r3878 - in trunk/kernel/source/linux-2.6/debian: . patches-debian
patches-debian/series
Simon Horman
horms at costa.debian.org
Mon Aug 15 09:22:29 UTC 2005
Author: horms
Date: 2005-08-15 09:22:29 +0000 (Mon, 15 Aug 2005)
New Revision: 3878
Added:
trunk/kernel/source/linux-2.6/debian/patches-debian/patch-2.6.12.5
Removed:
trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-destructor-oops.patch
trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-session-join.patch
Modified:
trunk/kernel/source/linux-2.6/debian/changelog
trunk/kernel/source/linux-2.6/debian/patches-debian/series/2.6.12-3
Log:
* Added 2.6.12.5 (Simon Horman)
- Fix BUG() is triggered by a call to set_mempolicy() with a negativ
first argument.
- [amd64] Fix a SRAT handling on systems with dual cores.
- [amd64] SMP timing problem
- [security] Zlib fixes See CAN-2005-2458, CAN-2005-2459
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi
- Add zlib deflateBound()
- [security] Fix error during session join. See CAN-2005-2098
- [security] Fix keyring destructor. See CAN-2005-2099
- Module per-cpu alignment cannot always be met
http://www.ussg.iu.edu/hypermail/linux/kernel/0409.0/0768.html
Closes: #323039
Modified: trunk/kernel/source/linux-2.6/debian/changelog
===================================================================
--- trunk/kernel/source/linux-2.6/debian/changelog 2005-08-15 09:21:38 UTC (rev 3877)
+++ trunk/kernel/source/linux-2.6/debian/changelog 2005-08-15 09:22:29 UTC (rev 3878)
@@ -34,20 +34,23 @@
toolchain in sid. Many thanks go to GOTO Masanori and Matthias Klose as
well as any other who worked on the biarch toolchain to make this happen.
- * [security]
- security-keys-destructor-oops.patch
- Fix keyring destructor
- See CAN-2005-2099 (Simon Horman)
+ * Added 2.6.12.5 (Simon Horman)
+ - Fix BUG() is triggered by a call to set_mempolicy() with a negativ
+ first argument.
+ - [amd64] Fix a SRAT handling on systems with dual cores.
+ - [amd64] SMP timing problem
+ - [security] Zlib fixes See CAN-2005-2458, CAN-2005-2459
+ http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+ http://bugs.gentoo.org/show_bug.cgi
+ - Add zlib deflateBound()
+ - [security] Fix error during session join. See CAN-2005-2098
+ - [security] Fix keyring destructor. See CAN-2005-2099
+ - Module per-cpu alignment cannot always be met
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0409.0/0768.html
Closes: #323039
- * [security]
- security-keys-session-join.patch
- Fix error during session join
- See CAN-2005-2098 (Simon Horman)
- Closes: #323039
+ -- Simon Horman <horms at debian.org> Mon, 15 Aug 2005 18:15:51 +0900
- -- Simon Horman <horms at debian.org> Mon, 15 Aug 2005 17:41:42 +0900
-
linux-2.6 (2.6.12-2) unstable; urgency=low
* The Kernel Team offers its condolences to the family of Jens Schmalzing
Added: trunk/kernel/source/linux-2.6/debian/patches-debian/patch-2.6.12.5
===================================================================
--- trunk/kernel/source/linux-2.6/debian/patches-debian/patch-2.6.12.5 2005-08-15 09:21:38 UTC (rev 3877)
+++ trunk/kernel/source/linux-2.6/debian/patches-debian/patch-2.6.12.5 2005-08-15 09:22:29 UTC (rev 3878)
@@ -0,0 +1,364 @@
+diff --git a/Makefile b/Makefile
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ VERSION = 2
+ PATCHLEVEL = 6
+ SUBLEVEL = 12
+-EXTRAVERSION = .4
++EXTRAVERSION = .5
+ NAME=Woozy Numbat
+
+ # *DOCUMENTATION*
+diff --git a/arch/ppc64/boot/zlib.c b/arch/ppc64/boot/zlib.c
+--- a/arch/ppc64/boot/zlib.c
++++ b/arch/ppc64/boot/zlib.c
+@@ -1307,7 +1307,7 @@ local int huft_build(
+ {
+ *t = (inflate_huft *)Z_NULL;
+ *m = 0;
+- return Z_OK;
++ return Z_DATA_ERROR;
