From: Greg Kroah-Hartman Date: Thu, 24 Mar 2011 17:00:54 +0000 (-0700) Subject: .37 patches X-Git-Tag: v2.6.37.6~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab278fdaf82b4a43ae1d7307df041990eb49f448;p=thirdparty%2Fkernel%2Fstable-queue.git .37 patches --- diff --git a/queue-2.6.37/ext3-skip-orphan-cleanup-on-rocompat-fs.patch b/queue-2.6.37/ext3-skip-orphan-cleanup-on-rocompat-fs.patch new file mode 100644 index 00000000000..e115f5af35f --- /dev/null +++ b/queue-2.6.37/ext3-skip-orphan-cleanup-on-rocompat-fs.patch @@ -0,0 +1,41 @@ +From ce654b37f87980d95f339080e4c3bdb2370bdf22 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Sat, 26 Feb 2011 22:40:19 +0200 +Subject: ext3: skip orphan cleanup on rocompat fs + +From: Amir Goldstein + +commit ce654b37f87980d95f339080e4c3bdb2370bdf22 upstream. + +Orphan cleanup is currently executed even if the file system has some +number of unknown ROCOMPAT features, which deletes inodes and frees +blocks, which could be very bad for some RO_COMPAT features. + +This patch skips the orphan cleanup if it contains readonly compatible +features not known by this ext3 implementation, which would prevent +the fs from being mounted (or remounted) readwrite. + +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/super.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -1440,6 +1440,13 @@ static void ext3_orphan_cleanup (struct + return; + } + ++ /* Check if feature set allows readwrite operations */ ++ if (EXT3_HAS_RO_COMPAT_FEATURE(sb, ~EXT3_FEATURE_RO_COMPAT_SUPP)) { ++ ext3_msg(sb, KERN_INFO, "Skipping orphan cleanup due to " ++ "unknown ROCOMPAT features"); ++ return; ++ } ++ + if (EXT3_SB(sb)->s_mount_state & EXT3_ERROR_FS) { + if (es->s_last_orphan) + jbd_debug(1, "Errors on filesystem, " diff --git a/queue-2.6.37/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch b/queue-2.6.37/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch new file mode 100644 index 00000000000..587e42f62fa --- /dev/null +++ b/queue-2.6.37/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch @@ -0,0 +1,37 @@ +From d6244bc0ed0c52a795e6f4dcab3886daf3e74fac Mon Sep 17 00:00:00 2001 +From: Henry Nestler +Date: Sun, 20 Feb 2011 20:50:56 +0000 +Subject: fbcon: Bugfix soft cursor detection in Tile Blitting + +From: Henry Nestler + +commit d6244bc0ed0c52a795e6f4dcab3886daf3e74fac upstream. + +Use mask 0x10 for "soft cursor" detection on in function tile_cursor. +(Tile Blitting Operation in framebuffer console). + +The old mask 0x01 for vc_cursor_type detects CUR_NONE, CUR_LOWER_THIRD +and every second mode value as "software cursor". This hides the cursor +for these modes (cursor.mode = 0). But, only CUR_NONE or "software cursor" +should hide the cursor. +See also 0x10 in functions add_softcursor, bit_cursor and cw_cursor. + +Signed-off-by: Henry Nestler +Signed-off-by: Paul Mundt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/tileblit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/console/tileblit.c ++++ b/drivers/video/console/tileblit.c +@@ -83,7 +83,7 @@ static void tile_cursor(struct vc_data * + int softback_lines, int fg, int bg) + { + struct fb_tilecursor cursor; +- int use_sw = (vc->vc_cursor_type & 0x01); ++ int use_sw = (vc->vc_cursor_type & 0x10); + + cursor.sx = vc->vc_x; + cursor.sy = vc->vc_y; diff --git a/queue-2.6.37/nfsd-wrong-index-used-in-inner-loop.patch b/queue-2.6.37/nfsd-wrong-index-used-in-inner-loop.patch new file mode 100644 index 00000000000..4eb111e1246 --- /dev/null +++ b/queue-2.6.37/nfsd-wrong-index-used-in-inner-loop.patch @@ -0,0 +1,49 @@ +From 5a02ab7c3c4580f94d13c683721039855b67cda6 Mon Sep 17 00:00:00 2001 +From: Mi Jinlong +Date: Fri, 11 Mar 2011 12:13:55 +0800 +Subject: nfsd: wrong index used in inner loop + +From: Mi Jinlong + +commit 5a02ab7c3c4580f94d13c683721039855b67cda6 upstream. + +We must not use dummy for index. +After the first index, READ32(dummy) will change dummy!!!! + +Signed-off-by: Mi Jinlong +[bfields@redhat.com: Trond points out READ_BUF alone is sufficient.] +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -1107,7 +1107,7 @@ nfsd4_decode_create_session(struct nfsd4 + + u32 dummy; + char *machine_name; +- int i, j; ++ int i; + int nr_secflavs; + + READ_BUF(16); +@@ -1180,8 +1180,6 @@ nfsd4_decode_create_session(struct nfsd4 + READ_BUF(4); + READ32(dummy); + READ_BUF(dummy * 4); +- for (j = 0; j < dummy; ++j) +- READ32(dummy); + break; + case RPC_AUTH_GSS: + dprintk("RPC_AUTH_GSS callback secflavor " +@@ -1197,7 +1195,6 @@ nfsd4_decode_create_session(struct nfsd4 + READ_BUF(4); + READ32(dummy); + READ_BUF(dummy); +- p += XDR_QUADLEN(dummy); + break; + default: + dprintk("Illegal callback secflavor\n"); diff --git a/queue-2.6.37/nfsd4-fix-struct-file-leak.patch b/queue-2.6.37/nfsd4-fix-struct-file-leak.patch new file mode 100644 index 00000000000..712e5322cd1 --- /dev/null +++ b/queue-2.6.37/nfsd4-fix-struct-file-leak.patch @@ -0,0 +1,101 @@ +From 0997b173609b9229ece28941c118a2a9b278796e Mon Sep 17 00:00:00 2001 +From: J. Bruce Fields +Date: Wed, 2 Mar 2011 18:01:35 -0500 +Subject: nfsd4: fix struct file leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: J. Bruce Fields + +commit 0997b173609b9229ece28941c118a2a9b278796e upstream. + +Make sure we properly reference count the struct files that a lock +depends on, and release them when the lock stateid is released. + +This fixes a major leak of struct files when using locking over nfsv4. + +Reported-by: Rick Koshi +Tested-by: Ivo Přikryl +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -408,6 +408,9 @@ static void unhash_generic_stateid(struc + + static void free_generic_stateid(struct nfs4_stateid *stp) + { ++ int oflag = nfs4_access_bmap_to_omode(stp); ++ ++ nfs4_file_put_access(stp->st_file, oflag); + put_nfs4_file(stp->st_file); + kmem_cache_free(stateid_slab, stp); + } +@@ -459,11 +462,8 @@ release_stateid_lockowners(struct nfs4_s + + static void release_open_stateid(struct nfs4_stateid *stp) + { +- int oflag = nfs4_access_bmap_to_omode(stp); +- + unhash_generic_stateid(stp); + release_stateid_lockowners(stp); +- nfs4_file_put_access(stp->st_file, oflag); + free_generic_stateid(stp); + } + +@@ -3661,6 +3661,7 @@ alloc_init_lock_stateid(struct nfs4_stat + stp->st_stateid.si_stateownerid = sop->so_id; + stp->st_stateid.si_fileid = fp->fi_id; + stp->st_stateid.si_generation = 0; ++ stp->st_access_bmap = 0; + stp->st_deny_bmap = open_stp->st_deny_bmap; + stp->st_openstp = open_stp; + +@@ -3675,6 +3676,17 @@ check_lock_length(u64 offset, u64 length + LOFF_OVERFLOW(offset, length))); + } + ++static void get_lock_access(struct nfs4_stateid *lock_stp, u32 access) ++{ ++ struct nfs4_file *fp = lock_stp->st_file; ++ int oflag = nfs4_access_to_omode(access); ++ ++ if (test_bit(access, &lock_stp->st_access_bmap)) ++ return; ++ nfs4_file_get_access(fp, oflag); ++ __set_bit(access, &lock_stp->st_access_bmap); ++} ++ + /* + * LOCK operation + */ +@@ -3772,18 +3784,16 @@ nfsd4_lock(struct svc_rqst *rqstp, struc + switch (lock->lk_type) { + case NFS4_READ_LT: + case NFS4_READW_LT: +- if (find_readable_file(lock_stp->st_file)) { +- nfs4_get_vfs_file(rqstp, fp, &cstate->current_fh, NFS4_SHARE_ACCESS_READ); +- filp = find_readable_file(lock_stp->st_file); +- } ++ filp = find_readable_file(lock_stp->st_file); ++ if (filp) ++ get_lock_access(lock_stp, NFS4_SHARE_ACCESS_READ); + file_lock.fl_type = F_RDLCK; + break; + case NFS4_WRITE_LT: + case NFS4_WRITEW_LT: +- if (find_writeable_file(lock_stp->st_file)) { +- nfs4_get_vfs_file(rqstp, fp, &cstate->current_fh, NFS4_SHARE_ACCESS_WRITE); +- filp = find_writeable_file(lock_stp->st_file); +- } ++ filp = find_writeable_file(lock_stp->st_file); ++ if (filp) ++ get_lock_access(lock_stp, NFS4_SHARE_ACCESS_WRITE); + file_lock.fl_type = F_WRLCK; + break; + default: diff --git a/queue-2.6.37/nfsd4-minor-nfs4state.c-reshuffling.patch b/queue-2.6.37/nfsd4-minor-nfs4state.c-reshuffling.patch new file mode 100644 index 00000000000..942c750c28f --- /dev/null +++ b/queue-2.6.37/nfsd4-minor-nfs4state.c-reshuffling.patch @@ -0,0 +1,188 @@ +From 529d7b2a7fa31e9f7d08bc790d232c3cbe64fa24 Mon Sep 17 00:00:00 2001 +From: J. Bruce Fields +Date: Wed, 2 Mar 2011 23:48:33 -0500 +Subject: nfsd4: minor nfs4state.c reshuffling + +From: J. Bruce Fields + +commit 529d7b2a7fa31e9f7d08bc790d232c3cbe64fa24 upstream. + +Minor cleanup in preparation for a bugfix--moving some code to avoid +forward references, etc. No change in functionality. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 125 +++++++++++++++++++++++++--------------------------- + 1 file changed, 61 insertions(+), 64 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -327,64 +327,6 @@ static struct list_head unconf_id_hashtb + static struct list_head client_lru; + static struct list_head close_lru; + +-static void unhash_generic_stateid(struct nfs4_stateid *stp) +-{ +- list_del(&stp->st_hash); +- list_del(&stp->st_perfile); +- list_del(&stp->st_perstateowner); +-} +- +-static void free_generic_stateid(struct nfs4_stateid *stp) +-{ +- put_nfs4_file(stp->st_file); +- kmem_cache_free(stateid_slab, stp); +-} +- +-static void release_lock_stateid(struct nfs4_stateid *stp) +-{ +- struct file *file; +- +- unhash_generic_stateid(stp); +- file = find_any_file(stp->st_file); +- if (file) +- locks_remove_posix(file, (fl_owner_t)stp->st_stateowner); +- free_generic_stateid(stp); +-} +- +-static void unhash_lockowner(struct nfs4_stateowner *sop) +-{ +- struct nfs4_stateid *stp; +- +- list_del(&sop->so_idhash); +- list_del(&sop->so_strhash); +- list_del(&sop->so_perstateid); +- while (!list_empty(&sop->so_stateids)) { +- stp = list_first_entry(&sop->so_stateids, +- struct nfs4_stateid, st_perstateowner); +- release_lock_stateid(stp); +- } +-} +- +-static void release_lockowner(struct nfs4_stateowner *sop) +-{ +- unhash_lockowner(sop); +- nfs4_put_stateowner(sop); +-} +- +-static void +-release_stateid_lockowners(struct nfs4_stateid *open_stp) +-{ +- struct nfs4_stateowner *lock_sop; +- +- while (!list_empty(&open_stp->st_lockowners)) { +- lock_sop = list_entry(open_stp->st_lockowners.next, +- struct nfs4_stateowner, so_perstateid); +- /* list_del(&open_stp->st_lockowners); */ +- BUG_ON(lock_sop->so_is_open_owner); +- release_lockowner(lock_sop); +- } +-} +- + /* + * We store the NONE, READ, WRITE, and BOTH bits separately in the + * st_{access,deny}_bmap field of the stateid, in order to track not +@@ -457,6 +399,64 @@ static int nfs4_access_bmap_to_omode(str + return nfs4_access_to_omode(access); + } + ++static void unhash_generic_stateid(struct nfs4_stateid *stp) ++{ ++ list_del(&stp->st_hash); ++ list_del(&stp->st_perfile); ++ list_del(&stp->st_perstateowner); ++} ++ ++static void free_generic_stateid(struct nfs4_stateid *stp) ++{ ++ put_nfs4_file(stp->st_file); ++ kmem_cache_free(stateid_slab, stp); ++} ++ ++static void release_lock_stateid(struct nfs4_stateid *stp) ++{ ++ struct file *file; ++ ++ unhash_generic_stateid(stp); ++ file = find_any_file(stp->st_file); ++ if (file) ++ locks_remove_posix(file, (fl_owner_t)stp->st_stateowner); ++ free_generic_stateid(stp); ++} ++ ++static void unhash_lockowner(struct nfs4_stateowner *sop) ++{ ++ struct nfs4_stateid *stp; ++ ++ list_del(&sop->so_idhash); ++ list_del(&sop->so_strhash); ++ list_del(&sop->so_perstateid); ++ while (!list_empty(&sop->so_stateids)) { ++ stp = list_first_entry(&sop->so_stateids, ++ struct