Merge /dists/sid/linux-2.6.

svn path=/dists/trunk/linux-2.6/; revision=6472

debian/arch/powerpc/defines

@@ -11,16 +11,16 @@ subarches:
  vserver
 
 [apus]
-depends: mkvmlinuz (>= 19)
+depends: mkvmlinuz (>= 20)
 
 [powerpc]
-depends: mkvmlinuz (>= 19)
+depends: mkvmlinuz (>= 20)
 
 [powerpc-smp]
-depends: mkvmlinuz (>= 19)
+depends: mkvmlinuz (>= 20)
 
 [powerpc-miboot]
-depends: mkvmlinuz (>= 19)
+depends: mkvmlinuz (>= 20)
 
 [powerpc64]
 kpkg-subarch: powerpc64

debian/arch/powerpc/vserver/defines

@@ -7,7 +7,7 @@ flavours:
 recommends: util-vserver
 
 [powerpc]
-depends: mkvmlinuz (>= 18)
+depends: mkvmlinuz (>= 20)
 
 [powerpc64]
 kpkg-subarch: powerpc64

debian/changelog

@@ -9,7 +9,52 @@ linux-2.6 (2.6.16-99experimental.1) UNRELEASED; urgency=low
 
  -- maximilian attems <maks@sternwelten.at>  Tue, 18 Apr 2006 02:09:27 +0200
 
-linux-2.6 (2.6.16-7) UNRELEASED; urgency=low
+linux-2.6 (2.6.16-9) unstable; urgency=low
+
+  [ maximilian attems ]
+  * Add stable release 2.6.16.8:
+    - ip_route_input panic fix (CVE-2006-1525)
+  * Add stable release 2.6.16.9:
+    - i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)
+
+  [ Bastian Blank ]
+  * Update vserver patch to 2.0.2-rc17.
+
+ -- Bastian Blank <waldi@debian.org>  Thu, 20 Apr 2006 15:37:28 +0200
+
+linux-2.6 (2.6.16-8) unstable; urgency=low
+
+  * Fix ABI-breakage introduced in -7. (closes: #363032)
+  * Add stable release 2.6.16.6:
+    - ext3: Fix missed mutex unlock
+    - RLIMIT_CPU: fix handling of a zero limit
+    - alpha: SMP boot fixes
+    - m32r: security fix of {get, put}_user macros
+    - m32r: Fix cpu_possible_map and cpu_present_map initialization for SMP kernel
+    - shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)
+    - powerpc: fix incorrect SA_ONSTACK behaviour for 64-bit processes
+    - MPBL0010 driver sysfs permissions wide open
+    - cciss: bug fix for crash when running hpacucli
+    - fuse: fix oops in fuse_send_readpages()
+    - Fix utime(2) in the case that no times parameter was passed in.
+    - Fix buddy list race that could lead to page lru list corruptions
+    - NETFILTER: Fix fragmentation issues with bridge netfilter
+    - USB: remove __init from usb_console_setup
+    - Fix suspend with traced tasks
+    - isd200: limit to BLK_DEV_IDE
+    - edac_752x needs CONFIG_HOTPLUG
+    - fix non-leader exec under ptrace
+    - sky2: bad memory reference on dual port cards
+    - atm: clip causes unregister hang
+    - powerpc: iSeries needs slb_initialize to be called
+    - Fix block device symlink name
+    - Incorrect signature sent on SMB Read
+  * Add stable release 2.6.16.7:
+    - fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)
+
+ -- Bastian Blank <waldi@debian.org>  Tue, 18 Apr 2006 16:22:31 +0200
+
+linux-2.6 (2.6.16-7) unstable; urgency=low
 
   [ Frederik Schüler ]
   * Add stable release 2.6.16.3:
@@ -33,7 +78,7 @@ linux-2.6 (2.6.16-7) UNRELEASED; urgency=low
   [ Christian T. Steigies ]
   * [m68k] update m68k patch and config to 2.6.16, temporarily disable atari
 
- -- maximilian attems <maks@sternwelten.at>  Thu, 13 Apr 2006 11:16:42 +0200
+ -- Bastian Blank <waldi@debian.org>  Sat, 15 Apr 2006 13:56:05 +0200
 
 linux-2.6 (2.6.16-6) unstable; urgency=medium
 

debian/patches/2.6.16.7

@@ -0,0 +1,14 @@
+diff --git a/mm/madvise.c b/mm/madvise.c
+index af3d573..4e19615 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -168,6 +168,9 @@ static long madvise_remove(struct vm_are
+ 			return -EINVAL;
+ 	}
+ 
++	if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE))
++		return -EACCES;
++
+ 	mapping = vma->vm_file->f_mapping;
+ 
+ 	offset = (loff_t)(start - vma->vm_start)

debian/patches/2.6.16.8

@@ -0,0 +1,16 @@
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index fca5fe0..a67955e 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in
+ 	/* Reserve room for dummy headers, this skb can pass
+ 	   through good chunk of routing engine.
+ 	 */
+-	skb->mac.raw = skb->data;
++	skb->mac.raw = skb->nh.raw = skb->data;
++
++	/* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
++	skb->nh.iph->protocol = IPPROTO_ICMP;
+ 	skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
+ 
+ 	if (rta[RTA_SRC - 1])

debian/patches/2.6.16.9

@@ -0,0 +1,178 @@
+diff --git a/arch/i386/kernel/cpu/amd.c b/arch/i386/kernel/cpu/amd.c
+index 0810f81..d2d50cb 100644
+--- a/arch/i386/kernel/cpu/amd.c
++++ b/arch/i386/kernel/cpu/amd.c
+@@ -207,6 +207,8 @@ #define CBAR_KEY	(0X000000CB)
+ 		set_bit(X86_FEATURE_K7, c->x86_capability); 
+ 		break;
+ 	}
++	if (c->x86 >= 6)
++		set_bit(X86_FEATURE_FXSAVE_LEAK, c->x86_capability);
+ 
+ 	display_cacheinfo(c);
+ 
+diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c
+index 22a05de..818ab9e 100644
+--- a/arch/x86_64/kernel/process.c
++++ b/arch/x86_64/kernel/process.c
+@@ -527,8 +527,6 @@ __switch_to(struct task_struct *prev_p, 
+ 	int cpu = smp_processor_id();  
+ 	struct tss_struct *tss = &per_cpu(init_tss, cpu);
+ 
+-	unlazy_fpu(prev_p);
+-
+ 	/*
+ 	 * Reload esp0, LDT and the page table pointer:
+ 	 */
+@@ -591,6 +589,12 @@ __switch_to(struct task_struct *prev_p, 
+ 	prev->userrsp = read_pda(oldrsp); 
+ 	write_pda(oldrsp, next->userrsp); 
+ 	write_pda(pcurrent, next_p); 
++
++ 	/* This must be here to ensure both math_state_restore() and
++	   kernel_fpu_begin() work consistently.
++	   And the AMD workaround requires it to be after DS reload. */
++	unlazy_fpu(prev_p);
++
+ 	write_pda(kernelstack,
+ 		  task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
+ 
+diff --git a/arch/x86_64/kernel/setup.c b/arch/x86_64/kernel/setup.c
+index aa55e3c..a4a0bb5 100644
+--- a/arch/x86_64/kernel/setup.c
++++ b/arch/x86_64/kernel/setup.c
+@@ -909,6 +909,10 @@ #endif
+ 	if (c->x86 == 15 && ((level >= 0x0f48 && level < 0x0f50) || level >= 0x0f58))
+ 		set_bit(X86_FEATURE_REP_GOOD, &c->x86_capability);
+ 
++	/* Enable workaround for FXSAVE leak */
++	if (c->x86 >= 6)
++		set_bit(X86_FEATURE_FXSAVE_LEAK, &c->x86_capability);
++
+ 	r = get_model_name(c);
+ 	if (!r) { 
+ 		switch (c->x86) { 
+diff --git a/include/asm-i386/cpufeature.h b/include/asm-i386/cpufeature.h
+index c4ec2a4..9d15eec 100644
+--- a/include/asm-i386/cpufeature.h
++++ b/include/asm-i386/cpufeature.h
+@@ -70,6 +70,7 @@ #define X86_FEATURE_K7		(3*32+ 5) /* Ath
+ #define X86_FEATURE_P3		(3*32+ 6) /* P3 */
+ #define X86_FEATURE_P4		(3*32+ 7) /* P4 */
+ #define X86_FEATURE_CONSTANT_TSC (3*32+ 8) /* TSC ticks at a constant rate */
++#define X86_FEATURE_FXSAVE_LEAK (3*32+10) /* FXSAVE leaks FOP/FIP/FOP */
+ 
+ /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
+ #define X86_FEATURE_XMM3	(4*32+ 0) /* Streaming SIMD Extensions-3 */
+diff --git a/include/asm-i386/i387.h b/include/asm-i386/i387.h
+index 152d0ba..7b1f011 100644
+--- a/include/asm-i386/i387.h
++++ b/include/asm-i386/i387.h
+@@ -13,6 +13,7 @@ #define __ASM_I386_I387_H
+ 
+ #include <linux/sched.h>
+ #include <linux/init.h>
++#include <linux/kernel_stat.h>
+ #include <asm/processor.h>
+ #include <asm/sigcontext.h>
+ #include <asm/user.h>
+@@ -38,17 +39,38 @@ #define restore_fpu(tsk)			\
+ extern void kernel_fpu_begin(void);
+ #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
+ 
++/* We need a safe address that is cheap to find and that is already
++   in L1 during context switch. The best choices are unfortunately
++   different for UP and SMP */
++#ifdef CONFIG_SMP
++#define safe_address (__per_cpu_offset[0])
++#else
++#define safe_address (kstat_cpu(0).cpustat.user)
++#endif
++
+ /*
+  * These must be called with preempt disabled
