--- /dev/null
+From b6c60c8018c4e9beb2f83fc82c09f9d033766571 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fusionio.com>
+Date: Tue, 30 Jul 2013 16:30:30 -0400
+Subject: Btrfs: change how we queue blocks for backref checking
+
+From: Josef Bacik <jbacik@fusionio.com>
+
+commit b6c60c8018c4e9beb2f83fc82c09f9d033766571 upstream.
+
+Previously we only added blocks to the list to have their backrefs checked if
+the level of the block is right above the one we are searching for. This is
+because we want to make sure we don't add the entire path up to the root to the
+lists to make sure we process things one at a time. This assumes that if any
+blocks in the path to the root are going to be not checked (shared in other
+words) then they will be in the level right above the current block on up. This
+isn't quite right though since we can have blocks higher up the list that are
+shared because they are attached to a reloc root. But we won't add this block
+to be checked and then later on we will BUG_ON(!upper->checked). So instead
+keep track of wether or not we've queued a block to be checked in this current
+search, and if we haven't go ahead and queue it to be checked. This patch fixed
+the panic I was seeing where we BUG_ON(!upper->checked). Thanks,
+
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Chris Mason <chris.mason@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -670,6 +670,7 @@ struct backref_node *build_backref_tree(
+ int cowonly;
+ int ret;
+ int err = 0;
++ bool need_check = true;
+
+ path1 = btrfs_alloc_path();
+ path2 = btrfs_alloc_path();
+@@ -892,6 +893,7 @@ again:
+ cur->bytenr);
+
+ lower = cur;
++ need_check = true;
+ for (; level < BTRFS_MAX_LEVEL; level++) {
+ if (!path2->nodes[level]) {
+ BUG_ON(btrfs_root_bytenr(&root->root_item) !=
+@@ -935,14 +937,12 @@ again:
+
+ /*
+ * add the block to pending list if we
+- * need check its backrefs. only block
+- * at 'cur->level + 1' is added to the
+- * tail of pending list. this guarantees
+- * we check backrefs from lower level
+- * blocks to upper level blocks.
++ * need check its backrefs, we only do this once
++ * while walking up a tree as we will catch
++ * anything else later on.
+ */
+- if (!upper->checked &&
+- level == cur->level + 1) {
++ if (!upper->checked && need_check) {
++ need_check = false;
+ list_add_tail(&edge->list[UPPER],
+ &list);
+ } else
--- /dev/null
+From 0e9a9a1ad619e7e987815d20262d36a2f95717ca Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 27 Dec 2012 01:42:50 -0500
+Subject: ext4: avoid hang when mounting non-journal filesystems with orphan list
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 0e9a9a1ad619e7e987815d20262d36a2f95717ca upstream.
+
+When trying to mount a file system which does not contain a journal,
+but which does have a orphan list containing an inode which needs to
+be truncated, the mount call with hang forever in
+ext4_orphan_cleanup() because ext4_orphan_del() will return
+immediately without removing the inode from the orphan list, leading
+to an uninterruptible loop in kernel code which will busy out one of
+the CPU's on the system.
+
+This can be trivially reproduced by trying to mount the file system
+found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
+source tree. If a malicious user were to put this on a USB stick, and
+mount it on a Linux desktop which has automatic mounts enabled, this
+could be considered a potential denial of service attack. (Not a big
+deal in practice, but professional paranoids worry about such things,
+and have even been known to allocate CVE numbers for such problems.)
+
+-js: This is a fix for CVE-2013-2015.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
+Acked-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2059,7 +2059,8 @@ int ext4_orphan_del(handle_t *handle, st
+ int err = 0;
+
+ /* ext4_handle_valid() assumes a valid handle_t pointer */
+- if (handle && !ext4_handle_valid(handle))
++ if (handle && !ext4_handle_valid(handle) &&
++ !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
+ return 0;
+
+ mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch
acpi-ipmi-fix-atomic-context-requirement-of-ipmi_msg_handler.patch
+tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch
+btrfs-change-how-we-queue-blocks-for-backref-checking.patch
+ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch
+tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
+tools-hv-verify-origin-of-netlink-connector-message.patch
--- /dev/null
+From 715230a44310a8cf66fbfb5a46f9a62a9b2de424 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: tg3: fix length overflow in VPD firmware parsing
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+-js: This fixes CVE-2013-1929.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Oded Horovitz <oded@privatecore.com>
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Cc: stable@vger.kernel.org
+Cc: Matt Carlson <mcarlson@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/net/tg3.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -13067,8 +13067,11 @@ static void __devinit tg3_read_vpd(struc
+ if (j + len > block_end)
+ goto partno;
+
+- memcpy(tp->fw_ver, &vpd_data[j], len);
+- strncat(tp->fw_ver, " bc ", TG3_NVM_VPD_LEN - len - 1);
++ if (len >= sizeof(tp->fw_ver))
++ len = sizeof(tp->fw_ver) - 1;
++ memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++ snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++ &vpd_data[j]);
+ }
+
+ partno:
--- /dev/null
+From f862eefec0b68e099a9fa58d3761ffb10bad97e1 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@tilera.com>
+Date: Thu, 26 Sep 2013 13:24:53 -0400
+Subject: tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT
+
+From: Chris Metcalf <cmetcalf@tilera.com>
+
+commit f862eefec0b68e099a9fa58d3761ffb10bad97e1 upstream.
