Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.4.96 2014-07-01T03:05:38+00:00 2014-07-01T03:05:38+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2014-07-01T03:05:38+00:00 urn:sha1:3e3d5f6146c3f684f4b7bd71feffc31e1c668754 2014-07-01T03:01:34+00:00 Andy Lutomirski luto@amacapital.net 2014-06-23T21:22:15+00:00 urn:sha1:d3007333170435135f0620fb52386aad3fb2a14f commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream. The bad syscall nr paths are their own incomprehensible route through the entry control flow. Rearrange them to work just like syscalls that return -ENOSYS. This fixes an OOPS in the audit code when fast-path auditing is enabled and sysenter gets a bad syscall nr (CVE-2014-4508). This has probably been broken since Linux 2.6.27: af0575bba0 i386 syscall audit fast-path Cc: Roland McGrath <roland@redhat.com> Reported-by: Toralf Förster <toralf.foerster@gmx.de> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Roger Quadros rogerq@ti.com 2013-12-18T10:10:10+00:00 urn:sha1:3b0d0894ebaede13481207275e075f2975fb30a3 commit e5e4746510d140261918aecce2e5e3aa4456f7e9 upstream. Without a timetout some tests e.g. test_halt() can remain stuck forever. Signed-off-by: Roger Quadros <rogerq@ti.com> Reviewed-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Eric Sandeen sandeen@redhat.com 2014-06-12T05:39:58+00:00 urn:sha1:e18bac2cae5d6efa474611a2dc825b7749760af4 commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream. If this condition in end_extent_writepage() is false: if (tree->ops && tree->ops->writepage_end_io_hook) we will then test an uninitialized "ret" at: ret = ret < 0 ? ret : -EIO; The test for ret is for the case where ->writepage_end_io_hook failed, and we'd choose that ret as the error; but if there is no ->writepage_end_io_hook, nothing sets ret. Initializing ret to 0 should be sufficient; if writepage_end_io_hook wasn't set, (!uptodate) means non-zero err was passed in, so we choose -EIO in that case. Signed-of-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Liu Bo bo.li.liu@oracle.com 2014-06-08T11:04:13+00:00 urn:sha1:64b84ef0258d03d80d2581b7f44b7630e945e612 commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream. We want to make sure the point is still within the extent item, not to verify the memory it's pointing to. Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Rickard Strandqvist rickard_strandqvist@spectrumdigital.se 2014-05-22T20:43:43+00:00 urn:sha1:8f1dd63b01d0ab74032c77cad7a664da8a59dc2c commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream. There is otherwise a risk of a possible null pointer dereference. Was largely found by using a static code analysis program called cppcheck. Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Chris Mason clm@fb.com 2014-05-21T12:49:54+00:00 urn:sha1:a25ebe211246ea835f165c371d744f2d65260d64 commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream. We need to NULL the cached_state after freeing it, otherwise we might free it again if find_delalloc_range doesn't find anything. Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Michael S. Tsirkin mst@redhat.com 2014-03-10T17:28:08+00:00 urn:sha1:2edae61bce495df81c58eb0b93faac301de849c7 commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream. skb_segment copies frags around, so we need to copy them carefully to avoid accessing user memory after reporting completion to userspace through a callback. skb_segment doesn't normally happen on datapath: TSO needs to be disabled - so disabling zero copy in this case does not look like a big deal. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.2. As skb_segment() only supports page-frags *or* a frag list, there is no need for the additional frag_skb pointer or the preparatory renaming.] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Michael S. Tsirkin mst@redhat.com 2012-07-20T09:23:20+00:00 urn:sha1:2f3ca8e5606f49ff02a0133fdbe2e6b852cb1e64 commit dcc0fb782b3a6e2abfeaaeb45dd88ed09596be0f upstream. Export skb_copy_ubufs so that modules can orphan frags. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-07-01T03:01:33+00:00 Michael S. Tsirkin mst@redhat.com 2012-07-20T09:23:07+00:00 urn:sha1:1f29351617ffe827edf80ffdfdef2da3a2494f96 commit a353e0ce0fd42d8859260666d1e9b10f2abd4698 upstream. Many places do if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY)) skb_copy_ubufs(skb, gfp_mask); to copy and invoke frag destructors if necessary. Add an inline helper for this. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>