From b279beed7026144fd868ee9631ac7c37773e29ca Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 3 May 2014 14:46:27 -0400 Subject: [PATCH] 3.10-stable patches added patches: ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch ext4-fix-jbd2-warning-under-heavy-xattr-load.patch ext4-use-i_size_read-in-ext4_unaligned_aio.patch ocfs2-dlm-fix-lock-migration-crash.patch ocfs2-dlm-fix-recovery-hung.patch ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch ocfs2-fix-panic-on-kfree-xattr-name.patch --- ...clude-irqs.h-for-pxa_nr_builtin_gpio.patch | 37 ----- ...-bug_on-due-to-handle-ext_max_blocks.patch | 41 ++++++ ...-jbd2-warning-under-heavy-xattr-load.patch | 131 ++++++++++++++++++ ...se-i_size_read-in-ext4_unaligned_aio.patch | 29 ++++ .../ocfs2-dlm-fix-lock-migration-crash.patch | 119 ++++++++++++++++ queue-3.10/ocfs2-dlm-fix-recovery-hung.patch | 103 ++++++++++++++ ...t-put-bh-when-buffer_uptodate-failed.patch | 45 ++++++ .../ocfs2-fix-panic-on-kfree-xattr-name.patch | 47 +++++++ queue-3.10/series | 8 +- 9 files changed, 522 insertions(+), 38 deletions(-) delete mode 100644 queue-3.10/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch create mode 100644 queue-3.10/ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch create mode 100644 queue-3.10/ext4-fix-jbd2-warning-under-heavy-xattr-load.patch create mode 100644 queue-3.10/ext4-use-i_size_read-in-ext4_unaligned_aio.patch create mode 100644 queue-3.10/ocfs2-dlm-fix-lock-migration-crash.patch create mode 100644 queue-3.10/ocfs2-dlm-fix-recovery-hung.patch create mode 100644 queue-3.10/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch create mode 100644 queue-3.10/ocfs2-fix-panic-on-kfree-xattr-name.patch diff --git a/queue-3.10/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch b/queue-3.10/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch deleted file mode 100644 index 98a71aa205f..00000000000 --- a/queue-3.10/arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c02b50e90be9f41d6802049a1a08246e9eb1a22c Mon Sep 17 00:00:00 2001 -From: Andrea Adami -Date: Tue, 8 Apr 2014 14:53:44 +0200 -Subject: ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO - -From: Andrea Adami - -commit c02b50e90be9f41d6802049a1a08246e9eb1a22c upstream. - -hx4700 needs the same fix as in -9705e74671f0e4f994d86b00cecf441917c64a66 -"ARM: pxa: fix various compilation problems" - -Fix build errors. Initial one is: -/linux/arch/arm/mach-pxa/include/mach/hx4700.h:18:32: error: - 'PXA_NR_BUILTIN_GPIO' undeclared here (not in a function) -| #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO - -Signed-off-by: Andrea Adami -Signed-off-by: Linus Walleij -Signed-off-by: Arnd Bergmann -Signed-off-by: Greg Kroah-Hartman - ---- - arch/arm/mach-pxa/include/mach/hx4700.h | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/arm/mach-pxa/include/mach/hx4700.h -+++ b/arch/arm/mach-pxa/include/mach/hx4700.h -@@ -14,6 +14,7 @@ - - #include - #include -+#include "irqs.h" /* PXA_NR_BUILTIN_GPIO */ - - #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO - #define HX4700_EGPIO_BASE (HX4700_ASIC3_GPIO_BASE + ASIC3_NUM_GPIOS) diff --git a/queue-3.10/ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch b/queue-3.10/ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch new file mode 100644 index 00000000000..5a48140c37c --- /dev/null +++ b/queue-3.10/ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch @@ -0,0 +1,41 @@ +From 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 Mon Sep 17 00:00:00 2001 +From: Kazuya Mio +Date: Mon, 7 Apr 2014 10:53:28 -0400 +Subject: ext4: FIBMAP ioctl causes BUG_ON due to handle EXT_MAX_BLOCKS + +From: Kazuya Mio + +commit 