+ }
+
+
+@@ -1351,6 +1351,7 @@ local int huft_build(
+ if ((j = *p++) != 0)
+ v[x[j]++] = i;
+ } while (++i < n);
++ n = x[g]; /* set n to length of v */
+
+
+ /* Generate the Huffman codes and for each, make the table entries */
+diff --git a/arch/x86_64/kernel/setup.c b/arch/x86_64/kernel/setup.c
+--- a/arch/x86_64/kernel/setup.c
++++ b/arch/x86_64/kernel/setup.c
+@@ -729,8 +729,6 @@ static void __init amd_detect_cmp(struct
+ int cpu = smp_processor_id();
+ int node = 0;
+ unsigned bits;
+- if (c->x86_num_cores == 1)
+- return;
+
+ bits = 0;
+ while ((1 << bits) < c->x86_num_cores)
+diff --git a/arch/x86_64/kernel/smp.c b/arch/x86_64/kernel/smp.c
+--- a/arch/x86_64/kernel/smp.c
++++ b/arch/x86_64/kernel/smp.c
+@@ -284,6 +284,71 @@ struct call_data_struct {
+ static struct call_data_struct * call_data;
+
+ /*
++ * this function sends a 'generic call function' IPI to one other CPU
++ * in the system.
++ */
++static void __smp_call_function_single (int cpu, void (*func) (void *info), void *info,
++ int nonatomic, int wait)
++{
++ struct call_data_struct data;
++ int cpus = 1;
++
++ data.func = func;
++ data.info = info;
++ atomic_set(&data.started, 0);
++ data.wait = wait;
++ if (wait)
++ atomic_set(&data.finished, 0);
++
++ call_data = &data;
++ wmb();
++ /* Send a message to all other CPUs and wait for them to respond */
++ send_IPI_mask(cpumask_of_cpu(cpu), CALL_FUNCTION_VECTOR);
++
++ /* Wait for response */
++ while (atomic_read(&data.started) != cpus)
++ cpu_relax();
++
++ if (!wait)
++ return;
++
++ while (atomic_read(&data.finished) != cpus)
++ cpu_relax();
++}
++
++/*
++ * Run a function on another CPU
++ * <func> The function to run. This must be fast and non-blocking.
++ * <info> An arbitrary pointer to pass to the function.
++ * <nonatomic> Currently unused.
++ * <wait> If true, wait until function has completed on other CPUs.
++ * [RETURNS] 0 on success, else a negative status code.
++ *
++ * Does not return until the remote CPU is nearly ready to execute <func>
++ * or is or has executed.
++ */
++
++int smp_call_function_single (int cpu, void (*func) (void *info), void *info,
++ int nonatomic, int wait)
++{
++
++ int me = get_cpu(); /* prevent preemption and reschedule on another processor */
++
++ if (cpu == me) {
++ printk("%s: trying to call self\n", __func__);
++ put_cpu();
++ return -EBUSY;
++ }
++ spin_lock_bh(&call_lock);
++
++ __smp_call_function_single(cpu, func,info,nonatomic,wait);
++
++ spin_unlock_bh(&call_lock);
++ put_cpu();
++ return 0;
++}
++
++/*
+ * this function sends a 'generic call function' IPI to all other CPUs
+ * in the system.
+ */
+diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
+--- a/arch/x86_64/kernel/smpboot.c
++++ b/arch/x86_64/kernel/smpboot.c
+@@ -202,9 +202,6 @@ static __cpuinit void sync_master(void *
+ {
+ unsigned long flags, i;
+
+- if (smp_processor_id() != boot_cpu_id)
+- return;
+-
+ go[MASTER] = 0;
+
+ local_irq_save(flags);
+@@ -253,7 +250,7 @@ get_delta(long *rt, long *master)
+ return tcenter - best_tm;
+ }
+
+-static __cpuinit void sync_tsc(void)
++static __cpuinit void sync_tsc(unsigned int master)
+ {
+ int i, done = 0;
+ long delta, adj, adjust_latency = 0;
+@@ -267,9 +264,17 @@ static __cpuinit void sync_tsc(void)
+ } t[NUM_ROUNDS] __cpuinitdata;
+ #endif
+
++ printk(KERN_INFO "CPU %d: Syncing TSC to CPU %u.\n",
++ smp_processor_id(), master);
++
+ go[MASTER] = 1;
+
+- smp_call_function(sync_master, NULL, 1, 0);
++ /* It is dangerous to broadcast IPI as cpus are coming up,
++ * as they may not be ready to accept them. So since
++ * we only need to send the ipi to the boot cpu direct
++ * the message, and avoid the race.
