r2296 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Joshua Kwan
joshk@costa.debian.org
Fri, 14 Jan 2005 00:56:53 +0100
Author: joshk
Date: 2005-01-14 00:56:52 +0100 (Fri, 14 Jan 2005)
New Revision: 2296
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
Log:
add CAN-2005-0001 fix
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-13 23:56:52 UTC (rev 2296)
@@ -3,18 +3,21 @@
* add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
to ensure that the permissions of the files in this package are
sensible. (closes: Bug#288279) (Simon Horman)
+ * Turn a make conditional into a runtime conditional to allow debian/rules
+ prune to work. closes: #289682 (Joshua Kwan)
+
+ Patches applied:
+
+ * 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
+ [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
+ (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
* 122_sec_brk-locked.diff
[SECURITY] Fix vulnerability in the ELF loader code allowing
local attacker to execute code as root; CAN-2004-1235. This is better
known as the "uselib() bug". (closes: #289202) (Maximilian Attems)
- * 121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff:
- [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
- (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (closes: Bug#285563)
- * Turn a make conditional into a runtime conditional to allow debian/rules
- prune to work. (closes: #289682) (Joshua Kwan)
* 123_nfs_verify_eacces.diff
Return -EACCES instead of -ESTALE to fix some NFS data loss bugs, already
- fixed in 2.6 but not in 2.4. (closes: #288046) (Joshua Kwan)
+ fixed in 2.6 but not in 2.4. closes: #288046 (Joshua Kwan)
* 124_random_poolsize_overflow.diff
[SECURITY] Fix integer overflow in random poolsize sysctl. (Simon Horman)
* 125_moxa_bound_checking.diff
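Review bot: the closes: references in this stanza now appear in three spellings within one entry: "(closes: Bug#288279)" in the unchanged first bullet, "closes: #289682" and "closes: #288046" in the rewritten lines, and "(closes: #289202)" in the uselib entry. All three forms are recognised by dpkg's changelog parser, so this is a style point only, but the edit converts only the two lines it touches and leaves the others, which makes the stanza less consistent than it was; either convert the remaining "(closes: Bug#NNN)" forms as well or keep the parenthesised form the surrounding entries use. Moving the 121_drm entries under the new "Patches applied:" heading is otherwise a pure reorder with the text unchanged.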
@@ -32,10 +35,11 @@
* 130_fs_xfs_coverty.diff
[SECURITY] Fix xfs_attrmulti_by_handle lack of bounds checking, reported
by Coverity. (Maximilian Attems)
+ * 131_expand_stack_race.diff
+ [SECURITY] Fix expand_stack race in mm.h; see CAN-2005-0001.
+ -- Joshua Kwan <joshk@triplehelix.org> Thu, 13 Jan 2005 15:57:54 -0800
- -- Simon Horman <horms@debian.org> Thu, 13 Jan 2005 15:24:48 +0900
-
kernel-source-2.4.27 (2.4.27-7) unstable; urgency=low
* 113-unix-serialization.diff:
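Review bot: the new 131_expand_stack_race.diff entry is the only [SECURITY] item in the stanza with no credit in parentheses and no bug reference, and "see CAN-2005-0001" departs from the "; CAN-2004-1235." form the neighbouring entries use; suggest "[SECURITY] Fix expand_stack() SMP race in include/linux/mm.h; CAN-2005-0001. (Joshua Kwan)". Separately, the hunk removes the blank line that followed Simon Horman's trailer ("-" at the end of the hunk) but adds none after the new "-- Joshua Kwan" trailer, so as shown the "kernel-source-2.4.27 (2.4.27-7)" stanza header directly follows the trailer; unless a blank context line was lost in rendering, add one so the stanzas stay separated the way the rest of the changelog is.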
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff 2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/131_expand_stack_race.diff 2005-01-13 23:56:52 UTC (rev 2296)
@@ -0,0 +1,50 @@
+# origin: bk
+# cset: 1.1571 (linux-2.4), key=41e506aaVw2bDZGKjd-_ojNQi9cf6A
+# inclusion: projected 2.4.29
+# description: CAN-2005-0001 fix
+# revision date: 2005-01-13
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/12 09:14:50-02:00 marcelo.tosatti@cyclades.com
+# [PATCH] Fix expand_stack() SMP race
+#
+# Description: Fix expand_stack() SMP race
+#
+# Two threads sharing the same VMA can race in expand_stack, resulting in incorrect VMA
+# size accounting and possibly a "uncovered-by-VMA" pte leak.
+#
+# Fix is to check if the stack has already been expanded after acquiring a lock which
+# guarantees exclusivity (page_table_lock in v2.4 and vma_anon lock in v2.6).
+#
+# include/linux/mm.h
+# 2005/01/07 14:51:21-02:00 marcelo.tosatti@cyclades.com +10 -3
+# Fix expand_stack() SMP race
+#
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2005-01-13 15:58:13 -08:00
++++ b/include/linux/mm.h 2005-01-13 15:58:13 -08:00
+@@ -648,12 +648,19 @@
+ unsigned long grow;
+
+ /*
+- * vma->vm_start/vm_end cannot change under us because the caller is required
+- * to hold the mmap_sem in write mode. We need to get the spinlock only
+- * before relocating the vma range ourself.
++ * vma->vm_start/vm_end cannot change under us because the caller
++ * is required to hold the mmap_sem in read mode. We need the
++ * page_table_lock lock to serialize against concurrent expand_stacks.
+ */
+ address &= PAGE_MASK;
+ spin_lock(&vma->vm_mm->page_table_lock);
++
++ /* already expanded while we were spinning? */
++ if (vma->vm_start <= address) {
++ spin_unlock(&vma->vm_mm->page_table_lock);
++ return 0;
++ }
++
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+ ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_AS].rlim_cur) {
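Review bot: the rewritten comment in the mm.h hunk reads "We need the page_table_lock lock to serialize against concurrent expand_stacks", which doubles "lock" and names the function loosely; suggest "We need page_table_lock to serialize against concurrent expand_stack() calls." The fix itself is sound as shown: the comment now records that callers hold mmap_sem only for read, which is exactly why two threads sharing the VMA can both enter here (the race the header describes), and the added "if (vma->vm_start <= address)" test after spin_lock() turns the second entrant into a no-op, so grow is computed and added to total_vm only once. The early "return 0" also skips the RLIMIT_STACK / RLIMIT_AS checks below, which is correct because the expansion that covered the address was already subjected to them by the first thread. One thing to note in the "#" header: the a/ and b/ file-header timestamps (2005-01-13 15:58:13 -08:00 on both sides) come from a local regeneration of the diff, not from the 2005/01/12 BK cset the header cites, so anyone comparing against upstream should match on the cset key rather than on the diff header.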
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 16:45:04 UTC (rev 2295)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-13 23:56:52 UTC (rev 2296)
@@ -9,4 +9,4 @@
+ 128_net_fose_coverty.diff
+ 129_net_sdla_coverty.diff
+ 130_fs_xfs_coverty.diff
-
++ 131_expand_stack_race.diff
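Review bot: the new entry replaces the trailing blank line of the 2.4.27-8 series ("-" followed by "++ 131_expand_stack_race.diff") rather than being appended after it, so confirm the file still ends with a newline; a series reader that splits on line endings can silently skip a last entry without one. The "+ " prefix, the 131_ number following 128_ to 130_, and the filename all match the patch added above and the changelog entry.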