--- /dev/null
+From w@1wt.eu Fri Sep 9 16:26:43 2016
+From: Willy Tarreau <w@1wt.eu>
+Date: Sat, 27 Aug 2016 11:31:35 +0200
+Subject: fix d_walk()/non-delayed __d_free() race
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Jiri Slaby <jslaby@suse.cz>
+Cc: Jari Ruusu <jariruusu@users.sourceforge.net>, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>, Ben Hutchings <ben@decadent.org.uk>
+Message-ID: <20160827093135.GA28378@1wt.eu>
+Content-Disposition: inline
+
+From: Willy Tarreau <w@1wt.eu>
+
+I checked Jari's explanation below and found that v3.14.77 and v3.12.62
+are missing the same fix as 3.10. In fact Al's original commit 3d56c25
+("fix d_walk()/non-delayed __d_free() race") used to mention to check
+this __d_materialise_dentry() function in the Cc: stable line, but this
+got lost during the backports.
+
+Normally all of our 3 kernels need to apply the following patch that
+Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103
+right now.
+
+On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote:
+> This patch for 3.10 branch appears to be missing one important
+>
+> + dentry->d_flags |= DCACHE_RCUACCESS;
+>
+> in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings
+> backported Al Viro's original fix to stable branches that he maintains,
+> he added that one additional line to both 3.2 and 3.16 branches. Please
+> consider including that additional one line fix for 3.10 stable branch
+> also.
+>
+>
+> Ben Hutchings said this on his 3.2.82-rc1 patch:
+> [bwh: Backported to 3.2:
+> - Adjust context
+> - Also set the flag in __d_materialise_dentry())]
+>
+> http://marc.info/?l=linux-kernel&m=147117565612275&w=2
+>
+>
+> Ben Hutchings said this on his 3.16.37-rc1 patch:
+> [bwh: Backported to 3.16:
+> - Adjust context
+> - Also set the flag in __d_materialise_dentry())]
+>
+> http://marc.info/?l=linux-kernel&m=147117433412006&w=2
+>
+>
+> Also mentioned by Sasha Levin on 3.18 and 4.1 commits:
+> Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry())
+>
+> http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2
+> http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2
+
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2652,6 +2652,7 @@ static void __d_materialise_dentry(struc
+ switch_names(dentry, anon);
+ swap(dentry->d_name.hash, anon->d_name.hash);
+
++ dentry->d_flags |= DCACHE_RCUACCESS;
+ dentry->d_parent = dentry;
+ list_del_init(&dentry->d_child);
+ anon->d_parent = dparent;
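Review bot: the added `dentry->d_flags |= DCACHE_RCUACCESS;` in __d_materialise_dentry() is not explained by the changelog, which is a forwarded e-mail thread that cites the upstream fix only by the abbreviated id 3d56c25 and carries no Signed-off-by from the listed author. Suggest adding a short statement of why the flag must be set at this point, the full upstream commit id, and a bracketed backport note like the ones quoted from the 3.2 and 3.16 patches. The hunk also rewires `anon` (`anon->d_parent = dparent;`) while only `dentry` gets the flag; the changelog should say whether `anon` is already covered elsewhere.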
--- /dev/null
+From ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 26 Feb 2016 15:19:28 -0800
+Subject: mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream.
+
+pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were
+introduced to locklessy (but atomically) detect when a pmd is a regular
+(stable) pmd or when the pmd is unstable and can infinitely transition
+from pmd_none() and pmd_trans_huge() from under us, while only holding
+the mmap_sem for reading (for writing not).
+
+While holding the mmap_sem only for reading, MADV_DONTNEED can run from
+under us and so before we can assume the pmd to be a regular stable pmd
+we need to compare it against pmd_none() and pmd_trans_huge() in an
+atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a
+tiny window for a race.
+
+Useful applications are unlikely to notice the difference as doing
+MADV_DONTNEED concurrently with a page fault would lead to undefined
+behavior.
+
+[js] 3.12 backport: no pmd_devmap in 3.12 yet.
+
+[akpm@linux-foundation.org: tidy up comment grammar/layout]
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ mm/memory.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3770,8 +3770,18 @@ static int __handle_mm_fault(struct mm_s
+ if (unlikely(pmd_none(*pmd)) &&
+ unlikely(__pte_alloc(mm, vma, pmd, address)))
+ return VM_FAULT_OOM;
+- /* if an huge pmd materialized from under us just retry later */
+- if (unlikely(pmd_trans_huge(*pmd)))
++ /*
++ * If a huge pmd materialized under us just retry later. Use
++ * pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd
++ * didn't become pmd_trans_huge under us and then back to pmd_none, as
++ * a result of MADV_DONTNEED running immediately after a huge pmd fault
++ * in a different thread of this mm, in turn leading to a misleading
++ * pmd_trans_huge() retval. All we have to ensure is that it is a
++ * regular pmd that we can walk with pte_offset_map() and we can do that
++ * through an atomic read in C, which is what pmd_trans_unstable()
++ * provides.
++ */
++ if (unlikely(pmd_trans_unstable(pmd)))
+ return 0;
+ /*
+ * A regular pmd is established and it can't morph into a huge pmd
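Review bot: the new check passes `pmd` where the removed line passed `*pmd`, so `pmd_trans_unstable(pmd)` relies on the helper in this tree taking the pointer and doing the atomic read itself; since the hunk shows only the call site, confirm this against the 3.12 definition. The `pmd_none(*pmd)` test in the context lines just above still dereferences the pmd directly, and the new comment could say in one sentence why that earlier read is not exposed to the same window. The note "[js] 3.12 backport: no pmd_devmap in 3.12 yet." would be clearer if it named what was dropped from the upstream condition.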
--- /dev/null
+From 4116def2337991b39919f3b448326e21c40e0dbb Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Thu, 2 Jun 2016 04:11:20 -0400
+Subject: rds: fix an infoleak in rds_inc_info_copy
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 4116def2337991b39919f3b448326e21c40e0dbb upstream.
+
+The last field "flags" of object "minfo" is not initialized.
+Copying this object out may leak kernel stack data.
+Assign 0 to it to avoid leak.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/recv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -543,5 +543,7 @@ void rds_inc_info_copy(struct rds_incomi
+ minfo.fport = inc->i_hdr.h_dport;
+ }
+
++ minfo.flags = 0;
++
+ rds_info_copy(iter, &minfo, sizeof(minfo));
+ }
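Review bot: zeroing only `minfo.flags` before `rds_info_copy(iter, &minfo, sizeof(minfo));` closes the leak for the one field the changelog names, but the copy still sends the whole object, so a field added to the struct later (or padding, if the layout has any) would expose stack bytes again. Consider clearing `minfo` once where it is declared, for example with memset(&minfo, 0, sizeof(minfo)), instead of the per-field assignment. Minor: the From: address and the author's Signed-off-by address differ.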
--- /dev/null
+From 532c34b5fbf1687df63b3fcd5b2846312ac943c6 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 25 Apr 2016 17:54:28 +0200
+Subject: s390/sclp_ctl: fix potential information leak with /dev/sclp
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.
+
+The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
+retrieve the sclp request from user space. The first copy_from_user
+fetches the length of the request which is stored in the first two
+bytes of the request. The second copy_from_user gets the complete
+sclp request, but this copies the length field a second time.
+A malicious user may have changed the length in the meantime.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/char/sclp_ctl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/char/sclp_ctl.c
++++ b/drivers/s390/char/sclp_ctl.c
+@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __us
+ {
+ struct sclp_ctl_sccb ctl_sccb;
+ struct sccb_header *sccb;
++ unsigned long copied;
+ int rc;
+
+ if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
+@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __us
+ sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
+ if (!sccb)
+ return -ENOMEM;
+- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
++ copied = PAGE_SIZE -
++ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
++ if (offsetof(struct sccb_header, length) +
++ sizeof(sccb->length) > copied || sccb->length > copied) {
+ rc = -EFAULT;
+ goto out_free;
+ }
+- if (sccb->length > PAGE_SIZE || sccb->length < 8)
+- return -EINVAL;
+- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
+- rc = -EFAULT;
++ if (sccb->length < 8) {
++ rc = -EINVAL;
+ goto out_free;
+ }
+ rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
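Review bot: the combined test ending in `sccb->length > copied` sets rc = -EFAULT, and because `copied` cannot exceed PAGE_SIZE, a request with a length above PAGE_SIZE now fails with -EFAULT where the removed lines returned -EINVAL. If callers distinguish the two, keep a separate `sccb->length > PAGE_SIZE` test that returns -EINVAL. The removed `return -EINVAL;` also bypassed `out_free`, so this hunk fixes a leak of the page from get_zeroed_page() that the changelog does not mention; a sentence there would help backporters. A short comment above `copied = PAGE_SIZE -` stating that a partial copy is accepted on purpose, and that the length is now read only from the kernel copy, would make the intent clear.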
alsa-oxygen-fix-logical-not-parentheses-warning.patch
stb6100-fix-buffer-length-check-in-stb6100_write_reg_range.patch
ext4-validate-that-metadata-blocks-do-not-overlap-superblock.patch
+staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch
+rds-fix-an-infoleak-in-rds_inc_info_copy.patch
+s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch
+fix-d_walk-non-delayed-__d_free-race.patch
+mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch
--- /dev/null
+From abbotti@mev.co.uk Fri Sep 9 16:17:25 2016
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 7 Sep 2016 15:33:12 +0100
+Subject: staging: comedi: ni_mio_common: fix wrong insn_write handler
+To: stable@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Ben Hutchings <ben@decadent.org.uk>, Ian Abbott <abbotti@mev.co.uk>
+Message-ID: <20160907143312.19224-1-abbotti@mev.co.uk>
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream.
+
+For counter subdevices, the `s->insn_write` handler is being set to the
+wrong function, `ni_tio_insn_read()`. It should be
+`ni_tio_insn_write()`.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Reported-by: Éric Piel <piel@delmic.com>
+Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -4404,7 +4404,7 @@ static int ni_E_init(struct comedi_devic
+ else
+ s->maxdata = 0xffffff;
+ s->insn_read = ni_tio_insn_read;
+- s->insn_write = ni_tio_insn_read;
++ s->insn_write = ni_tio_insn_write;
+ s->insn_config = ni_tio_insn_config;
+ #ifdef PCIDMA
+ s->subdev_flags |= SDF_CMD_READ /* | SDF_CMD_WRITE */;
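Review bot: the changelog for the `s->insn_write = ni_tio_insn_write;` line says which handler was wrong but not what a write instruction on a counter subdevice did while `s->insn_write` pointed at `ni_tio_insn_read()`. One sentence on the observable effect would let stable users judge whether they were affected. The Fixes: tag names the commit that introduced the problem, but nothing in the changelog says which stable branches contain it.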