From faa5ce1136f34d87f783879c7c24e9c921e40fa9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Jul 2013 21:57:02 -0700
Subject: [PATCH] 3.10-stable patches

added patches:
	mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
	printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
	svcrpc-fix-failures-to-handle-1-uid-s.patch
	svcrpc-fix-handling-of-too-short-rpc-s.patch
	uprobes-fix-return-value-in-error-handling-path.patch
---
 ...-interfaces-before-unregistering-all.patch | 46 +++++++++++++++++
 ...vs-logbuf_lock-unlock-lock-inversion.patch | 40 +++++++++++++++
 queue-3.10/series                             |  5 ++
 ...vcrpc-fix-failures-to-handle-1-uid-s.patch | 41 +++++++++++++++
 ...crpc-fix-handling-of-too-short-rpc-s.patch | 50 +++++++++++++++++++
 ...-return-value-in-error-handling-path.patch | 46 +++++++++++++++++
 6 files changed, 228 insertions(+)
 create mode 100644 queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
 create mode 100644 queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
 create mode 100644 queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch
 create mode 100644 queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch
 create mode 100644 queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch

diff --git a/queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch b/queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
new file mode 100644
index 00000000000..13f9b06de8b
--- /dev/null
+++ b/queue-3.10/mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
@@ -0,0 +1,46 @@
+From 4c8a9d4bfaf7dbc7d2168494904d79d22cc01db7 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 24 May 2013 01:06:09 +0200
+Subject: mac80211: close AP_VLAN interfaces before unregistering all
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4c8a9d4bfaf7dbc7d2168494904d79d22cc01db7 upstream.
+
+Since Eric's commit efe117ab8 ("Speedup ieee80211_remove_interfaces")
+there's a bug in mac80211 when it unregisters with AP_VLAN interfaces
+up. If the AP_VLAN interface was registered after the AP it belongs
+to (which is the typical case) and then we get into this code path,
+unregister_netdevice_many() will crash because it isn't prepared to
+deal with interfaces being closed in the middle of it. Exactly this
+happens though, because we iterate the list, find the AP master this
+AP_VLAN belongs to and dev_close() the dependent VLANs. After this,
+unregister_netdevice_many() won't pick up the fact that the AP_VLAN
+is already down and will do it again, causing a crash.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1726,6 +1726,15 @@ void ieee80211_remove_interfaces(struct
+ 		if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ 			dev_close(sdata->dev);
+ 
++	/*
++	 * Close all AP_VLAN interfaces first, as otherwise they
++	 * might be closed while the AP interface they belong to
++	 * is closed, causing unregister_netdevice_many() to crash.
++	 */
++	list_for_each_entry(sdata, &local->interfaces, list)
++		if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++			dev_close(sdata->dev);
++
+ 	mutex_lock(&local->iflist_mtx);
+ 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ 		list_del(&sdata->list);
diff --git a/queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch b/queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
new file mode 100644
index 00000000000..5c1fd7293b4
--- /dev/null
+++ b/queue-3.10/printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
@@ -0,0 +1,40 @@
+From dbda92d16f8655044e082930e4e9d244b87fde77 Mon Sep 17 00:00:00 2001
+From: "Bu, Yitian" <ybu@qti.qualcomm.com>
+Date: Mon, 18 Feb 2013 12:53:37 +0000
+Subject: printk: Fix rq->lock vs logbuf_lock unlock lock inversion
+
+From: "Bu, Yitian" <ybu@qti.qualcomm.com>
+
+commit dbda92d16f8655044e082930e4e9d244b87fde77 upstream.
+
+commit 07354eb1a74d1 ("locking printk: Annotate logbuf_lock as raw")
+reintroduced a lock inversion problem which was fixed in commit
+0b5e1c5255 ("printk: Release console_sem after logbuf_lock"). This
+happened probably when fixing up patch rejects.
+
+Restore the ordering and unlock logbuf_lock before releasing
+console_sem.
+
+Signed-off-by: ybu <ybu@qti.qualcomm.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/r/E807E903FE6CBE4D95E420FBFCC273B827413C@nasanexd01h.na.qualcomm.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -1369,9 +1369,9 @@ static int console_trylock_for_printk(un
+ 		}
+ 	}
+ 	logbuf_cpu = UINT_MAX;
++	raw_spin_unlock(&logbuf_lock);
+ 	if (wake)
+ 		up(&console_sem);
+-	raw_spin_unlock(&logbuf_lock);
+ 	return retval;
+ }
+ 
diff --git a/queue-3.10/series b/queue-3.10/series
index e76fa54d2c8..2bffb0229b5 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -69,3 +69,8 @@ sunrpc-pipefs-mount-notification-optimization-for-dying-clients.patch
 sunrpc-fix-races-on-pipefs-umount-notifications.patch
 virtio_balloon-leak_balloon-only-tell-host-if-we-got-pages-deflated.patch
 b43-ensue-that-bcma-is-y-when-b43-is-y.patch
+mac80211-close-ap_vlan-interfaces-before-unregistering-all.patch
+printk-fix-rq-lock-vs-logbuf_lock-unlock-lock-inversion.patch
+uprobes-fix-return-value-in-error-handling-path.patch
+svcrpc-fix-failures-to-handle-1-uid-s.patch
+svcrpc-fix-handling-of-too-short-rpc-s.patch
diff --git a/queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch b/queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch
new file mode 100644
index 00000000000..297b1659507
--- /dev/null
+++ b/queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch
@@ -0,0 +1,41 @@
+From 0979292bfa301cb87d936b69af428090d2feea1b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 8 Jul 2013 13:44:45 -0400
+Subject: svcrpc: fix failures to handle -1 uid's
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 0979292bfa301cb87d936b69af428090d2feea1b upstream.
