more .31 patches stashed away
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 12 Feb 2010 20:58:10 +0000 (12:58 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 12 Feb 2010 20:58:10 +0000 (12:58 -0800)
queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch [new file with mode: 0644]
queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch [new file with mode: 0644]
queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch [new file with mode: 0644]
queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch [new file with mode: 0644]
queue-2.6.31/series

diff --git a/queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch b/queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch
new file mode 100644 (file)
index 0000000..22c94e6
--- /dev/null
@@ -0,0 +1,40 @@
+From 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 Mon Sep 17 00:00:00 2001
+From: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+Date: Fri, 5 Feb 2010 13:14:04 +0100
+Subject: cciss: Make cciss_seq_show handle holes in the h->drv[] array
+
+From: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+
+commit 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 upstream.
+
+It is possible (and expected) for there to be holes in the h->drv[]
+array, that is, some elements may be NULL pointers.  cciss_seq_show
+needs to be made aware of this possibility to avoid an Oops.
+
+To reproduce the Oops which this fixes:
+
+1) Create two "arrays" in the Array Configuratino Utility and
+   several logical drives on each array.
+2) cat /proc/driver/cciss/cciss* in an infinite loop
+3) delete some of the logical drives in the first "array."
+
+Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/block/cciss.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -323,6 +323,9 @@ static int cciss_seq_show(struct seq_fil
+       if (*pos > h->highest_lun)
+               return 0;
++      if (drv == NULL) /* it's possible for h->drv[] to have holes. */
++              return 0;
++
+       if (drv->heads == 0)
+               return 0;
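Review bot: The NULL test added before `drv->heads` checks a local `drv` that was loaded earlier, outside this hunk, and nothing in the hunk shows a lock held across that load and the dereference. The commit message reproduces the Oops by deleting logical drives while /proc is being read, so if the delete path frees the entry as well as clearing it, a reader that loaded the pointer just before the delete would pass this check and still touch freed memory. Confirm what serialises cciss_seq_show against drive removal. For the 2.6.31 backport, also confirm that `h->drv[]` holds pointers in this tree, since the check is dead code if `drv` is the address of an array element. cciss_seq_show starts and ends outside the hunk.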
diff --git a/queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch b/queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
new file mode 100644 (file)
index 0000000..584a5b2
--- /dev/null
@@ -0,0 +1,51 @@
+From 557a701c16553b0b691dbb64ef30361115a80f64 Mon Sep 17 00:00:00 2001
+From: Thomas Renninger <trenn@suse.de>
+Date: Mon, 14 Dec 2009 11:44:15 +0100
+Subject: CPUFREQ: Fix use after free of struct powernow_k8_data
+
+From: Thomas Renninger <trenn@suse.de>
+
+commit 557a701c16553b0b691dbb64ef30361115a80f64 upstream.
+
+Easy fix for a regression introduced in 2.6.31.
+
+On managed CPUs the cpufreq.c core will call driver->exit(cpu) on the
+managed cpus and powernow_k8 will free the core's data.
+
+Later driver->get(cpu) function might get called trying to read out the
+current freq of a managed cpu and the NULL pointer check does not work on
+the freed object -> better set it to NULL.
+
+->get() is unsigned and must return 0 as invalid frequency.
+
+Reference:
+http://bugzilla.kernel.org/show_bug.cgi?id=14391
+
+Signed-off-by: Thomas Renninger <trenn@suse.de>
+Tested-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/cpufreq/powernow-k8.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
++++ b/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
+@@ -1372,6 +1372,7 @@ static int __devexit powernowk8_cpu_exit
+       kfree(data->powernow_table);
+       kfree(data);
++      per_cpu(powernow_data, pol->cpu) = NULL;
+       return 0;
+ }
+@@ -1391,7 +1392,7 @@ static unsigned int powernowk8_get(unsig
+       int err;
+       if (!data)
+-              return -EINVAL;
++              return 0;
+       smp_call_function_single(cpu, query_values_on_cpu, &err, true);
+       if (err)
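Review bot: In powernowk8_cpu_exit the per-CPU pointer is cleared only after `kfree(data)`, so there is still a window in which powernowk8_get on another CPU can read a non-NULL `powernow_data` that has already been freed. Clearing the slot first narrows that window: move `per_cpu(powernow_data, pol->cpu) = NULL;` above the two `kfree()` calls. That alone does not close the race, because a reader may already hold `data` past its `if (!data)` test. Whether the cpufreq core serialises ->exit() against ->get() is not visible here and should be confirmed. Both function bodies extend outside their hunks.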
diff --git a/queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch b/queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
new file mode 100644 (file)
index 0000000..f6f3d87
--- /dev/null
@@ -0,0 +1,93 @@
+From 803bf5ec259941936262d10ecc84511b76a20921 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Wed, 10 Feb 2010 13:56:42 -0800
+Subject: fs/exec.c: restrict initial stack space expansion to rlimit
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 803bf5ec259941936262d10ecc84511b76a20921 upstream.
+
+When reserving stack space for a new process, make sure we're not
+attempting to expand the stack by more than rlimit allows.
+
+This fixes a bug caused by b6a2fea39318e43fee84fa7b0b90d68bed92d2ba ("mm:
+variable length argument support") and unmasked by
+fc63cf237078c86214abcb2ee9926d8ad289da9b ("exec: setup_arg_pages() fails
+to return errors").
+
+This bug means that when limiting the stack to less the 20*PAGE_SIZE (eg.
+80K on 4K pages or 'ulimit -s 79') all processes will be killed before
+they start.  This is particularly bad with 64K pages, where a ulimit below
+1280K will kill every process.
+
+To test, do:
+
+  'ulimit -s 15; ls'
+
+before and after the patch is applied.  Before it's applied, 'ls' should
+be killed.  After the patch is applied, 'ls' should no longer be killed.
+
+A stack limit of 15KB since it's small enough to trigger 20*PAGE_SIZE.
+Also 15KB not a multiple of PAGE_SIZE, which is a trickier case to handle
+correctly with this code.
+
+4K pages should be fine to test with.
+
+[kosaki.motohiro@jp.fujitsu.com: cleanup]
+[akpm@linux-foundation.org: cleanup cleanup]
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: Americo Wang <xiyou.wangcong@gmail.com>
+Cc: Anton Blanchard <anton@samba.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Serge Hallyn <serue@us.ibm.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c |   21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -570,6 +570,9 @@ int setup_arg_pages(struct linux_binprm
+       struct vm_area_struct *prev = NULL;
+       unsigned long vm_flags;
+       unsigned long stack_base;
++      unsigned long stack_size;
++      unsigned long stack_expand;
++      unsigned long rlim_stack;
+ #ifdef CONFIG_STACK_GROWSUP
+       /* Limit stack size to 1GB */
+@@ -628,10 +631,24 @@ int setup_arg_pages(struct linux_binprm
+               }
+       }
++      stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++      stack_size = vma->vm_end - vma->vm_start;
++      /*
++       * Align this down to a page boundary as expand_stack
++       * will align it up.
++       */
++      rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
++      rlim_stack = min(rlim_stack, stack_size);
+ #ifdef CONFIG_STACK_GROWSUP
+-      stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++      if (stack_size + stack_expand > rlim_stack)
++              stack_base = vma->vm_start + rlim_stack;
++      else
++              stack_base = vma->vm_end + stack_expand;
+ #else
+-      stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++      if (stack_size + stack_expand > rlim_stack)
++              stack_base = vma->vm_end - rlim_stack;
++      else
++              stack_base = vma->vm_start - stack_expand;
+ #endif
+       ret = expand_stack(vma, stack_base);
+       if (ret)
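Review bot: `rlim_stack = min(rlim_stack, stack_size);` clamps the limit to at most the current stack size, so `stack_size + stack_expand > rlim_stack` is true whenever `stack_expand` is non-zero and both `else` branches are unreachable. `stack_base` therefore always lands inside the existing VMA (`vma->vm_end - rlim_stack` is never below `vma->vm_start`), and the EXTRA_STACK_VM_PAGES reservation appears never to happen, even when the rlimit would allow it. If the clamp was only meant to avoid shrinking the stack, dropping the `min()` line should be enough, assuming expand_stack() leaves the VMA alone when the target address already lies inside it; check that against expand_stack() in this tree. setup_arg_pages continues outside both inner hunks.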
diff --git a/queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch b/queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch
new file mode 100644 (file)
index 0000000..7e61cd5
--- /dev/null
@@ -0,0 +1,59 @@
+From 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 19 Nov 2009 17:16:37 +0100
+Subject: resource: add helpers for fetching rlimits
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd upstream.
+
+We want to be sure that compiler fetches the limit variable only
+once, so add helpers for fetching current and maximal resource
+limits which do that.
+
+Add them to sched.h (instead of resource.h) due to circular dependency
+ sched.h->resource.h->task_struct
+Alternative would be to create a separate res_access.h or similar.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: James Morris <jmorris@namei.org>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/sched.h |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -2485,6 +2485,28 @@ static inline void mm_init_owner(struct
+ #define TASK_STATE_TO_CHAR_STR "RSDTtZX"
++static inline unsigned long task_rlimit(const struct task_struct *tsk,
++              unsigned int limit)
++{
++      return ACCESS_ONCE(tsk->signal->rlim[limit].rlim_cur);
++}
++
++static inline unsigned long task_rlimit_max(const struct task_struct *tsk,
++              unsigned int limit)
++{
++      return ACCESS_ONCE(tsk->signal->rlim[limit].rlim_max);
++}
++
++static inline unsigned long rlimit(unsigned int limit)
++{
++      return task_rlimit(current, limit);
++}
++
++static inline unsigned long rlimit_max(unsigned int limit)
++{
++      return task_rlimit_max(current, limit);
++}
++
+ #endif /* __KERNEL__ */
+ #endif
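Review bot: task_rlimit() and task_rlimit_max() use `limit` as an index into `tsk->signal->rlim[]` with no range check, and none of the four helpers carries a comment stating that contract. Callers that pass a RLIMIT_* constant are fine, but a value derived from user input has to be validated against RLIM_NLIMITS before it reaches these helpers. I would add a comment above task_rlimit() such as `/* @limit must be a RLIMIT_* index below RLIM_NLIMITS; the limit is fetched once (ACCESS_ONCE) so callers compare and use the same value. */`. The commit message gives the single-fetch reason, but it is not recorded next to the code.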
index 9de22a3ab56bb5dc7a3f35710f177ad311d78a9f..1bbc57f2747424a9b99ad98d5a24c76bb865f2f7 100644 (file)
@@ -4,6 +4,10 @@ futex-handle-user-space-corruption-gracefully.patch
 futex_lock_pi-key-refcnt-fix.patch
 security-selinux-fix-update_rlimit_cpu-parameter.patch
 ubi-fix-volume-creation-input-checking.patch
+cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch
+cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
+resource-add-helpers-for-fetching-rlimits.patch
+fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
 
 # needs more to be added first
 fix-race-in-tty_fasync-properly.patch