3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Jun 2014 00:57:51 +0000 (17:57 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Jun 2014 00:57:51 +0000 (17:57 -0700)
added patches:
btrfs-fix-double-free-in-find_lock_delalloc_range.patch
skbuff-add-an-api-to-orphan-frags.patch
skbuff-export-skb_copy_ubufs.patch
skbuff-skb_segment-orphan-frags-before-copying.patch

queue-3.4/btrfs-fix-double-free-in-find_lock_delalloc_range.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/skbuff-add-an-api-to-orphan-frags.patch [new file with mode: 0644]
queue-3.4/skbuff-export-skb_copy_ubufs.patch [new file with mode: 0644]
queue-3.4/skbuff-skb_segment-orphan-frags-before-copying.patch [new file with mode: 0644]

diff --git a/queue-3.4/btrfs-fix-double-free-in-find_lock_delalloc_range.patch b/queue-3.4/btrfs-fix-double-free-in-find_lock_delalloc_range.patch
new file mode 100644 (file)
index 0000000..15ba1f7
--- /dev/null
@@ -0,0 +1,29 @@
+From 7d78874273463a784759916fc3e0b4e2eb141c70 Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Wed, 21 May 2014 05:49:54 -0700
+Subject: Btrfs: fix double free in find_lock_delalloc_range
+
+From: Chris Mason <clm@fb.com>
+
+commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream.
+
+We need to NULL the cached_state after freeing it, otherwise
+we might free it again if find_delalloc_range doesn't find anything.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -1551,6 +1551,7 @@ again:
+                * shortening the size of the delalloc range we're searching
+                */
+               free_extent_state(cached_state);
++              cached_state = NULL;
+               if (!loops) {
+                       unsigned long offset = (*start) & (PAGE_CACHE_SIZE - 1);
+                       max_bytes = PAGE_CACHE_SIZE - offset;
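Review bot: The added `cached_state = NULL;` carries no comment saying why the pointer must be cleared, and the reason is not visible in the hunk itself. Going by the commit message, the same variable can reach free_extent_state() again on a later pass when find_delalloc_range finds nothing, presumably after a retry through the `again:` label named in the hunk header. I would add `/* cleared so a retry that finds nothing cannot free it a second time */` above the assignment. The enclosing function starts and ends outside the hunk, so the other places that free cached_state could not be checked from here.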
index e4848faf4d18361db99af992d234b310ca3b342e..dcae2e80673ddbea944379cfc423c36b847fa644 100644 (file)
@@ -32,3 +32,7 @@ target-explicitly-clear-ramdisk_mcp-backend-pages.patch
 x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch
 x86-x32-use-compat-shims-for-io_-setup-submit.patch
 genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch
+skbuff-add-an-api-to-orphan-frags.patch
+skbuff-export-skb_copy_ubufs.patch
+skbuff-skb_segment-orphan-frags-before-copying.patch
+btrfs-fix-double-free-in-find_lock_delalloc_range.patch
diff --git a/queue-3.4/skbuff-add-an-api-to-orphan-frags.patch b/queue-3.4/skbuff-add-an-api-to-orphan-frags.patch
new file mode 100644 (file)
index 0000000..b95836d
--- /dev/null
@@ -0,0 +1,48 @@
+From a353e0ce0fd42d8859260666d1e9b10f2abd4698 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 20 Jul 2012 09:23:07 +0000
+Subject: skbuff: add an api to orphan frags
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit a353e0ce0fd42d8859260666d1e9b10f2abd4698 upstream.
+
+Many places do
+       if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY))
+               skb_copy_ubufs(skb, gfp_mask);
+to copy and invoke frag destructors if necessary.
+Add an inline helper for this.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/skbuff.h |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1674,6 +1674,22 @@ static inline void skb_orphan(struct sk_
+ }
+ /**
++ *    skb_orphan_frags - orphan the frags contained in a buffer
++ *    @skb: buffer to orphan frags from
++ *    @gfp_mask: allocation mask for replacement pages
++ *
++ *    For each frag in the SKB which needs a destructor (i.e. has an
++ *    owner) create a copy of that frag and release the original
++ *    page by calling the destructor.
++ */
++static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t gfp_mask)
++{
++      if (likely(!(skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY)))
++              return 0;
++      return skb_copy_ubufs(skb, gfp_mask);
++}
++
++/**
+  *    __skb_queue_purge - empty a list
+  *    @list: list to empty
+  *
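Review bot: The kerneldoc for skb_orphan_frags() does not document the return value, although the helper returns `int` and passes through whatever skb_copy_ubufs() returns. A caller that ignores a failure would presumably go on using frags whose pages still belong to the zerocopy owner, so the contract is worth stating. I would add ` *    Returns 0 on success or the error from skb_copy_ubufs() on failure.` to the comment block. Marking the helper `__must_check` would also let the compiler flag ignored results, if that fits the conventions of this header.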
diff --git a/queue-3.4/skbuff-export-skb_copy_ubufs.patch b/queue-3.4/skbuff-export-skb_copy_ubufs.patch
new file mode 100644 (file)
index 0000000..7784214
--- /dev/null
@@ -0,0 +1,30 @@
+From dcc0fb782b3a6e2abfeaaeb45dd88ed09596be0f Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 20 Jul 2012 09:23:20 +0000
+Subject: skbuff: export skb_copy_ubufs
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit dcc0fb782b3a6e2abfeaaeb45dd88ed09596be0f upstream.
+
+Export skb_copy_ubufs so that modules can orphan frags.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -733,7 +733,7 @@ int skb_copy_ubufs(struct sk_buff *skb,
+       skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY;
+       return 0;
+ }
+-
++EXPORT_SYMBOL_GPL(skb_copy_ubufs);
+ /**
+  *    skb_clone       -       duplicate an sk_buff
diff --git a/queue-3.4/skbuff-skb_segment-orphan-frags-before-copying.patch b/queue-3.4/skbuff-skb_segment-orphan-frags-before-copying.patch
new file mode 100644 (file)
index 0000000..2a6697d
--- /dev/null
@@ -0,0 +1,43 @@
+From 1fd819ecb90cc9b822cd84d3056ddba315d3340f Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Mon, 10 Mar 2014 19:28:08 +0200
+Subject: skbuff: skb_segment: orphan frags before copying
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream.
+
+skb_segment copies frags around, so we need
+to copy them carefully to avoid accessing
+user memory after reporting completion to userspace
+through a callback.
+
+skb_segment doesn't normally happen on datapath:
+TSO needs to be disabled - so disabling zero copy
+in this case does not look like a big deal.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.2.  As skb_segment() only supports page-frags *or* a
+ frag list, there is no need for the additional frag_skb pointer or the
+ preparatory renaming.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2777,6 +2777,9 @@ struct sk_buff *skb_segment(struct sk_bu
+                                                skb_put(nskb, hsize), hsize);
+               while (pos < offset + len && i < nfrags) {
++                      if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
++                              goto err;
++
+                       *frag = skb_shinfo(skb)->frags[i];
+                       __skb_frag_ref(frag);
+                       size = skb_frag_size(frag);
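Review bot: The `skb_orphan_frags(skb, GFP_ATOMIC)` call sits inside the per-frag `while` loop even though it receives the same `skb` on every iteration in this backport, and nothing explains why. The skb_copy_ubufs() context shown in the export patch clears SKBTX_DEV_ZEROCOPY before returning 0, so only the first iteration can do real work and later ones fall through the `likely()` test. A comment such as `/* no-op after the first pass: a successful copy clears SKBTX_DEV_ZEROCOPY */` would make that clear. The `err` label is outside the hunk, so confirm that the `nskb` already in use at this point is reachable from whatever that path frees. skb_segment() starts and ends outside the hunk.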