Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-09-05 13:43:37 +0200
committerTakashi Iwai <tiwai@suse.de>2019-09-05 13:43:37 +0200
commit425001822331d64d02a175222bda8af3d1fa03c5 (patch)
treee6ec32d2d24b0a33edaf4a3a7e8f6002314f75c0
parent51371b7091eed11d771c7ae2da7018fe49bf8e3d (diff)
parentcfb980a9aec86717124f68da199cfc994a228f55 (diff)
Merge branch 'users/jthumshirn/SLE15/for-next' into SLE15
Pull btrfs fixes from Johannes Thumshirn
-rw-r--r--patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch89
-rw-r--r--patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch141
-rw-r--r--patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch176
-rw-r--r--patches.suse/btrfs-remove-bug-in-add_data_reference.patch35
-rw-r--r--patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch32
-rw-r--r--patches.suse/btrfs-remove-bug-in-print_extent_item.patch36
-rw-r--r--patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch54
-rw-r--r--series.conf7
8 files changed, 570 insertions, 0 deletions
diff --git a/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
new file mode 100644
index 0000000000..c90a95e8e3
--- /dev/null
+++ b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
@@ -0,0 +1,89 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:18 -0600
+Subject: Btrfs: add a helper to retrive extent inline ref type
+Git-commit: 167ce953ca55bdee20fe56c3c0fa51002435f745
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+An invalid value of extent inline ref type may be read from a
+malicious image which may force btrfs to crash.
+
+This adds a helper which does sanity check for the ref type, so we can
+know if it's sane, return he type, otherwise return an error.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ minimal tweak const types, causing warnings due to other cleanup patches ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 11 +++++++++++
+ fs/btrfs/extent-tree.c | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2587,6 +2587,17 @@ static inline gfp_t btrfs_alloc_write_ma
+
+ /* extent-tree.c */
+
++enum btrfs_inline_ref_type {
++ BTRFS_REF_TYPE_INVALID = 0,
++ BTRFS_REF_TYPE_BLOCK = 1,
++ BTRFS_REF_TYPE_DATA = 2,
++ BTRFS_REF_TYPE_ANY = 3,
++};
++
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data);
++
+ u64 btrfs_csum_bytes_to_leaves(struct btrfs_fs_info *fs_info, u64 csum_bytes);
+
+ static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info,
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1147,6 +1147,43 @@ static int convert_extent_item_v0(struct
+ }
+ #endif
+
++/*
++ * is_data == BTRFS_REF_TYPE_BLOCK, tree block type is required,
++ * is_data == BTRFS_REF_TYPE_DATA, data type is requried,
++ * is_data == BTRFS_REF_TYPE_ANY, either type is OK.
++ */
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data)
++{
++ int type = btrfs_extent_inline_ref_type(eb, iref);
++
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY ||
++ type == BTRFS_EXTENT_DATA_REF_KEY) {
++ if (is_data == BTRFS_REF_TYPE_BLOCK) {
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY)
++ return type;
++ } else if (is_data == BTRFS_REF_TYPE_DATA) {
++ if (type == BTRFS_EXTENT_DATA_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY)
++ return type;
++ } else {
++ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
++ return type;
++ }
++ }
++
++ btrfs_print_leaf(eb->fs_info, (struct extent_buffer *) eb);
++ btrfs_err(eb->fs_info, "eb %llu invalid extent inline ref type %d",
++ eb->start, type);
++ WARN_ON(1);
++
++ return BTRFS_REF_TYPE_INVALID;
++}
++
+ static u64 hash_extent_data_ref(u64 root_objectid, u64 owner, u64 offset)
+ {
+ u32 high_crc = ~(u32)0;
diff --git a/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
new file mode 100644
index 0000000000..d9970fdd51
--- /dev/null
+++ b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
@@ -0,0 +1,141 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:24 -0600
+Subject: Btrfs: add one more sanity check for shared ref type
+Git-commit: 64ecdb647ddb83dcff9c8e2a5c40119f171ea004
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Every shared ref has a parent tree block, which can be get from
+btrfs_extent_inline_ref_offset(). And the tree block must be aligned
+to the nodesize, so we'd know this inline ref is not valid if this
+block's bytenr is not aligned to the nodesize, in which case, most
+likely the ref type has been misused.
