3.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Jul 2013 20:19:00 +0000 (13:19 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Jul 2013 20:19:00 +0000 (13:19 -0700)
added patches:
block-do-not-pass-disk-names-as-format-strings.patch
ceph-fix-sleeping-function-called-from-invalid-context.patch
charger-manager-ensure-event-is-not-used-as-format-string.patch
crypto-sanitize-argument-for-format-string.patch
drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
futex-take-hugepages-into-account-when-generating-futex_key.patch
hpfs-better-test-for-errors.patch
libceph-fix-null-pointer-dereference-in-auth-client-code.patch
maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
module-do-percpu-allocation-after-uniqueness-check.-no-really.patch
revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch

12 files changed:
queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch [new file with mode: 0644]
queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch [new file with mode: 0644]
queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch [new file with mode: 0644]
queue-3.9/crypto-sanitize-argument-for-format-string.patch [new file with mode: 0644]
queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch [new file with mode: 0644]
queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch [new file with mode: 0644]
queue-3.9/hpfs-better-test-for-errors.patch [new file with mode: 0644]
queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch [new file with mode: 0644]
queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch [new file with mode: 0644]
queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch [new file with mode: 0644]
queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch [new file with mode: 0644]
queue-3.9/series [new file with mode: 0644]

diff --git a/queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644 (file)
index 0000000..fe9c5c5
--- /dev/null
@@ -0,0 +1,62 @@
+From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:14 -0700
+Subject: block: do not pass disk names as format strings
+
+From: Kees Cook <keescook@chromium.org>
+
+commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
+
+Disk names may contain arbitrary strings, so they must not be
+interpreted as format strings.  It seems that only md allows arbitrary
+strings to be used for disk names, but this could allow for a local
+memory corruption from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c              |    2 +-
+ drivers/block/nbd.c        |    3 ++-
+ drivers/scsi/osd/osd_uld.c |    2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk
+       ddev->parent = disk->driverfs_dev;
+-      dev_set_name(ddev, disk->disk_name);
++      dev_set_name(ddev, "%s", disk->disk_name);
+       /* delay uevents, until we scanned partition table */
+       dev_set_uevent_suppress(ddev, 1);
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_devi
+               else
+                       blk_queue_flush(nbd->disk->queue, 0);
+-              thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++              thread = kthread_create(nbd_thread, nbd, "%s",
++                                      nbd->disk->disk_name);
+               if (IS_ERR(thread)) {
+                       mutex_lock(&nbd->tx_lock);
+                       return PTR_ERR(thread);
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+       oud->class_dev.class = &osd_uld_class;
+       oud->class_dev.parent = dev;
+       oud->class_dev.release = __remove;
+-      error = dev_set_name(&oud->class_dev, disk->disk_name);
++      error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+       if (error) {
+               OSD_ERR("dev_set_name failed => %d\n", error);
+               goto err_put_cdev;
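Review bot: The three call sites — `dev_set_name(ddev, "%s", disk->disk_name)` in register_disk, the nbd `kthread_create()` and the osd `dev_set_name()` — are fixed individually, but nothing in the patch prevents the same non-literal format from being reintroduced elsewhere. Both callees are printf-style, so their declarations (outside this hunk) should carry `__printf(n, m)` if they do not already, and a build with `-Wformat-security` would surface any remaining `fn(dev, name)` callers in the stable tree. The nbd path is reached from `__nbd_ioctl`, so a one-line comment there would record why the literal matters: `/* disk_name is driver-controlled, but never use it as a format string */`. All three enclosing functions start before their respective hunks.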
diff --git a/queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch b/queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch
new file mode 100644 (file)
index 0000000..864da9e
--- /dev/null
@@ -0,0 +1,75 @@
+From a1dc1937337a93e699eaa56968b7de6e1a9e77cf Mon Sep 17 00:00:00 2001
+From: majianpeng <majianpeng@gmail.com>
+Date: Wed, 19 Jun 2013 14:58:10 +0800
+Subject: ceph: fix sleeping function called from invalid context.
+
+From: majianpeng <majianpeng@gmail.com>
+
+commit a1dc1937337a93e699eaa56968b7de6e1a9e77cf upstream.
+
+[ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20
+[ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv
+[ 1121.231971] 1 lock held by mv/9831:
+[ 1121.231973]  #0:  (&(&ci->i_ceph_lock)->rlock){+.+...},at:[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
+[ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215
+[ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By
+O.E.M./To be filled by O.E.M., BIOS 080015  11/09/2011
+[ 1121.232027]  ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8
+[ 1121.232045]  ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba
+[ 1121.232052]  0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68
+[ 1121.232056] Call Trace:
+[ 1121.232062]  [<ffffffff8168348c>] dump_stack+0x19/0x1b
+[ 1121.232067]  [<ffffffff81070435>] __might_sleep+0xe5/0x110
+[ 1121.232071]  [<ffffffff816899ba>] down_read+0x2a/0x98
+[ 1121.232080]  [<ffffffffa02baf70>] ceph_vxattrcb_layout+0x60/0xf0 [ceph]
+[ 1121.232088]  [<ffffffffa02bbd7f>] ceph_getxattr+0x9f/0x1d0 [ceph]
+[ 1121.232093]  [<ffffffff81188d28>] vfs_getxattr+0xa8/0xd0
+[ 1121.232097]  [<ffffffff8118900b>] getxattr+0xab/0x1c0
+[ 1121.232100]  [<ffffffff811704f2>] ? final_putname+0x22/0x50
+[ 1121.232104]  [<ffffffff81155f80>] ? kmem_cache_free+0xb0/0x260
+[ 1121.232107]  [<ffffffff811704f2>] ? final_putname+0x22/0x50
+[ 1121.232110]  [<ffffffff8109e63d>] ? trace_hardirqs_on+0xd/0x10
+[ 1121.232114]  [<ffffffff816957a7>] ? sysret_check+0x1b/0x56
+[ 1121.232120]  [<ffffffff81189c9c>] SyS_fgetxattr+0x6c/0xc0
+[ 1121.232125]  [<ffffffff81695782>] system_call_fastpath+0x16/0x1b
+[ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002
+[ 1121.232154] 1 lock held by mv/9831:
+[ 1121.232156]  #0:  (&(&ci->i_ceph_lock)->rlock){+.+...}, at:
+[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
+
+I think move the ci->i_ceph_lock down is safe because we can't free
+ceph_inode_info at there.
+
+Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/xattr.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -675,17 +675,18 @@ ssize_t ceph_getxattr(struct dentry *den
+       if (!ceph_is_valid_xattr(name))
+               return -ENODATA;
+-      spin_lock(&ci->i_ceph_lock);
+-      dout("getxattr %p ver=%lld index_ver=%lld\n", inode,
+-           ci->i_xattrs.version, ci->i_xattrs.index_version);
+       /* let's see if a virtual xattr was requested */
+       vxattr = ceph_match_vxattr(inode, name);
+       if (vxattr && !(vxattr->exists_cb && !vxattr->exists_cb(ci))) {
+               err = vxattr->getxattr_cb(ci, value, size);
+-              goto out;
++              return err;
+       }
++      spin_lock(&ci->i_ceph_lock);
++      dout("getxattr %p ver=%lld index_ver=%lld\n", inode,
++           ci->i_xattrs.version, ci->i_xattrs.index_version);
++
+       if (__ceph_caps_issued_mask(ci, CEPH_CAP_XATTR_SHARED, 1) &&
+           (ci->i_xattrs.index_version >= ci->i_xattrs.version)) {
+               goto get_xattr;
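Review bot: Moving `spin_lock(&ci->i_ceph_lock)` below the vxattr branch means `vxattr->exists_cb(ci)` and `vxattr->getxattr_cb(ci, value, size)` now run with no i_ceph_lock held, and the commit message only argues that the inode cannot be freed there, not that the fields those callbacks read (the layout read by ceph_vxattrcb_layout in the trace, for instance) are safe to read unlocked. The callbacks are outside this hunk; either they should take the lock around their own reads, or a comment at the early `return err;` should record that the unlocked read is deliberate: `/* vxattr callbacks may sleep, so they run unlocked; values are best-effort snapshots */`. ceph_getxattr continues past the end of the hunk.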
diff --git a/queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch b/queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch
new file mode 100644 (file)
index 0000000..9658fc8
--- /dev/null
@@ -0,0 +1,34 @@
+From 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 6 Jun 2013 13:52:21 -0700
+Subject: charger-manager: Ensure event is not used as format string
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream.
+
+The exposed interface for cm_notify_event() could result in the event msg
+string being parsed as a format string. Make sure it is only used as a
+literal string.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Anton Vorontsov <cbou@mail.ru>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Anton Vorontsov <anton@enomsg.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/charger-manager.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/charger-manager.c
++++ b/drivers/power/charger-manager.c
+@@ -450,7 +450,7 @@ static void uevent_notify(struct charger
+       strncpy(env_str, event, UEVENT_BUF_SIZE);
+       kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE);
+-      dev_info(cm->dev, event);
++      dev_info(cm->dev, "%s", event);
+ }
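Review bot: The `strncpy(env_str, event, UEVENT_BUF_SIZE)` directly above the fixed `dev_info()` does not NUL-terminate when `event` is UEVENT_BUF_SIZE bytes or longer, so if env_str is later consumed as a C string by the uevent path (its declaration and use are outside this hunk) the format-string fix leaves an adjacent over-read in the same function. `strlcpy(env_str, event, UEVENT_BUF_SIZE);` guarantees termination, and if env_str is a fixed array `sizeof(env_str)` is the safer bound than the macro. uevent_notify's body begins before the hunk.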
+ /**
diff --git a/queue-3.9/crypto-sanitize-argument-for-format-string.patch b/queue-3.9/crypto-sanitize-argument-for-format-string.patch
new file mode 100644 (file)
index 0000000..063f72f
--- /dev/null
@@ -0,0 +1,35 @@
+From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:15 -0700
+Subject: crypto: sanitize argument for format string
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
+
+The template lookup interface does not provide a way to use format
+strings, so make sure that the interface cannot be abused accidentally.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algapi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -495,7 +495,8 @@ static struct crypto_template *__crypto_
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+-      return try_then_request_module(__crypto_lookup_template(name), name);
++      return try_then_request_module(__crypto_lookup_template(name), "%s",
++                                     name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
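Review bot: `try_then_request_module(__crypto_lookup_template(name), "%s", name)` closes the format-string hole but still hands a caller-supplied template name straight to request_module(), so whoever controls `name` decides which module is autoloaded. If this lookup is reachable from userspace (the callers are outside this hunk), consider namespacing the request, e.g. `"crypto-%s"` together with matching module aliases, so only crypto templates can be loaded through it. A short comment at the call would document the trust boundary: `/* name may be caller supplied: never a format, and it selects the module to load */`.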
diff --git a/queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
new file mode 100644 (file)
index 0000000..41d2d9d
--- /dev/null
@@ -0,0 +1,51 @@
+From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Wed, 3 Jul 2013 15:01:13 -0700
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+
+commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+  2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+  2886         if (cgc->buffer == NULL)
+  2887                 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+  2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.
+If ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled.  The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read
+       if (lba < 0)
+               return -EINVAL;
+-      cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++      cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+       if (cgc->buffer == NULL)
+               return -ENOMEM;
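Review bot: Switching to `kzalloc(blocksize, GFP_KERNEL)` stops stale heap bytes from reaching userspace, but the `copy_to_user(arg, cgc->buffer, blocksize)` described in the message still copies the full `blocksize` regardless of how much the drive actually transferred, so a short read now returns zeros instead of an error. If the command layer exposes a residual or transferred length (not visible here), copying only that many bytes or failing on a short transfer would be the stronger fix. The allocation should also carry a comment explaining why zeroing is load-bearing: `/* zeroed: a failing drive may only partially fill the buffer before copy_to_user() */`. mmc_ioctl_cdrom_read_data continues outside the hunk.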
diff --git a/queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch b/queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch
new file mode 100644 (file)
index 0000000..1fd209f
--- /dev/null
@@ -0,0 +1,149 @@
+From 13d60f4b6ab5b702dc8d2ee20999f98a93728aec Mon Sep 17 00:00:00 2001
+From: Zhang Yi <wetpzy@gmail.com>
+Date: Tue, 25 Jun 2013 21:19:31 +0800
+Subject: futex: Take hugepages into account when generating futex_key
+
+From: Zhang Yi <wetpzy@gmail.com>
+
+commit 13d60f4b6ab5b702dc8d2ee20999f98a93728aec upstream.
+
+The futex_keys of process shared futexes are generated from the page
+offset, the mapping host and the mapping index of the futex user space
+address. This should result in an unique identifier for each futex.
+
+Though this is not true when futexes are located in different subpages
+of an hugepage. The reason is, that the mapping index for all those
+futexes evaluates to the index of the base page of the hugetlbfs
+mapping. So a futex at offset 0 of the hugepage mapping and another
+one at offset PAGE_SIZE of the same hugepage mapping have identical
+futex_keys. This happens because the futex code blindly uses
+page->index.
+
+Steps to reproduce the bug:
+
+1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0
+   and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs
+   mapping.
+
+   The mutexes must be initialized as PTHREAD_PROCESS_SHARED because
+   PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as
+   their keys solely depend on the user space address.
+
+2. Lock mutex1 and mutex2
+
+3. Create thread1 and in the thread function lock mutex1, which
+   results in thread1 blocking on the locked mutex1.
+
+4. Create thread2 and in the thread function lock mutex2, which
+   results in thread2 blocking on the locked mutex2.
+
+5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2
+   still blocks on mutex2 because the futex_key points to mutex1.
+
+To solve this issue we need to take the normal page index of the page
+which contains the futex into account, if the futex is in an hugetlbfs
+mapping. In other words, we calculate the normal page mapping index of
+the subpage in the hugetlbfs mapping.
+
+Mappings which are not based on hugetlbfs are not affected and still
+use page->index.
+
+Thanks to Mel Gorman who provided a patch for adding proper evaluation
+functions to the hugetlbfs code to avoid exposing hugetlbfs specific
+details to the futex code.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Tested-by: Ma Chenggong <ma.chenggong@zte.com.cn>
+Reviewed-by: 'Mel Gorman' <mgorman@suse.de>
+Acked-by: 'Darren Hart' <dvhart@linux.intel.com>
+Cc: 'Peter Zijlstra' <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/hugetlb.h |   16 ++++++++++++++++
+ kernel/futex.c          |    3 ++-
+ mm/hugetlb.c            |   17 +++++++++++++++++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -354,6 +354,17 @@ static inline int hstate_index(struct hs
+       return h - hstates;
+ }
++pgoff_t __basepage_index(struct page *page);
++
++/* Return page->index in PAGE_SIZE units */
++static inline pgoff_t basepage_index(struct page *page)
++{
++      if (!PageCompound(page))
++              return page->index;
++
++      return __basepage_index(page);
++}
++
+ #else /* CONFIG_HUGETLB_PAGE */
+ struct hstate {};
+ #define alloc_huge_page_node(h, nid) NULL
+@@ -374,6 +385,11 @@ static inline unsigned int pages_per_hug
+ }
+ #define hstate_index_to_shift(index) 0
+ #define hstate_index(h) 0
++
++static inline pgoff_t basepage_index(struct page *page)
++{
++      return page->index;
++}
+ #endif        /* CONFIG_HUGETLB_PAGE */
+ #endif /* _LINUX_HUGETLB_H */
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -61,6 +61,7 @@
+ #include <linux/nsproxy.h>
+ #include <linux/ptrace.h>
+ #include <linux/sched/rt.h>
++#include <linux/hugetlb.h>
+ #include <asm/futex.h>
+@@ -365,7 +366,7 @@ again:
+       } else {
+               key->both.offset |= FUT_OFF_INODE; /* inode-based key */
+               key->shared.inode = page_head->mapping->host;
+-              key->shared.pgoff = page_head->index;
++              key->shared.pgoff = basepage_index(page);
+       }
+       get_futex_key_refs(key);
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -690,6 +690,23 @@ int PageHuge(struct page *page)
+ }
+ EXPORT_SYMBOL_GPL(PageHuge);
++pgoff_t __basepage_index(struct page *page)
++{
++      struct page *page_head = compound_head(page);
++      pgoff_t index = page_index(page_head);
++      unsigned long compound_idx;
++
++      if (!PageHuge(page_head))
++              return page_index(page);
++
++      if (compound_order(page_head) >= MAX_ORDER)
++              compound_idx = page_to_pfn(page) - page_to_pfn(page_head);
++      else
++              compound_idx = page - page_head;
++
++      return (index << compound_order(page_head)) + compound_idx;
++}
++
+ static struct page *alloc_fresh_huge_page_node(struct hstate *h, int nid)
+ {
+       struct page *page;
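Review bot: `key->shared.pgoff = basepage_index(page)` replaces `page_head->index`, and for a compound page that is not a hugetlbfs page both the `!PageHuge(page_head)` branch of `__basepage_index()` and the `!CONFIG_HUGETLB_PAGE` stub return the tail page's own index rather than the head's, so the key changes for any shared-mapped non-hugetlb compound page. Whether such pages can reach this inode-based path in 3.9 is not visible here; if they cannot, the early return should say so, e.g. `/* non-hugetlb compound pages: only head pages are expected here */`, otherwise `return index;` (the head's index already computed above it) is the behaviour-preserving choice. The surrounding get_futex_key body lies outside the hunk.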
diff --git a/queue-3.9/hpfs-better-test-for-errors.patch b/queue-3.9/hpfs-better-test-for-errors.patch
new file mode 100644 (file)
index 0000000..e9566d1
--- /dev/null
@@ -0,0 +1,54 @@
+From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Date: Thu, 4 Jul 2013 18:42:29 +0200
+Subject: hpfs: better test for errors
+
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+
+commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
+
+The test if bitmap access is out of bound could errorneously pass if the
+device size is divisible by 16384 sectors and we are asking for one bitmap
+after the end.
+
+Check for invalid size in the superblock. Invalid size could cause integer
+overflows in the rest of the code.
+
+Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/map.c   |    3 ++-
+ fs/hpfs/super.c |    8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/map.c
++++ b/fs/hpfs/map.c
+@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_blo
+                        struct quad_buffer_head *qbh, char *id)
+ {
+       secno sec;
+-      if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
++      unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
++      if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
+               hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
+               return NULL;
+       }
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_
+       sbi->sb_cp_table = NULL;
+       sbi->sb_c_bitmap = -1;
+       sbi->sb_max_fwd_alloc = 0xffffff;
+-      
++
++      if (sbi->sb_fs_size >= 0x80000000) {
++              hpfs_error(s, "invalid size in superblock: %08x",
++                      (unsigned)sbi->sb_fs_size);
++              goto bail4;
++      }
++
+       /* Load bitmap directory */
+       if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
+               goto bail4;
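Review bot: The tightened bound in `hpfs_map_bitmap()` still sits under `if (hpfs_sb(s)->sb_chk)`, so with the mount-time check option off an out-of-range `bmp_block` reaches the bitmap read unchecked; the test is one shift and one compare, so it could be made unconditional by dropping the `sb_chk` guard and keeping `if (bmp_block >= n_bands)`. In `hpfs_fill_super()` the new check reads `sbi->sb_fs_size` while the neighbouring line uses `le32_to_cpu(superblock->bitmaps)`; a comment noting that `sb_fs_size` is already host-endian at this point would spare the next reader the question. The `0x80000000` limit deserves a comment tying it to the `bmp_block * 16384` style arithmetic it keeps from overflowing 32 bits.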
diff --git a/queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
new file mode 100644 (file)
index 0000000..d445460
--- /dev/null
@@ -0,0 +1,49 @@
+From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 20 Jun 2013 13:13:59 -0700
+Subject: libceph: Fix NULL pointer dereference in auth client code
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
+
+A malicious monitor can craft an auth reply message that could cause a
+NULL function pointer dereference in the client's kernel.
+
+To prevent this, the auth_none protocol handler needs an empty
+ceph_auth_client_ops->build_request() function.
+
+CVE-2013-1059
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reported-by: Chanam Park <chanam.park@hkpco.kr>
+Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/auth_none.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ceph/auth_none.c
++++ b/net/ceph/auth_none.c
+@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
+       return xi->starting;
+ }
++static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
++{
++      return 0;
++}
++
+ /*
+  * the generic auth code decode the global_id, and we carry no actual
+  * authenticate state, so nothing happens here.
+@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops
+       .destroy = destroy,
+       .is_authenticated = is_authenticated,
+       .should_authenticate = should_authenticate,
++      .build_request = build_request,
+       .handle_reply = handle_reply,
+       .create_authorizer = ceph_auth_none_create_authorizer,
+       .destroy_authorizer = ceph_auth_none_destroy_authorizer,
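Review bot: The empty `build_request()` stub closes the NULL dereference for auth_none, but the root cause is the generic auth client invoking `ac->ops->build_request()` without checking the pointer (that caller is outside this hunk); any future protocol handler that omits the op would reintroduce CVE-2013-1059, so the caller should also test for NULL. The stub itself should carry a comment in the style of the one above `handle_reply`, e.g. `/* auth_none sends no request payload; present so the generic code's unconditional ops->build_request() call has a target. */`.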
diff --git a/queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
new file mode 100644 (file)
index 0000000..db02a5c
--- /dev/null
@@ -0,0 +1,30 @@
+From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 18 Jun 2013 12:58:12 -0700
+Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
+
+This hopefully will help point developers to the proper way that patches
+should be submitted for inclusion in the stable kernel releases.
+
+Reported-by: David Howells <dhowells@redhat.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7512,6 +7512,7 @@ STABLE BRANCH
+ M:    Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ L:    stable@vger.kernel.org
+ S:    Supported
++F:    Documentation/stable_kernel_rules.txt
+ STAGING SUBSYSTEM
+ M:    Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch b/queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch
new file mode 100644 (file)
index 0000000..a36059c
--- /dev/null
@@ -0,0 +1,100 @@
+From 8d8022e8aba85192e937f1f0f7450e256d66ae5c Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Wed, 3 Jul 2013 10:06:28 +0930
+Subject: module: do percpu allocation after uniqueness check.  No, really!
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 8d8022e8aba85192e937f1f0f7450e256d66ae5c upstream.
+
+v3.8-rc1-5-g1fb9341 was supposed to stop parallel kvm loads exhausting
+percpu memory on large machines:
+
+    Now we have a new state MODULE_STATE_UNFORMED, we can insert the
+    module into the list (and thus guarantee its uniqueness) before we
+    allocate the per-cpu region.
+
+In my defence, it didn't actually say the patch did this.  Just that
+we "can".
+
+This patch actually *does* it.
+
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Tested-by: Jim Hull <jim.hull@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c |   34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2939,7 +2939,6 @@ static struct module *layout_and_allocat
+ {
+       /* Module within temporary copy. */
+       struct module *mod;
+-      Elf_Shdr *pcpusec;
+       int err;
+       mod = setup_load_info(info, flags);
+@@ -2954,17 +2953,10 @@ static struct module *layout_and_allocat
+       err = module_frob_arch_sections(info->hdr, info->sechdrs,
+                                       info->secstrings, mod);
+       if (err < 0)
+-              goto out;
++              return ERR_PTR(err);
+-      pcpusec = &info->sechdrs[info->index.pcpu];
+-      if (pcpusec->sh_size) {
+-              /* We have a special allocation for this section. */
+-              err = percpu_modalloc(mod,
+-                                    pcpusec->sh_size, pcpusec->sh_addralign);
+-              if (err)
+-                      goto out;
+-              pcpusec->sh_flags &= ~(unsigned long)SHF_ALLOC;
+-      }
++      /* We will do a special allocation for per-cpu sections later. */
++      info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC;
+       /* Determine total sizes, and put offsets in sh_entsize.  For now
+          this is done generically; there doesn't appear to be any
+@@ -2975,17 +2967,22 @@ static struct module *layout_and_allocat
+       /* Allocate and move to the final place */
+       err = move_module(mod, info);
+       if (err)
+-              goto free_percpu;
++              return ERR_PTR(err);
+       /* Module has been copied to its final place now: return it. */
+       mod = (void *)info->sechdrs[info->index.mod].sh_addr;
+       kmemleak_load_module(mod, info);
+       return mod;
++}
+-free_percpu:
+-      percpu_modfree(mod);
+-out:
+-      return ERR_PTR(err);
++static int alloc_module_percpu(struct module *mod, struct load_info *info)
++{
++      Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu];
++      if (!pcpusec->sh_size)
++              return 0;
++
++      /* We have a special allocation for this section. */
++      return percpu_modalloc(mod, pcpusec->sh_size, pcpusec->sh_addralign);
+ }
+ /* mod is no longer valid after this! */
+@@ -3249,6 +3246,11 @@ static int load_module(struct load_info
+       }
+ #endif
++      /* To avoid stressing percpu allocator, do this once we're unique. */
++      err = alloc_module_percpu(mod, info);
++      if (err)
++              goto unlink_mod;
++
+       /* Now module is in final location, initialize linked lists, etc. */
+       err = module_unload_init(mod);
+       if (err)
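Review bot: `alloc_module_percpu()` now runs after the module is on the list, so every failure path after it in load_module — starting with `module_unload_init()` just below and whatever follows outside the hunk — must release the per-cpu region; the old `free_percpu:` label in `layout_and_allocate()` was removed and no replacement `percpu_modfree()` is visible here, so confirm the `unlink_mod`/free path (outside the hunk) covers it. The `sh_flags &= ~SHF_ALLOC` in `layout_and_allocate()` now runs even when `sh_size` is 0, which looks harmless but deserves the comment `/* cleared unconditionally; a zero-sized section has nothing to allocate anyway */`. load_module's body extends beyond the hunk.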
diff --git a/queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch b/queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
new file mode 100644 (file)
index 0000000..c08c7c9
--- /dev/null
@@ -0,0 +1,35 @@
+From 828c6a102b1f2b8583fadc0e779c46b31d448f0b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 30 Jun 2013 09:03:06 -0700
+Subject: Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream.
+
+This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366.
+
+As reported by Stefan, this device already works with the parport_serial
+driver, so the 8250_pci driver should not also try to grab it as well.
+
+Reported-by: Stefan Seyfried <stefan.seyfried@googlemail.com>
+Cc: Wang YanQing <udknight@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -4797,10 +4797,6 @@ static struct pci_device_id serial_pci_t
+               PCI_VENDOR_ID_IBM, 0x0299,
+               0, 0, pbn_b0_bt_2_115200 },
+-      {       PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
+-              0x1000, 0x0012,
+-              0, 0, pbn_b0_bt_2_115200 },
+-
+       {       PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901,
+               0xA000, 0x1000,
+               0, 0, pbn_b0_1_115200 },
diff --git a/queue-3.9/series b/queue-3.9/series
new file mode 100644 (file)
index 0000000..2dd4049
--- /dev/null
@@ -0,0 +1,11 @@
+libceph-fix-null-pointer-dereference-in-auth-client-code.patch
+ceph-fix-sleeping-function-called-from-invalid-context.patch
+drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
+module-do-percpu-allocation-after-uniqueness-check.-no-really.patch
+charger-manager-ensure-event-is-not-used-as-format-string.patch
+hpfs-better-test-for-errors.patch
+block-do-not-pass-disk-names-as-format-strings.patch
+crypto-sanitize-argument-for-format-string.patch
+maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
+futex-take-hugepages-into-account-when-generating-futex_key.patch
+revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch