From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 10 Oct 2013 23:56:55 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.100~6^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e43d678985f77b3de3aabf79cf972782fbeb5746;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0-stable patches

added patches:
	btrfs-change-how-we-queue-blocks-for-backref-checking.patch
	ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch
	tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
	tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch
	tools-hv-verify-origin-of-netlink-connector-message.patch
---

diff --git a/queue-3.0/btrfs-change-how-we-queue-blocks-for-backref-checking.patch b/queue-3.0/btrfs-change-how-we-queue-blocks-for-backref-checking.patch
new file mode 100644
index 00000000000..3055438e902
--- /dev/null
+++ b/queue-3.0/btrfs-change-how-we-queue-blocks-for-backref-checking.patch
@@ -0,0 +1,68 @@
+From b6c60c8018c4e9beb2f83fc82c09f9d033766571 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fusionio.com>
+Date: Tue, 30 Jul 2013 16:30:30 -0400
+Subject: Btrfs: change how we queue blocks for backref checking
+
+From: Josef Bacik <jbacik@fusionio.com>
+
+commit b6c60c8018c4e9beb2f83fc82c09f9d033766571 upstream.
+
+Previously we only added blocks to the list to have their backrefs checked if
+the level of the block is right above the one we are searching for.  This is
+because we want to make sure we don't add the entire path up to the root to the
+lists to make sure we process things one at a time.  This assumes that if any
+blocks in the path to the root are going to be not checked (shared in other
+words) then they will be in the level right above the current block on up.  This
+isn't quite right though since we can have blocks higher up the list that are
+shared because they are attached to a reloc root.  But we won't add this block
+to be checked and then later on we will BUG_ON(!upper->checked).  So instead
+keep track of wether or not we've queued a block to be checked in this current
+search, and if we haven't go ahead and queue it to be checked.  This patch fixed
+the panic I was seeing where we BUG_ON(!upper->checked).  Thanks,
+
+Signed-off-by: Josef Bacik <jbacik@fusionio.com>
+Signed-off-by: Chris Mason <chris.mason@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -670,6 +670,7 @@ struct backref_node *build_backref_tree(
+ 	int cowonly;
+ 	int ret;
+ 	int err = 0;
++	bool need_check = true;
+ 
+ 	path1 = btrfs_alloc_path();
+ 	path2 = btrfs_alloc_path();
+@@ -892,6 +893,7 @@ again:
+ 			cur->bytenr);
+ 
+ 		lower = cur;
++		need_check = true;
+ 		for (; level < BTRFS_MAX_LEVEL; level++) {
+ 			if (!path2->nodes[level]) {
+ 				BUG_ON(btrfs_root_bytenr(&root->root_item) !=
+@@ -935,14 +937,12 @@ again:
+ 
+ 				/*
+ 				 * add the block to pending list if we
+-				 * need check its backrefs. only block
+-				 * at 'cur->level + 1' is added to the
+-				 * tail of pending list. this guarantees
+-				 * we check backrefs from lower level
+-				 * blocks to upper level blocks.
++				 * need check its backrefs, we only do this once
++				 * while walking up a tree as we will catch
++				 * anything else later on.
+ 				 */
+-				if (!upper->checked &&
+-				    level == cur->level + 1) {
++				if (!upper->checked && need_check) {
++					need_check = false;
+ 					list_add_tail(&edge->list[UPPER],
+ 						      &list);
+ 				} else
diff --git a/queue-3.0/ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch b/queue-3.0/ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch
new file mode 100644
index 00000000000..2f94b568c70
--- /dev/null
+++ b/queue-3.0/ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch
@@ -0,0 +1,48 @@
+From 0e9a9a1ad619e7e987815d20262d36a2f95717ca Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 27 Dec 2012 01:42:50 -0500
+Subject: ext4: avoid hang when mounting non-journal filesystems with orphan list
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 0e9a9a1ad619e7e987815d20262d36a2f95717ca upstream.