+
+This adds the above mentioned check and also updates
+print_extent_item() called by btrfs_print_leaf() to point out the
+invalid ref while printing the tree structure.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/extent-tree.c | 29 +++++++++++++++++++++++++----
+ fs/btrfs/print-tree.c | 27 +++++++++++++++++++++------
+ 2 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 51a691532fd8..96e49fd5b888 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1158,19 +1158,40 @@ int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
+ enum btrfs_inline_ref_type is_data)
+ {
+ int type = btrfs_extent_inline_ref_type(eb, iref);
++ u64 offset = btrfs_extent_inline_ref_offset(eb, iref);
+
+ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_DATA_REF_KEY ||
+ type == BTRFS_EXTENT_DATA_REF_KEY) {
+ if (is_data == BTRFS_REF_TYPE_BLOCK) {
+- if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+- type == BTRFS_SHARED_BLOCK_REF_KEY)
++ if (type == BTRFS_TREE_BLOCK_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_BLOCK_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else if (is_data == BTRFS_REF_TYPE_DATA) {
+- if (type == BTRFS_EXTENT_DATA_REF_KEY ||
+- type == BTRFS_SHARED_DATA_REF_KEY)
++ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_DATA_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else {
+ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
+ return type;
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index c1acbdcb476c..569205e651c7 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -44,7 +44,7 @@ static void print_dev_item(struct extent_buffer *eb,
+ static void print_extent_data_ref(struct extent_buffer *eb,
+ struct btrfs_extent_data_ref *ref)
+ {
+- pr_info("\t\textent data backref root %llu objectid %llu offset %llu count %u\n",
++ pr_cont("extent data backref root %llu objectid %llu offset %llu count %u\n",
+ btrfs_extent_data_ref_root(eb, ref),
+ btrfs_extent_data_ref_objectid(eb, ref),
+ btrfs_extent_data_ref_offset(eb, ref),
+@@ -63,6 +63,7 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ u32 item_size = btrfs_item_size_nr(eb, slot);
+ u64 flags;
+ u64 offset;
++ int ref_index = 0;
+
+ if (item_size < sizeof(*ei)) {
+ #ifdef BTRFS_COMPAT_EXTENT_TREE_V0
+@@ -104,12 +105,20 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+ type = btrfs_extent_inline_ref_type(eb, iref);
+ offset = btrfs_extent_inline_ref_offset(eb, iref);
++ pr_info("\t\tref#%d: ", ref_index++);
+ switch (type) {
+ case BTRFS_TREE_BLOCK_REF_KEY:
+- pr_info("\t\ttree block backref root %llu\n", offset);
++ pr_cont("tree block backref root %llu\n", offset);
+ break;
+ case BTRFS_SHARED_BLOCK_REF_KEY:
+- pr_info("\t\tshared block backref parent %llu\n", offset);
++ pr_cont("shared block backref parent %llu\n", offset);
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ case BTRFS_EXTENT_DATA_REF_KEY:
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -117,12 +126,18 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ break;
+ case BTRFS_SHARED_DATA_REF_KEY:
+ sref = (struct btrfs_shared_data_ref *)(iref + 1);
+- pr_info("\t\tshared data backref parent %llu count %u\n",
++ pr_cont("shared data backref parent %llu count %u\n",
+ offset, btrfs_shared_data_ref_count(eb, sref));
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ default:
+- btrfs_err(eb->fs_info,
+- "extent %llu has invalid ref type %d",
++ pr_cont("(extent %llu has INVALID ref type %d)\n",
+ eb->start, type);
+ return;
+ }
+
diff --git a/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
new file mode 100644
index 0000000000..48bb420eed
--- /dev/null
+++ b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
@@ -0,0 +1,176 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:19 -0600
+Subject: Btrfs: convert to use btrfs_get_extent_inline_ref_type
+Git-commit: 3de28d579edbd35294bf44aee8402c804331bc37
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Since we have a helper which can do sanity check, this converts all
+btrfs_extent_inline_ref_type to it.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/backref.c | 11 +++++++++--
+ fs/btrfs/extent-tree.c | 36 ++++++++++++++++++++++++++++++------
+ fs/btrfs/relocation.c | 13 +++++++++++--
+ 3 files changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 6bae986bfcfb..b517ef1477ea 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -929,7 +929,11 @@ static int add_inline_refs(const struct btrfs_fs_info *fs_info,
+ int type;
+
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref,
++ BTRFS_REF_TYPE_ANY);
++ if (type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
++
+ offset = btrfs_extent_inline_ref_offset(leaf, iref);
+
+ switch (type) {
+@@ -1776,7 +1780,10 @@ static int get_extent_inline_ref(unsigned long *ptr,
+
+ end = (unsigned long)ei + item_size;
+ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr);
+- *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref);
++ *out_type = btrfs_get_extent_inline_ref_type(eb, *out_eiref,
++ BTRFS_REF_TYPE_ANY);
++ if (*out_type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
+
+ *ptr += btrfs_extent_inline_ref_size(*out_type);
+ WARN_ON(*ptr > end);
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 794b06dd824a..51a691532fd8 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1454,12 +1454,18 @@ static noinline u32 extent_data_ref_count(struct btrfs_path *path,
+ struct btrfs_extent_data_ref *ref1;
+ struct btrfs_shared_data_ref *ref2;
+ u32 num_refs = 0;
++ int type;
+
+ leaf = path->nodes[0];
+ btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+ if (iref) {
+- if (btrfs_extent_inline_ref_type(leaf, iref) ==
+- BTRFS_EXTENT_DATA_REF_KEY) {
++ /*
++ * If type is invalid, we should have bailed out earlier than
++ * this call.
