From 73554d94eea503b1d6c190878149b09d402e3d72 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 15 Jan 2019 09:43:34 +0100 Subject: [PATCH] 4.14-stable patches added patches: drm-amdgpu-validate-user-gem-object-size.patch drm-amdgpu-validate-user-pitch-alignment.patch drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch --- ...amdgpu-validate-user-gem-object-size.patch | 54 +++++ ...amdgpu-validate-user-pitch-alignment.patch | 46 ++++ ...-back-workaround-for-bugs-of-sdl-1.2.patch | 218 ++++++++++++++++++ ...ting-the-superblock-to-a-dead-device.patch | 42 ++++ ...ap-page-fault-deadlock-w-inline_data.patch | 46 ++++ ...e-reserved-for-dioread_nolock-writes.patch | 44 ++++ ...-the-generic-tracking-infrastructure.patch | 33 +++ ...te_inode-when-fsyncing-w-o-a-journal.patch | 53 +++++ ...nmap-if-rbd_dev_flag_removing-is-set.patch | 60 +++++ queue-4.14/series | 9 + 10 files changed, 605 insertions(+) create mode 100644 queue-4.14/drm-amdgpu-validate-user-gem-object-size.patch create mode 100644 queue-4.14/drm-amdgpu-validate-user-pitch-alignment.patch create mode 100644 queue-4.14/drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch create mode 100644 queue-4.14/ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch create mode 100644 queue-4.14/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch create mode 100644 queue-4.14/ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch create mode 100644 queue-4.14/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch create mode 100644 queue-4.14/ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch create mode 100644 queue-4.14/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch diff --git a/queue-4.14/drm-amdgpu-validate-user-gem-object-size.patch b/queue-4.14/drm-amdgpu-validate-user-gem-object-size.patch new file mode 100644 index 00000000000..268a6ceabec --- /dev/null +++ b/queue-4.14/drm-amdgpu-validate-user-gem-object-size.patch @@ -0,0 +1,54 @@ +From c4a32b266da7bb702e60381ca0c35eaddbc89a6c Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Mon, 7 Jan 2019 15:51:15 -0700 +Subject: drm/amdgpu: validate user GEM object size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Zhao + +commit c4a32b266da7bb702e60381ca0c35eaddbc89a6c upstream. + +When creating frame buffer, userspace may request to attach to a +previously allocated GEM object that is smaller than what GPU +requires. Validation must be done to prevent out-of-bound DMA, +otherwise it could be exploited to reveal sensitive data. + +This fix is not done in a common code path because individual +driver might have different requirement. + +Cc: stable@vger.kernel.org # v4.2+ +Reviewed-by: Michel Dänzer +Signed-off-by: Yu Zhao +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -526,6 +526,7 @@ amdgpu_user_framebuffer_create(struct dr + struct drm_gem_object *obj; + struct amdgpu_framebuffer *amdgpu_fb; + int ret; ++ int height; + struct amdgpu_device *adev = dev->dev_private; + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); + int pitch = mode_cmd->pitches[0] / cpp; +@@ -550,6 +551,13 @@ amdgpu_user_framebuffer_create(struct dr + return ERR_PTR(-EINVAL); + } + ++ height = ALIGN(mode_cmd->height, 8); ++ if (obj->size < pitch * height) { ++ DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n", ++ pitch * height, obj->size); ++ return ERR_PTR(-EINVAL); ++ } ++ + amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL); + if (amdgpu_fb == NULL) { + drm_gem_object_put_unlocked(obj); diff --git a/queue-4.14/drm-amdgpu-validate-user-pitch-alignment.patch b/queue-4.14/drm-amdgpu-validate-user-pitch-alignment.patch new file mode 100644 index 00000000000..d6b1002d2bd --- /dev/null +++ b/queue-4.14/drm-amdgpu-validate-user-pitch-alignment.patch @@ -0,0 +1,46 @@ +From 