Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-3.14.y 2016-09-11T08:00:18Z 2016-09-11T08:00:18Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2016-09-11T08:00:18Z urn:sha1:b65f2f457c49b2cfd7967c34b7a0b04c25587f13 2016-09-11T07:59:59Z Andrea Arcangeli aarcange@redhat.com 2016-02-26T23:19:28Z urn:sha1:09a2499466dc69d1e54e8e879d4591cdd0ca17c8 commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream. pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were introduced to locklessy (but atomically) detect when a pmd is a regular (stable) pmd or when the pmd is unstable and can infinitely transition from pmd_none() and pmd_trans_huge() from under us, while only holding the mmap_sem for reading (for writing not). While holding the mmap_sem only for reading, MADV_DONTNEED can run from under us and so before we can assume the pmd to be a regular stable pmd we need to compare it against pmd_none() and pmd_trans_huge() in an atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a tiny window for a race. Useful applications are unlikely to notice the difference as doing MADV_DONTNEED concurrently with a page fault would lead to undefined behavior. [js] 3.12 backport: no pmd_devmap in 3.12 yet. [akpm@linux-foundation.org: tidy up comment grammar/layout] Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Willy Tarreau w@1wt.eu 2016-08-27T09:31:35Z urn:sha1:7cac57a69919afdf3bdda5242afdd535b2d9a2b0 I checked Jari's explanation below and found that v3.14.77 and v3.12.62 are missing the same fix as 3.10. In fact Al's original commit 3d56c25 ("fix d_walk()/non-delayed __d_free() race") used to mention to check this __d_materialise_dentry() function in the Cc: stable line, but this got lost during the backports. Normally all of our 3 kernels need to apply the following patch that Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103 right now. On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote: > This patch for 3.10 branch appears to be missing one important > > + dentry->d_flags |= DCACHE_RCUACCESS; > > in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings > backported Al Viro's original fix to stable branches that he maintains, > he added that one additional line to both 3.2 and 3.16 branches. Please > consider including that additional one line fix for 3.10 stable branch > also. > > > Ben Hutchings said this on his 3.2.82-rc1 patch: > [bwh: Backported to 3.2: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117565612275&w=2 > > > Ben Hutchings said this on his 3.16.37-rc1 patch: > [bwh: Backported to 3.16: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117433412006&w=2 > > > Also mentioned by Sasha Levin on 3.18 and 4.1 commits: > Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry()) > > http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2 > http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Martin Schwidefsky schwidefsky@de.ibm.com 2016-04-25T15:54:28Z urn:sha1:78a4260f1fad5cfc6ad7cf6e01a93a2fed0d0e3e commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream. The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Kangjie Lu kangjielu@gmail.com 2016-06-02T08:11:20Z urn:sha1:d57906c6850c5bb9a93841da3deb6df53135d133 commit 4116def2337991b39919f3b448326e21c40e0dbb upstream. The last field "flags" of object "minfo" is not initialized. Copying this object out may leak kernel stack data. Assign 0 to it to avoid leak. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Ian Abbott abbotti@mev.co.uk 2016-09-07T14:33:12Z urn:sha1:f842188c4f4f63a5b6fb59f45ac121162c0ab4c4 commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream. For counter subdevices, the `s->insn_write` handler is being set to the wrong function, `ni_tio_insn_read()`. It should be `ni_tio_insn_write()`. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reported-by: Éric Piel <piel@delmic.com> Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Theodore Ts'o tytso@mit.edu 2016-08-01T04:51:02Z urn:sha1:553a1f6d027a8e0c59ca7bbe0f26a25d1881cfef commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream. A number of fuzzing failures seem to be caused by allocation bitmaps or other metadata blocks being pointed at the superblock. This can cause kernel BUG or WARNings once the superblock is overwritten, so validate the group descriptor blocks to make sure this doesn't happen. Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Alexander Shiyan shc_work@mail.ru 2014-02-26T02:41:14Z urn:sha1:a6e226c25157082a043cce63d14ecab68fdcc433 commit 7e6bd12fb77b0067df13fb3ba3fadbdff2945396 upstream. We are checking sizeof() the wrong variable! Signed-off-by: Alexander Shiyan <shc_work@mail.ru> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z Tomer Barletz barletz@gmail.com 2015-08-02T09:08:57Z urn:sha1:7ae8ffd384be9159cf057affd17caf2a687f493f commit 8ec7cfce3762299ae289c384e281b2f4010ae231 upstream. This fixes the following warning, that is seen with gcc 5.1: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]. Signed-off-by: Tomer Barletz <barletz@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-11T07:59:58Z James C Boyd jcboyd.dev@gmail.com 2015-05-27T22:09:06Z urn:sha1:ac98961e44fa5df4383f0a60f0c4923f368da1d8 commit 09a5c34e8d6b05663ec4c3d22b1fbd9fec89aaf9 upstream. GCC reports a -Wlogical-not-parentheses warning here; therefore add parentheses to shut it up and to express our intent more. Signed-off-by: James C Boyd <jcboyd.dev@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>