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
++ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ ref1 = (struct btrfs_extent_data_ref *)(&iref->offset);
+ num_refs = btrfs_extent_data_ref_count(leaf, ref1);
+ } else {
+@@ -1620,6 +1626,7 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ int ret;
+ int err = 0;
+ bool skinny_metadata = btrfs_fs_incompat(fs_info, SKINNY_METADATA);
++ int needed;
+
+ key.objectid = bytenr;
+ key.type = BTRFS_EXTENT_ITEM_KEY;
+@@ -1711,6 +1718,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ BUG_ON(ptr > end);
+ }
+
++ if (owner >= BTRFS_FIRST_FREE_OBJECTID)
++ needed = BTRFS_REF_TYPE_DATA;
++ else
++ needed = BTRFS_REF_TYPE_BLOCK;
++
+ err = -ENOENT;
+ while (1) {
+ if (ptr >= end) {
+@@ -1718,7 +1730,12 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ break;
+ }
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, needed);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (want < type)
+ break;
+ if (want > type) {
+@@ -1910,7 +1927,12 @@ void update_inline_extent_backref(struct btrfs_fs_info *fs_info,
+ if (extent_op)
+ __run_delayed_extent_op(extent_op, leaf, ei);
+
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ /*
++ * If type is invalid, we should have bailed out after
++ * lookup_inline_extent_backref().
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_ANY);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
+
+ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -3195,6 +3217,7 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ struct btrfs_extent_item *ei;
+ struct btrfs_key key;
+ u32 item_size;
++ int type;
+ int ret;
+
+ key.objectid = bytenr;
+@@ -3236,8 +3259,9 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ goto out;
+
+ iref = (struct btrfs_extent_inline_ref *)(ei + 1);
+- if (btrfs_extent_inline_ref_type(leaf, iref) !=
+- BTRFS_EXTENT_DATA_REF_KEY)
++
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ if (type != BTRFS_EXTENT_DATA_REF_KEY)
+ goto out;
+
+ ref = (struct btrfs_extent_data_ref *)(&iref->offset);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 1a532bb72eab..96f816aa9ed3 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -799,9 +799,17 @@ struct backref_node *build_backref_tree(struct reloc_control *rc,
+ if (ptr < end) {
+ /* update key for inline back ref */
+ struct btrfs_extent_inline_ref *iref;
++ int type;
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_BLOCK);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++ key.type = type;
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
++
+ WARN_ON(key.type != BTRFS_TREE_BLOCK_REF_KEY &&
+ key.type != BTRFS_SHARED_BLOCK_REF_KEY);
+ }
+@@ -3753,7 +3761,8 @@ int add_data_references(struct reloc_control *rc,
+
+ while (ptr < end) {
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ key.type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_DATA);
+ if (key.type == BTRFS_SHARED_DATA_REF_KEY) {
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
+ ret = __add_tree_block(rc, key.offset, blocksize,
+
diff --git a/patches.suse/btrfs-remove-bug-in-add_data_reference.patch b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
new file mode 100644
index 0000000000..21948a230e
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
@@ -0,0 +1,35 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:22 -0600
+Subject: Btrfs: remove BUG() in add_data_reference
+Git-commit: b14c55a191263889c379aeee85223bb72501824d
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that we have a helper to report invalid value of extent inline ref
+type, we need to quit gracefully instead of throwing out a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 96f816aa9ed3..1c086d0667be 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3772,7 +3772,10 @@ int add_data_references(struct reloc_control *rc,
+ ret = find_data_references(rc, extent_key,
+ eb, dref, blocks);
+ } else {
+- BUG();
++ ret = -EINVAL;
++ btrfs_err(rc->extent_root->fs_info,
++ "extent %llu slot %d has an invalid inline ref type",
++ eb->start, path->slots[0]);
+ }
+ if (ret) {
+ err = ret;
+
diff --git a/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
new file mode 100644
index 0000000000..5e664614b4
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