89f23b6efef554766177bf51aa754bce14c3e7da Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Mon, 7 Jan 2019 15:51:14 -0700 +Subject: drm/amdgpu: validate user pitch alignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Zhao + +commit 89f23b6efef554766177bf51aa754bce14c3e7da upstream. + +Userspace may request pitch alignment that is not supported by GPU. +Some requests 32, but GPU ignores it and uses default 64 when cpp is +4. If GEM object is allocated based on the smaller alignment, GPU +DMA will go out of bound. + +Cc: stable@vger.kernel.org # v4.2+ +Reviewed-by: Michel Dänzer +Signed-off-by: Yu Zhao +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -526,6 +526,16 @@ amdgpu_user_framebuffer_create(struct dr + struct drm_gem_object *obj; + struct amdgpu_framebuffer *amdgpu_fb; + int ret; ++ struct amdgpu_device *adev = dev->dev_private; ++ int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); ++ int pitch = mode_cmd->pitches[0] / cpp; ++ ++ pitch = amdgpu_align_pitch(adev, pitch, cpp, false); ++ if (mode_cmd->pitches[0] != pitch) { ++ DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n", ++ pitch, mode_cmd->pitches[0]); ++ return ERR_PTR(-EINVAL); ++ } + + obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]); + if (obj == NULL) { diff --git a/queue-4.14/drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch b/queue-4.14/drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch new file mode 100644 index 00000000000..d53366907bc --- /dev/null +++ b/queue-4.14/drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch @@ -0,0 +1,218 @@ +From 62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e Mon Sep 17 00:00:00 2001 +From: Ivan Mironov +Date: Tue, 8 Jan 2019 12:23:52 +0500 +Subject: drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 + +From: Ivan Mironov + +commit 62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e upstream. + +SDL 1.2 sets all fields related to the pixel format to zero in some +cases[1]. Prior to commit db05c48197759 ("drm: fb-helper: Reject all +pixel format changing requests"), there was an unintentional workaround +for this that existed for more than a decade. First in device-specific DRM +drivers, then here in drm_fb_helper.c. + +Previous code containing this workaround just ignores pixel format fields +from userspace code. Not a good thing either, as this way, driver may +silently use pixel format different from what client actually requested, +and this in turn will lead to displaying garbage on the screen. I think +that returning EINVAL to userspace in this particular case is the right +option, so I decided to left code from problematic commit untouched +instead of just reverting it entirely. + +Here is the steps required to reproduce this problem exactly: + 1) Compile fceux[2] with SDL 1.2.15 and without GTK or OpenGL + support. SDL should be compiled with fbdev support (which is + on by default). + 2) Create /etc/fb.modes with following contents (values seems + not used, and just required to trigger problematic code in + SDL): + + mode "test" + geometry 1 1 1 1 1 + timings 1 1 1 1 1 1 1 + endmode + + 3) Create ~/.fceux/fceux.cfg with following contents: + + SDL.Hotkeys.Quit = 27 + SDL.DoubleBuffering = 1 + + 4) Ensure that screen resolution is at least 1280x960 (e.g. + append "video=Virtual-1:1280x960-32" to the kernel cmdline + for qemu/QXL). + + 5) Try to run fceux on VT with some ROM file[3]: + + # ./fceux color_test.nes + +[1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c, + FB_SetVideoMode() +[2] http://www.fceux.com +[3] Example ROM: https://github.com/bokuweb/rustynes/blob/master/roms/color_test.nes + +Reported-by: saahriktu +Suggested-by: saahriktu +Cc: stable@vger.kernel.org +Fixes: db05c48197759 ("drm: fb-helper: