From: Greg Kroah-Hartman
Date: Wed, 1 Jul 2009 00:06:23 +0000 (-0700)
Subject: remove a .27 patch
X-Git-Tag: v2.6.27.26~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08600531b5178a451cf676134f6ec30be7aa9fee;p=thirdparty%2Fkernel%2Fstable-queue.git

remove a .27 patch
---

diff --git a/queue-2.6.27/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch b/queue-2.6.27/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch deleted file mode 100644 index 3e6dd6ab0b3..00000000000 --- a/queue-2.6.27/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 Mon Sep 17 00:00:00 2001 -From: Oleg Nesterov -Date: Wed, 17 Jun 2009 00:27:10 +0200 -Subject: send_sigio_to_task: sanitize the usage of fown->signum - -From: Oleg Nesterov - -commit 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 upstream. - -send_sigio_to_task() reads fown->signum several times, we can race with -F_SETSIG which changes ->signum lockless. In theory, this can fool -security checks or we can call group_send_sig_info() with the wrong -->si_signo which does not match "int sig". - -Change the code to cache ->signum. - -Signed-off-by: Oleg Nesterov -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - fs/fcntl.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - ---- a/fs/fcntl.c -+++ b/fs/fcntl.c -@@ -417,14 +417,20 @@ static inline int sigio_perm(struct task - } - - static void send_sigio_to_task(struct task_struct *p, -- struct fown_struct *fown, -+ struct fown_struct *fown, - int fd, - int reason) - { -- if (!sigio_perm(p, fown, fown->signum)) -+ /* -+ * F_SETSIG can change ->signum lockless in parallel, make -+ * sure we read it once and use the same value throughout. -+ */ -+ int signum = ACCESS_ONCE(fown->signum); -+ -+ if (!sigio_perm(p, fown, signum)) - return; - -- switch (fown->signum) { -+ switch (signum) { - siginfo_t si; - default: - /* Queue a rt signal with the appropriate fd as its -@@ -433,7 +439,7 @@ static void send_sigio_to_task(struct ta - delivered even if we can't queue. Failure to - queue in this case _should_ be reported; we fall - back to SIGIO in that case. 
--sct */ -- si.si_signo = fown->signum; -+ si.si_signo = signum; - si.si_errno = 0; - si.si_code = reason; - /* Make sure we are called with one of the POLL_* -@@ -445,7 +451,7 @@ static void send_sigio_to_task(struct ta - else - si.si_band = band_table[reason - POLL_IN]; - si.si_fd = fd; -- if (!group_send_sig_info(fown->signum, &si, p)) -+ if (!group_send_sig_info(signum, &si, p)) - break; - /* fall-through: fall back on the old plain SIGIO signal */ - case 0: diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 58f78269297..95010f00486 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -16,7 +16,6 @@ floppy-request-and-release-only-the-ports-we-actually-use.patch ib-mlx4-add-strong-ordering-to-local-inval-and-fast-reg-work-requests.patch x86-handle-initrd-that-extends-into-unusable-memory.patch lockdep-select-frame-pointers-on-x86.patch -send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch md-raid5-add-missing-call-to-schedule-after-prepare_to_wait.patch tcp-advertise-mss-requested-by-user.patch parport_pc-after-superio-probing-restore-original-register-values.patch
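Review bot: The deletion of queue-2.6.27/send_sigio_to_task-sanitize-the-usage-of-fown-signum.patch comes with no stated reason, while the deleted file's own changelog says the race with F_SETSIG "can fool security checks" in theory. Please record in the commit message why the patch is dropped from the 2.6.27 queue and whether it will be re-queued, and name upstream commit 8eeee4e2f04fc551f50c9d9847da2d73d7d33728 there so the decision can be found later. Without this patch the 2.6.27 send_sigio_to_task() keeps reading fown->signum separately for sigio_perm(), the switch, si.si_signo and group_send_sig_info(), which is the multiple-read pattern the dropped change replaced with a single ACCESS_ONCE(fown->signum).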
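Review bot: In the queue-2.6.27/series hunk, the entries that follow the removed line (md-raid5-add-missing-call-to-schedule-after-prepare_to_wait.patch, tcp-advertise-mss-requested-by-user.patch, parport_pc-after-superio-probing-restore-original-register-values.patch) should be confirmed to apply cleanly without it. By name none of them touch fs/fcntl.c, and the series edit matches the file deletion, but the hunk alone cannot show that the remaining queue still applies, so a full apply of the series against the 2.6.27 tree after this removal is worth doing before release.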