3.4-stable patches

added patches:
	btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
	btrfs-use-right-type-to-get-real-comparison.patch
	fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch

diff --git a/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch b/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
new file mode 100644 (file)
index 0000000..0e5e1c8
--- /dev/null
+++ b/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
@@ -0,0 +1,45 @@
+From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 12 Jun 2014 00:39:58 -0500
+Subject: btrfs: fix use of uninit "ret" in end_extent_writepage()
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream.
+
+If this condition in end_extent_writepage() is false:
+
+       if (tree->ops && tree->ops->writepage_end_io_hook)
+
+we will then test an uninitialized "ret" at:
+
+       ret = ret < 0 ? ret : -EIO;
+
+The test for ret is for the case where ->writepage_end_io_hook
+failed, and we'd choose that ret as the error; but if
+there is no ->writepage_end_io_hook, nothing sets ret.
+
+Initializing ret to 0 should be sufficient; if
+writepage_end_io_hook wasn't set, (!uptodate) means
+non-zero err was passed in, so we choose -EIO in that case.
+
+Signed-of-by: Eric Sandeen <sandeen@redhat.com>
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2245,7 +2245,7 @@ int end_extent_writepage(struct page *pa
+ {
+       int uptodate = (err == 0);
+       struct extent_io_tree *tree;
+-      int ret;
++      int ret = 0;
+ 
+       tree = &BTRFS_I(page->mapping->host)->io_tree;
+ 

diff --git a/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch b/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch
new file mode 100644 (file)
index 0000000..a44faa7
--- /dev/null
+++ b/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch
@@ -0,0 +1,31 @@
+From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Sun, 8 Jun 2014 19:04:13 +0800
+Subject: Btrfs: use right type to get real comparison
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream.
+
+We want to make sure the point is still within the extent item, not to verify
+the memory it's pointing to.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/backref.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1033,7 +1033,7 @@ static int __get_extent_inline_ref(unsig
+                       *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1);
+               }
+               *ptr = (unsigned long)*out_eiref;
+-              if ((void *)*ptr >= (void *)ei + item_size)
++              if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size)
+                       return -ENOENT;
+       }
+ 

diff --git a/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch b/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..300f313
--- /dev/null
+++ b/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Date: Thu, 22 May 2014 22:43:43 +0200
+Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference
+
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+
+commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream.
+
+There is otherwise a risk of a possible null pointer dereference.
+
+Was largely found by using a static code analysis program called cppcheck.
+
+Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1446,11 +1446,12 @@ int btrfs_rm_device(struct btrfs_root *r
+               struct btrfs_fs_devices *fs_devices;
+               fs_devices = root->fs_info->fs_devices;
+               while (fs_devices) {
+-                      if (fs_devices->seed == cur_devices)
++                      if (fs_devices->seed == cur_devices) {
++                              fs_devices->seed = cur_devices->seed;
+                               break;
++                      }
+                       fs_devices = fs_devices->seed;
+               }
+-              fs_devices->seed = cur_devices->seed;
+               cur_devices->seed = NULL;
+               lock_chunks(root);
+               __btrfs_close_devices(cur_devices);

diff --git a/queue-3.4/series b/queue-3.4/series
index dcae2e80673ddbea944379cfc423c36b847fa644..f117b44eaf3732c38198a4aabfa8ed7a3247fd2e 100644 (file)
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -36,3 +36,6 @@ skbuff-add-an-api-to-orphan-frags.patch
 skbuff-export-skb_copy_ubufs.patch
 skbuff-skb_segment-orphan-frags-before-copying.patch
 btrfs-fix-double-free-in-find_lock_delalloc_range.patch
+fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
+btrfs-use-right-type-to-get-real-comparison.patch
+btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch