3.1 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Thu, 22 Dec 2011 20:46:07 +0000 (12:46 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 22 Dec 2011 20:46:07 +0000 (12:46 -0800)
added patches:
nfs-fix-a-regression-in-nfs_file_llseek.patch
nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
oom-fix-integer-overflow-of-points-in-oom_badness.patch
oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch

queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch [new file with mode: 0644]
queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch [new file with mode: 0644]
queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch [new file with mode: 0644]
queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch [new file with mode: 0644]
queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch [new file with mode: 0644]
queue-3.1/series
queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch [new file with mode: 0644]

diff --git a/queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch b/queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch
new file mode 100644 (file)
index 0000000..a3b7f87
--- /dev/null
@@ -0,0 +1,34 @@
+From 6c52961743f38747401b47127b82159ab6d8a7a4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 15 Dec 2011 18:38:10 -0500
+Subject: NFS: Fix a regression in nfs_file_llseek()
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 6c52961743f38747401b47127b82159ab6d8a7a4 upstream.
+
+After commit 06222e491e663dac939f04b125c9dc52126a75c4 (fs: handle
+SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek)
+the behaviour of llseek() was changed so that it always revalidates
+the file size. The bug appears to be due to a logic error in the
+afore-mentioned commit, which always evaluates to 'true'.
+
+Reported-by: Roel Kluin <roel.kluin@gmail.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -191,7 +191,7 @@ static loff_t nfs_file_llseek(struct fil
+        * origin == SEEK_END || SEEK_DATA || SEEK_HOLE => we must revalidate
+        * the cached file length
+        */
+-      if (origin != SEEK_SET || origin != SEEK_CUR) {
++      if (origin != SEEK_SET && origin != SEEK_CUR) {
+               struct inode *inode = filp->f_mapping->host;
+               int retval = nfs_revalidate_file_size(inode, filp);
diff --git a/queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch b/queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
new file mode 100644 (file)
index 0000000..b2450bc
--- /dev/null
@@ -0,0 +1,42 @@
+From 111d489f0fb431f4ae85d96851fbf8d3248c09d8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 1 Dec 2011 16:37:42 -0500
+Subject: NFSv4.1: Ensure that we handle _all_ SEQUENCE status bits.
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 111d489f0fb431f4ae85d96851fbf8d3248c09d8 upstream.
+
+Currently, the code assumes that the SEQUENCE status bits are mutually
+exclusive. They are not...
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4state.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1525,16 +1525,16 @@ void nfs41_handle_sequence_flag_errors(s
+ {
+       if (!flags)
+               return;
+-      else if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
++      if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
+               nfs41_handle_server_reboot(clp);
+-      else if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
++      if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
+                           SEQ4_STATUS_EXPIRED_SOME_STATE_REVOKED |
+                           SEQ4_STATUS_ADMIN_STATE_REVOKED |
+                           SEQ4_STATUS_LEASE_MOVED))
+               nfs41_handle_state_revoked(clp);
+-      else if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
++      if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
+               nfs41_handle_recallable_state_revoked(clp);
+-      else if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
++      if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
+                           SEQ4_STATUS_BACKCHANNEL_FAULT |
+                           SEQ4_STATUS_CB_PATH_DOWN_SESSION))
+               nfs41_handle_cb_path_down(clp);
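Review bot: With the `else` keywords removed, more than one handler can now run for a single SEQUENCE reply, for example nfs41_handle_server_reboot() followed by nfs41_handle_state_revoked() when both bit groups are set. The handlers are not shown on this page, so whether they are safe to run back to back on the same `clp` should be checked. A comment before the first test, such as `/* status bits are not mutually exclusive: test every group */`, would stop a later cleanup from re-introducing the else-if chain. The end of nfs41_handle_sequence_flag_errors() lies outside the hunk.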
diff --git a/queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch b/queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch
new file mode 100644 (file)
index 0000000..aeaa787
--- /dev/null
@@ -0,0 +1,64 @@
+From ff05b6f7ae762b6eb464183eec994b28ea09f6dd Mon Sep 17 00:00:00 2001
+From: Frantisek Hrbata <fhrbata@redhat.com>
+Date: Mon, 19 Dec 2011 17:11:59 -0800
+Subject: oom: fix integer overflow of points in oom_badness
+
+From: Frantisek Hrbata <fhrbata@redhat.com>
+
+commit ff05b6f7ae762b6eb464183eec994b28ea09f6dd upstream.
+
+An integer overflow will happen on 64bit archs if task's sum of rss,
+swapents and nr_ptes exceeds (2^31)/1000 value.  This was introduced by
+commit
+
+f755a04 oom: use pte pages in OOM score
+
+where the oom score computation was divided into several steps and it's no
+longer computed as one expression in unsigned long(rss, swapents, nr_pte
+are unsigned long), where the result value assigned to points(int) is in
+range(1..1000).  So there could be an int overflow while computing
+
+176          points *= 1000;
+
+and points may have negative value. Meaning the oom score for a mem hog task
+will be one.
+
+196          if (points <= 0)
+197                  return 1;
+
+For example:
+[ 3366]     0  3366 35390480 24303939   5       0             0 oom01
+Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child
+
+Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
+memory, but it's oom score is one.
+
+In this situation the mem hog task is skipped and oom killer kills another and
+most probably innocent task with oom score greater than one.
+
+The points variable should be of type long instead of int to prevent the
+int overflow.
+
+Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
+Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/oom_kill.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct t
+ unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
+                     const nodemask_t *nodemask, unsigned long totalpages)
+ {
+-      int points;
++      long points;
+       if (oom_unkillable_task(p, mem, nodemask))
+               return 0;
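Review bot: Widening `points` to `long` removes the overflow only where `long` is 64 bits; on a 32-bit build `long` has the same width as `int`, so the `points *= 1000` step quoted in the description presumably stays in range there only because of how much memory one task can map, which this page does not show. The function still returns `unsigned int`, so the reasoning is worth a comment at the declaration, for example `/* long: points *= 1000 must not wrap for a task with a very large rss */`. A wrapped score lets the real memory hog escape the OOM killer while another task is killed, so the invariant deserves to be written down. The body of oom_badness() continues outside the hunk.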
diff --git a/queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch b/queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
new file mode 100644 (file)
index 0000000..7245021
--- /dev/null
@@ -0,0 +1,113 @@
+From 913050b91eb94f194392dd797b1ff3779f606ac0 Mon Sep 17 00:00:00 2001
+From: Robert Richter <robert.richter@amd.com>
+Date: Mon, 19 Dec 2011 16:38:30 +0100
+Subject: oprofile: Fix uninitialized memory access when writing to writing to oprofilefs
+
+From: Robert Richter <robert.richter@amd.com>
+
+commit 913050b91eb94f194392dd797b1ff3779f606ac0 upstream.
+
+If oprofilefs_ulong_from_user() is called with count equals
+zero, *val remains unchanged. Depending on the implementation it
+might be uninitialized.
+
+Change oprofilefs_ulong_from_user()'s interface to return count
+on success. Thus, we are able to return early if count equals
+zero which avoids using *val uninitialized. Fixing all users of
+oprofilefs_ulong_ from_user().
+
+This follows write syscall implementation when count is zero:
+"If count is zero ... [and if] no errors are detected, 0 will be
+returned without causing any other effect." (man 2 write)
+
+Reported-By: Mike Waychison <mikew@google.com>
+Signed-off-by: Robert Richter <robert.richter@amd.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: oprofile-list <oprofile-list@lists.sourceforge.net>
+Link: http://lkml.kernel.org/r/20111219153830.GH16765@erda.amd.com
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/oprofile/init.c         |    2 +-
+ drivers/oprofile/oprofile_files.c |    7 ++++---
+ drivers/oprofile/oprofilefs.c     |   11 +++++++++--
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/oprofile/init.c
++++ b/arch/s390/oprofile/init.c
+@@ -88,7 +88,7 @@ static ssize_t hwsampler_write(struct fi
+               return -EINVAL;
+       retval = oprofilefs_ulong_from_user(&val, buf, count);
+-      if (retval)
++      if (retval <= 0)
+               return retval;
+       if (oprofile_started)
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -45,7 +45,7 @@ static ssize_t timeout_write(struct file
+               return -EINVAL;
+       retval = oprofilefs_ulong_from_user(&val, buf, count);
+-      if (retval)
++      if (retval <= 0)
+               return retval;
+       retval = oprofile_set_timeout(val);
+@@ -84,7 +84,7 @@ static ssize_t depth_write(struct file *
+               return -EINVAL;
+       retval = oprofilefs_ulong_from_user(&val, buf, count);
+-      if (retval)
++      if (retval <= 0)
+               return retval;
+       retval = oprofile_set_ulong(&oprofile_backtrace_depth, val);
+@@ -141,9 +141,10 @@ static ssize_t enable_write(struct file
+               return -EINVAL;
+       retval = oprofilefs_ulong_from_user(&val, buf, count);
+-      if (retval)
++      if (retval <= 0)
+               return retval;
++      retval = 0;
+       if (val)
+               retval = oprofile_start();
+       else
+--- a/drivers/oprofile/oprofilefs.c
++++ b/drivers/oprofile/oprofilefs.c
+@@ -60,6 +60,13 @@ ssize_t oprofilefs_ulong_to_user(unsigne
+ }
++/*
++ * Note: If oprofilefs_ulong_from_user() returns 0, then *val remains
++ * unchanged and might be uninitialized. This follows write syscall
++ * implementation when count is zero: "If count is zero ... [and if]
++ * no errors are detected, 0 will be returned without causing any
++ * other effect." (man 2 write)
++ */
+ int oprofilefs_ulong_from_user(unsigned long *val, char const __user *buf, size_t count)
+ {
+       char tmpbuf[TMPBUFSIZE];
+@@ -79,7 +86,7 @@ int oprofilefs_ulong_from_user(unsigned
+       spin_lock_irqsave(&oprofilefs_lock, flags);
+       *val = simple_strtoul(tmpbuf, NULL, 0);
+       spin_unlock_irqrestore(&oprofilefs_lock, flags);
+-      return 0;
++      return count;
+ }
+@@ -99,7 +106,7 @@ static ssize_t ulong_write_file(struct f
+               return -EINVAL;
+       retval = oprofilefs_ulong_from_user(&value, buf, count);
+-      if (retval)
++      if (retval <= 0)
+               return retval;
+       retval = oprofile_set_ulong(file->private_data, value);
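Review bot: oprofilefs_ulong_from_user() still returns `int` while the new `return count;` hands back a `size_t`, and the added comment documents only the zero case. The narrowing is harmless only if `count` is bounded earlier in the function, presumably in the lines between the two oprofilefs.c hunks that are not shown. I would extend the comment with the full contract, e.g. `Returns count on success, 0 if count is zero (*val untouched), or a negative errno.` Any caller left with the old `if (retval)` test would now return early on success without applying the value, and the page cannot confirm that the five callers changed here are all of them.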
diff --git a/queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch b/queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
new file mode 100644 (file)
index 0000000..ed167b2
--- /dev/null
@@ -0,0 +1,63 @@
+From 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 13 Dec 2011 14:49:04 +0000
+Subject: SELinux: Fix RCU deref check warning in sel_netport_insert()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 upstream.
+
+Fix the following bug in sel_netport_insert() where rcu_dereference() should
+be rcu_dereference_protected() as sel_netport_lock is held.
+
+===================================================
+[ INFO: suspicious rcu_dereference_check() usage. ]
+---------------------------------------------------
+security/selinux/netport.c:127 invoked rcu_dereference_check() without protection!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 1, debug_locks = 0
+1 lock held by ossec-rootcheck/3323:
+ #0:  (sel_netport_lock){+.....}, at: [<ffffffff8117d775>] sel_netport_sid+0xbb/0x226
+
+stack backtrace:
+Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095
+Call Trace:
+ [<ffffffff8105cfb7>] lockdep_rcu_dereference+0xa7/0xb0
+ [<ffffffff8117d871>] sel_netport_sid+0x1b7/0x226
+ [<ffffffff8117d6ba>] ? sel_netport_avc_callback+0xbc/0xbc
+ [<ffffffff8117556c>] selinux_socket_bind+0x115/0x230
+ [<ffffffff810a5388>] ? might_fault+0x4e/0x9e
+ [<ffffffff810a53d1>] ? might_fault+0x97/0x9e
+ [<ffffffff81171cf4>] security_socket_bind+0x11/0x13
+ [<ffffffff812ba967>] sys_bind+0x56/0x95
+ [<ffffffff81380dac>] ? sysret_check+0x27/0x62
+ [<ffffffff8105b767>] ? trace_hardirqs_on_caller+0x11e/0x155
+ [<ffffffff81076fcd>] ? audit_syscall_entry+0x17b/0x1ae
+ [<ffffffff811b5eae>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff81380d7b>] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/netport.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/netport.c
++++ b/security/selinux/netport.c
+@@ -123,7 +123,9 @@ static void sel_netport_insert(struct se
+       if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
+               struct sel_netport *tail;
+               tail = list_entry(
+-                      rcu_dereference(sel_netport_hash[idx].list.prev),
++                      rcu_dereference_protected(
++                              sel_netport_hash[idx].list.prev,
++                              lockdep_is_held(&sel_netport_lock)),
+                       struct sel_netport, list);
+               list_del_rcu(&tail->list);
+               kfree_rcu(tail, rcu);
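Review bot: The locking requirement of sel_netport_insert() is now stated only through `lockdep_is_held(&sel_netport_lock)`, which is evaluated only on kernels built with lockdep's RCU checking. A line in the function's header comment, such as `The caller must hold sel_netport_lock.`, would keep the rule visible on ordinary builds. The function starts and ends outside the hunk, so an existing comment may already say this.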
index 096bf3721ccd923018636ef03923fa8d4e8e346d..70ef70c1e44ace970b38b809565172c06e75e2ac 100644 (file)
@@ -20,3 +20,9 @@ input-synaptics-fix-touchpad-not-working-after-s2r-on-vostro-v13.patch
 percpu-fix-per_cpu_ptr_to_phys-handling-of-non-page-aligned-addresses.patch
 ib-mlx4-fix-shutdown-crash-accessing-a-non-existent-bitmap.patch
 binary_sysctl-fix-memory-leak.patch
+oom-fix-integer-overflow-of-points-in-oom_badness.patch
+oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
+sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
+nfs-fix-a-regression-in-nfs_file_llseek.patch
+nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
+selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
diff --git a/queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch b/queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
new file mode 100644 (file)
index 0000000..089ec90
--- /dev/null
@@ -0,0 +1,40 @@
+From c25573b5134294c0be82bfaecc6d08136835b271 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Thu, 1 Dec 2011 14:16:17 -0500
+Subject: SUNRPC: Ensure we always bump the backlog queue in xprt_free_slot
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit c25573b5134294c0be82bfaecc6d08136835b271 upstream.
+
+Whenever we free a slot, we know that the resulting xprt->num_reqs will
+be less than xprt->max_reqs, so we know that we can release at least one
+backlogged rpc_task.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/xprt.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -995,13 +995,11 @@ out_init_req:
+ static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
+ {
+-      if (xprt_dynamic_free_slot(xprt, req))
+-              return;
+-
+-      memset(req, 0, sizeof(*req));   /* mark unused */
+-
+       spin_lock(&xprt->reserve_lock);
+-      list_add(&req->rq_list, &xprt->free);
++      if (!xprt_dynamic_free_slot(xprt, req)) {
++              memset(req, 0, sizeof(*req));   /* mark unused */
++              list_add(&req->rq_list, &xprt->free);
++      }
+       rpc_wake_up_next(&xprt->backlog);
+       spin_unlock(&xprt->reserve_lock);
+ }
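Review bot: xprt_dynamic_free_slot() is now called with `xprt->reserve_lock` held, whereas before it ran ahead of `spin_lock()`. Its body is not on this page, so it should be confirmed that it neither sleeps nor takes reserve_lock itself. When it returns true `req` is presumably already freed, and the new code correctly leaves it untouched on that path. A short comment above the wake-up, e.g. `/* a slot was released either way, so one backlogged task can proceed */`, would record why rpc_wake_up_next() is now unconditional.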