++ */
++ smp_call_function_single(master, sync_master, NULL, 1, 0);
+
+ while (go[MASTER]) /* wait for master to be ready */
+ no_cpu_relax();
+@@ -313,16 +318,14 @@ static __cpuinit void sync_tsc(void)
+ printk(KERN_INFO
+ "CPU %d: synchronized TSC with CPU %u (last diff %ld cycles, "
+ "maxerr %lu cycles)\n",
+- smp_processor_id(), boot_cpu_id, delta, rt);
++ smp_processor_id(), master, delta, rt);
+ }
+
+ static void __cpuinit tsc_sync_wait(void)
+ {
+ if (notscsync || !cpu_has_tsc)
+ return;
+- printk(KERN_INFO "CPU %d: Syncing TSC to CPU %u.\n", smp_processor_id(),
+- boot_cpu_id);
+- sync_tsc();
++ sync_tsc(0);
+ }
+
+ static __init int notscsync_setup(char *s)
+diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
+--- a/fs/isofs/compress.c
++++ b/fs/isofs/compress.c
+@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
+ cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
+ brelse(bh);
+
++ if (cstart > cend)
++ goto eio;
++
+ csize = cend-cstart;
+
++ if (csize > deflateBound(1UL << zisofs_block_shift))
++ goto eio;
++
+ /* Now page[] contains an array of pages, any of which can be NULL,
+ and the locks on which we hold. We should now read the data and
+ release the pages. If the pages are NULL the decompressed data
+diff --git a/include/asm-x86_64/smp.h b/include/asm-x86_64/smp.h
+--- a/include/asm-x86_64/smp.h
++++ b/include/asm-x86_64/smp.h
+@@ -46,6 +46,8 @@ extern int pic_mode;
+ extern int smp_num_siblings;
+ extern void smp_flush_tlb(void);
+ extern void smp_message_irq(int cpl, void *dev_id, struct pt_regs *regs);
++extern int smp_call_function_single (int cpuid, void (*func) (void *info), void *info,
++ int retry, int wait);
+ extern void smp_send_reschedule(int cpu);
+ extern void smp_invalidate_rcv(void); /* Process an NMI */
+ extern void zap_low_mappings(void);
+diff --git a/include/linux/zlib.h b/include/linux/zlib.h
+--- a/include/linux/zlib.h
++++ b/include/linux/zlib.h
+@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp
+ stream state was inconsistent (such as zalloc or state being NULL).
+ */
+
++static inline unsigned long deflateBound(unsigned long s)
++{
++ return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
++}
++
+ extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
+ /*
+ Dynamically update the compression level and compression strategy. The
+diff --git a/kernel/module.c b/kernel/module.c
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -249,13 +249,18 @@ static inline unsigned int block_size(in
+ /* Created by linker magic */
+ extern char __per_cpu_start[], __per_cpu_end[];
+
+-static void *percpu_modalloc(unsigned long size, unsigned long align)
++static void *percpu_modalloc(unsigned long size, unsigned long align,
++ const char *name)
+ {
+ unsigned long extra;
+ unsigned int i;
+ void *ptr;
+
+- BUG_ON(align > SMP_CACHE_BYTES);
++ if (align > SMP_CACHE_BYTES) {
++ printk(KERN_WARNING "%s: per-cpu alignment %li > %i\n",
++ name, align, SMP_CACHE_BYTES);
++ align = SMP_CACHE_BYTES;
++ }
+
+ ptr = __per_cpu_start;
+ for (i = 0; i < pcpu_num_used; ptr += block_size(pcpu_size[i]), i++) {
+@@ -347,7 +352,8 @@ static int percpu_modinit(void)
+ }
+ __initcall(percpu_modinit);
+ #else /* ... !CONFIG_SMP */
+-static inline void *percpu_modalloc(unsigned long size, unsigned long align)
++static inline void *percpu_modalloc(unsigned long size, unsigned long align,
++ const char *name)
+ {
+ return NULL;
+ }
+@@ -1554,7 +1560,8 @@ static struct module *load_module(void _
+ if (pcpuindex) {
+ /* We have a special allocation for this section. */
+ percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
+- sechdrs[pcpuindex].sh_addralign);
++ sechdrs[pcpuindex].sh_addralign,
++ mod->name);
+ if (!percpu) {
+ err = -ENOMEM;
+ goto free_mod;
+diff --git a/lib/inflate.c b/lib/inflate.c
+--- a/lib/inflate.c
++++ b/lib/inflate.c
+@@ -326,7 +326,7 @@ DEBG("huft1 ");
+ {
+ *t = (struct huft *)NULL;
+ *m = 0;
+- return 0;
++ return 2;
+ }
+
+ DEBG("huft2 ");
+@@ -374,6 +374,7 @@ DEBG("huft5 ");
+ if ((j = *p++) != 0)
+ v[x[j]++] = i;
+ } while (++i < n);
++ n = x[g]; /* set n to length of v */
+
+ DEBG("h6 ");
+
+@@ -410,12 +411,13 @@ DEBG1("1 ");
+ DEBG1("2 ");
+ f -= a + 1; /* deduct codes from patterns left */
+ xp = c + k;
+- while (++j < z) /* try smaller tables up to z bits */
+- {
+- if ((f <<= 1) <= *++xp)
+- break; /* enough codes to use up j bits */
+- f -= *xp; /* else deduct codes from patterns */
+- }
++ if (j < z)
++ while (++j < z) /* try smaller tables up to z bits */
++ {
++ if ((f <<= 1) <= *++xp)
++ break; /* enough codes to use up j bits */
++ f -= *xp; /* else deduct codes from patterns */
++ }
+ }
+ DEBG1("3 ");
+ z = 1 << j; /* table entries for j-bit table */
+diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
+--- a/lib/zlib_inflate/inftrees.c
++++ b/lib/zlib_inflate/inftrees.c
+@@ -141,7 +141,7 @@ static int huft_build(
+ {
+ *t = NULL;
+ *m = 0;
+- return Z_OK;
++ return Z_DATA_ERROR;
+ }
+
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -409,7 +409,7 @@ asmlinkage long sys_set_mempolicy(int mo
+ struct mempolicy *new;
+ DECLARE_BITMAP(nodes, MAX_NUMNODES);
+
+- if (mode > MPOL_MAX)
++ if (mode < 0 || mode > MPOL_MAX)
+ return -EINVAL;
+ err = get_nodes(nodes, nmask, maxnode, mode);
+ if (err)
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -188,7 +188,11 @@ static void keyring_destroy(struct key *
+
+ if (keyring->description) {
+ write_lock(&keyring_name_lock);
+- list_del(&keyring->type_data.link);
++
++ if (keyring->type_data.link.next != NULL &&
++ !list_empty(&keyring->type_data.link))
++ list_del(&keyring->type_data.link);
++
+ write_unlock(&keyring_name_lock);
+ }
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -641,7 +641,7 @@ long join_session_keyring(const char *na
+ keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
+ if (IS_ERR(keyring)) {
+ ret = PTR_ERR(keyring);
+- goto error;
++ goto error2;
+ }
+ }
+ else if (IS_ERR(keyring)) {
+-
+To unsubscribe from this list: send the line "unsubscribe linux-kernel-announce" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
Deleted: trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-destructor-oops.patch
===================================================================
--- trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-destructor-oops.patch 2005-08-15 09:21:38 UTC (rev 3877)
+++ trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-destructor-oops.patch 2005-08-15 09:22:29 UTC (rev 3878)
@@ -1,55 +0,0 @@
-commit 94efe72f762e2c147d8146d637d5ece5614c8d94
-tree 002e4719541ad838342e01a5f8ff63ae0a618b29
-parent bcf945d36fa0598f41ac4ad46a9dc43135460263
-author David Howells <dhowells at redhat.com> 1123186027 -0700
-committer Linus Torvalds <torvalds at g5.osdl.org> 1123186274 -0700
-
-[PATCH] Destruction of failed keyring oopses
-
-The attached patch makes sure that a keyring that failed to instantiate
-properly is destroyed without oopsing [CAN-2005-2099].
-
-The problem occurs in three stages:
-
- (1) The key allocator initialises the type-specific data to all zeroes. In
- the case of a keyring, this will become a link in the keyring name list
- when the keyring is instantiated.
