--- /dev/null
+From 573a075567f0174551e2fad2a3164afd2af788f2 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Thu, 27 Mar 2014 19:41:34 -0400
+Subject: Btrfs: check for an extent_op on the locked ref
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 573a075567f0174551e2fad2a3164afd2af788f2 upstream.
+
+We could have possibly added an extent_op to the locked_ref while we dropped
+locked_ref->lock, so check for this case as well and loop around. Otherwise we
+could lose flag updates which would lead to extent tree corruption. Thanks,
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2444,7 +2444,8 @@ static noinline int __btrfs_run_delayed_
+ spin_unlock(&locked_ref->lock);
+ spin_lock(&delayed_refs->lock);
+ spin_lock(&locked_ref->lock);
+- if (rb_first(&locked_ref->ref_root)) {
++ if (rb_first(&locked_ref->ref_root) ||
++ locked_ref->extent_op) {
+ spin_unlock(&locked_ref->lock);
+ spin_unlock(&delayed_refs->lock);
+ continue;
--- /dev/null
+From 3bbb24b20a8800158c33eca8564f432dd14d0bf3 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Thu, 6 Mar 2014 19:01:07 -0500
+Subject: Btrfs: fix deadlock with nested trans handles
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 3bbb24b20a8800158c33eca8564f432dd14d0bf3 upstream.
+
+Zach found this deadlock that would happen like this
+
+btrfs_end_transaction <- reduce trans->use_count to 0
+ btrfs_run_delayed_refs
+ btrfs_cow_block
+ find_free_extent
+ btrfs_start_transaction <- increase trans->use_count to 1
+ allocate chunk
+ btrfs_end_transaction <- decrease trans->use_count to 0
+ btrfs_run_delayed_refs
+ lock tree block we are cowing above ^^
+
+We need to only decrease trans->use_count if it is above 1, otherwise leave it
+alone. This will make nested trans be the only ones who decrease their added
+ref, and will let us get rid of the trans->use_count++ hack if we have to commit
+the transaction. Thanks,
+
+Reported-by: Zach Brown <zab@redhat.com>
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Tested-by: Zach Brown <zab@redhat.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/transaction.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -683,7 +683,8 @@ static int __btrfs_end_transaction(struc
+ int lock = (trans->type != TRANS_JOIN_NOLOCK);
+ int err = 0;
+
+- if (--trans->use_count) {
++ if (trans->use_count > 1) {
++ trans->use_count--;
+ trans->block_rsv = trans->orig_rsv;
+ return 0;
+ }
+@@ -731,17 +732,10 @@ static int __btrfs_end_transaction(struc
+ }
+
+ if (lock && ACCESS_ONCE(cur_trans->state) == TRANS_STATE_BLOCKED) {
+- if (throttle) {
+- /*
+- * We may race with somebody else here so end up having
+- * to call end_transaction on ourselves again, so inc
+- * our use_count.
+- */
+- trans->use_count++;
++ if (throttle)
+ return btrfs_commit_transaction(trans, root);
+- } else {
++ else
+ wake_up_process(info->transaction_kthread);
+- }
+ }
+
+ if (trans->type & __TRANS_FREEZABLE)
--- /dev/null
+From ce37c42919608e96ade3748fe23c3062a0a966c5 Mon Sep 17 00:00:00 2001
+From: Eric Whitney <enwlinux@gmail.com>
+Date: Wed, 19 Feb 2014 18:52:39 -0500
+Subject: ext4: fix error return from ext4_ext_handle_uninitialized_extents()
+
+From: Eric Whitney <enwlinux@gmail.com>
+
+commit ce37c42919608e96ade3748fe23c3062a0a966c5 upstream.
+
+Commit 3779473246 breaks the return of error codes from
+ext4_ext_handle_uninitialized_extents() in ext4_ext_map_blocks(). A
+portion of the patch assigns that function's signed integer return
+value to an unsigned int. Consequently, negatively valued error codes
+are lost and can be treated as a bogus allocated block count.
