5980e014f --- /dev/null +++ b/queue-3.4/zram-avoid-access-beyond-the-zram-device.patch @@ -0,0 +1,53 @@ +From 624d1705fa1d6e4c647ca5859ecd921748bd85bf Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Fri, 7 Jun 2013 00:07:26 +0800 +Subject: zram: avoid access beyond the zram device + +From: Jiang Liu + +commit 12a7ad3b810e77137d0caf97a6dd97591e075b30 upstream. + +Function valid_io_request() should verify the entire request are within +the zram device address range. Otherwise it may cause invalid memory +access when accessing/modifying zram->meta->table[index] because the +'index' is out of range. Then it may access non-exist memory, randomly +modify memory belong to other subsystems, which is hard to track down. + +Signed-off-by: Jiang Liu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_drv.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/staging/zram/zram_drv.c ++++ b/drivers/staging/zram/zram_drv.c +@@ -535,13 +535,20 @@ out: + */ + static inline int valid_io_request(struct zram *zram, struct bio *bio) + { +- if (unlikely( +- (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) || +- (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) || +- (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) { ++ u64 start, end, bound; + ++ /* unaligned request */ ++ if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1))) ++ return 0; ++ if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1))) ++ return 0; ++ ++ start = bio->bi_sector; ++ end = start + (bio->bi_size >> SECTOR_SHIFT); ++ bound = zram->disksize >> SECTOR_SHIFT; ++ /* out of range range */ ++ if (unlikely(start >= bound || end >= bound || start > end)) + return 0; +- } + + /* I/O request is valid */ + return 1; diff --git a/queue-3.4/zram-avoid-invalid-memory-access-in-zram_exit.patch b/queue-3.4/zram-avoid-invalid-memory-access-in-zram_exit.patch new file mode 100644 index 00000000000..45cee3eb5ce --- /dev/null +++ b/queue-3.4/zram-avoid-invalid-memory-access-in-zram_exit.patch @@ -0,0 +1,45 @@ +From fd162a76f16083157e32fe5f488f39a319b93fad Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Fri, 7 Jun 2013 00:07:22 +0800 +Subject: zram: avoid invalid memory access in zram_exit() + +From: Jiang Liu + +commit 6030ea9b35971a4200062f010341ab832e878ac9 upstream. + +Memory for zram->disk object may have already been freed after returning +from destroy_device(zram), then it's unsafe for zram_reset_device(zram) +to access zram->disk again. + +We can't solve this bug by flipping the order of destroy_device(zram) +and zram_reset_device(zram), that will cause deadlock issues to the +zram sysfs handler. + +So fix it by holding an extra reference to zram->disk before calling +destroy_device(zram). + +Signed-off-by: Jiang Liu +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 3.2: adjust context] +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/zram/zram_drv.c ++++ b/drivers/staging/zram/zram_drv.c +@@ -841,9 +841,11 @@ static void __exit zram_exit(void) + for (i = 0; i < num_devices; i++) { + zram = &zram_devices[i]; + ++ get_disk(zram->disk); + destroy_device(zram); + if (zram->init_done) + zram_reset_device(zram); ++ put_disk(zram->disk); + } + + unregister_blkdev(zram_major, "zram"); diff --git a/queue-3.4/zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch b/queue-3.4/zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch new file mode 100644 index 00000000000..126fa07ad50 --- /dev/null +++ b/queue-3.4/zram-destroy-all-devices-on-error-recovery-path-in-zram_init.patch @@ -0,0 +1,77 @@ +From 29c303b89a1bc8f1704ffd4c58308781c9f8f844 Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Fri, 7 Jun 2013 00:07:24 +0800 +Subject: zram: destroy all devices on error recovery path in zram_init() + +From: Jiang Liu + +commit 39a9b8ac9333e4268ecff7da6c9d1ab3823ff243 upstream. + +On error recovery path of zram_init(), it leaks the zram device object +causing the failure. So change create_device() to free allocated +resources on error path. + +Signed-off-by: Jiang Liu +Acked-by: Minchan Kim +Acked-by: Jerome Marchand +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 3.2: adjust context] +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_drv.