--- /dev/null
+From 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Date: Wed, 16 Apr 2014 17:02:32 +0800
+Subject: btrfs: Add ctime/mtime update for btrfs device add/remove.
+
+From: Qu Wenruo <quwenruo@cn.fujitsu.com>
+
+commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream.
+
+Btrfs will send uevent to udev inform the device change,
+but ctime/mtime for the block device inode is not udpated, which cause
+libblkid used by btrfs-progs unable to detect device change and use old
+cache, causing 'btrfs dev scan; btrfs dev rmove; btrfs dev scan' give an
+error message.
+
+Reported-by: Tsutomu Itoh <t-itoh@jp.fujitsu.com>
+Cc: Karel Zak <kzak@redhat.com>
+Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1384,6 +1384,22 @@ out:
+ return ret;
+ }
+
++/*
++ * Function to update ctime/mtime for a given device path.
++ * Mainly used for ctime/mtime based probe like libblkid.
++ */
++static void update_dev_time(char *path_name)
++{
++ struct file *filp;
++
++ filp = filp_open(path_name, O_RDWR, 0);
++ if (!filp)
++ return;
++ file_update_time(filp);
++ filp_close(filp, NULL);
++ return;
++}
++
+ static int btrfs_rm_dev_item(struct btrfs_root *root,
+ struct btrfs_device *device)
+ {
+@@ -1642,10 +1658,14 @@ int btrfs_rm_device(struct btrfs_root *r
+
+ ret = 0;
+
+- /* Notify udev that device has changed */
+- if (bdev)
++ if (bdev) {
++ /* Notify udev that device has changed */
+ btrfs_kobject_uevent(bdev, KOBJ_CHANGE);
+
++ /* Update ctime/mtime for device path for libblkid */
++ update_dev_time(device_path);
++ }
++
+ error_brelse:
+ brelse(bh);
+ if (bdev)
+@@ -2089,6 +2109,8 @@ int btrfs_init_new_device(struct btrfs_r
+ ret = btrfs_commit_transaction(trans, root);
+ }
+
++ /* Update ctime/mtime for libblkid */
++ update_dev_time(device_path);
+ return ret;
+
+ error_trans:
--- /dev/null
+From 7d78874273463a784759916fc3e0b4e2eb141c70 Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Wed, 21 May 2014 05:49:54 -0700
+Subject: Btrfs: fix double free in find_lock_delalloc_range
+
+From: Chris Mason <clm@fb.com>
+
+commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream.
+
+We need to NULL the cached_state after freeing it, otherwise
+we might free it again if find_delalloc_range doesn't find anything.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -1624,6 +1624,7 @@ again:
+ * shortening the size of the delalloc range we're searching
+ */
+ free_extent_state(cached_state);
++ cached_state = NULL;
+ if (!loops) {
+ unsigned long offset = (*start) & (PAGE_CACHE_SIZE - 1);
+ max_bytes = PAGE_CACHE_SIZE - offset;
--- /dev/null
+From 6eda71d0c030af0fc2f68aaa676e6d445600855b Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Mon, 9 Jun 2014 10:54:07 +0800
+Subject: Btrfs: fix scrub_print_warning to handle skinny metadata extents
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 6eda71d0c030af0fc2f68aaa676e6d445600855b upstream.
+
+The skinny extents are intepreted incorrectly in scrub_print_warning(),
+and end up hitting the BUG() in btrfs_extent_inline_ref_size.
+
+Reported-by: Konstantinos Skarlatos <k.skarlatos@gmail.com>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/backref.c | 30 +++++++++++++++++++-----------
+ fs/btrfs/backref.h | 4 ++--
+ fs/btrfs/scrub.c | 5 +++--
+ 3 files changed, 24 insertions(+), 15 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1347,9 +1347,10 @@ int extent_from_logical(struct btrfs_fs_
+ * returns <0 on error
+ */
+ static int __get_extent_inline_ref(unsigned long *ptr, struct extent_buffer *eb,
+- struct btrfs_extent_item *ei, u32 item_size,
+- struct btrfs_extent_inline_ref **out_eiref,
+- int *out_type)
++ struct btrfs_key *key,
++ struct btrfs_extent_item *ei, u32 item_size,
++ struct btrfs_extent_inline_ref **out_eiref,
++ int *out_type)
+ {
+ unsigned long end;
+ u64 flags;
+@@ -1359,9 +1360,16 @@ static int __get_extent_inline_ref(unsig
+ /* first call */
+ flags = btrfs_extent_flags(eb, ei);
+ if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) {
+- info = (struct btrfs_tree_block_info *)(ei + 1);
+- *out_eiref =
+- (struct btrfs_extent_inline_ref *)(info + 1);
++ if (key->type == BTRFS_METADATA_ITEM_KEY) {
++ /* a skinny metadata extent */
++ *out_eiref =
++ (struct btrfs_extent_inline_ref *)(ei + 1);
++ } else {
++ WARN_ON(key->type != BTRFS_EXTENT_ITEM_KEY);
++ info = (struct btrfs_tree_block_info *)(ei + 1);
++ *out_eiref =
++ (struct btrfs_extent_inline_ref *)(info + 1);
++ }
+ } else {
+ *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1);
+ }
+@@ -1371,7 +1379,7 @@ static int __get_extent_inline_ref(unsig
+ }
+
+ end = (unsigned long)ei + item_size;
+- *out_eiref = (struct btrfs_extent_inline_ref *)*ptr;
++ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr);
+ *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref);
+
+ *ptr += btrfs_extent_inline_ref_size(*out_type);
+@@ -1390,8 +1398,8 @@ static int __get_extent_inline_ref(unsig
+ * <0 on error.
