* [request for 3.10 inclusion][PATCH 0/3] Address 3 CVEs
@ 2015-06-03  2:09 Sheng Yong
From: Sheng Yong @ 2015-06-03  2:09 UTC (permalink / raw)
  To: gregkh; +Cc: stable, fdmanana

Hi, Greg

PATCH 1 fixes CVE-2015-3339, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3339
PATCH 2 fixes CVE-2015-2666, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2666
PATCH 3 fixes CVE-2014-9710, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9710

PATCH 1 and 3 are merged into 3.12-stable. If you would like to cherry-pick
them from 3.12-stable, the commits are (both of them can be applied
directly):

5176b77f1aacdc560eaeac4685ade444bb814689 fs: take i_mutex during prepare_binprm for set[ug]id executables
c5988181af3b41381c4d20e08ca6852f99f95417 x86/microcode/intel: Guard against stack overflow in the loader

Thanks,
Sheng

Sheng Yong (3):
  fs: take i_mutex during prepare_binprm for set[ug]id executables
  x86/microcode/intel: Guard against stack overflow in the loader
  Btrfs: make xattr replace operations atomic

 arch/x86/kernel/microcode_intel_early.c |   2 +-
 fs/btrfs/ctree.c                        |   2 +-
 fs/btrfs/ctree.h                        |   5 +
 fs/btrfs/dir-item.c                     |  10 +-
 fs/btrfs/xattr.c                        | 159 ++++++++++++++++++++------------
 fs/exec.c                               |  79 +++++++++-------
 6 files changed, 160 insertions(+), 97 deletions(-)

-- 
1.8.3.4



* [request for 3.10 inclusion][PATCH 1/3] fs: take i_mutex during prepare_binprm for set[ug]id executables
@ 2015-06-03  2:09 ` Sheng Yong
From: Sheng Yong @ 2015-06-03  2:09 UTC (permalink / raw)
  To: gregkh; +Cc: stable, fdmanana

From: Jann Horn <jann@thejh.net>

commit 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 upstream.

This prevents a race between chown() and execve(), where chowning a
setuid-user binary to root would momentarily make the binary setuid
root.

This patch was mostly written by Linus Torvalds.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[shengyong: backport to 3.10
 - FIX: CVE-2015-3339
 - adjust context
 - task_no_new_privs() was added in commit 1d4457f ('sched: move no_new_privs
   into new atomic flags'), which is not available in 3.10-stable, so we
   still use task_struct->no_new_privs
 - READ_ONCE() was added in v3.19, so use ACCESS_ONCE instead of READ_ONCE
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
---
 fs/exec.c | 79 ++++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 48 insertions(+), 31 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index dd6aa61..8507abd 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1265,6 +1265,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
 	return res;
 }
 
+static void bprm_fill_uid(struct linux_binprm *bprm)
+{
+	struct inode *inode;
+	unsigned int mode;
+	kuid_t uid;
+	kgid_t gid;
+
+	/* clear any previous set[ug]id data from a previous binary */
+	bprm->cred->euid = current_euid();
+	bprm->cred->egid = current_egid();
+
+	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+		return;
+
+	if (current->no_new_privs)
+		return;
+
+	inode = file_inode(bprm->file);
+	mode = ACCESS_ONCE(inode->i_mode);
+	if (!(mode & (S_ISUID|S_ISGID)))
+		return;
+
+	/* Be careful if suid/sgid is set */
+	mutex_lock(&inode->i_mutex);
+
+	/* reload atomically mode/uid/gid now that lock held */
+	mode = inode->i_mode;
+	uid = inode->i_uid;
+	gid = inode->i_gid;
+	mutex_unlock(&inode->i_mutex);
+
+	/* We ignore suid/sgid if there are no mappings for them in the ns */
+	if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
+		 !kgid_has_mapping(bprm->cred->user_ns, gid))
+		return;
+
+	if (mode & S_ISUID) {
+		bprm->per_clear |= PER_CLEAR_ON_SETID;
+		bprm->cred->euid = uid;
+	}
+
+	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+		bprm->per_clear |= PER_CLEAR_ON_SETID;
+		bprm->cred->egid = gid;
+	}
+}
+
 /* 
  * Fill the binprm structure from the inode. 
  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
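Review bot: the comment at `/* reload atomically mode/uid/gid now that lock held */` undersells the point of the new function; say explicitly that `mode`, `uid` and `gid` are captured as one snapshot under `i_mutex`, the lock chown()/chmod() hold while they update the inode, so an exec can no longer pair an S_ISUID bit read before a chown with an i_uid read after it, which is the race the commit message describes. The lockless `ACCESS_ONCE(inode->i_mode)` test above it is only a fast path: a stale mode without set[ug]id bits makes the exec run unprivileged, the safe direction. Minor: the continuation line `!kgid_has_mapping(bprm->cred->user_ns, gid))` is indented with a tab plus one space; align it under the opening parenthesis like the rest of the file.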
@@ -1273,39 +1320,9 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
  */
 int prepare_binprm(struct linux_binprm *bprm)
 {
-	umode_t mode;
-	struct inode * inode = file_inode(bprm->file);
 	int retval;
 
-	mode = inode->i_mode;
-	if (bprm->file->f_op == NULL)
-		return -EACCES;
-
-	/* clear any previous set[ug]id data from a previous binary */
-	bprm->cred->euid = current_euid();
-	bprm->cred->egid = current_egid();
-
-	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
-	    !current->no_new_privs &&
-	    kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
-	    kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
-		/* Set-uid? */
-		if (mode & S_ISUID) {
-			bprm->per_clear |= PER_CLEAR_ON_SETID;
-			bprm->cred->euid = inode->i_uid;
-		}
-
-		/* Set-gid? */
-		/*
-		 * If setgid is set but no group execute bit then this
-		 * is a candidate for mandatory locking, not a setgid
-		 * executable.
-		 */
-		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-			bprm->per_clear |= PER_CLEAR_ON_SETID;
-			bprm->cred->egid = inode->i_gid;
-		}
-	}
+	bprm_fill_uid(bprm);
 
 	/* fill in binprm security blob */
 	retval = security_bprm_set_creds(bprm);
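Review bot: two things disappear in this hunk that the bracketed backport notes do not mention. First, `if (bprm->file->f_op == NULL) return -EACCES;` is removed; upstream could live without it because from v3.13 on f_op is never NULL ("file->f_op is never NULL any more"), but 3.10 has no such guarantee, so either keep that check at the top of prepare_binprm() or state in the backport notes why losing it is safe. Second, the comment explaining that S_ISGID without S_IXGRP marks a mandatory-locking candidate rather than a setgid executable is deleted with the old block but not carried into bprm_fill_uid(), where the identical `(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)` test now lives; move the comment together with the test.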
-- 
1.8.3.4



* [request for 3.10 inclusion][PATCH 2/3] x86/microcode/intel: Guard against stack overflow in the loader
@ 2015-06-03  2:09 ` Sheng Yong
From: Sheng Yong @ 2015-06-03  2:09 UTC (permalink / raw)
  To: gregkh; +Cc: stable, fdmanana

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

commit f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 upstream.

mc_saved_tmp is a static array allocated on the stack, we need to make
sure mc_saved_count stays within its bounds, otherwise we're overflowing
the stack in _save_mc(). A specially crafted microcode header could lead
to a kernel crash or potentially kernel execution.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
Signed-off-by: Borislav Petkov <bp@suse.de>
[shengyong: backport to 3.10
 - FIX: CVE-2015-2666
 - arch/x86/kernel/microcode_intel_early.c was git-mv'ed to
   arch/x86/kernel/cpu/micro/intel_early.c in v3.14-rc1, so we change the
   same function in the original file
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
---
 arch/x86/kernel/microcode_intel_early.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/microcode_intel_early.c b/arch/x86/kernel/microcode_intel_early.c
index 2e9e128..a883942 100644
--- a/arch/x86/kernel/microcode_intel_early.c
+++ b/arch/x86/kernel/microcode_intel_early.c
@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
 	unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
 	int i;
 
-	while (leftover) {
+	while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
 		mc_header = (struct microcode_header_intel *)ucode_ptr;
 
 		mc_size = get_totalsize(mc_header);
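Review bot: the new bound `mc_saved_count < ARRAY_SIZE(mc_saved_tmp)` makes the loop stop silently once the array is full, so any microcode entries still in `leftover` are dropped without a diagnostic; a pr_warn (or at least a comment) would make a truncated or oversized update visible in dmesg instead of just missing. The check runs once per iteration before the header is parsed, so it is sufficient only if each pass adds at most one entry to mc_saved_tmp; if `_save_mc()` can advance mc_saved_count by more than one, the test has to sit next to the store.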
-- 
1.8.3.4



* [request for 3.10 inclusion][PATCH 3/3] Btrfs: make xattr replace operations atomic
@ 2015-06-03  2:09 ` Sheng Yong
From: Sheng Yong @ 2015-06-03  2:09 UTC (permalink / raw)
  To: gregkh; +Cc: stable, fdmanana

From: Filipe Manana <fdmanana@suse.com>

commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream.

Replacing an xattr consists of doing a lookup for its existing value, deleting
the current value from the respective leaf, releasing the search path and then
finally inserting the new value. This leaves a time window where readers (getxattr,
listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
so this has security implications.

This change also fixes 2 other existing issues which were:

*) Deleting the old xattr value without verifying first if the new xattr will
   fit in the existing leaf item (in case multiple xattrs are packed in the
   same item due to name hash collision);

*) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
   exist but we have an existing item that packs multiple xattrs with
   the same name hash as the input xattr. In this case we should return ENOSPC.

A test case for xfstests follows soon.

Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
implementation.

Reported-by: Alexandre Oliva <oliva@gnu.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
[shengyong: backport to 3.10
 - FIX: CVE-2014-9710
 - adjust context
 - ASSERT() was added in v3.12, so we do the check with an if statement
 - set the first parameter of btrfs_item_nr() to NULL, because it is not
   used, and it is removed in v3.13
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
---
 fs/btrfs/ctree.c    |   2 +-
 fs/btrfs/ctree.h    |   5 ++
 fs/btrfs/dir-item.c |  10 +---
 fs/btrfs/xattr.c    | 159 +++++++++++++++++++++++++++++++++-------------------
 4 files changed, 111 insertions(+), 65 deletions(-)

diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 7fb054b..82f14a1 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2769,7 +2769,7 @@ done:
 	 */
 	if (!p->leave_spinning)
 		btrfs_set_path_blocking(p);
-	if (ret < 0)
+	if (ret < 0 && !p->skip_release_on_error)
 		btrfs_release_path(p);
 	return ret;
 }
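Review bot: `!p->skip_release_on_error` changes the error contract of btrfs_search_slot() for callers that set the bit: on `ret < 0` the path comes back still holding its nodes and locks, so every such caller must release or free it on every error return (do_setxattr() relies on btrfs_free_path() at `out:` for this). A one-line comment above the test is worth it, because a future caller that sets the flag and returns early on error would leak locked extent buffers.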
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index d6dd49b..c19444e 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -586,6 +586,7 @@ struct btrfs_path {
 	unsigned int skip_locking:1;
 	unsigned int leave_spinning:1;
 	unsigned int search_commit_root:1;
+	unsigned int skip_release_on_error:1;
 };
 
 /*
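Review bot: `skip_release_on_error:1` is a contract flag rather than a search option, so it deserves a comment in struct btrfs_path stating that, when set, btrfs_search_slot() leaves the path populated and locked on error and the caller owns releasing it.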
@@ -3406,6 +3407,10 @@ struct btrfs_dir_item *btrfs_lookup_xattr(struct btrfs_trans_handle *trans,
 int verify_dir_item(struct btrfs_root *root,
 		    struct extent_buffer *leaf,
 		    struct btrfs_dir_item *dir_item);
+struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
+						 struct btrfs_path *path,
+						 const char *name,
+						 int name_len);
 
 /* orphan.c */
 int btrfs_insert_orphan_item(struct btrfs_trans_handle *trans,
diff --git a/fs/btrfs/dir-item.c b/fs/btrfs/dir-item.c
index 79e594e..6f61b9b 100644
--- a/fs/btrfs/dir-item.c
+++ b/fs/btrfs/dir-item.c
@@ -21,10 +21,6 @@
 #include "hash.h"
 #include "transaction.h"
 
-static struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
-			      struct btrfs_path *path,
-			      const char *name, int name_len);
-
 /*
  * insert a name into a directory, doing overflow properly if there is a hash
  * collision.  data_size indicates how big the item inserted should be.  On
@@ -383,9 +379,9 @@ struct btrfs_dir_item *btrfs_lookup_xattr(struct btrfs_trans_handle *trans,
  * this walks through all the entries in a dir item and finds one
  * for a specific name.
  */
-static struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
-			      struct btrfs_path *path,
-			      const char *name, int name_len)
+struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_root *root,
+						 struct btrfs_path *path,
+						 const char *name, int name_len)
 {
 	struct btrfs_dir_item *dir_item;
 	unsigned long name_ptr;
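Review bot: with `static` dropped, btrfs_match_dir_item_name() becomes an interface for other files, and its comment ("this walks through all the entries in a dir item") should spell out the precondition that `path` is already positioned on the leaf and slot holding the dir item (the new caller in xattr.c arrives here straight from btrfs_insert_xattr_item() returning -EOVERFLOW or -EEXIST) and that the returned pointer is only valid while that leaf stays locked.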
diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
index 05740b9..9cf20d6 100644
--- a/fs/btrfs/xattr.c
+++ b/fs/btrfs/xattr.c
@@ -27,6 +27,7 @@
 #include "transaction.h"
 #include "xattr.h"
 #include "disk-io.h"
+#include "locking.h"
 
 
 ssize_t __btrfs_getxattr(struct inode *inode, const char *name,
@@ -89,7 +90,7 @@ static int do_setxattr(struct btrfs_trans_handle *trans,
 		       struct inode *inode, const char *name,
 		       const void *value, size_t size, int flags)
 {
-	struct btrfs_dir_item *di;
+	struct btrfs_dir_item *di = NULL;
 	struct btrfs_root *root = BTRFS_I(inode)->root;
 	struct btrfs_path *path;
 	size_t name_len = strlen(name);
@@ -101,84 +102,128 @@ static int do_setxattr(struct btrfs_trans_handle *trans,
 	path = btrfs_alloc_path();
 	if (!path)
 		return -ENOMEM;
+	path->skip_release_on_error = 1;
+
+	if (!value) {
+		di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode),
+					name, name_len, -1);
+		if (!di && (flags & XATTR_REPLACE))
+			ret = -ENODATA;
+		else if (di)
+			ret = btrfs_delete_one_dir_name(trans, root, path, di);
+		goto out;
+	}
 
+	/*
+	 * For a replace we can't just do the insert blindly.
+	 * Do a lookup first (read-only btrfs_search_slot), and return if xattr
+	 * doesn't exist. If it exists, fall down below to the insert/replace
+	 * path - we can't race with a concurrent xattr delete, because the VFS
+	 * locks the inode's i_mutex before calling setxattr or removexattr.
+	 */
 	if (flags & XATTR_REPLACE) {
-		di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode), name,
-					name_len, -1);
-		if (IS_ERR(di)) {
-			ret = PTR_ERR(di);
-			goto out;
-		} else if (!di) {
+		if(!mutex_is_locked(&inode->i_mutex)) {
+			pr_err("BTRFS: assertion failed: %s, file: %s, line: %d",
+			       "mutex_is_locked(&inode->i_mutex)", __FILE__,
+			       __LINE__);
+			BUG();
+		}
+		di = btrfs_lookup_xattr(NULL, root, path, btrfs_ino(inode),
+					name, name_len, 0);
+		if (!di) {
 			ret = -ENODATA;
 			goto out;
 		}
-		ret = btrfs_delete_one_dir_name(trans, root, path, di);
-		if (ret)
-			goto out;
 		btrfs_release_path(path);
+		di = NULL;
+	}
 
+	ret = btrfs_insert_xattr_item(trans, root, path, btrfs_ino(inode),
+				      name, name_len, value, size);
+	if (ret == -EOVERFLOW) {
 		/*
-		 * remove the attribute
+		 * We have an existing item in a leaf, split_leaf couldn't
+		 * expand it. That item might have or not a dir_item that
+		 * matches our target xattr, so lets check.
 		 */
-		if (!value)
-			goto out;
-	} else {
-		di = btrfs_lookup_xattr(NULL, root, path, btrfs_ino(inode),
-					name, name_len, 0);
-		if (IS_ERR(di)) {
-			ret = PTR_ERR(di);
+		ret = 0;
+		btrfs_assert_tree_locked(path->nodes[0]);
+		di = btrfs_match_dir_item_name(root, path, name, name_len);
+		if (!di && !(flags & XATTR_REPLACE)) {
+			ret = -ENOSPC;
 			goto out;
 		}
-		if (!di && !value)
-			goto out;
-		btrfs_release_path(path);
+	} else if (ret == -EEXIST) {
+		ret = 0;
+		di = btrfs_match_dir_item_name(root, path, name, name_len);
+		if(!di) { /* logic error */
+			pr_err("BTRFS: assertion failed: %s, file: %s, line: %d",
+			       "di", __FILE__, __LINE__);
+			BUG();
+		}
+	} else if (ret) {
+		goto out;
 	}
 
-again:
-	ret = btrfs_insert_xattr_item(trans, root, path, btrfs_ino(inode),
-				      name, name_len, value, size);
-	/*
-	 * If we're setting an xattr to a new value but the new value is say
-	 * exactly BTRFS_MAX_XATTR_SIZE, we could end up with EOVERFLOW getting
-	 * back from split_leaf.  This is because it thinks we'll be extending
-	 * the existing item size, but we're asking for enough space to add the
-	 * item itself.  So if we get EOVERFLOW just set ret to EEXIST and let
-	 * the rest of the function figure it out.
-	 */
-	if (ret == -EOVERFLOW)
+	if (di && (flags & XATTR_CREATE)) {
 		ret = -EEXIST;
+		goto out;
+	}
 
-	if (ret == -EEXIST) {
-		if (flags & XATTR_CREATE)
-			goto out;
+	if (di) {
 		/*
-		 * We can't use the path we already have since we won't have the
-		 * proper locking for a delete, so release the path and
-		 * re-lookup to delete the thing.
+		 * We're doing a replace, and it must be atomic, that is, at
+		 * any point in time we have either the old or the new xattr
+		 * value in the tree. We don't want readers (getxattr and
+		 * listxattrs) to miss a value, this is specially important
+		 * for ACLs.
 		 */
-		btrfs_release_path(path);
-		di = btrfs_lookup_xattr(trans, root, path, btrfs_ino(inode),
-					name, name_len, -1);
-		if (IS_ERR(di)) {
-			ret = PTR_ERR(di);
-			goto out;
-		} else if (!di) {
-			/* Shouldn't happen but just in case... */
-			btrfs_release_path(path);
-			goto again;
+		const int slot = path->slots[0];
+		struct extent_buffer *leaf = path->nodes[0];
+		const u16 old_data_len = btrfs_dir_data_len(leaf, di);
+		const u32 item_size = btrfs_item_size_nr(leaf, slot);
+		const u32 data_size = sizeof(*di) + name_len + size;
+		struct btrfs_item *item;
+		unsigned long data_ptr;
+		char *ptr;
+
+		if (size > old_data_len) {
+			if (btrfs_leaf_free_space(root, leaf) <
+			    (size - old_data_len)) {
+				ret = -ENOSPC;
+				goto out;
+			}
 		}
 
-		ret = btrfs_delete_one_dir_name(trans, root, path, di);
-		if (ret)
-			goto out;
+		if (old_data_len + name_len + sizeof(*di) == item_size) {
+			/* No other xattrs packed in the same leaf item. */
+			if (size > old_data_len)
+				btrfs_extend_item(root, path,
+						  size - old_data_len);
+			else if (size < old_data_len)
+				btrfs_truncate_item(root, path, data_size, 1);
+		} else {
+			/* There are other xattrs packed in the same item. */
+			ret = btrfs_delete_one_dir_name(trans, root, path, di);
+			if (ret)
+				goto out;
+			btrfs_extend_item(root, path, data_size);
+		}
 
+		item = btrfs_item_nr(NULL, slot);
+		ptr = btrfs_item_ptr(leaf, slot, char);
+		ptr += btrfs_item_size(leaf, item) - data_size;
+		di = (struct btrfs_dir_item *)ptr;
+		btrfs_set_dir_data_len(leaf, di, size);
+		data_ptr = ((unsigned long)(di + 1)) + name_len;
+		write_extent_buffer(leaf, value, data_ptr, size);
+		btrfs_mark_buffer_dirty(leaf);
+	} else {
 		/*
-		 * We have a value to set, so go back and try to insert it now.
+		 * Insert, and we had space for the xattr, so path->slots[0] is
+		 * where our xattr dir_item is and btrfs_insert_xattr_item()
+		 * filled it.
 		 */
-		if (value) {
-			btrfs_release_path(path);
-			goto again;
-		}
 	}
 out:
 	btrfs_free_path(path);
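Review bot: both btrfs_lookup_xattr() calls lose their IS_ERR() handling. The removed code had `if (IS_ERR(di)) { ret = PTR_ERR(di); goto out; }` after each lookup; in the new `if (!value)` block an ERR_PTR is non-NULL, so `else if (di)` hands it straight to btrfs_delete_one_dir_name(), and in the XATTR_REPLACE block a search error is treated as "exists" and then thrown away by `di = NULL`, so a failed lookup silently becomes an insert. Restore an `else if (IS_ERR(di)) ret = PTR_ERR(di);` in the first and an `if (IS_ERR(di)) { ret = PTR_ERR(di); goto out; }` in the second. Smaller points: in the -EOVERFLOW branch the case `!di && (flags & XATTR_REPLACE)` falls through to the final `else` and returns 0 without writing anything; it should be unreachable because the earlier read-only lookup succeeded under i_mutex, so make it an explicit error rather than a silent success. `if(!mutex_is_locked` and `if(!di)` need a space after `if`.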
-- 
1.8.3.4


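An added userspace check, not part of the patch or of the btrfs tree, for the window the commit message describes: a forked writer replaces one `user.*` xattr with XATTR_REPLACE in a loop while the parent reads it back continuously and counts ENODATA results. The attribute name `user.replace_probe`, the function and result names are constructed for this example; it assumes a Linux filesystem with user xattr support and reports PROBE_UNSUPPORTED otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/xattr.h>

/* Constructed attribute name; the user.* namespace needs no privilege. */
#define PROBE_XATTR "user.replace_probe"

enum probe_result {
	PROBE_ATOMIC = 0,      /* reader never saw the attribute missing */
	PROBE_GAP_SEEN = 1,    /* reader got ENODATA mid-replace: the pre-fix window */
	PROBE_UNSUPPORTED = 2, /* filesystem has no user xattr support (ENOTSUP) */
	PROBE_ERROR = 3        /* setup or writer failure unrelated to the race */
};

/*
 * Create a temp file under dir (NULL means $TMPDIR or /tmp), seed one xattr,
 * then let a forked writer replace it `iterations` times while this process
 * reads it back continuously. Returns an enum probe_result value.
 */
int probe_xattr_replace(const char *dir, int iterations)
{
	char path[4096], val[64];
	int status = 0, gaps = 0, fd;
	pid_t pid;

	if (!dir) dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
	snprintf(path, sizeof path, "%s/xattr-probe-XXXXXX", dir);
	fd = mkstemp(path);
	if (fd < 0) return PROBE_ERROR;
	unlink(path); /* keep the open fd, drop the name */

	/* Seed with XATTR_CREATE so the later replaces have something to replace. */
	if (fsetxattr(fd, PROBE_XATTR, "v0", 2, XATTR_CREATE) != 0) {
		int e = errno;
		close(fd);
		return e == ENOTSUP ? PROBE_UNSUPPORTED : PROBE_ERROR;
	}

	pid = fork();
	if (pid < 0) { close(fd); return PROBE_ERROR; }
	if (pid == 0) {
		/* Writer: XATTR_REPLACE is the path the patch makes atomic. Value
		 * lengths change (value-9 vs value-10), exercising grow and shrink. */
		for (int i = 1; i <= iterations; i++) {
			int n = snprintf(val, sizeof val, "value-%d", i);
			if (fsetxattr(fd, PROBE_XATTR, val, n, XATTR_REPLACE) != 0)
				_exit(2);
		}
		_exit(0);
	}

	/* Reader: an ENODATA here is the lookup/delete/insert window the commit
	 * message describes; with the fix applied it never happens. */
	for (;;) {
		if (fgetxattr(fd, PROBE_XATTR, val, sizeof val) < 0) {
			if (errno != ENODATA) { /* unexpected error: stop probing */
				waitpid(pid, &status, 0);
				break;
			}
			gaps++;
		}
		if (waitpid(pid, &status, WNOHANG) == pid)
			break;
	}
	close(fd);
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return PROBE_ERROR;
	return gaps ? PROBE_GAP_SEEN : PROBE_ATOMIC;
}

int main(void)
{
	int r = probe_xattr_replace(NULL, 20000);
	printf("xattr replace probe: %d (0 atomic, 1 gap seen, 2 unsupported, 3 error)\n", r);
	return r == PROBE_ATOMIC ? 0 : 1;
}
```

A kernel carrying this fix never lets the reader observe a missing value; a nonzero gap count on an older btrfs kernel is the non-atomic replace the patch removes.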

* Re: [request for 3.10 inclusion][PATCH 0/3] Address 3 CVEs
@ 2015-06-23  7:12 ` Sheng Yong
From: Sheng Yong @ 2015-06-23  7:12 UTC (permalink / raw)
  To: gregkh; +Cc: stable, fdmanana

Ping.

thanks,
Sheng

On 6/3/2015 10:09 AM, Sheng Yong wrote:
> Hi, Greg
> 
> PATCH 1 fixes CVE-2015-3339, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3339
> PATCH 2 fixes CVE-2015-2666, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2666
> PATCH 3 fixes CVE-2014-9710, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9710
> 
> PATCH 1 and 3 are merged into 3.12-stable. If you would like to cherry-pick
> them from 3.12-stable, the commits are (both of them can be applied
> directly):
> 
> 5176b77f1aacdc560eaeac4685ade444bb814689 fs: take i_mutex during prepare_binprm for set[ug]id executables
> c5988181af3b41381c4d20e08ca6852f99f95417 x86/microcode/intel: Guard against stack overflow in the loader
> 
> Thanks,
> Sheng
> 
> Sheng Yong (3):
>   fs: take i_mutex during prepare_binprm for set[ug]id executables
>   x86/microcode/intel: Guard against stack overflow in the loader
>   Btrfs: make xattr replace operations atomic
> 
>  arch/x86/kernel/microcode_intel_early.c |   2 +-
>  fs/btrfs/ctree.c                        |   2 +-
>  fs/btrfs/ctree.h                        |   5 +
>  fs/btrfs/dir-item.c                     |  10 +-
>  fs/btrfs/xattr.c                        | 159 ++++++++++++++++++++------------
>  fs/exec.c                               |  79 +++++++++-------
>  6 files changed, 160 insertions(+), 97 deletions(-)
> 



* Re: [request for 3.10 inclusion][PATCH 3/3] Btrfs: make xattr replace operations atomic
@ 2015-06-30  0:19   ` Greg KH
From: Greg KH @ 2015-06-30  0:19 UTC (permalink / raw)
  To: Sheng Yong; +Cc: stable, fdmanana

On Wed, Jun 03, 2015 at 02:09:27AM +0000, Sheng Yong wrote:
> From: Filipe Manana <fdmanana@suse.com>
> 
> commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream.
> 
> Replacing an xattr consists of doing a lookup for its existing value, deleting
> the current value from the respective leaf, releasing the search path and then
> finally inserting the new value. This leaves a time window where readers (getxattr,
> listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
> so this has security implications.
> 
> This change also fixes 2 other existing issues which were:
> 
> *) Deleting the old xattr value without verifying first if the new xattr will
>    fit in the existing leaf item (in case multiple xattrs are packed in the
>    same item due to name hash collision);
> 
> *) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
>    exist but we have an existing item that packs multiple xattrs with
>    the same name hash as the input xattr. In this case we should return ENOSPC.
> 
> A test case for xfstests follows soon.
> 
> Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
> implementation.
> 
> Reported-by: Alexandre Oliva <oliva@gnu.org>
> Signed-off-by: Filipe Manana <fdmanana@suse.com>
> Signed-off-by: Chris Mason <clm@fb.com>
> [shengyong: backport to 3.10
>  - FIX: CVE-2014-9710
>  - adjust context
>  - ASSERT() was added in v3.12, so we do the check with an if statement
>  - set the first parameter of btrfs_item_nr() to NULL, because it is not
>    used, and it is removed in v3.13
> ]
> Signed-off-by: Sheng Yong <shengyong1@huawei.com>

Thanks, I've also added this to 3.14-stable.

greg k-h


* Re: [request for 3.10 inclusion][PATCH 0/3] Address 3 CVEs
@ 2015-06-30  0:20 ` Greg KH
From: Greg KH @ 2015-06-30  0:20 UTC (permalink / raw)
  To: Sheng Yong; +Cc: stable, fdmanana

On Wed, Jun 03, 2015 at 02:09:24AM +0000, Sheng Yong wrote:
> Hi, Greg
> 
> PATCH 1 fixes CVE-2015-3339, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3339
> PATCH 2 fixes CVE-2015-2666, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2666
> PATCH 3 fixes CVE-2014-9710, link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9710
> 
> PATCH 1 and 3 are merged into 3.12-stable. If you would like to cherry-pick
> them from 3.12-stable, the commits are (both of them can be applied
> directly):
> 
> 5176b77f1aacdc560eaeac4685ade444bb814689 fs: take i_mutex during prepare_binprm for set[ug]id executables
> c5988181af3b41381c4d20e08ca6852f99f95417 x86/microcode/intel: Guard against stack overflow in the loader

All 3 now applied, thanks.

greg k-h

