[arch-commits] CVS update of core/base/kernel26 (PKGBUILD pre-2.6.24.2.patch)

Sun Feb 10 15:02:39 UTC 2008

Date: Sunday, February 10, 2008 @ 10:02:39
  Author: tpowa
    Path: /home/cvs-core/core/base/kernel26

   Added: pre-2.6.24.2.patch (1.1)
Modified: PKGBUILD (1.289 -> 1.290)

'upgpgk: added fix for root exploit and latest stable patches from greg kroah repository'


--------------------+
 PKGBUILD           |   11 -
 pre-2.6.24.2.patch |  415 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 423 insertions(+), 3 deletions(-)


Index: core/base/kernel26/PKGBUILD
diff -u core/base/kernel26/PKGBUILD:1.289 core/base/kernel26/PKGBUILD:1.290

--- core/base/kernel26/PKGBUILD:1.289	Fri Feb  8 17:23:24 2008
+++ core/base/kernel26/PKGBUILD	Sun Feb 10 10:02:38 2008
@@ -1,10 +1,10 @@
-# $Id: PKGBUILD,v 1.289 2008/02/08 22:23:24 tpowa Exp $
+# $Id: PKGBUILD,v 1.290 2008/02/10 15:02:38 tpowa Exp $
 # Maintainer: Tobias Powalowski <tpowa at archlinux.org>
 # Maintainer: Thomas Baechler <thomas at archlinux.org>
 pkgname=kernel26
 _basekernel=2.6.24
 pkgver=2.6.24.1
-pkgrel=1
+pkgrel=2
 pkgdesc="The Linux Kernel and modules"
 arch=(i686 x86_64)
 license=('GPL2')
@@ -22,6 +22,7 @@
 install=kernel26.install
 source=(ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_basekernel.tar.bz2
 	ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
+	pre-2.6.24.2.patch
 	### next two lines only needed for rc kernel building
 	#http://www.kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.24-rc6.bz2
 	#http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.24-rc6-git2.bz2
@@ -61,6 +62,7 @@
 )
 md5sums=('3f23ad4b69d0a552042d1ed0f4399857'
          '86d55d5080217b2e79e0fff227218cd1'
+         '276c1c801605b39dfab5badddbf97c66'
          '97c28c42ef2bbf8c9c6464a1e09eaf90'
          '3a2693f2793fd1a968a750dbf154ab57'
          '6a5a1925501fe20fafd04fdb3cb4f6ed'
@@ -88,7 +90,10 @@
   cd $startdir/src/linux-$_basekernel
   # add upstream patch from 2.6.24 series
   patch -Np1 -i ../patch-$pkgver || return 1
- 
+
+  # add queued patches for 2.6.24 series
+  #http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
+  patch -Np1 -i ../pre-2.6.24.2.patch || return 1
   ### next 2 lines are only needed for rc kernels
   #patch -Np1 -i ../patch-$pkgver-rc6 || return 1
   #patch -Np1 -i ../patch-2.6.24-rc6-git2 || return 1
Index: core/base/kernel26/pre-2.6.24.2.patch
diff -u /dev/null core/base/kernel26/pre-2.6.24.2.patch:1.1
--- /dev/null	Sun Feb 10 10:02:39 2008
+++ core/base/kernel26/pre-2.6.24.2.patch	Sun Feb 10 10:02:39 2008
@@ -0,0 +1,415 @@
+diff --git a/fs/splice.c b/fs/splice.c
+index 14e2262..80beb2b 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1237,6 +1237,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+ 		if (unlikely(!base))
+ 			break;
+ 
++		if (!access_ok(VERIFY_READ, base, len)) {
++			error = -EFAULT;
++			break;
++		}
++
+ 		/*
+ 		 * Get this base offset and number of pages, then map
+ 		 * in the user pages.
