author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-30 08:45:00 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-30 08:45:00 +0800 |
commit | 41b98f9b9a40d88a7c76d672f50e862bbd8812e3 (patch) | |
tree | 324e4d33c2703c5c9621847fbad4cce704f16a98 | |
parent | a891019fea65bc9119dba4b400171b357852ff4f (diff) | |
download | stable-queue-41b98f9b9a40d88a7c76d672f50e862bbd8812e3.tar.gz |
.38 patches
-rw-r--r-- | queue-2.6.38/iwlwifi-fix-bugs-in-change_interface.patch | 50 | ||||
-rw-r--r-- | queue-2.6.38/libata-use-maximum-write-same-length-to-report-discard-size.patch | 38 | ||||
-rw-r--r-- | queue-2.6.38/mac80211-fix-a-few-rcu-issues.patch | 51 | ||||
-rw-r--r-- | queue-2.6.38/nl80211-fix-set_key-regression-with-some-drivers.patch | 51 | ||||
-rw-r--r-- | queue-2.6.38/series | 9 | ||||
-rw-r--r-- | queue-2.6.38/wire-up-clock_adjtime-syscall.patch | 40 | ||||
-rw-r--r-- | queue-2.6.38/wire-up-fanotify-syscalls.patch | 57 | ||||
-rw-r--r-- | queue-2.6.38/wire-up-syncfs-syscall.patch | 40 | ||||
-rw-r--r-- | queue-2.6.38/wire-up-the-fhandle-syscalls.patch | 42 | ||||
-rw-r--r-- | queue-2.6.38/x86-64-bit-fix-copy__user-checks-for-the.patch | 118 |
10 files changed, 496 insertions, 0 deletions
diff --git a/queue-2.6.38/iwlwifi-fix-bugs-in-change_interface.patch b/queue-2.6.38/iwlwifi-fix-bugs-in-change_interface.patch
new file mode 100644
index 0000000000..9601207769
--- /dev/null
+++ b/queue-2.6.38/iwlwifi-fix-bugs-in-change_interface.patch
@@ -0,0 +1,50 @@
+From a2b76b3b31568da9d281a393845f17689594ccdf Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 29 Mar 2011 06:29:37 -0700
+Subject: iwlwifi: fix bugs in change_interface
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a2b76b3b31568da9d281a393845f17689594ccdf upstream.
+
+If change_interface gets invoked during a firmware
+restart, it may crash; prevent that from happening
+by checking if ctx->vif is assigned.
+
+Additionally, in my initial commit I forgot to set
+the vif->p2p variable correctly, so fix that too.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-core.c
++++ b/drivers/net/wireless/iwlwifi/iwl-core.c
+@@ -1879,6 +1879,15 @@ int iwl_mac_change_interface(struct ieee
+
+ mutex_lock(&priv->mutex);
+
++ if (!ctx->vif || !iwl_is_ready_rf(priv)) {
++ /*
++ * Huh? But wait ... this can maybe happen when
++ * we're in the middle of a firmware restart!
++ */
++ err = -EBUSY;
++ goto out;
++ }
++
+ interface_modes = ctx->interface_modes | ctx->exclusive_interface_modes;
+
+ if (!(interface_modes & BIT(newtype))) {
+@@ -1906,6 +1915,7 @@ int iwl_mac_change_interface(struct ieee
+ /* success */
+ iwl_teardown_interface(priv, vif, true);
+ vif->type = newtype;
++ vif->p2p = newp2p;
+ err = iwl_setup_interface(priv, ctx);
+ WARN_ON(err);
+ /*
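Review bot: The comment on the new `!ctx->vif || !iwl_is_ready_rf(priv)` guard in iwl_mac_change_interface (`Huh? But wait ...`) does not state what the check protects, which matters because the commit message says the unguarded path can crash during a firmware restart. I would replace it with something like `/* ctx->vif may be unset and the RF not ready while a firmware restart is in progress; bail out instead of touching the context. */`. It is also worth confirming that the `out` label releases `priv->mutex`, since the early exit is taken after `mutex_lock()`; the label lies outside this hunk, as do the start and end of the function.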
diff --git a/queue-2.6.38/libata-use-maximum-write-same-length-to-report-discard-size.patch b/queue-2.6.38/libata-use-maximum-write-same-length-to-report-discard-size.patch
new file mode 100644
index 0000000000..47496548c1
--- /dev/null
+++ b/queue-2.6.38/libata-use-maximum-write-same-length-to-report-discard-size.patch
@@ -0,0 +1,38 @@
+From 5f4e206666f834340b69ddb43f86de3851c8675a Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 17 May 2011 22:13:23 -0400
+Subject: libata: Use Maximum Write Same Length to report discard size
+ limit
+
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+
+commit 5f4e206666f834340b69ddb43f86de3851c8675a upstream.
+
+Previously we used Maximum Unmap LBA Count in the Block Limits VPD to
+signal the maximum number of sectors we could handle in a single Write
+Same command.
+
+Starting with SBC3r26 the Block Limits VPD has an explicit limit on the
+number of blocks in a Write Same. This means we can stop abusing a field
+related to the Unmap command and let our SAT use the proper value in the
+VPD (Maximum Write Same Length).
+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/libata-scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2127,7 +2127,7 @@ static unsigned int ata_scsiop_inq_b0(st
+ * with the unmap bit set.
+ */
+ if (ata_id_has_trim(args->id)) {
+- put_unaligned_be32(65535 * 512 / 8, &rbuf[20]);
++ put_unaligned_be64(65535 * 512 / 8, &rbuf[36]);
+ put_unaligned_be32(1, &rbuf[28]);
+ }
+
diff --git a/queue-2.6.38/mac80211-fix-a-few-rcu-issues.patch b/queue-2.6.38/mac80211-fix-a-few-rcu-issues.patch
new file mode 100644
index 0000000000..83946df640
--- /dev/null
+++ b/queue-2.6.38/mac80211-fix-a-few-rcu-issues.patch
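Review bot: The changed line in ata_scsiop_inq_b0 now stores eight bytes at `&rbuf[36]` (offsets 36 to 43) instead of four at `&rbuf[20]`, and nothing visible in the hunk shows that the response buffer and the VPD page-length byte cover offset 43. That should be confirmed against the part of the function outside the hunk, in the 2.6.38 tree this backport targets. The constant is also unexplained; a comment such as `/* 64 TRIM range entries (512 / 8) of up to 65535 sectors each */` would help, assuming that is the intended derivation.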
@@ -0,0 +1,51 @@
+From a3836e02ba4c50db958d32d710b226f2408623dc Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 12 May 2011 15:11:37 +0200
+Subject: mac80211: fix a few RCU issues
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a3836e02ba4c50db958d32d710b226f2408623dc upstream.
+
+A few configuration functions correctly do
+rcu_read_lock() but don't correctly reference
+some pointers protected by RCU. Fix that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/cfg.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -228,11 +228,11 @@ static int ieee80211_get_key(struct wiph
+ goto out;
+
+ if (pairwise)
+- key = sta->ptk;
++ key = rcu_dereference(sta->ptk);
+ else if (key_idx < NUM_DEFAULT_KEYS)
+- key = sta->gtk[key_idx];
++ key = rcu_dereference(sta->gtk[key_idx]);
+ } else
+- key = sdata->keys[key_idx];
++ key = rcu_dereference(sdata->keys[key_idx]);
+
+ if (!key)
+ goto out;
+@@ -904,8 +904,10 @@ static int ieee80211_change_mpath(struct
+ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
+ struct mpath_info *pinfo)
+ {
+- if (mpath->next_hop)
+- memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
++ struct sta_info *next_hop_sta = rcu_dereference(mpath->next_hop);
++
++ if (next_hop_sta)
++ memcpy(next_hop, next_hop_sta->sta.addr, ETH_ALEN);
+ else
+ memset(next_hop, 0, ETH_ALEN);
+
diff --git a/queue-2.6.38/nl80211-fix-set_key-regression-with-some-drivers.patch b/queue-2.6.38/nl80211-fix-set_key-regression-with-some-drivers.patch
new file mode 100644
index 0000000000..02bb0a1827
--- /dev/null
+++ b/queue-2.6.38/nl80211-fix-set_key-regression-with-some-drivers.patch
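Review bot: mpath_set_pinfo now calls `rcu_dereference(mpath->next_hop)` but carries no indication that it must run inside an RCU read-side critical section; the commit message says the configuration functions take rcu_read_lock(), yet no caller is visible in this hunk. A one-line comment above the function, `/* Caller must hold rcu_read_lock(). */`, would make the requirement explicit. In the ieee80211_get_key hunk the final `else` branch reads `sdata->keys[key_idx]` with no bound check visible, unlike the `key_idx < NUM_DEFAULT_KEYS` test guarding `sta->gtk`; presumably the index is validated before this point, which lies outside the hunk and is worth checking.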
@@ -0,0 +1,51 @@
+From 0e579d6a8f4aea346da818f13ee71401c125e639 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni.malinen@atheros.com>
+Date: Tue, 3 May 2011 22:45:16 -0700
+Subject: nl80211: Fix set_key regression with some drivers
+
+From: Jouni Malinen <jouni.malinen@atheros.com>
+
+commit 0e579d6a8f4aea346da818f13ee71401c125e639 upstream.
+
+Commit dbd2fd656f2060abfd3a16257f8b51ec60f6d2ed added a mechanism for
+user space to indicate whether a default key is being configured for
+only unicast or only multicast frames instead of all frames. This
+commit added a driver capability flag for indicating whether separate
+default keys are supported and validation of the set_key command based
+on that capability.
+
+However, this single capability flag is not enough to cover possible
+difference based on mode (AP/IBSS/STA) and the way this change was
+introduced resulted in a regression with drivers that do not indicate
+the new capability (i.e.., more or less any non-mac80211 driver using
+cfg80211) when using a recent wpa_supplicant snapshot.
+
+Fix the regression by removing the new check which is not strictly
+speaking needed. The new separate default key functionality is needed
+only for RSN IBSS which has a separate capability indication.
+
+Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -1679,14 +1679,6 @@ static int nl80211_set_key(struct sk_buf
+ if (err)
+ goto out;
+
+- if (!(rdev->wiphy.flags &
+- WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS)) {
+- if (!key.def_uni || !key.def_multi) {
+- err = -EOPNOTSUPP;
+- goto out;
+- }
+- }
+-
+ err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
+ key.def_uni, key.def_multi);
+
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index 172ebfbde6..2e495eb5ce 100644
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
@@ -29,3 +29,12 @@ block-add-proper-state-guards-to-__elv_next_request.patch
 block-always-allocate-genhd-ev-if-check_events-is.patch
 mtd-mtdconcat-fix-nand-oob-write.patch
 mtd-return-badblockbits-back.patch
+x86-64-bit-fix-copy__user-checks-for-the.patch
+libata-use-maximum-write-same-length-to-report-discard-size.patch
+iwlwifi-fix-bugs-in-change_interface.patch
+nl80211-fix-set_key-regression-with-some-drivers.patch
+mac80211-fix-a-few-rcu-issues.patch
+wire-up-fanotify-syscalls.patch
+wire-up-clock_adjtime-syscall.patch
+wire-up-the-fhandle-syscalls.patch
+wire-up-syncfs-syscall.patch
diff --git a/queue-2.6.38/wire-up-clock_adjtime-syscall.patch b/queue-2.6.38/wire-up-clock_adjtime-syscall.patch
new file mode 100644
index 0000000000..6cc64bc46b
--- /dev/null
+++ b/queue-2.6.38/wire-up-clock_adjtime-syscall.patch
@@ -0,0 +1,40 @@
+From c3f957a22eca106bd28136943305b390b4337ebf Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:45 -0700
+Subject: [PARISC] wire up clock_adjtime syscall
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit c3f957a22eca106bd28136943305b390b4337ebf upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 3 ++-
+ arch/parisc/kernel/syscall_table.S | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -816,8 +816,9 @@
+ #define __NR_prlimit64 (__NR_Linux + 321)
+ #define __NR_fanotify_init (__NR_Linux + 322)
+ #define __NR_fanotify_mark (__NR_Linux + 323)
++#define __NR_clock_adjtime (__NR_Linux + 324)
+
+-#define __NR_Linux_syscalls (__NR_fanotify_mark + 1)
++#define __NR_Linux_syscalls (__NR_clock_adjtime + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -422,6 +422,7 @@
+ ENTRY_SAME(prlimit64)
+ ENTRY_SAME(fanotify_init)
+ ENTRY_COMP(fanotify_mark)
++ ENTRY_COMP(clock_adjtime)
+
+ /* Nothing yet */
+
diff --git a/queue-2.6.38/wire-up-fanotify-syscalls.patch b/queue-2.6.38/wire-up-fanotify-syscalls.patch
new file mode 100644
index 0000000000..89d54cd30a
--- /dev/null
+++ b/queue-2.6.38/wire-up-fanotify-syscalls.patch
@@ -0,0 +1,57 @@
+From 1824074b07ee66fa0f714e08579ad85075132d7b Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:44 -0700
+Subject: [PARISC] wire up fanotify syscalls
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 1824074b07ee66fa0f714e08579ad85075132d7b upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 4 +++-
+ arch/parisc/kernel/sys_parisc32.c | 8 ++++++++
+ arch/parisc/kernel/syscall_table.S | 2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -814,8 +814,10 @@
+ #define __NR_recvmmsg (__NR_Linux + 319)
+ #define __NR_accept4 (__NR_Linux + 320)
+ #define __NR_prlimit64 (__NR_Linux + 321)
++#define __NR_fanotify_init (__NR_Linux + 322)
++#define __NR_fanotify_mark (__NR_Linux + 323)
+
+-#define __NR_Linux_syscalls (__NR_prlimit64 + 1)
++#define __NR_Linux_syscalls (__NR_fanotify_mark + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/sys_parisc32.c
++++ b/arch/parisc/kernel/sys_parisc32.c
+@@ -228,3 +228,11 @@ asmlinkage long compat_sys_fallocate(int
+ return sys_fallocate(fd, mode, ((loff_t)offhi << 32) | offlo,
+ ((loff_t)lenhi << 32) | lenlo);
+ }
++
++asmlinkage long compat_sys_fanotify_mark(int fan_fd, int flags, u32 mask_hi,
++ u32 mask_lo, int fd,
++ const char __user *pathname)
++{
++ return sys_fanotify_mark(fan_fd, flags, ((u64)mask_hi << 32) | mask_lo,
++ fd, pathname);
++}
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -420,6 +420,8 @@
+ ENTRY_COMP(recvmmsg)
+ ENTRY_SAME(accept4) /* 320 */
+ ENTRY_SAME(prlimit64)
++ ENTRY_SAME(fanotify_init)
++ ENTRY_COMP(fanotify_mark)
+
+ /* Nothing yet */
+
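Review bot: compat_sys_fanotify_mark is added to sys_parisc32.c without a comment saying why the wrapper exists, namely that the 64-bit mask arrives as two 32-bit arguments and is reassembled with `((u64)mask_hi << 32) | mask_lo`. A short header such as `/* 32-bit callers pass the 64-bit fanotify mask as two words, high word first. */` would document the argument order that the `ENTRY_COMP(fanotify_mark)` table entry relies on. The high-first order is read off the parameter names only, so it should be checked against the parisc 32-bit calling convention before the comment is committed.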
diff --git a/queue-2.6.38/wire-up-syncfs-syscall.patch b/queue-2.6.38/wire-up-syncfs-syscall.patch
new file mode 100644
index 0000000000..c27390594b
--- /dev/null
+++ b/queue-2.6.38/wire-up-syncfs-syscall.patch
@@ -0,0 +1,40 @@
+From 2e7bad5f34b5beed47542490c760ed26574e38ba Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:47 -0700
+Subject: [PARISC] wire up syncfs syscall
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 2e7bad5f34b5beed47542490c760ed26574e38ba upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 3 ++-
+ arch/parisc/kernel/syscall_table.S | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -819,8 +819,9 @@
+ #define __NR_clock_adjtime (__NR_Linux + 324)
+ #define __NR_name_to_handle_at (__NR_Linux + 325)
+ #define __NR_open_by_handle_at (__NR_Linux + 326)
++#define __NR_syncfs (__NR_Linux + 327)
+
+-#define __NR_Linux_syscalls (__NR_open_by_handle_at + 1)
++#define __NR_Linux_syscalls (__NR_syncfs + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -425,6 +425,7 @@
+ ENTRY_COMP(clock_adjtime)
+ ENTRY_SAME(name_to_handle_at) /* 325 */
+ ENTRY_COMP(open_by_handle_at)
++ ENTRY_SAME(syncfs)
+
+ /* Nothing yet */
+
diff --git a/queue-2.6.38/wire-up-the-fhandle-syscalls.patch b/queue-2.6.38/wire-up-the-fhandle-syscalls.patch
new file mode 100644
index 0000000000..cf63043f32
--- /dev/null
+++ b/queue-2.6.38/wire-up-the-fhandle-syscalls.patch
@@ -0,0 +1,42 @@
+From a71aae4cec120ee85cf32608fca40a4605461214 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 15 Apr 2011 08:55:46 -0700
+Subject: [PARISC] wire up the fhandle syscalls
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit a71aae4cec120ee85cf32608fca40a4605461214 upstream.
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/parisc/include/asm/unistd.h | 4 +++-
+ arch/parisc/kernel/syscall_table.S | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/unistd.h
++++ b/arch/parisc/include/asm/unistd.h
+@@ -817,8 +817,10 @@
+ #define __NR_fanotify_init (__NR_Linux + 322)
+ #define __NR_fanotify_mark (__NR_Linux + 323)
+ #define __NR_clock_adjtime (__NR_Linux + 324)
++#define __NR_name_to_handle_at (__NR_Linux + 325)
++#define __NR_open_by_handle_at (__NR_Linux + 326)
+
+-#define __NR_Linux_syscalls (__NR_clock_adjtime + 1)
++#define __NR_Linux_syscalls (__NR_open_by_handle_at + 1)
+
+
+ #define __IGNORE_select /* newselect */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -423,6 +423,8 @@
+ ENTRY_SAME(fanotify_init)
+ ENTRY_COMP(fanotify_mark)
+ ENTRY_COMP(clock_adjtime)
++ ENTRY_SAME(name_to_handle_at) /* 325 */
++ ENTRY_COMP(open_by_handle_at)
+
+ /* Nothing yet */
+
diff --git a/queue-2.6.38/x86-64-bit-fix-copy__user-checks-for-the.patch b/queue-2.6.38/x86-64-bit-fix-copy__user-checks-for-the.patch
new file mode 100644
index 0000000000..4c0ce526aa
--- /dev/null
+++ b/queue-2.6.38/x86-64-bit-fix-copy__user-checks-for-the.patch
@@ -0,0 +1,118 @@
+From 26afb7c661080ae3f1f13ddf7f0c58c4f931c22b Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Thu, 12 May 2011 16:30:30 +0200
+Subject: x86, 64-bit: Fix copy_[to/from]_user() checks for the
+ userspace address limit
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+commit 26afb7c661080ae3f1f13ddf7f0c58c4f931c22b upstream.
+
+As reported in BZ #30352:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=30352
+
+there's a kernel bug related to reading the last allowed page on x86_64.
+
+The _copy_to_user() and _copy_from_user() functions use the following
+check for address limit:
+
+ if (buf + size >= limit)
+ fail();
+
+while it should be more permissive:
+
+ if (buf + size > limit)
+ fail();
+
+That's because the size represents the number of bytes being
+read/write from/to buf address AND including the buf address.
+So the copy function will actually never touch the limit
+address even if "buf + size == limit".
+
+Following program fails to use the last page as buffer
+due to the wrong limit check:
+
+ #include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <assert.h>
+
+ #define PAGE_SIZE (4096)
+ #define LAST_PAGE ((void*)(0x7fffffffe000))
+
+ int main()
+ {
+ int fds[2], err;
+ void * ptr = mmap(LAST_PAGE, PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+ assert(ptr == LAST_PAGE);
+ err = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds);
+ assert(err == 0);
+ err = send(fds[0], ptr, PAGE_SIZE, 0);
+ perror("send");
+ assert(err == PAGE_SIZE);
+ err = recv(fds[1], ptr, PAGE_SIZE, MSG_WAITALL);
+ perror("recv");
+ assert(err == PAGE_SIZE);
+ return 0;
+ }
+
+The other place checking the addr limit is the access_ok() function,
+which is working properly. There's just a misleading comment
+for the __range_not_ok() macro - which this patch fixes as well.
+
+The last page of the user-space address range is a guard page and
+Brian Gerst observed that the guard page itself due to an erratum on K8 cpus
+(#121 Sequential Execution Across Non-Canonical Boundary Causes Processor
+Hang).
+
+However, the test code is using the last valid page before the guard page.
+The bug is that the last byte before the guard page can't be read
+because of the off-by-one error. The guard page is left in place.
+
+This bug would normally not show up because the last page is
+part of the process stack and never accessed via syscalls.
+
+Signed-off-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Brian Gerst <brgerst@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/1305210630-7136-1-git-send-email-jolsa@redhat.com
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/uaccess.h | 2 +-
+ arch/x86/lib/copy_user_64.S | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -42,7 +42,7 @@
+ * Returns 0 if the range is valid, nonzero otherwise.
+ *
+ * This is equivalent to the following test:
+- * (u33)addr + (u33)size >= (u33)current->addr_limit.seg (u65 for x86_64)
++ * (u33)addr + (u33)size > (u33)current->addr_limit.seg (u65 for x86_64)
+ *
+ * This needs 33-bit (65-bit for x86_64) arithmetic. We have a carry...
+ */
+--- a/arch/x86/lib/copy_user_64.S
++++ b/arch/x86/lib/copy_user_64.S
+@@ -72,7 +72,7 @@ ENTRY(_copy_to_user)
+ addq %rdx,%rcx
+ jc bad_to_user
+ cmpq TI_addr_limit(%rax),%rcx
+- jae bad_to_user
++ ja bad_to_user
+ ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
+ CFI_ENDPROC
+ ENDPROC(_copy_to_user)
+@@ -85,7 +85,7 @@ ENTRY(_copy_from_user)
+ addq %rdx,%rcx
+ jc bad_from_user
+ cmpq TI_addr_limit(%rax),%rcx
+- jae bad_from_user
++ ja bad_from_user
+ ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
+ CFI_ENDPROC
+ ENDPROC(_copy_from_user) |
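Review bot: The relaxed comparison (`ja` in place of `jae`) in _copy_to_user and _copy_from_user is only safe together with the `jc` test two lines earlier, which rejects an `addr + size` sum that wraps, and neither site carries a comment saying so. A comment at each compare, e.g. `/* end == addr_limit is allowed: the last byte touched is end - 1; wrap-around is caught by jc above */`, would keep the two checks from being separated by a later edit. The reproducer quoted in the commit message is not added as a test anywhere in this patch, so the boundary case stays unverified by automation as far as this page shows. Both ENTRY blocks begin outside their hunks.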