3.13-stable patches

added patches:
	bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch

diff --git a/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch b/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
new file mode 100644 (file)
index 0000000..dddd47c
--- /dev/null
+++ b/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
@@ -0,0 +1,64 @@
+From 947174476701fbc84ea8c7ec9664270f9d80b076 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 28 Jan 2014 16:57:39 -0800
+Subject: bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 947174476701fbc84ea8c7ec9664270f9d80b076 upstream.
+
+The BUG_ON at the end of __bch_btree_mark_key can be triggered due to
+an integer overflow error:
+
+BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, 13);
+...
+SET_GC_SECTORS_USED(g, min_t(unsigned,
+            GC_SECTORS_USED(g) + KEY_SIZE(k),
+            (1 << 14) - 1));
+BUG_ON(!GC_SECTORS_USED(g));
+
+In bcache.h, the SECTORS_USED bitfield is defined to be 13 bits wide.
+While the SET_ code tries to ensure that the field doesn't overflow by
+clamping it to (1<<14)-1 == 16383, this is incorrect because 16383
+requires 14 bits.  Therefore, if GC_SECTORS_USED() + KEY_SIZE() =
+8192, the SET_ statement tries to store 8192 into a 13-bit field.  In
+a 13-bit field, 8192 becomes zero, thus triggering the BUG_ON.
+
+Therefore, create a field width constant and a max value constant, and
+use those to create the bitfield and check the inputs to
+SET_GC_SECTORS_USED.  Arguably the BITMASK() template ought to have
+BUG_ON checks for too-large values, but that's a separate patch.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bcache.h |    4 +++-
+ drivers/md/bcache/btree.c  |    2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -209,7 +209,9 @@ BITMASK(GC_MARK,    struct bucket, gc_mark
+ #define GC_MARK_RECLAIMABLE   0
+ #define GC_MARK_DIRTY         1
+ #define GC_MARK_METADATA      2
+-BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, 13);
++#define GC_SECTORS_USED_SIZE  13
++#define MAX_GC_SECTORS_USED   (~(~0ULL << GC_SECTORS_USED_SIZE))
++BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, GC_SECTORS_USED_SIZE);
+ BITMASK(GC_MOVE, struct bucket, gc_mark, 15, 1);
+ 
+ #include "journal.h"
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1163,7 +1163,7 @@ uint8_t __bch_btree_mark_key(struct cach
+               /* guard against overflow */
+               SET_GC_SECTORS_USED(g, min_t(unsigned,
+                                            GC_SECTORS_USED(g) + KEY_SIZE(k),
+-                                           (1 << 14) - 1));
++                                           MAX_GC_SECTORS_USED));
+ 
+               BUG_ON(!GC_SECTORS_USED(g));
+       }

diff --git a/queue-3.13/series b/queue-3.13/series
index fe03e66a16fac3f6fb2f508eb35cc378bf0eb224..3e688c15d40e24ac075306c2267ff854ed035a79 100644 (file)
--- a/queue-3.13/series
+++ b/queue-3.13/series
@@ -36,3 +36,4 @@ pinctrl-imx27-fix-wrong-offset-to-iconfb.patch
 pinctrl-imx27-fix-offset-calculation-in-imx_read_2bit.patch
 pinctrl-vt8500-change-devicetree-data-parsing.patch
 pinctrl-protect-pinctrl_list-add.patch
+bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch