diff --git a/debian/changelog b/debian/changelog
index 4be136e57..8dbdf327d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,11 @@
-linux-2.6 (3.2.1-3) UNRELEASED; urgency=low
+linux-2.6 (3.2.2-1) UNRELEASED; urgency=low
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.2
+ - ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
+ - Unused iocbs in a batch should not be accounted as active (CVE-2012-0058)
+ - uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map()
+ - [arm] proc: clear_refs: do not clear reserved pages
 
 [ Ben Hutchings ]
 * Stop changing 'build' and 'source' symlinks in linux-image maintainer
diff --git a/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch b/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
deleted file mode 100644
index fbe0a8d47..000000000
--- a/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From: Paolo Bonzini
-Date: Thu, 12 Jan 2012 16:01:27 +0100
-Subject: [PATCH 1/3] block: add and use scsi_blk_cmd_ioctl
-
-commit 577ebb374c78314ac4617242f509e2f5e7156649 upstream.
-
-Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
-
-The function will then be enhanced to detect partition block devices
-and, in that case, subject the ioctls to whitelisting.
-
-Cc: linux-scsi@vger.kernel.org
-Cc: Jens Axboe
-Cc: James Bottomley
-Signed-off-by: Paolo Bonzini
-Signed-off-by: Linus Torvalds
----
- block/scsi_ioctl.c | 7 +++++++
- drivers/block/cciss.c | 6 +++---
- drivers/block/ub.c | 3 +--
- drivers/block/virtio_blk.c | 4 ++--
- drivers/cdrom/cdrom.c | 3 +--
- drivers/ide/ide-floppy_ioctl.c | 3 +--
- drivers/scsi/sd.c | 2 +-
- include/linux/blkdev.h | 2 ++
- 8 files changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index fbdf0d8..a2c11f3 100644
---- a/block/scsi_ioctl.c
-+++ b/block/scsi_ioctl.c
-@@ -690,6 +690,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
- }
- EXPORT_SYMBOL(scsi_cmd_ioctl);
-
-+int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
-+ unsigned int cmd, void __user *arg)
-+{
-+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
-+}
-+EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
-+
- static int __init blk_scsi_ioctl_init(void)
- {
- blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
-diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index 587cce5..b0f553b 100644
---- a/drivers/block/cciss.c
-+++ b/drivers/block/cciss.c
-@@ -1735,7 +1735,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
- case CCISS_BIG_PASSTHRU:
- return cciss_bigpassthru(h, argp);
-
-- /* scsi_cmd_ioctl handles these, below, though some are not */
-+ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
- /* very meaningful for cciss. SG_IO is the main one people want. */
-
- case SG_GET_VERSION_NUM:
-@@ -1746,9 +1746,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
- case SG_EMULATED_HOST:
- case SG_IO:
- case SCSI_IOCTL_SEND_COMMAND:
-- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
-+ return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
-
-- /* scsi_cmd_ioctl would normally handle these, below, but */
-+ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
- /* they aren't a good fit for cciss, as CD-ROMs are */
- /* not supported, and we don't have any bus/target/lun */
- /* which we present to the kernel. */
-diff --git a/drivers/block/ub.c b/drivers/block/ub.c
-index 0e376d4..7333b9e 100644
---- a/drivers/block/ub.c
-+++ b/drivers/block/ub.c
-@@ -1744,12 +1744,11 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
- static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
- unsigned int cmd, unsigned long arg)
- {
-- struct gendisk *disk = bdev->bd_disk;
- void __user *usermem = (void __user *) arg;
- int ret;
-
- mutex_lock(&ub_mutex);
-- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
-+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
- mutex_unlock(&ub_mutex);
-
- return ret;
-diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
-index ffd5ca9..c4a60ba 100644
---- a/drivers/block/virtio_blk.c
-+++ b/drivers/block/virtio_blk.c
-@@ -250,8 +250,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
- if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
- return -ENOTTY;
-
-- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
-- (void __user *)data);
-+ return scsi_cmd_blk_ioctl(bdev, mode, cmd,
-+ (void __user *)data);
- }
-
- /* We provide getgeo only to please some old bootloader/partitioning tools */
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index 1bbf764..55eaf47 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2746,12 +2746,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
- {
- void __user *argp = (void __user *)arg;
- int ret;
-- struct gendisk *disk = bdev->bd_disk;
-
- /*
- * Try the generic SCSI command ioctl's first.
