Merge 4.4.231 into android-4.4-p

Changes in 4.4.231
	KVM: s390: reduce number of IO pins to 1
	spi: spidev: fix a race between spidev_release and spidev_remove
	spi: spidev: fix a potential use-after-free in spidev_release()
	scsi: mptscsih: Fix read sense data size
	net: cxgb4: fix return error value in t4_prep_fw
	smsc95xx: check return value of smsc95xx_reset
	smsc95xx: avoid memory leak in smsc95xx_bind
	ALSA: compress: fix partial_drain completion state
	arm64: kgdb: Fix single-step exception handling oops
	ALSA: opl3: fix infoleak in opl3
	ALSA: hda - let hs_mic be picked ahead of hp_mic
	ALSA: usb-audio: add quirk for MacroSilicon MS2109
	KVM: x86: bit 8 of non-leaf PDPEs is not reserved
	Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb"
	btrfs: fix fatal extent_buffer readahead vs releasepage race
	drm/radeon: fix double free
	ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE
	ARC: elf: use right ELF_ARCH
	bnxt_en: fix NULL dereference in case SR-IOV configuration fails
	ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg
	l2tp: remove skb_dst_set() from l2tp_xmit_skb()
	llc: make sure applications use ARPHRD_ETHER
	net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb
	genetlink: remove genl_bind
	tcp: make sure listeners don't initialize congestion-control state
	tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()
	tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers
	tcp: md5: allow changing MD5 keys in all socket states
	i2c: eg20t: Load module automatically if ID matches
	Revert "usb/ehci-platform: Set PM runtime as active on resume"
	Revert "usb/xhci-plat: Set PM runtime as active on resume"
	Revert "usb/ohci-platform: Fix a warning when hibernating"
	usb: gadget: udc: atmel: fix uninitialized read in debug printk
	staging: comedi: verify array index is correct before using it
	perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode
	mtd: rawnand: brcmnand: fix CS0 layout
	HID: magicmouse: do not set up autorepeat
	usb: core: Add a helper function to check the validity of EP type in URB
	ALSA: line6: Perform sanity check for each URB creation
	ALSA: usb-audio: Fix race against the error recovery URB submission
	USB: c67x00: fix use after free in c67x00_giveback_urb
	usb: chipidea: core: add wakeup support for extcon
	usb: gadget: function: fix missing spinlock in f_uac1_legacy
	USB: serial: iuu_phoenix: fix memory corruption
	USB: serial: cypress_m8: enable Simply Automated UPB PIM
	USB: serial: ch341: add new Product ID for CH340
	USB: serial: option: add GosunCn GM500 series
	USB: serial: option: add Quectel EG95 LTE modem
	virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial
	fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS
	mei: bus: don't clean driver pointer
	Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list
	uio_pdrv_genirq: fix use without device tree and no interrupt
	MIPS: Fix build for LTS kernel caused by backporting lpj adjustment
	hwmon: (emc2103) fix unable to change fan pwm1_enable attribute
	dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler
	misc: atmel-ssc: lock with mutex instead of spinlock
	sched/fair: handle case of task_h_load() returning 0
	Linux 4.4.231

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ibbd0a09b0d8d49101c674cf304c3df711e940b77

1 files changed, 24 insertions, 16 deletions

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 2c86c472f670..42b7409d4cc5 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -4861,25 +4861,28 @@ err:
 static void check_buffer_tree_ref(struct extent_buffer *eb)
 {
 	int refs;
-	/* the ref bit is tricky.  We have to make sure it is set
-	 * if we have the buffer dirty.   Otherwise the
-	 * code to free a buffer can end up dropping a dirty
-	 * page
+	/*
+	 * The TREE_REF bit is first set when the extent_buffer is added
+	 * to the radix tree. It is also reset, if unset, when a new reference
+	 * is created by find_extent_buffer.
 	 *
-	 * Once the ref bit is set, it won't go away while the
-	 * buffer is dirty or in writeback, and it also won't
-	 * go away while we have the reference count on the
-	 * eb bumped.
+	 * It is only cleared in two cases: freeing the last non-tree
+	 * reference to the extent_buffer when its STALE bit is set or
+	 * calling releasepage when the tree reference is the only reference.
 	 *
-	 * We can't just set the ref bit without bumping the
-	 * ref on the eb because free_extent_buffer might
-	 * see the ref bit and try to clear it.  If this happens
-	 * free_extent_buffer might end up dropping our original
-	 * ref by mistake and freeing the page before we are able
-	 * to add one more ref.
+	 * In both cases, care is taken to ensure that the extent_buffer's
+	 * pages are not under io. However, releasepage can be concurrently
+	 * called with creating new references, which is prone to race
+	 * conditions between the calls to check_buffer_tree_ref in those
+	 * codepaths and clearing TREE_REF in try_release_extent_buffer.
 	 *
-	 * So bump the ref count first, then set the bit.  If someone
-	 * beat us to it, drop the ref we added.
+	 * The actual lifetime of the extent_buffer in the radix tree is
+	 * adequately protected by the refcount, but the TREE_REF bit and
+	 * its corresponding reference are not. To protect against this
+	 * class of races, we call check_buffer_tree_ref from the codepaths
+	 * which trigger io after they set eb->io_pages. Note that once io is
+	 * initiated, TREE_REF can no longer be cleared, so that is the
+	 * moment at which any such race is best fixed.
 	 */
 	refs = atomic_read(&eb->refs);
 	if (refs >= 2 && test_bit(EXTENT_BUFFER_TREE_REF, &eb->bflags))
@@ -5346,6 +5349,11 @@ int read_extent_buffer_pages(struct extent_io_tree *tree,
 	clear_bit(EXTENT_BUFFER_READ_ERR, &eb->bflags);
 	eb->read_mirror = 0;
 	atomic_set(&eb->io_pages, num_reads);
+	/*
+	 * It is possible for releasepage to clear the TREE_REF bit before we
+	 * set io_pages. See check_buffer_tree_ref for a more detailed comment.
+	 */
+	check_buffer_tree_ref(eb);
 	for (i = start_i; i < num_pages; i++) {
 		page = eb->pages[i];
 		if (!PageUptodate(page)) {