From: Greg Kroah-Hartman Date: Tue, 2 Aug 2016 07:03:26 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.14.75~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2062d042b3e3cdae3b00af87431d1d7efdd0e04c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch xen-pciback-fix-conf_space-read-write-overlap-check.patch
---
diff --git a/queue-3.14/arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch b/queue-3.14/arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch
new file mode 100644
index 00000000000..4dd167511fd
--- /dev/null
+++ b/queue-3.14/arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch
@@ -0,0 +1,41 @@
+From 9bd54517ee86cb164c734f72ea95aeba4804f10b Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin
+Date: Thu, 23 Jun 2016 11:00:39 +0300
+Subject: arc: unwind: warn only once if DW2_UNWIND is disabled
+
+From: Alexey Brodkin
+
+commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.
+
+If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
+gets called following message gets printed in debug console:
+----------------->8---------------
+CONFIG_ARC_DW2_UNWIND needs to be enabled
+----------------->8---------------
+
+That message makes sense if user indeed wants to see a backtrace or
+get nice function call-graphs in perf but what if user disabled
+unwinder for the purpose? Why pollute his debug console?
+
+So instead we'll warn user about possibly missing feature once and
+let him decide if that was what he or she really wanted.
+
+Signed-off-by: Alexey Brodkin
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/kernel/stacktrace.c
++++ b/arch/arc/kernel/stacktrace.c
+@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk,
+ * prelogue is setup (callee regs saved and then fp set and not other
+ * way around
+ */
+- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
++ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
+ return 0;
+
+ #endif
diff --git a/queue-3.14/fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch b/queue-3.14/fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch
new file mode 100644
index 00000000000..7233448cea0
--- /dev/null
+++ b/queue-3.14/fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch
@@ -0,0 +1,59 @@
+From 63d2f95d63396059200c391ca87161897b99e74a Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich
+Date: Fri, 24 Jun 2016 14:50:18 -0700
+Subject: fs/nilfs2: fix potential underflow in call to crc32_le
+
+From: Torsten Hilbrich
+
+commit 63d2f95d63396059200c391ca87161897b99e74a upstream.
+
+The value `bytes' comes from the filesystem which is about to be
+mounted. We cannot trust that the value is always in the range we
+expect it to be.
+
+Check its value before using it to calculate the length for the crc32_le
+call. It value must be larger (or equal) sumoff + 4.
+
+This fixes a kernel bug when accidentially mounting an image file which
+had the nilfs2 magic value 0x3434 at the right offset 0x406 by chance.
+The bytes 0x01 0x00 were stored at 0x408 and were interpreted as a
+s_bytes value of 1. This caused an underflow when substracting sumoff +
+4 (20) in the call to crc32_le.
+
+ BUG: unable to handle kernel paging request at ffff88021e600000
+ IP: crc32_le+0x36/0x100
+ ...
+ Call Trace:
+ nilfs_valid_sb.part.5+0x52/0x60 [nilfs2]
+ nilfs_load_super_block+0x142/0x300 [nilfs2]
+ init_nilfs+0x60/0x390 [nilfs2]
+ nilfs_mount+0x302/0x520 [nilfs2]
+ mount_fs+0x38/0x160
+ vfs_kern_mount+0x67/0x110
+ do_mount+0x269/0xe00
+ SyS_mount+0x9f/0x100
+ entry_SYSCALL_64_fastpath+0x16/0x71
+
+Link: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
+Signed-off-by: Torsten Hilbrich
+Tested-by: Torsten Hilbrich
+Signed-off-by: Ryusuke Konishi
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nilfs2/the_nilfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -431,7 +431,7 @@ static int nilfs_valid_sb(struct nilfs_s
+ if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC)
+ return 0;
+ bytes = le16_to_cpu(sbp->s_bytes);
+- if (bytes > BLOCK_SIZE)
++ if (bytes < sumoff + 4 || bytes > BLOCK_SIZE)
+ return 0;
+ crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp,
+ sumoff);
diff --git a/queue-3.14/series b/queue-3.14/series
index e69de29bb2d..2fbab0e1ddc 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -0,0 +1,3 @@
+fs-nilfs2-fix-potential-underflow-in-call-to-crc32_le.patch
+arc-unwind-warn-only-once-if-dw2_unwind-is-disabled.patch
+xen-pciback-fix-conf_space-read-write-overlap-check.patch
diff --git a/queue-3.14/xen-pciback-fix-conf_space-read-write-overlap-check.patch b/queue-3.14/xen-pciback-fix-conf_space-read-write-overlap-check.patch
new file mode 100644
index 00000000000..331f342203b
--- /dev/null
+++ b/queue-3.14/xen-pciback-fix-conf_space-read-write-overlap-check.patch
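Review bot: The new lower bound in nilfs_valid_sb, `if (bytes < sumoff + 4 || bytes > BLOCK_SIZE)`, has no comment saying that `bytes` is read from the image being mounted and that `4` is the width of the checksum field, so a later cleanup could weaken the guard without noticing what it protects. I would add `/* s_bytes is untrusted on-disk data: it must cover the checksum field at sumoff, or the length of the last crc32_le() call underflows */` directly above the check. The bare `4` would also read better as a named constant or a `sizeof` of the checksum member, if the struct exposes one. The function body continues past the end of the hunk, so the final crc32_le() call whose length this guard protects is not visible here; the commit message is the only source for that subtraction.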
@@ -0,0 +1,55 @@
+From 02ef871ecac290919ea0c783d05da7eedeffc10e Mon Sep 17 00:00:00 2001
+From: Andrey Grodzovsky
+Date: Tue, 21 Jun 2016 14:26:36 -0400
+Subject: xen/pciback: Fix conf_space read/write overlap check.
+
+From: Andrey Grodzovsky
+
+commit 02ef871ecac290919ea0c783d05da7eedeffc10e upstream.
+
+Current overlap check is evaluating to false a case where a filter
+field is fully contained (proper subset) of a r/w request. This
+change applies classical overlap check instead to include all the
+scenarios.
+
+More specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver
+the logic is such that the entire confspace is read and written in 4
+byte chunks. In this case as an example, CACHE_LINE_SIZE,
+LATENCY_TIMER and PCI_BIST are arriving together in one call to
+xen_pcibk_config_write() with offset == 0xc and size == 4. With the
+exsisting overlap check the LATENCY_TIMER field (offset == 0xd, length
+== 1) is fully contained in the write request and hence is excluded
+from write, which is incorrect.
+
+Signed-off-by: Andrey Grodzovsky
+Reviewed-by: Boris Ostrovsky
+Reviewed-by: Jan Beulich
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xen-pciback/conf_space.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/xen/xen-pciback/conf_space.c
++++ b/drivers/xen/xen-pciback/conf_space.c
+@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev
+ field_start = OFFSET(cfg_entry);
+ field_end = OFFSET(cfg_entry) + field->size;
+
+- if ((req_start >= field_start && req_start < field_end)
+- || (req_end > field_start && req_end <= field_end)) {
++ if (req_end > field_start && field_end > req_start) {
+ err = conf_space_read(dev, cfg_entry, field_start,
+ &tmp_val);
+ if (err)
+@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_de
+ field_start = OFFSET(cfg_entry);
+ field_end = OFFSET(cfg_entry) + field->size;
+
+- if ((req_start >= field_start && req_start < field_end)
+- || (req_end > field_start && req_end <= field_end)) {
++ if (req_end > field_start && field_end > req_start) {
+ tmp_val = 0;
+
+ err = xen_pcibk_config_read(dev, field_start,
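Review bot: The overlap predicate `req_end > field_start && field_end > req_start` is written out twice, once in xen_pcibk_config_read and once in xen_pcibk_config_write, with nothing stating the interval convention it relies on. This test decides which per-field handlers a config-space request is routed through, so the two copies must not drift apart. I would move it into one small static inline helper taking the four bounds and call it from both sites, or at least put `/* half-open ranges [req_start, req_end) and [field_start, field_end) intersect */` above each check. `field_end` is visibly `OFFSET(cfg_entry) + field->size`, but `req_end` is computed outside the hunks, so it should be confirmed to be exclusive as well. Both functions start and end outside the visible hunks.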