-
- (2) If a user (any user) attempts to add a keyring with anything other than
- an empty payload, the keyring instantiation function will fail with an
- error and won't add the keyring to the name list.
-
- (3) The keyring's destructor then sees that the keyring has a description
- (name) and tries to remove the keyring from the name list, which oopses
- because the link pointers are both zero.
-
-This bug permits any user to take down a box trivially.
-
-Signed-Off-By: David Howells <dhowells at redhat.com>
-Signed-off-by: Andrew Morton <akpm at osdl.org>
-Signed-off-by: Linus Torvalds <torvalds at osdl.org>
-
-I:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M security/keys/keyring.c
-
-Key:
-S: Skipped
-I: Included Included verbatim
-D: Deleted Manually deleted by subsequent user edit
-R: Revised Manually revised by subsequent user edit
-
-diff --git a/security/keys/keyring.c b/security/keys/keyring.c
---- a/security/keys/keyring.c
-+++ b/security/keys/keyring.c
-@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *
-
- if (keyring->description) {
- write_lock(&keyring_name_lock);
-- list_del(&keyring->type_data.link);
-+
-+ if (keyring->type_data.link.next != NULL &&
-+ !list_empty(&keyring->type_data.link))
-+ list_del(&keyring->type_data.link);
-+
- write_unlock(&keyring_name_lock);
- }
-
Deleted: trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-session-join.patch
===================================================================
--- trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-session-join.patch 2005-08-15 09:21:38 UTC (rev 3877)
+++ trunk/kernel/source/linux-2.6/debian/patches-debian/security-keys-session-join.patch 2005-08-15 09:22:29 UTC (rev 3878)
@@ -1,54 +0,0 @@
-commit bcf945d36fa0598f41ac4ad46a9dc43135460263
-tree 7a2aa188442bf863f20055a001baf85143d7a5b9
-parent 6fb0caa42308923d9e4ed7b36ec077b97c107e24
-author David Howells <dhowells at redhat.com> 1123186026 -0700
-committer Linus Torvalds <torvalds at g5.osdl.org> 1123186274 -0700
-
-[PATCH] Error during attempt to join key management session can leave semaphore pinned
-
-The attached patch prevents an error during the key session joining operation
-from hanging future joins in the D state [CAN-2005-2098].
-
-The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
-operation has one error path that doesn't release the session management
-semaphore. Further attempts to get the semaphore will then sleep for ever in
-the D state.
-
-This can happen in four situations, all involving an attempt to allocate a new
-session keyring:
-
- (1) ENOMEM.
-
- (2) The users key quota being reached.
-
- (3) A keyring name that is an empty string.
-
- (4) A keyring name that is too long.
-
-Any user may attempt this operation, and so any user can cause the problem to
-occur.
-
-Signed-Off-By: David Howells <dhowells at redhat.com>
-Signed-off-by: Andrew Morton <akpm at osdl.org>
-Signed-off-by: Linus Torvalds <torvalds at osdl.org>
-
-I:100644 100644 9b0369c5a223acbf951178e87ebbb0789458b507 c089f78fb94ec170dbd042f08a4a61b9915c526e M security/keys/process_keys.c
-
-Key:
-S: Skipped
-I: Included Included verbatim
-D: Deleted Manually deleted by subsequent user edit
-R: Revised Manually revised by subsequent user edit
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -678,7 +678,7 @@ long join_session_keyring(const char *na
- keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
- if (IS_ERR(keyring)) {
- ret = PTR_ERR(keyring);
-- goto error;
-+ goto error2;
- }
- }
- else if (IS_ERR(keyring)) {
Modified: trunk/kernel/source/linux-2.6/debian/patches-debian/series/2.6.12-3
===================================================================
--- trunk/kernel/source/linux-2.6/debian/patches-debian/series/2.6.12-3 2005-08-15 09:21:38 UTC (rev 3877)
+++ trunk/kernel/source/linux-2.6/debian/patches-debian/series/2.6.12-3 2005-08-15 09:22:29 UTC (rev 3878)
@@ -1,2 +1 @@
-+ security-keys-destructor-oops.patch
-+ security-keys-session-join.patch
++ patch-2.6.12.5
More information about the Kernel-svn-changes
mailing list