+ 
+From stable-bounces at linux.kernel.org Fri Feb  8 11:02:37 2008
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Fri, 08 Feb 2008 14:01:02 -0500
+Subject: NFS: Fix a potential file corruption issue when writing
+To: stable at kernel.org
+Message-ID: <1202497262.8383.8.camel at heimdal.trondhjem.org>
+
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+patch 5d47a35600270e7115061cb1320ee60ae9bcb6b8 in mainline.
+
+If the inode is flagged as having an invalid mapping, then we can't rely on
+the PageUptodate() flag. Ensure that we don't use the "anti-fragmentation"
+write optimisation in nfs_updatepage(), since that will cause NFS to write
+out areas of the page that are no longer guaranteed to be up to date.
+
+A potential corruption could occur in the following scenario:
+
+client 1			client 2
+===============			===============
+				fd=open("f",O_CREAT|O_WRONLY,0644);
+				write(fd,"fubar\n",6);	// cache last page
+				close(fd);
+fd=open("f",O_WRONLY|O_APPEND);
+write(fd,"foo\n",4);
+close(fd);
+
+				fd=open("f",O_WRONLY|O_APPEND);
+				write(fd,"bar\n",4);
+				close(fd);
+-----
+The bug may lead to the file "f" reading 'fubar\n\0\0\0\nbar\n' because
+client 2 does not update the cached page after re-opening the file for
+write. Instead it keeps it marked as PageUptodate() until someone calls
+invalidate_inode_pages2() (typically by calling read()).
+
+The bug was introduced by commit 44b11874ff583b6e766a05856b04f3c492c32b84
+"NFS: Separate metadata and page cache revalidation mechanisms"
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/nfs/write.c |   20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -701,6 +701,17 @@ int nfs_flush_incompatible(struct file *
+ }
+ 
+ /*
++ * If the page cache is marked as unsafe or invalid, then we can't rely on
++ * the PageUptodate() flag. In this case, we will need to turn off
++ * write optimisations that depend on the page contents being correct.
++ */
++static int nfs_write_pageuptodate(struct page *page, struct inode *inode)
++{
++	return PageUptodate(page) &&
++		!(NFS_I(inode)->cache_validity & (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA));
++}
++
++/*
+  * Update and possibly write a cached page of an NFS file.
+  *
+  * XXX: Keep an eye on generic_file_read to make sure it doesn't do bad
+@@ -721,10 +732,13 @@ int nfs_updatepage(struct file *file, st
+ 		(long long)(page_offset(page) +offset));
+ 
+ 	/* If we're not using byte range locks, and we know the page
+-	 * is entirely in cache, it may be more efficient to avoid
+-	 * fragmenting write requests.
++	 * is up to date, it may be more efficient to extend the write
++	 * to cover the entire page in order to avoid fragmentation
++	 * inefficiencies.
+ 	 */
+-	if (PageUptodate(page) && inode->i_flock == NULL && !(file->f_mode & O_SYNC)) {
++	if (nfs_write_pageuptodate(page, inode) &&
++			inode->i_flock == NULL &&
++			!(file->f_mode & O_SYNC)) {
+ 		count = max(count + offset, nfs_page_length(page));
+ 		offset = 0;
+ 	}
+From stable-bounces at linux.kernel.org Fri Feb  8 04:19:02 2008
+From: Ulisses Furquim <ulissesf at gmail.com>
+Date: Fri, 08 Feb 2008 04:18:16 -0800
+Subject: inotify: fix check for one-shot watches before destroying them
+To: torvalds at linux-foundation.org
+Cc: rlove at google.com, clem.taylor at gmail.com, stable at kernel.org, amy.griffis at hp.com, ttb at tentacle.dhs.org, akpm at linux-foundation.org, ulissesf at gmail.com
+Message-ID: <200802081217.m18CHvXc023553 at imap1.linux-foundation.org>
+
+From: Ulisses Furquim <ulissesf at gmail.com>
+
+patch ac74c00e499ed276a965e5b5600667d5dc04a84a in mainline.
+
+As the IN_ONESHOT bit is never set when an event is sent we must check it
+in the watch's mask and not in the event's mask.
+
+Signed-off-by: Ulisses Furquim <ulissesf at gmail.com>
+Reported-by: "Clem Taylor" <clem.taylor at gmail.com>
+Tested-by: "Clem Taylor" <clem.taylor at gmail.com>
+Cc: Amy Griffis <amy.griffis at hp.com>
+Cc: Robert Love <rlove at google.com>
+Cc: John McCutchan <ttb at tentacle.dhs.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+
+---
+ fs/inotify_user.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/inotify_user.c
++++ b/fs/inotify_user.c
+@@ -269,7 +269,7 @@ static void inotify_dev_queue_event(stru
+ 	/* we can safely put the watch as we don't reference it while
+ 	 * generating the event
+ 	 */
+-	if (mask & IN_IGNORED || mask & IN_ONESHOT)
++	if (mask & IN_IGNORED || w->mask & IN_ONESHOT)
+ 		put_inotify_watch(w); /* final put */
+ 
+ 	/* coalescing: drop this event if it is a dupe of the previous */
+From stable-bounces at linux.kernel.org Fri Feb  8 04:19:17 2008
+From: Nishanth Aravamudan <nacc at us.ibm.com>
+Date: Fri, 08 Feb 2008 04:18:18 -0800
+Subject: hugetlb: add locking for overcommit sysctl
+To: torvalds at linux-foundation.org
+Cc: wli at holomorphy.com, agl at us.ibm.com, nacc at us.ibm.com, akpm at linux-foundation.org, stable at kernel.org, david at gibson.dropbear.id.au
+Message-ID: <200802081217.m18CHxwe023557 at imap1.linux-foundation.org>
+
+
+From: Nishanth Aravamudan <nacc at us.ibm.com>
+
+patch a3d0c6aa1bb342b9b2c7b123b52ac2f48a4d4d0a in mainline.
+
+When I replaced hugetlb_dynamic_pool with nr_overcommit_hugepages I used
+proc_doulongvec_minmax() directly.  However, hugetlb.c's locking rules
+require that all counter modifications occur under the hugetlb_lock.  Add a
+callback into the hugetlb code similar to the one for nr_hugepages.  Grab
+the lock around the manipulation of nr_overcommit_hugepages in
+proc_doulongvec_minmax().
+
+Signed-off-by: Nishanth Aravamudan <nacc at us.ibm.com>
+Acked-by: Adam Litke <agl at us.ibm.com>
+Cc: David Gibson <david at gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli at holomorphy.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+
+---
+ include/linux/hugetlb.h |    1 +
+ kernel/sysctl.c         |    2 +-
+ mm/hugetlb.c            |   10 ++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -17,6 +17,7 @@ static inline int is_vm_hugetlb_page(str
+ }
+ 
+ int hugetlb_sysctl_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
++int hugetlb_overcommit_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
+ int hugetlb_treat_movable_handler(struct ctl_table *, int, struct file *, void __user *, size_t *, loff_t *);
+ int copy_hugetlb_page_range(struct mm_struct *, struct mm_struct *, struct vm_area_struct *);
+ int follow_hugetlb_page(struct mm_struct *, struct vm_area_struct *, struct page **, struct vm_area_struct **, unsigned long *, int *, int, int);
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -910,7 +910,7 @@ static struct ctl_table vm_table[] = {
+ 		.data		= &nr_overcommit_huge_pages,
+ 		.maxlen		= sizeof(nr_overcommit_huge_pages),
+ 		.mode		= 0644,
+-		.proc_handler	= &proc_doulongvec_minmax,
++		.proc_handler	= &hugetlb_overcommit_handler,
+ 	},
+ #endif
+ 	{
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -605,6 +605,16 @@ int hugetlb_treat_movable_handler(struct
+ 	return 0;
+ }
+ 
++int hugetlb_overcommit_handler(struct ctl_table *table, int write,
++			struct file *file, void __user *buffer,
++			size_t *length, loff_t *ppos)
++{
++	spin_lock(&hugetlb_lock);
++	proc_doulongvec_minmax(table, write, file, buffer, length, ppos);
++	spin_unlock(&hugetlb_lock);
++	return 0;
++}
++
+ #endif /* CONFIG_SYSCTL */
+ 
+ int hugetlb_report_meminfo(char *buf)
+From stable-bounces at linux.kernel.org Fri Feb  8 04:30:29 2008
+From: Jan Kara <jack at suse.cz>
+Date: Fri, 08 Feb 2008 04:22:13 -0800
+Subject: quota: turn quotas off when remounting read-only
+To: torvalds at linux-foundation.org
+Cc: akpm at linux-foundation.org, jack at suse.cz, stable at kernel.org
+Message-ID: <200802081221.m18CLtGt024628 at imap1.linux-foundation.org>
+
+
+From: Jan Kara <jack at suse.cz>
+
+patch 66191dc622f5ff0a541524c4e96fdacfacfda206 in mainline.