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 upstream. + +When we try to get 2^32-1 block of the file which has the extent +(ee_block=2^32-2, ee_len=1) with FIBMAP ioctl, it causes BUG_ON +in ext4_ext_put_gap_in_cache(). + +To avoid the problem, ext4_map_blocks() needs to check the file logical block +number. ext4_ext_put_gap_in_cache() called via ext4_map_blocks() cannot +handle 2^32-1 because the maximum file logical block number is 2^32-2. + +Note that ext4_ind_map_blocks() returns -EIO when the block number is invalid. +So ext4_map_blocks() should also return the same errno. + +Signed-off-by: Kazuya Mio +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -574,6 +574,10 @@ int ext4_map_blocks(handle_t *handle, st + "logical block %lu\n", inode->i_ino, flags, map->m_len, + (unsigned long) map->m_lblk); + ++ /* We can handle the block number less than EXT_MAX_BLOCKS */ ++ if (unlikely(map->m_lblk >= EXT_MAX_BLOCKS)) ++ return -EIO; ++ + /* Lookup extent status tree firstly */ + if (ext4_es_lookup_extent(inode, map->m_lblk, &es)) { + if (ext4_es_is_written(&es) || ext4_es_is_unwritten(&es)) { diff --git a/queue-3.10/ext4-fix-jbd2-warning-under-heavy-xattr-load.patch b/queue-3.10/ext4-fix-jbd2-warning-under-heavy-xattr-load.patch new file mode 100644 index 00000000000..1975a32f1e0 --- /dev/null +++ b/queue-3.10/ext4-fix-jbd2-warning-under-heavy-xattr-load.patch @@ -0,0 +1,131 @@ +From ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 7 Apr 2014 10:54:21 -0400 +Subject: ext4: fix jbd2 warning under heavy xattr load + +From: Jan Kara + +commit ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 upstream. + +When heavily exercising xattr code the assertion that +jbd2_journal_dirty_metadata() shouldn't return error was triggered: + +WARNING: at /srv/autobuild-ceph/gitbuilder.git/build/fs/jbd2/transaction.c:1237 +jbd2_journal_dirty_metadata+0x1ba/0x260() + +CPU: 0 PID: 8877 Comm: ceph-osd Tainted: G W 3.10.0-ceph-00049-g68d04c9 #1 +Hardware name: Dell Inc. PowerEdge R410/01V648, BIOS 1.6.3 02/07/2011 + ffffffff81a1d3c8 ffff880214469928 ffffffff816311b0 ffff880214469968 + ffffffff8103fae0 ffff880214469958 ffff880170a9dc30 ffff8802240fbe80 + 0000000000000000 ffff88020b366000 ffff8802256e7510 ffff880214469978 +Call Trace: + [] dump_stack+0x19/0x1b + [] warn_slowpath_common+0x70/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] jbd2_journal_dirty_metadata+0x1ba/0x260 + [] __ext4_handle_dirty_metadata+0xa3/0x140 + [] ext4_xattr_release_block+0x103/0x1f0 + [] ext4_xattr_block_set+0x1e0/0x910 + [] ext4_xattr_set_handle+0x38b/0x4a0 + [] ? trace_hardirqs_on+0xd/0x10 + [] ext4_xattr_set+0xc2/0x140 + [] ext4_xattr_user_set+0x47/0x50 + [] generic_setxattr+0x6e/0x90 + [] __vfs_setxattr_noperm+0x7b/0x1c0 + [] vfs_setxattr+0xc4/0xd0 + [] setxattr+0x13e/0x1e0 + [] ? __sb_start_write+0xe7/0x1b0 + [] ? mnt_want_write_file+0x28/0x60 + [] ? fget_light+0x3c/0x130 + [] ? mnt_want_write_file+0x28/0x60 + [] ? __mnt_want_write+0x58/0x70 + [] SyS_fsetxattr+0xbe/0x100 + [] system_call_fastpath+0x16/0x1b + +The reason for the warning is that buffer_head passed into +jbd2_journal_dirty_metadata() didn't have journal_head attached. This is +caused by the following race of two ext4_xattr_release_block() calls: + +CPU1 CPU2 +ext4_xattr_release_block() ext4_xattr_release_block() +lock_buffer(bh); +/* False */ +if (BHDR(bh)->h_refcount == cpu_to_le32(1)) +} else { + le32_add_cpu(&BHDR(bh)->h_refcount, -1); + unlock_buffer(bh); + lock_buffer(bh); + /* True */ + if (BHDR(bh)->h_refcount == cpu_to_le32(1)) + get_bh(bh); + ext4_free_blocks() + ... + jbd2_journal_forget() + jbd2_journal_unfile_buffer() + -> JH is gone + error = ext4_handle_dirty_xattr_block(handle, inode, bh); + -> triggers