+  */
+ static inline void __save_init_fpu( struct task_struct *tsk )
+ {
++	/* Use more nops than strictly needed in case the compiler
++	   varies code */
+ 	alternative_input(
+-		"fnsave %1 ; fwait ;" GENERIC_NOP2,
+-		"fxsave %1 ; fnclex",
++		"fnsave %[fx] ;fwait;" GENERIC_NOP8 GENERIC_NOP4,
++		"fxsave %[fx]\n"
++		"bt $7,%[fsw] ; jc 1f ; fnclex\n1:",
+ 		X86_FEATURE_FXSR,
+-		"m" (tsk->thread.i387.fxsave)
+-		:"memory");
++		[fx] "m" (tsk->thread.i387.fxsave),
++		[fsw] "m" (tsk->thread.i387.fxsave.swd) : "memory");
++	/* AMD K7/K8 CPUs don't save/restore FDP/FIP/FOP unless an exception
++	   is pending.  Clear the x87 state here by setting it to fixed
++   	   values. __per_cpu_offset[0] is a random variable that should be in L1 */
++	alternative_input(
++		GENERIC_NOP8 GENERIC_NOP2,
++		"emms\n\t"	  	/* clear stack tags */
++		"fildl %[addr]", 	/* set F?P to defined value */
++		X86_FEATURE_FXSAVE_LEAK,
++		[addr] "m" (safe_address));
+ 	task_thread_info(tsk)->status &= ~TS_USEDFPU;
+ }
+ 
+diff --git a/include/asm-x86_64/cpufeature.h b/include/asm-x86_64/cpufeature.h
+index 76bb619..662964b 100644
+--- a/include/asm-x86_64/cpufeature.h
++++ b/include/asm-x86_64/cpufeature.h
+@@ -64,6 +64,7 @@ #define X86_FEATURE_CENTAUR_MCR	(3*32+ 3
+ #define X86_FEATURE_REP_GOOD	(3*32+ 4) /* rep microcode works well on this CPU */
+ #define X86_FEATURE_CONSTANT_TSC (3*32+5) /* TSC runs at constant rate */
+ #define X86_FEATURE_SYNC_RDTSC  (3*32+6)  /* RDTSC syncs CPU core */
++#define X86_FEATURE_FXSAVE_LEAK (3*32+7)  /* FIP/FOP/FDP leaks through FXSAVE */
+ 
+ /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
+ #define X86_FEATURE_XMM3	(4*32+ 0) /* Streaming SIMD Extensions-3 */
+diff --git a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h
+index 876eb9a..cba8a3b 100644
+--- a/include/asm-x86_64/i387.h
++++ b/include/asm-x86_64/i387.h
+@@ -72,6 +72,23 @@ #define set_fpu_cwd(t,val) ((t)->thread.
+ #define set_fpu_swd(t,val) ((t)->thread.i387.fxsave.swd = (val))
+ #define set_fpu_fxsr_twd(t,val) ((t)->thread.i387.fxsave.twd = (val))
+ 
++#define X87_FSW_ES (1 << 7)	/* Exception Summary */
++
++/* AMD CPUs don't save/restore FDP/FIP/FOP unless an exception
++   is pending. Clear the x87 state here by setting it to fixed
++   values. The kernel data segment can be sometimes 0 and sometimes
++   new user value. Both should be ok.
++   Use the PDA as safe address because it should be already in L1. */
++static inline void clear_fpu_state(struct i387_fxsave_struct *fx)
++{
++	if (unlikely(fx->swd & X87_FSW_ES))
++		 asm volatile("fnclex");
++	alternative_input(ASM_NOP8 ASM_NOP2,
++	     	     "    emms\n"		/* clear stack tags */
++	     	     "    fildl %%gs:0",	/* load to clear state */
++		     X86_FEATURE_FXSAVE_LEAK);
++}
++
+ static inline int restore_fpu_checking(struct i387_fxsave_struct *fx) 
+ { 
+ 	int err;
+@@ -119,6 +136,7 @@ #else
+ #endif
+ 	if (unlikely(err))
+ 		__clear_user(fx, sizeof(struct i387_fxsave_struct));
++	/* No need to clear here because the caller clears USED_MATH */
+ 	return err;
+ } 
+ 
+@@ -149,7 +167,7 @@ #else
+ 				"i" (offsetof(__typeof__(*tsk),
+ 					      thread.i387.fxsave)));
+ #endif
+-	__asm__ __volatile__("fnclex");
++	clear_fpu_state(&tsk->thread.i387.fxsave);
+ }
+ 
+ static inline void kernel_fpu_begin(void)

