diff --git a/debian/changelog b/debian/changelog
index 8a2f84bd0..e79a3cb26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -37,6 +37,7 @@ linux-2.6 (2.6.38-4) UNRELEASED; urgency=low
 For the complete list of changes, see:
 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.3
 * Add stable 2.6.38.4-rc1
+ * [s390] pfault: fix token handling (Closes: #622570)
 -- Ben Hutchings Fri, 08 Apr 2011 00:59:57 +0100
diff --git a/debian/patches/bugfix/s390/S390-pfault-fix-token-handling.patch b/debian/patches/bugfix/s390/S390-pfault-fix-token-handling.patch
new file mode 100644
index 000000000..8fb868c39
--- /dev/null
+++ b/debian/patches/bugfix/s390/S390-pfault-fix-token-handling.patch
@@ -0,0 +1,73 @@
+From: Heiko Carstens
+Subject: [S390] pfault: fix token handling
+Date: Tue, 19 Apr 2011 08:34:01 +0200
+
+f6649a7e "[S390] cleanup lowcore access from external interrupts" changed
+handling of external interrupts. Instead of letting the external interrupt
+handlers accessing the per cpu lowcore the entry code of the kernel reads
+already all fields that are necessary and passes them to the handlers.
+The pfault interrupt handler was incorrectly converted. It tries to
+dereference a value which used to be a pointer to a lowcore field. After
+the conversion however it is not anymore the pointer to the field but its
+content. So instead of a dereference only a cast is needed to get the
+task pointer that caused the pfault.
+
+Fixes a NULL pointer dereference and a subsequent kernel crash:
+
+Unable to handle kernel pointer dereference at virtual kernel address (null)
+Oops: 0004 [#1] SMP
+Modules linked in: nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc
+ loop qeth_l3 qeth vmur ccwgroup ext3 jbd mbcache dm_mod
+ dasd_eckd_mod dasd_diag_mod dasd_mod
+CPU: 0 Not tainted 2.6.38-2-s390x #1
+Process cron (pid: 1106, task: 000000001f962f78, ksp: 000000001fa0f9d0)
+Krnl PSW : 0404200180000000 000000000002c03e (pfault_interrupt+0xa2/0x138)
+ R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
+Krnl GPRS: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
+ 000000001f962f78 0000000000518968 0000000090000002 000000001ff03280
+ 0000000000000000 000000000064f000 000000001f962f78 0000000000002603
+ 0000000006002603 0000000000000000 000000001ff7fe68 000000001ff7fe48
+Krnl Code: 000000000002c036: 5820d010 l %r2,16(%r13)
+ 000000000002c03a: 1832 lr %r3,%r2
+ 000000000002c03c: 1a31 ar %r3,%r1
+ >000000000002c03e: ba23d010 cs %r2,%r3,16(%r13)
+ 000000000002c042: a744fffc brc 4,2c03a
+ 000000000002c046: a7290002 lghi %r2,2
+ 000000000002c04a: e320d0000024 stg %r2,0(%r13)
+ 000000000002c050: 07f0 bcr 15,%r0
+Call Trace:
+ ([<000000001f962f78>] 0x1f962f78)
+ [<000000000001acda>] do_extint+0xf6/0x138
+ [<000000000039b6ca>] ext_no_vtime+0x30/0x34
+ [<000000007d706e04>] 0x7d706e04
+Last Breaking-Event-Address:
+ [<0000000000000000>] 0x0
+
+For stable maintainers:
+the first kernel which contains this bug is 2.6.37.
+
+Reported-by: Stephen Powell
+Cc: Jonathan Nieder
+Cc: stable@kernel.org
+Signed-off-by: Heiko Carstens
+---
+
+ arch/s390/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index 9217e33..4cf85fe 100644
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -558,9 +558,9 @@ static void pfault_interrupt(unsigned int ext_int_code,
+ * Get the token (= address of the task structure of the affected task).
+ */
+ #ifdef CONFIG_64BIT
+- tsk = *(struct task_struct **) param64;
++ tsk = (struct task_struct *) param64;
+ #else
+- tsk = *(struct task_struct **) param32;
++ tsk = (struct task_struct *) param32;
+ #endif
+ 
+ if (subcode & 0x0080) {
diff --git a/debian/patches/series/4 b/debian/patches/series/4
index 0df53444c..d80b4b512 100644
--- a/debian/patches/series/4
+++ b/debian/patches/series/4
@@ -13,3 +13,4 @@
 - bugfix/sparc/sparc-Fix-.size-directive-for-do_int_load.patch
 + bugfix/all/stable/2.6.38.4-rc1.patch
 + debian/lib-strict_strto-Avoid-ABI-change.patch
++ bugfix/s390/S390-pfault-fix-token-handling.patch
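Review bot: The fixed lines `tsk = (struct task_struct *) param64;` and `tsk = (struct task_struct *) param32;` depend on the entry code now passing the lowcore token by value, which the patch description explains but the comment directly above them does not; since a reader of fault.c never sees that description, extend the comment to `* Get the token (= address of the task structure of the affected task). The entry code has already copied it out of the lowcore, so param64/param32 hold the token itself, not its address.`, which is exactly the distinction the regression got wrong. pfault_interrupt starts and ends outside the embedded hunk, so what happens to tsk after the cast, including whether a zero token is rejected before use, is not visible here. On the packaging side the patch header carries From, Subject and Date but no Bug-Debian or Origin line; the changelog entry cites #622570, so adding `Bug-Debian: http://bugs.debian.org/622570` to the header would tie the patch to the report it closes.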