commit b65f2f457c49b2cfd7967c34b7a0b04c25587f13 Author: Greg Kroah-Hartman Date: Sun Sep 11 10:00:18 2016 +0200 Linux 3.14.79 commit 09a2499466dc69d1e54e8e879d4591cdd0ca17c8 Author: Andrea Arcangeli Date: Fri Feb 26 15:19:28 2016 -0800 mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream. pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were introduced to locklessy (but atomically) detect when a pmd is a regular (stable) pmd or when the pmd is unstable and can infinitely transition from pmd_none() and pmd_trans_huge() from under us, while only holding the mmap_sem for reading (for writing not). While holding the mmap_sem only for reading, MADV_DONTNEED can run from under us and so before we can assume the pmd to be a regular stable pmd we need to compare it against pmd_none() and pmd_trans_huge() in an atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a tiny window for a race. Useful applications are unlikely to notice the difference as doing MADV_DONTNEED concurrently with a page fault would lead to undefined behavior. [js] 3.12 backport: no pmd_devmap in 3.12 yet. [akpm@linux-foundation.org: tidy up comment grammar/layout] Signed-off-by: Andrea Arcangeli Reported-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Vlastimil Babka Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman commit 7cac57a69919afdf3bdda5242afdd535b2d9a2b0 Author: Willy Tarreau Date: Sat Aug 27 11:31:35 2016 +0200 fix d_walk()/non-delayed __d_free() race I checked Jari's explanation below and found that v3.14.77 and v3.12.62 are missing the same fix as 3.10. In fact Al's original commit 3d56c25 ("fix d_walk()/non-delayed __d_free() race") used to mention to check this __d_materialise_dentry() function in the Cc: stable line, but this got lost during the backports. Normally all of our 3 kernels need to apply the following patch that Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103 right now. On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote: > This patch for 3.10 branch appears to be missing one important > > + dentry->d_flags |= DCACHE_RCUACCESS; > > in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings > backported Al Viro's original fix to stable branches that he maintains, > he added that one additional line to both 3.2 and 3.16 branches. Please > consider including that additional one line fix for 3.10 stable branch > also. > > > Ben Hutchings said this on his 3.2.82-rc1 patch: > [bwh: Backported to 3.2: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117565612275&w=2 > > > Ben Hutchings said this on his 3.16.37-rc1 patch: > [bwh: Backported to 3.16: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117433412006&w=2 > > > Also mentioned by Sasha Levin on 3.18 and 4.1 commits: > Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry()) > > http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2 > http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2 Signed-off-by: Greg Kroah-Hartman commit 78a4260f1fad5cfc6ad7cf6e01a93a2fed0d0e3e Author: Martin Schwidefsky Date: Mon Apr 25 17:54:28 2016 +0200 s390/sclp_ctl: fix potential information leak with /dev/sclp commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream. The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang Reviewed-by: Michael Holzheu Signed-off-by: Martin Schwidefsky Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit d57906c6850c5bb9a93841da3deb6df53135d133 Author: Kangjie Lu Date: Thu Jun 2 04:11:20 2016 -0400 rds: fix an infoleak in rds_inc_info_copy commit 4116def2337991b39919f3b448326e21c40e0dbb upstream. The last field "flags" of object "minfo" is not initialized. Copying this object out may leak kernel stack data. Assign 0 to it to avoid leak. Signed-off-by: Kangjie Lu Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit f842188c4f4f63a5b6fb59f45ac121162c0ab4c4 Author: Ian Abbott Date: Wed Sep 7 15:33:12 2016 +0100 staging: comedi: ni_mio_common: fix wrong insn_write handler commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream. For counter subdevices, the `s->insn_write` handler is being set to the wrong function, `ni_tio_insn_read()`. It should be `ni_tio_insn_write()`. Signed-off-by: Ian Abbott Reported-by: Éric Piel Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)") Signed-off-by: Greg Kroah-Hartman commit 553a1f6d027a8e0c59ca7bbe0f26a25d1881cfef Author: Theodore Ts'o Date: Mon Aug 1 00:51:02 2016 -0400 ext4: validate that metadata blocks do not overlap superblock commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream. A number of fuzzing failures seem to be caused by allocation bitmaps or other metadata blocks being pointed at the superblock. This can cause kernel BUG or WARNings once the superblock is overwritten, so validate the group descriptor blocks to make sure this doesn't happen. Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit a6e226c25157082a043cce63d14ecab68fdcc433 Author: Alexander Shiyan Date: Tue Feb 25 23:41:14 2014 -0300 stb6100: fix buffer length check in stb6100_write_reg_range() commit 7e6bd12fb77b0067df13fb3ba3fadbdff2945396 upstream. We are checking sizeof() the wrong variable! Signed-off-by: Alexander Shiyan Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 7ae8ffd384be9159cf057affd17caf2a687f493f Author: Tomer Barletz Date: Sun Aug 2 02:08:57 2015 -0700 ALSA: oxygen: Fix logical-not-parentheses warning commit 8ec7cfce3762299ae289c384e281b2f4010ae231 upstream. This fixes the following warning, that is seen with gcc 5.1: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]. Signed-off-by: Tomer Barletz Signed-off-by: Takashi Iwai Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit ac98961e44fa5df4383f0a60f0c4923f368da1d8 Author: James C Boyd Date: Wed May 27 17:09:06 2015 -0500 HID: hid-input: Add parentheses to quell gcc warning commit 09a5c34e8d6b05663ec4c3d22b1fbd9fec89aaf9 upstream. GCC reports a -Wlogical-not-parentheses warning here; therefore add parentheses to shut it up and to express our intent more. Signed-off-by: James C Boyd Signed-off-by: Jiri Kosina Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 399a950315eb2de1db72a2f01cf41ccf59541996 Author: Tim Gardner Date: Fri Oct 30 12:22:58 2015 -0600 be2iscsi: Fix bogus WARN_ON length check commit dd29dae00d39186890a5eaa2fe4ad8768bfd41a9 upstream. drivers/scsi/be2iscsi/be_main.c: In function 'be_sgl_create_contiguous': drivers/scsi/be2iscsi/be_main.c:3187:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] WARN_ON(!length > 0); gcc version 5.2.1 Signed-off-by: Tim Gardner Cc: Jayamohan Kallickal Cc: Minh Tran Cc: John Soni Jose Cc: "James E.J. Bottomley" Reported-by: Joel Stanley Reviewed-by: Manoj Kumar Signed-off-by: Martin K. Petersen Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit bf9f0884fe92f1ed70575ab71d1c4113728a12b4 Author: Greg Kroah-Hartman Date: Fri Sep 9 13:32:42 2016 +0200 Revert "can: fix handling of unmodifiable configuration options fix" This reverts commit 6f8f768a3586b6fbd50e249e7fe4f964a6994685 which was bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream. It was applied incorrectly, and isn't needed for 3.14-stable. Reported-by: Willy Tarreau Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org