From 1e19e4629010a837c73ac1d7e22f0cbb9819fa4c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 27 Jun 2014 18:13:16 -0700 Subject: [PATCH] 3.15-stable patches added patches: aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch btrfs-allocate-raid-type-kobjects-dynamically.patch btrfs-don-t-check-nodes-for-extent-items.patch btrfs-fix-double-free-in-find_lock_delalloc_range.patch btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch btrfs-send-account-for-orphan-directories-when-building-path-strings.patch btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch btrfs-set-right-total-device-count-for-seeding-support.patch btrfs-use-right-type-to-get-real-comparison.patch cifs-fix-memory-leaks-in-smb2_open.patch f2fs-submit-bio-at-the-reclaim-path.patch fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch revert-drm-radeon-use-variable-uvd-clocks.patch revert-offb-add-palette-hack-for-little-endian.patch x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch x86-x32-use-compat-shims-for-io_-setup-submit.patch --- ...-when-events-are-reaped-by-userspace.patch | 45 ++++ ...-in-io_getevents-introduced-in-v3.10.patch | 42 ++++ ...ebu-dt-fix-openblocks-ax3-4-ram-size.patch | 75 ++++++ ...arch_has_dma_get_required_mask-macro.patch | 32 +++ ...roken-operator-from-pmd_mknotpresent.patch | 33 +++ ...__kernel_old_-gid-uid-_t-definitions.patch | 51 +++++ ...e-update-for-btrfs-device-add-remove.patch | 76 ++++++ ...ocate-raid-type-kobjects-dynamically.patch | 179 +++++++++++++++ ...s-don-t-check-nodes-for-extent-items.patch | 40 ++++ ...ble-free-in-find_lock_delalloc_range.patch | 29 +++ ...caused-by-enospc-while-hole-punching.patch | 167 ++++++++++++++ ...nter-crash-of-deleting-a-seed-device.patch | 43 ++++ ...ng-to-handle-skinny-metadata-extents.patch | 117 ++++++++++ ...f-uninit-ret-in-end_extent_writepage.patch | 45 ++++ ...ead-requests-before-stopping-workers.patch | 44 ++++ ...r-flag-to-report-errors-to-userspace.patch | 34 +++ ...when-loading-free-space-cache-failed.patch | 42 ++++ ...iring-the-mutex-when-punching-a-hole.patch | 41 ++++ ...rectories-when-building-path-strings.patch | 97 ++++++++ ...in-the-presence-of-subvols-snapshots.patch | 55 +++++ ...ht-limits-for-xattr-names-and-values.patch | 81 +++++++ ...tal-device-count-for-seeding-support.patch | 45 ++++ ...se-right-type-to-get-real-comparison.patch | 31 +++ .../cifs-fix-memory-leaks-in-smb2_open.patch | 57 +++++ .../f2fs-submit-bio-at-the-reclaim-path.patch | 37 +++ ...or-possible-null-pointer-dereference.patch | 38 +++ ...interrupt-detection-of-threaded-irqs.patch | 216 ++++++++++++++++++ ...t-drm-radeon-use-variable-uvd-clocks.patch | 55 +++++ ...b-add-palette-hack-for-little-endian.patch | 55 +++++ queue-3.15/series | 31 +++ ...move-filter-for-espfix32-due-to-race.patch | 37 +++ ...se-compat-shims-for-io_-setup-submit.patch | 57 +++++ 32 files changed, 2027 insertions(+) create mode 100644 queue-3.15/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch create mode 100644 queue-3.15/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch create mode 100644 queue-3.15/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch create mode 100644 queue-3.15/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch create mode 100644 queue-3.15/arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch create mode 100644 queue-3.15/arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch create mode 100644 queue-3.15/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch create mode 100644 queue-3.15/btrfs-allocate-raid-type-kobjects-dynamically.patch create mode 100644 queue-3.15/btrfs-don-t-check-nodes-for-extent-items.patch create mode 100644 queue-3.15/btrfs-fix-double-free-in-find_lock_delalloc_range.patch create mode 100644 queue-3.15/btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch create mode 100644 queue-3.15/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch create mode 100644 queue-3.15/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch create mode 100644 queue-3.15/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch create mode 100644 queue-3.15/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch create mode 100644 queue-3.15/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch create mode 100644 queue-3.15/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch create mode 100644 queue-3.15/btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch create mode 100644 queue-3.15/btrfs-send-account-for-orphan-directories-when-building-path-strings.patch create mode 100644 queue-3.15/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch create mode 100644 queue-3.15/btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch create mode 100644 queue-3.15/btrfs-set-right-total-device-count-for-seeding-support.patch create mode 100644 queue-3.15/btrfs-use-right-type-to-get-real-comparison.patch create mode 100644 queue-3.15/cifs-fix-memory-leaks-in-smb2_open.patch create mode 100644 queue-3.15/f2fs-submit-bio-at-the-reclaim-path.patch create mode 100644 queue-3.15/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch create mode 100644 queue-3.15/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch create mode 100644 queue-3.15/revert-drm-radeon-use-variable-uvd-clocks.patch create mode 100644 queue-3.15/revert-offb-add-palette-hack-for-little-endian.patch create mode 100644 queue-3.15/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch create mode 100644 queue-3.15/x86-x32-use-compat-shims-for-io_-setup-submit.patch diff --git a/queue-3.15/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch b/queue-3.15/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch new file mode 100644 index 00000000000..5ad5541a2f1 --- /dev/null +++ b/queue-3.15/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch @@ -0,0 +1,45 @@ +From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001 +From: Benjamin LaHaise +Date: Tue, 24 Jun 2014 13:12:55 -0400 +Subject: aio: fix aio request leak when events are reaped by userspace + +From: Benjamin LaHaise + +commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream. + +The aio cleanups and optimizations by kmo that were merged into the 3.10 +tree added a regression for userspace event reaping. Specifically, the +reference counts are not decremented if the event is reaped in userspace, +leading to the application being unable to submit further aio requests. +This patch applies to 3.12+. A separate backport is required for 3.10/3.11. +This issue was uncovered as part of CVE-2014-0206. + +Signed-off-by: Benjamin LaHaise +Cc: Kent Overstreet +Cc: Mateusz Guzik +Cc: Petr Matousek +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, lo + + /* everything turned out well, dispose of the aiocb. */ + kiocb_free(iocb); ++ put_reqs_available(ctx, 1); + + /* + * We have to order our ring_info tail store above and test +@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct + flush_dcache_page(ctx->ring_pages[0]); + + pr_debug("%li h%u t%u\n", ret, head, tail); +- +- put_reqs_available(ctx, ret); + out: + mutex_unlock(&ctx->ring_lock); + diff --git a/queue-3.15/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch b/queue-3.15/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch new file mode 100644 index 00000000000..927cb0d585f --- /dev/null +++ b/queue-3.15/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch @@ -0,0 +1,42 @@ +From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001 +From: Benjamin LaHaise +Date: Tue, 24 Jun 2014 13:32:51 -0400 +Subject: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 + +From: Benjamin LaHaise + +commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream. + +A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 +by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to +aio_read_events_ring() failed to correctly limit the index into +ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of +an arbitrary page with a copy_to_user() to copy the contents into userspace. +This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and +Petr for disclosing this issue. + +This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. + +Signed-off-by: Benjamin LaHaise +Cc: Mateusz Guzik +Cc: Petr Matousek +Cc: Kent Overstreet +Cc: Jeff Moyer +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct + if (head == tail) + goto out; + ++ head %= ctx->nr_events; ++ tail %= ctx->nr_events; ++ + while (ret < nr) { + long avail; + struct io_event *ev; diff --git a/queue-3.15/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch b/queue-3.15/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch new file mode 100644 index 00000000000..040d10fa112 --- /dev/null +++ b/queue-3.15/arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch @@ -0,0 +1,75 @@ +From e47043aea3853a74a9aa5726a1faa916d7462ab7 Mon Sep 17 00:00:00 2001 +From: Jason Cooper +Date: Wed, 4 Jun 2014 13:41:20 +0000 +Subject: ARM: mvebu: DT: fix OpenBlocks AX3-4 RAM size + +From: Jason Cooper + +commit e47043aea3853a74a9aa5726a1faa916d7462ab7 upstream. + +The OpenBlocks AX3-4 has a non-DT bootloader. It also comes with 1GB of +soldered on RAM, and a DIMM slot for expansion. + +Unfortunately, atags_to_fdt() doesn't work in big-endian mode, so we see +the following failure when attempting to boot a big-endian kernel: + + 686 slab pages + 17 pages shared + 0 pages swap cached + [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name + Kernel panic - not syncing: Out of memory and no killable processes... + + CPU: 1 PID: 351 Comm: kworker/u4:0 Not tainted 3.15.0-rc8-next-20140603 #1 + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x78/0x94) + [] (dump_stack) from [] (panic+0x90/0x21c) + [] (panic) from [] (out_of_memory+0x320/0x340) + [] (out_of_memory) from [] (__alloc_pages_nodemask+0x874/0x930) + [] (__alloc_pages_nodemask) from [] (handle_mm_fault+0x744/0x96c) + [] (handle_mm_fault) from [] (__get_user_pages+0xd0/0x4c0) + [] (__get_user_pages) from [] (get_arg_page+0x54/0xbc) + [] (get_arg_page) from [] (copy_strings+0x278/0x29c) + [] (copy_strings) from [] (copy_strings_kernel+0x20/0x28) + [] (copy_strings_kernel) from [] (do_execve+0x3a8/0x4c8) + [] (do_execve) from [] (____call_usermodehelper+0x15c/0x194) + [] (____call_usermodehelper) from [] (ret_from_fork+0x14/0x3c) + CPU0: stopping + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.15.0-rc8-next-20140603 #1 + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x78/0x94) + [] (dump_stack) from [] (handle_IPI+0x138/0x174) + [] (handle_IPI) from [] (armada_370_xp_handle_irq+0xb0/0xcc) + [] (armada_370_xp_handle_irq) from [] (__irq_svc+0x40/0x50) + Exception stack(0xc0b6bf68 to 0xc0b6bfb0) + bf60: e9fad598 00000000 00f509a3 00000000 c0b6a000 c0b724c4 + bf80: c0b72458 c0b6a000 00000000 00000000 c0b66da0 c0b6a000 00000000 c0b6bfb0 + bfa0: c027bb94 c027bb24 60000313 ffffffff + [] (__irq_svc) from [] (cpu_startup_entry+0x54/0x214) + [] (cpu_startup_entry) from [] (start_kernel+0x318/0x37c) + [] (start_kernel) from [<00208078>] (0x208078) + ---[ end Kernel panic - not syncing: Out of memory and no killable processes... + +A similar failure will also occur if ARM_ATAG_DTB_COMPAT isn't selected. + +Fix this by setting a sane default (1 GB) in the dts file. + +Signed-off-by: Jason Cooper +Tested-by: Kevin Hilman +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts ++++ b/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts +@@ -25,7 +25,7 @@ + + memory { + device_type = "memory"; +- reg = <0 0x00000000 0 0xC0000000>; /* 3 GB */ ++ reg = <0 0x00000000 0 0x40000000>; /* 1 GB soldered on */ + }; + + soc { diff --git a/queue-3.15/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch b/queue-3.15/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch new file mode 100644 index 00000000000..6b3a39980d1 --- /dev/null +++ b/queue-3.15/arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch @@ -0,0 +1,32 @@ +From f3a183cb422574014538017b5b291a416396f97e Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Fri, 6 Jun 2014 23:07:16 +0100 +Subject: arm64/dma: Removing ARCH_HAS_DMA_GET_REQUIRED_MASK macro + +From: Suravee Suthikulpanit + +commit f3a183cb422574014538017b5b291a416396f97e upstream. + +Arm64 does not define dma_get_required_mask() function. +Therefore, it should not define the ARCH_HAS_DMA_GET_REQUIRED_MASK. +This causes build errors in some device drivers (e.g. mpt2sas) + +Signed-off-by: Suravee Suthikulpanit +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/dma-mapping.h | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm64/include/asm/dma-mapping.h ++++ b/arch/arm64/include/asm/dma-mapping.h +@@ -26,8 +26,6 @@ + #include + #include + +-#define ARCH_HAS_DMA_GET_REQUIRED_MASK +- + #define DMA_ERROR_CODE (~(dma_addr_t)0) + extern struct dma_map_ops *dma_ops; + extern struct dma_map_ops coherent_swiotlb_dma_ops; diff --git a/queue-3.15/arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch b/queue-3.15/arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch new file mode 100644 index 00000000000..a9a15d65275 --- /dev/null +++ b/queue-3.15/arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch @@ -0,0 +1,33 @@ +From e3a920afc3482e954834a4ed95908c4bc5e4c000 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Wed, 18 Jun 2014 14:06:27 +0100 +Subject: arm64: mm: remove broken &= operator from pmd_mknotpresent + +From: Will Deacon + +commit e3a920afc3482e954834a4ed95908c4bc5e4c000 upstream. + +This should be a plain old '&' and could easily lead to undefined +behaviour if the target of a pmd_mknotpresent invocation was the same +as the parameter. + +Fixes: 9c7e535fcc17 (arm64: mm: Route pmd thp functions through pte equivalents) +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -253,7 +253,7 @@ static inline pmd_t pte_pmd(pte_t pte) + #define pmd_mkwrite(pmd) pte_pmd(pte_mkwrite(pmd_pte(pmd))) + #define pmd_mkdirty(pmd) pte_pmd(pte_mkdirty(pmd_pte(pmd))) + #define pmd_mkyoung(pmd) pte_pmd(pte_mkyoung(pmd_pte(pmd))) +-#define pmd_mknotpresent(pmd) (__pmd(pmd_val(pmd) &= ~PMD_TYPE_MASK)) ++#define pmd_mknotpresent(pmd) (__pmd(pmd_val(pmd) & ~PMD_TYPE_MASK)) + + #define __HAVE_ARCH_PMD_WRITE + #define pmd_write(pmd) pte_write(pmd_pte(pmd)) diff --git a/queue-3.15/arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch b/queue-3.15/arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch new file mode 100644 index 00000000000..c093728814d --- /dev/null +++ b/queue-3.15/arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch @@ -0,0 +1,51 @@ +From 34c65c43f1518bf85f93526ad373adc6a683b4c5 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 2 Jun 2014 11:47:29 +0100 +Subject: arm64: uid16: fix __kernel_old_{gid,uid}_t definitions + +From: Will Deacon + +commit 34c65c43f1518bf85f93526ad373adc6a683b4c5 upstream. + +Whilst native arm64 applications don't have the 16-bit UID/GID syscalls +wired up, compat tasks can still access them. The 16-bit wrappers for +these syscalls use __kernel_old_uid_t and __kernel_old_gid_t, which must +be 16-bit data types to maintain compatibility with the 16-bit UIDs used +by compat applications. + +This patch defines 16-bit __kernel_old_{gid,uid}_t types for arm64 +instead of using the 32-bit types provided by asm-generic. + +Signed-off-by: Will Deacon +Acked-by: Arnd Bergmann +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/Kbuild | 1 - + arch/arm64/include/uapi/asm/posix_types.h | 10 ++++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/Kbuild ++++ b/arch/arm64/include/asm/Kbuild +@@ -30,7 +30,6 @@ generic-y += msgbuf.h + generic-y += mutex.h + generic-y += pci.h + generic-y += poll.h +-generic-y += posix_types.h + generic-y += preempt.h + generic-y += resource.h + generic-y += rwsem.h +--- /dev/null ++++ b/arch/arm64/include/uapi/asm/posix_types.h +@@ -0,0 +1,10 @@ ++#ifndef __ASM_POSIX_TYPES_H ++#define __ASM_POSIX_TYPES_H ++ ++typedef unsigned short __kernel_old_uid_t; ++typedef unsigned short __kernel_old_gid_t; ++#define __kernel_old_uid_t __kernel_old_uid_t ++ ++#include ++ ++#endif /* __ASM_POSIX_TYPES_H */ diff --git a/queue-3.15/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch b/queue-3.15/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch new file mode 100644 index 00000000000..f461275cbf4 --- /dev/null +++ b/queue-3.15/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch @@ -0,0 +1,76 @@ +From 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 16 Apr 2014 17:02:32 +0800 +Subject: btrfs: Add ctime/mtime update for btrfs device add/remove. + +From: Qu Wenruo + +commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream. + +Btrfs will send uevent to udev inform the device change, +but ctime/mtime for the block device inode is not udpated, which cause +libblkid used by btrfs-progs unable to detect device change and use old +cache, causing 'btrfs dev scan; btrfs dev rmove; btrfs dev scan' give an +error message. + +Reported-by: Tsutomu Itoh +Cc: Karel Zak +Signed-off-by: Qu Wenruo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1452,6 +1452,22 @@ out: + return ret; + } + ++/* ++ * Function to update ctime/mtime for a given device path. ++ * Mainly used for ctime/mtime based probe like libblkid. ++ */ ++static void update_dev_time(char *path_name) ++{ ++ struct file *filp; ++ ++ filp = filp_open(path_name, O_RDWR, 0); ++ if (!filp) ++ return; ++ file_update_time(filp); ++ filp_close(filp, NULL); ++ return; ++} ++ + static int btrfs_rm_dev_item(struct btrfs_root *root, + struct btrfs_device *device) + { +@@ -1704,10 +1720,14 @@ int btrfs_rm_device(struct btrfs_root *r + + ret = 0; + +- /* Notify udev that device has changed */ +- if (bdev) ++ if (bdev) { ++ /* Notify udev that device has changed */ + btrfs_kobject_uevent(bdev, KOBJ_CHANGE); + ++ /* Update ctime/mtime for device path for libblkid */ ++ update_dev_time(device_path); ++ } ++ + error_brelse: + brelse(bh); + if (bdev) +@@ -2146,6 +2166,8 @@ int btrfs_init_new_device(struct btrfs_r + ret = btrfs_commit_transaction(trans, root); + } + ++ /* Update ctime/mtime for libblkid */ ++ update_dev_time(device_path); + return ret; + + error_trans: diff --git a/queue-3.15/btrfs-allocate-raid-type-kobjects-dynamically.patch b/queue-3.15/btrfs-allocate-raid-type-kobjects-dynamically.patch new file mode 100644 index 00000000000..b0d95b47bdd --- /dev/null +++ b/queue-3.15/btrfs-allocate-raid-type-kobjects-dynamically.patch @@ -0,0 +1,179 @@ +From c1895442be01c58449e3bf9272f22062a670e08f Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 27 May 2014 12:59:57 -0400 +Subject: btrfs: allocate raid type kobjects dynamically + +From: Jeff Mahoney + +commit c1895442be01c58449e3bf9272f22062a670e08f upstream. + +We are currently allocating space_info objects in an array when we +allocate space_info. When a user does something like: + +# btrfs balance start -mconvert=raid1 -dconvert=raid1 /mnt +# btrfs balance start -mconvert=single -dconvert=single /mnt -f +# btrfs balance start -mconvert=raid1 -dconvert=raid1 / + +We can end up with memory corruption since the kobject hasn't +been reinitialized properly and the name pointer was left set. + +The rationale behind allocating them statically was to avoid +creating a separate kobject container that just contained the +raid type. It used the index in the array to determine the index. + +Ultimately, though, this wastes more memory than it saves in all +but the most complex scenarios and introduces kobject lifetime +questions. + +This patch allocates the kobjects dynamically instead. Note that +we also remove the kobject_get/put of the parent kobject since +kobject_add and kobject_del do that