@@ -0,0 +1,32 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:20 -0600
+Subject: Btrfs: remove BUG() in btrfs_extent_inline_ref_size
+Git-commit: 4335958de2a43c6790c7f6aa0682aa7189983fa4
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that btrfs_get_extent_inline_ref_type() can report if type is a
+valid one and all callers can gracefully deal with that, we don't need
+to crash here.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 542db9d0dbcd..b7cfc74c1757 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1804,7 +1804,6 @@ static inline u32 btrfs_extent_inline_ref_size(int type)
+ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return sizeof(struct btrfs_extent_data_ref) +
+ offsetof(struct btrfs_extent_inline_ref, offset);
+- BUG();
+ return 0;
+ }
+
+
diff --git a/patches.suse/btrfs-remove-bug-in-print_extent_item.patch b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
new file mode 100644
index 0000000000..25e39229ee
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
@@ -0,0 +1,36 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:21 -0600
+Subject: Btrfs: remove BUG() in print_extent_item
+Git-commit: 07638ea5987e51715b35eb5a9a9e908f18ffabf7
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+btrfs_print_leaf() is used in btrfs_get_extent_inline_ref_type, so
+here we really want to print the invalid value of ref type instead of
+causing a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/print-tree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index 6e7a8c40dcd9..c1acbdcb476c 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -121,7 +121,10 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ offset, btrfs_shared_data_ref_count(eb, sref));
+ break;
+ default:
+- BUG();
++ btrfs_err(eb->fs_info,
++ "extent %llu has invalid ref type %d",
++ eb->start, type);
++ return;
+ }
+ ptr += btrfs_extent_inline_ref_size(type);
+ }
+
diff --git a/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
new file mode 100644
index 0000000000..0e045736ec
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
@@ -0,0 +1,54 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:23 -0600
+Subject: Btrfs: remove BUG_ON in __add_tree_block
+Git-commit: cdccee993f2f3466f69a358daec19de744a02f92
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+The BUG_ON() can be triggered when the caller is processing an invalid
+extent inline ref, e.g.
+
+a shared data ref is offered instead of an extent data ref, such that
+it tries to find a non-existent tree block and then btrfs_search_slot
+returns 1 for no such item.
+
+This replaces the BUG_ON() with a WARN() followed by calling
+btrfs_print_leaf() to show more details about what's going on and
+returning -EINVAL to upper callers.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -32,6 +32,7 @@
+ #include "free-space-cache.h"
+ #include "inode-map.h"
+ #include "qgroup.h"
++#include "print-tree.h"
+
+ /*
+ * backref_node, mapping_node and tree_block start with this
+@@ -3485,7 +3486,16 @@ again:
+ goto again;
+ }
+ }
+- BUG_ON(ret);
++ if (ret) {
++ ASSERT(ret == 1);
++ btrfs_print_leaf(fs_info, path->nodes[0]);
++ btrfs_err(fs_info,
++ "tree block extent item (%llu) is not found in extent tree",
++ bytenr);
++ WARN_ON(1);
++ ret = -EINVAL;
++ goto out;
++ }
+
+ ret = add_tree_block(rc, &key, path, blocks);
+ out:
diff --git a/series.conf b/series.conf
index cbb01fdf9e..6df3dfee74 100644
--- a/series.conf
+++ b/series.conf
@@ -6810,6 +6810,13 @@
patches.suse/0001-Btrfs-fix-assertion-failure-during-fsync-in-no-holes.patch
patches.suse/btrfs-incremental-send-fix-emission-of-invalid-clone-operations.patch
patches.suse/btrfs-preserve-i_mode-if-_btrfs_set_acl-fails.patch
+ patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
+ patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
+ patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
+ patches.suse/btrfs-remove-bug-in-print_extent_item.patch
+ patches.suse/btrfs-remove-bug-in-add_data_reference.patch
+ patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
+ patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
patches.suse/svcrdma-Limit-RQ-depth.patch
patches.suse/rdma-core-Add-rdma_rw_mr_payload.patch
patches.suse/svcrdma-Estimate-Send-Queue-depth-properly.patch