[kernel] r15342 - in dists/lenny/linux-2.6: . debian debian/config debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/features/all/xen debian/patches/series

Dann Frazier dannf at alioth.debian.org
Tue Mar 9 16:51:41 UTC 2010


Author: dannf
Date: Tue Mar  9 16:51:40 2010
New Revision: 15342

Log:
merge 2.6.26-21lenny4

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch
   dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch
   dists/lenny/linux-2.6/debian/patches/series/21lenny4
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4
   dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra
      - copied unchanged from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra
Modified:
   dists/lenny/linux-2.6/   (props changed)
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/config/defines

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Tue Mar  9 16:46:00 2010	(r15341)
+++ dists/lenny/linux-2.6/debian/changelog	Tue Mar  9 16:51:40 2010	(r15342)
@@ -51,6 +51,23 @@
 
  -- maximilian attems <maks at debian.org>  Mon, 28 Dec 2009 23:44:19 +0100
 
+linux-2.6 (2.6.26-21lenny4) stable-security; urgency=high
+
+  [ dann frazier ]
+  * futex: Handle user space corruption gracefully (CVE-2010-0622)
+  * mmap: cleanup compiler warnings from CVE-2010-0291 fixes
+  * x86: set_personality_ia32() misses force_personality32, an additional
+    fix for CVE-2010-0307
+  * Replace fix for CVE-2009-2691 w/ upstreamed version (Closes: #570554)
+  * uvesafb/connector: prevent unprivileged users from sending netlink packets
+    (CVE-2009-3725)
+  
+  [ Ben Hutchings ]
+  * [xen][i386] Fix kernel logging via userspace (Closes: #568561)
+    (regression due to fix for #510478)
+
+ -- dann frazier <dannf at debian.org>  Tue, 09 Mar 2010 09:34:37 -0700
+
 linux-2.6 (2.6.26-21lenny3) stable-security; urgency=high
 
   * Additional fixes for CVE-2010-0307

Modified: dists/lenny/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny/linux-2.6/debian/config/defines	Tue Mar  9 16:46:00 2010	(r15341)
+++ dists/lenny/linux-2.6/debian/config/defines	Tue Mar  9 16:51:40 2010	(r15342)
@@ -1,6 +1,6 @@
 [abi]
 abiname: 2
-ignore-changes: gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
+ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
 
 [base]
 arches:
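Review bot: adding cn_add_callback to ignore-changes while abiname stays at 2 hides a real prototype change from the ABI checker: the callback type goes from void (*)(void *) to void (*)(struct cn_msg *, struct netlink_skb_parms *). Any module built against the old headers that registers a connector callback would be invoked with a different argument list. The changelog entry for 2.6.26-21lenny4 should say that this ABI change is being ignored deliberately and why that is acceptable for a stable-security upload.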

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch)
@@ -0,0 +1,99 @@
+From 8b52ce7ee12f81e584405185bf60ff859fce74e5 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:18:08 -0700
+Subject: [PATCH 1/4] add 2.6.31.5/connector-keep-the-skb-in-cn_callback_data.patch
+
+---
+ drivers/connector/cn_queue.c  |    3 ++-
+ drivers/connector/connector.c |   11 +++++------
+ include/linux/connector.h     |    6 +++---
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index b6fe7e7..e3cf1d9 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -36,8 +36,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ 	struct cn_callback_entry *cbq =
+ 		container_of(work, struct cn_callback_entry, work);
+ 	struct cn_callback_data *d = &cbq->data;
++	struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
+ 
+-	d->callback(d->callback_priv);
++	d->callback(msg);
+ 
+ 	d->destruct_data(d->ddata);
+ 	d->ddata = NULL;
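Review bot: in cn_queue_wrapper() the skb is freed through d->destruct_data(d->ddata) and only d->ddata is reset, so d->skb keeps pointing at the freed buffer once this patch is applied on its own. The later patch in the series that replaces these lines with kfree_skb(d->skb); d->skb = NULL; closes that, but for a bisectable series this hunk should clear d->skb as well.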
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1d65184..f101295 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,10 +118,11 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+  * Callback helper - queues work and setup destructor for given data.
+  */
+-static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
+ {
+ 	struct cn_callback_entry *__cbq, *__new_cbq;
+ 	struct cn_dev *dev = &cdev;
++	struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(skb));
+ 	int err = -ENODEV;
+ 
+ 	spin_lock_bh(&dev->cbdev->queue_lock);
+@@ -129,7 +130,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ 		if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ 			if (likely(!work_pending(&__cbq->work) &&
+ 					__cbq->data.ddata == NULL)) {
+-				__cbq->data.callback_priv = msg;
++				__cbq->data.skb = skb;
+ 
+ 				__cbq->data.ddata = data;
+ 				__cbq->data.destruct_data = destruct_data;
+@@ -146,7 +147,7 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+ 				__new_cbq = kzalloc(sizeof(struct cn_callback_entry), GFP_ATOMIC);
+ 				if (__new_cbq) {
+ 					d = &__new_cbq->data;
+-					d->callback_priv = msg;
++					d->skb = skb;
+ 					d->callback = __cbq->data.callback;
+ 					d->ddata = data;
+ 					d->destruct_data = destruct_data;
+@@ -179,7 +180,6 @@ static int cn_call_callback(struct cn_msg *msg, void (*destruct_data)(void *), v
+  */
+ static void cn_rx_skb(struct sk_buff *__skb)
+ {
+-	struct cn_msg *msg;
+ 	struct nlmsghdr *nlh;
+ 	int err;
+ 	struct sk_buff *skb;
+@@ -196,8 +196,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ 			return;
+ 		}
+ 
+-		msg = NLMSG_DATA(nlh);
+-		err = cn_call_callback(msg, (void (*)(void *))kfree_skb, skb);
++		err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
+ 		if (err < 0)
+ 			kfree_skb(skb);
+ 	}
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 26502da..7552837 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -96,9 +96,9 @@ struct cn_callback_id {
+ struct cn_callback_data {
+ 	void (*destruct_data) (void *);
+ 	void *ddata;
+-	
+-	void *callback_priv;
+-	void (*callback) (void *);
++
++	struct sk_buff *skb;
++	void (*callback) (struct cn_msg *);
+ 
+ 	void *free;
+ };
+-- 
+1.7.0
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch)
@@ -0,0 +1,189 @@
+From d21956a7f9f7843b9050d3455a0cc9c93c6fa5ee Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:19:29 -0700
+Subject: [PATCH 2/4] add 2.6.31.5/connector-provide-the-sender-s-credentials-to-the-callback.patch
+
+---
+ Documentation/connector/cn_test.c     |    4 +---
+ Documentation/connector/connector.txt |    8 ++++----
+ drivers/connector/cn_proc.c           |    3 +--
+ drivers/connector/cn_queue.c          |   10 +++++++---
+ drivers/connector/connector.c         |    3 ++-
+ drivers/video/uvesafb.c               |    3 +--
+ drivers/w1/w1_netlink.c               |    3 +--
+ include/linux/connector.h             |    6 +++---
+ 8 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/Documentation/connector/cn_test.c b/Documentation/connector/cn_test.c
+index be7af14..a7d46cb 100644
+--- a/Documentation/connector/cn_test.c
++++ b/Documentation/connector/cn_test.c
+@@ -32,10 +32,8 @@ static char cn_test_name[] = "cn_test";
+ static struct sock *nls;
+ static struct timer_list cn_test_timer;
+ 
+-void cn_test_callback(void *data)
++static void cn_test_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+-	struct cn_msg *msg = (struct cn_msg *)data;
+-
+ 	printk("%s: %lu: idx=%x, val=%x, seq=%u, ack=%u, len=%d: %s.\n",
+ 	       __func__, jiffies, msg->id.idx, msg->id.val,
+ 	       msg->seq, msg->ack, msg->len, (char *)msg->data);
+diff --git a/Documentation/connector/connector.txt b/Documentation/connector/connector.txt
+index ad6e0ba..3e6dcc7 100644
+--- a/Documentation/connector/connector.txt
++++ b/Documentation/connector/connector.txt
+@@ -23,7 +23,7 @@ handling...  Connector allows any kernelspace agents to use netlink
+ based networking for inter-process communication in a significantly
+ easier way:
+ 
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_netlink_send(struct cn_msg *msg, u32 __group, int gfp_mask);
+ 
+ struct cb_id
+@@ -53,15 +53,15 @@ struct cn_msg
+ Connector interfaces.
+ /*****************************************/
+ 
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback) (void *));
++int cn_add_callback(struct cb_id *id, char *name, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ 
+ Registers new callback with connector core.
+ 
+ struct cb_id *id 		- unique connector's user identifier.
+ 			  	  It must be registered in connector.h for legal in-kernel users.
+ char *name 			- connector's callback symbolic name.
+-void (*callback) (void *)	- connector's callback.
+-				  Argument must be dereferenced to struct cn_msg *.
++void (*callback) (struct cn..)	- connector's callback.
++				  cn_msg and the sender's credentials
+ 
+ void cn_del_callback(struct cb_id *id);
+ 
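Review bot: the parameter description in connector.txt now reads "void (*callback) (struct cn..)", which is not a prototype a reader can copy, and "cn_msg and the sender's credentials" does not name the second argument. Spell out void (*callback) (struct cn_msg *, struct netlink_skb_parms *) as in the two prototype lines above it, and state that the second argument carries the sender's credentials so callbacks know what to check.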
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 5c9f67f..e5ed75d 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -196,9 +196,8 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+  * cn_proc_mcast_ctl
+  * @data: message sent from userspace via the connector
+  */
+-static void cn_proc_mcast_ctl(void *data)
++static void cn_proc_mcast_ctl(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+-	struct cn_msg *msg = data;
+ 	enum proc_cn_mcast_op *mc_op = NULL;
+ 	int err = 0;
+ 
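Review bot: cn_proc_mcast_ctl() gains the nsp argument but this patch changes only three lines of cn_proc.c, so nothing here consults the sender's credentials; the same holds for w1_cn_callback() further down. Only uvesafb_cn_callback() gets a capability check in this series (patch 4/4), so it is worth confirming that these two callbacks are safe to leave open to unprivileged senders. The kernel-doc line "@data: message sent from userspace via the connector" is also stale now that the parameters are msg and nsp.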
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index e3cf1d9..989c1bd 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -37,8 +37,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ 		container_of(work, struct cn_callback_entry, work);
+ 	struct cn_callback_data *d = &cbq->data;
+ 	struct cn_msg *msg = NLMSG_DATA(nlmsg_hdr(d->skb));
++	struct netlink_skb_parms *nsp = &NETLINK_CB(d->skb);
+ 
+-	d->callback(msg);
++	d->callback(msg, nsp);
+ 
+ 	d->destruct_data(d->ddata);
+ 	d->ddata = NULL;
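Review bot: nsp is taken as &NETLINK_CB(d->skb), a pointer into the skb itself, and the skb is released by d->destruct_data(d->ddata) as soon as the callback returns. A one-line comment here, or in connector.txt, should say that callbacks must not keep msg or nsp after returning.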
+@@ -46,7 +47,9 @@ void cn_queue_wrapper(struct work_struct *work)
+ 	kfree(d->free);
+ }
+ 
+-static struct cn_callback_entry *cn_queue_alloc_callback_entry(char *name, struct cb_id *id, void (*callback)(void *))
++static struct cn_callback_entry *
++cn_queue_alloc_callback_entry(char *name, struct cb_id *id,
++			      void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ 	struct cn_callback_entry *cbq;
+ 
+@@ -76,7 +79,8 @@ int cn_cb_equal(struct cb_id *i1, struct cb_id *i2)
+ 	return ((i1->idx == i2->idx) && (i1->val == i2->val));
+ }
+ 
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *))
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id,
++			  void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ 	struct cn_callback_entry *cbq, *__cbq;
+ 	int found = 0;
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index f101295..1e8cd67 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -208,7 +208,8 @@ static void cn_rx_skb(struct sk_buff *__skb)
+  *
+  * May sleep.
+  */
+-int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
++int cn_add_callback(struct cb_id *id, char *name,
++		    void (*callback)(struct cn_msg *, struct netlink_skb_parms *))
+ {
+ 	int err;
+ 	struct cn_dev *dev = &cdev;
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index cdbb56e..e945b64 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -66,9 +66,8 @@ static DEFINE_MUTEX(uvfb_lock);
+  * find the kernel part of the task struct, copy the registers and
+  * the buffer contents and then complete the task.
+  */
+-static void uvesafb_cn_callback(void *data)
++static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+-	struct cn_msg *msg = data;
+ 	struct uvesafb_task *utask;
+ 	struct uvesafb_ktask *task;
+ 
+diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
+index 65c5ebd..7ad099c 100644
+--- a/drivers/w1/w1_netlink.c
++++ b/drivers/w1/w1_netlink.c
+@@ -128,9 +128,8 @@ static int w1_process_command_slave(struct w1_slave *sl, struct cn_msg *msg,
+ 	return err;
+ }
+ 
+-static void w1_cn_callback(void *data)
++static void w1_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
+ {
+-	struct cn_msg *msg = data;
+ 	struct w1_netlink_msg *m = (struct w1_netlink_msg *)(msg + 1);
+ 	struct w1_netlink_cmd *cmd;
+ 	struct w1_slave *sl;
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 7552837..4a144f0 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -98,7 +98,7 @@ struct cn_callback_data {
+ 	void *ddata;
+ 
+ 	struct sk_buff *skb;
+-	void (*callback) (struct cn_msg *);
++	void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+ 
+ 	void *free;
+ };
+@@ -124,11 +124,11 @@ struct cn_dev {
+ 	struct cn_queue_dev *cbdev;
+ };
+ 
+-int cn_add_callback(struct cb_id *, char *, void (*callback) (void *));
++int cn_add_callback(struct cb_id *, char *, void (*callback) (struct cn_msg *, struct netlink_skb_parms *));
+ void cn_del_callback(struct cb_id *);
+ int cn_netlink_send(struct cn_msg *, u32, gfp_t);
+ 
+-int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *));
++int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(struct cn_msg *, struct netlink_skb_parms *));
+ void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id);
+ 
+ struct cn_queue_dev *cn_queue_alloc_dev(char *name, struct sock *);
+-- 
+1.7.0
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch)
@@ -0,0 +1,88 @@
+From 20a1c695fded8a81a3cbdaf8b8a3b01ff227ae54 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 17:21:25 -0700
+Subject: [PATCH 3/4] add 2.6.31.5/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
+
+---
+ drivers/connector/cn_queue.c  |    4 ++--
+ drivers/connector/connector.c |   11 +++--------
+ include/linux/connector.h     |    3 ---
+ 3 files changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
+index 989c1bd..54e12cf 100644
+--- a/drivers/connector/cn_queue.c
++++ b/drivers/connector/cn_queue.c
+@@ -41,8 +41,8 @@ void cn_queue_wrapper(struct work_struct *work)
+ 
+ 	d->callback(msg, nsp);
+ 
+-	d->destruct_data(d->ddata);
+-	d->ddata = NULL;
++	kfree_skb(d->skb);
++	d->skb = NULL;
+ 
+ 	kfree(d->free);
+ }
+diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
+index 1e8cd67..064b210 100644
+--- a/drivers/connector/connector.c
++++ b/drivers/connector/connector.c
+@@ -118,7 +118,7 @@ EXPORT_SYMBOL_GPL(cn_netlink_send);
+ /*
+  * Callback helper - queues work and setup destructor for given data.
+  */
+-static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *), void *data)
++static int cn_call_callback(struct sk_buff *skb)
+ {
+ 	struct cn_callback_entry *__cbq, *__new_cbq;
+ 	struct cn_dev *dev = &cdev;
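Review bot: the comment above cn_call_callback() still says "queues work and setup destructor for given data" although this hunk removes the destruct_data and data parameters. Update the comment to say the function takes ownership of the skb on success, since cn_rx_skb() only calls kfree_skb(skb) when err < 0.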
+@@ -129,12 +129,9 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ 	list_for_each_entry(__cbq, &dev->cbdev->queue_list, callback_entry) {
+ 		if (cn_cb_equal(&__cbq->id.id, &msg->id)) {
+ 			if (likely(!work_pending(&__cbq->work) &&
+-					__cbq->data.ddata == NULL)) {
++					__cbq->data.skb == NULL)) {
+ 				__cbq->data.skb = skb;
+ 
+-				__cbq->data.ddata = data;
+-				__cbq->data.destruct_data = destruct_data;
+-
+ 				if (queue_work(dev->cbdev->cn_queue,
+ 							&__cbq->work))
+ 					err = 0;
+@@ -149,8 +146,6 @@ static int cn_call_callback(struct sk_buff *skb, void (*destruct_data)(void *),
+ 					d = &__new_cbq->data;
+ 					d->skb = skb;
+ 					d->callback = __cbq->data.callback;
+-					d->ddata = data;
+-					d->destruct_data = destruct_data;
+ 					d->free = __new_cbq;
+ 
+ 					INIT_WORK(&__new_cbq->work,
+@@ -196,7 +191,7 @@ static void cn_rx_skb(struct sk_buff *__skb)
+ 			return;
+ 		}
+ 
+-		err = cn_call_callback(skb, (void (*)(void *))kfree_skb, skb);
++		err = cn_call_callback(skb);
+ 		if (err < 0)
+ 			kfree_skb(skb);
+ 	}
+diff --git a/include/linux/connector.h b/include/linux/connector.h
+index 4a144f0..9e7ea3f 100644
+--- a/include/linux/connector.h
++++ b/include/linux/connector.h
+@@ -94,9 +94,6 @@ struct cn_callback_id {
+ };
+ 
+ struct cn_callback_data {
+-	void (*destruct_data) (void *);
+-	void *ddata;
+-
+ 	struct sk_buff *skb;
+ 	void (*callback) (struct cn_msg *, struct netlink_skb_parms *);
+ 
+-- 
+1.7.0
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/futex-handle-user-space-corruption-gracefully.patch)
@@ -0,0 +1,30 @@
+commit 984ae3529bd00eaa1b6d62e404a5c64b14ac05ed
+Author: dann frazier <dannf at hp.com>
+Date:   Thu Feb 11 17:07:25 2010 -0700
+
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+      commit 51246bfd189064079c54421507236fd2723b18f3
+      Author: Thomas Gleixner <tglx at linutronix.de>
+      Date:   Tue Feb 2 11:40:27 2010 +0100
+    
+          futex: Handle user space corruption gracefully
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index ec84da5..a316902 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -630,6 +630,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
+ 	if (!pi_state)
+ 		return -EINVAL;
+ 
++	/*
++	 * If current does not own the pi_state then the futex is
++	 * inconsistent and user space fiddled with the futex value.
++	 */
++	if (pi_state->owner != current)
++		return -EINVAL;
++
+ 	spin_lock(&pi_state->pi_mutex.wait_lock);
+ 	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
+ 
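Review bot: the new pi_state->owner != current test in wake_futex_pi() runs before spin_lock(&pi_state->pi_mutex.wait_lock) is taken, so the added comment should also say which lock makes the read of pi_state->owner stable at this point. The patch header carries only the upstream subject line; referencing CVE-2010-0622, as the changelog does, would make the backport easier to audit.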

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch)
@@ -0,0 +1,24 @@
+commit c134b8bf86cf38350a11f4cbebff5233344991cc
+Author: dann frazier <dannf at hp.com>
+Date:   Mon Feb 15 12:54:04 2010 -0700
+
+    [Adjusted to apply to Debian's 2.6.26]
+    commit dfe195fb79e88c334481f1362fef52f6d2e30b2d
+    Author: Benny Halevy <bhalevy at panasas.com>
+    Date:   Tue Aug 5 13:01:41 2008 -0700
+    
+        mm: fix uninitialized variables for find_vma_prepare callers
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 16f8c3d..d2befc5 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -366,7 +366,7 @@ find_vma_prepare(struct mm_struct *mm, unsigned long addr,
+ 		if (vma_tmp->vm_end > addr) {
+ 			vma = vma_tmp;
+ 			if (vma_tmp->vm_start <= addr)
+-				return vma;
++				break;
+ 			__rb_link = &__rb_parent->rb_left;
+ 		} else {
+ 			rb_prev = __rb_parent;
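Review bot: replacing "return vma;" with "break;" in find_vma_prepare() is a control-flow change, not only a warning cleanup as the changelog line "cleanup compiler warnings from CVE-2010-0291 fixes" suggests: the early-exit path now falls through to the code after the loop. The patch header should state what that code does for callers on this path, so it is clear why the behaviour change is safe in the 2.6.26 tree.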

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-shift-down_read-to-caller.patch)
@@ -0,0 +1,65 @@
+commit b30527a4d924827faae5c2eda92d7ceaec41ae68
+Author: dann frazier <dannf at hp.com>
+Date:   Sat Feb 20 12:21:38 2010 -0700
+
+    [Backported to Debian's 2.6.26]
+    commit 60634e4b830850bb38016f1e6a7a7358eba8118c
+    Author: Oleg Nesterov <oleg at redhat.com>
+    Date:   Fri Jul 10 03:27:38 2009 +0200
+    
+        mm_for_maps: shift down_read(mmap_sem) to the caller
+    
+        commit 00f89d218523b9bf6b522349c039d5ac80aa536d upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 51e7188..2d6f1c4 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -245,9 +245,8 @@ static int check_mem_permission(struct task_struct *task)
+ struct mm_struct *mm_for_maps(struct task_struct *task)
+ {
+ 	struct mm_struct *mm = get_task_mm(task);
+-	if (!mm)
+-		return NULL;
+-	if (mm != current->mm) {
++
++	if (mm && mm != current->mm) {
+ 		/*
+ 		 * task->mm can be changed before security check,
+ 		 * in that case we must notice the change after.
+@@ -255,10 +254,9 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ 		if (!ptrace_may_attach(task) ||
+ 		    mm != task->mm) {
+ 			mmput(mm);
+-			return NULL;
++			mm = NULL;
+ 		}
+ 	}
+-	down_read(&mm->mmap_sem);
+ 	return mm;
+ }
+ 
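Review bot: with down_read(&mm->mmap_sem) removed here, mm_for_maps() no longer returns with the semaphore held, which changes the contract for every caller. This patch updates the two m_start() functions in task_mmu.c and task_nommu.c; confirm there are no other callers in Debian's 2.6.26 tree, and add a comment above mm_for_maps() saying the caller must take mmap_sem itself.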
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2bb6eb6..2819fcb 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ 	mm = mm_for_maps(priv->task);
+ 	if (!mm)
+ 		return NULL;
++	down_read(&mm->mmap_sem);
+ 
+ 	tail_vma = get_gate_vma(priv->task);
+ 	priv->tail_vma = tail_vma;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 4b4f9cc..5b4a574 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -137,6 +137,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ 		priv->task = NULL;
+ 		return NULL;
+ 	}
++	down_read(&mm->mmap_sem);
+ 
+ 	/* start from the Nth VMA */
+ 	for (vml = mm->context.vmlist; vml; vml = vml->next)

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch)
@@ -0,0 +1,48 @@
+commit 19f0a28fc4adf05a06f47835ca4e2e33da2a321b
+Author: dann frazier <dannf at hp.com>
+Date:   Sat Feb 20 12:20:50 2010 -0700
+
+    [Backported to Debian's 2.6.26]
+    commit a79c30e57c0eac03aae8be4649958f8592141d20
+    Author: Oleg Nesterov <oleg at redhat.com>
+    Date:   Tue Jun 23 21:25:32 2009 +0200
+    
+        mm_for_maps: simplify, use ptrace_may_access()
+    
+        commit 13f0feafa6b8aead57a2a328e2fca6a5828bf286 upstream.
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 3b45537..51e7188 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -247,19 +247,19 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ 	struct mm_struct *mm = get_task_mm(task);
+ 	if (!mm)
+ 		return NULL;
++	if (mm != current->mm) {
++		/*
++		 * task->mm can be changed before security check,
++		 * in that case we must notice the change after.
++		 */
++		if (!ptrace_may_attach(task) ||
++		    mm != task->mm) {
++			mmput(mm);
++			return NULL;
++		}
++	}
+ 	down_read(&mm->mmap_sem);
+-	task_lock(task);
+-	if (task->mm != mm)
+-		goto out;
+-	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+-		goto out;
+-	task_unlock(task);
+ 	return mm;
+-out:
+-	task_unlock(task);
+-	up_read(&mm->mmap_sem);
+-	mmput(mm);
+-	return NULL;
+ }
+ 
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
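Review bot: the subject says "use ptrace_may_access()" but the added lines call ptrace_may_attach(task). The "[Backported to Debian's 2.6.26]" line in the header should say that the function name was substituted for this kernel version. The new code also drops task_lock(task) around the permission check and relies on the mm != task->mm recheck described in the added comment, which deserves a sentence in the header as it is the security-relevant part of the change.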

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch)
@@ -0,0 +1,26 @@
+From 4f232537fcb3301b102f022b3dee8e294b462773 Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Sun, 7 Mar 2010 19:47:12 -0700
+Subject: [PATCH 4/4] 2.6.31.5/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch
+
+---
+ drivers/video/uvesafb.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index e945b64..b595d48 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -71,6 +71,9 @@ static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *ns
+ 	struct uvesafb_task *utask;
+ 	struct uvesafb_ktask *task;
+ 
++	if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
++		return;
++
+ 	if (msg->seq >= UVESAFB_TASKS_MAX)
+ 		return;
+ 
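Review bot: the new check in uvesafb_cn_callback() has no comment and the patch has no description at all. Add a short comment saying that nsp->eff_cap is the sender's effective capability set and why CAP_SYS_ADMIN is the required capability, and reference CVE-2009-3725 in the header as the changelog does. Placing the check ahead of the msg->seq bounds test is the right order.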
+-- 
+1.7.0
+

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/bugfix/x86/set_personality_ia32-misses-force_personality32.patch)
@@ -0,0 +1,25 @@
+[Adjusted to apply to Debian's 2.6.26]
+
+commit 1252f238db48ec419f40c1bdf30fda649860eed9
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Tue Feb 16 15:02:13 2010 +0100
+
+    x86: set_personality_ia32() misses force_personality32
+    
+    05d43ed8a "x86: get rid of the insane TIF_ABI_PENDING bit" forgot about
+    force_personality32.  Fix.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kernel/process_64.c linux-source-2.6.26/arch/x86/kernel/process_64.c
+--- linux-source-2.6.26.orig/arch/x86/kernel/process_64.c	2010-02-10 01:11:15.000000000 -0700
++++ linux-source-2.6.26/arch/x86/kernel/process_64.c	2010-02-17 21:29:14.000000000 -0700
+@@ -728,6 +728,7 @@ void set_personality_ia32(void)
+ 
+ 	/* Make sure to be in 32bit mode */
+ 	set_thread_flag(TIF_IA32);
++	current->personality |= force_personality32;
+ 
+ 	/* Prepare the first "return" to user space */
+ 	current_thread_info()->status |= TS_COMPAT;

Copied: dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/features/all/xen/set_personality_ia32-misses-force_personality32.patch)
@@ -0,0 +1,11 @@
+diff -urpN a/arch/x86/kernel/process_64-xen.c b/arch/x86/kernel/process_64-xen.c
+--- a/arch/x86/kernel/process_64-xen.c	2010-02-17 21:42:34.000000000 -0700
++++ b/arch/x86/kernel/process_64-xen.c	2010-02-17 21:44:00.000000000 -0700
+@@ -779,6 +779,7 @@ void set_personality_ia32(void)
+ 
+ 	/* Make sure to be in 32bit mode */
+ 	set_thread_flag(TIF_IA32);
++	current->personality |= force_personality32;
+ 
+ 	/* Prepare the first "return" to user space */
+ 	current_thread_info()->status |= TS_COMPAT;
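Review bot: this Xen copy of the set_personality_ia32() fix has no header, while the bugfix/x86 copy of the same one-line change names upstream commit 1252f238db48ec419f40c1bdf30fda649860eed9 and its sign-offs. Add the same provenance here so the two patches can be matched up later.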

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny4 (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny4	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4)
@@ -0,0 +1,10 @@
++ bugfix/all/futex-handle-user-space-corruption-gracefully.patch
++ bugfix/all/mm-fix-uninitialized-vars-for-find_vma_prepare-callers.patch
++ bugfix/x86/set_personality_ia32-misses-force_personality32.patch
+- bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
++ bugfix/all/mm_for_maps-simplify-use-ptrace_may_access.patch
++ bugfix/all/mm_for_maps-shift-down_read-to-caller.patch
++ bugfix/all/connector-keep-the-skb-in-cn_callback_data.patch
++ bugfix/all/connector-provide-the-sender-s-credentials-to-the-callback.patch
++ bugfix/all/connector-removed-the-destruct_data-callback-since-it-is-always-kfree_skb.patch
++ bugfix/all/uvesafb-connector-disallow-unpliviged-users-to-send-netlink-packets.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra (from r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/21lenny4-extra	Tue Mar  9 16:51:40 2010	(r15342, copy of r15341, releases/linux-2.6/2.6.26-21lenny4/debian/patches/series/21lenny4-extra)
@@ -0,0 +1,2 @@
++ features/all/xen/set_personality_ia32-misses-force_personality32.patch featureset=xen
++ features/all/xen/printk-robustify-printk-xen.patch featureset=xen
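Review bot: series/21lenny4-extra applies features/all/xen/printk-robustify-printk-xen.patch, but that file is not in the list of files added by this revision. Confirm it already exists under dists/lenny/linux-2.6/debian/patches/features/all/xen/, otherwise the xen featureset will fail to apply its series.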


