[kernel] r15342 - in dists/lenny/linux-2.6: . debian debian/config debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/features/all/xen debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Mar 9 16:51:41 UTC 2010
Author: dannf
Date: Tue Mar 9 16:51:40 2010
New Revision: 15342
Log:
merge 2.6.26-21lenny4
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch
dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch
dists/lenny/linux-2.6/debian/patches/series/21lenny4
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4
dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra
- copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/config/defines
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Tue Mar 9 16:46:00 2010 (r15341)
+++ dists/lenny/linux-2.6/debian/changelog Tue Mar 9 16:51:40 2010 (r15342)
@@ -51,6 +51,23 @@
-- maximilian attems <maks at debian.org> Mon, 28 Dec 2009 23:44:19 +0100
+linux-2.6 (2.6.26-21lenny4) stable-security; urgency=high
+
+ [ dann frazier ]
+ * futex: Handle user space corruption gracefully (CVE-2010-0622)
+ * mmap: cleanup compiler warnings from CVE-2010-0291 fixes
+ * x86: set_personality_ia32() misses force_personality32, an additional
+ fix for CVE-2010-0307
+ * Replace fix for CVE-2009-2691 w/ upstreamed version (Closes: #570554)
+ * uvesafb/connector: prevent unprivileged users from sending netlink packets
+ (CVE-2009-3725)
+
+ [ Ben Hutchings ]
+ * [xen][i386] Fix kernel logging via userspace (Closes: #568561)
+ (regression due to fix for #510478)
+
+ -- dann frazier <dannf at debian.org> Tue, 09 Mar 2010 09:34:37 -0700
+
linux-2.6 (2.6.26-21lenny3) stable-security; urgency=high
* Additional fixes for CVE-2010-0307
Modified: dists/lenny/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny/linux-2.6/debian/config/defines Tue Mar 9 16:46:00 2010 (r15341)
+++ dists/lenny/linux-2.6/debian/config/defines Tue Mar 9 16:51:40 2010 (r15342)
@@ -1,6 +1,6 @@
[abi]
abiname: 2
-ignore-changes: gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
+ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
[base]
arches:
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch)
@@ -0,0 +1,99 @@
+From 8b52ce7ee12f81e584405185bf60ff859fce74e5 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:18:08 -0700
+Subject: [PATCH 1/4] add 2.6.31.5/connector-keep-the-skb-in-cn_callback_data.patch
+
+---
+ drivers/connector/cn_queue.c | 3 ++-
+ drivers/connector/connector.c | 11 +++++------
+ include/linux/connector.h | 6 +++---
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index b6fe7e7..e3cf1d9 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -36,8 +36,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ struct cn_callback_entry *cbq =
+ container_of(work, struct cn_callback_entry, work);
+ struct cn_callback_data *d = &cbq->data;
++ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
+
+- d->callback(d->callback_priv);
++ d->callback(msg);
+
+ d->destruct_data(d->ddata);
+ d->ddata = NULL;
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1d65184..f101295 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,10 +118,11 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+ * Callback helper - queues work and setup destructor for given data.
