--- /dev/null
+From cebbert@redhat.com Fri Oct 9 15:38:12 2009
+From: Chuck Ebbert <cebbert@redhat.com>
+Date: Wed, 7 Oct 2009 17:35:46 -0400
+Subject: eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908)
+To: stable@kernel.org
+Message-ID: <20091007173546.68f05507@katamari.usersys.redhat.com>
+
+
+From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+
+commit 9c2d2056647790c5034d722bd24e9d913ebca73c upstream.
+
+When calling vfs_unlink() on the lower dentry, d_delete() turns the
+dentry into a negative dentry when the d_count is 1. This eventually
+caused a NULL pointer deref when a read() or write() was done and the
+negative dentry's d_inode was dereferenced in
+ecryptfs_read_update_atime() or ecryptfs_getxattr().
+
+Placing mutt's tmpdir in an eCryptfs mount is what initially triggered
+the oops and I was able to reproduce it with the following sequence:
+
+open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
+link("/tmp/upper/foo", "/tmp/upper/bar") = 0
+unlink("/tmp/upper/foo") = 0
+open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4
+unlink("/tmp/upper/bar") = 0
+write(4, "eCryptfs test\n"..., 14 <unfinished ...>
++++ killed by SIGKILL +++
+
+https://bugs.launchpad.net/ecryptfs/+bug/387073
+
+Reported-by: Loïc Minier <loic.minier@canonical.com>
+Cc: Serge Hallyn <serue@us.ibm.com>
+Cc: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
+Cc: ecryptfs-devel@lists.launchpad.net
+Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -443,6 +443,7 @@ static int ecryptfs_unlink(struct inode
+ struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ struct dentry *lower_dir_dentry;
+
++ dget(lower_dentry);
+ lower_dir_dentry = lock_parent(lower_dentry);
+ rc = vfs_unlink(lower_dir_inode, lower_dentry);
+ if (rc) {
+@@ -456,6 +457,7 @@ static int ecryptfs_unlink(struct inode
+ d_drop(dentry);
+ out_unlock:
+ unlock_dir(lower_dir_dentry);
++ dput(lower_dentry);
+ return rc;
+ }
+
--- /dev/null
+From d8100c3abfd32986a8820ce4e614b0223a2d22a9 Mon Sep 17 00:00:00 2001
+From: Thomas Mingarelli <Thomas.Mingarelli@hp.com>
+Date: Tue, 3 Mar 2009 00:17:16 +0000
+Subject: [WATCHDOG] hpwdt.c: Add new HP BMC controller.
+
+From: Thomas Mingarelli <Thomas.Mingarelli@hp.com>
+
+commit d8100c3abfd32986a8820ce4e614b0223a2d22a9 upstream.
+
+Add the PCI-ID for the upcoming new BMC controller for HP hardware.
+
+Signed-off-by: Thomas Mingarelli <Thomas.Mingarelli@hp.com>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/watchdog/hpwdt.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/watchdog/hpwdt.c
++++ b/drivers/watchdog/hpwdt.c
+@@ -47,6 +47,7 @@
+ #define PCI_BIOS32_PARAGRAPH_LEN 16
+ #define PCI_ROM_BASE1 0x000F0000
+ #define ROM_SIZE 0x10000
++#define HPWDT_VERSION "1.01"
+
+ struct bios32_service_dir {
+ u32 signature;
+@@ -130,12 +131,8 @@ static void *cru_rom_addr;
+ static struct cmn_registers cmn_regs;
+
+ static struct pci_device_id hpwdt_devices[] = {
+- {
+- .vendor = PCI_VENDOR_ID_COMPAQ,
+- .device = 0xB203,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- },
++ { PCI_DEVICE(PCI_VENDOR_ID_COMPAQ, 0xB203) },
++ { PCI_DEVICE(PCI_VENDOR_ID_HP, 0x3306) },
+ {0}, /* terminate list */
+ };
+ MODULE_DEVICE_TABLE(pci, hpwdt_devices);
+@@ -704,10 +701,11 @@ static int __devinit hpwdt_init_one(stru
+ }
+
+ printk(KERN_INFO
+- "hp Watchdog Timer Driver: 1.00"
++ "hp Watchdog Timer Driver: %s"
+ ", timer margin: %d seconds (nowayout=%d)"
+ ", allow kernel dump: %s (default = 0/OFF).\n",
+- soft_margin, nowayout, (allow_kdump == 0) ? "OFF" : "ON");
++ HPWDT_VERSION, soft_margin, nowayout,
++ (allow_kdump == 0) ? "OFF" : "ON");
+
+ return 0;
+
+@@ -757,6 +755,7 @@ static int __init hpwdt_init(void)
+ MODULE_AUTHOR("Tom Mingarelli");
+ MODULE_DESCRIPTION("hp watchdog driver");
+ MODULE_LICENSE("GPL");
++MODULE_VERSION(HPWDT_VERSION);
+ MODULE_ALIAS_MISCDEV(WATCHDOG_MINOR);
+
+ module_param(soft_margin, int, 0);
--- /dev/null
+From cebbert@redhat.com Fri Oct 9 15:40:17 2009
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Wed, 7 Oct 2009 17:40:32 -0400
+Subject: KVM: x86: Disallow hypercalls for guest callers in rings > 0 [CVE-2009-3290]
+To: stable@kernel.org
+Message-ID: <20091007174032.17897459@katamari.usersys.redhat.com>
+
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+[ backport to 2.6.27 by Chuck Ebbert <cebbert@redhat.com> ]
+
+commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream.