Reject all pixel format changing requests") +Signed-off-by: Ivan Mironov +[danvet: Delete misleading comment.] +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com +Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_fb_helper.c | 126 +++++++++++++++++++++++----------------- + 1 file changed, 73 insertions(+), 53 deletions(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1509,6 +1509,64 @@ static bool drm_fb_pixel_format_equal(co + var_1->transp.msb_right == var_2->transp.msb_right; + } + ++static void drm_fb_helper_fill_pixel_fmt(struct fb_var_screeninfo *var, ++ u8 depth) ++{ ++ switch (depth) { ++ case 8: ++ var->red.offset = 0; ++ var->green.offset = 0; ++ var->blue.offset = 0; ++ var->red.length = 8; /* 8bit DAC */ ++ var->green.length = 8; ++ var->blue.length = 8; ++ var->transp.offset = 0; ++ var->transp.length = 0; ++ break; ++ case 15: ++ var->red.offset = 10; ++ var->green.offset = 5; ++ var->blue.offset = 0; ++ var->red.length = 5; ++ var->green.length = 5; ++ var->blue.length = 5; ++ var->transp.offset = 15; ++ var->transp.length = 1; ++ break; ++ case 16: ++ var->red.offset = 11; ++ var->green.offset = 5; ++ var->blue.offset = 0; ++ var->red.length = 5; ++ var->green.length = 6; ++ var->blue.length = 5; ++ var->transp.offset = 0; ++ break; ++ case 24: ++ var->red.offset = 16; ++ var->green.offset = 8; ++ var->blue.offset = 0; ++ var->red.length = 8; ++ var->green.length = 8; ++ var->blue.length = 8; ++ var->transp.offset = 0; ++ var->transp.length = 0; ++ break; ++ case 32: ++ var->red.offset = 16; ++ var->green.offset = 8; ++ var->blue.offset = 0; ++ var->red.length = 8; ++ var->green.length = 8; ++ var->blue.length = 8; ++ var->transp.offset = 24; ++ var->transp.length = 8; ++ break; ++ default: ++ break; ++ } ++} ++ + /** + * drm_fb_helper_check_var - implementation for &fb_ops.fb_check_var + * @var: screeninfo to check +@@ -1539,6 +1597,20 @@ int drm_fb_helper_check_var(struct fb_va + } + + /* ++ * Workaround for SDL 1.2, which is known to be setting all pixel format ++ * fields values to zero in some cases. We treat this situation as a ++ * kind of "use some reasonable autodetected values". ++ */ ++ if (!var->red.offset && !var->green.offset && ++ !var->blue.offset && !var->transp.offset && ++ !var->red.length && !var->green.length && ++ !var->blue.length && !var->transp.length && ++ !var->red.msb_right && !var->green.msb_right && ++ !var->blue.msb_right && !var->transp.msb_right) { ++ drm_fb_helper_fill_pixel_fmt(var, fb->format->depth); ++ } ++ ++ /* + * drm fbdev emulation doesn't support changing the pixel format at all, + * so reject all pixel format changing requests. + */ +@@ -1848,59 +1920,7 @@ void drm_fb_helper_fill_var(struct fb_in + info->var.yoffset = 0; + info->var.activate = FB_ACTIVATE_NOW; + +- switch (fb->format->depth) { +- case 8: +- info->var.red.offset = 0; +- info->var.green.offset = 0; +- info->var.blue.offset = 0; +- info->var.red.length = 8; /* 8bit DAC */ +- info->var.green.length = 8; +- info->var.blue.length = 8; +- info->var.transp.offset = 0; +- info->var.transp.length = 0; +- break; +- case 15: +- info->var.red.offset = 10; +- info->var.green.offset = 5; +- info->var.blue.offset = 0; +- info->var.red.length = 5; +- info->var.green.length = 5; +- info->var.blue.length = 5; +- info->var.transp.offset = 15; +- info->var.transp.length = 1; +- break; +- case 16: +- info->var.red.offset = 11; +- info->var.green.offset = 5; +- info->var.blue.offset = 0; +- info->var.red.length = 5; +- info->var.green.length = 6; +- info->var.blue.length = 5; +- info->var.transp.offset = 0; +- break; +- case 24: +- info->var.red.offset = 16; +- info->var.green.offset = 8; +- info->var.blue.offset = 0; +- info->var.red.length = 8; +- info->var.green.length = 