+
+As of f025adf191924e3a75ce80e130afcd2485b53bb8 "sunrpc: Properly decode
+kuids and kgids in RPC_AUTH_UNIX credentials" any rpc containing a -1
+(0xffff) uid or gid would fail with a badcred error.
+
+Commit afe3c3fd5392b2f0066930abc5dbd3f4b14a0f13 "svcrpc: fix failures to
+handle -1 uid's and gid's" fixed part of the problem, but overlooked the
+gid upcall--the kernel can request supplementary gid's for the -1 uid,
+but mountd's attempt write a response will get -EINVAL.
+
+Symptoms were nfsd failing to reply to the first attempt to use a newly
+negotiated krb5 context.
+
+Reported-by: Sven Geggus <lists@fuchsschwanzdomain.de>
+Tested-by: Sven Geggus <lists@fuchsschwanzdomain.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svcauth_unix.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/svcauth_unix.c
++++ b/net/sunrpc/svcauth_unix.c
+@@ -493,8 +493,6 @@ static int unix_gid_parse(struct cache_d
+ 	if (rv)
+ 		return -EINVAL;
+ 	uid = make_kuid(&init_user_ns, id);
+-	if (!uid_valid(uid))
+-		return -EINVAL;
+ 	ug.uid = uid;
+ 
+ 	expiry = get_expiry(&mesg);
diff --git a/queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch b/queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch
new file mode 100644
index 00000000000..1893561bcdc
--- /dev/null
+++ b/queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch
@@ -0,0 +1,50 @@
+From cf3aa02cb4a0c5af5557dd47f15a08a7df33182a Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 26 Jun 2013 11:09:06 -0400
+Subject: svcrpc: fix handling of too-short rpc's
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit cf3aa02cb4a0c5af5557dd47f15a08a7df33182a upstream.
+
+If we detect that an rpc is too short, we abort and close the
+connection.  Except, there's a bug here: we're leaving sk_datalen
+nonzero without leaving any pages in the sk_pages array.  The most
+likely result of the inconsistency is a subsequent crash in
+svc_tcp_clear_pages.
+
+Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svcsock.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -917,7 +917,10 @@ static void svc_tcp_clear_pages(struct s
+ 	len = svsk->sk_datalen;
+ 	npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 	for (i = 0; i < npages; i++) {
+-		BUG_ON(svsk->sk_pages[i] == NULL);
++		if (svsk->sk_pages[i] == NULL) {
++			WARN_ON_ONCE(1);
++			continue;
++		}
+ 		put_page(svsk->sk_pages[i]);
+ 		svsk->sk_pages[i] = NULL;
+ 	}
+@@ -1092,8 +1095,10 @@ static int svc_tcp_recvfrom(struct svc_r
+ 		goto err_noclose;
+ 	}
+ 
+-	if (svc_sock_reclen(svsk) < 8)
++	if (svc_sock_reclen(svsk) < 8) {
++		svsk->sk_datalen = 0;
+ 		goto err_delete; /* client is nuts. */
++	}
+ 
+ 	rqstp->rq_arg.len = svsk->sk_datalen;
+ 	rqstp->rq_arg.page_base = 0;
diff --git a/queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch b/queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch
new file mode 100644
index 00000000000..a51edb6bf24
--- /dev/null
+++ b/queue-3.10/uprobes-fix-return-value-in-error-handling-path.patch
@@ -0,0 +1,46 @@
+From fa44063f9ef163c3a4c8d8c0465bb8a056b42035 Mon Sep 17 00:00:00 2001
+From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
+Date: Thu, 13 Jun 2013 14:21:51 +0800
+Subject: uprobes: Fix return value in error handling path
+
+From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
+
+commit fa44063f9ef163c3a4c8d8c0465bb8a056b42035 upstream.
+
+When wrong argument is passed into uprobe_events it does not return
+an error:
+
+[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
+[root@jovi tracing]#
+
+The proper response is:
+
+[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
+-bash: echo: write error: Invalid argument
+
+Link: http://lkml.kernel.org/r/51B964FF.5000106@huawei.com
+
+Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: <srikar@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_uprobe.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -283,8 +283,10 @@ static int create_trace_uprobe(int argc,
+ 		return -EINVAL;
+ 	}
+ 	arg = strchr(argv[1], ':');
+-	if (!arg)
++	if (!arg) {
++		ret = -EINVAL;
+ 		goto fail_address_parse;
++	}
+ 
+ 	*arg++ = '\0';
+ 	filename = argv[1];
-- 
2.47.3