+
+So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
+hypercalls. Normally, such callers cannot provide any hand-crafted MMU
+command structure as it has to be passed by its physical address, but
+they can still crash the guest kernel by passing random addresses.
+
+To close the hole, this patch considers hypercalls valid only if issued
+from guest ring 0. This may still be relaxed on a per-hypercall base in
+the future once required.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86.c | 6 ++++++
+ include/linux/kvm_para.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2571,6 +2571,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2582,6 +2587,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ vcpu->arch.regs[VCPU_REGS_RAX] = ret;
+ kvm_x86_ops->decache_regs(vcpu);
+ ++vcpu->stat.hypercalls;
+--- a/include/linux/kvm_para.h
++++ b/include/linux/kvm_para.h
+@@ -13,6 +13,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
--- /dev/null
+From b607bd900051efc3308c4edc65dd98b34b230021 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <khali@linux-fr.org>
+Date: Fri, 2 Oct 2009 09:55:19 -0700
+Subject: net: Fix wrong sizeof
+
+From: Jean Delvare <khali@linux-fr.org>
+
+commit b607bd900051efc3308c4edc65dd98b34b230021 upstream.
+
+Which is why I have always preferred sizeof(struct foo) over
+sizeof(var).
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Acked-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/iseries_veth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/iseries_veth.c
++++ b/drivers/net/iseries_veth.c
+@@ -495,7 +495,7 @@ static void veth_take_cap_ack(struct vet
+ cnx->remote_lp);
+ } else {
+ memcpy(&cnx->cap_ack_event, event,
+- sizeof(&cnx->cap_ack_event));
++ sizeof(cnx->cap_ack_event));
+ cnx->state |= VETH_STATE_GOTCAPACK;
+ veth_kick_statemachine(cnx);
+ }
--- /dev/null
+net-fix-wrong-sizeof.patch
+x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
+x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
+ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+x86-increase-min_gap-to-include-randomized-stack.patch
+kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+hpwdt.c-add-new-hp-bmc-controller.patch
+time-catch-xtime_nsec-underflows-and-fix-them.patch
--- /dev/null
+From 6c9bacb41c10ba84ff68f238e234d96f35fb64f7 Mon Sep 17 00:00:00 2001
+From: john stultz <johnstul@us.ibm.com>
+Date: Mon, 1 Dec 2008 18:34:41 -0800
+Subject: time: catch xtime_nsec underflows and fix them
+
+From: john stultz <johnstul@us.ibm.com>
+
+commit 6c9bacb41c10ba84ff68f238e234d96f35fb64f7 upstream.
+
+Impact: fix time warp bug
+
+Alex Shi, along with Yanmin Zhang have been noticing occasional time
+inconsistencies recently. Through their great diagnosis, they found that
+the xtime_nsec value used in update_wall_time was occasionally going
+negative. After looking through the code for awhile, I realized we have
+the possibility for an underflow when three conditions are met in
+update_wall_time():
+
+ 1) We have accumulated a second's worth of nanoseconds, so we
+ incremented xtime.tv_sec and appropriately decrement xtime_nsec.
+ (This doesn't cause xtime_nsec to go negative, but it can cause it
+ to be small).
+
+ 2) The remaining offset value is large, but just slightly less then
+ cycle_interval.
+
+ 3) clocksource_adjust() is speeding up the clock, causing a
+ corrective amount (compensating for the increase in the multiplier
+ being multiplied against the unaccumulated offset value) to be
+ subtracted from xtime_nsec.
+
+This can cause xtime_nsec to underflow.