the warning + +We fix the problem by moving ext4_handle_dirty_xattr_block() under the +buffer lock. Sadly this cannot be done in nojournal mode as that +function can call sync_dirty_buffer() which would deadlock. Luckily in +nojournal mode the race is harmless (we only dirty already freed buffer) +and thus for nojournal mode we leave the dirtying outside of the buffer +lock. + +Reported-by: Sage Weil +Signed-off-by: Jan Kara +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -517,8 +517,8 @@ static void ext4_xattr_update_super_bloc + } + + /* +- * Release the xattr block BH: If the reference count is > 1, decrement +- * it; otherwise free the block. ++ * Release the xattr block BH: If the reference count is > 1, decrement it; ++ * otherwise free the block. + */ + static void + ext4_xattr_release_block(handle_t *handle, struct inode *inode, +@@ -538,16 +538,31 @@ ext4_xattr_release_block(handle_t *handl + if (ce) + mb_cache_entry_free(ce); + get_bh(bh); ++ unlock_buffer(bh); + ext4_free_blocks(handle, inode, bh, 0, 1, + EXT4_FREE_BLOCKS_METADATA | + EXT4_FREE_BLOCKS_FORGET); +- unlock_buffer(bh); + } else { + le32_add_cpu(&BHDR(bh)->h_refcount, -1); + if (ce) + mb_cache_entry_release(ce); ++ /* ++ * Beware of this ugliness: Releasing of xattr block references ++ * from different inodes can race and so we have to protect ++ * from a race where someone else frees the block (and releases ++ * its journal_head) before we are done dirtying the buffer. In ++ * nojournal mode this race is harmless and we actually cannot ++ * call ext4_handle_dirty_xattr_block() with locked buffer as ++ * that function can call sync_dirty_buffer() so for that case ++ * we handle the dirtying after unlocking the buffer. ++ */ ++ if (ext4_handle_valid(handle)) ++ error = ext4_handle_dirty_xattr_block(handle, inode, ++ bh); + unlock_buffer(bh); +- error = ext4_handle_dirty_xattr_block(handle, inode, bh); ++ if (!ext4_handle_valid(handle)) ++ error = ext4_handle_dirty_xattr_block(handle, inode, ++ bh); + if (IS_SYNC(inode)) + ext4_handle_sync(handle); + dquot_free_block(inode, EXT4_C2B(EXT4_SB(inode->i_sb), 1)); diff --git a/queue-3.10/ext4-use-i_size_read-in-ext4_unaligned_aio.patch b/queue-3.10/ext4-use-i_size_read-in-ext4_unaligned_aio.patch new file mode 100644 index 00000000000..aef179d3d7a --- /dev/null +++ b/queue-3.10/ext4-use-i_size_read-in-ext4_unaligned_aio.patch @@ -0,0 +1,29 @@ +From 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 12 Apr 2014 12:45:25 -0400 +Subject: ext4: use i_size_read in ext4_unaligned_aio() + +From: Theodore Ts'o + +commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream. + +We haven't taken i_mutex yet, so we need to use i_size_read(). + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -82,7 +82,7 @@ ext4_unaligned_aio(struct inode *inode, + size_t count = iov_length(iov, nr_segs); + loff_t final_size = pos + count; + +- if (pos >= inode->i_size) ++ if (pos >= i_size_read(inode)) + return 0; + + if ((pos & blockmask) || (final_size & blockmask)) diff --git a/queue-3.10/ocfs2-dlm-fix-lock-migration-crash.patch b/queue-3.10/ocfs2-dlm-fix-lock-migration-crash.patch new file mode 100644 index 00000000000..7546582962c --- /dev/null +++ b/queue-3.10/ocfs2-dlm-fix-lock-migration-crash.patch @@ -0,0 +1,119 @@ +From 34aa8dac482f1358d59110d5e3a12f4351f6acaa Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 3 Apr 2014 14:46:49 -0700 +Subject: ocfs2: dlm: fix lock migration crash + +From: Junxiao Bi + +commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream. + +This issue was introduced by commit 800deef3f6f8 ("ocfs2: use +list_for_each_entry where benefical") in 2007 where it