--- /dev/null
+From dgibson@ozlabs.org Thu Jul 17 22:56:01 2008
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Fri, 18 Jul 2008 15:55:49 +1000
+Subject: Correct hash flushing from huge_ptep_set_wrprotect()
+To: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Greg KH <greg@kroah.com>, Linus Torvalds <torvalds@linux-foundation.org>, stable <stable@kernel.org>, Andy Whitcroft <apw@shadowen.org>
+Message-ID: <20080718055549.GL18748@yookeroo.seuss>
+Content-Disposition: inline
+
+From: David Gibson <david@gibson.dropbear.id.au>
+
+Correct hash flushing from huge_ptep_set_wrprotect() [stable tree version]
+
+A fix for incorrect flushing of the hash page table at fork() for
+hugepages was recently committed as
+86df86424939d316b1f6cfac1b6204f0c7dee317. Without this fix, a process
+can make a MAP_PRIVATE hugepage mapping, then fork() and have writes
+to the mapping after the fork() pollute the child's version.
+
+Unfortunately this bug also exists in the stable branch. In fact in
+that case copy_hugetlb_page_range() from mm/hugetlb.c calls
+ptep_set_wrprotect() directly, the hugepage variant hook
+huge_ptep_set_wrprotect() doesn't even exist.
+
+The patch below is a port of the fix to the stable25/master branch.
+It introduces a huge_ptep_set_wrprotect() call, but this is #defined
+to be equal to ptep_set_wrprotect() unless the arch defines its own
+version and sets __HAVE_ARCH_HUGE_PTEP_SET_WRPROTECT.
+
+This arch preprocessor flag is kind of nasty, but it seems the sanest
+way to introduce this fix with minimum risk of breaking other archs
+for whom prep_set_wprotect() is suitable for hugepages.
+
+Signed-off-by: Andy Whitcroft <apw@shadowen.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/asm-powerpc/pgtable-ppc64.h | 11 +++++++++++
+ mm/hugetlb.c | 6 +++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/include/asm-powerpc/pgtable-ppc64.h
++++ b/include/asm-powerpc/pgtable-ppc64.h
+@@ -311,6 +311,17 @@ static inline void ptep_set_wrprotect(st
+ old = pte_update(mm, addr, ptep, _PAGE_RW, 0);
+ }
+
++#define __HAVE_ARCH_HUGE_PTEP_SET_WRPROTECT
++static inline void huge_ptep_set_wrprotect(struct mm_struct *mm,
++ unsigned long addr, pte_t *ptep)
++{
++ unsigned long old;
++
++ if ((pte_val(*ptep) & _PAGE_RW) == 0)
++ return;
++ old = pte_update(mm, addr, ptep, _PAGE_RW, 1);
++}
++
+ /*
+ * We currently remove entries from the hashtable regardless of whether
+ * the entry was young or dirty. The generic routines only flush if the
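Review bot: in huge_ptep_set_wrprotect(), `old` is assigned from pte_update() and never read, so the variable can be dropped and pte_update() called for its side effect alone (the context line in ptep_set_wrprotect() above has the same pattern). Separately, the only visible difference from ptep_set_wrprotect() is the last pte_update() argument, 1 instead of 0, and nothing in the hunk says what it selects. A one-line comment above the new helper stating what that argument means and why the hugepage path needs it would stop the two helpers from being merged again later.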
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -738,6 +738,10 @@ static void set_huge_ptep_writable(struc
+ }
+
+
++#ifndef __HAVE_ARCH_HUGE_PTEP_SET_WRPROTECT
++#define huge_ptep_set_wrprotect ptep_set_wrprotect
++#endif
++
+ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
+ struct vm_area_struct *vma)
+ {
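Review bot: the fallback `#define huge_ptep_set_wrprotect ptep_set_wrprotect` fails silently. An arch that provides its own huge_ptep_set_wrprotect() but forgets to define __HAVE_ARCH_HUGE_PTEP_SET_WRPROTECT will have every call in this file rewritten to ptep_set_wrprotect() with no compiler diagnostic, which is exactly the behaviour the patch is meant to remove. Please add a comment above the #ifndef stating that the arch header must define both the function and the flag, so the contract is visible at the point where the override happens.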
+@@ -764,7 +768,7 @@ int copy_hugetlb_page_range(struct mm_st
+ spin_lock(&src->page_table_lock);
+ if (!pte_none(*src_pte)) {
+ if (cow)
+- ptep_set_wrprotect(src, addr, src_pte);
++ huge_ptep_set_wrprotect(src, addr, src_pte);
+ entry = *src_pte;
+ ptepage = pte_page(entry);
+ get_page(ptepage);
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 17 05:08:03 2008
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 17 Jul 2008 14:07:47 +0200
+Subject: netfilter -stable: nf_conntrack_tcp: fix endless loop
+To: stable@kernel.org
+Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, "David S. Miller" <davem@davemloft.net>
+Message-ID: <487F3613.6040708@trash.net>
+
+
+From: Patrick McHardy <kaber@trash.net>
+
+netfilter: nf_conntrack_tcp: fix endless loop
+
+Upstream commit 6b69fe0:
+
+When a conntrack entry is destroyed in process context and destruction
+is interrupted by packet processing and the packet is an attempt to
+reopen a closed connection, TCP conntrack tries to kill the old entry
+itself and returns NF_REPEAT to pass the packet through the hook
+again. This may lead to an endless loop: TCP conntrack repeatedly
+finds the old entry, but can not kill it itself since destruction
+is already in progress, but destruction in process context can not
+complete since TCP conntrack is keeping the CPU busy.
+
+Drop the packet in TCP conntrack if we can't kill the connection
+ourselves to avoid this.
+
+Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ]
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -845,9 +845,15 @@ static int tcp_packet(struct nf_conn *ct
+ /* Attempt to reopen a closed/aborted connection.
+ * Delete this connection and look up again. */
+ write_unlock_bh(&tcp_lock);
+- if (del_timer(&ct->timeout))
++ /* Only repeat if we can actually remove the timer.
++ * Destruction may already be in progress in process
++ * context and we must give it a chance to terminate.
++ */
++ if (del_timer(&ct->timeout)) {
+ ct->timeout.function((unsigned long)ct);
+- return -NF_REPEAT;
++ return -NF_REPEAT;
++ }
++ return -NF_DROP;
+ }
+ /* Fall through */
+ case TCP_CONNTRACK_IGNORE:
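Review bot: the new comment explains when the packet is repeated but not what happens on the other path, where `return -NF_DROP;` now discards the reopen attempt whenever del_timer() fails. Please extend the comment to say that the packet is dropped deliberately and that the connection attempt then depends on the sender retransmitting after the old entry has gone. As written, a reader debugging a lost reopen packet has nothing at this site pointing to the drop.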