.32 patch and fixes

diff --git a/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch b/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch
new file mode 100644 (file)
index 0000000..078d1cf
--- /dev/null
+++ b/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch
@@ -0,0 +1,81 @@
+From a29815a333c6c6e677294bbe5958e771d0aad3fd Mon Sep 17 00:00:00 2001
+From: Avi Kivity <avi@qumranet.com>
+Date: Sun, 10 Jan 2010 16:28:09 +0200
+Subject: core, x86: make LIST_POISON less deadly
+
+From: Avi Kivity <avi@qumranet.com>
+
+commit a29815a333c6c6e677294bbe5958e771d0aad3fd upstream.
+
+The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable
+pointers in order to trap erronous use of freed list_heads.  Unfortunately
+userspace can arrange for those pointers to actually be dereferencable,
+potentially turning an oops to an expolit.
+
+To avoid this allow architectures (currently x86_64 only) to override
+the default values for these pointers with truly-undereferencable values.
+This is easy on x86_64 as the virtual address space is large and contains
+areas that cannot be mapped.
+
+Other 64-bit architectures will likely find similar unmapped ranges.
+
+[ingo: switch to 0xdead000000000000 as the unmapped area]
+[ingo: add comments, cleanup]
+[jaswinder: eliminate sparse warnings]
+
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/Kconfig       |    5 +++++
+ include/linux/poison.h |   16 ++++++++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1236,6 +1236,11 @@ config ARCH_MEMORY_PROBE
+       def_bool X86_64
+       depends on MEMORY_HOTPLUG
+ 
++config ILLEGAL_POINTER_VALUE
++       hex
++       default 0 if X86_32
++       default 0xdead000000000000 if X86_64
++
+ source "mm/Kconfig"
+ 
+ config HIGHPTE
+--- a/include/linux/poison.h
++++ b/include/linux/poison.h
+@@ -2,13 +2,25 @@
+ #define _LINUX_POISON_H
+ 
+ /********** include/linux/list.h **********/
++
++/*
++ * Architectures might want to move the poison pointer offset
++ * into some well-recognized area such as 0xdead000000000000,
++ * that is also not mappable by user-space exploits:
++ */
++#ifdef CONFIG_ILLEGAL_POINTER_VALUE
++# define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL)
++#else
++# define POISON_POINTER_DELTA 0
++#endif
++
+ /*
+  * These are non-NULL pointers that will result in page faults
+  * under normal circumstances, used to verify that nobody uses
+  * non-initialized list entries.
+  */
+-#define LIST_POISON1  ((void *) 0x00100100)
+-#define LIST_POISON2  ((void *) 0x00200200)
++#define LIST_POISON1  ((void *) 0x00100100 + POISON_POINTER_DELTA)
++#define LIST_POISON2  ((void *) 0x00200200 + POISON_POINTER_DELTA)
+ 
+ /********** include/linux/timer.h **********/
+ /*

diff --git a/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch b/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
index 2486a20544c9f34816318a9bfe7999f4d31691ed..8dc7a9a6f8139dc02dcaf989543255c81fbe3d70 100644 (file)
--- a/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
+++ b/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
@@ -38,7 +38,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 
 --- a/include/linux/poison.h
 +++ b/include/linux/poison.h
-@@ -36,6 +36,15 @@
+@@ -48,6 +48,15 @@
  #define POISON_FREE   0x6b    /* for use-after-free poisoning */
  #define       POISON_END      0xa5    /* end-byte of poisoning */
  

diff --git a/queue-2.6.32/memcg-fix-prepare-migration.patch b/queue-2.6.32/memcg-fix-prepare-migration.patch
index 040d652f41f7d811320cfe2ac00793b95ba88dc9..a16dab06bc17076641bee4c0f457849994067fbe 100644 (file)
--- a/queue-2.6.32/memcg-fix-prepare-migration.patch
+++ b/queue-2.6.32/memcg-fix-prepare-migration.patch
@@ -44,7 +44,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 +      *ptr = mem;
        if (mem) {
 -              ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false,
-+              ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false
++              ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false,
                                                page);
                css_put(&mem->css);
        }

diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 85e1b0c4388de82b4d8a4fa02bf1f140b30d6c1d..0a64af83579552caacb2a92a8f3d1482b93e9029 100644 (file)
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -9,6 +9,7 @@ w1-w1-temp-fix-negative-termperature-calculation.patch
 memcg-fix-prepare-migration.patch
 mac80211-remove-bogus-tx-agg-state-assignment.patch
 flex_array-fix-the-panic-when-calling-flex_array_alloc-without-__gfp_zero.patch
+core-x86-make-list_poison-less-deadly.patch
 hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
 reiserfs-fix-permissions-on-.reiserfs_priv.patch
 reiserfs-fix-corruption-during-shrinking-of-xattrs.patch