replaced +list_for_each with list_for_each_entry. The variable "lock" will point +to invalid data if "tmpq" list is empty and a panic will be triggered +due to this. Sunil advised reverting it back, but the old version was +also not right. At the end of the outer for loop, that +list_for_each_entry will also set "lock" to an invalid data, then in the +next loop, if the "tmpq" list is empty, "lock" will be an stale invalid +data and cause the panic. So reverting the list_for_each back and reset +"lock" to NULL to fix this issue. + +Another concern is that this seemes can not happen because the "tmpq" +list should not be empty. Let me describe how. + +old lock resource owner(node 1): migratation target(node 2): +image there's lockres with a EX lock from node 2 in +granted list, a NR lock from node x with convert_type +EX in converting list. +dlm_empty_lockres() { + dlm_pick_migration_target() { + pick node 2 as target as its lock is the first one + in granted list. + } + dlm_migrate_lockres() { + dlm_mark_lockres_migrating() { + res->state |= DLM_LOCK_RES_BLOCK_DIRTY; + wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res)); + //after the above code, we can not dirty lockres any more, + // so dlm_thread shuffle list will not run + downconvert lock from EX to NR + upconvert lock from NR to EX +<<< migration may schedule out here, then +<<< node 2 send down convert request to convert type from EX to +<<< NR, then send up convert request to convert type from NR to +<<< EX, at this time, lockres granted list is empty, and two locks +<<< in the converting list, node x up convert lock followed by +<<< node 2 up convert lock. + + // will set lockres RES_MIGRATING flag, the following + // lock/unlock can not run + dlm_lockres_release_ast(dlm, res); + } + + dlm_send_one_lockres() + dlm_process_recovery_data() + for (i=0; inum_locks; i++) + if (ml->node == dlm->node_num) + for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) { + list_for_each_entry(lock, tmpq, list) + if (lock) break; <<< lock is invalid as grant list is empty. + } + if (lock->ml.node != ml->node) + BUG() >>> crash here + } + +I see the above locks status from a vmcore of our internal bug. + +Signed-off-by: Junxiao Bi +Reviewed-by: Wengang Wang +Cc: Sunil Mushran +Reviewed-by: Srinivas Eeda +Cc: Joel Becker +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlm/dlmrecovery.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1751,13 +1751,13 @@ static int dlm_process_recovery_data(str + struct dlm_migratable_lockres *mres) + { + struct dlm_migratable_lock *ml; +- struct list_head *queue; ++ struct list_head *queue, *iter; + struct list_head *tmpq = NULL; + struct dlm_lock *newlock = NULL; + struct dlm_lockstatus *lksb = NULL; + int ret = 0; + int i, j, bad; +- struct dlm_lock *lock = NULL; ++ struct dlm_lock *lock; + u8 from = O2NM_MAX_NODES; + unsigned int added = 0; + __be64 c; +@@ -1792,14 +1792,16 @@ static int dlm_process_recovery_data(str + /* MIGRATION ONLY! */ + BUG_ON(!(mres->flags & DLM_MRES_MIGRATION)); + ++ lock = NULL; + spin_lock(&res->spinlock); + for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) { + tmpq = dlm_list_idx_to_ptr(res, j); +- list_for_each_entry(lock, tmpq, list) { +- if (lock->ml.cookie != ml->cookie) +- lock = NULL; +- else ++ list_for_each(iter, tmpq) { ++ lock = list_entry(iter, ++ struct dlm_lock, list); ++ if (lock->ml.cookie == ml->cookie) + break; ++ lock = NULL; + } + if (lock) + break; diff --git a/queue-3.10/ocfs2-dlm-fix-recovery-hung.patch b/queue-3.10/ocfs2-dlm-fix-recovery-hung.patch new file mode 100644 index 00000000000..d2d97aaf601 --- /dev/null +++ b/queue-3.10/ocfs2-dlm-fix-recovery-hung.patch @@ -0,0 +1,103 @@ +From ded2cf71419b9353060e633b59e446c42a6a2a09 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 3 Apr 2014 14:46:51 -0700 +Subject: ocfs2: dlm: fix recovery hung + +From: Junxiao Bi + +commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream. + +There is a race window in dlm_do_recovery() between dlm_remaster_locks() +and dlm_reset_recovery() when the recovery master nearly finish the +recovery process for a dead node. After the master sends FINALIZE_RECO +message in dlm_remaster_locks(), another node may become the recovery +master for another dead node, and then send the BEGIN_RECO message to +all the nodes included the old master, in the handler of this message +dlm_begin_reco_handler() of old master, dlm->reco.dead_node and +dlm->reco.new_master will be set to the second dead node and the new +master, then in dlm_reset_recovery(), these two variables will be reset +to default value. This will cause new recovery master can not finish +the recovery process and hung, at last the whole cluster will hung for +recovery. + +old recovery master: new recovery master: +dlm_remaster_locks() + become recovery master for + another dead node. + dlm_send_begin_reco_message() +dlm_begin_reco_handler() +{ + if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) { + return -EAGAIN; + } + dlm_set_reco_master(dlm, br->node_idx); + dlm_set_reco_dead_node(dlm, br->dead_node); +} +dlm_reset_recovery() +{ + dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM); + dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM); +} + will hang in dlm_remaster_locks() for + request dlm locks info + +Before send FINALIZE_RECO message, recovery master should set +DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done, +this can break the race windows as the BEGIN_RECO messages will not be +handled before DLM_RECO_STATE_FINALIZE flag is cleared. + +A similar race may happen between new recovery master and normal node +which is in dlm_finalize_reco_handler(), also fix it. + +Signed-off-by: Junxiao Bi +Reviewed-by: Srinivas Eeda +Reviewed-by: Wengang Wang +Cc: Joel Becker +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlm/dlmrecovery.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -540,7 +540,10 @@ master_here: + /* success! see if any other nodes need recovery */ + mlog(0, "DONE mastering recovery of %s:%u here(this=%u)!\n", + dlm->name, dlm->reco.dead_node, dlm->node_num); +- dlm_reset_recovery(dlm); ++ spin_lock(&dlm->spinlock); ++ __dlm_reset_recovery(dlm); ++ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE; ++ spin_unlock(&dlm->spinlock); + } + dlm_end_recovery(dlm); + +@@ -698,6 +701,14 @@ static int dlm_remaster_locks(struct dlm + if (all_nodes_done) { + int ret; + ++ /* Set this flag on recovery master to avoid ++ * a new recovery for another dead node start ++ * before the recovery is not done. That may ++ * cause recovery hung.*/ ++ spin_lock(&dlm->spinlock); ++ dlm->reco.state |= DLM_RECO_STATE_FINALIZE; ++ spin_unlock(&dlm->spinlock); ++ + /* all nodes are now in DLM_RECO_NODE_DATA_DONE state + * just send a finalize message to everyone and + * clean up */ +@@ -2869,8 +2880,8 @@ int dlm_finalize_reco_handler(struct o2n + BUG(); + } + dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE; ++ __dlm_reset_recovery(dlm); + spin_unlock(&dlm->spinlock); +- dlm_reset_recovery(dlm); + dlm_kick_recovery_thread(dlm); + break; + default: diff --git a/queue-3.10/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch b/queue-3.10/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch new file mode 100644 index 00000000000..4c585622bef --- /dev/null +++ b/queue-3.10/ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch @@ -0,0 +1,45 @@ +From f7cf4f5bfe073ad792ab49c04f247626b3e38db6 Mon Sep 17 00:00:00 2001 +From: alex chen +Date: Thu, 3 Apr 2014 14:47:05 -0700 +Subject: ocfs2: do not put bh when buffer_uptodate failed + +From: alex chen + +commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream. + +Do not put bh when buffer_uptodate failed in ocfs2_write_block and +ocfs2_write_super_or_backup, because it will put bh in b_end_io. +Otherwise it will hit a warning "VFS: brelse: Trying to free free +buffer". + +Signed-off-by: Alex Chen +Reviewed-by: Joseph Qi +Reviewed-by: Srinivas Eeda +Cc: Mark Fasheh +Acked-by: Joel Becker +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/buffer_head_io.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -90,7 +90,6 @@ int ocfs2_write_block(struct ocfs2_super + * information for this bh as it's not marked locally + * uptodate. */ + ret = -EIO; +- put_bh(bh); + mlog_errno(ret); + } + +@@ -420,7 +419,6 @@ int ocfs2_write_super_or_backup(struct o + + if (!buffer_uptodate(bh)) { + ret = -EIO; +- put_bh(bh); + mlog_errno(ret); + } + diff --git a/queue-3.10/ocfs2-fix-panic-on-kfree-xattr-name.patch b/queue-3.10/ocfs2-fix-panic-on-kfree-xattr-name.patch new file mode 100644 index 00000000000..91c22a28ce7 --- /dev/null +++ b/queue-3.10/ocfs2-fix-panic-on-kfree-xattr-name.patch @@ -0,0 +1,47 @@ +From f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 3 Apr 2014 14:47:07 -0700 +Subject: ocfs2: fix panic on kfree(xattr->name) + +From: Tetsuo Handa + +commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream. + +Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"') +missed that ocfs2 is calling kfree(xattr->name). As a result, kernel +panic occurs upon calling kfree(xattr->name) because xattr->name refers +static constant names. This patch removes kfree(xattr->name) from +ocfs2_mknod() and ocfs2_symlink(). + +Signed-off-by: Tetsuo Handa +Reported-by: Tariq Saeed +Tested-by: Tariq Saeed +Reviewed-by: Srinivas Eeda +Cc: Joel Becker +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/namei.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -430,7 +430,6 @@ leave: + + brelse(new_fe_bh); + brelse(parent_fe_bh); +- kfree(si.name); + kfree(si.value); + + ocfs2_free_dir_lookup_result(&lookup); +@@ -1817,7 +1816,6 @@ bail: + + brelse(new_fe_bh); + brelse(parent_fe_bh); +- kfree(si.name); + kfree(si.value); + ocfs2_free_dir_lookup_result(&lookup); + if (inode_ac) diff --git a/queue-3.10/series b/queue-3.10/series index fa931cc89fc..34f5c81df5d 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -12,7 +12,6 @@ arm-8007-1-remove-extraneous-kcmp-syscall-ignore.patch arm-8027-1-fix-do_div-bug-in-big-endian-systems.patch arm-8030-1-arm-kdump-add-arch_crash_save_vmcoreinfo.patch arm-mvebu-ensure-the-mdio-node-has-a-clock-reference-on-armada-370-xp.patch -arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch arm-7728-1-mm-use-phys_addr_t-properly-for-ioremap-functions.patch alsa-hda-enable-beep-for-asus-1015e.patch alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch @@ -80,3 +79,10 @@ mm-try_to_unmap_cluster-should-lock_page-before-mlocking.patch mm-hugetlb-fix-softlockup-when-a-large-number-of-hugepages-are-freed.patch mm-vmscan-do-not-swap-anon-pages-just-because-free-file-is-low.patch hung_task-check-the-value-of-sysctl_hung_task_timeout_sec.patch +ocfs2-dlm-fix-lock-migration-crash.patch +ocfs2-dlm-fix-recovery-hung.patch +ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch +ocfs2-fix-panic-on-kfree-xattr-name.patch +ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch +ext4-fix-jbd2-warning-under-heavy-xattr-load.patch +ext4-use-i_size_read-in-ext4_unaligned_aio.patch -- 2.47.3