From b74f2b857a8533fdf5c3eab78bcd2389dba3098d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 18 Feb 2020 13:17:22 -0500 Subject: [PATCH] fixes for 4.19 Signed-off-by: Sasha Levin --- ...r-the-bh_mapped-flag-when-forgetting.patch | 95 ++++++++++++++++ ...earing-of-b_modified-flag-to-the-jou.patch | 107 ++++++++++++++++++ ...struct-guest_walker-arrays-for-5-lev.patch | 46 ++++++++ queue-4.19/series | 3 + 4 files changed, 251 insertions(+) create mode 100644 queue-4.19/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch create mode 100644 queue-4.19/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch create mode 100644 queue-4.19/kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch diff --git a/queue-4.19/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch b/queue-4.19/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch new file mode 100644 index 00000000000..4e315061f74 --- /dev/null +++ b/queue-4.19/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch 
@@ -0,0 +1,95 @@
+From 985ddc2c3df5413ddbd285719d52d339d7530197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Feb 2020 18:59:30 +0800
+Subject: jbd2: do not clear the BH_Mapped flag when forgetting a metadata
+ buffer
+
+From: zhangyi (F)
+
+[ Upstream commit c96dceeabf765d0b1b1f29c3bf50a5c01315b820 ]
+
+Commit 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from
+an older transaction") set the BH_Freed flag when forgetting a metadata
+buffer which belongs to the committing transaction, it indicate the
+committing process clear dirty bits when it is done with the buffer. But
+it also clear the BH_Mapped flag at the same time, which may trigger
+below NULL pointer oops when block_size < PAGE_SIZE.
+
+rmdir 1 kjournald2 mkdir 2
+ jbd2_journal_commit_transaction
+ commit transaction N
+jbd2_journal_forget
+set_buffer_freed(bh1)
+ jbd2_journal_commit_transaction
+ commit transaction N+1
+ ...
+ clear_buffer_mapped(bh1)
+ ext4_getblk(bh2 ummapped)
+ ...
+ grow_dev_page
+ init_page_buffers
+ bh1->b_private=NULL
+ bh2->b_private=NULL
+ jbd2_journal_put_journal_head(jh1)
+ __journal_remove_journal_head(hb1)
+ jh1 is NULL and trigger oops
+
+*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has
+ already been unmapped.
+
+For the metadata buffer we forgetting, we should always keep the mapped
+flag and clear the dirty flags is enough, so this patch pick out the
+these buffers and keep their BH_Mapped flag.
+
+Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com
+Fixes: 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from an older transaction")
+Reviewed-by: Jan Kara
+Signed-off-by: zhangyi (F)
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin
+---
+ fs/jbd2/commit.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 3fe9b7c27ce82..c321fa06081ce 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -980,12 +980,29 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * pagesize and it is attached to the last partial page.
+ */
+ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ struct address_space *mapping;
++
+ clear_buffer_freed(bh);
+ clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
++
++ /*
++ * Block device buffers need to stay mapped all the
++ * time, so it is enough to clear buffer_jbddirty and
++ * buffer_freed bits. For the file mapping buffers (i.e.
++ * journalled data) we need to unmap buffer and clear
++ * more bits. We also need to be careful about the check
++ * because the data page mapping can get cleared under
++ * out hands, which alse need not to clear more bits
++ * because the page and buffers will be freed and can
++ * never be reused once we are done with them.
++ */
++ mapping = READ_ONCE(bh->b_page->mapping);
++ if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb)) {
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
++ }
+ }
+
+ if (buffer_jbddirty(bh)) {
+--
+2.20.1
+
diff --git a/queue-4.19/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch b/queue-4.19/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
new file mode 100644
index 00000000000..e646fa2dde1
--- /dev/null
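Review bot: The new comment in the fs/jbd2/commit.c hunk has two typos that garble the sentence it most needs — `* out hands, which alse need not to clear more bits` should read `* our hands, in which case we also need not clear more bits`. That sentence is what justifies dereferencing `mapping->host->i_sb` after only a NULL check on the `READ_ONCE(bh->b_page->mapping)` value; presumably the committing transaction's reference to the buffer keeps the page, and so the inode behind `mapping->host`, alive until this code is done with it, and since `READ_ONCE` advertises a race the comment should state that guarantee explicitly rather than leave a reader to infer it. The enclosing jbd2_journal_commit_transaction() starts and ends outside the hunk. Note also that this inner patch's `index 3fe9b7c27ce82..c321fa06081ce` starts from the blob the b_modified patch produces, so the two jbd2 backports only apply in the order the series file lists them.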
+++ b/queue-4.19/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch 
@@ -0,0 +1,107 @@
+From 32b8069036845e8918fc0b7ae36f04335149c049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Feb 2020 18:59:29 +0800
+Subject: jbd2: move the clearing of b_modified flag to the
+ journal_unmap_buffer()
+
+From: zhangyi (F)
+
+[ Upstream commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 ]
+
+There is no need to delay the clearing of b_modified flag to the
+transaction committing time when unmapping the journalled buffer, so
+just move it to the journal_unmap_buffer().
+
+Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com
+Reviewed-by: Jan Kara
+Signed-off-by: zhangyi (F)
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin
+---
+ fs/jbd2/commit.c | 43 +++++++++++++++----------------------------
+ fs/jbd2/transaction.c | 10 ++++++----
+ 2 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 020bd7a0d8e03..3fe9b7c27ce82 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -971,34 +971,21 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * it. */
+
+ /*
+- * A buffer which has been freed while still being journaled by
+- * a previous transaction.
+- */
+- if (buffer_freed(bh)) {
+- /*
+- * If the running transaction is the one containing
+- * "add to orphan" operation (b_next_transaction !=
+- * NULL), we have to wait for that transaction to
+- * commit before we can really get rid of the buffer.
+- * So just clear b_modified to not confuse transaction
+- * credit accounting and refile the buffer to
+- * BJ_Forget of the running transaction. If the just
+- * committed transaction contains "add to orphan"
+- * operation, we can completely invalidate the buffer
+- * now. We are rather through in that since the
+- * buffer may be still accessible when blocksize <
+- * pagesize and it is attached to the last partial
+- * page.
+- */
+- jh->b_modified = 0;
+- if (!jh->b_next_transaction) {
+- clear_buffer_freed(bh);
+- clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
+- }
++ * A buffer which has been freed while still being journaled
++ * by a previous transaction, refile the buffer to BJ_Forget of
++ * the running transaction. If the just committed transaction
++ * contains "add to orphan" operation, we can completely
++ * invalidate the buffer now. We are rather through in that
++ * since the buffer may be still accessible when blocksize <
++ * pagesize and it is attached to the last partial page.
++ */
++ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ clear_buffer_freed(bh);
++ clear_buffer_jbddirty(bh);
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
+ }
+
+ if (buffer_jbddirty(bh)) {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 911ff18249b75..97ffe12a22624 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2228,14 +2228,16 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh,
+ return -EBUSY;
+ }
+ /*
+- * OK, buffer won't be reachable after truncate. We just set
+- * j_next_transaction to the running transaction (if there is
+- * one) and mark buffer as freed so that commit code knows it
+- * should clear dirty bits when it is done with the buffer.
++ * OK, buffer won't be reachable after truncate. We just clear
++ * b_modified to not confuse transaction credit accounting, and
++ * set j_next_transaction to the running transaction (if there
++ * is one) and mark buffer as freed so that commit code knows
++ * it should clear dirty bits when it is done with the buffer.
+ */
+ set_buffer_freed(bh);
+ if (journal->j_running_transaction && buffer_jbddirty(bh))
+ jh->b_next_transaction = journal->j_running_transaction;
++ jh->b_modified = 0;
+ jbd2_journal_put_journal_head(jh);
+ spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+--
+2.20.1
+
diff --git a/queue-4.19/kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch b/queue-4.19/kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch
new file mode 100644
index 00000000000..4f373bcbb15
--- /dev/null
+++ b/queue-4.19/kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch
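Review bot: The rewritten comment in the fs/jbd2/transaction.c hunk still names the field `j_next_transaction`, while the code four lines below assigns `jh->b_next_transaction`; since this comment was rewritten anyway, the line should read `* set b_next_transaction to the running transaction (if there` so a reader grepping for the field finds it. The new commit.c comment likewise carries over `We are rather through in that` where "thorough" is meant. Moving `jh->b_modified = 0;` to the unmap path is done while jh is still held (the put comes on the next line), which looks sound from what the hunk shows. journal_unmap_buffer() both starts and ends outside the hunk, as does the commit.c caller.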
@@ -0,0 +1,46 @@
+From 73752ca2b178c46d690ea8e70c475fac720b468a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Feb 2020 09:37:42 -0800
+Subject: KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging
+
+From: Sean Christopherson
+
+[ Upstream commit f6ab0107a4942dbf9a5cf0cca3f37e184870a360 ]
+
+Define PT_MAX_FULL_LEVELS as PT64_ROOT_MAX_LEVEL, i.e. 5, to fix shadow
+paging for 5-level guest page tables. PT_MAX_FULL_LEVELS is used to
+size the arrays that track guest pages table information, i.e. using a
+"max levels" of 4 causes KVM to access garbage beyond the end of an
+array when querying state for level 5 entries. E.g. FNAME(gpte_changed)
+will read garbage and most likely return %true for a level 5 entry,
+soft-hanging the guest because FNAME(fetch) will restart the guest
+instead of creating SPTEs because it thinks the guest PTE has changed.
+
+Note, KVM doesn't yet support 5-level nested EPT, so PT_MAX_FULL_LEVELS
+gets to stay "4" for the PTTYPE_EPT case.
+
+Fixes: 855feb673640 ("KVM: MMU: Add 5 level EPT & Shadow page table support.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
+index 100ae4fabf170..61f10a4fd8074 100644
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -36,7 +36,7 @@
+ #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT
+ #define PT_HAVE_ACCESSED_DIRTY(mmu) true
+ #ifdef CONFIG_X86_64
+- #define PT_MAX_FULL_LEVELS 4
++ #define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL
+ #define CMPXCHG cmpxchg
+ #else
+ #define CMPXCHG cmpxchg64
+--
+2.20.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c89ee3685b5..add90138081 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
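Review bot: The new `#define PT_MAX_FULL_LEVELS PT64_ROOT_MAX_LEVEL` carries no hint of why the value must be 5, so a later "tidy-up" could shrink it back to 4 and silently reintroduce the past-the-end array read the commit message describes; a one-line comment above it, `/* Sizes the guest_walker arrays: must cover 5-level guest paging, not just 4 */`, would pin that down. Since the index that ran past the arrays is the guest's paging level, this is a kernel out-of-bounds read driven by guest state, and is worth treating as a memory-safety backport rather than only the soft-hang the message leads with. The backport additionally relies on `PT64_ROOT_MAX_LEVEL` existing in 4.19; the Fixes: tag points at the commit that introduced 5-level support, so it presumably does, but the queue should be build-tested on x86_64 to confirm. The `#else` (32-bit) branch and the PTTYPE_EPT definition the message mentions lie outside the hunk.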
@@ -33,3 +33,6 @@ s390-time-fix-clk-type-in-get_tod_clock.patch
 perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch
 hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch
 nfsv4.1-make-cachethis-no-for-writes.patch
+jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
+jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch
+kvm-x86-mmu-fix-struct-guest_walker-arrays-for-5-lev.patch
--
2.47.3