From: Greg Kroah-Hartman Date: Sat, 28 Jun 2014 01:12:24 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.4.96~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3af8bc5717936f7f7669ddce3257d425cb00676;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch btrfs-allocate-raid-type-kobjects-dynamically.patch btrfs-don-t-check-nodes-for-extent-items.patch btrfs-fix-double-free-in-find_lock_delalloc_range.patch btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch btrfs-set-right-total-device-count-for-seeding-support.patch btrfs-use-right-type-to-get-real-comparison.patch cifs-fix-memory-leaks-in-smb2_open.patch fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch x86-x32-use-compat-shims-for-io_-setup-submit.patch --- diff --git a/queue-3.14/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch b/queue-3.14/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch new file mode 100644 index 00000000000..1266d219465 --- /dev/null +++ b/queue-3.14/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch @@ -0,0 +1,45 @@ +From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001 +From: Benjamin LaHaise +Date: Tue, 24 Jun 2014 13:12:55 -0400 +Subject: aio: fix aio request leak when events are reaped by userspace + +From: Benjamin LaHaise + +commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream. + +The aio cleanups and optimizations by kmo that were merged into the 3.10 +tree added a regression for userspace event reaping. Specifically, the +reference counts are not decremented if the event is reaped in userspace, +leading to the application being unable to submit further aio requests. +This patch applies to 3.12+. A separate backport is required for 3.10/3.11. +This issue was uncovered as part of CVE-2014-0206. + +Signed-off-by: Benjamin LaHaise +Cc: Kent Overstreet +Cc: Mateusz Guzik +Cc: Petr Matousek +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1007,6 +1007,7 @@ void aio_complete(struct kiocb *iocb, lo + + /* everything turned out well, dispose of the aiocb. */ + kiocb_free(iocb); ++ put_reqs_available(ctx, 1); + + /* + * We have to order our ring_info tail store above and test +@@ -1086,8 +1087,6 @@ static long aio_read_events_ring(struct + flush_dcache_page(ctx->ring_pages[0]); + + pr_debug("%li h%u t%u\n", ret, head, tail); +- +- put_reqs_available(ctx, ret); + out: + mutex_unlock(&ctx->ring_lock); + diff --git a/queue-3.14/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch b/queue-3.14/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch new file mode 100644 index 00000000000..b68c1d6df44 --- /dev/null +++ b/queue-3.14/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch @@ -0,0 +1,42 @@ +From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001 +From: Benjamin LaHaise +Date: Tue, 24 Jun 2014 13:32:51 -0400 +Subject: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 + +From: Benjamin LaHaise + +commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream. + +A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 +by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to +aio_read_events_ring() failed to correctly limit the index into +ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of +an arbitrary page with a copy_to_user() to copy the contents into userspace. +This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and +Petr for disclosing this issue. + +This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. + +Signed-off-by: Benjamin LaHaise +Cc: Mateusz Guzik +Cc: Petr Matousek +Cc: Kent Overstreet +Cc: Jeff Moyer +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1049,6 +1049,9 @@ static long aio_read_events_ring(struct + if (head == tail) + goto out; + ++ head %= ctx->nr_events; ++ tail %= ctx->nr_events; ++ + while (ret < nr) { + long avail; + struct io_event *ev; diff --git a/queue-3.14/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch b/queue-3.14/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch new file mode 100644 index 00000000000..c9274806244 --- /dev/null +++ b/queue-3.14/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch @@ -0,0 +1,75 @@ +From e47043aea3853a74a9aa5726a1faa916d7462ab7 Mon Sep 17 00:00:00 2001 +From: Jason Cooper +Date: Wed, 4 Jun 2014 13:41:20 +0000 +Subject: ARM: mvebu: DT: fix OpenBlocks AX3-4 RAM size + +From: Jason Cooper + +commit e47043aea3853a74a9aa5726a1faa916d7462ab7 upstream. + +The OpenBlocks AX3-4 has a non-DT bootloader. It also comes with 1GB of +soldered on RAM, and a DIMM slot for expansion. + +Unfortunately, atags_to_fdt() doesn't work in big-endian mode, so we see +the following failure when attempting to boot a big-endian kernel: + + 686 slab pages + 17 pages shared + 0 pages swap cached + [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name + Kernel panic - not syncing: Out of memory and no killable processes... + + CPU: 1 PID: 351 Comm: kworker/u4:0 Not tainted 3.15.0-rc8-next-20140603 #1 + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x78/0x94) + [] (dump_stack) from [] (panic+0x90/0x21c) + [] (panic) from [] (out_of_memory+0x320/0x340) + [] (out_of_memory) from [] (__alloc_pages_nodemask+0x874/0x930) + [] (__alloc_pages_nodemask) from [] (handle_mm_fault+0x744/0x96c) + [] (handle_mm_fault) from [] (__get_user_pages+0xd0/0x4c0) + [] (__get_user_pages) from [] (get_arg_page+0x54/0xbc) + [] (get_arg_page) from [] (copy_strings+0x278/0x29c) + [] (copy_strings) from [] (copy_strings_kernel+0x20/0x28) + [] (copy_strings_kernel) from [] (do_execve+0x3a8/0x4c8) + [] (do_execve) from [] (____call_usermodehelper+0x15c/0x194) + [] (____call_usermodehelper) from [] (ret_from_fork+0x14/0x3c) + CPU0: stopping + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.15.0-rc8-next-20140603 #1 + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x78/0x94) + [] (dump_stack) from [] (handle_IPI+0x138/0x174) + [] (handle_IPI) from [] (armada_370_xp_handle_irq+0xb0/0xcc) + [] (armada_370_xp_handle_irq) from [] (__irq_svc+0x40/0x50) + Exception stack(0xc0b6bf68 to 0xc0b6bfb0) + bf60: e9fad598 00000000 00f509a3 00000000 c0b6a000 c0b724c4 + bf80: c0b72458 c0b6a000 00000000 00000000 c0b66da0 c0b6a000 00000000 c0b6bfb0 + bfa0: c027bb94 c027bb24 60000313 ffffffff + [] (__irq_svc) from [] (cpu_startup_entry+0x54/0x214) + [] (cpu_startup_entry) from [] (start_kernel+0x318/0x37c) + [] (start_kernel) from [<00208078>] (0x208078) + ---[ end Kernel panic - not syncing: Out of memory and no killable processes... + +A similar failure will also occur if ARM_ATAG_DTB_COMPAT isn't selected. + +Fix this by setting a sane default (1 