From 75fb523a227b95e6b699d686938c82f493129246 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 29 May 2020 11:05:02 -0400
Subject: [PATCH] Fixes for 4.4
Signed-off-by: Sasha Levin
---
 ...ace-between-read_waiter-and-read_cop.patch | 126 ++++++++++++++++++
 ...-fix-null-pointer-check-in-cifs_read.patch | 36 +++++
 ...quota_unhold-if-quotas-are-not-locke.patch | 46 +++++++
 queue-4.4/series | 4 +
 ...y-fix-redundant-initialization-warni.patch | 63 +++++++++
 5 files changed, 275 insertions(+)
 create mode 100644 queue-4.4/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
 create mode 100644 queue-4.4/cifs-fix-null-pointer-check-in-cifs_read.patch
 create mode 100644 queue-4.4/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
 create mode 100644 queue-4.4/usb-gadget-legacy-fix-redundant-initialization-warni.patch
diff --git a/queue-4.4/cachefiles-fix-race-between-read_waiter-and-read_cop.patch b/queue-4.4/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
new file mode 100644
index 00000000000..5aa04004979
--- /dev/null
+++ b/queue-4.4/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
@@ -0,0 +1,126 @@
+From c960127f69d861cbe86d5803c3aaafb669d7fe8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 May 2020 08:50:22 -0400
+Subject: cachefiles: Fix race between read_waiter and read_copier involving
+ op->to_do
+
+From: Lei Xue
+
+[ Upstream commit 7bb0c5338436dae953622470d52689265867f032 ]
+
+There is a potential race in fscache operation enqueuing for reading and
+copying multiple pages from cachefiles to netfs. The problem can be seen
+easily on a heavy loaded system (for example many processes reading files
+continually on an NFS share covered by fscache triggered this problem within
+a few minutes).
+
+The race is due to cachefiles_read_waiter() adding the op to the monitor
+to_do list and then then drop the object->work_lock spinlock before
+completing fscache_enqueue_operation(). Once the lock is dropped,
+cachefiles_read_copier() grabs the op, completes processing it, and
+makes it through fscache_retrieval_complete() which sets the op->state to
+the final state of FSCACHE_OP_ST_COMPLETE(4). When cachefiles_read_waiter()
+finally gets through the remainder of fscache_enqueue_operation()
+it sees the invalid state, and hits the ASSERTCMP and the following
+oops is seen:
+[ 2259.612361] FS-Cache:
+[ 2259.614785] FS-Cache: Assertion failed
+[ 2259.618639] FS-Cache: 4 == 5 is false
+[ 2259.622456] ------------[ cut here ]------------
+[ 2259.627190] kernel BUG at fs/fscache/operation.c:70!
+...
+[ 2259.791675] RIP: 0010:[] [] fscache_enqueue_operation+0xff/0x170 [fscache]
+[ 2259.802059] RSP: 0000:ffffa0263d543be0 EFLAGS: 00010046
+[ 2259.807521] RAX: 0000000000000019 RBX: ffffa01a4d390480 RCX: 0000000000000006
+[ 2259.814847] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffa0263d553890
+[ 2259.822176] RBP: ffffa0263d543be8 R08: 0000000000000000 R09: ffffa0263c2d8708
+[ 2259.829502] R10: 0000000000001e7f R11: 0000000000000000 R12: ffffa01a4d390480
+[ 2259.844483] R13: ffff9fa9546c5920 R14: ffffa0263d543c80 R15: ffffa0293ff9bf10
+[ 2259.859554] FS: 00007f4b6efbd700(0000) GS:ffffa0263d540000(0000) knlGS:0000000000000000
+[ 2259.875571] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2259.889117] CR2: 00007f49e1624ff0 CR3: 0000012b38b38000 CR4: 00000000007607e0
+[ 2259.904015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2259.918764] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2259.933449] PKRU: 55555554
+[ 2259.943654] Call Trace:
+[ 2259.953592]
+[ 2259.955577] [] cachefiles_read_waiter+0x92/0xf0 [cachefiles]
+[ 2259.978039] [] __wake_up_common+0x82/0x120
+[ 2259.991392] [] __wake_up_common_lock+0x83/0xc0
+[ 2260.004930] [] ? task_rq_unlock+0x20/0x20
+[ 2260.017863] [] __wake_up+0x13/0x20
+[ 2260.030230] [] __wake_up_bit+0x50/0x70
+[ 2260.042535] [] unlock_page+0x2b/0x30
+[ 2260.054495] [] page_endio+0x29/0x90
+[ 2260.066184] [] mpage_end_io+0x51/0x80
+
+CPU1
+cachefiles_read_waiter()
+ 20 static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode,
+ 21 int sync, void *_key)
+ 22 {
+...
+ 61 spin_lock(&object->work_lock);
+ 62 list_add_tail(&monitor->op_link, &op->to_do);
+ 63 spin_unlock(&object->work_lock);
+
+ 64
+ 65 fscache_enqueue_retrieval(op);
+182 static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
+183 {
+184 fscache_enqueue_operation(&op->op);
+185 }
+ 58 void fscache_enqueue_operation(struct fscache_operation *op)
+ 59 {
+ 60 struct fscache_cookie *cookie = op->object->cookie;
+ 61
+ 62 _enter("{OBJ%x OP%x,%u}",
+ 63 op->object->debug_id, op->debug_id, atomic_read(&op->usage));
+ 64
+ 65 ASSERT(list_empty(&op->pend_link));
+ 66 ASSERT(op->processor != NULL);
+ 67 ASSERT(fscache_object_is_available(op->object));
+ 68 ASSERTCMP(atomic_read(&op->usage), >, 0);
+
+
+CPU2
+cachefiles_read_copier()
+168 while (!list_empty(&op->to_do)) {
+...
+202 fscache_end_io(op, monitor->netfs_page, error);
+203 put_page(monitor->netfs_page);
+204 fscache_retrieval_complete(op, 1);
+
+CPU1
+ 58 void fscache_enqueue_operation(struct fscache_operation *op)
+ 59 {
+...
+ 69 ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
+ 70 op->state, ==, FSCACHE_OP_ST_CANCELLED);
+
+Signed-off-by: Lei Xue
+Signed-off-by: Dave Wysochanski
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ fs/cachefiles/rdwr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index c05ab2ec0fef..5df898fd0a0a 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -64,9 +64,9 @@ static int cachefiles_read_waiter(wait_queue_t *wait, unsigned mode,
+ object = container_of(op->op.object, struct cachefiles_object, fscache);
+ spin_lock(&object->work_lock);
+ list_add_tail(&monitor->op_link, &op->to_do);
++ fscache_enqueue_retrieval(op);
+ spin_unlock(&object->work_lock);
+
+- fscache_enqueue_retrieval(op);
+ fscache_put_retrieval(op);
+ return 0;
+ }
+--
+2.25.1
+
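Review bot: The relocated `++ fscache_enqueue_retrieval(op);` line carries no comment saying why the enqueue must happen before `spin_unlock(&object->work_lock);`, so a later cleanup could move it back out and reopen the window in which cachefiles_read_copier() completes the op and fscache_enqueue_operation() hits its state assertion, which is a BUG() (a full crash, reachable with ordinary read load on an NFS export backed by fscache according to the description). I would add above the new line: `/* Must be enqueued under work_lock: once it drops, read_copier can drain to_do and complete the op, and the state check in fscache_enqueue_operation() would then fire. */`. The move also means fscache_enqueue_operation() now runs with a spinlock held; in this tree that path appears to only assert and queue_work(), but it should be confirmed that nothing on it can sleep, since that would be a new bug rather than the old race. cachefiles_read_waiter()'s body begins outside the hunk (the hunk starts at its line 64).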
diff --git a/queue-4.4/cifs-fix-null-pointer-check-in-cifs_read.patch b/queue-4.4/cifs-fix-null-pointer-check-in-cifs_read.patch
new file mode 100644
index 00000000000..afb0638e916
--- /dev/null
+++ b/queue-4.4/cifs-fix-null-pointer-check-in-cifs_read.patch
@@ -0,0 +1,36 @@
+From 547990139c1f78072ff92b07ef0394aa096e19b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 May 2020 10:27:16 -0500
+Subject: cifs: Fix null pointer check in cifs_read
+
+From: Steve French
+
+[ Upstream commit 9bd21d4b1a767c3abebec203342f3820dcb84662 ]
+
+Coverity scan noted a redundant null check
+
+Coverity-id: 728517
+Reported-by: Coverity
+Signed-off-by: Steve French
+Reviewed-by: Shyam Prasad N
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 2ffdaedca7e9..b5a05092f862 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3230,7 +3230,7 @@ cifs_read(struct file *file, char *read_data, size_t read_size, loff_t *offset)
+ * than it negotiated since it will refuse the read
+ * then.
+ */
+- if ((tcon->ses) && !(tcon->ses->capabilities &
++ if (!(tcon->ses->capabilities &
+ tcon->ses->server->vals->cap_large_files)) {
+ current_read_size = min_t(uint,
+ current_read_size, CIFSMaxBufSize);
+--
+2.25.1
+
diff --git a/queue-4.4/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch b/queue-4.4/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
new file mode 100644
index 00000000000..d092dfa63a2
--- /dev/null
+++ b/queue-4.4/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
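Review bot: Dropping `(tcon->ses) &&` on the `++ if (!(tcon->ses->capabilities &` line is only safe because tcon->ses is supposedly dereferenced unconditionally earlier in cifs_read(); that earlier code is outside the hunk, and the Coverity finding was made against the upstream file, not 4.4's, so the backporter should confirm that 4.4's cifs_read() already does something like `server = tcon->ses->server;` before this point (I believe it does, but it is not visible here). Once confirmed, the new condition will look like an unguarded dereference to the next reader for exactly the reason Coverity called the old guard redundant, so a short comment would prevent the check from being re-added: `/* tcon->ses was already dereferenced above; no NULL check needed here */`. The enclosing cifs_read() starts and ends outside the hunk.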
@@ -0,0 +1,46 @@
+From fedc1bb981a00fb58d2ba949c690b23bd8dac8ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 May 2020 11:55:03 -0500
+Subject: gfs2: don't call quota_unhold if quotas are not locked
+
+From: Bob Peterson
+
+[ Upstream commit c9cb9e381985bbbe8acd2695bbe6bd24bf06b81c ]
+
+Before this patch, function gfs2_quota_unlock checked if quotas are
+turned off, and if so, it branched to label out, which called
+gfs2_quota_unhold. With the new system of gfs2_qa_get and put, we
+no longer want to call gfs2_quota_unhold or we won't balance our
+gets and puts.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/quota.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
+index 3a31226531ea..4af00ed4960a 100644
+--- a/fs/gfs2/quota.c
++++ b/fs/gfs2/quota.c
+@@ -1080,7 +1080,7 @@ void gfs2_quota_unlock(struct gfs2_inode *ip)
+ int found;
+
+ if (!test_and_clear_bit(GIF_QD_LOCKED, &ip->i_flags))
+- goto out;
++ return;
+
+ for (x = 0; x < ip->i_res->rs_qa_qd_num; x++) {
+ struct gfs2_quota_data *qd;
+@@ -1117,7 +1117,6 @@ void gfs2_quota_unlock(struct gfs2_inode *ip)
+ qd_unlock(qda[x]);
+ }
+
+-out:
+ gfs2_quota_unhold(ip);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 86b3a62428f..007301518b3 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,3 +6,7 @@ net-sun-fix-missing-release-regions-in-cas_init_one.patch
 net-mlx4_core-fix-a-memory-leak-bug.patch
 uapi-fix-linux-if_pppol2tp.h-userspace-compilation-errors.patch
 ib-cma-fix-reference-count-leak-when-no-ipv4-addresses-are-set.patch
+gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
+cachefiles-fix-race-between-read_waiter-and-read_cop.patch
+usb-gadget-legacy-fix-redundant-initialization-warni.patch
+cifs-fix-null-pointer-check-in-cifs_read.patch
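Review bot: The justification in the description does not apply to 4.4: the gfs2_qa_get/gfs2_qa_put refcounting it refers to does not exist in this tree, so the `++ return;` on the !GIF_QD_LOCKED path now skips gfs2_quota_unhold() with nothing else balancing a prior hold. If 4.4's gfs2_quota_lock() calls gfs2_quota_hold() before it returns early for CAP_SYS_RESOURCE or a non-enforcing quota mode (as the pre-2020 code did, to my recollection; the lock side is outside this hunk), then every gfs2_quota_lock()/gfs2_quota_unlock() pair in that configuration leaks the held quota_data references, and the next gfs2_quota_hold() on the inode would trip its rs_qa_qd_num assertion. Please check the hold/early-return ordering in 4.4's gfs2_quota_lock() before queuing this; if hold precedes the early return, the patch should be dropped rather than adapted, since the `goto out` it removes is what kept hold and unhold balanced here. gfs2_quota_unlock() continues between the two hunks.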
diff --git a/queue-4.4/usb-gadget-legacy-fix-redundant-initialization-warni.patch b/queue-4.4/usb-gadget-legacy-fix-redundant-initialization-warni.patch
new file mode 100644
index 00000000000..ec9fb9678d4
--- /dev/null
+++ b/queue-4.4/usb-gadget-legacy-fix-redundant-initialization-warni.patch
@@ -0,0 +1,63 @@
+From bcf0e505bfe3163936cb3f5488c2339dbddc682f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Apr 2020 22:16:51 +0900
+Subject: usb: gadget: legacy: fix redundant initialization warnings
+
+From: Masahiro Yamada
+
+[ Upstream commit d13cce757954fa663c69845611957396843ed87a ]
+
+Fix the following cppcheck warnings:
+
+drivers/usb/gadget/legacy/inode.c:1364:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
+ value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1331:15: note: value is initialized
+ int value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1364:8: note: value is overwritten
+ value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1817:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
+ value = -EINVAL;
+ ^
+drivers/usb/gadget/legacy/inode.c:1787:18: note: value is initialized
+ ssize_t value = len, length = len;
+ ^
+drivers/usb/gadget/legacy/inode.c:1817:8: note: value is overwritten
+ value = -EINVAL;
+ ^
+Acked-by: Alan Stern
+Reported-by: kbuild test robot
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Felipe Balbi
+
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 81f3c9cb333c..b95900168a6b 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1360,7 +1360,6 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+
+ req->buf = dev->rbuf;
+ req->context = NULL;
+- value = -EOPNOTSUPP;
+ switch (ctrl->bRequest) {
+
+ case USB_REQ_GET_DESCRIPTOR:
+@@ -1806,7 +1805,7 @@ static ssize_t
+ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
+ {
+ struct dev_data *dev = fd->private_data;
+- ssize_t value = len, length = len;
++ ssize_t value, length = len;
+ unsigned total;
+ u32 
tag;
+ char *kbuf;
+--
+2.25.1
+
-- 
2.47.3
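Review bot: The second hunk's `++ ssize_t value, length = len;` removes the only initializer of value, so dev_config()'s correctness now rests on every path between that declaration and the later `value = -EINVAL;` either assigning value or returning a constant; those lines lie outside the hunk, and what is traded for that dependency is a cppcheck style warning, which has no user-visible benefit in a stable tree. I would take only the first hunk (the dead `value = -EOPNOTSUPP;` before the switch in gadgetfs_setup(), which the declaration at 1331 already covers per the quoted warning) and keep `ssize_t value = len, length = len;` unchanged, since the initializer costs nothing and protects any future early exit that returns value. If the second hunk stays, a `-Wmaybe-uninitialized` build of inode.c with the compilers used for 4.4 should be confirmed clean. Both gadgetfs_setup() and dev_config() continue beyond their hunks.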