From 869551b72d94e05d6d7c1b8b10b4232f9f5866ae Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 30 Jul 2015 17:46:06 -0700
Subject: [PATCH] 3.14-stable patches
added patches:
acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch
btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch
crush-fix-a-bug-in-tree-bucket-decode.patch
fuse-initialize-fc-release-before-calling-it.patch
---
 ...cs-initialization-is-performed-twice.patch | 55 +++++++++++++++++++
 ...memory-leak-in-the-extent_same-ioctl.patch | 53 ++++++++++++++++++
 ...ee-when-freeing-entry-in-inode-cache.patch | 44 +++++++++++++++
 ...rush-fix-a-bug-in-tree-bucket-decode.patch | 36 ++++++++++++
 ...tialize-fc-release-before-calling-it.patch | 41 ++++++++++++++
 queue-3.14/series | 5 ++
 6 files changed, 234 insertions(+)
 create mode 100644 queue-3.14/acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
 create mode 100644 queue-3.14/btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch
 create mode 100644 queue-3.14/btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch
 create mode 100644 queue-3.14/crush-fix-a-bug-in-tree-bucket-decode.patch
 create mode 100644 queue-3.14/fuse-initialize-fc-release-before-calling-it.patch
diff --git a/queue-3.14/acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch b/queue-3.14/acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
new file mode 100644
index 00000000000..a7e374eac83
--- /dev/null
+++ b/queue-3.14/acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
@@ -0,0 +1,55 @@
+From c04be18448355441a0c424362df65b6422e27bda Mon Sep 17 00:00:00 2001
+From: Lv Zheng
+Date: Wed, 1 Jul 2015 14:43:26 +0800
+Subject: ACPICA: Tables: Fix an issue that FACS initialization is performed twice
+
+From: Lv Zheng
+
+commit c04be18448355441a0c424362df65b6422e27bda upstream.
+
+ACPICA commit 90f5332a15e9d9ba83831ca700b2b9f708274658
+
+This patch adds a new FACS initialization flag for acpi_tb_initialize().
+acpi_enable_subsystem() might be invoked several times in OS bootup process,
+and we don't want FACS initialization to be invoked twice. Lv Zheng.
+
+Link: https://github.com/acpica/acpica/commit/90f5332a
+Signed-off-by: Lv Zheng
+Signed-off-by: Bob Moore
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/acpica/utxfinit.c | 10 ++++++----
+ include/acpi/actypes.h | 1 +
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/acpica/utxfinit.c
++++ b/drivers/acpi/acpica/utxfinit.c
+@@ -175,10 +175,12 @@ acpi_status __init acpi_enable_subsystem
+ * Obtain a permanent mapping for the FACS. This is required for the
+ * Global Lock and the Firmware Waking Vector
+ */
+- status = acpi_tb_initialize_facs();
+- if (ACPI_FAILURE(status)) {
+- ACPI_WARNING((AE_INFO, "Could not map the FACS table"));
+- return_ACPI_STATUS(status);
++ if (!(flags & ACPI_NO_FACS_INIT)) {
++ status = acpi_tb_initialize_facs();
++ if (ACPI_FAILURE(status)) {
++ ACPI_WARNING((AE_INFO, "Could not map the FACS table"));
++ return_ACPI_STATUS(status);
++ }
+ }
+ #endif /* !ACPI_REDUCED_HARDWARE */
+
+--- a/include/acpi/actypes.h
++++ b/include/acpi/actypes.h
+@@ -561,6 +561,7 @@ typedef u64 acpi_integer;
+ #define ACPI_NO_ACPI_ENABLE 0x10
+ #define ACPI_NO_DEVICE_INIT 0x20
+ #define ACPI_NO_OBJECT_INIT 0x40
++#define ACPI_NO_FACS_INIT 0x80
+
+ /*
+ * Initialization state
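Review bot: `ACPI_NO_FACS_INIT` is defined in actypes.h and tested in the new `if (!(flags & ACPI_NO_FACS_INIT))` guard, but nothing in this patch passes the flag, so on its own the backport changes no behaviour and the repeated FACS initialization the description mentions is only avoided once some caller of acpi_enable_subsystem() supplies it; worth confirming the 3.14 queue carries that companion change or recording why it is not needed. A short comment on the new define, e.g. `/* acpi_enable_subsystem(): skip FACS mapping (caller already initialized it) */`, would also tell a backporter what consumes the bit. acpi_enable_subsystem() starts and ends outside the hunk, and the `flags` operand tested here is presumably its parameter.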
diff --git a/queue-3.14/btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch b/queue-3.14/btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch
new file mode 100644
index 00000000000..641c040d5ba
--- /dev/null
+++ b/queue-3.14/btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch
@@ -0,0 +1,53 @@
+From 497b4050e0eacd4c746dd396d14916b1e669849d Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Fri, 3 Jul 2015 08:36:11 +0100
+Subject: Btrfs: fix memory leak in the extent_same ioctl
+
+From: Filipe Manana
+
+commit 497b4050e0eacd4c746dd396d14916b1e669849d upstream.
+
+We were allocating memory with memdup_user() but we were never releasing
+that memory. This affected pretty much every call to the ioctl, whether
+it deduplicated extents or not.
+
+This issue was reported on IRC by Julian Taylor and on the mailing list
+by Marcel Ritter, credit goes to them for finding the issue.
+
+Reported-by: Julian Taylor
+Reported-by: Marcel Ritter
+Signed-off-by: Filipe Manana
+Reviewed-by: Mark Fasheh
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2743,7 +2743,7 @@ out_unlock:
+ static long btrfs_ioctl_file_extent_same(struct file *file,
+ struct btrfs_ioctl_same_args __user *argp)
+ {
+- struct btrfs_ioctl_same_args *same;
++ struct btrfs_ioctl_same_args *same = NULL;
+ struct btrfs_ioctl_same_extent_info *info;
+ struct inode *src = file_inode(file);
+ u64 off;
+@@ -2773,6 +2773,7 @@ static long btrfs_ioctl_file_extent_same
+
+ if (IS_ERR(same)) {
+ ret = PTR_ERR(same);
++ same = NULL;
+ goto out;
+ }
+
+@@ -2843,6 +2844,7 @@ static long btrfs_ioctl_file_extent_same
+
+ out:
+ mnt_drop_write_file(file);
++ kfree(same);
+ return ret;
+ }
+
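Review bot: The `same = NULL;` added after `ret = PTR_ERR(same);` exists only so the shared `kfree(same)` at `out:` never receives an ERR_PTR, and nothing in the code says so; a one-line comment, `/* clear the ERR_PTR so kfree(same) at out: is a no-op */`, would stop a later cleanup from "simplifying" it away. Since `info` (declared as `struct btrfs_ioctl_same_extent_info *`) presumably points into the buffer `same` owns, `kfree(same)` has to stay the last statement before `return ret`, as placed here. The body of btrfs_ioctl_file_extent_same() between the three hunks is outside view, so no other exit path is checked by this note.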
diff --git a/queue-3.14/btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch b/queue-3.14/btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch
new file mode 100644
index 00000000000..ecaf9d1caa2
--- /dev/null
+++ b/queue-3.14/btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch
@@ -0,0 +1,44 @@
+From c3f4a1685bb87e59c886ee68f7967eae07d4dffa Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Sat, 13 Jun 2015 06:52:56 +0100
+Subject: Btrfs: use kmem_cache_free when freeing entry in inode cache
+
+From: Filipe Manana
+
+commit c3f4a1685bb87e59c886ee68f7967eae07d4dffa upstream.
+
+The free space entries are allocated using kmem_cache_zalloc(),
+through __btrfs_add_free_space(), therefore we should use
+kmem_cache_free() and not kfree() to avoid any confusion and
+any potential problem. Looking at the kfree() definition at
+mm/slab.c it has the following comment:
+
+ /*
+ * (...)
+ *
+ * Don't free memory not originally allocated by kmalloc()
+ * or you will run into trouble.
+ */
+
+So better be safe and use kmem_cache_free().
+
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: Chris Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/inode-map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode-map.c
++++ b/fs/btrfs/inode-map.c
+@@ -281,7 +281,7 @@ void btrfs_unpin_free_ino(struct btrfs_r
+ __btrfs_add_free_space(ctl, info->offset, count);
+ free:
+ rb_erase(&info->offset_index, rbroot);
+- kfree(info);
++ kmem_cache_free(btrfs_free_space_cachep, info);
+ }
+ }
+
diff --git a/queue-3.14/crush-fix-a-bug-in-tree-bucket-decode.patch b/queue-3.14/crush-fix-a-bug-in-tree-bucket-decode.patch
new file mode 100644
index 00000000000..550cdea3a0d
--- /dev/null
+++ b/queue-3.14/crush-fix-a-bug-in-tree-bucket-decode.patch
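Review bot: The `free:` path now releases `info` through `btrfs_free_space_cachep`, matching the allocator the description names (kmem_cache_zalloc() via __btrfs_add_free_space()), but nothing at the call site records that pairing; a comment above the new line, `/* entries come from btrfs_free_space_cachep via __btrfs_add_free_space() */`, would keep a plain kfree() from creeping back in. Only this one release path inside btrfs_unpin_free_ino() is visible, and the function starts outside the hunk, so any other place that frees an entry from the same cache is not covered by this patch and would need the same treatment.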
@@ -0,0 +1,36 @@
+From 82cd003a77173c91b9acad8033fb7931dac8d751 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 29 Jun 2015 19:30:23 +0300
+Subject: crush: fix a bug in tree bucket decode
+
+From: Ilya Dryomov
+
+commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream.
+
+struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
+should be used. -Wconversion catches this, but I guess it went
+unnoticed in all the noise it spews. The actual problem (at least for
+common crushmaps) isn't the u32 -> u8 truncation though - it's the
+advancement by 4 bytes instead of 1 in the crushmap buffer.
+
+Fixes: http://tracker.ceph.com/issues/2759
+
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Josh Durgin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/osdmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -89,7 +89,7 @@ static int crush_decode_tree_bucket(void
+ {
+ int j;
+ dout("crush_decode_tree_bucket %p to %p\n", *p, end);
+- ceph_decode_32_safe(p, end, b->num_nodes, bad);
++ ceph_decode_8_safe(p, end, b->num_nodes, bad);
+ b->node_weights = kcalloc(b->num_nodes, sizeof(u32), GFP_NOFS);
+ if (b->node_weights == NULL)
+ return -ENOMEM;
diff --git a/queue-3.14/fuse-initialize-fc-release-before-calling-it.patch b/queue-3.14/fuse-initialize-fc-release-before-calling-it.patch
new file mode 100644
index 00000000000..8b2f77421d5
--- /dev/null
+++ b/queue-3.14/fuse-initialize-fc-release-before-calling-it.patch
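Review bot: `b->num_nodes` is decoded from a map supplied over the network and may decode as 0, and `kcalloc(0, sizeof(u32), GFP_NOFS)` returns ZERO_SIZE_PTR rather than NULL, so the `== NULL` test on the following line does not reject an empty tree bucket; whether the rest of crush_decode_tree_bucket() (outside the hunk) tolerates `num_nodes == 0` cannot be seen here. If an empty tree bucket is not a valid encoding, rejecting it explicitly right after the decode, `if (b->num_nodes == 0) goto bad;`, or testing with `ZERO_OR_NULL_PTR()` instead of `== NULL`, would keep the code after the allocation from ever holding a zero-length buffer. The switch to the 8-bit decode also bounds the allocation to 255 entries, which is a welcome side effect for untrusted input.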
@@ -0,0 +1,41 @@
+From 0ad0b3255a08020eaf50e34ef0d6df5bdf5e09ed Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 1 Jul 2015 16:25:55 +0200
+Subject: fuse: initialize fc->release before calling it
+
+From: Miklos Szeredi
+
+commit 0ad0b3255a08020eaf50e34ef0d6df5bdf5e09ed upstream.
+
+fc->release is called from fuse_conn_put() which was used in the error
+cleanup before fc->release was initialized.
+
+[Jeremiah Mahler : assign fc->release after calling
+fuse_conn_init(fc) instead of before.]
+
+Signed-off-by: Miklos Szeredi
+Fixes: a325f9b92273 ("fuse: update fuse_conn_init() and separate out fuse_conn_kill()")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1026,6 +1026,7 @@ static int fuse_fill_super(struct super_
+ goto err_fput;
+
+ fuse_conn_init(fc);
++ fc->release = fuse_free_conn;
+
+ fc->dev = sb->s_dev;
+ fc->sb = sb;
+@@ -1040,7 +1041,6 @@ static int fuse_fill_super(struct super_
+ fc->dont_mask = 1;
+ sb->s_flags |= MS_POSIXACL;
+
+- fc->release = fuse_free_conn;
+ fc->flags = d.flags;
+ fc->user_id = d.user_id;
+ fc->group_id = d.group_id;
diff --git a/queue-3.14/series b/queue-3.14/series
index b2113da17c4..b85d829c038 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -90,3 +90,8 @@ tracing-have-branch-tracer-use-recursive-field-of-task-struct.patch
 dmaengine-mv_xor-bug-fix-for-racing-condition-in-descriptors-cleanup.patch
 hwmon-mcp3021-fix-broken-output-scaling.patch
 md-fix-a-build-warning.patch
+btrfs-use-kmem_cache_free-when-freeing-entry-in-inode-cache.patch
+btrfs-fix-memory-leak-in-the-extent_same-ioctl.patch
+fuse-initialize-fc-release-before-calling-it.patch
+crush-fix-a-bug-in-tree-bucket-decode.patch
+acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
-- 
2.47.3
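Review bot: Moving `fc->release = fuse_free_conn;` to directly after `fuse_conn_init(fc)` fixes the ordering, but nothing in the code says it has to stay there; a comment on the new line, `/* must be set before any fuse_conn_put() on the error paths below */`, would keep a later reshuffle from reintroducing the NULL function-pointer call the description describes. The `goto err_fput` two lines above still runs before `fc->release` is assigned, so that label presumably must not release through fuse_conn_put() — worth confirming, as fuse_fill_super() starts and ends outside both hunks and the err_fput path is not visible.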