From: Greg Kroah-Hartman Date: Mon, 21 Apr 2014 01:29:09 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.13.11~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=28b16532e5b62f5da3290dcc1b29a10f4b839dae;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: btrfs-check-for-an-extent_op-on-the-locked-ref.patch btrfs-fix-deadlock-with-nested-trans-handles.patch ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch fs-null-dereference-in-posix_acl_to_xattr.patch jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch jffs2-fix-crash-due-to-truncation-of-csize.patch jffs2-fix-segmentation-fault-found-in-stress-test.patch jffs2-remove-from-wait-queue-after-schedule.patch --- diff --git a/queue-3.14/btrfs-check-for-an-extent_op-on-the-locked-ref.patch b/queue-3.14/btrfs-check-for-an-extent_op-on-the-locked-ref.patch new file mode 100644 index 00000000000..056e71011fc --- /dev/null +++ b/queue-3.14/btrfs-check-for-an-extent_op-on-the-locked-ref.patch @@ -0,0 +1,33 @@ +From 573a075567f0174551e2fad2a3164afd2af788f2 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 27 Mar 2014 19:41:34 -0400 +Subject: Btrfs: check for an extent_op on the locked ref + +From: Josef Bacik + +commit 573a075567f0174551e2fad2a3164afd2af788f2 upstream. + +We could have possibly added an extent_op to the locked_ref while we dropped +locked_ref->lock, so check for this case as well and loop around. Otherwise we +could lose flag updates which would lead to extent tree corruption. Thanks, + +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2444,7 +2444,8 @@ static noinline int __btrfs_run_delayed_ + spin_unlock(&locked_ref->lock); + spin_lock(&delayed_refs->lock); + spin_lock(&locked_ref->lock); +- if (rb_first(&locked_ref->ref_root)) { ++ if (rb_first(&locked_ref->ref_root) || ++ locked_ref->extent_op) { + spin_unlock(&locked_ref->lock); + spin_unlock(&delayed_refs->lock); + continue; diff --git a/queue-3.14/btrfs-fix-deadlock-with-nested-trans-handles.patch b/queue-3.14/btrfs-fix-deadlock-with-nested-trans-handles.patch new file mode 100644 index 00000000000..35229620284 --- /dev/null +++ b/queue-3.14/btrfs-fix-deadlock-with-nested-trans-handles.patch @@ -0,0 +1,68 @@ +From 3bbb24b20a8800158c33eca8564f432dd14d0bf3 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 6 Mar 2014 19:01:07 -0500 +Subject: Btrfs: fix deadlock with nested trans handles + +From: Josef Bacik + +commit 3bbb24b20a8800158c33eca8564f432dd14d0bf3 upstream. + +Zach found this deadlock that would happen like this + +btrfs_end_transaction <- reduce trans->use_count to 0 + btrfs_run_delayed_refs + btrfs_cow_block + find_free_extent + btrfs_start_transaction <- increase trans->use_count to 1 + allocate chunk + btrfs_end_transaction <- decrease trans->use_count to 0 + btrfs_run_delayed_refs + lock tree block we are cowing above ^^ + +We need to only decrease trans->use_count if it is above 1, otherwise leave it +alone. This will make nested trans be the only ones who decrease their added +ref, and will let us get rid of the trans->use_count++ hack if we have to commit +the transaction. Thanks, + +Reported-by: Zach Brown +Signed-off-by: Josef Bacik +Tested-by: Zach Brown +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/transaction.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -683,7 +683,8 @@ static int __btrfs_end_transaction(struc + int lock = (trans->type != TRANS_JOIN_NOLOCK); + int err = 0; + +- if (--trans->use_count) { ++ if (trans->use_count > 1) { ++ trans->use_count--; + trans->block_rsv = trans->orig_rsv; + return 0; + } +@@ -731,17 +732,10 @@ static int __btrfs_end_transaction(struc + } + + if (lock && ACCESS_ONCE(cur_trans->state) == TRANS_STATE_BLOCKED) { +- if (throttle) { +- /* +- * We may race with somebody else here so end up having +- * to call end_transaction on ourselves again, so inc +- * our use_count. +- */ +- trans->use_count++; ++ if (throttle) + return btrfs_commit_transaction(trans, root); +- } else { ++ else + wake_up_process(info->transaction_kthread); +- } + } + + if (trans->type & __TRANS_FREEZABLE) diff --git a/queue-3.14/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch b/queue-3.14/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch new file mode 100644 index 00000000000..4ff817715e7 --- /dev/null +++ b/queue-3.14/ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch @@ -0,0 +1,49 @@ +From ce37c42919608e96ade3748fe23c3062a0a966c5 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Wed, 19 Feb 2014 18:52:39 -0500 +Subject: ext4: fix error return from ext4_ext_handle_uninitialized_extents() + +From: Eric Whitney + +commit ce37c42919608e96ade3748fe23c3062a0a966c5 upstream. + +Commit 3779473246 breaks the return of error codes from +ext4_ext_handle_uninitialized_extents() in ext4_ext_map_blocks(). A +portion of the patch assigns that function's signed integer return +value to an unsigned int. Consequently, negatively valued error codes +are lost and can be treated as a bogus allocated block count. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4128,7 +4128,7 @@ int ext4_ext_map_blocks(handle_t *handle + struct ext4_extent newex, *ex, *ex2; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + ext4_fsblk_t newblock = 0; +- int free_on_err = 0, err = 0, depth; ++ int free_on_err = 0, err = 0, depth, ret; + unsigned int allocated = 0, offset = 0; + unsigned int allocated_clusters = 0; + struct ext4_allocation_request ar; +@@ -4189,9 +4189,13 @@ int ext4_ext_map_blocks(handle_t *handle + if (!ext4_ext_is_uninitialized(ex)) + goto out; + +- allocated = ext4_ext_handle_uninitialized_extents( ++ ret = ext4_ext_handle_uninitialized_extents( + handle, inode, map, path, flags, + allocated, newblock); ++ if (ret < 0) ++ err = ret; ++ else ++ allocated = ret; + goto out3; + } + } diff --git a/queue-3.14/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch b/queue-3.14/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch new file mode 100644 index 00000000000..da3e6eaff56 --- /dev/null +++ b/queue-3.14/ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch @@ -0,0 +1,64 @@ +From c06344939422bbd032ac967223a7863de57496b5 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Thu, 13 Mar 2014 23:34:16 -0400 +Subject: ext4: fix partial cluster handling for bigalloc file systems + +From: Eric Whitney + +commit c06344939422bbd032ac967223a7863de57496b5 upstream. + +Commit 9cb00419fa, which enables hole punching for bigalloc file +systems, exposed a bug introduced by commit 6ae06ff51e in an earlier +release. When run on a bigalloc file system, xfstests generic/013, 068, +075, 083, 091, 100, 112, 127, 263, 269, and 270 fail with e2fsck errors +or cause kernel error messages indicating that previously freed blocks +are being freed again. + +The latter commit optimizes the selection of the starting extent in +ext4_ext_rm_leaf() when hole punching by beginning with the extent +supplied in the path argument rather than with the last extent in the +leaf node (as is still done when truncating). However, the code in +rm_leaf that initially sets partial_cluster to track cluster sharing on +extent boundaries is only guaranteed to run if rm_leaf starts with the +last node in the leaf. Consequently, partial_cluster is not correctly +initialized when hole punching, and a cluster on the boundary of a +punched region that should be retained may instead be deallocated. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2585,6 +2585,27 @@ ext4_ext_rm_leaf(handle_t *handle, struc + ex_ee_block = le32_to_cpu(ex->ee_block); + ex_ee_len = ext4_ext_get_actual_len(ex); + ++ /* ++ * If we're starting with an extent other than the last one in the ++ * node, we need to see if it shares a cluster with the extent to ++ * the right (towards the end of the file). If its leftmost cluster ++ * is this extent's rightmost cluster and it is not cluster aligned, ++ * we'll mark it as a partial that is not to be deallocated. ++ */ ++ ++ if (ex != EXT_LAST_EXTENT(eh)) { ++ ext4_fsblk_t current_pblk, right_pblk; ++ long long current_cluster, right_cluster; ++ ++ current_pblk = ext4_ext_pblock(ex) + ex_ee_len - 1; ++ current_cluster = (long long)EXT4_B2C(sbi, current_pblk); ++ right_pblk = ext4_ext_pblock(ex + 1); ++ right_cluster = (long