From: Greg Kroah-Hartman Date: Thu, 11 Jul 2013 20:19:00 +0000 (-0700) Subject: 3.9-stable patches X-Git-Tag: v3.0.86~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=048717b5e8ecf25ce6a15e7d4e8df002da49f993;p=thirdparty%2Fkernel%2Fstable-queue.git 3.9-stable patches added patches: block-do-not-pass-disk-names-as-format-strings.patch ceph-fix-sleeping-function-called-from-invalid-context.patch charger-manager-ensure-event-is-not-used-as-format-string.patch crypto-sanitize-argument-for-format-string.patch drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch futex-take-hugepages-into-account-when-generating-futex_key.patch hpfs-better-test-for-errors.patch libceph-fix-null-pointer-dereference-in-auth-client-code.patch maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch module-do-percpu-allocation-after-uniqueness-check.-no-really.patch revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch --- diff --git a/queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch new file mode 100644 index 00000000000..fe9c5c52844 --- /dev/null +++ b/queue-3.9/block-do-not-pass-disk-names-as-format-strings.patch @@ -0,0 +1,62 @@ +From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 3 Jul 2013 15:01:14 -0700 +Subject: block: do not pass disk names as format strings + +From: Kees Cook + +commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream. + +Disk names may contain arbitrary strings, so they must not be +interpreted as format strings. It seems that only md allows arbitrary +strings to be used for disk names, but this could allow for a local +memory corruption from uid 0 into ring 0. + +CVE-2013-2851 + +Signed-off-by: Kees Cook +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + block/genhd.c | 2 +- + drivers/block/nbd.c | 3 ++- + drivers/scsi/osd/osd_uld.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_devi + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if (error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; diff --git a/queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch b/queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch new file mode 100644 index 00000000000..864da9eff3c --- /dev/null +++ b/queue-3.9/ceph-fix-sleeping-function-called-from-invalid-context.patch @@ -0,0 +1,75 @@ +From a1dc1937337a93e699eaa56968b7de6e1a9e77cf Mon Sep 17 00:00:00 2001 +From: majianpeng +Date: Wed, 19 Jun 2013 14:58:10 +0800 +Subject: ceph: fix sleeping function called from invalid context. + +From: majianpeng + +commit a1dc1937337a93e699eaa56968b7de6e1a9e77cf upstream. + +[ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20 +[ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv +[ 1121.231971] 1 lock held by mv/9831: +[ 1121.231973] #0: (&(&ci->i_ceph_lock)->rlock){+.+...},at:[] ceph_getxattr+0x58/0x1d0 [ceph] +[ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215 +[ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By +O.E.M./To be filled by O.E.M., BIOS 080015 11/09/2011 +[ 1121.232027] ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8 +[ 1121.232045] ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba +[ 1121.232052] 0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68 +[ 1121.232056] Call Trace: +[ 1121.232062] [] dump_stack+0x19/0x1b +[ 1121.232067] [] __might_sleep+0xe5/0x110 +[ 1121.232071] [] down_read+0x2a/0x98 +[ 1121.232080] [] ceph_vxattrcb_layout+0x60/0xf0 [ceph] +[ 1121.232088] [] ceph_getxattr+0x9f/0x1d0 [ceph] +[ 1121.232093] [] vfs_getxattr+0xa8/0xd0 +[ 1121.232097] [] getxattr+0xab/0x1c0 +[ 1121.232100] [] ? final_putname+0x22/0x50 +[ 1121.232104] [] ? kmem_cache_free+0xb0/0x260 +[ 1121.232107] [] ? final_putname+0x22/0x50 +[ 1121.232110] [] ? trace_hardirqs_on+0xd/0x10 +[ 1121.232114] [] ? sysret_check+0x1b/0x56 +[ 1121.232120] [] SyS_fgetxattr+0x6c/0xc0 +[ 1121.232125] [] system_call_fastpath+0x16/0x1b +[ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002 +[ 1121.232154] 1 lock held by mv/9831: +[ 1121.232156] #0: (&(&ci->i_ceph_lock)->rlock){+.+...}, at: +[] ceph_getxattr+0x58/0x1d0 [ceph] + +I think move the ci->i_ceph_lock down is safe because we can't free +ceph_inode_info at there. + +Signed-off-by: Jianpeng Ma +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/xattr.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -675,17 +675,18 @@ ssize_t ceph_getxattr(struct dentry *den + if (!ceph_is_valid_xattr(name)) + return -ENODATA; + +- spin_lock(&ci->i_ceph_lock); +- dout("getxattr %p ver=%lld index_ver=%lld\n", inode, +- ci->i_xattrs.version, ci->i_xattrs.index_version); + + /* let's see if a virtual xattr was requested */ + vxattr = ceph_match_vxattr(inode, name); + if (vxattr && !