+
+When trying to mount a file system which does not contain a journal,
+but which does have a orphan list containing an inode which needs to
+be truncated, the mount call with hang forever in
+ext4_orphan_cleanup() because ext4_orphan_del() will return
+immediately without removing the inode from the orphan list, leading
+to an uninterruptible loop in kernel code which will busy out one of
+the CPU's on the system.
+
+This can be trivially reproduced by trying to mount the file system
+found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
+source tree.  If a malicious user were to put this on a USB stick, and
+mount it on a Linux desktop which has automatic mounts enabled, this
+could be considered a potential denial of service attack.  (Not a big
+deal in practice, but professional paranoids worry about such things,
+and have even been known to allocate CVE numbers for such problems.)
+
+-js: This is a fix for CVE-2013-2015.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
+Acked-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2059,7 +2059,8 @@ int ext4_orphan_del(handle_t *handle, st
+ 	int err = 0;
+ 
+ 	/* ext4_handle_valid() assumes a valid handle_t pointer */
+-	if (handle && !ext4_handle_valid(handle))
++	if (handle && !ext4_handle_valid(handle) &&
++	    !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
+ 		return 0;
+ 
+ 	mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
diff --git a/queue-3.0/series b/queue-3.0/series
index 5da8c671477..e2af7871670 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -30,3 +30,8 @@ kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
 usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
 staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch
 acpi-ipmi-fix-atomic-context-requirement-of-ipmi_msg_handler.patch
+tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch
+btrfs-change-how-we-queue-blocks-for-backref-checking.patch
+ext4-avoid-hang-when-mounting-non-journal-filesystems-with-orphan-list.patch
+tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
+tools-hv-verify-origin-of-netlink-connector-message.patch
diff --git a/queue-3.0/tg3-fix-length-overflow-in-vpd-firmware-parsing.patch b/queue-3.0/tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
new file mode 100644
index 00000000000..80934cee75c
--- /dev/null
+++ b/queue-3.0/tg3-fix-length-overflow-in-vpd-firmware-parsing.patch
@@ -0,0 +1,53 @@
+From 715230a44310a8cf66fbfb5a46f9a62a9b2de424 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: tg3: fix length overflow in VPD firmware parsing
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+-js: This fixes CVE-2013-1929.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Oded Horovitz <oded@privatecore.com>
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Cc: stable@vger.kernel.org
+Cc: Matt Carlson <mcarlson@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/net/tg3.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -13067,8 +13067,11 @@ static void __devinit tg3_read_vpd(struc
+ 		if (j + len > block_end)
+ 			goto partno;
+ 
+-		memcpy(tp->fw_ver, &vpd_data[j], len);
+-		strncat(tp->fw_ver, " bc ", TG3_NVM_VPD_LEN - len - 1);
++		if (len >= sizeof(tp->fw_ver))
++			len = sizeof(tp->fw_ver) - 1;
++		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++			 &vpd_data[j]);
+ 	}
+ 
+ partno:
diff --git a/queue-3.0/tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch b/queue-3.0/tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch
new file mode 100644
index 00000000000..64a75e1002a
--- /dev/null
+++ b/queue-3.0/tile-use-a-more-conservative-__my_cpu_offset-in-config_preempt.patch
@@ -0,0 +1,71 @@
+From f862eefec0b68e099a9fa58d3761ffb10bad97e1 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@tilera.com>
+Date: Thu, 26 Sep 2013 13:24:53 -0400
+Subject: tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT
+
+From: Chris Metcalf <cmetcalf@tilera.com>
+
+commit f862eefec0b68e099a9fa58d3761ffb10bad97e1 upstream.
+
+It turns out the kernel relies on barrier() to force a reload of the
+percpu offset value.  Since we can't easily modify the definition of
+barrier() to include "tp" as an output register, we instead provide a
+definition of __my_cpu_offset as extended assembly that includes a fake
+stack read to hazard against barrier(), forcing gcc to know that it
+must reread "tp" and recompute anything based on "tp" after a barrier.
