--- /dev/null
+From 10022a6c66e199d8f61d9044543f38785713cbbd Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 20 Apr 2011 01:57:15 +0000
+Subject: can: add missing socket check in can/raw release
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 10022a6c66e199d8f61d9044543f38785713cbbd upstream.
+
+v2: added space after 'if' according code style.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Thanks to Dave Jones pointing at this issue in net/can/bcm.c
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
+ static int raw_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct raw_sock *ro = raw_sk(sk);
++ struct raw_sock *ro;
++
++ if (!sk)
++ return 0;
++
++ ro = raw_sk(sk);
+
+ unregister_netdevice_notifier(&ro->notifier);
+
--- /dev/null
+From c055f5b2614b4f758ae6cc86733f31fa4c2c5844 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@suse.de>
+Date: Sun, 1 May 2011 09:42:07 -0500
+Subject: [SCSI] fix oops in scsi_run_queue()
+
+From: James Bottomley <James.Bottomley@suse.de>
+
+commit c055f5b2614b4f758ae6cc86733f31fa4c2c5844 upstream.
+
+The recent commit closing the race window in device teardown:
+
+commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b
+Author: James Bottomley <James.Bottomley@suse.de>
+Date: Fri Apr 22 10:39:59 2011 -0500
+
+ [SCSI] put stricter guards on queue dead checks
+
+is causing a potential NULL deref in scsi_run_queue() because the
+q->queuedata may already be NULL by the time this function is called.
+Since we shouldn't be running a queue that is being torn down, simply
+add a NULL check in scsi_run_queue() to forestall this.
+
+Tested-by: Jim Schutt <jaschut@sandia.gov>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_lib.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -400,10 +400,15 @@ static inline int scsi_host_is_busy(stru
+ static void scsi_run_queue(struct request_queue *q)
+ {
+ struct scsi_device *sdev = q->queuedata;
+- struct Scsi_Host *shost = sdev->host;
++ struct Scsi_Host *shost;
+ LIST_HEAD(starved_list);
+ unsigned long flags;
+
++ /* if the device is dead, sdev will be NULL, so no queue to run */
++ if (!sdev)
++ return;
++
++ shost = sdev->host;
+ if (scsi_target(sdev)->single_lun)
+ scsi_single_lun_run(sdev);
+
--- /dev/null
+From a1fde08c74e90accd62d4cfdbf580d2ede938fe7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 4 May 2011 21:30:28 -0700
+Subject: VM: skip the stack guard page lookup in get_user_pages only for mlock
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1fde08c74e90accd62d4cfdbf580d2ede938fe7 upstream.
+
+The logic in __get_user_pages() used to skip the stack guard page lookup
+whenever the caller wasn't interested in seeing what the actual page
+was. But Michel Lespinasse points out that there are cases where we
+don't care about the physical page itself (so 'pages' may be NULL), but
+do want to make sure a page is mapped into the virtual address space.
+
+So using the existence of the "pages" array as an indication of whether
+to look up the guard page or not isn't actually so great, and we really
+should just use the FOLL_MLOCK bit. But because that bit was only set
+for the VM_LOCKED case (and not all vma's necessarily have it, even for
+mlock()), we couldn't do that originally.
+
+Fix that by moving the VM_LOCKED check deeper into the call-chain, which
+actually simplifies many things. Now mlock() gets simpler, and we can
+also check for FOLL_MLOCK in __get_user_pages() and the code ends up
+much more straightforward.
+
+Reported-and-reviewed-by: Michel Lespinasse <walken@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/memory.c | 7 +++----
+ mm/mlock.c | 5 +----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1359,7 +1359,7 @@ split_fallthrough:
+ */
+ mark_page_accessed(page);
+ }
+- if (flags & FOLL_MLOCK) {
++ if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
+ /*
+ * The preliminary mapping check is mainly to avoid the
+ * pointless overhead of lock_page on the ZERO_PAGE
+@@ -1503,10 +1503,9 @@ int __get_user_pages(struct task_struct
+ }
+
+ /*
+- * If we don't actually want the page itself,
+- * and it's the stack guard page, just skip it.
++ * For mlock, just skip the stack guard page.
+ */
+- if (!pages && stack_guard_page(vma, start))
++ if ((gup_flags & FOLL_MLOCK) && stack_guard_page(vma, start))
+ goto next_page;
+
+ do {
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -162,7 +162,7 @@ static long __mlock_vma_pages_range(stru
+ VM_BUG_ON(end > vma->vm_end);
+ VM_BUG_ON(!rwsem_is_locked(&mm->mmap_sem));
+
+- gup_flags = FOLL_TOUCH;
++ gup_flags = FOLL_TOUCH | FOLL_MLOCK;
+ /*
+ * We want to touch writable mappings with a write fault in order
+ * to break COW, except for shared mappings because these don't COW
+@@ -178,9 +178,6 @@ static long __mlock_vma_pages_range(stru
+ if (vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC))
+ gup_flags |= FOLL_FORCE;
+
+- if (vma->vm_flags & VM_LOCKED)
+- gup_flags |= FOLL_MLOCK;
+-
+ return __get_user_pages(current, mm, addr, nr_pages, gup_flags,
+ NULL, NULL, nonblocking);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
