From fe27c4d03fe59763907641bde89ce42803a9954a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 23 May 2012 22:10:00 -0700
Subject: [PATCH] 3.0-stable patches

added patches:
	isdn-gigaset-ratelimit-capi-message-dumps.patch
	vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
---
 ...gigaset-ratelimit-capi-message-dumps.patch |  85 ++++++++++++++
 queue-3.0/series                              |   2 +
 ...e-proper-rw_verify_area-area-helpers.patch | 106 ++++++++++++++++++
 3 files changed, 193 insertions(+)
 create mode 100644 queue-3.0/isdn-gigaset-ratelimit-capi-message-dumps.patch
 create mode 100644 queue-3.0/vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch

diff --git a/queue-3.0/isdn-gigaset-ratelimit-capi-message-dumps.patch b/queue-3.0/isdn-gigaset-ratelimit-capi-message-dumps.patch
new file mode 100644
index 00000000000..1d3a0afdeef
--- /dev/null
+++ b/queue-3.0/isdn-gigaset-ratelimit-capi-message-dumps.patch
@@ -0,0 +1,85 @@
+From 8e618aad5348b6e6c5a90e8d97ea643197963b20 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt <tilman@imap.cc>
+Date: Wed, 25 Apr 2012 13:02:19 +0000
+Subject: isdn/gigaset: ratelimit CAPI message dumps
+
+From: Tilman Schmidt <tilman@imap.cc>
+
+commit 8e618aad5348b6e6c5a90e8d97ea643197963b20 upstream.
+
+Introduce a global ratelimit for CAPI message dumps to protect
+against possible log flood.
+Drop the ratelimit for ignored messages which is now covered by the
+global one.
+
+Signed-off-by: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/gigaset/capi.c |   22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/drivers/isdn/gigaset/capi.c
++++ b/drivers/isdn/gigaset/capi.c
+@@ -14,6 +14,7 @@
+ #include "gigaset.h"
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
++#include <linux/ratelimit.h>
+ #include <linux/isdn/capilli.h>
+ #include <linux/isdn/capicmd.h>
+ #include <linux/isdn/capiutil.h>
+@@ -222,10 +223,14 @@ get_appl(struct gigaset_capi_ctr *iif, u
+ static inline void dump_cmsg(enum debuglevel level, const char *tag, _cmsg *p)
+ {
+ #ifdef CONFIG_GIGASET_DEBUG
++	/* dump at most 20 messages in 20 secs */
++	static DEFINE_RATELIMIT_STATE(msg_dump_ratelimit, 20 * HZ, 20);
+ 	_cdebbuf *cdb;
+ 
+ 	if (!(gigaset_debuglevel & level))
+ 		return;
++	if (!___ratelimit(&msg_dump_ratelimit, tag))
++		return;
+ 
+ 	cdb = capi_cmsg2str(p);
+ 	if (cdb) {
+@@ -2058,12 +2063,6 @@ static void do_reset_b3_req(struct gigas
+ }
+ 
+ /*
+- * dump unsupported/ignored messages at most twice per minute,
+- * some apps send those very frequently
+- */
+-static unsigned long ignored_msg_dump_time;
+-
+-/*
+  * unsupported CAPI message handler
+  */
+ static void do_unsupported(struct gigaset_capi_ctr *iif,
+@@ -2072,8 +2071,7 @@ static void do_unsupported(struct gigase
+ {
+ 	/* decode message */
+ 	capi_message2cmsg(&iif->acmsg, skb->data);
+-	if (printk_timed_ratelimit(&ignored_msg_dump_time, 30 * 1000))
+-		dump_cmsg(DEBUG_CMD, __func__, &iif->acmsg);
++	dump_cmsg(DEBUG_CMD, __func__, &iif->acmsg);
+ 	send_conf(iif, ap, skb, CapiMessageNotSupportedInCurrentState);
+ }
+ 
+@@ -2084,11 +2082,9 @@ static void do_nothing(struct gigaset_ca
+ 		       struct gigaset_capi_appl *ap,
+ 		       struct sk_buff *skb)
+ {
+-	if (printk_timed_ratelimit(&ignored_msg_dump_time, 30 * 1000)) {
+-		/* decode message */
+-		capi_message2cmsg(&iif->acmsg, skb->data);
+-		dump_cmsg(DEBUG_CMD, __func__, &iif->acmsg);
+-	}
++	/* decode message */
++	capi_message2cmsg(&iif->acmsg, skb->data);
++	dump_cmsg(DEBUG_CMD, __func__, &iif->acmsg);
+ 	dev_kfree_skb_any(skb);
+ }
+ 
diff --git a/queue-3.0/series b/queue-3.0/series
index 6e12eff2f87..54e8ef14bc9 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -4,3 +4,5 @@ block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch
 parisc-fix-pa1.1-oops-on-boot.patch
 parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch
 parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
+isdn-gigaset-ratelimit-capi-message-dumps.patch
+vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
diff --git a/queue-3.0/vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch b/queue-3.0/vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
new file mode 100644
index 00000000000..caa5f127943
--- /dev/null
+++ b/queue-3.0/vfs-make-aio-use-the-proper-rw_verify_area-area-helpers.patch
@@ -0,0 +1,106 @@
+From a70b52ec1aaeaf60f4739edb1b422827cb6f3893 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 21 May 2012 16:06:20 -0700
+Subject: vfs: make AIO use the proper rw_verify_area() area helpers
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a70b52ec1aaeaf60f4739edb1b422827cb6f3893 upstream.
