r2296 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Joshua Kwan joshk@costa.debian.org
Fri, 14 Jan 2005 00:56:53 +0100


Author: joshk
Date: 2005-01-14 00:56:52 +0100 (Fri, 14 Jan 2005)
New Revision: 2296

Added:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff
Modified:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
Log:
add CAN-2005-0001 fix

Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-01-13 23:56:52 UTC (rev 2296)
@@ -3,18 +3,21 @@
   * add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
     to ensure that the permissions of the files in this package are
     sensible. (closes: Bug#288279) (Simon Horman)
+  * Turn a make conditional into a runtime conditional to allow debian/rules
+    prune to work. closes: #289682 (Joshua Kwan)
+
+  Patches applied:
+  
+  * 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
+    [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
+    (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
   * 122_sec_brk-locked.diff
     [SECURITY] Fix vulnerability in the ELF loader code allowing
     local attacker to execute code as root; CAN-2004-1235. This is better
     known as the "uselib() bug". (closes: #289202) (Maximilian Attems)
-  * 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
-    [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
-    (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
-  * Turn a make conditional into a runtime conditional to allow debian/rules
-    prune to work. (closes: #289682) (Joshua Kwan)
   * 123_nfs_verify_eacces.diff
     Return -EACCES instead of -ESTALE to fix some NFS data loss bugs, already
-    fixed in 2.6 but not in 2.4. (closes: #288046) (Joshua Kwan)
+    fixed in 2.6 but not in 2.4. closes: #288046 (Joshua Kwan)
   * 124_random_poolsize_overflow.diff
     [SECURITY] Fix integer overflow in random poolsize sysctl. (Simon Horman)
   * 125_moxa_bound_checking.diff
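Review bot: the two `closes:` rewrites in this hunk drop the parentheses (`closes: #289682` on the moved "Turn a make conditional" entry and `closes: #288046` on 123_nfs_verify_eacces.diff) while the untouched entries in the same stanza keep `(closes: Bug#288279)` and `(closes: #289202)`; dpkg recognises both spellings, but mixing them in one stanza is worth avoiding, so either keep the parenthesised form or convert every entry at once. The added `Patches applied:` separator is a sensible grouping of the per-patch items above the non-patch items, but the blank line beneath it carries trailing whitespace.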
@@ -32,10 +35,11 @@
   * 130_fs_xfs_coverty.diff
     [SECURITY] Fix xfs_attrmulti_by_handle lack of bounds checking, reported
     by Coverity. (Maximilian Attems)
+  * 131_expand_stack_race.diff
+    [SECURITY] Fix expand_stack race in mm.h; see CAN-2005-0001.
 
+ -- Joshua Kwan <joshk@triplehelix.org>  Thu, 13 Jan 2005 15:57:54 -0800
 
- -- Simon Horman <horms@debian.org>  Thu, 13 Jan 2005 15:24:48 +0900
-
 kernel-source-2.4.27 (2.4.27-7) unstable; urgency=low
 
   * 113-unix-serialization.diff:
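Review bot: the new `131_expand_stack_race.diff` entry is the only [SECURITY] item in the stanza without a contributor credit in parentheses, unlike `130_fs_xfs_coverty.diff ... (Maximilian Attems)` directly above it; add the name of whoever prepared the patch, and consider citing the identifier the way the neighbouring entries do (`; CAN-2005-0001`) rather than `see CAN-2005-0001`. Swapping Simon Horman's trailer for `-- Joshua Kwan <joshk@triplehelix.org>  Thu, 13 Jan 2005 15:57:54 -0800` is expected when the uploader changes, and the new timestamp is later in absolute time than the replaced `15:24:48 +0900` one, so the stanza ordering stays valid.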

Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff	2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff	2005-01-13 23:56:52 UTC (rev 2296)
@@ -0,0 +1,50 @@
+# origin: bk
+# cset: 1.1571 (linux-2.4), key=41e506aaVw2bDZGKjd-_ojNQi9cf6A
+# inclusion: projected 2.4.29
+# description: CAN-2005-0001 fix
+# revision date: 2005-01-13
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/12 09:14:50-02:00 marcelo.tosatti@cyclades.com 
+#   [PATCH] Fix expand_stack() SMP race
+#   
+#   Description: Fix expand_stack() SMP race
+#   
+#   Two threads sharing the same VMA can race in expand_stack, resulting in incorrect VMA
+#   size accounting and possibly a "uncovered-by-VMA" pte leak.
+#   
+#   Fix is to check if the stack has already been expanded after acquiring a lock which
+#   guarantees exclusivity (page_table_lock in v2.4 and vma_anon lock in v2.6).
+# 
+# include/linux/mm.h
+#   2005/01/07 14:51:21-02:00 marcelo.tosatti@cyclades.com +10 -3
+#   Fix expand_stack() SMP race
+# 
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h	2005-01-13 15:58:13 -08:00
++++ b/include/linux/mm.h	2005-01-13 15:58:13 -08:00
+@@ -648,12 +648,19 @@
+ 	unsigned long grow;
+ 
+ 	/*
+-	 * vma->vm_start/vm_end cannot change under us because the caller is required
+-	 * to hold the mmap_sem in write mode. We need to get the spinlock only
+-	 * before relocating the vma range ourself.
++	 * vma->vm_start/vm_end cannot change under us because the caller
++	 * is required to hold the mmap_sem in read mode.  We need the
++	 * page_table_lock lock to serialize against concurrent expand_stacks.
+ 	 */
+ 	address &= PAGE_MASK;
+  	spin_lock(&vma->vm_mm->page_table_lock);
++
++	/* already expanded while we were spinning? */
++	if (vma->vm_start <= address) {
++		spin_unlock(&vma->vm_mm->page_table_lock);
++		return 0;
++	}
++
+ 	grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ 	if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+ 	    ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_AS].rlim_cur) {
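Review bot: the re-check `if (vma->vm_start <= address)` is placed correctly: it runs after `address &= PAGE_MASK`, so it compares page-aligned values against the page-aligned `vm_start`, and after `spin_lock(&vma->vm_mm->page_table_lock)`, so a sibling thread that already grew the stack is observed under the same lock the growth path holds; the early `return 0` without touching `total_vm` or the rlimit checks below is the right outcome because nothing remains to grow. The rewritten comment (callers hold `mmap_sem` in read mode, `page_table_lock` serializes concurrent expand_stacks) is the documentation change that explains why the old assumption (write mode, spinlock only for relocating) was unsafe for two threads sharing one VMA, and it matches the ChangeSet description in the header. Only nit: the BitKeeper header lines such as `#   2005/01/12 09:14:50-02:00 marcelo.tosatti@cyclades.com ` and the bare `# ` lines carry trailing whitespace that lint tooling will flag.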

Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8	2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8	2005-01-13 23:56:52 UTC (rev 2296)
@@ -9,4 +9,4 @@
 + 128_net_fose_coverty.diff
 + 129_net_sdla_coverty.diff
 + 130_fs_xfs_coverty.diff
-
++ 131_expand_stack_race.diff