Darcsweb-Url:
http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070711065846-e2957-ad85459ec621306e8f68e2f497dbf301c9c0f077.gz;
[kernel-2.6.20-5terminus7-i686
VMiklos <[EMAIL PROTECTED]>**20070711065846
added CVE-2007-3104.diff
closes #2199
] {
addfile ./source/base/kernel/CVE-2007-3104.diff
hunk ./source/base/kernel/CVE-2007-3104.diff 1
+From: Maneesh Soni <[EMAIL PROTECTED]>
+
+o sysfs_d_iput() is invoked in dentry reclaim path under memory pressure. This
+ happens without i_mutex. It also nullifies s_dentry to indicate that
+ the associated dentry is evicted. sysfs_readdir() accesses the s_dentry,
+ and gets the inode number from the associated dentry->d_inode, if
+ there is one, else it invokes iunique(). This can create a race situation,
+ and crash while accessing the d_inode in sysfs_readdir().
+
+o The race happens when the dentry is getting reclaimed and detached from
+ the corresponding sysfs_dirent though sysfs_dirent is still a valid
+ node. Accessing dentry fields are ok as it is under RCU but the inode is
+ not hence we may see oops accessing dentry->d_inode->i_no.
+
+o The following patch always use i_unique() to get the inode number in
+ sysfs_readdir. This is ok as sysfs doesnot have permanent inode numbering.
+ It could be slower but avoids the oops.
+
+Signed-off-by: Maneesh Soni <[EMAIL PROTECTED]>
+
+Cc: Dipankar Sarma <[EMAIL PROTECTED]>
+Cc: Ethan Solomita <[EMAIL PROTECTED]>
+Cc: Greg KH <[EMAIL PROTECTED]>
+Cc: Martin Bligh <[EMAIL PROTECTED]>
+Cc: Rohit Seth <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+---
+
+ fs/sysfs/dir.c | 5 +----
+ 1 files changed, 1 insertion(+), 4 deletions(-)
+
+diff -puN fs/sysfs/dir.c~fix-sysfs_readdir-oops fs/sysfs/dir.c
+--- a/fs/sysfs/dir.c~fix-sysfs_readdir-oops
++++ a/fs/sysfs/dir.c
+@@ -538,10 +538,7 @@ static int sysfs_readdir(struct file * f
+
+ name = sysfs_get_name(next);
+ len = strlen(name);
+- if (next->s_dentry)
+- ino = next->s_dentry->d_inode->i_ino;
+- else
+- ino = iunique(sysfs_sb, 2);
++ ino = iunique(sysfs_sb, 2);
+
+ if (filldir(dirent, name, len, filp->f_pos, ino,
+ dt_type(next)) < 0)
+_
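Review bot: the replacement line `ino = iunique(sysfs_sb, 2);` in sysfs_readdir() has no comment saying why next->s_dentry is deliberately not consulted, so a later cleanup could reintroduce the unlocked `next->s_dentry->d_inode->i_ino` dereference that the description identifies as the oops. A one-line comment above the assignment, stating that s_dentry can be cleared by sysfs_d_iput() without i_mutex held, would protect the fix. It is also worth recording in that comment that the inode number passed to filldir() is now never the i_ino of an instantiated inode, which the description accepts on the grounds that sysfs has no permanent inode numbering.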
hunk ./source/base/kernel/FrugalBuild 8
-pkgrel=5terminus6
+pkgrel=5terminus7
hunk ./source/base/kernel/FrugalBuild 10
-_F_kernel_patches=(CVE-2007-2525.diff CVE-2007-2878.diff)
+_F_kernel_patches=(CVE-2007-2525.diff CVE-2007-2878.diff CVE-2007-3104.diff)
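Review bot: CVE-2007-3104.diff is appended to _F_kernel_patches unchanged, and its file headers read `--- a/fs/sysfs/dir.c~fix-sysfs_readdir-oops` and `+++ a/fs/sysfs/dir.c`, with a trailing `_` line after the hunk, rather than an a/ and b/ pair. Confirm that the build applies it cleanly at the strip level used for the two existing entries. A short comment in the FrugalBuild naming the patch's origin would also help, since the commit message gives only the CVE id and the ticket number.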
}
_______________________________________________
Frugalware-darcs mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-darcs