[kernel] r16216 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 29 18:38:34 UTC 2010
Author: dannf
Date: Sun Aug 29 18:38:31 2010
New Revision: 16216
Log:
merge 2.6.26-24lenny1
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch
dists/lenny/linux-2.6/debian/patches/series/24lenny1
- copied unchanged from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/series/24lenny1
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Sun Aug 29 18:34:16 2010 (r16215)
+++ dists/lenny/linux-2.6/debian/changelog Sun Aug 29 18:38:31 2010 (r16216)
@@ -12,6 +12,24 @@
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Jul 2010 01:36:02 +0100
+linux-2.6 (2.6.26-24lenny1) stable-security; urgency=high
+
+ * cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
+ * Fix race in tty_fasync() properly (CVE-2009-4895)
+ * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
+ * nfsd4: bug in read_buf (CVE-2010-2521)
+ * GFS2: rename causes kernel Oops (CVE-2010-2798)
+ * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
+ regression due to fix for CVE-2010-0307)
+ * can: add limit for nframes and clean up signed/unsigned variables
+ (CVE-REQUESTED)
+ * mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
+ * drm: stop information leak of old kernel stack (CVE-2010-2803)
+ * ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks}
+ (CVE-2010-3015)
+
+ -- dann frazier <dannf at debian.org> Wed, 18 Aug 2010 17:56:34 -0600
+
linux-2.6 (2.6.26-24) stable; urgency=high
[ Ben Hutchings ]
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch)
@@ -0,0 +1,143 @@
+commit fd30c766c0b61a2b947e80852ec1721febf1ad09
+Author: dann frazier <dannf at hp.com>
+Date: Wed Aug 11 18:17:16 2010 -0600
+
+ can: add limit for nframes and clean up signed/unsigned variables
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This patch adds a limit for nframes as the number of frames in TX_SETUP and
+ RX_SETUP are derived from a single byte multiplex value by default.
+ Use-cases that would require to send/filter more than 256 CAN frames should
+ be implemented in userspace for complexity reasons anyway.
+
+ Additionally the assignments of unsigned values from userspace to signed
+ values in kernelspace and vice versa are fixed by using unsigned values in
+ kernelspace consistently.
+
+ Signed-off-by: Oliver Hartkopp <socketcan at xxxxxxxxxxxx>
+ Reported-by: Ben Hawkes <hawkes at xxxxxxxxxx>
+ Acked-by: Urs Thuermann <urs.thuermann at xxxxxxxxxxxxx>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 72c2ce9..4d21e40 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -58,6 +58,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
+
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -85,15 +92,15 @@ struct bcm_op {
+ struct list_head list;
+ int ifindex;
+ canid_t can_id;
+- int flags;
++ u32 flags;
+ unsigned long frames_abs, frames_filtered;
+ struct timeval ival1, ival2;
+ struct hrtimer timer, thrtimer;
+ ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ int rx_ifindex;
+- int count;
+- int nframes;
+- int currframe;
++ u32 count;
++ u32 nframes;
++ u32 currframe;
+ struct can_frame *frames;
+ struct can_frame *last_frames;
+ struct can_frame sframe;
+@@ -172,7 +179,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ len += snprintf(page + len, PAGE_SIZE - len,
+ "rx_op: %03X %-5s ",
+ op->can_id, bcm_proc_getifname(op->ifindex));
+- len += snprintf(page + len, PAGE_SIZE - len, "[%d]%c ",
++ len += snprintf(page + len, PAGE_SIZE - len, "[%u]%c ",
+ op->nframes,
+ (op->flags & RX_CHECK_DLC)?'d':' ');
+ if (op->kt_ival1.tv64)
+@@ -206,7 +213,7 @@ static int bcm_read_proc(char *page, char **start, off_t off,
+ list_for_each_entry(op, &bo->tx_ops, list) {
+
+ len += snprintf(page + len, PAGE_SIZE - len,
+- "tx_op: %03X %s [%d] ",
++ "tx_op: %03X %s [%u] ",
+ op->can_id, bcm_proc_getifname(op->ifindex),
+ op->nframes);
+
+@@ -287,7 +294,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head,
+ struct can_frame *firstframe;
+ struct sockaddr_can *addr;
+ struct sock *sk = op->sk;
+- int datalen = head->nframes * CFSIZ;
++ unsigned int datalen = head->nframes * CFSIZ;
+ int err;
+
+ skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -465,7 +472,7 @@ static void bcm_rx_update_and_send(struct bcm_op *op,
+ * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+ * received data stored in op->last_frames[]
+ */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ struct can_frame *rxdata)
+ {
+ /*
+@@ -547,7 +554,7 @@ static int bcm_rx_thr_flush(struct bcm_op *op)
+ int updated = 0;
+
+ if (op->nframes > 1) {
+- int i;
++ unsigned int i;
+
+ /* for MUX filter we start at index 1 */
+ for (i = 1; i < op->nframes; i++) {
+@@ -596,7 +603,7 @@ static void bcm_rx_handler(struct sk_buff *skb, void *data)
+ {
+ struct bcm_op *op = (struct bcm_op *)data;
+ struct can_frame rxframe;
+- int i;
++ unsigned int i;
+
+ /* disable timeout */
+ hrtimer_cancel(&op->timer);
+@@ -798,14 +805,15 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ {
+ struct bcm_sock *bo = bcm_sk(sk);
+ struct bcm_op *op;
+- int i, err;
++ unsigned int i;
++ int err;
+
+ /* we need a real device to send frames */
+ if (!ifindex)
+ return -ENODEV;
+
+- /* we need at least one can_frame */
+- if (msg_head->nframes < 1)
++ /* check nframes boundaries - we need at least one can_frame */
++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
+ /* check the given can_id */
+@@ -965,6 +973,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ msg_head->nframes = 0;
+ }
+
++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */
++ if (msg_head->nframes > MAX_NFRAMES + 1)
++ return -EINVAL;
++
+ if ((msg_head->flags & RX_RTR_FRAME) &&
+ ((msg_head->nframes != 1) ||
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
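Review bot: The new bcm_rx_setup() guard `if (msg_head->nframes > MAX_NFRAMES + 1)` bounds nframes from above only, and this backport changes net/can/bcm.c alone — there is no hunk for include/linux/can/bcm.h, where struct bcm_msg_head is declared. If that header still declares nframes as a signed int in this tree (the upstream change also widened those fields to unsigned, which cannot be confirmed from the hunk), the comparison is signed, a negative nframes from userspace passes it, and it is later copied into the now-u32 op->nframes outside the hunk as a huge count. bcm_tx_setup()'s `nframes < 1` half of its check covers that case, but rx_setup has no equivalent, so either port the header change as well or compare as unsigned: `if ((u32)msg_head->nframes > MAX_NFRAMES + 1)`. Both bcm_tx_setup() and bcm_rx_setup() begin and end outside the hunks shown.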
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch)
@@ -0,0 +1,62 @@
+commit d6ade89ce3c3ee683d7dd4ab0ed080e66dda3a6f
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Wed Mar 31 12:00:03 2010 +0530
+
+ cifs: Fix a kernel BUG with remote OS/2 server (try #3)
+
+ While chasing a bug report involving a OS/2 server, I noticed the server sets
+ pSMBr->CountHigh to a incorrect value even in case of normal writes. This
+ results in 'nbytes' being computed wrongly and triggers a kernel BUG at
+ mm/filemap.c.
+
+ void iov_iter_advance(struct iov_iter *i, size_t bytes)
+ {
+ BUG_ON(i->count < bytes); <--- BUG here
+
+ Why the server is setting 'CountHigh' is not clear but only does so after
+ writing 64k bytes. Though this looks like the server bug, the client side
+ crash may not be acceptable.
+
+ The workaround is to mask off high 16 bits if the number of bytes written as
+ returned by the server is greater than the bytes requested by the client as
+ suggested by Jeff Layton.
+
+ CC: Stable <stable at kernel.org>
+ Reviewed-by: Jeff Layton <jlayton at samba.org>
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index aec7014..7a11be4 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -1620,6 +1620,14 @@ CIFSSMBWrite(const int xid, struct cifsTconInfo *tcon,
+ *nbytes = le16_to_cpu(pSMBr->CountHigh);
+ *nbytes = (*nbytes) << 16;
+ *nbytes += le16_to_cpu(pSMBr->Count);
++
++ /*
++ * Mask off high 16 bits when bytes written as returned by the
++ * server is greater than bytes requested by the client. Some
++ * OS/2 servers are known to set incorrect CountHigh values.
++ */
++ if (*nbytes > count)
++ *nbytes &= 0xFFFF;
+ }
+
+ cifs_buf_release(pSMB);
+@@ -1705,6 +1713,14 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
+ *nbytes = le16_to_cpu(pSMBr->CountHigh);
+ *nbytes = (*nbytes) << 16;
+ *nbytes += le16_to_cpu(pSMBr->Count);
++
++ /*
++ * Mask off high 16 bits when bytes written as returned by the
++ * server is greater than bytes requested by the client. OS/2
++ * servers are known to set incorrect CountHigh values.
++ */
++ if (*nbytes > count)
++ *nbytes &= 0xFFFF;
+ }
+
+ /* cifs_small_buf_release(pSMB); */ /* Freed earlier now in SendReceive2 */
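Review bot: The mask added after `*nbytes += le16_to_cpu(pSMBr->Count);` in CIFSSMBWrite() does not guarantee `*nbytes <= count` once it has run: it drops CountHigh, but a server whose low-order Count alone exceeds the requested `count` still hands back a byte count larger than the request, which is the same condition the commit message says trips the BUG_ON in iov_iter_advance(). A second check after the mask, either clamping (`if (*nbytes > count) *nbytes = count;`) or treating the response as a protocol error (e.g. returning -EIO), would close that gap. The identical hunk in CIFSSMBWrite2() has the same shape and needs the same treatment. Both functions start and end outside the hunks, so where `count` is validated earlier in them is not visible here.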
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch)
@@ -0,0 +1,30 @@
+non-critical issue, CVE-2010-2803
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees at ubuntu.com>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/drm/drm_drv.c b/drivers/char/drm/drm_drv.c
+index 5641387..87ba428 100644
+--- a/drivers/char/drm/drm_drv.c
++++ b/drivers/char/drm/drm_drv.c
+@@ -504,7 +504,9 @@ int drm_ioctl(struct inode *inode, struct file *filp,
+ retcode = -EFAULT;
+ goto err_i1;
+ }
+- }
++ } else
++ memset(kdata, 0, _IOC_SIZE(cmd));
++
+ retcode = func(dev, kdata, file_priv);
+
+ if ((retcode == 0) && (cmd & IOC_OUT)) {
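Review bot: The new `} else` at the end of the copy-in block in drm_ioctl() pairs an unbraced else with a braced if, which kernel coding style asks to avoid and which makes the lone `memset(kdata, 0, _IOC_SIZE(cmd));` easy to break when a second statement is added later. Brace it and state the reason in code, since the rationale (kdata is copied back to userspace under IOC_OUT, so any bytes the user did not supply would otherwise leak old kernel stack, per the commit message) currently lives only in the patch description: `} else { /* no IOC_IN: zero kdata so stale kernel memory cannot reach userspace via IOC_OUT */ memset(kdata, 0, _IOC_SIZE(cmd)); }`. drm_ioctl() starts and ends outside the hunk, so how kdata is allocated in this tree is not visible here.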
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
@@ -0,0 +1,63 @@
+From 7ad2dabd30866715de71b2d3f0be136c0a26b3bd Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 2 Feb 2010 12:37:44 -0800
+Subject: [PATCH] Fix 'flush_old_exec()/setup_new_exec()' split
+
+commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream.
+
+Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
+the function at the point of no return - ie right where there were no
+more error cases to check. That made sense from a technical standpoint,
+but when we then also combined it with the actual personality setting
+going in between flush_old_exec() and setup_new_exec(), it needs to be a
+bit more careful.
+
+In particular, we need to make sure that we really flush the old
+personality bits in the 'flush' stage, rather than later in the 'setup'
+stage, since otherwise we might be flushing the _new_ personality state
+that we're just setting up.
+
+So this moves the flags and personality flushing (and 'flush_thread()',
+which is the arch-specific function that generally resets lazy FP state
+etc) of the old process into flush_old_exec(), so that it doesn't affect
+any state that execve() is setting up for the new process environment.
+
+This was reported by Michal Simek as breaking his Microblaze qemu
+environment.
+
+Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
+Cc: Peter Anvin <hpa at zytor.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.26]
+---
+ fs/exec.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f12ede3..164ac13 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -967,6 +967,10 @@ int flush_old_exec(struct linux_binprm * bprm)
+ goto out;
+
+ bprm->mm = NULL; /* We're using it now */
++
++ current->flags &= ~PF_RANDOMIZE;
++ flush_thread();
++
+ return 0;
+
+ out:
+@@ -1003,9 +1007,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ tcomm[i] = '\0';
+ set_task_comm(current, tcomm);
+
+- current->flags &= ~PF_RANDOMIZE;
+- flush_thread();
+-
+ /* Set the new mm task size. We have to do that late because it may
+ * depend on TIF_32BIT which is only updated in flush_thread() on
+ * some architectures like powerpc
+--
+1.7.1
+
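Review bot: The comment left behind in setup_new_exec(), `/* Set the new mm task size. We have to do that late because it may depend on TIF_32BIT which is only updated in flush_thread() on some architectures like powerpc */`, is now stale: flush_thread() has been moved out of this function into flush_old_exec(), so "late" no longer describes an ordering inside setup_new_exec(). Reword it to name the new location, e.g. `/* Set the new mm task size. This must run after flush_thread(), now called from flush_old_exec(), because TIF_32BIT is only updated there on some architectures (e.g. powerpc). */`. Both hunks sit inside functions whose bodies start and end outside the patch.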
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch)
@@ -0,0 +1,87 @@
+From 7242d45aa2a0ec7bdaebf10ce2b1b72b6fcb42f2 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 3 Mar 2010 23:55:01 -0500
+Subject: [PATCH] ext4: consolidate in_range() definitions
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+There are duplicate macro definitions of in_range() in mballoc.h and
+balloc.c. This consolidates these two definitions into ext4.h, and
+changes extents.c to use in_range() as well.
+
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Cc: Andreas Dilger <adilger at sun.com>
+---
+ fs/ext4/balloc.c | 3 ---
+ fs/ext4/ext4.h | 3 +++
+ fs/ext4/extents.c | 4 ++--
+ fs/ext4/mballoc.h | 2 --
+ 4 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 9cc80b9..bd24882 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -195,9 +195,6 @@ unsigned ext4_init_block_bitmap(struct super_block *sb, struct buffer_head *bh,
+ * when a file system is mounted (see ext4_fill_super).
+ */
+
+-
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ /**
+ * ext4_get_group_desc() -- load group descriptor from disk
+ * @sb: super block
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 527aba6..f91d153 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1206,6 +1206,9 @@ extern int ext4_get_blocks_wrap(handle_t *handle, struct inode *inode,
+ sector_t block, unsigned long max_blocks,
+ struct buffer_head *bh, int create,
+ int extend_disksize);
++
++#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _EXT4_H */
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 47929c4..617b4a3 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1663,7 +1663,7 @@ ext4_ext_in_cache(struct inode *inode, ext4_lblk_t block,
+
+ BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP &&
+ cex->ec_type != EXT4_EXT_CACHE_EXTENT);
+- if (block >= cex->ec_block && block < cex->ec_block + cex->ec_len) {
++ if (in_range(block, cex->ec_block, cex->ec_len)) {
+ ex->ee_block = cpu_to_le32(cex->ec_block);
+ ext4_ext_store_pblock(ex, cex->ec_start);
+ ex->ee_len = cpu_to_le16(cex->ec_len);
+@@ -2590,7 +2590,7 @@ int ext4_ext_get_blocks(handle_t *handle, struct inode *inode,
+ */
+ ee_len = ext4_ext_get_actual_len(ex);
+ /* if found extent covers block, simply return it */
+- if (iblock >= ee_block && iblock < ee_block + ee_len) {
++ if (in_range(iblock, ee_block, ee_len)) {
+ newblock = iblock - ee_block + ee_start;
+ /* number of remaining blocks in the extent */
+ allocated = ee_len - (iblock - ee_block);
+diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
+index bfe6add..d85a92c 100644
+--- a/fs/ext4/mballoc.h
++++ b/fs/ext4/mballoc.h
+@@ -249,8 +249,6 @@ static inline void ext4_mb_store_history(struct ext4_allocation_context *ac)
+ static void ext4_mb_store_history(struct ext4_allocation_context *ac);
+ #endif
+
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ static struct proc_dir_entry *proc_root_ext4;
+ struct buffer_head *read_block_bitmap(struct super_block *, ext4_group_t);
+
+--
+1.7.1
+
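Review bot: The consolidated `in_range()` macro placed in ext4.h, `((b) >= (first) && (b) <= (first) + (len) - 1)`, avoids the `first + len` wrap that the replaced `block < cex->ec_block + cex->ec_len` style tests had, but it is wrong for `len == 0`: with an unsigned `first` of 0, `(first) + (len) - 1` wraps to the type's maximum and every block is reported in range. Whether a zero-length extent can reach ext4_ext_in_cache() or ext4_ext_get_blocks() (for instance from a corrupt on-disk ee_len) is not visible in this hunk, so treat this as hardening: `#define in_range(b, first, len) ((len) > 0 && (b) >= (first) && (b) - (first) < (len))` is free of wrap in both directions. The macro also evaluates each argument more than once, so callers should keep passing plain variables as the two converted call sites do.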
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/fix-race-in-tty_fasync-properly.patch)
@@ -0,0 +1,55 @@
+commit 769a693ecea9c4821b8fdb297b211d09740cc191
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sun Feb 7 10:11:23 2010 -0800
+
+ Fix race in tty_fasync() properly
+
+ This reverts commit 703625118069 ("tty: fix race in tty_fasync") and
+ commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/
+ restore") that tried to fix up some of the fallout but was incomplete.
+
+ It turns out that we really cannot hold 'tty->ctrl_lock' over calling
+ __f_setown, because not only did that cause problems with interrupt
+ disables (which the second commit fixed), it also causes a potential
+ ABBA deadlock due to lock ordering.
+
+ Thanks to Tetsuo Handa for following up on the issue, and running
+ lockdep to show the problem. It goes roughly like this:
+
+ - f_getown gets filp->f_owner.lock for reading without interrupts
+ disabled, so an interrupt that happens while that lock is held can
+ cause a lockdep chain from f_owner.lock -> sighand->siglock.
+
+ - at the same time, the tty->ctrl_lock -> f_owner.lock chain that
+ commit 703625118069 introduced, together with the pre-existing
+ sighand->siglock -> tty->ctrl_lock chain means that we have a lock
+ dependency the other way too.
+
+ So instead of extending tty->ctrl_lock over the whole __f_setown() call,
+ we now just take a reference to the 'pid' structure while holding the
+ lock, and then release it after having done the __f_setown. That still
+ guarantees that 'struct pid' won't go away from under us, which is all
+ we really ever needed.
+
+ Reported-and-tested-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+ Acked-by: Greg Kroah-Hartman <gregkh at suse.de>
+ Acked-by: Américo Wang <xiyou.wangcong at gmail.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Backported-to-Debian's-2.6.26-by: dann frazier <dannf at debian.org>
+
+diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+index 60b691e..ced3fab 100644
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -2911,8 +2911,10 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ pid = task_pid(current);
+ type = PIDTYPE_PID;
+ }
++ get_pid(pid);
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+ retval = __f_setown(filp, pid, type, 0);
++ put_pid(pid);
+ if (retval)
+ return retval;
+ } else {
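Review bot: The `get_pid(pid);` / `put_pid(pid);` pair added around `__f_setown()` in tty_fasync() carries no in-code explanation, and the reason (ctrl_lock is dropped before __f_setown(), so the struct pid needs its own reference to stay valid, while holding ctrl_lock across the call inverts the siglock ordering) lives only in the commit message. A one-line comment on the get_pid() line would stop a future reader from "simplifying" it away: `get_pid(pid); /* keep pid alive after ctrl_lock is dropped; ctrl_lock must not be held over __f_setown() (lock order) */`. The other assignment to pid in this function is outside the hunk, so whether pid can be NULL here (get_pid()/put_pid() tolerate NULL as far as I know) cannot be verified from the hunk. tty_fasync() starts and ends outside the hunk.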
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch)
@@ -0,0 +1,61 @@
+commit 85e1e2f8339ecb3329516f5dbd2ef98d012cf3be
+Author: Bob Peterson <rpeterso at redhat.com>
+Date: Wed Jul 14 18:12:26 2010 -0400
+
+ GFS2: rename causes kernel Oops
+
+ This patch fixes a kernel Oops in the GFS2 rename code.
+
+ The problem was in the way the gfs2 directory code was trying
+ to re-use sentinel directory entries.
+
+ In the failing case, gfs2's rename function was renaming a
+ file to another name that had the same non-trivial length.
+ The file being renamed happened to be the first directory
+ entry on the leaf block.
+
+ First, the rename code (gfs2_rename in ops_inode.c) found the
+ original directory entry and decided it could do its job by
+ simply replacing the directory entry with another. Therefore
+ it determined correctly that no block allocations were needed.
+
+ Next, the rename code deleted the old directory entry prior to
+ replacing it with the new name. Therefore, the soon-to-be
+ replaced directory entry was temporarily made into a directory
+ entry "sentinel" or a place holder at the start of a leaf block.
+
+ Lastly, it went to re-add the replacement directory entry in
+ that leaf block. However, when gfs2_dirent_find_space was
+ looking for space in the leaf block, it used the wrong value
+ for the sentinel. That threw off its calculations so later
+ it decides it can't really re-use the sentinel and therefore
+ must allocate a new leaf block. But because it previously decided
+ to re-use the directory entry, it didn't waste the time to
+ grab a new block allocation for the inode. Therefore, the
+ inode's i_alloc pointer was still NULL and it crashes trying to
+ reference it.
+
+ In the case of sentinel directory entries, the entire dirent is
+ reused, not just the "free space" portion of it, and therefore
+ the function gfs2_dirent_find_space should use the value 0
+ rather than GFS2_DIRENT_SIZE(0) for the actual dirent size.
+
+ Fixing this calculation enables the reproducer programs to work
+ properly.
+
+ Signed-off-by: Bob Peterson <rpeterso at redhat.com>
+ Signed-off-by: Steven Whitehouse <swhiteho at redhat.com>
+
+diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
+index eed040d..4c83653 100644
+--- a/fs/gfs2/dir.c
++++ b/fs/gfs2/dir.c
+@@ -393,7 +393,7 @@ static int gfs2_dirent_find_space(const struct gfs2_dirent *dent,
+ unsigned totlen = be16_to_cpu(dent->de_rec_len);
+
+ if (gfs2_dirent_sentinel(dent))
+- actual = GFS2_DIRENT_SIZE(0);
++ actual = 0;
+ if (totlen - actual >= required)
+ return 1;
+ return 0;
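Review bot: The change to `actual = 0;` in gfs2_dirent_find_space() encodes a non-obvious rule — a sentinel dirent is reused in its entirety, not just its free tail — that the code no longer hints at, because the old `GFS2_DIRENT_SIZE(0)` at least named what was being measured. Add the explanation from the commit message next to the assignment, e.g. `actual = 0; /* a sentinel is reused whole, so none of its record length counts as in use */`. Separately and pre-existing: `totlen - actual >= required` is an unsigned subtraction, so an `actual` larger than `totlen` (only possible from a corrupt de_rec_len, and this hunk cannot show whether that is validated earlier) would wrap and report free space; not introduced here, but worth a look while in the function. gfs2_dirent_find_space() begins outside the hunk, where `actual` is first computed.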
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch)
@@ -0,0 +1,28 @@
+commit 70b3fc3bb866f8d5f5a71d42ddb5486cbf89f2ed
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Aug 13 09:24:04 2010 -0700
+
+ mm: fix missing page table unmap for stack guard page failure case
+
+ .. which didn't show up in my tests because it's a no-op on x86-64 and
+ most other architectures. But we enter the function with the last-level
+ page table mapped, and should unmap it at exit.
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index a1a8e45..659776b 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2309,8 +2309,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ spinlock_t *ptl;
+ pte_t entry;
+
+- if (check_stack_guard_page(vma, address) < 0)
++ if (check_stack_guard_page(vma, address) < 0) {
++ pte_unmap(page_table);
+ return VM_FAULT_SIGBUS;
++ }
+
+ /* Allocate our own private page. */
+ pte_unmap(page_table);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch)
@@ -0,0 +1,58 @@
+commit 2972a92225fb59f0b02adbbd5c0f1f22c58a2adb
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat Aug 14 11:44:56 2010 -0700
+
+ mm: fix page table unmap for stack guard page properly
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ We do in fact need to unmap the page table _before_ doing the whole
+ stack guard page logic, because if it is needed (mainly 32-bit x86 with
+ PAE and CONFIG_HIGHPTE, but other architectures may use it too) then it
+ will do a kmap_atomic/kunmap_atomic.
+
+ And those kmaps will create an atomic region that we cannot do
+ allocations in. However, the whole stack expand code will need to do
+ anon_vma_prepare() and vma_lock_anon_vma() and they cannot do that in an
+ atomic region.
+
+ Now, a better model might actually be to do the anon_vma_prepare() when
+ _creating_ a VM_GROWSDOWN segment, and not have to worry about any of
+ this at page fault time. But in the meantime, this is the
+ straightforward fix for the issue.
+
+ See https://bugzilla.kernel.org/show_bug.cgi?id=16588 for details.
+
+ Reported-by: Wylda <wylda at volny.cz>
+ Reported-by: Sedat Dilek <sedat.dilek at gmail.com>
+ Reported-by: Mike Pagano <mpagano at gentoo.org>
+ Reported-by: François Valenduc <francois.valenduc at tvcablenet.be>
+ Tested-by: Ed Tomlinson <edt at aei.ca>
+ Cc: Pekka Enberg <penberg at kernel.org>
+ Cc: Greg KH <gregkh at suse.de>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index 659776b..12018e7 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2309,14 +2309,13 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ spinlock_t *ptl;
+ pte_t entry;
+
+- if (check_stack_guard_page(vma, address) < 0) {
+- pte_unmap(page_table);
++ pte_unmap(page_table);
++
++ /* Check if we need to add a guard page to the stack */
++ if (check_stack_guard_page(vma, address) < 0)
+ return VM_FAULT_SIGBUS;
+- }
+
+ /* Allocate our own private page. */
+- pte_unmap(page_table);
+-
+ if (unlikely(anon_vma_prepare(vma)))
+ goto oom;
+ page = alloc_zeroed_user_highpage_movable(vma, address);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch)
@@ -0,0 +1,78 @@
+From f863718750a155259bcccbf10b12d8282a0f538f Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Wed, 18 Aug 2010 17:04:23 -0600
+Subject: [PATCH 2/2] From: Linus Torvalds <torvalds at linux-foundation.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+commit d7824370e26325c881b665350ce64fb0a4fde24a upstream.
+
+This commit makes the stack guard page somewhat less visible to user
+space. It does this by:
+
+ - not showing the guard page in /proc/<pid>/maps
+
+ It looks like lvm-tools will actually read /proc/self/maps to figure
+ out where all its mappings are, and effectively do a specialized
+ "mlockall()" in user space. By not showing the guard page as part of
+ the mapping (by just adding PAGE_SIZE to the start for grows-up
+ pages), lvm-tools ends up not being aware of it.
+
+ - by also teaching the _real_ mlock() functionality not to try to lock
+ the guard page.
+
+ That would just expand the mapping down to create a new guard page,
+ so there really is no point in trying to lock it in place.
+
+It would perhaps be nice to show the guard page specially in
+/proc/<pid>/maps (or at least mark grow-down segments some way), but
+let's not open ourselves up to more breakage by user space from programs
+that depends on the exact deails of the 'maps' file.
+
+Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools
+source code to see what was going on with the whole new warning.
+
+[Note, for .27, only the /proc change is done, mlock is not modified
+here. - gregkh]
+
+Reported-and-tested-by: François Valenduc <francois.valenduc at tvcablenet.be
+Reported-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ fs/proc/task_mmu.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 0b2d836..1c0abfa 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -205,6 +205,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ struct file *file = vma->vm_file;
+ int flags = vma->vm_flags;
+ unsigned long ino = 0;
++ unsigned long start;
+ dev_t dev = 0;
+ int len;
+
+@@ -214,8 +215,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ ino = inode->i_ino;
+ }
+
++ /* We don't show the stack guard page in /proc/maps */
++ start = vma->vm_start;
++ if (vma->vm_flags & VM_GROWSDOWN)
++ start += PAGE_SIZE;
++
+ seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
+- vma->vm_start,
++ start,
+ vma->vm_end,
+ flags & VM_READ ? 'r' : '-',
+ flags & VM_WRITE ? 'w' : '-',
+--
+1.7.1
+
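Review bot: The `start += PAGE_SIZE` adjustment in show_map_vma is applied to every VM_GROWSDOWN vma whether or not a guard page actually exists below it, so a grows-down mapping whose expansion was refused (or a one-page stack vma, which then prints an empty range) is reported one page smaller than it is, and tools that read /proc/pid/maps for debugging, core dumping or forensics will miss that page. Since show_map_vma is also the helper show_smap calls (see the proc display patch earlier in this series), the smaps `Size:` line will disagree with the printed range by one page if it is still computed from vm_start outside this hunk — worth checking. The upstream message also describes an mlock() change, but this backport touches only fs/proc/task_mmu.c (the diffstat confirms it); the Debian backport note should say so, e.g. `[Only the /proc change is backported to 2.6.26; mm/mlock.c is not modified]`, so nobody assumes mlock skips the guard page on lenny. The Reported-and-tested-by trailer is also missing its closing `>`.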
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch)
@@ -0,0 +1,68 @@
+commit 43040e916a16cc8bc82722732c156cbf64991025
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Thu Aug 12 17:54:33 2010 -0700
+
+ mm: keep a guard page below a grow-down stack segment
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This is a rather minimally invasive patch to solve the problem of the
+ user stack growing into a memory mapped area below it. Whenever we fill
+ the first page of the stack segment, expand the segment down by one
+ page.
+
+ Now, admittedly some odd application might _want_ the stack to grow down
+ into the preceding memory mapping, and so we may at some point need to
+ make this a process tunable (some people might also want to have more
+ than a single page of guarding), but let's try the minimal approach
+ first.
+
+ Tested with trivial application that maps a single page just below the
+ stack, and then starts recursing. Without this, we will get a SIGSEGV
+ _after_ the stack has smashed the mapping. With this patch, we'll get a
+ nice SIGBUS just as the stack touches the page just above the mapping.
+
+ Requested-by: Keith Packard <keithp at keithp.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index 0755c52..a1a8e45 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2277,6 +2277,26 @@ out_nomap:
+ }
+
+ /*
++ * This is like a special single-page "expand_downwards()",
++ * except we must first make sure that 'address-PAGE_SIZE'
++ * doesn't hit another vma.
++ *
++ * The "find_vma()" will do the right thing even if we wrap
++ */
++static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
++{
++ address &= PAGE_MASK;
++ if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
++ address -= PAGE_SIZE;
++ if (find_vma(vma->vm_mm, address) != vma)
++ return -ENOMEM;
++
++ expand_stack(vma, address);
++ }
++ return 0;
++}
++
++/*
+ * We enter with non-exclusive mmap_sem (to exclude vma changes,
+ * but allow concurrent faults), and pte mapped but not yet locked.
+ * We return with mmap_sem still held, but pte unmapped and unlocked.
+@@ -2289,6 +2309,9 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ spinlock_t *ptl;
+ pte_t entry;
+
++ if (check_stack_guard_page(vma, address) < 0)
++ return VM_FAULT_SIGBUS;
++
+ /* Allocate our own private page. */
+ pte_unmap(page_table);
+
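Review bot: check_stack_guard_page discards the return value of `expand_stack(vma, address)`, so when the expansion is refused (for instance because the stack is at its RLIMIT_STACK limit or the accounting check fails) the function still returns 0 and do_anonymous_page goes on to populate the page at vm_start with no guard page established below it; anything mapped adjacent to the stack later is then reachable by a plain overflow, which is what this patch is meant to stop. Returning the result instead, `return expand_stack(vma, address);`, turns that case into VM_FAULT_SIGBUS (later upstream versions of this helper do return the expansion result, if I recall correctly); it kills a process at its stack limit one page earlier, so it is a judgement call for a stable branch but the safer default. Separately, the `find_vma(vma->vm_mm, address) != vma` test also fails when the stack vma has been split (e.g. by mprotect on part of the stack), because the neighbour ending at `address` is then the same grows-down stack and a legitimate access gets SIGBUS; accepting a neighbour that ends exactly at `address` and itself has VM_GROWSDOWN would avoid that regression. do_anonymous_page's body continues beyond the end of this hunk.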
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/mm-pass-correct-mm-when-growing-stack.patch)
@@ -0,0 +1,34 @@
+commit 9dac19431cfd8e5677b1e9ca43feba1ea59c40b4
+Author: Hugh Dickins <hugh at veritas.com>
+Date: Thu Apr 16 21:58:12 2009 +0100
+
+ mm: pass correct mm when growing stack
+
+ Tetsuo Handa reports seeing the WARN_ON(current->mm == NULL) in
+ security_vm_enough_memory(), when do_execve() is touching the
+ target mm's stack, to set up its args and environment.
+
+ Yes, a UMH_NO_WAIT or UMH_WAIT_PROC call_usermodehelper() spawns
+ an mm-less kernel thread to do the exec. And in any case, that
+ vm_enough_memory check when growing stack ought to be done on the
+ target mm, not on the execer's mm (though apart from the warning,
+ it only makes a slight tweak to OVERCOMMIT_NEVER behaviour).
+
+ Reported-by: Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp>
+ Signed-off-by: Hugh Dickins <hugh at veritas.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index be95d3b..497c9ed 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1563,7 +1563,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ * Overcommit.. This must be the final test, as it will
+ * update security statistics.
+ */
+- if (security_vm_enough_memory(grow))
++ if (security_vm_enough_memory_mm(mm, grow))
+ return -ENOMEM;
+
+ /* Ok, everything looks good - let it rip */
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch)
@@ -0,0 +1,53 @@
+commit 78137ed12e8b641b2e6ffb098b564139cd5b15a9
+Author: Neil Brown <neilb at suse.de>
+Date: Tue Apr 20 12:16:52 2010 +1000
+
+ nfsd4: bug in read_buf
+
+ When read_buf is called to move over to the next page in the pagelist
+ of an NFSv4 request, it sets argp->end to essentially a random
+ number, certainly not an address within the page which argp->p now
+ points to. So subsequent calls to READ_BUF will think there is much
+ more than a page of spare space (the cast to u32 ensures an unsigned
+ comparison) so we can expect to fall off the end of the second
+ page.
+
+ We never encountered thsi in testing because typically the only
+ operations which use more than two pages are write-like operations,
+ which have their own decoding logic. Something like a getattr after a
+ write may cross a page boundary, but it would be very unusual for it to
+ cross another boundary after that.
+
+ Cc: stable at kernel.org
+ Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index c513bbd..e09adb5 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -179,10 +179,10 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes)
+ argp->p = page_address(argp->pagelist[0]);
+ argp->pagelist++;
+ if (argp->pagelen < PAGE_SIZE) {
+- argp->end = p + (argp->pagelen>>2);
++ argp->end = argp->p + (argp->pagelen>>2);
+ argp->pagelen = 0;
+ } else {
+- argp->end = p + (PAGE_SIZE>>2);
++ argp->end = argp->p + (PAGE_SIZE>>2);
+ argp->pagelen -= PAGE_SIZE;
+ }
+ memcpy(((char*)p)+avail, argp->p, (nbytes - avail));
+@@ -1047,10 +1047,10 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
+ argp->p = page_address(argp->pagelist[0]);
+ argp->pagelist++;
+ if (argp->pagelen < PAGE_SIZE) {
+- argp->end = p + (argp->pagelen>>2);
++ argp->end = argp->p + (argp->pagelen>>2);
+ argp->pagelen = 0;
+ } else {
+- argp->end = p + (PAGE_SIZE>>2);
++ argp->end = argp->p + (PAGE_SIZE>>2);
+ argp->pagelen -= PAGE_SIZE;
+ }
+ }
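Review bot: The corrected page-advance sequence (set `argp->p`, bump `argp->pagelist`, recompute `argp->end` and `argp->pagelen`) is now maintained by hand in two places, read_buf and nfsd4_decode_compound, and this bug is exactly the kind of drift that duplication invites; moving it into one static helper that both call would make the next fix land in both callers at once. The helper is pure cursor bookkeeping and changes no behaviour. Both enclosing functions start and end outside this hunk.

```c
/* Step the XDR decode cursor to the next page of the request's pagelist. */
static void next_decode_page(struct nfsd4_compoundargs *argp)
{
	argp->p = page_address(argp->pagelist[0]);
	argp->pagelist++;
	if (argp->pagelen < PAGE_SIZE) {
		argp->end = argp->p + (argp->pagelen>>2);
		argp->pagelen = 0;
	} else {
		argp->end = argp->p + (PAGE_SIZE>>2);
		argp->pagelen -= PAGE_SIZE;
	}
}

/* … in read_buf and nfsd4_decode_compound the duplicated block becomes: */
	next_decode_page(argp);
```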
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch)
@@ -0,0 +1,127 @@
+commit ef3481c525adee77cb5f338ff23644a4fb71c427
+Author: dann frazier <dannf at hp.com>
+Date: Wed Aug 18 17:02:08 2010 -0600
+
+ [ backport of 7c88db0cb589df980acfb2f73c3595a0653004ec to 2.7.27.3 by Joe
+ Korty <joe.korty at ccur.com ]
+
+ [ backported to Debian's 2.6.26 by dann frazier <dannf at debian.org> ]
+
+ proc: fix vma display mismatch between /proc/pid/{maps,smaps}
+
+ Commit 4752c369789250eafcd7813e11c8fb689235b0d2 aka
+ "maps4: simplify interdependence of maps and smaps" broke /proc/pid/smaps,
+ causing it to display some vmas twice and other vmas not at all. For example:
+
+ grep .- /proc/1/smaps >/tmp/smaps; diff /proc/1/maps /tmp/smaps
+
+ 1 25d24
+ 2 < 7fd7e23aa000-7fd7e23ac000 rw-p 7fd7e23aa000 00:00 0
+ 3 28a28
+ 4 > ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
+
+ The bug has something to do with setting m->version before all the
+ seq_printf's have been performed. show_map was doing this correctly,
+ but show_smap was doing this in the middle of its seq_printf sequence.
+ This patch arranges things so that the setting of m->version in show_smap
+ is also done at the end of its seq_printf sequence.
+
+ Testing: in addition to the above grep test, for each process I summed
+ up the 'Rss' fields of /proc/pid/smaps and compared that to the 'VmRSS'
+ field of /proc/pid/status. All matched except for Xorg (which has a
+ /dev/mem mapping which Rss accounts for but VmRSS does not). This result
+ gives us some confidence that neither /proc/pid/maps nor /proc/pid/smaps
+ are any longer skipping or double-counting vmas.
+
+ Signed-off-by: Joe Korty <joe.korty at ccur.com>
+ Cc: Matt Mackall <mpm at selenic.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2819fcb..91ecd40 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -199,11 +199,8 @@ static int do_maps_open(struct inode *inode, struct file *file,
+ return ret;
+ }
+
+-static int show_map(struct seq_file *m, void *v)
++static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ {
+- struct proc_maps_private *priv = m->private;
+- struct task_struct *task = priv->task;
+- struct vm_area_struct *vma = v;
+ struct mm_struct *mm = vma->vm_mm;
+ struct file *file = vma->vm_file;
+ int flags = vma->vm_flags;
+@@ -211,9 +208,6 @@ static int show_map(struct seq_file *m, void *v)
+ dev_t dev = 0;
+ int len;
+
+- if (maps_protect && !ptrace_may_attach(task))
+- return -EACCES;
+-
+ if (file) {
+ struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
+ dev = inode->i_sb->s_dev;
+@@ -258,6 +252,18 @@ static int show_map(struct seq_file *m, void *v)
+ }
+ }
+ seq_putc(m, '\n');
++}
++
++static int show_map(struct seq_file *m, void *v)
++{
++ struct vm_area_struct *vma = v;
++ struct proc_maps_private *priv = m->private;
++ struct task_struct *task = priv->task;
++
++ if (maps_protect && !ptrace_may_attach(task))
++ return -EACCES;
++
++ show_map_vma(m, vma);
+
+ if (m->count < m->size) /* vma is copied successfully */
+ m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
+@@ -368,23 +374,25 @@ static int smaps_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
+
+ static int show_smap(struct seq_file *m, void *v)
+ {
++ struct proc_maps_private *priv = m->private;
++ struct task_struct *task = priv->task;
+ struct vm_area_struct *vma = v;
+ struct mem_size_stats mss;
+- int ret;
+ struct mm_walk smaps_walk = {
+ .pmd_entry = smaps_pte_range,
+ .mm = vma->vm_mm,
+ .private = &mss,
+ };
+
++ if (maps_protect && !ptrace_may_attach(task))
++ return -EACCES;
++
+ memset(&mss, 0, sizeof mss);
+ mss.vma = vma;
+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
+
+- ret = show_map(m, v);
+- if (ret)
+- return ret;
++ show_map_vma(m, vma);
+
+ seq_printf(m,
+ "Size: %8lu kB\n"
+@@ -406,7 +414,9 @@ static int show_smap(struct seq_file *m, void *v)
+ mss.referenced >> 10,
+ mss.swap >> 10);
+
+- return ret;
++ if (m->count < m->size) /* vma is copied successfully */
++ m->version = (vma != get_gate_vma(task)) ? vma->vm_start : 0;
++ return 0;
+ }
+
+ static const struct seq_operations proc_pid_smaps_op = {
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch)
@@ -0,0 +1,39 @@
+commit cd84df2d7a4a5d8a4245484f97cbc3526c377ba3
+Author: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+Date: Thu Jun 24 12:07:47 2010 +1000
+
+ xfs: prevent swapext from operating on write-only files
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This patch prevents user "foo" from using the SWAPEXT ioctl to swap
+ a write-only file owned by user "bar" into a file owned by "foo" and
+ subsequently reading it. It does so by checking that the file
+ descriptors passed to the ioctl are also opened for reading.
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ Reviewed-by: Christoph Hellwig <hch at lst.de>
+
+diff --git a/fs/xfs/xfs_dfrag.c b/fs/xfs/xfs_dfrag.c
+index 5f3647c..39c8805 100644
+--- a/fs/xfs/xfs_dfrag.c
++++ b/fs/xfs/xfs_dfrag.c
+@@ -74,7 +74,9 @@ xfs_swapext(
+ goto out_free_sxp;
+ }
+
+- if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) {
++ if (!(file->f_mode & FMODE_WRITE) ||
++ !(file->f_mode & FMODE_READ) ||
++ (file->f_flags & O_APPEND)) {
+ error = XFS_ERROR(EBADF);
+ goto out_put_file;
+ }
+@@ -86,6 +88,7 @@ xfs_swapext(
+ }
+
+ if (!(target_file->f_mode & FMODE_WRITE) ||
++ !(target_file->f_mode & FMODE_READ) ||
+ (target_file->f_flags & O_APPEND)) {
+ error = XFS_ERROR(EBADF);
+ goto out_put_target_file;
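Review bot: The new `FMODE_READ` tests on both descriptors carry no comment explaining why read access is required for what looks like a write operation, and that reason is the whole security property of the check: after the swap each inode holds the other's blocks, so whoever can read one file can read the other's former contents. A comment above the first test would stop the next person from "relaxing" it, e.g. `/* Both files must be readable as well as writable: the swap hands each inode the other's data, so a write-only fd to someone else's file could otherwise be read back through the target. */`, with a one-line pointer at the target_file check. These are per-descriptor mode checks rather than inode permission checks, which is the right level here provided both descriptors come from the ioctl argument rather than from the file the ioctl was issued on — the fget calls are outside this hunk, so that is inferred.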
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch)
@@ -0,0 +1,35 @@
+commit dd1a3004ef4eda44a464c36f88a52b58a6a55806
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Aug 13 09:49:20 2010 -0700
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ x86: don't send SIGBUS for kernel page faults
+
+ It's wrong for several reasons, but the most direct one is that the
+ fault may be for the stack accesses to set up a previous SIGBUS. When
+ we have a kernel exception, the kernel exception handler does all the
+ fixups, not some user-level signal handler.
+
+ Even apart from the nested SIGBUS issue, it's also wrong to give out
+ kernel fault addresses in the signal handler info block, or to send a
+ SIGBUS when a system call already returns EFAULT.
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 8bcb6f4..f48d1bc 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -896,8 +896,10 @@ do_sigbus:
+ up_read(&mm->mmap_sem);
+
+ /* Kernel mode? Handle exceptions or die */
+- if (!(error_code & PF_USER))
++ if (!(error_code & PF_USER)) {
+ goto no_context;
++ return;
++ }
+ #ifdef CONFIG_X86_32
+ /* User space => ok to do another page fault */
+ if (is_prefetch(regs, address, error_code))
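Review bot: The `return;` added after `goto no_context;` is unreachable — control has already left through the goto — so this backport does not change the 2.6.26 fault handler's behaviour at all. As far as I recall, upstream needed the return because later kernels had turned the label into a call, `no_context(regs, error_code, address);`, which comes back when an exception-table fixup succeeds; in this tree the kernel-mode case already jumps straight to the `no_context` label, so the problem described in the message (SIGBUS delivered for a kernel-mode fault, a nested SIGBUS during signal-frame setup, kernel fault addresses leaking into siginfo) does not appear to exist here, assuming the `no_context:` code outside this hunk is the usual one. Either drop the patch from the series or reduce it to the original `if (!(error_code & PF_USER)) goto no_context;` with a header note that 2.6.26 is unaffected, rather than shipping dead code that suggests a fix was applied. The guard-page VM_FAULT_SIGBUS path is arch-independent, so it would also be worth confirming that the other lenny architectures' do_sigbus paths route kernel-mode faults through exception fixup rather than force_sig.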
Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Sun Aug 29 18:34:16 2010 (r16215)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Sun Aug 29 18:38:31 2010 (r16216)
@@ -7875,9 +7875,9 @@
goto out;
- bprm->mm = NULL; /* We're using it now */
- return 0;
- out:
+ current->flags &= ~PF_RANDOMIZE;
+ flush_thread();
@@ -1275,6 +1303,10 @@ int do_execve(char * filename,
struct files_struct *displaced;
int retval;
@@ -67113,21 +67113,24 @@
unlock_page(page);
page_cache_release(page);
return ret;
-@@ -2288,10 +2370,14 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2308,6 +2390,7 @@ static int do_anonymous_page(struct mm_s
struct page *page;
spinlock_t *ptl;
pte_t entry;
+ struct page_beancounter *pbc;
- /* Allocate our own private page. */
pte_unmap(page_table);
+@@ -2315,6 +2398,9 @@ static int do_anonymous_page(struct mm_s
+ if (check_stack_guard_page(vma, address) < 0)
+ return VM_FAULT_SIGBUS;
+
+ if (unlikely(pb_alloc(&pbc)))
+ goto oom_nopb;
+
+ /* Allocate our own private page. */
if (unlikely(anon_vma_prepare(vma)))
goto oom;
- page = alloc_zeroed_user_highpage_movable(vma, address);
@@ -2311,11 +2397,14 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
inc_mm_counter(mm, anon_rss);
lru_cache_add_active(page);
@@ -67521,7 +67524,7 @@
if (charged)
vm_unacct_memory(charged);
return error;
-@@ -1554,12 +1596,16 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+@@ -1559,12 +1601,16 @@ static int acct_stack_growth(struct vm_a
if (is_hugepage_only_range(vma->vm_mm, new_start, size))
return -EFAULT;
@@ -67533,7 +67536,7 @@
* Overcommit.. This must be the final test, as it will
* update security statistics.
*/
- if (security_vm_enough_memory(grow))
+ if (security_vm_enough_memory_mm(mm, grow))
- return -ENOMEM;
+ goto fail_sec;
Modified: dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Sun Aug 29 18:34:16 2010 (r16215)
+++ dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Sun Aug 29 18:38:31 2010 (r16216)
@@ -25763,10 +25763,10 @@
mark_page_accessed(page);
lock_page(page);
delayacct_clear_flag(DELAYACCT_PF_SWAPIN);
-@@ -2292,6 +2300,8 @@ static int do_anonymous_page(struct mm_s
- /* Allocate our own private page. */
- pte_unmap(page_table);
+@@ -2316,6 +2324,8 @@ static int do_anonymous_page(struct mm_s
+ return VM_FAULT_SIGBUS;
+ /* Allocate our own private page. */
+ if (!vx_rss_avail(mm, 1))
+ goto oom;
if (unlikely(anon_vma_prepare(vma)))
Copied: dists/lenny/linux-2.6/debian/patches/series/24lenny1 (from r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/series/24lenny1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/24lenny1 Sun Aug 29 18:38:31 2010 (r16216, copy of r16215, releases/linux-2.6/2.6.26-24lenny1/debian/patches/series/24lenny1)
@@ -0,0 +1,16 @@
++ bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
++ bugfix/all/fix-race-in-tty_fasync-properly.patch
++ bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
++ bugfix/all/nfsd4-bug-in-read_buf.patch
++ bugfix/all/gfs2-rename-causes-kernel-oops.patch
++ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
++ bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
++ bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
++ bugfix/all/mm-fix-missing-page-table-unmap-for-stack-guard-page-failure-case.patch
++ bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch
++ bugfix/all/mm-pass-correct-mm-when-growing-stack.patch
++ bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
++ bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
++ bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
++ bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
++ bugfix/all/ext4-consolidate-in_range-definitions.patch