Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=e54392082454befb312bc1ddd3400348d144889a

commit e54392082454befb312bc1ddd3400348d144889a
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Sat Dec 25 02:50:35 2010 +0100

kernel-2.6.36-4-i686

- bump to 2.6.36.2 and fix a systemd-related oops

diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index 1183cc0..6327073 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -4,9 +4,7 @@
USE_DEVEL=${USE_DEVEL:-"n"}

if ! Fuse $USE_DEVEL; then
-       
_F_kernel_patches=(econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
 \
-       econet-fix-cve-2010-3848.patch \
-       econet-fix-cve-2010-3850.patch)
+       
_F_kernel_patches=(sched-cgroup-use-exit-hook-to-avoid-use-after-free-c.patch)
else
# example for a tagged rc release: 2.6.32.rc5
# example for a random snapshot (based on git describe output): 
2.6.32.rc5.81.g964fe08
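Review bot: The new `_F_kernel_patches` line drops all three econet CVE fixes (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850), and neither the commit message nor FrugalBuild records that the 2.6.36.2 base already contains them. The removed patch files are in stable-queue form (each names an upstream commit and carries a -stable maintainer sign-off), so they were presumably merged into 2.6.36.2, but that should be confirmed against the 2.6.36.2 changelog before the package ships. The replacement patch names no upstream commit, so I would add a comment above the assignment such as `# sched-cgroup-*: posted fix, no upstream commit id yet; drop once a -stable release carries it`. The `if ! Fuse $USE_DEVEL` block continues outside the hunk.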
diff --git 
a/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
 
b/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
deleted file mode 100644
index 0382d9c..0000000
--- 
a/source/base/kernel/econet-disallow-null-remote-addr-for-sendmsg-fixes-cve-2010-3849.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <ph...@gnu.org>
-Date: Wed, 24 Nov 2010 11:49:19 -0800
-Subject: econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
-
-From: Phil Blundell <ph...@gnu.org>
-
-commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
-
-Later parts of econet_sendmsg() rely on saddr != NULL, so return early
-with EINVAL if NULL was passed otherwise an oops may occur.
-
-Signed-off-by: Phil Blundell <ph...@gnu.org>
-Signed-off-by: David S. Miller <da...@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
-
----
- net/econet/af_econet.c |   26 ++++++++------------------
- 1 file changed, 8 insertions(+), 18 deletions(-)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *
-
-       mutex_lock(&econet_mutex);
-
--      if (saddr == NULL) {
--              struct econet_sock *eo = ec_sk(sk);
--
--              addr.station = eo->station;
--              addr.net     = eo->net;
--              port         = eo->port;
--              cb           = eo->cb;
--      } else {
--              if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
--                      mutex_unlock(&econet_mutex);
--                      return -EINVAL;
--              }
--              addr.station = saddr->addr.station;
--              addr.net = saddr->addr.net;
--              port = saddr->port;
--              cb = saddr->cb;
--      }
-+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-+                mutex_unlock(&econet_mutex);
-+                return -EINVAL;
-+        }
-+        addr.station = saddr->addr.station;
-+        addr.net = saddr->addr.net;
-+        port = saddr->port;
-+        cb = saddr->cb;
-
-       /* Look for a device with the right network number. */
-       dev = net2dev_map[addr.net];
-@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *
-
-               eb = (struct ec_cb *)&skb->cb;
-
--              /* BUG: saddr may be NULL */
-               eb->cookie = saddr->cookie;
-               eb->sec = *saddr;
-               eb->sent = ec_tx_done;
diff --git a/source/base/kernel/econet-fix-cve-2010-3848.patch 
b/source/base/kernel/econet-fix-cve-2010-3848.patch
deleted file mode 100644
index 5af7858..0000000
--- a/source/base/kernel/econet-fix-cve-2010-3848.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From a27e13d370415add3487949c60810e36069a23a6 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <ph...@gnu.org>
-Date: Wed, 24 Nov 2010 11:51:47 -0800
-Subject: econet: fix CVE-2010-3848
-
-From: Phil Blundell <ph...@gnu.org>
-
-commit a27e13d370415add3487949c60810e36069a23a6 upstream.
-
-Don't declare variable sized array of iovecs on the stack since this
-could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
-the user-supplied data into a new buffer and use a single iovec for it.
-
-Signed-off-by: Phil Blundell <ph...@gnu.org>
-Signed-off-by: David S. Miller <da...@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
-
----
- net/econet/af_econet.c |   62 
++++++++++++++++++++++++-------------------------
- 1 file changed, 31 insertions(+), 31 deletions(-)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -31,6 +31,7 @@
- #include <linux/skbuff.h>
- #include <linux/udp.h>
- #include <linux/slab.h>
-+#include <linux/vmalloc.h>
- #include <net/sock.h>
- #include <net/inet_common.h>
- #include <linux/stat.h>
-@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *
- #endif
- #ifdef CONFIG_ECONET_AUNUDP
-       struct msghdr udpmsg;
--      struct iovec iov[msg->msg_iovlen+1];
-+      struct iovec iov[2];
-       struct aunhdr ah;
-       struct sockaddr_in udpdest;
-       __kernel_size_t size;
--      int i;
-       mm_segment_t oldfs;
-+      char *userbuf;
- #endif
-
-       /*
-@@ -319,17 +320,17 @@ static int econet_sendmsg(struct kiocb *
-               }
-       }
-
--      if (len + 15 > dev->mtu) {
--              mutex_unlock(&econet_mutex);
--              return -EMSGSIZE;
--      }
--
-       if (dev->type == ARPHRD_ECONET) {
-               /* Real hardware Econet.  We're not worthy etc. */
- #ifdef CONFIG_ECONET_NATIVE
-               unsigned short proto = 0;
-               int res;
-
-+              if (len + 15 > dev->mtu) {
-+                      mutex_unlock(&econet_mutex);
-+                      return -EMSGSIZE;
-+              }
-+
-               dev_hold(dev);
-
-               skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
-@@ -405,6 +406,11 @@ static int econet_sendmsg(struct kiocb *
-               return -ENETDOWN;               /* No socket - can't send */
-       }
-
-+      if (len > 32768) {
-+              err = -E2BIG;
-+              goto error;
-+      }
-+
-       /* Make up a UDP datagram and hand it off to some higher intellect. */
-
-       memset(&udpdest, 0, sizeof(udpdest));
-@@ -436,36 +442,26 @@ static int econet_sendmsg(struct kiocb *
-
-       /* tack our header on the front of the iovec */
-       size = sizeof(struct aunhdr);
--      /*
--       * XXX: that is b0rken.  We can't mix userland and kernel pointers
--       * in iovec, since on a lot of platforms copy_from_user() will
--       * *not* work with the kernel and userland ones at the same time,
--       * regardless of what we do with set_fs().  And we are talking about
--       * econet-over-ethernet here, so "it's only ARM anyway" doesn't
--       * apply.  Any suggestions on fixing that code?         -- AV
--       */
-       iov[0].iov_base = (void *)&ah;
-       iov[0].iov_len = size;
--      for (i = 0; i < msg->msg_iovlen; i++) {
--              void __user *base = msg->msg_iov[i].iov_base;
--              size_t iov_len = msg->msg_iov[i].iov_len;
--              /* Check it now since we switch to KERNEL_DS later. */
--              if (!access_ok(VERIFY_READ, base, iov_len)) {
--                      mutex_unlock(&econet_mutex);
--                      return -EFAULT;
--              }
--              iov[i+1].iov_base = base;
--              iov[i+1].iov_len = iov_len;
--              size += iov_len;
-+
-+      userbuf = vmalloc(len);
-+      if (userbuf == NULL) {
-+              err = -ENOMEM;
-+              goto error;
-       }
-
-+      iov[1].iov_base = userbuf;
-+      iov[1].iov_len = len;
-+      err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
-+      if (err)
-+              goto error_free_buf;
-+
-       /* Get a skbuff (no data, just holds our cb information) */
-       if ((skb = sock_alloc_send_skb(sk, 0,
-                                      msg->msg_flags & MSG_DONTWAIT,
--                                     &err)) == NULL) {
--              mutex_unlock(&econet_mutex);
--              return err;
--      }
-+                                     &err)) == NULL)
-+              goto error_free_buf;
-
-       eb = (struct ec_cb *)&skb->cb;
-
-@@ -481,7 +477,7 @@ static int econet_sendmsg(struct kiocb *
-       udpmsg.msg_name = (void *)&udpdest;
-       udpmsg.msg_namelen = sizeof(udpdest);
-       udpmsg.msg_iov = &iov[0];
--      udpmsg.msg_iovlen = msg->msg_iovlen + 1;
-+      udpmsg.msg_iovlen = 2;
-       udpmsg.msg_control = NULL;
-       udpmsg.msg_controllen = 0;
-       udpmsg.msg_flags=0;
-@@ -489,9 +485,13 @@ static int econet_sendmsg(struct kiocb *
-       oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
-       err = sock_sendmsg(udpsock, &udpmsg, size);
-       set_fs(oldfs);
-+
-+error_free_buf:
-+      vfree(userbuf);
- #else
-       err = -EPROTOTYPE;
- #endif
-+      error:
-       mutex_unlock(&econet_mutex);
-
-       return err;
diff --git a/source/base/kernel/econet-fix-cve-2010-3850.patch 
b/source/base/kernel/econet-fix-cve-2010-3850.patch
deleted file mode 100644
index 08d9904..0000000
--- a/source/base/kernel/econet-fix-cve-2010-3850.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 16c41745c7b92a243d0874f534c1655196c64b74 Mon Sep 17 00:00:00 2001
-From: Phil Blundell <ph...@gnu.org>
-Date: Wed, 24 Nov 2010 11:49:53 -0800
-Subject: econet: fix CVE-2010-3850
-
-From: Phil Blundell <ph...@gnu.org>
-
-commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
-
-Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
-
-Signed-off-by: Phil Blundell <ph...@gnu.org>
-Signed-off-by: David S. Miller <da...@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
-
----
- net/econet/af_econet.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/econet/af_econet.c
-+++ b/net/econet/af_econet.c
-@@ -661,6 +661,9 @@ static int ec_dev_ioctl(struct socket *s
-       err = 0;
-       switch (cmd) {
-       case SIOCSIFADDR:
-+              if (!capable(CAP_NET_ADMIN))
-+                      return -EPERM;
-+
-               edev = dev->ec_ptr;
-               if (edev == NULL) {
-                       /* Magic up a new one. */
diff --git 
a/source/base/kernel/sched-cgroup-use-exit-hook-to-avoid-use-after-free-c.patch 
b/source/base/kernel/sched-cgroup-use-exit-hook-to-avoid-use-after-free-c.patch
new file mode 100644
index 0000000..c8d9302
--- /dev/null
+++ 
b/source/base/kernel/sched-cgroup-use-exit-hook-to-avoid-use-after-free-c.patch
@@ -0,0 +1,56 @@
+From 497c0f9c12d1582b6492960f67ef28bec6584e0f Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <a.p.zijls...@chello.nl>
+Date: Fri, 24 Dec 2010 17:43:02 +0100
+Subject: [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash
+
+By not notifying the controller of the on-exit move back to
+init_css_set, we fail to move the task out of the previous cgroup's
+cfs_rq. This leads to an opportunity for a cgroup-destroy to come in and
+free the cgroup (there are no active tasks left in it after all) to
+which the not-quite dead task is still enqueued.
+
+Cc: sta...@kernel.org
+Reported-and-tested-by: Miklos Vajna <vmik...@frugalware.org>
+Signed-off-by: Peter Zijlstra <a.p.zijls...@chello.nl>
+---
+ kernel/sched.c |   10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/kernel/sched.c b/kernel/sched.c
+index dc85ceb..ab869f7 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -614,6 +614,9 @@ static inline struct task_group *task_group(struct 
task_struct *p)
+ {
+       struct cgroup_subsys_state *css;
+
++       if (p->flags & PF_EXITING)
++               return &root_task_group;
++
+       css = task_subsys_state_check(p, cpu_cgroup_subsys_id,
+                       lockdep_is_held(&task_rq(p)->lock));
+       return container_of(css, struct task_group, css);
+@@ -8763,6 +8766,12 @@ cpu_cgroup_attach(struct cgroup_subsys *ss, struct 
cgroup *cgrp,
+       }
+ }
+
++static void
++cpu_cgroup_exit(struct cgroup_subsys *ss, struct task_struct *task)
++{
++       sched_move_task(task);
++}
++
+ #ifdef CONFIG_FAIR_GROUP_SCHED
+ static int cpu_shares_write_u64(struct cgroup *cgrp, struct cftype *cftype,
+                               u64 shareval)
+@@ -8835,6 +8844,7 @@ struct cgroup_subsys cpu_cgroup_subsys = {
+       .destroy        = cpu_cgroup_destroy,
+       .can_attach     = cpu_cgroup_can_attach,
+       .attach         = cpu_cgroup_attach,
++       .exit           = cpu_cgroup_exit,
+       .populate       = cpu_cgroup_populate,
+       .subsys_id      = cpu_cgroup_subsys_id,
+       .early_init     = 1,
+--
+1.7.3.4
+
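Review bot: `cpu_cgroup_exit()` in the added patch calls `sched_move_task(task)` unconditionally and carries no comment, while the matching short-circuit in `task_group()` only applies to tasks with `PF_EXITING` set. Whether the cgroup exit hook can run for a task without that flag (for instance when a fork is unwound) is not visible here and should be checked in the cgroup core of this kernel version. If it can, a guard such as `if (!(task->flags & PF_EXITING)) return;` before the move would keep the two pieces consistent. Either way, a one-line comment stating which callers reach the hook would help when this is rebased onto the merged upstream version. The body of `task_group()` continues outside the inner hunk.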
diff --git a/source/include/kernel-version.sh b/source/include/kernel-version.sh
index 48ab1c8..174ac28 100644
--- a/source/include/kernel-version.sh
+++ b/source/include/kernel-version.sh
@@ -16,8 +16,8 @@
# * _F_kernelver_stable: the number of the -stable patch to use (if any)
###
_F_kernelver_ver=2.6.36
-_F_kernelver_rel=3
-_F_kernelver_stable=1
+_F_kernelver_rel=4
+_F_kernelver_stable=2

###
# == APPENDED VALUES