GB) in the dts file. + +Signed-off-by: Jason Cooper +Tested-by: Kevin Hilman +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts ++++ b/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts +@@ -23,7 +23,7 @@ + + memory { + device_type = "memory"; +- reg = <0 0x00000000 0 0xC0000000>; /* 3 GB */ ++ reg = <0 0x00000000 0 0x40000000>; /* 1 GB soldered on */ + }; + + soc { diff --git a/queue-3.14/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch b/queue-3.14/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch new file mode 100644 index 00000000000..b52ea2d955e --- /dev/null +++ b/queue-3.14/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch @@ -0,0 +1,32 @@ +From f3a183cb422574014538017b5b291a416396f97e Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Fri, 6 Jun 2014 23:07:16 +0100 +Subject: arm64/dma: Removing ARCH_HAS_DMA_GET_REQUIRED_MASK macro + +From: Suravee Suthikulpanit + +commit f3a183cb422574014538017b5b291a416396f97e upstream. + +Arm64 does not define dma_get_required_mask() function. +Therefore, it should not define the ARCH_HAS_DMA_GET_REQUIRED_MASK. +This causes build errors in some device drivers (e.g. mpt2sas) + +Signed-off-by: Suravee Suthikulpanit +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/dma-mapping.h | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm64/include/asm/dma-mapping.h ++++ b/arch/arm64/include/asm/dma-mapping.h +@@ -26,8 +26,6 @@ + #include + #include + +-#define ARCH_HAS_DMA_GET_REQUIRED_MASK +- + #define DMA_ERROR_CODE (~(dma_addr_t)0) + extern struct dma_map_ops *dma_ops; + diff --git a/queue-3.14/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch b/queue-3.14/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch new file mode 100644 index 00000000000..96ad64053eb --- /dev/null +++ b/queue-3.14/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch @@ -0,0 +1,76 @@ +From 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 16 Apr 2014 17:02:32 +0800 +Subject: btrfs: Add ctime/mtime update for btrfs device add/remove. + +From: Qu Wenruo + +commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream. + +Btrfs will send uevent to udev inform the device change, +but ctime/mtime for the block device inode is not udpated, which cause +libblkid used by btrfs-progs unable to detect device change and use old +cache, causing 'btrfs dev scan; btrfs dev rmove; btrfs dev scan' give an +error message. + +Reported-by: Tsutomu Itoh +Cc: Karel Zak +Signed-off-by: Qu Wenruo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1438,6 +1438,22 @@ out: + return ret; + } + ++/* ++ * Function to update ctime/mtime for a given device path. ++ * Mainly used for ctime/mtime based probe like libblkid. ++ */ ++static void update_dev_time(char *path_name) ++{ ++ struct file *filp; ++ ++ filp = filp_open(path_name, O_RDWR, 0); ++ if (!filp) ++ return; ++ file_update_time(filp); ++ filp_close(filp, NULL); ++ return; ++} ++ + static int btrfs_rm_dev_item(struct btrfs_root *root, + struct btrfs_device *device) + { +@@ -1690,10 +1706,14 @@ int btrfs_rm_device(struct btrfs_root *r + + ret = 0; + +- /* Notify udev that device has changed */ +- if (bdev) ++ if (bdev) { ++ /* Notify udev that device has changed */ + btrfs_kobject_uevent(bdev, KOBJ_CHANGE); + ++ /* Update ctime/mtime for device path for libblkid */ ++ update_dev_time(device_path); ++ } ++ + error_brelse: + brelse(bh); + if (bdev) +@@ -2132,6 +2152,8 @@ int btrfs_init_new_device(struct btrfs_r + ret = btrfs_commit_transaction(trans, root); + } + ++ /* Update ctime/mtime for libblkid */ ++ update_dev_time(device_path); + return ret; + + error_trans: diff --git a/queue-3.14/btrfs-allocate-raid-type-kobjects-dynamically.patch b/queue-3.14/btrfs-allocate-raid-type-kobjects-dynamically.patch new file mode 100644 index 00000000000..1ddb612e3fb --- /dev/null +++ b/queue-3.14/btrfs-allocate-raid-type-kobjects-dynamically.patch @@ -0,0 +1,179 @@ +From c1895442be01c58449e3bf9272f22062a670e08f Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 27 May 2014 12:59:57 -0400 +Subject: btrfs: allocate raid type kobjects dynamically + +From: Jeff Mahoney + +commit c1895442be01c58449e3bf9272f22062a670e08f upstream. + +We are currently allocating space_info objects in an array when we +allocate space_info. When a user does something like: + +# btrfs balance start -mconvert=raid1 -dconvert=raid1 /mnt +# btrfs balance start -mconvert=single -dconvert=single /mnt -f +# btrfs balance start -mconvert=raid1 -dconvert=raid1 / + +We can end up with memory corruption since the kobject hasn't +been reinitialized properly and the name pointer was left set. + +The rationale behind allocating them statically was to avoid +creating a separate kobject container that just contained the +raid type. It used the index in the array to determine the index. + +Ultimately, though, this wastes more memory than it saves in all +but the most complex scenarios and introduces kobject lifetime +questions. + +This patch allocates the kobjects dynamically instead. Note that +we also remove the kobject_get/put of the parent kobject since +kobject_add and kobject_del do that internally. + +Signed-off-by: Jeff Mahoney +Reported-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.h | 8 +++++++- + fs/btrfs/extent-tree.c | 39 ++++++++++++++++++++++++++------------- + fs/btrfs/sysfs.c | 5 +++-- + 3 files changed, 36 insertions(+), 16 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1104,6 +1104,12 @@ struct btrfs_qgroup_limit_item { + __le64 rsv_excl; + } __attribute__ ((__packed__)); + ++/* For raid type sysfs entries */ ++struct raid_kobject { ++ int raid_type; ++ struct kobject kobj; ++}; ++ + struct btrfs_space_info { + spinlock_t lock; + +@@ -1154,7 +1160,7 @@ struct btrfs_space_info { + wait_queue_head_t wait; + + struct kobject kobj; +- struct kobject block_group_kobjs[BTRFS_NR_RAID_TYPES]; ++ struct kobject *block_group_kobjs[BTRFS_NR_RAID_TYPES]; + }; + + #define BTRFS_BLOCK_RSV_GLOBAL 1 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3400,10 +3400,8 @@ static int update_space_info(struct btrf + return ret; + } + +- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) { ++ for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) + INIT_LIST_HEAD(&found->block_groups[i]); +- kobject_init(&found->block_group_kobjs[i], &btrfs_raid_ktype); +- } + init_rwsem(&found->groups_sem); + spin_lock_init(&found->lock); + found->flags = flags & BTRFS_BLOCK_GROUP_TYPE_MASK; +@@ -8328,8 +8326,9 @@ int btrfs_free_block_groups(struct btrfs + list_del(&space_info->list); + for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) { + struct kobject *kobj; +- kobj = &space_info->block_group_kobjs[i]; +- if (kobj->parent) { ++ kobj = space_info->block_group_kobjs[i]; ++ space_info->block_group_kobjs[i] = NULL; ++ if (kobj) { + kobject_del(kobj); + kobject_put(kobj); + } +@@ -8353,17 +8352,26 @@ static void __link_block_group(struct bt + up_write(&space_info->groups_sem); + + if (first) { +- struct kobject *kobj = &space_info->block_group_kobjs[index]; ++ struct raid_kobject *rkobj; + int ret; + +- kobject_get(&space_info->kobj); /* put in release */ +- ret = kobject_add(kobj, &space_info->kobj, "%s", +- get_raid_name(index)); ++ rkobj = kzalloc(sizeof(*rkobj), GFP_NOFS); ++ if (!rkobj) ++ goto out_err; ++ rkobj->raid_type = index; ++ kobject_init(&rkobj->kobj, &btrfs_raid_ktype); ++ ret = kobject_add(&rkobj->kobj, &space_info->kobj, ++ "%s", get_raid_name(index)); + if (ret) { +- pr_warn("BTRFS: failed to add kobject for block cache. ignoring.