- */
-- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
-+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
- if (ret != -ENOTTY)
- return ret;
-
-diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
-index d267b7a..a22ca84 100644
---- a/drivers/ide/ide-floppy_ioctl.c
-+++ b/drivers/ide/ide-floppy_ioctl.c
-@@ -292,8 +292,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
- * and CDROM_SEND_PACKET (legacy) ioctls
- */
- if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
-- err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
-- mode, cmd, argp);
-+ err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
-
- if (err == -ENOTTY)
- err = generic_ide_ioctl(drive, bdev, cmd, arg);
-diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 7b3f807..b4d57bb 100644
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -1097,7 +1097,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
- error = scsi_ioctl(sdp, cmd, p);
- break;
- default:
-- error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
-+ error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
- if (error != -ENOTTY)
- break;
- error = scsi_ioctl(sdp, cmd, p);
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index 94acd81..ca7b869 100644
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -675,6 +675,8 @@ extern int blk_insert_cloned_request(struct request_queue *q,
- struct request *rq);
- extern void blk_delay_queue(struct request_queue *, unsigned long);
- extern void blk_recount_segments(struct request_queue *, struct bio *);
-+extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
-+ unsigned int, void __user *);
- extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
- unsigned int, void __user *);
- extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
---
-1.7.8.2
-
diff --git a/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devi.patch b/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devi.patch
deleted file mode 100644
index 6626d9779..000000000
--- a/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devi.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From: Paolo Bonzini
-Date: Thu, 12 Jan 2012 16:01:28 +0100
-Subject: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
-
-commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
-
-Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
-will pass the command to the underlying block device. This is
-well-known, but it is also a large security problem when (via Unix
-permissions, ACLs, SELinux or a combination thereof) a program or user
-needs to be granted access only to part of the disk.
-
-This patch lets partitions forward a small set of harmless ioctls;
-others are logged with printk so that we can see which ioctls are
-actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
-Of course it was being sent to a (partition on a) hard disk, so it would
-have failed with ENOTTY and the patch isn't changing anything in
-practice. Still, I'm treating it specially to avoid spamming the logs.
-
-In principle, this restriction should include programs running with
-CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
-/dev/sdb, it still should not be able to read/write outside the
-boundaries of /dev/sda2 independent of the capabilities. However, for
-now programs with CAP_SYS_RAWIO will still be allowed to send the
-ioctls. Their actions will still be logged.
-
-This patch does not affect the non-libata IDE driver. That driver
-however already tests for bd != bd->bd_contains before issuing some
-ioctl; it could be restricted further to forbid these ioctls even for
-programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
-
-Cc: linux-scsi@vger.kernel.org
-Cc: Jens Axboe
-Cc: James Bottomley
-Signed-off-by: Paolo Bonzini
-[ Make it also print the command name when warning - Linus ]
-Signed-off-by: Linus Torvalds
----
- block/scsi_ioctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
- drivers/scsi/sd.c | 11 +++++++++--
- include/linux/blkdev.h | 1 +
- 3 files changed, 55 insertions(+), 2 deletions(-)
-
-diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index a2c11f3..260fa80 100644
---- a/block/scsi_ioctl.c
-+++ b/block/scsi_ioctl.c
-@@ -24,6 +24,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -690,9 +691,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
- }
- EXPORT_SYMBOL(scsi_cmd_ioctl);
-
-+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
-+{
-+ if (bd && bd == bd->bd_contains)
-+ return 0;
-+
-+ /* Actually none of these is particularly useful on a partition,
-+ * but they are safe.
-+ */
-+ switch (cmd) {
-+ case SCSI_IOCTL_GET_IDLUN:
-+ case SCSI_IOCTL_GET_BUS_NUMBER:
-+ case SCSI_IOCTL_GET_PCI:
-+ case SCSI_IOCTL_PROBE_HOST:
-+ case SG_GET_VERSION_NUM:
-+ case SG_SET_TIMEOUT:
-+ case SG_GET_TIMEOUT:
-+ case SG_GET_RESERVED_SIZE:
-+ case SG_SET_RESERVED_SIZE:
-+ case SG_EMULATED_HOST:
-+ return 0;
-+ case CDROM_GET_CAPABILITY:
-+ /* Keep this until we remove the printk below. udev sends it
-+ * and we do not want to spam dmesg about it. CD-ROMs do
-+ * not have partitions, so we get here only for disks.
