--- /dev/null
+From 1739f09e33d8f66bf48ddbc3eca615574da6c4f6 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 13 Nov 2013 15:20:04 -0500
+Subject: ftrace/x86: Load ftrace_ops in parameter not the variable holding it
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 1739f09e33d8f66bf48ddbc3eca615574da6c4f6 upstream.
+
+Function tracing callbacks expect to have the ftrace_ops that registered it
+passed to them, not the address of the variable that holds the ftrace_ops
+that registered it.
+
+Use a mov instead of a lea to store the ftrace_ops into the parameter
+of the function tracing callback.
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Reviewed-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Link: http://lkml.kernel.org/r/20131113152004.459787f9@gandalf.local.home
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_32.S | 4 ++--
+ arch/x86/kernel/entry_64.S | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1075,7 +1075,7 @@ ENTRY(ftrace_caller)
+ pushl $0 /* Pass NULL as regs pointer */
+ movl 4*4(%esp), %eax
+ movl 0x4(%ebp), %edx
+- leal function_trace_op, %ecx
++ movl function_trace_op, %ecx
+ subl $MCOUNT_INSN_SIZE, %eax
+
+ .globl ftrace_call
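Review bot: The changed `movl function_trace_op, %ecx` in ftrace_caller carries no comment, and the matching line in the ftrace_regs_caller hunk keeps the misspelled `/* Save ftrace_pos in 3rd parameter */`. Neither says that %ecx must hold the ftrace_ops pointer itself rather than the address of the variable holding it, which is the whole point of the fix. I would comment both loads as `/* Load ftrace_ops pointer (value of function_trace_op) into 3rd parameter */`. A callback given the variable's address would presumably interpret unrelated kernel data as a struct ftrace_ops, so the distinction is worth stating next to the instruction. ftrace_caller's body starts and ends outside the hunk.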
+@@ -1133,7 +1133,7 @@ ENTRY(ftrace_regs_caller)
+ movl 12*4(%esp), %eax /* Load ip (1st parameter) */
+ subl $MCOUNT_INSN_SIZE, %eax /* Adjust ip */
+ movl 0x4(%ebp), %edx /* Load parent ip (2nd parameter) */
+- leal function_trace_op, %ecx /* Save ftrace_pos in 3rd parameter */
++ movl function_trace_op, %ecx /* Save ftrace_pos in 3rd parameter */
+ pushl %esp /* Save pt_regs as 4th parameter */
+
+ GLOBAL(ftrace_regs_call)
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -88,7 +88,7 @@ END(function_hook)
+ MCOUNT_SAVE_FRAME \skip
+
+ /* Load the ftrace_ops into the 3rd parameter */
+- leaq function_trace_op, %rdx
++ movq function_trace_op(%rip), %rdx
+
+ /* Load ip into the first parameter */
+ movq RIP(%rsp), %rdi
--- /dev/null
+From 3f9aec7610b39521c7c69d754de7265f6994c194 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <khali@linux-fr.org>
+Date: Tue, 14 Jan 2014 15:59:55 +0100
+Subject: hwmon: (coretemp) Fix truncated name of alarm attributes
+
+From: Jean Delvare <khali@linux-fr.org>
+
+commit 3f9aec7610b39521c7c69d754de7265f6994c194 upstream.
+
+When the core number exceeds 9, the size of the buffer storing the
+alarm attribute name is insufficient and the attribute name is
+truncated. This causes libsensors to skip these attributes as the
+truncated name is not recognized.
+
+Reported-by: Andreas Hollmann <hollmann@in.tum.de>
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -52,7 +52,7 @@ MODULE_PARM_DESC(tjmax, "TjMax value in
+
+ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */
+ #define NUM_REAL_CORES 32 /* Number of Real cores per cpu */
+-#define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */
++#define CORETEMP_NAME_LENGTH 19 /* String Length of attrs */
+ #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */
+ #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1)
+ #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
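Review bot: The new value 19 for `CORETEMP_NAME_LENGTH` is still a hand-counted size, and the comment `/* String Length of attrs */` does not say which attribute name it was sized for or whether the terminating NUL is included. I would record the derivation, for example `/* Longest attr name (alarm, widest index) + NUL */`, so a later change to the attribute names or to `NUM_REAL_CORES` prompts a recount. The formatting call is outside this hunk; if it is a bounded snprintf, as the described truncation suggests, comparing its return value with the buffer size would make a too-long name visible instead of silently producing an attribute that libsensors skips.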
--- /dev/null
+From 3dc91d4338d698ce77832985f9cb183d8eeaf6be Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 9 Jan 2014 21:46:34 -0500
+Subject: SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 3dc91d4338d698ce77832985f9cb183d8eeaf6be upstream.
+
+While running stress tests on adding and deleting ftrace instances I hit
+this bug:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: selinux_inode_permission+0x85/0x160
+ PGD 63681067 PUD 7ddbe067 PMD 0
+ Oops: 0000 [#1] PREEMPT
+ CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
+ Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
+ task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
+ RIP: 0010:[<ffffffff812d8bc5>] [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
+ RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
+ RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
+ RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
+ R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
+ R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
+ FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
+ CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
+ Call Trace:
+ security_inode_permission+0x1c/0x30
+ __inode_permission+0x41/0xa0
+ inode_permission+0x18/0x50
+ link_path_walk+0x66/0x920
+ path_openat+0xa6/0x6c0
+ do_filp_open+0x43/0xa0
+ do_sys_open+0x146/0x240
+ SyS_open+0x1e/0x20
+ system_call_fastpath+0x16/0x1b
+ Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
+ RIP selinux_inode_permission+0x85/0x160
+ CR2: 0000000000000020
+
+Investigating, I found that the inode->i_security was NULL, and the
+dereference of it caused the oops.
+
+in selinux_inode_permission():
+
+ isec = inode->i_security;
+
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+
+Note, the crash came from stressing the deletion and reading of debugfs
+files. I was not able to recreate this via normal files. But I'm not
+sure they are safe. It may just be that the race window is much harder
+to hit.
+
+What seems to have happened (and what I have traced), is the file is
+being opened at the same time the file or directory is being deleted.
+As the dentry and inode locks are not held during the path walk, nor is
+the inodes ref counts being incremented, there is nothing saving these
+structures from being discarded except for an rcu_read_lock().
+
+The rcu_read_lock() protects against freeing of the inode, but it does
+not protect freeing of the inode_security_struct. Now if the freeing of
+the i_security happens with a call_rcu(), and the i_security field of
+the inode is not changed (it gets freed as the inode gets freed) then
+there will be no issue here. (Linus Torvalds suggested not setting the
+field to NULL such that we do not need to check if it is NULL in the
+permission check).
+
+Note, this is a hack, but it fixes the problem at hand. A real fix is
+to restructure the destroy_inode() to call all the destructor handlers
+from the RCU callback. But that is a major job to do, and requires a
+lot of work. For now, we just band-aid this bug with this fix (it
+works), and work on a more maintainable solution in the future.
+
+Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
+Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c | 20 ++++++++++++++++++--
+ security/selinux/include/objsec.h | 5 ++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -219,6 +219,14 @@ static int inode_alloc_security(struct i
+ return 0;
+ }
+
++static void inode_free_rcu(struct rcu_head *head)
++{
++ struct inode_security_struct *isec;
++
++ isec = container_of(head, struct inode_security_struct, rcu);
++ kmem_cache_free(sel_inode_cache, isec);
++}
++
+ static void inode_free_security(struct inode *inode)
+ {
+ struct inode_security_struct *isec = inode->i_security;
+@@ -229,8 +237,16 @@ static void inode_free_security(struct i
+ list_del_init(&isec->list);
+ spin_unlock(&sbsec->isec_lock);
+
+- inode->i_security = NULL;
+- kmem_cache_free(sel_inode_cache, isec);
++ /*
++ * The inode may still be referenced in a path walk and
++ * a call to selinux_inode_permission() can be made
++ * after inode_free_security() is called. Ideally, the VFS
++ * wouldn't do this, but fixing that is a much harder
++ * job. For now, simply free the i_security via RCU, and
++ * leave the current inode->i_security pointer intact.
++ * The inode will be freed after the RCU grace period too.
++ */
++ call_rcu(&isec->rcu, inode_free_rcu);
+ }
+
+ static int file_alloc_security(struct file *file)
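Review bot: Leaving `inode->i_security` set after `call_rcu(&isec->rcu, inode_free_rcu)` replaces the old NULL dereference with a pointer that is valid only until the grace period ends, and the new comment does not state that condition. Any reader that reaches `inode->i_security` after inode_free_security() has run must be inside an RCU read-side critical section; one outside it would now hit a use-after-free rather than an oops. I would add a line to the comment such as `Readers after this point must be under rcu_read_lock().` The start of inode_free_security() is in the previous hunk.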
+--- a/security/selinux/include/objsec.h
++++ b/security/selinux/include/objsec.h
+@@ -38,7 +38,10 @@ struct task_security_struct {
+
+ struct inode_security_struct {
+ struct inode *inode; /* back pointer to inode object */
+- struct list_head list; /* list of inode_security_struct */
++ union {
++ struct list_head list; /* list of inode_security_struct */
++ struct rcu_head rcu; /* for freeing the inode_security_struct */
++ };
+ u32 task_sid; /* SID of creating task */
+ u32 sid; /* SID of this object */
+ u16 sclass; /* security class of this object */
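Review bot: Putting `rcu` in a union with `list` means `call_rcu()` overwrites the list node as soon as inode_free_security() queues the free, which the one-line field comment does not warn about. That is safe only if nothing inspects `isec->list` (for instance a `list_empty()` test under `isec_lock`) once the entry has been unlinked. Whether other code does so is not visible here and should be checked. I would extend the comment to `/* for freeing the inode_security_struct; aliases list, valid only after list_del_init() */`. The struct definition continues past the hunk.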
mm-memory-failure.c-recheck-pagehuge-after-hugetlb-page-migrate-successfully.patch
staging-comedi-addi_apci_1032-fix-subdevice-type-flags-bug.patch
staging-comedi-adl_pci9111-fix-incorrect-irq-passed-to-request_irq.patch
+vfs-in-d_path-don-t-call-d_dname-on-a-mount-point.patch
+hwmon-coretemp-fix-truncated-name-of-alarm-attributes.patch
+writeback-fix-data-corruption-on-nfs.patch
+selinux-fix-possible-null-pointer-dereference-in-selinux_inode_permission.patch
+ftrace-x86-load-ftrace_ops-in-parameter-not-the-variable-holding-it.patch
--- /dev/null
+From f48cfddc6729ef133933062320039808bafa6f45 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 8 Nov 2013 16:31:29 -0800
+Subject: vfs: In d_path don't call d_dname on a mount point
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit f48cfddc6729ef133933062320039808bafa6f45 upstream.
+
+Aditya Kali (adityakali@google.com) wrote:
+> Commit bf056bfa80596a5d14b26b17276a56a0dcb080e5:
+> "proc: Fix the namespace inode permission checks." converted
+> the namespace files into symlinks. The same commit changed
+> the way namespace bind mounts appear in /proc/mounts:
+> $ mount --bind /proc/self/ns/ipc /mnt/ipc
+> Originally:
+> $ cat /proc/mounts | grep ipc
+> proc /mnt/ipc proc rw,nosuid,nodev,noexec 0 0
+>
+> After commit bf056bfa80596a5d14b26b17276a56a0dcb080e5:
+> $ cat /proc/mounts | grep ipc
+> proc ipc:[4026531839] proc rw,nosuid,nodev,noexec 0 0
+>
+> This breaks userspace which expects the 2nd field in
+> /proc/mounts to be a valid path.
+
+The symlink /proc/<pid>/ns/{ipc,mnt,net,pid,user,uts} point to
+dentries allocated with d_alloc_pseudo that we can mount, and
+that have interesting names printed out with d_dname.
+
+When these files are bind mounted /proc/mounts is not currently
+displaying the mount point correctly because d_dname is called instead
+of just displaying the path where the file is mounted.
+
+Solve this by adding an explicit check to distinguish mounted pseudo
+inodes and unmounted pseudo inodes. Unmounted pseudo inodes always
+use mount of their filesstem as the mnt_root in their path making
+these two cases easy to distinguish.
+
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Reported-by: Aditya Kali <adityakali@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2686,8 +2686,13 @@ char *d_path(const struct path *path, ch
+ * thus don't need to be hashed. They also don't need a name until a
+ * user wants to identify the object in /proc/pid/fd/. The little hack
+ * below allows us to generate a name for these objects on demand:
++ *
++ * Some pseudo inodes are mountable. When they are mounted
++ * path->dentry == path->mnt->mnt_root. In that case don't call d_dname
++ * and instead have d_path return the mounted path.
+ */
+- if (path->dentry->d_op && path->dentry->d_op->d_dname)
++ if (path->dentry->d_op && path->dentry->d_op->d_dname &&
++ (!IS_ROOT(path->dentry) || path->dentry != path->mnt->mnt_root))
+ return path->dentry->d_op->d_dname(path->dentry, buf, buflen);
+
+ get_fs_root(current->fs, &root);
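Review bot: The added condition `(!IS_ROOT(path->dentry) || path->dentry != path->mnt->mnt_root)` is a double negative, and the new comment explains only the `mnt_root` half, leaving the `IS_ROOT` test unexplained. Writing it as `!(IS_ROOT(path->dentry) && path->dentry == path->mnt->mnt_root)` matches the comment's wording: skip d_dname when the pseudo dentry is itself the mount root. A sentence on why `IS_ROOT` is required would also help, since the commit message says userspace parses the second field of /proc/mounts as a valid path. d_path's body starts and ends outside the hunk.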
--- /dev/null
+From f9b0e058cbd04ada76b13afffa7e1df830543c24 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Sat, 14 Dec 2013 04:21:26 +0800
+Subject: writeback: Fix data corruption on NFS
+
+From: Jan Kara <jack@suse.cz>
+
+commit f9b0e058cbd04ada76b13afffa7e1df830543c24 upstream.
+
+Commit 4f8ad655dbc8 "writeback: Refactor writeback_single_inode()" added
+a condition to skip clean inode. However this is wrong in WB_SYNC_ALL
+mode because there we also want to wait for outstanding writeback on
+possibly clean inode. This was causing occasional data corruption issues
+on NFS because it uses sync_inode() to make sure all outstanding writes
+are flushed to the server before truncating the inode and with
+sync_inode() returning prematurely file was sometimes extended back
+by an outstanding write after it was truncated.
+
+So modify the test to also check for pages under writeback in
+WB_SYNC_ALL mode.
+
+Fixes: 4f8ad655dbc82cf05d2edc11e66b78a42d38bf93
+Reported-and-tested-by: Dan Duval <dan.duval@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fs-writeback.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -505,13 +505,16 @@ writeback_single_inode(struct inode *ino
+ }
+ WARN_ON(inode->i_state & I_SYNC);
+ /*
+- * Skip inode if it is clean. We don't want to mess with writeback
+- * lists in this function since flusher thread may be doing for example
+- * sync in parallel and if we move the inode, it could get skipped. So
+- * here we make sure inode is on some writeback list and leave it there
+- * unless we have completely cleaned the inode.
++ * Skip inode if it is clean and we have no outstanding writeback in
++ * WB_SYNC_ALL mode. We don't want to mess with writeback lists in this
++ * function since flusher thread may be doing for example sync in
++ * parallel and if we move the inode, it could get skipped. So here we
++ * make sure inode is on some writeback list and leave it there unless
++ * we have completely cleaned the inode.
+ */
+- if (!(inode->i_state & I_DIRTY))
++ if (!(inode->i_state & I_DIRTY) &&
++ (wbc->sync_mode != WB_SYNC_ALL ||
++ !mapping_tagged(inode->i_mapping, PAGECACHE_TAG_WRITEBACK)))
+ goto out;
+ inode->i_state |= I_SYNC;
+ spin_unlock(&inode->i_lock);
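Review bot: The rewritten comment's first sentence, "Skip inode if it is clean and we have no outstanding writeback in WB_SYNC_ALL mode", can be read as skipping only in WB_SYNC_ALL mode, whereas the condition skips a clean inode in every other mode and in WB_SYNC_ALL only when no page is tagged for writeback. I would word it as `Skip a clean inode, unless this is a WB_SYNC_ALL sync and pages are still under writeback that we must wait for.` The remaining sentences about writeback lists were written for the dirty case. A short remark on what happens to a clean inode that proceeds past this check would help, as that path is not visible in the hunk. writeback_single_inode starts and ends outside the hunk.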