\n"); +- kobject_put(&space_info->kobj); ++ kobject_put(&rkobj->kobj); ++ goto out_err; + } ++ space_info->block_group_kobjs[index] = &rkobj->kobj; + } ++ ++ return; ++out_err: ++ pr_warn("BTRFS: failed to add kobject for block cache. ignoring.\n"); + } + + static struct btrfs_block_group_cache * +@@ -8698,6 +8706,7 @@ int btrfs_remove_block_group(struct btrf + struct btrfs_root *tree_root = root->fs_info->tree_root; + struct btrfs_key key; + struct inode *inode; ++ struct kobject *kobj = NULL; + int ret; + int index; + int factor; +@@ -8797,11 +8806,15 @@ int btrfs_remove_block_group(struct btrf + */ + list_del_init(&block_group->list); + if (list_empty(&block_group->space_info->block_groups[index])) { +- kobject_del(&block_group->space_info->block_group_kobjs[index]); +- kobject_put(&block_group->space_info->block_group_kobjs[index]); ++ kobj = block_group->space_info->block_group_kobjs[index]; ++ block_group->space_info->block_group_kobjs[index] = NULL; + clear_avail_alloc_bits(root->fs_info, block_group->flags); + } + up_write(&block_group->space_info->groups_sem); ++ if (kobj) { ++ kobject_del(kobj); ++ kobject_put(kobj); ++ } + + if (block_group->cached == BTRFS_CACHE_STARTED) + wait_block_group_cache_done(block_group); +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -253,6 +253,7 @@ static ssize_t global_rsv_reserved_show( + BTRFS_ATTR(global_rsv_reserved, 0444, global_rsv_reserved_show); + + #define to_space_info(_kobj) container_of(_kobj, struct btrfs_space_info, kobj) ++#define to_raid_kobj(_kobj) container_of(_kobj, struct raid_kobject, kobj) + + static ssize_t raid_bytes_show(struct kobject *kobj, + struct kobj_attribute *attr, char *buf); +@@ -265,7 +266,7 @@ static ssize_t raid_bytes_show(struct ko + { + struct btrfs_space_info *sinfo = to_space_info(kobj->parent); + struct btrfs_block_group_cache *block_group; +- int index = kobj - sinfo->block_group_kobjs; ++ int index = to_raid_kobj(kobj)->raid_type; + u64 val = 0; + + down_read(&sinfo->groups_sem); +@@ -287,7 +288,7 @@ static struct attribute *raid_attributes + + static void release_raid_kobj(struct kobject *kobj) + { +- kobject_put(kobj->parent); ++ kfree(to_raid_kobj(kobj)); + } + + struct kobj_type btrfs_raid_ktype = { diff --git a/queue-3.14/btrfs-don-t-check-nodes-for-extent-items.patch b/queue-3.14/btrfs-don-t-check-nodes-for-extent-items.patch new file mode 100644 index 00000000000..524de9c9f37 --- /dev/null +++ b/queue-3.14/btrfs-don-t-check-nodes-for-extent-items.patch @@ -0,0 +1,40 @@ +From 8a56457f5f8fa7c2698ffae8545214c5b96a2cb5 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 5 Jun 2014 16:08:45 -0400 +Subject: Btrfs: don't check nodes for extent items + +From: Josef Bacik + +commit 8a56457f5f8fa7c2698ffae8545214c5b96a2cb5 upstream. + +The backref code was looking at nodes as well as leaves when we tried to +populate extent item entries. This is not good, and although we go away with it +for the most part because we'd skip where disk_bytenr != random_memory, +sometimes random_memory would match and suddenly boom. This fixes that problem. +Thanks, + +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -972,11 +972,12 @@ again: + goto out; + } + if (ref->count && ref->parent) { +- if (extent_item_pos && !ref->inode_list) { ++ if (extent_item_pos && !ref->inode_list && ++ ref->level == 0) { + u32 bsz; + struct extent_buffer *eb; + bsz = btrfs_level_size(fs_info->extent_root, +- info_level); ++ ref->level); + eb = read_tree_block(fs_info->extent_root, + ref->parent, bsz, 0); + if (!eb || !extent_buffer_uptodate(eb)) { diff --git a/queue-3.14/btrfs-fix-double-free-in-find_lock_delalloc_range.patch b/queue-3.14/btrfs-fix-double-free-in-find_lock_delalloc_range.patch new file mode 100644 index 00000000000..73bc2eef571 --- /dev/null +++ b/queue-3.14/btrfs-fix-double-free-in-find_lock_delalloc_range.patch @@ -0,0 +1,29 @@ +From 7d78874273463a784759916fc3e0b4e2eb141c70 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Wed, 21 May 2014 05:49:54 -0700 +Subject: Btrfs: fix double free in find_lock_delalloc_range + +From: Chris Mason + +commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream. + +We need to NULL the cached_state after freeing it, otherwise +we might free it again if find_delalloc_range doesn't find anything. + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1686,6 +1686,7 @@ again: + * shortening the size of the delalloc range we're searching + */ + free_extent_state(cached_state); ++ cached_state = NULL; + if (!loops) { + max_bytes = PAGE_CACHE_SIZE; + loops = 1; diff --git a/queue-3.14/btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch b/queue-3.14/btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch new file mode 100644 index 00000000000..201313f0311 --- /dev/null +++ b/queue-3.14/btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch @@ -0,0 +1,79 @@ +From ed55b6ac077fe7f9c6490ff55172c4b563562d7c Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Wed, 26 Mar 2014 14:11:26 -0400 +Subject: btrfs: fix lockdep warning with reclaim lock inversion + +From: Jeff Mahoney + +commit ed55b6ac077fe7f9c6490ff55172c4b563562d7c upstream. + +When encountering memory pressure, testers have run into the following +lockdep warning. It was caused by __link_block_group calling kobject_add +with the groups_sem held. kobject_add calls kvasprintf with GFP_KERNEL, +which gets us into reclaim context. The kobject doesn't actually need +to be added under the lock -- it just needs to ensure that it's only +added for the first block group to be linked. + +========================================================= +[ INFO: possible irq lock inversion dependency detected ] +3.14.0-rc8-default #1 Not tainted +--------------------------------------------------------- +kswapd0/169 just changed the state of lock: + (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x200 [btrfs] +but this lock took another, RECLAIM_FS-unsafe lock in the past: + (&found->groups_sem){+++++.} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&found->groups_sem); + local_irq_disable(); + lock(&delayed_node->mutex); + lock(&found->groups_sem); + + lock(&delayed_node->mutex); + + *** DEADLOCK *** +2 locks held by kswapd0/169: + #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x3a/0x160 + #1: (&type->s_umount_key#27){++++..}, at: [] grab_super_passive+0x3f/0x90 + +Signed-off-by: Jeff Mahoney +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -8344,9 +8344,15 @@ static void __link_block_group(struct bt + struct btrfs_block_group_cache *cache) + { + int index = get_block_group_index(cache); ++ bool first = false; + + down_write(&space_info->groups_sem); +- if (list_empty(&space_info->block_groups[index])) { ++ if (list_empty(&space_info->block_groups[index])) ++ first = true; ++ list_add_tail(&cache->list, &space_info->block_groups[index]); ++ up_write(&space_info->groups_sem); ++ ++ if (first) { + struct kobject *kobj = &space_info->block_group_kobjs[index]; + int ret; + +@@ -8358,8 +8364,6 @@ static void __link_block_group(struct bt + kobject_put(&space_info->kobj); + } + } +- list_add_tail(&cache->list, &space_info->block_groups[index]); +- up_write(&space_info->groups_sem); + } + + static struct btrfs_block_group_cache * diff --git a/queue-3.14/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch b/queue-3.14/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch new file mode 100644 index 00000000000..aa3cbd1fb0b --- /dev/null +++ b/queue-3.14/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch @@ -0,0 +1,43 @@ +From 29cc83f69c8338ff8fd1383c9be263d4bdf52d73 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Sun, 11 May 2014 23:14:59 +0800 +Subject: Btrfs: fix NULL pointer crash of deleting a seed device + +From: Liu Bo + +commit 29cc83f69c8338ff8fd1383c9be263d4bdf52d73 upstream. + +Same as normal devices, seed devices should be initialized with +fs_info->dev_root as well, otherwise we'll get a NULL pointer crash. + +Cc: Chris Murphy +Reported-by: Chris Murphy +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6057,10 +6057,14 @@ void btrfs_init_devices_late(struct btrf + struct btrfs_fs_devices *fs_devices = fs_info->fs_devices; + struct btrfs_device *device; + +- mutex_lock(&fs_devices->device_list_mutex); +- list_for_each_entry(device, &fs_devices->devices, dev_list) +- device->dev_root = fs_info->dev_root; +- mutex_unlock(&fs_devices->device_list_mutex); ++ while (fs_devices) { ++ mutex_lock(&fs_devices->device_list_mutex); ++ list_for_each_entry(device, &fs_devices->devices, dev_list) ++ device->dev_root = fs_info->dev_root; ++ mutex_unlock(&fs_devices->device_list_mutex); ++ ++ fs_devices = fs_devices->seed; ++ } + } + + static void __btrfs_reset_dev_stats(struct btrfs_device *dev) diff --git a/queue-3.14/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch b/queue-3.14/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch new file mode 100644 index 00000000000..ccd8bb8aa3a --- /dev/null +++ b/queue-3.14/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch @@ -0,0 +1,117 @@ +From 6eda71d0c030af0fc2f68aaa676e6d445600855b Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 9 Jun 2014 10:54:07 +0800 +Subject: Btrfs: fix scrub_print_warning to handle skinny metadata extents + +From: Liu Bo + +commit 6eda71d0c030af0fc2f68aaa676e6d445600855b upstream. + +The skinny extents are intepreted incorrectly in scrub_print_warning(), +and end up hitting the BUG() in btrfs_extent_inline_ref_size. + +Reported-by: Konstantinos Skarlatos +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 30 +++++++++++++++++++----------- + fs/btrfs/backref.h | 4 ++-- + fs/btrfs/scrub.c | 5 +++-- + 3 files changed, 24 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1412,9 +1412,10 @@ int extent_from_logical(struct btrfs_fs_ + * returns <0 on error + */ + static int __get_extent_inline_ref(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- struct btrfs_extent_inline_ref **out_eiref, +- int *out_type) ++ struct btrfs_key *key, ++ struct btrfs_extent_item *ei, u32 item_size, ++ struct btrfs_extent_inline_ref **out_eiref, ++ int *out_type) + { + unsigned long end; + u64 flags; +@@ -1424,9 +1425,16 @@ static int __get_extent_inline_ref(unsig + /* first call */ + flags = btrfs_extent_flags(eb, ei); + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { +- info = (struct btrfs_tree_block_info *)(ei + 1); +- *out_eiref = +- (struct btrfs_extent_inline_ref *)(info + 1); ++ if (key->type == BTRFS_METADATA_ITEM_KEY) { ++ /* a skinny metadata extent */ ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(ei + 1); ++ } else { ++ WARN_ON(key->type != BTRFS_EXTENT_ITEM_KEY); ++ info = (struct btrfs_tree_block_info *)(ei + 1); ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(info + 1); ++ } + } else { + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } +@@ -1436,7 +1444,7 @@ static int __get_extent_inline_ref(unsig + } + + end = (unsigned long)ei + item_size; +- *out_eiref = (struct btrfs_extent_inline_ref *)*ptr; ++ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr); + *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref); + + *ptr += btrfs_extent_inline_ref_size(*out_type); +@@ -1455,8 +1463,8 @@ static int __get_extent_inline_ref(unsig + * <0 on error. + */ + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level) ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level) + { + int ret; + int type; +@@ -1467,8 +1475,8 @@ int tree_backref_for_extent(unsigned lon + return 1; + + while (1) { +- ret = __get_extent_inline_ref(ptr, eb, ei, item_size, +- &eiref, &type); ++ ret = __get_extent_inline_ref(ptr, eb, key, ei, item_size, ++ &eiref, &type); + if (ret < 0) + return ret; + +--- a/fs/btrfs/backref.h ++++ b/fs/btrfs/backref.h +@@ -40,8 +40,8 @@ int extent_from_logical(struct btrfs_fs_ + u64 *flags); + + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level); ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level); + + int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + u64 extent_item_objectid, +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -577,8 +577,9 @@ static void scrub_print_warning(const ch + + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { + do { +- ret = tree_backref_for_extent(&ptr, eb, ei, item_size, +- &ref_root, &ref_level); ++ ret = tree_backref_for_extent(&ptr, eb, &found_key, ei, ++ item_size, &ref_root, ++ &ref_level); + printk_in_rcu(KERN_WARNING + "BTRFS: %s at logical %llu on dev %s, " + "sector %llu: metadata %s (level %d) in tree " diff --git a/queue-3.14/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch b/queue-3.14/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch new file mode 100644 index 00000000000..19d5c1ddbd8 --- /dev/null +++ b/queue-3.14/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch @@ -0,0 +1,45 @@ +From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Thu, 12 Jun 2014 00:39:58 -0500 +Subject: btrfs: fix use of uninit "ret" in end_extent_writepage() + +From: Eric Sandeen + +commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream. + +If this condition in end_extent_writepage() is false: + + if (tree->ops && tree->ops->writepage_end_io_hook) + +we will then test an uninitialized "ret" at: + + ret = ret < 0 ? ret : -EIO; + +The test for ret is for the case where ->writepage_end_io_hook +failed, and we'd choose that ret as the error; but if +there is no ->writepage_end_io_hook, nothing sets ret. + +Initializing ret to 0 should be sufficient; if +writepage_end_io_hook wasn't set, (!uptodate) means +non-zero err was passed in, so we choose -EIO in that case. + +Signed-of-by: Eric Sandeen + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2347,7 +2347,7 @@ int end_extent_writepage(struct page *pa + { + int uptodate = (err == 0); + struct extent_io_tree *tree; +- int ret; ++ int ret = 0; + + tree = &BTRFS_I(page->mapping->host)->io_tree; + diff --git a/queue-3.14/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch b/queue-3.14/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch new file mode 100644 index 00000000000..4dd49bf43ef --- /dev/null +++ b/queue-3.14/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch @@ -0,0 +1,44 @@ +From de348ee022175401e77d7662b7ca6e231a94e3fd Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Wed, 9 Apr 2014 19:23:22 +0800 +Subject: Btrfs: make sure there are not any read requests before stopping workers + +From: Wang Shilong + +commit de348ee022175401e77d7662b7ca6e231a94e3fd upstream. + +In close_ctree(), after we have stopped all workers,there maybe still +some read requests(for example readahead) to submit and this *maybe* trigger +an oops that user reported before: + +kernel BUG at fs/btrfs/async-thread.c:619! + +By hacking codes, i can reproduce this problem with one cpu available. +We fix this potential problem by invalidating all btree inode pages before +stopping all workers. + +Thanks to Miao for pointing out this problem. + +Signed-off-by: Wang Shilong +Reviewed-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3598,6 +3598,11 @@ int close_ctree(struct btrfs_root *root) + + btrfs_free_block_groups(fs_info); + ++ /* ++ * we must make sure there is not any read request to ++ * submit after we stopping all workers. ++ */ ++ invalidate_inode_pages2(fs_info->btree_inode->i_mapping); + btrfs_stop_all_workers(fs_info); + + free_root_pointers(fs_info, 1); diff --git a/queue-3.14/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch b/queue-3.14/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch new file mode 100644 index 00000000000..ec708c72f6b --- /dev/null +++ b/queue-3.14/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch @@ -0,0 +1,34 @@ +From 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 12 May 2014 12:47:36 +0800 +Subject: Btrfs: mark mapping with error flag to report errors to userspace + +From: Liu Bo + +commit 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 upstream. + +According to commit 865ffef3797da2cac85b3354b5b6050dc9660978 +(fs: fix fsync() error reporting), +it's not stable to just check error pages because pages can be +truncated or invalidated, we should also mark mapping with error +flag so that a later fsync can catch the error. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2361,6 +2361,8 @@ int end_extent_writepage(struct page *pa + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); ++ ret = ret < 0 ? ret : -EIO; ++ mapping_set_error(page->mapping, ret); + } + return 0; + } diff --git a/queue-3.14/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch b/queue-3.14/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch new file mode 100644 index 00000000000..2e370f6ebcc --- /dev/null +++ b/queue-3.14/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch @@ -0,0 +1,42 @@ +From 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 Mon Sep 17 00:00:00 2001 +From: Miao Xie +Date: Thu, 24 Apr 2014 13:31:55 +0800 +Subject: Btrfs: output warning instead of error when loading free space cache failed + +From: Miao Xie + +commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream. + +If we fail to load a free space cache, we can rebuild it from the extent tree, +so it is not a serious error, we should not output a error message that +would make the users uncomfortable. This patch uses warning message instead +of it. + +Signed-off-by: Miao Xie +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/free-space-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -831,7 +831,7 @@ int load_free_space_cache(struct btrfs_f + + if (!matched) { + __btrfs_remove_free_space_cache(ctl); +- btrfs_err(fs_info, "block group %llu has wrong amount of free space", ++ btrfs_warn(fs_info, "block group %llu has wrong amount of free space", + block_group->key.objectid); + ret = -1; + } +@@ -843,7 +843,7 @@ out: + spin_unlock(&block_group->lock); + ret = 0; + +- btrfs_err(fs_info, "failed to load free space cache for block group %llu", ++ btrfs_warn(fs_info, "failed to load free space cache for block group %llu, rebuild it now", + block_group->key.objectid); + } + diff --git a/queue-3.14/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch b/queue-3.14/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch new file mode 100644 index 00000000000..cb2c705ef6c --- /dev/null +++ b/queue-3.14/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch @@ -0,0 +1,55 @@ +From 1af56070e3ef9477dbc7eba3b9ad7446979c7974 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sun, 25 May 2014 04:49:24 +0100 +Subject: Btrfs: send, don't error in the presence of subvols/snapshots + +From: Filipe Manana + +commit 1af56070e3ef9477dbc7eba3b9ad7446979c7974 upstream. + +If we are doing an incremental send and the base snapshot has a +directory with name X that doesn't exist anymore in the second +snapshot and a new subvolume/snapshot exists in the second snapshot +that has the same name as the directory (name X), the incremental +send would fail with -ENOENT error. This is because it attempts +to lookup for an inode with a number matching the objectid of a +root, which doesn't exist. + +Steps to reproduce: + + mkfs.btrfs -f /dev/sdd + mount /dev/sdd /mnt + + mkdir /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap1 + + rmdir /mnt/testdir + btrfs subvolume create /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap2 + + btrfs send -p /mnt/mysnap1 /mnt/mysnap2 -f /tmp/send.data + +A test case for xfstests follows. + +Reported-by: Robert White +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/send.