From: Greg Kroah-Hartman Date: Thu, 11 Jul 2013 21:30:04 +0000 (-0700) Subject: 3.9-stable patches X-Git-Tag: v3.0.86~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5306c05e4af018170104b9eed1b1561031b088c5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.9-stable patches added patches: kvm-vmx-mark-unusable-segment-as-nonpresent.patch nfsd4-fix-decoding-of-compounds-across-page-boundaries.patch revert-memcg-avoid-dangling-reference-count-in-creation-failure.patch scsi-sd-fix-parsing-of-temporary-cache-mode-prefix.patch
---
diff --git a/queue-3.9/kvm-vmx-mark-unusable-segment-as-nonpresent.patch b/queue-3.9/kvm-vmx-mark-unusable-segment-as-nonpresent.patch
new file mode 100644
index 00000000000..5ae03b38d2d
--- /dev/null
+++ b/queue-3.9/kvm-vmx-mark-unusable-segment-as-nonpresent.patch
@@ -0,0 +1,52 @@
+From 03617c188f41eeeb4223c919ee7e66e5a114f2c6 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov
+Date: Fri, 28 Jun 2013 13:17:18 +0300
+Subject: KVM: VMX: mark unusable segment as nonpresent
+
+From: Gleb Natapov
+
+commit 03617c188f41eeeb4223c919ee7e66e5a114f2c6 upstream.
+
+Some userspaces do not preserve unusable property. Since usable
+segment has to be present according to VMX spec we can use present
+property to amend userspace bug by making unusable segment always
+nonpresent. vmx_segment_access_rights() already marks nonpresent segment
+as unusable.
+
+Reported-by: Stefan Pietsch
+Tested-by: Stefan Pietsch
+Signed-off-by: Gleb Natapov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3259,15 +3259,22 @@ static void vmx_get_segment(struct kvm_v
+ var->limit = vmx_read_guest_seg_limit(vmx, seg);
+ var->selector = vmx_read_guest_seg_selector(vmx, seg);
+ ar = vmx_read_guest_seg_ar(vmx, seg);
++ var->unusable = (ar >> 16) & 1;
+ var->type = ar & 15;
+ var->s = (ar >> 4) & 1;
+ var->dpl = (ar >> 5) & 3;
+- var->present = (ar >> 7) & 1;
++ /*
++ * Some userspaces do not preserve unusable property. Since usable
++ * segment has to be present according to VMX spec we can use present
++ * property to amend userspace bug by making unusable segment always
++ * nonpresent. vmx_segment_access_rights() already marks nonpresent
++ * segment as unusable.
++ */
++ var->present = !var->unusable;
+ var->avl = (ar >> 12) & 1;
+ var->l = (ar >> 13) & 1;
+ var->db = (ar >> 14) & 1;
+ var->g = (ar >> 15) & 1;
+- var->unusable = (ar >> 16) & 1;
+ }
+
+ static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg)
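Review bot: In the queued vmx.c change, `var->present = !var->unusable;` no longer reads the P bit (bit 7) of the access-rights word at all, and the added comment explains the userspace workaround without saying that dropping that read is deliberate. Since the commit message implies this segment state goes out to userspace and comes back, I would add one line to the comment, e.g. `* The AR P bit (bit 7) is intentionally not consulted; present is derived from unusable only.`, so a later cleanup does not restore the old read. The new assignment also depends on `var->unusable = (ar >> 16) & 1;` staying above it, which is worth stating in the same comment. vmx_get_segment() begins outside the hunk, so any earlier return path that fills `var` differently is not visible here.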
diff --git a/queue-3.9/nfsd4-fix-decoding-of-compounds-across-page-boundaries.patch b/queue-3.9/nfsd4-fix-decoding-of-compounds-across-page-boundaries.patch
new file mode 100644
index 00000000000..1b279e6e380
--- /dev/null
+++ b/queue-3.9/nfsd4-fix-decoding-of-compounds-across-page-boundaries.patch
@@ -0,0 +1,37 @@
+From 247500820ebd02ad87525db5d9b199e5b66f6636 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Fri, 21 Jun 2013 11:48:11 -0400
+Subject: nfsd4: fix decoding of compounds across page boundaries
+
+From: "J. Bruce Fields"
+
+commit 247500820ebd02ad87525db5d9b199e5b66f6636 upstream.
+
+A freebsd NFSv4.0 client was getting rare IO errors expanding a tarball.
+A network trace showed the server returning BAD_XDR on the final getattr
+of a getattr+write+getattr compound. The final getattr started on a
+page boundary.
+
+I believe the Linux client ignores errors on the post-write getattr, and
+that that's why we haven't seen this before.
+
+Reported-by: Rick Macklem
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -162,8 +162,8 @@ static __be32 *read_buf(struct nfsd4_com
+ */
+ memcpy(p, argp->p, avail);
+ /* step to next page */
+- argp->p = page_address(argp->pagelist[0]);
+ argp->pagelist++;
++ argp->p = page_address(argp->pagelist[0]);
+ if (argp->pagelen < PAGE_SIZE) {
+ argp->end = argp->p + (argp->pagelen>>2);
+ argp->pagelen = 0;
diff --git a/queue-3.9/revert-memcg-avoid-dangling-reference-count-in-creation-failure.patch b/queue-3.9/revert-memcg-avoid-dangling-reference-count-in-creation-failure.patch
new file mode 100644
index 00000000000..ef930b2cc8f
--- /dev/null
+++ b/queue-3.9/revert-memcg-avoid-dangling-reference-count-in-creation-failure.patch
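Review bot: After the reorder in the queued nfs4xdr.c change, `argp->p = page_address(argp->pagelist[0]);` reads the pagelist entry that follows the increment, and nothing inside the hunk shows that such an entry exists. read_buf() decodes client-supplied XDR and its opening lines are outside the hunk, so the bound (presumably a comparison of the requested length against `avail` plus `argp->pagelen`) should be confirmed there rather than assumed. Because the statement order is the entire fix, I would also extend the existing comment to `/* step to next page: advance pagelist before taking the page address */` so the two lines are not swapped back.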
@@ -0,0 +1,41 @@
+From fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Mon, 8 Jul 2013 16:00:27 -0700
+Subject: Revert "memcg: avoid dangling reference count in creation failure"
+
+From: Michal Hocko
+
+commit fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 upstream.
+
+This reverts commit e4715f01be697a.
+
+mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
+an additional reference from all parents so the additional
+mem_cgrroup_put(parent) potentially causes use-after-free.
+
+Signed-off-by: Michal Hocko
+Signed-off-by: Li Zefan
+Acked-by: KAMEZAWA Hiroyuki
+Cc: Hugh Dickins
+Cc: Tejun Heo
+Cc: Glauber Costa
+Cc: Johannes Weiner
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/memcontrol.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6186,8 +6186,6 @@ mem_cgroup_css_online(struct cgroup *con
+ * call __mem_cgroup_free, so return directly
+ */
+ mem_cgroup_put(memcg);
+- if (parent->use_hierarchy)
+- mem_cgroup_put(parent);
+ }
+ return error;
+ }
diff --git a/queue-3.9/scsi-sd-fix-parsing-of-temporary-cache-mode-prefix.patch b/queue-3.9/scsi-sd-fix-parsing-of-temporary-cache-mode-prefix.patch
new file mode 100644
index 00000000000..069143df365
--- /dev/null
+++ b/queue-3.9/scsi-sd-fix-parsing-of-temporary-cache-mode-prefix.patch
@@ -0,0 +1,34 @@
+From 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Mon, 27 May 2013 19:07:19 +0100
+Subject: SCSI: sd: Fix parsing of 'temporary ' cache mode prefix
+
+From: Ben Hutchings
+
+commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream.
+
+Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing
+performance problems' added temp as a pointer to "temporary " and used
+sizeof(temp) - 1 as its length. But sizeof(temp) is the size of the
+pointer, not the size of the string constant. Change temp to a static
+array so that sizeof() does what was intended.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -142,7 +142,7 @@ sd_store_cache_type(struct device *dev,
+ char *buffer_data;
+ struct scsi_mode_data data;
+ struct scsi_sense_hdr sshdr;
+- const char *temp = "temporary ";
++ static const char temp[] = "temporary ";
+ int len;
+
+ if (sdp->type != TYPE_DISK)
diff --git a/queue-3.9/series b/queue-3.9/series
index 2dd4049b103..d8a202a696d 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -9,3 +9,7 @@ crypto-sanitize-argument-for-format-string.patch
 maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
 futex-take-hugepages-into-account-when-generating-futex_key.patch
 revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
+nfsd4-fix-decoding-of-compounds-across-page-boundaries.patch
+kvm-vmx-mark-unusable-segment-as-nonpresent.patch
+scsi-sd-fix-parsing-of-temporary-cache-mode-prefix.patch
+revert-memcg-avoid-dangling-reference-count-in-creation-failure.patch
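Review bot: In the queued sd.c change, `static const char temp[] = "temporary ";` is correct only while `temp` stays an array, because the `sizeof(temp) - 1` length the commit message describes sits outside the hunk and silently reverts to pointer size if the declaration is ever changed back. sd_store_cache_type() appears to parse a caller-supplied string, so a wrong prefix length changes how much of that input is skipped before the mode name is matched. I would put a comment on the declaration, `/* must be an array: sizeof(temp) - 1 is used as the prefix length */`, or compute the length with `strlen(temp)` at the point of use so the code no longer depends on the declaration's form.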