git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
3.14-stable patches
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Mar 2015 05:19:26 +0000 (21:19 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Mar 2015 05:19:26 +0000 (21:19 -0800)
added patches:
blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch
btrfs-fix-leak-of-path-in-btrfs_find_item.patch
btrfs-set-proper-message-level-for-skinny-metadata.patch
edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch
gpio-tps65912-fix-wrong-container_of-arguments.patch
gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch
jffs2-fix-handling-of-corrupted-summary-length.patch
md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch
md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch
metag-fix-kstk_eip-and-kstk_esp-macros.patch
x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch
xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch

13 files changed:
queue-3.14/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch [new file with mode: 0644]
queue-3.14/btrfs-fix-leak-of-path-in-btrfs_find_item.patch [new file with mode: 0644]
queue-3.14/btrfs-set-proper-message-level-for-skinny-metadata.patch [new file with mode: 0644]
queue-3.14/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch [new file with mode: 0644]
queue-3.14/gpio-tps65912-fix-wrong-container_of-arguments.patch [new file with mode: 0644]
queue-3.14/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch [new file with mode: 0644]
queue-3.14/jffs2-fix-handling-of-corrupted-summary-length.patch [new file with mode: 0644]
queue-3.14/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch [new file with mode: 0644]
queue-3.14/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch [new file with mode: 0644]
queue-3.14/metag-fix-kstk_eip-and-kstk_esp-macros.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch [new file with mode: 0644]
queue-3.14/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch [new file with mode: 0644]

diff --git a/queue-3.14/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch b/queue-3.14/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch
new file mode 100644 (file)
index 0000000..cc25a7b
--- /dev/null
@@ -0,0 +1,121 @@
+From 045c47ca306acf30c740c285a77a4b4bda6be7c5 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Date: Mon, 16 Feb 2015 17:16:45 -0200
+Subject: blk-throttle: check stats_cpu before reading it from sysfs
+
+From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+
+commit 045c47ca306acf30c740c285a77a4b4bda6be7c5 upstream.
+
+When reading blkio.throttle.io_serviced in a recently created blkio
+cgroup, it's possible to race against the creation of a throttle policy,
+which delays the allocation of stats_cpu.
+
+Like other functions in the throttle code, just checking for a NULL
+stats_cpu prevents the following oops caused by that race.
+
+[ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020
+[ 1117.285252] Faulting instruction address: 0xc0000000003efa2c
+[ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV
+[ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4
+[ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5
+[ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000
+[ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980
+[ 1137.734202] REGS: c000000f1d213500 TRAP: 0300   Not tainted  (3.19.0)
+[ 1137.734230] MSR: 9000000000009032 <SF,HV,EE,ME,IR,DR,RI>  CR: 42008884  XER: 20000000
+[ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0
+GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000
+GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000
+GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808
+GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000
+GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000
+GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80
+GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850
+[ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180
+[ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180
+[ 1137.734943] Call Trace:
+[ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable)
+[ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0
+[ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70
+[ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150
+[ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50
+[ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510
+[ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200
+[ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80
+[ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0
+[ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100
+[ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98
+[ 1137.735383] Instruction dump:
+[ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24
+[ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018
+
+And here is one code that allows to easily reproduce this, although this
+has first been found by running docker.
+
+void run(pid_t pid)
+{
+       int n;
+       int status;
+       int fd;
+       char *buffer;
+       buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE);
+       n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid);
+       fd = open(CGPATH "/test/tasks", O_WRONLY);
+       write(fd, buffer, n);
+       close(fd);
+       if (fork() > 0) {
+               fd = open("/dev/sda", O_RDONLY | O_DIRECT);
+               read(fd, buffer, 512);
+               close(fd);
+               wait(&status);
+       } else {
+               fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY);
+               n = read(fd, buffer, BUFFER_SIZE);
+               close(fd);
+       }
+       free(buffer);
+       exit(0);
+}
+
+void test(void)
+{
+       int status;
+       mkdir(CGPATH "/test", 0666);
+       if (fork() > 0)
+               wait(&status);
+       else
+               run(getpid());
+       rmdir(CGPATH "/test");
+}
+
+int main(int argc, char **argv)
+{
+       int i;
+       for (i = 0; i < NR_TESTS; i++)
+               test();
+       return 0;
+}
+
+Reported-by: Ricardo Marin Matinata <rmm@br.ibm.com>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-throttle.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct s
+       struct blkg_rwstat rwstat = { }, tmp;
+       int i, cpu;
++      if (tg->stats_cpu == NULL)
++              return 0;
++
+       for_each_possible_cpu(cpu) {
+               struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu);
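Review bot: the new `tg->stats_cpu == NULL` check at the top of tg_prfill_cpu_rwstat() has no comment saying why the pointer can be NULL on this path, and the early `return 0` reports nothing for that group without any indication to the reader of blkio.throttle.io_serviced. A one-line comment pointing at the delayed stats_cpu allocation described in the commit message would keep a later cleanup from dropping the check; kernel style would also write the test as `if (!tg->stats_cpu)`.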
diff --git a/queue-3.14/btrfs-fix-leak-of-path-in-btrfs_find_item.patch b/queue-3.14/btrfs-fix-leak-of-path-in-btrfs_find_item.patch
new file mode 100644 (file)
index 0000000..4d50cf9
--- /dev/null
@@ -0,0 +1,113 @@
+From 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.cz>
+Date: Fri, 2 Jan 2015 18:45:16 +0100
+Subject: btrfs: fix leak of path in btrfs_find_item
+
+From: David Sterba <dsterba@suse.cz>
+
+commit 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 upstream.
+
+If btrfs_find_item is called with NULL path it allocates one locally but
+does not free it. Affected paths are inserting an orphan item for a file
+and for a subvol root.
+
+Move the path allocation to the callers.
+
+Fixes: 3f870c289900 ("btrfs: expand btrfs_find_item() to include find_orphan_item functionality")
+Signed-off-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ctree.c    |   17 ++++-------------
+ fs/btrfs/disk-io.c  |    9 ++++++++-
+ fs/btrfs/tree-log.c |   11 ++++++++++-
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2655,32 +2655,23 @@ static int key_search(struct extent_buff
+       return 0;
+ }
+-int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path,
++int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path,
+               u64 iobjectid, u64 ioff, u8 key_type,
+               struct btrfs_key *found_key)
+ {
+       int ret;
+       struct btrfs_key key;
+       struct extent_buffer *eb;
+-      struct btrfs_path *path;
++
++      ASSERT(path);
+       key.type = key_type;
+       key.objectid = iobjectid;
+       key.offset = ioff;
+-      if (found_path == NULL) {
+-              path = btrfs_alloc_path();
+-              if (!path)
+-                      return -ENOMEM;
+-      } else
+-              path = found_path;
+-
+       ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0);
+-      if ((ret < 0) || (found_key == NULL)) {
+-              if (path != found_path)
+-                      btrfs_free_path(path);
++      if ((ret < 0) || (found_key == NULL))
+               return ret;
+-      }
+       eb = path->nodes[0];
+       if (ret && path->slots[0] >= btrfs_header_nritems(eb)) {
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1560,6 +1560,7 @@ struct btrfs_root *btrfs_get_fs_root(str
+                                    bool check_ref)
+ {
+       struct btrfs_root *root;
++      struct btrfs_path *path;
+       int ret;
+       if (location->objectid == BTRFS_ROOT_TREE_OBJECTID)
+@@ -1599,8 +1600,14 @@ again:
+       if (ret)
+               goto fail;
+-      ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID,
++      path = btrfs_alloc_path();
++      if (!path) {
++              ret = -ENOMEM;
++              goto fail;
++      }
++      ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID,
+                       location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL);
++      btrfs_free_path(path);
+       if (ret < 0)
+               goto fail;
+       if (ret == 0)
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1238,10 +1238,19 @@ static int insert_orphan_item(struct btr
+                             struct btrfs_root *root, u64 offset)
+ {
+       int ret;
+-      ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID,
++      struct btrfs_path *path;
++
++      path = btrfs_alloc_path();
++      if (!path)
++              return -ENOMEM;
++
++      ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID,
+                       offset, BTRFS_ORPHAN_ITEM_KEY, NULL);
+       if (ret > 0)
+               ret = btrfs_insert_orphan_item(trans, root, offset);
++
++      btrfs_free_path(path);
++
+       return ret;
+ }
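Review bot: in the tree-log.c hunk, insert_orphan_item() keeps `path` alive across btrfs_insert_orphan_item() and frees it only just before the final return, whereas the disk-io.c hunk calls btrfs_free_path(path) immediately after btrfs_find_item(). If the path still holds references or locks from btrfs_search_slot() at that point, the insert runs with them held; freeing the path right after the lookup, as btrfs_get_fs_root() does, would avoid that and make the two callers consistent. Separately, `ASSERT(path)` in ctree.c replaces the NULL fallback, so it is worth confirming that no other caller in the 3.14 tree still passes NULL.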
diff --git a/queue-3.14/btrfs-set-proper-message-level-for-skinny-metadata.patch b/queue-3.14/btrfs-set-proper-message-level-for-skinny-metadata.patch
new file mode 100644 (file)
index 0000000..c97aae5
--- /dev/null
@@ -0,0 +1,31 @@
+From 5efa0490cc94aee06cd8d282683e22a8ce0a0026 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.cz>
+Date: Fri, 19 Dec 2014 18:38:47 +0100
+Subject: btrfs: set proper message level for skinny metadata
+
+From: David Sterba <dsterba@suse.cz>
+
+commit 5efa0490cc94aee06cd8d282683e22a8ce0a0026 upstream.
+
+This has been confusing people for too long, the message is really just
+informative.
+
+Signed-off-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2411,7 +2411,7 @@ int open_ctree(struct super_block *sb,
+               features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO;
+       if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA)
+-              printk(KERN_ERR "BTRFS: has skinny extents\n");
++              printk(KERN_INFO "BTRFS: has skinny extents\n");
+       /*
+        * flag our filesystem as having big metadata blocks if
diff --git a/queue-3.14/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch b/queue-3.14/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch
new file mode 100644 (file)
index 0000000..feb0368
--- /dev/null
@@ -0,0 +1,96 @@
+From 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman <daniel@numascale.com>
+Date: Tue, 17 Feb 2015 11:34:38 +0800
+Subject: EDAC, amd64_edac: Prevent OOPS with >16 memory controllers
+
+From: Daniel J Blueman <daniel@numascale.com>
+
+commit 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea upstream.
+
+When DRAM errors occur on memory controllers after EDAC_MAX_MCS (16),
+the kernel fatally dereferences unallocated structures, see splat below;
+this occurs on at least NumaConnect systems.
+
+Fix by checking if a memory controller info structure was found.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000320
+IP: [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
+PGD 2f8b5a3067 PUD 2f8b5a2067 PMD 0
+Oops: 0000 [#2] SMP
+Modules linked in:
+CPU: 224 PID: 11930 Comm: stream_c.exe.gn Tainted: G   D    3.19.0 #1
+Hardware name: Supermicro H8QGL/H8QGL, BIOS 3.5b    01/28/2015
+task: ffff8807dbfb8c00 ti: ffff8807dd16c000 task.ti: ffff8807dd16c000
+RIP: 0010:[<ffffffff819f714f>] [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
+RSP: 0000:ffff8907dfc03c48 EFLAGS: 00010297
+RAX: 0000000000000001 RBX: 9c67400010080a13 RCX: 0000000000001dc6
+RDX: 000000001dc61dc6 RSI: ffff8907dfc03df0 RDI: 000000000000001c
+RBP: ffff8907dfc03ce8 R08: 0000000000000000 R09: 0000000000000022
+R10: ffff891fffa30380 R11: 00000000001cfc90 R12: 0000000000000008
+R13: 0000000000000000 R14: 000000000000001c R15: 00009c6740001000
+FS: 00007fa97ee18700(0000) GS:ffff8907dfc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000320 CR3: 0000003f889b8000 CR4: 00000000000407e0
+Stack:
+ 0000000000000000 ffff8907dfc03df0 0000000000000008 9c67400010080a13
+ 000000000000001c 00009c6740001000 ffff8907dfc03c88 ffffffff810e4f9a
+ ffff8907dfc03ce8 ffffffff81b375b9 0000000000000000 0000000000000010
+Call Trace:
+ <IRQ>
+ ? vprintk_default
+ ? printk
+ amd_decode_mce
+ notifier_call_chain
+ atomic_notifier_call_chain
+ mce_log
+ machine_check_poll
+ mce_timer_fn
+ ? mce_cpu_restart
+ call_timer_fn.isra.29
+ run_timer_softirq
+ __do_softirq
+ irq_exit
+ smp_apic_timer_interrupt
+ apic_timer_interrupt
+ <EOI>
+ ? down_read_trylock
+ __do_page_fault
+ ? __schedule
+ do_page_fault
+ page_fault
+
+Signed-off-by: Daniel J Blueman <daniel@numascale.com>
+Link: http://lkml.kernel.org/r/1424144078-24589-1-git-send-email-daniel@numascale.com
+[ Boris: massage commit message ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/amd64_edac.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -2006,14 +2006,20 @@ static void __log_bus_error(struct mem_c
+ static inline void decode_bus_error(int node_id, struct mce *m)
+ {
+-      struct mem_ctl_info *mci = mcis[node_id];
+-      struct amd64_pvt *pvt = mci->pvt_info;
++      struct mem_ctl_info *mci;
++      struct amd64_pvt *pvt;
+       u8 ecc_type = (m->status >> 45) & 0x3;
+       u8 xec = XEC(m->status, 0x1f);
+       u16 ec = EC(m->status);
+       u64 sys_addr;
+       struct err_info err;
++      mci = edac_mc_find(node_id);
++      if (!mci)
++              return;
++
++      pvt = mci->pvt_info;
++
+       /* Bail out early if this was an 'observed' error */
+       if (PP(ec) == NBSL_PP_OBS)
+               return;
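Review bot: the `if (!mci) return;` added to decode_bus_error() drops the DRAM error without leaving any trace, so on a system where edac_mc_find(node_id) finds nothing the oops is gone but the operator never learns that errors on that node went undecoded. A rate-limited warning that names node_id before the return would keep the event visible in the log.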
diff --git a/queue-3.14/gpio-tps65912-fix-wrong-container_of-arguments.patch b/queue-3.14/gpio-tps65912-fix-wrong-container_of-arguments.patch
new file mode 100644 (file)
index 0000000..f3d302c
--- /dev/null
@@ -0,0 +1,67 @@
+From 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+Date: Thu, 19 Feb 2015 01:52:25 +0000
+Subject: gpio: tps65912: fix wrong container_of arguments
+
+From: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+
+commit 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 upstream.
+
+The gpio_chip operations receive a pointer the gpio_chip struct which is
+contained in the driver's private struct, yet the container_of call in those
+functions point to the mfd struct defined in include/linux/mfd/tps65912.h.
+
+Signed-off-by: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-tps65912.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-tps65912.c
++++ b/drivers/gpio/gpio-tps65912.c
+@@ -26,9 +26,12 @@ struct tps65912_gpio_data {
+       struct gpio_chip gpio_chip;
+ };
++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip)
++
+ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset)
+ {
+-      struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++      struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++      struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+       int val;
+       val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset);
+@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio
+ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset,
+                             int value)
+ {
+-      struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++      struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++      struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+       if (value)
+               tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset,
+@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpi
+ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset,
+                               int value)
+ {
+-      struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++      struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++      struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+       /* Set the initial value */
+       tps65912_gpio_set(gc, offset, value);
+@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct g
+ static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset)
+ {
+-      struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++      struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++      struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+       return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset,
+                                                               GPIO_CFG_MASK);
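Review bot: `to_tgd()` is added as a macro, and the same two-line lookup (`to_tgd(gc)` followed by `tps65912_gpio->tps65912`) is now repeated in all four callbacks. A static inline helper that takes a `struct gpio_chip *` and returns the `struct tps65912 *` would give type checking on the argument and reduce each callback to a single line.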
diff --git a/queue-3.14/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch b/queue-3.14/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch
new file mode 100644 (file)
index 0000000..77dbbc2
--- /dev/null
@@ -0,0 +1,52 @@
+From 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f Mon Sep 17 00:00:00 2001
+From: Hans Holmberg <hans.holmberg@intel.com>
+Date: Tue, 10 Feb 2015 09:48:27 +0100
+Subject: gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node
+
+From: Hans Holmberg <hans.holmberg@intel.com>
+
+commit 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f upstream.
+
+The change:
+
+7b8792bbdffdff3abda704f89c6a45ea97afdc62
+gpiolib: of: Correct error handling in of_get_named_gpiod_flags
+
+assumed that only one gpio-chip is registred per of-node.
+Some drivers register more than one chip per of-node, so
+adjust the matching function of_gpiochip_find_and_xlate to
+not stop looking for chips if a node-match is found and
+the translation fails.
+
+Fixes: 7b8792bbdffd ("gpiolib: of: Correct error handling in of_get_named_gpiod_flags")
+Signed-off-by: Hans Holmberg <hans.holmberg@intel.com>
+Acked-by: Alexandre Courbot <acourbot@nvidia.com>
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Tested-by: Tyler Hall <tylerwhall@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-of.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -45,12 +45,13 @@ static int of_gpiochip_find_and_xlate(st
+       ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags);
+       if (ret < 0) {
+-              /* We've found the gpio chip, but the translation failed.
+-               * Return true to stop looking and return the translation
+-               * error via out_gpio
++              /* We've found a gpio chip, but the translation failed.
++               * Store translation error in out_gpio.
++               * Return false to keep looking, as more than one gpio chip
++               * could be registered per of-node.
+                */
+               gg_data->out_gpio = ERR_PTR(ret);
+-              return true;
++              return false;
+        }
+       gg_data->out_gpio = gpio_to_desc(ret + gc->base);
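Review bot: with `return false` on a failed of_xlate(), gg_data->out_gpio is left holding ERR_PTR(ret) while the search continues, so what the caller finally sees is the error from whichever matching chip failed last, unless a later chip succeeds and overwrites it at the gpio_to_desc() assignment. The new comment says the error is stored but not that it can be overwritten; one more sentence stating this would help anyone reading the caller of the lookup.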
diff --git a/queue-3.14/jffs2-fix-handling-of-corrupted-summary-length.patch b/queue-3.14/jffs2-fix-handling-of-corrupted-summary-length.patch
new file mode 100644 (file)
index 0000000..2412f6d
--- /dev/null
@@ -0,0 +1,76 @@
+From 164c24063a3eadee11b46575c5482b2f1417be49 Mon Sep 17 00:00:00 2001
+From: Chen Jie <chenjie6@huawei.com>
+Date: Tue, 10 Feb 2015 12:49:48 -0800
+Subject: jffs2: fix handling of corrupted summary length
+
+From: Chen Jie <chenjie6@huawei.com>
+
+commit 164c24063a3eadee11b46575c5482b2f1417be49 upstream.
+
+sm->offset maybe wrong but magic maybe right, the offset do not have CRC.
+
+Badness at c00c7580 [verbose debug info unavailable]
+NIP: c00c7580 LR: c00c718c CTR: 00000014
+REGS: df07bb40 TRAP: 0700   Not tainted  (2.6.34.13-WR4.3.0.0_standard)
+MSR: 00029000 <EE,ME,CE>  CR: 22084f84  XER: 00000000
+TASK = df84d6e0[908] 'mount' THREAD: df07a000
+GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041
+GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000
+GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0
+GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730
+NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638
+LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638
+Call Trace:
+[df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable)
+[df07bc90] [c00c7708] __get_free_pages+0x20/0x48
+[df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec
+[df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0
+[df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4
+[df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260
+[df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184
+[df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec
+[df07be20] [c033596c] get_sb_mtd+0x84/0x1e8
+[df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c
+[df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8
+[df07bea0] [c0103a58] do_kern_mount+0x40/0x100
+[df07bec0] [c011fe90] do_mount+0x240/0x890
+[df07bf10] [c0120570] sys_mount+0x90/0xd8
+[df07bf40] [c00110d8] ret_from_syscall+0x0/0x4
+
+=== Exception: c01 at 0xff61a34
+    LR = 0x100135f0
+Instruction dump:
+38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28
+3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001
+mount: mounting /dev/mtdblock3 on /common failed: Input/output error
+
+Signed-off-by: Chen Jie <chenjie6@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/scan.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/jffs2/scan.c
++++ b/fs/jffs2/scan.c
+@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct
+                               sumlen = c->sector_size - je32_to_cpu(sm->offset);
+                               sumptr = buf + buf_size - sumlen;
++                              /* sm->offset maybe wrong but MAGIC maybe right */
++                              if (sumlen > c->sector_size)
++                                      goto full_scan;
++
+                               /* Now, make sure the summary itself is available */
+                               if (sumlen > buf_size) {
+                                       /* Need to kmalloc for this. */
+@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct
+               }
+       }
++full_scan:
+       buf_ofs = jeb->offset;
+       if (!buf_size) {
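Review bot: the `sumlen > c->sector_size` check in the first hunk sits after `sumptr = buf + buf_size - sumlen` has already been computed from the unvalidated length, and it catches a bad sm->offset only by relying on `c->sector_size - je32_to_cpu(sm->offset)` wrapping around. Moving the test above the sumptr assignment and comparing je32_to_cpu(sm->offset) against c->sector_size directly would state the intent without depending on wraparound. The code comment could then say, as the commit message does, that the offset is not covered by a CRC.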
diff --git a/queue-3.14/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch b/queue-3.14/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch
new file mode 100644 (file)
index 0000000..84f17db
--- /dev/null
@@ -0,0 +1,63 @@
+From d1901ef099c38afd11add4cfb3312c02ef21ec4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= <tomas.hodek@volny.cz>
+Date: Mon, 23 Feb 2015 11:00:38 +1100
+Subject: md/raid1: fix read balance when a drive is write-mostly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= <tomas.hodek@volny.cz>
+
+commit d1901ef099c38afd11add4cfb3312c02ef21ec4a upstream.
+
+When a drive is marked write-mostly it should only be the
+target of reads if there is no other option.
+
+This behaviour was broken by
+
+commit 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc
+    md/raid1: read balance chooses idlest disk for SSD
+
+which causes a write-mostly device to be *preferred* is some cases.
+
+Restore correct behaviour by checking and setting
+best_dist_disk and best_pending_disk rather than best_disk.
+
+We only need to test one of these as they are both changed
+from -1 or >=0 at the same time.
+
+As we leave min_pending and best_dist unchanged, any non-write-mostly
+device will appear better than the write-mostly device.
+
+Reported-by: Tomáš Hodek <tomas.hodek@volny.cz>
+Reported-by: Dark Penguin <darkpenguin@yandex.ru>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Link: http://marc.info/?l=linux-raid&m=135982797322422
+Fixes: 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -561,7 +561,7 @@ static int read_balance(struct r1conf *c
+               if (test_bit(WriteMostly, &rdev->flags)) {
+                       /* Don't balance among write-mostly, just
+                        * use the first as a last resort */
+-                      if (best_disk < 0) {
++                      if (best_dist_disk < 0) {
+                               if (is_badblock(rdev, this_sector, sectors,
+                                               &first_bad, &bad_sectors)) {
+                                       if (first_bad < this_sector)
+@@ -570,7 +570,8 @@ static int read_balance(struct r1conf *c
+                                       best_good_sectors = first_bad - this_sector;
+                               } else
+                                       best_good_sectors = sectors;
+-                              best_disk = disk;
++                              best_dist_disk = disk;
++                              best_pending_disk = disk;
+                       }
+                       continue;
+               }
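Review bot: the condition in the write-mostly branch now tests only `best_dist_disk < 0` while the body assigns both best_dist_disk and best_pending_disk; the reason one test is enough is given in the commit message but not in read_balance() itself. Extending the existing "Don't balance among write-mostly" comment to say that the two are always set together here, and that min_pending and best_dist are deliberately left untouched, would keep the invariant visible to the next person editing this branch.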
diff --git a/queue-3.14/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch b/queue-3.14/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch
new file mode 100644 (file)
index 0000000..97375cc
--- /dev/null
@@ -0,0 +1,44 @@
+From 26ac107378c4742978216be1005b7291b799c7b2 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Wed, 18 Feb 2015 11:35:14 +1100
+Subject: md/raid5: Fix livelock when array is both resyncing and degraded.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 26ac107378c4742978216be1005b7291b799c7b2 upstream.
+
+Commit a7854487cd7128a30a7f4f5259de9f67d5efb95f:
+  md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write.
+
+Causes an RCW cycle to be forced even when the array is degraded.
+A degraded array cannot support RCW as that requires reading all data
+blocks, and one may be missing.
+
+Forcing an RCW when it is not possible causes a live-lock and the code
+spins, repeatedly deciding to do something that cannot succeed.
+
+So change the condition to only force RCW on non-degraded arrays.
+
+Reported-by: Manibalan P <pmanibalan@amiindia.co.in>
+Bisected-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Tested-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Fixes: a7854487cd7128a30a7f4f5259de9f67d5efb95f
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3071,7 +3071,8 @@ static void handle_stripe_dirtying(struc
+        * generate correct data from the parity.
+        */
+       if (conf->max_degraded == 2 ||
+-          (recovery_cp < MaxSector && sh->sector >= recovery_cp)) {
++          (recovery_cp < MaxSector && sh->sector >= recovery_cp &&
++           s->failed == 0)) {
+               /* Calculate the real rcw later - for now make it
+                * look like rcw is cheaper
+                */
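Review bot: the added `s->failed == 0` term changes when RCW is forced, but the comment above the condition (ending "generate correct data from the parity") is left as it was. It should say that the resync case applies only to non-degraded stripes. The `conf->max_degraded == 2` arm still forces RCW regardless of s->failed, and a short note on why that arm is exempt would answer the obvious follow-up question.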
diff --git a/queue-3.14/metag-fix-kstk_eip-and-kstk_esp-macros.patch b/queue-3.14/metag-fix-kstk_eip-and-kstk_esp-macros.patch
new file mode 100644 (file)
index 0000000..4cf590f
--- /dev/null
@@ -0,0 +1,75 @@
+From c2996cb29bfb73927a79dc96e598a718e843f01a Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 24 Feb 2015 12:25:25 +0000
+Subject: metag: Fix KSTK_EIP() and KSTK_ESP() macros
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit c2996cb29bfb73927a79dc96e598a718e843f01a upstream.
+
+The KSTK_EIP() and KSTK_ESP() macros should return the user program
+counter (PC) and stack pointer (A0StP) of the given task. These are used
+to determine which VMA corresponds to the user stack in
+/proc/<pid>/maps, and for the user PC & A0StP in /proc/<pid>/stat.
+
+However for Meta the PC & A0StP from the task's kernel context are used,
+resulting in broken output. For example in following /proc/<pid>/maps
+output, the 3afff000-3b021000 VMA should be described as the stack:
+
+  # cat /proc/self/maps
+  ...
+  100b0000-100b1000 rwxp 00000000 00:00 0          [heap]
+  3afff000-3b021000 rwxp 00000000 00:00 0
+
+And in the following /proc/<pid>/stat output, the PC is in kernel code
+(1074234964 = 0x40078654) and the A0StP is in the kernel heap
+(1335981392 = 0x4fa17550):
+
+  # cat /proc/self/stat
+  51 (cat) R ... 1335981392 1074234964 ...
+
+Fix the definitions of KSTK_EIP() and KSTK_ESP() to use
+task_pt_regs(tsk)->ctx rather than (tsk)->thread.kernel_context. This
+gets the registers from the user context stored after the thread info at
+the base of the kernel stack, which is from the last entry into the
+kernel from userland, regardless of where in the kernel the task may
+have been interrupted, which results in the following more correct
+/proc/<pid>/maps output:
+
+  # cat /proc/self/maps
+  ...
+  0800b000-08070000 r-xp 00000000 00:02 207        /lib/libuClibc-0.9.34-git.so
+  ...
+  100b0000-100b1000 rwxp 00000000 00:00 0          [heap]
+  3afff000-3b021000 rwxp 00000000 00:00 0          [stack]
+
+And /proc/<pid>/stat now correctly reports the PC in libuClibc
+(134320308 = 0x80190b4) and the A0StP in the [stack] region (989864576 =
+0x3b002280):
+
+  # cat /proc/self/stat
+  51 (cat) R ... 989864576 134320308 ...
+
+Reported-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+Reported-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-metag@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/include/asm/processor.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/metag/include/asm/processor.h
++++ b/arch/metag/include/asm/processor.h
+@@ -149,8 +149,8 @@ extern void exit_thread(void);
+ unsigned long get_wchan(struct task_struct *p);
+-#define       KSTK_EIP(tsk)   ((tsk)->thread.kernel_context->CurrPC)
+-#define       KSTK_ESP(tsk)   ((tsk)->thread.kernel_context->AX[0].U0)
++#define       KSTK_EIP(tsk)   (task_pt_regs(tsk)->ctx.CurrPC)
++#define       KSTK_ESP(tsk)   (task_pt_regs(tsk)->ctx.AX[0].U0)
+ #define user_stack_pointer(regs)        ((regs)->ctx.AX[0].U0)
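Review bot: the two redefined macros carry no comment, and the names KSTK_EIP/KSTK_ESP do not say whether kernel or user context is meant, which is the confusion this change corrects. A one-line comment above them stating that they return the user PC and A0StP saved at the last entry from userland (via `task_pt_regs(tsk)->ctx`), not the values in `thread.kernel_context`, would document the contract that /proc/<pid>/maps and /proc/<pid>/stat rely on. The changelog could also say what these now return for a task that has never entered the kernel from userland, since the description only covers the userland-entry case.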
index 61a9787033a9936c87eb9b2b6dcc855b9ad9c8c3..d763564f42647fa0e6a645dbf3768a7fdb89b3a2 100644 (file)
@@ -59,3 +59,15 @@ kvm-mips-don-t-leak-fpu-dsp-to-guest.patch
 kvm-x86-update-masterclock-values-on-tsc-writes.patch
 hx4700-regulator-declare-full-constraints.patch
 arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch
+gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch
+gpio-tps65912-fix-wrong-container_of-arguments.patch
+xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch
+metag-fix-kstk_eip-and-kstk_esp-macros.patch
+md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch
+md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch
+edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch
+jffs2-fix-handling-of-corrupted-summary-length.patch
+btrfs-set-proper-message-level-for-skinny-metadata.patch
+btrfs-fix-leak-of-path-in-btrfs_find_item.patch
+blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch
+x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch
diff --git a/queue-3.14/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch b/queue-3.14/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch
new file mode 100644 (file)
index 0000000..bd4d3e1
--- /dev/null
@@ -0,0 +1,110 @@
+From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Sat, 14 Feb 2015 09:33:50 -0800
+Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems
+
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+
+commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.
+
+The issue is that the stack for processes is not properly randomized on
+64 bit architectures due to an integer overflow.
+
+The affected function is randomize_stack_top() in file
+"fs/binfmt_elf.c":
+
+  static unsigned long randomize_stack_top(unsigned long stack_top)
+  {
+           unsigned int random_variable = 0;
+
+           if ((current->flags & PF_RANDOMIZE) &&
+                   !(current->personality & ADDR_NO_RANDOMIZE)) {
+                   random_variable = get_random_int() & STACK_RND_MASK;
+                   random_variable <<= PAGE_SHIFT;
+           }
+           return PAGE_ALIGN(stack_top) + random_variable;
+           return PAGE_ALIGN(stack_top) - random_variable;
+  }
+
+Note that, it declares the "random_variable" variable as "unsigned int".
+Since the result of the shifting operation between STACK_RND_MASK (which
+is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
+
+         random_variable <<= PAGE_SHIFT;
+
+then the two leftmost bits are dropped when storing the result in the
+"random_variable". This variable shall be at least 34 bits long to hold
+the (22+12) result.
+
+These two dropped bits have an impact on the entropy of process stack.
+Concretely, the total stack entropy is reduced by four: from 2^28 to
+2^30 (One fourth of expected entropy).
+
+This patch restores back the entropy by correcting the types involved
+in the operations in the functions randomize_stack_top() and
+stack_maxrandom_size().
+
+The successful fix can be tested with:
+
+  $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
+  7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
+  7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
+  7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
+  7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
+  ...
+
+Once corrected, the leading bytes should be between 7ffc and 7fff,
+rather than always being 7fff.
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll <iripoll@upv.es>
+[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Fixes: CVE-2015-1593
+Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/mmap.c |    6 +++---
+ fs/binfmt_elf.c    |    5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_ali
+       .flags = -1,
+ };
+-static unsigned int stack_maxrandom_size(void)
++static unsigned long stack_maxrandom_size(void)
+ {
+-      unsigned int max = 0;
++      unsigned long max = 0;
+       if ((current->flags & PF_RANDOMIZE) &&
+               !(current->personality & ADDR_NO_RANDOMIZE)) {
+-              max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
++              max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
+       }
+       return max;
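Review bot: widening the return type of stack_maxrandom_size() only helps if every caller keeps the value in an `unsigned long`, and no caller is visible in this hunk. Please confirm that the consumers in arch/x86/mm/mmap.c do not assign or add the result into an `unsigned int`, which would drop the top bits again. As a style point, `((-1UL) & STACK_RND_MASK) << PAGE_SHIFT` is an indirect way of writing "STACK_RND_MASK widened to long before the shift"; a short comment or a plain cast of the mask would make the reason for the `UL` suffix obvious.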
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -549,11 +549,12 @@ out:
+ static unsigned long randomize_stack_top(unsigned long stack_top)
+ {
+-      unsigned int random_variable = 0;
++      unsigned long random_variable = 0;
+       if ((current->flags & PF_RANDOMIZE) &&
+               !(current->personality & ADDR_NO_RANDOMIZE)) {
+-              random_variable = get_random_int() & STACK_RND_MASK;
++              random_variable = (unsigned long) get_random_int();
++              random_variable &= STACK_RND_MASK;
+               random_variable <<= PAGE_SHIFT;
+       }
+ #ifdef CONFIG_STACK_GROWSUP
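Review bot: in randomize_stack_top(), the explicit `(unsigned long)` cast on `get_random_int()` and the split into a separate `&=` are not needed once `random_variable` is declared `unsigned long`. Keeping `random_variable = get_random_int() & STACK_RND_MASK;` would already zero-extend on assignment, and the following `<<= PAGE_SHIFT` would then be done in 64 bits, so the hunk could be a one-line type change. Two points on the changelog text that describes this function: the quoted body shows two consecutive `return` statements, while the trailing context here (`#ifdef CONFIG_STACK_GROWSUP`) shows they belong to separate preprocessor branches, so the `#ifdef`/`#else`/`#endif` lines appear to have been lost from the quote; and "from 2^28 to 2^30" reads in the opposite direction to "reduced by four" in the same sentence.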
diff --git a/queue-3.14/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch b/queue-3.14/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch
new file mode 100644 (file)
index 0000000..14fcfeb
--- /dev/null
@@ -0,0 +1,48 @@
+From dfcc70a8c868fe03276fa59864149708fb41930b Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 23 Feb 2015 22:34:17 +1100
+Subject: xfs: Fix quota type in quota structures when reusing quota file
+
+From: Jan Kara <jack@suse.cz>
+
+commit dfcc70a8c868fe03276fa59864149708fb41930b upstream.
+
+For filesystems without separate project quota inode field in the
+superblock we just reuse project quota file for group quotas (and vice
+versa) if project quota file is allocated and we need group quota file.
+When we reuse the file, quota structures on disk suddenly have wrong
+type stored in d_flags though. Nobody really cares about this (although
+structure type reported to userspace was wrong as well) except
+that after commit 14bf61ffe6ac (quota: Switch ->get_dqblk() and
+->set_dqblk() to use bytes as space units) assertion in
+xfs_qm_scall_getquota() started to trigger on xfs/106 test (apparently I
+was testing without XFS_DEBUG so I didn't notice when submitting the
+above commit).
+
+Fix the problem by properly resetting ddq->d_flags when running quotacheck
+for a quota file.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_qm.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/xfs/xfs_qm.c
++++ b/fs/xfs/xfs_qm.c
+@@ -1108,6 +1108,11 @@ xfs_qm_reset_dqcounts(
+                */
+               xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR,
+                           "xfs_quotacheck");
++              /*
++               * Reset type in case we are reusing group quota file for
++               * project quotas or vice versa
++               */
++              ddq->d_flags = type;
+               ddq->d_bcount = 0;
+               ddq->d_icount = 0;
+               ddq->d_rtbcount = 0;
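Review bot: `ddq->d_flags = type;` overwrites the whole on-disk flags field rather than only its type bits. If `d_flags` in the disk dquot can ever carry anything besides the quota type, this assignment silently clears it, so the new comment should state that the field holds only the type, or the assignment should mask and set just those bits. It would also help to note why the reset comes after the `xfs_dqcheck(..., XFS_QMOPT_DQREPAIR, ...)` call above it and is not left to that repair pass, since the check is given the same `type`.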