3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Apr 2015 09:39:16 +0000 (11:39 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Apr 2015 09:39:16 +0000 (11:39 +0200)
added patches:
jfs-fix-readdir-regression.patch
mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
splice-apply-generic-position-and-size-checks-to-each-write.patch

queue-3.10/jfs-fix-readdir-regression.patch [new file with mode: 0644]
queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch [new file with mode: 0644]
queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch [new file with mode: 0644]

diff --git a/queue-3.10/jfs-fix-readdir-regression.patch b/queue-3.10/jfs-fix-readdir-regression.patch
new file mode 100644 (file)
index 0000000..673278f
--- /dev/null
@@ -0,0 +1,47 @@
+From dave.kleikamp@oracle.com  Sun Apr 26 11:32:43 2015
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Mon, 23 Mar 2015 16:06:26 -0500
+Subject: jfs: fix readdir regression
+To: stable <stable@vger.kernel.org>
+Cc: JFS Discussion <jfs-discussion@lists.sourceforge.net>
+Message-ID: <55108052.6070603@oracle.com>
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+Upstream commit 44512449, "jfs: fix readdir cookie incompatibility
+with NFSv4", was backported incorrectly into the stable trees which
+used the filldir callback (rather than dir_emit). The position is
+being incorrectly passed to filldir for the . and .. entries.
+
+The still-maintained stable trees that need to be fixed are 3.2.y,
+3.4.y and 3.10.y.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=94741
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: jfs-discussion@lists.sourceforge.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_dtree.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -3103,7 +3103,7 @@ int jfs_readdir(struct file *filp, void
+                                * self "."
+                                */
+                               filp->f_pos = 1;
+-                              if (filldir(dirent, ".", 1, 0, ip->i_ino,
++                              if (filldir(dirent, ".", 1, 1, ip->i_ino,
+                                           DT_DIR))
+                                       return 0;
+                       }
+@@ -3111,7 +3111,7 @@ int jfs_readdir(struct file *filp, void
+                        * parent ".."
+                        */
+                       filp->f_pos = 2;
+-                      if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
++                      if (filldir(dirent, "..", 2, 2, PARENT(ip), DT_DIR))
+                               return 0;
+                       /*
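Review bot: The literal offsets 1 and 2 now passed to filldir() on the two changed lines duplicate the value stored in filp->f_pos on the line just above each call, which is exactly the coupling that let the earlier backport get them wrong. Passing the position variable itself keeps the two in lock-step: `if (filldir(dirent, ".", 1, filp->f_pos, ip->i_ino, DT_DIR))` and `if (filldir(dirent, "..", 2, filp->f_pos, PARENT(ip), DT_DIR))`. Per the description this offset is the readdir cookie handed back by NFSv4 clients, so a wrong value shows up as a remote-client regression rather than a local failure, which is presumably why it survived review. jfs_readdir() begins before and continues after this hunk, so the cookie convention for the remaining entries cannot be checked here.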
diff --git a/queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch b/queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
new file mode 100644 (file)
index 0000000..090db91
--- /dev/null
@@ -0,0 +1,55 @@
+From ee53664bda169f519ce3c6a22d378f0b946c8178 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Fri, 20 Dec 2013 15:10:03 +0200
+Subject: mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit ee53664bda169f519ce3c6a22d378f0b946c8178 upstream.
+
+Sasha Levin found a NULL pointer dereference that is due to a missing
+page table lock, which in turn is due to the pmd entry in question being
+a transparent huge-table entry.
+
+The code - introduced in commit 1998cc048901 ("mm: make
+madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
+for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
+turns out that that function doesn't work correctly.
+
+pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
+trigger if the transparent hugepage bit was set, but it doesn't do that
+if pmd_numa() is also set. Note that the NUMA bit only gets set on real
+NUMA machines, so people trying to reproduce this on most normal
+development systems would never actually trigger this.
+
+Fix it by removing the very subtle (and subtly incorrect) expectation,
+and instead just checking pmd_trans_huge() explicitly.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Acked-by: Andrea Arcangeli <aarcange@redhat.com>
+[ Additionally remove the now stale test for pmd_trans_huge() inside the
+  pmd_bad() case - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Wang Long <long.wanglong@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/pgtable.h |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/include/asm-generic/pgtable.h
++++ b/include/asm-generic/pgtable.h
+@@ -550,11 +550,10 @@ static inline int pmd_none_or_trans_huge
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+       barrier();
+ #endif
+-      if (pmd_none(pmdval))
++      if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
+               return 1;
+       if (unlikely(pmd_bad(pmdval))) {
+-              if (!pmd_trans_huge(pmdval))
+-                      pmd_clear_bad(pmd);
++              pmd_clear_bad(pmd);
+               return 1;
+       }
+       return 0;
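Review bot: The new code depends on pmd_trans_huge() being tested before pmd_bad(): per the description, a huge pmd with the NUMA bit set also satisfies pmd_bad(), so swapping the two tests would call pmd_clear_bad() on a live huge mapping. That ordering is not evident from the code and deserves a comment above the changed `if`, e.g. `/* Test for a huge pmd before pmd_bad(): a trans-huge entry with the NUMA bit set also looks bad and must never be cleared. */`. The function header, where pmdval is copied from the pmd, lies outside this hunk, so whether both checks operate on a single snapshot cannot be confirmed here.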
diff --git a/queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch b/queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
new file mode 100644 (file)
index 0000000..f9bfd0c
--- /dev/null
@@ -0,0 +1,62 @@
+From 7fd6f640f2dd17dac6ddd6702c378cb0bb9cfa11 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Wed, 11 Mar 2015 09:19:16 -0400
+Subject: serial: 8250_dw: Fix deadlock in LCR workaround
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 7fd6f640f2dd17dac6ddd6702c378cb0bb9cfa11 upstream.
+
+Trying to write console output from within the serial console driver
+while the port->lock is held causes recursive deadlock:
+
+  CPU 0
+spin_lock_irqsave(&port->lock)
+printk()
+  console_unlock()
+    call_console_drivers()
+      serial8250_console_write()
+        spin_lock_irqsave(&port->lock)
+** DEADLOCK **
+
+The 8250_dw i/o accessors try to write a console error message if the
+LCR workaround was unsuccessful. When the port->lock is already held
+(eg., when called from serial8250_set_termios()), this deadlocks.
+
+Make the error message a FIXME until a general solution is devised.
+
+Cc: Tim Kryger <tim.kryger@gmail.com>
+Reported-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_dw.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -98,7 +98,10 @@ static void dw8250_serial_out(struct uar
+                       dw8250_force_idle(p);
+                       writeb(value, p->membase + (UART_LCR << p->regshift));
+               }
+-              dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++              /*
++               * FIXME: this deadlocks if port->lock is already held
++               * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++               */
+       }
+ }
+@@ -128,7 +131,10 @@ static void dw8250_serial_out32(struct u
+                       dw8250_force_idle(p);
+                       writel(value, p->membase + (UART_LCR << p->regshift));
+               }
+-              dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++              /*
++               * FIXME: this deadlocks if port->lock is already held
++               * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++               */
+       }
+ }
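Review bot: Commenting out the dev_err() at both changed sites removes the only signal that the LCR workaround failed and leaves commented-out code in the source. Rather than carrying dead code, record the failure where it can be reported without port->lock — for instance a flag or counter in the driver's private data set here and reported from a context that does not hold the lock — or at minimum replace each block with `/* FIXME: cannot log here; port->lock may be held (recursive console deadlock) */` and drop the commented-out call. Both dw8250_serial_out() and dw8250_serial_out32() start before their hunks, so the retry loop that precedes these lines is not visible here.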
index 5435a1827d012416f904fc2543cca59682692015..17001939d1c191bf4b2974ef79d254c06b54e625 100644 (file)
@@ -11,3 +11,7 @@ bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch
+serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
+jfs-fix-readdir-regression.patch
+splice-apply-generic-position-and-size-checks-to-each-write.patch
+mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
diff --git a/queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch b/queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch
new file mode 100644 (file)
index 0000000..e91843d
--- /dev/null
@@ -0,0 +1,68 @@
+From 894c6350eaad7e613ae267504014a456e00a3e2a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check().  This was not being done for
+the splice write path.  It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
+Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/file.c |    8 +++++---
+ fs/splice.c     |    8 ++++++--
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2459,12 +2459,14 @@ static ssize_t ocfs2_file_splice_write(s
+       struct address_space *mapping = out->f_mapping;
+       struct inode *inode = mapping->host;
+       struct splice_desc sd = {
+-              .total_len = len,
+               .flags = flags,
+-              .pos = *ppos,
+               .u.file = out,
+       };
+-
++      ret = generic_write_checks(out, ppos, &len, 0);
++      if(ret)
++              return ret;
++      sd.total_len = len;
++      sd.pos = *ppos;
+       trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
+                       (unsigned long long)OCFS2_I(inode)->ip_blkno,
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_in
+       struct address_space *mapping = out->f_mapping;
+       struct inode *inode = mapping->host;
+       struct splice_desc sd = {
+-              .total_len = len,
+               .flags = flags,
+-              .pos = *ppos,
+               .u.file = out,
+       };
+       ssize_t ret;
++      ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++      if (ret)
++              return ret;
++      sd.total_len = len;
++      sd.pos = *ppos;
++
+       pipe_lock(pipe);
+       splice_from_pipe_begin(&sd);