From bb969ba44057b36113bcbe3b83771d338cc94906 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 23 Dec 2019 12:19:53 -0500 Subject: [PATCH] 4.14-stable patches added patches: alsa-hda-ca0132-avoid-endless-loop.patch alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch btrfs-skip-log-replay-on-orphaned-roots.patch --- .../alsa-hda-ca0132-avoid-endless-loop.patch | 42 +++++++ ...er-on-during-processing-dsp-response.patch | 41 +++++++ ...e-info-leaks-from-pcm-stream-buffers.patch | 43 +++++++ ...l-synchronize_srcu-in-inode_tree_del.patch | 65 ++++++++++ ...-root-if-we-fail-to-read-the-fs-root.patch | 37 ++++++ ...k-the-subvol_sem-for-rename-exchange.patch | 49 ++++++++ ...-that-leads-to-use-after-free-issues.patch | 112 ++++++++++++++++++ ...le-enoent-in-btrfs_uuid_tree_iterate.patch | 37 ++++++ ...fs-skip-log-replay-on-orphaned-roots.patch | 78 ++++++++++++ queue-4.14/series | 9 ++ 10 files changed, 513 insertions(+) create mode 100644 queue-4.14/alsa-hda-ca0132-avoid-endless-loop.patch create mode 100644 queue-4.14/alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch create mode 100644 queue-4.14/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch create mode 100644 queue-4.14/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch create mode 100644 queue-4.14/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch create mode 100644 queue-4.14/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch create mode 100644 queue-4.14/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch create mode 100644 queue-4.14/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch create mode 100644 queue-4.14/btrfs-skip-log-replay-on-orphaned-roots.patch diff --git a/queue-4.14/alsa-hda-ca0132-avoid-endless-loop.patch b/queue-4.14/alsa-hda-ca0132-avoid-endless-loop.patch new file mode 100644 index 00000000000..a9fc1fd3632 --- /dev/null +++ b/queue-4.14/alsa-hda-ca0132-avoid-endless-loop.patch @@ -0,0 +1,42 @@ +From cb04fc3b6b076f67d228a0b7d096c69ad486c09c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 13 Dec 2019 09:51:10 +0100 +Subject: ALSA: hda/ca0132 - Avoid endless loop + +From: Takashi Iwai + +commit cb04fc3b6b076f67d228a0b7d096c69ad486c09c upstream. + +Introduce a timeout to dspio_clear_response_queue() so that it won't +be caught in an endless loop even if the hardware doesn't respond +properly. + +Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") +Cc: +Link: https://lore.kernel.org/r/20191213085111.22855-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1300,13 +1300,14 @@ struct scp_msg { + + static void dspio_clear_response_queue(struct hda_codec *codec) + { ++ unsigned long timeout = jiffies + msecs_to_jiffies(1000); + unsigned int dummy = 0; +- int status = -1; ++ int status; + + /* clear all from the response queue */ + do { + status = dspio_read(codec, &dummy); +- } while (status == 0); ++ } while (status == 0 && time_before(jiffies, timeout)); + } + + static int dspio_get_response_data(struct hda_codec *codec) diff --git a/queue-4.14/alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch b/queue-4.14/alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch new file mode 100644 index 00000000000..d4ccb181992 --- /dev/null +++ b/queue-4.14/alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch @@ -0,0 +1,41 @@ +From 377bc0cfabce0244632dada19060839ced4e6949 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 13 Dec 2019 09:51:09 +0100 +Subject: ALSA: hda/ca0132 - Keep power on during processing DSP response + +From: Takashi Iwai + +commit 377bc0cfabce0244632dada19060839ced4e6949 upstream. + +We need to keep power on while processing the DSP response via unsol +event. Each snd_hda_codec_read() call does the power management, so +it should work normally, but still it's safer to keep the power up for +the whole function. + +Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") +Cc: +Link: https://lore.kernel.org/r/20191213085111.22855-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4424,12 +4424,14 @@ static void ca0132_process_dsp_response( + struct ca0132_spec *spec = codec->spec; + + codec_dbg(codec, "ca0132_process_dsp_response\n"); ++ snd_hda_power_up_pm(codec); + if (spec->wait_scp) { + if (dspio_get_response_data(codec) >= 0) + spec->wait_scp = 0; + } + + dspio_clear_response_queue(codec); ++ snd_hda_power_down_pm(codec); + } + + static void hp_callback(struct hda_codec *codec, struct hda_jack_callback *cb) diff --git a/queue-4.14/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch b/queue-4.14/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch new file mode 100644 index 00000000000..676e8c9ae11 --- /dev/null +++ b/queue-4.14/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch @@ -0,0 +1,43 @@ +From add9d56d7b3781532208afbff5509d7382fb6efe Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 11 Dec 2019 16:57:42 +0100 +Subject: ALSA: pcm: Avoid possible info leaks from PCM stream buffers + +From: Takashi Iwai + +commit add9d56d7b3781532208afbff5509d7382fb6efe upstream. + +The current PCM code doesn't initialize explicitly the buffers +allocated for PCM streams, hence it might leak some uninitialized +kernel data or previous stream contents by mmapping or reading the +buffer before actually starting the stream. + +Since this is a common problem, this patch simply adds the clearance +of the buffer data at hw_params callback. Although this does only +zero-clear no matter which format is used, which doesn't mean the +silence for some formats, but it should be OK because the intention is +just to clear the previous data on the buffer. + +Reported-by: Lionel Koenig +Cc: +Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -720,6 +720,10 @@ static int snd_pcm_hw_params(struct snd_ + while (runtime->boundary * 2 <= LONG_MAX - runtime->buffer_size) + runtime->boundary *= 2; + ++ /* clear the buffer for avoiding possible kernel info leaks */ ++ if (runtime->dma_area && !substream->ops->copy_user) ++ memset(runtime->dma_area, 0, runtime->dma_bytes); ++ + snd_pcm_timer_resolution_change(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP); + diff --git a/queue-4.14/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch b/queue-4.14/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch new file mode 100644 index 00000000000..a2b637c0cb6 --- /dev/null +++ b/queue-4.14/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch @@ -0,0 +1,65 @@ +From f72ff01df9cf5db25c76674cac16605992d15467 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 19 Nov 2019 13:59:35 -0500 +Subject: btrfs: do not call synchronize_srcu() in inode_tree_del + +From: Josef Bacik + +commit f72ff01df9cf5db25c76674cac16605992d15467 upstream. + +Testing with the new fsstress uncovered a pretty nasty deadlock with +lookup and snapshot deletion. + +Process A +unlink + -> final iput + -> inode_tree_del + -> synchronize_srcu(subvol_srcu) + +Process B +btrfs_lookup <- srcu_read_lock() acquired here + -> btrfs_iget + -> find inode that has I_FREEING set + -> __wait_on_freeing_inode() + +We're holding the srcu_read_lock() while doing the iget in order to make +sure our fs root doesn't go away, and then we are waiting for the inode +to finish freeing. However because the free'ing process is doing a +synchronize_srcu() we deadlock. + +Fix this by dropping the synchronize_srcu() in inode_tree_del(). We +don't need people to stop accessing the fs root at this point, we're +only adding our empty root to the dead roots list. + +A larger much more invasive fix is forthcoming to address how we deal +with fs roots, but this fixes the immediate problem. + +Fixes: 76dda93c6ae2 ("Btrfs: add snapshot/subvolume destroy ioctl") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5729,7 +5729,6 @@ static void inode_tree_add(struct inode + + static void inode_tree_del(struct inode *inode) + { +- struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); + struct btrfs_root *root = BTRFS_I(inode)->root; + int empty = 0; + +@@ -5742,7 +5741,6 @@ static void inode_tree_del(struct inode + spin_unlock(&root->inode_lock); + + if (empty && btrfs_root_refs(&root->root_item) == 0) { +- synchronize_srcu(&fs_info->subvol_srcu); + spin_lock(&root->inode_lock); + empty = RB_EMPTY_ROOT(&root->inode_tree); + spin_unlock(&root->inode_lock); diff --git