+
+This fixes observed hangs in the slub allocator when we are looping
+on a percpu cmpxchg_double.
+
+A similar fix for ARMv7 was made in June in change 509eb76ebf97.
+
+Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/include/asm/percpu.h |   34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+--- a/arch/tile/include/asm/percpu.h
++++ b/arch/tile/include/asm/percpu.h
+@@ -15,9 +15,37 @@
+ #ifndef _ASM_TILE_PERCPU_H
+ #define _ASM_TILE_PERCPU_H
+ 
+-register unsigned long __my_cpu_offset __asm__("tp");
+-#define __my_cpu_offset __my_cpu_offset
+-#define set_my_cpu_offset(tp) (__my_cpu_offset = (tp))
++register unsigned long my_cpu_offset_reg asm("tp");
++
++#ifdef CONFIG_PREEMPT
++/*
++ * For full preemption, we can't just use the register variable
++ * directly, since we need barrier() to hazard against it, causing the
++ * compiler to reload anything computed from a previous "tp" value.
++ * But we also don't want to use volatile asm, since we'd like the
++ * compiler to be able to cache the value across multiple percpu reads.
++ * So we use a fake stack read as a hazard against barrier().
++ * The 'U' constraint is like 'm' but disallows postincrement.
++ */
++static inline unsigned long __my_cpu_offset(void)
++{
++	unsigned long tp;
++	register unsigned long *sp asm("sp");
++	asm("move %0, tp" : "=r" (tp) : "U" (*sp));
++	return tp;
++}
++#define __my_cpu_offset __my_cpu_offset()
++#else
++/*
++ * We don't need to hazard against barrier() since "tp" doesn't ever
++ * change with PREEMPT_NONE, and with PREEMPT_VOLUNTARY it only
++ * changes at function call points, at which we are already re-reading
++ * the value of "tp" due to "my_cpu_offset_reg" being a global variable.
++ */
++#define __my_cpu_offset my_cpu_offset_reg
++#endif
++
++#define set_my_cpu_offset(tp) (my_cpu_offset_reg = (tp))
+ 
+ #include <asm-generic/percpu.h>
+ 
diff --git a/queue-3.0/tools-hv-verify-origin-of-netlink-connector-message.patch b/queue-3.0/tools-hv-verify-origin-of-netlink-connector-message.patch
new file mode 100644
index 00000000000..1676f84b3f2
--- /dev/null
+++ b/queue-3.0/tools-hv-verify-origin-of-netlink-connector-message.patch
@@ -0,0 +1,49 @@
+From bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Thu, 31 May 2012 16:40:06 +0200
+Subject: Tools: hv: verify origin of netlink connector message
+
+From: Olaf Hering <olaf@aepfle.de>
+
+commit bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c upstream.
+
+The SuSE security team suggested to use recvfrom instead of recv to be
+certain that the connector message is originated from kernel.
+
+CVE-2012-2669
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: Marcus Meissner <meissner@suse.de>
+Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
+---
+ drivers/staging/hv/tools/hv_kvp_daemon.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/hv/tools/hv_kvp_daemon.c
++++ b/drivers/staging/hv/tools/hv_kvp_daemon.c
+@@ -378,14 +378,18 @@ int main(void)
+ 	pfd.fd = fd;
+ 
+ 	while (1) {
++		struct sockaddr *addr_p = (struct sockaddr *) &addr;
++		socklen_t addr_l = sizeof(addr);
+ 		pfd.events = POLLIN;
+ 		pfd.revents = 0;
+ 		poll(&pfd, 1, -1);
+ 
+-		len = recv(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0);
++		len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
++				addr_p, &addr_l);
+ 
+-		if (len < 0) {
+-			syslog(LOG_ERR, "recv failed; error:%d", len);
++		if (len < 0 || addr.nl_pid) {
++			syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
++					addr.nl_pid, errno, strerror(errno));
+ 			close(fd);
+ 			return -1;
+ 		}