+
+Unfortunately, since we notify the NTP subsystem via second_overflow()
+whenever we accumulate a full second, and this effects the error
+accumulation that has already occured, we cannot simply revert the
+accumulated second from xtime nor move the second accumulation to after
+the clocksource_adjust call without a change in behavior.
+
+This leaves us with (at least) two options:
+
+1) Simply return from clocksource_adjust() without making a change if we
+ notice the adjustment would cause xtime_nsec to go negative.
+
+This would work, but I'm concerned that if a large adjustment was needed
+(due to the error being large), it may be possible to get stuck with an
+ever increasing error that becomes too large to correct (since it may
+always force xtime_nsec negative). This may just be paranoia on my part.
+
+2) Catch xtime_nsec if it is negative, then add back the amount its
+ negative to both xtime_nsec and the error.
+
+This second method is consistent with how we've handled earlier rounding
+issues, and also has the benefit that the error being added is always in
+the oposite direction also always equal or smaller then the correction
+being applied. So the risk of a corner case where things get out of
+control is lessened.
+
+This patch fixes bug 11970, as tested by Yanmin Zhang
+http://bugzilla.kernel.org/show_bug.cgi?id=11970
+
+Reported-by: alex.shi@intel.com
+Signed-off-by: John Stultz <johnstul@us.ibm.com>
+Acked-by: "Zhang, Yanmin" <yanmin_zhang@linux.intel.com>
+Tested-by: "Zhang, Yanmin" <yanmin_zhang@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/timekeeping.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -477,6 +477,28 @@ void update_wall_time(void)
+ /* correct the clock when NTP error is too big */
+ clocksource_adjust(offset);
+
++ /*
++ * Since in the loop above, we accumulate any amount of time
++ * in xtime_nsec over a second into xtime.tv_sec, its possible for
++ * xtime_nsec to be fairly small after the loop. Further, if we're
++ * slightly speeding the clocksource up in clocksource_adjust(),
++ * its possible the required corrective factor to xtime_nsec could
++ * cause it to underflow.
++ *
++ * Now, we cannot simply roll the accumulated second back, since
++ * the NTP subsystem has been notified via second_overflow. So
++ * instead we push xtime_nsec forward by the amount we underflowed,
++ * and add that amount into the error.
++ *
++ * We'll correct this error next time through this function, when
++ * xtime_nsec is not as small.
++ */
++ if (unlikely((s64)clock->xtime_nsec < 0)) {
++ s64 neg = -(s64)clock->xtime_nsec;
++ clock->xtime_nsec = 0;
++ clock->error += neg << (NTP_SCALE_SHIFT - clock->shift);
++ }
++
+ /* store full nanoseconds into xtime */
+ xtime.tv_nsec = (s64)clock->xtime_nsec >> clock->shift;
+ clock->xtime_nsec -= (s64)xtime.tv_nsec << clock->shift;
--- /dev/null
+From cebbert@redhat.com Fri Oct 9 15:36:28 2009
+From: Jan Beulich <jbeulich@novell.com>
+Date: Wed, 7 Oct 2009 17:33:08 -0400
+Subject: x86-64: slightly stream-line 32-bit syscall entry code
+To: stable@kernel.org
+Cc: Jan Beulich <jbeulich@novell.com>
+Message-ID: <20091007173308.1e56746f@katamari.usersys.redhat.com>
+
+From: Jan Beulich <jbeulich@novell.com>
+
+commit 295286a89107c353b9677bc604361c537fd6a1c0 upstream
+
+x86-64: slightly stream-line 32-bit syscall entry code
+
+[ required for following patch to apply properly ]
+
+Avoid updating registers or memory twice as well as needlessly loading
+or copying registers.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -39,11 +39,11 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS
++ .macro CLEAR_RREGS _r9=rax
+ xorl %eax,%eax
+ movq %rax,R11(%rsp)
+ movq %rax,R10(%rsp)
+- movq %rax,R9(%rsp)
++ movq %\_r9,R9(%rsp)
+ movq %rax,R8(%rsp)
+ .endm
+
+@@ -52,11 +52,10 @@
+ * We don't reload %eax because syscall_trace_enter() returned
+ * the value it wants us to use in the table lookup.