a/queue-4.14/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch b/queue-4.14/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch new file mode 100644 index 00000000000..7d1d6151e10 --- /dev/null +++ b/queue-4.14/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch @@ -0,0 +1,37 @@ +From ca1aa2818a53875cfdd175fb5e9a2984e997cce9 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 6 Dec 2019 09:37:18 -0500 +Subject: btrfs: do not leak reloc root if we fail to read the fs root + +From: Josef Bacik + +commit ca1aa2818a53875cfdd175fb5e9a2984e997cce9 upstream. + +If we fail to read the fs root corresponding with a reloc root we'll +just break out and free the reloc roots. But we remove our current +reloc_root from this list higher up, which means we'll leak this +reloc_root. Fix this by adding ourselves back to the reloc_roots list +so we are properly cleaned up. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Reviewed-by: Johannes Thumshirn +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4587,6 +4587,7 @@ int btrfs_recover_relocation(struct btrf + fs_root = read_fs_root(fs_info, reloc_root->root_key.offset); + if (IS_ERR(fs_root)) { + err = PTR_ERR(fs_root); ++ list_add_tail(&reloc_root->root_list, &reloc_roots); + goto out_free; + } + diff --git a/queue-4.14/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch b/queue-4.14/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch new file mode 100644 index 00000000000..aba6189e658 --- /dev/null +++ b/queue-4.14/btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch @@ -0,0 +1,49 @@ +From 943eb3bf25f4a7b745dd799e031be276aa104d82 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 19 Nov 2019 13:59:20 -0500 +Subject: btrfs: don't double lock the subvol_sem for rename exchange + +From: Josef Bacik + +commit 943eb3bf25f4a7b745dd799e031be276aa104d82 upstream. + +If we're rename exchanging two subvols we'll try to lock this lock +twice, which is bad. Just lock once if either of the ino's are subvols. + +Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -9820,9 +9820,8 @@ static int btrfs_rename_exchange(struct + return -EXDEV; + + /* close the race window with snapshot create/destroy ioctl */ +- if (old_ino == BTRFS_FIRST_FREE_OBJECTID) +- down_read(&fs_info->subvol_sem); +- if (new_ino == BTRFS_FIRST_FREE_OBJECTID) ++ if (old_ino == BTRFS_FIRST_FREE_OBJECTID || ++ new_ino == BTRFS_FIRST_FREE_OBJECTID) + down_read(&fs_info->subvol_sem); + + /* +@@ -10014,9 +10013,8 @@ out_fail: + ret2 = btrfs_end_transaction(trans); + ret = ret ? ret : ret2; + out_notrans: +- if (new_ino == BTRFS_FIRST_FREE_OBJECTID) +- up_read(&fs_info->subvol_sem); +- if (old_ino == BTRFS_FIRST_FREE_OBJECTID) ++ if (new_ino == BTRFS_FIRST_FREE_OBJECTID || ++ old_ino == BTRFS_FIRST_FREE_OBJECTID) + up_read(&fs_info->subvol_sem); + + return ret; diff --git a/queue-4.14/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch b/queue-4.14/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch new file mode 100644 index 00000000000..9b3264705e0 --- /dev/null +++ b/queue-4.14/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch @@ -0,0 +1,112 @@ +From 6609fee8897ac475378388238456c84298bff802 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 6 Dec 2019 12:27:39 +0000 +Subject: Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues + +From: Filipe Manana + +commit 6609fee8897ac475378388238456c84298bff802 upstream. + +When a tree mod log user no longer needs to use the tree it calls +btrfs_put_tree_mod_seq() to remove itself from the list of users and +delete all no longer used elements of the tree's red black tree, which +should be all elements with a sequence number less then our equals to +the caller's sequence number. However the logic is broken because it +can delete and free elements from the red black tree that have a +sequence number greater then the caller's sequence number: + +1) At a point in time we have sequence numbers 1, 2, 3 and 4 in the + tree mod log; + +2) The task which got assigned the sequence number 1 calls + btrfs_put_tree_mod_seq(); + +3) Sequence number 1 is deleted from the list of sequence numbers; + +4) The current minimum sequence number is computed to