linux-stable.git/include/linux, branch linux-2.6.32.y Linux kernel stable tree readv/writev: do the same MAX_RW_COUNT truncation that read/write does 2016-03-12T13:25:41+00:00 Linus Torvalds torvalds@linux-foundation.org 2010-10-29T17:36:49+00:00 adfdad98d876fc9e43746522d6329d482edca6b3 commit 435f49a518c78eec8e2edbbadd912737246cbe20 upstream. We used to protect against overflow, but rather than return an error, do what read/write does, namely to limit the total size to MAX_RW_COUNT. This is not only more consistent, but it also means that any broken low-level read/write routine that still keeps counts in 'int' can't break. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 435f49a518c78eec8e2edbbadd912737246cbe20 upstream.

We used to protect against overflow, but rather than return an error, do
what read/write does, namely to limit the total size to MAX_RW_COUNT.
This is not only more consistent, but it also means that any broken
low-level read/write routine that still keeps counts in 'int' can't
break.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
mm: add SECTION_ALIGN_UP() and SECTION_ALIGN_DOWN() macro 2016-01-29T21:12:58+00:00 Daniel Kiper dkiper@net-space.pl 2011-05-25T00:12:51+00:00 73734375c75ef304e2b4629bc48af9031be6f672 commit a539f3533b78e39a22723d6d3e1e11b6c14454d9 upstream. Add SECTION_ALIGN_UP() and SECTION_ALIGN_DOWN() macro which aligns given pfn to upper section and lower section boundary accordingly. Required for the latest memory hotplug support for the Xen balloon driver. Signed-off-by: Daniel Kiper <dkiper@net-space.pl> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> David Rientjes <rientjes@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [wt: only needed for next patch] Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit a539f3533b78e39a22723d6d3e1e11b6c14454d9 upstream.

Add SECTION_ALIGN_UP() and SECTION_ALIGN_DOWN() macro which aligns given
pfn to upper section and lower section boundary accordingly.

Required for the latest memory hotplug support for the Xen balloon driver.

Signed-off-by: Daniel Kiper <dkiper@net-space.pl>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: only needed for next patch]
Signed-off-by: Willy Tarreau <w@1wt.eu>
ses: fix additional element traversal bug 2016-01-29T21:12:52+00:00 James Bottomley James.Bottomley@HansenPartnership.com 2015-12-11T17:16:38+00:00 d4b6a10d1fc87c0078f6d9b107d91029bff6cc8a commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream. KASAN found that our additional element processing scripts drop off the end of the VPD page into unallocated space. The reason is that not every element has additional information but our traversal routines think they do, leading to them expecting far more additional information than is present. Fix this by adding a gate to the traversal routine so that it only processes elements that are expected to have additional information (list is in SES-2 section 6.1.13.1: Additional Element Status diagnostic page overview) Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> (cherry picked from commit 344d6d02690a650607e6372bce8fe40e647a51b5) Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.

KASAN found that our additional element processing scripts drop off
the end of the VPD page into unallocated space.  The reason is that
not every element has additional information but our traversal
routines think they do, leading to them expecting far more additional
information than is present.  Fix this by adding a gate to the
traversal routine so that it only processes elements that are expected
to have additional information (list is in SES-2 section 6.1.13.1:
Additional Element Status diagnostic page overview)

Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit 344d6d02690a650607e6372bce8fe40e647a51b5)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Revert "net: add length argument to skb_copy_and_csum_datagram_iovec" 2016-01-29T21:12:40+00:00 Willy Tarreau w@1wt.eu 2016-01-23T10:16:20+00:00 d699b47f3c87c2fb30ed548ffacae85cebf2cafe This reverts commit c507639ba963bb47e3f515670a7cace76af76ab6. As reported by Michal Kubecek, this fix doesn't handle truncated reads correctly. Next patch from Eric fixes it better. Signed-off-by: Willy Tarreau <w@1wt.eu> 
This reverts commit c507639ba963bb47e3f515670a7cace76af76ab6.
As reported by Michal Kubecek, this fix doesn't handle truncated
reads correctly. Next patch from Eric fixes it better.

