rpms/kernel/F-11 fnctl-f_modown-should-call-write_lock_irqsave-restore.patch, NONE, 1.1.2.1 tty-fix-race-in-tty_fasync.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.8, 1.1784.2.9
Chuck Ebbert
cebbert at fedoraproject.org
Sat Jan 30 19:38:12 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19751
Modified Files:
Tag: private-fedora-11-2_6_30
kernel.spec
Added Files:
Tag: private-fedora-11-2_6_30
fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
tty-fix-race-in-tty_fasync.patch
Log Message:
kernel: tty->pgrp races (#559100)
fnctl-f_modown-should-call-write_lock_irqsave-restore.patch:
fcntl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- NEW FILE fnctl-f_modown-should-call-write_lock_irqsave-restore.patch ---
>From b04da8bfdfbbd79544cab2fadfdc12e87eb01600 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh at suse.de>
Date: Tue, 26 Jan 2010 15:04:02 -0800
Subject: fnctl: f_modown should call write_lock_irqsave/restore
From: Chuck Ebbert <cebbert at redhat.com>
[ backport to 2.6.30 ]
commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 upstream.
Commit 703625118069f9f8960d356676662d3db5a9d116 exposed that f_modown()
should call write_lock_irqsave instead of just write_lock_irq, because a
caller could have a spinlock held and it would not be good to re-enable
interrupts.
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Al Viro <viro at ZenIV.linux.org.uk>
Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
Cc: Tavis Ormandy <taviso at google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
fs/fcntl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -200,7 +200,9 @@ static int setfl(int fd, struct file * f
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
uid_t uid, uid_t euid, int force)
{
- write_lock_irq(&filp->f_owner.lock);
+ unsigned long flags;
+
+ write_lock_irqsave(&filp->f_owner.lock, flags);
if (force || !filp->f_owner.pid) {
put_pid(filp->f_owner.pid);
filp->f_owner.pid = get_pid(pid);
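Review bot: The change from write_lock_irq() to write_lock_irqsave() in this hunk is a correctness fix, not a style one: write_lock_irq() unconditionally disables interrupts and its matching write_unlock_irq() unconditionally re-enables them, so when a caller already holds a spinlock taken with spin_lock_irqsave() (as tty_fasync() does with tty->ctrl_lock in the companion patch of this commit), the old unlock would turn interrupts back on while that lock was still held. Saving the state into `unsigned long flags` and restoring it keeps the caller's interrupt state intact; `flags` must stay `unsigned long`, since the irqsave macros store the raw flags word there.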
@@ -208,7 +210,7 @@ static void f_modown(struct file *filp,
filp->f_owner.uid = uid;
filp->f_owner.euid = euid;
}
- write_unlock_irq(&filp->f_owner.lock);
+ write_unlock_irqrestore(&filp->f_owner.lock, flags);
}
int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
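Review bot: write_unlock_irqrestore() here correctly pairs with the write_lock_irqsave() introduced in the previous hunk, and the visible body has no early return between lock and unlock, so `flags` is restored on the single exit path. Because the header marks this as a backport to 2.6.30, it is worth checking the full f_modown() in that tree for any other exit still using write_unlock_irq(); none is visible in the hunk context.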
tty-fix-race-in-tty_fasync.patch:
tty_io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE tty-fix-race-in-tty_fasync.patch ---
>From 703625118069f9f8960d356676662d3db5a9d116 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh at suse.de>
Date: Thu, 17 Dec 2009 07:07:19 -0800
Subject: tty: fix race in tty_fasync
From: Greg Kroah-Hartman <gregkh at suse.de>
commit 703625118069f9f8960d356676662d3db5a9d116 upstream.
We need to keep the lock held over the call to __f_setown() to
prevent a PID race.
Thanks to Al Viro for pointing out the problem, and to Tavis for
making us look here in the first place.
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Al Viro <viro at ZenIV.linux.org.uk>
Cc: Alan Cox <alan at lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Tavis Ormandy <taviso at google.com>
Cc: Jeff Dike <jdike at addtoit.com>
Cc: Julien Tinnes <jln at google.com>
Cc: Matt Mackall <mpm at selenic.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
drivers/char/tty_io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1930,8 +1930,8 @@ static int tty_fasync(int fd, struct fil
pid = task_pid(current);
type = PIDTYPE_PID;
}
- spin_unlock_irqrestore(&tty->ctrl_lock, flags);
retval = __f_setown(filp, pid, type, 0);
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
if (retval)
goto out;
} else {
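Review bot: Moving spin_unlock_irqrestore() below the __f_setown() call closes the window in which `pid`, looked up under tty->ctrl_lock, could change or be released after the lock was dropped but before f_owner was updated. The trade-off is that __f_setown() now runs with a spinlock held and interrupts disabled, so it must neither sleep nor re-enable interrupts; that is exactly why the fnctl-f_modown patch in this same commit is mandatory, and the two patches should never be applied or reverted separately. The unlock still precedes `if (retval) goto out;`, so the error path does not leak ctrl_lock.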
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.8
retrieving revision 1.1784.2.9
diff -u -p -r1.1784.2.8 -r1.1784.2.9
--- kernel.spec 30 Jan 2010 17:00:42 -0000 1.1784.2.8
+++ kernel.spec 30 Jan 2010 19:38:11 -0000 1.1784.2.9
@@ -868,6 +868,9 @@ Patch16513: e1000-e1000e-don-t-use-small
# cve-2009-4537
Patch16514: linux-2.6-net-r8169-improved-rx-length-check-errors.patch
+Patch16515: tty-fix-race-in-tty_fasync.patch
+Patch16516: fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
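Review bot: The two preceding Patch lines carry a `# cve-2009-4537` comment, but the new Patch16515/Patch16516 entries have no comment tying them to the bug they fix; a comment referencing bug #559100 (given in the log message) above them would keep the spec self-documenting. The numbers are consecutive and the file names match the added patch files exactly.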
@@ -1631,6 +1634,9 @@ ApplyPatch e1000-e1000e-don-t-use-small-
# cve-2009-4537
ApplyPatch linux-2.6-net-r8169-improved-rx-length-check-errors.patch
+ApplyPatch tty-fix-race-in-tty_fasync.patch
+ApplyPatch fnctl-f_modown-should-call-write_lock_irqsave-restore.patch
+
# END OF PATCH APPLICATIONS
%endif
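Review bot: The ApplyPatch lines match the Patch16515/Patch16516 definitions and apply the tty patch before the fcntl one, which is fine since both land in the same %prep; the only caveat is that any later partial revert would leave f_modown() re-enabling interrupts under ctrl_lock, so both lines should always be kept or removed together.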
@@ -2219,6 +2225,9 @@ fi
# and build.
%changelog
+* Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.9
+- kernel: tty->pgrp races (#559100)
+
* Sat Jan 30 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.8
- CVE-2009-4537 kernel: r8169 issue reported at 26c3
(fix taken from Red Hat/CentOS 5.4)
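Review bot: The changelog release 2.6.30.10-105.2.9 matches the CVS revision 1.1784.2.9 and the bug id matches the log message. Naming the two upstream commits being backported (703625118069f9f8960d356676662d3db5a9d116 and b04da8bfdfbbd79544cab2fadfdc12e87eb01600) in the entry would make later auditing of this kernel against upstream easier.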