--- /dev/null
+From c80567c82ae4814a41287618e315a60ecf513be6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:17:33 -0500
+Subject: do_last(): don't let a bogus return value from ->open() et.al. to confuse us
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.
+
+... into returning a positive to path_openat(), which would interpret that
+as "symlink had been encountered" and proceed to corrupt memory, etc.
+It can only happen due to a bug in some ->open() instance or in some LSM
+hook, etc., so we report any such event *and* make sure it doesn't trick
+us into further unpleasantness.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2917,6 +2917,10 @@ opened:
+ goto exit_fput;
+ }
+ out:
++ if (unlikely(error > 0)) {
++ WARN_ON(1);
++ error = -EINVAL;
++ }
+ if (got_write)
+ mnt_drop_write(nd->path.mnt);
+ path_put(&save_parent);
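Review bot: The new clamp at `out:` has no comment saying why a positive `error` is dangerous, so a reader must find the commit message to learn that path_openat() would take it for "symlink had been encountered". I would add `/* ->open() or an LSM hook must never return > 0; path_openat() would treat it as a symlink */` above the `if`. Separately, `WARN_ON(1)` fires on every occurrence, so a buggy ->open() instance that can be hit repeatedly would flood the log, and would bring the machine down where panic_on_warn is set. `WARN_ON_ONCE(1)` may be the better trade-off if one report per boot is enough to find the offending instance. The enclosing function starts and ends outside this hunk.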
--- /dev/null
+From 59ceeaaf355fa0fb16558ef7c24413c804932ada Mon Sep 17 00:00:00 2001
+From: Simon Guinot <simon.guinot@sequanux.org>
+Date: Thu, 10 Sep 2015 00:15:18 +0200
+Subject: kernel/resource.c: fix muxed resource handling in __request_region()
+
+From: Simon Guinot <simon.guinot@sequanux.org>
+
+commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.
+
+In __request_region, if a conflict with a BUSY and MUXED resource is
+detected, then the caller goes to sleep and waits for the resource to be
+released. A pointer on the conflicting resource is kept. At wake-up
+this pointer is used as a parent to retry to request the region.
+
+A first problem is that this pointer might well be invalid (if for
+example the conflicting resource have already been freed). Another
+problem is that the next call to __request_region() fails to detect a
+remaining conflict. The previously conflicting resource is passed as a
+parameter and __request_region() will look for a conflict among the
+children of this resource and not at the resource itself. It is likely
+to succeed anyway, even if there is still a conflict.
+
+Instead, the parent of the conflicting resource should be passed to
+__request_region().
+
+As a fix, this patch doesn't update the parent resource pointer in the
+case we have to wait for a muxed region right after.
+
+Reported-and-tested-by: Vincent Pelletier <plr.vincent@gmail.com>
+Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
+Tested-by: Vincent Donnefort <vdonnefort@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/resource.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -961,9 +961,10 @@ struct resource * __request_region(struc
+ if (!conflict)
+ break;
+ if (conflict != parent) {
+- parent = conflict;
+- if (!(conflict->flags & IORESOURCE_BUSY))
++ if (!(conflict->flags & IORESOURCE_BUSY)) {
++ parent = conflict;
+ continue;
++ }
+ }
+ if (conflict->flags & flags & IORESOURCE_MUXED) {
+ add_wait_queue(&muxed_resource_wait, &wait);
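Review bot: The reordered block inside `if (conflict != parent)` depends on a rule that is not written down in the loop: `parent` may only advance to a conflict that is not BUSY. Per the commit message, a BUSY and MUXED conflict can be released, and possibly freed, while the caller sleeps on `muxed_resource_wait`. A comment such as `/* descend only into non-busy conflicts; a busy one may be gone after we sleep */` above `if (!(conflict->flags & IORESOURCE_BUSY)) {` would stop a later cleanup from hoisting the assignment back out. The rest of the loop and of __request_region() lies outside this hunk, so how `conflict` is re-evaluated after wake-up cannot be confirmed from here.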
--- /dev/null
+From d7444794a02ff655eda87e3cc54e86b940e7736f Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 19 Feb 2016 13:11:46 +0100
+Subject: KVM: async_pf: do not warn on page allocation failures
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.
+
+In async_pf we try to allocate with NOWAIT to get an element quickly
+or fail. This code also handle failures gracefully. Lets silence
+potential page allocation failures under load.
+
+qemu-system-s39: page allocation failure: order:0,mode:0x2200000
+[...]
+Call Trace:
+([<00000000001146b8>] show_trace+0xf8/0x148)
+[<000000000011476a>] show_stack+0x62/0xe8
+[<00000000004a36b8>] dump_stack+0x70/0x98
+[<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
+[<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
+[<00000000002cd36a>] new_slab+0x382/0x400
+[<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
+[<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
+[<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
+[<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
+[<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
+[<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
+[<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
+[<0000000000781c5e>] system_call+0xd6/0x264
+[<000003ffa24fa06a>] 0x3ffa24fa06a
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/async_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -158,7 +158,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+ * do alloc nowait since if we are going to sleep anyway we
+ * may as well sleep faulting in page
+ */
+- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT);
++ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN);
+ if (!work)
+ return 0;
+
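Review bot: The comment above the allocation explains the NOWAIT choice but not the newly added `__GFP_NOWARN`, so the flag looks arbitrary without the commit message. I would extend the comment with a line such as `* failure is expected under load and handled by the !work check, so don't warn`. The visible lines show only that a failed allocation returns 0; what the caller does with that result is outside this hunk.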
--- /dev/null
+From 50ab8ec74a153eb30db26529088bc57dd700b24c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 8 Feb 2016 21:11:50 +0100
+Subject: nfs: fix nfs_size_to_loff_t
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.
+
+See http: //www.infradead.org/rpr.html
+X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
+Content-Transfer-Encoding: 8bit
+Mime-Version: 1.0
+
+We support OFFSET_MAX just fine, so don't round down below it. Also
+switch to using min_t to make the helper more readable.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/nfs_fs.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -578,9 +578,7 @@ static inline void nfs3_forget_cached_ac
+
+ static inline loff_t nfs_size_to_loff_t(__u64 size)
+ {
+- if (size > (__u64) OFFSET_MAX - 1)
+- return OFFSET_MAX - 1;
+- return (loff_t) size;
++ return min_t(u64, size, OFFSET_MAX);
+ }
+
+ static inline ino_t
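Review bot: `nfs_size_to_loff_t()` now returns the u64 result of `min_t()` through an implicit conversion to `loff_t`, which is safe only because the clamp bounds the value by OFFSET_MAX. A one-line comment above the function would make that invariant explicit, e.g. `/* clamp a 64-bit size to the largest value loff_t can represent */`. If the sizes passed in come from the server (likely, but not visible here), this helper is what keeps an oversized value from turning into a negative offset, which is worth stating so the bound is not loosened later.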
revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
libata-fix-sff-host-state-machine-locking-while-polling.patch
pci-aer-flush-workqueue-on-device-remove-to-avoid-use-after-free.patch
+nfs-fix-nfs_size_to_loff_t.patch
+kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
+tracing-fix-showing-function-event-in-available_events.patch
+sunrpc-cache-fix-off-by-one-in-qword_get.patch
+kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
+do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
+xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
--- /dev/null
+From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 18 Feb 2016 18:55:54 +0000
+Subject: sunrpc/cache: fix off-by-one in qword_get()
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.
+
+The qword_get() function NUL-terminates its output buffer. If the input
+string is in hex format \xXXXX... and the same length as the output
+buffer, there is an off-by-one:
+
+ int qword_get(char **bpp, char *dest, int bufsize)
+ {
+ ...
+ while (len < bufsize) {
+ ...
+ *dest++ = (h << 4) | l;
+ len++;
+ }
+ ...
+ *dest = '\0';
+ return len;
+ }
+
+This patch ensures the NUL terminator doesn't fall outside the output
+buffer.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1221,7 +1221,7 @@ int qword_get(char **bpp, char *dest, in
+ if (bp[0] == '\\' && bp[1] == 'x') {
+ /* HEX STRING */
+ bp += 2;
+- while (len < bufsize) {
++ while (len < bufsize - 1) {
+ int h, l;
+
+ h = hex_to_bin(bp[0]);
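Review bot: The tightened bound `len < bufsize - 1` leaves room for the terminator only when `bufsize` is at least 1. With a `bufsize` of 0 or less the loop is skipped, but the unconditional `*dest = '\0'` shown in the commit message's excerpt would still write one byte. Whether any caller can pass such a size is not visible here, so an entry guard such as `if (bufsize < 1)` that returns an error would make the function safe on its own. Only the hex branch appears in this hunk; the rest of qword_get() is outside it, and any other copy loop there should use the same `bufsize - 1` bound if it does not already.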
--- /dev/null
+From d045437a169f899dfb0f6f7ede24cc042543ced9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 24 Feb 2016 09:04:24 -0500
+Subject: tracing: Fix showing function event in available_events
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.
+
+The ftrace:function event is only displayed for parsing the function tracer
+data. It is not used to enable function tracing, and does not include an
+"enable" file in its event directory.
+
+Originally, this event was kept separate from other events because it did
+not have a ->reg parameter. But perf added a "reg" parameter for its use
+which caused issues, because it made the event available to functions where
+it was not compatible for.
+
+Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
+from being enabled by normal trace events. But this commit missed keeping
+the function event from being displayed by the "available_events" directory,
+which is used to show what events can be enabled by set_event.
+
+One documented way to enable all events is to:
+
+ cat available_events > set_event
+
+But because the function event is displayed in the available_events, this
+now causes an INVALID error:
+
+ cat: write error: Invalid argument
+
+Reported-by: Chunyu Hu <chuhu@redhat.com>
+Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -602,7 +602,8 @@ t_next(struct seq_file *m, void *v, loff
+ * The ftrace subsystem is for showing formats only.
+ * They can not be enabled or disabled via the event files.
+ */
+- if (call->class && call->class->reg)
++ if (call->class && call->class->reg &&
++ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
+ return file;
+ }
+
--- /dev/null
+From 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:26 -0500
+Subject: xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.
+
+Occasionaly PV guests would crash with:
+
+pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
+BUG: unable to handle kernel paging request at 0000000d1a8c0be0
+.. snip..
+ <ffffffff8139ce1b>] find_next_bit+0xb/0x10
+ [<ffffffff81387f22>] cpumask_next_and+0x22/0x40
+ [<ffffffff813c1ef8>] pci_device_probe+0xb8/0x120
+ [<ffffffff81529097>] ? driver_sysfs_add+0x77/0xa0
+ [<ffffffff815293e4>] driver_probe_device+0x1a4/0x2d0
+ [<ffffffff813c1ddd>] ? pci_match_device+0xdd/0x110
+ [<ffffffff81529657>] __device_attach_driver+0xa7/0xb0
+ [<ffffffff815295b0>] ? __driver_attach+0xa0/0xa0
+ [<ffffffff81527622>] bus_for_each_drv+0x62/0x90
+ [<ffffffff8152978d>] __device_attach+0xbd/0x110
+ [<ffffffff815297fb>] device_attach+0xb/0x10
+ [<ffffffff813b75ac>] pci_bus_add_device+0x3c/0x70
+ [<ffffffff813b7618>] pci_bus_add_devices+0x38/0x80
+ [<ffffffff813dc34e>] pcifront_scan_root+0x13e/0x1a0
+ [<ffffffff817a0692>] pcifront_backend_changed+0x262/0x60b
+ [<ffffffff814644c6>] ? xenbus_gather+0xd6/0x160
+ [<ffffffff8120900f>] ? put_object+0x2f/0x50
+ [<ffffffff81465c1d>] xenbus_otherend_changed+0x9d/0xa0
+ [<ffffffff814678ee>] backend_changed+0xe/0x10
+ [<ffffffff81463a28>] xenwatch_thread+0xc8/0x190
+ [<ffffffff810f22f0>] ? woken_wake_function+0x10/0x10
+
+which was the result of two things:
+
+When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
+pointer which was an 'pcifront_sd' structure. However in the
+pci_device_add it expects that the 'sd' is 'struct sysdata' and
+sets the dev->node to what is in sd->node (offset 4):
+
+set_dev_node(&dev->dev, pcibus_to_node(bus));
+
+ __pcibus_to_node(const struct pci_bus *bus)
+{
+ const struct pci_sysdata *sd = bus->sysdata;
+
+ return sd->node;
+}
+
+However our structure was pcifront_sd which had nothing at that
+offset:
+
+struct pcifront_sd {
+ int domain; /* 0 4 */
+ /* XXX 4 bytes hole, try to pack */
+ struct pcifront_device * pdev; /* 8 8 */
+}
+
+That is an hole - filled with garbage as we used kmalloc instead of
+kzalloc (the second problem).
+
+This patch fixes the issue by:
+ 1) Use kzalloc to initialize to a well known state.
+ 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
+ way access to the 'node' will access the right offset.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/xen-pcifront.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/xen-pcifront.c
++++ b/drivers/pci/xen-pcifront.c
+@@ -51,7 +51,7 @@ struct pcifront_device {
+ };
+
+ struct pcifront_sd {
+- int domain;
++ struct pci_sysdata sd;
+ struct pcifront_device *pdev;
+ };
+
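Review bot: Placing `struct pci_sysdata sd` first in `struct pcifront_sd` is now a layout requirement that nothing in the struct states or enforces. Per the commit message, pcibus_to_node() reads `bus->sysdata` as a `struct pci_sysdata`. I would add a comment on the member, `/* must stay first: bus->sysdata is read as struct pci_sysdata */`, and a compile-time check such as `BUILD_BUG_ON(offsetof(struct pcifront_sd, sd) != 0);` in an init path. A later reordering would then fail to build instead of silently bringing back the read of an unrelated field. In the pcifront_init_sd() hunk, the comment `/* Because we do not expose that information via XenBus. */` would also be clearer if it named the information, i.e. NUMA locality.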
+@@ -65,7 +65,9 @@ static inline void pcifront_init_sd(stru
+ unsigned int domain, unsigned int bus,
+ struct pcifront_device *pdev)
+ {
+- sd->domain = domain;
++ /* Because we do not expose that information via XenBus. */
++ sd->sd.node = first_online_node;
++ sd->sd.domain = domain;
+ sd->pdev = pdev;
+ }
+
+@@ -463,8 +465,8 @@ static int pcifront_scan_root(struct pci
+ dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n",
+ domain, bus);
+
+- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL);
+- sd = kmalloc(sizeof(*sd), GFP_KERNEL);
++ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL);
++ sd = kzalloc(sizeof(*sd), GFP_KERNEL);
+ if (!bus_entry || !sd) {
+ err = -ENOMEM;
+ goto err_out;