--- /dev/null
+From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <philb@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:19 -0800
+Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+
+From: Phil Blundell <philb@gnu.org>
+
+commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
+
+Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+with EINVAL if NULL was passed; otherwise an oops may occur.
+
+Signed-off-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -296,23 +296,14 @@ static int econet_sendmsg(struct kiocb *
+
+ mutex_lock(&econet_mutex);
+
+- if (saddr == NULL) {
+- struct econet_sock *eo = ec_sk(sk);
+-
+- addr.station = eo->station;
+- addr.net = eo->net;
+- port = eo->port;
+- cb = eo->cb;
+- } else {
+- if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+- mutex_unlock(&econet_mutex);
+- return -EINVAL;
+- }
+- addr.station = saddr->addr.station;
+- addr.net = saddr->addr.net;
+- port = saddr->port;
+- cb = saddr->cb;
+- }
++ if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++ mutex_unlock(&econet_mutex);
++ return -EINVAL;
++ }
++ addr.station = saddr->addr.station;
++ addr.net = saddr->addr.net;
++ port = saddr->port;
++ cb = saddr->cb;
+
+ /* Look for a device with the right network number. */
+ dev = net2dev_map[addr.net];
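Review bot: The rewritten check turns a NULL saddr from "use the socket's own station/net/port/cb" into a hard -EINVAL, so an unaddressed send() on an econet socket that previously took the eo-> path is now rejected, and neither the hunk nor the commit text says so. That is a user-visible ABI change beyond the NULL-dereference fix and deserves a sentence in the description and a comment above the new guard, e.g. `/* A remote address is mandatory: later code dereferences saddr and copies *saddr into the skb cb. */`. The unlock before return keeps econet_mutex balanced, and the removed `/* BUG: saddr may be NULL */` marker in the second hunk is consistent with this. econet_sendmsg begins and ends outside the hunk.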
+@@ -350,7 +341,6 @@ static int econet_sendmsg(struct kiocb *
+
+ eb = (struct ec_cb *)&skb->cb;
+
+- /* BUG: saddr may be NULL */
+ eb->cookie = saddr->cookie;
+ eb->sec = *saddr;
+ eb->sent = ec_tx_done;
--- /dev/null
+From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
+From: Phil Blundell <philb@gnu.org>
+Date: Wed, 24 Nov 2010 11:49:53 -0800
+Subject: econet: fix CVE-2010-3850
+
+From: Phil Blundell <philb@gnu.org>
+
+commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
+
+Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+
+Signed-off-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -659,6 +659,9 @@ static int ec_dev_ioctl(struct socket *s
+ err = 0;
+ switch (cmd) {
+ case SIOCSIFADDR:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ edev = dev->ec_ptr;
+ if (edev == NULL) {
+ /* Magic up a new one. */
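Review bot: The new `return -EPERM` leaves ec_dev_ioctl from inside the switch, bypassing whatever tail the other cases reach through `break` and `err`. The prologue is outside the hunk, but the `err = 0;` convention and the econet_mutex use visible in the sibling sendmsg patch suggest this function holds a lock and/or a net_device reference at this point; if so (confirm against the lines above the hunk), the direct return leaks them and later ioctls would block. The check should follow the existing error style: `if (!capable(CAP_NET_ADMIN)) { err = -EPERM; break; }`. ec_dev_ioctl begins and ends outside the hunk.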
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t)
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/firewire/ohci.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
--- a/drivers/firewire/ohci.c
+++ b/drivers/firewire/ohci.c
-@@ -739,7 +739,7 @@ static void ar_context_tasklet(unsigned long data)
+@@ -628,7 +628,7 @@ static void ar_context_tasklet(unsigned
d = &ab->descriptor;
if (d->res_count == 0) {
dma_addr_t start_bus;
void *start;
-@@ -756,12 +756,41 @@ static void ar_context_tasklet(unsigned long data)
+@@ -645,12 +645,41 @@ static void ar_context_tasklet(unsigned
ab = ab->next;
d = &ab->descriptor;
size = buffer + PAGE_SIZE - ctx->pointer;
--- /dev/null
+From 218854af84038d828a32f061858b1902ed2beec6 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 17 Nov 2010 06:37:16 +0000
+Subject: rds: Integer overflow in RDS cmsg handling
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
+
+In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
+restricted to less than UINT_MAX. This seems to need a tighter upper
+bound, since the calculation of total iov_size can overflow, resulting
+in a small sock_kmalloc() allocation. This would probably just result
+in walking off the heap and crashing when calling rds_rdma_pages() with
+a high count value. If it somehow doesn't crash here, then memory
+corruption could occur soon after.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rds/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -447,7 +447,7 @@ static struct rds_rdma_op *rds_rdma_prep
+ goto out;
+ }
+
+- if (args->nr_local > (u64)UINT_MAX) {
++ if (args->nr_local > UIO_MAXIOV) {
+ ret = -EMSGSIZE;
+ goto out;
+ }
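Review bot: The new upper bound only closes the overflow side; a zero nr_local still passes and, if the code below the hunk sizes its sock_kmalloc() from nr_local, produces a zero-length allocation followed by an empty iovec copy (confirm against the lines after the hunk). A lower bound next to the new check would make the contract explicit: `if (args->nr_local == 0 || args->nr_local > UIO_MAXIOV) { ret = -EMSGSIZE; goto out; }`, with a comment such as `/* bound nr_local so nr_local * sizeof(struct rds_iovec) cannot wrap */` explaining why UIO_MAXIOV rather than UINT_MAX is the limit. The enclosing function begins and ends outside the hunk.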
irda-fix-parameter-extraction-stack-overflow.patch
irda-fix-heap-memory-corruption-in-iriap.c.patch
i2c-pca-platform-change-device-name-of-request_irq.patch
-sunrpc-after-calling-xprt_release-we-must-restart-from-call_reserve.patch
microblaze-fix-build-with-make-3.82.patch
net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
staging-asus_oled-fix-up-some-sysfs-attribute-permissions.patch
v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
crypto-padlock-fix-aes-cbc-handling-on-odd-block-sized-input.patch
+x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch
+x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch
+x86-32-fix-dummy-trampoline-related-inline-stubs.patch
+econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
+econet-fix-cve-2010-3850.patch
+rds-integer-overflow-in-rds-cmsg-handling.patch
net-truncate-recvfrom-and-sendto-length-to-int_max.patch
net-limit-socket-i-o-iovec-total-length-to-int_max.patch
+++ /dev/null
-From 118df3d17f11733b294ea2cd988d56ee376ef9fd Mon Sep 17 00:00:00 2001
-From: Trond Myklebust <Trond.Myklebust@netapp.com>
-Date: Sun, 24 Oct 2010 17:17:31 -0400
-Subject: SUNRPC: After calling xprt_release(), we must restart from call_reserve
-
-From: Trond Myklebust <Trond.Myklebust@netapp.com>
-
-commit 118df3d17f11733b294ea2cd988d56ee376ef9fd upstream.
-
-Rob Leslie reports seeing the following Oops after his Kerberos session
-expired.
-
-BUG: unable to handle kernel NULL pointer dereference at 00000058
-IP: [<e186ed94>] rpcauth_refreshcred+0x11/0x12c [sunrpc]
-*pde = 00000000
-Oops: 0000 [#1]
-last sysfs file: /sys/devices/platform/pc87360.26144/temp3_input
-Modules linked in: autofs4 authenc esp4 xfrm4_mode_transport ipt_LOG ipt_REJECT xt_limit xt_state ipt_REDIRECT xt_owner xt_HL xt_hl xt_tcpudp xt_mark cls_u32 cls_tcindex sch_sfq sch_htb sch_dsmark geodewdt deflate ctr twofish_generic twofish_i586 twofish_common camellia serpent blowfish cast5 cbc xcbc rmd160 sha512_generic sha1_generic hmac crypto_null af_key rpcsec_gss_krb5 nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc ip_gre sit tunnel4 dummy ext3 jbd nf_nat_irc nf_conntrack_irc nf_nat_ftp nf_conntrack_ftp iptable_mangle iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables pc8736x_gpio nsc_gpio pc87360 hwmon_vid loop aes_i586 aes_generic sha256_generic dm_crypt cs5535_gpio serio_raw cs5535_mfgpt hifn_795x des_generic geode_rng rng_core led_class ext4 mbcache jbd2 crc16 dm_mirror dm_region_hash dm_log dm_snapshot dm_mod sd_mod crc_t10dif ide_pci_generic cs5536 amd74xx ide_core pata_cs5536 ata_generic libata usb_storage via_rhine mii scsi_mod btrfs zlib_deflate crc32c libcrc32c [last unloaded: scsi_wait_scan]
-
-Pid: 12875, comm: sudo Not tainted 2.6.36-net5501 #1 /
-EIP: 0060:[<e186ed94>] EFLAGS: 00010292 CPU: 0
-EIP is at rpcauth_refreshcred+0x11/0x12c [sunrpc]
-EAX: 00000000 EBX: defb13a0 ECX: 00000006 EDX: e18683b8
-ESI: defb13a0 EDI: 00000000 EBP: 00000000 ESP: de571d58
- DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
-Process sudo (pid: 12875, ti=de570000 task=decd1430 task.ti=de570000)
-Stack:
- e186e008 00000000 defb13a0 0000000d deda6000 e1868f22 e196f12b defb13a0
-<0> defb13d8 00000000 00000000 e186e0aa 00000000 defb13a0 de571dac 00000000
-<0> e186956c de571e34 debea5c0 de571dc8 e186967a 00000000 debea5c0 de571e34
-Call Trace:
- [<e186e008>] ? rpc_wake_up_next+0x114/0x11b [sunrpc]
- [<e1868f22>] ? call_decode+0x24a/0x5af [sunrpc]
- [<e196f12b>] ? nfs4_xdr_dec_access+0x0/0xa2 [nfs]
- [<e186e0aa>] ? __rpc_execute+0x62/0x17b [sunrpc]
- [<e186956c>] ? rpc_run_task+0x91/0x97 [sunrpc]
- [<e186967a>] ? rpc_call_sync+0x40/0x5b [sunrpc]
- [<e1969ca2>] ? nfs4_proc_access+0x10a/0x176 [nfs]
- [<e19572fa>] ? nfs_do_access+0x2b1/0x2c0 [nfs]
- [<e186ed61>] ? rpcauth_lookupcred+0x62/0x84 [sunrpc]
- [<e19573b6>] ? nfs_permission+0xad/0x13b [nfs]
- [<c0177824>] ? exec_permission+0x15/0x4b
- [<c0177fbd>] ? link_path_walk+0x4f/0x456
- [<c017867d>] ? path_walk+0x4c/0xa8
- [<c0179678>] ? do_path_lookup+0x1f/0x68
- [<c017a3fb>] ? user_path_at+0x37/0x5f
- [<c016359c>] ? handle_mm_fault+0x229/0x55b
- [<c0170a2d>] ? sys_faccessat+0x93/0x146
- [<c0170aef>] ? sys_access+0xf/0x13
- [<c02cf615>] ? syscall_call+0x7/0xb
-Code: 0f 94 c2 84 d2 74 09 8b 44 24 0c e8 6a e9 8b de 83 c4 14 89 d8 5b 5e 5f 5d c3 55 57 56 53 83 ec 1c fc 89 c6 8b 40 10 89 44 24 04 <8b> 58 58 85 db 0f 85 d4 00 00 00 0f b7 46 70 8b 56 20 89 c5 83
-EIP: [<e186ed94>] rpcauth_refreshcred+0x11/0x12c [sunrpc] SS:ESP 0068:de571d58
-CR2: 0000000000000058
-
-This appears to be caused by the function rpc_verify_header() first
-calling xprt_release(), then doing a call_refresh. If we release the
-transport slot, we should _always_ jump back to call_reserve before
-calling anything else.
-
-Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- net/sunrpc/clnt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/sunrpc/clnt.c
-+++ b/net/sunrpc/clnt.c
-@@ -1566,7 +1566,7 @@ rpc_verify_header(struct rpc_task *task)
- rpcauth_invalcred(task);
- /* Ensure we obtain a new XID! */
- xprt_release(task);
-- task->tk_action = call_refresh;
-+ task->tk_action = call_reserve;
- goto out_retry;
- case RPC_AUTH_BADCRED:
- case RPC_AUTH_BADVERF:
--- /dev/null
+From 8848a91068c018bc91f597038a0f41462a0f88a4 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@zytor.com>
+Date: Wed, 18 Aug 2010 11:42:23 -0700
+Subject: x86-32: Fix dummy trampoline-related inline stubs
+
+From: H. Peter Anvin <hpa@zytor.com>
+
+commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream.
+
+Fix dummy inline stubs for trampoline-related functions when no
+trampolines exist (until we get rid of the no-trampoline case
+entirely.)
+
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: Joerg Roedel <joerg.roedel@amd.com>
+Cc: Borislav Petkov <borislav.petkov@amd.com>
+LKML-Reference: <4C6C294D.3030404@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/trampoline.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/trampoline.h
++++ b/arch/x86/include/asm/trampoline.h
+@@ -23,8 +23,8 @@ extern unsigned long setup_trampoline(vo
+ extern void __init setup_trampoline_page_table(void);
+ extern void __init reserve_trampoline_memory(void);
+ #else
+-static inline void reserve_trampoline_memory(void) {};
+-extern void __init setup_trampoline_page_table(void) {};
++static inline void setup_trampoline_page_table(void) {}
++static inline void reserve_trampoline_memory(void) {}
+ #endif /* CONFIG_X86_TRAMPOLINE */
+
+ #endif /* __ASSEMBLY__ */
--- /dev/null
+From fd89a137924e0710078c3ae855e7cec1c43cb845 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 16 Aug 2010 14:38:33 +0200
+Subject: x86-32: Separate 1:1 pagetables from swapper_pg_dir
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream.
+
+This patch fixes machine crashes which occur when heavily exercising the
+CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by
+AMD Erratum 383 and result in a fatal machine check exception. Here's
+the scenario:
+
+1. On 32-bit, the swapper_pg_dir page table is used as the initial page
+table for booting a secondary CPU.
+
+2. To make this work, swapper_pg_dir needs a direct mapping of physical
+memory in it (the low mappings). By adding those low, large page (2M)
+mappings (PAE kernel), we create the necessary conditions for Erratum
+383 to occur.
+
+3. Other CPUs which do not participate in the off- and onlining game may
+use swapper_pg_dir while the low mappings are present (when leave_mm is
+called). For all steps below, the CPU referred to is a CPU that is using
+swapper_pg_dir, and not the CPU which is being onlined.
+
+4. The presence of the low mappings in swapper_pg_dir can result
+in TLB entries for addresses below __PAGE_OFFSET to be established
+speculatively. These TLB entries are marked global and large.
+
+5. When the CPU with such TLB entry switches to another page table, this
+TLB entry remains because it is global.
+
+6. The process then generates an access to an address covered by the
+above TLB entry but there is a permission mismatch - the TLB entry
+covers a large global page not accessible to userspace.
+
+7. Due to this permission mismatch a new 4kb, user TLB entry gets
+established. Further, Erratum 383 provides for a small window of time
+where both TLB entries are present. This results in an uncorrectable
+machine check exception signalling a TLB multimatch which panics the
+machine.
+
+There are two ways to fix this issue:
+
+ 1. Always do a global TLB flush when a new cr3 is loaded and the
+ old page table was swapper_pg_dir. I consider this a hack hard
+ to understand and with performance implications
+
+ 2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit
+ does.
+
+This patch implements solution 2. It introduces a trampoline_pg_dir
+which has the same layout as swapper_pg_dir with low_mappings. This page
+table is used as the initial page table of the booting CPU. Later in the
+bringup process, it switches to swapper_pg_dir and does a global TLB
+flush. This fixes the crashes in our test cases.
+
+-v2: switch to swapper_pg_dir right after entering start_secondary() so
+that we are able to access percpu data which might not be mapped in the
+trampoline page table.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+LKML-Reference: <20100816123833.GB28147@aftab>
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/pgtable_32.h | 1 +
+ arch/x86/include/asm/trampoline.h | 3 +++
+ arch/x86/kernel/head_32.S | 8 +++++++-
+ arch/x86/kernel/setup.c | 3 +++
+ arch/x86/kernel/smpboot.c | 32 +++++++++++++-------------------
+ arch/x86/kernel/trampoline.c | 18 ++++++++++++++++++
+ 6 files changed, 45 insertions(+), 20 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable_32.h
++++ b/arch/x86/include/asm/pgtable_32.h
+@@ -27,6 +27,7 @@ struct mm_struct;
+ struct vm_area_struct;
+
+ extern pgd_t swapper_pg_dir[1024];
++extern pgd_t trampoline_pg_dir[1024];
+
+ static inline void pgtable_cache_init(void) { }
+ static inline void check_pgt_cache(void) { }
+--- a/arch/x86/include/asm/trampoline.h
++++ b/arch/x86/include/asm/trampoline.h
+@@ -13,15 +13,18 @@ extern unsigned char *trampoline_base;
+
+ extern unsigned long init_rsp;
+ extern unsigned long initial_code;
++extern unsigned long initial_page_table;
+ extern unsigned long initial_gs;
+
+ #define TRAMPOLINE_SIZE roundup(trampoline_end - trampoline_data, PAGE_SIZE)
+ #define TRAMPOLINE_BASE 0x6000
+
+ extern unsigned long setup_trampoline(void);
++extern void __init setup_trampoline_page_table(void);
+ extern void __init reserve_trampoline_memory(void);
+ #else
+ static inline void reserve_trampoline_memory(void) {};
++extern void __init setup_trampoline_page_table(void) {};
+ #endif /* CONFIG_X86_TRAMPOLINE */
+
+ #endif /* __ASSEMBLY__ */
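Review bot: The `#else` stub `extern void __init setup_trampoline_page_table(void) {};` is a non-static external function definition placed in a header, so every translation unit that includes trampoline.h without CONFIG_X86_TRAMPOLINE emits its own copy (a duplicate-symbol link error), and the stray `;` after the body is a spurious empty declaration. setup.c's new unconditional `setup_trampoline_page_table();` call in this same patch depends on this stub, so the line should read `static inline void setup_trampoline_page_table(void) {}` like the reserve_trampoline_memory stub beside it. The queued x86-32-fix-dummy-trampoline-related-inline-stubs.patch makes exactly that correction; the series file must keep it ordered after this patch, as it currently is.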
+--- a/arch/x86/kernel/head_32.S
++++ b/arch/x86/kernel/head_32.S
+@@ -324,7 +324,7 @@ ENTRY(startup_32_smp)
+ /*
+ * Enable paging
+ */
+- movl $pa(swapper_pg_dir),%eax
++ movl pa(initial_page_table), %eax
+ movl %eax,%cr3 /* set the page table pointer.. */
+ movl %cr0,%eax
+ orl $X86_CR0_PG,%eax
+@@ -604,6 +604,8 @@ ignore_int:
+ .align 4
+ ENTRY(initial_code)
+ .long i386_start_kernel
++ENTRY(initial_page_table)
++ .long pa(swapper_pg_dir)
+
+ /*
+ * BSS section
+@@ -619,6 +621,10 @@ ENTRY(swapper_pg_dir)
+ #endif
+ swapper_pg_fixmap:
+ .fill 1024,4,0
++#ifdef CONFIG_X86_TRAMPOLINE
++ENTRY(trampoline_pg_dir)
++ .fill 1024,4,0
++#endif
+ ENTRY(empty_zero_page)
+ .fill 4096,1,0
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -110,6 +110,7 @@
+ #include <asm/numa_64.h>
+ #endif
+ #include <asm/mce.h>
++#include <asm/trampoline.h>
+
+ /*
+ * end_pfn only includes RAM, while max_pfn_mapped includes all e820 entries.
+@@ -998,6 +999,8 @@ void __init setup_arch(char **cmdline_p)
+ paging_init();
+ x86_init.paging.pagetable_setup_done(swapper_pg_dir);
+
++ setup_trampoline_page_table();
++
+ tboot_probe();
+
+ #ifdef CONFIG_X86_64
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -70,7 +70,6 @@
+
+ #ifdef CONFIG_X86_32
+ u8 apicid_2_node[MAX_APICID];
+-static int low_mappings;
+ #endif
+
+ /* State of each CPU */
+@@ -292,6 +291,18 @@ notrace static void __cpuinit start_seco
+ * fragile that we want to limit the things done here to the
+ * most necessary things.
+ */
++
++#ifdef CONFIG_X86_32
++ /*
++ * Switch away from the trampoline page-table
++ *
++ * Do this before cpu_init() because it needs to access per-cpu
++ * data which may not be mapped in the trampoline page-table.
++ */
++ load_cr3(swapper_pg_dir);
++ __flush_tlb_all();
++#endif
++
+ vmi_bringup();
+ cpu_init();
+ preempt_disable();
+@@ -310,12 +321,6 @@ notrace static void __cpuinit start_seco
+ enable_8259A_irq(0);
+ }
+
+-#ifdef CONFIG_X86_32
+- while (low_mappings)
+- cpu_relax();
+- __flush_tlb_all();
+-#endif
+-
+ /* This must be done before setting cpu_online_mask */
+ set_cpu_sibling_map(raw_smp_processor_id());
+ wmb();
+@@ -741,6 +746,7 @@ do_rest:
+ #ifdef CONFIG_X86_32
+ /* Stack for startup_32 can be just as for start_secondary onwards */
+ irq_ctx_init(cpu);
++ initial_page_table = __pa(&trampoline_pg_dir);
+ #else
+ clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
+ initial_gs = per_cpu_offset(cpu);
+@@ -885,20 +891,8 @@ int __cpuinit native_cpu_up(unsigned int
+
+ per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
+
+-#ifdef CONFIG_X86_32
+- /* init low mem mapping */
+- clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+- flush_tlb_all();
+- low_mappings = 1;
+-
+ err = do_boot_cpu(apicid, cpu);
+
+- zap_low_mappings(false);
+- low_mappings = 0;
+-#else
+- err = do_boot_cpu(apicid, cpu);
+-#endif
+ if (err) {
+ pr_debug("do_boot_cpu failed %d\n", err);
+ return -EIO;
+--- a/arch/x86/kernel/trampoline.c
++++ b/arch/x86/kernel/trampoline.c
+@@ -1,6 +1,7 @@
+ #include <linux/io.h>
+
+ #include <asm/trampoline.h>
++#include <asm/pgtable.h>
+ #include <asm/e820.h>
+
+ #if defined(CONFIG_X86_64) && defined(CONFIG_ACPI_SLEEP)
+@@ -39,3 +40,20 @@ unsigned long __trampinit setup_trampoli
+ memcpy(trampoline_base, trampoline_data, TRAMPOLINE_SIZE);
+ return virt_to_phys(trampoline_base);
+ }
++
++void __init setup_trampoline_page_table(void)
++{
++#ifdef CONFIG_X86_32
++ /* Copy kernel address range */
++ clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min_t(unsigned long, KERNEL_PGD_PTRS,
++ KERNEL_PGD_BOUNDARY));
++
++ /* Initialize low mappings */
++ clone_pgd_range(trampoline_pg_dir,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min_t(unsigned long, KERNEL_PGD_PTRS,
++ KERNEL_PGD_BOUNDARY));
++#endif
++}
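Review bot: The first clone_pgd_range() call, which copies the kernel address range into trampoline_pg_dir, bounds the count by `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)`; on a VMSPLIT layout where KERNEL_PGD_BOUNDARY is smaller than KERNEL_PGD_PTRS this leaves the upper part of the kernel mapping absent from the trampoline page table, which the secondary CPU then boots on. Only the low-mappings copy needs the KERNEL_PGD_BOUNDARY limit; the kernel-range copy should pass `KERNEL_PGD_PTRS`. The queued x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch corrects this, so the two patches should stay together in the series.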
--- /dev/null
+From b7d460897739e02f186425b7276e3fdb1595cea7 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Tue, 24 Aug 2010 22:44:12 -0700
+Subject: x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
+
+From: Hugh Dickins <hughd@google.com>
+
+commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream.
+
+rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT
+laptop: whereas cloning from kernel to low mappings pgd range does need
+to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel
+pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+LKML-Reference: <alpine.LSU.2.00.1008242235120.2515@sister.anvils>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ arch/x86/kernel/trampoline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/trampoline.c
++++ b/arch/x86/kernel/trampoline.c
+@@ -47,8 +47,7 @@ void __init setup_trampoline_page_table(
+ /* Copy kernel address range */
+ clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min_t(unsigned long, KERNEL_PGD_PTRS,
+- KERNEL_PGD_BOUNDARY));
++ KERNEL_PGD_PTRS);
+
+ /* Initialize low mappings */
+ clone_pgd_range(trampoline_pg_dir,
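Review bot: The two adjacent clone_pgd_range() calls now use different bounds for what look like symmetric copies, and the reason is only in the commit message; the next reader is likely to "fix" one to match the other. A short comment above the kernel-range copy would pin it down, e.g. `/* The kernel range needs all KERNEL_PGD_PTRS entries; only the low-mapping clone below is additionally bounded by KERNEL_PGD_BOUNDARY. */`. setup_trampoline_page_table begins outside the hunk.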