be the sequence + number 2; + +5) A task using sequence number 2 is at tree_mod_log_rewind() and gets + a pointer to one of its elements from the red black tree through + a call to tree_mod_log_search(); + +6) The task with sequence number 1 iterates the red black tree of tree + modification elements and deletes (and frees) all elements with a + sequence number less then or equals to 2 (the computed minimum sequence + number) - it ends up only leaving elements with sequence numbers of 3 + and 4; + +7) The task with sequence number 2 now uses the pointer to its element, + already freed by the other task, at __tree_mod_log_rewind(), resulting + in a use-after-free issue. When CONFIG_DEBUG_PAGEALLOC=y it produces + a trace like the following: + + [16804.546854] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI + [16804.547451] CPU: 0 PID: 28257 Comm: pool Tainted: G W 5.4.0-rc8-btrfs-next-51 #1 + [16804.548059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 + [16804.548666] RIP: 0010:rb_next+0x16/0x50 + (...) + [16804.550581] RSP: 0018:ffffb948418ef9b0 EFLAGS: 00010202 + [16804.551227] RAX: 6b6b6b6b6b6b6b6b RBX: ffff90e0247f6600 RCX: 6b6b6b6b6b6b6b6b + [16804.551873] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff90e0247f6600 + [16804.552504] RBP: ffff90dffe0d4688 R08: 0000000000000001 R09: 0000000000000000 + [16804.553136] R10: ffff90dffa4a0040 R11: 0000000000000000 R12: 000000000000002e + [16804.553768] R13: ffff90e0247f6600 R14: 0000000000001663 R15: ffff90dff77862b8 + [16804.554399] FS: 00007f4b197ae700(0000) GS:ffff90e036a00000(0000) knlGS:0000000000000000 + [16804.555039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [16804.555683] CR2: 00007f4b10022000 CR3: 00000002060e2004 CR4: 00000000003606f0 + [16804.556336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [16804.556968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [16804.557583] Call Trace: + [16804.558207] __tree_mod_log_rewind+0xbf/0x280 [btrfs] + [16804.558835] btrfs_search_old_slot+0x105/0xd00 [btrfs] + [16804.559468] resolve_indirect_refs+0x1eb/0xc70 [btrfs] + [16804.560087] ? free_extent_buffer.part.19+0x5a/0xc0 [btrfs] + [16804.560700] find_parent_nodes+0x388/0x1120 [btrfs] + [16804.561310] btrfs_check_shared+0x115/0x1c0 [btrfs] + [16804.561916] ? extent_fiemap+0x59d/0x6d0 [btrfs] + [16804.562518] extent_fiemap+0x59d/0x6d0 [btrfs] + [16804.563112] ? __might_fault+0x11/0x90 + [16804.563706] do_vfs_ioctl+0x45a/0x700 + [16804.564299] ksys_ioctl+0x70/0x80 + [16804.564885] ? trace_hardirqs_off_thunk+0x1a/0x20 + [16804.565461] __x64_sys_ioctl+0x16/0x20 + [16804.566020] do_syscall_64+0x5c/0x250 + [16804.566580] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [16804.567153] RIP: 0033:0x7f4b1ba2add7 + (...) + [16804.568907] RSP: 002b:00007f4b197adc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [16804.569513] RAX: ffffffffffffffda RBX: 00007f4b100210d8 RCX: 00007f4b1ba2add7 + [16804.570133] RDX: 00007f4b100210d8 RSI: 00000000c020660b RDI: 0000000000000003 + [16804.570726] RBP: 000055de05a6cfe0 R08: 0000000000000000 R09: 00007f4b197add44 + [16804.571314] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b197add48 + [16804.571905] R13: 00007f4b197add40 R14: 00007f4b100210d0 R15: 00007f4b197add50 + (...) + [16804.575623] ---[ end trace 87317359aad4ba50 ]--- + +Fix this by making btrfs_put_tree_mod_seq() skip deletion of elements that +have a sequence number equals to the computed minimum sequence number, and +not just elements with a sequence number greater then that minimum. + +Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -427,7 +427,7 @@ void btrfs_put_tree_mod_seq(struct btrfs + for (node = rb_first(tm_root); node; node = next) { + next = rb_next(node); + tm = rb_entry(node, struct tree_mod_elem, node); +- if (tm->seq > min_seq) ++ if (tm->seq >= min_seq) + continue; + rb_erase(node, tm_root); + kfree(tm); diff --git a/queue-4.14/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch b/queue-4.14/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch new file mode 100644 index 00000000000..b762fbb75fe --- /dev/null +++ b/queue-4.14/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch @@ -0,0 +1,37 @@ +From 714cd3e8cba6841220dce9063a7388a81de03825 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 6 Dec 2019 11:39:00 -0500 +Subject: btrfs: handle ENOENT in btrfs_uuid_tree_iterate + +From: Josef Bacik + +commit 714cd3e8cba6841220dce9063a7388a81de03825 upstream. + +If we get an -ENOENT back from btrfs_uuid_iter_rem when iterating the +uuid tree we'll just continue and do btrfs_next_item(). However we've +done a btrfs_release_path() at this point and no longer have a valid +path. So increment the key and go back and do a normal search. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Reviewed-by: Johannes Thumshirn +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/uuid-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/uuid-tree.c ++++ b/fs/btrfs/uuid-tree.c +@@ -336,6 +336,8 @@ again_search_slot: + } + if (ret < 0 && ret != -ENOENT) + goto out; ++ key.offset++; ++ goto again_search_slot; + } + item_size -= sizeof(subid_le); + offset += sizeof(subid_le); diff --git a/queue-4.14/btrfs-skip-log-replay-on-orphaned-roots.patch b/queue-4.14/btrfs-skip-log-replay-on-orphaned-roots.patch new file mode 100644 index 00000000000..c160c8ae913 --- /dev/null +++ b/queue-4.14/btrfs-skip-log-replay-on-orphaned-roots.patch @@ -0,0 +1,78 @@ +From 9bc574de590510eff899c3ca8dbaf013566b5efe Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 6 Dec 2019 09:37:17 -0500 +Subject: btrfs: skip log replay on orphaned roots + +From: Josef Bacik + +commit 9bc574de590510eff899c3ca8dbaf013566b5efe upstream. + +My fsstress modifications coupled with generic/475 uncovered a failure +to mount and replay the log if we hit a orphaned root. We do not want +to replay the log for an orphan root, but it's completely legitimate to +have an orphaned root with a log attached. Fix this by simply skipping +replaying the log. We still need to pin it's root node so that we do +not overwrite it while replaying other logs, as we re-read the log root +at every stage of the replay. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6018,9 +6018,28 @@ again: + wc.replay_dest = btrfs_read_fs_root_no_name(fs_info, &tmp_key); + if (IS_ERR(wc.replay_dest)) { + ret = PTR_ERR(wc.replay_dest); ++ ++ /* ++ * We didn't find the subvol, likely because it was ++ * deleted. This is ok, simply skip this log and go to ++ * the next one. ++ * ++ * We need to exclude the root because we can't have ++ * other log replays overwriting this log as we'll read ++ * it back in a few more times. This will keep our ++ * block from being modified, and we'll just bail for ++ * each subsequent pass. ++ */ ++ if (ret == -ENOENT) ++ ret = btrfs_pin_extent_for_log_replay(fs_info, ++ log->node->start, ++ log->node->len); + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); + kfree(log); ++ ++ if (!ret) ++ goto next; + btrfs_handle_fs_error(fs_info, ret, + "Couldn't read target root for tree log recovery."); + goto error; +@@ -6052,7 +6071,6 @@ again: + &root->highest_objectid); + } + +- key.offset = found_key.offset - 1; + wc.replay_dest->log_root = NULL; + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); +@@ -6060,9 +6078,10 @@ again: + + if (ret) + goto error; +- ++next: + if (found_key.offset == 0) + break; ++ key.offset = found_key.offset - 1; + } + btrfs_release_path(path); + diff --git a/queue-4.14/series b/queue-4.14/series index 679e04df185..065ae8f1943 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,3 +1,12 @@ +btrfs-don-t-double-lock-the-subvol_sem-for-rename-exchange.patch +btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch +btrfs-skip-log-replay-on-orphaned-roots.patch +btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch +btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch +btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to-use-after-free-issues.patch +alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch +alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch +alsa-hda-ca0132-avoid-endless-loop.patch drm-mst-fix-query_payload-ack-reply-struct.patch drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch iio-light-bh1750-resolve-compiler-warning-and-make-c.patch -- 2.47.3