debian/patches/include-linux-seccomp-abifix.patch

@@ -0,0 +1,18 @@
+diff -urN linux-2.6-2.6.16.old/include/linux/seccomp.h linux-2.6-2.6.16/include/linux/seccomp.h
+--- linux-2.6-2.6.16.old/include/linux/seccomp.h	2006-03-20 06:53:29.000000000 +0100
++++ linux-2.6-2.6.16/include/linux/seccomp.h	2006-04-17 12:01:01.000000000 +0200
+@@ -26,9 +26,12 @@
+ 
+ #else /* CONFIG_SECCOMP */
+ 
+-typedef struct { } seccomp_t;
++typedef struct { int mode; } seccomp_t;
++
++static inline void secure_computing(int this_syscall)
++{
++}
+ 
+-#define secure_computing(x) do { } while (0)
+ /* static inline to preserve typechecking */
+ static inline int has_secure_computing(struct thread_info *ti)
+ {

debian/patches/series/8

@@ -0,0 +1,3 @@
++ include-linux-seccomp-abifix.patch
++ 2.6.16.6
++ 2.6.16.7

debian/patches/series/9

@@ -0,0 +1,2 @@
++ 2.6.16.8
++ 2.6.16.9

debian/patches/series/9-extra

@@ -0,0 +1 @@
++ vserver-vs2.0.2-rc17-update.patch *_vserver

debian/patches/vserver-vs2.0.2-rc17-update.patch

@@ -0,0 +1,75 @@
+diff -urN linux-2.6-2.6.16-vs2.0.2-rc16/fs/namei.c linux-2.6-2.6.16-vs2.0.2-rc17/fs/namei.c
+--- linux-2.6-2.6.16-vs2.0.2-rc16/fs/namei.c	2006-04-19 14:47:38.000000000 +0200
++++ linux-2.6-2.6.16-vs2.0.2-rc17/fs/namei.c	2006-04-19 14:48:36.000000000 +0200
+@@ -242,7 +242,7 @@
+ 
+ 	vxwprintk(1, "xid=%d denied access to %p[#%d,%lu] »%s«.",
+ 		vx_current_xid(), inode, inode->i_xid, inode->i_ino,
+-		vxd_path(nd->dentry, nd->mnt));
++		vxd_cond_path(nd));
+ 	return -EACCES;
+ }
+ 
+diff -urN linux-2.6-2.6.16-vs2.0.2-rc16/include/linux/vserver/debug.h linux-2.6-2.6.16-vs2.0.2-rc17/include/linux/vserver/debug.h
+--- linux-2.6-2.6.16-vs2.0.2-rc16/include/linux/vserver/debug.h	2006-04-19 14:47:39.000000000 +0200
++++ linux-2.6-2.6.16-vs2.0.2-rc17/include/linux/vserver/debug.h	2006-04-19 14:48:36.000000000 +0200
+@@ -60,11 +60,13 @@
+ 			printk(VX_WARNLEVEL f "\n" , ##x);	\
+ 	} while (0)
+ 
+-
+ #define vxd_path(d,m)						\
+ 	({ static char _buffer[PATH_MAX];			\
+ 	   d_path((d), (m), _buffer, sizeof(_buffer)); })
+ 
++#define vxd_cond_path(n)					\
++	((n) ? vxd_path((n)->dentry, (n)->mnt) : "<null>" )
++
+ #else	/* CONFIG_VSERVER_DEBUG */
+ 
+ #define vx_debug_switch 0
+@@ -82,6 +84,7 @@
+ #define vxwprintk(x...) do { } while (0)
+ 
+ #define vxd_path	"<none>"
++#define vxd_cond_path	vxd_path
+ 
+ #endif	/* CONFIG_VSERVER_DEBUG */
+ 
+diff -urN linux-2.6-2.6.16-vs2.0.2-rc16/net/ipv4/devinet.c linux-2.6-2.6.16-vs2.0.2-rc17/net/ipv4/devinet.c
+--- linux-2.6-2.6.16-vs2.0.2-rc16/net/ipv4/devinet.c	2006-04-19 14:47:39.000000000 +0200
++++ linux-2.6-2.6.16-vs2.0.2-rc17/net/ipv4/devinet.c	2006-04-19 14:48:37.000000000 +0200
+@@ -529,33 +529,6 @@
+   	return rc;
+ }
+ 
+-/*
+-	Check that a device is not member of the ipv4root assigned to the process
+-	Return true if this is the case
+-
+-	If the process is not bound to specific IP, then it returns 0 (all
+-	interface are fine).
+-*/
+-static inline int devinet_notiproot (struct in_ifaddr *ifa)
+-{
+-	int ret = 0;
+-	struct nx_info *nxi;
+-
+-	if ((nxi = current->nx_info)) {
+-		int i;
+-		int nbip = nxi->nbipv4;
+-		__u32 addr = ifa->ifa_local;
+-		ret = 1;
+-		for (i=0; i<nbip; i++) {
+-			if(nxi->ipv4[i] == addr) {
+-				ret = 0;
+-				break;
+-			}
+-		}
+-	}
+-	return ret;
+-}
+-
+ 
+ int devinet_ioctl(unsigned int cmd, void __user *arg)
+ {