diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-02 11:31:46 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-02 11:31:46 -0700 |
commit | 74d959235354de64ad327d4952c65048bd09c067 (patch) | |
tree | 50892daf724aafb6e12bc3b6fb44b420d3bc5f5d | |
parent | 7cb1509433fdaa0c402a419be9b13f94c45831a7 (diff) | |
download | stable-queue-74d959235354de64ad327d4952c65048bd09c067.tar.gz |
3.0 patches
10 files changed, 555 insertions, 0 deletions
diff --git a/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch b/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch new file mode 100644 index 0000000000..5b2f045149 --- /dev/null +++ b/queue-3.0/cciss-do-not-attempt-to-read-from-a-write-only-register.patch @@ -0,0 +1,32 @@ +From 07d0c38e7d84f911c72058a124c7f17b3c779a65 Mon Sep 17 00:00:00 2001 +From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com> +Date: Sat, 9 Jul 2011 09:04:12 +0200 +Subject: cciss: do not attempt to read from a write-only register + +From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com> + +commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream. + +Most smartarrays will tolerate it, but some new ones don't. + +Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com> + +Note: this is a regression caused by commit 1ddd5049 +Signed-off-by: Jens Axboe <jaxboe@fusionio.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/block/cciss.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/cciss.h ++++ b/drivers/block/cciss.h +@@ -223,7 +223,7 @@ static void SA5_submit_command( ctlr_inf + h->ctlr, c->busaddr); + #endif /* CCISS_DEBUG */ + writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET); +- readl(h->vaddr + SA5_REQUEST_PORT_OFFSET); ++ readl(h->vaddr + SA5_SCRATCHPAD_OFFSET); + h->commands_outstanding++; + if ( h->commands_outstanding > h->max_outstanding) + h->max_outstanding = h->commands_outstanding; diff --git a/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch b/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch new file mode 100644 index 0000000000..f29662ab3b --- /dev/null +++ b/queue-3.0/drivers-firmware-sigma.c-needs-module_license.patch @@ -0,0 +1,39 @@ +From 27c46a2546c75c6814562e85b751e3d64c188ad5 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap <rdunlap@xenotime.net> +Date: Mon, 25 Jul 2011 17:13:21 -0700 +Subject: drivers/firmware/sigma.c needs MODULE_LICENSE + +From: Randy Dunlap <rdunlap@xenotime.net> + +commit 27c46a2546c75c6814562e85b751e3d64c188ad5 upstream. + +Fix module tainting message: + + sigma: module license 'unspecified' taints kernel. + +Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> +Acked-by: Mike Frysinger <vapier@gentoo.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/firmware/sigma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/sigma.c ++++ b/drivers/firmware/sigma.c +@@ -11,6 +11,7 @@ + #include <linux/firmware.h> + #include <linux/kernel.h> + #include <linux/i2c.h> ++#include <linux/module.h> + #include <linux/sigma.h> + + /* Return: 0==OK, <0==error, =1 ==no more actions */ +@@ -113,3 +114,5 @@ int process_sigma_firmware(struct i2c_cl + return ret; + } + EXPORT_SYMBOL(process_sigma_firmware); ++ ++MODULE_LICENSE("GPL"); diff --git a/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch b/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch new file mode 100644 index 0000000000..35afa266ca --- /dev/null +++ b/queue-3.0/ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch @@ -0,0 +1,50 @@ +From ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Mon, 30 May 2011 13:29:20 +0200 +Subject: ext3: Fix oops in ext3_try_to_allocate_with_rsv() + +From: Jan Kara <jack@suse.cz> + +commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream. + +Block allocation is called from two places: ext3_get_blocks_handle() and +ext3_xattr_block_set(). These two callers are not necessarily synchronized +because xattr code holds only xattr_sem and i_mutex, and +ext3_get_blocks_handle() may hold only truncate_mutex when called from +writepage() path. Block reservation code does not expect two concurrent +allocations to happen to the same inode and thus assertions can be triggered +or reservation structure corruption can occur. + +Fix the problem by taking truncate_mutex in xattr code to serialize +allocations. + +CC: Sage Weil <sage@newdream.net> +Reported-by: Fyodor Ustinov <ufm@ufm.su> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/ext3/xattr.