--- /dev/null
+From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:14 -0700
+Subject: block: do not pass disk names as format strings
+
+From: Kees Cook <keescook@chromium.org>
+
+commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
+
+Disk names may contain arbitrary strings, so they must not be
+interpreted as format strings. It seems that only md allows arbitrary
+strings to be used for disk names, but this could allow for a local
+memory corruption from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
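Review bot: The return value of `dev_set_name()` is still discarded at the changed line in `register_disk`, although the osd_uld.c hunk of this same patch checks it and the call can fail when its name allocation fails. `register_disk` returns void and its body runs past this hunk, so, assuming nothing acquired earlier needs releasing, the smallest change is `if (dev_set_name(ddev, "%s", disk->disk_name)) return;`. If a later call is relied on to reject an unnamed device, a one-line comment saying so would do instead. The `kthread_create()` call in the nbd.c hunk needs no equivalent, since its `IS_ERR(thread)` check is visible there.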
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_devi
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
--- /dev/null
+From a1dc1937337a93e699eaa56968b7de6e1a9e77cf Mon Sep 17 00:00:00 2001
+From: majianpeng <majianpeng@gmail.com>
+Date: Wed, 19 Jun 2013 14:58:10 +0800
+Subject: ceph: fix sleeping function called from invalid context.
+
+From: majianpeng <majianpeng@gmail.com>
+
+commit a1dc1937337a93e699eaa56968b7de6e1a9e77cf upstream.
+
+[ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20
+[ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv
+[ 1121.231971] 1 lock held by mv/9831:
+[ 1121.231973] #0: (&(&ci->i_ceph_lock)->rlock){+.+...},at:[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
+[ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215
+[ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By
+O.E.M./To be filled by O.E.M., BIOS 080015 11/09/2011
+[ 1121.232027] ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8
+[ 1121.232045] ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba
+[ 1121.232052] 0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68
+[ 1121.232056] Call Trace:
+[ 1121.232062] [<ffffffff8168348c>] dump_stack+0x19/0x1b
+[ 1121.232067] [<ffffffff81070435>] __might_sleep+0xe5/0x110
+[ 1121.232071] [<ffffffff816899ba>] down_read+0x2a/0x98
+[ 1121.232080] [<ffffffffa02baf70>] ceph_vxattrcb_layout+0x60/0xf0 [ceph]
+[ 1121.232088] [<ffffffffa02bbd7f>] ceph_getxattr+0x9f/0x1d0 [ceph]
+[ 1121.232093] [<ffffffff81188d28>] vfs_getxattr+0xa8/0xd0
+[ 1121.232097] [<ffffffff8118900b>] getxattr+0xab/0x1c0
+[ 1121.232100] [<ffffffff811704f2>] ? final_putname+0x22/0x50
+[ 1121.232104] [<ffffffff81155f80>] ? kmem_cache_free+0xb0/0x260
+[ 1121.232107] [<ffffffff811704f2>] ? final_putname+0x22/0x50
+[ 1121.232110] [<ffffffff8109e63d>] ? trace_hardirqs_on+0xd/0x10
+[ 1121.232114] [<ffffffff816957a7>] ? sysret_check+0x1b/0x56
+[ 1121.232120] [<ffffffff81189c9c>] SyS_fgetxattr+0x6c/0xc0
+[ 1121.232125] [<ffffffff81695782>] system_call_fastpath+0x16/0x1b
+[ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002
+[ 1121.232154] 1 lock held by mv/9831:
+[ 1121.232156] #0: (&(&ci->i_ceph_lock)->rlock){+.+...}, at:
+[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
+
+I think move the ci->i_ceph_lock down is safe because we can't free
+ceph_inode_info at there.
+
+Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/xattr.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -675,17 +675,18 @@ ssize_t ceph_getxattr(struct dentry *den
+ if (!ceph_is_valid_xattr(name))
+ return -ENODATA;
+
+- spin_lock(&ci->i_ceph_lock);
+- dout("getxattr %p ver=%lld index_ver=%lld\n", inode,
+- ci->i_xattrs.version, ci->i_xattrs.index_version);
+
+ /* let's see if a virtual xattr was requested */
+ vxattr = ceph_match_vxattr(inode, name);
+ if (vxattr && !(vxattr->exists_cb && !vxattr->exists_cb(ci))) {
+ err = vxattr->getxattr_cb(ci, value, size);
+- goto out;
++ return err;
+ }
+
++ spin_lock(&ci->i_ceph_lock);
++ dout("getxattr %p ver=%lld index_ver=%lld\n", inode,
++ ci->i_xattrs.version, ci->i_xattrs.index_version);
++
+ if (__ceph_caps_issued_mask(ci, CEPH_CAP_XATTR_SHARED, 1) &&
+ (ci->i_xattrs.index_version >= ci->i_xattrs.version)) {
+ goto get_xattr;
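Review bot: With `spin_lock(&ci->i_ceph_lock)` moved below the virtual-xattr branch, `vxattr->exists_cb(ci)` and `vxattr->getxattr_cb(ci, value, size)` now read `ci` with no lock held. The trace in the commit message covers only the layout callback; the other callbacks are outside this hunk, and any of them that read fields guarded by `i_ceph_lock` would now read them unprotected. I would add a comment above the branch such as `/* vxattr callbacks run unlocked; each takes whatever lock it needs */` and check each callback against it. The deleted lines also leave two consecutive blank lines before the `/* let's see if a virtual xattr was requested */` comment, and `ceph_getxattr` continues past the end of this hunk.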
--- /dev/null
+From 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 6 Jun 2013 13:52:21 -0700
+Subject: charger-manager: Ensure event is not used as format string
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream.
+
+The exposed interface for cm_notify_event() could result in the event msg
+string being parsed as a format string. Make sure it is only used as a
+literal string.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Anton Vorontsov <cbou@mail.ru>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Anton Vorontsov <anton@enomsg.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/charger-manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/charger-manager.c
++++ b/drivers/power/charger-manager.c
+@@ -450,7 +450,7 @@ static void uevent_notify(struct charger
+ strncpy(env_str, event, UEVENT_BUF_SIZE);
+ kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE);
+
+- dev_info(cm->dev, event);
++ dev_info(cm->dev, "%s", event);
+ }
+
+ /**
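Review bot: The context line `strncpy(env_str, event, UEVENT_BUF_SIZE);` just above the fix does not NUL-terminate `env_str` when `event` is `UEVENT_BUF_SIZE` bytes or longer, and the commit message says `event` arrives through the exposed `cm_notify_event()` interface. Whether that matters depends on the declaration of `env_str`, which is outside the hunk: the copy is safe only if the buffer is at least one byte larger than `UEVENT_BUF_SIZE` and that last byte stays zero. If it is not, `env_str[UEVENT_BUF_SIZE - 1] = '\0';` after the copy closes the gap; if it is, a comment stating the size assumption next to the `strncpy()` is enough.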
--- /dev/null
+From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:15 -0700
+Subject: crypto: sanitize argument for format string
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
+
+The template lookup interface does not provide a way to use format
+strings, so make sure that the interface cannot be abused accidentally.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algapi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -495,7 +495,8 @@ static struct crypto_template *__crypto_
+
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+- return try_then_request_module(__crypto_lookup_template(name), name);
++ return try_then_request_module(__crypto_lookup_template(name), "%s",
++ name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
+
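Review bot: `name` still reaches the module loader unchanged after this fix, so the string handed to `crypto_lookup_template()` alone decides which module is requested. If any caller derives `name` from user-supplied algorithm strings (the callers are outside this hunk), the request is not limited to crypto template modules. Confining it to a dedicated namespace, e.g. `try_then_request_module(__crypto_lookup_template(name), "crypto-%s", name);` together with matching module aliases on the template modules, would bound it. The alias side is a wider change than this hunk and would need its own patch.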
--- /dev/null
+From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Wed, 3 Jul 2013 15:01:13 -0700
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+
+commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+ 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+ 2886 if (cgc->buffer == NULL)
+ 2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+ 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.
+If ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read
+ if (lba < 0)
+ return -EINVAL;
+
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+
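Review bot: Nothing at the allocation records why it must be zeroed, so a later cleanup could switch it back to `kmalloc()` and reopen the information leak described in the commit message. I would add `/* zeroed: a failing drive may fill only part of the buffer before copy_to_user() */` above the `kzalloc()` line. The rest of `mmc_ioctl_cdrom_read_data` is outside this hunk; if the number of bytes the drive actually returned is available there, copying only that many to user space would be the stricter fix.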
--- /dev/null
+From 13d60f4b6ab5b702dc8d2ee20999f98a93728aec Mon Sep 17 00:00:00 2001
+From: Zhang Yi <wetpzy@gmail.com>
+Date: Tue, 25 Jun 2013 21:19:31 +0800
+Subject: futex: Take hugepages into account when generating futex_key
+
+From: Zhang Yi <wetpzy@gmail.com>
+
+commit 13d60f4b6ab5b702dc8d2ee20999f98a93728aec upstream.
+
+The futex_keys of process shared futexes are generated from the page
+offset, the mapping host and the mapping index of the futex user space
+address. This should result in an unique identifier for each futex.
+
+Though this is not true when futexes are located in different subpages
+of an hugepage. The reason is, that the mapping index for all those
+futexes evaluates to the index of the base page of the hugetlbfs
+mapping. So a futex at offset 0 of the hugepage mapping and another
+one at offset PAGE_SIZE of the same hugepage mapping have identical
+futex_keys. This happens because the futex code blindly uses
+page->index.
+
+Steps to reproduce the bug:
+
+1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0
+ and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs
+ mapping.
+
+ The mutexes must be initialized as PTHREAD_PROCESS_SHARED because
+ PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as
+ their keys solely depend on the user space address.
+
+2. Lock mutex1 and mutex2
+
+3. Create thread1 and in the thread function lock mutex1, which
+ results in thread1 blocking on the locked mutex1.
+
+4. Create thread2 and in the thread function lock mutex2, which
+ results in thread2 blocking on the locked mutex2.
+
+5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2
+ still blocks on mutex2 because the futex_key points to mutex1.
+
+To solve this issue we need to take the normal page index of the page
+which contains the futex into account, if the futex is in an hugetlbfs
+mapping. In other words, we calculate the normal page mapping index of
+the subpage in the hugetlbfs mapping.
+
+Mappings which are not based on hugetlbfs are not affected and still
+use page->index.
+
+Thanks to Mel Gorman who provided a patch for adding proper evaluation
+functions to the hugetlbfs code to avoid exposing hugetlbfs specific
+details to the futex code.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Tested-by: Ma Chenggong <ma.chenggong@zte.com.cn>
+Reviewed-by: 'Mel Gorman' <mgorman@suse.de>
+Acked-by: 'Darren Hart' <dvhart@linux.intel.com>
+Cc: 'Peter Zijlstra' <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/hugetlb.h | 16 ++++++++++++++++
+ kernel/futex.c | 3 ++-
+ mm/hugetlb.c | 17 +++++++++++++++++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -358,6 +358,17 @@ static inline int hstate_index(struct hs
+ return h - hstates;
+ }
+
++pgoff_t __basepage_index(struct page *page);
++
++/* Return page->index in PAGE_SIZE units */
++static inline pgoff_t basepage_index(struct page *page)
++{
++ if (!PageCompound(page))
++ return page->index;
++
++ return __basepage_index(page);
++}
++
+ #else /* CONFIG_HUGETLB_PAGE */
+ struct hstate {};
+ #define alloc_huge_page_node(h, nid) NULL
+@@ -378,6 +389,11 @@ static inline unsigned int pages_per_hug
+ }
+ #define hstate_index_to_shift(index) 0
+ #define hstate_index(h) 0
++
++static inline pgoff_t basepage_index(struct page *page)
++{
++ return page->index;
++}
+ #endif /* CONFIG_HUGETLB_PAGE */
+
+ #endif /* _LINUX_HUGETLB_H */
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -61,6 +61,7 @@
+ #include <linux/nsproxy.h>
+ #include <linux/ptrace.h>
+ #include <linux/sched/rt.h>
++#include <linux/hugetlb.h>
+
+ #include <asm/futex.h>
+
+@@ -365,7 +366,7 @@ again:
+ } else {
+ key->both.offset |= FUT_OFF_INODE; /* inode-based key */
+ key->shared.inode = page_head->mapping->host;
+- key->shared.pgoff = page_head->index;
++ key->shared.pgoff = basepage_index(page);
+ }
+
+ get_futex_key_refs(key);
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -690,6 +690,23 @@ int PageHuge(struct page *page)
+ }
+ EXPORT_SYMBOL_GPL(PageHuge);
+
++pgoff_t __basepage_index(struct page *page)
++{
++ struct page *page_head = compound_head(page);
++ pgoff_t index = page_index(page_head);
++ unsigned long compound_idx;
++
++ if (!PageHuge(page_head))
++ return page_index(page);
++
++ if (compound_order(page_head) >= MAX_ORDER)
++ compound_idx = page_to_pfn(page) - page_to_pfn(page_head);
++ else
++ compound_idx = page - page_head;
++
++ return (index << compound_order(page_head)) + compound_idx;
++}
++
+ static struct page *alloc_fresh_huge_page_node(struct hstate *h, int nid)
+ {
+ struct page *page;
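Review bot: `__basepage_index()` is added without a comment, and its `compound_order(page_head) >= MAX_ORDER` branch is not self-explanatory. A header such as `/* Index of @page in PAGE_SIZE units; the head page's index is kept in huge-page units. */` would help, plus one line on the branch saying why pointer subtraction is avoided for the largest pages (presumably because their `struct page` entries need not be contiguous; confirm before writing it down). `compound_order(page_head)` is also evaluated twice and could be held in a local. The inline `basepage_index()` wrappers in the hugetlb.h hunks carry only a one-line comment, so the same header text could be shared there.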
--- /dev/null
+From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Date: Thu, 4 Jul 2013 18:42:29 +0200
+Subject: hpfs: better test for errors
+
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+
+commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
+
+The test if bitmap access is out of bound could errorneously pass if the
+device size is divisible by 16384 sectors and we are asking for one bitmap
+after the end.
+
+Check for invalid size in the superblock. Invalid size could cause integer
+overflows in the rest of the code.
+
+Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/map.c | 3 ++-
+ fs/hpfs/super.c | 8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/map.c
++++ b/fs/hpfs/map.c
+@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_blo
+ struct quad_buffer_head *qbh, char *id)
+ {
+ secno sec;
+- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
+ hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
+ return NULL;
+ }
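Review bot: The rounding `sb_fs_size + 0x3fff` in the new `n_bands` line is free of wraparound only because the super.c hunk of this patch rejects `sb_fs_size >= 0x80000000` at mount (assuming the field is a 32-bit unsigned value); nothing at this line says so. A comment such as `/* hpfs_fill_super() enforces sb_fs_size < 0x80000000, so this cannot overflow */` would tie the two checks together. The constants `0x3fff` and `14` replace the old literal `16384` and would read better derived from one named value. The bounds test still runs only when `sb_chk` is set, so with checking disabled an out-of-range `bmp_block` continues into the code below this hunk.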
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_
+ sbi->sb_cp_table = NULL;
+ sbi->sb_c_bitmap = -1;
+ sbi->sb_max_fwd_alloc = 0xffffff;
+-
++
++ if (sbi->sb_fs_size >= 0x80000000) {
++ hpfs_error(s, "invalid size in superblock: %08x",
++ (unsigned)sbi->sb_fs_size);
++ goto bail4;
++ }
++
+ /* Load bitmap directory */
+ if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
+ goto bail4;
--- /dev/null
+From 8b8cf8917f9b5d74e04f281272d8719ce335a497 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <josh.durgin@inktank.com>
+Date: Fri, 28 Jun 2013 13:13:16 -0700
+Subject: libceph: fix invalid unsigned->signed conversion for timespec encoding
+
+From: Josh Durgin <josh.durgin@inktank.com>
+
+commit 8b8cf8917f9b5d74e04f281272d8719ce335a497 upstream.
+
+__kernel_time_t is a long, which cannot hold a U32_MAX on 32-bit
+architectures. Just drop this check as it has limited value.
+
+This fixes a crash like:
+
+[ 957.905812] kernel BUG at /srv/autobuild-ceph/gitbuilder.git/build/include/linux/ceph/decode.h:164!
+[ 957.914849] Internal error: Oops - BUG: 0 [#1] SMP ARM
+[ 957.919978] Modules linked in: rbd libceph libcrc32c ipmi_devintf ipmi_si ipmi_msghandler nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc
+[ 957.932547] CPU: 1 Tainted: G W (3.9.0-ceph-19bb6a83-highbank #1)
+[ 957.939881] PC is at ceph_osdc_build_request+0x8c/0x4f8 [libceph]
+[ 957.945967] LR is at 0xec520904
+[ 957.949103] pc : [<bf13e76c>] lr : [<ec520904>] psr: 20000153
+[ 957.949103] sp : ec753df8 ip : 00000001 fp : ec53e100
+[ 957.960571] r10: ebef25c0 r9 : ec5fa400 r8 : ecbcc000
+[ 957.965788] r7 : 00000000 r6 : 00000000 r5 : ffffffff r4 : 00000020
+[ 957.972307] r3 : 51cc8143 r2 : ec520900 r1 : ec753e58 r0 : ec520908
+[ 957.978827] Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment user
+[ 957.986039] Control: 10c5387d Table: 2c59c04a DAC: 00000015
+[ 957.991777] Process rbd (pid: 2138, stack limit = 0xec752238)
+[ 957.997514] Stack: (0xec753df8 to 0xec754000)
+[ 958.001864] 3de0: 00000001 00000001
+[ 958.010032] 3e00: 00000001 bf139744 ecbcc000 ec55a0a0 00000024 00000000 ebef25c0 fffffffe
+[ 958.018204] 3e20: ffffffff 00000000 00000000 00000001 ec5fa400 ebef25c0 ec53e100 bf166b68
+[ 958.026377] 3e40: 00000000 0000220f fffffffe ffffffff ec753e58 bf13ff24 51cc8143 05b25ed2
+[ 958.034548] 3e60: 00000001 00000000 00000000 bf1688d4 00000001 00000000 00000000 00000000
+[ 958.042720] 3e80: 00000001 00000060 ec5fa400 ed53d200 ed439600 ed439300 00000001 00000060
+[ 958.050888] 3ea0: ec5fa400 ed53d200 00000000 bf16a320 00000000 ec53e100 00000040 ec753eb8
+[ 958.059059] 3ec0: ec51df00 ed53d7c0 ed53d200 ed53d7c0 00000000 ed53d7c0 ec5fa400 bf16ed70
+[ 958.067230] 3ee0: 00000000 00000060 00000002 ed53d200 00000000 bf16acf4 ed53d7c0 ec752000
+[ 958.075402] 3f00: ed980e50 e954f5d8 00000000 00000060 ed53d240 ed53d258 ec753f80 c04f44a8
+[ 958.083574] 3f20: edb7910c ec664700 01ade920 c02e4c44 00000060 c016b3dc ec51de40 01adfb84
+[ 958.091745] 3f40: 00000060 ec752000 ec753f80 ec752000 00000060 c0108444 00000007 ec51de48
+[ 958.099914] 3f60: ed0eb8c0 00000000 00000000 ec51de40 01adfb84 00000001 00000060 c0108858
+[ 958.108085] 3f80: 00000000 00000000 51cc8143 00000060 01adfb84 00000007 00000004 c000dd68
+[ 958.116257] 3fa0: 00000000 c000dbc0 00000060 01adfb84 00000007 01adfb84 00000060 01adfb80
+[ 958.124429] 3fc0: 00000060 01adfb84 00000007 00000004 beded1a8 00000000 01adf2f0 01ade920
+[ 958.132599] 3fe0: 00000000 beded180 b6811324 b6811334 800f0010 00000007 2e7f5821 2e7f5c21
+[ 958.140815] [<bf13e76c>] (ceph_osdc_build_request+0x8c/0x4f8 [libceph]) from [<bf166b68>] (rbd_osd_req_format_write+0x50/0x7c [rbd])
+[ 958.152739] [<bf166b68>] (rbd_osd_req_format_write+0x50/0x7c [rbd]) from [<bf1688d4>] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd])
+[ 958.164486] [<bf1688d4>] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd]) from [<bf16a320>] (rbd_dev_image_probe+0x23c/0x850 [rbd])
+[ 958.175967] [<bf16a320>] (rbd_dev_image_probe+0x23c/0x850 [rbd]) from [<bf16acf4>] (rbd_add+0x3c0/0x918 [rbd])
+[ 958.185975] [<bf16acf4>] (rbd_add+0x3c0/0x918 [rbd]) from [<c02e4c44>] (bus_attr_store+0x20/0x2c)
+[ 958.194850] [<c02e4c44>] (bus_attr_store+0x20/0x2c) from [<c016b3dc>] (sysfs_write_file+0x168/0x198)
+[ 958.203984] [<c016b3dc>] (sysfs_write_file+0x168/0x198) from [<c0108444>] (vfs_write+0x9c/0x170)
+[ 958.212768] [<c0108444>] (vfs_write+0x9c/0x170) from [<c0108858>] (sys_write+0x3c/0x70)
+[ 958.220768] [<c0108858>] (sys_write+0x3c/0x70) from [<c000dbc0>] (ret_fast_syscall+0x0/0x30)
+[ 958.229199] Code: e59d1058 e5913000 e3530000 ba000114 (e7f001f2)
+
+Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ceph/decode.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/include/linux/ceph/decode.h
++++ b/include/linux/ceph/decode.h
+@@ -160,11 +160,6 @@ static inline void ceph_decode_timespec(
+ static inline void ceph_encode_timespec(struct ceph_timespec *tv,
+ const struct timespec *ts)
+ {
+- BUG_ON(ts->tv_sec < 0);
+- BUG_ON(ts->tv_sec > (__kernel_time_t)U32_MAX);
+- BUG_ON(ts->tv_nsec < 0);
+- BUG_ON(ts->tv_nsec > (long)U32_MAX);
+-
+ tv->tv_sec = cpu_to_le32((u32)ts->tv_sec);
+ tv->tv_nsec = cpu_to_le32((u32)ts->tv_nsec);
+ }
--- /dev/null
+From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 20 Jun 2013 13:13:59 -0700
+Subject: libceph: Fix NULL pointer dereference in auth client code
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
+
+A malicious monitor can craft an auth reply message that could cause a
+NULL function pointer dereference in the client's kernel.
+
+To prevent this, the auth_none protocol handler needs an empty
+ceph_auth_client_ops->build_request() function.
+
+CVE-2013-1059
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reported-by: Chanam Park <chanam.park@hkpco.kr>
+Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/auth_none.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ceph/auth_none.c
++++ b/net/ceph/auth_none.c
+@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
+ return xi->starting;
+ }
+
++static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
++{
++ return 0;
++}
++
+ /*
+ * the generic auth code decode the global_id, and we carry no actual
+ * authenticate state, so nothing happens here.
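Review bot: The new `build_request()` stub fixes this one ops table, but the call site that invokes `build_request` through the ops pointer is outside this patch and, going by the commit message, calls it unchecked, so any other handler that leaves a required op unset would fail the same way on a crafted reply. A NULL guard at that call site, or a check that every required op is set when a handler's ops table is installed, would cover the whole class rather than this instance. The stub would also benefit from a comment such as `/* auth_none sends no request payload; present so the generic code never calls through NULL */`. The `.build_request = build_request` entry in the second hunk is fine as written.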
+@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops
+ .destroy = destroy,
+ .is_authenticated = is_authenticated,
+ .should_authenticate = should_authenticate,
++ .build_request = build_request,
+ .handle_reply = handle_reply,
+ .create_authorizer = ceph_auth_none_create_authorizer,
+ .destroy_authorizer = ceph_auth_none_destroy_authorizer,
--- /dev/null
+From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 18 Jun 2013 12:58:12 -0700
+Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
+
+This hopefully will help point developers to the proper way that patches
+should be submitted for inclusion in the stable kernel releases.
+
+Reported-by: David Howells <dhowells@redhat.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7667,6 +7667,7 @@ STABLE BRANCH
+ M: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ L: stable@vger.kernel.org
+ S: Supported
++F: Documentation/stable_kernel_rules.txt
+
+ STAGING SUBSYSTEM
+ M: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--- /dev/null
+From 8d8022e8aba85192e937f1f0f7450e256d66ae5c Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Wed, 3 Jul 2013 10:06:28 +0930
+Subject: module: do percpu allocation after uniqueness check. No, really!
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 8d8022e8aba85192e937f1f0f7450e256d66ae5c upstream.
+
+v3.8-rc1-5-g1fb9341 was supposed to stop parallel kvm loads exhausting
+percpu memory on large machines:
+
+ Now we have a new state MODULE_STATE_UNFORMED, we can insert the
+ module into the list (and thus guarantee its uniqueness) before we
+ allocate the per-cpu region.
+
+In my defence, it didn't actually say the patch did this. Just that
+we "can".
+
+This patch actually *does* it.
+
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Tested-by: Jim Hull <jim.hull@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2927,7 +2927,6 @@ static struct module *layout_and_allocat
+ {
+ /* Module within temporary copy. */
+ struct module *mod;
+- Elf_Shdr *pcpusec;
+ int err;
+
+ mod = setup_load_info(info, flags);
+@@ -2942,17 +2941,10 @@ static struct module *layout_and_allocat
+ err = module_frob_arch_sections(info->hdr, info->sechdrs,
+ info->secstrings, mod);
+ if (err < 0)
+- goto out;
++ return ERR_PTR(err);
+
+- pcpusec = &info->sechdrs[info->index.pcpu];
+- if (pcpusec->sh_size) {
+- /* We have a special allocation for this section. */
+- err = percpu_modalloc(mod,
+- pcpusec->sh_size, pcpusec->sh_addralign);
+- if (err)
+- goto out;
+- pcpusec->sh_flags &= ~(unsigned long)SHF_ALLOC;
+- }
++ /* We will do a special allocation for per-cpu sections later. */
++ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC;
+
+ /* Determine total sizes, and put offsets in sh_entsize. For now
+ this is done generically; there doesn't appear to be any
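Review bot: The `SHF_ALLOC` clear is now unconditional, whereas the removed code did it only inside `if (pcpusec->sh_size)`. For a module with no per-cpu data the flag is now cleared on whatever header `info->index.pcpu` refers to, which is not visible here; that is probably harmless if the index is 0, but the new comment does not say the case was considered. Either keep the guard, `if (info->sechdrs[info->index.pcpu].sh_size)`, or extend the comment to state that clearing the flag without a per-cpu section is intended. Separately, the `free_percpu:` label is removed from `layout_and_allocate`, so failures after the new `alloc_module_percpu()` call in `load_module` depend on an error label outside these hunks reaching `percpu_modfree()`; that path should be confirmed.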
+@@ -2963,17 +2955,22 @@ static struct module *layout_and_allocat
+ /* Allocate and move to the final place */
+ err = move_module(mod, info);
+ if (err)
+- goto free_percpu;
++ return ERR_PTR(err);
+
+ /* Module has been copied to its final place now: return it. */
+ mod = (void *)info->sechdrs[info->index.mod].sh_addr;
+ kmemleak_load_module(mod, info);
+ return mod;
++}
+
+-free_percpu:
+- percpu_modfree(mod);
+-out:
+- return ERR_PTR(err);
++static int alloc_module_percpu(struct module *mod, struct load_info *info)
++{
++ Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu];
++ if (!pcpusec->sh_size)
++ return 0;
++
++ /* We have a special allocation for this section. */
++ return percpu_modalloc(mod, pcpusec->sh_size, pcpusec->sh_addralign);
+ }
+
+ /* mod is no longer valid after this! */
+@@ -3237,6 +3234,11 @@ static int load_module(struct load_info
+ }
+ #endif
+
++ /* To avoid stressing percpu allocator, do this once we're unique. */
++ err = alloc_module_percpu(mod, info);
++ if (err)
++ goto unlink_mod;
++
+ /* Now module is in final location, initialize linked lists, etc. */
+ err = module_unload_init(mod);
+ if (err)
--- /dev/null
+From 828c6a102b1f2b8583fadc0e779c46b31d448f0b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 30 Jun 2013 09:03:06 -0700
+Subject: Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream.
+
+This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366.
+
+As reported by Stefan, this device already works with the parport_serial
+driver, so the 8250_pci driver should not also try to grab it as well.
+
+Reported-by: Stefan Seyfried <stefan.seyfried@googlemail.com>
+Cc: Wang YanQing <udknight@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -4797,10 +4797,6 @@ static struct pci_device_id serial_pci_t
+ PCI_VENDOR_ID_IBM, 0x0299,
+ 0, 0, pbn_b0_bt_2_115200 },
+
+- { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
+- 0x1000, 0x0012,
+- 0, 0, pbn_b0_bt_2_115200 },
+-
+ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
--- /dev/null
+libceph-fix-null-pointer-dereference-in-auth-client-code.patch
+ceph-fix-sleeping-function-called-from-invalid-context.patch
+libceph-fix-invalid-unsigned-signed-conversion-for-timespec-encoding.patch
+drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
+module-do-percpu-allocation-after-uniqueness-check.-no-really.patch
+charger-manager-ensure-event-is-not-used-as-format-string.patch
+hpfs-better-test-for-errors.patch
+block-do-not-pass-disk-names-as-format-strings.patch
+crypto-sanitize-argument-for-format-string.patch
+maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
+futex-take-hugepages-into-account-when-generating-futex_key.patch
+tty-reset-itty-for-other-pty.patch
+revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
--- /dev/null
+From 64e377dcd7d75c241d614458e9619d3445de44ef Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Sat, 15 Jun 2013 09:01:00 -0400
+Subject: tty: Reset itty for other pty
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 64e377dcd7d75c241d614458e9619d3445de44ef upstream.
+
+Commit 19ffd68f816878aed456d5e87697f43bd9e3bd2b
+('pty: Remove redundant itty reset') introduced a regression
+whereby the other pty's linkage is not cleared on teardown.
+This triggers a false positive diagnostic in testing.
+
+Properly reset the itty linkage.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1618,6 +1618,8 @@ static void release_tty(struct tty_struc
+ tty_free_termios(tty);
+ tty_driver_remove_tty(tty->driver, tty);
+ tty->port->itty = NULL;
++ if (tty->link)
++ tty->link->port->itty = NULL;
+ cancel_work_sync(&tty->port->buf.work);
+
+ if (tty->link)