From: Greg Kroah-Hartman Date: Sun, 26 Apr 2015 09:39:16 +0000 (+0200) Subject: 3.10-stable patches X-Git-Tag: v4.0.1~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e0c1528fdd00e93e681caeeb0a75f285f4b8adc;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: jfs-fix-readdir-regression.patch mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch serial-8250_dw-fix-deadlock-in-lcr-workaround.patch splice-apply-generic-position-and-size-checks-to-each-write.patch
---
diff --git a/queue-3.10/jfs-fix-readdir-regression.patch b/queue-3.10/jfs-fix-readdir-regression.patch
new file mode 100644
index 00000000000..673278f01e9
--- /dev/null
+++ b/queue-3.10/jfs-fix-readdir-regression.patch
@@ -0,0 +1,47 @@
+From dave.kleikamp@oracle.com Sun Apr 26 11:32:43 2015
+From: Dave Kleikamp
+Date: Mon, 23 Mar 2015 16:06:26 -0500
+Subject: jfs: fix readdir regression
+To: stable
+Cc: JFS Discussion
+Message-ID: <55108052.6070603@oracle.com>
+
+From: Dave Kleikamp
+
+Upstream commit 44512449, "jfs: fix readdir cookie incompatibility
+with NFSv4", was backported incorrectly into the stable trees which
+used the filldir callback (rather than dir_emit). The position is
+being incorrectly passed to filldir for the . and .. entries.
+
+The still-maintained stable trees that need to be fixed are 3.2.y,
+3.4.y and 3.10.y.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=94741
+
+Signed-off-by: Dave Kleikamp
+Cc: jfs-discussion@lists.sourceforge.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jfs/jfs_dtree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -3103,7 +3103,7 @@ int jfs_readdir(struct file *filp, void
+ * self "."
+ */
+ filp->f_pos = 1;
+- if (filldir(dirent, ".", 1, 0, ip->i_ino,
++ if (filldir(dirent, ".", 1, 1, ip->i_ino,
+ DT_DIR))
+ return 0;
+ }
+@@ -3111,7 +3111,7 @@ int jfs_readdir(struct file *filp, void
+ * parent ".."
+ */
+ filp->f_pos = 2;
+- if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
++ if (filldir(dirent, "..", 2, 2, PARENT(ip), DT_DIR))
+ return 0;
+
+ /*
diff --git a/queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch b/queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
new file mode 100644
index 00000000000..090db9119ef
--- /dev/null
+++ b/queue-3.10/mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
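Review bot: The offset now handed to filldir() for "." (1) and ".." (2) is a literal that must equal the value stored into filp->f_pos on the line directly above each call, and that pairing is exactly what the earlier backport got wrong; passing the field instead of repeating the number keeps the two from drifting apart again, e.g. `if (filldir(dirent, ".", 1, filp->f_pos, ip->i_ino,` and `if (filldir(dirent, "..", 2, filp->f_pos, PARENT(ip), DT_DIR))`. A one-line comment above the first call would also protect the next backporter, something like `/* offset passed to filldir must equal f_pos: NFSv4 readdir cookies are derived from it (see upstream 44512449) */`. jfs_readdir() begins before the hunk and continues past it.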
@@ -0,0 +1,55 @@
+From ee53664bda169f519ce3c6a22d378f0b946c8178 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Fri, 20 Dec 2013 15:10:03 +0200
+Subject: mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
+
+From: "Kirill A. Shutemov"
+
+commit ee53664bda169f519ce3c6a22d378f0b946c8178 upstream.
+
+Sasha Levin found a NULL pointer dereference that is due to a missing
+page table lock, which in turn is due to the pmd entry in question being
+a transparent huge-table entry.
+
+The code - introduced in commit 1998cc048901 ("mm: make
+madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
+for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
+turns out that that function doesn't work correctly.
+
+pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
+trigger if the transparent hugepage bit was set, but it doesn't do that
+if pmd_numa() is also set. Note that the NUMA bit only gets set on real
+NUMA machines, so people trying to reproduce this on most normal
+development systems would never actually trigger this.
+
+Fix it by removing the very subtle (and subtly incorrect) expectation,
+and instead just checking pmd_trans_huge() explicitly.
+
+Reported-by: Sasha Levin
+Acked-by: Andrea Arcangeli
+[ Additionally remove the now stale test for pmd_trans_huge() inside the
+ pmd_bad() case - Linus ]
+Signed-off-by: Linus Torvalds
+Cc: Wang Long
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/asm-generic/pgtable.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/include/asm-generic/pgtable.h
++++ b/include/asm-generic/pgtable.h
+@@ -550,11 +550,10 @@ static inline int pmd_none_or_trans_huge
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ barrier();
+ #endif
+- if (pmd_none(pmdval))
++ if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
+ return 1;
+ if (unlikely(pmd_bad(pmdval))) {
+- if (!pmd_trans_huge(pmdval))
+- pmd_clear_bad(pmd);
++ pmd_clear_bad(pmd);
+ return 1;
+ }
+ return 0;
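Review bot: The header comment of pmd_none_or_trans_huge_or_clear_bad() sits above the hunk and, going by the commit message, presumably still describes the old reliance on pmd_bad() catching a huge pmd; now that pmd_trans_huge() is tested explicitly on the first changed line it should say that a transparent-huge pmd returns 1 before pmd_bad() is ever consulted, so a caller that gets 1 must not walk the entry as a page table but take the page-table lock and re-check. A comment on the changed line would capture the second subtlety too: `/* pmdval is a snapshot (see barrier() above): both tests see the same value; a THP pmd returns 1 so callers never pass it to pmd_clear_bad() */` — that pmdval is a local copy is inferred from the barrier() and should be confirmed against the declaration outside the hunk. The function starts before the hunk and its closing brace lies past it.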
diff --git a/queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch b/queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
new file mode 100644
index 00000000000..f9bfd0c003d
--- /dev/null
+++ b/queue-3.10/serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
@@ -0,0 +1,62 @@
+From 7fd6f640f2dd17dac6ddd6702c378cb0bb9cfa11 Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Wed, 11 Mar 2015 09:19:16 -0400
+Subject: serial: 8250_dw: Fix deadlock in LCR workaround
+
+From: Peter Hurley
+
+commit 7fd6f640f2dd17dac6ddd6702c378cb0bb9cfa11 upstream.
+
+Trying to write console output from within the serial console driver
+while the port->lock is held causes recursive deadlock:
+
+ CPU 0
+spin_lock_irqsave(&port->lock)
+printk()
+ console_unlock()
+ call_console_drivers()
+ serial8250_console_write()
+ spin_lock_irqsave(&port->lock)
+** DEADLOCK **
+
+The 8250_dw i/o accessors try to write a console error message if the
+LCR workaround was unsuccessful. When the port->lock is already held
+(eg., when called from serial8250_set_termios()), this deadlocks.
+
+Make the error message a FIXME until a general solution is devised.
+
+Cc: Tim Kryger
+Reported-by: Zhang Zhen
+Signed-off-by: Peter Hurley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_dw.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -98,7 +98,10 @@ static void dw8250_serial_out(struct uar
+ dw8250_force_idle(p);
+ writeb(value, p->membase + (UART_LCR << p->regshift));
+ }
+- dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++ /*
++ * FIXME: this deadlocks if port->lock is already held
++ * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++ */
+ }
+ }
+
+@@ -128,7 +131,10 @@ static void dw8250_serial_out32(struct u
+ dw8250_force_idle(p);
+ writel(value, p->membase + (UART_LCR << p->regshift));
+ }
+- dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++ /*
++ * FIXME: this deadlocks if port->lock is already held
++ * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
++ */
+ }
+ }
+
diff --git a/queue-3.10/series b/queue-3.10/series
index 5435a1827d0..17001939d1c 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
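Review bot: Commenting the dev_err() out, in both dw8250_serial_out() and dw8250_serial_out32(), silently discards the only signal that the LCR workaround failed and leaves commented-out code behind a FIXME. A less lossy interim fix is to record the failure instead of printing it under port->lock — a flag or counter in the driver's private data that a context not holding the lock can report, or a deferred printk variant if this tree has one (printk_sched() in trees of this age, printk_deferred() later; verify before relying on it). At minimum the FIXME should say why a plain dev_err() is unsafe so nobody reinstates it: `/* FIXME: no dev_err() here: callers such as serial8250_set_termios() hold port->lock, and the console write path re-takes it (recursive deadlock) */`. Both functions begin before their hunks.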
@@ -11,3 +11,7 @@ bnx2-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 tg3-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 ixgb-call-dev_kfree_skby_any-instead-of-dev_kfree_skb.patch
 benet-call-dev_kfree_skby_any-instead-of-kfree_skb.patch
+serial-8250_dw-fix-deadlock-in-lcr-workaround.patch
+jfs-fix-readdir-regression.patch
+splice-apply-generic-position-and-size-checks-to-each-write.patch
+mm-fix-null-pointer-dereference-in-madvise-madv_willneed-support.patch
diff --git a/queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch b/queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch
new file mode 100644
index 00000000000..e91843dc730
--- /dev/null
+++ b/queue-3.10/splice-apply-generic-position-and-size-checks-to-each-write.patch
@@ -0,0 +1,68 @@
+From 894c6350eaad7e613ae267504014a456e00a3e2a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Thu, 29 Jan 2015 02:50:33 +0000
+Subject: splice: Apply generic position and size checks to each write
+
+From: Ben Hutchings
+
+commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.
+
+We need to check the position and size of file writes against various
+limits, using generic_write_check(). This was not being done for
+the splice write path. It was fixed upstream by commit 8d0207652cbe
+("->splice_write() via ->write_iter()") but we can't apply that.
+
+CVE-2014-7822
+
+Signed-off-by: Ben Hutchings
+[Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
+Signed-off-by: Zhang Zhen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/file.c | 8 +++++---
+ fs/splice.c | 8 ++++++--
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2459,12 +2459,14 @@ static ssize_t ocfs2_file_splice_write(s
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+-
++ ret = generic_write_checks(out, ppos, &len, 0);
++ if(ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
+
+ trace_ocfs2_file_splice_write(inode, out, out->f_path.dentry,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno,
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1012,13 +1012,17 @@ generic_file_splice_write(struct pipe_in
+ struct address_space *mapping = out->f_mapping;
+ struct inode *inode = mapping->host;
+ struct splice_desc sd = {
+- .total_len = len,
+ .flags = flags,
+- .pos = *ppos,
+ .u.file = out,
+ };
+ ssize_t ret;
+
++ ret = generic_write_checks(out, ppos, &len, S_ISBLK(inode->i_mode));
++ if (ret)
++ return ret;
++ sd.total_len = len;
++ sd.pos = *ppos;
++
+ pipe_lock(pipe);
+
+ splice_from_pipe_begin(&sd);
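Review bot: The ocfs2 hunk writes `if(ret)` where kernel style (and the fs/splice.c hunk two lines down) has `if (ret)`, and it assigns to `ret` whose declaration is outside the hunk, so the 3.10 port should confirm ocfs2_file_splice_write() already declares it and that no further declarations follow the `sd` initializer — otherwise the new assignment introduces a declaration-after-statement warning the 3.2 version did not have. Reading `len` and `*ppos` only after generic_write_checks() returns is the right order, since that call may clamp the count and rewrite the position; a comment such as `/* generic_write_checks() may shrink len and move *ppos; fill sd only afterwards */` above `sd.total_len = len;` would keep a later cleanup from folding the fields back into the initializer. Both hunks cover only these two ->splice_write implementations, which is what the 3.2 backport identified; any other filesystem in this tree whose ->splice_write builds its own splice_desc instead of calling generic_file_splice_write() would still be missing the CVE-2014-7822 checks, so a grep for `.splice_write =` is worth doing before this lands. Both functions begin before their hunks and continue past them.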