From: Greg Kroah-Hartman Date: Tue, 8 Jun 2021 14:05:51 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.272~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb22ea62ccadeebb8d8b630dfa22fa2563881d79;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: btrfs-fix-error-handling-in-btrfs_del_csums.patch btrfs-fix-fsync-failure-and-transaction-abort-after-writes-to-prealloc-extents.patch btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch btrfs-mark-ordered-extent-and-inode-with-error-if-we-fail-to-finish.patch btrfs-return-errors-from-btrfs_del_csums-in-cleanup_ref_head.patch drm-amdgpu-don-t-query-ce-and-ue-errors.patch drm-amdgpu-make-sure-we-unpin-the-uvd-bo.patch nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch ocfs2-fix-data-corruption-by-fallocate.patch x86-apic-mark-_all_-legacy-interrupts-when-io-apic-is-missing.patch --- diff --git a/queue-5.4/btrfs-fix-error-handling-in-btrfs_del_csums.patch b/queue-5.4/btrfs-fix-error-handling-in-btrfs_del_csums.patch new file mode 100644 index 00000000000..9243d67c410 --- /dev/null +++ b/queue-5.4/btrfs-fix-error-handling-in-btrfs_del_csums.patch @@ -0,0 +1,93 @@ +From b86652be7c83f70bf406bed18ecf55adb9bfb91b Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 19 May 2021 10:52:45 -0400 +Subject: btrfs: fix error handling in btrfs_del_csums + +From: Josef Bacik + +commit b86652be7c83f70bf406bed18ecf55adb9bfb91b upstream. + +Error injection stress would sometimes fail with checksums on disk that +did not have a corresponding extent. This occurred because the pattern +in btrfs_del_csums was + + while (1) { + ret = btrfs_search_slot(); + if (ret < 0) + break; + } + ret = 0; +out: + btrfs_free_path(path); + return ret; + +If we got an error from btrfs_search_slot we'd clear the error because +we were breaking instead of goto out. Instead of using goto out, simply +handle the cases where we may leave a random value in ret, and get rid +of the + + ret = 0; +out: + +pattern and simply allow break to have the proper error reporting. With +this fix we properly abort the transaction and do not commit thinking we +successfully deleted the csum. + +Reviewed-by: Qu Wenruo +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file-item.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -599,7 +599,7 @@ int btrfs_del_csums(struct btrfs_trans_h + u64 end_byte = bytenr + len; + u64 csum_end; + struct extent_buffer *leaf; +- int ret; ++ int ret = 0; + u16 csum_size = btrfs_super_csum_size(fs_info->super_copy); + int blocksize_bits = fs_info->sb->s_blocksize_bits; + +@@ -618,6 +618,7 @@ int btrfs_del_csums(struct btrfs_trans_h + path->leave_spinning = 1; + ret = btrfs_search_slot(trans, root, &key, path, -1, 1); + if (ret > 0) { ++ ret = 0; + if (path->slots[0] == 0) + break; + path->slots[0]--; +@@ -674,7 +675,7 @@ int btrfs_del_csums(struct btrfs_trans_h + ret = btrfs_del_items(trans, root, path, + path->slots[0], del_nr); + if (ret) +- goto out; ++ break; + if (key.offset == bytenr) + break; + } else if (key.offset < bytenr && csum_end > end_byte) { +@@ -718,8 +719,9 @@ int btrfs_del_csums(struct btrfs_trans_h + ret = btrfs_split_item(trans, root, path, &key, offset); + if (ret && ret != -EAGAIN) { + btrfs_abort_transaction(trans, ret); +- goto out; ++ break; + } ++ ret = 0; + + key.offset = end_byte - 1; + } else { +@@ -729,8 +731,6 @@ int btrfs_del_csums(struct btrfs_trans_h + } + btrfs_release_path(path); + } +- ret = 0; +-out: + btrfs_free_path(path); + return ret; + } diff --git a/queue-5.4/btrfs-fix-fsync-failure-and-transaction-abort-after-writes-to-prealloc-extents.patch b/queue-5.4/btrfs-fix-fsync-failure-and-transaction-abort-after-writes-to-prealloc-extents.patch new file mode 100644 index 00000000000..f1438e363b8 --- /dev/null +++ b/queue-5.4/btrfs-fix-fsync-failure-and-transaction-abort-after-writes-to-prealloc-extents.patch @@ -0,0 +1,407 @@ +From ea7036de0d36c4e6c9508f68789e9567d514333a Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 24 May 2021 11:35:53 +0100 +Subject: btrfs: fix fsync failure and transaction abort after writes to prealloc extents + +From: Filipe Manana + +commit ea7036de0d36c4e6c9508f68789e9567d514333a upstream. + +When doing a series of partial writes to different ranges of preallocated +extents with transaction commits and fsyncs in between, we can end up with +a checksum items in a log tree. This causes an fsync to fail with -EIO and +abort the transaction, turning the filesystem to RO mode, when syncing the +log. + +For this to happen, we need to have a full fsync of a file following one +or more fast fsyncs. + +The following example reproduces the problem and explains how it happens: + + $ mkfs.btrfs -f /dev/sdc + $ mount /dev/sdc /mnt + + # Create our test file with 2 preallocated extents. Leave a 1M hole + # between them to ensure that we get two file extent items that will + # never be merged into a single one. The extents are contiguous on disk, + # which will later result in the checksums for their data to be merged + # into a single checksum item in the csums btree. + # + $ xfs_io -f \ + -c "falloc 0 1M" \ + -c "falloc 3M 3M" \ + /mnt/foobar + + # Now write to the second extent and leave only 1M of it as unwritten, + # which corresponds to the file range [4M, 5M[. + # + # Then fsync the file to flush delalloc and to clear full sync flag from + # the inode, so that a future fsync will use the fast code path. + # + # After the writeback triggered by the fsync we have 3 file extent items + # that point to the second extent we previously allocated: + # + # 1) One file extent item of type BTRFS_FILE_EXTENT_REG that covers the + # file range [3M, 4M[ + # + # 2) One file extent item of type BTRFS_FILE_EXTENT_PREALLOC that covers + # the file range [4M, 5M[ + # + # 3) One file extent item of type BTRFS_FILE_EXTENT_REG that covers the + # file range [5M, 6M[ + # + # All these file extent items have a generation of 6, which is the ID of + # the transaction where they were created. The split of the original file + # extent item is done at btrfs_mark_extent_written() when ordered extents + # complete for the file ranges [3M, 4M[ and [5M, 6M[. + # + $ xfs_io -c "pwrite -S 0xab 3M 1M" \ + -c "pwrite -S 0xef 5M 1M" \ + -c "fsync" \ + /mnt/foobar + + # Commit the current transaction. This wipes out the log tree created by + # the previous fsync. + sync + + # Now write to the unwritten range of the second extent we allocated, + # corresponding to the file range [4M, 5M[, and fsync the file, which + # triggers the fast fsync code path. + # + # The fast fsync code path sees that there is a new extent map covering + # the file range [4M, 5M[ and therefore it will log a checksum item + # covering the range [1M, 2M[ of the second extent we allocated. + # + # Also, after the fsync finishes we no longer have the 3 file extent + # items that pointed to 3 sections of the second extent we allocated. + # Instead we end up with a single file extent item pointing to the whole + # extent, with a type of BTRFS_FILE_EXTENT_REG and a generation of 7 (the + # current transaction ID). This is due to the file extent item merging we + # do when completing ordered extents into ranges that point to unwritten + # (preallocated) extents. This merging is done at + # btrfs_mark_extent_written(). + # + $ xfs_io -c "pwrite -S 0xcd 4M 1M" \ + -c "fsync" \ + /mnt/foobar + + # Now do some write to our file outside the range of the second extent + # that we allocated with fallocate() and truncate the file size from 6M + # down to 5M. + # + # The truncate operation sets the full sync runtime flag on the inode, + # forcing the next fsync to use the slow code path. It also changes the + # length of the second file extent item so that it represents the file + # range [3M, 5M[ and not the range [3M, 6M[ anymore. + # + # Finally fsync the file. Since this is a fsync that triggers the slow + # code path, it will remove all items associated to the inode from the + # log tree and then it will scan for file extent items in the + # fs/subvolume tree that have a generation matching the current + # transaction ID, which is 7. This means it will log 2 file extent + # items: + # + # 1) One for the first extent we allocated, covering the file range + # [0, 1M[ + # + # 2) Another for the first 2M of the second extent we allocated, + # covering the file range [3M, 5M[ + # + # When logging the first file extent item we log a single checksum item + # that has all the checksums for the entire extent. + # + # When logging the second file extent item, we also lookup for the + # checksums that are associated with the range [0, 2M[ of the second + # extent we allocated (file range [3M, 5M[), and then we log them with + # btrfs_csum_file_blocks(). However that results in ending up with a log + # that has two checksum items with ranges that overlap: + # + # 1) One for the range [1M, 2M[ of the second extent we allocated, + # corresponding to the file range [4M, 5M[, which we logged in the + # previous fsync that used the fast code path; + # + # 2) One for the ranges [0, 1M[ and [0, 2M[ of the first and second + # extents, respectively, corresponding to the files ranges [0, 1M[ + # and [3M, 5M[. This one was added during this last fsync that uses + # the slow code path and overlaps with the previous one logged by + # the previous fast fsync. + # + # This happens because when logging the checksums for the second + # extent, we notice they start at an offset that matches the end of the + # checksums item that we logged for the first extent, and because both + # extents are contiguous on disk, btrfs_csum_file_blocks() decides to + # extend that existing checksums item and append the checksums for the + # second extent to this item. The end result is we end up with two + # checksum items in the log tree that have overlapping ranges, as + # listed before, resulting in the fsync to fail with -EIO and aborting + # the transaction, turning the filesystem into RO mode. + # + $ xfs_io -c "pwrite -S 0xff 0 1M" \ + -c "truncate 5M" \ + -c "fsync" \ + /mnt/foobar + fsync: Input/output error + +After running the example, dmesg/syslog shows the tree checker complained +about the checksum items with overlapping ranges and we aborted the +transaction: + + $ dmesg + (...) + [756289.557487] BTRFS critical (device sdc): corrupt leaf: root=18446744073709551610 block=30720000 slot=5, csum end range (16777216) goes beyond the start range (15728640) of the next csum item + [756289.560583] BTRFS info (device sdc): leaf 30720000 gen 7 total ptrs 7 free space 11677 owner 18446744073709551610 + [756289.562435] BTRFS info (device sdc): refs 2 lock_owner 0 current 2303929 + [756289.563654] item 0 key (257 1 0) itemoff 16123 itemsize 160 + [756289.564649] inode generation 6 size 5242880 mode 100600 + [756289.565636] item 1 key (257 12 256) itemoff 16107 itemsize 16 + [756289.566694] item 2 key (257 108 0) itemoff 16054 itemsize 53 + [756289.567725] extent data disk bytenr 13631488 nr 1048576 + [756289.568697] extent data offset 0 nr 1048576 ram 1048576 + [756289.569689] item 3 key (257 108 1048576) itemoff 16001 itemsize 53 + [756289.570682] extent data disk bytenr 0 nr 0 + [756289.571363] extent data offset 0 nr 2097152 ram 2097152 + [756289.572213] item 4 key (257 108 3145728) itemoff 15948 itemsize 53 + [756289.573246] extent data disk bytenr 14680064 nr 3145728 + [756289.574121] extent data offset 0 nr 2097152 ram 3145728 + [756289.574993] item 5 key (18446744073709551606 128 13631488) itemoff 12876 itemsize 3072 + [756289.576113] item 6 key (18446744073709551606 128 15728640) itemoff 11852 itemsize 1024 + [756289.577286] BTRFS error (device sdc): block=30720000 write time tree block corruption detected + [756289.578644] ------------[ cut here ]------------ + [756289.579376] WARNING: CPU: 0 PID: 2303929 at fs/btrfs/disk-io.c:465 csum_one_extent_buffer+0xed/0x100 [btrfs] + [756289.580857] Modules linked in: btrfs dm_zero dm_dust loop dm_snapshot (...) + [756289.591534] CPU: 0 PID: 2303929 Comm: xfs_io Tainted: G W 5.12.0-rc8-btrfs-next-87 #1 + [756289.592580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + [756289.594161] RIP: 0010:csum_one_extent_buffer+0xed/0x100 [btrfs] + [756289.595122] Code: 5d c3 e8 76 60 (...) + [756289.597509] RSP: 0018:ffffb51b416cb898 EFLAGS: 00010282 + [756289.598142] RAX: 0000000000000000 RBX: fffff02b8a365bc0 RCX: 0000000000000000 + [756289.598970] RDX: 0000000000000000 RSI: ffffffffa9112421 RDI: 00000000ffffffff + [756289.599798] RBP: ffffa06500880000 R08: 0000000000000000 R09: 0000000000000000 + [756289.600619] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 + [756289.601456] R13: ffffa0652b1d8980 R14: ffffa06500880000 R15: 0000000000000000 + [756289.602278] FS: 00007f08b23c9800(0000) GS:ffffa0682be00000(0000) knlGS:0000000000000000 + [756289.603217] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [756289.603892] CR2: 00005652f32d0138 CR3: 000000025d616003 CR4: 0000000000370ef0 + [756289.604725] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [756289.605563] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [756289.606400] Call Trace: + [756289.606704] btree_csum_one_bio+0x244/0x2b0 [btrfs] + [756289.607313] btrfs_submit_metadata_bio+0xb7/0x100 [btrfs] + [756289.608040] submit_one_bio+0x61/0x70 [btrfs] + [756289.608587] btree_write_cache_pages+0x587/0x610 [btrfs] + [756289.609258] ? free_debug_processing+0x1d5/0x240 + [756289.609812] ? __module_address+0x28/0xf0 + [756289.610298] ? lock_acquire+0x1a0/0x3e0 + [756289.610754] ? lock_acquired+0x19f/0x430 + [756289.611220] ? lock_acquire+0x1a0/0x3e0 + [756289.611675] do_writepages+0x43/0xf0 + [756289.612101] ? __filemap_fdatawrite_range+0xa4/0x100 + [756289.612800] __filemap_fdatawrite_range+0xc5/0x100 + [756289.613393] btrfs_write_marked_extents+0x68/0x160 [btrfs] + [756289.614085] btrfs_sync_log+0x21c/0xf20 [btrfs] + [756289.614661] ? finish_wait+0x90/0x90 + [756289.615096] ? __mutex_unlock_slowpath+0x45/0x2a0 + [756289.615661] ? btrfs_log_inode_parent+0x3c9/0xdc0 [btrfs] + [756289.616338] ? lock_acquire+0x1a0/0x3e0 + [756289.616801] ? lock_acquired+0x19f/0x430 + [756289.617284] ? lock_acquire+0x1a0/0x3e0 + [756289.617750] ? lock_release+0x214/0x470 + [756289.618221] ? lock_acquired+0x19f/0x430 + [756289.618704] ? dput+0x20/0x4a0 + [756289.619079] ? dput+0x20/0x4a0 + [756289.619452] ? lockref_put_or_lock+0x9/0x30 + [756289.619969] ? lock_release+0x214/0x470 + [756289.620445] ? lock_release+0x214/0x470 + [756289.620924] ? lock_release+0x214/0x470 + [756289.621415] btrfs_sync_file+0x46a/0x5b0 [btrfs] + [756289.621982] do_fsync+0x38/0x70 + [756289.622395] __x64_sys_fsync+0x10/0x20 + [756289.622907] do_syscall_64+0x33/0x80 + [756289.623438] entry_SYSCALL_64_after_hwframe+0x44/0xae + [756289.624063] RIP: 0033:0x7f08b27fbb7b + [756289.624588] Code: 0f 05 48 3d 00 (...) + [756289.626760] RSP: 002b:00007ffe2583f940 EFLAGS: 00000293 ORIG_RAX: 000000000000004a + [756289.627639] RAX: ffffffffffffffda RBX: 00005652f32cd0f0 RCX: 00007f08b27fbb7b + [756289.628464] RDX: 00005652f32cbca0 RSI: 00005652f32cd110 RDI: 0000000000000003 + [756289.629323] RBP: 00005652f32cd110 R08: 0000000000000000 R09: 00007f08b28c4be0 + [756289.630172] R10: fffffffffffff39a R11: 0000000000000293 R12: 0000000000000001 + [756289.631007] R13: 00005652f32cd0f0 R14: 0000000000000001 R15: 00005652f32cc480 + [756289.631819] irq event stamp: 0 + [756289.632188] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [756289.632911] hardirqs last disabled at (0): [] copy_process+0x879/0x1cc0 + [756289.633893] softirqs last enabled at (0): [] copy_process+0x879/0x1cc0 + [756289.634871] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [756289.635606] ---[ end trace 0a039fdc16ff3fef ]--- + [756289.636179] BTRFS: error (device sdc) in btrfs_sync_log:3136: errno=-5 IO failure + [756289.637082] BTRFS info (device sdc): forced readonly + +Having checksum items covering ranges that overlap is dangerous as in some +cases it can lead to having extent ranges for which we miss checksums +after log replay or getting the wrong checksum item. There were some fixes +in the past for bugs that resulted in this problem, and were explained and +fixed by the following commits: + + 27b9a8122ff71a ("Btrfs: fix csum tree corruption, duplicate and outdated checksums") + b84b8390d6009c ("Btrfs: fix file read corruption after extent cloning and fsync") + 40e046acbd2f36 ("Btrfs: fix missing data checksums after replaying a log tree") + e289f03ea79bbc ("btrfs: fix corrupt log due to concurrent fsync of inodes with shared extents") + +Fix the issue by making btrfs_csum_file_blocks() taking into account the +start offset of the next checksum item when it decides to extend an +existing checksum item, so that it never extends the checksum to end at a +range that goes beyond the start range of the next checksum item. + +When we can not access the next checksum item without releasing the path, +simply drop the optimization of extending the previous checksum item and +fallback to inserting a new checksum item - this happens rarely and the +optimization is not significant enough for a log tree in order to justify +the extra complexity, as it would only save a few bytes (the size of a +struct btrfs_item) of leaf space. + +This behaviour is only needed when inserting into a log tree because +for the regular checksums tree we never have a case where we try to +insert a range of checksums that overlap with a range that was previously +inserted. + +A test case for fstests will follow soon. + +Reported-by: Philipp Fent +Link: https://lore.kernel.org/linux-btrfs/93c4600e-5263-5cba-adf0-6f47526e7561@in.tum.de/ +CC: stable@vger.kernel.org # 5.4+ +Tested-by: Anand Jain +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file-item.c | 98 +++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 76 insertions(+), 22 deletions(-) + +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -735,6 +735,37 @@ int btrfs_del_csums(struct btrfs_trans_h + return ret; + } + ++static int find_next_csum_offset(struct btrfs_root *root, ++ struct btrfs_path *path, ++ u64 *next_offset) ++{ ++ const u32 nritems = btrfs_header_nritems(path->nodes[0]); ++ struct btrfs_key found_key; ++ int slot = path->slots[0] + 1; ++ int ret; ++ ++ if (nritems == 0 || slot >= nritems) { ++ ret = btrfs_next_leaf(root, path); ++ if (ret < 0) { ++ return ret; ++ } else if (ret > 0) { ++ *next_offset = (u64)-1; ++ return 0; ++ } ++ slot = path->slots[0]; ++ } ++ ++ btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot); ++ ++ if (found_key.objectid != BTRFS_EXTENT_CSUM_OBJECTID || ++ found_key.type != BTRFS_EXTENT_CSUM_KEY) ++ *next_offset = (u64)-1; ++ else ++ *next_offset = found_key.offset; ++ ++ return 0; ++} ++ + int btrfs_csum_file_blocks(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct btrfs_ordered_sum *sums) +@@ -750,7 +781,6 @@ int btrfs_csum_file_blocks(struct btrfs_ + u64 total_bytes = 0; + u64 csum_offset; + u64 bytenr; +- u32 nritems; + u32 ins_size; + int index = 0; + int found_next; +@@ -793,26 +823,10 @@ again: + goto insert; + } + } else { +- int slot = path->slots[0] + 1; +- /* we didn't find a csum item, insert one */ +- nritems = btrfs_header_nritems(path->nodes[0]); +- if (!nritems || (path->slots[0] >= nritems - 1)) { +- ret = btrfs_next_leaf(root, path); +- if (ret < 0) { +- goto out; +- } else if (ret > 0) { +- found_next = 1; +- goto insert; +- } +- slot = path->slots[0]; +- } +- btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot); +- if (found_key.objectid != BTRFS_EXTENT_CSUM_OBJECTID || +- found_key.type != BTRFS_EXTENT_CSUM_KEY) { +- found_next = 1; +- goto insert; +- } +- next_offset = found_key.offset; ++ /* We didn't find a csum item, insert one. */ ++ ret = find_next_csum_offset(root, path, &next_offset); ++ if (ret < 0) ++ goto out; + found_next = 1; + goto insert; + } +@@ -860,8 +874,48 @@ again: + tmp = sums->len - total_bytes; + tmp >>= fs_info->sb->s_blocksize_bits; + WARN_ON(tmp < 1); ++ extend_nr = max_t(int, 1, tmp); ++ ++ /* ++ * A log tree can already have checksum items with a subset of ++ * the checksums we are trying to log. This can happen after ++ * doing a sequence of partial writes into prealloc extents and ++ * fsyncs in between, with a full fsync logging a larger subrange ++ * of an extent for which a previous fast fsync logged a smaller ++ * subrange. And this happens in particular due to merging file ++ * extent items when we complete an ordered extent for a range ++ * covered by a prealloc extent - this is done at ++ * btrfs_mark_extent_written(). ++ * ++ * So if we try to extend the previous checksum item, which has ++ * a range that ends at the start of the range we want to insert, ++ * make sure we don't extend beyond the start offset of the next ++ * checksum item. If we