--- /dev/null
+From ce654b37f87980d95f339080e4c3bdb2370bdf22 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sat, 26 Feb 2011 22:40:19 +0200
+Subject: ext3: skip orphan cleanup on rocompat fs
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit ce654b37f87980d95f339080e4c3bdb2370bdf22 upstream.
+
+Orphan cleanup is currently executed even if the file system has some
+number of unknown ROCOMPAT features, which deletes inodes and frees
+blocks, which could be very bad for some RO_COMPAT features.
+
+This patch skips the orphan cleanup if it contains readonly compatible
+features not known by this ext3 implementation, which would prevent
+the fs from being mounted (or remounted) readwrite.
+
+Signed-off-by: Amir Goldstein <amir73il@users.sf.net>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/super.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1464,6 +1464,13 @@ static void ext3_orphan_cleanup (struct
+ return;
+ }
+
++ /* Check if feature set allows readwrite operations */
++ if (EXT3_HAS_RO_COMPAT_FEATURE(sb, ~EXT3_FEATURE_RO_COMPAT_SUPP)) {
++ ext3_msg(sb, KERN_INFO, "Skipping orphan cleanup due to "
++ "unknown ROCOMPAT features");
++ return;
++ }
++
+ if (EXT3_SB(sb)->s_mount_state & EXT3_ERROR_FS) {
+ if (es->s_last_orphan)
+ jbd_debug(1, "Errors on filesystem, "
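Review bot: The new early return at the `EXT3_HAS_RO_COMPAT_FEATURE` check logs at KERN_INFO whether or not an orphan list is actually pending, so an administrator whose filesystem does carry orphans (the `es->s_last_orphan` tested a few lines below) gets no stronger signal that those inodes and blocks stay unreclaimed until a kernel that knows the features mounts it read-write. Consider raising the level when orphans exist, e.g. `ext3_msg(sb, es->s_last_orphan ? KERN_WARNING : KERN_INFO, "Skipping orphan cleanup due to " "unknown ROCOMPAT features");`. Placing the check ahead of the `EXT3_ERROR_FS` test is right, since nothing should be freed on such a filesystem regardless of its error state. ext3_orphan_cleanup continues on both sides of the hunk.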
--- /dev/null
+From d6244bc0ed0c52a795e6f4dcab3886daf3e74fac Mon Sep 17 00:00:00 2001
+From: Henry Nestler <henry.nestler@gmail.com>
+Date: Sun, 20 Feb 2011 20:50:56 +0000
+Subject: fbcon: Bugfix soft cursor detection in Tile Blitting
+
+From: Henry Nestler <henry.nestler@gmail.com>
+
+commit d6244bc0ed0c52a795e6f4dcab3886daf3e74fac upstream.
+
+Use mask 0x10 for "soft cursor" detection on in function tile_cursor.
+(Tile Blitting Operation in framebuffer console).
+
+The old mask 0x01 for vc_cursor_type detects CUR_NONE, CUR_LOWER_THIRD
+and every second mode value as "software cursor". This hides the cursor
+for these modes (cursor.mode = 0). But, only CUR_NONE or "software cursor"
+should hide the cursor.
+See also 0x10 in functions add_softcursor, bit_cursor and cw_cursor.
+
+Signed-off-by: Henry Nestler <henry.nestler@gmail.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/console/tileblit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/tileblit.c
++++ b/drivers/video/console/tileblit.c
+@@ -83,7 +83,7 @@ static void tile_cursor(struct vc_data *
+ int softback_lines, int fg, int bg)
+ {
+ struct fb_tilecursor cursor;
+- int use_sw = (vc->vc_cursor_type & 0x01);
++ int use_sw = (vc->vc_cursor_type & 0x10);
+
+ cursor.sx = vc->vc_x;
+ cursor.sy = vc->vc_y;
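Review bot: The corrected mask on the `use_sw` line is still a bare magic number, and the commit message itself says the same `0x10` is repeated in add_softcursor, bit_cursor and cw_cursor — which is exactly how the `0x01` slip went unnoticed. At minimum annotate the line so the next reader does not "simplify" it back: `int use_sw = (vc->vc_cursor_type & 0x10); /* software-cursor bit of vc_cursor_type; keep in sync with add_softcursor()/bit_cursor()/cw_cursor() */`. A shared named constant for that bit in the console header would make the four sites agree by construction. tile_cursor continues past the end of the hunk.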
--- /dev/null
+From 5a02ab7c3c4580f94d13c683721039855b67cda6 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 11 Mar 2011 12:13:55 +0800
+Subject: nfsd: wrong index used in inner loop
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5a02ab7c3c4580f94d13c683721039855b67cda6 upstream.
+
+We must not use dummy for index.
+After the first index, READ32(dummy) will change dummy!!!!
+
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+[bfields@redhat.com: Trond points out READ_BUF alone is sufficient.]
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4xdr.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1142,7 +1142,7 @@ nfsd4_decode_create_session(struct nfsd4
+
+ u32 dummy;
+ char *machine_name;
+- int i, j;
++ int i;
+ int nr_secflavs;
+
+ READ_BUF(16);
+@@ -1215,8 +1215,6 @@ nfsd4_decode_create_session(struct nfsd4
+ READ_BUF(4);
+ READ32(dummy);
+ READ_BUF(dummy * 4);
+- for (j = 0; j < dummy; ++j)
+- READ32(dummy);
+ break;
+ case RPC_AUTH_GSS:
+ dprintk("RPC_AUTH_GSS callback secflavor "
+@@ -1232,7 +1230,6 @@ nfsd4_decode_create_session(struct nfsd4
+ READ_BUF(4);
+ READ32(dummy);
+ READ_BUF(dummy);
+- p += XDR_QUADLEN(dummy);
+ break;
+ default:
+ dprintk("Illegal callback secflavor\n");
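Review bot: `READ_BUF(dummy * 4)` in the arm preceding `case RPC_AUTH_GSS` (second hunk) multiplies a wire-supplied `u32` count with no upper bound, so a count of 2^30 or more wraps the product to a small value; READ_BUF's own length check presumably keeps this from reading past the buffer, but the decoder then silently accepts a mis-sized gid list instead of rejecting the request. A bound before the multiply, `if (dummy > UINT_MAX / 4) goto xdr_error;`, makes the rejection explicit — the error label is the one READ_BUF itself jumps to, which is outside this hunk, so confirm the name. Dropping the `for (j ...) READ32(dummy)` loop is the right fix for the clobbered index, since READ_BUF already advances past the list. nfsd4_decode_create_session starts before the first hunk and continues past the last.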
--- /dev/null
+From 0997b173609b9229ece28941c118a2a9b278796e Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields <bfields@redhat.com>
+Date: Wed, 2 Mar 2011 18:01:35 -0500
+Subject: nfsd4: fix struct file leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 0997b173609b9229ece28941c118a2a9b278796e upstream.
+
+Make sure we properly reference count the struct files that a lock
+depends on, and release them when the lock stateid is released.
+
+This fixes a major leak of struct files when using locking over nfsv4.
+
+Reported-by: Rick Koshi <nfs-bug-report@more-right-rudder.com>
+Tested-by: Ivo Přikryl <prikryl@eurosat.cz>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4state.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -397,6 +397,9 @@ static void unhash_generic_stateid(struc
+
+ static void free_generic_stateid(struct nfs4_stateid *stp)
+ {
++ int oflag = nfs4_access_bmap_to_omode(stp);
++
++ nfs4_file_put_access(stp->st_file, oflag);
+ put_nfs4_file(stp->st_file);
+ kmem_cache_free(stateid_slab, stp);
+ }
+@@ -448,11 +451,8 @@ release_stateid_lockowners(struct nfs4_s
+
+ static void release_open_stateid(struct nfs4_stateid *stp)
+ {
+- int oflag = nfs4_access_bmap_to_omode(stp);
+-
+ unhash_generic_stateid(stp);
+ release_stateid_lockowners(stp);
+- nfs4_file_put_access(stp->st_file, oflag);
+ free_generic_stateid(stp);
+ }
+
+@@ -3735,6 +3735,7 @@ alloc_init_lock_stateid(struct nfs4_stat
+ stp->st_stateid.si_stateownerid = sop->so_id;
+ stp->st_stateid.si_fileid = fp->fi_id;
+ stp->st_stateid.si_generation = 0;
++ stp->st_access_bmap = 0;
+ stp->st_deny_bmap = open_stp->st_deny_bmap;
+ stp->st_openstp = open_stp;
+
+@@ -3749,6 +3750,17 @@ check_lock_length(u64 offset, u64 length
+ LOFF_OVERFLOW(offset, length)));
+ }
+
++static void get_lock_access(struct nfs4_stateid *lock_stp, u32 access)
++{
++ struct nfs4_file *fp = lock_stp->st_file;
++ int oflag = nfs4_access_to_omode(access);
++
++ if (test_bit(access, &lock_stp->st_access_bmap))
++ return;
++ nfs4_file_get_access(fp, oflag);
++ __set_bit(access, &lock_stp->st_access_bmap);
++}
++
+ /*
+ * LOCK operation
+ */
+@@ -3846,18 +3858,16 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
+ switch (lock->lk_type) {
+ case NFS4_READ_LT:
+ case NFS4_READW_LT:
+- if (find_readable_file(lock_stp->st_file)) {
+- nfs4_get_vfs_file(rqstp, fp, &cstate->current_fh, NFS4_SHARE_ACCESS_READ);
+- filp = find_readable_file(lock_stp->st_file);
+- }
++ filp = find_readable_file(lock_stp->st_file);
++ if (filp)
++ get_lock_access(lock_stp, NFS4_SHARE_ACCESS_READ);
+ file_lock.fl_type = F_RDLCK;
+ break;
+ case NFS4_WRITE_LT:
+ case NFS4_WRITEW_LT:
+- if (find_writeable_file(lock_stp->st_file)) {
+- nfs4_get_vfs_file(rqstp, fp, &cstate->current_fh, NFS4_SHARE_ACCESS_WRITE);
+- filp = find_writeable_file(lock_stp->st_file);
+- }
++ filp = find_writeable_file(lock_stp->st_file);
++ if (filp)
++ get_lock_access(lock_stp, NFS4_SHARE_ACCESS_WRITE);
+ file_lock.fl_type = F_WRLCK;
+ break;
+ default:
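Review bot: `free_generic_stateid` now runs `nfs4_access_bmap_to_omode(stp)` and `nfs4_file_put_access` for every stateid, including lock stateids, whose `st_access_bmap` the `alloc_init_lock_stateid` hunk initialises to 0 and which only gains a bit when `find_readable_file`/`find_writeable_file` returns a file in nfsd4_lock. A lock stateid released after those lookups returned NULL therefore reaches the bitmap-to-omode conversion with an empty bitmap; what `nfs4_access_bmap_to_omode` and `nfs4_file_put_access` do with that is not visible here, so confirm they tolerate it or skip the put when no access was taken: `if (stp->st_access_bmap) nfs4_file_put_access(stp->st_file, nfs4_access_bmap_to_omode(stp));`. Open stateids keep the previous behaviour under that guard, since their bitmap was already non-zero when `release_open_stateid` did the put. nfsd4_lock begins and ends outside the last hunk.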
--- /dev/null
+From 529d7b2a7fa31e9f7d08bc790d232c3cbe64fa24 Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields <bfields@redhat.com>
+Date: Wed, 2 Mar 2011 23:48:33 -0500
+Subject: nfsd4: minor nfs4state.c reshuffling
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 529d7b2a7fa31e9f7d08bc790d232c3cbe64fa24 upstream.
+
+Minor cleanup in preparation for a bugfix--moving some code to avoid
+forward references, etc. No change in functionality.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4state.c | 125 +++++++++++++++++++++++++---------------------------
+ 1 file changed, 61 insertions(+), 64 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -316,64 +316,6 @@ static struct list_head unconf_id_hashtb
+ static struct list_head client_lru;
+ static struct list_head close_lru;
+
+-static void unhash_generic_stateid(struct nfs4_stateid *stp)
+-{
+- list_del(&stp->st_hash);
+- list_del(&stp->st_perfile);
+- list_del(&stp->st_perstateowner);
+-}
+-
+-static void free_generic_stateid(struct nfs4_stateid *stp)
+-{
+- put_nfs4_file(stp->st_file);
+- kmem_cache_free(stateid_slab, stp);
+-}
+-
+-static void release_lock_stateid(struct nfs4_stateid *stp)
+-{
+- struct file *file;
+-
+- unhash_generic_stateid(stp);
+- file = find_any_file(stp->st_file);
+- if (file)
+- locks_remove_posix(file, (fl_owner_t)stp->st_stateowner);
+- free_generic_stateid(stp);
+-}
+-
+-static void unhash_lockowner(struct nfs4_stateowner *sop)
+-{
+- struct nfs4_stateid *stp;
+-
+- list_del(&sop->so_idhash);
+- list_del(&sop->so_strhash);
+- list_del(&sop->so_perstateid);
+- while (!list_empty(&sop->so_stateids)) {
+- stp = list_first_entry(&sop->so_stateids,
+- struct nfs4_stateid, st_perstateowner);
+- release_lock_stateid(stp);
+- }
+-}
+-
+-static void release_lockowner(struct nfs4_stateowner *sop)
+-{
+- unhash_lockowner(sop);
+- nfs4_put_stateowner(sop);
+-}
+-
+-static void
+-release_stateid_lockowners(struct nfs4_stateid *open_stp)
+-{
+- struct nfs4_stateowner *lock_sop;
+-
+- while (!list_empty(&open_stp->st_lockowners)) {
+- lock_sop = list_entry(open_stp->st_lockowners.next,
+- struct nfs4_stateowner, so_perstateid);
+- /* list_del(&open_stp->st_lockowners); */
+- BUG_ON(lock_sop->so_is_open_owner);
+- release_lockowner(lock_sop);
+- }
+-}
+-
+ /*
+ * We store the NONE, READ, WRITE, and BOTH bits separately in the
+ * st_{access,deny}_bmap field of the stateid, in order to track not
+@@ -446,6 +388,64 @@ static int nfs4_access_bmap_to_omode(str
+ return nfs4_access_to_omode(access);
+ }
+
++static void unhash_generic_stateid(struct nfs4_stateid *stp)
++{
++ list_del(&stp->st_hash);
++ list_del(&stp->st_perfile);
++ list_del(&stp->st_perstateowner);
++}
++
++static void free_generic_stateid(struct nfs4_stateid *stp)
++{
++ put_nfs4_file(stp->st_file);
++ kmem_cache_free(stateid_slab, stp);
++}
++
++static void release_lock_stateid(struct nfs4_stateid *stp)
++{
++ struct file *file;
++
++ unhash_generic_stateid(stp);
++ file = find_any_file(stp->st_file);
++ if (file)
++ locks_remove_posix(file, (fl_owner_t)stp->st_stateowner);
++ free_generic_stateid(stp);
++}
++
++static void unhash_lockowner(struct nfs4_stateowner *sop)
++{
++ struct nfs4_stateid *stp;
++
++ list_del(&sop->so_idhash);
++ list_del(&sop->so_strhash);
++ list_del(&sop->so_perstateid);
++ while (!list_empty(&sop->so_stateids)) {
++ stp = list_first_entry(&sop->so_stateids,
++ struct nfs4_stateid, st_perstateowner);
++ release_lock_stateid(stp);
++ }
++}
++
++static void release_lockowner(struct nfs4_stateowner *sop)
++{
++ unhash_lockowner(sop);
++ nfs4_put_stateowner(sop);
++}
++
++static void
++release_stateid_lockowners(struct nfs4_stateid *open_stp)
++{
++ struct nfs4_stateowner *lock_sop;
++
++ while (!list_empty(&open_stp->st_lockowners)) {
++ lock_sop = list_entry(open_stp->st_lockowners.next,
++ struct nfs4_stateowner, so_perstateid);
++ /* list_del(&open_stp->st_lockowners); */
++ BUG_ON(lock_sop->so_is_open_owner);
++ release_lockowner(lock_sop);
++ }
++}
++
+ static void release_open_stateid(struct nfs4_stateid *stp)
+ {
+ int oflag = nfs4_access_bmap_to_omode(stp);
+@@ -3765,7 +3765,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
+ struct file_lock conflock;
+ __be32 status = 0;
+ unsigned int strhashval;
+- unsigned int cmd;
+ int err;
+
+ dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
+@@ -3852,8 +3851,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
+ filp = find_readable_file(lock_stp->st_file);
+ }
+ file_lock.fl_type = F_RDLCK;
+- cmd = F_SETLK;
+- break;
++ break;
+ case NFS4_WRITE_LT:
+ case NFS4_WRITEW_LT:
+ if (find_writeable_file(lock_stp->st_file)) {
+@@ -3861,8 +3859,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
+ filp = find_writeable_file(lock_stp->st_file);
+ }
+ file_lock.fl_type = F_WRLCK;
+- cmd = F_SETLK;
+- break;
++ break;
+ default:
+ status = nfserr_inval;
+ goto out;
+@@ -3886,7 +3883,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
+ * Note: locks.c uses the BKL to protect the inode's lock list.
+ */
+
+- err = vfs_lock_file(filp, cmd, &file_lock, &conflock);
++ err = vfs_lock_file(filp, F_SETLK, &file_lock, &conflock);
+ switch (-err) {
+ case 0: /* success! */
+ update_stateid(&lock_stp->st_stateid);
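Review bot: The relocated `release_stateid_lockowners` carries its commented-out `/* list_del(&open_stp->st_lockowners); */` line along to the new position; since this is a pure move advertised as cleanup, it is the natural moment to drop dead commented code rather than preserve it. The moved bodies otherwise match the removed side line for line, and replacing the always-`F_SETLK` local `cmd` with the constant in the `vfs_lock_file` call is a faithful simplification. nfsd4_lock's body runs outside the last three hunks.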
--- /dev/null
+From 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 18 Feb 2011 09:08:31 +0800
+Subject: nfsd41: modify the members value of nfsd4_op_flags
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 upstream.
+
+The members of nfsd4_op_flags, (ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS)
+equals to ALLOWED_AS_FIRST_OP, maybe that's not what we want.
+
+OP_PUTROOTFH with op_flags = ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS,
+can't appears as the first operation with out SEQUENCE ops.
+
+This patch modify the wrong value of ALLOWED_WITHOUT_FH etc which
+was introduced by f9bb94c4.
+
+Reviewed-by: Benny Halevy <bhalevy@panasas.com>
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -984,8 +984,8 @@ typedef __be32(*nfsd4op_func)(struct svc
+ void *);
+ enum nfsd4_op_flags {
+ ALLOWED_WITHOUT_FH = 1 << 0, /* No current filehandle required */
+- ALLOWED_ON_ABSENT_FS = 2 << 0, /* ops processed on absent fs */
+- ALLOWED_AS_FIRST_OP = 3 << 0, /* ops reqired first in compound */
++ ALLOWED_ON_ABSENT_FS = 1 << 1, /* ops processed on absent fs */
++ ALLOWED_AS_FIRST_OP = 1 << 2, /* ops reqired first in compound */
+ };
+
+ struct nfsd4_operation {
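Review bot: The rewritten `ALLOWED_AS_FIRST_OP` line keeps the comment typo `reqired` from the old line; since the line is being touched anyway, make it `ALLOWED_AS_FIRST_OP = 1 << 2, /* ops required first in compound */`. It would also help to state above the enum that these are independent bitmask flags combined with `|` and tested with `&`, which is the property the old `2 << 0` / `3 << 0` values silently violated and the reason `ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS` used to read as `ALLOWED_AS_FIRST_OP`. The enum is fully inside the hunk.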
--- /dev/null
+From 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Wed, 23 Mar 2011 16:42:53 -0700
+Subject: proc: protect mm start_code/end_code in /proc/pid/stat
+
+From: Kees Cook <kees.cook@canonical.com>
+
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
+
+While mm->start_stack was protected from cross-uid viewing (commit
+f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+processes")), the start_code and end_code values were not. This would
+allow the text location of a PIE binary to leak, defeating ASLR.
+
+Note that the value "1" is used instead of "0" for a protected value since
+"ps", "killall", and likely other readers of /proc/pid/stat, take
+start_code of "0" to mean a kernel thread and will misbehave. Thanks to
+Brad Spengler for pointing this out.
+
+Addresses CVE-2011-0726
+
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/array.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file
+ vsize,
+ mm ? get_mm_rss(mm) : 0,
+ rsslim,
+- mm ? mm->start_code : 0,
+- mm ? mm->end_code : 0,
++ mm ? (permitted ? mm->start_code : 1) : 0,
++ mm ? (permitted ? mm->end_code : 1) : 0,
+ (permitted && mm) ? mm->start_stack : 0,
+ esp,
+ eip,
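Review bot: The two new lines encode a non-obvious choice — an unprivileged reader gets `1`, not `0`, for start_code/end_code — and the reason (ps, killall and similar readers treat a zero start_code as a kernel thread) lives only in the commit message, so a later cleanup could "normalise" it to 0 and break those tools. Put the rationale beside the values, e.g. `/* 1, not 0, when !permitted: ps/killall read start_code == 0 as "kernel thread" */` above the start_code argument. The `permitted` gating itself mirrors the existing `start_stack` line, so the three fields now leak nothing cross-uid. do_task_stat starts and ends outside the hunk.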
--- /dev/null
+From 0db0c01b53a1a421513f91573241aabafb87802a Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 23 Mar 2011 16:42:50 -0700
+Subject: procfs: fix /proc/<pid>/maps heap check
+
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+
+commit 0db0c01b53a1a421513f91573241aabafb87802a upstream.
+
+The current code fails to print the "[heap]" marking if the heap is split
+into multiple mappings.
+
+Fix the check so that the marking is displayed in all possible cases:
+ 1. vma matches exactly the heap
+ 2. the heap vma is merged e.g. with bss
+ 3. the heap vma is splitted e.g. due to locked pages
+
+Test cases. In all cases, the process should have mapping(s) with
+[heap] marking:
+
+ (1) vma matches exactly the heap
+
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+
+ int main (void)
+ {
+ if (sbrk(4096) != (void *)-1) {
+ printf("check /proc/%d/maps\n", (int)getpid());
+ while (1)
+ sleep(1);
+ }
+ return 0;
+ }
+
+ # ./test1
+ check /proc/553/maps
+ [1] + Stopped ./test1
+ # cat /proc/553/maps | head -4
+ 00008000-00009000 r-xp 00000000 01:00 3113640 /test1
+ 00010000-00011000 rw-p 00000000 01:00 3113640 /test1
+ 00011000-00012000 rw-p 00000000 00:00 0 [heap]
+ 4006f000-40070000 rw-p 00000000 00:00 0
+
+ (2) the heap vma is merged
+
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+
+ char foo[4096] = "foo";
+ char bar[4096];
+
+ int main (void)
+ {
+ if (sbrk(4096) != (void *)-1) {
+ printf("check /proc/%d/maps\n", (int)getpid());
+ while (1)
+ sleep(1);
+ }
+ return 0;
+ }
+
+ # ./test2
+ check /proc/556/maps
+ [2] + Stopped ./test2
+ # cat /proc/556/maps | head -4
+ 00008000-00009000 r-xp 00000000 01:00 3116312 /test2
+ 00010000-00012000 rw-p 00000000 01:00 3116312 /test2
+ 00012000-00014000 rw-p 00000000 00:00 0 [heap]
+ 4004a000-4004b000 rw-p 00000000 00:00 0
+
+ (3) the heap vma is splitted (this fails without the patch)
+
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <sys/types.h>
+
+ int main (void)
+ {
+ if ((sbrk(4096) != (void *)-1) && !mlockall(MCL_FUTURE) &&
+ (sbrk(4096) != (void *)-1)) {
+ printf("check /proc/%d/maps\n", (int)getpid());
+ while (1)
+ sleep(1);
+ }
+ return 0;
+ }
+
+ # ./test3
+ check /proc/559/maps
+ [1] + Stopped ./test3
+ # cat /proc/559/maps|head -4
+ 00008000-00009000 r-xp 00000000 01:00 3119108 /test3
+ 00010000-00011000 rw-p 00000000 01:00 3119108 /test3
+ 00011000-00012000 rw-p 00000000 00:00 0 [heap]
+ 00012000-00013000 rw-p 00000000 00:00 0 [heap]
+
+It looks like the bug has been there forever, and since it only results in
+some information missing from a procfile, it does not fulfil the -stable
+"critical issue" criteria.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/task_mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -249,8 +249,8 @@ static void show_map_vma(struct seq_file
+ const char *name = arch_vma_name(vma);
+ if (!name) {
+ if (mm) {
+- if (vma->vm_start <= mm->start_brk &&
+- vma->vm_end >= mm->brk) {
++ if (vma->vm_start <= mm->brk &&
++ vma->vm_end >= mm->start_brk) {
+ name = "[heap]";
+ } else if (vma->vm_start <= mm->start_stack &&
+ vma->vm_end >= mm->start_stack) {
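Review bot: The replacement condition is an overlap test written with inclusive comparisons, so a mapping that merely touches the heap boundary — `vm_end == mm->start_brk` or `vm_start == mm->brk` — is also labelled `[heap]` although it shares no page with the heap. The merged-bss case (2) in the description does not need the inclusive form as long as the heap is non-empty, so strict comparisons express the intent more precisely: `if (vma->vm_start < mm->brk && vma->vm_end > mm->start_brk) {`. show_map_vma starts and ends outside the hunk.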
prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
alsa-hda-fix-internal-mic-on-dell-e5420-e5520.patch
mm-pagebuddy-and-mapcount-robustness.patch
+ext3-skip-orphan-cleanup-on-rocompat-fs.patch
+x86-fix-binutils-2.21-symbol-related-build-failures.patch
+sysctl-restrict-write-access-to-dmesg_restrict.patch
+procfs-fix-proc-pid-maps-heap-check.patch
+proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
+fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
+nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
+nfsd4-minor-nfs4state.c-reshuffling.patch
+nfsd4-fix-struct-file-leak.patch
+nfsd-wrong-index-used-in-inner-loop.patch
--- /dev/null
+From bfdc0b497faa82a0ba2f9dddcf109231dd519fcc Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 23 Mar 2011 16:43:11 -0700
+Subject: sysctl: restrict write access to dmesg_restrict
+
+From: Richard Weinberger <richard@nod.at>
+
+commit bfdc0b497faa82a0ba2f9dddcf109231dd519fcc upstream.
+
+When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel
+ring buffer. But a root user without CAP_SYS_ADMIN is able to reset
+dmesg_restrict to 0.
+
+This is an issue when e.g. LXC (Linux Containers) are used and complete
+user space is running without CAP_SYS_ADMIN. A unprivileged and jailed
+root user can bypass the dmesg_restrict protection.
+
+With this patch writing to dmesg_restrict is only allowed when root has
+CAP_SYS_ADMIN.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Acked-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Serge E. Hallyn <serge@hallyn.com>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: Kees Cook <kees.cook@canonical.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: Eugene Teo <eugeneteo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sysctl.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+ #endif
+
++#ifdef CONFIG_PRINTK
++static int proc_dmesg_restrict(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos);
++#endif
++
+ #ifdef CONFIG_MAGIC_SYSRQ
+ /* Note: sysrq code uses it's own private copy */
+ static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
+@@ -713,7 +718,7 @@ static struct ctl_table kern_table[] = {
+ .data = &kptr_restrict,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dmesg_restrict,
+ .extra1 = &zero,
+ .extra2 = &two,
+ },
+@@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *
+ return err;
+ }
+
++#ifdef CONFIG_PRINTK
++static int proc_dmesg_restrict(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ if (write && !capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
++}
++#endif
++
+ struct do_proc_dointvec_minmax_conv_param {
+ int *min;
+ int *max;
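Review bot: The `kern_table` hunk attaches `proc_dmesg_restrict` to the entry whose `.data` is `&kptr_restrict` (the context line directly above it, with the `&zero`..`&two` range), not to the `dmesg_restrict` entry the subject and description describe; as shown, the `dmesg_restrict` sysctl keeps its plain `proc_dointvec_minmax` handler and a container root without CAP_SYS_ADMIN can still reset it, while writes to `kptr_restrict` gain the new check instead. The `dmesg_restrict` entry is not visible in this patch, so confirm against the full table, but the fix wants `.proc_handler = proc_dmesg_restrict,` on that entry — keeping it on `kptr_restrict` as well is defensible, since the same rationale applies to that knob. The new handler itself is correct: it requires `capable(CAP_SYS_ADMIN)` only on `write` and otherwise delegates to `proc_dointvec_minmax`.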
--- /dev/null
+From 2ae9d293b14d17f35eff624272cfecac7979a2ee Mon Sep 17 00:00:00 2001
+From: Sedat Dilek <sedat.dilek@googlemail.com>
+Date: Tue, 8 Mar 2011 22:39:24 +0100
+Subject: x86: Fix binutils-2.21 symbol related build failures
+
+From: Sedat Dilek <sedat.dilek@googlemail.com>
+
+commit 2ae9d293b14d17f35eff624272cfecac7979a2ee upstream.
+[only 1/2 of the upstream commit was needed for stable - gkh]
+
+New binutils version 2.21.0.20110302-1 started checking that the symbol
+parameter to the .size directive matches the entry name's
+symbol parameter, unearthing two mismatches:
+
+ AS arch/x86/kernel/acpi/wakeup_rm.o
+ arch/x86/kernel/acpi/wakeup_rm.S: Assembler messages:
+ arch/x86/kernel/acpi/wakeup_rm.S:12: Error: .size expression with symbol `wakeup_code_start' does not evaluate to a constant
+
+ arch/x86/kernel/entry_32.S: Assembler messages:
+ arch/x86/kernel/entry_32.S:1421: Error: .size expression with
+ symbol `apf_page_fault' does not evaluate to a constant
+
+The problem was discovered while using Debian's binutils
+(2.21.0.20110302-1) and experimenting with binutils from
+upstream.
+
+Thanks Alexander and H.J. for the vital help.
+
+Signed-off-by: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Alexander van Heukelum <heukelum@fastmail.fm>
+Cc: H.J. Lu <hjl.tools@gmail.com>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Rafael J. Wysocki <rjw@sisk.pl>
+LKML-Reference: <1299620364-21644-1-git-send-email-sedat.dilek@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/entry_32.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1413,7 +1413,7 @@ ENTRY(async_page_fault)
+ CFI_ADJUST_CFA_OFFSET 4
+ jmp error_code
+ CFI_ENDPROC
+-END(apf_page_fault)
++END(async_page_fault)
+ #endif
+
+ /*