From d202f33b7051dcced1cf66dd4942ed3bc6ff7c22 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 27 Jun 2014 18:12:16 -0700 Subject: [PATCH] 3.10-stable patches added patches: btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch btrfs-fix-double-free-in-find_lock_delalloc_range.patch btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch btrfs-set-right-total-device-count-for-seeding-support.patch btrfs-use-right-type-to-get-real-comparison.patch fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch skbuff-skb_segment-orphan-frags-before-copying.patch --- ...e-update-for-btrfs-device-add-remove.patch | 76 ++++++++++++ ...ble-free-in-find_lock_delalloc_range.patch | 29 +++++ ...ng-to-handle-skinny-metadata-extents.patch | 117 ++++++++++++++++++ ...f-uninit-ret-in-end_extent_writepage.patch | 45 +++++++ ...ead-requests-before-stopping-workers.patch | 44 +++++++ ...r-flag-to-report-errors-to-userspace.patch | 34 +++++ ...when-loading-free-space-cache-failed.patch | 42 +++++++ ...in-the-presence-of-subvols-snapshots.patch | 55 ++++++++ ...tal-device-count-for-seeding-support.patch | 45 +++++++ ...se-right-type-to-get-real-comparison.patch | 31 +++++ ...or-possible-null-pointer-dereference.patch | 38 ++++++ queue-3.10/series | 12 ++ ..._segment-orphan-frags-before-copying.patch | 43 +++++++ 13 files changed, 611 insertions(+) create mode 100644 queue-3.10/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch create mode 100644 queue-3.10/btrfs-fix-double-free-in-find_lock_delalloc_range.patch create mode 100644 queue-3.10/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch create mode 100644 queue-3.10/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch create mode 100644 queue-3.10/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch create mode 100644 queue-3.10/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch create mode 100644 queue-3.10/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch create mode 100644 queue-3.10/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch create mode 100644 queue-3.10/btrfs-set-right-total-device-count-for-seeding-support.patch create mode 100644 queue-3.10/btrfs-use-right-type-to-get-real-comparison.patch create mode 100644 queue-3.10/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch create mode 100644 queue-3.10/skbuff-skb_segment-orphan-frags-before-copying.patch diff --git a/queue-3.10/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch b/queue-3.10/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch new file mode 100644 index 00000000000..84c9e22537e --- /dev/null +++ b/queue-3.10/btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch @@ -0,0 +1,76 @@ +From 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 16 Apr 2014 17:02:32 +0800 +Subject: btrfs: Add ctime/mtime update for btrfs device add/remove. + +From: Qu Wenruo + +commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream. + +Btrfs will send uevent to udev inform the device change, +but ctime/mtime for the block device inode is not udpated, which cause +libblkid used by btrfs-progs unable to detect device change and use old +cache, causing 'btrfs dev scan; btrfs dev rmove; btrfs dev scan' give an +error message. + +Reported-by: Tsutomu Itoh +Cc: Karel Zak +Signed-off-by: Qu Wenruo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1384,6 +1384,22 @@ out: + return ret; + } + ++/* ++ * Function to update ctime/mtime for a given device path. ++ * Mainly used for ctime/mtime based probe like libblkid. ++ */ ++static void update_dev_time(char *path_name) ++{ ++ struct file *filp; ++ ++ filp = filp_open(path_name, O_RDWR, 0); ++ if (!filp) ++ return; ++ file_update_time(filp); ++ filp_close(filp, NULL); ++ return; ++} ++ + static int btrfs_rm_dev_item(struct btrfs_root *root, + struct btrfs_device *device) + { +@@ -1642,10 +1658,14 @@ int btrfs_rm_device(struct btrfs_root *r + + ret = 0; + +- /* Notify udev that device has changed */ +- if (bdev) ++ if (bdev) { ++ /* Notify udev that device has changed */ + btrfs_kobject_uevent(bdev, KOBJ_CHANGE); + ++ /* Update ctime/mtime for device path for libblkid */ ++ update_dev_time(device_path); ++ } ++ + error_brelse: + brelse(bh); + if (bdev) +@@ -2089,6 +2109,8 @@ int btrfs_init_new_device(struct btrfs_r + ret = btrfs_commit_transaction(trans, root); + } + ++ /* Update ctime/mtime for libblkid */ ++ update_dev_time(device_path); + return ret; + + error_trans: diff --git a/queue-3.10/btrfs-fix-double-free-in-find_lock_delalloc_range.patch b/queue-3.10/btrfs-fix-double-free-in-find_lock_delalloc_range.patch new file mode 100644 index 00000000000..d54e605411a --- /dev/null +++ b/queue-3.10/btrfs-fix-double-free-in-find_lock_delalloc_range.patch @@ -0,0 +1,29 @@ +From 7d78874273463a784759916fc3e0b4e2eb141c70 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Wed, 21 May 2014 05:49:54 -0700 +Subject: Btrfs: fix double free in find_lock_delalloc_range + +From: Chris Mason + +commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream. + +We need to NULL the cached_state after freeing it, otherwise +we might free it again if find_delalloc_range doesn't find anything. + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1624,6 +1624,7 @@ again: + * shortening the size of the delalloc range we're searching + */ + free_extent_state(cached_state); ++ cached_state = NULL; + if (!loops) { + unsigned long offset = (*start) & (PAGE_CACHE_SIZE - 1); + max_bytes = PAGE_CACHE_SIZE - offset; diff --git a/queue-3.10/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch b/queue-3.10/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch new file mode 100644 index 00000000000..500e9a29e79 --- /dev/null +++ b/queue-3.10/btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch @@ -0,0 +1,117 @@ +From 6eda71d0c030af0fc2f68aaa676e6d445600855b Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 9 Jun 2014 10:54:07 +0800 +Subject: Btrfs: fix scrub_print_warning to handle skinny metadata extents + +From: Liu Bo + +commit 6eda71d0c030af0fc2f68aaa676e6d445600855b upstream. + +The skinny extents are intepreted incorrectly in scrub_print_warning(), +and end up hitting the BUG() in btrfs_extent_inline_ref_size. + +Reported-by: Konstantinos Skarlatos +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 30 +++++++++++++++++++----------- + fs/btrfs/backref.h | 4 ++-- + fs/btrfs/scrub.c | 5 +++-- + 3 files changed, 24 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1347,9 +1347,10 @@ int extent_from_logical(struct btrfs_fs_ + * returns <0 on error + */ + static int __get_extent_inline_ref(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- struct btrfs_extent_inline_ref **out_eiref, +- int *out_type) ++ struct btrfs_key *key, ++ struct btrfs_extent_item *ei, u32 item_size, ++ struct btrfs_extent_inline_ref **out_eiref, ++ int *out_type) + { + unsigned long end; + u64 flags; +@@ -1359,9 +1360,16 @@ static int __get_extent_inline_ref(unsig + /* first call */ + flags = btrfs_extent_flags(eb, ei); + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { +- info = (struct btrfs_tree_block_info *)(ei + 1); +- *out_eiref = +- (struct btrfs_extent_inline_ref *)(info + 1); ++ if (key->type == BTRFS_METADATA_ITEM_KEY) { ++ /* a skinny metadata extent */ ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(ei + 1); ++ } else { ++ WARN_ON(key->type != BTRFS_EXTENT_ITEM_KEY); ++ info = (struct btrfs_tree_block_info *)(ei + 1); ++ *out_eiref = ++ (struct btrfs_extent_inline_ref *)(info + 1); ++ } + } else { + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } +@@ -1371,7 +1379,7 @@ static int __get_extent_inline_ref(unsig + } + + end = (unsigned long)ei + item_size; +- *out_eiref = (struct btrfs_extent_inline_ref *)*ptr; ++ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr); + *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref); + + *ptr += btrfs_extent_inline_ref_size(*out_type); +@@ -1390,8 +1398,8 @@ static int __get_extent_inline_ref(unsig + * <0 on error. + */ + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level) ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level) + { + int ret; + int type; +@@ -1402,8 +1410,8 @@ int tree_backref_for_extent(unsigned lon + return 1; + + while (1) { +- ret = __get_extent_inline_ref(ptr, eb, ei, item_size, +- &eiref, &type); ++ ret = __get_extent_inline_ref(ptr, eb, key, ei, item_size, ++ &eiref, &type); + if (ret < 0) + return ret; + +--- a/fs/btrfs/backref.h ++++ b/fs/btrfs/backref.h +@@ -42,8 +42,8 @@ int extent_from_logical(struct btrfs_fs_ + u64 *flags); + + int tree_backref_for_extent(unsigned long *ptr, struct extent_buffer *eb, +- struct btrfs_extent_item *ei, u32 item_size, +- u64 *out_root, u8 *out_level); ++ struct btrfs_key *key, struct btrfs_extent_item *ei, ++ u32 item_size, u64 *out_root, u8 *out_level); + + int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + u64 extent_item_objectid, +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -545,8 +545,9 @@ static void scrub_print_warning(const ch + + if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) { + do { +- ret = tree_backref_for_extent(&ptr, eb, ei, item_size, +- &ref_root, &ref_level); ++ ret = tree_backref_for_extent(&ptr, eb, &found_key, ei, ++ item_size, &ref_root, ++ &ref_level); + printk_in_rcu(KERN_WARNING + "btrfs: %s at logical %llu on dev %s, " + "sector %llu: metadata %s (level %d) in tree " diff --git a/queue-3.10/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch b/queue-3.10/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch new file mode 100644 index 00000000000..494a9f1696d --- /dev/null +++ b/queue-3.10/btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch @@ -0,0 +1,45 @@ +From 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Thu, 12 Jun 2014 00:39:58 -0500 +Subject: btrfs: fix use of uninit "ret" in end_extent_writepage() + +From: Eric Sandeen + +commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream. + +If this condition in end_extent_writepage() is false: + + if (tree->ops && tree->ops->writepage_end_io_hook) + +we will then test an uninitialized "ret" at: + + ret = ret < 0 ? ret : -EIO; + +The test for ret is for the case where ->writepage_end_io_hook +failed, and we'd choose that ret as the error; but if +there is no ->writepage_end_io_hook, nothing sets ret. + +Initializing ret to 0 should be sufficient; if +writepage_end_io_hook wasn't set, (!uptodate) means +non-zero err was passed in, so we choose -EIO in that case. + +Signed-of-by: Eric Sandeen + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2357,7 +2357,7 @@ int end_extent_writepage(struct page *pa + { + int uptodate = (err == 0); + struct extent_io_tree *tree; +- int ret; ++ int ret = 0; + + tree = &BTRFS_I(page->mapping->host)->io_tree; + diff --git a/queue-3.10/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch b/queue-3.10/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch new file mode 100644 index 00000000000..b9e603e34a4 --- /dev/null +++ b/queue-3.10/btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch @@ -0,0 +1,44 @@ +From de348ee022175401e77d7662b7ca6e231a94e3fd Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Wed, 9 Apr 2014 19:23:22 +0800 +Subject: Btrfs: make sure there are not any read requests before stopping workers + +From: Wang Shilong + +commit de348ee022175401e77d7662b7ca6e231a94e3fd upstream. + +In close_ctree(), after we have stopped all workers,there maybe still +some read requests(for example readahead) to submit and this *maybe* trigger +an oops that user reported before: + +kernel BUG at fs/btrfs/async-thread.c:619! + +By hacking codes, i can reproduce this problem with one cpu available. +We fix this potential problem by invalidating all btree inode pages before +stopping all workers. + +Thanks to Miao for pointing out this problem. + +Signed-off-by: Wang Shilong +Reviewed-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3518,6 +3518,11 @@ int close_ctree(struct btrfs_root *root) + + btrfs_free_block_groups(fs_info); + ++ /* ++ * we must make sure there is not any read request to ++ * submit after we stopping all workers. ++ */ ++ invalidate_inode_pages2(fs_info->btree_inode->i_mapping); + btrfs_stop_all_workers(fs_info); + + del_fs_roots(fs_info); diff --git a/queue-3.10/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch b/queue-3.10/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch new file mode 100644 index 00000000000..69bede510bb --- /dev/null +++ b/queue-3.10/btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch @@ -0,0 +1,34 @@ +From 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Mon, 12 May 2014 12:47:36 +0800 +Subject: Btrfs: mark mapping with error flag to report errors to userspace + +From: Liu Bo + +commit 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 upstream. + +According to commit 865ffef3797da2cac85b3354b5b6050dc9660978 +(fs: fix fsync() error reporting), +it's not stable to just check error pages because pages can be +truncated or invalidated, we should also mark mapping with error +flag so that a later fsync can catch the error. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2371,6 +2371,8 @@ int end_extent_writepage(struct page *pa + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); ++ ret = ret < 0 ? ret : -EIO; ++ mapping_set_error(page->mapping, ret); + } + return 0; + } diff --git a/queue-3.10/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch b/queue-3.10/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch new file mode 100644 index 00000000000..fa4c1369d5b --- /dev/null +++ b/queue-3.10/btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch @@ -0,0 +1,42 @@ +From 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 Mon Sep 17 00:00:00 2001 +From: Miao Xie +Date: Thu, 24 Apr 2014 13:31:55 +0800 +Subject: Btrfs: output warning instead of error when loading free space cache failed + +From: Miao Xie + +commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream. + +If we fail to load a free space cache, we can rebuild it from the extent tree, +so it is not a serious error, we should not output a error message that +would make the users uncomfortable. This patch uses warning message instead +of it. + +Signed-off-by: Miao Xie +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/free-space-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -835,7 +835,7 @@ int load_free_space_cache(struct btrfs_f + + if (!matched) { + __btrfs_remove_free_space_cache(ctl); +- btrfs_err(fs_info, "block group %llu has wrong amount of free space", ++ btrfs_warn(fs_info, "block group %llu has wrong amount of free space", + block_group->key.objectid); + ret = -1; + } +@@ -847,7 +847,7 @@ out: + spin_unlock(&block_group->lock); + ret = 0; + +- btrfs_err(fs_info, "failed to load free space cache for block group %llu", ++ btrfs_warn(fs_info, "failed to load free space cache for block group %llu, rebuild it now", + block_group->key.objectid); + } + diff --git a/queue-3.10/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch b/queue-3.10/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch new file mode 100644 index 00000000000..818fea6498c --- /dev/null +++ b/queue-3.10/btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch @@ -0,0 +1,55 @@ +From 1af56070e3ef9477dbc7eba3b9ad7446979c7974 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sun, 25 May 2014 04:49:24 +0100 +Subject: Btrfs: send, don't error in the presence of subvols/snapshots + +From: Filipe Manana + +commit 1af56070e3ef9477dbc7eba3b9ad7446979c7974 upstream. + +If we are doing an incremental send and the base snapshot has a +directory with name X that doesn't exist anymore in the second +snapshot and a new subvolume/snapshot exists in the second snapshot +that has the same name as the directory (name X), the incremental +send would fail with -ENOENT error. This is because it attempts +to lookup for an inode with a number matching the objectid of a +root, which doesn't exist. + +Steps to reproduce: + + mkfs.btrfs -f /dev/sdd + mount /dev/sdd /mnt + + mkdir /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap1 + + rmdir /mnt/testdir + btrfs subvolume create /mnt/testdir + btrfs subvolume snapshot -r /mnt /mnt/mysnap2 + + btrfs send -p /mnt/mysnap1 /mnt/mysnap2 -f /tmp/send.data + +A test case for xfstests follows. + +Reported-by: Robert White +Signed-off-by: Filipe David Borba Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/send.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -1550,6 +1550,10 @@ static int lookup_dir_item_inode(struct + goto out; + } + btrfs_dir_item_key_to_cpu(path->nodes[0], di, &key); ++ if (key.type == BTRFS_ROOT_ITEM_KEY) { ++ ret = -ENOENT; ++ goto out; ++ } + *found_inode = key.objectid; + *found_type = btrfs_dir_type(path->nodes[0], di); + diff --git a/queue-3.10/btrfs-set-right-total-device-count-for-seeding-support.patch b/queue-3.10/btrfs-set-right-total-device-count-for-seeding-support.patch new file mode 100644 index 00000000000..0d8fa19f850 --- /dev/null +++ b/queue-3.10/btrfs-set-right-total-device-count-for-seeding-support.patch @@ -0,0 +1,45 @@ +From 298658414a2f0bea1f05a81876a45c1cd96aa2e0 Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Tue, 13 May 2014 17:05:06 +0800 +Subject: Btrfs: set right total device count for seeding support + +From: Wang Shilong + +commit 298658414a2f0bea1f05a81876a45c1cd96aa2e0 upstream. + +Seeding device support allows us to create a new filesystem +based on existed filesystem. + +However newly created filesystem's @total_devices should include seed +devices. This patch fix the following problem: + + # mkfs.btrfs -f /dev/sdb + # btrfstune -S 1 /dev/sdb + # mount /dev/sdb /mnt + # btrfs device add -f /dev/sdc /mnt --->fs_devices->total_devices = 1 + # umount /mnt + # mount /dev/sdc /mnt --->fs_devices->total_devices = 2 + +This is because we record right @total_devices in superblock, but +@fs_devices->total_devices is reset to be 0 in btrfs_prepare_sprout(). + +Fix this problem by not resetting @fs_devices->total_devices. + +Signed-off-by: Wang Shilong +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1837,7 +1837,6 @@ static int btrfs_prepare_sprout(struct b + fs_devices->seeding = 0; + fs_devices->num_devices = 0; + fs_devices->open_devices = 0; +- fs_devices->total_devices = 0; + fs_devices->seed = seed_devices; + + generate_random_uuid(fs_devices->fsid); diff --git a/queue-3.10/btrfs-use-right-type-to-get-real-comparison.patch b/queue-3.10/btrfs-use-right-type-to-get-real-comparison.patch new file mode 100644 index 00000000000..4550e2307c9 --- /dev/null +++ b/queue-3.10/btrfs-use-right-type-to-get-real-comparison.patch @@ -0,0 +1,31 @@ +From cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Sun, 8 Jun 2014 19:04:13 +0800 +Subject: Btrfs: use right type to get real comparison + +From: Liu Bo + +commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream. + +We want to make sure the point is still within the extent item, not to verify +the memory it's pointing to. + +Signed-off-by: Liu Bo +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/backref.