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/staging/zram/zram_drv.c ++++ b/drivers/staging/zram/zram_drv.c +@@ -703,7 +703,7 @@ static const struct block_device_operati + + static int create_device(struct zram *zram, int device_id) + { +- int ret = 0; ++ int ret = -ENOMEM; + + init_rwsem(&zram->lock); + init_rwsem(&zram->init_lock); +@@ -713,7 +713,6 @@ static int create_device(struct zram *zr + if (!zram->queue) { + pr_err("Error allocating disk queue for device %d\n", + device_id); +- ret = -ENOMEM; + goto out; + } + +@@ -723,11 +722,9 @@ static int create_device(struct zram *zr + /* gendisk structure */ + zram->disk = alloc_disk(1); + if (!zram->disk) { +- blk_cleanup_queue(zram->queue); + pr_warning("Error allocating disk structure for device %d\n", + device_id); +- ret = -ENOMEM; +- goto out; ++ goto out_free_queue; + } + + zram->disk->major = zram_major; +@@ -756,11 +753,17 @@ static int create_device(struct zram *zr + &zram_disk_attr_group); + if (ret < 0) { + pr_warning("Error creating sysfs group"); +- goto out; ++ goto out_free_disk; + } + + zram->init_done = 0; ++ return 0; + ++out_free_disk: ++ del_gendisk(zram->disk); ++ put_disk(zram->disk); ++out_free_queue: ++ blk_cleanup_queue(zram->queue); + out: + return ret; + } diff --git a/queue-3.4/zram-fix-deadlock-bug-in-partial-read-write.patch b/queue-3.4/zram-fix-deadlock-bug-in-partial-read-write.patch new file mode 100644 index 00000000000..e7a76c34c2c --- /dev/null +++ b/queue-3.4/zram-fix-deadlock-bug-in-partial-read-write.patch @@ -0,0 +1,60 @@ +From 41247561dc218af7ab5cb4113b0c8ee1f79b75de Mon Sep 17 00:00:00 2001 +From: Minchan Kim +Date: Wed, 30 Jan 2013 11:41:39 +0900 +Subject: zram: Fix deadlock bug in partial read/write + +From: Minchan Kim + +commit 7e5a5104c6af709a8d97d5f4711e7c917761d464 upstream. + +Now zram allocates new page with GFP_KERNEL in zram I/O path +if IO is partial. Unfortunately, It may cause deadlock with +reclaim path like below. + +write_page from fs +fs_lock +allocation(GFP_KERNEL) +reclaim +pageout + write_page from fs + fs_lock <-- deadlock + +This patch fixes it by using GFP_NOIO. In read path, we +reorganize code flow so that kmap_atomic is called after the +GFP_NOIO allocation. + +Acked-by: Jerome Marchand +Acked-by: Nitin Gupta +[ penberg@kernel.org: don't use GFP_ATOMIC ] +Signed-off-by: Pekka Enberg +Signed-off-by: Minchan Kim +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 3.2: no reordering is needed in the read path] +Signed-off-by: Ben Hutchings +Cc: Jianguo Wu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/zram/zram_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/zram/zram_drv.c ++++ b/drivers/staging/zram/zram_drv.c +@@ -235,7 +235,7 @@ static int zram_bvec_read(struct zram *z + + if (is_partial_io(bvec)) { + /* Use a temporary buffer to decompress the page */ +- uncmem = kmalloc(PAGE_SIZE, GFP_KERNEL); ++ uncmem = kmalloc(PAGE_SIZE, GFP_NOIO); + if (!uncmem) { + pr_info("Error allocating temp memory!\n"); + return -ENOMEM; +@@ -330,7 +330,7 @@ static int zram_bvec_write(struct zram * + * This is a partial IO. We need to read the full page + * before to write the changes. + */ +- uncmem = kmalloc(PAGE_SIZE, GFP_KERNEL); ++ uncmem = kmalloc(PAGE_SIZE, GFP_NOIO); + if (!uncmem) { + pr_info("Error allocating temp memory!\n"); + ret = -ENOMEM;