+
+Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4128,7 +4128,7 @@ int ext4_ext_map_blocks(handle_t *handle
+ struct ext4_extent newex, *ex, *ex2;
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ ext4_fsblk_t newblock = 0;
+- int free_on_err = 0, err = 0, depth;
++ int free_on_err = 0, err = 0, depth, ret;
+ unsigned int allocated = 0, offset = 0;
+ unsigned int allocated_clusters = 0;
+ struct ext4_allocation_request ar;
+@@ -4189,9 +4189,13 @@ int ext4_ext_map_blocks(handle_t *handle
+ if (!ext4_ext_is_uninitialized(ex))
+ goto out;
+
+- allocated = ext4_ext_handle_uninitialized_extents(
++ ret = ext4_ext_handle_uninitialized_extents(
+ handle, inode, map, path, flags,
+ allocated, newblock);
++ if (ret < 0)
++ err = ret;
++ else
++ allocated = ret;
+ goto out3;
+ }
+ }
--- /dev/null
+From c06344939422bbd032ac967223a7863de57496b5 Mon Sep 17 00:00:00 2001
+From: Eric Whitney <enwlinux@gmail.com>
+Date: Thu, 13 Mar 2014 23:34:16 -0400
+Subject: ext4: fix partial cluster handling for bigalloc file systems
+
+From: Eric Whitney <enwlinux@gmail.com>
+
+commit c06344939422bbd032ac967223a7863de57496b5 upstream.
+
+Commit 9cb00419fa, which enables hole punching for bigalloc file
+systems, exposed a bug introduced by commit 6ae06ff51e in an earlier
+release. When run on a bigalloc file system, xfstests generic/013, 068,
+075, 083, 091, 100, 112, 127, 263, 269, and 270 fail with e2fsck errors
+or cause kernel error messages indicating that previously freed blocks
+are being freed again.
+
+The latter commit optimizes the selection of the starting extent in
+ext4_ext_rm_leaf() when hole punching by beginning with the extent
+supplied in the path argument rather than with the last extent in the
+leaf node (as is still done when truncating). However, the code in
+rm_leaf that initially sets partial_cluster to track cluster sharing on
+extent boundaries is only guaranteed to run if rm_leaf starts with the
+last node in the leaf. Consequently, partial_cluster is not correctly
+initialized when hole punching, and a cluster on the boundary of a
+punched region that should be retained may instead be deallocated.
+
+Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -2585,6 +2585,27 @@ ext4_ext_rm_leaf(handle_t *handle, struc
+ ex_ee_block = le32_to_cpu(ex->ee_block);
+ ex_ee_len = ext4_ext_get_actual_len(ex);
+
++ /*
++ * If we're starting with an extent other than the last one in the
++ * node, we need to see if it shares a cluster with the extent to
++ * the right (towards the end of the file). If its leftmost cluster
++ * is this extent's rightmost cluster and it is not cluster aligned,
++ * we'll mark it as a partial that is not to be deallocated.
++ */
++
++ if (ex != EXT_LAST_EXTENT(eh)) {
++ ext4_fsblk_t current_pblk, right_pblk;
++ long long current_cluster, right_cluster;
++
++ current_pblk = ext4_ext_pblock(ex) + ex_ee_len - 1;
++ current_cluster = (long long)EXT4_B2C(sbi, current_pblk);
++ right_pblk = ext4_ext_pblock(ex + 1);
++ right_cluster = (long long)EXT4_B2C(sbi, right_pblk);
++ if (current_cluster == right_cluster &&
++ EXT4_PBLK_COFF(sbi, right_pblk))
++ *partial_cluster = -right_cluster;
++ }
++
+ trace_ext4_ext_rm_leaf(inode, start, ex, *partial_cluster);
+
+ while (ex >= EXT_FIRST_EXTENT(eh) &&
--- /dev/null
+From ad6599ab3ac98a4474544086e048ce86ec15a4d1 Mon Sep 17 00:00:00 2001
+From: Eric Whitney <enwlinux@gmail.com>
+Date: Tue, 1 Apr 2014 19:49:30 -0400
+Subject: ext4: fix premature freeing of partial clusters split across leaf blocks
+
+From: Eric Whitney <enwlinux@gmail.com>
+
+commit ad6599ab3ac98a4474544086e048ce86ec15a4d1 upstream.