+ */
+ int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb,
+- struct btrfs_extent_item *ei, u32 item_size,
+- u64 *out_root, u8 *out_level)
++ struct btrfs_key *key, struct btrfs_extent_item *ei,
++ u32 item_size, u64 *out_root, u8 *out_level)
+ {
+ int ret;
+ int type;
+@@ -1402,8 +1410,8 @@ int tree_backref_for_extent(unsigned lon
+ return 1;
+
+ while (1) {
+- ret = __get_extent_inline_ref(ptr, eb, ei, item_size,
+- &eiref, &type);
++ ret = __get_extent_inline_ref(ptr, eb, key, ei, item_size,
++ &eiref, &type);
+ if (ret < 0)
+ return ret;
+
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -42,8 +42,8 @@ int extent_from_logical(struct btrfs_fs_
+ u64 *flags);
+
+ int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb,
+- struct btrfs_extent_item *ei, u32 item_size,
+- u64 *out_root, u8 *out_level);
++ struct btrfs_key *key, struct btrfs_extent_item *ei,
++ u32 item_size, u64 *out_root, u8 *out_level);
+
+ int iterate_extent_inodes(struct btrfs_fs_info *fs_info,
+ u64 extent_item_objectid,
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -545,8 +545,9 @@ static void scrub_print_warning(const ch
+
+ if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) {
+ do {
+- ret = tree_backref_for_extent(&ptr, eb, ei, item_size,
+- &ref_root, &ref_level);
++ ret = tree_backref_for_extent(&ptr, eb, &found_key, ei,
++ item_size, &ref_root,
++ &ref_level);
+ printk_in_rcu(KERN_WARNING
+ "btrfs: %s at logical %llu on dev %s, "
+ "sector %llu: metadata %s (level %d) in tree "
--- /dev/null
+From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 12 Jun 2014 00:39:58 -0500
+Subject: btrfs: fix use of uninit "ret" in end_extent_writepage()
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream.
+
+If this condition in end_extent_writepage() is false:
+
+ if (tree->ops && tree->ops->writepage_end_io_hook)
+
+we will then test an uninitialized "ret" at:
+
+ ret = ret < 0 ? ret : -EIO;
+
+The test for ret is for the case where ->writepage_end_io_hook
+failed, and we'd choose that ret as the error; but if
+there is no ->writepage_end_io_hook, nothing sets ret.
+
+Initializing ret to 0 should be sufficient; if
+writepage_end_io_hook wasn't set, (!uptodate) means
+non-zero err was passed in, so we choose -EIO in that case.
+
+Signed-of-by: Eric Sandeen <sandeen@redhat.com>
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2357,7 +2357,7 @@ int end_extent_writepage(struct page *pa
+ {
+ int uptodate = (err == 0);
+ struct extent_io_tree *tree;
+- int ret;
++ int ret = 0;
+
+ tree = &BTRFS_I(page->mapping->host)->io_tree;
+
--- /dev/null
+From de348ee022175401e77d7662b7ca6e231a94e3fd Mon Sep 17 00:00:00 2001
+From: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+Date: Wed, 9 Apr 2014 19:23:22 +0800
+Subject: Btrfs: make sure there are not any read requests before stopping workers
+
+From: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+
+commit de348ee022175401e77d7662b7ca6e231a94e3fd upstream.
+
+In close_ctree(), after we have stopped all workers,there maybe still
+some read requests(for example readahead) to submit and this *maybe* trigger
+an oops that user reported before:
+
+kernel BUG at fs/btrfs/async-thread.c:619!
