Fix potential crash with sys_move_pages (CVE-2010-0415)

svn path=/dists/trunk/linux-2.6/; revision=15138

debian/changelog

@@ -5,6 +5,7 @@ linux-2.6 (2.6.32-8) UNRELEASED; urgency=low
 
   [ dann frazier ]
   * KVM: PIT: control word is write-only (CVE-2010-0309)
+  * Fix potential crash with sys_move_pages (CVE-2010-0415)
 
   [ Ben Hutchings ]
   * Build lgs8gxx driver along with cxusb (Closes: #568414)

debian/patches/bugfix/all/fix-potential-crash-with-sys_move_pages.patch

@@ -0,0 +1,31 @@
+commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date:   Fri Feb 5 16:16:50 2010 -0800
+
+    Fix potential crash with sys_move_pages
+    
+    We incorrectly depended on the 'node_state/node_isset()' functions
+    testing the node range, rather than checking it explicitly.  That's not
+    reliable, even if it might often happen to work.  So do the proper
+    explicit test.
+    
+    Reported-by: Marcus Meissner <meissner@suse.de>
+    Acked-and-tested-by: Brice Goglin <Brice.Goglin@inria.fr>
+    Acked-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+    Cc: stable@kernel.org
+    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/mm/migrate.c b/mm/migrate.c
+index efddbf0..9a0db5b 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -912,6 +912,9 @@ static int do_pages_move(struct mm_struct *mm, struct task_struct *task,
+ 				goto out_pm;
+ 
+ 			err = -ENODEV;
++			if (node < 0 || node >= MAX_NUMNODES)
++				goto out_pm;
++
+ 			if (!node_state(node, N_HIGH_MEMORY))
+ 				goto out_pm;
+ 

debian/patches/series/8

@@ -8,3 +8,4 @@
 - bugfix/all/e1000e-enhance-fragment-detection.patch
 - bugfix/all/e1000-enhance-fragment-detection.patch
 + bugfix/all/stable/2.6.32.8.patch
++ bugfix/all/fix-potential-crash-with-sys_move_pages.patch