+
+Xfstests generic/311 and shared/298 fail when run on a bigalloc file
+system. Kernel error messages produced during the tests report that
+blocks to be freed are already on the to-be-freed list. When e2fsck
+is run at the end of the tests, it typically reports bad i_blocks and
+bad free blocks counts.
+
+The bug that causes these failures is located in ext4_ext_rm_leaf().
+Code at the end of the function frees a partial cluster if it's not
+shared with an extent remaining in the leaf. However, if all the
+extents in the leaf have been removed, the code dereferences an
+invalid extent pointer (off the front of the leaf) when the check for
+sharing is made. This generally has the effect of unconditionally
+freeing the partial cluster, which leads to the observed failures
+when the partial cluster is shared with the last extent in the next
+leaf.
+
+Fix this by attempting to free the cluster only if extents remain in
+the leaf. Any remaining partial cluster will be freed if possible
+when the next leaf is processed or when leaf removal is complete.
+
+Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -2731,10 +2731,15 @@ ext4_ext_rm_leaf(handle_t *handle, struc
+ err = ext4_ext_correct_indexes(handle, inode, path);
+
+ /*
+- * Free the partial cluster only if the current extent does not
+- * reference it. Otherwise we might free used cluster.
++ * If there's a partial cluster and at least one extent remains in
++ * the leaf, free the partial cluster if it isn't shared with the
++ * current extent. If there's a partial cluster and no extents
++ * remain in the leaf, it can't be freed here. It can only be
++ * freed when it's possible to determine if it's not shared with
++ * any other extent - when the next leaf is processed or when space
++ * removal is complete.
+ */
+- if (*partial_cluster > 0 &&
++ if (*partial_cluster > 0 && eh->eh_entries &&
+ (EXT4_B2C(sbi, ext4_ext_pblock(ex) + ex_ee_len - 1) !=
+ *partial_cluster)) {
+ int flags = get_default_free_blocks_flags(inode);
--- /dev/null
+From 47ba9734403770a4c5e685b01f0a72b835dd4fff Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 14 Feb 2014 12:05:49 +0300
+Subject: fs: NULL dereference in posix_acl_to_xattr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 47ba9734403770a4c5e685b01f0a72b835dd4fff upstream.
+
+This patch moves the dereference of "buffer" after the check for NULL.
+The only place which passes a NULL parameter is gfs2_set_acl().
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/posix_acl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -723,7 +723,7 @@ posix_acl_to_xattr(struct user_namespace
+ void *buffer, size_t size)
+ {
+ posix_acl_xattr_header *ext_acl = (posix_acl_xattr_header *)buffer;
+- posix_acl_xattr_entry *ext_entry = ext_acl->a_entries;
++ posix_acl_xattr_entry *ext_entry;
+ int real_size, n;
+
+ real_size = posix_acl_xattr_size(acl->a_count);
+@@ -731,7 +731,8 @@ posix_acl_to_xattr(struct user_namespace
+ return real_size;
+ if (real_size > size)
+ return -ERANGE;
+-
++
++ ext_entry = ext_acl->a_entries;
+ ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION);
+
+ for (n=0; n < acl->a_count; n++, ext_entry++) {
--- /dev/null
+From 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizefan@huawei.com>
+Date: Wed, 12 Feb 2014 12:44:56 -0800
+Subject: jffs2: avoid soft-lockup in jffs2_reserve_space_gc()
+
+From: Li Zefan <lizefan@huawei.com>
+
+commit 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 upstream.
+
+We triggered soft-lockup under stress test on 2.6.34 kernel.
+
+BUG: soft lockup - CPU#1 stuck for 60009ms! [lockf2.test:14488]
+...