internally. + +Signed-off-by: Jeff Mahoney +Reported-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.h | 8 +++++++- + fs/btrfs/extent-tree.c | 39 ++++++++++++++++++++++++++------------- + fs/btrfs/sysfs.c | 5 +++-- + 3 files changed, 36 insertions(+), 16 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1113,6 +1113,12 @@ struct btrfs_qgroup_limit_item { + __le64 rsv_excl; + } __attribute__ ((__packed__)); + ++/* For raid type sysfs entries */ ++struct raid_kobject { ++ int raid_type; ++ struct kobject kobj; ++}; ++ + struct btrfs_space_info { + spinlock_t lock; + +@@ -1163,7 +1169,7 @@ struct btrfs_space_info { + wait_queue_head_t wait; + + struct kobject kobj; +- struct kobject block_group_kobjs[BTRFS_NR_RAID_TYPES]; ++ struct kobject *block_group_kobjs[BTRFS_NR_RAID_TYPES]; + }; + + #define BTRFS_BLOCK_RSV_GLOBAL 1 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3401,10 +3401,8 @@ static int update_space_info(struct btrf + return ret; + } + +- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) { ++ for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) + INIT_LIST_HEAD(&found->block_groups[i]); +- kobject_init(&found->block_group_kobjs[i], &btrfs_raid_ktype); +- } + init_rwsem(&found->groups_sem); + spin_lock_init(&found->lock); + found->flags = flags & BTRFS_BLOCK_GROUP_TYPE_MASK; +@@ -8327,8 +8325,9 @@ int btrfs_free_block_groups(struct btrfs + list_del(&space_info->list); + for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) { + struct kobject *kobj; +- kobj = &space_info->block_group_kobjs[i]; +- if (kobj->parent) { ++ kobj = space_info->block_group_kobjs[i]; ++ space_info->block_group_kobjs[i] = NULL; ++ if (kobj) { + kobject_del(kobj); + kobject_put(kobj); + } +@@ -8352,17 +8351,26 @@ static void __link_block_group(struct bt + up_write(&space_info->groups_sem); + + if (first) { +- struct kobject *kobj = &space_info->block_group_kobjs[index]; ++ struct raid_kobject *rkobj; + int ret; + +- kobject_get(&space_info->kobj); /* put in release */ +- ret = kobject_add(kobj, &space_info->kobj, "%s", +- get_raid_name(index)); ++ rkobj = kzalloc(sizeof(*rkobj), GFP_NOFS); ++ if (!rkobj) ++ goto out_err; ++ rkobj->raid_type = index; ++ kobject_init(&rkobj->kobj, &btrfs_raid_ktype); ++ ret = kobject_add(&rkobj->kobj, &space_info->kobj, ++ "%s", get_raid_name(index)); + if (ret) { +- pr_warn("BTRFS: failed to add kobject for block cache. ignoring.\n"); +- kobject_put(&space_info->kobj); ++ kobject_put(&rkobj->kobj); ++ goto out_err; + } ++ space_info->block_group_kobjs[index] = &rkobj->kobj; + } ++ ++ return; ++out_err: ++ pr_warn("BTRFS: failed to add kobject for block cache. ignoring.\n"); + } + + static struct btrfs_block_group_cache * +@@ -8697,6 +8705,7 @@ int btrfs_remove_block_group(struct btrf + struct btrfs_root *tree_root = root->fs_info->tree_root; + struct btrfs_key key; + struct inode *inode; ++ struct kobject *kobj = NULL; + int ret; + int index; + int factor; +@@ -8796,11 +8805,15 @@ int btrfs_remove_block_group(struct btrf + */ + list_del_init(&block_group->list); + if (list_empty(&block_group->space_info->block_groups[index])) { +- kobject_del(&block_group->space_info->block_group_kobjs[index]); +- kobject_put(&block_group->space_info->block_group_kobjs[index]); ++ kobj = block_group->space_info->block_group_kobjs[index]; ++ block_group->space_info->block_group_kobjs[index] = NULL; + clear_avail_alloc_bits(root->fs_info, block_group->flags); + } + up_write(&block_group->space_info->groups_sem); ++ if (kobj) { ++ kobject_del(kobj); ++ kobject_put(kobj); ++ } + + if (block_group->cached == BTRFS_CACHE_STARTED) + wait_block_group_cache_done(block_group); +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -254,6 +254,7 @@ static ssize_t global_rsv_reserved_show( + BTRFS_ATTR(global_rsv_reserved, 0444, global_rsv_reserved_show); + + #define to_space_info(_kobj) container_of(_kobj, struct btrfs_space_info, kobj) ++#define to_raid_kobj(_kobj) container_of(_kobj, struct raid_kobject, kobj) + + static ssize_t raid_bytes_show(struct kobject *kobj, + struct kobj_attribute *attr, char *buf); +@@ -266,7 +267,7 @@ static ssize_t raid_bytes_show(struct ko + { + struct btrfs_space_info *sinfo = to_space_info(kobj->parent); + struct btrfs_block_group_cache *block_group; +- int index = kobj - sinfo->block_group_kobjs; ++ int index = to_raid_kobj(kobj)->raid_type; + u64 val = 0; + + down_read(&sinfo->groups_sem); +@@ -288,7 +289,7 @@ static struct attribute *raid_attributes + + static void release_raid_kobj(struct kobject *kobj) + { +- kobject_put(kobj->parent); ++ kfree(to_raid_kobj(kobj)); + } + + struct kobj_type btrfs_raid_ktype = { diff --git a/queue-3.15/btrfs-don-t-check-nodes-for-extent-items.patch b/queue-3.15/btrfs-don-t-check-nodes-for-extent-items.patch new file mode 100644 index 00000000000..92667c466fa --- /dev/null +++ b/queue-3.15/btrfs-don-t-check-nodes-for-extent-items.patch @@ -0,0 +1,40 @@ +From 8a56457f5f8fa7c2698ffae8545214c5b96a2cb5 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 5 Jun 2014 16:08:45 -0400 +Subject: Btrfs: don't check nodes for extent items + +From: Josef Bacik + +commit 8a56457f5f8fa7c2698ffae8545214c5b96a2cb5 upstream. + +The backref code was looking at nodes as well as leaves when we tried to +populate extent item entries. This is not good, and although we go away with it +for the most part because we'd skip where disk_bytenr != random_memory, +sometimes random_memory would match and suddenly boom. This fixes that problem. +Thanks, + +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -984,11 +984,12 @@ again: + goto out; + } + if (ref->count && ref->parent) { +- if (extent_item_pos && !ref->inode_list) { ++ if (extent_item_pos && !ref->inode_list && ++ ref->level == 0) { + u32 bsz; + struct extent_buffer *eb; + bsz = btrfs_level_size(fs_info->extent_root, +- info_level); ++ ref->level); + eb = read_tree_block(fs_info->extent_root, + ref->parent, bsz, 0); + if (!eb || !extent_buffer_uptodate(eb)) { diff --git a/queue-3.15/btrfs-fix-double-free-in-find_lock_delalloc_range.patch b/queue-3.15/btrfs-fix-double-free-in-find_lock_delalloc_range.patch new file mode 100644 index 00000000000..c64e790754e --- /dev/null +++ b/queue-3.15/btrfs-fix-double-free-in-find_lock_delalloc_range.patch @@ -0,0 +1,29 @@ +From 7d78874273463a784759916fc3e0b4e2eb141c70 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Wed, 21 May 2014 05:49:54 -0700 +Subject: Btrfs: fix double free in find_lock_delalloc_range + +From: Chris Mason + +commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream. + +We need to NULL the cached_state after freeing it, otherwise +we might free it again if find_delalloc_range doesn't find anything. + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1693,6 +1693,7 @@ again: + * shortening the size of the delalloc range we're searching + */ + free_extent_state(cached_state); ++ cached_state = NULL; + if (!loops) { + max_bytes = PAGE_CACHE_SIZE; + loops = 1; diff --git a/queue-3.15/btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch b/queue-3.15/btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch new file mode 100644 index 00000000000..e114a159560 --- /dev/null +++ b/queue-3.15/btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch @@ -0,0 +1,167 @@ +From fc19c5e73645f95d3eca12b4e91e7b56faf1e4a4 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 29 Apr 2014 13:18:40 +0100 +Subject: Btrfs: fix leaf corruption caused by ENOSPC while hole punching + +From: Filipe Manana + +commit fc19c5e73645f95d3eca12b4e91e7b56faf1e4a4 upstream. + +While running a stress test with multiple threads writing to the same btrfs +file system, I ended up with a situation where a leaf was corrupted in that +it had 2 file extent item keys that had the same exact key. I was able to +detect this quickly thanks to the following patch which triggers an assertion +as soon as a leaf is marked dirty if there are duplicated keys or out of order +keys: + + Btrfs: check if items are ordered when a leaf is marked dirty + (https://patchwork.kernel.org/patch/3955431/) + +Basically while running the test, I got the following in dmesg: + + [28877.415877] WARNING: CPU: 2 PID: 10706 at fs/btrfs/file.c:553 btrfs_drop_extent_cache+0x435/0x440 [btrfs]() + (...) + [28877.415917] Call Trace: + [28877.415922] [] dump_stack+0x4e/0x68 + [28877.415926] [] warn_slowpath_common+0x8c/0xc0 + [28877.415929] [] warn_slowpath_null+0x1a/0x20 + [28877.415944] [] btrfs_drop_extent_cache+0x435/0x440 [btrfs] + [28877.415949] [] ? kmem_cache_alloc+0xfe/0x1c0 + [28877.415962] [] fill_holes+0x229/0x3e0 [btrfs] + [28877.415972] [] ? block_rsv_add_bytes+0x55/0x80 [btrfs] + [28877.415984] [] btrfs_fallocate+0xb6b/0xc20 [btrfs] + (...) + [29854.132560] BTRFS critical (device sdc): corrupt leaf, bad key order: block=955232256,root=1, slot=24 + [29854.132565] BTRFS info (device sdc): leaf 955232256 total ptrs 40 free space 778 + (...) + [29854.132637] item 23 key (3486 108 667648) itemoff 2694 itemsize 53 + [29854.132638] extent data disk bytenr 14574411776 nr 286720 + [29854.132639] extent data offset 0 nr 286720 ram 286720 + [29854.132640] item 24 key (3486 108 954368) itemoff 2641 itemsize 53 + [29854.132641] extent data disk bytenr 0 nr 0 + [29854.132643] extent data offset 0 nr 0 ram 0 + [29854.132644] item 25 key (3486 108 954368) itemoff 2588 itemsize 53 + [29854.132645] extent data disk bytenr 8699670528 nr 77824 + [29854.132646] extent data offset 0 nr 77824 ram 77824 + [29854.132647] item 26 key (3486 108 1146880) itemoff 2535 itemsize 53 + [29854.132648] extent data disk bytenr 8699670528 nr 77824 + [29854.132649] extent data offset 0 nr 77824 ram 77824 + (...) + [29854.132707] kernel BUG at fs/btrfs/ctree.h:3901! + (...) + [29854.132771] Call Trace: + [29854.132779] [] setup_items_for_insert+0x2dc/0x400 [btrfs] + [29854.132791] [] __btrfs_drop_extents+0xba7/0xdd0 [btrfs] + [29854.132794] [] ? trace_hardirqs_on_caller+0x16/0x1d0 + [29854.132797] [] ? trace_hardirqs_on+0xd/0x10 + [29854.132800] [] ? kmem_cache_alloc+0xfe/0x1c0 + [29854.132810] [] insert_reserved_file_extent.constprop.66+0xab/0x310 [btrfs] + [29854.132820] [] __btrfs_prealloc_file_range+0x116/0x340 [btrfs] + [29854.132830] [] btrfs_prealloc_file_range+0x23/0x30 [btrfs] + (...) + +So this is caused by getting an -ENOSPC error while punching a file hole, more +specifically, we get -ENOSPC error from __btrfs_drop_extents in the while loop +of file.c:btrfs_punch_hole() when it's unable to modify the btree to delete one +or more file extent items due to lack of enough free space. When this happens, +in btrfs_punch_hole(), we attempt to reclaim free space by switching our transaction +block reservation object to root->fs_info->trans_block_rsv, end our transaction and +start a new transaction basically - and, we keep increasing our current offset +(cur_offset) as long as it's smaller than the end of the target range (lockend) - +this makes use leave the loop with cur_offset == drop_end which in turn makes us +call fill_holes() for inserting a file extent item that represents a 0 bytes range +hole (and this insertion succeeds, as in the meanwhile more space became available). + +This 0 bytes file hole extent item is a problem because any subsequent caller of +__btrfs_drop_extents (regular file writes, or fallocate calls for e.g.), with a +start file offset that is equal to the offset of the hole, will not remove this +extent item due to the following conditional in the while loop of +__btrfs_drop_extents: + + if (extent_end <= search_start) { + path->slots[0]++; + goto next_slot; + } + +This later makes the call to setup_items_for_insert() (at the very end of +__btrfs_drop_extents), insert a new file extent item with the same offset as +the 0 bytes file hole extent item that follows it. Needless is to say that this +causes chaos, either when reading the leaf from disk (btree_readpage_end_io_hook), +where we perform leaf sanity checks or in subsequent operations that manipulate +file extent items, as in the fallocate call as shown by the dmesg trace above. + +Without my other patch to perform the leaf sanity checks once a leaf is marked +as dirty (if the integrity checker is enabled), it would have been much harder +to debug this issue. + +This change might fix a few similar issues reported by users in the mailing +list regarding assertion failures in btrfs_set_item_key_safe calls performed +by __btrfs_drop_extents, such as the following report: + + http://comments.gmane.org/gmane.comp.file-systems.btrfs/32938 + +Asking fill_holes() to create a 0 bytes wide file hole item also produced the +first warning in the trace above, as we passed a range to btrfs_drop_extent_cache +that has an end smaller (by -1) than its start. + +On 3.14 kernels this issue manifests itself through leaf corruption, as we get +duplicated file extent item keys in a leaf when calling setup_items_for_insert(), +but on older kernels, setup_items_for_insert() isn't called by __btrfs_drop_extents(), +instead we have callers of __btrfs_drop_extents(), namely the functions +inode.c:insert_inline_extent() and inode.c:insert_reserved_file_extent(), calling +btrfs_insert_empty_item() to insert the new file extent item, which would fail with +error -EEXIST, instead of inserting a duplicated key - which is still a serious +issue as it would make all similar file extent item replace operations keep +failing if they target the same file range. + +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/file.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -780,6 +780,18 @@ next_slot: + extent_end = search_start; + } + ++ /* ++ * Don't skip extent items representing 0 byte lengths. They ++ * used to be created (bug) if while punching holes we hit ++ * -ENOSPC condition. So if we find one here, just ensure we ++ * delete it, otherwise we would insert a new file extent item ++ * with the same key (offset) as that 0 bytes length file ++ * extent item in the call to setup_items_for_insert() later ++ * in this function. ++ */ ++ if (extent_end == key.offset && extent_end >= search_start) ++ goto delete_extent_item; ++ + if (extent_end <= search_start) { + path->slots[0]++; + goto next_slot; +@@ -893,6 +905,7 @@ next_slot: + * | ------ extent ------ | + */ + if (start <= key.offset && end >= extent_end) { ++delete_extent_item: + if (del_nr == 0) { + del_slot = path->slots[0]; + del_nr = 1; +@@ -2347,7 +2360,12 @@ static int btrfs_punch_hole(struct inode + } + + trans->block_rsv = &root->fs_info->trans_block_rsv; +- if (cur_offset < ino_size) { ++ /* ++ * Don't insert file hole extent item if it's for a range beyond eof ++ * (because it's useless) or if it represents a 0 bytes range (when ++ * cur_offset == drop_end). ++ */ ++ if (cur_offset < ino_size && cur_offset < drop_end) { + ret = fill_holes(trans, inode, path, cur_offset, drop_end); + if (ret) { + err = ret; diff --git a/queue-3.15/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch b/queue-3.15/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch new file mode 100644 index 00000000000..d9312338de4 --- /dev/null +++ b/queue-3.15/btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch @@ -0,0 +1,43 @@ +From 29cc83f69c8338ff8fd1383c9be263d4bdf52d73 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Sun, 11 May 2014 23:14:59 +0800 +Subject: Btrfs: fix NULL pointer crash of deleting a seed device + +From: Liu Bo + +commit 29cc83f69c8338ff8fd1383c9be263d4bdf52d73 upstream. + +Same as normal devices, seed devices should be initialized with +fs_info->dev_root as well, otherwise we'll get a NULL pointer crash. + +Cc: Chris Murphy +Reported-by: Chris Murphy +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6080,10 +6080,14 @@ void btrfs_init_devices_late(struct btrf + struct btrfs_fs_devices *fs_devices = fs_info->fs_devices; + struct btrfs_device *device; + +- mutex_lock(&fs_devices->device_list_mutex); +- list_for_each_entry(device, &fs_devices->devices, dev_list) +- device->dev_root = fs_info->dev_root; +- mutex_unlock(&fs_devices->device_list_mutex); ++ while (fs_devices) { ++ mutex_lock(&fs_devices->device_list_mutex); ++ list_for_each_entry(device, &fs_devices->devices, dev_list) ++ device->dev_root = fs_info->dev_root; ++ mutex_unlock(&fs_devices->device_list_mutex); ++ ++ fs_devices = fs_devices->seed; ++ } + } + + static void __btrfs_reset_dev_stats(struct btrfs_device *dev) diff --git a/queue-3.15/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch b/queue-3.15/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch new file mode 100644 index 00000000000..4cbf41375ea --- /dev/null +++ b/queue-3.15/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch @@ -0,0 +1,117 @@ +From 6eda71d0c030af0fc2f68aaa676e6d445600855b Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 9 Jun 2014 10:54:07 +0800 +Subject: Btrfs: fix scrub_print_warning to handle skinny metadata extents + +From: Liu Bo + +commit 6eda71d0c030af0fc2f68aaa676e6d445600855b upstream. + +The skinny extents are intepreted incorrectly in scrub_print_warning(), +and end up hitting the BUG() in btrfs_extent_inline_ref_size. + +Reported-by: Konstantinos Skarlatos +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 30 +++++++++++++++++++----------- + fs/btrfs/backref.h | 4 ++-- + fs/btrfs/scrub.c | 5 +++-- + 3 files changed, 24 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1405,9 +1405,10 @@ int extent_from_logical(struct btrfs_fs_ + * returns <0 on error + */ + static int __get_extent_inline_ref(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- struct btrfs_extent_inline_ref **out_eiref, +- int *out_type) ++ struct btrfs_key *key, ++ struct btrfs_extent_item *ei, u32 item_size, ++ struct btrfs_extent_inline_ref **out_eiref, ++ int *out_type) + { + unsigned long end; + u64 flags; +@@ -1417,9 +1418,16 @@ static int __get_extent_inline_ref(unsig + /* first call */ + flags = btrfs_extent_flags(eb, ei); + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { +- info = (struct btrfs_tree_block_info *)(ei + 1); +- *out_eiref = +- (struct btrfs_extent_inline_ref *)(info + 1); ++ if (key->type == BTRFS_METADATA_ITEM_KEY) { ++ /* a skinny metadata extent */ ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(ei + 1); ++ } else { ++ WARN_ON(key->type != BTRFS_EXTENT_ITEM_KEY); ++ info = (struct btrfs_tree_block_info *)(ei + 1); ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(info + 1); ++ } + } else { + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } +@@ -1429,7 +1437,7 @@ static int __get_extent_inline_ref(unsig + } + + end = (unsigned long)ei + item_size; +- *out_eiref = (struct btrfs_extent_inline_ref *)*ptr; ++ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr); + *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref); + + *ptr += btrfs_extent_inline_ref_size(*out_type); +@@ -1448,8 +1456,8 @@ static int __get_extent_inline_ref(unsig + * <0 on error. + */ + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level) ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level) + { + int ret; + int type; +@@ -1460,8 +1468,8 @@ int tree_backref_for_extent(unsigned lon + return 1; + + while (1) { +- ret = __get_extent_inline_ref(ptr, eb, ei, item_size, +- &eiref, &type); ++ ret = __get_extent_inline_ref(ptr, eb, key, ei, item_size, ++ &eiref, &type); + if (ret < 0) + return ret; + +--- a/fs/btrfs/backref.h ++++ b/fs/btrfs/backref.h +@@ -40,8 +40,8 @@ int extent_from_logical(struct btrfs_fs_ + u64 *flags); + + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level); ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level); + + int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + u64 extent_item_objectid, +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -588,8 +588,9 @@ static void scrub_print_warning(const ch + + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { + do { +- ret = tree_backref_for_extent(&ptr, eb, ei, item_size, +- &ref_root, &ref_level); ++ ret = tree_backref_for_extent(&ptr, eb, &found_key, ei, ++ item_size, &ref_root, ++ &ref_level); + printk_in_rcu(KERN_WARNING + "BTRFS: %s at logical %llu on dev %s, " + "sector %llu: metadata %s (level %d) in tree " diff --git a/queue-3.15/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch b/queue-3.15/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch new file mode 100644 index 00000000000..5c54912d526 --- /dev/null +++ b/queue-3.15/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch @@ -0,0 +1,45 @@ +From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Thu, 12 Jun 2014 00:39:58 -0500 +Subject: btrfs: fix use of uninit "ret" in end_extent_writepage() + +From: Eric Sandeen + +commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream. + +If this condition in end_extent_writepage() is false: + + if (tree->ops && tree->ops->writepage_end_io_hook) + +we will then test an uninitialized "ret" at: + + ret = ret < 0 ? ret : -EIO; + +The test for ret is for the case where ->writepage_end_io_hook +failed, and we'd choose that ret as the error; but if +there is no ->writepage_end_io_hook, nothing sets ret. + +Initializing ret to 0 should be sufficient; if +writepage_end_io_hook wasn't set, (!uptodate) means +non-zero err was passed in, so we choose -EIO in that case. + +Signed-of-by: Eric Sandeen + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2354,7 +2354,7 @@ int end_extent_writepage(struct page *pa + { + int uptodate = (err == 0); + struct extent_io_tree *tree; +- int ret; ++ int ret = 0; + + tree = &BTRFS_I(page->mapping->host)->io_tree; + diff --git a/queue-3.15/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch b/queue-3.15/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch new file mode 100644 index 00000000000..d7954cdefe5 --- /dev/null +++ b/queue-3.15/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch @@ -0,0 +1,44 @@ +From de348ee022175401e77d7662b7ca6e231a94e3fd Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Wed, 9 Apr 2014 19:23:22 +0800 +Subject: Btrfs: make sure there are not any read requests before stopping workers + +From: Wang Shilong + +commit de348ee022175401e77d7662b7ca6e231a94e3fd upstream. + +In close_ctree(), after we have stopped all workers,there maybe still +some read requests(for example readahead) to submit and this *maybe* trigger +an oops that user reported before: + +kernel BUG at fs/btrfs/async-thread.c:619! + +By hacking codes, i can reproduce this problem with one cpu available. +We fix this potential problem by invalidating all btree inode pages before +stopping all workers. + +Thanks to Miao for pointing out this problem. + +Signed-off-by: Wang Shilong +Reviewed-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3633,6 +3633,11 @@ int close_ctree(struct btrfs_root *root) + + btrfs_free_block_groups(fs_info); + ++ /* ++ * we must make sure there is not any read request to ++ * submit after we stopping all workers. ++ */ ++ invalidate_inode_pages2(fs_info->btree_inode->i_mapping); + btrfs_stop_all_workers(fs_info); + + free_root_pointers(fs_info, 1); diff --git a/queue-3.15/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch b/queue-3.15/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch new file mode 100644 index 00000000000..cd05a5b6c0e --- /dev/null +++ b/queue-3.15/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch @@ -0,0 +1,34 @@ +From 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 12 May 2014 12:47:36 +0800 +Subject: Btrfs: mark mapping with error flag to report errors to userspace + +From: Liu Bo + +commit 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 upstream. + +According to commit 865ffef3797da2cac85b3354b5b6050dc9660978 +(fs: fix fsync() error reporting), +it's not stable to just check error pages because pages can be +truncated or invalidated, we should also mark mapping with error +flag so that a later fsync can catch the error. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2368,6 +2368,8 @@ int end_extent_writepage(struct page *pa + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); ++ ret = ret < 0 ? ret : -EIO; ++ mapping_set_error(page->mapping, ret); + } + return 0; + } diff --git a/queue-3.15/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch b/queue-3.15/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch new file mode 100644 index 00000000000..2e370f6ebcc --- /dev/null +++ b/queue-3.15/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch @@ -0,0 +1,42 @@ +From 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 Mon Sep 17 00:00:00 2001 +From: Miao Xie +Date: Thu, 24 Apr 2014 13:31:55 +0800 +Subject: Btrfs: output warning instead of error when loading free space cache failed + +From: Miao Xie + +commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream. + +If we fail to load a free space cache, we can rebuild it from the extent tree, +so it is not a serious error, we should not output a error message that +would make the users uncomfortable. This patch uses warning message instead +of it. + +Signed-off-by: Miao Xie +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/free-space-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -831,7 +831,7 @@ int load_free_space_cache(struct btrfs_f + + if (!matched) { + __btrfs_remove_free_space_cache(ctl); +- btrfs_err(fs_info, "block group %llu has wrong amount of free space", ++ btrfs_warn(fs_info, "block group %llu has wrong amount of free space", + block_group->key.objectid); + ret = -1; + } +@@ -843,7 +843,7 @@ out: + spin_unlock(&block_group->lock); + ret = 0; + +- btrfs_err(fs_info, "failed to load free space cache for block group %llu", ++ btrfs_warn(fs_info, "failed to load free space cache for block group %llu, rebuild it now", + block_group->key.objectid); + } + diff --git a/queue-3.15/btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch b/queue-3.15/btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch new file mode 100644 index 00000000000..e3a4b47b055 --- /dev/null +++ b/queue-3.15/btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch @@ -0,0 +1,41 @@ +From a1a50f60a6bf4f861eb94793420274bc1ccd409a Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sat, 26 Apr 2014 01:35:31 +0100 +Subject: Btrfs: read inode size after acquiring the mutex when punching a hole + +From: Filipe Manana + +commit a1a50f60a6bf4f861eb94793420274bc1ccd409a upstream. + +In a previous change, commit 12870f1c9b2de7d475d22e73fd7db1b418599725, +I accidentally moved the roundup of inode->i_size to outside of the +critical section delimited by the inode mutex, which is not atomic and +not correct since the size can be changed by other task before we acquire +the mutex. Therefore fix it. + +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2200,13 +2200,14 @@ static int btrfs_punch_hole(struct inode + bool same_page = ((offset >> PAGE_CACHE_SHIFT) == + ((offset + len - 1) >> PAGE_CACHE_SHIFT)); + bool no_holes = btrfs_fs_incompat(root->fs_info, NO_HOLES); +- u64 ino_size = round_up(inode->i_size, PAGE_CACHE_SIZE); ++ u64 ino_size; + + ret = btrfs_wait_ordered_range(inode, offset, len); + if (ret) + return ret; + + mutex_lock(&inode->i_mutex); ++ ino_size = round_up(inode->i_size, PAGE_CACHE_SIZE); + /* + * We needn't truncate any page which is beyond the end of the file + * because we are sure there is no data there. diff --git a/queue-3.15/btrfs-send-account-for-orphan-directories-when-building-path-strings.patch b/queue-3.15/btrfs-send-account-for-orphan-directories-when-building-path-strings.patch new file mode 100644 index 00000000000..5ebb39ecd80 --- /dev/null +++ b/queue-3.15/btrfs-send-account-for-orphan-directories-when-building-path-strings.patch @@ -0,0 +1,97 @@ +From c992ec94f24c3e7135d6c23860615f269f0b1d87 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sat, 22 Mar 2014 17:15:24 +0000 +Subject: Btrfs: send, account for orphan directories when building path strings + +From: Filipe Manana + +commit c992ec94f24c3e7135d6c23860615f269f0b1d87 upstream. + +If we have directories with a pending move/rename operation, we must take into +account any orphan directories that got created before executing the pending +move/rename. Those orphan directories are directories with an inode number higher +then the current send progress and that don't exist in the parent snapshot, they +are created before current progress reaches their inode number, with a generated +name of the form oN-M-I and at the root of the filesystem tree, and later when +progress matches their inode number, moved/renamed to their final location. + +Reproducer: + + $ mkfs.btrfs -f /dev/sdd + $ mount /dev/sdd /mnt + + $ mkdir -p /mnt/a/b/c/d + $ mkdir /mnt/a/b/e + $ mv /mnt/a/b/c /mnt/a/b/e/CC + $ mkdir /mnt/a/b/e/CC/d/f + $ mkdir /mnt/a/g + + $ btrfs subvolume snapshot -r /mnt /mnt/snap1 + $ btrfs send /mnt/snap1 -f /tmp/base.send + + $ mkdir /mnt/a/g/h + $ mv /mnt/a/b/e /mnt/a/g/h/EE + $ mv /mnt/a/g/h/EE/CC/d /mnt/a/g/h/EE/DD + + $ btrfs subvolume snapshot -r /mnt /mnt/snap2 + $ btrfs send -p /mnt/snap1 /mnt/snap2 -f /tmp/incremental.send + +The second receive command failed with the following error: + + ERROR: rename a/b/e/CC/d -> o264-7-0/EE/DD failed. No such file or directory + +A test case for xfstests follows soon. + +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/send.c | 33 +++++++++------------------------ + 1 file changed, 9 insertions(+), 24 deletions(-) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -3054,33 +3054,18 @@ static int apply_dir_move(struct send_ct + if (ret < 0) + goto out; + +- if (parent_ino == sctx->cur_ino) { +- /* child only renamed, not moved */ +- ASSERT(parent_gen == sctx->cur_inode_gen); +- ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, +- from_path); +- if (ret < 0) +- goto out; +- ret = fs_path_add_path(from_path, name); +- if (ret < 0) +- goto out; +- } else { +- /* child moved and maybe renamed too */ +- sctx->send_progress = pm->ino; +- ret = get_cur_path(sctx, pm->ino, pm->gen, from_path); +- if (ret < 0) +- goto out; +- } ++ ret = get_cur_path(sctx, parent_ino, parent_gen, ++ from_path); ++ if (ret < 0) ++ goto out; ++ ret = fs_path_add_path(from_path, name); ++ if (ret < 0) ++ goto out; + +- fs_path_free(name); ++ fs_path_reset(name); ++ to_path = name; + name = NULL; + +- to_path = fs_path_alloc(); +- if (!to_path) { +- ret = -ENOMEM; +- goto out; +- } +- + sctx->send_progress = sctx->cur_ino + 1; + ret = get_cur_path(sctx, pm->ino, pm->gen, to_path); + if (ret < 0) diff --git a/queue-3.15/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch b/queue-3.15/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch new file mode 100644 index 00000000000..10b2e9ffbb8 --- /dev/null +++ b/queue-3.15/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch @@ -0,0 +1,55 @@ +From 1af56070e3ef9477dbc7eba3b9ad7446979c7974 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sun, 25 May 2014 04:49:24 +0100 +Subject: Btrfs: send, don't error in the presence of subvols/snapshots + +From: Filipe Manana + +commit 1af56070e3ef9477dbc7eba3b9ad7446979c7974 upstream. + +If we are doing an incremental send and the base snapshot has a +directory with name X that doesn't exist anymore in the second +snapshot and a new subvolume/snapshot exists in the second snapshot +that has the same name as the directory (name X), the incremental +send would fail with -ENOENT error. This is because it attempts +to lookup for an inode with a number matching the objectid of a +root, which doesn't exist. + +Steps to reproduce: + + mkfs.btrfs -f /dev/sdd + mount /dev/sdd /mnt + + mkdir /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap1 + + rmdir /mnt/testdir + btrfs subvolume create /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap2 + + btrfs send -p /mnt/mysnap1 /mnt/mysnap2 -f /tmp/send.data + +A test case for xfstests follows. + +Reported-by: Robert White +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/send.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -1628,6 +1628,10 @@ static int lookup_dir_item_inode(struct + goto out; + } + btrfs_dir_item_key_to_cpu(path->nodes[0], di, &key); ++ if (key.type == BTRFS_ROOT_ITEM_KEY) { ++ ret = -ENOENT; ++ goto out; ++ } + *found_inode = key.objectid; + *found_type = btrfs_dir_type(path->nodes[0], di); + diff --git a/queue-3.15/btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch b/queue-3.15/btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch new file mode 100644 index 00000000000..47aa48d8aaf --- /dev/null +++ b/queue-3.15/btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch @@ -0,0 +1,81 @@ +From 7e3ae33efad1490d01040f552ef50e58ed6376ca Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 23 May 2014 20:15:16 +0100 +Subject: Btrfs: send, use the right limits for xattr names and values + +From: Filipe Manana + +commit 7e3ae33efad1490d01040f552ef50e58ed6376ca upstream. + +We were limiting the sum of the xattr name and value lengths to PATH_MAX, +which is not correct, specially on filesystems created with btrfs-progs +v3.12 or higher, where the default leaf size is max(16384, PAGE_SIZE), or +systems with page sizes larger than 4096 bytes. + +Xattrs have their own specific maximum name and value lengths, which depend +on the leaf size, therefore use these limits to be able to send xattrs with +sizes larger than PATH_MAX. + +A test case for xfstests follows. + +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/send.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -975,7 +975,7 @@ static int iterate_dir_item(struct btrfs + struct btrfs_dir_item *di; + struct btrfs_key di_key; + char *buf = NULL; +- const int buf_len = PATH_MAX; ++ int buf_len; + u32 name_len; + u32 data_len; + u32 cur; +@@ -985,6 +985,11 @@ static int iterate_dir_item(struct btrfs + int num; + u8 type; + ++ if (found_key->type == BTRFS_XATTR_ITEM_KEY) ++ buf_len = BTRFS_MAX_XATTR_SIZE(root); ++ else ++ buf_len = PATH_MAX; ++ + buf = kmalloc(buf_len, GFP_NOFS); + if (!buf) { + ret = -ENOMEM; +@@ -1006,12 +1011,23 @@ static int iterate_dir_item(struct btrfs + type = btrfs_dir_type(eb, di); + btrfs_dir_item_key_to_cpu(eb, di, &di_key); + +- /* +- * Path too long +- */ +- if (name_len + data_len > buf_len) { +- ret = -ENAMETOOLONG; +- goto out; ++ if (type == BTRFS_FT_XATTR) { ++ if (name_len > XATTR_NAME_MAX) { ++ ret = -ENAMETOOLONG; ++ goto out; ++ } ++ if (name_len + data_len > buf_len) { ++ ret = -E2BIG; ++ goto out; ++ } ++ } else { ++ /* ++ * Path too long ++ */ ++ if (name_len + data_len > buf_len) { ++ ret = -ENAMETOOLONG; ++ goto out; ++ } + } + + read_extent_buffer(eb, buf, (unsigned long)(di + 1), diff --git a/queue-3.15/btrfs-set-right-total-device-count-for-seeding-support.patch b/queue-3.15/btrfs-set-right-total-device-count-for-seeding-support.patch new file mode 100644 index 00000000000..9bd33459472 --- /dev/null +++ b/queue-3.15/btrfs-set-right-total-device-count-for-seeding-support.patch @@ -0,0 +1,45 @@ +From 298658414a2f0bea1f05a81876a45c1cd96aa2e0 Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Tue, 13 May 2014 17:05:06 +0800 +Subject: Btrfs: set right total device count for seeding support + +From: Wang Shilong + +commit 298658414a2f0bea1f05a81876a45c1cd96aa2e0 upstream. + +Seeding device support allows us to create a new filesystem +based on existed filesystem. + +However newly created filesystem's @total_devices should include seed +devices. This patch fix the following problem: + + # mkfs.btrfs -f /dev/sdb + # btrfstune -S 1 /dev/sdb + # mount /dev/sdb /mnt + # btrfs device add -f /dev/sdc /mnt --->fs_devices->total_devices = 1 + # umount /mnt + # mount /dev/sdc /mnt --->fs_devices->total_devices = 2 + +This is because we record right @total_devices in superblock, but +@fs_devices->total_devices is reset to be 0 in btrfs_prepare_sprout(). + +Fix this problem by not resetting @fs_devices->total_devices. + +Signed-off-by: Wang Shilong +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1903,7 +1903,6 @@ static int btrfs_prepare_sprout(struct b + fs_devices->seeding = 0; + fs_devices->num_devices = 0; + fs_devices->open_devices = 0; +- fs_devices->total_devices = 0; + fs_devices->seed = seed_devices; + + generate_random_uuid(fs_devices->fsid); diff --git a/queue-3.15/btrfs-use-right-type-to-get-real-comparison.patch b/queue-3.15/btrfs-use-right-type-to-get-real-comparison.patch new file mode 100644 index 00000000000..53dc23b3db1 --- /dev/null +++ b/queue-3.15/btrfs-use-right-type-to-get-real-comparison.patch @@ -0,0 +1,31 @@ +From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Sun, 8 Jun 2014 19:04:13 +0800 +Subject: Btrfs: use right type to get real comparison + +From: Liu Bo + +commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream. + +We want to make sure the point is still within the extent item, not to verify +the memory it's pointing to. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1424,7 +1424,7 @@ static int __get_extent_inline_ref(unsig + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } + *ptr = (unsigned long)*out_eiref; +- if ((void *)*ptr >= (void *)ei + item_size) ++ if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size) + return -ENOENT; + } + diff --git a/queue-3.15/cifs-fix-memory-leaks-in-smb2_open.patch b/queue-3.15/cifs-fix-memory-leaks-in-smb2_open.patch new file mode 100644 index 00000000000..49862c7e001 --- /dev/null +++ b/queue-3.15/cifs-fix-memory-leaks-in-smb2_open.patch @@ -0,0 +1,57 @@ +From 663a962151593c69374776e8651238d0da072459 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Sat, 24 May 2014 16:42:02 +0400 +Subject: CIFS: Fix memory leaks in SMB2_open + +From: Pavel Shilovsky + +commit 663a962151593c69374776e8651238d0da072459 upstream. + +Signed-off-by: Pavel Shilovsky +Reviewed-by: Shirish Pargaonkar +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1089,6 +1089,7 @@ SMB2_open(const unsigned int xid, struct + int rc = 0; + unsigned int num_iovecs = 2; + __u32 file_attributes = 0; ++ char *dhc_buf = NULL, *lc_buf = NULL; + + cifs_dbg(FYI, "create/open\n"); + +@@ -1155,6 +1156,7 @@ SMB2_open(const unsigned int xid, struct + kfree(copy_path); + return rc; + } ++ lc_buf = iov[num_iovecs-1].iov_base; + } + + if (*oplock == SMB2_OPLOCK_LEVEL_BATCH) { +@@ -1169,9 +1171,10 @@ SMB2_open(const unsigned int xid, struct + if (rc) { + cifs_small_buf_release(req); + kfree(copy_path); +- kfree(iov[num_iovecs-1].iov_base); ++ kfree(lc_buf); + return rc; + } ++ dhc_buf = iov[num_iovecs-1].iov_base; + } + + rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); +@@ -1203,6 +1206,8 @@ SMB2_open(const unsigned int xid, struct + *oplock = rsp->OplockLevel; + creat_exit: + kfree(copy_path); ++ kfree(lc_buf); ++ kfree(dhc_buf); + free_rsp_buf(resp_buftype, rsp); + return rc; + } diff --git a/queue-3.15/f2fs-submit-bio-at-the-reclaim-path.patch b/queue-3.15/f2fs-submit-bio-at-the-reclaim-path.patch new file mode 100644 index 00000000000..22f1c09312f --- /dev/null +++ b/queue-3.15/f2fs-submit-bio-at-the-reclaim-path.patch @@ -0,0 +1,37 @@ +From 2aea39eca6b68d6ae7eb545332df0695f56a3d3f Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Thu, 24 Apr 2014 09:49:52 +0900 +Subject: f2fs: submit bio at the reclaim path + +From: Jaegeuk Kim + +commit 2aea39eca6b68d6ae7eb545332df0695f56a3d3f upstream. + +If f2fs_write_data_page is called through the reclaim path, we should submit +the bio right away. + +This patch resolves the following issue that Marc Dietrich reported. +"It took me a while to bisect a problem which causes my ARM (tegra2) netbook to +frequently stall for 5-10 seconds when I enable EXA acceleration (opentegra +experimental ddx)." +And this patch fixes that. + +Reported-by: Marc Dietrich +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/data.