debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

* Added 2.6.12.5 (Simon Horman) 

- Fix BUG() is triggered by a call to set_mempolicy() with a negativ
      first argument.
    - [amd64] Fix a SRAT handling on systems with dual cores.
    - [amd64] SMP timing problem
    - [security] Zlib fixes See CAN-2005-2458, CAN-2005-2459
      http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
      http://bugs.gentoo.org/show_bug.cgi
    - Add zlib deflateBound()
    - [security] Fix error during session join. See CAN-2005-2098
    - [security] Fix keyring destructor. See CAN-2005-2099
    - Module per-cpu alignment cannot always be met
      http://www.ussg.iu.edu/hypermail/linux/kernel/0409.0/0768.html
    Closes: #323039

svn path=/trunk/kernel/source/linux-2.6/; revision=3878
This commit is contained in:
Simon Horman 2005-08-15 09:22:29 +00:00
parent 1c2fb4eea9
commit 95f82466aa
5 changed files with 379 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
debian/changelog vendored
View File

@ -34,19 +34,22 @@ linux-2.6 (2.6.12-3) UNRELEASED; urgency=low
toolchain in sid. Many thanks go to GOTO Masanori and Matthias Klose as
well as any other who worked on the biarch toolchain to make this happen.
* [security]
security-keys-destructor-oops.patch
Fix keyring destructor
See CAN-2005-2099 (Simon Horman)
* Added 2.6.12.5 (Simon Horman)
- Fix BUG() is triggered by a call to set_mempolicy() with a negativ
first argument.
- [amd64] Fix a SRAT handling on systems with dual cores.
- [amd64] SMP timing problem
- [security] Zlib fixes See CAN-2005-2458, CAN-2005-2459
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi
- Add zlib deflateBound()
- [security] Fix error during session join. See CAN-2005-2098
- [security] Fix keyring destructor. See CAN-2005-2099
- Module per-cpu alignment cannot always be met
http://www.ussg.iu.edu/hypermail/linux/kernel/0409.0/0768.html
Closes: #323039
* [security]
security-keys-session-join.patch
Fix error during session join
See CAN-2005-2098 (Simon Horman)
Closes: #323039
-- Simon Horman <horms@debian.org> Mon, 15 Aug 2005 17:41:42 +0900
-- Simon Horman <horms@debian.org> Mon, 15 Aug 2005 18:15:51 +0900
linux-2.6 (2.6.12-2) unstable; urgency=low