+[<bf09a4d4>] (jffs2_do_reserve_space+0x420/0x440 [jffs2])
+[<bf09a528>] (jffs2_reserve_space_gc+0x34/0x78 [jffs2])
+[<bf0a1350>] (jffs2_garbage_collect_dnode.isra.3+0x264/0x478 [jffs2])
+[<bf0a2078>] (jffs2_garbage_collect_pass+0x9c0/0xe4c [jffs2])
+[<bf09a670>] (jffs2_reserve_space+0x104/0x2a8 [jffs2])
+[<bf09dc48>] (jffs2_write_inode_range+0x5c/0x4d4 [jffs2])
+[<bf097d8c>] (jffs2_write_end+0x198/0x2c0 [jffs2])
+[<c00e00a4>] (generic_file_buffered_write+0x158/0x200)
+[<c00e14f4>] (__generic_file_aio_write+0x3a4/0x414)
+[<c00e15c0>] (generic_file_aio_write+0x5c/0xbc)
+[<c012334c>] (do_sync_write+0x98/0xd4)
+[<c0123a84>] (vfs_write+0xa8/0x150)
+[<c0123d74>] (sys_write+0x3c/0xc0)]
+
+Fix this by adding a cond_resched() in the while loop.
+
+[akpm@linux-foundation.org: don't initialize `ret']
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/nodemgmt.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/jffs2/nodemgmt.c
++++ b/fs/jffs2/nodemgmt.c
+@@ -211,20 +211,25 @@ out:
+ int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize,
+ uint32_t *len, uint32_t sumsize)
+ {
+- int ret = -EAGAIN;
++ int ret;
+ minsize = PAD(minsize);
+
+ jffs2_dbg(1, "%s(): Requested 0x%x bytes\n", __func__, minsize);
+
+- spin_lock(&c->erase_completion_lock);
+- while(ret == -EAGAIN) {
++ while (true) {
++ spin_lock(&c->erase_completion_lock);
+ ret = jffs2_do_reserve_space(c, minsize, len, sumsize);
+ if (ret) {
+ jffs2_dbg(1, "%s(): looping, ret is %d\n",
+ __func__, ret);
+ }
++ spin_unlock(&c->erase_completion_lock);
++
++ if (ret == -EAGAIN)
++ cond_resched();
++ else
++ break;
+ }
+- spin_unlock(&c->erase_completion_lock);
+ if (!ret)
+ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
+
--- /dev/null
+From 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 Mon Sep 17 00:00:00 2001
+From: Ajesh Kunhipurayil Vijayan <ajesh@broadcom.com>
+Date: Mon, 6 Jan 2014 19:06:55 +0530
+Subject: jffs2: Fix crash due to truncation of csize
+
+From: Ajesh Kunhipurayil Vijayan <ajesh@broadcom.com>
+
+commit 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 upstream.
+
+mounting JFFS2 partition sometimes crashes with this call trace:
+
+[ 1322.240000] Kernel bug detected[#1]:
+[ 1322.244000] Cpu 2
+[ 1322.244000] $ 0 : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001
+[ 1322.252000] $ 4 : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000
+[ 1322.260000] $ 8 : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8
+[ 1322.268000] $12 : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e
+[ 1322.276000] $16 : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000
+[ 1322.284000] $20 : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0
+[ 1322.292000] $24 : 0000000000000004 0000000000000000
+[ 1322.300000] $28 : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0
+[ 1322.308000] Hi : 000000000000023c
+[ 1322.312000] Lo : 000000000003f802
+[ 1322.316000] epc : ffffffffc039a9f8 check_tn_node+0x88/0x3b0
+[ 1322.320000] Not tainted
+[ 1322.324000] ra : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48
+[ 1322.332000] Status: 5400f8e3 KX SX UX KERNEL EXL IE
+[ 1322.336000] Cause : 00800034
+[ 1322.340000] PrId : 000c1004 (Netlogic XLP)
+[ 1322.344000] Modules linked in:
+[ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000)
+[ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000
+ c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc
+ c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000
+ 0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180
+ 0000008600000000 0000000000000000 0000000000000000 0000000000000000
+ 0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000
+ 0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00
+ c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0
+ 0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90
+ 0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c
+ ...
