[kernel] r13885 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jul 6 04:17:09 UTC 2009


Author: dannf
Date: Mon Jul  6 04:17:07 2009
New Revision: 13885

Log:
splice: fix deadlock in ocfs2 (CVE-2009-1961)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch
      - copied, changed from r13882, dists/lenny/linux-2.6/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Jul  6 04:03:07 2009	(r13884)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Jul  6 04:17:07 2009	(r13885)
@@ -6,6 +6,7 @@
   * cifs: fix several string conversion issues (CVE-2009-1633)
   * [sparc64] Fix crash when reading /proc/iomem w/ heap memory checking
     (CVE-2009-1914)
+  * splice: fix deadlock in ocfs2 (CVE-2009-1961)
 
  -- dann frazier <dannf at debian.org>  Sat, 06 Jun 2009 09:49:28 -0600
 

Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch (from r13882, dists/lenny/linux-2.6/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch)
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch	Sun Jul  5 21:39:24 2009	(r13882, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ocfs2-splice-deadlock.patch	Mon Jul  6 04:17:07 2009	(r13885)
@@ -33,12 +33,12 @@
     Cc: stable at kernel.org
     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
 
-Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
 
-diff -urpN linux-source-2.6.26.orig/fs/ocfs2/file.c linux-source-2.6.26/fs/ocfs2/file.c
---- linux-source-2.6.26.orig/fs/ocfs2/file.c	2008-07-13 15:51:29.000000000 -0600
-+++ linux-source-2.6.26/fs/ocfs2/file.c	2009-06-09 00:15:54.000000000 -0600
-@@ -2089,7 +2089,7 @@ static ssize_t ocfs2_file_splice_write(s
+diff -urpN linux-source-2.6.24.orig/fs/ocfs2/file.c linux-source-2.6.24/fs/ocfs2/file.c
+--- linux-source-2.6.24.orig/fs/ocfs2/file.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/ocfs2/file.c	2009-07-05 21:37:39.000000000 -0600
+@@ -2056,7 +2056,7 @@ static ssize_t ocfs2_file_splice_write(s
  		   out->f_path.dentry->d_name.len,
  		   out->f_path.dentry->d_name.name);
  
@@ -47,7 +47,7 @@
  
  	ret = ocfs2_rw_lock(inode, 1);
  	if (ret < 0) {
-@@ -2104,12 +2104,16 @@ static ssize_t ocfs2_file_splice_write(s
+@@ -2071,12 +2071,16 @@ static ssize_t ocfs2_file_splice_write(s
  		goto out_unlock;
  	}
  
@@ -65,10 +65,10 @@
  
  	mlog_exit(ret);
  	return ret;
-diff -urpN linux-source-2.6.26.orig/fs/splice.c linux-source-2.6.26/fs/splice.c
---- linux-source-2.6.26.orig/fs/splice.c	2009-05-11 12:06:55.000000000 -0600
-+++ linux-source-2.6.26/fs/splice.c	2009-06-09 00:17:13.000000000 -0600
-@@ -726,10 +726,19 @@ ssize_t splice_from_pipe(struct pipe_ino
+diff -urpN linux-source-2.6.24.orig/fs/splice.c linux-source-2.6.24/fs/splice.c
+--- linux-source-2.6.24.orig/fs/splice.c	2008-10-10 00:11:29.000000000 -0600
++++ linux-source-2.6.24/fs/splice.c	2009-07-05 21:35:23.000000000 -0600
+@@ -738,10 +738,19 @@ ssize_t splice_from_pipe(struct pipe_ino
  	 * ->commit_write. Most of the time, these expect i_mutex to
  	 * be held. Since this may result in an ABBA deadlock with
  	 * pipe->inode, we have to order lock acquiry here.
@@ -90,24 +90,3 @@
  
  	return ret;
  }
-@@ -820,11 +829,17 @@ generic_file_splice_write(struct pipe_in
- 	};
- 	ssize_t ret;
- 
--	inode_double_lock(inode, pipe->inode);
-+	WARN_ON(S_ISFIFO(inode->i_mode));
-+	mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
- 	ret = remove_suid(out->f_path.dentry);
--	if (likely(!ret))
-+	if (likely(!ret)) {
-+		if (pipe->inode)
-+			mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
- 		ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
--	inode_double_unlock(inode, pipe->inode);
-+		if (pipe->inode)
-+			mutex_unlock(&pipe->inode->i_mutex);
-+	}
-+	mutex_unlock(&inode->i_mutex);
- 	if (ret > 0) {
- 		unsigned long nr_pages;
- 
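Review bot: The backport drops the whole `generic_file_splice_write` hunk from the patch (the 21 removed lines at the end of this hunk), but the header line only says `Backported to Debian's 2.6.24`, so a later reader cannot tell whether the omission is deliberate. In the 2.6.26 version that hunk replaced `inode_double_lock(inode, pipe->inode)` with an explicit `i_mutex`-then-pipe-mutex order, which is the same lock ordering the retained `splice_from_pipe` hunk enforces. Presumably 2.6.24's `generic_file_splice_write` never takes both locks itself and reaches the pipe only through the patched `splice_from_pipe`, but that is not visible on this page and should be confirmed against the 2.6.24 `fs/splice.c`. Once verified, I would record it in the patch header, for example `generic_file_splice_write hunk dropped: 2.6.24 does not call inode_double_lock() there`.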

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.2	Mon Jul  6 04:03:07 2009	(r13884)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.2	Mon Jul  6 04:17:07 2009	(r13885)
@@ -6,3 +6,4 @@
 + features/ich10-raid-mode-sata-controller-ids.patch
 + bugfix/all/stable/2.6.24.6.patch
 + bugfix/all/stable/2.6.24.7.patch
++ bugfix/all/ocfs2-splice-deadlock.patch