-+ */
-+ return -ENOIOCTLCMD;
-+ default:
-+ break;
-+ }
-+
-+ /* In particular, rule out all resets and host-specific ioctls. */
-+ printk_ratelimited(KERN_WARNING
-+ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
-+
-+ return capable(CAP_SYS_RAWIO) ? 0 : -ENOIOCTLCMD;
-+}
-+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
-+
- int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
- unsigned int cmd, void __user *arg)
- {
-+ int ret;
-+
-+ ret = scsi_verify_blk_ioctl(bd, cmd);
-+ if (ret < 0)
-+ return ret;
-+
- return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
- }
- EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
-diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index b4d57bb..c691fb5 100644
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -1075,6 +1075,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
- SCSI_LOG_IOCTL(1, sd_printk(KERN_INFO, sdkp, "sd_ioctl: disk=%s, "
- "cmd=0x%x\n", disk->disk_name, cmd));
-
-+ error = scsi_verify_blk_ioctl(bdev, cmd);
-+ if (error < 0)
-+ return error;
-+
- /*
- * If we are in the middle of error recovery, don't let anyone
- * else try and use this device. Also, if error recovery fails, it
-@@ -1267,6 +1271,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
- unsigned int cmd, unsigned long arg)
- {
- struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
-+ int ret;
-+
-+ ret = scsi_verify_blk_ioctl(bdev, cmd);
-+ if (ret < 0)
-+ return ret;
-
- /*
- * If we are in the middle of error recovery, don't let anyone
-@@ -1278,8 +1287,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
- return -ENODEV;
-
- if (sdev->host->hostt->compat_ioctl) {
-- int ret;
--
- ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
-
- return ret;
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index ca7b869..0ed1eb0 100644
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -675,6 +675,7 @@ extern int blk_insert_cloned_request(struct request_queue *q,
- struct request *rq);
- extern void blk_delay_queue(struct request_queue *, unsigned long);
- extern void blk_recount_segments(struct request_queue *, struct bio *);
-+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
- extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
- unsigned int, void __user *);
- extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
---
-1.7.8.2
-
diff --git a/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the.patch b/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the.patch
deleted file mode 100644
index 48ed7506d..000000000
--- a/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Paolo Bonzini
-Date: Thu, 12 Jan 2012 16:01:29 +0100
-Subject: [PATCH 3/3] dm: do not forward ioctls from logical volumes to the
- underlying device
-
-commit ec8013beddd717d1740cfefb1a9b900deef85462 upstream.
-
-A logical volume can map to just part of underlying physical volume.
-In this case, it must be treated like a partition.
-
-Based on a patch from Alasdair G Kergon.
-
-Cc: Alasdair G Kergon
-Cc: dm-devel@redhat.com
-Signed-off-by: Paolo Bonzini
-Signed-off-by: Linus Torvalds
----
- drivers/md/dm-flakey.c | 11 ++++++++++-
- drivers/md/dm-linear.c | 12 +++++++++++-
- drivers/md/dm-mpath.c | 6 ++++++
- 3 files changed, 27 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
-index f84c080..9fb18c1 100644
---- a/drivers/md/dm-flakey.c
-+++ b/drivers/md/dm-flakey.c
-@@ -368,8 +368,17 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
- static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
- {
- struct flakey_c *fc = ti->private;
-+ struct dm_dev *dev = fc->dev;
-+ int r = 0;
-
-- return __blkdev_driver_ioctl(fc->dev->bdev, fc->dev->mode, cmd, arg);
-+ /*
-+ * Only pass ioctls through if the device sizes match exactly.
-+ */
-+ if (fc->start ||
-+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
-+ r = scsi_verify_blk_ioctl(NULL, cmd);
-+
-+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
- }
-
- static int flakey_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
-diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
-index 3921e3b..9728839 100644
---- a/drivers/md/dm-linear.c
-+++ b/drivers/md/dm-linear.c
-@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
- unsigned long arg)
- {
- struct linear_c *lc = (struct linear_c *) ti->private;
-- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
-+ struct dm_dev *dev = lc->dev;
-+ int r = 0;
-+
-+ /*
-+ * Only pass ioctls through if the device sizes match exactly.
