From d14a79af20075b4fb0e204aa2d7ca292545164d2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 22 Jun 2017 08:52:55 +0800
Subject: [PATCH] 3.18-stable patches

added patches:
allow-stack-to-grow-up-to-address-space-limit.patch
mm-fix-new-crash-in-unmapped_area_topdown.patch
---
 ...ck-to-grow-up-to-address-space-limit.patch | 49 ++++++++++++++++++
 ...x-new-crash-in-unmapped_area_topdown.patch | 50 +++++++++++++++++++
 queue-3.18/series | 2 +
 3 files changed, 101 insertions(+)
 create mode 100644 queue-3.18/allow-stack-to-grow-up-to-address-space-limit.patch
 create mode 100644 queue-3.18/mm-fix-new-crash-in-unmapped_area_topdown.patch

diff --git a/queue-3.18/allow-stack-to-grow-up-to-address-space-limit.patch b/queue-3.18/allow-stack-to-grow-up-to-address-space-limit.patch
new file mode 100644
index 00000000000..91a0f320ff1
--- /dev/null
+++ b/queue-3.18/allow-stack-to-grow-up-to-address-space-limit.patch
@@ -0,0 +1,49 @@
+From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Mon, 19 Jun 2017 17:34:05 +0200
+Subject: Allow stack to grow up to address space limit
+
+From: Helge Deller
+
+commit bd726c90b6b8ce87602208701b208a208e6d5600 upstream.
+
+Fix expand_upwards() on architectures with an upward-growing stack (parisc,
+metag and partly IA-64) to allow the stack to reliably grow exactly up to
+the address space limit given by TASK_SIZE.
+
+Signed-off-by: Helge Deller
+Acked-by: Hugh Dickins
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mmap.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2175,16 +2175,19 @@ int expand_upwards(struct vm_area_struct
+ if (!(vma->vm_flags & VM_GROWSUP))
+ return -EFAULT;
+ 
+- /* Guard against wrapping around to address 0. */
++ /* Guard against exceeding limits of the address space. */
+ address &= PAGE_MASK;
+- address += PAGE_SIZE;
+- if (!address)
++ if (address >= TASK_SIZE)
+ return -ENOMEM;
++ address += PAGE_SIZE;
+ 
+ /* Enforce stack_guard_gap */
+ gap_addr = address + stack_guard_gap;
+- if (gap_addr < address)
+- return -ENOMEM;
++ 
++ /* Guard against overflow */
++ if (gap_addr < address || gap_addr > TASK_SIZE)
++ gap_addr = TASK_SIZE;
++ 
+ next = vma->vm_next;
+ if (next && next->vm_start < gap_addr) {
+ if (!(next->vm_flags & VM_GROWSUP))
diff --git a/queue-3.18/mm-fix-new-crash-in-unmapped_area_topdown.patch b/queue-3.18/mm-fix-new-crash-in-unmapped_area_topdown.patch
new file mode 100644
index 00000000000..134e83b0bbe
--- /dev/null
+++ b/queue-3.18/mm-fix-new-crash-in-unmapped_area_topdown.patch
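Review bot: The new `/* Guard against overflow */` comment above the clamp names only half of what the clamp does: `gap_addr > TASK_SIZE` is not an overflow but the stack top plus guard gap reaching past the end of the address space, and in both cases gap_addr is pinned to TASK_SIZE so that the following `next->vm_start < gap_addr` test treats any next mapping as lying inside the gap. A comment such as `/* Clamp the gap at TASK_SIZE: on wrap-around or past the address space limit, any following vma counts as inside the guard gap */` would spare the next reader working that out. The `address >= TASK_SIZE` check is deliberately placed before `address += PAGE_SIZE`, which presumably relies on TASK_SIZE being page-aligned on the affected architectures; worth a short comment if that assumption is not already stated nearby. expand_upwards() begins before and continues after this hunk.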
@@ -0,0 +1,50 @@
+From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Tue, 20 Jun 2017 02:10:44 -0700
+Subject: mm: fix new crash in unmapped_area_topdown()
+
+From: Hugh Dickins
+
+commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream.
+
+Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
+mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
+end of unmapped_area_topdown(). Linus points out how MAP_FIXED
+(which does not have to respect our stack guard gap intentions)
+could result in gap_end below gap_start there. Fix that, and
+the similar case in its alternative, unmapped_area().
+
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Reported-by: Dave Jones
+Debugged-by: Linus Torvalds
+Signed-off-by: Hugh Dickins
+Acked-by: Michal Hocko
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1770,7 +1770,8 @@ check_current:
+ /* Check if current node has a suitable gap */
+ if (gap_start > high_limit)
+ return -ENOMEM;
+- if (gap_end >= low_limit && gap_end - gap_start >= length)
++ if (gap_end >= low_limit &&
++ gap_end > gap_start && gap_end - gap_start >= length)
+ goto found;
+ 
+ /* Visit right subtree if it looks promising */
+@@ -1873,7 +1874,8 @@ check_current:
+ gap_end = vm_start_gap(vma);
+ if (gap_end < low_limit)
+ return -ENOMEM;
+- if (gap_start <= high_limit && gap_end - gap_start >= length)
++ if (gap_start <= high_limit &&
++ gap_end > gap_start && gap_end - gap_start >= length)
+ goto found;
+ 
+ /* Visit left subtree if it looks promising */
diff --git a/queue-3.18/series b/queue-3.18/series
index 780af286a9c..f12ace52d1c 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
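Review bot: The added `gap_end > gap_start` test in both check_current blocks carries no comment, and the only explanation of why it is needed lives in the commit message: a MAP_FIXED mapping placed inside a guard gap can leave gap_end below gap_start, so `gap_end - gap_start` (presumably unsigned long arithmetic) wraps to a huge value and the length test falsely passes before the VM_BUG_ON fires. A one-line comment above each changed condition, e.g. `/* MAP_FIXED may put a vma inside the guard gap, so gap_end can be below gap_start */`, keeps the reason next to the check. The same three-term condition now appears with identical shape in unmapped_area() and unmapped_area_topdown(); both enclosing functions begin before and continue after this hunk.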
@@ -30,3 +30,5 @@ swap-cond_resched-in-swap_cgroup_prepare.patch
 genirq-release-resources-in-__setup_irq-error-path.patch
 alarmtimer-rate-limit-periodic-intervals.patch
 mm-larger-stack-guard-gap-between-vmas.patch
+allow-stack-to-grow-up-to-address-space-limit.patch
+mm-fix-new-crash-in-unmapped_area_topdown.patch
-- 
2.47.3