From: Greg Kroah-Hartman Date: Fri, 2 May 2014 01:48:53 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.4.89~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef470a3f3b31df906a12cfea699cb5c56fe087f2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: iio-adc-at91_adc-repair-broken-platform_data-support.patch iio-cm32181-fix-read-integration-time-function.patch iio-cm36651-fix-i2c-client-leak-and-possible-null-pointer-dereference.patch iio-querying-buffer-scan_mask-should-return-0-1.patch nfsd4-buffer-length-check-for-suppattr_exclcreat.patch nfsd4-fix-test_stateid-error-reply-encoding.patch nfsd4-leave-reply-buffer-space-for-failed-setattr.patch nfsd4-session-needs-room-for-following-op-to-error-out.patch nfsd-revert-v2-half-of-nfsd-don-t-return-high-mode-bits.patch nfsv4-fix-a-use-after-free-problem-in-open.patch
---
diff --git a/queue-3.14/iio-adc-at91_adc-repair-broken-platform_data-support.patch b/queue-3.14/iio-adc-at91_adc-repair-broken-platform_data-support.patch
new file mode 100644
index 00000000000..874ab2b01ee
--- /dev/null
+++ b/queue-3.14/iio-adc-at91_adc-repair-broken-platform_data-support.patch
@@ -0,0 +1,99 @@
+From 467a44b0372d8268ce5bd90e58bde7db51c1d476 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni
+Date: Sat, 3 May 2014 16:57:00 +0100
+Subject: iio: adc: at91_adc: Repair broken platform_data support
+
+From: Alexandre Belloni
+
+commit 467a44b0372d8268ce5bd90e58bde7db51c1d476 upstream.
+
+Trying to use the at91_adc driver while not using device tree is ending up in a
+kernel crash:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000004
+[...]
+[] (at91_adc_probe) from [] (platform_drv_probe+0x18/0x48)
+[] (platform_drv_probe) from [] (driver_probe_device+0x100/0x218)
+[] (driver_probe_device) from [] (__driver_attach+0x8c/0x90)
+[] (__driver_attach) from [] (bus_for_each_dev+0x58/0x88)
+[] (bus_for_each_dev) from [] (bus_add_driver+0xd4/0x1d4)
+[] (bus_add_driver) from [] (driver_register+0x78/0xf4)
+[] (driver_register) from [] (do_one_initcall+0xe8/0x14c)
+[] (do_one_initcall) from [] (kernel_init_freeable+0xec/0x1b4)
+[] (kernel_init_freeable) from [] (kernel_init+0x8/0xe4)
+[] (kernel_init) from [] (ret_from_fork+0x14/0x24)
+
+This is because the at91_adc_caps structure is mandatory but is not filled when
+using platform_data. Correct that by using an id_table. It ensues that the
+driver will not match "at91_adc" anymore but it was crashing anyway.
+
+Fixes: c46016665fff (iio: at91: ADC start-up time calculation changed since at91sam9x5)
+Signed-off-by: Alexandre Belloni
+Tested-by: Josh Wu
+Acked-by: Josh Wu
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/at91_adc.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -765,14 +765,17 @@ static int at91_adc_probe_pdata(struct a
+ if (!pdata)
+ return -EINVAL;
+
++ st->caps = (struct at91_adc_caps *)
++ platform_get_device_id(pdev)->driver_data;
++
+ st->use_external = pdata->use_external_triggers;
+ st->vref_mv = pdata->vref;
+ st->channels_mask = pdata->channels_used;
+- st->num_channels = pdata->num_channels;
++ st->num_channels = st->caps->num_channels;
+ st->startup_time = pdata->startup_time;
+ st->trigger_number = pdata->trigger_number;
+ st->trigger_list = pdata->trigger_list;
+- st->registers = pdata->registers;
++ st->registers = &st->caps->registers;
+
+ return 0;
+ }
+@@ -1101,7 +1104,6 @@ static int at91_adc_remove(struct platfo
+ return 0;
+ }
+
+-#ifdef CONFIG_OF
+ static struct at91_adc_caps at91sam9260_caps = {
+ .calc_startup_ticks = calc_startup_ticks_9260,
+ .num_channels = 4,
+@@ -1154,11 +1156,27 @@ static const struct of_device_id at91_ad
+ {},
+ };
+ MODULE_DEVICE_TABLE(of, at91_adc_dt_ids);
+-#endif
++
++static const struct platform_device_id at91_adc_ids[] = {
++ {
++ .name = "at91sam9260-adc",
++ .driver_data = (unsigned long)&at91sam9260_caps,
++ }, {
++ .name = "at91sam9g45-adc",
++ .driver_data = (unsigned long)&at91sam9g45_caps,
++ }, {
++ .name = "at91sam9x5-adc",
++ .driver_data = (unsigned long)&at91sam9x5_caps,
++ }, {
++ /* terminator */
++ }
++};
++MODULE_DEVICE_TABLE(platform, at91_adc_ids);
+
+ static struct platform_driver at91_adc_driver = {
+ .probe = at91_adc_probe,
+ .remove = at91_adc_remove,
++ .id_table = at91_adc_ids,
+ .driver = {
+ .name = DRIVER_NAME,
+ .of_match_table = of_match_ptr(at91_adc_dt_ids),
diff --git a/queue-3.14/iio-cm32181-fix-read-integration-time-function.patch b/queue-3.14/iio-cm32181-fix-read-integration-time-function.patch
new file mode 100644
index 00000000000..f753a9b4134
--- /dev/null
+++ b/queue-3.14/iio-cm32181-fix-read-integration-time-function.patch
@@ -0,0 +1,31 @@
+From 41c897f8789d0d1039ed873ddcd0caabd5756e0f Mon Sep 17 00:00:00 2001
+From: Beomho Seo
+Date: Wed, 3 Dec 2014 00:57:00 +0000
+Subject: iio: cm32181: Fix read integration time function
+
+From: Beomho Seo
+
+commit 41c897f8789d0d1039ed873ddcd0caabd5756e0f upstream.
+
+In read integration time function, assign 0 to val.
+Because, prevent return inaccurate value when call read integration time.
+
+Cc: Kevin Tsai
+Signed-off-by: Beomho Seo
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/light/cm32181.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/light/cm32181.c
++++ b/drivers/iio/light/cm32181.c
+@@ -221,6 +221,7 @@ static int cm32181_read_raw(struct iio_d
+ *val = cm32181->calibscale;
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_INT_TIME:
++ *val = 0;
+ ret = cm32181_read_als_it(cm32181, val2);
+ return ret;
+ }
diff --git a/queue-3.14/iio-cm36651-fix-i2c-client-leak-and-possible-null-pointer-dereference.patch b/queue-3.14/iio-cm36651-fix-i2c-client-leak-and-possible-null-pointer-dereference.patch
new file mode 100644
index 00000000000..e08b80fa0b9
--- /dev/null
+++ b/queue-3.14/iio-cm36651-fix-i2c-client-leak-and-possible-null-pointer-dereference.patch
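Review bot: In at91_adc_probe_pdata() (drivers/iio/adc/at91_adc.c) the result of `platform_get_device_id(pdev)` is dereferenced without a NULL check, in the same probe path this patch repairs after a NULL-pointer crash. If the device can ever be bound without an `id_table` match the oops comes back, so a guard such as `if (!platform_get_device_id(pdev)) return -ENODEV;` ahead of the `st->caps` assignment would make the assumption explicit. The function starts outside the hunk, so an earlier check, if there is one, is not visible here.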
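Review bot: The added `*val = 0;` in the `IIO_CHAN_INFO_INT_TIME` case of cm32181_read_raw() carries no comment, and the reason for it is easy to miss: the helper call on the next line is handed only `val2`, so `val` would otherwise go back to the caller holding whatever it had on entry. A one-line comment would record that, e.g. `/* integration time is returned in val2 only; clear the integer part */`. The switch and the function continue outside the hunk.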
@@ -0,0 +1,89 @@
+From d0a588a57c2b0748df8307a0865a1bbbf1624c53 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Tue, 18 Mar 2014 08:13:00 +0000
+Subject: iio: cm36651: Fix i2c client leak and possible NULL pointer dereference
+
+From: Krzysztof Kozlowski
+
+commit d0a588a57c2b0748df8307a0865a1bbbf1624c53 upstream.
+
+During probe the driver allocates dummy I2C devices (i2c_new_dummy())
+but they aren't unregistered during driver remove or probe failure.
+
+Additionally driver does not check the return value of i2c_new_dummy().
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later
+dereferenced by i2c_smbus_{read,write}_data() functions.
+
+Fix issues by properly checking for i2c_new_dummy() return value and
+unregistering I2C devices on driver remove or probe failure.
+
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Beomho Seo
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/light/cm36651.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/cm36651.c
++++ b/drivers/iio/light/cm36651.c
+@@ -652,7 +652,19 @@ static int cm36651_probe(struct i2c_clie
+ cm36651->client = client;
+ cm36651->ps_client = i2c_new_dummy(client->adapter,
+ CM36651_I2C_ADDR_PS);
++ if (!cm36651->ps_client) {
++ dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
++ ret = -ENODEV;
++ goto error_disable_reg;
++ }
++
+ cm36651->ara_client = i2c_new_dummy(client->adapter, CM36651_ARA);
++ if (!cm36651->ara_client) {
++ dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
++ ret = -ENODEV;
++ goto error_i2c_unregister_ps;
++ }
++
+ mutex_init(&cm36651->lock);
+ indio_dev->dev.parent = &client->dev;
+ indio_dev->channels = cm36651_channels;
+@@ -664,7 +676,7 @@ static int cm36651_probe(struct i2c_clie
+ ret = cm36651_setup_reg(cm36651);
+ if (ret) {
+ dev_err(&client->dev, "%s: register setup failed\n", __func__);
+- goto error_disable_reg;
++ goto error_i2c_unregister_ara;
+ }
+
+ ret = request_threaded_irq(client->irq, NULL, cm36651_irq_handler,
+@@ -672,7 +684,7 @@ static int cm36651_probe(struct i2c_clie
+ "cm36651", indio_dev);
+ if (ret) {
+ dev_err(&client->dev, "%s: request irq failed\n", __func__);
+- goto error_disable_reg;
++ goto error_i2c_unregister_ara;
+ }
+
+ ret = iio_device_register(indio_dev);
+@@ -685,6 +697,10 @@ static int cm36651_probe(struct i2c_clie
+
+ error_free_irq:
+ free_irq(client->irq, indio_dev);
++error_i2c_unregister_ara:
++ i2c_unregister_device(cm36651->ara_client);
++error_i2c_unregister_ps:
++ i2c_unregister_device(cm36651->ps_client);
+ error_disable_reg:
+ regulator_disable(cm36651->vled_reg);
+ return ret;
+@@ -698,6 +714,8 @@ static int cm36651_remove(struct i2c_cli
+ iio_device_unregister(indio_dev);
+ regulator_disable(cm36651->vled_reg);
+ free_irq(client->irq, indio_dev);
++ i2c_unregister_device(cm36651->ps_client);
++ i2c_unregister_device(cm36651->ara_client);
+
+ return 0;
+ }
diff --git a/queue-3.14/iio-querying-buffer-scan_mask-should-return-0-1.patch b/queue-3.14/iio-querying-buffer-scan_mask-should-return-0-1.patch
new file mode 100644
index 00000000000..4ff3700c98c
--- /dev/null
+++ b/queue-3.14/iio-querying-buffer-scan_mask-should-return-0-1.patch
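Review bot: In cm36651_probe() both new failure branches log the identical string `"%s: new i2c device failed\n"`, so a log line cannot tell whether the PS or the ARA dummy client was refused. Naming the address in each message would settle that, e.g. `dev_err(&client->dev, "%s: new i2c device 0x%02x failed\n", __func__, CM36651_I2C_ADDR_PS);` and the same with `CM36651_ARA` in the second branch. Both branches also return `-ENODEV` for the two different causes the commit message lists (allocation failure, address unusable); a NULL return cannot distinguish them, so a short comment saying so is enough. The function continues outside these hunks.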
@@ -0,0 +1,48 @@
+From 2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb Mon Sep 17 00:00:00 2001
+From: Alec Berg
+Date: Wed, 19 Mar 2014 18:50:00 +0000
+Subject: iio: querying buffer scan_mask should return 0/1
+
+From: Alec Berg
+
+commit 2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb upstream.
+
+Ensure that querying the IIO buffer scan_mask returns a value of
+0 or 1. Currently querying the scan mask has the value returned
+by test_bit(), which returns either true or false. For some
+architectures test_bit() may return -1 for true, which will appear
+to return an error when returning from iio_scan_mask_query().
+
+Additionally, it's important for the sysfs interface to consistently
+return the same thing when querying the scan_mask.
+
+Signed-off-by: Alec Berg
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-buffer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -165,7 +165,8 @@ static ssize_t iio_scan_el_show(struct d
+ int ret;
+ struct iio_dev *indio_dev = dev_to_iio_dev(dev);
+
+- ret = test_bit(to_iio_dev_attr(attr)->address,
++ /* Ensure ret is 0 or 1. */
++ ret = !!test_bit(to_iio_dev_attr(attr)->address,
+ indio_dev->buffer->scan_mask);
+
+ return sprintf(buf, "%d\n", ret);
+@@ -866,7 +867,8 @@ int iio_scan_mask_query(struct iio_dev *
+ if (!buffer->scan_mask)
+ return 0;
+
+- return test_bit(bit, buffer->scan_mask);
++ /* Ensure return value is 0 or 1. */
++ return !!test_bit(bit, buffer->scan_mask);
+ };
+ EXPORT_SYMBOL_GPL(iio_scan_mask_query);
+
diff --git a/queue-3.14/nfsd-revert-v2-half-of-nfsd-don-t-return-high-mode-bits.patch b/queue-3.14/nfsd-revert-v2-half-of-nfsd-don-t-return-high-mode-bits.patch
new file mode 100644
index 00000000000..551ae224ef1
--- /dev/null
+++ b/queue-3.14/nfsd-revert-v2-half-of-nfsd-don-t-return-high-mode-bits.patch
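Review bot: The two added comments, `/* Ensure ret is 0 or 1. */` and `/* Ensure return value is 0 or 1. */`, restate what `!!` does and leave out the reason, which is recorded only in the commit message. In iio_scan_mask_query() that reason matters to callers, because a negative return reads as an error code; I would write `/* test_bit() may return a non-zero value other than 1 (-1 on some architectures); normalise so it is not taken for an error */` there and a shorter form in iio_scan_el_show(). Both functions start outside their hunks.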
@@ -0,0 +1,45 @@
+From 082f31a2169bd639785e45bf252f3d5bce0303c6 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Thu, 3 Apr 2014 15:10:35 -0400
+Subject: nfsd: revert v2 half of "nfsd: don't return high mode bits"
+
+From: "J. Bruce Fields"
+
+commit 082f31a2169bd639785e45bf252f3d5bce0303c6 upstream.
+
+This reverts the part of commit 6e14b46b91fee8a049b0940333ce13a820beaaa5
+that changes NFSv2 behavior.
+
+Mark Lord found that it broke nfs-root for Linux clients, because it
+broke NFSv2.
+
+In fact, from RFC 1094:
+
+ "Notice that the file type is specified both in the mode bits
+ and in the file type. This is really a bug in the protocol and
+ will be fixed in future versions."
+
+So NFSv2 clients really are expected to depend on the high bits of the
+mode.
+
+Reported-by: Mark Lord
+Reviewed-by: Jeff Layton
+Signed-off-by: J. Bruce Fields
+Cc: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfsxdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -152,7 +152,7 @@ encode_fattr(struct svc_rqst *rqstp, __b
+ type = (stat->mode & S_IFMT);
+
+ *p++ = htonl(nfs_ftypes[type >> 12]);
+- *p++ = htonl((u32) (stat->mode & S_IALLUGO));
++ *p++ = htonl((u32) stat->mode);
+ *p++ = htonl((u32) stat->nlink);
+ *p++ = htonl((u32) from_kuid(&init_user_ns, stat->uid));
+ *p++ = htonl((u32) from_kgid(&init_user_ns, stat->gid));
diff --git a/queue-3.14/nfsd4-buffer-length-check-for-suppattr_exclcreat.patch b/queue-3.14/nfsd4-buffer-length-check-for-suppattr_exclcreat.patch
new file mode 100644
index 00000000000..3fb75c296d8
--- /dev/null
+++ b/queue-3.14/nfsd4-buffer-length-check-for-suppattr_exclcreat.patch
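Review bot: The restored line `*p++ = htonl((u32) stat->mode);` in encode_fattr() carries no comment, and the masked form it replaces was itself introduced as a fix, so a later clean-up is likely to mask the value again. A comment on that line would prevent it, for example `/* NFSv2 clients rely on the file-type bits in mode (RFC 1094); do not mask with S_IALLUGO */`. The function extends beyond the hunk on both sides.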
@@ -0,0 +1,31 @@
+From de3997a7eeb9ea286b15879fdf8a95aae065b4f7 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Tue, 28 Jan 2014 16:05:15 -0500
+Subject: nfsd4: buffer-length check for SUPPATTR_EXCLCREAT
+
+From: "J. Bruce Fields"
+
+commit de3997a7eeb9ea286b15879fdf8a95aae065b4f7 upstream.
+
+This was an omission from 8c18f2052e756e7d5dea712fc6e7ed70c00e8a39
+"nfsd41: SUPPATTR_EXCLCREAT attribute".
+
+Cc: Benny Halevy
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4xdr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2483,6 +2483,8 @@ out_acl:
+ goto out;
+ }
+ if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
++ if ((buflen -= 16) < 0)
++ goto out_resource;
+ WRITE32(3);
+ WRITE32(NFSD_SUPPATTR_EXCLCREAT_WORD0);
+ WRITE32(NFSD_SUPPATTR_EXCLCREAT_WORD1);
diff --git a/queue-3.14/nfsd4-fix-test_stateid-error-reply-encoding.patch b/queue-3.14/nfsd4-fix-test_stateid-error-reply-encoding.patch
new file mode 100644
index 00000000000..20a416abdfe
--- /dev/null
+++ b/queue-3.14/nfsd4-fix-test_stateid-error-reply-encoding.patch
@@ -0,0 +1,30 @@
+From a11fcce1544df08c723d950ff0edef3adac40405 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 3 Feb 2014 16:31:42 -0500
+Subject: nfsd4: fix test_stateid error reply encoding
+
+From: "J. Bruce Fields"
+
+commit a11fcce1544df08c723d950ff0edef3adac40405 upstream.
+
+If the entire operation fails then there's nothing to encode.
+
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4xdr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3473,6 +3473,9 @@ nfsd4_encode_test_stateid(struct nfsd4_c
+ struct nfsd4_test_stateid_id *stateid, *next;
+ __be32 *p;
+
++ if (nfserr)
++ return nfserr;
++
+ RESERVE_SPACE(4 + (4 * test_stateid->ts_num_ids));
+ *p++ = htonl(test_stateid->ts_num_ids);
+
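Review bot: The literal in `if ((buflen -= 16) < 0)` (fs/nfsd/nfs4xdr.c, the `FATTR4_WORD2_SUPPATTR_EXCLCREAT` branch) has to equal four bytes per `WRITE32` that follows, and nothing in the code ties the two together. The hunk shows three writes, and the length word `3` implies one more bitmap word past the hunk's end, which would give 16, but that last write is not visible here. A short comment such as `/* bitmap length + 3 bitmap words */` would let a reader check the sum. The test also relies on `buflen` being a signed type, declared outside the hunk; with an unsigned one the branch to `out_resource` could never be taken.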
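Review bot: In nfsd4_encode_test_stateid() the reservation directly below the new early return, `RESERVE_SPACE(4 + (4 * test_stateid->ts_num_ids));`, is sized from a count that has no bound visible in this hunk. If `ts_num_ids` is taken from the client's request, it should be confirmed that decoding caps it so the reply cannot outgrow the buffer; any such check lies outside the lines shown. The early return itself would read better with a one-line comment taken from the commit message, e.g. `/* operation failed: nothing to encode */`.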
diff --git a/queue-3.14/nfsd4-leave-reply-buffer-space-for-failed-setattr.patch b/queue-3.14/nfsd4-leave-reply-buffer-space-for-failed-setattr.patch
new file mode 100644
index 00000000000..44c216771a1
--- /dev/null
+++ b/queue-3.14/nfsd4-leave-reply-buffer-space-for-failed-setattr.patch
@@ -0,0 +1,31 @@
+From 04819bf6449094e62cebaf5199d85d68d711e667 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 3 Feb 2014 16:38:47 -0500
+Subject: nfsd4: leave reply buffer space for failed setattr
+
+From: "J. Bruce Fields"
+
+commit 04819bf6449094e62cebaf5199d85d68d711e667 upstream.
+
+This fixes an ommission from 18032ca062e621e15683cb61c066ef3dc5414a7b
+"NFSD: Server implementation of MAC Labeling", which increased the size
+of the setattr error reply without increasing COMPOUND_ERR_SLACK_SPACE.
+
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfsd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsd.h
++++ b/fs/nfsd/nfsd.h
+@@ -282,7 +282,7 @@ void nfsd_lockd_shutdown(void);
+ * reason.
+ */
+ #define COMPOUND_SLACK_SPACE 140 /* OP_GETFH */
+-#define COMPOUND_ERR_SLACK_SPACE 12 /* OP_SETATTR */
++#define COMPOUND_ERR_SLACK_SPACE 16 /* OP_SETATTR */
+
+ #define NFSD_LAUNDROMAT_MINTIMEOUT 1 /* seconds */
+
diff --git a/queue-3.14/nfsd4-session-needs-room-for-following-op-to-error-out.patch b/queue-3.14/nfsd4-session-needs-room-for-following-op-to-error-out.patch
new file mode 100644
index 00000000000..652f0c45834
--- /dev/null
+++ b/queue-3.14/nfsd4-session-needs-room-for-following-op-to-error-out.patch
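Review bot: `COMPOUND_ERR_SLACK_SPACE` in fs/nfsd/nfsd.h stays a bare number whose only explanation is `/* OP_SETATTR */`, which is how it fell behind when the setattr error reply grew. The comment should say what the 16 bytes consist of, that is, which XDR words a failed SETATTR reply encodes, so the next change to that reply has something to be checked against. The breakdown is not visible in this hunk and has to come from the encoder.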
@@ -0,0 +1,31 @@
+From 4c69d5855a16f7378648c5733632628fa10431db Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Tue, 28 Jan 2014 16:01:04 -0500
+Subject: nfsd4: session needs room for following op to error out
+
+From: "J. Bruce Fields"
+
+commit 4c69d5855a16f7378648c5733632628fa10431db upstream.
+
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4proc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1359,6 +1359,12 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+ /* If op is non-idempotent */
+ if (opdesc->op_flags & OP_MODIFIES_SOMETHING) {
+ plen = opdesc->op_rsize_bop(rqstp, op);
++ /*
++ * If there's still another operation, make sure
++ * we'll have space to at least encode an error:
++ */
++ if (resp->opcnt < args->opcnt)
++ plen += COMPOUND_ERR_SLACK_SPACE;
+ op->status = nfsd4_check_resp_size(resp, plen);
+ }
+
diff --git a/queue-3.14/nfsv4-fix-a-use-after-free-problem-in-open.patch b/queue-3.14/nfsv4-fix-a-use-after-free-problem-in-open.patch
new file mode 100644
index 00000000000..464e53fe301
--- /dev/null
+++ b/queue-3.14/nfsv4-fix-a-use-after-free-problem-in-open.patch
@@ -0,0 +1,75 @@
+From e911b8158ee1def8153849b1641b736026b036e0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Wed, 26 Mar 2014 13:24:37 -0700
+Subject: NFSv4: Fix a use-after-free problem in open()
+
+From: Trond Myklebust
+
+commit e911b8158ee1def8153849b1641b736026b036e0 upstream.
+
+If we interrupt the nfs4_wait_for_completion_rpc_task() call in
+nfs4_run_open_task(), then we don't prevent the RPC call from
+completing. So freeing up the opendata->f_attr.mdsthreshold
+in the error path in _nfs4_do_open() leads to a use-after-free
+when the XDR decoder tries to decode the mdsthreshold information
+from the server.
+
+Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN)
+Tested-by: Steve Dickson
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1068,6 +1068,7 @@ static void nfs4_opendata_free(struct kr
+ dput(p->dentry);
+ nfs_sb_deactive(sb);
+ nfs_fattr_free_names(&p->f_attr);
++ kfree(p->f_attr.mdsthreshold);
+ kfree(p);
+ }
+
+@@ -2244,10 +2245,12 @@ static int _nfs4_do_open(struct inode *d
+ }
+ }
+
+- if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
+- opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
+- if (!opendata->f_attr.mdsthreshold)
+- goto err_free_label;
++ if (server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
++ if (!opendata->f_attr.mdsthreshold) {
++ opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
++ if (!opendata->f_attr.mdsthreshold)
++ goto err_free_label;
++ }
+ opendata->o_arg.open_bitmap = &nfs4_pnfs_open_bitmap[0];
+ }
+ if (dentry->d_inode != NULL)
+@@ -2275,11 +2278,10 @@ static int _nfs4_do_open(struct inode *d
+ if (opendata->file_created)
+ *opened |= FILE_CREATED;
+
+- if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server))
++ if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) {
+ *ctx_th = opendata->f_attr.mdsthreshold;
+- else
+- kfree(opendata->f_attr.mdsthreshold);
+- opendata->f_attr.mdsthreshold = NULL;
++ opendata->f_attr.mdsthreshold = NULL;
++ }
+
+ nfs4_label_free(olabel);
+
+@@ -2289,7 +2291,6 @@ static int _nfs4_do_open(struct inode *d
+ err_free_label:
+ nfs4_label_free(olabel);
+ err_opendata_put:
+- kfree(opendata->f_attr.mdsthreshold);
+ nfs4_opendata_put(opendata);
+ err_put_state_owner:
+ nfs4_put_state_owner(sp);
diff --git a/queue-3.14/series b/queue-3.14/series
index 63b9e687af4..1a1049b5789 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -62,3 +62,13 @@ regulator-arizona-ldo1-correct-default-regulator-init_data.patch
 pci-imx6-wait-for-retraining.patch
 pci-mvebu-fix-potential-issue-in-range-parsing.patch
 usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
+iio-querying-buffer-scan_mask-should-return-0-1.patch
+iio-adc-at91_adc-repair-broken-platform_data-support.patch
+iio-cm32181-fix-read-integration-time-function.patch
+iio-cm36651-fix-i2c-client-leak-and-possible-null-pointer-dereference.patch
+nfsv4-fix-a-use-after-free-problem-in-open.patch
+nfsd-revert-v2-half-of-nfsd-don-t-return-high-mode-bits.patch
+nfsd4-session-needs-room-for-following-op-to-error-out.patch
+nfsd4-buffer-length-check-for-suppattr_exclcreat.patch
+nfsd4-fix-test_stateid-error-reply-encoding.patch
+nfsd4-leave-reply-buffer-space-for-failed-setattr.patch
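Review bot: After this change `opendata->f_attr.mdsthreshold` has two possible owners and _nfs4_do_open() (fs/nfs/nfs4proc.c) does not say so: it is handed to `*ctx_th` when `pnfs_use_threshold()` accepts it, and otherwise freed by the new `kfree()` in nfs4_opendata_free(). A comment at the hand-over, e.g. `/* ownership moves to the caller's ctx_th; anything left is freed in nfs4_opendata_free() */`, would keep a later edit from putting a free back on the error path. The allocation no longer tests `ctx_th`, so the `*ctx_th = ...` store depends on `pnfs_use_threshold()` returning false for a NULL `ctx_th`; that helper is outside the hunks and should be checked. _nfs4_do_open() starts and ends outside the lines shown.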