From: Greg Kroah-Hartman
Date: Thu, 22 Dec 2011 20:46:03 +0000 (-0800)
Subject: 3.0 patches
X-Git-Tag: v3.0.15~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa8eb6177cd81e37b8f954e38114c172782c23c7;p=thirdparty%2Fkernel%2Fstable-queue.git
3.0 patches
added patches:
nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
oom-fix-integer-overflow-of-points-in-oom_badness.patch
oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
---
diff --git a/queue-3.0/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch b/queue-3.0/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
new file mode 100644
index 00000000000..a0546f7a153
--- /dev/null
+++ b/queue-3.0/nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
@@ -0,0 +1,42 @@
+From 111d489f0fb431f4ae85d96851fbf8d3248c09d8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Thu, 1 Dec 2011 16:37:42 -0500
+Subject: NFSv4.1: Ensure that we handle _all_ SEQUENCE status bits.
+
+From: Trond Myklebust
+
+commit 111d489f0fb431f4ae85d96851fbf8d3248c09d8 upstream.
+
+Currently, the code assumes that the SEQUENCE status bits are mutually
+exclusive. They are not...
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4state.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1519,16 +1519,16 @@ void nfs41_handle_sequence_flag_errors(s
+ {
+ if (!flags)
+ return;
+- else if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
++ if (flags & SEQ4_STATUS_RESTART_RECLAIM_NEEDED)
+ nfs41_handle_server_reboot(clp);
+- else if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
++ if (flags & (SEQ4_STATUS_EXPIRED_ALL_STATE_REVOKED |
+ SEQ4_STATUS_EXPIRED_SOME_STATE_REVOKED |
+ SEQ4_STATUS_ADMIN_STATE_REVOKED |
+ SEQ4_STATUS_LEASE_MOVED))
+ nfs41_handle_state_revoked(clp);
+- else if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
++ if (flags & SEQ4_STATUS_RECALLABLE_STATE_REVOKED)
+ nfs41_handle_recallable_state_revoked(clp);
+- else if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
++ if (flags & (SEQ4_STATUS_CB_PATH_DOWN |
+ SEQ4_STATUS_BACKCHANNEL_FAULT |
+ SEQ4_STATUS_CB_PATH_DOWN_SESSION))
+ nfs41_handle_cb_path_down(clp);
diff --git a/queue-3.0/oom-fix-integer-overflow-of-points-in-oom_badness.patch b/queue-3.0/oom-fix-integer-overflow-of-points-in-oom_badness.patch
new file mode 100644
index 00000000000..aeaa7872584
--- /dev/null
+++ b/queue-3.0/oom-fix-integer-overflow-of-points-in-oom_badness.patch
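Review bot: Turning the `else if` chain in nfs41_handle_sequence_flag_errors() into independent `if`s means a reply that sets several SEQ4_STATUS_* bits now runs more than one recovery helper back to back (for instance nfs41_handle_server_reboot() followed by nfs41_handle_state_revoked()), and nothing in the hunk shows that those helpers are safe to trigger together, so that should be confirmed rather than assumed. Any bit not named in the four tests is still silently dropped, and the leading `if (!flags) return;` is now only a shortcut; both can be mistaken for oversights by the next reader. A comment above the first test would keep the chain from being reintroduced: `/* SEQ4_STATUS_* bits are independent and may arrive together; test each one. */`. The function's closing brace lies outside the hunk.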
@@ -0,0 +1,64 @@
+From ff05b6f7ae762b6eb464183eec994b28ea09f6dd Mon Sep 17 00:00:00 2001
+From: Frantisek Hrbata
+Date: Mon, 19 Dec 2011 17:11:59 -0800
+Subject: oom: fix integer overflow of points in oom_badness
+
+From: Frantisek Hrbata
+
+commit ff05b6f7ae762b6eb464183eec994b28ea09f6dd upstream.
+
+An integer overflow will happen on 64bit archs if task's sum of rss,
+swapents and nr_ptes exceeds (2^31)/1000 value. This was introduced by
+commit
+
+f755a04 oom: use pte pages in OOM score
+
+where the oom score computation was divided into several steps and it's no
+longer computed as one expression in unsigned long(rss, swapents, nr_pte
+are unsigned long), where the result value assigned to points(int) is in
+range(1..1000). So there could be an int overflow while computing
+
+176 points *= 1000;
+
+and points may have negative value. Meaning the oom score for a mem hog task
+will be one.
+
+196 if (points <= 0)
+197 return 1;
+
+For example:
+[ 3366] 0 3366 35390480 24303939 5 0 0 oom01
+Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child
+
+Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
+memory, but it's oom score is one.
+
+In this situation the mem hog task is skipped and oom killer kills another and
+most probably innocent task with oom score greater than one.
+
+The points variable should be of type long instead of int to prevent the
+int overflow.
+
+Signed-off-by: Frantisek Hrbata
+Acked-by: KOSAKI Motohiro
+Acked-by: Oleg Nesterov
+Acked-by: David Rientjes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/oom_kill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct t
+ unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
+ const nodemask_t *nodemask, unsigned long totalpages)
+ {
+- int points;
++ long points;
+
+ if (oom_unkillable_task(p, mem, nodemask))
+ return 0;
diff --git a/queue-3.0/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch b/queue-3.0/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
new file mode 100644
index 00000000000..611e2c9487d
--- /dev/null
+++ b/queue-3.0/oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
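Review bot: Changing `points` to `long` in oom_badness() removes the overflow only where `long` is 64 bits; on 32-bit builds the later `points *= 1000` (outside this hunk) keeps the same (2^31)/1000 bound on rss+swapents+nr_ptes, and whether a task can reach it there is not shown. Since the overflow let a memory hog score 1 and be skipped while other tasks were killed, the bug is in effect a local denial of service, which is worth stating in the backport note. The declaration deserves a why-comment so it is not narrowed back later: `long points;	/* rss+swapents+nr_ptes scaled by 1000; overflows int for tasks above ~8 GB */`. The function returns `unsigned int`, so the conversion back on return (outside the hunk) relies on the value having been clamped to 1..1000 by then, as the commit message states.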
@@ -0,0 +1,113 @@
+From 913050b91eb94f194392dd797b1ff3779f606ac0 Mon Sep 17 00:00:00 2001
+From: Robert Richter
+Date: Mon, 19 Dec 2011 16:38:30 +0100
+Subject: oprofile: Fix uninitialized memory access when writing to writing to oprofilefs
+
+From: Robert Richter
+
+commit 913050b91eb94f194392dd797b1ff3779f606ac0 upstream.
+
+If oprofilefs_ulong_from_user() is called with count equals
+zero, *val remains unchanged. Depending on the implementation it
+might be uninitialized.
+
+Change oprofilefs_ulong_from_user()'s interface to return count
+on success. Thus, we are able to return early if count equals
+zero which avoids using *val uninitialized. Fixing all users of
+oprofilefs_ulong_ from_user().
+
+This follows write syscall implementation when count is zero:
+"If count is zero ... [and if] no errors are detected, 0 will be
+returned without causing any other effect." (man 2 write)
+
+Reported-By: Mike Waychison
+Signed-off-by: Robert Richter
+Cc: Andrew Morton
+Cc: oprofile-list
+Link: http://lkml.kernel.org/r/20111219153830.GH16765@erda.amd.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/oprofile/init.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 7 ++++---
+ drivers/oprofile/oprofilefs.c | 11 +++++++++--
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/oprofile/init.c
++++ b/arch/s390/oprofile/init.c
+@@ -90,7 +90,7 @@ static ssize_t hwsampler_write(struct fi
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ if (oprofile_started)
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -45,7 +45,7 @@ static ssize_t timeout_write(struct file
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_timeout(val);
+@@ -84,7 +84,7 @@ static ssize_t depth_write(struct file *
+ return -EINVAL;
+
+ 
retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_ulong(&oprofile_backtrace_depth, val);
+@@ -141,9 +141,10 @@ static ssize_t enable_write(struct file
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&val, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
++ retval = 0;
+ if (val)
+ retval = oprofile_start();
+ else
+--- a/drivers/oprofile/oprofilefs.c
++++ b/drivers/oprofile/oprofilefs.c
+@@ -60,6 +60,13 @@ ssize_t oprofilefs_ulong_to_user(unsigne
+ }
+
+
++/*
++ * Note: If oprofilefs_ulong_from_user() returns 0, then *val remains
++ * unchanged and might be uninitialized. This follows write syscall
++ * implementation when count is zero: "If count is zero ... [and if]
++ * no errors are detected, 0 will be returned without causing any
++ * other effect." (man 2 write)
++ */
+ int oprofilefs_ulong_from_user(unsigned long *val, char const __user *buf, size_t count)
+ {
+ char tmpbuf[TMPBUFSIZE];
+@@ -79,7 +86,7 @@ int oprofilefs_ulong_from_user(unsigned
+ spin_lock_irqsave(&oprofilefs_lock, flags);
+ *val = simple_strtoul(tmpbuf, NULL, 0);
+ spin_unlock_irqrestore(&oprofilefs_lock, flags);
+- return 0;
++ return count;
+ }
+
+
+@@ -99,7 +106,7 @@ static ssize_t ulong_write_file(struct f
+ return -EINVAL;
+
+ retval = oprofilefs_ulong_from_user(&value, buf, count);
+- if (retval)
++ if (retval <= 0)
+ return retval;
+
+ retval = oprofile_set_ulong(file->private_data, value);
diff --git a/queue-3.0/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch b/queue-3.0/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
new file mode 100644
index 00000000000..e2879d29565
--- /dev/null
+++ b/queue-3.0/selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
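Review bot: `return count;` at the end of oprofilefs_ulong_from_user() narrows a `size_t` into the function's `int` return, and every caller now tests `retval <= 0`; that is only safe if the lines between the two oprofilefs.c hunks still bound count (the upstream helper rejects count > TMPBUFSIZE - 1, but that check is not visible here). The conversion also has to be complete: a caller left with the old `if (retval) return retval;` would return the positive count to write(2), which looks like success to userspace, without ever applying the value, so the backport should be checked against any oprofilefs_ulong_from_user() user in the 3.0 tree beyond the three files patched here. Declaring the helper `ssize_t` would match the `ssize_t` write handlers visible in the hunk headers and remove the narrowing: `ssize_t oprofilefs_ulong_from_user(unsigned long *val, char const __user *buf, size_t count)`, with the same change wherever it is declared. Each write handler begins and ends outside its hunk.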
@@ -0,0 +1,63 @@
+From 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 13 Dec 2011 14:49:04 +0000
+Subject: SELinux: Fix RCU deref check warning in sel_netport_insert()
+
+From: David Howells
+
+commit 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 upstream.
+
+Fix the following bug in sel_netport_insert() where rcu_dereference() should
+be rcu_dereference_protected() as sel_netport_lock is held.
+
+===================================================
+[ INFO: suspicious rcu_dereference_check() usage. ]
+---------------------------------------------------
+security/selinux/netport.c:127 invoked rcu_dereference_check() without protection!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 1, debug_locks = 0
+1 lock held by ossec-rootcheck/3323:
+ #0: (sel_netport_lock){+.....}, at: [] sel_netport_sid+0xbb/0x226
+
+stack backtrace:
+Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095
+Call Trace:
+ [] lockdep_rcu_dereference+0xa7/0xb0
+ [] sel_netport_sid+0x1b7/0x226
+ [] ? sel_netport_avc_callback+0xbc/0xbc
+ [] selinux_socket_bind+0x115/0x230
+ [] ? might_fault+0x4e/0x9e
+ [] ? might_fault+0x97/0x9e
+ [] security_socket_bind+0x11/0x13
+ [] sys_bind+0x56/0x95
+ [] ? sysret_check+0x27/0x62
+ [] ? trace_hardirqs_on_caller+0x11e/0x155
+ [] ? audit_syscall_entry+0x17b/0x1ae
+ [] ? 
trace_hardirqs_on_thunk+0x3a/0x3f
+ [] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: David Howells
+Acked-by: Paul Moore
+Acked-by: Eric Dumazet
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/netport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/netport.c
++++ b/security/selinux/netport.c
+@@ -139,7 +139,9 @@ static void sel_netport_insert(struct se
+ if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
+ struct sel_netport *tail;
+ tail = list_entry(
+- rcu_dereference(sel_netport_hash[idx].list.prev),
++ rcu_dereference_protected(
++ sel_netport_hash[idx].list.prev,
++ lockdep_is_held(&sel_netport_lock)),
+ struct sel_netport, list);
+ list_del_rcu(&tail->list);
+ call_rcu(&tail->rcu, sel_netport_free);
diff --git a/queue-3.0/series b/queue-3.0/series
index 6afa790749e..90884961c41 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -15,3 +15,7 @@ mxc-pwm-should-active-during-doze-wait-dbg-mode.patch
 input-synaptics-fix-touchpad-not-working-after-s2r-on-vostro-v13.patch
 percpu-fix-per_cpu_ptr_to_phys-handling-of-non-page-aligned-addresses.patch
 binary_sysctl-fix-memory-leak.patch
+oom-fix-integer-overflow-of-points-in-oom_badness.patch
+oprofile-fix-uninitialized-memory-access-when-writing-to-writing-to-oprofilefs.patch
+nfsv4.1-ensure-that-we-handle-_all_-sequence-status-bits.patch
+selinux-fix-rcu-deref-check-warning-in-sel_netport_insert.patch
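Review bot: The `rcu_dereference_protected(..., lockdep_is_held(&sel_netport_lock))` added in sel_netport_insert() records the locking contract only as a lockdep assertion, which is enforced only in builds with RCU lockdep checking enabled, so the requirement should also be stated where a reader will see it, at the head of the function (outside this hunk): `/* Caller must hold sel_netport_lock; the bucket eviction below relies on it. */`. The eviction path takes `sel_netport_hash[idx].list.prev` through list_entry() without checking that the list is non-empty, which holds only because `size == SEL_NETPORT_HASH_BKT_LIMIT` implies entries are present; a one-line comment saying so would protect the assumption if the limit is ever tuned. At runtime this change is a no-op (the dereference is the same pointer read), so as a stable backport it silences the warning in the quoted trace rather than fixing a behavioural bug, which is worth saying in the queue entry. sel_netport_insert() begins and ends outside the hunk.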