[kernel] r15143 - in dists/lenny/linux-2.6: . debian debian/config debian/patches/bugfix/all debian/patches/bugfix/powerpc debian/patches/bugfix/sparc debian/patches/bugfix/x86 debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/features/all/xen debian/patches/series

Dann Frazier dannf at alioth.debian.org
Thu Feb 11 04:19:08 UTC 2010


Author: dannf
Date: Thu Feb 11 04:19:04 2010
New Revision: 15143

Log:
merge in 2.6.26-21lenny[1-3]

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-util.c-sched.h.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mm-util.c-sched.h.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/fix-popf-emulation.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/fix-popf-emulation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch
   dists/lenny/linux-2.6/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch
   dists/lenny/linux-2.6/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch
   dists/lenny/linux-2.6/debian/patches/series/21lenny1
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny1
   dists/lenny/linux-2.6/debian/patches/series/21lenny2
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2
   dists/lenny/linux-2.6/debian/patches/series/21lenny2-extra
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2-extra
   dists/lenny/linux-2.6/debian/patches/series/21lenny3
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3
   dists/lenny/linux-2.6/debian/patches/series/21lenny3-extra
      - copied unchanged from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3-extra
Modified:
   dists/lenny/linux-2.6/   (props changed)
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/config/defines
   dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Feb 11 02:16:55 2010	(r15142)
+++ dists/lenny/linux-2.6/debian/changelog	Thu Feb 11 04:19:04 2010	(r15143)
@@ -26,6 +26,50 @@
 
  -- maximilian attems <maks at debian.org>  Mon, 28 Dec 2009 23:44:19 +0100
 
+linux-2.6 (2.6.26-21lenny3) stable-security; urgency=high
+
+  * Additional fixes for CVE-2010-0307
+  * Build fix for CVE-2010-0291 change on powerpc64
+  * KVM: PIT: control word is write-only (CVE-2010-0309)
+  * connector: Delete buggy notification code. (CVE-2010-0410)
+  * Fix potential crash with sys_move_pages (CVE-2010-0415)
+  * KVM: emulator privilege escalation (CVE-2010-0298)
+  * KVM: emulator privilege escalation IOPL/CPL level check (CVE-2010-0306)
+
+ -- dann frazier <dannf at debian.org>  Tue, 09 Feb 2010 22:28:22 -0700
+
+linux-2.6 (2.6.26-21lenny2) stable-security; urgency=high
+
+  [ dann frazier ]
+  * Fix build failure on hppa & mipsen due to missing #include
+  * Port CVE-2010-0291 fix to xen featureset
+  
+  [ Ben Hutchings ]
+  * cdc_ether: Do not set link down initially; not all devices send link
+    change interrupts (Closes: #567689)
+
+  [ dann frazier ]
+  * Split 'flush_old_exec' into two functions (CVE-2010-0307)
+
+ -- dann frazier <dannf at debian.org>  Mon, 01 Feb 2010 23:47:42 -0700
+
+linux-2.6 (2.6.26-21lenny1) stable-security; urgency=high
+
+  [ dann frazier ]
+  * mac80211: fix spurious delBA handling (CVE-2009-4027)
+  * e1000: enhance frame fragment detection (CVE-2009-4536)
+  * e1000e: enhance frame fragment detection (CVE-2009-4538)
+  * Fix several issues with mmap/mremap (CVE-2010-0291)
+  * [SCSI] megaraid_sas: remove sysfs poll_mode_io world writeable
+    permissions (CVE-2009-3939)
+ 
+  [ Ben Hutchings ]
+  * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+    (CVE-2010-0003)
+  * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
+
+ -- dann frazier <dannf at debian.org>  Fri, 29 Jan 2010 17:20:16 -0700
+
 linux-2.6 (2.6.26-21) stable; urgency=high
 
   [ Ben Hutchings ]
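
Review bot: the 2.6.26-21lenny3 entry has no line for a popf emulation fix, yet the Added list above carries both bugfix/x86/fix-popf-emulation.patch and bugfix/x86/kvm-emulator-fix-popf-emulation.patch. Please confirm that both are referenced from a series file and add a changelog line saying which CVE entry they belong to, or drop whichever one is a stray copy. Minor style point: the 21lenny2 entry opens two separate "[ dann frazier ]" sections; the items could be grouped under one.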

Modified: dists/lenny/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny/linux-2.6/debian/config/defines	Thu Feb 11 02:16:55 2010	(r15142)
+++ dists/lenny/linux-2.6/debian/config/defines	Thu Feb 11 04:19:04 2010	(r15143)
@@ -1,5 +1,6 @@
 [abi]
 abiname: 2
+ignore-changes: gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs
 
 [base]
 arches:
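
Review bot: the new ignore-changes line uses the wildcards gfn_*, kvm_* and __kvm_*, which silences the ABI check for every symbol with those prefixes, not only the ones the KVM patches in this merge touch, while abiname stays at 2. Neither this file nor the changelog hunk explains why that is safe. Suggest listing the affected symbols explicitly, as is already done for emulate_instruction, fx_init and load_pdptrs, or adding a changelog line stating why a changed KVM symbol does not need an ABI bump.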

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch)
@@ -0,0 +1,36 @@
+From ee3585e8db845cba146ecfd829b8c37f1447e1a7 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 28 Jan 2010 23:11:20 +0000
+Subject: [PATCH] cdc_ether: Partially revert "usbnet: Set link down initially ..."
+
+Commit 37e8273cd30592d3a82bcb70cbb1bdc4eaeb6b71 ("usbnet: Set link down
+initially for drivers that update link state") changed the initial link
+state in cdc_ether and other drivers based on the understanding that the
+devices they support generate link change interrupts.  However, this is
+optional in the CDC Ethernet protocol, and two users have reported in
+<http://bugzilla.kernel.org/show_bug.cgi?id=14791> that the link state
+for their devices remains down.  Therefore, revert the change in
+cdc_ether.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Tested-by: Avi Rozen <avi.rozen at gmail.com>
+---
+ drivers/net/usb/cdc_ether.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
+index 21e183a..4f27f02 100644
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -419,7 +419,7 @@ static int cdc_manage_power(struct usbnet *dev, int on)
+ 
+ static const struct driver_info	cdc_info = {
+ 	.description =	"CDC Ethernet Device",
+-	.flags =	FLAG_ETHER | FLAG_LINK_INTR,
++	.flags =	FLAG_ETHER,
+ 	// .check_connect = cdc_check_connect,
+ 	.bind =		cdc_bind,
+ 	.unbind =	usbnet_cdc_unbind,
+-- 
+1.6.6
+
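
Review bot: the patch header cites the kernel bugzilla entry but not the Debian bug that debian/changelog closes with this change (#567689), and unlike the connector patch it has no "commit ... upstream" line, so a reader cannot tell whether the one-line change to .flags in cdc_info is already upstream or Debian-only. Suggest adding both references to the header.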

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/connector-delete-buggy-notification-code.patch)
@@ -0,0 +1,331 @@
+From f98bfbd78c37c5946cc53089da32a5f741efdeb7 Mon Sep 17 00:00:00 2001
+From: Evgeniy Polyakov <zbr at ioremap.net>
+Date: Tue, 2 Feb 2010 15:58:48 -0800
+Subject: connector: Delete buggy notification code.
+
+From: Evgeniy Polyakov <zbr at ioremap.net>
+
+commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream.
+
+On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh at suse.de) wrote:
+> > There are at least two ways to fix it: using a big cannon and a small
+> > one. The former way is to disable notification registration, since it is
+> > not used by anyone at all. Second way is to check whether calling
+> > process is root and its destination group is -1 (kind of priveledged
+> > one) before command is dispatched to workqueue.
+>
+> Well if no one is using it, removing it makes the most sense, right?
+>
+> No objection from me, care to make up a patch either way for this?
+
+Getting it is not used, let's drop support for notifications about
+(un)registered events from connector.
+Another option was to check credentials on receiving, but we can always
+restore it without bugs if needed, but genetlink has a wider code base
+and none complained, that userspace can not get notification when some
+other clients were (un)registered.
+
+Kudos for Sebastian Krahmer <krahmer at suse.de>, who found a bug in the
+code.
+
+Signed-off-by: Evgeniy Polyakov <zbr at ioremap.net>
+Acked-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/connector/connector.c |  175 ------------------------------------------
+ include/linux/connector.h     |   32 -------
+ 2 files changed, 207 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/connector/connector.c linux-source-2.6.26/drivers/connector/connector.c
+--- linux-source-2.6.26.orig/drivers/connector/connector.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/connector/connector.c	2010-02-04 20:33:57.000000000 -0700
+@@ -36,17 +36,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Evgeniy Polyakov <johnpol at 2ka.mipt.ru>");
+ MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
+ 
+-static u32 cn_idx = CN_IDX_CONNECTOR;
+-static u32 cn_val = CN_VAL_CONNECTOR;
+-
+-module_param(cn_idx, uint, 0);
+-module_param(cn_val, uint, 0);
+-MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
+-MODULE_PARM_DESC(cn_val, "Connector's main device val.");
+-
+-static DEFINE_MUTEX(notify_lock);
+-static LIST_HEAD(notify_list);
+-
+ static struct cn_dev cdev;
+ 
+ static int cn_already_initialized;
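
Review bot: dropping the cn_idx and cn_val module parameters in this hunk changes the load-time interface of the connector module in a stable security update, and neither the patch description nor debian/changelog mentions it. A system that passes either option when loading the module will behave differently after the upgrade. Suggest a changelog line that names the removed parameters.
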
+@@ -215,54 +204,6 @@ static void cn_rx_skb(struct sk_buff *__
+ }
+ 
+ /*
+- * Notification routing.
+- *
+- * Gets id and checks if there are notification request for it's idx
+- * and val.  If there are such requests notify the listeners with the
+- * given notify event.
+- *
+- */
+-static void cn_notify(struct cb_id *id, u32 notify_event)
+-{
+-	struct cn_ctl_entry *ent;
+-
+-	mutex_lock(&notify_lock);
+-	list_for_each_entry(ent, &notify_list, notify_entry) {
+-		int i;
+-		struct cn_notify_req *req;
+-		struct cn_ctl_msg *ctl = ent->msg;
+-		int idx_found, val_found;
+-
+-		idx_found = val_found = 0;
+-
+-		req = (struct cn_notify_req *)ctl->data;
+-		for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
+-			if (id->idx >= req->first && 
+-					id->idx < req->first + req->range) {
+-				idx_found = 1;
+-				break;
+-			}
+-		}
+-
+-		for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
+-			if (id->val >= req->first && 
+-					id->val < req->first + req->range) {
+-				val_found = 1;
+-				break;
+-			}
+-		}
+-
+-		if (idx_found && val_found) {
+-			struct cn_msg m = { .ack = notify_event, };
+-
+-			memcpy(&m.id, id, sizeof(m.id));
+-			cn_netlink_send(&m, ctl->group, GFP_KERNEL);
+-		}
+-	}
+-	mutex_unlock(&notify_lock);
+-}
+-
+-/*
+  * Callback add routing - adds callback with given ID and name.
+  * If there is registered callback with the same ID it will not be added.
+  *
+@@ -280,8 +221,6 @@ int cn_add_callback(struct cb_id *id, ch
+ 	if (err)
+ 		return err;
+ 
+-	cn_notify(id, 0);
+-
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(cn_add_callback);
+@@ -299,112 +238,9 @@ void cn_del_callback(struct cb_id *id)
+ 	struct cn_dev *dev = &cdev;
+ 
+ 	cn_queue_del_callback(dev->cbdev, id);
+-	cn_notify(id, 1);
+ }
+ EXPORT_SYMBOL_GPL(cn_del_callback);
+ 
+-/*
+- * Checks two connector's control messages to be the same.
+- * Returns 1 if they are the same or if the first one is corrupted.
+- */
+-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
+-{
+-	int i;
+-	struct cn_notify_req *req1, *req2;
+-
+-	if (m1->idx_notify_num != m2->idx_notify_num)
+-		return 0;
+-
+-	if (m1->val_notify_num != m2->val_notify_num)
+-		return 0;
+-
+-	if (m1->len != m2->len)
+-		return 0;
+-
+-	if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
+-	    m1->len)
+-		return 1;
+-
+-	req1 = (struct cn_notify_req *)m1->data;
+-	req2 = (struct cn_notify_req *)m2->data;
+-
+-	for (i = 0; i < m1->idx_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	for (i = 0; i < m1->val_notify_num; ++i) {
+-		if (req1->first != req2->first || req1->range != req2->range)
+-			return 0;
+-		req1++;
+-		req2++;
+-	}
+-
+-	return 1;
+-}
+-
+-/*
+- * Main connector device's callback.
+- *
+- * Used for notification of a request's processing.
+- */
+-static void cn_callback(void *data)
+-{
+-	struct cn_msg *msg = data;
+-	struct cn_ctl_msg *ctl;
+-	struct cn_ctl_entry *ent;
+-	u32 size;
+-
+-	if (msg->len < sizeof(*ctl))
+-		return;
+-
+-	ctl = (struct cn_ctl_msg *)msg->data;
+-
+-	size = (sizeof(*ctl) + ((ctl->idx_notify_num +
+-				 ctl->val_notify_num) *
+-				sizeof(struct cn_notify_req)));
+-
+-	if (msg->len != size)
+-		return;
+-
+-	if (ctl->len + sizeof(*ctl) != msg->len)
+-		return;
+-
+-	/*
+-	 * Remove notification.
+-	 */
+-	if (ctl->group == 0) {
+-		struct cn_ctl_entry *n;
+-
+-		mutex_lock(&notify_lock);
+-		list_for_each_entry_safe(ent, n, &notify_list, notify_entry) {
+-			if (cn_ctl_msg_equals(ent->msg, ctl)) {
+-				list_del(&ent->notify_entry);
+-				kfree(ent);
+-			}
+-		}
+-		mutex_unlock(&notify_lock);
+-
+-		return;
+-	}
+-
+-	size += sizeof(*ent);
+-
+-	ent = kzalloc(size, GFP_KERNEL);
+-	if (!ent)
+-		return;
+-
+-	ent->msg = (struct cn_ctl_msg *)(ent + 1);
+-
+-	memcpy(ent->msg, ctl, size - sizeof(*ent));
+-
+-	mutex_lock(&notify_lock);
+-	list_add(&ent->notify_entry, &notify_list);
+-	mutex_unlock(&notify_lock);
+-}
+-
+ static int cn_proc_show(struct seq_file *m, void *v)
+ {
+ 	struct cn_queue_dev *dev = cdev.cbdev;
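
Review bot: the patch description never says what the bug in the notification code is and does not name CVE-2010-0410, which debian/changelog attaches to this patch. The cn_callback() removed in this hunk allocates an entry with kzalloc() and adds it to notify_list for each accepted control message, with no bound on the list and no check on the sender, and the quoted discussion names a root check as the alternative fix. One sentence to that effect in the header, plus the CVE id, would let someone audit the backport without the upstream thread.
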
+@@ -442,11 +278,8 @@ static const struct file_operations cn_f
+ static int __devinit cn_init(void)
+ {
+ 	struct cn_dev *dev = &cdev;
+-	int err;
+ 
+ 	dev->input = cn_rx_skb;
+-	dev->id.idx = cn_idx;
+-	dev->id.val = cn_val;
+ 
+ 	dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR,
+ 					 CN_NETLINK_USERS + 0xf,
+@@ -462,14 +295,6 @@ static int __devinit cn_init(void)
+ 	
+ 	cn_already_initialized = 1;
+ 
+-	err = cn_add_callback(&dev->id, "connector", &cn_callback);
+-	if (err) {
+-		cn_already_initialized = 0;
+-		cn_queue_free_dev(dev->cbdev);
+-		netlink_kernel_release(dev->nls);
+-		return -EINVAL;
+-	}
+-
+ 	proc_net_fops_create(&init_net, "connector", S_IRUGO, &cn_file_ops);
+ 
+ 	return 0;
+@@ -483,7 +308,6 @@ static void __devexit cn_fini(void)
+ 
+ 	proc_net_remove(&init_net, "connector");
+ 
+-	cn_del_callback(&dev->id);
+ 	cn_queue_free_dev(dev->cbdev);
+ 	netlink_kernel_release(dev->nls);
+ }
+diff -urpN linux-source-2.6.26.orig/include/linux/connector.h linux-source-2.6.26/include/linux/connector.h
+--- linux-source-2.6.26.orig/include/linux/connector.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/connector.h	2010-02-04 20:31:20.000000000 -0700
+@@ -24,9 +24,6 @@
+ 
+ #include <asm/types.h>
+ 
+-#define CN_IDX_CONNECTOR		0xffffffff
+-#define CN_VAL_CONNECTOR		0xffffffff
+-
+ /*
+  * Process Events connector unique ids -- used for message routing
+  */
+@@ -68,30 +65,6 @@ struct cn_msg {
+ 	__u8 data[0];
+ };
+ 
+-/*
+- * Notify structure - requests notification about
+- * registering/unregistering idx/val in range [first, first+range].
+- */
+-struct cn_notify_req {
+-	__u32 first;
+-	__u32 range;
+-};
+-
+-/*
+- * Main notification control message
+- * *_notify_num 	- number of appropriate cn_notify_req structures after 
+- *				this struct.
+- * group 		- notification receiver's idx.
+- * len 			- total length of the attached data.
+- */
+-struct cn_ctl_msg {
+-	__u32 idx_notify_num;
+-	__u32 val_notify_num;
+-	__u32 group;
+-	__u32 len;
+-	__u8 data[0];
+-};
+-
+ #ifdef __KERNEL__
+ 
+ #include <asm/atomic.h>
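
Review bot: struct cn_notify_req and struct cn_ctl_msg are defined above the #ifdef __KERNEL__ line, so this hunk removes definitions that the header offers to userspace, as does the CN_IDX_CONNECTOR / CN_VAL_CONNECTOR removal in the previous hunk. Any userspace program that includes linux/connector.h and uses them stops building. The commit message argues that nobody uses the feature; the changelog should still record that a userspace-visible header changed.
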
+@@ -141,11 +114,6 @@ struct cn_callback_entry {
+ 	u32 seq, group;
+ };
+ 
+-struct cn_ctl_entry {
+-	struct list_head notify_entry;
+-	struct cn_ctl_msg *msg;
+-};
+-
+ struct cn_dev {
+ 	struct cb_id id;
+ 
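
Review bot: struct cn_dev keeps its "struct cb_id id;" member here, but after this patch cn_init() no longer fills in dev->id.idx / dev->id.val and cn_fini() no longer passes &dev->id to cn_del_callback(). If nothing else reads the field, either remove it or add a comment that it is kept on purpose (for example to leave the structure layout unchanged in a stable release).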

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000-enhance-frame-fragment-detection.patch)
@@ -0,0 +1,70 @@
+commit 40a14deaf411592b57cb0720f0e8004293ab9865
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date:   Tue Jan 19 14:15:38 2010 +0000
+
+    e1000: enhance frame fragment detection
+    
+    Originally From: Neil Horman <nhorman at tuxdriver.com>
+    Modified by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    
+    Hey all-
+    	A security discussion was recently given:
+    http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html
+    And a patch that I submitted awhile back was brought up.  Apparently some of
+    their testing revealed that they were able to force a buffer fragment in e1000
+    in which the trailing fragment was greater than 4 bytes.  As a result the
+    fragment check I introduced failed to detect the fragement and a partial
+    invalid frame was passed up into the network stack.  I've written this patch
+    to correct it.  I'm in the process of testing it now, but it makes good
+    logical sense to me.  Effectively it maintains a per-adapter state variable
+    which detects a non-EOP frame, and discards it and subsequent non-EOP frames
+    leading up to _and_ _including_ the next positive-EOP frame (as it is by
+    definition the last fragment).  This should prevent any and all partial frames
+    from entering the network stack from e1000.
+    
+    Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    Acked-by: Neil Horman <nhorman at tuxdriver.com>
+    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c linux-source-2.6.26/drivers/net/e1000/e1000_main.c
+--- linux-source-2.6.26.orig/drivers/net/e1000/e1000_main.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000/e1000_main.c	2010-01-22 15:43:22.000000000 -0700
+@@ -4241,13 +4241,22 @@ e1000_clean_rx_irq(struct e1000_adapter 
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+ 		/* !EOP means multiple descriptors were used to store a single
+-		 * packet, also make sure the frame isn't just CRC only */
+-		if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
++		 * packet, if thats the case we need to toss it.  In fact, we
++		 * to toss every packet with the EOP bit clear and the next
++		 * frame that _does_ have the EOP bit set, as it is by
++		 * definition only a frame fragment
++		 */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++			adapter->discarding = true;
++
++		if (adapter->discarding) {
+ 			/* All receives must fit into a single buffer */
+ 			E1000_DBG("%s: Receive packet consumed multiple"
+ 				  " buffers\n", netdev->name);
+ 			/* recycle */
+ 			buffer_info->skb = skb;
++			if (status & E1000_RXD_STAT_EOP)
++				adapter->discarding = false;
+ 			goto next_desc;
+ 		}
+ 
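
Review bot: the rewritten condition drops the (length <= 4) test together with the old comment, so a single-descriptor frame that has EOP set but carries no more than 4 bytes is no longer recycled at this point. The commit message does not mention that change. Please confirm that a later length check covers the CRC-only case, or keep the test, e.g. "if (adapter->discarding || length <= 4)". The same removal appears in the e1000e patch. Also, the new comment reads "In fact, we to toss every packet"; a "need" is missing (the e1000e version of the comment has it).
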
+--- linux-source-2.6.26/drivers/net/e1000/e1000.h.orig	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/e1000/e1000.h	2010-01-26 09:55:11.000000000 -0700
+@@ -342,6 +342,8 @@ struct e1000_adapter {
+ 	bool quad_port_a;
+ 	unsigned long flags;
+ 	u32 eeprom_wol;
++
++	bool discarding;
+ };
+ 
+ enum e1000_state_t {
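
Review bot: the new "discarding" flag is only cleared in e1000_clean_rx_irq() when a descriptor with EOP arrives; nothing in this patch resets it when the receive ring is cleaned or re-initialised. The e1000e patch does clear FLAG2_IS_DISCARDING in e1000_clean_rx_ring(). If the ring is reset while the flag is set, the first complete frame received afterwards is thrown away. Suggest clearing adapter->discarding in the e1000 ring-clean path as well.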

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/e1000e-enhance-frame-fragment-detection.patch)
@@ -0,0 +1,111 @@
+commit b94b50289622e816adc9f94111cfc2679c80177c
+Author: Jesse Brandeburg <jesse.brandeburg at intel.com>
+Date:   Tue Jan 19 14:15:59 2010 +0000
+
+    e1000e: enhance frame fragment detection
+    
+    Originally patched by Neil Horman <nhorman at tuxdriver.com>
+    
+    e1000e could with a jumbo frame enabled interface, and packet split disabled,
+    receive a packet that would overflow a single rx buffer.  While in practice
+    very hard to craft a packet that could abuse this, it is possible.
+    
+    this is related to CVE-2009-4538
+    
+    Signed-off-by: Jesse Brandeburg <jesse.brandeburg at intel.com>
+    CC: Neil Horman <nhorman at tuxdriver.com>
+    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher at intel.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c linux-source-2.6.26/drivers/net/e1000e/netdev.c
+--- linux-source-2.6.26.orig/drivers/net/e1000e/netdev.c	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/netdev.c	2010-01-22 16:16:43.000000000 -0700
+@@ -482,14 +482,24 @@ static bool e1000_clean_rx_irq(struct e1
+ 
+ 		length = le16_to_cpu(rx_desc->length);
+ 
+-		/* !EOP means multiple descriptors were used to store a single
+-		 * packet, also make sure the frame isn't just CRC only */
+-		if (!(status & E1000_RXD_STAT_EOP) || (length <= 4)) {
++		/*
++		 * !EOP means multiple descriptors were used to store a single
++		 * packet, if that's the case we need to toss it.  In fact, we
++		 * need to toss every packet with the EOP bit clear and the
++		 * next frame that _does_ have the EOP bit set, as it is by
++		 * definition only a frame fragment
++		 */
++		if (unlikely(!(status & E1000_RXD_STAT_EOP)))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			/* All receives must fit into a single buffer */
+ 			ndev_dbg(netdev, "%s: Receive packet consumed "
+ 				 "multiple buffers\n", netdev->name);
+ 			/* recycle */
+ 			buffer_info->skb = skb;
++			if (status & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -748,10 +758,16 @@ static bool e1000_clean_rx_irq_ps(struct
+ 				 PCI_DMA_FROMDEVICE);
+ 		buffer_info->dma = 0;
+ 
+-		if (!(staterr & E1000_RXD_STAT_EOP)) {
++		/* see !EOP comment in other rx routine */
++		if (!(staterr & E1000_RXD_STAT_EOP))
++			adapter->flags2 |= FLAG2_IS_DISCARDING;
++
++		if (adapter->flags2 & FLAG2_IS_DISCARDING) {
+ 			ndev_dbg(netdev, "%s: Packet Split buffers didn't pick "
+ 				 "up the full packet\n", netdev->name);
+ 			dev_kfree_skb_irq(skb);
++			if (staterr & E1000_RXD_STAT_EOP)
++				adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 			goto next_desc;
+ 		}
+ 
+@@ -1111,6 +1127,7 @@ static void e1000_clean_rx_ring(struct e
+ 
+ 	rx_ring->next_to_clean = 0;
+ 	rx_ring->next_to_use = 0;
++	adapter->flags2 &= ~FLAG2_IS_DISCARDING;
+ 
+ 	writel(0, adapter->hw.hw_addr + rx_ring->head);
+ 	writel(0, adapter->hw.hw_addr + rx_ring->tail);
+@@ -4727,6 +4744,7 @@ static int __devinit e1000_probe(struct 
+ 	adapter->ei = ei;
+ 	adapter->pba = ei->pba;
+ 	adapter->flags = ei->flags;
++	adapter->flags2 = ei->flags2;
+ 	adapter->hw.adapter = adapter;
+ 	adapter->hw.mac.type = ei->mac;
+ 	adapter->msg_enable = (1 << NETIF_MSG_DRV | NETIF_MSG_PROBE) - 1;
+--- linux-source-2.6.26.orig/drivers/net/e1000e/e1000.h	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/drivers/net/e1000e/e1000.h	2010-01-26 11:17:32.000000000 -0700
+@@ -298,11 +298,13 @@ struct e1000_adapter {
+ 	unsigned long led_status;
+ 
+ 	unsigned int flags;
++	unsigned int flags2;
+ };
+ 
+ struct e1000_info {
+ 	enum e1000_mac_type	mac;
+ 	unsigned int		flags;
++	unsigned int		flags2;
+ 	u32			pba;
+ 	s32			(*get_variants)(struct e1000_adapter *);
+ 	struct e1000_mac_operations *mac_ops;
+@@ -343,6 +345,8 @@ struct e1000_info {
+ #define FLAG_RX_RESTART_NOW               (1 << 30)
+ #define FLAG_MSI_TEST_FAILED              (1 << 31)
+ 
++#define FLAG2_IS_DISCARDING               (1 << 2)
++
+ #define E1000_RX_DESC_PS(R, i)	    \
+ 	(&(((union e1000_rx_desc_packet_split *)((R).desc))[i]))
+ #define E1000_GET_DESC(R, i, type)	(&(((struct type *)((R).desc))[i]))
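
Review bot: FLAG2_IS_DISCARDING is defined as (1 << 2) although this backport adds no other FLAG2_ bits, and the e1000_probe() hunk copies adapter->flags2 from ei->flags2, a field that nothing visible in this patch initialises. If the bit position was chosen to match another tree, say so in a comment next to the #define, and note that flags2 carries runtime receive state here rather than per-device capabilities, so that a later backport does not reuse bits 0 and 1 inconsistently.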

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch)
@@ -0,0 +1,32 @@
+commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Fri Feb 5 16:16:50 2010 -0800
+
+    Fix potential crash with sys_move_pages
+    
+    We incorrectly depended on the 'node_state/node_isset()' functions
+    testing the node range, rather than checking it explicitly.  That's not
+    reliable, even if it might often happen to work.  So do the proper
+    explicit test.
+    
+    Reported-by: Marcus Meissner <meissner at suse.de>
+    Acked-and-tested-by: Brice Goglin <Brice.Goglin at inria.fr>
+    Acked-by: Hugh Dickins <hugh.dickins at tiscali.co.uk>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/mm/migrate.c linux-source-2.6.26/mm/migrate.c
+--- linux-source-2.6.26.orig/mm/migrate.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/mm/migrate.c	2010-02-08 13:21:04.000000000 -0700
+@@ -1040,6 +1040,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
+ 				goto out;
+ 
+ 			err = -ENODEV;
++			if (node < 0 || node >= MAX_NUMNODES)
++				goto out;
++
+ 			if (!node_state(node, N_HIGH_MEMORY))
+ 				goto out;
+ 
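Review bot: the new test "node < 0 || node >= MAX_NUMNODES" only works as intended if node is a signed type, and its declaration and the code that fills it are outside this hunk; please confirm it is an int. Placing the test ahead of node_state(node, N_HIGH_MEMORY) is right, since that is the lookup the commit message says was being relied on for range checking. A short comment that the value arrives through the move_pages syscall would keep the check from being dropped in a later cleanup.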

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mac80211-fix-spurious-delBA-handling.patch)
@@ -0,0 +1,120 @@
+commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date:   Sun Nov 22 12:28:41 2009 +0100
+
+    mac80211: fix spurious delBA handling
+    
+    Lennert Buytenhek noticed that delBA handling in mac80211
+    was broken and has remotely triggerable problems, some of
+    which are due to some code shuffling I did that ended up
+    changing the order in which things were done -- this was
+    
+      commit d75636ef9c1af224f1097941879d5a8db7cd04e5
+      Author: Johannes Berg <johannes at sipsolutions.net>
+      Date:   Tue Feb 10 21:25:53 2009 +0100
+    
+        mac80211: RX aggregation: clean up stop session
+    
+    and other parts were already present in the original
+    
+      commit d92684e66091c0f0101819619b315b4bb8b5bcc5
+      Author: Ron Rindjunsky <ron.rindjunsky at intel.com>
+      Date:   Mon Jan 28 14:07:22 2008 +0200
+    
+          mac80211: A-MPDU Tx add delBA from recipient support
+    
+    The first problem is that I moved a BUG_ON before various
+    checks -- thereby making it possible to hit. As the comment
+    indicates, the BUG_ON can be removed since the ampdu_action
+    callback must already exist when the state is != IDLE.
+    
+    The second problem isn't easily exploitable but there's a
+    race condition due to unconditionally setting the state to
+    OPERATIONAL when a delBA frame is received, even when no
+    aggregation session was ever initiated. All the drivers
+    accept stopping the session even then, but that opens a
+    race window where crashes could happen before the driver
+    accepts it. Right now, a WARN_ON may happen with non-HT
+    drivers, while the race opens only for HT drivers.
+    
+    For this case, there are two things necessary to fix it:
+     1) don't process spurious delBA frames, and be more careful
+        about the session state; don't drop the lock
+    
+     2) HT drivers need to be prepared to handle a session stop
+        even before the session was really started -- this is
+        true for all drivers (that support aggregation) but
+        iwlwifi which can be fixed easily. The other HT drivers
+        (ath9k and ar9170) are behaving properly already.
+    
+    Reported-by: Lennert Buytenhek <buytenh at marvell.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+    Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+Second case backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/wireless/iwlwifi/iwl-4965.c linux-source-2.6.26/drivers/net/wireless/iwlwifi/iwl-4965.c
+--- linux-source-2.6.26.orig/drivers/net/wireless/iwlwifi/iwl-4965.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/wireless/iwlwifi/iwl-4965.c	2010-01-19 21:54:16.000000000 -0700
+@@ -4842,8 +4842,16 @@ static int iwl4965_mac_ht_tx_agg_stop(st
+ 	if (sta_id == IWL_INVALID_STATION)
+ 		return -ENXIO;
+ 
++	if (priv->stations[sta_id].tid[tid].agg.state ==
++				IWL_EMPTYING_HW_QUEUE_ADDBA) {
++		IWL_DEBUG_HT("AGG stop before setup done\n");
++		ieee80211_stop_tx_ba_cb_irqsafe(priv->hw, da, tid);
++		priv->stations[sta_id].tid[tid].agg.state = IWL_AGG_OFF;
++		return 0;
++	}
++
+ 	if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_ON)
+-		IWL_WARNING("Stopping AGG while state not IWL_AGG_ON\n");
++		IWL_WARNING("Stopping AGG while state not ON or starting\n");
+ 
+ 	tid_data = &priv->stations[sta_id].tid[tid];
+ 	ssn = (tid_data->seq_number & IEEE80211_SCTL_SEQ) >> 4;
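Review bot: the new early-return branch reads agg.state, calls ieee80211_stop_tx_ba_cb_irqsafe() and only afterwards writes IWL_AGG_OFF, and no lock is taken anywhere in the hunk. Please confirm the caller serialises this against the path that moves the state out of IWL_EMPTYING_HW_QUEUE_ADDBA, or set the state under the station lock before invoking the callback, so a concurrent transition cannot be overwritten.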
+diff -urpN linux-source-2.6.26.orig/include/net/mac80211.h linux-source-2.6.26/include/net/mac80211.h
+--- linux-source-2.6.26.orig/include/net/mac80211.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/net/mac80211.h	2010-01-19 21:46:53.000000000 -0700
+@@ -957,6 +957,12 @@ enum ieee80211_filter_flags {
+  *
+  * These flags are used with the ampdu_action() callback in
+  * &struct ieee80211_ops to indicate which action is needed.
++ *
++ * Note that drivers MUST be able to deal with a TX aggregation
++ * session being stopped even before they OK'ed starting it by
++ * calling ieee80211_start_tx_ba_cb(_irqsafe), because the peer
++ * might receive the addBA frame and send a delBA right away!
++ *
+  * @IEEE80211_AMPDU_RX_START: start Rx aggregation
+  * @IEEE80211_AMPDU_RX_STOP: stop Rx aggregation
+  * @IEEE80211_AMPDU_TX_START: start Tx aggregation
+--- linux-source-2.6.26.orig/net/mac80211/mlme.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/mac80211/mlme.c	2010-01-20 17:29:08.000000000 -0700
+@@ -1597,11 +1597,20 @@
+ 						 WLAN_BACK_INITIATOR, 0);
+ 	else { /* WLAN_BACK_RECIPIENT */
+ 		spin_lock_bh(&sta->ampdu_mlme.ampdu_tx);
+-		sta->ampdu_mlme.tid_state_tx[tid] =
+-				HT_AGG_STATE_OPERATIONAL;
++		if (sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK) {
++			u8 *state = &sta->ampdu_mlme.tid_state_tx[tid];
++
++			if (*state == HT_AGG_STATE_OPERATIONAL)
++				sta->ampdu_mlme.tid_state_tx[tid] = 0;
++
++			*state = HT_AGG_STATE_REQ_STOP_BA_MSK |
++				(WLAN_BACK_RECIPIENT << HT_AGG_STATE_INITIATOR_SHIFT);
++
++			if (local->ops->ampdu_action)
++				local->ops->ampdu_action(&local->hw, IEEE80211_AMPDU_TX_STOP,
++							 sta->addr, tid, NULL);
++		}
+ 		spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
+-		ieee80211_stop_tx_ba_session(&local->hw, sta->addr, tid,
+-					     WLAN_BACK_RECIPIENT);
+ 	}
+ 	rcu_read_unlock();
+ }
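Review bot: inside the new HT_ADDBA_REQUESTED_MSK block, the store "sta->ampdu_mlme.tid_state_tx[tid] = 0" under "if (*state == HT_AGG_STATE_OPERATIONAL)" is dead, because *state points at the same element and is unconditionally overwritten by the next statement. Drop the conditional, or make explicit what the OPERATIONAL case was meant to do differently. The return value of ampdu_action() is also discarded, so if a driver refuses IEEE80211_AMPDU_TX_STOP the state stays at REQ_STOP_BA with nothing in this hunk to recover it; at least log the failure.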

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch)
@@ -0,0 +1,30 @@
+commit bb7d3f24c71e528989501617651b669fbed798cb
+Author: Bryn M. Reeves <bmr at redhat.com>
+Date:   Thu Nov 12 18:31:54 2009 +0000
+
+    [SCSI] megaraid_sas: remove sysfs poll_mode_io world writeable permissions
+    
+    /sys/bus/pci/drivers/megaraid_sas/poll_mode_io defaults to being
+    world-writable, which seems bad (letting any user affect kernel driver
+    behavior).
+    
+    This turns off group and user write permissions, so that on typical
+    production systems only root can write to it.
+    
+    Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/scsi/megaraid/megaraid_sas.c linux-source-2.6.26/drivers/scsi/megaraid/megaraid_sas.c
+--- linux-source-2.6.26.orig/drivers/scsi/megaraid/megaraid_sas.c	2009-12-26 01:14:58.000000000 -0700
++++ linux-source-2.6.26/drivers/scsi/megaraid/megaraid_sas.c	2010-01-29 16:58:48.000000000 -0700
+@@ -3347,7 +3347,7 @@ out:
+ 	return retval;
+ }
+ 
+-static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUGO,
++static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUSR,
+ 		megasas_sysfs_show_poll_mode_io,
+ 		megasas_sysfs_set_poll_mode_io);
+ 
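Review bot: the description says this turns off "group and user write permissions", but the new mode S_IRUGO|S_IWUSR keeps the owner's write bit and drops write for group and other; the message should say "group and other". The attribute remains world-readable through S_IRUGO, which is worth stating as intentional in the description.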

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-util.c-sched.h.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mm-util.c-sched.h.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-util.c-sched.h.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/mm-util.c-sched.h.patch)
@@ -0,0 +1,30 @@
+commit 3b8f14b41026fb7d7e9a4af2a4128a702d07ad26
+Author: Adrian Bunk <bunk at kernel.org>
+Date:   Sat Jul 26 15:22:28 2008 -0700
+
+    mm/util.c must #include <linux/sched.h>
+    
+    mm/util.c: In function 'arch_pick_mmap_layout':
+      mm/util.c:144: error: dereferencing pointer to incomplete type
+      mm/util.c:145: error: 'arch_get_unmapped_area' undeclared (first use in this function)
+      mm/util.c:145: error: (Each undeclared identifier is reported only once
+      mm/util.c:145: error: for each function it appears in.)
+      mm/util.c:146: error: 'arch_unmap_area' undeclared (first use in this function)
+    
+    Signed-off-by: Adrian Bunk <bunk at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/mm/util.c linux-source-2.6.26/mm/util.c
+--- linux-source-2.6.26.orig/mm/util.c	2010-01-29 17:50:35.000000000 -0700
++++ linux-source-2.6.26/mm/util.c	2010-01-31 15:41:53.000000000 -0700
+@@ -6,6 +6,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/mman.h>
+ #include <linux/file.h>
++#include <linux/sched.h>
+ #include <asm/uaccess.h>
+ 
+ /**

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
@@ -0,0 +1,47 @@
+From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal at astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/bridge/netfilter/ebtables.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 32afff8..d6beca9 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ 	int ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	switch(cmd) {
+ 	case EBT_SO_SET_ENTRIES:
+ 		ret = do_replace(user, len);
+@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ 	struct ebt_replace tmp;
+ 	struct ebt_table *t;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (copy_from_user(&tmp, user, sizeof(tmp)))
+ 		return -EFAULT;
+ 
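Review bot: the capable(CAP_NET_ADMIN) check added to do_ebt_get_ctl() also blocks read-only queries, while the description only speaks of users being able to set/modify rules. State in the message that the get path is restricted as well, so the behaviour change for unprivileged readers is documented. Placing the check ahead of copy_from_user() is the right order.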
+-- 
+1.6.6
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch)
@@ -0,0 +1,52 @@
+From e3f94f64a91768da5b136b22dc5faa2447ec2ac8 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <andi at firstfloor.org>
+Date: Fri, 8 Jan 2010 14:42:52 -0800
+Subject: [PATCH] kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+
+commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.
+
+When print-fatal-signals is enabled it's possible to dump any memory
+reachable by the kernel to the log by simply jumping to that address from
+user space.
+
+Or crash the system if there's some hardware with read side effects.
+
+The fatal signals handler will dump 16 bytes at the execution address,
+which is fully controlled by ring 3.
+
+In addition when something jumps to a unmapped address there will be up to
+16 additional useless page faults, which might be potentially slow (and at
+least is not very efficient)
+
+Fortunately this option is off by default and only there on i386.
+
+But fix it by checking for kernel addresses and also stopping when there's
+a page fault.
+
+Signed-off-by: Andi Kleen <ak at linux.intel.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ kernel/signal.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index de2b649..efcdc95 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt_regs *regs, int signr)
+ 		for (i = 0; i < 16; i++) {
+ 			unsigned char insn;
+ 
+-			__get_user(insn, (unsigned char *)(regs->ip + i));
++			if (get_user(insn, (unsigned char *)(regs->ip + i)))
++				break;
+ 			printk("%02x ", insn);
+ 		}
+ 	}
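Review bot: the protection against reading kernel addresses is implicit in the switch from __get_user() to get_user(), which adds the access_ok() range check that __get_user() skips, and nothing in the code says so. Add a comment on the get_user() line noting that regs->ip is controlled by user space and that the checked accessor is required, so it is not converted back later as a micro-optimisation. The break on failure covers the repeated page faults the message mentions.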
+-- 
+1.6.6
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/split-flush_old_exec-into-two-functions.patch)
@@ -0,0 +1,241 @@
+commit 221af7f87b97431e3ee21ce4b0e77d5411cf1549
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Thu Jan 28 22:14:42 2010 -0800
+
+    Split 'flush_old_exec' into two functions
+    
+    'flush_old_exec()' is the point of no return when doing an execve(), and
+    it is pretty badly misnamed.  It doesn't just flush the old executable
+    environment, it also starts up the new one.
+    
+    Which is very inconvenient for things like setting up the new
+    personality, because we want the new personality to affect the starting
+    of the new environment, but at the same time we do _not_ want the new
+    personality to take effect if flushing the old one fails.
+    
+    As a result, the x86-64 '32-bit' personality is actually done using this
+    insane "I'm going to change the ABI, but I haven't done it yet" bit
+    (TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the
+    personality, but just the "pending" bit, so that "flush_thread()" can do
+    the actual personality magic.
+    
+    This patch in no way changes any of that insanity, but it does split the
+    'flush_old_exec()' function up into a preparatory part that can fail
+    (still called flush_old_exec()), and a new part that will actually set
+    up the new exec environment (setup_new_exec()).  All callers are changed
+    to trivially comply with the new world order.
+    
+    Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/sh/kernel/process_64.c linux-source-2.6.26/arch/sh/kernel/process_64.c
+--- linux-source-2.6.26.orig/arch/sh/kernel/process_64.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/sh/kernel/process_64.c	2010-02-01 15:30:45.000000000 -0700
+@@ -448,7 +448,7 @@ void exit_thread(void)
+ void flush_thread(void)
+ {
+ 
+-	/* Called by fs/exec.c (flush_old_exec) to remove traces of a
++	/* Called by fs/exec.c (setup_new_exec) to remove traces of a
+ 	 * previously running executable. */
+ #ifdef CONFIG_SH_FPU
+ 	if (last_task_used_math == current) {
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32_aout.c linux-source-2.6.26/arch/x86/ia32/ia32_aout.c
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32_aout.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/ia32_aout.c	2010-02-01 15:30:45.000000000 -0700
+@@ -306,15 +306,17 @@ static int load_aout_binary(struct linux
+ 	if (retval)
+ 		return retval;
+ 
+-	regs->cs = __USER32_CS;
+-	regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 =
+-		regs->r13 = regs->r14 = regs->r15 = 0;
+-
+ 	/* OK, This is the point of no return */
+ 	set_personality(PER_LINUX);
+ 	set_thread_flag(TIF_IA32);
+ 	clear_thread_flag(TIF_ABI_PENDING);
+ 
++	setup_new_exec(bprm);
++
++	regs->cs = __USER32_CS;
++	regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 =
++		regs->r13 = regs->r14 = regs->r15 = 0;
++
+ 	current->mm->end_code = ex.a_text +
+ 		(current->mm->start_code = N_TXTADDR(ex));
+ 	current->mm->end_data = ex.a_data +
+diff -urpN linux-source-2.6.26.orig/fs/binfmt_aout.c linux-source-2.6.26/fs/binfmt_aout.c
+--- linux-source-2.6.26.orig/fs/binfmt_aout.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/binfmt_aout.c	2010-02-01 15:30:45.000000000 -0700
+@@ -310,6 +310,7 @@ static int load_aout_binary(struct linux
+ #else
+ 	set_personality(PER_LINUX);
+ #endif
++	setup_new_exec(bprm);
+ 
+ 	current->mm->end_code = ex.a_text +
+ 		(current->mm->start_code = N_TXTADDR(ex));
+diff -urpN linux-source-2.6.26.orig/fs/binfmt_elf.c linux-source-2.6.26/fs/binfmt_elf.c
+--- linux-source-2.6.26.orig/fs/binfmt_elf.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/binfmt_elf.c	2010-02-01 15:32:24.000000000 -0700
+@@ -635,27 +635,6 @@ static int load_elf_binary(struct linux_
+ 			if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
+ 				goto out_free_interp;
+ 
+-			/*
+-			 * The early SET_PERSONALITY here is so that the lookup
+-			 * for the interpreter happens in the namespace of the 
+-			 * to-be-execed image.  SET_PERSONALITY can select an
+-			 * alternate root.
+-			 *
+-			 * However, SET_PERSONALITY is NOT allowed to switch
+-			 * this task into the new images's memory mapping
+-			 * policy - that is, TASK_SIZE must still evaluate to
+-			 * that which is appropriate to the execing application.
+-			 * This is because exit_mmap() needs to have TASK_SIZE
+-			 * evaluate to the size of the old image.
+-			 *
+-			 * So if (say) a 64-bit application is execing a 32-bit
+-			 * application it is the architecture's responsibility
+-			 * to defer changing the value of TASK_SIZE until the
+-			 * switch really is going to happen - do this in
+-			 * flush_thread().	- akpm
+-			 */
+-			SET_PERSONALITY(loc->elf_ex, 0);
+-
+ 			interpreter = open_exec(elf_interpreter);
+ 			retval = PTR_ERR(interpreter);
+ 			if (IS_ERR(interpreter))
+@@ -703,9 +682,6 @@ static int load_elf_binary(struct linux_
+ 		/* Verify the interpreter has a valid arch */
+ 		if (!elf_check_arch(&loc->interp_elf_ex))
+ 			goto out_free_dentry;
+-	} else {
+-		/* Executables without an interpreter also need a personality  */
+-		SET_PERSONALITY(loc->elf_ex, 0);
+ 	}
+ 
+ 	/* Flush all traces of the currently running executable */
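Review bot: this hunk and the previous one delete both SET_PERSONALITY(loc->elf_ex, 0) calls from load_elf_binary(), and none of the fs/binfmt_elf.c hunks in this patch adds one back, while the commit message says the patch only splits flush_old_exec(). If another patch in the series re-adds the call after flush_old_exec(), name it in the backport note; otherwise ELF binaries would no longer get their personality set. The deleted comment also documented that the interpreter lookup ran after the early SET_PERSONALITY, so open_exec(elf_interpreter) now runs under the old personality and that deserves a line in the description.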
+@@ -725,7 +701,8 @@ static int load_elf_binary(struct linux_
+ 
+ 	if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+ 		current->flags |= PF_RANDOMIZE;
+-	arch_pick_mmap_layout(current->mm);
++
++	setup_new_exec(bprm);
+ 
+ 	/* Do this so that we can load the interpreter, if need be.  We will
+ 	   change some of these later */
+diff -urpN linux-source-2.6.26.orig/fs/binfmt_elf_fdpic.c linux-source-2.6.26/fs/binfmt_elf_fdpic.c
+--- linux-source-2.6.26.orig/fs/binfmt_elf_fdpic.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/binfmt_elf_fdpic.c	2010-02-01 15:33:17.000000000 -0700
+@@ -315,6 +315,9 @@ static int load_elf_fdpic_binary(struct 
+ 	 * defunct, deceased, etc. after this point we have to exit via
+ 	 * error_kill */
+ 	set_personality(PER_LINUX_FDPIC);
++
++	setup_new_exec(bprm);
++
+ 	set_binfmt(&elf_fdpic_format);
+ 
+ 	current->mm->start_code = 0;
+diff -urpN linux-source-2.6.26.orig/fs/binfmt_flat.c linux-source-2.6.26/fs/binfmt_flat.c
+--- linux-source-2.6.26.orig/fs/binfmt_flat.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/binfmt_flat.c	2010-02-01 15:30:49.000000000 -0700
+@@ -510,6 +510,7 @@ static int load_flat_file(struct linux_b
+ 
+ 		/* OK, This is the point of no return */
+ 		set_personality(PER_LINUX_32BIT);
++		setup_new_exec(bprm);
+ 	}
+ 
+ 	/*
+diff -urpN linux-source-2.6.26.orig/fs/binfmt_som.c linux-source-2.6.26/fs/binfmt_som.c
+--- linux-source-2.6.26.orig/fs/binfmt_som.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/binfmt_som.c	2010-02-01 15:30:49.000000000 -0700
+@@ -234,6 +234,7 @@ load_som_binary(struct linux_binprm * bp
+ 	/* OK, This is the point of no return */
+ 	current->flags &= ~PF_FORKNOEXEC;
+ 	current->personality = PER_HPUX;
++	setup_new_exec(bprm);
+ 
+ 	/* Set the task size for HP-UX processes such that
+ 	 * the gateway page is outside the address space.
+diff -urpN linux-source-2.6.26.orig/fs/exec.c linux-source-2.6.26/fs/exec.c
+--- linux-source-2.6.26.orig/fs/exec.c	2010-01-29 17:50:35.000000000 -0700
++++ linux-source-2.6.26/fs/exec.c	2010-02-01 15:30:49.000000000 -0700
+@@ -948,9 +948,7 @@ void set_task_comm(struct task_struct *t
+ 
+ int flush_old_exec(struct linux_binprm * bprm)
+ {
+-	char * name;
+-	int i, ch, retval;
+-	char tcomm[sizeof(current->comm)];
++	int retval;
+ 
+ 	/*
+ 	 * Make sure we have a private signal table and that
+@@ -970,6 +968,20 @@ int flush_old_exec(struct linux_binprm *
+ 		goto out;
+ 
+ 	bprm->mm = NULL;		/* We're using it now */
++	return 0;
++
++out:
++	return retval;
++}
++EXPORT_SYMBOL(flush_old_exec);
++
++void setup_new_exec(struct linux_binprm * bprm)
++{
++	int i, ch;
++	char * name;
++	char tcomm[sizeof(current->comm)];
++
++	arch_pick_mmap_layout(current->mm);
+ 
+ 	/* This is the point of no return */
+ 	current->sas_ss_sp = current->sas_ss_size = 0;
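Review bot: setup_new_exec() is introduced as a void function with no comment stating its contract. Since flush_old_exec() is now the only half that can fail, document above setup_new_exec() that it must be called only after flush_old_exec() has returned 0 and after the loader has set the personality, which is the order the aout, fdpic, flat and som loaders in this patch follow. The remaining "out:" label in flush_old_exec() now only returns retval and could be replaced by direct returns.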
+@@ -1018,14 +1030,8 @@ int flush_old_exec(struct linux_binprm *
+ 			
+ 	flush_signal_handlers(current, 0);
+ 	flush_old_files(current->files);
+-
+-	return 0;
+-
+-out:
+-	return retval;
+ }
+-
+-EXPORT_SYMBOL(flush_old_exec);
++EXPORT_SYMBOL(setup_new_exec);
+ 
+ /* 
+  * Fill the binprm structure from the inode. 
+diff -urpN linux-source-2.6.26.orig/include/linux/binfmts.h linux-source-2.6.26/include/linux/binfmts.h
+--- linux-source-2.6.26.orig/include/linux/binfmts.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/binfmts.h	2010-02-01 15:30:49.000000000 -0700
+@@ -80,6 +80,7 @@ extern int prepare_binprm(struct linux_b
+ extern int __must_check remove_arg_zero(struct linux_binprm *);
+ extern int search_binary_handler(struct linux_binprm *,struct pt_regs *);
+ extern int flush_old_exec(struct linux_binprm * bprm);
++extern void setup_new_exec(struct linux_binprm * bprm);
+ 
+ extern int suid_dumpable;
+ #define SUID_DUMP_DISABLE	0	/* No setuid dumping */
+diff -urpN linux-source-2.6.26.orig/include/linux/sched.h linux-source-2.6.26/include/linux/sched.h
+--- linux-source-2.6.26.orig/include/linux/sched.h	2010-01-29 17:50:35.000000000 -0700
++++ linux-source-2.6.26/include/linux/sched.h	2010-02-01 15:30:49.000000000 -0700
+@@ -1153,7 +1153,7 @@ struct task_struct {
+ 	char comm[TASK_COMM_LEN]; /* executable name excluding path
+ 				     - access with [gs]et_task_comm (which lock
+ 				       it with task_lock())
+-				     - initialized normally by flush_old_exec */
++				     - initialized normally by setup_new_exec */
+ /* file system info */
+ 	int link_count, total_link_count;
+ #ifdef CONFIG_SYSVIPC

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch)
@@ -0,0 +1,10 @@
+--- a/include/asm-powerpc/hugetlb.h	2010-02-05 16:18:25.000000000 -0700
++++ b/include/asm-powerpc/hugetlb.h	2010-02-05 16:17:35.000000000 -0700
+@@ -1,6 +1,7 @@
+ #ifndef _ASM_POWERPC_HUGETLB_H
+ #define _ASM_POWERPC_HUGETLB_H
+ 
++#include <linux/mm.h>
+ #include <asm/page.h>
+ 
+ 
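Review bot: this patch file starts directly at the "--- a/include/asm-powerpc/hugetlb.h" header with no description, author or origin line, unlike the other patches added in this commit. Add a short header saying which build or declaration problem the added "#include <linux/mm.h>" resolves and that it accompanies untangle-the-do_mremap-mess.patch, so the include is not removed as unused later.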

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess-xen.patch)
@@ -0,0 +1,12 @@
+diff -urpN a/arch/x86/ia32/ia32entry-xen.S b/arch/x86/ia32/ia32entry-xen.S
+--- a/arch/x86/ia32/ia32entry-xen.S	2010-01-31 22:52:27.000000000 -0700
++++ b/arch/x86/ia32/ia32entry-xen.S	2010-01-31 22:55:26.000000000 -0700
+@@ -537,7 +537,7 @@ ia32_sys_call_table:
+ 	.quad quiet_ni_syscall		/* streams2 */
+ 	.quad stub32_vfork            /* 190 */
+ 	.quad compat_sys_getrlimit
+-	.quad sys32_mmap2
++	.quad sys_mmap_pgoff
+ 	.quad sys32_truncate64
+ 	.quad sys32_ftruncate64
+ 	.quad sys32_stat64		/* 195 */

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/all/untangle-the-do_mremap-mess.patch)
@@ -0,0 +1,2321 @@
+diff -urpN linux-source-2.6.26.orig/arch/alpha/kernel/osf_sys.c linux-source-2.6.26/arch/alpha/kernel/osf_sys.c
+--- linux-source-2.6.26.orig/arch/alpha/kernel/osf_sys.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/alpha/kernel/osf_sys.c	2010-01-22 17:15:05.000000000 -0700
+@@ -178,25 +178,18 @@ SYSCALL_DEFINE6(osf_mmap, unsigned long,
+ 		unsigned long, prot, unsigned long, flags, unsigned long, fd,
+ 		unsigned long, off)
+ {
+-	struct file *file = NULL;
+-	unsigned long ret = -EBADF;
++	unsigned long ret = -EINVAL;
+ 
+ #if 0
+ 	if (flags & (_MAP_HASSEMAPHORE | _MAP_INHERIT | _MAP_UNALIGNED))
+ 		printk("%s: unimplemented OSF mmap flags %04lx\n", 
+ 			current->comm, flags);
+ #endif
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	down_write(&current->mm->mmap_sem);
+-	ret = do_mmap(file, addr, len, prot, flags, off);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
++	if ((off + PAGE_ALIGN(len)) < off)
++		goto out;
++	if (off & ~PAGE_MASK)
++		goto out;
++	ret = sys_mmap_pgoff(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
+  out:
+ 	return ret;
+ }
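Review bot: the wrap check "(off + PAGE_ALIGN(len)) < off" does not catch a len within one page of the top of the address range, because PAGE_ALIGN(len) itself wraps to 0 there and the sum equals off. Confirm that sys_mmap_pgoff() rejects a zero aligned length, or test PAGE_ALIGN(len) for 0 here before the addition. The failure code for a bad descriptor also no longer comes from this function (ret now starts as -EINVAL instead of -EBADF), which is fine only if sys_mmap_pgoff() returns -EBADF itself.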
+diff -urpN linux-source-2.6.26.orig/arch/arm/kernel/calls.S linux-source-2.6.26/arch/arm/kernel/calls.S
+--- linux-source-2.6.26.orig/arch/arm/kernel/calls.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/arm/kernel/calls.S	2010-01-22 17:15:05.000000000 -0700
+@@ -172,7 +172,7 @@
+ /* 160 */	CALL(sys_sched_get_priority_min)
+ 		CALL(sys_sched_rr_get_interval)
+ 		CALL(sys_nanosleep)
+-		CALL(sys_arm_mremap)
++		CALL(sys_mremap)
+ 		CALL(sys_setresuid16)
+ /* 165 */	CALL(sys_getresuid16)
+ 		CALL(sys_ni_syscall)		/* vm86 */
+diff -urpN linux-source-2.6.26.orig/arch/arm/kernel/entry-common.S linux-source-2.6.26/arch/arm/kernel/entry-common.S
+--- linux-source-2.6.26.orig/arch/arm/kernel/entry-common.S	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/arm/kernel/entry-common.S	2010-01-22 17:15:05.000000000 -0700
+@@ -344,12 +344,12 @@ sys_mmap2:
+ 		tst	r5, #PGOFF_MASK
+ 		moveq	r5, r5, lsr #PAGE_SHIFT - 12
+ 		streq	r5, [sp, #4]
+-		beq	do_mmap2
++		beq	sys_mmap_pgoff
+ 		mov	r0, #-EINVAL
+ 		mov	pc, lr
+ #else
+ 		str	r5, [sp, #4]
+-		b	do_mmap2
++		b	sys_mmap_pgoff
+ #endif
+ 
+ ENTRY(pabort_ifar)
+diff -urpN linux-source-2.6.26.orig/arch/arm/kernel/sys_arm.c linux-source-2.6.26/arch/arm/kernel/sys_arm.c
+--- linux-source-2.6.26.orig/arch/arm/kernel/sys_arm.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/arm/kernel/sys_arm.c	2010-01-22 17:15:05.000000000 -0700
+@@ -30,41 +30,6 @@
+ 
+ #include <asm/uaccess.h>
+ 
+-extern unsigned long do_mremap(unsigned long addr, unsigned long old_len,
+-			       unsigned long new_len, unsigned long flags,
+-			       unsigned long new_addr);
+-
+-/* common code for old and new mmaps */
+-inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EINVAL;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	if (flags & MAP_FIXED && addr < FIRST_USER_ADDRESS)
+-		goto out;
+-
+-	error = -EBADF;
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ struct mmap_arg_struct {
+ 	unsigned long addr;
+ 	unsigned long len;
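Review bot: The removed `do_mmap2()` rejected `MAP_FIXED` requests with `addr < FIRST_USER_ADDRESS` before taking `mmap_sem`, and neither this hunk nor the `old_mmap` hunk after it re-adds that test. The description should say where that floor is enforced on the `sys_mmap_pgoff` path, or the check should stay in a small ARM wrapper.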
+@@ -86,29 +51,11 @@ asmlinkage int old_mmap(struct mmap_arg_
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+ 
+-asmlinkage unsigned long
+-sys_arm_mremap(unsigned long addr, unsigned long old_len,
+-	       unsigned long new_len, unsigned long flags,
+-	       unsigned long new_addr)
+-{
+-	unsigned long ret = -EINVAL;
+-
+-	if (flags & MREMAP_FIXED && new_addr < FIRST_USER_ADDRESS)
+-		goto out;
+-
+-	down_write(&current->mm->mmap_sem);
+-	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
+-	up_write(&current->mm->mmap_sem);
+-
+-out:
+-	return ret;
+-}
+-
+ /*
+  * Perform the select(nd, in, out, ex, tv) and mmap() system
+  * calls.
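Review bot: Deleting `sys_arm_mremap()` also deletes its `MREMAP_FIXED && new_addr < FIRST_USER_ADDRESS` rejection, and the `calls.S` entry now points straight at `sys_mremap`. Nothing visible in the ARM changes replaces that test, so the patch description should name the common-code check that covers fixed remaps to low addresses.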
+diff -urpN linux-source-2.6.26.orig/arch/arm/mm/mmap.c linux-source-2.6.26/arch/arm/mm/mmap.c
+--- linux-source-2.6.26.orig/arch/arm/mm/mmap.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/arm/mm/mmap.c	2010-01-22 17:15:05.000000000 -0700
+@@ -52,7 +52,8 @@ arch_get_unmapped_area(struct file *filp
+ 	 * We enforce the MAP_FIXED case.
+ 	 */
+ 	if (flags & MAP_FIXED) {
+-		if (aliasing && flags & MAP_SHARED && addr & (SHMLBA - 1))
++		if (aliasing && flags & MAP_SHARED &&
++		    (addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))
+ 			return -EINVAL;
+ 		return addr;
+ 	}
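Review bot: The comment above this test still says only "We enforce the MAP_FIXED case", while the condition no longer requires `addr` to be `SHMLBA`-aligned and instead compares `addr` against the file offset with `(addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)`. Extend the comment to describe the new rule, and parenthesise `flags & MAP_SHARED` as the MIPS version of this test does now that the expression spans two lines.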
+diff -urpN linux-source-2.6.26.orig/arch/avr32/kernel/sys_avr32.c linux-source-2.6.26/arch/avr32/kernel/sys_avr32.c
+--- linux-source-2.6.26.orig/arch/avr32/kernel/sys_avr32.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/avr32/kernel/sys_avr32.c	2010-01-24 23:11:18.000000000 -0700
+@@ -5,38 +5,8 @@
+  * it under the terms of the GNU General Public License version 2 as
+  * published by the Free Software Foundation.
+  */
+-#include <linux/errno.h>
+-#include <linux/fs.h>
+-#include <linux/file.h>
+-#include <linux/mm.h>
+ #include <linux/unistd.h>
+ 
+-#include <asm/mman.h>
+-#include <asm/uaccess.h>
+-
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-			  unsigned long prot, unsigned long flags,
+-			  unsigned long fd, off_t offset)
+-{
+-	int error = -EBADF;
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			return error;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, offset);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-	return error;
+-}
+-
+ int kernel_execve(const char *file, char **argv, char **envp)
+ {
+ 	register long scno asm("r8") = __NR_execve;
+diff -urpN linux-source-2.6.26.orig/arch/avr32/kernel/syscall-stubs.S linux-source-2.6.26/arch/avr32/kernel/syscall-stubs.S
+--- linux-source-2.6.26.orig/arch/avr32/kernel/syscall-stubs.S	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/avr32/kernel/syscall-stubs.S	2010-01-24 23:11:51.000000000 -0700
+@@ -61,7 +61,7 @@ __sys_execve:
+ __sys_mmap2:
+ 	pushm	lr
+ 	st.w	--sp, ARG6
+-	rcall	sys_mmap2
++	call	sys_mmap_pgoff
+ 	sub	sp, -4
+ 	popm	pc
+ 
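Review bot: `rcall sys_mmap2` becomes `call sys_mmap_pgoff`, so the instruction changes along with the target and the patch gives no reason. If the switch is needed because the new target is no longer defined under arch/avr32 and may be out of `rcall` range, say so in the description; otherwise keep `rcall`.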
+diff -urpN linux-source-2.6.26.orig/arch/blackfin/kernel/sys_bfin.c linux-source-2.6.26/arch/blackfin/kernel/sys_bfin.c
+--- linux-source-2.6.26.orig/arch/blackfin/kernel/sys_bfin.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/blackfin/kernel/sys_bfin.c	2010-01-24 23:12:46.000000000 -0700
+@@ -45,39 +45,6 @@
+ #include <asm/cacheflush.h>
+ #include <asm/dma.h>
+ 
+-/* common code for old and new mmaps */
+-static inline long
+-do_mmap2(unsigned long addr, unsigned long len,
+-	 unsigned long prot, unsigned long flags,
+-	 unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+- out:
+-	return error;
+-}
+-
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-			  unsigned long prot, unsigned long flags,
+-			  unsigned long fd, unsigned long pgoff)
+-{
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff);
+-}
+-
+ asmlinkage int sys_getpagesize(void)
+ {
+ 	return PAGE_SIZE;
+diff -urpN linux-source-2.6.26.orig/arch/blackfin/mach-common/entry.S linux-source-2.6.26/arch/blackfin/mach-common/entry.S
+--- linux-source-2.6.26.orig/arch/blackfin/mach-common/entry.S	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/blackfin/mach-common/entry.S	2010-01-22 17:15:08.000000000 -0700
+@@ -1220,7 +1220,7 @@ ENTRY(_sys_call_table)
+ 	.long _sys_ni_syscall	/* streams2 */
+ 	.long _sys_vfork		/* 190 */
+ 	.long _sys_getrlimit
+-	.long _sys_mmap2
++	.long _sys_mmap_pgoff
+ 	.long _sys_truncate64
+ 	.long _sys_ftruncate64
+ 	.long _sys_stat64	/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/cris/kernel/sys_cris.c linux-source-2.6.26/arch/cris/kernel/sys_cris.c
+--- linux-source-2.6.26.orig/arch/cris/kernel/sys_cris.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/cris/kernel/sys_cris.c	2010-01-22 17:15:08.000000000 -0700
+@@ -27,31 +27,6 @@
+ #include <asm/uaccess.h>
+ #include <asm/segment.h>
+ 
+-/* common code for old and new mmaps */
+-static inline long
+-do_mmap2(unsigned long addr, unsigned long len, unsigned long prot,
+-        unsigned long flags, unsigned long fd, unsigned long pgoff)
+-{
+-        int error = -EBADF;
+-        struct file * file = NULL;
+-
+-        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-        if (!(flags & MAP_ANONYMOUS)) {
+-                file = fget(fd);
+-                if (!file)
+-                        goto out;
+-        }
+-
+-        down_write(&current->mm->mmap_sem);
+-        error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-        up_write(&current->mm->mmap_sem);
+-
+-        if (file)
+-                fput(file);
+-out:
+-        return error;
+-}
+-
+ asmlinkage unsigned long old_mmap(unsigned long __user *args)
+ {        
+ 	unsigned long buffer[6];
+@@ -64,7 +39,7 @@ asmlinkage unsigned long old_mmap(unsign
+ 	if (buffer[5] & ~PAGE_MASK) /* verify that offset is on page boundary */
+ 		goto out;
+ 
+-	err = do_mmap2(buffer[0], buffer[1], buffer[2], buffer[3],
++	err = sys_mmap_pgoff(buffer[0], buffer[1], buffer[2], buffer[3],
+                        buffer[4], buffer[5] >> PAGE_SHIFT);
+ out:
+ 	return err;
+@@ -74,7 +49,8 @@ asmlinkage long
+ sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot,
+           unsigned long flags, unsigned long fd, unsigned long pgoff)
+ {
+-        return do_mmap2(addr, len, prot, flags, fd, pgoff);
++	/* bug(?): 8Kb pages here */
++        return sys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
+ }
+ 
+ /*
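Review bot: The added comment `/* bug(?): 8Kb pages here */` in `sys_mmap2` records a suspected unit mismatch and then passes `pgoff` through unchanged. Resolve it in this patch, for example with the `pgoff >> (PAGE_SHIFT - 12)` form the frv and parisc wrappers use, or state in the comment why the unshifted value is correct. The new comment line is tab-indented while the `return` below it is indented with spaces.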
+diff -urpN linux-source-2.6.26.orig/arch/frv/kernel/sys_frv.c linux-source-2.6.26/arch/frv/kernel/sys_frv.c
+--- linux-source-2.6.26.orig/arch/frv/kernel/sys_frv.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/frv/kernel/sys_frv.c	2010-01-24 23:15:23.000000000 -0700
+@@ -32,16 +32,6 @@ asmlinkage long sys_mmap2(unsigned long 
+ 			  unsigned long prot, unsigned long flags,
+ 			  unsigned long fd, unsigned long pgoff)
+ {
+-	int error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+ 	/* As with sparc32, make sure the shift for mmap2 is constant
+ 	   (12), no matter what PAGE_SIZE we have.... */
+ 
+@@ -50,62 +40,9 @@ asmlinkage long sys_mmap2(unsigned long 
+ 	if (pgoff & ((1<<(PAGE_SHIFT-12))-1))
+ 		return -EINVAL;
+ 
+-	pgoff >>= (PAGE_SHIFT - 12);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+-#if 0 /* DAVIDM - do we want this */
+-struct mmap_arg_struct64 {
+-	__u32 addr;
+-	__u32 len;
+-	__u32 prot;
+-	__u32 flags;
+-	__u64 offset; /* 64 bits */
+-	__u32 fd;
+-};
+-
+-asmlinkage long sys_mmap64(struct mmap_arg_struct64 *arg)
+-{
+-	int error = -EFAULT;
+-	struct file * file = NULL;
+-	struct mmap_arg_struct64 a;
+-	unsigned long pgoff;
+-
+-	if (copy_from_user(&a, arg, sizeof(a)))
+-		return -EFAULT;
+-
+-	if ((long)a.offset & ~PAGE_MASK)
+-		return -EINVAL;
+-
+-	pgoff = a.offset >> PAGE_SHIFT;
+-	if ((a.offset >> PAGE_SHIFT) != pgoff)
+-		return -EINVAL;
+-
+-	if (!(a.flags & MAP_ANONYMOUS)) {
+-		error = -EBADF;
+-		file = fget(a.fd);
+-		if (!file)
+-			goto out;
+-	}
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, a.addr, a.len, a.prot, a.flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
++	return sys_mmap_pgoff(addr, len, prot, flags, fd,
++			      pgoff >> (PAGE_SHIFT - 12));
+ }
+-#endif
+ 
+ /*
+  * sys_ipc() is the de-multiplexer for the SysV IPC calls..
+diff -urpN linux-source-2.6.26.orig/arch/h8300/kernel/syscalls.S linux-source-2.6.26/arch/h8300/kernel/syscalls.S
+--- linux-source-2.6.26.orig/arch/h8300/kernel/syscalls.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/h8300/kernel/syscalls.S	2010-01-22 17:15:08.000000000 -0700
+@@ -206,7 +206,7 @@ SYMBOL_NAME_LABEL(sys_call_table)	
+ 	.long SYMBOL_NAME(sys_ni_syscall)	/* streams2 */
+ 	.long SYMBOL_NAME(sys_vfork)            /* 190 */
+ 	.long SYMBOL_NAME(sys_getrlimit)
+-	.long SYMBOL_NAME(sys_mmap2)
++	.long SYMBOL_NAME(sys_mmap_pgoff)
+ 	.long SYMBOL_NAME(sys_truncate64)
+ 	.long SYMBOL_NAME(sys_ftruncate64)
+ 	.long SYMBOL_NAME(sys_stat64)		/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/h8300/kernel/sys_h8300.c linux-source-2.6.26/arch/h8300/kernel/sys_h8300.c
+--- linux-source-2.6.26.orig/arch/h8300/kernel/sys_h8300.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/h8300/kernel/sys_h8300.c	2010-01-22 17:15:08.000000000 -0700
+@@ -27,39 +27,6 @@
+ #include <asm/traps.h>
+ #include <asm/unistd.h>
+ 
+-/* common code for old and new mmaps */
+-static inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff);
+-}
+-
+ /*
+  * Perform the select(nd, in, out, ex, tv) and mmap() system
+  * calls. Linux/m68k cloned Linux/i386, which didn't use to be able to
+@@ -88,58 +55,12 @@ asmlinkage int old_mmap(struct mmap_arg_
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
++			       a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+ 
+-#if 0 /* DAVIDM - do we want this */
+-struct mmap_arg_struct64 {
+-	__u32 addr;
+-	__u32 len;
+-	__u32 prot;
+-	__u32 flags;
+-	__u64 offset; /* 64 bits */
+-	__u32 fd;
+-};
+-
+-asmlinkage long sys_mmap64(struct mmap_arg_struct64 *arg)
+-{
+-	int error = -EFAULT;
+-	struct file * file = NULL;
+-	struct mmap_arg_struct64 a;
+-	unsigned long pgoff;
+-
+-	if (copy_from_user(&a, arg, sizeof(a)))
+-		return -EFAULT;
+-
+-	if ((long)a.offset & ~PAGE_MASK)
+-		return -EINVAL;
+-
+-	pgoff = a.offset >> PAGE_SHIFT;
+-	if ((a.offset >> PAGE_SHIFT) != pgoff)
+-		return -EINVAL;
+-
+-	if (!(a.flags & MAP_ANONYMOUS)) {
+-		error = -EBADF;
+-		file = fget(a.fd);
+-		if (!file)
+-			goto out;
+-	}
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, a.addr, a.len, a.prot, a.flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-#endif
+-
+ struct sel_arg_struct {
+ 	unsigned long n;
+ 	fd_set *inp, *outp, *exp;
+diff -urpN linux-source-2.6.26.orig/arch/ia64/ia32/sys_ia32.c linux-source-2.6.26/arch/ia64/ia32/sys_ia32.c
+--- linux-source-2.6.26.orig/arch/ia64/ia32/sys_ia32.c	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/ia64/ia32/sys_ia32.c	2010-01-22 17:15:08.000000000 -0700
+@@ -893,6 +893,9 @@ ia32_do_mmap (struct file *file, unsigne
+ 
+ 	prot = get_prot32(prot);
+ 
++	/*if (flags & MAP_HUGETLB)
++		return -ENOMEM;*/
++
+ #if PAGE_SHIFT > IA32_PAGE_SHIFT
+ 	mutex_lock(&ia32_mmap_mutex);
+ 	{
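Review bot: The three added lines are a commented-out `MAP_HUGETLB` test, so this hunk changes no behaviour in `ia32_do_mmap` and only adds dead code. Drop it, or enable the check and explain why `-ENOMEM` is the right result for that flag.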
+diff -urpN linux-source-2.6.26.orig/arch/ia64/kernel/sys_ia64.c linux-source-2.6.26/arch/ia64/kernel/sys_ia64.c
+--- linux-source-2.6.26.orig/arch/ia64/kernel/sys_ia64.c	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/ia64/kernel/sys_ia64.c	2010-01-22 17:15:08.000000000 -0700
+@@ -100,51 +100,7 @@ sys_getpagesize (void)
+ asmlinkage unsigned long
+ ia64_brk (unsigned long brk)
+ {
+-	unsigned long rlim, retval, newbrk, oldbrk;
+-	struct mm_struct *mm = current->mm;
+-
+-	/*
+-	 * Most of this replicates the code in sys_brk() except for an additional safety
+-	 * check and the clearing of r8.  However, we can't call sys_brk() because we need
+-	 * to acquire the mmap_sem before we can do the test...
+-	 */
+-	down_write(&mm->mmap_sem);
+-
+-	if (brk < mm->end_code)
+-		goto out;
+-	newbrk = PAGE_ALIGN(brk);
+-	oldbrk = PAGE_ALIGN(mm->brk);
+-	if (oldbrk == newbrk)
+-		goto set_brk;
+-
+-	/* Always allow shrinking brk. */
+-	if (brk <= mm->brk) {
+-		if (!do_munmap(mm, newbrk, oldbrk-newbrk))
+-			goto set_brk;
+-		goto out;
+-	}
+-
+-	/* Check against unimplemented/unmapped addresses: */
+-	if ((newbrk - oldbrk) > RGN_MAP_LIMIT || REGION_OFFSET(newbrk) > RGN_MAP_LIMIT)
+-		goto out;
+-
+-	/* Check against rlimit.. */
+-	rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
+-	if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
+-		goto out;
+-
+-	/* Check against existing mmap mappings. */
+-	if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE))
+-		goto out;
+-
+-	/* Ok, looks good - let it rip. */
+-	if (do_brk(oldbrk, newbrk-oldbrk) != oldbrk)
+-		goto out;
+-set_brk:
+-	mm->brk = brk;
+-out:
+-	retval = mm->brk;
+-	up_write(&mm->mmap_sem);
++	unsigned long retval = sys_brk(brk);
+ 	force_successful_syscall_return();
+ 	return retval;
+ }
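Review bot: Replacing the body of `ia64_brk` with `sys_brk(brk)` removes the region test `(newbrk - oldbrk) > RGN_MAP_LIMIT || REGION_OFFSET(newbrk) > RGN_MAP_LIMIT`, which the deleted comment described as an additional safety check that `sys_brk()` did not perform. Nothing in this hunk shows where that limit is enforced now, so the description needs to point at the replacement check.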
+@@ -185,39 +141,6 @@ int ia64_mmap_check(unsigned long addr, 
+ 	return 0;
+ }
+ 
+-static inline unsigned long
+-do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff)
+-{
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			return -EBADF;
+-
+-		if (!file->f_op || !file->f_op->mmap) {
+-			addr = -ENODEV;
+-			goto out;
+-		}
+-	}
+-
+-	/* Careful about overflows.. */
+-	len = PAGE_ALIGN(len);
+-	if (!len || len > TASK_SIZE) {
+-		addr = -EINVAL;
+-		goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-out:	if (file)
+-		fput(file);
+-	return addr;
+-}
+-
+ /*
+  * mmap2() is like mmap() except that the offset is expressed in units
+  * of PAGE_SIZE (instead of bytes).  This allows to mmap2() (pieces
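Review bot: The deleted `do_mmap2` returned `-ENODEV` for a file without an `mmap` operation and `-EINVAL` when `PAGE_ALIGN(len)` was zero or larger than `TASK_SIZE`, both before taking `mmap_sem`. `sys_mmap2` and `sys_mmap` now call `sys_mmap_pgoff` directly, so confirm the common path returns the same errors for those inputs and record that in the description.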
+@@ -226,7 +149,7 @@ out:	if (file)
+ asmlinkage unsigned long
+ sys_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, long pgoff)
+ {
+-	addr = do_mmap2(addr, len, prot, flags, fd, pgoff);
++	addr = sys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
+ 	if (!IS_ERR((void *) addr))
+ 		force_successful_syscall_return();
+ 	return addr;
+@@ -238,7 +161,7 @@ sys_mmap (unsigned long addr, unsigned l
+ 	if (offset_in_page(off) != 0)
+ 		return -EINVAL;
+ 
+-	addr = do_mmap2(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
++	addr = sys_mmap_pgoff(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
+ 	if (!IS_ERR((void *) addr))
+ 		force_successful_syscall_return();
+ 	return addr;
+diff -urpN linux-source-2.6.26.orig/arch/m32r/kernel/syscall_table.S linux-source-2.6.26/arch/m32r/kernel/syscall_table.S
+--- linux-source-2.6.26.orig/arch/m32r/kernel/syscall_table.S	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/m32r/kernel/syscall_table.S	2010-01-22 17:15:08.000000000 -0700
+@@ -191,7 +191,7 @@ ENTRY(sys_call_table)
+ 	.long sys_ni_syscall		/* streams2 */
+ 	.long sys_vfork			/* 190 */
+ 	.long sys_getrlimit
+-	.long sys_mmap2
++	.long sys_mmap_pgoff
+ 	.long sys_truncate64
+ 	.long sys_ftruncate64
+ 	.long sys_stat64		/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/m32r/kernel/sys_m32r.c linux-source-2.6.26/arch/m32r/kernel/sys_m32r.c
+--- linux-source-2.6.26.orig/arch/m32r/kernel/sys_m32r.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/m32r/kernel/sys_m32r.c	2010-01-22 17:15:08.000000000 -0700
+@@ -76,30 +76,6 @@ asmlinkage int sys_tas(int __user *addr)
+ 	return oldval;
+ }
+ 
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ /*
+  * sys_ipc() is the de-multiplexer for the SysV IPC calls..
+  *
+diff -urpN linux-source-2.6.26.orig/arch/m68k/kernel/sys_m68k.c linux-source-2.6.26/arch/m68k/kernel/sys_m68k.c
+--- linux-source-2.6.26.orig/arch/m68k/kernel/sys_m68k.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/m68k/kernel/sys_m68k.c	2010-01-22 17:15:08.000000000 -0700
+@@ -30,37 +30,16 @@
+ #include <asm/page.h>
+ #include <asm/unistd.h>
+ 
+-/* common code for old and new mmaps */
+-static inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags,
+ 	unsigned long fd, unsigned long pgoff)
+ {
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff);
++	/*
++	 * This is wrong for sun3 - there PAGE_SIZE is 8Kb,
++	 * so we need to shift the argument down by 1; m68k mmap64(3)
++	 * (in libc) expects the last argument of mmap2 in 4Kb units.
++	 */
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
+ }
+ 
+ /*
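Review bot: The new comment in `sys_mmap2` says the call is wrong for sun3, where `PAGE_SIZE` is 8Kb and the argument needs shifting down by 1, yet `pgoff` is still passed to `sys_mmap_pgoff` unchanged. Apply the shift in this patch, as the wrappers that use `pgoff >> (PAGE_SHIFT - 12)` do, or mark the comment as a known open issue so it does not read as describing code that already handles the case.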
+@@ -91,57 +70,11 @@ asmlinkage int old_mmap(struct mmap_arg_
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
+-out:
+-	return error;
+-}
+-
+-#if 0
+-struct mmap_arg_struct64 {
+-	__u32 addr;
+-	__u32 len;
+-	__u32 prot;
+-	__u32 flags;
+-	__u64 offset; /* 64 bits */
+-	__u32 fd;
+-};
+-
+-asmlinkage long sys_mmap64(struct mmap_arg_struct64 *arg)
+-{
+-	int error = -EFAULT;
+-	struct file * file = NULL;
+-	struct mmap_arg_struct64 a;
+-	unsigned long pgoff;
+-
+-	if (copy_from_user(&a, arg, sizeof(a)))
+-		return -EFAULT;
+-
+-	if ((long)a.offset & ~PAGE_MASK)
+-		return -EINVAL;
+-
+-	pgoff = a.offset >> PAGE_SHIFT;
+-	if ((a.offset >> PAGE_SHIFT) != pgoff)
+-		return -EINVAL;
+-
+-	if (!(a.flags & MAP_ANONYMOUS)) {
+-		error = -EBADF;
+-		file = fget(a.fd);
+-		if (!file)
+-			goto out;
+-	}
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, a.addr, a.len, a.prot, a.flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
++			       a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+-#endif
+ 
+ struct sel_arg_struct {
+ 	unsigned long n;
+diff -urpN linux-source-2.6.26.orig/arch/m68knommu/kernel/syscalltable.S linux-source-2.6.26/arch/m68knommu/kernel/syscalltable.S
+--- linux-source-2.6.26.orig/arch/m68knommu/kernel/syscalltable.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/m68knommu/kernel/syscalltable.S	2010-01-22 17:15:08.000000000 -0700
+@@ -210,7 +210,7 @@ ENTRY(sys_call_table)
+ 	.long sys_ni_syscall	/* streams2 */
+ 	.long sys_vfork		/* 190 */
+ 	.long sys_getrlimit
+-	.long sys_mmap2
++	.long sys_mmap_pgoff
+ 	.long sys_truncate64
+ 	.long sys_ftruncate64
+ 	.long sys_stat64	/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/m68knommu/kernel/sys_m68k.c linux-source-2.6.26/arch/m68knommu/kernel/sys_m68k.c
+--- linux-source-2.6.26.orig/arch/m68knommu/kernel/sys_m68k.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/m68knommu/kernel/sys_m68k.c	2010-01-22 17:15:08.000000000 -0700
+@@ -28,39 +28,6 @@
+ #include <asm/cacheflush.h>
+ #include <asm/unistd.h>
+ 
+-/* common code for old and new mmaps */
+-static inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff);
+-}
+-
+ /*
+  * Perform the select(nd, in, out, ex, tv) and mmap() system
+  * calls. Linux/m68k cloned Linux/i386, which didn't use to be able to
+@@ -89,9 +56,8 @@ asmlinkage int old_mmap(struct mmap_arg_
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
++				a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/mips/kernel/linux32.c linux-source-2.6.26/arch/mips/kernel/linux32.c
+--- linux-source-2.6.26.orig/arch/mips/kernel/linux32.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/mips/kernel/linux32.c	2010-01-22 17:15:08.000000000 -0700
+@@ -104,28 +104,13 @@ SYSCALL_DEFINE6(32_mmap2, unsigned long,
+ 	unsigned long, prot, unsigned long, flags, unsigned long, fd,
+ 	unsigned long, pgoff)
+ {
+-	struct file * file = NULL;
+ 	unsigned long error;
+ 
+ 	error = -EINVAL;
+ 	if (pgoff & (~PAGE_MASK >> 12))
+ 		goto out;
+-	pgoff >>= PAGE_SHIFT-12;
+-
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		error = -EBADF;
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
+-
++	error = sys_mmap_pgoff(addr, len, prot, flags, fd,
++			       pgoff >> (PAGE_SHIFT-12));
+ out:
+ 	return error;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/mips/kernel/syscall.c linux-source-2.6.26/arch/mips/kernel/syscall.c
+--- linux-source-2.6.26.orig/arch/mips/kernel/syscall.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/mips/kernel/syscall.c	2010-01-22 17:15:08.000000000 -0700
+@@ -92,7 +92,8 @@ unsigned long arch_get_unmapped_area(str
+ 		 * We do not accept a shared mapping if it would violate
+ 		 * cache aliasing constraints.
+ 		 */
+-		if ((flags & MAP_SHARED) && (addr & shm_align_mask))
++		if ((flags & MAP_SHARED) &&
++		    ((addr - (pgoff << PAGE_SHIFT)) & shm_align_mask))
+ 			return -EINVAL;
+ 		return addr;
+ 	}
+@@ -128,31 +129,6 @@ unsigned long arch_get_unmapped_area(str
+ 	}
+ }
+ 
+-/* common code for old and new mmaps */
+-static inline unsigned long
+-do_mmap2(unsigned long addr, unsigned long len, unsigned long prot,
+-        unsigned long flags, unsigned long fd, unsigned long pgoff)
+-{
+-	unsigned long error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
+ 	unsigned long, prot, unsigned long, flags, unsigned long,
+ 	fd, off_t, offset)
+@@ -163,7 +139,7 @@ SYSCALL_DEFINE6(mips_mmap, unsigned long
+ 	if (offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	result = do_mmap2(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
++	result = sys_mmap_pgoff(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
+ 
+ out:
+ 	return result;
+@@ -176,7 +152,7 @@ SYSCALL_DEFINE6(mips_mmap2, unsigned lon
+ 	if (pgoff & (~PAGE_MASK >> 12))
+ 		return -EINVAL;
+ 
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff >> (PAGE_SHIFT-12));
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, pgoff >> (PAGE_SHIFT-12));
+ }
+ 
+ save_static_function(sys_fork);
+diff -urpN linux-source-2.6.26.orig/arch/mn10300/kernel/entry.S linux-source-2.6.26/arch/mn10300/kernel/entry.S
+--- linux-source-2.6.26.orig/arch/mn10300/kernel/entry.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/mn10300/kernel/entry.S	2010-01-22 17:15:08.000000000 -0700
+@@ -580,7 +580,7 @@ ENTRY(sys_call_table)
+ 	.long sys_ni_syscall	/* reserved for streams2 */
+ 	.long sys_vfork		/* 190 */
+ 	.long sys_getrlimit
+-	.long sys_mmap2
++	.long sys_mmap_pgoff
+ 	.long sys_truncate64
+ 	.long sys_ftruncate64
+ 	.long sys_stat64	/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/mn10300/kernel/sys_mn10300.c linux-source-2.6.26/arch/mn10300/kernel/sys_mn10300.c
+--- linux-source-2.6.26.orig/arch/mn10300/kernel/sys_mn10300.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/mn10300/kernel/sys_mn10300.c	2010-01-22 17:15:08.000000000 -0700
+@@ -26,47 +26,13 @@
+ 
+ #include <asm/uaccess.h>
+ 
+-#define MIN_MAP_ADDR	PAGE_SIZE	/* minimum fixed mmap address */
+-
+-/*
+- * memory mapping syscall
+- */
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-			  unsigned long prot, unsigned long flags,
+-			  unsigned long fd, unsigned long pgoff)
+-{
+-	struct file *file = NULL;
+-	long error = -EINVAL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	if (flags & MAP_FIXED && addr < MIN_MAP_ADDR)
+-		goto out;
+-
+-	error = -EBADF;
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ asmlinkage long old_mmap(unsigned long addr, unsigned long len,
+ 			 unsigned long prot, unsigned long flags,
+ 			 unsigned long fd, unsigned long offset)
+ {
+ 	if (offset & ~PAGE_MASK)
+ 		return -EINVAL;
+-	return sys_mmap2(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
+ }
+ 
+ struct sel_arg_struct {
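Review bot: Removing `sys_mmap2` from this file also removes `MIN_MAP_ADDR` and the `MAP_FIXED && addr < MIN_MAP_ADDR` rejection, so `old_mmap` now reaches `sys_mmap_pgoff` with no lower bound on fixed addresses in this file. State which common-code check takes over that role, or keep the test in `old_mmap`.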
+diff -urpN linux-source-2.6.26.orig/arch/parisc/kernel/sys_parisc.c linux-source-2.6.26/arch/parisc/kernel/sys_parisc.c
+--- linux-source-2.6.26.orig/arch/parisc/kernel/sys_parisc.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/parisc/kernel/sys_parisc.c	2010-01-22 17:15:08.000000000 -0700
+@@ -110,37 +110,14 @@ unsigned long arch_get_unmapped_area(str
+ 	return addr;
+ }
+ 
+-static unsigned long do_mmap2(unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags, unsigned long fd,
+-	unsigned long pgoff)
+-{
+-	struct file * file = NULL;
+-	unsigned long error = -EBADF;
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file != NULL)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ asmlinkage unsigned long sys_mmap2(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags, unsigned long fd,
+ 	unsigned long pgoff)
+ {
+ 	/* Make sure the shift for mmap2 is constant (12), no matter what PAGE_SIZE
+ 	   we have. */
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff >> (PAGE_SHIFT - 12));
++	return sys_mmap_pgoff(addr, len, prot, flags, fd,
++			      pgoff >> (PAGE_SHIFT - 12));
+ }
+ 
+ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+@@ -148,7 +125,8 @@ asmlinkage unsigned long sys_mmap(unsign
+ 		unsigned long offset)
+ {
+ 	if (!(offset & ~PAGE_MASK)) {
+-		return do_mmap2(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
++		return sys_mmap_pgoff(addr, len, prot, flags, fd,
++					offset >> PAGE_SHIFT);
+ 	} else {
+ 		return -EINVAL;
+ 	}
+diff -urpN linux-source-2.6.26.orig/arch/powerpc/kernel/syscalls.c linux-source-2.6.26/arch/powerpc/kernel/syscalls.c
+--- linux-source-2.6.26.orig/arch/powerpc/kernel/syscalls.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/powerpc/kernel/syscalls.c	2010-01-22 17:15:08.000000000 -0700
+@@ -140,7 +140,6 @@ static inline unsigned long do_mmap2(uns
+ 			unsigned long prot, unsigned long flags,
+ 			unsigned long fd, unsigned long off, int shift)
+ {
+-	struct file * file = NULL;
+ 	unsigned long ret = -EINVAL;
+ 
+ 	if (shift) {
+@@ -148,20 +147,8 @@ static inline unsigned long do_mmap2(uns
+ 			goto out;
+ 		off >>= shift;
+ 	}
+-		
+-	ret = -EBADF;
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		if (!(file = fget(fd)))
+-			goto out;
+-	}
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ 
+-	down_write(&current->mm->mmap_sem);
+-	ret = do_mmap_pgoff(file, addr, len, prot, flags, off);
+-	up_write(&current->mm->mmap_sem);
+-	if (file)
+-		fput(file);
++	ret = sys_mmap_pgoff(addr, len, prot, flags, fd, off);
+ out:
+ 	return ret;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/s390/kernel/compat_linux.c linux-source-2.6.26/arch/s390/kernel/compat_linux.c
+--- linux-source-2.6.26.orig/arch/s390/kernel/compat_linux.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/s390/kernel/compat_linux.c	2010-01-22 17:15:08.000000000 -0700
+@@ -843,38 +843,6 @@ struct mmap_arg_struct_emu31 {
+ 	u32	offset;
+ };
+ 
+-/* common code for old and new mmaps */
+-static inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	struct file * file = NULL;
+-	unsigned long error = -EBADF;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	if (!IS_ERR((void *) error) && error + len >= 0x80000000ULL) {
+-		/* Result is out of bounds.  */
+-		do_munmap(current->mm, addr, len);
+-		error = -ENOMEM;
+-	}
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:    
+-	return error;
+-}
+-
+-
+ asmlinkage unsigned long
+ old32_mmap(struct mmap_arg_struct_emu31 __user *arg)
+ {
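Review bot: The removed compat do_mmap2() rejected any mapping whose end reached 0x80000000 (`error + len >= 0x80000000ULL`, followed by do_munmap() and -ENOMEM). Nothing in this file replaces that 31-bit bound once old32_mmap() and sys32_mmap2() call sys_mmap_pgoff() directly. Please state in the patch description where the limit is enforced now (for example an s390 arch_mmap_check(), which this diff does not show), or keep the bound in the compat wrappers.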
+@@ -888,7 +856,8 @@ old32_mmap(struct mmap_arg_struct_emu31 
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT); 
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
++			       a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+@@ -901,7 +870,7 @@ sys32_mmap2(struct mmap_arg_struct_emu31
+ 
+ 	if (copy_from_user(&a, arg, sizeof(a)))
+ 		goto out;
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, a.offset);
+ out:
+ 	return error;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/s390/kernel/sys_s390.c linux-source-2.6.26/arch/s390/kernel/sys_s390.c
+--- linux-source-2.6.26.orig/arch/s390/kernel/sys_s390.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/s390/kernel/sys_s390.c	2010-01-22 17:15:08.000000000 -0700
+@@ -33,32 +33,6 @@
+ #include <asm/uaccess.h>
+ #include "entry.h"
+ 
+-/* common code for old and new mmaps */
+-static inline long do_mmap2(
+-	unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags,
+-	unsigned long fd, unsigned long pgoff)
+-{
+-	long error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ /*
+  * Perform the select(nd, in, out, ex, tv) and mmap() system
+  * calls. Linux for S/390 isn't able to handle more than 5
+@@ -82,7 +56,7 @@ SYSCALL_DEFINE1(mmap2, struct mmap_arg_s
+ 
+ 	if (copy_from_user(&a, arg, sizeof(a)))
+ 		goto out;
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, a.offset);
+ out:
+ 	return error;
+ }
+@@ -99,7 +73,7 @@ SYSCALL_DEFINE1(s390_old_mmap, struct mm
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	error = do_mmap2(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
++	error = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd, a.offset >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/sh/kernel/sys_sh.c linux-source-2.6.26/arch/sh/kernel/sys_sh.c
+--- linux-source-2.6.26.orig/arch/sh/kernel/sys_sh.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/sh/kernel/sys_sh.c	2010-01-24 23:18:02.000000000 -0700
+@@ -49,7 +49,8 @@ unsigned long arch_get_unmapped_area(str
+ 		/* We do not accept a shared mapping if it would violate
+ 		 * cache aliasing constraints.
+ 		 */
+-		if ((flags & MAP_SHARED) && (addr & shm_align_mask))
++		if ((flags & MAP_SHARED) &&
++		    ((addr - (pgoff << PAGE_SHIFT)) & shm_align_mask))
+ 			return -EINVAL;
+ 		return addr;
+ 	}
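Review bot: In the MAP_FIXED branch of arch_get_unmapped_area(), the new test subtracts `pgoff << PAGE_SHIFT` from addr, but the comment above it still only mentions cache aliasing constraints. Please extend the comment to say that a shared mapping must now be congruent with its file offset under shm_align_mask, and that wrap-around of the shift is harmless because only the low bits survive the mask.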
+@@ -117,44 +118,20 @@ full_search:
+ }
+ #endif /* CONFIG_MMU */
+ 
+-static inline long
+-do_mmap2(unsigned long addr, unsigned long len, unsigned long prot,
+-	 unsigned long flags, int fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ asmlinkage int old_mmap(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags,
+ 	int fd, unsigned long off)
+ {
+ 	if (off & ~PAGE_MASK)
+ 		return -EINVAL;
+-	return do_mmap2(addr, len, prot, flags, fd, off>>PAGE_SHIFT);
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, off>>PAGE_SHIFT);
+ }
+ 
+ asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags,
+ 	unsigned long fd, unsigned long pgoff)
+ {
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff);
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
+ }
+ 
+ /*
+diff -urpN linux-source-2.6.26.orig/arch/sparc/kernel/sys_sparc.c linux-source-2.6.26/arch/sparc/kernel/sys_sparc.c
+--- linux-source-2.6.26.orig/arch/sparc/kernel/sys_sparc.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/sparc/kernel/sys_sparc.c	2010-01-24 22:45:57.000000000 -0700
+@@ -45,7 +45,8 @@ unsigned long arch_get_unmapped_area(str
+ 		/* We do not accept a shared mapping if it would violate
+ 		 * cache aliasing constraints.
+ 		 */
+-		if ((flags & MAP_SHARED) && (addr & (SHMLBA - 1)))
++		if ((flags & MAP_SHARED) &&
++		    ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
+ 			return -EINVAL;
+ 		return addr;
+ 	}
+@@ -79,15 +80,6 @@ unsigned long arch_get_unmapped_area(str
+ 	}
+ }
+ 
+-asmlinkage unsigned long sparc_brk(unsigned long brk)
+-{
+-	if(ARCH_SUN4C_SUN4) {
+-		if ((brk & 0xe0000000) != (current->mm->brk & 0xe0000000))
+-			return current->mm->brk;
+-	}
+-	return sys_brk(brk);
+-}
+-
+ /*
+  * sys_pipe() is the normal C calling standard for creating
+  * a pipe. It's not the way unix traditionally does this, though.
+@@ -234,31 +226,6 @@ int sparc_mmap_check(unsigned long addr,
+ }
+ 
+ /* Linux version of mmap */
+-static unsigned long do_mmap2(unsigned long addr, unsigned long len,
+-	unsigned long prot, unsigned long flags, unsigned long fd,
+-	unsigned long pgoff)
+-{
+-	struct file * file = NULL;
+-	unsigned long retval = -EBADF;
+-
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	len = PAGE_ALIGN(len);
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-
+-	down_write(&current->mm->mmap_sem);
+-	retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return retval;
+-}
+ 
+ asmlinkage unsigned long sys_mmap2(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags, unsigned long fd,
+@@ -266,14 +233,16 @@ asmlinkage unsigned long sys_mmap2(unsig
+ {
+ 	/* Make sure the shift for mmap2 is constant (12), no matter what PAGE_SIZE
+ 	   we have. */
+-	return do_mmap2(addr, len, prot, flags, fd, pgoff >> (PAGE_SHIFT - 12));
++	return sys_mmap_pgoff(addr, len, prot, flags, fd,
++			      pgoff >> (PAGE_SHIFT - 12));
+ }
+ 
+ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
+ 	unsigned long prot, unsigned long flags, unsigned long fd,
+ 	unsigned long off)
+ {
+-	return do_mmap2(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
++	/* no alignment check? */
++	return sys_mmap_pgoff(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
+ }
+ 
+ long sparc_remap_file_pages(unsigned long start, unsigned long size,
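Review bot: The added `/* no alignment check? */` in sys_mmap() leaves an open question in the code. The parisc sys_mmap() and sh old_mmap() wrappers in this same patch return -EINVAL when `off & ~PAGE_MASK` is set, while this one silently drops the low bits of off through `off >> PAGE_SHIFT`. Either add the same check here or replace the comment with a statement of why sparc32 accepts unaligned offsets.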
+@@ -287,27 +256,6 @@ long sparc_remap_file_pages(unsigned lon
+ 				    (pgoff >> (PAGE_SHIFT - 12)), flags);
+ }
+ 
+-extern unsigned long do_mremap(unsigned long addr,
+-	unsigned long old_len, unsigned long new_len,
+-	unsigned long flags, unsigned long new_addr);
+-                
+-asmlinkage unsigned long sparc_mremap(unsigned long addr,
+-	unsigned long old_len, unsigned long new_len,
+-	unsigned long flags, unsigned long new_addr)
+-{
+-	unsigned long ret = -EINVAL;
+-
+-	if (unlikely(sparc_mmap_check(addr, old_len)))
+-		goto out;
+-	if (unlikely(sparc_mmap_check(new_addr, new_len)))
+-		goto out;
+-	down_write(&current->mm->mmap_sem);
+-	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
+-	up_write(&current->mm->mmap_sem);
+-out:
+-	return ret;       
+-}
+-
+ /* we come to here via sys_nis_syscall so it can setup the regs argument */
+ asmlinkage unsigned long
+ c_sys_nis_syscall (struct pt_regs *regs)
+diff -urpN linux-source-2.6.26.orig/arch/sparc/kernel/systbls.S linux-source-2.6.26/arch/sparc/kernel/systbls.S
+--- linux-source-2.6.26.orig/arch/sparc/kernel/systbls.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/sparc/kernel/systbls.S	2010-01-24 22:58:13.000000000 -0700
+@@ -19,7 +19,7 @@ sys_call_table:
+ /*0*/	.long sys_restart_syscall, sys_exit, sys_fork, sys_read, sys_write
+ /*5*/	.long sys_open, sys_close, sys_wait4, sys_creat, sys_link
+ /*10*/  .long sys_unlink, sunos_execv, sys_chdir, sys_chown16, sys_mknod
+-/*15*/	.long sys_chmod, sys_lchown16, sparc_brk, sys_nis_syscall, sys_lseek
++/*15*/	.long sys_chmod, sys_lchown16, sys_brk, sys_nis_syscall, sys_lseek
+ /*20*/	.long sys_getpid, sys_capget, sys_capset, sys_setuid16, sys_getuid16
+ /*25*/	.long sys_vmsplice, sys_ptrace, sys_alarm, sys_sigaltstack, sys_pause
+ /*30*/	.long sys_utime, sys_lchown, sys_fchown, sys_access, sys_nice
+@@ -67,7 +67,7 @@ sys_call_table:
+ /*235*/	.long sys_fstatfs64, sys_llseek, sys_mlock, sys_munlock, sys_mlockall
+ /*240*/	.long sys_munlockall, sys_sched_setparam, sys_sched_getparam, sys_sched_setscheduler, sys_sched_getscheduler
+ /*245*/	.long sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep
+-/*250*/	.long sparc_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
++/*250*/	.long sys_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl
+ /*255*/	.long sys_sync_file_range, sys_clock_settime, sys_clock_gettime, sys_clock_getres, sys_clock_nanosleep
+ /*260*/	.long sys_sched_getaffinity, sys_sched_setaffinity, sys_timer_settime, sys_timer_gettime, sys_timer_getoverrun
+ /*265*/	.long sys_timer_delete, sys_timer_create, sys_nis_syscall, sys_io_setup, sys_io_destroy
+diff -urpN linux-source-2.6.26.orig/arch/sparc64/kernel/sys_sparc.c linux-source-2.6.26/arch/sparc64/kernel/sys_sparc.c
+--- linux-source-2.6.26.orig/arch/sparc64/kernel/sys_sparc.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/sparc64/kernel/sys_sparc.c	2010-01-24 22:50:20.000000000 -0700
+@@ -316,10 +316,14 @@ bottomup:
+ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, unsigned long len, unsigned long pgoff, unsigned long flags)
+ {
+ 	unsigned long align_goal, addr = -ENOMEM;
++	unsigned long (*get_area)(struct file *, unsigned long,
++				  unsigned long, unsigned long, unsigned long);
++
++	get_area = current->mm->get_unmapped_area;
+ 
+ 	if (flags & MAP_FIXED) {
+ 		/* Ok, don't mess with it. */
+-		return get_unmapped_area(NULL, orig_addr, len, pgoff, flags);
++		return get_area(NULL, orig_addr, len, pgoff, flags);
+ 	}
+ 	flags &= ~MAP_SHARED;
+ 
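Review bot: get_fb_unmapped_area() now calls current->mm->get_unmapped_area directly, which skips the arch_mmap_check() and `len > TASK_SIZE` tests that this patch adds to the generic get_unmapped_area() in mm/mmap.c. A short comment at the `get_area = current->mm->get_unmapped_area;` assignment should say why bypassing the wrapper is safe here, since the diff itself does not show which callers have already run those checks.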
+@@ -332,7 +336,7 @@ unsigned long get_fb_unmapped_area(struc
+ 		align_goal = (64UL * 1024);
+ 
+ 	do {
+-		addr = get_unmapped_area(NULL, orig_addr, len + (align_goal - PAGE_SIZE), pgoff, flags);
++		addr = get_area(NULL, orig_addr, len + (align_goal - PAGE_SIZE), pgoff, flags);
+ 		if (!(addr & ~PAGE_MASK)) {
+ 			addr = (addr + (align_goal - 1UL)) & ~(align_goal - 1UL);
+ 			break;
+@@ -350,7 +354,7 @@ unsigned long get_fb_unmapped_area(struc
+ 	 * be obtained.
+ 	 */
+ 	if (addr & ~PAGE_MASK)
+-		addr = get_unmapped_area(NULL, orig_addr, len, pgoff, flags);
++		addr = get_area(NULL, orig_addr, len, pgoff, flags);
+ 
+ 	return addr;
+ }
+@@ -397,18 +401,6 @@ void arch_pick_mmap_layout(struct mm_str
+ 	}
+ }
+ 
+-SYSCALL_DEFINE1(sparc_brk, unsigned long, brk)
+-{
+-	/* People could try to be nasty and use ta 0x6d in 32bit programs */
+-	if (test_thread_flag(TIF_32BIT) && brk >= STACK_TOP32)
+-		return current->mm->brk;
+-
+-	if (unlikely(straddles_64bit_va_hole(current->mm->brk, brk)))
+-		return current->mm->brk;
+-
+-	return sys_brk(brk);
+-}
+-                                                                
+ /*
+  * sys_pipe() is the normal C calling standard for creating
+  * a pipe. It's not the way unix traditionally does this, though.
+@@ -566,23 +558,13 @@ SYSCALL_DEFINE6(mmap, unsigned long, add
+ 		unsigned long, prot, unsigned long, flags, unsigned long, fd,
+ 		unsigned long, off)
+ {
+-	struct file * file = NULL;
+-	unsigned long retval = -EBADF;
+-
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	len = PAGE_ALIGN(len);
++	unsigned long retval = -EINVAL;
+ 
+-	down_write(&current->mm->mmap_sem);
+-	retval = do_mmap(file, addr, len, prot, flags, off);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
++	if ((off + PAGE_ALIGN(len)) < off)
++		goto out;
++	if (off & ~PAGE_MASK)
++		goto out;
++	retval = sys_mmap_pgoff(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
+ out:
+ 	return retval;
+ }
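Review bot: In the new overflow test `(off + PAGE_ALIGN(len)) < off`, PAGE_ALIGN(len) itself wraps to 0 when len is within a page of ULONG_MAX, so the test passes for exactly the largest lengths. That case is only caught later by the `!len` test after PAGE_ALIGN() in do_mmap_pgoff(); please add a comment noting the dependency so the check is not read as complete on its own.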
+@@ -612,12 +594,6 @@ SYSCALL_DEFINE5(64_mremap, unsigned long
+ 
+ 	if (test_thread_flag(TIF_32BIT))
+ 		goto out;
+-	if (unlikely(new_len >= VA_EXCLUDE_START))
+-		goto out;
+-	if (unlikely(sparc64_mmap_check(addr, old_len)))
+-		goto out;
+-	if (unlikely(sparc64_mmap_check(new_addr, new_len)))
+-		goto out;
+ 
+ 	down_write(&current->mm->mmap_sem);
+ 	ret = do_mremap(addr, old_len, new_len, flags, new_addr);
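Review bot: With the `new_len >= VA_EXCLUDE_START` test and both sparc64_mmap_check() calls gone, nothing visible in 64_mremap validates addr/old_len or new_addr/new_len before do_mremap(). The safety now rests entirely on the mm/mremap.c rework reaching get_unmapped_area() and arch_mmap_check(). Please note that dependency in a comment above the do_mremap() call so the range checks are not assumed to be local.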
+diff -urpN linux-source-2.6.26.orig/arch/sparc64/kernel/systbls.h linux-source-2.6.26/arch/sparc64/kernel/systbls.h
+--- linux-source-2.6.26.orig/arch/sparc64/kernel/systbls.h	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/sparc64/kernel/systbls.h	2010-01-24 23:00:08.000000000 -0700
+@@ -8,7 +8,6 @@
+ #include <asm/signal.h>
+ 
+ extern asmlinkage unsigned long sys_getpagesize(void);
+-extern asmlinkage unsigned long sparc_brk(unsigned long brk);
+ extern asmlinkage long sparc_pipe(struct pt_regs *regs);
+ extern asmlinkage long sys_ipc(unsigned int call, int first,
+ 			       unsigned long second,
+diff -urpN linux-source-2.6.26.orig/arch/sparc64/kernel/systbls.S linux-source-2.6.26/arch/sparc64/kernel/systbls.S
+--- linux-source-2.6.26.orig/arch/sparc64/kernel/systbls.S	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/arch/sparc64/kernel/systbls.S	2010-01-24 22:59:03.000000000 -0700
+@@ -21,7 +21,7 @@ sys_call_table32:
+ /*0*/	.word sys_restart_syscall, sys32_exit, sys_fork, sys_read, sys_write
+ /*5*/	.word sys32_open, sys_close, sys32_wait4, sys32_creat, sys_link
+ /*10*/  .word sys_unlink, sunos_execv, sys_chdir, sys32_chown16, sys32_mknod
+-/*15*/	.word sys_chmod, sys32_lchown16, sys_sparc_brk, sys32_perfctr, sys32_lseek
++/*15*/	.word sys_chmod, sys_lchown16, sys_brk, sys32_perfctr, sys32_lseek
+ /*20*/	.word sys_getpid, sys_capget, sys_capset, sys32_setuid16, sys32_getuid16
+ /*25*/	.word sys32_vmsplice, compat_sys_ptrace, sys_alarm, sys32_sigaltstack, sys32_pause
+ /*30*/	.word compat_sys_utime, sys_lchown, sys_fchown, sys32_access, sys32_nice
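Review bot: The /*15*/ line of sys_call_table32 changes two entries, not one. Besides `sys_sparc_brk` becoming `sys_brk`, `sys32_lchown16` becomes `sys_lchown16`, which is unrelated to the mmap/brk rework and replaces the compat wrapper in the 32-bit table. The native sys_call_table hunk that follows touches only the brk slot, so this looks like a backport slip; restore `sys32_lchown16` unless the switch is intended and explained.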
+@@ -94,7 +94,7 @@ sys_call_table:
+ /*0*/	.word sys_restart_syscall, sparc_exit, sys_fork, sys_read, sys_write
+ /*5*/	.word sys_open, sys_close, sys_wait4, sys_creat, sys_link
+ /*10*/  .word sys_unlink, sys_nis_syscall, sys_chdir, sys_chown, sys_mknod
+-/*15*/	.word sys_chmod, sys_lchown, sys_sparc_brk, sys_perfctr, sys_lseek
++/*15*/	.word sys_chmod, sys_lchown, sys_brk, sys_perfctr, sys_lseek
+ /*20*/	.word sys_getpid, sys_capget, sys_capset, sys_setuid, sys_getuid
+ /*25*/	.word sys_vmsplice, sys_ptrace, sys_alarm, sys_sigaltstack, sys_nis_syscall
+ /*30*/	.word sys_utime, sys_nis_syscall, sys_nis_syscall, sys_access, sys_nice
+diff -urpN linux-source-2.6.26.orig/arch/um/include/sysdep-i386/syscalls.h linux-source-2.6.26/arch/um/include/sysdep-i386/syscalls.h
+--- linux-source-2.6.26.orig/arch/um/include/sysdep-i386/syscalls.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/um/include/sysdep-i386/syscalls.h	2010-01-22 17:30:51.000000000 -0700
+@@ -20,7 +20,3 @@ extern syscall_handler_t *sys_call_table
+ #define EXECUTE_SYSCALL(syscall, regs) \
+ 	((long (*)(struct syscall_args)) \
+ 	 (*sys_call_table[syscall]))(SYSCALL_ARGS(&regs->regs))
+-
+-extern long sys_mmap2(unsigned long addr, unsigned long len,
+-		      unsigned long prot, unsigned long flags,
+-		      unsigned long fd, unsigned long pgoff);
+diff -urpN linux-source-2.6.26.orig/arch/um/kernel/syscall.c linux-source-2.6.26/arch/um/kernel/syscall.c
+--- linux-source-2.6.26.orig/arch/um/kernel/syscall.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/um/kernel/syscall.c	2010-01-22 17:15:08.000000000 -0700
+@@ -8,6 +8,7 @@
+ #include "linux/mm.h"
+ #include "linux/sched.h"
+ #include "linux/utsname.h"
++#include "linux/syscalls.h"
+ #include "asm/current.h"
+ #include "asm/mman.h"
+ #include "asm/uaccess.h"
+@@ -36,31 +37,6 @@ long sys_vfork(void)
+ 	return ret;
+ }
+ 
+-/* common code for old and new mmaps */
+-long sys_mmap2(unsigned long addr, unsigned long len,
+-	       unsigned long prot, unsigned long flags,
+-	       unsigned long fd, unsigned long pgoff)
+-{
+-	long error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+- out:
+-	return error;
+-}
+-
+ long old_mmap(unsigned long addr, unsigned long len,
+ 	      unsigned long prot, unsigned long flags,
+ 	      unsigned long fd, unsigned long offset)
+@@ -69,7 +45,7 @@ long old_mmap(unsigned long addr, unsign
+ 	if (offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	err = sys_mmap2(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
++	err = sys_mmap_pgoff(addr, len, prot, flags, fd, offset >> PAGE_SHIFT);
+  out:
+ 	return err;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S	2009-12-26 01:14:58.000000000 -0700
++++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S	2010-01-22 17:15:08.000000000 -0700
+@@ -600,7 +600,7 @@ ia32_sys_call_table:
+ 	.quad quiet_ni_syscall		/* streams2 */
+ 	.quad stub32_vfork            /* 190 */
+ 	.quad compat_sys_getrlimit
+-	.quad sys32_mmap2
++	.quad sys_mmap_pgoff
+ 	.quad sys32_truncate64
+ 	.quad sys32_ftruncate64
+ 	.quad sys32_stat64		/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/sys_ia32.c linux-source-2.6.26/arch/x86/ia32/sys_ia32.c
+--- linux-source-2.6.26.orig/arch/x86/ia32/sys_ia32.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/sys_ia32.c	2010-01-22 17:15:08.000000000 -0700
+@@ -199,9 +199,6 @@ struct mmap_arg_struct {
+ asmlinkage long sys32_mmap(struct mmap_arg_struct __user *arg)
+ {
+ 	struct mmap_arg_struct a;
+-	struct file *file = NULL;
+-	unsigned long retval;
+-	struct mm_struct *mm ;
+ 
+ 	if (copy_from_user(&a, arg, sizeof(a)))
+ 		return -EFAULT;
+@@ -209,22 +206,8 @@ asmlinkage long sys32_mmap(struct mmap_a
+ 	if (a.offset & ~PAGE_MASK)
+ 		return -EINVAL;
+ 
+-	if (!(a.flags & MAP_ANONYMOUS)) {
+-		file = fget(a.fd);
+-		if (!file)
+-			return -EBADF;
+-	}
+-
+-	mm = current->mm;
+-	down_write(&mm->mmap_sem);
+-	retval = do_mmap_pgoff(file, a.addr, a.len, a.prot, a.flags,
++	return sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
+ 			       a.offset>>PAGE_SHIFT);
+-	if (file)
+-		fput(file);
+-
+-	up_write(&mm->mmap_sem);
+-
+-	return retval;
+ }
+ 
+ asmlinkage long sys32_mprotect(unsigned long start, size_t len,
+@@ -670,30 +653,6 @@ asmlinkage long sys32_sendfile(int out_f
+ 	return ret;
+ }
+ 
+-asmlinkage long sys32_mmap2(unsigned long addr, unsigned long len,
+-			    unsigned long prot, unsigned long flags,
+-			    unsigned long fd, unsigned long pgoff)
+-{
+-	struct mm_struct *mm = current->mm;
+-	unsigned long error;
+-	struct file *file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			return -EBADF;
+-	}
+-
+-	down_write(&mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-	return error;
+-}
+-
+ asmlinkage long sys32_olduname(struct oldold_utsname __user *name)
+ {
+ 	char *arch = "x86_64";
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/syscall_table_32.S linux-source-2.6.26/arch/x86/kernel/syscall_table_32.S
+--- linux-source-2.6.26.orig/arch/x86/kernel/syscall_table_32.S	2009-12-26 01:14:55.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kernel/syscall_table_32.S	2010-01-22 17:15:08.000000000 -0700
+@@ -191,7 +191,7 @@ ENTRY(sys_call_table)
+ 	.long sys_ni_syscall	/* reserved for streams2 */
+ 	.long sys_vfork		/* 190 */
+ 	.long sys_getrlimit
+-	.long sys_mmap2
++	.long sys_mmap_pgoff
+ 	.long sys_truncate64
+ 	.long sys_ftruncate64
+ 	.long sys_stat64	/* 195 */
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/sys_i386_32.c linux-source-2.6.26/arch/x86/kernel/sys_i386_32.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/sys_i386_32.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kernel/sys_i386_32.c	2010-01-22 17:15:08.000000000 -0700
+@@ -22,31 +22,6 @@
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ 
+-asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
+-			  unsigned long prot, unsigned long flags,
+-			  unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file *file = NULL;
+-	struct mm_struct *mm = current->mm;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ /*
+  * Perform the select(nd, in, out, ex, tv) and mmap() system
+  * calls. Linux/i386 didn't use to be able to handle more than
+@@ -75,7 +50,7 @@ asmlinkage int old_mmap(struct mmap_arg_
+ 	if (a.offset & ~PAGE_MASK)
+ 		goto out;
+ 
+-	err = sys_mmap2(a.addr, a.len, a.prot, a.flags,
++	err = sys_mmap_pgoff(a.addr, a.len, a.prot, a.flags,
+ 			a.fd, a.offset >> PAGE_SHIFT);
+ out:
+ 	return err;
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/sys_x86_64.c linux-source-2.6.26/arch/x86/kernel/sys_x86_64.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/sys_x86_64.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kernel/sys_x86_64.c	2010-01-22 17:27:43.000000000 -0700
+@@ -21,26 +21,11 @@ asmlinkage long sys_mmap(unsigned long a
+ 	unsigned long fd, unsigned long off)
+ {
+ 	long error;
+-	struct file * file;
+-
+ 	error = -EINVAL;
+ 	if (off & ~PAGE_MASK)
+ 		goto out;
+ 
+-	error = -EBADF;
+-	file = NULL;
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, off >> PAGE_SHIFT);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
++	error = sys_mmap_pgoff(addr, len, prot, flags, fd, off >> PAGE_SHIFT);
+ out:
+ 	return error;
+ }
+diff -urpN linux-source-2.6.26.orig/arch/xtensa/kernel/syscall.c linux-source-2.6.26/arch/xtensa/kernel/syscall.c
+--- linux-source-2.6.26.orig/arch/xtensa/kernel/syscall.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/xtensa/kernel/syscall.c	2010-01-22 17:15:08.000000000 -0700
+@@ -57,31 +57,6 @@ asmlinkage long xtensa_pipe(int __user *
+ 	return error;
+ }
+ 
+-
+-asmlinkage long xtensa_mmap2(unsigned long addr, unsigned long len,
+-   			     unsigned long prot, unsigned long flags,
+-			     unsigned long fd, unsigned long pgoff)
+-{
+-	int error = -EBADF;
+-	struct file * file = NULL;
+-
+-	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+-	if (!(flags & MAP_ANONYMOUS)) {
+-		file = fget(fd);
+-		if (!file)
+-			goto out;
+-	}
+-
+-	down_write(&current->mm->mmap_sem);
+-	error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+-	up_write(&current->mm->mmap_sem);
+-
+-	if (file)
+-		fput(file);
+-out:
+-	return error;
+-}
+-
+ asmlinkage long xtensa_shmat(int shmid, char __user *shmaddr, int shmflg)
+ {
+ 	unsigned long ret;
+diff -urpN linux-source-2.6.26.orig/include/asm-arm/mman.h linux-source-2.6.26/include/asm-arm/mman.h
+--- linux-source-2.6.26.orig/include/asm-arm/mman.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-arm/mman.h	2010-01-22 17:15:05.000000000 -0700
+@@ -1,4 +1,7 @@
+ #ifndef __ARM_MMAN_H__
++
++#define arch_mmap_check(addr, len, flags) \
++	(((flags) & MAP_FIXED && (addr) < FIRST_USER_ADDRESS) ? -EINVAL : 0)
+ #define __ARM_MMAN_H__
+ 
+ #include <asm-generic/mman.h>
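Review bot: The arch_mmap_check() define lands between `#ifndef __ARM_MMAN_H__` and `#define __ARM_MMAN_H__`, splitting the include guard. It still compiles, but please move it below the guard define, preferably after the asm-generic/mman.h include, so the guard reads as a pair. Writing `((flags) & MAP_FIXED)` with its own parentheses would also make the intended precedence explicit.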
+diff -urpN linux-source-2.6.26.orig/include/asm-mn10300/mman.h linux-source-2.6.26/include/asm-mn10300/mman.h
+--- linux-source-2.6.26.orig/include/asm-mn10300/mman.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-mn10300/mman.h	2010-01-22 17:15:08.000000000 -0700
+@@ -1,4 +1,9 @@
+ /* MN10300 Constants for mmap and co.
++
++#define MIN_MAP_ADDR	PAGE_SIZE	/* minimum fixed mmap address */
++
++#define arch_mmap_check(addr, len, flags) \
++	(((flags) & MAP_FIXED && (addr) < MIN_MAP_ADDR) ? -EINVAL : 0)
+  *
+  * Copyright (C) 2007 Matsushita Electric Industrial Co., Ltd.
+  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
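Review bot: The added lines sit inside the file's opening comment: they follow `/* MN10300 Constants for mmap and co.` and precede its ` *` continuation lines. Comments do not nest, so the `*/` after "minimum fixed mmap address" closes the header comment. The MIN_MAP_ADDR define is therefore swallowed as comment text, arch_mmap_check() refers to an undefined MIN_MAP_ADDR, and the remaining ` * Copyright ...` lines are parsed as code. Move both defines below the end of the header comment.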
+diff -urpN linux-source-2.6.26.orig/include/asm-xtensa/syscall.h linux-source-2.6.26/include/asm-xtensa/syscall.h
+--- linux-source-2.6.26.orig/include/asm-xtensa/syscall.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-xtensa/syscall.h	2010-01-22 17:15:08.000000000 -0700
+@@ -13,8 +13,6 @@ struct sigaction;
+ asmlinkage long xtensa_execve(char*, char**, char**, struct pt_regs*);
+ asmlinkage long xtensa_clone(unsigned long, unsigned long, struct pt_regs*);
+ asmlinkage long xtensa_pipe(int __user *);
+-asmlinkage long xtensa_mmap2(unsigned long, unsigned long, unsigned long,
+-    			     unsigned long, unsigned long, unsigned long);
+ asmlinkage long xtensa_ptrace(long, long, long, long);
+ asmlinkage long xtensa_sigreturn(struct pt_regs*);
+ asmlinkage long xtensa_rt_sigreturn(struct pt_regs*);
+diff -urpN linux-source-2.6.26.orig/include/asm-xtensa/unistd.h linux-source-2.6.26/include/asm-xtensa/unistd.h
+--- linux-source-2.6.26.orig/include/asm-xtensa/unistd.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-xtensa/unistd.h	2010-01-22 17:15:08.000000000 -0700
+@@ -189,7 +189,7 @@ __SYSCALL( 79, sys_fremovexattr, 2)
+ /* File Map / Shared Memory Operations */
+ 
+ #define __NR_mmap2 				 80
+-__SYSCALL( 80, xtensa_mmap2, 6)
++__SYSCALL( 80, sys_mmap_pgoff, 6)
+ #define __NR_munmap 				 81
+ __SYSCALL( 81, sys_munmap, 2)
+ #define __NR_mprotect 				 82
+diff -urpN linux-source-2.6.26.orig/include/linux/syscalls.h linux-source-2.6.26/include/linux/syscalls.h
+--- linux-source-2.6.26.orig/include/linux/syscalls.h	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/include/linux/syscalls.h	2010-01-22 17:33:52.000000000 -0700
+@@ -686,6 +686,10 @@ asmlinkage long sys_ppoll(struct pollfd 
+ asmlinkage long sys_pipe2(int __user *, int);
+ asmlinkage long sys_pipe(int __user *);
+ 
++asmlinkage long sys_mmap_pgoff(unsigned long addr, unsigned long len,
++			unsigned long prot, unsigned long flags,
++			unsigned long fd, unsigned long pgoff);
++
+ int kernel_execve(const char *filename, char *const argv[], char *const envp[]);
+ 
+ #endif
+diff -urpN linux-source-2.6.26.orig/ipc/shm.c linux-source-2.6.26/ipc/shm.c
+--- linux-source-2.6.26.orig/ipc/shm.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/ipc/shm.c	2010-01-22 17:18:51.000000000 -0700
+@@ -304,28 +304,28 @@ static unsigned long shm_get_unmapped_ar
+ 	unsigned long flags)
+ {
+ 	struct shm_file_data *sfd = shm_file_data(file);
+-	return get_unmapped_area(sfd->file, addr, len, pgoff, flags);
+-}
+-
+-int is_file_shm_hugepages(struct file *file)
+-{
+-	int ret = 0;
+-
+-	if (file->f_op == &shm_file_operations) {
+-		struct shm_file_data *sfd;
+-		sfd = shm_file_data(file);
+-		ret = is_file_hugepages(sfd->file);
+-	}
+-	return ret;
++	return sfd->file->f_op->get_unmapped_area(sfd->file, addr, len,
++						pgoff, flags);
+ }
+ 
+ static const struct file_operations shm_file_operations = {
+ 	.mmap		= shm_mmap,
+ 	.fsync		= shm_fsync,
+ 	.release	= shm_release,
++};
++
++static const struct file_operations shm_file_operations_huge = {
++	.mmap		= shm_mmap,
++	.fsync		= shm_fsync,
++	.release	= shm_release,
+ 	.get_unmapped_area	= shm_get_unmapped_area,
+ };
+ 
++int is_file_shm_hugepages(struct file *file)
++{
++	return file->f_op == &shm_file_operations_huge;
++}
++
+ static struct vm_operations_struct shm_vm_ops = {
+ 	.open	= shm_open,	/* callback for a new vm-area open */
+ 	.close	= shm_close,	/* callback for when the vm-area is released */
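Review bot: shm_get_unmapped_area() now dereferences `sfd->file->f_op->get_unmapped_area` with no NULL test. That is safe only because the handler is installed solely through shm_file_operations_huge, which do_shmat() selects only when is_file_hugepages(shp->shm_file) is true, and because the underlying hugepage file is expected to provide the hook. Please document that invariant in a comment above shm_get_unmapped_area() so a later change to either table does not turn this into a NULL function-pointer call.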
+@@ -898,7 +898,10 @@ long do_shmat(int shmid, char __user *sh
+ 	if (!sfd)
+ 		goto out_put_dentry;
+ 
+-	file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations);
++	file = alloc_file(path.mnt, path.dentry, f_mode,
++			is_file_hugepages(shp->shm_file) ?
++				&shm_file_operations_huge :
++				&shm_file_operations);
+ 	if (!file)
+ 		goto out_free;
+ 
+diff -urpN linux-source-2.6.26.orig/mm/mmap.c linux-source-2.6.26/mm/mmap.c
+--- linux-source-2.6.26.orig/mm/mmap.c	2009-12-26 01:14:57.000000000 -0700
++++ linux-source-2.6.26/mm/mmap.c	2010-01-22 17:15:08.000000000 -0700
+@@ -932,13 +932,9 @@ unsigned long do_mmap_pgoff(struct file 
+ 	if (!(flags & MAP_FIXED))
+ 		addr = round_hint_to_min(addr);
+ 
+-	error = arch_mmap_check(addr, len, flags);
+-	if (error)
+-		return error;
+-
+ 	/* Careful about overflows.. */
+ 	len = PAGE_ALIGN(len);
+-	if (!len || len > TASK_SIZE)
++	if (!len)
+ 		return -ENOMEM;
+ 
+ 	/* offset overflow? */
+@@ -1429,6 +1425,14 @@ get_unmapped_area(struct file *file, uns
+ 	unsigned long (*get_area)(struct file *, unsigned long,
+ 				  unsigned long, unsigned long, unsigned long);
+ 
++	unsigned long error = arch_mmap_check(addr, len, flags);
++	if (error)
++		return error;
++
++	/* Careful about overflows.. */
++	if (len > TASK_SIZE)
++		return -ENOMEM;
++
+ 	get_area = current->mm->get_unmapped_area;
+ 	if (file && file->f_op && file->f_op->get_unmapped_area)
+ 		get_area = file->f_op->get_unmapped_area;
+@@ -1956,20 +1960,14 @@ unsigned long do_brk(unsigned long addr,
+ 	if (!len)
+ 		return addr;
+ 
+-	if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+-		return -EINVAL;
+-
+-	if (is_hugepage_only_range(mm, addr, len))
+-		return -EINVAL;
+-
+ 	error = security_file_mmap(NULL, 0, 0, 0, addr, 1);
+ 	if (error)
+ 		return error;
+ 
+ 	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+ 
+-	error = arch_mmap_check(addr, len, flags);
+-	if (error)
++	error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
++	if (error & ~PAGE_MASK)
+ 		return error;
+ 
+ 	/*
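Review bot: The explicit wrap test `(addr + len) < addr` and the is_hugepage_only_range() test are removed from do_brk() in favour of one get_unmapped_area(NULL, addr, len, 0, MAP_FIXED) call, yet the only length check visible in this patch's get_unmapped_area() hunk is `len > TASK_SIZE`, which does not by itself cover addr + len exceeding TASK_SIZE or wrapping. The patch description should name the callee that enforces the address-plus-length bound. Separately, `error` now holds an address on success, so a dedicated variable or a comment on the `error & ~PAGE_MASK` test would read better.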
+diff -urpN linux-source-2.6.26.orig/mm/mremap.c linux-source-2.6.26/mm/mremap.c
+--- linux-source-2.6.26.orig/mm/mremap.c	2009-12-26 01:14:56.000000000 -0700
++++ linux-source-2.6.26/mm/mremap.c	2010-01-22 17:15:08.000000000 -0700
+@@ -239,6 +239,137 @@ static unsigned long move_vma(struct vm_
+ 	return new_addr;
+ }
+ 
++static struct vm_area_struct *vma_to_resize(unsigned long addr,
++	unsigned long old_len, unsigned long new_len, unsigned long *p)
++{
++	struct mm_struct *mm = current->mm;
++	struct vm_area_struct *vma = find_vma(mm, addr);
++
++	if (!vma || vma->vm_start > addr)
++		goto Efault;
++
++	if (is_vm_hugetlb_page(vma))
++		goto Einval;
++
++	/* We can't remap across vm area boundaries */
++	if (old_len > vma->vm_end - addr)
++		goto Efault;
++
++	if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
++		if (new_len > old_len)
++			goto Efault;
++	}
++
++	if (vma->vm_flags & VM_LOCKED) {
++		unsigned long locked, lock_limit;
++		locked = mm->locked_vm << PAGE_SHIFT;
++		lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
++		locked += new_len - old_len;
++		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
++			goto Eagain;
++	}
++
++	if (!may_expand_vm(mm, (new_len - old_len) >> PAGE_SHIFT))
++		goto Enomem;
++
++	if (vma->vm_flags & VM_ACCOUNT) {
++		unsigned long charged = (new_len - old_len) >> PAGE_SHIFT;
++		if (security_vm_enough_memory(charged))
++			goto Efault;
++		*p = charged;
++	}
++
++	return vma;
++
++Efault:	/* very odd choice for most of the cases, but... */
++	return ERR_PTR(-EFAULT);
++Einval:
++	return ERR_PTR(-EINVAL);
++Enomem:
++	return ERR_PTR(-ENOMEM);
++Eagain:
++	return ERR_PTR(-EAGAIN);
++}
++
++static unsigned long mremap_to(unsigned long addr,
++	unsigned long old_len, unsigned long new_addr,
++	unsigned long new_len)
++{
++	struct mm_struct *mm = current->mm;
++	struct vm_area_struct *vma;
++	unsigned long ret = -EINVAL;
++	unsigned long charged = 0;
++	unsigned long map_flags;
++
++	if (new_addr & ~PAGE_MASK)
++		goto out;
++
++	if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
++		goto out;
++
++	/* Check if the location we're moving into overlaps the
++	 * old location at all, and fail if it does.
++	 */
++	if ((new_addr <= addr) && (new_addr+new_len) > addr)
++		goto out;
++
++	if ((addr <= new_addr) && (addr+old_len) > new_addr)
++		goto out;
++
++	ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
++	if (ret)
++		goto out;
++
++	ret = do_munmap(mm, new_addr, new_len);
++	if (ret)
++		goto out;
++
++	if (old_len >= new_len) {
++		ret = do_munmap(mm, addr+new_len, old_len - new_len);
++		if (ret && old_len != new_len)
++			goto out;
++		old_len = new_len;
++	}
++
++	vma = vma_to_resize(addr, old_len, new_len, &charged);
++	if (IS_ERR(vma)) {
++		ret = PTR_ERR(vma);
++		goto out;
++	}
++
++	map_flags = MAP_FIXED;
++	if (vma->vm_flags & VM_MAYSHARE)
++		map_flags |= MAP_SHARED;
++
++	ret = get_unmapped_area(vma->vm_file, new_addr, new_len, vma->vm_pgoff +
++				((addr - vma->vm_start) >> PAGE_SHIFT),
++				map_flags);
++	if (ret & ~PAGE_MASK)
++		goto out1;
++
++	ret = move_vma(vma, addr, old_len, new_len, new_addr);
++	if (!(ret & ~PAGE_MASK))
++		goto out;
++out1:
++	vm_unacct_memory(charged);
++
++out:
++	return ret;
++}
++
++static int vma_expandable(struct vm_area_struct *vma, unsigned long delta)
++{
++	unsigned long end = vma->vm_end + delta;
++	if (end < vma->vm_end) /* overflow */
++		return 0;
++	if (vma->vm_next && vma->vm_next->vm_start < end) /* intersection */
++		return 0;
++	if (get_unmapped_area(NULL, vma->vm_start, end - vma->vm_start,
++			      0, MAP_FIXED) & ~PAGE_MASK)
++		return 0;
++	return 1;
++}
++
+ /*
+  * Expand (or shrink) an existing mapping, potentially moving it at the
+  * same time (controlled by the MREMAP_MAYMOVE flag and available VM space)
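Review bot: vma_to_resize() computes `new_len - old_len` in three places (the VM_LOCKED accounting, may_expand_vm() and the VM_ACCOUNT charge) without checking that new_len >= old_len, so it relies on callers never passing a shrink; mremap_to() meets that only because it sets old_len = new_len first. Please state the precondition in a comment above the function and describe the out-parameter `p`, which receives the number of pages charged. The Efault label is also used when security_vm_enough_memory() fails, which the label's own comment admits is an odd choice; consider whether -ENOMEM describes that case better.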
+@@ -272,32 +403,10 @@ unsigned long do_mremap(unsigned long ad
+ 	if (!new_len)
+ 		goto out;
+ 
+-	/* new_addr is only valid if MREMAP_FIXED is specified */
+ 	if (flags & MREMAP_FIXED) {
+-		if (new_addr & ~PAGE_MASK)
+-			goto out;
+-		if (!(flags & MREMAP_MAYMOVE))
+-			goto out;
+-
+-		if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
+-			goto out;
+-
+-		/* Check if the location we're moving into overlaps the
+-		 * old location at all, and fail if it does.
+-		 */
+-		if ((new_addr <= addr) && (new_addr+new_len) > addr)
+-			goto out;
+-
+-		if ((addr <= new_addr) && (addr+old_len) > new_addr)
+-			goto out;
+-
+-		ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
+-		if (ret)
+-			goto out;
+-
+-		ret = do_munmap(mm, new_addr, new_len);
+-		if (ret)
+-			goto out;
++		if (flags & MREMAP_MAYMOVE)
++			ret = mremap_to(addr, old_len, new_addr, new_len);
++		goto out;
+ 	}
+ 
+ 	/*
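Review bot: When MREMAP_FIXED is set without MREMAP_MAYMOVE, the new branch reaches `goto out` without assigning ret, so the value returned is whatever ret was initialised to above this hunk. The removed code had the same shape, but with the checks moved into mremap_to() the reliance is easier to miss; an explicit assignment or a one-line comment at the `goto out` would make it visible.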
+@@ -310,60 +419,23 @@ unsigned long do_mremap(unsigned long ad
+ 		if (ret && old_len != new_len)
+ 			goto out;
+ 		ret = addr;
+-		if (!(flags & MREMAP_FIXED) || (new_addr == addr))
+-			goto out;
+-		old_len = new_len;
++		goto out;
+ 	}
+ 
+ 	/*
+-	 * Ok, we need to grow..  or relocate.
++	 * Ok, we need to grow..
+ 	 */
+-	ret = -EFAULT;
+-	vma = find_vma(mm, addr);
+-	if (!vma || vma->vm_start > addr)
++	vma = vma_to_resize(addr, old_len, new_len, &charged);
++	if (IS_ERR(vma)) {
++		ret = PTR_ERR(vma);
+ 		goto out;
+-	if (is_vm_hugetlb_page(vma)) {
+-		ret = -EINVAL;
+-		goto out;
+-	}
+-	/* We can't remap across vm area boundaries */
+-	if (old_len > vma->vm_end - addr)
+-		goto out;
+-	if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+-		if (new_len > old_len)
+-			goto out;
+-	}
+-	if (vma->vm_flags & VM_LOCKED) {
+-		unsigned long locked, lock_limit;
+-		locked = mm->locked_vm << PAGE_SHIFT;
+-		lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
+-		locked += new_len - old_len;
+-		ret = -EAGAIN;
+-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+-			goto out;
+-	}
+-	if (!may_expand_vm(mm, (new_len - old_len) >> PAGE_SHIFT)) {
+-		ret = -ENOMEM;
+-		goto out;
+-	}
+-
+-	if (vma->vm_flags & VM_ACCOUNT) {
+-		charged = (new_len - old_len) >> PAGE_SHIFT;
+-		if (security_vm_enough_memory(charged))
+-			goto out_nc;
+ 	}
+ 
+ 	/* old_len exactly to the end of the area..
+-	 * And we're not relocating the area.
+ 	 */
+-	if (old_len == vma->vm_end - addr &&
+-	    !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
+-	    (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
+-		unsigned long max_addr = TASK_SIZE;
+-		if (vma->vm_next)
+-			max_addr = vma->vm_next->vm_start;
++	if (old_len == vma->vm_end - addr) {
+ 		/* can we just expand the current mapping? */
+-		if (max_addr - addr >= new_len) {
++		if (vma_expandable(vma, new_len - old_len)) {
+ 			int pages = (new_len - old_len) >> PAGE_SHIFT;
+ 
+ 			vma_adjust(vma, vma->vm_start,
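Review bot: A failure of security_vm_enough_memory() used to jump to out_nc and skip vm_unacct_memory(); with that check moved into vma_to_resize(), every error from it now leaves through `goto out`. That is only correct if charged is still zero at that point, which depends on its initialiser above the hunk, since vma_to_resize() writes *p only on success. A comment at the IS_ERR(vma) branch saying so would help. The comment "old_len exactly to the end of the area.." is also left as a fragment now that its second line is gone.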
+@@ -387,28 +459,27 @@ unsigned long do_mremap(unsigned long ad
+ 	 */
+ 	ret = -ENOMEM;
+ 	if (flags & MREMAP_MAYMOVE) {
+-		if (!(flags & MREMAP_FIXED)) {
+-			unsigned long map_flags = 0;
+-			if (vma->vm_flags & VM_MAYSHARE)
+-				map_flags |= MAP_SHARED;
+-
+-			new_addr = get_unmapped_area(vma->vm_file, 0, new_len,
+-						vma->vm_pgoff, map_flags);
+-			if (new_addr & ~PAGE_MASK) {
+-				ret = new_addr;
+-				goto out;
+-			}
+-
+-			ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
+-			if (ret)
+-				goto out;
++		unsigned long map_flags = 0;
++		if (vma->vm_flags & VM_MAYSHARE)
++			map_flags |= MAP_SHARED;
++
++		new_addr = get_unmapped_area(vma->vm_file, 0, new_len,
++					vma->vm_pgoff +
++					((addr - vma->vm_start) >> PAGE_SHIFT),
++					map_flags);
++		if (new_addr & ~PAGE_MASK) {
++			ret = new_addr;
++			goto out;
+ 		}
++
++		ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
++		if (ret)
++			goto out;
+ 		ret = move_vma(vma, addr, old_len, new_len, new_addr);
+ 	}
+ out:
+ 	if (ret & ~PAGE_MASK)
+ 		vm_unacct_memory(charged);
+-out_nc:
+ 	return ret;
+ }
+ 
+diff -urpN linux-source-2.6.26.orig/mm/util.c linux-source-2.6.26/mm/util.c
+--- linux-source-2.6.26.orig/mm/util.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/mm/util.c	2010-01-22 17:29:51.000000000 -0700
+@@ -2,6 +2,10 @@
+ #include <linux/string.h>
+ #include <linux/module.h>
+ #include <linux/err.h>
++#include <linux/hugetlb.h>
++#include <linux/syscalls.h>
++#include <linux/mman.h>
++#include <linux/file.h>
+ #include <asm/uaccess.h>
+ 
+ /**
+@@ -136,3 +140,30 @@ char *strndup_user(const char __user *s,
+ 	return p;
+ }
+ EXPORT_SYMBOL(strndup_user);
++
++SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
++		unsigned long, prot, unsigned long, flags,
++		unsigned long, fd, unsigned long, pgoff)
++{
++	struct file * file = NULL;
++	unsigned long retval = -EBADF;
++
++	if (!(flags & MAP_ANONYMOUS)) {
++		/*if (unlikely(flags & MAP_HUGETLB))
++			return -EINVAL;*/
++		file = fget(fd);
++		if (!file)
++			goto out;
++	}
++
++	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
++
++	down_write(&current->mm->mmap_sem);
++	retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
++	up_write(&current->mm->mmap_sem);
++
++	if (file)
++		fput(file);
++out:
++	return retval;
++}
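Review bot: The MAP_HUGETLB rejection inside the `!(flags & MAP_ANONYMOUS)` branch is left as commented-out code, with no explanation of why it is disabled in this backport. Either delete the two lines or replace them with a comment giving the reason, so that nobody re-enables the check by mistake later. Minor style point: `struct file * file` should be `struct file *file`.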

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch)
@@ -0,0 +1,85 @@
+From 94f28da8409c6059135e89ac64a0839993124155 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab at linux-m68k.org>
+Date: Sat, 30 Jan 2010 10:20:59 +0000
+Subject: powerpc: TIF_ABI_PENDING bit removal
+
+From: Andreas Schwab <schwab at linux-m68k.org>
+
+commit 94f28da8409c6059135e89ac64a0839993124155 upstream.
+
+Here are the powerpc bits to remove TIF_ABI_PENDING now that
+set_personality() is called at the appropriate place in exec.
+
+Signed-off-by: Andreas Schwab <schwab at linux-m68k.org>
+Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/powerpc/include/asm/elf.h         |    8 ++------
+ arch/powerpc/include/asm/thread_info.h |    2 --
+ arch/powerpc/kernel/process.c          |   12 ------------
+ 3 files changed, 2 insertions(+), 20 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/powerpc/kernel/process.c linux-source-2.6.26/arch/powerpc/kernel/process.c
+--- linux-source-2.6.26.orig/arch/powerpc/kernel/process.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/arch/powerpc/kernel/process.c	2010-02-04 17:44:40.000000000 -0700
+@@ -501,18 +501,6 @@ void exit_thread(void)
+ 
+ void flush_thread(void)
+ {
+-#ifdef CONFIG_PPC64
+-	struct thread_info *t = current_thread_info();
+-
+-	if (test_ti_thread_flag(t, TIF_ABI_PENDING)) {
+-		clear_ti_thread_flag(t, TIF_ABI_PENDING);
+-		if (test_ti_thread_flag(t, TIF_32BIT))
+-			clear_ti_thread_flag(t, TIF_32BIT);
+-		else
+-			set_ti_thread_flag(t, TIF_32BIT);
+-	}
+-#endif
+-
+ 	discard_lazy_cpu_state();
+ 
+ 	if (current->thread.dabr) {
+diff -urpN linux-source-2.6.26.orig/include/asm-powerpc/elf.h linux-source-2.6.26/include/asm-powerpc/elf.h
+--- linux-source-2.6.26.orig/include/asm-powerpc/elf.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-powerpc/elf.h	2010-02-04 17:46:53.000000000 -0700
+@@ -248,14 +248,10 @@ extern int dump_task_altivec(struct task
+ #ifdef __powerpc64__
+ # define SET_PERSONALITY(ex, ibcs2)				\
+ do {								\
+-	unsigned long new_flags = 0;				\
+ 	if ((ex).e_ident[EI_CLASS] == ELFCLASS32)		\
+-		new_flags = _TIF_32BIT;				\
+-	if ((current_thread_info()->flags & _TIF_32BIT)		\
+-	    != new_flags)					\
+-		set_thread_flag(TIF_ABI_PENDING);		\
++		set_thread_flag(TIF_32BIT);			\
+ 	else							\
+-		clear_thread_flag(TIF_ABI_PENDING);		\
++		clear_thread_flag(TIF_32BIT);			\
+ 	if (personality(current->personality) != PER_LINUX32)	\
+ 		set_personality(PER_LINUX);			\
+ } while (0)
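Review bot: SET_PERSONALITY() now sets or clears TIF_32BIT immediately instead of deferring the switch to flush_thread(), which is only safe when the macro runs at the point of no return in exec, as the commit message says. That ordering comes from a different patch, so the backport header should name the prerequisite to keep this one from being applied on its own. The diffstat also still lists the upstream arch/powerpc/include/asm paths, while the hunks touch include/asm-powerpc.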
+diff -urpN linux-source-2.6.26.orig/include/asm-powerpc/thread_info.h linux-source-2.6.26/include/asm-powerpc/thread_info.h
+--- linux-source-2.6.26.orig/include/asm-powerpc/thread_info.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-powerpc/thread_info.h	2010-02-04 17:47:46.000000000 -0700
+@@ -119,7 +119,6 @@ static inline struct thread_info *curren
+ #define TIF_RESTORE_SIGMASK	13	/* Restore signal mask in do_signal */
+ #define TIF_FREEZE		14	/* Freezing for suspend */
+ #define TIF_RUNLATCH		15	/* Is the runlatch enabled? */
+-#define TIF_ABI_PENDING		16	/* 32/64 bit switch needed */
+ 
+ /* as above, but as bit values */
+ #define _TIF_SYSCALL_TRACE	(1<<TIF_SYSCALL_TRACE)
+@@ -137,7 +136,6 @@ static inline struct thread_info *curren
+ #define _TIF_RESTORE_SIGMASK	(1<<TIF_RESTORE_SIGMASK)
+ #define _TIF_FREEZE		(1<<TIF_FREEZE)
+ #define _TIF_RUNLATCH		(1<<TIF_RUNLATCH)
+-#define _TIF_ABI_PENDING	(1<<TIF_ABI_PENDING)
+ #define _TIF_SYSCALL_T_OR_A	(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
+ 
+ #define _TIF_USER_WORK_MASK	( _TIF_SIGPENDING | \

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch)
@@ -0,0 +1,91 @@
+From 94673e968cbcce07fa78dac4b0ae05d24b5816e1 Mon Sep 17 00:00:00 2001
+From: David Miller <davem at davemloft.net>
+Date: Thu, 28 Jan 2010 21:42:02 -0800
+Subject: sparc: TIF_ABI_PENDING bit removal
+
+From: David Miller <davem at davemloft.net>
+
+commit 94673e968cbcce07fa78dac4b0ae05d24b5816e1 upstream.
+
+Here are the sparc bits to remove TIF_ABI_PENDING now that
+set_personality() is called at the appropriate place in exec.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/sparc/include/asm/elf_64.h         |   13 +++----------
+ arch/sparc/include/asm/thread_info_64.h |    4 +---
+ arch/sparc/kernel/process_64.c          |    8 --------
+ 3 files changed, 4 insertions(+), 21 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/sparc64/kernel/process.c linux-source-2.6.26/arch/sparc64/kernel/process.c
+--- linux-source-2.6.26.orig/arch/sparc64/kernel/process.c	2010-02-01 23:54:25.000000000 -0700
++++ linux-source-2.6.26/arch/sparc64/kernel/process.c	2010-02-04 18:02:44.000000000 -0700
+@@ -468,14 +468,6 @@ void flush_thread(void)
+ 	struct thread_info *t = current_thread_info();
+ 	struct mm_struct *mm;
+ 
+-	if (test_ti_thread_flag(t, TIF_ABI_PENDING)) {
+-		clear_ti_thread_flag(t, TIF_ABI_PENDING);
+-		if (test_ti_thread_flag(t, TIF_32BIT))
+-			clear_ti_thread_flag(t, TIF_32BIT);
+-		else
+-			set_ti_thread_flag(t, TIF_32BIT);
+-	}
+-
+ 	mm = t->task->mm;
+ 	if (mm)
+ 		tsb_context_switch(mm);
+diff -urpN linux-source-2.6.26.orig/include/asm-sparc64/elf.h linux-source-2.6.26/include/asm-sparc64/elf.h
+--- linux-source-2.6.26.orig/include/asm-sparc64/elf.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-sparc64/elf.h	2010-02-04 17:59:00.000000000 -0700
+@@ -196,17 +196,10 @@ static inline unsigned int sparc64_elf_h
+ #define ELF_PLATFORM	(NULL)
+ 
+ #define SET_PERSONALITY(ex, ibcs2)			\
+-do {	unsigned long new_flags = current_thread_info()->flags; \
+-	new_flags &= _TIF_32BIT;			\
+-	if ((ex).e_ident[EI_CLASS] == ELFCLASS32)	\
+-		new_flags |= _TIF_32BIT;		\
++do {	if ((ex).e_ident[EI_CLASS] == ELFCLASS32)	\
++		set_thread_flag(TIF_32BIT);		\
+ 	else						\
+-		new_flags &= ~_TIF_32BIT;		\
+-	if ((current_thread_info()->flags & _TIF_32BIT) \
+-	    != new_flags)				\
+-		set_thread_flag(TIF_ABI_PENDING);	\
+-	else						\
+-		clear_thread_flag(TIF_ABI_PENDING);	\
++		clear_thread_flag(TIF_32BIT);		\
+ 	/* flush_thread will update pgd cache */	\
+ 	if (ibcs2)					\
+ 		set_personality(PER_SVR4);		\
+diff -urpN linux-source-2.6.26.orig/include/asm-sparc64/thread_info.h linux-source-2.6.26/include/asm-sparc64/thread_info.h
+--- linux-source-2.6.26.orig/include/asm-sparc64/thread_info.h	2010-02-04 17:45:17.000000000 -0700
++++ linux-source-2.6.26/include/asm-sparc64/thread_info.h	2010-02-04 18:00:37.000000000 -0700
+@@ -227,12 +227,11 @@ register struct thread_info *current_thr
+ /* flag bit 8 is available */
+ #define TIF_SECCOMP		9	/* secure computing */
+ #define TIF_SYSCALL_AUDIT	10	/* syscall auditing active */
+-/* flag bit 11 is available */
+ /* NOTE: Thread flags >= 12 should be ones we have no interest
+  *       in using in assembly, else we can't use the mask as
+  *       an immediate value in instructions such as andcc.
+  */
+-#define TIF_ABI_PENDING		12
++/* flag bit 12 is available */
+ #define TIF_MEMDIE		13
+ #define TIF_POLLING_NRFLAG	14
+ 
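Review bot: This hunk deletes the "flag bit 11 is available" comment, but no definition for bit 11 appears in the surrounding lines and the commit message only mentions TIF_ABI_PENDING. Please confirm whether bit 11 is actually taken in this tree; if it is still free, the comment should stay so the header keeps an accurate record of unused bits.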
+@@ -244,7 +243,6 @@ register struct thread_info *current_thr
+ #define _TIF_32BIT		(1<<TIF_32BIT)
+ #define _TIF_SECCOMP		(1<<TIF_SECCOMP)
+ #define _TIF_SYSCALL_AUDIT	(1<<TIF_SYSCALL_AUDIT)
+-#define _TIF_ABI_PENDING	(1<<TIF_ABI_PENDING)
+ #define _TIF_POLLING_NRFLAG	(1<<TIF_POLLING_NRFLAG)
+ 
+ #define _TIF_USER_WORK_MASK	((0xff << TI_FLAG_WSAVED_SHIFT) | \

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch)
@@ -0,0 +1,250 @@
+Subject: [KVM 5.5/5.4.z Embargoed 7/7 v2] Check CPL level
+	during privilege instruction emulation.
+
+Add CPL checking in case emulator is tricked into emulating
+privilege instruction.
+
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/kvm/x86_emulate.c |  137 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 137 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c	2010-02-04 22:20:07.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c	2010-02-04 22:21:53.000000000 -0700
+@@ -1725,6 +1725,14 @@ special_insn:
+ 		c->dst.type = OP_NONE; /* Disable writeback. */
+ 		break;
+ 	case 0xf4:              /* hlt */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
+ 		ctxt->vcpu->arch.halt_request = 1;
+ 		break;
+ 	case 0xf5:	/* cmc */
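Review bot: The lock-prefix test followed by the CPL test added here for hlt is repeated almost verbatim in most of the other cases this patch touches, which makes it easy for one opcode to end up with only half of the pair. A small helper that queues #UD for a lock prefix and injects #GP(0) for a non-zero CPL, returning whether emulation should stop, would remove the duplication and make omissions obvious.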
+@@ -1791,6 +1799,11 @@ twobyte_insn:
+ 			if (c->modrm_mod != 3 || c->modrm_rm != 1)
+ 				goto cannot_emulate;
+ 
++			if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++				kvm_inject_gp(ctxt->vcpu, 0);
++				goto done;
++			}
++
+ 			rc = kvm_fix_hypercall(ctxt->vcpu);
+ 			if (rc)
+ 				goto done;
+@@ -1801,6 +1814,16 @@ twobyte_insn:
+ 			c->dst.type = OP_NONE;
+ 			break;
+ 		case 2: /* lgdt */
++			if (c->lock_prefix) {
++				kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++				goto done;
++			}
++
++			if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++				kvm_inject_gp(ctxt->vcpu, 0);
++				goto done;
++			}
++
+ 			rc = read_descriptor(ctxt, ops, c->src.ptr,
+ 					     &size, &address, c->op_bytes);
+ 			if (rc)
+@@ -1811,11 +1834,26 @@ twobyte_insn:
+ 			break;
+ 		case 3: /* lidt/vmmcall */
+ 			if (c->modrm_mod == 3 && c->modrm_rm == 1) {
++				if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++					kvm_inject_gp(ctxt->vcpu, 0);
++					goto done;
++				}
++
+ 				rc = kvm_fix_hypercall(ctxt->vcpu);
+ 				if (rc)
+ 					goto done;
+ 				kvm_emulate_hypercall(ctxt->vcpu);
+ 			} else {
++				if (c->lock_prefix) {
++					kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++					goto done;
++				}
++
++				if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++					kvm_inject_gp(ctxt->vcpu, 0);
++					goto done;
++				}
++
+ 				rc = read_descriptor(ctxt, ops, c->src.ptr,
+ 						     &size, &address,
+ 						     c->op_bytes);
+@@ -1831,11 +1869,26 @@ twobyte_insn:
+ 			c->dst.val = realmode_get_cr(ctxt->vcpu, 0);
+ 			break;
+ 		case 6: /* lmsw */
++			if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++				kvm_inject_gp(ctxt->vcpu, 0);
++				goto done;
++			}
++
+ 			realmode_lmsw(ctxt->vcpu, (u16)c->src.val,
+ 				      &ctxt->eflags);
+ 			c->dst.type = OP_NONE;
+ 			break;
+ 		case 7: /* invlpg*/
++			if (c->lock_prefix) {
++				kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++				goto done;
++			}
++
++			if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++				kvm_inject_gp(ctxt->vcpu, 0);
++				goto done;
++			}
++
+ 			emulate_invlpg(ctxt->vcpu, memop);
+ 			/* Disable writeback. */
+ 			c->dst.type = OP_NONE;
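Review bot: lmsw gets only the CPL check in this hunk, while invlpg directly below it gets both the lock-prefix #UD and the CPL check; the vmcall and vmmcall paths earlier in the patch are likewise CPL-only. If the omission is deliberate, a one-line comment at `case 6: /* lmsw */` should say why; otherwise add the lock_prefix test for consistency.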
+@@ -1845,23 +1898,67 @@ twobyte_insn:
+ 		}
+ 		break;
+ 	case 0x06:
++		if (c->lock_prefix) {
++			if (ctxt->mode == X86EMUL_MODE_REAL ||
++			    !(ctxt->vcpu->arch.cr0 & X86_CR0_PE))
++				kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			else
++				kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		emulate_clts(ctxt->vcpu);
+ 		c->dst.type = OP_NONE;
+ 		break;
+ 	case 0x08:		/* invd */
+ 	case 0x09:		/* wbinvd */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
+ 	case 0x0d:		/* GrpP (prefetch) */
+ 	case 0x18:		/* Grp16 (prefetch/nop) */
+ 		c->dst.type = OP_NONE;
+ 		break;
+ 	case 0x20: /* mov cr, reg */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		if (c->modrm_mod != 3)
+ 			goto cannot_emulate;
++
+ 		c->regs[c->modrm_rm] =
+ 				realmode_get_cr(ctxt->vcpu, c->modrm_reg);
+ 		c->dst.type = OP_NONE;	/* no writeback */
+ 		break;
+ 	case 0x21: /* mov from dr to reg */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		if (c->modrm_mod != 3)
+ 			goto cannot_emulate;
+ 		rc = emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
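Review bot: In `case 0x08` / `case 0x09` the new checks end without a break, so a permitted invd or wbinvd falls through into the 0x0d/0x18 prefetch cases to set c->dst.type = OP_NONE; now that these cases have a body, that needs a /* fall through */ comment. `case 0x06` is also the only place where a lock prefix yields #GP(0) rather than #UD outside real mode, and it has neither an opcode comment (the body calls emulate_clts) nor an explanation of that difference.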
+@@ -1870,6 +1967,16 @@ twobyte_insn:
+ 		c->dst.type = OP_NONE;	/* no writeback */
+ 		break;
+ 	case 0x22: /* mov reg, cr */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		if (c->modrm_mod != 3)
+ 			goto cannot_emulate;
+ 		realmode_set_cr(ctxt->vcpu,
+@@ -1877,6 +1984,16 @@ twobyte_insn:
+ 		c->dst.type = OP_NONE;
+ 		break;
+ 	case 0x23: /* mov from reg to dr */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		if (c->modrm_mod != 3)
+ 			goto cannot_emulate;
+ 		rc = emulator_set_dr(ctxt, c->modrm_reg,
+@@ -1887,6 +2004,16 @@ twobyte_insn:
+ 		break;
+ 	case 0x30:
+ 		/* wrmsr */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		msr_data = (u32)c->regs[VCPU_REGS_RAX]
+ 			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
+ 		rc = kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data);
+@@ -1899,6 +2026,16 @@ twobyte_insn:
+ 		break;
+ 	case 0x32:
+ 		/* rdmsr */
++		if (c->lock_prefix) {
++			kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++			goto done;
++		}
++
++		if (kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			goto done;
++		}
++
+ 		rc = kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data);
+ 		if (rc) {
+ 			kvm_inject_gp(ctxt->vcpu, 0);

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/fix-popf-emulation.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/fix-popf-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/fix-popf-emulation.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/fix-popf-emulation.patch)
@@ -0,0 +1,96 @@
+Subject: [KVM 5.5/5.4.z Embargoed 6/7 v2] Fix popf emulation.
+
+POPF behaves differently depending on current CPU mode. Emulate correct
+logic to prevent guest from changing flags that it can't change
+otherwise.
+
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/kvm/x86_emulate.c |   57 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 56 insertions(+), 1 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c	2010-02-04 22:17:43.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c	2010-02-04 22:20:07.000000000 -0700
+@@ -287,8 +287,18 @@ static u16 group2_table[] = {
+ };
+ 
+ /* EFLAGS bit definitions. */
++#define EFLG_ID (1<<21)
++#define EFLG_VIP (1<<20)
++#define EFLG_VIF (1<<19)
++#define EFLG_AC (1<<18)
++#define EFLG_VM (1<<17)
++#define EFLG_RF (1<<16)
++#define EFLG_IOPL (3<<12)
++#define EFLG_NT (1<<14)
+ #define EFLG_OF (1<<11)
+ #define EFLG_DF (1<<10)
++#define EFLG_IF (1<<9)
++#define EFLG_TF (1<<8)
+ #define EFLG_SF (1<<7)
+ #define EFLG_ZF (1<<6)
+ #define EFLG_AF (1<<4)
+@@ -1077,6 +1087,48 @@ static inline void emulate_push(struct x
+ 					       c->regs[VCPU_REGS_RSP]);
+ }
+ 
++static int emulate_popf(struct x86_emulate_ctxt *ctxt,
++		       struct x86_emulate_ops *ops,
++		       void *dest, int len)
++{
++	struct decode_cache *c = &ctxt->decode;
++	int rc;
++	unsigned long val, change_mask;
++	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
++	int cpl = kvm_x86_ops->get_cpl(ctxt->vcpu);
++
++	rc = ops->read_emulated(register_address(c, ctxt->ss_base,
++						 c->regs[VCPU_REGS_RSP]),
++				&val, c->src.bytes, ctxt->vcpu);
++	if (rc != X86EMUL_CONTINUE)
++		return rc;
++
++	register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.bytes);
++
++	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
++		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
++
++	if (ctxt->vcpu->arch.cr0 & X86_CR0_PE) {
++		if (cpl == 0)
++			change_mask |= EFLG_IOPL;
++		if (cpl <= iopl)
++			change_mask |= EFLG_IF;
++	} else if (ctxt->eflags & EFLG_VM) {
++		if (iopl < 3) {
++			kvm_inject_gp(ctxt->vcpu, 0);
++			return X86EMUL_PROPAGATE_FAULT;
++		}
++		change_mask |= EFLG_IF;
++	}
++	else /* real mode */
++		change_mask |= (EFLG_IOPL | EFLG_IF);
++
++	*(unsigned long*)dest =
++		(ctxt->eflags & ~change_mask) | (val & change_mask);
++
++	return rc;
++}
++
+ static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
+ 				struct x86_emulate_ops *ops)
+ {
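Review bot: emulate_popf() takes a `len` argument that it never uses: the stack read and the RSP increment both use c->src.bytes, while the caller passes c->op_bytes as len and sets c->dst.bytes to c->op_bytes. Either drop the parameter or use it for the read size so the two cannot disagree. The function also derives iopl from X86_EFLAGS_IOPL and IOPL_SHIFT but builds change_mask from the local EFLG_* names; one set of constants throughout would be cleaner, and the bare `else /* real mode */` should sit on the same line as the closing brace.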
+@@ -1533,7 +1585,10 @@ special_insn:
+ 		c->dst.type = OP_REG;
+ 		c->dst.ptr = (unsigned long *) &ctxt->eflags;
+ 		c->dst.bytes = c->op_bytes;
+-		goto pop_instruction;
++		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
++		if (rc != X86EMUL_CONTINUE)
++			goto done;
++		break;
+ 	case 0xa0 ... 0xa1:	/* mov */
+ 		c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
+ 		c->dst.val = c->src.val;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch)
@@ -0,0 +1,107 @@
+commit 05d43ed8a89c159ff641d472f970e3f1baa66318
+Author: H. Peter Anvin <hpa at zytor.com>
+Date:   Thu Jan 28 22:14:43 2010 -0800
+
+    x86: get rid of the insane TIF_ABI_PENDING bit
+    
+    Now that the previous commit made it possible to do the personality
+    setting at the point of no return, we do just that for ELF binaries.
+    And suddenly all the reasons for that insane TIF_ABI_PENDING bit go
+    away, and we can just make SET_PERSONALITY() just do the obvious thing
+    for a 32-bit compat process.
+    
+    Everything becomes much more straightforward this way.
+    
+    Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32_aout.c linux-source-2.6.26/arch/x86/ia32/ia32_aout.c
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32_aout.c	2010-02-01 15:30:45.000000000 -0700
++++ linux-source-2.6.26/arch/x86/ia32/ia32_aout.c	2010-02-01 21:55:11.000000000 -0700
+@@ -309,7 +309,6 @@ static int load_aout_binary(struct linux
+ 	/* OK, This is the point of no return */
+ 	set_personality(PER_LINUX);
+ 	set_thread_flag(TIF_IA32);
+-	clear_thread_flag(TIF_ABI_PENDING);
+ 
+ 	setup_new_exec(bprm);
+ 
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/process_64.c linux-source-2.6.26/arch/x86/kernel/process_64.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/process_64.c	2010-01-29 17:50:35.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kernel/process_64.c	2010-02-01 22:09:43.000000000 -0700
+@@ -273,15 +273,6 @@ void flush_thread(void)
+ {
+ 	struct task_struct *tsk = current;
+ 
+-	if (test_tsk_thread_flag(tsk, TIF_ABI_PENDING)) {
+-		clear_tsk_thread_flag(tsk, TIF_ABI_PENDING);
+-		if (test_tsk_thread_flag(tsk, TIF_IA32)) {
+-			clear_tsk_thread_flag(tsk, TIF_IA32);
+-		} else {
+-			set_tsk_thread_flag(tsk, TIF_IA32);
+-			current_thread_info()->status |= TS_COMPAT;
+-		}
+-	}
+ 	clear_tsk_thread_flag(tsk, TIF_DEBUG);
+ 
+ 	tsk->thread.debugreg0 = 0;
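Review bot: with the TIF_ABI_PENDING toggle removed from flush_thread(), nothing visible in this backport clears TIF_IA32 when a 32-bit task execs a 64-bit binary; the only writers left in the patch are the two set_thread_flag(TIF_IA32) calls. Please confirm that the native SET_PERSONALITY() in Debian's 2.6.26 tree clears the flag at the new point of no return, and say so in the backport note, since a stale TIF_IA32 would leave a 64-bit process being treated as a compat task.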
+@@ -731,6 +722,17 @@ asmlinkage long sys_vfork(struct pt_regs
+ 		    NULL, NULL);
+ }
+ 
++void set_personality_ia32(void)
++{
++	/* inherit personality from parent */
++
++	/* Make sure to be in 32bit mode */
++	set_thread_flag(TIF_IA32);
++
++	/* Prepare the first "return" to user space */
++	current_thread_info()->status |= TS_COMPAT;
++}
++
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ 	unsigned long stack;
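Review bot: set_personality_ia32() drops the force_personality32 handling. The COMPAT_SET_PERSONALITY() macro it replaces ended with current->personality |= force_personality32; whereas the new function only carries the comment /* inherit personality from parent */ and never touches current->personality, so whatever bits force_personality32 carries are no longer applied to 32-bit ELF processes. Unless that is intended and explained in the commit message, add the assignment back at the top of the function.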
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/elf.h linux-source-2.6.26/include/asm-x86/elf.h
+--- linux-source-2.6.26.orig/include/asm-x86/elf.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/elf.h	2010-02-01 22:08:07.000000000 -0700
+@@ -185,14 +185,8 @@ do {							\
+ 	set_fs(USER_DS);				\
+ } while (0)
+ 
+-#define COMPAT_SET_PERSONALITY(ex, ibcs2)		\
+-do {							\
+-	if (test_thread_flag(TIF_IA32))			\
+-		clear_thread_flag(TIF_ABI_PENDING);	\
+-	else						\
+-		set_thread_flag(TIF_ABI_PENDING);	\
+-	current->personality |= force_personality32;	\
+-} while (0)
++void set_personality_ia32(void);
++#define COMPAT_SET_PERSONALITY(ex, ibcs2) set_personality_ia32()
+ 
+ #define COMPAT_ELF_PLATFORM			("i686")
+ 
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/thread_info_64.h linux-source-2.6.26/include/asm-x86/thread_info_64.h
+--- linux-source-2.6.26.orig/include/asm-x86/thread_info_64.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/thread_info_64.h	2010-02-01 21:56:33.000000000 -0700
+@@ -114,7 +114,6 @@ static inline struct thread_info *stack_
+ /* 16 free */
+ #define TIF_IA32		17	/* 32bit process */
+ #define TIF_FORK		18	/* ret_from_fork */
+-#define TIF_ABI_PENDING		19
+ #define TIF_MEMDIE		20
+ #define TIF_DEBUG		21	/* uses debug registers */
+ #define TIF_IO_BITMAP		22	/* uses I/O bitmap */
+@@ -136,7 +135,6 @@ static inline struct thread_info *stack_
+ #define _TIF_HRTICK_RESCHED	(1 << TIF_HRTICK_RESCHED)
+ #define _TIF_IA32		(1 << TIF_IA32)
+ #define _TIF_FORK		(1 << TIF_FORK)
+-#define _TIF_ABI_PENDING	(1 << TIF_ABI_PENDING)
+ #define _TIF_DEBUG		(1 << TIF_DEBUG)
+ #define _TIF_IO_BITMAP		(1 << TIF_IO_BITMAP)
+ #define _TIF_FREEZE		(1 << TIF_FREEZE)

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-add-kvm_rw_guest_virt.patch)
@@ -0,0 +1,142 @@
+Subject: [KVM 5.5/5.4.z Embargoed 1/7 v2] KVM: introduce
+	kvm_read_guest_virt, kvm_write_guest_virt
+
+From: Izik Eidus <ieidus at redhat.com>
+
+This commit change the name of emulator_read_std into kvm_read_guest_virt,
+and add new function name kvm_write_guest_virt that allow writing into a
+guest virtual address.
+
+Signed-off-by: Izik Eidus <ieidus at redhat.com>
+Signed-off-by: Avi Kivity <avi at redhat.com>
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/include/asm/kvm_host.h |    4 ---
+ arch/x86/kvm/x86.c              |   56 +++++++++++++++++++++++++++++---------
+ 2 files changed, 42 insertions(+), 18 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c	2010-02-01 23:54:25.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86.c	2010-02-04 21:39:17.000000000 -0700
+@@ -1807,10 +1807,8 @@ static struct kvm_io_device *vcpu_find_m
+ 	return dev;
+ }
+ 
+-int emulator_read_std(unsigned long addr,
+-			     void *val,
+-			     unsigned int bytes,
+-			     struct kvm_vcpu *vcpu)
++int kvm_read_guest_virt(gva_t addr, void *val, unsigned int bytes,
++			struct kvm_vcpu *vcpu)
+ {
+ 	void *data = val;
+ 	int r = X86EMUL_CONTINUE;
+@@ -1818,27 +1816,57 @@ int emulator_read_std(unsigned long addr
+ 	while (bytes) {
+ 		gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
+ 		unsigned offset = addr & (PAGE_SIZE-1);
+-		unsigned tocopy = min(bytes, (unsigned)PAGE_SIZE - offset);
++		unsigned toread = min(bytes, (unsigned)PAGE_SIZE - offset);
+ 		int ret;
+ 
+ 		if (gpa == UNMAPPED_GVA) {
+ 			r = X86EMUL_PROPAGATE_FAULT;
+ 			goto out;
+ 		}
+-		ret = kvm_read_guest(vcpu->kvm, gpa, data, tocopy);
++		ret = kvm_read_guest(vcpu->kvm, gpa, data, toread);
+ 		if (ret < 0) {
+ 			r = X86EMUL_UNHANDLEABLE;
+ 			goto out;
+ 		}
+ 
+-		bytes -= tocopy;
+-		data += tocopy;
+-		addr += tocopy;
++		bytes -= toread;
++		data += toread;
++		addr += toread;
+ 	}
+ out:
+ 	return r;
+ }
+-EXPORT_SYMBOL_GPL(emulator_read_std);
++
++int kvm_write_guest_virt(gva_t addr, void *val, unsigned int bytes,
++			 struct kvm_vcpu *vcpu)
++{
++	void *data = val;
++	int r = X86EMUL_CONTINUE;
++
++	while (bytes) {
++		gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++		unsigned offset = addr & (PAGE_SIZE-1);
++		unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
++		int ret;
++
++		if (gpa == UNMAPPED_GVA) {
++			r = X86EMUL_PROPAGATE_FAULT;
++			goto out;
++		}
++		ret = kvm_write_guest(vcpu->kvm, gpa, data, towrite);
++		if (ret < 0) {
++			r = X86EMUL_UNHANDLEABLE;
++			goto out;
++		}
++
++		bytes -= towrite;
++		data += towrite;
++		addr += towrite;
++	}
++out:
++	return r;
++}
++
+ 
+ static int emulator_read_emulated(unsigned long addr,
+ 				  void *val,
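Review bot: kvm_write_guest_virt() commits the write one page at a time, so when a later page translates to UNMAPPED_GVA the earlier pages have already been modified by the time X86EMUL_PROPAGATE_FAULT is returned, and the guest sees a faulting access that was half performed. Translating every page before the first kvm_write_guest() call, or documenting that callers must tolerate partial writes, would close that. The loop is also a line-for-line copy of the read loop and takes the source buffer as void *val; const void *val would match emulator_write_emulated().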
+@@ -1860,8 +1888,8 @@ static int emulator_read_emulated(unsign
+ 	if ((gpa & PAGE_MASK) == APIC_DEFAULT_PHYS_BASE)
+ 		goto mmio;
+ 
+-	if (emulator_read_std(addr, val, bytes, vcpu)
+-			== X86EMUL_CONTINUE)
++	if (kvm_read_guest_virt(addr, val, bytes, vcpu)
++				== X86EMUL_CONTINUE)
+ 		return X86EMUL_CONTINUE;
+ 	if (gpa == UNMAPPED_GVA)
+ 		return X86EMUL_PROPAGATE_FAULT;
+@@ -2065,7 +2093,7 @@ void kvm_report_emulation_failure(struct
+ 	if (reported)
+ 		return;
+ 
+-	emulator_read_std(rip_linear, (void *)opcodes, 4, vcpu);
++	kvm_read_guest_virt(rip_linear, (void *)opcodes, 4, vcpu);
+ 
+ 	printk(KERN_ERR "emulation failed (%s) rip %lx %02x %02x %02x %02x\n",
+ 	       context, rip, opcodes[0], opcodes[1], opcodes[2], opcodes[3]);
+@@ -2074,7 +2102,7 @@ void kvm_report_emulation_failure(struct
+ EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
+ 
+ static struct x86_emulate_ops emulate_ops = {
+-	.read_std            = emulator_read_std,
++	.read_std            = kvm_read_guest_virt,
+ 	.read_emulated       = emulator_read_emulated,
+ 	.write_emulated      = emulator_write_emulated,
+ 	.cmpxchg_emulated    = emulator_cmpxchg_emulated,
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/kvm_host.h linux-source-2.6.26/include/asm-x86/kvm_host.h
+--- linux-source-2.6.26.orig/include/asm-x86/kvm_host.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/kvm_host.h	2010-02-04 21:39:17.000000000 -0700
+@@ -517,10 +517,6 @@ void kvm_inject_page_fault(struct kvm_vc
+ 
+ void fx_init(struct kvm_vcpu *vcpu);
+ 
+-int emulator_read_std(unsigned long addr,
+-		      void *val,
+-		      unsigned int bytes,
+-		      struct kvm_vcpu *vcpu);
+ int emulator_write_emulated(unsigned long addr,
+ 			    const void *val,
+ 			    unsigned int bytes,
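Review bot: the emulator_read_std() prototype is removed here but no declaration is added for kvm_read_guest_virt() or kvm_write_guest_virt(), which x86.c now defines without static, and EXPORT_SYMBOL_GPL(emulator_read_std) is dropped without a replacement. Either declare both functions in this header (and export them if a module outside x86.c needs them) or make them static, so the linkage is deliberate rather than accidental.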

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch)
@@ -0,0 +1,186 @@
+Subject: [KVM 5.5/5.4.z Embargoed 5/7 v2] Check IOPL level
+	during io instruction emulation.
+
+Make emulator check that vcpu is allowed to execute IN, INS, OUT,
+OUTS, CLI, STI.
+
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/include/asm/kvm_host.h |    1 +
+ arch/x86/kvm/x86.c              |   77 ++++++++++++++++++++++++++++++++-------
+ arch/x86/kvm/x86_emulate.c      |   18 +++++++---
+ 3 files changed, 77 insertions(+), 19 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+--- a/arch/x86/kvm/x86.c	2010-02-05 11:15:02.000000000 -0700
++++ b/arch/x86/kvm/x86.c	2010-02-05 11:19:28.000000000 -0700
+@@ -2375,11 +2375,68 @@ static struct kvm_io_device *vcpu_find_p
+ 	return kvm_io_bus_find_dev(&vcpu->kvm->pio_bus, addr);
+ }
+ 
++static void get_segment(struct kvm_vcpu *vcpu,
++			struct kvm_segment *var, int seg)
++{
++	kvm_x86_ops->get_segment(vcpu, var, seg);
++}
++
++bool kvm_check_iopl(struct kvm_vcpu *vcpu)
++{
++	int iopl;
++	if (!(vcpu->arch.cr0 & X86_CR0_PE))
++		return false;
++	if (kvm_x86_ops->get_rflags(vcpu) & X86_EFLAGS_VM)
++		return true;
++	iopl = (kvm_x86_ops->get_rflags(vcpu) & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
++	return kvm_x86_ops->get_cpl(vcpu) > iopl;
++}
++
++bool kvm_check_io_port_access_allowed(struct kvm_vcpu *vcpu, u16 port, u16 len)
++{
++	struct kvm_segment tr_seg;
++	int r;
++	u16 io_bitmap_ptr;
++	u8 perm, bit_idx = port & 0x7;
++	unsigned mask = (1 << len) - 1;
++
++	get_segment(vcpu, &tr_seg, VCPU_SREG_TR);
++	if (tr_seg.unusable)
++		return false;
++	if (tr_seg.limit < 103)
++		return false;
++	r = kvm_read_guest_virt_system(tr_seg.base + 102, &io_bitmap_ptr, 2,
++				       vcpu, NULL);
++	if (r != X86EMUL_CONTINUE)
++		return false;
++	if (io_bitmap_ptr + port/8 >= tr_seg.limit)
++		return false;
++	r = kvm_read_guest_virt_system(tr_seg.base + io_bitmap_ptr + port/8,
++				       &perm, 1, vcpu, NULL);
++	if (r != X86EMUL_CONTINUE)
++		return false;
++	if ((perm >> bit_idx) & mask)
++		return false;
++	return true;
++}
++
+ int kvm_emulate_pio(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
+ 		  int size, unsigned port)
+ {
+ 	struct kvm_io_device *pio_dev;
+ 
++	if (in)
++		KVMTRACE_2D(IO_READ, vcpu, port, (u32)size, handler);
++	else
++		KVMTRACE_2D(IO_WRITE, vcpu, port, (u32)size, handler);
++
++	if (kvm_check_iopl(vcpu)) {
++		if (!kvm_check_io_port_access_allowed(vcpu, port, size)) {
++			kvm_inject_gp(vcpu, 0);
++			return 1;
++		}
++	}
++
+ 	vcpu->run->exit_reason = KVM_EXIT_IO;
+ 	vcpu->run->io.direction = in ? KVM_EXIT_IO_IN : KVM_EXIT_IO_OUT;
+ 	vcpu->run->io.size = vcpu->arch.pio.size = size;
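Review bot: kvm_check_io_port_access_allowed() reads a single permission byte, so an access whose bits cross a byte boundary in the I/O bitmap is only partly checked. With bit_idx = port & 0x7 and mask = (1 << len) - 1, a 2-byte access with bit_idx 7 or a 4-byte access with bit_idx above 4 needs bits from the following byte, but (perm >> bit_idx) & mask shifts zeros in for them and the access is allowed. Reading two bytes into a u16 perm and extending the limit test io_bitmap_ptr + port/8 >= tr_seg.limit to cover the second byte fixes it. Separately, kvm_check_iopl() returns true when IOPL does not permit the access, which reads backwards at the call sites; a name like kvm_bad_iopl() would be clearer.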
+@@ -2391,13 +2448,6 @@ int kvm_emulate_pio(struct kvm_vcpu *vcp
+ 	vcpu->arch.pio.down = 0;
+ 	vcpu->arch.pio.rep = 0;
+ 
+-	if (vcpu->run->io.direction == KVM_EXIT_IO_IN)
+-		KVMTRACE_2D(IO_READ, vcpu, vcpu->run->io.port, (u32)size,
+-			    handler);
+-	else
+-		KVMTRACE_2D(IO_WRITE, vcpu, vcpu->run->io.port, (u32)size,
+-			    handler);
+-
+ 	kvm_x86_ops->cache_regs(vcpu);
+ 	memcpy(vcpu->arch.pio_data, &vcpu->arch.regs[VCPU_REGS_RAX], 4);
+ 	kvm_x86_ops->decache_regs(vcpu);
+@@ -2422,6 +2472,18 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	int ret = 0;
+ 	struct kvm_io_device *pio_dev;
+ 
++	if (in)
++		KVMTRACE_2D(IO_READ, vcpu, port, (u32)size, handler);
++	else
++		KVMTRACE_2D(IO_WRITE, vcpu, port, (u32)size, handler);
++
++	if (kvm_check_iopl(vcpu)) {
++		if (!kvm_check_io_port_access_allowed(vcpu, port, size)) {
++			kvm_inject_gp(vcpu, 0);
++			return 1;
++		}
++	}
++
+ 	vcpu->run->exit_reason = KVM_EXIT_IO;
+ 	vcpu->run->io.direction = in ? KVM_EXIT_IO_IN : KVM_EXIT_IO_OUT;
+ 	vcpu->run->io.size = vcpu->arch.pio.size = size;
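Review bot: this block is pasted unchanged from kvm_emulate_pio(); the trace call plus the kvm_check_iopl() / kvm_check_io_port_access_allowed() / kvm_inject_gp() sequence belongs in one static helper that both entry points call, so a later fix to the permission check cannot land in only one of them. Moving the KVMTRACE_2D() calls ahead of the check also means an access that is refused with #GP is still traced as IO_READ or IO_WRITE; tracing after the check would keep the trace to I/O that was actually emulated.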
+@@ -2433,13 +2495,6 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	vcpu->arch.pio.down = down;
+ 	vcpu->arch.pio.rep = rep;
+ 
+-	if (vcpu->run->io.direction == KVM_EXIT_IO_IN)
+-		KVMTRACE_2D(IO_READ, vcpu, vcpu->run->io.port, (u32)size,
+-			    handler);
+-	else
+-		KVMTRACE_2D(IO_WRITE, vcpu, vcpu->run->io.port, (u32)size,
+-			    handler);
+-
+ 	if (!count) {
+ 		kvm_x86_ops->skip_emulated_instruction(vcpu);
+ 		return 1;
+@@ -3129,12 +3184,6 @@ int kvm_arch_vcpu_ioctl_set_regs(struct 
+ 	return 0;
+ }
+ 
+-static void get_segment(struct kvm_vcpu *vcpu,
+-			struct kvm_segment *var, int seg)
+-{
+-	kvm_x86_ops->get_segment(vcpu, var, seg);
+-}
+-
+ void kvm_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l)
+ {
+ 	struct kvm_segment cs;
+diff -urpN a/arch/x86/kvm/x86_emulate.c b/arch/x86/kvm/x86_emulate.c
+--- a/arch/x86/kvm/x86_emulate.c	2010-02-05 11:15:02.000000000 -0700
++++ b/arch/x86/kvm/x86_emulate.c	2010-02-05 11:17:56.000000000 -0700
+@@ -1685,12 +1685,20 @@ special_insn:
+ 		c->dst.type = OP_NONE;	/* Disable writeback. */
+ 		break;
+ 	case 0xfa: /* cli */
+-		ctxt->eflags &= ~X86_EFLAGS_IF;
+-		c->dst.type = OP_NONE;	/* Disable writeback. */
++		if (kvm_check_iopl(ctxt->vcpu))
++			kvm_inject_gp(ctxt->vcpu, 0);
++		else {
++			ctxt->eflags &= ~X86_EFLAGS_IF;
++			c->dst.type = OP_NONE;	/* Disable writeback. */
++		}
+ 		break;
+ 	case 0xfb: /* sti */
+-		ctxt->eflags |= X86_EFLAGS_IF;
+-		c->dst.type = OP_NONE;	/* Disable writeback. */
++		if (kvm_check_iopl(ctxt->vcpu))
++			kvm_inject_gp(ctxt->vcpu, 0);
++		else {
++			ctxt->eflags |= X86_EFLAGS_IF;
++			c->dst.type = OP_NONE;	/* Disable writeback. */
++		}
+ 		break;
+ 	case 0xfe ... 0xff:	/* Grp4/Grp5 */
+ 		rc = emulate_grp45(ctxt, ops);
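Review bot: in both the cli and sti cases the #GP branch leaves c->dst.type untouched, while the success branch sets it to OP_NONE with the comment /* Disable writeback. */, and both branches then reach the same break. Set c->dst.type = OP_NONE before the test, or leave the switch through the error path after kvm_inject_gp(), so a refused instruction cannot go on to writeback and normal completion.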
+diff -urpN a/include/asm-x86/kvm_host.h b/include/asm-x86/kvm_host.h
+--- a/include/asm-x86/kvm_host.h	2010-02-05 11:15:02.000000000 -0700
++++ b/include/asm-x86/kvm_host.h	2010-02-05 11:17:56.000000000 -0700
+@@ -548,6 +548,7 @@ void kvm_enable_tdp(void);
+ 
+ int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3);
+ int complete_pio(struct kvm_vcpu *vcpu);
++bool kvm_check_iopl(struct kvm_vcpu *vcpu);
+ 
+ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
+ {

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-emulator-fix-popf-emulation.patch)
@@ -0,0 +1,25 @@
+commit 2b48cc75b21431037d6f902b9d583b1aff198490
+Author: Avi Kivity <avi at redhat.com>
+Date:   Sat Nov 29 20:36:13 2008 +0200
+
+    KVM: x86 emulator: fix popf emulation
+    
+    Set operand type and size to get correct writeback behavior.
+    
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c	2010-02-04 22:07:32.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c	2010-02-04 22:17:43.000000000 -0700
+@@ -1530,7 +1530,9 @@ special_insn:
+ 		emulate_push(ctxt);
+ 		break;
+ 	case 0x9d: /* popf */
++		c->dst.type = OP_REG;
+ 		c->dst.ptr = (unsigned long *) &ctxt->eflags;
++		c->dst.bytes = c->op_bytes;
+ 		goto pop_instruction;
+ 	case 0xa0 ... 0xa1:	/* mov */
+ 		c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
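Review bot: popf now has dst.ptr pointing at ctxt->eflags with a register-sized writeback, and nothing in this hunk restricts which flag bits the popped value may change. Since the same series adds IOPL checks for cli/sti and port I/O, the popf path should keep IOPL (and IF when CPL > IOPL) from being rewritten by a less privileged guest context; please mask the popped value accordingly or point to where pop_instruction already does.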

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch)
@@ -0,0 +1,511 @@
+Subject: [KVM 5.5/5.4.z Embargoed 4/7 v2] KVM: fix memory
+	access during x86 emulation.
+
+Currently when x86 emulator needs to access memory, page walk is done with
+broadest permission possible, so if emulated instruction was executed
+by userspace process it can still access kernel memory. Fix that by
+providing correct memory access to page walker during emulation.
+
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/include/asm/kvm_host.h        |    7 ++-
+ arch/x86/include/asm/kvm_x86_emulate.h |   14 +++-
+ arch/x86/kvm/mmu.c                     |   16 ++--
+ arch/x86/kvm/mmu.h                     |    6 ++
+ arch/x86/kvm/paging_tmpl.h             |   11 ++-
+ arch/x86/kvm/x86.c                     |  131 ++++++++++++++++++++++++-------
+ arch/x86/kvm/x86_emulate.c             |    6 +-
+ 7 files changed, 143 insertions(+), 48 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/mmu.c linux-source-2.6.26/arch/x86/kvm/mmu.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/mmu.c	2010-02-01 23:54:20.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/mmu.c	2010-02-04 21:52:09.000000000 -0700
+@@ -119,11 +119,6 @@ static int dbg = 1;
+ #define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | PT_USER_MASK \
+ 			| PT64_NX_MASK)
+ 
+-#define PFERR_PRESENT_MASK (1U << 0)
+-#define PFERR_WRITE_MASK (1U << 1)
+-#define PFERR_USER_MASK (1U << 2)
+-#define PFERR_FETCH_MASK (1U << 4)
+-
+ #define PT_DIRECTORY_LEVEL 2
+ #define PT_PAGE_TABLE_LEVEL 1
+ 
+@@ -1007,7 +1002,7 @@ struct page *gva_to_page(struct kvm_vcpu
+ {
+ 	struct page *page;
+ 
+-	gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, gva);
++	gpa_t gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, NULL);
+ 
+ 	if (gpa == UNMAPPED_GVA)
+ 		return NULL;
+@@ -1304,8 +1299,11 @@ static void mmu_alloc_roots(struct kvm_v
+ 	vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+ }
+ 
+-static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr)
++static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr,
++				  u32 access, u32 *error)
+ {
++	if (error)
++		*error = 0;
+ 	return vaddr;
+ }
+ 
+@@ -1785,7 +1783,7 @@ int kvm_mmu_unprotect_page_virt(struct k
+ 	gpa_t gpa;
+ 	int r;
+ 
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, gva);
++	gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, NULL);
+ 
+ 	spin_lock(&vcpu->kvm->mmu_lock);
+ 	r = kvm_mmu_unprotect_page(vcpu->kvm, gpa >> PAGE_SHIFT);
+@@ -2218,7 +2216,7 @@ static void audit_mappings_page(struct k
+ 
+ 			audit_mappings_page(vcpu, ent, va, level - 1);
+ 		} else {
+-			gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, va);
++			gpa_t gpa = kvm_mmu_gva_to_gpa_system(vcpu, va, NULL);
+ 			hpa_t hpa = (hpa_t)gpa_to_pfn(vcpu, gpa) << PAGE_SHIFT;
+ 
+ 			if (is_shadow_present_pte(ent)
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/mmu.h linux-source-2.6.26/arch/x86/kvm/mmu.h
+--- linux-source-2.6.26.orig/arch/x86/kvm/mmu.h	2010-02-04 22:01:28.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/mmu.h	2010-02-04 22:01:53.000000000 -0700
+@@ -36,6 +36,12 @@
+ #define PT32_ROOT_LEVEL 2
+ #define PT32E_ROOT_LEVEL 3
+ 
++#define PFERR_PRESENT_MASK (1U << 0)
++#define PFERR_WRITE_MASK (1U << 1)
++#define PFERR_USER_MASK (1U << 2)
++#define PFERR_RSVD_MASK (1U << 3)
++#define PFERR_FETCH_MASK (1U << 4)
++
+ static inline void kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
+ {
+ 	if (unlikely(vcpu->kvm->arch.n_free_mmu_pages < KVM_MIN_FREE_MMU_PAGES))
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/paging_tmpl.h linux-source-2.6.26/arch/x86/kvm/paging_tmpl.h
+--- linux-source-2.6.26.orig/arch/x86/kvm/paging_tmpl.h	2010-02-01 23:54:20.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/paging_tmpl.h	2010-02-04 21:52:09.000000000 -0700
+@@ -441,18 +441,23 @@ static int FNAME(page_fault)(struct kvm_
+ 	return write_pt;
+ }
+ 
+-static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr)
++static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr, u32 access,
++			       u32 *error)
+ {
+ 	struct guest_walker walker;
+ 	gpa_t gpa = UNMAPPED_GVA;
+ 	int r;
+ 
+-	r = FNAME(walk_addr)(&walker, vcpu, vaddr, 0, 0, 0);
++	r = FNAME(walk_addr)(&walker, vcpu, vaddr,
++			     !!(access & PFERR_WRITE_MASK),
++			     !!(access & PFERR_USER_MASK),
++			     !!(access & PFERR_FETCH_MASK));
+ 
+ 	if (r) {
+ 		gpa = gfn_to_gpa(walker.gfn);
+ 		gpa |= vaddr & ~PAGE_MASK;
+-	}
++	} else if(error)
++		*error = walker.error_code;
+ 
+ 	return gpa;
+ }
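Review bot: the error out-parameter has no stated contract. This walker writes *error only when the walk fails, while nonpaging_gva_to_gpa() always stores 0, so callers that pass an uninitialised u32 error_code may read it only after seeing UNMAPPED_GVA; a one-line comment on the gva_to_gpa hook saying so would prevent misuse. Style: } else if(error) needs a space after if and, per kernel coding style, braces on both branches once one branch has them.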
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c	2010-02-04 21:49:22.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86.c	2010-02-04 21:59:53.000000000 -0700
+@@ -1807,14 +1807,41 @@ static struct kvm_io_device *vcpu_find_m
+ 	return dev;
+ }
+ 
+-int kvm_read_guest_virt(gva_t addr, void *val, unsigned int bytes,
+-			struct kvm_vcpu *vcpu)
++gpa_t kvm_mmu_gva_to_gpa_read(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
++{
++	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
++	return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
++}
++
++ gpa_t kvm_mmu_gva_to_gpa_fetch(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
++{
++	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
++	access |= PFERR_FETCH_MASK;
++	return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
++}
++
++gpa_t kvm_mmu_gva_to_gpa_write(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
++{
++	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
++	access |= PFERR_WRITE_MASK;
++	return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
++}
++
++/* uses this to access any guet's mapped memory without checking CPL */
++gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
++{
++	return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, 0, error);
++}
++
++static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
++				      struct kvm_vcpu *vcpu, u32 access,
++				      u32 *error)
+ {
+ 	void *data = val;
+ 	int r = X86EMUL_CONTINUE;
+ 
+ 	while (bytes) {
+-		gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++		gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr, access, error);
+ 		unsigned offset = addr & (PAGE_SIZE-1);
+ 		unsigned toread = min(bytes, (unsigned)PAGE_SIZE - offset);
+ 		int ret;
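Review bot: the expression (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0 is open-coded in each of the three kvm_mmu_gva_to_gpa_{read,fetch,write}() helpers here and again in the read and fetch wrappers further down; a single static inline that returns the access mask for the current CPL would keep the privilege decision in one place. Two nits in the same hunk: the definition of kvm_mmu_gva_to_gpa_fetch() starts with a stray space, and the comment above kvm_mmu_gva_to_gpa_system() has the typo guet's.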
+@@ -1837,14 +1864,37 @@ out:
+ 	return r;
+ }
+ 
++/* used for instruction fetching */
++static int kvm_fetch_guest_virt(gva_t addr, void *val, unsigned int bytes,
++				struct kvm_vcpu *vcpu, u32 *error)
++{
++	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
++	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu,
++					  access | PFERR_FETCH_MASK, error);
++}
++
++static int kvm_read_guest_virt(gva_t addr, void *val, unsigned int bytes,
++			       struct kvm_vcpu *vcpu, u32 *error)
++{
++	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
++	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
++					  error);
++}
++
++static int kvm_read_guest_virt_system(gva_t addr, void *val, unsigned int bytes,
++			       struct kvm_vcpu *vcpu, u32 *error)
++{
++	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, error);
++}
++
+ int kvm_write_guest_virt(gva_t addr, void *val, unsigned int bytes,
+-			 struct kvm_vcpu *vcpu)
++				struct kvm_vcpu *vcpu, u32 *error)
+ {
+ 	void *data = val;
+ 	int r = X86EMUL_CONTINUE;
+ 
+ 	while (bytes) {
+-		gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++		gpa_t gpa = kvm_mmu_gva_to_gpa_write(vcpu, addr, error);
+ 		unsigned offset = addr & (PAGE_SIZE-1);
+ 		unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
+ 		int ret;
+@@ -1875,6 +1925,7 @@ static int emulator_read_emulated(unsign
+ {
+ 	struct kvm_io_device *mmio_dev;
+ 	gpa_t                 gpa;
++	u32 error_code;
+ 
+ 	if (vcpu->mmio_read_completed) {
+ 		memcpy(val, vcpu->mmio_data, bytes);
+@@ -1882,17 +1933,20 @@ static int emulator_read_emulated(unsign
+ 		return X86EMUL_CONTINUE;
+ 	}
+ 
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++	gpa = kvm_mmu_gva_to_gpa_read(vcpu, addr, &error_code);
++
++	if (gpa == UNMAPPED_GVA) {
++		kvm_inject_page_fault(vcpu, addr, error_code);
++		return X86EMUL_PROPAGATE_FAULT;
++	}
+ 
+ 	/* For APIC access vmexit */
+ 	if ((gpa & PAGE_MASK) == APIC_DEFAULT_PHYS_BASE)
+ 		goto mmio;
+ 
+-	if (kvm_read_guest_virt(addr, val, bytes, vcpu)
++	if (kvm_read_guest_virt(addr, val, bytes, vcpu, NULL)
+ 				== X86EMUL_CONTINUE)
+ 		return X86EMUL_CONTINUE;
+-	if (gpa == UNMAPPED_GVA)
+-		return X86EMUL_PROPAGATE_FAULT;
+ 
+ mmio:
+ 	/*
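Review bot: the address is now walked twice, and the second walk throws its result away. kvm_mmu_gva_to_gpa_read() only covers the first page, so a read that crosses into an unmapped or inaccessible page fails inside kvm_read_guest_virt(addr, val, bytes, vcpu, NULL), where the NULL discards the error code, and with the old if (gpa == UNMAPPED_GVA) test moved above, that failure falls through to the mmio: label instead of raising a page fault. Pass &error_code to the second call and inject the fault when it returns X86EMUL_PROPAGATE_FAULT.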
+@@ -1934,11 +1988,12 @@ static int emulator_write_emulated_onepa
+ {
+ 	struct kvm_io_device *mmio_dev;
+ 	gpa_t                 gpa;
++	u32 error_code;
+ 
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++	gpa = kvm_mmu_gva_to_gpa_write(vcpu, addr, &error_code);
+ 
+ 	if (gpa == UNMAPPED_GVA) {
+-		kvm_inject_page_fault(vcpu, addr, 2);
++		kvm_inject_page_fault(vcpu, addr, error_code);
+ 		return X86EMUL_PROPAGATE_FAULT;
+ 	}
+ 
+@@ -2012,7 +2067,7 @@ static int emulator_cmpxchg_emulated(uns
+ 		char *kaddr;
+ 		u64 val;
+ 
+-		gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr);
++		gpa = kvm_mmu_gva_to_gpa_write(vcpu, addr, NULL);
+ 
+ 		if (gpa == UNMAPPED_GVA ||
+ 		   (gpa & PAGE_MASK) == APIC_DEFAULT_PHYS_BASE)
+@@ -2093,7 +2148,7 @@ void kvm_report_emulation_failure(struct
+ 	if (reported)
+ 		return;
+ 
+-	kvm_read_guest_virt(rip_linear, (void *)opcodes, 4, vcpu);
++	kvm_read_guest_virt(rip_linear, (void *)opcodes, 4, vcpu, NULL);
+ 
+ 	printk(KERN_ERR "emulation failed (%s) rip %lx %02x %02x %02x %02x\n",
+ 	       context, rip, opcodes[0], opcodes[1], opcodes[2], opcodes[3]);
+@@ -2103,6 +2158,7 @@ EXPORT_SYMBOL_GPL(kvm_report_emulation_f
+ 
+ static struct x86_emulate_ops emulate_ops = {
+ 	.read_std            = kvm_read_guest_virt,
++	.fetch               = kvm_fetch_guest_virt,
+ 	.read_emulated       = emulator_read_emulated,
+ 	.write_emulated      = emulator_write_emulated,
+ 	.cmpxchg_emulated    = emulator_cmpxchg_emulated,
+@@ -2217,12 +2273,17 @@ static int pio_copy_data(struct kvm_vcpu
+ 	gva_t q = vcpu->arch.pio.guest_gva;
+ 	unsigned bytes;
+ 	int ret;
++	u32 error_code;
+ 
+ 	bytes = vcpu->arch.pio.size * vcpu->arch.pio.cur_count;
+ 	if (vcpu->arch.pio.in)
+-		ret = kvm_write_guest_virt(q, p, bytes, vcpu);
++		ret = kvm_write_guest_virt(q, p, bytes, vcpu, &error_code);
+ 	else
+-		ret = kvm_read_guest_virt(q, p, bytes, vcpu);
++		ret = kvm_read_guest_virt(q, p, bytes, vcpu, &error_code);
++
++	if (ret == X86EMUL_PROPAGATE_FAULT)
++		kvm_inject_page_fault(vcpu, q, error_code);
++	
+ 	return ret;
+ }
+ 
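Review bot: kvm_inject_page_fault(vcpu, q, error_code) reports the start of the buffer as the faulting address, but the read/write helpers walk page by page and can fail on any later page of the bytes = size * cur_count range, so the guest may be told about a fault on a page that is in fact mapped. Have the helpers hand back the address that failed translation and inject that instead. The added blank line before return ret; also carries trailing whitespace.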
+@@ -2243,7 +2304,7 @@ int complete_pio(struct kvm_vcpu *vcpu)
+ 			r = pio_copy_data(vcpu);
+ 			if (r) {
+ 				kvm_x86_ops->cache_regs(vcpu);
+-				return r;
++				goto out;
+ 			}
+ 		}
+ 
+@@ -2266,7 +2327,7 @@ int complete_pio(struct kvm_vcpu *vcpu)
+ 	}
+ 
+ 	kvm_x86_ops->decache_regs(vcpu);
+-
++	out:
+ 	io->count -= io->cur_count;
+ 	io->cur_count = 0;
+ 
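Review bot: the early return r in the first complete_pio() hunk became goto out, so the copy failure now runs the io->count bookkeeping below the label; please check that the function's final return still reports the failure to the caller rather than success, since r is not referenced in the visible lines after out:. The label itself is indented with a tab; kernel style puts labels in the first column.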
+@@ -2411,10 +2472,8 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	if (!vcpu->arch.pio.in) {
+ 		/* string PIO write */
+ 		ret = pio_copy_data(vcpu);
+-		if (ret == X86EMUL_PROPAGATE_FAULT) {
+-			kvm_inject_gp(vcpu, 0);
++		if (ret == X86EMUL_PROPAGATE_FAULT)
+ 			return 1;
+-		}
+ 		if (ret == 0 && pio_dev) {
+ 			pio_string_write(pio_dev, vcpu);
+ 			complete_pio(vcpu);
+@@ -3220,7 +3279,7 @@ static int load_guest_segment_descriptor
+ 		kvm_queue_exception_e(vcpu, GP_VECTOR, selector & 0xfffc);
+ 		return 1;
+ 	}
+-	return kvm_read_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu);
++	return kvm_read_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu, NULL);
+ }
+ 
+ /* allowed just for 8 bytes segments */
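Review bot: load_guest_segment_descriptor() keeps using kvm_read_guest_virt(), which after this patch walks with PFERR_USER_MASK whenever the vcpu is at CPL 3. Descriptor-table reads are implicit supervisor accesses on x86, so a segment load or task switch emulated for guest user mode would now fault on a supervisor-only GDT or LDT page. kvm_read_guest_virt_system() is the variant to use here, and save_guest_segment_descriptor() in the next hunk needs a system-privilege write counterpart for the same reason.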
+@@ -3234,10 +3293,22 @@ static int save_guest_segment_descriptor
+ 
+ 	if (dtable.limit < index * 8 + 7)
+ 		return 1;
+-	return kvm_write_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu);
++	return kvm_write_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu, NULL);
++}
++
++static gpa_t get_tss_base_addr_read(struct kvm_vcpu *vcpu,
++			     struct desc_struct *seg_desc)
++{
++	u32 base_addr;
++
++	base_addr = seg_desc->base0;
++	base_addr |= (seg_desc->base1 << 16);
++	base_addr |= (seg_desc->base2 << 24);
++
++	return kvm_mmu_gva_to_gpa_read(vcpu, base_addr, NULL);
+ }
+ 
+-static u32 get_tss_base_addr(struct kvm_vcpu *vcpu,
++static gpa_t get_tss_base_addr_write(struct kvm_vcpu *vcpu,
+ 			     struct desc_struct *seg_desc)
+ {
+ 	u32 base_addr;
+@@ -3246,7 +3317,7 @@ static u32 get_tss_base_addr(struct kvm_
+ 	base_addr |= (seg_desc->base1 << 16);
+ 	base_addr |= (seg_desc->base2 << 24);
+ 
+-	return vcpu->arch.mmu.gva_to_gpa(vcpu, base_addr);
++	return kvm_mmu_gva_to_gpa_write(vcpu, base_addr, NULL);
+ }
+ 
+ static u16 get_segment_selector(struct kvm_vcpu *vcpu, int seg)
+@@ -3422,7 +3493,7 @@ int kvm_task_switch_16(struct kvm_vcpu *
+ 			    sizeof tss_segment_16))
+ 		goto out;
+ 
+-	if (kvm_read_guest(vcpu->kvm, get_tss_base_addr(vcpu, nseg_desc),
++	if (kvm_read_guest(vcpu->kvm, get_tss_base_addr_read(vcpu, nseg_desc),
+ 			   &tss_segment_16, sizeof tss_segment_16))
+ 		goto out;
+ 
+@@ -3451,7 +3522,7 @@ int kvm_task_switch_32(struct kvm_vcpu *
+ 			    sizeof tss_segment_32))
+ 		goto out;
+ 
+-	if (kvm_read_guest(vcpu->kvm, get_tss_base_addr(vcpu, nseg_desc),
++	if (kvm_read_guest(vcpu->kvm, get_tss_base_addr_read(vcpu, nseg_desc),
+ 			   &tss_segment_32, sizeof tss_segment_32))
+ 		goto out;
+ 
+@@ -3472,7 +3543,7 @@ int kvm_task_switch(struct kvm_vcpu *vcp
+ 	u32 old_tss_base = get_segment_base(vcpu, VCPU_SREG_TR);
+ 	u16 old_tss_sel = get_segment_selector(vcpu, VCPU_SREG_TR);
+ 
+-	old_tss_base = vcpu->arch.mmu.gva_to_gpa(vcpu, old_tss_base);
++	old_tss_base = kvm_mmu_gva_to_gpa_write(vcpu, old_tss_base, NULL);
+ 
+ 	/* FIXME: Handle errors. Failure to read either TSS or their
+ 	 * descriptors should generate a pagefault.
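Review bot: old_tss_base is declared u32 but is assigned the gpa_t returned by kvm_mmu_gva_to_gpa_write(), so the result is truncated and an UNMAPPED_GVA return can no longer be recognised. This predates the patch, but the line is being touched anyway: use a separate gpa_t variable and bail out on UNMAPPED_GVA, which would also address part of the FIXME just below. The same missing check applies to the get_tss_base_addr_read() results passed straight into kvm_read_guest() in kvm_task_switch_16() and kvm_task_switch_32().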
+@@ -3666,7 +3737,7 @@ int kvm_arch_vcpu_ioctl_translate(struct
+ 
+ 	vcpu_load(vcpu);
+ 	down_read(&vcpu->kvm->slots_lock);
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, vaddr);
++	gpa = kvm_mmu_gva_to_gpa_system(vcpu, vaddr, NULL);
+ 	up_read(&vcpu->kvm->slots_lock);
+ 	tr->physical_address = gpa;
+ 	tr->valid = gpa != UNMAPPED_GVA;
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c	2010-02-01 23:54:26.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c	2010-02-04 21:52:09.000000000 -0700
+@@ -528,7 +528,7 @@ static int do_fetch_insn_byte(struct x86
+ 
+ 	if (linear < fc->start || linear >= fc->end) {
+ 		size = min(15UL, PAGE_SIZE - offset_in_page(linear));
+-		rc = ops->read_std(linear, fc->data, size, ctxt->vcpu);
++		rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
+ 		if (rc)
+ 			return rc;
+ 		fc->start = linear;
+@@ -583,11 +583,11 @@ static int read_descriptor(struct x86_em
+ 		op_bytes = 3;
+ 	*address = 0;
+ 	rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
+-			   ctxt->vcpu);
++			   ctxt->vcpu, NULL);
+ 	if (rc)
+ 		return rc;
+ 	rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
+-			   ctxt->vcpu);
++			   ctxt->vcpu, NULL);
+ 	return rc;
+ }
+ 
+@@ -1137,7 +1137,7 @@ static inline int emulate_grp1a(struct x
+ 
+ 	rc = ops->read_std(register_address(c, ctxt->ss_base,
+ 					    c->regs[VCPU_REGS_RSP]),
+-			   &c->dst.val, c->dst.bytes, ctxt->vcpu);
++			   &c->dst.val, c->dst.bytes, ctxt->vcpu, NULL);
+ 	if (rc != 0)
+ 		return rc;
+ 
+@@ -1463,7 +1463,7 @@ special_insn:
+ 	pop_instruction:
+ 		if ((rc = ops->read_std(register_address(c, ctxt->ss_base,
+ 			c->regs[VCPU_REGS_RSP]), c->dst.ptr,
+-			c->op_bytes, ctxt->vcpu)) != 0)
++			c->op_bytes, ctxt->vcpu, NULL)) != 0)
+ 			goto done;
+ 
+ 		register_address_increment(c, &c->regs[VCPU_REGS_RSP],
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/kvm_host.h linux-source-2.6.26/include/asm-x86/kvm_host.h
+--- linux-source-2.6.26.orig/include/asm-x86/kvm_host.h	2010-02-04 21:39:17.000000000 -0700
++++ linux-source-2.6.26/include/asm-x86/kvm_host.h	2010-02-04 21:52:49.000000000 -0700
+@@ -201,7 +201,8 @@ struct kvm_mmu {
+ 	void (*new_cr3)(struct kvm_vcpu *vcpu);
+ 	int (*page_fault)(struct kvm_vcpu *vcpu, gva_t gva, u32 err);
+ 	void (*free)(struct kvm_vcpu *vcpu);
+-	gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva);
++	gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva, u32 access,
++			    u32 *error);
+ 	void (*prefetch_page)(struct kvm_vcpu *vcpu,
+ 			      struct kvm_mmu_page *page);
+ 	hpa_t root_hpa;
+@@ -532,6 +533,11 @@ void __kvm_mmu_free_some_pages(struct kv
+ int kvm_mmu_load(struct kvm_vcpu *vcpu);
+ void kvm_mmu_unload(struct kvm_vcpu *vcpu);
+ 
++gpa_t kvm_mmu_gva_to_gpa_read(struct kvm_vcpu *vcpu, gva_t gva, u32 *error);
++gpa_t kvm_mmu_gva_to_gpa_fetch(struct kvm_vcpu *vcpu, gva_t gva, u32 *error);
++gpa_t kvm_mmu_gva_to_gpa_write(struct kvm_vcpu *vcpu, gva_t gva, u32 *error);
++gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, u32 *error);
++
+ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu);
+ 
+ int kvm_fix_hypercall(struct kvm_vcpu *vcpu);
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h
+--- linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h	2010-02-01 23:54:26.000000000 -0700
++++ linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h	2010-02-04 21:52:09.000000000 -0700
+@@ -54,13 +54,23 @@ struct x86_emulate_ctxt;
+ struct x86_emulate_ops {
+ 	/*
+ 	 * read_std: Read bytes of standard (non-emulated/special) memory.
+-	 *           Used for instruction fetch, stack operations, and others.
++	 *           Used for descriptor reading.
+ 	 *  @addr:  [IN ] Linear address from which to read.
+ 	 *  @val:   [OUT] Value read from memory, zero-extended to 'u_long'.
+ 	 *  @bytes: [IN ] Number of bytes to read from memory.
+ 	 */
+ 	int (*read_std)(unsigned long addr, void *val,
+-			unsigned int bytes, struct kvm_vcpu *vcpu);
++			unsigned int bytes, struct kvm_vcpu *vcpu, u32 *error);
++
++	/*
++	 * fetch: Read bytes of standard (non-emulated/special) memory.
++	 *        Used for instruction fetch.
++	 *  @addr:  [IN ] Linear address from which to read.
++	 *  @val:   [OUT] Value read from memory, zero-extended to 'u_long'.
++	 *  @bytes: [IN ] Number of bytes to read from memory.
++	 */
++	int (*fetch)(unsigned long addr, void *val,
++			unsigned int bytes, struct kvm_vcpu *vcpu, u32 *error);
+ 
+ 	/*
+ 	 * read_emulated: Read bytes from emulated/special memory area.
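Review bot: the comment blocks for read_std and the new fetch callback list @addr, @val and @bytes but not the added `u32 *error` argument. Every caller changed in x86_emulate.c passes NULL, so the comment should state what is stored through error on a fault and that NULL is accepted. The reworded read_std comment ("Used for descriptor reading") also no longer matches its callers: the stack reads in emulate_grp1a() and at pop_instruction still go through ops->read_std.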

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch)
@@ -0,0 +1,27 @@
+commit 336f40a728b9a4a5db5e1df5c89852c79ff95604
+Author: Marcelo Tosatti <mtosatti at redhat.com>
+Date:   Fri Jan 29 17:28:41 2010 -0200
+
+    KVM: PIT: control word is write-only
+    
+    PIT control word (address 0x43) is write-only, reads are undefined.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index caad189..6a74246 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -467,6 +467,9 @@ static int pit_ioport_read(struct kvm_io_device *this,
+ 		return -EOPNOTSUPP;
+ 
+ 	addr &= KVM_PIT_CHANNEL_MASK;
++	if (addr == 3)
++		return;
++
+ 	s = &pit_state->channels[addr];
+ 
+ 	mutex_lock(&pit_state->lock);
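Review bot: the added `if (addr == 3) return;` has no return value, while the hunk header shows `static int pit_ioport_read` and the context line above it returns -EOPNOTSUPP. If the function is int in the target tree, the caller gets an indeterminate value on reads of the control word; return an explicit code there. If the function is void in the 2.6.26 tree, the context lines do not match it and the backport should be regenerated against that tree. The literal 3 would also read better as a named constant for the control-word port, since the commit message identifies it only as address 0x43.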

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-remove-vmap-usage.patch)
@@ -0,0 +1,152 @@
+Subject: [KVM 5.5/5.4.z Embargoed 2/7 v2] KVM: remove the vmap
+	usage
+
+From: Izik Eidus <ieidus at redhat.com>
+
+vmap() on guest pages hides those pages from the Linux mm for an extended
+(userspace determined) amount of time.  Get rid of it.
+
+Signed-off-by: Izik Eidus <ieidus at redhat.com>
+Signed-off-by: Avi Kivity <avi at redhat.com>
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/kvm/x86.c        |   62 +++++++++-----------------------------------
+ include/linux/kvm_types.h |    3 +-
+ 2 files changed, 14 insertions(+), 51 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c	2010-02-04 21:39:17.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86.c	2010-02-04 21:45:21.000000000 -0700
+@@ -2211,40 +2211,19 @@ int emulate_instruction(struct kvm_vcpu 
+ }
+ EXPORT_SYMBOL_GPL(emulate_instruction);
+ 
+-static void free_pio_guest_pages(struct kvm_vcpu *vcpu)
+-{
+-	int i;
+-
+-	for (i = 0; i < ARRAY_SIZE(vcpu->arch.pio.guest_pages); ++i)
+-		if (vcpu->arch.pio.guest_pages[i]) {
+-			kvm_release_page_dirty(vcpu->arch.pio.guest_pages[i]);
+-			vcpu->arch.pio.guest_pages[i] = NULL;
+-		}
+-}
+-
+ static int pio_copy_data(struct kvm_vcpu *vcpu)
+ {
+ 	void *p = vcpu->arch.pio_data;
+-	void *q;
++	gva_t q = vcpu->arch.pio.guest_gva;
+ 	unsigned bytes;
+-	int nr_pages = vcpu->arch.pio.guest_pages[1] ? 2 : 1;
++	int ret;
+ 
+-	q = vmap(vcpu->arch.pio.guest_pages, nr_pages, VM_READ|VM_WRITE,
+-		 PAGE_KERNEL);
+-	if (!q) {
+-		free_pio_guest_pages(vcpu);
+-		return -ENOMEM;
+-	}
+-	q += vcpu->arch.pio.guest_page_offset;
+ 	bytes = vcpu->arch.pio.size * vcpu->arch.pio.cur_count;
+ 	if (vcpu->arch.pio.in)
+-		memcpy(q, p, bytes);
++		ret = kvm_write_guest_virt(q, p, bytes, vcpu);
+ 	else
+-		memcpy(p, q, bytes);
+-	q -= vcpu->arch.pio.guest_page_offset;
+-	vunmap(q);
+-	free_pio_guest_pages(vcpu);
+-	return 0;
++		ret = kvm_read_guest_virt(q, p, bytes, vcpu);
++	return ret;
+ }
+ 
+ int complete_pio(struct kvm_vcpu *vcpu)
+@@ -2349,7 +2328,6 @@ int kvm_emulate_pio(struct kvm_vcpu *vcp
+ 	vcpu->arch.pio.in = in;
+ 	vcpu->arch.pio.string = 0;
+ 	vcpu->arch.pio.down = 0;
+-	vcpu->arch.pio.guest_page_offset = 0;
+ 	vcpu->arch.pio.rep = 0;
+ 
+ 	if (vcpu->run->io.direction == KVM_EXIT_IO_IN)
+@@ -2380,9 +2358,7 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 		  gva_t address, int rep, unsigned port)
+ {
+ 	unsigned now, in_page;
+-	int i, ret = 0;
+-	int nr_pages = 1;
+-	struct page *page;
++	int ret = 0;
+ 	struct kvm_io_device *pio_dev;
+ 
+ 	vcpu->run->exit_reason = KVM_EXIT_IO;
+@@ -2394,7 +2370,6 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	vcpu->arch.pio.in = in;
+ 	vcpu->arch.pio.string = 1;
+ 	vcpu->arch.pio.down = down;
+-	vcpu->arch.pio.guest_page_offset = offset_in_page(address);
+ 	vcpu->arch.pio.rep = rep;
+ 
+ 	if (vcpu->run->io.direction == KVM_EXIT_IO_IN)
+@@ -2414,15 +2389,8 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	else
+ 		in_page = offset_in_page(address) + size;
+ 	now = min(count, (unsigned long)in_page / size);
+-	if (!now) {
+-		/*
+-		 * String I/O straddles page boundary.  Pin two guest pages
+-		 * so that we satisfy atomicity constraints.  Do just one
+-		 * transaction to avoid complexity.
+-		 */
+-		nr_pages = 2;
++	if (!now)
+ 		now = 1;
+-	}
+ 	if (down) {
+ 		/*
+ 		 * String I/O in reverse.  Yuck.  Kill the guest, fix later.
+@@ -2437,21 +2405,17 @@ int kvm_emulate_pio_string(struct kvm_vc
+ 	if (vcpu->arch.pio.cur_count == vcpu->arch.pio.count)
+ 		kvm_x86_ops->skip_emulated_instruction(vcpu);
+ 
+-	for (i = 0; i < nr_pages; ++i) {
+-		page = gva_to_page(vcpu, address + i * PAGE_SIZE);
+-		vcpu->arch.pio.guest_pages[i] = page;
+-		if (!page) {
+-			kvm_inject_gp(vcpu, 0);
+-			free_pio_guest_pages(vcpu);
+-			return 1;
+-		}
+-	}
++	vcpu->arch.pio.guest_gva = address;
+ 
+ 	pio_dev = vcpu_find_pio_dev(vcpu, port);
+ 	if (!vcpu->arch.pio.in) {
+ 		/* string PIO write */
+ 		ret = pio_copy_data(vcpu);
+-		if (ret >= 0 && pio_dev) {
++		if (ret == X86EMUL_PROPAGATE_FAULT) {
++			kvm_inject_gp(vcpu, 0);
++			return 1;
++		}
++		if (ret == 0 && pio_dev) {
+ 			pio_string_write(pio_dev, vcpu);
+ 			complete_pio(vcpu);
+ 			if (vcpu->arch.pio.count == 0)
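Review bot: the removed gva_to_page() loop validated the guest address for both directions before the device was touched and injected #GP on failure, but the replacement only inspects the pio_copy_data() result on the string-write path (`!vcpu->arch.pio.in`). For string reads the guest address is now stored unchecked in pio.guest_gva, so the fault has to be caught wherever pio_copy_data() is called on completion, which this hunk does not show; please confirm that caller checks the return value. On the write path, `ret == X86EMUL_PROPAGATE_FAULT` and `ret == 0` leave any other non-zero return falling through without an exception or an error to the caller; handle `ret != 0` explicitly.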
+diff -urpN linux-source-2.6.26.orig/include/linux/kvm_types.h linux-source-2.6.26/include/linux/kvm_types.h
+--- linux-source-2.6.26.orig/include/linux/kvm_types.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/kvm_types.h	2010-02-04 21:45:22.000000000 -0700
+@@ -43,8 +43,7 @@ typedef hfn_t pfn_t;
+ struct kvm_pio_request {
+ 	unsigned long count;
+ 	int cur_count;
+-	struct page *guest_pages[2];
+-	unsigned guest_page_offset;
++	gva_t guest_gva;
+ 	int in;
+ 	int port;
+ 	int size;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch)
@@ -0,0 +1,57 @@
+Subject: [KVM 5.5/5.4.z Embargoed 3/7 v2] KVM: Use kvm_{read,
+	write}_guest_virt() to read and write segment descriptors
+
+From: Mikhail Ershov <Mike.Ershov at gmail.com>
+
+Segment descriptors tables can be placed on two non-contiguous pages.
+This patch makes reading segment descriptors by linear address.
+
+Signed-off-by: Mikhail Ershov <Mike.Ershov at gmail.com>
+Signed-off-by: Avi Kivity <avi at redhat.com>
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+---
+ arch/x86/kvm/x86.c |   10 ++--------
+ 1 files changed, 2 insertions(+), 8 deletions(-)
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c	2010-02-04 21:39:17.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kvm/x86.c	2010-02-04 21:49:22.000000000 -0700
+@@ -3247,7 +3211,6 @@ static void get_segment_descritptor_dtab
+ static int load_guest_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
+ 					 struct desc_struct *seg_desc)
+ {
+-	gpa_t gpa;
+ 	struct descriptor_table dtable;
+ 	u16 index = selector >> 3;
+ 
+@@ -3257,16 +3220,13 @@ static int load_guest_segment_descriptor
+ 		kvm_queue_exception_e(vcpu, GP_VECTOR, selector & 0xfffc);
+ 		return 1;
+ 	}
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, dtable.base);
+-	gpa += index * 8;
+-	return kvm_read_guest(vcpu->kvm, gpa, seg_desc, 8);
++	return kvm_read_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu);
+ }
+ 
+ /* allowed just for 8 bytes segments */
+ static int save_guest_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
+ 					 struct desc_struct *seg_desc)
+ {
+-	gpa_t gpa;
+ 	struct descriptor_table dtable;
+ 	u16 index = selector >> 3;
+ 
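Review bot: in load_guest_segment_descriptor() the limit check queues #GP and returns 1, but a failed kvm_read_guest_virt() is returned to the caller as is, with no exception queued. The vmap-removal patch in this series treats X86EMUL_PROPAGATE_FAULT from the same helper as a guest fault, so the callers here need to be checked for the new return values instead of the error codes kvm_read_guest() produced. The replacement line is also over 80 columns and writes `index*8` where the rest of the function uses `index * 8`.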
+@@ -3274,9 +3234,7 @@ static int save_guest_segment_descriptor
+ 
+ 	if (dtable.limit < index * 8 + 7)
+ 		return 1;
+-	gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, dtable.base);
+-	gpa += index * 8;
+-	return kvm_write_guest(vcpu->kvm, gpa, seg_desc, 8);
++	return kvm_write_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu);
+ }
+ 
+ static u32 get_tss_base_addr(struct kvm_vcpu *vcpu,
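Review bot: save_guest_segment_descriptor() still bounds-checks with the literals in `dtable.limit < index * 8 + 7` while the copy length is now `sizeof(*seg_desc)`. Use one form for both so the check and the write cannot drift apart, and wrap the new kvm_write_guest_virt() call, which exceeds 80 columns.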

Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Thu Feb 11 02:16:55 2010	(r15142)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Thu Feb 11 04:19:04 2010	(r15143)
@@ -996,19 +996,6 @@
  			}
  		}
  	}
-diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
-index 1eda194..e93e7d3 100644
---- a/arch/ia64/kernel/sys_ia64.c
-+++ b/arch/ia64/kernel/sys_ia64.c
-@@ -204,7 +204,7 @@ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, un
- 
- 	/* Careful about overflows.. */
- 	len = PAGE_ALIGN(len);
--	if (!len || len > TASK_SIZE) {
-+	if (len > TASK_SIZE) {
- 		addr = -EINVAL;
- 		goto out;
- 	}
 diff --git a/arch/ia64/kernel/time.c b/arch/ia64/kernel/time.c
 index aad1b7b..9194bf5 100644
 --- a/arch/ia64/kernel/time.c
@@ -7878,7 +7865,7 @@
  
  		tsk->group_leader = tsk;
  		leader->group_leader = tsk;
-@@ -964,12 +994,10 @@ int flush_old_exec(struct linux_binprm * bprm)
+@@ -963,11 +993,10 @@ int flush_old_exec(struct linux_binprm *
  	/*
  	 * Release all of the old mmap stuff
  	 */
@@ -7888,10 +7875,9 @@
  		goto out;
  
 -	bprm->mm = NULL;		/* We're using it now */
--
- 	/* This is the point of no return */
- 	current->sas_ss_sp = current->sas_ss_size = 0;
+ 	return 0;
  
+ out:
 @@ -1275,6 +1303,10 @@ int do_execve(char * filename,
  	struct files_struct *displaced;
  	int retval;
@@ -30496,8 +30482,8 @@
  	else
  		user_shm_unlock(shp->shm_file->f_path.dentry->d_inode->i_size,
  						shp->mlock_user);
-@@ -319,12 +337,13 @@ int is_file_shm_hugepages(struct file *file)
- 	return ret;
+@@ -308,11 +326,12 @@ static unsigned long shm_get_unmapped_ar
+ 						pgoff, flags);
  }
  
 -static const struct file_operations shm_file_operations = {
@@ -30505,12 +30491,11 @@
  	.mmap		= shm_mmap,
  	.fsync		= shm_fsync,
  	.release	= shm_release,
- 	.get_unmapped_area	= shm_get_unmapped_area,
  };
 +EXPORT_SYMBOL_GPL(shm_file_operations);
  
- static struct vm_operations_struct shm_vm_ops = {
- 	.open	= shm_open,	/* callback for a new vm-area open */
+ static const struct file_operations shm_file_operations_huge = {
+ 	.mmap		= shm_mmap,
 @@ -349,11 +368,12 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
  	key_t key = params->key;
  	int shmflg = params->flg;
@@ -67782,10 +67767,10 @@
  }
  
  /*
-@@ -364,7 +376,15 @@ unsigned long do_mremap(unsigned long addr,
- 			max_addr = vma->vm_next->vm_start;
+@@ -436,7 +448,15 @@ unsigned long do_mremap(unsigned long ad
+ 	if (old_len == vma->vm_end - addr) {
  		/* can we just expand the current mapping? */
- 		if (max_addr - addr >= new_len) {
+ 		if (vma_expandable(vma, new_len - old_len)) {
 -			int pages = (new_len - old_len) >> PAGE_SHIFT;
 +			unsigned long len;
 +			int pages;

Copied: dists/lenny/linux-2.6/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/openvz/remove-TIF_ABI-bit.patch)
@@ -0,0 +1,12 @@
+diff -urpN a/kernel/cpt/cpt_process.c b/kernel/cpt/cpt_process.c
+--- a/kernel/cpt/cpt_process.c	2010-02-09 12:02:40.000000000 -0700
++++ b/kernel/cpt/cpt_process.c	2010-02-09 12:13:10.000000000 -0700
+@@ -941,7 +941,7 @@ static int dump_one_process(cpt_object_t
+ 	v->cpt_64bit = 0;
+ #ifdef CONFIG_X86_64
+ 	/* Clear x86_64 specific flags */
+-	v->cpt_thrflags &= ~(_TIF_FORK|_TIF_ABI_PENDING|_TIF_IA32);
++	v->cpt_thrflags &= ~(_TIF_FORK|_TIF_IA32);
+ 	if (!(task_thread_info(tsk)->flags & _TIF_IA32)) {
+ 		ctx->tasks64++;
+ 		v->cpt_64bit = 1;

Modified: dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Thu Feb 11 02:16:55 2010	(r15142)
+++ dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Thu Feb 11 04:19:04 2010	(r15143)
@@ -26003,16 +26003,16 @@
  		if (new_len > old_len)
  			make_pages_present(new_addr + old_len,
  					   new_addr + new_len);
-@@ -341,6 +342,9 @@ unsigned long do_mremap(unsigned long ad
- 		ret = -EAGAIN;
+@@ -267,6 +268,9 @@ static struct vm_area_struct *vma_to_res
+ 		locked += new_len - old_len;
  		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
- 			goto out;
+ 			goto Eagain;
 +		if (!vx_vmlocked_avail(current->mm,
 +			(new_len - old_len) >> PAGE_SHIFT))
-+			goto out;
++			goto Einval;
  	}
- 	if (!may_expand_vm(mm, (new_len - old_len) >> PAGE_SHIFT)) {
- 		ret = -ENOMEM;
+ 
+ 	if (!may_expand_vm(mm, (new_len - old_len) >> PAGE_SHIFT))
 @@ -369,10 +373,10 @@ unsigned long do_mremap(unsigned long ad
  			vma_adjust(vma, vma->vm_start,
  				addr + new_len, vma->vm_pgoff, NULL);
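Review bot: the refreshed hunk sends a failed vx_vmlocked_avail() check to `goto Einval`, while the RLIMIT_MEMLOCK check directly above it goes to `goto Eagain`. In the previous version of this hunk both checks shared `ret = -EAGAIN; goto out`, so, going by the label names, the errno for hitting the vserver locked-memory limit changes from EAGAIN to EINVAL. If that is not intended, use `goto Eagain` for the vx_vmlocked_avail() failure as well.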

Copied: dists/lenny/linux-2.6/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch)
@@ -0,0 +1,37 @@
+diff -urpN a/arch/x86/kernel/process_64-xen.c b/arch/x86/kernel/process_64-xen.c
+--- a/arch/x86/kernel/process_64-xen.c	2010-02-09 22:08:25.000000000 -0700
++++ b/arch/x86/kernel/process_64-xen.c	2010-02-09 22:24:52.000000000 -0700
+@@ -280,15 +280,6 @@ void flush_thread(void)
+ {
+ 	struct task_struct *tsk = current;
+ 
+-	if (test_tsk_thread_flag(tsk, TIF_ABI_PENDING)) {
+-		clear_tsk_thread_flag(tsk, TIF_ABI_PENDING);
+-		if (test_tsk_thread_flag(tsk, TIF_IA32)) {
+-			clear_tsk_thread_flag(tsk, TIF_IA32);
+-		} else {
+-			set_tsk_thread_flag(tsk, TIF_IA32);
+-			current_thread_info()->status |= TS_COMPAT;
+-		}
+-	}
+ 	clear_tsk_thread_flag(tsk, TIF_DEBUG);
+ 
+ 	tsk->thread.debugreg0 = 0;
+@@ -782,6 +773,17 @@ asmlinkage long sys_vfork(struct pt_regs
+ 		    NULL, NULL);
+ }
+ 
++void set_personality_ia32(void)
++{
++	/* inherit personality from parent */
++
++	/* Make sure to be in 32bit mode */
++	set_thread_flag(TIF_IA32);
++
++	/* Prepare the first "return" to user space */
++	current_thread_info()->status |= TS_COMPAT;
++}
++
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ 	unsigned long stack;
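Review bot: the flush_thread() hunk deletes the only code in this patch that clears TIF_IA32, and the added set_personality_ia32() only sets it. Nothing here clears the flag when a 32-bit task executes a 64-bit binary, so the patch depends on that being done elsewhere in the xen tree; please name the patch that provides it or add it here. The `/* inherit personality from parent */` comment in set_personality_ia32() has no statement under it and should be dropped or completed, and the new non-static function needs a prototype that this patch does not add.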

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny1 (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny1	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny1)
@@ -0,0 +1,7 @@
++ bugfix/all/mac80211-fix-spurious-delBA-handling.patch
++ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
++ bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/e1000e-enhance-frame-fragment-detection.patch
++ bugfix/all/untangle-the-do_mremap-mess.patch
++ bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny2 (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny2	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2)
@@ -0,0 +1,3 @@
++ bugfix/all/mm-util.c-sched.h.patch
++ bugfix/all/cdc_ether-Partially-revert-usbnet-Set-link-down-init.patch
++ bugfix/all/split-flush_old_exec-into-two-functions.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny2-extra (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2-extra)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny2-extra	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny2-extra)
@@ -0,0 +1 @@
++ bugfix/all/untangle-the-do_mremap-mess-xen.patch featureset=xen

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny3 (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny3	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3)
@@ -0,0 +1,15 @@
++ bugfix/x86/get-rid-of-TIF_ABI_PENDING-bit.patch
++ bugfix/powerpc/powerpc-tif_abi_pending-bit-removal.patch
++ bugfix/sparc/sparc-tif_abi_pending-bit-removal.patch
++ bugfix/x86/kvm-pit-control-word-is-write-only.patch
++ bugfix/all/connector-delete-buggy-notification-code.patch
++ bugfix/all/fix-potential-crash-with-sys_move_pages.patch
++ bugfix/all/untangle-the-do_mremap-mess-ppc64-fix.patch
++ bugfix/x86/kvm-add-kvm_rw_guest_virt.patch
++ bugfix/x86/kvm-remove-vmap-usage.patch
++ bugfix/x86/kvm-use-kvm_rw_guest_virt-for-segment-descriptors.patch
++ bugfix/x86/kvm-fix-memory-access-during-x86-emulation.patch
++ bugfix/x86/kvm-check-IOPL-level-during-io-instruction-emulation.patch
++ bugfix/x86/kvm-emulator-fix-popf-emulation.patch
++ bugfix/x86/fix-popf-emulation.patch
++ bugfix/x86/check-cpl-level-during-priv-instruction-emulation.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny3-extra (from r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3-extra)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny3-extra	Thu Feb 11 04:19:04 2010	(r15143, copy of r15142, releases/linux-2.6/2.6.26-21lenny3/debian/patches/series/21lenny3-extra)
@@ -0,0 +1,2 @@
++ features/all/openvz/remove-TIF_ABI-bit.patch featureset=openvz
++ features/all/xen/get-rid-of-TIF_ABI_PENDING-bit.patch featureset=xen


