From: Greg Kroah-Hartman
Date: Thu, 22 Dec 2011 20:46:07 +0000 (-0800)
Subject: 3.1 patches
X-Git-Tag: v3.0.15~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b93da5bff765f3a308d054ce7b7db1dc064564b;p=thirdparty%2Fkernel%2Fstable-queue.git

3.1 patches

added patches:
nfs-fix-a-regression-in-nfs_file_llseek.patch
nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
oom-fix-integer-overflow-of-points-in-oom_badness.patch
oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
---
diff --git a/queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch b/queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch
new file mode 100644
index 00000000000..a3b7f870516
--- /dev/null
+++ b/queue-3.1/nfs-fix-a-regression-in-nfs_file_llseek.patch
@@ -0,0 +1,34 @@
+From 6c52961743f38747401b47127b82159ab6d8a7a4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Thu, 15 Dec 2011 18:38:10 -0500
+Subject: NFS: Fix a regression in nfs_file_llseek()
+
+From: Trond Myklebust
+
+commit 6c52961743f38747401b47127b82159ab6d8a7a4 upstream.
+
+After commit 06222e491e663dac939f04b125c9dc52126a75c4 (fs: handle
+SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek)
+the behaviour of llseek() was changed so that it always revalidates
+the file size. The bug appears to be due to a logic error in the
+afore-mentioned commit, which always evaluates to 'true'.
+
+Reported-by: Roel Kluin
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -191,7 +191,7 @@ static loff_t nfs_file_llseek(struct fil
+ * origin == SEEK_END || SEEK_DATA || SEEK_HOLE => we must revalidate
+ * the cached file length
+ */
+- if (origin != SEEK_SET || origin != SEEK_CUR) {
++ if (origin != SEEK_SET && origin != SEEK_CUR) {
+ struct inode *inode = filp->f_mapping->host;
+
+ int retval = nfs_revalidate_file_size(inode, filp);
diff --git a/queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch b/queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
new file mode 100644
index 00000000000..b2450bc5cf1
--- /dev/null
+++ b/queue-3.1/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
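Review bot: The corrected test `if (origin != SEEK_SET && origin != SEEK_CUR) {` is written as an exclusion, while the comment immediately above it enumerates the three origins that require a revalidation; spelling it positively as `if (origin == SEEK_END || origin == SEEK_DATA || origin == SEEK_HOLE) {` would make code and comment say the same thing and would keep an unrecognised origin value from paying for a server round trip in nfs_revalidate_file_size() before whatever validates `origin` later rejects it. Whether an invalid origin is rejected before or after this point cannot be confirmed from the hunk, since the rest of nfs_file_llseek(), including where the revalidation result is consumed, lies outside it.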
@@ -0,0 +1,42 @@
+From 111d489f0fb431f4ae85d96851fbf8d3248c09d8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Thu, 1 Dec 2011 16:37:42 -0500
+Subject: NFSv4.1: Ensure that we handle _all_ SEQUENCE status bits.
+
+From: Trond Myklebust
+
+commit 111d489f0fb431f4ae85d96851fbf8d3248c09d8 upstream.
+
+Currently, the code assumes that the SEQUENCE status bits are mutually
+exclusive. They are not...
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4state.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1525,16 +1525,16 @@ void nfs41_handle_sequence_flag_errors(s
+ {
+ if (!flags)
+ return;
+- else if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
++ if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
+ nfs41_handle_server_reboot(clp);
+- else if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
++ if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
+ SEQ4_STATUS_EXPIRED_SOME_STATE_REVOKED |
+ SEQ4_STATUS_ADMIN_STATE_REVOKED |
+ SEQ4_STATUS_LEASE_MOVED))
+ nfs41_handle_state_revoked(clp);
+- else if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
++ if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
+ nfs41_handle_recallable_state_revoked(clp);
+- else if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
++ if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
+ SEQ4_STATUS_BACKCHANNEL_FAULT |
+ SEQ4_STATUS_CB_PATH_DOWN_SESSION))
+ nfs41_handle_cb_path_down(clp);
diff --git a/queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch b/queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch
new file mode 100644
index 00000000000..aeaa7872584
--- /dev/null
+++ b/queue-3.1/oom-fix-integer-overflow-of-points-in-oom_badness.patch
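Review bot: Dropping the `else` chain means a single SEQUENCE reply that carries, say, both SEQ4_STATUS_RESTART_RECLAIM_NEEDED and SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED now runs nfs41_handle_server_reboot() and nfs41_handle_state_revoked() back to back on the same client in this fixed order, and neither the hunk nor its description says that the recovery handlers are safe to apply cumulatively. If that ordering is deliberate it deserves a comment above the first test, e.g. `/* Status bits are not mutually exclusive: run every handler whose bit is set, reboot first. */`, so that a later reader does not reintroduce the chain as a cleanup. The function's signature is visible only in the inner hunk header and its closing brace lies outside the hunk.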
@@ -0,0 +1,64 @@
+From ff05b6f7ae762b6eb464183eec994b28ea09f6dd Mon Sep 17 00:00:00 2001
+From: Frantisek Hrbata
+Date: Mon, 19 Dec 2011 17:11:59 -0800
+Subject: oom: fix integer overflow of points in oom_badness
+
+From: Frantisek Hrbata
+
+commit ff05b6f7ae762b6eb464183eec994b28ea09f6dd upstream.
+
+An integer overflow will happen on 64bit archs if task's sum of rss,
+swapents and nr_ptes exceeds (2^31)/1000 value. This was introduced by
+commit
+
+f755a04 oom: use pte pages in OOM score
+
+where the oom score computation was divided into several steps and it's no
+longer computed as one expression in unsigned long(rss, swapents, nr_pte
+are unsigned long), where the result value assigned to points(int) is in
+range(1..1000). So there could be an int overflow while computing
+
+176 points *= 1000;
+
+and points may have negative value. Meaning the oom score for a mem hog task
+will be one.
+
+196 if (points <= 0)
+197 return 1;
+
+For example:
+[ 3366] 0 3366 35390480 24303939 5 0 0 oom01
+Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child
+
+Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
+memory, but it's oom score is one.
+
+In this situation the mem hog task is skipped and oom killer kills another and
+most probably innocent task with oom score greater than one.
+
+The points variable should be of type long instead of int to prevent the
+int overflow.
+
+Signed-off-by: Frantisek Hrbata
+Acked-by: KOSAKI Motohiro
+Acked-by: Oleg Nesterov
+Acked-by: David Rientjes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/oom_kill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct t
+ unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
+ const nodemask_t *nodemask, unsigned long totalpages)
+ {
+- int points;
++ long points;
+
+ if (oom_unkillable_task(p, mem, nodemask))
+ return 0;
diff --git a/queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch b/queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
new file mode 100644
index 00000000000..7245021357a
--- /dev/null
+++ b/queue-3.1/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
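Review bot: The only new line is `long points;`, while the multiply that overflowed (`points *= 1000`, per the description) and the `if (points <= 0) return 1;` clamp it feeds are outside this hunk, so the reason for the wider type is invisible at the declaration; a one-line comment such as `long points; /* rss+swapents+nr_ptes scaled by 1000 overflows int on 64-bit */` would tie them together. Note that `long` is the same width as `int` on 32-bit architectures, so the same product can presumably still wrap there once the page sum exceeds about 2^21 pages (roughly 8 GB with 4 KB pages); the description scopes the fix to 64-bit and the comment should say so. oom_badness() returns `unsigned int`, so the narrowing on the return path, also outside the hunk, is worth re-checking against the now wider intermediate.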
@@ -0,0 +1,113 @@
+From 913050b91eb94f194392dd797b1ff3779f606ac0 Mon Sep 17 00:00:00 2001
+From: Robert Richter
+Date: Mon, 19 Dec 2011 16:38:30 +0100
+Subject: oprofile: Fix uninitialized memory access when writing to writing to oprofilefs
+
+From: Robert Richter
+
+commit 913050b91eb94f194392dd797b1ff3779f606ac0 upstream.
+
+If oprofilefs_ulong_from_user() is called with count equals
+zero, *val remains unchanged. Depending on the implementation it
+might be uninitialized.
+
+Change oprofilefs_ulong_from_user()'s interface to return count
+on success. Thus, we are able to return early if count equals
+zero which avoids using *val uninitialized. Fixing all users of
+oprofilefs_ulong_ from_user().
+
+This follows write syscall implementation when count is zero:
+"If count is zero ... [and if] no errors are detected, 0 will be
+returned without causing any other effect." (man 2 write)
+
+Reported-By: Mike Waychison
+Signed-off-by: Robert Richter
+Cc: Andrew Morton
+Cc: oprofile-list
+Link: http://lkml.kernel.org/r/20111219153830.GH16765@erda.amd.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/oprofile/init.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 7 ++++---
+ drivers/oprofile/oprofilefs.c | 11 +++++++++--
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/oprofile/init.c
++++ b/arch/s390/oprofile/init.c
+@@ -88,7 +88,7 @@ static ssize_t hwsampler_write(struct fi
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ if (oprofile_started)
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -45,7 +45,7 @@ static ssize_t timeout_write(struct file
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_timeout(val);
+@@ -84,7 +84,7 @@ static ssize_t depth_write(struct file *
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_ulong(&oprofile_backtrace_depth, val);
+@@ -141,9 +141,10 @@ static ssize_t enable_write(struct file
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
++ retval = 0;
+ if (val)
+ retval = oprofile_start();
+ else
+--- a/drivers/oprofile/oprofilefs.c
++++ b/drivers/oprofile/oprofilefs.c
+@@ -60,6 +60,13 @@ ssize_t oprofilefs_ulong_to_user(unsigne
+ }
+
+
++/*
++ * Note: If oprofilefs_ulong_from_user() returns 0, then *val remains
++ * unchanged and might be uninitialized. This follows write syscall
++ * implementation when count is zero: "If count is zero ... [and if]
++ * no errors are detected, 0 will be returned without causing any
++ * other effect." (man 2 write)
++ */
+ int oprofilefs_ulong_from_user(unsigned long *val, char const __user *buf, size_t count)
+ {
+ char tmpbuf[TMPBUFSIZE];
+@@ -79,7 +86,7 @@ int oprofilefs_ulong_from_user(unsigned
+ spin_lock_irqsave(&oprofilefs_lock, flags);
+ *val = simple_strtoul(tmpbuf, NULL, 0);
+ spin_unlock_irqrestore(&oprofilefs_lock, flags);
+- return 0;
++ return count;
+ }
+
+
+@@ -99,7 +106,7 @@ static ssize_t ulong_write_file(struct f
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&value, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_ulong(file->private_data, value);
diff --git a/queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch b/queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
new file mode 100644
index 00000000000..ed167b24b09
--- /dev/null
+++ b/queue-3.1/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
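Review bot: oprofilefs_ulong_from_user() keeps its `int` return type while the new `return count;` hands back a `size_t`, so the success value is implicitly narrowed; that is only safe if `count` is bounded before this point (the hunk shows `char tmpbuf[TMPBUFSIZE];` but not the bound check), because every caller's new `if (retval <= 0) return retval;` would treat a value that wrapped negative as an error. Either widen the return type to `ssize_t` or state the invariant at the return, `return count; /* bounded by TMPBUFSIZE above, so it fits in int */`. The added block comment covers only the count==0 case, not the new "returns count on success" contract, and the prototype in the oprofile header is not touched by this patch, so if it carries a "returns 0 on success" description it is now stale and should be updated in the same change. Each changed caller is shown only partially; their trailing `return count`/`return retval` paths lie outside the hunk.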
@@ -0,0 +1,63 @@
+From 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 13 Dec 2011 14:49:04 +0000
+Subject: SELinux: Fix RCU deref check warning in sel_netport_insert()
+
+From: David Howells
+
+commit 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 upstream.
+
+Fix the following bug in sel_netport_insert() where rcu_dereference() should
+be rcu_dereference_protected() as sel_netport_lock is held.
+
+===================================================
+[ INFO: suspicious rcu_dereference_check() usage. ]
+---------------------------------------------------
+security/selinux/netport.c:127 invoked rcu_dereference_check() without protection!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 1, debug_locks = 0
+1 lock held by ossec-rootcheck/3323:
+ #0: (sel_netport_lock){+.....}, at: [] sel_netport_sid+0xbb/0x226
+
+stack backtrace:
+Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095
+Call Trace:
+ [] lockdep_rcu_dereference+0xa7/0xb0
+ [] sel_netport_sid+0x1b7/0x226
+ [] ? sel_netport_avc_callback+0xbc/0xbc
+ [] selinux_socket_bind+0x115/0x230
+ [] ? might_fault+0x4e/0x9e
+ [] ? might_fault+0x97/0x9e
+ [] security_socket_bind+0x11/0x13
+ [] sys_bind+0x56/0x95
+ [] ? sysret_check+0x27/0x62
+ [] ? trace_hardirqs_on_caller+0x11e/0x155
+ [] ? audit_syscall_entry+0x17b/0x1ae
+ [] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: David Howells
+Acked-by: Paul Moore
+Acked-by: Eric Dumazet
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/netport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/netport.c
++++ b/security/selinux/netport.c
+@@ -123,7 +123,9 @@ static void sel_netport_insert(struct se
+ if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
+ struct sel_netport *tail;
+ tail = list_entry(
+- rcu_dereference(sel_netport_hash[idx].list.prev),
++ rcu_dereference_protected(
++ sel_netport_hash[idx].list.prev,
++ lockdep_is_held(&sel_netport_lock)),
+ struct sel_netport, list);
+ list_del_rcu(&tail->list);
+ kfree_rcu(tail, rcu);
diff --git a/queue-3.1/series b/queue-3.1/series
index 096bf3721cc..70ef70c1e44 100644
--- a/queue-3.1/series
+++ b/queue-3.1/series
@@ -20,3 +20,9 @@ input-synaptics-fix-touchpad-not-working-after-s2r-on-vostro-v13.patch
 percpu-fix-per_cpu_ptr_to_phys-handling-of-non-page-aligned-addresses.patch
 ib-mlx4-fix-shutdown-crash-accessing-a-non-existent-bitmap.patch
 binary_sysctl-fix-memory-leak.patch
+oom-fix-integer-overflow-of-points-in-oom_badness.patch
+oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
+sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
+nfs-fix-a-regression-in-nfs_file_llseek.patch
+nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
+selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
diff --git a/queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch b/queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
new file mode 100644
index 00000000000..089ec904873
--- /dev/null
+++ b/queue-3.1/sunrpc-ensure-we-always-bump-the-backlog-queue-in-xprt_free_slot.patch
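Review bot: The `lockdep_is_held(&sel_netport_lock)` argument asserts the locking precondition only at this one dereference, while the surrounding lines — the bucket size test, `list_del_rcu(&tail->list)` and `kfree_rcu(tail, rcu)` — all depend equally on sel_netport_lock being held by the caller. A `lockdep_assert_held(&sel_netport_lock);` at the top of sel_netport_insert() would document and check that contract once for the whole update path, and a short comment on the deref, `/* update side: serialised by sel_netport_lock, not by RCU */`, would say why the _protected variant is the right one here. The function's signature is visible only in the inner hunk header and the rest of its body is outside the hunk.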
@@ -0,0 +1,40 @@
+From c25573b5134294c0be82bfaecc6d08136835b271 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Thu, 1 Dec 2011 14:16:17 -0500
+Subject: SUNRPC: Ensure we always bump the backlog queue in xprt_free_slot
+
+From: Trond Myklebust
+
+commit c25573b5134294c0be82bfaecc6d08136835b271 upstream.
+
+Whenever we free a slot, we know that the resulting xprt->num_reqs will
+be less than xprt->max_reqs, so we know that we can release at least one
+backlogged rpc_task.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprt.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -995,13 +995,11 @@ out_init_req:
+
+ static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
+ {
+- if (xprt_dynamic_free_slot(xprt, req))
+- return;
+-
+- memset(req, 0, sizeof(*req)); /* mark unused */
+-
+ spin_lock(&xprt->reserve_lock);
+- list_add(&req->rq_list, &xprt->free);
++ if (!xprt_dynamic_free_slot(xprt, req)) {
++ memset(req, 0, sizeof(*req)); /* mark unused */
++ list_add(&req->rq_list, &xprt->free);
++ }
+ rpc_wake_up_next(&xprt->backlog);
+ spin_unlock(&xprt->reserve_lock);
+ }
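Review bot: xprt_dynamic_free_slot() is now called with `xprt->reserve_lock` held, whereas before this change it ran before the spinlock was taken; the helper is not shown in the hunk, so whether it is safe there (it must not sleep and must not take reserve_lock itself) cannot be confirmed here and should be checked before the backport lands. If it is safe, a comment at the lock acquisition, `spin_lock(&xprt->reserve_lock); /* also covers the dynamic-slot free path */`, would keep a later cleanup from hoisting the call back out of the critical section. The now unconditional `rpc_wake_up_next(&xprt->backlog);` matches the description's claim that freeing any slot always makes room for one backlogged task.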