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -1589,6 +1589,10 @@ static int lookup_dir_item_inode(struct + goto out; + } + btrfs_dir_item_key_to_cpu(path->nodes[0], di, &key); ++ if (key.type == BTRFS_ROOT_ITEM_KEY) { ++ ret = -ENOENT; ++ goto out; ++ } + *found_inode = key.objectid; + *found_type = btrfs_dir_type(path->nodes[0], di); + diff --git a/queue-3.14/btrfs-set-right-total-device-count-for-seeding-support.patch b/queue-3.14/btrfs-set-right-total-device-count-for-seeding-support.patch new file mode 100644 index 00000000000..5fbd6822da6 --- /dev/null +++ b/queue-3.14/btrfs-set-right-total-device-count-for-seeding-support.patch @@ -0,0 +1,45 @@ +From 298658414a2f0bea1f05a81876a45c1cd96aa2e0 Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Tue, 13 May 2014 17:05:06 +0800 +Subject: Btrfs: set right total device count for seeding support + +From: Wang Shilong + +commit 298658414a2f0bea1f05a81876a45c1cd96aa2e0 upstream. + +Seeding device support allows us to create a new filesystem +based on existed filesystem. + +However newly created filesystem's @total_devices should include seed +devices. This patch fix the following problem: + + # mkfs.btrfs -f /dev/sdb + # btrfstune -S 1 /dev/sdb + # mount /dev/sdb /mnt + # btrfs device add -f /dev/sdc /mnt --->fs_devices->total_devices = 1 + # umount /mnt + # mount /dev/sdc /mnt --->fs_devices->total_devices = 2 + +This is because we record right @total_devices in superblock, but +@fs_devices->total_devices is reset to be 0 in btrfs_prepare_sprout(). + +Fix this problem by not resetting @fs_devices->total_devices. + +Signed-off-by: Wang Shilong +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1889,7 +1889,6 @@ static int btrfs_prepare_sprout(struct b + fs_devices->seeding = 0; + fs_devices->num_devices = 0; + fs_devices->open_devices = 0; +- fs_devices->total_devices = 0; + fs_devices->seed = seed_devices; + + generate_random_uuid(fs_devices->fsid); diff --git a/queue-3.14/btrfs-use-right-type-to-get-real-comparison.patch b/queue-3.14/btrfs-use-right-type-to-get-real-comparison.patch new file mode 100644 index 00000000000..f852035ecb8 --- /dev/null +++ b/queue-3.14/btrfs-use-right-type-to-get-real-comparison.patch @@ -0,0 +1,31 @@ +From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Sun, 8 Jun 2014 19:04:13 +0800 +Subject: Btrfs: use right type to get real comparison + +From: Liu Bo + +commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream. + +We want to make sure the point is still within the extent item, not to verify +the memory it's pointing to. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1431,7 +1431,7 @@ static int __get_extent_inline_ref(unsig + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } + *ptr = (unsigned long)*out_eiref; +- if ((void *)*ptr >= (void *)ei + item_size) ++ if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size) + return -ENOENT; + } + diff --git a/queue-3.14/cifs-fix-memory-leaks-in-smb2_open.patch b/queue-3.14/cifs-fix-memory-leaks-in-smb2_open.patch new file mode 100644 index 00000000000..49862c7e001 --- /dev/null +++ b/queue-3.14/cifs-fix-memory-leaks-in-smb2_open.patch @@ -0,0 +1,57 @@ +From 663a962151593c69374776e8651238d0da072459 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Sat, 24 May 2014 16:42:02 +0400 +Subject: CIFS: Fix memory leaks in SMB2_open + +From: Pavel Shilovsky + +commit 663a962151593c69374776e8651238d0da072459 upstream. + +Signed-off-by: Pavel Shilovsky +Reviewed-by: Shirish Pargaonkar +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1089,6 +1089,7 @@ SMB2_open(const unsigned int xid, struct + int rc = 0; + unsigned int num_iovecs = 2; + __u32 file_attributes = 0; ++ char *dhc_buf = NULL, *lc_buf = NULL; + + cifs_dbg(FYI, "create/open\n"); + +@@ -1155,6 +1156,7 @@ SMB2_open(const unsigned int xid, struct + kfree(copy_path); + return rc; + } ++ lc_buf = iov[num_iovecs-1].iov_base; + } + + if (*oplock == SMB2_OPLOCK_LEVEL_BATCH) { +@@ -1169,9 +1171,10 @@ SMB2_open(const unsigned int xid, struct + if (rc) { + cifs_small_buf_release(req); + kfree(copy_path); +- kfree(iov[num_iovecs-1].iov_base); ++ kfree(lc_buf); + return rc; + } ++ dhc_buf = iov[num_iovecs-1].iov_base; + } + + rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); +@@ -1203,6 +1206,8 @@ SMB2_open(const unsigned int xid, struct + *oplock = rsp->OplockLevel; + creat_exit: + kfree(copy_path); ++ kfree(lc_buf); ++ kfree(dhc_buf); + free_rsp_buf(resp_buftype, rsp); + return rc; + } diff --git a/queue-3.14/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch b/queue-3.14/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..5563e84bbbe --- /dev/null +++ b/queue-3.14/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001 +From: Rickard Strandqvist +Date: Thu, 22 May 2014 22:43:43 +0200 +Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference + +From: Rickard Strandqvist + +commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream. + +There is otherwise a risk of a possible null pointer dereference. + +Was largely found by using a static code analysis program called cppcheck. + +Signed-off-by: Rickard Strandqvist +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1676,11 +1676,12 @@ int btrfs_rm_device(struct btrfs_root *r + struct btrfs_fs_devices *fs_devices; + fs_devices = root->fs_info->fs_devices; + while (fs_devices) { +- if (fs_devices->seed == cur_devices) ++ if (fs_devices->seed == cur_devices) { ++ fs_devices->seed = cur_devices->seed; + break; ++ } + fs_devices = fs_devices->seed; + } +- fs_devices->seed = cur_devices->seed; + cur_devices->seed = NULL; + lock_chunks(root); + __btrfs_close_devices(cur_devices); diff --git a/queue-3.14/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch b/queue-3.14/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch new file mode 100644 index 00000000000..75e7003d617 --- /dev/null +++ b/queue-3.14/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch @@ -0,0 +1,216 @@ +From 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 7 Mar 2013 14:53:45 +0100 +Subject: genirq: Sanitize spurious interrupt detection of threaded irqs + +From: Thomas Gleixner + +commit 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c upstream. + +Till reported that the spurious interrupt detection of threaded +interrupts is broken in two ways: + +- note_interrupt() is called for each action thread of a shared + interrupt line. That's wrong as we are only interested whether none + of the device drivers felt responsible for the interrupt, but by + calling multiple times for a single interrupt line we account + IRQ_NONE even if one of the drivers felt responsible. + +- note_interrupt() when called from the thread handler is not + serialized. That leaves the members of irq_desc which are used for + the spurious detection unprotected. + +To solve this we need to defer the spurious detection of a threaded +interrupt to the next hardware interrupt context where we have +implicit serialization. + +If note_interrupt is called with action_ret == IRQ_WAKE_THREAD, we +check whether the previous interrupt requested a deferred check. If +not, we request a deferred check for the next hardware interrupt and +return. + +If set, we check whether one of the interrupt threads signaled +success. Depending on this information we feed the result into the +spurious detector. + +If one primary handler of a shared interrupt returns IRQ_HANDLED we +disable the deferred check of irq threads on the same line, as we have +found at least one device driver who cared. + +Reported-by: Till Straumann +Signed-off-by: Thomas Gleixner +Tested-by: Austin Schuh +Cc: Oliver Hartkopp +Cc: Wolfgang Grandegger +Cc: Pavel Pisa +Cc: Marc Kleine-Budde +Cc: linux-can@vger.kernel.org +Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1303071450130.22263@ionos +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irqdesc.h | 4 + + kernel/irq/manage.c | 4 - + kernel/irq/spurious.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 108 insertions(+), 6 deletions(-) + +--- a/include/linux/irqdesc.h ++++ b/include/linux/irqdesc.h +@@ -27,6 +27,8 @@ struct irq_desc; + * @irq_count: stats field to detect stalled irqs + * @last_unhandled: aging timer for unhandled count + * @irqs_unhandled: stats field for spurious unhandled interrupts ++ * @threads_handled: stats field for deferred spurious detection of threaded handlers ++ * @threads_handled_last: comparator field for deferred spurious detection of theraded handlers + * @lock: locking for SMP + * @affinity_hint: hint to user space for preferred irq affinity + * @affinity_notify: context for notification of affinity changes +@@ -52,6 +54,8 @@ struct irq_desc { + unsigned int irq_count; /* For detecting broken IRQs */ + unsigned long last_unhandled; /* Aging timer for unhandled count */ + unsigned int irqs_unhandled; ++ atomic_t threads_handled; ++ int threads_handled_last; + raw_spinlock_t lock; + struct cpumask *percpu_enabled; + #ifdef CONFIG_SMP +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -856,8 +856,8 @@ static int irq_thread(void *data) + irq_thread_check_affinity(desc, action); + + action_ret = handler_fn(desc, action); +- if (!noirqdebug) +- note_interrupt(action->irq, desc, action_ret); ++ if (action_ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); + + wake_threads_waitq(desc); + } +--- a/kernel/irq/spurious.c ++++ b/kernel/irq/spurious.c +@@ -270,6 +270,8 @@ try_misrouted_irq(unsigned int irq, stru + return action && (action->flags & IRQF_IRQPOLL); + } + ++#define SPURIOUS_DEFERRED 0x80000000 ++ + void note_interrupt(unsigned int irq, struct irq_desc *desc, + irqreturn_t action_ret) + { +@@ -277,15 +279,111 @@ void note_interrupt(unsigned int irq, st + irq_settings_is_polled(desc)) + return; + +- /* we get here again via the threaded handler */ +- if (action_ret == IRQ_WAKE_THREAD) +- return; +- + if (bad_action_ret(action_ret)) { + report_bad_irq(irq, desc, action_ret); + return; + } + ++ /* ++ * We cannot call note_interrupt from the threaded handler ++ * because we need to look at the compound of all handlers ++ * (primary and threaded). Aside of that in the threaded ++ * shared case we have no serialization against an incoming ++ * hardware interrupt while we are dealing with a threaded ++ * result. ++ * ++ * So in case a thread is woken, we just note the fact and ++ * defer the analysis to the next hardware interrupt. ++ * ++ * The threaded handlers store whether they sucessfully ++ * handled an interrupt and we check whether that number ++ * changed versus the last invocation. ++ * ++ * We could handle all interrupts with the delayed by one ++ * mechanism, but for the non forced threaded case we'd just ++ * add pointless overhead to the straight hardirq interrupts ++ * for the sake of a few lines less code. ++ */ ++ if (action_ret & IRQ_WAKE_THREAD) { ++ /* ++ * There is a thread woken. Check whether one of the ++ * shared primary handlers returned IRQ_HANDLED. If ++ * not we defer the spurious detection to the next ++ * interrupt. ++ */ ++ if (action_ret == IRQ_WAKE_THREAD) { ++ int handled; ++ /* ++ * We use bit 31 of thread_handled_last to ++ * denote the deferred spurious detection ++ * active. No locking necessary as ++ * thread_handled_last is only accessed here ++ * and we have the guarantee that hard ++ * interrupts are not reentrant. ++ */ ++ if (!(desc->threads_handled_last & SPURIOUS_DEFERRED)) { ++ desc->threads_handled_last |= SPURIOUS_DEFERRED; ++ return; ++ } ++ /* ++ * Check whether one of the threaded handlers ++ * returned IRQ_HANDLED since the last ++ * interrupt happened. ++ * ++ * For simplicity we just set bit 31, as it is ++ * set in threads_handled_last as well. So we ++ * avoid extra masking. And we really do not ++ * care about the high bits of the handled ++ * count. We just care about the count being ++ * different than the one we saw before. ++ */ ++ handled = atomic_read(&desc->threads_handled); ++ handled |= SPURIOUS_DEFERRED; ++ if (handled != desc->threads_handled_last) { ++ action_ret = IRQ_HANDLED; ++ /* ++ * Note: We keep the SPURIOUS_DEFERRED ++ * bit set. We are handling the ++ * previous invocation right now. ++ * Keep it for the current one, so the ++ * next hardware interrupt will ++ * account for it. ++ */ ++ desc->threads_handled_last = handled; ++ } else { ++ /* ++ * None of the