+ */
+- .macro LOAD_ARGS32 offset
+- movl \offset(%rsp),%r11d
+- movl \offset+8(%rsp),%r10d
++ .macro LOAD_ARGS32 offset, _r9=0
++ .if \_r9
+ movl \offset+16(%rsp),%r9d
+- movl \offset+24(%rsp),%r8d
++ .endif
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+@@ -145,7 +144,7 @@ ENTRY(ia32_sysenter_target)
+ SAVE_ARGS 0,0,1
+ /* no need to do an access_ok check here because rbp has been
+ 32bit zero extended */
+-1: movl (%rbp),%r9d
++1: movl (%rbp),%ebp
+ .section __ex_table,"a"
+ .quad 1b,ia32_badarg
+ .previous
+@@ -157,7 +156,7 @@ ENTRY(ia32_sysenter_target)
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja ia32_badsys
+ sysenter_do_call:
+- IA32_ARG_FIXUP 1
++ IA32_ARG_FIXUP
+ sysenter_dispatch:
+ call *ia32_sys_call_table(,%rax,8)
+ movq %rax,RAX-ARGOFFSET(%rsp)
+@@ -234,20 +233,17 @@ sysexit_audit:
+ #endif
+
+ sysenter_tracesys:
+- xchgl %r9d,%ebp
+ #ifdef CONFIG_AUDITSYSCALL
+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+ jz sysenter_auditsys
+ #endif
+ SAVE_REST
+ CLEAR_RREGS
+- movq %r9,R9(%rsp)
+ movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+- xchgl %ebp,%r9d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ jmp sysenter_do_call
+@@ -314,9 +310,9 @@ ENTRY(ia32_cstar_target)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ CFI_REMEMBER_STATE
+ jnz cstar_tracesys
+-cstar_do_call:
+ cmpl $IA32_NR_syscalls-1,%eax
+ ja ia32_badsys
++cstar_do_call:
+ IA32_ARG_FIXUP 1
+ cstar_dispatch:
+ call *ia32_sys_call_table(,%rax,8)
+@@ -357,15 +353,13 @@ cstar_tracesys:
+ #endif
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS
+- movq %r9,R9(%rsp)
++ CLEAR_RREGS r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ xchgl %ebp,%r9d
+- movl RSP-ARGOFFSET(%rsp), %r8d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ jmp cstar_do_call
--- /dev/null
+From cebbert@redhat.com Fri Oct 9 15:37:09 2009
+From: Jan Beulich <JBeulich@novell.com>
+Date: Wed, 7 Oct 2009 17:34:09 -0400
+Subject: x86: Don't leak 64-bit kernel register values to 32-bit processes
+To: stable@kernel.org
+Cc: Jan Beulich <jbeulich@novell.com>
+Message-ID: <20091007173409.2d4978d9@katamari.usersys.redhat.com>
+
+From: Jan Beulich <JBeulich@novell.com>
+
+commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream
+
+x86: Don't leak 64-bit kernel register values to 32-bit processes
+
+While 32-bit processes can't directly access R8...R15, they can
+gain access to these registers by temporarily switching themselves
+into 64-bit mode.
+
+Therefore, registers not preserved anyway by called C functions
+(i.e. R8...R11) must be cleared prior to returning to user mode.
+
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -21,8 +21,8 @@
+ #define __AUDIT_ARCH_LE 0x40000000
+
+ #ifndef CONFIG_AUDITSYSCALL
+-#define sysexit_audit int_ret_from_sys_call
+-#define sysretl_audit int_ret_from_sys_call
++#define sysexit_audit ia32_ret_from_sys_call
++#define sysretl_audit ia32_ret_from_sys_call
+ #endif
+
+ #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
+@@ -39,12 +39,12 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS _r9=rax
++ .macro CLEAR_RREGS offset=0, _r9=rax
+ xorl %eax,%eax
+- movq %rax,R11(%rsp)
+- movq %rax,R10(%rsp)
+- movq %\_r9,R9(%rsp)
+- movq %rax,R8(%rsp)
++ movq %rax,\offset+R11(%rsp)
++ movq %rax,\offset+R10(%rsp)
++ movq %\_r9,\offset+R9(%rsp)
++ movq %rax,\offset+R8(%rsp)
+ .endm
+
+ /*
+@@ -172,6 +172,10 @@ sysexit_from_sys_call:
+ movl RIP-R11(%rsp),%edx /* User %eip */
+ CFI_REGISTER rip,rdx
+ RESTORE_ARGS 1,24,1,1,1,1
++ xorq %r8,%r8
++ xorq %r9,%r9
++ xorq %r10,%r10
++ xorq %r11,%r11
+ popfq
+ CFI_ADJUST_CFA_OFFSET -8
+ /*CFI_RESTORE rflags*/
