From 38cf2b9a630bc041bb45a80cb074c8398d034b46 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 3 Jun 2015 14:29:22 +0900
Subject: [PATCH] 3.10-stable patches

added patches:
	md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
	svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch
---
 ...ord-new-size-if-resize_stripes-fails.patch | 40 ++++++++
 queue-3.10/series                             |  2 +
 ...accept_sec_context-decoding-failures.patch | 92 +++++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 queue-3.10/md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
 create mode 100644 queue-3.10/svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch

diff --git a/queue-3.10/md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch b/queue-3.10/md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
new file mode 100644
index 00000000000..914f9284838
--- /dev/null
+++ b/queue-3.10/md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
@@ -0,0 +1,40 @@
+From 6e9eac2dcee5e19f125967dd2be3e36558c42fff Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Fri, 8 May 2015 18:19:34 +1000
+Subject: md/raid5: don't record new size if resize_stripes fails.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 6e9eac2dcee5e19f125967dd2be3e36558c42fff upstream.
+
+If any memory allocation in resize_stripes fails we will return
+-ENOMEM, but in some cases we update conf->pool_size anyway.
+
+This means that if we try again, the allocations will be assumed
+to be larger than they are, and badness results.
+
+So only update pool_size if there is no error.
+
+This bug was introduced in 2.6.17 and the patch is suitable for
+-stable.
+
+Fixes: ad01c9e3752f ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1701,7 +1701,8 @@ static int resize_stripes(struct r5conf
+ 
+ 	conf->slab_cache = sc;
+ 	conf->active_name = 1-conf->active_name;
+-	conf->pool_size = newsize;
++	if (!err)
++		conf->pool_size = newsize;
+ 	return err;
+ }
+ 
diff --git a/queue-3.10/series b/queue-3.10/series
index c27081c6dff..1bc98730e94 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -37,3 +37,5 @@ rt2x00-add-new-rt2800usb-device-dwa-130.patch
 crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch
 arm-dts-imx27-only-map-4-kbyte-for-fec-registers.patch
 arm-fix-missing-syscall-trace-exit.patch
+svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch
+md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
diff --git a/queue-3.10/svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch b/queue-3.10/svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch
new file mode 100644
index 00000000000..b1fcd31fec1
--- /dev/null
+++ b/queue-3.10/svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch
@@ -0,0 +1,92 @@
+From 9507271d960a1911a51683888837d75c171cd91f Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Tue, 28 Apr 2015 16:29:53 -0400
+Subject: svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 9507271d960a1911a51683888837d75c171cd91f upstream.
+
+In an environment where the KDC is running Active Directory, the
+exported composite name field returned in the context could be large
+enough to span a page boundary.  Attaching a scratch buffer to the
+decoding xdr_stream helps deal with those cases.
+
+The case where we saw this was actually due to behavior that's been
+fixed in newer gss-proxy versions, but we're fixing it here too.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/gss_rpc_xdr.c |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+@@ -794,20 +794,26 @@ int gssx_dec_accept_sec_context(struct r
+ {
+ 	u32 value_follows;
+ 	int err;
++	struct page *scratch;
++
++	scratch = alloc_page(GFP_KERNEL);
++	if (!scratch)
++		return -ENOMEM;
++	xdr_set_scratch_buffer(xdr, page_address(scratch), PAGE_SIZE);
+ 
+ 	/* res->status */
+ 	err = gssx_dec_status(xdr, &res->status);
+ 	if (err)
+-		return err;
++		goto out_free;
+ 
+ 	/* res->context_handle */
+ 	err = gssx_dec_bool(xdr, &value_follows);
+ 	if (err)
+-		return err;
++		goto out_free;
+ 	if (value_follows) {
+ 		err = gssx_dec_ctx(xdr, res->context_handle);
+ 		if (err)
+-			return err;
++			goto out_free;
+ 	} else {
+ 		res->context_handle = NULL;
+ 	}
+@@ -815,11 +821,11 @@ int gssx_dec_accept_sec_context(struct r
+ 	/* res->output_token */
+ 	err = gssx_dec_bool(xdr, &value_follows);
+ 	if (err)
+-		return err;
++		goto out_free;
+ 	if (value_follows) {
+ 		err = gssx_dec_buffer(xdr, res->output_token);
+ 		if (err)
+-			return err;
++			goto out_free;
+ 	} else {
+ 		res->output_token = NULL;
+ 	}
+@@ -827,14 +833,17 @@ int gssx_dec_accept_sec_context(struct r
+ 	/* res->delegated_cred_handle */
+ 	err = gssx_dec_bool(xdr, &value_follows);
+ 	if (err)
+-		return err;
++		goto out_free;
+ 	if (value_follows) {
+ 		/* we do not support upcall servers sending this data. */
+-		return -EINVAL;
++		err = -EINVAL;
++		goto out_free;
+ 	}
+ 
+ 	/* res->options */
+ 	err = gssx_dec_option_array(xdr, &res->options);
+ 
++out_free:
++	__free_page(scratch);
+ 	return err;
+ }
-- 
2.47.3