From 908365a46b7d405c188bcd37884eab3bc0eb0c9e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 26 Apr 2010 15:33:03 -0700
Subject: [PATCH] .32 patch and fixes

---
 ...ore-x86-make-list_poison-less-deadly.patch | 81 +++++++++++++++++++
 ..._futex_key-when-backed-by-huge-pages.patch | 2 +-
 .../memcg-fix-prepare-migration.patch | 2 +-
 queue-2.6.32/series | 1 +
 4 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 queue-2.6.32/core-x86-make-list_poison-less-deadly.patch

diff --git a/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch b/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch
new file mode 100644
index 00000000000..078d1cf648d
--- /dev/null
+++ b/queue-2.6.32/core-x86-make-list_poison-less-deadly.patch
@@ -0,0 +1,81 @@
+From a29815a333c6c6e677294bbe5958e771d0aad3fd Mon Sep 17 00:00:00 2001
+From: Avi Kivity
+Date: Sun, 10 Jan 2010 16:28:09 +0200
+Subject: core, x86: make LIST_POISON less deadly
+
+From: Avi Kivity
+
+commit a29815a333c6c6e677294bbe5958e771d0aad3fd upstream.
+
+The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable
+pointers in order to trap erronous use of freed list_heads. Unfortunately
+userspace can arrange for those pointers to actually be dereferencable,
+potentially turning an oops to an expolit.
+
+To avoid this allow architectures (currently x86_64 only) to override
+the default values for these pointers with truly-undereferencable values.
+This is easy on x86_64 as the virtual address space is large and contains
+areas that cannot be mapped.
+
+Other 64-bit architectures will likely find similar unmapped ranges.
+
+[ingo: switch to 0xdead000000000000 as the unmapped area]
+[ingo: add comments, cleanup]
+[jaswinder: eliminate sparse warnings]
+
+Acked-by: Linus Torvalds
+Signed-off-by: Jaswinder Singh Rajput
+Signed-off-by: Ingo Molnar
+Signed-off-by: Avi Kivity
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/Kconfig | 5 +++++
+ include/linux/poison.h | 16 ++++++++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1236,6 +1236,11 @@ config ARCH_MEMORY_PROBE
+ def_bool X86_64
+ depends on MEMORY_HOTPLUG
+
++config ILLEGAL_POINTER_VALUE
++ hex
++ default 0 if X86_32
++ default 0xdead000000000000 if X86_64
++
+ source "mm/Kconfig"
+
+ config HIGHPTE
+--- a/include/linux/poison.h
++++ b/include/linux/poison.h
+@@ -2,13 +2,25 @@
+ #define _LINUX_POISON_H
+
+ /********** include/linux/list.h **********/
++
++/*
++ * Architectures might want to move the poison pointer offset
++ * into some well-recognized area such as 0xdead000000000000,
++ * that is also not mappable by user-space exploits:
++ */
++#ifdef CONFIG_ILLEGAL_POINTER_VALUE
++# define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL)
++#else
++# define POISON_POINTER_DELTA 0
++#endif
++
+ /*
+ * These are non-NULL pointers that will result in page faults
+ * under normal circumstances, used to verify that nobody uses
+ * non-initialized list entries.
+ */
+-#define LIST_POISON1 ((void *) 0x00100100)
+-#define LIST_POISON2 ((void *) 0x00200200)
++#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
++#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
+
+ /********** include/linux/timer.h **********/
+ /*
diff --git a/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch b/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
index 2486a20544c..8dc7a9a6f81 100644
--- a/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
+++ b/queue-2.6.32/hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
@@ -38,7 +38,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/include/linux/poison.h +++ b/include/linux/poison.h -@@ -36,6 +36,15 @@ +@@ -48,6 +48,15 @@ #define POISON_FREE 0x6b /* for use-after-free poisoning */ #define POISON_END 0xa5 /* end-byte of poisoning */
diff --git a/queue-2.6.32/memcg-fix-prepare-migration.patch b/queue-2.6.32/memcg-fix-prepare-migration.patch
index 040d652f41f..a16dab06bc1 100644
--- a/queue-2.6.32/memcg-fix-prepare-migration.patch
+++ b/queue-2.6.32/memcg-fix-prepare-migration.patch
@@ -44,7 +44,7 @@ Signed-off-by: Greg Kroah-Hartman
 + *ptr = mem;
 if (mem) {
 - ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false,
-+ ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false
++ ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false,
 page);
 css_put(&mem->css);
 }
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 85e1b0c4388..0a64af83579 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
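Review bot: The new `config ILLEGAL_POINTER_VALUE` entry in the Kconfig half of the added patch has no help text or comment, so nothing in arch/x86/Kconfig says what the value is for or why 0xdead000000000000 was picked; the rationale lives only in the poison.h comment and the commit message. I would put a comment above the entry, e.g. `# Offset folded into LIST_POISON1/2 (see include/linux/poison.h) so poisoned list pointers land in a range user space cannot map`. The `default 0 if X86_32` line also deserves a word, since a zero delta keeps the original 0x00100100/0x00200200 values on 32-bit, which the description says are only addressed for x86_64 here. On the poison.h side, `_AC()` is used without the hunk adding an include for it; presumably it is reached transitively in 2.6.32, but that is worth confirming since poison.h is included widely.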
@@ -9,6 +9,7 @@ w1-w1-temp-fix-negative-termperature-calculation.patch
 memcg-fix-prepare-migration.patch
 mac80211-remove-bogus-tx-agg-state-assignment.patch
 flex_array-fix-the-panic-when-calling-flex_array_alloc-without-__gfp_zero.patch
+core-x86-make-list_poison-less-deadly.patch
 hugetlb-fix-infinite-loop-in-get_futex_key-when-backed-by-huge-pages.patch
 reiserfs-fix-permissions-on-.reiserfs_priv.patch
 reiserfs-fix-corruption-during-shrinking-of-xattrs.patch
-- 
2.47.3