[kernel] r13731 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/features/all/xen debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jun 5 20:57:57 UTC 2009
Author: dannf
Date: Fri Jun 5 20:57:56 2009
New Revision: 13731
Log:
merge 2.6.26-15lenny3
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
dists/lenny/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch
dists/lenny/linux-2.6/debian/patches/series/15lenny3
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3
dists/lenny/linux-2.6/debian/patches/series/15lenny3-extra
- copied unchanged from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3-extra
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Fri Jun 5 15:36:24 2009 (r13730)
+++ dists/lenny/linux-2.6/debian/changelog Fri Jun 5 20:57:56 2009 (r13731)
@@ -39,6 +39,20 @@
-- maximilian attems <maks at debian.org> Mon, 30 Mar 2009 17:11:49 +0200
+linux-2.6 (2.6.26-15lenny3) stable-security; urgency=high
+
+ [ dann frazier ]
+ * Fix selinux panic introduced by the fix for CVE-2009-1184
+ (Closes: #528860)
+ * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
+ * cifs: fix several string conversion issues (CVE-2009-1633)
+
+ [ Ian Campbell ]
+ * xen: Fix missing check of interrupted code's code selector
+ (CVE-2009-1758)
+
+ -- dann frazier <dannf at debian.org> Thu, 28 May 2009 08:34:15 -0600
+
linux-2.6 (2.6.26-15lenny2) stable-security; urgency=high
* mips: implement is_compat_task macro, fixing FTBFS introduced
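Review bot: the CVE-2009-1758 entry under [ Ian Campbell ] only reaches the xen featureset, since series/15lenny3-extra lists i386-hypervisor_callback-adjustments.patch with `featureset=xen`, while the entry reads as if it applied to every flavour. Saying so in the changelog line (for instance by prefixing it with the featureset, as other Debian kernel entries do) lets users of the non-xen flavours see at a glance that this fix does not concern them.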
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
@@ -0,0 +1,116 @@
+commit 27b87fe52baba0a55e9723030e76fce94fabcea4
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue Apr 14 11:00:53 2009 -0400
+
+ cifs: fix unicode string area word alignment in session setup
+
+ The handling of unicode string area alignment is wrong.
+ decode_unicode_ssetup improperly assumes that it will always be preceded
+ by a pad byte. This isn't the case if the string area is already
+ word-aligned.
+
+ This problem, combined with the bad buffer sizing for the serverDomain
+ string can cause memory corruption. The bad alignment can make it so
+ that the alignment of the characters is off. This can make them
+ translate to characters that are greater than 2 bytes each. If this
+ happens we can overflow the allocation.
+
+ Fix this by fixing the alignment in CIFS_SessSetup instead so we can
+ verify it against the head of the response. Also, clean up the
+ workaround for improperly terminated strings by checking for a
+ odd-length unicode buffers and then forcibly terminating them.
+
+ Finally, resize the buffer for serverDomain. Now that we've fixed
+ the alignment, it's probably fine, but a malicious server could
+ overflow it.
+
+ A better solution for handling these strings is still needed, but
+ this should be a suitable bandaid.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ CC: Stable <stable at vger.kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/sess.c linux-source-2.6.26/fs/cifs/sess.c
+--- linux-source-2.6.26.orig/fs/cifs/sess.c 2009-05-11 12:06:56.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/sess.c 2009-05-25 23:24:01.000000000 -0600
+@@ -202,27 +202,26 @@ static int decode_unicode_ssetup(char **
+ int words_left, len;
+ char *data = *pbcc_area;
+
+-
+-
+ cFYI(1, ("bleft %d", bleft));
+
+-
+- /* SMB header is unaligned, so cifs servers word align start of
+- Unicode strings */
+- data++;
+- bleft--; /* Windows servers do not always double null terminate
+- their final Unicode string - in which case we
+- now will not attempt to decode the byte of junk
+- which follows it */
++ /*
++ * Windows servers do not always double null terminate their final
++ * Unicode string. Check to see if there are an uneven number of bytes
++ * left. If so, then add an extra NULL pad byte to the end of the
++ * response.
++ *
++ * See section 2.7.2 in "Implementing CIFS" for details
++ */
++ if (bleft % 2) {
++ data[bleft] = 0;
++ ++bleft;
++ }
+
+ words_left = bleft / 2;
+
+ /* save off server operating system */
+ len = UniStrnlen((wchar_t *) data, words_left);
+
+-/* We look for obvious messed up bcc or strings in response so we do not go off
+- the end since (at least) WIN2K and Windows XP have a major bug in not null
+- terminating last Unicode string in response */
+ if (len >= words_left)
+ return rc;
+
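Review bot: `data[bleft] = 0;` inside the new `if (bleft % 2)` block writes one byte past the area the caller declared valid (bleft bytes), so it is only safe if the receive buffer always has slack after the string area, and nothing in this hunk checks that. Either bound the write against the end of the SMB buffer or add a comment stating why the extra byte is always inside the allocation. The rest of the change is sound: the removed unconditional `data++; bleft--;` assumed a pad byte that is absent when the string area is already word-aligned, which is exactly the misdecoding the commit message describes.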
+@@ -260,13 +259,10 @@ static int decode_unicode_ssetup(char **
+ return rc;
+
+ kfree(ses->serverDomain);
+- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+- if (ses->serverDomain != NULL) {
++ ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
++ if (ses->serverDomain != NULL)
+ cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
+ nls_cp);
+- ses->serverDomain[2*len] = 0;
+- ses->serverDomain[(2*len) + 1] = 0;
+- }
+ data += 2 * (len + 1);
+ words_left -= len + 1;
+
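Review bot: an allocation failure is still silently ignored here: when `kzalloc((4 * len) + 2, GFP_KERNEL)` returns NULL, `ses->serverDomain` stays NULL and the function carries on with `data += 2 * (len + 1);` as though the string had been decoded. Set rc to -ENOMEM (or return it) in the NULL case. The larger size and the reliance on kzalloc for the double-NUL terminator are fine, which is why the removed explicit `ses->serverDomain[2*len] = 0;` stores are no longer needed.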
+@@ -605,12 +601,18 @@ CIFS_SessSetup(unsigned int xid, struct
+ }
+
+ /* BB check if Unicode and decode strings */
+- if (smb_buf->Flags2 & SMBFLG2_UNICODE)
++ if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++ /* unicode string area must be word-aligned */
++ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
++ ++bcc_ptr;
++ --bytes_remaining;
++ }
+ rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
+- ses, nls_cp);
+- else
++ ses, nls_cp);
++ } else {
+ rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
+ ses, nls_cp);
++ }
+
+ ssetup_exit:
+ if (spnego_key)
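Review bot: `--bytes_remaining;` runs without first checking that `bytes_remaining` is non-zero, so a misaligned but empty string area leaves a negative (or wrapped, if the type is unsigned) count that is then passed to decode_unicode_ssetup as `bleft`. Guard the pad skip with `if (bytes_remaining > 0)` or bail out before the decrement. Computing the alignment from `smb_buf` rather than assuming a leading pad byte is the right approach and pairs correctly with the decode_unicode_ssetup change above.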
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
@@ -0,0 +1,27 @@
+commit 7b0c8fcff47a885743125dd843db64af41af5a61
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Mon Apr 20 18:54:36 2009 +0530
+
+ cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows
+
+ Increase size of tmp_buf to possible maximum to avoid potential
+ overflows.
+
+ Pointed-out-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 1a8be62..ebd0da7 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -1074,7 +1074,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
+ with the rare long characters alloc more to account for
+ such multibyte target UTF-8 characters. cifs_unicode.c,
+ which actually does the conversion, has the same limit */
+- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
++ tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);
+ for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
+ if (current_entry == NULL) {
+ /* evaluate whether this case is an error */
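Review bot: the same `4 * n + 2` sizing now appears as `(4 * NAME_MAX) + 2` here and as `(4 * len) + 2` and `(4 * plen) + 2` in the sess.c and cifssmb.c patches of this series; since the comment above ties the factor to the per-character limit in cifs_unicode.c, a single named constant used at all three sites would keep them from drifting apart. Also, no NULL check of `tmp_buf` is visible before the `for` loop starts; confirm one exists just outside this hunk.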
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch)
@@ -0,0 +1,79 @@
+commit 968460ebd8006d55661dec0fb86712b40d71c413
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Mon Apr 20 18:54:21 2009 +0530
+
+ cifs: Rename cifs_strncpy_to_host and fix buffer size
+
+ There is a possibility for the path_name and node_name buffers to
+ overflow if they contain charcters that are >2 bytes in the local
+ charset. Resize the buffer allocation so to avoid this possibility.
+
+ Also, as pointed out by Jeff Layton, it would be appropriate to
+ rename the function to cifs_strlcpy_to_host to reflect the fact
+ that the copied string is always NULL terminated.
+
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/cifssmb.c linux-source-2.6.26/fs/cifs/cifssmb.c
+--- linux-source-2.6.26.orig/fs/cifs/cifssmb.c 2009-05-11 12:06:53.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/cifssmb.c 2009-05-25 23:30:32.000000000 -0600
+@@ -88,29 +88,29 @@ static struct {
+ * on failure - errno
+ */
+ static int
+-cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
++cifs_strlcpy_to_host(char **dst, const char *src, const int maxlen,
+ const bool is_unicode, const struct nls_table *nls_codepage)
+ {
+ int plen;
+
+ if (is_unicode) {
+ plen = UniStrnlen((wchar_t *)src, maxlen);
+- *dst = kmalloc(plen + 2, GFP_KERNEL);
++ *dst = kmalloc((4 * plen) + 2, GFP_KERNEL);
+ if (!*dst)
+- goto cifs_strncpy_to_host_ErrExit;
++ goto cifs_strlcpy_to_host_ErrExit;
+ cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
++ (*dst)[plen] = 0;
++ (*dst)[plen+1] = 0; /* needed for Unicode */
+ } else {
+ plen = strnlen(src, maxlen);
+ *dst = kmalloc(plen + 2, GFP_KERNEL);
+ if (!*dst)
+- goto cifs_strncpy_to_host_ErrExit;
+- strncpy(*dst, src, plen);
++ goto cifs_strlcpy_to_host_ErrExit;
++ strlcpy(*dst, src, plen);
+ }
+- (*dst)[plen] = 0;
+- (*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
+ return 0;
+
+-cifs_strncpy_to_host_ErrExit:
++cifs_strlcpy_to_host_ErrExit:
+ cERROR(1, ("Failed to allocate buffer for string\n"));
+ return -ENOMEM;
+ }
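Review bot: `strlcpy(*dst, src, plen);` truncates. strlcpy takes the destination size as its third argument and copies at most size-1 bytes before writing the NUL, so with `plen = strnlen(src, maxlen)` the last character of every ASCII string is dropped; pass `plen + 1`, which is within the `plen + 2` byte allocation. In the Unicode branch the terminator is now written at `(*dst)[plen]`, but plen is the UCS-2 character count, while the buffer was enlarged to `(4 * plen) + 2` precisely because the converted output can exceed plen bytes; if cifs_strfromUCS_le emits more than plen bytes this NUL cuts the string short. Terminate at the length the conversion actually produced (its return value, if it reports one) instead of at plen.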
+@@ -3966,7 +3966,7 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS
+ /* copy DfsPath */
+ temp = (char *)ref + le16_to_cpu(ref->DfsPathOffset);
+ max_len = data_end - temp;
+- rc = cifs_strncpy_to_host(&(node->path_name), temp,
++ rc = cifs_strlcpy_to_host(&(node->path_name), temp,
+ max_len, is_unicode, nls_codepage);
+ if (rc)
+ goto parse_DFS_referrals_exit;
+@@ -3974,7 +3974,7 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS
+ /* copy link target UNC */
+ temp = (char *)ref + le16_to_cpu(ref->NetworkAddressOffset);
+ max_len = data_end - temp;
+- rc = cifs_strncpy_to_host(&(node->node_name), temp,
++ rc = cifs_strlcpy_to_host(&(node->node_name), temp,
+ max_len, is_unicode, nls_codepage);
+ if (rc)
+ goto parse_DFS_referrals_exit;
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
@@ -0,0 +1,38 @@
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
+Author: Frank Filz <ffilzlnx at us.ibm.com>
+Date: Mon May 18 17:41:40 2009 -0400
+
+ nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+ The problem is that permission checking is skipped if atomic open is
+ possible, but when exec opens a file, it just opens it O_READONLY which
+ means EXEC permission will not be checked at that time.
+
+ This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+ Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+ Tested-by: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/nfs/dir.c linux-source-2.6.26/fs/nfs/dir.c
+--- linux-source-2.6.26.orig/fs/nfs/dir.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/nfs/dir.c 2009-05-24 14:36:52.000000000 -0600
+@@ -1949,7 +1949,8 @@ int nfs_permission(struct inode *inode,
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+ && nd != NULL
+- && (nd->flags & LOOKUP_OPEN))
++ && (nd->flags & LOOKUP_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch)
@@ -0,0 +1,62 @@
+This should fix the problem you are seeing with the Debian 2.6.26 kernels ...
+let me know if you have any problems/questions.
+
+Good luck.
+
+---------- Forwarded Message ----------
+
+Subject: [PATCH] SELinux: BUG in SELinux compat_net code
+Date: Tuesday 19 May 2009
+From: Eric Paris <eparis at redhat.com>
+To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
+selinux at vger.kernel.org
+
+This patch is not applicable to Linus's tree as the code in question has
+been removed for 2.6.30. I'm sending in case any of the stable
+maintainers would like to push to their branches (which I think anything
+pre 2.6.30 would like to do).
+
+Ubuntu users were experiencing a kernel panic when they enabled SELinux
+due to an old bug in our handling of the compatibility mode network
+controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
+Most distros have not used the compat_net code since the new code was
+introduced and so noone has hit this problem before. Ubuntu is the only
+distro I know that enabled that legacy cruft by default. But, I was ask
+to look at it and found that the above patch changed a call to
+avc_has_perm from if(send_perm) to if(!send_perm) in
+selinux_ip_postroute_iptables_compat(). The result is that users who
+turn on SELinux and have compat_net set can (and oftern will) BUG() in
+avc_has_perm_noaudit since they are requesting 0 permissions.
+
+This patch corrects that accidental bug introduction.
+
+Signed-off-by: Eric Paris <eparis at redhat.com>
+
+---
+
+ security/selinux/hooks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff -up linux-source-2.6.28/security/selinux/hooks.c.pre.send linux-
+source-2.6.28/security/selinux/hooks.c
+--- linux-source-2.6.28/security/selinux/hooks.c.pre.send 2009-05-18
+13:23:16.043632602 -0400
++++ linux-source-2.6.28/security/selinux/hooks.c 2009-05-18 13:23:27.899632772
+-0400
+@@ -4561,7 +4561,7 @@ static int selinux_ip_postroute_iptables
+ if (err)
+ return err;
+
+- if (send_perm != 0)
++ if (!send_perm)
+ return 0;
+
+ err = sel_netport_sid(sk->sk_protocol,
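Review bot: the file header (`diff -up linux-source-2.6.28/... linux-` continued on the next line as `source-2.6.28/...`) has been wrapped by the mail client and names 2.6.28 paths, although this file is being applied to Debian's 2.6.26 tree; regenerate it against 2.6.26 in the same style as the other patches in this series so it applies without fuzz or manual repair. The one-line logic change itself, `if (send_perm != 0)` to `if (!send_perm)`, matches the description: returning early when no permission bits are requested is what keeps avc_has_perm from being called with 0 permissions.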
+
+
+
+-------------------------------------------------------
+--
+paul moore
+linux @ hp
+
Copied: dists/lenny/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch)
@@ -0,0 +1,89 @@
+
+# HG changeset patch
+# User Keir Fraser <keir.fraser at citrix.com>
+# Date 1242292120 -3600
+# Node ID 9b945480054430882b60bb5e5f660822a1c07b70
+# Parent 271d9b9bee40657b1714b2bb62531e989c7b5813
+xen/i386: hypervisor_callback adjustments
+
+The missing check of the interrupted code's code selector in
+hypervisor_callback() allowed a user mode application to oops (and
+perhaps crash) the kernel.
+
+Further adjustments:
+- the 'main' critical region does not include the jmp following the
+ disabling of interrupts [ijc: removed from backport]
+- the sysexit_[se]crit range checks got broken at some point - the
+ sysexit ciritcal region is always at higher addresses than the
+ 'main'
+ one, yielding the check pointless (but consuming execution time);
+ since the supervisor mode kernel isn't actively used afaict, I moved
+ that code into an #ifdef using a hypothetical config option
+- the use of a numeric label across more than 300 lines of code always
+ seemed pretty fragile to me, so the patch replaces this with a local
+ named label
+- streamlined the critical_region_fixup code to eliminate a branch
+ [ijc: removed from backport]
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+
+Backported to Debian's 2.6.26 and reduced to minimal fix by
+dann frazier <dannf at debian.org> and Ian Campbell <ijc at hellion.org.uk>
+
+--- a/arch/x86/kernel/entry_32-xen.S Thu May 14 10:08:10 2009 +0100
++++ b/arch/x86/kernel/entry_32-xen.S Thu May 14 10:08:40 2009 +0100
+@@ -522,7 +522,7 @@
+ .previous
+ 14: __DISABLE_INTERRUPTS
+ TRACE_IRQS_OFF
+- jmp 11f
++ jmp .Ldo_upcall
+ ecrit: /**** END OF CRITICAL REGION ****/
+
+ CFI_RESTORE_STATE
+@@ -795,17 +795,23 @@
+ pushl %eax
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
++ testb $2,PT_CS(%esp)
+ movl PT_EIP(%esp),%eax
++ jnz .Ldo_upcall
+ cmpl $scrit,%eax
+- jb 11f
++ jb 0f
+ cmpl $ecrit,%eax
+ jb critical_region_fixup
++0:
++#ifdef CONFIG_XEN_SUPERVISOR_MODE_KERNEL
+ cmpl $sysexit_scrit,%eax
+- jb 11f
++ jb .Ldo_upcall
+ cmpl $sysexit_ecrit,%eax
+- ja 11f
++ ja .Ldo_upcall
+ addl $PT_OLDESP,%esp # Remove eflags...ebx from stack frame.
+-11: push %esp
++#endif
++.Ldo_upcall:
++ push %esp
+ CFI_ADJUST_CFA_OFFSET 4
+ call evtchn_do_upcall
+ add $4,%esp
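Review bot: `testb $2,PT_CS(%esp)` followed by `jnz .Ldo_upcall` is the actual fix but carries no comment; add one stating that bit 1 of the saved code selector is set when the interrupted code was not running in the kernel's ring, so the critical-region fixup (meaningful only for kernel code between scrit and ecrit) must be skipped and the upcall delivered directly. A reader of entry_32-xen.S should not have to reconstruct that from the commit message. Minor: the new numeric label `0:` reached by `jb 0f` is acceptable for a three-instruction hop, even though the message argues against numeric labels.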
+@@ -835,7 +841,7 @@
+ movl %eax,(%edi)
+ loop 16b
+ 17: movl %edi,%esp # final %edi is top of merged stack
+- jmp 11b
++ jmp .Ldo_upcall
+
+ .section .rodata,"a"
+ critical_fixup_table:
+@@ -854,7 +860,7 @@
+ .byte 0x28,0x28,0x28 # add $4,%esp
+ .byte 0x2c # iret
+ .byte 0xff,0xff,0xff,0xff # movb $1,1(%esi)
+- .byte 0x00,0x00 # jmp 11b
++ .byte 0x00,0x00 # jmp .Ldo_upcall
+ .previous
+
+ # Hypervisor uses this for application faults while it executes.
Copied: dists/lenny/linux-2.6/debian/patches/series/15lenny3 (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/15lenny3 Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3)
@@ -0,0 +1,5 @@
++ bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
++ bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
++ bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
++ bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
++ bugfix/all/cifs-rename-cifs_strncpy_to_host-and-fix-buffer-size.patch
Copied: dists/lenny/linux-2.6/debian/patches/series/15lenny3-extra (from r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3-extra)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/15lenny3-extra Fri Jun 5 20:57:56 2009 (r13731, copy of r13730, releases/linux-2.6/2.6.26-15lenny3/debian/patches/series/15lenny3-extra)
@@ -0,0 +1 @@
++ features/all/xen/i386-hypervisor_callback-adjustments.patch featureset=xen