authorKernel Build Daemon <kbuild@suse.de>2018-11-02 07:01:40 +0100
committerKernel Build Daemon <kbuild@suse.de>2018-11-02 07:01:40 +0100
commit9188d06a552385cb05ba716eb2ecdab8ef23a666 (patch)
treec20a3fd42e17879b9a7f348627110f3ee52fcca6
parent45884c0c5e1310ca3c8d69237f6316691b3fc830 (diff)
parentad55b3696a576584e3b87e5a22c8f5678d0617ec (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--patches.drivers/edac-raise-the-maximum-number-of-memory-controllers.patch58
-rw-r--r--patches.fixes/0002-nfs41-do-not-return-ENOMEM-on-LAYOUTUNAVAILABLE.patch2
-rw-r--r--patches.fixes/Don-t-leak-MNT_INTERNAL-away-from-internal-mounts.patch35
-rw-r--r--patches.fixes/RAID10-BUG_ON-in-raise_barrier-when-force-is-true-an.patch55
-rw-r--r--patches.fixes/VFS-close-race-between-getcwd-and-d_move.patch111
-rw-r--r--patches.fixes/autofs-fix-autofs_sbi-does-not-check-super-block-typ.patch53
-rw-r--r--patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch82
-rw-r--r--patches.fixes/autofs-mount-point-create-should-honour-passed-in-mo.patch38
-rw-r--r--patches.fixes/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch35
-rw-r--r--patches.fixes/d-lookup-fairness.fix5
-rw-r--r--patches.fixes/do-d_instantiate-unlock_new_inode-combinations-safel.patch457
-rw-r--r--patches.fixes/f2fs-call-unlock_new_inode-before-d_instantiate.patch77
-rw-r--r--patches.fixes/fs-dcache-Avoid-livelock-between-d_alloc_parallel-an.patch79
-rw-r--r--patches.fixes/fs-dcache-Use-READ_ONCE-when-accessing-i_dir_seq.patch31
-rw-r--r--patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch56
-rw-r--r--patches.fixes/getname_kernel-needs-to-make-sure-that-name-iname-in.patch32
-rw-r--r--patches.fixes/lockd-fix-list_add-double-add-caused-by-legacy-signa.patch82
-rw-r--r--patches.fixes/make-sure-that-__dentry_kill-always-invalidates-d_se.patch49
-rw-r--r--patches.fixes/md-fix-NULL-dereference-of-mddev-pers-in-remove_and_.patch71
-rw-r--r--patches.fixes/md-raid1-add-error-handling-of-read-error-from-FailF.patch37
-rw-r--r--patches.fixes/md-raid10-fix-that-replacement-cannot-complete-recov.patch53
-rw-r--r--patches.fixes/md-raid5-cache-disable-reshape-completely.patch66
-rw-r--r--patches.fixes/md-raid5-fix-data-corruption-of-replacements-after-o.patch75
-rw-r--r--patches.fixes/pipe-match-pipe_max_size-data-type-with-procfs.patch107
-rw-r--r--patches.fixes/race-of-lockd-inetaddr-notifiers-vs-nlmsvc_rqst-chan.patch96
-rw-r--r--patches.fixes/vfs-fix-freeze-protection-in-mnt_want_write_file-for.patch49
-rw-r--r--patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch2
-rw-r--r--series.conf24
28 files changed, 1834 insertions, 83 deletions
diff --git a/patches.drivers/edac-raise-the-maximum-number-of-memory-controllers.patch b/patches.drivers/edac-raise-the-maximum-number-of-memory-controllers.patch
new file mode 100644
index 0000000000..d3f053d96b
--- /dev/null
+++ b/patches.drivers/edac-raise-the-maximum-number-of-memory-controllers.patch
@@ -0,0 +1,58 @@
+From: Justin Ernst <justin.ernst@hpe.com>
+Date: Tue, 25 Sep 2018 09:34:49 -0500
+Subject: EDAC: Raise the maximum number of memory controllers
+Git-commit: 6b58859419554fb824e09cfdd73151a195473cbc
+Patch-mainline: v4.20-rc1
+References: bsc#1113780
+
+We observe an oops in the skx_edac module during boot:
+
+ EDAC MC0: Giving out device to module skx_edac controller Skylake Socket#0 IMC#0
+ EDAC MC1: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1
+ EDAC MC2: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0
+ ...
+ EDAC MC13: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1
+ EDAC MC14: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0
+ EDAC MC15: Giving out device to module skx_edac controller Skylake Socket#1 IMC#1
+ Too many memory controllers: 16
+ EDAC MC: Removed device 0 for skx_edac Skylake Socket#0 IMC#0
+
+We observe there are two memory controllers per socket, with a limit
+of 16. Raise the maximum number of memory controllers from 16 to 2 *
+MAX_NUMNODES (1024).
+
+[ bp: This is just a band-aid fix until we've sorted out the whole issue
+ with the bus_type association and handling in EDAC and can get rid of
+ this arbitrary limit. ]
+
+Signed-off-by: Justin Ernst <justin.ernst@hpe.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Russ Anderson <russ.anderson@hpe.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180925143449.284634-1-justin.ernst@hpe.com
+---
+ include/linux/edac.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/edac.h b/include/linux/edac.h
+index a45ce1f84bfc..1d0c9ea8825d 100644
+--- a/include/linux/edac.h
++++ b/include/linux/edac.h
+@@ -17,6 +17,7 @@
+ #include <linux/completion.h>
+ #include <linux/workqueue.h>
+ #include <linux/debugfs.h>
++#include <linux/numa.h>
+
+ #define EDAC_DEVICE_NAME_LEN 31
+
+@@ -672,6 +673,6 @@ struct mem_ctl_info {
+ /*
+ * Maximum number of memory controllers in the coherent fabric.
+ */
+-#define EDAC_MAX_MCS 16
++#define EDAC_MAX_MCS 2 * MAX_NUMNODES
+
+ #endif
+
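Review bot: The new definition `#define EDAC_MAX_MCS 2 * MAX_NUMNODES` in include/linux/edac.h expands without parentheses, so an expression such as `n / EDAC_MAX_MCS` or `x % EDAC_MAX_MCS` would bind to the `2` first and compute a different value than intended. The comment above it describes this constant as the maximum number of memory controllers, so a mis-evaluated expression would presumably end up in a size or range check; the users of the macro are not visible in this hunk. Write it as `#define EDAC_MAX_MCS (2 * MAX_NUMNODES)`.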
diff --git a/patches.fixes/0002-nfs41-do-not-return-ENOMEM-on-LAYOUTUNAVAILABLE.patch b/patches.fixes/0002-nfs41-do-not-return-ENOMEM-on-LAYOUTUNAVAILABLE.patch
index e18ce45dd4..0fd9c33bcd 100644
--- a/patches.fixes/0002-nfs41-do-not-return-ENOMEM-on-LAYOUTUNAVAILABLE.patch
+++ b/patches.fixes/0002-nfs41-do-not-return-ENOMEM-on-LAYOUTUNAVAILABLE.patch
@@ -3,7 +3,7 @@ Date: Tue, 16 Jan 2018 22:38:50 +0100
Subject: [PATCH] nfs41: do not return ENOMEM on LAYOUTUNAVAILABLE
Git-commit: 7ff4cff637aa0bd2abbd81f53b2a6206c50afd95
Patch-mainline: v4.16
-References: git-fixes
+References: git-fixes, bsc#1103925
A pNFS server may return LAYOUTUNAVAILABLE error on LAYOUTGET for files
which don't have any layout. In this situation pnfs_update_layout
diff --git a/patches.fixes/Don-t-leak-MNT_INTERNAL-away-from-internal-mounts.patch b/patches.fixes/Don-t-leak-MNT_INTERNAL-away-from-internal-mounts.patch
new file mode 100644
index 0000000000..6152c87022
--- /dev/null
+++ b/patches.fixes/Don-t-leak-MNT_INTERNAL-away-from-internal-mounts.patch
@@ -0,0 +1,35 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 19 Apr 2018 22:03:08 -0400
+Subject: [PATCH] Don't leak MNT_INTERNAL away from internal mounts
+Git-commit: 16a34adb9392b2fe4195267475ab5b472e55292c
+Patch-mainline: v4.17
+References: git-fixes
+
+We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for
+their copies. As it is, creating a deep stack of bindings of /proc/*/ns/*
+somewhere in a new namespace and exiting yields a stack overflow.
+
+Cc: stable@kernel.org
+Reported-by: Alexander Aring <aring@mojatatu.com>
+Bisected-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Tested-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Tested-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/namespace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1038,7 +1038,8 @@ static struct mount *clone_mnt(struct mo
+ goto out_free;
+ }
+
+- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
++ mnt->mnt.mnt_flags = old->mnt.mnt_flags;
++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
+ /* Don't allow unprivileged users to change mount flags */
+ if (flag & CL_UNPRIVILEGED) {
+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
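Review bot: The reason MNT_INTERNAL is stripped in clone_mnt() lives only in the patch description, so the new line `mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);` reads like an arbitrary flag list. A comment above it, such as `/* MNT_INTERNAL belongs to SB_KERNMOUNT mounts only; a copy must not inherit it */`, would keep a later edit from dropping the flag from the mask and reopening the stack overflow the description mentions. clone_mnt() starts and ends outside this hunk.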
diff --git a/patches.fixes/RAID10-BUG_ON-in-raise_barrier-when-force-is-true-an.patch b/patches.fixes/RAID10-BUG_ON-in-raise_barrier-when-force-is-true-an.patch
new file mode 100644
index 0000000000..675f6ecf94
--- /dev/null
+++ b/patches.fixes/RAID10-BUG_ON-in-raise_barrier-when-force-is-true-an.patch
@@ -0,0 +1,55 @@
+From: Xiao Ni <xni@redhat.com>
+Date: Thu, 30 Aug 2018 15:57:09 +0800
+Subject: [PATCH] RAID10 BUG_ON in raise_barrier when force is true and
+ conf->barrier is 0
+Git-commit: 1d0ffd264204eba1861865560f1f7f7a92919384
+Patch-mainline: v4.19
+References: git-fixes
+
+In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks
+have bad blocks, the max_sectors is less than last. It will call goto read_more many
+times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition
+sectors_done is not 0. So the value passed to the argument force of raise_barrier is
+true.
+
+In raise_barrier it checks conf->barrier when force is true. If force is true and
+conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer
+disks. And in the callback function of the bio it calls lower_barrier. If the bio
+finishes before calling raise_barrier again, it can trigger the BUG_ON.
+
+Add one pair of raise_barrier/lower_barrier to fix this bug.
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Suggested-by: Neil Brown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/raid10.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4566,11 +4566,12 @@ static sector_t reshape_request(struct m
+ allow_barrier(conf);
+ }
+
++ raise_barrier(conf, 0);
+ read_more:
+ /* Now schedule reads for blocks from sector_nr to last */
+ r10_bio = raid10_alloc_init_r10buf(conf);
+ r10_bio->state = 0;
+- raise_barrier(conf, sectors_done != 0);
++ raise_barrier(conf, 1);
+ atomic_set(&r10_bio->remaining, 0);
+ r10_bio->mddev = mddev;
+ r10_bio->sector = sector_nr;
+@@ -4666,6 +4667,8 @@ read_more:
+ if (sector_nr <= last)
+ goto read_more;
+
++ lower_barrier(conf);
++
+ /* Now that we have done the whole section we can
+ * update reshape_progress
+ */
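Review bot: The barrier taken by the added `raise_barrier(conf, 0);` before `read_more:` is released only by the `lower_barrier(conf);` added after the `goto read_more` loop, so any return from inside the loop would leave conf->barrier raised. The loop body between the two hunks is not shown here, so this needs checking against the full reshape_request(): every early exit between `read_more:` and the new `lower_barrier(conf)` has to lower the barrier first. A short comment at the first call, e.g. `/* held across the read_more loop so raise_barrier(conf, 1) never sees barrier == 0 */`, would also explain why two levels are taken.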
diff --git a/patches.fixes/VFS-close-race-between-getcwd-and-d_move.patch b/patches.fixes/VFS-close-race-between-getcwd-and-d_move.patch
new file mode 100644
index 0000000000..ebda5682f4
--- /dev/null
+++ b/patches.fixes/VFS-close-race-between-getcwd-and-d_move.patch
@@ -0,0 +1,111 @@
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Nov 2017 15:45:41 +1100
+Subject: [PATCH] VFS: close race between getcwd() and d_move()
+Git-commit: 61647823aa920e395afcce4b57c32afb51456cab
+Patch-mainline: v4.16
+References: git-fixes
+
+d_move() will call __d_drop() and then __d_rehash()
+on the dentry being moved. This creates a small window
+when the dentry appears to be unhashed. Many tests
+of d_unhashed() are made under ->d_lock and so are safe
+from racing with this window, but some aren't.
+In particular, getcwd() calls d_unlinked() (which calls
+d_unhashed()) without d_lock protection, so it can race.
+
+This races has been seen in practice with lustre, which uses d_move() as
+part of name lookup. See:
+ https://jira.hpdd.intel.com/browse/LU-9735
+It could race with a regular rename(), and result in ENOENT instead
+of either the 'before' or 'after' name.
+
+The race can be demonstrated with a simple program which
+has two threads, one renaming a directory back and forth
+while another calls getcwd() within that directory: it should never
+fail, but does. See:
+ https://patchwork.kernel.org/patch/9455345/
+
+We could fix this race by taking d_lock and rechecking when
+d_unhashed() reports true. Alternately when can remove the window,
+which is the approach this patch takes.
+
+___d_drop() is introduce which does *not* clear d_hash.pprev
+so the dentry still appears to be hashed. __d_drop() calls
+___d_drop(), then clears d_hash.pprev.
+__d_move() now uses ___d_drop() and only clears d_hash.pprev
+when not rehashing.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/dcache.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -463,9 +463,11 @@ static void dentry_lru_add(struct dentry
+ * d_drop() is used mainly for stuff that wants to invalidate a dentry for some
+ * reason (NFS timeouts or autofs deletes).
+ *
+- * __d_drop requires dentry->d_lock.
++ * __d_drop requires dentry->d_lock
++ * ___d_drop doesn't mark dentry as "unhashed"
++ * (dentry->d_hash.pprev will be LIST_POISON2, not NULL).
+ */
+-void __d_drop(struct dentry *dentry)
++static void ___d_drop(struct dentry *dentry)
+ {
+ if (!d_unhashed(dentry)) {
+ struct hlist_bl_head *b;
+@@ -481,12 +483,17 @@ void __d_drop(struct dentry *dentry)
+
+ hlist_bl_lock(b);
+ __hlist_bl_del(&dentry->d_hash);
+- dentry->d_hash.pprev = NULL;
+ hlist_bl_unlock(b);
+ /* After this call, in-progress rcu-walk path lookup will fail. */
+ write_seqcount_invalidate(&dentry->d_seq);
+ }
+ }
++
++void __d_drop(struct dentry *dentry)
++{
++ ___d_drop(dentry);
++ dentry->d_hash.pprev = NULL;
++}
+ EXPORT_SYMBOL(__d_drop);
+
+ void d_drop(struct dentry *dentry)
+@@ -2377,7 +2384,7 @@ EXPORT_SYMBOL(d_delete);
+ static void __d_rehash(struct dentry *entry)
+ {
+ struct hlist_bl_head *b = d_hash(entry->d_name.hash);
+- BUG_ON(!d_unhashed(entry));
++
+ hlist_bl_lock(b);
+ hlist_bl_add_head_rcu(&entry->d_hash, b);
+ hlist_bl_unlock(b);
+@@ -2814,9 +2821,9 @@ static void __d_move(struct dentry *dent
+ write_seqcount_begin_nested(&target->d_seq, DENTRY_D_LOCK_NESTED);
+
+ /* unhash both */
+- /* __d_drop does write_seqcount_barrier, but they're OK to nest. */
+- __d_drop(dentry);
+- __d_drop(target);
++ /* ___d_drop does write_seqcount_barrier, but they're OK to nest. */
++ ___d_drop(dentry);
++ ___d_drop(target);
+
+ /* Switch the names.. */
+ if (exchange)
+@@ -2828,6 +2835,8 @@ static void __d_move(struct dentry *dent
+ __d_rehash(dentry);
+ if (exchange)
+ __d_rehash(target);
++ else
++ target->d_hash.pprev = NULL;
+
+ /* ... and switch them in the tree */
+ if (IS_ROOT(dentry)) {
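Review bot: After `___d_drop()` the dentry is off its hash chain but `d_hash.pprev` still holds LIST_POISON2, so d_unhashed() reports it as hashed; that is only safe if every caller rehashes or sets `pprev = NULL` afterwards, and nothing at the definition says so. __d_move() does this on the non-exchange path with `target->d_hash.pprev = NULL;`, but with `BUG_ON(!d_unhashed(entry))` removed from __d_rehash() no check remains that would catch a misuse. I would extend the comment on ___d_drop with `* Callers must __d_rehash() the dentry or clear d_hash.pprev before dropping d_lock.` (assuming d_lock is the lock held here, as the __d_drop comment states). The rewritten comment `/* ___d_drop does write_seqcount_barrier, ... */` is also stale, since the visible body calls `write_seqcount_invalidate()`.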
diff --git a/patches.fixes/autofs-fix-autofs_sbi-does-not-check-super-block-typ.patch b/patches.fixes/autofs-fix-autofs_sbi-does-not-check-super-block-typ.patch
new file mode 100644
index 0000000000..26b827607b
--- /dev/null
+++ b/patches.fixes/autofs-fix-autofs_sbi-does-not-check-super-block-typ.patch
@@ -0,0 +1,53 @@
+From: Ian Kent <raven@themaw.net>
+Date: Tue, 21 Aug 2018 21:51:45 -0700
+Subject: [PATCH] autofs: fix autofs_sbi() does not check super block type
+Git-commit: 0633da48f0793aeba27f82d30605624416723a91
+Patch-mainline: v4.19
+References: git-fixes
+
+autofs_sbi() does not check the superblock magic number to verify it has
+been given an autofs super block.
+
+Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
+Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/autofs4/autofs_i.h | 4 +++-
+ fs/autofs4/inode.c | 1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -15,6 +15,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
+ #include <linux/completion.h>
++#include <linux/magic.h>
+
+ /* This is the range of ioctl() numbers we claim as ours */
+ #define AUTOFS_IOC_FIRST AUTOFS_IOC_READY
+@@ -124,7 +125,8 @@ struct autofs_sb_info {
+
+ static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb)
+ {
+- return (struct autofs_sb_info *)(sb->s_fs_info);
++ return sb->s_magic != AUTOFS_SUPER_MAGIC ?
++ NULL : (struct autofs_sb_info *)(sb->s_fs_info);
+ }
+
+ static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry)
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -14,7 +14,6 @@
+ #include <linux/pagemap.h>
+ #include <linux/parser.h>
+ #include <linux/bitops.h>
+-#include <linux/magic.h>
+ #include "autofs_i.h"
+ #include <linux/module.h>
+
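Review bot: autofs4_sbi() can now return NULL, but the patch touches no caller: its diffstat lists only this inline in fs/autofs4/autofs_i.h and an include removal in fs/autofs4/inode.c. A call site that dereferences the result without a test turns a wrong-superblock access into a NULL dereference, which is better than reading a foreign `s_fs_info` but is still an oops; the call sites are not visible here and should be audited. A comment on the helper, e.g. `/* Returns NULL if sb is not an autofs super block; callers must check. */`, would make the new contract explicit.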
diff --git a/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch b/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
new file mode 100644
index 0000000000..a61bf32f1a
--- /dev/null
+++ b/patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
@@ -0,0 +1,82 @@
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Fri, 13 Jul 2018 16:58:59 -0700
+Subject: [PATCH] autofs: fix slab out of bounds read in getname_kernel()
+Git-commit: 02f51d45937f7bc7f4dee21e9f85b2d5eac37104
+Patch-mainline: v4.18
+References: git-fixes
+
+The autofs subsystem does not check that the "path" parameter is present
+for all cases where it is required when it is passed in via the "param"
+struct.
+
+In particular it isn't checked for the AUTOFS_DEV_IOCTL_OPENMOUNT_CMD
+ioctl command.
+
+To solve it, modify validate_dev_ioctl(function to check that a path has
+been provided for ioctl commands that require it.
+
+Link: http://lkml.kernel.org/r/153060031527.26631.18306637892746301555.stgit@pluto.themaw.net
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Reported-by: syzbot+60c837b428dc84e83a93@syzkaller.appspotmail.com
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/autofs4/dev-ioctl.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/fs/autofs4/dev-ioctl.c
++++ b/fs/autofs4/dev-ioctl.c
+@@ -148,6 +148,15 @@ static int validate_dev_ioctl(int cmd, s
+ cmd);
+ goto out;
+ }
++ } else {
++ unsigned int inr = _IOC_NR(cmd);
++
++ if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
++ inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
++ inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
++ err = -EINVAL;
++ goto out;
++ }
+ }
+
+ err = 0;
+@@ -289,7 +298,8 @@ static int autofs_dev_ioctl_openmount(st
+ dev_t devid;
+ int err, fd;
+
+- /* param->path has already been checked */
++ /* param->path has been checked in validate_dev_ioctl() */
++
+ if (!param->openmount.devid)
+ return -EINVAL;
+
+@@ -451,10 +461,7 @@ static int autofs_dev_ioctl_requester(st
+ dev_t devid;
+ int err = -ENOENT;
+
+- if (param->size <= sizeof(*param)) {
+- err = -EINVAL;
+- goto out;
+- }
++ /* param->path has been checked in validate_dev_ioctl() */
+
+ devid = sbi->sb->s_dev;
+
+@@ -539,10 +546,7 @@ static int autofs_dev_ioctl_ismountpoint
+ unsigned int devid, magic;
+ int err = -ENOENT;
+
+- if (param->size <= sizeof(*param)) {
+- err = -EINVAL;
+- goto out;
+- }
++ /* param->path has been checked in validate_dev_ioctl() */
+
+ name = param->path;
+ type = param->ismountpoint.in.type;
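Review bot: The set of commands that require `param->path` is now a hard-coded list in the new `else` branch of validate_dev_ioctl(), while autofs_dev_ioctl_requester() and autofs_dev_ioctl_ismountpoint() lose their own `param->size <= sizeof(*param)` checks and keep only a comment. A handler that reads `param->path` without being on that list would bring back the out-of-bounds read this patch fixes, so the list deserves a comment saying so, for example `/* Commands that read param->path must be listed here; handlers do not re-check. */`. The `if` that this `else` pairs with is outside the hunk, as are the `out:` labels in the two handlers; if the removed `goto out` was the only user in either one, that label is now unused.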
diff --git a/patches.fixes/autofs-mount-point-create-should-honour-passed-in-mo.patch b/patches.fixes/autofs-mount-point-create-should-honour-passed-in-mo.patch
new file mode 100644
index 0000000000..8510ff19e6
--- /dev/null
+++ b/patches.fixes/autofs-mount-point-create-should-honour-passed-in-mo.patch
@@ -0,0 +1,38 @@
+From: Ian Kent <raven@themaw.net>
+Date: Fri, 20 Apr 2018 14:55:59 -0700
+Subject: [PATCH] autofs: mount point create should honour passed in mode
+Git-commit: 1e6306652ba18723015d1b4967fe9de55f042499
+Patch-mainline: v4.17
+References: git-fixes
+
+The autofs file system mkdir inode operation blindly sets the created
+directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can
+cause selinux dac_override denials.
+
+But the function also checks if the caller is the daemon (as no-one else
+should be able to do anything here) so there's no point in not honouring
+the passed in mode, allowing the daemon to set appropriate mode when
+required.
+
+Link: http://lkml.kernel.org/r/152361593601.8051.14014139124905996173.stgit@pluto.themaw.net
+Signed-off-by: Ian Kent <raven@themaw.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/autofs4/root.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -749,7 +749,7 @@ static int autofs4_dir_mkdir(struct inod
+
+ autofs4_del_active(dentry);
+
+- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
+ if (!inode)
+ return -ENOMEM;
+ d_add(dentry, inode);
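Review bot: `S_IFDIR | mode` now trusts the caller's mode, and the two things that make this safe are outside the hunk: the daemon-only check the description refers to, and whatever restricts `mode` to permission bits before autofs4_dir_mkdir() is reached. If `mode` could carry file-type bits, OR-ing it with S_IFDIR would produce an invalid inode type. A comment at the call, e.g. `/* only the daemon gets here; honour its requested permissions */`, would record the assumption. autofs4_dir_mkdir() starts and ends outside this hunk.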
diff --git a/patches.fixes/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch b/patches.fixes/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch
new file mode 100644
index 0000000000..fef348c457
--- /dev/null
+++ b/patches.fixes/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch
@@ -0,0 +1,35 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 3 Nov 2017 11:24:44 -0600
+Subject: [PATCH] badblocks: fix wrong return value in badblocks_set if
+ badblocks are disabled
+Git-commit: 39b4954c0a1556f8f7f1fdcf59a227117fcd8a0b
+Patch-mainline: v4.15
+References: git-fixes
+
+MD's rdev_set_badblocks() expects that badblocks_set() returns 1 if
+badblocks are disabled, otherwise, rdev_set_badblocks() will record
+superblock changes and return success in that case and md will fail to
+report an IO error which it should.
+
+This bug has existed since badblocks were introduced in commit
+9e0e252a048b ("badblocks: Add core badblock management code").
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+
+---
+ block/badblocks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/badblocks.c
++++ b/block/badblocks.c
+@@ -178,7 +178,7 @@ int badblocks_set(struct badblocks *bb,
+
+ if (bb->shift < 0)
+ /* badblocks are disabled */
+- return 0;
++ return 1;
+
+ if (bb->shift) {
+ /* round the start down, and the end up */
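Review bot: The bare `return 1;` for the disabled case gives no hint that 1 means failure to the caller, which is the whole point of the fix. The existing comment could carry it: `/* badblocks are disabled: return 1 so the caller reports an I/O error */`. The unbraced `if (bb->shift < 0)` with a comment between the condition and its statement is also easy to misread, and braces would help. badblocks_set() continues outside the hunk.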
diff --git a/patches.fixes/d-lookup-fairness.fix b/patches.fixes/d-lookup-fairness.fix
index 7324a19541..72d4f15408 100644
--- a/patches.fixes/d-lookup-fairness.fix
+++ b/patches.fixes/d-lookup-fairness.fix
@@ -33,7 +33,7 @@ Signed-off-by: NeilBrown <neilb@suse.com>
static inline struct hlist_bl_head *in_lookup_hash(const struct dentry *parent,
unsigned int hash)
{
-@@ -479,10 +481,14 @@ void __d_drop(struct dentry *dentry)
+@@ -479,9 +481,13 @@ static void ___d_drop(struct dentry *den
else
b = d_hash(dentry->d_name.hash);
@@ -41,14 +41,13 @@ Signed-off-by: NeilBrown <neilb@suse.com>
+ spin_lock(&s_anon_lock);
hlist_bl_lock(b);
__hlist_bl_del(&dentry->d_hash);
- dentry->d_hash.pprev = NULL;
hlist_bl_unlock(b);
+ if (b == &dentry->d_sb->s_anon)
+ spin_unlock(&s_anon_lock);
/* After this call, in-progress rcu-walk path lookup will fail. */
write_seqcount_invalidate(&dentry->d_seq);
}
-@@ -1961,9 +1967,11 @@ static struct dentry *__d_obtain_alias(s
+@@ -2000,9 +2006,11 @@ static struct dentry *__d_obtain_alias(s
spin_lock(&tmp->d_lock);
__d_set_inode_and_type(tmp, inode, add_flags);
hlist_add_head(&tmp->d_u.d_alias, &inode->i_dentry);
diff --git a/patches.fixes/do-d_instantiate-unlock_new_inode-combinations-safel.patch b/patches.fixes/do-d_instantiate-unlock_new_inode-combinations-safel.patch
new file mode 100644
index 0000000000..693501049a
--- /dev/null
+++ b/patches.fixes/do-d_instantiate-unlock_new_inode-combinations-safel.patch
@@ -0,0 +1,457 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 4 May 2018 08:23:01 -0400
+Subject: [PATCH] do d_instantiate/unlock_new_inode combinations safely
+Git-commit: 1e2e547a93a00ebc21582c06ca3c6cfea2a309ee
+Patch-mainline: v4.17
+References: git-fixes
+
+For anything NFS-exported we do _not_ want to unlock new inode
+before it has grown an alias; original set of fixes got the
+ordering right, but missed the nasty complication in case of
+lockdep being enabled - unlock_new_inode() does
+ lockdep_annotate_inode_mutex_key(inode)
+which can only be done before anyone gets a chance to touch
+->i_mutex. Unfortunately, flipping the order and doing
+unlock_new_inode() before d_instantiate() opens a window when
+mkdir can race with open-by-fhandle on a guessed fhandle, leading
+to multiple aliases for a directory inode and all the breakage
+that follows from that.
+
+ Correct solution: a new primitive (d_instantiate_new())
+combining these two in the right order - lockdep annotate, then
+d_instantiate(), then the rest of unlock_new_inode(). All
+combinations of d_instantiate() with unlock_new_inode() should
+be converted to that.
+
+Cc: stable@kernel.org # 2.6.29 and later
+Tested-by: Mike Marshall <hubcap@omnibond.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/btrfs/inode.c | 16 ++++------------
+ fs/dcache.c | 22 ++++++++++++++++++++++
+ fs/ecryptfs/inode.c | 3 +--
+ fs/ext2/namei.c | 6 ++----
+ fs/ext4/namei.c | 6 ++----
+ fs/f2fs/namei.c | 12 ++++--------
+ fs/jffs2/dir.c | 12 ++++--------
+ fs/jfs/namei.c | 12 ++++--------
+ fs/nilfs2/namei.c | 6 ++----
+ fs/orangefs/namei.c | 9 +++------
+ fs/reiserfs/namei.c | 12 ++++--------
+ fs/udf/namei.c | 6 ++----
+ fs/ufs/namei.c | 6 ++----
+ include/linux/dcache.h | 1 +
+ 14 files changed, 57 insertions(+), 72 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6574,8 +6574,7 @@ static int btrfs_mknod(struct inode *dir
+ goto out_unlock_inode;
+ } else {
+ btrfs_update_inode(trans, root, inode);
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ }
+
+ out_unlock:
+@@ -6652,8 +6651,7 @@ static int btrfs_create(struct inode *di
+ goto out_unlock_inode;
+
+ BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+
+ out_unlock:
+ btrfs_end_transaction(trans);
+@@ -6800,12 +6798,7 @@ static int btrfs_mkdir(struct inode *dir
+ if (err)
+ goto out_fail_inode;
+
+- d_instantiate(dentry, inode);
+- /*
+- * mkdir is special. We're unlocking after we call d_instantiate
+- * to avoid a race with nfsd calling d_instantiate.
+- */
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ drop_on_err = 0;
+
+ out_fail:
+@@ -10467,8 +10460,7 @@ static int btrfs_symlink(struct inode *d
+ goto out_unlock_inode;
+ }
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+
+ out_unlock:
+ btrfs_end_transaction(trans);
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1863,6 +1863,28 @@ void d_instantiate(struct dentry *entry,
+ }
+ EXPORT_SYMBOL(d_instantiate);
+
++/*
++ * This should be equivalent to d_instantiate() + unlock_new_inode(),
++ * with lockdep-related part of unlock_new_inode() done before
++ * anything else. Use that instead of open-coding d_instantiate()/
++ * unlock_new_inode() combinations.
++ */
++void d_instantiate_new(struct dentry *entry, struct inode *inode)
++{
++ BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
++ BUG_ON(!inode);
++ lockdep_annotate_inode_mutex_key(inode);
++ security_d_instantiate(entry, inode);
++ spin_lock(&inode->i_lock);
++ __d_instantiate(entry, inode);
++ WARN_ON(!(inode->i_state & I_NEW));
++ inode->i_state &= ~I_NEW;
++ smp_mb();
++ wake_up_bit(&inode->i_state, __I_NEW);
++ spin_unlock(&inode->i_lock);
++}
++EXPORT_SYMBOL(d_instantiate_new);
++
+ /**
+ * d_instantiate_no_diralias - instantiate a non-aliased dentry
+ * @entry: dentry to complete
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -283,8 +283,7 @@ ecryptfs_create(struct inode *directory_
+ iget_failed(ecryptfs_inode);
+ goto out;
+ }
+- unlock_new_inode(ecryptfs_inode);
+- d_instantiate(ecryptfs_dentry, ecryptfs_inode);
++ d_instantiate_new(ecryptfs_dentry, ecryptfs_inode);
+ out:
+ return rc;
+ }
+--- a/fs/ext2/namei.c
++++ b/fs/ext2/namei.c
+@@ -40,8 +40,7 @@ static inline int ext2_add_nondir(struct
+ {
+ int err = ext2_add_link(dentry, inode);
+ if (!err) {
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+ }
+ inode_dec_link_count(inode);
+@@ -254,8 +253,7 @@ static int ext2_mkdir(struct inode * dir
+ if (err)
+ goto out_fail;
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ out:
+ return err;
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2385,8 +2385,7 @@ static int ext4_add_nondir(handle_t *han
+ int err = ext4_add_entry(handle, dentry, inode);
+ if (!err) {
+ ext4_mark_inode_dirty(handle, inode);
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+ }
+ drop_nlink(inode);
+@@ -2625,8 +2624,7 @@ out_clear_inode:
+ err = ext4_mark_inode_dirty(handle, dir);
+ if (err)
+ goto out_clear_inode;
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ if (IS_DIRSYNC(dir))
+ ext4_handle_sync(handle);
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -156,8 +156,7 @@ static int f2fs_create(struct inode *dir
+
+ alloc_nid_done(sbi, ino);
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+
+ if (IS_DIRSYNC(dir))
+ f2fs_sync_fs(sbi->sb, 1);
+@@ -463,8 +462,7 @@ static int f2fs_symlink(struct inode *di
+ err = page_symlink(inode, disk_link.name, disk_link.len);
+
+ err_out:
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+
+ /*
+ * Let's flush symlink data in order to avoid broken symlink as much as
+@@ -518,8 +516,7 @@ static int f2fs_mkdir(struct inode *dir,
+
+ alloc_nid_done(sbi, inode->i_ino);
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+
+ if (IS_DIRSYNC(dir))
+ f2fs_sync_fs(sbi->sb, 1);
+@@ -563,8 +560,7 @@ static int f2fs_mknod(struct inode *dir,
+
+ alloc_nid_done(sbi, inode->i_ino);
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+
+ if (IS_DIRSYNC(dir))
+ f2fs_sync_fs(sbi->sb, 1);
+--- a/fs/jffs2/dir.c
++++ b/fs/jffs2/dir.c
+@@ -209,8 +209,7 @@ static int jffs2_create(struct inode *di
+ __func__, inode->i_ino, inode->i_mode, inode->i_nlink,
+ f->inocache->pino_nlink, inode->i_mapping->nrpages);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+
+ fail:
+@@ -430,8 +429,7 @@ static int jffs2_symlink (struct inode *
+ mutex_unlock(&dir_f->sem);
+ jffs2_complete_reservation(c);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+
+ fail:
+@@ -575,8 +573,7 @@ static int jffs2_mkdir (struct inode *di
+ mutex_unlock(&dir_f->sem);
+ jffs2_complete_reservation(c);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+
+ fail:
+@@ -747,8 +744,7 @@ static int jffs2_mknod (struct inode *di
+ mutex_unlock(&dir_f->sem);
+ jffs2_complete_reservation(c);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+
+ fail:
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -178,8 +178,7 @@ static int jfs_create(struct inode *dip,
+ unlock_new_inode(ip);
+ iput(ip);
+ } else {
+- unlock_new_inode(ip);
+- d_instantiate(dentry, ip);
++ d_instantiate_new(dentry, ip);
+ }
+
+ out2:
+@@ -313,8 +312,7 @@ static int jfs_mkdir(struct inode *dip,
+ unlock_new_inode(ip);
+ iput(ip);
+ } else {
+- unlock_new_inode(ip);
+- d_instantiate(dentry, ip);
++ d_instantiate_new(dentry, ip);
+ }
+
+ out2:
+@@ -1059,8 +1057,7 @@ static int jfs_symlink(struct inode *dip
+ unlock_new_inode(ip);
+ iput(ip);
+ } else {
+- unlock_new_inode(ip);
+- d_instantiate(dentry, ip);
++ d_instantiate_new(dentry, ip);
+ }
+
+ out2:
+@@ -1447,8 +1444,7 @@ static int jfs_mknod(struct inode *dir,
+ unlock_new_inode(ip);
+ iput(ip);
+ } else {
+- unlock_new_inode(ip);
+- d_instantiate(dentry, ip);
++ d_instantiate_new(dentry, ip);
+ }
+
+ out1:
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -46,8 +46,7 @@ static inline int nilfs_add_nondir(struc
+ int err = nilfs_add_link(dentry, inode);
+
+ if (!err) {
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+ }
+ inode_dec_link_count(inode);
+@@ -243,8 +242,7 @@ static int nilfs_mkdir(struct inode *dir
+ goto out_fail;
+
+ nilfs_mark_inode_dirty(inode);
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ out:
+ if (!err)
+ err = nilfs_transaction_commit(dir->i_sb);
+--- a/fs/orangefs/namei.c
++++ b/fs/orangefs/namei.c
+@@ -70,8 +70,7 @@ static int orangefs_create(struct inode
+ get_khandle_from_ino(inode),
+ dentry);
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ orangefs_set_timeout(dentry);
+ ORANGEFS_I(inode)->getattr_time = jiffies - 1;
+ ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
+@@ -319,8 +318,7 @@ static int orangefs_symlink(struct inode
+ "Assigned symlink inode new number of %pU\n",
+ get_khandle_from_ino(inode));
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ orangefs_set_timeout(dentry);
+ ORANGEFS_I(inode)->getattr_time = jiffies - 1;
+ ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
+@@ -384,8 +382,7 @@ static int orangefs_mkdir(struct inode *
+ "Assigned dir inode new number of %pU\n",
+ get_khandle_from_ino(inode));
+
+- d_instantiate(dentry, inode);
+- unlock_new_inode(inode);
++ d_instantiate_new(dentry, inode);
+ orangefs_set_timeout(dentry);
+ ORANGEFS_I(inode)->getattr_time = jiffies - 1;
+ ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
+--- a/fs/reiserfs/namei.c
++++ b/fs/reiserfs/namei.c
+@@ -687,8 +687,7 @@ static int reiserfs_create(struct inode
+ reiserfs_update_inode_transaction(inode);
+ reiserfs_update_inode_transaction(dir);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ retval = journal_end(&th);
+
+ out_failed:
+@@ -771,8 +770,7 @@ static int reiserfs_mknod(struct inode *
+ goto out_failed;
+ }
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ retval = journal_end(&th);
+
+ out_failed:
+@@ -871,8 +869,7 @@ static int reiserfs_mkdir(struct inode *
+ /* the above add_entry did not update dir's stat data */
+ reiserfs_update_sd(&th, dir);
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ retval = journal_end(&th);
+ out_failed:
+ reiserfs_write_unlock(dir->i_sb);
+@@ -1187,8 +1184,7 @@ static int reiserfs_symlink(struct inode
+ goto out_failed;
+ }
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ retval = journal_end(&th);
+ out_failed:
+ reiserfs_write_unlock(parent_dir->i_sb);
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -621,8 +621,7 @@ static int udf_add_nondir(struct dentry
+ if (fibh.sbh != fibh.ebh)
+ brelse(fibh.ebh);
+ brelse(fibh.sbh);
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+
+ return 0;
+ }
+@@ -732,8 +731,7 @@ static int udf_mkdir(struct inode *dir,
+ inc_nlink(dir);
+ dir->i_ctime = dir->i_mtime = current_time(dir);
+ mark_inode_dirty(dir);
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ if (fibh.sbh != fibh.ebh)
+ brelse(fibh.ebh);
+ brelse(fibh.sbh);
+--- a/fs/ufs/namei.c
++++ b/fs/ufs/namei.c
+@@ -38,8 +38,7 @@ static inline int ufs_add_nondir(struct
+ {
+ int err = ufs_add_link(dentry, inode);
+ if (!err) {
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+ }
+ inode_dec_link_count(inode);
+@@ -192,8 +191,7 @@ static int ufs_mkdir(struct inode * dir,
+ if (err)
+ goto out_fail;
+
+- unlock_new_inode(inode);
+- d_instantiate(dentry, inode);
++ d_instantiate_new(dentry, inode);
+ return 0;
+
+ out_fail:
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -220,6 +220,7 @@ extern seqlock_t rename_lock;
+ * These are the low-level FS interfaces to the dcache..
+ */
+ extern void d_instantiate(struct dentry *, struct inode *);
++extern void d_instantiate_new(struct dentry *, struct inode *);
+ extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *);
+ extern int d_instantiate_no_diralias(struct dentry *, struct inode *);
+ extern void __d_drop(struct dentry *dentry);
diff --git a/patches.fixes/f2fs-call-unlock_new_inode-before-d_instantiate.patch b/patches.fixes/f2fs-call-unlock_new_inode-before-d_instantiate.patch
deleted file mode 100644
index 73a00fe999..0000000000
--- a/patches.fixes/f2fs-call-unlock_new_inode-before-d_instantiate.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From ab3835aae642a602d98505afbfceb37707bf3ffe Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Wed, 18 Apr 2018 15:48:42 -0700
-Subject: [PATCH] f2fs: call unlock_new_inode() before d_instantiate()
-Git-commit: ab3835aae642a602d98505afbfceb37707bf3ffe
-Patch-mainline: v4.18-rc1
-References: bsc#1101837
-
-xfstest generic/429 sometimes hangs on f2fs, caused by a thread being
-unable to take a directory's i_rwsem for write in vfs_rmdir(). In the
-test, one thread repeatedly creates and removes a directory, and other
-threads repeatedly look up a file in the directory. The bug is that
-f2fs_mkdir() calls d_instantiate() before unlock_new_inode(), resulting
-in the directory inode being exposed to lookups before it has been fully
-initialized. And with CONFIG_DEBUG_LOCK_ALLOC, unlock_new_inode()
-reinitializes ->i_rwsem, corrupting its state when it is already held.
-
-Fix it by calling unlock_new_inode() before d_instantiate(). This
-matches what other filesystems do.
-
-Fixes: 57397d86c62d ("f2fs: add inode operations for special inodes")
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Reviewed-by: Chao Yu <yuchao0@huawei.com>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Acked-by: Jan Kara <jack@suse.cz>
-
----
- fs/f2fs/namei.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
-index d5098efe577c..3a7ed962d2f7 100644
---- a/fs/f2fs/namei.c
-+++ b/fs/f2fs/namei.c
-@@ -294,8 +294,8 @@ static int f2fs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
-
- alloc_nid_done(sbi, ino);
-
-- d_instantiate(dentry, inode);
- unlock_new_inode(inode);
-+ d_instantiate(dentry, inode);
-
- if (IS_DIRSYNC(dir))
- f2fs_sync_fs(sbi->sb, 1);
-@@ -597,8 +597,8 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
- err = page_symlink(inode, disk_link.name, disk_link.len);
-
- err_out:
-- d_instantiate(dentry, inode);
- unlock_new_inode(inode);
-+ d_instantiate(dentry, inode);
-
- /*
- * Let's flush symlink data in order to avoid broken symlink as much as
-@@ -661,8 +661,8 @@ static int f2fs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
-
- alloc_nid_done(sbi, inode->i_ino);
-
-- d_instantiate(dentry, inode);
- unlock_new_inode(inode);
-+ d_instantiate(dentry, inode);
-
- if (IS_DIRSYNC(dir))
- f2fs_sync_fs(sbi->sb, 1);
-@@ -713,8 +713,8 @@ static int f2fs_mknod(struct inode *dir, struct dentry *dentry,
-
- alloc_nid_done(sbi, inode->i_ino);
-
-- d_instantiate(dentry, inode);
- unlock_new_inode(inode);
-+ d_instantiate(dentry, inode);
-
- if (IS_DIRSYNC(dir))
- f2fs_sync_fs(sbi->sb, 1);
---
-2.16.4
-
diff --git a/patches.fixes/fs-dcache-Avoid-livelock-between-d_alloc_parallel-an.patch b/patches.fixes/fs-dcache-Avoid-livelock-between-d_alloc_parallel-an.patch
new file mode 100644
index 0000000000..300f0ed811
--- /dev/null
+++ b/patches.fixes/fs-dcache-Avoid-livelock-between-d_alloc_parallel-an.patch
@@ -0,0 +1,79 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 19 Feb 2018 14:55:54 +0000
+Subject: [PATCH] fs: dcache: Avoid livelock between d_alloc_parallel and
+ __d_add
+Git-commit: 015555fd4d2930bc0c86952c46ad88b3392f66e4
+Patch-mainline: v4.16
+References: git-fixes
+
+If d_alloc_parallel runs concurrently with __d_add, it is possible for
+d_alloc_parallel to continuously retry whilst i_dir_seq has been
+incremented to an odd value by __d_add:
+
+Cpu0:
+__d_add
+ n = start_dir_add(dir);
+ cmpxchg(&dir->i_dir_seq, n, n + 1) == n
+
+Cpu1:
+d_alloc_parallel
+Retry: seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1;
+ hlist_bl_lock(b);
+ bit_spin_lock(0, (unsigned long *)b); // Always succeeds
+
+Cpu0: __d_lookup_done(dentry)
+ hlist_bl_lock
+ bit_spin_lock(0, (unsigned long *)b); // Never succeeds
+
+Cpu1: if (unlikely(parent->d_inode->i_dir_seq != seq)) {
+ hlist_bl_unlock(b);
+ goto retry;
+ }
+
+Since the simple bit_spin_lock used to implement hlist_bl_lock does not
+provide any fairness guarantees, then CPU1 can starve CPU0 of the lock
+and prevent it from reaching end_dir_add(dir), therefore CPU1 cannot
+exit its retry loop because the sequence number always has the bottom
+bit set.
+
+This patch resolves the livelock by not taking hlist_bl_lock in
+d_alloc_parallel if the sequence counter is odd, since any subsequent
+masked comparison with i_dir_seq will fail anyway.
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reported-by: Naresh Madhusudana <naresh.madhusudana@arm.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/dcache.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2464,7 +2464,7 @@ struct dentry *d_alloc_parallel(struct d
+
+ retry:
+ rcu_read_lock();
+- seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1;
++ seq = smp_load_acquire(&parent->d_inode->i_dir_seq);
+ r_seq = read_seqbegin(&rename_lock);
+ dentry = __d_lookup_rcu(parent, name, &d_seq);
+ if (unlikely(dentry)) {
+@@ -2485,6 +2485,12 @@ retry:
+ rcu_read_unlock();
+ goto retry;
+ }
++
++ if (unlikely(seq & 1)) {
++ rcu_read_unlock();
++ goto retry;
++ }
++
+ hlist_bl_lock(b);
+ if (unlikely(parent->d_inode->i_dir_seq != seq)) {
+ hlist_bl_unlock(b);
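Review bot: The added `if (unlikely(seq & 1))` early retry in d_alloc_parallel() has no comment, and without the commit message it is not obvious why an odd `i_dir_seq` must be rejected before `hlist_bl_lock(b)`. I would put `/* odd i_dir_seq: a __d_add() is in progress; contending for hlist_bl_lock here can starve it, so retry without the lock */` above the test. The retry jumps straight back to `retry:` with no pause, so it may be worth checking whether a `cpu_relax()` is wanted on that path. The function body starts and ends outside the hunk.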
diff --git a/patches.fixes/fs-dcache-Use-READ_ONCE-when-accessing-i_dir_seq.patch b/patches.fixes/fs-dcache-Use-READ_ONCE-when-accessing-i_dir_seq.patch
new file mode 100644
index 0000000000..fa3b0ec32d
--- /dev/null
+++ b/patches.fixes/fs-dcache-Use-READ_ONCE-when-accessing-i_dir_seq.patch
@@ -0,0 +1,31 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 19 Feb 2018 14:55:55 +0000
+Subject: [PATCH] fs: dcache: Use READ_ONCE when accessing i_dir_seq
+Git-commit: 8cc07c808c9d595e81cbe5aad419b7769eb2e5c9
+Patch-mainline: v4.16
+References: git-fixes
+
+i_dir_seq is subject to concurrent modification by a cmpxchg or
+store-release operation, so ensure that the relaxed access in
+d_alloc_parallel uses READ_ONCE.
+
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/dcache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2492,7 +2492,7 @@ retry:
+ }
+
+ hlist_bl_lock(b);
+- if (unlikely(parent->d_inode->i_dir_seq != seq)) {
++ if (unlikely(READ_ONCE(parent->d_inode->i_dir_seq) != seq)) {
+ hlist_bl_unlock(b);
+ rcu_read_unlock();
+ goto retry;
diff --git a/patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch b/patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
new file mode 100644
index 0000000000..b31b3b20a6
--- /dev/null
+++ b/patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
@@ -0,0 +1,56 @@
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 17 Aug 2018 15:44:34 -0700
+Subject: [PATCH] fs/dcache.c: fix kmemcheck splat at
+ take_dentry_name_snapshot()
+Git-commit: 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d
+Patch-mainline: v4.19
+References: git-fixes
+
+Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes
+are initialized at __d_alloc(), we can't copy the whole size
+unconditionally.
+
+ WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
+ 636f6e66696766732e746d70000000000010000000000000020000000188ffff
+ i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
+ ^
+ RIP: 0010:take_dentry_name_snapshot+0x28/0x50
+ RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
+ RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
+ RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
+ RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
+ R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
+ R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
+ take_dentry_name_snapshot+0x28/0x50
+ vfs_rename+0x128/0x870
+ SyS_rename+0x3b2/0x3d0
+ entry_SYSCALL_64_fastpath+0x1a/0xa4
+ 0xffffffffffffffff
+
+Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Vegard Nossum <vegard.nossum@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/dcache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -288,7 +288,8 @@ void take_dentry_name_snapshot(struct na
+ spin_unlock(&dentry->d_lock);
+ name->name = p->name;
+ } else {
+- memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
++ memcpy(name->inline_name, dentry->d_iname,
++ dentry->d_name.len + 1);
+ spin_unlock(&dentry->d_lock);
+ name->name = name->inline_name;
+ }
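Review bot: With the shortened memcpy in take_dentry_name_snapshot(), the tail of `name->inline_name` beyond `d_name.len + 1` is left uninitialised, so the snapshot is only safe for consumers that treat `name->name` as a NUL-terminated string. Any caller that copies or compares the full `DNAME_INLINE_LEN` bytes would read stale memory. The bound also relies on the inline branch guaranteeing `d_name.len < DNAME_INLINE_LEN`, which this hunk does not show. I would record both above the copy: `/* inline names are shorter than DNAME_INLINE_LEN; only len + 1 bytes of d_iname are initialised */`. The function starts outside the hunk.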
diff --git a/patches.fixes/getname_kernel-needs-to-make-sure-that-name-iname-in.patch b/patches.fixes/getname_kernel-needs-to-make-sure-that-name-iname-in.patch
new file mode 100644
index 0000000000..76b6586a0d
--- /dev/null
+++ b/patches.fixes/getname_kernel-needs-to-make-sure-that-name-iname-in.patch
@@ -0,0 +1,32 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 8 Apr 2018 11:57:10 -0400
+Subject: [PATCH] getname_kernel() needs to make sure that ->name != ->iname in
+ long case
+Git-commit: 30ce4d1903e1d8a7ccd110860a5eef3c638ed8be
+Patch-mainline: v4.17
+References: git-fixes
+
+missed it in "kill struct filename.separate" several years ago.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -221,9 +221,10 @@ getname_kernel(const char * filename)
+ if (len <= EMBEDDED_NAME_MAX) {
+ result->name = (char *)result->iname;
+ } else if (len <= PATH_MAX) {
++ const size_t size = offsetof(struct filename, iname[1]);
+ struct filename *tmp;
+
+- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
++ tmp = kmalloc(size, GFP_KERNEL);
+ if (unlikely(!tmp)) {
+ __putname(result);
+ return ERR_PTR(-ENOMEM);
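Review bot: The allocation size `offsetof(struct filename, iname[1])` in getname_kernel() is unexplained, and the commit message is too terse to stop a later cleanup from reverting it to `sizeof(*tmp)`. As far as the subject line indicates, the extra byte keeps `tmp->iname` inside the allocated object so it can never compare equal to the separately allocated `tmp->name`; that comparison presumably decides how the name is freed, which makes a mistake here a memory-safety issue. I would add `/* iname[0] must lie inside this object so that ->name can never equal ->iname */` above the `size` declaration. The function starts and ends outside the hunk.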
diff --git a/patches.fixes/lockd-fix-list_add-double-add-caused-by-legacy-signa.patch b/patches.fixes/lockd-fix-list_add-double-add-caused-by-legacy-signa.patch
new file mode 100644
index 0000000000..fed74317b3
--- /dev/null
+++ b/patches.fixes/lockd-fix-list_add-double-add-caused-by-legacy-signa.patch
@@ -0,0 +1,82 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 13 Nov 2017 07:25:40 +0300
+Subject: [PATCH] lockd: fix "list_add double add" caused by legacy signal
+ interface
+Git-commit: 81833de1a46edce9ca20cfe079872ac1c20ef359
+Patch-mainline: v4.15
+References: git-fixes
+
+restart_grace() uses hardcoded init_net.
+It can cause to "list_add double add" in following scenario:
+
+1) nfsd and lockd was started in several net namespaces
+2) nfsd in init_net was stopped (lockd was not stopped because
+ it have users from another net namespaces)
+3) lockd got signal, called restart_grace() -> set_grace_period()
+ and enabled lock_manager in hardcoded init_net.
+4) nfsd in init_net is started again,
+ its lockd_up() calls set_grace_period() and tries to add
+ lock_manager into init_net 2nd time.
+
+Jeff Layton suggest:
+"Make it safe to call locks_start_grace multiple times on the same
+lock_manager. If it's already on the global grace_list, then don't try
+to add it again. (But we don't intentionally add twice, so for now we
+WARN about that case.)
+
+With this change, we also need to ensure that the nfsd4 lock manager
+initializes the list before we call locks_start_grace. While we're at
+it, move the rest of the nfsd_net initialization into
+nfs4_state_create_net. I see no reason to have it spread over two
+functions like it is today."
+
+Suggested patch was updated to generate warning in described situation.
+
+Suggested-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/nfs_common/grace.c | 6 +++++-
+ fs/nfsd/nfs4state.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struc
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+ spin_lock(&grace_lock);
+- list_add(&lm->list, grace_list);
++ if (list_empty(&lm->list))
++ list_add(&lm->list, grace_list);
++ else
++ WARN(1, "double list_add attempt detected in net %x %s\n",
++ net->ns.inum, (net == &init_net) ? "(init_net)" : "");
+ spin_unlock(&grace_lock);
+ }
+ EXPORT_SYMBOL_GPL(locks_start_grace);
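Review bot: The `list_empty(&lm->list)` test in locks_start_grace() is only meaningful if every lock_manager has its list head initialised before the first call and is later removed with `list_del_init()`. A zero-filled `lm->list` is not "empty", so it would take the WARN branch and never be added. This patch initialises `nn->nfsd4_manager.list` in nfs4_state_create_net(), but lockd's own lock manager and locks_end_grace() are not in the visible hunks and should be confirmed. Since the described trigger is a signal that can be sent repeatedly, `WARN_ONCE(1, ...)` may be preferable to `WARN(1, ...)` to keep the log from being flooded.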
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6963,6 +6963,10 @@ static int nfs4_state_create_net(struct
+ INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]);
+ nn->conf_name_tree = RB_ROOT;
+ nn->unconf_name_tree = RB_ROOT;
++ nn->boot_time = get_seconds();
++ nn->grace_ended = false;
++ nn->nfsd4_manager.block_opens = true;
++ INIT_LIST_HEAD(&nn->nfsd4_manager.list);
+ INIT_LIST_HEAD(&nn->client_lru);
+ INIT_LIST_HEAD(&nn->close_lru);
+ INIT_LIST_HEAD(&nn->del_recall_lru);
+@@ -7022,9 +7026,6 @@ nfs4_state_start_net(struct net *net)
+ ret = nfs4_state_create_net(net);
+ if (ret)
+ return ret;
+- nn->boot_time = get_seconds();
+- nn->grace_ended = false;
+- nn->nfsd4_manager.block_opens = true;
+ locks_start_grace(net, &nn->nfsd4_manager);
+ nfsd4_client_tracking_init(net);
+ printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n",
diff --git a/patches.fixes/make-sure-that-__dentry_kill-always-invalidates-d_se.patch b/patches.fixes/make-sure-that-__dentry_kill-always-invalidates-d_se.patch
new file mode 100644
index 0000000000..96bc7d39f0
--- /dev/null
+++ b/patches.fixes/make-sure-that-__dentry_kill-always-invalidates-d_se.patch
@@ -0,0 +1,49 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 9 Aug 2018 10:15:54 -0400
+Subject: [PATCH] make sure that __dentry_kill() always invalidates d_seq,
+ unhashed or not
+Git-commit: 4c0d7cd5c8416b1ef41534d19163cb07ffaa03ab
+Patch-mainline: v4.18
+References: git-fixes
+
+RCU pathwalk relies upon the assumption that anything that changes
+->d_inode of a dentry will invalidate its ->d_seq. That's almost
+true - the one exception is that the final dput() of already unhashed
+dentry does *not* touch ->d_seq at all. Unhashing does, though,
+so for anything we'd found by RCU dcache lookup we are fine.
+Unfortunately, we can *start* with an unhashed dentry or jump into
+it.
+
+We could try and be careful in the (few) places where that could
+happen. Or we could just make the final dput() invalidate the damn
+thing, unhashed or not. The latter is much simpler and easier to
+backport, so let's do it that way.
+
+Reported-by: "Dae R. Jeong" <threeearcat@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/dcache.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -355,14 +355,11 @@ static void dentry_unlink_inode(struct d
+ __releases(dentry->d_inode->i_lock)
+ {
+ struct inode *inode = dentry->d_inode;
+- bool hashed = !d_unhashed(dentry);
+
+- if (hashed)
+- raw_write_seqcount_begin(&dentry->d_seq);
++ raw_write_seqcount_begin(&dentry->d_seq);
+ __d_clear_type_and_inode(dentry);
+ hlist_del_init(&dentry->d_u.d_alias);
+- if (hashed)
+- raw_write_seqcount_end(&dentry->d_seq);
++ raw_write_seqcount_end(&dentry->d_seq);
+ spin_unlock(&dentry->d_lock);
+ spin_unlock(&inode->i_lock);
+ if (!inode->i_nlink)
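Review bot: The now-unconditional `raw_write_seqcount_begin(&dentry->d_seq)` in dentry_unlink_inode() has no comment saying why unhashed dentries are included, and the removed `hashed` test looks like a reasonable optimisation that someone may later restore. I would add `/* invalidate ->d_seq even if unhashed: RCU pathwalk can start at, or jump into, an unhashed dentry */` above the begin call. The patch subject names __dentry_kill() while the change is in dentry_unlink_inode(), so the comment should sit with the code. The function continues past the end of the hunk.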
diff --git a/patches.fixes/md-fix-NULL-dereference-of-mddev-pers-in-remove_and_.patch b/patches.fixes/md-fix-NULL-dereference-of-mddev-pers-in-remove_and_.patch
new file mode 100644
index 0000000000..33a9f296a2
--- /dev/null
+++ b/patches.fixes/md-fix-NULL-dereference-of-mddev-pers-in-remove_and_.patch
@@ -0,0 +1,71 @@
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Fri, 4 May 2018 18:08:10 +0800
+Subject: [PATCH] md: fix NULL dereference of mddev->pers in
+ remove_and_add_spares()
+Git-commit: c42a0e2675721e1444f56e6132a07b7b1ec169ac
+Patch-mainline: v4.18
+References: git-fixes
+
+We met NULL pointer BUG as follow:
+
+[ 151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
+[ 151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0
+[ 151.762039] Oops: 0000 [#1] SMP PTI
+[ 151.762406] Modules linked in:
+[ 151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238
+[ 151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
+[ 151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0
+[ 151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246
+[ 151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000
+[ 151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000
+[ 151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051
+[ 151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600
+[ 151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000
+[ 151.769160] FS: 00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000
+[ 151.769971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0
+[ 151.771272] Call Trace:
+[ 151.771542] md_ioctl+0x1df2/0x1e10
+[ 151.771906] ? __switch_to+0x129/0x440
+[ 151.772295] ? __schedule+0x244/0x850
+[ 151.772672] blkdev_ioctl+0x4bd/0x970
+[ 151.773048] block_ioctl+0x39/0x40
+[ 151.773402] do_vfs_ioctl+0xa4/0x610
+[ 151.773770] ? dput.part.23+0x87/0x100
+[ 151.774151] ksys_ioctl+0x70/0x80
+[ 151.774493] __x64_sys_ioctl+0x16/0x20
+[ 151.774877] do_syscall_64+0x5b/0x180
+[ 151.775258] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+For raid6, when two disk of the array are offline, two spare disks can
+be added into the array. Before spare disks recovery completing,
+system reboot and mdadm thinks it is ok to restart the degraded
+array by md_ioctl(). Since disks in raid6 is not only_parity(),
+raid5_run() will abort, when there is no PPL feature or not setting
+'start_dirty_degraded' parameter. Therefore, mddev->pers is NULL.
+
+But, mddev->raid_disks has been set and it will not be cleared when
+raid5_run abort. md_ioctl() can execute cmd 'HOT_REMOVE_DISK' to
+remove a disk by mdadm, which will cause NULL pointer dereference
+in remove_and_add_spares() finally.
+
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/md.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6538,6 +6538,9 @@ static int hot_remove_disk(struct mddev
+ char b[BDEVNAME_SIZE];
+ struct md_rdev *rdev;
+
++ if (!mddev->pers)
++ return -ENODEV;
++
+ rdev = find_rdev(mddev, dev);
+ if (!rdev)
+ return -ENXIO;
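Review bot: The `if (!mddev->pers) return -ENODEV;` guard is added in hot_remove_disk(), while the oops in the description is inside remove_and_add_spares(), so only this one caller is protected. Any other path that reaches remove_and_add_spares() on an array whose run() aborted would still dereference a NULL `mddev->pers`. Those callers are not visible here, so they should be checked for an equivalent test. The new early return also has no comment; `/* array was never started (->run failed); nothing to remove from */` would explain the errno choice. The function continues outside the hunk.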
diff --git a/patches.fixes/md-raid1-add-error-handling-of-read-error-from-FailF.patch b/patches.fixes/md-raid1-add-error-handling-of-read-error-from-FailF.patch
new file mode 100644
index 0000000000..b5184c1d82
--- /dev/null
+++ b/patches.fixes/md-raid1-add-error-handling-of-read-error-from-FailF.patch
@@ -0,0 +1,37 @@
+From: Gioh Kim <gi-oh.kim@profitbricks.com>
+Date: Wed, 2 May 2018 13:08:11 +0200
+Subject: [PATCH] md/raid1: add error handling of read error from FailFast
+ device
+Git-commit: b33d10624fdc15cdf1495f3f00481afccec76783
+Patch-mainline: v4.18
+References: git-fixes
+
+Current handle_read_error() function calls fix_read_error()
+only if md device is RW and rdev does not include FailFast flag.
+It does not handle a read error from a RW device including
+FailFast flag.
+
+I am not sure it is intended. But I found that write IO error
+sets rdev faulty. The md module should handle the read IO error and
+write IO error equally. So I think read IO error should set rdev faulty.
+
+Signed-off-by: Gioh Kim <gi-oh.kim@profitbricks.com>
+Reviewed-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/raid1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2475,6 +2475,8 @@ static void handle_read_error(struct r1c
+ fix_read_error(conf, r1_bio->read_disk,
+ r1_bio->sector, r1_bio->sectors);
+ unfreeze_array(conf);
++ } else if (mddev->ro == 0 && test_bit(FailFast, &rdev->flags)) {
++ md_error(mddev, rdev);
+ } else {
+ r1_bio->bios[r1_bio->read_disk] = IO_BLOCKED;
+ }
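Review bot: The new branch in handle_read_error() repeats `mddev->ro == 0` and tests `FailFast` again. Going by the description, the preceding `if` (not visible in this hunk) is `mddev->ro == 0 && !test_bit(FailFast, ...)`, in which case the branch could be just `} else if (mddev->ro == 0) {`. If the longer form is kept for clarity, a short comment such as `/* FailFast device: do not attempt a fix, fail the rdev as a write error would */` would state the intent, which the author describes as uncertain. Whether md_error() declines to fail the last working mirror is not shown here and should be confirmed.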
diff --git a/patches.fixes/md-raid10-fix-that-replacement-cannot-complete-recov.patch b/patches.fixes/md-raid10-fix-that-replacement-cannot-complete-recov.patch
new file mode 100644
index 0000000000..a064e6228e
--- /dev/null
+++ b/patches.fixes/md-raid10-fix-that-replacement-cannot-complete-recov.patch
@@ -0,0 +1,53 @@
+From: BingJing Chang <bingjingc@synology.com>
+Date: Thu, 28 Jun 2018 18:40:11 +0800
+Subject: [PATCH] md/raid10: fix that replacement cannot complete recovery
+ after reassemble
+Git-commit: bda3153998f3eb2cafa4a6311971143628eacdbc
+Patch-mainline: v4.18
+References: git-fixes
+
+During assemble, the spare marked for replacement is not checked.
+conf->fullsync cannot be updated to be 1. As a result, recovery will
+treat it as a clean array. All recovering sectors are skipped. Original
+device is replaced with the not-recovered spare.
+
+mdadm -C /dev/md0 -l10 -n4 -pn2 /dev/loop[0123]
+mdadm /dev/md0 -a /dev/loop4
+mdadm /dev/md0 --replace /dev/loop0
+mdadm -S /dev/md0 # stop array during recovery
+
+mdadm -A /dev/md0 /dev/loop[01234]
+
+After reassemble, you can see recovery go on, but it completes
+immediately. In fact, recovery is not actually processed.
+
+To solve this problem, we just add the missing logics for replacment
+spares. (In raid1.c or raid5.c, they have already been checked.)
+
+Reported-by: Alex Chen <alexchen@synology.com>
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: Chung-Chiang Cheng <cccheng@synology.com>
+Signed-off-by: BingJing Chang <bingjingc@synology.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/raid10.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -3926,6 +3926,13 @@ static int raid10_run(struct mddev *mdde
+ disk->rdev->saved_raid_disk < 0)
+ conf->fullsync = 1;
+ }
++
++ if (disk->replacement &&
++ !test_bit(In_sync, &disk->replacement->flags) &&
++ disk->replacement->saved_raid_disk < 0) {
++ conf->fullsync = 1;
++ }
++
+ disk->recovery_disabled = mddev->recovery_disabled - 1;
+ }
+
diff --git a/patches.fixes/md-raid5-cache-disable-reshape-completely.patch b/patches.fixes/md-raid5-cache-disable-reshape-completely.patch
new file mode 100644
index 0000000000..6cb93b3f27
--- /dev/null
+++ b/patches.fixes/md-raid5-cache-disable-reshape-completely.patch
@@ -0,0 +1,66 @@
+From: Shaohua Li <shli@fb.com>
+Date: Wed, 29 Aug 2018 11:05:42 -0700
+Subject: [PATCH] md/raid5-cache: disable reshape completely
+Git-commit: e254de6bcf3f5b6e78a92ac95fb91acef8adfe1a
+Patch-mainline: v4.19
+References: git-fixes
+
+We don't support reshape yet if an array supports log device. Previously we
+determine the fact by checking ->log. However, ->log could be NULL after a log
+device is removed, but the array is still marked to support log device. Don't
+allow reshape in this case too. User can disable log device support by setting
+'consistency_policy' to 'resync' then do reshape.
+
+Reported-by: Xiao Ni <xni@redhat.com>
+Tested-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/raid5-log.h | 5 +++++
+ drivers/md/raid5.c | 6 +++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid5-log.h
++++ b/drivers/md/raid5-log.h
+@@ -44,6 +44,11 @@ extern int ppl_modify_log(struct r5conf
+ extern void ppl_quiesce(struct r5conf *conf, int quiesce);
+ extern int ppl_handle_flush_request(struct r5l_log *log, struct bio *bio);
+
++static inline bool raid5_has_log(struct r5conf *conf)
++{
++ return test_bit(MD_HAS_JOURNAL, &conf->mddev->flags);
++}
++
+ static inline bool raid5_has_ppl(struct r5conf *conf)
+ {
+ return test_bit(MD_HAS_PPL, &conf->mddev->flags);
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -736,7 +736,7 @@ static bool stripe_can_batch(struct stri
+ {
+ struct r5conf *conf = sh->raid_conf;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return false;
+ return test_bit(STRIPE_BATCH_READY, &sh->state) &&
+ !test_bit(STRIPE_BITMAP_PENDING, &sh->state) &&
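Review bot: The switch from `conf->log` to `raid5_has_log(conf)` in stripe_can_batch() is not covered by the commit description, which only discusses reshape. With this change, stripe batching stays disabled on an array that still has `MD_HAS_JOURNAL` set after its log device was removed, which is an I/O-path behaviour change and not only a reshape restriction. If that is intended, say so in the description or in a comment on `raid5_has_log()`, for example `/* true while the array is marked as journalled, even if conf->log is currently NULL */`. Otherwise keep `conf->log` here and use the helper only in raid5_resize() and check_reshape().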
+@@ -7731,7 +7731,7 @@ static int raid5_resize(struct mddev *md
+ sector_t newsize;
+ struct r5conf *conf = mddev->private;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return -EINVAL;
+ sectors &= ~((sector_t)conf->chunk_sectors - 1);
+ newsize = raid5_size(mddev, sectors, mddev->raid_disks);
+@@ -7782,7 +7782,7 @@ static int check_reshape(struct mddev *m
+ {
+ struct r5conf *conf = mddev->private;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return -EINVAL;
+ if (mddev->delta_disks == 0 &&
+ mddev->new_layout == mddev->layout &&
diff --git a/patches.fixes/md-raid5-fix-data-corruption-of-replacements-after-o.patch b/patches.fixes/md-raid5-fix-data-corruption-of-replacements-after-o.patch
new file mode 100644
index 0000000000..956bb99e51
--- /dev/null
+++ b/patches.fixes/md-raid5-fix-data-corruption-of-replacements-after-o.patch
@@ -0,0 +1,75 @@
+From: BingJing Chang <bingjingc@synology.com>
+Date: Wed, 1 Aug 2018 17:08:36 +0800
+Subject: [PATCH] md/raid5: fix data corruption of replacements after originals
+ dropped
+Git-commit: d63e2fc804c46e50eee825c5d3a7228e07048b47
+Patch-mainline: v4.19
+References: git-fixes
+
+During raid5 replacement, the stripes can be marked with R5_NeedReplace
+flag. Data can be read from being-replaced devices and written to
+replacing spares without reading all other devices. (It's 'replace'
+mode. s.replacing = 1) If a being-replaced device is dropped, the
+replacement progress will be interrupted and resumed with pure recovery
+mode. However, existing stripes before being interrupted cannot read
+from the dropped device anymore. It prints lots of WARN_ON messages.
+And it results in data corruption because existing stripes write
+problematic data into its replacement device and update the progress.
+
+\# Erase disks (1MB + 2GB)
+dd if=/dev/zero of=/dev/sda bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdb bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdc bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdd bs=1MB count=2049
+mdadm -C /dev/md0 -amd -R -l5 -n3 -x0 /dev/sd[abc] -z 2097152
+\# Ensure array stores non-zero data
+dd if=/root/data_4GB.iso of=/dev/md0 bs=1MB
+\# Start replacement
+mdadm /dev/md0 -a /dev/sdd
+mdadm /dev/md0 --replace /dev/sda
+
+Then, Hot-plug out /dev/sda during recovery, and wait for recovery done.
+echo check > /sys/block/md0/md/sync_action
+cat /sys/block/md0/md/mismatch_cnt # it will be greater than 0.
+
+Soon after you hot-plug out /dev/sda, you will see many WARN_ON
+messages. The replacement recovery will be interrupted shortly. After
+the recovery finishes, it will result in data corruption.
+
+Actually, it's just an unhandled case of replacement. In commit
+<f94c0b6658c7> (md/raid5: fix interaction of 'replace' and 'recovery'.),
+if a NeedReplace device is not UPTODATE then that is an error, the
+commit just simply print WARN_ON but also mark these corrupted stripes
+with R5_WantReplace. (it means it's ready for writes.)
+
+To fix this case, we can leverage 'sync and replace' mode mentioned in
+commit <9a3e1101b827> (md/raid5: detect and handle replacements during
+recovery.). We can add logics to detect and use 'sync and replace' mode
+for these stripes.
+
+Reported-by: Alex Chen <alexchen@synology.com>
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: Chung-Chiang Cheng <cccheng@synology.com>
+Signed-off-by: BingJing Chang <bingjingc@synology.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ drivers/md/raid5.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -4516,6 +4516,12 @@ static void analyse_stripe(struct stripe
+ s->failed++;
+ if (rdev && !test_bit(Faulty, &rdev->flags))
+ do_recovery = 1;
++ else if (!rdev) {
++ rdev = rcu_dereference(
++ conf->disks[i].replacement);
++ if (rdev && !test_bit(Faulty, &rdev->flags))
++ do_recovery = 1;
++ }
+ }
+
+ if (test_bit(R5_InJournal, &dev->flags))
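Review bot: The added `else if (!rdev)` branch in analyse_stripe has no comment saying why a missing original with a healthy replacement must force recovery, although that case is the whole data-corruption fix. I would add `/* original dropped mid-replace: fall back to 'sync and replace' so the spare is rebuilt from the other devices */` above `rdev = rcu_dereference(`. Kernel style also wants braces on the first branch once the `else` branch has them, i.e. `if (rdev && !test_bit(Faulty, &rdev->flags)) {`. The branch reuses `rdev` for the replacement, so any later use of `rdev` in the same iteration would see the spare; the loop body and its RCU read-side section lie outside the hunk and should be checked there.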
diff --git a/patches.fixes/pipe-match-pipe_max_size-data-type-with-procfs.patch b/patches.fixes/pipe-match-pipe_max_size-data-type-with-procfs.patch
new file mode 100644
index 0000000000..9fdb14d12b
--- /dev/null
+++ b/patches.fixes/pipe-match-pipe_max_size-data-type-with-procfs.patch
@@ -0,0 +1,107 @@
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Fri, 17 Nov 2017 15:29:17 -0800
+Subject: [PATCH] pipe: match pipe_max_size data type with procfs
+Git-commit: 98159d977f71c3b3dee898d1c34e56f520b094e7
+Patch-mainline: v4.15
+References: git-fixes
+
+Patch series "A few round_pipe_size() and pipe-max-size fixups", v3.
+
+While backporting Michael's "pipe: fix limit handling" patchset to a
+distro-kernel, Mikulas noticed that current upstream pipe limit handling
+contains a few problems:
+
+ 1 - procfs signed wrap: echo'ing a large number into
+ /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
+ negative value.
+
+ 2 - round_pipe_size() nr_pages overflow on 32bit: this would
+ subsequently try roundup_pow_of_two(0), which is undefined.
+
+ 3 - visible non-rounded pipe-max-size value: there is no mutual
+ exclusion or protection between the time pipe_max_size is assigned
+ a raw value from proc_dointvec_minmax() and when it is rounded.
+
+ 4 - unsigned long -> unsigned int conversion makes for potential odd
+ return errors from do_proc_douintvec_minmax_conv() and
+ do_proc_dopipe_max_size_conv().
+
+This version underwent the same testing as v1:
+https://marc.info/?l=linux-kernel&m=150643571406022&w=2
+
+This patch (of 4):
+
+pipe_max_size is defined as an unsigned int:
+
+ unsigned int pipe_max_size = 1048576;
+
+but its procfs/sysctl representation is an integer:
+
+ static struct ctl_table fs_table[] = {
+ ...
+ {
+ .procname = "pipe-max-size",
+ .data = &pipe_max_size,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &pipe_proc_fn,
+ .extra1 = &pipe_min_size,
+ },
+ ...
+
+that is signed:
+
+ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
+ size_t *lenp, loff_t *ppos)
+ {
+ ...
+ ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
+
+This leads to signed results via procfs for large values of pipe_max_size:
+
+ % echo 2147483647 >/proc/sys/fs/pipe-max-size
+ % cat /proc/sys/fs/pipe-max-size
+ -2147483648
+
+Use unsigned operations on this variable to avoid such negative values.
+
+Link: http://lkml.kernel.org/r/1507658689-11669-2-git-send-email-joe.lawrence@redhat.com
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/pipe.c | 2 +-
+ kernel/sysctl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -1125,7 +1125,7 @@ int pipe_proc_fn(struct ctl_table *table
+ {
+ int ret;
+
+- ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
++ ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
+ if (ret < 0 || !write)
+ return ret;
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1821,7 +1821,7 @@ static struct ctl_table fs_table[] = {
+ {
+ .procname = "pipe-max-size",
+ .data = &pipe_max_size,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(pipe_max_size),
+ .mode = 0644,
+ .proc_handler = &pipe_proc_fn,
+ .extra1 = &pipe_min_size,
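Review bot: With `proc_douintvec_minmax` in `pipe_proc_fn` the sysctl accepts the unsigned range rather than the signed one, and the `fs_table` entry shown sets only a lower bound through `.extra1`. If no `.extra2` follows outside the hunk, the only ceiling is whatever the rounding code after `if (ret < 0 || !write)` enforces. The description's own items 2 and 3 say that this rounding can overflow on 32-bit and that the raw value is briefly visible, so this patch looks safe only together with the later patches of the series; series.conf does order the round_pipe_size fix directly after it. A short comment on the table entry, such as `/* unsigned: handler and maxlen must match pipe_max_size's type */`, would keep the handler and the variable from drifting apart again. Both inner hunks cut through their enclosing definitions.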
diff --git a/patches.fixes/race-of-lockd-inetaddr-notifiers-vs-nlmsvc_rqst-chan.patch b/patches.fixes/race-of-lockd-inetaddr-notifiers-vs-nlmsvc_rqst-chan.patch
new file mode 100644
index 0000000000..e1ab63885f
--- /dev/null
+++ b/patches.fixes/race-of-lockd-inetaddr-notifiers-vs-nlmsvc_rqst-chan.patch
@@ -0,0 +1,96 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 10 Nov 2017 10:19:26 +0300
+Subject: [PATCH] race of lockd inetaddr notifiers vs nlmsvc_rqst change
+Git-commit: 6b18dd1c03e07262ea0866084856b2a3c5ba8d09
+Patch-mainline: v4.15
+References: git-fixes
+
+lockd_inet[6]addr_event use nlmsvc_rqst without taken nlmsvc_mutex,
+nlmsvc_rqst can be changed during execution of notifiers and crash the host.
+
+Patch enables access to nlmsvc_rqst only when it was correctly initialized
+and delays its cleanup until notifiers are no longer in use.
+
+Note that nlmsvc_rqst can be temporally set to ERR_PTR, so the "if
+(nlmsvc_rqst)" check in notifiers is insufficient on its own.
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Tested-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/lockd/svc.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -57,6 +57,9 @@ static struct task_struct *nlmsvc_task;
+ static struct svc_rqst *nlmsvc_rqst;
+ unsigned long nlmsvc_timeout;
+
++atomic_t nlm_ntf_refcnt = ATOMIC_INIT(0);
++DECLARE_WAIT_QUEUE_HEAD(nlm_ntf_wq);
++
+ unsigned int lockd_net_id;
+
+ /*
+@@ -292,7 +295,8 @@ static int lockd_inetaddr_event(struct n
+ struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
+ struct sockaddr_in sin;
+
+- if (event != NETDEV_DOWN)
++ if ((event != NETDEV_DOWN) ||
++ !atomic_inc_not_zero(&nlm_ntf_refcnt))
+ goto out;
+
+ if (nlmsvc_rqst) {
+@@ -303,6 +307,8 @@ static int lockd_inetaddr_event(struct n
+ svc_age_temp_xprts_now(nlmsvc_rqst->rq_server,
+ (struct sockaddr *)&sin);
+ }
++ atomic_dec(&nlm_ntf_refcnt);
++ wake_up(&nlm_ntf_wq);
+
+ out:
+ return NOTIFY_DONE;
+@@ -319,7 +325,8 @@ static int lockd_inet6addr_event(struct
+ struct inet6_ifaddr *ifa = (struct inet6_ifaddr *)ptr;
+ struct sockaddr_in6 sin6;
+
+- if (event != NETDEV_DOWN)
++ if ((event != NETDEV_DOWN) ||
++ !atomic_inc_not_zero(&nlm_ntf_refcnt))
+ goto out;
+
+ if (nlmsvc_rqst) {
+@@ -331,6 +338,8 @@ static int lockd_inet6addr_event(struct
+ svc_age_temp_xprts_now(nlmsvc_rqst->rq_server,
+ (struct sockaddr *)&sin6);
+ }
++ atomic_dec(&nlm_ntf_refcnt);
++ wake_up(&nlm_ntf_wq);
+
+ out:
+ return NOTIFY_DONE;
+@@ -347,10 +356,12 @@ static void lockd_unregister_notifiers(v
+ #if IS_ENABLED(CONFIG_IPV6)
+ unregister_inet6addr_notifier(&lockd_inet6addr_notifier);
+ #endif
++ wait_event(nlm_ntf_wq, atomic_read(&nlm_ntf_refcnt) == 0);
+ }
+
+ static void lockd_svc_exit_thread(void)
+ {
++ atomic_dec(&nlm_ntf_refcnt);
+ lockd_unregister_notifiers();
+ svc_exit_thread(nlmsvc_rqst);
+ }
+@@ -375,6 +386,7 @@ static int lockd_start_svc(struct svc_se
+ goto out_rqst;
+ }
+
++ atomic_inc(&nlm_ntf_refcnt);
+ svc_sock_update_bufs(serv);
+ serv->sv_maxconn = nlm_max_connections;
+
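Review bot: `nlm_ntf_refcnt` and `nlm_ntf_wq` are defined at file scope in fs/lockd/svc.c without `static`, which exports two generically named symbols kernel-wide although every use shown here is in this one file. Unless another translation unit needs them, they should read `static atomic_t nlm_ntf_refcnt = ATOMIC_INIT(0);` and `static DECLARE_WAIT_QUEUE_HEAD(nlm_ntf_wq);`. The counter also doubles as an "initialized" flag (the `atomic_inc` in `lockd_start_svc`, the matching `atomic_dec` in `lockd_svc_exit_thread`), and a comment at the definition should say so, for example `/* >0 only while nlmsvc_rqst is valid; notifiers hold a reference while using it */`. The error paths of `lockd_start_svc` are outside the hunk, so it is worth confirming there that `lockd_svc_exit_thread` is reached only after the increment.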
diff --git a/patches.fixes/vfs-fix-freeze-protection-in-mnt_want_write_file-for.patch b/patches.fixes/vfs-fix-freeze-protection-in-mnt_want_write_file-for.patch
new file mode 100644
index 0000000000..21df29be45
--- /dev/null
+++ b/patches.fixes/vfs-fix-freeze-protection-in-mnt_want_write_file-for.patch
@@ -0,0 +1,49 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 18 Jul 2018 15:44:43 +0200
+Subject: [PATCH] vfs: fix freeze protection in mnt_want_write_file() for
+ overlayfs
+Git-commit: a6795a585929d94ca3e931bc8518f8deb8bbe627
+Patch-mainline: v4.19
+References: git-fixes
+
+The underlying real file used by overlayfs still contains the overlay path.
+This results in mnt_want_write_file() calls by the filesystem getting
+freeze protection on the wrong inode (the overlayfs one instead of the real
+one).
+
+Fix by using file_inode(file)->i_sb instead of file->f_path.mnt->mnt_sb.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/namespace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -441,10 +441,10 @@ int mnt_want_write_file(struct file *fil
+ {
+ int ret;
+
+- sb_start_write(file->f_path.mnt->mnt_sb);
++ sb_start_write(file_inode(file)->i_sb);
+ ret = __mnt_want_write_file(file);
+ if (ret)
+- sb_end_write(file->f_path.mnt->mnt_sb);
++ sb_end_write(file_inode(file)->i_sb);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(mnt_want_write_file);
+@@ -486,7 +486,8 @@ void __mnt_drop_write_file(struct file *
+
+ void mnt_drop_write_file(struct file *file)
+ {
+- mnt_drop_write(file->f_path.mnt);
++ __mnt_drop_write_file(file);
++ sb_end_write(file_inode(file)->i_sb);
+ }
+ EXPORT_SYMBOL(mnt_drop_write_file);
+
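Review bot: `mnt_want_write_file` and `mnt_drop_write_file` now take and release freeze protection on `file_inode(file)->i_sb`, but nothing in the code says why the mount's superblock is no longer used. A comment above `sb_start_write`, such as `/* freeze-protect the inode's sb: an overlayfs real file still carries the overlay path in f_path */`, would stop a later cleanup from reverting it. The expression is evaluated separately for the start and the error-path end inside `mnt_want_write_file`; a local `struct super_block *sb = file_inode(file)->i_sb;` would make the pairing explicit. Any kernel-doc above these functions lies outside the hunk and may need the same wording.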
diff --git a/patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch b/patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch
index 1171350f17..98b98d5a82 100644
--- a/patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch
+++ b/patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch
@@ -95,7 +95,7 @@ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ unsigned int rounded_pipe_max_size;
int ret;
- ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
+ ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write)
return ret;
diff --git a/series.conf b/series.conf
index 718d10ac8b..592cbcb60e 100644
--- a/series.conf
+++ b/series.conf
@@ -8338,6 +8338,7 @@
patches.suse/0071-md-remove-redundant-variable-q.patch
patches.drivers/0005-md-cluster-update-document-for-raid10.patch
patches.suse/0072-md-don-t-check-MD_SB_CHANGE_CLEAN-in-md_allow_write.patch
+ patches.fixes/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch
patches.suse/0073-md-be-cautious-about-using-curr_resync_completed-for.patch
patches.suse/0074-md-bitmap-clear-BITMAP_WRITE_ERROR-bit-before-writin.patch
patches.suse/0075-md-release-allocated-bitset-sync_set.patch
@@ -10038,6 +10039,7 @@
patches.suse/0001-epoll-avoid-calling-ep_call_nested-from-ep_poll_safe.patch
patches.suse/0001-epoll-remove-ep_call_nested-from-ep_eventpoll_poll.patch
patches.fixes/0001-autofs-don-t-fail-mount-for-transient-error.patch
+ patches.fixes/pipe-match-pipe_max_size-data-type-with-procfs.patch
patches.suse/pipe-avoid-round_pipe_size-nr_pages-overflow-on-32-b.patch
patches.fixes/nilfs2-fix-race-condition-that-causes-file-system-co.patch
patches.fixes/nilfs2-remove-inode-i_version-initialization.patch
@@ -10261,6 +10263,8 @@
patches.suse/btrfs-incremental-send-fix-wrong-unlink-path-after-renaming-file.patch
patches.fixes/0004-lockd-lost-rollback-of-set_grace_period-in-lockd_dow.patch
patches.fixes/0005-nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs.patch
+ patches.fixes/race-of-lockd-inetaddr-notifiers-vs-nlmsvc_rqst-chan.patch
+ patches.fixes/lockd-fix-list_add-double-add-caused-by-legacy-signa.patch
patches.fixes/mm-memory_hotplug-do-not-back-off-draining-pcp-free-.patch
patches.fixes/mm-oom_reaper-gather-each-vma-to-prevent-leaking-TLB.patch
patches.fixes/mm-cma-fix-alloc_contig_range-ret-code-potential-lea.patch
@@ -12262,6 +12266,7 @@
patches.suse/mm-pin-address_space-before-dereferencing-it-while-isolating-an-LRU-page.patch
patches.fixes/mm-fadvise-discard-partial-page-if-endbyte-is-also-E.patch
patches.suse/mm-numa-do-not-trap-faults-on-shared-data-section-pages.patch
+ patches.fixes/VFS-close-race-between-getcwd-and-d_move.patch
patches.fixes/errseq-Add-to-documentation-tree.patch
patches.arch/s390-fix-handling-of-1-in-set-fs-id16-syscalls.patch
patches.fixes/0001-typec-tcpm-fusb302-Resolve-out-of-order-messaging-ev.patch
@@ -13798,6 +13803,8 @@
patches.drivers/ASoC-sgtl5000-Fix-suspend-resume
patches.drivers/ASoC-wm_adsp-For-TLV-controls-only-register-TLV-get-
patches.fixes/lock_parent-needs-to-recheck-if-dentry-got-__dentry_.patch
+ patches.fixes/fs-dcache-Avoid-livelock-between-d_alloc_parallel-an.patch
+ patches.fixes/fs-dcache-Use-READ_ONCE-when-accessing-i_dir_seq.patch
patches.fixes/0005-fs-Teach-path_connected-to-handle-nfs-filesystems-wi.patch
patches.drivers/drm-amdgpu-fix-prime-teardown-order
patches.drivers/drm-radeon-fix-prime-teardown-order
@@ -14966,6 +14973,7 @@
patches.suse/msft-hv-1652-x86-hyper-v-define-struct-hv_enlightened_vmcs-and-cl.patch
patches.suse/msft-hv-1653-x86-hyper-v-detect-nested-features.patch
patches.arch/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state
+ patches.fixes/getname_kernel-needs-to-make-sure-that-name-iname-in.patch
patches.suse/net-fool-proof-dev_valid_name.patch
patches.suse/ip_tunnel-better-validate-user-provided-tunnel-names.patch
patches.suse/ipv6-sit-better-validate-user-provided-tunnel-names.patch
@@ -15191,6 +15199,7 @@
patches.fixes/jffs2_kill_sb-deal-with-failed-allocations.patch
patches.fixes/orangefs_kill_sb-deal-with-allocation-failures.patch
patches.fixes/rpc_pipefs-fix-double-dput.patch
+ patches.fixes/Don-t-leak-MNT_INTERNAL-away-from-internal-mounts.patch
patches.drivers/ibmvnic-Define-vnic_login_client_data-name-field-as-.patch
patches.suse/tcp-md5-reject-TCP_MD5SIG-or-TCP_MD5SIG_EXT-on-estab.patch
patches.suse/net-validate-attribute-sizes-in-neigh_dump_table.patch
@@ -15216,6 +15225,7 @@
patches.suse/0219-md-raid1-exit-sync-request-if-MD_RECOVERY_INTR-is-se.patch
patches.suse/0220-raid1-copy-write-hint-from-master-bio-to-behind-bio.patch
patches.drivers/mmc-sdhci-pci-Only-do-AMD-tuning-for-HS200
+ patches.fixes/autofs-mount-point-create-should-honour-passed-in-mo.patch
patches.fixes/0001-kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch
patches.fixes/mm-filemap.c-fix-NULL-pointer-in-page_cache_tree_ins.patch
patches.drivers/0014-arm64-kasan-avoid-pfn_to_nid-before-page-array-is-in.patch
@@ -15707,6 +15717,7 @@
patches.suse/bpf-prevent-memory-disambiguation-attack.patch
patches.fixes/0001-iov_iter-fix-return-type-of-_pipe_get_pages.patch
patches.fixes/0002-iov_iter-fix-memory-leak-in-pipe_get_pages_alloc.patch
+ patches.fixes/do-d_instantiate-unlock_new_inode-combinations-safel.patch
patches.fixes/fs-don-t-scan-the-inode-cache-before-SB_BORN-is-set.patch
patches.fixes/affs_lookup-close-a-race-with-affs_remove_link.patch
patches.fixes/befs_lookup-use-d_splice_alias.patch
@@ -16470,6 +16481,8 @@
patches.drivers/iio-tsl2583-correct-values-in-integration_time_avail
patches.drivers/0001-raid10-check-bio-in-r10buf_pool_free-to-void-NULL-po.patch
patches.drivers/0001-md-fix-two-problems-with-setting-the-re-add-device-s.patch
+ patches.fixes/md-fix-NULL-dereference-of-mddev-pers-in-remove_and_.patch
+ patches.fixes/md-raid1-add-error-handling-of-read-error-from-FailF.patch
patches.drivers/clk-qcom-Base-rcg-parent-rate-off-plan-frequency
patches.drivers/clk-imx7d-fix-mipi-dphy-div-parent
patches.drivers/clk-mvebu-use-correct-bit-for-98DX3236-NAND
@@ -16678,7 +16691,6 @@
patches.drivers/backlight-max8925_bl-Fix-Device-Tree-node-lookup
patches.drivers/backlight-tps65217_bl-Fix-Device-Tree-node-lookup
patches.drivers/backlight-as3711_bl-Fix-Device-Tree-node-leaks
- patches.fixes/f2fs-call-unlock_new_inode-before-d_instantiate.patch
patches.fixes/watchdog-da9063-Fix-setting-changing-timeout.patch
patches.fixes/watchdog-da9063-Fix-updating-timeout-value.patch
patches.fixes/watchdog-da9063-Fix-timeout-handling-during-probe.patch
@@ -16936,6 +16948,7 @@
patches.drivers/qed-Fix-setting-of-incorrect-eswitch-mode.patch
patches.drivers/qed-Fix-use-of-incorrect-size-in-memcpy-call.patch
patches.drivers/qede-Adverstise-software-timestamp-caps-when-PHC-is-.patch
+ patches.fixes/md-raid10-fix-that-replacement-cannot-complete-recov.patch
patches.suse/userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch
patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
patches.drivers/0001-drm-udl-fix-display-corruption-of-the-last-line.patch
@@ -17011,6 +17024,7 @@
patches.drivers/IB-hfi1-Fix-incorrect-mixing-of-ERR_PTR-and-NULL-ret.patch
patches.drivers/RDMA-mlx5-Fix-memory-leak-in-mlx5_ib_create_srq-erro.patch
patches.drivers/i2c-tegra-Fix-NACK-error-handling
+ patches.fixes/autofs-fix-slab-out-of-bounds-read-in-getname_kernel.patch
patches.fixes/reiserfs-fix-buffer-overflow-with-long-warning-messa.patch
patches.arch/ARM-pxa-irq-fix-handling-of-ICMR-registers-in-suspen.patch
patches.arch/ARM-DRA7-OMAP5-Enable-ACTLR-0-Enable-invalidates-of-.patch
@@ -17254,6 +17268,7 @@
patches.fixes/root-dentries-need-RCU-delayed-freeing.patch
patches.fixes/fix-mntputmntput-race.patch
patches.fixes/fix-__legitimize_mntmntput-race.patch
+ patches.fixes/make-sure-that-__dentry_kill-always-invalidates-d_se.patch
patches.fixes/init-rename-and-re-order-boot_cpu_state_init.patch
patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch
patches.fixes/debugobjects-Make-stack-check-warning-more-informati.patch
@@ -17410,6 +17425,7 @@
patches.suse/0001-md-cluster-clear-another-node-s-suspend_area-after-t.patch
patches.suse/0002-md-cluster-show-array-s-status-more-accurate.patch
patches.suse/0003-md-cluster-don-t-send-msg-if-array-is-closing.patch
+ patches.fixes/md-raid5-fix-data-corruption-of-replacements-after-o.patch
patches.arch/0001-x86-init-fix-build-with-CONFIG_SWAP-n.patch
patches.drivers/spi-cadence-Change-usleep_range-to-udelay-for-atomic.patch
patches.drivers/spi-davinci-fix-a-NULL-pointer-dereference.patch
@@ -17736,6 +17752,7 @@
patches.drivers/IB-mlx4-Use-4K-pages-for-kernel-QP-s-WQE-buffer.patch
patches.drivers/IB-IPoIB-Set-ah-valid-flag-in-multicast-send-flow.patch
patches.fixes/dax-remove-VM_MIXEDMAP-for-fsdax-and-device-dax.patch
+ patches.fixes/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_.patch
patches.suse/mm-page_alloc-double-zone-s-batchsize.patch
patches.fixes/net-9p-fix-error-path-of-p9_virtio_probe.patch
patches.fixes/net-9p-client.c-version-pointer-uninitialized.patch
@@ -17863,6 +17880,7 @@
patches.drivers/power-generic-adc-battery-fix-out-of-bounds-write-wh
patches.drivers/power-generic-adc-battery-check-for-duplicate-proper
patches.drivers/power-supply-max77693_charger-fix-unintentional-fall
+ patches.fixes/vfs-fix-freeze-protection-in-mnt_want_write_file-for.patch
patches.fixes/fuse-fix-double-request_end.patch
patches.fixes/fuse-fix-unlocked-access-to-processing-queue.patch
patches.fixes/fuse-umount-should-wait-for-all-requests.patch
@@ -17872,6 +17890,7 @@
patches.fixes/fuse-Add-missed-unlock_page-to-fuse_readpages_fill.patch
patches.drivers/PM-sleep-wakeup-Fix-build-error-caused-by-missing-SR
patches.suse/0001-ACPICA-Reference-Counts-increase-max-to-0x4000-for-l.patch
+ patches.fixes/autofs-fix-autofs_sbi-does-not-check-super-block-typ.patch
patches.fixes/lib-test_hexdump.c-fix-failure-on-big-endian-cpu.patch
patches.fixes/hfsplus-don-t-return-0-when-fill_super-failed.patch
patches.fixes/reiserfs-fix-broken-xattr-handling-heap-corruption-b.patch
@@ -18045,6 +18064,8 @@
patches.drivers/ALSA-hda-Fix-cancel_work_sync-stall-from-jackpoll-wo.patch
patches.arch/acpi-bus-only-call-dmi_check_system-on-x86.patch
patches.fixes/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch
+ patches.fixes/md-raid5-cache-disable-reshape-completely.patch
+ patches.fixes/RAID10-BUG_ON-in-raise_barrier-when-force-is-true-an.patch
patches.suse/0001-md-cluster-release-RESYNC-lock-after-the-last-resync.patch
patches.drivers/i2c-uniphier-issue-STOP-only-for-last-message-or-I2C.patch
patches.drivers/i2c-uniphier-f-issue-STOP-only-for-last-message-or-I.patch
@@ -18326,6 +18347,7 @@
patches.fixes/nvdimm-split-label-init-out-from-the-logic-for-getting-config-data.patch
patches.fixes/nvdimm-use-namespace-index-data-to-reduce-number-of-label-reads-needed.patch
patches.fixes/libnvdimm-label-fix-sparse-warning.patch
+ patches.drivers/edac-raise-the-maximum-number-of-memory-controllers.patch
patches.drivers/PCI-ASPM-Fix-link_state-teardown-on-device-removal.patch
patches.drivers/scsi-qla2xxx-Fix-process-response-queue-for-ISP26XX-.patch
patches.drivers/scsi-qla2xxx-Fix-incorrect-port-speed-being-set-for-.patch