+ */
+-static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
+ {
+ struct cn_callback_entry *__cbq, *__new_cbq;
+ struct cn_dev *dev = &cdev;
++ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(skb));
+ int err = -ENODEV;
+
+ spin_lock_bh(&dev->cbdev->queue_lock);
+@@ -129,7 +130,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ if (likely(!work_pending(&__cbq->work) &&
+ __cbq->data.ddata == NULL)) {
+- __cbq->data.callback_priv = msg;
++ __cbq->data.skb = skb;
+
+ __cbq->data.ddata = data;
+ __cbq->data.destruct_data = destruct_data;
+@@ -146,7 +147,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ __new_cbq = kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC);
+ if (__new_cbq) {
+ d = &__new_cbq->data;
+- d->callback_priv = msg;
++ d->skb = skb;
+ d->callback = __cbq->data.callback;
+ d->ddata = data;
+ d->destruct_data = destruct_data;
+@@ -179,7 +180,6 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ */
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+- struct cn_msg *msg;
+ struct nlmsghdr *nlh;
+ int err;
+ struct sk_buff *skb;
+@@ -196,8 +196,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ return;
+ }
+
+- msg = NLMSG_DATA(nlh);
+- err = cn_call_callback(msg, (void (*)(void *))kfree_skb, skb);
++ err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
+ if (err < 0)
+ kfree_skb(skb);
+ }
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 26502da..7552837 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -96,9 +96,9 @@ struct cn_callback_id {
+ struct cn_callback_data {
+ void (*destruct_data) (void *);
+ void *ddata;
+-
+- void *callback_priv;
+- void (*callback) (void *);
++
++ struct sk_buff *skb;
++ void (*callback) (struct cn_msg *);
+
+ void *free;
+ };
+--
+1.7.0
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch)
@@ -0,0 +1,189 @@
+From d21956a7f9f7843b9050d3455a0cc9c93c6fa5ee Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:19:29 -0700
+Subject: [PATCH 2/4] add 2.6.31.5/connector-provide-the-sender-s-credentials-to-the-callback.patch
+
+---
+ Documentation/connector/cn_test.c | 4 +---
+ Documentation/connector/connector.txt | 8 ++++----
+ drivers/connector/cn_proc.c | 3 +--
+ drivers/connector/cn_queue.c | 10 +++++++---
+ drivers/connector/connector.c | 3 ++-
+ drivers/video/uvesafb.c | 3 +--
+ drivers/w1/w1_netlink.c | 3 +--
+ include/linux/connector.h | 6 +++---
+ 8 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/Documentation/connector/cn_test.c b/Documentation/connector/cn_test.c
+index be7af14..a7d46cb 100644
+--- a/Documentation/connector/cn_test.c
++++ b/Documentation/connector/cn_test.c
+@@ -32,10 +32,8 @@ static char cn_test_name[] = "cn_test";
+ static struct sock *nls;
+ static struct timer_list cn_test_timer;
+
+-void cn_test_callback(void *data)
++static void cn_test_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = (struct cn_msg *)data;
+-
+ printk("%s: %lu: idx=%x, val=%x, seq=%u, ack=%u, len=%d: %s.\n",
+ __func__, jiffies, msg->id.idx, msg->id.val,
+ msg->seq, msg->ack, msg->len, (char *)msg->data);
+diff --git a/Documentation/connector/connector.txt b/Documentation/connector/connector.txt
+index ad6e0ba..3e6dcc7 100644
+--- a/Documentation/connector/connector.txt
++++ b/Documentation/connector/connector.txt
+@@ -23,7 +23,7 @@ handling... Connector allows any kernelspace agents to use netlink
+ based networking for inter-process communication in a significantly
+ easier way:
+
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_netlink_send(struct cn_msg *msg, u32 __group, int gfp_mask);
+
+ struct cb_id
+@@ -53,15 +53,15 @@ struct cn_msg
+ Connector interfaces.
+ /*****************************************/
+
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+
+ Registers new callback with connector core.
+
+ struct cb_id *id - unique connector's user identifier.
+ It must be registered in connector.h for legal in-kernel users.
+ char *name - connector's callback symbolic name.
+-void (*callback) (void *) - connector's callback.
+- Argument must be dereferenced to struct cn_msg *.
++void (*callback) (struct cn..) - connector's callback.
++ cn_msg and the sender's credentials
+
+ void cn_del_callback(struct cb_id *id);
+
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 5c9f67f..e5ed75d 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -196,9 +196,8 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ * cn_proc_mcast_ctl
+ * @data: message sent from userspace via the connector
+ */
+-static void cn_proc_mcast_ctl(void *data)
++static void cn_proc_mcast_ctl(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ enum proc_cn_mcast_op *mc_op = NULL;
+ int err = 0;
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index e3cf1d9..989c1bd 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -37,8 +37,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ container_of(work, struct cn_callback_entry, work);
+ struct cn_callback_data *d = &cbq->data;
+ struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
++ struct netlink_skb_parms *nsp = &NETLINK_CB(d->skb);
+
+- d->callback(msg);
++ d->callback(msg, nsp);
+
+ d->destruct_data(d->ddata);
+ d->ddata = NULL;
+@@ -46,7 +47,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ kfree(d->free);
+ }
+
+-static struct cn_callback_entry *cn_queue_alloc_callback_entry(char *name, struct cb_id *id, void (*callback)(void *))
++static struct cn_callback_entry *
++cn_queue_alloc_callback_entry(char *name, struct cb_id *id,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ struct cn_callback_entry *cbq;
+
+@@ -76,7 +79,8 @@ int cn_cb_equal(struct cb_id *i1, struct cb_id *i2)
+ return ((i1->idx == i2->idx) && (i1->val == i2->val));
+ }
+
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *))
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ struct cn_callback_entry *cbq, *__cbq;
+ int found = 0;
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index f101295..1e8cd67 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -208,7 +208,8 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ *
+ * May sleep.