+
+Turn off quotas before filesystem is remounted read only.  Otherwise quota
+will try to write to read-only filesystem which does no good...  We could
+also just refuse to remount ro when quota is enabled but turning quota off
+is consistent with what we do on umount.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/super.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -603,6 +603,7 @@ int do_remount_sb(struct super_block *sb
+ 			mark_files_ro(sb);
+ 		else if (!fs_may_remount_ro(sb))
+ 			return -EBUSY;
++		DQUOT_OFF(sb);
+ 	}
+ 
+ 	if (sb->s_op->remount_fs) {
+From stable-bounces at linux.kernel.org Tue Feb  5 15:52:50 2008
+From: David Chinner <dgc at sgi.com>
+Date: Wed, 6 Feb 2008 10:52:15 +1100
+Subject: XFS: Fix oops in xfs_file_readdir()
+To: stable at kernel.org
+Cc: greg at kroah.com, chris at sous-sol.org
+Message-ID: <20080205235215.GY155259 at sgi.com>
+Content-Disposition: inline
+
+From: David Chinner <dgc at sgi.com>
+
+patch 450790a2c51e6d9d47ed30dbdcf486656b8e186f in mainline.
+
+Several occurrences of oops in xfs_file_readdir() on ia32 have been
+reported since 2.6.24 was released. This is a regression introduced
+in 2.6.24 and is relatively easy to hit. The patch below fixes the
+problem.
+
+
+Signed-off-by: Dave Chinner <dgc at sgi.com>
+Signed-off-by: Lachlan McIlroy <lachlan at sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/xfs/linux-2.6/xfs_file.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/xfs/linux-2.6/xfs_file.c
++++ b/fs/xfs/linux-2.6/xfs_file.c
+@@ -350,8 +350,8 @@ xfs_file_readdir(
+ 
+ 		size = buf.used;
+ 		de = (struct hack_dirent *)buf.dirent;
+-		curr_offset = de->offset /* & 0x7fffffff */;
+ 		while (size > 0) {
++			curr_offset = de->offset /* & 0x7fffffff */;
+ 			if (filldir(dirent, de->name, de->namlen,
+ 					curr_offset & 0x7fffffff,
+ 					de->ino, de->d_type)) {
+@@ -362,7 +362,6 @@ xfs_file_readdir(
+ 				       sizeof(u64));
+ 			size -= reclen;
+ 			de = (struct hack_dirent *)((char *)de + reclen);
+-			curr_offset = de->offset /* & 0x7fffffff */;
+ 		}
+ 	}
+ 
+From stable-bounces at linux.kernel.org Thu Jan 31 23:06:27 2008
+From: Al Viro <viro at ZenIV.linux.org.uk>
+Date: Fri, 1 Feb 2008 07:05:44 +0000
+Subject: Fix dl2k constants
+To: Jeff Garzik <jgarzik at pobox.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>, stable at kernel.org
+Message-ID: <20080201070544.GL27894 at ZenIV.linux.org.uk>
+Content-Disposition: inline
+
+
+patch 9c52fab2f187636b39afb0dcf562872ed42ab608 in mainline.