8; +- info->var.blue.length = 8; +- info->var.transp.offset = 0; +- info->var.transp.length = 0; +- break; +- case 32: +- info->var.red.offset = 16; +- info->var.green.offset = 8; +- info->var.blue.offset = 0; +- info->var.red.length = 8; +- info->var.green.length = 8; +- info->var.blue.length = 8; +- info->var.transp.offset = 24; +- info->var.transp.length = 8; +- break; +- default: +- break; +- } ++ drm_fb_helper_fill_pixel_fmt(&info->var, fb->format->depth); + + info->var.xres = fb_width; + info->var.yres = fb_height; diff --git a/queue-4.14/ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch b/queue-4.14/ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch new file mode 100644 index 00000000000..3727b6360a0 --- /dev/null +++ b/queue-4.14/ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch @@ -0,0 +1,42 @@ +From e86807862e6880809f191c4cea7f88a489f0ed34 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 30 Dec 2018 23:20:39 -0500 +Subject: ext4: avoid kernel warning when writing the superblock to a dead device + +From: Theodore Ts'o + +commit e86807862e6880809f191c4cea7f88a489f0ed34 upstream. + +The xfstests generic/475 test switches the underlying device with +dm-error while running a stress test. This results in a large number +of file system errors, and since we can't lock the buffer head when +marking the superblock dirty in the ext4_grp_locked_error() case, it's +possible the superblock to be !buffer_uptodate() without +buffer_write_io_error() being true. + +We need to set buffer_uptodate() before we call mark_buffer_dirty() or +this will trigger a WARN_ON. It's safe to do this since the +superblock must have been properly read into memory or the mount would +have been successful. So if buffer_uptodate() is not set, we can +safely assume that this happened due to a failed attempt to write the +superblock. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4844,7 +4844,7 @@ static int ext4_commit_super(struct supe + ext4_superblock_csum_set(sb); + if (sync) + lock_buffer(sbh); +- if (buffer_write_io_error(sbh)) { ++ if (buffer_write_io_error(sbh) || !buffer_uptodate(sbh)) { + /* + * Oh, dear. A previous attempt to write the + * superblock failed. This could happen because the diff --git a/queue-4.14/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch b/queue-4.14/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch new file mode 100644 index 00000000000..4b46e968163 --- /dev/null +++ b/queue-4.14/ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch @@ -0,0 +1,46 @@ +From 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 25 Dec 2018 00:56:33 -0500 +Subject: ext4: fix a potential fiemap/page fault deadlock w/ inline_data + +From: Theodore Ts'o + +commit 2b08b1f12cd664dc7d5c84ead9ff25ae97ad5491 upstream. + +The ext4_inline_data_fiemap() function calls fiemap_fill_next_extent() +while still holding the xattr semaphore. This is not necessary and it +triggers a circular lockdep warning. This is because +fiemap_fill_next_extent() could trigger a page fault when it writes +into page which triggers a page fault. If that page is mmaped from +the inline file in question, this could very well result in a +deadlock. + +This problem can be reproduced using generic/519 with a file system +configuration which has the inline_data feature enabled. + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1864,12 +1864,12 @@ int ext4_inline_data_fiemap(struct inode + physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data; + physical += offsetof(struct ext4_inode, i_block); + +- if (physical) +- error = fiemap_fill_next_extent(fieinfo, start, physical, +- inline_len, flags); + brelse(iloc.bh); + out: + up_read(&EXT4_I(inode)->xattr_sem); ++ if (physical) ++ error = fiemap_fill_next_extent(fieinfo, start, physical, ++ inline_len, flags); + return (error < 0 ? error : 0); + } + diff --git a/queue-4.14/ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch b/queue-4.14/ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch new file mode 100644 index 00000000000..94da4d7386f --- /dev/null +++ b/queue-4.14/ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch @@ -0,0 +1,44 @@ +From 812c0cab2c0dfad977605dbadf9148490ca5d93f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 24 Dec 2018 20:27:08 -0500 +Subject: ext4: make sure enough credits are reserved for dioread_nolock writes + +From: Theodore Ts'o + +commit 812c0cab2c0dfad977605dbadf9148490ca5d93f upstream. + +There are enough credits reserved for most dioread_nolock writes; +however, if the extent tree is sufficiently deep, and/or quota is +enabled, the code was not allowing for all eventualities when +reserving journal credits for the unwritten extent conversion. + +This problem can be seen using xfstests ext4/034: + + WARNING: CPU: 1 PID: 257 at fs/ext4/ext4_jbd2.c:271 __ext4_handle_dirty_metadata+0x10c/0x180 + Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work + RIP: 0010:__ext4_handle_dirty_metadata+0x10c/0x180 + ... + EXT4-fs: ext4_free_blocks:4938: aborting transaction: error 28 in __ext4_handle_dirty_metadata + EXT4: jbd2_journal_dirty_metadata failed: handle type 11 started at line 4921, credits 4/0, errcode -28 + EXT4-fs error (device dm-1) in ext4_free_blocks:4950: error 28 + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2776,7 +2776,8 @@ static int ext4_writepages(struct addres + * We may need to convert up to one extent per block in + * the page and we may dirty the inode. + */ +- rsv_blocks = 1 + (PAGE_SIZE >> inode->i_blkbits); ++ rsv_blocks = 1 + ext4_chunk_trans_blocks(inode, ++ PAGE_SIZE >> inode->i_blkbits); + } + + /* diff --git a/queue-4.14/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch b/queue-4.14/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch new file mode 100644 index 00000000000..a0acd73fb6d --- /dev/null +++ b/queue-4.14/ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch @@ -0,0 +1,33 @@ +From 95cb67138746451cc84cf8e516e14989746e93b0 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 31 Dec 2018 00:11:07 -0500 +Subject: ext4: track writeback errors using the generic tracking infrastructure + +From: Theodore Ts'o + +commit 95cb67138746451cc84cf8e516e14989746e93b0 upstream. + +We already using mapping_set_error() in fs/ext4/page_io.c, so all we +need to do is to use file_check_and_advance_wb_err() when handling +fsync() requests in ext4_sync_file(). + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/fsync.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/fsync.c ++++ b/fs/ext4/fsync.c +@@ -164,6 +164,9 @@ int ext4_sync_file(struct file *file, lo + ret = err; + } + out: ++ err = file_check_and_advance_wb_err(file); ++ if (ret == 0) ++ ret = err; + trace_ext4_sync_file_exit(inode, ret); + return ret; + } diff --git a/queue-4.14/ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch b/queue-4.14/ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch new file mode 100644 index 00000000000..666a1fd8a60 --- /dev/null +++ b/queue-4.14/ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch @@ -0,0 +1,53 @@ +From ad211f3e94b314a910d4af03178a0b52a7d1ee0a Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 31 Dec 2018 00:10:48 -0500 +Subject: ext4: use ext4_write_inode() when fsyncing w/o a journal + +From: Theodore Ts'o + +commit ad211f3e94b314a910d4af03178a0b52a7d1ee0a upstream. + +In no-journal mode, we previously used __generic_file_fsync() in +no-journal mode. This triggers a lockdep warning, and in addition, +it's not safe to depend on the inode writeback mechanism in the case +ext4. We can solve both problems by calling ext4_write_inode() +directly. + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/fsync.