+
+By hacking codes, i can reproduce this problem with one cpu available.
+We fix this potential problem by invalidating all btree inode pages before
+stopping all workers.
+
+Thanks to Miao for pointing out this problem.
+
+Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3518,6 +3518,11 @@ int close_ctree(struct btrfs_root *root)
+
+ btrfs_free_block_groups(fs_info);
+
++ /*
++ * we must make sure there is not any read request to
++ * submit after we stopping all workers.
++ */
++ invalidate_inode_pages2(fs_info->btree_inode->i_mapping);
+ btrfs_stop_all_workers(fs_info);
+
+ del_fs_roots(fs_info);
--- /dev/null
+From 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Mon, 12 May 2014 12:47:36 +0800
+Subject: Btrfs: mark mapping with error flag to report errors to userspace
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 upstream.
+
+According to commit 865ffef3797da2cac85b3354b5b6050dc9660978
+(fs: fix fsync() error reporting),
+it's not stable to just check error pages because pages can be
+truncated or invalidated, we should also mark mapping with error
+flag so that a later fsync can catch the error.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2371,6 +2371,8 @@ int end_extent_writepage(struct page *pa
+ if (!uptodate) {
+ ClearPageUptodate(page);
+ SetPageError(page);
++ ret = ret < 0 ? ret : -EIO;
++ mapping_set_error(page->mapping, ret);
+ }
+ return 0;
+ }
--- /dev/null
+From 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 Mon Sep 17 00:00:00 2001
+From: Miao Xie <miaox@cn.fujitsu.com>
+Date: Thu, 24 Apr 2014 13:31:55 +0800
+Subject: Btrfs: output warning instead of error when loading free space cache failed
+
+From: Miao Xie <miaox@cn.fujitsu.com>
+
+commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream.
+
+If we fail to load a free space cache, we can rebuild it from the extent tree,
+so it is not a serious error, we should not output a error message that
+would make the users uncomfortable. This patch uses warning message instead
+of it.
+
+Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/free-space-cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -835,7 +835,7 @@ int load_free_space_cache(struct btrfs_f
+
+ if (!matched) {
+ __btrfs_remove_free_space_cache(ctl);
+- btrfs_err(fs_info, "block group %llu has wrong amount of free space",
++ btrfs_warn(fs_info, "block group %llu has wrong amount of free space",
+ block_group->key.objectid);
+ ret = -1;
+ }
+@@ -847,7 +847,7 @@ out:
+ spin_unlock(&block_group->lock);
+ ret = 0;
+
+- btrfs_err(fs_info, "failed to load free space cache for block group %llu",
++ btrfs_warn(fs_info, "failed to load free space cache for block group %llu, rebuild it now",
+ block_group->key.objectid);
+ }
+
--- /dev/null
+From 1af56070e3ef9477dbc7eba3b9ad7446979c7974 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@gmail.com>
+Date: Sun, 25 May 2014 04:49:24 +0100
+Subject: Btrfs: send, don't error in the presence of subvols/snapshots
+
+From: Filipe Manana <fdmanana@gmail.com>
+
+commit 1af56070e3ef9477dbc7eba3b9ad7446979c7974 upstream.
+
+If we are doing an incremental send and the base snapshot has a
+directory with name X that doesn't exist anymore in the second
+snapshot and a new subvolume/snapshot exists in the second snapshot
+that has the same name as the directory (name X), the incremental
+send would fail with -ENOENT error. This is because it attempts
+to lookup for an inode with a number matching the objectid of a
+root, which doesn't exist.
+
+Steps to reproduce:
+
+ mkfs.btrfs -f /dev/sdd
+ mount /dev/sdd /mnt
+
+ mkdir /mnt/testdir
+ btrfs subvolume snapshot -r /mnt /mnt/mysnap1
+
+ rmdir /mnt/testdir
+ btrfs subvolume create /mnt/testdir
+ btrfs subvolume snapshot -r /mnt /mnt/mysnap2
+
+ btrfs send -p /mnt/mysnap1 /mnt/mysnap2 -f /tmp/send.data
+
+A test case for xfstests follows.
+
+Reported-by: Robert White <rwhite@pobox.com>
+Signed-off-by: Filipe David Borba Manana <fdmanana@gmail.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/send.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -1550,6 +1550,10 @@ static int lookup_dir_item_inode(struct
+ goto out;
+ }
+ btrfs_dir_item_key_to_cpu(path->nodes[0], di, &key);
++ if (key.type == BTRFS_ROOT_ITEM_KEY) {
++ ret = -ENOENT;
++ goto out;
++ }
+ *found_inode = key.objectid;
+ *found_type = btrfs_dir_type(path->nodes[0], di);
+
--- /dev/null
+From 298658414a2f0bea1f05a81876a45c1cd96aa2e0 Mon Sep 17 00:00:00 2001
+From: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+Date: Tue, 13 May 2014 17:05:06 +0800
+Subject: Btrfs: set right total device count for seeding support
+
+From: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+
+commit 298658414a2f0bea1f05a81876a45c1cd96aa2e0 upstream.
+
+Seeding device support allows us to create a new filesystem
+based on existed filesystem.
+
+However newly created filesystem's @total_devices should include seed
+devices. This patch fix the following problem:
+
+ # mkfs.btrfs -f /dev/sdb
+ # btrfstune -S 1 /dev/sdb
+ # mount /dev/sdb /mnt
+ # btrfs device add -f /dev/sdc /mnt --->fs_devices->total_devices = 1
+ # umount /mnt
+ # mount /dev/sdc /mnt --->fs_devices->total_devices = 2
+
+This is because we record right @total_devices in superblock, but
+@fs_devices->total_devices is reset to be 0 in btrfs_prepare_sprout().
+
+Fix this problem by not resetting @fs_devices->total_devices.
+
+Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1837,7 +1837,6 @@ static int btrfs_prepare_sprout(struct b
+ fs_devices->seeding = 0;
+ fs_devices->num_devices = 0;
+ fs_devices->open_devices = 0;
+- fs_devices->total_devices = 0;
+ fs_devices->seed = seed_devices;
+
+ generate_random_uuid(fs_devices->fsid);
--- /dev/null
+From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Sun, 8 Jun 2014 19:04:13 +0800
+Subject: Btrfs: use right type to get real comparison
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream.
+
+We want to make sure the point is still within the extent item, not to verify
+the memory it's pointing to.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/backref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1366,7 +1366,7 @@ static int __get_extent_inline_ref(unsig
+ *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1);
+ }
+ *ptr = (unsigned long)*out_eiref;
+- if ((void *)*ptr >= (void *)ei + item_size)
++ if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size)
+ return -ENOENT;
+ }
+
--- /dev/null
+From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Date: Thu, 22 May 2014 22:43:43 +0200
+Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference
+
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+
+commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream.
+
+There is otherwise a risk of a possible null pointer dereference.
+
+Was largely found by using a static code analysis program called cppcheck.
+
+Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1628,11 +1628,12 @@ int btrfs_rm_device(struct btrfs_root *r
+ struct btrfs_fs_devices *fs_devices;
+ fs_devices = root->fs_info->fs_devices;
+ while (fs_devices) {
+- if (fs_devices->seed == cur_devices)
++ if (fs_devices->seed == cur_devices) {
++ fs_devices->seed = cur_devices->seed;
+ break;
++ }
+ fs_devices = fs_devices->seed;
+ }
+- fs_devices->seed = cur_devices->seed;
+ cur_devices->seed = NULL;
+ lock_chunks(root);
+ __btrfs_close_devices(cur_devices);
genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch
aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch
+skbuff-skb_segment-orphan-frags-before-copying.patch
+btrfs-fix-double-free-in-find_lock_delalloc_range.patch
+btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch
+btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch
+btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch
+btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch
+btrfs-set-right-total-device-count-for-seeding-support.patch
+btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch
+fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
+btrfs-use-right-type-to-get-real-comparison.patch
+btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch
+btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
--- /dev/null
+From 1fd819ecb90cc9b822cd84d3056ddba315d3340f Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Mon, 10 Mar 2014 19:28:08 +0200
+Subject: skbuff: skb_segment: orphan frags before copying
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream.
+
+skb_segment copies frags around, so we need
+to copy them carefully to avoid accessing
+user memory after reporting completion to userspace
+through a callback.
+
+skb_segment doesn't normally happen on datapath:
+TSO needs to be disabled - so disabling zero copy
+in this case does not look like a big deal.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.2. As skb_segment() only supports page-frags *or* a
+ frag list, there is no need for the additional frag_skb pointer or the
+ preparatory renaming.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Eddie Chapman <eddie@ehuk.net> # backported to 3.10
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2844,6 +2844,8 @@ struct sk_buff *skb_segment(struct sk_bu
+ skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
+
+ while (pos < offset + len && i < nfrags) {
++ if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
++ goto err;
+ *frag = skb_shinfo(skb)->frags[i];
+ __skb_frag_ref(frag);
+ size = skb_frag_size(frag);
projects / thirdparty / kernel / stable-queue.git / commitdiff