+
+We had for some reason overlooked the AIO interface, and it didn't use
+the proper rw_verify_area() helper function that checks (for example)
+mandatory locking on the file, and that the size of the access doesn't
+cause us to overflow the provided offset limits etc.
+
+Instead, AIO did just the security_file_permission() thing (that
+rw_verify_area() also does) directly.
+
+This fixes it to do all the proper helper functions, which not only
+means that now mandatory file locking works with AIO too, we can
+actually remove lines of code.
+
+Reported-by: Manish Honap <manish_honap_vit@yahoo.co.in>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c |   30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1395,6 +1395,10 @@ static ssize_t aio_setup_vectored_rw(int
+ 	if (ret < 0)
+ 		goto out;
+ 
++	ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
++	if (ret < 0)
++		goto out;
++
+ 	kiocb->ki_nr_segs = kiocb->ki_nbytes;
+ 	kiocb->ki_cur_seg = 0;
+ 	/* ki_nbytes/left now reflect bytes instead of segs */
+@@ -1406,11 +1410,17 @@ out:
+ 	return ret;
+ }
+ 
+-static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
++static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
+ {
++	int bytes;
++
++	bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
++	if (bytes < 0)
++		return bytes;
++
+ 	kiocb->ki_iovec = &kiocb->ki_inline_vec;
+ 	kiocb->ki_iovec->iov_base = kiocb->ki_buf;
+-	kiocb->ki_iovec->iov_len = kiocb->ki_left;
++	kiocb->ki_iovec->iov_len = bytes;
+ 	kiocb->ki_nr_segs = 1;
+ 	kiocb->ki_cur_seg = 0;
+ 	return 0;
+@@ -1435,10 +1445,7 @@ static ssize_t aio_setup_iocb(struct kio
+ 		if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
+ 			kiocb->ki_left)))
+ 			break;
+-		ret = security_file_permission(file, MAY_READ);
+-		if (unlikely(ret))
+-			break;
+-		ret = aio_setup_single_vector(kiocb);
++		ret = aio_setup_single_vector(READ, file, kiocb);
+ 		if (ret)
+ 			break;
+ 		ret = -EINVAL;
+@@ -1453,10 +1460,7 @@ static ssize_t aio_setup_iocb(struct kio
+ 		if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
+ 			kiocb->ki_left)))
+ 			break;
+-		ret = security_file_permission(file, MAY_WRITE);
+-		if (unlikely(ret))
+-			break;
+-		ret = aio_setup_single_vector(kiocb);
++		ret = aio_setup_single_vector(WRITE, file, kiocb);
+ 		if (ret)
+ 			break;
+ 		ret = -EINVAL;
+@@ -1467,9 +1471,6 @@ static ssize_t aio_setup_iocb(struct kio
+ 		ret = -EBADF;
+ 		if (unlikely(!(file->f_mode & FMODE_READ)))
+ 			break;
+-		ret = security_file_permission(file, MAY_READ);
+-		if (unlikely(ret))
+-			break;
+ 		ret = aio_setup_vectored_rw(READ, kiocb, compat);
+ 		if (ret)
+ 			break;
+@@ -1481,9 +1482,6 @@ static ssize_t aio_setup_iocb(struct kio
+ 		ret = -EBADF;
+ 		if (unlikely(!(file->f_mode & FMODE_WRITE)))
+ 			break;
+-		ret = security_file_permission(file, MAY_WRITE);
+-		if (unlikely(ret))
+-			break;
+ 		ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
+ 		if (ret)
+ 			break;
-- 
2.47.3