Hello community,
here is the log from the commit of package kernel-source for openSUSE:11.3
checked in at Tue Oct 25 23:35:49 CEST 2011.
--------
--- old-versions/11.3/UPDATES/all/kernel-source/kernel-debug.changes 2011-07-21 07:02:45.000000000 +0200
+++ 11.3/kernel-source/kernel-debug.changes 2011-10-24 17:22:05.000000000 +0200
@@ -1,0 +2,116 @@
+Wed Oct 19 22:09:05 CEST 2011 - mszeredi@suse.cz
+
+- patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch:
+ Ecryptfs: Add mount option to check uid of device being mounted
+ = expect uid (bnc#711539 CVE-2011-1833).
+
+-------------------------------------------------------------------
+Tue Oct 11 14:56:41 CEST 2011 - jbeulich@novell.com
+
+- patches.xen/xen-netback-multiple-tasklets: Refresh (bnc#719117).
+- patches.xen/xen-netback-kernel-threads: Refresh.
+
+-------------------------------------------------------------------
+Thu Oct 6 22:17:01 CEST 2011 - jdelvare@suse.de
+
+- patches.fixes/drm-radeon-kms-fix-i2c-masks.patch:
+ drm/radeon/kms: Fix I2C mask definitions (bnc#712023).
+
+-------------------------------------------------------------------
+Thu Oct 6 15:36:13 CEST 2011 - jack@suse.cz
+
+- patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch:
+ ext4: Fix max file size and logical block counting of extent
+ format file (bnc#706374).
+
+-------------------------------------------------------------------
+Mon Oct 3 18:35:04 CEST 2011 - sjayaraman@suse.de
+
+- patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch:
+ cifs: add fallback in is_path_accessible for old servers
+ (bnc#718028).
+
+-------------------------------------------------------------------
+Fri Sep 30 08:52:47 CEST 2011 - jdelvare@suse.de
+
+- series.conf: Disable
+ patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch
+ for now, it is causing a regression (bnc#712023).
+
+-------------------------------------------------------------------
+Thu Sep 29 02:21:19 CEST 2011 - tonyj@suse.de
+
+- patches.fixes/perf_software_event_overflow.patch: perf: Fix
+ software event overflow (bnc#712366, CVE-2011-2918).
+
+-------------------------------------------------------------------
+Fri Sep 23 11:34:36 CEST 2011 - mszeredi@suse.cz
+
+- patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch:
+ fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message (bnc#716901
+ CVE-2011-3353).
+
+-------------------------------------------------------------------
+Sun Sep 18 22:18:43 CEST 2011 - sjayaraman@suse.de
+
+- patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch:
+ Update references (bnc#718028, CVE-2011-3363).
+
+-------------------------------------------------------------------
+Sun Sep 18 22:06:12 CEST 2011 - sjayaraman@suse.de
+
+- patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch:
+ cifs: always do is_path_accessible check in cifs_mount
+ (bnc#718028).
+
+-------------------------------------------------------------------
+Thu Sep 8 21:52:24 CEST 2011 - jdelvare@suse.de
+
+- patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch:
+ Add Git-commit tag.
+
+-------------------------------------------------------------------
+Wed Aug 31 11:34:51 CEST 2011 - jslaby@suse.de
+
+- patches.fixes/pty-fix-pty-counting.patch: TTY: pty, fix pty
+ counting (bnc#711203).
+
+-------------------------------------------------------------------
+Mon Aug 29 17:14:43 CEST 2011 - sjayaraman@suse.de
+
+- patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch:
+ cifs: fix possible memory corruption in CIFSFindNext
+ (bnc#714001, CVE-2011-3191).
+
+-------------------------------------------------------------------
+Fri Aug 12 16:41:35 CEST 2011 - mszeredi@suse.cz
+
+- patches.fixes/validate-size-of-efi-guid-partition-entries.patch:
+ Validate size of EFI GUID partition entries (bnc#692784,
+ CVE-2011-1776).
+
+-------------------------------------------------------------------
+Tue Aug 9 09:41:24 CEST 2011 - jbeulich@novell.com
+
+- Update Xen patches to 2.6.34.10.
+- patches.xen/1080-blkfront-xenbus-gather-format.patch: blkfront: fix
+ data size for xenbus_gather in connect().
+- patches.xen/1081-blkback-resize-transaction-end.patch: xenbus: fix
+ xenbus_transaction_start() hang caused by double
+ xenbus_transaction_end().
+- patches.xen/1089-blkback-barrier-check.patch: blkback: don't fail
+ empty barrier requests.
+- patches.xen/1090-blktap-locking.patch: blktap: fix locking
+ (bnc#685276).
+- patches.xen/1091-xenbus-dev-no-BUG.patch: xenbus: don't BUG() on user
+ mode induced conditions (bnc#696107).
+- patches.xen/1098-blkfront-cdrom-ioctl-check.patch: blkfront: avoid
+ NULL de-reference in CDROM ioctl handling (bnc#701355).
+
+-------------------------------------------------------------------
+Sat Aug 6 11:36:37 CEST 2011 - jslaby@suse.de
+
+- patches.drivers/intr-remap-allow-disabling-source-id-checking.patch:
+ intr-remap: allow disabling source id checking (bnc#710352).
+
+-------------------------------------------------------------------
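Review bot: the Oct 3 entry (cifs: add fallback in is_path_accessible for old servers) is a follow-up that the Sep 18 CVE-2011-3363 entry depends on: once is_path_accessible runs for every mount, servers that do not support QPathInfo cannot be mounted unless the SMBQueryInformation fallback is present, so both entries should mention the dependency and the two patches should stay adjacent and in that order in series.conf. Separately, the Sep 30 entry disables i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch for the regression in bnc#712023 and the Oct 6 entry fixes the radeon I2C masks for the same bug; if the mask fix removes the regression, a later entry should re-enable the disabled patch or drop it rather than leaving it parked.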
kernel-default.changes: same change
kernel-desktop.changes: same change
kernel-docs.changes: same change
kernel-ec2.changes: same change
kernel-net.changes: same change
kernel-pae.changes: same change
kernel-ppc64.changes: same change
kernel-ps3.changes: same change
kernel-s390.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-trace.changes: same change
kernel-vanilla.changes: same change
kernel-vmi.changes: same change
kernel-xen.changes: same change
calling whatdependson for 11.3-i586
Old:
----
minmem
needed_space_in_mb
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -56,7 +56,7 @@
Name: kernel-debug
Summary: A Debug Version of the Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%endif
kernel-default.spec: same change
kernel-desktop.spec: same change
++++++ kernel-ec2.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -56,7 +56,7 @@
Name: kernel-ec2
Summary: The Amazon EC2 Xen Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -56,7 +56,7 @@
Name: kernel-pae
Summary: Kernel with PAE Support
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%endif
kernel-ps3.spec: same change
kernel-s390.spec: same change
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -31,7 +31,7 @@
Name: kernel-source
Summary: The Linux Kernel Sources
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -24,7 +24,7 @@
Name: kernel-syms
Summary: Kernel Symbol Versions (modversions)
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%define kernel_source_release %(LC_ALL=C rpm -q kernel-devel%variant-%version --qf "%{RELEASE}" | grep -v 'not installed' || echo 0)
++++++ kernel-trace.spec ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:19.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:19.000000000 +0200
@@ -56,7 +56,7 @@
Name: kernel-trace
Summary: The Realtime Linux Kernel
Version: 2.6.34.10
-Release: 0.<RELEASE2>
+Release: 0.<RELEASE4>
%if %using_buildservice
%else
%endif
kernel-vanilla.spec: same change
kernel-vmi.spec: same change
kernel-xen.spec: same change
++++++ patches.drivers.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch new/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch
--- old/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.drivers/intr-remap-allow-disabling-source-id-checking.patch 2011-08-06 11:44:49.000000000 +0200
@@ -0,0 +1,88 @@
+From d1423d5679875ebbbc2fc63b33d465baceee0430 Mon Sep 17 00:00:00 2001
+From: Chris Wright
+Date: Tue, 20 Jul 2010 11:06:49 -0700
+Subject: intr-remap: allow disabling source id checking
+Git-commit: d1423d5679875ebbbc2fc63b33d465baceee0430
+Patch-mainline: v2.6.36-rc1
+References: bnc#710352
+
+Allow disabling the source id checking while programming the interrupt
+remap table entry. Useful for debugging or working around the broken
+source id checks on some platforms.
+
+Signed-off-by: Chris Wright
+Acked-by: Suresh Siddha
+Acked-by: Weidong Han
+Signed-off-by: David Woodhouse
+Signed-off-by: Jiri Slaby
+---
+ Documentation/kernel-parameters.txt | 7 +++++++
+ drivers/pci/intr_remapping.c | 20 ++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -993,6 +993,12 @@ and is between 256 and 4096 characters.
+ result in a hardware IOTLB flush operation as opposed
+ to batching them for performance.
+
++ intremap= [X86-64, Intel-IOMMU]
++ Format: { on (default) | off | nosid }
++ on enable Interrupt Remapping (default)
++ off disable Interrupt Remapping
++ nosid disable Source ID checking
++
+ inttest= [IA64]
+
+ iomem= Disable strict checking of access to MMIO memory
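Review bot: the `nosid` entry should state the security trade-off, not only the mechanism. With source-id checking disabled the IOMMU no longer verifies which device a remapped interrupt message came from (the @@ -452 hunk forces SVT_NO_VERIFY for every entry written through set_irte_sid), so a misbehaving or malicious device can raise vectors that were programmed for another device. Suggest wording along the lines of `nosid   disable Source ID checking (reduces device isolation; for debugging or broken platforms only)`, which matches the scope the commit message itself gives.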
+@@ -1716,6 +1722,7 @@ and is between 256 and 4096 characters.
+
+ nointremap [X86-64, Intel-IOMMU] Do not enable interrupt
+ remapping.
++ [Deprecated - use intremap=off]
+
+ nointroute [IA-64]
+
+--- a/drivers/pci/intr_remapping.c
++++ b/drivers/pci/intr_remapping.c
+@@ -20,6 +20,8 @@ static int ir_ioapic_num, ir_hpet_num;
+ int intr_remapping_enabled;
+
+ static int disable_intremap;
++static int disable_sourceid_checking;
++
+ static __init int setup_nointremap(char *str)
+ {
+ disable_intremap = 1;
+@@ -27,6 +29,22 @@ static __init int setup_nointremap(char
+ }
+ early_param("nointremap", setup_nointremap);
+
++static __init int setup_intremap(char *str)
++{
++ if (!str)
++ return -EINVAL;
++
++ if (!strncmp(str, "on", 2))
++ disable_intremap = 0;
++ else if (!strncmp(str, "off", 3))
++ disable_intremap = 1;
++ else if (!strncmp(str, "nosid", 5))
++ disable_sourceid_checking = 1;
++
++ return 0;
++}
++early_param("intremap", setup_intremap);
++
+ struct irq_2_iommu {
+ struct intel_iommu *iommu;
+ u16 irte_index;
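Review bot: setup_intremap() returns 0 for any value it does not recognise, so a typo such as `intremap=none` is silently ignored instead of reported; the `!str` branch already returns -EINVAL, and an `else return -EINVAL;` after the nosid case would be consistent with it. Two smaller points: `nosid` leaves disable_intremap untouched, so remapping stays enabled with only the source-id check off, which deserves a comment since the docs list it next to on/off; and the strncmp prefix matching accepts any string beginning with `on`, `off` or `nosid`, so `strcmp` would be the stricter choice.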
+@@ -452,6 +470,8 @@ int free_irte(int irq)
+ static void set_irte_sid(struct irte *irte, unsigned int svt,
+ unsigned int sq, unsigned int sid)
+ {
++ if (disable_sourceid_checking)
++ svt = SVT_NO_VERIFY;
+ irte->svt = svt;
+ irte->sq = sq;
+ irte->sid = sid;
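Review bot: overriding svt inside set_irte_sid() affects every caller regardless of the verification type it asked for, and disable_sourceid_checking is a file-wide static with no log line, so an administrator cannot tell from dmesg that interrupt source-id verification is off on a running system. Suggest a one-time printk when the option is active (in setup_intremap() or where remapping is enabled) and a short comment here noting that sq and sid are still written but no longer enforced by the hardware.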
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch new/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch
--- old/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,36 @@
+From: Jeff Layton
+Date: Tue, 17 May 2011 06:40:30 -0400
+Subject: cifs: add fallback in is_path_accessible for old servers
+References: bnc#718028
+Patch-mainline: v2.6.39
+Git-commit: 221d1d797202984cb874e3ed9f1388593d34ee22
+
+The is_path_accessible check uses a QPathInfo call, which isn't
+supported by ancient win9x era servers. Fall back to an older
+SMBQueryInfo call if it fails with the magic error codes.
+
+Cc: stable@kernel.org
+Reported-and-Tested-by: Sandro Bonazzola
+Signed-off-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Suresh Jayaraman
+---
+ fs/cifs/connect.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/connect.c
++++ linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c
+@@ -2261,6 +2261,11 @@ is_path_accessible(int xid, struct cifsT
+ 0 /* not legacy */, cifs_sb->local_nls,
+ cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
++
++ if (rc == -EOPNOTSUPP || rc == -EINVAL)
++ rc = SMBQueryInformation(xid, tcon, full_path, pfile_info,
++ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
++ CIFS_MOUNT_MAP_SPECIAL_CHR);
+ kfree(pfile_info);
+ return rc;
+ }
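Review bot: the fallback also triggers on -EINVAL, which the QPathInfo call above can return for reasons other than an unsupported infolevel, so the legacy SMBQueryInformation call may run against servers that do support QPathInfo; a comment naming the two "magic error codes" from the commit message next to the condition, and a cFYI trace when the fallback is taken, would make that visible when debugging a mount. Note that with the companion cifs-always-do-is_path_accessible-check-in-cifs_moun.patch this function runs on every mount, so the fallback is what keeps old servers mountable rather than a nicety.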
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch new/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch
--- old/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,42 @@
+From: Jeff Layton
+Date: Mon, 14 Mar 2011 13:48:08 -0400
+Subject: cifs: always do is_path_accessible check in cifs_mount
+Patch-mainline: v2.6.39-rc4
+References: bnc#718028, CVE-2011-3363
+Git-commit: 70945643722ffeac779d2529a348f99567fa5c33
+
+Currently, we skip doing the is_path_accessible check in cifs_mount if
+there is no prefixpath. I have a report of at least one server however
+that allows a TREE_CONNECT to a share that has a DFS referral at its
+root. The reporter in this case was using a UNC that had no prefixpath,
+so the is_path_accessible check was not triggered and the box later hit
+a BUG() because we were chasing a DFS referral on the root dentry for
+the mount.
+
+This patch fixes this by removing the check for a zero-length
+prefixpath. That should make the is_path_accessible check be done in
+this situation and should allow the client to chase the DFS referral at
+mount time instead.
+
+Cc: stable@kernel.org
+Reported-and-Tested-by: Yogesh Sharma
+Signed-off-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Suresh Jayaraman
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/connect.c
++++ linux-2.6.34-openSUSE-11.3/fs/cifs/connect.c
+@@ -2563,7 +2563,7 @@ try_mount_again:
+
+ remote_path_check:
+ /* check if a whole path (including prepath) is not remote */
+- if (!rc && cifs_sb->prepathlen && tcon) {
++ if (!rc && tcon) {
+ /* build_path_to_root works only when we have a valid tcon */
+ full_path = cifs_build_path_to_root(cifs_sb);
+ if (full_path == NULL) {
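Review bot: dropping `cifs_sb->prepathlen` from the condition makes is_path_accessible() run on every mount, so mounts to servers that reject the QPathInfo call change from succeeding to failing unless cifs-add-fallback-in-is_path_accessible-for-old-serv.patch (same bnc#718028) is applied as well; series.conf should keep the two together and in that order. The comment above the condition, "check if a whole path (including prepath) is not remote", should also be reworded since the prepath may now be empty.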
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch new/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
--- old/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,44 @@
+From: Jeff Layton
+Date: Tue, 23 Aug 2011 07:21:28 -0400
+Subject: cifs: fix possible memory corruption in CIFSFindNext
+References: bnc#714001, CVE-2011-3191
+Patch-mainline: 3.1 (expected)
+Git-commit: c32dfffaf59f73bbcf4472141b851a4dc5db2bf0
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6.git
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc:
+Reported-by: Darren Lavender
+Signed-off-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Suresh Jayaraman
+---
+ fs/cifs/cifssmb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: linux-2.6.34-openSUSE-11.3/fs/cifs/cifssmb.c
+===================================================================
+--- linux-2.6.34-openSUSE-11.3.orig/fs/cifs/cifssmb.c
++++ linux-2.6.34-openSUSE-11.3/fs/cifs/cifssmb.c
+@@ -3743,7 +3743,8 @@ int CIFSFindNext(const int xid, struct c
+ T2_FNEXT_RSP_PARMS *parms;
+ char *response_data;
+ int rc = 0;
+- int bytes_returned, name_len;
++ int bytes_returned;
++ unsigned int name_len;
+ __u16 params, byte_count;
+
+ cFYI(1, ("In FindNext"));
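Review bot: the fix depends on the PATH_MAX comparison the commit message mentions, which lies outside this hunk; with name_len unsigned that comparison rejects oversized values, but the declaration directly below, `__u16 params, byte_count;`, shows that name_len is later folded into 16-bit counters, so please confirm in the full function that the comparison precedes any such addition and that no intermediate signed variable receives name_len. The `Cc:` trailer in the header is empty; either fill in the stable address and version or drop the line.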
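The signed/unsigned conversion the commit message describes, shown as a stand-alone C model. This is an added example, not the kernel's CIFSFindNext code: DEMO_PATH_MAX, demo_search_info and the check functions are constructed for the demonstration, and the 32-bit length stands in for the value a hostile server places in the reply. The same length is compared with PATH_MAX once as a signed int (the old code) and once as an unsigned int (the fix), and the size memcpy() would receive in the signed case is computed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's PATH_MAX (4096 on Linux). */
#define DEMO_PATH_MAX 4096

/*
 * Constructed model of the relevant part of cifs_search_info: resume_name_len
 * is unsigned and, for some infolevels, is copied straight from a 32-bit
 * value in the server's reply, so a hostile server picks it freely.
 */
struct demo_search_info {
    uint32_t resume_name_len;
    const char *presume_name;
};

/*
 * Before the fix: the unsigned wire value lands in a signed int. On the
 * two's complement targets gcc and clang build for, 0xFFFFFFF0 becomes -16,
 * which is "< PATH_MAX", so the bounds check passes.
 */
bool vulnerable_length_ok(uint32_t wire_len)
{
    int name_len = (int)wire_len;       /* the implicit conversion in the old code */
    return name_len < DEMO_PATH_MAX;    /* negative values pass */
}

/* The size memcpy() is then handed: the negative int converts back to
 * size_t, giving a length close to SIZE_MAX. */
size_t vulnerable_copy_size(uint32_t wire_len)
{
    int name_len = (int)wire_len;
    return (size_t)name_len;            /* -16 -> SIZE_MAX - 15 */
}

/* After the fix: keeping the length unsigned makes the comparison unsigned,
 * so any value >= PATH_MAX is rejected whatever its top bit. */
bool fixed_length_ok(uint32_t wire_len)
{
    unsigned int name_len = wire_len;
    return name_len < DEMO_PATH_MAX;
}

/*
 * Bounded copy of the resume name into a caller-provided buffer. Besides the
 * corrected PATH_MAX check it also honours the destination size, which the
 * PATH_MAX check alone does not. Returns bytes copied, or -1 if rejected.
 */
int copy_resume_name(char *dst, size_t dst_size, const struct demo_search_info *si)
{
    if (!fixed_length_ok(si->resume_name_len) || si->resume_name_len > dst_size)
        return -1;
    memcpy(dst, si->presume_name, si->resume_name_len);
    return (int)si->resume_name_len;
}

/* Runs copy_resume_name() on a constructed reply carrying the given length;
 * the 64-byte source keeps every accepted copy inside real memory. */
int demo_copy_result(uint32_t wire_len)
{
    static const char wire_name[64] = "resume01";   /* constructed payload */
    char buf[64];
    struct demo_search_info si = { wire_len, wire_name };
    return copy_resume_name(buf, sizeof buf, &si);
}

int main(void)
{
    uint32_t lens[] = { 8u, 4096u, 0xFFFFFFF0u };   /* sane, at limit, hostile */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=0x%08x signed-check=%s unsigned-check=%s bounded-copy=%d\n",
               lens[i],
               vulnerable_length_ok(lens[i]) ? "pass" : "reject",
               fixed_length_ok(lens[i]) ? "pass" : "reject",
               demo_copy_result(lens[i]));
        if (vulnerable_length_ok(lens[i]) && !fixed_length_ok(lens[i]))
            printf("  -> old code would memcpy %zu bytes\n",
                   vulnerable_copy_size(lens[i]));
    }
    return 0;
}
```

With the hostile length the signed check passes and memcpy() would be asked for (size_t)-16 bytes, which is the "scribbles over a ton of memory" outcome from the commit message; the unsigned check rejects it. copy_resume_name() additionally bounds the copy by the destination size, which the PATH_MAX test alone never did.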
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch
--- old/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/drm-radeon-kms-fix-i2c-masks.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,30 @@
+From: Jean Delvare
+Subject: drm/radeon/kms: Fix I2C mask definitions
+Patch-mainline: Not yet, should happen soon
+References: bnc#712023
+
+Commit 9b9fe724 accidentally used RADEON_GPIO_EN_* where
+RADEON_GPIO_MASK_* was intended. This caused improper initialization
+of I2C buses, mostly visible when setting i2c_algo_bit.bit_test=1.
+Using the right constants fixes the problem.
+
+Signed-off-by: Jean Delvare
+Reviewed-by: Alex Deucher
+Cc: Jerome Glisse
+---
+ drivers/gpu/drm/radeon/radeon_combios.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_combios.c
++++ b/drivers/gpu/drm/radeon/radeon_combios.c
+@@ -503,8 +503,8 @@ static struct radeon_i2c_bus_rec combios
+ i2c.y_clk_reg = RADEON_MDGPIO_Y;
+ i2c.y_data_reg = RADEON_MDGPIO_Y;
+ } else {
+- i2c.mask_clk_mask = RADEON_GPIO_EN_1;
+- i2c.mask_data_mask = RADEON_GPIO_EN_0;
++ i2c.mask_clk_mask = RADEON_GPIO_MASK_1;
++ i2c.mask_data_mask = RADEON_GPIO_MASK_0;
+ i2c.a_clk_mask = RADEON_GPIO_A_1;
+ i2c.a_data_mask = RADEON_GPIO_A_0;
+ i2c.en_clk_mask = RADEON_GPIO_EN_1;
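Review bot: the header says `Patch-mainline: Not yet, should happen soon` and carries no Git-commit tag; once the fix is merged upstream, add the Git-commit tag (as the Sep 8 changelog entry did for the i2c-algo-bit patch) so the patch is dropped on the next rebase. The changelog also records patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch being disabled in series.conf for the same bnc#712023; if this mask fix is the cause of that regression, the commit message should say so and that patch can be re-enabled.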
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch new/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch
--- old/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,127 @@
+From 764355487ea220fdc2faf128d577d7f679b91f97 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Fri, 22 Jul 2011 08:14:15 -0700
+Subject: Ecryptfs: Add mount option to check uid of device being mounted = expect uid
+Patch-mainline: 3.1
+References: bnc#711539 CVE-2011-1833
+
+Close a TOCTOU race for mounts done via ecryptfs-mount-private. The mount
+source (device) can be raced when the ownership test is done in userspace.
+Provide Ecryptfs a means to force the uid check at mount time.
+
+Signed-off-by: John Johansen
+Cc:
+Signed-off-by: Tyler Hicks
+Acked-by: Miklos Szeredi
+---
+ fs/ecryptfs/main.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+Index: linux-2.6.32-SLE11-SP1/fs/ecryptfs/main.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/fs/ecryptfs/main.c 2011-10-19 21:55:25.000000000 +0200
++++ linux-2.6.32-SLE11-SP1/fs/ecryptfs/main.c 2011-10-19 21:58:03.000000000 +0200
+@@ -212,7 +212,8 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ec
+ ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
+ ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
+ ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
+- ecryptfs_opt_unlink_sigs, ecryptfs_opt_err };
++ ecryptfs_opt_unlink_sigs, ecryptfs_opt_check_dev_ruid,
++ ecryptfs_opt_err };
+
+ static const match_table_t tokens = {
+ {ecryptfs_opt_sig, "sig=%s"},
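Review bot: the Index: lines (linux-2.6.32-SLE11-SP1) show this patch was taken from the SLE11 SP1 tree rather than refreshed against the 2.6.34 sources this package builds; it applies with -p1 either way, but the header should be regenerated against this tree so the paths and hunk offsets describe what the build actually patches.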
+@@ -227,6 +228,7 @@ static const match_table_t tokens = {
+ {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
+ {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
+ {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
++ {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
+ {ecryptfs_opt_err, NULL}
+ };
+
+@@ -270,6 +272,7 @@ static void ecryptfs_init_mount_crypt_st
+ * ecryptfs_parse_options
+ * @sb: The ecryptfs super block
+ * @options: The options pased to the kernel
++ * @check_ruid: set to 1 if device uid should be checked against the ruid
+ *
+ * Parse mount options:
+ * debug=N - ecryptfs_verbosity level for debug output
+@@ -285,7 +288,8 @@ static void ecryptfs_init_mount_crypt_st
+ *
+ * Returns zero on success; non-zero on error
+ */
+-static int ecryptfs_parse_options(struct super_block *sb, char *options)
++static int ecryptfs_parse_options(struct super_block *sb, char *options,
++ uid_t *check_ruid)
+ {
+ char *p;
+ int rc = 0;
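Review bot: `check_ruid` is declared `uid_t *` here (and `uid_t` in ecryptfs_read_super()) but only ever holds 0 or 1, as the doc comment "set to 1 if device uid should be checked against the ruid" states; a boolean stored in a uid type reads as if it were the uid being compared. Suggest `int *check_ruid` (or bool) in both signatures.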
+@@ -310,6 +314,8 @@ static int ecryptfs_parse_options(struct
+ char *cipher_key_bytes_src;
+ char *fn_cipher_key_bytes_src;
+
++ *check_ruid = 0;
++
+ if (!options) {
+ rc = -EINVAL;
+ goto out;
+@@ -410,6 +416,9 @@ static int ecryptfs_parse_options(struct
+ case ecryptfs_opt_unlink_sigs:
+ mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
+ break;
++ case ecryptfs_opt_check_dev_ruid:
++ *check_ruid = 1;
++ break;
+ case ecryptfs_opt_err:
+ default:
+ printk(KERN_WARNING
+@@ -551,7 +560,8 @@ ecryptfs_fill_super(struct super_block *
+ * ecryptfs_interpose to create our initial inode and super block
+ * struct.
+ */
+-static int ecryptfs_read_super(struct super_block *sb, const char *dev_name)
++static int ecryptfs_read_super(struct super_block *sb, const char *dev_name,
++ uid_t check_ruid)
+ {
+ struct path path;
+ int rc;
+@@ -561,6 +571,15 @@ static int ecryptfs_read_super(struct su
+ ecryptfs_printk(KERN_WARNING, "path_lookup() failed\n");
+ goto out;
+ }
++ if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
++ rc = -EPERM;
++ printk(KERN_ERR "Mount of device (uid: %d) not owned by "
++ "requested user (uid: %d)\n",
++ path.dentry->d_inode->i_uid, current_uid());
++ goto out_free;
++ }
++
++
+ ecryptfs_set_superblock_lower(sb, path.dentry->d_sb);
+ sb->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ sb->s_blocksize = path.dentry->d_sb->s_blocksize;
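Review bot: three points on the new block. The `%d` conversions print uid_t values, which are unsigned, so use `%u`. Two blank lines are added after the block where the file uses one. Operationally, the check only runs when the mount carries `ecryptfs_check_dev_ruid`, so the TOCTOU described in the commit message stays open for any helper that does not pass the option; the ecryptfs-utils mount helper must be updated together with this kernel and the update notes should say so. Comparing against current_uid(), the real uid, is the right choice for a set-uid helper and matches the option name.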
+@@ -597,6 +616,7 @@ static int ecryptfs_get_sb(struct file_s
+ const char *dev_name, void *raw_data,
+ struct vfsmount *mnt)
+ {
++ uid_t check_ruid;
+ int rc;
+ struct super_block *sb;
+
+@@ -606,12 +626,12 @@ static int ecryptfs_get_sb(struct file_s
+ goto out;
+ }
+ sb = mnt->mnt_sb;
+- rc = ecryptfs_parse_options(sb, raw_data);
++ rc = ecryptfs_parse_options(sb, raw_data, &check_ruid);
+ if (rc) {
+ printk(KERN_ERR "Error parsing options; rc = [%d]\n", rc);
+ goto out_abort;
+ }
+- rc = ecryptfs_read_super(sb, dev_name);
++ rc = ecryptfs_read_super(sb, dev_name, check_ruid);
+ if (rc) {
+ printk(KERN_ERR "Reading sb failed; rc = [%d]\n", rc);
+ goto out_abort;
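A user-space model of the race the commit message closes, as an added example that is not part of this patch or of ecryptfs-utils. A helper that stat()s the mount source by name and later acts on the name again can be made to check one directory and use another; resolving first and checking the resolved object, which is what the new ecryptfs_check_dev_ruid path does on path.dentry->d_inode inside the mount, binds check and use to the same inode. The attacker's rename is run in-process at its best moment; check_then_use, resolve_then_check and the demo_* helpers are constructed names, open() stands in for mount(), and both directories are created by the program itself under /tmp so the ownership test passes for getuid().

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the modelled attacker does at its best opportunity: rename a
 * directory it controls over the path the helper has just checked. */
struct swap_args { const char *victim; const char *other; };

static void swap_dirs(void *p)
{
    struct swap_args *a = p;
    rename(a->other, a->victim);        /* re-binds the name to another inode */
}

/*
 * Check-then-use, the pattern this patch replaces: ownership is tested on
 * the name with stat(), and the name is looked up a second time for the
 * real operation. Returns 1 if the ownership test passed; *checked_ino and
 * *used_ino receive the inode that was tested and the inode finally used.
 */
int check_then_use(const char *path, uid_t want, void (*race)(void *), void *arg,
                   ino_t *checked_ino, ino_t *used_ino)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != want)
        return 0;
    *checked_ino = st.st_ino;
    if (race)
        race(arg);                      /* the window between check and use */
    int fd = open(path, O_RDONLY | O_DIRECTORY);   /* second lookup of the name */
    if (fd < 0)
        return 0;
    fstat(fd, &st);
    *used_ino = st.st_ino;
    close(fd);
    return 1;
}

/*
 * Resolve-then-check, the shape of the kernel fix: look the name up once,
 * test ownership on the object obtained, and keep using that object.
 * The attacker still runs, but can no longer separate check from use.
 */
int resolve_then_check(const char *path, uid_t want, void (*race)(void *), void *arg,
                       ino_t *checked_ino, ino_t *used_ino)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) != 0 || st.st_uid != want) {
        close(fd);
        return 0;
    }
    *checked_ino = st.st_ino;
    if (race)
        race(arg);                      /* rename happens, the fd is unaffected */
    fstat(fd, &st);                     /* use the handle, never the name */
    *used_ino = st.st_ino;
    close(fd);
    return 1;
}

/* Builds <tmp>/dev (the directory the user asks to mount) and <tmp>/other
 * (the attacker's replacement), runs one helper with the swap as the race
 * action, cleans up, and returns 1 if checked and used inodes differ,
 * 0 if they are the same, -1 on setup failure. */
static int run_scenario(int (*helper)(const char *, uid_t, void (*)(void *), void *,
                                      ino_t *, ino_t *))
{
    char tmpl[] = "/tmp/ecryptfs-toctou-XXXXXX";
    char dev[64], other[64];
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(dev, sizeof dev, "%s/dev", tmpl);
    snprintf(other, sizeof other, "%s/other", tmpl);
    if (mkdir(dev, 0700) != 0 || mkdir(other, 0700) != 0)
        return -1;
    struct swap_args sa = { dev, other };
    ino_t checked = 0, used = 0;
    int ok = helper(dev, getuid(), swap_dirs, &sa, &checked, &used);
    rmdir(dev);                         /* after the swap, "dev" is the old "other" */
    rmdir(tmpl);
    return ok ? (checked != used) : -1;
}

int demo_check_then_use_is_racy(void)     { return run_scenario(check_then_use); }
int demo_resolve_then_check_is_safe(void) { return run_scenario(resolve_then_check) == 0; }

int main(void)
{
    printf("check-then-use used a different inode than it checked: %d\n",
           demo_check_then_use_is_racy());
    printf("resolve-then-check used the inode it checked: %d\n",
           demo_resolve_then_check_is_safe());
    return 0;
}
```

Both directories belong to the running user, so the ownership test passes in every case; what the two inode numbers show is that the first helper's check and use land on different objects after the rename while the second helper's do not. In the real attack the replacement directory is the one the attacker wants mounted as the victim's private directory, and moving the uid comparison into the kernel's mount path is what makes the second shape available to a set-uid helper.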
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch new/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch
--- old/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,261 @@
+From: Lukas Czerner
+Subject: [PATCH] ext4: Fix max file size and logical block counting of extent format file
+References: bnc#706374
+Patch-mainline: 3.0
+Git-commit: f17722f917b2f21497deb6edc62fb1683daa08e6
+
+Kazuya Mio reported that he was able to hit BUG_ON(next == lblock)
+in ext4_ext_put_gap_in_cache() while creating a sparse file in extent
+format and fill the tail of file up to its end. We will hit the BUG_ON
+when we write the last block (2^32-1) into the sparse file.
+
+The root cause of the problem lies in the fact that we specifically set
+s_maxbytes so that block at s_maxbytes fit into on-disk extent format,
+which is 32 bit long. However, we are not storing start and end block
+number, but rather start block number and length in blocks. It means
+that in order to cover extent from 0 to EXT_MAX_BLOCK we need
+EXT_MAX_BLOCK+1 to fit into len (because we counting block 0 as well) -
+and it does not.
+
+The only way to fix it without changing the meaning of the struct
+ext4_extent members is, as Kazuya Mio suggested, to lower s_maxbytes
+by one fs block so we can cover the whole extent we can get by the
+on-disk extent format.
+
+Also in many places EXT_MAX_BLOCK is used as length instead of maximum
+logical block number as the name suggests, it is all a bit messy. So
+this commit renames it to EXT_MAX_BLOCKS and change its usage in some
+places to actually be maximum number of blocks in the extent.
+
+The bug which this commit fixes can be reproduced as follows:
+
+ dd if=/dev/zero of=/mnt/mp1/file bs=<blocksize> count=1 seek=$((2**32-2))
+ sync
+ dd if=/dev/zero of=/mnt/mp1/file bs=<blocksize> count=1 seek=$((2**32-1))
+
+Reported-by: Kazuya Mio
+Signed-off-by: Lukas Czerner
+Signed-off-by: "Theodore Ts'o"
+Acked-by: Jan Kara
+---
+ fs/ext4/ext4_extents.h | 7 +++++--
+ fs/ext4/extents.c | 34 +++++++++++++++++-----------------
+ fs/ext4/move_extent.c | 10 +++++-----
+ fs/ext4/super.c | 15 ++++++++++++---
+ 4 files changed, 39 insertions(+), 27 deletions(-)
+
+Index: linux-2.6.32-SLE11-SP1/fs/ext4/ext4_extents.h
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/ext4_extents.h
++++ linux-2.6.32-SLE11-SP1/fs/ext4/ext4_extents.h
+@@ -137,8 +137,11 @@ typedef int (*ext_prepare_callback)(stru
+ #define EXT_BREAK 1
+ #define EXT_REPEAT 2
+
+-/* Maximum logical block in a file; ext4_extent's ee_block is __le32 */
+-#define EXT_MAX_BLOCK 0xffffffff
++/*
++ * Maximum number of logical blocks in a file; ext4_extent's ee_block is
++ * __le32.
++ */
++#define EXT_MAX_BLOCKS 0xffffffff
+
+ /*
+ * EXT_INIT_MAX_LEN is the maximum number of blocks we can have in an
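Review bot: keeping the value 0xffffffff but renaming the macro to EXT_MAX_BLOCKS changes its meaning from "highest logical block number" to "number of logical blocks", so the highest addressable block becomes EXT_MAX_BLOCKS - 1. The rename usefully turns every unconverted user into a compile error, so the other ext4 patches in series.conf should be grepped for EXT_MAX_BLOCK before this is enabled, and any that still use it converted with the new off-by-one semantics in mind rather than just renamed.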
+Index: linux-2.6.32-SLE11-SP1/fs/ext4/extents.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/extents.c
++++ linux-2.6.32-SLE11-SP1/fs/ext4/extents.c
+@@ -1329,7 +1329,7 @@ got_index:
+
+ /*
+ * ext4_ext_next_allocated_block:
+- * returns allocated block in subsequent extent or EXT_MAX_BLOCK.
++ * returns allocated block in subsequent extent or EXT_MAX_BLOCKS.
+ * NOTE: it considers block number from index entry as
+ * allocated block. Thus, index entries have to be consistent
+ * with leaves.
+@@ -1343,7 +1343,7 @@ ext4_ext_next_allocated_block(struct ext
+ depth = path->p_depth;
+
+ if (depth == 0 && path->p_ext == NULL)
+- return EXT_MAX_BLOCK;
++ return EXT_MAX_BLOCKS;
+
+ while (depth >= 0) {
+ if (depth == path->p_depth) {
+@@ -1360,12 +1360,12 @@ ext4_ext_next_allocated_block(struct ext
+ depth--;
+ }
+
+- return EXT_MAX_BLOCK;
++ return EXT_MAX_BLOCKS;
+ }
+
+ /*
+ * ext4_ext_next_leaf_block:
+- * returns first allocated block from next leaf or EXT_MAX_BLOCK
++ * returns first allocated block from next leaf or EXT_MAX_BLOCKS
+ */
+ static ext4_lblk_t ext4_ext_next_leaf_block(struct inode *inode,
+ struct ext4_ext_path *path)
+@@ -1377,7 +1377,7 @@ static ext4_lblk_t ext4_ext_next_leaf_bl
+
+ /* zero-tree has no leaf blocks at all */
+ if (depth == 0)
+- return EXT_MAX_BLOCK;
++ return EXT_MAX_BLOCKS;
+
+ /* go to index block */
+ depth--;
+@@ -1390,7 +1390,7 @@ static ext4_lblk_t ext4_ext_next_leaf_bl
+ depth--;
+ }
+
+- return EXT_MAX_BLOCK;
++ return EXT_MAX_BLOCKS;
+ }
+
+ /*
+@@ -1570,13 +1570,13 @@ unsigned int ext4_ext_check_overlap(stru
+ */
+ if (b2 < b1) {
+ b2 = ext4_ext_next_allocated_block(path);
+- if (b2 == EXT_MAX_BLOCK)
++ if (b2 == EXT_MAX_BLOCKS)
+ goto out;
+ }
+
+ /* check for wrap through zero on extent logical start block*/
+ if (b1 + len1 < b1) {
+- len1 = EXT_MAX_BLOCK - b1;
++ len1 = EXT_MAX_BLOCKS - b1;
+ newext->ee_len = cpu_to_le16(len1);
+ ret = 1;
+ }
+@@ -1652,7 +1652,7 @@ repeat:
+ fex = EXT_LAST_EXTENT(eh);
+ next = ext4_ext_next_leaf_block(inode, path);
+ if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block)
+- && next != EXT_MAX_BLOCK) {
++ && next != EXT_MAX_BLOCKS) {
+ ext_debug("next leaf block - %d\n", next);
+ BUG_ON(npath != NULL);
+ npath = ext4_ext_find_extent(inode, next, NULL);
+@@ -1770,7 +1770,7 @@ int ext4_ext_walk_space(struct inode *in
+ BUG_ON(func == NULL);
+ BUG_ON(inode == NULL);
+
+- while (block < last && block != EXT_MAX_BLOCK) {
++ while (block < last && block != EXT_MAX_BLOCKS) {
+ num = last - block;
+ /* find extent for this block */
+ down_read(&EXT4_I(inode)->i_data_sem);
+@@ -1898,7 +1898,7 @@ ext4_ext_put_gap_in_cache(struct inode *
+ if (ex == NULL) {
+ /* there is no extent yet, so gap is [0;-] */
+ lblock = 0;
+- len = EXT_MAX_BLOCK;
++ len = EXT_MAX_BLOCKS;
+ ext_debug("cache gap(whole file):");
+ } else if (block < le32_to_cpu(ex->ee_block)) {
+ lblock = block;
+@@ -2143,8 +2143,8 @@ ext4_ext_rm_leaf(handle_t *handle, struc
+ path[depth].p_ext = ex;
+
+ a = ex_ee_block > start ? ex_ee_block : start;
+- b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCK ?
+- ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCK;
++ b = ex_ee_block + ex_ee_len - 1 < EXT_MAX_BLOCKS - 1 ?
++ ex_ee_block + ex_ee_len - 1 : EXT_MAX_BLOCKS - 1;
+
+ ext_debug(" border %u:%u\n", a, b);
+
+@@ -3780,15 +3780,15 @@ static int ext4_ext_fiemap_cb(struct ino
+ flags |= FIEMAP_EXTENT_UNWRITTEN;
+
+ /*
+- * If this extent reaches EXT_MAX_BLOCK, it must be last.
++ * If this extent reaches EXT_MAX_BLOCKS-1, it must be last.
+ *
+- * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCK,
++ * Or if ext4_ext_next_allocated_block is EXT_MAX_BLOCKS-1,
+ * this also indicates no more allocated blocks.
+ *
+- * XXX this might miss a single-block extent at EXT_MAX_BLOCK
++ * XXX this might miss a single-block extent at EXT_MAX_BLOCKS-1
+ */
+- if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCK ||
+- newex->ec_block + newex->ec_len - 1 == EXT_MAX_BLOCK) {
++ if (ext4_ext_next_allocated_block(path) == EXT_MAX_BLOCKS - 1 ||
++ newex->ec_block + newex->ec_len == EXT_MAX_BLOCKS) {
+ loff_t size = i_size_read(inode);
+ loff_t bs = EXT4_BLOCK_SIZE(inode->i_sb);
+
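Review bot: the first condition looks inconsistent with the earlier hunks. ext4_ext_next_allocated_block() now returns EXT_MAX_BLOCKS as its "no further extent" sentinel (see the @@ -1343 and @@ -1360 hunks), yet here it is compared against EXT_MAX_BLOCKS - 1, so the "no more allocated blocks" case the comment describes can no longer match and the "must be last" handling is only reached through the second condition. Either compare with EXT_MAX_BLOCKS or explain in the comment why the -1 is intended; the rewritten comment repeats the same -1 for this case.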
+@@ -3868,8 +3868,8 @@ int ext4_fiemap(struct inode *inode, str
+
+ start_blk = start >> inode->i_sb->s_blocksize_bits;
+ last_blk = (start + len - 1) >> inode->i_sb->s_blocksize_bits;
+- if (last_blk >= EXT_MAX_BLOCK)
+- last_blk = EXT_MAX_BLOCK-1;
++ if (last_blk >= EXT_MAX_BLOCKS)
++ last_blk = EXT_MAX_BLOCKS-1;
+ len_blks = ((ext4_lblk_t) last_blk) - start_blk + 1;
+
+ /*
+Index: linux-2.6.32-SLE11-SP1/fs/ext4/move_extent.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/move_extent.c
++++ linux-2.6.32-SLE11-SP1/fs/ext4/move_extent.c
+@@ -1001,12 +1001,12 @@ mext_check_arguments(struct inode *orig_
+ return -EINVAL;
+ }
+
+- if ((orig_start > EXT_MAX_BLOCK) ||
+- (donor_start > EXT_MAX_BLOCK) ||
+- (*len > EXT_MAX_BLOCK) ||
+- (orig_start + *len > EXT_MAX_BLOCK)) {
++ if ((orig_start >= EXT_MAX_BLOCKS) ||
++ (donor_start >= EXT_MAX_BLOCKS) ||
++ (*len > EXT_MAX_BLOCKS) ||
++ (orig_start + *len >= EXT_MAX_BLOCKS)) {
+ ext4_debug("ext4 move extent: Can't handle over [%u] blocks "
+- "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCK,
++ "[ino:orig %lu, donor %lu]\n", EXT_MAX_BLOCKS,
+ orig_inode->i_ino, donor_inode->i_ino);
+ return -EINVAL;
+ }
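Review bot: the `(*len > EXT_MAX_BLOCKS)` test is now subsumed by `(orig_start + *len >= EXT_MAX_BLOCKS)`, since any `*len` above EXT_MAX_BLOCKS pushes the sum past it too, unless the addition can wrap; whether it can depends on the width of `orig_start` and `*len`, which the hunk does not show. Either drop the redundant test or, if these are 32-bit, write the last condition as `*len >= EXT_MAX_BLOCKS - orig_start` (safe because `orig_start < EXT_MAX_BLOCKS` was just established) so it is wrap-free. The debug text `Can't handle over [%u] blocks` now also fires when a start equals EXT_MAX_BLOCKS exactly, so `over` slightly misstates the new `>=` checks.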
+Index: linux-2.6.32-SLE11-SP1/fs/ext4/super.c
+===================================================================
+--- linux-2.6.32-SLE11-SP1.orig/fs/ext4/super.c
++++ linux-2.6.32-SLE11-SP1/fs/ext4/super.c
+@@ -1976,6 +1976,12 @@ static void ext4_orphan_cleanup(struct s
+ * in the vfs. ext4 inode has 48 bits of i_block in fsblock units,
+ * so that won't be a limiting factor.
+ *
++ * However there is other limiting factor. We do store extents in the form
++ * of starting block and length, hence the resulting length of the extent
++ * covering maximum file size must fit into on-disk format containers as
++ * well. Given that length is always by 1 unit bigger than max unit (because
++ * we count 0 as well) we have to lower the s_maxbytes by one fs block.
++ *
+ * Note, this does *not* consider any metadata overhead for vfs i_blocks.
+ */
+ static loff_t ext4_max_size(int blkbits, int has_huge_files)
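Review bot: the added comment has grammar slips that obscure the argument: `there is other limiting factor` should read `there is another limiting factor`, and `length is always by 1 unit bigger than max unit (because we count 0 as well)` is hard to parse; suggest `because logical block numbers start at 0, an extent covering blocks 0..N has length N+1, so the length needed to cover the maximum file size is one larger than the largest representable block number`.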
+@@ -1997,10 +2003,13 @@ static loff_t ext4_max_size(int blkbits,
+ upper_limit <<= blkbits;
+ }
+
+- /* 32-bit extent-start container, ee_block */
+- res = 1LL << 32;
++ /*
++ * 32-bit extent-start container, ee_block. We lower the maxbytes
++ * by one fs block, so ee_len can cover the extent of maximum file
++ * size
++ */
++ res = (1LL << 32) - 1;
+ res <<= blkbits;
+- res -= 1;
+
+ /* Sanity check against vm- & vfs- imposed limits */
+ if (res > upper_limit)
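Review bot: the comment says maxbytes is lowered `by one fs block`, but the arithmetic also removes the old `res -= 1`: the old value was `(1LL << 32) << blkbits` minus one byte, the new value is `((1LL << 32) - 1) << blkbits`, a difference of one block minus one byte. That is correct if `s_maxbytes` is a maximum size (so `(2^32 - 1)` full blocks is the largest file whose extents fit) and the old `- 1` was the old off-by-one, but the comment should state that semantics explicitly so the next reader does not try to restore the `- 1`.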
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch new/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch
--- old/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,37 @@
+From c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 24 Aug 2011 10:20:17 +0200
+Subject: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
+Patch-mainline: 3.1
+References: bnc#716901 CVE-2011-3353
+
+FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
+message processing could overrun and result in a "kernel BUG at
+fs/fuse/dev.c:629!"
+
+Reported-by: Han-Wen Nienhuys
+Signed-off-by: Miklos Szeredi
+Cc: stable@kernel.org
+Acked-by: Miklos Szeredi
+---
+ fs/fuse/dev.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index 640fc22..168a80f 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
+ if (outarg.namelen > FUSE_NAME_MAX)
+ goto err;
+
++ err = -EINVAL;
++ if (size != sizeof(outarg) + outarg.namelen + 1)
++ goto err;
++
+ name.name = buf;
+ name.len = outarg.namelen;
+ err = fuse_copy_one(cs, buf, outarg.namelen + 1);
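Review bot: the exact-size check `size != sizeof(outarg) + outarg.namelen + 1` sits after the `outarg.namelen > FUSE_NAME_MAX` test, which is the right order: `namelen` is bounded before it enters the sum, and the strict `!=` rejects both short messages (which previously let `fuse_copy_one(cs, buf, outarg.namelen + 1)` run past the payload) and oversized ones. One thing to confirm in the unchanged code above the hunk: the copy of `outarg` itself must already have checked `size >= sizeof(outarg)`, otherwise `outarg.namelen` is read from uninitialised bytes before this check runs.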
+--
+1.7.3.4
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch new/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch
--- old/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch 2011-07-20 18:48:56.000000000 +0200
+++ new/patches.fixes/i2c-algo-bit-call-pre-post_xfer-for-bit_test.patch 2011-10-19 22:16:41.000000000 +0200
@@ -3,6 +3,7 @@
Date: Sun, 17 Apr 2011 10:20:19 +0200
Subject: [PATCH] i2c-algo-bit: Call pre/post_xfer for bit_test
Patch-mainline: 2.6.39
+Git-commit: d3b3e15da14ded61c9654db05863b04a2435f4cc
References: bnc#669937, freedesktop#36221
Apparently some distros set i2c-algo-bit.bit_test to 1 by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch new/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch
--- old/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,81 @@
+From 961277664b03c1b3b594faddba91ee13b9d2cc98 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Mon, 20 Jun 2011 11:27:40 +0100
+Subject: [PATCH] ksm: fix NULL pointer dereference in scan_get_next_rmap_item
+
+References: KSM (bnc #697901, CVE-2011-2183)
+Patch-mainline: no (currently in mmotm, expected to hit mainline 3.0)
+
+Andrea Righi reported a case where an exiting task can race against
+ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742) easily
+triggering a NULL pointer dereference in ksmd.
+
+ksm_scan.mm_slot == &ksm_mm_head with only one registered mm
+
+CPU 1 (__ksm_exit) CPU 2 (scan_get_next_rmap_item)
+ list_empty() is false
+lock slot == &ksm_mm_head
+list_del(slot->mm_list)
+(list now empty)
+unlock
+ lock
+ slot = list_entry(slot->mm_list.next)
+ (list is empty, so slot is still ksm_mm_head)
+ unlock
+ slot->mm == NULL ... Oops
+
+Close this race by revalidating that the new slot is not simply the list
+head again.
+
+Andrea's test case:
+
+#include
+#include
+#include
+#include
+
+#define BUFSIZE getpagesize()
+
+int main(int argc, char **argv)
+{
+ void *ptr;
+
+ if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) {
+ perror("posix_memalign");
+ exit(1);
+ }
+ if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
+ perror("madvise");
+ exit(1);
+ }
+ *(char *)NULL = 0;
+
+ return 0;
+}
+
+Reported-by: Andrea Righi
+Tested-by: Andrea Righi
+Cc: Andrea Arcangeli
+Signed-off-by: Hugh Dickins
+Signed-off-by: Chris Wright
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Mel Gorman
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index d708b3e..9a68b0c 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -1302,6 +1302,12 @@ static struct rmap_item *scan_get_next_rmap_item(struct page **page)
+ slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
+ ksm_scan.mm_slot = slot;
+ spin_unlock(&ksm_mmlist_lock);
++ /*
++ * Although we tested list_empty() above, a racing __ksm_exit
++ * of the last mm on the list may have removed it since then.
++ */
++ if (slot == &ksm_mm_head)
++ return NULL;
+ next_mm:
+ ksm_scan.address = 0;
+ ksm_scan.rmap_list = &slot->rmap_list;
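Review bot: the `slot == &ksm_mm_head` test runs after `spin_unlock(&ksm_mmlist_lock)`, which is fine because `slot` is a local loaded under the lock and `&ksm_mm_head` is a fixed address; but `ksm_scan.mm_slot` has just been set to the head while `ksm_scan.address` and `ksm_scan.rmap_list` keep their previous values, so this early `return NULL` relies on callers treating `mm_slot == &ksm_mm_head` as the idle, scan-finished state. The new comment explains the race well; one more sentence saying that this state is the same one an empty list produces would make the exit self-explanatory.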
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/perf_software_event_overflow.patch new/patches.fixes/perf_software_event_overflow.patch
--- old/patches.fixes/perf_software_event_overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/perf_software_event_overflow.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,32 @@
+From: Tony Jones
+Subject: perf: Fix software event overflow
+References: bnc#712366, CVE-2011-2918
+Git-commit: a8b0ca17b80e92faab46ee7179ba9e99ccb61233
+Patch-mainline: v3.1-rc1
+Signed-off-by: Tony Jones
+
+Signed-off-by: Peter Zijlstra
+Vince [Weaver] found that under certain circumstances software event overflows
+go wrong and deadlock. Avoid trying to delete a timer from the timer callback.
+
+---
+ kernel/perf_event.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/kernel/perf_event.c
++++ b/kernel/perf_event.c
+@@ -3863,12 +3863,8 @@ static int __perf_event_overflow(struct
+ if (events && atomic_dec_and_test(&event->event_limit)) {
+ ret = 1;
+ event->pending_kill = POLL_HUP;
+- if (nmi) {
+- event->pending_disable = 1;
+- perf_pending_queue(&event->pending,
+- perf_pending_event);
+- } else
+- perf_event_disable(event);
++ event->pending_disable = 1;
++ perf_pending_queue(&event->pending, perf_pending_event);
+ }
+
+ if (event->overflow_handler)
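Review bot: after this change `nmi` is no longer consulted in this branch; if `__perf_event_overflow` has no other use of it, the parameter and the `nmi` plumbing from its callers should be dropped too, or the commit message should say that the wider cleanup was deliberately left out of the backport. A short comment on the now unconditional `perf_pending_queue()` would also help: the description says the deadlock came from deleting a timer from its own callback, presumably via the synchronous `perf_event_disable(event)` path this hunk removes, and that reasoning is not visible in the code.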
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/pty-fix-pty-counting.patch new/patches.fixes/pty-fix-pty-counting.patch
--- old/patches.fixes/pty-fix-pty-counting.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/pty-fix-pty-counting.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,134 @@
+From 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Wed, 10 Aug 2011 14:59:28 +0200
+Subject: TTY: pty, fix pty counting
+Git-commit: 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24
+Patch-mainline: v3.1-rc4
+References: bnc#711203
+
+tty_operations->remove is normally called like:
+queue_release_one_tty
+ ->tty_shutdown
+ ->tty_driver_remove_tty
+ ->tty_operations->remove
+
+However tty_shutdown() is called from queue_release_one_tty() only if
+tty_operations->shutdown is NULL. But for pty, it is not.
+pty_unix98_shutdown() is used there as ->shutdown.
+
+So tty_operations->remove of pty (i.e. pty_unix98_remove()) is never
+called. This results in invalid pty_count. I.e. what can be seen in
+/proc/sys/kernel/pty/nr.
+
+I see this was already reported at:
+ https://lkml.org/lkml/2009/11/5/370
+But it was not fixed since then.
+
+This patch is kind of a hackish way. The problem lies in ->install. We
+allocate there another tty (so-called tty->link). So ->install is
+called once, but ->remove twice, for both tty and tty->link. The fix
+here is to count both tty and tty->link and divide the count by 2 for
+user.
+
+And to have ->remove called, let's make tty_driver_remove_tty() global
+and call that from pty_unix98_shutdown() (tty_operations->shutdown).
+
+While at it, let's document that when ->shutdown is defined,
+tty_shutdown() is not called.
+
+Signed-off-by: Jiri Slaby
+Cc: Alan Cox
+Cc: "H. Peter Anvin"
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/pty.c | 17 +++++++++++++++--
+ drivers/char/tty_io.c | 3 +--
+ include/linux/tty.h | 2 ++
+ include/linux/tty_driver.h | 3 +++
+ 4 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/pty.c
++++ b/drivers/char/pty.c
+@@ -426,8 +426,19 @@ static inline void legacy_pty_init(void)
+ int pty_limit = NR_UNIX98_PTY_DEFAULT;
+ static int pty_limit_min;
+ static int pty_limit_max = NR_UNIX98_PTY_MAX;
++static int tty_count;
+ static int pty_count;
+
++static inline void pty_inc_count(void)
++{
++ pty_count = (++tty_count) / 2;
++}
++
++static inline void pty_dec_count(void)
++{
++ pty_count = (--tty_count) / 2;
++}
++
+ static struct cdev ptmx_cdev;
+
+ static struct ctl_table pty_table[] = {
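Review bot: `tty_count` and `pty_count` are plain ints updated with `++`/`--` and no locking is visible in the hunk; `pty_inc_count()`/`pty_dec_count()` are only correct if every caller holds the same lock (the tty_io.c part of this patch documents `tty_driver_remove_tty` as `Locking: tty_mutex for now`), so add a comment on the helpers naming that lock, or make the counter atomic. The name `tty_count` is also easy to confuse with `tty->count`, which the install hunk touches two lines away from `pty_inc_count()`; something like `pty_tty_count` would be clearer.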
+@@ -520,6 +531,7 @@ static struct tty_struct *pts_unix98_loo
+
+ static void pty_unix98_shutdown(struct tty_struct *tty)
+ {
++ tty_driver_remove_tty(tty->driver, tty);
+ /* We have our own method as we don't use the tty index */
+ kfree(tty->termios);
+ }
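Review bot: the new `tty_driver_remove_tty(tty->driver, tty)` call runs once per tty_struct whose driver uses this ->shutdown, so if both the master and slave ops point at `pty_unix98_shutdown`, ->remove is reached twice per pair, which is exactly what the two `pty_inc_count()` calls in the install hunk are balanced against; a comment here saying that master and slave each decrement once would tie the two hunks together. Because `tty_driver_remove_tty` tolerates a driver without ->remove (the `if (driver->ops->remove)` test in the tty_io.c hunk), a side whose ops lack ->remove is safe either way.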
+@@ -567,7 +579,8 @@ static int pty_unix98_install(struct tty
+ */
+ tty_driver_kref_get(driver);
+ tty->count++;
+- pty_count++;
++ pty_inc_count(); /* tty */
++ pty_inc_count(); /* tty->link */
+ return 0;
+ free_mem_out:
+ kfree(o_tty->termios);
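Review bot: both `pty_inc_count()` calls come after every failure exit (`free_mem_out` is below them), so the error path needs no matching decrement; a short comment saying the count is bumped last for that reason would stop a later edit from moving it above the `goto free_mem_out` sites.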
+@@ -579,7 +592,7 @@ free_mem_out:
+
+ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty)
+ {
+- pty_count--;
++ pty_dec_count();
+ }
+
+ static const struct tty_operations ptm_unix98_ops = {
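Review bot: with the `/ 2` in `pty_dec_count()`, `pty_count` is momentarily stale whenever `tty_count` is odd, i.e. between the two increments in install or between the master's and slave's removes; that is harmless as long as neither pair is split by a lock drop, which is one more reason to document the protecting lock on these helpers.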
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -1235,8 +1235,7 @@ static int tty_driver_install_tty(struct
+ *
+ * Locking: tty_mutex for now
+ */
+-static void tty_driver_remove_tty(struct tty_driver *driver,
+- struct tty_struct *tty)
++void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty)
+ {
+ if (driver->ops->remove)
+ driver->ops->remove(driver, tty);
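Review bot: dropping `static` exports a function whose own header comment still says `Locking: tty_mutex for now`; the new external caller `pty_unix98_shutdown` runs from the tty shutdown path, so either confirm that path holds tty_mutex or update the comment to state the real requirement for callers outside tty_io.c. Since the function is now part of the driver-facing API, the comment block above it should also document `@driver` and `@tty` in kernel-doc form.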
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -406,6 +406,8 @@ extern void tty_driver_flush_buffer(stru
+ extern void tty_throttle(struct tty_struct *tty);
+ extern void tty_unthrottle(struct tty_struct *tty);
+ extern int tty_do_resize(struct tty_struct *tty, struct winsize *ws);
++extern void tty_driver_remove_tty(struct tty_driver *driver,
++ struct tty_struct *tty);
+ extern void tty_shutdown(struct tty_struct *tty);
+ extern void tty_free_termios(struct tty_struct *tty);
+ extern int is_current_pgrp_orphaned(void);
+--- a/include/linux/tty_driver.h
++++ b/include/linux/tty_driver.h
+@@ -47,6 +47,9 @@
+ *
+ * This routine is called synchronously when a particular tty device
+ * is closed for the last time freeing up the resources.
++ * Note that tty_shutdown() is not called if ops->shutdown is defined.
++ * This means one is responsible to take care of calling ops->remove (e.g.
++ * via tty_driver_remove_tty) and releasing tty->termios.
+ *
+ *
+ * void (*cleanup)(struct tty_struct * tty);
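Review bot: the added documentation is the right place for this, but `one is responsible to take care of calling ops->remove (e.g. via tty_driver_remove_tty) and releasing tty->termios` should read `the driver is then responsible for calling ops->remove (e.g. via tty_driver_remove_tty()) and for releasing tty->termios`; it is also worth adding that forgetting the ->remove call is how pty's counter went wrong, so the note reads as a requirement rather than an aside.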
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/validate-size-of-efi-guid-partition-entries.patch new/patches.fixes/validate-size-of-efi-guid-partition-entries.patch
--- old/patches.fixes/validate-size-of-efi-guid-partition-entries.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/validate-size-of-efi-guid-partition-entries.patch 2011-10-19 22:16:41.000000000 +0200
@@ -0,0 +1,35 @@
+From fa039d5f6b126fbd65eefa05db2f67e44df8f121 Mon Sep 17 00:00:00 2001
+From: Timo Warns
+Date: Fri, 6 May 2011 13:47:35 +0200
+Subject: [PATCH] Validate size of EFI GUID partition entries.
+Patch-mainline: fa039d5f6b126fbd65eefa05db2f67e44df8f121
+References: bnc#692784, CVE-2011-1776
+
+Otherwise corrupted EFI partition tables can cause total confusion.
+
+Signed-off-by: Timo Warns
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Acked-by: Michal Hocko
+Acked-by: Miklos Szeredi
+---
+ fs/partitions/efi.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+Index: linux-2.6.16-SLES10-SP3-TD/fs/partitions/efi.c
+===================================================================
+--- linux-2.6.16-SLES10-SP3-TD.orig/fs/partitions/efi.c
++++ linux-2.6.16-SLES10-SP3-TD/fs/partitions/efi.c
+@@ -363,6 +363,12 @@ is_gpt_valid(struct block_device *bdev,
+ goto fail;
+ }
+
++ /* Check that sizeof_partition_entry has the correct value */
++ if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) {
++ pr_debug("GUID Partitition Entry Size check failed.\n");
++ goto fail;
++ }
++
+ if (!(*ptes = alloc_read_gpt_entries(bdev, *gpt)))
+ goto fail;
+
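Review bot: the check only accepts `sizeof_partition_entry == sizeof(gpt_entry)`; the GPT format allows entries larger than the fixed 128-byte layout (the field exists so the on-disk entry can grow), so such tables are now rejected outright instead of having the first `sizeof(gpt_entry)` bytes of each entry read. That is a defensible conservative choice for a stable backport, but the commit message should say it is intentional. Two smaller points: the debug string has a typo (`Partitition`), and the `Index:` header references `linux-2.6.16-SLES10-SP3-TD` while the other patches in this package carry `linux-2.6.32-SLE11-SP1` or plain `a/`/`b/` paths, so the header should be regenerated against this tree.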
++++++ patches.xen.tar.bz2 ++++++
++++ 19758 lines of diff (skipped)
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:24.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:24.000000000 +0200
@@ -291,6 +291,12 @@
patches.fixes/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
patches.fixes/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
patches.fixes/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
+ patches.fixes/validate-size-of-efi-guid-partition-entries.patch
+
+ # bug 697901
+ patches.fixes/ksm-fix-null-pointer-dereference-in-scan_get_next_rmap_item.patch
+
+ patches.fixes/fuse-check-size-of-fuse_notify_inval_entry-message.patch
########################################################
# IPC patches
@@ -423,6 +429,9 @@
# cifs patches
########################################################
patches.fixes/cifs-ensure-credentials-match-when-using-existing-session
+ patches.fixes/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+ patches.fixes/cifs-always-do-is_path_accessible-check-in-cifs_moun.patch
+ patches.fixes/cifs-add-fallback-in-is_path_accessible-for-old-serv.patch
########################################################
# ext2/ext3
@@ -437,6 +446,7 @@
patches.fixes/ext4-move-aio-completion-after-unwritten-extent-conversion
patches.fixes/ext4-mark-multi-page-IO-complete-on-mapping-failure.patch
patches.fixes/ext4-fix-ext4_da_block_invalidatepages-to-handle-pag.patch
+ patches.fixes/ext4-Fix-max-file-size-and-logical-block-counting-of.patch
########################################################
# btrfs
@@ -570,6 +580,7 @@
patches.fixes/writeback_fix_sb_locking.diff
patches.fixes/debugfs_remove_corruption.diff
+ patches.fixes/ecryptfs-add-mount-option-to-check-uid-of-device.patch
########################################################
# Swap-over-NFS
@@ -680,6 +691,7 @@
patches.fixes/drm-radeon-kms-fix-a-regression-on-r7xx-agp-due-to-the-hdp-flush-fix
patches.fixes/drm-radeon-kms-check-AA-resolve-registers-on-r300.patch
patches.fixes/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch
+ patches.fixes/drm-radeon-kms-fix-i2c-masks.patch
########################################################
# video4linux
@@ -759,6 +771,7 @@
# PCI and PCI hotplug
########################################################
patches.fixes/pci-hotplug-cpqphp-fix-crash.patch
+ patches.drivers/intr-remap-allow-disabling-source-id-checking.patch
########################################################
# sysfs / driver core
@@ -817,6 +830,7 @@
# Char / serial
########################################################
patches.fixes/tty-ldisc-do-not-close-until-there-are-readers.patch
+ patches.fixes/pty-fix-pty-counting.patch
########################################################
# Other driver fixes
@@ -979,6 +993,8 @@
patches.fixes/ia64-configure-HAVE_UNSTABLE_SCHED_CLOCK-for-SGI_SN.patch
+ patches.fixes/perf_software_event_overflow.patch
+
########################################################
# KVM patches
########################################################
@@ -1067,6 +1083,12 @@
patches.xen/1062-xenbus-dev-leak.patch
patches.xen/1069-blktap-misc.patch
patches.xen/1070-pciback-reset-msi.patch
+ patches.xen/1080-blkfront-xenbus-gather-format.patch
+ patches.xen/1081-blkback-resize-transaction-end.patch
+ patches.xen/1089-blkback-barrier-check.patch
+ patches.xen/1090-blktap-locking.patch
+ patches.xen/1091-xenbus-dev-no-BUG.patch
+ patches.xen/1098-blkfront-cdrom-ioctl-check.patch
# changes outside arch/{i386,x86_64}/xen
patches.xen/xen3-fixup-kconfig
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.I8Lf5m/_old 2011-10-25 23:30:24.000000000 +0200
+++ /var/tmp/diff_new_pack.I8Lf5m/_new 2011-10-25 23:30:24.000000000 +0200
@@ -1,3 +1,3 @@
-2011-07-20 18:48:56 +0200
-GIT Revision: 44c785657e56b41c4cb86b522cde6813af77c8c2
+2011-10-19 22:16:41 +0200
+GIT Revision: e5de38737cdc6b3c05a1c5214630aac9dd7ca1c4
GIT Branch: openSUSE-11.3
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org