+[ 1322.424000] Call Trace:
+[ 1322.428000] [<ffffffffc039a9f8>] check_tn_node+0x88/0x3b0
+[ 1322.432000] [<ffffffffc039c0b0>] jffs2_do_read_inode_internal+0x1250/0x1e48
+[ 1322.440000] [<ffffffffc039cf90>] jffs2_do_crccheck_inode+0x70/0xd0
+[ 1322.448000] [<ffffffffc03a1b80>] jffs2_garbage_collect_pass+0x160/0x870
+[ 1322.452000] [<ffffffffc03a392c>] jffs2_garbage_collect_thread+0xdc/0x1f0
+[ 1322.460000] [<ffffffffc01541c8>] kthread+0xb8/0xc0
+[ 1322.464000] [<ffffffffc0106d18>] kernel_thread_helper+0x10/0x18
+[ 1322.472000]
+[ 1322.472000]
+Code: 67bd0050 94a4002c 2c830001 <00038036> de050218 2403fffc 0080a82d 00431824 24630044
+[ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]---
+
+The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it
+is used to hold the compressed data length(csize) which is declared as uint32_t.
+So, when the value of csize exceeds 16bits, it gets truncated when assigned to
+tn->csize. This is causing a kernel BUG.
+Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue.
+
+Signed-off-by: Ajesh Kunhipurayil Vijayan <ajesh@broadcom.com>
+Signed-off-by: Kamlakant Patel <kamlakant.patel@broadcom.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/nodelist.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/nodelist.h
++++ b/fs/jffs2/nodelist.h
+@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info
+ uint32_t version;
+ uint32_t data_crc;
+ uint32_t partial_crc;
+- uint16_t csize;
++ uint32_t csize;
+ uint16_t overlapped;
+ };
+
--- /dev/null
+From 3367da5610c50e6b83f86d366d72b41b350b06a2 Mon Sep 17 00:00:00 2001
+From: Kamlakant Patel <kamlakant.patel@broadcom.com>
+Date: Mon, 6 Jan 2014 19:06:54 +0530
+Subject: jffs2: Fix segmentation fault found in stress test
+
+From: Kamlakant Patel <kamlakant.patel@broadcom.com>
+
+commit 3367da5610c50e6b83f86d366d72b41b350b06a2 upstream.
+
+Creating a large file on a JFFS2 partition sometimes crashes with this call
+trace:
+
+[ 306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044
+[ 306.488000] Oops[#1]:
+[ 306.488000] Cpu 13
+[ 306.492000] $ 0 : 0000000000000000 0000000000000000 0000000000008008 0000000000008007
+[ 306.500000] $ 4 : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58
+[ 306.508000] $ 8 : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002
+[ 306.516000] $12 : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb
+[ 306.524000] $16 : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70
+[ 306.532000] $20 : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000
+[ 306.540000] $24 : 0000000000000000 0000000000000004
+[ 306.548000] $28 : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044
+[ 306.556000] Hi : 00000000000574a5
+[ 306.560000] Lo : 6193b7a7e903d8c9
+[ 306.564000] epc : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198
+[ 306.568000] Tainted: G W
+[ 306.572000] ra : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198
+[ 306.580000] Status: 5000f8e3 KX SX UX KERNEL EXL IE
+[ 306.584000] Cause : 00800008
+[ 306.588000] BadVA : c0000000dfff8002
+[ 306.592000] PrId : 000c1100 (Netlogic XLP)
+[ 306.596000] Modules linked in:
+[ 306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490)
+[ 306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f
+ 7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7
+ 7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb
+ 7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93
+ 7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64
+ 7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53
+ 7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80
+ 7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3
+ 7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6
+ 7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9
+ ...