-+ */
-+ if (lc->start ||
-+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
-+ r = scsi_verify_blk_ioctl(NULL, cmd);
-+
-+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
- }
-
- static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
-diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
-index 5e0090e..801d92d 100644
---- a/drivers/md/dm-mpath.c
-+++ b/drivers/md/dm-mpath.c
-@@ -1520,6 +1520,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
-
- spin_unlock_irqrestore(&m->lock, flags);
-
-+ /*
-+ * Only pass ioctls through if the device sizes match exactly.
-+ */
-+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
-+ r = scsi_verify_blk_ioctl(NULL, cmd);
-+
- return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
- }
-
---
-1.7.8.2
-
diff --git a/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch b/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
deleted file mode 100644
index fb7829f4e..000000000
--- a/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
-From: Dan Carpenter
-Date: Thu Jan 5 02:27:57 2012 -0300
-
-If ctrls->count is too high the multiplication could overflow and
-array_size would be lower than expected. Mauro and Hans Verkuil
-suggested that we cap it at 1024. That comes from the maximum
-number of controls with lots of room for expantion.
-
-$ grep V4L2_CID include/linux/videodev2.h | wc -l
-211
-
-Cc: stable
-Signed-off-by: Dan Carpenter
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/video/v4l2-ioctl.c | 4 ++++
- include/linux/videodev2.h | 1 +
- 2 files changed, 5 insertions(+), 0 deletions(-)
-
----
-
-http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646
-
-diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
-index e1da8fc..639abee 100644
---- a/drivers/media/video/v4l2-ioctl.c
-+++ b/drivers/media/video/v4l2-ioctl.c
-@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
- struct v4l2_ext_controls *ctrls = parg;
-
- if (ctrls->count != 0) {
-+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
-+ ret = -EINVAL;
-+ break;
-+ }
- *user_ptr = (void __user *)ctrls->controls;
- *kernel_ptr = (void *)&ctrls->controls;
- *array_size = sizeof(struct v4l2_ext_control)
-diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
-index 6bfaa76..b2e1331 100644
---- a/include/linux/videodev2.h
-+++ b/include/linux/videodev2.h
-@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
- #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
-
- /* User-class control IDs defined by V4L2 */
-+#define V4L2_CID_MAX_CTRLS 1024
- #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
- #define V4L2_CID_USER_BASE V4L2_CID_BASE
- /* IDs reserved for driver specific controls */
diff --git a/debian/patches/bugfix/all/proc-clean-up-and-fix-proc-pid-mem-handling.patch b/debian/patches/bugfix/all/proc-clean-up-and-fix-proc-pid-mem-handling.patch
deleted file mode 100644
index 2acee073d..000000000
--- a/debian/patches/bugfix/all/proc-clean-up-and-fix-proc-pid-mem-handling.patch
+++ /dev/null
@@ -1,269 +0,0 @@
-From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Tue, 17 Jan 2012 15:21:19 -0800
-Subject: proc: clean up and fix /proc//mem handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Linus Torvalds
-
-commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
-
-Jüri Aedla reported that the /proc//mem handling really isn't very
-robust, and it also doesn't match the permission checking of any of the
-other related files.
-
-This changes it to do the permission checks at open time, and instead of
-tracking the process, it tracks the VM at the time of the open. That
-simplifies the code a lot, but does mean that if you hold the file
-descriptor open over an execve(), you'll continue to read from the _old_
-VM.
-
-That is different from our previous behavior, but much simpler. If
-somebody actually finds a load where this matters, we'll need to revert
-this commit.
-
-I suspect that nobody will ever notice - because the process mapping
-addresses will also have changed as part of the execve. So you cannot
-actually usefully access the fd across a VM change simply because all
-the offsets for IO would have changed too.
-
-Reported-by: Jüri Aedla
-Cc: Al Viro
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/proc/base.c | 145 +++++++++++++++------------------------------------------
- 1 file changed, 39 insertions(+), 106 deletions(-)
-
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *
- return result;
- }
-
--static struct mm_struct *__check_mem_permission(struct task_struct *task)
--{
-- struct mm_struct *mm;
--
-- mm = get_task_mm(task);
-- if (!mm)
-- return ERR_PTR(-EINVAL);
--
-- /*
-- * A task can always look at itself, in case it chooses
-- * to use system calls instead of load instructions.