+
+The MSSR constants didn't match the reality - bitfield declarations
+used to be correct (1000BT_FD - bit 11, 1000BT_HD - bit 10), but enum
+had them the other way round.  Went unnoticed until the switch from
+the bitfields use to the explicit arithmetics and I hadn't caught that one
+when verifying correctness of change...
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/net/dl2k.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -388,8 +388,8 @@ enum _mii_mssr {
+ 	MII_MSSR_CFG_RES = 0x4000,
+ 	MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
+ 	MII_MSSR_REMOTE_RCVR = 0x1000,
+-	MII_MSSR_LP_1000BT_HD = 0x0800,
+-	MII_MSSR_LP_1000BT_FD = 0x0400,
++	MII_MSSR_LP_1000BT_FD = 0x0800,
++	MII_MSSR_LP_1000BT_HD = 0x0400,
+ 	MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
+ };
+ 
+From 366c246de9cec909c5eba4f784c92d1e75b4dc38 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley at HansenPartnership.com>
+Date: Sat, 2 Feb 2008 16:06:23 -0600
+Subject: SCSI: sd: handle bad lba in sense information
+
+From: James Bottomley <James.Bottomley at HansenPartnership.com>
+
+patch 366c246de9cec909c5eba4f784c92d1e75b4dc38 in mainline.
+
+Some devices report medium error locations incorrectly.  Add guards to
+make sure the reported bad lba is actually in the request that caused
+it.  Additionally remove the large case statment for sector sizes and
+replace it with the proper u64 divisions.
+
+Tested-by: Mike Snitzer <snitzer at gmail.com>
+Cc: Stable Tree <stable at kernel.org>
+Cc: Tony Battersby <tonyb at cybernetics.com>
+Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ drivers/scsi/sd.c |   34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -907,6 +907,7 @@ static int sd_done(struct scsi_cmnd *SCp
+  	unsigned int xfer_size = SCpnt->request_bufflen;
+  	unsigned int good_bytes = result ? 0 : xfer_size;
+  	u64 start_lba = SCpnt->request->sector;
++	u64 end_lba = SCpnt->request->sector + (xfer_size / 512);
+  	u64 bad_lba;
+ 	struct scsi_sense_hdr sshdr;
+ 	int sense_valid = 0;
+@@ -945,26 +946,23 @@ static int sd_done(struct scsi_cmnd *SCp
+ 			goto out;
+ 		if (xfer_size <= SCpnt->device->sector_size)
+ 			goto out;
+-		switch (SCpnt->device->sector_size) {
+-		case 256:
++		if (SCpnt->device->sector_size < 512) {
++			/* only legitimate sector_size here is 256 */
+ 			start_lba <<= 1;
+-			break;
+-		case 512:
+-			break;
+-		case 1024:
+-			start_lba >>= 1;
+-			break;
+-		case 2048:
+-			start_lba >>= 2;
+-			break;
+-		case 4096:
+-			start_lba >>= 3;
+-			break;
+-		default:
+-			/* Print something here with limiting frequency. */
+-			goto out;
+-			break;
++			end_lba <<= 1;
++		} else {
++			/* be careful ... don't want any overflows */
++			u64 factor = SCpnt->device->sector_size / 512;
++			do_div(start_lba, factor);
++			do_div(end_lba, factor);
+ 		}
++
++		if (bad_lba < start_lba  || bad_lba >= end_lba)
++			/* the bad lba was reported incorrectly, we have
++			 * no idea where the error is
++			 */
++			goto out;
++
+ 		/* This computation should always be done in terms of
+ 		 * the resolution of the device's medium.
+ 		 */


