.29 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 29 Jun 2009 23:52:28 +0000 (16:52 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 29 Jun 2009 23:52:28 +0000 (16:52 -0700)
queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch [new file with mode: 0644]
queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch [new file with mode: 0644]
queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch [new file with mode: 0644]
queue-2.6.29/series
queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch [new file with mode: 0644]

diff --git a/queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch b/queue-2.6.29/lockdep-select-frame-pointers-on-x86.patch
new file mode 100644 (file)
index 0000000..e593372
--- /dev/null
@@ -0,0 +1,34 @@
+From 00540e5d54be972a94a3b2ce6da8621bebe731a2 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri, 12 Jun 2009 10:04:01 +0200
+Subject: lockdep: Select frame pointers on x86
+
+From: Peter Zijlstra <a.p.zijlstra@chello.nl>
+
+commit 00540e5d54be972a94a3b2ce6da8621bebe731a2 upstream.
+
+x86 stack traces are a piece of crap without frame pointers, and its not
+like the 'performance gain' of not having stack pointers matters when you
+selected lockdep.
+
+Reported-by: Andrew Morton <akpm@linux-foundation.org>
+LKML-Reference: <new-submission>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ lib/Kconfig.debug |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -402,7 +402,7 @@ config LOCKDEP
+       bool
+       depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
+       select STACKTRACE
+-      select FRAME_POINTER if !X86 && !MIPS && !PPC
++      select FRAME_POINTER if !MIPS && !PPC
+       select KALLSYMS
+       select KALLSYMS_ALL
diff --git a/queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch b/queue-2.6.29/mac80211-fix-minstrel-single-rate-memory-corruption.patch
new file mode 100644 (file)
index 0000000..692d9b6
--- /dev/null
@@ -0,0 +1,53 @@
+From 5ee58d7e6ad019675b4090582aec4fa1180d8703 Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Fri, 5 Jun 2009 08:21:50 -0400
+Subject: mac80211: fix minstrel single-rate memory corruption
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 5ee58d7e6ad019675b4090582aec4fa1180d8703 upstream.
+
+The minstrel rate controller periodically looks up rate indexes in
+a sampling table.  When accessing a specific row and column, minstrel
+correctly does a bounds check which, on the surface, appears to handle
+the case where mi->n_rates < 2.  However, mi->sample_idx is actually
+defined as an unsigned, so the right hand side is taken to be a huge
+positive number when negative, and the check will always fail.
+
+Consequently, the RC will overrun the array and cause random memory
+corruption when communicating with a peer that has only a single rate.
+The max value of mi->sample_idx is around 25 so casting to int should
+have no ill effects.
+
+Without the change, uptime is a few minutes under load with an AP
+that has a single hard-coded rate, and both the AP and STA could
+potentially crash.  With the change, both lasted 12 hours with a
+steady load.
+
+Thanks to Ognjen Maric for providing the single-rate clue so I could
+reproduce this.
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the
+regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000).
+
+Reported-by: Sergey S. Kostyliov <rathamahata@gmail.com>
+Reported-by: Ognjen Maric <ognjen.maric@gmail.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rc80211_minstrel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel.c
++++ b/net/mac80211/rc80211_minstrel.c
+@@ -216,7 +216,7 @@ minstrel_get_next_sample(struct minstrel
+       unsigned int sample_ndx;
+       sample_ndx = SAMPLE_TBL(mi, mi->sample_idx, mi->sample_column);
+       mi->sample_idx++;
+-      if (mi->sample_idx > (mi->n_rates - 2)) {
++      if ((int) mi->sample_idx > (mi->n_rates - 2)) {
+               mi->sample_idx = 0;
+               mi->sample_column++;
+               if (mi->sample_column >= SAMPLE_COLUMNS)
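Review bot: The `(int)` cast on the new `if` line restores a signed comparison, but it leaves the single-rate case implicit and silently assumes `mi->sample_idx` always fits in an int (the commit message says it stays around 25, but nothing in the code states that). The table read at the top of the hunk (`SAMPLE_TBL(mi, mi->sample_idx, ...)`) happens before the bound is applied, so the reset on this branch is what keeps the next call's index in range; making the degenerate case explicit documents that and removes the dependence on the cast, e.g. `if (mi->n_rates < 2 || mi->sample_idx > (unsigned int)(mi->n_rates - 2)) {` preceded by `/* a single-rate peer has no second rate to sample: wrap immediately */`. Because the subtraction is only evaluated once `mi->n_rates >= 2`, this form is safe whether `n_rates` is signed or unsigned. minstrel_get_next_sample begins and ends outside the hunk.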
diff --git a/queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch b/queue-2.6.29/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
new file mode 100644 (file)
index 0000000..08caee1
--- /dev/null
@@ -0,0 +1,68 @@
+From 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 17 Jun 2009 00:27:10 +0200
+Subject: send_sigio_to_task: sanitize the usage of fown->signum
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 upstream.
+
+send_sigio_to_task() reads fown->signum several times, we can race with
+F_SETSIG which changes ->signum lockless.  In theory, this can fool
+security checks or we can call group_send_sig_info() with the wrong
+->si_signo which does not match "int sig".
+
+Change the code to cache ->signum.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fcntl.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -428,14 +428,20 @@ static inline int sigio_perm(struct task
+ }
+ static void send_sigio_to_task(struct task_struct *p,
+-                             struct fown_struct *fown, 
++                             struct fown_struct *fown,
+                              int fd,
+                              int reason)
+ {
+-      if (!sigio_perm(p, fown, fown->signum))
++      /*
++       * F_SETSIG can change ->signum lockless in parallel, make
++       * sure we read it once and use the same value throughout.
++       */
++      int signum = ACCESS_ONCE(fown->signum);
++
++      if (!sigio_perm(p, fown, signum))
+               return;
+-      switch (fown->signum) {
++      switch (signum) {
+               siginfo_t si;
+               default:
+                       /* Queue a rt signal with the appropriate fd as its
+@@ -444,7 +450,7 @@ static void send_sigio_to_task(struct ta
+                          delivered even if we can't queue.  Failure to
+                          queue in this case _should_ be reported; we fall
+                          back to SIGIO in that case. --sct */
+-                      si.si_signo = fown->signum;
++                      si.si_signo = signum;
+                       si.si_errno = 0;
+                       si.si_code  = reason;
+                       /* Make sure we are called with one of the POLL_*
+@@ -456,7 +462,7 @@ static void send_sigio_to_task(struct ta
+                       else
+                               si.si_band = band_table[reason - POLL_IN];
+                       si.si_fd    = fd;
+-                      if (!group_send_sig_info(fown->signum, &si, p))
++                      if (!group_send_sig_info(signum, &si, p))
+                               break;
+               /* fall-through: fall back on the old plain SIGIO signal */
+               case 0:
index 57ac975d6086ecd1053dda04832bc553b054aa79..f39857591f4b72d71ac6954e50993bc99bbd852c 100644 (file)
@@ -17,3 +17,7 @@ alsa-ca0106-add-missing-registrations-of-vmaster-controls.patch
 floppy-provide-a-pnp-device-table-in-the-module.patch
 ib-mlx4-add-strong-ordering-to-local-inval-and-fast-reg-work-requests.patch
 x86-handle-initrd-that-extends-into-unusable-memory.patch
+lockdep-select-frame-pointers-on-x86.patch
+mac80211-fix-minstrel-single-rate-memory-corruption.patch
+shift-current_cred-from-__f_setown-to-f_modown.patch
+send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch
diff --git a/queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch b/queue-2.6.29/shift-current_cred-from-__f_setown-to-f_modown.patch
new file mode 100644 (file)
index 0000000..a86ba87
--- /dev/null
@@ -0,0 +1,76 @@
+From 2f38d70fb4e97e7d00e12eaac45790cf6ebd7b22 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 16 Jun 2009 22:07:46 +0200
+Subject: shift current_cred() from __f_setown() to f_modown()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 2f38d70fb4e97e7d00e12eaac45790cf6ebd7b22 upstream.
+
+Shift current_cred() from __f_setown() to f_modown(). This reduces
+the number of arguments and saves 48 bytes from fs/fcntl.o.
+
+[ Note: this doesn't clear euid/uid when pid is set to NULL.  But if
+  f_owner.pid == NULL we never use f_owner.uid/euid.  Otherwise we'd
+  have a bug anyway: we must not send signals if pid was reset to NULL.  ]
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/fcntl.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -198,15 +198,19 @@ static int setfl(int fd, struct file * f
+ }
+ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+-                     uid_t uid, uid_t euid, int force)
++                     int force)
+ {
+       write_lock_irq(&filp->f_owner.lock);
+       if (force || !filp->f_owner.pid) {
+               put_pid(filp->f_owner.pid);
+               filp->f_owner.pid = get_pid(pid);
+               filp->f_owner.pid_type = type;
+-              filp->f_owner.uid = uid;
+-              filp->f_owner.euid = euid;
++
++              if (pid) {
++                      const struct cred *cred = current_cred();
++                      filp->f_owner.uid = cred->uid;
++                      filp->f_owner.euid = cred->euid;
++              }
+       }
+       write_unlock_irq(&filp->f_owner.lock);
+ }
+@@ -214,14 +218,13 @@ static void f_modown(struct file *filp, 
+ int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
+               int force)
+ {
+-      const struct cred *cred = current_cred();
+       int err;
+-      
++
+       err = security_file_set_fowner(filp);
+       if (err)
+               return err;
+-      f_modown(filp, pid, type, cred->uid, cred->euid, force);
++      f_modown(filp, pid, type, force);
+       return 0;
+ }
+ EXPORT_SYMBOL(__f_setown);
+@@ -247,7 +250,7 @@ EXPORT_SYMBOL(f_setown);
+ void f_delown(struct file *filp)
+ {
+-      f_modown(filp, NULL, PIDTYPE_PID, 0, 0, 1);
++      f_modown(filp, NULL, PIDTYPE_PID, 1);
+ }
+ pid_t f_getown(struct file *filp)