-- */
-- if (task == current)
-- return mm;
--
-- /*
-- * If current is actively ptrace'ing, and would also be
-- * permitted to freshly attach with ptrace now, permit it.
-- */
-- if (task_is_stopped_or_traced(task)) {
-- int match;
-- rcu_read_lock();
-- match = (ptrace_parent(task) == current);
-- rcu_read_unlock();
-- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
-- return mm;
-- }
--
-- /*
-- * No one else is allowed.
-- */
-- mmput(mm);
-- return ERR_PTR(-EPERM);
--}
--
--/*
-- * If current may access user memory in @task return a reference to the
-- * corresponding mm, otherwise ERR_PTR.
-- */
--static struct mm_struct *check_mem_permission(struct task_struct *task)
--{
-- struct mm_struct *mm;
-- int err;
--
-- /*
-- * Avoid racing if task exec's as we might get a new mm but validate
-- * against old credentials.
-- */
-- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
-- if (err)
-- return ERR_PTR(err);
--
-- mm = __check_mem_permission(task);
-- mutex_unlock(&task->signal->cred_guard_mutex);
--
-- return mm;
--}
--
--struct mm_struct *mm_for_maps(struct task_struct *task)
-+static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
- {
- struct mm_struct *mm;
- int err;
-@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct tas
-
- mm = get_task_mm(task);
- if (mm && mm != current->mm &&
-- !ptrace_may_access(task, PTRACE_MODE_READ)) {
-+ !ptrace_may_access(task, mode)) {
- mmput(mm);
- mm = ERR_PTR(-EACCES);
- }
-@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct tas
- return mm;
- }
-
-+struct mm_struct *mm_for_maps(struct task_struct *task)
-+{
-+ return mm_access(task, PTRACE_MODE_READ);
-+}
-+
- static int proc_pid_cmdline(struct task_struct *task, char * buffer)
- {
- int res = 0;
-@@ -816,38 +763,39 @@ static const struct file_operations proc
-
- static int mem_open(struct inode* inode, struct file* file)
- {
-- file->private_data = (void*)((long)current->self_exec_id);
-+ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-+ struct mm_struct *mm;
-+
-+ if (!task)
-+ return -ESRCH;
-+
-+ mm = mm_access(task, PTRACE_MODE_ATTACH);
-+ put_task_struct(task);
-+
-+ if (IS_ERR(mm))
-+ return PTR_ERR(mm);
-+
- /* OK to pass negative loff_t, we can catch out-of-range */
- file->f_mode |= FMODE_UNSIGNED_OFFSET;
-+ file->private_data = mm;
-+
- return 0;
- }
-
- static ssize_t mem_read(struct file * file, char __user * buf,
- size_t count, loff_t *ppos)
- {
-- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-+ int ret;
- char *page;
- unsigned long src = *ppos;
-- int ret = -ESRCH;
-- struct mm_struct *mm;
-+ struct mm_struct *mm = file->private_data;
-
-- if (!task)
-- goto out_no_task;
-+ if (!mm)
-+ return 0;
-
-- ret = -ENOMEM;
- page = (char *)__get_free_page(GFP_TEMPORARY);
- if (!page)
-- goto out;
--
-- mm = check_mem_permission(task);
-- ret = PTR_ERR(mm);
-- if (IS_ERR(mm))
-- goto out_free;
--
-- ret = -EIO;
--
-- if (file->private_data != (void*)((long)current->self_exec_id))
-- goto out_put;
-+ return -ENOMEM;
-
- ret = 0;
-
-@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * fi
- }
- *ppos = src;
-
--out_put:
-- mmput(mm);
--out_free:
- free_page((unsigned long) page);
--out:
-- put_task_struct(task);
--out_no_task:
- return ret;
- }
-
-@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * f
- {
- int copied;
- char *page;
-- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
- unsigned long dst = *ppos;
-- struct mm_struct *mm;
-+ struct mm_struct *mm = file->private_data;
-
-- copied = -ESRCH;
-- if (!task)
-- goto out_no_task;
-+ if (!mm)
-+ return 0;
-
-- copied = -ENOMEM;
- page = (char *)__get_free_page(GFP_TEMPORARY);
- if (!page)
-- goto out_task;
--
-- mm = check_mem_permission(task);
-- copied = PTR_ERR(mm);
-- if (IS_ERR(mm))
-- goto out_free;
--
-- copied = -EIO;
-- if (file->private_data != (void *)((long)current->self_exec_id))
