From: Greg Kroah-Hartman
Date: Fri, 12 Feb 2010 20:58:10 +0000 (-0800)
Subject: more .31 patches stashed away
X-Git-Tag: v2.6.32.9~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f514b1574a253492c6ae70e99d7ecc0bf46601f7;p=thirdparty%2Fkernel%2Fstable-queue.git
more .31 patches stashed away
---
diff --git a/queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch b/queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch
new file mode 100644
index 00000000000..22c94e67224
--- /dev/null
+++ b/queue-2.6.31/cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch
@@ -0,0 +1,40 @@
+From 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 Mon Sep 17 00:00:00 2001
+From: Stephen M. Cameron
+Date: Fri, 5 Feb 2010 13:14:04 +0100
+Subject: cciss: Make cciss_seq_show handle holes in the h->drv[] array
+
+From: Stephen M. Cameron
+
+commit 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 upstream.
+
+It is possible (and expected) for there to be holes in the h->drv[]
+array, that is, some elements may be NULL pointers. cciss_seq_show
+needs to be made aware of this possibility to avoid an Oops.
+
+To reproduce the Oops which this fixes:
+
+1) Create two "arrays" in the Array Configuratino Utility and
+ several logical drives on each array.
+2) cat /proc/driver/cciss/cciss* in an infinite loop
+3) delete some of the logical drives in the first "array."
+
+Signed-off-by: Stephen M. Cameron
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/cciss.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -323,6 +323,9 @@ static int cciss_seq_show(struct seq_fil
+ if (*pos > h->highest_lun)
+ return 0;
+
++ if (drv == NULL) /* it's possible for h->drv[] to have holes. */
++ return 0;
++
+ if (drv->heads == 0)
+ return 0;
+
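Review bot: The added `if (drv == NULL)` test in cciss_seq_show only protects the `drv->heads` read that follows if the `h->drv[]` entry cannot be torn down after `drv` was loaded, and nothing in the hunk shows what keeps the entry alive. The reproducer in the description deletes logical drives while /proc is being read, so if deletion frees the entry rather than only clearing the slot, a non-NULL but stale `drv` would still be dereferenced. The load of `drv` and any locking sit above the hunk, so this needs confirming there. I would extend the comment on the new check to name the lock or flag that makes the pointer stable for the rest of the function.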
diff --git a/queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch b/queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
new file mode 100644
index 00000000000..584a5b24681
--- /dev/null
+++ b/queue-2.6.31/cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
@@ -0,0 +1,51 @@
+From 557a701c16553b0b691dbb64ef30361115a80f64 Mon Sep 17 00:00:00 2001
+From: Thomas Renninger
+Date: Mon, 14 Dec 2009 11:44:15 +0100
+Subject: CPUFREQ: Fix use after free of struct powernow_k8_data
+
+From: Thomas Renninger
+
+commit 557a701c16553b0b691dbb64ef30361115a80f64 upstream.
+
+Easy fix for a regression introduced in 2.6.31.
+
+On managed CPUs the cpufreq.c core will call driver->exit(cpu) on the
+managed cpus and powernow_k8 will free the core's data.
+
+Later driver->get(cpu) function might get called trying to read out the
+current freq of a managed cpu and the NULL pointer check does not work on
+the freed object -> better set it to NULL.
+
+->get() is unsigned and must return 0 as invalid frequency.
+
+Reference:
+http://bugzilla.kernel.org/show_bug.cgi?id=14391
+
+Signed-off-by: Thomas Renninger
+Tested-by: Michal Schmidt
+Signed-off-by: Dave Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/cpufreq/powernow-k8.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
++++ b/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
+@@ -1372,6 +1372,7 @@ static int __devexit powernowk8_cpu_exit
+
+ kfree(data->powernow_table);
+ kfree(data);
++ per_cpu(powernow_data, pol->cpu) = NULL;
+
+ return 0;
+ }
+@@ -1391,7 +1392,7 @@ static unsigned int powernowk8_get(unsig
+ int err;
+
+ if (!data)
+- return -EINVAL;
++ return 0;
+
+ smp_call_function_single(cpu, query_values_on_cpu, &err, true);
+ if (err)
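Review bot: In powernowk8_cpu_exit the per-CPU pointer is cleared only after `kfree(data)`, so a powernowk8_get() running on another CPU in that window still sees a non-NULL pointer to freed memory and passes the `if (!data)` test. Clearing the slot first narrows the window: move `per_cpu(powernow_data, pol->cpu) = NULL;` above the two `kfree()` calls. That still does not protect a reader that fetched `data` before the store. Whether the cpufreq core serialises ->exit() against ->get() is not visible in these hunks and should be stated in a comment at the store. Both function bodies start outside their hunks.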
diff --git a/queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch b/queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
new file mode 100644
index 00000000000..f6f3d87d1ab
--- /dev/null
+++ b/queue-2.6.31/fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
@@ -0,0 +1,93 @@
+From 803bf5ec259941936262d10ecc84511b76a20921 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Wed, 10 Feb 2010 13:56:42 -0800
+Subject: fs/exec.c: restrict initial stack space expansion to rlimit
+
+From: Michael Neuling
+
+commit 803bf5ec259941936262d10ecc84511b76a20921 upstream.
+
+When reserving stack space for a new process, make sure we're not
+attempting to expand the stack by more than rlimit allows.
+
+This fixes a bug caused by b6a2fea39318e43fee84fa7b0b90d68bed92d2ba ("mm:
+variable length argument support") and unmasked by
+fc63cf237078c86214abcb2ee9926d8ad289da9b ("exec: setup_arg_pages() fails
+to return errors").
+
+This bug means that when limiting the stack to less the 20*PAGE_SIZE (eg.
+80K on 4K pages or 'ulimit -s 79') all processes will be killed before
+they start. This is particularly bad with 64K pages, where a ulimit below
+1280K will kill every process.
+
+To test, do:
+
+ 'ulimit -s 15; ls'
+
+before and after the patch is applied. Before it's applied, 'ls' should
+be killed. After the patch is applied, 'ls' should no longer be killed.
+
+A stack limit of 15KB since it's small enough to trigger 20*PAGE_SIZE.
+Also 15KB not a multiple of PAGE_SIZE, which is a trickier case to handle
+correctly with this code.
+
+4K pages should be fine to test with.
+
+[kosaki.motohiro@jp.fujitsu.com: cleanup]
+[akpm@linux-foundation.org: cleanup cleanup]
+Signed-off-by: Michael Neuling
+Signed-off-by: KOSAKI Motohiro
+Cc: Americo Wang
+Cc: Anton Blanchard
+Cc: Oleg Nesterov
+Cc: James Morris
+Cc: Ingo Molnar
+Cc: Serge Hallyn
+Cc: Benjamin Herrenschmidt
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -570,6 +570,9 @@ int setup_arg_pages(struct linux_binprm
+ struct vm_area_struct *prev = NULL;
+ unsigned long vm_flags;
+ unsigned long stack_base;
++ unsigned long stack_size;
++ unsigned long stack_expand;
++ unsigned long rlim_stack;
+
+ #ifdef CONFIG_STACK_GROWSUP
+ /* Limit stack size to 1GB */
+@@ -628,10 +631,24 @@ int setup_arg_pages(struct linux_binprm
+ }
+ }
+
++ stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++ stack_size = vma->vm_end - vma->vm_start;
++ /*
++ * Align this down to a page boundary as expand_stack
++ * will align it up.
++ */
++ rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
++ rlim_stack = min(rlim_stack, stack_size);
+ #ifdef CONFIG_STACK_GROWSUP
+- stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++ if (stack_size + stack_expand > rlim_stack)
++ stack_base = vma->vm_start + rlim_stack;
++ else
++ stack_base = vma->vm_end + stack_expand;
+ #else
+- stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE;
++ if (stack_size + stack_expand > rlim_stack)
++ stack_base = vma->vm_end - rlim_stack;
++ else
++ stack_base = vma->vm_start - stack_expand;
+ #endif
+ ret = expand_stack(vma, stack_base);
+ if (ret)
diff --git a/queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch b/queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch
new file mode 100644
index 00000000000..7e61cd5d616
--- /dev/null
+++ b/queue-2.6.31/resource-add-helpers-for-fetching-rlimits.patch
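Review bot: In the fs/exec.c hunk for setup_arg_pages(), the line `rlim_stack = min(rlim_stack, stack_size);` caps rlim_stack at the current VMA size, so `stack_size + stack_expand > rlim_stack` is true whenever stack_expand is non-zero and neither `else` branch can be reached. In the grows-down case stack_base then becomes `vma->vm_end - rlim_stack`, which is at or above `vma->vm_start`, so expand_stack() is handed an address already inside the VMA and the EXTRA_STACK_VM_PAGES reservation is presumably never made. The CONFIG_STACK_GROWSUP branch has the mirror-image problem. If expand_stack() already leaves the VMA untouched for an address inside it (not visible here), deleting the `min()` line keeps the rlimit clamp and restores the reservation. setup_arg_pages() starts and ends outside the hunk.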
@@ -0,0 +1,59 @@
+From 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Thu, 19 Nov 2009 17:16:37 +0100
+Subject: resource: add helpers for fetching rlimits
+
+From: Jiri Slaby
+
+commit 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd upstream.
+
+We want to be sure that compiler fetches the limit variable only
+once, so add helpers for fetching current and maximal resource
+limits which do that.
+
+Add them to sched.h (instead of resource.h) due to circular dependency
+ sched.h->resource.h->task_struct
+Alternative would be to create a separate res_access.h or similar.
+
+Signed-off-by: Jiri Slaby
+Cc: James Morris
+Cc: Heiko Carstens
+Cc: Andrew Morton
+Cc: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/sched.h | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -2485,6 +2485,28 @@ static inline void mm_init_owner(struct
+
+ #define TASK_STATE_TO_CHAR_STR "RSDTtZX"
+
++static inline unsigned long task_rlimit(const struct task_struct *tsk,
++ unsigned int limit)
++{
++ return ACCESS_ONCE(tsk->signal->rlim[limit].rlim_cur);
++}
++
++static inline unsigned long task_rlimit_max(const struct task_struct *tsk,
++ unsigned int limit)
++{
++ return ACCESS_ONCE(tsk->signal->rlim[limit].rlim_max);
++}
++
++static inline unsigned long rlimit(unsigned int limit)
++{
++ return task_rlimit(current, limit);
++}
++
++static inline unsigned long rlimit_max(unsigned int limit)
++{
++ return task_rlimit_max(current, limit);
++}
++
+ #endif /* __KERNEL__ */
+
+ #endif
diff --git a/queue-2.6.31/series b/queue-2.6.31/series
index 9de22a3ab56..1bbc57f2747 100644
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
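Review bot: task_rlimit() and task_rlimit_max() in the sched.h hunk index `tsk->signal->rlim[limit]` with no range check and dereference `tsk->signal` unconditionally, and neither precondition is documented. A short comment above each helper would help callers, for example `/* @limit must be a valid RLIMIT_* index (< RLIM_NLIMITS); the caller keeps tsk->signal valid */`. The reason for ACCESS_ONCE given in the commit message, a single fetch of a value that may change under the reader, belongs in that comment too, since it is the only reason the helpers exist.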
@@ -4,6 +4,10 @@ futex-handle-user-space-corruption-gracefully.patch
 futex_lock_pi-key-refcnt-fix.patch
 security-selinux-fix-update_rlimit_cpu-parameter.patch
 ubi-fix-volume-creation-input-checking.patch
+cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch
+cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch
+resource-add-helpers-for-fetching-rlimits.patch
+fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch
 # needs more to be added first
 fix-race-in-tty_fasync-properly.patch