4.11.6-301.fc26.gnu

2 files changed, 59 insertions, 2 deletions

diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec
index c8366fa26..fc69e0b1b 100644
--- a/freed-ora/current/f26/kernel.spec
+++ b/freed-ora/current/f26/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 300
+%global baserelease 301
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -711,6 +711,7 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
 
 # CVE-2017-1000364 rhbz 1462819 1461333
 Patch684: mm-larger-stack-guard-gap-between-vmas.patch
+Patch685: mm-fix-new-crash-in-unmapped_area_topdown.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2373,7 +2374,10 @@ fi
 #
 #
 %changelog
-* Thu Jun 22 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Tue Jun 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.6-301
+- bump and build
+
+* Tue Jun 20 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre Thu Jun 22
 - GNU Linux-libre 4.11.6-gnu.
 
 * Mon Jun 19 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.6-300
diff --git a/freed-ora/current/f26/mm-fix-new-crash-in-unmapped_area_topdown.patch b/freed-ora/current/f26/mm-fix-new-crash-in-unmapped_area_topdown.patch
new file mode 100644
index 000000000..20da9556f
--- /dev/null
+++ b/freed-ora/current/f26/mm-fix-new-crash-in-unmapped_area_topdown.patch
@@ -0,0 +1,53 @@
+From patchwork Tue Jun 20 09:10:44 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: mm: fix new crash in unmapped_area_topdown()
+From: Hugh Dickins <hughd@google.com>
+X-Patchwork-Id: 9798991
+Message-Id: <alpine.LSU.2.11.1706200206210.10925@eggly.anvils>
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Dave Jones <davej@codemonkey.org.uk>, Oleg Nesterov <oleg@redhat.com>,
+ Michal Hocko <mhocko@suse.com>, linux-kernel@vger.kernel.org,
+ linux-mm@kvack.org
+Date: Tue, 20 Jun 2017 02:10:44 -0700 (PDT)
+
+Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
+mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
+end of unmapped_area_topdown().  Linus points out how MAP_FIXED
+(which does not have to respect our stack guard gap intentions)
+could result in gap_end below gap_start there.  Fix that, and
+the similar case in its alternative, unmapped_area().
+
+Cc: stable@vger.kernel.org
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+---
+
+ mm/mmap.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- 4.12-rc6/mm/mmap.c	2017-06-19 09:06:10.035407505 -0700
++++ linux/mm/mmap.c	2017-06-19 21:09:28.616707311 -0700
+@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_un
+ 		/* Check if current node has a suitable gap */
+ 		if (gap_start > high_limit)
+ 			return -ENOMEM;
+-		if (gap_end >= low_limit && gap_end - gap_start >= length)
++		if (gap_end >= low_limit &&
++		    gap_end > gap_start && gap_end - gap_start >= length)
+ 			goto found;
+ 
+ 		/* Visit right subtree if it looks promising */
+@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(stru
+ 		gap_end = vm_start_gap(vma);
+ 		if (gap_end < low_limit)
+ 			return -ENOMEM;
+-		if (gap_start <= high_limit && gap_end - gap_start >= length)
++		if (gap_start <= high_limit &&
++		    gap_end > gap_start && gap_end - gap_start >= length)
+ 			goto found;
+ 
+ 		/* Visit left subtree if it looks promising */