[kernel/f14] Fix address wrapping in stack expansion code.

Chuck Ebbert cebbert at fedoraproject.org
Sat May 21 17:12:52 UTC 2011


commit fcf92486278252f98ab7c203c7e9510009ed9324
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Sat May 21 13:13:37 2011 -0400

    Fix address wrapping in stack expansion code.

 kernel.spec                                   |    7 +++
 vm-fix-vm_pgoff-wrap-in-stack-expansion.patch |   50 +++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 105effc..2c15112 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -855,6 +855,9 @@ Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
 # cve-2011-1770
 Patch13980: dccp-handle-invalid-feature-options-length.patch
 
+# the rest of the pgoff wrap fix
+Patch13990: vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
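Review bot: The comment on the new Patch13990 line, `# the rest of the pgoff wrap fix`, does not say which fix it is the rest of, whereas the neighbouring entries cite an identifier a reader can trace (e.g. `# cve-2011-1770`). The patch file added in this commit carries the upstream commit id in its header, so the spec could record it: `# vm: fix vm_pgoff wrap in stack expansion (upstream a626ca6a656450e9f4df91d0dda238fff23285f4)`. The same wording would go on the ApplyPatch comment in the second hunk of this file.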
@@ -1609,6 +1612,9 @@ ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
 # cve-2011-1770
 ApplyPatch dccp-handle-invalid-feature-options-length.patch
 
+# the rest of the pgoff wrap fix
+ApplyPatch vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2198,6 +2204,7 @@ fi
 * Fri May 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.13-92
 - Add the rest of the fix for bug #704059
 - dccp: handle invalid feature options length (CVE-2011-1770)
+- Fix address wrapping in stack expansion code.
 
 * Wed May 18 2011 Chuck Ebbert <cebbert at redhat.com>
 - Fix cifs bug in 2.6.35.13 with old Windows servers (#704125)
diff --git a/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch b/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
new file mode 100644
index 0000000..da1ddfd
--- /dev/null
+++ b/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@@ -0,0 +1,50 @@
+From a626ca6a656450e9f4df91d0dda238fff23285f4 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 13 Apr 2011 08:07:28 -0700
+Subject: vm: fix vm_pgoff wrap in stack expansion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds at linux-foundation.org>
+
+commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.
+
+Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+the case of a expanding mapping causing vm_pgoff wrapping when you used
+mremap.  But there was another case where we expand mappings hiding in
+plain sight: the automatic stack expansion.
+
+This fixes that case too.
+
+This one also found by Robert Święcki, using his nasty system call
+fuzzer tool.  Good job.
+
+Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ mm/mmap.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1814,10 +1814,13 @@ static int expand_downwards(struct vm_ar
+ 		size = vma->vm_end - address;
+ 		grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ 
+-		error = acct_stack_growth(vma, size, grow);
+-		if (!error) {
+-			vma->vm_start = address;
+-			vma->vm_pgoff -= grow;
++		error = -ENOMEM;
++		if (grow <= vma->vm_pgoff) {
++			error = acct_stack_growth(vma, size, grow);
++			if (!error) {
++				vma->vm_start = address;
++				vma->vm_pgoff -= grow;
++			}
+ 		}
+ 	}
+ 	vma_unlock_anon_vma(vma);
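Review bot: The new `grow <= vma->vm_pgoff` guard in expand_downwards() has no comment, so a later reader of mm/mmap.c will not see why a stack expansion that otherwise fits is refused with -ENOMEM. A one-line comment above it, `/* vm_pgoff would underflow; refuse rather than leave a bogus file offset on the vma */`, would state the intent that the upstream changelog gives. Both operands are unsigned, so the comparison itself is sound; setting `error = -ENOMEM` before the check keeps the existing `if (!error)` flow intact. expand_downwards() begins and ends outside the hunk, and I cannot see from here whether the upward-expansion path touches vm_pgoff at all; presumably it does not, but that is worth confirming against the rest of the file when applying the backport.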