long)EXT4_B2C(sbi, right_pblk); ++ if (current_cluster == right_cluster && ++ EXT4_PBLK_COFF(sbi, right_pblk)) ++ *partial_cluster = -right_cluster; ++ } ++ + trace_ext4_ext_rm_leaf(inode, start, ex, *partial_cluster); + + while (ex >= EXT_FIRST_EXTENT(eh) && diff --git a/queue-3.14/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch b/queue-3.14/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch new file mode 100644 index 00000000000..326ae5b8525 --- /dev/null +++ b/queue-3.14/ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch @@ -0,0 +1,58 @@ +From ad6599ab3ac98a4474544086e048ce86ec15a4d1 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Tue, 1 Apr 2014 19:49:30 -0400 +Subject: ext4: fix premature freeing of partial clusters split across leaf blocks + +From: Eric Whitney + +commit ad6599ab3ac98a4474544086e048ce86ec15a4d1 upstream. + +Xfstests generic/311 and shared/298 fail when run on a bigalloc file +system. Kernel error messages produced during the tests report that +blocks to be freed are already on the to-be-freed list. When e2fsck +is run at the end of the tests, it typically reports bad i_blocks and +bad free blocks counts. + +The bug that causes these failures is located in ext4_ext_rm_leaf(). +Code at the end of the function frees a partial cluster if it's not +shared with an extent remaining in the leaf. However, if all the +extents in the leaf have been removed, the code dereferences an +invalid extent pointer (off the front of the leaf) when the check for +sharing is made. This generally has the effect of unconditionally +freeing the partial cluster, which leads to the observed failures +when the partial cluster is shared with the last extent in the next +leaf. + +Fix this by attempting to free the cluster only if extents remain in +the leaf. Any remaining partial cluster will be freed if possible +when the next leaf is processed or when leaf removal is complete. + +Signed-off-by: Eric Whitney +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2731,10 +2731,15 @@ ext4_ext_rm_leaf(handle_t *handle, struc + err = ext4_ext_correct_indexes(handle, inode, path); + + /* +- * Free the partial cluster only if the current extent does not +- * reference it. Otherwise we might free used cluster. ++ * If there's a partial cluster and at least one extent remains in ++ * the leaf, free the partial cluster if it isn't shared with the ++ * current extent. If there's a partial cluster and no extents ++ * remain in the leaf, it can't be freed here. It can only be ++ * freed when it's possible to determine if it's not shared with ++ * any other extent - when the next leaf is processed or when space ++ * removal is complete. + */ +- if (*partial_cluster > 0 && ++ if (*partial_cluster > 0 && eh->eh_entries && + (EXT4_B2C(sbi, ext4_ext_pblock(ex) + ex_ee_len - 1) != + *partial_cluster)) { + int flags = get_default_free_blocks_flags(inode); diff --git a/queue-3.14/fs-null-dereference-in-posix_acl_to_xattr.patch b/queue-3.14/fs-null-dereference-in-posix_acl_to_xattr.patch new file mode 100644 index 00000000000..bcd9372c2b5 --- /dev/null +++ b/queue-3.14/fs-null-dereference-in-posix_acl_to_xattr.patch @@ -0,0 +1,41 @@ +From 47ba9734403770a4c5e685b01f0a72b835dd4fff Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 14 Feb 2014 12:05:49 +0300 +Subject: fs: NULL dereference in posix_acl_to_xattr() + +From: Dan Carpenter + +commit 47ba9734403770a4c5e685b01f0a72b835dd4fff upstream. + +This patch moves the dereference of "buffer" after the check for NULL. +The only place which passes a NULL parameter is gfs2_set_acl(). + +Signed-off-by: Dan Carpenter +Signed-off-by: Steven Whitehouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/posix_acl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -723,7 +723,7 @@ posix_acl_to_xattr(struct user_namespace + void *buffer, size_t size) + { + posix_acl_xattr_header *ext_acl = (posix_acl_xattr_header *)buffer; +- posix_acl_xattr_entry *ext_entry = ext_acl->a_entries; ++ posix_acl_xattr_entry *ext_entry; + int real_size, n; + + real_size = posix_acl_xattr_size(acl->a_count); +@@ -731,7 +731,8 @@ posix_acl_to_xattr(struct user_namespace + return real_size; + if (real_size > size) + return -ERANGE; +- ++ ++ ext_entry = ext_acl->a_entries; + ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); + + for (n=0; n < acl->a_count; n++, ext_entry++) { diff --git a/queue-3.14/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch b/queue-3.14/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch new file mode 100644 index 00000000000..c30e22cad40 --- /dev/null +++ b/queue-3.14/jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch @@ -0,0 +1,73 @@ +From 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:56 -0800 +Subject: jffs2: avoid soft-lockup in jffs2_reserve_space_gc() + +From: Li Zefan + +commit 13b546d96207c131eeae15dc7b26c6e7d0f1cad7 upstream. + +We triggered soft-lockup under stress test on 2.6.34 kernel. + +BUG: soft lockup - CPU#1 stuck for 60009ms! [lockf2.test:14488] +... +[] (jffs2_do_reserve_space+0x420/0x440 [jffs2]) +[] (jffs2_reserve_space_gc+0x34/0x78 [jffs2]) +[] (jffs2_garbage_collect_dnode.isra.3+0x264/0x478 [jffs2]) +[] (jffs2_garbage_collect_pass+0x9c0/0xe4c [jffs2]) +[] (jffs2_reserve_space+0x104/0x2a8 [jffs2]) +[] (jffs2_write_inode_range+0x5c/0x4d4 [jffs2]) +[] (jffs2_write_end+0x198/0x2c0 [jffs2]) +[] (generic_file_buffered_write+0x158/0x200) +[] (__generic_file_aio_write+0x3a4/0x414) +[] (generic_file_aio_write+0x5c/0xbc) +[] (do_sync_write+0x98/0xd4) +[] (vfs_write+0xa8/0x150) +[] (sys_write+0x3c/0xc0)] + +Fix this by adding a cond_resched() in the while loop. + +[akpm@linux-foundation.org: don't initialize `ret'] +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -211,20 +211,25 @@ out: + int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, + uint32_t *len, uint32_t sumsize) + { +- int ret = -EAGAIN; ++ int ret; + minsize = PAD(minsize); + + jffs2_dbg(1, "%s(): Requested 0x%x bytes\n", __func__, minsize); + +- spin_lock(&c->erase_completion_lock); +- while(ret == -EAGAIN) { ++ while (true) { ++ spin_lock(&c->erase_completion_lock); + ret = jffs2_do_reserve_space(c, minsize, len, sumsize); + if (ret) { + jffs2_dbg(1, "%s(): looping, ret is %d\n", + __func__, ret); + } ++ spin_unlock(&c->erase_completion_lock); ++ ++ if (ret == -EAGAIN) ++ cond_resched(); ++ else ++ break; + } +- spin_unlock(&c->erase_completion_lock); + if (!ret) + ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + diff --git a/queue-3.14/jffs2-fix-crash-due-to-truncation-of-csize.patch b/queue-3.14/jffs2-fix-crash-due-to-truncation-of-csize.patch new file mode 100644 index 00000000000..e333650cb86 --- /dev/null +++ b/queue-3.14/jffs2-fix-crash-due-to-truncation-of-csize.patch @@ -0,0 +1,81 @@ +From 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 Mon Sep 17 00:00:00 2001 +From: Ajesh Kunhipurayil Vijayan +Date: Mon, 6 Jan 2014 19:06:55 +0530 +Subject: jffs2: Fix crash due to truncation of csize + +From: Ajesh Kunhipurayil Vijayan + +commit 41bf1a24c1001f4d0d41a78e1ac575d2f14789d7 upstream. + +mounting JFFS2 partition sometimes crashes with this call trace: + +[ 1322.240000] Kernel bug detected[#1]: +[ 1322.244000] Cpu 2 +[ 1322.244000] $ 0 : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001 +[ 1322.252000] $ 4 : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000 +[ 1322.260000] $ 8 : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8 +[ 1322.268000] $12 : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e +[ 1322.276000] $16 : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000 +[ 1322.284000] $20 : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0 +[ 1322.292000] $24 : 0000000000000004 0000000000000000 +[ 1322.300000] $28 : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0 +[ 1322.308000] Hi : 000000000000023c +[ 1322.312000] Lo : 000000000003f802 +[ 1322.316000] epc : ffffffffc039a9f8 check_tn_node+0x88/0x3b0 +[ 1322.320000] Not tainted +[ 1322.324000] ra : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.332000] Status: 5400f8e3 KX SX UX KERNEL EXL IE +[ 1322.336000] Cause : 00800034 +[ 1322.340000] PrId : 000c1004 (Netlogic XLP) +[ 1322.344000] Modules linked in: +[ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000) +[ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000 + c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc + c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000 + 0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180 + 0000008600000000 0000000000000000 0000000000000000 0000000000000000 + 0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000 + 0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00 + c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0 + 0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90 + 0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c + ... +[ 1322.424000] Call Trace: +[ 1322.428000] [] check_tn_node+0x88/0x3b0 +[ 1322.432000] [] jffs2_do_read_inode_internal+0x1250/0x1e48 +[ 1322.440000] [] jffs2_do_crccheck_inode+0x70/0xd0 +[ 1322.448000] [] jffs2_garbage_collect_pass+0x160/0x870 +[ 1322.452000] [] jffs2_garbage_collect_thread+0xdc/0x1f0 +[ 1322.460000] [] kthread+0xb8/0xc0 +[ 1322.464000] [] kernel_thread_helper+0x10/0x18 +[ 1322.472000] +[ 1322.472000] +Code: 67bd0050 94a4002c 2c830001 <00038036> de050218 2403fffc 0080a82d 00431824 24630044 +[ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]--- + +The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it +is used to hold the compressed data length(csize) which is declared as uint32_t. +So, when the value of csize exceeds 16bits, it gets truncated when assigned to +tn->csize. This is causing a kernel BUG. +Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue. + +Signed-off-by: Ajesh Kunhipurayil Vijayan +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodelist.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jffs2/nodelist.h ++++ b/fs/jffs2/nodelist.h +@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info + uint32_t version; + uint32_t data_crc; + uint32_t partial_crc; +- uint16_t csize; ++ uint32_t csize; + uint16_t overlapped; + }; + diff --git a/queue-3.14/jffs2-fix-segmentation-fault-found-in-stress-test.patch b/queue-3.14/jffs2-fix-segmentation-fault-found-in-stress-test.patch new file mode 100644 index 00000000000..660d094e7a1 --- /dev/null +++ b/queue-3.14/jffs2-fix-segmentation-fault-found-in-stress-test.patch @@ -0,0 +1,99 @@ +From 3367da5610c50e6b83f86d366d72b41b350b06a2 Mon Sep 17 00:00:00 2001 +From: Kamlakant Patel +Date: Mon, 6 Jan 2014 19:06:54 +0530 +Subject: jffs2: Fix segmentation fault found in stress test + +From: Kamlakant Patel + +commit 3367da5610c50e6b83f86d366d72b41b350b06a2 upstream. + +Creating a large file on a JFFS2 partition sometimes crashes with this call +trace: + +[ 306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044 +[ 306.488000] Oops[#1]: +[ 306.488000] Cpu 13 +[ 306.492000] $ 0 : 0000000000000000 0000000000000000 0000000000008008 0000000000008007 +[ 306.500000] $ 4 : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58 +[ 306.508000] $ 8 : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002 +[ 306.516000] $12 : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb +[ 306.524000] $16 : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70 +[ 306.532000] $20 : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000 +[ 306.540000] $24 : 0000000000000000 0000000000000004 +[ 306.548000] $28 : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044 +[ 306.556000] Hi : 00000000000574a5 +[ 306.560000] Lo : 6193b7a7e903d8c9 +[ 306.564000] epc : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198 +[ 306.568000] Tainted: G W +[ 306.572000] ra : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198 +[ 306.580000] Status: 5000f8e3 KX SX UX KERNEL EXL IE +[ 306.584000] Cause : 00800008 +[ 306.588000] BadVA : c0000000dfff8002 +[ 306.592000] PrId : 000c1100 (Netlogic XLP) +[ 306.596000] Modules linked in: +[ 306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490) +[ 306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f + 7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7 + 7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb + 7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93 + 7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64 + 7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53 + 7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80 + 7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3 + 7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6 + 7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9 + ... +[ 306.676000] Call Trace: +[ 306.680000] [] jffs2_rtime_compress+0x98/0x198 +[ 306.684000] [] jffs2_selected_compress+0x110/0x230 +[ 306.692000] [] jffs2_compress+0x5c/0x388 +[ 306.696000] [] jffs2_write_inode_range+0xd8/0x388 +[ 306.704000] [] jffs2_write_end+0x16c/0x2d0 +[ 306.708000] [] generic_file_buffered_write+0xf8/0x2b8 +[ 306.716000] [] __generic_file_aio_write+0x1ac/0x350 +[ 306.720000] [] generic_file_aio_write+0x80/0x168 +[ 306.728000] [] do_sync_write+0x94/0xf8 +[ 306.732000] [] vfs_write+0xa4/0x1a0 +[ 306.736000] [] SyS_write+0x50/0x90 +[ 306.744000] [] handle_sys+0x180/0x1a0 +[ 306.748000] +[ 306.748000] +Code: 020b202d 0205282d 90a50000 <90840000> 14a40038 00000000 0060602d 0000282d 016c5823 +[ 306.760000] ---[ end trace 79dd088435be02d0 ]--- +Segmentation fault + +This crash is caused because the 'positions' is declared as an array of signed +short. The value of position is in the range 0..65535, and will be converted +to a negative number when the position is greater than 32767 and causes a +corruption and crash. Changing the definition to 'unsigned short' fixes this +issue + +Signed-off-by: Jayachandran C +Signed-off-by: Kamlakant Patel +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/compr_rtime.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/compr_rtime.c ++++ b/fs/jffs2/compr_rtime.c +@@ -33,7 +33,7 @@ static int jffs2_rtime_compress(unsigned + unsigned char *cpage_out, + uint32_t *sourcelen, uint32_t *dstlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + +@@ -74,7 +74,7 @@ static int jffs2_rtime_decompress(unsign + unsigned char *cpage_out, + uint32_t srclen, uint32_t destlen) + { +- short positions[256]; ++ unsigned short positions[256]; + int outpos = 0; + int pos=0; + diff --git a/queue-3.14/jffs2-remove-from-wait-queue-after-schedule.patch b/queue-3.14/jffs2-remove-from-wait-queue-after-schedule.patch new file mode 100644 index 00000000000..8989a57ca8b --- /dev/null +++ b/queue-3.14/jffs2-remove-from-wait-queue-after-schedule.patch @@ -0,0 +1,35 @@ +From 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 12 Feb 2014 12:44:57 -0800 +Subject: jffs2: remove from wait queue after schedule() + +From: Li Zefan + +commit 3ead9578443b66ddb3d50ed4f53af8a0c0298ec5 upstream. + +@wait is a local variable, so if we don't remove it from the wait queue +list, later wake_up() may end up accessing invalid memory. + +This was spotted by eyes. + +Signed-off-by: Li Zefan +Cc: David Woodhouse +Cc: Artem Bityutskiy +Signed-off-by: Andrew Morton +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/nodemgmt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jffs2/nodemgmt.c ++++ b/fs/jffs2/nodemgmt.c +@@ -179,6 +179,7 @@ int jffs2_reserve_space(struct jffs2_sb_ + spin_unlock(&c->erase_completion_lock); + + schedule(); ++ remove_wait_queue(&c->erase_wait, &wait); + } else + spin_unlock(&c->erase_completion_lock); + } else if (ret) diff --git a/queue-3.14/series b/queue-3.14/series index 487b8a451a1..e9a71066f39 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -20,3 +20,13 @@ backing_dev-fix-hung-task-on-sync.patch bdi-avoid-oops-on-device-removal.patch xfs-fix-directory-hash-ordering-bug.patch btrfs-skip-submitting-barrier-for-missing-device.patch +btrfs-fix-deadlock-with-nested-trans-handles.patch +btrfs-check-for-an-extent_op-on-the-locked-ref.patch +ext4-fix-error-return-from-ext4_ext_handle_uninitialized_extents.patch +ext4-fix-partial-cluster-handling-for-bigalloc-file-systems.patch +ext4-fix-premature-freeing-of-partial-clusters-split-across-leaf-blocks.patch +fs-null-dereference-in-posix_acl_to_xattr.patch +jffs2-fix-segmentation-fault-found-in-stress-test.patch +jffs2-fix-crash-due-to-truncation-of-csize.patch +jffs2-avoid-soft-lockup-in-jffs2_reserve_space_gc.patch +jffs2-remove-from-wait-queue-after-schedule.patch