are at the last item in the leaf, then ++ * forget the optimization of extending and add a new checksum ++ * item - it is not worth the complexity of releasing the path, ++ * getting the first key for the next leaf, repeat the btree ++ * search, etc, because log trees are temporary anyway and it ++ * would only save a few bytes of leaf space. ++ */ ++ if (root->root_key.objectid == BTRFS_TREE_LOG_OBJECTID) { ++ if (path->slots[0] + 1 >= ++ btrfs_header_nritems(path->nodes[0])) { ++ ret = find_next_csum_offset(root, path, &next_offset); ++ if (ret < 0) ++ goto out; ++ found_next = 1; ++ goto insert; ++ } ++ ++ ret = find_next_csum_offset(root, path, &next_offset); ++ if (ret < 0) ++ goto out; ++ ++ tmp = (next_offset - bytenr) >> fs_info->sectorsize_bits; ++ if (tmp <= INT_MAX) ++ extend_nr = min_t(int, extend_nr, tmp); ++ } + +- extend_nr = max_t(int, 1, (int)tmp); + diff = (csum_offset + extend_nr) * csum_size; + diff = min(diff, + MAX_CSUM_ITEMS(fs_info, csum_size) * csum_size); diff --git a/queue-5.4/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch b/queue-5.4/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch new file mode 100644 index 00000000000..dc27824ad9f --- /dev/null +++ b/queue-5.4/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch @@ -0,0 +1,85 @@ +From 011b28acf940eb61c000059dd9e2cfcbf52ed96b Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 19 May 2021 13:13:15 -0400 +Subject: btrfs: fixup error handling in fixup_inode_link_counts + +From: Josef Bacik + +commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream. + +This function has the following pattern + + while (1) { + ret = whatever(); + if (ret) + goto out; + } + ret = 0 +out: + return ret; + +However several places in this while loop we simply break; when there's +a problem, thus clearing the return value, and in one case we do a +return -EIO, and leak the memory for the path. + +Fix this by re-arranging the loop to deal with ret == 1 coming from +btrfs_search_slot, and then simply delete the + + ret = 0; +out: + +bit so everybody can break if there is an error, which will allow for +proper error handling to occur. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1775,6 +1775,7 @@ static noinline int fixup_inode_link_cou + break; + + if (ret == 1) { ++ ret = 0; + if (path->slots[0] == 0) + break; + path->slots[0]--; +@@ -1787,17 +1788,19 @@ static noinline int fixup_inode_link_cou + + ret = btrfs_del_item(trans, root, path); + if (ret) +- goto out; ++ break; + + btrfs_release_path(path); + inode = read_one_inode(root, key.offset); +- if (!inode) +- return -EIO; ++ if (!inode) { ++ ret = -EIO; ++ break; ++ } + + ret = fixup_inode_link_count(trans, root, inode); + iput(inode); + if (ret) +- goto out; ++ break; + + /* + * fixup on a directory may create new entries, +@@ -1806,8 +1809,6 @@ static noinline int fixup_inode_link_cou + */ + key.offset = (u64)-1; + } +- ret = 0; +-out: + btrfs_release_path(path); + return ret; + } diff --git a/queue-5.4/btrfs-mark-ordered-extent-and-inode-with-error-if-we-fail-to-finish.patch b/queue-5.4/btrfs-mark-ordered-extent-and-inode-with-error-if-we-fail-to-finish.patch new file mode 100644 index 00000000000..b66ac55de6b --- /dev/null +++ b/queue-5.4/btrfs-mark-ordered-extent-and-inode-with-error-if-we-fail-to-finish.patch @@ -0,0 +1,57 @@ +From d61bec08b904cf171835db98168f82bc338e92e4 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 19 May 2021 09:38:27 -0400 +Subject: btrfs: mark ordered extent and inode with error if we fail to finish + +From: Josef Bacik + +commit d61bec08b904cf171835db98168f82bc338e92e4 upstream. + +While doing error injection testing I saw that sometimes we'd get an +abort that wouldn't stop the current transaction commit from completing. +This abort was coming from finish ordered IO, but at this point in the +transaction commit we should have gotten an error and stopped. + +It turns out the abort came from finish ordered io while trying to write +out the free space cache. It occurred to me that any failure inside of +finish_ordered_io isn't actually raised to the person doing the writing, +so we could have any number of failures in this path and think the +ordered extent completed successfully and the inode was fine. + +Fix this by marking the ordered extent with BTRFS_ORDERED_IOERR, and +marking the mapping of the inode with mapping_set_error, so any callers +that simply call fdatawait will also get the error. + +With this we're seeing the IO error on the free space inode when we fail +to do the finish_ordered_io. + +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3359,6 +3359,18 @@ out: + if (ret || truncated) { + u64 start, end; + ++ /* ++ * If we failed to finish this ordered extent for any reason we ++ * need to make sure BTRFS_ORDERED_IOERR is set on the ordered ++ * extent, and mark the inode with the error if it wasn't ++ * already set. Any error during writeback would have already ++ * set the mapping error, so we need to set it if we're the ones ++ * marking this ordered extent as failed. ++ */ ++ if (ret && !test_and_set_bit(BTRFS_ORDERED_IOERR, ++ &ordered_extent->flags)) ++ mapping_set_error(ordered_extent->inode->i_mapping, -EIO); ++ + if (truncated) + start = ordered_extent->file_offset + logical_len; + else diff --git a/queue-5.4/btrfs-return-errors-from-btrfs_del_csums-in-cleanup_ref_head.patch b/queue-5.4/btrfs-return-errors-from-btrfs_del_csums-in-cleanup_ref_head.patch new file mode 100644 index 00000000000..d560ec1fe64 --- /dev/null +++ b/queue-5.4/btrfs-return-errors-from-btrfs_del_csums-in-cleanup_ref_head.patch @@ -0,0 +1,35 @@ +From 856bd270dc4db209c779ce1e9555c7641ffbc88e Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 19 May 2021 10:52:46 -0400 +Subject: btrfs: return errors from btrfs_del_csums in cleanup_ref_head + +From: Josef Bacik + +commit 856bd270dc4db209c779ce1e9555c7641ffbc88e upstream. + +We are unconditionally returning 0 in cleanup_ref_head, despite the fact +that btrfs_del_csums could fail. We need to return the error so the +transaction gets aborted properly, fix this by returning ret from +btrfs_del_csums in cleanup_ref_head. + +Reviewed-by: Qu Wenruo +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -1879,7 +1879,7 @@ static int cleanup_ref_head(struct btrfs + trace_run_delayed_ref_head(fs_info, head, 0); + btrfs_delayed_ref_unlock(head); + btrfs_put_delayed_ref_head(head); +- return 0; ++ return ret; + } + + static struct btrfs_delayed_ref_head *btrfs_obtain_ref_head( diff --git a/queue-5.4/drm-amdgpu-don-t-query-ce-and-ue-errors.patch b/queue-5.4/drm-amdgpu-don-t-query-ce-and-ue-errors.patch new file mode 100644 index 00000000000..7c5ce1ee125 --- /dev/null +++ b/queue-5.4/drm-amdgpu-don-t-query-ce-and-ue-errors.patch @@ -0,0 +1,63 @@ +From dce3d8e1d070900e0feeb06787a319ff9379212c Mon Sep 17 00:00:00 2001 +From: Luben Tuikov +Date: Wed, 12 May 2021 12:33:23 -0400 +Subject: drm/amdgpu: Don't query CE and UE errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luben Tuikov + +commit dce3d8e1d070900e0feeb06787a319ff9379212c upstream. + +On QUERY2 IOCTL don't query counts of correctable +and uncorrectable errors, since when RAS is +enabled and supported on Vega20 server boards, +this takes insurmountably long time, in O(n^3), +which slows the system down to the point of it +being unusable when we have GUI up. + +Fixes: ae363a212b14 ("drm/amdgpu: Add a new flag to AMDGPU_CTX_OP_QUERY_STATE2") +Cc: Alexander Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Luben Tuikov +Reviewed-by: Alexander Deucher +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c +@@ -351,7 +351,6 @@ static int amdgpu_ctx_query2(struct amdg + { + struct amdgpu_ctx *ctx; + struct amdgpu_ctx_mgr *mgr; +- unsigned long ras_counter; + + if (!fpriv) + return -EINVAL; +@@ -376,21 +375,6 @@ static int amdgpu_ctx_query2(struct amdg + if (atomic_read(&ctx->guilty)) + out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_GUILTY; + +- /*query ue count*/ +- ras_counter = amdgpu_ras_query_error_count(adev, false); +- /*ras counter is monotonic increasing*/ +- if (ras_counter != ctx->ras_counter_ue) { +- out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_RAS_UE; +- ctx->ras_counter_ue = ras_counter; +- } +- +- /*query ce count*/ +- ras_counter = amdgpu_ras_query_error_count(adev, true); +- if (ras_counter != ctx->ras_counter_ce) { +- out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_RAS_CE; +- ctx->ras_counter_ce = ras_counter; +- } +- + mutex_unlock(&mgr->lock); + return 0; + } diff --git a/queue-5.4/drm-amdgpu-make-sure-we-unpin-the-uvd-bo.patch b/queue-5.4/drm-amdgpu-make-sure-we-unpin-the-uvd-bo.patch new file mode 100644 index 00000000000..c96bf1fec1f --- /dev/null +++ b/queue-5.4/drm-amdgpu-make-sure-we-unpin-the-uvd-bo.patch @@ -0,0 +1,35 @@ +From 07438603a07e52f1c6aa731842bd298d2725b7be Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Fri, 28 May 2021 16:54:16 +0200 +Subject: drm/amdgpu: make sure we unpin the UVD BO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +commit 07438603a07e52f1c6aa731842bd298d2725b7be upstream. + +Releasing pinned BOs is illegal now. UVD 6 was missing from: +commit 2f40801dc553 ("drm/amdgpu: make sure we unpin the UVD BO") + +Fixes: 2f40801dc553 ("drm/amdgpu: make sure we unpin the UVD BO") +Cc: stable@vger.kernel.org +Signed-off-by: Nirmoy Das +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +@@ -354,6 +354,7 @@ static int uvd_v6_0_enc_ring_test_ib(str + + error: + dma_fence_put(fence); ++ amdgpu_bo_unpin(bo); + amdgpu_bo_unreserve(bo); + amdgpu_bo_unref(&bo); + return r; diff --git a/queue-5.4/nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch b/queue-5.4/nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch new file mode 100644 index 00000000000..4c628ccec9a --- /dev/null +++ b/queue-5.4/nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch @@ -0,0 +1,59 @@ +From 4ac06a1e013cf5fdd963317ffd3b968560f33bba Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 31 May 2021 09:21:38 +0200 +Subject: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect + +From: Krzysztof Kozlowski + +commit 4ac06a1e013cf5fdd963317ffd3b968560f33bba upstream. + +It's possible to trigger NULL pointer dereference by local unprivileged +user, when calling getsockname() after failed bind() (e.g. the bind +fails because LLCP_SAP_MAX used as SAP): + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014 + Call Trace: + llcp_sock_getname+0xb1/0xe0 + __sys_getpeername+0x95/0xc0 + ? lockdep_hardirqs_on_prepare+0xd5/0x180 + ? syscall_enter_from_user_mode+0x1c/0x40 + __x64_sys_getpeername+0x11/0x20 + do_syscall_64+0x36/0x70 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This can be reproduced with Syzkaller C repro (bind followed by +getpeername): +https://syzkaller.appspot.com/x/repro.c?x=14def446e00000 + +Cc: +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com +Reported-by: butt3rflyh4ck +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20210531072138.5219-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -110,6 +110,7 @@ static int llcp_sock_bind(struct socket + if (!llcp_sock->service_name) { + nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ++ llcp_sock->dev = NULL; + ret = -ENOMEM; + goto put_dev; + } +@@ -119,6 +120,7 @@ static int llcp_sock_bind(struct socket + llcp_sock->local = NULL; + kfree(llcp_sock->service_name); + llcp_sock->service_name = NULL; ++ llcp_sock->dev = NULL; + ret = -EADDRINUSE; + goto put_dev; + } diff --git a/queue-5.4/ocfs2-fix-data-corruption-by-fallocate.patch b/queue-5.4/ocfs2-fix-data-corruption-by-fallocate.patch new file mode 100644 index 00000000000..4aa41cfaab2 --- /dev/null +++ b/queue-5.4/ocfs2-fix-data-corruption-by-fallocate.patch @@ -0,0 +1,148 @@ +From 6bba4471f0cc1296fe3c2089b9e52442d3074b2e Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Fri, 4 Jun 2021 20:01:42 -0700 +Subject: ocfs2: fix data corruption by fallocate + +From: Junxiao Bi + +commit 6bba4471f0cc1296fe3c2089b9e52442d3074b2e upstream. + +When fallocate punches holes out of inode size, if original isize is in +the middle of last cluster, then the part from isize to the end of the +cluster will be zeroed with buffer write, at that time isize is not yet +updated to match the new size, if writeback is kicked in, it will invoke +ocfs2_writepage()->block_write_full_page() where the pages out of inode +size will be dropped. That will cause file corruption. Fix this by +zero out eof blocks when extending the inode size. + +Running the following command with qemu-image 4.2.1 can get a corrupted +coverted image file easily. + + qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ + -O qcow2 -o compat=1.1 $qcow_image.conv + +The usage of fallocate in qemu is like this, it first punches holes out +of inode size, then extend the inode size. + + fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 + fallocate(11, 0, 2276196352, 65536) = 0 + +v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html +v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/ + +Link: https://lkml.kernel.org/r/20210528210648.9124-1-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Joseph Qi +Cc: Jan Kara +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 50 insertions(+), 5 deletions(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1856,6 +1856,45 @@ out: + } + + /* ++ * zero out partial blocks of one cluster. ++ * ++ * start: file offset where zero starts, will be made upper block aligned. ++ * len: it will be trimmed to the end of current cluster if "start + len" ++ * is bigger than it. ++ */ ++static int ocfs2_zeroout_partial_cluster(struct inode *inode, ++ u64 start, u64 len) ++{ ++ int ret; ++ u64 start_block, end_block, nr_blocks; ++ u64 p_block, offset; ++ u32 cluster, p_cluster, nr_clusters; ++ struct super_block *sb = inode->i_sb; ++ u64 end = ocfs2_align_bytes_to_clusters(sb, start); ++ ++ if (start + len < end) ++ end = start + len; ++ ++ start_block = ocfs2_blocks_for_bytes(sb, start); ++ end_block = ocfs2_blocks_for_bytes(sb, end); ++ nr_blocks = end_block - start_block; ++ if (!nr_blocks) ++ return 0; ++ ++ cluster = ocfs2_bytes_to_clusters(sb, start); ++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster, ++ &nr_clusters, NULL); ++ if (ret) ++ return ret; ++ if (!p_cluster) ++ return 0; ++ ++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster); ++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset; ++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS); ++} ++ ++/* + * Parts of this function taken from xfs_change_file_space() + */ + static int __ocfs2_change_file_space(struct file *file, struct inode *inode, +@@ -1865,7 +1904,7 @@ static int __ocfs2_change_file_space(str + { + int ret; + s64 llen; +- loff_t size; ++ loff_t size, orig_isize; + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + struct buffer_head *di_bh = NULL; + handle_t *handle; +@@ -1896,6 +1935,7 @@ static int __ocfs2_change_file_space(str + goto out_inode_unlock; + } + ++ orig_isize = i_size_read(inode); + switch (sr->l_whence) { + case 0: /*SEEK_SET*/ + break; +@@ -1903,7 +1943,7 @@ static int __ocfs2_change_file_space(str + sr->l_start += f_pos; + break; + case 2: /*SEEK_END*/ +- sr->l_start += i_size_read(inode); ++ sr->l_start += orig_isize; + break; + default: + ret = -EINVAL; +@@ -1957,6 +1997,14 @@ static int __ocfs2_change_file_space(str + default: + ret = -EINVAL; + } ++ ++ /* zeroout eof blocks in the cluster. */ ++ if (!ret && change_size && orig_isize < size) { ++ ret = ocfs2_zeroout_partial_cluster(inode, orig_isize, ++ size - orig_isize); ++ if (!ret) ++ i_size_write(inode, size); ++ } + up_write(&OCFS2_I(inode)->ip_alloc_sem); + if (ret) { + mlog_errno(ret); +@@ -1973,9 +2021,6 @@ static int __ocfs2_change_file_space(str + goto out_inode_unlock; + } + +- if (change_size && i_size_read(inode) < size) +- i_size_write(inode, size); +- + inode->i_ctime = inode->i_mtime = current_time(inode); + ret = ocfs2_mark_inode_dirty(handle, inode, di_bh); + if (ret < 0) diff --git a/queue-5.4/series b/queue-5.4/series index ce5a32d5e5e..132ebb6b577 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -51,3 +51,13 @@ arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch usb-dwc2-fix-build-in-periphal-only-mode.patch pid-take-a-reference-when-initializing-cad_pid.patch +ocfs2-fix-data-corruption-by-fallocate.patch +nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch +drm-amdgpu-don-t-query-ce-and-ue-errors.patch +drm-amdgpu-make-sure-we-unpin-the-uvd-bo.patch +x86-apic-mark-_all_-legacy-interrupts-when-io-apic-is-missing.patch +btrfs-mark-ordered-extent-and-inode-with-error-if-we-fail-to-finish.patch +btrfs-fix-error-handling-in-btrfs_del_csums.patch +btrfs-return-errors-from-btrfs_del_csums-in-cleanup_ref_head.patch +btrfs-fix-fsync-failure-and-transaction-abort-after-writes-to-prealloc-extents.patch +btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch diff --git a/queue-5.4/x86-apic-mark-_all_-legacy-interrupts-when-io-apic-is-missing.patch b/queue-5.4/x86-apic-mark-_all_-legacy-interrupts-when-io-apic-is-missing.patch new file mode 100644 index 00000000000..22bb691e894 --- /dev/null +++ b/queue-5.4/x86-apic-mark-_all_-legacy-interrupts-when-io-apic-is-missing.patch @@ -0,0 +1,95 @@ +From 7d65f9e80646c595e8c853640a9d0768a33e204c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 25 May 2021 13:08:41 +0200 +Subject: x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing + +From: Thomas Gleixner + +commit 7d65f9e80646c595e8c853640a9d0768a33e204c upstream. + +PIC interrupts do not support affinity setting and they can end up on +any online CPU. Therefore, it's required to mark the associated vectors +as system-wide reserved. Otherwise, the corresponding irq descriptors +are copied to the secondary CPUs but the vectors are not marked as +assigned or reserved. This works correctly for the IO/APIC case. + +When the IO/APIC is disabled via config, kernel command line or lack of +enumeration then all legacy interrupts are routed through the PIC, but +nothing marks them as system-wide reserved vectors. + +As a consequence, a subsequent allocation on a secondary CPU can result in +allocating one of these vectors, which triggers the BUG() in +apic_update_vector() because the interrupt descriptor slot is not empty. + +Imran tried to work around that by marking those interrupts as allocated +when a CPU comes online. But that's wrong in case that the IO/APIC is +available and one of the legacy interrupts, e.g. IRQ0, has been switched to +PIC mode because then marking them as allocated will fail as they are +already marked as system vectors. + +Stay consistent and update the legacy vectors after attempting IO/APIC +initialization and mark them as system vectors in case that no IO/APIC is +available. + +Fixes: 69cde0004a4b ("x86/vector: Use matrix allocator for vector assignment") +Reported-by: Imran Khan +Signed-off-by: Thomas Gleixner +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20210519233928.2157496-1-imran.f.khan@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/apic.h | 1 + + arch/x86/kernel/apic/apic.c | 1 + + arch/x86/kernel/apic/vector.c | 20 ++++++++++++++++++++ + 3 files changed, 22 insertions(+) + +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -174,6 +174,7 @@ static inline int apic_is_clustered_box( + extern int setup_APIC_eilvt(u8 lvt_off, u8 vector, u8 msg_type, u8 mask); + extern void lapic_assign_system_vectors(void); + extern void lapic_assign_legacy_vector(unsigned int isairq, bool replace); ++extern void lapic_update_legacy_vectors(void); + extern void lapic_online(void); + extern void lapic_offline(void); + extern bool apic_needs_pit(void); +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -2579,6 +2579,7 @@ static void __init apic_bsp_setup(bool u + end_local_APIC_setup(); + irq_remap_enable_fault_handling(); + setup_IO_APIC(); ++ lapic_update_legacy_vectors(); + } + + #ifdef CONFIG_UP_LATE_INIT +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -680,6 +680,26 @@ void lapic_assign_legacy_vector(unsigned + irq_matrix_assign_system(vector_matrix, ISA_IRQ_VECTOR(irq), replace); + } + ++void __init lapic_update_legacy_vectors(void) ++{ ++ unsigned int i; ++ ++ if (IS_ENABLED(CONFIG_X86_IO_APIC) && nr_ioapics > 0) ++ return; ++ ++ /* ++ * If the IO/APIC is disabled via config, kernel command line or ++ * lack of enumeration then all legacy interrupts are routed ++ * through the PIC. Make sure that they are marked as legacy ++ * vectors. PIC_CASCADE_IRQ has already been marked in ++ * lapic_assign_system_vectors(). ++ */ ++ for (i = 0; i < nr_legacy_irqs(); i++) { ++ if (i != PIC_CASCADE_IR) ++ lapic_assign_legacy_vector(i, true); ++ } ++} ++ + void __init lapic_assign_system_vectors(void) + { + unsigned int i, vector = 0;