From 6287cc6b07368465d633b1d1b3a98aaab58b4784 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 12 Jun 2014 15:27:53 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
staging-zram-fix-memory-leak-by-refcount-mismatch.patch
zram-protect-sysfs-handler-from-invalid-memory-access.patch
---
 queue-3.4/series | 2 +
 ...fix-memory-leak-by-refcount-mismatch.patch | 70 +++++++++++++++++++
 ...s-handler-from-invalid-memory-access.patch | 45 ++++++++++++
 3 files changed, 117 insertions(+)
 create mode 100644 queue-3.4/staging-zram-fix-memory-leak-by-refcount-mismatch.patch
 create mode 100644 queue-3.4/zram-protect-sysfs-handler-from-invalid-memory-access.patch

diff --git a/queue-3.4/series b/queue-3.4/series
index f4f1adef1f5..3f8fe3d9797 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1,3 +1,5 @@
 mlx4_en-don-t-use-napi_synchronize-inside-mlx4_en_netpoll.patch
 netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch
 powerpc-fix-64-bit-builds-with-binutils-2.24.patch
+zram-protect-sysfs-handler-from-invalid-memory-access.patch
+staging-zram-fix-memory-leak-by-refcount-mismatch.patch
diff --git a/queue-3.4/staging-zram-fix-memory-leak-by-refcount-mismatch.patch b/queue-3.4/staging-zram-fix-memory-leak-by-refcount-mismatch.patch
new file mode 100644
index 00000000000..2920a87e8ab
--- /dev/null
+++ b/queue-3.4/staging-zram-fix-memory-leak-by-refcount-mismatch.patch
@@ -0,0 +1,70 @@
+From 1b672224d128ec2570eb37572ff803cfe452b4f7 Mon Sep 17 00:00:00 2001
+From: Rashika Kheria
+Date: Sun, 10 Nov 2013 22:13:53 +0530
+Subject: Staging: zram: Fix memory leak by refcount mismatch
+
+From: Rashika Kheria
+
+commit 1b672224d128ec2570eb37572ff803cfe452b4f7 upstream.
+
+As suggested by Minchan Kim and Jerome Marchand "The code in reset_store
+get the block device (bdget_disk()) but it does not put it (bdput()) when
+it's done using it. The usage count is therefore incremented but never
+decremented."
+
+This patch also puts bdput() for all error cases.
+
+Acked-by: Minchan Kim
+Acked-by: Jerome Marchand
+Signed-off-by: Rashika Kheria
+[bwh: Backported to 3.2: adjust filename, context]
+Signed-off-by: Ben Hutchings
+[wyj: Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/zram/zram_sysfs.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/zram/zram_sysfs.c
++++ b/drivers/staging/zram/zram_sysfs.c
+@@ -99,18 +99,23 @@ static ssize_t reset_store(struct device
+ return -ENOMEM;
+
+ /* Do not reset an active device! */
+- if (bdev->bd_holders)
+- return -EBUSY;
++ if (bdev->bd_holders) {
++ ret = -EBUSY;
++ goto out;
++ }
+
+ ret = kstrtou16(buf, 10, &do_reset);
+ if (ret)
+- return ret;
++ goto out;
+
+- if (!do_reset)
+- return -EINVAL;
++ if (!do_reset) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ /* Make sure all pending I/O is finished */
+ fsync_bdev(bdev);
++ bdput(bdev);
+
+ down_write(&zram->init_lock);
+ if (zram->init_done)
+@@ -118,6 +123,10 @@ static ssize_t reset_store(struct device
+ up_write(&zram->init_lock);
+
+ return len;
++
++out:
++ bdput(bdev);
++ return ret;
+ }
+
+ static ssize_t num_reads_show(struct device *dev,
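Review bot: The `bd_holders` test in reset_store remains a check-then-act race: it runs with no lock held, and the added `bdput(bdev)` after `fsync_bdev()` drops the reference before `down_write(&zram->init_lock)`, so a claim on the device that lands in that window is not seen by the time the reset runs (the reset call itself presumably sits on the line skipped between the two inner hunks). The reference counting itself looks balanced on every path shown. Consider holding `bdev->bd_mutex` from the `bd_holders` check until the reset has finished, or at minimum record the gap with a comment above the check such as `/* racy: a holder can appear after this test and before the reset below */`. The start of reset_store, including the `bdget_disk()` call the description refers to, is outside the hunk.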
diff --git a/queue-3.4/zram-protect-sysfs-handler-from-invalid-memory-access.patch b/queue-3.4/zram-protect-sysfs-handler-from-invalid-memory-access.patch
new file mode 100644
index 00000000000..b1e91896e6f
--- /dev/null
+++ b/queue-3.4/zram-protect-sysfs-handler-from-invalid-memory-access.patch
@@ -0,0 +1,45 @@
+From 5863e10b441e7ea4b492f930f1be180a97d026f3 Mon Sep 17 00:00:00 2001
+From: Jiang Liu
+Date: Fri, 7 Jun 2013 00:07:27 +0800
+Subject: zram: protect sysfs handler from invalid memory access
+
+From: Jiang Liu
+
+commit 5863e10b441e7ea4b492f930f1be180a97d026f3 upstream.
+
+Use zram->init_lock to protect access to zram->meta, otherwise it
+may cause invalid memory access if zram->meta has been freed by
+zram_reset_device().
+
+This issue may be triggered by:
+Thread 1:
+while true; do cat mem_used_total; done
+Thread 2:
+while true; do echo 8M > disksize; echo 1 > reset; done
+
+Signed-off-by: Jiang Liu
+Acked-by: Minchan Kim
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+[wyj: Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/zram/zram_sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/zram/zram_sysfs.c
++++ b/drivers/staging/zram/zram_sysfs.c
+@@ -188,10 +188,12 @@ static ssize_t mem_used_total_show(struc
+ u64 val = 0;
+ struct zram *zram = dev_to_zram(dev);
+
++ down_read(&zram->init_lock);
+ if (zram->init_done) {
+ val = zs_get_total_size_bytes(zram->mem_pool) +
+ ((u64)(zram->stats.pages_expand) << PAGE_SHIFT);
+ }
++ up_read(&zram->init_lock);
+
+ return sprintf(buf, "%llu\n", val);
+ }
--
2.47.3
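Review bot: The commit text says the lock protects `zram->meta`, but the only pointer this 3.4 hunk guards in mem_used_total_show is `zram->mem_pool`, and the backport line says only "adjust context". Someone auditing the stable tree against the upstream description will look for a field that does not appear here; the note could read `[wyj: Backported to 3.4: adjust context, guard zram->mem_pool instead of zram->meta]`. A short comment above the `down_read()` call, for example `/* init_lock keeps mem_pool valid against a concurrent reset */`, would also state why the read lock is taken. Whether other show handlers in zram_sysfs.c dereference `mem_pool` without the lock cannot be told from here, because the function's full signature and the rest of the file are outside the hunk.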