From 6f7bc83068ab3288c783309409efc34f2dee85a4 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Mon, 6 Dec 2010 11:36:03 -0800
Subject: [PATCH] .32 patches

---
 ...count-when-mapping-copying-user-data.patch | 58 +++++++++++++++++++
 queue-2.6.32/series                           |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 queue-2.6.32/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch

diff --git a/queue-2.6.32/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch b/queue-2.6.32/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
new file mode 100644
index 00000000000..0ab542c8856
--- /dev/null
+++ b/queue-2.6.32/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
@@ -0,0 +1,58 @@
+From cb4644cac4a2797afc847e6c92736664d4b0ea34 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jaxboe@fusionio.com>
+Date: Wed, 10 Nov 2010 14:36:25 +0100
+Subject: bio: take care not overflow page count when mapping/copying user data
+
+From: Jens Axboe <jaxboe@fusionio.com>
+
+commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
+
+If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
+to overflow, we could end up attempting to map a huge number of
+pages. Check for this invalid input type.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/bio.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -838,6 +838,12 @@ struct bio *bio_copy_user_iov(struct req
+ 		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		len += iov[i].iov_len;
+ 	}
+@@ -965,6 +971,12 @@ static struct bio *__bio_map_user_iov(st
+ 		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		/*
+ 		 * buffer must be aligned to at least hardsector size for now
+@@ -992,7 +1004,7 @@ static struct bio *__bio_map_user_iov(st
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 		const int local_nr_pages = end - start;
+ 		const int page_limit = cur_page + local_nr_pages;
+-		
++
+ 		ret = get_user_pages_fast(uaddr, local_nr_pages,
+ 				write_to_vm, &pages[cur_page]);
+ 		if (ret < local_nr_pages) {
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index dbad90c9365..83971e8fca1 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -55,3 +55,4 @@ alsa-hda-use-alienware-model-quirk-for-another-ssid.patch
 netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch
 latencytop-fix-per-task-accumulator.patch
 mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch
+bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
-- 
2.47.3