Signed-off-by: Willy Tarreau <w@1wt.eu>
net: add length argument to skb_copy_and_csum_datagram_iovec 2015-12-05T23:49:13+00:00 Sabrina Dubroca sd@queasysnail.net 2015-10-15T12:25:03+00:00 c507639ba963bb47e3f515670a7cace76af76ab6 Without this length argument, we can read past the end of the iovec in memcpy_toiovec because we have no way of knowing the total length of the iovec's buffers. This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb csum races when peeking") has been backported but that don't have the ioviter conversion, which is almost all the stable trees <= 3.18. This also fixes a kernel crash for NFS servers when the client uses -onfsvers=3,proto=udp to mount the export. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org> [bwh: Backported to 3.2: adjust context in include/linux/skbuff.h] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> (cherry picked from commit 127500d724f8c43f452610c9080444eedb5eaa6c) Signed-off-by: Willy Tarreau <w@1wt.eu> 
Without this length argument, we can read past the end of the iovec in
memcpy_toiovec because we have no way of knowing the total length of the
iovec's buffers.

This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
csum races when peeking") has been backported but that don't have the
ioviter conversion, which is almost all the stable trees <= 3.18.

This also fixes a kernel crash for NFS servers when the client uses
 -onfsvers=3,proto=udp to mount the export.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
[bwh: Backported to 3.2: adjust context in include/linux/skbuff.h]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit 127500d724f8c43f452610c9080444eedb5eaa6c)

Signed-off-by: Willy Tarreau <w@1wt.eu>
security: add cred argument to security_capable() 2015-12-05T23:49:09+00:00 Chris Wright chrisw@sous-sol.org 2011-02-10T06:11:51+00:00 ddf5836aa820bf3b8c59ea3cca77881b41ca8d82 commit 6037b715d6fab139742c3df8851db4c823081561 upstream. Expand security_capable() to include cred, so that it can be usable in a wider range of call sites. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> [wt: needed by next patch only] Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 6037b715d6fab139742c3df8851db4c823081561 upstream.

Expand security_capable() to include cred, so that it can be usable in a
wider range of call sites.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
[wt: needed by next patch only]
Signed-off-by: Willy Tarreau <w@1wt.eu>
nfs: increase size of EXCHANGE_ID name string buffer 2015-09-18T11:52:12+00:00 Jeff Layton jlayton@poochiereds.net 2015-06-09T23:43:56+00:00 d2d8cee6fdfec9355f41e35ab6a06d085f23ec58 commit 764ad8ba8cd4c6f836fca9378f8c5121aece0842 upstream. The current buffer is much too small if you have a relatively long hostname. Bring it up to the size of the one that SETCLIENTID has. Reported-by: Michael Skralivetsky <michael.skralivetsky@primarydata.com> Signed-off-by: Jeff Layton <jeff.layton@primarydata.com> Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> (cherry picked from commit ef24842ca0c24ef7223a0853f7603b1afe7deb11) Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 764ad8ba8cd4c6f836fca9378f8c5121aece0842 upstream.

The current buffer is much too small if you have a relatively long
hostname. Bring it up to the size of the one that SETCLIENTID has.