nfs4_stateid, st_perstateowner); ++ release_lock_stateid(stp); ++ } ++} ++ ++static void release_lockowner(struct nfs4_stateowner *sop) ++{ ++ unhash_lockowner(sop); ++ nfs4_put_stateowner(sop); ++} ++ ++static void ++release_stateid_lockowners(struct nfs4_stateid *open_stp) ++{ ++ struct nfs4_stateowner *lock_sop; ++ ++ while (!list_empty(&open_stp->st_lockowners)) { ++ lock_sop = list_entry(open_stp->st_lockowners.next, ++ struct nfs4_stateowner, so_perstateid); ++ /* list_del(&open_stp->st_lockowners); */ ++ BUG_ON(lock_sop->so_is_open_owner); ++ release_lockowner(lock_sop); ++ } ++} ++ + static void release_open_stateid(struct nfs4_stateid *stp) + { + int oflag = nfs4_access_bmap_to_omode(stp); +@@ -3691,7 +3691,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struc + struct file_lock conflock; + __be32 status = 0; + unsigned int strhashval; +- unsigned int cmd; + int err; + + dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n", +@@ -3778,8 +3777,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc + filp = find_readable_file(lock_stp->st_file); + } + file_lock.fl_type = F_RDLCK; +- cmd = F_SETLK; +- break; ++ break; + case NFS4_WRITE_LT: + case NFS4_WRITEW_LT: + if (find_writeable_file(lock_stp->st_file)) { +@@ -3787,8 +3785,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc + filp = find_writeable_file(lock_stp->st_file); + } + file_lock.fl_type = F_WRLCK; +- cmd = F_SETLK; +- break; ++ break; + default: + status = nfserr_inval; + goto out; +@@ -3812,7 +3809,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struc + * Note: locks.c uses the BKL to protect the inode's lock list. + */ + +- err = vfs_lock_file(filp, cmd, &file_lock, &conflock); ++ err = vfs_lock_file(filp, F_SETLK, &file_lock, &conflock); + switch (-err) { + case 0: /* success! */ + update_stateid(&lock_stp->st_stateid); diff --git a/queue-2.6.37/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch b/queue-2.6.37/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch new file mode 100644 index 00000000000..6fef15882df --- /dev/null +++ b/queue-2.6.37/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch @@ -0,0 +1,40 @@ +From 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 Mon Sep 17 00:00:00 2001 +From: Mi Jinlong +Date: Fri, 18 Feb 2011 09:08:31 +0800 +Subject: nfsd41: modify the members value of nfsd4_op_flags + +From: Mi Jinlong + +commit 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 upstream. + +The members of nfsd4_op_flags, (ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS) +equals to ALLOWED_AS_FIRST_OP, maybe that's not what we want. + +OP_PUTROOTFH with op_flags = ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS, +can't appears as the first operation with out SEQUENCE ops. + +This patch modify the wrong value of ALLOWED_WITHOUT_FH etc which +was introduced by f9bb94c4. + +Reviewed-by: Benny Halevy +Signed-off-by: Mi Jinlong +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -954,8 +954,8 @@ typedef __be32(*nfsd4op_func)(struct svc + void *); + enum nfsd4_op_flags { + ALLOWED_WITHOUT_FH = 1 << 0, /* No current filehandle required */ +- ALLOWED_ON_ABSENT_FS = 2 << 0, /* ops processed on absent fs */ +- ALLOWED_AS_FIRST_OP = 3 << 0, /* ops reqired first in compound */ ++ ALLOWED_ON_ABSENT_FS = 1 << 1, /* ops processed on absent fs */ ++ ALLOWED_AS_FIRST_OP = 1 << 2, /* ops reqired first in compound */ + }; + + struct nfsd4_operation { diff --git a/queue-2.6.37/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch b/queue-2.6.37/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch new file mode 100644 index 00000000000..e3f6fde9845 --- /dev/null +++ b/queue-2.6.37/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch @@ -0,0 +1,48 @@ +From 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 23 Mar 2011 16:42:53 -0700 +Subject: proc: protect mm start_code/end_code in /proc/pid/stat + +From: Kees Cook + +commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream. + +While mm->start_stack was protected from cross-uid viewing (commit +f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged +processes")), the start_code and end_code values were not. This would +allow the text location of a PIE binary to leak, defeating ASLR. + +Note that the value "1" is used instead of "0" for a protected value since +"ps", "killall", and likely other readers of /proc/pid/stat, take +start_code of "0" to mean a kernel thread and will misbehave. Thanks to +Brad Spengler for pointing this out. + +Addresses CVE-2011-0726 + +Signed-off-by: Kees Cook +Cc: Alexey Dobriyan +Cc: David Howells +Cc: Eugene Teo +Cc: Martin Schwidefsky +Cc: Brad Spengler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/array.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file + vsize, + mm ? get_mm_rss(mm) : 0, + rsslim, +- mm ? mm->start_code : 0, +- mm ? mm->end_code : 0, ++ mm ? (permitted ? mm->start_code : 1) : 0, ++ mm ? (permitted ? mm->end_code : 1) : 0, + (permitted && mm) ? mm->start_stack : 0, + esp, + eip, diff --git a/queue-2.6.37/procfs-fix-proc-pid-maps-heap-check.patch b/queue-2.6.37/procfs-fix-proc-pid-maps-heap-check.patch new file mode 100644 index 00000000000..1ffb7131d46 --- /dev/null +++ b/queue-2.6.37/procfs-fix-proc-pid-maps-heap-check.patch @@ -0,0 +1,127 @@ +From 0db0c01b53a1a421513f91573241aabafb87802a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 23 Mar 2011 16:42:50 -0700 +Subject: procfs: fix /proc//maps heap check + +From: Aaro Koskinen + +commit 0db0c01b53a1a421513f91573241aabafb87802a upstream. + +The current code fails to print the "[heap]" marking if the heap is split +into multiple mappings. + +Fix the check so that the marking is displayed in all possible cases: + 1. vma matches exactly the heap + 2. the heap vma is merged e.g. with bss + 3. the heap vma is splitted e.g. due to locked pages + +Test cases. In all cases, the process should have mapping(s) with +[heap] marking: + + (1) vma matches exactly the heap + + #include + #include + #include + + int main (void) + { + if (sbrk(4096) != (void *)-1) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test1 + check /proc/553/maps + [1] + Stopped ./test1 + # cat /proc/553/maps | head -4 + 00008000-00009000 r-xp 00000000 01:00 3113640 /test1 + 00010000-00011000 rw-p 00000000 01:00 3113640 /test1 + 00011000-00012000 rw-p 00000000 00:00 0 [heap] + 4006f000-40070000 rw-p 00000000 00:00 0 + + (2) the heap vma is merged + + #include + #include + #include + + char foo[4096] = "foo"; + char bar[4096]; + + int main (void) + { + if (sbrk(4096) != (void *)-1) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test2 + check /proc/556/maps + [2] + Stopped ./test2 + # cat /proc/556/maps | head -4 + 00008000-00009000 r-xp 00000000 01:00 3116312 /test2 + 00010000-00012000 rw-p 00000000 01:00 3116312 /test2 + 00012000-00014000 rw-p 00000000 00:00 0 [heap] + 4004a000-4004b000 rw-p 00000000 00:00 0 + + (3) the heap vma is splitted (this fails without the patch) + + #include + #include + #include + #include + + int main (void) + { + if ((sbrk(4096) != (void *)-1) && !mlockall(MCL_FUTURE) && + (sbrk(4096) != (void *)-1)) { + printf("check /proc/%d/maps\n", (int)getpid()); + while (1) + sleep(1); + } + return 0; + } + + # ./test3 + check /proc/559/maps + [1] + Stopped ./test3 + # cat /proc/559/maps|head -4 + 00008000-00009000 r-xp 00000000 01:00 3119108 /test3 + 00010000-00011000 rw-p 00000000 01:00 3119108 /test3 + 00011000-00012000 rw-p 00000000 00:00 0 [heap] + 00012000-00013000 rw-p 00000000 00:00 0 [heap] + +It looks like the bug has been there forever, and since it only results in +some