From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 28 Jun 2014 01:14:34 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.96~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a629df57d7b6d70a253228dfc97f43c790b606d7;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
	btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
	btrfs-use-right-type-to-get-real-comparison.patch
	fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
---

diff --git a/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch b/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
new file mode 100644
index 00000000000..0e5e1c82ca1
--- /dev/null
+++ b/queue-3.4/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
@@ -0,0 +1,45 @@
+From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 12 Jun 2014 00:39:58 -0500
+Subject: btrfs: fix use of uninit "ret" in end_extent_writepage()
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream.
+
+If this condition in end_extent_writepage() is false:
+
+	if (tree->ops && tree->ops->writepage_end_io_hook)
+
+we will then test an uninitialized "ret" at:
+
+	ret = ret < 0 ? ret : -EIO;
+
+The test for ret is for the case where ->writepage_end_io_hook
+failed, and we'd choose that ret as the error; but if
+there is no ->writepage_end_io_hook, nothing sets ret.
+
+Initializing ret to 0 should be sufficient; if
+writepage_end_io_hook wasn't set, (!uptodate) means
+non-zero err was passed in, so we choose -EIO in that case.
+
+Signed-of-by: Eric Sandeen <sandeen@redhat.com>
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2245,7 +2245,7 @@ int end_extent_writepage(struct page *pa
+ {
+ 	int uptodate = (err == 0);
+ 	struct extent_io_tree *tree;
+-	int ret;
++	int ret = 0;
+ 
+ 	tree = &BTRFS_I(page->mapping->host)->io_tree;
+ 
diff --git a/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch b/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch
new file mode 100644
index 00000000000..a44faa74a88
--- /dev/null
+++ b/queue-3.4/btrfs-use-right-type-to-get-real-comparison.patch
@@ -0,0 +1,31 @@
+From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Sun, 8 Jun 2014 19:04:13 +0800
+Subject: Btrfs: use right type to get real comparison
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream.
+
+We want to make sure the point is still within the extent item, not to verify
+the memory it's pointing to.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/backref.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1033,7 +1033,7 @@ static int __get_extent_inline_ref(unsig
+ 			*out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1);
+ 		}
+ 		*ptr = (unsigned long)*out_eiref;
+-		if ((void *)*ptr >= (void *)ei + item_size)
++		if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size)
+ 			return -ENOENT;
+ 	}
+ 
diff --git a/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch b/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
new file mode 100644
index 00000000000..300f313c9b4
--- /dev/null
+++ b/queue-3.4/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Date: Thu, 22 May 2014 22:43:43 +0200
+Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference
+
+From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+
+commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream.
+
+There is otherwise a risk of a possible null pointer dereference.
+
+Was largely found by using a static code analysis program called cppcheck.
+
+Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1446,11 +1446,12 @@ int btrfs_rm_device(struct btrfs_root *r
+ 		struct btrfs_fs_devices *fs_devices;
+ 		fs_devices = root->fs_info->fs_devices;
+ 		while (fs_devices) {
+-			if (fs_devices->seed == cur_devices)
++			if (fs_devices->seed == cur_devices) {
++				fs_devices->seed = cur_devices->seed;
+ 				break;
++			}
+ 			fs_devices = fs_devices->seed;
+ 		}
+-		fs_devices->seed = cur_devices->seed;
+ 		cur_devices->seed = NULL;
+ 		lock_chunks(root);
+ 		__btrfs_close_devices(cur_devices);
diff --git a/queue-3.4/series b/queue-3.4/series
index dcae2e80673..f117b44eaf3 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -36,3 +36,6 @@ skbuff-add-an-api-to-orphan-frags.patch
 skbuff-export-skb_copy_ubufs.patch
 skbuff-skb_segment-orphan-frags-before-copying.patch
 btrfs-fix-double-free-in-find_lock_delalloc_range.patch
+fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch
+btrfs-use-right-type-to-get-real-comparison.patch
+btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch