From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 18 Aug 2013 18:28:22 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.0.92~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=90f2f836f45fef8471b60e9b33d5c980705416ab;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	cpuset-fix-the-return-value-of-cpuset_write_u64.patch
	jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
---

diff --git a/queue-3.10/cpuset-fix-the-return-value-of-cpuset_write_u64.patch b/queue-3.10/cpuset-fix-the-return-value-of-cpuset_write_u64.patch
new file mode 100644
index 00000000000..887e3b4321a
--- /dev/null
+++ b/queue-3.10/cpuset-fix-the-return-value-of-cpuset_write_u64.patch
@@ -0,0 +1,40 @@
+From a903f0865a190f8778c73df1a810ea6e25e5d7cf Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizefan@huawei.com>
+Date: Tue, 13 Aug 2013 10:05:59 +0800
+Subject: cpuset: fix the return value of cpuset_write_u64()
+
+From: Li Zefan <lizefan@huawei.com>
+
+commit a903f0865a190f8778c73df1a810ea6e25e5d7cf upstream.
+
+Writing to this file always returns -ENODEV:
+
+  # echo 1 > cpuset.memory_pressure_enabled
+  -bash: echo: write error: No such device
+
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpuset.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1502,11 +1502,13 @@ static int cpuset_write_u64(struct cgrou
+ {
+ 	struct cpuset *cs = cgroup_cs(cgrp);
+ 	cpuset_filetype_t type = cft->private;
+-	int retval = -ENODEV;
++	int retval = 0;
+ 
+ 	mutex_lock(&cpuset_mutex);
+-	if (!is_cpuset_online(cs))
++	if (!is_cpuset_online(cs)) {
++		retval = -ENODEV;
+ 		goto out_unlock;
++	}
+ 
+ 	switch (type) {
+ 	case FILE_CPU_EXCLUSIVE:
diff --git a/queue-3.10/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch b/queue-3.10/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
new file mode 100644
index 00000000000..710d8dc18ac
--- /dev/null
+++ b/queue-3.10/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
@@ -0,0 +1,47 @@
+From 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 12 Aug 2013 09:53:28 -0400
+Subject: jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 upstream.
+
+When jbd2_journal_dirty_metadata() returns error,
+__ext4_handle_dirty_metadata() stops the handle. However callers of this
+function do not count with that fact and still happily used now freed
+handle. This use after free can result in various issues but very likely
+we oops soon.
+
+The motivation of adding __ext4_journal_stop() into
+__ext4_handle_dirty_metadata() in commit 9ea7a0df seems to be only to
+improve error reporting. So replace __ext4_journal_stop() with
+ext4_journal_abort_handle() which was there before that commit and add
+WARN_ON_ONCE() to dump stack to provide useful information.
+
+Reported-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_jbd2.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/ext4_jbd2.c
++++ b/fs/ext4/ext4_jbd2.c
+@@ -219,10 +219,10 @@ int __ext4_handle_dirty_metadata(const c
+ 	set_buffer_prio(bh);
+ 	if (ext4_handle_valid(handle)) {
+ 		err = jbd2_journal_dirty_metadata(handle, bh);
+-		if (err) {
+-			/* Errors can only happen if there is a bug */
+-			handle->h_err = err;
+-			__ext4_journal_stop(where, line, handle);
++		/* Errors can only happen if there is a bug */
++		if (WARN_ON_ONCE(err)) {
++			ext4_journal_abort_handle(where, line, __func__, bh,
++						  handle, err);
+ 		}
+ 	} else {
+ 		if (inode)
diff --git a/queue-3.10/series b/queue-3.10/series
index 6c2e34dbcff..89a08c4afb5 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -41,3 +41,5 @@ arm-7809-1-perf-fix-event-validation-for-software-group-leaders.patch
 m68k-truncate-base-in-do_div.patch
 m68k-atari-aranym-fix-natfeat-module-support.patch
 s390-fix-broken-build.patch
+jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
+cpuset-fix-the-return-value-of-cpuset_write_u64.patch