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ext3/xattr.c ++++ b/fs/ext3/xattr.c +@@ -803,8 +803,16 @@ inserted: + /* We need to allocate a new block */ + ext3_fsblk_t goal = ext3_group_first_block_no(sb, + EXT3_I(inode)->i_block_group); +- ext3_fsblk_t block = ext3_new_block(handle, inode, +- goal, &error); ++ ext3_fsblk_t block; ++ ++ /* ++ * Protect us agaist concurrent allocations to the ++ * same inode from ext3_..._writepage(). Reservation ++ * code does not expect racing allocations. ++ */ ++ mutex_lock(&EXT3_I(inode)->truncate_mutex); ++ block = ext3_new_block(handle, inode, goal, &error); ++ mutex_unlock(&EXT3_I(inode)->truncate_mutex); + if (error) + goto cleanup; + ea_idebug(inode, "creating block %d", block); diff --git a/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch b/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch new file mode 100644 index 0000000000..e414f0599f --- /dev/null +++ b/queue-3.0/ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch @@ -0,0 +1,82 @@ +From 7132de744ba76930d13033061018ddd7e3e8cd91 Mon Sep 17 00:00:00 2001 +From: Maxim Patlasov <maxim.patlasov@gmail.com> +Date: Sun, 10 Jul 2011 19:37:48 -0400 +Subject: ext4: fix i_blocks/quota accounting when extent insertion fails + +From: Maxim Patlasov <maxim.patlasov@gmail.com> + +commit 7132de744ba76930d13033061018ddd7e3e8cd91 upstream. + +The current implementation of ext4_free_blocks() always calls +dquot_free_block This looks quite sensible in the most cases: blocks +to be freed are associated with inode and were accounted in quota and +i_blocks some time ago. + +However, there is a case when blocks to free were not accounted by the +time calling ext4_free_blocks() yet: + +1. delalloc is on, write_begin pre-allocated some space in quota +2. write-back happens, ext4 allocates some blocks in ext4_ext_map_blocks() +3. then ext4_ext_map_blocks() gets an error (e.g. ENOSPC) from + ext4_ext_insert_extent() and calls ext4_free_blocks(). + +In this scenario, ext4_free_blocks() calls dquot_free_block() who, in +turn, decrements i_blocks for blocks which were not accounted yet (due +to delalloc) After clean umount, e2fsck reports something like: + +> Inode 21, i_blocks is 5080, should be 5128. Fix<y>? +because i_blocks was erroneously decremented as explained above. + +The patch fixes the problem by passing the new flag +EXT4_FREE_BLOCKS_NO_QUOT_UPDATE to ext4_free_blocks(), to request +that the dquot_free_block() call be skipped. + +Signed-off-by: Maxim Patlasov <maxim.patlasov@gmail.com> +Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/ext4/ext4.h | 1 + + fs/ext4/extents.c | 4 +++- + fs/ext4/mballoc.c | 2 +- + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -526,6 +526,7 @@ struct ext4_new_group_data { + #define EXT4_FREE_BLOCKS_METADATA 0x0001 + #define EXT4_FREE_BLOCKS_FORGET 0x0002 + #define EXT4_FREE_BLOCKS_VALIDATED 0x0004 ++#define EXT4_FREE_BLOCKS_NO_QUOT_UPDATE 0x0008 + + /* + * ioctl commands +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3601,12 +3601,14 @@ int ext4_ext_map_blocks(handle_t *handle + + err = ext4_ext_insert_extent(handle, inode, path, &newex, flags); + if (err) { ++ int fb_flags = flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE ? ++ EXT4_FREE_BLOCKS_NO_QUOT_UPDATE : 0; + /* free data blocks we just allocated */ + /* not a good idea to call discard here directly, + * but otherwise we'd need to call it every free() */ + ext4_discard_preallocations(inode); + ext4_free_blocks(handle, inode, NULL, ext4_ext_pblock(&newex), +- ext4_ext_get_actual_len(&newex), 0); ++ ext4_ext_get_actual_len(&newex), fb_flags); + goto out2; + } + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4637,7 +4637,7 @@ do_more: + } + ext4_mark_super_dirty(sb); + error_return: +- if (freed) ++ if (freed && !(flags & EXT4_FREE_BLOCKS_NO_QUOT_UPDATE)) + dquot_free_block(inode, freed); + brelse(bitmap_bh); + ext4_std_error(sb, err); diff --git a/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch b/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch new file mode 100644 index 0000000000..97383872da --- /dev/null +++ b/queue-3.0/ext4-free-allocated-and-pre-allocated-blocks-when.patch @@ -0,0 +1,42 @@ +From 575a1d4bdfa2ea9fc10733013136145b497e1be0 Mon Sep 17 00:00:00 2001 +From: Jiaying Zhang <jiayingz@google.com> +Date: Sun, 10 Jul 2011 20:07:25 -0400 +Subject: ext4: free allocated and pre-allocated blocks when + check_eofblocks_fl fails + +From: Jiaying Zhang <jiayingz@google.com> + +commit 575a1d4bdfa2ea9fc10733013136145b497e1be0 upstream. + +Upon corrupted inode or disk failures, we may fail after we already +allocate some blocks from the inode or take some blocks from the +inode's preallocation list, but before we successfully insert the +corresponding extent to the extent tree. In this case, we should free +any allocated blocks and discard the inode's preallocated blocks +because the entries in the inode's preallocation list may be in an +inconsistent state. + +Signed-off-by: Jiaying Zhang <jiayingz@google.com> +Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/ext4/extents.