+
+It turns out the kernel relies on barrier() to force a reload of the
+percpu offset value. Since we can't easily modify the definition of
+barrier() to include "tp" as an output register, we instead provide a
+definition of __my_cpu_offset as extended assembly that includes a fake
+stack read to hazard against barrier(), forcing gcc to know that it
+must reread "tp" and recompute anything based on "tp" after a barrier.
+
+This fixes observed hangs in the slub allocator when we are looping
+on a percpu cmpxchg_double.
+
+A similar fix for ARMv7 was made in June in change 509eb76ebf97.
+
+Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/include/asm/percpu.h | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+--- a/arch/tile/include/asm/percpu.h
++++ b/arch/tile/include/asm/percpu.h
+@@ -15,9 +15,37 @@
+ #ifndef _ASM_TILE_PERCPU_H
+ #define _ASM_TILE_PERCPU_H
+
+-register unsigned long __my_cpu_offset __asm__("tp");
+-#define __my_cpu_offset __my_cpu_offset
+-#define set_my_cpu_offset(tp) (__my_cpu_offset = (tp))
++register unsigned long my_cpu_offset_reg asm("tp");
++
++#ifdef CONFIG_PREEMPT
++/*
++ * For full preemption, we can't just use the register variable
++ * directly, since we need barrier() to hazard against it, causing the
++ * compiler to reload anything computed from a previous "tp" value.
++ * But we also don't want to use volatile asm, since we'd like the
++ * compiler to be able to cache the value across multiple percpu reads.
++ * So we use a fake stack read as a hazard against barrier().
++ * The 'U' constraint is like 'm' but disallows postincrement.
++ */
++static inline unsigned long __my_cpu_offset(void)
++{
++ unsigned long tp;
++ register unsigned long *sp asm("sp");
++ asm("move %0, tp" : "=r" (tp) : "U" (*sp));
++ return tp;
++}
++#define __my_cpu_offset __my_cpu_offset()
++#else
++/*
++ * We don't need to hazard against barrier() since "tp" doesn't ever
++ * change with PREEMPT_NONE, and with PREEMPT_VOLUNTARY it only
++ * changes at function call points, at which we are already re-reading
++ * the value of "tp" due to "my_cpu_offset_reg" being a global variable.
++ */
++#define __my_cpu_offset my_cpu_offset_reg
++#endif
++
++#define set_my_cpu_offset(tp) (my_cpu_offset_reg = (tp))
+
+ #include <asm-generic/percpu.h>
+
--- /dev/null
+From bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Thu, 31 May 2012 16:40:06 +0200
+Subject: Tools: hv: verify origin of netlink connector message
+
+From: Olaf Hering <olaf@aepfle.de>
+
+commit bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c upstream.
+
+The SuSE security team suggested to use recvfrom instead of recv to be
+certain that the connector message is originated from kernel.
+
+CVE-2012-2669
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: Marcus Meissner <meissner@suse.de>
+Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
+---
+ drivers/staging/hv/tools/hv_kvp_daemon.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/hv/tools/hv_kvp_daemon.c
++++ b/drivers/staging/hv/tools/hv_kvp_daemon.c
+@@ -378,14 +378,18 @@ int main(void)
+ pfd.fd = fd;
+
+ while (1) {
++ struct sockaddr *addr_p = (struct sockaddr *) &addr;
++ socklen_t addr_l = sizeof(addr);
+ pfd.events = POLLIN;
+ pfd.revents = 0;
+ poll(&pfd, 1, -1);
+
+- len = recv(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0);
++ len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
++ addr_p, &addr_l);
+
+- if (len < 0) {
+- syslog(LOG_ERR, "recv failed; error:%d", len);
++ if (len < 0 || addr.nl_pid) {
++ syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
++ addr.nl_pid, errno, strerror(errno));
+ close(fd);
+ return -1;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
