If do_journal_release() races with do_journal_end() which requeues
delayed works for transaction flushing, we can leave work items for
flushing outstanding transactions queued while freeing them. That
results in use after free and possible crash in run_timers_softirq().

Fix the problem by not requeueing works if superblock is being shut down
(MS_ACTIVE not set) and using cancel_delayed_work_sync() in
do_journal_release().

CC: stable@vger.kernel.org
Signed-off-by: NJan Kara <jack@suse.cz>

Commits f1f007c3 (reiserfs: balance_leaf refactor, pull out
balance_leaf_insert_left) and cf22df18 (reiserfs: balance_leaf
refactor, pull out balance_leaf_paste_left) missed that the `body'
pointer was getting repositioned. Subsequent users of the pointer
would expect it to be repositioned, and as a result, parts of the
tree would get overwritten. The most common observed corruption
is indirect block pointers being overwritten.

Since the body value isn't actually used anymore in the called routines,
we can pass back the offset it should be shifted. We constify the body
and ih pointers in the balance_leaf as a mostly-free preventative measure.

Cc: <stable@vger.kernel.org> # 3.16
Reported-and-tested-by: NJeff Chua <jeff.chua.linux@gmail.com>
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

iter_file_splice_write() - a ->splice_write() instance that gathers the
pipe buffers, builds a bio_vec-based iov_iter covering those and feeds
it to ->write_iter().  A bunch of simple cases coverted to that...

[AV: fixed the braino spotted by Cyrill]
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

There was a bug in debug printout when CONFIG_REISERFS_CHECK was
enabled so one of the assertions in do_balan.c didn't compile. Fix it.

Fixes: 0080e9f9Signed-off-by: NJan Kara <jack@suse.cz>

__constant_cpu_to_le32 converted to cpu_to_le32
Signed-off-by: NFabian Frederick <fabf@skynet.be>
Cc: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

-Trivial code clean-up
-Fix endif }; (coccinelle warning)
Signed-off-by: NFabian Frederick <fabf@skynet.be>
Cc: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Prior to commit 0e4f6a79 (Fix reiserfs_file_release()), reiserfs
truncates serialized on i_mutex. They mostly still do, with the exception
of reiserfs_file_release. That blocks out other writers via the tailpack
mutex and the inode openers counter adjusted in reiserfs_file_open.

However, NFS will call reiserfs_setattr without having called ->open, so
we end up with a race when nfs is calling ->setattr while another
process is releasing the file. Ultimately, it triggers the
BUG_ON(inode->i_size != new_file_size) check in maybe_indirect_to_direct.

The solution is to pull the lock into reiserfs_setattr to encompass the
truncate_setsize call as well.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NJan Kara <jack@suse.cz>

__constant_cpu_to_le32 converted to cpu_to_le32

Cc: reiserfs-devel@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: NFabian Frederick <fabf@skynet.be>
Signed-off-by: NJan Kara <jack@suse.cz>

Splut up balance_leaf_when_delete into:
balance_leaf_when_delete_del
balance_leaf_when_cut
balance_leaf_when_delete_left

Also reformat to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Split out balance_leaf_finish_node_dirent from balance_leaf_paste_finish_node.

Also reformat to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Break up balance_leaf_paste_new_nodes into:
balance_leaf_paste_new_nodes_shift
balance_leaf_paste_new_nodes_shift_dirent
balance_leaf_paste_new_nodes_whole

and keep balance_leaf_paste_new_nodes as a handler to select which
is appropriate.

Also reformat to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Break up balance_leaf_paste_right into:
balance_leaf_paste_right_shift
balance_leaf_paste_right_shift_dirent
balance_leaf_paste_right_whole

and keep balance_leaf_paste_right as a handler to select which is appropriate.

Also reformat to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Reformat balance_leaf_insert_right to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Break up balance_leaf_paste_left into:
balance_leaf_paste_left_shift
balance_leaf_paste_left_shift_dirent
balance_leaf_paste_left_whole

and keep balance_leaf_paste_left as a handler to select which is appropriate.

Also reformat to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Reformat balance_leaf_insert_left to adhere to CodingStyle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Break out the code that splits paste/insert for each phase.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_finish_node_paste from the code
in balance_leaf responsible for pasting new content into existing items
held in S[0].
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_finish_node_insert from the code
in balance_leaf responsible for inserting new items into S[0]

It has not been reformatted yet.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_new_nodes_insert from the code
in balance_leaf responsible for pasting new content into existing items
that may have been shifted into new nodes in the tree.

It has not been reformatted yet.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_new_nodes_insert from the code
in balance_leaf responsible for inserting new items into new nodes in
the tree.

It has not been reformatted yet.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_paste_right from the code in
balance_leaf responsible for pasting new contents into an existing item
located in the node to the right of S[0] in the tree.

It has not been reformatted yet.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_insert_right from the code in
balance_leaf responsible for inserting new items into the node to
the right of S[0] in the tree.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_paste_left from the code in
balance_leaf responsible for pasting new content into an existing item
located in the node to the left of S[0] in the tree.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch factors out a new balance_leaf_insert_left from the code in
balance_leaf responsible for inserting new items into the node to
the left of S[0] in the tree.

It is not yet formatted correctly.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch pushes the rest of the state variables in balance_leaf into
the tree_balance structure so we can use them when we split balance_leaf
into separate functions.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

The comments in balance_leaf are as bad as the code. This patch shifts
them around to fit in 80 columns and be easier to read.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

The hash detection code uses long ugly macros multiple times to get the same
value. This patch cleans it up to be easier to read.

[JK: Fixed up path leak in find_hash_out()]
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

all callers have iov_length(iter->iov, iter->nr_segs) == iov_iter_count(iter)
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

unmodified, for now
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

The reiserfs code is littered with extra parens in places where the authors
may not have been certain about precedence of & vs ->. This patch cleans them
out.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch moves reiserfs closer to adhering to the style rules by
removing leading whitespace from labels.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

make_empty_dir_item_v1 and make_empty_dir_item also needed a bit of cleanup
but it's clearer to use separate pointers rather than the array positions
for just two items.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

journal_join is always called with a block count of 1. Let's just get
rid of the argument.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

journal_mark_dirty doesn't need a separate sb argument; It's provided
by the transaction handle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

journal_end doesn't need a separate sb argument; it's provided by the
transaction handle.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

journal_end takes a block count argument but doesn't actually use it
for anything. We can remove it.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>

This patch reformats comments in the reiserfs code to fit in 80 columns and
to follow the style rules.

There is no functional change but it helps make my eyes bleed less.
Signed-off-by: NJeff Mahoney <jeffm@suse.com>
Signed-off-by: NJan Kara <jack@suse.cz>