+ */
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
++int cn_add_callback(struct cb_id *id, char *name,
++ void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ int err;
+ struct cn_dev *dev = &cdev;
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index cdbb56e..e945b64 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -66,9 +66,8 @@ static DEFINE_MUTEX(uvfb_lock);
+ * find the kernel part of the task struct, copy the registers and
+ * the buffer contents and then complete the task.
+ */
+-static void uvesafb_cn_callback(void *data)
++static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ struct uvesafb_task *utask;
+ struct uvesafb_ktask *task;
+
+diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
+index 65c5ebd..7ad099c 100644
+--- a/drivers/w1/w1_netlink.c
++++ b/drivers/w1/w1_netlink.c
+@@ -128,9 +128,8 @@ static int w1_process_command_slave(struct w1_slave *sl, struct cn_msg *msg,
+ return err;
+ }
+
+-static void w1_cn_callback(void *data)
++static void w1_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+- struct cn_msg *msg = data;
+ struct w1_netlink_msg *m = (struct w1_netlink_msg *)(msg + 1);
+ struct w1_netlink_cmd *cmd;
+ struct w1_slave *sl;
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 7552837..4a144f0 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -98,7 +98,7 @@ struct cn_callback_data {
+ void *ddata;
+
+ struct sk_buff *skb;
+- void (*callback) (struct cn_msg *);
++ void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+
+ void *free;
+ };
+@@ -124,11 +124,11 @@ struct cn_dev {
+ struct cn_queue_dev *cbdev;
+ };
+
+-int cn_add_callback(struct cb_id *, char *, void (*callback) (void *));
++int cn_add_callback(struct cb_id *, char *, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_del_callback(struct cb_id *);
+ int cn_netlink_send(struct cn_msg *, u32, gfp_t);
+
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *));
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(struct cn_msg *, struct netlink_skb_parms *));
+ void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id);
+
+ struct cn_queue_dev *cn_queue_alloc_dev(char *name, struct sock *);
+--
+1.7.0
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch)
@@ -0,0 +1,88 @@
+From 20a1c695fded8a81a3cbdaf8b8a3b01ff227ae54 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:21:25 -0700
+Subject: [PATCH 3/4] add 2.6.31.5/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
+
+---
+ drivers/connector/cn_queue.c | 4 ++--
+ drivers/connector/connector.c | 11 +++--------
+ include/linux/connector.h | 3 ---
+ 3 files changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index 989c1bd..54e12cf 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -41,8 +41,8 @@ void cn_queue_wrapper(struct work_struct *work)
+
+ d->callback(msg, nsp);
+
+- d->destruct_data(d->ddata);
+- d->ddata = NULL;
++ kfree_skb(d->skb);
++ d->skb = NULL;
+
+ kfree(d->free);
+ }
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1e8cd67..064b210 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,7 +118,7 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+ * Callback helper - queues work and setup destructor for given data.