information missing from a procfile, it does not fulfil the -stable +"critical issue" criteria. + +Signed-off-by: Aaro Koskinen +Reviewed-by: KOSAKI Motohiro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -248,8 +248,8 @@ static void show_map_vma(struct seq_file + const char *name = arch_vma_name(vma); + if (!name) { + if (mm) { +- if (vma->vm_start <= mm->start_brk && +- vma->vm_end >= mm->brk) { ++ if (vma->vm_start <= mm->brk && ++ vma->vm_end >= mm->start_brk) { + name = "[heap]"; + } else if (vma->vm_start <= mm->start_stack && + vma->vm_end >= mm->start_stack) { diff --git a/queue-2.6.37/series b/queue-2.6.37/series index b9cc97d0a68..4e5029a7974 100644 --- a/queue-2.6.37/series +++ b/queue-2.6.37/series @@ -19,3 +19,12 @@ intel_idle-disable-nhm-wsm-hw-c-state-auto-demotion.patch intel_idle-disable-atom-lincroft-hw-c-state-auto-demotion.patch prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch alsa-hda-fix-internal-mic-on-dell-e5420-e5520.patch +ext3-skip-orphan-cleanup-on-rocompat-fs.patch +sysctl-restrict-write-access-to-dmesg_restrict.patch +procfs-fix-proc-pid-maps-heap-check.patch +proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch +fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch +nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch +nfsd4-minor-nfs4state.c-reshuffling.patch +nfsd4-fix-struct-file-leak.patch +nfsd-wrong-index-used-in-inner-loop.patch diff --git a/queue-2.6.37/sysctl-restrict-write-access-to-dmesg_restrict.patch b/queue-2.6.37/sysctl-restrict-write-access-to-dmesg_restrict.patch new file mode 100644 index 00000000000..fbd929b7d1a --- /dev/null +++ b/queue-2.6.37/sysctl-restrict-write-access-to-dmesg_restrict.patch @@ -0,0 +1,76 @@ +From bfdc0b497faa82a0ba2f9dddcf109231dd519fcc Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Wed, 23 Mar 2011 16:43:11 -0700 +Subject: sysctl: restrict write access to dmesg_restrict + +From: Richard Weinberger + +commit bfdc0b497faa82a0ba2f9dddcf109231dd519fcc upstream. + +When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel +ring buffer. But a root user without CAP_SYS_ADMIN is able to reset +dmesg_restrict to 0. + +This is an issue when e.g. LXC (Linux Containers) are used and complete +user space is running without CAP_SYS_ADMIN. A unprivileged and jailed +root user can bypass the dmesg_restrict protection. + +With this patch writing to dmesg_restrict is only allowed when root has +CAP_SYS_ADMIN. + +Signed-off-by: Richard Weinberger +Acked-by: Dan Rosenberg +Acked-by: Serge E. Hallyn +Cc: Eric Paris +Cc: Kees Cook +Cc: James Morris +Cc: Eugene Teo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sysctl.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -168,6 +168,11 @@ static int proc_taint(struct ctl_table * + void __user *buffer, size_t *lenp, loff_t *ppos); + #endif + ++#ifdef CONFIG_PRINTK ++static int proc_dmesg_restrict(struct ctl_table *table, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos); ++#endif ++ + #ifdef CONFIG_MAGIC_SYSRQ + /* Note: sysrq code uses it's own private copy */ + static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE; +@@ -1469,7 +1474,7 @@ static struct ctl_table fs_table[] = { + .data = &suid_dumpable, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec_minmax, ++ .proc_handler = proc_dmesg_restrict, + .extra1 = &zero, + .extra2 = &two, + }, +@@ -2400,6 +2405,17 @@ static int proc_taint(struct ctl_table * + return err; + } + ++#ifdef CONFIG_PRINTK ++static int proc_dmesg_restrict(struct ctl_table *table, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos) ++{ ++ if (write && !capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ return proc_dointvec_minmax(table, write, buffer, lenp, ppos); ++} ++#endif ++ + struct do_proc_dointvec_minmax_conv_param { + int *min; + int *max;