+[ 306.676000] Call Trace:
+[ 306.680000] [<ffffffffc03a80a8>] jffs2_rtime_compress+0x98/0x198
+[ 306.684000] [<ffffffffc0394f10>] jffs2_selected_compress+0x110/0x230
+[ 306.692000] [<ffffffffc039508c>] jffs2_compress+0x5c/0x388
+[ 306.696000] [<ffffffffc039dc58>] jffs2_write_inode_range+0xd8/0x388
+[ 306.704000] [<ffffffffc03971bc>] jffs2_write_end+0x16c/0x2d0
+[ 306.708000] [<ffffffffc01d3d90>] generic_file_buffered_write+0xf8/0x2b8
+[ 306.716000] [<ffffffffc01d4e7c>] __generic_file_aio_write+0x1ac/0x350
+[ 306.720000] [<ffffffffc01d50a0>] generic_file_aio_write+0x80/0x168
+[ 306.728000] [<ffffffffc021f7dc>] do_sync_write+0x94/0xf8
+[ 306.732000] [<ffffffffc021ff6c>] vfs_write+0xa4/0x1a0
+[ 306.736000] [<ffffffffc02202e8>] SyS_write+0x50/0x90
+[ 306.744000] [<ffffffffc0116cc0>] handle_sys+0x180/0x1a0
+[ 306.748000]
+[ 306.748000]
+Code: 020b202d 0205282d 90a50000 <90840000> 14a40038 00000000 0060602d 0000282d 016c5823
+[ 306.760000] ---[ end trace 79dd088435be02d0 ]---
+Segmentation fault
+
+This crash is caused because the 'positions' is declared as an array of signed
+short. The value of position is in the range 0..65535, and will be converted
+to a negative number when the position is greater than 32767 and causes a
+corruption and crash. Changing the definition to 'unsigned short' fixes this
+issue
+
+Signed-off-by: Jayachandran C <jchandra@broadcom.com>
+Signed-off-by: Kamlakant Patel <kamlakant.patel@broadcom.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/compr_rtime.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jffs2/compr_rtime.c
++++ b/fs/jffs2/compr_rtime.c
+@@ -33,7 +33,7 @@ static int jffs2_rtime_compress(unsigned
+ unsigned char *cpage_out,
+ uint32_t *sourcelen, uint32_t *dstlen)
+ {
+- short positions[256];
++ unsigned short positions[256];
+ int outpos = 0;
+ int pos=0;
+
+@@ -74,7 +74,7 @@ static int jffs2_rtime_decompress(unsign
+ unsigned char *cpage_out,
+ uint32_t srclen, uint32_t destlen)
+ {
+- short positions[256];
++ unsigned short positions[256];
+ int outpos = 0;
+ int pos=0;
+
--- /dev/null
+From 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizefan@huawei.com>
+Date: Wed, 12 Feb 2014 12:44:57 -0800
+Subject: jffs2: remove from wait queue after schedule()
+
+From: Li Zefan <lizefan@huawei.com>
+
+commit 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 upstream.
+
+@wait is a local variable, so if we don't remove it from the wait queue
+list, later wake_up() may end up accessing invalid memory.
+
+This was spotted by eyes.
+
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/nodemgmt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jffs2/nodemgmt.c
++++ b/fs/jffs2/nodemgmt.c
+@@ -179,6 +179,7 @@ int jffs2_reserve_space(struct jffs2_sb_
+ spin_unlock(&c->erase_completion_lock);
+
+ schedule();
++ remove_wait_queue(&c->erase_wait, &wait);
+ } else
+ spin_unlock(&c->erase_completion_lock);
+ } else if (ret)
bdi-avoid-oops-on-device-removal.patch
xfs-fix-directory-hash-ordering-bug.patch
btrfs-skip-submitting-barrier-for-missing-device.patch
+btrfs-fix-deadlock-with-nested-trans-handles.patch
+btrfs-check-for-an-extent_op-on-the-locked-ref.patch
+ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch
+ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch
+ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch
+fs-null-dereference-in-posix_acl_to_xattr.patch
+jffs2-fix-segmentation-fault-found-in-stress-test.patch
+jffs2-fix-crash-due-to-truncation-of-csize.patch
+jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch
+jffs2-remove-from-wait-queue-after-schedule.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