364
debian/patches-debian/patch-2.6.12.5 vendored Normal file
View File

@ -0,0 +1,364 @@
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 12
-EXTRAVERSION = .4
+EXTRAVERSION = .5
NAME=Woozy Numbat
# *DOCUMENTATION*
diff --git a/arch/ppc64/boot/zlib.c b/arch/ppc64/boot/zlib.c
--- a/arch/ppc64/boot/zlib.c
+++ b/arch/ppc64/boot/zlib.c
@@ -1307,7 +1307,7 @@ local int huft_build(
{
*t = (inflate_huft *)Z_NULL;
*m = 0;
- return Z_OK;
+ return Z_DATA_ERROR;
}
@@ -1351,6 +1351,7 @@ local int huft_build(
if ((j = *p++) != 0)
v[x[j]++] = i;
} while (++i < n);
+ n = x[g]; /* set n to length of v */
/* Generate the Huffman codes and for each, make the table entries */
diff --git a/arch/x86_64/kernel/setup.c b/arch/x86_64/kernel/setup.c
--- a/arch/x86_64/kernel/setup.c
+++ b/arch/x86_64/kernel/setup.c
@@ -729,8 +729,6 @@ static void __init amd_detect_cmp(struct
int cpu = smp_processor_id();
int node = 0;
unsigned bits;
- if (c->x86_num_cores == 1)
- return;
bits = 0;
while ((1 << bits) < c->x86_num_cores)
diff --git a/arch/x86_64/kernel/smp.c b/arch/x86_64/kernel/smp.c
--- a/arch/x86_64/kernel/smp.c
+++ b/arch/x86_64/kernel/smp.c
@@ -284,6 +284,71 @@ struct call_data_struct {
static struct call_data_struct * call_data;
/*
+ * this function sends a 'generic call function' IPI to one other CPU
+ * in the system.
+ */
+static void __smp_call_function_single (int cpu, void (*func) (void *info), void *info,
+ int nonatomic, int wait)
+{
+ struct call_data_struct data;
+ int cpus = 1;
+
+ data.func = func;
+ data.info = info;
+ atomic_set(&data.started, 0);
+ data.wait = wait;
+ if (wait)
+ atomic_set(&data.finished, 0);
+
+ call_data = &data;
+ wmb();
+ /* Send a message to all other CPUs and wait for them to respond */
+ send_IPI_mask(cpumask_of_cpu(cpu), CALL_FUNCTION_VECTOR);
+
+ /* Wait for response */
+ while (atomic_read(&data.started) != cpus)
+ cpu_relax();
+
+ if (!wait)
+ return;
+
+ while (atomic_read(&data.finished) != cpus)
+ cpu_relax();
+}
+
+/*
+ * Run a function on another CPU
+ * <func> The function to run. This must be fast and non-blocking.
+ * <info> An arbitrary pointer to pass to the function.
+ * <nonatomic> Currently unused.
+ * <wait> If true, wait until function has completed on other CPUs.
+ * [RETURNS] 0 on success, else a negative status code.
+ *
+ * Does not return until the remote CPU is nearly ready to execute <func>
+ * or is or has executed.
+ */
+
+int smp_call_function_single (int cpu, void (*func) (void *info), void *info,
+ int nonatomic, int wait)
+{
+
+ int me = get_cpu(); /* prevent preemption and reschedule on another processor */
+
+ if (cpu == me) {
+ printk("%s: trying to call self\n", __func__);
+ put_cpu();
+ return -EBUSY;
+ }
+ spin_lock_bh(&call_lock);
+
+ __smp_call_function_single(cpu, func,info,nonatomic,wait);
+
+ spin_unlock_bh(&call_lock);
+ put_cpu();
+ return 0;
+}
+
+/*
* this function sends a 'generic call function' IPI to all other CPUs
* in the system.
*/
diff --git a/arch/x86_64/kernel/smpboot.c b/arch/x86_64/kernel/smpboot.c
--- a/arch/x86_64/kernel/smpboot.c
+++ b/arch/x86_64/kernel/smpboot.c
@@ -202,9 +202,6 @@ static __cpuinit void sync_master(void *
{
unsigned long flags, i;
- if (smp_processor_id() != boot_cpu_id)
- return;
-
go[MASTER] = 0;
local_irq_save(flags);
@@ -253,7 +250,7 @@ get_delta(long *rt, long *master)
return tcenter - best_tm;
}
-static __cpuinit void sync_tsc(void)
+static __cpuinit void sync_tsc(unsigned int master)
{
int i, done = 0;
long delta, adj, adjust_latency = 0;
@@ -267,9 +264,17 @@ static __cpuinit void sync_tsc(void)
} t[NUM_ROUNDS] __cpuinitdata;
#endif
+ printk(KERN_INFO "CPU %d: Syncing TSC to CPU %u.\n",
+ smp_processor_id(), master);
+
go[MASTER] = 1;
- smp_call_function(sync_master, NULL, 1, 0);
+ /* It is dangerous to broadcast IPI as cpus are coming up,
+ * as they may not be ready to accept them. So since
+ * we only need to send the ipi to the boot cpu direct
+ * the message, and avoid the race.
+ */
+ smp_call_function_single(master, sync_master, NULL, 1, 0);
while (go[MASTER]) /* wait for master to be ready */
no_cpu_relax();
@@ -313,16 +318,14 @@ static __cpuinit void sync_tsc(void)
printk(KERN_INFO
"CPU %d: synchronized TSC with CPU %u (last diff %ld cycles, "
"maxerr %lu cycles)\n",
- smp_processor_id(), boot_cpu_id, delta, rt);
+ smp_processor_id(), master, delta, rt);
}
static void __cpuinit tsc_sync_wait(void)
{
if (notscsync || !cpu_has_tsc)
return;
- printk(KERN_INFO "CPU %d: Syncing TSC to CPU %u.\n", smp_processor_id(),
- boot_cpu_id);
- sync_tsc();
+ sync_tsc(0);
}
static __init int notscsync_setup(char *s)
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
brelse(bh);
+ if (cstart > cend)
+ goto eio;
+
csize = cend-cstart;