+ */
+-static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb)
+ {
+ struct cn_callback_entry *__cbq, *__new_cbq;
+ struct cn_dev *dev = &cdev;
+@@ -129,12 +129,9 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ list_for_each_entry(__cbq, &dev->cbdev->queue_list, callback_entry) {
+ if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ if (likely(!work_pending(&__cbq->work) &&
+- __cbq->data.ddata == NULL)) {
++ __cbq->data.skb == NULL)) {
+ __cbq->data.skb = skb;
+
+- __cbq->data.ddata = data;
+- __cbq->data.destruct_data = destruct_data;
+-
+ if (queue_work(dev->cbdev->cn_queue,
+ &__cbq->work))
+ err = 0;
+@@ -149,8 +146,6 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ d = &__new_cbq->data;
+ d->skb = skb;
+ d->callback = __cbq->data.callback;
+- d->ddata = data;
+- d->destruct_data = destruct_data;
+ d->free = __new_cbq;
+
+ INIT_WORK(&__new_cbq->work,
+@@ -196,7 +191,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ return;
+ }
+
+- err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
++ err = cn_call_callback(skb);
+ if (err < 0)
+ kfree_skb(skb);
+ }
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 4a144f0..9e7ea3f 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -94,9 +94,6 @@ struct cn_callback_id {
+ };
+
+ struct cn_callback_data {
+- void (*destruct_data) (void *);
+- void *ddata;
+-
+ struct sk_buff *skb;
+ void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+
+--
+1.7.0
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch)
@@ -0,0 +1,30 @@
+commit 984ae3529bd00eaa1b6d62e404a5c64b14ac05ed
+Author: dann frazier <dannf at hp.com>
+Date: Thu Feb 11 17:07:25 2010 -0700
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ commit 51246bfd189064079c54421507236fd2723b18f3
+ Author: Thomas Gleixner <tglx at linutronix.de>
+ Date: Tue Feb 2 11:40:27 2010 +0100
+
+ futex: Handle user space corruption gracefully
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index ec84da5..a316902 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -630,6 +630,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
+ if (!pi_state)
+ return -EINVAL;
+
++ /*
++ * If current does not own the pi_state then the futex is
++ * inconsistent and user space fiddled with the futex value.
++ */
++ if (pi_state->owner != current)
++ return -EINVAL;
++
+ spin_lock(&pi_state->pi_mutex.wait_lock);
+ new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch)
@@ -0,0 +1,24 @@
+commit c134b8bf86cf38350a11f4cbebff5233344991cc
+Author: dann frazier <dannf at hp.com>
+Date: Mon Feb 15 12:54:04 2010 -0700
+
+ [Adjusted to apply to Debian's 2.6.26]
+ commit dfe195fb79e88c334481f1362fef52f6d2e30b2d
+ Author: Benny Halevy <bhalevy at panasas.com>
+ Date: Tue Aug 5 13:01:41 2008 -0700
+
+ mm: fix uninitialized variables for find_vma_prepare callers
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 16f8c3d..d2befc5 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -366,7 +366,7 @@ find_vma_prepare(struct mm_struct *mm, unsigned long addr,
+ if (vma_tmp->vm_end > addr) {
+ vma = vma_tmp;
+ if (vma_tmp->vm_start <= addr)
+- return vma;
++ break;
+ __rb_link = &__rb_parent->rb_left;
+ } else {
+ rb_prev = __rb_parent;
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch)
@@ -0,0 +1,65 @@
+commit b30527a4d924827faae5c2eda92d7ceaec41ae68
+Author: dann frazier <dannf at hp.com>
+Date: Sat Feb 20 12:21:38 2010 -0700
+
+ [Backported to Debian's 2.6.26]
+ commit 60634e4b830850bb38016f1e6a7a7358eba8118c
+ Author: Oleg Nesterov <oleg at redhat.com>
+ Date: Fri Jul 10 03:27:38 2009 +0200
+
+ mm_for_maps: shift down_read(mmap_sem) to the caller
+
+ commit 00f89d218523b9bf6b522349c039d5ac80aa536d upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 51e7188..2d6f1c4 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -245,9 +245,8 @@ static int check_mem_permission(struct task_struct *task)
+ struct mm_struct *mm_for_maps(struct task_struct *task)
+ {
+ struct mm_struct *mm = get_task_mm(task);
+- if (!mm)
+- return NULL;
+- if (mm != current->mm) {
++
++ if (mm && mm != current->mm) {
+ /*
+ * task->mm can be changed before security check,
+ * in that case we must notice the change after.