Reported-by: Michael Skralivetsky <michael.skralivetsky@primarydata.com>
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit ef24842ca0c24ef7223a0853f7603b1afe7deb11)

Signed-off-by: Willy Tarreau <w@1wt.eu>
include/linux/sched.h: don't use task->pid/tgid in same_thread_group/has_group_leader_pid 2015-09-18T11:52:05+00:00 Oleg Nesterov oleg@redhat.com 2013-09-11T21:20:06+00:00 4a6f3fd6d64c09e7056822efd3d89de10dcd2ad1 commit e1403b8edf669ff49bbdf602cc97fefa2760cb15 upstream. task_struct->pid/tgid should go away. 1. Change same_thread_group() to use task->signal for comparison. 2. Change has_group_leader_pid(task) to compare task_pid(task) with signal->leader_pid. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: Michal Hocko <mhocko@suse.cz> Cc: Sergey Dyasly <dserrg@gmail.com> Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@elte.hu> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Sheng Yong <shengyong1@huawei.com> (cherry picked from commit a7b4d51399316329b6a3d9eaeab224d83eeebe67) Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit e1403b8edf669ff49bbdf602cc97fefa2760cb15 upstream.

task_struct->pid/tgid should go away.

1. Change same_thread_group() to use task->signal for comparison.

2. Change has_group_leader_pid(task) to compare task_pid(task) with
   signal->leader_pid.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Sergey Dyasly <dserrg@gmail.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Sheng Yong <shengyong1@huawei.com>
(cherry picked from commit a7b4d51399316329b6a3d9eaeab224d83eeebe67)

Signed-off-by: Willy Tarreau <w@1wt.eu>
lib/lzo: Update LZO compression to current upstream version 2014-11-23T09:55:51+00:00 Markus F.X.J. Oberhumer markus@oberhumer.com 2012-08-13T15:25:44+00:00 bf1d894fed5852708a989a0a3f5df1a169a06afc This commit updates the kernel LZO code to the current upsteam version which features a significant speed improvement - benchmarking the Calgary and Silesia test corpora typically shows a doubled performance in both compression and decompression on modern i386/x86_64/powerpc machines. Signed-off-by: Markus F.X.J. Oberhumer <markus@oberhumer.com> (cherry picked from commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7) [wt: this update was only needed to apply the following security fixes] Signed-off-by: Willy Tarreau <w@1wt.eu> 
This commit updates the kernel LZO code to the current upsteam version
which features a significant speed improvement - benchmarking the Calgary
and Silesia test corpora typically shows a doubled performance in
both compression and decompression on modern i386/x86_64/powerpc machines.

Signed-off-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
(cherry picked from commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7)
[wt: this update was only needed to apply the following security fixes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
ptrace,x86: force IRET path after a ptrace_stop() 2014-11-23T09:55:37+00:00 Tejun Heo tj@kernel.org 2014-07-03T19:43:15+00:00 a3b45048ba450a3f94e5f1a8c616a0925a0da07a [ Upstream commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a ] The 'sysret' fastpath does not correctly restore even all regular registers, much less any segment registers or reflags values. That is very much part of why it's faster than 'iret'. Normally that isn't a problem, because the normal ptrace() interface catches the process using the signal handler infrastructure, which always returns with an iret. However, some paths can get caught using ptrace_event() instead of the signal path, and for those we need to make sure that we aren't going to return to user space using 'sysret'. Otherwise the modifications that may have been done to the register set by the tracer wouldn't necessarily take effect. Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from arch_ptrace_stop_needed() which is invoked from ptrace_stop(). Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Oleg Nesterov <oleg@redhat.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [wt: fixes CVE-2014-4699] Signed-off-by: Willy Tarreau <w@1wt.eu> 
[ Upstream commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a ]

The 'sysret' fastpath does not correctly restore even all regular
registers, much less any segment registers or reflags values.  That is
very much part of why it's faster than 'iret'.

Normally that isn't a problem, because the normal ptrace() interface
catches the process using the signal handler infrastructure, which
always returns with an iret.

However, some paths can get caught using ptrace_event() instead of the
signal path, and for those we need to make sure that we aren't going to
return to user space using 'sysret'.  Otherwise the modifications that
may have been done to the register set by the tracer wouldn't
necessarily take effect.

Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
arch_ptrace_stop_needed() which is invoked from ptrace_stop().

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: fixes CVE-2014-4699]
Signed-off-by: Willy Tarreau <w@1wt.eu>