+ if (csize > deflateBound(1UL << zisofs_block_shift))
+ goto eio;
+
/* Now page[] contains an array of pages, any of which can be NULL,
and the locks on which we hold. We should now read the data and
release the pages. If the pages are NULL the decompressed data
diff --git a/include/asm-x86_64/smp.h b/include/asm-x86_64/smp.h
--- a/include/asm-x86_64/smp.h
+++ b/include/asm-x86_64/smp.h
@@ -46,6 +46,8 @@ extern int pic_mode;
extern int smp_num_siblings;
extern void smp_flush_tlb(void);
extern void smp_message_irq(int cpl, void *dev_id, struct pt_regs *regs);
+extern int smp_call_function_single (int cpuid, void (*func) (void *info), void *info,
+ int retry, int wait);
extern void smp_send_reschedule(int cpu);
extern void smp_invalidate_rcv(void); /* Process an NMI */
extern void zap_low_mappings(void);
diff --git a/include/linux/zlib.h b/include/linux/zlib.h
--- a/include/linux/zlib.h
+++ b/include/linux/zlib.h
@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp
stream state was inconsistent (such as zalloc or state being NULL).
*/
+static inline unsigned long deflateBound(unsigned long s)
+{
+ return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
+}
+
extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
/*
Dynamically update the compression level and compression strategy. The
diff --git a/kernel/module.c b/kernel/module.c
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -249,13 +249,18 @@ static inline unsigned int block_size(in
/* Created by linker magic */
extern char __per_cpu_start[], __per_cpu_end[];
-static void *percpu_modalloc(unsigned long size, unsigned long align)
+static void *percpu_modalloc(unsigned long size, unsigned long align,
+ const char *name)
{
unsigned long extra;
unsigned int i;
void *ptr;
- BUG_ON(align > SMP_CACHE_BYTES);
+ if (align > SMP_CACHE_BYTES) {
+ printk(KERN_WARNING "%s: per-cpu alignment %li > %i\n",
+ name, align, SMP_CACHE_BYTES);
+ align = SMP_CACHE_BYTES;
+ }
ptr = __per_cpu_start;
for (i = 0; i < pcpu_num_used; ptr += block_size(pcpu_size[i]), i++) {
@@ -347,7 +352,8 @@ static int percpu_modinit(void)
}
__initcall(percpu_modinit);
#else /* ... !CONFIG_SMP */
-static inline void *percpu_modalloc(unsigned long size, unsigned long align)
+static inline void *percpu_modalloc(unsigned long size, unsigned long align,
+ const char *name)
{
return NULL;
}
@@ -1554,7 +1560,8 @@ static struct module *load_module(void _
if (pcpuindex) {
/* We have a special allocation for this section. */
percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
- sechdrs[pcpuindex].sh_addralign);
+ sechdrs[pcpuindex].sh_addralign,
+ mod->name);
if (!percpu) {
err = -ENOMEM;
goto free_mod;
diff --git a/lib/inflate.c b/lib/inflate.c
--- a/lib/inflate.c
+++ b/lib/inflate.c
@@ -326,7 +326,7 @@ DEBG("huft1 ");
{
*t = (struct huft *)NULL;
*m = 0;
- return 0;
+ return 2;
}
DEBG("huft2 ");
@@ -374,6 +374,7 @@ DEBG("huft5 ");
if ((j = *p++) != 0)
v[x[j]++] = i;
} while (++i < n);
+ n = x[g]; /* set n to length of v */
DEBG("h6 ");
@@ -410,12 +411,13 @@ DEBG1("1 ");
DEBG1("2 ");
f -= a + 1; /* deduct codes from patterns left */
xp = c + k;
- while (++j < z) /* try smaller tables up to z bits */
- {
- if ((f <<= 1) <= *++xp)
- break; /* enough codes to use up j bits */
- f -= *xp; /* else deduct codes from patterns */
- }
+ if (j < z)
+ while (++j < z) /* try smaller tables up to z bits */
+ {
+ if ((f <<= 1) <= *++xp)
+ break; /* enough codes to use up j bits */
+ f -= *xp; /* else deduct codes from patterns */
+ }
}
DEBG1("3 ");
z = 1 << j; /* table entries for j-bit table */
diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -141,7 +141,7 @@ static int huft_build(
{
*t = NULL;
*m = 0;
- return Z_OK;
+ return Z_DATA_ERROR;
}
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -409,7 +409,7 @@ asmlinkage long sys_set_mempolicy(int mo
struct mempolicy *new;
DECLARE_BITMAP(nodes, MAX_NUMNODES);
- if (mode > MPOL_MAX)
+ if (mode < 0 || mode > MPOL_MAX)
return -EINVAL;
err = get_nodes(nodes, nmask, maxnode, mode);
if (err)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -188,7 +188,11 @@ static void keyring_destroy(struct key *
if (keyring->description) {
write_lock(&keyring_name_lock);
- list_del(&keyring->type_data.link);
+
+ if (keyring->type_data.link.next != NULL &&
+ !list_empty(&keyring->type_data.link))
+ list_del(&keyring->type_data.link);
+
write_unlock(&keyring_name_lock);
}
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -641,7 +641,7 @@ long join_session_keyring(const char *na
keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
- goto error;
+ goto error2;
}
}
else if (IS_ERR(keyring)) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel-announce" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