+@@ -255,10 +254,9 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ if (!ptrace_may_attach(task) ||
+ mm != task->mm) {
+ mmput(mm);
+- return NULL;
++ mm = NULL;
+ }
+ }
+- down_read(&mm->mmap_sem);
+ return mm;
+ }
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2bb6eb6..2819fcb 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ mm = mm_for_maps(priv->task);
+ if (!mm)
+ return NULL;
++ down_read(&mm->mmap_sem);
+
+ tail_vma = get_gate_vma(priv->task);
+ priv->tail_vma = tail_vma;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 4b4f9cc..5b4a574 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -137,6 +137,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ priv->task = NULL;
+ return NULL;
+ }
++ down_read(&mm->mmap_sem);
+
+ /* start from the Nth VMA */
+ for (vml = mm->context.vmlist; vml; vml = vml->next)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch)
@@ -0,0 +1,48 @@
+commit 19f0a28fc4adf05a06f47835ca4e2e33da2a321b
+Author: dann frazier <dannf at hp.com>
+Date: Sat Feb 20 12:20:50 2010 -0700
+
+ [Backported to Debian's 2.6.26]
+ commit a79c30e57c0eac03aae8be4649958f8592141d20
+ Author: Oleg Nesterov <oleg at redhat.com>
+ Date: Tue Jun 23 21:25:32 2009 +0200
+
+ mm_for_maps: simplify, use ptrace_may_access()
+
+ commit 13f0feafa6b8aead57a2a328e2fca6a5828bf286 upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 3b45537..51e7188 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -247,19 +247,19 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ return NULL;
++ if (mm != current->mm) {
++ /*
++ * task->mm can be changed before security check,
++ * in that case we must notice the change after.
++ */
++ if (!ptrace_may_attach(task) ||
++ mm != task->mm) {
++ mmput(mm);
++ return NULL;
++ }
++ }
+ down_read(&mm->mmap_sem);
+- task_lock(task);
+- if (task->mm != mm)
+- goto out;
+- if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+- goto out;
+- task_unlock(task);
+ return mm;
+-out:
+- task_unlock(task);
+- up_read(&mm->mmap_sem);
+- mmput(mm);
+- return NULL;
+ }
+
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch)
@@ -0,0 +1,26 @@
+From 4f232537fcb3301b102f022b3dee8e294b462773 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 19:47:12 -0700
+Subject: [PATCH 4/4] 2.6.31.5/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
+
+---
+ drivers/video/uvesafb.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index e945b64..b595d48 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -71,6 +71,9 @@ static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *ns
+ struct uvesafb_task *utask;
+ struct uvesafb_ktask *task;
+
++ if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
++ return;
++
+ if (msg->seq >= UVESAFB_TASKS_MAX)
+ return;
+
+--
+1.7.0
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch)
@@ -0,0 +1,25 @@
+[Adjusted to apply to Debian's 2.6.26]
+
+commit 1252f238db48ec419f40c1bdf30fda649860eed9
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Tue Feb 16 15:02:13 2010 +0100
+
+ x86: set_personality_ia32() misses force_personality32
+
+ 05d43ed8a "x86: get rid of the insane TIF_ABI_PENDING bit" forgot about
+ force_personality32. Fix.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/process_64.c linux-source-2.6.26/arch/x86/kernel/process_64.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/process_64.c 2010-02-10 01:11:15.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kernel/process_64.c 2010-02-17 21:29:14.000000000 -0700
+@@ -728,6 +728,7 @@ void set_personality_ia32(void)
+
+ /* Make sure to be in 32bit mode */
+ set_thread_flag(TIF_IA32);
++ current->personality |= force_personality32;
+
+ /* Prepare the first "return" to user space */
+ current_thread_info()->status |= TS_COMPAT;
Copied: dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch)
@@ -0,0 +1,11 @@
+diff -urpN a/arch/x86/kernel/process_64-xen.c b/arch/x86/kernel/process_64-xen.c
+--- a/arch/x86/kernel/process_64-xen.c 2010-02-17 21:42:34.000000000 -0700
++++ b/arch/x86/kernel/process_64-xen.c 2010-02-17 21:44:00.000000000 -0700
+@@ -779,6 +779,7 @@ void set_personality_ia32(void)
+
+ /* Make sure to be in 32bit mode */
+ set_thread_flag(TIF_IA32);
++ current->personality |= force_personality32;
+
+ /* Prepare the first "return" to user space */
+ current_thread_info()->status |= TS_COMPAT;
Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny4 (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny4 Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4)
@@ -0,0 +1,10 @@
++ bugfix/all/futex-handle-user-space-corruption-gracefully.patch
++ bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
++ bugfix/x86/set_personality_ia32-misses-force_personality32.patch
+- bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
++ bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
++ bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
++ bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
++ bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
++ bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
++ bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra Tue Mar 9 16:51:40 2010 (r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra)
@@ -0,0 +1,2 @@
++ features/all/xen/set_personality_ia32-misses-force_personality32.patch featureset=xen
++ features/all/xen/printk-robustify-printk-xen.patch featureset=xen
More information about the Kernel-svn-changes
mailing list