(vxattr->exists_cb && !vxattr->exists_cb(ci))) { + err = vxattr->getxattr_cb(ci, value, size); +- goto out; ++ return err; + } + ++ spin_lock(&ci->i_ceph_lock); ++ dout("getxattr %p ver=%lld index_ver=%lld\n", inode, ++ ci->i_xattrs.version, ci->i_xattrs.index_version); ++ + if (__ceph_caps_issued_mask(ci, CEPH_CAP_XATTR_SHARED, 1) && + (ci->i_xattrs.index_version >= ci->i_xattrs.version)) { + goto get_xattr; diff --git a/queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch b/queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch new file mode 100644 index 00000000000..9658fc88741 --- /dev/null +++ b/queue-3.9/charger-manager-ensure-event-is-not-used-as-format-string.patch @@ -0,0 +1,34 @@ +From 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 6 Jun 2013 13:52:21 -0700 +Subject: charger-manager: Ensure event is not used as format string + +From: Kees Cook + +commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream. + +The exposed interface for cm_notify_event() could result in the event msg +string being parsed as a format string. Make sure it is only used as a +literal string. + +Signed-off-by: Kees Cook +Cc: Anton Vorontsov +Cc: David Woodhouse +Signed-off-by: Anton Vorontsov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/charger-manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -450,7 +450,7 @@ static void uevent_notify(struct charger + strncpy(env_str, event, UEVENT_BUF_SIZE); + kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE); + +- dev_info(cm->dev, event); ++ dev_info(cm->dev, "%s", event); + } + + /** diff --git a/queue-3.9/crypto-sanitize-argument-for-format-string.patch b/queue-3.9/crypto-sanitize-argument-for-format-string.patch new file mode 100644 index 00000000000..063f72fac0c --- /dev/null +++ b/queue-3.9/crypto-sanitize-argument-for-format-string.patch @@ -0,0 +1,35 @@ +From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 3 Jul 2013 15:01:15 -0700 +Subject: crypto: sanitize argument for format string + +From: Kees Cook + +commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream. + +The template lookup interface does not provide a way to use format +strings, so make sure that the interface cannot be abused accidentally. + +Signed-off-by: Kees Cook +Cc: Herbert Xu +Cc: "David S. Miller" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algapi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -495,7 +495,8 @@ static struct crypto_template *__crypto_ + + struct crypto_template *crypto_lookup_template(const char *name) + { +- return try_then_request_module(__crypto_lookup_template(name), name); ++ return try_then_request_module(__crypto_lookup_template(name), "%s", ++ name); + } + EXPORT_SYMBOL_GPL(crypto_lookup_template); + diff --git a/queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch new file mode 100644 index 00000000000..41d2d9d6c52 --- /dev/null +++ b/queue-3.9/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch @@ -0,0 +1,51 @@ +From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001 +From: Jonathan Salwan +Date: Wed, 3 Jul 2013 15:01:13 -0700 +Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware + +From: Jonathan Salwan + +commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream. + +In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory +area with kmalloc in line 2885. + + 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); + 2886 if (cgc->buffer == NULL) + 2887 return -ENOMEM; + +In line 2908 we can find the copy_to_user function: + + 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) + +The cgc->buffer is never cleaned and initialized before this function. +If ret = 0 with the previous basic block, it's possible to display some +memory bytes in kernel space from userspace. + +When we read a block from the disk it normally fills the ->buffer but if +the drive is malfunctioning there is a chance that it would only be +partially filled. The result is an leak information to userspace. + +Signed-off-by: Dan Carpenter +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Jonathan Salwan +Cc: Luis Henriques +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + diff --git a/queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch b/queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch new file mode 100644 index 00000000000..1fd209fa8ab --- /dev/null +++ b/queue-3.9/futex-take-hugepages-into-account-when-generating-futex_key.patch @@ -0,0 +1,149 @@ +From 13d60f4b6ab5b702dc8d2ee20999f98a93728aec Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Tue, 