-- goto out_mm;
-+ return -ENOMEM;
-
- copied = 0;
- while (count > 0) {
-@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * f
- }
- *ppos = dst;
-
--out_mm:
-- mmput(mm);
--out_free:
- free_page((unsigned long) page);
--out_task:
-- put_task_struct(task);
--out_no_task:
- return copied;
- }
-
-@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff
- return file->f_pos;
- }
-
-+static int mem_release(struct inode *inode, struct file *file)
-+{
-+ struct mm_struct *mm = file->private_data;
-+
-+ mmput(mm);
-+ return 0;
-+}
-+
- static const struct file_operations proc_mem_operations = {
- .llseek = mem_lseek,
- .read = mem_read,
- .write = mem_write,
- .open = mem_open,
-+ .release = mem_release,
- };
-
- static ssize_t environ_read(struct file *file, char __user *buf,
diff --git a/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch b/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch
deleted file mode 100644
index ec6f80500..000000000
--- a/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Ben Hutchings
-Date: Thu, 29 Dec 2011 14:38:52 +0100
-Subject: [PATCH] rtc: Fix alarm rollover when day or month is out-of-range
-
-Commit f44f7f96a20af16f6f12e1c995576d6becf5f57b ('RTC: Initialize
-kernel state from RTC') introduced a potential infinite loop. If an
-alarm time contains a wildcard month and an invalid day (> 31), or a
-wildcard year and an invalid month (>= 12), the loop searching for the
-next matching date will never terminate. Treat the invalid values as
-wildcards.
-
-References: http://bugs.debian.org/646429
-References: http://bugs.debian.org/653331
-Signed-off-by: Ben Hutchings
----
- drivers/rtc/interface.c | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
-index 3d9d2b9..f79ff34 100644
---- a/drivers/rtc/interface.c
-+++ b/drivers/rtc/interface.c
-@@ -227,11 +227,11 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
- alarm->time.tm_hour = now.tm_hour;
-
- /* For simplicity, only support date rollover for now */
-- if (alarm->time.tm_mday == -1) {
-+ if (alarm->time.tm_mday < 1 || alarm->time.tm_mday > 31) {
- alarm->time.tm_mday = now.tm_mday;
- missing = day;
- }
-- if (alarm->time.tm_mon == -1) {
-+ if ((unsigned)alarm->time.tm_mon >= 12) {
- alarm->time.tm_mon = now.tm_mon;
- if (missing == none)
- missing = month;
---
-1.7.7.3
-
diff --git a/debian/patches/series/base b/debian/patches/series/base
index 7bbf414a7..790cf1294 100644
--- a/debian/patches/series/base
+++ b/debian/patches/series/base
@@ -59,22 +59,16 @@
 + bugfix/all/cpu-Register-a-generic-CPU-device-on-architectures-t.patch
 + debian/x86-memtest-WARN-if-bad-RAM-found.patch
 + bugfix/all/snapshot-Implement-compat_ioctl.patch
-+ bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch
-+ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch
 + debian/ARM-Remove-use-of-possibly-undefined-BUILD_BUG_ON-in.patch
 + bugfix/arm/ARM-ixp4xx-gpiolib-support.patch
 + bugfix/arm/ARM-topdown-mmap.patch
 + bugfix/alpha/alpha-add-io-read-write-16-32-be-functions.patch
 + features/arm/ARM-kirkwood-6282A1.patch
 + bugfix/all/net-reintroduce-missing-rcu_assign_pointer-calls.patch
-+ bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
-+ bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devi.patch
-+ bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the.patch
 + features/all/Input-ALPS-move-protocol-information-to-Documentatio.patch
 + features/all/Input-ALPS-add-protocol-version-field-in-alps_model_.patch
 + features/all/Input-ALPS-remove-assumptions-about-packet-size.patch
 + features/all/Input-ALPS-add-support-for-protocol-versions-3-and-4.patch
 + features/all/Input-ALPS-add-semi-MT-support-for-v3-protocol.patch
-+ bugfix/all/proc-clean-up-and-fix-proc-pid-mem-handling.patch
 + bugfix/x86/KVM-nVMX-Add-KVM_REQ_IMMEDIATE_EXIT.patch
 + bugfix/x86/KVM-nVMX-Fix-warning-causing-idt-vectoring-info-beha.patch