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -835,6 +835,8 @@ out: + unlock_page(page); + if (need_balance_fs) + f2fs_balance_fs(sbi); ++ if (wbc->for_reclaim) ++ f2fs_submit_merged_bio(sbi, DATA, WRITE); + return 0; + + redirty_out: diff --git a/queue-3.15/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch b/queue-3.15/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..a8fbfd74149 --- /dev/null +++ b/queue-3.15/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001 +From: Rickard Strandqvist +Date: Thu, 22 May 2014 22:43:43 +0200 +Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference + +From: Rickard Strandqvist + +commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream. + +There is otherwise a risk of a possible null pointer dereference. + +Was largely found by using a static code analysis program called cppcheck. + +Signed-off-by: Rickard Strandqvist +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1690,11 +1690,12 @@ int btrfs_rm_device(struct btrfs_root *r + struct btrfs_fs_devices *fs_devices; + fs_devices = root->fs_info->fs_devices; + while (fs_devices) { +- if (fs_devices->seed == cur_devices) ++ if (fs_devices->seed == cur_devices) { ++ fs_devices->seed = cur_devices->seed; + break; ++ } + fs_devices = fs_devices->seed; + } +- fs_devices->seed = cur_devices->seed; + cur_devices->seed = NULL; + lock_chunks(root); + __btrfs_close_devices(cur_devices); diff --git a/queue-3.15/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch b/queue-3.15/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch new file mode 100644 index 00000000000..1d76cb87584 --- /dev/null +++ b/queue-3.15/genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch @@ -0,0 +1,216 @@ +From 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 7 Mar 2013 14:53:45 +0100 +Subject: genirq: Sanitize spurious interrupt detection of threaded irqs + +From: Thomas Gleixner + +commit 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c upstream. + +Till reported that the spurious interrupt detection of threaded +interrupts is broken in two ways: + +- note_interrupt() is called for each action thread of a shared + interrupt line. That's wrong as we are only interested whether none + of the device drivers felt responsible for the interrupt, but by + calling multiple times for a single interrupt line we account + IRQ_NONE even if one of the drivers felt responsible. + +- note_interrupt() when called from the thread handler is not + serialized. That leaves the members of irq_desc which are used for + the spurious detection unprotected. + +To solve this we need to defer the spurious detection of a threaded +interrupt to the next hardware interrupt context where we have +implicit serialization. + +If note_interrupt is called with action_ret == IRQ_WAKE_THREAD, we +check whether the previous interrupt requested a deferred check. If +not, we request a deferred check for the next hardware interrupt and +return. + +If set, we check whether one of the interrupt threads signaled +success. Depending on this information we feed the result into the +spurious detector. + +If one primary handler of a shared interrupt returns IRQ_HANDLED we +disable the deferred check of irq threads on the same line, as we have +found at least one device driver who cared. + +Reported-by: Till Straumann +Signed-off-by: Thomas Gleixner +Tested-by: Austin Schuh +Cc: Oliver Hartkopp +Cc: Wolfgang Grandegger +Cc: Pavel Pisa +Cc: Marc Kleine-Budde +Cc: linux-can@vger.kernel.org +Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1303071450130.22263@ionos +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irqdesc.h | 4 + + kernel/irq/manage.c | 4 - + kernel/irq/spurious.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 108 insertions(+), 6 deletions(-) + +--- a/include/linux/irqdesc.h ++++ b/include/linux/irqdesc.h +@@ -27,6 +27,8 @@ struct irq_desc; + * @irq_count: stats field to detect stalled irqs + * @last_unhandled: aging timer for unhandled count + * @irqs_unhandled: stats field for spurious unhandled interrupts ++ * @threads_handled: stats field for deferred spurious detection of threaded handlers ++ * @threads_handled_last: comparator field for deferred spurious detection of theraded handlers + * @lock: locking for SMP + * @affinity_hint: hint to user space for preferred irq affinity + * @affinity_notify: context for notification of affinity changes +@@ -52,6 +54,8 @@ struct irq_desc { + unsigned int irq_count; /* For detecting broken IRQs */ + unsigned long last_unhandled; /* Aging timer for unhandled count */ + unsigned int irqs_unhandled; ++ atomic_t threads_handled; ++ int threads_handled_last; + raw_spinlock_t lock; + struct cpumask *percpu_enabled; + #ifdef CONFIG_SMP +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -886,8 +886,8 @@ static int irq_thread(void *data) + irq_thread_check_affinity(desc, action); + + action_ret = handler_fn(desc, action); +- if (!noirqdebug) +- note_interrupt(action->irq, desc, action_ret); ++ if (action_ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); + + wake_threads_waitq(desc); + } +--- a/kernel/irq/spurious.c ++++ b/kernel/irq/spurious.c +@@ -270,6 +270,8 @@ try_misrouted_irq(unsigned int irq, stru + return action && (action->flags & IRQF_IRQPOLL); + } + ++#define SPURIOUS_DEFERRED 0x80000000 ++ + void note_interrupt(unsigned int irq, struct irq_desc *desc, + irqreturn_t action_ret) + { +@@ -277,15 +279,111 @@ void note_interrupt(unsigned int irq, st + irq_settings_is_polled(desc)) + return; + +- /* we get here again via the threaded handler */ +- if (action_ret == IRQ_WAKE_THREAD) +- return; +- + if (bad_action_ret(action_ret)) { + report_bad_irq(irq, desc, action_ret); + return; + } + ++ /* ++ * We cannot call note_interrupt from the threaded handler ++ * because we need to look at the compound of all handlers ++ * (primary and threaded). Aside of that in the threaded ++ * shared case we have no serialization against an incoming ++ * hardware interrupt while we are dealing with a threaded ++ * result. ++ * ++ * So in case a thread is woken, we just note the fact and ++ * defer the analysis to the next hardware interrupt. ++ * ++ * The threaded handlers store whether they sucessfully ++ * handled an interrupt and we check whether that number ++ * changed versus the last invocation. ++ * ++ * We could handle all interrupts with the delayed by one ++ * mechanism, but for the non forced threaded case we'd just ++ * add pointless overhead to the straight hardirq interrupts ++ * for the sake of a few lines less code. ++ */ ++ if (action_ret & IRQ_WAKE_THREAD) { ++ /* ++ * There is a thread woken. Check whether one of the ++ * shared primary handlers returned IRQ_HANDLED. If ++ * not we defer the spurious detection to the next ++ * interrupt. ++ */ ++ if (action_ret == IRQ_WAKE_THREAD) { ++ int handled; ++ /* ++ * We use bit 31 of thread_handled_last to ++ * denote the deferred spurious detection ++ * active. No locking necessary as ++ * thread_handled_last is only accessed here ++ * and we have the guarantee that hard ++ * interrupts are not reentrant. ++ */ ++ if (!(desc->threads_handled_last & SPURIOUS_DEFERRED)) { ++ desc->threads_handled_last |= SPURIOUS_DEFERRED; ++ return; ++ } ++ /* ++ * Check whether one of the threaded handlers ++ * returned IRQ_HANDLED since the last ++ * interrupt happened. ++ * ++ * For simplicity we just set bit 31, as it is ++ * set in threads_handled_last as well. So we ++ * avoid extra masking. And we really do not ++ * care about the high bits of the handled ++ * count. We just care about the count being ++ * different than the one we saw before. ++ */ ++ handled = atomic_read(&desc->threads_handled); ++ handled |= SPURIOUS_DEFERRED; ++ if (handled != desc->threads_handled_last) { ++ action_ret = IRQ_HANDLED; ++ /* ++ * Note: We keep the SPURIOUS_DEFERRED ++ * bit set. We are handling the ++ * previous invocation right now. ++ * Keep it for the current one, so the ++ * next hardware interrupt will ++ * account for it. ++ */ ++ desc->threads_handled_last = handled; ++ } else { ++ /* ++ * None of the threaded handlers felt ++ * responsible for the last interrupt ++ * ++ * We keep the SPURIOUS_DEFERRED bit ++ * set in threads_handled_last as we ++ * need to account for the current ++ * interrupt as well. ++ */ ++ action_ret = IRQ_NONE; ++ } ++ } else { ++ /* ++ * One of the primary handlers returned ++ * IRQ_HANDLED. So we don't care about the ++ * threaded handlers on the same line. Clear ++ * the deferred detection bit. ++ * ++ * In theory we could/should check whether the ++ * deferred bit is set and take the result of ++ * the previous run into account here as ++ * well. But it's really not worth the ++ * trouble. If every other interrupt is ++ * handled we never trigger the spurious ++ * detector. And if this is just the one out ++ * of 100k unhandled ones which is handled ++ * then we merily delay the spurious detection ++ * by one hard interrupt. Not a real problem. ++ */ ++ desc->threads_handled_last &= ~SPURIOUS_DEFERRED; ++ } ++ } ++ + if (unlikely(action_ret == IRQ_NONE)) { + /* + * If we are seeing only the odd spurious IRQ caused by diff --git a/queue-3.15/revert-drm-radeon-use-variable-uvd-clocks.patch b/queue-3.15/revert-drm-radeon-use-variable-uvd-clocks.patch new file mode 100644 index 00000000000..4ba54ced47a --- /dev/null +++ b/queue-3.15/revert-drm-radeon-use-variable-uvd-clocks.patch @@ -0,0 +1,55 @@ +From 0690a229c69f40a6c9c459ab455c85df49822525 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Sat, 7 Jun 2014 11:31:25 -0400 +Subject: Revert "drm/radeon: use variable UVD clocks" + +From: Alex Deucher + +commit 0690a229c69f40a6c9c459ab455c85df49822525 upstream. + +This caused reduced performance for some users with advanced post +processing enabled. We need a better method to pick the +UVD state based on the amount of post processing required or tune +the advanced post processing to fit within the lower power state +envelope. + +This reverts commit 14a9579ddbf15dd1992a9481a4ec80b0b91656d5. + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_pm.c | 3 +++ + drivers/gpu/drm/radeon/radeon_uvd.c | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -984,6 +984,8 @@ void radeon_dpm_enable_uvd(struct radeon + if (enable) { + mutex_lock(&rdev->pm.mutex); + rdev->pm.dpm.uvd_active = true; ++ /* disable this for now */ ++#if 0 + if ((rdev->pm.dpm.sd == 1) && (rdev->pm.dpm.hd == 0)) + dpm_state = POWER_STATE_TYPE_INTERNAL_UVD_SD; + else if ((rdev->pm.dpm.sd == 2) && (rdev->pm.dpm.hd == 0)) +@@ -993,6 +995,7 @@ void radeon_dpm_enable_uvd(struct radeon + else if ((rdev->pm.dpm.sd == 0) && (rdev->pm.dpm.hd == 2)) + dpm_state = POWER_STATE_TYPE_INTERNAL_UVD_HD2; + else ++#endif + dpm_state = POWER_STATE_TYPE_INTERNAL_UVD; + rdev->pm.dpm.state = dpm_state; + mutex_unlock(&rdev->pm.mutex); +--- a/drivers/gpu/drm/radeon/radeon_uvd.c ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c +@@ -812,7 +812,8 @@ void radeon_uvd_note_usage(struct radeon + (rdev->pm.dpm.hd != hd)) { + rdev->pm.dpm.sd = sd; + rdev->pm.dpm.hd = hd; +- streams_changed = true; ++ /* disable this for now */ ++ /*streams_changed = true;*/ + } + } + diff --git a/queue-3.15/revert-offb-add-palette-hack-for-little-endian.patch b/queue-3.15/revert-offb-add-palette-hack-for-little-endian.patch new file mode 100644 index 00000000000..a2661784731 --- /dev/null +++ b/queue-3.15/revert-offb-add-palette-hack-for-little-endian.patch @@ -0,0 +1,55 @@ +From 68986c9f0f4552c34c248501eb0c690553866d6e Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Mon, 16 Jun 2014 19:40:20 +1000 +Subject: Revert "offb: Add palette hack for little endian" + +From: Benjamin Herrenschmidt + +commit 68986c9f0f4552c34c248501eb0c690553866d6e upstream. + +This reverts commit e1edf18b20076da83dd231dbd2146cbbc31c0b14. + +This patch was a misguided attempt at fixing offb for LE ppc64 +kernels on BE qemu but is just wrong ... it breaks real LE/LE +setups, LE with real HW, and existing mixed endian systems +that did the fight thing with the appropriate device-tree +property. Bad reviewing on my part, sorry. + +The right fix is to either make qemu change its endian when +the guest changes endian (working on that) or to use the +existing foreign endian support. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/offb.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/drivers/video/fbdev/offb.c ++++ b/drivers/video/fbdev/offb.c +@@ -91,15 +91,6 @@ extern boot_infos_t *boot_infos; + #define AVIVO_DC_LUTB_WHITE_OFFSET_GREEN 0x6cd4 + #define AVIVO_DC_LUTB_WHITE_OFFSET_RED 0x6cd8 + +-#define FB_RIGHT_POS(p, bpp) (fb_be_math(p) ? 0 : (32 - (bpp))) +- +-static inline u32 offb_cmap_byteswap(struct fb_info *info, u32 value) +-{ +- u32 bpp = info->var.bits_per_pixel; +- +- return cpu_to_be32(value) >> FB_RIGHT_POS(info, bpp); +-} +- + /* + * Set a single color register. The values supplied are already + * rounded down to the hardware's capabilities (according to the +@@ -129,7 +120,7 @@ static int offb_setcolreg(u_int regno, u + mask <<= info->var.transp.offset; + value |= mask; + } +- pal[regno] = offb_cmap_byteswap(info, value); ++ pal[regno] = value; + return 0; + } + diff --git a/queue-3.15/series b/queue-3.15/series index bc8e595c816..7eb42e2ff27 100644 --- a/queue-3.15/series +++ b/queue-3.15/series @@ -98,3 +98,34 @@ target-report-correct-response-length-for-some-commands.patch scsi_cmnd-introduce-scsi_transfer_length-helper.patch libiscsi-iser-adjust-data_length-to-include-protection-information.patch target-sbc-loopback-adjust-command-data-length-in-case-pi-exists-on-the-wire.patch +f2fs-submit-bio-at-the-reclaim-path.patch +arm-mvebu-dt-fix-openblocks-ax3-4-ram-size.patch +arm64-uid16-fix-__kernel_old_-gid-uid-_t-definitions.patch +arm64-dma-removing-arch_has_dma_get_required_mask-macro.patch +arm64-mm-remove-broken-operator-from-pmd_mknotpresent.patch +x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch +x86-x32-use-compat-shims-for-io_-setup-submit.patch +revert-drm-radeon-use-variable-uvd-clocks.patch +revert-offb-add-palette-hack-for-little-endian.patch +genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch +aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch +aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch +cifs-fix-memory-leaks-in-smb2_open.patch +btrfs-fix-leaf-corruption-caused-by-enospc-while-hole-punching.patch +btrfs-fix-double-free-in-find_lock_delalloc_range.patch +btrfs-read-inode-size-after-acquiring-the-mutex-when-punching-a-hole.patch +btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch +btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch +btrfs-send-account-for-orphan-directories-when-building-path-strings.patch +btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch +btrfs-fix-null-pointer-crash-of-deleting-a-seed-device.patch +btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch +btrfs-set-right-total-device-count-for-seeding-support.patch +btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch +btrfs-send-use-the-right-limits-for-xattr-names-and-values.patch +btrfs-allocate-raid-type-kobjects-dynamically.patch +fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch +btrfs-don-t-check-nodes-for-extent-items.patch +btrfs-use-right-type-to-get-real-comparison.patch +btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch +btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch diff --git a/queue-3.15/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch b/queue-3.15/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch new file mode 100644 index 00000000000..c6f4b044113 --- /dev/null +++ b/queue-3.15/x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch @@ -0,0 +1,37 @@ +From 246f2d2ee1d715e1077fc47d61c394569c8ee692 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Wed, 30 Apr 2014 14:03:25 -0700 +Subject: x86-32, espfix: Remove filter for espfix32 due to race + +From: "H. Peter Anvin" + +commit 246f2d2ee1d715e1077fc47d61c394569c8ee692 upstream. + +It is not safe to use LAR to filter when to go down the espfix path, +because the LDT is per-process (rather than per-thread) and another +thread might change the descriptors behind our back. Fortunately it +is always *safe* (if a bit slow) to go down the espfix path, and a +32-bit LDT stack segment is extremely rare. + +Signed-off-by: H. Peter Anvin +Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/entry_32.S | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -551,11 +551,6 @@ ENTRY(iret_exc) + + CFI_RESTORE_STATE + ldt_ss: +- larl PT_OLDSS(%esp), %eax +- jnz restore_nocheck +- testl $0x00400000, %eax # returning to 32bit stack? +- jnz restore_nocheck # allright, normal return +- + #ifdef CONFIG_PARAVIRT + /* + * The kernel can't run on a non-flat stack if paravirt mode diff --git a/queue-3.15/x86-x32-use-compat-shims-for-io_-setup-submit.patch b/queue-3.15/x86-x32-use-compat-shims-for-io_-setup-submit.patch new file mode 100644 index 00000000000..5a4965e0c1e --- /dev/null +++ b/queue-3.15/x86-x32-use-compat-shims-for-io_-setup-submit.patch @@ -0,0 +1,57 @@ +From 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sun, 4 May 2014 20:43:15 -0400 +Subject: x86, x32: Use compat shims for io_{setup,submit} + +From: Mike Frysinger + +commit 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 upstream. + +The io_setup takes a pointer to a context id of type aio_context_t. +This in turn is typed to a __kernel_ulong_t. We could tweak the +exported headers to define this as a 64bit quantity for specific +ABIs, but since we already have a 32bit compat shim for the x86 ABI, +let's just re-use that logic. The libaio package is also written to +expect this as a pointer type, so a compat shim would simplify that. + +The io_submit func operates on an array of pointers to iocb structs. +Padding out the array to be 64bit aligned is a huge pain, so convert +it over to the existing compat shim too. + +We don't convert io_getevents to the compat func as its only purpose +is to handle the timespec struct, and the x32 ABI uses 64bit times. + +With this change, the libaio package can now pass its testsuite when +built for the x32 ABI. + +Signed-off-by: Mike Frysinger +Link: http://lkml.kernel.org/r/1399250595-5005-1-git-send-email-vapier@gentoo.org +Cc: H.J. Lu +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/syscalls/syscall_64.tbl | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/syscalls/syscall_64.tbl ++++ b/arch/x86/syscalls/syscall_64.tbl +@@ -212,10 +212,10 @@ + 203 common sched_setaffinity sys_sched_setaffinity + 204 common sched_getaffinity sys_sched_getaffinity + 205 64 set_thread_area +-206 common io_setup sys_io_setup ++206 64 io_setup sys_io_setup + 207 common io_destroy sys_io_destroy + 208 common io_getevents sys_io_getevents +-209 common io_submit sys_io_submit ++209 64 io_submit sys_io_submit + 210 common io_cancel sys_io_cancel + 211 64 get_thread_area + 212 common lookup_dcookie sys_lookup_dcookie +@@ -359,3 +359,5 @@ + 540 x32 process_vm_writev compat_sys_process_vm_writev + 541 x32 setsockopt compat_sys_setsockopt + 542 x32 getsockopt compat_sys_getsockopt ++543 x32 io_setup compat_sys_io_setup ++544 x32 io_submit compat_sys_io_submit -- 2.47.3