55
debian/patches-debian/security-keys-destructor-oops.patch vendored
View File

@ -1,55 +0,0 @@
commit 94efe72f762e2c147d8146d637d5ece5614c8d94
tree 002e4719541ad838342e01a5f8ff63ae0a618b29
parent bcf945d36fa0598f41ac4ad46a9dc43135460263
author David Howells <dhowells@redhat.com> 1123186027 -0700
committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
[PATCH] Destruction of failed keyring oopses
The attached patch makes sure that a keyring that failed to instantiate
properly is destroyed without oopsing [CAN-2005-2099].
The problem occurs in three stages:
(1) The key allocator initialises the type-specific data to all zeroes. In
the case of a keyring, this will become a link in the keyring name list
when the keyring is instantiated.
(2) If a user (any user) attempts to add a keyring with anything other than
an empty payload, the keyring instantiation function will fail with an
error and won't add the keyring to the name list.
(3) The keyring's destructor then sees that the keyring has a description
(name) and tries to remove the keyring from the name list, which oopses
because the link pointers are both zero.
This bug permits any user to take down a box trivially.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
I:100644 100644 a1f6bac647a1c3a673bfbb2b4b03d0556cc9be88 9c208c756df8136cbaa0a06f5442af60c712ae6d M security/keys/keyring.c
Key:
S: Skipped
I: Included Included verbatim
D: Deleted Manually deleted by subsequent user edit
R: Revised Manually revised by subsequent user edit
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -201,7 +201,11 @@ static void keyring_destroy(struct key *
if (keyring->description) {
write_lock(&keyring_name_lock);
- list_del(&keyring->type_data.link);
+
+ if (keyring->type_data.link.next != NULL &&
+ !list_empty(&keyring->type_data.link))
+ list_del(&keyring->type_data.link);
+
write_unlock(&keyring_name_lock);
}

54
debian/patches-debian/security-keys-session-join.patch vendored
View File

@ -1,54 +0,0 @@
commit bcf945d36fa0598f41ac4ad46a9dc43135460263
tree 7a2aa188442bf863f20055a001baf85143d7a5b9
parent 6fb0caa42308923d9e4ed7b36ec077b97c107e24
author David Howells <dhowells@redhat.com> 1123186026 -0700
committer Linus Torvalds <torvalds@g5.osdl.org> 1123186274 -0700
[PATCH] Error during attempt to join key management session can leave semaphore pinned
The attached patch prevents an error during the key session joining operation
from hanging future joins in the D state [CAN-2005-2098].
The problem is that the error handling path for the KEYCTL_JOIN_SESSION_KEYRING
operation has one error path that doesn't release the session management
semaphore. Further attempts to get the semaphore will then sleep for ever in
the D state.
This can happen in four situations, all involving an attempt to allocate a new
session keyring:
(1) ENOMEM.
(2) The users key quota being reached.
(3) A keyring name that is an empty string.
(4) A keyring name that is too long.
Any user may attempt this operation, and so any user can cause the problem to
occur.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
I:100644 100644 9b0369c5a223acbf951178e87ebbb0789458b507 c089f78fb94ec170dbd042f08a4a61b9915c526e M security/keys/process_keys.c
Key:
S: Skipped
I: Included Included verbatim
D: Deleted Manually deleted by subsequent user edit
R: Revised Manually revised by subsequent user edit
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -678,7 +678,7 @@ long join_session_keyring(const char *na
keyring = keyring_alloc(name, tsk->uid, tsk->gid, 0, NULL);
if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
- goto error;
+ goto error2;
}
}
else if (IS_ERR(keyring)) {

3
debian/patches-debian/series/2.6.12-3 vendored
View File

@ -1,2 +1 @@
+ security-keys-destructor-oops.patch
+ security-keys-session-join.patch
+ patch-2.6.12.5