--- /dev/null
+From 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Thu, 10 Oct 2013 20:05:35 -0400
+Subject: ext4: fix memory leak in xattr
+
+From: Dave Jones <davej@redhat.com>
+
+commit 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc upstream.
+
+If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
+potentionally return from the function without having freed these
+allocations. If we don't do the return, we over-write the previous
+allocation pointers, so we leak either way.
+
+Spotted with Coverity.
+
+[ Fixed by tytso to set is and bs to NULL after freeing these
+ pointers, in case in the retry loop we later end up triggering an
+ error causing a jump to cleanup, at which point we could have a double
+ free bug. -- Ted ]
+
+Signed-off-by: Dave Jones <davej@fedoraproject.org>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1271,6 +1271,8 @@ retry:
+ s_min_extra_isize) {
+ tried_min_extra_isize++;
+ new_extra_isize = s_min_extra_isize;
++ kfree(is); is = NULL;
++ kfree(bs); bs = NULL;
+ goto retry;
+ }
+ error = -1;
--- /dev/null
+From 59b33f148cc08fb33cbe823fca1e34f7f023765e Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 1 Oct 2013 21:54:46 +0200
+Subject: parisc: fix interruption handler to respect pagefault_disable()
+
+From: Helge Deller <deller@gmx.de>
+
+commit 59b33f148cc08fb33cbe823fca1e34f7f023765e upstream.
+
+Running an "echo t > /proc/sysrq-trigger" crashes the parisc kernel. The
+problem is, that in print_worker_info() we try to read the workqueue info via
+the probe_kernel_read() functions which use pagefault_disable() to avoid
+crashes like this:
+ probe_kernel_read(&pwq, &worker->current_pwq, sizeof(pwq));
+ probe_kernel_read(&wq, &pwq->wq, sizeof(wq));
+ probe_kernel_read(name, wq->name, sizeof(name) - 1);
+
+The problem here is, that the first probe_kernel_read(&pwq) might return zero
+in pwq and as such the following probe_kernel_reads() try to access contents of
+the page zero which is read protected and generate a kernel segfault.
+
+With this patch we fix the interruption handler to call parisc_terminate()
+directly only if pagefault_disable() was not called (in which case
+preempt_count()==0). Otherwise we hand over to the pagefault handler which
+will try to look up the faulting address in the fixup tables.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/traps.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -811,14 +811,14 @@ void notrace handle_interruption(int cod
+ else {
+
+ /*
+- * The kernel should never fault on its own address space.
++ * The kernel should never fault on its own address space,
++ * unless pagefault_disable() was called before.
+ */
+
+- if (fault_space == 0)
++ if (fault_space == 0 && !in_atomic())
+ {
+ pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
+ parisc_terminate("Kernel Fault", regs, code, fault_address);
+-
+ }
+ }
+
--- /dev/null
+From 47d06e532e95b71c0db3839ebdef3fe8812fca2c Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 10 Sep 2013 10:52:35 -0400
+Subject: random: run random_int_secret_init() run after all late_initcalls
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 47d06e532e95b71c0db3839ebdef3fe8812fca2c upstream.
+
+The some platforms (e.g., ARM) initializes their clocks as
+late_initcalls for some unknown reason. So make sure
+random_int_secret_init() is run after all of the late_initcalls are
+run.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 3 +--
+ include/linux/random.h | 1 +
+ init/main.c | 2 ++
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1435,12 +1435,11 @@ ctl_table random_table[] = {
+
+ static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
+
+-static int __init random_int_secret_init(void)
++int random_int_secret_init(void)
+ {
+ get_random_bytes(random_int_secret, sizeof(random_int_secret));
+ return 0;
+ }
+-late_initcall(random_int_secret_init);
+
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -56,6 +56,7 @@ extern void add_interrupt_randomness(int
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
++extern int random_int_secret_init(void);
+
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+--- a/init/main.c
++++ b/init/main.c
+@@ -68,6 +68,7 @@
+ #include <linux/shmem_fs.h>
+ #include <linux/slab.h>
+ #include <linux/perf_event.h>
++#include <linux/random.h>
+
+ #include <asm/io.h>
+ #include <asm/bugs.h>
+@@ -717,6 +718,7 @@ static void __init do_basic_setup(void)
+ init_irq_proc();
+ do_ctors();
+ do_initcalls();
++ random_int_secret_init();
+ }
+
+ static void __init do_pre_smp_initcalls(void)
--- /dev/null
+random-run-random_int_secret_init-run-after-all-late_initcalls.patch
+vfs-allow-o_path-file-descriptors-for-fstatfs.patch
+ext4-fix-memory-leak-in-xattr.patch
+parisc-fix-interruption-handler-to-respect-pagefault_disable.patch
--- /dev/null
+From 9d05746e7b16d8565dddbe3200faa1e669d23bbf Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Sep 2013 08:35:10 -0700
+Subject: vfs: allow O_PATH file descriptors for fstatfs()
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9d05746e7b16d8565dddbe3200faa1e669d23bbf upstream.
+
+Olga reported that file descriptors opened with O_PATH do not work with
+fstatfs(), found during further development of ksh93's thread support.
+
+There is no reason to not allow O_PATH file descriptors here (fstatfs is
+very much a path operation), so use "fdget_raw()". See commit
+55815f70147d ("vfs: make O_PATH file descriptors usable for 'fstat()'")
+for a very similar issue reported for fstat() by the same team.
+
+Reported-and-tested-by: ольга крыжановская <olga.kryzhanovska@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/statfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -86,7 +86,7 @@ int user_statfs(const char __user *pathn
+
+ int fd_statfs(int fd, struct kstatfs *st)
+ {
+- struct file *file = fget(fd);
++ struct file *file = fget_raw(fd);
+ int error = -EBADF;
+ if (file) {
+ error = vfs_statfs(&file->f_path, st);
projects / thirdparty / kernel / stable-queue.git / commitdiff