+@@ -202,7 +206,7 @@ sysexit_from_sys_call:
+
+ .macro auditsys_exit exit,ebpsave=RBP
+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
+- jnz int_ret_from_sys_call
++ jnz ia32_ret_from_sys_call
+ TRACE_IRQS_ON
+ sti
+ movl %eax,%esi /* second arg, syscall return value */
+@@ -218,8 +222,9 @@ sysexit_from_sys_call:
+ cli
+ TRACE_IRQS_OFF
+ testl %edi,TI_flags(%r10)
+- jnz int_with_check
+- jmp \exit
++ jz \exit
++ CLEAR_RREGS -ARGOFFSET
++ jmp int_with_check
+ .endm
+
+ sysenter_auditsys:
+@@ -329,6 +334,9 @@ sysretl_from_sys_call:
+ CFI_REGISTER rip,rcx
+ movl EFLAGS-ARGOFFSET(%rsp),%r11d
+ /*CFI_REGISTER rflags,r11*/
++ xorq %r10,%r10
++ xorq %r9,%r9
++ xorq %r8,%r8
+ TRACE_IRQS_ON
+ movl RSP-ARGOFFSET(%rsp),%esp
+ CFI_RESTORE rsp
+@@ -353,7 +361,7 @@ cstar_tracesys:
+ #endif
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS r9
++ CLEAR_RREGS 0, r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+@@ -425,6 +433,8 @@ ia32_do_call:
+ call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+ ia32_sysret:
+ movq %rax,RAX-ARGOFFSET(%rsp)
++ia32_ret_from_sys_call:
++ CLEAR_RREGS -ARGOFFSET
+ jmp int_ret_from_sys_call
+
+ ia32_tracesys:
+@@ -442,8 +452,8 @@ END(ia32_syscall)
+
+ ia32_badsys:
+ movq $0,ORIG_RAX-ARGOFFSET(%rsp)
+- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+- jmp int_ret_from_sys_call
++ movq $-ENOSYS,%rax
++ jmp ia32_sysret
+
+ quiet_ni_syscall:
+ movq $-ENOSYS,%rax
--- /dev/null
+From cebbert@redhat.com Fri Oct 9 15:39:43 2009
+From: Michal Hocko <mhocko@suse.cz>
+Date: Wed, 7 Oct 2009 17:38:24 -0400
+Subject: x86: Increase MIN_GAP to include randomized stack
+To: stable@kernel.org
+Message-ID: <20091007173824.5a9bce1f@katamari.usersys.redhat.com>
+
+From: Michal Hocko <mhocko@suse.cz>
+
+[ trivial backport to 2.6.27: Chuck Ebbert <cebbert@redhat.com> ]
+
+commit 80938332d8cf652f6b16e0788cf0ca136befe0b5 upstream.
+
+Currently we are not including randomized stack size when calculating
+mmap_base address in arch_pick_mmap_layout for topdown case. This might
+cause that mmap_base starts in the stack reserved area because stack is
+randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB.
+
+If the stack really grows down to mmap_base then we can get silent mmap
+region overwrite by the stack values.
+
+Let's include maximum stack randomization size into MIN_GAP which is
+used as the low bound for the gap in mmap.
+
+Signed-off-by: Michal Hocko <mhocko@suse.cz>
+LKML-Reference: <1252400515-6866-1-git-send-email-mhocko@suse.cz>
+Acked-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ arch/x86/mm/mmap.c | 17 +++++++++++++++--
+ include/asm-x86/elf.h | 2 ++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -29,13 +29,26 @@
+ #include <linux/random.h>
+ #include <linux/limits.h>
+ #include <linux/sched.h>
++#include <asm/elf.h>
++
++static unsigned int stack_maxrandom_size(void)
++{
++ unsigned int max = 0;
++ if ((current->flags & PF_RANDOMIZE) &&
++ !(current->personality & ADDR_NO_RANDOMIZE)) {
++ max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
++ }
++
++ return max;
++}
++
+
+ /*
+ * Top of mmap area (just below the process stack).
+ *
+- * Leave an at least ~128 MB hole.
++ * Leave an at least ~128 MB hole with possible stack randomization.
+ */
+-#define MIN_GAP (128*1024*1024)
++#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
+ #define MAX_GAP (TASK_SIZE/6*5)
+
+ /*
+--- a/include/asm-x86/elf.h
++++ b/include/asm-x86/elf.h
+@@ -287,6 +287,8 @@ do { \
+
+ #ifdef CONFIG_X86_32
+
++#define STACK_RND_MASK (0x7ff)
++
+ #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32(vdso_enabled)
projects / thirdparty / kernel / stable-queue.git / commitdiff