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3596,10 +3596,9 @@ int ext4_ext_map_blocks(handle_t *handle + } + + err = check_eofblocks_fl(handle, inode, map->m_lblk, path, ar.len); +- if (err) +- goto out2; +- +- err = ext4_ext_insert_extent(handle, inode, path, &newex, flags); ++ if (!err) ++ err = ext4_ext_insert_extent(handle, inode, path, ++ &newex, flags); + if (err) { + int fb_flags = flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE ? + EXT4_FREE_BLOCKS_NO_QUOT_UPDATE : 0; diff --git a/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch b/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch new file mode 100644 index 0000000000..ce3ac1960a --- /dev/null +++ b/queue-3.0/geode-reflect-mfgpt-dependency-on-mfd.patch @@ -0,0 +1,43 @@ +From 703f03c896fdbd726b809066ae279df513992f0e Mon Sep 17 00:00:00 2001 +From: "Philip A. Prindeville" <philipp@redfish-solutions.com> +Date: Mon, 25 Jul 2011 17:13:05 -0700 +Subject: geode: reflect mfgpt dependency on mfd + +From: "Philip A. Prindeville" <philipp@redfish-solutions.com> + +commit 703f03c896fdbd726b809066ae279df513992f0e upstream. + +As stated in drivers/mfd/cs5535-mfd.c, the mfd driver exposes the BARs +which then make the GPIO, MFGPT, ACPI, etc. all visible to the system. + +So the dependencies of the MFGPT stuff have changed, and most people +expect Kconfig to bring in the necessary dependencies. Without them, the +module fails to load and most people don't understand why because the +details of the rewrite aren't captured anywhere most people who know to +look. + +This dependency needs to be reflected in Kconfig. + +Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com> +Acked-by: Alexandros C. Couloumbis <alex@ozo.com> +Acked-by: Andres Salomon <dilinger@queued.net> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/misc/Kconfig | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/Kconfig ++++ b/drivers/misc/Kconfig +@@ -245,8 +245,7 @@ config SGI_XP + + config CS5535_MFGPT + tristate "CS5535/CS5536 Geode Multi-Function General Purpose Timer (MFGPT) support" +- depends on PCI +- depends on X86 ++ depends on PCI && X86 && MFD_CS5535 + default n + help + This driver provides access to MFGPT functionality for other diff --git a/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch b/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch new file mode 100644 index 0000000000..d3291d61b1 --- /dev/null +++ b/queue-3.0/mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch @@ -0,0 +1,46 @@ +From ccb6108f5b0b541d3eb332c3a73e645c0f84278e Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Mon, 25 Jul 2011 17:11:57 -0700 +Subject: mm/backing-dev.c: reset bdi min_ratio in bdi_unregister() + +From: Peter Zijlstra <peterz@infradead.org> + +commit ccb6108f5b0b541d3eb332c3a73e645c0f84278e upstream. + +Vito said: + +: The system has many usb disks coming and going day to day, with their +: respective bdi's having min_ratio set to 1 when inserted. It works for +: some time until eventually min_ratio can no longer be set, even when the +: active set of bdi's seen in /sys/class/bdi/*/min_ratio doesn't add up to +: anywhere near 100. +: +: This then leads to an unrelated starvation problem caused by write-heavy +: fuse mounts being used atop the usb disks, a problem the min_ratio setting +: at the underlying devices bdi effectively prevents. + +Fix this leakage by resetting the bdi min_ratio when unregistering the +BDI. + +Signed-off-by: Peter Zijlstra <peterz@infradead.org> +Reported-by: Vito Caputo <lkml@pengaru.com> +Cc: Wu Fengguang <fengguang.wu@intel.com> +Cc: Miklos Szeredi <miklos@szeredi.hu> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + mm/backing-dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/backing-dev.c ++++ b/mm/backing-dev.c +@@ -606,6 +606,7 @@ static void bdi_prune_sb(struct backing_ + void bdi_unregister(struct backing_dev_info *bdi) + { + if (bdi->dev) { ++ bdi_set_min_ratio(bdi, 0); + trace_writeback_bdi_unregister(bdi); + bdi_prune_sb(bdi); + del_timer_sync(&bdi->wb.wakeup_timer); diff --git a/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch b/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch new file mode 100644 index 0000000000..4ed25598ac --- /dev/null +++ b/queue-3.0/mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch @@ -0,0 +1,176 @@ +From 2efaca927f5cd7ecd0f1554b8f9b6a9a2c329c03 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Date: Mon, 25 Jul 2011 17:12:32 -0700 +Subject: mm/futex: fix futex writes on archs with SW tracking of dirty & young + +From: Benjamin Herrenschmidt <benh@kernel.crashing.org> + +commit 2efaca927f5cd7ecd0f1554b8f9b6a9a2c329c03 upstream. + +I haven't reproduced it myself but the fail scenario is that on such +machines (notably ARM and some embedded powerpc), if you manage to hit +that futex path on a writable page whose dirty bit has gone from the PTE, +you'll livelock inside the kernel from what I can tell. + +It will go in a loop of trying the atomic access, failing, trying gup to +"fix it up", getting succcess from gup, go back to the atomic access, +failing again because dirty wasn't fixed etc... + +So I think you essentially hang in the kernel. + +The scenario is probably rare'ish because affected architecture are +embedded and tend to not swap much (if at all) so we probably rarely hit +the case where dirty is missing or young is missing, but I think Shan has +a piece of SW that can reliably reproduce it using a shared writable +mapping & fork or something like that. + +On archs who use SW tracking of dirty & young, a page without dirty is +effectively mapped read-only and a page without young unaccessible in the +PTE. + +Additionally, some architectures might lazily flush the TLB when relaxing +write protection (by doing only a local flush), and expect a fault to +invalidate the stale entry if it's still present on another processor. + +The futex code assumes that if the "in_atomic()" access -EFAULT's, it can +"fix it up" by causing get_user_pages() which would then be equivalent to +taking the fault. + +However that isn't the case. get_user_pages() will not call +handle_mm_fault() in the case where the PTE seems to have the right +permissions, regardless of the dirty and young state. It will eventually +update those bits ... in the struct page, but not in the PTE. + +Additionally, it will not handle the lazy TLB flushing that can be +required by some architectures in the fault case. + +Basically, gup is the wrong interface for the job. The patch provides a +more appropriate one which boils down to just calling handle_mm_fault() +since what we are trying to do is simulate a real page fault. + +The futex code currently attempts to write to user memory within a +pagefault disabled section, and if that fails, tries to fix it up using +get_user_pages(). + +This doesn't work on archs where the dirty and young bits are maintained +by software, since they will gate access permission in the TLB, and will +not be updated by gup(). + +In addition, there's an expectation on some archs that a spurious write +fault triggers a local TLB flush, and that is missing from the picture as +well. + +I decided that adding those "features" to gup() would be too much for this +already too complex function, and instead added a new simpler +fixup_user_fault() which is essentially a wrapper around handle_mm_fault() +which the futex code can call. + +[akpm@linux-foundation.org: coding-style fixes] +[akpm@linux-foundation.org: fix some nits Darren saw, fiddle comment layout] +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Reported-by: Shan Hai <haishan.bai@gmail.com> +Tested-by: Shan Hai <haishan.bai@gmail.com> +Cc: David Laight <David.Laight@ACULAB.COM> +Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> +Cc: Darren Hart <darren.hart@intel.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/linux/mm.h | 2 + + kernel/futex.c | 4 +-- + mm/memory.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 61 insertions(+), 3 deletions(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -985,6 +985,8 @@ int get_user_pages(struct task_struct *t + int get_user_pages_fast(unsigned long start, int nr_pages, int write, + struct page **pages); + struct page *get_dump_page(unsigned long addr); ++extern int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm, ++ unsigned long address, unsigned int fault_flags); + + extern int try_to_release_page(struct page * page, gfp_t gfp_mask); + extern void do_invalidatepage(struct page *page, unsigned long offset); +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -355,8 +355,8 @@ static int fault_in_user_writeable(u32 _ + int ret; + + down_read(&mm->mmap_sem); +- ret = get_user_pages(current, mm, (unsigned long)uaddr, +- 