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/ext4/fsync.c ++++ b/fs/ext4/fsync.c +@@ -116,8 +116,16 @@ int ext4_sync_file(struct file *file, lo + goto out; + } + ++ ret = file_write_and_wait_range(file, start, end); ++ if (ret) ++ return ret; ++ + if (!journal) { +- ret = __generic_file_fsync(file, start, end, datasync); ++ struct writeback_control wbc = { ++ .sync_mode = WB_SYNC_ALL ++ }; ++ ++ ret = ext4_write_inode(inode, &wbc); + if (!ret) + ret = ext4_sync_parent(inode); + if (test_opt(inode->i_sb, BARRIER)) +@@ -125,9 +133,6 @@ int ext4_sync_file(struct file *file, lo + goto out; + } + +- ret = file_write_and_wait_range(file, start, end); +- if (ret) +- return ret; + /* + * data=writeback,ordered: + * The caller's filemap_fdatawrite()/wait will sync the data. diff --git a/queue-4.14/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch b/queue-4.14/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch new file mode 100644 index 00000000000..506b7e05f3f --- /dev/null +++ b/queue-4.14/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch @@ -0,0 +1,60 @@ +From 85f5a4d666fd9be73856ed16bb36c5af5b406b29 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 8 Jan 2019 19:47:38 +0100 +Subject: rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set + +From: Ilya Dryomov + +commit 85f5a4d666fd9be73856ed16bb36c5af5b406b29 upstream. + +There is a window between when RBD_DEV_FLAG_REMOVING is set and when +the device is removed from rbd_dev_list. During this window, we set +"already" and return 0. + +Returning 0 from write(2) can confuse userspace tools because +0 indicates that nothing was written. In particular, "rbd unmap" +will retry the write multiple times a second: + + 10:28:05.463299 write(4, "0", 1) = 0 + 10:28:05.463509 write(4, "0", 1) = 0 + 10:28:05.463720 write(4, "0", 1) = 0 + 10:28:05.463942 write(4, "0", 1) = 0 + 10:28:05.464155 write(4, "0", 1) = 0 + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Tested-by: Dongsheng Yang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -6308,7 +6308,6 @@ static ssize_t do_rbd_remove(struct bus_ + struct list_head *tmp; + int dev_id; + char opt_buf[6]; +- bool already = false; + bool force = false; + int ret; + +@@ -6341,13 +6340,13 @@ static ssize_t do_rbd_remove(struct bus_ + spin_lock_irq(&rbd_dev->lock); + if (rbd_dev->open_count && !force) + ret = -EBUSY; +- else +- already = test_and_set_bit(RBD_DEV_FLAG_REMOVING, +- &rbd_dev->flags); ++ else if (test_and_set_bit(RBD_DEV_FLAG_REMOVING, ++ &rbd_dev->flags)) ++ ret = -EINPROGRESS; + spin_unlock_irq(&rbd_dev->lock); + } + spin_unlock(&rbd_dev_list_lock); +- if (ret < 0 || already) ++ if (ret) + return ret; + + if (force) { diff --git a/queue-4.14/series b/queue-4.14/series index ddf3a0ebc13..2bc06e22582 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,12 @@ mm-memcg-fix-reclaim-deadlock-with-writeback.patch acpi-power-skip-duplicate-power-resource-references-in-_prx.patch acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch +drm-fb-helper-partially-bring-back-workaround-for-bugs-of-sdl-1.2.patch +drm-amdgpu-validate-user-pitch-alignment.patch +drm-amdgpu-validate-user-gem-object-size.patch +rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch +ext4-make-sure-enough-credits-are-reserved-for-dioread_nolock-writes.patch +ext4-fix-a-potential-fiemap-page-fault-deadlock-w-inline_data.patch +ext4-avoid-kernel-warning-when-writing-the-superblock-to-a-dead-device.patch +ext4-use-ext4_write_inode-when-fsyncing-w-o-a-journal.patch +ext4-track-writeback-errors-using-the-generic-tracking-infrastructure.patch -- 2.47.3