25 Jun 2013 21:19:31 +0800 +Subject: futex: Take hugepages into account when generating futex_key + +From: Zhang Yi + +commit 13d60f4b6ab5b702dc8d2ee20999f98a93728aec upstream. + +The futex_keys of process shared futexes are generated from the page +offset, the mapping host and the mapping index of the futex user space +address. This should result in an unique identifier for each futex. + +Though this is not true when futexes are located in different subpages +of an hugepage. The reason is, that the mapping index for all those +futexes evaluates to the index of the base page of the hugetlbfs +mapping. So a futex at offset 0 of the hugepage mapping and another +one at offset PAGE_SIZE of the same hugepage mapping have identical +futex_keys. This happens because the futex code blindly uses +page->index. + +Steps to reproduce the bug: + +1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0 + and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs + mapping. + + The mutexes must be initialized as PTHREAD_PROCESS_SHARED because + PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as + their keys solely depend on the user space address. + +2. Lock mutex1 and mutex2 + +3. Create thread1 and in the thread function lock mutex1, which + results in thread1 blocking on the locked mutex1. + +4. Create thread2 and in the thread function lock mutex2, which + results in thread2 blocking on the locked mutex2. + +5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2 + still blocks on mutex2 because the futex_key points to mutex1. + +To solve this issue we need to take the normal page index of the page +which contains the futex into account, if the futex is in an hugetlbfs +mapping. In other words, we calculate the normal page mapping index of +the subpage in the hugetlbfs mapping. + +Mappings which are not based on hugetlbfs are not affected and still +use page->index. + +Thanks to Mel Gorman who provided a patch for adding proper evaluation +functions to the hugetlbfs code to avoid exposing hugetlbfs specific +details to the futex code. + +[ tglx: Massaged changelog ] + +Signed-off-by: Zhang Yi +Reviewed-by: Jiang Biao +Tested-by: Ma Chenggong +Reviewed-by: 'Mel Gorman' +Acked-by: 'Darren Hart' +Cc: 'Peter Zijlstra' +Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hugetlb.h | 16 ++++++++++++++++ + kernel/futex.c | 3 ++- + mm/hugetlb.c | 17 +++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -354,6 +354,17 @@ static inline int hstate_index(struct hs + return h - hstates; + } + ++pgoff_t __basepage_index(struct page *page); ++ ++/* Return page->index in PAGE_SIZE units */ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ if (!PageCompound(page)) ++ return page->index; ++ ++ return __basepage_index(page); ++} ++ + #else /* CONFIG_HUGETLB_PAGE */ + struct hstate {}; + #define alloc_huge_page_node(h, nid) NULL +@@ -374,6 +385,11 @@ static inline unsigned int pages_per_hug + } + #define hstate_index_to_shift(index) 0 + #define hstate_index(h) 0 ++ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ return page->index; ++} + #endif /* CONFIG_HUGETLB_PAGE */ + + #endif /* _LINUX_HUGETLB_H */ +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + #include + +@@ -365,7 +366,7 @@ again: + } else { + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.inode = page_head->mapping->host; +- key->shared.pgoff = page_head->index; ++ key->shared.pgoff = basepage_index(page); + } + + get_futex_key_refs(key); +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -690,6 +690,23 @@ int PageHuge(struct page *page) + } + EXPORT_SYMBOL_GPL(PageHuge); + ++pgoff_t __basepage_index(struct page *page) ++{ ++ struct page *page_head = compound_head(page); ++ pgoff_t index = page_index(page_head); ++ unsigned long compound_idx; ++ ++ if (!PageHuge(page_head)) ++ return page_index(page); ++ ++ if (compound_order(page_head) >= MAX_ORDER) ++ compound_idx = page_to_pfn(page) - page_to_pfn(page_head); ++ else ++ compound_idx = page - page_head; ++ ++ return (index << compound_order(page_head)) + compound_idx; ++} ++ + static struct page *alloc_fresh_huge_page_node(struct hstate *h, int nid) + { + struct page *page; diff --git a/queue-3.9/hpfs-better-test-for-errors.patch b/queue-3.9/hpfs-better-test-for-errors.patch new file mode 100644 index 00000000000..e9566d12454 --- /dev/null +++ b/queue-3.9/hpfs-better-test-for-errors.patch @@ -0,0 +1,54 @@ +From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 4 Jul 2013 18:42:29 +0200 +Subject: hpfs: better test for errors + +From: Mikulas Patocka + +commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream. + +The test if bitmap access is out of bound could errorneously pass if the +device size is divisible by 16384 sectors and we are asking for one bitmap +after the end. + +Check for invalid size in the superblock. Invalid size could cause integer +overflows in the rest of the code. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hpfs/map.c | 3 ++- + fs/hpfs/super.c | 8 +++++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/hpfs/map.c ++++ b/fs/hpfs/map.c +@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_blo + struct quad_buffer_head *qbh, char *id) + { + secno sec; +- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) { ++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14; ++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) { + hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id); + return NULL; + } +--- a/fs/hpfs/super.c ++++ b/fs/hpfs/super.c +@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_ + sbi->sb_cp_table = NULL; + sbi->sb_c_bitmap = -1; + sbi->sb_max_fwd_alloc = 0xffffff; +- ++ ++ if (sbi->sb_fs_size >= 0x80000000) { ++ hpfs_error(s, "invalid size in superblock: %08x", ++ (unsigned)sbi->sb_fs_size); ++ goto bail4; ++ } ++ + /* Load bitmap directory */ + if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps)))) + goto bail4; diff --git a/queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch new file mode 100644 index 00000000000..d445460c629 --- /dev/null +++ b/queue-3.9/libceph-fix-null-pointer-dereference-in-auth-client-code.patch @@ -0,0 +1,49 @@ +From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 20 Jun 2013 13:13:59 -0700 +Subject: libceph: Fix NULL pointer dereference in auth client code + +From: Tyler Hicks + +commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream. + +A malicious monitor can craft an auth reply message that could cause a +NULL function pointer dereference in the client's kernel. + +To prevent this, the auth_none protocol handler needs an empty +ceph_auth_client_ops->build_request() function. + +CVE-2013-1059 + +Signed-off-by: Tyler Hicks +Reported-by: Chanam Park +Reviewed-by: Seth Arnold +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/auth_none.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ceph/auth_none.c ++++ b/net/ceph/auth_none.c +@@ -39,6 +39,11 @@ static int should_authenticate(struct ce + return xi->starting; + } + ++static int build_request(struct ceph_auth_client *ac, void *buf, void *end) ++{ ++ return 0; ++} ++ + /* + * the generic auth code decode the global_id, and we carry no actual + * authenticate state, so nothing happens here. +@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops + .destroy = destroy, + .is_authenticated = is_authenticated, + .should_authenticate = should_authenticate, ++ .build_request = build_request, + .handle_reply = handle_reply, + .create_authorizer = ceph_auth_none_create_authorizer, + .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch new file mode 100644 index 00000000000..db02a5c9436 --- /dev/null +++ b/queue-3.9/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch @@ -0,0 +1,30 @@ +From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 18 Jun 2013 12:58:12 -0700 +Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information + +From: Greg Kroah-Hartman + +commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream. + +This hopefully will help point developers to the proper way that patches +should be submitted for inclusion in the stable kernel releases. + +Reported-by: David Howells +Acked-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 1 + + 1 file changed, 1 insertion(+) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -7512,6 +7512,7 @@ STABLE BRANCH + M: Greg Kroah-Hartman + L: stable@vger.kernel.org + S: Supported ++F: Documentation/stable_kernel_rules.txt + + STAGING SUBSYSTEM + M: Greg Kroah-Hartman diff --git a/queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch b/queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch new file mode 100644 index 00000000000..a36059c2124 --- /dev/null +++ b/queue-3.9/module-do-percpu-allocation-after-uniqueness-check.-no-really.patch @@ -0,0 +1,100 @@ +From 8d8022e8aba85192e937f1f0f7450e256d66ae5c Mon Sep 17 00:00:00 2001 +From: Rusty Russell +Date: Wed, 3 Jul 2013 10:06:28 +0930 +Subject: module: do percpu allocation after uniqueness check. No, really! + +From: Rusty Russell + +commit 8d8022e8aba85192e937f1f0f7450e256d66ae5c upstream. + +v3.8-rc1-5-g1fb9341 was supposed to stop parallel kvm loads exhausting +percpu memory on large machines: + + Now we have a new state MODULE_STATE_UNFORMED, we can insert the + module into the list (and thus guarantee its uniqueness) before we + allocate the per-cpu region. + +In my defence, it didn't actually say the patch did this. Just that +we "can". + +This patch actually *does* it. + +Signed-off-by: Rusty Russell +Tested-by: Jim Hull +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/module.