threaded handlers felt ++ * responsible for the last interrupt ++ * ++ * We keep the SPURIOUS_DEFERRED bit ++ * set in threads_handled_last as we ++ * need to account for the current ++ * interrupt as well. ++ */ ++ action_ret = IRQ_NONE; ++ } ++ } else { ++ /* ++ * One of the primary handlers returned ++ * IRQ_HANDLED. So we don't care about the ++ * threaded handlers on the same line. Clear ++ * the deferred detection bit. ++ * ++ * In theory we could/should check whether the ++ * deferred bit is set and take the result of ++ * the previous run into account here as ++ * well. But it's really not worth the ++ * trouble. If every other interrupt is ++ * handled we never trigger the spurious ++ * detector. And if this is just the one out ++ * of 100k unhandled ones which is handled ++ * then we merily delay the spurious detection ++ * by one hard interrupt. Not a real problem. ++ */ ++ desc->threads_handled_last &= ~SPURIOUS_DEFERRED; ++ } ++ } ++ + if (unlikely(action_ret == IRQ_NONE)) { + /* + * If we are seeing only the odd spurious IRQ caused by diff --git a/queue-3.14/series b/queue-3.14/series index c795c2ccf55..6d6398580fc 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -80,3 +80,26 @@ target-iscsi-fix-sendtargets-response-pdu-for-iser-transport.patch target-report-correct-response-length-for-some-commands.patch target-explicitly-clear-ramdisk_mcp-backend-pages.patch scsi-fix-spurious-request-sense-in-error-handling.patch +arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch +arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch +x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch +x86-x32-use-compat-shims-for-io_-setup-submit.patch +genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch +aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch +aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch +cifs-fix-memory-leaks-in-smb2_open.patch +btrfs-fix-double-free-in-find_lock_delalloc_range.patch +btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch +btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch +btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch +btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch +btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch +btrfs-set-right-total-device-count-for-seeding-support.patch +btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch +fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch +btrfs-don-t-check-nodes-for-extent-items.patch +btrfs-use-right-type-to-get-real-comparison.patch +btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch +btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch +btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch +btrfs-allocate-raid-type-kobjects-dynamically.patch diff --git a/queue-3.14/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch b/queue-3.14/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch new file mode 100644 index 00000000000..c6f4b044113 --- /dev/null +++ b/queue-3.14/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch @@ -0,0 +1,37 @@ +From 246f2d2ee1d715e1077fc47d61c394569c8ee692 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Wed, 30 Apr 2014 14:03:25 -0700 +Subject: x86-32, espfix: Remove filter for espfix32 due to race + +From: "H. Peter Anvin" + +commit 246f2d2ee1d715e1077fc47d61c394569c8ee692 upstream. + +It is not safe to use LAR to filter when to go down the espfix path, +because the LDT is per-process (rather than per-thread) and another +thread might change the descriptors behind our back. Fortunately it +is always *safe* (if a bit slow) to go down the espfix path, and a +32-bit LDT stack segment is extremely rare. + +Signed-off-by: H. Peter Anvin +Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/entry_32.S | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -551,11 +551,6 @@ ENTRY(iret_exc) + + CFI_RESTORE_STATE + ldt_ss: +- larl PT_OLDSS(%esp), %eax +- jnz restore_nocheck +- testl $0x00400000, %eax # returning to 32bit stack? +- jnz restore_nocheck # allright, normal return +- + #ifdef CONFIG_PARAVIRT + /* + * The kernel can't run on a non-flat stack if paravirt mode diff --git a/queue-3.14/x86-x32-use-compat-shims-for-io_-setup-submit.patch b/queue-3.14/x86-x32-use-compat-shims-for-io_-setup-submit.patch new file mode 100644 index 00000000000..6d2e46875eb --- /dev/null +++ b/queue-3.14/x86-x32-use-compat-shims-for-io_-setup-submit.patch @@ -0,0 +1,57 @@ +From 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sun, 4 May 2014 20:43:15 -0400 +Subject: x86, x32: Use compat shims for io_{setup,submit} + +From: Mike Frysinger + +commit 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 upstream. + +The io_setup takes a pointer to a context id of type aio_context_t. +This in turn is typed to a __kernel_ulong_t. We could tweak the +exported headers to define this as a 64bit quantity for specific +ABIs, but since we already have a 32bit compat shim for the x86 ABI, +let's just re-use that logic. The libaio package is also written to +expect this as a pointer type, so a compat shim would simplify that. + +The io_submit func operates on an array of pointers to iocb structs. +Padding out the array to be 64bit aligned is a huge pain, so convert +it over to the existing compat shim too. + +We don't convert io_getevents to the compat func as its only purpose +is to handle the timespec struct, and the x32 ABI uses 64bit times. + +With this change, the libaio package can now pass its testsuite when +built for the x32 ABI. + +Signed-off-by: Mike Frysinger +Link: http://lkml.kernel.org/r/1399250595-5005-1-git-send-email-vapier@gentoo.org +Cc: H.J. Lu +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/syscalls/syscall_64.tbl | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/syscalls/syscall_64.tbl ++++ b/arch/x86/syscalls/syscall_64.tbl +@@ -212,10 +212,10 @@ + 203 common sched_setaffinity sys_sched_setaffinity + 204 common sched_getaffinity sys_sched_getaffinity + 205 64 set_thread_area +-206 common io_setup sys_io_setup ++206 64 io_setup sys_io_setup + 207 common io_destroy sys_io_destroy + 208 common io_getevents sys_io_getevents +-209 common io_submit sys_io_submit ++209 64 io_submit sys_io_submit + 210 common io_cancel sys_io_cancel + 211 64 get_thread_area + 212 common lookup_dcookie sys_lookup_dcookie +@@ -358,3 +358,5 @@ + 540 x32 process_vm_writev compat_sys_process_vm_writev + 541 x32 setsockopt compat_sys_setsockopt + 542 x32 getsockopt compat_sys_getsockopt ++543 x32 io_setup compat_sys_io_setup ++544 x32 io_submit compat_sys_io_submit