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1366,7 +1366,7 @@ static int __get_extent_inline_ref(unsig + *out_eiref = (struct btrfs_extent_inline_ref *)(ei + 1); + } + *ptr = (unsigned long)*out_eiref; +- if ((void *)*ptr >= (void *)ei + item_size) ++ if ((unsigned long)(*ptr) >= (unsigned long)ei + item_size) + return -ENOENT; + } + diff --git a/queue-3.10/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch b/queue-3.10/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..be5ecebd24b --- /dev/null +++ b/queue-3.10/fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 8321cf2596d283821acc466377c2b85bcd3422b7 Mon Sep 17 00:00:00 2001 +From: Rickard Strandqvist +Date: Thu, 22 May 2014 22:43:43 +0200 +Subject: fs: btrfs: volumes.c: Fix for possible null pointer dereference + +From: Rickard Strandqvist + +commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream. + +There is otherwise a risk of a possible null pointer dereference. + +Was largely found by using a static code analysis program called cppcheck. + +Signed-off-by: Rickard Strandqvist +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1628,11 +1628,12 @@ int btrfs_rm_device(struct btrfs_root *r + struct btrfs_fs_devices *fs_devices; + fs_devices = root->fs_info->fs_devices; + while (fs_devices) { +- if (fs_devices->seed == cur_devices) ++ if (fs_devices->seed == cur_devices) { ++ fs_devices->seed = cur_devices->seed; + break; ++ } + fs_devices = fs_devices->seed; + } +- fs_devices->seed = cur_devices->seed; + cur_devices->seed = NULL; + lock_chunks(root); + __btrfs_close_devices(cur_devices); diff --git a/queue-3.10/series b/queue-3.10/series index dabd57af7ac..17b12d06994 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -59,3 +59,15 @@ x86-x32-use-compat-shims-for-io_-setup-submit.patch genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch +skbuff-skb_segment-orphan-frags-before-copying.patch +btrfs-fix-double-free-in-find_lock_delalloc_range.patch +btrfs-add-ctime-mtime-update-for-btrfs-device-add-remove.patch +btrfs-output-warning-instead-of-error-when-loading-free-space-cache-failed.patch +btrfs-make-sure-there-are-not-any-read-requests-before-stopping-workers.patch +btrfs-mark-mapping-with-error-flag-to-report-errors-to-userspace.patch +btrfs-set-right-total-device-count-for-seeding-support.patch +btrfs-send-don-t-error-in-the-presence-of-subvols-snapshots.patch +fs-btrfs-volumes.c-fix-for-possible-null-pointer-dereference.patch +btrfs-use-right-type-to-get-real-comparison.patch +btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch +btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch diff --git a/queue-3.10/skbuff-skb_segment-orphan-frags-before-copying.patch b/queue-3.10/skbuff-skb_segment-orphan-frags-before-copying.patch new file mode 100644 index 00000000000..dd63c1bbc2e --- /dev/null +++ b/queue-3.10/skbuff-skb_segment-orphan-frags-before-copying.patch @@ -0,0 +1,43 @@ +From 1fd819ecb90cc9b822cd84d3056ddba315d3340f Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 10 Mar 2014 19:28:08 +0200 +Subject: skbuff: skb_segment: orphan frags before copying + +From: "Michael S. Tsirkin" + +commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream. + +skb_segment copies frags around, so we need +to copy them carefully to avoid accessing +user memory after reporting completion to userspace +through a callback. + +skb_segment doesn't normally happen on datapath: +TSO needs to be disabled - so disabling zero copy +in this case does not look like a big deal. + +Signed-off-by: Michael S. Tsirkin +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +[bwh: Backported to 3.2. As skb_segment() only supports page-frags *or* a + frag list, there is no need for the additional frag_skb pointer or the + preparatory renaming.] +Signed-off-by: Ben Hutchings +Cc: Eddie Chapman # backported to 3.10 +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2844,6 +2844,8 @@ struct sk_buff *skb_segment(struct sk_bu + skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG; + + while (pos < offset + len && i < nfrags) { ++ if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) ++ goto err; + *frag = skb_shinfo(skb)->frags[i]; + __skb_frag_ref(frag); + size = skb_frag_size(frag); -- 2.47.3