1, 1, 0, NULL, NULL); ++ ret = fixup_user_fault(current, mm, (unsigned long)uaddr, ++ FAULT_FLAG_WRITE); + up_read(&mm->mmap_sem); + + return ret < 0 ? ret : 0; +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1816,7 +1816,63 @@ next_page: + } + EXPORT_SYMBOL(__get_user_pages); + +-/** ++/* ++ * fixup_user_fault() - manually resolve a user page fault ++ * @tsk: the task_struct to use for page fault accounting, or ++ * NULL if faults are not to be recorded. ++ * @mm: mm_struct of target mm ++ * @address: user address ++ * @fault_flags:flags to pass down to handle_mm_fault() ++ * ++ * This is meant to be called in the specific scenario where for locking reasons ++ * we try to access user memory in atomic context (within a pagefault_disable() ++ * section), this returns -EFAULT, and we want to resolve the user fault before ++ * trying again. ++ * ++ * Typically this is meant to be used by the futex code. ++ * ++ * The main difference with get_user_pages() is that this function will ++ * unconditionally call handle_mm_fault() which will in turn perform all the ++ * necessary SW fixup of the dirty and young bits in the PTE, while ++ * handle_mm_fault() only guarantees to update these in the struct page. ++ * ++ * This is important for some architectures where those bits also gate the ++ * access permission to the page because they are maintained in software. On ++ * such architectures, gup() will not be enough to make a subsequent access ++ * succeed. ++ * ++ * This should be called with the mm_sem held for read. ++ */ ++int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm, ++ unsigned long address, unsigned int fault_flags) ++{ ++ struct vm_area_struct *vma; ++ int ret; ++ ++ vma = find_extend_vma(mm, address); ++ if (!vma || address < vma->vm_start) ++ return -EFAULT; ++ ++ ret = handle_mm_fault(mm, vma, address, fault_flags); ++ if (ret & VM_FAULT_ERROR) { ++ if (ret & VM_FAULT_OOM) ++ return -ENOMEM; ++ if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)) ++ return -EHWPOISON; ++ if (ret & VM_FAULT_SIGBUS) ++ return -EFAULT; ++ BUG(); ++ } ++ if (tsk) { ++ if (ret & VM_FAULT_MAJOR) ++ tsk->maj_flt++; ++ else ++ tsk->min_flt++; ++ } ++ return 0; ++} ++ ++/* + * get_user_pages() - pin user pages in memory + * @tsk: the task_struct to use for page fault accounting, or + * NULL if faults are not to be recorded. diff --git a/queue-3.0/series b/queue-3.0/series index e1e0d80af6..f88e3b354c 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -61,3 +61,12 @@ tracing-fix-bug-when-reading-system-filters-on-module.patch tracing-have-enable-file-use-refcounts-like-the-filter.patch xz-fix-missing-linux-kernel.h-include.patch pci-ari-is-a-pcie-v2-feature.patch +cciss-do-not-attempt-to-read-from-a-write-only-register.patch +drivers-firmware-sigma.c-needs-module_license.patch +geode-reflect-mfgpt-dependency-on-mfd.patch +mm-futex-fix-futex-writes-on-archs-with-sw-tracking-of-dirty-young.patch +mm-backing-dev.c-reset-bdi-min_ratio-in-bdi_unregister.patch +xtensa-prevent-arbitrary-read-in-ptrace.patch +ext4-fix-i_blocks-quota-accounting-when-extent-insertion-fails.patch +ext4-free-allocated-and-pre-allocated-blocks-when.patch +ext3-fix-oops-in-ext3_try_to_allocate_with_rsv.patch diff --git a/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch b/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch new file mode 100644 index 0000000000..242f90042d --- /dev/null +++ b/queue-3.0/xtensa-prevent-arbitrary-read-in-ptrace.patch @@ -0,0 +1,36 @@ +From 0d0138ebe24b94065580bd2601f8bb7eb6152f56 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Mon, 25 Jul 2011 17:11:53 -0700 +Subject: xtensa: prevent arbitrary read in ptrace + +From: Dan Rosenberg <drosenberg@vsecurity.com> + +commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream. + +Prevent an arbitrary kernel read. Check the user pointer with access_ok() +before copying data in. + +[akpm@linux-foundation.org: s/EIO/EFAULT/] +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Cc: Christian Zankel <chris@zankel.net> +Cc: Oleg Nesterov <oleg@redhat.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/xtensa/kernel/ptrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/xtensa/kernel/ptrace.c ++++ b/arch/xtensa/kernel/ptrace.c +@@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct * + elf_xtregs_t *xtregs = uregs; + int ret = 0; + ++ if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t))) ++ return -EFAULT; ++ + #if XTENSA_HAVE_COPROCESSORS + /* Flush all coprocessors before we overwrite them. */ + coprocessor_flush_all(ti); |