r2722 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf@costa.debian.org
Wed, 16 Mar 2005 02:25:54 +0100


Author: dannf
Date: 2005-03-16 02:25:54 +0100 (Wed, 16 Mar 2005)
New Revision: 2722

Added:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/145_insert_vm_struct-no-BUG.diff
Modified:
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
Log:
  * 145_insert_vm_struct-no-BUG.patch: [CAN-2005-0003] make insert_vm_struct
    return an error rather than BUG() (dann frazier)


Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-03-15 15:30:53 UTC (rev 2721)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	2005-03-16 01:25:54 UTC (rev 2722)
@@ -30,15 +30,15 @@
   * 140_VM_IO.diff: [CAN-2004-1057] fix possible DoS from accessing freed
     kernel pages by flagging VM_IO where necessary.
 
-  * 141_acpi_noirq.patch: 
+  * 141_acpi_noirq.patch:
     [ACPI] Enhanced PCI probe, CONFIG_HPET_TIMER build warning fix
     (Simon Horman)
 
-  * 142_acpi_skip_timer_override.diff: 
-    [ACPI] skip_timer_override backport from 2.6 
+  * 142_acpi_skip_timer_override.diff:
+    [ACPI] skip_timer_override backport from 2.6
            including early PCI bridge detection. (Simon Horman)
 
-  * 121_drm-locking-checks-3.diff: LOCK_TEST_WITH_RETURN build cleanup 
+  * 121_drm-locking-checks-3.diff: LOCK_TEST_WITH_RETURN build cleanup
     (Simon Horman)
 
   * 143_outs.diff:
@@ -50,8 +50,11 @@
     of the clock chip on SunBlade 1500, it won't boot otherwise.
     (Jurij Smakov).
 
- -- Simon Horman <horms@debian.org>  Thu, 24 Feb 2005 15:53:42 +0900
+  * 145_insert_vm_struct-no-BUG.patch: [CAN-2005-0003] make insert_vm_struct
+    return an error rather than BUG() (dann frazier)
 
+ -- dann frazier <dannf@debian.org>  Tue, 15 Mar 2005 18:15:10 -0700
+
 kernel-source-2.4.27 (2.4.27-8) unstable; urgency=high
 
   * add dh_fixperms to the build targets to kernel-patch-debian-2.4.27

Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/145_insert_vm_struct-no-BUG.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/145_insert_vm_struct-no-BUG.diff	2005-03-15 15:30:53 UTC (rev 2721)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/145_insert_vm_struct-no-BUG.diff	2005-03-16 01:25:54 UTC (rev 2722)
@@ -0,0 +1,238 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2004/12/17 21:45:58-02:00 chrisw@osdl.org 
+#   [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  
+#   
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error
+#   rather than BUG().  This eliminates a user triggerable BUG() when user
+#   created a large vma that overlapped with arg pages during exec (could be
+#   triggered with a.out on i386 and x86_64 and elf on ia64).
+#   
+#   Signed-off-by: Chris Wright <chrisw@osdl.org>
+#   
+#   ===== arch/ia64/ia32/binfmt_elf32.c 1.13 vs edited =====
+# 
+# arch/ia64/ia32/binfmt_elf32.c
+#   2004/12/17 17:22:06-02:00 chrisw@osdl.org +16 -4
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+# 
+# arch/ia64/mm/init.c
+#   2004/12/17 15:25:47-02:00 chrisw@osdl.org +14 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). 
+# 
+# arch/s390x/kernel/exec32.c
+#   2004/12/17 15:32:42-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# arch/x86_64/ia32/ia32_binfmt.c
+#   2004/12/17 15:34:21-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# fs/exec.c
+#   2004/12/17 15:54:18-02:00 chrisw@osdl.org +6 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  
+# 
+# include/linux/mm.h
+#   2004/12/16 20:38:37-02:00 chrisw@osdl.org +1 -1
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().  This eliminates a user triggerable BUG() when user
+# 
+# mm/mmap.c
+#   2004/12/16 20:43:15-02:00 chrisw@osdl.org +3 -2
+#   Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG().
+# 
+
+# backported to Debian's 2.4.27 by dann frazier <dannf@debian.org>
+
+diff -urN kernel-source-2.4.27.orig/arch/ia64/ia32/binfmt_elf32.c kernel-source-2.4.27/arch/ia64/ia32/binfmt_elf32.c
+--- kernel-source-2.4.27.orig/arch/ia64/ia32/binfmt_elf32.c	2004-08-07 17:26:04.000000000 -0600
++++ kernel-source-2.4.27/arch/ia64/ia32/binfmt_elf32.c	2005-03-15 18:07:41.637013963 -0700
+@@ -95,7 +95,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -117,7 +121,11 @@
+ 		vma->vm_private_data = NULL;
+ 		down_write(&current->mm->mmap_sem);
+ 		{
+-			insert_vm_struct(current->mm, vma);
++			if (insert_vm_struct(current->mm, vma)) {
++				kmem_cache_free(vm_area_cachep, vma);
++				up_write(&current->mm->mmap_sem);
++				return;
++			}
+ 		}
+ 		up_write(&current->mm->mmap_sem);
+ 	}
+@@ -164,7 +172,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -188,7 +196,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	}
+ 
+diff -urN kernel-source-2.4.27.orig/arch/ia64/mm/init.c kernel-source-2.4.27/arch/ia64/mm/init.c
+--- kernel-source-2.4.27.orig/arch/ia64/mm/init.c	2004-02-18 06:36:30.000000000 -0700
++++ kernel-source-2.4.27/arch/ia64/mm/init.c	2005-03-15 18:07:41.712209275 -0700
+@@ -105,7 +105,13 @@
+ 		vma->vm_pgoff = 0;
+ 		vma->vm_file = NULL;
+ 		vma->vm_private_data = NULL;
+-		insert_vm_struct(current->mm, vma);
++		down_write(&current->mm->mmap_sem);
++		if (insert_vm_struct(current->mm, vma)) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, vma);
++			return;
++		}
++		up_write(&current->mm->mmap_sem);
+ 	}
+ 
+ 	/* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ 			vma->vm_end = PAGE_SIZE;
+ 			vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ 			vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+-			insert_vm_struct(current->mm, vma);
++			down_write(&current->mm->mmap_sem);
++			if (insert_vm_struct(current->mm, vma)) {
++				up_write(&current->mm->mmap_sem);
++				kmem_cache_free(vm_area_cachep, vma);
++				return;
++			}
++			up_write(&current->mm->mmap_sem);
+ 		}
+ 	}
+ }
+diff -urN kernel-source-2.4.27.orig/arch/s390x/kernel/exec32.c kernel-source-2.4.27/arch/s390x/kernel/exec32.c
+--- kernel-source-2.4.27.orig/arch/s390x/kernel/exec32.c	2001-04-11 20:02:29.000000000 -0600
++++ kernel-source-2.4.27/arch/s390x/kernel/exec32.c	2005-03-15 18:07:41.713185837 -0700
+@@ -41,7 +41,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -65,7 +65,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -urN kernel-source-2.4.27.orig/arch/x86_64/ia32/ia32_binfmt.c kernel-source-2.4.27/arch/x86_64/ia32/ia32_binfmt.c
+--- kernel-source-2.4.27.orig/arch/x86_64/ia32/ia32_binfmt.c	2003-11-28 11:26:19.000000000 -0700
++++ kernel-source-2.4.27/arch/x86_64/ia32/ia32_binfmt.c	2005-03-15 18:07:41.713185837 -0700
+@@ -225,7 +225,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -250,7 +250,11 @@
+ 		mpnt->vm_pgoff = 0;
+ 		mpnt->vm_file = NULL;
+ 		mpnt->vm_private_data = (void *) 0;
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -urN kernel-source-2.4.27.orig/fs/exec.c kernel-source-2.4.27/fs/exec.c
+--- kernel-source-2.4.27.orig/fs/exec.c	2005-01-19 02:57:53.000000000 -0700
++++ kernel-source-2.4.27/fs/exec.c	2005-03-15 18:08:08.929982379 -0700
+@@ -327,7 +327,7 @@
+ {
+ 	unsigned long stack_base;
+ 	struct vm_area_struct *mpnt;
+-	int i;
++	int i, ret;
+ 
+ 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ 
+@@ -358,7 +358,11 @@
+ 			kmem_cache_free(vm_area_cachep, mpnt);
+ 			return -ENOMEM;
+ 		}
+-		insert_vm_struct(current->mm, mpnt);
++		if ((ret = insert_vm_struct(current->mm, mpnt))) {
++			up_write(&current->mm->mmap_sem);
++			kmem_cache_free(vm_area_cachep, mpnt);
++			return ret;
++		}
+ 		current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ 	} 
+ 
+diff -urN kernel-source-2.4.27.orig/include/linux/mm.h kernel-source-2.4.27/include/linux/mm.h
+--- kernel-source-2.4.27.orig/include/linux/mm.h	2005-01-19 02:57:58.000000000 -0700
++++ kernel-source-2.4.27/include/linux/mm.h	2005-03-15 18:07:41.750295212 -0700
+@@ -545,7 +545,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -urN kernel-source-2.4.27.orig/mm/mmap.c kernel-source-2.4.27/mm/mmap.c
+--- kernel-source-2.4.27.orig/mm/mmap.c	2005-01-19 02:57:58.000000000 -0700
++++ kernel-source-2.4.27/mm/mmap.c	2005-03-15 18:07:41.787404586 -0700
+@@ -1208,14 +1208,15 @@
+ 	validate_mm(mm);
+ }
+ 
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ 	struct vm_area_struct * __vma, * prev;
+ 	rb_node_t ** rb_link, * rb_parent;
+ 
+ 	__vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ 	if (__vma && __vma->vm_start < vma->vm_end)
+-		BUG();
++		return -ENOMEM;
+ 	vma_link(mm, vma, prev, rb_link, rb_parent);
+ 	validate_mm(mm);
++	return 0;
+ }
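Review bot: The new insert_vm_struct failure path in the fs/exec.c hunk releases mmap_sem before returning, but the pre-existing RLIMIT_STACK failure path two lines above it (`kmem_cache_free(vm_area_cachep, mpnt); return -ENOMEM;`) does not; if that check runs under the same down_write() — the if line and the down_write are outside the hunk, so I cannot confirm it here — the older path returns with mmap_sem still held and the exec'ing task blocks on its next acquisition. The two paths should be made consistent, for example by adding `up_write(&current->mm->mmap_sem);` ahead of that existing kmem_cache_free, and the same comparison is worth making in the arch/s390x, arch/x86_64 and arch/ia64 hunks that declare `int i, ret`, where the lines before the hunk are likewise not visible. In the two arch/ia64/ia32/binfmt_elf32.c hunks and the two arch/ia64/mm/init.c hunks the enclosing functions appear to return void, so a rejected vma is now silently dropped rather than reported; a short comment on each bail-out such as `/* overlaps an existing mapping: drop this vma instead of BUG() */` would tell the next reader that the silent return is intentional. Those four hunks also disagree on whether kmem_cache_free or up_write comes first, which is harmless but worth normalising to the unlock-then-free order used everywhere else in the patch. Separately, the commit log and changelog entry name the patch `145_insert_vm_struct-no-BUG.patch` while the file added and the series entry use `.diff`.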

Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9	2005-03-15 15:30:53 UTC (rev 2721)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9	2005-03-16 01:25:54 UTC (rev 2722)
@@ -10,3 +10,4 @@
 + 121_drm-locking-checks-3.diff
 + 143_outs.diff
 + 144_sparc64-sb1500-clock-2.4.diff
++ 145_insert_vm_struct-no-BUG.diff