[kernel] r13201 - in dists/lenny/linux-2.6/debian: . patches/features/all/openvz patches/series
Maximilian Attems
maks at alioth.debian.org
Sun Mar 22 21:13:03 UTC 2009
Author: maks
Date: Sun Mar 22 21:13:00 2009
New Revision: 13201
Log:
openvz add several stable proposed patches
this sixth series consists of selected ABI breakers from 0049-0075.
we should now be resynced with openvz upstream 2.6.26 tree.
Reported-by: Kir Kolyshkin <kir at openvz.org>
Tested-by: Ola Lundqvist <ola at inguza.com>
Added:
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0050-nfs-Fix-access-to-freed-memory.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0051-NFS-NFS-super-blocks-in-different-VEs-should-be-dif.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0054-ve-sanitize-capability-checks-for-namespaces-creati.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0056-nfs-Fix-nfs_match_client.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0057-Add-do_ve_enter_hook.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0058-Add-kthread_create_ve-and-kthread_run_ve-functio.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0060-nfs-use-kthread_run_ve-to-start-lockd.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0072-pidns-lost-task-debug-print-uses-wrong-prototype.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0073-pidns-zap-ve-process-only-when-killing-ve-s-init-pi.patch
dists/lenny/linux-2.6/debian/patches/features/all/openvz/0075-bc-fix-permissions-on-proc-bc.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/14-extra
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog (original)
+++ dists/lenny/linux-2.6/debian/changelog Sun Mar 22 21:13:00 2009
@@ -104,6 +104,17 @@
* [openvz] 6b9fe02 netns: enable cross-ve Unix sockets.
* [openvz] 1acba85 netfilter: Fix NULL dereference in nf_nat_setup_info.
* [openvz] b405aed netfilter: Add check to the nat hooks.
+ * [openvz] b8b70c7 nfs: Fix access to freed memory.
+ * [openvz] 840ea01 NFS: NFS super blocks in different VEs should be
+ different.
+ * [openvz] 14131d2 ve: sanitize capability checks for namespaces creation.
+ * [openvz] 39bb1ee nfs: Fix nfs_match_client().
+ * [openvz] 32e9103 Add do_ve_enter_hook.
+ * [openvz] d4988b6 Add kthread_create_ve() and kthread_run_ve() functions.
+ * [openvz] ba0ce90 nfs: use kthread_run_ve to start lockd.
+ * [openvz] 672ab37 pidns: lost task debug print uses wrong prototype.
+ * [openvz] d876c93 pidns: zap ve process only when killing ve's init pid-ns.
+ * [openvz] 9abe1a6 bc: fix permissions on /proc/bc.
-- dann frazier <dannf at debian.org> Sun, 22 Mar 2009 14:09:23 -0600
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0050-nfs-Fix-access-to-freed-memory.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0050-nfs-Fix-access-to-freed-memory.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,79 @@
+From b8b70c37c8b114780a02492703c9682d8b09a14b Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Wed, 24 Dec 2008 20:32:43 +0300
+Subject: [PATCH] nfs: Fix access to freed memory
+
+rpc_shutdown_client() frees xprt, so we can't use this xprt.
+So move put_ve() to xprt::destroy level.
+
+Bug https://bugzilla.sw.ru/show_bug.cgi?id=265628
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ net/sunrpc/clnt.c | 2 --
+ net/sunrpc/xprt.c | 2 +-
+ net/sunrpc/xprtrdma/transport.c | 1 +
+ net/sunrpc/xprtsock.c | 1 +
+ 4 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index f303e1d..b6f53f1 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -324,7 +324,6 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args)
+ xprt = xprt_create_transport(&xprtargs);
+ if (IS_ERR(xprt))
+ return (struct rpc_clnt *)xprt;
+- xprt->owner_env = get_ve(get_exec_env());
+
+ /*
+ * By default, kernel RPC client connects from a reserved port.
+@@ -346,7 +345,6 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args)
+ int err = rpc_ping(clnt, RPC_TASK_SOFT);
+ if (err != 0) {
+ rpc_shutdown_client(clnt);
+- put_ve(xprt->owner_env);
+ return ERR_PTR(err);
+ }
+ }
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 831ad1b..23ce2ce 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -1056,7 +1056,7 @@ found:
+ xprt->last_used = jiffies;
+ xprt->cwnd = RPC_INITCWND;
+ xprt->bind_index = 0;
+- xprt->owner_env = get_exec_env();
++ xprt->owner_env = get_ve(get_exec_env());
+
+ rpc_init_wait_queue(&xprt->binding, "xprt_binding");
+ rpc_init_wait_queue(&xprt->pending, "xprt_pending");
+diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
+index a564c1a..77714e3 100644
+--- a/net/sunrpc/xprtrdma/transport.c
++++ b/net/sunrpc/xprtrdma/transport.c
+@@ -286,6 +286,7 @@ xprt_rdma_destroy(struct rpc_xprt *xprt)
+
+ kfree(xprt->slot);
+ xprt->slot = NULL;
++ put_ve(xprt->owner_env);
+ kfree(xprt);
+
+ dprintk("RPC: %s: returning\n", __func__);
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 7ade3e3..27e62dd 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -816,6 +816,7 @@ static void xs_destroy(struct rpc_xprt *xprt)
+ xs_close(xprt);
+ xs_free_peer_addresses(xprt);
+ kfree(xprt->slot);
++ put_ve(xprt->owner_env);
+ kfree(xprt);
+ module_put(THIS_MODULE);
+ }
+--
+1.6.0.6
+
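Review bot: The reference taken at `found:` in net/sunrpc/xprt.c is dropped only by the two destroy callbacks patched here (`xs_destroy()` and `xprt_rdma_destroy()`), so any other path that frees an `rpc_xprt` would leak the VE reference and keep the VE pinned. Whether such a path exists is not visible in these hunks. If there is one common teardown path that invokes the `->destroy` callback, a single `put_ve(xprt->owner_env)` there would remove the per-transport duplication. At minimum I would add `/* pinned until the transport's ->destroy(); every destroy op must put_ve() */` above the `get_ve()` line. The enclosing functions start outside the hunks.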
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0051-NFS-NFS-super-blocks-in-different-VEs-should-be-dif.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0051-NFS-NFS-super-blocks-in-different-VEs-should-be-dif.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,36 @@
+From 840ea01d953ca0ad7629ea66ca0f50685ca06921 Mon Sep 17 00:00:00 2001
+From: Denis Lunev <den at openvz.org>
+Date: Mon, 29 Dec 2008 20:34:32 +0300
+Subject: [PATCH] NFS: NFS super blocks in different VEs should be different
+
+NFS: NFS super blocks in different VEs should be different
+
+Teach nfs_compare_super to this
+
+Bug #265926
+
+Signed-off-by: Denis V. Lunev <den at openvz.org>
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ fs/nfs/super.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index cb4e28a..cf38e22 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1619,6 +1619,10 @@ static int nfs_compare_super(struct super_block *sb, void *data)
+ struct nfs_server *server = sb_mntdata->server, *old = NFS_SB(sb);
+ int mntflags = sb_mntdata->mntflags;
+
++ if (!ve_accessible_strict(old->client->cl_xprt->owner_env,
++ get_exec_env()))
++ return 0;
++
+ if (!nfs_compare_super_address(old, server))
+ return 0;
+ /* Note: NFS_MOUNT_UNSHARED == NFS4_MOUNT_UNSHARED */
+--
+1.6.0.6
+
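Review bot: The new check in `nfs_compare_super()` walks `old->client->cl_xprt->owner_env` with nothing stating why all three pointers are valid for every superblock the comparison can be called on. Patch 0056 in this same commit tests `clp->owner_env` on the `nfs_client` directly; if the server structure reaches its `nfs_client` as easily, comparing that field would keep the two VE checks consistent and avoid depending on the transport (inferred, the structures are not shown here). I would add `/* Superblocks are never shared between VEs */` above the check, matching the commented tests that follow it. The function body starts and ends outside the hunk.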
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0054-ve-sanitize-capability-checks-for-namespaces-creati.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0054-ve-sanitize-capability-checks-for-namespaces-creati.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,167 @@
+From 14131d2abbd2554276fe4488e3403d4c0a747cdf Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Date: Fri, 9 Jan 2009 12:18:20 +0300
+Subject: [PATCH] ve: sanitize capability checks for namespaces creation
+
+The existing hard checking for namespaces mask is too bad. The
+intention was to ban namespaces creation for containers, but
+there aready exists a proper security mechanism to govern this
+question.
+
+Switch to existing capability-driven policy, thus allowing for
+namespaces creation from the HN.
+
+http://bugzilla.openvz.org/show_bug.cgi?id=1113
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ include/linux/nsproxy.h | 2 +-
+ include/linux/sched.h | 4 ----
+ kernel/fork.c | 15 +--------------
+ kernel/nsproxy.c | 7 +++----
+ kernel/ve/vecalls.c | 5 +++--
+ 5 files changed, 8 insertions(+), 25 deletions(-)
+
+diff --git a/include/linux/nsproxy.h b/include/linux/nsproxy.h
+index dd6d50f..e707e2c 100644
+--- a/include/linux/nsproxy.h
++++ b/include/linux/nsproxy.h
+@@ -62,7 +62,7 @@ static inline struct nsproxy *task_nsproxy(struct task_struct *tsk)
+ return rcu_dereference(tsk->nsproxy);
+ }
+
+-int copy_namespaces(unsigned long flags, struct task_struct *tsk);
++int copy_namespaces(unsigned long flags, struct task_struct *tsk, int force_admin);
+ void exit_task_namespaces(struct task_struct *tsk);
+ void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
+ void free_nsproxy(struct nsproxy *ns);
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 272da80..ab38d35 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -29,10 +29,6 @@
+ #define CLONE_NEWNET 0x40000000 /* New network namespace */
+ #define CLONE_IO 0x80000000 /* Clone io context */
+
+-/* mask of clones which are disabled in OpenVZ VEs */
+-#define CLONE_NAMESPACES_MASK (CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | \
+- CLONE_NEWPID | CLONE_NEWNET)
+-
+ /*
+ * Scheduling policies
+ */
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f366869..2cd4ab7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -917,13 +917,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ struct task_struct *p;
+ int cgroup_callbacks_done = 0;
+
+-#ifdef CONFIG_VE
+- if (clone_flags & CLONE_NAMESPACES_MASK)
+- return ERR_PTR(-EINVAL);
+-#else
+ if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+-#endif
+
+ /*
+ * Thread groups must share signals as well, and detached threads
+@@ -1099,7 +1094,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ goto bad_fork_cleanup_signal;
+ if ((retval = copy_keys(clone_flags, p)))
+ goto bad_fork_cleanup_mm;
+- if ((retval = copy_namespaces(clone_flags, p)))
++ if ((retval = copy_namespaces(clone_flags, p, 0)))
+ goto bad_fork_cleanup_keys;
+ if ((retval = copy_io(clone_flags, p)))
+ goto bad_fork_cleanup_namespaces;
+@@ -1651,10 +1646,6 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
+ CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|
+ CLONE_NEWNET))
+ goto bad_unshare_out;
+-#ifdef CONFIG_VE
+- if (unshare_flags & CLONE_NAMESPACES_MASK)
+- goto bad_unshare_out;
+-#endif
+
+ /*
+ * CLONE_NEWIPC must also detach from the undolist: after switching
+@@ -1673,11 +1664,9 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
+ goto bad_unshare_cleanup_sigh;
+ if ((err = unshare_fd(unshare_flags, &new_fd)))
+ goto bad_unshare_cleanup_vm;
+-#ifndef CONFIG_VE
+ if ((err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
+ new_fs)))
+ goto bad_unshare_cleanup_fd;
+-#endif
+
+ if (new_fs || new_mm || new_fd || do_sysvsem || new_nsproxy) {
+ if (do_sysvsem) {
+@@ -1721,9 +1710,7 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
+ if (new_nsproxy)
+ put_nsproxy(new_nsproxy);
+
+-#ifndef CONFIG_VE
+ bad_unshare_cleanup_fd:
+-#endif
+ if (new_fd)
+ put_files_struct(new_fd);
+
+diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
+index 1c0848f..49ff461 100644
+--- a/kernel/nsproxy.c
++++ b/kernel/nsproxy.c
+@@ -127,7 +127,8 @@ out_ns:
+ * called from clone. This now handles copy for nsproxy and all
+ * namespaces therein.
+ */
+-int copy_namespaces(unsigned long flags, struct task_struct *tsk)
++int copy_namespaces(unsigned long flags, struct task_struct *tsk,
++ int force_admin)
+ {
+ struct nsproxy *old_ns = tsk->nsproxy;
+ struct nsproxy *new_ns;
+@@ -142,12 +143,10 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
+ CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)))
+ return 0;
+
+-#ifndef CONFIG_VE
+- if (!capable(CAP_SYS_ADMIN)) {
++ if (!capable(CAP_SYS_ADMIN) && !force_admin) {
+ err = -EPERM;
+ goto out;
+ }
+-#endif
+
+ /*
+ * CLONE_NEWIPC must detach from the undolist: after switching
+diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
+index 4a4a24b..33e3ab1 100644
+--- a/kernel/ve/vecalls.c
++++ b/kernel/ve/vecalls.c
+@@ -680,7 +680,8 @@ static inline int init_ve_namespaces(struct ve_struct *ve,
+ tsk = current;
+ cur = tsk->nsproxy;
+
+- err = copy_namespaces(CLONE_NAMESPACES_MASK & ~CLONE_NEWNET, tsk);
++ err = copy_namespaces(CLONE_NEWUTS | CLONE_NEWIPC
++ | CLONE_NEWUSER | CLONE_NEWPID, tsk, 1);
+ if (err < 0)
+ return err;
+
+@@ -723,7 +724,7 @@ static int init_ve_netns(struct ve_struct *ve, struct nsproxy **old)
+ tsk = current;
+ cur = tsk->nsproxy;
+
+- err = copy_namespaces(CLONE_NEWNET, tsk);
++ err = copy_namespaces(CLONE_NEWNET, tsk, 1);
+ if (err < 0)
+ return err;
+
+--
+1.6.0.6
+
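Review bot: With the `CLONE_NAMESPACES_MASK` rejections removed from `copy_process()` and `sys_unshare()`, the `capable(CAP_SYS_ADMIN)` test in `copy_namespaces()` becomes the only gate on namespace creation, and nothing in these hunks shows how `capable()` is evaluated for a task inside a VE. The description says the goal is creation from the HN, so it is worth confirming that a container whose capability set includes CAP_SYS_ADMIN is still refused. `force_admin` skips that gate and is undocumented; the comment above `copy_namespaces()` should say it is reserved for in-kernel VE setup whose caller has already been authorised. The test also reads better as `if (!force_admin && !capable(CAP_SYS_ADMIN)) {`, so that `capable()` is not consulted when its result is ignored.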
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0056-nfs-Fix-nfs_match_client.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0056-nfs-Fix-nfs_match_client.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,33 @@
+From 39bb1ee59237272cd20e1f8696cefbd6a787cfc8 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Mon, 12 Jan 2009 17:29:54 +0300
+Subject: [PATCH] nfs: Fix nfs_match_client()
+
+nfs_match_client() can return nfs_client from other VE.
+
+Bug https://bugzilla.sw.ru/show_bug.cgi?id=266951
+
+Original-patch-by: Denis Lunev <den at openvz.org>
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ fs/nfs/client.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 3366257..d773ed5 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -343,6 +343,9 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
+ if (clp->cl_cons_state < 0)
+ continue;
+
++ if (!ve_accessible_strict(clp->owner_env, ve))
++ continue;
++
+ /* Different NFS versions cannot share the same nfs_client */
+ if (clp->rpc_ops != data->rpc_ops)
+ continue;
+--
+1.6.0.6
+
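Review bot: The added test uses a local `ve` that is neither declared nor assigned in the visible lines, so its value depends on code outside the hunk; it should be the caller's `get_exec_env()` and not something cached across calls. The check that follows carries a one-line reason, and this one should too, e.g. `/* An nfs_client is never shared between VEs */`. `nfs_match_client()` starts and ends outside the hunk.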
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0057-Add-do_ve_enter_hook.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0057-Add-do_ve_enter_hook.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,70 @@
+From 32e9103ae0ca45d00f252a0e39cfa2d7a3ec2731 Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Tue, 13 Jan 2009 18:23:53 +0300
+Subject: [PATCH] Add do_ve_enter_hook
+
+We will call this hook to enter to VE.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ include/linux/ve.h | 2 ++
+ kernel/ve/ve.c | 3 +++
+ kernel/ve/vecalls.c | 7 +++++++
+ 3 files changed, 12 insertions(+), 0 deletions(-)
+
+diff --git a/include/linux/ve.h b/include/linux/ve.h
+index f55f43e..fbd203c 100644
+--- a/include/linux/ve.h
++++ b/include/linux/ve.h
+@@ -336,6 +336,8 @@ extern spinlock_t ve_cleanup_lock;
+ extern struct list_head ve_cleanup_list;
+ extern struct task_struct *ve_cleanup_thread;
+
++extern int (*do_ve_enter_hook)(struct ve_struct *ve, unsigned int flags);
++
+ extern unsigned long long ve_relative_clock(struct timespec * ts);
+
+ #ifdef CONFIG_FAIRSCHED
+diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
+index 0248f38..fdedf8c 100644
+--- a/kernel/ve/ve.c
++++ b/kernel/ve/ve.c
+@@ -85,6 +85,9 @@ void do_env_free(struct ve_struct *env)
+ EXPORT_SYMBOL(do_env_free);
+ #endif
+
++int (*do_ve_enter_hook)(struct ve_struct *ve, unsigned int flags);
++EXPORT_SYMBOL(do_ve_enter_hook);
++
+ #if defined(CONFIG_VE_ETHDEV) || defined(CONFIG_VE_ETHDEV_MODULE)
+ INIT_KSYM_MODULE(vzethdev);
+ INIT_KSYM_CALL(int, veth_open, (struct net_device *dev));
+diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
+index 33e3ab1..376bbfb 100644
+--- a/kernel/ve/vecalls.c
++++ b/kernel/ve/vecalls.c
+@@ -2397,6 +2397,12 @@ static int __init vecalls_init(void)
+ if (err < 0)
+ goto out_ioctls;
+
++ /* We can easy dereference this hook if VE is running
++ * because in this case vzmon refcount > 0
++ */
++ do_ve_enter_hook = do_env_enter;
++
++
+ return 0;
+
+ out_ioctls:
+@@ -2413,6 +2419,7 @@ out_vzmond:
+
+ static void vecalls_exit(void)
+ {
++ do_ve_enter_hook = NULL;
+ fini_vecalls_ioctls();
+ fini_vecalls_proc();
+ fini_vecalls_symbols();
+--
+1.6.2
+
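Review bot: `do_ve_enter_hook` is published in `vecalls_init()` and cleared in `vecalls_exit()` with plain stores, and the only protection for a caller is the module-refcount argument in the new comment, which holds only while a VE is running. The pointer is also a writable `EXPORT_SYMBOL`, so any module can replace a function that is later called in kernel context. I would document the contract at the definition in kernel/ve/ve.c, for example `/* Set by vzmon on load, NULL otherwise; callers must hold a reference that keeps vzmon loaded and must read the pointer once */`, and reword the comment in `vecalls_init()` to `/* Safe to call while a VE is running: vzmon's refcount is then > 0 */`. Both functions extend beyond the hunks.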
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0058-Add-kthread_create_ve-and-kthread_run_ve-functio.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0058-Add-kthread_create_ve-and-kthread_run_ve-functio.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,156 @@
+From d4988b6efbdfb1b2416288c362d60351e1c5e5ff Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Tue, 13 Jan 2009 19:49:02 +0300
+Subject: [PATCH] Add kthread_create_ve() and kthread_run_ve() functions #2
+
+These functions are like kthread_create() and kthread_run()
+but create threads in VE context.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ include/linux/kthread.h | 23 ++++++++++++++++++++++-
+ kernel/kthread.c | 30 ++++++++++++++++++++++++------
+ 2 files changed, 46 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/kthread.h b/include/linux/kthread.h
+index 00dd957..f71c55a 100644
+--- a/include/linux/kthread.h
++++ b/include/linux/kthread.h
+@@ -4,10 +4,20 @@
+ #include <linux/err.h>
+ #include <linux/sched.h>
+
+-struct task_struct *kthread_create(int (*threadfn)(void *data),
++struct task_struct *kthread_create_ve(struct ve_struct *ve,
++ int (*threadfn)(void *data),
+ void *data,
+ const char namefmt[], ...);
+
++
++#define kthread_create(threadfn, data, namefmt, ...) \
++({ \
++ struct task_struct *__k \
++ = kthread_create_ve(get_ve0(), threadfn, data, namefmt, \
++ ## __VA_ARGS__); \
++ __k; \
++})
++
+ /**
+ * kthread_run - create and wake a thread.
+ * @threadfn: the function to run until signal_pending(current).
+@@ -26,6 +36,17 @@ struct task_struct *kthread_create(int (*threadfn)(void *data),
+ __k; \
+ })
+
++/* Like kthread_run() but run a thread in VE context */
++#define kthread_run_ve(ve, threadfn, data, namefmt, ...) \
++({ \
++ struct task_struct *__k \
++ = kthread_create_ve(ve, threadfn, data, namefmt, \
++ ## __VA_ARGS__); \
++ if (!IS_ERR(__k)) \
++ wake_up_process(__k); \
++ __k; \
++})
++
+ void kthread_bind(struct task_struct *k, unsigned int cpu);
+ int kthread_stop(struct task_struct *k);
+ int kthread_should_stop(void);
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index bd1b9ea..e8f1e53 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -13,6 +13,7 @@
+ #include <linux/file.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
++#include <linux/nsproxy.h>
+
+ #define KTHREAD_NICE_LEVEL (-5)
+
+@@ -26,6 +27,7 @@ struct kthread_create_info
+ int (*threadfn)(void *data);
+ void *data;
+ struct completion started;
++ struct ve_struct *ve;
+
+ /* Result passed back to kthread_create() from kthreadd. */
+ struct task_struct *result;
+@@ -66,6 +68,18 @@ static int kthread(void *_create)
+ void *data;
+ int ret = -EINTR;
+
++ if (do_ve_enter_hook && create->ve != get_ve0()) {
++ ret = do_ve_enter_hook(create->ve, 0);
++ if (ret < 0) {
++ create->result = ERR_PTR(ret);
++ complete(&create->started);
++ return ret;
++ }
++ } else if (create->ve != get_ve0())
++ BUG();
++
++ create->result = current;
++
+ /* Copy data: it's on kthread's stack */
+ threadfn = create->threadfn;
+ data = create->data;
+@@ -97,9 +111,10 @@ static void create_kthread(struct kthread_create_info *create)
+ } else {
+ struct sched_param param = { .sched_priority = 0 };
+ wait_for_completion(&create->started);
+- read_lock(&tasklist_lock);
+- create->result = find_task_by_pid_ns(pid, &init_pid_ns);
+- read_unlock(&tasklist_lock);
++
++ if (IS_ERR(create->result))
++ goto end;
++
+ /*
+ * root may have changed our (kthreadd's) priority or CPU mask.
+ * The kernel thread should not inherit these properties.
+@@ -108,11 +123,12 @@ static void create_kthread(struct kthread_create_info *create)
+ set_user_nice(create->result, KTHREAD_NICE_LEVEL);
+ set_cpus_allowed(create->result, CPU_MASK_ALL);
+ }
++end:
+ complete(&create->done);
+ }
+
+ /**
+- * kthread_create - create a kthread.
++ * kthread_create_ve - create a kthread.
+ * @threadfn: the function to run until signal_pending(current).
+ * @data: data ptr for @threadfn.
+ * @namefmt: printf-style name for the thread.
+@@ -130,7 +146,8 @@ static void create_kthread(struct kthread_create_info *create)
+ *
+ * Returns a task_struct or ERR_PTR(-ENOMEM).
+ */
+-struct task_struct *kthread_create(int (*threadfn)(void *data),
++struct task_struct *kthread_create_ve(struct ve_struct *ve,
++ int (*threadfn)(void *data),
+ void *data,
+ const char namefmt[],
+ ...)
+@@ -139,6 +156,7 @@ struct task_struct *kthread_create(int (*threadfn)(void *data),
+
+ create.threadfn = threadfn;
+ create.data = data;
++ create.ve = ve;
+ init_completion(&create.started);
+ init_completion(&create.done);
+
+@@ -158,7 +176,7 @@ struct task_struct *kthread_create(int (*threadfn)(void *data),
+ }
+ return create.result;
+ }
+-EXPORT_SYMBOL(kthread_create);
++EXPORT_SYMBOL(kthread_create_ve);
+
+ /**
+ * kthread_bind - bind a just-created kthread to a cpu.
+--
+1.6.2
+
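Review bot: In `kthread()` a request for a VE other than ve0 hits `BUG()` when `do_ve_enter_hook` is NULL, which takes the whole machine down where an error return would do. The hook is also read twice, once for the test and once for the call, so a concurrent clear in `vecalls_exit()` could land between the two. Reading the hook once into a local and failing the creation with an error covers both, as sketched below; the error value is my choice. The kernel-doc for `kthread_create_ve()` also still lacks an `@ve:` line and still promises only `ERR_PTR(-ENOMEM)`, although the hook's error is now returned too. `kthread()` starts before and continues after the hunk.

```c
	/* … unchanged: local declarations (threadfn, data, ret) … */
	if (create->ve != get_ve0()) {
		/* Read the hook once so the test and the call agree. */
		int (*enter)(struct ve_struct *, unsigned int) = do_ve_enter_hook;

		ret = enter ? enter(create->ve, 0) : -ENOSYS;
		if (ret < 0) {
			create->result = ERR_PTR(ret);
			complete(&create->started);
			return ret;
		}
	}

	create->result = current;
	/* … unchanged: copy threadfn/data, signal started, run threadfn … */
```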
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0060-nfs-use-kthread_run_ve-to-start-lockd.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0060-nfs-use-kthread_run_ve-to-start-lockd.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,32 @@
+From ba0ce90476e6267f6c035f9c9ef7c45d6195ec6e Mon Sep 17 00:00:00 2001
+From: Vitaliy Gusev <vgusev at openvz.org>
+Date: Tue, 13 Jan 2009 18:23:56 +0300
+Subject: [PATCH] nfs: use kthread_run_ve to start lockd
+
+Lockd is virtualized, so must be created in VE context.
+The reason it worked before (in 2.6.18 kernel for example) is that lockd is
+rewritten to use new kthread API, which was not capable for creating threads
+in containers.
+
+Signed-off-by: Vitaliy Gusev <vgusev at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ fs/lockd/svc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
+index f9f02fc..50b29d5 100644
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -307,7 +307,7 @@ lockd_up(int proto) /* Maybe add a 'family' option when IPv6 is supported ?? */
+ svc_sock_update_bufs(serv);
+ nlmsvc_serv = rqstp->rq_server;
+
+- nlmsvc_task = kthread_run(lockd, rqstp, serv->sv_name);
++ nlmsvc_task = kthread_run_ve(get_exec_env(), lockd, rqstp, serv->sv_name);
+ if (IS_ERR(nlmsvc_task)) {
+ error = PTR_ERR(nlmsvc_task);
+ nlmsvc_task = NULL;
+--
+1.6.0.6
+
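Review bot: `serv->sv_name` is passed in the `namefmt` position of `kthread_run_ve()`, so it is interpreted as a printf-style format. The name is presumably a fixed service string, but passing it as data is the safer habit: `nlmsvc_task = kthread_run_ve(get_exec_env(), lockd, rqstp, "%s", serv->sv_name);`. `lockd_up()` starts and ends outside the hunk.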
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0072-pidns-lost-task-debug-print-uses-wrong-prototype.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0072-pidns-lost-task-debug-print-uses-wrong-prototype.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,40 @@
+From 672ab37bb2f8f821cb8f63d59f1a19f7e389296b Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Date: Tue, 10 Mar 2009 14:27:17 +0300
+Subject: [PATCH] pidns: lost task debug print uses wrong prototype
+
+Print most interesting fields manually.
+
+http://bugzilla.openvz.org/show_bug.cgi?id=1181
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ kernel/pid_namespace.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 1445b22..4aee3b9 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -250,13 +250,10 @@ EXPORT_SYMBOL_GPL(pid_ns_attach_init);
+ #ifdef CONFIG_VE
+ static noinline void show_lost_task(struct task_struct *p)
+ {
+- char buf[512] = "N/A";
+-#ifdef CONFIG_PROC_FS
+- extern char * task_sig(struct task_struct *p, char *buffer);
+-
+- task_sig(p, buf);
+-#endif
+- printk("Lost task: %d/%s/%p\nSignals:%s\n", p->pid, p->comm, p, buf);
++ printk("Lost task: %d/%s/%p blocked: %lx pending: %lx\n",
++ p->pid, p->comm, p,
++ p->blocked.sig[0],
++ p->pending.signal.sig[0]);
+ }
+
+ static void zap_ve_processes(struct ve_struct *env)
+--
+1.6.2
+
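Review bot: The replacement `printk()` in `show_lost_task()` prints only `sig[0]` of the blocked and pending sets, so on configurations where a sigset spans more than one word the higher-numbered signals are silently missing from the report, and the message has no log level. If the truncation is intended, say so in a comment such as `/* first sigset word only */`; a level would be `printk(KERN_WARNING "Lost task: ...`. The line also keeps logging the raw `task_struct` address via `%p`, which is worth a second look if the kernel log is readable from inside a VE.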
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0073-pidns-zap-ve-process-only-when-killing-ve-s-init-pi.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0073-pidns-zap-ve-process-only-when-killing-ve-s-init-pi.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,31 @@
+From d876c93aa8cbd06f47e3669f5d8fcec1afc77ed4 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Date: Tue, 10 Mar 2009 14:31:18 +0300
+Subject: [PATCH] pidns: zap ve process only when killing ve's init pid-ns
+
+This prevents task genocide when zapping nested pid-ns in same ve,
+and affects ve0 only.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ kernel/pid_namespace.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 4aee3b9..12f679e 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -339,7 +339,8 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns)
+
+
+ #ifdef CONFIG_VE
+- zap_ve_processes(get_exec_env());
++ if (get_exec_env()->ve_ns->pid_ns == pid_ns)
++ zap_ve_processes(get_exec_env());
+ #endif
+ /* Child reaper for the pid namespace is going away */
+ pid_ns->child_reaper = NULL;
+--
+1.6.2
+
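Review bot: The new condition dereferences `get_exec_env()->ve_ns->pid_ns` without checking `ve_ns`, and the hunk does not show whether `ve_ns` is guaranteed to be set whenever `zap_pid_ns_processes()` runs, for instance late in VE teardown. `get_exec_env()` is also evaluated twice; taking it once into a local (`struct ve_struct *env = get_exec_env();`) makes clear that the test and the call refer to the same VE. A one-line comment such as `/* only the VE's own init pid-ns takes the whole VE down */` would record why nested namespaces are skipped. The function starts and ends outside the hunk.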
Added: dists/lenny/linux-2.6/debian/patches/features/all/openvz/0075-bc-fix-permissions-on-proc-bc.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/0075-bc-fix-permissions-on-proc-bc.patch Sun Mar 22 21:13:00 2009
@@ -0,0 +1,50 @@
+From 9abe1a6ca0895bfdee9b7c4c7114c10c65631160 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov at openvz.org>
+Date: Wed, 18 Mar 2009 18:48:33 +0300
+Subject: [PATCH] bc: fix permissions on /proc/bc
+
+The reading of /proc/bc/* is permitted for those only who
+has CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH attributes
+set. We should not point files as "group" or "other"
+readable/executable since they are not.
+
+Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
+Signed-off-by: Pavel Emelyanov <xemul at openvz.org>
+---
+ kernel/bc/proc.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bc/proc.c b/kernel/bc/proc.c
+index c78d744..b3d7178 100644
+--- a/kernel/bc/proc.c
++++ b/kernel/bc/proc.c
+@@ -423,7 +423,7 @@ static int bc_lookset(struct inode *ino, void *data)
+ ino->i_ino = bc_make_ino(ub);
+ ino->i_fop = &bc_entry_fops;
+ ino->i_op = &bc_entry_iops;
+- ino->i_mode = S_IFDIR | S_IRUSR | S_IXUGO;
++ ino->i_mode = S_IFDIR | S_IRUSR | S_IXUSR;
+ /* subbeancounters are not included, but who cares? */
+ ino->i_nlink = num_entries + 2;
+ ino->i_gid = 0;
+@@ -661,7 +661,7 @@ static int __init ub_init_proc(void)
+ struct proc_dir_entry *entry;
+
+ bc_proc_root = create_proc_entry("bc",
+- S_IFDIR | S_IRUGO | S_IXUGO, NULL);
++ S_IFDIR | S_IRUSR | S_IXUSR, NULL);
+ if (bc_proc_root == NULL)
+ panic("Can't create /proc/bc entry");
+
+@@ -675,7 +675,7 @@ static int __init ub_init_proc(void)
+ bc_register_proc_root_entry(&bc_all_resources_entry);
+
+ entry = proc_create("user_beancounters",
+- S_IRUGO, &glob_proc_root, &ub_file_operations);
++ S_IRUSR, &glob_proc_root, &ub_file_operations);
+ return 0;
+ }
+
+--
+1.6.2
+
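Review bot: In `ub_init_proc()` the result of `proc_create("user_beancounters", S_IRUSR, ...)` is stored in `entry` and never checked before `return 0`, whereas a failed `create_proc_entry("bc", ...)` a few lines earlier panics; a failure here leaves the file missing with no trace. Something like `if (entry == NULL) printk(KERN_WARNING "Can't create user_beancounters proc entry\n");` would make it visible. Per the description the mode bits only mirror a capability check made elsewhere, so a comment next to the new modes saying that access is really decided by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH would stop a later reader from treating them as the access control.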
Modified: dists/lenny/linux-2.6/debian/patches/series/14-extra
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/14-extra (original)
+++ dists/lenny/linux-2.6/debian/patches/series/14-extra Sun Mar 22 21:13:00 2009
@@ -38,3 +38,13 @@
+ features/all/openvz/0046-netns-enable-cross-ve-Unix-sockets.patch featureset=openvz
+ features/all/openvz/0047-netfilter-Fix-NULL-dereference-in-nf_nat_setup_info.patch featureset=openvz
+ features/all/openvz/0048-netfilter-Add-check-to-the-nat-hooks.patch featureset=openvz
++ features/all/openvz/0050-nfs-Fix-access-to-freed-memory.patch featureset=openvz
++ features/all/openvz/0051-NFS-NFS-super-blocks-in-different-VEs-should-be-dif.patch featureset=openvz
++ features/all/openvz/0054-ve-sanitize-capability-checks-for-namespaces-creati.patch featureset=openvz
++ features/all/openvz/0056-nfs-Fix-nfs_match_client.patch featureset=openvz
++ features/all/openvz/0057-Add-do_ve_enter_hook.patch featureset=openvz
++ features/all/openvz/0058-Add-kthread_create_ve-and-kthread_run_ve-functio.patch featureset=openvz
++ features/all/openvz/0060-nfs-use-kthread_run_ve-to-start-lockd.patch featureset=openvz
++ features/all/openvz/0072-pidns-lost-task-debug-print-uses-wrong-prototype.patch featureset=openvz
++ features/all/openvz/0073-pidns-zap-ve-process-only-when-killing-ve-s-init-pi.patch featureset=openvz
++ features/all/openvz/0075-bc-fix-permissions-on-proc-bc.patch featureset=openvz