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2939,7 +2939,6 @@ static struct module *layout_and_allocat + { + /* Module within temporary copy. */ + struct module *mod; +- Elf_Shdr *pcpusec; + int err; + + mod = setup_load_info(info, flags); +@@ -2954,17 +2953,10 @@ static struct module *layout_and_allocat + err = module_frob_arch_sections(info->hdr, info->sechdrs, + info->secstrings, mod); + if (err < 0) +- goto out; ++ return ERR_PTR(err); + +- pcpusec = &info->sechdrs[info->index.pcpu]; +- if (pcpusec->sh_size) { +- /* We have a special allocation for this section. */ +- err = percpu_modalloc(mod, +- pcpusec->sh_size, pcpusec->sh_addralign); +- if (err) +- goto out; +- pcpusec->sh_flags &= ~(unsigned long)SHF_ALLOC; +- } ++ /* We will do a special allocation for per-cpu sections later. */ ++ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; + + /* Determine total sizes, and put offsets in sh_entsize. For now + this is done generically; there doesn't appear to be any +@@ -2975,17 +2967,22 @@ static struct module *layout_and_allocat + /* Allocate and move to the final place */ + err = move_module(mod, info); + if (err) +- goto free_percpu; ++ return ERR_PTR(err); + + /* Module has been copied to its final place now: return it. */ + mod = (void *)info->sechdrs[info->index.mod].sh_addr; + kmemleak_load_module(mod, info); + return mod; ++} + +-free_percpu: +- percpu_modfree(mod); +-out: +- return ERR_PTR(err); ++static int alloc_module_percpu(struct module *mod, struct load_info *info) ++{ ++ Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu]; ++ if (!pcpusec->sh_size) ++ return 0; ++ ++ /* We have a special allocation for this section. */ ++ return percpu_modalloc(mod, pcpusec->sh_size, pcpusec->sh_addralign); + } + + /* mod is no longer valid after this! */ +@@ -3249,6 +3246,11 @@ static int load_module(struct load_info + } + #endif + ++ /* To avoid stressing percpu allocator, do this once we're unique. */ ++ err = alloc_module_percpu(mod, info); ++ if (err) ++ goto unlink_mod; ++ + /* Now module is in final location, initialize linked lists, etc. */ + err = module_unload_init(mod); + if (err) diff --git a/queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch b/queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch new file mode 100644 index 00000000000..c08c7c95c63 --- /dev/null +++ b/queue-3.9/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch @@ -0,0 +1,35 @@ +From 828c6a102b1f2b8583fadc0e779c46b31d448f0b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 30 Jun 2013 09:03:06 -0700 +Subject: Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller" + +From: Greg Kroah-Hartman + +commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream. + +This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366. + +As reported by Stefan, this device already works with the parport_serial +driver, so the 8250_pci driver should not also try to grab it as well. + +Reported-by: Stefan Seyfried +Cc: Wang YanQing +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -4797,10 +4797,6 @@ static struct pci_device_id serial_pci_t + PCI_VENDOR_ID_IBM, 0x0299, + 0, 0, pbn_b0_bt_2_115200 }, + +- { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835, +- 0x1000, 0x0012, +- 0, 0, pbn_b0_bt_2_115200 }, +- + { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901, + 0xA000, 0x1000, + 0, 0, pbn_b0_1_115200 }, diff --git a/queue-3.9/series b/queue-3.9/series new file mode 100644 index 00000000000..2dd4049b103 --- /dev/null +++ b/queue-3.9/series @@ -0,0 +1,11 @@ +libceph-fix-null-pointer-dereference-in-auth-client-code.patch +ceph-fix-sleeping-function-called-from-invalid-context.patch +drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch +module-do-percpu-allocation-after-uniqueness-check.-no-really.patch +charger-manager-ensure-event-is-not-used-as-format-string.patch +hpfs-better-test-for-errors.patch +block-do-not-pass-disk-names-as-format-strings.patch +crypto-sanitize-argument-for-format-string.patch +maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch +futex-take-hugepages-into-account-when-generating-futex_key.patch +revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch